</para>
<para><programlisting>
-workgroup = SAMBA
-domain master = yes
-domain logons = yes
+ workgroup = SAMBA
+ domain master = yes
+ domain logons = yes
</programlisting></para>
<para>
</para>
<para><programlisting>
-workgroup = samba
-domain master = no
-domain logons = yes
+ workgroup = samba
+ domain master = no
+ domain logons = yes
</programlisting></para>
<para>
<para>
Please refer to the section on Howto configure Samba as a Primary Domain Controller
and for more information regarding how to create a domain machine account for a
-domain member server as well as for information regading how to enable the samba
+domain member server as well as for information regarding how to enable the samba
domain member machine to join the domain and to be fully trusted by it.
</para>
<para>
SWAT is a web-based interface that helps you configure samba.
SWAT might not be available in the samba package on your platform,
- but in a seperate package. Please read the swat manpage
+ but in a separate package. Please read the swat manpage
on compiling, installing and configuring swat from source.
</para>
<para>To launch SWAT just run your favorite web browser and
point it at "http://localhost:901/". Replace <replaceable>localhost</replaceable> with the name of the computer you are running samba on if you
- are running samba on a different computer then your browser.</para>
+ are running samba on a different computer than your browser.</para>
<para>Note that you can attach to SWAT from any IP connected
machine but connecting from a remote machine leaves your
<sect1>
<title>TDB</title>
<para>Samba can also store the user data in a "TDB" (Trivial Database). Using this backend
-doesn't require any additional configuration. This backend is recommended for new installations who
-don't require LDAP.
+doesn't require any additional configuration. This backend is recommended for new installations that
+don not require LDAP.
</para>
</sect1>
</sect2>
<sect2>
-<title>Introduction</title>
+<title>Encrypted Password Database</title>
<para>
Traditionally, when configuring <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">"encrypt
</para>
<para>
-There are a few points to stress about what the ldapsam
+There are a few points to stress about that the ldapsam
does not provide. The LDAP support referred to in the this documentation does not
include:
</para>
<abstract>
<para>
This book is a collection of HOWTOs added to Samba documentation over the years.
-Samba is always under development, and so is it's documentation. This release of the
+Samba is always under development, and so is its' documentation. This release of the
documentation represents a major revision or layout as well as contents.
The most recent version of this document can be found at
<ulink url="http://www.samba.org/">http://www.samba.org/</ulink>
project would not have been possible without significant community contribution. A not
insignificant number of ideas for inclusion (if not content itself) has been obtained
from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered.
-Please keep publishing you Unofficial HOWTO's - they are a source of inspiration and
-application knowledge that is most to be desired by may Samba users and administrators.
+Please keep publishing your Unofficial HOWTO's - they are a source of inspiration and
+application knowledge that is most to be desired by many Samba users and administrators.
</para>
</abstract>
<chapterinfo>
&author.tridge;
+ &author.jht;
<pubdate>17 March 2003</pubdate>
</chapterinfo>
</para>
<para><programlisting>
- hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
- hosts deny = 0.0.0.0/0
+ hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
+ hosts deny = 0.0.0.0/0
</programlisting></para>
<para>
</para>
<para><programlisting>
- interfaces = eth* lo
- bind interfaces only = yes
+ interfaces = eth* lo
+ bind interfaces only = yes
</programlisting></para>
<para>
</para>
<para><programlisting>
-UDP/137 - used by nmbd
-UDP/138 - used by nmbd
-TCP/139 - used by smbd
-TCP/445 - used by smbd
+ UDP/137 - used by nmbd
+ UDP/138 - used by nmbd
+ TCP/139 - used by smbd
+ TCP/445 - used by smbd
</programlisting></para>
<para>
</para>
<para><programlisting>
- [ipc$]
- hosts allow = 192.168.115.0/24 127.0.0.1
- hosts deny = 0.0.0.0/0
+ [ipc$]
+ hosts allow = 192.168.115.0/24 127.0.0.1
+ hosts deny = 0.0.0.0/0
</programlisting></para>
<para>
</sect1>
+<sect1>
+<title>NTLMv2 Security</title>
+
+<para>
+To configure NTLMv2 authentication the following registry keys are worth knowing about:
+</para>
+
+<para>
+<programlisting>
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+ "lmcompatibilitylevel"=dword:00000003
+
+ 0x3 - Send NTLMv2 response only. Clients will use NTLMv2 authentication,
+ use NTLMv2 session security if the server supports it. Domain
+ controllers accept LM, NTLM and NTLMv2 authentication.
+
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
+ "NtlmMinClientSec"=dword:00080000
+
+ 0x80000 - NTLMv2 session security. If either NtlmMinClientSec or
+ NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2
+ session security is not negotiated.
+</programlisting>
+</para>
+</sect1>
+
<sect1>
<title>Upgrading Samba</title>