1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >SAMBA Project Documentation</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.77"></HEAD
19 NAME="SAMBA-PROJECT-DOCUMENTATION"
26 NAME="SAMBA-PROJECT-DOCUMENTATION"
28 >SAMBA Project Documentation</H1
48 > : Thu Aug 15 12:48:45 CDT 2002</P
50 >This book is a collection of HOWTOs added to Samba documentation over the years.
51 I try to ensure that all are current, but sometimes the is a larger job
52 than one person can maintain. The most recent version of this document
54 HREF="http://www.samba.org/"
56 >http://www.samba.org/</A
58 on the "Documentation" page. Please send updates to <A
59 HREF="mailto:jerry@samba.org"
64 >This documentation is distributed under the GNU General Public License (GPL)
65 version 2. A copy of the license is included with the Samba source
66 distribution. A copy can be found on-line at <A
67 HREF="http://www.fsf.org/licenses/gpl.txt"
69 >http://www.fsf.org/licenses/gpl.txt</A
83 >How to Install and Test SAMBA</A
90 >Step 0: Read the man pages</A
95 >Step 1: Building the Binaries</A
100 >Step 2: The all important step</A
105 >Step 3: Create the smb configuration file.</A
110 >Step 4: Test your config file with
119 >Step 5: Starting the smbd and nmbd</A
126 >Step 5a: Starting from inetd.conf</A
131 >Step 5b. Alternative: starting it as a daemon</A
138 >Step 6: Try listing the shares available on your
144 >Step 7: Try connecting with the unix client</A
149 >Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
150 Win2k, OS/2, etc... client</A
155 >What If Things Don't Work?</A
162 >Diagnosing Problems</A
172 >Choosing the Protocol Level</A
177 >Printing from UNIX to a Client PC</A
187 >Mapping Usernames</A
196 >Diagnosing your samba server</A
277 >Still having troubles?</A
283 HREF="#INTEGRATE-MS-NETWORKS"
284 >Integrating MS Windows networks with Samba</A
296 >Name Resolution in a pure Unix/Linux world</A
313 >/etc/resolv.conf</TT
329 >/etc/nsswitch.conf</TT
337 >Name resolution as used within MS Windows networking</A
344 >The NetBIOS Name Cache</A
371 >How browsing functions and how to deploy stable and
372 dependable browsing using Samba</A
377 >MS Windows security options and how to configure
378 Samba for seemless integration</A
385 >Use MS Windows NT as an authentication server</A
390 >Make Samba a member of an MS Windows NT security domain</A
395 >Configure Samba as an authentication server</A
409 >Configuring PAM for distributed but centrally
410 managed authentication</A
422 >Distributed Authentication</A
427 >PAM Configuration in smb.conf</A
434 >Hosting a Microsoft Distributed File System tree on Samba</A
456 HREF="#UNIX-PERMISSIONS"
457 >UNIX Permission Bits and Windows NT Access Control Lists</A
464 >Viewing and changing UNIX permissions using the NT
470 >How to view file security on a Samba share</A
475 >Viewing file ownership</A
480 >Viewing file or directory permissions</A
492 >Directory Permissions</A
499 >Modifying file or directory permissions</A
504 >Interaction with the standard Samba create mask
510 >Interaction with the standard Samba file attribute
518 >Printing Support in Samba 2.2.x</A
537 >Creating [print$]</A
542 >Setting Drivers for Existing Printers</A
547 >Support a large number of printers</A
552 >Adding New Printers via the Windows NT APW</A
557 >Samba and Printer Ports</A
564 >The Imprints Toolset</A
571 >What is Imprints?</A
576 >Creating Printer Driver Packages</A
581 >The Imprints server</A
586 >The Installation Client</A
596 >Migration to from Samba 2.0.x to 2.2.x</A
602 HREF="#PRINTINGDEBUG"
603 >Debugging Printing Problems</A
615 >Debugging printer problems</A
620 >What printers do I have?</A
625 >Setting up printcap and print servers</A
630 >Job sent, no output</A
635 >Job sent, strange output</A
640 >Raw PostScript printed</A
645 >Advanced Printing</A
656 HREF="#SECURITYLEVELS"
669 >More complete description of security levels</A
675 HREF="#DOMAIN-SECURITY"
676 >security = domain in Samba 2.x</A
683 >Joining an NT Domain with Samba 2.2</A
688 >Samba and Windows 2000 Domains</A
693 >Why is this better than security = server?</A
700 >Unified Logons between Windows NT and UNIX using Winbind</A
717 >What Winbind Provides</A
731 >How Winbind Works</A
738 >Microsoft Remote Procedure Calls</A
743 >Name Service Switch</A
748 >Pluggable Authentication Modules</A
753 >User and Group ID Allocation</A
765 >Installation and Configuration</A
782 >Testing Things Out</A
801 >How to Configure Samba 2.2 as a Primary Domain Controller</A
808 >Prerequisite Reading</A
818 >Configuring the Samba Domain Controller</A
823 >Creating Machine Trust Accounts and Joining Clients to the
831 >Manual Creation of Machine Trust Accounts</A
836 >"On-the-Fly" Creation of Machine Trust Accounts</A
841 >Joining the Client to the Domain</A
848 >Common Problems and Errors</A
853 >System Policies and Profiles</A
858 >What other help can I get?</A
863 >Domain Control for Windows 9x/ME</A
870 >Configuration Instructions: Network Logons</A
875 >Configuration Instructions: Setting up Roaming User Profiles</A
882 >DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A
889 >How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A
896 >Prerequisite Reading</A
906 >What qualifies a Domain Controller on the network?</A
913 >How does a Workstation find its domain controller?</A
918 >When is the PDC needed?</A
925 >Can Samba be a Backup Domain Controller?</A
930 >How do I set up a Samba BDC?</A
937 >How do I replicate the smbpasswd file?</A
945 HREF="#SAMBA-LDAP-HOWTO"
946 >Storing Samba's User/Machine Account information in an LDAP Directory</A
963 >Supported LDAP Servers</A
968 >Schema and Relationship to the RFC 2307 posixAccount</A
973 >Configuring Samba with LDAP</A
980 >OpenLDAP configuration</A
985 >Configuring Samba</A
992 >Accounts and Groups management</A
997 >Security and sambaAccount</A
1002 >LDAP specials attributes for sambaAccounts</A
1007 >Example LDIF Entries for a sambaAccount</A
1019 >Using samba 3.0 with ActiveDirectory support</A
1026 >Installing the required packages for Debian</A
1031 >Installing the required packages for RedHat</A
1041 >Setup your /etc/krb5.conf</A
1046 >Create the computer account</A
1060 >Test your server setup</A
1065 >Testing with smbclient</A
1076 HREF="#IMPROVED-BROWSING"
1077 >Improved browsing in samba</A
1084 >Overview of browsing</A
1089 >Browsing support in samba</A
1094 >Problem resolution</A
1099 >Browsing across subnets</A
1106 >How does cross subnet browsing work ?</A
1113 >Setting up a WINS server</A
1118 >Setting up Browsing in a WORKGROUP</A
1123 >Setting up Browsing in a DOMAIN</A
1128 >Forcing samba to be the master</A
1133 >Making samba the domain master</A
1138 >Note about broadcast addresses</A
1143 >Multiple interfaces</A
1150 >Samba performance issues</A
1179 >Old 'fake oplocks' option - deprecated</A
1262 HREF="#OTHER-CLIENTS"
1263 >Samba and other CIFS clients</A
1270 >Macintosh clients?</A
1282 >How can I configure OS/2 Warp Connect or
1283 OS/2 Warp 4 as a client for Samba?</A
1288 >How can I configure OS/2 Warp 3 (not Connect),
1289 OS/2 1.2, 1.3 or 2.x for Samba?</A
1294 >Are there any other issues when OS/2 (any version)
1295 is used as a client?</A
1300 >How do I get printer driver download working
1301 for OS/2 clients?</A
1308 >Windows for Workgroups</A
1315 >Use latest TCP/IP stack from Microsoft</A
1320 >Delete .pwl files after password change</A
1325 >Configure WfW password handling</A
1330 >Case handling of passwords</A
1342 >Windows 2000 Service Pack 2</A
1349 >HOWTO Access Samba source code via CVS</A
1361 >CVS Access to samba.org</A
1368 >Access via CVSweb</A
1409 >Attaching to a running process</A
1420 HREF="#GROUPMAPPING"
1421 >Group mapping HOWTO</A
1455 >Chapter 1. How to Install and Test SAMBA</H1
1463 >1.1. Step 0: Read the man pages</H2
1465 >The man pages distributed with SAMBA contain
1466 lots of useful info that will help to get you started.
1467 If you don't know how to read man pages then try
1476 >nroff -man smbd.8 | more
1481 >Other sources of information are pointed to
1482 by the Samba web site,<A
1483 HREF="http://www.samba.org/"
1485 > http://www.samba.org</A
1495 >1.2. Step 1: Building the Binaries</H2
1497 >To do this, first run the program <B
1501 > in the source directory. This should automatically
1502 configure Samba for your operating system. If you have unusual
1503 needs then you may wish to run</P
1516 >first to see what special options you can enable.
1529 >will create the binaries. Once it's successfully
1530 compiled you can use </P
1542 >to install the binaries and manual pages. You can
1543 separately install the binaries and/or man pages using</P
1569 >Note that if you are upgrading for a previous version
1570 of Samba you might like to know that the old versions of
1571 the binaries will be renamed with a ".old" extension. You
1572 can go back to the previous version with</P
1585 >if you find this version a disaster!</P
1594 >1.3. Step 2: The all important step</H2
1596 >At this stage you must fetch yourself a
1597 coffee or other drink you find stimulating. Getting the rest
1598 of the install right can sometimes be tricky, so you will
1599 probably need it.</P
1601 >If you have installed samba before then you can skip
1611 >1.4. Step 3: Create the smb configuration file.</H2
1613 >There are sample configuration files in the examples
1614 subdirectory in the distribution. I suggest you read them
1615 carefully so you can see how the options go together in
1616 practice. See the man page for all the options.</P
1618 >The simplest useful configuration file would be
1619 something like this:</P
1622 CLASS="PROGRAMLISTING"
1632 >which would allow connections by anyone with an
1633 account on the server, using either their login name or
1634 "homes" as the service name. (Note that I also set the
1635 workgroup that Samba is part of. See BROWSING.txt for details)</P
1644 > file. You need to create it
1647 >Make sure you put the smb.conf file in the same place
1648 you specified in the<TT
1651 > (the default is to
1654 >/usr/local/samba/lib/</TT
1657 >For more information about security settings for the
1658 [homes] share please refer to the document UNIX_SECURITY.txt.</P
1667 >1.5. Step 4: Test your config file with
1673 >It's important that you test the validity of your
1677 > file using the testparm program.
1678 If testparm runs OK then it will list the loaded services. If
1679 not it will give an error message.</P
1681 >Make sure it runs OK and that the services look
1682 reasonable before proceeding. </P
1691 >1.6. Step 5: Starting the smbd and nmbd</H2
1693 >You must choose to start smbd and nmbd either
1694 as daemons or from <B
1698 to do both! Either you can put them in <TT
1701 > and have them started on demand
1705 >, or you can start them as
1706 daemons either from the command line or in <TT
1709 >. See the man pages for details
1710 on the command line options. Take particular care to read
1711 the bit about what user you need to be in order to start
1712 Samba. In many cases you must be root.</P
1714 >The main advantage of starting <B
1721 > using the recommended daemon method
1722 is that they will respond slightly more quickly to an initial connection
1731 >1.6.1. Step 5a: Starting from inetd.conf</H3
1733 >NOTE; The following will be different if
1734 you use NIS or NIS+ to distributed services maps.</P
1740 What is defined at port 139/tcp. If nothing is defined
1741 then add a line like this:</P
1746 >netbios-ssn 139/tcp</B
1750 >similarly for 137/udp you should have an entry like:</P
1755 >netbios-ns 137/udp</B
1761 >/etc/inetd.conf</TT
1763 and add two lines something like this:</P
1766 CLASS="PROGRAMLISTING"
1767 > netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
1768 netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
1772 >The exact syntax of <TT
1774 >/etc/inetd.conf</TT
1776 varies between unixes. Look at the other entries in inetd.conf
1779 >NOTE: Some unixes already have entries like netbios_ns
1780 (note the underscore) in <TT
1784 You must either edit <TT
1790 >/etc/inetd.conf</TT
1791 > to make them consistent.</P
1793 >NOTE: On many systems you may need to use the
1794 "interfaces" option in smb.conf to specify the IP address
1795 and netmask of your interfaces. Run <B
1799 as root if you don't know what the broadcast is for your
1803 > tries to determine it at run
1804 time, but fails on some unixes. See the section on "testing nmbd"
1805 for a method of finding if you need to do this.</P
1807 >!!!WARNING!!! Many unixes only accept around 5
1808 parameters on the command line in <TT
1812 This means you shouldn't use spaces between the options and
1813 arguments, or you should use a script, and start the script
1822 >, perhaps just send
1823 it a HUP. If you have installed an earlier version of <B
1826 > then you may need to kill nmbd as well.</P
1835 >1.6.2. Step 5b. Alternative: starting it as a daemon</H3
1837 >To start the server as a daemon you should create
1838 a script something like this one, perhaps calling
1845 CLASS="PROGRAMLISTING"
1847 /usr/local/samba/bin/smbd -D
1848 /usr/local/samba/bin/nmbd -D
1852 >then make it executable with <B
1858 >You can then run <B
1862 hand or execute it from <TT
1868 >To kill it send a kill signal to the processes
1877 >NOTE: If you use the SVR4 style init system then
1878 you may like to look at the <TT
1880 >examples/svr4-startup</TT
1882 script to make Samba fit into that system.</P
1892 >1.7. Step 6: Try listing the shares available on your
1911 >You should get back a list of shares available on
1912 your server. If you don't then something is incorrectly setup.
1913 Note that this method can also be used to see what shares
1914 are available on other LanManager clients (such as WfWg).</P
1916 >If you choose user level security then you may find
1917 that Samba requests a password before it will list the shares.
1921 > man page for details. (you
1922 can force it to list the shares without a password by
1923 adding the option -U% to the command line. This will not work
1924 with non-Samba servers)</P
1933 >1.8. Step 7: Try connecting with the unix client</H2
1944 > //yourhostname/aservice</I
1956 would be the name of the host where you installed <B
1965 any service you have defined in the <TT
1969 file. Try your user name if you just have a [homes] section
1975 >For example if your unix host is bambi and your login
1976 name is fred you would type:</P
1984 >smbclient //bambi/fred
1996 >1.9. Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
1997 Win2k, OS/2, etc... client</H2
1999 >Try mounting disks. eg:</P
2003 >C:\WINDOWS\> </TT
2007 >net use d: \\servername\service
2012 >Try printing. eg:</P
2016 >C:\WINDOWS\> </TT
2021 \\servername\spoolservice</B
2027 >C:\WINDOWS\> </TT
2036 >Celebrate, or send me a bug report!</P
2045 >1.10. What If Things Don't Work?</H2
2047 >If nothing works and you start to think "who wrote
2048 this pile of trash" then I suggest you do step 2 again (and
2049 again) till you calm down.</P
2051 >Then you might read the file DIAGNOSIS.txt and the
2052 FAQ. If you are still stuck then try the mailing list or
2053 newsgroup (look in the README for details). Samba has been
2054 successfully installed at thousands of sites worldwide, so maybe
2055 someone else has hit your problem and has overcome it. You could
2056 also use the WWW site to scan back issues of the samba-digest.</P
2058 >When you fix the problem PLEASE send me some updates to the
2059 documentation (or source code) so that the next person will find it
2068 >1.10.1. Diagnosing Problems</H3
2070 >If you have installation problems then go to
2074 > to try to find the
2084 >1.10.2. Scope IDs</H3
2086 >By default Samba uses a blank scope ID. This means
2087 all your windows boxes must also have a blank scope ID.
2088 If you really want to use a non-blank scope ID then you will
2089 need to use the 'netbios scope' smb.conf option.
2090 All your PCs will need to have the same setting for
2091 this to work. I do not recommend scope IDs.</P
2100 >1.10.3. Choosing the Protocol Level</H3
2102 >The SMB protocol has many dialects. Currently
2103 Samba supports 5, called CORE, COREPLUS, LANMAN1,
2106 >You can choose what maximum protocol to support
2110 > file. The default is
2111 NT1 and that is the best for the vast majority of sites.</P
2113 >In older versions of Samba you may have found it
2114 necessary to use COREPLUS. The limitations that led to
2115 this have mostly been fixed. It is now less likely that you
2116 will want to use less than LANMAN1. The only remaining advantage
2117 of COREPLUS is that for some obscure reason WfWg preserves
2118 the case of passwords in this protocol, whereas under LANMAN1,
2119 LANMAN2 or NT1 it uppercases all passwords before sending them,
2120 forcing you to use the "password level=" option in some cases.</P
2122 >The main advantage of LANMAN2 and NT1 is support for
2123 long filenames with some clients (eg: smbclient, Windows NT
2126 >See the smb.conf(5) manual page for more details.</P
2128 >Note: To support print queue reporting you may find
2129 that you have to use TCP/IP as the default protocol under
2130 WfWg. For some reason if you leave Netbeui as the default
2131 it may break the print queue reporting on some systems.
2132 It is presumably a WfWg bug.</P
2141 >1.10.4. Printing from UNIX to a Client PC</H3
2143 >To use a printer that is available via a smb-based
2144 server from a unix host with LPR you will need to compile the
2145 smbclient program. You then need to install the script
2146 "smbprint". Read the instruction in smbprint for more details.
2149 >There is also a SYSV style script that does much
2150 the same thing called smbprint.sysv. It contains instructions.</P
2152 >See the CUPS manual for information about setting up
2153 printing from a unix host with CUPS to a smb-based server. </P
2162 >1.10.5. Locking</H3
2164 >One area which sometimes causes trouble is locking.</P
2166 >There are two types of locking which need to be
2167 performed by a SMB server. The first is "record locking"
2168 which allows a client to lock a range of bytes in a open file.
2169 The second is the "deny modes" that are specified when a file
2172 >Record locking semantics under Unix is very
2173 different from record locking under Windows. Versions
2174 of Samba before 2.2 have tried to use the native
2175 fcntl() unix system call to implement proper record
2176 locking between different Samba clients. This can not
2177 be fully correct due to several reasons. The simplest
2178 is the fact that a Windows client is allowed to lock a
2179 byte range up to 2^32 or 2^64, depending on the client
2180 OS. The unix locking only supports byte ranges up to
2181 2^31. So it is not possible to correctly satisfy a
2182 lock request above 2^31. There are many more
2183 differences, too many to be listed here.</P
2185 >Samba 2.2 and above implements record locking
2186 completely independent of the underlying unix
2187 system. If a byte range lock that the client requests
2188 happens to fall into the range 0-2^31, Samba hands
2189 this request down to the Unix system. All other locks
2190 can not be seen by unix anyway.</P
2192 >Strictly a SMB server should check for locks before
2193 every read and write call on a file. Unfortunately with the
2194 way fcntl() works this can be slow and may overstress the
2195 rpc.lockd. It is also almost always unnecessary as clients
2196 are supposed to independently make locking calls before reads
2197 and writes anyway if locking is important to them. By default
2198 Samba only makes locking calls when explicitly asked
2199 to by a client, but if you set "strict locking = yes" then it will
2200 make lock checking calls on every read and write. </P
2202 >You can also disable by range locking completely
2203 using "locking = no". This is useful for those shares that
2204 don't support locking or don't need it (such as cdroms). In
2205 this case Samba fakes the return codes of locking calls to
2206 tell clients that everything is OK.</P
2208 >The second class of locking is the "deny modes". These
2209 are set by an application when it opens a file to determine
2210 what types of access should be allowed simultaneously with
2211 its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE
2212 or DENY_ALL. There are also special compatibility modes called
2213 DENY_FCB and DENY_DOS.</P
2222 >1.10.6. Mapping Usernames</H3
2224 >If you have different usernames on the PCs and
2225 the unix server then take a look at the "username map" option.
2226 See the smb.conf man page for details.</P
2236 >Chapter 2. Diagnosing your samba server</H1
2244 >2.1. Introduction</H2
2246 >This file contains a list of tests you can perform to validate your
2247 Samba server. It also tells you what the likely cause of the problem
2248 is if it fails any one of these steps. If it passes all these tests
2249 then it is probably working fine.</P
2251 >You should do ALL the tests, in the order shown. I have tried to
2252 carefully choose them so later tests only use capabilities verified in
2253 the earlier tests.</P
2255 >If you send me an email saying "it doesn't work" and you have not
2256 followed this test procedure then you should not be surprised if I
2257 ignore your email.</P
2266 >2.2. Assumptions</H2
2268 >In all of the tests I assume you have a Samba server called BIGSERVER
2269 and a PC called ACLIENT both in workgroup TESTGROUP. I also assume the
2270 PC is running windows for workgroups with a recent copy of the
2271 microsoft tcp/ip stack. Alternatively, your PC may be running Windows
2272 95 or Windows NT (Workstation or Server).</P
2274 >The procedure is similar for other types of clients.</P
2276 >I also assume you know the name of an available share in your
2277 smb.conf. I will assume this share is called "tmp". You can add a
2278 "tmp" share like by adding the following to smb.conf:</P
2281 CLASS="PROGRAMLISTING"
2283 comment = temporary files
2285 read only = yes </PRE
2288 >THESE TESTS ASSUME VERSION 2.0.6 OR LATER OF THE SAMBA SUITE. SOME
2289 COMMANDS SHOWN DID NOT EXIST IN EARLIER VERSIONS</P
2291 >Please pay attention to the error messages you receive. If any error message
2292 reports that your server is being unfriendly you should first check that you
2293 IP name resolution is correctly set up. eg: Make sure your /etc/resolv.conf
2294 file points to name servers that really do exist.</P
2296 >Also, if you do not have DNS server access for name resolution please check
2297 that the settings for your smb.conf file results in "dns proxy = no". The
2298 best way to check this is with "testparm smb.conf"</P
2317 >In the directory in which you store your smb.conf file, run the command
2318 "testparm smb.conf". If it reports any errors then your smb.conf
2319 configuration file is faulty.</P
2321 >Note: Your smb.conf file may be located in: <TT
2327 >/usr/local/samba/lib</TT
2339 >Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from
2340 the unix box. If you don't get a valid response then your TCP/IP
2341 software is not correctly installed. </P
2343 >Note that you will need to start a "dos prompt" window on the PC to
2346 >If you get a message saying "host not found" or similar then your DNS
2347 software or /etc/hosts file is not correctly setup. It is possible to
2348 run samba without DNS entries for the server and client, but I assume
2349 you do have correct entries for the remainder of these tests. </P
2351 >Another reason why ping might fail is if your host is running firewall
2352 software. You will need to relax the rules to let in the workstation
2353 in question, perhaps by allowing access from another subnet (on Linux
2354 this is done via the ipfwadm program.)</P
2365 >Run the command "smbclient -L BIGSERVER" on the unix box. You
2366 should get a list of available shares back. </P
2368 >If you get a error message containing the string "Bad password" then
2369 you probably have either an incorrect "hosts allow", "hosts deny" or
2370 "valid users" line in your smb.conf, or your guest account is not
2371 valid. Check what your guest account is using "testparm" and
2372 temporarily remove any "hosts allow", "hosts deny", "valid users" or
2373 "invalid users" lines.</P
2375 >If you get a "connection refused" response then the smbd server may
2376 not be running. If you installed it in inetd.conf then you probably edited
2377 that file incorrectly. If you installed it as a daemon then check that
2378 it is running, and check that the netbios-ssn port is in a LISTEN
2379 state using "netstat -a".</P
2381 >If you get a "session request failed" then the server refused the
2382 connection. If it says "Your server software is being unfriendly" then
2383 its probably because you have invalid command line parameters to smbd,
2384 or a similar fatal problem with the initial startup of smbd. Also
2385 check your config file (smb.conf) for syntax errors with "testparm"
2386 and that the various directories where samba keeps its log and lock
2389 >There are a number of reasons for which smbd may refuse or decline
2390 a session request. The most common of these involve one or more of
2391 the following smb.conf file entries:</P
2394 CLASS="PROGRAMLISTING"
2396 hosts allow = xxx.xxx.xxx.xxx/yy
2397 bind interfaces only = Yes</PRE
2400 >In the above, no allowance has been made for any session requests that
2401 will automatically translate to the loopback adaptor address 127.0.0.1.
2402 To solve this problem change these lines to:</P
2405 CLASS="PROGRAMLISTING"
2407 hosts allow = xxx.xxx.xxx.xxx/yy 127.</PRE
2410 >Do NOT use the "bind interfaces only" parameter where you may wish to
2411 use the samba password change facility, or where smbclient may need to
2412 access local service for name resolution or for local resource
2413 connections. (Note: the "bind interfaces only" parameter deficiency
2414 where it will not allow connections to the loopback address will be
2417 >Another common cause of these two errors is having something already running
2418 on port 139, such as Samba (ie: smbd is running from inetd already) or
2419 something like Digital's Pathworks. Check your inetd.conf file before trying
2420 to start smbd as a daemon, it can avoid a lot of frustration!</P
2422 >And yet another possible cause for failure of TEST 3 is when the subnet mask
2423 and / or broadcast address settings are incorrect. Please check that the
2424 network interface IP Address / Broadcast Address / Subnet Mask settings are
2425 correct and that Samba has correctly noted these in the log.nmb file.</P
2436 >Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the
2437 IP address of your Samba server back.</P
2439 >If you don't then nmbd is incorrectly installed. Check your inetd.conf
2440 if you run it from there, or that the daemon is running and listening
2443 >One common problem is that many inetd implementations can't take many
2444 parameters on the command line. If this is the case then create a
2445 one-line script that contains the right parameters and run that from
2459 >nmblookup -B ACLIENT '*'</B
2462 >You should get the PCs IP address back. If you don't then the client
2463 software on the PC isn't installed correctly, or isn't started, or you
2464 got the name of the PC wrong. </P
2466 >If ACLIENT doesn't resolve via DNS then use the IP address of the
2467 client in the above test.</P
2480 >nmblookup -d 2 '*'</B
2483 >This time we are trying the same as the previous test but are trying
2484 it via a broadcast to the default broadcast address. A number of
2485 Netbios/TCPIP hosts on the network should respond, although Samba may
2486 not catch all of the responses in the short time it listens. You
2487 should see "got a positive name query response" messages from several
2490 >If this doesn't give a similar result to the previous test then
2491 nmblookup isn't correctly getting your broadcast address through its
2492 automatic mechanism. In this case you should experiment use the
2493 "interfaces" option in smb.conf to manually configure your IP
2494 address, broadcast and netmask. </P
2496 >If your PC and server aren't on the same subnet then you will need to
2497 use the -B option to set the broadcast address to the that of the PCs
2500 >This test will probably fail if your subnet mask and broadcast address are
2501 not correct. (Refer to TEST 3 notes above).</P
2514 >smbclient //BIGSERVER/TMP</B
2516 then be prompted for a password. You should use the password of the account
2517 you are logged into the unix box with. If you want to test with
2518 another account then add the -U >accountname< option to the end of
2519 the command line. eg:
2522 >smbclient //bigserver/tmp -Ujohndoe</B
2525 >Note: It is possible to specify the password along with the username
2529 >smbclient //bigserver/tmp -Ujohndoe%secret</B
2532 >Once you enter the password you should get the "smb>" prompt. If you
2533 don't then look at the error message. If it says "invalid network
2534 name" then the service "tmp" is not correctly setup in your smb.conf.</P
2536 >If it says "bad password" then the likely causes are:</P
2543 > you have shadow passords (or some other password system) but didn't
2544 compile in support for them in smbd
2549 > your "valid users" configuration is incorrect
2554 > you have a mixed case password and you haven't enabled the "password
2555 level" option at a high enough level
2560 > the "path =" line in smb.conf is incorrect. Check it with testparm
2565 > you enabled password encryption but didn't create the SMB encrypted
2571 >Once connected you should be able to use the commands
2584 >help >command<</B
2585 > for instructions. You should
2586 especially check that the amount of free disk space shown is correct
2601 >On the PC type the command <B
2603 >net view \\BIGSERVER</B
2605 need to do this from within a "dos prompt" window. You should get back a
2606 list of available shares on the server.</P
2608 >If you get a "network name not found" or similar error then netbios
2609 name resolution is not working. This is usually caused by a problem in
2610 nmbd. To overcome it you could do one of the following (you only need
2611 to choose one of them):</P
2618 > fixup the nmbd installation</P
2622 > add the IP address of BIGSERVER to the "wins server" box in the
2623 advanced tcp/ip setup on the PC.</P
2627 > enable windows name resolution via DNS in the advanced section of
2632 > add BIGSERVER to your lmhosts file on the PC.</P
2636 >If you get a "invalid network name" or "bad password error" then the
2637 same fixes apply as they did for the "smbclient -L" test above. In
2638 particular, make sure your "hosts allow" line is correct (see the man
2641 >Also, do not overlook that fact that when the workstation requests the
2642 connection to the samba server it will attempt to connect using the
2643 name with which you logged onto your Windows machine. You need to make
2644 sure that an account exists on your Samba server with that exact same
2645 name and password.</P
2647 >If you get "specified computer is not receiving requests" or similar
2648 it probably means that the host is not contactable via tcp services.
2649 Check to see if the host is running tcp wrappers, and if so add an entry in
2650 the hosts.allow file for your client (or subnet, etc.)</P
2663 >net use x: \\BIGSERVER\TMP</B
2665 be prompted for a password then you should get a "command completed
2666 successfully" message. If not then your PC software is incorrectly
2667 installed or your smb.conf is incorrect. make sure your "hosts allow"
2668 and other config lines in smb.conf are correct.</P
2670 >It's also possible that the server can't work out what user name to
2671 connect you as. To see if this is the problem add the line "user =
2672 USERNAME" to the [tmp] section of smb.conf where "USERNAME" is the
2673 username corresponding to the password you typed. If you find this
2674 fixes things you may need the username mapping option. </P
2676 >It might also be the case that your client only sends encrypted passwords
2679 >encrypt passwords = no</B
2684 Turn it back on to fix.</P
2693 >2.3.10. Test 10</H3
2697 >nmblookup -M TESTGROUP</B
2699 TESTGROUP is the name of the workgroup that your Samba server and
2700 Windows PCs belong to. You should get back the IP address of the
2701 master browser for that workgroup.</P
2703 >If you don't then the election process has failed. Wait a minute to
2704 see if it is just being slow then try again. If it still fails after
2705 that then look at the browsing options you have set in smb.conf. Make
2708 >preferred master = yes</B
2710 an election is held at startup.</P
2719 >2.3.11. Test 11</H3
2721 >From file manager try to browse the server. Your samba server should
2722 appear in the browse list of your local workgroup (or the one you
2723 specified in smb.conf). You should be able to double click on the name
2724 of the server and get a list of shares. If you get a "invalid
2725 password" error when you do then you are probably running WinNT and it
2726 is refusing to browse a server that has no encrypted password
2727 capability and is in user level security mode. In this case either set
2730 >security = server</B
2734 >password server = Windows_NT_Machine</B
2736 smb.conf file, or enable encrypted passwords AFTER compiling in support
2737 for encrypted passwords (refer to the Makefile).</P
2747 >2.4. Still having troubles?</H2
2749 >Try the mailing list or newsgroup, or use the ethereal utility to
2750 sniff the problem. The official samba mailing list can be reached at
2752 HREF="mailto:samba@samba.org"
2756 out more about samba and how to subscribe to the mailing list check
2757 out the samba web page at
2759 HREF="http://samba.org/samba"
2761 >http://samba.org/samba</A
2764 >Also look at the other docs in the Samba package!</P
2771 NAME="INTEGRATE-MS-NETWORKS"
2773 >Chapter 3. Integrating MS Windows networks with Samba</H1
2783 >To identify the key functional mechanisms of MS Windows networking
2784 to enable the deployment of Samba as a means of extending and/or
2785 replacing MS Windows NT/2000 technology.</P
2787 >We will examine:</P
2794 >Name resolution in a pure Unix/Linux TCP/IP
2800 >Name resolution as used within MS Windows
2806 >How browsing functions and how to deploy stable
2807 and dependable browsing using Samba
2812 >MS Windows security options and how to
2813 configure Samba for seemless integration
2818 >Configuration of Samba as:</P
2825 >A stand-alone server</P
2829 >An MS Windows NT 3.x/4.0 security domain member
2834 >An alternative to an MS Windows NT 3.x/4.0 Domain Controller
2848 >3.2. Name Resolution in a pure Unix/Linux world</H2
2850 >The key configuration files covered in this section are:</P
2865 >/etc/resolv.conf</TT
2879 >/etc/nsswitch.conf</TT
2895 >Contains a static list of IP Addresses and names.
2899 CLASS="PROGRAMLISTING"
2900 > 127.0.0.1 localhost localhost.localdomain
2901 192.168.1.1 bigbox.caldera.com bigbox alias4box</PRE
2908 name resolution mechanism so that uses do not need to remember
2911 >Network packets that are sent over the physical network transport
2912 layer communicate not via IP addresses but rather using the Media
2913 Access Control address, or MAC address. IP Addresses are currently
2914 32 bits in length and are typically presented as four (4) decimal
2915 numbers that are separated by a dot (or period). eg: 168.192.1.1</P
2917 >MAC Addresses use 48 bits (or 6 bytes) and are typically represented
2918 as two digit hexadecimal numbers separated by colons. eg:
2919 40:8e:0a:12:34:56</P
2921 >Every network interfrace must have an MAC address. Associated with
2922 a MAC address there may be one or more IP addresses. There is NO
2923 relationship between an IP address and a MAC address, all such assignments
2924 are arbitary or discretionary in nature. At the most basic level all
2925 network communications takes place using MAC addressing. Since MAC
2926 addresses must be globally unique, and generally remains fixed for
2927 any particular interface, the assignment of an IP address makes sense
2928 from a network management perspective. More than one IP address can
2929 be assigned per MAC address. One address must be the primary IP address,
2930 this is the address that will be returned in the ARP reply.</P
2932 >When a user or a process wants to communicate with another machine
2933 the protocol implementation ensures that the "machine name" or "host
2934 name" is resolved to an IP address in a manner that is controlled
2935 by the TCP/IP configuration control files. The file
2939 > is one such file.</P
2941 >When the IP address of the destination interface has been
2942 determined a protocol called ARP/RARP is used to identify
2943 the MAC address of the target interface. ARP stands for Address
2944 Resolution Protocol, and is a broadcast oriented method that
2945 uses UDP (User Datagram Protocol) to send a request to all
2946 interfaces on the local network segment using the all 1's MAC
2947 address. Network interfaces are programmed to respond to two
2948 MAC addresses only; their own unique address and the address
2949 ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will
2950 contain the MAC address and the primary IP address for each
2956 > file is foundational to all
2957 Unix/Linux TCP/IP installations and as a minumum will contain
2958 the localhost and local network interface IP addresses and the
2959 primary names by which they are known within the local machine.
2960 This file helps to prime the pump so that a basic level of name
2961 resolution can exist before any other method of name resolution
2962 becomes available.</P
2973 >/etc/resolv.conf</TT
2976 >This file tells the name resolution libraries:</P
2982 >The name of the domain to which the machine
2988 >The name(s) of any domains that should be
2989 automatically searched when trying to resolve unqualified
2990 host names to their IP address
2995 >The name or IP address of available Domain
2996 Name Servers that may be asked to perform name to address
3017 > is the primary means by
3018 which the setting in /etc/resolv.conf may be affected. It is a
3019 critical configuration file. This file controls the order by
3020 which name resolution may procede. The typical structure is:</P
3023 CLASS="PROGRAMLISTING"
3028 >then both addresses should be returned. Please refer to the
3029 man page for host.conf for further details.</P
3040 >/etc/nsswitch.conf</TT
3043 >This file controls the actual name resolution targets. The
3044 file typically has resolver object specifications as follows:</P
3047 CLASS="PROGRAMLISTING"
3048 > # /etc/nsswitch.conf
3050 # Name Service Switch configuration file.
3054 # Alternative entries for password authentication are:
3055 # passwd: compat files nis ldap winbind
3059 hosts: files nis dns
3060 # Alternative entries for host name resolution are:
3061 # hosts: files dns nis nis+ hesoid db compat ldap wins
3062 networks: nis files dns
3065 protocols: nis files
3067 services: nis files</PRE
3070 >Of course, each of these mechanisms requires that the appropriate
3071 facilities and/or services are correctly configured.</P
3073 >It should be noted that unless a network request/message must be
3074 sent, TCP/IP networks are silent. All TCP/IP communications assumes a
3075 principal of speaking only when necessary.</P
3077 >Samba version 2.2.0 will add Linux support for extensions to
3078 the name service switch infrastructure so that linux clients will
3079 be able to obtain resolution of MS Windows NetBIOS names to IP
3080 Addresses. To gain this functionality Samba needs to be compiled
3081 with appropriate arguments to the make command (ie: <B
3084 nsswitch/libnss_wins.so</B
3085 >). The resulting library should
3086 then be installed in the <TT
3090 the "wins" parameter needs to be added to the "hosts:" line in
3093 >/etc/nsswitch.conf</TT
3094 > file. At this point it
3095 will be possible to ping any MS Windows machine by it's NetBIOS
3096 machine name, so long as that machine is within the workgroup to
3097 which both the samba machine and the MS Windows machine belong.</P
3107 >3.3. Name resolution as used within MS Windows networking</H2
3109 >MS Windows networking is predicated about the name each machine
3110 is given. This name is known variously (and inconsistently) as
3111 the "computer name", "machine name", "networking name", "netbios name",
3112 "SMB name". All terms mean the same thing with the exception of
3113 "netbios name" which can apply also to the name of the workgroup or the
3114 domain name. The terms "workgroup" and "domain" are really just a
3115 simply name with which the machine is associated. All NetBIOS names
3116 are exactly 16 characters in length. The 16th character is reserved.
3117 It is used to store a one byte value that indicates service level
3118 information for the NetBIOS name that is registered. A NetBIOS machine
3119 name is therefore registered for each service type that is provided by
3120 the client/server.</P
3122 >The following are typical NetBIOS name/service type registrations:</P
3125 CLASS="PROGRAMLISTING"
3126 > Unique NetBIOS Names:
3127 MACHINENAME<00> = Server Service is running on MACHINENAME
3128 MACHINENAME<03> = Generic Machine Name (NetBIOS name)
3129 MACHINENAME<20> = LanMan Server service is running on MACHINENAME
3130 WORKGROUP<1b> = Domain Master Browser
3133 WORKGROUP<03> = Generic Name registered by all members of WORKGROUP
3134 WORKGROUP<1c> = Domain Controllers / Netlogon Servers
3135 WORKGROUP<1d> = Local Master Browsers
3136 WORKGROUP<1e> = Internet Name Resolvers</PRE
3139 >It should be noted that all NetBIOS machines register their own
3140 names as per the above. This is in vast contrast to TCP/IP
3141 installations where traditionally the system administrator will
3142 determine in the /etc/hosts or in the DNS database what names
3143 are associated with each IP address.</P
3145 >One further point of clarification should be noted, the <TT
3149 file and the DNS records do not provide the NetBIOS name type information
3150 that MS Windows clients depend on to locate the type of service that may
3151 be needed. An example of this is what happens when an MS Windows client
3152 wants to locate a domain logon server. It find this service and the IP
3153 address of a server that provides it by performing a lookup (via a
3154 NetBIOS broadcast) for enumeration of all machines that have
3155 registered the name type *<1c>. A logon request is then sent to each
3156 IP address that is returned in the enumerated list of IP addresses. Which
3157 ever machine first replies then ends up providing the logon services.</P
3159 >The name "workgroup" or "domain" really can be confusing since these
3160 have the added significance of indicating what is the security
3161 architecture of the MS Windows network. The term "workgroup" indicates
3162 that the primary nature of the network environment is that of a
3163 peer-to-peer design. In a WORKGROUP all machines are responsible for
3164 their own security, and generally such security is limited to use of
3165 just a password (known as SHARE MODE security). In most situations
3166 with peer-to-peer networking the users who control their own machines
3167 will simply opt to have no security at all. It is possible to have
3168 USER MODE security in a WORKGROUP environment, thus requiring use
3169 of a user name and a matching password.</P
3171 >MS Windows networking is thus predetermined to use machine names
3172 for all local and remote machine message passing. The protocol used is
3173 called Server Message Block (SMB) and this is implemented using
3174 the NetBIOS protocol (Network Basic Input Output System). NetBIOS can
3175 be encapsulated using LLC (Logical Link Control) protocol - in which case
3176 the resulting protocol is called NetBEUI (Network Basic Extended User
3177 Interface). NetBIOS can also be run over IPX (Internetworking Packet
3178 Exchange) protocol as used by Novell NetWare, and it can be run
3179 over TCP/IP protocols - in which case the resulting protocol is called
3180 NBT or NetBT, the NetBIOS over TCP/IP.</P
3182 >MS Windows machines use a complex array of name resolution mechanisms.
3183 Since we are primarily concerned with TCP/IP this demonstration is
3184 limited to this area.</P
3192 >3.3.1. The NetBIOS Name Cache</H3
3194 >All MS Windows machines employ an in memory buffer in which is
3195 stored the NetBIOS names and IP addresses for all external
3196 machines that that machine has communicated with over the
3197 past 10-15 minutes. It is more efficient to obtain an IP address
3198 for a machine from the local cache than it is to go through all the
3199 configured name resolution mechanisms.</P
3201 >If a machine whose name is in the local name cache has been shut
3202 down before the name had been expired and flushed from the cache, then
3203 an attempt to exchange a message with that machine will be subject
3204 to time-out delays. i.e.: Its name is in the cache, so a name resolution
3205 lookup will succeed, but the machine can not respond. This can be
3206 frustrating for users - but it is a characteristic of the protocol.</P
3208 >The MS Windows utility that allows examination of the NetBIOS
3209 name cache is called "nbtstat". The Samba equivalent of this
3210 is called "nmblookup".</P
3219 >3.3.2. The LMHOSTS file</H3
3221 >This file is usually located in MS Windows NT 4.0 or
3224 >C:\WINNT\SYSTEM32\DRIVERS\ETC</TT
3226 the IP Address and the machine name in matched pairs. The
3230 > file performs NetBIOS name
3231 to IP address mapping oriented.</P
3233 >It typically looks like:</P
3236 CLASS="PROGRAMLISTING"
3237 > # Copyright (c) 1998 Microsoft Corp.
3239 # This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS
3240 # over TCP/IP) stack for Windows98
3242 # This file contains the mappings of IP addresses to NT computernames
3243 # (NetBIOS) names. Each entry should be kept on an individual line.
3244 # The IP address should be placed in the first column followed by the
3245 # corresponding computername. The address and the comptername
3246 # should be separated by at least one space or tab. The "#" character
3247 # is generally used to denote the start of a comment (see the exceptions
3250 # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
3251 # files and offers the following extensions:
3254 # #DOM:<domain>
3255 # #INCLUDE <filename>
3258 # \0xnn (non-printing character support)
3260 # Following any entry in the file with the characters "#PRE" will cause
3261 # the entry to be preloaded into the name cache. By default, entries are
3262 # not preloaded, but are parsed only after dynamic name resolution fails.
3264 # Following an entry with the "#DOM:<domain>" tag will associate the
3265 # entry with the domain specified by <domain>. This affects how the
3266 # browser and logon services behave in TCP/IP environments. To preload
3267 # the host name associated with #DOM entry, it is necessary to also add a
3268 # #PRE to the line. The <domain> is always preloaded although it will not
3269 # be shown when the name cache is viewed.
3271 # Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
3272 # software to seek the specified <filename> and parse it as if it were
3273 # local. <filename> is generally a UNC-based name, allowing a
3274 # centralized lmhosts file to be maintained on a server.
3275 # It is ALWAYS necessary to provide a mapping for the IP address of the
3276 # server prior to the #INCLUDE. This mapping must use the #PRE directive.
3277 # In addtion the share "public" in the example below must be in the
3278 # LanManServer list of "NullSessionShares" in order for client machines to
3279 # be able to read the lmhosts file successfully. This key is under
3280 # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
3281 # in the registry. Simply add "public" to the list found there.
3283 # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
3284 # statements to be grouped together. Any single successful include
3285 # will cause the group to succeed.
3287 # Finally, non-printing characters can be embedded in mappings by
3288 # first surrounding the NetBIOS name in quotations, then using the
3289 # \0xnn notation to specify a hex value for a non-printing character.
3291 # The following example illustrates all of these extensions:
3293 # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
3294 # 102.54.94.102 "appname \0x14" #special app server
3295 # 102.54.94.123 popular #PRE #source server
3296 # 102.54.94.117 localsrv #PRE #needed for the include
3299 # #INCLUDE \\localsrv\public\lmhosts
3300 # #INCLUDE \\rhino\public\lmhosts
3303 # In the above example, the "appname" server contains a special
3304 # character in its name, the "popular" and "localsrv" server names are
3305 # preloaded, and the "rhino" server name is specified so it can be used
3306 # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
3307 # system is unavailable.
3309 # Note that the whole file is parsed including comments on each lookup,
3310 # so keeping the number of comments to a minimum will improve performance.
3311 # Therefore it is not advisable to simply add lmhosts file entries onto the
3312 # end of this file.</PRE
3322 >3.3.3. HOSTS file</H3
3324 >This file is usually located in MS Windows NT 4.0 or 2000 in
3327 >C:\WINNT\SYSTEM32\DRIVERS\ETC</TT
3329 the IP Address and the IP hostname in matched pairs. It can be
3330 used by the name resolution infrastructure in MS Windows, depending
3331 on how the TCP/IP environment is configured. This file is in
3332 every way the equivalent of the Unix/Linux <TT
3344 >3.3.4. DNS Lookup</H3
3346 >This capability is configured in the TCP/IP setup area in the network
3347 configuration facility. If enabled an elaborate name resolution sequence
3348 is followed the precise nature of which isdependant on what the NetBIOS
3349 Node Type parameter is configured to. A Node Type of 0 means use
3350 NetBIOS broadcast (over UDP broadcast) is first used if the name
3351 that is the subject of a name lookup is not found in the NetBIOS name
3352 cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to
3353 Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the
3354 WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast
3364 >3.3.5. WINS Lookup</H3
3366 >A WINS (Windows Internet Name Server) service is the equivaent of the
3367 rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
3368 the names and IP addresses that are registered by a Windows client
3369 if the TCP/IP setup has been given at least one WINS Server IP Address.</P
3371 >To configure Samba to be a WINS server the following parameter needs
3372 to be added to the <TT
3378 CLASS="PROGRAMLISTING"
3379 > wins support = Yes</PRE
3382 >To configure Samba to use a WINS server the following parameters are
3383 needed in the smb.conf file:</P
3386 CLASS="PROGRAMLISTING"
3388 wins server = xxx.xxx.xxx.xxx</PRE
3397 of the WINS server.</P
3407 >3.4. How browsing functions and how to deploy stable and
3408 dependable browsing using Samba</H2
3410 >As stated above, MS Windows machines register their NetBIOS names
3411 (i.e.: the machine name for each service type in operation) on start
3412 up. Also, as stated above, the exact method by which this name registration
3413 takes place is determined by whether or not the MS Windows client/server
3414 has been given a WINS server address, whether or not LMHOSTS lookup
3415 is enabled, or if DNS for NetBIOS name resolution is enabled, etc.</P
3417 >In the case where there is no WINS server all name registrations as
3418 well as name lookups are done by UDP broadcast. This isolates name
3419 resolution to the local subnet, unless LMHOSTS is used to list all
3420 names and IP addresses. In such situations Samba provides a means by
3421 which the samba server name may be forcibly injected into the browse
3422 list of a remote MS Windows network (using the "remote announce" parameter).</P
3424 >Where a WINS server is used, the MS Windows client will use UDP
3425 unicast to register with the WINS server. Such packets can be routed
3426 and thus WINS allows name resolution to function across routed networks.</P
3428 >During the startup process an election will take place to create a
3429 local master browser if one does not already exist. On each NetBIOS network
3430 one machine will be elected to function as the domain master browser. This
3431 domain browsing has nothing to do with MS security domain control.
3432 Instead, the domain master browser serves the role of contacting each local
3433 master browser (found by asking WINS or from LMHOSTS) and exchanging browse
3434 list contents. This way every master browser will eventually obtain a complete
3435 list of all machines that are on the network. Every 11-15 minutes an election
3436 is held to determine which machine will be the master browser. By the nature of
3437 the election criteria used, the machine with the highest uptime, or the
3438 most senior protocol version, or other criteria, will win the election
3439 as domain master browser.</P
3441 >Clients wishing to browse the network make use of this list, but also depend
3442 on the availability of correct name resolution to the respective IP
3443 address/addresses. </P
3445 >Any configuration that breaks name resolution and/or browsing intrinsics
3446 will annoy users because they will have to put up with protracted
3447 inability to use the network services.</P
3449 >Samba supports a feature that allows forced synchonisation
3450 of browse lists across routed networks using the "remote
3451 browse sync" parameter in the smb.conf file. This causes Samba
3452 to contact the local master browser on a remote network and
3453 to request browse list synchronisation. This effectively bridges
3454 two networks that are separated by routers. The two remote
3455 networks may use either broadcast based name resolution or WINS
3456 based name resolution, but it should be noted that the "remote
3457 browse sync" parameter provides browse list synchronisation - and
3458 that is distinct from name to address resolution, in other
3459 words, for cross subnet browsing to function correctly it is
3460 essential that a name to address resolution mechanism be provided.
3461 This mechanism could be via DNS, <TT
3474 >3.5. MS Windows security options and how to configure
3475 Samba for seemless integration</H2
3477 >MS Windows clients may use encrypted passwords as part of a
3478 challenege/response authentication model (a.k.a. NTLMv1) or
3479 alone, or clear text strings for simple password based
3480 authentication. It should be realized that with the SMB
3481 protocol the password is passed over the network either
3482 in plain text or encrypted, but not both in the same
3483 authentication requets.</P
3485 >When encrypted passwords are used a password that has been
3486 entered by the user is encrypted in two ways:</P
3492 >An MD4 hash of the UNICODE of the password
3493 string. This is known as the NT hash.
3498 >The password is converted to upper case,
3499 and then padded or trucated to 14 bytes. This string is
3500 then appended with 5 bytes of NULL characters and split to
3501 form two 56 bit DES keys to encrypt a "magic" 8 byte value.
3502 The resulting 16 bytes for the LanMan hash.
3507 >You should refer to the <A
3508 HREF="ENCRYPTION.html"
3510 >Password Encryption</A
3511 > chapter in this HOWTO collection
3512 for more details on the inner workings</P
3514 >MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x
3515 and version 4.0 pre-service pack 3 will use either mode of
3516 password authentication. All versions of MS Windows that follow
3517 these versions no longer support plain text passwords by default.</P
3519 >MS Windows clients have a habit of dropping network mappings that
3520 have been idle for 10 minutes or longer. When the user attempts to
3521 use the mapped drive connection that has been dropped, the client
3522 re-establishes the connection using
3523 a cached copy of the password.</P
3525 >When Microsoft changed the default password mode, they dropped support for
3526 caching of the plain text password. This means that when the registry
3527 parameter is changed to re-enable use of plain text passwords it appears to
3528 work, but when a dropped mapping attempts to revalidate it will fail if
3529 the remote authentication server does not support encrypted passwords.
3530 This means that it is definitely not a good idea to re-enable plain text
3531 password support in such clients.</P
3533 >The following parameters can be used to work around the
3534 issue of Windows 9x client upper casing usernames and
3535 password before transmitting them to the SMB server
3536 when using clear text authentication.</P
3539 CLASS="PROGRAMLISTING"
3541 HREF="smb.conf.5.html#PASSWORDLEVEL"
3551 HREF="smb.conf.5.html#USERNAMELEVEL"
3562 >By default Samba will lower case the username before attempting
3563 to lookup the user in the database of local system accounts.
3564 Because UNIX usernames conventionally only contain lower case
3571 is rarely even needed.</P
3573 >However, password on UNIX systems often make use of mixed case
3574 characters. This means that in order for a user on a Windows 9x
3575 client to connect to a Samba server using clear text authentication,
3581 > must be set to the maximum
3582 number of upper case letter which <SPAN
3589 is a password. Note that is the server OS uses the traditional
3590 DES version of crypt(), then a <TT
3596 of 8 will result in case insensitive passwords as seen from Windows
3597 users. This will also result in longer login times as Samba
3598 hash to compute the permutations of the password string and
3599 try them one by one until a match is located (or all combinations fail).</P
3601 >The best option to adopt is to enable support for encrypted passwords
3602 where ever Samba is used. There are three configuration possibilities
3603 for support of encrypted passwords:</P
3611 >3.5.1. Use MS Windows NT as an authentication server</H3
3613 >This method involves the additions of the following parameters
3614 in the smb.conf file:</P
3617 CLASS="PROGRAMLISTING"
3618 > encrypt passwords = Yes
3620 password server = "NetBIOS_name_of_PDC"</PRE
3623 >There are two ways of identifying whether or not a username and
3624 password pair was valid or not. One uses the reply information provided
3625 as part of the authentication messaging process, the other uses
3626 just and error code.</P
3628 >The down-side of this mode of configuration is the fact that
3629 for security reasons Samba will send the password server a bogus
3630 username and a bogus password and if the remote server fails to
3631 reject the username and password pair then an alternative mode
3632 of identification of validation is used. Where a site uses password
3633 lock out after a certain number of failed authentication attempts
3634 this will result in user lockouts.</P
3636 >Use of this mode of authentication does require there to be
3637 a standard Unix account for the user, this account can be blocked
3638 to prevent logons by other than MS Windows clients.</P
3647 >3.5.2. Make Samba a member of an MS Windows NT security domain</H3
3649 >This method involves additon of the following paramters in the smb.conf file:</P
3652 CLASS="PROGRAMLISTING"
3653 > encrypt passwords = Yes
3655 workgroup = "name of NT domain"
3656 password server = *</PRE
3659 >The use of the "*" argument to "password server" will cause samba
3660 to locate the domain controller in a way analogous to the way
3661 this is done within MS Windows NT.</P
3663 >In order for this method to work the Samba server needs to join the
3664 MS Windows NT security domain. This is done as follows:</P
3670 >On the MS Windows NT domain controller using
3671 the Server Manager add a machine account for the Samba server.
3676 >Next, on the Linux system execute:
3679 >smbpasswd -r PDC_NAME -j DOMAIN_NAME</B
3685 >Use of this mode of authentication does require there to be
3686 a standard Unix account for the user in order to assign
3687 a uid once the account has been authenticated by the remote
3688 Windows DC. This account can be blocked to prevent logons by
3689 other than MS Windows clients by things such as setting an invalid
3695 >An alternative to assigning UIDs to Windows users on a
3696 Samba member server is presented in the <A
3699 >Winbind Overview</A
3701 this HOWTO collection.</P
3710 >3.5.3. Configure Samba as an authentication server</H3
3712 >This mode of authentication demands that there be on the
3713 Unix/Linux system both a Unix style account as well as an
3714 smbpasswd entry for the user. The Unix system account can be
3715 locked if required as only the encrypted password will be
3716 used for SMB client authentication.</P
3718 >This method involves addition of the following parameters to
3719 the smb.conf file:</P
3722 CLASS="PROGRAMLISTING"
3723 >## please refer to the Samba PDC HOWTO chapter later in
3724 ## this collection for more details
3726 encrypt passwords = Yes
3729 ; an OS level of 33 or more is recommended
3733 path = /somewhare/in/file/system
3734 read only = yes</PRE
3737 >in order for this method to work a Unix system account needs
3738 to be created for each user, as well as for each MS Windows NT/2000
3739 machine. The following structure is required.</P
3749 >A user account that may provide a home directory should be
3750 created. The following Linux system commands are typical of
3751 the procedure for creating an account.</P
3754 CLASS="PROGRAMLISTING"
3755 > # useradd -s /bin/bash -d /home/"userid" -m "userid"
3757 Enter Password: <pw>
3759 # smbpasswd -a "userid"
3760 Enter Password: <pw></PRE
3770 >3.5.3.2. MS Windows NT Machine Accounts</H4
3772 >These are required only when Samba is used as a domain
3773 controller. Refer to the Samba-PDC-HOWTO for more details.</P
3776 CLASS="PROGRAMLISTING"
3777 > # useradd -s /bin/false -d /dev/null "machine_name"\$
3778 # passwd -l "machine_name"\$
3779 # smbpasswd -a -m "machine_name"</PRE
3791 >3.6. Conclusions</H2
3793 >Samba provides a flexible means to operate as...</P
3799 >A Stand-alone server - No special action is needed
3800 other than to create user accounts. Stand-alone servers do NOT
3801 provide network logon services, meaning that machines that use this
3802 server do NOT perform a domain logon but instead make use only of
3803 the MS Windows logon which is local to the MS Windows
3809 >An MS Windows NT 3.x/4.0 security domain member.
3814 >An alternative to an MS Windows NT 3.x/4.0
3827 >Chapter 4. Configuring PAM for distributed but centrally
3828 managed authentication</H1
3836 >4.1. Samba and PAM</H2
3838 >A number of Unix systems (eg: Sun Solaris), as well as the
3839 xxxxBSD family and Linux, now utilize the Pluggable Authentication
3840 Modules (PAM) facility to provide all authentication,
3841 authorization and resource control services. Prior to the
3842 introduction of PAM, a decision to use an alternative to
3843 the system password database (<TT
3847 would require the provision of alternatives for all programs that provide
3848 security services. Such a choice would involve provision of
3849 alternatives to such programs as: <B
3861 >PAM provides a mechanism that disconnects these security programs
3862 from the underlying authentication/authorization infrastructure.
3863 PAM is configured either through one file <TT
3867 or by editing individual files that are located in <TT
3872 >The following is an example <TT
3874 >/etc/pam.d/login</TT
3875 > configuration file.
3876 This example had all options been uncommented is probably not usable
3877 as it stacks many conditions before allowing successful completion
3878 of the login process. Essentially all conditions can be disabled
3879 by commenting them out except the calls to <TT
3885 CLASS="PROGRAMLISTING"
3887 # The PAM configuration file for the `login' service
3889 auth required pam_securetty.so
3890 auth required pam_nologin.so
3891 # auth required pam_dialup.so
3892 # auth optional pam_mail.so
3893 auth required pam_pwdb.so shadow md5
3894 # account requisite pam_time.so
3895 account required pam_pwdb.so
3896 session required pam_pwdb.so
3897 # session optional pam_lastlog.so
3898 # password required pam_cracklib.so retry=3
3899 password required pam_pwdb.so shadow md5</PRE
3902 >PAM allows use of replacable modules. Those available on a
3903 sample system include:</P
3906 CLASS="PROGRAMLISTING"
3907 >$ /bin/ls /lib/security
3908 pam_access.so pam_ftp.so pam_limits.so
3909 pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
3910 pam_cracklib.so pam_group.so pam_listfile.so
3911 pam_nologin.so pam_rootok.so pam_tally.so
3912 pam_deny.so pam_issue.so pam_mail.so
3913 pam_permit.so pam_securetty.so pam_time.so
3914 pam_dialup.so pam_lastlog.so pam_mkhomedir.so
3915 pam_pwdb.so pam_shells.so pam_unix.so
3916 pam_env.so pam_ldap.so pam_motd.so
3917 pam_radius.so pam_smbpass.so pam_unix_acct.so
3918 pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
3919 pam_userdb.so pam_warn.so pam_unix_session.so</PRE
3922 >The following example for the login program replaces the use of
3926 > module which uses the system
3927 password database (<TT
3941 > which uses the Samba
3942 database which contains the Microsoft MD4 encrypted password
3943 hashes. This database is stored in either
3946 >/usr/local/samba/private/smbpasswd</TT
3950 >/etc/samba/smbpasswd</TT
3954 >/etc/samba.d/smbpasswd</TT
3956 Samba implementation for your Unix/Linux system. The
3960 > module is provided by
3961 Samba version 2.2.1 or later. It can be compiled by specifying the
3964 >--with-pam_smbpass</B
3965 > options when running Samba's
3969 > script. For more information
3973 > module, see the documentation
3976 >source/pam_smbpass</TT
3977 > directory of the Samba
3978 source distribution.</P
3981 CLASS="PROGRAMLISTING"
3983 # The PAM configuration file for the `login' service
3985 auth required pam_smbpass.so nodelay
3986 account required pam_smbpass.so nodelay
3987 session required pam_smbpass.so nodelay
3988 password required pam_smbpass.so nodelay</PRE
3991 >The following is the PAM configuration file for a particular
3992 Linux system. The default condition uses <TT
3998 CLASS="PROGRAMLISTING"
4000 # The PAM configuration file for the `samba' service
4002 auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit
4003 account required /lib/security/pam_pwdb.so audit nodelay
4004 session required /lib/security/pam_pwdb.so nodelay
4005 password required /lib/security/pam_pwdb.so shadow md5</PRE
4008 >In the following example the decision has been made to use the
4009 smbpasswd database even for basic samba authentication. Such a
4010 decision could also be made for the passwd program and would
4011 thus allow the smbpasswd passwords to be changed using the passwd
4015 CLASS="PROGRAMLISTING"
4017 # The PAM configuration file for the `samba' service
4019 auth required /lib/security/pam_smbpass.so nodelay
4020 account required /lib/security/pam_pwdb.so audit nodelay
4021 session required /lib/security/pam_pwdb.so nodelay
4022 password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE
4025 >Note: PAM allows stacking of authentication mechanisms. It is
4026 also possible to pass information obtained within one PAM module through
4027 to the next module in the PAM stack. Please refer to the documentation for
4028 your particular system implementation for details regarding the specific
4029 capabilities of PAM in this environment. Some Linux implmentations also
4033 > module that allows all
4034 authentication to be configured in a single central file. The
4038 > method has some very devoted followers
4039 on the basis that it allows for easier administration. As with all issues in
4040 life though, every decision makes trade-offs, so you may want examine the
4041 PAM documentation for further helpful information.</P
4050 >4.2. Distributed Authentication</H2
4052 >The astute administrator will realize from this that the
4065 HREF="http://rsync.samba.org/"
4067 >http://rsync.samba.org/</A
4069 will allow the establishment of a centrally managed, distributed
4070 user/password database that can also be used by all
4071 PAM (eg: Linux) aware programs and applications. This arrangement
4072 can have particularly potent advantages compared with the
4073 use of Microsoft Active Directory Service (ADS) in so far as
4074 reduction of wide area network authentication traffic.</P
4083 >4.3. PAM Configuration in smb.conf</H2
4085 >There is an option in smb.conf called <A
4086 HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS"
4088 >obey pam restrictions</A
4090 The following is from the on-line help for this option in SWAT;</P
4092 >When Samba 2.2 is configure to enable PAM support (i.e.
4096 >), this parameter will
4097 control whether or not Samba should obey PAM's account
4098 and session management directives. The default behavior
4099 is to use PAM for clear text authentication only and to
4100 ignore any account or session management. Note that Samba always
4101 ignores PAM for authentication in the case of
4103 HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
4105 >encrypt passwords = yes</A
4107 The reason is that PAM modules cannot support the challenge/response
4108 authentication mechanism needed in the presence of SMB
4109 password encryption. </P
4113 >obey pam restrictions = no</B
4123 >Chapter 5. Hosting a Microsoft Distributed File System tree on Samba</H1
4131 >5.1. Instructions</H2
4133 >The Distributed File System (or Dfs) provides a means of
4134 separating the logical view of files and directories that users
4135 see from the actual physical locations of these resources on the
4136 network. It allows for higher availability, smoother storage expansion,
4137 load balancing etc. For more information about Dfs, refer to <A
4138 HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp"
4140 > Microsoft documentation</A
4143 >This document explains how to host a Dfs tree on a Unix
4144 machine (for Dfs-aware clients to browse) using Samba.</P
4146 >To enable SMB-based DFS for Samba, configure it with the
4152 > option. Once built, a
4153 Samba server can be made a Dfs server by setting the global
4155 HREF="smb.conf.5.html#HOSTMSDFS"
4163 > parameter in the <TT
4167 > file. You designate a share as a Dfs root using the share
4169 HREF="smb.conf.5.html#MSDFSROOT"
4177 > parameter. A Dfs root directory on
4178 Samba hosts Dfs links in the form of symbolic links that point
4179 to other servers. For example, a symbolic link
4182 >junction->msdfs:storage1\share1</TT
4184 the share directory acts as the Dfs junction. When Dfs-aware
4185 clients attempt to access the junction link, they are redirected
4186 to the storage location (in this case, \\storage1\share1).</P
4188 >Dfs trees on Samba work with all Dfs-aware clients ranging
4189 from Windows 95 to 2000.</P
4191 >Here's an example of setting up a Dfs tree on a Samba
4195 CLASS="PROGRAMLISTING"
4196 ># The smb.conf file:
4198 netbios name = SAMBA
4202 path = /export/dfsroot
4207 >In the /export/dfsroot directory we set up our dfs links to
4208 other servers on the network.</P
4216 >cd /export/dfsroot</B
4226 >chown root /export/dfsroot</B
4236 >chmod 755 /export/dfsroot</B
4246 >ln -s msdfs:storageA\\shareA linka</B
4256 >ln -s msdfs:serverB\\share,serverC\\share linkb</B
4260 >You should set up the permissions and ownership of
4261 the directory acting as the Dfs root such that only designated
4262 users can create, delete or modify the msdfs links. Also note
4263 that symlink names should be all lowercase. This limitation exists
4264 to have Samba avoid trying all the case combinations to get at
4265 the link name. Finally set up the symbolic links to point to the
4266 network shares you want, and start Samba.</P
4268 >Users on Dfs-aware clients can now browse the Dfs tree
4269 on the Samba server at \\samba\dfs. Accessing
4270 links linka or linkb (which appear as directories to the client)
4271 takes users directly to the appropriate shares on the network.</P
4285 >Windows clients need to be rebooted
4286 if a previously mounted non-dfs share is made a dfs
4287 root or vice versa. A better way is to introduce a
4288 new share and make it the dfs root.</P
4292 >Currently there's a restriction that msdfs
4293 symlink names should all be lowercase.</P
4297 >For security purposes, the directory
4298 acting as the root of the Dfs tree should have ownership
4299 and permissions set so that only designated users can
4300 modify the symbolic links in the directory.</P
4310 NAME="UNIX-PERMISSIONS"
4312 >Chapter 6. UNIX Permission Bits and Windows NT Access Control Lists</H1
4320 >6.1. Viewing and changing UNIX permissions using the NT
4321 security dialogs</H2
4323 >New in the Samba 2.0.4 release is the ability for Windows
4324 NT clients to use their native security settings dialog box to
4325 view and modify the underlying UNIX permissions.</P
4327 >Note that this ability is careful not to compromise
4328 the security of the UNIX host Samba is running on, and
4329 still obeys all the file permission rules that a Samba
4330 administrator can set.</P
4332 >In Samba 2.0.4 and above the default value of the
4334 HREF="smb.conf.5.html#NTACLSUPPORT"
4342 > has been changed from
4350 manipulation of permissions is turned on by default.</P
4359 >6.2. How to view file security on a Samba share</H2
4361 >From an NT 4.0 client, single-click with the right
4362 mouse button on any file or directory in a Samba mounted
4363 drive letter or UNC path. When the menu pops-up, click
4370 > entry at the bottom of
4371 the menu. This brings up the normal file properties dialog
4372 box, but with Samba 2.0.4 this will have a new tab along the top
4379 >. Click on this tab and you
4380 will see three buttons, <SPAN
4406 > button will cause either
4407 an error message <SPAN
4409 >A requested privilege is not held
4411 > to appear if the user is not the
4412 NT Administrator, or a dialog which is intended to allow an
4413 Administrator to add auditing requirements to a file if the
4414 user is logged on as the NT Administrator. This dialog is
4415 non-functional with a Samba share at this time, as the only
4416 useful button, the <B
4419 > button will not currently
4420 allow a list of users to be seen.</P
4429 >6.3. Viewing file ownership</H2
4435 brings up a dialog box telling you who owns the given file. The
4436 owner name will be of the form :</P
4440 >"SERVER\user (Long name)"</B
4448 > is the NetBIOS name of
4449 the Samba server, <TT
4454 > is the user name of
4455 the UNIX user who owns the file, and <TT
4461 is the descriptive string identifying the user (normally found in the
4462 GECOS field of the UNIX password database). Click on the <B
4466 > button to remove this dialog.</P
4468 >If the parameter <TT
4477 > then the file owner will
4478 be shown as the NT user <B
4486 > button will not allow
4487 you to change the ownership of this file to yourself (clicking on
4488 it will display a dialog box complaining that the user you are
4489 currently logged onto the NT client cannot be found). The reason
4490 for this is that changing the ownership of a file is a privileged
4491 operation in UNIX, available only to the <SPAN
4498 user. As clicking on this button causes NT to attempt to change
4499 the ownership of a file to the current user logged into the NT
4500 client this will not work with Samba at this time.</P
4502 >There is an NT chown command that will work with Samba
4503 and allow a user with Administrator privilege connected
4504 to a Samba 2.0.4 server as root to change the ownership of
4505 files on both a local NTFS filesystem or remote mounted NTFS
4506 or Samba drive. This is available as part of the <SPAN
4513 > NT security library written by Jeremy Allison of
4514 the Samba Team, available from the main Samba ftp site.</P
4523 >6.4. Viewing file or directory permissions</H2
4525 >The third button is the <B
4529 button. Clicking on this brings up a dialog box that shows both
4530 the permissions and the UNIX owner of the file or directory.
4531 The owner is displayed in the form :</P
4535 >"SERVER\user (Long name)"</B
4543 > is the NetBIOS name of
4544 the Samba server, <TT
4549 > is the user name of
4550 the UNIX user who owns the file, and <TT
4556 is the descriptive string identifying the user (normally found in the
4557 GECOS field of the UNIX password database).</P
4559 >If the parameter <TT
4568 > then the file owner will
4569 be shown as the NT user <B
4573 permissions will be shown as NT "Full Control".</P
4575 >The permissions field is displayed differently for files
4576 and directories, so I'll describe the way file permissions
4577 are displayed first.</P
4585 >6.4.1. File Permissions</H3
4587 >The standard UNIX user/group/world triple and
4588 the corresponding "read", "write", "execute" permissions
4589 triples are mapped by Samba into a three element NT ACL
4590 with the 'r', 'w', and 'x' bits mapped into the corresponding
4591 NT permissions. The UNIX world permissions are mapped into
4592 the global NT group <B
4596 by the list of permissions allowed for UNIX world. The UNIX
4597 owner and group permissions are displayed as an NT
4605 > icon respectively followed by the list
4606 of permissions allowed for the UNIX user and group.</P
4608 >As many UNIX permission sets don't map into common
4619 usually the permissions will be prefixed by the words <B
4621 > "Special Access"</B
4622 > in the NT display list.</P
4624 >But what happens if the file has no permissions allowed
4625 for a particular UNIX user group or world component ? In order
4626 to allow "no permissions" to be seen and modified then Samba
4629 >"Take Ownership"</B
4631 (which has no meaning in UNIX) and reports a component with
4632 no permissions as having the NT <B
4636 This was chosen of course to make it look like a zero, meaning
4637 zero permissions. More details on the decision behind this will
4647 >6.4.2. Directory Permissions</H3
4649 >Directories on an NT NTFS file system have two
4650 different sets of permissions. The first set of permissions
4651 is the ACL set on the directory itself, this is usually displayed
4652 in the first set of parentheses in the normal <B
4656 NT style. This first set of permissions is created by Samba in
4657 exactly the same way as normal file permissions are, described
4658 above, and is displayed in the same way.</P
4660 >The second set of directory permissions has no real meaning
4661 in the UNIX permissions world and represents the <B
4664 > permissions that any file created within
4665 this directory would inherit.</P
4667 >Samba synthesises these inherited permissions for NT by
4668 returning as an NT ACL the UNIX permission mode that a new file
4669 created by Samba on this share would receive.</P
4679 >6.5. Modifying file or directory permissions</H2
4681 >Modifying file and directory permissions is as simple
4682 as changing the displayed permissions in the dialog box, and
4686 > button. However, there are
4687 limitations that a user needs to be aware of, and also interactions
4688 with the standard Samba permission masks and mapping of DOS
4689 attributes that need to also be taken into account.</P
4691 >If the parameter <TT
4700 > then any attempt to set
4701 security permissions will fail with an <B
4707 >The first thing to note is that the <B
4711 button will not return a list of users in Samba 2.0.4 (it will give
4712 an error message of <B
4714 >"The remote procedure call failed
4715 and did not execute"</B
4716 >). This means that you can only
4717 manipulate the current user/group/world permissions listed in
4718 the dialog box. This actually works quite well as these are the
4719 only permissions that UNIX actually has.</P
4721 >If a permission triple (either user, group, or world)
4722 is removed from the list of permissions in the NT dialog box,
4726 > button is pressed it will
4727 be applied as "no permissions" on the UNIX side. If you then
4728 view the permissions again the "no permissions" entry will appear
4732 > flag, as described above. This
4733 allows you to add permissions back to a file or directory once
4734 you have removed them from a triple component.</P
4736 >As UNIX supports only the "r", "w" and "x" bits of
4737 an NT ACL then if other NT security attributes such as "Delete
4738 access" are selected then they will be ignored when applied on
4739 the Samba server.</P
4741 >When setting permissions on a directory the second
4742 set of permissions (in the second set of parentheses) is
4743 by default applied to all files within that directory. If this
4744 is not what you want you must uncheck the <B
4747 permissions on existing files"</B
4748 > checkbox in the NT
4749 dialog before clicking <B
4754 >If you wish to remove all permissions from a
4755 user/group/world component then you may either highlight the
4756 component and click the <B
4760 or set the component to only have the special <B
4764 > permission (displayed as <B
4777 >6.6. Interaction with the standard Samba create mask
4780 >Note that with Samba 2.0.5 there are four new parameters
4781 to control this interaction. These are :</P
4793 >force security mode</I
4800 >directory security mask</I
4807 >force directory security mode</I
4811 >Once a user clicks <B
4815 permissions Samba maps the given permissions into a user/group/world
4816 r/w/x triple set, and then will check the changed permissions for a
4817 file against the bits set in the <A
4818 HREF="smb.conf.5.html#SECURITYMASK"
4827 > parameter. Any bits that
4828 were changed that are not set to '1' in this parameter are left alone
4829 in the file permissions.</P
4831 >Essentially, zero bits in the <TT
4837 mask may be treated as a set of bits the user is <SPAN
4844 allowed to change, and one bits are those the user is allowed to change.
4847 >If not set explicitly this parameter is set to the same value as
4849 HREF="smb.conf.5.html#CREATEMASK"
4858 > parameter to provide compatibility with Samba 2.0.4
4859 where this permission change facility was introduced. To allow a user to
4860 modify all the user/group/world permissions on a file, set this parameter
4863 >Next Samba checks the changed permissions for a file against
4864 the bits set in the <A
4865 HREF="smb.conf.5.html#FORCESECURITYMODE"
4870 >force security mode</I
4873 > parameter. Any bits
4874 that were changed that correspond to bits set to '1' in this parameter
4875 are forced to be set.</P
4877 >Essentially, bits set in the <TT
4880 >force security mode
4883 > parameter may be treated as a set of bits that, when
4884 modifying security on a file, the user has always set to be 'on'.</P
4886 >If not set explicitly this parameter is set to the same value
4888 HREF="smb.conf.5.html#FORCECREATEMODE"
4897 > parameter to provide compatibility
4898 with Samba 2.0.4 where the permission change facility was introduced.
4899 To allow a user to modify all the user/group/world permissions on a file
4900 with no restrictions set this parameter to 000.</P
4913 > parameters are applied to the change
4914 request in that order.</P
4916 >For a directory Samba will perform the same operations as
4917 described above for a file except using the parameter <TT
4920 > directory security mask</I
4931 >force directory security mode
4934 > parameter instead of <TT
4937 >force security mode
4945 >directory security mask</I
4948 by default is set to the same value as the <TT
4954 > parameter and the <TT
4957 >force directory security
4960 > parameter by default is set to the same value as
4964 >force directory mode</I
4966 > parameter to provide
4967 compatibility with Samba 2.0.4 where the permission change facility
4970 >In this way Samba enforces the permission restrictions that
4971 an administrator can set on a Samba share, whilst still allowing users
4972 to modify the permission bits within that restriction.</P
4974 >If you want to set up a share that allows users full control
4975 in modifying the permission bits on their files and directories and
4976 doesn't force any particular bits to be set 'on', then set the following
4977 parameters in the <A
4978 HREF="smb.conf.5.html"
4985 > file in that share specific section :</P
4990 >security mask = 0777</I
4997 >force security mode = 0</I
5004 >directory security mask = 0777</I
5011 >force directory security mode = 0</I
5015 >As described, in Samba 2.0.4 the parameters :</P
5027 >force create mode</I
5041 >force directory mode</I
5045 >were used instead of the parameters discussed here.</P
5054 >6.7. Interaction with the standard Samba file attribute
5057 >Samba maps some of the DOS attribute bits (such as "read
5058 only") into the UNIX permissions of a file. This means there can
5059 be a conflict between the permission bits set via the security
5060 dialog and the permission bits set by the file attribute mapping.
5063 >One way this can show up is if a file has no UNIX read access
5064 for the owner it will show up as "read only" in the standard
5065 file attributes tabbed dialog. Unfortunately this dialog is
5066 the same one that contains the security info in another tab.</P
5068 >What this can mean is that if the owner changes the permissions
5069 to allow themselves read access using the security dialog, clicks
5073 > to get back to the standard attributes tab
5074 dialog, and then clicks <B
5077 > on that dialog, then
5078 NT will set the file permissions back to read-only (as that is what
5079 the attributes still say in the dialog). This means that after setting
5080 permissions and clicking <B
5083 > to get back to the
5084 attributes dialog you should always hit <B
5091 > to ensure that your changes
5092 are not overridden.</P
5101 >Chapter 7. Printing Support in Samba 2.2.x</H1
5109 >7.1. Introduction</H2
5111 >Beginning with the 2.2.0 release, Samba supports
5112 the native Windows NT printing mechanisms implemented via
5113 MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of
5114 Samba only supported LanMan printing calls.</P
5116 >The additional functionality provided by the new
5117 SPOOLSS support includes:</P
5123 >Support for downloading printer driver
5124 files to Windows 95/98/NT/2000 clients upon demand.
5129 >Uploading of printer drivers via the
5130 Windows NT Add Printer Wizard (APW) or the
5131 Imprints tool set (refer to <A
5132 HREF="http://imprints.sourceforge.net"
5134 >http://imprints.sourceforge.net</A
5140 >Support for the native MS-RPC printing
5141 calls such as StartDocPrinter, EnumJobs(), etc... (See
5142 the MSDN documentation at <A
5143 HREF="http://msdn.microsoft.com/"
5145 >http://msdn.microsoft.com/</A
5147 for more information on the Win32 printing API)
5152 >Support for NT Access Control Lists (ACL)
5153 on printer objects</P
5157 >Improved support for printer queue manipulation
5158 through the use of an internal databases for spooled job
5163 >There has been some initial confusion about what all this means
5164 and whether or not it is a requirement for printer drivers to be
5165 installed on a Samba host in order to support printing from Windows
5166 clients. A bug existed in Samba 2.2.0 which made Windows NT/2000 clients
5167 require that the Samba server possess a valid driver for the printer.
5168 This is fixed in Samba 2.2.1 and once again, Windows NT/2000 clients
5169 can use the local APW for installing drivers to be used with a Samba
5170 served printer. This is the same behavior exhibited by Windows 9x clients.
5171 As a side note, Samba does not use these drivers in any way to process
5172 spooled files. They are utilized entirely by the clients.</P
5174 >The following MS KB article, may be of some help if you are dealing with
5175 Windows 2000 clients: <SPAN
5179 >How to Add Printers with No User
5180 Interaction in Windows 2000</I
5185 HREF="http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP"
5187 >http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP</A
5197 >7.2. Configuration</H2
5212 SRC="/docbook-dsssl/warning.gif"
5219 >[print$] vs. [printer$]</B
5229 >Previous versions of Samba recommended using a share named [printer$].
5230 This name was taken from the printer$ service created by Windows 9x
5231 clients when a printer was shared. Windows 9x printer servers always have
5232 a printer$ service which provides read-only access via no
5233 password in order to support printer driver downloads.</P
5235 >However, the initial implementation allowed for a
5239 >printer driver location</I
5242 to be used on a per share basis to specify the location of
5243 the driver files associated with that printer. Another
5250 a means of defining the printer driver name to be sent to
5253 >These parameters, including <TT
5259 > parameter, are being deprecated and should not
5260 be used in new installations. For more information on this change,
5261 you should refer to the <A
5263 >Migration section</A
5265 of this document.</P
5277 >7.2.1. Creating [print$]</H3
5279 >In order to support the uploading of printer driver
5280 files, you must first configure a file share named [print$].
5281 The name of this share is hard coded in Samba's internals so
5282 the name is very important (print$ is the service used by
5283 Windows NT print servers to provide support for printer driver
5286 >You should modify the server's smb.conf file to add the global
5287 parameters and to create the
5288 following file share (of course, some of the parameter values,
5289 such as 'path' are arbitrary and should be replaced with
5290 appropriate values for your site):</P
5293 CLASS="PROGRAMLISTING"
5295 ; members of the ntadmin group should be able
5296 ; to add drivers and set printer properties
5297 ; root is implicitly a 'printer admin'
5298 printer admin = @ntadmin
5301 path = /usr/local/samba/printers
5305 ; since this share is configured as read only, then we need
5306 ; a 'write list'. Check the file system permissions to make
5307 ; sure this account can copy files to the share. If this
5308 ; is setup to a non-root account, then it should also exist
5309 ; as a 'printer admin'
5310 write list = @ntadmin,root</PRE
5314 HREF="smb.conf.5.html#WRITELIST"
5322 > is used to allow administrative
5323 level user accounts to have write access in order to update files
5324 on the share. See the <A
5325 HREF="smb.conf.5.html"
5329 > for more information on configuring file shares.</P
5331 >The requirement for <A
5332 HREF="smb.conf.5.html#GUESTOK"
5339 > depends upon how your
5340 site is configured. If users will be guaranteed to have
5341 an account on the Samba host, then this is a non-issue.</P
5356 SRC="/docbook-dsssl/note.gif"
5373 >The non-issue is that if all your Windows NT users are guaranteed to be
5374 authenticated by the Samba server (such as a domain member server and the NT
5375 user has already been validated by the Domain Controller in
5376 order to logon to the Windows NT console), then guest access
5377 is not necessary. Of course, in a workgroup environment where
5378 you just want to be able to print without worrying about
5379 silly accounts and security, then configure the share for
5380 guest access. You'll probably want to add <A
5381 HREF="smb.conf.5.html#MAPTOGUEST"
5385 >map to guest = Bad User</B
5387 > in the [global] section as well. Make sure
5388 you understand what this parameter does before using it
5395 >In order for a Windows NT print server to support
5396 the downloading of driver files by multiple client architectures,
5397 it must create subdirectories within the [print$] service
5398 which correspond to each of the supported client architectures.
5399 Samba follows this model as well.</P
5401 >Next create the directory tree below the [print$] share
5402 for each architecture you wish to support.</P
5405 CLASS="PROGRAMLISTING"
5407 |-W32X86 ; "Windows NT x86"
5408 |-WIN40 ; "Windows 95/98"
5409 |-W32ALPHA ; "Windows NT Alpha_AXP"
5410 |-W32MIPS ; "Windows NT R4000"
5411 |-W32PPC ; "Windows NT PowerPC"</PRE
5427 SRC="/docbook-dsssl/warning.gif"
5434 >ATTENTION! REQUIRED PERMISSIONS</B
5444 >In order to currently add a new driver to you Samba host,
5445 one of two conditions must hold true:</P
5451 >The account used to connect to the Samba host
5452 must have a uid of 0 (i.e. a root account)</P
5456 >The account used to connect to the Samba host
5457 must be a member of the <A
5458 HREF="smb.conf.5.html#PRINTERADMIN"
5471 >Of course, the connected account must still possess access
5472 to add files to the subdirectories beneath [print$]. Remember
5473 that all file shares are set to 'read only' by default.</P
5479 >Once you have created the required [print$] service and
5480 associated subdirectories, simply log onto the Samba server using
5487 from a Windows NT 4.0/2k client. Open "Network Neighbourhood" or
5488 "My Network Places" and browse for the Samba host. Once you have located
5489 the server, navigate to the "Printers..." folder.
5490 You should see an initial listing of printers
5491 that matches the printer shares defined on your Samba host.</P
5500 >7.2.2. Setting Drivers for Existing Printers</H3
5502 >The initial listing of printers in the Samba host's
5503 Printers folder will have no real printer driver assigned
5504 to them. By default, in Samba 2.2.0 this driver name was set to
5509 >NO PRINTER DRIVER AVAILABLE FOR THIS PRINTER</I
5512 Later versions changed this to a NULL string to allow the use
5513 tof the local Add Printer Wizard on NT/2000 clients.
5514 Attempting to view the printer properties for a printer
5515 which has this default driver assigned will result in
5516 the error message:</P
5522 >Device settings cannot be displayed. The driver
5523 for the specified printer is not installed, only spooler
5524 properties will be displayed. Do you want to install the
5529 >Click "No" in the error dialog and you will be presented with
5530 the printer properties window. The way to assign a driver to a
5531 printer is to either</P
5537 >Use the "New Driver..." button to install
5538 a new printer driver, or</P
5542 >Select a driver from the popup list of
5543 installed drivers. Initially this list will be empty.</P
5547 >If you wish to install printer drivers for client
5548 operating systems other than "Windows NT x86", you will need
5549 to use the "Sharing" tab of the printer properties dialog.</P
5551 >Assuming you have connected with a root account, you
5552 will also be able modify other printer properties such as
5553 ACLs and device settings using this dialog box.</P
5555 >A few closing comments for this section, it is possible
5556 on a Windows NT print server to have printers
5557 listed in the Printers folder which are not shared. Samba does
5558 not make this distinction. By definition, the only printers of
5559 which Samba is aware are those which are specified as shares in
5565 >Another interesting side note is that Windows NT clients do
5566 not use the SMB printer share, but rather can print directly
5567 to any printer on another Windows NT host using MS-RPC. This
5568 of course assumes that the printing client has the necessary
5569 privileges on the remote host serving the printer. The default
5570 permissions assigned by Windows NT to a printer gives the "Print"
5571 permissions to the "Everyone" well-known group.</P
5580 >7.2.3. Support a large number of printers</H3
5582 >One issue that has arisen during the development
5583 phase of Samba 2.2 is the need to support driver downloads for
5584 100's of printers. Using the Windows NT APW is somewhat
5585 awkward to say the list. If more than one printer are using the
5587 HREF="rpcclient.1.html"
5592 setdriver command</B
5594 > can be used to set the driver
5595 associated with an installed driver. The following is example
5596 of how this could be accomplished:</P
5599 CLASS="PROGRAMLISTING"
5604 >rpcclient pogo -U root%secret -c "enumdrivers"
5605 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
5608 Printer Driver Info 1:
5609 Driver Name: [HP LaserJet 4000 Series PS]
5611 Printer Driver Info 1:
5612 Driver Name: [HP LaserJet 2100 Series PS]
5614 Printer Driver Info 1:
5615 Driver Name: [HP LaserJet 4Si/4SiMX PS]
5620 >rpcclient pogo -U root%secret -c "enumprinters"
5621 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
5623 name:[\\POGO\hp-print]
5624 description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
5630 >rpcclient pogo -U root%secret \
5634 > -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
5635 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
5636 Successfully set hp-print to driver HP LaserJet 4000 Series PS.</PRE
5646 >7.2.4. Adding New Printers via the Windows NT APW</H3
5648 >By default, Samba offers all printer shares defined in <TT
5652 in the "Printers..." folder. Also existing in this folder is the Windows NT
5653 Add Printer Wizard icon. The APW will be show only if</P
5659 >The connected user is able to successfully
5660 execute an OpenPrinterEx(\\server) with administrative
5661 privileges (i.e. root or <TT
5672 HREF="smb.conf.5.html#SHOWADDPRINTERWIZARD"
5678 add printer wizard = yes</I
5686 >In order to be able to use the APW to successfully add a printer to a Samba
5688 HREF="smb.conf.5.html#ADDPRINTERCOMMAND"
5697 > must have a defined value. The program
5698 hook must successfully add the printer to the system (i.e.
5702 > or appropriate files) and
5708 >When using the APW from a client, if the named printer share does
5712 > will execute the <TT
5718 > and reparse to the <TT
5722 to attempt to locate the new printer share. If the share is still not defined,
5723 an error of "Access Denied" is returned to the client. Note that the
5727 >add printer program</I
5729 > is executed under the context
5730 of the connected user, not necessarily a root account.</P
5732 >There is a complementary <A
5733 HREF="smb.conf.5.html#DELETEPRINTERCOMMAND"
5742 > for removing entries from the "Printers..."
5745 >The following is an example <A
5746 HREF="smb.conf.5.html#ADDPRINTERCOMMAN"
5751 >add printer command</I
5754 > script. It adds the appropriate entries to <TT
5756 >/etc/printcap.local</TT
5757 > (change that to what you need) and returns a line of 'Done' which is needed for the whole process to work.</P
5759 CLASS="PROGRAMLISTING"
5762 # Script to insert a new printer entry into printcap.local
5764 # $1, printer name, used as the descriptive name
5765 # $2, share name, used as the printer name for Linux
5768 # $5, location, used for the device file of the printer
5769 # $6, win9x location
5772 # Make sure we use the location that RedHat uses for local printer defs
5773 PRINTCAP=/etc/printcap.local
5774 DATE=`date +%Y%m%d-%H%M%S`
5776 RESTART="service lpd restart"
5779 cp $PRINTCAP $PRINTCAP.$DATE
5780 # Add the printer to $PRINTCAP
5781 echo "" >> $PRINTCAP
5782 echo "$2|$1:\\" >> $PRINTCAP
5783 echo " :sd=/var/spool/lpd/$2:\\" >> $PRINTCAP
5784 echo " :mx=0:ml=0:sh:\\" >> $PRINTCAP
5785 echo " :lp=/usr/local/samba/var/print/$5.prn:" >> $PRINTCAP
5787 touch "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1
5788 chown $LP "/usr/local/samba/var/print/$5.prn" >> /tmp/printadd.$$ 2>&1
5790 mkdir /var/spool/lpd/$2
5791 chmod 700 /var/spool/lpd/$2
5792 chown $LP /var/spool/lpd/$2
5793 #echo $1 >> "/usr/local/samba/var/print/$5.prn"
5794 #echo $2 >> "/usr/local/samba/var/print/$5.prn"
5795 #echo $3 >> "/usr/local/samba/var/print/$5.prn"
5796 #echo $4 >> "/usr/local/samba/var/print/$5.prn"
5797 #echo $5 >> "/usr/local/samba/var/print/$5.prn"
5798 #echo $6 >> "/usr/local/samba/var/print/$5.prn"
5799 $RESTART >> "/usr/local/samba/var/print/$5.prn"
5800 # Not sure if this is needed
5801 touch /usr/local/samba/lib/smb.conf
5803 # You need to return a value, but I am not sure what it means.
5815 >7.2.5. Samba and Printer Ports</H3
5817 >Windows NT/2000 print servers associate a port with each printer. These normally
5818 take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the
5819 concept of ports associated with a printer. By default, only one printer port,
5820 named "Samba Printer Port", exists on a system. Samba does not really a port in
5821 order to print, rather it is a requirement of Windows clients. </P
5823 >Note that Samba does not support the concept of "Printer Pooling" internally
5824 either. This is when a logical printer is assigned to multiple ports as
5825 a form of load balancing or fail over.</P
5827 >If you require that multiple ports be defined for some reason,
5832 HREF="smb.conf.5.html#ENUMPORTSCOMMAND"
5841 > which can be used to define an external program
5842 that generates a listing of ports on a system.</P
5852 >7.3. The Imprints Toolset</H2
5854 >The Imprints tool set provides a UNIX equivalent of the
5855 Windows NT Add Printer Wizard. For complete information, please
5856 refer to the Imprints web site at <A
5857 HREF="http://imprints.sourceforge.net/"
5859 > http://imprints.sourceforge.net/</A
5860 > as well as the documentation
5861 included with the imprints source distribution. This section will
5862 only provide a brief introduction to the features of Imprints.</P
5870 >7.3.1. What is Imprints?</H3
5872 >Imprints is a collection of tools for supporting the goals
5879 >Providing a central repository information
5880 regarding Windows NT and 95/98 printer driver packages</P
5884 >Providing the tools necessary for creating
5885 the Imprints printer driver packages.</P
5889 >Providing an installation client which
5890 will obtain and install printer drivers on remote Samba
5891 and Windows NT 4 print servers.</P
5902 >7.3.2. Creating Printer Driver Packages</H3
5904 >The process of creating printer driver packages is beyond
5905 the scope of this document (refer to Imprints.txt also included
5906 with the Samba distribution for more information). In short,
5907 an Imprints driver package is a gzipped tarball containing the
5908 driver files, related INF files, and a control file needed by the
5909 installation client.</P
5918 >7.3.3. The Imprints server</H3
5920 >The Imprints server is really a database server that
5921 may be queried via standard HTTP mechanisms. Each printer
5922 entry in the database has an associated URL for the actual
5923 downloading of the package. Each package is digitally signed
5924 via GnuPG which can be used to verify that package downloaded
5925 is actually the one referred in the Imprints database. It is
5932 > recommended that this security check
5942 >7.3.4. The Installation Client</H3
5944 >More information regarding the Imprints installation client
5945 is available in the <TT
5947 >Imprints-Client-HOWTO.ps</TT
5949 file included with the imprints source package.</P
5951 >The Imprints installation client comes in two forms.</P
5957 >a set of command line Perl scripts</P
5961 >a GTK+ based graphical interface to
5962 the command line perl scripts</P
5966 >The installation client (in both forms) provides a means
5967 of querying the Imprints database server for a matching
5968 list of known printer model names as well as a means to
5969 download and install the drivers on remote Samba and Windows
5970 NT print servers.</P
5972 >The basic installation process is in four steps and
5973 perl code is wrapped around <B
5983 CLASS="PROGRAMLISTING"
5985 foreach (supported architecture for a given driver)
5987 1. rpcclient: Get the appropriate upload directory
5988 on the remote server
5989 2. smbclient: Upload the driver files
5990 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
5993 4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually
5994 create the printer</PRE
5997 >One of the problems encountered when implementing
5998 the Imprints tool set was the name space issues between
5999 various supported client architectures. For example, Windows
6000 NT includes a driver named "Apple LaserWriter II NTX v51.8"
6001 and Windows 95 calls its version of this driver "Apple
6002 LaserWriter II NTX"</P
6004 >The problem is how to know what client drivers have
6005 been uploaded for a printer. As astute reader will remember
6006 that the Windows NT Printer Properties dialog only includes
6007 space for one printer driver name. A quick look in the
6008 Windows NT 4.0 system registry at</P
6012 >HKLM\System\CurrentControlSet\Control\Print\Environment
6016 >will reveal that Windows NT always uses the NT driver
6017 name. This is ok as Windows NT always requires that at least
6018 the Windows NT version of the printer driver is present.
6019 However, Samba does not have the requirement internally.
6020 Therefore, how can you use the NT driver name if is has not
6021 already been installed?</P
6023 >The way of sidestepping this limitation is to require
6024 that all Imprints printer driver packages include both the Intel
6025 Windows NT and 95/98 printer drivers and that NT driver is
6039 >Migration to from Samba 2.0.x to 2.2.x</H2
6041 >Given that printer driver management has changed (we hope improved) in
6042 2.2 over prior releases, migration from an existing setup to 2.2 can
6043 follow several paths. Here are the possible scenarios for
6050 >If you do not desire the new Windows NT
6051 print driver support, nothing needs to be done.
6052 All existing parameters work the same.</P
6056 >If you want to take advantage of NT printer
6057 driver support but do not want to migrate the
6058 9x drivers to the new setup, the leave the existing
6062 > file. When smbd attempts
6064 9x driver for the printer in the TDB and fails it
6065 will drop down to using the printers.def (and all
6066 associated parameters). The <B
6070 tool will also remain for backwards compatibility but will
6071 be removed in the next major release.</P
6075 >If you install a Windows 9x driver for a printer
6076 on your Samba host (in the printing TDB), this information will
6077 take precedence and the three old printing parameters
6078 will be ignored (including print driver location).</P
6082 >If you want to migrate an existing <TT
6086 file into the new setup, the current only solution is to use the Windows
6087 NT APW to install the NT drivers and the 9x drivers. This can be scripted
6095 Imprints installation client at <A
6096 HREF="http://imprints.sourceforge.net/"
6098 >http://imprints.sourceforge.net/</A
6118 SRC="/docbook-dsssl/warning.gif"
6138 > parameters are considered to
6139 be deprecated and will be removed soon. Do not use them in new
6149 >printer driver file (G)</I
6159 >printer driver (S)</I
6169 >printer driver location (S)</I
6180 >The have been two new parameters add in Samba 2.2.2 to for
6181 better support of Samba 2.0.x backwards capability (<TT
6187 >) and for using local printers drivers on Windows
6188 NT/2000 clients (<TT
6191 >use client driver</I
6194 these options are described in the smb.coinf(5) man page and are
6195 disabled by default.</P
6202 NAME="PRINTINGDEBUG"
6204 >Chapter 8. Debugging Printing Problems</H1
6212 >8.1. Introduction</H2
6214 >This is a short description of how to debug printing problems with
6215 Samba. This describes how to debug problems with printing from a SMB
6216 client to a Samba server, not the other way around. For the reverse
6217 see the examples/printing directory.</P
6219 >Ok, so you want to print to a Samba server from your PC. The first
6220 thing you need to understand is that Samba does not actually do any
6221 printing itself, it just acts as a middleman between your PC client
6222 and your Unix printing subsystem. Samba receives the file from the PC
6223 then passes the file to a external "print command". What print command
6224 you use is up to you.</P
6226 >The whole things is controlled using options in smb.conf. The most
6227 relevant options (which you should look up in the smb.conf man page)
6231 CLASS="PROGRAMLISTING"
6233 print command - send a file to a spooler
6234 lpq command - get spool queue status
6235 lprm command - remove a job
6237 path = /var/spool/lpd/samba</PRE
6240 >The following are nice to know about:</P
6243 CLASS="PROGRAMLISTING"
6244 > queuepause command - stop a printer or print queue
6245 queueresume command - start a printer or print queue</PRE
6251 CLASS="PROGRAMLISTING"
6252 > print command = /usr/bin/lpr -r -P%p %s
6253 lpq command = /usr/bin/lpq -P%p %s
6254 lprm command = /usr/bin/lprm -P%p %j
6255 queuepause command = /usr/sbin/lpc -P%p stop
6256 queuepause command = /usr/sbin/lpc -P%p start</PRE
6259 >Samba should set reasonable defaults for these depending on your
6260 system type, but it isn't clairvoyant. It is not uncommon that you
6261 have to tweak these for local conditions. The commands should
6262 always have fully specified pathnames, as the smdb may not have
6263 the correct PATH values.</P
6265 >When you send a job to Samba to be printed, it will make a temporary
6266 copy of it in the directory specified in the [printers] section.
6267 and it should be periodically cleaned out. The lpr -r option
6268 requests that the temporary copy be removed after printing; If
6269 printing fails then you might find leftover files in this directory,
6270 and it should be periodically cleaned out. Samba used the lpq
6271 command to determine the "job number" assigned to your print job
6274 >The %>letter< are "macros" that get dynamically replaced with appropriate
6275 values when they are used. The %s gets replaced with the name of the spool
6276 file that Samba creates and the %p gets replaced with the name of the
6277 printer. The %j gets replaced with the "job number" which comes from
6287 >8.2. Debugging printer problems</H2
6289 >One way to debug printing problems is to start by replacing these
6290 command with shell scripts that record the arguments and the contents
6291 of the print file. A simple example of this kind of things might
6295 CLASS="PROGRAMLISTING"
6296 > print command = /tmp/saveprint %p %s
6299 # we make sure that we are the right user
6300 /usr/bin/id -p >/tmp/tmp.print
6301 # we run the command and save the error messages
6302 # replace the command with the one appropriate for your system
6303 /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print</PRE
6306 >Then you print a file and try removing it. You may find that the
6307 print queue needs to be stopped in order to see the queue status
6308 and remove the job:</P
6311 CLASS="PROGRAMLISTING"
6312 > h4: {42} % echo hi >/tmp/hi
6313 h4: {43} % smbclient //localhost/lw4
6314 added interface ip=10.0.0.4 bcast=10.0.0.255 nmask=255.255.255.0
6316 Domain=[ASTART] OS=[Unix] Server=[Samba 2.0.7]
6317 smb: \> print /tmp/hi
6318 putting file /tmp/hi as hi-17534 (0.0 kb/s) (average 0.0 kb/s)
6321 smb: \> cancel 1049
6322 Error cancelling job 1049 : code 0
6323 smb: \> cancel 1049
6326 smb: \> exit</PRE
6329 >The 'code 0' indicates that the job was removed. The comment
6330 by the smbclient is a bit misleading on this.
6331 You can observe the command output and then and look at the
6332 /tmp/tmp.print file to see what the results are. You can quickly
6333 find out if the problem is with your printing system. Often people
6334 have problems with their /etc/printcap file or permissions on
6335 various print queues.</P
6344 >8.3. What printers do I have?</H2
6346 >You can use the 'testprns' program to check to see if the printer
6347 name you are using is recognized by Samba. For example, you can
6351 CLASS="PROGRAMLISTING"
6352 > testprns printer /etc/printcap</PRE
6355 >Samba can get its printcap information from a file or from a program.
6356 You can try the following to see the format of the extracted
6360 CLASS="PROGRAMLISTING"
6361 > testprns -a printer /etc/printcap
6363 testprns -a printer '|/bin/cat printcap'</PRE
6373 >8.4. Setting up printcap and print servers</H2
6375 >You may need to set up some printcaps for your Samba system to use.
6376 It is strongly recommended that you use the facilities provided by
6377 the print spooler to set up queues and printcap information.</P
6379 >Samba requires either a printcap or program to deliver printcap
6380 information. This printcap information has the format:</P
6383 CLASS="PROGRAMLISTING"
6384 > name|alias1|alias2...:option=value:...</PRE
6387 >For almost all printing systems, the printer 'name' must be composed
6388 only of alphanumeric or underscore '_' characters. Some systems also
6389 allow hyphens ('-') as well. An alias is an alternative name for the
6390 printer, and an alias with a space in it is used as a 'comment'
6391 about the printer. The printcap format optionally uses a \ at the end of lines
6392 to extend the printcap to multiple lines.</P
6394 >Here are some examples of printcap files:</P
6402 >pr just printer name</P
6406 >pr|alias printer name and alias</P
6410 >pr|My Printer printer name, alias used as comment</P
6414 >pr:sh:\ Same as pr:sh:cm= testing
6420 >pr:sh Same as pr:sh:cm= testing
6426 >Samba reads the printcap information when first started. If you make
6427 changes in the printcap information, then you must do the following:</P
6434 >make sure that the print spooler is aware of these changes.
6435 The LPRng system uses the 'lpc reread' command to do this.</P
6439 >make sure that the spool queues, etc., exist and have the
6440 correct permissions. The LPRng system uses the 'checkpc -f'
6441 command to do this.</P
6445 >You now should send a SIGHUP signal to the smbd server to have
6446 it reread the printcap information.</P
6457 >8.5. Job sent, no output</H2
6459 >This is the most frustrating part of printing. You may have sent the
6460 job, verified that the job was forwarded, set up a wrapper around
6461 the command to send the file, but there was no output from the printer.</P
6463 >First, check to make sure that the job REALLY is getting to the
6464 right print queue. If you are using a BSD or LPRng print spooler,
6465 you can temporarily stop the printing of jobs. Jobs can still be
6466 submitted, but they will not be printed. Use:</P
6469 CLASS="PROGRAMLISTING"
6470 > lpc -Pprinter stop</PRE
6473 >Now submit a print job and then use 'lpq -Pprinter' to see if the
6474 job is in the print queue. If it is not in the print queue then
6475 you will have to find out why it is not being accepted for printing.</P
6477 >Next, you may want to check to see what the format of the job really
6478 was. With the assistance of the system administrator you can view
6479 the submitted jobs files. You may be surprised to find that these
6480 are not in what you would expect to call a printable format.
6481 You can use the UNIX 'file' utitily to determine what the job
6482 format actually is:</P
6485 CLASS="PROGRAMLISTING"
6486 > cd /var/spool/lpd/printer # spool directory of print jobs
6488 file dfA001myhost</PRE
6491 >You should make sure that your printer supports this format OR that
6492 your system administrator has installed a 'print filter' that will
6493 convert the file to a format appropriate for your printer.</P
6502 >8.6. Job sent, strange output</H2
6504 >Once you have the job printing, you can then start worrying about
6505 making it print nicely.</P
6507 >The most common problem is extra pages of output: banner pages
6508 OR blank pages at the end.</P
6510 >If you are getting banner pages, check and make sure that the
6511 printcap option or printer option is configured for no banners.
6512 If you have a printcap, this is the :sh (suppress header or banner
6513 page) option. You should have the following in your printer.</P
6516 CLASS="PROGRAMLISTING"
6517 > printer: ... :sh</PRE
6520 >If you have this option and are still getting banner pages, there
6521 is a strong chance that your printer is generating them for you
6522 automatically. You should make sure that banner printing is disabled
6523 for the printer. This usually requires using the printer setup software
6524 or procedures supplied by the printer manufacturer.</P
6526 >If you get an extra page of output, this could be due to problems
6527 with your job format, or if you are generating PostScript jobs,
6528 incorrect setting on your printer driver on the MicroSoft client.
6529 For example, under Win95 there is a option:</P
6532 CLASS="PROGRAMLISTING"
6533 > Printers|Printer Name|(Right Click)Properties|Postscript|Advanced|</PRE
6536 >that allows you to choose if a Ctrl-D is appended to all jobs.
6537 This is a very bad thing to do, as most spooling systems will
6538 automatically add a ^D to the end of the job if it is detected as
6539 PostScript. The multiple ^D may cause an additional page of output.</P
6548 >8.7. Raw PostScript printed</H2
6550 >This is a problem that is usually caused by either the print spooling
6551 system putting information at the start of the print job that makes
6552 the printer think the job is a text file, or your printer simply
6553 does not support PostScript. You may need to enable 'Automatic
6554 Format Detection' on your printer.</P
6563 >8.8. Advanced Printing</H2
6565 >Note that you can do some pretty magic things by using your
6566 imagination with the "print command" option and some shell scripts.
6567 Doing print accounting is easy by passing the %U option to a print
6568 command shell script. You could even make the print command detect
6569 the type of output and its size and send it to an appropriate
6579 >8.9. Real debugging</H2
6581 >If the above debug tips don't help, then maybe you need to bring in
6582 the bug guns, system tracing. See Tracing.txt in this directory.</P
6589 NAME="SECURITYLEVELS"
6591 >Chapter 9. Security levels</H1
6599 >9.1. Introduction</H2
6601 >Samba supports the following options to the global smb.conf parameter</P
6604 CLASS="PROGRAMLISTING"
6607 HREF="smb.conf.5.html#SECURITY"
6615 > = [share|user(default)|domain|ads]</PRE
6618 >Please refer to the smb.conf man page for usage information and to the document
6620 HREF="DOMAIN_MEMBER.html"
6622 >DOMAIN_MEMBER.html</A
6623 > for further background details
6624 on domain mode security. The Windows 2000 Kerberos domain security model
6625 (security = ads) is described in the <A
6626 HREF="ADS-HOWTO.html"
6631 >Of the above, "security = server" means that Samba reports to clients that
6632 it is running in "user mode" but actually passes off all authentication
6633 requests to another "user mode" server. This requires an additional
6634 parameter "password server =" that points to the real authentication server.
6635 That real authentication server can be another Samba server or can be a
6636 Windows NT server, the later natively capable of encrypted password support.</P
6645 >9.2. More complete description of security levels</H2
6647 >A SMB server tells the client at startup what "security level" it is
6648 running. There are two options "share level" and "user level". Which
6649 of these two the client receives affects the way the client then tries
6650 to authenticate itself. It does not directly affect (to any great
6651 extent) the way the Samba server does security. I know this is
6652 strange, but it fits in with the client/server approach of SMB. In SMB
6653 everything is initiated and controlled by the client, and the server
6654 can only tell the client what is available and whether an action is
6657 >I'll describe user level security first, as its simpler. In user level
6658 security the client will send a "session setup" command directly after
6659 the protocol negotiation. This contains a username and password. The
6660 server can either accept or reject that username/password
6661 combination. Note that at this stage the server has no idea what
6662 share the client will eventually try to connect to, so it can't base
6663 the "accept/reject" on anything other than:</P
6670 >the username/password</P
6674 >the machine that the client is coming from</P
6678 >If the server accepts the username/password then the client expects to
6679 be able to mount any share (using a "tree connection") without
6680 specifying a password. It expects that all access rights will be as
6681 the username/password specified in the "session setup". </P
6683 >It is also possible for a client to send multiple "session setup"
6684 requests. When the server responds it gives the client a "uid" to use
6685 as an authentication tag for that username/password. The client can
6686 maintain multiple authentication contexts in this way (WinDD is an
6687 example of an application that does this)</P
6689 >Ok, now for share level security. In share level security the client
6690 authenticates itself separately for each share. It will send a
6691 password along with each "tree connection" (share mount). It does not
6692 explicitly send a username with this operation. The client is
6693 expecting a password to be associated with each share, independent of
6694 the user. This means that samba has to work out what username the
6695 client probably wants to use. It is never explicitly sent the
6696 username. Some commercial SMB servers such as NT actually associate
6697 passwords directly with shares in share level security, but samba
6698 always uses the unix authentication scheme where it is a
6699 username/password that is authenticated, not a "share/password".</P
6701 >Many clients send a "session setup" even if the server is in share
6702 level security. They normally send a valid username but no
6703 password. Samba records this username in a list of "possible
6704 usernames". When the client then does a "tree connection" it also adds
6705 to this list the name of the share they try to connect to (useful for
6706 home directories) and any users listed in the "user =" smb.conf
6707 line. The password is then checked in turn against these "possible
6708 usernames". If a match is found then the client is authenticated as
6711 >Finally "server level" security. In server level security the samba
6712 server reports to the client that it is in user level security. The
6713 client then does a "session setup" as described earlier. The samba
6714 server takes the username/password that the client sends and attempts
6715 to login to the "password server" by sending exactly the same
6716 username/password that it got from the client. If that server is in
6717 user level security and accepts the password then samba accepts the
6718 clients connection. This allows the samba server to use another SMB
6719 server as the "password server". </P
6721 >You should also note that at the very start of all this, where the
6722 server tells the client what security level it is in, it also tells
6723 the client if it supports encryption. If it does then it supplies the
6724 client with a random "cryptkey". The client will then send all
6725 passwords in encrypted form. You have to compile samba with encryption
6726 enabled to support this feature, and you have to maintain a separate
6727 smbpasswd file with SMB style encrypted passwords. It is
6728 cryptographically impossible to translate from unix style encryption
6729 to SMB style encryption, although there are some fairly simple management
6730 schemes by which the two could be kept in sync.</P
6737 NAME="DOMAIN-SECURITY"
6739 >Chapter 10. security = domain in Samba 2.x</H1
6747 >10.1. Joining an NT Domain with Samba 2.2</H2
6749 >Assume you have a Samba 2.x server with a NetBIOS name of
6753 > and are joining an NT domain called
6757 >, which has a PDC with a NetBIOS name
6761 > and two backup domain controllers
6762 with NetBIOS names <TT
6771 >In order to join the domain, first stop all Samba daemons
6772 and run the command:</P
6780 >smbpasswd -j DOM -r DOMPDC
6784 >Administrator%password</I
6790 >as we are joining the domain DOM and the PDC for that domain
6791 (the only machine that has write access to the domain SAM database)
6795 >Administrator%password</I
6798 the login name and password for an account which has the necessary
6799 privilege to add machines to the domain. If this is successful
6800 you will see the message:</P
6803 CLASS="COMPUTEROUTPUT"
6804 >smbpasswd: Joined domain DOM.</TT
6808 >in your terminal window. See the <A
6809 HREF="smbpasswd.8.html"
6812 > man page for more details.</P
6814 >There is existing development code to join a domain
6815 without having to create the machine trust account on the PDC
6816 beforehand. This code will hopefully be available soon
6817 in release branches as well.</P
6819 >This command goes through the machine account password
6820 change protocol, then writes the new (random) machine account
6821 password for this Samba server into a file in the same directory
6822 in which an smbpasswd file would be stored - normally :</P
6826 >/usr/local/samba/private</TT
6829 >In Samba 2.0.x, the filename looks like this:</P
6836 ><NT DOMAIN NAME></I
6850 > suffix stands for machine account
6851 password file. So in our example above, the file would be called:</P
6858 >In Samba 2.2, this file has been replaced with a TDB
6859 (Trivial Database) file named <TT
6865 >This file is created and owned by root and is not
6866 readable by any other user. It is the key to the domain-level
6867 security for your system, and should be treated as carefully
6868 as a shadow password file.</P
6870 >Now, before restarting the Samba daemons you must
6872 HREF="smb.conf.5.html"
6879 > file to tell Samba it should now use domain security.</P
6881 >Change (or add) your <A
6882 HREF="smb.conf.5.html#SECURITY"
6890 > line in the [global] section
6891 of your smb.conf to read:</P
6895 >security = domain</B
6899 HREF="smb.conf.5.html#WORKGROUP"
6907 > line in the [global] section to read: </P
6914 >as this is the name of the domain we are joining. </P
6916 >You must also have the parameter <A
6917 HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
6922 >encrypt passwords</I
6929 > in order for your users to authenticate to the NT PDC.</P
6931 >Finally, add (or modify) a <A
6932 HREF="smb.conf.5.html#PASSWORDSERVER"
6937 >password server =</I
6940 > line in the [global]
6941 section to read: </P
6945 >password server = DOMPDC DOMBDC1 DOMBDC2</B
6948 >These are the primary and backup domain controllers Samba
6949 will attempt to contact in order to authenticate users. Samba will
6950 try to contact each of these servers in order, so you may want to
6951 rearrange this list in order to spread out the authentication load
6952 among domain controllers.</P
6954 >Alternatively, if you want smbd to automatically determine
6955 the list of Domain controllers to use for authentication, you may
6956 set this line to be :</P
6960 >password server = *</B
6963 >This method, which was introduced in Samba 2.0.6,
6964 allows Samba to use exactly the same mechanism that NT does. This
6965 method either broadcasts or uses a WINS database in order to
6966 find domain controllers to authenticate against.</P
6968 >Finally, restart your Samba daemons and get ready for
6969 clients to begin using domain security!</P
6978 >10.2. Samba and Windows 2000 Domains</H2
6980 >Many people have asked regarding the state of Samba's ability to participate in
6981 a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows
6982 2000 domain operating in mixed or native mode.</P
6984 >There is much confusion between the circumstances that require a "mixed" mode
6985 Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode
6986 Win2k domain controller is only needed if Windows NT BDCs must exist in the same
6987 domain. By default, a Win2k DC in "native" mode will still support
6988 NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and
6989 NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.</P
6991 >The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
6992 for adding a Samba server to a Windows NT 4.0 domain. The only exception is that
6993 the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and
6994 Computers" MMC (Microsoft Management Console) plugin.</P
7003 >10.3. Why is this better than security = server?</H2
7005 >Currently, domain security in Samba doesn't free you from
7006 having to create local Unix users to represent the users attaching
7007 to your server. This means that if domain user <TT
7011 > attaches to your domain security Samba server, there needs
7012 to be a local Unix user fred to represent that user in the Unix
7013 filesystem. This is very similar to the older Samba security mode
7015 HREF="smb.conf.5.html#SECURITYEQUALSSERVER"
7017 >security = server</A
7019 where Samba would pass through the authentication request to a Windows
7020 NT server in the same way as a Windows 95 or Windows 98 server would.
7023 >Please refer to the <A
7028 > for information on a system to automatically
7029 assign UNIX uids and gids to Windows NT Domain users and groups.
7030 This code is available in development branches only at the moment,
7031 but will be moved to release branches soon.</P
7033 >The advantage to domain-level security is that the
7034 authentication in domain-level security is passed down the authenticated
7035 RPC channel in exactly the same way that an NT server would do it. This
7036 means Samba servers now participate in domain trust relationships in
7037 exactly the same way NT servers do (i.e., you can add Samba servers into
7038 a resource domain and have the authentication passed on from a resource
7039 domain PDC to an account domain PDC.</P
7041 >In addition, with <B
7043 >security = server</B
7045 daemon on a server has to keep a connection open to the
7046 authenticating server for as long as that daemon lasts. This can drain
7047 the connection resources on a Microsoft NT server and cause it to run
7048 out of available connections. With <B
7050 >security = domain</B
7052 however, the Samba daemons connect to the PDC/BDC only for as long
7053 as is necessary to authenticate the user, and then drop the connection,
7054 thus conserving PDC connection resources.</P
7056 >And finally, acting in the same manner as an NT server
7057 authenticating to a PDC means that as part of the authentication
7058 reply, the Samba server gets the user identification information such
7059 as the user SID, the list of NT groups the user belongs to, etc. All
7060 this information will allow Samba to be extended in the future into
7061 a mode the developers currently call appliance mode. In this mode,
7062 no local Unix users will be necessary, and Samba will generate Unix
7063 uids and gids from the information passed back from the PDC when a
7064 user is authenticated, making a Samba server truly plug and play
7065 in an NT domain environment. Watch for this code soon.</P
7073 > Much of the text of this document
7074 was first published in the Web magazine <A
7075 HREF="http://www.linuxworld.com"
7080 HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"
7093 >Chapter 11. Unified Logons between Windows NT and UNIX using Winbind</H1
7103 >Integration of UNIX and Microsoft Windows NT through
7104 a unified logon has been considered a "holy grail" in heterogeneous
7105 computing environments for a long time. We present
7112 >, a component of the Samba suite
7113 of programs as a solution to the unified logon problem. Winbind
7114 uses a UNIX implementation
7115 of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
7116 Service Switch to allow Windows NT domain users to appear and operate
7117 as UNIX users on a UNIX machine. This paper describes the winbind
7118 system, explaining the functionality it provides, how it is configured,
7119 and how it works internally.</P
7128 >11.2. Introduction</H2
7130 >It is well known that UNIX and Microsoft Windows NT have
7131 different models for representing user and group information and
7132 use different technologies for implementing them. This fact has
7133 made it difficult to integrate the two systems in a satisfactory
7136 >One common solution in use today has been to create
7137 identically named user accounts on both the UNIX and Windows systems
7138 and use the Samba suite of programs to provide file and print services
7139 between the two. This solution is far from perfect however, as
7140 adding and deleting users on both sets of machines becomes a chore
7141 and two sets of passwords are required both of which
7142 can lead to synchronization problems between the UNIX and Windows
7143 systems and confusion for users.</P
7145 >We divide the unified logon problem for UNIX machines into
7146 three smaller problems:</P
7152 >Obtaining Windows NT user and group information
7157 >Authenticating Windows NT users
7162 >Password changing for Windows NT users
7167 >Ideally, a prospective solution to the unified logon problem
7168 would satisfy all the above components without duplication of
7169 information on the UNIX machines and without creating additional
7170 tasks for the system administrator when maintaining users and
7171 groups on either system. The winbind system provides a simple
7172 and elegant solution to all three components of the unified logon
7182 >11.3. What Winbind Provides</H2
7184 >Winbind unifies UNIX and Windows NT account management by
7185 allowing a UNIX box to become a full member of a NT domain. Once
7186 this is done the UNIX box will see NT users and groups as if
7187 they were native UNIX users and groups, allowing the NT domain
7188 to be used in much the same manner that NIS+ is used within
7189 UNIX-only environments.</P
7191 >The end result is that whenever any
7192 program on the UNIX machine asks the operating system to lookup
7193 a user or group name, the query will be resolved by asking the
7194 NT domain controller for the specified domain to do the lookup.
7195 Because Winbind hooks into the operating system at a low level
7196 (via the NSS name resolution modules in the C library) this
7197 redirection to the NT domain controller is completely
7200 >Users on the UNIX machine can then use NT user and group
7201 names as they would use "native" UNIX names. They can chown files
7202 so that they are owned by NT domain users or even login to the
7203 UNIX machine and run a UNIX X-Window session as a domain user.</P
7205 >The only obvious indication that Winbind is being used is
7206 that user and group names take the form DOMAIN\user and
7207 DOMAIN\group. This is necessary as it allows Winbind to determine
7208 that redirection to a domain controller is wanted for a particular
7209 lookup and which trusted domain is being referenced.</P
7211 >Additionally, Winbind provides an authentication service
7212 that hooks into the Pluggable Authentication Modules (PAM) system
7213 to provide authentication via a NT domain to any PAM enabled
7214 applications. This capability solves the problem of synchronizing
7215 passwords between systems since all passwords are stored in a single
7216 location (on the domain controller).</P
7224 >11.3.1. Target Uses</H3
7226 >Winbind is targeted at organizations that have an
7227 existing NT based domain infrastructure into which they wish
7228 to put UNIX workstations or servers. Winbind will allow these
7229 organizations to deploy UNIX workstations without having to
7230 maintain a separate account infrastructure. This greatly
7231 simplifies the administrative overhead of deploying UNIX
7232 workstations into a NT based organization.</P
7234 >Another interesting way in which we expect Winbind to
7235 be used is as a central part of UNIX based appliances. Appliances
7236 that provide file and print services to Microsoft based networks
7237 will be able to use Winbind to provide seamless integration of
7238 the appliance into the domain.</P
7248 >11.4. How Winbind Works</H2
7250 >The winbind system is designed around a client/server
7251 architecture. A long running <B
7255 listens on a UNIX domain socket waiting for requests
7256 to arrive. These requests are generated by the NSS and PAM
7257 clients and processed sequentially.</P
7259 >The technologies used to implement winbind are described
7268 >11.4.1. Microsoft Remote Procedure Calls</H3
7270 >Over the last two years, efforts have been underway
7271 by various Samba Team members to decode various aspects of
7272 the Microsoft Remote Procedure Call (MSRPC) system. This
7273 system is used for most network related operations between
7274 Windows NT machines including remote management, user authentication
7275 and print spooling. Although initially this work was done
7276 to aid the implementation of Primary Domain Controller (PDC)
7277 functionality in Samba, it has also yielded a body of code which
7278 can be used for other purposes.</P
7280 >Winbind uses various MSRPC calls to enumerate domain users
7281 and groups and to obtain detailed information about individual
7282 users or groups. Other MSRPC calls can be used to authenticate
7283 NT domain users and to change user passwords. By directly querying
7284 a Windows PDC for user and group information, winbind maps the
7285 NT account information onto UNIX user and group names.</P
7294 >11.4.2. Name Service Switch</H3
7296 >The Name Service Switch, or NSS, is a feature that is
7297 present in many UNIX operating systems. It allows system
7298 information such as hostnames, mail aliases and user information
7299 to be resolved from different sources. For example, a standalone
7300 UNIX workstation may resolve system information from a series of
7301 flat files stored on the local filesystem. A networked workstation
7302 may first attempt to resolve system information from local files,
7303 and then consult a NIS database for user information or a DNS server
7304 for hostname information.</P
7306 >The NSS application programming interface allows winbind
7307 to present itself as a source of system information when
7308 resolving UNIX usernames and groups. Winbind uses this interface,
7309 and information obtained from a Windows NT server using MSRPC
7310 calls to provide a new source of account enumeration. Using standard
7311 UNIX library calls, one can enumerate the users and groups on
7312 a UNIX machine running winbind and see all users and groups in
7313 a NT domain plus any trusted domain as though they were local
7314 users and groups.</P
7316 >The primary control file for NSS is
7319 >/etc/nsswitch.conf</TT
7321 When a UNIX application makes a request to do a lookup
7322 the C library looks in <TT
7324 >/etc/nsswitch.conf</TT
7326 for a line which matches the service type being requested, for
7327 example the "passwd" service type is used when user or group names
7328 are looked up. This config line species which implementations
7329 of that service should be tried and in what order. If the passwd
7334 >passwd: files example</B
7337 >then the C library will first load a module called
7340 >/lib/libnss_files.so</TT
7344 >/lib/libnss_example.so</TT
7346 C library will dynamically load each of these modules in turn
7347 and call resolver functions within the modules to try to resolve
7348 the request. Once the request is resolved the C library returns the
7349 result to the application.</P
7351 >This NSS interface provides a very easy way for Winbind
7352 to hook into the operating system. All that needs to be done
7355 >libnss_winbind.so</TT
7360 then add "winbind" into <TT
7362 >/etc/nsswitch.conf</TT
7364 the appropriate place. The C library will then call Winbind to
7365 resolve user and group names.</P
7374 >11.4.3. Pluggable Authentication Modules</H3
7376 >Pluggable Authentication Modules, also known as PAM,
7377 is a system for abstracting authentication and authorization
7378 technologies. With a PAM module it is possible to specify different
7379 authentication methods for different system applications without
7380 having to recompile these applications. PAM is also useful
7381 for implementing a particular policy for authorization. For example,
7382 a system administrator may only allow console logins from users
7383 stored in the local password file but only allow users resolved from
7384 a NIS database to log in over the network.</P
7386 >Winbind uses the authentication management and password
7387 management PAM interface to integrate Windows NT users into a
7388 UNIX system. This allows Windows NT users to log in to a UNIX
7389 machine and be authenticated against a suitable Primary Domain
7390 Controller. These users can also change their passwords and have
7391 this change take effect directly on the Primary Domain Controller.
7394 >PAM is configured by providing control files in the directory
7398 > for each of the services that
7399 require authentication. When an authentication request is made
7400 by an application the PAM code in the C library looks up this
7401 control file to determine what modules to load to do the
7402 authentication check and in what order. This interface makes adding
7403 a new authentication service for Winbind very easy, all that needs
7404 to be done is that the <TT
7412 control files for relevant services are updated to allow
7413 authentication via winbind. See the PAM documentation
7414 for more details.</P
7423 >11.4.4. User and Group ID Allocation</H3
7425 >When a user or group is created under Windows NT
7426 is it allocated a numerical relative identifier (RID). This is
7427 slightly different to UNIX which has a range of numbers that are
7428 used to identify users, and the same range in which to identify
7429 groups. It is winbind's job to convert RIDs to UNIX id numbers and
7430 vice versa. When winbind is configured it is given part of the UNIX
7431 user id space and a part of the UNIX group id space in which to
7432 store Windows NT users and groups. If a Windows NT user is
7433 resolved for the first time, it is allocated the next UNIX id from
7434 the range. The same process applies for Windows NT groups. Over
7435 time, winbind will have mapped all Windows NT users and groups
7436 to UNIX user ids and group ids.</P
7438 >The results of this mapping are stored persistently in
7439 an ID mapping database held in a tdb database). This ensures that
7440 RIDs are mapped to UNIX IDs in a consistent way.</P
7449 >11.4.5. Result Caching</H3
7451 >An active system can generate a lot of user and group
7452 name lookups. To reduce the network cost of these lookups winbind
7453 uses a caching scheme based on the SAM sequence number supplied
7454 by NT domain controllers. User or group information returned
7455 by a PDC is cached by winbind along with a sequence number also
7456 returned by the PDC. This sequence number is incremented by
7457 Windows NT whenever any user or group information is modified. If
7458 a cached entry has expired, the sequence number is requested from
7459 the PDC and compared against the sequence number of the cached entry.
7460 If the sequence numbers do not match, then the cached information
7461 is discarded and up to date information is requested directly
7472 >11.5. Installation and Configuration</H2
7474 >Many thanks to John Trostel <A
7475 HREF="mailto:jtrostel@snapserver.com"
7477 >jtrostel@snapserver.com</A
7479 for providing the HOWTO for this section.</P
7481 >This HOWTO describes how to get winbind services up and running
7482 to control access and authenticate users on your Linux box using
7483 the winbind services which come with SAMBA 2.2.2.</P
7485 >There is also some Solaris specific information in
7488 >docs/textdocs/Solaris-Winbind-HOWTO.txt</TT
7490 Future revisions of this document will incorporate that
7499 >11.5.1. Introduction</H3
7501 >This HOWTO describes the procedures used to get winbind up and
7502 running on my RedHat 7.1 system. Winbind is capable of providing access
7503 and authentication control for Windows Domain users through an NT
7504 or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
7505 well for SAMBA services.</P
7507 >This HOWTO has been written from a 'RedHat-centric' perspective, so if
7508 you are using another distribution, you may have to modify the instructions
7509 somewhat to fit the way your distribution works.</P
7519 >Why should I to this?</I
7524 >This allows the SAMBA administrator to rely on the
7525 authentication mechanisms on the NT/Win2K PDC for the authentication
7526 of domain members. NT/Win2K users no longer need to have separate
7527 accounts on the SAMBA server.
7536 >Who should be reading this document?</I
7541 > This HOWTO is designed for system administrators. If you are
7542 implementing SAMBA on a file server and wish to (fairly easily)
7543 integrate existing NT/Win2K users from your PDC onto the
7544 SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
7545 expert, so you may find a better or easier way to accomplish
7558 >11.5.2. Requirements</H3
7560 >If you have a samba configuration file that you are currently
7567 > If your system already uses PAM,
7578 > If you haven't already made a boot disk,
7587 >Messing with the pam configuration files can make it nearly impossible
7588 to log in to yourmachine. That's why you want to be able to boot back
7589 into your machine in single user mode and restore your
7593 > back to the original state they were in if
7594 you get frustrated with the way things are going. ;-)</P
7596 >The latest version of SAMBA (version 2.2.2 as of this writing), now
7597 includes a functioning winbindd daemon. Please refer to the
7599 HREF="http://samba.org/"
7601 >main SAMBA web page</A
7603 better yet, your closest SAMBA mirror site for instructions on
7604 downloading the source code.</P
7606 >To allow Domain users the ability to access SAMBA shares and
7607 files, as well as potentially other services provided by your
7608 SAMBA machine, PAM (pluggable authentication modules) must
7609 be setup properly on your machine. In order to compile the
7610 winbind modules, you should have at least the pam libraries resident
7611 on your system. For recent RedHat systems (7.1, for instance), that
7615 >. For best results, it is helpful to also
7616 install the development packages in <TT
7618 >pam-devel-0.74-22</TT
7628 >11.5.3. Testing Things Out</H3
7630 >Before starting, it is probably best to kill off all the SAMBA
7631 related daemons running on your server. Kill off all <B
7641 > processes that may
7642 be running. To use PAM, you will want to make sure that you have the
7643 standard PAM package (for RedHat) which supplies the <TT
7647 directory structure, including the pam modules are used by pam-aware
7648 services, several pam libraries, and the <TT
7655 > entries for pam. Winbind built better
7656 in SAMBA if the pam-devel package was also installed. This package includes
7657 the header files needed to compile pam-aware applications. For instance,
7658 my RedHat system has both <TT
7664 >pam-devel-0.74-22</TT
7665 > RPMs installed.</P
7673 >11.5.3.1. Configure and compile SAMBA</H4
7675 >The configuration and compilation of SAMBA is pretty straightforward.
7676 The first three steps may not be necessary depending upon
7677 whether or not you have previously built the Samba binaries.</P
7680 CLASS="PROGRAMLISTING"
7707 >./configure --with-winbind</B
7725 >This will, by default, install SAMBA in <TT
7727 >/usr/local/samba</TT
7729 See the main SAMBA documentation if you want to install SAMBA somewhere else.
7730 It will also build the winbindd executable and libraries. </P
7739 >11.5.3.2. Configure <TT
7743 winbind libraries</H4
7745 >The libraries needed to run the <B
7749 through nsswitch need to be copied to their proper locations, so</P
7756 >cp ../samba/source/nsswitch/libnss_winbind.so /lib</B
7759 >I also found it necessary to make the following symbolic link:</P
7766 >ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</B
7769 >And, in the case of Sun solaris:</P
7776 >ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</B
7783 >ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</B
7790 >ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</B
7793 >Now, as root you need to edit <TT
7795 >/etc/nsswitch.conf</TT
7797 allow user and group entries to be visible from the <B
7803 >/etc/nsswitch.conf</TT
7805 this after editing:</P
7808 CLASS="PROGRAMLISTING"
7809 > passwd: files winbind
7811 group: files winbind</PRE
7815 The libraries needed by the winbind daemon will be automatically
7819 > cache the next time
7820 your system reboots, but it
7821 is faster (and you don't need to reboot) if you do it manually:</P
7828 >/sbin/ldconfig -v | grep winbind</B
7834 > available to winbindd
7835 and echos back a check to you.</P
7844 >11.5.3.3. Configure smb.conf</H4
7846 >Several parameters are needed in the smb.conf file to control
7854 > These are described in more detail in
7856 HREF="winbindd.8.html"
7863 > file was modified to
7864 include the following entries in the [global] section:</P
7867 CLASS="PROGRAMLISTING"
7870 # separate domain and username with '+', like DOMAIN+username
7872 HREF="winbindd.8.html#WINBINDSEPARATOR"
7874 >winbind separator</A
7876 # use uids from 10000 to 20000 for domain users
7878 HREF="winbindd.8.html#WINBINDUID"
7882 # use gids from 10000 to 20000 for domain groups
7884 HREF="winbindd.8.html#WINBINDGID"
7888 # allow enumeration of winbind users and groups
7890 HREF="winbindd.8.html#WINBINDENUMUSERS"
7892 >winbind enum users</A
7895 HREF="winbindd.8.html#WINBINDENUMGROUP"
7897 >winbind enum groups</A
7899 # give winbind users a real shell (only needed if they have telnet access)
7901 HREF="winbindd.8.html#TEMPLATEHOMEDIR"
7903 >template homedir</A
7904 > = /home/winnt/%D/%U
7906 HREF="winbindd.8.html#TEMPLATESHELL"
7919 >11.5.3.4. Join the SAMBA server to the PDC domain</H4
7921 >Enter the following command to make the SAMBA server join the
7922 PDC domain, where <TT
7928 your Windows domain and <TT
7934 a domain user who has administrative privileges in the domain.</P
7941 >/usr/local/samba/bin/net rpc join -s PDC -U Administrator</B
7944 >The proper response to the command should be: "Joined the domain
7956 is your DOMAIN name.</P
7965 >11.5.3.5. Start up the winbindd daemon and test it!</H4
7967 >Eventually, you will want to modify your smb startup script to
7968 automatically invoke the winbindd daemon when the other parts of
7969 SAMBA start, but it is possible to test out just the winbind
7970 portion first. To start up winbind services, enter the following
7978 >/usr/local/samba/bin/winbindd</B
7981 >I'm always paranoid and like to make sure the daemon
7982 is really running...</P
7989 >ps -ae | grep winbindd</B
7992 >This command should produce output like this, if the daemon is running</P
7994 >3025 ? 00:00:00 winbindd</P
7996 >Now... for the real test, try to get some information about the
7997 users on your PDC</P
8004 >/usr/local/samba/bin/wbinfo -u</B
8008 This should echo back a list of users on your Windows users on
8009 your PDC. For example, I get the following response:</P
8012 CLASS="PROGRAMLISTING"
8018 CEO+TsInternetUser</PRE
8021 >Obviously, I have named my domain 'CEO' and my <TT
8029 >You can do the same sort of thing to get group information from
8033 CLASS="PROGRAMLISTING"
8039 >/usr/local/samba/bin/wbinfo -g</B
8044 CEO+Domain Computers
8045 CEO+Domain Controllers
8048 CEO+Enterprise Admins
8049 CEO+Group Policy Creator Owners</PRE
8052 >The function 'getent' can now be used to get unified
8053 lists of both local and PDC users and groups.
8054 Try the following command:</P
8064 >You should get a list that looks like your <TT
8068 list followed by the domain users with their new uids, gids, home
8069 directories and default shells.</P
8071 >The same thing can be done for groups with the command</P
8088 >11.5.3.6. Fix the init.d startup scripts</H4
8096 >11.5.3.6.1. Linux</H5
8101 > daemon needs to start up after the
8108 > daemons are running.
8109 To accomplish this task, you need to modify the startup scripts of your system. They are located at <TT
8111 >/etc/init.d/smb</TT
8115 >/etc/init.d/samba</TT
8117 script to add commands to invoke this daemon in the proper sequence. My
8118 startup script starts up <B
8131 >/usr/local/samba/bin</TT
8132 > directory directly. The 'start'
8133 function in the script looks like this:</P
8136 CLASS="PROGRAMLISTING"
8139 echo -n $"Starting $KIND services: "
8140 daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
8144 echo -n $"Starting $KIND services: "
8145 daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
8149 echo -n $"Starting $KIND services: "
8150 daemon /usr/local/samba/bin/winbindd
8153 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
8159 >The 'stop' function has a corresponding entry to shut down the
8160 services and look s like this:</P
8163 CLASS="PROGRAMLISTING"
8166 echo -n $"Shutting down $KIND services: "
8171 echo -n $"Shutting down $KIND services: "
8176 echo -n $"Shutting down $KIND services: "
8179 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
8192 >11.5.3.6.2. Solaris</H5
8194 >On solaris, you need to modify the
8197 >/etc/init.d/samba.server</TT
8198 > startup script. It usually
8199 only starts smbd and nmbd but should now start winbindd too. If you
8200 have samba installed in <TT
8202 >/usr/local/samba/bin</TT
8204 the file could contains something like this:</P
8207 CLASS="PROGRAMLISTING"
8212 if [ ! -d /usr/bin ]
8213 then # /usr not mounted
8217 killproc() { # kill the named process(es)
8218 pid=`/usr/bin/ps -e |
8219 /usr/bin/grep -w $1 |
8220 /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
8221 [ "$pid" != "" ] && kill $pid
8224 # Start/stop processes required for samba server
8230 # Edit these lines to suit your installation (paths, workgroup, host)
8233 /usr/local/samba/bin/smbd -D -s \
8234 /usr/local/samba/smb.conf
8237 /usr/local/samba/bin/nmbd -D -l \
8238 /usr/local/samba/var/log -s /usr/local/samba/smb.conf
8240 echo Starting Winbind Daemon
8241 /usr/local/samba/bin/winbindd
8251 echo "Usage: /etc/init.d/samba.server { start | stop }"
8263 >11.5.3.6.3. Restarting</H5
8265 >If you restart the <B
8275 > daemons at this point, you
8276 should be able to connect to the samba server as a domain member just as
8277 if you were a local user.</P
8287 >11.5.3.7. Configure Winbind and PAM</H4
8289 >If you have made it this far, you know that winbindd and samba are working
8290 together. If you want to use winbind to provide authentication for other
8291 services, keep reading. The pam configuration files need to be altered in
8292 this step. (Did you remember to make backups of your original
8296 > files? If not, do it now.)</P
8298 >You will need a pam module to use winbindd with these other services. This
8299 module will be compiled in the <TT
8301 >../source/nsswitch</TT
8303 by invoking the command</P
8310 >make nsswitch/pam_winbind.so</B
8320 > file should be copied to the location of
8321 your other pam security modules. On my RedHat system, this was the
8325 > directory. On Solaris, the pam security
8326 modules reside in <TT
8328 >/usr/lib/security</TT
8336 >cp ../samba/source/nsswitch/pam_winbind.so /lib/security</B
8345 >11.5.3.7.1. Linux/FreeBSD-specific PAM configuration</H5
8349 >/etc/pam.d/samba</TT
8350 > file does not need to be changed. I
8351 just left this fileas it was:</P
8354 CLASS="PROGRAMLISTING"
8355 >auth required /lib/security/pam_stack.so service=system-auth
8356 account required /lib/security/pam_stack.so service=system-auth</PRE
8359 >The other services that I modified to allow the use of winbind
8360 as an authentication service were the normal login on the console (or a terminal
8361 session), telnet logins, and ftp service. In order to enable these
8362 services, you may first need to change the entries in
8368 >/etc/inetd.conf</TT
8370 RedHat 7.1 uses the new xinetd.d structure, in this case you need
8371 to change the lines in <TT
8373 >/etc/xinetd.d/telnet</TT
8377 >/etc/xinetd.d/wu-ftp</TT
8381 CLASS="PROGRAMLISTING"
8388 CLASS="PROGRAMLISTING"
8393 For ftp services to work properly, you will also need to either
8394 have individual directories for the domain users already present on
8395 the server, or change the home directory template to a general
8396 directory for all domain users. These can be easily set using
8403 >template homedir</B
8409 > file can be changed
8410 to allow winbind ftp access in a manner similar to the
8415 changed to look like this:</P
8418 CLASS="PROGRAMLISTING"
8419 >auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
8420 auth sufficient /lib/security/pam_winbind.so
8421 auth required /lib/security/pam_stack.so service=system-auth
8422 auth required /lib/security/pam_shells.so
8423 account sufficient /lib/security/pam_winbind.so
8424 account required /lib/security/pam_stack.so service=system-auth
8425 session required /lib/security/pam_stack.so service=system-auth</PRE
8430 >/etc/pam.d/login</TT
8431 > file can be changed nearly the
8432 same way. It now looks like this:</P
8435 CLASS="PROGRAMLISTING"
8436 >auth required /lib/security/pam_securetty.so
8437 auth sufficient /lib/security/pam_winbind.so
8438 auth sufficient /lib/security/pam_unix.so use_first_pass
8439 auth required /lib/security/pam_stack.so service=system-auth
8440 auth required /lib/security/pam_nologin.so
8441 account sufficient /lib/security/pam_winbind.so
8442 account required /lib/security/pam_stack.so service=system-auth
8443 password required /lib/security/pam_stack.so service=system-auth
8444 session required /lib/security/pam_stack.so service=system-auth
8445 session optional /lib/security/pam_console.so</PRE
8448 >In this case, I added the <B
8450 >auth sufficient /lib/security/pam_winbind.so</B
8452 lines as before, but also added the <B
8454 >required pam_securetty.so</B
8456 above it, to disallow root logins over the network. I also added a
8459 >sufficient /lib/security/pam_unix.so use_first_pass</B
8464 > line to get rid of annoying
8465 double prompts for passwords.</P
8474 >11.5.3.7.2. Solaris-specific configuration</H5
8476 >The /etc/pam.conf needs to be changed. I changed this file so that my Domain
8477 users can logon both locally as well as telnet.The following are the changes
8478 that I made.You can customize the pam.conf file as per your requirements,but
8479 be sure of those changes because in the worst case it will leave your system
8480 nearly impossible to boot.</P
8483 CLASS="PROGRAMLISTING"
8485 #ident "@(#)pam.conf 1.14 99/09/16 SMI"
8487 # Copyright (c) 1996-1999, Sun Microsystems, Inc.
8488 # All Rights Reserved.
8492 # Authentication management
8494 login auth required /usr/lib/security/pam_winbind.so
8495 login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
8496 login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
8498 rlogin auth sufficient /usr/lib/security/pam_winbind.so
8499 rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
8500 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
8502 dtlogin auth sufficient /usr/lib/security/pam_winbind.so
8503 dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
8505 rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
8506 other auth sufficient /usr/lib/security/pam_winbind.so
8507 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
8509 # Account management
8511 login account sufficient /usr/lib/security/pam_winbind.so
8512 login account requisite /usr/lib/security/$ISA/pam_roles.so.1
8513 login account required /usr/lib/security/$ISA/pam_unix.so.1
8515 dtlogin account sufficient /usr/lib/security/pam_winbind.so
8516 dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
8517 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
8519 other account sufficient /usr/lib/security/pam_winbind.so
8520 other account requisite /usr/lib/security/$ISA/pam_roles.so.1
8521 other account required /usr/lib/security/$ISA/pam_unix.so.1
8523 # Session management
8525 other session required /usr/lib/security/$ISA/pam_unix.so.1
8527 # Password management
8529 #other password sufficient /usr/lib/security/pam_winbind.so
8530 other password required /usr/lib/security/$ISA/pam_unix.so.1
8531 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
8533 # Support for Kerberos V5 authentication (uncomment to use Kerberos)
8535 #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
8536 #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
8537 #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
8538 #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
8539 #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
8540 #other account optional /usr/lib/security/$ISA/pam_krb5.so.1
8541 #other session optional /usr/lib/security/$ISA/pam_krb5.so.1
8542 #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass</PRE
8545 >I also added a try_first_pass line after the winbind.so line to get rid of
8546 annoying double prompts for passwords.</P
8548 >Now restart your Samba & try connecting through your application that you
8549 configured in the pam.conf.</P
8561 >11.6. Limitations</H2
8563 >Winbind has a number of limitations in its current
8564 released version that we hope to overcome in future
8571 >Winbind is currently only available for
8572 the Linux operating system, although ports to other operating
8573 systems are certainly possible. For such ports to be feasible,
8574 we require the C library of the target operating system to
8575 support the Name Service Switch and Pluggable Authentication
8576 Modules systems. This is becoming more common as NSS and
8577 PAM gain support among UNIX vendors.</P
8581 >The mappings of Windows NT RIDs to UNIX ids
8582 is not made algorithmically and depends on the order in which
8583 unmapped users or groups are seen by winbind. It may be difficult
8584 to recover the mappings of rid to UNIX id mapping if the file
8585 containing this information is corrupted or destroyed.</P
8589 >Currently the winbind PAM module does not take
8590 into account possible workstation and logon time restrictions
8591 that may be been set for Windows NT users.</P
8602 >11.7. Conclusion</H2
8604 >The winbind system, through the use of the Name Service
8605 Switch, Pluggable Authentication Modules, and appropriate
8606 Microsoft RPC calls have allowed us to provide seamless
8607 integration of Microsoft Windows NT domain users on a
8608 UNIX system. The result is a great reduction in the administrative
8609 cost of running a mixed UNIX and NT network.</P
8618 >Chapter 12. How to Configure Samba 2.2 as a Primary Domain Controller</H1
8626 >12.1. Prerequisite Reading</H2
8628 >Before you continue reading in this chapter, please make sure
8629 that you are comfortable with configuring basic files services
8630 in smb.conf and how to enable and administer password
8631 encryption in Samba. Theses two topics are covered in the
8633 HREF="smb.conf.5.html"
8641 HREF="ENCRYPTION.html"
8643 >Encryption chapter</A
8645 of this HOWTO Collection.</P
8654 >12.2. Background</H2
8669 SRC="/docbook-dsssl/note.gif"
8682 > This document is a combination
8683 of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ".
8684 Both documents are superseded by this one.</P
8690 >Versions of Samba prior to release 2.2 had marginal capabilities to act
8691 as a Windows NT 4.0 Primary Domain Controller
8693 (PDC). With Samba 2.2.0, we are proud to announce official support for
8694 Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows
8695 2000 clients. This article outlines the steps
8696 necessary for configuring Samba as a PDC. It is necessary to have a
8697 working Samba server prior to implementing the PDC functionality. If
8698 you have not followed the steps outlined in <A
8699 HREF="UNIX_INSTALL.html"
8701 > UNIX_INSTALL.html</A
8703 that your server is configured correctly before proceeding. Another
8704 good resource in the <A
8705 HREF="smb.conf.5.html"
8709 >. The following functionality should work in 2.2:</P
8715 > domain logons for Windows NT 4.0/2000 clients.
8720 > placing a Windows 9x client in user level security
8725 > retrieving a list of users and groups from a Samba PDC to
8726 Windows 9x/NT/2000 clients
8731 > roving (roaming) user profiles
8736 > Windows NT 4.0-style system policies
8741 >The following pieces of functionality are not included in the 2.2 release:</P
8747 > Windows NT 4 domain trusts
8752 > SAM replication with Windows NT 4.0 Domain Controllers
8753 (i.e. a Samba PDC and a Windows NT BDC or vice versa)
8758 > Adding users via the User Manager for Domains
8763 > Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
8769 >Please note that Windows 9x clients are not true members of a domain
8770 for reasons outlined in this article. Therefore the protocol for
8771 support Windows 9x-style domain logons is completely different
8772 from NT4 domain logons and has been officially supported for some
8775 >Implementing a Samba PDC can basically be divided into 2 broad
8783 > Configuring the Samba PDC
8788 > Creating machine trust accounts and joining clients
8794 >There are other minor details such as user profiles, system
8795 policies, etc... However, these are not necessarily specific
8796 to a Samba PDC as much as they are related to Windows NT networking
8797 concepts. They will be mentioned only briefly here.</P
8806 >12.3. Configuring the Samba Domain Controller</H2
8808 >The first step in creating a working Samba PDC is to
8809 understand the parameters necessary in smb.conf. I will not
8810 attempt to re-explain the parameters here as they are more that
8811 adequately covered in <A
8812 HREF="smb.conf.5.html"
8816 >. For convenience, the parameters have been
8817 linked with the actual smb.conf description.</P
8819 >Here is an example <TT
8822 > for acting as a PDC:</P
8825 CLASS="PROGRAMLISTING"
8827 ; Basic server settings
8829 HREF="smb.conf.5.html#NETBIOSNAME"
8839 HREF="smb.conf.5.html#WORKGROUP"
8849 ; we should act as the domain and local master browser
8851 HREF="smb.conf.5.html#OSLEVEL"
8856 HREF="smb.conf.5.html#PERFERREDMASTER"
8858 >preferred master</A
8861 HREF="smb.conf.5.html#DOMAINMASTER"
8866 HREF="smb.conf.5.html#LOCALMASTER"
8871 ; security settings (must user security = user)
8873 HREF="smb.conf.5.html#SECURITYEQUALSUSER"
8878 ; encrypted passwords are a requirement for a PDC
8880 HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
8882 >encrypt passwords</A
8885 ; support domain logons
8887 HREF="smb.conf.5.html#DOMAINLOGONS"
8892 ; where to store user profiles?
8894 HREF="smb.conf.5.html#LOGONPATH"
8897 > = \\%N\profiles\%u
8899 ; where is a user's home directory and where should it
8902 HREF="smb.conf.5.html#LOGONDRIVE"
8907 HREF="smb.conf.5.html#LOGONHOME"
8912 ; specify a generic logon script for all users
8913 ; this is a relative **DOS** path to the [netlogon] share
8915 HREF="smb.conf.5.html#LOGONSCRIPT"
8920 ; necessary share for domain controller
8923 HREF="smb.conf.5.html#PATH"
8926 > = /usr/local/samba/lib/netlogon
8928 HREF="smb.conf.5.html#READONLY"
8933 HREF="smb.conf.5.html#WRITELIST"
8943 ; share for storing user profiles
8946 HREF="smb.conf.5.html#PATH"
8949 > = /export/smb/ntprofile
8951 HREF="smb.conf.5.html#READONLY"
8956 HREF="smb.conf.5.html#CREATEMASK"
8961 HREF="smb.conf.5.html#DIRECTORYMASK"
8967 >There are a couple of points to emphasize in the above configuration.</P
8973 > Encrypted passwords must be enabled. For more details on how
8974 to do this, refer to <A
8975 HREF="ENCRYPTION.html"
8983 > The server must support domain logons and a
8992 > The server must be the domain master browser in order for Windows
8993 client to locate the server as a DC. Please refer to the various
8994 Network Browsing documentation included with this distribution for
9000 >As Samba 2.2 does not offer a complete implementation of group mapping
9001 between Windows NT groups and Unix groups (this is really quite
9002 complicated to explain in a short space), you should refer to the
9004 HREF="smb.conf.5.html#DOMAINADMINGROUP"
9008 > smb.conf parameter for information of creating "Domain
9009 Admins" style accounts.</P
9018 >12.4. Creating Machine Trust Accounts and Joining Clients to the
9021 >A machine trust account is a Samba account that is used to
9022 authenticate a client machine (rather than a user) to the Samba
9023 server. In Windows terminology, this is known as a "Computer
9026 >The password of a machine trust account acts as the shared secret for
9027 secure communication with the Domain Controller. This is a security
9028 feature to prevent an unauthorized machine with the same NetBIOS name
9029 from joining the domain and gaining access to domain user/group
9030 accounts. Windows NT and 2000 clients use machine trust accounts, but
9031 Windows 9x clients do not. Hence, a Windows 9x client is never a true
9032 member of a domain because it does not possess a machine trust
9033 account, and thus has no shared secret with the domain controller.</P
9035 >A Windows PDC stores each machine trust account in the Windows
9036 Registry. A Samba PDC, however, stores each machine trust account
9037 in two parts, as follows:
9044 >A Samba account, stored in the same location as user
9045 LanMan and NT password hashes (currently
9049 >). The Samba account
9050 possesses and uses only the NT password hash.</P
9054 >A corresponding Unix account, typically stored in
9058 >. (Future releases will alleviate the need to
9067 >There are two ways to create machine trust accounts:</P
9073 > Manual creation. Both the Samba and corresponding
9074 Unix account are created by hand.</P
9078 > "On-the-fly" creation. The Samba machine trust
9079 account is automatically created by Samba at the time the client
9080 is joined to the domain. (For security, this is the
9081 recommended method.) The corresponding Unix account may be
9082 created automatically or manually. </P
9092 >12.4.1. Manual Creation of Machine Trust Accounts</H3
9094 >The first step in manually creating a machine trust account is to
9095 manually create the corresponding Unix account in
9099 >. This can be done using
9103 > or other 'add user' command that is normally
9104 used to create new Unix accounts. The following is an example for a
9105 Linux based Samba server:</P
9112 >/usr/sbin/useradd -g 100 -d /dev/null -c <TT
9142 > entry will list the machine name
9143 with a "$" appended, won't have a password, will have a null shell and no
9144 home directory. For example a machine named 'doppy' would have an
9148 > entry like this:</P
9151 CLASS="PROGRAMLISTING"
9152 >doppy$:x:505:501:<TT
9155 >machine_nickname</I
9157 >:/dev/null:/bin/false</PRE
9163 >machine_nickname</I
9166 descriptive name for the client, i.e., BasementComputer.
9172 > absolutely must be the NetBIOS
9173 name of the client to be joined to the domain. The "$" must be
9174 appended to the NetBIOS name of the client or Samba will not recognize
9175 this as a machine trust account.</P
9177 >Now that the corresponding Unix account has been created, the next step is to create
9178 the Samba account for the client containing the well-known initial
9179 machine trust account password. This can be done using the <A
9180 HREF="smbpasswd.8.html"
9194 >smbpasswd -a -m <TT
9207 > is the machine's NetBIOS
9208 name. The RID of the new machine account is generated from the UID of
9209 the corresponding Unix account.</P
9224 SRC="/docbook-dsssl/warning.gif"
9231 >Join the client to the domain immediately</B
9241 > Manually creating a machine trust account using this method is the
9242 equivalent of creating a machine trust account on a Windows NT PDC using
9243 the "Server Manager". From the time at which the account is created
9244 to the time which the client joins the domain and changes the password,
9245 your domain is vulnerable to an intruder joining your domain using a
9246 a machine with the same NetBIOS name. A PDC inherently trusts
9247 members of the domain and will serve out a large degree of user
9248 information to such clients. You have been warned!
9262 >12.4.2. "On-the-Fly" Creation of Machine Trust Accounts</H3
9264 >The second (and recommended) way of creating machine trust accounts is
9265 simply to allow the Samba server to create them as needed when the client
9266 is joined to the domain. </P
9268 >Since each Samba machine trust account requires a corresponding
9269 Unix account, a method for automatically creating the
9270 Unix account is usually supplied; this requires configuration of the
9272 HREF="smb.conf.5.html#ADDUSERSCRIPT"
9280 method is not required, however; corresponding Unix accounts may also
9281 be created manually.</P
9283 >Below is an example for a RedHat 6.2 Linux system.</P
9286 CLASS="PROGRAMLISTING"
9288 # <...remainder of parameters...>
9289 add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
9299 >12.4.3. Joining the Client to the Domain</H3
9301 >The procedure for joining a client to the domain varies with the
9302 version of Windows.</P
9316 > When the user elects to join the client to a domain, Windows prompts for
9317 an account and password that is privileged to join the domain. A
9318 Samba administrative account (i.e., a Samba account that has root
9319 privileges on the Samba server) must be entered here; the
9320 operation will fail if an ordinary user account is given.
9321 The password for this account should be
9322 set to a different password than the associated
9326 > entry, for security
9329 >The session key of the Samba administrative account acts as an
9330 encryption key for setting the password of the machine trust
9331 account. The machine trust account will be created on-the-fly, or
9332 updated if it already exists.</P
9344 > If the machine trust account was created manually, on the
9345 Identification Changes menu enter the domain name, but do not
9346 check the box "Create a Computer Account in the Domain." In this case,
9347 the existing machine trust account is used to join the machine to
9350 > If the machine trust account is to be created
9351 on-the-fly, on the Identification Changes menu enter the domain
9352 name, and check the box "Create a Computer Account in the Domain." In
9353 this case, joining the domain proceeds as above for Windows 2000
9354 (i.e., you must supply a Samba administrative account when
9367 >12.5. Common Problems and Errors</H2
9379 >I cannot include a '$' in a machine name.</I
9384 > A 'machine name' in (typically) <TT
9388 of the machine name with a '$' appended. FreeBSD (and other BSD
9389 systems?) won't create a user with a '$' in their name.
9392 > The problem is only in the program used to make the entry, once
9393 made, it works perfectly. So create a user without the '$' and
9397 > to edit the entry, adding the '$'. Or create
9398 the whole entry with vipw if you like, make sure you use a
9408 >I get told "You already have a connection to the Domain...."
9409 or "Cannot join domain, the credentials supplied conflict with an
9410 existing set.." when creating a machine trust account.</I
9415 > This happens if you try to create a machine trust account from the
9416 machine itself and already have a connection (e.g. mapped drive)
9417 to a share (or IPC$) on the Samba PDC. The following command
9418 will remove all network drive connections:
9430 > Further, if the machine is a already a 'member of a workgroup' that
9431 is the same name as the domain you are joining (bad idea) you will
9432 get this message. Change the workgroup name to something else, it
9433 does not matter what, reboot, and try again.
9442 >The system can not log you on (C000019B)....</I
9447 >I joined the domain successfully but after upgrading
9448 to a newer version of the Samba code I get the message, "The system
9449 can not log you on (C000019B), Please try a gain or consult your
9450 system administrator" when attempting to logon.
9453 > This occurs when the domain SID stored in
9456 >private/WORKGROUP.SID</TT
9458 changed. For example, you remove the file and <B
9462 creates a new one. Or you are swapping back and forth between
9463 versions 2.0.7, TNG and the HEAD branch code (not recommended). The
9464 only way to correct the problem is to restore the original domain
9465 SID or remove the domain client from the domain and rejoin.
9474 >The machine trust account for this computer either does not
9475 exist or is not accessible.</I
9480 > When I try to join the domain I get the message "The machine account
9481 for this computer either does not exist or is not accessible". What's
9485 > This problem is caused by the PDC not having a suitable machine trust account.
9486 If you are using the <TT
9492 accounts then this would indicate that it has not worked. Ensure the domain
9493 admin user system is working.
9496 > Alternatively if you are creating account entries manually then they
9497 have not been created correctly. Make sure that you have the entry
9498 correct for the machine trust account in smbpasswd file on the Samba PDC.
9499 If you added the account using an editor rather than using the smbpasswd
9500 utility, make sure that the account name is the machine NetBIOS name
9501 with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
9502 in both /etc/passwd and the smbpasswd file. Some people have reported
9503 that inconsistent subnet masks between the Samba server and the NT
9504 client have caused this problem. Make sure that these are consistent
9505 for both client and server.
9514 >When I attempt to login to a Samba Domain from a NT4/W2K workstation,
9515 I get a message about my account being disabled.</I
9520 > This problem is caused by a PAM related bug in Samba 2.2.0. This bug is
9521 fixed in 2.2.1. Other symptoms could be unaccessible shares on
9522 NT/W2K member servers in the domain or the following error in your smbd.log:
9523 passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%
9526 > At first be ensure to enable the useraccounts with <B
9530 >, this is normally done, when you create an account.
9533 > In order to work around this problem in 2.2.0, configure the
9542 >/etc/pam.d/samba</TT
9547 CLASS="PROGRAMLISTING"
9548 > account required pam_permit.so
9552 > If you want to remain backward compatibility to samba 2.0.x use
9556 >, it's also possible to use
9560 >. There are some bugs if you try to
9564 >, if you need this, be ensure to use
9565 the most recent version of this file.
9577 >12.6. System Policies and Profiles</H2
9579 >Much of the information necessary to implement System Policies and
9580 Roving User Profiles in a Samba domain is the same as that for
9581 implementing these same items in a Windows NT 4.0 domain.
9582 You should read the white paper <A
9583 HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"
9586 Profiles and Policies in Windows NT 4.0</A
9587 > available from Microsoft.</P
9589 >Here are some additional details:</P
9599 >What about Windows NT Policy Editor?</I
9604 > To create or edit <TT
9608 the NT Server Policy Editor, <B
9612 is included with NT Server but <SPAN
9616 >not NT Workstation</I
9619 There is a Policy Editor on a NTws
9620 but it is not suitable for creating <SPAN
9627 Further, although the Windows 95
9628 Policy Editor can be installed on an NT Workstation/Server, it will not
9629 work with NT policies because the registry key that are set by the policy templates.
9630 However, the files from the NT Server will run happily enough on an NTws.
9633 >poledit.exe, common.adm</TT
9638 to put the two *.adm files in <TT
9642 the binary will look for them unless told otherwise. Note also that that
9643 directory is 'hidden'.
9646 > The Windows NT policy editor is also included with the Service Pack 3 (and
9647 later) for Windows NT 4.0. Extract the files using <B
9649 >servicepackname /x</B
9654 > for service pack 6a. The policy editor,
9658 > and the associated template files (*.adm) should
9659 be extracted as well. It is also possible to downloaded the policy template
9660 files for Office97 and get a copy of the policy editor. Another possible
9661 location is with the Zero Administration Kit available for download from Microsoft.
9670 >Can Win95 do Policies?</I
9675 > Install the group policy handler for Win9x to pick up group
9676 policies. Look on the Win98 CD in <TT
9678 >\tools\reskit\netadmin\poledit</TT
9680 Install group policies on a Win9x client by double-clicking
9684 >. Log off and on again a couple of
9685 times and see if Win98 picks up group policies. Unfortunately this needs
9686 to be done on every Win9x machine that uses group policies....
9689 > If group policies don't work one reports suggests getting the updated
9690 (read: working) grouppol.dll for Windows 9x. The group list is grabbed
9700 >How do I get 'User Manager' and 'Server Manager'</I
9705 > Since I don't need to buy an NT Server CD now, how do I get
9706 the 'User Manager for Domains', the 'Server Manager'?
9709 > Microsoft distributes a version of these tools called nexus for
9710 installation on Windows 95 systems. The tools set includes
9721 >User Manager for Domains</P
9729 > Click here to download the archived file <A
9730 HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
9732 >ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
9736 > The Windows NT 4.0 version of the 'User Manager for
9737 Domains' and 'Server Manager' are available from Microsoft via ftp
9739 HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
9741 >ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
9754 >12.7. What other help can I get?</H2
9756 >There are many sources of information available in the form
9757 of mailing lists, RFC's and documentation. The docs that come
9758 with the samba distribution contain very good explanations of
9759 general SMB topics such as browsing.</P
9769 >What are some diagnostics tools I can use to debug the domain logon
9770 process and where can I find them?</I
9775 > One of the best diagnostic tools for debugging problems is Samba itself.
9776 You can use the -d option for both smbd and nmbd to specify what
9777 'debug level' at which to run. See the man pages on smbd, nmbd and
9778 smb.conf for more information on debugging options. The debug
9779 level can range from 1 (the default) to 10 (100 for debugging passwords).
9782 > Another helpful method of debugging is to compile samba using the
9786 > flag. This will include debug
9787 information in the binaries and allow you to attach gdb to the
9788 running smbd / nmbd process. In order to attach gdb to an smbd
9789 process for an NT workstation, first get the workstation to make the
9790 connection. Pressing ctrl-alt-delete and going down to the domain box
9791 is sufficient (at least, on the first time you join the domain) to
9792 generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
9793 maintains an open connection, and therefore there will be an smbd
9794 process running (assuming that you haven't set a really short smbd
9795 idle timeout) So, in between pressing ctrl alt delete, and actually
9796 typing in your password, you can gdb attach and continue.
9799 > Some useful samba commands worth investigating:
9806 >testparam | more</P
9810 >smbclient -L //{netbios name of server}</P
9814 > An SMB enabled version of tcpdump is available from
9816 HREF="http://www.tcpdump.org/"
9818 >http://www.tcpdup.org/</A
9820 Ethereal, another good packet sniffer for Unix and Win32
9821 hosts, can be downloaded from <A
9822 HREF="http://www.ethereal.com/"
9824 >http://www.ethereal.com</A
9828 > For tracing things on the Microsoft Windows NT, Network Monitor
9829 (aka. netmon) is available on the Microsoft Developer Network CD's,
9830 the Windows NT Server install CD and the SMS CD's. The version of
9831 netmon that ships with SMS allows for dumping packets between any two
9832 computers (i.e. placing the network interface in promiscuous mode).
9833 The version on the NT Server install CD will only allow monitoring
9834 of network traffic directed to the local NT box and broadcasts on the
9835 local subnet. Be aware that Ethereal can read and write netmon
9845 >How do I install 'Network Monitor' on an NT Workstation
9846 or a Windows 9x box?</I
9851 > Installing netmon on an NT workstation requires a couple
9852 of steps. The following are for installing Netmon V4.00.349, which comes
9853 with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
9854 Workstation 4.0. The process should be similar for other version of
9855 Windows NT / Netmon. You will need both the Microsoft Windows
9856 NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
9859 > Initially you will need to install 'Network Monitor Tools and Agent'
9860 on the NT Server. To do this
9867 >Goto Start - Settings - Control Panel -
9868 Network - Services - Add </P
9872 >Select the 'Network Monitor Tools and Agent' and
9877 >Click 'OK' on the Network Control Panel.
9882 >Insert the Windows NT Server 4.0 install CD
9887 > At this point the Netmon files should exist in
9890 >%SYSTEMROOT%\System32\netmon\*.*</TT
9892 Two subdirectories exist as well, <TT
9896 which contains the necessary DLL's for parsing the netmon packet
9903 > In order to install the Netmon tools on an NT Workstation, you will
9904 first need to install the 'Network Monitor Agent' from the Workstation
9912 >Goto Start - Settings - Control Panel -
9913 Network - Services - Add</P
9917 >Select the 'Network Monitor Agent' and click
9922 >Click 'OK' on the Network Control Panel.
9927 >Insert the Windows NT Workstation 4.0 install
9928 CD when prompted.</P
9932 > Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
9933 to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
9934 permissions as you deem appropriate for your site. You will need
9935 administrative rights on the NT box to run netmon.
9938 > To install Netmon on a Windows 9x box install the network monitor agent
9939 from the Windows 9x CD (\admin\nettools\netmon). There is a readme
9940 file located with the netmon driver files on the CD if you need
9941 information on how to do this. Copy the files from a working
9942 Netmon installation.
9947 > The following is a list if helpful URLs and other links:
9954 >Home of Samba site <A
9955 HREF="http://samba.org"
9957 > http://samba.org</A
9958 >. We have a mirror near you !</P
9969 on the Samba mirrors might mention your problem. If so,
9970 it might mean that the developers are working on it.</P
9974 >See how Scott Merrill simulates a BDC behavior at
9976 HREF="http://www.skippy.net/linux/smb-howto.html"
9978 > http://www.skippy.net/linux/smb-howto.html</A
9983 >Although 2.0.7 has almost had its day as a PDC, David Bannon will
9984 keep the 2.0.7 PDC pages at <A
9985 HREF="http://bioserve.latrobe.edu.au/samba"
9987 > http://bioserve.latrobe.edu.au/samba</A
9988 > going for a while yet.</P
9992 >Misc links to CIFS information
9994 HREF="http://samba.org/cifs/"
9996 >http://samba.org/cifs/</A
10001 >NT Domains for Unix <A
10002 HREF="http://mailhost.cb1.com/~lkcl/ntdom/"
10004 > http://mailhost.cb1.com/~lkcl/ntdom/</A
10009 >FTP site for older SMB specs:
10011 HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/"
10013 > ftp://ftp.microsoft.com/developr/drg/CIFS/</A
10028 >How do I get help from the mailing lists?</I
10033 > There are a number of Samba related mailing lists. Go to <A
10034 HREF="http://samba.org"
10036 >http://samba.org</A
10037 >, click on your nearest mirror
10038 and then click on <B
10041 > and then click on <B
10043 > Samba related mailing lists</B
10047 > For questions relating to Samba TNG go to
10049 HREF="http://www.samba-tng.org/"
10051 >http://www.samba-tng.org/</A
10053 It has been requested that you don't post questions about Samba-TNG to the
10054 main stream Samba lists.</P
10056 > If you post a message to one of the lists please observe the following guide lines :
10063 > Always remember that the developers are volunteers, they are
10064 not paid and they never guarantee to produce a particular feature at
10065 a particular time. Any time lines are 'best guess' and nothing more.
10070 > Always mention what version of samba you are using and what
10071 operating system its running under. You should probably list the
10072 relevant sections of your smb.conf file, at least the options
10073 in [global] that affect PDC support.</P
10077 >In addition to the version, if you obtained Samba via
10078 CVS mention the date when you last checked it out.</P
10082 > Try and make your question clear and brief, lots of long,
10083 convoluted questions get deleted before they are completely read !
10084 Don't post html encoded messages (if you can select colour or font
10089 > If you run one of those nifty 'I'm on holidays' things when
10090 you are away, make sure its configured to not answer mailing lists.
10095 > Don't cross post. Work out which is the best list to post to
10096 and see what happens, i.e. don't post to both samba-ntdom and samba-technical.
10097 Many people active on the lists subscribe to more
10098 than one list and get annoyed to see the same message two or more times.
10099 Often someone will see a message and thinking it would be better dealt
10100 with on another, will forward it on for you.</P
10104 >You might include <SPAN
10111 log files written at a debug level set to as much as 20.
10112 Please don't send the entire log but enough to give the context of the
10117 >(Possibly) If you have a complete netmon trace ( from the opening of
10118 the pipe to the error ) you can send the *.CAP file as well.</P
10122 >Please think carefully before attaching a document to an email.
10123 Consider pasting the relevant parts into the body of the message. The samba
10124 mailing lists go to a huge number of people, do they all need a copy of your
10125 smb.conf in their attach directory?</P
10135 >How do I get off the mailing lists?</I
10140 >To have your name removed from a samba mailing list, go to the
10141 same place you went to to get on it. Go to <A
10142 HREF="http://lists.samba.org/"
10144 >http://lists.samba.org</A
10146 click on your nearest mirror and then click on <B
10152 > Samba related mailing lists</B
10155 HREF="http://lists.samba.org/mailman/roster/samba-ntdom"
10161 > Please don't post messages to the list asking to be removed, you will just
10162 be referred to the above address (unless that process failed in some way...)
10174 >12.8. Domain Control for Windows 9x/ME</H2
10189 SRC="/docbook-dsssl/note.gif"
10196 >The following section contains much of the original
10197 DOMAIN.txt file previously included with Samba. Much of
10198 the material is based on what went into the book <SPAN
10203 Edition, Using Samba</I
10205 >, by Richard Sharpe.</P
10211 >A domain and a workgroup are exactly the same thing in terms of network
10212 browsing. The difference is that a distributable authentication
10213 database is associated with a domain, for secure login access to a
10214 network. Also, different access rights can be granted to users if they
10215 successfully authenticate against a domain logon server (NT server and
10216 other systems based on NT server support this, as does at least Samba TNG now).</P
10218 >The SMB client logging on to a domain has an expectation that every other
10219 server in the domain should accept the same authentication information.
10220 Network browsing functionality of domains and workgroups is
10221 identical and is explained in BROWSING.txt. It should be noted, that browsing
10222 is totally orthogonal to logon support.</P
10224 >Issues related to the single-logon network model are discussed in this
10225 section. Samba supports domain logons, network logon scripts, and user
10226 profiles for MS Windows for workgroups and MS Windows 9X/ME clients
10227 which will be the focus of this section.</P
10229 >When an SMB client in a domain wishes to logon it broadcast requests for a
10230 logon server. The first one to reply gets the job, and validates its
10231 password using whatever mechanism the Samba administrator has installed.
10232 It is possible (but very stupid) to create a domain where the user
10233 database is not shared between servers, i.e. they are effectively workgroup
10234 servers advertising themselves as participating in a domain. This
10235 demonstrates how authentication is quite different from but closely
10236 involved with domains.</P
10238 >Using these features you can make your clients verify their logon via
10239 the Samba server; make clients run a batch file when they logon to
10240 the network and download their preferences, desktop and start menu.</P
10242 >Before launching into the configuration instructions, it is
10243 worthwhile lookingat how a Windows 9x/ME client performs a logon:</P
10250 > The client broadcasts (to the IP broadcast address of the subnet it is in)
10251 a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the
10252 NetBIOS layer. The client chooses the first response it receives, which
10253 contains the NetBIOS name of the logon server to use in the format of
10259 > The client then connects to that server, logs on (does an SMBsessetupX) and
10260 then connects to the IPC$ share (using an SMBtconX).
10265 > The client then does a NetWkstaUserLogon request, which retrieves the name
10266 of the user's logon script.
10271 > The client then connects to the NetLogon share and searches for this
10272 and if it is found and can be read, is retrieved and executed by the client.
10273 After this, the client disconnects from the NetLogon share.
10278 > The client then sends a NetUserGetInfo request to the server, to retrieve
10279 the user's home share, which is used to search for profiles. Since the
10280 response to the NetUserGetInfo request does not contain much more
10281 the user's home share, profiles for Win9X clients MUST reside in the user
10287 > The client then connects to the user's home share and searches for the
10288 user's profile. As it turns out, you can specify the user's home share as
10289 a sharename and path. For example, \\server\fred\.profile.
10290 If the profiles are found, they are implemented.
10295 > The client then disconnects from the user's home share, and reconnects to
10296 the NetLogon share and looks for CONFIG.POL, the policies file. If this is
10297 found, it is read and implemented.
10308 >12.8.1. Configuration Instructions: Network Logons</H3
10310 >The main difference between a PDC and a Windows 9x logon
10311 server configuration is that</P
10317 >Password encryption is not required for a Windows 9x logon server.</P
10321 >Windows 9x/ME clients do not possess machine trust accounts.</P
10325 >Therefore, a Samba PDC will also act as a Windows 9x logon
10341 SRC="/docbook-dsssl/warning.gif"
10348 >security mode and master browsers</B
10358 >There are a few comments to make in order to tie up some
10359 loose ends. There has been much debate over the issue of whether
10360 or not it is ok to configure Samba as a Domain Controller in security
10361 modes other than <TT
10364 >. The only security mode
10365 which will not work due to technical reasons is <TT
10376 mode security is really just a variation on SMB user level security.</P
10378 >Actually, this issue is also closely tied to the debate on whether
10379 or not Samba must be the domain master browser for its workgroup
10380 when operating as a DC. While it may technically be possible
10381 to configure a server as such (after all, browsing and domain logons
10382 are two distinctly different functions), it is not a good idea to
10383 so. You should remember that the DC must register the DOMAIN#1b NetBIOS
10384 name. This is the name used by Windows clients to locate the DC.
10385 Windows clients do not distinguish between the DC and the DMB.
10386 For this reason, it is very wise to configure the Samba DC as the DMB.</P
10388 >Now back to the issue of configuring a Samba DC to use a mode other
10389 than "security = user". If a Samba host is configured to use
10390 another SMB server or DC in order to validate user connection
10391 requests, then it is a fact that some other machine on the network
10392 (the "password server") knows more about user than the Samba host.
10393 99% of the time, this other host is a domain controller. Now
10394 in order to operate in domain mode security, the "workgroup" parameter
10395 must be set to the name of the Windows NT domain (which already
10396 has a domain controller, right?)</P
10398 >Therefore configuring a Samba box as a DC for a domain that
10399 already by definition has a PDC is asking for trouble.
10400 Therefore, you should always configure the Samba DC to be the DMB
10414 >12.8.2. Configuration Instructions: Setting up Roaming User Profiles</H3
10429 SRC="/docbook-dsssl/warning.gif"
10442 > Roaming profiles support is different
10443 for Win9X and WinNT.</P
10449 >Before discussing how to configure roaming profiles, it is useful to see how
10450 Win9X and WinNT clients implement these features.</P
10452 >Win9X clients send a NetUserGetInfo request to the server to get the user's
10453 profiles location. However, the response does not have room for a separate
10454 profiles location field, only the user's home share. This means that Win9X
10455 profiles are restricted to being in the user's home directory.</P
10457 >WinNT clients send a NetSAMLogon RPC request, which contains many fields,
10458 including a separate field for the location of the user's profiles.
10459 This means that support for profiles is different for Win9X and WinNT.</P
10467 >12.8.2.1. Windows NT Configuration</H4
10469 >To support WinNT clients, in the [global] section of smb.conf set the
10470 following (for example):</P
10473 CLASS="PROGRAMLISTING"
10474 >logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE
10477 >The default for this option is \\%N\%U\profile, namely
10478 \\sambaserver\username\profile. The \\N%\%U service is created
10479 automatically by the [homes] service.
10480 If you are using a samba server for the profiles, you _must_ make the
10481 share specified in the logon path browseable. </P
10496 SRC="/docbook-dsssl/note.gif"
10503 >[lkcl 26aug96 - we have discovered a problem where Windows clients can
10504 maintain a connection to the [homes] share in between logins. The
10505 [homes] share must NOT therefore be used in a profile path.]</P
10518 >12.8.2.2. Windows 9X Configuration</H4
10520 >To support Win9X clients, you must use the "logon home" parameter. Samba has
10521 now been fixed so that "net use/home" now works as well, and it, too, relies
10522 on the "logon home" parameter.</P
10524 >By using the logon home parameter, you are restricted to putting Win9X
10525 profiles in the user's home directory. But wait! There is a trick you
10526 can use. If you set the following in the [global] section of your
10530 CLASS="PROGRAMLISTING"
10531 >logon home = \\%L\%U\.profiles</PRE
10534 >then your Win9X clients will dutifully put their clients in a subdirectory
10535 of your home directory called .profiles (thus making them hidden).</P
10537 >Not only that, but 'net use/home' will also work, because of a feature in
10538 Win9X. It removes any directory stuff off the end of the home directory area
10539 and only uses the server and share portion. That is, it looks like you
10540 specified \\%L\%U for "logon home".</P
10549 >12.8.2.3. Win9X and WinNT Configuration</H4
10551 >You can support profiles for both Win9X and WinNT clients by setting both the
10552 "logon home" and "logon path" parameters. For example:</P
10555 CLASS="PROGRAMLISTING"
10556 >logon home = \\%L\%U\.profiles
10557 logon path = \\%L\profiles\%U</PRE
10573 SRC="/docbook-dsssl/note.gif"
10580 >I have not checked what 'net use /home' does on NT when "logon home" is
10594 >12.8.2.4. Windows 9X Profile Setup</H4
10596 >When a user first logs in on Windows 9X, the file user.DAT is created,
10597 as are folders "Start Menu", "Desktop", "Programs" and "Nethood".
10598 These directories and their contents will be merged with the local
10599 versions stored in c:\windows\profiles\username on subsequent logins,
10600 taking the most recent from each. You will need to use the [global]
10601 options "preserve case = yes", "short preserve case = yes" and
10602 "case sensitive = no" in order to maintain capital letters in shortcuts
10603 in any of the profile folders.</P
10605 >The user.DAT file contains all the user's preferences. If you wish to
10606 enforce a set of preferences, rename their user.DAT file to user.MAN,
10607 and deny them write access to this file.</P
10614 > On the Windows 95 machine, go to Control Panel | Passwords and
10615 select the User Profiles tab. Select the required level of
10616 roaming preferences. Press OK, but do _not_ allow the computer
10622 > On the Windows 95 machine, go to Control Panel | Network |
10623 Client for Microsoft Networks | Preferences. Select 'Log on to
10624 NT Domain'. Then, ensure that the Primary Logon is 'Client for
10625 Microsoft Networks'. Press OK, and this time allow the computer
10631 >Under Windows 95, Profiles are downloaded from the Primary Logon.
10632 If you have the Primary Logon as 'Client for Novell Networks', then
10633 the profiles and logon script will be downloaded from your Novell
10634 Server. If you have the Primary Logon as 'Windows Logon', then the
10635 profiles will be loaded from the local machine - a bit against the
10636 concept of roaming profiles, if you ask me.</P
10638 >You will now find that the Microsoft Networks Login box contains
10639 [user, password, domain] instead of just [user, password]. Type in
10640 the samba server's domain name (or any other domain known to exist,
10641 but bear in mind that the user will be authenticated against this
10642 domain and profiles downloaded from it, if that domain logon server
10643 supports it), user name and user's password.</P
10645 >Once the user has been successfully validated, the Windows 95 machine
10646 will inform you that 'The user has not logged on before' and asks you
10647 if you wish to save the user's preferences? Select 'yes'.</P
10649 >Once the Windows 95 client comes up with the desktop, you should be able
10650 to examine the contents of the directory specified in the "logon path"
10651 on the samba server and verify that the "Desktop", "Start Menu",
10652 "Programs" and "Nethood" folders have been created.</P
10654 >These folders will be cached locally on the client, and updated when
10655 the user logs off (if you haven't made them read-only by then :-).
10656 You will find that if the user creates further folders or short-cuts,
10657 that the client will merge the profile contents downloaded with the
10658 contents of the profile directory already on the local client, taking
10659 the newest folders and short-cuts from each set.</P
10661 >If you have made the folders / files read-only on the samba server,
10662 then you will get errors from the w95 machine on logon and logout, as
10663 it attempts to merge the local and the remote profile. Basically, if
10664 you have any errors reported by the w95 machine, check the Unix file
10665 permissions and ownership rights on the profile directory contents,
10666 on the samba server.</P
10668 >If you have problems creating user profiles, you can reset the user's
10669 local desktop cache, as shown below. When this user then next logs in,
10670 they will be told that they are logging in "for the first time".</P
10677 > instead of logging in under the [user, password, domain] dialog,
10683 > run the regedit.exe program, and look in:
10686 > HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList
10689 > you will find an entry, for each user, of ProfilePath. Note the
10690 contents of this key (likely to be c:\windows\profiles\username),
10691 then delete the key ProfilePath for the required user.
10694 > [Exit the registry editor].
10705 > - before deleting the contents of the
10706 directory listed in
10707 the ProfilePath (this is likely to be c:\windows\profiles\username),
10708 ask them if they have any important files stored on their desktop
10709 or in their start menu. delete the contents of the directory
10710 ProfilePath (making a backup if any of the files are needed).
10713 > This will have the effect of removing the local (read-only hidden
10714 system file) user.DAT in their profile directory, as well as the
10715 local "desktop", "nethood", "start menu" and "programs" folders.
10720 > search for the user's .PWL password-caching file in the c:\windows
10721 directory, and delete it.
10726 > log off the windows 95 client.
10731 > check the contents of the profile path (see "logon path" described
10732 above), and delete the user.DAT or user.MAN file for the user,
10733 making a backup if required.
10738 >If all else fails, increase samba's debug log levels to between 3 and 10,
10739 and / or run a packet trace program such as tcpdump or netmon.exe, and
10740 look for any error reports.</P
10742 >If you have access to an NT server, then first set up roaming profiles
10743 and / or netlogons on the NT server. Make a packet trace, or examine
10744 the example packet traces provided with NT server, and see what the
10745 differences are with the equivalent samba trace.</P
10754 >12.8.2.5. Windows NT Workstation 4.0</H4
10756 >When a user first logs in to a Windows NT Workstation, the profile
10757 NTuser.DAT is created. The profile location can be now specified
10758 through the "logon path" parameter. </P
10773 SRC="/docbook-dsssl/note.gif"
10780 >[lkcl 10aug97 - i tried setting the path to
10781 \\samba-server\homes\profile, and discovered that this fails because
10782 a background process maintains the connection to the [homes] share
10783 which does _not_ close down in between user logins. you have to
10784 have \\samba-server\%L\profile, where user is the username created
10785 from the [homes] share].</P
10791 >There is a parameter that is now available for use with NT Profiles:
10792 "logon drive". This should be set to "h:" or any other drive, and
10793 should be used in conjunction with the new "logon home" parameter.</P
10795 >The entry for the NT 4.0 profile is a _directory_ not a file. The NT
10796 help on profiles mentions that a directory is also created with a .PDS
10797 extension. The user, while logging in, must have write permission to
10798 create the full profile path (and the folder with the .PDS extension)
10799 [lkcl 10aug97 - i found that the creation of the .PDS directory failed,
10800 and had to create these manually for each user, with a shell script.
10801 also, i presume, but have not tested, that the full profile path must
10802 be browseable just as it is for w95, due to the manner in which they
10803 attempt to create the full profile path: test existence of each path
10804 component; create path component].</P
10806 >In the profile directory, NT creates more folders than 95. It creates
10807 "Application Data" and others, as well as "Desktop", "Nethood",
10808 "Start Menu" and "Programs". The profile itself is stored in a file
10809 NTuser.DAT. Nothing appears to be stored in the .PDS directory, and
10810 its purpose is currently unknown.</P
10812 >You can use the System Control Panel to copy a local profile onto
10813 a samba server (see NT Help on profiles: it is also capable of firing
10814 up the correct location in the System Control Panel for you). The
10815 NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN
10816 turns a profile into a mandatory one.</P
10831 SRC="/docbook-dsssl/note.gif"
10838 >[lkcl 10aug97 - i notice that NT Workstation tells me that it is
10839 downloading a profile from a slow link. whether this is actually the
10840 case, or whether there is some configuration issue, as yet unknown,
10841 that makes NT Workstation _think_ that the link is a slow one is a
10842 matter to be resolved].</P
10844 >[lkcl 20aug97 - after samba digest correspondence, one user found, and
10845 another confirmed, that profiles cannot be loaded from a samba server
10846 unless "security = user" and "encrypt passwords = yes" (see the file
10847 ENCRYPTION.txt) or "security = server" and "password server = ip.address.
10848 of.yourNTserver" are used. Either of these options will allow the NT
10849 workstation to access the samba server using LAN manager encrypted
10850 passwords, without the user intervention normally required by NT
10851 workstation for clear-text passwords].</P
10853 >[lkcl 25aug97 - more comments received about NT profiles: the case of
10854 the profile _matters_. the file _must_ be called NTuser.DAT or, for
10855 a mandatory profile, NTuser.MAN].</P
10868 >12.8.2.6. Windows NT Server</H4
10870 >There is nothing to stop you specifying any path that you like for the
10871 location of users' profiles. Therefore, you could specify that the
10872 profile be stored on a samba server, or any other SMB server, as long as
10873 that SMB server supports encrypted passwords.</P
10882 >12.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</H4
10897 SRC="/docbook-dsssl/warning.gif"
10904 >Potentially outdated or incorrect material follows</B
10914 >I think this is all bogus, but have not deleted it. (Richard Sharpe)</P
10920 >The default logon path is \\%N\%U. NT Workstation will attempt to create
10921 a directory "\\samba-server\username.PDS" if you specify the logon path
10922 as "\\samba-server\username" with the NT User Manager. Therefore, you
10923 will need to specify (for example) "\\samba-server\username\profile".
10924 NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which
10925 is more likely to succeed.</P
10927 >If you then want to share the same Start Menu / Desktop with W95, you will
10928 need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97
10929 this has its drawbacks: i created a shortcut to telnet.exe, which attempts
10930 to run from the c:\winnt\system32 directory. this directory is obviously
10931 unlikely to exist on a Win95-only host].</P
10933 > If you have this set up correctly, you will find separate user.DAT and
10934 NTuser.DAT files in the same profile directory.</P
10949 SRC="/docbook-dsssl/note.gif"
10956 >[lkcl 25aug97 - there are some issues to resolve with downloading of
10957 NT profiles, probably to do with time/date stamps. i have found that
10958 NTuser.DAT is never updated on the workstation after the first time that
10959 it is copied to the local workstation profile directory. this is in
10960 contrast to w95, where it _does_ transfer / update profiles correctly].</P
10975 >12.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</H2
10990 SRC="/docbook-dsssl/warning.gif"
10997 >Possibly Outdated Material</B
11007 > This appendix was originally authored by John H Terpstra of
11008 the Samba Team and is included here for posterity.
11022 The term "Domain Controller" and those related to it refer to one specific
11023 method of authentication that can underly an SMB domain. Domain Controllers
11024 prior to Windows NT Server 3.1 were sold by various companies and based on
11025 private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
11026 Microsoft-specific ways of distributing the user authentication database.
11027 See DOMAIN.txt for examples of how Samba can participate in or create
11028 SMB domains based on shared authentication database schemes other than the
11031 >Windows NT Server can be installed as either a plain file and print server
11032 (WORKGROUP workstation or server) or as a server that participates in Domain
11033 Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
11034 The same is true for OS/2 Warp Server, Digital Pathworks and other similar
11035 products, all of which can participate in Domain Control along with Windows NT.</P
11037 >To many people these terms can be confusing, so let's try to clear the air.</P
11039 >Every Windows NT system (workstation or server) has a registry database.
11040 The registry contains entries that describe the initialization information
11041 for all services (the equivalent of Unix Daemons) that run within the Windows
11042 NT environment. The registry also contains entries that tell application
11043 software where to find dynamically loadable libraries that they depend upon.
11044 In fact, the registry contains entries that describes everything that anything
11045 may need to know to interact with the rest of the system.</P
11047 >The registry files can be located on any Windows NT machine by opening a
11048 command prompt and typing:</P
11052 >C:\WINNT\></TT
11053 > dir %SystemRoot%\System32\config</P
11055 >The environment variable %SystemRoot% value can be obtained by typing:</P
11060 >echo %SystemRoot%</P
11062 >The active parts of the registry that you may want to be familiar with are
11063 the files called: default, system, software, sam and security.</P
11065 >In a domain environment, Microsoft Windows NT domain controllers participate
11066 in replication of the SAM and SECURITY files so that all controllers within
11067 the domain have an exactly identical copy of each.</P
11069 >The Microsoft Windows NT system is structured within a security model that
11070 says that all applications and services must authenticate themselves before
11071 they can obtain permission from the security manager to do what they set out
11074 >The Windows NT User database also resides within the registry. This part of
11075 the registry contains the user's security identifier, home directory, group
11076 memberships, desktop profile, and so on.</P
11078 >Every Windows NT system (workstation as well as server) will have its own
11079 registry. Windows NT Servers that participate in Domain Security control
11080 have a database that they share in common - thus they do NOT own an
11081 independent full registry database of their own, as do Workstations and
11084 >The User database is called the SAM (Security Access Manager) database and
11085 is used for all user authentication as well as for authentication of inter-
11086 process authentication (i.e. to ensure that the service action a user has
11087 requested is permitted within the limits of that user's privileges).</P
11089 >The Samba team have produced a utility that can dump the Windows NT SAM into
11090 smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
11091 /pub/samba/pwdump on your nearest Samba mirror for the utility. This
11092 facility is useful but cannot be easily used to implement SAM replication
11093 to Samba systems.</P
11095 >Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
11096 can participate in a Domain security system that is controlled by Windows NT
11097 servers that have been correctly configured. Almost every domain will have
11098 ONE Primary Domain Controller (PDC). It is desirable that each domain will
11099 have at least one Backup Domain Controller (BDC).</P
11101 >The PDC and BDCs then participate in replication of the SAM database so that
11102 each Domain Controlling participant will have an up to date SAM component
11103 within its registry.</P
11112 >Chapter 13. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</H1
11120 >13.1. Prerequisite Reading</H2
11122 >Before you continue reading in this chapter, please make sure
11123 that you are comfortable with configuring a Samba PDC
11124 as described in the <A
11125 HREF="Samba-PDC-HOWTO.html"
11127 >Samba-PDC-HOWTO</A
11137 >13.2. Background</H2
11139 >What is a Domain Controller? It is a machine that is able to answer
11140 logon requests from workstations in a Windows NT Domain. Whenever a
11141 user logs into a Windows NT Workstation, the workstation connects to a
11142 Domain Controller and asks him whether the username and password the
11143 user typed in is correct. The Domain Controller replies with a lot of
11144 information about the user, for example the place where the users
11145 profile is stored, the users full name of the user. All this
11146 information is stored in the NT user database, the so-called SAM.</P
11148 >There are two kinds of Domain Controller in a NT 4 compatible Domain:
11149 A Primary Domain Controller (PDC) and one or more Backup Domain
11150 Controllers (BDC). The PDC contains the master copy of the
11151 SAM. Whenever the SAM has to change, for example when a user changes
11152 his password, this change has to be done on the PDC. A Backup Domain
11153 Controller is a machine that maintains a read-only copy of the
11154 SAM. This way it is able to reply to logon requests and authenticate
11155 users in case the PDC is not available. During this time no changes to
11156 the SAM are possible. Whenever changes to the SAM are done on the PDC,
11157 all BDC receive the changes from the PDC.</P
11159 >Since version 2.2 Samba officially supports domain logons for all
11160 current Windows Clients, including Windows 2000 and XP. This text
11161 assumes the domain to be named SAMBA. To be able to act as a PDC, some
11162 parameters in the [global]-section of the smb.conf have to be set:</P
11165 CLASS="PROGRAMLISTING"
11167 domain master = yes
11168 domain logons = yes</PRE
11171 >Several other things like a [homes] and a [netlogon] share also may be
11172 set along with settings for the profile path, the users home drive and
11173 others. This will not be covered in this document.</P
11182 >13.3. What qualifies a Domain Controller on the network?</H2
11184 >Every machine that is a Domain Controller for the domain SAMBA has to
11185 register the NetBIOS group name SAMBA#1c with the WINS server and/or
11186 by broadcast on the local network. The PDC also registers the unique
11187 NetBIOS name SAMBA#1b with the WINS server. The name type #1b is
11188 normally reserved for the domain master browser, a role that has
11189 nothing to do with anything related to authentication, but the
11190 Microsoft Domain implementation requires the domain master browser to
11191 be on the same machine as the PDC.</P
11199 >13.3.1. How does a Workstation find its domain controller?</H3
11201 >A NT workstation in the domain SAMBA that wants a local user to be
11202 authenticated has to find the domain controller for SAMBA. It does
11203 this by doing a NetBIOS name query for the group name SAMBA#1c. It
11204 assumes that each of the machines it gets back from the queries is a
11205 domain controller and can answer logon requests. To not open security
11206 holes both the workstation and the selected (TODO: How is the DC
11207 chosen) domain controller authenticate each other. After that the
11208 workstation sends the user's credentials (his name and password) to
11209 the domain controller, asking for approval.</P
11218 >13.3.2. When is the PDC needed?</H3
11220 >Whenever a user wants to change his password, this has to be done on
11221 the PDC. To find the PDC, the workstation does a NetBIOS name query
11222 for SAMBA#1b, assuming this machine maintains the master copy of the
11223 SAM. The workstation contacts the PDC, both mutually authenticate and
11224 the password change is done.</P
11234 >13.4. Can Samba be a Backup Domain Controller?</H2
11236 >With version 2.2, no. The native NT SAM replication protocols have
11237 not yet been fully implemented. The Samba Team is working on
11238 understanding and implementing the protocols, but this work has not
11239 been finished for version 2.2.</P
11241 >Can I get the benefits of a BDC with Samba? Yes. The main reason for
11242 implementing a BDC is availability. If the PDC is a Samba machine,
11243 a second Samba machine can be set up to
11244 service logon requests whenever the PDC is down.</P
11253 >13.5. How do I set up a Samba BDC?</H2
11255 >Several things have to be done:</P
11261 >The domain SID has to be the same on the PDC and the BDC. This used to
11262 be stored in the file private/MACHINE.SID. This file is not created
11263 anymore since Samba 2.2.5 or even earlier. Nowadays the domain SID is
11264 stored in the file private/secrets.tdb. Simply copying the secrets.tdb
11265 from the PDC to the BDC does not work, as the BDC would
11266 generate a new SID for itself and override the domain SID with this
11269 >To retrieve the domain SID from the PDC or an existing BDC and store it in the
11270 secrets.tdb, execute 'net rpc getsid' on the BDC.</P
11274 >The Unix user database has to be synchronized from the PDC to the
11275 BDC. This means that both the /etc/passwd and /etc/group have to be
11276 replicated from the PDC to the BDC. This can be done manually
11277 whenever changes are made, or the PDC is set up as a NIS master
11278 server and the BDC as a NIS slave server. To set up the BDC as a
11279 mere NIS client would not be enough, as the BDC would not be able to
11280 access its user database in case of a PDC failure.</P
11284 >The Samba password database in the file private/smbpasswd has to be
11285 replicated from the PDC to the BDC. This is a bit tricky, see the
11290 >Any netlogon share has to be replicated from the PDC to the
11291 BDC. This can be done manually whenever login scripts are changed,
11292 or it can be done automatically together with the smbpasswd
11293 synchronization.</P
11297 >Finally, the BDC has to be found by the workstations. This can be done
11301 CLASS="PROGRAMLISTING"
11304 domain logons = yes</PRE
11307 >in the [global]-section of the smb.conf of the BDC. This makes the BDC
11308 only register the name SAMBA#1c with the WINS server. This is no
11309 problem as the name SAMBA#1c is a NetBIOS group name that is meant to
11310 be registered by more than one machine. The parameter 'domain master =
11311 no' forces the BDC not to register SAMBA#1b which as a unique NetBIOS
11312 name is reserved for the Primary Domain Controller.</P
11320 >13.5.1. How do I replicate the smbpasswd file?</H3
11322 >Replication of the smbpasswd file is sensitive. It has to be done
11323 whenever changes to the SAM are made. Every user's password change is
11324 done in the smbpasswd file and has to be replicated to the BDC. So
11325 replicating the smbpasswd file very often is necessary.</P
11327 >As the smbpasswd file contains plain text password equivalents, it
11328 must not be sent unencrypted over the wire. The best way to set up
11329 smbpasswd replication from the PDC to the BDC is to use the utility
11330 rsync. rsync can use ssh as a transport. ssh itself can be set up to
11331 accept *only* rsync transfer without requiring the user to type a
11340 NAME="SAMBA-LDAP-HOWTO"
11342 >Chapter 14. Storing Samba's User/Machine Account information in an LDAP Directory</H1
11352 >This document describes how to use an LDAP directory for storing Samba user
11353 account information traditionally stored in the smbpasswd(5) file. It is
11354 assumed that the reader already has a basic understanding of LDAP concepts
11355 and has a working directory server already installed. For more information
11356 on LDAP architectures and Directories, please refer to the following sites.</P
11363 HREF="http://www.openldap.org/"
11365 >http://www.openldap.org/</A
11370 >iPlanet Directory Server - <A
11371 HREF="http://iplanet.netscape.com/directory"
11373 >http://iplanet.netscape.com/directory</A
11379 HREF="http://www.ora.com/"
11381 >O'Reilly Publishing</A
11383 a guide to LDAP for System Administrators which has a planned release date of
11384 early summer, 2002.</P
11386 >Two additional Samba resources which may prove to be helpful are</P
11393 HREF="http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html"
11395 >Samba-PDC-LDAP-HOWTO</A
11397 maintained by Ignacio Coupeau.</P
11401 >The NT migration scripts from <A
11402 HREF="http://samba.idealx.org/"
11406 geared to manage users and group in such a Samba-LDAP Domain Controller configuration.
11418 >14.2. Introduction</H2
11420 >Traditionally, when configuring <A
11421 HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
11424 passwords = yes"</A
11428 > file, user account
11429 information such as username, LM/NT password hashes, password change times, and account
11430 flags have been stored in the <TT
11433 > file. There are several
11434 disadvantages to this approach for sites with very large numbers of users (counted
11435 in the thousands).</P
11441 >The first is that all lookups must be performed sequentially. Given that
11442 there are approximately two lookups per domain logon (one for a normal
11443 session connection such as when mapping a network drive or printer), this
11444 is a performance bottleneck for lareg sites. What is needed is an indexed approach
11445 such as is used in databases.</P
11449 >The second problem is that administrators who desired to replicate a
11450 smbpasswd file to more than one Samba server were left to use external
11458 and wrote custom, in-house scripts.</P
11462 >And finally, the amount of information which is stored in an
11463 smbpasswd entry leaves no room for additional attributes such as
11464 a home directory, password expiration time, or even a Relative
11465 Identified (RID).</P
11469 >As a result of these defeciencies, a more robust means of storing user attributes
11470 used by smbd was developed. The API which defines access to user accounts
11471 is commonly referred to as the samdb interface (previously this was called the passdb
11472 API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support
11473 for a samdb backend (e.g. <TT
11484 >) requires compile time support.</P
11486 >When compiling Samba to include the <TT
11492 option, smbd (and associated tools) will store and lookup user accounts in
11493 an LDAP directory. In reality, this is very easy to understand. If you are
11494 comfortable with using an smbpasswd file, simply replace "smbpasswd" with
11495 "LDAP directory" in all the documentation.</P
11497 >There are a few points to stress about what the <TT
11503 does not provide. The LDAP support referred to in the this documentation does not
11510 >A means of retrieving user account information from
11511 an Windows 2000 Active Directory server.</P
11515 >A means of replacing /etc/passwd.</P
11519 >The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
11520 versions of these libraries can be obtained from PADL Software
11522 HREF="http://www.padl.com/"
11524 >http://www.padl.com/</A
11526 the details of configuring these packages are beyond the scope of this document.</P
11535 >14.3. Supported LDAP Servers</H2
11537 >The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP
11538 2.0 server and client libraries. The same code should be able to work with
11539 Netscape's Directory Server and client SDK. However, due to lack of testing
11540 so far, there are bound to be compile errors and bugs. These should not be
11541 hard to fix. If you are so inclined, please be sure to forward all patches to
11543 HREF="samba-patches@samba.org"
11545 >samba-patches@samba.org</A
11548 HREF="jerry@samba.org"
11550 >jerry@samba.org</A
11560 >14.4. Schema and Relationship to the RFC 2307 posixAccount</H2
11562 >Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in
11565 >examples/LDAP/samba.schema</TT
11566 >. (Note that this schema
11567 file has been modified since the experimental support initially included
11568 in 2.2.2). The sambaAccount objectclass is given here:</P
11571 CLASS="PROGRAMLISTING"
11572 >objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
11573 DESC 'Samba Account'
11575 MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
11576 logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
11577 displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
11578 description $ userWorkstations $ primaryGroupID $ domain ))</PRE
11581 >The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are
11582 owned by the Samba Team and as such is legal to be openly published.
11583 If you translate the schema to be used with Netscape DS, please
11584 submit the modified schema file as a patch to <A
11585 HREF="jerry@samba.org"
11587 >jerry@samba.org</A
11590 >Just as the smbpasswd file is mean to store information which supplements a
11594 > entry, so is the sambaAccount object
11595 meant to supplement the UNIX user account information. A sambaAccount is a
11599 > objectclass so it can be stored individually
11600 in the directory. However, there are several fields (e.g. uid) which overlap
11601 with the posixAccount objectclass outlined in RFC2307. This is by design.</P
11603 >In order to store all user account information (UNIX and Samba) in the directory,
11604 it is necessary to use the sambaAccount and posixAccount objectclasses in
11605 combination. However, smbd will still obtain the user's UNIX account
11606 information via the standard C library calls (e.g. getpwnam(), et. al.).
11607 This means that the Samba server must also have the LDAP NSS library installed
11608 and functioning correctly. This division of information makes it possible to
11609 store all Samba account information in LDAP, but still maintain UNIX account
11610 information in NIS while the network is transitioning to a full LDAP infrastructure.</P
11619 >14.5. Configuring Samba with LDAP</H2
11627 >14.5.1. OpenLDAP configuration</H3
11629 >To include support for the sambaAccount object in an OpenLDAP directory
11630 server, first copy the samba.schema file to slapd's configuration directory.</P
11637 >cp samba.schema /etc/openldap/schema/</B
11640 >Next, include the <TT
11647 The sambaAccount object contains two attributes which depend upon other schema
11648 files. The 'uid' attribute is defined in <TT
11652 the 'displayName' attribute is defined in the <TT
11654 >inetorgperson.schema</TT
11656 file. Both of these must be included before the <TT
11662 CLASS="PROGRAMLISTING"
11663 >## /etc/openldap/slapd.conf
11665 ## schema files (core.schema is required by default)
11666 include /etc/openldap/schema/core.schema
11668 ## needed for sambaAccount
11669 include /etc/openldap/schema/cosine.schema
11670 include /etc/openldap/schema/inetorgperson.schema
11671 include /etc/openldap/schema/samba.schema
11673 ## uncomment this line if you want to support the RFC2307 (NIS) schema
11674 ## include /etc/openldap/schema/nis.schema
11679 >It is recommended that you maintain some indices on some of the most usefull attributes,
11680 like in the following example, to speed up searches made on sambaAccount objectclasses
11681 (and possibly posixAccount and posixGroup as well).</P
11684 CLASS="PROGRAMLISTING"
11685 ># Indices to maintain
11686 ## required by OpenLDAP 2.0
11687 index objectclass eq
11689 ## support pb_getsampwnam()
11691 ## support pdb_getsambapwrid()
11694 ## uncomment these if you are storing posixAccount and
11695 ## posixGroup entries in the directory as well
11696 ##index uidNumber eq
11697 ##index gidNumber eq
11699 ##index memberUid eq</PRE
11709 >14.5.2. Configuring Samba</H3
11711 >The following parameters are available in smb.conf only with <TT
11717 was included with compiling Samba.</P
11724 HREF="smb.conf.5.html#LDAPSSL"
11732 HREF="smb.conf.5.html#LDAPSERVER"
11740 HREF="smb.conf.5.html#LDAPADMINDN"
11748 HREF="smb.conf.5.html#LDAPSUFFIX"
11756 HREF="smb.conf.5.html#LDAPFILTER"
11764 HREF="smb.conf.5.html#LDAPPORT"
11771 >These are described in the <A
11772 HREF="smb.conf.5.html"
11776 page and so will not be repeated here. However, a sample smb.conf file for
11777 use with an LDAP directory could appear as</P
11780 CLASS="PROGRAMLISTING"
11781 >## /usr/local/samba/lib/smb.conf
11784 encrypt passwords = yes
11786 netbios name = TASHTEGO
11789 # ldap related parameters
11791 # define the DN to use when binding to the directory servers
11792 # The password for this DN is not stored in smb.conf. Rather it
11793 # must be set by using 'smbpasswd -w <TT
11794 CLASS="REPLACEABLE"
11799 # passphrase in the secrets.tdb file. If the "ldap admin dn" values
11800 # changes, this password will need to be reset.
11801 ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"
11803 # specify the LDAP server's hostname (defaults to locahost)
11804 ldap server = ahab.samba.org
11806 # Define the SSL option when connecting to the directory
11807 # ('off', 'start tls', or 'on' (default))
11808 ldap ssl = start tls
11810 # define the port to use in the LDAP session (defaults to 636 when
11814 # specify the base DN to use when searching the directory
11815 ldap suffix = "ou=people,dc=samba,dc=org"
11817 # generally the default ldap search filter is ok
11818 # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"</PRE
11829 >14.6. Accounts and Groups management</H2
11831 >As users accounts are managed thru the sambaAccount objectclass, you should
11832 modify you existing administration tools to deal with sambaAccount attributes.</P
11834 >Machines accounts are managed with the sambaAccount objectclass, just
11835 like users accounts. However, it's up to you to stored thoses accounts
11836 in a different tree of you LDAP namespace: you should use
11837 "ou=Groups,dc=plainjoe,dc=org" to store groups and
11838 "ou=People,dc=plainjoe,dc=org" to store users. Just configure your
11839 NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration
11842 >In Samba release 2.2.3, the group management system is based on posix
11843 groups. This meand that Samba make usage of the posixGroup objectclass.
11844 For now, there is no NT-like group system management (global and local
11854 >14.7. Security and sambaAccount</H2
11856 >There are two important points to remember when discussing the security
11857 of sambaAccount entries in the directory.</P
11869 > retrieve the lmPassword or
11870 ntPassword attribute values over an unencrypted LDAP session.</P
11880 > allow non-admin users to
11881 view the lmPassword or ntPassword attribute values.</P
11885 >These password hashes are clear text equivalents and can be used to impersonate
11886 the user without deriving the original clear text strings. For more information
11887 on the details of LM/NT password hashes, refer to the <A
11888 HREF="ENCRYPTION.html"
11890 >ENCRYPTION chapter</A
11891 > of the Samba-HOWTO-Collection.</P
11893 >To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults
11894 to require an encrypted session (<B
11898 the default port of 636
11899 when contacting the directory server. When using an OpenLDAP 2.0 server, it
11900 is possible to use the use the StartTLS LDAP extended operation in the place of
11901 LDAPS. In either case, you are strongly discouraged to disable this security
11907 >Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS
11908 extended operation. However, the OpenLDAP library still provides support for
11909 the older method of securing communication between clients and servers.</P
11911 >The second security precaution is to prevent non-administrative users from
11912 harvesting password hashes from the directory. This can be done using the
11913 following ACL in <TT
11919 CLASS="PROGRAMLISTING"
11920 >## allow the "ldap admin dn" access, but deny everyone else
11921 access to attrs=lmPassword,ntPassword
11922 by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write
11933 >14.8. LDAP specials attributes for sambaAccounts</H2
11935 >The sambaAccount objectclass is composed of the following attributes:</P
11944 >: the LANMAN password 16-byte hash stored as a character
11945 representation of a hexidecimal string.</P
11952 >: the NT password hash 16-byte stored as a character
11953 representation of a hexidecimal string.</P
11960 >: The integer time in seconds since 1970 when the
11967 > attributes were last set.
11975 >: string of 11 characters surrounded by square brackets []
11976 representing account flags such as U (user), W(workstation), X(no password expiration), and
11984 >: Integer value currently unused</P
11991 >: Integer value currently unused</P
11998 >: Integer value currently unused</P
12005 >: Integer value currently unused</P
12012 >: Integer value currently unused</P
12019 >: specifies the drive letter to which to map the
12020 UNC path specified by homeDirectory. The drive letter must be specified in the form "X:"
12021 where X is the letter of the drive to map. Refer to the "logon drive" parameter in the
12022 smb.conf(5) man page for more information.</P
12029 >: The scriptPath property specifies the path of
12030 the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path
12031 is relative to the netlogon share. Refer to the "logon script" parameter in the
12032 smb.conf(5) man page for more information.</P
12039 >: specifies a path to the user's profile.
12040 This value can be a null string, a local absolute path, or a UNC path. Refer to the
12041 "logon path" parameter in the smb.conf(5) man page for more information.</P
12048 >: The homeDirectory property specifies the path of
12049 the home directory for the user. The string can be null. If homeDrive is set and specifies
12050 a drive letter, homeDirectory should be a UNC path. The path must be a network
12051 UNC path of the form \\server\share\directory. This value can be a null string.
12052 Refer to the "logon home" parameter in the smb.conf(5) man page for more information.
12059 >userWorkstation</TT
12060 >: character string value currently unused.
12068 >: the integer representation of the user's relative identifier
12075 >primaryGroupID</TT
12076 >: the relative identifier (RID) of the primary group
12081 >The majority of these parameters are only used when Samba is acting as a PDC of
12082 a domain (refer to the <A
12083 HREF="Samba-PDC-HOWTO.html"
12085 >Samba-PDC-HOWTO</A
12087 how to configure Samba as a Primary Domain Controller). The following four attributes
12088 are only stored with the sambaAccount entry if the values are non-default values:</P
12110 >These attributes are only stored with the sambaAccount entry if
12111 the values are non-default values. For example, assume TASHTEGO has now been
12112 configured as a PDC and that <B
12114 >logon home = \\%L\%u</B
12119 > file. When a user named "becky" logons to the domain,
12125 > string is expanded to \\TASHTEGO\becky.
12126 If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org",
12127 this value is used. However, if this attribute does not exist, then the value
12133 > parameter is used in its place. Samba
12134 will only write the attribute value to the directory entry is the value is
12135 something other than the default (e.g. \\MOBY\becky).</P
12144 >14.9. Example LDIF Entries for a sambaAccount</H2
12146 >The following is a working LDIF with the inclusion of the posixAccount objectclass:</P
12149 CLASS="PROGRAMLISTING"
12150 >dn: uid=guest2, ou=people,dc=plainjoe,dc=org
12151 ntPassword: 878D8014606CDA29677A44EFA1353FC7
12152 pwdMustChange: 2147483647
12153 primaryGroupID: 1201
12154 lmPassword: 552902031BEDE9EFAAD3B435B51404EE
12155 pwdLastSet: 1010179124
12157 objectClass: sambaAccount
12159 kickoffTime: 2147483647
12161 logoffTime: 2147483647
12163 pwdCanChange: 0</PRE
12166 >The following is an LDIF entry for using both the sambaAccount and
12167 posixAccount objectclasses:</P
12170 CLASS="PROGRAMLISTING"
12171 >dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
12173 displayName: Gerald Carter
12174 lmPassword: 552902031BEDE9EFAAD3B435B51404EE
12175 primaryGroupID: 1201
12176 objectClass: posixAccount
12177 objectClass: sambaAccount
12179 userPassword: {crypt}BpM2ej8Rkzogo
12183 loginShell: /bin/bash
12184 logoffTime: 2147483647
12186 kickoffTime: 2147483647
12187 pwdLastSet: 1010179230
12189 homeDirectory: /home/tashtego/gcarter
12191 pwdMustChange: 2147483647
12192 ntPassword: 878D8014606CDA29677A44EFA1353FC7</PRE
12202 >14.10. Comments</H2
12204 >Please mail all comments regarding this HOWTO to <A
12205 HREF="mailto:jerry@samba.org"
12207 >jerry@samba.org</A
12208 >. This documents was
12209 last updated to reflect the Samba 2.2.3 release. </P
12218 >Chapter 15. Using samba 3.0 with ActiveDirectory support</H1
12220 >This is a VERY ROUGH guide to setting up the current (November 2001)
12221 pre-alpha version of Samba 3.0 with kerberos authentication against a
12222 Windows2000 KDC. The procedures listed here are likely to change as
12223 the code develops.</P
12225 >Pieces you need before you begin:
12233 >a Windows 2000 server.</TD
12237 >samba 3.0 or higher.</TD
12241 >the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD
12245 >the OpenLDAP development libraries.</TD
12259 >15.1. Installing the required packages for Debian</H2
12261 >On Debian you need to install the following packages:
12288 >15.2. Installing the required packages for RedHat</H2
12290 >On RedHat this means you should have at least:
12298 >krb5-workstation (for kinit)</TD
12302 >krb5-libs (for linking with)</TD
12306 >krb5-devel (because you are compiling from source)</TD
12314 >in addition to the standard development environment.</P
12316 >Note that these are not standard on a RedHat install, and you may need
12317 to get them off CD2.</P
12326 >15.3. Compile Samba</H2
12328 >If your kerberos libraries are in a non-standard location then
12329 remember to add the configure option --with-krb5=DIR.</P
12331 >After you run configure make sure that include/config.h contains
12332 lines like this:</P
12335 CLASS="PROGRAMLISTING"
12336 >#define HAVE_KRB5 1
12337 #define HAVE_LDAP 1</PRE
12340 >If it doesn't then configure did not find your krb5 libraries or
12341 your ldap libraries. Look in config.log to figure out why and fix
12344 >Then compile and install Samba as usual. You must use at least the
12345 following 3 options in smb.conf:</P
12348 CLASS="PROGRAMLISTING"
12349 > realm = YOUR.KERBEROS.REALM
12350 ads server = your.kerberos.server
12352 encrypt passwords = yes</PRE
12355 >Strictly speaking, you can omit the realm name and you can use an IP
12356 address for the ads server. In that case Samba will auto-detect these.</P
12358 >You do *not* need a smbpasswd file, although it won't do any harm
12359 and if you have one then Samba will be able to fall back to normal
12360 password security for older clients. I expect that the above
12361 required options will change soon when we get better active
12362 directory integration.</P
12371 >15.4. Setup your /etc/krb5.conf</H2
12373 >The minimal configuration for krb5.conf is:</P
12376 CLASS="PROGRAMLISTING"
12378 YOUR.KERBEROS.REALM = {
12379 kdc = your.kerberos.server
12383 >Test your config by doing a "kinit USERNAME@REALM" and making sure that
12384 your password is accepted by the Win2000 KDC. </P
12386 >NOTE: The realm must be uppercase. </P
12388 >You also must ensure that you can do a reverse DNS lookup on the IP
12389 address of your KDC. Also, the name that this reverse lookup maps to
12390 must either be the netbios name of the KDC (ie. the hostname with no
12391 domain attached) or it can alternatively be the netbios name
12392 followed by the realm. </P
12394 >The easiest way to ensure you get this right is to add a /etc/hosts
12395 entry mapping the IP address of your KDC to its netbios name. If you
12396 don't get this right then you will get a "local error" when you try
12397 to join the realm.</P
12399 >If all you want is kerberos support in smbclient then you can skip
12400 straight to step 5 now. Step 3 is only needed if you want kerberos
12401 support in smbd.</P
12410 >15.5. Create the computer account</H2
12412 >Do a "kinit" as a user that has authority to change arbitrary
12413 passwords on the KDC ("Administrator" is a good choice). Then as a
12414 user that has write permission on the Samba private directory
12415 (usually root) run:
12427 >15.5.1. Possible errors</H3
12432 CLASS="VARIABLELIST"
12435 >"bash: kinit: command not found"</DT
12438 >kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P
12441 >"ADS support not compiled in"</DT
12444 >Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P
12458 >15.6. Test your server setup</H2
12460 >On a Windows 2000 client try <B
12462 >net use * \\server\share</B
12464 be logged in with kerberos without needing to know a password. If
12465 this fails then run <B
12468 >. Did you get a ticket for the
12469 server? Does it have an encoding type of DES-CBC-MD5 ? </P
12478 >15.7. Testing with smbclient</H2
12480 >On your Samba server try to login to a Win2000 server or your Samba
12481 server using smbclient and kerberos. Use smbclient as usual, but
12482 specify the -k option to choose kerberos authentication.</P
12493 >You must change administrator password at least once after DC install,
12494 to create the right encoding types</P
12496 >w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
12497 their defaults DNS setup. Maybe fixed in service packs?</P
12504 NAME="IMPROVED-BROWSING"
12506 >Chapter 16. Improved browsing in samba</H1
12514 >16.1. Overview of browsing</H2
12516 >SMB networking provides a mechanism by which clients can access a list
12517 of machines in a network, a so-called "browse list". This list
12518 contains machines that are ready to offer file and/or print services
12519 to other machines within the network. Thus it does not include
12520 machines which aren't currently able to do server tasks. The browse
12521 list is heavily used by all SMB clients. Configuration of SMB
12522 browsing has been problematic for some Samba users, hence this
12525 >Browsing will NOT work if name resolution from NetBIOS names to IP
12526 addresses does not function correctly. Use of a WINS server is highly
12527 recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
12528 WINS allows remote segment clients to obtain NetBIOS name_type information
12529 that can NOT be provided by any other means of name resolution.</P
12538 >16.2. Browsing support in samba</H2
12540 >Samba now fully supports browsing. The browsing is supported by nmbd
12541 and is also controlled by options in the smb.conf file (see smb.conf(5)).</P
12543 >Samba can act as a local browse master for a workgroup and the ability
12544 for samba to support domain logons and scripts is now available. See
12545 DOMAIN.txt for more information on domain logons.</P
12547 >Samba can also act as a domain master browser for a workgroup. This
12548 means that it will collate lists from local browse masters into a
12549 wide area network server list. In order for browse clients to
12550 resolve the names they may find in this list, it is recommended that
12551 both samba and your clients use a WINS server.</P
12553 >Note that you should NOT set Samba to be the domain master for a
12554 workgroup that has the same name as an NT Domain: on each wide area
12555 network, you must only ever have one domain master browser per workgroup,
12556 regardless of whether it is NT, Samba or any other type of domain master
12557 that is providing this service.</P
12559 >[Note that nmbd can be configured as a WINS server, but it is not
12560 necessary to specifically use samba as your WINS server. NTAS can
12561 be configured as your WINS server. In a mixed NT server and
12562 samba environment on a Wide Area Network, it is recommended that
12563 you use the NT server's WINS server capabilities. In a samba-only
12564 environment, it is recommended that you use one and only one nmbd
12565 as your WINS server].</P
12567 >To get browsing to work you need to run nmbd as usual, but will need
12568 to use the "workgroup" option in smb.conf to control what workgroup
12569 Samba becomes a part of.</P
12571 >Samba also has a useful option for a Samba server to offer itself for
12572 browsing on another subnet. It is recommended that this option is only
12573 used for 'unusual' purposes: announcements over the internet, for
12574 example. See "remote announce" in the smb.conf man page. </P
12583 >16.3. Problem resolution</H2
12585 >If something doesn't work then hopefully the log.nmb file will help
12586 you track down the problem. Try a debug level of 2 or 3 for finding
12587 problems. Also note that the current browse list usually gets stored
12588 in text form in a file called browse.dat.</P
12590 >Note that if it doesn't work for you, then you should still be able to
12591 type the server name as \\SERVER in filemanager then hit enter and
12592 filemanager should display the list of available shares.</P
12594 >Some people find browsing fails because they don't have the global
12595 "guest account" set to a valid account. Remember that the IPC$
12596 connection that lists the shares is done as guest, and thus you must
12597 have a valid guest account.</P
12599 >Also, a lot of people are getting bitten by the problem of too many
12600 parameters on the command line of nmbd in inetd.conf. This trick is to
12601 not use spaces between the option and the parameter (eg: -d2 instead
12602 of -d 2), and to not use the -B and -N options. New versions of nmbd
12603 are now far more likely to correctly find your broadcast and network
12604 address, so in most cases these aren't needed.</P
12606 >The other big problem people have is that their broadcast address,
12607 netmask or IP address is wrong (specified with the "interfaces" option
12617 >16.4. Browsing across subnets</H2
12619 >With the release of Samba 1.9.17(alpha1 and above) Samba has been
12620 updated to enable it to support the replication of browse lists
12621 across subnet boundaries. New code and options have been added to
12622 achieve this. This section describes how to set this feature up
12623 in different settings.</P
12625 >To see browse lists that span TCP/IP subnets (ie. networks separated
12626 by routers that don't pass broadcast traffic) you must set up at least
12627 one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
12628 NetBIOS name to IP address translation to be done by doing a direct
12629 query of the WINS server. This is done via a directed UDP packet on
12630 port 137 to the WINS server machine. The reason for a WINS server is
12631 that by default, all NetBIOS name to IP address translation is done
12632 by broadcasts from the querying machine. This means that machines
12633 on one subnet will not be able to resolve the names of machines on
12634 another subnet without using a WINS server.</P
12636 >Remember, for browsing across subnets to work correctly, all machines,
12637 be they Windows 95, Windows NT, or Samba servers must have the IP address
12638 of a WINS server given to them by a DHCP server, or by manual configuration
12639 (for Win95 and WinNT, this is in the TCP/IP Properties, under Network
12640 settings) for Samba this is in the smb.conf file.</P
12648 >16.4.1. How does cross subnet browsing work ?</H3
12650 >Cross subnet browsing is a complicated dance, containing multiple
12651 moving parts. It has taken Microsoft several years to get the code
12652 that achieves this correct, and Samba lags behind in some areas.
12653 However, with the 1.9.17 release, Samba is capable of cross subnet
12654 browsing when configured correctly.</P
12656 >Consider a network set up as follows :</P
12659 CLASS="PROGRAMLISTING"
12661 N1_A N1_B N1_C N1_D N1_E
12663 -------------------------------------------------------
12666 |R1 | Router 1 Router 2 |R2 |
12669 | subnet 2 subnet 3 |
12670 -------------------------- ------------------------------------
12672 N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D
12676 >Consisting of 3 subnets (1, 2, 3) connected by two routers
12677 (R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines
12678 on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume
12679 for the moment that all these machines are configured to be in the
12680 same workgroup (for simplicities sake). Machine N1_C on subnet 1
12681 is configured as Domain Master Browser (ie. it will collate the
12682 browse lists for the workgroup). Machine N2_D is configured as
12683 WINS server and all the other machines are configured to register
12684 their NetBIOS names with it.</P
12686 >As all these machines are booted up, elections for master browsers
12687 will take place on each of the three subnets. Assume that machine
12688 N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on
12689 subnet 3 - these machines are known as local master browsers for
12690 their particular subnet. N1_C has an advantage in winning as the
12691 local master browser on subnet 1 as it is set up as Domain Master
12694 >On each of the three networks, machines that are configured to
12695 offer sharing services will broadcast that they are offering
12696 these services. The local master browser on each subnet will
12697 receive these broadcasts and keep a record of the fact that
12698 the machine is offering a service. This list of records is
12699 the basis of the browse list. For this case, assume that
12700 all the machines are configured to offer services so all machines
12701 will be on the browse list.</P
12703 >For each network, the local master browser on that network is
12704 considered 'authoritative' for all the names it receives via
12705 local broadcast. This is because a machine seen by the local
12706 master browser via a local broadcast must be on the same
12707 network as the local master browser and thus is a 'trusted'
12708 and 'verifiable' resource. Machines on other networks that
12709 the local master browsers learn about when collating their
12710 browse lists have not been directly seen - these records are
12711 called 'non-authoritative'.</P
12713 >At this point the browse lists look as follows (these are
12714 the machines you would see in your network neighborhood if
12715 you looked in it on a particular network right now).</P
12718 CLASS="PROGRAMLISTING"
12719 >Subnet Browse Master List
12720 ------ ------------- ----
12721 Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E
12723 Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
12725 Subnet3 N3_D N3_A, N3_B, N3_C, N3_D</PRE
12728 >Note that at this point all the subnets are separate, no
12729 machine is seen across any of the subnets.</P
12731 >Now examine subnet 2. As soon as N2_B has become the local
12732 master browser it looks for a Domain master browser to synchronize
12733 its browse list with. It does this by querying the WINS server
12734 (N2_D) for the IP address associated with the NetBIOS name
12735 WORKGROUP>1B<. This name was registerd by the Domain master
12736 browser (N1_C) with the WINS server as soon as it was booted.</P
12738 >Once N2_B knows the address of the Domain master browser it
12739 tells it that is the local master browser for subnet 2 by
12740 sending a MasterAnnouncement packet as a UDP port 138 packet.
12741 It then synchronizes with it by doing a NetServerEnum2 call. This
12742 tells the Domain Master Browser to send it all the server
12743 names it knows about. Once the domain master browser receives
12744 the MasterAnnouncement packet it schedules a synchronization
12745 request to the sender of that packet. After both synchronizations
12746 are done the browse lists look like :</P
12749 CLASS="PROGRAMLISTING"
12750 >Subnet Browse Master List
12751 ------ ------------- ----
12752 Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
12753 N2_A(*), N2_B(*), N2_C(*), N2_D(*)
12755 Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
12756 N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
12758 Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
12760 Servers with a (*) after them are non-authoritative names.</PRE
12763 >At this point users looking in their network neighborhood on
12764 subnets 1 or 2 will see all the servers on both, users on
12765 subnet 3 will still only see the servers on their own subnet.</P
12767 >The same sequence of events that occured for N2_B now occurs
12768 for the local master browser on subnet 3 (N3_D). When it
12769 synchronizes browse lists with the domain master browser (N1_A)
12770 it gets both the server entries on subnet 1, and those on
12771 subnet 2. After N3_D has synchronized with N1_C and vica-versa
12772 the browse lists look like.</P
12775 CLASS="PROGRAMLISTING"
12776 >Subnet Browse Master List
12777 ------ ------------- ----
12778 Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
12779 N2_A(*), N2_B(*), N2_C(*), N2_D(*),
12780 N3_A(*), N3_B(*), N3_C(*), N3_D(*)
12782 Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
12783 N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
12785 Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
12786 N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
12787 N2_A(*), N2_B(*), N2_C(*), N2_D(*)
12789 Servers with a (*) after them are non-authoritative names.</PRE
12792 >At this point users looking in their network neighborhood on
12793 subnets 1 or 3 will see all the servers on all sunbets, users on
12794 subnet 2 will still only see the servers on subnets 1 and 2, but not 3.</P
12796 >Finally, the local master browser for subnet 2 (N2_B) will sync again
12797 with the domain master browser (N1_C) and will recieve the missing
12798 server entries. Finally - and as a steady state (if no machines
12799 are removed or shut off) the browse lists will look like :</P
12802 CLASS="PROGRAMLISTING"
12803 >Subnet Browse Master List
12804 ------ ------------- ----
12805 Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
12806 N2_A(*), N2_B(*), N2_C(*), N2_D(*),
12807 N3_A(*), N3_B(*), N3_C(*), N3_D(*)
12809 Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
12810 N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
12811 N3_A(*), N3_B(*), N3_C(*), N3_D(*)
12813 Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
12814 N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
12815 N2_A(*), N2_B(*), N2_C(*), N2_D(*)
12817 Servers with a (*) after them are non-authoritative names.</PRE
12820 >Synchronizations between the domain master browser and local
12821 master browsers will continue to occur, but this should be a
12822 steady state situation.</P
12824 >If either router R1 or R2 fails the following will occur:</P
12831 > Names of computers on each side of the inaccessible network fragments
12832 will be maintained for as long as 36 minutes, in the network neighbourhood
12838 > Attempts to connect to these inaccessible computers will fail, but the
12839 names will not be removed from the network neighbourhood lists.
12844 > If one of the fragments is cut off from the WINS server, it will only
12845 be able to access servers on its local subnet, by using subnet-isolated
12846 broadcast NetBIOS name resolution. The effects are similar to that of
12847 losing access to a DNS server.
12860 >16.5. Setting up a WINS server</H2
12862 >Either a Samba machine or a Windows NT Server machine may be set up
12863 as a WINS server. To set a Samba machine to be a WINS server you must
12864 add the following option to the smb.conf file on the selected machine :
12865 in the [globals] section add the line </P
12869 > wins support = yes</B
12872 >Versions of Samba previous to 1.9.17 had this parameter default to
12873 yes. If you have any older versions of Samba on your network it is
12874 strongly suggested you upgrade to 1.9.17 or above, or at the very
12875 least set the parameter to 'no' on all these machines.</P
12879 >wins support = yes</B
12880 >" will keep a list of
12881 all NetBIOS names registered with them, acting as a DNS for NetBIOS names.</P
12883 >You should set up only ONE wins server. Do NOT set the
12886 >wins support = yes</B
12887 >" option on more than one Samba
12890 >To set up a Windows NT Server as a WINS server you need to set up
12891 the WINS service - see your NT documentation for details. Note that
12892 Windows NT WINS Servers can replicate to each other, allowing more
12893 than one to be set up in a complex subnet environment. As Microsoft
12894 refuse to document these replication protocols Samba cannot currently
12895 participate in these replications. It is possible in the future that
12896 a Samba->Samba WINS replication protocol may be defined, in which
12897 case more than one Samba machine could be set up as a WINS server
12898 but currently only one Samba server should have the "wins support = yes"
12901 >After the WINS server has been configured you must ensure that all
12902 machines participating on the network are configured with the address
12903 of this WINS server. If your WINS server is a Samba machine, fill in
12904 the Samba machine IP address in the "Primary WINS Server" field of
12905 the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs
12906 in Windows 95 or Windows NT. To tell a Samba server the IP address
12907 of the WINS server add the following line to the [global] section of
12908 all smb.conf files :</P
12912 > wins server = >name or IP address<</B
12915 >where >name or IP address< is either the DNS name of the WINS server
12916 machine or its IP address.</P
12918 >Note that this line MUST NOT BE SET in the smb.conf file of the Samba
12919 server acting as the WINS server itself. If you set both the
12922 >wins support = yes</B
12926 >wins server = >name<</B
12928 nmbd will fail to start.</P
12930 >There are two possible scenarios for setting up cross subnet browsing.
12931 The first details setting up cross subnet browsing on a network containing
12932 Windows 95, Samba and Windows NT machines that are not configured as
12933 part of a Windows NT Domain. The second details setting up cross subnet
12934 browsing on networks that contain NT Domains.</P
12943 >16.6. Setting up Browsing in a WORKGROUP</H2
12945 >To set up cross subnet browsing on a network containing machines
12946 in up to be in a WORKGROUP, not an NT Domain you need to set up one
12947 Samba server to be the Domain Master Browser (note that this is *NOT*
12948 the same as a Primary Domain Controller, although in an NT Domain the
12949 same machine plays both roles). The role of a Domain master browser is
12950 to collate the browse lists from local master browsers on all the
12951 subnets that have a machine participating in the workgroup. Without
12952 one machine configured as a domain master browser each subnet would
12953 be an isolated workgroup, unable to see any machines on any other
12954 subnet. It is the presense of a domain master browser that makes
12955 cross subnet browsing possible for a workgroup.</P
12957 >In an WORKGROUP environment the domain master browser must be a
12958 Samba server, and there must only be one domain master browser per
12959 workgroup name. To set up a Samba server as a domain master browser,
12960 set the following option in the [global] section of the smb.conf file :</P
12964 > domain master = yes</B
12967 >The domain master browser should also preferrably be the local master
12968 browser for its own subnet. In order to achieve this set the following
12969 options in the [global] section of the smb.conf file :</P
12972 CLASS="PROGRAMLISTING"
12973 > domain master = yes
12975 preferred master = yes
12979 >The domain master browser may be the same machine as the WINS
12980 server, if you require.</P
12982 >Next, you should ensure that each of the subnets contains a
12983 machine that can act as a local master browser for the
12984 workgroup. Any NT machine should be able to do this, as will
12985 Windows 95 machines (although these tend to get rebooted more
12986 often, so it's not such a good idea to use these). To make a
12987 Samba server a local master browser set the following
12988 options in the [global] section of the smb.conf file :</P
12991 CLASS="PROGRAMLISTING"
12992 > domain master = no
12994 preferred master = yes
12998 >Do not do this for more than one Samba server on each subnet,
12999 or they will war with each other over which is to be the local
13002 >The "local master" parameter allows Samba to act as a local master
13003 browser. The "preferred master" causes nmbd to force a browser
13004 election on startup and the "os level" parameter sets Samba high
13005 enough so that it should win any browser elections.</P
13007 >If you have an NT machine on the subnet that you wish to
13008 be the local master browser then you can disable Samba from
13009 becoming a local master browser by setting the following
13010 options in the [global] section of the smb.conf file :</P
13013 CLASS="PROGRAMLISTING"
13014 > domain master = no
13016 preferred master = no
13027 >16.7. Setting up Browsing in a DOMAIN</H2
13029 >If you are adding Samba servers to a Windows NT Domain then
13030 you must not set up a Samba server as a domain master browser.
13031 By default, a Windows NT Primary Domain Controller for a Domain
13032 name is also the Domain master browser for that name, and many
13033 things will break if a Samba server registers the Domain master
13034 browser NetBIOS name (DOMAIN>1B<) with WINS instead of the PDC.</P
13036 >For subnets other than the one containing the Windows NT PDC
13037 you may set up Samba servers as local master browsers as
13038 described. To make a Samba server a local master browser set
13039 the following options in the [global] section of the smb.conf
13043 CLASS="PROGRAMLISTING"
13044 > domain master = no
13046 preferred master = yes
13050 >If you wish to have a Samba server fight the election with machines
13051 on the same subnet you may set the "os level" parameter to lower
13052 levels. By doing this you can tune the order of machines that
13053 will become local master browsers if they are running. For
13054 more details on this see the section "FORCING SAMBA TO BE THE MASTER"
13057 >If you have Windows NT machines that are members of the domain
13058 on all subnets, and you are sure they will always be running then
13059 you can disable Samba from taking part in browser elections and
13060 ever becoming a local master browser by setting following options
13061 in the [global] section of the smb.conf file :</P
13065 > domain master = no
13067 preferred master = no
13078 >16.8. Forcing samba to be the master</H2
13080 >Who becomes the "master browser" is determined by an election process
13081 using broadcasts. Each election packet contains a number of parameters
13082 which determine what precedence (bias) a host should have in the
13083 election. By default Samba uses a very low precedence and thus loses
13084 elections to just about anyone else.</P
13086 >If you want Samba to win elections then just set the "os level" global
13087 option in smb.conf to a higher number. It defaults to 0. Using 34
13088 would make it win all elections over every other system (except other
13091 >A "os level" of 2 would make it beat WfWg and Win95, but not NTAS. A
13092 NTAS domain controller uses level 32.</P
13094 >The maximum os level is 255</P
13096 >If you want samba to force an election on startup, then set the
13097 "preferred master" global option in smb.conf to "yes". Samba will
13098 then have a slight advantage over other potential master browsers
13099 that are not preferred master browsers. Use this parameter with
13100 care, as if you have two hosts (whether they are windows 95 or NT or
13101 samba) on the same local subnet both set with "preferred master" to
13102 "yes", then periodically and continually they will force an election
13103 in order to become the local master browser.</P
13105 >If you want samba to be a "domain master browser", then it is
13106 recommended that you also set "preferred master" to "yes", because
13107 samba will not become a domain master browser for the whole of your
13108 LAN or WAN if it is not also a local master browser on its own
13109 broadcast isolated subnet.</P
13111 >It is possible to configure two samba servers to attempt to become
13112 the domain master browser for a domain. The first server that comes
13113 up will be the domain master browser. All other samba servers will
13114 attempt to become the domain master browser every 5 minutes. They
13115 will find that another samba server is already the domain master
13116 browser and will fail. This provides automatic redundancy, should
13117 the current domain master browser fail.</P
13126 >16.9. Making samba the domain master</H2
13128 >The domain master is responsible for collating the browse lists of
13129 multiple subnets so that browsing can occur between subnets. You can
13130 make samba act as the domain master by setting "domain master = yes"
13131 in smb.conf. By default it will not be a domain master.</P
13133 >Note that you should NOT set Samba to be the domain master for a
13134 workgroup that has the same name as an NT Domain.</P
13136 >When samba is the domain master and the master browser it will listen
13137 for master announcements (made roughly every twelve minutes) from local
13138 master browsers on other subnets and then contact them to synchronise
13141 >If you want samba to be the domain master then I suggest you also set
13142 the "os level" high enough to make sure it wins elections, and set
13143 "preferred master" to "yes", to get samba to force an election on
13146 >Note that all your servers (including samba) and clients should be
13147 using a WINS server to resolve NetBIOS names. If your clients are only
13148 using broadcasting to resolve NetBIOS names, then two things will occur:</P
13155 > your local master browsers will be unable to find a domain master
13156 browser, as it will only be looking on the local subnet.
13161 > if a client happens to get hold of a domain-wide browse list, and
13162 a user attempts to access a host in that list, it will be unable to
13163 resolve the NetBIOS name of that host.
13168 >If, however, both samba and your clients are using a WINS server, then:</P
13175 > your local master browsers will contact the WINS server and, as long as
13176 samba has registered that it is a domain master browser with the WINS
13177 server, your local master browser will receive samba's ip address
13178 as its domain master browser.
13183 > when a client receives a domain-wide browse list, and a user attempts
13184 to access a host in that list, it will contact the WINS server to
13185 resolve the NetBIOS name of that host. as long as that host has
13186 registered its NetBIOS name with the same WINS server, the user will
13187 be able to see that host.
13199 >16.10. Note about broadcast addresses</H2
13201 >If your network uses a "0" based broadcast address (for example if it
13202 ends in a 0) then you will strike problems. Windows for Workgroups
13203 does not seem to support a 0's broadcast and you will probably find
13204 that browsing and name lookups won't work.</P
13213 >16.11. Multiple interfaces</H2
13215 >Samba now supports machines with multiple network interfaces. If you
13216 have multiple interfaces then you will need to use the "interfaces"
13217 option in smb.conf to configure them. See smb.conf(5) for details.</P
13226 >Chapter 17. Samba performance issues</H1
13234 >17.1. Comparisons</H2
13236 >The Samba server uses TCP to talk to the client. Thus if you are
13237 trying to see if it performs well you should really compare it to
13238 programs that use the same protocol. The most readily available
13239 programs for file transfer that use TCP are ftp or another TCP based
13242 >If you want to test against something like a NT or WfWg server then
13243 you will have to disable all but TCP on either the client or
13244 server. Otherwise you may well be using a totally different protocol
13245 (such as Netbeui) and comparisons may not be valid.</P
13247 >Generally you should find that Samba performs similarly to ftp at raw
13248 transfer speed. It should perform quite a bit faster than NFS,
13249 although this very much depends on your system.</P
13251 >Several people have done comparisons between Samba and Novell, NFS or
13252 WinNT. In some cases Samba performed the best, in others the worst. I
13253 suspect the biggest factor is not Samba vs some other system but the
13254 hardware and drivers used on the various systems. Given similar
13255 hardware Samba should certainly be competitive in speed with other
13273 >17.2.1. Overview</H3
13275 >Oplocks are the way that SMB clients get permission from a server to
13276 locally cache file operations. If a server grants an oplock
13277 (opportunistic lock) then the client is free to assume that it is the
13278 only one accessing the file and it will agressively cache file
13279 data. With some oplock types the client may even cache file open/close
13280 operations. This can give enormous performance benefits.</P
13282 >With the release of Samba 1.9.18 we now correctly support opportunistic
13283 locks. This is turned on by default, and can be turned off on a share-
13284 by-share basis by setting the parameter :</P
13288 >oplocks = False</B
13291 >We recommend that you leave oplocks on however, as current benchmark
13292 tests with NetBench seem to give approximately a 30% improvement in
13293 speed with them on. This is on average however, and the actual
13294 improvement seen can be orders of magnitude greater, depending on
13295 what the client redirector is doing.</P
13297 >Previous to Samba 1.9.18 there was a 'fake oplocks' option. This
13298 option has been left in the code for backwards compatibility reasons
13299 but it's use is now deprecated. A short summary of what the old
13300 code did follows.</P
13309 >17.2.2. Level2 Oplocks</H3
13311 >With Samba 2.0.5 a new capability - level2 (read only) oplocks is
13312 supported (although the option is off by default - see the smb.conf
13313 man page for details). Turning on level2 oplocks (on a share-by-share basis)
13314 by setting the parameter :</P
13318 >level2 oplocks = true</B
13321 >should speed concurrent access to files that are not commonly written
13322 to, such as application serving shares (ie. shares that contain common
13323 .EXE files - such as a Microsoft Office share) as it allows clients to
13324 read-ahread cache copies of these files.</P
13333 >17.2.3. Old 'fake oplocks' option - deprecated</H3
13335 >Samba can also fake oplocks, by granting a oplock whenever a client
13336 asks for one. This is controlled using the smb.conf option "fake
13337 oplocks". If you set "fake oplocks = yes" then you are telling the
13338 client that it may agressively cache the file data for all opens.</P
13340 >Enabling 'fake oplocks' on all read-only shares or shares that you know
13341 will only be accessed from one client at a time you will see a big
13342 performance improvement on many operations. If you enable this option
13343 on shares where multiple clients may be accessing the files read-write
13344 at the same time you can get data corruption.</P
13354 >17.3. Socket options</H2
13356 >There are a number of socket options that can greatly affect the
13357 performance of a TCP based server like Samba.</P
13359 >The socket options that Samba uses are settable both on the command
13360 line with the -O option, or in the smb.conf file.</P
13362 >The "socket options" section of the smb.conf manual page describes how
13363 to set these and gives recommendations.</P
13365 >Getting the socket options right can make a big difference to your
13366 performance, but getting them wrong can degrade it by just as
13367 much. The correct settings are very dependent on your local network.</P
13369 >The socket option TCP_NODELAY is the one that seems to make the
13370 biggest single difference for most networks. Many people report that
13371 adding "socket options = TCP_NODELAY" doubles the read performance of
13372 a Samba drive. The best explanation I have seen for this is that the
13373 Microsoft TCP/IP stack is slow in sending tcp ACKs.</P
13382 >17.4. Read size</H2
13384 >The option "read size" affects the overlap of disk reads/writes with
13385 network reads/writes. If the amount of data being transferred in
13386 several of the SMB commands (currently SMBwrite, SMBwriteX and
13387 SMBreadbraw) is larger than this value then the server begins writing
13388 the data before it has received the whole packet from the network, or
13389 in the case of SMBreadbraw, it begins writing to the network before
13390 all the data has been read from disk.</P
13392 >This overlapping works best when the speeds of disk and network access
13393 are similar, having very little effect when the speed of one is much
13394 greater than the other.</P
13396 >The default value is 16384, but very little experimentation has been
13397 done yet to determine the optimal value, and it is likely that the best
13398 value will vary greatly between systems anyway. A value over 65536 is
13399 pointless and will cause you to allocate memory unnecessarily.</P
13408 >17.5. Max xmit</H2
13410 >At startup the client and server negotiate a "maximum transmit" size,
13411 which limits the size of nearly all SMB commands. You can set the
13412 maximum size that Samba will negotiate using the "max xmit = " option
13413 in smb.conf. Note that this is the maximum size of SMB request that
13414 Samba will accept, but not the maximum size that the *client* will accept.
13415 The client maximum receive size is sent to Samba by the client and Samba
13416 honours this limit.</P
13418 >It defaults to 65536 bytes (the maximum), but it is possible that some
13419 clients may perform better with a smaller transmit unit. Trying values
13420 of less than 2048 is likely to cause severe problems.</P
13422 >In most cases the default is the best option.</P
13433 >By default Samba does not implement strict locking on each read/write
13434 call (although it did in previous versions). If you enable strict
13435 locking (using "strict locking = yes") then you may find that you
13436 suffer a severe performance hit on some systems.</P
13438 >The performance hit will probably be greater on NFS mounted
13439 filesystems, but could be quite high even on local disks.</P
13448 >17.7. Share modes</H2
13450 >Some people find that opening files is very slow. This is often
13451 because of the "share modes" code needed to fully implement the dos
13452 share modes stuff. You can disable this code using "share modes =
13453 no". This will gain you a lot in opening and closing files but will
13454 mean that (in some cases) the system won't force a second user of a
13455 file to open the file read-only if the first has it open
13456 read-write. For many applications that do their own locking this
13457 doesn't matter, but for some it may. Most Windows applications
13458 depend heavily on "share modes" working correctly and it is
13459 recommended that the Samba share mode support be left at the
13460 default of "on".</P
13462 >The share mode code in Samba has been re-written in the 1.9.17
13463 release following tests with the Ziff-Davis NetBench PC Benchmarking
13464 tool. It is now believed that Samba 1.9.17 implements share modes
13465 similarly to Windows NT.</P
13467 >NOTE: In the most recent versions of Samba there is an option to use
13468 shared memory via mmap() to implement the share modes. This makes
13469 things much faster. See the Makefile for how to enable this.</P
13478 >17.8. Log level</H2
13480 >If you set the log level (also known as "debug level") higher than 2
13481 then you may suffer a large drop in performance. This is because the
13482 server flushes the log file after each operation, which can be very
13492 >17.9. Wide lines</H2
13494 >The "wide links" option is now enabled by default, but if you disable
13495 it (for better security) then you may suffer a performance hit in
13496 resolving filenames. The performance loss is lessened if you have
13497 "getwd cache = yes", which is now the default.</P
13506 >17.10. Read raw</H2
13508 >The "read raw" operation is designed to be an optimised, low-latency
13509 file read operation. A server may choose to not support it,
13510 however. and Samba makes support for "read raw" optional, with it
13511 being enabled by default.</P
13513 >In some cases clients don't handle "read raw" very well and actually
13514 get lower performance using it than they get using the conventional
13515 read operations. </P
13517 >So you might like to try "read raw = no" and see what happens on your
13518 network. It might lower, raise or not affect your performance. Only
13519 testing can really tell.</P
13528 >17.11. Write raw</H2
13530 >The "write raw" operation is designed to be an optimised, low-latency
13531 file write operation. A server may choose to not support it,
13532 however. and Samba makes support for "write raw" optional, with it
13533 being enabled by default.</P
13535 >Some machines may find "write raw" slower than normal write, in which
13536 case you may wish to change this option.</P
13545 >17.12. Read prediction</H2
13547 >Samba can do read prediction on some of the SMB commands. Read
13548 prediction means that Samba reads some extra data on the last file it
13549 read while waiting for the next SMB command to arrive. It can then
13550 respond more quickly when the next read request arrives.</P
13552 >This is disabled by default. You can enable it by using "read
13553 prediction = yes".</P
13555 >Note that read prediction is only used on files that were opened read
13558 >Read prediction should particularly help for those silly clients (such
13559 as "Write" under NT) which do lots of very small reads on a file.</P
13561 >Samba will not read ahead more data than the amount specified in the
13562 "read size" option. It always reads ahead on 1k block boundaries.</P
13571 >17.13. Memory mapping</H2
13573 >Samba supports reading files via memory mapping them. One some
13574 machines this can give a large boost to performance, on others it
13575 makes not difference at all, and on some it may reduce performance.</P
13577 >To enable you you have to recompile Samba with the -DUSE_MMAP option
13578 on the FLAGS line of the Makefile.</P
13580 >Note that memory mapping is only used on files opened read only, and
13581 is not used by the "read raw" operation. Thus you may find memory
13582 mapping is more effective if you disable "read raw" using "read raw =
13592 >17.14. Slow Clients</H2
13594 >One person has reported that setting the protocol to COREPLUS rather
13595 than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s).</P
13597 >I suspect that his PC's (386sx16 based) were asking for more data than
13598 they could chew. I suspect a similar speed could be had by setting
13599 "read raw = no" and "max xmit = 2048", instead of changing the
13600 protocol. Lowering the "read size" might also help.</P
13609 >17.15. Slow Logins</H2
13611 >Slow logins are almost always due to the password checking time. Using
13612 the lowest practical "password level" will improve things a lot. You
13613 could also enable the "UFC crypt" option in the Makefile.</P
13622 >17.16. Client tuning</H2
13624 >Often a speed problem can be traced to the client. The client (for
13625 example Windows for Workgroups) can often be tuned for better TCP
13628 >See your client docs for details. In particular, I have heard rumours
13629 that the WfWg options TCPWINDOWSIZE and TCPSEGMENTSIZE can have a
13630 large impact on performance.</P
13632 >Also note that some people have found that setting DefaultRcvWindow in
13633 the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a
13634 big improvement. I don't know why.</P
13636 >My own experience wth DefaultRcvWindow is that I get much better
13637 performance with a large value (16384 or larger). Other people have
13638 reported that anything over 3072 slows things down enourmously. One
13639 person even reported a speed drop of a factor of 30 when he went from
13640 3072 to 8192. I don't know why.</P
13642 >It probably depends a lot on your hardware, and the type of unix box
13643 you have at the other end of the link.</P
13645 >Paul Cochrane has done some testing on client side tuning and come
13646 to the following conclusions:</P
13648 >Install the W2setup.exe file from www.microsoft.com. This is an
13649 update for the winsock stack and utilities which improve performance.</P
13651 >Configure the win95 TCPIP registry settings to give better
13652 perfomance. I use a program called MTUSPEED.exe which I got off the
13653 net. There are various other utilities of this type freely available.
13654 The setting which give the best performance for me are:</P
13669 >MTUAutoDiscover Disable</P
13673 >MTUBlackHoleDetect Disable</P
13677 >Time To Live Enabled</P
13681 >Time To Live - HOPS 32</P
13685 >NDI Cache Size 0</P
13689 >I tried virtually all of the items mentioned in the document and
13690 the only one which made a difference to me was the socket options. It
13691 turned out I was better off without any!!!!!</P
13693 >In terms of overall speed of transfer, between various win95 clients
13694 and a DX2-66 20MB server with a crappy NE2000 compatible and old IDE
13695 drive (Kernel 2.0.30). The transfer rate was reasonable for 10 baseT.</P
13698 The figures are: Put Get
13699 P166 client 3Com card: 420-440kB/s 500-520kB/s
13700 P100 client 3Com card: 390-410kB/s 490-510kB/s
13701 DX4-75 client NE2000: 370-380kB/s 330-350kB/s</P
13703 >I based these test on transfer two files a 4.5MB text file and a 15MB
13704 textfile. The results arn't bad considering the hardware Samba is
13705 running on. It's a crap machine!!!!</P
13707 >The updates mentioned in 1 and 2 brought up the transfer rates from
13708 just over 100kB/s in some clients.</P
13710 >A new client is a P333 connected via a 100MB/s card and hub. The
13711 transfer rates from this were good: 450-500kB/s on put and 600+kB/s
13714 >Looking at standard FTP throughput, Samba is a bit slower (100kB/s
13715 upwards). I suppose there is more going on in the samba protocol, but
13716 if it could get up to the rate of FTP the perfomance would be quite
13726 >17.17. My Results</H2
13728 >Some people want to see real numbers in a document like this, so here
13729 they are. I have a 486sx33 client running WfWg 3.11 with the 3.11b
13730 tcp/ip stack. It has a slow IDE drive and 20Mb of ram. It has a SMC
13731 Elite-16 ISA bus ethernet card. The only WfWg tuning I've done is to
13732 set DefaultRcvWindow in the [MSTCP] section of system.ini to 16384. My
13733 server is a 486dx3-66 running Linux. It also has 20Mb of ram and a SMC
13734 Elite-16 card. You can see my server config in the examples/tridge/
13735 subdirectory of the distribution.</P
13737 >I get 490k/s on reading a 8Mb file with copy.
13738 I get 441k/s writing the same file to the samba server.</P
13740 >Of course, there's a lot more to benchmarks than 2 raw throughput
13741 figures, but it gives you a ballpark figure.</P
13743 >I've also tested Win95 and WinNT, and found WinNT gave me the best
13744 speed as a samba client. The fastest client of all (for me) is
13745 smbclient running on another linux box. Maybe I'll add those results
13746 here someday ...</P
13753 NAME="OTHER-CLIENTS"
13755 >Chapter 18. Samba and other CIFS clients</H1
13757 >This chapter contains client-specific information.</P
13765 >18.1. Macintosh clients?</H2
13768 HREF="http://www.thursby.com/"
13771 > now have a CIFS Client / Server called DAVE - see</P
13773 >They test it against Windows 95, Windows NT and samba for
13774 compatibility issues. At the time of writing, DAVE was at version
13775 1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from
13776 the Thursby web site (the speed of finder copies has been greatly
13777 enhanced, and there are bug-fixes included).</P
13780 Alternatives - There are two free implementations of AppleTalk for
13781 several kinds of UNIX machnes, and several more commercial ones.
13782 These products allow you to run file services and print services
13783 natively to Macintosh users, with no additional support required on
13784 the Macintosh. The two free omplementations are
13786 HREF="http://www.umich.edu/~rsug/netatalk/"
13791 HREF="http://www.cs.mu.oz.au/appletalk/atalk.html"
13795 What Samba offers MS
13796 Windows users, these packages offer to Macs. For more info on these
13797 packages, Samba, and Linux (and other UNIX-based systems) see
13799 HREF="http://www.eats.com/linux_mac_win.html"
13801 >http://www.eats.com/linux_mac_win.html</A
13811 >18.2. OS2 Client</H2
13819 >18.2.1. How can I configure OS/2 Warp Connect or
13820 OS/2 Warp 4 as a client for Samba?</H3
13822 >A more complete answer to this question can be
13824 HREF="http://carol.wins.uva.nl/~leeuw/samba/warp.html"
13826 > http://carol.wins.uva.nl/~leeuw/samba/warp.html</A
13829 >Basically, you need three components:</P
13835 >The File and Print Client ('IBM Peer')
13840 >TCP/IP ('Internet support')
13845 >The "NetBIOS over TCP/IP" driver ('TCPBEUI')
13850 >Installing the first two together with the base operating
13851 system on a blank system is explained in the Warp manual. If Warp
13852 has already been installed, but you now want to install the
13853 networking support, use the "Selective Install for Networking"
13854 object in the "System Setup" folder.</P
13856 >Adding the "NetBIOS over TCP/IP" driver is not described
13857 in the manual and just barely in the online documentation. Start
13858 MPTS.EXE, click on OK, click on "Configure LAPS" and click
13859 on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
13860 is then moved to 'Current Configuration'. Select that line,
13861 click on "Change number" and increase it from 0 to 1. Save this
13864 >If the Samba server(s) is not on your local subnet, you
13865 can optionally add IP names and addresses of these servers
13866 to the "Names List", or specify a WINS server ('NetBIOS
13867 Nameserver' in IBM and RFC terminology). For Warp Connect you
13868 may need to download an update for 'IBM Peer' to bring it on
13869 the same level as Warp 4. See the webpage mentioned above.</P
13878 >18.2.2. How can I configure OS/2 Warp 3 (not Connect),
13879 OS/2 1.2, 1.3 or 2.x for Samba?</H3
13881 >You can use the free Microsoft LAN Manager 2.2c Client
13884 HREF="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/"
13886 > ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</A
13889 HREF="http://carol.wins.uva.nl/~leeuw/lanman.html"
13891 > http://carol.wins.uva.nl/~leeuw/lanman.html</A
13893 more information on how to install and use this client. In
13894 a nutshell, edit the file \OS2VER in the root directory of
13895 the OS/2 boot partition and add the lines:</P
13898 CLASS="PROGRAMLISTING"
13905 >before you install the client. Also, don't use the
13906 included NE2000 driver because it is buggy. Try the NE2000
13907 or NS2000 driver from
13909 HREF="ftp://ftp.cdrom.com/pub/os2/network/ndis/"
13911 > ftp://ftp.cdrom.com/pub/os2/network/ndis/</A
13922 >18.2.3. Are there any other issues when OS/2 (any version)
13923 is used as a client?</H3
13925 >When you do a NET VIEW or use the "File and Print
13926 Client Resource Browser", no Samba servers show up. This can
13927 be fixed by a patch from <A
13928 HREF="http://carol.wins.uva.nl/~leeuw/samba/fix.html"
13930 > http://carol.wins.uva.nl/~leeuw/samba/fix.html</A
13932 The patch will be included in a later version of Samba. It also
13933 fixes a couple of other problems, such as preserving long
13934 filenames when objects are dragged from the Workplace Shell
13935 to the Samba server. </P
13944 >18.2.4. How do I get printer driver download working
13945 for OS/2 clients?</H3
13947 >First, create a share called [PRINTDRV] that is
13948 world-readable. Copy your OS/2 driver files there. Note
13949 that the .EA_ files must still be separate, so you will need
13950 to use the original install files, and not copy an installed
13951 driver from an OS/2 system.</P
13953 >Install the NT driver first for that printer. Then,
13954 add to your smb.conf a parameter, os2 driver map =
13956 CLASS="REPLACEABLE"
13960 >". Then, in the file
13962 CLASS="REPLACEABLE"
13967 name of the NT driver name to the OS/2 driver name as
13972 >nt driver name = os2 "driver
13973 name"."device name"</B
13975 HP LaserJet 5L = LASERJET.HP LaserJet 5L</P
13977 >You can have multiple drivers mapped in this file.</P
13979 >If you only specify the OS/2 driver name, and not the
13980 device name, the first attempt to download the driver will
13981 actually download the files, but the OS/2 client will tell
13982 you the driver is not available. On the second attempt, it
13983 will work. This is fixed simply by adding the device name
13984 to the mapping, after which it will work on the first attempt.
13995 >18.3. Windows for Workgroups</H2
14003 >18.3.1. Use latest TCP/IP stack from Microsoft</H3
14005 >Use the latest TCP/IP stack from microsoft if you use Windows
14008 >The early TCP/IP stacks had lots of bugs.</P
14011 Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
14012 VxD drivers. The latest release can be found on their ftp site at
14013 ftp.microsoft.com, located in /peropsys/windows/public/tcpip/wfwt32.exe.
14014 There is an update.txt file there that describes the problems that were
14015 fixed. New files include WINSOCK.DLL, TELNET.EXE, WSOCK.386, VNBT.386,
14016 WSTCP.386, TRACERT.EXE, NETSTAT.EXE, and NBTSTAT.EXE.</P
14025 >18.3.2. Delete .pwl files after password change</H3
14027 >WfWg does a lousy job with passwords. I find that if I change my
14028 password on either the unix box or the PC the safest thing to do is to
14029 delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password.</P
14032 If you don't do this you may find that WfWg remembers and uses the old
14033 password, even if you told it a new one.</P
14036 Often WfWg will totally ignore a password you give it in a dialog box.</P
14045 >18.3.3. Configure WfW password handling</H3
14047 >There is a program call admincfg.exe
14048 on the last disk (disk 8) of the WFW 3.11 disk set. To install it
14049 type EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE Then add an icon
14050 for it via the "Progam Manager" "New" Menu. This program allows you
14051 to control how WFW handles passwords. ie disable Password Caching etc
14054 >security = user</B
14064 >18.3.4. Case handling of passwords</H3
14066 >Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <A
14067 HREF="smb.conf.5.html"
14070 > information on <B
14073 > to specify what characters samba should try to uppercase when checking.</P
14083 >18.4. Windows '95/'98</H2
14085 >When using Windows 95 OEM SR2 the following updates are recommended where Samba
14086 is being used. Please NOTE that the above change will affect you once these
14087 updates have been installed.</P
14090 There are more updates than the ones mentioned here. You are referred to the
14091 Microsoft Web site for all currently available updates to your specific version
14099 >Kernel Update: KRNLUPD.EXE</P
14103 >Ping Fix: PINGUPD.EXE</P
14107 >RPC Update: RPCRTUPD.EXE</P
14111 >TCP/IP Update: VIPUPD.EXE</P
14115 >Redirector Update: VRDRUPD.EXE</P
14119 >Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This
14120 fix may stop your machine from hanging for an extended period when exiting
14121 OutLook and you may also notice a significant speedup when accessing network
14122 neighborhood services.</P
14131 >18.5. Windows 2000 Service Pack 2</H2
14134 There are several annoyances with Windows 2000 SP2. One of which
14135 only appears when using a Samba server to host user profiles
14136 to Windows 2000 SP2 clients in a Windows domain. This assumes
14137 that Samba is a member of the domain, but the problem will
14138 likely occur if it is not.</P
14141 In order to server profiles successfully to Windows 2000 SP2
14142 clients (when not operating as a PDC), Samba must have
14145 >nt acl support = no</B
14147 added to the file share which houses the roaming profiles.
14148 If this is not done, then the Windows 2000 SP2 client will
14149 complain about not being able to access the profile (Access
14150 Denied) and create multiple copies of it on disk (DOMAIN.user.001,
14151 DOMAIN.user.002, etc...). See the
14153 HREF="smb.conf.5.html"
14157 for more details on this option. Also note that the
14161 > parameter was formally a global parameter in
14162 releases prior to Samba 2.2.2.</P
14165 The following is a minimal profile share:</P
14168 CLASS="PROGRAMLISTING"
14170 path = /export/profile
14172 directory mask = 0700
14173 nt acl support = no
14174 read only = no</PRE
14177 >The reason for this bug is that the Win2k SP2 client copies
14178 the security descriptor for the profile which contains
14179 the Samba server's SID, and not the domain SID. The client
14180 compares the SID for SAMBA\user and realizes it is
14181 different that the one assigned to DOMAIN\user. Hence the reason
14182 for the "access denied" message.</P
14184 >By disabling the <B
14187 > parameter, Samba will send
14188 the Win2k client a response to the QuerySecurityDescriptor
14189 trans2 call which causes the client to set a default ACL
14190 for the profile. This default ACL includes </P
14194 >DOMAIN\user "Full Control"</B
14201 >NOTE : This bug does not occur when using winbind to
14202 create accounts on the Samba host for Domain users.</I
14213 >Chapter 19. HOWTO Access Samba source code via CVS</H1
14221 >19.1. Introduction</H2
14223 >Samba is developed in an open environment. Developers use CVS
14224 (Concurrent Versioning System) to "checkin" (also known as
14225 "commit") new source code. Samba's various CVS branches can
14226 be accessed via anonymous CVS using the instructions
14227 detailed in this chapter.</P
14229 >This document is a modified version of the instructions found at
14231 HREF="http://samba.org/samba/cvs.html"
14233 >http://samba.org/samba/cvs.html</A
14243 >19.2. CVS Access to samba.org</H2
14245 >The machine samba.org runs a publicly accessible CVS
14246 repository for access to the source code of several packages,
14247 including samba, rsync and jitterbug. There are two main ways of
14248 accessing the CVS server on this host.</P
14256 >19.2.1. Access via CVSweb</H3
14258 >You can access the source code via your
14259 favourite WWW browser. This allows you to access the contents of
14260 individual files in the repository and also to look at the revision
14261 history and commit logs of individual files. You can also ask for a diff
14262 listing between any two versions on the repository.</P
14265 HREF="http://samba.org/cgi-bin/cvsweb"
14267 >http://samba.org/cgi-bin/cvsweb</A
14277 >19.2.2. Access via cvs</H3
14279 >You can also access the source code via a
14280 normal cvs client. This gives you much more control over you can
14281 do with the repository and allows you to checkout whole source trees
14282 and keep them up to date via normal cvs commands. This is the
14283 preferred method of access if you are a developer and not
14284 just a casual browser.</P
14286 >To download the latest cvs source code, point your
14287 browser at the URL : <A
14288 HREF="http://www.cyclic.com/"
14290 >http://www.cyclic.com/</A
14292 and click on the 'How to get cvs' link. CVS is free software under
14293 the GNU GPL (as is Samba). Note that there are several graphical CVS clients
14294 which provide a graphical interface to the sometimes mundane CVS commands.
14295 Links to theses clients are also available from http://www.cyclic.com.</P
14297 >To gain access via anonymous cvs use the following steps.
14298 For this example it is assumed that you want a copy of the
14299 samba source code. For the other source code repositories
14300 on this system just substitute the correct package name</P
14307 > Install a recent copy of cvs. All you really need is a
14308 copy of the cvs client binary.
14318 >cvs -d :pserver:cvs@samba.org:/cvsroot login</B
14322 > When it asks you for a password type <TT
14337 >cvs -d :pserver:cvs@samba.org:/cvsroot co samba</B
14341 > This will create a directory called samba containing the
14342 latest samba source code (i.e. the HEAD tagged cvs branch). This
14343 currently corresponds to the 3.0 development tree.
14346 > CVS branches other HEAD can be obtained by using the <TT
14352 and defining a tag name. A list of branch tag names can be found on the
14353 "Development" page of the samba web site. A common request is to obtain the
14354 latest 2.2 release code. This could be done by using the following command.
14359 >cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</B
14365 > Whenever you want to merge in the latest code changes use
14366 the following command from within the samba directory:
14371 >cvs update -d -P</B
14385 >Chapter 20. Reporting Bugs</H1
14393 >20.1. Introduction</H2
14395 >The email address for bug reports is samba@samba.org</P
14397 >Please take the time to read this file before you submit a bug
14398 report. Also, please see if it has changed between releases, as we
14399 may be changing the bug reporting mechanism at some time.</P
14401 >Please also do as much as you can yourself to help track down the
14402 bug. Samba is maintained by a dedicated group of people who volunteer
14403 their time, skills and efforts. We receive far more mail about it than
14404 we can possibly answer, so you have a much higher chance of an answer
14405 and a fix if you send us a "developer friendly" bug report that lets
14406 us fix it fast. </P
14408 >Do not assume that if you post the bug to the comp.protocols.smb
14409 newsgroup or the mailing list that we will read it. If you suspect that your
14410 problem is not a bug but a configuration problem then it is better to send
14411 it to the Samba mailing list, as there are (at last count) 5000 other users on
14412 that list that may be able to help you.</P
14414 >You may also like to look though the recent mailing list archives,
14415 which are conveniently accessible on the Samba web pages
14416 at http://samba.org/samba/ </P
14425 >20.2. General info</H2
14427 >Before submitting a bug report check your config for silly
14428 errors. Look in your log files for obvious messages that tell you that
14429 you've misconfigured something and run testparm to test your config
14430 file for correct syntax.</P
14432 >Have you run through the <A
14433 HREF="Diagnosis.html"
14437 This is very important.</P
14439 >If you include part of a log file with your bug report then be sure to
14440 annotate it with exactly what you were doing on the client at the
14441 time, and exactly what the results were.</P
14450 >20.3. Debug levels</H2
14452 >If the bug has anything to do with Samba behaving incorrectly as a
14453 server (like refusing to open a file) then the log files will probably
14454 be very useful. Depending on the problem a log level of between 3 and
14455 10 showing the problem may be appropriate. A higher level givesmore
14456 detail, but may use too much disk space.</P
14458 >To set the debug level use <B
14465 >. You may also find it useful to set the log
14466 level higher for just one machine and keep separate logs for each machine.
14470 CLASS="PROGRAMLISTING"
14472 log file = /usr/local/samba/lib/log.%m
14473 include = /usr/local/samba/lib/smb.conf.%m</PRE
14476 >then create a file
14479 >/usr/local/samba/lib/smb.conf.machine</TT
14481 "machine" is the name of the client you wish to debug. In that file
14482 put any smb.conf commands you want, for example
14486 > may be useful. This also allows you to
14487 experiment with different security systems, protocol levels etc on just
14497 is synonymous with the entry <B
14501 used in older versions of Samba and is being retained for backwards
14502 compatibility of smb.conf files.</P
14507 > value is increased you will record
14508 a significantly increasing level of debugging information. For most
14509 debugging operations you may not need a setting higher than 3. Nearly
14510 all bugs can be tracked at a setting of 10, but be prepared for a VERY
14511 large volume of log data.</P
14520 >20.4. Internal errors</H2
14522 >If you get a "INTERNAL ERROR" message in your log files it means that
14523 Samba got an unexpected signal while running. It is probably a
14524 segmentation fault and almost certainly means a bug in Samba (unless
14525 you have faulty hardware or system software)</P
14527 >If the message came from smbd then it will probably be accompanied by
14528 a message which details the last SMB message received by smbd. This
14529 info is often very useful in tracking down the problem so please
14530 include it in your bug report.</P
14532 >You should also detail how to reproduce the problem, if
14533 possible. Please make this reasonably detailed.</P
14535 >You may also find that a core file appeared in a "corefiles"
14536 subdirectory of the directory where you keep your samba log
14537 files. This file is the most useful tool for tracking down the bug. To
14538 use it you do this:</P
14545 >adding appropriate paths to smbd and core so gdb can find them. If you
14546 don't have gdb then try "dbx". Then within the debugger use the
14547 command "where" to give a stack trace of where the problem
14548 occurred. Include this in your mail.</P
14550 >If you known any assembly language then do a "disass" of the routine
14551 where the problem occurred (if its in a library routine then
14552 disassemble the routine that called it) and try to work out exactly
14553 where the problem is by looking at the surrounding code. Even if you
14554 don't know assembly then incuding this info in the bug report can be
14564 >20.5. Attaching to a running process</H2
14566 >Unfortunately some unixes (in particular some recent linux kernels)
14567 refuse to dump a core file if the task has changed uid (which smbd
14568 does often). To debug with this sort of system you could try to attach
14569 to the running process using "gdb smbd PID" where you get PID from
14570 smbstatus. Then use "c" to continue and try to cause the core dump
14571 using the client. The debugger should catch the fault and tell you
14572 where it occurred.</P
14583 >The best sort of bug report is one that includes a fix! If you send us
14584 patches please use <B
14587 > format if your version of
14588 diff supports it, otherwise use <B
14592 your do the diff against a clean version of the source and let me know
14593 exactly what version you used. </P
14600 NAME="GROUPMAPPING"
14602 >Chapter 21. Group mapping HOWTO</H1
14605 Starting with Samba 3.0 alpha 2, a new group mapping function is available. The
14606 current method (likely to change) to manage the groups is a new command called
14612 >The first immediate reason to use the group mapping on a PDC, is that
14615 >domain admin group</B
14620 now gone. This parameter was used to give the listed users local admin rights
14621 on their workstations. It was some magic stuff that simply worked but didn't
14622 scale very well for complex setups.</P
14624 >Let me explain how it works on NT/W2K, to have this magic fade away.
14625 When installing NT/W2K on a computer, the installer program creates some users
14626 and groups. Notably the 'Administrators' group, and gives to that group some
14627 privileges like the ability to change the date and time or to kill any process
14628 (or close too) running on the local machine. The 'Administrator' user is a
14629 member of the 'Administrators' group, and thus 'inherit' the 'Administrators'
14630 group privileges. If a 'joe' user is created and become a member of the
14631 'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.</P
14633 >When a NT/W2K machine is joined to a domain, during that phase, the "Domain
14634 Administrators' group of the PDC is added to the 'Administrators' group of the
14635 workstation. Every members of the 'Domain Administrators' group 'inherit' the
14636 rights of the 'Administrators' group when logging on the workstation.</P
14638 >You are now wondering how to make some of your samba PDC users members of the
14639 'Domain Administrators' ? That's really easy.</P
14646 >create a unix group (usually in <TT
14649 >), let's call it domadm</P
14653 >add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in <TT
14656 > will look like:</P
14659 CLASS="PROGRAMLISTING"
14660 >domadm:x:502:joe,john,mary</PRE
14665 >Map this domadm group to the <B
14668 > group by running the command:</P
14672 >smbgroupedit -c "Domain Admins" -u domadm</B
14677 >You're set, joe, john and mary are domain administrators !</P
14679 >Like the Domain Admins group, you can map any arbitrary Unix group to any NT
14680 group. You can also make any Unix group a domain group. For example, on a domain
14681 member machine (an NT/W2K or a samba server running winbind), you would like to
14682 give access to a certain directory to some users who are member of a group on
14683 your samba PDC. Flag that group as a domain group by running:</P
14687 >smbgroupedit -a unixgroup -td</B
14690 >You can list the various groups in the mapping database like this</P
14694 >smbgroupedit -v</B
14703 >Chapter 22. Portability</H1
14705 >Samba works on a wide range of platforms but the interface all the
14706 platforms provide is not always compatible. This chapter contains
14707 platform-specific information about compiling and using samba.</P
14717 >HP's implementation of supplementary groups is, er, non-standard (for
14718 hysterical reasons). There are two group files, /etc/group and
14719 /etc/logingroup; the system maps UIDs to numbers using the former, but
14720 initgroups() reads the latter. Most system admins who know the ropes
14721 symlink /etc/group to /etc/logingroup (hard link doesn't work for reasons
14722 too stupid to go into here). initgroups() will complain if one of the
14723 groups you're in in /etc/logingroup has what it considers to be an invalid
14724 ID, which means outside the range [0..UID_MAX], where UID_MAX is (I think)
14725 60000 currently on HP-UX. This precludes -2 and 65534, the usual 'nobody'
14728 >If you encounter this problem, make sure that the programs that are failing
14729 to initgroups() be run as users not in any groups with GIDs outside the
14732 >This is documented in the HP manual pages under setgroups(2) and passwd(4).</P
14741 >22.2. SCO Unix</H2
14744 If you run an old version of SCO Unix then you may need to get important
14745 TCP/IP patches for Samba to work correctly. Without the patch, you may
14746 encounter corrupt data transfers using samba.</P
14748 >The patch you need is UOD385 Connection Drivers SLS. It is available from
14749 SCO (ftp.sco.com, directory SLS, files uod385a.Z and uod385a.ltr.Z).</P
14760 >DNIX has a problem with seteuid() and setegid(). These routines are
14761 needed for Samba to work correctly, but they were left out of the DNIX
14762 C library for some reason.</P
14764 >For this reason Samba by default defines the macro NO_EID in the DNIX
14765 section of includes.h. This works around the problem in a limited way,
14766 but it is far from ideal, some things still won't work right.</P
14769 To fix the problem properly you need to assemble the following two
14770 functions and then either add them to your C library or link them into
14774 put this in the file <TT
14780 CLASS="PROGRAMLISTING"
14795 >put this in the file <TT
14801 CLASS="PROGRAMLISTING"
14816 >after creating the above files you then assemble them using</P
14828 >that should produce the files <TT
14837 >then you need to add these to the LIBSM line in the DNIX section of
14838 the Samba Makefile. Your LIBSM line will then look something like this:</P
14841 CLASS="PROGRAMLISTING"
14842 >LIBSM = setegid.o seteuid.o -ln</PRE
14846 You should then remove the line:</P
14849 CLASS="PROGRAMLISTING"
14850 >#define NO_EID</PRE
14853 >from the DNIX section of <TT