4 >SAMBA Project Documentation
</TITLE
7 CONTENT=
"Modular DocBook HTML Stylesheet Version 1.57"></HEAD
18 NAME=
"SAMBA-PROJECT-DOCUMENTATION"
25 NAME=
"SAMBA-PROJECT-DOCUMENTATION"
26 >SAMBA Project Documentation
</A
41 >This book is a collection of HOWTOs added to Samba documentation over the year.
42 I try to ensure that all are current, but sometimes the is a larger job
43 than one person can maintain. You can always find the later version of this
45 HREF=
"http://www.samba.org/"
47 >http://www.samba.org/
</A
49 on the
"Documentation" page. Please send updates to
<A
50 HREF=
"mailto:jerry@samba.org"
66 >How to Install and Test SAMBA
</A
73 >Step
0: Read the man pages
</A
78 >Step
1: Building the Binaries
</A
83 >Step
2: The all important step
</A
88 >Step
3: Create the smb configuration file.
</A
93 >Step
4: Test your config file with
102 >Step
5: Starting the smbd and nmbd
</A
109 >Step
5a: Starting from inetd.conf
</A
114 >Step
5b. Alternative: starting it as a daemon
</A
121 >Step
6: Try listing the shares available on your
127 >Step
7: Try connecting with the unix client
</A
132 >Step
8: Try connecting from a DOS, WfWg, Win9x, WinNT,
133 Win2k, OS/
2, etc... client
</A
138 >What If Things Don't Work?
</A
145 >Diagnosing Problems
</A
155 >Choosing the Protocol Level
</A
160 >Printing from UNIX to a Client PC
</A
170 >Mapping Usernames
</A
175 >Other Character Sets
</A
184 >LanMan and NT Password Encryption in Samba
2.x
</A
196 >How does it work?
</A
201 >Important Notes About Security
</A
208 >Advantages of SMB Encryption
</A
213 >Advantages of non-encrypted passwords
</A
221 NAME=
"SMBPASSWDFILEFORMAT"
223 >The smbpasswd file
</A
228 >The smbpasswd Command
</A
233 >Setting up Samba to support LanManager Encryption
</A
240 >Hosting a Microsoft Distributed File System tree on Samba
</A
263 >Printing Support in Samba
2.2.x
</A
282 >Creating [print$]
</A
287 >Setting Drivers for Existing Printers
</A
292 >Support a large number of printers
</A
297 >Adding New Printers via the Windows NT APW
</A
302 >Samba and Printer Ports
</A
309 >The Imprints Toolset
</A
316 >What is Imprints?
</A
321 >Creating Printer Driver Packages
</A
326 >The Imprints server
</A
331 >The Installation Client
</A
341 >Migration to from Samba
2.0.x to
349 >security = domain in Samba
2.x
</A
356 >Joining an NT Domain with Samba
2.2</A
361 >Samba and Windows
2000 Domains
</A
366 >Why is this better than security = server?
</A
373 >How to Configure Samba
2.2.x as a Primary Domain Controller
</A
385 >Configuring the Samba Domain Controller
</A
390 >Creating Machine Trust Accounts and Joining Clients
396 >Common Problems and Errors
</A
401 >System Policies and Profiles
</A
406 >What other help can I get ?
</A
425 >DOMAIN_CONTROL.txt : Windows NT Domain Control
& Samba
</A
432 >Unifed Logons between Windows NT and UNIX using Winbind
</A
449 >What Winbind Provides
</A
463 >How Winbind Works
</A
470 >Microsoft Remote Procedure Calls
</A
475 >Name Service Switch
</A
480 >Pluggable Authentication Modules
</A
485 >User and Group ID Allocation
</A
497 >Installation and Configuration
</A
514 >UNIX Permission Bits and WIndows NT Access Control Lists
</A
521 >Viewing and changing UNIX permissions using the NT
527 >How to view file security on a Samba share
</A
532 >Viewing file ownership
</A
537 >Viewing file or directory permissions
</A
549 >Directory Permissions
</A
556 >Modifying file or directory permissions
</A
561 >Interaction with the standard Samba create mask
567 >Interaction with the standard Samba file attribute
589 >How can I configure OS/
2 Warp Connect or
590 OS/
2 Warp
4 as a client for Samba?
</A
595 >How can I configure OS/
2 Warp
3 (not Connect),
596 OS/
2 1.2,
1.3 or
2.x for Samba?
</A
601 >Are there any other issues when OS/
2 (any version)
602 is used as a client?
</A
607 >How do I get printer driver download working
621 >Chapter
1. How to Install and Test SAMBA
</A
629 >1.1. Step
0: Read the man pages
</A
632 >The man pages distributed with SAMBA contain
633 lots of useful info that will help to get you started.
634 If you don't know how to read man pages then try
643 >nroff -man smbd
.8 | more
648 >Other sources of information are pointed to
649 by the Samba web site,
<A
650 HREF=
"http://www.samba.org/"
652 > http://www.samba.org
</A
661 >1.2. Step
1: Building the Binaries
</A
664 >To do this, first run the program
<B
668 > in the source directory. This should automatically
669 configure Samba for your operating system. If you have unusual
670 needs then you may wish to run
</P
683 >first to see what special options you can enable.
696 >will create the binaries. Once it's successfully
697 compiled you can use
</P
709 >to install the binaries and manual pages. You can
710 separately install the binaries and/or man pages using
</P
736 >Note that if you are upgrading for a previous version
737 of Samba you might like to know that the old versions of
738 the binaries will be renamed with a
".old" extension. You
739 can go back to the previous version with
</P
752 >if you find this version a disaster!
</P
760 >1.3. Step
2: The all important step
</A
763 >At this stage you must fetch yourself a
764 coffee or other drink you find stimulating. Getting the rest
765 of the install right can sometimes be tricky, so you will
768 >If you have installed samba before then you can skip
777 >1.4. Step
3: Create the smb configuration file.
</A
780 >There are sample configuration files in the examples
781 subdirectory in the distribution. I suggest you read them
782 carefully so you can see how the options go together in
783 practice. See the man page for all the options.
</P
785 >The simplest useful configuration file would be
786 something like this:
</P
795 CLASS=
"PROGRAMLISTING"
808 >which would allow connections by anyone with an
809 account on the server, using either their login name or
810 "homes" as the service name. (Note that I also set the
811 workgroup that Samba is part of. See BROWSING.txt for defails)
</P
820 > file. You need to create it
823 >Make sure you put the smb.conf file in the same place
824 you specified in the
<TT
830 >/usr/local/samba/lib/
</TT
833 >For more information about security settings for the
834 [homes] share please refer to the document UNIX_SECURITY.txt.
</P
842 >1.5. Step
4: Test your config file with
849 >It's important that you test the validity of your
853 > file using the testparm program.
854 If testparm runs OK then it will list the loaded services. If
855 not it will give an error message.
</P
857 >Make sure it runs OK and that the services look
858 resonable before proceeding.
</P
866 >1.6. Step
5: Starting the smbd and nmbd
</A
869 >You must choose to start smbd and nmbd either
870 as daemons or from
<B
874 to do both! Either you can put them in
<TT
877 > and have them started on demand
881 >, or you can start them as
882 daemons either from the command line or in
<TT
885 >. See the man pages for details
886 on the command line options. Take particular care to read
887 the bit about what user you need to be in order to start
888 Samba. In many cases you must be root.
</P
890 >The main advantage of starting
<B
897 > as a daemon is that they will
898 respond slightly more quickly to an initial connection
899 request. This is, however, unlikely to be a problem.
</P
906 >1.6.1. Step
5a: Starting from inetd.conf
</A
909 >NOTE; The following will be different if
910 you use NIS or NIS+ to distributed services maps.
</P
916 What is defined at port
139/tcp. If nothing is defined
917 then add a line like this:
</P
922 >netbios-ssn
139/tcp
</B
926 >similarly for
137/udp you should have an entry like:
</P
931 >netbios-ns
137/udp
</B
939 and add two lines something like this:
</P
948 CLASS=
"PROGRAMLISTING"
949 > netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
950 netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
957 >The exact syntax of
<TT
961 varies between unixes. Look at the other entries in inetd.conf
964 >NOTE: Some unixes already have entries like netbios_ns
965 (note the underscore) in
<TT
969 You must either edit
<TT
976 > to make them consistant.
</P
978 >NOTE: On many systems you may need to use the
979 "interfaces" option in smb.conf to specify the IP address
980 and netmask of your interfaces. Run
<B
984 as root if you don't know what the broadcast is for your
988 > tries to determine it at run
989 time, but fails on somunixes. See the section on
"testing nmbd"
990 for a method of finding if you need to do this.
</P
992 >!!!WARNING!!! Many unixes only accept around
5
993 parameters on the command line in
<TT
997 This means you shouldn't use spaces between the options and
998 arguments, or you should use a script, and start the script
1007 >, perhaps just send
1008 it a HUP. If you have installed an earlier version of
<B
1011 > then you may need to kill nmbd as well.
</P
1019 >1.6.2. Step
5b. Alternative: starting it as a daemon
</A
1022 >To start the server as a daemon you should create
1023 a script something like this one, perhaps calling
1036 CLASS=
"PROGRAMLISTING"
1038 /usr/local/samba/bin/smbd -D
1039 /usr/local/samba/bin/nmbd -D
1046 >then make it executable with
<B
1052 >You can then run
<B
1056 hand or execute it from
<TT
1062 >To kill it send a kill signal to the processes
1071 >NOTE: If you use the SVR4 style init system then
1072 you may like to look at the
<TT
1074 >examples/svr4-startup
</TT
1076 script to make Samba fit into that system.
</P
1085 >1.7. Step
6: Try listing the shares available on your
1105 >Your should get back a list of shares available on
1106 your server. If you don't then something is incorrectly setup.
1107 Note that this method can also be used to see what shares
1108 are available on other LanManager clients (such as WfWg).
</P
1110 >If you choose user level security then you may find
1111 that Samba requests a password before it will list the shares.
1115 > man page for details. (you
1116 can force it to list the shares without a password by
1117 adding the option -U% to the command line. This will not work
1118 with non-Samba servers)
</P
1126 >1.8. Step
7: Try connecting with the unix client
</A
1138 > //yourhostname/aservice
</I
1150 would be the name of the host where you installed
<B
1159 any service you have defined in the
<TT
1163 file. Try your user name if you just have a [homes] section
1169 >For example if your unix host is bambi and your login
1170 name is fred you would type:
</P
1178 >smbclient //bambi/fred
1189 >1.9. Step
8: Try connecting from a DOS, WfWg, Win9x, WinNT,
1190 Win2k, OS/
2, etc... client
</A
1193 >Try mounting disks. eg:
</P
1197 >C:\WINDOWS\
> </TT
1201 >net use d: \\servername\service
1206 >Try printing. eg:
</P
1210 >C:\WINDOWS\
> </TT
1215 \\servername\spoolservice
</B
1221 >C:\WINDOWS\
> </TT
1230 >Celebrate, or send me a bug report!
</P
1238 >1.10. What If Things Don't Work?
</A
1241 >If nothing works and you start to think
"who wrote
1242 this pile of trash" then I suggest you do step
2 again (and
1243 again) till you calm down.
</P
1245 >Then you might read the file DIAGNOSIS.txt and the
1246 FAQ. If you are still stuck then try the mailing list or
1247 newsgroup (look in the README for details). Samba has been
1248 successfully installed at thousands of sites worldwide, so maybe
1249 someone else has hit your problem and has overcome it. You could
1250 also use the WWW site to scan back issues of the samba-digest.
</P
1252 >When you fix the problem PLEASE send me some updates to the
1253 documentation (or source code) so that the next person will find it
1261 >1.10.1. Diagnosing Problems
</A
1264 >If you have instalation problems then go to
1268 > to try to find the
1277 >1.10.2. Scope IDs
</A
1280 >By default Samba uses a blank scope ID. This means
1281 all your windows boxes must also have a blank scope ID.
1282 If you really want to use a non-blank scope ID then you will
1283 need to use the -i
<scope
> option to nmbd, smbd, and
1284 smbclient. All your PCs will need to have the same setting for
1285 this to work. I do not recommend scope IDs.
</P
1293 >1.10.3. Choosing the Protocol Level
</A
1296 >The SMB protocol has many dialects. Currently
1297 Samba supports
5, called CORE, COREPLUS, LANMAN1,
1300 >You can choose what maximum protocol to support
1304 > file. The default is
1305 NT1 and that is the best for the vast majority of sites.
</P
1307 >In older versions of Samba you may have found it
1308 necessary to use COREPLUS. The limitations that led to
1309 this have mostly been fixed. It is now less likely that you
1310 will want to use less than LANMAN1. The only remaining advantage
1311 of COREPLUS is that for some obscure reason WfWg preserves
1312 the case of passwords in this protocol, whereas under LANMAN1,
1313 LANMAN2 or NT1 it uppercases all passwords before sending them,
1314 forcing you to use the
"password level=" option in some cases.
</P
1316 >The main advantage of LANMAN2 and NT1 is support for
1317 long filenames with some clients (eg: smbclient, Windows NT
1320 >See the smb.conf(
5) manual page for more details.
</P
1322 >Note: To support print queue reporting you may find
1323 that you have to use TCP/IP as the default protocol under
1324 WfWg. For some reason if you leave Netbeui as the default
1325 it may break the print queue reporting on some systems.
1326 It is presumably a WfWg bug.
</P
1334 >1.10.4. Printing from UNIX to a Client PC
</A
1337 >To use a printer that is available via a smb-based
1338 server from a unix host you will need to compile the
1339 smbclient program. You then need to install the script
1340 "smbprint". Read the instruction in smbprint for more details.
1343 >There is also a SYSV style script that does much
1344 the same thing called smbprint.sysv. It contains instructions.
</P
1355 >One area which sometimes causes trouble is locking.
</P
1357 >There are two types of locking which need to be
1358 performed by a SMB server. The first is
"record locking"
1359 which allows a client to lock a range of bytes in a open file.
1360 The second is the
"deny modes" that are specified when a file
1363 >Samba supports
"record locking" using the fcntl() unix system
1364 call. This is often implemented using rpc calls to a rpc.lockd process
1365 running on the system that owns the filesystem. Unfortunately many
1366 rpc.lockd implementations are very buggy, particularly when made to
1367 talk to versions from other vendors. It is not uncommon for the
1368 rpc.lockd to crash.
</P
1370 >There is also a problem translating the
32 bit lock
1371 requests generated by PC clients to
31 bit requests supported
1372 by most unixes. Unfortunately many PC applications (typically
1373 OLE2 applications) use byte ranges with the top bit set
1374 as semaphore sets. Samba attempts translation to support
1375 these types of applications, and the translation has proved
1376 to be quite successful.
</P
1378 >Strictly a SMB server should check for locks before
1379 every read and write call on a file. Unfortunately with the
1380 way fcntl() works this can be slow and may overstress the
1381 rpc.lockd. It is also almost always unnecessary as clients
1382 are supposed to independently make locking calls before reads
1383 and writes anyway if locking is important to them. By default
1384 Samba only makes locking calls when explicitly asked
1385 to by a client, but if you set
"strict locking = yes" then it will
1386 make lock checking calls on every read and write.
</P
1388 >You can also disable by range locking completely
1389 using
"locking = no". This is useful for those shares that
1390 don't support locking or don't need it (such as cdroms). In
1391 this case Samba fakes the return codes of locking calls to
1392 tell clients that everything is OK.
</P
1394 >The second class of locking is the
"deny modes". These
1395 are set by an application when it opens a file to determine
1396 what types of access should be allowed simultaneously with
1397 its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE
1398 or DENY_ALL. There are also special compatability modes called
1399 DENY_FCB and DENY_DOS.
</P
1401 >You can disable share modes using
"share modes = no".
1402 This may be useful on a heavily loaded server as the share
1403 modes code is very slow. See also the FAST_SHARE_MODES
1404 option in the Makefile for a way to do full share modes
1405 very fast using shared memory (if your OS supports it).
</P
1413 >1.10.6. Mapping Usernames
</A
1416 >If you have different usernames on the PCs and
1417 the unix server then take a look at the
"username map" option.
1418 See the smb.conf man page for details.
</P
1426 >1.10.7. Other Character Sets
</A
1429 >If you have problems using filenames with accented
1430 characters in them (like the German, French or Scandinavian
1431 character sets) then I recommmend you look at the
"valid chars"
1432 option in smb.conf and also take a look at the validchars
1433 package in the examples directory.
</P
1442 >Chapter
2. LanMan and NT Password Encryption in Samba
2.x
</A
1450 >2.1. Introduction
</A
1453 >With the development of LanManager and Windows NT
1454 compatible password encryption for Samba, it is now able
1455 to validate user connections in exactly the same way as
1456 a LanManager or Windows NT server.
</P
1458 >This document describes how the SMB password encryption
1459 algorithm works and what issues there are in choosing whether
1460 you want to use it. You should read it carefully, especially
1461 the part about security and the
"PROS and CONS" section.
</P
1469 >2.2. How does it work?
</A
1472 >LanManager encryption is somewhat similar to UNIX
1473 password encryption. The server uses a file containing a
1474 hashed value of a user's password. This is created by taking
1475 the user's plaintext password, capitalising it, and either
1476 truncating to
14 bytes or padding to
14 bytes with null bytes.
1477 This
14 byte value is used as two
56 bit DES keys to encrypt
1478 a 'magic' eight byte value, forming a
16 byte value which is
1479 stored by the server and client. Let this value be known as
1480 the
"hashed password".
</P
1482 >Windows NT encryption is a higher quality mechanism,
1483 consisting of doing an MD4 hash on a Unicode version of the user's
1484 password. This also produces a
16 byte hash value that is
1487 >When a client (LanManager, Windows for WorkGroups, Windows
1488 95 or Windows NT) wishes to mount a Samba drive (or use a Samba
1489 resource), it first requests a connection and negotiates the
1490 protocol that the client and server will use. In the reply to this
1491 request the Samba server generates and appends an
8 byte, random
1492 value - this is stored in the Samba server after the reply is sent
1493 and is known as the
"challenge". The challenge is different for
1494 every client connection.
</P
1496 >The client then uses the hashed password (
16 byte values
1497 described above), appended with
5 null bytes, as three
56 bit
1498 DES keys, each of which is used to encrypt the challenge
8 byte
1499 value, forming a
24 byte value known as the
"response".
</P
1501 >In the SMB call SMBsessionsetupX (when user level security
1502 is selected) or the call SMBtconX (when share level security is
1503 selected), the
24 byte response is returned by the client to the
1504 Samba server. For Windows NT protocol levels the above calculation
1505 is done on both hashes of the user's password and both responses are
1506 returned in the SMB call, giving two
24 byte values.
</P
1508 >The Samba server then reproduces the above calculation, using
1509 its own stored value of the
16 byte hashed password (read from the
1513 > file - described later) and the challenge
1514 value that it kept from the negotiate protocol reply. It then checks
1515 to see if the
24 byte value it calculates matches the
24 byte value
1516 returned to it from the client.
</P
1518 >If these values match exactly, then the client knew the
1519 correct password (or the
16 byte hashed value - see security note
1520 below) and is thus allowed access. If not, then the client did not
1521 know the correct password and is denied access.
</P
1523 >Note that the Samba server never knows or stores the cleartext
1524 of the user's password - just the
16 byte hashed values derived from
1525 it. Also note that the cleartext password or
16 byte hashed values
1526 are never transmitted over the network - thus increasing security.
</P
1534 >2.3. Important Notes About Security
</A
1537 >The unix and SMB password encryption techniques seem similar
1538 on the surface. This similarity is, however, only skin deep. The unix
1539 scheme typically sends clear text passwords over the nextwork when
1540 logging in. This is bad. The SMB encryption scheme never sends the
1541 cleartext password over the network but it does store the
16 byte
1542 hashed values on disk. This is also bad. Why? Because the
16 byte hashed
1543 values are a
"password equivalent". You cannot derive the user's
1544 password from them, but they could potentially be used in a modified
1545 client to gain access to a server. This would require considerable
1546 technical knowledge on behalf of the attacker but is perfectly possible.
1547 You should thus treat the smbpasswd file as though it contained the
1548 cleartext passwords of all your users. Its contents must be kept
1549 secret, and the file should be protected accordingly.
</P
1551 >Ideally we would like a password scheme which neither requires
1552 plain text passwords on the net or on disk. Unfortunately this
1553 is not available as Samba is stuck with being compatible with
1554 other SMB systems (WinNT, WfWg, Win95 etc).
</P
1574 >Note that Windows NT
4.0 Service pack
3 changed the
1575 default for permissible authentication so that plaintext
1578 > sent over the wire.
1579 The solution to this is either to switch to encrypted passwords
1580 with Samba or edit the Windows NT registry to re-enable plaintext
1581 passwords. See the document WinNT.txt for details on how to do
1584 >Other Microsoft operating systems which also exhibit
1585 this behavior includes
</P
1591 >MS DOS Network client
3.0 with
1592 the basic network redirector installed
</P
1596 >Windows
95 with the network redirector
1611 >All current release of
1612 Microsoft SMB/CIFS clients support authentication via the
1613 SMB Challenge/Response mechanism described here. Enabling
1614 clear text authentication does not disable the ability
1615 of the client to particpate in encrypted authentication.
</P
1626 >2.3.1. Advantages of SMB Encryption
</A
1633 >plain text passwords are not passed across
1634 the network. Someone using a network sniffer cannot just
1635 record passwords going to the SMB server.
</P
1639 >WinNT doesn't like talking to a server
1640 that isn't using SMB encrypted passwords. It will refuse
1641 to browse the server if the server is also in user level
1642 security mode. It will insist on prompting the user for the
1643 password on each connection, which is very annoying. The
1644 only things you can do to stop this is to use SMB encryption.
1655 >2.3.2. Advantages of non-encrypted passwords
</A
1662 >plain text passwords are not kept
1667 >uses same password file as other unix
1668 services such as login and ftp
</P
1672 >you are probably already using other
1673 services (such as telnet and ftp) which send plain text
1674 passwords over the net, so sending them for SMB isn't
1687 NAME=
"SMBPASSWDFILEFORMAT"
1689 >The smbpasswd file
</A
1692 >In order for Samba to participate in the above protocol
1693 it must be able to look up the
16 byte hashed values given a user name.
1694 Unfortunately, as the UNIX password value is also a one way hash
1695 function (ie. it is impossible to retrieve the cleartext of the user's
1696 password given the UNIX hash of it), a separate password file
1697 containing this
16 byte value must be kept. To minimise problems with
1698 these two password files, getting out of sync, the UNIX
<TT
1708 >, is provided to generate
1709 a smbpasswd file from a UNIX
<TT
1715 >To generate the smbpasswd file from your
<TT
1719 > file use the following command :
</P
1727 >cat /etc/passwd | mksmbpasswd.sh
1728 > /usr/local/samba/private/smbpasswd
</B
1732 >If you are running on a system that uses NIS, use
</P
1740 >ypcat passwd | mksmbpasswd.sh
1741 > /usr/local/samba/private/smbpasswd
</B
1748 > program is found in
1749 the Samba source directory. By default, the smbpasswd file is
1754 >/usr/local/samba/private/smbpasswd
</TT
1757 >The owner of the
<TT
1759 >/usr/local/samba/private/
</TT
1761 directory should be set to root, and the permissions on it should
1764 >chmod
500 /usr/local/samba/private
</B
1768 >Likewise, the smbpasswd file inside the private directory should
1769 be owned by root and the permissions on is should be set to
0600
1772 >chmod
600 smbpasswd
</B
1775 >The format of the smbpasswd file is (The line has been
1776 wrapped here. It should appear as one entry per line in
1777 your smbpasswd file.)
</P
1786 CLASS=
"PROGRAMLISTING"
1787 >username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
1788 [Account type]:LCT-
<last-change-time
>:Long name
1795 >Although only the
<TT
1809 > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
</I
1820 > last-change-time
</I
1822 > sections are significant
1823 and are looked at in the Samba code.
</P
1827 > important that there by
32
1828 'X' characters between the two ':' characters in the XXX sections -
1829 the smbpasswd and Samba code will fail to validate any entries that
1830 do not have
32 characters between ':' characters. The first XXX
1831 section is for the Lanman password hash, the second is for the
1832 Windows NT version.
</P
1834 >When the password file is created all users have password entries
1835 consisting of
32 'X' characters. By default this disallows any access
1836 as this user. When a user has a password set, the 'X' characters change
1837 to
32 ascii hexadecimal digits (
0-
9, A-F). These are an ascii
1838 representation of the
16 byte hashed value of a user's password.
</P
1840 >To set a user to have no password (not recommended), edit the file
1841 using vi, and replace the first
11 characters with the ascii text
1845 > (minus the quotes).
</P
1847 >For example, to clear the password for user bob, his smbpasswd file
1848 entry would look like :
</P
1857 CLASS=
"PROGRAMLISTING"
1858 > bob:
100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-
00000000:Bob's full name:/bobhome:/bobshell
1865 >If you are allowing users to use the smbpasswd command to set
1866 their own passwords, you may want to give users NO PASSWORD initially
1867 so they do not have to enter a previous password when changing to their
1868 new password (not recommended). In order for you to allow this the
1872 > program must be able to connect to the
1876 > daemon as that user with no password. Enable this
1877 by adding the line :
</P
1881 >null passwords = yes
</B
1884 >to the [global] section of the smb.conf file (this is why
1885 the above scenario is not recommended). Preferably, allocate your
1886 users a default password to begin with, so you do not have
1887 to enable this on your server.
</P
1891 >This file should be protected very
1892 carefully. Anyone with access to this file can (with enough knowledge of
1893 the protocols) gain access to your SMB server. The file is thus more
1894 sensitive than a normal unix
<TT
1905 >2.5. The smbpasswd Command
</A
1908 >The smbpasswd command maintains the two
32 byte password fields
1909 in the smbpasswd file. If you wish to make it similar to the unix
1919 >/usr/local/samba/bin/
</TT
1921 main Samba binary directory).
</P
1923 >Note that as of Samba
1.9.18p4 this program
<EM
1926 > setuid root (the new
<B
1930 code enforces this restriction so it cannot be run this way by
1936 > now works in a client-server mode
1937 where it contacts the local smbd to change the user's password on its
1938 behalf. This has enormous benefits - as follows.
</P
1944 >smbpasswd no longer has to be setuid root -
1945 an enormous range of potential security problems is
1953 > now has the capability
1954 to change passwords on Windows NT servers (this only works when
1955 the request is sent to the NT Primary Domain Controller if you
1956 are changing an NT Domain user's password).
</P
1960 >To run smbpasswd as a normal user just type :
</P
1974 >Old SMB password:
</TT
1978 ><type old value here -
1979 or hit return if there was no old password
></B
1985 >New SMB Password:
</TT
1989 ><type new value
>
1996 >Repeat New SMB Password:
</TT
2000 ><re-type new value
2005 >If the old value does not match the current value stored for
2006 that user, or the two new values do not match each other, then the
2007 password will not be changed.
</P
2009 >If invoked by an ordinary user it will only allow the user
2010 to change his or her own Samba password.
</P
2012 >If run by the root user smbpasswd may take an optional
2013 argument, specifying the user name whose SMB password you wish to
2014 change. Note that when run as root smbpasswd does not prompt for
2015 or check the old password value, thus allowing root to set passwords
2016 for users who have forgotten their passwords.
</P
2021 > is designed to work in the same way
2022 and be familiar to UNIX users who use the
<B
2031 >For more details on using
<B
2035 to the man page which will always be the definitive reference.
</P
2043 >2.6. Setting up Samba to support LanManager Encryption
</A
2046 >This is a very brief description on how to setup samba to
2047 support password encryption.
</P
2054 >compile and install samba as usual
</P
2058 >enable encrypted passwords in
<TT
2061 > by adding the line
<B
2065 > in the [global] section
</P
2069 >create the initial
<TT
2073 password file in the place you specified in the Makefile
2074 (--prefix=
<dir
>). See the notes under the
<A
2075 HREF=
"#SMBPASSWDFILEFORMAT"
2076 >The smbpasswd File
</A
2078 section earlier in the document for details.
</P
2082 >Note that you can test things using smbclient.
</P
2090 >Chapter
3. Hosting a Microsoft Distributed File System tree on Samba
</A
2098 >3.1. Instructions
</A
2101 >The Distributed File System (or Dfs) provides a means of
2102 separating the logical view of files and directories that users
2103 see from the actual physical locations of these resources on the
2104 network. It allows for higher availability, smoother storage expansion,
2105 load balancing etc. For more information about Dfs, refer to
<A
2106 HREF=
"http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp"
2108 > Microsoft documentation
</A
2111 >This document explains how to host a Dfs tree on a Unix
2112 machine (for Dfs-aware clients to browse) using Samba.
</P
2114 >To enable SMB-based DFS for Samba, configure it with the
2120 > option. Once built, a
2121 Samba server can be made a Dfs server by setting the global
2123 HREF=
"smb.conf.5.html#HOSTMSDFS"
2131 > parameter in the
<TT
2135 > file. You designate a share as a Dfs root using the share
2137 HREF=
"smb.conf.5.html#MSDFSROOT"
2145 > parameter. A Dfs root directory on
2146 Samba hosts Dfs links in the form of symbolic links that point
2147 to other servers. For example, a symbolic link
2150 >junction-
>msdfs:storage1\share1
</TT
2152 the share directory acts as the Dfs junction. When Dfs-aware
2153 clients attempt to access the junction link, they are redirected
2154 to the storage location (in this case, \\storage1\share1).
</P
2156 >Dfs trees on Samba work with all Dfs-aware clients ranging
2157 from Windows
95 to
2000.
</P
2159 >Here's an example of setting up a Dfs tree on a Samba
2169 CLASS=
"PROGRAMLISTING"
2170 ># The smb.conf file:
2172 netbios name = SAMBA
2176 path = /export/dfsroot
2184 >In the /export/dfsroot directory we set up our dfs links to
2185 other servers on the network.
</P
2193 >cd /export/dfsroot
</B
2203 >chown root /export/dfsroot
</B
2213 >chmod
755 /export/dfsroot
</B
2223 >ln -s msdfs:storageA\\shareA linka
</B
2233 >ln -s msdfs:serverB\\share,serverC\\share linkb
</B
2237 >You should set up the permissions and ownership of
2238 the directory acting as the Dfs root such that only designated
2239 users can create, delete or modify the msdfs links. Also note
2240 that symlink names should be all lowercase. This limitation exists
2241 to have Samba avoid trying all the case combinations to get at
2242 the link name. Finally set up the symbolic links to point to the
2243 network shares you want, and start Samba.
</P
2245 >Users on Dfs-aware clients can now browse the Dfs tree
2246 on the Samba server at \\samba\dfs. Accessing
2247 links linka or linkb (which appear as directories to the client)
2248 takes users directly to the appropriate shares on the network.
</P
2262 >Windows clients need to be rebooted
2263 if a previously mounted non-dfs share is made a dfs
2264 root or vice versa. A better way is to introduce a
2265 new share and make it the dfs root.
</P
2269 >Currently there's a restriction that msdfs
2270 symlink names should all be lowercase.
</P
2274 >For security purposes, the directory
2275 acting as the root of the Dfs tree should have ownership
2276 and permissions set so that only designated users can
2277 modify the symbolic links in the directory.
</P
2288 >Chapter
4. Printing Support in Samba
2.2.x
</A
2296 >4.1. Introduction
</A
2299 >Beginning with the
2.2.0 release, Samba supports
2300 the native Windows NT printing mechanisms implemented via
2301 MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of
2302 Samba only supported LanMan printing calls.
</P
2304 >The additional functionality provided by the new
2305 SPOOLSS support includes:
</P
2311 >Support for downloading printer driver
2312 files to Windows
95/
98/NT/
2000 clients upon demand.
2317 >Uploading of printer drivers via the
2318 Windows NT Add Printer Wizard (APW) or the
2319 Imprints tool set (refer to
<A
2320 HREF=
"http://imprints.sourceforge.net"
2322 >http://imprints.sourceforge.net
</A
2328 >Support for the native MS-RPC printing
2329 calls such as StartDocPrinter, EnumJobs(), etc... (See
2330 the MSDN documentation at
<A
2331 HREF=
"http://msdn.microsoft.com/"
2333 >http://msdn.microsoft.com/
</A
2335 for more information on the Win32 printing API)
2340 >Support for NT Access Control Lists (ACL)
2341 on printer objects
</P
2345 >Improved support for printer queue manipulation
2346 through the use of an internal databases for spooled job
2357 >4.2. Configuration
</A
2362 > Previous versions of Samba
2363 recommended using a share named [printer$]. This name was taken from the
2364 printer$ service created by Windows
9x clients when a
2365 printer was shared. Windows
9x printer servers always have
2366 a printer$ service which provides read-only access via no
2367 password in order to support printer driver downloads.
</P
2369 >However, the initial implementation allowed for a
2373 >printer driver location
</I
2376 to be used on a per share basis to specify the location of
2377 the driver files associated with that printer. Another
2384 a means of defining the printer driver name to be sent to
2387 >These parameters, including
<TT
2393 > parameter, are being depreciated and should not
2394 be used in new installations. For more information on this change,
2395 you should refer to the
<A
2397 >Migration section
</A
2398 >of this document.
</P
2405 >4.2.1. Creating [print$]
</A
2408 >In order to support the uploading of printer driver
2409 files, you must first configure a file share named [print$].
2410 The name of this share is hard coded in Samba's internals so
2411 the name is very important (print$ is the service used by
2412 Windows NT print servers to provide support for printer driver
2415 >You should modify the server's smb.conf file to create the
2416 following file share (of course, some of the parameter values,
2417 such as 'path' are arbitrary and should be replaced with
2418 appropriate values for your site):
</P
2427 CLASS=
"PROGRAMLISTING"
2429 path = /usr/local/samba/printers
2433 write list = ntadmin
</PRE
2440 HREF=
"smb.conf.5.html#WRITELIST"
2448 > is used to allow administrative
2449 level user accounts to have write access in order to update files
2450 on the share. See the
<A
2451 HREF=
"smb./conf.5.html"
2453 >smb.conf(
5) man page
</A
2454 > for more information on
2455 configuring file shares.
</P
2457 >The requirement for
<A
2458 HREF=
"smb.conf.5.html#GUESTOK"
2464 > depends upon how your
2465 site is configured. If users will be guaranteed to have
2466 an account on the Samba host, then this is a non-issue.
</P
2474 >The non-issue is that if all your Windows NT users are guaranteed to be
2475 authenticated by the Samba server (such as a domain member server and the NT
2476 user has already been validated by the Domain Controller in
2477 order to logon to the Windows NT console), then guest access
2478 is not necessary. Of course, in a workgroup environment where
2479 you just want to be able to print without worrying about
2480 silly accounts and security, then configure the share for
2481 guest access. You'll probably want to add
<A
2482 HREF=
"smb.conf.5.html#MAPTOGUEST"
2486 >map to guest = Bad User
</B
2488 > in the [global] section as well. Make sure
2489 you understand what this parameter does before using it
2494 >In order for a Windows NT print server to support
2495 the downloading of driver files by multiple client architectures,
2496 it must create subdirectories within the [print$] service
2497 which correspond to each of the supported client architectures.
2498 Samba follows this model as well.
</P
2500 >Next create the directory tree below the [print$] share
2501 for each architecture you wish to support.
</P
2510 CLASS=
"PROGRAMLISTING"
2512 |-W32X86 ;
"Windows NT x86"
2513 |-WIN40 ;
"Windows 95/98"
2514 |-W32ALPHA ;
"Windows NT Alpha_AXP"
2515 |-W32MIPS ;
"Windows NT R4000"
2516 |-W32PPC ;
"Windows NT PowerPC"</PRE
2533 >ATTENTION! REQUIRED PERMISSIONS
</B
2540 >In order to currently add a new driver to you Samba host,
2541 one of two conditions must hold true:
</P
2547 >The account used to connect to the Samba host
2548 must have a uid of
0 (i.e. a root account)
</P
2552 >The account used to connect to the Samba host
2553 must be a member of the
<A
2554 HREF=
"smb.conf.5.html#PRINTERADMIN"
2567 >Of course, the connected account must still possess access
2568 to add files to the subdirectories beneath [print$].
</P
2574 >Once you have created the required [print$] service and
2575 associated subdirectories, simply log onto the Samba server using
2582 from a Windows NT
4.0 client. Navigate to the
"Printers" folder
2583 on the Samba server. You should see an initial listing of printers
2584 that matches the printer shares defined on your Samba host.
</P
2592 >4.2.2. Setting Drivers for Existing Printers
</A
2595 >The initial listing of printers in the Samba host's
2596 Printers folder will have no printer driver assigned to them.
2597 The way assign a driver to a printer is to view the Properties
2598 of the printer and either
</P
2604 >Use the
"New Driver..." button to install
2605 a new printer driver, or
</P
2609 >Select a driver from the popup list of
2610 installed drivers. Initially this list will be empty.
</P
2614 >If you wish to install printer drivers for client
2615 operating systems other than
"Windows NT x86", you will need
2616 to use the
"Sharing" tab of the printer properties dialog.
</P
2618 >Assuming you have connected with a root account, you
2619 will also be able modify other printer properties such as
2620 ACLs and device settings using this dialog box.
</P
2622 >A few closing comments for this section, it is possible
2623 on a Windows NT print server to have printers
2624 listed in the Printers folder which are not shared. Samba does
2625 not make this distinction. By definition, the only printers of
2626 which Samba is aware are those which are specified as shares in
2632 >Another interesting side note is that Windows NT clients do
2633 not use the SMB printer share, but rather can print directly
2634 to any printer on another Windows NT host using MS-RPC. This
2635 of course assumes that the printing client has the necessary
2636 privileges on the remote host serving the printer. The default
2637 permissions assigned by Windows NT to a printer gives the
"Print"
2638 permissions to the
"Everyone" well-known group.
</P
2646 >4.2.3. Support a large number of printers
</A
2649 >One issue that has arisen during the development
2650 phase of Samba
2.2 is the need to support driver downloads for
2651 100's of printers. Using the Windows NT APW is somewhat
2652 awkward to say the list. If more than one printer are using the
2654 HREF=
"rpcclient.1.html"
2659 setdriver command
</B
2661 > can be used to set the driver
2662 associated with an installed driver. The following is example
2663 of how this could be accomplished:
</P
2672 CLASS=
"PROGRAMLISTING"
2677 >rpcclient pogo -U root%secret -c
"enumdrivers"
2678 Domain=[NARNIA] OS=[Unix] Server=[Samba
2.2.0-alpha3]
2681 Printer Driver Info
1:
2682 Driver Name: [HP LaserJet
4000 Series PS]
2684 Printer Driver Info
1:
2685 Driver Name: [HP LaserJet
2100 Series PS]
2687 Printer Driver Info
1:
2688 Driver Name: [HP LaserJet
4Si/
4SiMX PS]
2693 >rpcclient pogo -U root%secret -c
"enumprinters"
2694 Domain=[NARNIA] OS=[Unix] Server=[Samba
2.2.0-alpha3]
2696 name:[\\POGO\hp-print]
2697 description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
2703 >rpcclient pogo -U root%bleaK.er \
2707 > -c
"setdriver hp-print \"HP LaserJet
4000 Series PS\
""
2708 Domain=[NARNIA] OS=[Unix] Server=[Samba
2.2.0-alpha3]
2709 Successfully set hp-print to driver HP LaserJet
4000 Series PS.
</PRE
2721 >4.2.4. Adding New Printers via the Windows NT APW
</A
2724 >By default, Samba offers all printer shares defined in
<TT
2728 in the
"Printers..." folder. Also existing in this folder is the Windows NT
2729 Add Printer Wizard icon. The APW will be show only if
</P
2735 >The connected user is able to successfully
2736 execute an OpenPrinterEx(\\server) with administrative
2737 priviledges (i.e. root or
<TT
2748 HREF=
"smb.conf.5.html#SHOWADDPRINTERWIZARD"
2754 add printer wizard = yes
</I
2762 >In order to be able to use the APW to successfully add a printer to a Samba
2764 HREF=
"smb.conf.5.html#ADDPRINTERCOMMAND"
2773 > must have a defined value. The program
2774 hook must successfully add the printer to the system (i.e.
2778 > or appropriate files) and
2784 >When using the APW from a client, if the named printer share does
2788 > will execute the
<TT
2794 > and reparse to the
<TT
2798 to attempt to locate the new printer share. If the share is still not defined,
2799 an error of
"Access Denied" is returned to the client. Note that the
2803 >add printer program
</I
2805 > is executed undet the context
2806 of the connected user, not necessarily a root account.
</P
2808 >There is a complementing
<A
2809 HREF=
"smb.conf.5.html#DELETEPRINTERCOMMAND"
2818 > for removing entries from the
"Printers..."
2827 >4.2.5. Samba and Printer Ports
</A
2830 >Windows NT/
2000 print servers associate a port with each printer. These normally
2831 take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the
2832 concept of ports associated with a printer. By default, only one printer port,
2833 named
"Samba Printer Port", exists on a system. Samba does not really a port in
2834 order to print, rather it is a requirement of Windows clients.
</P
2836 >Note that Samba does not support the concept of
"Printer Pooling" internally
2837 either. This is when a logical printer is assigned to multiple ports as
2838 a form of load balancing or fail over.
</P
2840 >If you require that multiple ports be defined for some reason,
2845 HREF=
"smb.conf.5.html#ENUMPORTSCOMMAND"
2854 > which can be used to define an external program
2855 that generates a listing of ports on a system.
</P
2864 >4.3. The Imprints Toolset
</A
2867 >The Imprints tool set provides a UNIX equivalent of the
2868 Windows NT Add Printer Wizard. For complete information, please
2869 refer to the Imprints web site at
<A
2870 HREF=
"http://imprints.sourceforge.net/"
2872 > http://imprints.sourceforge.net/
</A
2873 > as well as the documentation
2874 included with the imprints source distribution. This section will
2875 only provide a brief introduction to the features of Imprints.
</P
2882 >4.3.1. What is Imprints?
</A
2885 >Imprints is a collection of tools for supporting the goals
2892 >Providing a central repository information
2893 regarding Windows NT and
95/
98 printer driver packages
</P
2897 >Providing the tools necessary for creating
2898 the Imprints printer driver packages.
</P
2902 >Providing an installation client which
2903 will obtain and install printer drivers on remote Samba
2904 and Windows NT
4 print servers.
</P
2914 >4.3.2. Creating Printer Driver Packages
</A
2917 >The process of creating printer driver packages is beyond
2918 the scope of this document (refer to Imprints.txt also included
2919 with the Samba distribution for more information). In short,
2920 an Imprints driver package is a gzipped tarball containing the
2921 driver files, related INF files, and a control file needed by the
2922 installation client.
</P
2930 >4.3.3. The Imprints server
</A
2933 >The Imprints server is really a database server that
2934 may be queried via standard HTTP mechanisms. Each printer
2935 entry in the database has an associated URL for the actual
2936 downloading of the package. Each package is digitally signed
2937 via GnuPG which can be used to verify that package downloaded
2938 is actually the one referred in the Imprints database. It is
2941 > recommended that this security check
2950 >4.3.4. The Installation Client
</A
2953 >More information regarding the Imprints installation client
2954 is available in the
<TT
2956 >Imprints-Client-HOWTO.ps
</TT
2958 file included with the imprints source package.
</P
2960 >The Imprints installation client comes in two forms.
</P
2966 >a set of command line Perl scripts
</P
2970 >a GTK+ based graphical interface to
2971 the command line perl scripts
</P
2975 >The installation client (in both forms) provides a means
2976 of querying the Imprints database server for a matching
2977 list of known printer model names as well as a means to
2978 download and install the drivers on remote Samba and Windows
2979 NT print servers.
</P
2981 >The basic installation process is in four steps and
2982 perl code is wrapped around
<B
2998 CLASS=
"PROGRAMLISTING"
3000 foreach (supported architecture for a given driver)
3002 1. rpcclient: Get the appropriate upload directory
3003 on the remote server
3004 2. smbclient: Upload the driver files
3005 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
3008 4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually
3009 create the printer
</PRE
3015 >One of the problems encountered when implementing
3016 the Imprints tool set was the name space issues between
3017 various supported client architectures. For example, Windows
3018 NT includes a driver named
"Apple LaserWriter II NTX v51.8"
3019 and Windows
95 callsits version of this driver
"Apple
3020 LaserWriter II NTX"</P
3022 >The problem is how to know what client drivers have
3023 been uploaded for a printer. As astute reader will remember
3024 that the Windows NT Printer Properties dialog only includes
3025 space for one printer driver name. A quick look in the
3026 Windows NT
4.0 system registry at
</P
3030 >HKLM\System\CurrentControlSet\Control\Print\Environment
3034 >will reveal that Windows NT always uses the NT driver
3035 name. The is ok as Windows NT always requires that at least
3036 the Windows NT version of the printer driver is present.
3037 However, Samba does not have the requirement internally.
3038 Therefore, how can you use the NT driver name if is has not
3039 already been installed?
</P
3041 >The way of sidestepping this limitation is to require
3042 that all Imprints printer driver packages include both the Intel
3043 Windows NT and
95/
98 printer drivers and that NT driver is
3056 >Migration to from Samba
2.0.x to
3060 >Given that printer driver management has changed
3061 (we hope improved :) ) in
2.2.0 over prior releases,
3062 migration from an existing setup to
2.2.0 can follow
3083 >The following smb.conf parameters are considered to be
3084 depreciated and will be removed soon. Do not use them
3085 in new installations
</P
3094 >printer driver file (G)
</I
3104 >printer driver (S)
</I
3114 >printer driver location (S)
</I
3125 >Here are the possible scenarios for supporting migration:
</P
3131 >If you do not desire the new Windows NT
3132 print driver support, nothing needs to be done.
3133 All existing parameters work the same.
</P
3137 >If you want to take advantage of NT printer
3138 driver support but do not want to migrate the
3139 9x drivers to the new setup, the leave the existing
3140 printers.def file. When smbd attempts to locate a
3141 9x driver for the printer in the TDB and fails it
3142 will drop down to using the printers.def (and all
3143 associated parameters). The
<B
3147 tool will also remain for backwards compatibility but will
3148 be moved to the
"this tool is the old way of doing it"
3153 >If you install a Windows
9x driver for a printer
3154 on your Samba host (in the printing TDB), this information will
3155 take precedence and the three old printing parameters
3156 will be ignored (including print driver location).
</P
3160 >If you want to migrate an existing
<TT
3164 file into the new setup, the current only
3165 solution is to use the Windows NT APW to install the NT drivers
3166 and the
9x drivers. This can be scripted using
<B
3174 Imprints installation client at
<A
3175 HREF=
"http://imprints.sourceforge.net/"
3177 >http://imprints.sourceforge.net/
</A
3190 >Chapter
5. security = domain in Samba
2.x
</A
3198 >5.1. Joining an NT Domain with Samba
2.2</A
3201 >In order for a Samba-
2 server to join an NT domain,
3202 you must first add the NetBIOS name of the Samba server to the
3203 NT domain on the PDC using Server Manager for Domains. This creates
3204 the machine account in the domain (PDC) SAM. Note that you should
3205 add the Samba server as a
"Windows NT Workstation or Server",
3208 > as a Primary or backup domain controller.
</P
3210 >Assume you have a Samba-
2 server with a NetBIOS name of
3214 > and are joining an NT domain called
3218 >, which has a PDC with a NetBIOS name
3222 > and two backup domain controllers
3223 with NetBIOS names
<TT
3232 >In order to join the domain, first stop all Samba daemons
3233 and run the command:
</P
3241 >smbpasswd -j DOM -r DOMPDC
3246 >as we are joining the domain DOM and the PDC for that domain
3247 (the only machine that has write access to the domain SAM database)
3248 is DOMPDC. If this is successful you will see the message:
</P
3251 CLASS=
"COMPUTEROUTPUT"
3252 >smbpasswd: Joined domain DOM.
</TT
3256 >in your terminal window. See the
<A
3257 HREF=
"smbpasswd.8.html"
3260 > man page for more details.
</P
3262 >There is existing development code to join a domain
3263 without having to create the machine trust account on the PDC
3264 beforehand. This code will hopefully be available soon
3265 in release branches as well.
</P
3267 >This command goes through the machine account password
3268 change protocol, then writes the new (random) machine account
3269 password for this Samba server into a file in the same directory
3270 in which an smbpasswd file would be stored - normally :
</P
3274 >/usr/local/samba/private
</TT
3277 >In Samba
2.0.x, the filename looks like this:
</P
3284 ><NT DOMAIN NAME
></I
3298 > suffix stands for machine account
3299 password file. So in our example above, the file would be called:
</P
3306 >In Samba
2.2, this file has been replaced with a TDB
3307 (Trivial Database) file named
<TT
3313 >This file is created and owned by root and is not
3314 readable by any other user. It is the key to the domain-level
3315 security for your system, and should be treated as carefully
3316 as a shadow password file.
</P
3318 >Now, before restarting the Samba daemons you must
3320 HREF=
"smb.conf.5.html"
3327 > file to tell Samba it should now use domain security.
</P
3329 >Change (or add) your
<A
3330 HREF=
"smb.conf.5.html#SECURITY"
3338 > line in the [global] section
3339 of your smb.conf to read:
</P
3343 >security = domain
</B
3347 HREF=
"smb.conf.5.html#WORKGROUP"
3355 > line in the [global] section to read:
</P
3362 >as this is the name of the domain we are joining.
</P
3364 >You must also have the parameter
<A
3365 HREF=
"smb.conf.5.html#ENCRYPTPASSWORDS"
3370 >encrypt passwords
</I
3377 > in order for your users to authenticate to the NT PDC.
</P
3379 >Finally, add (or modify) a
<A
3380 HREF=
"smb.conf.5.html#PASSWORDSERVER"
3385 >password server =
</I
3388 > line in the [global]
3389 section to read:
</P
3393 >password server = DOMPDC DOMBDC1 DOMBDC2
</B
3396 >These are the primary and backup domain controllers Samba
3397 will attempt to contact in order to authenticate users. Samba will
3398 try to contact each of these servers in order, so you may want to
3399 rearrange this list in order to spread out the authentication load
3400 among domain controllers.
</P
3402 >Alternatively, if you want smbd to automatically determine
3403 the list of Domain controllers to use for authentication, you may
3404 set this line to be :
</P
3408 >password server = *
</B
3411 >This method, which was introduced in Samba
2.0.6,
3412 allows Samba to use exactly the same mechanism that NT does. This
3413 method either broadcasts or uses a WINS database in order to
3414 find domain controllers to authenticate against.
</P
3416 >Finally, restart your Samba daemons and get ready for
3417 clients to begin using domain security!
</P
3425 >5.2. Samba and Windows
2000 Domains
</A
3428 >Many people have asked regarding the state of Samba's ability to participate in
3429 a Windows
2000 Domain. Samba
2.2 is able to act as a member server of a Windows
3430 2000 domain operating in mixed or native mode.
</P
3432 >There is much confusion between the circumstances that require a
"mixed" mode
3433 Win2k DC and a when this host can be switched to
"native" mode. A
"mixed" mode
3434 Win2k domain controller is only needed if Windows NT BDCs must exist in the same
3435 domain. By default, a Win2k DC in
"native" mode will still support
3436 NetBIOS and NTLMv1 for authentication of legacy clients such as Windows
9x and
3437 NT
4.0. Samba has the same requirements as a Windows NT
4.0 member server.
</P
3439 >The steps for adding a Samba
2.2 host to a Win2k domain are the same as those
3440 for adding a Samba server to a Windows NT
4.0 domain. The only exception is that
3441 the
"Server Manager" from NT
4 has been replaced by the
"Active Directory Users and
3442 Computers" MMC (Microsoft Management Console) plugin.
</P
3450 >5.3. Why is this better than security = server?
</A
3453 >Currently, domain security in Samba doesn't free you from
3454 having to create local Unix users to represent the users attaching
3455 to your server. This means that if domain user
<TT
3459 > attaches to your domain security Samba server, there needs
3460 to be a local Unix user fred to represent that user in the Unix
3461 filesystem. This is very similar to the older Samba security mode
3463 HREF=
"smb.conf.5.html#SECURITYEQUALSSERVER"
3465 >security = server
</A
3467 where Samba would pass through the authentication request to a Windows
3468 NT server in the same way as a Windows
95 or Windows
98 server would.
3471 >Please refer to the
<A
3476 > for information on a system to automatically
3477 assign UNIX uids and gids to Windows NT Domain users and groups.
3478 This code is available in development branches only at the moment,
3479 but will be moved to release branches soon.
</P
3481 >The advantage to domain-level security is that the
3482 authentication in domain-level security is passed down the authenticated
3483 RPC channel in exactly the same way that an NT server would do it. This
3484 means Samba servers now participate in domain trust relationships in
3485 exactly the same way NT servers do (i.e., you can add Samba servers into
3486 a resource domain and have the authentication passed on from a resource
3487 domain PDC to an account domain PDC.
</P
3489 >In addition, with
<B
3491 >security = server
</B
3493 daemon on a server has to keep a connection open to the
3494 authenticating server for as long as that daemon lasts. This can drain
3495 the connection resources on a Microsoft NT server and cause it to run
3496 out of available connections. With
<B
3498 >security = domain
</B
3500 however, the Samba daemons connect to the PDC/BDC only for as long
3501 as is necessary to authenticate the user, and then drop the connection,
3502 thus conserving PDC connection resources.
</P
3504 >And finally, acting in the same manner as an NT server
3505 authenticating to a PDC means that as part of the authentication
3506 reply, the Samba server gets the user identification information such
3507 as the user SID, the list of NT groups the user belongs to, etc. All
3508 this information will allow Samba to be extended in the future into
3509 a mode the developers currently call appliance mode. In this mode,
3510 no local Unix users will be necessary, and Samba will generate Unix
3511 uids and gids from the information passed back from the PDC when a
3512 user is authenticated, making a Samba server truly plug and play
3513 in an NT domain environment. Watch for this code soon.
</P
3517 > Much of the text of this document
3518 was first published in the Web magazine
<A
3519 HREF=
"http://www.linuxworld.com"
3524 HREF=
"http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"
3536 >Chapter
6. How to Configure Samba
2.2.x as a Primary Domain Controller
</A
3548 >Author's Note :
</EM
3550 is a combination of David Bannon's Samba
2.2 PDC HOWTO
3551 and the Samba NT Domain FAQ. Both documents are superceeded by this one.
</P
3553 >Version of Samba prior to release
2.2 had marginal capabilities to
3554 act as a Windows NT
4.0 Primary Domain Controller (PDC). The following
3555 functionality should work in
2.2.0:
</P
3561 >domain logons for Windows NT
4.0/
2000 clients
</P
3565 >placing a Windows
9x client in user level security
</P
3569 >retrieving a list of users and groups from a Samba PDC to
3570 Windows
9x/NT/
2000 clients
</P
3574 >roving user profiles
</P
3578 >Windows NT
4.0 style system policies
</P
3582 >The following pieces of functionality are not included in the
2.2 release:
</P
3588 >Windows NT
4 domain trusts
</P
3592 >Sam replication with Windows NT
4.0 Domain Controllers
3593 (i.e. a Samba PDC and a Windows NT BDC or vice versa)
</P
3597 >Adding users via the User Manager for Domains
</P
3601 >Acting as a Windows
2000 Domain Controller (i.e. Kerberos
3602 and Active Directory)
</P
3606 >Please note that Windows
9x clients are not true members of a domain
3607 for reasons outlined in this article. Therefore the protocol for
3608 support Windows
9x style domain logons is completely different
3609 from NT4 domain logons and has been officially supported for some
3612 >Beginning with Samba
2.2.0, we are proud to announce official
3613 support for Windows NT
4.0 style domain logons from Windows NT
3614 4.0 and Windows
2000 (including SP1) clients. This article
3615 outlines the steps necessary for configuring Samba as a PDC.
3616 Note that it is necessary to have a working Samba server
3617 prior to implementing the PDC functionality. If you have not
3618 followed the steps outlined in
<A
3619 HREF=
"UNIX_INSTALL.html"
3621 >UNIX_INSTALL.html
</A
3622 >, please make sure that your server
3623 is configured correctly before proceeding. Another good
3625 HREF=
"smb.conf.5.html"
3631 >Implementing a Samba PDC can basically be divided into
2 broad
3639 >Configuring the Samba Domain Controller
3644 >Creating machine trust accounts
3645 and joining clients to the domain
</P
3649 >There are other minor details such as user profiles, system
3650 policies, etc... However, these are not necessarily specific
3651 to a Samba PDC as much as they are related to Windows NT networking
3652 concepts. They will be mentioned only briefly here.
</P
3660 >6.2. Configuring the Samba Domain Controller
</A
3663 >The first step in creating a working Samba PDC is to
3664 understand the parameters necessary in smb.conf. I will not
3665 attempt to re-explain the parameters here as they are more that
3666 adequately covered in
<A
3667 HREF=
"smb.conf.5.html"
3671 >. For convenience, the parameters have been
3672 linked with the actual smb.conf description.
</P
3674 >Here is an example smb.conf for acting as a PDC:
</P
3683 CLASS=
"PROGRAMLISTING"
3685 ; Basic server settings
3687 HREF=
"smb.conf.5.html#NETBIOSNAME"
3697 HREF=
"smb.conf.5.html#WORKGROUP"
3707 ; we should act as the domain and local master browser
3709 HREF=
"smb.conf.5.html#OSLEVEL"
3714 HREF=
"smb.conf.5.html#PERFERREDMASTER"
3716 >preferred master
</A
3719 HREF=
"smb.conf.5.html#DOMAINMASTER"
3724 HREF=
"smb.conf.5.html#LOCALMASTER"
3729 ; security settings (must user security = user)
3731 HREF=
"smb.conf.5.html#SECURITYEQUALSUSER"
3736 ; encrypted passwords are a requirement for a PDC
3738 HREF=
"smb.conf.5.html#ENCRYPTPASSWORDS"
3740 >encrypt passwords
</A
3743 ; support domain logons
3745 HREF=
"smb.conf.5.html#DOMAINLOGONS"
3750 ; where to store user profiles?
3752 HREF=
"smb.conf.5.html#LOGONPATH"
3755 > = \\%N\profiles\%u
3757 ; where is a user's home directory and where should it
3760 HREF=
"smb.conf.5.html#LOGONDRIVE"
3765 HREF=
"smb.conf.5.html#LOGONHOME"
3770 ; specify a generic logon script for all users
3771 ; this is a relative path to the [netlogon] share
3773 HREF=
"smb.conf.5.html#LOGONSCRIPT"
3778 ; necessary share for domain controller
3781 HREF=
"smb.conf.5.html#PATH"
3784 > = /usr/local/samba/lib/netlogon
3786 HREF=
"smb.conf.5.html#WRITEABLE"
3791 HREF=
"smb.conf.5.html#WRITELIST"
3801 ; share for storing user profiles
3804 HREF=
"smb.conf.5.html#PATH"
3807 > = /export/smb/ntprofile
3809 HREF=
"smb.conf.5.html#WRITEABLE"
3814 HREF=
"smb.conf.5.html#CREATEMASK"
3819 HREF=
"smb.conf.5.html#DIRECTORYMASK"
3828 >There are a couple of points to emphasize in the above
3835 >encrypted passwords must be enabled.
3836 For more details on how to do this, refer to
3838 HREF=
"ENCRYPTION.html"
3846 >The server must support domain logons
3854 >The server must be the domain master browser
3855 in order for Windows client to locate the server as a DC.
</P
3859 >As Samba
2.2 does not offer a complete implementation of group mapping between
3860 Windows NT groups and UNIX groups (this is really quite complicated to explain
3861 in a short space), you should refer to the
<A
3862 HREF=
"smb.conf.5.html#DOMAINADMONUSERS"
3867 HREF=
"smb.conf.5.html#DOMAINADMINGROUP"
3871 > smb.conf parameters for information of creating a Domain Admins
3880 >6.3. Creating Machine Trust Accounts and Joining Clients
3884 >First you must understand what a machine trust account is and what
3887 >A machine trust account is a user account owned by a computer.
3888 The account password acts as the shared secret for secure
3889 communication with the Domain Controller. Hence the reason that
3890 a Windows
9x host is never a true member of a domain because
3891 it does not posses a machine trust account and thus has no shared
3892 secret with the DC.
</P
3894 >On a Windows NT PDC, these machine trust account passwords are stored
3895 in the registry. A Samba PDC stores these accounts in he same location
3896 as user LanMan and NT password hashes (currently
<TT
3900 However, machine trust accounts only possess the NT password hash.
</P
3902 >There are two means of creating machine trust accounts.
</P
3908 >Manual creation before joining the client
3909 to the domain. In this case, the password is set to a known
3910 value -- the lower case of the machine's netbios name.
</P
3914 >Creation of the account at the time of
3915 joining the domain. In this case, the session key of the
3916 administrative account used to join the client to the domain acts
3917 as an encryption key for setting the password to a random value.
</P
3921 >Because Samba requires machine accounts to possess a UNIX uid from
3922 which an Windows NT SID can be generated, all of these accounts
3923 will have an entry in
<TT
3927 Future releases will alleviate the need to create
3936 > entry will list the machine name
3937 with a $ appended, won't have a passwd, will have a null shell and no
3938 home directory. For example a machine called 'doppy' would have an
3942 > entry like this :
</P
3951 CLASS=
"PROGRAMLISTING"
3952 >doppy$:x:
505:
501:NTMachine:/dev/null:/bin/false
</PRE
3958 >If you are manually creating the machine accounts, it is necessary
3963 map) entry prior to adding the
<TT
3967 entry. The following command will create a new machine account
3973 > smbpasswd -a -m
<TT
3985 > is the machine's netbios
3989 >If you manually create a machine account, immediately join
3990 the client to the domain.
</EM
3991 > An open account like this
3992 can allow intruders to gain access to user account information
3995 >The second way of creating machine trust accounts is to add
3996 them on the fly at the time the client is joined to the domain.
3997 You will need to include a value for the
3999 HREF=
"smb.conf.5.html#ADDUSERSCRIPT"
4003 parameter. Below is an example I use on a RedHat
6.2 Linux system.
</P
4012 CLASS=
"PROGRAMLISTING"
4013 >add user script = /usr/sbin/useradd -d /dev/null -g
100 -s /bin/false -M %u
</PRE
4019 >In Samba
2.2.0,
<EM
4020 >only the root account
</EM
4021 > can be used to create
4022 machine accounts on the fly like this. Therefore, it is required
4023 to create an entry in smbpasswd for
<EM
4028 > be set to s different
4029 password that the associated
<TT
4033 entry for security reasons.
</P
4041 >6.4. Common Problems and Errors
</A
4047 >I cannot include a '$' in a machine name.
</EM
4050 >A 'machine name' in (typically)
<TT
4054 of the machine name with a '$' appended. FreeBSD (and other BSD
4055 systems ?) won't create a user with a '$' in their name.
</P
4057 >The problem is only in the program used to make the entry, once
4058 made, it works perfectly. So create a user without the '$' and
4062 > to edit the entry, adding the '$'. Or create
4063 the whole entry with vipw if you like, make sure you use a
4067 >I get told
"You already have a connection to the Domain...."
4068 when creating a machine account.
</EM
4071 >This happens if you try to create a machine account from the
4072 machine itself and use a user name that does not work (for whatever
4073 reason) and then try another (possibly valid) user name.
4074 Exit out of the network applet to close the initial connection
4077 >Further, if the machine is a already a 'member of a workgroup' that
4078 is the same name as the domain you are joining (bad idea) you will
4079 get this message. Change the workgroup name to something else, it
4080 does not matter what, reboot, and try again.
</P
4083 >I get told
"Cannot join domain, the credentials supplied
4084 conflict with an existing set.."</EM
4087 >This is the same basic problem as mentioned above,
"You already
4088 have a connection..."</P
4091 >"The system can not log you on (C000019B)...."</EM
4094 >I joined the domain successfully but after upgrading
4095 to a newer version of the Samba code I get the message,
"The system
4096 can not log you on (C000019B), Please try a gain or consult your
4097 system administrator" when attempting to logon.
</P
4099 >This occurs when the domain SID stored in
4102 >private/WORKGROUP.SID
</TT
4104 changed. For example, you remove the file and
<B
4108 creates a new one. Or you are swapping back and forth between
4109 versions
2.0.7, TNG and the HEAD branch code (not recommended). The
4110 only way to correct the problem is to restore the original domain
4111 SID or remove the domain client from the domain and rejoin.
</P
4114 >"The machine account for this computer either does not
4115 exist or is not accessible."</EM
4118 >When I try to join the domain I get the message
"The machine account
4119 for this computer either does not exist or is not accessible". Whats
4122 >This problem is caused by the PDC not having a suitable machine account.
4123 If you are using the
<B
4125 >add user script =
</B
4127 accounts then this would indicate that it has not worked. Ensure the domain
4128 admin user system is working.
</P
4130 >Alternatively if you are creating account entries manually then they
4131 have not been created correctly. Make sure that you have the entry
4132 correct for the machine account in smbpasswd file on the Samba PDC.
4133 If you added the account using an editor rather than using the smbpasswd
4134 utility, make sure that the account name is the machine netbios name
4135 with a '$' appended to it ( ie. computer_name$ ). There must be an entry
4136 in both /etc/passwd and the smbpasswd file. Some people have reported
4137 that inconsistent subnet masks between the Samba server and the NT
4138 client have caused this problem. Make sure that these are consistent
4139 for both client and server.
</P
4147 >6.5. System Policies and Profiles
</A
4150 >Much of the information necessary to implement System Policies and
4151 Roving User Profiles in a Samba domain is the same as that for
4152 implementing these same items in a Windows NT
4.0 domain.
4153 You should read the white paper
<A
4154 HREF=
"http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"
4157 Profiles and Policies in Windows NT
4.0</A
4158 > available from Microsoft.
</P
4160 >Here are some additional details:
</P
4163 >What about Windows NT Policy Editor ?
</EM
4166 >To create or edit
<TT
4170 the NT Server Policy Editor,
<B
4174 is included with NT Server but
<EM
4175 >not NT Workstation
</EM
4177 There is a Policy Editor on a NTws
4178 but it is not suitable for creating
<EM
4179 >Domain Policies
</EM
4181 Further, although the Windows
95
4182 Policy Editor can be installed on an NT Workstation/Server, it will not
4183 work with NT policies because the registry key that are set by the policy templates.
4184 However, the files from the NT Server will run happily enough on an NTws.
4187 >poledit.exe, common.adm
</TT
4192 to put the two *.adm files in
<TT
4196 the binary will look for them unless told otherwise. Note also that that
4197 directory is 'hidden'.
</P
4199 >The Windows NT policy editor is also included with the
4200 Service Pack
3 (and later) for Windows NT
4.0. Extract the files using
4203 >servicepackname /x
</B
4208 > for service pack
6a. The policy editor,
<B
4212 associated template files (*.adm) should
4213 be extracted as well. It is also possible to downloaded the policy template
4214 files for Office97 and get a copy of the policy editor. Another possible
4215 location is with the Zero Administration Kit available for download from Microsoft.
</P
4218 >Can Win95 do Policies ?
</EM
4221 >Install the group policy handler for Win9x to pick up group
4222 policies. Look on the Win98 CD in
<TT
4224 >\tools\reskit\netadmin\poledit
</TT
4226 Install group policies on a Win9x client by double-clicking
4230 >. Log off and on again a couple of
4231 times and see if Win98 picks up group policies. Unfortunately this needs
4232 to be done on every Win9x machine that uses group policies....
</P
4234 >If group policies don't work one reports suggests getting the updated
4235 (read: working) grouppol.dll for Windows
9x. The group list is grabbed
4239 >How do I get 'User Manager' and 'Server Manager'
</EM
4242 >Since I don't need to buy an NT Server CD now, how do I get
4243 the 'User Manager for Domains', the 'Server Manager' ?
</P
4245 >Microsoft distributes a version of
4246 these tools called nexus for installation on Windows
95 systems. The
4247 tools set includes
</P
4257 >User Manager for Domains
</P
4265 >Click here to download the archived file
<A
4266 HREF=
"ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
4268 >ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE
</A
4271 >The Windows NT
4.0 version of the 'User Manager for
4272 Domains' and 'Server Manager' are available from Microsoft via ftp
4274 HREF=
"ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
4276 >ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE
</A
4285 >6.6. What other help can I get ?
</A
4288 >There are many sources of information available in the form
4289 of mailing lists, RFC's and documentation. The docs that come
4290 with the samba distribution contain very good explanations of
4291 general SMB topics such as browsing.
</P
4294 >What are some diagnostics tools I can use to debug the domain logon
4295 process and where can I find them?
</EM
4298 > One of the best diagnostic tools for debugging problems is Samba itself.
4299 You can use the -d option for both smbd and nmbd to specifiy what
4300 'debug level' at which to run. See the man pages on smbd, nmbd and
4301 smb.conf for more information on debugging options. The debug
4302 level can range from
1 (the default) to
10 (
100 for debugging passwords).
4305 > Another helpful method of debugging is to compile samba using the
4309 > flag. This will include debug
4310 information in the binaries and allow you to attach gdb to the
4311 running smbd / nmbd process. In order to attach gdb to an smbd
4312 process for an NT workstation, first get the workstation to make the
4313 connection. Pressing ctrl-alt-delete and going down to the domain box
4314 is sufficient (at least, on the first time you join the domain) to
4315 generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
4316 maintains an open connection, and therefore there will be an smbd
4317 process running (assuming that you haven't set a really short smbd
4318 idle timeout) So, in between pressing ctrl alt delete, and actually
4319 typing in your password, you can gdb attach and continue.
4322 > Some useful samba commands worth investigating:
4329 >testparam | more
</P
4333 >smbclient -L //{netbios name of server}
</P
4337 > An SMB enabled version of tcpdump is available from
4339 HREF=
"http://www.tcpdump.org/"
4341 >http://www.tcpdup.org/
</A
4343 Ethereal, another good packet sniffer for UNIX and Win32
4344 hosts, can be downloaded from
<A
4345 HREF=
"http://www.ethereal.com/"
4347 >http://www.ethereal.com
</A
4351 > For tracing things on the Microsoft Windows NT, Network Monitor
4352 (aka. netmon) is available on the Microsoft Developer Network CD's,
4353 the Windows NT Server install CD and the SMS CD's. The version of
4354 netmon that ships with SMS allows for dumping packets between any two
4355 computers (ie. placing the network interface in promiscuous mode).
4356 The version on the NT Server install CD will only allow monitoring
4357 of network traffic directed to the local NT box and broadcasts on the
4358 local subnet. Be aware that Ethereal can read and write netmon
4363 >How do I install 'Network Monitor' on an NT Workstation
4364 or a Windows
9x box?
</EM
4367 > Installing netmon on an NT workstation requires a couple
4368 of steps. The following are for installing Netmon V4.00
.349, which comes
4369 with Microsoft Windows NT Server
4.0, on Microsoft Windows NT
4370 Workstation
4.0. The process should be similar for other version of
4371 Windows NT / Netmon. You will need both the Microsoft Windows
4372 NT Server
4.0 Install CD and the Workstation
4.0 Install CD.
4375 > Initially you will need to install 'Network Monitor Tools and Agent'
4376 on the NT Server. To do this
4383 >Goto Start - Settings - Control Panel -
4384 Network - Services - Add
</P
4388 >Select the 'Network Monitor Tools and Agent' and
4393 >Click 'OK' on the Network Control Panel.
4398 >Insert the Windows NT Server
4.0 install CD
4403 > At this point the Netmon files should exist in
4406 >%SYSTEMROOT%\System32\netmon\*.*
</TT
4408 Two subdirectories exist as well,
<TT
4412 which contains the necessary DLL's for parsing the netmon packet
4419 > In order to install the Netmon tools on an NT Workstation, you will
4420 first need to install the 'Network Monitor Agent' from the Workstation
4428 >Goto Start - Settings - Control Panel -
4429 Network - Services - Add
</P
4433 >Select the 'Network Monitor Agent' and click
4438 >Click 'OK' on the Network Control Panel.
4443 >Insert the Windows NT Workstation
4.0 install
4444 CD when prompted.
</P
4448 > Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
4449 to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
4450 permissions as you deem appropriate for your site. You will need
4451 administrative rights on the NT box to run netmon.
4454 > To install Netmon on a Windows
9x box install the network monitor agent
4455 from the Windows
9x CD (\admin\nettools\netmon). There is a readme
4456 file located with the netmon driver files on the CD if you need
4457 information on how to do this. Copy the files from a working
4458 Netmon installation.
4466 >6.6.1. URLs and similar
</A
4473 >Home of Samba site
<A
4474 HREF=
"http://samba.org"
4476 > http://samba.org
</A
4477 >. We have a mirror near you !
</P
4484 on the Samba mirrors might mention your problem. If so,
4485 it might mean that the developers are working on it.
</P
4489 >See how Scott Merrill simulates a BDC behavior at
4491 HREF=
"http://www.skippy.net/linux/smb-howto.html"
4493 > http://www.skippy.net/linux/smb-howto.html
</A
4498 >Although
2.0.7 has almost had its day as a PDC, David Bannon will
4499 keep the
2.0.7 PDC pages at
<A
4500 HREF=
"http://bioserve.latrobe.edu.au/samba"
4502 > http://bioserve.latrobe.edu.au/samba
</A
4503 > going for a while yet.
</P
4507 >Misc links to CIFS information
4509 HREF=
"http://samba.org/cifs/"
4511 >http://samba.org/cifs/
</A
4516 >NT Domains for Unix
<A
4517 HREF=
"http://mailhost.cb1.com/~lkcl/ntdom/"
4519 > http://mailhost.cb1.com/~lkcl/ntdom/
</A
4524 >FTP site for older SMB specs:
4526 HREF=
"ftp://ftp.microsoft.com/developr/drg/CIFS/"
4528 > ftp://ftp.microsoft.com/developr/drg/CIFS/
</A
4539 >6.6.2. Mailing Lists
</A
4543 >How do I get help from the mailing lists ?
</EM
4546 >There are a number of Samba related mailing lists. Go to
<A
4547 HREF=
"http://samba.org"
4549 >http://samba.org
</A
4550 >, click on your nearest mirror
4551 and then click on
<B
4554 > and then click on
<B
4556 >Samba related mailing lists
</B
4559 >For questions relating to Samba TNG go to
4561 HREF=
"http://www.samba-tng.org/"
4563 >http://www.samba-tng.org/
</A
4565 It has been requested that you don't post questions about Samba-TNG to the
4566 main stream Samba lists.
</P
4568 >If you post a message to one of the lists please observe the following guide lines :
</P
4574 > Always remember that the developers are volunteers, they are
4575 not paid and they never guarantee to produce a particular feature at
4576 a particular time. Any time lines are 'best guess' and nothing more.
4581 > Always mention what version of samba you are using and what
4582 operating system its running under. You should probably list the
4583 relevant sections of your smb.conf file, at least the options
4584 in [global] that affect PDC support.
</P
4588 >In addition to the version, if you obtained Samba via
4589 CVS mention the date when you last checked it out.
</P
4593 > Try and make your question clear and brief, lots of long,
4594 convoluted questions get deleted before they are completely read !
4595 Don't post html encoded messages (if you can select colour or font
4600 > If you run one of those nifty 'I'm on holidays' things when
4601 you are away, make sure its configured to not answer mailing lists.
4606 > Don't cross post. Work out which is the best list to post to
4607 and see what happens, ie don't post to both samba-ntdom and samba-technical.
4608 Many people active on the lists subscribe to more
4609 than one list and get annoyed to see the same message two or more times.
4610 Often someone will see a message and thinking it would be better dealt
4611 with on another, will forward it on for you.
</P
4615 >You might include
<EM
4618 log files written at a debug level set to as much as
20.
4619 Please don't send the entire log but enough to give the context of the
4624 >(Possibly) If you have a complete netmon trace ( from the opening of
4625 the pipe to the error ) you can send the *.CAP file as well.
</P
4629 >Please think carefully before attaching a document to an email.
4630 Consider pasting the relevant parts into the body of the message. The samba
4631 mailing lists go to a huge number of people, do they all need a copy of your
4632 smb.conf in their attach directory ?
</P
4637 >How do I get off the mailing lists ?
</EM
4640 >To have your name removed from a samba mailing list, go to the
4641 same place you went to to get on it. Go to
<A
4642 HREF=
"http://lists.samba.org/"
4644 >http://lists.samba.org
</A
4646 on your nearest mirror and then click on
<B
4652 > Samba related mailing lists
</B
4655 HREF=
"http://lists.samba.org/mailman/roster/samba-ntdom"
4660 > Please don't post messages to the list asking to be removed, you will just
4661 be referred to the above address (unless that process failed in some way...)
4671 >6.7. DOMAIN_CONTROL.txt : Windows NT Domain Control
& Samba
</A
4674 >This appendix was originally authored by John H Terpstra of the Samba Team
4675 and is included here for posterity.
</P
4680 The term
"Domain Controller" and those related to it refer to one specific
4681 method of authentication that can underly an SMB domain. Domain Controllers
4682 prior to Windows NT Server
3.1 were sold by various companies and based on
4683 private extensions to the LAN Manager
2.1 protocol. Windows NT introduced
4684 Microsoft-specific ways of distributing the user authentication database.
4685 See DOMAIN.txt for examples of how Samba can participate in or create
4686 SMB domains based on shared authentication database schemes other than the
4689 >Windows NT Server can be installed as either a plain file and print server
4690 (WORKGROUP workstation or server) or as a server that participates in Domain
4691 Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
</P
4693 >The same is true for OS/
2 Warp Server, Digital Pathworks and other similar
4694 products, all of which can participate in Domain Control along with Windows NT.
4695 However only those servers which have licensed Windows NT code in them can be
4696 a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)
</P
4698 >To many people these terms can be confusing, so let's try to clear the air.
</P
4700 >Every Windows NT system (workstation or server) has a registry database.
4701 The registry contains entries that describe the initialization information
4702 for all services (the equivalent of Unix Daemons) that run within the Windows
4703 NT environment. The registry also contains entries that tell application
4704 software where to find dynamically loadable libraries that they depend upon.
4705 In fact, the registry contains entries that describes everything that anything
4706 may need to know to interact with the rest of the system.
</P
4708 >The registry files can be located on any Windows NT machine by opening a
4709 command prompt and typing:
</P
4714 > dir %SystemRoot%\System32\config
</P
4716 >The environment variable %SystemRoot% value can be obtained by typing:
</P
4721 >echo %SystemRoot%
</P
4723 >The active parts of the registry that you may want to be familiar with are
4724 the files called: default, system, software, sam and security.
</P
4726 >In a domain environment, Microsoft Windows NT domain controllers participate
4727 in replication of the SAM and SECURITY files so that all controllers within
4728 the domain have an exactly identical copy of each.
</P
4730 >The Microsoft Windows NT system is structured within a security model that
4731 says that all applications and services must authenticate themselves before
4732 they can obtain permission from the security manager to do what they set out
4735 >The Windows NT User database also resides within the registry. This part of
4736 the registry contains the user's security identifier, home directory, group
4737 memberships, desktop profile, and so on.
</P
4739 >Every Windows NT system (workstation as well as server) will have its own
4740 registry. Windows NT Servers that participate in Domain Security control
4741 have a database that they share in common - thus they do NOT own an
4742 independent full registry database of their own, as do Workstations and
4745 >The User database is called the SAM (Security Access Manager) database and
4746 is used for all user authentication as well as for authentication of inter-
4747 process authentication (ie: to ensure that the service action a user has
4748 requested is permitted within the limits of that user's privileges).
</P
4750 >The Samba team have produced a utility that can dump the Windows NT SAM into
4751 smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
4752 /pub/samba/pwdump on your nearest Samba mirror for the utility. This
4753 facility is useful but cannot be easily used to implement SAM replication
4754 to Samba systems.
</P
4756 >Windows for Workgroups, Windows
95, and Windows NT Workstations and Servers
4757 can participate in a Domain security system that is controlled by Windows NT
4758 servers that have been correctly configured. At most every domain will have
4759 ONE Primary Domain Controller (PDC). It is desirable that each domain will
4760 have at least one Backup Domain Controller (BDC).
</P
4762 >The PDC and BDCs then participate in replication of the SAM database so that
4763 each Domain Controlling participant will have an up to date SAM component
4764 within its registry.
</P
4772 >Chapter
7. Unifed Logons between Windows NT and UNIX using Winbind
</A
4783 >Integration of UNIX and Microsoft Windows NT through
4784 a unified logon has been considered a
"holy grail" in heterogeneous
4785 computing environments for a long time. We present
<EM
4788 >, a component of the Samba suite of programs as a
4789 solution to the unied logon problem. Winbind uses a UNIX implementation
4790 of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
4791 Service Switch to allow Windows NT domain users to appear and operate
4792 as UNIX users on a UNIX machine. This paper describes the winbind
4793 system, explaining the functionality it provides, how it is configured,
4794 and how it works internally.
</P
4802 >7.2. Introduction
</A
4805 >It is well known that UNIX and Microsoft Windows NT have
4806 different models for representing user and group information and
4807 use different technologies for implementing them. This fact has
4808 made it difficult to integrate the two systems in a satisfactory
4811 >One common solution in use today has been to create
4812 identically named user accounts on both the UNIX and Windows systems
4813 and use the Samba suite of programs to provide file and print services
4814 between the two. This solution is far from perfect however, as
4815 adding and deleting users on both sets of machines becomes a chore
4816 and two sets of passwords are required both of which which
4817 can lead to synchronization problems between the UNIX and Windows
4818 systems and confusion for users.
</P
4820 >We divide the unifed logon problem for UNIX machines into
4821 three smaller problems:
</P
4827 >Obtaining Windows NT user and group information
4832 >Authenticating Windows NT users
4837 >Password changing for Windows NT users
4842 >Ideally, a prospective solution to the unified logon problem
4843 would satisfy all the above components without duplication of
4844 information on the UNIX machines and without creating additional
4845 tasks for the system administrator when maintaining users and
4846 groups on either system. The winbind system provides a simple
4847 and elegant solution to all three components of the unifed logon
4856 >7.3. What Winbind Provides
</A
4859 >Winbind unifies UNIX and Windows NT account management by
4860 allowing a UNIX box to become a full member of a NT domain. Once
4861 this is done the UNIX box will see NT users and groups as if
4862 they were native UNIX users and groups, allowing the NT domain
4863 to be used in much the same manner that NIS+ is used within
4864 UNIX-only environments.
</P
4866 >The end result is that whenever any
4867 program on the UNIX machine asks the operating system to lookup
4868 a user or group name, the query will be resolved by asking the
4869 NT domain controller for the specied domain to do the lookup.
4870 Because Winbind hooks into the operating system at a low level
4871 (via the NSS name resolution modules in the C library) this
4872 redirection to the NT domain controller is completely
4875 >Users on the UNIX machine can then use NT user and group
4876 names as they would use
"native" UNIX names. They can chown files
4877 so that they are owned by NT domain users or even login to the
4878 UNIX machine and run a UNIX X-Window session as a domain user.
</P
4880 >The only obvious indication that Winbind is being used is
4881 that user and group names take the form DOMAIN\user and
4882 DOMAIN\group. This is necessary as it allows Winbind to determine
4883 that redirection to a domain controller is wanted for a particular
4884 lookup and which trusted domain is being referenced.
</P
4886 >Additionally, Winbind provides a authentication service
4887 that hooks into the Pluggable Authentication Modules (PAM) system
4888 to provide authentication via a NT domain to any PAM enabled
4889 applications. This capability solves the problem of synchronizing
4890 passwords between systems as all passwords are stored in a single
4891 location (on the domain controller).
</P
4898 >7.3.1. Target Uses
</A
4901 >Winbind is targeted at organizations that have an
4902 existing NT based domain infrastructure into which they wish
4903 to put UNIX workstations or servers. Winbind will allow these
4904 organizations to deploy UNIX workstations without having to
4905 maintain a separate account infrastructure. This greatly simplies
4906 the administrative overhead of deploying UNIX workstations into
4907 a NT based organization.
</P
4909 >Another interesting way in which we expect Winbind to
4910 be used is as a central part of UNIX based appliances. Appliances
4911 that provide file and print services to Microsoft based networks
4912 will be able to use Winbind to provide seamless integration of
4913 the appliance into the domain.
</P
4922 >7.4. How Winbind Works
</A
4925 >The winbind system is designed around a client/server
4926 architecture. A long running
<B
4930 listens on a UNIX domain socket waiting for requests
4931 to arrive. These requests are generated by the NSS and PAM
4932 clients and processed sequentially.
</P
4934 >The technologies used to implement winbind are described
4942 >7.4.1. Microsoft Remote Procedure Calls
</A
4945 >Over the last two years, efforts have been underway
4946 by various Samba Team members to decode various aspects of
4947 the Microsoft Remote Procedure Call (MSRPC) system. This
4948 system is used for most network related operations between
4949 Windows NT machines including remote management, user authentication
4950 and print spooling. Although initially this work was done
4951 to aid the implementation of Primary Domain Controller (PDC)
4952 functionality in Samba, it has also yielded a body of code which
4953 can be used for other purposes.
</P
4955 >Winbind uses various MSRPC calls to enumerate domain users
4956 and groups and to obtain detailed information about individual
4957 users or groups. Other MSRPC calls can be used to authenticate
4958 NT domain users and to change user passwords. By directly querying
4959 a Windows PDC for user and group information, winbind maps the
4960 NT account information onto UNIX user and group names.
</P
4968 >7.4.2. Name Service Switch
</A
4971 >The Name Service Switch, or NSS, is a feature that is
4972 present in many UNIX operating systems. It allows system
4973 information such as hostnames, mail aliases and user information
4974 to be resolved from dierent sources. For example, a standalone
4975 UNIX workstation may resolve system information from a series of
4976 flat files stored on the local lesystem. A networked workstation
4977 may first attempt to resolve system information from local files,
4978 then consult a NIS database for user information or a DNS server
4979 for hostname information.
</P
4981 >The NSS application programming interface allows winbind
4982 to present itself as a source of system information when
4983 resolving UNIX usernames and groups. Winbind uses this interface,
4984 and information obtained from a Windows NT server using MSRPC
4985 calls to provide a new source of account enumeration. Using standard
4986 UNIX library calls, one can enumerate the users and groups on
4987 a UNIX machine running winbind and see all users and groups in
4988 a NT domain plus any trusted domain as though they were local
4989 users and groups.
</P
4991 >The primary control le for NSS is
<TT
4995 >. When a UNIX application makes a request to do a lookup
4996 the C library looks in
<TT
4998 >/etc/nsswitch.conf
</TT
5000 for a line which matches the service type being requested, for
5001 example the
"passwd" service type is used when user or group names
5002 are looked up. This config line species which implementations
5003 of that service should be tried andin what order. If the passwd
5008 >passwd: files example
</B
5011 >then the C library will first load a module called
5014 >/lib/libnss_files.so
</TT
5018 >/lib/libnss_example.so
</TT
5020 C library will dynamically load each of these modules in turn
5021 and call resolver functions within the modules to try to resolve
5022 the request. Once the request is resolved the C library returns the
5023 result to the application.
</P
5025 >This NSS interface provides a very easy way for Winbind
5026 to hook into the operating system. All that needs to be done
5029 >libnss_winbind.so
</TT
5034 then add
"winbind" into
<TT
5036 >/etc/nsswitch.conf
</TT
5038 the appropriate place. The C library will then call Winbind to
5039 resolve user and group names.
</P
5047 >7.4.3. Pluggable Authentication Modules
</A
5050 >Pluggable Authentication Modules, also known as PAM,
5051 is a system for abstracting authentication and authorization
5052 technologies. With a PAM module it is possible to specify different
5053 authentication methods for dierent system applications without
5054 having to recompile these applications. PAM is also useful
5055 for implementing a particular policy for authorization. For example,
5056 a system administrator may only allow console logins from users
5057 stored in the local password file but only allow users resolved from
5058 a NIS database to log in over the network.
</P
5060 >Winbind uses the authentication management and password
5061 management PAM interface to integrate Windows NT users into a
5062 UNIX system. This allows Windows NT users to log in to a UNIX
5063 machine and be authenticated against a suitable Primary Domain
5064 Controller. These users can also change their passwords and have
5065 this change take eect directly on the Primary Domain Controller.
5068 >PAM is congured by providing control files in the directory
5072 > for each of the services that
5073 require authentication. When an authentication request is made
5074 by an application the PAM code in the C library looks up this
5075 control file to determine what modules to load to do the
5076 authentication check and in what order. This interface makes adding
5077 a new authentication service for Winbind very easy, all that needs
5078 to be done is that the
<TT
5086 control files for relevant services are updated to allow
5087 authentication via winbind. See the PAM documentation
5088 for more details.
</P
5096 >7.4.4. User and Group ID Allocation
</A
5099 >When a user or group is created under Windows NT
5100 is it allocated a numerical relative identier (RID). This is
5101 slightly dierent to UNIX which has a range of numbers which are
5102 used to identify users, and the same range in which to identify
5103 groups. It is winbind's job to convert RIDs to UNIX id numbers and
5104 vice versa. When winbind is congured it is given part of the UNIX
5105 user id space and a part of the UNIX group id space in which to
5106 store Windows NT users and groups. If a Windows NT user is
5107 resolved for the first time, it is allocated the next UNIX id from
5108 the range. The same process applies for Windows NT groups. Over
5109 time, winbind will have mapped all Windows NT users and groups
5110 to UNIX user ids and group ids.
</P
5112 >The results of this mapping are stored persistently in
5113 a ID mapping database held in a tdb database). This ensures that
5114 RIDs are mapped to UNIX IDs in a consistent way.
</P
5122 >7.4.5. Result Caching
</A
5125 >An active system can generate a lot of user and group
5126 name lookups. To reduce the network cost of these lookups winbind
5127 uses a caching scheme based on the SAM sequence number supplied
5128 by NT domain controllers. User or group information returned
5129 by a PDC is cached by winbind along with a sequence number also
5130 returned by the PDC. This sequence number is incremented by
5131 Windows NT whenever any user or group information is modied. If
5132 a cached entry has expired, the sequence number is requested from
5133 the PDC and compared against the sequence number of the cached entry.
5134 If the sequence numbers do not match, then the cached information
5135 is discarded and up to date information is requested directly
5145 >7.5. Installation and Configuration
</A
5148 >The easiest way to install winbind is by using the packages
5151 >pub/samba/appliance/
</TT
5153 directory on your nearest
5154 Samba mirror. These packages provide snapshots of the Samba source
5155 code and binaries already setup to provide the full functionality
5156 of winbind. This setup is a little more complex than a normal Samba
5157 build as winbind needs a small amount of functionality from a
5158 development code branch called SAMBA_TNG.
</P
5160 >Once you have installed the packages you should read
5164 > man page which will provide you
5165 with conguration information and give you sample conguration files.
5166 You may also wish to update the main Samba daemons smbd and nmbd)
5167 with a more recent development release, such as the recently
5168 announced Samba
2.2 alpha release.
</P
5176 >7.6. Limitations
</A
5179 >Winbind has a number of limitations in its current
5180 released version which we hope to overcome in future
5187 >Winbind is currently only available for
5188 the Linux operating system, although ports to other operating
5189 systems are certainly possible. For such ports to be feasible,
5190 we require the C library of the target operating system to
5191 support the Name Service Switch and Pluggable Authentication
5192 Modules systems. This is becoming more common as NSS and
5193 PAM gain support among UNIX vendors.
</P
5197 >The mappings of Windows NT RIDs to UNIX ids
5198 is not made algorithmically and depends on the order in which
5199 unmapped users or groups are seen by winbind. It may be difficult
5200 to recover the mappings of rid to UNIX id mapping if the file
5201 containing this information is corrupted or destroyed.
</P
5205 >Currently the winbind PAM module does not take
5206 into account possible workstation and logon time restrictions
5207 that may be been set for Windows NT users.
</P
5211 >Building winbind from source is currently
5212 quite tedious as it requires combining source code from two Samba
5213 branches. Work is underway to solve this by providing all
5214 the necessary functionality in the main Samba code branch.
</P
5227 >The winbind system, through the use of the Name Service
5228 Switch, Pluggable Authentication Modules, and appropriate
5229 Microsoft RPC calls have allowed us to provide seamless
5230 integration of Microsoft Windows NT domain users on a
5231 UNIX system. The result is a great reduction in the administrative
5232 cost of running a mixed UNIX and NT network.
</P
5240 >Chapter
8. UNIX Permission Bits and WIndows NT Access Control Lists
</A
5248 >8.1. Viewing and changing UNIX permissions using the NT
5252 >New in the Samba
2.0.4 release is the ability for Windows
5253 NT clients to use their native security settings dialog box to
5254 view and modify the underlying UNIX permissions.
</P
5256 >Note that this ability is careful not to compromise
5257 the security of the UNIX host Samba is running on, and
5258 still obeys all the file permission rules that a Samba
5259 administrator can set.
</P
5261 >In Samba
2.0.4 and above the default value of the
5263 HREF=
"smb.conf.5.html#NTACLSUPPORT"
5271 > has been changed from
5279 manipulation of permissions is turned on by default.
</P
5287 >8.2. How to view file security on a Samba share
</A
5290 >From an NT
4.0 client, single-click with the right
5291 mouse button on any file or directory in a Samba mounted
5292 drive letter or UNC path. When the menu pops-up, click
5295 > entry at the bottom of
5296 the menu. This brings up the normal file properties dialog
5297 box, but with Samba
2.0.4 this will have a new tab along the top
5300 >. Click on this tab and you
5301 will see three buttons,
<EM
5311 > button will cause either
5312 an error message
<SPAN
5314 >A requested privilege is not held
5316 > to appear if the user is not the
5317 NT Administrator, or a dialog which is intended to allow an
5318 Administrator to add auditing requirements to a file if the
5319 user is logged on as the NT Administrator. This dialog is
5320 non-functional with a Samba share at this time, as the only
5321 useful button, the
<B
5324 > button will not currently
5325 allow a list of users to be seen.
</P
5333 >8.3. Viewing file ownership
</A
5340 brings up a dialog box telling you who owns the given file. The
5341 owner name will be of the form :
</P
5345 >"SERVER\user (Long name)"</B
5353 > is the NetBIOS name of
5354 the Samba server,
<TT
5359 > is the user name of
5360 the UNIX user who owns the file, and
<TT
5366 is the discriptive string identifying the user (normally found in the
5367 GECOS field of the UNIX password database). Click on the
<B
5371 > button to remove this dialog.
</P
5373 >If the parameter
<TT
5382 > then the file owner will
5383 be shown as the NT user
<B
5391 > button will not allow
5392 you to change the ownership of this file to yourself (clicking on
5393 it will display a dialog box complaining that the user you are
5394 currently logged onto the NT client cannot be found). The reason
5395 for this is that changing the ownership of a file is a privilaged
5396 operation in UNIX, available only to the
<EM
5399 user. As clicking on this button causes NT to attempt to change
5400 the ownership of a file to the current user logged into the NT
5401 client this will not work with Samba at this time.
</P
5403 >There is an NT chown command that will work with Samba
5404 and allow a user with Administrator privillage connected
5405 to a Samba
2.0.4 server as root to change the ownership of
5406 files on both a local NTFS filesystem or remote mounted NTFS
5407 or Samba drive. This is available as part of the
<EM
5410 > NT security library written by Jeremy Allison of
5411 the Samba Team, available from the main Samba ftp site.
</P
5419 >8.4. Viewing file or directory permissions
</A
5422 >The third button is the
<B
5426 button. Clicking on this brings up a dialog box that shows both
5427 the permissions and the UNIX owner of the file or directory.
5428 The owner is displayed in the form :
</P
5432 >"SERVER\user (Long name)"</B
5440 > is the NetBIOS name of
5441 the Samba server,
<TT
5446 > is the user name of
5447 the UNIX user who owns the file, and
<TT
5453 is the discriptive string identifying the user (normally found in the
5454 GECOS field of the UNIX password database).
</P
5456 >If the parameter
<TT
5465 > then the file owner will
5466 be shown as the NT user
<B
5470 permissions will be shown as NT
"Full Control".
</P
5472 >The permissions field is displayed differently for files
5473 and directories, so I'll describe the way file permissions
5474 are displayed first.
</P
5481 >8.4.1. File Permissions
</A
5484 >The standard UNIX user/group/world triple and
5485 the correspinding
"read",
"write",
"execute" permissions
5486 triples are mapped by Samba into a three element NT ACL
5487 with the 'r', 'w', and 'x' bits mapped into the corresponding
5488 NT permissions. The UNIX world permissions are mapped into
5489 the global NT group
<B
5493 by the list of permissions allowed for UNIX world. The UNIX
5494 owner and group permissions are displayed as an NT
5502 > icon respectively followed by the list
5503 of permissions allowed for the UNIX user and group.
</P
5505 >As many UNIX permission sets don't map into common
5516 usually the permissions will be prefixed by the words
<B
5518 > "Special Access"</B
5519 > in the NT display list.
</P
5521 >But what happens if the file has no permissions allowed
5522 for a particular UNIX user group or world component ? In order
5523 to allow
"no permissions" to be seen and modified then Samba
5526 >"Take Ownership"</B
5528 (which has no meaning in UNIX) and reports a component with
5529 no permissions as having the NT
<B
5533 This was chosen of course to make it look like a zero, meaning
5534 zero permissions. More details on the decision behind this will
5543 >8.4.2. Directory Permissions
</A
5546 >Directories on an NT NTFS file system have two
5547 different sets of permissions. The first set of permissions
5548 is the ACL set on the directory itself, this is usually displayed
5549 in the first set of parentheses in the normal
<B
5553 NT style. This first set of permissions is created by Samba in
5554 exactly the same way as normal file permissions are, described
5555 above, and is displayed in the same way.
</P
5557 >The second set of directory permissions has no real meaning
5558 in the UNIX permissions world and represents the
<B
5561 > permissions that any file created within
5562 this directory would inherit.
</P
5564 >Samba synthesises these inherited permissions for NT by
5565 returning as an NT ACL the UNIX permission mode that a new file
5566 created by Samba on this share would receive.
</P
5575 >8.5. Modifying file or directory permissions
</A
5578 >Modifying file and directory permissions is as simple
5579 as changing the displayed permissions in the dialog box, and
5583 > button. However, there are
5584 limitations that a user needs to be aware of, and also interactions
5585 with the standard Samba permission masks and mapping of DOS
5586 attributes that need to also be taken into account.
</P
5588 >If the parameter
<TT
5597 > then any attempt to set
5598 security permissions will fail with an
<B
5604 >The first thing to note is that the
<B
5608 button will not return a list of users in Samba
2.0.4 (it will give
5609 an error message of
<B
5611 >"The remote proceedure call failed
5612 and did not execute"</B
5613 >). This means that you can only
5614 manipulate the current user/group/world permissions listed in
5615 the dialog box. This actually works quite well as these are the
5616 only permissions that UNIX actually has.
</P
5618 >If a permission triple (either user, group, or world)
5619 is removed from the list of permissions in the NT dialog box,
5623 > button is pressed it will
5624 be applied as
"no permissions" on the UNIX side. If you then
5625 view the permissions again the
"no permissions" entry will appear
5629 > flag, as described above. This
5630 allows you to add permissions back to a file or directory once
5631 you have removed them from a triple component.
</P
5633 >As UNIX supports only the
"r",
"w" and
"x" bits of
5634 an NT ACL then if other NT security attributes such as
"Delete
5635 access" are selected then they will be ignored when applied on
5636 the Samba server.
</P
5638 >When setting permissions on a directory the second
5639 set of permissions (in the second set of parentheses) is
5640 by default applied to all files within that directory. If this
5641 is not what you want you must uncheck the
<B
5644 permissions on existing files"</B
5645 > checkbox in the NT
5646 dialog before clicking
<B
5651 >If you wish to remove all permissions from a
5652 user/group/world component then you may either highlight the
5653 component and click the
<B
5657 or set the component to only have the special
<B
5661 > permission (dsplayed as
<B
5673 >8.6. Interaction with the standard Samba create mask
5677 >Note that with Samba
2.0.5 there are four new parameters
5678 to control this interaction. These are :
</P
5690 >force security mode
</I
5697 >directory security mask
</I
5704 >force directory security mode
</I
5708 >Once a user clicks
<B
5712 permissions Samba maps the given permissions into a user/group/world
5713 r/w/x triple set, and then will check the changed permissions for a
5714 file against the bits set in the
<A
5715 HREF=
"smb.conf.5.html#SECURITYMASK"
5724 > parameter. Any bits that
5725 were changed that are not set to '
1' in this parameter are left alone
5726 in the file permissions.
</P
5728 >Essentially, zero bits in the
<TT
5734 mask may be treated as a set of bits the user is
<EM
5737 allowed to change, and one bits are those the user is allowed to change.
5740 >If not set explicitly this parameter is set to the same value as
5742 HREF=
"smb.conf.5.html#CREATEMASK"
5751 > parameter to provide compatibility with Samba
2.0.4
5752 where this permission change facility was introduced. To allow a user to
5753 modify all the user/group/world permissions on a file, set this parameter
5756 >Next Samba checks the changed permissions for a file against
5757 the bits set in the
<A
5758 HREF=
"smb.conf.5.html#FORCESECURITYMODE"
5763 >force security mode
</I
5766 > parameter. Any bits
5767 that were changed that correspond to bits set to '
1' in this parameter
5768 are forced to be set.
</P
5770 >Essentially, bits set in the
<TT
5773 >force security mode
5776 > parameter may be treated as a set of bits that, when
5777 modifying security on a file, the user has always set to be 'on'.
</P
5779 >If not set explicitly this parameter is set to the same value
5781 HREF=
"smb.conf.5.html#FORCECREATEMODE"
5790 > parameter to provide compatibility
5791 with Samba
2.0.4 where the permission change facility was introduced.
5792 To allow a user to modify all the user/group/world permissions on a file,
5793 with no restrictions set this parameter to
000.
</P
5806 > parameters are applied to the change
5807 request in that order.
</P
5809 >For a directory Samba will perform the same operations as
5810 described above for a file except using the parameter
<TT
5813 > directory security mask
</I
5824 >force directory security mode
5827 > parameter instead of
<TT
5830 >force security mode
5838 >directory security mask
</I
5841 by default is set to the same value as the
<TT
5847 > parameter and the
<TT
5850 >force directory security
5853 > parameter by default is set to the same value as
5857 >force directory mode
</I
5859 > parameter to provide
5860 compatibility with Samba
2.0.4 where the permission change facility
5863 >In this way Samba enforces the permission restrictions that
5864 an administrator can set on a Samba share, whilst still allowing users
5865 to modify the permission bits within that restriction.
</P
5867 >If you want to set up a share that allows users full control
5868 in modifying the permission bits on their files and directories and
5869 doesn't force any particular bits to be set 'on', then set the following
5870 parameters in the
<A
5871 HREF=
"smb.conf.5.html"
5878 > file in that share specific section :
</P
5883 >security mask =
0777</I
5890 >force security mode =
0</I
5897 >directory security mask =
0777</I
5904 >force directory security mode =
0</I
5908 >As described, in Samba
2.0.4 the parameters :
</P
5920 >force create mode
</I
5934 >force directory mode
</I
5938 >were used instead of the parameters discussed here.
</P
5946 >8.7. Interaction with the standard Samba file attribute
5950 >Samba maps some of the DOS attribute bits (such as
"read
5951 only") into the UNIX permissions of a file. This means there can
5952 be a conflict between the permission bits set via the security
5953 dialog and the permission bits set by the file attribute mapping.
5956 >One way this can show up is if a file has no UNIX read access
5957 for the owner it will show up as
"read only" in the standard
5958 file attributes tabbed dialog. Unfortunately this dialog is
5959 the same one that contains the security info in another tab.
</P
5961 >What this can mean is that if the owner changes the permissions
5962 to allow themselves read access using the security dialog, clicks
5966 > to get back to the standard attributes tab
5967 dialog, and then clicks
<B
5970 > on that dialog, then
5971 NT will set the file permissions back to read-only (as that is what
5972 the attributes still say in the dialog). This means that after setting
5973 permissions and clicking
<B
5976 > to get back to the
5977 attributes dialog you should always hit
<B
5984 > to ensure that your changes
5985 are not overridden.
</P
5993 >Chapter
9. OS2 Client HOWTO
</A
6009 >9.1.1. How can I configure OS/
2 Warp Connect or
6010 OS/
2 Warp
4 as a client for Samba?
</A
6013 >A more complete answer to this question can be
6015 HREF=
"http://carol.wins.uva.nl/~leeuw/samba/warp.html"
6017 > http://carol.wins.uva.nl/~leeuw/samba/warp.html
</A
6020 >Basically, you need three components:
</P
6026 >The File and Print Client ('IBM Peer')
6031 >TCP/IP ('Internet support')
6036 >The
"NetBIOS over TCP/IP" driver ('TCPBEUI')
6041 >Installing the first two together with the base operating
6042 system on a blank system is explained in the Warp manual. If Warp
6043 has already been installed, but you now want to install the
6044 networking support, use the
"Selective Install for Networking"
6045 object in the
"System Setup" folder.
</P
6047 >Adding the
"NetBIOS over TCP/IP" driver is not described
6048 in the manual and just barely in the online documentation. Start
6049 MPTS.EXE, click on OK, click on
"Configure LAPS" and click
6050 on
"IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
6051 is then moved to 'Current Configuration'. Select that line,
6052 click on
"Change number" and increase it from
0 to
1. Save this
6055 >If the Samba server(s) is not on your local subnet, you
6056 can optionally add IP names and addresses of these servers
6057 to the
"Names List", or specify a WINS server ('NetBIOS
6058 Nameserver' in IBM and RFC terminology). For Warp Connect you
6059 may need to download an update for 'IBM Peer' to bring it on
6060 the same level as Warp
4. See the webpage mentioned above.
</P
6068 >9.1.2. How can I configure OS/
2 Warp
3 (not Connect),
6069 OS/
2 1.2,
1.3 or
2.x for Samba?
</A
6072 >You can use the free Microsoft LAN Manager
2.2c Client
6075 HREF=
"ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/"
6077 > ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/
</A
6080 HREF=
"http://carol.wins.uva.nl/~leeuw/lanman.html"
6082 > http://carol.wins.uva.nl/~leeuw/lanman.html
</A
6084 more information on how to install and use this client. In
6085 a nutshell, edit the file \OS2VER in the root directory of
6086 the OS/
2 boot partition and add the lines:
</P
6095 CLASS=
"PROGRAMLISTING"
6105 >before you install the client. Also, don't use the
6106 included NE2000 driver because it is buggy. Try the NE2000
6107 or NS2000 driver from
6109 HREF=
"ftp://ftp.cdrom.com/pub/os2/network/ndis/"
6111 > ftp://ftp.cdrom.com/pub/os2/network/ndis/
</A
6121 >9.1.3. Are there any other issues when OS/
2 (any version)
6122 is used as a client?
</A
6125 >When you do a NET VIEW or use the
"File and Print
6126 Client Resource Browser", no Samba servers show up. This can
6127 be fixed by a patch from
<A
6128 HREF=
"http://carol.wins.uva.nl/~leeuw/samba/fix.html"
6130 > http://carol.wins.uva.nl/~leeuw/samba/fix.html
</A
6132 The patch will be included in a later version of Samba. It also
6133 fixes a couple of other problems, such as preserving long
6134 filenames when objects are dragged from the Workplace Shell
6135 to the Samba server.
</P
6143 >9.1.4. How do I get printer driver download working
6144 for OS/
2 clients?
</A
6147 >First, create a share called [PRINTDRV] that is
6148 world-readable. Copy your OS/
2 driver files there. Note
6149 that the .EA_ files must still be separate, so you will need
6150 to use the original install files, and not copy an installed
6151 driver from an OS/
2 system.
</P
6153 >Install the NT driver first for that printer. Then,
6154 add to your smb.conf a paramater,
"os2 driver map =
6160 >". Then, in the file
6167 name of the NT driver name to the OS/
2 driver name as
6170 ><nt driver name
> =
<os2 driver
6171 name
>.
<device name
>, e.g.:
6172 HP LaserJet
5L = LASERJET.HP LaserJet
5L</P
6174 >You can have multiple drivers mapped in this file.
</P
6176 >If you only specify the OS/
2 driver name, and not the
6177 device name, the first attempt to download the driver will
6178 actually download the files, but the OS/
2 client will tell
6179 you the driver is not available. On the second attempt, it
6180 will work. This is fixed simply by adding the device name
6181 to the mapping, after which it will work on the first attempt.