updated Makefile to use the ldp DSSSL and regenerated all docs.
[Samba.git] / docs / htmldocs / Samba-HOWTO-Collection.html
blob85ef2feb70563806009bf0bd67db2a5d6147980b
1 <HTML
2 ><HEAD
3 ><TITLE
4 >SAMBA Project Documentation</TITLE
5 ><META
6 NAME="GENERATOR"
7 CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
8 ><BODY
9 CLASS="BOOK"
10 BGCOLOR="#FFFFFF"
11 TEXT="#000000"
12 LINK="#0000FF"
13 VLINK="#840084"
14 ALINK="#0000FF"
15 ><DIV
16 CLASS="BOOK"
17 ><A
18 NAME="SAMBA-PROJECT-DOCUMENTATION"
19 ></A
20 ><DIV
21 CLASS="TITLEPAGE"
22 ><H1
23 CLASS="TITLE"
24 ><A
25 NAME="SAMBA-PROJECT-DOCUMENTATION"
26 >SAMBA Project Documentation</A
27 ></H1
28 ><H3
29 CLASS="AUTHOR"
30 ><A
31 NAME="AEN4"
32 >SAMBA Team</A
33 ></H3
34 ><HR></DIV
35 ><HR><H1
36 ><A
37 NAME="AEN9"
38 >Abstract</A
39 ></H1
40 ><P
41 >This book is a collection of HOWTOs added to Samba documentation over the years.
42 I try to ensure that all are current, but sometimes this is a larger job
43 than one person can maintain. You can always find the latest version of this
44 PDF file at <A
45 HREF="http://www.samba.org/"
46 TARGET="_top"
47 >http://www.samba.org/</A
48 >
49 on the "Documentation" page. Please send updates to <A
50 HREF="mailto:jerry@samba.org"
51 TARGET="_top"
52 >jerry@samba.org</A
53 >.</P
54 ><P
55 >Cheers, jerry</P
56 ><DIV
57 CLASS="TOC"
58 ><DL
59 ><DT
60 ><B
61 >Table of Contents</B
62 ></DT
63 ><DT
64 >1. <A
65 HREF="#AEN15"
66 >How to Install and Test SAMBA</A
67 ></DT
68 ><DD
69 ><DL
70 ><DT
71 >1.1. <A
72 HREF="#AEN17"
73 >Step 0: Read the man pages</A
74 ></DT
75 ><DT
76 >1.2. <A
77 HREF="#AEN25"
78 >Step 1: Building the Binaries</A
79 ></DT
80 ><DT
81 >1.3. <A
82 HREF="#AEN53"
83 >Step 2: The all important step</A
84 ></DT
85 ><DT
86 >1.4. <A
87 HREF="#AEN57"
88 >Step 3: Create the smb configuration file.</A
89 ></DT
90 ><DT
91 >1.5. <A
92 HREF="#AEN71"
93 >Step 4: Test your config file with
94 ><B
95 CLASS="COMMAND"
96 >testparm</B
97 ></A
98 ></DT
99 ><DT
100 >1.6. <A
101 HREF="#AEN77"
102 >Step 5: Starting the smbd and nmbd</A
103 ></DT
104 ><DD
105 ><DL
106 ><DT
107 >1.6.1. <A
108 HREF="#AEN87"
109 >Step 5a: Starting from inetd.conf</A
110 ></DT
111 ><DT
112 >1.6.2. <A
113 HREF="#AEN116"
114 >Step 5b. Alternative: starting it as a daemon</A
115 ></DT
116 ></DL
117 ></DD
118 ><DT
119 >1.7. <A
120 HREF="#AEN132"
121 >Step 6: Try listing the shares available on your
122 server</A
123 ></DT
124 ><DT
125 >1.8. <A
126 HREF="#AEN141"
127 >Step 7: Try connecting with the unix client</A
128 ></DT
129 ><DT
130 >1.9. <A
131 HREF="#AEN157"
132 >Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
133 Win2k, OS/2, etc... client</A
134 ></DT
135 ><DT
136 >1.10. <A
137 HREF="#AEN171"
138 >What If Things Don't Work?</A
139 ></DT
140 ><DD
141 ><DL
142 ><DT
143 >1.10.1. <A
144 HREF="#AEN176"
145 >Diagnosing Problems</A
146 ></DT
147 ><DT
148 >1.10.2. <A
149 HREF="#AEN180"
150 >Scope IDs</A
151 ></DT
152 ><DT
153 >1.10.3. <A
154 HREF="#AEN183"
155 >Choosing the Protocol Level</A
156 ></DT
157 ><DT
158 >1.10.4. <A
159 HREF="#AEN192"
160 >Printing from UNIX to a Client PC</A
161 ></DT
162 ><DT
163 >1.10.5. <A
164 HREF="#AEN196"
165 >Locking</A
166 ></DT
167 ><DT
168 >1.10.6. <A
169 HREF="#AEN206"
170 >Mapping Usernames</A
171 ></DT
172 ><DT
173 >1.10.7. <A
174 HREF="#AEN209"
175 >Other Character Sets</A
176 ></DT
177 ></DL
178 ></DD
179 ></DL
180 ></DD
181 ><DT
182 >2. <A
183 HREF="#AEN212"
184 >LanMan and NT Password Encryption in Samba 2.x</A
185 ></DT
186 ><DD
187 ><DL
188 ><DT
189 >2.1. <A
190 HREF="#AEN223"
191 >Introduction</A
192 ></DT
193 ><DT
194 >2.2. <A
195 HREF="#AEN227"
196 >How does it work?</A
197 ></DT
198 ><DT
199 >2.3. <A
200 HREF="#AEN238"
201 >Important Notes About Security</A
202 ></DT
203 ><DD
204 ><DL
205 ><DT
206 >2.3.1. <A
207 HREF="#AEN257"
208 >Advantages of SMB Encryption</A
209 ></DT
210 ><DT
211 >2.3.2. <A
212 HREF="#AEN264"
213 >Advantages of non-encrypted passwords</A
214 ></DT
215 ></DL
216 ></DD
217 ><DT
218 >2.4. <A
219 HREF="#AEN273"
220 ><A
221 NAME="SMBPASSWDFILEFORMAT"
222 ></A
223 >The smbpasswd file</A
224 ></DT
225 ><DT
226 >2.5. <A
227 HREF="#AEN325"
228 >The smbpasswd Command</A
229 ></DT
230 ><DT
231 >2.6. <A
232 HREF="#AEN364"
233 >Setting up Samba to support LanManager Encryption</A
234 ></DT
235 ></DL
236 ></DD
237 ><DT
238 >3. <A
239 HREF="#AEN379"
240 >Hosting a Microsoft Distributed File System tree on Samba</A
241 ></DT
242 ><DD
243 ><DL
244 ><DT
245 >3.1. <A
246 HREF="#AEN390"
247 >Instructions</A
248 ></DT
249 ><DD
250 ><DL
251 ><DT
252 >3.1.1. <A
253 HREF="#AEN425"
254 >Notes</A
255 ></DT
256 ></DL
257 ></DD
258 ></DL
259 ></DD
260 ><DT
261 >4. <A
262 HREF="#AEN434"
263 >Printing Support in Samba 2.2.x</A
264 ></DT
265 ><DD
266 ><DL
267 ><DT
268 >4.1. <A
269 HREF="#AEN445"
270 >Introduction</A
271 ></DT
272 ><DT
273 >4.2. <A
274 HREF="#AEN462"
275 >Configuration</A
276 ></DT
277 ><DD
278 ><DL
279 ><DT
280 >4.2.1. <A
281 HREF="#AEN472"
282 >Creating [print$]</A
283 ></DT
284 ><DT
285 >4.2.2. <A
286 HREF="#AEN507"
287 >Setting Drivers for Existing Printers</A
288 ></DT
289 ><DT
290 >4.2.3. <A
291 HREF="#AEN520"
292 >Support a large number of printers</A
293 ></DT
294 ><DT
295 >4.2.4. <A
296 HREF="#AEN531"
297 >Adding New Printers via the Windows NT APW</A
298 ></DT
299 ><DT
300 >4.2.5. <A
301 HREF="#AEN556"
302 >Samba and Printer Ports</A
303 ></DT
304 ></DL
305 ></DD
306 ><DT
307 >4.3. <A
308 HREF="#AEN564"
309 >The Imprints Toolset</A
310 ></DT
311 ><DD
312 ><DL
313 ><DT
314 >4.3.1. <A
315 HREF="#AEN568"
316 >What is Imprints?</A
317 ></DT
318 ><DT
319 >4.3.2. <A
320 HREF="#AEN578"
321 >Creating Printer Driver Packages</A
322 ></DT
323 ><DT
324 >4.3.3. <A
325 HREF="#AEN581"
326 >The Imprints server</A
327 ></DT
328 ><DT
329 >4.3.4. <A
330 HREF="#AEN585"
331 >The Installation Client</A
332 ></DT
333 ></DL
334 ></DD
335 ><DT
336 >4.4. <A
337 HREF="#AEN607"
338 ><A
339 NAME="MIGRATION"
340 ></A
341 >Migration from Samba 2.0.x to
342 2.2.x</A
343 ></DT
344 ></DL
345 ></DD
346 ><DT
347 >5. <A
348 HREF="#AEN639"
349 >security = domain in Samba 2.x</A
350 ></DT
351 ><DD
352 ><DL
353 ><DT
354 >5.1. <A
355 HREF="#AEN657"
356 >Joining an NT Domain with Samba 2.2</A
357 ></DT
358 ><DT
359 >5.2. <A
360 HREF="#AEN721"
361 >Samba and Windows 2000 Domains</A
362 ></DT
363 ><DT
364 >5.3. <A
365 HREF="#AEN726"
366 >Why is this better than security = server?</A
367 ></DT
368 ></DL
369 ></DD
370 ><DT
371 >6. <A
372 HREF="#AEN742"
373 >How to Configure Samba 2.2.x as a Primary Domain Controller</A
374 ></DT
375 ><DD
376 ><DL
377 ><DT
378 >6.1. <A
379 HREF="#AEN753"
380 >Background</A
381 ></DT
382 ><DT
383 >6.2. <A
384 HREF="#AEN790"
385 >Configuring the Samba Domain Controller</A
386 ></DT
387 ><DT
388 >6.3. <A
389 HREF="#AEN833"
390 >Creating Machine Trust Accounts and Joining Clients
391 to the Domain</A
392 ></DT
393 ><DT
394 >6.4. <A
395 HREF="#AEN872"
396 >Common Problems and Errors</A
397 ></DT
398 ><DT
399 >6.5. <A
400 HREF="#AEN900"
401 >System Policies and Profiles</A
402 ></DT
403 ><DT
404 >6.6. <A
405 HREF="#AEN940"
406 >What other help can I get ?</A
407 ></DT
408 ><DD
409 ><DL
410 ><DT
411 >6.6.1. <A
412 HREF="#AEN987"
413 >URLs and similar</A
414 ></DT
415 ><DT
416 >6.6.2. <A
417 HREF="#AEN1011"
418 >Mailing Lists</A
419 ></DT
420 ></DL
421 ></DD
422 ><DT
423 >6.7. <A
424 HREF="#AEN1050"
425 >DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
426 ></DT
427 ></DL
428 ></DD
429 ><DT
430 >7. <A
431 HREF="#AEN1074"
432 >Unified Logons between Windows NT and UNIX using Winbind</A
433 ></DT
434 ><DD
435 ><DL
436 ><DT
437 >7.1. <A
438 HREF="#AEN1092"
439 >Abstract</A
440 ></DT
441 ><DT
442 >7.2. <A
443 HREF="#AEN1096"
444 >Introduction</A
445 ></DT
446 ><DT
447 >7.3. <A
448 HREF="#AEN1109"
449 >What Winbind Provides</A
450 ></DT
451 ><DD
452 ><DL
453 ><DT
454 >7.3.1. <A
455 HREF="#AEN1116"
456 >Target Uses</A
457 ></DT
458 ></DL
459 ></DD
460 ><DT
461 >7.4. <A
462 HREF="#AEN1120"
463 >How Winbind Works</A
464 ></DT
465 ><DD
466 ><DL
467 ><DT
468 >7.4.1. <A
469 HREF="#AEN1125"
470 >Microsoft Remote Procedure Calls</A
471 ></DT
472 ><DT
473 >7.4.2. <A
474 HREF="#AEN1129"
475 >Name Service Switch</A
476 ></DT
477 ><DT
478 >7.4.3. <A
479 HREF="#AEN1145"
480 >Pluggable Authentication Modules</A
481 ></DT
482 ><DT
483 >7.4.4. <A
484 HREF="#AEN1153"
485 >User and Group ID Allocation</A
486 ></DT
487 ><DT
488 >7.4.5. <A
489 HREF="#AEN1157"
490 >Result Caching</A
491 ></DT
492 ></DL
493 ></DD
494 ><DT
495 >7.5. <A
496 HREF="#AEN1160"
497 >Installation and Configuration</A
498 ></DT
499 ><DT
500 >7.6. <A
501 HREF="#AEN1166"
502 >Limitations</A
503 ></DT
504 ><DT
505 >7.7. <A
506 HREF="#AEN1178"
507 >Conclusion</A
508 ></DT
509 ></DL
510 ></DD
511 ><DT
512 >8. <A
513 HREF="#AEN1181"
514 >UNIX Permission Bits and Windows NT Access Control Lists</A
515 ></DT
516 ><DD
517 ><DL
518 ><DT
519 >8.1. <A
520 HREF="#AEN1192"
521 >Viewing and changing UNIX permissions using the NT
522 security dialogs</A
523 ></DT
524 ><DT
525 >8.2. <A
526 HREF="#AEN1201"
527 >How to view file security on a Samba share</A
528 ></DT
529 ><DT
530 >8.3. <A
531 HREF="#AEN1212"
532 >Viewing file ownership</A
533 ></DT
534 ><DT
535 >8.4. <A
536 HREF="#AEN1232"
537 >Viewing file or directory permissions</A
538 ></DT
539 ><DD
540 ><DL
541 ><DT
542 >8.4.1. <A
543 HREF="#AEN1247"
544 >File Permissions</A
545 ></DT
546 ><DT
547 >8.4.2. <A
548 HREF="#AEN1261"
549 >Directory Permissions</A
550 ></DT
551 ></DL
552 ></DD
553 ><DT
554 >8.5. <A
555 HREF="#AEN1268"
556 >Modifying file or directory permissions</A
557 ></DT
558 ><DT
559 >8.6. <A
560 HREF="#AEN1290"
561 >Interaction with the standard Samba create mask
562 parameters</A
563 ></DT
564 ><DT
565 >8.7. <A
566 HREF="#AEN1354"
567 >Interaction with the standard Samba file attribute
568 mapping</A
569 ></DT
570 ></DL
571 ></DD
572 ><DT
573 >9. <A
574 HREF="#AEN1364"
575 >OS2 Client HOWTO</A
576 ></DT
577 ><DD
578 ><DL
579 ><DT
580 >9.1. <A
581 HREF="#AEN1375"
582 >FAQs</A
583 ></DT
584 ><DD
585 ><DL
586 ><DT
587 >9.1.1. <A
588 HREF="#AEN1377"
589 >How can I configure OS/2 Warp Connect or
590 OS/2 Warp 4 as a client for Samba?</A
591 ></DT
592 ><DT
593 >9.1.2. <A
594 HREF="#AEN1392"
595 >How can I configure OS/2 Warp 3 (not Connect),
596 OS/2 1.2, 1.3 or 2.x for Samba?</A
597 ></DT
598 ><DT
599 >9.1.3. <A
600 HREF="#AEN1401"
601 >Are there any other issues when OS/2 (any version)
602 is used as a client?</A
603 ></DT
604 ><DT
605 >9.1.4. <A
606 HREF="#AEN1405"
607 >How do I get printer driver download working
608 for OS/2 clients?</A
609 ></DT
610 ></DL
611 ></DD
612 ></DL
613 ></DD
614 ></DL
615 ></DIV
616 ><DIV
617 CLASS="CHAPTER"
618 ><HR><H1
619 ><A
620 NAME="AEN15"
621 >Chapter 1. How to Install and Test SAMBA</A
622 ></H1
623 ><DIV
624 CLASS="SECT1"
625 ><H1
626 CLASS="SECT1"
627 ><A
628 NAME="AEN17"
629 >1.1. Step 0: Read the man pages</A
630 ></H1
631 ><P
632 >The man pages distributed with SAMBA contain
633 lots of useful info that will help to get you started.
634 If you don't know how to read man pages then try
635 something like:</P
636 ><P
637 ><TT
638 CLASS="PROMPT"
639 >$ </TT
640 ><TT
641 CLASS="USERINPUT"
642 ><B
643 >nroff -man smbd.8 | more
644 </B
645 ></TT
646 ></P
647 ><P
648 >Other sources of information are pointed to
649 by the Samba web site, <A
650 HREF="http://www.samba.org/"
651 TARGET="_top"
652 > http://www.samba.org</A
653 ></P
654 ></DIV
655 ><DIV
656 CLASS="SECT1"
657 ><HR><H1
658 CLASS="SECT1"
659 ><A
660 NAME="AEN25"
661 >1.2. Step 1: Building the Binaries</A
662 ></H1
663 ><P
664 >To do this, first run the program <B
665 CLASS="COMMAND"
666 >./configure
667 </B
668 > in the source directory. This should automatically
669 configure Samba for your operating system. If you have unusual
670 needs then you may wish to run</P
671 ><P
672 ><TT
673 CLASS="PROMPT"
674 >root# </TT
675 ><TT
676 CLASS="USERINPUT"
677 ><B
678 >./configure --help
679 </B
680 ></TT
681 ></P
682 ><P
683 >first to see what special options you can enable.
684 Then executing</P
685 ><P
686 ><TT
687 CLASS="PROMPT"
688 >root# </TT
689 ><TT
690 CLASS="USERINPUT"
691 ><B
692 >make</B
693 ></TT
694 ></P
695 ><P
696 >will create the binaries. Once it's successfully
697 compiled you can use </P
698 ><P
699 ><TT
700 CLASS="PROMPT"
701 >root# </TT
702 ><TT
703 CLASS="USERINPUT"
704 ><B
705 >make install</B
706 ></TT
707 ></P
708 ><P
709 >to install the binaries and manual pages. You can
710 separately install the binaries and/or man pages using</P
711 ><P
712 ><TT
713 CLASS="PROMPT"
714 >root# </TT
715 ><TT
716 CLASS="USERINPUT"
717 ><B
718 >make installbin
719 </B
720 ></TT
721 ></P
722 ><P
723 >and</P
724 ><P
725 ><TT
726 CLASS="PROMPT"
727 >root# </TT
728 ><TT
729 CLASS="USERINPUT"
730 ><B
731 >make installman
732 </B
733 ></TT
734 ></P
735 ><P
736 >Note that if you are upgrading from a previous version
737 of Samba you might like to know that the old versions of
738 the binaries will be renamed with a ".old" extension. You
739 can go back to the previous version with</P
740 ><P
741 ><TT
742 CLASS="PROMPT"
743 >root# </TT
744 ><TT
745 CLASS="USERINPUT"
746 ><B
747 >make revert
748 </B
749 ></TT
750 ></P
751 ><P
752 >if you find this version a disaster!</P
753 ></DIV
754 ><DIV
755 CLASS="SECT1"
756 ><HR><H1
757 CLASS="SECT1"
758 ><A
759 NAME="AEN53"
760 >1.3. Step 2: The all important step</A
761 ></H1
762 ><P
763 >At this stage you must fetch yourself a
764 coffee or other drink you find stimulating. Getting the rest
765 of the install right can sometimes be tricky, so you will
766 probably need it.</P
767 ><P
768 >If you have installed samba before then you can skip
769 this step.</P
770 ></DIV
771 ><DIV
772 CLASS="SECT1"
773 ><HR><H1
774 CLASS="SECT1"
775 ><A
776 NAME="AEN57"
777 >1.4. Step 3: Create the smb configuration file.</A
778 ></H1
779 ><P
780 >There are sample configuration files in the examples
781 subdirectory in the distribution. I suggest you read them
782 carefully so you can see how the options go together in
783 practice. See the man page for all the options.</P
784 ><P
785 >The simplest useful configuration file would be
786 something like this:</P
787 ><P
788 ><TABLE
789 BORDER="0"
790 BGCOLOR="#E0E0E0"
791 WIDTH="100%"
792 ><TR
793 ><TD
794 ><PRE
795 CLASS="PROGRAMLISTING"
796 > [global]
797 workgroup = MYGROUP
798 
799 [homes]
800 guest ok = no
801 read only = no
802 </PRE
803 ></TD
804 ></TR
805 ></TABLE
806 ></P
807 ><P
808 >which would allow connections by anyone with an
809 account on the server, using either their login name or
810 "homes" as the service name. (Note that I also set the
811 workgroup that Samba is part of. See BROWSING.txt for details)</P
812 ><P
813 >Note that <B
814 CLASS="COMMAND"
815 >make install</B
816 > will not install
817 a <TT
818 CLASS="FILENAME"
819 >smb.conf</TT
820 > file. You need to create it
821 yourself. </P
822 ><P
823 >Make sure you put the smb.conf file in the same place
824 you specified in the <TT
825 CLASS="FILENAME"
826 >Makefile</TT
827 > (the default is to
828 look for it in <TT
829 CLASS="FILENAME"
830 >/usr/local/samba/lib/</TT
831 >).</P
832 ><P
833 >For more information about security settings for the
834 [homes] share please refer to the document UNIX_SECURITY.txt.</P
835 ></DIV
836 ><DIV
837 CLASS="SECT1"
838 ><HR><H1
839 CLASS="SECT1"
840 ><A
841 NAME="AEN71"
842 >1.5. Step 4: Test your config file with
843 ><B
844 CLASS="COMMAND"
845 >testparm</B
846 ></A
847 ></H1
848 ><P
849 >It's important that you test the validity of your
850 <TT
851 CLASS="FILENAME"
852 >smb.conf</TT
853 > file using the testparm program.
854 If testparm runs OK then it will list the loaded services. If
855 not it will give an error message.</P
856 ><P
857 >Make sure it runs OK and that the services look
858 reasonable before proceeding. </P
859 ></DIV
860 ><DIV
861 CLASS="SECT1"
862 ><HR><H1
863 CLASS="SECT1"
864 ><A
865 NAME="AEN77"
866 >1.6. Step 5: Starting the smbd and nmbd</A
867 ></H1
868 ><P
869 >You must choose to start smbd and nmbd either
870 as daemons or from <B
871 CLASS="COMMAND"
872 >inetd</B
873 >. Don't try
874 to do both! Either you can put them in <TT
875 CLASS="FILENAME"
876 > inetd.conf</TT
877 > and have them started on demand
878 by <B
879 CLASS="COMMAND"
880 >inetd</B
881 >, or you can start them as
882 daemons either from the command line or in <TT
883 CLASS="FILENAME"
884 > /etc/rc.local</TT
885 >. See the man pages for details
886 on the command line options. Take particular care to read
887 the bit about what user you need to be in order to start
888 Samba. In many cases you must be root.</P
889 ><P
890 >The main advantage of starting <B
891 CLASS="COMMAND"
892 >smbd</B
893 >
894 and <B
895 CLASS="COMMAND"
896 >nmbd</B
897 > as a daemon is that they will
898 respond slightly more quickly to an initial connection
899 request. This is, however, unlikely to be a problem.</P
900 ><DIV
901 CLASS="SECT2"
902 ><HR><H2
903 CLASS="SECT2"
904 ><A
905 NAME="AEN87"
906 >1.6.1. Step 5a: Starting from inetd.conf</A
907 ></H2
908 ><P
909 >NOTE: The following will be different if
910 you use NIS or NIS+ to distribute services maps.</P
911 ><P
912 >Look at your <TT
913 CLASS="FILENAME"
914 >/etc/services</TT
915 >.
916 What is defined at port 139/tcp? If nothing is defined
917 then add a line like this:</P
918 ><P
919 ><TT
920 CLASS="USERINPUT"
921 ><B
922 >netbios-ssn 139/tcp</B
923 ></TT
924 ></P
925 ><P
926 >Similarly for 137/udp you should have an entry like:</P
927 ><P
928 ><TT
929 CLASS="USERINPUT"
930 ><B
931 >netbios-ns 137/udp</B
932 ></TT
933 ></P
934 ><P
935 >Next edit your <TT
936 CLASS="FILENAME"
937 >/etc/inetd.conf</TT
938 >
939 and add two lines something like this:</P
940 ><P
941 ><TABLE
942 BORDER="0"
943 BGCOLOR="#E0E0E0"
944 WIDTH="100%"
945 ><TR
946 ><TD
947 ><PRE
948 CLASS="PROGRAMLISTING"
949 > netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
950 netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
951 </PRE
952 ></TD
953 ></TR
954 ></TABLE
955 ></P
956 ><P
957 >The exact syntax of <TT
958 CLASS="FILENAME"
959 >/etc/inetd.conf</TT
960 >
961 varies between unixes. Look at the other entries in inetd.conf
962 for a guide.</P
963 ><P
964 >NOTE: Some unixes already have entries like netbios_ns
965 (note the underscore) in <TT
966 CLASS="FILENAME"
967 >/etc/services</TT
968 >.
969 You must either edit <TT
970 CLASS="FILENAME"
971 >/etc/services</TT
972 > or
973 <TT
974 CLASS="FILENAME"
975 >/etc/inetd.conf</TT
976 > to make them consistent.</P
977 ><P
978 >NOTE: On many systems you may need to use the
979 "interfaces" option in smb.conf to specify the IP address
980 and netmask of your interfaces. Run <B
981 CLASS="COMMAND"
982 >ifconfig</B
983 >
984 as root if you don't know what the broadcast is for your
985 net. <B
986 CLASS="COMMAND"
987 >nmbd</B
988 > tries to determine it at run
989 time, but fails on some unixes. See the section on "testing nmbd"
990 for a method of finding out if you need to do this.</P
991 ><P
992 >!!!WARNING!!! Many unixes only accept around 5
993 parameters on the command line in <TT
994 CLASS="FILENAME"
995 >inetd.conf</TT
996 >.
997 This means you shouldn't use spaces between the options and
998 arguments, or you should use a script, and start the script
999 from <B
1000 CLASS="COMMAND"
1001 >inetd</B
1002 >.</P
1003 ><P
1004 >Restart <B
1005 CLASS="COMMAND"
1006 >inetd</B
1007 >, perhaps just send
1008 it a HUP. If you have installed an earlier version of <B
1009 CLASS="COMMAND"
1010 > nmbd</B
1011 > then you may need to kill nmbd as well.</P
1012 ></DIV
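><P
>The checks that Step 5a asks you to make by hand, as an added Python example that is not part of the HOWTO: it parses constructed /etc/services and /etc/inetd.conf samples and reports a missing or differently spelled service name, a name that does not match between the two files, and an inetd.conf line that passes too many arguments to the server. Counting only the server arguments, and the threshold of five, are this example's assumptions about the warning in the text.</P>

```python
# Added example, not part of the Samba HOWTO: check the /etc/services and /etc/inetd.conf
# entries Step 5a asks for. The inputs below are constructed samples, not real system files.

# Constructed /etc/services: 137/udp uses the underscore spelling the HOWTO warns about.
SERVICES_TEXT = """\
# Network services, Internet style
ftp          21/tcp
netbios_ns  137/udp
netbios-ssn 139/tcp
"""
# Constructed /etc/inetd.conf: hyphen spelling for nmbd (so it does not match the services
# file) and an smbd line with more arguments than the HOWTO says some inetds accept.
INETD_TEXT = """\
ftp         stream tcp nowait root /usr/sbin/ftpd ftpd
netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd -d 3 -l /var/log/smbd -s /usr/local/samba/lib/smb.conf
netbios-ns  dgram  udp wait   root /usr/local/samba/bin/nmbd nmbd
"""

WANTED = {"139/tcp": "netbios-ssn", "137/udp": "netbios-ns"}  # port/proto -> name to use
MAX_INETD_ARGS = 5  # assumption: the HOWTO's "around 5 parameters", counted as server args

def _fields(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_services(text):
    """Map 'port/proto' -> service name from /etc/services style text."""
    return {f[1]: f[0] for f in _fields(text) if len(f) >= 2}

def parse_inetd(text):
    """Map service name -> server argv (argv[0] onward) from inetd.conf style text."""
    # service socket-type protocol wait/nowait user server-path server-args...
    return {f[0]: f[6:] for f in _fields(text) if len(f) >= 7}

def check_inetd_setup(services_text, inetd_text):
    """Return findings as strings; an empty list means the two files agree."""
    services, inetd, findings = parse_services(services_text), parse_inetd(inetd_text), []
    for port_proto, expected in WANTED.items():
        name = services.get(port_proto)
        if name is None:
            findings.append(f"{port_proto} missing from /etc/services; add '{expected} {port_proto}'")
            continue
        if name != expected:
            findings.append(f"{port_proto} is named '{name}' in /etc/services, not '{expected}'")
        if name not in inetd:
            findings.append(f"/etc/inetd.conf has no '{name}' entry; the name must match /etc/services")
        elif len(inetd[name]) > MAX_INETD_ARGS:
            findings.append(f"'{name}' passes {len(inetd[name])} arguments; some inetds accept only "
                            f"about {MAX_INETD_ARGS}, so start a wrapper script instead")
    return findings

if __name__ == "__main__":
    for finding in check_inetd_setup(SERVICES_TEXT, INETD_TEXT):
        print("-", finding)
```
<BR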
1013 ><DIV
1014 CLASS="SECT2"
1015 ><HR><H2
1016 CLASS="SECT2"
1017 ><A
1018 NAME="AEN116"
1019 >1.6.2. Step 5b. Alternative: starting it as a daemon</A
1020 ></H2
1021 ><P
1022 >To start the server as a daemon you should create
1023 a script something like this one, perhaps calling
1024 it <TT
1025 CLASS="FILENAME"
1026 >startsmb</TT
1027 >.</P
1028 ><P
1029 ><TABLE
1030 BORDER="0"
1031 BGCOLOR="#E0E0E0"
1032 WIDTH="100%"
1033 ><TR
1034 ><TD
1035 ><PRE
1036 CLASS="PROGRAMLISTING"
1037 > #!/bin/sh
1038 /usr/local/samba/bin/smbd -D
1039 /usr/local/samba/bin/nmbd -D
1040 </PRE
1041 ></TD
1042 ></TR
1043 ></TABLE
1044 ></P
1045 ><P
1046 >then make it executable with <B
1047 CLASS="COMMAND"
1048 >chmod
1049 +x startsmb</B
1050 ></P
1051 ><P
1052 >You can then run <B
1053 CLASS="COMMAND"
1054 >startsmb</B
1055 > by
1056 hand or execute it from <TT
1057 CLASS="FILENAME"
1058 >/etc/rc.local</TT
1059 >
1060 ></P
1061 ><P
1062 >To kill it send a kill signal to the processes
1063 <B
1064 CLASS="COMMAND"
1065 >nmbd</B
1066 > and <B
1067 CLASS="COMMAND"
1068 >smbd</B
1069 >.</P
1070 ><P
1071 >NOTE: If you use the SVR4 style init system then
1072 you may like to look at the <TT
1073 CLASS="FILENAME"
1074 >examples/svr4-startup</TT
1075 >
1076 script to make Samba fit into that system.</P
1077 ></DIV
1078 ></DIV
1079 ><DIV
1080 CLASS="SECT1"
1081 ><HR><H1
1082 CLASS="SECT1"
1083 ><A
1084 NAME="AEN132"
1085 >1.7. Step 6: Try listing the shares available on your
1086 server</A
1087 ></H1
1088 ><P
1089 ><TT
1090 CLASS="PROMPT"
1091 >$ </TT
1092 ><TT
1093 CLASS="USERINPUT"
1094 ><B
1095 >smbclient -L
1096 <TT
1097 CLASS="REPLACEABLE"
1098 ><I
1099 >yourhostname</I
1100 ></TT
1101 ></B
1102 ></TT
1103 ></P
1104 ><P
1105 >You should get back a list of shares available on
1106 your server. If you don't then something is incorrectly setup.
1107 Note that this method can also be used to see what shares
1108 are available on other LanManager clients (such as WfWg).</P
1109 ><P
1110 >If you choose user level security then you may find
1111 that Samba requests a password before it will list the shares.
1112 See the <B
1113 CLASS="COMMAND"
1114 >smbclient</B
1115 > man page for details. (you
1116 can force it to list the shares without a password by
1117 adding the option -U% to the command line. This will not work
1118 with non-Samba servers)</P
1119 ></DIV
1120 ><DIV
1121 CLASS="SECT1"
1122 ><HR><H1
1123 CLASS="SECT1"
1124 ><A
1125 NAME="AEN141"
1126 >1.8. Step 7: Try connecting with the unix client</A
1127 ></H1
1128 ><P
1129 ><TT
1130 CLASS="PROMPT"
1131 >$ </TT
1132 ><TT
1133 CLASS="USERINPUT"
1134 ><B
1135 >smbclient <TT
1136 CLASS="REPLACEABLE"
1137 ><I
1138 > //yourhostname/aservice</I
1139 ></TT
1140 ></B
1141 ></TT
1142 ></P
1143 ><P
1144 >Typically the <TT
1145 CLASS="REPLACEABLE"
1146 ><I
1147 >yourhostname</I
1148 ></TT
1149 >
1150 would be the name of the host where you installed <B
1151 CLASS="COMMAND"
1152 > smbd</B
1153 >. The <TT
1154 CLASS="REPLACEABLE"
1155 ><I
1156 >aservice</I
1157 ></TT
1158 > is
1159 any service you have defined in the <TT
1160 CLASS="FILENAME"
1161 >smb.conf</TT
1162 >
1163 file. Try your user name if you just have a [homes] section
1164 in <TT
1165 CLASS="FILENAME"
1166 >smb.conf</TT
1167 >.</P
1168 ><P
1169 >For example if your unix host is bambi and your login
1170 name is fred you would type:</P
1171 ><P
1172 ><TT
1173 CLASS="PROMPT"
1174 >$ </TT
1175 ><TT
1176 CLASS="USERINPUT"
1177 ><B
1178 >smbclient //bambi/fred
1179 </B
1180 ></TT
1181 ></P
1182 ></DIV
1183 ><DIV
1184 CLASS="SECT1"
1185 ><HR><H1
1186 CLASS="SECT1"
1187 ><A
1188 NAME="AEN157"
1189 >1.9. Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
1190 Win2k, OS/2, etc... client</A
1191 ></H1
1192 ><P
1193 >Try mounting disks. eg:</P
1194 ><P
1195 ><TT
1196 CLASS="PROMPT"
1197 >C:\WINDOWS\&#62; </TT
1198 ><TT
1199 CLASS="USERINPUT"
1200 ><B
1201 >net use d: \\servername\service
1202 </B
1203 ></TT
1204 ></P
1205 ><P
1206 >Try printing. eg:</P
1207 ><P
1208 ><TT
1209 CLASS="PROMPT"
1210 >C:\WINDOWS\&#62; </TT
1211 ><TT
1212 CLASS="USERINPUT"
1213 ><B
1214 >net use lpt1:
1215 \\servername\spoolservice</B
1216 ></TT
1217 ></P
1218 ><P
1219 ><TT
1220 CLASS="PROMPT"
1221 >C:\WINDOWS\&#62; </TT
1222 ><TT
1223 CLASS="USERINPUT"
1224 ><B
1225 >print filename
1226 </B
1227 ></TT
1228 ></P
1229 ><P
1230 >Celebrate, or send me a bug report!</P
1231 ></DIV
1232 ><DIV
1233 CLASS="SECT1"
1234 ><HR><H1
1235 CLASS="SECT1"
1236 ><A
1237 NAME="AEN171"
1238 >1.10. What If Things Don't Work?</A
1239 ></H1
1240 ><P
1241 >If nothing works and you start to think "who wrote
1242 this pile of trash" then I suggest you do step 2 again (and
1243 again) till you calm down.</P
1244 ><P
1245 >Then you might read the file DIAGNOSIS.txt and the
1246 FAQ. If you are still stuck then try the mailing list or
1247 newsgroup (look in the README for details). Samba has been
1248 successfully installed at thousands of sites worldwide, so maybe
1249 someone else has hit your problem and has overcome it. You could
1250 also use the WWW site to scan back issues of the samba-digest.</P
1251 ><P
1252 >When you fix the problem PLEASE send me some updates to the
1253 documentation (or source code) so that the next person will find it
1254 easier. </P
1255 ><DIV
1256 CLASS="SECT2"
1257 ><HR><H2
1258 CLASS="SECT2"
1259 ><A
1260 NAME="AEN176"
1261 >1.10.1. Diagnosing Problems</A
1262 ></H2
1263 ><P
1264 >If you have installation problems then go to
1265 <TT
1266 CLASS="FILENAME"
1267 >DIAGNOSIS.txt</TT
1268 > to try to find the
1269 problem.</P
1270 ></DIV
1271 ><DIV
1272 CLASS="SECT2"
1273 ><HR><H2
1274 CLASS="SECT2"
1275 ><A
1276 NAME="AEN180"
1277 >1.10.2. Scope IDs</A
1278 ></H2
1279 ><P
1280 >By default Samba uses a blank scope ID. This means
1281 all your windows boxes must also have a blank scope ID.
1282 If you really want to use a non-blank scope ID then you will
1283 need to use the -i &#60;scope&#62; option to nmbd, smbd, and
1284 smbclient. All your PCs will need to have the same setting for
1285 this to work. I do not recommend scope IDs.</P
1286 ></DIV
1287 ><DIV
1288 CLASS="SECT2"
1289 ><HR><H2
1290 CLASS="SECT2"
1291 ><A
1292 NAME="AEN183"
1293 >1.10.3. Choosing the Protocol Level</A
1294 ></H2
1295 ><P
1296 >The SMB protocol has many dialects. Currently
1297 Samba supports 5, called CORE, COREPLUS, LANMAN1,
1298 LANMAN2 and NT1.</P
1299 ><P
1300 >You can choose what maximum protocol to support
1301 in the <TT
1302 CLASS="FILENAME"
1303 >smb.conf</TT
1304 > file. The default is
1305 NT1 and that is the best for the vast majority of sites.</P
1306 ><P
1307 >In older versions of Samba you may have found it
1308 necessary to use COREPLUS. The limitations that led to
1309 this have mostly been fixed. It is now less likely that you
1310 will want to use less than LANMAN1. The only remaining advantage
1311 of COREPLUS is that for some obscure reason WfWg preserves
1312 the case of passwords in this protocol, whereas under LANMAN1,
1313 LANMAN2 or NT1 it uppercases all passwords before sending them,
1314 forcing you to use the "password level=" option in some cases.</P
1315 ><P
1316 >The main advantage of LANMAN2 and NT1 is support for
1317 long filenames with some clients (eg: smbclient, Windows NT
1318 or Win95). </P
1319 ><P
1320 >See the smb.conf(5) manual page for more details.</P
1321 ><P
1322 >Note: To support print queue reporting you may find
1323 that you have to use TCP/IP as the default protocol under
1324 WfWg. For some reason if you leave Netbeui as the default
1325 it may break the print queue reporting on some systems.
1326 It is presumably a WfWg bug.</P
1327 ></DIV
1328 ><DIV
1329 CLASS="SECT2"
1330 ><HR><H2
1331 CLASS="SECT2"
1332 ><A
1333 NAME="AEN192"
1334 >1.10.4. Printing from UNIX to a Client PC</A
1335 ></H2
1336 ><P
1337 >To use a printer that is available via a smb-based
1338 server from a unix host you will need to compile the
1339 smbclient program. You then need to install the script
1340 "smbprint". Read the instructions in smbprint for more details.
1341 </P
1342 ><P
1343 >There is also a SYSV style script that does much
1344 the same thing called smbprint.sysv. It contains instructions.</P
1345 ></DIV
1346 ><DIV
1347 CLASS="SECT2"
1348 ><HR><H2
1349 CLASS="SECT2"
1350 ><A
1351 NAME="AEN196"
1352 >1.10.5. Locking</A
1353 ></H2
1354 ><P
1355 >One area which sometimes causes trouble is locking.</P
1356 ><P
1357 >There are two types of locking which need to be
1358 performed by an SMB server. The first is "record locking"
1359 which allows a client to lock a range of bytes in an open file.
1360 The second is the "deny modes" that are specified when a file
1361 is open.</P
1362 ><P
1363 >Samba supports "record locking" using the fcntl() unix system
1364 call. This is often implemented using rpc calls to a rpc.lockd process
1365 running on the system that owns the filesystem. Unfortunately many
1366 rpc.lockd implementations are very buggy, particularly when made to
1367 talk to versions from other vendors. It is not uncommon for the
1368 rpc.lockd to crash.</P
1369 ><P
1370 >There is also a problem translating the 32 bit lock
1371 requests generated by PC clients to 31 bit requests supported
1372 by most unixes. Unfortunately many PC applications (typically
1373 OLE2 applications) use byte ranges with the top bit set
1374 as semaphore sets. Samba attempts translation to support
1375 these types of applications, and the translation has proved
1376 to be quite successful.</P
1377 ><P
1378 >Strictly an SMB server should check for locks before
1379 every read and write call on a file. Unfortunately with the
1380 way fcntl() works this can be slow and may overstress the
1381 rpc.lockd. It is also almost always unnecessary as clients
1382 are supposed to independently make locking calls before reads
1383 and writes anyway if locking is important to them. By default
1384 Samba only makes locking calls when explicitly asked
1385 to by a client, but if you set "strict locking = yes" then it will
1386 make lock checking calls on every read and write. </P
1387 ><P
1388 >You can also disable byte range locking completely
1389 using "locking = no". This is useful for those shares that
1390 don't support locking or don't need it (such as cdroms). In
1391 this case Samba fakes the return codes of locking calls to
1392 tell clients that everything is OK.</P
1393 ><P
1394 >The second class of locking is the "deny modes". These
1395 are set by an application when it opens a file to determine
1396 what types of access should be allowed simultaneously with
1397 its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE
1398 or DENY_ALL. There are also special compatibility modes called
1399 DENY_FCB and DENY_DOS.</P
1400 ><P
1401 >You can disable share modes using "share modes = no".
1402 This may be useful on a heavily loaded server as the share
1403 modes code is very slow. See also the FAST_SHARE_MODES
1404 option in the Makefile for a way to do full share modes
1405 very fast using shared memory (if your OS supports it).</P
1406 ></DIV
1407 ><DIV
1408 CLASS="SECT2"
1409 ><HR><H2
1410 CLASS="SECT2"
1411 ><A
1412 NAME="AEN206"
1413 >1.10.6. Mapping Usernames</A
1414 ></H2
1415 ><P
1416 >If you have different usernames on the PCs and
1417 the unix server then take a look at the "username map" option.
1418 See the smb.conf man page for details.</P
1419 ></DIV
1420 ><DIV
1421 CLASS="SECT2"
1422 ><HR><H2
1423 CLASS="SECT2"
1424 ><A
1425 NAME="AEN209"
1426 >1.10.7. Other Character Sets</A
1427 ></H2
1428 ><P
1429 >If you have problems using filenames with accented
1430 characters in them (like the German, French or Scandinavian
1431 character sets) then I recommend you look at the "valid chars"
1432 option in smb.conf and also take a look at the validchars
1433 package in the examples directory.</P
1434 ></DIV
1435 ></DIV
1436 ></DIV
1437 ><DIV
1438 CLASS="CHAPTER"
1439 ><HR><H1
1440 ><A
1441 NAME="AEN212"
1442 >Chapter 2. LanMan and NT Password Encryption in Samba 2.x</A
1443 ></H1
1444 ><DIV
1445 CLASS="SECT1"
1446 ><H1
1447 CLASS="SECT1"
1448 ><A
1449 NAME="AEN223"
1450 >2.1. Introduction</A
1451 ></H1
1452 ><P
1453 >With the development of LanManager and Windows NT
1454 compatible password encryption for Samba, it is now able
1455 to validate user connections in exactly the same way as
1456 a LanManager or Windows NT server.</P
1457 ><P
1458 >This document describes how the SMB password encryption
1459 algorithm works and what issues there are in choosing whether
1460 you want to use it. You should read it carefully, especially
1461 the part about security and the "PROS and CONS" section.</P
1462 ></DIV
1463 ><DIV
1464 CLASS="SECT1"
1465 ><HR><H1
1466 CLASS="SECT1"
1467 ><A
1468 NAME="AEN227"
1469 >2.2. How does it work?</A
1470 ></H1
1471 ><P
1472 >LanManager encryption is somewhat similar to UNIX
1473 password encryption. The server uses a file containing a
1474 hashed value of a user's password. This is created by taking
1475 the user's plaintext password, capitalising it, and either
1476 truncating to 14 bytes or padding to 14 bytes with null bytes.
1477 This 14 byte value is used as two 56 bit DES keys to encrypt
1478 a 'magic' eight byte value, forming a 16 byte value which is
1479 stored by the server and client. Let this value be known as
1480 the "hashed password".</P
1481 ><P
1482 >Windows NT encryption is a higher quality mechanism,
1483 consisting of doing an MD4 hash on a Unicode version of the user's
1484 password. This also produces a 16 byte hash value that is
1485 non-reversible.</P
1486 ><P
1487 >When a client (LanManager, Windows for WorkGroups, Windows
1488 95 or Windows NT) wishes to mount a Samba drive (or use a Samba
1489 resource), it first requests a connection and negotiates the
1490 protocol that the client and server will use. In the reply to this
1491 request the Samba server generates and appends an 8 byte, random
1492 value - this is stored in the Samba server after the reply is sent
1493 and is known as the "challenge". The challenge is different for
1494 every client connection.</P
1496 >The client then uses the hashed password (16 byte values
1497 described above), appended with 5 null bytes, as three 56 bit
1498 DES keys, each of which is used to encrypt the challenge 8 byte
1499 value, forming a 24 byte value known as the "response".</P
1501 >In the SMB call SMBsessionsetupX (when user level security
1502 is selected) or the call SMBtconX (when share level security is
1503 selected), the 24 byte response is returned by the client to the
1504 Samba server. For Windows NT protocol levels the above calculation
1505 is done on both hashes of the user's password and both responses are
1506 returned in the SMB call, giving two 24 byte values.</P
1508 >The Samba server then reproduces the above calculation, using
1509 its own stored value of the 16 byte hashed password (read from the
1511 CLASS="FILENAME"
1512 >smbpasswd</TT
1513 > file - described later) and the challenge
1514 value that it kept from the negotiate protocol reply. It then checks
1515 to see if the 24 byte value it calculates matches the 24 byte value
1516 returned to it from the client.</P
1518 >If these values match exactly, then the client knew the
1519 correct password (or the 16 byte hashed value - see security note
1520 below) and is thus allowed access. If not, then the client did not
1521 know the correct password and is denied access.</P
1523 >Note that the Samba server never knows or stores the cleartext
1524 of the user's password - just the 16 byte hashed values derived from
1525 it. Also note that the cleartext password or 16 byte hashed values
1526 are never transmitted over the network - thus increasing security.</P
1527 ></DIV
1528 ><DIV
1529 CLASS="SECT1"
1530 ><HR><H1
1531 CLASS="SECT1"
1533 NAME="AEN238"
1534 >2.3. Important Notes About Security</A
1535 ></H1
1537 >The unix and SMB password encryption techniques seem similar
1538 on the surface. This similarity is, however, only skin deep. The unix
1539 scheme typically sends clear text passwords over the network when
1540 logging in. This is bad. The SMB encryption scheme never sends the
1541 cleartext password over the network but it does store the 16 byte
1542 hashed values on disk. This is also bad. Why? Because the 16 byte hashed
1543 values are a "password equivalent". You cannot derive the user's
1544 password from them, but they could potentially be used in a modified
1545 client to gain access to a server. This would require considerable
1546 technical knowledge on behalf of the attacker but is perfectly possible.
1547 You should thus treat the smbpasswd file as though it contained the
1548 cleartext passwords of all your users. Its contents must be kept
1549 secret, and the file should be protected accordingly.</P
1551 >Ideally we would like a password scheme which requires plain
1552 text passwords neither on the net nor on disk. Unfortunately this
1553 is not available as Samba is stuck with being compatible with
1554 other SMB systems (WinNT, WfWg, Win95 etc). </P
1555 ><DIV
1556 CLASS="WARNING"
1558 ></P
1559 ><TABLE
1560 CLASS="WARNING"
1561 BORDER="1"
1562 WIDTH="100%"
1563 ><TR
1564 ><TD
1565 ALIGN="CENTER"
1567 >Warning</B
1568 ></TD
1569 ></TR
1570 ><TR
1571 ><TD
1572 ALIGN="LEFT"
1574 >Note that Windows NT 4.0 Service pack 3 changed the
1575 default for permissible authentication so that plaintext
1576 passwords are <EM
1577 >never</EM
1578 > sent over the wire.
1579 The solution to this is either to switch to encrypted passwords
1580 with Samba or edit the Windows NT registry to re-enable plaintext
1581 passwords. See the document WinNT.txt for details on how to do
1582 this.</P
1584 >Other Microsoft operating systems which also exhibit
1585 this behavior include</P
1587 ></P
1588 ><UL
1589 ><LI
1591 >MS DOS Network client 3.0 with
1592 the basic network redirector installed</P
1593 ></LI
1594 ><LI
1596 >Windows 95 with the network redirector
1597 update installed</P
1598 ></LI
1599 ><LI
1601 >Windows 98 [se]</P
1602 ></LI
1603 ><LI
1605 >Windows 2000</P
1606 ></LI
1607 ></UL
1609 ><EM
1610 >Note :</EM
1611 >All current releases of
1612 Microsoft SMB/CIFS clients support authentication via the
1613 SMB Challenge/Response mechanism described here. Enabling
1614 clear text authentication does not disable the ability
1615 of the client to participate in encrypted authentication.</P
1616 ></TD
1617 ></TR
1618 ></TABLE
1619 ></DIV
1620 ><DIV
1621 CLASS="SECT2"
1622 ><HR><H2
1623 CLASS="SECT2"
1625 NAME="AEN257"
1626 >2.3.1. Advantages of SMB Encryption</A
1627 ></H2
1629 ></P
1630 ><UL
1631 ><LI
1633 >plain text passwords are not passed across
1634 the network. Someone using a network sniffer cannot just
1635 record passwords going to the SMB server.</P
1636 ></LI
1637 ><LI
1639 >WinNT doesn't like talking to a server
1640 that isn't using SMB encrypted passwords. It will refuse
1641 to browse the server if the server is also in user level
1642 security mode. It will insist on prompting the user for the
1643 password on each connection, which is very annoying. The
1644 only thing you can do to stop this is to use SMB encryption.
1646 ></LI
1647 ></UL
1648 ></DIV
1649 ><DIV
1650 CLASS="SECT2"
1651 ><HR><H2
1652 CLASS="SECT2"
1654 NAME="AEN264"
1655 >2.3.2. Advantages of non-encrypted passwords</A
1656 ></H2
1658 ></P
1659 ><UL
1660 ><LI
1662 >plain text passwords are not kept
1663 on disk. </P
1664 ></LI
1665 ><LI
1667 >uses the same password file as other unix
1668 services such as login and ftp</P
1669 ></LI
1670 ><LI
1672 >you are probably already using other
1673 services (such as telnet and ftp) which send plain text
1674 passwords over the net, so sending them for SMB isn't
1675 such a big deal.</P
1676 ></LI
1677 ></UL
1678 ></DIV
1679 ></DIV
1680 ><DIV
1681 CLASS="SECT1"
1682 ><HR><H1
1683 CLASS="SECT1"
1685 NAME="AEN273"
1686 >2.4. <A
1687 NAME="SMBPASSWDFILEFORMAT"
1688 ></A
1689 >The smbpasswd file</A
1690 ></H1
1692 >In order for Samba to participate in the above protocol
1693 it must be able to look up the 16 byte hashed values given a user name.
1694 Unfortunately, as the UNIX password value is also a one way hash
1695 function (i.e. it is impossible to retrieve the cleartext of the user's
1696 password given the UNIX hash of it), a separate password file
1697 containing this 16 byte value must be kept. To minimise problems with
1698 these two password files (the UNIX <TT
1699 CLASS="FILENAME"
1700 > /etc/passwd</TT
1701 > and the <TT
1702 CLASS="FILENAME"
1703 >smbpasswd</TT
1704 > file) getting out of sync,
1705 a utility, <B
1706 CLASS="COMMAND"
1707 >mksmbpasswd.sh</B
1708 >, is provided to generate
1709 a smbpasswd file from a UNIX <TT
1710 CLASS="FILENAME"
1711 >/etc/passwd</TT
1712 > file.
1715 >To generate the smbpasswd file from your <TT
1716 CLASS="FILENAME"
1717 >/etc/passwd
1718 </TT
1719 > file use the following command :</P
1721 ><TT
1722 CLASS="PROMPT"
1723 >$ </TT
1724 ><TT
1725 CLASS="USERINPUT"
1727 >cat /etc/passwd | mksmbpasswd.sh
1728 &#62; /usr/local/samba/private/smbpasswd</B
1729 ></TT
1730 ></P
1732 >If you are running on a system that uses NIS, use</P
1734 ><TT
1735 CLASS="PROMPT"
1736 >$ </TT
1737 ><TT
1738 CLASS="USERINPUT"
1740 >ypcat passwd | mksmbpasswd.sh
1741 &#62; /usr/local/samba/private/smbpasswd</B
1742 ></TT
1743 ></P
1745 >The <B
1746 CLASS="COMMAND"
1747 >mksmbpasswd.sh</B
1748 > program is found in
1749 the Samba source directory. By default, the smbpasswd file is
1750 stored in :</P
1752 ><TT
1753 CLASS="FILENAME"
1754 >/usr/local/samba/private/smbpasswd</TT
1755 ></P
1757 >The owner of the <TT
1758 CLASS="FILENAME"
1759 >/usr/local/samba/private/</TT
1761 directory should be set to root, and the permissions on it should
1762 be set to 0500 (<B
1763 CLASS="COMMAND"
1764 >chmod 500 /usr/local/samba/private</B
1768 >Likewise, the smbpasswd file inside the private directory should
1769 be owned by root and the permissions on it should be set to 0600
1771 CLASS="COMMAND"
1772 >chmod 600 smbpasswd</B
1773 >).</P
1775 >The format of the smbpasswd file is as follows (the line has been
1776 wrapped here; it should appear as one entry per line in
1777 your smbpasswd file):</P
1779 ><TABLE
1780 BORDER="0"
1781 BGCOLOR="#E0E0E0"
1782 WIDTH="100%"
1783 ><TR
1784 ><TD
1785 ><PRE
1786 CLASS="PROGRAMLISTING"
1787 >username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
1788 [Account type]:LCT-&#60;last-change-time&#62;:Long name
1789 </PRE
1790 ></TD
1791 ></TR
1792 ></TABLE
1793 ></P
1795 >Although only the <TT
1796 CLASS="REPLACEABLE"
1798 >username</I
1799 ></TT
1802 CLASS="REPLACEABLE"
1804 >uid</I
1805 ></TT
1806 >, <TT
1807 CLASS="REPLACEABLE"
1809 > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</I
1810 ></TT
1812 [<TT
1813 CLASS="REPLACEABLE"
1815 >Account type</I
1816 ></TT
1817 >] and <TT
1818 CLASS="REPLACEABLE"
1820 > last-change-time</I
1821 ></TT
1822 > sections are significant
1823 and are looked at in the Samba code.</P
1825 >It is <EM
1826 >VITALLY</EM
1827 > important that there be 32
1828 'X' characters between the two ':' characters in the XXX sections -
1829 the smbpasswd and Samba code will fail to validate any entries that
1830 do not have 32 characters between ':' characters. The first XXX
1831 section is for the Lanman password hash, the second is for the
1832 Windows NT version.</P
1834 >When the password file is created all users have password entries
1835 consisting of 32 'X' characters. By default this disallows any access
1836 as this user. When a user has a password set, the 'X' characters change
1837 to 32 ASCII hexadecimal digits (0-9, A-F). These are an ASCII
1838 representation of the 16 byte hashed value of a user's password.</P
1840 >To set a user to have no password (not recommended), edit the file
1841 using vi, and replace the first 11 characters with the ASCII text
1843 CLASS="CONSTANT"
1844 >"NO PASSWORD"</TT
1845 > (minus the quotes).</P
1847 >For example, to clear the password for user bob, his smbpasswd file
1848 entry would look like :</P
1850 ><TABLE
1851 BORDER="0"
1852 BGCOLOR="#E0E0E0"
1853 WIDTH="100%"
1854 ><TR
1855 ><TD
1856 ><PRE
1857 CLASS="PROGRAMLISTING"
1858 > bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell
1859 </PRE
1860 ></TD
1861 ></TR
1862 ></TABLE
1863 ></P
1865 >If you are allowing users to use the smbpasswd command to set
1866 their own passwords, you may want to give users NO PASSWORD initially
1867 so they do not have to enter a previous password when changing to their
1868 new password (not recommended). In order for you to allow this the
1870 CLASS="COMMAND"
1871 >smbpasswd</B
1872 > program must be able to connect to the
1874 CLASS="COMMAND"
1875 >smbd</B
1876 > daemon as that user with no password. Enable this
1877 by adding the line :</P
1880 CLASS="COMMAND"
1881 >null passwords = yes</B
1882 ></P
1884 >to the [global] section of the smb.conf file (this is why
1885 the above scenario is not recommended). Preferably, allocate your
1886 users a default password to begin with, so you do not have
1887 to enable this on your server.</P
1889 ><EM
1890 >Note : </EM
1891 >This file should be protected very
1892 carefully. Anyone with access to this file can (with enough knowledge of
1893 the protocols) gain access to your SMB server. The file is thus more
1894 sensitive than a normal unix <TT
1895 CLASS="FILENAME"
1896 >/etc/passwd</TT
1897 > file.</P
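An added example (not Samba code) that parses entries in the format described in this section and applies the checks the text lays out: each hash field must be exactly 32 characters, 32 'X' characters mean no access, a "NO PASSWORD" prefix means a null password (only usable with null passwords = yes), and the [flags] and LCT fields are decoded. The sample entries are constructed; the hex values are test data, not hashes from any real system.

```python
"""Parser and sanity checker for the smbpasswd file format (section 2.4).
Added example, not part of Samba."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")  # 16 bytes as 32 ASCII hex digits
DISABLED = "X" * 32                        # what mksmbpasswd.sh writes initially
LCT = re.compile(r"^LCT-([0-9A-Fa-f]{8})$")  # last change time, hex seconds


@dataclass
class SmbEntry:
    username: str
    uid: int
    lm_field: str
    nt_field: str
    flags: str                  # contents of [...] with padding removed
    last_change: Optional[int]  # seconds since the epoch, from LCT-<hex>
    long_name: str


def classify_field(field: str) -> str:
    """Return 'hash', 'disabled', 'nopassword' or 'invalid' for one
    password field.  Anything that is not exactly 32 wide is invalid,
    because smbpasswd and smbd refuse to validate such entries."""
    if len(field) != 32:
        return "invalid"
    if field == DISABLED:
        return "disabled"
    if field.startswith("NO PASSWORD"):
        return "nopassword"     # first 11 characters replaced, as the HOWTO says
    if HEX32.match(field):
        return "hash"
    return "invalid"


def parse_line(line: str) -> SmbEntry:
    """Split one entry: username:uid:LM:NT:[flags]:LCT-<hex>:Long name[:...]"""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 4:
        raise ValueError("need at least username:uid:LM:NT")
    flags, lct, long_name = "", None, ""
    if len(fields) > 4:
        flags = fields[4].strip("[] ")
    if len(fields) > 5:
        m = LCT.match(fields[5])
        lct = int(m.group(1), 16) if m else None
    if len(fields) > 6:
        long_name = fields[6]
    return SmbEntry(fields[0], int(fields[1]), fields[2], fields[3],
                    flags, lct, long_name)


def entry_status(e: SmbEntry) -> str:
    lm, nt = classify_field(e.lm_field), classify_field(e.nt_field)
    if "invalid" in (lm, nt):
        return "invalid"        # Samba will fail to validate this user
    if "nopassword" in (lm, nt):
        return "no password"    # works only with 'null passwords = yes'
    if lm == "disabled" and nt == "disabled":
        return "disabled"       # password never set, all access denied
    return "ok"


def audit(text: str) -> Dict[str, str]:
    """Map each username in an smbpasswd file to its status."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_line(line)
        report[e.username] = entry_status(e)
    return report


# Constructed sample entries (hex values are test data, not real hashes).
SAMPLE = "\n".join([
    "alice:1001:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C"
    ":[U          ]:LCT-3A1B2C3D:Alice Example",
    "bob:100:" + "NO PASSWORD" + "X" * 21 + ":" + DISABLED
    + ":[U          ]:LCT-00000000:Bob's full name:/bobhome:/bobshell",
    "carol:1002:" + DISABLED + ":" + DISABLED + ":[U          ]:LCT-00000000:Carol Example",
    "dave:1003:8846F7EAEE8FB117AD06BDD830B758:" + DISABLED
    + ":[U          ]:LCT-00000000:Dave (truncated hash)",
])

if __name__ == "__main__":
    for user, status in audit(SAMPLE).items():
        print(f"{user:8} {status}")
```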
1898 ></DIV
1899 ><DIV
1900 CLASS="SECT1"
1901 ><HR><H1
1902 CLASS="SECT1"
1904 NAME="AEN325"
1905 >2.5. The smbpasswd Command</A
1906 ></H1
1908 >The smbpasswd command maintains the two 32 byte password fields
1909 in the smbpasswd file. If you wish to make it similar to the unix
1911 CLASS="COMMAND"
1912 >passwd</B
1913 > or <B
1914 CLASS="COMMAND"
1915 >yppasswd</B
1916 > programs,
1917 install it in <TT
1918 CLASS="FILENAME"
1919 >/usr/local/samba/bin/</TT
1920 > (or your
1921 main Samba binary directory).</P
1923 >Note that as of Samba 1.9.18p4 this program <EM
1924 >MUST NOT
1925 BE INSTALLED</EM
1926 > setuid root (the new <B
1927 CLASS="COMMAND"
1928 >smbpasswd</B
1930 code enforces this restriction so it cannot be run this way by
1931 accident).</P
1934 CLASS="COMMAND"
1935 >smbpasswd</B
1936 > now works in a client-server mode
1937 where it contacts the local smbd to change the user's password on its
1938 behalf. This has enormous benefits - as follows.</P
1940 ></P
1941 ><UL
1942 ><LI
1944 >smbpasswd no longer has to be setuid root -
1945 an enormous range of potential security problems is
1946 eliminated.</P
1947 ></LI
1948 ><LI
1951 CLASS="COMMAND"
1952 >smbpasswd</B
1953 > now has the capability
1954 to change passwords on Windows NT servers (this only works when
1955 the request is sent to the NT Primary Domain Controller if you
1956 are changing an NT Domain user's password).</P
1957 ></LI
1958 ></UL
1960 >To run smbpasswd as a normal user just type :</P
1962 ><TT
1963 CLASS="PROMPT"
1964 >$ </TT
1965 ><TT
1966 CLASS="USERINPUT"
1968 >smbpasswd</B
1969 ></TT
1970 ></P
1972 ><TT
1973 CLASS="PROMPT"
1974 >Old SMB password: </TT
1975 ><TT
1976 CLASS="USERINPUT"
1978 >&#60;type old value here -
1979 or hit return if there was no old password&#62;</B
1980 ></TT
1981 ></P
1983 ><TT
1984 CLASS="PROMPT"
1985 >New SMB Password: </TT
1986 ><TT
1987 CLASS="USERINPUT"
1989 >&#60;type new value&#62;
1991 ></TT
1992 ></P
1994 ><TT
1995 CLASS="PROMPT"
1996 >Repeat New SMB Password: </TT
1997 ><TT
1998 CLASS="USERINPUT"
2000 >&#60;re-type new value
2002 ></TT
2003 ></P
2005 >If the old value does not match the current value stored for
2006 that user, or the two new values do not match each other, then the
2007 password will not be changed.</P
2009 >If invoked by an ordinary user it will only allow the user
2010 to change his or her own Samba password.</P
2012 >If run by the root user smbpasswd may take an optional
2013 argument, specifying the user name whose SMB password you wish to
2014 change. Note that when run as root smbpasswd does not prompt for
2015 or check the old password value, thus allowing root to set passwords
2016 for users who have forgotten their passwords.</P
2019 CLASS="COMMAND"
2020 >smbpasswd</B
2021 > is designed to work in the same way
2022 and be familiar to UNIX users who use the <B
2023 CLASS="COMMAND"
2024 >passwd</B
2025 > or
2027 CLASS="COMMAND"
2028 >yppasswd</B
2029 > commands.</P
2031 >For more details on using <B
2032 CLASS="COMMAND"
2033 >smbpasswd</B
2034 > refer
2035 to the man page which will always be the definitive reference.</P
2036 ></DIV
2037 ><DIV
2038 CLASS="SECT1"
2039 ><HR><H1
2040 CLASS="SECT1"
2042 NAME="AEN364"
2043 >2.6. Setting up Samba to support LanManager Encryption</A
2044 ></H1
2046 >This is a very brief description of how to set up Samba to
2047 support password encryption. </P
2049 ></P
2050 ><OL
2051 TYPE="1"
2052 ><LI
2054 >compile and install samba as usual</P
2055 ></LI
2056 ><LI
2058 >enable encrypted passwords in <TT
2059 CLASS="FILENAME"
2060 > smb.conf</TT
2061 > by adding the line <B
2062 CLASS="COMMAND"
2063 >encrypt
2064 passwords = yes</B
2065 > in the [global] section</P
2066 ></LI
2067 ><LI
2069 >create the initial <TT
2070 CLASS="FILENAME"
2071 >smbpasswd</TT
2073 password file in the place you specified in the Makefile
2074 (--prefix=&#60;dir&#62;). See the notes under the <A
2075 HREF="#SMBPASSWDFILEFORMAT"
2076 >The smbpasswd File</A
2078 section earlier in the document for details.</P
2079 ></LI
2080 ></OL
2082 >Note that you can test things using smbclient.</P
2083 ></DIV
2084 ></DIV
2085 ><DIV
2086 CLASS="CHAPTER"
2087 ><HR><H1
2089 NAME="AEN379"
2090 >Chapter 3. Hosting a Microsoft Distributed File System tree on Samba</A
2091 ></H1
2092 ><DIV
2093 CLASS="SECT1"
2094 ><H1
2095 CLASS="SECT1"
2097 NAME="AEN390"
2098 >3.1. Instructions</A
2099 ></H1
2101 >The Distributed File System (or Dfs) provides a means of
2102 separating the logical view of files and directories that users
2103 see from the actual physical locations of these resources on the
2104 network. It allows for higher availability, smoother storage expansion,
2105 load balancing etc. For more information about Dfs, refer to <A
2106 HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp"
2107 TARGET="_top"
2108 > Microsoft documentation</A
2109 >. </P
2111 >This document explains how to host a Dfs tree on a Unix
2112 machine (for Dfs-aware clients to browse) using Samba.</P
2114 >To enable SMB-based DFS for Samba, configure it with the
2116 CLASS="PARAMETER"
2118 >--with-msdfs</I
2119 ></TT
2120 > option. Once built, a
2121 Samba server can be made a Dfs server by setting the global
2122 boolean <A
2123 HREF="smb.conf.5.html#HOSTMSDFS"
2124 TARGET="_top"
2125 ><TT
2126 CLASS="PARAMETER"
2128 > host msdfs</I
2129 ></TT
2130 ></A
2131 > parameter in the <TT
2132 CLASS="FILENAME"
2133 >smb.conf
2134 </TT
2135 > file. You designate a share as a Dfs root using the share
2136 level boolean <A
2137 HREF="smb.conf.5.html#MSDFSROOT"
2138 TARGET="_top"
2139 ><TT
2140 CLASS="PARAMETER"
2142 > msdfs root</I
2143 ></TT
2144 ></A
2145 > parameter. A Dfs root directory on
2146 Samba hosts Dfs links in the form of symbolic links that point
2147 to other servers. For example, a symbolic link
2149 CLASS="FILENAME"
2150 >junction-&#62;msdfs:storage1\share1</TT
2151 > in
2152 the share directory acts as the Dfs junction. When Dfs-aware
2153 clients attempt to access the junction link, they are redirected
2154 to the storage location (in this case, \\storage1\share1).</P
2156 >Dfs trees on Samba work with all Dfs-aware clients ranging
2157 from Windows 95 to 2000.</P
2159 >Here's an example of setting up a Dfs tree on a Samba
2160 server.</P
2162 ><TABLE
2163 BORDER="0"
2164 BGCOLOR="#E0E0E0"
2165 WIDTH="100%"
2166 ><TR
2167 ><TD
2168 ><PRE
2169 CLASS="PROGRAMLISTING"
2170 ># The smb.conf file:
2171 [global]
2172 netbios name = SAMBA
2173 host msdfs = yes
2175 [dfs]
2176 path = /export/dfsroot
2177 msdfs root = yes
2178 </PRE
2179 ></TD
2180 ></TR
2181 ></TABLE
2182 ></P
2184 >In the /export/dfsroot directory we set up our dfs links to
2185 other servers on the network.</P
2187 ><TT
2188 CLASS="PROMPT"
2189 >root# </TT
2190 ><TT
2191 CLASS="USERINPUT"
2193 >cd /export/dfsroot</B
2194 ></TT
2195 ></P
2197 ><TT
2198 CLASS="PROMPT"
2199 >root# </TT
2200 ><TT
2201 CLASS="USERINPUT"
2203 >chown root /export/dfsroot</B
2204 ></TT
2205 ></P
2207 ><TT
2208 CLASS="PROMPT"
2209 >root# </TT
2210 ><TT
2211 CLASS="USERINPUT"
2213 >chmod 755 /export/dfsroot</B
2214 ></TT
2215 ></P
2217 ><TT
2218 CLASS="PROMPT"
2219 >root# </TT
2220 ><TT
2221 CLASS="USERINPUT"
2223 >ln -s msdfs:storageA\\shareA linka</B
2224 ></TT
2225 ></P
2227 ><TT
2228 CLASS="PROMPT"
2229 >root# </TT
2230 ><TT
2231 CLASS="USERINPUT"
2233 >ln -s msdfs:serverB\\share,serverC\\share linkb</B
2234 ></TT
2235 ></P
2237 >You should set up the permissions and ownership of
2238 the directory acting as the Dfs root such that only designated
2239 users can create, delete or modify the msdfs links. Also note
2240 that symlink names should be all lowercase. This limitation exists
2241 to have Samba avoid trying all the case combinations to get at
2242 the link name. Finally set up the symbolic links to point to the
2243 network shares you want, and start Samba.</P
2245 >Users on Dfs-aware clients can now browse the Dfs tree
2246 on the Samba server at \\samba\dfs. Accessing
2247 links linka or linkb (which appear as directories to the client)
2248 takes users directly to the appropriate shares on the network.</P
2249 ><DIV
2250 CLASS="SECT2"
2251 ><HR><H2
2252 CLASS="SECT2"
2254 NAME="AEN425"
2255 >3.1.1. Notes</A
2256 ></H2
2258 ></P
2259 ><UL
2260 ><LI
2262 >Windows clients need to be rebooted
2263 if a previously mounted non-dfs share is made a dfs
2264 root or vice versa. A better way is to introduce a
2265 new share and make it the dfs root.</P
2266 ></LI
2267 ><LI
2269 >Currently there's a restriction that msdfs
2270 symlink names should all be lowercase.</P
2271 ></LI
2272 ><LI
2274 >For security purposes, the directory
2275 acting as the root of the Dfs tree should have ownership
2276 and permissions set so that only designated users can
2277 modify the symbolic links in the directory.</P
2278 ></LI
2279 ></UL
2280 ></DIV
2281 ></DIV
2282 ></DIV
2283 ><DIV
2284 CLASS="CHAPTER"
2285 ><HR><H1
2287 NAME="AEN434"
2288 >Chapter 4. Printing Support in Samba 2.2.x</A
2289 ></H1
2290 ><DIV
2291 CLASS="SECT1"
2292 ><H1
2293 CLASS="SECT1"
2295 NAME="AEN445"
2296 >4.1. Introduction</A
2297 ></H1
2299 >Beginning with the 2.2.0 release, Samba supports
2300 the native Windows NT printing mechanisms implemented via
2301 MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of
2302 Samba only supported LanMan printing calls.</P
2304 >The additional functionality provided by the new
2305 SPOOLSS support includes:</P
2307 ></P
2308 ><UL
2309 ><LI
2311 >Support for downloading printer driver
2312 files to Windows 95/98/NT/2000 clients upon demand.
2314 ></LI
2315 ><LI
2317 >Uploading of printer drivers via the
2318 Windows NT Add Printer Wizard (APW) or the
2319 Imprints tool set (refer to <A
2320 HREF="http://imprints.sourceforge.net"
2321 TARGET="_top"
2322 >http://imprints.sourceforge.net</A
2323 >).
2325 ></LI
2326 ><LI
2328 >Support for the native MS-RPC printing
2329 calls such as StartDocPrinter, EnumJobs(), etc... (See
2330 the MSDN documentation at <A
2331 HREF="http://msdn.microsoft.com/"
2332 TARGET="_top"
2333 >http://msdn.microsoft.com/</A
2335 for more information on the Win32 printing API)
2337 ></LI
2338 ><LI
2340 >Support for NT Access Control Lists (ACL)
2341 on printer objects</P
2342 ></LI
2343 ><LI
2345 >Improved support for printer queue manipulation
2346 through the use of an internal database for spooled job
2347 information</P
2348 ></LI
2349 ></UL
2350 ></DIV
2351 ><DIV
2352 CLASS="SECT1"
2353 ><HR><H1
2354 CLASS="SECT1"
2356 NAME="AEN462"
2357 >4.2. Configuration</A
2358 ></H1
2360 ><EM
2361 >WARNING!!!</EM
2362 > Previous versions of Samba
2363 recommended using a share named [printer$]. This name was taken from the
2364 printer$ service created by Windows 9x clients when a
2365 printer was shared. Windows 9x printer servers always have
2366 a printer$ service which provides read-only access via no
2367 password in order to support printer driver downloads.</P
2369 >However, the initial implementation allowed for a
2370 parameter named <TT
2371 CLASS="PARAMETER"
2373 >printer driver location</I
2374 ></TT
2376 to be used on a per share basis to specify the location of
2377 the driver files associated with that printer. Another
2378 parameter named <TT
2379 CLASS="PARAMETER"
2381 >printer driver</I
2382 ></TT
2383 > provided
2384 a means of defining the printer driver name to be sent to
2385 the client.</P
2387 >These parameters, including the <TT
2388 CLASS="PARAMETER"
2390 >printer driver
2391 file</I
2392 ></TT
2393 > parameter, are being deprecated and should not
2394 be used in new installations. For more information on this change,
2395 you should refer to the <A
2396 HREF="#MIGRATION"
2397 >Migration section </A
2398 >of this document.</P
2399 ><DIV
2400 CLASS="SECT2"
2401 ><HR><H2
2402 CLASS="SECT2"
2404 NAME="AEN472"
2405 >4.2.1. Creating [print$]</A
2406 ></H2
2408 >In order to support the uploading of printer driver
2409 files, you must first configure a file share named [print$].
2410 The name of this share is hard coded in Samba's internals so
2411 the name is very important (print$ is the service used by
2412 Windows NT print servers to provide support for printer driver
2413 download).</P
2415 >You should modify the server's smb.conf file to create the
2416 following file share (of course, some of the parameter values,
2417 such as 'path' are arbitrary and should be replaced with
2418 appropriate values for your site):</P
2420 ><TABLE
2421 BORDER="0"
2422 BGCOLOR="#E0E0E0"
2423 WIDTH="100%"
2424 ><TR
2425 ><TD
2426 ><PRE
2427 CLASS="PROGRAMLISTING"
2428 >[print$]
2429 path = /usr/local/samba/printers
2430 guest ok = yes
2431 browseable = yes
2432 read only = yes
2433 write list = ntadmin</PRE
2434 ></TD
2435 ></TR
2436 ></TABLE
2437 ></P
2439 >The <A
2440 HREF="smb.conf.5.html#WRITELIST"
2441 TARGET="_top"
2442 ><TT
2443 CLASS="PARAMETER"
2445 >write list</I
2446 ></TT
2447 ></A
2448 > is used to allow administrative
2449 level user accounts to have write access in order to update files
2450 on the share. See the <A
2451 HREF="smb.conf.5.html"
2452 TARGET="_top"
2453 >smb.conf(5) man page</A
2454 > for more information on
2455 configuring file shares.</P
2457 >The requirement for <A
2458 HREF="smb.conf.5.html#GUESTOK"
2459 TARGET="_top"
2461 CLASS="COMMAND"
2462 >guest ok = yes</B
2463 ></A
2464 > depends upon how your
2465 site is configured. If users will be guaranteed to have
2466 an account on the Samba host, then this is a non-issue.</P
2467 ><DIV
2468 CLASS="NOTE"
2469 ><BLOCKQUOTE
2470 CLASS="NOTE"
2473 >Author's Note: </B
2474 >The non-issue is that if all your Windows NT users are guaranteed to be
2475 authenticated by the Samba server (such as a domain member server and the NT
2476 user has already been validated by the Domain Controller in
2477 order to logon to the Windows NT console), then guest access
2478 is not necessary. Of course, in a workgroup environment where
2479 you just want to be able to print without worrying about
2480 silly accounts and security, then configure the share for
2481 guest access. You'll probably want to add <A
2482 HREF="smb.conf.5.html#MAPTOGUEST"
2483 TARGET="_top"
2485 CLASS="COMMAND"
2486 >map to guest = Bad User</B
2487 ></A
2488 > in the [global] section as well. Make sure
2489 you understand what this parameter does before using it
2490 though. --jerry</P
2491 ></BLOCKQUOTE
2492 ></DIV
2494 >In order for a Windows NT print server to support
2495 the downloading of driver files by multiple client architectures,
2496 it must create subdirectories within the [print$] service
2497 which correspond to each of the supported client architectures.
2498 Samba follows this model as well.</P
2500 >Next create the directory tree below the [print$] share
2501 for each architecture you wish to support.</P
2503 ><TABLE
2504 BORDER="0"
2505 BGCOLOR="#E0E0E0"
2506 WIDTH="100%"
2507 ><TR
2508 ><TD
2509 ><PRE
2510 CLASS="PROGRAMLISTING"
2511 >[print$]-----
2512 |-W32X86 ; "Windows NT x86"
2513 |-WIN40 ; "Windows 95/98"
2514 |-W32ALPHA ; "Windows NT Alpha_AXP"
2515 |-W32MIPS ; "Windows NT R4000"
2516 |-W32PPC ; "Windows NT PowerPC"</PRE
2517 ></TD
2518 ></TR
2519 ></TABLE
2520 ></P
2521 ><DIV
2522 CLASS="WARNING"
2524 ></P
2525 ><TABLE
2526 CLASS="WARNING"
2527 BORDER="1"
2528 WIDTH="100%"
2529 ><TR
2530 ><TD
2531 ALIGN="CENTER"
2533 >ATTENTION! REQUIRED PERMISSIONS</B
2534 ></TD
2535 ></TR
2536 ><TR
2537 ><TD
2538 ALIGN="LEFT"
2540 >Currently, in order to add a new driver to your Samba host,
2541 one of two conditions must hold true:</P
2543 ></P
2544 ><UL
2545 ><LI
2547 >The account used to connect to the Samba host
2548 must have a uid of 0 (i.e. a root account)</P
2549 ></LI
2550 ><LI
2552 >The account used to connect to the Samba host
2553 must be a member of the <A
2554 HREF="smb.conf.5.html#PRINTERADMIN"
2555 TARGET="_top"
2556 ><TT
2557 CLASS="PARAMETER"
2559 >printer
2560 admin</I
2561 ></TT
2562 ></A
2563 > list.</P
2564 ></LI
2565 ></UL
2567 >Of course, the connected account must still possess access
2568 to add files to the subdirectories beneath [print$].</P
2569 ></TD
2570 ></TR
2571 ></TABLE
2572 ></DIV
2574 >Once you have created the required [print$] service and
2575 associated subdirectories, simply log onto the Samba server using
2576 a root (or <TT
2577 CLASS="PARAMETER"
2579 >printer admin</I
2580 ></TT
2581 >) account
2582 from a Windows NT 4.0 client. Navigate to the "Printers" folder
2583 on the Samba server. You should see an initial listing of printers
2584 that matches the printer shares defined on your Samba host.</P
2585 ></DIV
2586 ><DIV
2587 CLASS="SECT2"
2588 ><HR><H2
2589 CLASS="SECT2"
2591 NAME="AEN507"
2592 >4.2.2. Setting Drivers for Existing Printers</A
2593 ></H2
2595 >The initial listing of printers in the Samba host's
2596 Printers folder will have no printer driver assigned to them.
2597 The way to assign a driver to a printer is to view the Properties
2598 of the printer and either</P
2600 ></P
2601 ><UL
2602 ><LI
2604 >Use the "New Driver..." button to install
2605 a new printer driver, or</P
2606 ></LI
2607 ><LI
2609 >Select a driver from the popup list of
2610 installed drivers. Initially this list will be empty.</P
2611 ></LI
2612 ></UL
2614 >If you wish to install printer drivers for client
2615 operating systems other than "Windows NT x86", you will need
2616 to use the "Sharing" tab of the printer properties dialog.</P
2618 >Assuming you have connected with a root account, you
2619 will also be able to modify other printer properties such as
2620 ACLs and device settings using this dialog box.</P
2622 >A few closing comments for this section: it is possible
2623 on a Windows NT print server to have printers
2624 listed in the Printers folder which are not shared. Samba does
2625 not make this distinction. By definition, the only printers of
2626 which Samba is aware are those which are specified as shares in
2628 CLASS="FILENAME"
2629 >smb.conf</TT
2630 >.</P
2632 >Another interesting side note is that Windows NT clients do
2633 not use the SMB printer share, but rather can print directly
2634 to any printer on another Windows NT host using MS-RPC. This
2635 of course assumes that the printing client has the necessary
2636 privileges on the remote host serving the printer. The default
2637 permissions assigned by Windows NT to a printer gives the "Print"
2638 permissions to the "Everyone" well-known group.</P
2639 ></DIV
2640 ><DIV
2641 CLASS="SECT2"
2642 ><HR><H2
2643 CLASS="SECT2"
2645 NAME="AEN520"
2646 >4.2.3. Support a large number of printers</A
2647 ></H2
2649 >One issue that has arisen during the development
2650 phase of Samba 2.2 is the need to support driver downloads for
2651 hundreds of printers. Using the Windows NT APW is somewhat
2652 awkward, to say the least. If more than one printer is using the
2653 same driver, the <A
2654 HREF="rpcclient.1.html"
2655 TARGET="_top"
2657 CLASS="COMMAND"
2658 >rpcclient's
2659 setdriver command</B
2660 ></A
2661 > can be used to set the driver
2662 associated with an installed printer. The following is an example
2663 of how this could be accomplished:</P
2665 ><TABLE
2666 BORDER="0"
2667 BGCOLOR="#E0E0E0"
2668 WIDTH="100%"
2669 ><TR
2670 ><TD
2671 ><PRE
2672 CLASS="PROGRAMLISTING"
2675 CLASS="PROMPT"
2676 >$ </TT
2677 >rpcclient pogo -U root%secret -c "enumdrivers"
2678 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
2680 [Windows NT x86]
2681 Printer Driver Info 1:
2682 Driver Name: [HP LaserJet 4000 Series PS]
2684 Printer Driver Info 1:
2685 Driver Name: [HP LaserJet 2100 Series PS]
2687 Printer Driver Info 1:
2688 Driver Name: [HP LaserJet 4Si/4SiMX PS]
2691 CLASS="PROMPT"
2692 >$ </TT
2693 >rpcclient pogo -U root%secret -c "enumprinters"
2694 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
2695 flags:[0x800000]
2696 name:[\\POGO\hp-print]
2697 description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
2698 comment:[]
2701 CLASS="PROMPT"
2702 >$ </TT
2703 >rpcclient pogo -U root%bleaK.er \
2705 CLASS="PROMPT"
2706 >&#62; </TT
2707 > -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
2708 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
2709 Successfully set hp-print to driver HP LaserJet 4000 Series PS.</PRE
2710 ></TD
2711 ></TR
2712 ></TABLE
2713 ></P
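To assign one already uploaded driver to many printer shares without walking through the APW for each of them, the following added example (not part of the Samba documentation) wraps rpcclient's enumdrivers and setdriver commands in a small POSIX shell script. The server name, user name and the printer-to-driver mapping are placeholders, and the enumdrivers output embedded in it is a constructed sample in the format shown above.

```shell
#!/bin/sh
# Added example, not Samba project code. Bulk-assign drivers that were already
# uploaded to a Samba 2.2 server to printer shares with rpcclient's setdriver,
# refusing to touch any printer whose driver is not listed by enumdrivers.
# Server, user and mapping values are placeholders.

# Constructed sample of "rpcclient ... -c enumdrivers" output (same layout as
# the session shown in this section), so the parser can be exercised offline.
SAMPLE_ENUMDRIVERS='Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]

[Windows NT x86]
Printer Driver Info 1:
    Driver Name: [HP LaserJet 4000 Series PS]

Printer Driver Info 1:
    Driver Name: [HP LaserJet 2100 Series PS]
'

# Extract installed driver names from enumdrivers output on stdin, one per
# line, without the surrounding brackets.
parse_driver_names() {
    sed -n 's/^[[:space:]]*Driver Name: \[\(.*\)]$/\1/p'
}

# Return 0 if driver name $2 appears in the enumdrivers output $1.
driver_installed() {
    printf '%s\n' "$1" | parse_driver_names | grep -Fxq -- "$2"
}

# Read "printer|driver" lines from stdin and print a plan line for each:
# "OK|printer|driver" when the driver is installed on the server (according
# to the enumdrivers output in $1), "SKIP|printer|driver" otherwise.
plan_assignments() {
    while IFS='|' read -r printer driver; do
        [ -n "$printer" ] || continue
        if driver_installed "$1" "$driver"; then
            printf 'OK|%s|%s\n' "$printer" "$driver"
        else
            printf 'SKIP|%s|%s\n' "$printer" "$driver"
        fi
    done
}

# Execute a plan read from stdin: one setdriver call per OK line against
# server $1 as user $2. Only the user name is passed; rpcclient asks for the
# password itself, so it does not end up in the process list or shell
# history as it would with the "-U user%password" form used interactively.
apply_assignments() {
    while IFS='|' read -r status printer driver; do
        if [ "$status" = OK ]; then
            rpcclient "$1" -U "$2" -c "setdriver $printer \"$driver\""
        else
            echo "skipping $printer: driver '$driver' is not installed on $1" >&2
        fi
    done
}

# Typical use (not run here):
#   drivers=$(rpcclient pogo -U root -c enumdrivers)
#   plan_assignments "$drivers" < printers.map | apply_assignments pogo root
```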
2714 ></DIV
2715 ><DIV
2716 CLASS="SECT2"
2717 ><HR><H2
2718 CLASS="SECT2"
2720 NAME="AEN531"
2721 >4.2.4. Adding New Printers via the Windows NT APW</A
2722 ></H2
2724 >By default, Samba offers all printer shares defined in <TT
2725 CLASS="FILENAME"
2726 >smb.conf</TT
2728 in the "Printers..." folder. Also existing in this folder is the Windows NT
2729 Add Printer Wizard icon. The APW will be shown only if</P
2731 ></P
2732 ><UL
2733 ><LI
2735 >The connected user is able to successfully
2736 execute an OpenPrinterEx(\\server) with administrative
2737 privileges (i.e. root or <TT
2738 CLASS="PARAMETER"
2740 >printer admin</I
2741 ></TT
2744 ></LI
2745 ><LI
2748 HREF="smb.conf.5.html#SHOWADDPRINTERWIZARD"
2749 TARGET="_top"
2750 ><TT
2751 CLASS="PARAMETER"
2753 >show
2754 add printer wizard = yes</I
2755 ></TT
2756 ></A
2757 > (the default).
2759 ></LI
2760 ></UL
2762 >In order to be able to use the APW to successfully add a printer to a Samba
2763 server, the <A
2764 HREF="smb.conf.5.html#ADDPRINTERCOMMAND"
2765 TARGET="_top"
2766 ><TT
2767 CLASS="PARAMETER"
2769 >addprinter
2770 command</I
2771 ></TT
2772 ></A
2773 > must have a defined value. The program
2774 hook must successfully add the printer to the system (i.e.
2776 CLASS="FILENAME"
2777 >/etc/printcap</TT
2778 > or appropriate files) and
2780 CLASS="FILENAME"
2781 >smb.conf</TT
2782 > if necessary.</P
2784 >When using the APW from a client, if the named printer share does
2785 not exist, <B
2786 CLASS="COMMAND"
2787 >smbd</B
2788 > will execute the <TT
2789 CLASS="PARAMETER"
2791 >add printer
2792 program</I
2793 ></TT
2794 > and reparse the <TT
2795 CLASS="FILENAME"
2796 >smb.conf</TT
2798 to attempt to locate the new printer share. If the share is still not defined,
2799 an error of "Access Denied" is returned to the client. Note that the
2801 CLASS="PARAMETER"
2803 >add printer program</I
2804 ></TT
2805 > is executed under the context
2806 of the connected user, not necessarily a root account.</P
2808 >There is a complementing <A
2809 HREF="smb.conf.5.html#DELETEPRINTERCOMMAND"
2810 TARGET="_top"
2811 ><TT
2812 CLASS="PARAMETER"
2814 >deleteprinter
2815 command</I
2816 ></TT
2817 ></A
2818 > for removing entries from the "Printers..."
2819 folder.</P
2820 ></DIV
2821 ><DIV
2822 CLASS="SECT2"
2823 ><HR><H2
2824 CLASS="SECT2"
2826 NAME="AEN556"
2827 >4.2.5. Samba and Printer Ports</A
2828 ></H2
2830 >Windows NT/2000 print servers associate a port with each printer. These normally
2831 take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the
2832 concept of ports associated with a printer. By default, only one printer port,
2833 named "Samba Printer Port", exists on a system. Samba does not really need a port in
2834 order to print; rather, it is a requirement of Windows clients. </P
2836 >Note that Samba does not support the concept of "Printer Pooling" internally
2837 either. This is when a logical printer is assigned to multiple ports as
2838 a form of load balancing or fail over.</P
2840 >If you require that multiple ports be defined for some reason,
2842 CLASS="FILENAME"
2843 >smb.conf</TT
2844 > possesses a <A
2845 HREF="smb.conf.5.html#ENUMPORTSCOMMAND"
2846 TARGET="_top"
2847 ><TT
2848 CLASS="PARAMETER"
2850 >enumports
2851 command</I
2852 ></TT
2853 ></A
2854 > which can be used to define an external program
2855 that generates a listing of ports on a system.</P
2856 ></DIV
2857 ></DIV
2858 ><DIV
2859 CLASS="SECT1"
2860 ><HR><H1
2861 CLASS="SECT1"
2863 NAME="AEN564"
2864 >4.3. The Imprints Toolset</A
2865 ></H1
2867 >The Imprints tool set provides a UNIX equivalent of the
2868 Windows NT Add Printer Wizard. For complete information, please
2869 refer to the Imprints web site at <A
2870 HREF="http://imprints.sourceforge.net/"
2871 TARGET="_top"
2872 > http://imprints.sourceforge.net/</A
2873 > as well as the documentation
2874 included with the imprints source distribution. This section will
2875 only provide a brief introduction to the features of Imprints.</P
2876 ><DIV
2877 CLASS="SECT2"
2878 ><HR><H2
2879 CLASS="SECT2"
2881 NAME="AEN568"
2882 >4.3.1. What is Imprints?</A
2883 ></H2
2885 >Imprints is a collection of tools for supporting the goals
2886 of</P
2888 ></P
2889 ><UL
2890 ><LI
2892 >Providing a central repository of information
2893 regarding Windows NT and 95/98 printer driver packages</P
2894 ></LI
2895 ><LI
2897 >Providing the tools necessary for creating
2898 the Imprints printer driver packages.</P
2899 ></LI
2900 ><LI
2902 >Providing an installation client which
2903 will obtain and install printer drivers on remote Samba
2904 and Windows NT 4 print servers.</P
2905 ></LI
2906 ></UL
2907 ></DIV
2908 ><DIV
2909 CLASS="SECT2"
2910 ><HR><H2
2911 CLASS="SECT2"
2913 NAME="AEN578"
2914 >4.3.2. Creating Printer Driver Packages</A
2915 ></H2
2917 >The process of creating printer driver packages is beyond
2918 the scope of this document (refer to Imprints.txt also included
2919 with the Samba distribution for more information). In short,
2920 an Imprints driver package is a gzipped tarball containing the
2921 driver files, related INF files, and a control file needed by the
2922 installation client.</P
2923 ></DIV
2924 ><DIV
2925 CLASS="SECT2"
2926 ><HR><H2
2927 CLASS="SECT2"
2929 NAME="AEN581"
2930 >4.3.3. The Imprints server</A
2931 ></H2
2933 >The Imprints server is really a database server that
2934 may be queried via standard HTTP mechanisms. Each printer
2935 entry in the database has an associated URL for the actual
2936 downloading of the package. Each package is digitally signed
2937 via GnuPG which can be used to verify that package downloaded
2938 is actually the one referred to in the Imprints database. It is
2940 >not</EM
2941 > recommended that this security check
2942 be disabled.</P
2943 ></DIV
2944 ><DIV
2945 CLASS="SECT2"
2946 ><HR><H2
2947 CLASS="SECT2"
2949 NAME="AEN585"
2950 >4.3.4. The Installation Client</A
2951 ></H2
2953 >More information regarding the Imprints installation client
2954 is available in the <TT
2955 CLASS="FILENAME"
2956 >Imprints-Client-HOWTO.ps</TT
2958 file included with the imprints source package.</P
2960 >The Imprints installation client comes in two forms.</P
2962 ></P
2963 ><UL
2964 ><LI
2966 >a set of command line Perl scripts</P
2967 ></LI
2968 ><LI
2970 >a GTK+ based graphical interface to
2971 the command line perl scripts</P
2972 ></LI
2973 ></UL
2975 >The installation client (in both forms) provides a means
2976 of querying the Imprints database server for a matching
2977 list of known printer model names as well as a means to
2978 download and install the drivers on remote Samba and Windows
2979 NT print servers.</P
2981 >The basic installation process is in four steps and
2982 perl code is wrapped around <B
2983 CLASS="COMMAND"
2984 >smbclient</B
2986 and <B
2987 CLASS="COMMAND"
2988 >rpcclient</B
2989 >.</P
2991 ><TABLE
2992 BORDER="0"
2993 BGCOLOR="#E0E0E0"
2994 WIDTH="100%"
2995 ><TR
2996 ><TD
2997 ><PRE
2998 CLASS="PROGRAMLISTING"
3000 foreach (supported architecture for a given driver)
3002 1. rpcclient: Get the appropriate upload directory
3003 on the remote server
3004 2. smbclient: Upload the driver files
3005 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
3008 4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually
3009 create the printer</PRE
3010 ></TD
3011 ></TR
3012 ></TABLE
3013 ></P
3015 >One of the problems encountered when implementing
3016 the Imprints tool set was the name space issues between
3017 various supported client architectures. For example, Windows
3018 NT includes a driver named "Apple LaserWriter II NTX v51.8"
3019 and Windows 95 calls its version of this driver "Apple
3020 LaserWriter II NTX".</P
3022 >The problem is how to know what client drivers have
3023 been uploaded for a printer. An astute reader will remember
3024 that the Windows NT Printer Properties dialog only includes
3025 space for one printer driver name. A quick look in the
3026 Windows NT 4.0 system registry at</P
3028 ><TT
3029 CLASS="FILENAME"
3030 >HKLM\System\CurrentControlSet\Control\Print\Environment
3031 </TT
3032 ></P
3034 >will reveal that Windows NT always uses the NT driver
3035 name. This is OK, as Windows NT always requires that at least
3036 the Windows NT version of the printer driver is present.
3037 However, Samba does not have the requirement internally.
3038 Therefore, how can you use the NT driver name if it has not
3039 already been installed?</P
3041 >The way of sidestepping this limitation is to require
3042 that all Imprints printer driver packages include both the Intel
3043 Windows NT and 95/98 printer drivers and that NT driver is
3044 installed first.</P
3045 ></DIV
3046 ></DIV
3047 ><DIV
3048 CLASS="SECT1"
3049 ><HR><H1
3050 CLASS="SECT1"
3052 NAME="AEN607"
3053 >4.4. <A
3054 NAME="MIGRATION"
3055 ></A
3056 >Migration from Samba 2.0.x to
3057 2.2.x</A
3058 ></H1
3060 >Given that printer driver management has changed
3061 (we hope improved :) ) in 2.2.0 over prior releases,
3062 migration from an existing setup to 2.2.0 can follow
3063 several paths.</P
3064 ><DIV
3065 CLASS="WARNING"
3067 ></P
3068 ><TABLE
3069 CLASS="WARNING"
3070 BORDER="1"
3071 WIDTH="100%"
3072 ><TR
3073 ><TD
3074 ALIGN="CENTER"
3076 >Achtung!</B
3077 ></TD
3078 ></TR
3079 ><TR
3080 ><TD
3081 ALIGN="LEFT"
3083 >The following smb.conf parameters are considered to be
3084 deprecated and will be removed soon. Do not use them
3085 in new installations.</P
3087 ></P
3088 ><UL
3089 ><LI
3091 ><TT
3092 CLASS="PARAMETER"
3094 >printer driver file (G)</I
3095 ></TT
3098 ></LI
3099 ><LI
3101 ><TT
3102 CLASS="PARAMETER"
3104 >printer driver (S)</I
3105 ></TT
3108 ></LI
3109 ><LI
3111 ><TT
3112 CLASS="PARAMETER"
3114 >printer driver location (S)</I
3115 ></TT
3118 ></LI
3119 ></UL
3120 ></TD
3121 ></TR
3122 ></TABLE
3123 ></DIV
3125 >Here are the possible scenarios for supporting migration:</P
3127 ></P
3128 ><UL
3129 ><LI
3131 >If you do not desire the new Windows NT
3132 print driver support, nothing needs to be done.
3133 All existing parameters work the same.</P
3134 ></LI
3135 ><LI
3137 >If you want to take advantage of NT printer
3138 driver support but do not want to migrate the
3139 9x drivers to the new setup, then leave the existing
3140 printers.def file. When smbd attempts to locate a
3141 9x driver for the printer in the TDB and fails it
3142 will drop down to using the printers.def (and all
3143 associated parameters). The <B
3144 CLASS="COMMAND"
3145 >make_printerdef</B
3147 tool will also remain for backwards compatibility but will
3148 be moved to the "this tool is the old way of doing it"
3149 pile.</P
3150 ></LI
3151 ><LI
3153 >If you install a Windows 9x driver for a printer
3154 on your Samba host (in the printing TDB), this information will
3155 take precedence and the three old printing parameters
3156 will be ignored (including print driver location).</P
3157 ></LI
3158 ><LI
3160 >If you want to migrate an existing <TT
3161 CLASS="FILENAME"
3162 >printers.def</TT
3164 file into the new setup, the only current
3165 solution is to use the Windows NT APW to install the NT drivers
3166 and the 9x drivers. This can be scripted using <B
3167 CLASS="COMMAND"
3168 >smbclient</B
3170 and <B
3171 CLASS="COMMAND"
3172 >rpcclient</B
3173 >. See the
3174 Imprints installation client at <A
3175 HREF="http://imprints.sourceforge.net/"
3176 TARGET="_top"
3177 >http://imprints.sourceforge.net/</A
3179 for an example.
3181 ></LI
3182 ></UL
3183 ></DIV
3184 ></DIV
3185 ><DIV
3186 CLASS="CHAPTER"
3187 ><HR><H1
3189 NAME="AEN639"
3190 >Chapter 5. security = domain in Samba 2.x</A
3191 ></H1
3192 ><DIV
3193 CLASS="SECT1"
3194 ><H1
3195 CLASS="SECT1"
3197 NAME="AEN657"
3198 >5.1. Joining an NT Domain with Samba 2.2</A
3199 ></H1
3201 >In order for a Samba-2 server to join an NT domain,
3202 you must first add the NetBIOS name of the Samba server to the
3203 NT domain on the PDC using Server Manager for Domains. This creates
3204 the machine account in the domain (PDC) SAM. Note that you should
3205 add the Samba server as a "Windows NT Workstation or Server",
3207 >NOT</EM
3208 > as a Primary or backup domain controller.</P
3210 >Assume you have a Samba-2 server with a NetBIOS name of
3212 CLASS="CONSTANT"
3213 >SERV1</TT
3214 > and are joining an NT domain called
3216 CLASS="CONSTANT"
3217 >DOM</TT
3218 >, which has a PDC with a NetBIOS name
3219 of <TT
3220 CLASS="CONSTANT"
3221 >DOMPDC</TT
3222 > and two backup domain controllers
3223 with NetBIOS names <TT
3224 CLASS="CONSTANT"
3225 >DOMBDC1</TT
3226 > and <TT
3227 CLASS="CONSTANT"
3228 >DOMBDC2
3229 </TT
3230 >.</P
3232 >In order to join the domain, first stop all Samba daemons
3233 and run the command:</P
3235 ><TT
3236 CLASS="PROMPT"
3237 >root# </TT
3238 ><TT
3239 CLASS="USERINPUT"
3241 >smbpasswd -j DOM -r DOMPDC
3243 ></TT
3244 ></P
3246 >as we are joining the domain DOM and the PDC for that domain
3247 (the only machine that has write access to the domain SAM database)
3248 is DOMPDC. If this is successful you will see the message:</P
3250 ><TT
3251 CLASS="COMPUTEROUTPUT"
3252 >smbpasswd: Joined domain DOM.</TT
3256 >in your terminal window. See the <A
3257 HREF="smbpasswd.8.html"
3258 TARGET="_top"
3259 > smbpasswd(8)</A
3260 > man page for more details.</P
3262 >There is existing development code to join a domain
3263 without having to create the machine trust account on the PDC
3264 beforehand. This code will hopefully be available soon
3265 in release branches as well.</P
3267 >This command goes through the machine account password
3268 change protocol, then writes the new (random) machine account
3269 password for this Samba server into a file in the same directory
3270 in which an smbpasswd file would be stored - normally :</P
3272 ><TT
3273 CLASS="FILENAME"
3274 >/usr/local/samba/private</TT
3275 ></P
3277 >In Samba 2.0.x, the filename looks like this:</P
3279 ><TT
3280 CLASS="FILENAME"
3281 ><TT
3282 CLASS="REPLACEABLE"
3284 >&#60;NT DOMAIN NAME&#62;</I
3285 ></TT
3286 >.<TT
3287 CLASS="REPLACEABLE"
3289 >&#60;Samba
3290 Server Name&#62;</I
3291 ></TT
3292 >.mac</TT
3293 ></P
3295 >The <TT
3296 CLASS="FILENAME"
3297 >.mac</TT
3298 > suffix stands for machine account
3299 password file. So in our example above, the file would be called:</P
3301 ><TT
3302 CLASS="FILENAME"
3303 >DOM.SERV1.mac</TT
3304 ></P
3306 >In Samba 2.2, this file has been replaced with a TDB
3307 (Trivial Database) file named <TT
3308 CLASS="FILENAME"
3309 >secrets.tdb</TT
3313 >This file is created and owned by root and is not
3314 readable by any other user. It is the key to the domain-level
3315 security for your system, and should be treated as carefully
3316 as a shadow password file.</P
3318 >Now, before restarting the Samba daemons you must
3319 edit your <A
3320 HREF="smb.conf.5.html"
3321 TARGET="_top"
3322 ><TT
3323 CLASS="FILENAME"
3324 >smb.conf(5)</TT
3327 > file to tell Samba it should now use domain security.</P
3329 >Change (or add) your <A
3330 HREF="smb.conf.5.html#SECURITY"
3331 TARGET="_top"
3332 > <TT
3333 CLASS="PARAMETER"
3335 >security =</I
3336 ></TT
3337 ></A
3338 > line in the [global] section
3339 of your smb.conf to read:</P
3342 CLASS="COMMAND"
3343 >security = domain</B
3344 ></P
3346 >Next change the <A
3347 HREF="smb.conf.5.html#WORKGROUP"
3348 TARGET="_top"
3349 ><TT
3350 CLASS="PARAMETER"
3352 > workgroup =</I
3353 ></TT
3354 ></A
3355 > line in the [global] section to read: </P
3358 CLASS="COMMAND"
3359 >workgroup = DOM</B
3360 ></P
3362 >as this is the name of the domain we are joining. </P
3364 >You must also have the parameter <A
3365 HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
3366 TARGET="_top"
3367 > <TT
3368 CLASS="PARAMETER"
3370 >encrypt passwords</I
3371 ></TT
3372 ></A
3373 > set to <TT
3374 CLASS="CONSTANT"
3375 >yes
3376 </TT
3377 > in order for your users to authenticate to the NT PDC.</P
3379 >Finally, add (or modify) a <A
3380 HREF="smb.conf.5.html#PASSWORDSERVER"
3381 TARGET="_top"
3382 > <TT
3383 CLASS="PARAMETER"
3385 >password server =</I
3386 ></TT
3387 ></A
3388 > line in the [global]
3389 section to read: </P
3392 CLASS="COMMAND"
3393 >password server = DOMPDC DOMBDC1 DOMBDC2</B
3394 ></P
3396 >These are the primary and backup domain controllers Samba
3397 will attempt to contact in order to authenticate users. Samba will
3398 try to contact each of these servers in order, so you may want to
3399 rearrange this list in order to spread out the authentication load
3400 among domain controllers.</P
3402 >Alternatively, if you want smbd to automatically determine
3403 the list of Domain controllers to use for authentication, you may
3404 set this line to be :</P
3407 CLASS="COMMAND"
3408 >password server = *</B
3409 ></P
3411 >This method, which was introduced in Samba 2.0.6,
3412 allows Samba to use exactly the same mechanism that NT does. This
3413 method either broadcasts or uses a WINS database in order to
3414 find domain controllers to authenticate against.</P
3416 >Finally, restart your Samba daemons and get ready for
3417 clients to begin using domain security!</P
3418 ></DIV
3419 ><DIV
3420 CLASS="SECT1"
3421 ><HR><H1
3422 CLASS="SECT1"
3424 NAME="AEN721"
3425 >5.2. Samba and Windows 2000 Domains</A
3426 ></H1
3428 >Many people have asked about the state of Samba's ability to participate in
3429 a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows
3430 2000 domain operating in mixed or native mode.</P
3432 >There is much confusion between the circumstances that require a "mixed" mode
3433 Win2k DC and when this host can be switched to "native" mode. A "mixed" mode
3434 Win2k domain controller is only needed if Windows NT BDCs must exist in the same
3435 domain. By default, a Win2k DC in "native" mode will still support
3436 NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and
3437 NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.</P
3439 >The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
3440 for adding a Samba server to a Windows NT 4.0 domain. The only exception is that
3441 the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and
3442 Computers" MMC (Microsoft Management Console) plugin.</P
3443 ></DIV
3444 ><DIV
3445 CLASS="SECT1"
3446 ><HR><H1
3447 CLASS="SECT1"
3449 NAME="AEN726"
3450 >5.3. Why is this better than security = server?</A
3451 ></H1
3453 >Currently, domain security in Samba doesn't free you from
3454 having to create local Unix users to represent the users attaching
3455 to your server. This means that if domain user <TT
3456 CLASS="CONSTANT"
3457 >DOM\fred
3458 </TT
3459 > attaches to your domain security Samba server, there needs
3460 to be a local Unix user fred to represent that user in the Unix
3461 filesystem. This is very similar to the older Samba security mode
3463 HREF="smb.conf.5.html#SECURITYEQUALSSERVER"
3464 TARGET="_top"
3465 >security = server</A
3467 where Samba would pass through the authentication request to a Windows
3468 NT server in the same way as a Windows 95 or Windows 98 server would.
3471 >Please refer to the <A
3472 HREF="winbind.html"
3473 TARGET="_top"
3474 >Winbind
3475 paper</A
3476 > for information on a system to automatically
3477 assign UNIX uids and gids to Windows NT Domain users and groups.
3478 This code is available in development branches only at the moment,
3479 but will be moved to release branches soon.</P
3481 >The advantage to domain-level security is that the
3482 authentication in domain-level security is passed down the authenticated
3483 RPC channel in exactly the same way that an NT server would do it. This
3484 means Samba servers now participate in domain trust relationships in
3485 exactly the same way NT servers do (i.e., you can add Samba servers into
3486 a resource domain and have the authentication passed on from a resource
3487 domain PDC to an account domain PDC).</P
3489 >In addition, with <B
3490 CLASS="COMMAND"
3491 >security = server</B
3492 > every Samba
3493 daemon on a server has to keep a connection open to the
3494 authenticating server for as long as that daemon lasts. This can drain
3495 the connection resources on a Microsoft NT server and cause it to run
3496 out of available connections. With <B
3497 CLASS="COMMAND"
3498 >security = domain</B
3500 however, the Samba daemons connect to the PDC/BDC only for as long
3501 as is necessary to authenticate the user, and then drop the connection,
3502 thus conserving PDC connection resources.</P
3504 >And finally, acting in the same manner as an NT server
3505 authenticating to a PDC means that as part of the authentication
3506 reply, the Samba server gets the user identification information such
3507 as the user SID, the list of NT groups the user belongs to, etc. All
3508 this information will allow Samba to be extended in the future into
3509 a mode the developers currently call appliance mode. In this mode,
3510 no local Unix users will be necessary, and Samba will generate Unix
3511 uids and gids from the information passed back from the PDC when a
3512 user is authenticated, making a Samba server truly plug and play
3513 in an NT domain environment. Watch for this code soon.</P
3515 ><EM
3516 >NOTE:</EM
3517 > Much of the text of this document
3518 was first published in the Web magazine <A
3519 HREF="http://www.linuxworld.com"
3520 TARGET="_top"
3522 LinuxWorld</A
3523 > as the article <A
3524 HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"
3525 TARGET="_top"
3526 >Doing
3527 the NIS/NT Samba</A
3528 >.</P
3529 ></DIV
3530 ></DIV
3531 ><DIV
3532 CLASS="CHAPTER"
3533 ><HR><H1
3535 NAME="AEN742"
3536 >Chapter 6. How to Configure Samba 2.2.x as a Primary Domain Controller</A
3537 ></H1
3538 ><DIV
3539 CLASS="SECT1"
3540 ><H1
3541 CLASS="SECT1"
3543 NAME="AEN753"
3544 >6.1. Background</A
3545 ></H1
3547 ><EM
3548 >Author's Note :</EM
3549 > This document
3550 is a combination of David Bannon's Samba 2.2 PDC HOWTO
3551 and the Samba NT Domain FAQ. Both documents are superseded by this one.</P
3553 >Versions of Samba prior to release 2.2 had marginal capabilities to
3554 act as a Windows NT 4.0 Primary Domain Controller (PDC). The following
3555 functionality should work in 2.2.0:</P
3557 ></P
3558 ><UL
3559 ><LI
3561 >domain logons for Windows NT 4.0/2000 clients</P
3562 ></LI
3563 ><LI
3565 >placing a Windows 9x client in user level security</P
3566 ></LI
3567 ><LI
3569 >retrieving a list of users and groups from a Samba PDC to
3570 Windows 9x/NT/2000 clients </P
3571 ></LI
3572 ><LI
3574 >roving user profiles</P
3575 ></LI
3576 ><LI
3578 >Windows NT 4.0 style system policies</P
3579 ></LI
3580 ></UL
3582 >The following pieces of functionality are not included in the 2.2 release:</P
3584 ></P
3585 ><UL
3586 ><LI
3588 >Windows NT 4 domain trusts</P
3589 ></LI
3590 ><LI
3592 >Sam replication with Windows NT 4.0 Domain Controllers
3593 (i.e. a Samba PDC and a Windows NT BDC or vice versa) </P
3594 ></LI
3595 ><LI
3597 >Adding users via the User Manager for Domains</P
3598 ></LI
3599 ><LI
3601 >Acting as a Windows 2000 Domain Controller (i.e. Kerberos
3602 and Active Directory)</P
3603 ></LI
3604 ></UL
3606 >Please note that Windows 9x clients are not true members of a domain
3607 for reasons outlined in this article. Therefore the protocol for
3608 supporting Windows 9x style domain logons is completely different
3609 from NT4 domain logons and has been officially supported for some
3610 time.</P
3612 >Beginning with Samba 2.2.0, we are proud to announce official
3613 support for Windows NT 4.0 style domain logons from Windows NT
3614 4.0 and Windows 2000 (including SP1) clients. This article
3615 outlines the steps necessary for configuring Samba as a PDC.
3616 Note that it is necessary to have a working Samba server
3617 prior to implementing the PDC functionality. If you have not
3618 followed the steps outlined in <A
3619 HREF="UNIX_INSTALL.html"
3620 TARGET="_top"
3621 >UNIX_INSTALL.html</A
3622 >, please make sure that your server
3623 is configured correctly before proceeding. Another good
3624 resource is the <A
3625 HREF="smb.conf.5.html"
3626 TARGET="_top"
3627 >smb.conf(5) man
3628 page</A
3629 >.</P
3631 >Implementing a Samba PDC can basically be divided into 2 broad
3632 steps.</P
3634 ></P
3635 ><OL
3636 TYPE="1"
3637 ><LI
3639 >Configuring the Samba Domain Controller
3641 ></LI
3642 ><LI
3644 >Creating machine trust accounts
3645 and joining clients to the domain</P
3646 ></LI
3647 ></OL
3649 >There are other minor details such as user profiles, system
3650 policies, etc... However, these are not necessarily specific
3651 to a Samba PDC as much as they are related to Windows NT networking
3652 concepts. They will be mentioned only briefly here.</P
3653 ></DIV
3654 ><DIV
3655 CLASS="SECT1"
3656 ><HR><H1
3657 CLASS="SECT1"
3659 NAME="AEN790"
3660 >6.2. Configuring the Samba Domain Controller</A
3661 ></H1
3663 >The first step in creating a working Samba PDC is to
3664 understand the parameters necessary in smb.conf. I will not
3665 attempt to re-explain the parameters here as they are more than
3666 adequately covered in <A
3667 HREF="smb.conf.5.html"
3668 TARGET="_top"
3669 > the smb.conf
3670 man page</A
3671 >. For convenience, the parameters have been
3672 linked with the actual smb.conf description.</P
3674 >Here is an example smb.conf for acting as a PDC:</P
3676 ><TABLE
3677 BORDER="0"
3678 BGCOLOR="#E0E0E0"
3679 WIDTH="100%"
3680 ><TR
3681 ><TD
3682 ><PRE
3683 CLASS="PROGRAMLISTING"
3684 >[global]
3685 ; Basic server settings
3687 HREF="smb.conf.5.html#NETBIOSNAME"
3688 TARGET="_top"
3689 >netbios name</A
3690 > = <TT
3691 CLASS="REPLACEABLE"
3693 >POGO</I
3694 ></TT
3697 HREF="smb.conf.5.html#WORKGROUP"
3698 TARGET="_top"
3699 >workgroup</A
3700 > = <TT
3701 CLASS="REPLACEABLE"
3703 >NARNIA</I
3704 ></TT
3707 ; we should act as the domain and local master browser
3709 HREF="smb.conf.5.html#OSLEVEL"
3710 TARGET="_top"
3711 >os level</A
3712 > = 64
3714 HREF="smb.conf.5.html#PERFERREDMASTER"
3715 TARGET="_top"
3716 >preferred master</A
3717 > = yes
3719 HREF="smb.conf.5.html#DOMAINMASTER"
3720 TARGET="_top"
3721 >domain master</A
3722 > = yes
3724 HREF="smb.conf.5.html#LOCALMASTER"
3725 TARGET="_top"
3726 >local master</A
3727 > = yes
3729 ; security settings (must use security = user)
3731 HREF="smb.conf.5.html#SECURITYEQUALSUSER"
3732 TARGET="_top"
3733 >security</A
3734 > = user
3736 ; encrypted passwords are a requirement for a PDC
3738 HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
3739 TARGET="_top"
3740 >encrypt passwords</A
3741 > = yes
3743 ; support domain logons
3745 HREF="smb.conf.5.html#DOMAINLOGONS"
3746 TARGET="_top"
3747 >domain logons</A
3748 > = yes
3750 ; where to store user profiles?
3752 HREF="smb.conf.5.html#LOGONPATH"
3753 TARGET="_top"
3754 >logon path</A
3755 > = \\%N\profiles\%u
3757 ; where is a user's home directory and where should it
3758 ; be mounted at?
3760 HREF="smb.conf.5.html#LOGONDRIVE"
3761 TARGET="_top"
3762 >logon drive</A
3763 > = H:
3765 HREF="smb.conf.5.html#LOGONHOME"
3766 TARGET="_top"
3767 >logon home</A
3768 > = \\homeserver\%u
3770 ; specify a generic logon script for all users
3771 ; this is a relative path to the [netlogon] share
3773 HREF="smb.conf.5.html#LOGONSCRIPT"
3774 TARGET="_top"
3775 >logon script</A
3776 > = logon.cmd
3778 ; necessary share for domain controller
3779 [netlogon]
3781 HREF="smb.conf.5.html#PATH"
3782 TARGET="_top"
3783 >path</A
3784 > = /usr/local/samba/lib/netlogon
3786 HREF="smb.conf.5.html#WRITEABLE"
3787 TARGET="_top"
3788 >writeable</A
3789 > = no
3791 HREF="smb.conf.5.html#WRITELIST"
3792 TARGET="_top"
3793 >write list</A
3794 > = <TT
3795 CLASS="REPLACEABLE"
3797 >ntadmin</I
3798 ></TT
3801 ; share for storing user profiles
3802 [profiles]
3804 HREF="smb.conf.5.html#PATH"
3805 TARGET="_top"
3806 >path</A
3807 > = /export/smb/ntprofile
3809 HREF="smb.conf.5.html#WRITEABLE"
3810 TARGET="_top"
3811 >writeable</A
3812 > = yes
3814 HREF="smb.conf.5.html#CREATEMASK"
3815 TARGET="_top"
3816 >create mask</A
3817 > = 0600
3819 HREF="smb.conf.5.html#DIRECTORYMASK"
3820 TARGET="_top"
3821 >directory mask</A
3822 > = 0700</PRE
3823 ></TD
3824 ></TR
3825 ></TABLE
3826 ></P
3828 >There are a couple of points to emphasize in the above
3829 configuration.</P
3831 ></P
3832 ><UL
3833 ><LI
3835 >encrypted passwords must be enabled.
3836 For more details on how to do this, refer to
3838 HREF="ENCRYPTION.html"
3839 TARGET="_top"
3840 >ENCRYPTION.html</A
3843 ></LI
3844 ><LI
3846 >The server must support domain logons
3847 and a <TT
3848 CLASS="FILENAME"
3849 >[netlogon]</TT
3850 > share</P
3851 ></LI
3852 ><LI
3854 >The server must be the domain master browser
3855 in order for Windows clients to locate the server as a DC.</P
3856 ></LI
3857 ></UL
3859 >As Samba 2.2 does not offer a complete implementation of group mapping between
3860 Windows NT groups and UNIX groups (this is really quite complicated to explain
3861 in a short space), you should refer to the <A
3862 HREF="smb.conf.5.html#DOMAINADMONUSERS"
3863 TARGET="_top"
3864 >domain
3865 admin users</A
3866 > and <A
3867 HREF="smb.conf.5.html#DOMAINADMINGROUP"
3868 TARGET="_top"
3869 >domain
3870 admin group</A
3871 > smb.conf parameters for information on creating Domain Admins
3872 style accounts.</P
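As an added example that is not part of this HOWTO, the following POSIX shell script checks an smb.conf for the settings section 5.1 requires of a domain member (security = domain, workgroup, encrypt passwords, password server) and for the points emphasized in this section for a PDC (security = user, encrypt passwords, domain logons, domain master, a [netlogon] share), and checks that secrets.tdb is not group- or world-readable. The two configuration samples inside it are constructed and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not Samba project code. Check an smb.conf for the settings
# this HOWTO requires of a domain member (security = domain, section 5.1) and
# of a Samba 2.2 PDC (section 6.2), and that secrets.tdb is kept private.
# Paths are placeholders; the two sample configurations are constructed.

# Print the value of key $3 in section [$2] of the smb.conf at $1. Section and
# key names are compared with case and whitespace ignored, the last occurrence
# wins, and lines starting with ';' or '#' are comments.
conf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                        cur = norm(s); next }
        index($0, "=") && cur == norm(want_sec) {
            k = $0; sub(/=.*$/, "", k)
            if (norm(k) == norm(want_key)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
                found = 1; val = v
            }
        }
        END { if (found) print val }' "$1"
}

# Return 0 if section [$2] exists in the smb.conf at $1.
conf_has_section() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      if (norm(s) == norm(want)) { ok = 1; exit } }
        END { exit (ok ? 0 : 1) }' "$1"
}

# expect LABEL ACTUAL WANTED: print "ok"/"FAIL" and return accordingly. An
# empty WANTED means "any non-empty value"; yes/true/1 and no/false/0 are the
# boolean spellings smbd accepts, so they are folded before comparison.
expect() {
    actual=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$actual" in true|1) actual=yes ;; false|0) actual=no ;; esac
    case "$3" in
        "") test -n "$actual" ;;
        *)  test "$actual" = "$3" ;;
    esac && { echo "ok   $1 = $2"; return 0; }
    echo "FAIL $1 = '$2' (wanted ${3:-a value})"
    return 1
}

# Section 5.1: member server of an NT domain.
check_domain_member() {
    rc=0
    expect "security"          "$(conf_get "$1" global security)"            domain || rc=1
    expect "workgroup"         "$(conf_get "$1" global workgroup)"           ""     || rc=1
    expect "encrypt passwords" "$(conf_get "$1" global 'encrypt passwords')" yes    || rc=1
    expect "password server"   "$(conf_get "$1" global 'password server')"   ""     || rc=1
    return $rc
}

# Section 6.2: Samba 2.2 acting as PDC.
check_pdc() {
    rc=0
    expect "security"          "$(conf_get "$1" global security)"            user || rc=1
    expect "encrypt passwords" "$(conf_get "$1" global 'encrypt passwords')" yes  || rc=1
    expect "domain logons"     "$(conf_get "$1" global 'domain logons')"     yes  || rc=1
    expect "domain master"     "$(conf_get "$1" global 'domain master')"     yes  || rc=1
    if conf_has_section "$1" netlogon; then echo "ok   [netlogon] share present"
    else echo "FAIL [netlogon] share missing"; rc=1; fi
    return $rc
}

# secrets.tdb holds the machine account password (section 5.1 compares it to a
# shadow password file): group and other must have no permission bits at all.
# Ownership by root is expected as well but is not checked here.
secrets_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed samples for the checks above.
SAMPLE_MEMBER_CONF='[global]
   workgroup = DOM
   security = domain
   encrypt passwords = yes
   password server = DOMPDC DOMBDC1 DOMBDC2'

SAMPLE_PDC_CONF='[global]
   workgroup = NARNIA
   ; security settings (must use security = user)
   Security = User
   encrypt passwords = true
   domain logons = yes
   domain master = yes
[netlogon]
   path = /usr/local/samba/lib/netlogon'
```

Run check_domain_member or check_pdc against the live smb.conf after editing it and before restarting the daemons; a FAIL line names the parameter to fix.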
3873 ></DIV
3874 ><DIV
3875 CLASS="SECT1"
3876 ><HR><H1
3877 CLASS="SECT1"
3879 NAME="AEN833"
3880 >6.3. Creating Machine Trust Accounts and Joining Clients
3881 to the Domain</A
3882 ></H1
3884 >First you must understand what a machine trust account is and what
3885 it is used for.</P
3887 >A machine trust account is a user account owned by a computer.
3888 The account password acts as the shared secret for secure
3889 communication with the Domain Controller. Hence the reason that
3890 a Windows 9x host is never a true member of a domain because
3891 it does not possess a machine trust account and thus has no shared
3892 secret with the DC.</P
3894 >On a Windows NT PDC, these machine trust account passwords are stored
3895 in the registry. A Samba PDC stores these accounts in the same location
3896 as user LanMan and NT password hashes (currently <TT
3897 CLASS="FILENAME"
3898 >smbpasswd</TT
3900 However, machine trust accounts only possess the NT password hash.</P
3902 >There are two means of creating machine trust accounts.</P
3904 ></P
3905 ><UL
3906 ><LI
3908 >Manual creation before joining the client
3909 to the domain. In this case, the password is set to a known
3910 value -- the lower case of the machine's netbios name.</P
3911 ></LI
3912 ><LI
3914 >Creation of the account at the time of
3915 joining the domain. In this case, the session key of the
3916 administrative account used to join the client to the domain acts
3917 as an encryption key for setting the password to a random value.</P
3918 ></LI
3919 ></UL
3921 >Because Samba requires machine accounts to possess a UNIX uid from
3922 which a Windows NT SID can be generated, all of these accounts
3923 will have an entry in <TT
3924 CLASS="FILENAME"
3925 >/etc/passwd</TT
3926 > and smbpasswd.
3927 Future releases will alleviate the need to create
3929 CLASS="FILENAME"
3930 >/etc/passwd</TT
3931 > entries.</P
3933 >The <TT
3934 CLASS="FILENAME"
3935 >/etc/passwd</TT
3936 > entry will list the machine name
3937 with a $ appended, has no password, a null shell and no
3938 home directory. For example a machine called 'doppy' would have an
3940 CLASS="FILENAME"
3941 >/etc/passwd</TT
3942 > entry like this :</P
3944 ><TABLE
3945 BORDER="0"
3946 BGCOLOR="#E0E0E0"
3947 WIDTH="100%"
3948 ><TR
3949 ><TD
3950 ><PRE
3951 CLASS="PROGRAMLISTING"
3952 >doppy$:x:505:501:NTMachine:/dev/null:/bin/false</PRE
3953 ></TD
3954 ></TR
3955 ></TABLE
3956 ></P
3958 >If you are manually creating the machine accounts, it is necessary
3959 to add the <TT
3960 CLASS="FILENAME"
3961 >/etc/passwd</TT
3962 > (or NIS passwd
3963 map) entry prior to adding the <TT
3964 CLASS="FILENAME"
3965 >smbpasswd</TT
3967 entry. The following command will create a new machine account
3968 ready for use.</P
3970 ><TT
3971 CLASS="PROMPT"
3972 >root# </TT
3973 > smbpasswd -a -m <TT
3974 CLASS="REPLACEABLE"
3976 >machine_name</I
3977 ></TT
3978 ></P
3980 >where <TT
3981 CLASS="REPLACEABLE"
3983 >machine_name</I
3984 ></TT
3985 > is the machine's netbios
3986 name.</P
3988 ><EM
3989 >If you manually create a machine account, immediately join
3990 the client to the domain.</EM
3991 > An open account like this
3992 can allow intruders to gain access to user account information
3993 in your domain.</P
3995 >The second way of creating machine trust accounts is to add
3996 them on the fly at the time the client is joined to the domain.
3997 You will need to include a value for the
3999 HREF="smb.conf.5.html#ADDUSERSCRIPT"
4000 TARGET="_top"
4001 >add user script</A
4003 parameter. Below is an example I use on a RedHat 6.2 Linux system.</P
4005 ><TABLE
4006 BORDER="0"
4007 BGCOLOR="#E0E0E0"
4008 WIDTH="100%"
4009 ><TR
4010 ><TD
4011 ><PRE
4012 CLASS="PROGRAMLISTING"
4013 >add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
4014 ></TD
4015 ></TR
4016 ></TABLE
4017 ></P
4019 >In Samba 2.2.0, <EM
4020 >only the root account</EM
4021 > can be used to create
4022 machine accounts on the fly like this. Therefore, it is required
4023 to create an entry in smbpasswd for <EM
4024 >root</EM
4026 The password <EM
4027 >SHOULD</EM
4028 > be set to a different
4029 password than the associated <TT
4030 CLASS="FILENAME"
4031 >/etc/passwd</TT
4033 entry for security reasons.</P
4034 ></DIV
4035 ><DIV
4036 CLASS="SECT1"
4037 ><HR><H1
4038 CLASS="SECT1"
4040 NAME="AEN872"
4041 >6.4. Common Problems and Errors</A
4042 ></H1
4044 ></P
4046 ><EM
4047 >I cannot include a '$' in a machine name.</EM
4048 ></P
4050 >A 'machine name' in (typically) <TT
4051 CLASS="FILENAME"
4052 >/etc/passwd</TT
4054 > consists of the machine name with a '$' appended. FreeBSD (and other BSD
4055 systems?) won't create a user with a '$' in the name.</P
4057 >The problem is only in the program used to make the entry; once
4058 made, it works perfectly. So create a user without the '$' and
4059 use <B
4060 CLASS="COMMAND"
4061 >vipw</B
4062 > to edit the entry, adding the '$'. Or create
4063 the whole entry with vipw if you like; make sure you use a
4064 unique uid!</P
4066 ><EM
4067 >I get told "You already have a connection to the Domain...."
4068 when creating a machine account.</EM
4069 ></P
4071 >This happens if you try to create a machine account from the
4072 machine itself and use a user name that does not work (for whatever
4073 reason) and then try another (possibly valid) user name.
4074 Exit out of the network applet to close the initial connection
4075 and try again.</P
4077 >Further, if the machine is already a 'member of a workgroup' that
4078 is the same name as the domain you are joining (bad idea) you will
4079 get this message. Change the workgroup name to something else, it
4080 does not matter what, reboot, and try again.</P
4082 ><EM
4083 >I get told "Cannot join domain, the credentials supplied
4084 conflict with an existing set.."</EM
4085 ></P
4087 >This is the same basic problem as mentioned above, "You already
4088 have a connection..."</P
4090 ><EM
4091 >"The system can not log you on (C000019B)...."</EM
4092 ></P
4094 >I joined the domain successfully but after upgrading
4095 to a newer version of the Samba code I get the message, "The system
4096 can not log you on (C000019B), Please try again or consult your
4097 system administrator" when attempting to logon.</P
4099 >This occurs when the domain SID stored in
4101 CLASS="FILENAME"
4102 >private/WORKGROUP.SID</TT
4103 > is
4104 changed. For example, you remove the file and <B
4105 CLASS="COMMAND"
4106 >smbd</B
4107 > automatically
4108 creates a new one. Or you are swapping back and forth between
4109 versions 2.0.7, TNG and the HEAD branch code (not recommended). The
4110 only way to correct the problem is to restore the original domain
4111 SID or remove the domain client from the domain and rejoin.</P
4113 ><EM
4114 >"The machine account for this computer either does not
4115 exist or is not accessible."</EM
4116 ></P
4118 >When I try to join the domain I get the message "The machine account
4119 for this computer either does not exist or is not accessible". What's
4120 wrong?</P
4122 >This problem is caused by the PDC not having a suitable machine account.
4123 If you are using the <B
4124 CLASS="COMMAND"
4125 >add user script =</B
4126 > method to create
4127 accounts then this would indicate that it has not worked. Ensure the domain
4128 admin user system is working.</P
4130 >Alternatively if you are creating account entries manually then they
4131 have not been created correctly. Make sure that you have the entry
4132 correct for the machine account in smbpasswd file on the Samba PDC.
4133 If you added the account using an editor rather than using the smbpasswd
4134 utility, make sure that the account name is the machine netbios name
4135 with a '$' appended to it (i.e. computer_name$). There must be an entry
4136 in both /etc/passwd and the smbpasswd file. Some people have reported
4137 that inconsistent subnet masks between the Samba server and the NT
4138 client have caused this problem. Make sure that these are consistent
4139 for both client and server.</P
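The following Python script, added here as an example rather than taken from the Samba sources, cross-checks /etc/passwd against smbpasswd for the mistakes described in the machine trust account section above and in the "machine account ... does not exist or is not accessible" problem: a missing '$' suffix, an entry present in only one file, mismatched or shared uids, and a trust account that still has a real shell, home directory or UNIX password. The smbpasswd line layout it parses (Samba 2.x, with the W flag marking workstation trust accounts) and the sample entries are assumptions constructed for the example.

```python
"""Cross-check Samba 2.x machine trust accounts in /etc/passwd against smbpasswd.

Added example, not code from the Samba project. It assumes the Samba 2.x
smbpasswd line layout (name:uid:LM hash:NT hash:[flags]:LCT-xxxxxxxx:), in
which the flag letter W marks a workstation trust account.
"""
from typing import Dict, List, Tuple

NO_PASSWORD = {"x", "*", "!", "!!", ""}  # passwd field values meaning "no UNIX password"
NULL_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
NETBIOS_MAX = 15                          # NetBIOS names are at most 15 characters


def parse_passwd(text: str) -> Dict[str, Tuple[int, str, str, bool]]:
    """Map account name -> (uid, home, shell, has_unix_password)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", "+", "-")):
            continue  # comments and NIS +/- lines
        f = line.split(":")
        if len(f) == 7:
            entries[f[0]] = (int(f[2]), f[5], f[6], f[1] not in NO_PASSWORD)
    return entries


def parse_smbpasswd(text: str) -> Dict[str, Tuple[int, str]]:
    """Map account name -> (uid, flag letters found inside the [...] field)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) >= 5:
            entries[f[0]] = (int(f[1]), f[4].strip("[] ") if f[4].startswith("[") else "")
    return entries


def check_machine_accounts(passwd_text: str, smb_text: str) -> List[str]:
    """Return one finding per problem; an empty list means the trust accounts are consistent."""
    passwd, smb = parse_passwd(passwd_text), parse_smbpasswd(smb_text)
    findings: List[str] = []
    # A trust account is recognised by the W flag in smbpasswd or a '$' suffix in either file.
    names = {n for n, (_, flags) in smb.items() if "W" in flags or n.endswith("$")}
    names |= {n for n in passwd if n.endswith("$")}
    for name in sorted(names):
        if not name.endswith("$"):
            findings.append(f"{name}: trust account name must be the NetBIOS name with '$' appended")
            continue
        if len(name) - 1 > NETBIOS_MAX:
            findings.append(f"{name}: NetBIOS name longer than {NETBIOS_MAX} characters")
        if name not in passwd:
            findings.append(f"{name}: in smbpasswd but missing from /etc/passwd")
        if name not in smb:
            findings.append(f"{name}: in /etc/passwd but missing from smbpasswd (run smbpasswd -a -m)")
        if name not in passwd or name not in smb:
            continue
        uid, home, shell, has_pw = passwd[name]
        smb_uid, flags = smb[name]
        if uid != smb_uid:
            findings.append(f"{name}: uid {uid} in /etc/passwd but {smb_uid} in smbpasswd")
        if "W" not in flags:
            findings.append(f"{name}: smbpasswd entry lacks the W (workstation trust) flag")
        if has_pw:
            findings.append(f"{name}: /etc/passwd entry carries a UNIX password; it should have none")
        if shell not in NULL_SHELLS:
            findings.append(f"{name}: shell is {shell}; expected a null shell such as /bin/false")
        if home != "/dev/null":
            findings.append(f"{name}: home directory is {home}; expected /dev/null")
    # A uid shared between two accounts lets one act as the other, so check every entry.
    by_uid: Dict[int, List[str]] = {}
    for n, (uid, _, _, _) in passwd.items():
        by_uid.setdefault(uid, []).append(n)
    for uid, owners in sorted(by_uid.items()):
        if len(owners) > 1:
            findings.append(f"uid {uid} is shared by {', '.join(sorted(owners))}")
    return findings


# Constructed sample files, not taken from any real system.
SAMPLE_PASSWD = """\
jerry:x:500:500:Jerry:/home/jerry:/bin/bash
doppy$:x:505:501:NTMachine:/dev/null:/bin/false
pluto$:x:506:501:NTMachine:/home/pluto:/bin/sh
venus$:x:500:501:NTMachine:/dev/null:/bin/false
goofy:x:507:501:NTMachine:/dev/null:/bin/false
"""
# 32 X's in the LM field means "no LM hash", as the HOWTO says for machine accounts.
SAMPLE_SMBPASSWD = """\
jerry:500:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:[U          ]:LCT-3B2F1A4C:
doppy$:505:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:[W          ]:LCT-3B2F1A4C:
pluto$:507:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:[W          ]:LCT-3B2F1A4C:
goofy:507:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE:[W          ]:LCT-3B2F1A4C:
"""

if __name__ == "__main__":
    for line in check_machine_accounts(SAMPLE_PASSWD, SAMPLE_SMBPASSWD) or ["all trust accounts consistent"]:
        print(line)
```

On a real PDC, feed it the contents of /etc/passwd and the smbpasswd file; only doppy$ in the sample is set up the way the HOWTO describes.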
4140 ></DIV
4141 ><DIV
4142 CLASS="SECT1"
4143 ><HR><H1
4144 CLASS="SECT1"
4146 NAME="AEN900"
4147 >6.5. System Policies and Profiles</A
4148 ></H1
4150 >Much of the information necessary to implement System Policies and
4151 Roving User Profiles in a Samba domain is the same as that for
4152 implementing these same items in a Windows NT 4.0 domain.
4153 You should read the white paper <A
4154 HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"
4155 TARGET="_top"
4156 >Implementing
4157 Profiles and Policies in Windows NT 4.0</A
4158 > available from Microsoft.</P
4160 >Here are some additional details:</P
4162 ><EM
4163 >What about the Windows NT Policy Editor?</EM
4164 ></P
4166 >To create or edit <TT
4167 CLASS="FILENAME"
4168 >ntconfig.pol</TT
4169 > you must use
4170 the NT Server Policy Editor, <B
4171 CLASS="COMMAND"
4172 >poledit.exe</B
4173 > which
4174 is included with NT Server but <EM
4175 >not NT Workstation</EM
4177 There is a Policy Editor on a NTws
4178 but it is not suitable for creating <EM
4179 >Domain Policies</EM
4181 Further, although the Windows 95
4182 Policy Editor can be installed on an NT Workstation/Server, it will not
4183 work with NT policies because of the registry keys that are set by the policy templates.
4184 However, the files from the NT Server will run happily enough on an NTws.
4185 You need <TT
4186 CLASS="FILENAME"
4187 >poledit.exe, common.adm</TT
4188 > and <TT
4189 CLASS="FILENAME"
4190 >winnt.adm</TT
4191 >. It is convenient
4192 to put the two *.adm files in <TT
4193 CLASS="FILENAME"
4194 >c:\winnt\inf</TT
4195 > which is where
4196 the binary will look for them unless told otherwise. Note also that that
4197 directory is 'hidden'.</P
4199 >The Windows NT policy editor is also included with the
4200 Service Pack 3 (and later) for Windows NT 4.0. Extract the files using
4202 CLASS="COMMAND"
4203 >servicepackname /x</B
4204 >, i.e. that's <B
4205 CLASS="COMMAND"
4206 >Nt4sp6ai.exe
4207 /x</B
4208 > for service pack 6a. The policy editor, <B
4209 CLASS="COMMAND"
4210 >poledit.exe</B
4211 > and the
4212 associated template files (*.adm) should
4213 be extracted as well. It is also possible to download the policy template
4214 files for Office97 and get a copy of the policy editor. Another possible
4215 location is with the Zero Administration Kit available for download from Microsoft.</P
4217 ><EM
4218 >Can Win95 do Policies?</EM
4219 ></P
4221 >Install the group policy handler for Win9x to pick up group
4222 policies. Look on the Win98 CD in <TT
4223 CLASS="FILENAME"
4224 >\tools\reskit\netadmin\poledit</TT
4226 Install group policies on a Win9x client by double-clicking
4228 CLASS="FILENAME"
4229 >grouppol.inf</TT
4230 >. Log off and on again a couple of
4231 times and see if Win98 picks up group policies. Unfortunately this needs
4232 to be done on every Win9x machine that uses group policies.</P
4234 >If group policies don't work, one report suggests getting the updated
4235 (read: working) grouppol.dll for Windows 9x. The group list is grabbed
4236 from /etc/group.</P
4238 ><EM
4239 >How do I get 'User Manager' and 'Server Manager'?</EM
4240 ></P
4242 >Since I don't need to buy an NT Server CD now, how do I get
4243 the 'User Manager for Domains' and the 'Server Manager'?</P
4245 >Microsoft distributes a version of
4246 these tools called nexus for installation on Windows 95 systems. The
4247 tool set includes</P
4249 ></P
4250 ><UL
4251 ><LI
4253 >Server Manager</P
4254 ></LI
4255 ><LI
4257 >User Manager for Domains</P
4258 ></LI
4259 ><LI
4261 >Event Viewer</P
4262 ></LI
4263 ></UL
4265 >Click here to download the archived file <A
4266 HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
4267 TARGET="_top"
4268 >ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
4269 ></P
4271 >The Windows NT 4.0 version of the 'User Manager for
4272 Domains' and 'Server Manager' are available from Microsoft via ftp
4273 from <A
4274 HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
4275 TARGET="_top"
4276 >ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
4277 ></P
4278 ></DIV
4279 ><DIV
4280 CLASS="SECT1"
4281 ><HR><H1
4282 CLASS="SECT1"
4284 NAME="AEN940"
4285 >6.6. What other help can I get?</A
4286 ></H1
4288 >There are many sources of information available in the form
4289 of mailing lists, RFCs and documentation. The docs that come
4290 with the samba distribution contain very good explanations of
4291 general SMB topics such as browsing.</P
4293 ><EM
4294 >What are some diagnostics tools I can use to debug the domain logon
4295 process and where can I find them?</EM
4296 ></P
4298 > One of the best diagnostic tools for debugging problems is Samba itself.
4299 You can use the -d option for both smbd and nmbd to specify what
4300 'debug level' at which to run. See the man pages on smbd, nmbd and
4301 smb.conf for more information on debugging options. The debug
4302 level can range from 1 (the default) to 10 (100 for debugging passwords).
4305 > Another helpful method of debugging is to compile samba using the
4307 CLASS="COMMAND"
4308 >gcc -g </B
4309 > flag. This will include debug
4310 information in the binaries and allow you to attach gdb to the
4311 running smbd / nmbd process. In order to attach gdb to an smbd
4312 process for an NT workstation, first get the workstation to make the
4313 connection. Pressing ctrl-alt-delete and going down to the domain box
4314 is sufficient (at least, on the first time you join the domain) to
4315 generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
4316 maintains an open connection, and therefore there will be an smbd
4317 process running (assuming that you haven't set a really short smbd
4318 idle timeout). So, in between pressing ctrl-alt-delete and actually
4319 typing in your password, you can attach gdb and continue.
4322 > Some useful samba commands worth investigating:
4325 ></P
4326 ><UL
4327 ><LI
4329 >testparm | more</P
4330 ></LI
4331 ><LI
4333 >smbclient -L //{netbios name of server}</P
4334 ></LI
4335 ></UL
4337 > An SMB enabled version of tcpdump is available from
4339 HREF="http://www.tcpdump.org/"
4340 TARGET="_top"
4341 >http://www.tcpdump.org/</A
4343 Ethereal, another good packet sniffer for UNIX and Win32
4344 hosts, can be downloaded from <A
4345 HREF="http://www.ethereal.com/"
4346 TARGET="_top"
4347 >http://www.ethereal.com</A
4351 > For tracing things on the Microsoft Windows NT, Network Monitor
4352 (aka. netmon) is available on the Microsoft Developer Network CD's,
4353 the Windows NT Server install CD and the SMS CD's. The version of
4354 netmon that ships with SMS allows for dumping packets between any two
4355 computers (i.e. placing the network interface in promiscuous mode).
4356 The version on the NT Server install CD will only allow monitoring
4357 of network traffic directed to the local NT box and broadcasts on the
4358 local subnet. Be aware that Ethereal can read and write netmon
4359 formatted files.
4362 ><EM
4363 >How do I install 'Network Monitor' on an NT Workstation
4364 or a Windows 9x box?</EM
4365 ></P
4367 > Installing netmon on an NT workstation requires a couple
4368 of steps. The following are for installing Netmon V4.00.349, which comes
4369 with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
4370 Workstation 4.0. The process should be similar for other versions of
4371 Windows NT / Netmon. You will need both the Microsoft Windows
4372 NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
4375 > Initially you will need to install 'Network Monitor Tools and Agent'
4376 on the NT Server. To do this
4379 ></P
4380 ><UL
4381 ><LI
4383 >Go to Start - Settings - Control Panel -
4384 Network - Services - Add </P
4385 ></LI
4386 ><LI
4388 >Select the 'Network Monitor Tools and Agent' and
4389 click on 'OK'.</P
4390 ></LI
4391 ><LI
4393 >Click 'OK' on the Network Control Panel.
4395 ></LI
4396 ><LI
4398 >Insert the Windows NT Server 4.0 install CD
4399 when prompted.</P
4400 ></LI
4401 ></UL
4403 > At this point the Netmon files should exist in
4405 CLASS="FILENAME"
4406 >%SYSTEMROOT%\System32\netmon\*.*</TT
4408 Two subdirectories exist as well, <TT
4409 CLASS="FILENAME"
4410 >parsers\</TT
4412 which contains the necessary DLL's for parsing the netmon packet
4413 dump, and <TT
4414 CLASS="FILENAME"
4415 >captures\</TT
4419 > In order to install the Netmon tools on an NT Workstation, you will
4420 first need to install the 'Network Monitor Agent' from the Workstation
4421 install CD.
4424 ></P
4425 ><UL
4426 ><LI
4428 >Go to Start - Settings - Control Panel -
4429 Network - Services - Add</P
4430 ></LI
4431 ><LI
4433 >Select the 'Network Monitor Agent' and click
4434 on 'OK'.</P
4435 ></LI
4436 ><LI
4438 >Click 'OK' on the Network Control Panel.
4440 ></LI
4441 ><LI
4443 >Insert the Windows NT Workstation 4.0 install
4444 CD when prompted.</P
4445 ></LI
4446 ></UL
4448 > Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
4449 to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
4450 permissions as you deem appropriate for your site. You will need
4451 administrative rights on the NT box to run netmon.
4454 > To install Netmon on a Windows 9x box install the network monitor agent
4455 from the Windows 9x CD (\admin\nettools\netmon). There is a readme
4456 file located with the netmon driver files on the CD if you need
4457 information on how to do this. Copy the files from a working
4458 Netmon installation.
4460 ><DIV
4461 CLASS="SECT2"
4462 ><HR><H2
4463 CLASS="SECT2"
4465 NAME="AEN987"
4466 >6.6.1. URLs and similar</A
4467 ></H2
4469 ></P
4470 ><UL
4471 ><LI
4473 >Home of Samba site <A
4474 HREF="http://samba.org"
4475 TARGET="_top"
4476 > http://samba.org</A
4477 >. We have a mirror near you!</P
4478 ></LI
4479 ><LI
4481 > The <EM
4482 >Development</EM
4483 > document
4484 on the Samba mirrors might mention your problem. If so,
4485 it might mean that the developers are working on it.</P
4486 ></LI
4487 ><LI
4489 >See how Scott Merrill simulates a BDC behavior at
4491 HREF="http://www.skippy.net/linux/smb-howto.html"
4492 TARGET="_top"
4493 > http://www.skippy.net/linux/smb-howto.html</A
4494 >. </P
4495 ></LI
4496 ><LI
4498 >Although 2.0.7 has almost had its day as a PDC, David Bannon will
4499 keep the 2.0.7 PDC pages at <A
4500 HREF="http://bioserve.latrobe.edu.au/samba"
4501 TARGET="_top"
4502 > http://bioserve.latrobe.edu.au/samba</A
4503 > going for a while yet.</P
4504 ></LI
4505 ><LI
4507 >Misc links to CIFS information
4509 HREF="http://samba.org/cifs/"
4510 TARGET="_top"
4511 >http://samba.org/cifs/</A
4512 ></P
4513 ></LI
4514 ><LI
4516 >NT Domains for Unix <A
4517 HREF="http://mailhost.cb1.com/~lkcl/ntdom/"
4518 TARGET="_top"
4519 > http://mailhost.cb1.com/~lkcl/ntdom/</A
4520 ></P
4521 ></LI
4522 ><LI
4524 >FTP site for older SMB specs:
4526 HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/"
4527 TARGET="_top"
4528 > ftp://ftp.microsoft.com/developr/drg/CIFS/</A
4529 ></P
4530 ></LI
4531 ></UL
4532 ></DIV
4533 ><DIV
4534 CLASS="SECT2"
4535 ><HR><H2
4536 CLASS="SECT2"
4538 NAME="AEN1011"
4539 >6.6.2. Mailing Lists</A
4540 ></H2
4542 ><EM
4543 >How do I get help from the mailing lists?</EM
4544 ></P
4546 >There are a number of Samba related mailing lists. Go to <A
4547 HREF="http://samba.org"
4548 TARGET="_top"
4549 >http://samba.org</A
4550 >, click on your nearest mirror
4551 and then click on <B
4552 CLASS="COMMAND"
4553 >Support</B
4554 > and then click on <B
4555 CLASS="COMMAND"
4556 >Samba related mailing lists</B
4557 >.</P
4559 >For questions relating to Samba TNG go to
4561 HREF="http://www.samba-tng.org/"
4562 TARGET="_top"
4563 >http://www.samba-tng.org/</A
4565 It has been requested that you don't post questions about Samba-TNG to the
4566 mainstream Samba lists.</P
4568 >If you post a message to one of the lists please observe the following guidelines:</P
4570 ></P
4571 ><UL
4572 ><LI
4574 > Always remember that the developers are volunteers; they are
4575 not paid and they never guarantee to produce a particular feature at
4576 a particular time. Any timelines are 'best guess' and nothing more.
4578 ></LI
4579 ><LI
4581 > Always mention what version of samba you are using and what
4582 operating system it's running under. You should probably list the
4583 relevant sections of your smb.conf file, at least the options
4584 in [global] that affect PDC support.</P
4585 ></LI
4586 ><LI
4588 >In addition to the version, if you obtained Samba via
4589 CVS mention the date when you last checked it out.</P
4590 ></LI
4591 ><LI
4593 > Try to make your question clear and brief; lots of long,
4594 convoluted questions get deleted before they are completely read!
4595 Don't post HTML encoded messages (if you can select colour or font
4596 size, it's HTML).</P
4597 ></LI
4598 ><LI
4600 > If you run one of those nifty 'I'm on holidays' things when
4601 you are away, make sure it's configured to not answer mailing lists.
4603 ></LI
4604 ><LI
4606 > Don't cross post. Work out which is the best list to post to
4607 and see what happens, i.e. don't post to both samba-ntdom and samba-technical.
4608 Many people active on the lists subscribe to more
4609 than one list and get annoyed to see the same message two or more times.
4610 Often someone will see a message and, thinking it would be better dealt
4611 with on another list, will forward it on for you.</P
4612 ></LI
4613 ><LI
4615 >You might include <EM
4616 >partial</EM
4618 log files written at a debug level set to as much as 20.
4619 Please don't send the entire log but enough to give the context of the
4620 error messages.</P
4621 ></LI
4622 ><LI
4624 >(Possibly) If you have a complete netmon trace (from the opening of
4625 the pipe to the error) you can send the *.CAP file as well.</P
4626 ></LI
4627 ><LI
4629 >Please think carefully before attaching a document to an email.
4630 Consider pasting the relevant parts into the body of the message. The samba
4631 mailing lists go to a huge number of people, do they all need a copy of your
4632 smb.conf in their attach directory?</P
4633 ></LI
4634 ></UL
4636 ><EM
4637 >How do I get off the mailing lists?</EM
4638 ></P
4640 >To have your name removed from a samba mailing list, go to the
4641 same place you went to get on it. Go to <A
4642 HREF="http://lists.samba.org/"
4643 TARGET="_top"
4644 >http://lists.samba.org</A
4645 >, click
4646 on your nearest mirror and then click on <B
4647 CLASS="COMMAND"
4648 >Support</B
4649 > and
4650 then click on <B
4651 CLASS="COMMAND"
4652 > Samba related mailing lists</B
4653 >. Or perhaps see
4655 HREF="http://lists.samba.org/mailman/roster/samba-ntdom"
4656 TARGET="_top"
4657 >here</A
4658 ></P
4660 > Please don't post messages to the list asking to be removed; you will just
4661 be referred to the above address (unless that process failed in some way...)
4663 ></DIV
4664 ></DIV
4665 ><DIV
4666 CLASS="SECT1"
4667 ><HR><H1
4668 CLASS="SECT1"
4670 NAME="AEN1050"
4671 >6.7. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
4672 ></H1
4674 >This appendix was originally authored by John H Terpstra of the Samba Team
4675 and is included here for posterity.</P
4677 ><EM
4678 >NOTE :</EM
4680 The term "Domain Controller" and those related to it refer to one specific
4681 method of authentication that can underlie an SMB domain. Domain Controllers
4682 prior to Windows NT Server 3.1 were sold by various companies and based on
4683 private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
4684 Microsoft-specific ways of distributing the user authentication database.
4685 See DOMAIN.txt for examples of how Samba can participate in or create
4686 SMB domains based on shared authentication database schemes other than the
4687 Windows NT SAM.</P
4689 >Windows NT Server can be installed as either a plain file and print server
4690 (WORKGROUP workstation or server) or as a server that participates in Domain
4691 Control (DOMAIN member, Primary Domain controller or Backup Domain controller).</P
4693 >The same is true for OS/2 Warp Server, Digital Pathworks and other similar
4694 products, all of which can participate in Domain Control along with Windows NT.
4695 However only those servers which have licensed Windows NT code in them can be
4696 a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)</P
4698 >To many people these terms can be confusing, so let's try to clear the air.</P
4700 >Every Windows NT system (workstation or server) has a registry database.
4701 The registry contains entries that describe the initialization information
4702 for all services (the equivalent of Unix Daemons) that run within the Windows
4703 NT environment. The registry also contains entries that tell application
4704 software where to find dynamically loadable libraries that they depend upon.
4705 In fact, the registry contains entries that describe everything that anything
4706 may need to know to interact with the rest of the system.</P
4708 >The registry files can be located on any Windows NT machine by opening a
4709 command prompt and typing:</P
4711 ><TT
4712 CLASS="PROMPT"
4713 >C:\WINNT\&#62;</TT
4714 > dir %SystemRoot%\System32\config</P
4716 >The environment variable %SystemRoot% value can be obtained by typing:</P
4718 ><TT
4719 CLASS="PROMPT"
4720 >C:\WINNT&#62;</TT
4721 >echo %SystemRoot%</P
4723 >The active parts of the registry that you may want to be familiar with are
4724 the files called: default, system, software, sam and security.</P
4726 >In a domain environment, Microsoft Windows NT domain controllers participate
4727 in replication of the SAM and SECURITY files so that all controllers within
4728 the domain have an exactly identical copy of each.</P
4730 >The Microsoft Windows NT system is structured within a security model that
4731 says that all applications and services must authenticate themselves before
4732 they can obtain permission from the security manager to do what they set out
4733 to do.</P
4735 >The Windows NT User database also resides within the registry. This part of
4736 the registry contains the user's security identifier, home directory, group
4737 memberships, desktop profile, and so on.</P
4739 >Every Windows NT system (workstation as well as server) will have its own
4740 registry. Windows NT Servers that participate in Domain Security control
4741 have a database that they share in common - thus they do NOT own an
4742 independent full registry database of their own, as do Workstations and
4743 plain Servers.</P
4745 >The User database is called the SAM (Security Access Manager) database and
4746 is used for all user authentication as well as for inter-process
4747 authentication (i.e. to ensure that the service action a user has
4748 requested is permitted within the limits of that user's privileges).</P
4750 >The Samba team have produced a utility that can dump the Windows NT SAM into
4751 smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
4752 /pub/samba/pwdump on your nearest Samba mirror for the utility. This
4753 facility is useful but cannot be easily used to implement SAM replication
4754 to Samba systems.</P
4756 >Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
4757 can participate in a Domain security system that is controlled by Windows NT
4758 servers that have been correctly configured. Every domain will have at most
4759 ONE Primary Domain Controller (PDC). It is desirable that each domain will
4760 have at least one Backup Domain Controller (BDC).</P
4762 >The PDC and BDCs then participate in replication of the SAM database so that
4763 each Domain Controlling participant will have an up to date SAM component
4764 within its registry.</P
4765 ></DIV
4766 ></DIV
4767 ><DIV
4768 CLASS="CHAPTER"
4769 ><HR><H1
4771 NAME="AEN1074"
4772 >Chapter 7. Unified Logons between Windows NT and UNIX using Winbind</A
4773 ></H1
4774 ><DIV
4775 CLASS="SECT1"
4776 ><H1
4777 CLASS="SECT1"
4779 NAME="AEN1092"
4780 >7.1. Abstract</A
4781 ></H1
4783 >Integration of UNIX and Microsoft Windows NT through
4784 a unified logon has been considered a "holy grail" in heterogeneous
4785 computing environments for a long time. We present <EM
4786 >winbind
4787 </EM
4788 >, a component of the Samba suite of programs as a
4789 solution to the unified logon problem. Winbind uses a UNIX implementation
4790 of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
4791 Service Switch to allow Windows NT domain users to appear and operate
4792 as UNIX users on a UNIX machine. This paper describes the winbind
4793 system, explaining the functionality it provides, how it is configured,
4794 and how it works internally.</P
4795 ></DIV
4796 ><DIV
4797 CLASS="SECT1"
4798 ><HR><H1
4799 CLASS="SECT1"
4801 NAME="AEN1096"
4802 >7.2. Introduction</A
4803 ></H1
4805 >It is well known that UNIX and Microsoft Windows NT have
4806 different models for representing user and group information and
4807 use different technologies for implementing them. This fact has
4808 made it difficult to integrate the two systems in a satisfactory
4809 manner.</P
4811 >One common solution in use today has been to create
4812 identically named user accounts on both the UNIX and Windows systems
4813 and use the Samba suite of programs to provide file and print services
4814 between the two. This solution is far from perfect however, as
4815 adding and deleting users on both sets of machines becomes a chore
4816 and two sets of passwords are required, both of which
4817 can lead to synchronization problems between the UNIX and Windows
4818 systems and confusion for users.</P
4820 >We divide the unified logon problem for UNIX machines into
4821 three smaller problems:</P
4823 ></P
4824 ><UL
4825 ><LI
4827 >Obtaining Windows NT user and group information
4829 ></LI
4830 ><LI
4832 >Authenticating Windows NT users
4834 ></LI
4835 ><LI
4837 >Password changing for Windows NT users
4839 ></LI
4840 ></UL
4842 >Ideally, a prospective solution to the unified logon problem
4843 would satisfy all the above components without duplication of
4844 information on the UNIX machines and without creating additional
4845 tasks for the system administrator when maintaining users and
4846 groups on either system. The winbind system provides a simple
4847 and elegant solution to all three components of the unified logon
4848 problem.</P
4849 ></DIV
4850 ><DIV
4851 CLASS="SECT1"
4852 ><HR><H1
4853 CLASS="SECT1"
4855 NAME="AEN1109"
4856 >7.3. What Winbind Provides</A
4857 ></H1
4859 >Winbind unifies UNIX and Windows NT account management by
4860 allowing a UNIX box to become a full member of a NT domain. Once
4861 this is done the UNIX box will see NT users and groups as if
4862 they were native UNIX users and groups, allowing the NT domain
4863 to be used in much the same manner that NIS+ is used within
4864 UNIX-only environments.</P
4866 >The end result is that whenever any
4867 program on the UNIX machine asks the operating system to lookup
4868 a user or group name, the query will be resolved by asking the
4869 NT domain controller for the specified domain to do the lookup.
4870 Because Winbind hooks into the operating system at a low level
4871 (via the NSS name resolution modules in the C library) this
4872 redirection to the NT domain controller is completely
4873 transparent.</P
4875 >Users on the UNIX machine can then use NT user and group
4876 names as they would use "native" UNIX names. They can chown files
4877 so that they are owned by NT domain users or even login to the
4878 UNIX machine and run a UNIX X-Window session as a domain user.</P
4880 >The only obvious indication that Winbind is being used is
4881 that user and group names take the form DOMAIN\user and
4882 DOMAIN\group. This is necessary as it allows Winbind to determine
4883 that redirection to a domain controller is wanted for a particular
4884 lookup and which trusted domain is being referenced.</P
4886 >Additionally, Winbind provides an authentication service
4887 that hooks into the Pluggable Authentication Modules (PAM) system
4888 to provide authentication via an NT domain to any PAM enabled
4889 applications. This capability solves the problem of synchronizing
4890 passwords between systems as all passwords are stored in a single
4891 location (on the domain controller).</P
4892 ><DIV
4893 CLASS="SECT2"
4894 ><HR><H2
4895 CLASS="SECT2"
4897 NAME="AEN1116"
4898 >7.3.1. Target Uses</A
4899 ></H2
4901 >Winbind is targeted at organizations that have an
4902 existing NT based domain infrastructure into which they wish
4903 to put UNIX workstations or servers. Winbind will allow these
4904 organizations to deploy UNIX workstations without having to
4905 maintain a separate account infrastructure. This greatly simplifies
4906 the administrative overhead of deploying UNIX workstations into
4907 a NT based organization.</P
4909 >Another interesting way in which we expect Winbind to
4910 be used is as a central part of UNIX based appliances. Appliances
4911 that provide file and print services to Microsoft based networks
4912 will be able to use Winbind to provide seamless integration of
4913 the appliance into the domain.</P
4914 ></DIV
4915 ></DIV
4916 ><DIV
4917 CLASS="SECT1"
4918 ><HR><H1
4919 CLASS="SECT1"
4921 NAME="AEN1120"
4922 >7.4. How Winbind Works</A
4923 ></H1
4925 >The winbind system is designed around a client/server
4926 architecture. A long running <B
4927 CLASS="COMMAND"
4928 >winbindd</B
4929 > daemon
4930 listens on a UNIX domain socket waiting for requests
4931 to arrive. These requests are generated by the NSS and PAM
4932 clients and processed sequentially.</P
4934 >The technologies used to implement winbind are described
4935 in detail below.</P
4936 ><DIV
4937 CLASS="SECT2"
4938 ><HR><H2
4939 CLASS="SECT2"
4941 NAME="AEN1125"
4942 >7.4.1. Microsoft Remote Procedure Calls</A
4943 ></H2
4945 >Over the last two years, efforts have been underway
4946 by various Samba Team members to decode various aspects of
4947 the Microsoft Remote Procedure Call (MSRPC) system. This
4948 system is used for most network related operations between
4949 Windows NT machines including remote management, user authentication
4950 and print spooling. Although initially this work was done
4951 to aid the implementation of Primary Domain Controller (PDC)
4952 functionality in Samba, it has also yielded a body of code which
4953 can be used for other purposes.</P
4955 >Winbind uses various MSRPC calls to enumerate domain users
4956 and groups and to obtain detailed information about individual
4957 users or groups. Other MSRPC calls can be used to authenticate
4958 NT domain users and to change user passwords. By directly querying
4959 a Windows PDC for user and group information, winbind maps the
4960 NT account information onto UNIX user and group names.</P
4961 ></DIV
4962 ><DIV
4963 CLASS="SECT2"
4964 ><HR><H2
4965 CLASS="SECT2"
4967 NAME="AEN1129"
4968 >7.4.2. Name Service Switch</A
4969 ></H2
4971 >The Name Service Switch, or NSS, is a feature that is
4972 present in many UNIX operating systems. It allows system
4973 information such as hostnames, mail aliases and user information
4974 to be resolved from different sources. For example, a standalone
4975 UNIX workstation may resolve system information from a series of
4976 flat files stored on the local filesystem. A networked workstation
4977 may first attempt to resolve system information from local files,
4978 then consult a NIS database for user information or a DNS server
4979 for hostname information.</P
4981 >The NSS application programming interface allows winbind
4982 to present itself as a source of system information when
4983 resolving UNIX usernames and groups. Winbind uses this interface,
4984 and information obtained from a Windows NT server using MSRPC
4985 calls to provide a new source of account enumeration. Using standard
4986 UNIX library calls, one can enumerate the users and groups on
4987 a UNIX machine running winbind and see all users and groups in
4988 a NT domain plus any trusted domain as though they were local
4989 users and groups.</P
4991 >The primary control file for NSS is <TT
4992 CLASS="FILENAME"
4993 >/etc/nsswitch.conf
4994 </TT
4995 >. When a UNIX application makes a request to do a lookup
4996 the C library looks in <TT
4997 CLASS="FILENAME"
4998 >/etc/nsswitch.conf</TT
5000 for a line which matches the service type being requested, for
5001 example the "passwd" service type is used when user or group names
5002 are looked up. This config line specifies which implementations
5003 of that service should be tried and in what order. If the passwd
5004 config line is:</P
5007 CLASS="COMMAND"
5008 >passwd: files example</B
5009 ></P
5011 >then the C library will first load a module called
5013 CLASS="FILENAME"
5014 >/lib/libnss_files.so</TT
5015 > followed by
5016 the module <TT
5017 CLASS="FILENAME"
5018 >/lib/libnss_example.so</TT
5019 >. The
5020 C library will dynamically load each of these modules in turn
5021 and call resolver functions within the modules to try to resolve
5022 the request. Once the request is resolved the C library returns the
5023 result to the application.</P
5025 >This NSS interface provides a very easy way for Winbind
5026 to hook into the operating system. All that needs to be done
5027 is to put <TT
5028 CLASS="FILENAME"
5029 >libnss_winbind.so</TT
5030 > in <TT
5031 CLASS="FILENAME"
5032 >/lib/</TT
5034 then add "winbind" into <TT
5035 CLASS="FILENAME"
5036 >/etc/nsswitch.conf</TT
5037 > at
5038 the appropriate place. The C library will then call Winbind to
5039 resolve user and group names.</P
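The lookup just described can be modelled in a few lines. The following is an added example, not Samba or glibc code: it parses an nsswitch.conf (the sample text is constructed), derives the libnss_*.so load order the C library would follow for a service, and performs the check a practitioner wants before trusting winbind on a machine, namely that "files" precedes "winbind" for passwd and group so root and other local accounts still resolve when winbindd is unreachable. The /lib module directory is taken from the text above and is an assumption about the target system.

```python
"""Parse nsswitch.conf and derive the NSS module load order.

Added example, not Samba or glibc code. Models the lookup described in the
text: for "passwd: files winbind" the C library loads /lib/libnss_files.so
and then /lib/libnss_winbind.so, in that order. The sample config below is
constructed for illustration.
"""

NSS_LIB_DIR = "/lib"  # assumption: module directory named in the text above

# Constructed sample of an nsswitch.conf after winbind has been added.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files winbind
group:      files winbind
shadow:     files
hosts:      files dns
networks:   files
"""


def parse_nsswitch(text):
    """Return {service: [source, ...]} for every non-comment line.

    Bracketed action specs such as "[NOTFOUND=return]" are real NSS syntax
    but name no module, so they are dropped from the source list.
    """
    services = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        sources = [tok for tok in rest.split() if not tok.startswith("[")]
        services[name.strip()] = sources
    return services


def module_load_order(services, service):
    """Shared objects the C library would dlopen, in order, for one service."""
    return [f"{NSS_LIB_DIR}/libnss_{src}.so" for src in services.get(service, [])]


def check_winbind_placement(services):
    """Practitioner check: winbind must be listed for passwd and group and
    must come after 'files', so local accounts (root above all) are still
    resolved from /etc/passwd when winbindd is down.  Returns a list of
    problem strings; an empty list means the configuration is acceptable.
    """
    problems = []
    for svc in ("passwd", "group"):
        sources = services.get(svc, [])
        if "winbind" not in sources:
            problems.append(f"{svc}: winbind not listed")
            continue
        if "files" not in sources or sources.index("files") > sources.index("winbind"):
            problems.append(f"{svc}: 'files' should precede 'winbind'")
    return problems


if __name__ == "__main__":
    svcs = parse_nsswitch(SAMPLE_NSSWITCH)
    for svc in ("passwd", "group"):
        print(svc, "->", module_load_order(svcs, svc))
    print("problems:", check_winbind_placement(svcs) or "none")
```

Run it against a copy of the real file (`parse_nsswitch(open("/etc/nsswitch.conf").read())`) to see the exact module order a lookup will take and to catch a winbind entry placed ahead of the local files.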
5040 ></DIV
5041 ><DIV
5042 CLASS="SECT2"
5043 ><HR><H2
5044 CLASS="SECT2"
5046 NAME="AEN1145"
5047 >7.4.3. Pluggable Authentication Modules</A
5048 ></H2
5050 >Pluggable Authentication Modules, also known as PAM,
5051 is a system for abstracting authentication and authorization
5052 technologies. With a PAM module it is possible to specify different
5053 authentication methods for different system applications without
5054 having to recompile these applications. PAM is also useful
5055 for implementing a particular policy for authorization. For example,
5056 a system administrator may allow console logins only for users
5057 stored in the local password file, while allowing users resolved from
5058 a NIS database to log in only over the network.</P
5060 >Winbind uses the authentication management and password
5061 management PAM interface to integrate Windows NT users into a
5062 UNIX system. This allows Windows NT users to log in to a UNIX
5063 machine and be authenticated against a suitable Primary Domain
5064 Controller. These users can also change their passwords and have
5065 this change take effect directly on the Primary Domain Controller.
5068 >PAM is configured by providing control files in the directory
5070 CLASS="FILENAME"
5071 >/etc/pam.d/</TT
5072 > for each of the services that
5073 require authentication. When an authentication request is made
5074 by an application the PAM code in the C library looks up this
5075 control file to determine what modules to load to do the
5076 authentication check and in what order. This interface makes adding
5077 a new authentication service for Winbind very easy, all that needs
5078 to be done is that the <TT
5079 CLASS="FILENAME"
5080 >pam_winbind.so</TT
5081 > module
5082 is copied to <TT
5083 CLASS="FILENAME"
5084 >/lib/security/</TT
5085 > and the pam
5086 control files for relevant services are updated to allow
5087 authentication via winbind. See the PAM documentation
5088 for more details.</P
5089 ></DIV
5090 ><DIV
5091 CLASS="SECT2"
5092 ><HR><H2
5093 CLASS="SECT2"
5095 NAME="AEN1153"
5096 >7.4.4. User and Group ID Allocation</A
5097 ></H2
5099 >When a user or group is created under Windows NT
5100 it is allocated a numerical relative identifier (RID). This is
5101 slightly different from UNIX, which uses one range of numbers to
5102 identify users and a separate range of the same numbers to identify
5103 groups. It is winbind's job to convert RIDs to UNIX id numbers and
5104 vice versa. When winbind is configured it is given part of the UNIX
5105 user id space and a part of the UNIX group id space in which to
5106 store Windows NT users and groups. If a Windows NT user is
5107 resolved for the first time, it is allocated the next UNIX id from
5108 the range. The same process applies for Windows NT groups. Over
5109 time, winbind will have mapped all Windows NT users and groups
5110 to UNIX user ids and group ids.</P
5112 >The results of this mapping are stored persistently in
5113 an ID mapping database (held in a tdb database). This ensures that
5114 RIDs are mapped to UNIX IDs in a consistent way.</P
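The allocation scheme described above can be reproduced in miniature. This is an added example, not winbind's code: it hands out the next free uid or gid from a configured range the first time a RID is seen, records the mapping in a store that stands in for the idmap tdb so repeat lookups are stable, and includes a function that shows why the mapping is order dependent (the limitation noted in section 7.6). The domain SID, RIDs and id ranges are constructed values.

```python
"""Sequential RID -> UNIX id allocation as described in the text.

Added example, not winbind's source. Winbind is given a uid range and a
gid range, hands out the next free id the first time a RID is seen, and
persists the mapping so later lookups return the same id. The dict-backed
store stands in for the idmap tdb; SIDs, RIDs and ranges are constructed.
"""


class IdMapExhausted(Exception):
    """Raised when the configured uid or gid range has no free id left."""


class WinbindIdMap:
    def __init__(self, uid_range, gid_range, store=None):
        self.uid_lo, self.uid_hi = uid_range
        self.gid_lo, self.gid_hi = gid_range
        # The store keeps both directions plus the high-water marks, which
        # is what makes the mapping survive restarts (like the tdb file).
        self.store = store if store is not None else {}

    def _alloc(self, kind, key, lo, hi):
        if key in self.store:                 # already mapped: stable answer
            return self.store[key]
        next_key = f"NEXT_{kind}"
        nxt = self.store.get(next_key, lo)    # next unused id in the range
        if nxt > hi:
            raise IdMapExhausted(f"{kind} range {lo}-{hi} exhausted")
        self.store[key] = nxt                 # SID/RID -> id
        self.store[f"{kind}:{nxt}"] = key     # id -> SID/RID
        self.store[next_key] = nxt + 1
        return nxt

    def uid_for(self, domain_sid, rid):
        return self._alloc("UID", f"U:{domain_sid}-{rid}", self.uid_lo, self.uid_hi)

    def gid_for(self, domain_sid, rid):
        return self._alloc("GID", f"G:{domain_sid}-{rid}", self.gid_lo, self.gid_hi)

    def sid_for_uid(self, uid):
        """Reverse lookup, as getpwuid() through winbind would need."""
        return self.store.get(f"UID:{uid}")


def mapping_depends_on_order():
    """Two winbind instances starting from an empty database see the same two
    RIDs in opposite order and assign them opposite uids.  This is why a lost
    or corrupted idmap database cannot simply be regenerated."""
    sid = "S-1-5-21-111-222-333"  # constructed domain SID
    a = WinbindIdMap((10000, 20000), (10000, 20000))
    b = WinbindIdMap((10000, 20000), (10000, 20000))
    first = {1001: a.uid_for(sid, 1001), 1002: a.uid_for(sid, 1002)}
    second = {1002: b.uid_for(sid, 1002), 1001: b.uid_for(sid, 1001)}
    return first, second


if __name__ == "__main__":
    first, second = mapping_depends_on_order()
    print("seen 1001 then 1002:", first)
    print("seen 1002 then 1001:", second)
```

The operational consequence is the one the limitations section draws: back up the idmap database along with the rest of the server, because file ownership on disk is recorded as uids that only that database can translate back to domain accounts.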
5115 ></DIV
5116 ><DIV
5117 CLASS="SECT2"
5118 ><HR><H2
5119 CLASS="SECT2"
5121 NAME="AEN1157"
5122 >7.4.5. Result Caching</A
5123 ></H2
5125 >An active system can generate a lot of user and group
5126 name lookups. To reduce the network cost of these lookups winbind
5127 uses a caching scheme based on the SAM sequence number supplied
5128 by NT domain controllers. User or group information returned
5129 by a PDC is cached by winbind along with a sequence number also
5130 returned by the PDC. This sequence number is incremented by
5131 Windows NT whenever any user or group information is modified. If
5132 a cached entry has expired, the sequence number is requested from
5133 the PDC and compared against the sequence number of the cached entry.
5134 If the sequence numbers do not match, then the cached information
5135 is discarded and up to date information is requested directly
5136 from the PDC.</P
5137 ></DIV
5138 ></DIV
5139 ><DIV
5140 CLASS="SECT1"
5141 ><HR><H1
5142 CLASS="SECT1"
5144 NAME="AEN1160"
5145 >7.5. Installation and Configuration</A
5146 ></H1
5148 >The easiest way to install winbind is by using the packages
5149 provided in the <TT
5150 CLASS="FILENAME"
5151 >pub/samba/appliance/</TT
5153 directory on your nearest
5154 Samba mirror. These packages provide snapshots of the Samba source
5155 code and binaries already setup to provide the full functionality
5156 of winbind. This setup is a little more complex than a normal Samba
5157 build as winbind needs a small amount of functionality from a
5158 development code branch called SAMBA_TNG.</P
5160 >Once you have installed the packages you should read
5161 the <B
5162 CLASS="COMMAND"
5163 >winbindd(8)</B
5164 > man page which will provide you
5165 with configuration information and give you sample configuration files.
5166 You may also wish to update the main Samba daemons (smbd and nmbd)
5167 with a more recent development release, such as the recently
5168 announced Samba 2.2 alpha release.</P
5169 ></DIV
5170 ><DIV
5171 CLASS="SECT1"
5172 ><HR><H1
5173 CLASS="SECT1"
5175 NAME="AEN1166"
5176 >7.6. Limitations</A
5177 ></H1
5179 >Winbind has a number of limitations in its current
5180 released version which we hope to overcome in future
5181 releases:</P
5183 ></P
5184 ><UL
5185 ><LI
5187 >Winbind is currently only available for
5188 the Linux operating system, although ports to other operating
5189 systems are certainly possible. For such ports to be feasible,
5190 we require the C library of the target operating system to
5191 support the Name Service Switch and Pluggable Authentication
5192 Modules systems. This is becoming more common as NSS and
5193 PAM gain support among UNIX vendors.</P
5194 ></LI
5195 ><LI
5197 >The mapping of Windows NT RIDs to UNIX ids
5198 is not made algorithmically and depends on the order in which
5199 unmapped users or groups are seen by winbind. It may be difficult
5200 to recover the RID to UNIX id mappings if the file
5201 containing this information is corrupted or destroyed.</P
5202 ></LI
5203 ><LI
5205 >Currently the winbind PAM module does not take
5206 into account possible workstation and logon time restrictions
5207 that may have been set for Windows NT users.</P
5208 ></LI
5209 ><LI
5211 >Building winbind from source is currently
5212 quite tedious as it requires combining source code from two Samba
5213 branches. Work is underway to solve this by providing all
5214 the necessary functionality in the main Samba code branch.</P
5215 ></LI
5216 ></UL
5217 ></DIV
5218 ><DIV
5219 CLASS="SECT1"
5220 ><HR><H1
5221 CLASS="SECT1"
5223 NAME="AEN1178"
5224 >7.7. Conclusion</A
5225 ></H1
5227 >The winbind system, through the use of the Name Service
5228 Switch, Pluggable Authentication Modules, and appropriate
5229 Microsoft RPC calls, has allowed us to provide seamless
5230 integration of Microsoft Windows NT domain users on a
5231 UNIX system. The result is a great reduction in the administrative
5232 cost of running a mixed UNIX and NT network.</P
5233 ></DIV
5234 ></DIV
5235 ><DIV
5236 CLASS="CHAPTER"
5237 ><HR><H1
5239 NAME="AEN1181"
5240 >Chapter 8. UNIX Permission Bits and Windows NT Access Control Lists</A
5241 ></H1
5242 ><DIV
5243 CLASS="SECT1"
5244 ><H1
5245 CLASS="SECT1"
5247 NAME="AEN1192"
5248 >8.1. Viewing and changing UNIX permissions using the NT
5249 security dialogs</A
5250 ></H1
5252 >New in the Samba 2.0.4 release is the ability for Windows
5253 NT clients to use their native security settings dialog box to
5254 view and modify the underlying UNIX permissions.</P
5256 >Note that this ability is careful not to compromise
5257 the security of the UNIX host Samba is running on, and
5258 still obeys all the file permission rules that a Samba
5259 administrator can set.</P
5261 >In Samba 2.0.4 and above the default value of the
5262 parameter <A
5263 HREF="smb.conf.5.html#NTACLSUPPORT"
5264 TARGET="_top"
5265 ><TT
5266 CLASS="PARAMETER"
5268 > nt acl support</I
5269 ></TT
5270 ></A
5271 > has been changed from
5273 CLASS="CONSTANT"
5274 >false</TT
5275 > to <TT
5276 CLASS="CONSTANT"
5277 >true</TT
5278 >, so
5279 manipulation of permissions is turned on by default.</P
5280 ></DIV
5281 ><DIV
5282 CLASS="SECT1"
5283 ><HR><H1
5284 CLASS="SECT1"
5286 NAME="AEN1201"
5287 >8.2. How to view file security on a Samba share</A
5288 ></H1
5290 >From an NT 4.0 client, single-click with the right
5291 mouse button on any file or directory in a Samba mounted
5292 drive letter or UNC path. When the menu pops-up, click
5293 on the <EM
5294 >Properties</EM
5295 > entry at the bottom of
5296 the menu. This brings up the normal file properties dialog
5297 box, but with Samba 2.0.4 this will have a new tab along the top
5298 marked <EM
5299 >Security</EM
5300 >. Click on this tab and you
5301 will see three buttons, <EM
5302 >Permissions</EM
5305 >Auditing</EM
5306 >, and <EM
5307 >Ownership</EM
5309 The <EM
5310 >Auditing</EM
5311 > button will cause either
5312 an error message <SPAN
5313 CLASS="ERRORNAME"
5314 >A requested privilege is not held
5315 by the client</SPAN
5316 > to appear if the user is not the
5317 NT Administrator, or a dialog which is intended to allow an
5318 Administrator to add auditing requirements to a file if the
5319 user is logged on as the NT Administrator. This dialog is
5320 non-functional with a Samba share at this time, as the only
5321 useful button, the <B
5322 CLASS="COMMAND"
5323 >Add</B
5324 > button will not currently
5325 allow a list of users to be seen.</P
5326 ></DIV
5327 ><DIV
5328 CLASS="SECT1"
5329 ><HR><H1
5330 CLASS="SECT1"
5332 NAME="AEN1212"
5333 >8.3. Viewing file ownership</A
5334 ></H1
5336 >Clicking on the <B
5337 CLASS="COMMAND"
5338 >"Ownership"</B
5339 > button
5340 brings up a dialog box telling you who owns the given file. The
5341 owner name will be of the form :</P
5344 CLASS="COMMAND"
5345 >"SERVER\user (Long name)"</B
5346 ></P
5348 >Where <TT
5349 CLASS="REPLACEABLE"
5351 >SERVER</I
5352 ></TT
5353 > is the NetBIOS name of
5354 the Samba server, <TT
5355 CLASS="REPLACEABLE"
5357 >user</I
5358 ></TT
5359 > is the user name of
5360 the UNIX user who owns the file, and <TT
5361 CLASS="REPLACEABLE"
5363 >(Long name)</I
5364 ></TT
5366 is the descriptive string identifying the user (normally found in the
5367 GECOS field of the UNIX password database). Click on the <B
5368 CLASS="COMMAND"
5369 >Close
5371 > button to remove this dialog.</P
5373 >If the parameter <TT
5374 CLASS="PARAMETER"
5376 >nt acl support</I
5377 ></TT
5379 is set to <TT
5380 CLASS="CONSTANT"
5381 >false</TT
5382 > then the file owner will
5383 be shown as the NT user <B
5384 CLASS="COMMAND"
5385 >"Everyone"</B
5386 >.</P
5388 >The <B
5389 CLASS="COMMAND"
5390 >Take Ownership</B
5391 > button will not allow
5392 you to change the ownership of this file to yourself (clicking on
5393 it will display a dialog box complaining that the user you are
5394 currently logged onto the NT client cannot be found). The reason
5395 for this is that changing the ownership of a file is a privileged
5396 operation in UNIX, available only to the <EM
5397 >root</EM
5399 user. As clicking on this button causes NT to attempt to change
5400 the ownership of a file to the current user logged into the NT
5401 client this will not work with Samba at this time.</P
5403 >There is an NT chown command that will work with Samba
5404 and allow a user with Administrator privilege connected
5405 to a Samba 2.0.4 server as root to change the ownership of
5406 files on either a local NTFS filesystem or a remotely mounted NTFS
5407 or Samba drive. This is available as part of the <EM
5408 >Seclib
5409 </EM
5410 > NT security library written by Jeremy Allison of
5411 the Samba Team, available from the main Samba ftp site.</P
5412 ></DIV
5413 ><DIV
5414 CLASS="SECT1"
5415 ><HR><H1
5416 CLASS="SECT1"
5418 NAME="AEN1232"
5419 >8.4. Viewing file or directory permissions</A
5420 ></H1
5422 >The third button is the <B
5423 CLASS="COMMAND"
5424 >"Permissions"</B
5426 button. Clicking on this brings up a dialog box that shows both
5427 the permissions and the UNIX owner of the file or directory.
5428 The owner is displayed in the form :</P
5431 CLASS="COMMAND"
5432 >"SERVER\user (Long name)"</B
5433 ></P
5435 >Where <TT
5436 CLASS="REPLACEABLE"
5438 >SERVER</I
5439 ></TT
5440 > is the NetBIOS name of
5441 the Samba server, <TT
5442 CLASS="REPLACEABLE"
5444 >user</I
5445 ></TT
5446 > is the user name of
5447 the UNIX user who owns the file, and <TT
5448 CLASS="REPLACEABLE"
5450 >(Long name)</I
5451 ></TT
5453 is the descriptive string identifying the user (normally found in the
5454 GECOS field of the UNIX password database).</P
5456 >If the parameter <TT
5457 CLASS="PARAMETER"
5459 >nt acl support</I
5460 ></TT
5462 is set to <TT
5463 CLASS="CONSTANT"
5464 >false</TT
5465 > then the file owner will
5466 be shown as the NT user <B
5467 CLASS="COMMAND"
5468 >"Everyone"</B
5469 > and the
5470 permissions will be shown as NT "Full Control".</P
5472 >The permissions field is displayed differently for files
5473 and directories, so I'll describe the way file permissions
5474 are displayed first.</P
5475 ><DIV
5476 CLASS="SECT2"
5477 ><HR><H2
5478 CLASS="SECT2"
5480 NAME="AEN1247"
5481 >8.4.1. File Permissions</A
5482 ></H2
5484 >The standard UNIX user/group/world triple and
5485 the corresponding "read", "write", "execute" permissions
5486 triples are mapped by Samba into a three element NT ACL
5487 with the 'r', 'w', and 'x' bits mapped into the corresponding
5488 NT permissions. The UNIX world permissions are mapped into
5489 the global NT group <B
5490 CLASS="COMMAND"
5491 >Everyone</B
5492 >, followed
5493 by the list of permissions allowed for UNIX world. The UNIX
5494 owner and group permissions are displayed as an NT
5496 CLASS="COMMAND"
5497 >user</B
5498 > icon and an NT <B
5499 CLASS="COMMAND"
5500 >local
5501 group</B
5502 > icon respectively followed by the list
5503 of permissions allowed for the UNIX user and group.</P
5505 >As many UNIX permission sets don't map into common
5506 NT names such as <B
5507 CLASS="COMMAND"
5508 >"read"</B
5509 >, <B
5510 CLASS="COMMAND"
5511 > "change"</B
5512 > or <B
5513 CLASS="COMMAND"
5514 >"full control"</B
5515 > then
5516 usually the permissions will be prefixed by the words <B
5517 CLASS="COMMAND"
5518 > "Special Access"</B
5519 > in the NT display list.</P
5521 >But what happens if the file has no permissions allowed
5522 for a particular UNIX user, group or world component? In order
5523 to allow "no permissions" to be seen and modified then Samba
5524 overloads the NT <B
5525 CLASS="COMMAND"
5526 >"Take Ownership"</B
5527 > ACL attribute
5528 (which has no meaning in UNIX) and reports a component with
5529 no permissions as having the NT <B
5530 CLASS="COMMAND"
5531 >"O"</B
5532 > bit set.
5533 This was chosen of course to make it look like a zero, meaning
5534 zero permissions. More details on the decision behind this will
5535 be given below.</P
5536 ></DIV
5537 ><DIV
5538 CLASS="SECT2"
5539 ><HR><H2
5540 CLASS="SECT2"
5542 NAME="AEN1261"
5543 >8.4.2. Directory Permissions</A
5544 ></H2
5546 >Directories on an NT NTFS file system have two
5547 different sets of permissions. The first set of permissions
5548 is the ACL set on the directory itself, this is usually displayed
5549 in the first set of parentheses in the normal <B
5550 CLASS="COMMAND"
5551 >"RW"</B
5553 NT style. This first set of permissions is created by Samba in
5554 exactly the same way as normal file permissions are, described
5555 above, and is displayed in the same way.</P
5557 >The second set of directory permissions has no real meaning
5558 in the UNIX permissions world and represents the <B
5559 CLASS="COMMAND"
5560 > "inherited"</B
5561 > permissions that any file created within
5562 this directory would inherit.</P
5564 >Samba synthesises these inherited permissions for NT by
5565 returning as an NT ACL the UNIX permission mode that a new file
5566 created by Samba on this share would receive.</P
5567 ></DIV
5568 ></DIV
5569 ><DIV
5570 CLASS="SECT1"
5571 ><HR><H1
5572 CLASS="SECT1"
5574 NAME="AEN1268"
5575 >8.5. Modifying file or directory permissions</A
5576 ></H1
5578 >Modifying file and directory permissions is as simple
5579 as changing the displayed permissions in the dialog box, and
5580 clicking the <B
5581 CLASS="COMMAND"
5582 >OK</B
5583 > button. However, there are
5584 limitations that a user needs to be aware of, and also interactions
5585 with the standard Samba permission masks and mapping of DOS
5586 attributes that need to also be taken into account.</P
5588 >If the parameter <TT
5589 CLASS="PARAMETER"
5591 >nt acl support</I
5592 ></TT
5594 is set to <TT
5595 CLASS="CONSTANT"
5596 >false</TT
5597 > then any attempt to set
5598 security permissions will fail with an <B
5599 CLASS="COMMAND"
5600 >"Access Denied"
5602 > message.</P
5604 >The first thing to note is that the <B
5605 CLASS="COMMAND"
5606 >"Add"</B
5608 button will not return a list of users in Samba 2.0.4 (it will give
5609 an error message of <B
5610 CLASS="COMMAND"
5611 >"The remote procedure call failed
5612 and did not execute"</B
5613 >). This means that you can only
5614 manipulate the current user/group/world permissions listed in
5615 the dialog box. This actually works quite well as these are the
5616 only permissions that UNIX actually has.</P
5618 >If a permission triple (either user, group, or world)
5619 is removed from the list of permissions in the NT dialog box,
5620 then when the <B
5621 CLASS="COMMAND"
5622 >"OK"</B
5623 > button is pressed it will
5624 be applied as "no permissions" on the UNIX side. If you then
5625 view the permissions again the "no permissions" entry will appear
5626 as the NT <B
5627 CLASS="COMMAND"
5628 >"O"</B
5629 > flag, as described above. This
5630 allows you to add permissions back to a file or directory once
5631 you have removed them from a triple component.</P
5633 >As UNIX supports only the "r", "w" and "x" bits of
5634 an NT ACL, any other NT security attributes such as "Delete
5635 access" that are selected will be ignored when applied on
5636 the Samba server.</P
5638 >When setting permissions on a directory the second
5639 set of permissions (in the second set of parentheses) is
5640 by default applied to all files within that directory. If this
5641 is not what you want you must uncheck the <B
5642 CLASS="COMMAND"
5643 >"Replace
5644 permissions on existing files"</B
5645 > checkbox in the NT
5646 dialog before clicking <B
5647 CLASS="COMMAND"
5648 >"OK"</B
5649 >.</P
5651 >If you wish to remove all permissions from a
5652 user/group/world component then you may either highlight the
5653 component and click the <B
5654 CLASS="COMMAND"
5655 >"Remove"</B
5656 > button,
5657 or set the component to only have the special <B
5658 CLASS="COMMAND"
5659 >"Take
5660 Ownership"</B
5661 > permission (displayed as <B
5662 CLASS="COMMAND"
5663 >"O"
5665 >) highlighted.</P
5666 ></DIV
5667 ><DIV
5668 CLASS="SECT1"
5669 ><HR><H1
5670 CLASS="SECT1"
5672 NAME="AEN1290"
5673 >8.6. Interaction with the standard Samba create mask
5674 parameters</A
5675 ></H1
5677 >Note that with Samba 2.0.5 there are four new parameters
5678 to control this interaction. These are :</P
5680 ><TT
5681 CLASS="PARAMETER"
5683 >security mask</I
5684 ></TT
5685 ></P
5687 ><TT
5688 CLASS="PARAMETER"
5690 >force security mode</I
5691 ></TT
5692 ></P
5694 ><TT
5695 CLASS="PARAMETER"
5697 >directory security mask</I
5698 ></TT
5699 ></P
5701 ><TT
5702 CLASS="PARAMETER"
5704 >force directory security mode</I
5705 ></TT
5706 ></P
5708 >Once a user clicks <B
5709 CLASS="COMMAND"
5710 >"OK"</B
5711 > to apply the
5712 permissions Samba maps the given permissions into a user/group/world
5713 r/w/x triple set, and then will check the changed permissions for a
5714 file against the bits set in the <A
5715 HREF="smb.conf.5.html#SECURITYMASK"
5716 TARGET="_top"
5719 CLASS="PARAMETER"
5721 >security mask</I
5722 ></TT
5723 ></A
5724 > parameter. Any bits that
5725 were changed that are not set to '1' in this parameter are left alone
5726 in the file permissions.</P
5728 >Essentially, zero bits in the <TT
5729 CLASS="PARAMETER"
5731 >security mask</I
5732 ></TT
5734 mask may be treated as a set of bits the user is <EM
5735 >not</EM
5737 allowed to change, and one bits are those the user is allowed to change.
5740 >If not set explicitly this parameter is set to the same value as
5741 the <A
5742 HREF="smb.conf.5.html#CREATEMASK"
5743 TARGET="_top"
5744 ><TT
5745 CLASS="PARAMETER"
5747 >create mask
5749 ></TT
5750 ></A
5751 > parameter to provide compatibility with Samba 2.0.4
5752 where this permission change facility was introduced. To allow a user to
5753 modify all the user/group/world permissions on a file, set this parameter
5754 to 0777.</P
5756 >Next Samba checks the changed permissions for a file against
5757 the bits set in the <A
5758 HREF="smb.conf.5.html#FORCESECURITYMODE"
5759 TARGET="_top"
5760 > <TT
5761 CLASS="PARAMETER"
5763 >force security mode</I
5764 ></TT
5765 ></A
5766 > parameter. Any bits
5767 that were changed that correspond to bits set to '1' in this parameter
5768 are forced to be set.</P
5770 >Essentially, bits set in the <TT
5771 CLASS="PARAMETER"
5773 >force security mode
5775 ></TT
5776 > parameter may be treated as a set of bits that, when
5777 modifying security on a file, the user has always set to be 'on'.</P
5779 >If not set explicitly this parameter is set to the same value
5780 as the <A
5781 HREF="smb.conf.5.html#FORCECREATEMODE"
5782 TARGET="_top"
5783 ><TT
5784 CLASS="PARAMETER"
5786 >force
5787 create mode</I
5788 ></TT
5789 ></A
5790 > parameter to provide compatibility
5791 with Samba 2.0.4 where the permission change facility was introduced.
5792 To allow a user to modify all the user/group/world permissions on a file,
5793 with no restrictions set this parameter to 000.</P
5795 >The <TT
5796 CLASS="PARAMETER"
5798 >security mask</I
5799 ></TT
5800 > and <TT
5801 CLASS="PARAMETER"
5803 >force
5804 security mode</I
5805 ></TT
5806 > parameters are applied to the change
5807 request in that order.</P
5809 >For a directory Samba will perform the same operations as
5810 described above for a file except using the parameter <TT
5811 CLASS="PARAMETER"
5813 > directory security mask</I
5814 ></TT
5815 > instead of <TT
5816 CLASS="PARAMETER"
5818 >security
5819 mask</I
5820 ></TT
5821 >, and <TT
5822 CLASS="PARAMETER"
5824 >force directory security mode
5826 ></TT
5827 > parameter instead of <TT
5828 CLASS="PARAMETER"
5830 >force security mode
5832 ></TT
5833 >.</P
5835 >The <TT
5836 CLASS="PARAMETER"
5838 >directory security mask</I
5839 ></TT
5840 > parameter
5841 by default is set to the same value as the <TT
5842 CLASS="PARAMETER"
5844 >directory mask
5846 ></TT
5847 > parameter and the <TT
5848 CLASS="PARAMETER"
5850 >force directory security
5851 mode</I
5852 ></TT
5853 > parameter by default is set to the same value as
5854 the <TT
5855 CLASS="PARAMETER"
5857 >force directory mode</I
5858 ></TT
5859 > parameter to provide
5860 compatibility with Samba 2.0.4 where the permission change facility
5861 was introduced.</P
5863 >In this way Samba enforces the permission restrictions that
5864 an administrator can set on a Samba share, whilst still allowing users
5865 to modify the permission bits within that restriction.</P
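The two-step rule above (honour changed bits only where the mask has a 1, then switch on every bit in the force mode) is easy to get wrong when reasoning about a share by hand, so here it is as an added example. This is not Samba's source; it follows the behaviour as documented in this section, and the same routine serves directories when given the "directory security mask" and "force directory security mode" values. The second function splits a mode into the user, group and Everyone entries the NT dialog shows, reporting an empty component as "O" as described in section 8.4.1. All modes in the examples are constructed.

```python
"""Apply "security mask" and "force security mode" to a permission change.

Added example, not Samba's source. Follows the two steps documented in
the text: bits the user changed are honoured only where the mask has a 1,
then every bit set in the force mode is switched on. Pass the directory
parameters for a directory. Sample modes are constructed.
"""

RWX_MASK = 0o777  # only the user/group/world rwx bits are subject to the dialog


def apply_security_change(current_mode, requested_mode, security_mask, force_mode):
    """Return the UNIX mode Samba would store after an NT security dialog change.

    current_mode   - mode the file has now
    requested_mode - rwx triple set Samba derived from the NT ACL the user sent
    security_mask  - bits the user may change (defaults to "create mask")
    force_mode     - bits always switched on (defaults to "force create mode")
    """
    cur = current_mode & RWX_MASK
    req = requested_mode & RWX_MASK
    changed = cur ^ req                   # bits the user actually touched
    allowed = changed & security_mask     # of those, the ones the admin permits
    new_mode = (cur & ~allowed) | (req & allowed)   # refused bits are left alone
    new_mode |= force_mode & RWX_MASK     # step two: forced-on bits
    return new_mode


def triples(mode):
    """Split a mode into the user / group / Everyone entries the NT dialog lists.

    A component with no bits set is reported as "O", mirroring Samba's overload
    of the "Take Ownership" bit to make zero permissions visible and editable.
    """
    out = {}
    for name, shift in (("user", 6), ("group", 3), ("Everyone", 0)):
        bits = (mode >> shift) & 0o7
        letters = "".join(c for c, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b)
        out[name] = letters or "O"
    return out


if __name__ == "__main__":
    # A 2.0.5 share left at its defaults: security mask = create mask (0744),
    # force security mode = force create mode (000).
    print(oct(apply_security_change(0o644, 0o666, 0o744, 0o000)))  # 0o644: group/world write refused
    print(oct(apply_security_change(0o644, 0o600, 0o744, 0o000)))  # 0o600: dropping world read allowed
    # The permissive settings given below in the text.
    print(oct(apply_security_change(0o644, 0o666, 0o777, 0o000)))  # 0o666: change accepted
    print(triples(0o600))  # {'user': 'rw', 'group': 'O', 'Everyone': 'O'}
```

The first call shows the practical effect of leaving the defaults in place: a user who grants "write" to Everyone in the dialog gets an apparently successful OK, yet the mode on disk stays 0644 because the mask refused the change. Re-opening the Permissions dialog is the only way to see that.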
5867 >If you want to set up a share that allows users full control
5868 in modifying the permission bits on their files and directories and
5869 doesn't force any particular bits to be set 'on', then set the following
5870 parameters in the <A
5871 HREF="smb.conf.5.html"
5872 TARGET="_top"
5873 ><TT
5874 CLASS="FILENAME"
5875 >smb.conf(5)
5876 </TT
5877 ></A
5878 > file in that share specific section :</P
5880 ><TT
5881 CLASS="PARAMETER"
5883 >security mask = 0777</I
5884 ></TT
5885 ></P
5887 ><TT
5888 CLASS="PARAMETER"
5890 >force security mode = 0</I
5891 ></TT
5892 ></P
5894 ><TT
5895 CLASS="PARAMETER"
5897 >directory security mask = 0777</I
5898 ></TT
5899 ></P
5901 ><TT
5902 CLASS="PARAMETER"
5904 >force directory security mode = 0</I
5905 ></TT
5906 ></P
5908 >As described, in Samba 2.0.4 the parameters :</P
5910 ><TT
5911 CLASS="PARAMETER"
5913 >create mask</I
5914 ></TT
5915 ></P
5917 ><TT
5918 CLASS="PARAMETER"
5920 >force create mode</I
5921 ></TT
5922 ></P
5924 ><TT
5925 CLASS="PARAMETER"
5927 >directory mask</I
5928 ></TT
5929 ></P
5931 ><TT
5932 CLASS="PARAMETER"
5934 >force directory mode</I
5935 ></TT
5936 ></P
5938 >were used instead of the parameters discussed here.</P
5939 ></DIV
5940 ><DIV
5941 CLASS="SECT1"
5942 ><HR><H1
5943 CLASS="SECT1"
5945 NAME="AEN1354"
5946 >8.7. Interaction with the standard Samba file attribute
5947 mapping</A
5948 ></H1
5950 >Samba maps some of the DOS attribute bits (such as "read
5951 only") into the UNIX permissions of a file. This means there can
5952 be a conflict between the permission bits set via the security
5953 dialog and the permission bits set by the file attribute mapping.
5956 >One way this can show up is that a file with no UNIX write access
5957 for the owner is displayed as "read only" in the standard
5958 file attributes tabbed dialog. Unfortunately this dialog is
5959 the same one that contains the security info in another tab.</P
5961 >What this can mean is that if the owner changes the permissions
5962 to allow themselves write access using the security dialog, clicks
5964 CLASS="COMMAND"
5965 >"OK"</B
5966 > to get back to the standard attributes tab
5967 dialog, and then clicks <B
5968 CLASS="COMMAND"
5969 >"OK"</B
5970 > on that dialog, then
5971 NT will set the file permissions back to read-only (as that is what
5972 the attributes still say in the dialog). This means that after setting
5973 permissions and clicking <B
5974 CLASS="COMMAND"
5975 >"OK"</B
5976 > to get back to the
5977 attributes dialog you should always hit <B
5978 CLASS="COMMAND"
5979 >"Cancel"</B
5981 rather than <B
5982 CLASS="COMMAND"
5983 >"OK"</B
5984 > to ensure that your changes
5985 are not overridden.</P
5986 ></DIV
5987 ></DIV
5988 ><DIV
5989 CLASS="CHAPTER"
5990 ><HR><H1
5992 NAME="AEN1364"
5993 >Chapter 9. OS2 Client HOWTO</A
5994 ></H1
5995 ><DIV
5996 CLASS="SECT1"
5997 ><H1
5998 CLASS="SECT1"
6000 NAME="AEN1375"
6001 >9.1. FAQs</A
6002 ></H1
6003 ><DIV
6004 CLASS="SECT2"
6005 ><H2
6006 CLASS="SECT2"
6008 NAME="AEN1377"
6009 >9.1.1. How can I configure OS/2 Warp Connect or
6010 OS/2 Warp 4 as a client for Samba?</A
6011 ></H2
6013 >A more complete answer to this question can be
6014 found on <A
6015 HREF="http://carol.wins.uva.nl/~leeuw/samba/warp.html"
6016 TARGET="_top"
6017 > http://carol.wins.uva.nl/~leeuw/samba/warp.html</A
6018 >.</P
6020 >Basically, you need three components:</P
6022 ></P
6023 ><UL
6024 ><LI
6026 >The File and Print Client ('IBM Peer')
6028 ></LI
6029 ><LI
6031 >TCP/IP ('Internet support')
6033 ></LI
6034 ><LI
6036 >The "NetBIOS over TCP/IP" driver ('TCPBEUI')
6038 ></LI
6039 ></UL
6041 >Installing the first two together with the base operating
6042 system on a blank system is explained in the Warp manual. If Warp
6043 has already been installed, but you now want to install the
6044 networking support, use the "Selective Install for Networking"
6045 object in the "System Setup" folder.</P
6047 >Adding the "NetBIOS over TCP/IP" driver is not described
6048 in the manual and just barely in the online documentation. Start
6049 MPTS.EXE, click on OK, click on "Configure LAPS" and click
6050 on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
6051 is then moved to 'Current Configuration'. Select that line,
6052 click on "Change number" and increase it from 0 to 1. Save this
6053 configuration.</P
6055 >If the Samba server(s) is not on your local subnet, you
6056 can optionally add IP names and addresses of these servers
6057 to the "Names List", or specify a WINS server ('NetBIOS
6058 Nameserver' in IBM and RFC terminology). For Warp Connect you
6059 may need to download an update for 'IBM Peer' to bring it on
6060 the same level as Warp 4. See the webpage mentioned above.</P
6061 ></DIV
6062 ><DIV
6063 CLASS="SECT2"
6064 ><HR><H2
6065 CLASS="SECT2"
6066 ><A
6067 NAME="AEN1392"
6068 >9.1.2. How can I configure OS/2 Warp 3 (not Connect),
6069 OS/2 1.2, 1.3 or 2.x for Samba?</A
6070 ></H2
6071 ><P
6072 >You can use the free Microsoft LAN Manager 2.2c Client
6073 for OS/2 from
6074 <A
6075 HREF="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/"
6076 TARGET="_top"
6077 > ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</A
6078 >.
6079 See <A
6080 HREF="http://carol.wins.uva.nl/~leeuw/lanman.html"
6081 TARGET="_top"
6082 > http://carol.wins.uva.nl/~leeuw/lanman.html</A
6083 > for
6084 more information on how to install and use this client. In
6085 a nutshell, edit the file \OS2VER in the root directory of
6086 the OS/2 boot partition and add the lines:</P
6087 ><P
6088 ><TABLE
6089 BORDER="0"
6090 BGCOLOR="#E0E0E0"
6091 WIDTH="100%"
6092 ><TR
6093 ><TD
6094 ><PRE
6095 CLASS="PROGRAMLISTING"
6096 > 20=setup.exe
6097 20=netwksta.sys
6098 20=netvdd.sys
6099 </PRE
6100 ></TD
6101 ></TR
6102 ></TABLE
6103 ></P
6104 ><P
6105 >before you install the client. Also, don't use the
6106 included NE2000 driver because it is buggy. Try the NE2000
6107 or NS2000 driver from
6108 <A
6109 HREF="ftp://ftp.cdrom.com/pub/os2/network/ndis/"
6110 TARGET="_top"
6111 > ftp://ftp.cdrom.com/pub/os2/network/ndis/</A
6112 > instead.
6113 </P
6114 ></DIV
6115 ><DIV
6116 CLASS="SECT2"
6117 ><HR><H2
6118 CLASS="SECT2"
6119 ><A
6120 NAME="AEN1401"
6121 >9.1.3. Are there any other issues when OS/2 (any version)
6122 is used as a client?</A
6123 ></H2
6124 ><P
6125 >When you do a NET VIEW or use the "File and Print
6126 Client Resource Browser", no Samba servers show up. This can
6127 be fixed by a patch from <A
6128 HREF="http://carol.wins.uva.nl/~leeuw/samba/fix.html"
6129 TARGET="_top"
6130 > http://carol.wins.uva.nl/~leeuw/samba/fix.html</A
6131 >.
6132 The patch will be included in a later version of Samba. It also
6133 fixes a couple of other problems, such as preserving long
6134 filenames when objects are dragged from the Workplace Shell
6135 to the Samba server.</P
6136 ></DIV
6137 ><DIV
6138 CLASS="SECT2"
6139 ><HR><H2
6140 CLASS="SECT2"
6141 ><A
6142 NAME="AEN1405"
6143 >9.1.4. How do I get printer driver download working
6144 for OS/2 clients?</A
6145 ></H2
6146 ><P
6147 >First, create a share called [PRINTDRV] that is
6148 world-readable. Copy your OS/2 driver files there. Note
6149 that the .EA_ files must still be separate, so you will need
6150 to use the original install files, and not copy an installed
6151 driver from an OS/2 system.</P
6152 ><P
6153 >Install the NT driver first for that printer. Then,
6154 add to your smb.conf a parameter, "os2 driver map =
6155 <TT
6156 CLASS="REPLACEABLE"
6157 ><I
6158 >filename</I
6159 ></TT
6160 >". Then, in the file
6161 specified by <TT
6162 CLASS="REPLACEABLE"
6163 ><I
6164 >filename</I
6165 ></TT
6166 >, map the
6167 NT driver name to the OS/2 driver name as
6168 follows:</P
6169 ><P
6170 >&#60;nt driver name&#62; = &#60;os2 driver
6171 name&#62;.&#60;device name&#62;, e.g.:
6172 HP LaserJet 5L = LASERJET.HP LaserJet 5L</P
6173 ><P
6174 >You can have multiple drivers mapped in this file.</P
6175 ><P
6176 >If you only specify the OS/2 driver name, and not the
6177 device name, the first attempt to download the driver will
6178 actually download the files, but the OS/2 client will tell
6179 you the driver is not available. On the second attempt, it
6180 will work. This is fixed simply by adding the device name
6181 to the mapping, after which it will work on the first attempt.
6182 </P
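><P
>The mapping-file format and the missing-device-name failure mode described above can be checked before the "os2 driver map" parameter is pointed at the file. The following Python script is an added example, not code from the Samba project: the function names parse_os2_driver_map and lookup_os2_driver are its own, it assumes one mapping per line in the form shown above with blank lines ignored, it assumes the OS/2 driver name is everything before the first '.' on the right-hand side (the page only gives the LASERJET example, so that split point is an assumption), and the sample map file is constructed for the demonstration.</P
>
```python
"""Validate an "os2 driver map" file before pointing smb.conf at it.

Added example, not Samba project code.  Assumptions: one mapping per
line in the form   nt driver name = os2 driver name.device name
(as the HOWTO describes), blank lines are ignored, and the OS/2 driver
name is everything before the first '.' on the right-hand side.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Os2Mapping:
    nt_driver: str
    os2_driver: str
    device: Optional[str]  # None when the entry omits the device name


def parse_os2_driver_map(text: str) -> Tuple[Dict[str, Os2Mapping], List[str]]:
    """Parse map-file text into {nt driver name: mapping} plus warnings."""
    mappings: Dict[str, Os2Mapping] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines are ignored (assumption)
        nt_name, eq, rhs = line.partition("=")
        nt_name, rhs = nt_name.strip(), rhs.strip()
        if not eq or not nt_name or not rhs:
            warnings.append(f"line {lineno}: not of the form 'nt name = os2 name.device', ignored")
            continue
        # Split the right-hand side at the first '.' (assumed split point).
        os2_name, dot, device = rhs.partition(".")
        os2_name, device = os2_name.strip(), device.strip()
        if not os2_name:
            warnings.append(f"line {lineno}: empty OS/2 driver name, ignored")
            continue
        if not dot or not device:
            # The failure mode from the HOWTO: the files download, but the
            # client reports the driver missing until the second attempt.
            device = None
            warnings.append(f"line {lineno}: '{nt_name}' maps to '{os2_name}' without a "
                            "device name; OS/2 clients will fail on the first download")
        if nt_name in mappings:
            warnings.append(f"line {lineno}: duplicate entry for '{nt_name}', first one kept")
            continue
        mappings[nt_name] = Os2Mapping(nt_name, os2_name, device)
    return mappings, warnings


def lookup_os2_driver(mappings: Dict[str, Os2Mapping], nt_driver: str):
    """Resolve an NT driver name to (os2 driver, device) or None if unmapped."""
    entry = mappings.get(nt_driver)
    return (entry.os2_driver, entry.device) if entry else None


# Constructed sample map file: the HOWTO's example, one entry missing the
# device name, and a blank line.
SAMPLE_MAP = """\
HP LaserJet 5L = LASERJET.HP LaserJet 5L
HP LaserJet 4 = LASERJET

Example Printer = EXAMPLE.Example Printer
"""

if __name__ == "__main__":
    maps, warns = parse_os2_driver_map(SAMPLE_MAP)
    for m in maps.values():
        print(f"{m.nt_driver} -> {m.os2_driver}.{m.device or '(no device)'}")
    for w in warns:
        print("warning:", w)
```
<P
>Run against the sample, the script resolves all three entries and emits one warning, for "HP LaserJet 4", because its mapping has no device name; that is exactly the entry an OS/2 client would report as unavailable on the first download. Entries whose right-hand side carries both names, like the LaserJet 5L example from the text, pass without comment.</P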
6183 ></DIV
6184 ></DIV
6185 ></DIV
6186 ></DIV
6187 ></BODY
6188 ></HTML