</bookinfo>
-<dedication><title></>
+<dedication><title></title>
- <para>Comments, corrections and additions to <email>D.Bannon@latrobe.edu.au</email></para>
-
- <para>This is the FAQ for Samba 2.2 as an NTDomain controller.
+ <para>
+ This is the FAQ for Samba 2.2 as an NTDomain controller.
This document is derived from the origional FAQ that was built and
- maintained by Gerald Carter
- from the early days of Samba NTDomain development up until recently.
- It is now being updated as significent changes are made to 2.2.0.</para>
+ maintained by Gerald Carter from the early days of Samba NTDomain development
+ up until recently. It is now being updated as significent changes are
+ made to 2.2.0.
+ </para>
- <para>Please note it does not apply to Samba2.2alpha0, Samba2.2alpha1, Samba 2.0.7, TNG nor HEAD branch.
- </para>
- <para>I'll repeat, it does not apply to the current snapshot [ftp mirror]:/pub/samba/alpha/samba-2.2.0-alpha1.tar.gz, only to the to the current cvs.</para>
+ <para>
+ Please note it does not apply to the SAMBA_TNG nor the HEAD branch.
+ </para>
-<para>
- Also available is a Samba 2.2 PDC <ulink url="samba-pdc-howto.html">HowTo</> that takes you, step
- by step, over the process of setting up a very basic Samba 2.2 Primary Domain Controller
- </para>
+ <para>
+ Also available is a Samba 2.2 PDC <ulink url="samba-pdc-howto.html">HOWTO</ulink>
+ that takes you, step by step, over the process of setting up a very basic Samba
+ 2.2 Primary Domain Controller
+ </para>
- <note><para>Please read the Introduction for the current <link linkend=stateofplay> state of play</>.</para></>
</dedication>
<toc></toc>
<!-- ================ I N T R O D U C T I O N ==================== -->
-<chapter><title>Introduction</>
-
-<sect1><title id=stateofplay>State of Play</title>
- <para><emphasis>It should be noted that 2.2.0 in its pre-release form still has a few problems,
- I'll try and keep this section current while things are still dynamic.
- At the time of this update (December 15, 2000) the current state of play is :</emphasis></para>
-
- <para>Comments here about W2K joining the domain apply only to Samba 2.2 from the CVS after November 27th. The
- 'snapshot' release Samba2.2alpha1 does not work !!! See below on how to get a CVS tree.</para>
-
- <para><command>Known Bug !</>W2K machines will not successfully join a domain with a name that
- is made up from an even number of characters. Yep, thats right ! BIOTEST is OK as is MYDOMAI
- but MYDOMAIN will not work until this bug is fixed. Hmm.., we believe
- that this bug is fixed, but see below.</para>
-
- <para><command>Known Bug !</>After some bugs were fixed just before
- Christmas, W2K SP1 machines cannot join the domain. Expected to be
- fixed early in the new year. Whats that ? yeah, samba developers
- have a Christmas break too !</para>
+<chapter>
+<title>Introduction</title>
- <para><command>Know Bug !</>NTs (and possibly W2K ?) are not told the logged on user is a domain
- admin if the parameter "domain admin users = user" is used. The alternative, "domain admin group"
- does work. See the HowTo.</>
-
- <para>Client Side creation of Machine accounts does work but is not complete.
- Firstly, the <filename>add user script</> runs as the user who's
- name was entered, not as root. Secondly, the machine name passed to the script (%U)
- has an underscore at the end, not a '$'. One alternative is to use %m and add the $.
- This method is documented in the <ulink url="samba-pdc-howto.html">HowTo</>.
- And thirdly, it does not work with NT4ws.
- </para>
-
- <para>A W2K machine can join the domain. See the <ulink url="samba-pdc-howto.html">HowTo</>
- which explains the process. The methods
- described are 'work arounds' and should be regarded as temporary. Although I (drb)
- have tested these procedures a number of people have had difficulty so there
- may be other issues at work. JFM is aware of these
- problems and will attend to them when he can.</para>
-
- <para>A Domain Admin account is required and at present it appears that only root
- is a suitable candidate.</para>
+<sect1>
+<title id=stateofplay>State of Play</title>
<para>Much of the related code does work. For example, if an NT is removed from the
domain and then rejoins, the <filename>Create a Computer Account in the Domain</> dialog
the unix box. However, at the present, you do need to have root as an
administrator and use the root user name and password.</para>
- <para><emphasis>Actually I'm
- not sure that last paragraph is correct ....</></para>
-
- <para><command>Policies</> do work on a W2K machine. MS says that recent builds of
- W2K dont observe an NT policy but it appears it does in 'legacy' mode.</para>
+ <para><command>Policies</command> do work on a W2K machine. MS says that recent
+ builds of W2K dont observe an NT policy but it appears it does in 'legacy'
+ mode.</para>
</sect1>
-<sect1><title>Introduction</>
- <para>This FAQ was origionally compiled by Jerry Carter (gc) chiefly dealing with the 'old head'
- version of Samba and its NTDomain facilities. It is being rewritten by David Bannon (drb)
- so that it addresses more accurately the Samba 2.2 planned for release late 2000. </para>
- <para>This document probably still contains some material that does not apply to
- Samba 2.2 but most (all?) of the really misleading stuff has been removed. Some
- issues are not dealt with or are dealt with badly. Please send corrections and additions to
- David Bannon at D.Bannon@latrobe.edu.au</para>
+<sect1>
+<title>Introduction</title>
- <para>Hopefully, as we all become familiar with the Samba 2.2 as a PDC this document will
- become much more usefull.</para>
+ <para>
+ This FAQ was origionally compiled by Jerry Carter (gc) chiefly dealing
+ with the 'old HEAD' version of Samba and its NTDomain facilities. It is
+ being rewritten by David Bannon (drb) so that it addresses more
+ accurately the Samba 2.2.x release.
+ </para>
+
+ <para>
+ This document probably still contains some material that does not apply
+ to Samba 2.2 but most (all?) of the really misleading stuff has been
+ removed. Some issues are not dealt with or are dealt with badly. Please
+ send corrections and additions to <ulink
+ url="mailto:D.Bannon@latrobe.edu.au">David Bannon</ulink>.
+ </para>
+ <para>Hopefully, as we all become familiar with the Samba 2.2 as a
+ PDC this document will become much more usefull.</para>
</sect1>
+
</chapter>
<!-- ============== G E N E R A L I N F O R M A T I O N ============== -->
<sect1><title>What can we do ?</title>
-<sect2><title>What can Samba Primary Domain Controller (PDC) do ?</>
-
- <para>If you wish to have Samba act as a PDC for Windows NT 3.51.and 4.0 or W2000 client, then you
- will need to obtain the 2.2.0 version, currently in pre-release. Release of a stable,
- full featured Samba PDC is currently slated for version 3.0. </para>
-
- <para>The following is a list of included features currently in Samba 2.2:</para>
-<itemizedlist>
- <listitem><para>The ability to act as a limited PDC for Windows NT and W2000 clients.
- This includes adding NT and W2K machines to the domain and authenticating users logging
- into the domain.</para></listitem>
- <listitem><para>Domain account can be viewed using the User Manager for
- Domains ????</para></listitem>
- <listitem><para>Viewing resources on the Samba PDC via the Server Manager for Domains
- from the NT client. ??</para></listitem>
- <listitem><para>Windows 95 clients will allow user level security to be set
- but will not currently allow browsing of accounts.</para></listitem>
- <listitem><para>Machine account password updates.</para></listitem>
- <listitem><para>Changing of user passwords from an NT client.</para></listitem>
- <listitem><para>Partial support for Windows NT group and username mapping.</para></listitem>
- <listitem><para>Support for a LDAP password database backend.</para></listitem>
- <listitem><para>Printing.</para></listitem>
-</itemizedlist>
+<sect2>
+<title>What can Samba 2.2.x Primary Domain Controller (PDC) do ?</title>
-
-<itemizedlist><title>These things are note expected to work in the forseeable future</title>
- <listitem><para>Trust relationships</para></listitem>
- <listitem><para>PDC and BDC integration</para></listitem>
- <listitem><para>Windows NT ACLs (on the Samba shares)</para></listitem>
- <listitem><para>Offer a list of domain users to User Manager for Domains
- (or the Security Tab etc).</para></listitem>
-</itemizedlist>
-</sect2>
+ <para>
+ If you wish to have Samba act as a PDC for Windows NT 4.0/2000 client,
+ then you will need to obtain the 2.2.0 version. Release of a stable,
+ full featured Samba PDC is currently slated for version 3.0.
+ </para>
-<sect2><title>Can I have a Windows 2000 client logon to a Samba controlled domain?</>
+ <para>
+ The following is a list of included features currently in
+ Samba 2.2:
+ </para>
- <para>The 2.2 release branch of Samba supports Windows 2000 domain
- clients in legacy mode, ie as if the PDC is a NTServer, not a
- W2K server.</para>
+ <itemizedlist>
+ <listitem><para>The ability to act as a limited PDC for
+ Windows NT and W2000 clients. This includes adding NT and
+ W2K machines to the domain and authenticating users logging
+ into the domain.</para></listitem>
+
+ <listitem><para>Domain account can be viewed using the User
+ Manager for Domains</para></listitem>
+
+ <listitem><para>Viewing/adding/deleting resources on the Samba
+ PDC via the Server Manager for Domains from the NT client.
+ </para></listitem>
+
+ <listitem><para>Windows 95/98/ME clients will allow user
+ level security to be set and browsing of domain accounts.
+ </para></listitem>
+
+ <listitem><para>Machine account password updates.</para></listitem>
+
+ <listitem><para>Changing of user passwords from an NT client.
+ </para></listitem>
+
+ <listitem><para>Partial support for Windows NT username mapping.
+ Group name mapping is slated for a later release.</para></listitem>
+ </itemizedlist>
+
+
+ <para>
+ These things are note expected to work in the forseeable future:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Trust relationships</para></listitem>
+ <listitem><para>PDC and BDC integration</para></listitem>
+ </itemizedlist>
</sect2>
-<sect2><title>What's the status of print spool (spoolss) support in the NTDOM code? </>
+<sect2>
+<title>Can I have a Windows 2000 client logon to a Samba
+controlled domain?</title>
- <para>The implementation of support for SPOOLSS pipe is complete and it will be available
- in the 2.2.0 release. This means that Samba will support the automatic downloading of printer
- drivers for Windows NT clients just as it currently does for Windows 9x clients.</para>
+ <para>
+ The 2.2 release branch of Samba supports Windows 2000 domain
+ clients in legacy mode, ie as if the PDC is a NTServer, not a
+ W2K server.
+ </para>
</sect2>
+
</sect1>
-<sect1><title>CVS</title>
- <para>CVS is a programme (publically available) that the Samba developers use to
- maintain the central source code. Non developers can get access to the source in
- a read only capacity. Many flavours of unix now arrive with cvs installed.</>
-
-<sect2><title>What are the different Samba branches available in CVS ?</>
-
- <para>You can find out more about obtaining Samba's via
- anonymous CVS from
- <ulink url="http://pserver.samba.org/samba/cvs.html">
- http://pserver.samba.org/samba/cvs.html"</>. </para>
-
-<variablelist><title>There are basically four branches to watch at the moment :</>
- <varlistentry>
- <term>HEAD</>
- <listitem><para>Samba 3.0 ? This code boasts all the main development
- work in Samba. Two things that most people are not aware of
- which live in the HEAD branch code are winbind NSS module and
- Tim Potter's VFS implementation. Due to its developmental
+<sect1>
+<title>CVS</title>
+
+ <para>
+ CVS is a programme (publically available) that the Samba developers
+ use to maintain the central source code. Non developers can get
+ access to the source in a read only capacity. Many flavours of unix
+ now arrive with cvs installed.</>
+
+<sect2>
+<title>What are the different Samba branches available in CVS ?</title>
+
+ <para>You can find out more about obtaining Samba's via anonymous
+ CVS from <ulink url="http://pserver.samba.org/samba/cvs.html">
+ http://pserver.samba.org/samba/cvs.html</ulink>.
+ </para>
+
+ <para>
+ There are basically four branches to watch at the moment :
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>HEAD</term>
+ <listitem><para>Samba 3.0 ? This code boasts all the main
+ development work in Samba. Due to its developmental
nature, its not really suitable for production work.
- </para></listitem></varlistentry>
- <varlistentry>
- <term>SAMBA_2_0</term>
- <listitem><para>This branch contains the current stable release release.
- At the moment it contains 2.0.7, a version that will do some
- limited PDC stuff. If you are really going to do PDC things then
- I (drb) suggest that you consider 2.2 instead.
- </para></listitem></varlistentry>
- <varlistentry>
- <term>SAMBA_2_2</>
- <listitem><para>The next stable release, currently in a 'alpha' form.
- It provides the Samba developers, testers and interested
- people with an approximation of what is to come. This document
- addresses only SAMBA_2_2.
- </para></listitem></varlistentry>
- <varlistentry>
- <term>SAMBA_TNG</>
- <listitem><para>This branch is no longer maintained from the Samba sites.
- Please see <ulink url="http://www.samba-tng.org/">
+ </para></listitem></varlistentry>
+
+ <varlistentry>
+ <term>SAMBA_2_0</term>
+ <listitem><para>This branch contains the previous stable
+ release. At the moment it contains 2.0.8, a version that
+ will do some limited PDC stuff. If you are really going to
+ do PDC things, you consider 2.2 instead.
+ </para></listitem></varlistentry>
+
+ <varlistentry>
+ <term>SAMBA_2_2</term>
+ <listitem><para>The 2.2.x release branch which is a subset
+ of the features of the HEAD branch. This document addresses
+ only SAMBA_2_2.
+ </para></listitem></varlistentry>
+
+ <varlistentry>
+ <term>SAMBA_TNG</term>
+ <listitem><para>This branch is no longer maintained from the Samba
+ sites. Please see <ulink url="http://www.samba-tng.org/">
http://www.samba-tng.org/</ulink>. It has been requested
- that questions about TNG are not posted to the regular Samba mailing
- lists including samba-ntdom and samba-technical.
- </para></listitem></varlistentry>
-</variablelist>
+ that questions about TNG are not posted to the regular Samba
+ mailing lists including samba-ntdom and samba-technical.
+ </para></listitem></varlistentry>
+ </variablelist>
</sect2>
-<sect2><title>What are the CVS commands ?</>
-
- <para>See <ulink url="http://pserver.samba.org/samba/cvs.html">
- http://pserver.samba.org/samba/cvs.html</></para>
+<sect2>
+<title>What are the CVS commands ?</title>
-
- <itemizedlist><title>To get the Samba 2.2 version, tag SAMBA_2_2 you would do :</>
- <listitem><para> For example : <command>cd /usr/local/src/</></></>
- <listitem><para> <command>cvs -d :pserver:cvs@pserver.samba.org:/cvsroot
- login</></></>
- <listitem><para> When prompted enter a password of <command>cvs</></></>
- <listitem><para> <command>cvs -d :pserver:cvs@pserver.samba.org:/cvsroot
- co -r SAMBA_2_2 samba</></></>
- </itemizedlist>
-
- <itemizedlist><title>Then to update that directory at some later time,</>
- <listitem><para> <command>cd /usr/local/src/samba</></></>
- <listitem><para> <command>cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login</></></>
- <listitem><para> When prompted enter a password of 'cvs'.</></>
- <listitem><para> <command>cvs update -d -P</></></>
- </itemizedlist>
+ <para>
+ See <ulink url="http://pserver.samba.org/samba/cvs.html">
+ http://pserver.samba.org/samba/cvs.html</ulink> for instructions
+ on obtaining the SAMBA_2_2 or HEAD cvs code.
+ </para>
</sect2>
</sect1>
</chapter>
-<chapter><title>Establishing Connections</>
-<sect1><title></title>
-<sect2><title>How do I get my NT4 or W2000 Workstation to login to the Samba controlled Domain?</>
+<chapter>
+<title>Establishing Connections</title>
- <para>There is a comprehensive Samba PDC <ulink url="samba-pdc-howto.html">HowTo</>
- accessable from the samba web site
- under 'Documentation'. Its currently located at <ulink url="http://bioserve.latrobe.edu.au/samba">
- http://bioserve.latrobe.edu.au/samba</>. Read it.</para>
+<sect1>
+<title></title>
+
+<sect2>
+<title>How do I get my NT4 or W2000 Workstation to login to the Samba
+controlled Domain?</>
+
+ <para>
+ There is a comprehensive Samba PDC <ulink
+ url="samba-pdc-howto.html">HOWTO</ulink> accessable from the samba web
+ site under 'Documentation'. Read it.
+ </para>
</sect2>
-<sect2><title>What is a 'machine account' ?</title>
- <para>Every NT, W2K or Samba machine that joins a Samba controlled domain must be known to
- the Samba PDC. There are two entries required, one in (typically) <filename>/etc/passwd</>
- and the other in (typically) <filename>/usr/local/samba/private/smbpasswd</>. Under
- some circumstances these entries are made <link linkend=machineaccounts>manually</>, the
- <ulink url="samba-pdc-howto.html">HowTo</> discusses ways of creating them automatically.</para>
+<sect2>
+<title>What is a 'machine account' ?</title>
+
+ <para>
+ Every NT, W2K or Samba machine that joins a Samba controlled
+ domain must be known to the Samba PDC. There are two entries
+ required, one in (typically) <filename>/etc/passwd</filename>
+ and the other in (typically) <filename>/usr/local/samba/private/smbpasswd</filename>.
+ Under some circumstances these entries are made
+ <link linkend=machineaccounts>manually</link>, the <ulink
+ url="samba-pdc-howto.html">HOWTO</ulink>
+ discusses ways of creating them automatically.</para>
</sect2>
-<sect2><title>"The machine account for this computer either does not exist or is not accessable."</>
+<sect2>
+<title>"The machine account for this computer either does not
+exist or is not accessable."</>
- <para>When I try to join the domain I get the message "The machine account for this computer
- either does not exist or is not accessable". Whats wrong ?</para>
+ <para>
+ When I try to join the domain I get the message "The machine account
+ for this computer either does not exist or is not accessable". Whats
+ wrong ?
+ </para>
- <para>This problem is caused by the PDC not having a suitable machine account.
- If you are using the <command>add user script =</> method to create accounts
- then this would indicate that it has not worked. Ensure the domain admin user
- system is working.</para>
+ <para>
+ This problem is caused by the PDC not having a suitable machine account.
+ If you are using the <command>add user script =</> method to create
+ accounts then this would indicate that it has not worked. Ensure the domain
+ admin user system is working.
+ </para>
- <para>Alternatively if you are creating account entries manually then they have not been created
- correctly. Make sure that you have the entry correct for the machine account in smbpasswd
- file on the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility,
- make sure that the account name is the machine netbios name with a '$' appended to it
- ( ie. computer_name$ ). There must be an entry in both /etc/passwd and
- the smbpasswd file. Some people have reported that
- inconsistent subnet masks between the Samba server and the NT client have caused this problem.
- Make sure that these are consistent for both client and server.</para>
+ <para>
+ Alternatively if you are creating account entries manually then they
+ have not been created correctly. Make sure that you have the entry
+ correct for the machine account in smbpasswd file on the Samba PDC.
+ If you added the account using an editor rather than using the smbpasswd
+ utility, make sure that the account name is the machine netbios name
+ with a '$' appended to it ( ie. computer_name$ ). There must be an entry
+ in both /etc/passwd and the smbpasswd file. Some people have reported
+ that inconsistent subnet masks between the Samba server and the NT
+ client have caused this problem. Make sure that these are consistent
+ for both client and server.
+ </para>
</sect2>
-<sect2><title id=machineaccounts>How do I create machine accounts manually ?</title>
-
- <para>This was the only option until recently, now in version 2.2 better means are available.
- You might still need to do it manually for a couple of reasons. A machine account
- consists of two entries (assuming a standard install and /etc/passwd use),
- one in /etc/passwd and the other in /usr/local/samba/private/smbpasswd. The /etc/passwd
- entry will list the machine name with a $ appended, won't have a passwd, will have a null
- shell and no home directory. For example a machine called 'doppy' would have an /etc/passwd
- entry like this :</para>
-
- <para><command>doppy$:x:505:501:NTMachine:/dev/null:/bin/false</></para>
+<sect2>
+<title id=machineaccounts>How do I create machine accounts manually ?</title>
+
+ <para>
+ This was the only option until recently, now in version 2.2 better
+ means are available. You might still need to do it manually for a
+ couple of reasons. A machine account consists of two entries (assuming
+ a standard install and /etc/passwd use), one in /etc/passwd and the
+ other in /usr/local/samba/private/smbpasswd. The /etc/passwd
+ entry will list the machine name with a $ appended, won't have a
+ passwd, will have a null shell and no home directory. For example
+ a machine called 'doppy' would have an /etc/passwd entry like this :</para>
+
+ <para>
+ <command>doppy$:x:505:501:NTMachine:/dev/null:/bin/false</command>
+ </para>
- <para>On a linux system for example, you would typically add it like this :</para>
+ <para>
+ On a linux system for example, you would typically add it like
+ this :
+ </para>
- <para><command>adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n
- doppy$</command></para>
+ <para>
+ <command>adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n
+ doppy$</command>
+ </para>
- <para>Then you need to add that entry to smbpasswd, assuming you have a suitable
- path to the <command>smbpasswd</> programme, do this :</para>
+ <para>
+ Then you need to add that entry to smbpasswd, assuming you have a suitable
+ path to the <command>smbpasswd</> programme, do this :
+ </para>
- <para><command>smbpasswd -a -m doppy$</command></para>
+ <para>
+ <command>smbpasswd -a -m doppy$</command>
+ </para>
- <para>The entry will be created with a well known password, so any machine that
- says its doppy could join the domain as long as it gets in first. So don't create
- the accounts any earlier than you need them.</para>
+ <para>
+ The entry will be created with a well known password, so any machine that
+ says its doppy could join the domain as long as it gets in first. So
+ don't create the accounts any earlier than you need them.
+ </para>
</sect2>
-<sect2><title>I cannot include a '$' in a machine name.</title>
+<sect2>
+<title>I cannot include a '$' in a machine name.</title>
- <para>A 'machine name' in (typically) <filename>/etc/passwd</> consists
- of the machine name with a '$' appended. FreeBSD (and other BSD systems ?)
- won't create a user with a '$' in their name.</para>
+ <para>
+ A 'machine name' in (typically) <filename>/etc/passwd</> consists
+ of the machine name with a '$' appended. FreeBSD (and other BSD
+ systems ?) won't create a user with a '$' in their name.
+ </para>
- <para>The problem is only in the program used to make the entry, once made, it works
- perfectly. So create a user without the '$' and use <command>vipw</> to edit
- the entry, adding the '$'. Or create the whole entry with vipw if you like,
- make sure you use a unique uid !</para>
+ <para>
+ The problem is only in the program used to make the entry, once
+ made, it works perfectly. So create a user without the '$' and
+ use <command>vipw</> to edit the entry, adding the '$'. Or create
+ the whole entry with vipw if you like, make sure you use a
+ unique uid !</para>
</sect2>
-<sect2><title id=alreadyhaveconnection>I get told "You already have a connection to the Domain...." when creating a
- machine account.</>
+<sect2>
+<title id=alreadyhaveconnection>I get told "You already have a connection to the Domain...."
+when creating a machine account.</title>
- <para>This happens if you try to create a machine account from the machine itself
- and use a user name that does not work (for whatever reason) and then try
- another (possibly valid) user name.
- Exit out of the network applet to close the initial connection and try again.</para>
-
- <para>Further, if the machine is a already a 'member of a workgroup' that is the
- same name as the domain you are joining (bad idea) you will get this message.
- Change the workgroup name to something else, it does not matter what, reboot,
- and try again.</para>
+ <para>
+ This happens if you try to create a machine account from the
+ machine itself and use a user name that does not work (for whatever
+ reason) and then try another (possibly valid) user name.
+ Exit out of the network applet to close the initial connection
+ and try again.
+ </para>
+
+ <para>
+ Further, if the machine is a already a 'member of a workgroup' that
+ is the same name as the domain you are joining (bad idea) you will
+ get this message. Change the workgroup name to something else, it
+ does not matter what, reboot, and try again.</para>
</sect2>
-<sect2><title>I get told "Cannot join domain, the credentials supplied conflict
- with an existing set.."</>
- <para>This is the same basic problem as mentioned above, <link linkend=alreadyhaveconnection>
- "You already have a connection..."</link></para>
+<sect2>
+<title>I get told "Cannot join domain, the credentials supplied
+conflict with an existing set.."</title>
+
+ <para>
+ This is the same basic problem as mentioned above, <link
+ linkend=alreadyhaveconnection> "You already have a connection..."</link>
+ </para>
</sect2>
-<sect2><title>"The system can not log you on (C000019B)...."</>
- <para>I joined the domain successfully but after upgrading to a newer version of the
- Samba code I get the message, "The system can not log you on (C000019B), Please try a
- gain or consult your system administrator" when attempting to logon.</para>
+<sect2>
+<title>"The system can not log you on (C000019B)...."</title>
+
+ <para>I joined the domain successfully but after upgrading
+ to a newer version of the Samba code I get the message, "The system
+ can not log you on (C000019B), Please try a gain or consult your
+ system administrator" when attempting to logon.
+ </para>
- <para>This occurs when the domain SID stored in private/WORKGROUP.SID is changed.
- For example, you remove the file and smbd automatically creates a new one.
- Or you are swapping back and forth between versions 2.0.7, TNG and the HEAD branch
- code (not recommended). The only way to correct the problem is to restore the
- original domain SID or remove the domain client from the domain and rejoin.</para>
+ <para>
+ This occurs when the domain SID stored in private/WORKGROUP.SID is
+ changed. For example, you remove the file and smbd automatically
+ creates a new one. Or you are swapping back and forth between
+ versions 2.0.7, TNG and the HEAD branch code (not recommended). The
+ only way to correct the problem is to restore the original domain
+ SID or remove the domain client from the domain and rejoin.
+ </para>
</sect2>
+
</sect1>
</chapter>
<!-- ============ U S E R A C C O U N T M A N A G M E N T ============= -->
-<chapter><title>User Account Management</title>
-<sect1><title>Domain Admins</title>
-<sect2><title>How do I configure an account as a domain administrator?</title>
+<chapter>
+<title>User Account Management</title>
- <para>See the NTDom <ulink url="samba-pdc-howto.html">HowTo</>.</para>
-</sect2>
-</sect1>
+<sect1>
+<title>Domain Admins</title>
-<sect1><title>Profiles</title>
-<sect2><Title>Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf? ?</>
-
- <para>Sometimes Windows clients will maintain a connection to the \\homes\ ( or [%U] ) share
- even after the user has logged out. Consider the following scenario.</para>
-<itemizedlist>
- <listitem><para> user1 logs into the Windows NT machine. Therefore the
- [homes] share is set to \\server\user1.</para></listitem>
- <listitem><para> user1 works for a while and then logs out. </para></listitem>
- <listitem><para> user2 logs into the same Windows NT machine.</para></listitem>
-</itemizedlist>
+<sect2>
+<title>How do I configure an account as a domain administrator?</title>
- <para>However, since the NT box has maintained a connection to [homes] which was
- previously set to \\server\user1, when the operating system attempts to
- get the profile and if it can read users1's profile, will get it otherwise it
- will return an error. You get the picture.</para>
+ <para>
+ See the NTDom <ulink url="samba-pdc-howto.html">HowTo</ulink>.
+ </para>
+</sect2>
+</sect1>
- <para>A better solution is to use a separate [profiles] share and set the
- "logon path = \\%N\profiles\%U" </para>
+<sect1>
+<title>Profiles</title>
+
+<sect2>
+<title>Why is it bad to set "logon path = \\%N\%U\profile" in
+smb.conf?</title>
+
+ <para>
+ Sometimes Windows clients will maintain a connection to
+ the \\homes\ ( or [%U] ) share even after the user has logged out.
+ Consider the following scenario.
+ </para>
+
+ <itemizedlist>
+ <listitem><para> user1 logs into the Windows NT machine.
+ Therefore the [homes] share is set to \\server\user1.
+ </para></listitem>
+
+ <listitem><para> user1 works for a while and then logs
+ out. </para></listitem>
+
+ <listitem><para> user2 logs into the same Windows NT
+ machine.</para></listitem>
+ </itemizedlist>
+ <para>
+ However, since the NT box has maintained a connection to [homes]
+ which was previously set to \\server\user1, when the operating system
+ attempts to get the profile and if it can read users1's profile, will
+ get it otherwise it will return an error. You get the picture.
+ </para>
- <note><para>Is this still a problem ????</para></note>
+ <para>
+ A better solution is to use a separate [profiles] share and
+ set the "logon path = \\%N\profiles\%U"
+ </para>
</sect2>
-<sect2><title>Why are all the users listed in the "domain admin users" using the same profile?</>
+<sect2>
+<title>Why are all the users listed in the "domain admin users" using the
+same profile?</title>
- <para>You are using a very very old development version of Samba. Upgrade.</para>
+ <para>
+ You are using a very very old development version of Samba.
+ Upgrade.
+ </para>
</sect2>
+<sect2>
+<title>The roaming profiles do not seem to be updating on the
+server.</title>
+ <para>
+ There can be several reasons for this.
+ </para>
-<sect2><title>The roaming profiles do not seem to be updating on the server.</title>
-
- <para>There can be several reasons for this.</para>
-
- <para>Make sure that the time on the client and the PDC are synchronized. You can accomplish
- this by executing a <command>net time \\server /set /yes</> replacing server with the
- name of your PDC (or another synchronized SMB server). See <link linkend="SettingTime">
- about Setting Time</link></para>
-
- <para>Make sure that the
- logon path is writeable by the user and make sure that the connection to the logon
- path location is by the current user. Sometimes Windows client do not drop the
- connection immediately upon logoff.</para>
+ <para>
+ Make sure that the time on the client and the PDC are synchronized. You
+ can accomplish this by executing a <command>net time \\server /set /yes</command>
+ replacing server with the name of your PDC (or another synchronized SMB server).
+ See <link linkend="SettingTime"> about Setting Time</link>
+ </para>
- <para>Some people have reported that the logon path location should also be browseable.
- I (GC) have yet to emperically verify this, but you can try.</para>
+ <para>
+ Make sure that the "logon path" is writeable by the user and make sure
+ that the connection to the logon path location is by the current user.
+ Sometimes Windows client do not drop the connection immediately upon
+ logoff.
+ </para>
+
+ <para>
+ Some people have reported that the logon path location should
+ also be browseable. I (GC) have yet to emperically verify this,
+ but you can try.</para>
</sect2>
</sect1>
<sect1><title>Policies</title>
-<sect2><title>What are 'Policies' ?.</title>
- <para>When a user logs onto the domain via a client machine, the PDC sends
- the client machine a list of things contained in the 'policy' (if it exists).
- This list may do things like suppress a splach screen, format the dates the way you
- like them or perhaps remove locally stored profiles.</para>
+<sect2>
+<title>What are 'Policies' ?.</title>
+
+ <para>
+ When a user logs onto the domain via a client machine, the PDC
+ sends the client machine a list of things contained in the
+ 'policy' (if it exists). This list may do things like suppress
+ a splach screen, format the dates the way you like them or perhaps
+ remove locally stored profiles.
+ </para>
- <para>On a samba PDC this list is obtained from a file called <command>ntconfig.pol</>
- and located in the <command>[netlogon]</>share. The file is created with a policy editor
- and must be readable by anyone and writeable by only root. See <link linkend=policyeditor>
- below</> for how to get a suitable editor.</para>
+ <para>
+ On a samba PDC this list is obtained from a file called
+ <filename>ntconfig.pol</filename> and located in the [netlogon]
+ share. The file is created with a policy editor and must be readable
+ by anyone and writeable by only root. See <link linkend=policyeditor>
+ below</link> for how to get a suitable editor.
+ </para>
</sect2>
-<sect2><title>I can't get system policies to work.</title>
+<sect2>
+<title>I can't get system policies to work.</title>
- <para>There are two possible reasons for system policies not functioning correctly.
- Make sure that you have the following parameters set in smb.conf </para>
+ <para>
+ There are two possible reasons for system policies not
+ functioning correctly. Make sure that you have the following
+ parameters set in smb.conf
+ </para>
- <programlisting>
+ <para><programlisting>
[netlogon]
....
locking = no
public = no
browseable = yes
....
- </programlisting>
+ </programlisting></para>
- <para>A policy file must be in the <command>[netlogon]</> share and must be
- readable by everyone and writeable by only root. The file must be created
- by an NTServer <link linkend=policyeditor>Policy Editor</>.</para>
+ <para>
+ A policy file must be in the [netlogon] share and must be
+ readable by everyone and writeable by only root. The file
+ must be created by an NTServer <link linkend=policyeditor>Policy
+ Editor</link>.
+ </para>
- <para>Last time I (drb) looked in the source, it was
- looking for <filename>ntconfig.pol</> first then several other combinations of upper
- and lower case. People have reported success using <filename>NTconfig.pol</>,
- <filename>NTconfig.POL</> and <filename>ntconfig.pol</>. These are the case
- settings that I (GC) use with the
- filename <filename>ntconfig.pol</></para>
+ <para>
+ Last time I (drb) looked in the source, it was looking for
+ <filename>ntconfig.pol</filename> first then several other
+ combinations of upper and lower case. People have reported
+ success using <filename>NTconfig.pol</filename>, <filename>NTconfig.POL</filename>
+ and <filename>ntconfig.pol</filename>. These are the case settings that
+ I (GC) use with the filename <filename>ntconfig.pol</filename>:
+ </para>
- <programlisting>
case sensitive = no
case preserve = yes
+ short preserve case = no
default case = yes
- </programlisting>
-
+ </programlisting></para>
+
</sect2>
-<sect2><title id=policyeditor>What about Windows NT Policy Editor ?</title>
+<sect2>
+<title id=policyeditor>What about Windows NT Policy Editor ?</title>
- <para>To create or edit <command>ntconfig.pol</> you must use the NT Server
- Policy Editor, <command>poledit.exe</> which is included with NT Server
- but <emphasis>not NT Workstation</>. There is a Policy Editor on a NTws
+ <para>
+ To create or edit <filename>ntconfig.pol</filename> you must use
+ the NT Server Policy Editor, <command>poledit.exe</command> which
+ is included with NT Server but <emphasis>not NT Workstation</emphasis>.
+ There is a Policy Editor on a NTws
but it is not suitable for creating <emphasis>Domain Policies</emphasis>.
Further, although the Windows 95
Policy Editor can be installed on an NT Workstation/Server, it will not
You need <filename>poledit.exe, common.adm</> and <filename>winnt.adm</>. It is convenient
to put the two *.adm files in <filename>c:\winnt\inf</> which is where
the binary will look for them unless told otherwise. Note also that that
- directory is 'hidden'.</para>
+ directory is 'hidden'.
+ </para>
<para>The Windows NT policy editor is also included with the
Service Pack 3 (and later) for Windows NT 4.0. Extract the files using
- <command>servicepackname /x</>, ie thats <command>Nt4sp6ai.exe /x</>
- for service pack 6a.
- The policy editor, <command>poledt.exe</> and the associated template files (*.adm) should
+ <command>servicepackname /x</command>, ie thats <command>Nt4sp6ai.exe
+ /x</command> for service pack 6a. The policy editor, <command>poledt.exe</command> and the
+ associated template files (*.adm) should
be extracted as well. It is also possible to downloaded the policy template
files for Office97 and get a copy of the policy editor. Another possible
location is with the Zero Administration Kit available for download from Microsoft.
</sect2>
-<sect2><title>Can Win95 do Policies ?</title>
+<sect2>
+<title>Can Win95 do Policies ?</title>
- <para>Install the group policy handler for Win9x to pick up group policies.
- Look on the Win98 CD in <filename>
- \tools\reskit\netadmin\poledit</>. Install group policies on a Win9x client by double-clicking
- <filename>grouppol.inf</>. Log off and on again a couple of times and see if
- Win98 picks up group policies.
- Unfortunately this needs to be done on every Win9x machine that uses group policies....</para>
+ <para>
+ Install the group policy handler for Win9x to pick up group
+ policies. Look on the Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>.
+ Install group policies on a Win9x client by double-clicking
+ <filename>grouppol.inf</filename>. Log off and on again a couple of
+ times and see if Win98 picks up group policies. Unfortunately this needs
+ to be done on every Win9x machine that uses group policies....
+ </para>
- <para>If group policies don't work one reports suggests getting the updated (read: working)
- grouppol.dll for Windows 9x. The group list is grabbed from /etc/group.</para>
+ <para>
+ If group policies don't work one reports suggests getting the updated
+ (read: working) grouppol.dll for Windows 9x. The group list is grabbed
+ from /etc/group.
+ </para>
</sect2>
</sect1>
-<sect1><title>Passwords</title>
+<sect1>
+<title>Passwords</title>
-<sect2><title>What is password sync and should I use it ?</title>
+<sect2>
+<title>What is password sync and should I use it ?</title>
+
+ <para>
+ NTws users can change their domain password by pressing Ctrl-Alt-Del
+ and choosing 'Change Password'. By default however, this does not change the unix password
+ (typically in <filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>).
+ In lots of situations thats OK, for example :
+ </para>
- <para>NTws users can change their domain password by pressing Ctrl-Alt-Del and
- choosing 'Change Password'. By default however, this does not change the unix password
- (typically in <filename>/etc/passwd or /etc/shadow</>). In lots of situations
- thats OK, for example :</para>
- <itemizedlist>
- <listitem><para>The server is only accessible to the user via samba.</para></listitem>
- <listitem><para>Pam_smb or similar is installed so other applications
- still refer to the samba password.</></>
+ <itemizedlist>
+ <listitem><para>The server is only accessible to the user via
+ samba.</para></listitem>
+
+ <listitem><para>Pam_smb or similar is installed so other applications
+ still refer to the samba password.</para></listitem>
</itemizedlist>
- <para>But sometimes you really do need to maintain two seperate password databases and
- there are good reasons to keep then in sync. Trying to explain to users
- that they need to change their passwords in two seperate places or use
- two seperate passwords is not fun.</para>
-
- <para>However do understand that setting up password sync is not without problems either.
- The chief difficulty is the interface between Samba and the <command>passwd</> command,
- it can be a fiddle to set up and if the password the user has entered fails,
- the resulting errors are ambiguously reported
- and the user is confused. Further, you need to take steps to ensure that users
- only ever change their passwords via samba (or use <command>smbpasswd</>),
- otherwise they will only be changing the unix password.</para>
+
+ <para>
+ But sometimes you really do need to maintain two seperate password
+ databases and there are good reasons to keep then in sync. Trying
+ to explain to users that they need to change their passwords in two
+ seperate places or use two seperate passwords is not fun.
+ </para>
+
+ <para>
+ However do understand that setting up password sync is not without
+ problems either. The chief difficulty is the interface between Samba
+ and the <command>passwd</command> command, it can be a fiddle to set
+ up and if the password the user has entered fails, the resulting errors
+ are ambiguously reported and the user is confused. Further, you need
+ to take steps to ensure that users only ever change their passwords
+ via samba (or use <command>smbpasswd</command>), otherwise they will
+ only be changing the unix password.</para>
</sect2>
-<sect2><title>How do I get remote password (unix and SMB) changing working ?</>
+<sect2>
+<title>How do I get remote password (unix and SMB) changing working ?</title>
- <para>Have a practice changing a user's password (as root) to see what
- discussion takes place and change the text in the 'passwd chat' line below as necessary. The
- line as shown works for recent RH Linux but most other systems seem to like to do something
- different. The '*' is a wild card and will match anything (or nothing).
+ <para>
+ Have a practice changing a user's password (as root) to see
+ what discussion takes place and change the text in the 'passwd chat'
+ line below as necessary. The line as shown works for recent RH Linux
+ but most other systems seem to like to do something different. The '*' is
+ a wild card and will match anything (or nothing).
</para>
- <para>Add these lines to smb.conf under [Global]</para>
+ <para>
+ Add these lines to smb.conf under [Global]
+ </para>
- <programlisting>
+ <para><programlisting>
unix password sync = true
passwd program = /usr/bin/passwd %u
passwd chat = *password* %n\n *password* %n\n *successful*
- </programlisting>
+ </programlisting></para>
- <para>As mentioned above, the change to the unix password
- happens as root, not as the user, as is indicated in ~/smbd/chgpasswd.c If
- you are using NIS, the Samba server must be running on the NIS master machine.</para>
+ <para>
+ As mentioned above, the change to the unix password happens as root,
+ not as the user, as is indicated in ~/smbd/chgpasswd.c If
+ you are using NIS, the Samba server must be running on the NIS
+ master machine.
+ </para>
</sect2>
</sect1>
<!-- =================== M I S C E L L A N E O U S ================= -->
-<chapter><title>Miscellaneous</title>
-<sect1><title></title>
-<sect2><title>What editor can I use in DOS/Windows that won't mess with my unix EOF</title>
- <para>There are a number of Windows or DOS based editors that will understand, and
- leave intact, the unix eof (as opposed to a DOS CL/LF). List members suggested :</para>
-
- <itemizedlist>
- <listitem><para>UltraEdit at <ulink url="http://www.ultraedit.com">www.ultraedit.com</></></>
- <listitem><para>VI for windows at <ulink url="http://home.snafu.de/ramo/WinViEn.htm">
- home.snafu.de/ramo/WinViEn.htm</></></>
- <listitem><para>The author prefers PFE at <ulink url="http://www.lancs.ac.uk/people/cpaap/pfe/">
- www.lancs.ac.uk/people/cpaap/pfe/</> but its no longer being developed...</></>
+<chapter>
+<title>Miscellaneous</title>
+
+<sect1>
+<title></title>
+
+<sect2>
+<title>What editor can I use in DOS/Windows that won't
+mess with my unix EOF</title>
+
+ <para>There are a number of Windows or DOS based editors that will
+ understand, and leave intact, the unix eof (as opposed to a DOS CL/LF).
+ List members suggested :
+ </para>
+
+ <itemizedlist>
+ <listitem><para>UltraEdit at <ulink url="http://www.ultraedit.com">www.ultraedit.com</ulink></para></listitem>
+
+ <listitem><para>VI for windows at <ulink url="http://home.snafu.de/ramo/WinViEn.htm">
+ home.snafu.de/ramo/WinViEn.htm</ulink></para></listitem>
+
+ <listitem><para>The author prefers PFE at <ulink url="http://www.lancs.ac.uk/people/cpaap/pfe/">
+ www.lancs.ac.uk/people/cpaap/pfe/</ulink> but its no longer being developed...</para></listitem>
</itemizedlist>
</sect2>
-<sect2><title>How do I get 'User Manager' and 'Server Manager'</title>
+<sect2>
+<title>How do I get 'User Manager' and 'Server Manager'</title>
- <para>Since I don't need to buy an NT Server CD now, how do I get the 'User Manager for
- Domains', the 'Server Manager' ?</para>
+ <para>
+ Since I don't need to buy an NT Server CD now, how do I get
+ the 'User Manager for Domains', the 'Server Manager' ?
+ </para>
-<itemizedlist><title>Microsoft distributes a version of these tools called nexus
- for installation on Windows 95 systems. The tools set includes</title>
- <listitem><para>Server Manager</para></listitem>
- <listitem><para>User Manager for Domains</para></listitem>
- <listitem><para>Event Viewer</para></listitem>
-</itemizedlist>
+ <para>
+ Microsoft distributes a version of
+ these tools called nexus for installation on Windows 95 systems. The
+ tools set includes
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Server Manager</para></listitem>
+
+ <listitem><para>User Manager for Domains</para></listitem>
- <para>Click here to download the archived file
- <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">
- ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink></para>
+ <listitem><para>Event Viewer</para></listitem>
+ </itemizedlist>
- <para>The Windows NT 4.0 version of the 'User Manager for Domains'
- and 'Server Manager' are available from Microsoft via ftp from
- <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">
- ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink></para>
+ <para>
+ Click here to download the archived file <ulink
+ url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink>
+ </para>
+
+ <para>
+ The Windows NT 4.0 version of the 'User Manager for
+ Domains' and 'Server Manager' are available from Microsoft via ftp
+ from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink>
+ </para>
</sect2>
<sect2><title>How do I get my samba server to become a member ( not PDC ) of an NT domain?</title>
- <para>In a domain that has a number of servers you only need one password database.
- The machines that don't have their own ask the PDC to check for them.
- This will work fine for a domain controlled by either a Samba or NT machine.
- The following lines in smb.conf are typical, 'password server' points to the
- samba machine (or an NT) that has the password list : </para>
-
- <programlisting>
-
- [global]
- ...
- security = domain
- workgroup = { Put your domain name here }
- password server = { Put the ip of the PDC here }
- encrypt passwords = yes
- ...
- </programlisting>
-
- <para>The samba server in question will have to 'join the domain', that requires
- the domain controller to have a machine account for it. This is no different
- to the machine account requirements to allow a NTws to join the domain. For
- example, if we want a unix box called <emphasis>sleepy</> to ask the PDC called <emphasis>grumpy</>
- to do its authentication then <emphasis>grumpy</> will need an entry in its smbpasswd
- (assuming it's also samba) that starts with <emphasis>sleepy$</>. It would have to be
- created <link linkend=machineaccounts>manually</>. </para>
-
- <para>If the domain is controlled by an NTServer then the "Server Manager for Domains"
- tool must be used to add 'sleepy' to the domain list.</para>
-
- <para>In either case we then join the domain. If the domain is called <emphasis>forest</>
- then on sleepy we would join the domain by typing :</para>
-
- <para><command>smbpasswd -j forest</command></para>
-
- <para>Note that the directory where the smbpasswd file would be
- located should exist as this is where smbd will generate the MACHINE.SID file. This
- might be <filename>/usr/local/samba/private/FOREST.SLEEPY.SID</> and
- it contains the trust account password for the domain member. The permissions are
- (and should remain) "rw-------</para>
-
-
- <para>Note the Samba Servers without the password list will most likely still need an account
- for each user, this means a line in its <filename>/etc/passwd</filename>. Because authentication
- is being handled at the domain level the
- <filename>/etc/passwd</filename> line does not need a password.
- If the shares being offered are not user specific, ie a common (read only ?)
- area or perhaps just printing then the user's
- <filename>/etc/passwd</filename> does not need a home directory. A typical
- line in <filename>/etc/passwd</filename> for a server that allows domain users to
- connect to the samba shares but does not offer a home share ('cos that's on the PDC)
- and does not allow logon to the unix prompt would be like this :</para>
-
- <programlisting>jblow:x:542:100:Joe Blow:/dev/null:/bin/false</programlisting>
-
- <note><title>Notes :</>
- <itemizedlist>
- <listitem><para>When removing those 'dummy' users, watch the 'remove user' scripts,
- some OS think they should remove a users directory even when its not owned by the user !
- </para></listitem>
-
- <listitem><para>The <filename>username map = </> parameter might help you to avoid having
- all those accounts created.</para></listitem>
-
- <listitem>
- <para>You should investigate the smb.conf parameter
- <filename>'add user script'</filename>, it will be used to create accounts on
- secondary servers when that account already exists on the PDC. Very nice.
- Something like :</para>
-
- <programlisting>
- [Global]
- ....
- add user script = /usr/sbin/adduser -n -g users -c User -d /dev/null -s /bin/false %U
- ....
- </programlisting>
- </listitem>
- </itemizedlist>
- </note>
+ <para>
+ Please refer to the <ulink url="DOMAIN_MEMBER.html">Domain Member
+ HOWTO</ulink> for more information on this.
+ </para>
</sect2>
</sect1>
<sect2><title>What are some diagnostics tools I can use to debug the domain logon process and where can I
find them? </title>
- <para>One of the best diagnostic tools for debugging problems is Samba itself. You can use the -d
- option for both smbd and nmbd to specifiy what 'debug level' at which to run. See the man
- pages on smbd, nmbd and smb.conf for more information on debugging options. The debug
- level can range from 1 (the default) to around 100 but a debug level of about 20 will
- normally help you find any errors that samba is encountering. Another helpful method
- of debugging is to compile samba using the gcc -g flag. This will include debug
- information in the binaries and allow you to attch gdb to the running smbd / nmbd
- process. In order to attach gdb to an smbd process for an NT workstation, first
- get the workstation to make the connection. Pressing ctrl-alt-delete and going down
- to the domain box is sufficient (at least, on the first time you join the domain) to
- generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation maintains an open
- connection, and therefore there will be an smbd process running (assuming that you
- haven't set a really short smbd idle timeout) So, in between pressing ctrl alt
- delete, and actually typing in your password, you can gdb attach and continue.</para>
-
- <itemizedlist><title>Some usefull samba commands worth investigating:</>
- <listitem><para>testparam | more</></>
- <listitem><para>smbclient -L //{netbios name of server}</></>
- </itemizedlist>
+ <para>
+ One of the best diagnostic tools for debugging problems is Samba itself.
+ You can use the -d option for both smbd and nmbd to specifiy what
+ 'debug level' at which to run. See the man pages on smbd, nmbd and
+ smb.conf for more information on debugging options. The debug
+ level can range from 1 (the default) to 10 (100 for debugging passwords).
+ </para>
+
+ <para>
+ Another helpful method of debugging is to compile samba using the
+ <command>gcc -g </command> flag. This will include debug
+ information in the binaries and allow you to attch gdb to the
+ running smbd / nmbd process. In order to attach gdb to an smbd
+ process for an NT workstation, first get the workstation to make the
+ connection. Pressing ctrl-alt-delete and going down to the domain box
+ is sufficient (at least, on the first time you join the domain) to
+ generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
+ maintains an open connection, and therefore there will be an smbd
+ process running (assuming that you haven't set a really short smbd
+ idle timeout) So, in between pressing ctrl alt delete, and actually
+ typing in your password, you can gdb attach and continue.
+ </para>
+
+ <para>
+ Some usefull samba commands worth investigating:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>testparam | more</para></listitem>
+ <listitem><para>smbclient -L //{netbios name of server}</para></listitem>
+ </itemizedlist>
- <para>An SMB enabled version of tcpdump is available from
- <ulink url="ftp://samba.org/pub/samba/tcpdump-smb/">ftp://samba.org/pub/samba/tcpdump-smb/
- </ulink></para>
-
- <para>Capconvert is a small C program for translating output from tcpdump-smb to CAP format
- that can be read by netmon. You will need to use the raw output from tcp dump
- ( ie. <command>tcpdump -w output.dump</> ). Good news! Now you can convert
- Solaris' snoop output as well. The C source code for snoop2cap is available for download.
- </para>
-
- <para>For tracing things on the Microsoft Windows NT, Network Monitor (aka. netmon) is available
- on the Microsoft Developer Network CD's, the Windows NT Server install CD and the SMS CD's.
- The version of netmon that ships with SMS allows for dumping packets between any two
- computers (ie. placing the network interface in promiscuous mode). The version
- on the NT Server install CD will only allow monitoring of network traffic directed to the
- local NT box and broadcasts on the local subnet.</para>
+ <para>
+ An SMB enabled version of tcpdump is available from
+ <ulink url="http://www.tcpdump.org/">http://www.tcpdup.org/</ulink>.
+ Ethereal, another good packet sniffer for UNIX and Win32
+ hosts, can be downloaded from <ulink
+ url="http://www.ethereal.com/">http://www.ethereal.com</ulink>.
+ </para>
+
+ <para>
+ For tracing things on the Microsoft Windows NT, Network Monitor
+ (aka. netmon) is available on the Microsoft Developer Network CD's,
+ the Windows NT Server install CD and the SMS CD's. The version of
+ netmon that ships with SMS allows for dumping packets between any two
+ computers (ie. placing the network interface in promiscuous mode).
+ The version on the NT Server install CD will only allow monitoring
+ of network traffic directed to the local NT box and broadcasts on the
+ local subnet. Be aware that Ethereal can read and write netmon
+ formatted files.
+ </para>
</sect2>
-<sect2><title>How do I install 'Network Monitor' on an NT Workstation or a Windows 9x box?</title>
-
- <para>Installing netmon on an NT workstation requires a couple of steps. The following
- are for installing Netmon V4.00.349, which comes with Microsoft Windows NT Server
- 4.0, on Microsoft Windows NT Workstation 4.0. The process should be similar
- for other version of Windows NT / Netmon. You will need both the Microsoft Windows
- NT Server 4.0 Install CD and the Workstation 4.0 Install CD.</para>
+<sect2>
+<title>How do I install 'Network Monitor' on an NT Workstation
+or a Windows 9x box?</title>
+
+ <para>
+ Installing netmon on an NT workstation requires a couple
+ of steps. The following are for installing Netmon V4.00.349, which comes
+ with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
+ Workstation 4.0. The process should be similar for other version of
+ Windows NT / Netmon. You will need both the Microsoft Windows
+ NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
+ </para>
+
+ <para>
+ Initially you will need to install 'Network Monitor Tools and Agent'
+ on the NT Server. To do this
+ </para>
+ <itemizedlist>
+ <listitem><para>Goto Start - Settings - Control Panel -
+ Network - Services - Add </para></listitem>
+
+ <listitem><para>Select the 'Network Monitor Tools and Agent' and
+ click on 'OK'.</para></listitem>
+
+ <listitem><para>Click 'OK' on the Network Control Panel.
+ </para></listitem>
+
+ <listitem><para>Insert the Windows NT Server 4.0 install CD
+ when prompted.</para></listitem>
+ </itemizedlist>
- <para>Initially you will need to install 'Network Monitor Tools and Agent' on the
- NT Server. To do this </para>
+ <para>
+ At this point the Netmon files should exist in
+ <filename>%SYSTEMROOT%\System32\netmon\*.*</filename>.
+ Two subdirectories exist as well, <filename>parsers\</filename>
+ which contains the necessary DLL's for parsing the netmon packet
+ dump, and <filename>captures\</filename>.
+ </para>
-<itemizedlist>
- <listitem><para>Goto Start - Settings - Control Panel - Network - Services - Add </para></listitem>
- <listitem><para>Select the 'Network Monitor Tools and Agent' and click on 'OK'.</para></listitem>
- <listitem><para>Click 'OK' on the Network Control Panel.</para></listitem>
- <listitem><para>Insert the Windows NT Server 4.0 install CD when prompted.</para></listitem>
-</itemizedlist>
+ <para>
+ In order to install the Netmon tools on an NT Workstation, you will
+ first need to install the 'Network Monitor Agent' from the Workstation
+ install CD.
+ </para>
- <para>At this point the Netmon files should exist in <filename>%SYSTEMROOT%\System32\netmon\*.*</>.
- Two subdirectories exist as well, <filename>parsers\</> which contains the necessary DLL's
- for parsing the netmon packet dump, and <filename>captures\</>.</para>
-
- <para>In order to install the Netmon tools on an NT Workstation, you will first need to
- install the 'Network Monitor Agent' from the Workstation install CD.</para>
-<itemizedlist>
- <listitem><para>Goto Start - Settings - Control Panel - Network - Services - Add</para></listitem>
- <listitem><para>Select the 'Network Monitor Agent' and click on 'OK'.</para></listitem>
- <listitem><para>Click 'OK' on the Network Control Panel.</para></listitem>
- <listitem><para>Insert the Windows NT Workstation 4.0 install CD when prompted.</para></listitem>
-</itemizedlist>
+ <itemizedlist>
+ <listitem><para>Goto Start - Settings - Control Panel -
+ Network - Services - Add</para></listitem>
+ <listitem><para>Select the 'Network Monitor Agent' and click
+ on 'OK'.</para></listitem>
+
+ <listitem><para>Click 'OK' on the Network Control Panel.
+ </para></listitem>
+
+ <listitem><para>Insert the Windows NT Workstation 4.0 install
+ CD when prompted.</para></listitem>
+ </itemizedlist>
- <para>Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* to
- %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set permissions as
- you deem appropriate for your site. You will need administrative rights on the
- NT box to run netmon.</para>
- <para>To install Netmon on a Windows 9x box install the network monitor agent from
- the Windows 9x CD (\admin\nettools\netmon).
- There is a readme file located with the netmon driver files on the CD if you need
- information on how to do this. Copy the files from a working Netmon installation.</para>
+ <para>
+ Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
+ to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
+ permissions as you deem appropriate for your site. You will need
+ administrative rights on the NT box to run netmon.
+ </para>
+ <para>
+ To install Netmon on a Windows 9x box install the network monitor agent
+ from the Windows 9x CD (\admin\nettools\netmon). There is a readme
+ file located with the netmon driver files on the CD if you need
+ information on how to do this. Copy the files from a working
+ Netmon installation.
+ </para>
</sect2>
</sect1>
-<sect1><title>What other help can I get ? </title>
+<sect1>
+<title>What other help can I get ? </title>
- <para>There are many sources of information available in the form of mailing lists, RFC's
- and documentation. The docs that come with the samba distribution contain very
- good explanations of general SMB topics such as browsing.</para>
+ <para>
+ There are many sources of information available in the form
+ of mailing lists, RFC's and documentation. The docs that come
+ with the samba distribution contain very good explanations of
+ general SMB topics such as browsing.</para>
-<sect2><title id=urls>URLs and similar</title>
+<sect2>
+<title id=urls>URLs and similar</title>
-<itemizedlist>
+ <itemizedlist>
<listitem><para>Home of Samba site <ulink url="http://samba.org">
http://samba.org</ulink>. We have a mirror near you !</para></listitem>
<ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/">
ftp://ftp.microsoft.com/developr/drg/CIFS/</ulink></para></listitem>
-</itemizedlist>
-
+ </itemizedlist>
-<itemizedlist><title>There are a number of documents that no longer appear to live at their
- origional home. Any one know where the following may be found ?</title>
- <listitem><para>CIFS/E Browser Protocol draft-leach-cifs-browser-spec-00.txt</para></listitem>
- <listitem><para>CIFS Remote Administration Protocol draft-leach-cifs-rap-spec-00.txt</para></listitem>
- <listitem><para>CIFS Logon and Pass Through Authentication draft-leach-cifs-logon-spec-00.txt</para></listitem>
- <listitem><para>A Common Internet File System (CIFS/1.0) Protocol draft-leach-cifs-v1-spec-01.txt</para></listitem>
- <listitem><para>CIFS Printing Specification draft-leach-cifs-print-spec-00.txt</para></listitem>
- <listitem><para>RFC1001 (March '87) Protocol standard for a NetBIOS service on a TCP/UDP transport: Concepts and methods.
- http://ds.internic.net/rfc/rfc1001.txt </para></listitem>
- <listitem><para>RFC1002 (March '87) Protocol standard for a NetBIOS service on a TCP/UDP transport: Detailed specifications.
- http://ds.internic.net/rfc/rfc1002.txt </para></listitem>
- <listitem><para>Microsoft's main CIFS page: http://www.microsoft.com/workshop/networking/cifs/</para></listitem>
-</itemizedlist>
+ <para>
+ You should also refer to the MS archives at
+ <ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/">ftp://ftp.microsoft.com/developr/drg/CIFS/"</ulink>
+ </para>
</sect2>
-<sect2><title>How do I get help from the mailing lists ?</title>
+<sect2>
+<title>How do I get help from the mailing lists ?</title>
<para> There are a number of Samba related mailing lists. Go to <ulink url=
"http://samba.org">http://samba.org</ulink>, click on your nearest mirror
</sect2>
-<sect2><title>How do I get off the mailing lists ?</title>
+<sect2>
+<title>How do I get off the mailing lists ?</title>
+
<para>To have your name removed from a samba mailing list, go to the
same place you went to to get on it. Go to <ulink url=
- "http://samba.org">http://samba.org</ulink>, click on your nearest mirror
- and then click on <command>Support</> and then click on <command>
- Samba related mailing lists</>. Or perhaps see
- <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</></para>
+ "http://lists.samba.org/">http://lists.samba.org</ulink>, click
+ on your nearest mirror and then click on <command>Support</> and
+ then click on <command> Samba related mailing lists</>. Or perhaps see
+ <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink></para>
- <para>Please don't post messages to the list asking to be removed, you will just
+ <para>
+ Please don't post messages to the list asking to be removed, you will just
be refered to the above address (unless that process failed in some way...)
</para>
</sect2>
git.samba.org / sfrench / samba-autobuild / .git / commitdiff