# DVI files
$(DVIDIR)/Samba-HOWTO-Collection.dvi: samba-doc.tex
@echo "Building LaTeX sources via $(LATEX)..."
- @$(LATEX) $< | grep 'Rerun to get cross-references right' && \
- $(LATEX) $< | grep 'Rerun to get cross-references right' && \
- $(LATEX) $< || echo
+ @$(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \
+ $(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \
+ $(LATEX) $< 2>&1 || echo
@echo "done"
@mv samba-doc.dvi $@
$(DVIDIR)/Samba-Developers-Guide.dvi: dev-doc.tex
@echo "Building LaTeX sources via $(LATEX)..."
- @$(LATEX) $< | grep 'Rerun to get cross-references right' && \
- $(LATEX) $< | grep 'Rerun to get cross-references right' && \
- $(LATEX) $< || echo
+ @$(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \
+ $(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \
+ $(LATEX) $< 2>&1 || echo
@echo "done"
@mv dev-doc.dvi $@
to depths of control ability should review the &smb.conf; man page.
</para>
- <itemizedlist>
- <title>File System Feature Comparison</title>
- <listitem>
- <para><emphasis>Name Space</emphasis></para>
+ <variablelist>
+ <title>File System Feature Comparison</title>
+ <varlistentry>
+ <term>Name Space</term>
+ <listitem>
<para>
MS Windows NT4 / 200x/ XP files names may be up to 254 characters long, Unix file names
may be 1023 characters long. In MS Windows file extensions indicate particular file types,
<para>
What MS Windows calls a Folder, Unix calls a directory,
</para>
- </listitem>
+ </listitem>
+ </varlistentry>
- <listitem>
- <para><emphasis>Case Sensitivity</emphasis></para>
+ <varlistentry>
+ <term>Case Sensitivity</term>
+ <listitem>
<para>
MS Windows file names are generally Upper Case if made up of 8.3 (ie: 8 character file name
and 3 character extension. If longer than 8.3 file names are Case Preserving, and Case
first will be accessible to MS Windows users, the others are invisible and unaccessible - any
other solution would be suicidal.
</para>
- </listitem>
+ </listitem>
+ </varlistentry>
- <listitem>
- <para><emphasis>Directory Separators</emphasis></para>
+ <varlistentry>
+ <term>Directory Separators</term>
+ <listitem>
<para>
MS Windows and DOS uses the back-slash '\' as a directory delimiter, Unix uses the forward-slash '/'
as it's directory delimiter. This is transparently handled by Samba.
</para>
- </listitem>
+ </listitem>
+ </varlistentry>
- <listitem>
- <para><emphasis>Drive Identification</emphasis></para>
+ <varlistentry>
+ <term>Drive Identification</term>
+ <listitem>
<para>
MS Windows products support a notion of drive letters, like <command>C:</command> to represent
disk partitions. Unix has NO concept if separate identifiers for file partitions since each
The Unix directory tree begins at '/', just like the root of a DOS drive is specified like
<command>C:\</command>.
</para>
- </listitem>
+ </listitem>
+ </varlistentry>
- <listitem>
- <para><emphasis>File Naming Conventions</emphasis></para>
+ <varlistentry>
+ <term>File Naming Conventions</term>
+ <listitem>
<para>
MS Windows generally never experiences file names that begin with a '.', while in Unix these
are commonly found in a user's home directory. Files that begin with a '.' are typically
either start up files for various Unix applications, or they may be files that contain
start-up configuration data.
</para>
- </listitem>
-
- <listitem>
- <para><emphasis>Links and Short-Cuts</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Links and Short-Cuts</term>
+ <listitem>
<para>
MS Windows make use of "links and Short-Cuts" that are actually special types of files that will
redirect an attempt to execute the file to the real location of the file. Unix knows of file and directory
referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows
one physical file to be known simulataneously by more than one file name.
</para>
- </listitem>
- </itemizedlist>
+ </listitem>
+ </varlistentry>
+ </variablelist>
<para>
There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort
The permissions field is made up of:
<programlisting>
- <!-- JRV: Put this into a diagram of some sort -->
+ <comment> JRV: Put this into a diagram of some sort</comment>
[ type ] [ users ] [ group ] [ others ] [File, Directory Permissions]
[ d | l ] [ r w x ] [ r w x ] [ r w x ]
| | | | | | | | | | |
<para>
Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character.
- <!-- FIXME -->
- <programlisting>
- <title>Example File</title>
+
+ <example>
+ <title>Example File</title>
+ <programlisting>
-rwxr-x--- Means: The owner (user) can read, write, execute
the group can read and execute
everyone else can NOT do anything with it
- </programlisting>
+ </programlisting>
+ </example>
+
</para>
<para>
</para>
<para>
- The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r
+ The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r
execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
sticky (t).
</para>
</para>
<para>
- When a directory is set <command>drw-r-----</command> this means that the owner can read and create (write) files in it, but because
+ When a directory is set <constant>drw-r-----</constant> this means that the owner can read and create (write) files in it, but because
the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the
directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then
group members will be able to write to (or delete) them.
<para>
User and group based controls can prove very useful. In some situations it is distinctly desirable to affect all
- file system operations as if a single user is doing this, the use of the <emphasis>force user</emphasis> and
- <emphasis>force group</emphasis> behaviour will achieve this. In other situations it may be necessary to affect a
+ file system operations as if a single user is doing this, the use of the <parameter>force user</parameter> and
+ <parameter>force group</parameter> behaviour will achieve this. In other situations it may be necessary to affect a
paranoia level of control to ensure that only particular authorised persons will be able to access a share or
- it's contents, here the use of the <emphasis>valid users</emphasis> or the <emphasis>invalid users</emphasis> may
+ it's contents, here the use of the <parameter>valid users</parameter> or the <parameter>invalid users</parameter> may
be most useful.
</para>
By default samba sets no restrictions on the share itself. Restrictions on the share itself
can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
connect to a share. In the absence of specific restrictions the default setting is to allow
- the global user <emphasis>Everyone</emphasis> Full Control (ie: Full control, Change and Read).
+ the global user <constant>Everyone</constant> Full Control (ie: Full control, Change and Read).
</para>
<para>
<procedure>
<title>Instructions</title>
<step><para>
- Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu
- select Computer, then click on the Shared Directories entry.
+ Launch the <application>NT4 Server Manager</application>, click on the Samba server you want to administer, then from the menu
+ select <guimenu>Computer</guimenu>, then click on the <guimenuitem>Shared Directories</guimenuitem> entry.
</para></step>
<step><para>
- Now click on the share that you wish to manage, then click on the Properties tab, next click on
- the Permissions tab. Now you can Add or change access control settings as you wish.
+ Now click on the share that you wish to manage, then click on the <guilabel>Properties</guilabel> tab, next click on
+ the <guilabel>Permissions</guilabel> tab. Now you can add or change access control settings as you wish.
</para></step>
</procedure>
<title>Windows 200x/XP</title>
<para>
- On MS Windows NT4/200x/XP system access control lists on the share itself are set using native
+ On <application>MS Windows NT4/200x/XP</application> system access control lists on the share itself are set using native
tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder,
- then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows
- <emphasis>Everyone</emphasis> Full Control on the Share.
+ then select <guimenuitem>Sharing</guimenuitem>, then click on <guilabel>Permissions</guilabel>. The default
+ Windows NT4/200x permission allows <emphasis>Everyone</emphasis> Full Control on the Share.
</para>
<para>
- MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the
+ MS Windows 200x and later all comes with a tool called the <application>Computer Management</application> snap-in for the
Microsoft Management Console (MMC). This tool is located by clicking on <filename>Control Panel ->
Administrative Tools -> Computer Management</filename>.
</para>
<procedure>
<title>Instructions</title>
<step><para>
- After launching the MMC with the Computer Management snap-in, click on the menu item 'Action',
- select 'Connect to another computer'. If you are not logged onto a domain you will be prompted
+ After launching the MMC with the Computer Management snap-in, click on the menu item <guimenuitem>Action</guimenuitem>,
+ select <guilabel>Connect to another computer</guilabel>. If you are not logged onto a domain you will be prompted
to enter a domain login user identifier and a password. This will authenticate you to the domain.
If you where already logged in with administrative privilidge this step is not offered.
</para></step>
<step><para>
- If the Samba server is not shown in the Select Computer box, then type in the name of the target
- Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+]
- next to 'Shared Folders' in the left panel.
+ If the Samba server is not shown in the <guilabel>Select Computer</guilabel> box, then type in the name of the target
+ Samba server in the field <guilabel>Name:</guilabel>. Now click on the <guibutton>[+]</guibutton> next to
+ <guilabel>System Tools</guilabel>, then on the <guibutton>[+]</guibutton> next to <guilabel>Shared Folders</guilabel> in the
+ left panel.
</para></step>
<step><para>
Now in the right panel, double-click on the share you wish to set access control permissions on.
- Then click on the tab 'Share Permissions'. It is now possible to add access control entities
+ Then click on the tab <guilabel>Share Permissions</guilabel>. It is now possible to add access control entities
to the shared folder. Do NOT forget to set what type of access (full control, change, read) you
wish to assign for each entry.
</para></step>
<warning>
<para>
- Be careful. If you take away all permissions from the Everyone user without removing this user
+ Be careful. If you take away all permissions from the <constant>Everyone</constant> user without removing this user
then effectively no user will be able to access the share. This is a result of what is known as
- ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone
- will have no access even if this user is given explicit full control access.
+ ACL precidence. ie: Everyone with <strong>no access</strong> means that MaryK who is part of the group
+ <constant>Everyone</constant> will have no access even if this user is given explicit full control access.
</para>
</warning>
<para>From an NT4/2000/XP client, single-click with the right
mouse button on any file or directory in a Samba mounted
drive letter or UNC path. When the menu pops-up, click
- on the <emphasis>Properties</emphasis> entry at the bottom of
+ on the <guilabel>Properties</guilabel> entry at the bottom of
the menu. This brings up the file properties dialog
- box. Click on the tab <emphasis>Security</emphasis> and you
- will see three buttons, <emphasis>Permissions</emphasis>,
- <emphasis>Auditing</emphasis>, and <emphasis>Ownership</emphasis>.
- The <emphasis>Auditing</emphasis> button will cause either
+ box. Click on the tab <guilabel>Security</guilabel> and you
+ will see three buttons, <guibutton>Permissions</guibutton>,
+ <guibutton>Auditing</guibutton>, and <guibutton>Ownership</guibutton>.
+ The <guibutton>Auditing</guibutton> button will cause either
an error message <errorname>A requested privilege is not held
by the client</errorname> to appear if the user is not the
NT Administrator, or a dialog which is intended to allow an
Administrator to add auditing requirements to a file if the
user is logged on as the NT Administrator. This dialog is
non-functional with a Samba share at this time, as the only
- useful button, the <command>Add</command> button will not currently
+ useful button, the <guibutton>Add</guibutton> button will not currently
allow a list of users to be seen.</para>
</sect2>
and allow a user with Administrator privilege connected
to a Samba server as root to change the ownership of
files on both a local NTFS filesystem or remote mounted NTFS
- or Samba drive. This is available as part of the <emphasis>Seclib
- </emphasis> NT security library written by Jeremy Allison of
+ or Samba drive. This is available as part of the <application>Seclib
+ </application> NT security library written by Jeremy Allison of
the Samba Team, available from the main Samba ftp site.</para>
</sect2>
<para>Directories on an NT NTFS file system have two
different sets of permissions. The first set of permissions
is the ACL set on the directory itself, this is usually displayed
- in the first set of parentheses in the normal <command>"RW"</command>
+ in the first set of parentheses in the normal <constant>"RW"</constant>
NT style. This first set of permissions is created by Samba in
exactly the same way as normal file permissions are, described
above, and is displayed in the same way.</para>
<para>There are four parameters
to control interaction with the standard Samba create mask parameters.
- These are :</para>
+ These are :
+
+ <simplelist>
+ <member><parameter>security mask</parameter></member>
+ <member><parameter>force security mode</parameter></member>
+ <member><parameter>directory security mask</parameter></member>
+ <member><parameter>force directory security mode</parameter></member>
+ </simplelist>
- <para><parameter>security mask</parameter></para>
- <para><parameter>force security mode</parameter></para>
- <para><parameter>directory security mask</parameter></para>
- <para><parameter>force directory security mode</parameter></para>
+ </para>
<para>Once a user clicks <guibutton>OK</guibutton> to apply the
permissions Samba maps the given permissions into a user/group/world
<para>If you want to set up a share that allows users full control
in modifying the permission bits on their files and directories and
doesn't force any particular bits to be set 'on', then set the following
- parameters in the &smb.conf; file in that share specific section :</para>
+ parameters in the &smb.conf; file in that share specific section :
+ </para>
- <para><parameter>security mask = 0777</parameter></para>
- <para><parameter>force security mode = 0</parameter></para>
- <para><parameter>directory security mask = 0777</parameter></para>
- <para><parameter>force directory security mode = 0</parameter></para>
+ <simplelist>
+ <member><parameter>security mask = 0777</parameter></member>
+ <member><parameter>force security mode = 0</parameter></member>
+ <member><parameter>directory security mask = 0777</parameter></member>
+ <member><parameter>force directory security mode = 0</parameter></member>
+ </simplelist>
</sect2>
<sect2>
</para>
<para>
- You should see that the file 'Afile' created by Jill will have ownership
+ You should see that the file <filename>Afile</filename> created by Jill will have ownership
and permissions of Jack, as follows:
<screen>
-rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile
</para>
<note><para>
- The above are only needed IF your users are NOT members of the group
+ The above are only needed <strong>if</strong> your users are <strong>not</strong> members of the group
you have used. ie: Within the OS do not have write permission on the directory.
</para>
</note>
</para>
<simplelist>
- <member>http://www.craigelachie.org/rhacer/ntlogon</member>
- <member>http://www.kixtart.org</member>
- <member>http://support.microsoft.com/default.asp?scid=kb;en-us;189105</member>
+ <member><ulink url="http://www.craigelachie.org/rhacer/ntlogon">http://www.craigelachie.org/rhacer/ntlogon</ulink></member>
+ <member><ulink url="http://www.kixtart.org">http://www.kixtart.org</ulink></member>
+ <member><ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">http://support.microsoft.com/default.asp?scid=kb;en-us;189105</ulink></member>
</simplelist>
<sect2>
<sect1>
<title>Introduction</title>
-<para>Please report bugs using <ulink url="https://bugzilla.samba.org/">bugzilla</ulink>.</para>
+<para>Please report bugs using
+ <ulink url="https://bugzilla.samba.org/">bugzilla</ulink>.</para>
<para>
Please take the time to read this file before you submit a bug
<title>How to compile SAMBA</title>
<para>
-You can obtain the samba source from the <ulink url="http://samba.org/">samba website</ulink>. To obtain a development version,
+You can obtain the samba source from the
+<ulink url="http://samba.org/">samba website</ulink>. To obtain a development version,
you can download samba from CVS or using rsync.
</para>
configure Samba for your operating system. If you have unusual
needs then you may wish to run</para>
- <para><prompt>root# </prompt><userinput>./configure --help
+ <para>&rootprompt;<userinput>./configure --help
</userinput></para>
<para>first to see what special options you can enable.
Then executing</para>
- <para><prompt>root# </prompt><userinput>make</userinput></para>
+ <para>&rootprompt;<userinput>make</userinput></para>
<para>will create the binaries. Once it's successfully
compiled you can use </para>
- <para><prompt>root# </prompt><userinput>make install</userinput></para>
+ <para>&rootprompt;<userinput>make install</userinput></para>
<para>to install the binaries and manual pages. You can
separately install the binaries and/or man pages using</para>
- <para><prompt>root# </prompt><userinput>make installbin
+ <para>&rootprompt;<userinput>make installbin
</userinput></para>
<para>and</para>
- <para><prompt>root# </prompt><userinput>make installman
+ <para>&rootprompt;<userinput>make installman
</userinput></para>
<para>Note that if you are upgrading for a previous version
the binaries will be renamed with a ".old" extension. You
can go back to the previous version with</para>
- <para><prompt>root# </prompt><userinput>make revert
+ <para>&rootprompt;<userinput>make revert
</userinput></para>
<para>if you find this version a disaster!</para>
</para>
<para>
-<prompt>root# </prompt><userinput>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </userinput>
+&rootprompt;<userinput>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </userinput>
</para>
<para>
-<prompt>root# </prompt><userinput>passwd -l <replaceable>machine_name</replaceable>$</userinput>
+&rootprompt;<userinput>passwd -l <replaceable>machine_name</replaceable>$</userinput>
</para>
<para>
</para>
<para>
-<prompt>root# </prompt><userinput>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</userinput>
+&rootprompt;<userinput>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</userinput>
</para>
<para>
<filename>/etc/passwd</filename> entry like this:
</para>
-<para>
+<programlisting>
doppy$:x:505:501:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/false
-</para>
+</programlisting>
<para>
Above, <replaceable>machine_nickname</replaceable> can be any
</para>
<para>
-<programlisting>
-<prompt>root# </prompt><userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput>
-</programlisting>
+<screen>
+&rootprompt;<userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput>
+</screen>>
</para>
<para>
<procedure>
<title>Server Manager Account Machine Account Management</title>
<step><para>
- From the menu select <guimenu>Computer</guimenu>
+ From the menu select <guimenu>Computer</guimenu>
</para></step>
<step><para>
<para>
The name of the account that is used to create domain member machine accounts can be
- anything the network administrator may choose. If it is other than <command>root</command>
+ anything the network administrator may choose. If it is other than <emphasis>root</emphasis>
then this is easily mapped to root using the file pointed to be the &smb.conf; parameter
- <emphasis>username map =</emphasis> <command>/etc/samba/smbusers</command>.
+ <parameter>username map = /etc/samba/smbusers</parameter>.
</para>
<para>
<para>
If the machine trust account was created manually, on the
Identification Changes menu enter the domain name, but do not
- check the box "Create a Computer Account in the Domain." In this case,
- the existing machine trust account is used to join the machine to
- the domain.
+ check the box <guilabel>Create a Computer Account in the Domain</guilabel>.
+ In this case, the existing machine trust account is used to join the machine
+ to the domain.
</para>
<para>
If the machine trust account is to be created
on-the-fly, on the Identification Changes menu enter the domain
- name, and check the box "Create a Computer Account in the Domain." In
- this case, joining the domain proceeds as above for Windows 2000
- (i.e., you must supply a Samba administrative account when
+ name, and check the box <guilabel>Create a Computer Account in the
+ Domain</guilabel>. In this case, joining the domain proceeds as above
+ for Windows 2000 (i.e., you must supply a Samba administrative account when
prompted).
</para>
</sect3>
<para>
Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
-<parameter>security =</parameter></ulink> line in the [global] section
+<parameter>security</parameter></ulink> line in the [global] section
of your &smb.conf; to read:
</para>
</para>
<note><para>
-You do ¬ need a smbpasswd file, and older clients will be authenticated as
+You do <strong>not</strong> need a smbpasswd file, and older clients will be authenticated as
if <parameter>security = domain</parameter>, although it won't do any harm and
allows you to have local users not in the domain. It is expected that the above
required options will change soon when active directory integration will get
<note><para>
Time between the two servers must be synchronized. You will get a
-"kinit(v5): Clock skew too great while getting initial credentials" if the time
-difference is more than five minutes.
+<errorname>kinit(v5): Clock skew too great while getting initial credentials</errorname>
+if the time difference is more than five minutes.
</para></note>
<para>
The easiest way to ensure you get this right is to add a
<filename>/etc/hosts</filename> entry mapping the IP address of your KDC to
its netbios name. If you don't get this right then you will get a
-"local error" when you try to join the realm.
+<errorname>local error</errorname> when you try to join the realm.
</para>
<para>
<para>
<variablelist>
- <varlistentry><term>ADS support not compiled in</term>
+ <varlistentry><term><errorname>ADS support not compiled in</errorname></term>
<listitem><para>Samba must be reconfigured (remove config.cache) and recompiled
(make clean all install) after the kerberos libs and headers are installed.
</para></listitem></varlistentry>
- <varlistentry><term>net join prompts for user name</term>
+ <varlistentry><term><errorname>net join prompts for user name</errorname></term>
<listitem><para>You need to login to the domain using <userinput>kinit
<replaceable>USERNAME</replaceable>@<replaceable>REALM</replaceable></userinput>.
<replaceable>USERNAME</replaceable> must be a user who has rights to add a machine
</para>
<para>
-w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
+W2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
their defaults DNS setup. Maybe fixed in service packs?
</para>
<para>
Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a
-message that, "The machine could not be added at this time, there is a network problem.
-Please try again later." Why?
+message that, <errorname>The machine could not be added at this time, there is a network problem.
+Please try again later.</errorname> Why?
</para>
<para>
-You should check that there is an <emphasis>add machine script</emphasis> in your &smb.conf;
+You should check that there is an <parameter>add machine script</parameter> in your &smb.conf;
file. If there is not, please add one that is appropriate for your OS platform. If a script
-has been defined you will need to debug it's operation. Increase the <emphasis>log level</emphasis>
+has been defined you will need to debug it's operation. Increase the <parameter>log level</parameter>
in the &smb.conf; file to level 10, then try to rejoin the domain. Check the logs to see which
operation is failing.
</para>
</para>
<para>
-If you get a message saying "host not found" or similar then your DNS
+If you get a message saying <errorname>host not found</errorname> or similar then your DNS
software or <filename>/etc/hosts</filename> file is not correctly setup.
It is possible to
run samba without DNS entries for the server and client, but I assume
this is done via the <application>ipfwadm</application> program.)
</para>
+<note>
<para>
-Note: Modern Linux distributions install ipchains/iptables by default.
+Modern Linux distributions install ipchains/iptables by default.
This is a common problem that is often overlooked.
</para>
+</note>
</step>
<step performance="required">
</para>
<para>
-If you get a "connection refused" response then the smbd server may
+If you get a <errorname>connection refused</errorname> response then the smbd server may
not be running. If you installed it in inetd.conf then you probably edited
that file incorrectly. If you installed it as a daemon then check that
it is running, and check that the netbios-ssn port is in a LISTEN
</para></note>
<para>
-If you get a "session request failed" then the server refused the
+If you get a <errorname>session request failed</errorname> then the server refused the
connection. If it says "Your server software is being unfriendly" then
its probably because you have invalid command line parameters to &smbd;,
or a similar fatal problem with the initial startup of &smbd;. Also
</programlisting></para>
<para>
-Do NOT use the <command>bind interfaces only</command> parameter where you
+Do <strong>not</strong> use the <command>bind interfaces only</command> parameter where you
may wish to
use the samba password change facility, or where &smbclient; may need to
access a local service for name resolution or for local resource
<para>
Another common cause of these two errors is having something already running
-on port 139, such as Samba (ie: smbd is running from <application>inetd</application> already) or
+on port <constant>139</constant>, such as Samba
+(ie: &smbd; is running from <application>inetd</application> already) or
something like Digital's Pathworks. Check your <filename>inetd.conf</filename> file before trying
to start &smbd; as a daemon, it can avoid a lot of frustration!
</para>
it via a broadcast to the default broadcast address. A number of
Netbios/TCPIP hosts on the network should respond, although Samba may
not catch all of the responses in the short time it listens. You
-should see "got a positive name query response" messages from several
-hosts.
+should see <errorname>got a positive name query response</errorname>
+messages from several hosts.
</para>
<para>
<para>
Once you enter the password you should get the <prompt>smb></prompt> prompt. If you
-don't then look at the error message. If it says "invalid network
-name" then the service "tmp" is not correctly setup in your &smb.conf;.
+don't then look at the error message. If it says <errorname>invalid network
+name</errorname> then the service <emphasis>"tmp"</emphasis> is not correctly setup in your &smb.conf;.
</para>
<para>
-If it says "bad password" then the likely causes are:
+If it says <errorname>bad password</errorname> then the likely causes are:
</para>
<orderedlist>
<listitem>
<para>
- you enabled password encryption but didn't create the SMB encrypted
- password file
+ you enabled password encryption but didn't map unix to samba users
</para>
</listitem>
</orderedlist>
</para>
<para>
-If you get a "network name not found" or similar error then netbios
+If you get a <errorname>network name not found</errorname> or similar error then netbios
name resolution is not working. This is usually caused by a problem in
nmbd. To overcome it you could do one of the following (you only need
to choose one of them):
</orderedlist>
<para>
-If you get a "invalid network name" or "bad password error" then the
+If you get a <errorname>invalid network name</errorname> or <errorname>bad password error</errorname> then the
same fixes apply as they did for the <userinput>smbclient -L</userinput> test above. In
particular, make sure your <command>hosts allow</command> line is correct (see the man
pages)
</para>
<para>
-If you get "specified computer is not receiving requests" or similar
+If you get <errorname>specified computer is not receiving requests</errorname> or similar
it probably means that the host is not contactable via tcp services.
Check to see if the host is running tcp wrappers, and if so add an entry in
the <filename>hosts.allow</filename> file for your client (or subnet, etc.)
<para>
Run the command <userinput>net use x: \\BIGSERVER\TMP</userinput>. You should
-be prompted for a password then you should get a "command completed
-successfully" message. If not then your PC software is incorrectly
+be prompted for a password then you should get a <computeroutput>command completed
+successfully</computeroutput> message. If not then your PC software is incorrectly
installed or your smb.conf is incorrect. make sure your <command>hosts allow</command>
and other config lines in &smb.conf; are correct.
</para>
<para>
It's also possible that the server can't work out what user name to
-connect you as. To see if this is the problem add the line <command>user =
-<replaceable>username</replaceable></command> to the <command>[tmp]</command> section of
+connect you as. To see if this is the problem add the line <parameter>user =
+<replaceable>username</replaceable></parameter> to the <parameter>[tmp]</parameter> section of
&smb.conf; where <replaceable>username</replaceable> is the
username corresponding to the password you typed. If you find this
fixes things you may need the username mapping option.
<para>
It might also be the case that your client only sends encrypted passwords
-and you have <command>encrypt passwords = no</command> in &smb.conf;
+and you have <parameter>encrypt passwords = no</parameter> in &smb.conf;
Turn it back on to fix.
</para>
If you don't then the election process has failed. Wait a minute to
see if it is just being slow then try again. If it still fails after
that then look at the browsing options you have set in &smb.conf;. Make
-sure you have <command>preferred master = yes</command> to ensure that
+sure you have <parameter>preferred master = yes</parameter> to ensure that
an election is held at startup.
</para>
password" error when you do then you are probably running WinNT and it
is refusing to browse a server that has no encrypted password
capability and is in user level security mode. In this case either set
-<command>security = server</command> AND
-<command>password server = Windows_NT_Machine</command> in your
-&smb.conf; file, or make sure <command>encrypted passwords</command> is
+<parameter>security = server</parameter> AND
+<parameter>password server = Windows_NT_Machine</parameter> in your
+&smb.conf; file, or make sure <parameter>encrypted passwords</parameter> is
set to "yes".
</para>
The first immediate reason to use the group mapping on a Samba PDC, is that
the <parameter>domain admin group</parameter> has been removed and should no longer
be specified in &smb.conf;. This parameter was used to give the listed users membership
- in the "Domain Admins" Windows group which gave local admin rights on their workstations
+ in the <constant>Domain Admins</constant> Windows group which gave local admin rights on their workstations
(in default configurations).
</para>
</warning>
<para>
Administrators should be aware that where &smb.conf; group interface scripts make
- direct calls to the Unix/Linux system tools (eg: the shadow utilities, <command>groupadd,
- groupdel, groupmod</command>) then the resulting Unix/Linux group names will be subject
+ direct calls to the Unix/Linux system tools (eg: the shadow utilities, <command>groupadd</command>,
+ <command>groupdel</command>, <command>groupmod</command>) then the resulting Unix/Linux group names will be subject
to any limits imposed by these tools. If the tool does NOT allow upper case characters
or space characters, then the creation of an MS Windows NT4 / 200x style group of
<parameter>Engineering Managers</parameter> will attempt to create an identically named
<title>Discussion</title>
<para>
- When installing MS Windows NT4 / 200x on a computer, the installation program creates default
- users and groups. Notably the 'Administrators' group, and gives to that group privileges necessary
- privilidges to perform essential system tasks. eg: Ability to change the date and time or to
- kill any process (or close too) running on the local machine.
+ When installing <application>MS Windows NT4 / 200x</application> on a computer, the installation
+ program creates default users and groups. Notably the <constant>Administrators</constant> group,
+ and gives to that group privileges necessary privilidges to perform essential system tasks.
+ eg: Ability to change the date and time or to kill any process (or close too) running on the
+ local machine.
</para>
<para>
look like:
</para>
- <para><screen>
+ <para><programlisting>
domadm:x:502:joe,john,mary
- </screen>
+ </programlisting>
</para></listitem>
<listitem><para>
</para>
<para>
- <screen>&rootprompt; net groupmap list
+ <screen>
+ &rootprompt; <userinput>net groupmap list</userinput>
System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin
Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
</para>
<sect2>
- <title>Sample smb.conf add group script</title>
+ <title>Sample &smb.conf; add group script</title>
<para>
A script to great complying group names for use by the samba group interfaces:
</para>
-<para>
-<screen>
-Script name: smbgrpadd.sh
+ <para>
+<example>
+ <title>smbgrpadd.sh</title>
+<programlisting>
#!/bin/bash
# Now return the GID as would normally happen.
echo $thegid
exit 0
-</screen>
+</programlisting>
+</example>
</para>
<para>
The &smb.conf; entry for the above script would look like:
- <screen>
+ <programlisting>
add group script = /path_to_tool/smbgrpadd.sh %g
- </screen>
+ </programlisting>
</para>
</sect2>
</para>
<para>
-<screen>
+<programlisting>
#!/bin/bash
net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
#net groupmap add ntgroup="Engineers" unixgroup=Engineers type=d
#net groupmap add ntgroup="Marketoids" unixgroup=Marketoids type=d
#net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
-</screen>
+</programlisting>
</para>
<para>
layer communicate not via IP addresses but rather using the Media
Access Control address, or MAC address. IP Addresses are currently
32 bits in length and are typically presented as four (4) decimal
-numbers that are separated by a dot (or period). eg: 168.192.1.1
+numbers that are separated by a dot (or period). eg: 168.192.1.1.
</para>
<para>
the name service switch infrastructure so that linux clients will
be able to obtain resolution of MS Windows NetBIOS names to IP
Addresses. To gain this functionality Samba needs to be compiled
-with appropriate arguments to the make command (ie: <command>make
-nsswitch/libnss_wins.so</command>). The resulting library should
+with appropriate arguments to the make command (ie: <userinput>make
+nsswitch/libnss_wins.so</userinput>). The resulting library should
then be installed in the <filename>/lib</filename> directory and
the "wins" parameter needs to be added to the "hosts:" line in
the <filename>/etc/nsswitch.conf</filename> file. At this point it
<para>
The MS Windows utility that allows examination of the NetBIOS
name cache is called "nbtstat". The Samba equivalent of this
-is called "nmblookup".
+is called <command>nmblookup</command>.
</para>
</sect2>
<title>NT4 as the Trusting Domain (ie. creating the trusted account)</title>
<para>
-For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager.
-To affect a two way trust relationship it is necessary for each domain administrator to make
-available (for use by an external domain) it's security resources. This is done from the Domain
-User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships, then
-next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and
-"Remove". The "Add" button will open a panel in which needs to be entered the remote domain that
-will be able to assign user rights to your domain. In addition it is necessary to enter a password
+For MS Windows NT4, all domain trust relationships are configured using the
+<application>Domain User Manager</application>. To affect a two way trust relationship it is
+necessary for each domain administrator to make available (for use by an external domain) it's
+security resources. This is done from the Domain User Manager Policies entry on the menu bar.
+From the <guimenu>Policy</guimenu> menu, select <guimenuitem>Trust Relationships</guimenuitem>, then
+next to the lower box that is labelled <guilabel>Permitted to Trust this Domain</guilabel> are two
+buttons, <guibutton>Add</guibutton> and <guibutton>Remove</guibutton>. The <guibutton>Add</guibutton>
+button will open a panel in which needs to be entered the remote domain that will be able to assign
+user rights to your domain. In addition it is necessary to enter a password
that is specific to this trust relationship. The password needs to be
typed twice (for standard confirmation).
</para>
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
with the trusted domain. To consumate the trust relationship the administrator will launch the
Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
-"Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in
-which must be entered the name of the remote domain as well as the password assigned to that trust.
+<guibutton>Add</guibutton> button that is next to the box that is labelled
+<guilabel>Trusted Domains</guilabel>. A panel will open in which must be entered the name of the remote
+domain as well as the password assigned to that trust.
</para>
</sect2>
<para>
<screen>
-<prompt>deity#</prompt> <userinput>smbpasswd -a -i rumba</userinput>
+&rootprompt; <userinput>smbpasswd -a -i rumba</userinput>
New SMB password: XXXXXXXX
Retype SMB password: XXXXXXXX
Added user rumba$
</screen>
-where <parameter>-a</parameter> means to add a new account into the
-passdb database and <parameter>-i</parameter> means: ''create this
+where <option>-a</option> means to add a new account into the
+passdb database and <option>-i</option> means: ''create this
account with the InterDomain trust flag''
</para>
</para>
<para>
-Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'.
-Right beside 'Trusted domains' list box press 'Add...' button. You will be prompted for
+Open <application>User Manager for Domains</application> and from menu
+<guimenu>Policies</guimenu> select <guimenuitem>Trust Relationships...</guimenuitem>.
+Right beside <guilabel>Trusted domains</guilabel> list box press the
+<guimenu>Add...</guimenu> button. You will be prompted for
the trusted domain name and the relationship password. Type in SAMBA, as this is
your domain name, and the password used at the time of account creation.
-Press OK and, if everything went without incident, you will see 'Trusted domain relationship
-successfully established' message.
+Press OK and, if everything went without incident, you will see
+<computeroutput>Trusted domain relationship successfully
+established</computeroutput> message.
</para>
</sect2>
</para>
<para>
-Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'.
-Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted
-domain (SAMBA) and password securing the relationship.
+Launch the <application>Domain User Manager</application>, then from the menu select
+<guimenu>Policies</guimenu>, <guimenuitem>Trust Relationships</guimenuitem>.
+Now, next to <guilabel>Trusted Domains</guilabel> box press the <guibutton>Add</guibutton>
+button, and type in the name of the trusted domain (SAMBA) and password securing
+the relationship.
</para>
<para>
</para>
<para>
-<prompt>deity# </prompt><userinput>net rpc trustdom establish rumba</userinput>
+&rootprompt;<userinput>net rpc trustdom establish rumba</userinput>
</para>
<para>
password you gave is correct and the NT4 Server says the account is
ready for interdomain connection and not for ordinary
connection. After that, be patient it can take a while (especially
-in large networks), you should see the 'Success' message. Congratulations! Your trust
-relationship has just been established.
+in large networks), you should see the <computeroutput>Success</computeroutput> message.
+Congratulations! Your trust relationship has just been established.
</para>
<note><para>
<title>Introduction to Samba</title>
-<para><emphasis>
+<para><quote>
"If you understand what you're doing, you're not learning anything."
-- Anonymous
-</emphasis></para>
+</quote></para>
<para>
Samba is a file and print server for Windows-based clients using TCP/IP as the underlying
</itemizedlist>
<para>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at
-http://www.samba.org). Optionally, you could just search mailing.unix.samba at http://groups.google.com
+<ulink url="http://www.samba.org/">http://www.samba.org</ulink>).
</para>
</sect1>
</para>
<para>
-There are other Open Source CIFS client implementations, such as the jCIFS project
-(jcifs.samba.org) which provides an SMB client toolkit written in Java.
+There are other Open Source CIFS client implementations, such as the
+<ulink url="http://jcifs.samba.org/">jCIFS project</ulink>
+which provides an SMB client toolkit written in Java.
</para>
</itemizedlist>
<para>
-A good way to examine this process in depth is to try out SecurityFriday's SWB program
-at http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html. It allows you to
-walk through the establishment of a SMB/CIFS session step by step.
+A good way to examine this process in depth is to try out
+<ulink url="http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html">SecurityFriday's SWB program</ulink>.
+It allows you to walk through the establishment of a SMB/CIFS session step by step.
</para>
</sect1>
<sect1>
<title>Epilogue</title>
-<para><emphasis>
-"What's fundamentally wrong is that nobody ever had any taste when they
+<para><quote>
+What's fundamentally wrong is that nobody ever had any taste when they
did it. Microsoft has been very much into making the user interface look good,
but internally it's just a complete mess. And even people who program for Microsoft
and who have had years of experience, just don't know how it works internally.
that bug. And Microsoft isn't interested in anyone fixing bugs -- they're interested
in making money. They don't have anybody who takes pride in Windows 95 as an
operating system.
-</emphasis></para>
+</quote></para>
-<para><emphasis>
+<para><quote>
People inside Microsoft know it's a bad operating system and they still
continue obviously working on it because they want to get the next version out
because they want to have all these new features to sell more copies of the
system.
-</emphasis></para>
+</quote></para>
-<para><emphasis>
+<para><quote>
The problem with that is that over time, when you have this kind of approach,
and because nobody understands it, because nobody REALLY fixes bugs (other than
when they're really obvious), the end result is really messy. You can't trust
and nobody knows why. Not Microsoft, not the experienced user and certainly
not the completely clueless user who probably sits there shivering thinking
"What did I do wrong?" when they didn't do anything wrong at all.
-</emphasis></para>
+</quote></para>
-<para><emphasis>
+<para><quote>
That's what's really irritating to me."
-</emphasis></para>
+</quote></para>
<para>--
<ulink url="http://hr.uoregon.edu/davidrl/boot.txt">Linus Torvalds, from an interview with BOOT Magazine, Sept 1998</ulink>
<sect1>
<title>Miscellaneous</title>
-<para>
-This chapter was lovingly handcrafted on a Dell Latitude C400 laptop running Slackware Linux 9.0,
-in case anyone asks.
-</para>
-
-<!-- This really needs to go... -->
+<!--FIXME: This really needs to go... -->
<para>
This chapter is Copyright 2003 David Lechnyr (david at lechnyr dot com).
Possible motivations to make a change include:
</para>
-<itemizedlist>
-<listitem>
- <para>Improve network manageability</para>
-</listitem>
-<listitem>
- <para>Obtain better user level functionality</para>
-</listitem>
-<listitem>
- <para>Reduce network operating costs</para>
-</listitem>
-<listitem>
- <para>Reduce exposure caused by Microsoft withdrawal of NT4 support</para>
-</listitem>
-<listitem>
- <para>Avoid MS License 6 implications</para>
-</listitem>
-<listitem>
- <para>Reduce organisation's dependency on Microsoft</para>
-</listitem>
-</itemizedlist>
+<simplelist>
+ <member>Improve network manageability</member>
+ <member>Obtain better user level functionality</member>
+ <member>Reduce network operating costs</member>
+ <member>Reduce exposure caused by Microsoft withdrawal of NT4 support</member>
+ <member>Avoid MS License 6 implications</member>
+ <member>Reduce organisation's dependency on Microsoft</member>
+</simplelist>
<para>
It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers
What are the features that Samba-3 can NOT provide?
</para>
-<itemizedlist>
-<listitem>
- <para>Active Directory Server</para>
-</listitem>
-<listitem>
- <para>Group Policy Objects (in Active Direcrtory)</para>
-</listitem>
-<listitem>
- <para>Machine Policy objects</para>
-</listitem>
-<listitem>
- <para>Logon Scripts in Active Directorty</para>
-</listitem>
-<listitem>
- <para>Software Application and Access Controls in Active Directory</para>
-</listitem>
-</itemizedlist>
+<simplelist>
+ <member>Active Directory Server</member>
+ <member>Group Policy Objects (in Active Direcrtory)</member>
+ <member>Machine Policy objects</member>
+ <member>Logon Scripts in Active Directorty</member>
+ <member>Software Application and Access Controls in Active Directory</member>
+</simplelist>
<para>
The features that Samba-3 DOES provide and that may be of compelling interest to your site
includes:
</para>
-<itemizedlist>
-<listitem>
- <para>Lower Cost of Ownership</para>
-</listitem>
-<listitem>
- <para>Global availability of support with no strings attached</para>
-</listitem>
-<listitem>
- <para>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</para>
-</listitem>
-<listitem>
- <para>Creation of on-the-fly logon scripts</para>
-</listitem>
-<listitem>
- <para>Creation of on-the-fly Policy Files</para>
-</listitem>
-<listitem>
- <para>Greater Stability, Reliability, Performance and Availability</para>
-</listitem>
-<listitem>
- <para>Manageability via an ssh connection</para>
-</listitem>
-<listitem>
- <para>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</para>
-</listitem>
-<listitem>
- <para>Ability to implement a full single-signon architecture</para>
-</listitem>
-<listitem>
- <para>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</para>
-</listitem>
-</itemizedlist>
+<simplelist>
+ <member>Lower Cost of Ownership</member>
+ <member>Global availability of support with no strings attached</member>
+ <member>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</member>
+ <member>Creation of on-the-fly logon scripts</member>
+ <member>Creation of on-the-fly Policy Files</member>
+ <member>Greater Stability, Reliability, Performance and Availability</member>
+ <member>Manageability via an ssh connection</member>
+ <member>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</member>
+ <member>Ability to implement a full single-signon architecture</member>
+ <member>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</member>
+</simplelist>
<para>
Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are
Logon scripts can be created on-the-fly so that all commands executed are specific to the
rights and privilidges granted to the user. The preferred controls should be affected through
group membership so that group information can be used to custom create a logong script using
-the <filename>root preexec</filename> parameters to the <filename>NETLOGON</filename> share.
+the <parameter>root preexec</parameter> parameters to the <filename>NETLOGON</filename> share.
</para>
<para>
-Some sites prefer to use a tool such as <filename>kixstart</filename> to establish a controlled
+Some sites prefer to use a tool such as <command>kixstart</command> to establish a controlled
user environment. In any case you may wish to do a google search for logon script process controls.
In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
deals with how to add printers without user intervention via the logon script process.
</para>
<para>
-Profiles may also be managed using the Samba-3 tool <filename>profiles</filename>. This tool allows
+Profiles may also be managed using the Samba-3 tool <command>profiles</command>. This tool allows
the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
to be changed to the SID of the Samba-3 domain.
</para>
<substeps><step><para>Samba must NOT be running</para></step></substeps></step>
<step>
- <para>rpcclient NT4PDC -U Administrator%passwd</para>
+ <para><userinput>rpcclient <replaceable>NT4PDC</replaceable> -U Administrator%<replaceable>passwd</replaceable></userinput></para>
<substeps><step><para>lsaquery</para></step>
<step><para>Note the SID returned</para></step>
</substeps>
</step>
- <step><para>net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd</para>
+ <step><para><userinput>net getsid -S <replaceable>NT4PDC</replaceable> -w <replaceable>DOMNAME</replaceable> -U Administrator%<replaceable>passwd</replaceable></userinput></para>
<substeps><step><para>Note the SID</para></step></substeps>
</step>
- <step><para>net getlocalsid</para>
+ <step><para><userinput>net getlocalsid</userinput></para>
<substeps>
<step><para>Note the SID, now check that all three SIDS reported are the same!</para></step>
</substeps>
</step>
- <step><para>net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd</para></step>
+ <step><para><userinput>net rpc join -S <replaceable>NT4PDC</replaceable> -w <replaceable>DOMNAME</replaceable> -U Administrator%<replaceable>passwd</replaceable></userinput></para></step>
- <step><para>net rpc vampire -S NT4PDC -U administrator%passwd</para></step>
+ <step><para><userinput>net rpc vampire -S <replaceable>NT4PDC</replaceable> -U administrator%<replaceable>passwd</replaceable></userinput></para></step>
- <step><para>pdbedit -l</para>
+ <step><para><userinput>pdbedit -L</userinput></para>
<substeps><step><para>Note - did the users migrate?</para></step></substeps>
</step>
- <step><para>initGrps.sh DOMNAME</para></step>
+ <step><para><userinput>initGrps.sh <replaceable>DOMNAME</replaceable></userinput></para></step>
- <step><para>net groupmap list</para>
+ <step><para><userinput>net groupmap list</userinput></para>
<substeps><step><para>Now check that all groups are recognised</para></step></substeps>
</step>
- <step><para>net rpc campire -S NT4PDC -U administrator%passwd</para></step>
+ <step><para><userinput>net rpc campire -S <replaceable>NT4PDC</replaceable> -U administrator%<replaceable>passwd</replaceable></userinput></para></step>
- <step><para>pdbedit -lv</para>
+ <step><para><userinput>pdbedit -Lv</userinput></para>
<substeps><step>
<para>Note - check that all group membership has been migrated</para>
</step></substeps>
<sect2>
<title>Samba Implementation Choices</title>
+<!-- FIXME: Either a better layout or more written-out text-->
<para><programlisting>
Authentication database back end
Winbind (external Samba or NT4/200x server)
</para>
<para><programlisting>
+ <!--FIXME-->
Browsing options:
-----------------
* os level
In an WORKGROUP environment the domain master browser must be a
Samba server, and there must only be one domain master browser per
workgroup name. To set up a Samba server as a domain master browser,
-set the following option in the [global] section of the &smb.conf; file :
+set the following option in the <parameter>[global]</parameter> section
+of the &smb.conf; file :
</para>
<para>
<para>
The domain master browser should also preferrably be the local master
browser for its own subnet. In order to achieve this set the following
-options in the [global] section of the &smb.conf; file :
+options in the <parameter>[global]</parameter> section of the &smb.conf; file :
</para>
<para>
able to do this, as will Windows 9x machines (although these
tend to get rebooted more often, so it's not such a good idea
to use these). To make a Samba server a local master browser
-set the following options in the [global] section of the
+set the following options in the <parameter>[global]</parameter> section of the
&smb.conf; file :
</para>
</para>
<para>
-The <command>local master</command> parameter allows Samba to act as a
-local master browser. The <command>preferred master</command> causes nmbd
-to force a browser election on startup and the <command>os level</command>
+The <parameter>local master</parameter> parameter allows Samba to act as a
+local master browser. The <parameter>preferred master</parameter> causes nmbd
+to force a browser election on startup and the <parameter>os level</parameter>
parameter sets Samba high enough so that it should win any browser elections.
</para>
If you have an NT machine on the subnet that you wish to
be the local master browser then you can disable Samba from
becoming a local master browser by setting the following
-options in the <command>[global]</command> section of the
+options in the <parameter>[global]</parameter> section of the
&smb.conf; file :
</para>
<para>
If you wish to have a Samba server fight the election with machines
-on the same subnet you may set the <command>os level</command> parameter
+on the same subnet you may set the <parameter>os level</parameter> parameter
to lower levels. By doing this you can tune the order of machines that
will become local master browsers if they are running. For
more details on this see the section <link linkend="browse-force-master">
on all subnets, and you are sure they will always be running then
you can disable Samba from taking part in browser elections and
ever becoming a local master browser by setting following options
-in the <command>[global]</command> section of the &smb.conf;
+in the <parameter>[global]</parameter> section of the &smb.conf;
file :
</para>
<title>Forcing samba to be the master</title>
<para>
-Who becomes the <command>master browser</command> is determined by an election
+Who becomes the <parameter>master browser</parameter> is determined by an election
process using broadcasts. Each election packet contains a number of parameters
which determine what precedence (bias) a host should have in the
election. By default Samba uses a very low precedence and thus loses
</para>
<para>
-If you want Samba to win elections then just set the <command>os level</command> global
+If you want Samba to win elections then just set the <parameter>os level</parameter> global
option in &smb.conf; to a higher number. It defaults to 0. Using 34
would make it win all elections over every other system (except other
samba systems!)
</para>
<para>
-A <command>os level</command> of 2 would make it beat WfWg and Win95, but not MS Windows
+A <parameter>os level</parameter> of 2 would make it beat WfWg and Win95, but not MS Windows
NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.
</para>
<para>
If you want samba to force an election on startup, then set the
-<command>preferred master</command> global option in &smb.conf; to "yes". Samba will
+<parameter>preferred master</parameter> global option in &smb.conf; to <constant>yes</constant>. Samba will
then have a slight advantage over other potential master browsers
that are not preferred master browsers. Use this parameter with
care, as if you have two hosts (whether they are windows 95 or NT or
-samba) on the same local subnet both set with <command>preferred master</command> to
-"yes", then periodically and continually they will force an election
+samba) on the same local subnet both set with <parameter>preferred master</parameter> to
+<constant>yes</constant>, then periodically and continually they will force an election
in order to become the local master browser.
</para>
<para>
-If you want samba to be a <command>domain master browser</command>, then it is
-recommended that you also set <command>preferred master</command> to "yes", because
+ If you want samba to be a <parameter>domain master browser</parameter>, then it is
+recommended that you also set <parameter>preferred master</parameter> to <constant>yes</constant>, because
samba will not become a domain master browser for the whole of your
LAN or WAN if it is not also a local master browser on its own
broadcast isolated subnet.
<para>
The domain master is responsible for collating the browse lists of
multiple subnets so that browsing can occur between subnets. You can
-make samba act as the domain master by setting <command>domain master = yes</command>
+make samba act as the domain master by setting <parameter>domain master = yes</parameter>
in &smb.conf;. By default it will not be a domain master.
</para>
<para>
-Note that you should NOT set Samba to be the domain master for a
+Note that you should <strong>not</strong> set Samba to be the domain master for a
workgroup that has the same name as an NT Domain.
</para>
<para>
If you want samba to be the domain master then I suggest you also set
-the <command>os level</command> high enough to make sure it wins elections, and set
-<command>preferred master</command> to "yes", to get samba to force an election on
+the <parameter>os level</parameter> high enough to make sure it wins elections, and set
+<parameter>preferred master</parameter> to <constant>yes</constant>, to get samba to force an election on
startup.
</para>
</para>
</sect2>
<sect2>
-<title>Use of the <command>Remote Announce</command> parameter</title>
+<title>Use of the Remote Announce parameter</title>
<para>
-The <command>remote announce</command> parameter of
+The <parameter>remote announce</parameter> parameter of
<filename>smb.conf</filename> can be used to forcibly ensure
that all the NetBIOS names on a network get announced to a remote network.
-The syntax of the <command>remote announce</command> parameter is:
+The syntax of the <parameter>remote announce</parameter> parameter is:
<programlisting>
remote announce = a.b.c.d [e.f.g.h] ...
</programlisting>
</sect2>
<sect2>
-<title>Use of the <command>Remote Browse Sync</command> parameter</title>
+<title>Use of the Remote Browse Sync parameter</title>
<para>
-The <command>remote browse sync</command> parameter of
+The <parameter>remote browse sync</parameter> parameter of
<filename>smb.conf</filename> is used to announce to
another LMB that it must synchronise it's NetBIOS name list with our
Samba LMB. It works ONLY if the Samba server that has this option is
</para>
<para>
-The syntax of the <command>remote browse sync</command> parameter is:
+The syntax of the <parameter>remote browse sync</parameter> parameter is:
<programlisting>
remote browse sync = <replaceable>a.b.c.d</replaceable>
<para>
To configure Samba as a WINS server just add
-<command>wins support = yes</command> to the <filename>smb.conf</filename>
+<parameter>wins support = yes</parameter> to the <filename>smb.conf</filename>
file [globals] section.
</para>
<para>
To configure Samba to register with a WINS server just add
-"wins server = a.b.c.d" to your smb.conf file [globals] section.
+<parameter>wins server = a.b.c.d</parameter> to your &smb.conf; file <parameter>[globals]</parameter> section.
</para>
<important><para>
-Never use both <command>wins support = yes</command> together
-with <command>wins server = a.b.c.d</command>
+Never use both <parameter>wins support = yes</parameter> together
+with <parameter>wins server = a.b.c.d</parameter>
particularly not using it's own IP address.
Specifying both will cause &nmbd; to refuse to start!
</para></important>
Either a Samba machine or a Windows NT Server machine may be set up
as a WINS server. To set a Samba machine to be a WINS server you must
add the following option to the &smb.conf; file on the selected machine :
-in the [globals] section add the line
+in the <parameter>[globals]</parameter> section add the line
</para>
<para>
</para>
<para>
-Machines with <command>wins support = yes</command> will keep a list of
+Machines with <parameter>wins support = yes</parameter> will keep a list of
all NetBIOS names registered with them, acting as a DNS for NetBIOS names.
</para>
<para>
You should set up only ONE wins server. Do NOT set the
-<command>wins support = yes</command> option on more than one Samba
+<parameter>wins support = yes</parameter> option on more than one Samba
server.
</para>
a Samba->Samba WINS replication protocol may be defined, in which
case more than one Samba machine could be set up as a WINS server
but currently only one Samba server should have the
-<command>wins support = yes</command> parameter set.
+<parameter>wins support = yes</parameter> parameter set.
</para>
<para>
After the WINS server has been configured you must ensure that all
machines participating on the network are configured with the address
of this WINS server. If your WINS server is a Samba machine, fill in
-the Samba machine IP address in the "Primary WINS Server" field of
-the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs
+the Samba machine IP address in the <guilabel>Primary WINS Server</guilabel> field of
+the <guilabel>Control Panel->Network->Protocols->TCP->WINS Server</guilabel> dialogs
in Windows 95 or Windows NT. To tell a Samba server the IP address
-of the WINS server add the following line to the [global] section of
+of the WINS server add the following line to the <parameter>[global]</parameter> section of
all &smb.conf; files :
</para>
<para>
Note that this line MUST NOT BE SET in the &smb.conf; file of the Samba
server acting as the WINS server itself. If you set both the
-<command>wins support = yes</command> option and the
-<command>wins server = <name></command> option then
+<parameter>wins support = yes</parameter> option and the
+<parameter>wins server = <name></parameter> option then
nmbd will fail to start.
</para>
<title>Static WINS Entries</title>
<para>
-New to Samba-3 is a tool called <filename>winsedit</filename> that may be used to add
+New to Samba-3 is a tool called <command>winsedit</command> that may be used to add
static WINS entries to the WINS database. This tool can be used also to modify entries
existing in the WINS database.
</para>
<para>
Alternative means of name resolution includes:</para>
<simplelist>
-<member>/etc/hosts: is static, hard to maintain, and lacks name_type info</member>
+<member><filename>/etc/hosts</filename>: is static, hard to maintain, and lacks name_type info</member>
<member>DNS: is a good choice but lacks essential name_type info.</member>
</simplelist>
<para>
SMB networking provides a mechanism by which clients can access a list
-of machines in a network, a so-called <command>browse list</command>. This list
+of machines in a network, a so-called <parameter>browse list</parameter>. This list
contains machines that are ready to offer file and/or print services
to other machines within the network. Thus it does not include
machines which aren't currently able to do server tasks. The browse
<para>
To get browsing to work you need to run nmbd as usual, but will need
-to use the <command>workgroup</command> option in &smb.conf;
+to use the <parameter>workgroup</parameter> option in &smb.conf;
to control what workgroup Samba becomes a part of.
</para>
Samba also has a useful option for a Samba server to offer itself for
browsing on another subnet. It is recommended that this option is only
used for 'unusual' purposes: announcements over the internet, for
-example. See <command>remote announce</command> in the
+example. See <parameter>remote announce</parameter> in the
&smb.conf; man page.
</para>
</sect2>
<para>
Some people find browsing fails because they don't have the global
-<command>guest account</command> set to a valid account. Remember that the
+<parameter>guest account</parameter> set to a valid account. Remember that the
IPC$ connection that lists the shares is done as guest, and thus you must
have a valid guest account.
</para>
</para>
<para>
+ <!-- FIXME: Convert this to diagram -->
<programlisting>
(DMB)
N1_A N1_B N1_C N1_D N1_E
</para>
<para>
-<programlisting>
-Subnet Browse Master List
------- ------------- ----
-Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E
-
-Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
+<table>
+ <tgroup align="left" cols="3">
+ <thead>
+ <row><entry>Subnet</entry><entry>Browse Master</entry><entry>List</entry></row>
+ </thead>
-Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
-</programlisting>
+ <tbody>
+ <row><entry>Subnet1</entry><entry>N1_C</entry><entry>N1_A, N1_B, N1_C, N1_D, N1_E</entry></row>
+ <row><entry>Subnet2</entry><entry>N2_B</entry><entry>N2_A, N2_B, N2_C, N2_D</entry></row>
+ <row><entry>Subnet3</entry><entry>N3_D</entry><entry>N3_A, N3_B, N3_C, N3_D</entry></row>
+ </tbody>
+ </tgroup>
+</table>
</para>
<para>
</para>
<para>
-<programlisting>
-Subnet Browse Master List
------- ------------- ----
-Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
- N2_A(*), N2_B(*), N2_C(*), N2_D(*)
-
-Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
- N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
+<table>
+ <tgroup align="left" cols="3">
+ <thead>
+ <row><entry>Subnet</entry><entry>Browse Master</entry><entry>List</entry></row>
+ </thead>
-Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
+ <tbody>
+ <row><entry>Subnet1</entry><entry>N1_C</entry><entry>N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*)</entry></row>
+ <row><entry>Subnet2</entry><entry>N2_B</entry><entry>N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</entry></row>
+ <row><entry>Subnet3</entry><entry>N3_D</entry><entry>N3_A, N3_B, N3_C, N3_D</entry></row>
+ </tbody>
+ </tgroup>
+</table>
Servers with a (*) after them are non-authoritative names.
-</programlisting>
</para>
<para>
</para>
<para>
-<programlisting>
-Subnet Browse Master List
------- ------------- ----
-Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
- N2_A(*), N2_B(*), N2_C(*), N2_D(*),
- N3_A(*), N3_B(*), N3_C(*), N3_D(*)
+<table>
+ <tgroup cols="3" align="left">
+ <thead>
+ <row><entry>Subnet</entry><entry>Browse Master</entry><entry>List</entry></row>
+ </thead>
-Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
- N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
-
-Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
- N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
- N2_A(*), N2_B(*), N2_C(*), N2_D(*)
+ <tbody>
+ <row><entry>Subnet1</entry><entry>N1_C</entry><entry>N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</entry></row>
+ <row><entry>Subnet2</entry><entry>N2_B</entry><entry>N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</entry></row>
+ <row><entry>Subnet3</entry><entry>N3_D</entry><entry>N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</entry></row>
+ </tbody>
+ </tgroup>
+</table>
Servers with a (*) after them are non-authoritative names.
-</programlisting>
</para>
<para>
</para>
<para>
-<programlisting>
-Subnet Browse Master List
------- ------------- ----
-Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
- N2_A(*), N2_B(*), N2_C(*), N2_D(*),
- N3_A(*), N3_B(*), N3_C(*), N3_D(*)
-
-Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
- N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
- N3_A(*), N3_B(*), N3_C(*), N3_D(*)
-
-Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
- N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
- N2_A(*), N2_B(*), N2_C(*), N2_D(*)
+<table>
+ <tgroup cols="3" align="left">
+ <thead>
+ <row><entry>Subnet</entry><entry>Browse Master</entry><entry>List</entry></row>
+ </thead>
+
+ <tbody>
+ <row><entry>Subnet1</entry><entry>N1_C</entry><entry>N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</entry></row>
+ <row><entry>Subnet2</entry><entry>N2_B</entry><entry>N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</entry></row>
+ <row><entry>Subnet3</entry><entry>N3_D</entry><entry>N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</entry></row>
+ </tbody>
+ </tgroup>
+</table>
Servers with a (*) after them are non-authoritative names.
-</programlisting>
</para>
<para>
<para>Basically, you need three components:</para>
- <itemizedlist>
- <listitem><para>The File and Print Client ('IBM Peer')
- </para></listitem>
- <listitem><para>TCP/IP ('Internet support')
- </para></listitem>
- <listitem><para>The "NetBIOS over TCP/IP" driver ('TCPBEUI')
- </para></listitem>
- </itemizedlist>
+ <simplelist>
+ <member>The File and Print Client ('IBM Peer')</member>
+ <member>TCP/IP ('Internet support') </member>
+ <member>The "NetBIOS over TCP/IP" driver ('TCPBEUI')</member>
+ </simplelist>
<para>Installing the first two together with the base operating
system on a blank system is explained in the Warp manual. If Warp
</para>
</sect2>
- <sect2>
- <title>Are there any other issues when OS/2 (any version)
- is used as a client?</title>
-
- <para>When you do a NET VIEW or use the "File and Print
- Client Resource Browser", no Samba servers show up. This can
- be fixed by a patch from <ulink
- url="http://carol.wins.uva.nl/~leeuw/samba/fix.html">
- http://carol.wins.uva.nl/~leeuw/samba/fix.html</ulink>.
- The patch will be included in a later version of Samba. It also
- fixes a couple of other problems, such as preserving long
- filenames when objects are dragged from the Workplace Shell
- to the Samba server. </para>
- </sect2>
-
<sect2>
<title>How do I get printer driver download working
for OS/2 clients?</title>
- <para>First, create a share called [PRINTDRV] that is
+ <para>First, create a share called <parameter>[PRINTDRV]</parameter> that is
world-readable. Copy your OS/2 driver files there. Note
that the .EA_ files must still be separate, so you will need
to use the original install files, and not copy an installed
driver from an OS/2 system.</para>
<para>Install the NT driver first for that printer. Then,
- add to your smb.conf a parameter, os2 driver map =
- <replaceable>filename</replaceable>". Then, in the file
+ add to your &smb.conf; a parameter, <parameter>os2 driver map =
+ <replaceable>filename</replaceable></parameter>. Then, in the file
specified by <replaceable>filename</replaceable>, map the
name of the NT driver name to the OS/2 driver name as
follows:</para>
- <para><command>nt driver name = os2 "driver
- name"."device name"</command>, e.g.:
- HP LaserJet 5L = LASERJET.HP LaserJet 5L</para>
+ <para><parameter><replaceable>nt driver name</replaceable> = <replaceable>os2 driver name</replaceable>.<replaceable>device name</replaceable></parameter>, e.g.:</para>
+
+ <para><parameter>
+ HP LaserJet 5L = LASERJET.HP LaserJet 5L</parameter></para>
<para>You can have multiple drivers mapped in this file.</para>
<para>
Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
VxD drivers. The latest release can be found on their ftp site at
-ftp.microsoft.com, located in /peropsys/windows/public/tcpip/wfwt32.exe.
+ftp.microsoft.com, located in <filename>/peropsys/windows/public/tcpip/wfwt32.exe</filename>.
There is an update.txt file there that describes the problems that were
-fixed. New files include WINSOCK.DLL, TELNET.EXE, WSOCK.386, VNBT.386,
-WSTCP.386, TRACERT.EXE, NETSTAT.EXE, and NBTSTAT.EXE.
+fixed. New files include <filename>WINSOCK.DLL</filename>,
+<filename>TELNET.EXE</filename>,
+<filename>WSOCK.386</filename>,
+<filename>VNBT.386</filename>,
+<filename>WSTCP.386</filename>,
+<filename>TRACERT.EXE</filename>,
+<filename>NETSTAT.EXE</filename>, and
+<filename>NBTSTAT.EXE</filename>.
</para>
</sect2>
<para>
There is a program call admincfg.exe
on the last disk (disk 8) of the WFW 3.11 disk set. To install it
-type EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE Then add an icon
-for it via the "Progam Manager" "New" Menu. This program allows you
-to control how WFW handles passwords. ie disable Password Caching etc
-for use with <command>security = user</command>
+type <userinput>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</userinput>.
+Then add an icon
+for it via the <application>Program Manager</application> <guimenu>New</guimenu> Menu.
+This program allows you to control how WFW handles passwords. ie disable Password Caching etc
+for use with <parameter>security = user</parameter>
</para>
</sect2>
<sect2>
<title>Case handling of passwords</title>
-<para>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <ulink url="smb.conf.5.html">smb.conf(5)</ulink> information on <command>password level</command> to specify what characters samba should try to uppercase when checking.</para>
+<para>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <ulink url="smb.conf.5.html">smb.conf(5)</ulink> information on <parameter>password level</parameter> to specify what characters samba should try to uppercase when checking.</para>
</sect2>
<title>Speed improvement</title>
<para>
-Note that some people have found that setting DefaultRcvWindow in
-the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a
+Note that some people have found that setting <parameter>DefaultRcvWindow</parameter> in
+the <parameter>[MSTCP]</parameter> section of the
+<filename>SYSTEM.INI</filename> file under WfWg to 3072 gives a
big improvement. I don't know why.
</para>
of Windows 95.
</para>
-<orderedlist>
-<listitem><para>Kernel Update: KRNLUPD.EXE</para></listitem>
-<listitem><para>Ping Fix: PINGUPD.EXE</para></listitem>
-<listitem><para>RPC Update: RPCRTUPD.EXE</para></listitem>
-<listitem><para>TCP/IP Update: VIPUPD.EXE</para></listitem>
-<listitem><para>Redirector Update: VRDRUPD.EXE</para></listitem>
-</orderedlist>
+<simplelist>
+<member>Kernel Update: KRNLUPD.EXE</member>
+<member>Ping Fix: PINGUPD.EXE</member>
+<member>RPC Update: RPCRTUPD.EXE</member>
+<member>TCP/IP Update: VIPUPD.EXE</member>
+<member>Redirector Update: VRDRUPD.EXE</member>
+</simplelist>
<para>
-Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This
+Also, if using <application>MS OutLook</application> it is desirable to
+install the <command>OLEUPD.EXE</command> fix. This
fix may stop your machine from hanging for an extended period when exiting
OutLook and you may also notice a significant speedup when accessing network
neighborhood services.
<para>
Configure the win95 TCPIP registry settings to give better
-performance. I use a program called MTUSPEED.exe which I got off the
+performance. I use a program called <command>MTUSPEED.exe</command> which I got off the
net. There are various other utilities of this type freely available.
</para>
<para>
In order to serve profiles successfully to Windows 2000 SP2
clients (when not operating as a PDC), Samba must have
-<command>nt acl support = no</command>
+<parameter>nt acl support = no</parameter>
added to the file share which houses the roaming profiles.
If this is not done, then the Windows 2000 SP2 client will
complain about not being able to access the profile (Access
DOMAIN.user.002, etc...). See the
<ulink url="smb.conf.5.html">smb.conf(5)</ulink> man page
for more details on this option. Also note that the
-<command>nt acl support</command> parameter was formally a global parameter in
+<parameter>nt acl support</parameter> parameter was formally a global parameter in
releases prior to Samba 2.2.2.
</para>
the Samba server's SID, and not the domain SID. The client
compares the SID for SAMBA\user and realizes it is
different that the one assigned to DOMAIN\user. Hence the reason
-for the "access denied" message.
+for the <errorname>access denied</errorname> message.
</para>
<para>
-By disabling the <command>nt acl support</command> parameter, Samba will send
+By disabling the <parameter>nt acl support</parameter> parameter, Samba will send
the Win2k client a response to the QuerySecurityDescriptor
trans2 call which causes the client to set a default ACL
for the profile. This default ACL includes
</para>
-<para><command>DOMAIN\user "Full Control"</command></para>
+<para><emphasis>DOMAIN\user "Full Control"</emphasis>></para>
<note><para>This bug does not occur when using winbind to
create accounts on the Samba host for Domain users.</para></note>
<chapter id="pam">
<chapterinfo>
+ <author>
+ <firstname>Stephen</firstname><surname>Langasek</surname>
+ <affiliation>
+ <address><email>vorlon@netexpress.net</email></address>
+ </affiliation>
+ </author>
&author.jht;
<pubdate> (Jun 21 2001) </pubdate>
</chapterinfo>
Samba implementation for your Unix/Linux system. The
<filename>pam_smbpass.so</filename> module is provided by
Samba version 2.2.1 or later. It can be compiled by specifying the
-<command>--with-pam_smbpass</command> options when running Samba's
-<filename>configure</filename> script. For more information
+<option>--with-pam_smbpass</option> options when running Samba's
+<command>configure</command> script. For more information
on the <filename>pam_smbpass</filename> module, see the documentation
in the <filename>source/pam_smbpass</filename> directory of the Samba
source distribution.
<para>
When Samba is configured to enable PAM support (i.e.
-<constant>--with-pam</constant>), this parameter will
+<option>--with-pam</option>), this parameter will
control whether or not Samba should obey PAM's account
and session management directives. The default behavior
is to use PAM for clear text authentication only and to
password encryption.
</para>
-<para>Default: <command>obey pam restrictions = no</command></para>
+<para>Default: <parameter>obey pam restrictions = no</parameter></para>
</sect2>
</para>
<para>
-For more information on PAM, see http://ftp.kernel.org/pub/linux/libs/pam/
+ For more information on PAM, see <ulink url="http://ftp.kernel.org/pub/linux/libs/pam/">The linux PAM homepage</ulink>.
</para>
<para>
recommended that you use pam_winbind instead.
</para>
-<para><programlisting>
+<para>
Options recognized by this module are as follows:
+<table>
+ <tgroup cols="2" align="left">
+ <tbody>
+ <row><entry>debug</entry><entry>log more debugging info</entry></row>
+ <row><entry>audit</entry><entry>like debug, but also logs unknown usernames</entry></row>
+ <row><entry>use_first_pass</entry><entry>don't prompt the user for passwords; take them from PAM_ items instead</entry></row>
+ <row><entry>try_first_pass</entry><entry>try to get the password from a previous PAM module, fall back to prompting the user</entry></row>
+ <row><entry>use_authtok</entry><entry>like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set. (intended for stacking password modules only)</entry></row>
+ <row><entry>not_set_pass</entry><entry>don't make passwords used by this module available to other modules.</entry></row>
+ <row><entry>nodelay</entry><entry>don't insert ~1 second delays on authentication failure.</entry></row>
+ <row><entry>nullok</entry><entry>null passwords are allowed.</entry></row>
+ <row><entry>nonull</entry><entry>null passwords are not allowed. Used to override the Samba configuration.</entry></row>
+ <row><entry>migrate</entry><entry>only meaningful in an "auth" context; used to update smbpasswd file with a password used for successful authentication.</entry></row>
+ <row><entry>smbconf=<replaceable>file</replaceable></entry><entry>specify an alternate path to the &smb.conf; file.</entry></row>
+ </tbody>
+</tgroup>
+</table>
+</para>
- debug - log more debugging info
- audit - like debug, but also logs unknown usernames
- use_first_pass - don't prompt the user for passwords;
- take them from PAM_ items instead
- try_first_pass - try to get the password from a previous
- PAM module, fall back to prompting the user
- use_authtok - like try_first_pass, but *fail* if the new
- PAM_AUTHTOK has not been previously set.
- (intended for stacking password modules only)
- not_set_pass - don't make passwords used by this module
- available to other modules.
- nodelay - don't insert ~1 second delays on authentication
- failure.
- nullok - null passwords are allowed.
- nonull - null passwords are not allowed. Used to
- override the Samba configuration.
- migrate - only meaningful in an "auth" context;
- used to update smbpasswd file with a
- password used for successful authentication.
- smbconf=< file > - specify an alternate path to the smb.conf
- file.
-</programlisting></para>
-
-<para><programlisting>
+<para>
Thanks go to the following people:
+<simplelist>
+ <member><ulink url="mailto:morgan@transmeta.com">Andrew Morgan</ulink>, for providing the Linux-PAM
+ framework, without which none of this would have happened</member>
- * Andrew Morgan < morgan@transmeta.com >, for providing the Linux-PAM
- framework, without which none of this would have happened
-
- * Christian Gafton < gafton@redhat.com > and Andrew Morgan again, for the
- pam_pwdb module upon which pam_smbpass was originally based
+ <member><ulink url="gafton@redhat.com">Christian Gafton</ulink> and Andrew Morgan again, for the
+ pam_pwdb module upon which pam_smbpass was originally based</member>
- * Luke Leighton < lkcl@switchboard.net > for being receptive to the idea,
+ <member><ulink url="lkcl@switchboard.net">Luke Leighton</ulink> for being receptive to the idea,
and for the occasional good-natured complaint about the project's status
- that keep me working on it :)
-
- * and of course, all the other members of the Samba team
- <http://www.samba.org/samba/team.html>, for creating a great product
- and for giving this project a purpose
-
- ---------------------
- Stephen Langasek < vorlon@netexpress.net >
-</programlisting></para>
+ that keep me working on it :)</member>
+</simplelist>.
+</para>
<para>
The following are examples of the use of pam_smbpass.so in the format of Linux
Use the Group Policy Editor to create a policy file that specifies the location of
user profiles and/or the <filename>My Documents</filename> etc. stuff. Then
save these settings in a file called <filename>Config.POL</filename> that needs to
- be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto
+ be placed in the root of the <parameter>[NETLOGON]</parameter> share. If Win98 is configured to log onto
the Samba Domain, it will automatically read this file and update the Win9x/Me registry
of the machine as it logs on.
</para>
</para>
<para>
- You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>.
+ You need <filename>poledit.exe</filename>, <filename>common.adm</filename> and <filename>winnt.adm</filename>.
It is convenient to put the two *.adm files in the <filename>c:\winnt\inf</filename>
directory which is where the binary will look for them unless told otherwise. Note also that that
directory is normally 'hidden'.
The older NT4 style registry based policies are known as <emphasis>Administrative Templates</emphasis>
in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security
configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
- users' desktop (including: the location of <emphasis>My Documents</emphasis> files (directory), as
+ users' desktop (including: the location of <filename>My Documents</filename> files (directory), as
well as intrinsics of where menu items will appear in the Start menu). An additional new
feature is the ability to make available particular software Windows applications to particular
users and/or groups.
<title>Administration of Win2K / XP Policies</title>
<para>
- Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the
- executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console
- (MMC) snap-in as follows:</para>
+ Instead of using the tool called <application>The System Policy Editor</application>, commonly called Poledit (from the
+ executable name <command>poledit.exe</command>), <acronym>GPOs</acronym> are created and managed using a
+ <application>Microsoft Management Console</application> <acronym>(MMC)</acronym> snap-in as follows:</para>
<procedure>
<step>
<para>
- Go to the Windows 200x / XP menu <filename>Start->Programs->Administrative Tools</filename>
- and select the MMC snap-in called "Active Directory Users and Computers"
+ Go to the Windows 200x / XP menu <guimenu>Start->Programs->Administrative Tools</guimenu>
+ and select the MMC snap-in called <guimenuitem>Active Directory Users and Computers</guimenuitem>
</para>
</step>
</para></step>
<step><para>
- Now left click on the Group Policy tab, then left click on the New tab. Type a name
+ Now left click on the <guilabel>Group Policy</guilabel> tab, then left click on the New tab. Type a name
for the new policy you will create.
</para></step>
<step><para>
- Now left click on the Edit tab to commence the steps needed to create the GPO.
+ Now left click on the <guilabel>Edit</guilabel> tab to commence the steps needed to create the GPO.
</para></step>
</procedure>
<para>
With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
- <filename>smbpasswd, pdbedit, net, rpcclient.</filename>. The administrator should read the
+ <command>smbpasswd</command>, <command>pdbedit</command>, <command>net</command>, <command>rpcclient</command>.
+ The administrator should read the
man pages for these tools and become familiar with their use.
</para>
<chapter id="Portability">
<chapterinfo>
&author.jelmer;
+ <!-- Some other people as well, but there were no author names in the text files
+ this file is based on-->
</chapterinfo>
<title>Portability</title>
<para>
HP's implementation of supplementary groups is, er, non-standard (for
-hysterical reasons). There are two group files, /etc/group and
-/etc/logingroup; the system maps UIDs to numbers using the former, but
+hysterical reasons). There are two group files, <filename>/etc/group</filename> and
+<filename>/etc/logingroup</filename>; the system maps UIDs to numbers using the former, but
initgroups() reads the latter. Most system admins who know the ropes
-symlink /etc/group to /etc/logingroup (hard link doesn't work for reasons
-too stupid to go into here). initgroups() will complain if one of the
-groups you're in in /etc/logingroup has what it considers to be an invalid
-ID, which means outside the range [0..UID_MAX], where UID_MAX is (I think)
-60000 currently on HP-UX. This precludes -2 and 65534, the usual 'nobody'
+symlink <filename>/etc/group</filename> to <filename>/etc/logingroup</filename>
+(hard link doesn't work for reasons too stupid to go into here). initgroups() will complain if one of the
+groups you're in in <filename>/etc/logingroup</filename> has what it considers to be an invalid
+ID, which means outside the range <constant>[0..UID_MAX]</constant>, where <constant>UID_MAX</constant> is (I think)
+60000 currently on HP-UX. This precludes -2 and 65534, the usual <constant>nobody</constant>
GIDs.
</para>
<title>SCO Unix</title>
<para>
-If you run an old version of SCO Unix then you may need to get important
+If you run an old version of SCO Unix then you may need to get important
TCP/IP patches for Samba to work correctly. Without the patch, you may
encounter corrupt data transfers using samba.
</para>
<para>
The patch you need is UOD385 Connection Drivers SLS. It is available from
-SCO (ftp.sco.com, directory SLS, files uod385a.Z and uod385a.ltr.Z).
+SCO (<ulink url="ftp://ftp.sco.com/">ftp.sco.com</ulink>, directory SLS,
+files uod385a.Z and uod385a.ltr.Z).
</para>
</sect1>
after creating the above files you then assemble them using
</para>
-<para><command>as seteuid.s</command></para>
-<para><command>as setegid.s</command></para>
+<screen>
+ <prompt>$ </prompt><userinput>as seteuid.s</userinput>
+ <prompt>$ </prompt><userinput>as setegid.s</userinput>
+</screen>
<para>
that should produce the files <filename>seteuid.o</filename> and
<para>
By default RedHat Rembrandt-II during installation adds an
-entry to /etc/hosts as follows:
+entry to <filename>/etc/hosts</filename> as follows:
<programlisting>
127.0.0.1 loopback "hostname"."domainname"
</programlisting>
<para>
The patch revision for 2.6 is 105181-34
-for 8 is 108528-19
-and for 9 is 112233-04
+for 8 is 108528-19 and for 9 is 112233-04
</para>
<para>
<para>
One of the best diagnostic tools for debugging problems is Samba itself.
-You can use the -d option for both smbd and nmbd to specify what
-'debug level' at which to run. See the man pages on smbd, nmbd and
+You can use the <option>-d option</option> for both &smbd; and &nmbd; to specify what
+<parameter>debug level</parameter> at which to run. See the man pages on smbd, nmbd and
smb.conf for more information on debugging options. The debug
level can range from 1 (the default) to 10 (100 for debugging passwords).
</para>
<para>
Another helpful method of debugging is to compile samba using the
-<command>gcc -g </command> flag. This will include debug
+<userinput>gcc -g </userinput> flag. This will include debug
information in the binaries and allow you to attach gdb to the
running smbd / nmbd process. In order to attach gdb to an smbd
process for an NT workstation, first get the workstation to make the
Some useful samba commands worth investigating:
</para>
-<itemizedlist>
- <listitem><para>testparam | more</para></listitem>
- <listitem><para>smbclient -L //{netbios name of server}</para></listitem>
-</itemizedlist>
+<screen>
+ <prompt>$ </prompt><userinput>testparam | more</userinput>
+ <prompt>$ </prompt><userinput>smbclient -L //{netbios name of server}</userinput>
+</screen>
<para>
An SMB enabled version of tcpdump is available from
</para>
<para>
-Initially you will need to install 'Network Monitor Tools and Agent'
+Initially you will need to install <application>Network Monitor Tools and Agent</application>
on the NT Server. To do this
</para>
<itemizedlist>
- <listitem><para>Goto Start - Settings - Control Panel -
- Network - Services - Add </para></listitem>
+ <listitem><para>Goto <guibutton>Start</guibutton> - <guibutton>Settings</guibutton> - <guibutton>Control Panel</guibutton> -
+ <guibutton>Network</guibutton> - <guibutton>Services</guibutton> - <guibutton>Add</guibutton> </para></listitem>
- <listitem><para>Select the 'Network Monitor Tools and Agent' and
- click on 'OK'.</para></listitem>
+ <listitem><para>Select the <guilabel>Network Monitor Tools and Agent</guilabel> and
+ click on <guibutton>OK</guibutton>.</para></listitem>
- <listitem><para>Click 'OK' on the Network Control Panel.
+ <listitem><para>Click <guibutton>OK</guibutton> on the Network Control Panel.
</para></listitem>
<listitem><para>Insert the Windows NT Server 4.0 install CD
</para>
<itemizedlist>
- <listitem><para>Goto Start - Settings - Control Panel -
- Network - Services - Add</para></listitem>
+ <listitem><para>Goto <guibutton>Start</guibutton> - <guibutton>Settings</guibutton> - <guibutton>Control Panel</guibutton> -
+ <guibutton>Network</guibutton> - <guibutton>Services</guibutton> - <guibutton>Add</guibutton></para></listitem>
- <listitem><para>Select the 'Network Monitor Agent' and click
- on 'OK'.</para></listitem>
+ <listitem><para>Select the <guilabel>Network Monitor Agent</guilabel> and click
+ on <guibutton>OK</guibutton>.</para></listitem>
- <listitem><para>Click 'OK' on the Network Control Panel.
+ <listitem><para>Click <guibutton>OK</guibutton> on the Network Control Panel.
</para></listitem>
<listitem><para>Insert the Windows NT Workstation 4.0 install
</itemizedlist>
<para>
-Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
-to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
-permissions as you deem appropriate for your site. You will need
+Now copy the files from the NT Server in <filename>%SYSTEMROOT%\System32\netmon\*.*</filename>
+to <filename>%SYSTEMROOT%\System32\netmon\*.*</filename> on the Workstation and set
+permissions as you deem appropriate for your site. You will need
administrative rights on the NT box to run netmon.
</para>
<para>
To install Netmon on a Windows 9x box install the network monitor agent
-from the Windows 9x CD (\admin\nettools\netmon). There is a readme
+from the Windows 9x CD (<filename>\admin\nettools\netmon</filename>). There is a readme
file located with the netmon driver files on the CD if you need
information on how to do this. Copy the files from a working
Netmon installation.
<title>Useful URL's</title>
<itemizedlist>
-<listitem><para>Home of Samba site <ulink url="http://samba.org">
- http://samba.org</ulink>. We have a mirror near you !</para></listitem>
-
-<listitem><para> The <emphasis>Development</emphasis> document
-on the Samba mirrors might mention your problem. If so,
-it might mean that the developers are working on it.</para></listitem>
-
<listitem><para>See how Scott Merrill simulates a BDC behavior at
<ulink url="http://www.skippy.net/linux/smb-howto.html">
http://www.skippy.net/linux/smb-howto.html</ulink>. </para></listitem>
-<listitem><para>Although 2.0.7 has almost had its day as a PDC, David Bannon will
- keep the 2.0.7 PDC pages at <ulink url="http://bioserve.latrobe.edu.au/samba">
- http://bioserve.latrobe.edu.au/samba</ulink> going for a while yet.</para></listitem>
-
-<listitem><para>Misc links to CIFS information
- <ulink url="http://samba.org/cifs/">http://samba.org/cifs/</ulink></para></listitem>
-
-<listitem><para>NT Domains for Unix <ulink url="http://mailhost.cb1.com/~lkcl/ntdom/">
- http://mailhost.cb1.com/~lkcl/ntdom/</ulink></para></listitem>
-
<listitem><para>FTP site for older SMB specs:
<ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/">
ftp://ftp.microsoft.com/developr/drg/CIFS/</ulink></para></listitem>
</itemizedlist>
+<!-- FIXME: Merge with Further Resources -->
</sect1>
</para>
<para>
-The default for this option is \\%N\%U\profile, namely \\sambaserver\username\profile.
-The \\N%\%U service is created automatically by the [homes] service. If you are using
+The default for this option is <filename>\\%N\%U\profile</filename>,
+namely <filename>\\sambaserver\username\profile</filename>.
+The <filename>\\N%\%U</filename> service is created automatically by the [homes] service. If you are using
a samba server for the profiles, you _must_ make the share specified in the logon path
-browseable. Please refer to the man page for smb.conf in respect of the different
+browseable. Please refer to the man page for &smb.conf; in respect of the different
symantics of %L and %N, as well as %U and %u.
</para>
<note>
<para>
MS Windows NT/2K clients at times do not disconnect a connection to a server
-between logons. It is recommended to NOT use the <command>homes</command>
+between logons. It is recommended to NOT use the <parameter>homes</parameter>
meta-service name as part of the profile share path.
</para>
</note>
<title>Windows 9x / Me User Profiles</title>
<para>
-To support Windows 9x / Me clients, you must use the "logon home" parameter. Samba has
+ To support Windows 9x / Me clients, you must use the <parameter>logon home</parameter> parameter. Samba has
now been fixed so that <userinput>net use /home</userinput> now works as well, and it, too, relies
on the <command>logon home</command> parameter.
</para>
<para>
By using the logon home parameter, you are restricted to putting Win9x / Me
profiles in the user's home directory. But wait! There is a trick you
-can use. If you set the following in the <command>[global]</command> section of your &smb.conf; file:
+can use. If you set the following in the <parameter>[global]</parameter> section of your &smb.conf; file:
</para>
<para><programlisting>
logon home = \\%L\%U\.profiles
Not only that, but <userinput>net use /home</userinput> will also work, because of a feature in
Windows 9x / Me. It removes any directory stuff off the end of the home directory area
and only uses the server and share portion. That is, it looks like you
-specified \\%L\%U for <command>logon home</command>.
+specified <filename>\\%L\%U</filename> for <parameter>logon home</parameter>.
</para>
</sect3>
<para>
You can support profiles for both Win9X and WinNT clients by setting both the
-<command>logon home</command> and <command>logon path</command> parameters. For example:
+<parameter>logon home</parameter> and <parameter>logon path</parameter> parameters. For example:
</para>
<para><programlisting>
<title>Disabling Roaming Profile Support</title>
<para>
-A question often asked is "How may I enforce use of local profiles?" or
-"How do I disable Roaming Profiles?"
+ A question often asked is <quote>How may I enforce use of local profiles?</quote> or
+ <quote>How do I disable Roaming Profiles?</quote>
</para>
<para>
There are three ways of doing this:
</para>
-<itemizedlist>
- <listitem><para>
- <command>In smb.conf:</command> affect the following settings and ALL clients
- will be forced to use a local profile:
- <programlisting>
- logon home =
- logon path =
- </programlisting></para></listitem>
-
- <listitem><para>
- <command>MS Windows Registry:</command> by using the Microsoft Management Console
- gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This
- of course modifies registry settings. The full path to the option is:
+<variablelist>
+ <varlistentry>
+ <term>In &smb.conf;</term>
+ <listitem><para>
+ Affect the following settings and ALL clients
+ will be forced to use a local profile:
+ <programlisting>
+ logon home =
+ logon path =
+ </programlisting>
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>MS Windows Registry:</term>
+ <listitem><para>
+ By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is:
+ <!-- FIXME: Diagram for this ? -->
<programlisting>
Local Computer Policy\
Computer Configuration\
Disable: Only Allow Local User Profiles
Disable: Prevent Roaming Profile Change from Propogating to the Server
</programlisting>
- </para>
- </listitem>
+ </para> </listitem>
+ </varlistentry>
- <listitem><para>
- <command>Change of Profile Type:</command> From the start menu right click on the
- MY Computer icon, select <emphasis>Properties</emphasis>, click on the "<emphasis>User Profiles</emphasis>
- tab, select the profile you wish to change from Roaming type to Local, click <emphasis>Change Type</emphasis>.
- </para></listitem>
-</itemizedlist>
+ <varlistentry>
+ <term>Change of Profile Type:</term>
+ <listitem><para>
+ From the start menu right click on the
+ My Computer icon, select <guimenuitem>Properties</guimenuitem>, click on the <guilabel>User Profiles</guilabel>
+ tab, select the profile you wish to change from Roaming type to Local, click <guibutton>Change Type</guibutton>.
+ </para></listitem>
+ </varlistentry>
+</variablelist>
<para>
Consult the MS Windows registry guide for your particular MS Windows version for more
<para>
When a user first logs in on Windows 9X, the file user.DAT is created,
-as are folders "Start Menu", "Desktop", "Programs" and "Nethood".
+as are folders <filename>Start Menu</filename>, <filename>Desktop</filename>,
+<filename>Programs</filename> and <filename>Nethood</filename>.
These directories and their contents will be merged with the local
-versions stored in c:\windows\profiles\username on subsequent logins,
-taking the most recent from each. You will need to use the [global]
-options "preserve case = yes", "short preserve case = yes" and
-"case sensitive = no" in order to maintain capital letters in shortcuts
+versions stored in <filename>c:\windows\profiles\username</filename> on subsequent logins,
+taking the most recent from each. You will need to use the <parameter>[global]</parameter>
+options <parameter>preserve case = yes</parameter>, <parameter>short preserve case = yes</parameter> and
+<parameter>case sensitive = no</parameter> in order to maintain capital letters in shortcuts
in any of the profile folders.
</para>
<orderedlist>
<listitem>
<para>
- On the Windows 9x / Me machine, go to Control Panel -> Passwords and
- select the User Profiles tab. Select the required level of
- roaming preferences. Press OK, but do _not_ allow the computer
+ On the Windows 9x / Me machine, go to <guimenu>Control Panel</guimenu> -> <guimenuitem>Passwords</guimenuitem> and
+ select the <guilabel>User Profiles</guilabel> tab. Select the required level of
+ roaming preferences. Press <guibutton>OK</guibutton>, but do _not_ allow the computer
to reboot.
</para>
</listitem>
<listitem>
<para>
- On the Windows 9x / Me machine, go to Control Panel -> Network ->
- Client for Microsoft Networks -> Preferences. Select 'Log on to
- NT Domain'. Then, ensure that the Primary Logon is 'Client for
- Microsoft Networks'. Press OK, and this time allow the computer
+ On the Windows 9x / Me machine, go to <guimenu>Control Panel</guimenu> -> <guimenuitem>Network</guimenuitem> ->
+ <guimenuitem>Client for Microsoft Networks</guimenuitem> -> <guilabel>Preferences</guilabel>. Select <guilabel>Log on to
+ NT Domain</guilabel>. Then, ensure that the Primary Logon is <guilabel>Client for
+ Microsoft Networks</guilabel>. Press <guibutton>OK</guibutton>, and this time allow the computer
to reboot.
</para>
</listitem>
<para>
Once the user has been successfully validated, the Windows 9x / Me machine
-will inform you that 'The user has not logged on before' and asks you
-if you wish to save the user's preferences? Select 'yes'.
+will inform you that <computeroutput>The user has not logged on before' and asks you
+ if you wish to save the user's preferences?</computeroutput> Select <guibutton>yes</guibutton>.
</para>
<para>
Once the Windows 9x / Me client comes up with the desktop, you should be able
-to examine the contents of the directory specified in the "logon path"
-on the samba server and verify that the "Desktop", "Start Menu",
-"Programs" and "Nethood" folders have been created.
+to examine the contents of the directory specified in the <parameter>logon path</parameter>
+on the samba server and verify that the <filename>Desktop</filename>, <filename>Start Menu</filename>,
+<filename>Programs</filename> and <filename>Nethood</filename> folders have been created.
</para>
<para>
<listitem>
<para>
- run the regedit.exe program, and look in:
+ run the <command>regedit.exe</command> program, and look in:
</para>
- <para>
- HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList
+ <filename>HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</filename>
</para>
<para>
you will find an entry, for each user, of ProfilePath. Note the
- contents of this key (likely to be c:\windows\profiles\username),
+ contents of this key (likely to be <filename>c:\windows\profiles\username</filename>),
then delete the key ProfilePath for the required user.
+ </para>
- [Exit the registry editor].
-
- </para>
+ <para>[Exit the registry editor].</para>
</listitem>
<listitem>
<para>
Strictly a SMB server should check for locks before every read and write call on
a file. Unfortunately with the way fcntl() works this can be slow and may overstress
-the rpc.lockd. It is also almost always unnecessary as clients are supposed to
+the <command>rpc.lockd</command>. It is also almost always unnecessary as clients are supposed to
independently make locking calls before reads and writes anyway if locking is
important to them. By default Samba only makes locking calls when explicitly asked
-to by a client, but if you set <emphasis>strict locking = yes</emphasis> then it
+to by a client, but if you set <parameter>strict locking = yes</parameter> then it
will make lock checking calls on every read and write.
</para>
<para>
-You can also disable by range locking completely using <emphasis>locking = no</emphasis>.
+You can also disable by range locking completely using <parameter>locking = no</parameter>.
This is useful for those shares that don't support locking or don't need it
(such as cdroms). In this case Samba fakes the return codes of locking calls to
tell clients that everything is OK.
</para>
<para>
-The second class of locking is the <emphasis>deny modes</emphasis>. These
+The second class of locking is the <parameter>deny modes</parameter>. These
are set by an application when it opens a file to determine what types of
access should be allowed simultaneously with its open. A client may ask for
-DENY_NONE, DENY_READ, DENY_WRITE or DENY_ALL. There are also special compatibility
-modes called DENY_FCB and DENY_DOS.
+<constant>DENY_NONE</constant>, <constant>DENY_READ</constant>,
+<constant>DENY_WRITE</constant> or <constant>DENY_ALL</constant>. There are also special compatibility
+modes called <constant>DENY_FCB</constant> and <constant>DENY_DOS</constant>.
</para>
<sect2>
<title>Opportunistic Locking Overview</title>
<para>
-OPPORTUNISTIC LOCKING (Oplocks) is invoked by the Windows file system
+Opportunistic locking (Oplocks) is invoked by the Windows file system
(as opposed to an API) via registry entries (on the server AND client)
for the purpose of enhancing network performance when accessing a file
residing on a server. Performance is enhanced by caching the file
</varlistentry>
<varlistentry><term>Lock caching:</term>
+ <listitem><para>
The client caches application locks locally, eliminating network latency
</para></listitem>
</varlistentry>
<title>Beware of Force User</title>
<para>
-Samba includes an smb.conf parameter called "force user" that changes
+Samba includes an &smb.conf; parameter called <parameter>force user</parameter> that changes
the user accessing a share from the incoming user to whatever user is
defined by the smb.conf variable. If opportunistic locking is enabled
on a share, the change in user access causes an oplock break to be sent
<itemizedlist>
<listitem><para>
- <emphasis>force user</emphasis> in the &smb.conf; share configuration.
+ <parameter>force user</parameter> in the &smb.conf; share configuration.
</para></listitem>
<listitem><para>
administrator to adjust various properties of the oplock mechanism to
account for timing and usage levels. These parameters provide good
versatility for implementing oplocks in environments where they would
-likely cause problems. The parameters are: <emphasis>oplock break wait time,
-oplock contention limit</emphasis>.
+likely cause problems. The parameters are:
+<parameter>oplock break wait time</parameter>,
+<parameter>oplock contention limit</parameter>.
</para>
<para>
</sect3>
<sect3>
-<title>Diabling Kernel OpLocks</title>
+<title>Disabling Kernel OpLocks</title>
<para>
Kernel OpLocks is an &smb.conf; parameter that notifies Samba (if
</para>
<para>
-<programlisting><title>Example:</title>
+<programlisting>
[global]
- kernel oplocks = yes
-
-The default is "no".
+kernel oplocks = yes
</programlisting>
+The default is "no".
</para>
<para>
interval for Samba to reply to an oplock break request. Samba
recommends "DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND
UNDERSTOOD THE SAMBA OPLOCK CODE." Oplock Break Wait Time can only be
-configured globally in the smb.conf file:
+configured globally in the &smb.conf; file:
</para>
<para>
[global]
oplock break contention limit = 2 (default)
- [share_name]
+[share_name]
oplock break contention limit = 2 (default)
</programlisting>
</para>
attempts to access shared data files located on another Windows 2000/XP computer,
the Windows 2000/XP operating system will attempt to increase performance by locking the
files and caching information locally. When this occurs, the application is unable to
-properly function, which results in an <emphasis>Access Denied</emphasis>
+properly function, which results in an <errorname>Access Denied</errorname>
error message being displayed during network operations.
</para>
Here's an example of setting up a DFS tree on a Samba server.
</para>
- <para><screen>
+ <para><programlisting>
# The smb.conf file:
[global]
netbios name = SMOKEY
[dfs]
path = /export/dfsroot
msdfs root = yes
- </screen></para>
+ </programlisting></para>
- <para>
- In the /export/dfsroot directory we set up our dfs links to other servers on the network.
- </para>
- <para>
+ <para>In the /export/dfsroot directory we set up our dfs links to
+ other servers on the network.</para>
+
<screen>
&rootprompt;<userinput>cd /export/dfsroot</userinput>
&rootprompt;<userinput>chown root /export/dfsroot</userinput>
&rootprompt;<userinput>ln -s msdfs:storageA\\shareA linka</userinput>
&rootprompt;<userinput>ln -s msdfs:serverB\\share,serverC\\share linkb</userinput>
</screen>
- </para>
<para>You should set up the permissions and ownership of
the directory acting as the DFS root such that only designated
although they may log onto a domain environment:
</para>
- <itemizedlist>
- <listitem><para>
- MS DOS Network client 3.0 with the basic network redirector installed
- </para></listitem>
-
- <listitem><para>
- Windows 95 with the network redirector update installed
- </para></listitem>
-
- <listitem><para>
- Windows 98 [se]
- </para></listitem>
-
- <listitem><para>
- Windows Me</para>
- </listitem>
- </itemizedlist>
+ <simplelist>
+ <member>MS DOS Network client 3.0 with the basic network redirector installed</member>
+ <member>Windows 95 with the network redirector update installed</member>
+ <member>Windows 98 [se]</member>
+ <member>Windows Me</member>
+ </simplelist>
<note>
<para>
The following versions of MS Windows fully support domain security protocols.
</para>
- <itemizedlist>
- <listitem><para>Windows NT 3.5x</para></listitem>
- <listitem><para>Windows NT 4.0</para></listitem>
- <listitem><para>Windows 2000 Professional</para></listitem>
- <listitem><para>Windows 200x Server/Advanced Server</para></listitem>
- <listitem><para>Windows XP Professional</para></listitem>
- </itemizedlist>
+ <simplelist>
+ <member>Windows NT 3.5x</member>
+ <member>Windows NT 4.0</member>
+ <member>Windows 2000 Professional</member>
+ <member>Windows 200x Server/Advanced Server</member>
+ <member>Windows XP Professional</member>
+ </simplelist>
<para>
All current release of Microsoft SMB/CIFS clients support authentication via the
<para>
Firstly, all Samba SAM (Security Account Management database) accounts require
a Unix/Linux UID that the account will map to. As users are added to the account
- information database samba-3 will call the <command>add user script</command>
+ information database samba-3 will call the <parameter>add user script</parameter>
interface to add the account to the Samba host OS. In essence all accounts in
the local SAM require a local user account.
</para>
<para>
Samba-3 provides two (2) tools for management of User and machine accounts. These tools are
-called <filename>smbpasswd</filename> and <filename>pdbedit</filename>. A third tool is under
+called <filename>smbpasswd</filename> and <command>pdbedit</command>. A third tool is under
development but is NOT expected to ship in time for Samba-3.0.0. The new tool will be a TCL/TK
GUI tool that looks much like the MS Windows NT4 Domain User Manager - hopefully this will
be announced in time for samba-3.0.1 release timing.
<command>smbpasswd</command> can be used to:
</para>
- <itemizedlist>
- <listitem><para>
- <emphasis>add</emphasis> user or machine accounts
- </para></listitem>
-
- <listitem><para>
- <emphasis>delete</emphasis> user or machine accounts
- </para></listitem>
-
- <listitem><para>
- <emphasis>enable</emphasis> user or machine accounts
- </para></listitem>
-
- <listitem><para>
- <emphasis>disable</emphasis> user or machine accounts
- </para></listitem>
-
- <listitem><para>
- <emphasis>set to NULL</emphasis> user passwords
- </para></listitem>
-
- <listitem><para>
- <emphasis>manage interdomain trust accounts</emphasis>
- </para></listitem>
- </itemizedlist>
+ <simplelist>
+ <member><emphasis>add</emphasis> user or machine accounts</member>
+ <member><emphasis>delete</emphasis> user or machine accounts</member>
+ <member><emphasis>enable</emphasis> user or machine accounts</member>
+ <member><emphasis>disable</emphasis> user or machine accounts</member>
+ <member><emphasis>set to NULL</emphasis> user passwords</member>
+ <member><emphasis>manage interdomain trust accounts</emphasis></member>
+ </simplelist>
<para>
To run smbpasswd as a normal user just type:
</para>
<para>
- <programlisting>
+ <screen>
<prompt>$ </prompt><userinput>smbpasswd</userinput>
- <prompt>Old SMB password: </prompt><userinput><secret></userinput>
- </programlisting>
- For <emphasis>secret</emphasis> type old value here - or hit return if
+ <prompt>Old SMB password: </prompt><userinput><replaceable>secret</replaceable></userinput>
+ </screen>
+ For <replaceable>secret</replaceable> type old value here - or hit return if
there was no old password
- <programlisting>
- <prompt>New SMB Password: </prompt><userinput><new secret></userinput>
- <prompt>Repeat New SMB Password: </prompt><userinput><new secret></userinput>
- </programlisting>
+ <screen>
+ <prompt>New SMB Password: </prompt><userinput><replaceable>new secret</replaceable></userinput>
+ <prompt>Repeat New SMB Password: </prompt><userinput><replaceable>new secret</replaceable></userinput>
+ </screen>
</para>
<para>
manage the passdb backend. <command>pdbedit</command> can be used to:
</para>
- <itemizedlist>
- <listitem><para>
- add, remove or modify user accounts
- </para></listitem>
-
- <listitem><para>
- listing user accounts
- </para></listitem>
-
- <listitem><para>
- migrate user accounts
- </para></listitem>
- </itemizedlist>
+ <simplelist>
+ <member>add, remove or modify user accounts</member>
+ <member>listing user accounts</member>
+ <member>migrate user accounts</member>
+ </simplelist>
<para>
The <command>pdbedit</command> tool is the only one that can manage the account
a tdbsam password backend. This listing was produced by running:
</para>
- <para>
- pdbedit -Lv met
- <programlisting>
+ <screen>
+ <prompt>$ </prompt><userinput>pdbedit -Lv met</userinput>
Unix username: met
NT username:
Account Flags: [UX ]
Password last set: Sat, 14 Dec 2002 14:37:03 GMT
Password can change: Sat, 14 Dec 2002 14:37:03 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
- </programlisting>
- </para>
+ </screen>
+
+ <!-- FIXME: Add note about migrating user accounts -->
</sect2>
</sect1>
<para>
<programlisting>
-In smb.conf [globals]
- passdb backend = tdbsam:/etc/samba/passdb.tdb, \
+[globals]
+ passdb backend = tdbsam:/etc/samba/passdb.tdb, \
tdbsam:/etc/samba/old-passdb.tdb, guest
</programlisting>
</para>
<para>
<screen>
-slapadd -v -l initldap.dif
+<prompt>$ </prompt><userinput>slapadd -v -l initldap.dif</userinput>
</screen>
</para>
Before Samba can access the LDAP server you need to stoe the LDAP admin password
into the Samba-3 <filename>secrets.tdb</filename> database by:
<screen>
- &rootprompt; <command>smbpasswd -w secret</command>
+&rootprompt; <userinput>smbpasswd -w <replaceable>secret</replaceable></userinput>
</screen>
</para>
</note>
</para>
<para>
-<screen>
+<programlisting>
## /usr/local/samba/lib/smb.conf
[global]
security = user
# generally the default ldap search filter is ok
# ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
-</screen>
+</programlisting>
</para>
</sect3>
</para>
<para>
-<screen>
+<programlisting>
## allow the "ldap admin dn" access, but deny everyone else
access to attrs=lmPassword,ntPassword
by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write
by * none
-</screen>
+</programlisting>
</para>
</sect3>
The sambaAccount objectclass is composed of the following attributes:
</para>
- <itemizedlist>
- <listitem><para><constant>lmPassword</constant>: the LANMAN password 16-byte hash stored as a character
- representation of a hexidecimal string.</para></listitem>
-
- <listitem><para><constant>ntPassword</constant>: the NT password hash 16-byte stored as a character
- representation of a hexidecimal string.</para></listitem>
-
- <listitem><para><constant>pwdLastSet</constant>: The integer time in seconds since 1970 when the
+ <table>
+ <tgroup cols="2" align="left">
+ <tbody>
+ <row><entry><constant>lmPassword</constant></entry><entry>the LANMAN password 16-byte hash stored as a character
+ representation of a hexidecimal string.</entry></row>
+ <row><entry><constant>ntPassword</constant></entry><entry>the NT password hash 16-byte stored as a character
+ representation of a hexidecimal string.</entry></row>
+ <row><entry><constant>pwdLastSet</constant></entry><entry>The integer time in seconds since 1970 when the
<constant>lmPassword</constant> and <constant>ntPassword</constant> attributes were last set.
- </para></listitem>
+ </entry></row>
- <listitem><para><constant>acctFlags</constant>: string of 11 characters surrounded by square brackets []
+ <row><entry><constant>acctFlags</constant></entry><entry>string of 11 characters surrounded by square brackets []
representing account flags such as U (user), W(workstation), X(no password expiration),
I(Domain trust account), H(Home dir required), S(Server trust account),
- and D(disabled).</para></listitem>
+ and D(disabled).</entry></row>
- <listitem><para><constant>logonTime</constant>: Integer value currently unused</para></listitem>
+ <row><entry><constant>logonTime</constant></entry><entry>Integer value currently unused</entry></row>
- <listitem><para><constant>logoffTime</constant>: Integer value currently unused</para></listitem>
+ <row><entry><constant>logoffTime</constant></entry><entry>Integer value currently unused</entry></row>
- <listitem><para><constant>kickoffTime</constant>: Integer value currently unused</para></listitem>
+ <row><entry><constant>kickoffTime</constant></entry><entry>Integer value currently unused</entry></row>
- <listitem><para><constant>pwdCanChange</constant>: Integer value currently unused</para></listitem>
+ <row><entry><constant>pwdCanChange</constant></entry><entry>Integer value currently unused</entry></row>
- <listitem><para><constant>pwdMustChange</constant>: Integer value currently unused</para></listitem>
+ <row><entry><constant>pwdMustChange</constant></entry><entry>Integer value currently unused</entry></row>
- <listitem><para><constant>homeDrive</constant>: specifies the drive letter to which to map the
+ <row><entry><constant>homeDrive</constant></entry><entry>specifies the drive letter to which to map the
UNC path specified by homeDirectory. The drive letter must be specified in the form "X:"
where X is the letter of the drive to map. Refer to the "logon drive" parameter in the
- smb.conf(5) man page for more information.</para></listitem>
+ smb.conf(5) man page for more information.</entry></row>
- <listitem><para><constant>scriptPath</constant>: The scriptPath property specifies the path of
+ <row><entry><constant>scriptPath</constant></entry><entry>The scriptPath property specifies the path of
the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path
is relative to the netlogon share. Refer to the "logon script" parameter in the
- smb.conf(5) man page for more information.</para></listitem>
+ smb.conf(5) man page for more information.</entry></row>
- <listitem><para><constant>profilePath</constant>: specifies a path to the user's profile.
+ <row><entry><constant>profilePath</constant></entry><entry>specifies a path to the user's profile.
This value can be a null string, a local absolute path, or a UNC path. Refer to the
- "logon path" parameter in the smb.conf(5) man page for more information.</para></listitem>
+ "logon path" parameter in the smb.conf(5) man page for more information.</entry></row>
- <listitem><para><constant>smbHome</constant>: The homeDirectory property specifies the path of
+ <row><entry><constant>smbHome</constant></entry><entry>The homeDirectory property specifies the path of
the home directory for the user. The string can be null. If homeDrive is set and specifies
a drive letter, homeDirectory should be a UNC path. The path must be a network
UNC path of the form <filename>\\server\share\directory</filename>. This value can be a null string.
Refer to the <command>logon home</command> parameter in the &smb.conf; man page for more information.
- </para></listitem>
+ </entry></row>
- <listitem><para><constant>userWorkstation</constant>: character string value currently unused.
- </para></listitem>
+ <row><entry><constant>userWorkstation</constant></entry><entry>character string value currently unused.
+ </entry></row>
- <listitem><para><constant>rid</constant>: the integer representation of the user's relative identifier
- (RID).</para></listitem>
+ <row><entry><constant>rid</constant></entry><entry>the integer representation of the user's relative identifier
+ (RID).</entry></row>
- <listitem><para><constant>primaryGroupID</constant>: the relative identifier (RID) of the primary group
- of the user.</para></listitem>
+ <row><entry><constant>primaryGroupID</constant></entry><entry>the relative identifier (RID) of the primary group
+ of the user.</entry></row>
- <listitem><para><constant>domain</constant>: domain the user is part of.</para></listitem>
- </itemizedlist>
+ <row><entry><constant>domain</constant></entry><entry>domain the user is part of.</entry></row>
+ </tbody>
+ </tgroup></table>
<para>
The majority of these parameters are only used when Samba is acting as a PDC of
are only stored with the sambaAccount entry if the values are non-default values:
</para>
- <itemizedlist>
- <listitem><para>smbHome</para></listitem>
- <listitem><para>scriptPath</para></listitem>
- <listitem><para>logonPath</para></listitem>
- <listitem><para>homeDrive</para></listitem>
- </itemizedlist>
+ <simplelist>
+ <member>smbHome</member>
+ <member>scriptPath</member>
+ <member>logonPath</member>
+ <member>homeDrive</member>
+ </simplelist>
<para>
These attributes are only stored with the sambaAccount entry if
the values are non-default values. For example, assume TASHTEGO has now been
- configured as a PDC and that <command>logon home = \\%L\%u</command> was defined in
- its <filename>smb.conf</filename> file. When a user named "becky" logons to the domain,
+ configured as a PDC and that <parameter>logon home = \\%L\%u</parameter> was defined in
+ its &smb.conf; file. When a user named "becky" logons to the domain,
the <parameter>logon home</parameter> string is expanded to \\TASHTEGO\becky.
If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org",
this value is used. However, if this attribute does not exist, then the value
</para>
<para>
- <screen>
+ <programlisting>
dn: uid=guest2, ou=people,dc=plainjoe,dc=org
ntPassword: 878D8014606CDA29677A44EFA1353FC7
pwdMustChange: 2147483647
logoffTime: 2147483647
rid: 19006
pwdCanChange: 0
- </screen>
+ </programlisting>
</para>
<para>
</para>
<para>
- <screen>
+ <programlisting>
dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
logonTime: 0
displayName: Gerald Carter
pwdCanChange: 0
pwdMustChange: 2147483647
ntPassword: 878D8014606CDA29677A44EFA1353FC7
- </screen>
+</programlisting>
</para>
</sect3>
using pam_ldap, this allows changing both unix and windows passwords at once.
</para>
- <para>The <command>ldap passwd sync</command> options can have the following values:</para>
+ <para>The <parameter>ldap passwd sync</parameter> options can have the following values:</para>
<variablelist>
<varlistentry>
contains the correct queries to create the required tables. Use the command :
<screen>
- <command>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> <replaceable>databasename</replaceable> > <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></command>
+ <prompt>$ </prompt><userinput>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> <replaceable>databasename</replaceable> > <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></userinput>
</screen>
</para>
</sect3>
<para>This plugin lacks some good documentation, but here is some short info:</para>
- <para>Add a the following to the <command>passdb backend</command> variable in your <filename>smb.conf</filename>:
- <screen>
+ <para>Add a the following to the <parameter>passdb backend</parameter> variable in your &smb.conf;:
+ <programlisting>
passdb backend = [other-plugins] mysql:identifier [other-plugins]
- </screen>
+ </programlisting>
</para>
<para>The identifier can be any string you like, as long as it doesn't collide with
</para>
<para>
- Additional options can be given thru the &smb.conf; file in the <command>[global]</command> section.
+ Additional options can be given thru the &smb.conf; file in the <parameter>[global]</parameter> section.
</para>
<para>
- <screen>
+ <programlisting>
identifier:mysql host - host name, defaults to 'localhost'
identifier:mysql password
identifier:mysql user - defaults to 'samba'
identifier:mysql database - defaults to 'samba'
identifier:mysql port - defaults to 3306
identifier:table - Name of the table containing users
- </screen>
+ : </programlisting>
</para>
<warning>
<para>Names of the columns in this table(I've added column types those columns should have first):</para>
<para>
- <screen>
+ <programlisting>
identifier:logon time column - int(9)
identifier:logoff time column - int(9)
identifier:kickoff time column - int(9)
identifier:hours len column - int(9) - ?
identifier:unknown 5 column - int(9) - unknown
identifier:unknown 6 column - int(9) - unknown
- </screen>
+ </programlisting>
</para>
<para>
</para>
<para>
- <userinput>pdbedit -e xml:filename</userinput>
+ <prompt>$ </prompt><userinput>pdbedit -e xml:filename</userinput>
</para>
<para>
<para>
To import data, use:
- <userinput>pdbedit -i xml:filename -e current-pdb</userinput>
- </para>
-
- <para>
- Where filename is the name to read the data from and current-pdb to put it in.
- </para>
-
- <para>
- For example: To migrate (copy) the smbpasswd database into a tdbsam database:
- </para>
-
- <para>
- then execute (as root):
- <screen>
- &rootprompt;<userinput>pdbedit -i smbpasswd -e tdbsam</userinput>
- </screen>
+ <prompt>$ </prompt><userinput>pdbedit -i xml:filename</userinput>
</para>
</sect2>
</sect1>
</para>
<para>
- <screen>
+ <programlisting>
[globals]
...
passdb backend = smbpasswd, tdbsam, guest
...
- </screen>
+ </programlisting>
</para>
<para>
</para>
<para>
- <screen>
+ <programlisting>
[globals]
...
passdb backend = tdbsam, smbpasswd, guest
...
- </screen>
+ </programlisting>
</para>
</sect2>
<para>
The following MS KB article, may be of some help if you are dealing with
-Windows 2000 clients: <emphasis>How to Add Printers with No User
-Interaction in Windows 2000</emphasis>
-</para>
-
-<para>
-<ulink url="http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP">http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP</ulink>
+Windows 2000 clients:
+<ulink url="http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP">How to Add Printers with No User Interaction in Windows 2000</ulink>
</para>
</sect1>
on the share. See the <ulink url="smb.conf.5.html">smb.conf(5)
man page</ulink> for more information on configuring file shares.</para>
-<para>The requirement for <ulink url="smb.conf.5.html#GUESTOK"><command>guest
-ok = yes</command></ulink> depends upon how your
+<para>The requirement for <ulink url="smb.conf.5.html#GUESTOK"><parameter>guest
+ok = yes</parameter></ulink> depends upon how your
site is configured. If users will be guaranteed to have
an account on the Samba host, then this is a non-issue.</para>
you just want to be able to print without worrying about
silly accounts and security, then configure the share for
guest access. You'll probably want to add <ulink
-url="smb.conf.5.html#MAPTOGUEST"><command>map to guest = Bad User
-</command></ulink> in the [global] section as well. Make sure
+url="smb.conf.5.html#MAPTOGUEST"><parameter>map to guest = Bad User
+</parameter></ulink> in the <parameter>[global]</parameter> section as well. Make sure
you understand what this parameter does before using it
though. --jerry
</para>
<para>
-Once you have created the required [print$] service and
+Once you have created the required <parameter>[print$]</parameter> service and
associated subdirectories, simply log onto the Samba server using
a root (or <parameter>printer admin</parameter>) account
-from a Windows NT 4.0/2k client. Open "Network Neighbourhood" or
-"My Network Places" and browse for the Samba host. Once you have located
-the server, navigate to the "Printers..." folder.
+from a Windows NT 4.0/2k client. Open <guilabel>Network Neighbourhood</guilabel> or
+<guilabel>My Network Places</guilabel> and browse for the Samba host. Once you have located
+the server, navigate to the <guilabel>Printers...</guilabel> folder.
You should see an initial listing of printers
that matches the printer shares defined on your Samba host.
</para>
the error message:</para>
<para>
-<emphasis>Device settings cannot be displayed. The driver
+<errorname>Device settings cannot be displayed. The driver
for the specified printer is not installed, only spooler
properties will be displayed. Do you want to install the
-driver now?</emphasis>
+driver now?</errorname>
</para>
<para>
-Click "No" in the error dialog and you will be presented with
+Click <guibutton>No</guibutton> in the error dialog and you will be presented with
the printer properties window. The way to assign a driver to a
printer is to either
</para>
-<itemizedlist>
- <listitem><para>Use the "New Driver..." button to install
- a new printer driver, or</para></listitem>
+<procedure>
+ <step><para>Use the <guibutton>New Driver...</guibutton> button to install
+ a new printer driver, or</para></step>
- <
listitem><para>Select a driver from the popup list of
- installed drivers. Initially this list will be empty.</para>
- </listitem>
-</itemizedlist>
+ <
step><para>Select a driver from the popup list of
+ installed drivers. Initially this list will be empty.</para>
+ </step>
+</procedure>
<para>If you wish to install printer drivers for client
operating systems other than "Windows NT x86", you will need
-to use the "Sharing" tab of the printer properties dialog.</para>
+to use the <guilabel>Sharing</guilabel> tab of the printer properties dialog.</para>
<para>Assuming you have connected with a root account, you
will also be able modify other printer properties such as
listed in the Printers folder which are not shared. Samba does
not make this distinction. By definition, the only printers of
which Samba is aware are those which are specified as shares in
-<filename>smb.conf</filename>.</para>
+&smb.conf;.</para>
<para>Another interesting side note is that Windows NT clients do
not use the SMB printer share, but rather can print directly
<para>One issue that has arisen during the development
phase of Samba 2.2 is the need to support driver downloads for
100's of printers. Using the Windows NT APW is somewhat
-awkward to say the list. If more than one printer are using the
+awkward to say the least. If more than one printer are using the
same driver, the <ulink url="rpcclient.1.html"><command>rpcclient's
setdriver command</command></ulink> can be used to set the driver
associated with an installed driver. The following is example
of how this could be accomplished:</para>
<para>
-<prompt>$ </prompt><userinput>rpcclient pogo -U root%secret -c "enumdrivers"</userinput>
-<programlisting>
+<screen>
+<prompt>$ </prompt><userinput>rpcclient <replaceable>pogo</replaceable> -U root%<replaceable>secret</replaceable> -c "enumdrivers"</userinput>
Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
[Windows NT x86]
Printer Driver Info 1:
Driver Name: [HP LaserJet 4Si/4SiMX PS]
-</programlisting>
-<prompt>$ </prompt><userinput>rpcclient pogo -U root%secret -c "enumprinters"</userinput>
-<programlisting>
+<prompt>$ </prompt><userinput>rpcclient <replaceable>pogo</replaceable> -U root%<replaceable>secret</replaceable> -c "enumprinters"</userinput>
Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
flags:[0x800000]
name:[\\POGO\hp-print]
description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
comment:[]
-</programlisting>
-<prompt>$ </prompt><userinput>rpcclient pogo -U root%secret -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""</userinput>
-<programlisting>
+<prompt>$ </prompt><userinput>rpcclient <replaceable>pogo</replaceable> -U root%<replaceable>secret</replaceable> -c "setdriver <replaceable>hp-print</replaceable> <replaceable>\"HP LaserJet 4000 Series PS\"</replaceable></userinput>
Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
Successfully set hp-print to driver HP LaserJet 4000 Series PS.
-</programlisting></para>
+</screen></para>
</sect2>
<title>Adding New Printers via the Windows NT APW</title>
<para>
-By default, Samba offers all printer shares defined in <filename>smb.conf</filename>
-in the "Printers..." folder. Also existing in this folder is the Windows NT
-Add Printer Wizard icon. The APW will be show only if
+By default, Samba offers all printer shares defined in &smb.conf;
+in the <filename>Printers...</filename> folder. Also existing in this folder is the Windows NT
+Add Printer Wizard icon. The <acronym>APW</acronym> will be show only if
</para>
<itemizedlist>
printer command</parameter></ulink> must have a defined value. The program
hook must successfully add the printer to the system (i.e.
<filename>/etc/printcap</filename> or appropriate files) and
-<filename>smb.conf</filename> if necessary.
+&smb.conf; if necessary.
</para>
<para>
When using the APW from a client, if the named printer share does
-not exist,
<command>smbd</command> will execute the <parameter>add printer
-command</parameter> and reparse to the <filename>smb.conf</filename>
+not exist,
&smbd; will execute the <parameter>add printer
+command</parameter> and reparse to the &smb.conf;
to attempt to locate the new printer share. If the share is still not defined,
-an error of "Access Denied" is returned to the client. Note that the
+an error of <errorname>Access Denied</errorname> is returned to the client. Note that the
<parameter>add printer program</parameter> is executed under the context
of the connected user, not necessarily a root account.
</para>
<para>
If you require that multiple ports be defined for some reason,
-
<filename>smb.conf</filename> possesses a <ulink
+
&smb.conf; possesses a <ulink
url="smb.conf.5.html#ENUMPORTSCOMMAND"><parameter>enumports
command</parameter></ulink> which can be used to define an external program
that generates a listing of ports on a system.
</sect1>
<!--
+FIXME
This comment from rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex()
needs to be added into a section probably. This is to remind me it needs
and remove the job:
</para>
-<para><programlisting>
-
-h4: {42} % echo hi >/tmp/hi
-h4: {43} % smbclient //localhost/lw4
+<para><screen>
+<prompt>h4: {42} % </prompt><userinput>echo hi >/tmp/hi</userinput>
+<prompt>h4: {43} % </prompt><userinput>smbclient //localhost/lw4</userinput>
added interface ip=10.0.0.4 bcast=10.0.0.255 nmask=255.255.255.0
Password:
Domain=[ASTART] OS=[Unix] Server=[Samba 2.0.7]
-smb: \> print /tmp/hi
+<prompt>smb: \> </prompt><userinput>print /tmp/hi</userinput>
putting file /tmp/hi as hi-17534 (0.0 kb/s) (average 0.0 kb/s)
-smb: \> queue
+<prompt>smb: \> </prompt><userinput>queue</userinput>
1049 3 hi-17534
-smb: \> cancel 1049
+<prompt>smb: \> </prompt><userinput>cancel 1049</userinput>
Error cancelling job 1049 : code 0
-smb: \> cancel 1049
+<prompt>smb: \> </prompt><userinput>cancel 1049</userinput>
Job 1049 cancelled
-smb: \> queue
-smb: \> exit
-</programlisting></para>
+<prompt>smb: \> </prompt><userinput>queue</userinput>
+<prompt>smb: \> </prompt><userinput>exit</userinput>
+</screen></para>
<para>
The 'code 0' indicates that the job was removed. The comment
use:
</para>
-<para><programlisting>
- testprns printer /etc/printcap
-</programlisting></para>
+<para><screen>
+<prompt>$ </prompt><userinput>testprns printer /etc/printcap</userinput>
+</screen></para>
<para>
Samba can get its printcap information from a file or from a program.
information:
</para>
-<para><programlisting>
- testprns -a printer /etc/printcap
-
- testprns -a printer '|/bin/cat printcap'
-</programlisting></para>
+<para><screen>
+<prompt>$ </prompt><userinput>testprns -a printer /etc/printcap</userinput>
+<prompt>$ </prompt><userinput>testprns -a printer '|/bin/cat printcap'</userinput>
+</screen></para>
</sect2>
Here are some examples of printcap files:
</para>
-<para>
-<orderedlist>
-<listitem><para>
-pr just printer name
-</para></listitem>
-<listitem><para>
-pr|alias printer name and alias
-</para></listitem>
-<listitem><para>
-pr|My Printer printer name, alias used as comment
-</para></listitem>
-<listitem><para>
-pr:sh:\ Same as pr:sh:cm= testing
+<table>
+ <tgroup cols="2" align="left">
+ <tbody>
+ <row><entry><programlisting>pr</programlisting></entry><entry>just printer name</entry></row>
+ <row><entry><programlisting>pr|alias</programlisting></entry><entry>printer name and alias</entry></row>
+ <row><entry><programlisting>pr|My Printer</programlisting></entry><entry>printer name, alias used as comment</entry></row>
+ <row><entry><programlisting>
+pr:sh:\
:cm= \
testing
-</para></listitem>
-<listitem><para>
-pr:sh Same as pr:sh:cm= testing
+</programlisting></entry><entry>Same as pr:sh:cm= testing</entry></row>
+ <row><entry><programlisting>
+pr:sh
:cm= testing
-</para></listitem>
-</orderedlist>
-</para>
+</programlisting></entry><entry>Same as pr:sh:cm= testing</entry></row>
+</tbody>
+</tgroup>
+</table>
<para>
Samba reads the printcap information when first started. If you make
submitted, but they will not be printed. Use:
</para>
-<para><programlisting>
- lpc -Pprinter stop
-</programlisting></para>
+<para><screen>
+<prompt>$ </prompt><userinput>lpc -Pprinter stop</userinput>
+</screen></para>
<para>
-Now submit a print job and then use 'lpq -Pprinter' to see if the
+Now submit a print job and then use <userinput>lpq -Pprinter</userinput> to see if the
job is in the print queue. If it is not in the print queue then
you will have to find out why it is not being accepted for printing.
</para>
format actually is:
</para>
-<para><programlisting>
- cd /var/spool/lpd/printer # spool directory of print jobs
- ls # find job files
- file dfA001myhost
-</programlisting></para>
+<para><screen>
+<prompt>$ </prompt><userinput>cd /var/spool/lpd/printer # spool directory of print jobs</userinput>
+<prompt>$ </prompt><userinput>ls # find job files</userinput>
+<prompt>$ </prompt><userinput>file dfA001myhost</userinput>
+</screen></para>
<para>
You should make sure that your printer supports this format OR that
<para>
Note that you can do some pretty magic things by using your
-imagination with the "print command" option and some shell scripts.
+imagination with the <parameter>print command</parameter> option and some shell scripts.
Doing print accounting is easy by passing the %U option to a print
command shell script. You could even make the print command detect
the type of output and its size and send it to an appropriate
</sect2>
-<sect2>
-<title>Real debugging</title>
-
-<para>
-If the above debug tips don't help, then maybe you need to bring in
-the bug guns, system tracing. See Tracing.txt in this directory.
-</para>
-</sect2>
</sect1>
</chapter>
git.samba.org / nivanova / samba-autobuild / .git / commitdiff