4 >SAMBA Project Documentation
</TITLE
7 CONTENT=
"Modular DocBook HTML Stylesheet Version 1.57"></HEAD
18 NAME=
"SAMBA-PROJECT-DOCUMENTATION"
25 NAME=
"SAMBA-PROJECT-DOCUMENTATION"
26 >SAMBA Project Documentation
</A
41 >This book is a collection of HOWTOs added to Samba documentation over the years.
42 I try to ensure that all are current, but sometimes the is a larger job
43 than one person can maintain. The most recent version of this document
45 HREF=
"http://www.samba.org/"
47 >http://www.samba.org/
</A
49 on the
"Documentation" page. Please send updates to
<A
50 HREF=
"mailto:jerry@samba.org"
66 >How to Install and Test SAMBA
</A
73 >Step
0: Read the man pages
</A
78 >Step
1: Building the Binaries
</A
83 >Step
2: The all important step
</A
88 >Step
3: Create the smb configuration file.
</A
93 >Step
4: Test your config file with
102 >Step
5: Starting the smbd and nmbd
</A
109 >Step
5a: Starting from inetd.conf
</A
114 >Step
5b. Alternative: starting it as a daemon
</A
121 >Step
6: Try listing the shares available on your
127 >Step
7: Try connecting with the unix client
</A
132 >Step
8: Try connecting from a DOS, WfWg, Win9x, WinNT,
133 Win2k, OS/
2, etc... client
</A
138 >What If Things Don't Work?
</A
145 >Diagnosing Problems
</A
155 >Choosing the Protocol Level
</A
160 >Printing from UNIX to a Client PC
</A
170 >Mapping Usernames
</A
175 >Other Character Sets
</A
184 >LanMan and NT Password Encryption in Samba
2.x
</A
196 >How does it work?
</A
201 >Important Notes About Security
</A
208 >Advantages of SMB Encryption
</A
213 >Advantages of non-encrypted passwords
</A
221 NAME=
"SMBPASSWDFILEFORMAT"
223 >The smbpasswd file
</A
228 >The smbpasswd Command
</A
233 >Setting up Samba to support LanManager Encryption
</A
240 >Hosting a Microsoft Distributed File System tree on Samba
</A
263 >Printing Support in Samba
2.2.x
</A
282 >Creating [print$]
</A
287 >Setting Drivers for Existing Printers
</A
292 >Support a large number of printers
</A
297 >Adding New Printers via the Windows NT APW
</A
302 >Samba and Printer Ports
</A
309 >The Imprints Toolset
</A
316 >What is Imprints?
</A
321 >Creating Printer Driver Packages
</A
326 >The Imprints server
</A
331 >The Installation Client
</A
341 >Migration to from Samba
2.0.x to
2.2.x
</A
348 >security = domain in Samba
2.x
</A
355 >Joining an NT Domain with Samba
2.2</A
360 >Samba and Windows
2000 Domains
</A
365 >Why is this better than security = server?
</A
372 >How to Configure Samba
2.2 as a Primary Domain Controller
</A
384 >Configuring the Samba Domain Controller
</A
389 >Creating Machine Trust Accounts and Joining Clients
395 >Common Problems and Errors
</A
400 >System Policies and Profiles
</A
405 >What other help can I get ?
</A
424 >DOMAIN_CONTROL.txt : Windows NT Domain Control
& Samba
</A
431 >Unifed Logons between Windows NT and UNIX using Winbind
</A
448 >What Winbind Provides
</A
462 >How Winbind Works
</A
469 >Microsoft Remote Procedure Calls
</A
474 >Name Service Switch
</A
479 >Pluggable Authentication Modules
</A
484 >User and Group ID Allocation
</A
496 >Installation and Configuration
</A
513 >UNIX Permission Bits and WIndows NT Access Control Lists
</A
520 >Viewing and changing UNIX permissions using the NT
526 >How to view file security on a Samba share
</A
531 >Viewing file ownership
</A
536 >Viewing file or directory permissions
</A
548 >Directory Permissions
</A
555 >Modifying file or directory permissions
</A
560 >Interaction with the standard Samba create mask
566 >Interaction with the standard Samba file attribute
588 >How can I configure OS/
2 Warp Connect or
589 OS/
2 Warp
4 as a client for Samba?
</A
594 >How can I configure OS/
2 Warp
3 (not Connect),
595 OS/
2 1.2,
1.3 or
2.x for Samba?
</A
600 >Are there any other issues when OS/
2 (any version)
601 is used as a client?
</A
606 >How do I get printer driver download working
620 >Chapter
1. How to Install and Test SAMBA
</A
628 >1.1. Step
0: Read the man pages
</A
631 >The man pages distributed with SAMBA contain
632 lots of useful info that will help to get you started.
633 If you don't know how to read man pages then try
642 >nroff -man smbd
.8 | more
647 >Other sources of information are pointed to
648 by the Samba web site,
<A
649 HREF=
"http://www.samba.org/"
651 > http://www.samba.org
</A
660 >1.2. Step
1: Building the Binaries
</A
663 >To do this, first run the program
<B
667 > in the source directory. This should automatically
668 configure Samba for your operating system. If you have unusual
669 needs then you may wish to run
</P
682 >first to see what special options you can enable.
695 >will create the binaries. Once it's successfully
696 compiled you can use
</P
708 >to install the binaries and manual pages. You can
709 separately install the binaries and/or man pages using
</P
735 >Note that if you are upgrading for a previous version
736 of Samba you might like to know that the old versions of
737 the binaries will be renamed with a
".old" extension. You
738 can go back to the previous version with
</P
751 >if you find this version a disaster!
</P
759 >1.3. Step
2: The all important step
</A
762 >At this stage you must fetch yourself a
763 coffee or other drink you find stimulating. Getting the rest
764 of the install right can sometimes be tricky, so you will
767 >If you have installed samba before then you can skip
776 >1.4. Step
3: Create the smb configuration file.
</A
779 >There are sample configuration files in the examples
780 subdirectory in the distribution. I suggest you read them
781 carefully so you can see how the options go together in
782 practice. See the man page for all the options.
</P
784 >The simplest useful configuration file would be
785 something like this:
</P
794 CLASS=
"PROGRAMLISTING"
807 >which would allow connections by anyone with an
808 account on the server, using either their login name or
809 "homes" as the service name. (Note that I also set the
810 workgroup that Samba is part of. See BROWSING.txt for defails)
</P
819 > file. You need to create it
822 >Make sure you put the smb.conf file in the same place
823 you specified in the
<TT
829 >/usr/local/samba/lib/
</TT
832 >For more information about security settings for the
833 [homes] share please refer to the document UNIX_SECURITY.txt.
</P
841 >1.5. Step
4: Test your config file with
848 >It's important that you test the validity of your
852 > file using the testparm program.
853 If testparm runs OK then it will list the loaded services. If
854 not it will give an error message.
</P
856 >Make sure it runs OK and that the services look
857 resonable before proceeding.
</P
865 >1.6. Step
5: Starting the smbd and nmbd
</A
868 >You must choose to start smbd and nmbd either
869 as daemons or from
<B
873 to do both! Either you can put them in
<TT
876 > and have them started on demand
880 >, or you can start them as
881 daemons either from the command line or in
<TT
884 >. See the man pages for details
885 on the command line options. Take particular care to read
886 the bit about what user you need to be in order to start
887 Samba. In many cases you must be root.
</P
889 >The main advantage of starting
<B
896 > as a daemon is that they will
897 respond slightly more quickly to an initial connection
898 request. This is, however, unlikely to be a problem.
</P
905 >1.6.1. Step
5a: Starting from inetd.conf
</A
908 >NOTE; The following will be different if
909 you use NIS or NIS+ to distributed services maps.
</P
915 What is defined at port
139/tcp. If nothing is defined
916 then add a line like this:
</P
921 >netbios-ssn
139/tcp
</B
925 >similarly for
137/udp you should have an entry like:
</P
930 >netbios-ns
137/udp
</B
938 and add two lines something like this:
</P
947 CLASS=
"PROGRAMLISTING"
948 > netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
949 netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
956 >The exact syntax of
<TT
960 varies between unixes. Look at the other entries in inetd.conf
963 >NOTE: Some unixes already have entries like netbios_ns
964 (note the underscore) in
<TT
968 You must either edit
<TT
975 > to make them consistant.
</P
977 >NOTE: On many systems you may need to use the
978 "interfaces" option in smb.conf to specify the IP address
979 and netmask of your interfaces. Run
<B
983 as root if you don't know what the broadcast is for your
987 > tries to determine it at run
988 time, but fails on somunixes. See the section on
"testing nmbd"
989 for a method of finding if you need to do this.
</P
991 >!!!WARNING!!! Many unixes only accept around
5
992 parameters on the command line in
<TT
996 This means you shouldn't use spaces between the options and
997 arguments, or you should use a script, and start the script
1006 >, perhaps just send
1007 it a HUP. If you have installed an earlier version of
<B
1010 > then you may need to kill nmbd as well.
</P
1018 >1.6.2. Step
5b. Alternative: starting it as a daemon
</A
1021 >To start the server as a daemon you should create
1022 a script something like this one, perhaps calling
1035 CLASS=
"PROGRAMLISTING"
1037 /usr/local/samba/bin/smbd -D
1038 /usr/local/samba/bin/nmbd -D
1045 >then make it executable with
<B
1051 >You can then run
<B
1055 hand or execute it from
<TT
1061 >To kill it send a kill signal to the processes
1070 >NOTE: If you use the SVR4 style init system then
1071 you may like to look at the
<TT
1073 >examples/svr4-startup
</TT
1075 script to make Samba fit into that system.
</P
1084 >1.7. Step
6: Try listing the shares available on your
1104 >Your should get back a list of shares available on
1105 your server. If you don't then something is incorrectly setup.
1106 Note that this method can also be used to see what shares
1107 are available on other LanManager clients (such as WfWg).
</P
1109 >If you choose user level security then you may find
1110 that Samba requests a password before it will list the shares.
1114 > man page for details. (you
1115 can force it to list the shares without a password by
1116 adding the option -U% to the command line. This will not work
1117 with non-Samba servers)
</P
1125 >1.8. Step
7: Try connecting with the unix client
</A
1137 > //yourhostname/aservice
</I
1149 would be the name of the host where you installed
<B
1158 any service you have defined in the
<TT
1162 file. Try your user name if you just have a [homes] section
1168 >For example if your unix host is bambi and your login
1169 name is fred you would type:
</P
1177 >smbclient //bambi/fred
1188 >1.9. Step
8: Try connecting from a DOS, WfWg, Win9x, WinNT,
1189 Win2k, OS/
2, etc... client
</A
1192 >Try mounting disks. eg:
</P
1196 >C:\WINDOWS\
> </TT
1200 >net use d: \\servername\service
1205 >Try printing. eg:
</P
1209 >C:\WINDOWS\
> </TT
1214 \\servername\spoolservice
</B
1220 >C:\WINDOWS\
> </TT
1229 >Celebrate, or send me a bug report!
</P
1237 >1.10. What If Things Don't Work?
</A
1240 >If nothing works and you start to think
"who wrote
1241 this pile of trash" then I suggest you do step
2 again (and
1242 again) till you calm down.
</P
1244 >Then you might read the file DIAGNOSIS.txt and the
1245 FAQ. If you are still stuck then try the mailing list or
1246 newsgroup (look in the README for details). Samba has been
1247 successfully installed at thousands of sites worldwide, so maybe
1248 someone else has hit your problem and has overcome it. You could
1249 also use the WWW site to scan back issues of the samba-digest.
</P
1251 >When you fix the problem PLEASE send me some updates to the
1252 documentation (or source code) so that the next person will find it
1260 >1.10.1. Diagnosing Problems
</A
1263 >If you have instalation problems then go to
1267 > to try to find the
1276 >1.10.2. Scope IDs
</A
1279 >By default Samba uses a blank scope ID. This means
1280 all your windows boxes must also have a blank scope ID.
1281 If you really want to use a non-blank scope ID then you will
1282 need to use the -i
<scope
> option to nmbd, smbd, and
1283 smbclient. All your PCs will need to have the same setting for
1284 this to work. I do not recommend scope IDs.
</P
1292 >1.10.3. Choosing the Protocol Level
</A
1295 >The SMB protocol has many dialects. Currently
1296 Samba supports
5, called CORE, COREPLUS, LANMAN1,
1299 >You can choose what maximum protocol to support
1303 > file. The default is
1304 NT1 and that is the best for the vast majority of sites.
</P
1306 >In older versions of Samba you may have found it
1307 necessary to use COREPLUS. The limitations that led to
1308 this have mostly been fixed. It is now less likely that you
1309 will want to use less than LANMAN1. The only remaining advantage
1310 of COREPLUS is that for some obscure reason WfWg preserves
1311 the case of passwords in this protocol, whereas under LANMAN1,
1312 LANMAN2 or NT1 it uppercases all passwords before sending them,
1313 forcing you to use the
"password level=" option in some cases.
</P
1315 >The main advantage of LANMAN2 and NT1 is support for
1316 long filenames with some clients (eg: smbclient, Windows NT
1319 >See the smb.conf(
5) manual page for more details.
</P
1321 >Note: To support print queue reporting you may find
1322 that you have to use TCP/IP as the default protocol under
1323 WfWg. For some reason if you leave Netbeui as the default
1324 it may break the print queue reporting on some systems.
1325 It is presumably a WfWg bug.
</P
1333 >1.10.4. Printing from UNIX to a Client PC
</A
1336 >To use a printer that is available via a smb-based
1337 server from a unix host you will need to compile the
1338 smbclient program. You then need to install the script
1339 "smbprint". Read the instruction in smbprint for more details.
1342 >There is also a SYSV style script that does much
1343 the same thing called smbprint.sysv. It contains instructions.
</P
1354 >One area which sometimes causes trouble is locking.
</P
1356 >There are two types of locking which need to be
1357 performed by a SMB server. The first is
"record locking"
1358 which allows a client to lock a range of bytes in a open file.
1359 The second is the
"deny modes" that are specified when a file
1362 >Samba supports
"record locking" using the fcntl() unix system
1363 call. This is often implemented using rpc calls to a rpc.lockd process
1364 running on the system that owns the filesystem. Unfortunately many
1365 rpc.lockd implementations are very buggy, particularly when made to
1366 talk to versions from other vendors. It is not uncommon for the
1367 rpc.lockd to crash.
</P
1369 >There is also a problem translating the
32 bit lock
1370 requests generated by PC clients to
31 bit requests supported
1371 by most unixes. Unfortunately many PC applications (typically
1372 OLE2 applications) use byte ranges with the top bit set
1373 as semaphore sets. Samba attempts translation to support
1374 these types of applications, and the translation has proved
1375 to be quite successful.
</P
1377 >Strictly a SMB server should check for locks before
1378 every read and write call on a file. Unfortunately with the
1379 way fcntl() works this can be slow and may overstress the
1380 rpc.lockd. It is also almost always unnecessary as clients
1381 are supposed to independently make locking calls before reads
1382 and writes anyway if locking is important to them. By default
1383 Samba only makes locking calls when explicitly asked
1384 to by a client, but if you set
"strict locking = yes" then it will
1385 make lock checking calls on every read and write.
</P
1387 >You can also disable by range locking completely
1388 using
"locking = no". This is useful for those shares that
1389 don't support locking or don't need it (such as cdroms). In
1390 this case Samba fakes the return codes of locking calls to
1391 tell clients that everything is OK.
</P
1393 >The second class of locking is the
"deny modes". These
1394 are set by an application when it opens a file to determine
1395 what types of access should be allowed simultaneously with
1396 its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE
1397 or DENY_ALL. There are also special compatability modes called
1398 DENY_FCB and DENY_DOS.
</P
1400 >You can disable share modes using
"share modes = no".
1401 This may be useful on a heavily loaded server as the share
1402 modes code is very slow. See also the FAST_SHARE_MODES
1403 option in the Makefile for a way to do full share modes
1404 very fast using shared memory (if your OS supports it).
</P
1412 >1.10.6. Mapping Usernames
</A
1415 >If you have different usernames on the PCs and
1416 the unix server then take a look at the
"username map" option.
1417 See the smb.conf man page for details.
</P
1425 >1.10.7. Other Character Sets
</A
1428 >If you have problems using filenames with accented
1429 characters in them (like the German, French or Scandinavian
1430 character sets) then I recommmend you look at the
"valid chars"
1431 option in smb.conf and also take a look at the validchars
1432 package in the examples directory.
</P
1441 >Chapter
2. LanMan and NT Password Encryption in Samba
2.x
</A
1449 >2.1. Introduction
</A
1452 >With the development of LanManager and Windows NT
1453 compatible password encryption for Samba, it is now able
1454 to validate user connections in exactly the same way as
1455 a LanManager or Windows NT server.
</P
1457 >This document describes how the SMB password encryption
1458 algorithm works and what issues there are in choosing whether
1459 you want to use it. You should read it carefully, especially
1460 the part about security and the
"PROS and CONS" section.
</P
1468 >2.2. How does it work?
</A
1471 >LanManager encryption is somewhat similar to UNIX
1472 password encryption. The server uses a file containing a
1473 hashed value of a user's password. This is created by taking
1474 the user's plaintext password, capitalising it, and either
1475 truncating to
14 bytes or padding to
14 bytes with null bytes.
1476 This
14 byte value is used as two
56 bit DES keys to encrypt
1477 a 'magic' eight byte value, forming a
16 byte value which is
1478 stored by the server and client. Let this value be known as
1479 the
"hashed password".
</P
1481 >Windows NT encryption is a higher quality mechanism,
1482 consisting of doing an MD4 hash on a Unicode version of the user's
1483 password. This also produces a
16 byte hash value that is
1486 >When a client (LanManager, Windows for WorkGroups, Windows
1487 95 or Windows NT) wishes to mount a Samba drive (or use a Samba
1488 resource), it first requests a connection and negotiates the
1489 protocol that the client and server will use. In the reply to this
1490 request the Samba server generates and appends an
8 byte, random
1491 value - this is stored in the Samba server after the reply is sent
1492 and is known as the
"challenge". The challenge is different for
1493 every client connection.
</P
1495 >The client then uses the hashed password (
16 byte values
1496 described above), appended with
5 null bytes, as three
56 bit
1497 DES keys, each of which is used to encrypt the challenge
8 byte
1498 value, forming a
24 byte value known as the
"response".
</P
1500 >In the SMB call SMBsessionsetupX (when user level security
1501 is selected) or the call SMBtconX (when share level security is
1502 selected), the
24 byte response is returned by the client to the
1503 Samba server. For Windows NT protocol levels the above calculation
1504 is done on both hashes of the user's password and both responses are
1505 returned in the SMB call, giving two
24 byte values.
</P
1507 >The Samba server then reproduces the above calculation, using
1508 its own stored value of the
16 byte hashed password (read from the
1512 > file - described later) and the challenge
1513 value that it kept from the negotiate protocol reply. It then checks
1514 to see if the
24 byte value it calculates matches the
24 byte value
1515 returned to it from the client.
</P
1517 >If these values match exactly, then the client knew the
1518 correct password (or the
16 byte hashed value - see security note
1519 below) and is thus allowed access. If not, then the client did not
1520 know the correct password and is denied access.
</P
1522 >Note that the Samba server never knows or stores the cleartext
1523 of the user's password - just the
16 byte hashed values derived from
1524 it. Also note that the cleartext password or
16 byte hashed values
1525 are never transmitted over the network - thus increasing security.
</P
1533 >2.3. Important Notes About Security
</A
1536 >The unix and SMB password encryption techniques seem similar
1537 on the surface. This similarity is, however, only skin deep. The unix
1538 scheme typically sends clear text passwords over the nextwork when
1539 logging in. This is bad. The SMB encryption scheme never sends the
1540 cleartext password over the network but it does store the
16 byte
1541 hashed values on disk. This is also bad. Why? Because the
16 byte hashed
1542 values are a
"password equivalent". You cannot derive the user's
1543 password from them, but they could potentially be used in a modified
1544 client to gain access to a server. This would require considerable
1545 technical knowledge on behalf of the attacker but is perfectly possible.
1546 You should thus treat the smbpasswd file as though it contained the
1547 cleartext passwords of all your users. Its contents must be kept
1548 secret, and the file should be protected accordingly.
</P
1550 >Ideally we would like a password scheme which neither requires
1551 plain text passwords on the net or on disk. Unfortunately this
1552 is not available as Samba is stuck with being compatible with
1553 other SMB systems (WinNT, WfWg, Win95 etc).
</P
1573 >Note that Windows NT
4.0 Service pack
3 changed the
1574 default for permissible authentication so that plaintext
1577 > sent over the wire.
1578 The solution to this is either to switch to encrypted passwords
1579 with Samba or edit the Windows NT registry to re-enable plaintext
1580 passwords. See the document WinNT.txt for details on how to do
1583 >Other Microsoft operating systems which also exhibit
1584 this behavior includes
</P
1590 >MS DOS Network client
3.0 with
1591 the basic network redirector installed
</P
1595 >Windows
95 with the network redirector
1610 >All current release of
1611 Microsoft SMB/CIFS clients support authentication via the
1612 SMB Challenge/Response mechanism described here. Enabling
1613 clear text authentication does not disable the ability
1614 of the client to particpate in encrypted authentication.
</P
1625 >2.3.1. Advantages of SMB Encryption
</A
1632 >plain text passwords are not passed across
1633 the network. Someone using a network sniffer cannot just
1634 record passwords going to the SMB server.
</P
1638 >WinNT doesn't like talking to a server
1639 that isn't using SMB encrypted passwords. It will refuse
1640 to browse the server if the server is also in user level
1641 security mode. It will insist on prompting the user for the
1642 password on each connection, which is very annoying. The
1643 only things you can do to stop this is to use SMB encryption.
1654 >2.3.2. Advantages of non-encrypted passwords
</A
1661 >plain text passwords are not kept
1666 >uses same password file as other unix
1667 services such as login and ftp
</P
1671 >you are probably already using other
1672 services (such as telnet and ftp) which send plain text
1673 passwords over the net, so sending them for SMB isn't
1686 NAME=
"SMBPASSWDFILEFORMAT"
1688 >The smbpasswd file
</A
1691 >In order for Samba to participate in the above protocol
1692 it must be able to look up the
16 byte hashed values given a user name.
1693 Unfortunately, as the UNIX password value is also a one way hash
1694 function (ie. it is impossible to retrieve the cleartext of the user's
1695 password given the UNIX hash of it), a separate password file
1696 containing this
16 byte value must be kept. To minimise problems with
1697 these two password files, getting out of sync, the UNIX
<TT
1707 >, is provided to generate
1708 a smbpasswd file from a UNIX
<TT
1714 >To generate the smbpasswd file from your
<TT
1718 > file use the following command :
</P
1726 >cat /etc/passwd | mksmbpasswd.sh
1727 > /usr/local/samba/private/smbpasswd
</B
1731 >If you are running on a system that uses NIS, use
</P
1739 >ypcat passwd | mksmbpasswd.sh
1740 > /usr/local/samba/private/smbpasswd
</B
1747 > program is found in
1748 the Samba source directory. By default, the smbpasswd file is
1753 >/usr/local/samba/private/smbpasswd
</TT
1756 >The owner of the
<TT
1758 >/usr/local/samba/private/
</TT
1760 directory should be set to root, and the permissions on it should
1763 >chmod
500 /usr/local/samba/private
</B
1767 >Likewise, the smbpasswd file inside the private directory should
1768 be owned by root and the permissions on is should be set to
0600
1771 >chmod
600 smbpasswd
</B
1774 >The format of the smbpasswd file is (The line has been
1775 wrapped here. It should appear as one entry per line in
1776 your smbpasswd file.)
</P
1785 CLASS=
"PROGRAMLISTING"
1786 >username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
1787 [Account type]:LCT-
<last-change-time
>:Long name
1794 >Although only the
<TT
1808 > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
</I
1819 > last-change-time
</I
1821 > sections are significant
1822 and are looked at in the Samba code.
</P
1826 > important that there by
32
1827 'X' characters between the two ':' characters in the XXX sections -
1828 the smbpasswd and Samba code will fail to validate any entries that
1829 do not have
32 characters between ':' characters. The first XXX
1830 section is for the Lanman password hash, the second is for the
1831 Windows NT version.
</P
1833 >When the password file is created all users have password entries
1834 consisting of
32 'X' characters. By default this disallows any access
1835 as this user. When a user has a password set, the 'X' characters change
1836 to
32 ascii hexadecimal digits (
0-
9, A-F). These are an ascii
1837 representation of the
16 byte hashed value of a user's password.
</P
1839 >To set a user to have no password (not recommended), edit the file
1840 using vi, and replace the first
11 characters with the ascii text
1844 > (minus the quotes).
</P
1846 >For example, to clear the password for user bob, his smbpasswd file
1847 entry would look like :
</P
1856 CLASS=
"PROGRAMLISTING"
1857 > bob:
100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-
00000000:Bob's full name:/bobhome:/bobshell
1864 >If you are allowing users to use the smbpasswd command to set
1865 their own passwords, you may want to give users NO PASSWORD initially
1866 so they do not have to enter a previous password when changing to their
1867 new password (not recommended). In order for you to allow this the
1871 > program must be able to connect to the
1875 > daemon as that user with no password. Enable this
1876 by adding the line :
</P
1880 >null passwords = yes
</B
1883 >to the [global] section of the smb.conf file (this is why
1884 the above scenario is not recommended). Preferably, allocate your
1885 users a default password to begin with, so you do not have
1886 to enable this on your server.
</P
1890 >This file should be protected very
1891 carefully. Anyone with access to this file can (with enough knowledge of
1892 the protocols) gain access to your SMB server. The file is thus more
1893 sensitive than a normal unix
<TT
1904 >2.5. The smbpasswd Command
</A
1907 >The smbpasswd command maintains the two
32 byte password fields
1908 in the smbpasswd file. If you wish to make it similar to the unix
1918 >/usr/local/samba/bin/
</TT
1920 main Samba binary directory).
</P
1922 >Note that as of Samba
1.9.18p4 this program
<EM
1925 > setuid root (the new
<B
1929 code enforces this restriction so it cannot be run this way by
1935 > now works in a client-server mode
1936 where it contacts the local smbd to change the user's password on its
1937 behalf. This has enormous benefits - as follows.
</P
1943 >smbpasswd no longer has to be setuid root -
1944 an enormous range of potential security problems is
1952 > now has the capability
1953 to change passwords on Windows NT servers (this only works when
1954 the request is sent to the NT Primary Domain Controller if you
1955 are changing an NT Domain user's password).
</P
1959 >To run smbpasswd as a normal user just type :
</P
1973 >Old SMB password:
</TT
1977 ><type old value here -
1978 or hit return if there was no old password
></B
1984 >New SMB Password:
</TT
1988 ><type new value
>
1995 >Repeat New SMB Password:
</TT
1999 ><re-type new value
2004 >If the old value does not match the current value stored for
2005 that user, or the two new values do not match each other, then the
2006 password will not be changed.
</P
2008 >If invoked by an ordinary user it will only allow the user
2009 to change his or her own Samba password.
</P
2011 >If run by the root user smbpasswd may take an optional
2012 argument, specifying the user name whose SMB password you wish to
2013 change. Note that when run as root smbpasswd does not prompt for
2014 or check the old password value, thus allowing root to set passwords
2015 for users who have forgotten their passwords.
</P
2020 > is designed to work in the same way
2021 and be familiar to UNIX users who use the
<B
2030 >For more details on using
<B
2034 to the man page which will always be the definitive reference.
</P
2042 >2.6. Setting up Samba to support LanManager Encryption
</A
2045 >This is a very brief description on how to setup samba to
2046 support password encryption.
</P
2053 >compile and install samba as usual
</P
2057 >enable encrypted passwords in
<TT
2060 > by adding the line
<B
2064 > in the [global] section
</P
2068 >create the initial
<TT
2072 password file in the place you specified in the Makefile
2073 (--prefix=
<dir
>). See the notes under the
<A
2074 HREF=
"#SMBPASSWDFILEFORMAT"
2075 >The smbpasswd File
</A
2077 section earlier in the document for details.
</P
2081 >Note that you can test things using smbclient.
</P
2089 >Chapter
3. Hosting a Microsoft Distributed File System tree on Samba
</A
2097 >3.1. Instructions
</A
2100 >The Distributed File System (or Dfs) provides a means of
2101 separating the logical view of files and directories that users
2102 see from the actual physical locations of these resources on the
2103 network. It allows for higher availability, smoother storage expansion,
2104 load balancing etc. For more information about Dfs, refer to
<A
2105 HREF=
"http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp"
2107 > Microsoft documentation
</A
2110 >This document explains how to host a Dfs tree on a Unix
2111 machine (for Dfs-aware clients to browse) using Samba.
</P
2113 >To enable SMB-based DFS for Samba, configure it with the
2119 > option. Once built, a
2120 Samba server can be made a Dfs server by setting the global
2122 HREF=
"smb.conf.5.html#HOSTMSDFS"
2130 > parameter in the
<TT
2134 > file. You designate a share as a Dfs root using the share
2136 HREF=
"smb.conf.5.html#MSDFSROOT"
2144 > parameter. A Dfs root directory on
2145 Samba hosts Dfs links in the form of symbolic links that point
2146 to other servers. For example, a symbolic link
2149 >junction-
>msdfs:storage1\share1
</TT
2151 the share directory acts as the Dfs junction. When Dfs-aware
2152 clients attempt to access the junction link, they are redirected
2153 to the storage location (in this case, \\storage1\share1).
</P
2155 >Dfs trees on Samba work with all Dfs-aware clients ranging
2156 from Windows
95 to
2000.
</P
2158 >Here's an example of setting up a Dfs tree on a Samba
2168 CLASS=
"PROGRAMLISTING"
2169 ># The smb.conf file:
2171 netbios name = SAMBA
2175 path = /export/dfsroot
2183 >In the /export/dfsroot directory we set up our dfs links to
2184 other servers on the network.
</P
2192 >cd /export/dfsroot
</B
2202 >chown root /export/dfsroot
</B
2212 >chmod
755 /export/dfsroot
</B
2222 >ln -s msdfs:storageA\\shareA linka
</B
2232 >ln -s msdfs:serverB\\share,serverC\\share linkb
</B
2236 >You should set up the permissions and ownership of
2237 the directory acting as the Dfs root such that only designated
2238 users can create, delete or modify the msdfs links. Also note
2239 that symlink names should be all lowercase. This limitation exists
2240 to have Samba avoid trying all the case combinations to get at
2241 the link name. Finally set up the symbolic links to point to the
2242 network shares you want, and start Samba.
</P
2244 >Users on Dfs-aware clients can now browse the Dfs tree
2245 on the Samba server at \\samba\dfs. Accessing
2246 links linka or linkb (which appear as directories to the client)
2247 takes users directly to the appropriate shares on the network.
</P
2261 >Windows clients need to be rebooted
2262 if a previously mounted non-dfs share is made a dfs
2263 root or vice versa. A better way is to introduce a
2264 new share and make it the dfs root.
</P
2268 >Currently there's a restriction that msdfs
2269 symlink names should all be lowercase.
</P
2273 >For security purposes, the directory
2274 acting as the root of the Dfs tree should have ownership
2275 and permissions set so that only designated users can
2276 modify the symbolic links in the directory.
</P
2287 >Chapter
4. Printing Support in Samba
2.2.x
</A
2295 >4.1. Introduction
</A
2298 >Beginning with the
2.2.0 release, Samba supports
2299 the native Windows NT printing mechanisms implemented via
2300 MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of
2301 Samba only supported LanMan printing calls.
</P
2303 >The additional functionality provided by the new
2304 SPOOLSS support includes:
</P
2310 >Support for downloading printer driver
2311 files to Windows
95/
98/NT/
2000 clients upon demand.
2316 >Uploading of printer drivers via the
2317 Windows NT Add Printer Wizard (APW) or the
2318 Imprints tool set (refer to
<A
2319 HREF=
"http://imprints.sourceforge.net"
2321 >http://imprints.sourceforge.net
</A
2327 >Support for the native MS-RPC printing
2328 calls such as StartDocPrinter, EnumJobs(), etc... (See
2329 the MSDN documentation at
<A
2330 HREF=
"http://msdn.microsoft.com/"
2332 >http://msdn.microsoft.com/
</A
2334 for more information on the Win32 printing API)
2339 >Support for NT Access Control Lists (ACL)
2340 on printer objects
</P
2344 >Improved support for printer queue manipulation
2345 through the use of an internal databases for spooled job
2350 >There has been some initial confusion about what all this means
2351 and whether or not it is a requirement for printer drivers to be
2352 installed on a Samba host in order to support printing from Windows
2353 clients. A bug existed in Samba
2.2.0 which made Windows NT/
2000 clients
2354 require that the Samba server possess a valid driver for the printer.
2355 This is fixed in Samba
2.2.1 and once again, Windows NT/
2000 clients
2356 can use the local APW for installing drivers to be used with a Samba
2357 served printer. This is the same behavior exhibited by Windows
9x clients.
2358 As a side note, Samba does not use these drivers in any way to process
2359 spooled files. They are utilized entirely by the clients.
</P
2361 >The following MS KB article, may be of some help if you are dealing with
2362 Windows
2000 clients:
<EM
2363 >How to Add Printers with No User
2364 Interaction in Windows
2000</EM
2368 HREF=
"http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP"
2370 >http://support.microsoft.com/support/kb/articles/Q189/
1/
05.ASP
</A
2379 >4.2. Configuration
</A
2393 >[print$] vs. [printer$]
</B
2400 >Previous versions of Samba recommended using a share named [printer$].
2401 This name was taken from the printer$ service created by Windows
9x
2402 clients when a printer was shared. Windows
9x printer servers always have
2403 a printer$ service which provides read-only access via no
2404 password in order to support printer driver downloads.
</P
2406 >However, the initial implementation allowed for a
2410 >printer driver location
</I
2413 to be used on a per share basis to specify the location of
2414 the driver files associated with that printer. Another
2421 a means of defining the printer driver name to be sent to
2424 >These parameters, including
<TT
2430 > parameter, are being depreciated and should not
2431 be used in new installations. For more information on this change,
2432 you should refer to the
<A
2434 >Migration section
</A
2436 of this document.
</P
2447 >4.2.1. Creating [print$]
</A
2450 >In order to support the uploading of printer driver
2451 files, you must first configure a file share named [print$].
2452 The name of this share is hard coded in Samba's internals so
2453 the name is very important (print$ is the service used by
2454 Windows NT print servers to provide support for printer driver
2457 >You should modify the server's smb.conf file to create the
2458 following file share (of course, some of the parameter values,
2459 such as 'path' are arbitrary and should be replaced with
2460 appropriate values for your site):
</P
2469 CLASS=
"PROGRAMLISTING"
2471 path = /usr/local/samba/printers
2475 ; since this share is configured as read only, then we need
2476 ; a 'write list'. Check the file system permissions to make
2477 ; sure this account can copy files to the share. If this
2478 ; is setup to a non-root account, then it should also exist
2479 ; as a 'printer admin'
2480 write list = ntadmin
</PRE
2487 HREF=
"smb.conf.5.html#WRITELIST"
2495 > is used to allow administrative
2496 level user accounts to have write access in order to update files
2497 on the share. See the
<A
2498 HREF=
"smb./conf.5.html"
2502 > for more information on configuring file shares.
</P
2504 >The requirement for
<A
2505 HREF=
"smb.conf.5.html#GUESTOK"
2512 > depends upon how your
2513 site is configured. If users will be guaranteed to have
2514 an account on the Samba host, then this is a non-issue.
</P
2522 >The non-issue is that if all your Windows NT users are guaranteed to be
2523 authenticated by the Samba server (such as a domain member server and the NT
2524 user has already been validated by the Domain Controller in
2525 order to logon to the Windows NT console), then guest access
2526 is not necessary. Of course, in a workgroup environment where
2527 you just want to be able to print without worrying about
2528 silly accounts and security, then configure the share for
2529 guest access. You'll probably want to add
<A
2530 HREF=
"smb.conf.5.html#MAPTOGUEST"
2534 >map to guest = Bad User
</B
2536 > in the [global] section as well. Make sure
2537 you understand what this parameter does before using it
2542 >In order for a Windows NT print server to support
2543 the downloading of driver files by multiple client architectures,
2544 it must create subdirectories within the [print$] service
2545 which correspond to each of the supported client architectures.
2546 Samba follows this model as well.
</P
2548 >Next create the directory tree below the [print$] share
2549 for each architecture you wish to support.
</P
2558 CLASS=
"PROGRAMLISTING"
2560 |-W32X86 ;
"Windows NT x86"
2561 |-WIN40 ;
"Windows 95/98"
2562 |-W32ALPHA ;
"Windows NT Alpha_AXP"
2563 |-W32MIPS ;
"Windows NT R4000"
2564 |-W32PPC ;
"Windows NT PowerPC"</PRE
2581 >ATTENTION! REQUIRED PERMISSIONS
</B
2588 >In order to currently add a new driver to you Samba host,
2589 one of two conditions must hold true:
</P
2595 >The account used to connect to the Samba host
2596 must have a uid of
0 (i.e. a root account)
</P
2600 >The account used to connect to the Samba host
2601 must be a member of the
<A
2602 HREF=
"smb.conf.5.html#PRINTERADMIN"
2615 >Of course, the connected account must still possess access
2616 to add files to the subdirectories beneath [print$]. Remember
2617 that all file shares are set to 'read only' by default.
</P
2623 >Once you have created the required [print$] service and
2624 associated subdirectories, simply log onto the Samba server using
2631 from a Windows NT
4.0 client. Navigate to the
"Printers" folder
2632 on the Samba server. You should see an initial listing of printers
2633 that matches the printer shares defined on your Samba host.
</P
2641 >4.2.2. Setting Drivers for Existing Printers
</A
2644 >The initial listing of printers in the Samba host's
2645 Printers folder will have no real printer driver assigned
2646 to them. By default, in Samba
2.2.0 this driver name was set to
2648 >NO PRINTER DRIVER AVAILABLE FOR THIS PRINTER
</EM
2650 Later versions changed this to a NULL string to allow the use
2651 tof the local Add Printer Wizard on NT/
2000 clients.
2652 Attempting to view the printer properties for a printer
2653 which has this default driver assigned will result in
2654 the error message:
</P
2657 >Device settings cannot be displayed. The driver
2658 for the specified printer is not installed, only spooler
2659 properties will be displayed. Do you want to install the
2663 >Click
"No" in the error dialog and you will be presented with
2664 the printer properties window. The way assign a driver to a
2665 printer is to either
</P
2671 >Use the
"New Driver..." button to install
2672 a new printer driver, or
</P
2676 >Select a driver from the popup list of
2677 installed drivers. Initially this list will be empty.
</P
2681 >If you wish to install printer drivers for client
2682 operating systems other than
"Windows NT x86", you will need
2683 to use the
"Sharing" tab of the printer properties dialog.
</P
2685 >Assuming you have connected with a root account, you
2686 will also be able modify other printer properties such as
2687 ACLs and device settings using this dialog box.
</P
2689 >A few closing comments for this section, it is possible
2690 on a Windows NT print server to have printers
2691 listed in the Printers folder which are not shared. Samba does
2692 not make this distinction. By definition, the only printers of
2693 which Samba is aware are those which are specified as shares in
2699 >Another interesting side note is that Windows NT clients do
2700 not use the SMB printer share, but rather can print directly
2701 to any printer on another Windows NT host using MS-RPC. This
2702 of course assumes that the printing client has the necessary
2703 privileges on the remote host serving the printer. The default
2704 permissions assigned by Windows NT to a printer gives the
"Print"
2705 permissions to the
"Everyone" well-known group.
</P
2713 >4.2.3. Support a large number of printers
</A
2716 >One issue that has arisen during the development
2717 phase of Samba
2.2 is the need to support driver downloads for
2718 100's of printers. Using the Windows NT APW is somewhat
2719 awkward to say the list. If more than one printer are using the
2721 HREF=
"rpcclient.1.html"
2726 setdriver command
</B
2728 > can be used to set the driver
2729 associated with an installed driver. The following is example
2730 of how this could be accomplished:
</P
2739 CLASS=
"PROGRAMLISTING"
2744 >rpcclient pogo -U root%secret -c
"enumdrivers"
2745 Domain=[NARNIA] OS=[Unix] Server=[Samba
2.2.0-alpha3]
2748 Printer Driver Info
1:
2749 Driver Name: [HP LaserJet
4000 Series PS]
2751 Printer Driver Info
1:
2752 Driver Name: [HP LaserJet
2100 Series PS]
2754 Printer Driver Info
1:
2755 Driver Name: [HP LaserJet
4Si/
4SiMX PS]
2760 >rpcclient pogo -U root%secret -c
"enumprinters"
2761 Domain=[NARNIA] OS=[Unix] Server=[Samba
2.2.0-alpha3]
2763 name:[\\POGO\hp-print]
2764 description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
2770 >rpcclient pogo -U root%secret \
2774 > -c
"setdriver hp-print \"HP LaserJet
4000 Series PS\
""
2775 Domain=[NARNIA] OS=[Unix] Server=[Samba
2.2.0-alpha3]
2776 Successfully set hp-print to driver HP LaserJet
4000 Series PS.
</PRE
2788 >4.2.4. Adding New Printers via the Windows NT APW
</A
2791 >By default, Samba offers all printer shares defined in
<TT
2795 in the
"Printers..." folder. Also existing in this folder is the Windows NT
2796 Add Printer Wizard icon. The APW will be show only if
</P
2802 >The connected user is able to successfully
2803 execute an OpenPrinterEx(\\server) with administrative
2804 priviledges (i.e. root or
<TT
2815 HREF=
"smb.conf.5.html#SHOWADDPRINTERWIZARD"
2821 add printer wizard = yes
</I
2829 >In order to be able to use the APW to successfully add a printer to a Samba
2831 HREF=
"smb.conf.5.html#ADDPRINTERCOMMAND"
2840 > must have a defined value. The program
2841 hook must successfully add the printer to the system (i.e.
2845 > or appropriate files) and
2851 >When using the APW from a client, if the named printer share does
2855 > will execute the
<TT
2861 > and reparse to the
<TT
2865 to attempt to locate the new printer share. If the share is still not defined,
2866 an error of
"Access Denied" is returned to the client. Note that the
2870 >add printer program
</I
2872 > is executed under the context
2873 of the connected user, not necessarily a root account.
</P
2875 >There is a complementing
<A
2876 HREF=
"smb.conf.5.html#DELETEPRINTERCOMMAND"
2885 > for removing entries from the
"Printers..."
2894 >4.2.5. Samba and Printer Ports
</A
2897 >Windows NT/
2000 print servers associate a port with each printer. These normally
2898 take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the
2899 concept of ports associated with a printer. By default, only one printer port,
2900 named
"Samba Printer Port", exists on a system. Samba does not really a port in
2901 order to print, rather it is a requirement of Windows clients.
</P
2903 >Note that Samba does not support the concept of
"Printer Pooling" internally
2904 either. This is when a logical printer is assigned to multiple ports as
2905 a form of load balancing or fail over.
</P
2907 >If you require that multiple ports be defined for some reason,
2912 HREF=
"smb.conf.5.html#ENUMPORTSCOMMAND"
2921 > which can be used to define an external program
2922 that generates a listing of ports on a system.
</P
2931 >4.3. The Imprints Toolset
</A
2934 >The Imprints tool set provides a UNIX equivalent of the
2935 Windows NT Add Printer Wizard. For complete information, please
2936 refer to the Imprints web site at
<A
2937 HREF=
"http://imprints.sourceforge.net/"
2939 > http://imprints.sourceforge.net/
</A
2940 > as well as the documentation
2941 included with the imprints source distribution. This section will
2942 only provide a brief introduction to the features of Imprints.
</P
2949 >4.3.1. What is Imprints?
</A
2952 >Imprints is a collection of tools for supporting the goals
2959 >Providing a central repository information
2960 regarding Windows NT and
95/
98 printer driver packages
</P
2964 >Providing the tools necessary for creating
2965 the Imprints printer driver packages.
</P
2969 >Providing an installation client which
2970 will obtain and install printer drivers on remote Samba
2971 and Windows NT
4 print servers.
</P
2981 >4.3.2. Creating Printer Driver Packages
</A
2984 >The process of creating printer driver packages is beyond
2985 the scope of this document (refer to Imprints.txt also included
2986 with the Samba distribution for more information). In short,
2987 an Imprints driver package is a gzipped tarball containing the
2988 driver files, related INF files, and a control file needed by the
2989 installation client.
</P
2997 >4.3.3. The Imprints server
</A
3000 >The Imprints server is really a database server that
3001 may be queried via standard HTTP mechanisms. Each printer
3002 entry in the database has an associated URL for the actual
3003 downloading of the package. Each package is digitally signed
3004 via GnuPG which can be used to verify that package downloaded
3005 is actually the one referred in the Imprints database. It is
3008 > recommended that this security check
3017 >4.3.4. The Installation Client
</A
3020 >More information regarding the Imprints installation client
3021 is available in the
<TT
3023 >Imprints-Client-HOWTO.ps
</TT
3025 file included with the imprints source package.
</P
3027 >The Imprints installation client comes in two forms.
</P
3033 >a set of command line Perl scripts
</P
3037 >a GTK+ based graphical interface to
3038 the command line perl scripts
</P
3042 >The installation client (in both forms) provides a means
3043 of querying the Imprints database server for a matching
3044 list of known printer model names as well as a means to
3045 download and install the drivers on remote Samba and Windows
3046 NT print servers.
</P
3048 >The basic installation process is in four steps and
3049 perl code is wrapped around
<B
3065 CLASS=
"PROGRAMLISTING"
3067 foreach (supported architecture for a given driver)
3069 1. rpcclient: Get the appropriate upload directory
3070 on the remote server
3071 2. smbclient: Upload the driver files
3072 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
3075 4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually
3076 create the printer
</PRE
3082 >One of the problems encountered when implementing
3083 the Imprints tool set was the name space issues between
3084 various supported client architectures. For example, Windows
3085 NT includes a driver named
"Apple LaserWriter II NTX v51.8"
3086 and Windows
95 callsits version of this driver
"Apple
3087 LaserWriter II NTX"</P
3089 >The problem is how to know what client drivers have
3090 been uploaded for a printer. As astute reader will remember
3091 that the Windows NT Printer Properties dialog only includes
3092 space for one printer driver name. A quick look in the
3093 Windows NT
4.0 system registry at
</P
3097 >HKLM\System\CurrentControlSet\Control\Print\Environment
3101 >will reveal that Windows NT always uses the NT driver
3102 name. The is ok as Windows NT always requires that at least
3103 the Windows NT version of the printer driver is present.
3104 However, Samba does not have the requirement internally.
3105 Therefore, how can you use the NT driver name if is has not
3106 already been installed?
</P
3108 >The way of sidestepping this limitation is to require
3109 that all Imprints printer driver packages include both the Intel
3110 Windows NT and
95/
98 printer drivers and that NT driver is
3123 >Migration to from Samba
2.0.x to
2.2.x
</A
3126 >Given that printer driver management has changed (we hope improved) in
3127 2.2 over prior releases, migration from an existing setup to
2.2 can
3128 follow several paths.
</P
3130 >Windows clients have a tendency to remember things for quite a while.
3131 For example, if a Windows NT client has attached to a Samba
2.0 server,
3132 it will remember the server as a LanMan printer server. Upgrading
3133 the Samba host to
2.2 makes support for MSRPC printing possible, but
3134 the NT client will still remember the previous setting.
</P
3136 >In order to give an NT client printing
"amesia" (only necessary if you
3137 want to use the newer MSRPC printing functionality in Samba), delete
3138 the registry keys associated with the print server contained in
3141 >[HKLM\SYSTEM\CurrentControlSet\Control\Print]
</TT
3143 spooler service on the client should be stopped prior to doing this:
</P
3147 >C:\WINNT\
></TT
3151 >net stop spooler
</B
3156 >All the normal disclaimers about editing the registry go
3158 > Be careful, and know what you are doing.
</P
3160 >The spooler service should be restarted after you have finished
3161 removing the appropriate registry entries by replacing the
3165 > command above with
<B
3170 >Windows
9x clients will continue to use LanMan printing calls
3171 with a
2.2 Samba server so there is no need to perform any of these
3172 modifications on non-NT clients.
</P
3192 >The following smb.conf parameters are considered to be depreciated and will
3193 be removed soon. Do not use them in new installations
</P
3202 >printer driver file (G)
</I
3212 >printer driver (S)
</I
3222 >printer driver location (S)
</I
3233 >Here are the possible scenarios for supporting migration:
</P
3239 >If you do not desire the new Windows NT
3240 print driver support, nothing needs to be done.
3241 All existing parameters work the same.
</P
3245 >If you want to take advantage of NT printer
3246 driver support but do not want to migrate the
3247 9x drivers to the new setup, the leave the existing
3248 printers.def file. When smbd attempts to locate a
3249 9x driver for the printer in the TDB and fails it
3250 will drop down to using the printers.def (and all
3251 associated parameters). The
<B
3255 tool will also remain for backwards compatibility but will
3256 be moved to the
"this tool is the old way of doing it"
3261 >If you install a Windows
9x driver for a printer
3262 on your Samba host (in the printing TDB), this information will
3263 take precedence and the three old printing parameters
3264 will be ignored (including print driver location).
</P
3268 >If you want to migrate an existing
<TT
3272 file into the new setup, the current only solution is to use the Windows
3273 NT APW to install the NT drivers and the
9x drivers. This can be scripted
3281 Imprints installation client at
<A
3282 HREF=
"http://imprints.sourceforge.net/"
3284 >http://imprints.sourceforge.net/
</A
3297 >Chapter
5. security = domain in Samba
2.x
</A
3305 >5.1. Joining an NT Domain with Samba
2.2</A
3308 >In order for a Samba-
2 server to join an NT domain,
3309 you must first add the NetBIOS name of the Samba server to the
3310 NT domain on the PDC using Server Manager for Domains. This creates
3311 the machine account in the domain (PDC) SAM. Note that you should
3312 add the Samba server as a
"Windows NT Workstation or Server",
3315 > as a Primary or backup domain controller.
</P
3317 >Assume you have a Samba-
2 server with a NetBIOS name of
3321 > and are joining an NT domain called
3325 >, which has a PDC with a NetBIOS name
3329 > and two backup domain controllers
3330 with NetBIOS names
<TT
3339 >In order to join the domain, first stop all Samba daemons
3340 and run the command:
</P
3348 >smbpasswd -j DOM -r DOMPDC
3353 >as we are joining the domain DOM and the PDC for that domain
3354 (the only machine that has write access to the domain SAM database)
3355 is DOMPDC. If this is successful you will see the message:
</P
3358 CLASS=
"COMPUTEROUTPUT"
3359 >smbpasswd: Joined domain DOM.
</TT
3363 >in your terminal window. See the
<A
3364 HREF=
"smbpasswd.8.html"
3367 > man page for more details.
</P
3369 >There is existing development code to join a domain
3370 without having to create the machine trust account on the PDC
3371 beforehand. This code will hopefully be available soon
3372 in release branches as well.
</P
3374 >This command goes through the machine account password
3375 change protocol, then writes the new (random) machine account
3376 password for this Samba server into a file in the same directory
3377 in which an smbpasswd file would be stored - normally :
</P
3381 >/usr/local/samba/private
</TT
3384 >In Samba
2.0.x, the filename looks like this:
</P
3391 ><NT DOMAIN NAME
></I
3405 > suffix stands for machine account
3406 password file. So in our example above, the file would be called:
</P
3413 >In Samba
2.2, this file has been replaced with a TDB
3414 (Trivial Database) file named
<TT
3420 >This file is created and owned by root and is not
3421 readable by any other user. It is the key to the domain-level
3422 security for your system, and should be treated as carefully
3423 as a shadow password file.
</P
3425 >Now, before restarting the Samba daemons you must
3427 HREF=
"smb.conf.5.html"
3434 > file to tell Samba it should now use domain security.
</P
3436 >Change (or add) your
<A
3437 HREF=
"smb.conf.5.html#SECURITY"
3445 > line in the [global] section
3446 of your smb.conf to read:
</P
3450 >security = domain
</B
3454 HREF=
"smb.conf.5.html#WORKGROUP"
3462 > line in the [global] section to read:
</P
3469 >as this is the name of the domain we are joining.
</P
3471 >You must also have the parameter
<A
3472 HREF=
"smb.conf.5.html#ENCRYPTPASSWORDS"
3477 >encrypt passwords
</I
3484 > in order for your users to authenticate to the NT PDC.
</P
3486 >Finally, add (or modify) a
<A
3487 HREF=
"smb.conf.5.html#PASSWORDSERVER"
3492 >password server =
</I
3495 > line in the [global]
3496 section to read:
</P
3500 >password server = DOMPDC DOMBDC1 DOMBDC2
</B
3503 >These are the primary and backup domain controllers Samba
3504 will attempt to contact in order to authenticate users. Samba will
3505 try to contact each of these servers in order, so you may want to
3506 rearrange this list in order to spread out the authentication load
3507 among domain controllers.
</P
3509 >Alternatively, if you want smbd to automatically determine
3510 the list of Domain controllers to use for authentication, you may
3511 set this line to be :
</P
3515 >password server = *
</B
3518 >This method, which was introduced in Samba
2.0.6,
3519 allows Samba to use exactly the same mechanism that NT does. This
3520 method either broadcasts or uses a WINS database in order to
3521 find domain controllers to authenticate against.
</P
3523 >Finally, restart your Samba daemons and get ready for
3524 clients to begin using domain security!
</P
3532 >5.2. Samba and Windows
2000 Domains
</A
3535 >Many people have asked regarding the state of Samba's ability to participate in
3536 a Windows
2000 Domain. Samba
2.2 is able to act as a member server of a Windows
3537 2000 domain operating in mixed or native mode.
</P
3539 >There is much confusion between the circumstances that require a
"mixed" mode
3540 Win2k DC and a when this host can be switched to
"native" mode. A
"mixed" mode
3541 Win2k domain controller is only needed if Windows NT BDCs must exist in the same
3542 domain. By default, a Win2k DC in
"native" mode will still support
3543 NetBIOS and NTLMv1 for authentication of legacy clients such as Windows
9x and
3544 NT
4.0. Samba has the same requirements as a Windows NT
4.0 member server.
</P
3546 >The steps for adding a Samba
2.2 host to a Win2k domain are the same as those
3547 for adding a Samba server to a Windows NT
4.0 domain. The only exception is that
3548 the
"Server Manager" from NT
4 has been replaced by the
"Active Directory Users and
3549 Computers" MMC (Microsoft Management Console) plugin.
</P
3557 >5.3. Why is this better than security = server?
</A
3560 >Currently, domain security in Samba doesn't free you from
3561 having to create local Unix users to represent the users attaching
3562 to your server. This means that if domain user
<TT
3566 > attaches to your domain security Samba server, there needs
3567 to be a local Unix user fred to represent that user in the Unix
3568 filesystem. This is very similar to the older Samba security mode
3570 HREF=
"smb.conf.5.html#SECURITYEQUALSSERVER"
3572 >security = server
</A
3574 where Samba would pass through the authentication request to a Windows
3575 NT server in the same way as a Windows
95 or Windows
98 server would.
3578 >Please refer to the
<A
3583 > for information on a system to automatically
3584 assign UNIX uids and gids to Windows NT Domain users and groups.
3585 This code is available in development branches only at the moment,
3586 but will be moved to release branches soon.
</P
3588 >The advantage to domain-level security is that the
3589 authentication in domain-level security is passed down the authenticated
3590 RPC channel in exactly the same way that an NT server would do it. This
3591 means Samba servers now participate in domain trust relationships in
3592 exactly the same way NT servers do (i.e., you can add Samba servers into
3593 a resource domain and have the authentication passed on from a resource
3594 domain PDC to an account domain PDC.
</P
3596 >In addition, with
<B
3598 >security = server
</B
3600 daemon on a server has to keep a connection open to the
3601 authenticating server for as long as that daemon lasts. This can drain
3602 the connection resources on a Microsoft NT server and cause it to run
3603 out of available connections. With
<B
3605 >security = domain
</B
3607 however, the Samba daemons connect to the PDC/BDC only for as long
3608 as is necessary to authenticate the user, and then drop the connection,
3609 thus conserving PDC connection resources.
</P
3611 >And finally, acting in the same manner as an NT server
3612 authenticating to a PDC means that as part of the authentication
3613 reply, the Samba server gets the user identification information such
3614 as the user SID, the list of NT groups the user belongs to, etc. All
3615 this information will allow Samba to be extended in the future into
3616 a mode the developers currently call appliance mode. In this mode,
3617 no local Unix users will be necessary, and Samba will generate Unix
3618 uids and gids from the information passed back from the PDC when a
3619 user is authenticated, making a Samba server truly plug and play
3620 in an NT domain environment. Watch for this code soon.
</P
3624 > Much of the text of this document
3625 was first published in the Web magazine
<A
3626 HREF=
"http://www.linuxworld.com"
3631 HREF=
"http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"
3643 >Chapter
6. How to Configure Samba
2.2 as a Primary Domain Controller
</A
3661 >Author's Note :
</EM
3662 > This document is a combination
3663 of David Bannon's Samba
2.2 PDC HOWTO and the Samba NT Domain FAQ.
3664 Both documents are superceeded by this one.
</P
3668 >Version of Samba prior to release
2.2 had marginal capabilities to
3669 act as a Windows NT
4.0 Primary Domain Controller (PDC). The following
3670 functionality should work in
2.2:
</P
3676 > domain logons for Windows NT
4.0/
2000 clients
3681 > placing a Windows
9x client in user level security
3686 > retrieving a list of users and groups from a Samba PDC to
3687 Windows
9x/NT/
2000 clients
3692 > roving (roaming) user profiles
3697 > Windows NT
4.0 style system policies
3702 >The following pieces of functionality are not included in the
2.2 release:
</P
3708 > Windows NT
4 domain trusts
3713 > SAM replication with Windows NT
4.0 Domain Controllers
3714 (i.e. a Samba PDC and a Windows NT BDC or vice versa)
3719 > Adding users via the User Manager for Domains
3724 > Acting as a Windows
2000 Domain Controller (i.e. Kerberos and
3730 >Please note that Windows
9x clients are not true members of a domain
3731 for reasons outlined in this article. Therefore the protocol for
3732 support Windows
9x style domain logons is completely different
3733 from NT4 domain logons and has been officially supported for some
3736 >Beginning with Samba
2.2.0, we are proud to announce official
3737 support for Windows NT
4.0 style domain logons from Windows NT
3738 4.0 and Windows
2000 (including SP1) clients. This article
3739 outlines the steps necessary for configuring Samba as a PDC.
3740 It is necessary to have a working Samba server prior to implementing the
3741 PDC functionality. If you have not followed the steps outlined in
3743 HREF=
"UNIX_INSTALL.html"
3745 > UNIX_INSTALL.html
</A
3747 that your server is configured correctly before proceeding. Another good
3749 HREF=
"smb.conf.5.html"
3755 >Implementing a Samba PDC can basically be divided into
2 broad
3763 > Configuring the Samba PDC
3768 > Creating machine trust accounts and joining clients
3774 >There are other minor details such as user profiles, system
3775 policies, etc... However, these are not necessarily specific
3776 to a Samba PDC as much as they are related to Windows NT networking
3777 concepts. They will be mentioned only briefly here.
</P
3785 >6.2. Configuring the Samba Domain Controller
</A
3788 >The first step in creating a working Samba PDC is to
3789 understand the parameters necessary in smb.conf. I will not
3790 attempt to re-explain the parameters here as they are more that
3791 adequately covered in
<A
3792 HREF=
"smb.conf.5.html"
3796 >. For convenience, the parameters have been
3797 linked with the actual smb.conf description.
</P
3799 >Here is an example smb.conf for acting as a PDC:
</P
3808 CLASS=
"PROGRAMLISTING"
3810 ; Basic server settings
3812 HREF=
"smb.conf.5.html#NETBIOSNAME"
3822 HREF=
"smb.conf.5.html#WORKGROUP"
3832 ; we should act as the domain and local master browser
3834 HREF=
"smb.conf.5.html#OSLEVEL"
3839 HREF=
"smb.conf.5.html#PERFERREDMASTER"
3841 >preferred master
</A
3844 HREF=
"smb.conf.5.html#DOMAINMASTER"
3849 HREF=
"smb.conf.5.html#LOCALMASTER"
3854 ; security settings (must user security = user)
3856 HREF=
"smb.conf.5.html#SECURITYEQUALSUSER"
3861 ; encrypted passwords are a requirement for a PDC
3863 HREF=
"smb.conf.5.html#ENCRYPTPASSWORDS"
3865 >encrypt passwords
</A
3868 ; support domain logons
3870 HREF=
"smb.conf.5.html#DOMAINLOGONS"
3875 ; where to store user profiles?
3877 HREF=
"smb.conf.5.html#LOGONPATH"
3880 > = \\%N\profiles\%u
3882 ; where is a user's home directory and where should it
3885 HREF=
"smb.conf.5.html#LOGONDRIVE"
3890 HREF=
"smb.conf.5.html#LOGONHOME"
3895 ; specify a generic logon script for all users
3896 ; this is a relative **DOS** path to the [netlogon] share
3898 HREF=
"smb.conf.5.html#LOGONSCRIPT"
3903 ; necessary share for domain controller
3906 HREF=
"smb.conf.5.html#PATH"
3909 > = /usr/local/samba/lib/netlogon
3911 HREF=
"smb.conf.5.html#WRITEABLE"
3916 HREF=
"smb.conf.5.html#WRITELIST"
3926 ; share for storing user profiles
3929 HREF=
"smb.conf.5.html#PATH"
3932 > = /export/smb/ntprofile
3934 HREF=
"smb.conf.5.html#WRITEABLE"
3939 HREF=
"smb.conf.5.html#CREATEMASK"
3944 HREF=
"smb.conf.5.html#DIRECTORYMASK"
3953 >There are a couple of points to emphasize in the above configuration.
</P
3959 > Encrypted passwords must be enabled. For more details on how
3960 to do this, refer to
<A
3961 HREF=
"ENCRYPTION.html"
3969 > The server must support domain logons and a
3978 > The server must be the domain master browser in order for Windows
3979 client to locate the server as a DC.
3984 >As Samba
2.2 does not offer a complete implementation of group mapping between
3985 Windows NT groups and UNIX groups (this is really quite complicated to explain
3986 in a short space), you should refer to the
<A
3987 HREF=
"smb.conf.5.html#DOMAINADMINUSERS"
3992 HREF=
"smb.conf.5.html#DOMAINADMINGROUP"
3996 > smb.conf parameters for information of creating a Domain Admins
4005 >6.3. Creating Machine Trust Accounts and Joining Clients
4009 >A machine trust account is a user account owned by a computer.
4010 The account password acts as the shared secret for secure
4011 communication with the Domain Controller. Hence the reason that
4012 a Windows
9x host is never a true member of a domain because
4013 it does not posses a machine trust account and thus has no shared
4014 secret with the DC.
</P
4016 >On a Windows NT PDC, these machine trust account passwords are stored
4017 in the registry. A Samba PDC stores these accounts in he same location
4018 as user LanMan and NT password hashes (currently
<TT
4022 However, machine trust accounts only possess and use the NT password hash.
</P
4024 >There are two means of creating machine trust accounts.
</P
4030 > Manual creation before joining the client to the domain. In this case,
4031 the password is set to a known value -- the lower case of the
4032 machine's netbios name.
4037 > Creation of the account at the time of joining the domain. In
4038 this case, the session key of the administrative account used to join
4039 the client to the domain acts as an encryption key for setting the
4040 password to a random value.
4045 >Because Samba requires machine accounts to possess a UNIX uid from
4046 which an Windows NT SID can be generated, all of these accounts
4047 will have an entry in
<TT
4051 Future releases will alleviate the need to create
4060 > entry will list the machine name
4061 with a $ appended, won't have a passwd, will have a null shell and no
4062 home directory. For example a machine called 'doppy' would have an
4066 > entry like this :
</P
4075 CLASS=
"PROGRAMLISTING"
4076 >doppy$:x:
505:
501:NTMachine:/dev/null:/bin/false
</PRE
4082 >If you are manually creating the machine accounts, it is necessary
4087 map) entry prior to adding the
<TT
4091 entry. The following command will create a new machine account
4097 > smbpasswd -a -m
<TT
4109 > is the machine's netbios
4113 >If you manually create a machine account, immediately join
4114 the client to the domain.
</EM
4115 > An open account like this
4116 can allow intruders to gain access to user account information
4119 >The second way of creating machine trust accounts is to add
4120 them on the fly at the time the client is joined to the domain.
4121 You will need to include a value for the
<A
4122 HREF=
"smb.conf.5.html#ADDUSERSCRIPT"
4126 parameter. Below is an example I use on a RedHat
6.2 Linux system.
</P
4135 CLASS=
"PROGRAMLISTING"
4136 >add user script = /usr/sbin/useradd -d /dev/null -g
100 -s /bin/false -M %u
</PRE
4143 >only the root account
</EM
4144 > can be used to create
4145 machine accounts on the fly like this. Therefore, it is required to create
4146 an entry in smbpasswd for
<EM
4151 > be set to s different password that the
4155 > entry for security reasons.
</P
4163 >6.4. Common Problems and Errors
</A
4169 >I cannot include a '$' in a machine name.
</EM
4172 >A 'machine name' in (typically)
<TT
4176 of the machine name with a '$' appended. FreeBSD (and other BSD
4177 systems ?) won't create a user with a '$' in their name.
</P
4179 >The problem is only in the program used to make the entry, once
4180 made, it works perfectly. So create a user without the '$' and
4184 > to edit the entry, adding the '$'. Or create
4185 the whole entry with vipw if you like, make sure you use a
4189 >I get told
"You already have a connection to the Domain...."
4190 when creating a machine account.
</EM
4193 >This happens if you try to create a machine account from the
4194 machine itself and use a user name that does not work (for whatever
4195 reason) and then try another (possibly valid) user name.
4196 Exit out of the network applet to close the initial connection
4199 >Further, if the machine is a already a 'member of a workgroup' that
4200 is the same name as the domain you are joining (bad idea) you will
4201 get this message. Change the workgroup name to something else, it
4202 does not matter what, reboot, and try again.
</P
4205 >I get told
"Cannot join domain, the credentials supplied
4206 conflict with an existing set.."</EM
4209 >This is the same basic problem as mentioned above,
"You already
4210 have a connection..."</P
4213 >"The system can not log you on (C000019B)...."</EM
4216 >I joined the domain successfully but after upgrading
4217 to a newer version of the Samba code I get the message,
"The system
4218 can not log you on (C000019B), Please try a gain or consult your
4219 system administrator" when attempting to logon.
</P
4221 >This occurs when the domain SID stored in
4224 >private/WORKGROUP.SID
</TT
4226 changed. For example, you remove the file and
<B
4230 creates a new one. Or you are swapping back and forth between
4231 versions
2.0.7, TNG and the HEAD branch code (not recommended). The
4232 only way to correct the problem is to restore the original domain
4233 SID or remove the domain client from the domain and rejoin.
</P
4236 >"The machine account for this computer either does not
4237 exist or is not accessible."</EM
4240 >When I try to join the domain I get the message
"The machine account
4241 for this computer either does not exist or is not accessible". Whats
4244 >This problem is caused by the PDC not having a suitable machine account.
4245 If you are using the
<B
4247 >add user script =
</B
4249 accounts then this would indicate that it has not worked. Ensure the domain
4250 admin user system is working.
</P
4252 >Alternatively if you are creating account entries manually then they
4253 have not been created correctly. Make sure that you have the entry
4254 correct for the machine account in smbpasswd file on the Samba PDC.
4255 If you added the account using an editor rather than using the smbpasswd
4256 utility, make sure that the account name is the machine netbios name
4257 with a '$' appended to it ( ie. computer_name$ ). There must be an entry
4258 in both /etc/passwd and the smbpasswd file. Some people have reported
4259 that inconsistent subnet masks between the Samba server and the NT
4260 client have caused this problem. Make sure that these are consistent
4261 for both client and server.
</P
4269 >6.5. System Policies and Profiles
</A
4272 >Much of the information necessary to implement System Policies and
4273 Roving User Profiles in a Samba domain is the same as that for
4274 implementing these same items in a Windows NT
4.0 domain.
4275 You should read the white paper
<A
4276 HREF=
"http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"
4279 Profiles and Policies in Windows NT
4.0</A
4280 > available from Microsoft.
</P
4282 >Here are some additional details:
</P
4285 >What about Windows NT Policy Editor ?
</EM
4288 >To create or edit
<TT
4292 the NT Server Policy Editor,
<B
4296 is included with NT Server but
<EM
4297 >not NT Workstation
</EM
4299 There is a Policy Editor on a NTws
4300 but it is not suitable for creating
<EM
4301 >Domain Policies
</EM
4303 Further, although the Windows
95
4304 Policy Editor can be installed on an NT Workstation/Server, it will not
4305 work with NT policies because the registry key that are set by the policy templates.
4306 However, the files from the NT Server will run happily enough on an NTws.
4309 >poledit.exe, common.adm
</TT
4314 to put the two *.adm files in
<TT
4318 the binary will look for them unless told otherwise. Note also that that
4319 directory is 'hidden'.
</P
4321 >The Windows NT policy editor is also included with the
4322 Service Pack
3 (and later) for Windows NT
4.0. Extract the files using
4325 >servicepackname /x
</B
4330 > for service pack
6a. The policy editor,
<B
4334 associated template files (*.adm) should
4335 be extracted as well. It is also possible to downloaded the policy template
4336 files for Office97 and get a copy of the policy editor. Another possible
4337 location is with the Zero Administration Kit available for download from Microsoft.
</P
4340 >Can Win95 do Policies ?
</EM
4343 >Install the group policy handler for Win9x to pick up group
4344 policies. Look on the Win98 CD in
<TT
4346 >\tools\reskit\netadmin\poledit
</TT
4348 Install group policies on a Win9x client by double-clicking
4352 >. Log off and on again a couple of
4353 times and see if Win98 picks up group policies. Unfortunately this needs
4354 to be done on every Win9x machine that uses group policies....
</P
4356 >If group policies don't work one reports suggests getting the updated
4357 (read: working) grouppol.dll for Windows
9x. The group list is grabbed
4361 >How do I get 'User Manager' and 'Server Manager'
</EM
4364 >Since I don't need to buy an NT Server CD now, how do I get
4365 the 'User Manager for Domains', the 'Server Manager' ?
</P
4367 >Microsoft distributes a version of
4368 these tools called nexus for installation on Windows
95 systems. The
4369 tools set includes
</P
4379 >User Manager for Domains
</P
4387 >Click here to download the archived file
<A
4388 HREF=
"ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
4390 >ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE
</A
4393 >The Windows NT
4.0 version of the 'User Manager for
4394 Domains' and 'Server Manager' are available from Microsoft via ftp
4396 HREF=
"ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
4398 >ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE
</A
4407 >6.6. What other help can I get ?
</A
4410 >There are many sources of information available in the form
4411 of mailing lists, RFC's and documentation. The docs that come
4412 with the samba distribution contain very good explanations of
4413 general SMB topics such as browsing.
</P
4416 >What are some diagnostics tools I can use to debug the domain logon
4417 process and where can I find them?
</EM
4420 > One of the best diagnostic tools for debugging problems is Samba itself.
4421 You can use the -d option for both smbd and nmbd to specifiy what
4422 'debug level' at which to run. See the man pages on smbd, nmbd and
4423 smb.conf for more information on debugging options. The debug
4424 level can range from
1 (the default) to
10 (
100 for debugging passwords).
4427 > Another helpful method of debugging is to compile samba using the
4431 > flag. This will include debug
4432 information in the binaries and allow you to attach gdb to the
4433 running smbd / nmbd process. In order to attach gdb to an smbd
4434 process for an NT workstation, first get the workstation to make the
4435 connection. Pressing ctrl-alt-delete and going down to the domain box
4436 is sufficient (at least, on the first time you join the domain) to
4437 generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
4438 maintains an open connection, and therefore there will be an smbd
4439 process running (assuming that you haven't set a really short smbd
4440 idle timeout) So, in between pressing ctrl alt delete, and actually
4441 typing in your password, you can gdb attach and continue.
4444 > Some useful samba commands worth investigating:
4451 >testparam | more
</P
4455 >smbclient -L //{netbios name of server}
</P
4459 > An SMB enabled version of tcpdump is available from
4461 HREF=
"http://www.tcpdump.org/"
4463 >http://www.tcpdup.org/
</A
4465 Ethereal, another good packet sniffer for UNIX and Win32
4466 hosts, can be downloaded from
<A
4467 HREF=
"http://www.ethereal.com/"
4469 >http://www.ethereal.com
</A
4473 > For tracing things on the Microsoft Windows NT, Network Monitor
4474 (aka. netmon) is available on the Microsoft Developer Network CD's,
4475 the Windows NT Server install CD and the SMS CD's. The version of
4476 netmon that ships with SMS allows for dumping packets between any two
4477 computers (ie. placing the network interface in promiscuous mode).
4478 The version on the NT Server install CD will only allow monitoring
4479 of network traffic directed to the local NT box and broadcasts on the
4480 local subnet. Be aware that Ethereal can read and write netmon
4485 >How do I install 'Network Monitor' on an NT Workstation
4486 or a Windows
9x box?
</EM
4489 > Installing netmon on an NT workstation requires a couple
4490 of steps. The following are for installing Netmon V4.00
.349, which comes
4491 with Microsoft Windows NT Server
4.0, on Microsoft Windows NT
4492 Workstation
4.0. The process should be similar for other version of
4493 Windows NT / Netmon. You will need both the Microsoft Windows
4494 NT Server
4.0 Install CD and the Workstation
4.0 Install CD.
4497 > Initially you will need to install 'Network Monitor Tools and Agent'
4498 on the NT Server. To do this
4505 >Goto Start - Settings - Control Panel -
4506 Network - Services - Add
</P
4510 >Select the 'Network Monitor Tools and Agent' and
4515 >Click 'OK' on the Network Control Panel.
4520 >Insert the Windows NT Server
4.0 install CD
4525 > At this point the Netmon files should exist in
4528 >%SYSTEMROOT%\System32\netmon\*.*
</TT
4530 Two subdirectories exist as well,
<TT
4534 which contains the necessary DLL's for parsing the netmon packet
4541 > In order to install the Netmon tools on an NT Workstation, you will
4542 first need to install the 'Network Monitor Agent' from the Workstation
4550 >Goto Start - Settings - Control Panel -
4551 Network - Services - Add
</P
4555 >Select the 'Network Monitor Agent' and click
4560 >Click 'OK' on the Network Control Panel.
4565 >Insert the Windows NT Workstation
4.0 install
4566 CD when prompted.
</P
4570 > Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
4571 to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
4572 permissions as you deem appropriate for your site. You will need
4573 administrative rights on the NT box to run netmon.
4576 > To install Netmon on a Windows
9x box install the network monitor agent
4577 from the Windows
9x CD (\admin\nettools\netmon). There is a readme
4578 file located with the netmon driver files on the CD if you need
4579 information on how to do this. Copy the files from a working
4580 Netmon installation.
4588 >6.6.1. URLs and similar
</A
4595 >Home of Samba site
<A
4596 HREF=
"http://samba.org"
4598 > http://samba.org
</A
4599 >. We have a mirror near you !
</P
4606 on the Samba mirrors might mention your problem. If so,
4607 it might mean that the developers are working on it.
</P
4611 >See how Scott Merrill simulates a BDC behavior at
4613 HREF=
"http://www.skippy.net/linux/smb-howto.html"
4615 > http://www.skippy.net/linux/smb-howto.html
</A
4620 >Although
2.0.7 has almost had its day as a PDC, David Bannon will
4621 keep the
2.0.7 PDC pages at
<A
4622 HREF=
"http://bioserve.latrobe.edu.au/samba"
4624 > http://bioserve.latrobe.edu.au/samba
</A
4625 > going for a while yet.
</P
4629 >Misc links to CIFS information
4631 HREF=
"http://samba.org/cifs/"
4633 >http://samba.org/cifs/
</A
4638 >NT Domains for Unix
<A
4639 HREF=
"http://mailhost.cb1.com/~lkcl/ntdom/"
4641 > http://mailhost.cb1.com/~lkcl/ntdom/
</A
4646 >FTP site for older SMB specs:
4648 HREF=
"ftp://ftp.microsoft.com/developr/drg/CIFS/"
4650 > ftp://ftp.microsoft.com/developr/drg/CIFS/
</A
4661 >6.6.2. Mailing Lists
</A
4665 >How do I get help from the mailing lists ?
</EM
4668 >There are a number of Samba related mailing lists. Go to
<A
4669 HREF=
"http://samba.org"
4671 >http://samba.org
</A
4672 >, click on your nearest mirror
4673 and then click on
<B
4676 > and then click on
<B
4678 >Samba related mailing lists
</B
4681 >For questions relating to Samba TNG go to
4683 HREF=
"http://www.samba-tng.org/"
4685 >http://www.samba-tng.org/
</A
4687 It has been requested that you don't post questions about Samba-TNG to the
4688 main stream Samba lists.
</P
4690 >If you post a message to one of the lists please observe the following guide lines :
</P
4696 > Always remember that the developers are volunteers, they are
4697 not paid and they never guarantee to produce a particular feature at
4698 a particular time. Any time lines are 'best guess' and nothing more.
4703 > Always mention what version of samba you are using and what
4704 operating system its running under. You should probably list the
4705 relevant sections of your smb.conf file, at least the options
4706 in [global] that affect PDC support.
</P
4710 >In addition to the version, if you obtained Samba via
4711 CVS mention the date when you last checked it out.
</P
4715 > Try and make your question clear and brief, lots of long,
4716 convoluted questions get deleted before they are completely read !
4717 Don't post html encoded messages (if you can select colour or font
4722 > If you run one of those nifty 'I'm on holidays' things when
4723 you are away, make sure its configured to not answer mailing lists.
4728 > Don't cross post. Work out which is the best list to post to
4729 and see what happens, ie don't post to both samba-ntdom and samba-technical.
4730 Many people active on the lists subscribe to more
4731 than one list and get annoyed to see the same message two or more times.
4732 Often someone will see a message and thinking it would be better dealt
4733 with on another, will forward it on for you.
</P
4737 >You might include
<EM
4740 log files written at a debug level set to as much as
20.
4741 Please don't send the entire log but enough to give the context of the
4746 >(Possibly) If you have a complete netmon trace ( from the opening of
4747 the pipe to the error ) you can send the *.CAP file as well.
</P
4751 >Please think carefully before attaching a document to an email.
4752 Consider pasting the relevant parts into the body of the message. The samba
4753 mailing lists go to a huge number of people, do they all need a copy of your
4754 smb.conf in their attach directory ?
</P
4759 >How do I get off the mailing lists ?
</EM
4762 >To have your name removed from a samba mailing list, go to the
4763 same place you went to to get on it. Go to
<A
4764 HREF=
"http://lists.samba.org/"
4766 >http://lists.samba.org
</A
4768 on your nearest mirror and then click on
<B
4774 > Samba related mailing lists
</B
4777 HREF=
"http://lists.samba.org/mailman/roster/samba-ntdom"
4782 > Please don't post messages to the list asking to be removed, you will just
4783 be referred to the above address (unless that process failed in some way...)
4793 >6.7. DOMAIN_CONTROL.txt : Windows NT Domain Control
& Samba
</A
4796 >This appendix was originally authored by John H Terpstra of the Samba Team
4797 and is included here for posterity.
</P
4802 The term
"Domain Controller" and those related to it refer to one specific
4803 method of authentication that can underly an SMB domain. Domain Controllers
4804 prior to Windows NT Server
3.1 were sold by various companies and based on
4805 private extensions to the LAN Manager
2.1 protocol. Windows NT introduced
4806 Microsoft-specific ways of distributing the user authentication database.
4807 See DOMAIN.txt for examples of how Samba can participate in or create
4808 SMB domains based on shared authentication database schemes other than the
4811 >Windows NT Server can be installed as either a plain file and print server
4812 (WORKGROUP workstation or server) or as a server that participates in Domain
4813 Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
</P
4815 >The same is true for OS/
2 Warp Server, Digital Pathworks and other similar
4816 products, all of which can participate in Domain Control along with Windows NT.
4817 However only those servers which have licensed Windows NT code in them can be
4818 a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)
</P
4820 >To many people these terms can be confusing, so let's try to clear the air.
</P
4822 >Every Windows NT system (workstation or server) has a registry database.
4823 The registry contains entries that describe the initialization information
4824 for all services (the equivalent of Unix Daemons) that run within the Windows
4825 NT environment. The registry also contains entries that tell application
4826 software where to find dynamically loadable libraries that they depend upon.
4827 In fact, the registry contains entries that describes everything that anything
4828 may need to know to interact with the rest of the system.
</P
4830 >The registry files can be located on any Windows NT machine by opening a
4831 command prompt and typing:
</P
4836 > dir %SystemRoot%\System32\config
</P
4838 >The environment variable %SystemRoot% value can be obtained by typing:
</P
4843 >echo %SystemRoot%
</P
4845 >The active parts of the registry that you may want to be familiar with are
4846 the files called: default, system, software, sam and security.
</P
4848 >In a domain environment, Microsoft Windows NT domain controllers participate
4849 in replication of the SAM and SECURITY files so that all controllers within
4850 the domain have an exactly identical copy of each.
</P
4852 >The Microsoft Windows NT system is structured within a security model that
4853 says that all applications and services must authenticate themselves before
4854 they can obtain permission from the security manager to do what they set out
4857 >The Windows NT User database also resides within the registry. This part of
4858 the registry contains the user's security identifier, home directory, group
4859 memberships, desktop profile, and so on.
</P
4861 >Every Windows NT system (workstation as well as server) will have its own
4862 registry. Windows NT Servers that participate in Domain Security control
4863 have a database that they share in common - thus they do NOT own an
4864 independent full registry database of their own, as do Workstations and
4867 >The User database is called the SAM (Security Access Manager) database and
4868 is used for all user authentication as well as for authentication of inter-
4869 process authentication (ie: to ensure that the service action a user has
4870 requested is permitted within the limits of that user's privileges).
</P
4872 >The Samba team have produced a utility that can dump the Windows NT SAM into
4873 smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
4874 /pub/samba/pwdump on your nearest Samba mirror for the utility. This
4875 facility is useful but cannot be easily used to implement SAM replication
4876 to Samba systems.
</P
4878 >Windows for Workgroups, Windows
95, and Windows NT Workstations and Servers
4879 can participate in a Domain security system that is controlled by Windows NT
4880 servers that have been correctly configured. At most every domain will have
4881 ONE Primary Domain Controller (PDC). It is desirable that each domain will
4882 have at least one Backup Domain Controller (BDC).
</P
4884 >The PDC and BDCs then participate in replication of the SAM database so that
4885 each Domain Controlling participant will have an up to date SAM component
4886 within its registry.
</P
4894 >Chapter
7. Unifed Logons between Windows NT and UNIX using Winbind
</A
4905 >Integration of UNIX and Microsoft Windows NT through
4906 a unified logon has been considered a
"holy grail" in heterogeneous
4907 computing environments for a long time. We present
<EM
4910 >, a component of the Samba suite of programs as a
4911 solution to the unied logon problem. Winbind uses a UNIX implementation
4912 of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
4913 Service Switch to allow Windows NT domain users to appear and operate
4914 as UNIX users on a UNIX machine. This paper describes the winbind
4915 system, explaining the functionality it provides, how it is configured,
4916 and how it works internally.
</P
4924 >7.2. Introduction
</A
4927 >It is well known that UNIX and Microsoft Windows NT have
4928 different models for representing user and group information and
4929 use different technologies for implementing them. This fact has
4930 made it difficult to integrate the two systems in a satisfactory
4933 >One common solution in use today has been to create
4934 identically named user accounts on both the UNIX and Windows systems
4935 and use the Samba suite of programs to provide file and print services
4936 between the two. This solution is far from perfect however, as
4937 adding and deleting users on both sets of machines becomes a chore
4938 and two sets of passwords are required both of which which
4939 can lead to synchronization problems between the UNIX and Windows
4940 systems and confusion for users.
</P
4942 >We divide the unifed logon problem for UNIX machines into
4943 three smaller problems:
</P
4949 >Obtaining Windows NT user and group information
4954 >Authenticating Windows NT users
4959 >Password changing for Windows NT users
4964 >Ideally, a prospective solution to the unified logon problem
4965 would satisfy all the above components without duplication of
4966 information on the UNIX machines and without creating additional
4967 tasks for the system administrator when maintaining users and
4968 groups on either system. The winbind system provides a simple
4969 and elegant solution to all three components of the unifed logon
4978 >7.3. What Winbind Provides
</A
4981 >Winbind unifies UNIX and Windows NT account management by
4982 allowing a UNIX box to become a full member of a NT domain. Once
4983 this is done the UNIX box will see NT users and groups as if
4984 they were native UNIX users and groups, allowing the NT domain
4985 to be used in much the same manner that NIS+ is used within
4986 UNIX-only environments.
</P
4988 >The end result is that whenever any
4989 program on the UNIX machine asks the operating system to lookup
4990 a user or group name, the query will be resolved by asking the
4991 NT domain controller for the specied domain to do the lookup.
4992 Because Winbind hooks into the operating system at a low level
4993 (via the NSS name resolution modules in the C library) this
4994 redirection to the NT domain controller is completely
4997 >Users on the UNIX machine can then use NT user and group
4998 names as they would use
"native" UNIX names. They can chown files
4999 so that they are owned by NT domain users or even login to the
5000 UNIX machine and run a UNIX X-Window session as a domain user.
</P
5002 >The only obvious indication that Winbind is being used is
5003 that user and group names take the form DOMAIN\user and
5004 DOMAIN\group. This is necessary as it allows Winbind to determine
5005 that redirection to a domain controller is wanted for a particular
5006 lookup and which trusted domain is being referenced.
</P
5008 >Additionally, Winbind provides a authentication service
5009 that hooks into the Pluggable Authentication Modules (PAM) system
5010 to provide authentication via a NT domain to any PAM enabled
5011 applications. This capability solves the problem of synchronizing
5012 passwords between systems as all passwords are stored in a single
5013 location (on the domain controller).
</P
5020 >7.3.1. Target Uses
</A
5023 >Winbind is targeted at organizations that have an
5024 existing NT based domain infrastructure into which they wish
5025 to put UNIX workstations or servers. Winbind will allow these
5026 organizations to deploy UNIX workstations without having to
5027 maintain a separate account infrastructure. This greatly simplies
5028 the administrative overhead of deploying UNIX workstations into
5029 a NT based organization.
</P
5031 >Another interesting way in which we expect Winbind to
5032 be used is as a central part of UNIX based appliances. Appliances
5033 that provide file and print services to Microsoft based networks
5034 will be able to use Winbind to provide seamless integration of
5035 the appliance into the domain.
</P
5044 >7.4. How Winbind Works
</A
5047 >The winbind system is designed around a client/server
5048 architecture. A long running
<B
5052 listens on a UNIX domain socket waiting for requests
5053 to arrive. These requests are generated by the NSS and PAM
5054 clients and processed sequentially.
</P
5056 >The technologies used to implement winbind are described
5064 >7.4.1. Microsoft Remote Procedure Calls
</A
5067 >Over the last two years, efforts have been underway
5068 by various Samba Team members to decode various aspects of
5069 the Microsoft Remote Procedure Call (MSRPC) system. This
5070 system is used for most network related operations between
5071 Windows NT machines including remote management, user authentication
5072 and print spooling. Although initially this work was done
5073 to aid the implementation of Primary Domain Controller (PDC)
5074 functionality in Samba, it has also yielded a body of code which
5075 can be used for other purposes.
</P
5077 >Winbind uses various MSRPC calls to enumerate domain users
5078 and groups and to obtain detailed information about individual
5079 users or groups. Other MSRPC calls can be used to authenticate
5080 NT domain users and to change user passwords. By directly querying
5081 a Windows PDC for user and group information, winbind maps the
5082 NT account information onto UNIX user and group names.
</P
5090 >7.4.2. Name Service Switch
</A
5093 >The Name Service Switch, or NSS, is a feature that is
5094 present in many UNIX operating systems. It allows system
5095 information such as hostnames, mail aliases and user information
5096 to be resolved from dierent sources. For example, a standalone
5097 UNIX workstation may resolve system information from a series of
5098 flat files stored on the local lesystem. A networked workstation
5099 may first attempt to resolve system information from local files,
5100 then consult a NIS database for user information or a DNS server
5101 for hostname information.
</P
5103 >The NSS application programming interface allows winbind
5104 to present itself as a source of system information when
5105 resolving UNIX usernames and groups. Winbind uses this interface,
5106 and information obtained from a Windows NT server using MSRPC
5107 calls to provide a new source of account enumeration. Using standard
5108 UNIX library calls, one can enumerate the users and groups on
5109 a UNIX machine running winbind and see all users and groups in
5110 a NT domain plus any trusted domain as though they were local
5111 users and groups.
</P
5113 >The primary control le for NSS is
<TT
5117 >. When a UNIX application makes a request to do a lookup
5118 the C library looks in
<TT
5120 >/etc/nsswitch.conf
</TT
5122 for a line which matches the service type being requested, for
5123 example the
"passwd" service type is used when user or group names
5124 are looked up. This config line species which implementations
5125 of that service should be tried andin what order. If the passwd
5130 >passwd: files example
</B
5133 >then the C library will first load a module called
5136 >/lib/libnss_files.so
</TT
5140 >/lib/libnss_example.so
</TT
5142 C library will dynamically load each of these modules in turn
5143 and call resolver functions within the modules to try to resolve
5144 the request. Once the request is resolved the C library returns the
5145 result to the application.
</P
5147 >This NSS interface provides a very easy way for Winbind
5148 to hook into the operating system. All that needs to be done
5151 >libnss_winbind.so
</TT
5156 then add
"winbind" into
<TT
5158 >/etc/nsswitch.conf
</TT
5160 the appropriate place. The C library will then call Winbind to
5161 resolve user and group names.
</P
5169 >7.4.3. Pluggable Authentication Modules
</A
5172 >Pluggable Authentication Modules, also known as PAM,
5173 is a system for abstracting authentication and authorization
5174 technologies. With a PAM module it is possible to specify different
5175 authentication methods for dierent system applications without
5176 having to recompile these applications. PAM is also useful
5177 for implementing a particular policy for authorization. For example,
5178 a system administrator may only allow console logins from users
5179 stored in the local password file but only allow users resolved from
5180 a NIS database to log in over the network.
</P
5182 >Winbind uses the authentication management and password
5183 management PAM interface to integrate Windows NT users into a
5184 UNIX system. This allows Windows NT users to log in to a UNIX
5185 machine and be authenticated against a suitable Primary Domain
5186 Controller. These users can also change their passwords and have
5187 this change take eect directly on the Primary Domain Controller.
5190 >PAM is congured by providing control files in the directory
5194 > for each of the services that
5195 require authentication. When an authentication request is made
5196 by an application the PAM code in the C library looks up this
5197 control file to determine what modules to load to do the
5198 authentication check and in what order. This interface makes adding
5199 a new authentication service for Winbind very easy, all that needs
5200 to be done is that the
<TT
5208 control files for relevant services are updated to allow
5209 authentication via winbind. See the PAM documentation
5210 for more details.
</P
5218 >7.4.4. User and Group ID Allocation
</A
5221 >When a user or group is created under Windows NT
5222 is it allocated a numerical relative identier (RID). This is
5223 slightly dierent to UNIX which has a range of numbers which are
5224 used to identify users, and the same range in which to identify
5225 groups. It is winbind's job to convert RIDs to UNIX id numbers and
5226 vice versa. When winbind is congured it is given part of the UNIX
5227 user id space and a part of the UNIX group id space in which to
5228 store Windows NT users and groups. If a Windows NT user is
5229 resolved for the first time, it is allocated the next UNIX id from
5230 the range. The same process applies for Windows NT groups. Over
5231 time, winbind will have mapped all Windows NT users and groups
5232 to UNIX user ids and group ids.
</P
5234 >The results of this mapping are stored persistently in
5235 a ID mapping database held in a tdb database). This ensures that
5236 RIDs are mapped to UNIX IDs in a consistent way.
</P
5244 >7.4.5. Result Caching
</A
5247 >An active system can generate a lot of user and group
5248 name lookups. To reduce the network cost of these lookups winbind
5249 uses a caching scheme based on the SAM sequence number supplied
5250 by NT domain controllers. User or group information returned
5251 by a PDC is cached by winbind along with a sequence number also
5252 returned by the PDC. This sequence number is incremented by
5253 Windows NT whenever any user or group information is modied. If
5254 a cached entry has expired, the sequence number is requested from
5255 the PDC and compared against the sequence number of the cached entry.
5256 If the sequence numbers do not match, then the cached information
5257 is discarded and up to date information is requested directly
5267 >7.5. Installation and Configuration
</A
5270 >The easiest way to install winbind is by using the packages
5273 >pub/samba/appliance/
</TT
5275 directory on your nearest
5276 Samba mirror. These packages provide snapshots of the Samba source
5277 code and binaries already setup to provide the full functionality
5278 of winbind. This setup is a little more complex than a normal Samba
5279 build as winbind needs a small amount of functionality from a
5280 development code branch called SAMBA_TNG.
</P
5282 >Once you have installed the packages you should read
5286 > man page which will provide you
5287 with conguration information and give you sample conguration files.
5288 You may also wish to update the main Samba daemons smbd and nmbd)
5289 with a more recent development release, such as the recently
5290 announced Samba
2.2 alpha release.
</P
5298 >7.6. Limitations
</A
5301 >Winbind has a number of limitations in its current
5302 released version which we hope to overcome in future
5309 >Winbind is currently only available for
5310 the Linux operating system, although ports to other operating
5311 systems are certainly possible. For such ports to be feasible,
5312 we require the C library of the target operating system to
5313 support the Name Service Switch and Pluggable Authentication
5314 Modules systems. This is becoming more common as NSS and
5315 PAM gain support among UNIX vendors.
</P
5319 >The mappings of Windows NT RIDs to UNIX ids
5320 is not made algorithmically and depends on the order in which
5321 unmapped users or groups are seen by winbind. It may be difficult
5322 to recover the mappings of rid to UNIX id mapping if the file
5323 containing this information is corrupted or destroyed.
</P
5327 >Currently the winbind PAM module does not take
5328 into account possible workstation and logon time restrictions
5329 that may be been set for Windows NT users.
</P
5333 >Building winbind from source is currently
5334 quite tedious as it requires combining source code from two Samba
5335 branches. Work is underway to solve this by providing all
5336 the necessary functionality in the main Samba code branch.
</P
5349 >The winbind system, through the use of the Name Service
5350 Switch, Pluggable Authentication Modules, and appropriate
5351 Microsoft RPC calls have allowed us to provide seamless
5352 integration of Microsoft Windows NT domain users on a
5353 UNIX system. The result is a great reduction in the administrative
5354 cost of running a mixed UNIX and NT network.
</P
5362 >Chapter
8. UNIX Permission Bits and WIndows NT Access Control Lists
</A
5370 >8.1. Viewing and changing UNIX permissions using the NT
5374 >New in the Samba
2.0.4 release is the ability for Windows
5375 NT clients to use their native security settings dialog box to
5376 view and modify the underlying UNIX permissions.
</P
5378 >Note that this ability is careful not to compromise
5379 the security of the UNIX host Samba is running on, and
5380 still obeys all the file permission rules that a Samba
5381 administrator can set.
</P
5383 >In Samba
2.0.4 and above the default value of the
5385 HREF=
"smb.conf.5.html#NTACLSUPPORT"
5393 > has been changed from
5401 manipulation of permissions is turned on by default.
</P
5409 >8.2. How to view file security on a Samba share
</A
5412 >From an NT
4.0 client, single-click with the right
5413 mouse button on any file or directory in a Samba mounted
5414 drive letter or UNC path. When the menu pops-up, click
5417 > entry at the bottom of
5418 the menu. This brings up the normal file properties dialog
5419 box, but with Samba
2.0.4 this will have a new tab along the top
5422 >. Click on this tab and you
5423 will see three buttons,
<EM
5433 > button will cause either
5434 an error message
<SPAN
5436 >A requested privilege is not held
5438 > to appear if the user is not the
5439 NT Administrator, or a dialog which is intended to allow an
5440 Administrator to add auditing requirements to a file if the
5441 user is logged on as the NT Administrator. This dialog is
5442 non-functional with a Samba share at this time, as the only
5443 useful button, the
<B
5446 > button will not currently
5447 allow a list of users to be seen.
</P
5455 >8.3. Viewing file ownership
</A
5462 brings up a dialog box telling you who owns the given file. The
5463 owner name will be of the form :
</P
5467 >"SERVER\user (Long name)"</B
5475 > is the NetBIOS name of
5476 the Samba server,
<TT
5481 > is the user name of
5482 the UNIX user who owns the file, and
<TT
5488 is the discriptive string identifying the user (normally found in the
5489 GECOS field of the UNIX password database). Click on the
<B
5493 > button to remove this dialog.
</P
5495 >If the parameter
<TT
5504 > then the file owner will
5505 be shown as the NT user
<B
5513 > button will not allow
5514 you to change the ownership of this file to yourself (clicking on
5515 it will display a dialog box complaining that the user you are
5516 currently logged onto the NT client cannot be found). The reason
5517 for this is that changing the ownership of a file is a privilaged
5518 operation in UNIX, available only to the
<EM
5521 user. As clicking on this button causes NT to attempt to change
5522 the ownership of a file to the current user logged into the NT
5523 client this will not work with Samba at this time.
</P
5525 >There is an NT chown command that will work with Samba
5526 and allow a user with Administrator privillage connected
5527 to a Samba
2.0.4 server as root to change the ownership of
5528 files on both a local NTFS filesystem or remote mounted NTFS
5529 or Samba drive. This is available as part of the
<EM
5532 > NT security library written by Jeremy Allison of
5533 the Samba Team, available from the main Samba ftp site.
</P
5541 >8.4. Viewing file or directory permissions
</A
5544 >The third button is the
<B
5548 button. Clicking on this brings up a dialog box that shows both
5549 the permissions and the UNIX owner of the file or directory.
5550 The owner is displayed in the form :
</P
5554 >"SERVER\user (Long name)"</B
5562 > is the NetBIOS name of
5563 the Samba server,
<TT
5568 > is the user name of
5569 the UNIX user who owns the file, and
<TT
5575 is the discriptive string identifying the user (normally found in the
5576 GECOS field of the UNIX password database).
</P
5578 >If the parameter
<TT
5587 > then the file owner will
5588 be shown as the NT user
<B
5592 permissions will be shown as NT
"Full Control".
</P
5594 >The permissions field is displayed differently for files
5595 and directories, so I'll describe the way file permissions
5596 are displayed first.
</P
5603 >8.4.1. File Permissions
</A
5606 >The standard UNIX user/group/world triple and
5607 the correspinding
"read",
"write",
"execute" permissions
5608 triples are mapped by Samba into a three element NT ACL
5609 with the 'r', 'w', and 'x' bits mapped into the corresponding
5610 NT permissions. The UNIX world permissions are mapped into
5611 the global NT group
<B
5615 by the list of permissions allowed for UNIX world. The UNIX
5616 owner and group permissions are displayed as an NT
5624 > icon respectively followed by the list
5625 of permissions allowed for the UNIX user and group.
</P
5627 >As many UNIX permission sets don't map into common
5638 usually the permissions will be prefixed by the words
<B
5640 > "Special Access"</B
5641 > in the NT display list.
</P
5643 >But what happens if the file has no permissions allowed
5644 for a particular UNIX user group or world component ? In order
5645 to allow
"no permissions" to be seen and modified then Samba
5648 >"Take Ownership"</B
5650 (which has no meaning in UNIX) and reports a component with
5651 no permissions as having the NT
<B
5655 This was chosen of course to make it look like a zero, meaning
5656 zero permissions. More details on the decision behind this will
5665 >8.4.2. Directory Permissions
</A
5668 >Directories on an NT NTFS file system have two
5669 different sets of permissions. The first set of permissions
5670 is the ACL set on the directory itself, this is usually displayed
5671 in the first set of parentheses in the normal
<B
5675 NT style. This first set of permissions is created by Samba in
5676 exactly the same way as normal file permissions are, described
5677 above, and is displayed in the same way.
</P
5679 >The second set of directory permissions has no real meaning
5680 in the UNIX permissions world and represents the
<B
5683 > permissions that any file created within
5684 this directory would inherit.
</P
5686 >Samba synthesises these inherited permissions for NT by
5687 returning as an NT ACL the UNIX permission mode that a new file
5688 created by Samba on this share would receive.
</P
5697 >8.5. Modifying file or directory permissions
</A
5700 >Modifying file and directory permissions is as simple
5701 as changing the displayed permissions in the dialog box, and
5705 > button. However, there are
5706 limitations that a user needs to be aware of, and also interactions
5707 with the standard Samba permission masks and mapping of DOS
5708 attributes that need to also be taken into account.
</P
5710 >If the parameter
<TT
5719 > then any attempt to set
5720 security permissions will fail with an
<B
5726 >The first thing to note is that the
<B
5730 button will not return a list of users in Samba
2.0.4 (it will give
5731 an error message of
<B
5733 >"The remote proceedure call failed
5734 and did not execute"</B
5735 >). This means that you can only
5736 manipulate the current user/group/world permissions listed in
5737 the dialog box. This actually works quite well as these are the
5738 only permissions that UNIX actually has.
</P
5740 >If a permission triple (either user, group, or world)
5741 is removed from the list of permissions in the NT dialog box,
5745 > button is pressed it will
5746 be applied as
"no permissions" on the UNIX side. If you then
5747 view the permissions again the
"no permissions" entry will appear
5751 > flag, as described above. This
5752 allows you to add permissions back to a file or directory once
5753 you have removed them from a triple component.
</P
5755 >As UNIX supports only the
"r",
"w" and
"x" bits of
5756 an NT ACL then if other NT security attributes such as
"Delete
5757 access" are selected then they will be ignored when applied on
5758 the Samba server.
</P
5760 >When setting permissions on a directory the second
5761 set of permissions (in the second set of parentheses) is
5762 by default applied to all files within that directory. If this
5763 is not what you want you must uncheck the
<B
5766 permissions on existing files"</B
5767 > checkbox in the NT
5768 dialog before clicking
<B
5773 >If you wish to remove all permissions from a
5774 user/group/world component then you may either highlight the
5775 component and click the
<B
5779 or set the component to only have the special
<B
5783 > permission (dsplayed as
<B
5795 >8.6. Interaction with the standard Samba create mask
5799 >Note that with Samba
2.0.5 there are four new parameters
5800 to control this interaction. These are :
</P
5812 >force security mode
</I
5819 >directory security mask
</I
5826 >force directory security mode
</I
5830 >Once a user clicks
<B
5834 permissions Samba maps the given permissions into a user/group/world
5835 r/w/x triple set, and then will check the changed permissions for a
5836 file against the bits set in the
<A
5837 HREF=
"smb.conf.5.html#SECURITYMASK"
5846 > parameter. Any bits that
5847 were changed that are not set to '
1' in this parameter are left alone
5848 in the file permissions.
</P
5850 >Essentially, zero bits in the
<TT
5856 mask may be treated as a set of bits the user is
<EM
5859 allowed to change, and one bits are those the user is allowed to change.
5862 >If not set explicitly this parameter is set to the same value as
5864 HREF=
"smb.conf.5.html#CREATEMASK"
5873 > parameter to provide compatibility with Samba
2.0.4
5874 where this permission change facility was introduced. To allow a user to
5875 modify all the user/group/world permissions on a file, set this parameter
5878 >Next Samba checks the changed permissions for a file against
5879 the bits set in the
<A
5880 HREF=
"smb.conf.5.html#FORCESECURITYMODE"
5885 >force security mode
</I
5888 > parameter. Any bits
5889 that were changed that correspond to bits set to '
1' in this parameter
5890 are forced to be set.
</P
5892 >Essentially, bits set in the
<TT
5895 >force security mode
5898 > parameter may be treated as a set of bits that, when
5899 modifying security on a file, the user has always set to be 'on'.
</P
5901 >If not set explicitly this parameter is set to the same value
5903 HREF=
"smb.conf.5.html#FORCECREATEMODE"
5912 > parameter to provide compatibility
5913 with Samba
2.0.4 where the permission change facility was introduced.
5914 To allow a user to modify all the user/group/world permissions on a file,
5915 with no restrictions set this parameter to
000.
</P
5928 > parameters are applied to the change
5929 request in that order.
</P
5931 >For a directory Samba will perform the same operations as
5932 described above for a file except using the parameter
<TT
5935 > directory security mask
</I
5946 >force directory security mode
5949 > parameter instead of
<TT
5952 >force security mode
5960 >directory security mask
</I
5963 by default is set to the same value as the
<TT
5969 > parameter and the
<TT
5972 >force directory security
5975 > parameter by default is set to the same value as
5979 >force directory mode
</I
5981 > parameter to provide
5982 compatibility with Samba
2.0.4 where the permission change facility
5985 >In this way Samba enforces the permission restrictions that
5986 an administrator can set on a Samba share, whilst still allowing users
5987 to modify the permission bits within that restriction.
</P
5989 >If you want to set up a share that allows users full control
5990 in modifying the permission bits on their files and directories and
5991 doesn't force any particular bits to be set 'on', then set the following
5992 parameters in the
<A
5993 HREF=
"smb.conf.5.html"
6000 > file in that share specific section :
</P
6005 >security mask =
0777</I
6012 >force security mode =
0</I
6019 >directory security mask =
0777</I
6026 >force directory security mode =
0</I
6030 >As described, in Samba
2.0.4 the parameters :
</P
6042 >force create mode
</I
6056 >force directory mode
</I
6060 >were used instead of the parameters discussed here.
</P
6068 >8.7. Interaction with the standard Samba file attribute
6072 >Samba maps some of the DOS attribute bits (such as
"read
6073 only") into the UNIX permissions of a file. This means there can
6074 be a conflict between the permission bits set via the security
6075 dialog and the permission bits set by the file attribute mapping.
6078 >One way this can show up is if a file has no UNIX read access
6079 for the owner it will show up as
"read only" in the standard
6080 file attributes tabbed dialog. Unfortunately this dialog is
6081 the same one that contains the security info in another tab.
</P
6083 >What this can mean is that if the owner changes the permissions
6084 to allow themselves read access using the security dialog, clicks
6088 > to get back to the standard attributes tab
6089 dialog, and then clicks
<B
6092 > on that dialog, then
6093 NT will set the file permissions back to read-only (as that is what
6094 the attributes still say in the dialog). This means that after setting
6095 permissions and clicking
<B
6098 > to get back to the
6099 attributes dialog you should always hit
<B
6106 > to ensure that your changes
6107 are not overridden.
</P
6115 >Chapter
9. OS2 Client HOWTO
</A
6131 >9.1.1. How can I configure OS/
2 Warp Connect or
6132 OS/
2 Warp
4 as a client for Samba?
</A
6135 >A more complete answer to this question can be
6137 HREF=
"http://carol.wins.uva.nl/~leeuw/samba/warp.html"
6139 > http://carol.wins.uva.nl/~leeuw/samba/warp.html
</A
6142 >Basically, you need three components:
</P
6148 >The File and Print Client ('IBM Peer')
6153 >TCP/IP ('Internet support')
6158 >The
"NetBIOS over TCP/IP" driver ('TCPBEUI')
6163 >Installing the first two together with the base operating
6164 system on a blank system is explained in the Warp manual. If Warp
6165 has already been installed, but you now want to install the
6166 networking support, use the
"Selective Install for Networking"
6167 object in the
"System Setup" folder.
</P
6169 >Adding the
"NetBIOS over TCP/IP" driver is not described
6170 in the manual and just barely in the online documentation. Start
6171 MPTS.EXE, click on OK, click on
"Configure LAPS" and click
6172 on
"IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
6173 is then moved to 'Current Configuration'. Select that line,
6174 click on
"Change number" and increase it from
0 to
1. Save this
6177 >If the Samba server(s) is not on your local subnet, you
6178 can optionally add IP names and addresses of these servers
6179 to the
"Names List", or specify a WINS server ('NetBIOS
6180 Nameserver' in IBM and RFC terminology). For Warp Connect you
6181 may need to download an update for 'IBM Peer' to bring it on
6182 the same level as Warp
4. See the webpage mentioned above.
</P
6190 >9.1.2. How can I configure OS/
2 Warp
3 (not Connect),
6191 OS/
2 1.2,
1.3 or
2.x for Samba?
</A
6194 >You can use the free Microsoft LAN Manager
2.2c Client
6197 HREF=
"ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/"
6199 > ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/
</A
6202 HREF=
"http://carol.wins.uva.nl/~leeuw/lanman.html"
6204 > http://carol.wins.uva.nl/~leeuw/lanman.html
</A
6206 more information on how to install and use this client. In
6207 a nutshell, edit the file \OS2VER in the root directory of
6208 the OS/
2 boot partition and add the lines:
</P
6217 CLASS=
"PROGRAMLISTING"
6227 >before you install the client. Also, don't use the
6228 included NE2000 driver because it is buggy. Try the NE2000
6229 or NS2000 driver from
6231 HREF=
"ftp://ftp.cdrom.com/pub/os2/network/ndis/"
6233 > ftp://ftp.cdrom.com/pub/os2/network/ndis/
</A
6243 >9.1.3. Are there any other issues when OS/
2 (any version)
6244 is used as a client?
</A
6247 >When you do a NET VIEW or use the
"File and Print
6248 Client Resource Browser", no Samba servers show up. This can
6249 be fixed by a patch from
<A
6250 HREF=
"http://carol.wins.uva.nl/~leeuw/samba/fix.html"
6252 > http://carol.wins.uva.nl/~leeuw/samba/fix.html
</A
6254 The patch will be included in a later version of Samba. It also
6255 fixes a couple of other problems, such as preserving long
6256 filenames when objects are dragged from the Workplace Shell
6257 to the Samba server.
</P
6265 >9.1.4. How do I get printer driver download working
6266 for OS/
2 clients?
</A
6269 >First, create a share called [PRINTDRV] that is
6270 world-readable. Copy your OS/
2 driver files there. Note
6271 that the .EA_ files must still be separate, so you will need
6272 to use the original install files, and not copy an installed
6273 driver from an OS/
2 system.
</P
6275 >Install the NT driver first for that printer. Then,
6276 add to your smb.conf a paramater,
"os2 driver map =
6282 >". Then, in the file
6289 name of the NT driver name to the OS/
2 driver name as
6292 ><nt driver name
> =
<os2 driver
6293 name
>.
<device name
>, e.g.:
6294 HP LaserJet
5L = LASERJET.HP LaserJet
5L</P
6296 >You can have multiple drivers mapped in this file.
</P
6298 >If you only specify the OS/
2 driver name, and not the
6299 device name, the first attempt to download the driver will
6300 actually download the files, but the OS/
2 client will tell
6301 you the driver is not available. On the second attempt, it
6302 will work. This is fixed simply by adding the device name
6303 to the mapping, after which it will work on the first attempt.