From: Jelmer Vernooij Date: Tue, 27 May 2003 16:46:06 +0000 (+0000) Subject: A lot of syntax updates, consistency when using certain tags and converting ASCII... X-Git-Tag: samba-4.0.0alpha6~801^2~13730 X-Git-Url: http://git.samba.org/samba.git/?p=sfrench%2Fsamba-autobuild%2F.git;a=commitdiff_plain;h=cc841dde2f26843c2b6ec788337b779ed1abf8ea A lot of syntax updates, consistency when using certain tags and converting ASCII -> XML (This used to be commit 85434d3144656e6fe587637276d6a2667df1857f) --- diff --git a/docs/docbook/projdoc/Compiling.xml b/docs/docbook/projdoc/Compiling.xml index f7f0a8394d7..07251d7ed9e 100644 --- a/docs/docbook/projdoc/Compiling.xml +++ b/docs/docbook/projdoc/Compiling.xml @@ -452,14 +452,16 @@ example of what you would not want to see would be: Common Errors - -I've compiled Samba-3 from the CVS and the two binaries (smbd and nmbd) -are very large files (40 Mg and 20 Mg). I've the same result with ---enable-shared ? + +I'm using gcc 3 and I've compiled Samba-3 from the CVS and the +binaries are very large files (40 Mb and 20 Mb). I've the same result with + ? + -Answer: Strip the binaries (or dond't compile with -g). +The dwarf format used by GCC 3 for storing debugging symbols is very inefficient. +Strip the binaries, don't compile with -g or compile with -gstabs. diff --git a/docs/docbook/projdoc/ProfileMgmt.xml b/docs/docbook/projdoc/ProfileMgmt.xml index 680555cd6a4..fc51b1826cb 100644 --- a/docs/docbook/projdoc/ProfileMgmt.xml +++ b/docs/docbook/projdoc/ProfileMgmt.xml @@ -320,7 +320,7 @@ they will be told that they are logging in "for the first time". instead of logging in under the [user, password, domain] dialog, - press escape. + press escape. 
@@ -342,9 +342,9 @@ they will be told that they are logging in "for the first time". [Exit the registry editor]. - - - WARNING - before deleting the contents of the + + + Before deleting the contents of the directory listed in the ProfilePath (this is likely to be c:\windows\profiles\username), ask them if they have any important files stored on their desktop or in their start menu. @@ -357,11 +357,11 @@ they will be told that they are logging in "for the first time". system file) user.DAT in their profile directory, as well as the local "desktop", "nethood", "start menu" and "programs" folders. - + - search for the user's .PWL password-caching file in the c:\windows + search for the user's .PWL password-caching file in the c:\windows directory, and delete it. @@ -374,8 +374,8 @@ they will be told that they are logging in "for the first time". - check the contents of the profile path (see "logon path" described - above), and delete the user.DAT or user.MAN file for the user, + check the contents of the profile path (see logon path described + above), and delete the user.DAT or user.MAN file for the user, making a backup if required. @@ -384,7 +384,7 @@ they will be told that they are logging in "for the first time". If all else fails, increase samba's debug log levels to between 3 and 10, -and / or run a packet trace program such as ethereal or netmon.exe, and +and / or run a packet trace program such as ethereal or netmon.exe, and look for error messages. 
@@ -403,12 +403,12 @@ differences are with the equivalent samba trace. When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile location can be now specified -through the "logon path" parameter. +through the logon path parameter. There is a parameter that is now available for use with NT Profiles: -"logon drive". This should be set to H: or any other drive, and +logon drive. This should be set to H: or any other drive, and should be used in conjunction with the new "logon home" parameter. @@ -422,23 +422,23 @@ for those situations where it might be created.) In the profile directory, Windows NT4 creates more folders than Windows 9x / Me. -It creates "Application Data" and others, as well as "Desktop", "Nethood", -"Start Menu" and "Programs". The profile itself is stored in a file -NTuser.DAT. Nothing appears to be stored in the .PDS directory, and +It creates Application Data and others, as well as Desktop, Nethood, +Start Menu and Programs. The profile itself is stored in a file +NTuser.DAT. Nothing appears to be stored in the .PDS directory, and its purpose is currently unknown. -You can use the System Control Panel to copy a local profile onto +You can use the System Control Panel to copy a local profile onto a samba server (see NT Help on profiles: it is also capable of firing -up the correct location in the System Control Panel for you). The -NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN +up the correct location in the System Control Panel for you). The +NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN turns a profile into a mandatory one. The case of the profile is significant. The file must be called -NTuser.DAT or, for a mandatory profile, NTuser.MAN. +NTuser.DAT or, for a mandatory profile, NTuser.MAN. 
@@ -450,58 +450,58 @@ You must first convert the profile from a local profile to a domain profile on the MS Windows workstation as follows: - - - Log on as the LOCAL workstation administrator. - + + + Log on as the LOCAL workstation administrator. + - - Right click on the 'My Computer' Icon, select 'Properties' - + + Right click on the My Computer Icon, select Properties + - - Click on the 'User Profiles' tab - + + Click on the User Profiles tab + - + Select the profile you wish to convert (click on it once) - + - - Click on the button 'Copy To' - + + Click on the button Copy To + - - In the "Permitted to use" box, click on the 'Change' button. - + + In the Permitted to use box, click on the Change button. + - + Click on the 'Look in" area that lists the machine name, when you click here it will open up a selection box. Click on the domain to which the profile must be accessible. You will need to log on if a logon box opens up. Eg: In the connect - as: MIDEARTH\root, password: mypassword. - + as: MIDEARTH\root, password: mypassword. + - + To make the profile capable of being used by anyone select 'Everyone' - + - - Click OK. The Selection box will close. - + + Click OK. The Selection box will close. + - - Now click on the 'Ok' button to create the profile in the path you + + Now click on the Ok button to create the profile in the path you nominated. - - + + Done. You now have a profile that can be editted using the samba-3.0.0 -profiles tool. +profiles tool. 
@@ -512,16 +512,16 @@ storage of mail data. That keeps desktop profiles usable. - - + + This is a security check new to Windows XP (or maybe only Windows XP service pack 1). It can be disabled via a group policy in Active Directory. The policy is: -"Computer Configuration\Administrative Templates\System\User -Profiles\Do not check for user ownership of Roaming Profile Folders" +Computer Configuration\Administrative Templates\System\User +Profiles\Do not check for user ownership of Roaming Profile Folders -...and it should be set to "Enabled". +...and it should be set to Enabled. Does the new version of samba have an Active Directory analogue? If so, then you may be able to set the policy through this. 
@@ -533,36 +533,35 @@ the following (N.B. I don't know for sure that this will work in the same way as a domain group policy): - + - + On the XP workstation log in with an Administrator account. - - - Click: "Start", "Run" - Type: "mmc" - Click: "OK" - - A Microsoft Management Console should appear. - Click: File, "Add/Remove Snap-in...", "Add" - Double-Click: "Group Policy" - Click: "Finish", "Close" - Click: "OK" - - In the "Console Root" window: - Expand: "Local Computer Policy", "Computer Configuration", - "Administrative Templates", "System", "User Profiles" - Double-Click: "Do not check for user ownership of Roaming Profile - Folders" - Select: "Enabled" - Click: OK" - - Close the whole console. You do not need to save the settings (this + + + Click: Start, Run + Type: mmc + Click: OK + + A Microsoft Management Console should appear. + Click: File, Add/Remove Snap-in..., Add + Double-Click: Group Policy + Click: Finish, Close + Click: OK + + In the "Console Root" window: + Expand: Local Computer Policy, Computer Configuration, + Administrative Templates, System, User Profiles + Double-Click: Do not check for user ownership of Roaming Profile Folders + Select: Enabled + Click: OK + + Close the whole console. You do not need to save the settings (this refers to the console settings rather than the policies you have - changed). + changed). - Reboot - + Reboot + @@ -584,13 +583,13 @@ on again with the newer version of MS Windows. If you then want to share the same Start Menu / Desktop with W9x/Me, you will need to specify a common location for the profiles. The smb.conf parameters -that need to be common are logon path and -logon home. +that need to be common are logon path and +logon home. -If you have this set up correctly, you will find separate user.DAT and -NTuser.DAT files in the same profile directory. +If you have this set up correctly, you will find separate user.DAT and +NTuser.DAT files in the same profile directory. 
@@ -617,14 +616,14 @@ NT4/200x. The correct resource kit is required for each platform. Here is a quick guide: - + - -On your NT4 Domain Controller, right click on 'My Computer', then -select the tab labelled 'User Profiles'. - + +On your NT4 Domain Controller, right click on My Computer, then +select the tab labelled User Profiles. + - + Select a user profile you want to migrate and click on it. @@ -632,20 +631,20 @@ Select a user profile you want to migrate and click on it. create a group profile. You can give the user 'Everyone' rights to the profile you copy this to. That is what you need to do, since your samba domain is not a member of a trust relationship with your NT4 PDC. - + - Click the 'Copy To' button. +Click the Copy To button. - In the box labelled 'Copy Profile to' add your new path, eg: - c:\temp\foobar + In the box labelled Copy Profile to add your new path, eg: + c:\temp\foobar - Click on the button labelled 'Change' in the "Permitted to use" box. + Click on the button Change in the Permitted to use box. - Click on the group 'Everyone' and then click OK. This closes the - 'chose user' box. + Click on the group 'Everyone' and then click OK. This closes the + 'choose user' box. - Now click OK. - + Now click OK. + Follow the above for every profile you need to migrate. @@ -690,7 +689,7 @@ Resource Kit. Windows NT 4.0 stores the local profile information in the registry under the following key: -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList @@ -730,7 +729,7 @@ file in the copied profile and rename it to NTUser.MAN. -For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to +For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to affect a mandatory profile. 
@@ -750,7 +749,7 @@ to the group profile. -The next step is rather important. PLEASE NOTE: Instead of assigning a group profile +The next step is rather important. Please note: Instead of assigning a group profile to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned the now modified profile. @@ -780,18 +779,19 @@ advantages. MS Windows 9x/Me -To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System -Policy Editor or change the registry directly. +To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System +Policy Editor or change the registry directly. -To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then -select File -> Open Registry, then click on the Local Computer icon, click on Windows 98 System, -select User Profiles, click on the enable box. Do not forget to save the registry changes. +To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then +select File -> Open Registry, then click on the +Local Computer icon, click on Windows 98 System, +select User Profiles, click on the enable box. Do not forget to save the registry changes. -To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive +To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive HKEY_LOCAL_MACHINE\Network\Logon. Now add a DWORD type key with the name "User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0. 
@@ -831,7 +831,7 @@ profile, the changes are written to the user's profile on the server. On MS Windows NT4 the default user profile is obtained from the location %SystemRoot%\Profiles which in a default installation will translate to C:\WinNT\Profiles. Under this directory on a clean install there will be -three (3) directories: Administrator, All Users, Default User. +three (3) directories: Administrator, All Users, Default User. @@ -854,8 +854,8 @@ When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft the following steps are followed in respect of profile handling: - - + + The users' account information which is obtained during the logon process contains the location of the users' desktop profile. The profile path may be local to the @@ -865,25 +865,25 @@ the following steps are followed in respect of profile handling: settings in the All Users profile in the %SystemRoot%\Profiles location. - + - + If the user account has a profile path, but at it's location a profile does not exist, then a new profile is created in the %SystemRoot%\Profiles\%USERNAME% directory from reading the Default User profile. - + - + If the NETLOGON share on the authenticating server (logon server) contains a policy file (NTConfig.POL) then it's contents are applied to the NTUser.DAT which is applied to the HKEY_CURRENT_USER part of the registry. - + - + When the user logs out, if the profile is set to be a roaming profile it will be written out to the location of the profile. The NTuser.DAT file is then @@ -892,8 +892,8 @@ the following steps are followed in respect of profile handling: next logon, the effect of the provious NTConfig.POL will still be held in the profile. The effect of this is known as tatooing. - - + + MS Windows NT4 profiles may be Local or Roaming. A Local profile 
@@ -925,59 +925,58 @@ are controlled by entries on Windows NT4 is: - - HKEY_CURRENT_USER - \Software - \Microsoft - \Windows - \CurrentVersion - \Explorer - \User Shell Folders\ - +HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ The above hive key contains a list of automatically managed folders. The default entries are: - - - Name Default Value - -------------- ----------------------------------------- - AppData %USERPROFILE%\Application Data - Desktop %USERPROFILE%\Desktop - Favorites %USERPROFILE%\Favorites - NetHood %USERPROFILE%\NetHood - PrintHood %USERPROFILE%\PrintHood - Programs %USERPROFILE%\Start Menu\Programs - Recent %USERPROFILE%\Recent - SendTo %USERPROFILE%\SendTo - Start Menu %USERPROFILE%\Start Menu - Startup %USERPROFILE%\Start Menu\Programs\Startup - - + + + User Shell Folder registry keys default values + + + NameDefault Value + + + AppData%USERPROFILE%\Application Data + Desktop%USERPROFILE%\Desktop + Favorites%USERPROFILE%\Favorites + NetHood%USERPROFILE%\NetHood + PrintHood%USERPROFILE%\PrintHood + Programs%USERPROFILE%\Start Menu\Programs + Recent%USERPROFILE%\Recent + SendTo%USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup%USERPROFILE%\Start Menu\Programs\Startup + + +
+
The registry key that contains the location of the default profile settings is: + - - HKEY_LOCAL_MACHINE - \SOFTWARE - \Microsoft - \Windows - \CurrentVersion - \Explorer - \User Shell Folders - + +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders + + The default entries are: - - Common Desktop %SystemRoot%\Profiles\All Users\Desktop - Common Programs %SystemRoot%\Profiles\All Users\Programs - Common Start Menu %SystemRoot%\Profiles\All Users\Start Menu - Common Startup %SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup - + + Defaults of profile settings registry keys + + + Common Desktop%SystemRoot%\Profiles\All Users\Desktop + Common Programs%SystemRoot%\Profiles\All Users\Programs + Common Start Menu%SystemRoot%\Profiles\All Users\Start Menu + Common Startup%SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup + + +
@@ -1014,7 +1013,7 @@ login name of the user. - This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory + This path translates, in Samba parlance, to the &smb.conf; [NETLOGON] share. The directory should be created at the root of this share and must be called Default Profile. 
@@ -1064,49 +1063,43 @@ are controlled by entries on Windows 200x/XP is: - - HKEY_CURRENT_USER - \Software - \Microsoft - \Windows - \CurrentVersion - \Explorer - \User Shell Folders\ - +HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ The above hive key contains a list of automatically managed folders. The default entries are: - - - Name Default Value - -------------- ----------------------------------------- - AppData %USERPROFILE%\Application Data - Cache %USERPROFILE%\Local Settings\Temporary Internet Files - Cookies %USERPROFILE%\Cookies - Desktop %USERPROFILE%\Desktop - Favorites %USERPROFILE%\Favorites - History %USERPROFILE%\Local Settings\History - Local AppData %USERPROFILE%\Local Settings\Application Data - Local Settings %USERPROFILE%\Local Settings - My Pictures %USERPROFILE%\My Documents\My Pictures - NetHood %USERPROFILE%\NetHood - Personal %USERPROFILE%\My Documents - PrintHood %USERPROFILE%\PrintHood - Programs %USERPROFILE%\Start Menu\Programs - Recent %USERPROFILE%\Recent - SendTo %USERPROFILE%\SendTo - Start Menu %USERPROFILE%\Start Menu - Startup %USERPROFILE%\Start Menu\Programs\Startup - Templates %USERPROFILE%\Templates - - + + + Defaults of default user profile paths registry keys + + NameDefault Value + + AppData%USERPROFILE%\Application Data + Cache%USERPROFILE%\Local Settings\Temporary Internet Files + Cookies%USERPROFILE%\Cookies + Desktop%USERPROFILE%\Desktop + Favorites%USERPROFILE%\Favorites + History%USERPROFILE%\Local Settings\History + Local AppData%USERPROFILE%\Local Settings\Application Data + Local Settings%USERPROFILE%\Local Settings + My Pictures%USERPROFILE%\My Documents\My Pictures + NetHood%USERPROFILE%\NetHood + Personal%USERPROFILE%\My Documents + PrintHood%USERPROFILE%\PrintHood + Programs%USERPROFILE%\Start Menu\Programs + Recent%USERPROFILE%\Recent + SendTo%USERPROFILE%\SendTo + Start Menu%USERPROFILE%\Start Menu + Startup%USERPROFILE%\Start Menu\Programs\Startup + 
Templates%USERPROFILE%\Templates +
+
-There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all -the others are of type REG_EXPAND_SZ. +There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all +the others are of type REG_EXPAND_SZ. @@ -1117,21 +1110,20 @@ write the Outlook PST file over the network for every login and logout. To set this to a network location you could use the following examples: + - - %LOGONSERVER%\%USERNAME%\Default Folders - - -This would store the folders in the user's home directory under a directory called "Default Folders" +%LOGONSERVER%\%USERNAME%\Default Folders + +This would store the folders in the user's home directory under a directory called Default Folders You could also use: + - - \\SambaServer\FolderShare\%USERNAME% - +\\SambaServer\FolderShare\%USERNAME% -in which case the default folders will be stored in the server named SambaServer -in the share called FolderShare under a directory that has the name of the MS Windows + + in which case the default folders will be stored in the server named SambaServer +in the share called FolderShare under a directory that has the name of the MS Windows user as seen by the Linux/Unix file system. @@ -1145,12 +1137,9 @@ MS Windows 200x/XP profiles may be Local or Roami A roaming profile will be cached locally unless the following registry key is created: - - - HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ - "DeleteRoamingCache"=dword:00000001 - +HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\"DeleteRoamingCache"=dword:00000001 + In which case, the local cache copy will be deleted on logout. 
@@ -1192,17 +1181,11 @@ In any case, you can configure only one profile per user. That profile can be either: - - - A profile unique to that user - - - A mandatory profile (one the user can not change) - - - A group profile (really should be mandatory ie:unchangable) - - + + A profile unique to that user + A mandatory profile (one the user can not change) + A group profile (really should be mandatory ie:unchangable) + 
@@ -1210,33 +1193,67 @@ be either: Can NOT use Roaming Profiles - -> I dont want Roaming profile to be implemented, I just want to give users -> local profiles only. + + I dont want Roaming profile to be implemented, I just want to give users + local profiles only. ... -> Please help me I am totally lost with this error from past two days I tried -> everything and googled around quite a bit but of no help. Please help me. - + Please help me I am totally lost with this error from past two days I tried + everything and googled around quite a bit but of no help. Please help me. + + Your choices are: - 1. Local profiles - - I know of no registry keys that will allow auto-deletion - of LOCAL profiles on log out - 2. Roaming profiles - - your options here are: - - can use auto-delete on logout option - - requires a registry key change on workstation - a) Personal Roaming profiles - - should be preserved on a central server - - workstations 'cache' (store) a local copy + + + + + Local profiles + + I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out + + + + + Roaming profiles + + + can use auto-delete on logout option + requires a registry key change on workstation + + + Your choices are: + + + + Personal Roaming profiles + + - should be preserved on a central server + - workstations 'cache' (store) a local copy - used in case the profile can not be downloaded at next logon - b) Group profiles - - loaded from a cetral place - c) Mandatory profiles - - can be personal or group - - can NOT be changed (except by an administrator + + + + + Group profiles + - loaded from a cetral place + + + + Mandatory profiles + + - can be personal or group + - can NOT be changed (except by an administrator + + + + + + + + + A WinNT4/2K/XP profile can vary in size from 130KB to off the scale. Outlook PST files are most often part of the profile and can be many GB in size. On average (in a well controlled environment) roaming profie size of 
@@ -1244,64 +1261,91 @@ size. On average (in a well controlled environment) roaming profie size of undisciplined environment I have seen up to 2GB profiles. Users tend to complain when it take an hour to log onto a workstation but they harvest the fuits of folly (and ignorance). + + The point of all the above is to show that roaming profiles and good controls of how they can be changed as well as good discipline make up for a problem free site. + -PS: Microsoft's answer to the PST problem is to store all email in an MS + +Microsoft's answer to the PST problem is to store all email in an MS Exchange Server back-end. But this is another story ...! + + So, having LOCAL profiles means: - a) If lots of users user each machine - - lot's of local disk storage needed for local profiles - b) Every workstation the user logs into has it's own profile - - can be very different from machine to machine + + + If lots of users user each machine - lot's of local disk storage needed for local profiles + Every workstation the user logs into has it's own profile - can be very different from machine to machine + On the other hand, having roaming profiles means: - a) The network administrator can control EVERY aspect of user - profiles - b) With the use of mandatory profiles - a drastic reduction - in network management overheads - c) User unhappiness about not being able to change their profiles - soon fades as they get used to being able to work reliably + + The network administrator can control EVERY aspect of user profiles + With the use of mandatory profiles - a drastic reduction in network management overheads + User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably + -But note: + + I have managed and installed MANY NT/2K networks and have NEVER found one where users who move from machine to machine are happy with local profiles. In the long run local profiles bite them. 
+ -> When the client tries to logon to the PDC it looks for a profile to download -> where do I put this default profile. + + + + + Changing the default profile + + +When the client tries to logon to the PDC it looks for a profile to download +where do I put this default profile. + + + Firstly, your samba server need to be configured as a domain controller. - server = user - os level = 32 (or more) - domain logons = Yes + - Plus you need to have a NETLOGON share that is world readable. - It is a good idea to add a logon script to pre-set printer and - drive connections. There is also a facility for automatically - synchronizing the workstation time clock with that of the logon - server (another good thing to do). + + server = user + os level = 32 (or more) + domain logons = Yes + -Note: To invoke auto-deletion of roaming profile from the local -workstation cache (disk storage) you need to use the Group Policy Editor -to create a file called NTConfig.POL with the appropriate entries. This -file needs to be located in the NETLOGON share root directory. + +Plus you need to have a [netlogon] share that is world readable. +It is a good idea to add a logon script to pre-set printer and +drive connections. There is also a facility for automatically +synchronizing the workstation time clock with that of the logon +server (another good thing to do). + + + +To invoke auto-deletion of roaming profile from the local +workstation cache (disk storage) you need to use the Group Policy Editor +to create a file called NTConfig.POL with the appropriate entries. This +file needs to be located in the netlogon share root directory. + Oh, of course the windows clients need to be members of the domain. Workgroup machines do NOT do network logons - so they never see domain profiles. + + Secondly, for roaming profiles you need: logon path = \\%N\profiles\%U (with some such path) logon drive = H: (Z: is the default) Plus you need a PROFILES share that is world writable. - 
diff --git a/docs/docbook/projdoc/SWAT.xml b/docs/docbook/projdoc/SWAT.xml index f238e8e1b0c..e03c41ce39b 100644 --- a/docs/docbook/projdoc/SWAT.xml +++ b/docs/docbook/projdoc/SWAT.xml @@ -25,7 +25,7 @@ documentation inside configuration files, for them SWAT will aways be a nasty to does not store the configuration file in any intermediate form, rather, it stores only the parameter settings, so when SWAT writes the smb.conf file to disk it will write only those parameters that are at other than the default settings. The result is that all comments -will be lost from the smb.conf file. Additionally, the parameters will be written back in +will be lost from the &smb.conf; file. Additionally, the parameters will be written back in internal ordering. @@ -40,8 +40,8 @@ and only non-default settings will be written to the file. SWAT should be installed to run via the network super daemon. Depending on which system -your Unix/Linux system has you will have either an inetd or -xinetd based system. +your Unix/Linux system has you will have either an inetd or +xinetd based system. @@ -86,7 +86,7 @@ A control file for the newer style xinetd could be: -Both the above examples assume that the swat binary has been +Both the above examples assume that the swat binary has been located in the /usr/sbin directory. In addition to the above SWAT will use a directory access point from which it will load it's help files as well as other control information. The default location for this on most Linux 
@@ -98,14 +98,16 @@ location using samba defaults will be /usr/local/samba/swat Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user the only permission allowed is to view certain aspects of configuration as well as access to the password change facility. The buttons that will be exposed to the non-root -user are: HOME, STATUS, VIEW, PASSWORD. The only page that allows -change capability in this case is PASSWORD. +user are: HOME, STATUS, VIEW, +PASSWORD. The only page that allows +change capability in this case is PASSWORD. -So long as you log onto SWAT as the user root you should obtain +So long as you log onto SWAT as the user root you should obtain full change and commit ability. The buttons that will be exposed includes: -HOME, GLOBALS, SHARES, PRINTERS, WIZARD, STATUS, VIEW, PASSWORD. +HOME, GLOBALS, SHARES, PRINTERS, +WIZARD, STATUS, VIEW, PASSWORD. @@ -122,35 +124,35 @@ administration of Samba. Here is a method that works, courtesy of Markus Krieger Modifications to the swat setup are as following: - - + + install OpenSSL - + - + generate certificate and private key - - root# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \ - /usr/share/doc/packages/stunnel/stunnel.cnf \ - -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem - + +&rootprompt;/usr/bin/openssl req -new -x509 -days 365 -nodes -config \ + /usr/share/doc/packages/stunnel/stunnel.cnf \ + -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem + - + remove swat-entry from [x]inetd - + - + start stunnel - - root# stunnel -p /etc/stunnel/stunnel.pem -d 901 \ - -l /usr/local/samba/bin/swat swat - - + +&rootprompt;stunnel -p /etc/stunnel/stunnel.pem -d 901 \ + -l /usr/local/samba/bin/swat swat + + -afterwards simply contact to swat by using the URL "https://myhost:901", accept the certificate +afterwards simply contact to swat by using the URL https://myhost:901, accept the certificate and the SSL connection is up. 
@@ -173,13 +175,13 @@ useful is ethereal, available from chapter on Browsing and on + MS Windows network Integration) + Domain logons for Windows NT4 / 200x / XP Professional clients + Configuration of Roaming Profiles or explicit configuration to force local profile usage + Configuration of Network/System Policies + Adding and managing domain user accounts + Configuring MS Windows client machines to become domain members + The following provisions are required to serve MS Windows 9x / Me Clients: - - - Configuration of basic TCP/IP and MS Windows Networking - - - - Correct designation of the Server Role (security = user) - - - - Network Logon Configuration (Since Windows 9x / XP Home are not technically domain - members, they do not really particpate in the security aspects of Domain logons as such) - - - - Roaming Profile Configuration - - - - Configuration of System Policy handling - - - - Installation of the Network driver "Client for MS Windows Networks" and configuration - to log onto the domain - - - - Placing Windows 9x / Me clients in user level security - if it is desired to allow - all client share access to be controlled according to domain user / group identities. - - - - Adding and managing domain user accounts - - + + Configuration of basic TCP/IP and MS Windows Networking + Correct designation of the Server Role (security = user) + Network Logon Configuration (Since Windows 9x / XP Home are not technically domain + members, they do not really particpate in the security aspects of Domain logons as such) + Roaming Profile Configuration + Configuration of System Policy handling + Installation of the Network driver "Client for MS Windows Networks" and configuration + to log onto the domain + Placing Windows 9x / Me clients in user level security - if it is desired to allow + all client share access to be controlled according to domain user / group identities. 
+ Adding and managing domain user accounts + Roaming Profiles and System/Network policies are advanced network administration topics @@ -562,7 +518,7 @@ There are a couple of points to emphasize in the above configuration. The server must support domain logons and have a - [netlogon] share + [netlogon] share @@ -602,8 +558,8 @@ an integral part of the essential functionality that is provided by a Domain Con All Domain Controllers must run the netlogon service (domain logons -in Samba. One Domain Controller must be configured with domain master = Yes -(the Primary Domain Controller), on ALL Backup Domain Controllers domain master = No +in Samba. One Domain Controller must be configured with domain master = Yes +(the Primary Domain Controller), on ALL Backup Domain Controllers domain master = No must be set. @@ -611,8 +567,6 @@ must be set. Example Configuration - A minimal configuration to support Domain Logons - [globals] domain logons = Yes domain master = (Yes on PDC, No on BDCs) @@ -622,7 +576,6 @@ must be set. path = /var/lib/samba/netlogon guest ok = Yes browseable = No - @@ -710,7 +663,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon: a NetLogon request. This is sent to the NetBIOS name DOMAIN<#1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of - \\SERVER. + \\SERVER. @@ -750,7 +703,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon: The client then connects to the user's home share and searches for the user's profile. As it turns out, you can specify the user's home share as - a sharename and path. For example, \\server\fred\.winprofile. + a sharename and path. For example, \\server\fred\.winprofile. If the profiles are found, they are implemented. 
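Review bot: In the Windows 9x / Me provisions hunk (@@ -173,13 +175,13), the new list item "members, they do not really particpate in the security aspects of Domain logons as such)" carries the typo "particpate" over from the removed lines; since the text is being re-marked, fix it to "participate".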
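Review bot: In the netlogon hunk (@@ -602,8 +558,8), the sentence "All Domain Controllers must run the netlogon service (domain logons in Samba." opens a parenthesis that is never closed, and the rewritten "+in Samba. One Domain Controller must be configured with domain master = Yes" leaves it that way; suggest "(domain logons = Yes in Samba)" so the aside names the parameter the example configuration below actually uses.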
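Review bot: The Example Configuration hunk (@@ -611,8 +567,6) deletes the caption line "A minimal configuration to support Domain Logons" with no replacement visible in the hunk, and the companion hunk (@@ -622,7 +576,6) deletes the listing's closing line; confirm the caption moved into the example's title element rather than being dropped, since the listing's "domain master = (Yes on PDC, No on BDCs)" is not literal smb.conf syntax and readers rely on the caption to read it as a template.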
@@ -758,7 +711,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon: The client then disconnects from the user's home share, and reconnects to - the NetLogon share and looks for CONFIG.POL, the policies file. If this is + the NetLogon share and looks for CONFIG.POL, the policies file. If this is found, it is read and implemented. @@ -816,12 +769,12 @@ For this reason, it is very wise to configure the Samba DC as the DMB. Now back to the issue of configuring a Samba DC to use a mode other -than security = user. If a Samba host is configured to use +than security = user. If a Samba host is configured to use another SMB server or DC in order to validate user connection requests, then it is a fact that some other machine on the network -(the password server) knows more about the user than the Samba host. +(the password server) knows more about the user than the Samba host. 99% of the time, this other host is a domain controller. Now -in order to operate in domain mode security, the workgroup parameter +in order to operate in domain mode security, the workgroup parameter must be set to the name of the Windows NT domain (which already has a domain controller). If the domain does NOT already have a Domain Controller then you do not yet have a Domain! @@ -830,7 +783,7 @@ then you do not yet have a Domain! Configuring a Samba box as a DC for a domain that already by definition has a PDC is asking for trouble. Therefore, you should always configure the Samba DC -to be the DMB for its domain and set security = user. +to be the DMB for its domain and set security = user. This is the only officially supported mode of operation. @@ -868,9 +821,9 @@ to a share (or IPC$) on the Samba PDC. The following command will remove all network drive connections: - -C:\WINNT\> net use * /d - + + C:\WINNT\> net use * /d + Further, if the machine is already a 'member of a workgroup' that 
@@ -884,9 +837,9 @@ does not matter what, reboot, and try again. The system can not log you on (C000019B).... I joined the domain successfully but after upgrading -to a newer version of the Samba code I get the message, "The system +to a newer version of the Samba code I get the message, The system can not log you on (C000019B), Please try again or consult your -system administrator" when attempting to logon. +system administrator when attempting to logon. @@ -901,10 +854,10 @@ SID may be reset using either the net or rpcclient utilities. The reset or change the domain SID you can use the net command as follows: - - net getlocalsid 'OLDNAME' - net setlocalsid 'SID' - + +$ net getlocalsid 'OLDNAME' +$ net setlocalsid 'SID' + @@ -914,8 +867,8 @@ The reset or change the domain SID you can use the net command as follows: exist or is not accessible. -When I try to join the domain I get the message "The machine account -for this computer either does not exist or is not accessible". What's +When I try to join the domain I get the message The machine account +for this computer either does not exist or is not accessible. What's wrong? @@ -945,8 +898,8 @@ for both client and server. I get a message about my account being disabled. -At first be ensure to enable the useraccounts with smbpasswd -e -%user%, this is normally done, when you create an account. +At first be ensure to enable the useraccounts with smbpasswd -e +username, this is normally done, when you create an account. diff --git a/docs/docbook/projdoc/ServerType.xml b/docs/docbook/projdoc/ServerType.xml index ecfeb417359..056d6227acc 100644 --- a/docs/docbook/projdoc/ServerType.xml +++ b/docs/docbook/projdoc/ServerType.xml 
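Review bot: In the domain SID hunk (@@ -901,10 +854,10), the added lines "$ net getlocalsid 'OLDNAME'" and "$ net setlocalsid 'SID'" use the unprivileged "$" prompt, while every other net invocation converted in this commit (for example "&rootprompt;net join -U administrator%password") uses &rootprompt;; setlocalsid rewrites the server's stored SID, which is a privileged operation, so use &rootprompt; here for consistency and so readers do not try it as an ordinary user.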
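Review bot: In the disabled-account hunk (@@ -945,8 +898,8), the rewritten line "+At first be ensure to enable the useraccounts with smbpasswd -e" is ungrammatical; since it is being touched, make it "First make sure the user accounts are enabled with smbpasswd -e username; this is normally done when the account is created."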
@@ -97,17 +97,17 @@ different type of servers: Domain Controller - - Primary Domain Controller - Backup Domain Controller - ADS Domain Controller - + + Primary Domain Controller + Backup Domain Controller + ADS Domain Controller + Domain Member Server - - Active Directory Member Server - NT4 Style Domain Member Server - + + Active Directory Member Server + NT4 Style Domain Member Server + Stand Alone Server @@ -125,7 +125,7 @@ presented. Samba Security Modes -In this section the function and purpose of Samba's security +In this section the function and purpose of Samba's security modes are described. An acurate understanding of how Samba implements each security mode as well as how to configure MS Windows clients for each mode will significantly reduce user complaints and administrator heartache. @@ -138,12 +138,13 @@ that are not available with Microsoft Windows NT4 / 200x servers. Samba knows of ways that allow the security levels to be implemented. In actual fact, Samba implements SHARE Level security only one way, but has for ways of implementing USER Level security. Collectively, we call the samba implementations -Security Modes. These are: SHARE, USER, DOMAIN, ADS, and SERVER +Security Modes. These are: SHARE, USER, DOMAIN, +ADS, and SERVER modes. They are documented in this chapter. -A SMB server tells the client at startup what security level +A SMB server tells the client at startup what security level it is running. There are two options share level and user level. Which of these two the client receives affects the way the client then tries to authenticate itself. It does not directly affect 
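Review bot: In the Security Modes hunk (@@ -138,12 +138,13), the context line "has for ways of implementing USER Level security" immediately above the rewritten "+Security Modes. These are: SHARE, USER, DOMAIN," should read "four ways", which matches the four user-level modes the new lines then enumerate (USER, DOMAIN, ADS, SERVER); worth fixing while the paragraph is being re-marked, along with "acurate" in the preceding hunk (@@ -125,7 +125,7).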
@@ -157,7 +158,7 @@ available and whether an action is allowed. User Level Security -We will describeuser level security first, as its simpler. +We will describeuser level security first, as its simpler. In user level security the client will send a session setup command directly after the protocol negotiation. This contains a username and password. The server can either accept or reject that @@ -230,7 +231,7 @@ level security. They normally send a valid username but no password. Samba recor this username in a list of possible usernames. When the client then does a tree connection it also adds to this list the name of the share they try to connect to (useful for home directories) and any users -listed in the user = &smb.conf; line. The password is then checked +listed in the user = &smb.conf; line. The password is then checked in turn against these possible usernames. If a match is found then the client is authenticated as that user. @@ -258,7 +259,7 @@ with share mode security servers. You are strongly discouraged from use of this Domain Security Mode (User Level Security) -When samba is operating in security = domain mode this means that +When samba is operating in security = domain mode this means that the Samba server has a domain security trust account (a machine account) and will cause all authentication requests to be passed through to the domain controllers. @@ -281,7 +282,7 @@ This method involves addition of the following parameters in the &smb.conf; file -The use of the "*" argument to password server will cause samba to locate the +The use of the "*" argument to password server will cause samba to locate the domain controller in a way analogous to the way this is done within MS Windows NT. This is the default behaviour. 
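Review bot: In the User Level Security hunk (@@ -157,7 +158,7), the added line "+We will describeuser level security first, as its simpler." reproduces two defects from the removed line: the missing space in "describeuser" and "its" for "it's"; suggest "We will describe user level security first, as it's simpler."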
@@ -291,34 +292,32 @@ In order for this method to work the Samba server needs to join the MS Windows N security domain. This is done as follows: - - On the MS Windows NT domain controller using + + On the MS Windows NT domain controller using the Server Manager add a machine account for the Samba server. - + - Next, on the Unix/Linux system execute: - - smbpasswd -r PDC_NAME -j DOMAIN_NAME (samba 2.x) + Next, on the Unix/Linux system execute: + + &rootprompt;smbpasswd -r PDC_NAME -j DOMAIN_NAME (samba 2.x) - net join -U administrator%password (samba-3) - - - - + &rootprompt;net join -U administrator%password (samba-3) + + As of Samba-2.2.4 the Samba 2.2.x series can auto-join a Windows NT4 style Domain just by executing: - - smbpasswd -j DOMAIN_NAME -r PDC_NAME -U Administrator%password - + +&rootprompt;smbpasswd -j DOMAIN_NAME -r PDC_NAME -U Administrator%password + As of Samba-3 the same can be done by executing: - - net join -U Administrator%password - -It is not necessary with Samba-3 to specify the DOMAIN_NAME or the PDC_NAME as it figures this -out from the smb.conf file settings. + + &rootprompt;net join -U Administrator%password + +It is not necessary with Samba-3 to specify the DOMAIN_NAME or the PDC_NAME as it +figures this out from the &smb.conf; file settings. @@ -362,17 +361,19 @@ AD-member mode can accept Kerberos. Example Configuration - - + realm = your.kerberos.REALM security = ADS encrypt passwords = Yes + -The following parameter may be required: + + The following parameter may be required: + + ads server = your.kerberos.server - - + Please refer to the Domain Membership section, Active Directory Membership for more information 
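Review bot: In the domain-join hunk (@@ -291,34 +292,32), all four converted commands put the administrator password on the command line ("&rootprompt;net join -U administrator%password", "&rootprompt;smbpasswd -j DOMAIN_NAME -r PDC_NAME -U Administrator%password"), which leaves it visible in the process list and the root shell history on the Samba host; the winbind hunk later in this same commit shows the safer form, "&rootprompt;/usr/local/samba/bin/net join -S PDC -U Administrator", where the tool prompts for the password, so either use that form here or add a sentence saying the "%password" suffix may be omitted.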
@@ -391,23 +392,23 @@ as a domain member server. It is highly recommended NOT to use this feature. Ser security has many draw backs. The draw backs include: - - Potential Account Lockout on MS Windows NT4/200x password servers - Lack of assurance that the password server is the one specified - Does not work with Winbind, particularly needed when storing profiles remotely - This mode may open connections to the password server, and keep them open for extended periods. - Security on the samba server breaks badly when the remote password server suddenly shuts down - With this mode there is NO security account in the domain that the password server belongs to for the samba server. - + + Potential Account Lockout on MS Windows NT4/200x password servers + Lack of assurance that the password server is the one specified + Does not work with Winbind, particularly needed when storing profiles remotely + This mode may open connections to the password server, and keep them open for extended periods. + Security on the samba server breaks badly when the remote password server suddenly shuts down + With this mode there is NO security account in the domain that the password server belongs to for the samba server. + In server level security the samba server reports to the client that it is in user level security. The client then does a session setup as described earlier. The samba server takes the username/password that the client sends and attempts to login to the -password server by sending exactly the same username/password that +password server by sending exactly the same username/password that it got from the client. If that server is in user level security and accepts the password then samba accepts the clients connection. This allows the samba server to use another SMB -server as the password server. +server as the password server. 
@@ -418,10 +419,10 @@ passwords in encrypted form. Samba supports this type of encryption by default. -The parameter security = server means that Samba reports to clients that +The parameter security = server means that Samba reports to clients that it is running in user mode but actually passes off all authentication requests to another user mode server. This requires an additional -parameter password server that points to the real authentication server. +parameter password server that points to the real authentication server. That real authentication server can be another Samba server or can be a Windows NT server, the later natively capable of encrypted password support. @@ -589,7 +590,7 @@ to those for whom English is not their native tongue. To some the nature of the samba security mode is very obvious, but entirely -wrong all the same. It is assumed that security = server means that Samba +wrong all the same. It is assumed that security = server means that Samba will act as a server. Not so! See above - this setting means that samba will try to use another SMB server as it's source of user authentication alone. @@ -600,7 +601,7 @@ to use another SMB server as it's source of user authentication alone. What makes Samba a Domain Controller? -The &smb.conf; parameter security = domain does NOT really make Samba behave +The &smb.conf; parameter security = domain does NOT really make Samba behave as a Domain Controller! This setting means we want samba to be a domain member! @@ -610,7 +611,7 @@ as a Domain Controller! This setting means we want samba to be a domain member! What makes Samba a Domain Member? -Guess! So many others do. But whatever you do, do NOT think that security = user +Guess! So many others do. But whatever you do, do NOT think that security = user makes Samba act as a domain member. Read the manufacturers manual before the warranty expires! 
diff --git a/docs/docbook/projdoc/Speed.xml b/docs/docbook/projdoc/Speed.xml index 9dd76e887d2..448ce616637 100644 --- a/docs/docbook/projdoc/Speed.xml +++ b/docs/docbook/projdoc/Speed.xml @@ -58,11 +58,11 @@ performance of a TCP based server like Samba. The socket options that Samba uses are settable both on the command -line with the -O option, or in the smb.conf file. +line with the option, or in the &smb.conf; file. -The socket options section of the &smb.conf; manual page describes how +The socket options section of the &smb.conf; manual page describes how to set these and gives recommendations. @@ -75,7 +75,7 @@ much. The correct settings are very dependent on your local network. The socket option TCP_NODELAY is the one that seems to make the biggest single difference for most networks. Many people report that -adding socket options = TCP_NODELAY doubles the read +adding socket options = TCP_NODELAY doubles the read performance of a Samba drive. The best explanation I have seen for this is that the Microsoft TCP/IP stack is slow in sending tcp ACKs. @@ -86,7 +86,7 @@ that the Microsoft TCP/IP stack is slow in sending tcp ACKs. Read size -The option read size affects the overlap of disk +The option read size affects the overlap of disk reads/writes with network reads/writes. If the amount of data being transferred in several of the SMB commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger than this value then the server begins writing 
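Review bot: In the Speed.xml socket options hunk (@@ -58,11 +58,11), the replacement line "+line with the option, or in the &smb.conf; file." has lost the "-O" that the removed line "-line with the -O option, or in the smb.conf file." carried; if the flag was wrapped in an element this listing does not render, fine, but as displayed the sentence no longer names the option, so please confirm "-O" survives in the XML.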
@@ -114,9 +114,9 @@ pointless and will cause you to allocate memory unnecessarily. Max xmit -At startup the client and server negotiate a maximum transmit size, +At startup the client and server negotiate a maximum transmit size, which limits the size of nearly all SMB commands. You can set the -maximum size that Samba will negotiate using the max xmit = option +maximum size that Samba will negotiate using the max xmit = option in &smb.conf;. Note that this is the maximum size of SMB requests that Samba will accept, but not the maximum size that the *client* will accept. The client maximum receive size is sent to Samba by the client and Samba @@ -139,7 +139,7 @@ In most cases the default is the best option. Log level -If you set the log level (also known as debug level) higher than 2 +If you set the log level (also known as debug level) higher than 2 then you may suffer a large drop in performance. This is because the server flushes the log file after each operation, which can be very expensive. @@ -150,20 +150,20 @@ expensive. Read raw -The read raw operation is designed to be an optimised, low-latency +The read raw operation is designed to be an optimised, low-latency file read operation. A server may choose to not support it, -however. and Samba makes support for read raw optional, with it +however. and Samba makes support for read raw optional, with it being enabled by default. -In some cases clients don't handle read raw very well and actually +In some cases clients don't handle read raw very well and actually get lower performance using it than they get using the conventional read operations. -So you might like to try read raw = no and see what happens on your +So you might like to try read raw = no and see what happens on your network. It might lower, raise or not affect your performance. Only testing can really tell. 
@@ -174,14 +174,14 @@ testing can really tell. Write raw -The write raw operation is designed to be an optimised, low-latency +The write raw operation is designed to be an optimised, low-latency file write operation. A server may choose to not support it, -however. and Samba makes support for write raw optional, with it +however. and Samba makes support for write raw optional, with it being enabled by default. -Some machines may find write raw slower than normal write, in which +Some machines may find write raw slower than normal write, in which case you may wish to change this option. @@ -192,7 +192,7 @@ case you may wish to change this option. Slow logins are almost always due to the password checking time. Using -the lowest practical password level will improve things. +the lowest practical password level will improve things. @@ -202,7 +202,7 @@ the lowest practical password level will improve things. LDAP can be vastly improved by using the -ldap trust ids parameter. +ldap trust ids parameter. diff --git a/docs/docbook/projdoc/StandAloneServer.xml b/docs/docbook/projdoc/StandAloneServer.xml index d8f5992191c..1b24e35272c 100644 --- a/docs/docbook/projdoc/StandAloneServer.xml +++ b/docs/docbook/projdoc/StandAloneServer.xml @@ -72,7 +72,8 @@ Through the use of PAM (Pluggable Authentication Modules) and nsswitch (the name service switcher) the source of authentication may reside on another server. We would be inclined to call this the authentication server. This means that the samba server may use the local Unix/Linux system password database -(/etc/passwd or /etc/shadow), may use a local smbpasswd file, or may use +(/etc/passwd or /etc/shadow), may use a +local smbpasswd file, or may use an LDAP back end, or even via PAM and Winbind another CIFS/SMB server for authentication. 
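Review bot: In the Read raw hunk (@@ -150,20 +150,20), the touched line "+however. and Samba makes support for read raw optional, with it" keeps the broken punctuation "however. and"; suggest "A server may choose to not support it, however, and Samba makes support for read raw optional". The Write raw hunk (@@ -174,14 +174,14) has the identical "however. and" on its touched line and should get the same fix.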
@@ -99,9 +100,7 @@ nobody. No home directories are shared, that are no users in the /etc/ Unix system database. This is a very simple system to administer. - - Share Mode Read Only Stand-Alone Server # Global parameters [global] workgroup = MYGROUP @@ -115,7 +114,6 @@ Unix system database. This is a very simple system to administer. path = /export guest only = Yes - In the above example the machine name is set to REFDOCS, the workgroup is set to the name @@ -172,9 +170,9 @@ the anonymous (guest) user two things will be required: The default for this is usually the account nobody. To find the correct name to use for your version of Samba do the following: - - testparm -s -v | grep "guest account" - + +$ testparm -s -v | grep "guest account" + Then make sure that this account exists in your system password database (/etc/passwd). @@ -183,17 +181,16 @@ the anonymous (guest) user two things will be required: The directory into which Samba will spool the file must have write access for the guest account. The following commands will ensure that this directory is available for use: - - mkdir /var/spool/samba - chown nobody.nobody /var/spool/samba - chmod a+rwt /var/spool/samba - + +&rootprompt;mkdir /var/spool/samba +&rootprompt;chown nobody.nobody /var/spool/samba +&rootprompt;chmod a+rwt /var/spool/samba + - Simple Central Print Server # Global parameters [global] workgroup = MYGROUP diff --git a/docs/docbook/projdoc/UNIX_INSTALL.xml b/docs/docbook/projdoc/UNIX_INSTALL.xml index 3dff9a55286..a169bea558d 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.xml +++ b/docs/docbook/projdoc/UNIX_INSTALL.xml @@ -33,7 +33,7 @@ Configuring samba (smb.conf) - Samba's configuration is stored in the smb.conf file, + Samba's configuration is stored in the &smb.conf; file, that usually resides in /etc/samba/smb.conf or /usr/local/samba/lib/smb.conf. You can either edit this file yourself or do it using one of the many graphical 
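Review bot: The share-mode example hunk (@@ -99,9 +100,7) deletes the caption line "Share Mode Read Only Stand-Alone Server" and the print-server hunk (@@ -183,17 +181,16) deletes "Simple Central Print Server", neither with a replacement visible in the diff; confirm both captions moved into title elements, since the text that follows ("In the above example the machine name is set to REFDOCS") refers back to the example by its caption.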
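Review bot: In the print spool hunk (@@ -183,17 +181,16), the converted line "+&rootprompt;chown nobody.nobody /var/spool/samba" keeps the legacy dot separator; the POSIX form is "chown nobody:nobody /var/spool/samba", and since the line is being rewritten this is the moment to switch. The following "+&rootprompt;chmod a+rwt /var/spool/samba" makes the directory world-writable, which the surrounding text justifies for guest printing, but a sentence noting that the sticky bit is what keeps users from removing each other's spool files would help readers who are tempted to drop the "t".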
@@ -67,7 +67,7 @@ This will allow connections by anyone with an account on the server, using either - their login name or "homes" as the service name. + their login name or "homes" as the service name. (Note that the workgroup that Samba must also be set.) @@ -79,7 +79,7 @@ For more information about security settings for the - [homes] share please refer to the chapter + [homes] share please refer to the chapter Securing Samba. @@ -88,7 +88,7 @@ It's important that you test the validity of your smb.conf - file using the testparm program. If testparm runs OK + file using the &testparm; program. If testparm runs OK then it will list the loaded services. If not it will give an error message. @@ -97,7 +97,7 @@ - Always run testparm again when you change smb.conf! + Always run testparm again when you change &smb.conf;! @@ -115,7 +115,7 @@ To launch SWAT just run your favorite web browser and - point it at "http://localhost:901/". Replace + point it at http://localhost:901/. Replace localhost with the name of the computer you are running samba on if you are running samba on a different computer than your browser. @@ -160,7 +160,7 @@ would be the name of the host where you installed &smbd;. The aservice is any service you have defined in the &smb.conf; - file. Try your user name if you just have a [homes] + file. Try your user name if you just have a [homes] section in &smb.conf;. @@ -214,7 +214,7 @@ The following questions and issues get raised on the samba mailing list over and Site that is running Samba on an AIX box. They are sharing out about 2 terabytes using samba. Samba was installed using smitty and the binaries. We seem to be experiencing a memory problem -with this box. When I do a svmon -Pu the monitoring program shows that smbd has several +with this box. When I do a svmon -Pu the monitoring program shows that &smbd; has several processes of smbd running: 
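Review bot: In the UNIX_INSTALL homes hunk (@@ -67,7 +67,7), the context line right after the touched "+ their login name or "homes" as the service name." reads "(Note that the workgroup that Samba must also be set.)", which is missing its verb phrase; while this paragraph is being re-marked, make it something like "Note that the workgroup Samba belongs to must also be set."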
@@ -224,7 +224,7 @@ is it normal for it to be taking up this much memory? - + Inuse * 4096 = amount of memory being used by this process Pid Command Inuse Pin Pgsp Virtual 64-bit Mthrd @@ -251,30 +251,30 @@ Inuse * 4096 = amount of memory being used by this process 19110 smbd 8404 1906 181 4862 N N Total memory used: 841,592,832 bytes - + ANSWER: Samba consists on three core programs: -nmbd, smbd, winbindd. nmbd is the name server message daemon, -smbd is the server message daemon, winbind is the daemon that +&nmbd;, &smbd;, &winbindd;. &nmbd; is the name server message daemon, +&smbd; is the server message daemon, &winbindd; is the daemon that handles communication with Domain Controllers. If your system is NOT running as a WINS server, then there will be one (1) single instance of - nmbd running on your system. If it is running as a WINS server then there will be + &nmbd; running on your system. If it is running as a WINS server then there will be two (2) instances - one to handle the WINS requests. -smbd handles ALL connection requests and then spawns a new process for each client +&smbd; handles ALL connection requests and then spawns a new process for each client connection made. That is why you are seeing so many of them, one (1) per client connection. -winbindd will run as one or two daemons, depending on whether or not it is being +&winbindd; will run as one or two daemons, depending on whether or not it is being run in "split mode" (in which case there will be two instances). diff --git a/docs/docbook/projdoc/VFS.xml b/docs/docbook/projdoc/VFS.xml index 51dd32fe64c..2ae1cfc9e06 100644 --- a/docs/docbook/projdoc/VFS.xml +++ b/docs/docbook/projdoc/VFS.xml 
@@ -32,18 +32,18 @@ on different systems. They currently have been tested against GNU/Linux and IRI To use the VFS modules, create a share similar to the one below. The -important parameter is the vfs object parameter which must point to +important parameter is the vfs object parameter which must point to the exact pathname of the shared library objects. For example, to log all access to files and use a recycle bin: - - [audit] - comment = Audited /data directory - path = /data - vfs object = /path/to/audit.so /path/to/recycle.so - writeable = yes - browseable = yes - + +[audit] + comment = Audited /data directory + path = /data + vfs object = /path/to/audit.so /path/to/recycle.so + writeable = yes + browseable = yes + @@ -87,7 +87,7 @@ the Samba Developers Guide. The logging information that will be written to the smbd log file is controlled by - the log level parameter in smb.conf. The + the log level parameter in smb.conf. The following information will be recorded: @@ -184,7 +184,7 @@ the Samba Developers Guide. Advantages compared to the old netatalk module: it doesn't care about creating of .AppleDouble forks, just keeps them in sync - if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically + if a share in &smb.conf; doesn't contain .AppleDouble item in hide or veto list, it will be added automatically @@ -203,7 +203,7 @@ to have his or her own CVS tree). -No statemets about the stability or functionality of any module +No statements about the stability or functionality of any module should be implied due to its presence here. diff --git a/docs/docbook/projdoc/securing-samba.xml b/docs/docbook/projdoc/securing-samba.xml index 58634fba359..10042603942 100644 --- a/docs/docbook/projdoc/securing-samba.xml +++ b/docs/docbook/projdoc/securing-samba.xml 
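Review bot: In the VFS audit hunk (@@ -87,7 +87,7), the rewritten line "+ the log level parameter in smb.conf. The" leaves "smb.conf" as plain text while the same commit converts it to the entity elsewhere in this file ("+ if a share in &smb.conf; doesn't contain .AppleDouble item in hide or veto list"), so use &smb.conf; here as well.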
@@ -48,7 +48,7 @@ the latest protocols to permit more secure MS Windows file and print operations. Samba may be secured from connections that originate from outside the local network. This may be done using host based protection (using samba's implementation of a technology known as "tcpwrappers", or it may be done be using interface based exclusion -so that smbd will bind only to specifically permitted interfaces. It is also +so that &smbd; will bind only to specifically permitted interfaces. It is also possible to set specific share or resource based exclusions, eg: on the IPC$ auto-share. The IPC$ share is used for browsing purposes as well as to establish TCP/IP connections. @@ -85,23 +85,23 @@ before someone will find yet another vulnerability. - One of the simplest fixes in this case is to use the hosts allow and - hosts deny options in the Samba &smb.conf; configuration file to only + One of the simplest fixes in this case is to use the hosts allow and + hosts deny options in the Samba &smb.conf; configuration file to only allow access to your server from a specific range of hosts. An example might be: - + hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 hosts deny = 0.0.0.0/0 - + The above will only allow SMB connections from 'localhost' (your own computer) and from the two private networks 192.168.2 and 192.168.3. All other connections will be refused as soon as the client sends its first packet. The refusal will be marked as a - 'not listening on called name' error. + not listening on called name error. @@ -111,12 +111,12 @@ before someone will find yet another vulnerability. If you want to restrict access to your server to valid users only then the following - method may be of use. In the smb.conf [globals] section put: + method may be of use. In the &smb.conf; [globals] section put: - + valid users = @smbusers, jacko - + What this does is, it restricts all server access to either the user jacko 
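Review bot: In the securing-samba introduction hunk (@@ -48,7 +48,7), the context lines around the touched "+so that &smbd; will bind only to specifically permitted interfaces." contain "(using samba's implementation of a technology known as "tcpwrappers", or it may be done be using interface based exclusion", where the parenthesis is never closed and "done be using" should be "done by using"; suggest closing the parenthesis after "tcpwrappers"" and fixing the typo while the paragraph is open.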
@@ -140,10 +140,10 @@ before someone will find yet another vulnerability. You can change this behaviour using options like the following: - + interfaces = eth* lo bind interfaces only = yes - + This tells Samba to only listen for connections on interfaces with a @@ -179,12 +179,12 @@ before someone will find yet another vulnerability. UDP ports to allow and block. Samba uses the following: - - UDP/137 - used by nmbd - UDP/138 - used by nmbd - TCP/139 - used by smbd - TCP/445 - used by smbd - + + UDP/137 - used by nmbd + UDP/138 - used by nmbd + TCP/139 - used by smbd + TCP/445 - used by smbd + The last one is important as many older firewall setups may not be @@ -209,11 +209,11 @@ before someone will find yet another vulnerability. To do that you could use: - - [ipc$] - hosts allow = 192.168.115.0/24 127.0.0.1 - hosts deny = 0.0.0.0/0 - + +[ipc$] + hosts allow = 192.168.115.0/24 127.0.0.1 + hosts deny = 0.0.0.0/0 + this would tell Samba that IPC$ connections are not allowed from @@ -225,7 +225,7 @@ before someone will find yet another vulnerability. - If you use this method then clients will be given a 'access denied' + If you use this method then clients will be given a access denied reply when they try to access the IPC$ share. That means that those clients will not be able to browse shares, and may also be unable to access some other resources. @@ -245,6 +245,7 @@ before someone will find yet another vulnerability. To configure NTLMv2 authentication the following registry keys are worth knowing about: + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] diff --git a/docs/docbook/projdoc/unicode.xml b/docs/docbook/projdoc/unicode.xml index 2351668e565..c222c2bdc1e 100644 --- a/docs/docbook/projdoc/unicode.xml +++ b/docs/docbook/projdoc/unicode.xml @@ -61,7 +61,7 @@ samba knows of three kinds of character sets: - unix charset + unix charset This is the charset used internally by your operating system. The default is ASCII, which is fine for most 
@@ -70,14 +70,14 @@ samba knows of three kinds of character sets: - display charset + display charset This is the charset samba will use to print messages on your screen. It should generally be the same as the unix charset. - dos charset + dos charset This is the charset samba uses when communicating with DOS and Windows 9x clients. It will talk unicode to all newer clients. The default depends on the charsets you have installed on your system. @@ -114,24 +114,24 @@ points of attention when setting it up: -You should set mangling method = -hash +You should set mangling method = +hash There are various iconv() implementations around and not all of them work equally well. glibc2's iconv() has a critical problem in CP932. libiconv-1.8 works with CP932 but still has some problems and does not work with EUC-JP. -You should set dos charset = CP932, not +You should set dos charset = CP932, not Shift_JIS, SJIS... -Currently only unix charset = CP932 +Currently only unix charset = CP932 will work (but still has some problems...) because of iconv() issues. -unix charset = EUC-JP doesn't work well because of +unix charset = EUC-JP doesn't work well because of iconv() issues. -Currently Samba 3.0 does not support unix charset -= UTF8-MAC/CAP/HEX/JIS* +Currently Samba 3.0 does not support unix charset += UTF8-MAC/CAP/HEX/JIS* diff --git a/docs/docbook/projdoc/winbind.xml b/docs/docbook/projdoc/winbind.xml index b588d162d17..f78f74f780f 100644 --- a/docs/docbook/projdoc/winbind.xml +++ b/docs/docbook/projdoc/winbind.xml @@ -10,7 +10,6 @@ &author.tridge; - &author.jht; NaagMummaneni @@ -224,7 +223,9 @@ of that service should be tried and in what order. If the passwd config line is: - passwd: files example + +passwd: files example + then the C library will first load a module called /lib/libnss_files.so followed by 
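Review bot: In the winbind.xml author hunk (@@ -10,7 +10,6), the removed line "- &author.jht;" drops an author from the chapter's credits, which is not a markup change like the rest of this commit; confirm the removal is intentional and, if so, mention it in the commit message.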
@@ -429,17 +430,15 @@ install the development packages in pam-devel-0.74-22. Before starting, it is probably best to kill off all the SAMBA -related daemons running on your server. Kill off all smbd, -nmbd, and winbindd processes that may +related daemons running on your server. Kill off all &smbd;, +&nmbd;, and &winbindd; processes that may be running. To use PAM, you will want to make sure that you have the standard PAM package (for RedHat) which supplies the /etc/pam.d directory structure, including the pam modules are used by pam-aware services, several pam libraries, and the /usr/doc and /usr/man entries for pam. Winbind built better in SAMBA if the pam-devel package was also installed. This package includes -the header files needed to compile pam-aware applications. For instance, -my RedHat system has both pam-0.74-22 and -pam-devel-0.74-22 RPMs installed. +the header files needed to compile pam-aware applications. @@ -451,14 +450,14 @@ The first three steps may not be necessary depending upon whether or not you have previously built the Samba binaries. - -root# autoconf -root# make clean -root# rm config.cache -root# ./configure -root# make -root# make install - + +&rootprompt;autoconf +&rootprompt;make clean +&rootprompt;rm config.cache +&rootprompt;./configure +&rootprompt;make +&rootprompt;make install + @@ -474,12 +473,14 @@ It will also build the winbindd executable and libraries. winbind libraries on Linux and Solaris -The libraries needed to run the winbindd daemon +The libraries needed to run the &winbindd; daemon through nsswitch need to be copied to their proper locations, so -root# cp ../samba/source/nsswitch/libnss_winbind.so /lib + +&rootprompt;cp ../samba/source/nsswitch/libnss_winbind.so /lib + 
@@ -487,19 +488,19 @@ I also found it necessary to make the following symbolic link: -root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 +&rootprompt; ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 And, in the case of Sun solaris: - -root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1 -root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1 -root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2 - + +&rootprompt;ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1 +&rootprompt;ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1 +&rootprompt;ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2 + Now, as root you need to edit /etc/nsswitch.conf to -allow user and group entries to be visible from the winbindd +allow user and group entries to be visible from the &winbindd; daemon. My /etc/nsswitch.conf file look like this after editing: @@ -518,7 +519,7 @@ is faster (and you don't need to reboot) if you do it manually: -root# /sbin/ldconfig -v | grep winbind +&rootprompt;/sbin/ldconfig -v | grep winbind @@ -567,11 +568,11 @@ url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/ia Several parameters are needed in the smb.conf file to control -the behavior of winbindd. Configure -smb.conf These are described in more detail in +the behavior of &winbindd;. Configure +&smb.conf; These are described in more detail in the winbindd 8 man page. My -smb.conf file was modified to +&smb.conf; file was modified to include the following entries in the [global] section: @@ -607,7 +608,7 @@ a domain user who has administrative privileges in the domain. -root# /usr/local/samba/bin/net join -S PDC -U Administrator +&rootprompt;/usr/local/samba/bin/net join -S PDC -U Administrator @@ -632,7 +633,7 @@ command as root: -root# /usr/local/samba/bin/winbindd +&rootprompt;/usr/local/samba/bin/winbindd 
@@ -641,11 +642,11 @@ run as 2 processes. The first will answer all requests from the cache, thus making responses to clients faster. The other will update the cache for the query that the first has just responded. Advantage of this is that responses stay accurate and are faster. -You can enable dual daemon mode by adding '-B' to the commandline: +You can enable dual daemon mode by adding to the commandline: -root# /usr/local/samba/bin/winbindd -B +&rootprompt;/usr/local/samba/bin/winbindd -B @@ -654,14 +655,14 @@ is really running... -root# ps -ae | grep winbindd +&rootprompt;ps -ae | grep winbindd This command should produce output like this, if the daemon is running - + 3025 ? 00:00:00 winbindd - + Now... for the real test, try to get some information about the @@ -669,7 +670,7 @@ users on your PDC -root# /usr/local/samba/bin/wbinfo -u +&rootprompt;/usr/local/samba/bin/wbinfo -u @@ -677,14 +678,14 @@ This should echo back a list of users on your Windows users on your PDC. For example, I get the following response: - + CEO+Administrator CEO+burdell CEO+Guest CEO+jt-ad CEO+krbtgt CEO+TsInternetUser - + Obviously, I have named my domain 'CEO' and my winbind @@ -696,8 +697,8 @@ You can do the same sort of thing to get group information from the PDC: - -root# /usr/local/samba/bin/wbinfo -g + +&rootprompt;/usr/local/samba/bin/wbinfo -g CEO+Domain Admins CEO+Domain Users CEO+Domain Guests @@ -707,7 +708,7 @@ the PDC: CEO+Schema Admins CEO+Enterprise Admins CEO+Group Policy Creator Owners - + The function 'getent' can now be used to get unified @@ -716,7 +717,7 @@ Try the following command: -root# getent passwd +&rootprompt;getent passwd @@ -730,7 +731,7 @@ The same thing can be done for groups with the command -root# getent group +&rootprompt;getent group 
@@ -743,14 +744,13 @@ The same thing can be done for groups with the command Linux -The winbindd daemon needs to start up after the -smbd and nmbd daemons are running. +The &winbindd; daemon needs to start up after the +&smbd; and &nmbd; daemons are running. To accomplish this task, you need to modify the startup scripts of your system. They are located at /etc/init.d/smb in RedHat and /etc/init.d/samba in Debian. script to add commands to invoke this daemon in the proper sequence. My -startup script starts up smbd, -nmbd, and winbindd from the +startup script starts up &smbd;, &nmbd;, and &winbindd; from the /usr/local/samba/bin directory directly. The 'start' function in the script looks like this: @@ -899,8 +899,7 @@ in the script above with: Restarting -If you restart the smbd, nmbd, -and winbindd daemons at this point, you +If you restart the &smbd;, &nmbd;, and &winbindd; daemons at this point, you should be able to connect to the samba server as a domain member just as if you were a local user. @@ -925,7 +924,7 @@ by invoking the command -root# make nsswitch/pam_winbind.so +&rootprompt;make nsswitch/pam_winbind.so @@ -937,7 +936,7 @@ modules reside in /usr/lib/security. -root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security +&rootprompt;cp ../samba/source/nsswitch/pam_winbind.so /lib/security @@ -982,8 +981,8 @@ For ftp services to work properly, you will also need to either have individual directories for the domain users already present on the server, or change the home directory template to a general directory for all domain users. These can be easily set using -the smb.conf global entry -template homedir. +the &smb.conf; global entry +template homedir. 
@@ -1023,8 +1022,8 @@ same way. It now looks like this: -In this case, I added the auth sufficient /lib/security/pam_winbind.so -lines as before, but also added the required pam_securetty.so +In this case, I added the auth sufficient /lib/security/pam_winbind.so +lines as before, but also added the required pam_securetty.so above it, to disallow root logins over the network. I also added a sufficient /lib/security/pam_unix.so use_first_pass line after the winbind.so line to get rid of annoying
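Review bot: in the Securing.xml hunk at @@ -225,7 the rewritten line reads "will be given a access denied reply"; once the quotes around the phrase are gone the article has to change too, so it should read "given an access denied reply".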
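Review bot: in the Securing.xml hunk at @@ -209,11 the "[ipc$]" header is dedented to column 0 while the two "hosts allow" / "hosts deny" lines under it keep their indentation, and the interfaces example at @@ -140,10 keeps all of its indentation; the two screen examples should use the same indentation so they render alike.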
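Review bot: the winbind.xml hunk at @@ -10,7 removes "&author.jht;" from the author list, which is a content change, not a syntax update; the commit message says nothing about dropping an author credit, so either explain it there or move that removal to its own commit.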
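Review bot: in the winbind.xml hunk at @@ -429,17 the sentence naming "pam-0.74-22 and pam-devel-0.74-22" is deleted, but the hunk's own header context still reads "install the development packages in pam-devel-0.74-22", so the version this hunk removes is still named one paragraph earlier; either keep the example or update that earlier sentence as well. While this paragraph is being rewritten, "including the pam modules are used by pam-aware services" should read "including the pam modules used by pam-aware services", and "Winbind built better in SAMBA if" should read "Winbind builds better in Samba if".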
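Review bot: in the winbind.xml hunk at @@ -487,19 the converted prompt "&rootprompt; ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2" has a space after the entity, while every other converted prompt in this patch ("&rootprompt;autoconf", "&rootprompt;ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1") has none; drop the space so the rendered prompts match.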
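Review bot: in the winbind.xml hunk at @@ -567,11 the fragment "Configure &smb.conf;" sits between "the behavior of &winbindd;." and "These are described in more detail" with no punctuation of its own, so the paragraph does not parse as sentences; either delete the fragment or make it a full sentence such as "Configure &smb.conf; as follows." while the line is being touched.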
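Review bot: in the winbind.xml hunk at @@ -641,11 the old line "You can enable dual daemon mode by adding '-B' to the commandline:" becomes "You can enable dual daemon mode by adding to the commandline:", so as shown the sentence no longer names the option; if the flag was moved into a markup element that the plain diff does not display, fine, otherwise "-B" needs to be put back in the sentence (the example command below it still shows "winbindd -B").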
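Review bot: in the winbind.xml hunk at @@ -743,14 the sentence "script to add commands to invoke this daemon in the proper sequence." is a fragment left over from an earlier edit; since this paragraph is being rewritten anyway, join it to the preceding text, e.g. "... and /etc/init.d/samba in Debian. Edit the script to add commands to invoke this daemon in the proper sequence."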