insert missing sh-bang
[Samba.git] / docs / htmldocs / Samba-HOWTO-Collection.html
blob 566f0b4068393dcfc2d1dac8fa05f5cc2411555e
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>SAMBA Project Documentation</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><meta name="description" content="
This book is a collection of HOWTOs added to Samba documentation over the years.
Samba is always under development, and so is its documentation. This release of the
documentation represents a major revision of layout as well as contents.
The most recent version of this document can be found at
http://www.samba.org/
on the &quot;Documentation&quot; page. Please send updates to
Jelmer Vernooij,
John H. Terpstra or
Gerald (Jerry) Carter.

The Samba-Team would like to express sincere thanks to the many people who have, with
or without their knowledge, contributed to this update. The size and scope of this
project would not have been possible without significant community contribution. A not
insignificant number of ideas for inclusion (if not content itself) have been obtained
from a number of Unofficial HOWTOs - to each such author a big &quot;Thank-you&quot; is also offered.
Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and
application knowledge that is most to be desired by many Samba users and administrators.
"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Samba-HOWTO-Collection"></a>SAMBA Project Documentation</h1></div><div><div class="authorgroup"><h4 class="editedby">Edited by</h4><h3 class="editor"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><h3 class="editor"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><h3 class="editor"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3></div></div><div><p class="pubdate">Monday April 21, 2003</p></div><div><div class="abstract"><p class="title"><b>Abstract</b></p><p>
This book is a collection of HOWTOs added to Samba documentation over the years.
Samba is always under development, and so is its documentation. This release of the
documentation represents a major revision of layout as well as contents.
The most recent version of this document can be found at
<a href="http://www.samba.org/" target="_top">http://www.samba.org/</a>
on the "Documentation" page. Please send updates to
<a href="mailto:jelmer@samba.org" target="_top">Jelmer Vernooij</a>,
<a href="mailto:jht@samba.org" target="_top">John H. Terpstra</a> or
<a href="mailto:jerry@samba.org" target="_top">Gerald (Jerry) Carter</a>.
</p><p>
The Samba-Team would like to express sincere thanks to the many people who have, with
or without their knowledge, contributed to this update. The size and scope of this
project would not have been possible without significant community contribution. A not
insignificant number of ideas for inclusion (if not content itself) have been obtained
from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered.
Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and
application knowledge that is most to be desired by many Samba users and administrators.
</p></div></div></div><div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2796910">Legal Notice</a></dt><dt><a href="#id2799782">Attributions</a></dt><dt>I. <a href="#introduction">General Installation</a></dt><dd><dl><dt>1. <a href="#IntroSMB">Introduction to Samba</a></dt><dd><dl><dt><a href="#id2801584">Background</a></dt><dt><a href="#id2801642">Terminology</a></dt><dt><a href="#id2801779">Related Projects</a></dt><dt><a href="#id2801848">SMB Methodology</a></dt><dt><a href="#id2801936">Epilogue</a></dt><dt><a href="#id2802009">Miscellaneous</a></dt></dl></dd><dt>2. <a href="#install">How to Install and Test SAMBA</a></dt><dd><dl><dt><a href="#id2802151">Obtaining and installing samba</a></dt><dt><a href="#id2802195">Configuring samba (smb.conf)</a></dt><dd><dl><dt><a href="#id2802232">Example Configuration</a></dt><dt><a href="#id2866164">SWAT</a></dt></dl></dd><dt><a href="#id2866210">Try listing the shares available on your
server</a></dt><dt><a href="#id2866267">Try connecting with the unix client</a></dt><dt><a href="#id2866384">Try connecting from another SMB client</a></dt><dt><a href="#id2866468">What If Things Don't Work?</a></dt><dt><a href="#id2866500">Common Errors</a></dt><dd><dl><dt><a href="#id2866513">Large number of smbd processes</a></dt><dt><a href="#id2866612">"open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested"</a></dt><dt><a href="#id2866630">"The network name cannot be found"</a></dt></dl></dd></dl></dd><dt>3. <a href="#FastStart">Fast Start for the Impatient</a></dt><dd><dl><dt><a href="#id2866757">Note</a></dt></dl></dd></dl></dd><dt>II. <a href="#type">Server Configuration Basics</a></dt><dd><dl><dt>4. <a href="#ServerType">Server Types and Security Modes</a></dt><dd><dl><dt><a href="#id2866937">Features and Benefits</a></dt><dt><a href="#id2867038">Server Types</a></dt><dt><a href="#id2867124">Samba Security Modes</a></dt><dd><dl><dt><a href="#id2867244">User Level Security</a></dt><dt><a href="#id2867382">Share Level Security</a></dt><dt><a href="#id2867518">Domain Security Mode (User Level Security)</a></dt><dt><a href="#id2867776">ADS Security Mode (User Level Security)</a></dt><dt><a href="#id2867877">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="#id2868158">Password checking</a></dt><dt><a href="#id2868359">Common Errors</a></dt><dd><dl><dt><a href="#id2868387">What makes Samba a SERVER?</a></dt><dt><a href="#id2868427">What makes Samba a Domain Controller?</a></dt><dt><a href="#id2868463">What makes Samba a Domain Member?</a></dt><dt><a href="#id2868503">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></dd><dt>5. 
<a href="#samba-pdc">Domain Control</a></dt><dd><dl><dt><a href="#id2868835">Features and Benefits</a></dt><dt><a href="#id2869049">Basics of Domain Control</a></dt><dd><dl><dt><a href="#id2869064">Domain Controller Types</a></dt><dt><a href="#id2869309">Preparing for Domain Control</a></dt></dl></dd><dt><a href="#id2869698">Domain Control - Example Configuration</a></dt><dt><a href="#id2870186">Samba ADS Domain Control</a></dt><dt><a href="#id2870238">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="#id2870253">Domain Network Logon Service</a></dt><dt><a href="#id2870678">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="#id2870825">Common Errors</a></dt><dd><dl><dt><a href="#id2870831">'$' cannot be included in machine name</a></dt><dt><a href="#id2870890">Joining domain fails because of existing machine account</a></dt><dt><a href="#id2870945">The system can not log you on (C000019B)....</a></dt><dt><a href="#id2871029">The machine trust account not accessible</a></dt><dt><a href="#id2871102">Account disabled</a></dt><dt><a href="#id2871135">Domain Controller Unavailable</a></dt><dt><a href="#id2871156">Can not log onto domain member workstation after joining domain</a></dt></dl></dd></dl></dd><dt>6. 
<a href="#samba-bdc">Backup Domain Control</a></dt><dd><dl><dt><a href="#id2871317">Features And Benefits</a></dt><dt><a href="#id2871494">Essential Background Information</a></dt><dd><dl><dt><a href="#id2871522">MS Windows NT4 Style Domain Control</a></dt><dt><a href="#id2871772">Active Directory Domain Control</a></dt><dt><a href="#id2871793">What qualifies a Domain Controller on the network?</a></dt><dt><a href="#id2871819">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="#id2871833">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="#id2871968">Example Configuration</a></dt></dl></dd><dt><a href="#id2872125">Common Errors</a></dt><dd><dl><dt><a href="#id2872138">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="#id2872169">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="#id2872196">How do I replicate the smbpasswd file?</a></dt><dt><a href="#id2872240">Can I do this all with LDAP?</a></dt></dl></dd></dl></dd><dt>7. 
<a href="#domain-member">Domain Membership</a></dt><dd><dl><dt><a href="#id2872448">Features and Benefits</a></dt><dt><a href="#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt><a href="#id2872769">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="#id2873061">Using NT4 Server Manager to Add Machine Accounts to the Domain</a></dt><dt><a href="#id2873276">"On-the-Fly" Creation of Machine Trust Accounts</a></dt><dt><a href="#id2873347">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="#domain-member-server">Domain Member Server</a></dt><dd><dl><dt><a href="#id2873558">Joining an NT4 type Domain with Samba-3</a></dt><dt><a href="#id2873995">Why is this better than security = server?</a></dt></dl></dd><dt><a href="#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="#id2874178">Setup your smb.conf</a></dt><dt><a href="#id2874307">Setup your /etc/krb5.conf</a></dt><dt><a href="#ads-create-machine-account">Create the computer account</a></dt><dt><a href="#ads-test-server">Test your server setup</a></dt><dt><a href="#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="#id2874683">Notes</a></dt></dl></dd><dt><a href="#id2874706">Common Errors</a></dt><dd><dl><dt><a href="#id2874732">Can Not Add Machine Back to Domain</a></dt><dt><a href="#id2874764">Adding Machine to Domain Fails</a></dt></dl></dd></dl></dd><dt>8. <a href="#StandAloneServer">Stand-Alone Servers</a></dt><dd><dl><dt><a href="#id2874966">Features and Benefits</a></dt><dt><a href="#id2875004">Background</a></dt><dt><a href="#id2875078">Example Configuration</a></dt><dd><dl><dt><a href="#RefDocServer">Reference Documentation Server</a></dt><dt><a href="#SimplePrintServer">Central Print Serving</a></dt></dl></dd><dt><a href="#id2875598">Common Errors</a></dt></dl></dd><dt>9. 
<a href="#ClientConfig">MS Windows Network Configuration Guide</a></dt><dd><dl><dt><a href="#id2875663">Note</a></dt></dl></dd></dl></dd><dt>III. <a href="#optional">Advanced Configuration</a></dt><dd><dl><dt>10. <a href="#NetworkBrowsing">Samba / MS Windows Network Browsing Guide</a></dt><dd><dl><dt><a href="#id2875816">Features and Benefits</a></dt><dt><a href="#id2875904">What is Browsing?</a></dt><dt><a href="#id2876217">Discussion</a></dt><dd><dl><dt><a href="#id2876233">NetBIOS over TCP/IP</a></dt><dt><a href="#id2876469">TCP/IP - without NetBIOS</a></dt><dt><a href="#id2876635">DNS and Active Directory</a></dt></dl></dd><dt><a href="#id2876781">How Browsing Functions</a></dt><dd><dl><dt><a href="#DMB">Setting up WORKGROUP Browsing</a></dt><dt><a href="#id2877309">Setting up DOMAIN Browsing</a></dt><dt><a href="#browse-force-master">Forcing Samba to be the master</a></dt><dt><a href="#id2877716">Making Samba the domain master</a></dt><dt><a href="#id2877893">Note about broadcast addresses</a></dt><dt><a href="#id2877911">Multiple interfaces</a></dt><dt><a href="#id2877946">Use of the Remote Announce parameter</a></dt><dt><a href="#id2878104">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="#id2878182">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="#id2878371">Setting up a WINS server</a></dt><dt><a href="#id2878627">WINS Replication</a></dt><dt><a href="#id2878652">Static WINS Entries</a></dt></dl></dd><dt><a href="#id2878737">Helpful Hints</a></dt><dd><dl><dt><a href="#id2878750">Windows Networking Protocols</a></dt><dt><a href="#id2878822">Name Resolution Order</a></dt></dl></dd><dt><a href="#id2878986">Technical Overview of browsing</a></dt><dd><dl><dt><a href="#id2879046">Browsing support in Samba</a></dt><dt><a href="#id2879168">Problem resolution</a></dt><dt><a href="#id2879254">Browsing across subnets</a></dt></dl></dd><dt><a href="#id2879936">Common Errors</a></dt><dd><dl><dt><a href="#id2879950">How 
can one flush the Samba NetBIOS name cache without restarting Samba?</a></dt><dt><a href="#id2879979">My client reports "This server is not configured to list shared resources"</a></dt><dt><a href="#id2880021">I get an Unable to browse the network error</a></dt></dl></dd></dl></dd><dt>11. <a href="#passdb">Account Information Databases</a></dt><dd><dl><dt><a href="#id2880302">Features and Benefits</a></dt><dd><dl><dt><a href="#id2880315">Backwards Compatibility Backends</a></dt><dt><a href="#id2880417">New Backends</a></dt></dl></dd><dt><a href="#id2880590">Technical Information</a></dt><dd><dl><dt><a href="#id2880717">Important Notes About Security</a></dt><dt><a href="#id2880966">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt><a href="#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt></dl></dd><dt><a href="#acctmgmttools">Account Management Tools</a></dt><dd><dl><dt><a href="#id2881151">The smbpasswd Command</a></dt><dt><a href="#id2881423">The pdbedit Command</a></dt></dl></dd><dt><a href="#id2881676">Password Backends</a></dt><dd><dl><dt><a href="#id2881717">Plain Text</a></dt><dt><a href="#id2881758">smbpasswd - Encrypted Password Database</a></dt><dt><a href="#id2881871">tdbsam</a></dt><dt><a href="#id2881898">ldapsam</a></dt><dt><a href="#id2883727">MySQL</a></dt><dt><a href="#XMLpassdb">XML</a></dt></dl></dd><dt><a href="#id2884575">Common Errors</a></dt><dd><dl><dt><a href="#id2884582">Users can not logon</a></dt><dt><a href="#id2884627">Users being added to wrong backend database</a></dt><dt><a href="#id2884738">auth methods does not work</a></dt></dl></dd></dl></dd><dt>12. 
<a href="#groupmapping">Mapping MS Windows and UNIX Groups</a></dt><dd><dl><dt><a href="#id2884967">Features and Benefits</a></dt><dt><a href="#id2885202">Discussion</a></dt><dd><dl><dt><a href="#id2885422">Example Configuration</a></dt></dl></dd><dt><a href="#id2885489">Configuration Scripts</a></dt><dd><dl><dt><a href="#id2885503">Sample smb.conf add group script</a></dt><dt><a href="#id2885582">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="#id2885658">Common Errors</a></dt><dd><dl><dt><a href="#id2885674">Adding Groups Fails</a></dt><dt><a href="#id2885742">Adding MS Windows Groups to MS Windows Groups Fails</a></dt><dt><a href="#id2885768">Adding Domain Users to the Power Users group</a></dt></dl></dd></dl></dd><dt>13. <a href="#AccessControls">File, Directory and Share Access Controls</a></dt><dd><dl><dt><a href="#id2886024">Features and Benefits</a></dt><dt><a href="#id2886154">File System Access Controls</a></dt><dd><dl><dt><a href="#id2886190">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt><a href="#id2886489">Managing Directories</a></dt><dt><a href="#id2886582">File and Directory Access Control</a></dt></dl></dd><dt><a href="#id2886810">Share Definition Access Controls</a></dt><dd><dl><dt><a href="#id2886837">User and Group Based Controls</a></dt><dt><a href="#id2887260">File and Directory Permissions Based Controls</a></dt><dt><a href="#id2887639">Miscellaneous Controls</a></dt></dl></dd><dt><a href="#id2888020">Access Controls on Shares</a></dt><dd><dl><dt><a href="#id2888092">Share Permissions Management</a></dt></dl></dd><dt><a href="#id2888391">MS Windows Access Control Lists and UNIX Interoperability</a></dt><dd><dl><dt><a href="#id2888399">Managing UNIX permissions Using NT Security Dialogs</a></dt><dt><a href="#id2888444">Viewing File Security on a Samba Share</a></dt><dt><a href="#id2888523">Viewing file ownership</a></dt><dt><a href="#id2888655">Viewing File or Directory Permissions</a></dt><dt><a 
href="#id2888889">Modifying file or directory permissions</a></dt><dt><a href="#id2889049">Interaction with the standard Samba create mask
parameters</a></dt><dt><a href="#id2889446">Interaction with the standard Samba file attribute mapping</a></dt></dl></dd><dt><a href="#id2889526">Common Errors</a></dt><dd><dl><dt><a href="#id2889540">Users can not write to a public share</a></dt><dt><a href="#id2889969">I have set force user but Samba still makes root the owner of all the files I touch!</a></dt><dt><a href="#id2890022">MS Word with Samba changes owner of file</a></dt></dl></dd></dl></dd><dt>14. <a href="#locking">File and Record Locking</a></dt><dd><dl><dt><a href="#id2890270">Features and Benefits</a></dt><dt><a href="#id2890336">Discussion</a></dt><dd><dl><dt><a href="#id2890479">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="#id2891158">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="#id2891268">Example Configuration</a></dt></dl></dd><dt><a href="#id2891665">MS Windows Opportunistic Locking and Caching Controls</a></dt><dd><dl><dt><a href="#id2891896">Workstation Service Entries</a></dt><dt><a href="#id2891924">Server Service Entries</a></dt></dl></dd><dt><a href="#id2892003">Persistent Data Corruption</a></dt><dt><a href="#id2892032">Common Errors</a></dt><dd><dl><dt><a href="#id2892106">locking.tdb error messages</a></dt><dt><a href="#id2892144">Problems saving files in MS Office on Windows XP</a></dt><dt><a href="#id2892167">Long delays deleting files over network with XP SP1</a></dt></dl></dd><dt><a href="#id2892198">Additional Reading</a></dt></dl></dd><dt>15. 
<a href="#securing-samba">Securing Samba</a></dt><dd><dl><dt><a href="#id2892365">Introduction</a></dt><dt><a href="#id2892398">Features and Benefits</a></dt><dt><a href="#id2892471">Technical Discussion of Protective Measures and Issues</a></dt><dd><dl><dt><a href="#id2892490">Using host based protection</a></dt><dt><a href="#id2892590">User based protection</a></dt><dt><a href="#id2892650">Using interface protection</a></dt><dt><a href="#id2892717">Using a firewall</a></dt><dt><a href="#id2892774">Using a IPC$ share deny</a></dt><dt><a href="#id2892867">NTLMv2 Security</a></dt></dl></dd><dt><a href="#id2892926">Upgrading Samba</a></dt><dt><a href="#id2892950">Common Errors</a></dt><dd><dl><dt><a href="#id2892968">Smbclient works on localhost, but the network is dead</a></dt><dt><a href="#id2892992">Why can users access home directories of other users?</a></dt></dl></dd></dl></dd><dt>16. <a href="#InterdomainTrusts">Interdomain Trust Relationships</a></dt><dd><dl><dt><a href="#id2893283">Features and Benefits</a></dt><dt><a href="#id2893311">Trust Relationship Background</a></dt><dt><a href="#id2893400">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="#id2893428">Creating an NT4 Domain Trust</a></dt><dt><a href="#id2893500">Completing an NT4 Domain Trust</a></dt><dt><a href="#id2893547">Inter-Domain Trust Facilities</a></dt></dl></dd><dt><a href="#id2893725">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt><a href="#id2893918">Samba as the Trusting Domain</a></dt></dl></dd><dt><a href="#id2894055">NT4-style Domain Trusts with Windows 2000</a></dt><dt><a href="#id2894162">Common Errors</a></dt></dl></dd><dt>17. <a href="#msdfs">Hosting a Microsoft Distributed File System tree on Samba</a></dt><dd><dl><dt><a href="#id2894231">Features and Benefits</a></dt><dt><a href="#id2894506">Common Errors</a></dt></dl></dd><dt>18. 
<a href="#printing">Classical Printing Support</a></dt><dd><dl><dt><a href="#id2894626">Features and Benefits</a></dt><dt><a href="#id2894693">Technical Introduction</a></dt><dd><dl><dt><a href="#id2894730">What happens if you send a Job from a Client</a></dt><dt><a href="#id2894801">Printing Related Configuration Parameters</a></dt><dt><a href="#id2894888">Parameters Recommended for Use</a></dt></dl></dd><dt><a href="#id2895354">A simple Configuration to Print</a></dt><dd><dl><dt><a href="#id2895518">Verification of "Settings in Use" with testparm</a></dt><dt><a href="#id2895606">A little Experiment to warn you</a></dt></dl></dd><dt><a href="#id2895939">Extended Sample Configuration to Print</a></dt><dt><a href="#id2896270">Detailed Explanation of the Example's Settings</a></dt><dd><dl><dt><a href="#id2896282">The [global] Section</a></dt><dt><a href="#id2896767">The [printers] Section</a></dt><dt><a href="#id2897210">Any [my_printer_name] Section</a></dt><dt><a href="#id2897534">Print Commands</a></dt><dt><a href="#id2897592">Default Print Commands for various UNIX Print Subsystems</a></dt><dt><a href="#id2898261">Setting up your own Print Commands</a></dt></dl></dd><dt><a href="#id2898591">Innovations in Samba Printing since 2.2</a></dt><dd><dl><dt><a href="#id2898740">Client Drivers on Samba Server for Point'n'Print</a></dt><dt><a href="#id2898892">The [printer$] Section is removed from Samba 3</a></dt><dt><a href="#id2899004">Creating the [print$] Share</a></dt><dt><a href="#id2899189">Parameters in the [print$] Section</a></dt><dt><a href="#id2899475">Subdirectory Structure in [print$]</a></dt></dl></dd><dt><a href="#id2899643">Installing Drivers into [print$]</a></dt><dd><dl><dt><a href="#id2899736">Setting Drivers for existing Printers with a Client GUI</a></dt><dt><a href="#id2899935">Setting Drivers for existing Printers with
rpcclient</a></dt></dl></dd><dt><a href="#id2901625">Client Driver Install Procedure</a></dt><dd><dl><dt><a href="#id2901643">The first Client Driver Installation</a></dt><dt><a href="#id2901839">IMPORTANT! Setting Device Modes on new Printers</a></dt><dt><a href="#id2902136">Further Client Driver Install Procedures</a></dt><dt><a href="#id2902231">Always make first Client Connection as root or "printer admin"</a></dt></dl></dd><dt><a href="#id2902399">Other Gotchas</a></dt><dd><dl><dt><a href="#id2902431">Setting Default Print Options for the Client Drivers</a></dt><dt><a href="#id2902874">Supporting large Numbers of Printers</a></dt><dt><a href="#id2903177">Adding new Printers with the Windows NT APW</a></dt><dt><a href="#id2903470">Weird Error Message Cannot connect under a
different Name</a></dt><dt><a href="#id2903569">Be careful when assembling Driver Files</a></dt><dt><a href="#id2903854">Samba and Printer Ports</a></dt><dt><a href="#id2903932">Avoiding the most common Misconfigurations of the Client Driver</a></dt></dl></dd><dt><a href="#id2903954">The Imprints Toolset</a></dt><dd><dl><dt><a href="#id2903998">What is Imprints?</a></dt><dt><a href="#id2904040">Creating Printer Driver Packages</a></dt><dt><a href="#id2904059">The Imprints Server</a></dt><dt><a href="#id2904083">The Installation Client</a></dt></dl></dd><dt><a href="#id2904236">Add Network Printers at Logon without User Interaction</a></dt><dt><a href="#id2904556">The addprinter command</a></dt><dt><a href="#id2904602">Migration of "Classical" printing to Samba</a></dt><dt><a href="#id2904779">Publishing Printer Information in Active Directory or LDAP</a></dt><dt><a href="#id2904793">Common Errors</a></dt><dd><dl><dt><a href="#id2904800">I give my root password but I don't get access</a></dt><dt><a href="#id2904834">My printjobs get spooled into the spooling directory, but then get lost</a></dt></dl></dd></dl></dd><dt>19. <a href="#CUPS-printing">CUPS Printing Support in Samba 3.0</a></dt><dd><dl><dt><a href="#id2904970">Introduction</a></dt><dd><dl><dt><a href="#id2904977">Features and Benefits</a></dt><dt><a href="#id2905020">Overview</a></dt></dl></dd><dt><a href="#id2905074">Basic Configuration of CUPS support</a></dt><dd><dl><dt><a href="#id2905167">Linking of smbd with libcups.so</a></dt><dt><a href="#id2905408">Simple smb.conf Settings for CUPS</a></dt><dt><a href="#id2905584">More complex smb.conf Settings for
CUPS</a></dt></dl></dd><dt><a href="#id2905929">Advanced Configuration</a></dt><dd><dl><dt><a href="#id2905949">Central spooling vs. "Peer-to-Peer" printing</a></dt><dt><a href="#id2905999">CUPS/Samba as a "spooling-only" Print Server; "raw" printing
with Vendor Drivers on Windows Clients</a></dt><dt><a href="#id2906051">Driver Installation Methods on Windows Clients</a></dt><dt><a href="#id2906119">Explicitly enable "raw" printing for
application/octet-stream!</a></dt><dt><a href="#id2906306">Three familiar Methods for driver upload plus a new one</a></dt></dl></dd><dt><a href="#id2906432">Using CUPS/Samba in an advanced Way -- intelligent printing
with PostScript Driver Download</a></dt><dd><dl><dt><a href="#gdipost">GDI on Windows -- PostScript on UNIX</a></dt><dt><a href="#id2906600">Windows Drivers, GDI and EMF</a></dt><dt><a href="#id2906741">UNIX Printfile Conversion and GUI Basics</a></dt><dt><a href="#post-and-ghost">PostScript and Ghostscript</a></dt><dt><a href="#id2907029">Ghostscript -- the Software RIP for non-PostScript Printers</a></dt><dt><a href="#id2907154">PostScript Printer Description (PPD) Specification</a></dt><dt><a href="#id2907241">CUPS can use all Windows-formatted Vendor PPDs</a></dt><dt><a href="#id2907348">CUPS also uses PPDs for non-PostScript Printers</a></dt></dl></dd><dt><a href="#id2907370">The CUPS Filtering Architecture</a></dt><dd><dl><dt><a href="#id2907545">MIME types and CUPS Filters</a></dt><dt><a href="#id2907752">MIME type Conversion Rules</a></dt><dt><a href="#id2907903">Filter Requirements</a></dt><dt><a href="#id2908080">Prefilters</a></dt><dt><a href="#id2908183">pstops</a></dt><dt><a href="#id2908292">pstoraster</a></dt><dt><a href="#id2908476">imagetops and imagetoraster</a></dt><dt><a href="#id2908539">rasterto [printers specific]</a></dt><dt><a href="#id2908691">CUPS Backends</a></dt><dt><a href="#id2909039">cupsomatic/Foomatic -- how do they fit into the Picture?</a></dt><dt><a href="#id2909176">The Complete Picture</a></dt><dt><a href="#id2909191">mime.convs</a></dt><dt><a href="#id2909245">"Raw" printing</a></dt><dt><a href="#id2909312">"application/octet-stream" printing</a></dt><dt><a href="#id2909544">PostScript Printer Descriptions (PPDs) for non-PS Printers</a></dt><dt><a href="#id2909807">Difference between cupsomatic/foomatic-rip and
native CUPS printing</a></dt><dt><a href="#id2910018">Examples for filtering Chains</a></dt><dt><a href="#id2910331">Sources of CUPS drivers / PPDs</a></dt><dt><a href="#id2910470">Printing with Interface Scripts</a></dt></dl></dd><dt><a href="#id2910560">Network printing (purely Windows)</a></dt><dd><dl><dt><a href="#id2910577">From Windows Clients to an NT Print Server</a></dt><dt><a href="#id2910632">Driver Execution on the Client</a></dt><dt><a href="#id2910701">Driver Execution on the Server</a></dt></dl></dd><dt><a href="#id2910813">Network Printing (Windows clients -- UNIX/Samba Print
Servers)</a></dt><dd><dl><dt><a href="#id2910833">From Windows Clients to a CUPS/Samba Print Server</a></dt><dt><a href="#id2911043">Samba receiving Jobfiles and passing them to CUPS</a></dt></dl></dd><dt><a href="#id2911125">Network PostScript RIP: CUPS Filters on Server -- clients use
PostScript Driver with CUPS-PPDs</a></dt><dd><dl><dt><a href="#id2911206">PPDs for non-PS Printers on UNIX</a></dt><dt><a href="#id2911255">PPDs for non-PS Printers on Windows</a></dt></dl></dd><dt><a href="#id2911328">Windows Terminal Servers (WTS) as CUPS Clients</a></dt><dd><dl><dt><a href="#id2911345">Printer Drivers running in "Kernel Mode" cause many
Problems</a></dt><dt><a href="#id2911379">Workarounds impose Heavy Limitations</a></dt><dt><a href="#id2911400">CUPS: a "Magical Stone"?</a></dt><dt><a href="#id2911445">PostScript Drivers with no major problems -- even in Kernel
Mode</a></dt></dl></dd><dt><a href="#id2911506">Setting up CUPS for driver Download</a></dt><dd><dl><dt><a href="#id2911524">cupsaddsmb: the unknown Utility</a></dt><dt><a href="#id2911625">Prepare your smb.conf for cupsaddsmb</a></dt><dt><a href="#id2911845">CUPS Package of "PostScript Driver for WinNT/2k/XP"</a></dt><dt><a href="#id2912128">Recognize the different Driver Files</a></dt><dt><a href="#id2912268">Acquiring the Adobe Driver Files</a></dt><dt><a href="#id2912301">ESP Print Pro Package of "PostScript Driver for
WinNT/2k/XP"</a></dt><dt><a href="#id2912362">Caveats to be considered</a></dt><dt><a href="#id2912629">Benefits of using "CUPS PostScript Driver for
Windows NT/2k/XP" instead of Adobe Driver</a></dt><dt><a href="#id2912835">Run "cupsaddsmb" (quiet Mode)</a></dt><dt><a href="#id2912958">Run "cupsaddsmb" with verbose Output</a></dt><dt><a href="#id2913117">Understanding cupsaddsmb</a></dt><dt><a href="#id2913264">How to recognize if cupsaddsmb completed successfully</a></dt><dt><a href="#id2913349">cupsaddsmb with a Samba PDC</a></dt><dt><a href="#id2913427">cupsaddsmb Flowchart</a></dt><dt><a href="#id2913497">Installing the PostScript Driver on a Client</a></dt><dt><a href="#id2913646">Avoiding critical PostScript Driver Settings on the
Client</a></dt></dl></dd><dt><a href="#id2913780">Installing PostScript Driver Files manually (using
rpcclient)</a></dt><dd><dl><dt><a href="#id2913973">A Check of the rpcclient man Page</a></dt><dt><a href="#id2914086">Understanding the rpcclient man page</a></dt><dt><a href="#id2914186">Producing an Example by querying a Windows Box</a></dt><dt><a href="#id2914333">What is required for adddriver and setdriver to succeed</a></dt><dt><a href="#id2914542">Manual Driver Installation in 15 Steps</a></dt><dt><a href="#id2915566">Troubleshooting revisited</a></dt></dl></dd><dt><a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt><a href="#id2915962">Trivial DataBase Files</a></dt><dt><a href="#id2916041">Binary Format</a></dt><dt><a href="#id2916103">Losing *.tdb Files</a></dt><dt><a href="#id2916162">Using tdbbackup</a></dt></dl></dd><dt><a href="#id2916297">CUPS Print Drivers from Linuxprinting.org</a></dt><dd><dl><dt><a href="#id2916436">foomatic-rip and Foomatic explained</a></dt><dt><a href="#id2917129">foomatic-rip and Foomatic-PPD Download and Installation</a></dt></dl></dd><dt><a href="#id2917602">Page Accounting with CUPS</a></dt><dd><dl><dt><a href="#id2917645">Setting up Quotas</a></dt><dt><a href="#id2917708">Correct and incorrect Accounting</a></dt><dt><a href="#id2917748">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt><a href="#id2917829">The page_log File Syntax</a></dt><dt><a href="#id2917938">Possible Shortcomings</a></dt><dt><a href="#id2918010">Future Developments</a></dt><dt><a href="#id2918058">Other Accounting Tools</a></dt></dl></dd><dt><a href="#id2918072">Additional Material</a></dt><dt><a href="#id2918267">Auto-Deletion or Preservation of CUPS Spool Files</a></dt><dd><dl><dt><a href="#id2918326">CUPS Configuration Settings explained</a></dt><dt><a href="#id2918407">Pre-conditions</a></dt><dt><a href="#id2918564">Manual Configuration</a></dt></dl></dd><dt><a href="#id2918622">In Case of Trouble.....</a></dt><dt><a href="#id2918682">Printing from CUPS to Windows attached
Printers</a></dt><dt><a href="#id2918955">More CUPS filtering Chains</a></dt><dt><a href="#id2796634">Common Errors</a></dt><dd><dl><dt><a href="#id2796642">Win9x client can't install driver</a></dt><dt><a href="#id2919061">"cupsaddsmb" keeps asking for root password in
neverending loop</a></dt><dt><a href="#id2919107">"cupsaddsmb" gives "No PPD file for printer..."
message while PPD file is present</a></dt><dt><a href="#id2919163">Client can't connect to Samba printer</a></dt><dt><a href="#id2919497">Can't reconnect to Samba under new account
from Win2K/XP</a></dt><dt><a href="#id2919582">Avoid being connected to the Samba server as the
"wrong" user</a></dt><dt><a href="#id2919635">Upgrading to CUPS drivers from Adobe drivers on
NT/2K/XP clients gives problems</a></dt><dt><a href="#id2919649">Can't use "cupsaddsmb" on Samba server which is
a PDC</a></dt><dt><a href="#id2919678">Deleted Win2K printer driver is still shown</a></dt><dt><a href="#id2919695">Win2K/XP "Local Security
Policies"</a></dt><dt><a href="#id2919711">WinXP clients: "Administrator can not install
printers for all local users"</a></dt><dt><a href="#id2919733">"Print Change Notify" functions on
NT-clients</a></dt><dt><a href="#id2919752">WinXP-SP1</a></dt><dt><a href="#id2919794">Print options for all users can't be set on Win2K/XP</a></dt><dt><a href="#id2920067">Most common blunders in driver
settings on Windows clients</a></dt><dt><a href="#id2920114">cupsaddsmb does not work
with newly installed printer</a></dt><dt><a href="#id2920175">Permissions on
/var/spool/samba/ get reset after each
reboot</a></dt><dt><a href="#id2920284">Printer named "lp"
intermittently swallows jobs and spits out completely different
ones</a></dt><dt><a href="#id2920314">Location of Adobe PostScript driver files necessary for "cupsaddsmb"</a></dt></dl></dd><dt><a href="#id2920369">An Overview of the CUPS Printing Processes</a></dt></dl></dd><dt>20. <a href="#VFS">Stackable VFS modules</a></dt><dd><dl><dt><a href="#id2920538">Features and Benefits</a></dt><dt><a href="#id2920556">Discussion</a></dt><dt><a href="#id2920786">Included modules</a></dt><dd><dl><dt><a href="#id2920793">audit</a></dt><dt><a href="#id2920835">extd_audit</a></dt><dt><a href="#id2920965">fake_perms</a></dt><dt><a href="#id2920984">recycle</a></dt><dt><a href="#id2921153">netatalk</a></dt></dl></dd><dt><a href="#id2921198">VFS modules available elsewhere</a></dt><dd><dl><dt><a href="#id2921220">DatabaseFS</a></dt><dt><a href="#id2921286">vscan</a></dt></dl></dd></dl></dd><dt>21. <a href="#winbind">Winbind: Use of Domain Accounts</a></dt><dd><dl><dt><a href="#id2921516">Features and Benefits</a></dt><dt><a href="#id2921611">Introduction</a></dt><dt><a href="#id2921688">What Winbind Provides</a></dt><dd><dl><dt><a href="#id2921756">Target Uses</a></dt></dl></dd><dt><a href="#id2921786">How Winbind Works</a></dt><dd><dl><dt><a href="#id2921815">Microsoft Remote Procedure Calls</a></dt><dt><a href="#id2921849">Microsoft Active Directory Services</a></dt><dt><a href="#id2921872">Name Service Switch</a></dt><dt><a href="#id2922009">Pluggable Authentication Modules</a></dt><dt><a href="#id2922081">User and Group ID Allocation</a></dt><dt><a href="#id2922128">Result Caching</a></dt></dl></dd><dt><a href="#id2922156">Installation and Configuration</a></dt><dd><dl><dt><a href="#id2922164">Introduction</a></dt><dt><a href="#id2922231">Requirements</a></dt><dt><a href="#id2922333">Testing Things Out</a></dt></dl></dd><dt><a href="#id2923890">Conclusion</a></dt><dt><a href="#id2923909">Common Errors</a></dt><dd><dl><dt><a href="#id2923962">NSCD Problem Warning</a></dt></dl></dd></dl></dd><dt>22. 
<a href="#AdvancedNetworkManagement">Advanced Network Management</a></dt><dd><dl><dt><a href="#id2924071">Features and Benefits</a></dt><dt><a href="#id2924101">Remote Server Administration</a></dt><dt><a href="#id2924200">Remote Desktop Management</a></dt><dd><dl><dt><a href="#id2924218">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="#id2924438">Network Logon Script Magic</a></dt><dd><dl><dt><a href="#id2924711">Adding printers without user intervention</a></dt></dl></dd><dt><a href="#id2924744">Common Errors</a></dt></dl></dd><dt>23. <a href="#PolicyMgmt">System and Account Policies</a></dt><dd><dl><dt><a href="#id2924822">Features and Benefits</a></dt><dt><a href="#id2924888">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="#id2924999">Windows 9x/Me Policies</a></dt><dt><a href="#id2925094">Windows NT4 Style Policy Files</a></dt><dt><a href="#id2925227">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="#id2925491">Managing Account/User Policies</a></dt><dd><dl><dt><a href="#id2925596">Samba Editreg Toolset</a></dt><dt><a href="#id2925636">Windows NT4/200x</a></dt><dt><a href="#id2925655">Samba PDC</a></dt></dl></dd><dt><a href="#id2925700">System Startup and Logon Processing Overview</a></dt><dt><a href="#id2925851">Common Errors</a></dt><dd><dl><dt><a href="#id2925865">Policy Does Not Work</a></dt></dl></dd></dl></dd><dt>24. 
<a href="#ProfileMgmt">Desktop Profile Management</a></dt><dd><dl><dt><a href="#id2925964">Features and Benefits</a></dt><dt><a href="#id2925999">Roaming Profiles</a></dt><dd><dl><dt><a href="#id2926040">Samba Configuration for Profile Handling</a></dt><dt><a href="#id2926530">Windows Client Profile Configuration Information</a></dt><dt><a href="#id2927776">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="#id2927861">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="#id2928114">Mandatory profiles</a></dt><dt><a href="#id2928172">Creating/Managing Group Profiles</a></dt><dt><a href="#id2928216">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="#id2928237">MS Windows 9x/Me</a></dt><dt><a href="#id2928385">MS Windows NT4 Workstation</a></dt><dt><a href="#id2928939">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="#id2929447">Common Errors</a></dt><dd><dl><dt><a href="#id2929460">Setting up roaming profiles for just a few user's or group's?</a></dt><dt><a href="#id2929529">Can NOT use Roaming Profiles</a></dt><dt><a href="#id2929742">Changing the default profile</a></dt></dl></dd></dl></dd><dt>25. <a href="#pam">PAM based Distributed Authentication</a></dt><dd><dl><dt><a href="#id2930024">Features and Benefits</a></dt><dt><a href="#id2930271">Technical Discussion</a></dt><dd><dl><dt><a href="#id2930288">PAM Configuration Syntax</a></dt><dt><a href="#id2930969">Example System Configurations</a></dt><dt><a href="#id2931283">smb.conf PAM Configuration</a></dt><dt><a href="#id2931361">Remote CIFS Authentication using winbindd.so</a></dt><dt><a href="#id2931445">Password Synchronization using pam_smbpass.so</a></dt></dl></dd><dt><a href="#id2931826">Common Errors</a></dt><dd><dl><dt><a href="#id2931839">pam_winbind problem</a></dt><dt><a href="#id2931926">Winbind is not resolving users and groups</a></dt></dl></dd></dl></dd><dt>26. 
<a href="#integrate-ms-networks">Integrating MS Windows networks with Samba</a></dt><dd><dl><dt><a href="#id2932164">Features and Benefits</a></dt><dt><a href="#id2932188">Background Information</a></dt><dt><a href="#id2932259">Name Resolution in a pure UNIX/Linux world</a></dt><dd><dl><dt><a href="#id2932315">/etc/hosts</a></dt><dt><a href="#id2932456">/etc/resolv.conf</a></dt><dt><a href="#id2932499">/etc/host.conf</a></dt><dt><a href="#id2932551">/etc/nsswitch.conf</a></dt></dl></dd><dt><a href="#id2932655">Name resolution as used within MS Windows networking</a></dt><dd><dl><dt><a href="#id2932922">The NetBIOS Name Cache</a></dt><dt><a href="#id2932985">The LMHOSTS file</a></dt><dt><a href="#id2933234">HOSTS file</a></dt><dt><a href="#id2933266">DNS Lookup</a></dt><dt><a href="#id2933298">WINS Lookup</a></dt></dl></dd><dt><a href="#id2933416">Common Errors</a></dt><dd><dl><dt><a href="#id2933432">Pinging works only in one way</a></dt><dt><a href="#id2933465">Very Slow Network Connections</a></dt><dt><a href="#id2933517">Samba server name change problem</a></dt></dl></dd></dl></dd><dt>27. <a href="#unicode">Unicode/Charsets</a></dt><dd><dl><dt><a href="#id2933721">Features and Benefits</a></dt><dt><a href="#id2933765">What are charsets and unicode?</a></dt><dt><a href="#id2933835">Samba and charsets</a></dt><dt><a href="#id2933962">Conversion from old names</a></dt><dt><a href="#id2933992">Japanese charsets</a></dt><dt><a href="#id2934130">Common errors</a></dt><dd><dl><dt><a href="#id2934137">CP850.so can't be found</a></dt></dl></dd></dl></dd><dt>28. <a href="#Backup">Samba Backup Techniques</a></dt><dd><dl><dt><a href="#id2934250">Note</a></dt><dt><a href="#id2934264">Features and Benefits</a></dt></dl></dd><dt>29. <a href="#SambaHA">High Availability Options</a></dt><dd><dl><dt><a href="#id2934334">Note</a></dt></dl></dd></dl></dd><dt>IV. <a href="#migration">Migration and Updating</a></dt><dd><dl><dt>30. 
<a href="#upgrading-to-3.0">Upgrading from Samba-2.x to Samba-3.0.0</a></dt><dd><dl><dt><a href="#id2934473">New Features in Samba-3</a></dt><dt><a href="#id2934602">Configuration Parameter Changes</a></dt><dd><dl><dt><a href="#id2934617">Removed Parameters</a></dt><dt><a href="#id2934744">New Parameters</a></dt><dt><a href="#id2935140">Modified Parameters (changes in behavior):</a></dt></dl></dd><dt><a href="#id2935215">New Functionality</a></dt><dd><dl><dt><a href="#id2935222">Databases</a></dt><dt><a href="#id2935456">Changes in Behavior</a></dt><dt><a href="#id2935505">Charsets</a></dt><dt><a href="#id2935529">Passdb Backends and Authentication</a></dt><dt><a href="#id2935648">Charsets</a></dt><dt><a href="#id2935672">LDAP</a></dt></dl></dd></dl></dd><dt>31. <a href="#NT4Migration">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt><a href="#id2936004">Planning and Getting Started</a></dt><dd><dl><dt><a href="#id2936029">Objectives</a></dt><dt><a href="#id2936467">Steps In Migration Process</a></dt></dl></dd><dt><a href="#id2936679">Migration Options</a></dt><dd><dl><dt><a href="#id2936770">Planning for Success</a></dt><dt><a href="#id2937026">Samba-3 Implementation Choices</a></dt></dl></dd></dl></dd><dt>32. <a href="#SWAT">SWAT - The Samba Web Administration Tool</a></dt><dd><dl><dt><a href="#id2937386">Features and Benefits</a></dt><dd><dl><dt><a href="#id2937426">Enabling SWAT for use</a></dt><dt><a href="#id2937663">Securing SWAT through SSL</a></dt><dt><a href="#id2937775">The SWAT Home Page</a></dt><dt><a href="#id2937837">Global Settings</a></dt><dt><a href="#id2937944">Share Settings</a></dt><dt><a href="#id2938008">Printers Settings</a></dt><dt><a href="#id2938072">The SWAT Wizard</a></dt><dt><a href="#id2938120">The Status Page</a></dt><dt><a href="#id2938171">The View Page</a></dt><dt><a href="#id2938195">The Password Change Page</a></dt></dl></dd></dl></dd></dl></dd><dt>V. <a href="#troubleshooting">Troubleshooting</a></dt><dd><dl><dt>33. 
<a href="#diagnosis">The Samba checklist</a></dt><dd><dl><dt><a href="#id2938325">Introduction</a></dt><dt><a href="#id2938359">Assumptions</a></dt><dt><a href="#id2938586">The tests</a></dt></dl></dd><dt>34. <a href="#problems">Analysing and solving samba problems</a></dt><dd><dl><dt><a href="#id2940060">Diagnostics tools</a></dt><dd><dl><dt><a href="#id2940082">Debugging with Samba itself</a></dt><dt><a href="#id2940195">Tcpdump</a></dt><dt><a href="#id2940216">Ethereal</a></dt><dt><a href="#id2940268">The Windows Network Monitor</a></dt></dl></dd><dt><a href="#id2940586">Useful URLs</a></dt><dt><a href="#id2940626">Getting help from the mailing lists</a></dt><dt><a href="#id2940778">How to get off the mailing lists</a></dt></dl></dd><dt>35. <a href="#bugreport">Reporting Bugs</a></dt><dd><dl><dt><a href="#id2940906">Introduction</a></dt><dt><a href="#id2940969">General info</a></dt><dt><a href="#id2941006">Debug levels</a></dt><dt><a href="#id2941215">Internal errors</a></dt><dt><a href="#id2941348">Attaching to a running process</a></dt><dt><a href="#id2941395">Patches</a></dt></dl></dd></dl></dd><dt>VI. <a href="#Appendixes">Appendixes</a></dt><dd><dl><dt>36. <a href="#compiling">How to compile Samba</a></dt><dd><dl><dt><a href="#id2941554">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="#id2941570">Introduction</a></dt><dt><a href="#id2941600">CVS Access to samba.org</a></dt></dl></dd><dt><a href="#id2941849">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="#id2941913">Verifying Samba's PGP signature</a></dt><dt><a href="#id2942063">Building the Binaries</a></dt><dd><dl><dt><a href="#id2942242">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="#id2942409">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="#id2942516">Starting from inetd.conf</a></dt><dt><a href="#id2942763">Alternative: starting it as a daemon</a></dt></dl></dd></dl></dd><dt>37. 
<a href="#Portability">Portability</a></dt><dd><dl><dt><a href="#id2942927">HPUX</a></dt><dt><a href="#id2943015">SCO UNIX</a></dt><dt><a href="#id2943044">DNIX</a></dt><dt><a href="#id2943217">RedHat Linux Rembrandt-II</a></dt><dt><a href="#id2943261">AIX</a></dt><dd><dl><dt><a href="#id2943268">Sequential Read Ahead</a></dt></dl></dd><dt><a href="#id2943294">Solaris</a></dt><dd><dl><dt><a href="#id2943299">Locking improvements</a></dt><dt><a href="#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="#Other-Clients">Samba and other CIFS clients</a></dt><dd><dl><dt><a href="#id2943452">Macintosh clients?</a></dt><dt><a href="#id2943531">OS2 Client</a></dt><dd><dl><dt><a href="#id2943538">Configuring OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba</a></dt><dt><a href="#id2943607">Configuring OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba</a></dt><dt><a href="#id2943660">Printer driver download for OS/2 clients?</a></dt></dl></dd><dt><a href="#id2943760">Windows for Workgroups</a></dt><dd><dl><dt><a href="#id2943768">Latest TCP/IP stack from Microsoft</a></dt><dt><a href="#id2943858">Delete .pwl files after password change</a></dt><dt><a href="#id2943888">Configuring WfW password handling</a></dt><dt><a href="#id2943941">Case handling of passwords</a></dt><dt><a href="#id2943979">Use TCP/IP as default protocol</a></dt><dt><a href="#id2943996">Speed improvement</a></dt></dl></dd><dt><a href="#id2944042">Windows '95/'98</a></dt><dd><dl><dt><a href="#id2944116">Speed improvement</a></dt></dl></dd><dt><a href="#id2944140">Windows 2000 Service Pack 2</a></dt><dt><a href="#id2944326">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="#speed">Samba Performance Tuning</a></dt><dd><dl><dt><a href="#id2944458">Comparisons</a></dt><dt><a href="#id2944501">Socket options</a></dt><dt><a href="#id2944592">Read size</a></dt><dt><a href="#id2944641">Max xmit</a></dt><dt><a href="#id2944701">Log level</a></dt><dt><a href="#id2944732">Read raw</a></dt><dt><a href="#id2944816">Write raw</a></dt><dt><a href="#id2944879">Slow Logins</a></dt><dt><a href="#id2944908">Client tuning</a></dt><dt><a href="#id2944932">Samba performance problem due to changing kernel</a></dt><dt><a href="#id2944965">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="#DNSDHCP">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="#id2945070">Note</a></dt></dl></dd><dt>41. <a href="#Further-Resources">Further Resources</a></dt><dd><dl><dt><a href="#id2945137">Websites</a></dt><dt><a href="#id2945545">Related updates from Microsoft</a></dt></dl></dd></dl></dd><dt><a href="#id2945614">Index</a></dt></dl></div><div class="list-of-figures"><p><b>List of Figures</b></p><dl><dt>5.1. <a href="#domain-example">An Example Domain</a></dt><dt>10.1. 
<a href="#browsing1">Cross subnet browsing example</a></dt><dt>11.1. <a href="#idmap-diag">IDMAP</a></dt><dt>12.1. <a href="#idmap-group-diag">IDMAP groups</a></dt><dt>13.1. <a href="#access1">Overview of unix permissions field</a></dt><dt>16.1. <a href="#trusts1">Trusts overview</a></dt><dt>19.1. <a href="#small1">Windows Printing to a local Printer</a></dt><dt>19.2. <a href="#small2">Printing to a Postscript Printer</a></dt><dt>19.3. <a href="#small3">Ghostscript as a RIP for non-postscript printers</a></dt><dt>19.4. <a href="#small4">Prefiltering in CUPS to form Postscript</a></dt><dt>19.5. <a href="#small5">Adding Device-specific Print Options</a></dt><dt>19.6. <a href="#small6">Postscript to intermediate Raster format</a></dt><dt>19.7. <a href="#small7">CUPS-raster production using Ghostscript</a></dt><dt>19.8. <a href="#small8">Image format to CUPS-raster format conversion</a></dt><dt>19.9. <a href="#small9">Raster to Printer Specific formats</a></dt><dt>19.10. <a href="#small10">cupsomatic/foomatic processing versus Native CUPS</a></dt><dt>19.11. <a href="#pdftosocket">PDF to socket chain</a></dt><dt>19.12. <a href="#pdftoepsonusb">PDF to USB chain</a></dt><dt>19.13. <a href="#small11">Print Driver execution on the Client</a></dt><dt>19.14. <a href="#small12">Print Driver execution on the Server</a></dt><dt>19.15. <a href="#small13">Printing via CUPS/samba server</a></dt><dt>19.16. <a href="#small14">cupsaddsmb flowchart</a></dt><dt>19.17. <a href="#cups1">Filtering chain 1</a></dt><dt>19.18. <a href="#cups2">Filtering chain with cupsomatic</a></dt><dt>19.19. <a href="#a_small">CUPS Printing Overview</a></dt></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>7.1. <a href="#id2873569">Assumptions</a></dt><dt>10.1. <a href="#id2879437">Browse subnet example 1</a></dt><dt>10.2. <a href="#id2879550">Browse subnet example 2</a></dt><dt>10.3. <a href="#id2879662">Browse subnet example 3</a></dt><dt>10.4. 
<a href="#id2879779">Browse subnet example 4</a></dt><dt>11.1. <a href="#id2883118">Attributes in the sambaSamAccount objectclass (LDAP)</a></dt><dt>11.2. <a href="#id2883914">Basic smb.conf options for MySQL passdb backend</a></dt><dt>11.3. <a href="#id2884046">MySQL field names for MySQL passdb backend</a></dt><dt>13.1. <a href="#id2886508">Managing directories with unix and windows</a></dt><dt>13.2. <a href="#id2886925">User and Group Based Controls</a></dt><dt>13.3. <a href="#id2887281">File and Directory Permission Based Controls</a></dt><dt>13.4. <a href="#id2887661">Other Controls</a></dt><dt>19.1. <a href="#id2909623">PPD's shipped with CUPS</a></dt><dt>20.1. <a href="#id2920882">Extended Auditing Log Information</a></dt><dt>24.1. <a href="#id2928735">User Shell Folder registry keys default values</a></dt><dt>24.2. <a href="#id2928879">Defaults of profile settings registry keys</a></dt><dt>24.3. <a href="#id2929134">Defaults of default user profile paths registry keys</a></dt><dt>25.1. <a href="#id2931477">Options recognized by pam_smbpass</a></dt><dt>26.1. <a href="#id2932688">Unique NetBIOS names</a></dt><dt>26.2. <a href="#id2932758">Group Names</a></dt><dt>30.1. <a href="#id2935241">TDB File Descriptions</a></dt><dt>31.1. <a href="#id2936694">The 3 Major Site Types</a></dt><dt>31.2. <a href="#id2936841">Nature of the Conversion Choices</a></dt></dl></div><div class="list-of-examples"><p><b>List of Examples</b></p><dl><dt>2.1. <a href="#id2802256">Simplest possible smb.conf file</a></dt><dt>5.1. <a href="#pdc-example">smb.conf for being a PDC</a></dt><dt>5.2. <a href="#id2870309">smb.conf for being a PDC</a></dt><dt>6.1. <a href="#id2871704">Minimal smb.conf for being a PDC</a></dt><dt>6.2. <a href="#id2871983">Minimal setup for being a BDC</a></dt><dt>8.1. <a href="#id2875123">smb.conf for Reference Documentation Server</a></dt><dt>8.2. <a href="#id2875442">smb.conf for anonymous printing</a></dt><dt>10.1. 
<a href="#id2877023">Domain master browser smb.conf</a></dt><dt>10.2. <a href="#id2877114">Local master browser smb.conf</a></dt><dt>10.3. <a href="#id2877252">smb.conf for not being a master browser</a></dt><dt>10.4. <a href="#id2877358">Local master browser smb.conf</a></dt><dt>10.5. <a href="#id2877475">smb.conf for not being a master browser</a></dt><dt>11.1. <a href="#idmapbackendexample"></a></dt><dt>11.2. <a href="#id2882685">Configuration with LDAP</a></dt><dt>12.1. <a href="#id2885526">smbgrpadd.sh</a></dt><dt>13.1. <a href="#id2886704">Example File</a></dt><dt>14.1. <a href="#id2891471">Share with some files oplocked</a></dt><dt>14.2. <a href="#id2891612"></a></dt><dt>17.1. <a href="#id2894342">smb.conf with DFS configured</a></dt><dt>18.1. <a href="#id2895382">Simple configuration with BSD printing</a></dt><dt>18.2. <a href="#extbsdpr">Extended configuration with BSD printing</a></dt><dt>18.3. <a href="#id2899046">[print\$] example</a></dt><dt>19.1. <a href="#id2905436">Simplest printing-related smb.conf</a></dt><dt>19.2. <a href="#id2905615">Overriding global CUPS settings for one printer</a></dt><dt>19.3. <a href="#id2911654">smb.conf for cupsaddsmb usage</a></dt><dt>20.1. <a href="#id2920594">smb.conf with VFS modules</a></dt><dt>20.2. <a href="#id2920694">smb.conf with multiple VFS modules</a></dt><dt>21.1. <a href="#id2922722">smb.conf for winbind set-up</a></dt><dt>33.1. <a href="#id2938408">smb.conf with [tmp] share</a></dt><dt>38.1. <a href="#id2944212">Minimal profile share</a></dt></dl></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="id2796910"></a>Legal Notice</h2></div></div><div></div></div><p>
This documentation is distributed under the GNU General Public License (GPL)
version 2. A copy of the license is included with the Samba source
distribution. A copy can be found on-line at <a href="http://www.fsf.org/licenses/gpl.txt" target="_top">http://www.fsf.org/licenses/gpl.txt</a>
</p></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="id2799782"></a>Attributions</h2></div></div><div></div></div><p><a href="#IntroSMB" title="Chapter 1. Introduction to Samba">Introduction to Samba</a></p><div class="itemizedlist"><ul type="disc"><li><p>David Lechnyr &lt;<a href="mailto:david@lechnyr.com" target="_top">david@lechnyr.com</a>&gt;</p></li></ul></div><p><a href="#install" title="Chapter 2. How to Install and Test SAMBA">How to Install and Test SAMBA</a></p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell &lt;<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>&gt;</p></li><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Karl Auer</p></li></ul></div><p><a href="#FastStart" title="Chapter 3. Fast Start for the Impatient">Fast Start for the Impatient</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#ServerType" title="Chapter 4. Server Types and Security Modes">Server Types and Security Modes</a></p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell &lt;<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>&gt;</p></li><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#samba-pdc" title="Chapter 5. Domain Control">Domain Control</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. 
Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Gerald (Jerry) Carter &lt;<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>&gt;</p></li><li><p>David Bannon &lt;<a href="mailto:dbannon@samba.org" target="_top">dbannon@samba.org</a>&gt;</p></li></ul></div><p><a href="#samba-bdc" title="Chapter 6. Backup Domain Control">Backup Domain Control</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Volker Lendecke &lt;<a href="mailto:Volker.Lendecke@SerNet.DE" target="_top">Volker.Lendecke@SerNet.DE</a>&gt;</p></li></ul></div><p><a href="#domain-member" title="Chapter 7. Domain Membership">Domain Membership</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Jeremy Allison &lt;<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>&gt;</p></li><li><p>Gerald (Jerry) Carter &lt;<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>&gt;</p></li><li><p>Andrew Tridgell &lt;<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>&gt;</p></li><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li></ul></div><p><a href="#StandAloneServer" title="Chapter 8. Stand-Alone Servers">Stand-Alone Servers</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#ClientConfig" title="Chapter 9. MS Windows Network Configuration Guide">MS Windows Network Configuration Guide</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#NetworkBrowsing" title="Chapter 10. 
Samba / MS Windows Network Browsing Guide">Samba / MS Windows Network Browsing Guide</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li></ul></div><p><a href="#passdb" title="Chapter 11. Account Information Databases">Account Information Databases</a></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>Gerald (Jerry) Carter &lt;<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>&gt;</p></li><li><p>Jeremy Allison &lt;<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>&gt;</p></li><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Olivier (lem) Lemaire &lt;<a href="mailto:olem@IDEALX.org" target="_top">olem@IDEALX.org</a>&gt;</p></li></ul></div><p><a href="#groupmapping" title="Chapter 12. Mapping MS Windows and UNIX Groups">Mapping MS Windows and UNIX Groups</a></p><div class="itemizedlist"><ul type="disc"><li><p>Jean François Micouleau</p></li><li><p>Gerald (Jerry) Carter &lt;<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>&gt;</p></li><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#AccessControls" title="Chapter 13. File, Directory and Share Access Controls">File, Directory and Share Access Controls</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Jeremy Allison &lt;<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>&gt;</p></li><li><p>Jelmer R. 
Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt; (drawing) </p></li></ul></div><p><a href="#locking" title="Chapter 14. File and Record Locking">File and Record Locking</a></p><div class="itemizedlist"><ul type="disc"><li><p>Jeremy Allison &lt;<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>&gt;</p></li><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Eric Roseme &lt;<a href="mailto:eric.roseme@hp.com" target="_top">eric.roseme@hp.com</a>&gt;</p></li></ul></div><p><a href="#securing-samba" title="Chapter 15. Securing Samba">Securing Samba</a></p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell &lt;<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>&gt;</p></li><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#InterdomainTrusts" title="Chapter 16. Interdomain Trust Relationships">Interdomain Trust Relationships</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Rafal Szczesniak &lt;<a href="mailto:mimir@samba.org" target="_top">mimir@samba.org</a>&gt;</p></li><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt; (drawing) </p></li><li><p>Stephen Langasek &lt;<a href="mailto:vorlon@netexpress.net" target="_top">vorlon@netexpress.net</a>&gt;</p></li></ul></div><p><a href="#msdfs" title="Chapter 17. 
Hosting a Microsoft Distributed File System tree on Samba">Hosting a Microsoft Distributed File System tree on Samba</a></p><div class="itemizedlist"><ul type="disc"><li><p>Shirish Kalele &lt;<a href="mailto:samba@samba.org" target="_top">samba@samba.org</a>&gt;</p></li></ul></div><p><a href="#printing" title="Chapter 18. Classical Printing Support">Classical Printing Support</a></p><div class="itemizedlist"><ul type="disc"><li><p>Kurt Pfeifle &lt;<a href="mailto:kpfeifle@danka.de" target="_top">kpfeifle@danka.de</a>&gt;</p></li><li><p>Gerald (Jerry) Carter &lt;<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>&gt;</p></li></ul></div><p><a href="#CUPS-printing" title="Chapter 19. CUPS Printing Support in Samba 3.0">CUPS Printing Support in Samba 3.0</a></p><div class="itemizedlist"><ul type="disc"><li><p>Kurt Pfeifle &lt;<a href="mailto:kpfeifle@danka.de" target="_top">kpfeifle@danka.de</a>&gt;</p></li><li><p>Ciprian Vizitiu &lt;<a href="mailto:CVizitiu@gbif.org" target="_top">CVizitiu@gbif.org</a>&gt; (drawings) </p></li><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt; (drawings) </p></li></ul></div><p><a href="#VFS" title="Chapter 20. Stackable VFS modules">Stackable VFS modules</a></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Tim Potter</p></li><li><p>Simo Sorce (original vfs_skel README) </p></li><li><p>Alexander Bokovoy (original vfs_netatalk docs) </p></li><li><p>Stefan Metzmacher (Update for multiple modules) </p></li></ul></div><p><a href="#AdvancedNetworkManagement" title="Chapter 22. Advanced Network Management">Advanced Network Management</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. 
Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#PolicyMgmt" title="Chapter 23. System and Account Policies">System and Account Policies</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#ProfileMgmt" title="Chapter 24. Desktop Profile Management">Desktop Profile Management</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#pam" title="Chapter 25. PAM based Distributed Authentication">PAM based Distributed Authentication</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Stephen Langasek &lt;<a href="mailto:vorlon@netexpress.net" target="_top">vorlon@netexpress.net</a>&gt;</p></li></ul></div><p><a href="#integrate-ms-networks" title="Chapter 26. Integrating MS Windows networks with Samba">Integrating MS Windows networks with Samba</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#unicode" title="Chapter 27. Unicode/Charsets">Unicode/Charsets</a></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>TAKAHASHI Motonobu &lt;<a href="mailto:monyo@home.monyo.com" target="_top">monyo@home.monyo.com</a>&gt;</p></li></ul></div><p><a href="#Backup" title="Chapter 28. Samba Backup Techniques">Samba Backup Techniques</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#SambaHA" title="Chapter 29. 
High Availability Options">High Availability Options</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#upgrading-to-3.0" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0">Upgrading from Samba-2.x to Samba-3.0.0</a></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li><li><p>Gerald (Jerry) Carter &lt;<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>&gt;</p></li></ul></div><p><a href="#NT4Migration" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC">Migration from NT4 PDC to Samba-3 PDC</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#SWAT" title="Chapter 32. SWAT - The Samba Web Administration Tool">SWAT - The Samba Web Administration Tool</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#diagnosis" title="Chapter 33. The Samba checklist">The Samba checklist</a></p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell &lt;<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>&gt;</p></li><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li></ul></div><p><a href="#problems" title="Chapter 34. Analysing and solving samba problems">Analysing and solving samba problems</a></p><div class="itemizedlist"><ul type="disc"><li><p>Gerald (Jerry) Carter &lt;<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>&gt;</p></li><li><p>Jelmer R. 
Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>David Bannon &lt;<a href="mailto:dbannon@samba.org" target="_top">dbannon@samba.org</a>&gt;</p></li></ul></div><p><a href="#bugreport" title="Chapter 35. Reporting Bugs">Reporting Bugs</a></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>Andrew Tridgell &lt;<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>&gt;</p></li></ul></div><p><a href="#compiling" title="Chapter 36. How to compile Samba">How to compile Samba</a></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>Andrew Tridgell &lt;<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>&gt;</p></li></ul></div><p><a href="#Portability" title="Chapter 37. Portability">Portability</a></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li></ul></div><p><a href="#Other-Clients" title="Chapter 38. Samba and other CIFS clients">Samba and other CIFS clients</a></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>Jim McDonough &lt;<a href="mailto:jmcd@us.ibm.com" target="_top">jmcd@us.ibm.com</a>&gt; (OS/2) </p></li></ul></div><p><a href="#speed" title="Chapter 39. Samba Performance Tuning">Samba Performance Tuning</a></p><div class="itemizedlist"><ul type="disc"><li><p>Paul Cochrane &lt;<a href="mailto:paulc@dth.scot.nhs.uk" target="_top">paulc@dth.scot.nhs.uk</a>&gt;</p></li><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li><li><p>John H. 
Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#DNSDHCP" title="Chapter 40. DNS and DHCP Configuration Guide">DNS and DHCP Configuration Guide</a></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra &lt;<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>&gt;</p></li></ul></div><p><a href="#Further-Resources" title="Chapter 41. Further Resources">Further Resources</a></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij &lt;<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>&gt;</p></li></ul></div></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="introduction"></a>General Installation</h1></div></div><div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id2801502"></a>Preparing Samba for Configuration</h1></div></div><div></div></div><p>This section of the Samba-HOWTO-Collection contains general info on how to install samba
and how to configure the parts of samba you will most likely need.
PLEASE read this.</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt>1. <a href="#IntroSMB">Introduction to Samba</a></dt><dd><dl><dt><a href="#id2801584">Background</a></dt><dt><a href="#id2801642">Terminology</a></dt><dt><a href="#id2801779">Related Projects</a></dt><dt><a href="#id2801848">SMB Methodology</a></dt><dt><a href="#id2801936">Epilogue</a></dt><dt><a href="#id2802009">Miscellaneous</a></dt></dl></dd><dt>2. <a href="#install">How to Install and Test SAMBA</a></dt><dd><dl><dt><a href="#id2802151">Obtaining and installing samba</a></dt><dt><a href="#id2802195">Configuring samba (smb.conf)</a></dt><dd><dl><dt><a href="#id2802232">Example Configuration</a></dt><dt><a href="#id2866164">SWAT</a></dt></dl></dd><dt><a href="#id2866210">Try listing the shares available on your
server</a></dt><dt><a href="#id2866267">Try connecting with the unix client</a></dt><dt><a href="#id2866384">Try connecting from another SMB client</a></dt><dt><a href="#id2866468">What If Things Don't Work?</a></dt><dt><a href="#id2866500">Common Errors</a></dt><dd><dl><dt><a href="#id2866513">Large number of smbd processes</a></dt><dt><a href="#id2866612">"open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested"</a></dt><dt><a href="#id2866630">"The network name cannot be found"</a></dt></dl></dd></dl></dd><dt>3. <a href="#FastStart">Fast Start for the Impatient</a></dt><dd><dl><dt><a href="#id2866757">Note</a></dt></dl></dd></dl></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Chapter 1. Introduction to Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 14, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2801584">Background</a></dt><dt><a href="#id2801642">Terminology</a></dt><dt><a href="#id2801779">Related Projects</a></dt><dt><a href="#id2801848">SMB Methodology</a></dt><dt><a href="#id2801936">Epilogue</a></dt><dt><a href="#id2802009">Miscellaneous</a></dt></dl></div><p>&#8220;<span class="quote">
"If you understand what you're doing, you're not learning anything."
-- Anonymous
</span>&#8221;</p><p>
Samba is a file and print server for Windows-based clients using TCP/IP as the underlying
transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big
strengths is that you can use it to blend your mix of Windows and Linux machines together
without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed
by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2801584"></a>Background</h2></div></div><div></div></div><p>
Once long ago, there was a buzzword referred to as DCE/RPC. This stood for Distributed
Computing Environment/Remote Procedure Calls and conceptually was a good idea. It was
originally developed by Apollo/HP as NCA 1.0 (Network Computing Architecture) and only
ran over UDP. When there was a need to run it over TCP so that it would be compatible
with DECnet 3.0, it was redesigned, submitted to The Open Group, and officially became
known as DCE/RPC. Microsoft came along and decided, rather than pay $20 per seat to
license this technology, to reimplement DCE/RPC themselves as MSRPC. From this, the
concept continued in the form of SMB (Server Message Block, or the "what") using the
NetBIOS (Network Basic Input/Output System, or the "how") compatibility layer. You can
run SMB (i.e., transport) over several different protocols; many different implementations
arose as a result, including NBIPX (NetBIOS over IPX, NwLnkNb, or NWNBLink) and NBT
(NetBIOS over TCP/IP, or NetBT). As the years passed, NBT became the most common form
of implementation until the advance of "Direct-Hosted TCP" -- the Microsoft marketing
term for eliminating NetBIOS entirely and running SMB by itself across TCP port 445
only. So far, direct-hosted TCP has yet to catch on.
</p><p>
Perhaps the best summary of the origins of SMB is voiced in the 1997 article titled CIFS:
Common Insecurities Fail Scrutiny:
</p><p><span class="emphasis"><em>
Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba
stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have
been dutifully waded through during the information-gathering stages of this project, and there
are *still* many missing pieces... While often tedious, at least the way has been generously
littered with occurrences of clapping hand to forehead and muttering 'crikey, what are they
thinking?'
</em></span></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2801642"></a>Terminology</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
SMB: Acronym for "Server Message Block". This is Microsoft's file and printer sharing protocol.
</p></li><li><p>
CIFS: Acronym for "Common Internet File System". Around 1996, Microsoft apparently
decided that SMB needed the word "Internet" in it, so they changed it to CIFS.
</p></li><li><p>
Direct-Hosted: A method of providing file/printer sharing services over port 445/tcp
only, using DNS for name resolution instead of WINS.
</p></li><li><p>
IPC: Acronym for "Inter-Process Communication". A method to communicate specific
information between programs.
</p></li><li><p>
Marshalling: A method of serializing (i.e., sequential ordering of) variable data
suitable for transmission via a network connection or storing in a file. The source
data can be re-created using a similar process called unmarshalling.
</p></li><li><p>
NetBIOS: Acronym for "Network Basic Input/Output System". This is not a protocol;
it is a method of communication across an existing protocol. This is a standard which
was originally developed for IBM by Sytek in 1983. To exaggerate the analogy a bit,
it can help to think of this in comparison to your computer's BIOS -- it controls the
essential functions of your input/output hardware -- whereas NetBIOS controls the
essential functions of your input/output traffic via the network. Again, this is a bit
of an exaggeration but it should help that paradigm shift. What is important to realize
is that NetBIOS is a transport standard, not a protocol. Unfortunately, even technically
brilliant people tend to interchange NetBIOS with terms like NetBEUI without a second
thought; this will cause no end (and no doubt) of confusion.
</p></li><li><p>
NetBEUI: Acronym for the "NetBIOS Extended User Interface". Unlike NetBIOS, NetBEUI
is a protocol, not a standard. It is also not routable, so traffic on one side of a
router will be unable to communicate with the other side. Understanding NetBEUI is
not essential to deciphering SMB; however it helps to point out that it is not the
same as NetBIOS and to improve your score in trivia at parties. NetBEUI was originally
referred to by Microsoft as "NBF", or "The Windows NT NetBEUI Frame protocol driver".
It is not often heard from these days.
</p></li><li><p>
NBT: Acronym for "NetBIOS over TCP"; also known as "NetBT". Allows the continued use
of NetBIOS traffic proxied over TCP/IP. As a result, NetBIOS names are mapped
to IP addresses and NetBIOS name types are conceptually equivalent to TCP/IP ports.
This is how file and printer sharing are accomplished in Windows 95/98/ME. They
traditionally rely on three ports: NetBIOS Name Service (nbname) via UDP port 137,
NetBIOS Datagram Service (nbdatagram) via UDP port 138, and NetBIOS Session Service
(nbsession) via TCP port 139. All name resolution is done via WINS, NetBIOS broadcasts,
and DNS. NetBIOS over TCP is documented in RFC 1001 (Concepts and methods) and RFC 1002
(Detailed specifications).
</p></li><li><p>
W2K: Acronym for Windows 2000 Professional or Server
</p></li><li><p>
W3K: Acronym for Windows 2003 Server
</p></li></ul></div><p>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at
<a href="http://www.samba.org/" target="_top">http://www.samba.org</a>).
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2801779"></a>Related Projects</h2></div></div><div></div></div><p>
There are currently two network filesystem client projects for Linux that are directly
related to Samba: SMBFS and CIFS VFS. These are both available in the Linux kernel itself.
</p><div class="itemizedlist"><ul type="disc"><li><p>
SMBFS (Server Message Block File System) allows you to mount SMB shares (the protocol
that Microsoft Windows and OS/2 Lan Manager use to share files and printers
over local networks) and access them just like any other Unix directory. This is useful
if you just want to mount such filesystems without running an SMB server.
</p></li><li><p>
CIFS VFS (Common Internet File System Virtual File System) is the successor to SMBFS, and
is being actively developed for the upcoming version of the Linux kernel. The intent of this module
is to provide advanced network file system functionality including support for dfs (hierarchical
name space), secure per-user session establishment, safe distributed caching (oplock),
optional packet signing, Unicode and other internationalization improvements, and optional
Winbind (nsswitch) integration.
</p></li></ul></div><p>
Again, it's important to note that these are implementations for client filesystems, and have
nothing to do with acting as a file and print server for SMB/CIFS clients.
</p><p>
There are other Open Source CIFS client implementations, such as the
<a href="http://jcifs.samba.org/" target="_top">jCIFS project</a>
which provides an SMB client toolkit written in Java.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2801848"></a>SMB Methodology</h2></div></div><div></div></div><p>
Traditionally, SMB uses UDP port 137 (NetBIOS name service, or netbios-ns),
UDP port 138 (NetBIOS datagram service, or netbios-dgm), and TCP port 139 (NetBIOS
session service, or netbios-ssn). Anyone looking at their network with a good
packet sniffer will be amazed at the amount of traffic generated by just opening
up a single file. In general, SMB sessions are established in the following order:
</p><div class="itemizedlist"><ul type="disc"><li><p>
"TCP Connection" - establish 3-way handshake (connection) to port 139/tcp
or 445/tcp.
</p></li><li><p>
"NetBIOS Session Request" - using the following "Calling Names": the local
machine's NetBIOS name plus the 16th character 0x00; the server's NetBIOS
name plus the 16th character 0x20.
</p></li><li><p>
"SMB Negotiate Protocol" - determine the protocol dialect to use, which will
be one of the following: PC Network Program 1.0 (Core) - share level security
mode only; Microsoft Networks 1.03 (Core Plus) - share level security
mode only; Lanman1.0 (LAN Manager 1.0) - uses Challenge/Response
Authentication; Lanman2.1 (LAN Manager 2.1) - uses Challenge/Response
Authentication; NT LM 0.12 (NT LM 0.12) - uses Challenge/Response
Authentication.
</p></li><li><p>
SMB Session Startup. Passwords are encrypted (or not) according to one of
the following methods: Null (no encryption); Cleartext (no encryption); LM
and NTLM; NTLM; NTLMv2.
</p></li><li><p>
SMB Tree Connect: Connect to a share name (e.g., \\servername\share); Connect
to a service type (e.g., IPC$ named pipe).
</p></li></ul></div><p>
A good way to examine this process in depth is to try out
<a href="http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html" target="_top">SecurityFriday's SWB program</a>.
It allows you to walk through the establishment of an SMB/CIFS session step by step.
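</p><p>
The "NetBIOS Session Request" step listed above can be worked through in code. The following Python is an added example written for this edition; it is not code from the HOWTO, from SecurityFriday's SWB, or from the Samba project, and the machine names FILESERVER and WORKSTATION are constructed sample values. It implements the first-level name encoding from RFC 1001 (name padded to 15 characters, 16th byte the suffix, each nibble mapped to a letter 'A'..'P'), builds the RFC 1002 SESSION REQUEST that carries the called name (suffix 0x20) and calling name (suffix 0x00), and parses one back while checking every length and encoding before trusting it, which is the discipline a protocol decoder or IDS rule writer needs for fields taken off the wire.
</p>

```python
import struct
from typing import Dict, Tuple

# RFC 1002 session service packet type for SESSION REQUEST
SESSION_REQUEST = 0x81
# Length byte in front of a first-level encoded NetBIOS name (32 encoded octets)
ENCODED_NAME_LEN = 0x20

# The two suffixes the session request above uses as its "Calling Names"
SUFFIX_WORKSTATION = 0x00   # calling name: the client's machine name
SUFFIX_FILE_SERVER = 0x20   # called name: the server (file service) name


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15
    characters with spaces, append the one-byte suffix, then split every
    octet into two nibbles and map each nibble to 'A'..'P'."""
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must fit in one byte")
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for octet in raw:
        out.append(ord("A") + (octet >> 4))
        out.append(ord("A") + (octet & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> Tuple[str, int]:
    """Reverse of encode_netbios_name. Rejects anything that is not exactly
    32 octets in 'A'..'P', so a corrupt or hostile name is an error, not a guess."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 octets")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        hi -= ord("A")
        lo -= ord("A")
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_session_request(called: str, calling: str) -> bytes:
    """SESSION REQUEST (RFC 1002 section 4.3.2): a 4-byte header, then the
    called (server, suffix 0x20) and calling (client, suffix 0x00) names, each
    as length byte + 32 encoded octets + 0x00 terminator."""
    called_field = (bytes([ENCODED_NAME_LEN])
                    + encode_netbios_name(called, SUFFIX_FILE_SERVER) + b"\x00")
    calling_field = (bytes([ENCODED_NAME_LEN])
                     + encode_netbios_name(calling, SUFFIX_WORKSTATION) + b"\x00")
    body = called_field + calling_field
    # Header: TYPE, FLAGS (bit 0 is bit 16 of the length), LENGTH (16 bits)
    return struct.pack(">BBH", SESSION_REQUEST, 0x00, len(body)) + body


def parse_session_request(packet: bytes) -> Dict[str, object]:
    """Parse a SESSION REQUEST, validating declared lengths, name field
    framing and encoding before returning the two names and their suffixes."""
    if len(packet) < 4:
        raise ValueError("truncated session packet header")
    ptype, flags, length = struct.unpack(">BBH", packet[:4])
    if ptype != SESSION_REQUEST:
        raise ValueError(f"not a SESSION REQUEST (type 0x{ptype:02x})")
    length |= (flags & 0x01) << 16
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("declared length exceeds packet")
    if length != 68:
        raise ValueError("SESSION REQUEST body must be exactly 68 octets")
    for offset in (0, 34):   # called name field, then calling name field
        if body[offset] != ENCODED_NAME_LEN or body[offset + 33] != 0x00:
            raise ValueError("malformed encoded name field")
    called, called_suffix = decode_netbios_name(body[1:33])
    calling, calling_suffix = decode_netbios_name(body[35:67])
    return {"called": called, "called_suffix": called_suffix,
            "calling": calling, "calling_suffix": calling_suffix}


if __name__ == "__main__":
    # Constructed sample: client WORKSTATION opening a session to FILESERVER
    pkt = build_session_request("FILESERVER", "WORKSTATION")
    print(pkt.hex())
    print(parse_session_request(pkt))
```

<p>
Running the block prints the 72-byte request in hex and the decoded names. The name "FRED" with suffix 0x00 encodes to EGFCEFEE followed by eleven CA pairs (the space padding) and AA, which is the pattern you will recognise in packet captures of port 139 traffic.
</p><p>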
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2801936"></a>Epilogue</h2></div></div><div></div></div><p>&#8220;<span class="quote">
What's fundamentally wrong is that nobody ever had any taste when they
did it. Microsoft has been very much into making the user interface look good,
but internally it's just a complete mess. And even people who program for Microsoft
and who have had years of experience, just don't know how it works internally.
Worse, nobody dares change it. Nobody dares to fix bugs because it's such a
mess that fixing one bug might just break a hundred programs that depend on
that bug. And Microsoft isn't interested in anyone fixing bugs -- they're interested
in making money. They don't have anybody who takes pride in Windows 95 as an
operating system.
</span>&#8221;</p><p>&#8220;<span class="quote">
People inside Microsoft know it's a bad operating system and they still
continue obviously working on it because they want to get the next version out
because they want to have all these new features to sell more copies of the
system.
</span>&#8221;</p><p>&#8220;<span class="quote">
The problem with that is that over time, when you have this kind of approach,
and because nobody understands it, because nobody REALLY fixes bugs (other than
when they're really obvious), the end result is really messy. You can't trust
it because under certain circumstances it just spontaneously reboots or just
halts in the middle of something that shouldn't be strange. Normally it works
fine and then once in a blue moon for some completely unknown reason, it's dead,
and nobody knows why. Not Microsoft, not the experienced user and certainly
not the completely clueless user who probably sits there shivering thinking
"What did I do wrong?" when they didn't do anything wrong at all.
</span>&#8221;</p><p>&#8220;<span class="quote">
That's what's really irritating to me.
</span>&#8221;</p><p>--
<a href="http://hr.uoregon.edu/davidrl/boot.txt" target="_top">Linus Torvalds, from an interview with BOOT Magazine, Sept 1998</a>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2802009"></a>Miscellaneous</h2></div></div><div></div></div><p>
This chapter is Copyright 2003 David Lechnyr (david at lechnyr dot com).
Permission is granted to copy, distribute and/or modify this document under the terms
of the GNU Free Documentation License, Version 1.2 or any later version published by the Free
Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt.
</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="install"></a>Chapter 2. How to Install and Test SAMBA</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Karl</span> <span class="surname">Auer</span></h3></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2802151">Obtaining and installing samba</a></dt><dt><a href="#id2802195">Configuring samba (smb.conf)</a></dt><dd><dl><dt><a href="#id2802232">Example Configuration</a></dt><dt><a href="#id2866164">SWAT</a></dt></dl></dd><dt><a href="#id2866210">Try listing the shares available on your
server</a></dt><dt><a href="#id2866267">Try connecting with the unix client</a></dt><dt><a href="#id2866384">Try connecting from another SMB client</a></dt><dt><a href="#id2866468">What If Things Don't Work?</a></dt><dt><a href="#id2866500">Common Errors</a></dt><dd><dl><dt><a href="#id2866513">Large number of smbd processes</a></dt><dt><a href="#id2866612">"open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested"</a></dt><dt><a href="#id2866630">"The network name cannot be found"</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2802151"></a>Obtaining and installing samba</h2></div></div><div></div></div><p>
Binary packages of samba are included in almost any Linux or
UNIX distribution. There are also some packages available at
<a href="http://samba.org/" target="_top">the samba homepage</a>.
</p><p>If you need to compile samba from source, check
<a href="#compiling" title="Chapter 36. How to compile Samba">the chapter about compiling samba from scratch</a>.</p><p>If you have already installed samba, or if your operating system
was pre-installed with samba, then you may not need to bother with this
chapter. On the other hand, you may want to read this chapter anyhow
for information about updating samba.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2802195"></a>Configuring samba (smb.conf)</h2></div></div><div></div></div><p>
Samba's configuration is stored in the <tt class="filename">smb.conf</tt> file,
that usually resides in <tt class="filename">/etc/samba/smb.conf</tt>
or <tt class="filename">/usr/local/samba/lib/smb.conf</tt>. You can either
edit this file yourself or do it using one of the many graphical
tools that are available, such as the web-based interface swat, that
is included with samba.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2802232"></a>Example Configuration</h3></div></div><div></div></div><p>
There are sample configuration files in the examples subdirectory in the
distribution. I suggest you read them carefully so you can see how the options
go together in practice. See the man page for all the options.
</p><p>
The simplest useful configuration file would be something like this:
</p><p>
</p><div class="example"><a name="id2802256"></a><p class="title"><b>Example 2.1. Simplest possible smb.conf file</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = no</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = no</tt></i></td></tr></table></div><p>
</p><p>
This will allow connections by anyone with an account on the server, using either
their login name or <i class="parameter"><tt>homes</tt></i> as the service name.
(Note that the workgroup that Samba is in must also be set.)
</p><p>
Make sure you put the <tt class="filename">smb.conf</tt> file in the correct place
(usually in <tt class="filename">/etc/samba</tt>).
</p><p>
For more information about security settings for the
<i class="parameter"><tt>[homes]</tt></i> share please refer to
<a href="#securing-samba" title="Chapter 15. Securing Samba">"Securing Samba"</a>.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2866111"></a>Test your config file with <b class="command">testparm</b></h4></div></div><div></div></div><p>
It's important that you test the validity of your <tt class="filename">smb.conf</tt>
file using the <span class="application">testparm</span> program. If testparm runs OK
then it will list the loaded services. If not, it will give an error message.
</p><p>
Make sure it runs OK and that the services look reasonable before proceeding.
</p><p>
Always run testparm again when you change <tt class="filename">smb.conf</tt>!
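</p><p>
testparm checks syntax and shows the effective values; it does not judge whether those values are wise. The following Python is an added example, not part of the HOWTO and not the testparm program, that reads an smb.conf and reports guest-accessible shares, writable guest shares, shares with no path, and optionally share paths that do not exist or are not readable and searchable by the auditing user (the read and access conditions the "The network name cannot be found" entry later in this chapter describes). The configuration embedded in it is constructed: Example 2.1 above with two extra shares added so the audit has something to flag. It relies on Samba's documented synonyms (public for guest ok; writable, writeable and write ok as the inverse of read only) and on Samba ignoring case and whitespace in parameter names.
</p>

```python
import configparser
import os
from typing import Dict, List

# Constructed sample smb.conf: Example 2.1 plus two shares added for this
# example. Not a configuration from the original page or the Samba project.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = MIDEARTH

[homes]
   guest ok = no
   read only = no

[public]
   path = /srv/samba/public
   public = yes
   writable = yes

[scratch]
   path = /srv/samba/scratch
   guest ok = yes
"""

# Shares for which Samba supplies a path itself when none is configured.
IMPLICIT_PATH_SHARES = ("homes", "printers")


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf-style text. Samba compares parameter names ignoring
    case and whitespace, so 'Guest OK' and 'guestok' must map to one key."""
    cp = configparser.ConfigParser(
        interpolation=None,          # smb.conf uses %U-style macros, not %(x)s
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        strict=False,                # tolerate repeated keys, as smbd does
    )
    cp.optionxform = lambda key: "".join(key.split()).lower()
    cp.read_string(text)
    return cp


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def is_guest_ok(section: configparser.SectionProxy) -> bool:
    """'public' is Samba's synonym for 'guest ok'; the default is no."""
    for key in ("guestok", "public"):
        if key in section:
            return _yes(section[key])
    return False


def is_writable(section: configparser.SectionProxy) -> bool:
    """'writable', 'writeable' and 'write ok' invert 'read only';
    Samba's default is read only = yes."""
    if "readonly" in section:
        return not _yes(section["readonly"])
    for key in ("writable", "writeable", "writeok"):
        if key in section:
            return _yes(section[key])
    return False


def audit_shares(cp: configparser.ConfigParser,
                 check_paths: bool = False) -> Dict[str, List[str]]:
    """Return findings per share; an empty dict means nothing to report.
    Path checks use os.access, so they reflect the auditing user's rights,
    not those of the account a client will connect as."""
    findings: Dict[str, List[str]] = {}
    for name in cp.sections():
        if name == "global":
            continue
        sec = cp[name]
        issues: List[str] = []
        if is_guest_ok(sec):
            issues.append("guest access enabled")
            if is_writable(sec):
                issues.append("guest access is also writable")
        if "path" in sec:
            path = sec["path"]
            if check_paths and not os.path.isdir(path):
                issues.append(f"path does not exist: {path}")
            elif check_paths and not os.access(path, os.R_OK | os.X_OK):
                issues.append(f"path not readable and searchable: {path}")
        elif name not in IMPLICIT_PATH_SHARES:
            issues.append("no path defined")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for share, issues in audit_shares(load_smb_conf(SAMPLE_SMB_CONF)).items():
        print(f"[{share}]: " + "; ".join(issues))
```

<p>
On the embedded sample the audit reports [public] as guest-accessible and writable and [scratch] as guest-accessible, while [homes] passes. Point load_smb_conf at the text of your real file (and pass check_paths=True on the server itself) to get the same report for your own shares; keep running testparm as well, since this script does not know every parameter smbd does.
</p><p>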
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2866164"></a>SWAT</h3></div></div><div></div></div><p>
SWAT is a web-based interface that helps you configure samba.
SWAT might not be available in the samba package on your platform,
but in a separate package. Please read the swat manpage
on compiling, installing and configuring swat from source.
</p><p>
To launch SWAT just run your favorite web browser and
point it at <a href="http://localhost:901/" target="_top">http://localhost:901/</a>. Replace
<i class="replaceable"><tt>localhost</tt></i>
with the name of the computer you are running samba on if you
are running samba on a different computer than your browser.
</p><p>
Note that you can attach to SWAT from any IP connected
machine but connecting from a remote machine leaves your
connection open to password sniffing as passwords will be sent
in the clear over the wire.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2866210"></a>Try listing the shares available on your
server</h2></div></div><div></div></div><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>smbclient -L <i class="replaceable"><tt>yourhostname</tt></i></tt></b>
</pre><p>You should get back a list of shares available on
your server. If you don't then something is incorrectly set up.
Note that this method can also be used to see what shares
are available on other LanManager clients (such as WfWg).</p><p>If you choose user level security then you may find
that Samba requests a password before it will list the shares.
See the <b class="command">smbclient</b> man page for details. (You
can force it to list the shares without a password by
adding the option -U% to the command line. This will not work
with non-Samba servers.)</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2866267"></a>Try connecting with the unix client</h2></div></div><div></div></div><p>
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>smbclient <i class="replaceable"><tt> //yourhostname/aservice</tt></i></tt></b>
</pre><p>Typically the <i class="replaceable"><tt>yourhostname</tt></i>
would be the name of the host where you installed <span class="application">smbd</span>.
The <i class="replaceable"><tt>aservice</tt></i> is
any service you have defined in the <tt class="filename">smb.conf</tt>
file. Try your user name if you just have a <i class="parameter"><tt>[homes]</tt></i>
section
in <tt class="filename">smb.conf</tt>.</p><p>For example if your unix host is <i class="replaceable"><tt>bambi</tt></i>
and your login name is <i class="replaceable"><tt>fred</tt></i> you would type:</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>smbclient //<i class="replaceable"><tt>bambi</tt></i>/<i class="replaceable"><tt>fred</tt></i></tt></b>
</pre></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2866384"></a>Try connecting from another SMB client</h2></div></div><div></div></div><p>Try mounting disks from a DOS, Windows or OS/2 client, e.g.:</p><pre class="screen">
<tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>net use d: \\servername\service</tt></b>
</pre><p>Try printing, e.g.:</p><p>
</p><pre class="screen">
<tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>net use lpt1: \\servername\spoolservice</tt></b>
</pre><p>
</p><pre class="screen"><tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>print filename</tt></b>
</pre></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2866468"></a>What If Things Don't Work?</h2></div></div><div></div></div><p>Then you might read the chapter <a href="#diagnosis" title="Chapter 33. The Samba checklist">diagnosis</a>
and the FAQ. If you are still stuck then refer to <a href="#problems" title="Chapter 34. Analysing and solving samba problems">"Analysing and solving problems"</a>.
Samba has been successfully installed at thousands of sites worldwide,
so maybe someone else has hit your problem and has overcome it.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2866500"></a>Common Errors</h2></div></div><div></div></div><p>
The following questions and issues get raised on the samba mailing list over and over again.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2866513"></a>Large number of smbd processes</h3></div></div><div></div></div><p>
347 Samba consists on three core programs:
348 <span class="application">nmbd</span>, <span class="application">smbd</span>, <span class="application">winbindd</span>. <span class="application">nmbd</span> is the name server message daemon,
349 <span class="application">smbd</span> is the server message daemon, <span class="application">winbindd</span> is the daemon that
350 handles communication with Domain Controllers.
351 </p><p>
352 If your system is NOT running as a WINS server, then there will be one (1) single instance of
353 <span class="application">nmbd</span> running on your system. If it is running as a WINS server then there will be
354 two (2) instances - one to handle the WINS requests.
355 </p><p>
356 <span class="application">smbd</span> handles ALL connection requests and then spawns a new process for each client
357 connection made. That is why you are seeing so many of them, one (1) per client connection.
358 </p><p>
359 <span class="application">winbindd</span> will run as one or two daemons, depending on whether or not it is being
360 run in "split mode" (in which case there will be two instances).
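As an added example (not part of this HOWTO or of Samba itself), the following Python script applies the expectations just described to the output of <tt>ps -eo pid,ppid,comm</tt>, telling the single listening smbd apart from its per-connection children by parent PID; the ps sample embedded in it is constructed, not captured from a real host.

```python
"""Check Samba daemon counts in ps output against the expectations above.

Reads "ps -eo pid,ppid,comm" output (pipe it in, or the constructed sample below
is used) and separates the listening smbd from its per-connection children.
"""
import sys

# Constructed sample of "ps -eo pid,ppid,comm" output, not captured from a real host.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 init
  812     1 nmbd
  815     1 smbd
  820   815 smbd
  821   815 smbd
  822   815 smbd
  830     1 winbindd
  831   830 winbindd
"""


def parse_ps(text):
    """Return (pid, ppid, comm) tuples; header and malformed lines are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue
        procs.append((int(parts[0]), int(parts[1]), parts[2].strip()))
    return procs


def samba_process_summary(procs):
    """Count the Samba daemons.

    An smbd whose parent is another smbd is serving one client connection; the
    smbd whose parent is not an smbd is the single listening (master) process.
    """
    comm_by_pid = {pid: comm for pid, _, comm in procs}
    summary = {"nmbd": 0, "smbd_master": 0, "smbd_clients": 0, "winbindd": 0}
    for pid, ppid, comm in procs:
        if comm == "nmbd":
            summary["nmbd"] += 1
        elif comm == "winbindd":
            summary["winbindd"] += 1
        elif comm == "smbd":
            key = "smbd_clients" if comm_by_pid.get(ppid) == "smbd" else "smbd_master"
            summary[key] += 1
    return summary


def check_expectations(summary, wins_server=False):
    """Return anomaly strings; empty means the counts match the HOWTO's description.

    Many client smbd processes are normal (one per connection) and are not flagged.
    """
    issues = []
    expected_nmbd = 2 if wins_server else 1
    if summary["nmbd"] != expected_nmbd:
        issues.append(f"expected {expected_nmbd} nmbd process(es), found {summary['nmbd']}")
    if summary["smbd_master"] != 1:
        issues.append(f"expected exactly 1 listening smbd, found {summary['smbd_master']}")
    if summary["winbindd"] > 2:
        issues.append(f"winbindd runs as one or two daemons, found {summary['winbindd']}")
    return issues


if __name__ == "__main__":
    text = SAMPLE_PS if sys.stdin.isatty() else sys.stdin.read()
    s = samba_process_summary(parse_ps(text))
    print(f"nmbd={s['nmbd']} listening smbd={s['smbd_master']} "
          f"client smbd={s['smbd_clients']} winbindd={s['winbindd']}")
    for issue in check_expectations(s):
        print("WARNING:", issue)
```

Run it as <tt>ps -eo pid,ppid,comm | python3 samba_procs.py</tt> on a live server, or with no input to see the constructed sample evaluated.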
361 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2866612"></a>"open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested"</h3></div></div><div></div></div><p>Your loopback device isn't working correctly. Make sure it's configured properly. The loopback device is an internal (virtual) network device with
362 the IP address 127.0.0.1. Read your OS documentation for details
363 on how to configure the loopback on your system.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2866630"></a>"<span class="errorname">The network name cannot be found</span>"</h3></div></div><div></div></div><p>
364 This error can be caused by one of these misconfigurations:
365 </p><div class="itemizedlist"><ul type="disc"><li><p>You specified a nonexistent <a class="indexterm" name="id2866655"></a><i class="parameter"><tt>path</tt></i> for the share in <tt class="filename">smb.conf</tt> </p></li><li><p>The user you are trying to access the share with does not
366 have sufficient permissions to access the <a class="indexterm" name="id2866684"></a><i class="parameter"><tt>path</tt></i> for the share. Both read (r) and access (x) should be possible.</p></li><li><p>The share you are trying to access does not exist.</p></li></ul></div></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 3. Fast Start for the Impatient</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2866757">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2866757"></a>Note</h2></div></div><div></div></div><p>
367 This chapter did not make it into this release.
368 It is planned for the published release of this document.
369 </p></div></div></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="type"></a>Server Configuration Basics</h1></div></div><div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id2866784"></a>First Steps in Server Configuration</h1></div></div><div></div></div><p>
370 Samba can operate in various modes within SMB networks. This HOWTO section contains information on
371 configuring Samba to function as the type of server your network requires. Please read this
372 section carefully.
373 </p><div class="toc"><p><b>Table of Contents</b></p><dl><dt>4. <a href="#ServerType">Server Types and Security Modes</a></dt><dd><dl><dt><a href="#id2866937">Features and Benefits</a></dt><dt><a href="#id2867038">Server Types</a></dt><dt><a href="#id2867124">Samba Security Modes</a></dt><dd><dl><dt><a href="#id2867244">User Level Security</a></dt><dt><a href="#id2867382">Share Level Security</a></dt><dt><a href="#id2867518">Domain Security Mode (User Level Security)</a></dt><dt><a href="#id2867776">ADS Security Mode (User Level Security)</a></dt><dt><a href="#id2867877">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="#id2868158">Password checking</a></dt><dt><a href="#id2868359">Common Errors</a></dt><dd><dl><dt><a href="#id2868387">What makes Samba a SERVER?</a></dt><dt><a href="#id2868427">What makes Samba a Domain Controller?</a></dt><dt><a href="#id2868463">What makes Samba a Domain Member?</a></dt><dt><a href="#id2868503">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></dd><dt>5. 
<a href="#samba-pdc">Domain Control</a></dt><dd><dl><dt><a href="#id2868835">Features and Benefits</a></dt><dt><a href="#id2869049">Basics of Domain Control</a></dt><dd><dl><dt><a href="#id2869064">Domain Controller Types</a></dt><dt><a href="#id2869309">Preparing for Domain Control</a></dt></dl></dd><dt><a href="#id2869698">Domain Control - Example Configuration</a></dt><dt><a href="#id2870186">Samba ADS Domain Control</a></dt><dt><a href="#id2870238">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="#id2870253">Domain Network Logon Service</a></dt><dt><a href="#id2870678">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="#id2870825">Common Errors</a></dt><dd><dl><dt><a href="#id2870831">'$' cannot be included in machine name</a></dt><dt><a href="#id2870890">Joining domain fails because of existing machine account</a></dt><dt><a href="#id2870945">The system can not log you on (C000019B)....</a></dt><dt><a href="#id2871029">The machine trust account not accessible</a></dt><dt><a href="#id2871102">Account disabled</a></dt><dt><a href="#id2871135">Domain Controller Unavailable</a></dt><dt><a href="#id2871156">Can not log onto domain member workstation after joining domain</a></dt></dl></dd></dl></dd><dt>6. 
<a href="#samba-bdc">Backup Domain Control</a></dt><dd><dl><dt><a href="#id2871317">Features And Benefits</a></dt><dt><a href="#id2871494">Essential Background Information</a></dt><dd><dl><dt><a href="#id2871522">MS Windows NT4 Style Domain Control</a></dt><dt><a href="#id2871772">Active Directory Domain Control</a></dt><dt><a href="#id2871793">What qualifies a Domain Controller on the network?</a></dt><dt><a href="#id2871819">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="#id2871833">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="#id2871968">Example Configuration</a></dt></dl></dd><dt><a href="#id2872125">Common Errors</a></dt><dd><dl><dt><a href="#id2872138">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="#id2872169">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="#id2872196">How do I replicate the smbpasswd file?</a></dt><dt><a href="#id2872240">Can I do this all with LDAP?</a></dt></dl></dd></dl></dd><dt>7. 
<a href="#domain-member">Domain Membership</a></dt><dd><dl><dt><a href="#id2872448">Features and Benefits</a></dt><dt><a href="#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt><a href="#id2872769">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="#id2873061">Using NT4 Server Manager to Add Machine Accounts to the Domain</a></dt><dt><a href="#id2873276">"On-the-Fly" Creation of Machine Trust Accounts</a></dt><dt><a href="#id2873347">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="#domain-member-server">Domain Member Server</a></dt><dd><dl><dt><a href="#id2873558">Joining an NT4 type Domain with Samba-3</a></dt><dt><a href="#id2873995">Why is this better than security = server?</a></dt></dl></dd><dt><a href="#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="#id2874178">Setup your smb.conf</a></dt><dt><a href="#id2874307">Setup your /etc/krb5.conf</a></dt><dt><a href="#ads-create-machine-account">Create the computer account</a></dt><dt><a href="#ads-test-server">Test your server setup</a></dt><dt><a href="#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="#id2874683">Notes</a></dt></dl></dd><dt><a href="#id2874706">Common Errors</a></dt><dd><dl><dt><a href="#id2874732">Can Not Add Machine Back to Domain</a></dt><dt><a href="#id2874764">Adding Machine to Domain Fails</a></dt></dl></dd></dl></dd><dt>8. <a href="#StandAloneServer">Stand-Alone Servers</a></dt><dd><dl><dt><a href="#id2874966">Features and Benefits</a></dt><dt><a href="#id2875004">Background</a></dt><dt><a href="#id2875078">Example Configuration</a></dt><dd><dl><dt><a href="#RefDocServer">Reference Documentation Server</a></dt><dt><a href="#SimplePrintServer">Central Print Serving</a></dt></dl></dd><dt><a href="#id2875598">Common Errors</a></dt></dl></dd><dt>9. 
<a href="#ClientConfig">MS Windows Network Configuration Guide</a></dt><dd><dl><dt><a href="#id2875663">Note</a></dt></dl></dd></dl></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ServerType"></a>Chapter 4. Server Types and Security Modes</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2866937">Features and Benefits</a></dt><dt><a href="#id2867038">Server Types</a></dt><dt><a href="#id2867124">Samba Security Modes</a></dt><dd><dl><dt><a href="#id2867244">User Level Security</a></dt><dt><a href="#id2867382">Share Level Security</a></dt><dt><a href="#id2867518">Domain Security Mode (User Level Security)</a></dt><dt><a href="#id2867776">ADS Security Mode (User Level Security)</a></dt><dt><a href="#id2867877">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="#id2868158">Password checking</a></dt><dt><a 
href="#id2868359">Common Errors</a></dt><dd><dl><dt><a href="#id2868387">What makes Samba a SERVER?</a></dt><dt><a href="#id2868427">What makes Samba a Domain Controller?</a></dt><dt><a href="#id2868463">What makes Samba a Domain Member?</a></dt><dt><a href="#id2868503">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></div><p>
374 This chapter provides information regarding the types of server that Samba may be
375 configured to be. A Microsoft network administrator who wishes to migrate to or to
376 use Samba will want to know what terms familiar to an MS Windows administrator mean
377 within a Samba context. This means that it is essential also to define how critical security
378 modes function BEFORE we get into the details of how to configure the server itself.
379 </p><p>
380 The chapter provides an overview of the security modes of which Samba is capable
381 and how these relate to MS Windows servers and clients.
382 </p><p>
383 A question often asked is, "Why would I want to use Samba?" Most chapters contain a section
384 that highlights features and benefits. We hope that the information provided will help to
385 answer this question. Be warned though: we want to be fair and reasonable, so not all
386 features are positive towards Samba, and the benefit may sometimes be on the side of our competition.
387 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2866937"></a>Features and Benefits</h2></div></div><div></div></div><p>
388 Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It
389 hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion
390 and fury fitting his anguish. The other looked at the stone and said, that is a garnet - I
391 can turn that into a precious gem and some day it will make a princess very happy!
392 </p><p>
393 The moral of this tale: Two men, two very different perspectives regarding the same stone.
394 Like it or not, Samba is like that stone. Treat it the right way and it can bring great
395 pleasure, but if you are forced upon it and have no time for its secrets then it can be
396 a source of discomfort.
397 </p><p>
398 Samba started out as a project that sought to provide interoperability for MS Windows 3.x
399 clients with a UNIX server. It has grown up a lot since its humble beginnings and now provides
400 features and functionality fit for large scale deployment. It also has some warts. In sections
401 like this one we will tell of both.
402 </p><p>
403 So now, what are the benefits of features mentioned in this chapter?
404 </p><div class="itemizedlist"><ul type="disc"><li><p>
405 Samba-3 can replace an MS Windows NT4 Domain Controller
406 </p></li><li><p>
407 Samba-3 offers excellent interoperability with MS Windows NT4
408 style domains as well as natively with Microsoft Active
409 Directory domains.
410 </p></li><li><p>
411 Samba-3 permits full NT4 style Interdomain Trusts
412 </p></li><li><p>
413 Samba has security modes that permit more flexible
414 authentication than is possible with MS Windows NT4 Domain Controllers.
415 </p></li><li><p>
416 Samba-3 permits use of multiple account database backends
417 </p></li><li><p>
418 The account (password) database backends can be distributed
419 and replicated using multiple methods. This gives Samba-3
420 greater flexibility than MS Windows NT4 and in many cases a
421 significantly higher utility than Active Directory domains
422 with MS Windows 200x.
423 </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867038"></a>Server Types</h2></div></div><div></div></div><p>Administrators of Microsoft networks often refer to three
424 different types of servers:</p><div class="itemizedlist"><ul type="disc"><li><p>Domain Controller</p><div class="itemizedlist"><ul type="circle"><li><p>Primary Domain Controller</p></li><li><p>Backup Domain Controller</p></li><li><p>ADS Domain Controller</p></li></ul></div></li><li><p>Domain Member Server</p><div class="itemizedlist"><ul type="circle"><li><p>Active Directory Domain Server</p></li><li><p>NT4 Style Domain Server</p></li></ul></div></li><li><p>Stand Alone Server</p></li></ul></div><p>
425 The chapters covering Domain Control, Backup Domain Control and Domain Membership provide
426 pertinent information regarding Samba configuration for each of these server roles.
427 The reader is strongly encouraged to become intimately familiar with the information
428 presented.
429 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867124"></a>Samba Security Modes</h2></div></div><div></div></div><p>
430 In this section the function and purpose of Samba's <a class="indexterm" name="id2867135"></a><i class="parameter"><tt>security</tt></i>
431 modes are described. An accurate understanding of how Samba implements each security
432 mode as well as how to configure MS Windows clients for each mode will significantly
433 reduce user complaints and administrator heartache.
434 </p><p>
435 In the SMB/CIFS networking world, there are only two types of security: <span class="emphasis"><em>USER Level</em></span>
436 and <span class="emphasis"><em>SHARE Level</em></span>. We refer to these collectively as <span class="emphasis"><em>security levels</em></span>. In implementing these two <span class="emphasis"><em>security levels</em></span> Samba provides flexibilities
437 that are not available with Microsoft Windows NT4 / 200x servers. Samba knows of five (5)
438 ways that allow the security levels to be implemented. In actual fact, Samba implements
439 <span class="emphasis"><em>SHARE Level</em></span> security only one way, but has four ways of implementing
440 <span class="emphasis"><em>USER Level</em></span> security. Collectively, we call the Samba implementations
441 <span class="emphasis"><em>Security Modes</em></span>. These are: <span class="emphasis"><em>SHARE</em></span>, <span class="emphasis"><em>USER</em></span>, <span class="emphasis"><em>DOMAIN</em></span>,
442 <span class="emphasis"><em>ADS</em></span>, and <span class="emphasis"><em>SERVER</em></span>
443 modes. They are documented in this chapter.
444 </p><p>
445 An SMB server tells the client at startup what <span class="emphasis"><em>security level</em></span>
446 it is running. There are two options: <span class="emphasis"><em>share level</em></span> and
447 <span class="emphasis"><em>user level</em></span>. Which of these two the client receives affects
448 the way the client then tries to authenticate itself. It does not directly affect
449 (to any great extent) the way the Samba server does security. This may sound strange,
450 but it fits in with the client/server approach of SMB. In SMB everything is initiated
451 and controlled by the client, and the server can only tell the client what is
452 available and whether an action is allowed.
453 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2867244"></a>User Level Security</h3></div></div><div></div></div><p>
454 We will describe <span class="emphasis"><em>user level</em></span> security first, as it's simpler.
455 In <span class="emphasis"><em>user level</em></span> security, the client will send a
456 <span class="emphasis"><em>session setup</em></span> command directly after the protocol negotiation.
457 This contains a username and password. The server can either accept or reject that
458 username/password combination. Note that at this stage the server has no idea what
459 share the client will eventually try to connect to, so it can't base the
460 <span class="emphasis"><em>accept/reject</em></span> on anything other than:
461 </p><div class="orderedlist"><ol type="1"><li><p>The username/password</p></li><li><p>The name of the client machine</p></li></ol></div><p>
462 If the server accepts the username/password then the client expects to be able to
463 mount shares (using a <span class="emphasis"><em>tree connection</em></span>) without specifying a
464 password. It expects that all access rights will be as the username/password
465 specified in the <span class="emphasis"><em>session setup</em></span>.
466 </p><p>
467 It is also possible for a client to send multiple <span class="emphasis"><em>session setup</em></span>
468 requests. When the server responds, it gives the client a <span class="emphasis"><em>uid</em></span> to use
469 as an authentication tag for that username/password. The client can maintain multiple
470 authentication contexts in this way (WinDD is an example of an application that does this).
471 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2867336"></a>Example Configuration</h4></div></div><div></div></div><p>
472 The <tt class="filename">smb.conf</tt> parameter that sets <span class="emphasis"><em>User Level Security</em></span> is:
473 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr></table><p>
474 This is the default setting since samba-2.2.x.
475 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2867382"></a>Share Level Security</h3></div></div><div></div></div><p>
476 Ok, now for share level security. In share level security, the client authenticates
477 itself separately for each share. It will send a password along with each
478 <span class="emphasis"><em>tree connection</em></span> (share mount). It does not explicitly send a
479 username with this operation. The client expects a password to be associated
480 with each share, independent of the user. This means that Samba has to work out what
481 username the client probably wants to use. It is never explicitly sent the username.
482 Some commercial SMB servers such as NT actually associate passwords directly with
483 shares in share level security, but Samba always uses the UNIX authentication scheme
484 where it is a username/password pair that is authenticated, not a share/password pair.
485 </p><p>
486 To gain understanding of the MS Windows networking parallels to this, one should think
487 in terms of MS Windows 9x/Me where one can create a shared folder that provides read-only
488 or full access, with or without a password.
489 </p><p>
490 Many clients send a <span class="emphasis"><em>session setup</em></span> even if the server is in share
491 level security. They normally send a valid username but no password. Samba records
492 this username in a list of <span class="emphasis"><em>possible usernames</em></span>. When the client
493 then does a <span class="emphasis"><em>tree connection</em></span> it also adds to this list the name
494 of the share they try to connect to (useful for home directories) and any users
495 listed in the <a class="indexterm" name="id2867441"></a><i class="parameter"><tt>user</tt></i> <tt class="filename">smb.conf</tt> line. The password is then checked
496 in turn against these <span class="emphasis"><em>possible usernames</em></span>. If a match is found
497 then the client is authenticated as that user.
498 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2867470"></a>Example Configuration</h4></div></div><div></div></div><p>
499 The <tt class="filename">smb.conf</tt> parameter that sets <span class="emphasis"><em>Share Level Security</em></span> is:
500 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = share</tt></i></td></tr></table><p>
501 Please note that there are reports that recent MS Windows clients do not like to work
502 with share mode security servers. You are strongly discouraged from using share level security.
503 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2867518"></a>Domain Security Mode (User Level Security)</h3></div></div><div></div></div><p>
504 When Samba is operating in <a class="indexterm" name="id2867530"></a><i class="parameter"><tt>security</tt></i> = domain mode,
505 the Samba server has a domain security trust account (a machine account) and will cause
506 all authentication requests to be passed through to the domain controllers.
507 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2867549"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
508 Samba as a Domain Member Server
509 </em></span></p><p>
510 This method involves addition of the following parameters in the <tt class="filename">smb.conf</tt> file:
511 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = domain</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr></table><p>
512 In order for this method to work, the Samba server needs to join the MS Windows NT
513 security domain. This is done as follows:
514 </p><div class="procedure"><ol type="1"><li><p>On the MS Windows NT domain controller, using
515 the Server Manager, add a machine account for the Samba server.
516 </p></li><li><p>Next, on the UNIX/Linux system execute:</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>net rpc join -U administrator%password</tt></b></pre></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
517 Samba-2.2.4 and later can auto-join a Windows NT4 style Domain just by executing:
518 </p><pre class="screen">
519 <tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -j <i class="replaceable"><tt>DOMAIN_NAME</tt></i> -r <i class="replaceable"><tt>PDC_NAME</tt></i> \
520 -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b>
521 </pre><p>
523 Samba-3 can do the same by executing:
524 </p><pre class="screen">
525 <tt class="prompt">root# </tt><b class="userinput"><tt>net rpc join -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b>
526 </pre><p>
527 It is not necessary with Samba-3 to specify the <i class="replaceable"><tt>DOMAIN_NAME</tt></i> or the
528 <i class="replaceable"><tt>PDC_NAME</tt></i> as it figures this out from the <tt class="filename">smb.conf</tt> file settings.
529 </p></div><p>
530 Use of this mode of authentication does require there to be a standard UNIX account
531 for each user in order to assign a UID once the account has been authenticated by
532 the remote Windows DC. This account can be blocked to prevent logons by clients other than
533 MS Windows through means such as setting an invalid shell in the
534 <tt class="filename">/etc/passwd</tt> entry.
535 </p><p>
536 An alternative to assigning UIDs to Windows users on a Samba member server is
537 presented in <a href="#winbind" title="Chapter 21. Winbind: Use of Domain Accounts">the chapter about winbind</a>.
538 </p><p>
539 For more information of being a domain member, see <a href="#domain-member" title="Chapter 7. Domain Membership">the chapter about domain membership</a>.
540 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2867776"></a>ADS Security Mode (User Level Security)</h3></div></div><div></div></div><p>
541 Both Samba 2.2 and 3.0 can join an Active Directory domain. This is
542 possible if the domain is run in native mode. Contrary to popular belief,
543 Active Directory in native mode fully allows NT4-style domain members.
544 The only thing that Active Directory in native mode
545 prohibits is Backup Domain Controllers running NT4.
546 </p><p>
547 If you are using Active Directory, starting with Samba-3 you can
548 join as a native AD member. Why would you want to do that?
549 Your security policy might prohibit the use of NT-compatible
550 authentication protocols. All your machines are running Windows 2000
551 and above and all use Kerberos. In this case Samba as an NT4-style
552 domain member would still require NT-compatible authentication data. Samba in
553 AD-member mode can accept Kerberos tickets.
554 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2867806"></a>Example Configuration</h4></div></div><div></div></div><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>realm = your.kerberos.REALM</tt></i></td></tr><tr><td><i class="parameter"><tt>security = ADS</tt></i></td></tr></table><p>
555 The following parameter may be required:
556 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>ads server = your.kerberos.server</tt></i></td></tr></table><p>
557 Please refer to <a href="#domain-member" title="Chapter 7. Domain Membership">the chapter on domain membership</a>
558 for more information regarding this configuration option.
559 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2867877"></a>Server Security (User Level Security)</h3></div></div><div></div></div><p>
560 Server security mode is a leftover from the time when Samba was not capable of acting
561 as a domain member server. It is highly recommended NOT to use this feature. Server
562 security mode has many drawbacks. The drawbacks include:
563 </p><div class="itemizedlist"><ul type="disc"><li><p>Potential Account Lockout on MS Windows NT4/200x password servers</p></li><li><p>Lack of assurance that the password server is the one specified</p></li><li><p>Does not work with Winbind, particularly needed when storing profiles remotely</p></li><li><p>This mode may open connections to the password server, and keep them open for extended periods.</p></li><li><p>Security on the Samba server breaks badly when the remote password server suddenly shuts down</p></li><li><p>With this mode there is NO security account in the domain that the password server belongs to for the Samba server.</p></li></ul></div><p>
564 In server security mode the Samba server reports to the client that it is in user level
565 security. The client then does a <span class="emphasis"><em>session setup</em></span> as described earlier.
566 The Samba server takes the username/password that the client sends and attempts to login to the
567 <a class="indexterm" name="id2867950"></a><i class="parameter"><tt>password server</tt></i> by sending exactly the same username/password that
568 it got from the client. If that server is in user level security and accepts the password,
569 then Samba accepts the client's connection. This allows the Samba server to use another SMB
570 server as the <a class="indexterm" name="id2867970"></a><i class="parameter"><tt>password server</tt></i>.
571 </p><p>
572 You should also note that at the very start of all this, where the server tells the client
573 what security level it is in, it also tells the client if it supports encryption. If it
574 does then it supplies the client with a random cryptkey. The client will then send all
575 passwords in encrypted form. Samba supports this type of encryption by default.
576 </p><p>
577 The parameter <a class="indexterm" name="id2867997"></a><i class="parameter"><tt>security</tt></i> = server means that Samba reports to clients that
578 it is running in <span class="emphasis"><em>user mode</em></span> but actually passes off all authentication
579 requests to another <span class="emphasis"><em>user mode</em></span> server. This requires an additional
580 parameter <a class="indexterm" name="id2868023"></a><i class="parameter"><tt>password server</tt></i> that points to the real authentication server.
581 That real authentication server can be another Samba server or can be a Windows NT server,
582 the latter being natively capable of encrypted password support.
583 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
584 When Samba is running in <span class="emphasis"><em>server security mode</em></span> it is essential that
585 the parameter <span class="emphasis"><em>password server</em></span> is set to the precise NetBIOS machine
586 name of the target authentication server. Samba can NOT determine this from NetBIOS name
587 lookups because the choice of the target authentication server is arbitrary and cannot
588 be determined from a domain name. In essence, a Samba server that is in
589 <span class="emphasis"><em>server security mode</em></span> is operating in what used to be known as
590 workgroup mode.
591 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2868067"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
592 Using MS Windows NT as an authentication server
593 </em></span></p><p>
594 This method involves the addition of the following parameters in the <tt class="filename">smb.conf</tt> file:
595 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>encrypt passwords = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>security = server</tt></i></td></tr><tr><td><i class="parameter"><tt>password server = "NetBIOS_name_of_a_DC"</tt></i></td></tr></table><p>
596 There are two ways of identifying whether or not a username and password pair was valid.
597 One uses the reply information provided as part of the authentication messaging
598 process, the other uses just an error code.
599 </p><p>
600 The down-side of this mode of configuration is that, for security reasons, Samba
601 will send the password server a bogus username and a bogus password. If the remote
602 server fails to reject that username and password pair, Samba falls back to the alternative
603 method of validation. Where a site locks accounts out after a
604 certain number of failed authentication attempts, this will result in user lockouts.
605 </p><p>
606 Use of this mode of authentication does require there to be a standard UNIX account
607 for the user, though this account can be blocked to prevent logons by non-SMB/CIFS clients.
608 </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2868158"></a>Password checking</h2></div></div><div></div></div><p>
609 MS Windows clients may use encrypted passwords, either as part of a challenge/response
610 authentication model (a.k.a. NTLMv1 and NTLMv2) or on their own, or clear text strings for simple
611 password based authentication. It should be realized that with the SMB protocol,
612 the password is passed over the network either in plain text or encrypted, but
613 not both in the same authentication request.
614 </p><p>
615 When encrypted passwords are used, a password that has been entered by the user
616 is encrypted in two ways:
617 </p><div class="itemizedlist"><ul type="disc"><li><p>An MD4 hash of the Unicode form of the password
618 string. This is known as the NT hash.
619 </p></li><li><p>The password is converted to upper case,
620 and then padded or truncated to 14 bytes. This string is
621 then appended with 5 bytes of NULL characters and split to
622 form two 56 bit DES keys to encrypt a "magic" 8 byte value.
623 The resulting 16 bytes form the LanMan hash.
624 </p></li></ul></div><p>
625 MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0
626 pre-service pack 3 will use either mode of password authentication. All
627 versions of MS Windows that follow these versions no longer support plain
628 text passwords by default.
629 </p><p>
630 MS Windows clients have a habit of dropping network mappings that have been idle
631 for 10 minutes or longer. When the user attempts to use the mapped drive
632 connection that has been dropped, the client re-establishes the connection using
633 a cached copy of the password.
634 </p><p>
635 When Microsoft changed the default password mode, support was dropped for caching
636 of the plain text password. This means that when the registry parameter is changed
637 to re-enable use of plain text passwords it appears to work, but when a dropped
638 service connection mapping attempts to revalidate it will fail if the remote
639 authentication server does not support encrypted passwords. This means that it
640 is definitely not a good idea to re-enable plain text password support in such clients.
641 </p><p>
642 The following parameters can be used to work around the issue of Windows 9x clients
643 upper casing usernames and passwords before transmitting them to the SMB server
644 when using clear text authentication.
645 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>password level = integer</tt></i></td></tr><tr><td><i class="parameter"><tt>username level = integer</tt></i></td></tr></table><p>
646 By default Samba will lower case the username before attempting to look up the user
647 in the database of local system accounts. Because UNIX usernames conventionally
648 only contain lower-case characters, the <a class="indexterm" name="id2868286"></a><i class="parameter"><tt>username level</tt></i> parameter
649 is rarely needed.
650 </p><p>
651 However, passwords on UNIX systems often make use of mixed-case characters.
652 This means that in order for a user on a Windows 9x client to connect to a Samba
653 server using clear text authentication, the <a class="indexterm" name="id2868308"></a><i class="parameter"><tt>password level</tt></i>
654 must be set to the maximum number of upper case letters which <span class="emphasis"><em>could</em></span>
655 appear in a password. Note that if the server OS uses the traditional DES version
656 of crypt(), a <a class="indexterm" name="id2868330"></a><i class="parameter"><tt>password level</tt></i> of 8 will result in case
657 insensitive passwords as seen from Windows users. This will also result in longer
658 login times as Samba has to compute the permutations of the password string and
659 try them one by one until a match is located (or all combinations fail).
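A model of the case-permutation search described above, as an added example (not Samba's own code): the received, upper-cased password is lower-cased and then every way of upper-casing up to <tt>password level</tt> of its letters is tried against the stored hash. The candidate order is an assumption, <tt>unix_hash</tt> is a SHA-256 stand-in for the system crypt() so the block runs anywhere, and the passwords are constructed.

```python
import hashlib
from itertools import combinations
from math import comb
from typing import Iterator, Optional, Tuple


def case_variants(received: str, level: int) -> Iterator[str]:
    """Candidates for a clear-text password that a Windows 9x client upper-cased:
    the lower-cased string first, then every combination of up to `level`
    letters restored to upper case (order assumed, not Samba's exact order)."""
    base = received.lower()
    letters = [i for i, ch in enumerate(base) if ch.isalpha()]
    for k in range(0, min(level, len(letters)) + 1):
        for idx in combinations(letters, k):
            chars = list(base)
            for i in idx:
                chars[i] = chars[i].upper()
            yield "".join(chars)


def variant_count(received: str, level: int) -> int:
    """Worst-case number of hash computations: sum of C(letters, k) for k <= level."""
    n = sum(ch.isalpha() for ch in received)
    return sum(comb(n, k) for k in range(0, min(level, n) + 1))


def unix_hash(password: str) -> str:
    """Stand-in for crypt(). Traditional DES crypt() also ignores every character
    past the eighth, which is why 'password level = 8' makes such passwords
    effectively case-insensitive; this stand-in does not truncate."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_clear_text(stored_hash: str, received: str, level: int) -> Tuple[Optional[str], int]:
    """Return (matching variant or None, number of hashes computed)."""
    attempts = 0
    for cand in case_variants(received, level):
        attempts += 1
        if unix_hash(cand) == stored_hash:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    stored = unix_hash("SeCret")          # constructed UNIX password with 2 capitals
    received = "SECRET"                   # what a Windows 9x client sends
    for level in (1, 2, 8):
        print(level, variant_count(received, level), check_clear_text(stored, received, level))
```

Raising the level makes logons slower in proportion to the variant count, and at a level equal to the number of significant characters the comparison becomes case-insensitive, which is the page's argument for preferring encrypted passwords over this workaround.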
660 </p><p>
661 The best option to adopt is to enable support for encrypted passwords wherever
662 Samba is used. Most attempts to apply the registry change to re-enable plain text
663 passwords will eventually lead to user complaints and unhappiness.
664 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2868359"></a>Common Errors</h2></div></div><div></div></div><p>
665 We all make mistakes. It is Ok to make mistakes, so long as they are made in the right places
666 and at the right time. A mistake that causes lost productivity is seldom tolerated. A mistake
667 made in a developmental test lab is expected.
668 </p><p>
669 Here we look at common mistakes and misapprehensions that have been the subject of discussions
670 on the Samba mailing lists. Many of these are avoidable by doing your homework before attempting
671 a Samba implementation. Some are the result of misunderstanding of the English language. The
672 English language has many turns of phrase that are potentially vague and may be highly confusing
673 to those for whom English is not their native tongue.
674 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2868387"></a>What makes Samba a SERVER?</h3></div></div><div></div></div><p>
675 To some the nature of the Samba <span class="emphasis"><em>security</em></span> mode is very obvious, but entirely
676 wrong all the same. It is assumed that <a class="indexterm" name="id2868403"></a><i class="parameter"><tt>security</tt></i> = server means that Samba
677 will act as a server. Not so! See above - this setting means that Samba will <span class="emphasis"><em>try</em></span>
678 to use another SMB server as its source of user authentication alone.
679 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2868427"></a>What makes Samba a Domain Controller?</h3></div></div><div></div></div><p>
680 The <tt class="filename">smb.conf</tt> parameter <a class="indexterm" name="id2868445"></a><i class="parameter"><tt>security</tt></i> = domain does NOT really make Samba behave
681 as a Domain Controller! This setting means we want Samba to be a domain member!
682 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2868463"></a>What makes Samba a Domain Member?</h3></div></div><div></div></div><p>
683 Guess! So many others do. But whatever you do, do NOT think that <a class="indexterm" name="id2868474"></a><i class="parameter"><tt>security</tt></i> = user
684 makes Samba act as a domain member. Read the manufacturer's manual before the warranty expires! See
685 <a href="#domain-member" title="Chapter 7. Domain Membership">the chapter about domain membership</a> for more information.
686 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2868503"></a>Constantly Losing Connections to Password Server</h3></div></div><div></div></div><p>
687 &#8220;<span class="quote">
688 Why does server_validate() simply give up rather than re-establishing its connection to the
689 password server? Though I am not fluent in the SMB protocol, perhaps the cluster server
690 process passes along to its client workstation the session key it receives from the password
691 server, which means the password hashes submitted by the client would not work on a subsequent
692 connection, whose session key would be different. So server_validate() must give up.</span>&#8221;
693 </p><p>
694 Indeed. That's why <a class="indexterm" name="id2868531"></a><i class="parameter"><tt>security</tt></i> = server is at best a nasty hack. Please use <a class="indexterm" name="id2868545"></a><i class="parameter"><tt>security</tt></i> = domain.
695 <a class="indexterm" name="id2868558"></a><i class="parameter"><tt>security</tt></i> = server mode is also known as pass-through authentication.
696 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-pdc"></a>Chapter 5. Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2868835">Features and Benefits</a></dt><dt><a href="#id2869049">Basics of Domain Control</a></dt><dd><dl><dt><a href="#id2869064">Domain Controller Types</a></dt><dt><a href="#id2869309">Preparing for Domain Control</a></dt></dl></dd><dt><a href="#id2869698">Domain Control - Example Configuration</a></dt><dt><a href="#id2870186">Samba ADS Domain Control</a></dt><dt><a href="#id2870238">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="#id2870253">Domain Network Logon Service</a></dt><dt><a href="#id2870678">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="#id2870825">Common Errors</a></dt><dd><dl><dt><a href="#id2870831">'$' cannot be included in 
machine name</a></dt><dt><a href="#id2870890">Joining domain fails because of existing machine account</a></dt><dt><a href="#id2870945">The system can not log you on (C000019B)....</a></dt><dt><a href="#id2871029">The machine trust account not accessible</a></dt><dt><a href="#id2871102">Account disabled</a></dt><dt><a href="#id2871135">Domain Controller Unavailable</a></dt><dt><a href="#id2871156">Can not log onto domain member workstation after joining domain</a></dt></dl></dd></dl></div><p><b><span class="emphasis"><em>The Essence of Learning:</em></span> </b>
697 There are many who approach MS Windows networking with incredible misconceptions.
698 That's OK, because it gives the rest of us plenty of opportunity to be of assistance.
699 Those who really want help would be well advised to become familiar with information
700 that is already available.
701 </p><p>
702 The reader is advised NOT to tackle this section without having first understood
703 and mastered some basics. MS Windows networking is not particularly forgiving of
704 misconfiguration. Users of MS Windows networking are likely to complain
705 of persistent niggles that may be caused by a broken network configuration.
706 To a great many people however, MS Windows networking starts with a domain controller
707 that in some magical way is expected to solve all ills.
708 </p><div class="figure"><a name="domain-example"></a><p class="title"><b>Figure 5.1. An Example Domain</b></p><div class="mediaobject"><img src="projdoc/imagefiles/domain.png" width="270" alt="An Example Domain"></div></div><p>
709 From the Samba mailing list one can readily identify many common networking issues.
710 If you are not clear on the following subjects, then it will do much good to read the
711 sections of this HOWTO that deal with it. These are the most common causes of MS Windows
712 networking problems:
713 </p><div class="itemizedlist"><ul type="disc"><li><p>Basic TCP/IP configuration</p></li><li><p>NetBIOS name resolution</p></li><li><p>Authentication configuration</p></li><li><p>User and Group configuration</p></li><li><p>Basic File and Directory Permission Control in UNIX/Linux</p></li><li><p>Understanding of how MS Windows clients interoperate in a network
714 environment</p></li></ul></div><p>
715 Do not be put off; on the surface of it MS Windows networking seems so simple that anyone
716 can do it. In fact, it is not a good idea to set up an MS Windows network with
717 inadequate training and preparation. But let's get our first indelible principle out of the
718 way: <span class="emphasis"><em>It is perfectly OK to make mistakes!</em></span> In the right place and at
719 the right time, mistakes are the essence of learning. It is <span class="emphasis"><em>very much</em></span>
720 not ok to make mistakes that cause loss of productivity and impose an avoidable financial
721 burden on an organisation.
722 </p><p>
723 Where is the right place to make mistakes? Only out of harm's way! If you are going to
724 make mistakes, then please do this on a test network, away from users and in such a way as
725 to not inflict pain on others. Do your learning on a test network.
726 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2868835"></a>Features and Benefits</h2></div></div><div></div></div><p>
727 <span class="emphasis"><em>What is the key benefit of Microsoft Domain security?</em></span>
728 </p><p>
729 In a word, <span class="emphasis"><em>Single Sign On</em></span>, or SSO for short. To many, this is the holy
730 grail of MS Windows NT and beyond networking. SSO allows users in a well designed network
731 to log onto any workstation that is a member of the domain that their user account is in
732 (or in a domain that has an appropriate trust relationship with the domain they are visiting)
733 and they will be able to log onto the network and access resources (shares, files, and printers)
734 as if they are sitting at their home (personal) workstation. This is a feature of the Domain
735 security protocols.
736 </p><p>
737 The benefits of Domain security are available to those sites that deploy a Samba PDC.
738 A Domain provides a unique network security identifier (SID). Domain user and group security
739 identifiers consist of the network SID plus a relative identifier (RID) that is unique to
740 the account. User and Group SIDs (the network SID plus the RID) can be used to create Access Control
741 Lists (ACLs) attached to network resources to provide organizational access control. UNIX systems
742 know only of local security identifiers.
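The SID structure described above (network SID plus RID) in code, as an added example that is not part of the HOWTO: composing and splitting account SIDs, the binary layout used on the wire and in ACLs, and a same-domain check. The domain SID values are constructed; the well-known RID table is added reference data (Administrator, Guest, Domain Admins, Domain Users) rather than something the text states.

```python
import struct
from typing import List, Tuple

# Well-known NT relative identifiers (reference values, not from the text above).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}


def parse_sid(text: str) -> Tuple[int, int, List[int]]:
    """Split 'S-1-<authority>-<sub>-...' into (revision, authority, sub-authorities)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < (1 << 48) or len(subs) > 15 \
            or any(not 0 <= s < (1 << 32) for s in subs):
        raise ValueError(f"malformed SID: {text!r}")
    return revision, authority, subs


def account_sid(domain_sid: str, rid: int) -> str:
    """A user or group SID is the domain (network) SID with the account's RID appended."""
    parse_sid(domain_sid)  # validate before composing
    return f"{domain_sid}-{rid}"


def split_sid(sid: str) -> Tuple[str, int]:
    """Recover the domain SID and the RID from an account SID."""
    revision, authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError("SID carries no RID")
    domain = "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs[:-1]])
    return domain, subs[-1]


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID: revision byte, sub-authority count byte, 48-bit big-endian
    identifier authority, then each sub-authority as a 32-bit little-endian int."""
    revision, authority, subs = parse_sid(sid)
    return (struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes, rejecting truncated input."""
    if len(data) < 8:
        raise ValueError("truncated SID")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two account SIDs belong to the same domain when only their RIDs differ."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


if __name__ == "__main__":
    domain = "S-1-5-21-1-2-3"  # constructed domain SID
    user = account_sid(domain, 1001)
    print(user, sid_to_bytes(user).hex(), split_sid(user))
    print(WELL_KNOWN_RIDS.get(split_sid(account_sid(domain, 500))[1]))
```

Because a domain member's ACLs name accounts by full SID, the same user SID resolves to the same account on every member server; a UNIX uid, by contrast, is meaningful only on the host that issued it.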
743 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
744 Network clients of an MS Windows Domain security environment must be Domain members to be
745 able to gain access to the advanced features provided. Domain membership involves more than just
746 setting the workgroup name to the Domain name. It requires the creation of a Domain trust account
747 for the workstation (called a machine account). Please refer to the chapter on
748 <a href="#domain-member" title="Chapter 7. Domain Membership">setting up samba as a domain member</a> for more information.
749 </p></div><p>
750 The following functionalities are new to the Samba-3 release:
751 </p><div class="itemizedlist"><ul type="disc"><li><p>
752 Windows NT4 domain trusts
753 </p></li><li><p>
754 Adding users via the User Manager for Domains. This can be done on any MS Windows
755 client using the Nexus toolkit that is available from Microsoft's web site.
756 Samba-3 supports the use of the Microsoft Management Console for user management.
757 </p></li><li><p>
758 Introduces replaceable and multiple user account (authentication)
759 back ends. In the case where the back end is placed in an LDAP database,
760 Samba-3 confers the benefits of a back end that can be distributed, replicated,
761 and is highly scalable.
762 </p></li><li><p>
763 Implements full Unicode support. This simplifies cross locale internationalisation
764 support. It also opens up the use of protocols that Samba-2.2.x had but could not use due
765 to the need to fully support Unicode.
766 </p></li></ul></div><p>
767 The following functionalities are NOT provided by Samba-3:
768 </p><div class="itemizedlist"><ul type="disc"><li><p>
769 SAM replication with Windows NT4 Domain Controllers
770 (i.e. a Samba PDC and a Windows NT BDC or vice versa). This means Samba
771 cannot operate as a BDC when the PDC is Microsoft-based or
772 replicate account data to Windows BDCs.
773 </p></li><li><p>
774 Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
775 Active Directory) - In point of fact, Samba-3 DOES have some
776 Active Directory Domain Control ability that is at this time
777 purely experimental <span class="emphasis"><em>AND</em></span> that is certain
778 to change as it becomes a fully supported feature some time
779 during the Samba-3 (or later) life cycle. However, Active Directory is
780 more than just SMB - it's also LDAP, Kerberos, DHCP and other protocols
781 (with proprietary extensions, of course).
782 </p></li></ul></div><p>
783 Windows 9x / Me / XP Home clients are not true members of a domain for reasons outlined
784 in this chapter. The protocol for support of Windows 9x / Me style network (domain) logons
785 is completely different from NT4 / Win2k type domain logons and has been officially supported
786 for some time. These clients use the old LanMan Network Logon facilities that are supported
787 in Samba since approximately the Samba-1.9.15 series.
788 </p><p>
789 Samba-3 has an implementation of group mapping between Windows NT groups
790 and UNIX groups (this is really quite complicated to explain in a short space). This is
791 discussed more fully in <a href="#groupmapping" title="Chapter 12. Mapping MS Windows and UNIX Groups">the chapter on group mapping</a>.
792 </p><p>
793 Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store
794 user and machine trust account information in a suitable backend data store.
795 Refer <a href="#machine-trust-accounts" title="MS Windows Workstation/Server Machine Trust Accounts">to the section on machine trust accounts</a>. With Samba-3 there can be multiple
796 back-ends for this. A complete discussion of account database backends can be found in
797 <a href="#passdb" title="Chapter 11. Account Information Databases">the chapter on Account Information Databases</a>.
798 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2869049"></a>Basics of Domain Control</h2></div></div><div></div></div><p>
799 Over the years, public perceptions of what Domain Control really is have taken on an
800 almost mystical nature. Before we branch into a brief overview of Domain Control,
801 note that there are three basic types of domain controllers:
802 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2869064"></a>Domain Controller Types</h3></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Primary Domain Controller</p></li><li><p>Backup Domain Controller</p></li><li><p>ADS Domain Controller</p></li></ul></div><p>
803 The <span class="emphasis"><em>Primary Domain Controller</em></span> or PDC plays an important role in MS
804 Windows NT4 domains. In the Windows 200x Domain Control architecture this role is held by domain controllers.
805 There is folk lore that dictates that because of its role in the MS Windows
806 network, the domain controllers should be the most powerful and most capable machines in the network.
807 As strange as it may seem to say this here, good overall network performance dictates that
808 the entire infrastructure needs to be balanced. It is advisable to invest more in Stand-Alone
809 (or Domain Member) servers than in the domain controllers.
810 </p><p>
811 In the case of MS Windows NT4 style domains, it is the PDC that initiates a new Domain Control database.
812 This forms a part of the Windows registry called the SAM (Security Account Manager). It plays a key
813 part in NT4 type domain user authentication and in synchronisation of the domain authentication
814 database with Backup Domain Controllers.
815 </p><p>
816 With MS Windows 200x Server based Active Directory domains, one domain controller initiates a potential
817 hierarchy of domain controllers, each with their own area of delegated control. The master domain
818 controller has the ability to override any down-stream controller, but a down-line controller has
819 control only over its down-line. With Samba-3 this functionality can be implemented using an
820 LDAP based user and machine account back end.
821 </p><p>
822 New to Samba-3 is the ability to use a back-end database that holds the same type of data as
823 the NT4 style SAM (Security Account Manager) database (one of the registry files).
824 <sup>[<a name="id2869141" href="#ftn.id2869141">1</a>]</sup>
825 </p><p>
826 The <span class="emphasis"><em>Backup Domain Controller</em></span> or BDC plays a key role in servicing network
827 authentication requests. The BDC is biased to answer logon requests in preference to the PDC.
828 On a network segment that has a BDC and a PDC the BDC will be most likely to service network
829 logon requests. The PDC will answer network logon requests when the BDC is too busy (high load).
830 A BDC can be promoted to a PDC. If the PDC is on line at the time that a BDC is promoted to
831 PDC, the previous PDC is automatically demoted to a BDC. With Samba-3 this is NOT an automatic
832 operation; the PDC and BDC must be manually configured and changes need to be made likewise.
833 </p><p>
834 With MS Windows NT4, it is an install time decision what type of machine the server will be.
835 It is possible to promote a BDC to a PDC and vice versa, but the only way
836 to convert a domain controller to a domain member server or a stand-alone server is to
837 reinstall it. The install time choices offered are:
838 </p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Primary Domain Controller</em></span> - The one that seeds the domain SAM</p></li><li><p><span class="emphasis"><em>Backup Domain Controller</em></span> - One that obtains a copy of the domain SAM</p></li><li><p><span class="emphasis"><em>Domain Member Server</em></span> - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</p></li><li><p><span class="emphasis"><em>Stand-Alone Server</em></span> - One that plays NO part in SAM synchronisation, has its own authentication database and plays no role in Domain security.</p></li></ul></div><p>
839 With MS Windows 2000 the configuration of domain control is done after the server has been
840 installed. Samba-3 is capable of acting fully as a native member of a Windows 200x server
841 Active Directory domain.
842 </p><p>
843 New to Samba-3 is the ability to function fully as an MS Windows NT4 style Domain Controller,
844 excluding the SAM replication components. However, please be aware that Samba-3 supports the
845 MS Windows 200x domain control protocols also.
846 </p><p>
847 At this time any appearance that Samba-3 is capable of acting as an
848 <span class="emphasis"><em>Domain Controller</em></span> in native ADS mode is limited and experimental in nature.
849 This functionality should not be used until the Samba-Team offers formal support for it.
850 At such a time, the documentation will be revised to duly reflect all configuration and
851 management requirements. Samba can act as a NT4-style DC in a Windows 2000/XP
852 environment. However, there are certain compromises:
854 </p><div class="itemizedlist"><ul type="disc"><li><p>No machine policy files</p></li><li><p>No Group Policy Objects</p></li><li><p>No synchronously executed AD logon scripts</p></li><li><p>Can't use ANY Active Directory management tools to manage users and machines</p></li><li><p>Registry changes tattoo the main registry, while with AD they do NOT, i.e. they leave permanent changes in effect</p></li><li><p>Without AD you can not perform the function of exporting specific applications to specific users or groups</p></li></ul></div><p>
855 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2869309"></a>Preparing for Domain Control</h3></div></div><div></div></div><p>
856 There are two ways that MS Windows machines may interact with each other, with other servers,
857 and with Domain Controllers: Either as <span class="emphasis"><em>Stand-Alone</em></span> systems, more commonly
858 called <span class="emphasis"><em>Workgroup</em></span> members, or as full participants in a security system,
859 more commonly called <span class="emphasis"><em>Domain</em></span> members.
860 </p><p>
861 It should be noted that <span class="emphasis"><em>Workgroup</em></span> membership involves no special configuration
862 other than the machine being configured so that the network configuration has a commonly used name
863 for its workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this
864 mode of configuration there are NO machine trust accounts and any concept of membership as such
865 is limited to the fact that all machines appear in the network neighbourhood to be logically
866 grouped together. Again, just to be clear: <span class="emphasis"><em>workgroup mode does not involve any security machine
867 accounts</em></span>.
868 </p><p>
869 Domain member machines have a machine account in the Domain accounts database. A special procedure
870 must be followed on each machine to effect Domain membership. This procedure, which can be done
871 only by the local machine Administrator account, will create the Domain machine account (if
872 it does not exist), and then initialize that account. When the client first logs onto the
873 Domain it triggers a machine password change.
874 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
875 When running a Domain all MS Windows NT / 200x / XP Professional clients should be configured
876 as full Domain Members - IF A SECURE NETWORK IS WANTED. If the machine is NOT made a member of the
877 Domain, then it will operate like a workgroup (stand-alone) machine. Please refer to
878 <a href="#domain-member" title="Chapter 7. Domain Membership">the chapter on domain membership</a> for information regarding HOW to make your MS Windows clients Domain members.
879 </p></div><p>
880 The following are necessary for configuring Samba-3 as an MS Windows NT4 style PDC for MS Windows
881 NT4 / 200x / XP clients.
882 </p><div class="itemizedlist"><ul type="disc"><li><p>Configuration of basic TCP/IP and MS Windows Networking</p></li><li><p>Correct designation of the Server Role (<a class="indexterm" name="id2869424"></a><i class="parameter"><tt>security</tt></i> = user)</p></li><li><p>Consistent configuration of Name Resolution (See chapter on <a href="#NetworkBrowsing" title="Chapter 10. Samba / MS Windows Network Browsing Guide">Network Browsing</a> and on
883 <a href="#integrate-ms-networks" title="Chapter 26. Integrating MS Windows networks with Samba">Integrating Unix into Windows networks</a>)</p></li><li><p>Domain logons for Windows NT4 / 200x / XP Professional clients</p></li><li><p>Configuration of Roaming Profiles or explicit configuration to force local profile usage</p></li><li><p>Configuration of Network/System Policies</p></li><li><p>Adding and managing domain user accounts</p></li><li><p>Configuring MS Windows client machines to become domain members</p></li></ul></div><p>
884 The following provisions are required to serve MS Windows 9x / Me Clients:
885 </p><div class="itemizedlist"><ul type="disc"><li><p>Configuration of basic TCP/IP and MS Windows Networking</p></li><li><p>Correct designation of the Server Role (<a class="indexterm" name="id2869517"></a><i class="parameter"><tt>security</tt></i> = user)</p></li><li><p>Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
886 members, they do not really participate in the security aspects of Domain logons as such)</p></li><li><p>Roaming Profile Configuration</p></li><li><p>Configuration of System Policy handling</p></li><li><p>Installation of the Network driver "Client for MS Windows Networks" and configuration
887 to log onto the domain</p></li><li><p>Placing Windows 9x / Me clients in user level security - if it is desired to allow
888 all client share access to be controlled according to domain user / group identities.</p></li><li><p>Adding and managing domain user accounts</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
889 Roaming Profiles and System/Network policies are advanced network administration topics
890 that are covered in the <a href="#ProfileMgmt" title="Chapter 24. Desktop Profile Management">Profile Management</a> and
891 <a href="#PolicyMgmt" title="Chapter 23. System and Account Policies">Policy Management</a> chapters of this document. However, these are not
892 necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts.
893 </p></div><p>
894 A Domain Controller is an SMB/CIFS server that:
895 </p><div class="itemizedlist"><ul type="disc"><li><p>
896 Registers and advertises itself as a Domain Controller (through NetBIOS broadcasts
897 as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast,
898 to a WINS server over UDP unicast, or via DNS and Active Directory)
899 </p></li><li><p>
900 Provides the NETLOGON service (actually a collection of services that runs over
901 a number of protocols. These include the LanMan Logon service, the Netlogon service,
902 the Local Security Account service, and variations of them)
903 </p></li><li><p>
904 Provides a share called NETLOGON
905 </p></li></ul></div><p>
906 Configuring Samba to provide these is rather easy. Each Samba Domain Controller must provide
907 the NETLOGON service which Samba calls the <a class="indexterm" name="id2869647"></a><i class="parameter"><tt>domain logons</tt></i> functionality
908 (after the name of the parameter in the <tt class="filename">smb.conf</tt> file). Additionally, one (1) server in a Samba-3
909 Domain must advertise itself as the domain master browser<sup>[<a name="id2869672" href="#ftn.id2869672">2</a>]</sup>. This causes the Primary Domain Controller
910 to claim the domain-specific NetBIOS name that identifies it as the domain master browser for its given
911 domain/workgroup. Local master browsers in the same domain/workgroup on broadcast-isolated subnets
912 then ask for a complete copy of the browse list for the whole wide area network. Browser clients
913 will then contact their local master browser, and will receive the domain-wide browse list,
914 instead of just the list for their broadcast-isolated subnet.
915 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2869698"></a>Domain Control - Example Configuration</h2></div></div><div></div></div><p>
916 The first step in creating a working Samba PDC is to understand the parameters necessary
917 in <tt class="filename">smb.conf</tt>. An example <tt class="filename">smb.conf</tt> for acting as a PDC can be found in the example
918 <a href="#pdc-example" title="Example 5.1. smb.conf for being a PDC">for being a PDC</a>.
919 </p><p>
920 </p><div class="example"><a name="pdc-example"></a><p class="title"><b>Example 5.1. smb.conf for being a PDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = BELERIAND</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>passdb backend = ldapsam, guest</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 33</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr><tr><td><i class="parameter"><tt>encrypt passwords = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path = \\%N\profiles\%u</tt></i></td></tr><tr><td><i class="parameter"><tt>logon drive = H:</tt></i></td></tr><tr><td><i class="parameter"><tt>logon home = \\homeserver\%u\winprofile</tt></i></td></tr><tr><td><i class="parameter"><tt>logon script = logon.cmd</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>write list = ntadmin</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profiles]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/profiles</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = no</tt></i></td></tr><tr><td><i class="parameter"><tt>create mask = 0600</tt></i></td></tr><tr><td><i class="parameter"><tt>directory mask = 0700</tt></i></td></tr></table></div><p>
921 </p><p>
922 The basic options shown above are explained as follows:
923 </p><div class="variablelist"><dl><dt><span class="term">passdb backend</span></dt><dd><p>
924 This contains all the user and group account information. Acceptable values for a PDC
925 are: <span class="emphasis"><em>smbpasswd, tdbsam, ldapsam</em></span>. The 'guest' entry provides needed
926 default accounts.</p><p>
927 Where it is intended to use backup domain controllers (BDCs), the only logical choice is
928 to use LDAP so that the passdb backend can be distributed. The tdbsam and smbpasswd files
929 cannot effectively be distributed and therefore should not be used.
930 </p></dd><dt><span class="term">Domain Control Parameters</span></dt><dd><p>
931 The parameters <span class="emphasis"><em>os level, preferred master, domain master, security,
932 encrypt passwords, domain logons</em></span> play a central role in assuring domain
933 control and network logon support.</p><p>
934 The <span class="emphasis"><em>os level</em></span> must be set at or above a value of 32. A domain controller
935 must be the domain master browser, must be set in <span class="emphasis"><em>user</em></span> mode security,
936 must support Microsoft compatible encrypted passwords, and must provide the network logon
937 service (domain logons). Encrypted passwords must be enabled, for more details on how
938 to do this, refer to <a href="#passdb" title="Chapter 11. Account Information Databases">the chapter on account information databases</a>.
939 </p></dd><dt><span class="term">Environment Parameters</span></dt><dd><p>
940 The parameters <span class="emphasis"><em>logon path, logon home, logon drive, logon script</em></span> are
941 environment support settings that help to facilitate client logon operations and that help
942 to provide automated control facilities to ease network management overheads. Please refer
943 to the man page information for these parameters.
944 </p></dd><dt><span class="term">NETLOGON Share</span></dt><dd><p>
945 The NETLOGON share plays a central role in domain logon and domain membership support.
946 This share is provided on all Microsoft domain controllers. It is used to provide logon
947 scripts, to store Group Policy files (NTConfig.POL), as well as to locate other common
948 tools that may be needed for logon processing. This is an essential share on a domain controller.
949 </p></dd><dt><span class="term">PROFILE Share</span></dt><dd><p>
950 This share is used to store user desktop profiles. Each user must have a directory at the root
951 of this share. This directory must be write enabled for the user and must be globally read enabled.
952 Samba-3 has a VFS module called 'fake_permissions' that may be installed on this share. This will
953 allow a Samba administrator to make the directory read only to everyone. Of course this is useful
954 only after the profile has been properly created.
955 </p></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
956 The above parameters make for a full set of parameters that may define the server's mode
957 of operation. The following <tt class="filename">smb.conf</tt> parameters are the essentials alone:
958 </p><p>
959 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>netbios name = BELERIAND</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>security = User</tt></i></td></tr></table><p>
960 </p><p>
961 The additional parameters shown in the longer listing above just make for a
962 more complete explanation.
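The Domain Control Parameters above and the essentials in this note spell out what a Samba-3 domain controller's <tt class="filename">smb.conf</tt> must contain. The following script is an added example (not part of the Samba documentation or source tree) that reads an <tt class="filename">smb.conf</tt> the way Samba does (case- and whitespace-insensitive parameter names, yes/no booleans) and reports which of those rules a configuration breaks; the role argument lets the same check enforce <i class="parameter"><tt>domain master</tt></i> = No on a BDC. Its inputs are the domain-control lines of Example 5.1 and a constructed weak configuration.

```python
"""Check an smb.conf against the Samba-3 domain controller rules in this
chapter: domain logons, domain master (yes on the PDC, no on BDCs),
security = user, encrypted passwords, os level >= 32 and a NETLOGON share.
Added example, not from the Samba documentation or source tree. It parses
only what the examples need (sections, key = value, '#'/';' comments) and
compares parameter names with case and whitespace ignored, as Samba does."""
import re

# The [global] domain-control lines and [netlogon] share of Example 5.1 above.
EXAMPLE_5_1 = """
[global]
   netbios name = BELERIAND
   workgroup = MIDEARTH
   passdb backend = ldapsam, guest
   os level = 33
   preferred master = yes
   domain master = yes
   security = user
   encrypt passwords = yes
   domain logons = yes

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
"""

# Constructed weak configuration (not from the page): share-mode security,
# plain-text passwords, low os level, domain master off, no [netlogon].
WEAK_PDC = """
[global]
   netbios name = WEAKDC
   workgroup = MIDEARTH
   security = Share
   encrypt passwords = No
   domain logons = Yes
   domain master = No
   os level = 20
"""


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}} for an smb.conf body."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                    # [section] header
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def as_bool(value):
    """Interpret a Samba boolean; None when unset or unrecognised."""
    v = (value or "").strip().lower()
    return True if v in ("yes", "true", "1") else False if v in ("no", "false", "0") else None


def check_domain_controller(conf, role="pdc"):
    """Return (errors, warnings) for a DC meant to act as 'pdc' or 'bdc'."""
    g, errors, warnings = conf.get("global", {}), [], []
    want_master = role == "pdc"
    if as_bool(g.get("domainlogons")) is not True:
        errors.append("domain logons must be yes: every DC runs the netlogon service")
    if as_bool(g.get("domainmaster")) is not want_master:
        errors.append("domain master must be %s on a %s"
                      % ("yes" if want_master else "no", role.upper()))
    security = g.get("security", "user").lower()
    if security == "share":
        errors.append("security = share cannot act as a domain controller")
    elif security != "user":
        warnings.append("security = %s: only security = user is officially supported" % security)
    enc = as_bool(g.get("encryptpasswords"))
    if enc is False:
        errors.append("encrypt passwords = no: a DC must support encrypted passwords")
    elif enc is None:
        warnings.append("encrypt passwords not set explicitly; it must be enabled on a DC")
    if want_master:                              # browser election rules apply to the PDC
        level = g.get("oslevel")
        if level is None:
            warnings.append("os level not set; the PDC needs 32 or above to be domain master browser")
        elif not level.isdigit() or int(level) < 32:
            errors.append("os level = %s: the PDC must use 32 or above" % level)
        if as_bool(g.get("preferredmaster")) is not True:
            warnings.append("preferred master = yes is recommended on the PDC")
    if "netlogon" not in conf:
        errors.append("no [netlogon] share: clients fetch logon scripts and policies from it")
    backend = g.get("passdbbackend", "smbpasswd").split(",")[0].strip()
    if role == "bdc" and not backend.startswith("ldapsam"):
        warnings.append("passdb backend = %s cannot be shared with the PDC; BDCs need ldapsam" % backend)
    return errors, warnings
```

Running <tt>check_domain_controller(parse_smb_conf(open("/etc/samba/smb.conf").read()))</tt> against a real file gives the same two lists for a live server.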
963 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2870186"></a>Samba ADS Domain Control</h2></div></div><div></div></div><p>
964 Samba-3 is not, and cannot act as, an Active Directory Server. It cannot truly function as
965 an Active Directory Primary Domain Controller. The protocols for some of the functionality
966 that Active Directory Domain Controllers provide have been partially implemented on an experimental
967 only basis. Please do NOT expect Samba-3 to support these protocols. Do not depend
968 on any such functionality either now or in the future. The Samba-Team may remove these
969 experimental features or may change their behaviour. This is mentioned for the benefit of those
970 who have discovered secret capabilities in Samba-3 and who have asked when this functionality will be
971 completed. The answer is: maybe, or maybe never!
972 </p><p>
973 To be sure: Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4 style
974 domain controllers have. Samba-3 does NOT have all the capabilities of Windows NT4, but it does have
975 a number of features that Windows NT4 domain controllers do not have. In short, Samba-3 is not NT4, it
976 is not Windows Server 200x and it is not an Active Directory server. We hope this is plain and simple
977 enough for all to understand.
978 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2870238"></a>Domain and Network Logon Configuration</h2></div></div><div></div></div><p>
979 The subject of Network or Domain Logons is discussed here because it forms
980 an integral part of the essential functionality that is provided by a Domain Controller.
981 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2870253"></a>Domain Network Logon Service</h3></div></div><div></div></div><p>
982 All Domain Controllers must run the netlogon service (<span class="emphasis"><em>domain logons</em></span>
983 in Samba). One Domain Controller must be configured with <a class="indexterm" name="id2870270"></a><i class="parameter"><tt>domain master</tt></i> = Yes
984 (the Primary Domain Controller); on ALL Backup Domain Controllers <a class="indexterm" name="id2870287"></a><i class="parameter"><tt>domain master</tt></i> = No
985 must be set.
986 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2870302"></a>Example Configuration</h4></div></div><div></div></div><div class="example"><a name="id2870309"></a><p class="title"><b>Example 5.2. smb.conf for being a PDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = (Yes on PDC, No on BDCs)</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Network Logon Service</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = No</tt></i></td></tr></table></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2870393"></a>The Special Case of MS Windows XP Home Edition</h4></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
987 MS Windows XP Home Edition does not have the ability to join any type of Domain
988 security facility. Unlike MS Windows 9x / Me, MS Windows XP Home Edition also completely
989 lacks the ability to log onto a network.
990 </p></div><p>
991 To be completely clear: If you want MS Windows XP Home Edition to integrate with your
992 MS Windows NT4 or Active Directory Domain security understand - IT CAN NOT BE DONE.
993 Your only choice is to buy the upgrade pack from MS Windows XP Home Edition to
994 MS Windows XP Professional.
995 </p><p>
996 Now that this has been said, please do NOT ask the mailing list, or email any of the
997 Samba-Team members with your questions asking how to make this work. It can't be done.
998 If it can be done, then to do so would violate your software license agreement with
999 Microsoft, and we recommend that you do not do that.
1000 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2870431"></a>The Special Case of Windows 9x / Me</h4></div></div><div></div></div><p>
1001 A domain and a workgroup are exactly the same in terms of network
1002 browsing. The difference is that a distributable authentication
1003 database is associated with a domain, for secure login access to a
1004 network. Also, different access rights can be granted to users if they
1005 successfully authenticate against a domain logon server. Samba-3 does this
1006 now in the same way that MS Windows NT/2K does.
1007 </p><p>
1008 The SMB client logging on to a domain has an expectation that every other
1009 server in the domain should accept the same authentication information.
1010 Network browsing functionality of domains and workgroups is identical and
1011 is explained in this documentation under the browsing discussions.
1012 It should be noted, that browsing is totally orthogonal to logon support.
1013 </p><p>
1014 Issues related to the single-logon network model are discussed in this
1015 section. Samba supports domain logons, network logon scripts, and user
1016 profiles for MS Windows for workgroups and MS Windows 9X/ME clients
1017 which are the focus of this section.
1018 </p><p>
1019 When an SMB client in a domain wishes to logon, it broadcasts requests for a
1020 logon server. The first one to reply gets the job, and validates its
1021 password using whatever mechanism the Samba administrator has installed.
1022 It is possible (but ill advised) to create a domain where the user
1023 database is not shared between servers, i.e. they are effectively workgroup
1024 servers advertising themselves as participating in a domain. This
1025 demonstrates how authentication is quite different from, but closely
1026 involved with, domains.
1027 </p><p>
1028 Using these features you can make your clients verify their logon via
1029 the Samba server; make clients run a batch file when they logon to
1030 the network and download their preferences, desktop and start menu.
1031 </p><p><span class="emphasis"><em>
1032 MS Windows XP Home edition is NOT able to join a domain and does not permit
1033 the use of domain logons.
1034 </em></span></p><p>
1035 Before launching into the configuration instructions, it is
1036 worthwhile to look at how a Windows 9x/ME client performs a logon:
1037 </p><div class="orderedlist"><ol type="1"><li><p>
1038 The client broadcasts (to the IP broadcast address of the subnet it is in)
1039 a NetLogon request. This is sent to the NetBIOS name DOMAIN&lt;#1c&gt; at the
1040 NetBIOS layer. The client chooses the first response it receives, which
1041 contains the NetBIOS name of the logon server to use in the format of
1042 <tt class="filename">\\SERVER</tt>.
1043 </p></li><li><p>
1044 The client then connects to that server, logs on (does an SMBsessetupX) and
1045 then connects to the IPC$ share (using an SMBtconX).
1046 </p></li><li><p>
1047 The client then does a NetWkstaUserLogon request, which retrieves the name
1048 of the user's logon script.
1049 </p></li><li><p>
1050 The client then connects to the NetLogon share and searches for said script
1051 and if it is found and can be read, is retrieved and executed by the client.
1052 After this, the client disconnects from the NetLogon share.
1053 </p></li><li><p>
1054 The client then sends a NetUserGetInfo request to the server, to retrieve
1055 the user's home share, which is used to search for profiles. Since the
1056 response to the NetUserGetInfo request does not contain much more than
1057 the user's home share, profiles for Win9X clients MUST reside in the user
1058 home directory.
1059 </p></li><li><p>
1060 The client then connects to the user's home share and searches for the
1061 user's profile. As it turns out, you can specify the user's home share as
1062 a sharename and path. For example, <tt class="filename">\\server\fred\.winprofile</tt>.
1063 If the profiles are found, they are implemented.
1064 </p></li><li><p>
1065 The client then disconnects from the user's home share, and reconnects to
1066 the NetLogon share and looks for <tt class="filename">CONFIG.POL</tt>, the policies file. If this is
1067 found, it is read and implemented.
1068 </p></li></ol></div><p>
1069 The main differences between a PDC and a Windows 9x logon server configuration are that:
1070 </p><div class="itemizedlist"><ul type="disc"><li><p>
1071 Password encryption is not required for a Windows 9x logon server. But note
1072 that beginning with MS Windows 98 the default setting is that plain-text
1073 password support is disabled. It can be re-enabled with the registry
1074 changes that are documented in the chapter on Policies.
1075 </p></li><li><p>
1076 Windows 9x/ME clients do not require and do not use machine trust accounts.
1077 </p></li></ul></div><p>
1078 A Samba PDC will act as a Windows 9x logon server; after all, it does provide the
1079 network logon services that MS Windows 9x / Me expect to find.
1080 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1081 Use of plain-text passwords is strongly discouraged. Where used they are easily detected
1082 using a sniffer tool to examine network traffic.
1083 </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2870678"></a>Security Mode and Master Browsers</h3></div></div><div></div></div><p>
1084 There are a few comments to make in order to tie up some
1085 loose ends. There has been much debate over the issue of whether
1086 or not it is ok to configure Samba as a Domain Controller in security
1087 modes other than <tt class="constant">USER</tt>. The only security mode
1088 which will not work due to technical reasons is <tt class="constant">SHARE</tt>
1089 mode security. <tt class="constant">DOMAIN</tt> and <tt class="constant">SERVER</tt>
1090 mode security are really just a variation on SMB user level security.
1091 </p><p>
1092 Actually, this issue is also closely tied to the debate on whether
1093 or not Samba must be the domain master browser for its workgroup
1094 when operating as a DC. While it may technically be possible
1095 to configure a server as such (after all, browsing and domain logons
1096 are two distinctly different functions), it is not a good idea to do
1097 so. You should remember that the DC must register the DOMAIN&lt;#1b&gt; NetBIOS
1098 name. This is the name used by Windows clients to locate the DC.
1099 Windows clients do not distinguish between the DC and the DMB.
1100 A DMB is a Domain Master Browser - see <a href="#DMB" title="Setting up WORKGROUP Browsing">Domain Master Browser</a>.
1101 For this reason, it is very wise to configure the Samba DC as the DMB.
1102 </p><p>
1103 Now back to the issue of configuring a Samba DC to use a mode other
1104 than <a class="indexterm" name="id2870747"></a><i class="parameter"><tt>security</tt></i> = user. If a Samba host is configured to use
1105 another SMB server or DC in order to validate user connection
1106 requests, then it is a fact that some other machine on the network
1107 (the <a class="indexterm" name="id2870765"></a><i class="parameter"><tt>password server</tt></i>) knows more about the user than the Samba host.
1108 99% of the time, this other host is a domain controller. Now
1109 in order to operate in domain mode security, the <a class="indexterm" name="id2870782"></a><i class="parameter"><tt>workgroup</tt></i> parameter
1110 must be set to the name of the Windows NT domain (which already
1111 has a domain controller). If the domain does NOT already have a Domain Controller
1112 then you do not yet have a Domain!
1113 </p><p>
1114 Configuring a Samba box as a DC for a domain that already by definition has a
1115 PDC is asking for trouble. Therefore, you should always configure the Samba DC
1116 to be the DMB for its domain and set <a class="indexterm" name="id2870806"></a><i class="parameter"><tt>security</tt></i> = user.
1117 This is the only officially supported mode of operation.
1118 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2870825"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2870831"></a>'$' cannot be included in machine name</h3></div></div><div></div></div><p>
1119 A 'machine account', (typically) stored in <tt class="filename">/etc/passwd</tt>,
1120 takes the form of the machine name with a '$' appended. FreeBSD (and other BSD
1121 systems?) won't create a user with a '$' in their name.
1122 </p><p>
1123 The problem is only in the program used to make the entry. Once made, it works perfectly.
1124 Create a user without the '$'. Then use <b class="command">vipw</b> to edit the entry, adding
1125 the '$'. Or create the whole entry with vipw if you like; make sure you use a unique User ID!
1126 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1127 The UNIX tool <b class="command">vipw</b> is a common tool for directly editing the <tt class="filename">/etc/passwd</tt> file.
1128 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2870890"></a>Joining domain fails because of existing machine account</h3></div></div><div></div></div><p>&#8220;<span class="quote">I get told "You already have a connection to the Domain...."
1129 or "Cannot join domain, the credentials supplied conflict with an
1130 existing set.." when creating a machine trust account.</span>&#8221;</p><p>
1131 This happens if you try to create a machine trust account from the
1132 machine itself and already have a connection (e.g. mapped drive)
1133 to a share (or IPC$) on the Samba PDC. The following command
1134 will remove all network drive connections:
1135 </p><pre class="screen">
1136 <tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>net use * /d</tt></b>
1137 </pre><p>
1138 Further, if the machine is already a 'member of a workgroup' that
1139 is the same name as the domain you are joining (bad idea) you will
1140 get this message. Change the workgroup name to something else, it
1141 does not matter what, reboot, and try again.
1142 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2870945"></a>The system can not log you on (C000019B)....</h3></div></div><div></div></div><p>&#8220;<span class="quote">I joined the domain successfully but after upgrading
1143 to a newer version of the Samba code I get the message, <span class="errorname">The system
1144 can not log you on (C000019B), Please try again or consult your
1145 system administrator</span> when attempting to logon.</span>&#8221;
1146 </p><p>
1147 This occurs when the domain SID stored in the secrets.tdb database
1148 is changed. The most common cause of a change in domain SID is when
1149 the domain name and/or the server name (NetBIOS name) is changed.
1150 The only way to correct the problem is to restore the original domain
1151 SID or remove the domain client from the domain and rejoin. The domain
1152 SID may be reset using either the net or rpcclient utilities.
1153 </p><p>
1154 To reset or change the domain SID, use the net command as follows:
1156 </p><pre class="screen">
1157 <tt class="prompt">root# </tt><b class="userinput"><tt>net getlocalsid 'OLDNAME'</tt></b>
1158 <tt class="prompt">root# </tt><b class="userinput"><tt>net setlocalsid 'SID'</tt></b>
1159 </pre><p>
1160 </p><p>
1161 Workstation machine trust accounts work only with the Domain (or network) SID. If this SID changes
1162 then domain members (workstations) will not be able to log onto the domain. The original Domain SID
1163 can be recovered from the secrets.tdb file. The alternative is to visit each workstation to re-join
1164 it to the domain.
1165 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2871029"></a>The machine trust account not accessible</h3></div></div><div></div></div><p>
1166 &#8220;<span class="quote">When I try to join the domain I get the message <span class="errorname">The machine account
1167 for this computer either does not exist or is not accessible</span>. What's
1168 wrong?</span>&#8221;
1169 </p><p>
1170 This problem is caused by the PDC not having a suitable machine trust account.
1171 If you are using the <a class="indexterm" name="id2871056"></a><i class="parameter"><tt>add machine script</tt></i> method to create
1172 accounts then this would indicate that it has not worked. Ensure the domain
1173 admin user system is working.
1174 </p><p>
1175 Alternatively if you are creating account entries manually then they
1176 have not been created correctly. Make sure that you have the entry
1177 correct for the machine trust account in <tt class="filename">smbpasswd</tt> file on the Samba PDC.
1178 If you added the account using an editor rather than using the smbpasswd
1179 utility, make sure that the account name is the machine NetBIOS name
1180 with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
1181 in both /etc/passwd and the smbpasswd file.
1182 </p><p>
1183 Some people have also reported
1184 that inconsistent subnet masks between the Samba server and the NT
1185 client can cause this problem. Make sure that these are consistent
1186 for both client and server.
1187 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2871102"></a>Account disabled</h3></div></div><div></div></div><p>&#8220;<span class="quote">When I attempt to login to a Samba Domain from a NT4/W2K workstation,
1188 I get a message about my account being disabled.</span>&#8221;</p><p>
1189 Enable the user accounts with <b class="userinput"><tt>smbpasswd -e <i class="replaceable"><tt>username</tt></i>
1190 </tt></b>, this is normally done as an account is created.
1191 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2871135"></a>Domain Controller Unavailable</h3></div></div><div></div></div><p>&#8220;<span class="quote">Until a few minutes after Samba has started, clients get the error "Domain Controller Unavailable"</span>&#8221;</p><p>
1192 A domain controller has to announce on the network who it is. This usually takes a while.
1193 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2871156"></a>Can not log onto domain member workstation after joining domain</h3></div></div><div></div></div><p>After successfully joining the domain user logons fail with one of two messages:</p><p>One to the effect that the domain controller can not be found, the other claiming that the
1194 account does not exist in the domain or that the password is incorrect.</p><p>This may be due to incompatible settings between
1195 the Windows client and the Samba-3 server for <span class="emphasis"><em>schannel</em></span> (secure channel) settings
1196 or <span class="emphasis"><em>smb signing</em></span> settings. Check your samba settings for <span class="emphasis"><em>
1197 client schannel, server schannel, client signing, server signing</em></span> by executing:
1198 <b class="command">testparm -v | more</b> and looking for the value of these parameters.
1199 </p><p>
1200 Also use the Microsoft Management Console - Local Security Settings. This tool is available from the
1201 Control Panel. The Policy settings are found in the Local Policies / Security Options area and are prefixed by
1202 <span class="emphasis"><em>Secure Channel: ..., and Digitally sign ...</em></span>.
1203 </p><p>
1204 It is important that these be set consistently with the Samba-3 server settings.
1205 </p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2869141" href="#id2869141">1</a>] </sup>See also <a href="#passdb" title="Chapter 11. Account Information Databases">the chapter on Account Information Databases</a>.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2869672" href="#id2869672">2</a>] </sup>See also <a href="#NetworkBrowsing" title="Chapter 10. Samba / MS Windows Network Browsing Guide">the chapter about network browsing</a></p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-bdc"></a>Chapter 6. Backup Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2871317">Features And Benefits</a></dt><dt><a href="#id2871494">Essential Background Information</a></dt><dd><dl><dt><a href="#id2871522">MS Windows NT4 Style Domain Control</a></dt><dt><a href="#id2871772">Active Directory Domain Control</a></dt><dt><a href="#id2871793">What qualifies a Domain Controller on the network?</a></dt><dt><a href="#id2871819">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="#id2871833">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a 
href="#id2871968">Example Configuration</a></dt></dl></dd><dt><a href="#id2872125">Common Errors</a></dt><dd><dl><dt><a href="#id2872138">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="#id2872169">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="#id2872196">How do I replicate the smbpasswd file?</a></dt><dt><a href="#id2872240">Can I do this all with LDAP?</a></dt></dl></dd></dl></div><p>
1206 Before you continue reading in this section, please make sure that you are comfortable
1207 with configuring a Samba Domain Controller as described in <a href="#samba-pdc" title="Chapter 5. Domain Control">chapter on setting up Samba as a PDC</a>.
1208 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2871317"></a>Features And Benefits</h2></div></div><div></div></div><p>
1209 This is one of the most difficult chapters to summarise. It does not matter what we say here
1210 for someone will still draw conclusions and / or approach the Samba-Team with expectations
1211 that are either not yet capable of being delivered, or that can be achieved far more
1212 effectively using a totally different approach. In the event that you should have a persistent
1213 concern that is not addressed in this book then please email
1214 <a href="mailto:jht@samba.org" target="_top">John H Terpstra</a> clearly setting out your requirements
1215 and / or question and we will do our best to provide a solution.
1216 </p><p>
1217 Samba-3 is capable of acting as a Backup Domain Controller to another Samba Primary Domain
1218 Controller. A Samba-3 PDC can operate with an LDAP Account backend. The LDAP backend can be
1219 either a common master LDAP server, or a slave server. The use of a slave LDAP server has the
1220 benefit that when the master is down clients may still be able to log onto the network.
1221 This effectively gives Samba a high degree of scalability and is a very nice solution
1222 for large organisations.
1223 </p><p>
1224 While it is possible to run a Samba-3 BDC with a non-LDAP backend, the administrator will
1225 need to figure out precisely what is the best way to replicate (copy / distribute) the
1226 user and machine accounts backend.
1227 </p><p>
1228 The use of a non-LDAP backend SAM database is particularly problematic because Domain member
1229 servers and workstations periodically change the machine trust account password. The new
1230 password is then stored only locally. This means that in the absence of a centrally stored
1231 accounts database (such as that provided with an LDAP based solution) if Samba-3 is running
1232 as a BDC, the BDC instance of the Domain member trust account password will not reach the
1233 PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs this results in
1234 overwriting of the SAM that contains the updated (changed) trust account password with resulting
1235 breakage of the domain trust.
1236 </p><p>
1237 Considering the number of comments and questions raised concerning how to configure a BDC
1238 let us consider each possible option and look at the pros and cons of each theoretical solution:
1239 </p><div class="itemizedlist"><p class="title"><b>Backup Domain Backend Account Distribution Options</b></p><ul type="disc"><li><p>
1240 Solution: Passwd Backend is LDAP based, BDCs use a slave LDAP server
1241 </p><p>
1242 Arguments For: This is a neat and manageable solution. The LDAP based SAM (ldapsam)
1243 is constantly kept up to date.
1244 </p><p>
1245 Arguments Against: Complexity
1246 </p></li><li><p>
1247 Passdb Backend is tdbsam based, BDCs use cron based <span class="emphasis"><em>net rpc vampire</em></span> to
1248 obtain the Accounts database from the PDC and place them into the Samba SAM.
1249 <span class="emphasis"><em>net rpc vampire</em></span> is a Samba function of the "net" command.
1250 </p><p>
1251 Arguments For: It would be a nice solution
1252 </p><p>
1253 Arguments Against: It does not work because Samba-3 does not support the required
1254 protocols. This may become a later feature but is not available today.
1255 </p></li><li><p>
1256 Make use of rsync to replicate (pull down) copies of the essential account files
1257 </p><p>
1258 Arguments For: It is a simple solution, easy to set up as a scheduled job
1259 </p><p>
1260 Arguments Against: This will over-write the locally changed machine trust account
1261 passwords. This is a broken and flawed solution. Do NOT do this.
1262 </p></li><li><p>
1263 Operate with an entirely local accounts database (not recommended)
1264 </p><p>
1265 Arguments For: Simple, easy to maintain
1266 </p><p>
1267 Arguments Against: All machine trust accounts and user accounts will be locally
1268 maintained. Domain users will NOT be able to roam from office to office. This is
1269 a broken and flawed solution. Do NOT do this.
1270 </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2871494"></a>Essential Background Information</h2></div></div><div></div></div><p>
A Domain Controller is a machine that is able to answer logon requests from network
workstations. Microsoft LanManager and IBM LanServer were two early products that
provided this capability. The technology has become known as the LanMan Netlogon service.
</p><p>
When MS Windows NT3.10 was first released, it supported a new style of Domain Control
and with it a new form of the network logon service that has extended functionality.
This service became known as the NT NetLogon Service. The nature of this service has
changed with the evolution of MS Windows NT and today provides a very complex array of
services that are implemented over a complex spectrum of technologies.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2871522"></a>MS Windows NT4 Style Domain Control</h3></div></div><div></div></div><p>
Whenever a user logs into a Windows NT4 / 200x / XP Professional Workstation,
the workstation connects to a Domain Controller (authentication server) to validate
that the username and password the user entered are correct. If the information entered
does not validate against the account information that has been stored in the Domain
Control database (the SAM, or Security Account Manager database), then a set of error
codes is returned to the workstation that made the authentication request.
</p><p>
When the username / password pair has been validated, the Domain Controller
(authentication server) responds with a full enumeration of the account information
that has been stored regarding that user in the User and Machine Accounts database
for that Domain. This information contains a complete network access profile for
the user but excludes any information that is particular to the user's desktop profile,
and likewise excludes all desktop profiles for groups that the user may
belong to. It does include password time limits, password uniqueness controls,
network access time limits, account validity information, machine names from which the
user may access the network, and much more. All this information was stored in the SAM
in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0).
</p><p>
The account information (user and machine) on Domain Controllers is stored in two files,
one containing the Security information and the other the SAM. These are stored in files
by the same name in the <tt class="filename">C:\WinNT\System32\config</tt> directory. These
are the files that are involved in replication of the SAM database where Backup Domain
Controllers are present on the network.
</p><p>
There are two situations in which it is desirable to install Backup Domain Controllers:
</p><div class="itemizedlist"><ul type="disc"><li><p>
On the local network that the Primary Domain Controller is on, if there are many
workstations and/or where the PDC is generally very busy. In this case the BDCs
will pick up network logon requests and help to add robustness to network services.
</p></li><li><p>
At each remote site, to reduce wide area network traffic and to add stability to
remote network operations. The design of the network, the strategic placement of
Backup Domain Controllers, together with an implementation that localises as much
of the network-to-client interchange as possible, will help to minimise wide area network
bandwidth needs (and thus costs).
</p></li></ul></div><p>
The PDC contains the master copy of the SAM. In the event that an administrator makes a
change to the user account database while physically present on the local network that
has the PDC, the change will likely be made directly to the PDC instance of the master
copy of the SAM. If instead the update is performed in a branch office, the
change will likely be stored in a delta file on the local BDC. The BDC will then send
a trigger to the PDC to commence the process of SAM synchronisation. The PDC will then
request the delta from the BDC and apply it to the master SAM. The PDC will then contact
all the BDCs in the Domain and trigger them to obtain the update and then apply that to
their own copy of the SAM.
</p><p>
Thus the BDC is said to hold a <span class="emphasis"><em>read-only</em></span> copy of the SAM from which
it is able to process network logon requests and to authenticate users. The BDC can
continue to provide this service, particularly while, for example, the wide area
network link to the PDC is down. Thus a BDC plays a very important role in both
maintenance of Domain security as well as in network integrity.
</p><p>
In the event that the PDC should need to be taken out of service, or if it dies, then
one of the BDCs can be promoted to a PDC. If this happens while the original PDC is
online then it is automatically demoted to a BDC. This is an important aspect of Domain
Controller management. The tool that is used to effect a promotion or a demotion is the
Server Manager for Domains.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2871673"></a>Example PDC Configuration</h4></div></div><div></div></div><p>
Since version 2.2 Samba officially supports domain logons for all current Windows Clients,
including Windows NT4, 2003 and XP Professional. For Samba to be enabled as a PDC some
parameters in the <i class="parameter"><tt>[global]</tt></i>-section of the <tt class="filename">smb.conf</tt> have to be set:
</p><div class="example"><a name="id2871704"></a><p class="title"><b>Example 6.1. Minimal smb.conf for being a PDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = yes</tt></i></td></tr></table></div><p>
Several other things like a <i class="parameter"><tt>[homes]</tt></i> and a
<i class="parameter"><tt>[netlogon]</tt></i> share also need to be set along with
settings for the profile path, the users' home drive, etc. This will not be covered in this
chapter; for more information please refer to <a href="#samba-pdc" title="Chapter 5. Domain Control">the chapter about Samba as a PDC</a>.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2871772"></a>Active Directory Domain Control</h3></div></div><div></div></div><p>
As of the release of MS Windows 2000 and Active Directory, this information is now stored
in a directory that can be replicated and for which partial or full administrative control
can be delegated. Samba-3 is NOT able to be a Domain Controller within an Active Directory
tree, and it can not be an Active Directory server. This means that Samba-3 also can NOT
act as a Backup Domain Controller to an Active Directory Domain Controller.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2871793"></a>What qualifies a Domain Controller on the network?</h3></div></div><div></div></div><p>
Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS
group name SAMBA&lt;#1c&gt; with the WINS server and/or by broadcast on the local network.
The PDC also registers the unique NetBIOS name SAMBA&lt;#1b&gt; with the WINS server.
The &lt;#1b&gt; name type is normally reserved for the Domain Master Browser, a role
that has nothing to do with authentication, but the Microsoft Domain
implementation requires the domain master browser to be on the same machine as the PDC.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2871819"></a>How does a Workstation find its domain controller?</h3></div></div><div></div></div><p>
An MS Windows NT4 / 200x / XP Professional workstation in the domain SAMBA that wants a
local user to be authenticated has to find the domain controller for SAMBA. It does this
by doing a NetBIOS name query for the group name SAMBA&lt;#1c&gt;. It assumes that each
of the machines it gets back from the query is a domain controller and can answer logon
requests. To avoid opening security holes, both the workstation and the selected domain controller
authenticate each other. After that the workstation sends the user's credentials (name and
password) to the local Domain Controller for validation.
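</p><p>
As an added illustration of the name registration and lookup just described (example code written for this edit, not part of the Samba HOWTO or of Samba), the following Python encodes and decodes NetBIOS names in the first-level encoding that name registration and name query packets carry, and lists which names a Samba DC registers depending on <i class="parameter"><tt>domain master</tt></i>. The suffix bytes 0x1c and 0x1b are the two the text names; the workgroup SAMBA is the text's own example and the helper names are constructed.
</p><p>
```python
"""Added example, not part of the Samba HOWTO: encode and decode the
NetBIOS names a Domain Controller registers.

A NetBIOS name is 15 characters padded with spaces plus one suffix byte:
0x1c for the Domain Controllers group name (SAMBA #1c in the text) and
0x1b for the unique Domain Master Browser name (SAMBA #1b).  On the wire
(RFC 1001/1002 "first-level encoding") each of the 16 bytes is split into
two nibbles and each nibble is added to 'A', giving a 32-letter label.
"""

DC_GROUP = 0x1c        # group name: every DC of the domain registers it
DOMAIN_MASTER = 0x1b   # unique name: registered by the PDC only

ENCODED_ALPHABET = "ABCDEFGHIJKLMNOP"   # one letter per nibble value 0..15


def netbios_name_bytes(name, suffix):
    """Return the 16-byte NetBIOS name: upper-cased, space padded, suffix last."""
    name = name.upper()
    if len(name) not in range(1, 16):
        raise ValueError("NetBIOS names are 1 to 15 characters")
    return name.ljust(15).encode("ascii") + bytes([suffix])


def encode_first_level(name, suffix):
    """First-level encoding used in NetBIOS name registration and query packets."""
    letters = []
    for byte in netbios_name_bytes(name, suffix):
        high, low = divmod(byte, 16)
        letters.append(ENCODED_ALPHABET[high])
        letters.append(ENCODED_ALPHABET[low])
    return "".join(letters)


def decode_first_level(label):
    """Inverse of encode_first_level: returns (name, suffix)."""
    if len(label) != 32 or any(c not in ENCODED_ALPHABET for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(
        ENCODED_ALPHABET.index(label[i]) * 16 + ENCODED_ALPHABET.index(label[i + 1])
        for i in range(0, 32, 2)
    )
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def names_to_register(workgroup, domain_master):
    """Names a Samba DC registers, per the HOWTO: every DC registers
    WORKGROUP #1c; only the PDC (domain master = yes) also registers the
    unique WORKGROUP #1b."""
    names = [(workgroup.upper(), DC_GROUP)]
    if domain_master:
        names.append((workgroup.upper(), DOMAIN_MASTER))
    return names


def logon_server_lookup(workgroup):
    """The label a workstation puts in its name query when it looks for a
    domain controller: the group name WORKGROUP #1c."""
    return encode_first_level(workgroup, DC_GROUP)


if __name__ == "__main__":
    # Constructed demo using the domain name from the HOWTO's own text
    for name, suffix in names_to_register("SAMBA", domain_master=True):
        print("%-15s suffix 0x%02x : %s" % (name, suffix, encode_first_level(name, suffix)))
```
</p><p>
Run stand-alone, the block prints the 32-letter labels for SAMBA&lt;#1c&gt; and SAMBA&lt;#1b&gt;. A packet capture of a workstation's logon lookup carries the first of these as plain ASCII in the query name field, which is a quick way to confirm that a BDC answers for the group name only and is not also claiming the unique &lt;#1b&gt; name that belongs to the PDC.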
1368 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2871833"></a>Backup Domain Controller Configuration</h2></div></div><div></div></div><p>
Several things have to be done:
</p><div class="itemizedlist"><ul type="disc"><li><p>
The domain SID has to be the same on the PDC and the BDC. This used to
be stored in the file private/MACHINE.SID. This file is not created
since Samba 2.2.5. Nowadays the domain SID is stored in the file
private/secrets.tdb. Simply copying the secrets.tdb
from the PDC to the BDC does not work, as the BDC would
generate a new SID for itself and overwrite the domain SID with this
new BDC SID.</p><p>
To retrieve the domain SID from the PDC or an existing BDC and store it in the
secrets.tdb, execute:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc getsid</tt></b>
</pre></li><li><p>
The UNIX user database has to be synchronized from the PDC to the
BDC. This means that both the /etc/passwd and /etc/group have to be
replicated from the PDC to the BDC. This can be done manually
whenever changes are made, or the PDC is set up as a NIS master
server and the BDC as a NIS slave server. To set up the BDC as a
mere NIS client would not be enough, as the BDC would not be able to
access its user database in case of a PDC failure. NIS is by no means
the only method to synchronize passwords. An LDAP solution would work
as well.
</p></li><li><p>
The Samba password database has to be replicated from the PDC to the BDC.
As said above, though it is possible to synchronise the <tt class="filename">smbpasswd</tt>
file with rsync and ssh, this method is broken and flawed, and is
therefore not recommended. A better solution is to set up slave LDAP
servers for each BDC and a master LDAP server for the PDC.
</p></li><li><p>
Any netlogon share has to be replicated from the PDC to the
BDC. This can be done manually whenever login scripts are changed,
or it can be done automatically together with the smbpasswd
synchronization.
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2871968"></a>Example Configuration</h3></div></div><div></div></div><p>
Finally, the BDC has to be found by the workstations. This can be done by setting:
</p><div class="example"><a name="id2871983"></a><p class="title"><b>Example 6.2. Minimal setup for being a BDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap backend = ldapsam://slave-ldap.quenya.org</tt></i></td></tr></table></div><p>
in the <i class="parameter"><tt>[global]</tt></i>-section of the <tt class="filename">smb.conf</tt> of the BDC. This makes the BDC
register only the name SAMBA&lt;#1c&gt; with the WINS server. This is no
problem as the name SAMBA&lt;#1c&gt; is a NetBIOS group name that is meant to
be registered by more than one machine. The parameter
<a class="indexterm" name="id2872052"></a><i class="parameter"><tt>domain master</tt></i> = no
forces the BDC not to register SAMBA&lt;#1b&gt;, which as a unique NetBIOS
name is reserved for the Primary Domain Controller.
</p><p>
The <i class="parameter"><tt>idmap backend</tt></i> will redirect the <b class="command">winbindd</b> utility to
use the LDAP database to resolve all UIDs and GIDs for UNIX accounts.
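</p><p>
As an added check (example code written for this edit, not part of the Samba HOWTO or of Samba itself), the following Python reads a PDC and a BDC <tt class="filename">smb.conf</tt> and reports violations of the rules this chapter states: matching workgroup, <i class="parameter"><tt>domain master</tt></i> yes on the PDC and no on the BDC, <i class="parameter"><tt>domain logons</tt></i> on both, and <i class="parameter"><tt>idmap backend</tt></i> only alongside an ldapsam passdb backend. The sample configurations are constructed: they follow Examples 6.1 and 6.2 but add an assumed <i class="parameter"><tt>passdb backend</tt></i> line, and the LDAP host names are made up.
</p><p>
```python
"""Added example, not part of the Samba HOWTO or of Samba: check a PDC
and a BDC smb.conf pair against the rules this chapter states.

smb.conf is ini-style, so configparser can read it.  Interpolation is
disabled because Samba values contain %U, %m and similar macros, and
only '=' separates names from values because LDAP URLs contain ':'.
"""
import configparser

# Constructed sample configurations modelled on Examples 6.1 and 6.2,
# with an assumed ldapsam passdb backend; the host names are made up.
PDC_CONF = """
[global]
workgroup = MIDEARTH
domain master = yes
domain logons = yes
passdb backend = ldapsam:ldap://master-ldap.example.org
idmap backend = ldapsam:ldap://master-ldap.example.org
"""

BDC_CONF = """
[global]
workgroup = MIDEARTH
domain master = no
domain logons = yes
passdb backend = ldapsam:ldap://slave-ldap.example.org
idmap backend = ldapsam:ldap://slave-ldap.example.org
"""

# A BDC that would fight the PDC for the unique 1b name and that sets
# idmap backend without an LDAP SAM, which the chapter's note forbids.
BROKEN_BDC_CONF = """
[global]
workgroup = midearth
Domain Master = yes
domain logons = yes
passdb backend = tdbsam
idmap backend = ldapsam:ldap://slave-ldap.example.org
"""


def parse_global(text):
    """Return the [global] section as a dict.  Samba ignores case and
    whitespace in parameter names, so keys are folded the same way."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {name.replace(" ", "").lower(): value.strip()
            for name, value in cp.items("global")}


def is_yes(value):
    return value.lower() in ("yes", "true", "1")


def check_domain_controllers(pdc_text, bdc_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    pdc, bdc = parse_global(pdc_text), parse_global(bdc_text)
    problems = []
    if pdc.get("workgroup", "").upper() != bdc.get("workgroup", "").upper():
        problems.append("workgroup differs between PDC and BDC")
    if not is_yes(pdc.get("domainmaster", "no")):
        problems.append("PDC must set domain master = yes to register the unique 1b name")
    if is_yes(bdc.get("domainmaster", "no")):
        problems.append("BDC must set domain master = no, the unique 1b name belongs to the PDC")
    for role, conf in (("PDC", pdc), ("BDC", bdc)):
        if not is_yes(conf.get("domainlogons", "no")):
            problems.append("%s must set domain logons = yes" % role)
        if "idmapbackend" in conf and not conf.get("passdbbackend", "").startswith("ldapsam"):
            problems.append("%s sets idmap backend without an ldapsam passdb backend" % role)
    return problems


if __name__ == "__main__":
    print("good pair:", check_domain_controllers(PDC_CONF, BDC_CONF) or "no problems")
    for problem in check_domain_controllers(PDC_CONF, BROKEN_BDC_CONF):
        print("broken BDC:", problem)
```
</p><p>
The check is deliberately strict about the BDC's <i class="parameter"><tt>domain master</tt></i> setting: two machines both claiming the unique &lt;#1b&gt; name produce intermittent logon failures that are hard to trace back to a configuration line, so it is cheaper to catch in a file check than on the network.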
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Samba-3 has introduced a new ID mapping facility. One of the features of this facility is that it
allows greater flexibility in how user and group IDs are handled in respect of NT Domain User and Group
SIDs. One of the new facilities provides for explicitly ensuring that UNIX / Linux UID and GID values
will be consistent on the PDC, all BDCs and all Domain Member servers. The parameter that controls this
is called <i class="parameter"><tt>idmap backend</tt></i>. Please refer to the man page for <tt class="filename">smb.conf</tt> for more information
regarding its behaviour. Do NOT set this parameter except where an LDAP backend (ldapsam) is in use.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2872125"></a>Common Errors</h2></div></div><div></div></div><p>
As this is a rather new area for Samba there are not many examples that we may refer to. Keep
watching for updates to this section.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2872138"></a>Machine Accounts keep expiring, what can I do?</h3></div></div><div></div></div><p>
This problem will occur when the passdb (SAM) files are copied from a central
server to the local Backup Domain Controllers. Local machine trust account password updates
are not copied back to the central server. The newer machine account password is then over
written when the SAM is copied from the PDC. The result is that the Domain member machine
on start up will find that its password does not match the one now in the database and,
since the startup security check will now fail, this machine will not allow logon attempts
to proceed and the account expiry error will be reported.
</p><p>
The solution: use a more robust passdb backend, such as the ldapsam backend, setting up
a slave LDAP server for each BDC, and a master LDAP server for the PDC.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2872169"></a>Can Samba be a Backup Domain Controller to an NT4 PDC?</h3></div></div><div></div></div><p>
With version 2.2, no. The native NT4 SAM replication protocols have not yet been fully
implemented. The Samba Team is working on understanding and implementing the protocols,
but this work has not been finished for Samba-3.
</p><p>
Can I get the benefits of a BDC with Samba? Yes, but only to a Samba PDC. The main reason for implementing a
BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to
service logon requests whenever the PDC is down.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2872196"></a>How do I replicate the smbpasswd file?</h3></div></div><div></div></div><p>
Replication of the smbpasswd file is sensitive. It has to be done whenever changes
to the SAM are made. Every user's password change is done in the smbpasswd file and
has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary.
</p><p>
As the smbpasswd file contains plain text password equivalents, it must not be
sent unencrypted over the wire. The best way to set up smbpasswd replication from
the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
ssh itself can be set up to accept <span class="emphasis"><em>only</em></span> rsync transfers without requiring the user
to type a password.
</p><p>
As said a few times before, use of this method is broken and flawed. Machine trust
accounts will go out of sync, resulting in a very broken domain. This method is
<span class="emphasis"><em>not</em></span> recommended. Try using LDAP instead.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2872240"></a>Can I do this all with LDAP?</h3></div></div><div></div></div><p>
The simple answer is YES. Samba's pdb_ldap code supports binding to a replica
LDAP server, and will also follow referrals and rebind to the master if it ever
needs to make a modification to the database. (Normally BDCs are read only, so
this will not occur often.)
1464 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="domain-member"></a>Chapter 7. Domain Membership</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a 
href="#id2872448">Features and Benefits</a></dt><dt><a href="#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt><a href="#id2872769">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="#id2873061">Using NT4 Server Manager to Add Machine Accounts to the Domain</a></dt><dt><a href="#id2873276">"On-the-Fly" Creation of Machine Trust Accounts</a></dt><dt><a href="#id2873347">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="#domain-member-server">Domain Member Server</a></dt><dd><dl><dt><a href="#id2873558">Joining an NT4 type Domain with Samba-3</a></dt><dt><a href="#id2873995">Why is this better than security = server?</a></dt></dl></dd><dt><a href="#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="#id2874178">Setup your smb.conf</a></dt><dt><a href="#id2874307">Setup your /etc/krb5.conf</a></dt><dt><a href="#ads-create-machine-account">Create the computer account</a></dt><dt><a href="#ads-test-server">Test your server setup</a></dt><dt><a href="#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="#id2874683">Notes</a></dt></dl></dd><dt><a href="#id2874706">Common Errors</a></dt><dd><dl><dt><a href="#id2874732">Can Not Add Machine Back to Domain</a></dt><dt><a href="#id2874764">Adding Machine to Domain Fails</a></dt></dl></dd></dl></div><p>
Domain Membership is a subject of vital concern: Samba must be able to
participate as a member server in a Microsoft Domain security context, and
Samba must be capable of providing Domain machine member trust accounts;
otherwise it would not be capable of offering a viable option for many users.
</p><p>
This chapter covers background information pertaining to domain membership,
Samba configuration for it, and MS Windows client procedures for joining a
domain. Why is this necessary? Because in both of these areas there exists,
within the current MS Windows networking world and particularly in the
UNIX/Linux networking and administration world, a considerable level of
misinformation, incorrect understanding, and a lack of knowledge. Hopefully
this chapter will fill the voids.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2872448"></a>Features and Benefits</h2></div></div><div></div></div><p>
MS Windows workstations and servers that want to participate in domain security need to
be made Domain members. Participating in Domain security is often called
<span class="emphasis"><em>Single Sign On</em></span> or <span class="acronym">SSO</span> for short. This
chapter describes the process that must be followed to make a workstation
(or another server - be it an <span class="application">MS Windows NT4 / 200x</span>
server) or a Samba server a member of an MS Windows Domain security context.
</p><p>
Samba-3 can join an MS Windows NT4 style domain as a native member server, an
MS Windows Active Directory Domain as a native member server, or a Samba Domain
Control network.
</p><p>
Domain membership has many advantages:
</p><div class="itemizedlist"><ul type="disc"><li><p>
MS Windows workstation users get the benefit of SSO
</p></li><li><p>
Domain user access rights and file ownership / access controls can be set
from the single Domain SAM (Security Account Manager) database
(works with Domain member servers as well as with MS Windows workstations
that are domain members)
</p></li><li><p>
Only <span class="application">MS Windows NT4 / 200x / XP Professional</span>
workstations that are Domain members can use network logon facilities
</p></li><li><p>
Domain Member workstations can be better controlled through the use of
Policy files (<tt class="filename">NTConfig.POL</tt>) and Desktop Profiles.
</p></li><li><p>
Through the use of logon scripts, users can be given transparent access to network
applications that run off application servers
</p></li><li><p>
Network administrators gain better application and user access management
abilities because there is no need to maintain user accounts on any network
client or server, other than the central Domain database
(either an NT4/Samba SAM style Domain, an NT4 Domain that is backed by an
LDAP directory, or an Active Directory infrastructure)
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="machine-trust-accounts"></a>MS Windows Workstation/Server Machine Trust Accounts</h2></div></div><div></div></div><a class="indexterm" name="id2872579"></a><p>
A machine trust account is an account that is used to authenticate a client
machine (rather than a user) to the Domain Controller server. In Windows terminology,
this is known as a "Computer Account."
</p><p>
The password of a machine trust account acts as the shared secret for
secure communication with the Domain Controller. This is a security
feature to prevent an unauthorized machine with the same NetBIOS name
from joining the domain and gaining access to domain user/group
accounts. Windows NT, 200x, XP Professional clients use machine trust
accounts, but Windows 9x / Me / XP Home clients do not. Hence, a
Windows 9x / Me / XP Home client is never a true member of a domain
because it does not possess a machine trust account, and thus has no
shared secret with the domain controller.
</p><p>
A Windows NT4 PDC stores each machine trust account in the Windows Registry.
With MS Windows 2000 came Active Directory, the new repository for
machine trust accounts.
</p><p>
A Samba PDC, however, stores each machine trust account in two parts,
as follows:
</p><div class="itemizedlist"><ul type="disc"><li><p>
A Domain Security Account (stored in the
<a class="indexterm" name="id2872629"></a><i class="parameter"><tt>passdb backend</tt></i> that has been configured in the
<tt class="filename">smb.conf</tt> file). The precise nature of the account information that is
stored depends on the type of backend database that has been chosen.
</p><p>
The older format of this data is the <tt class="filename">smbpasswd</tt> database
which contains the UNIX login ID, the UNIX user identifier (UID), and the
LanMan and NT encrypted passwords. There is also some other information in
this file that we do not need to concern ourselves with here.
</p><p>
The two newer database types are called <span class="emphasis"><em>ldapsam</em></span> and
<span class="emphasis"><em>tdbsam</em></span>. Both store considerably more data than the
older <tt class="filename">smbpasswd</tt> file did. The extra information
enables new user account controls to be used.
</p></li><li><p>
A corresponding UNIX account, typically stored in
<tt class="filename">/etc/passwd</tt>. Work is in progress to allow a
simplified mode of operation that does not require UNIX user accounts, but
this may not be a feature of the early releases of Samba-3.
</p></li></ul></div><a class="indexterm" name="id2872712"></a><p>
There are three ways to create machine trust accounts:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Manual creation from the UNIX/Linux command line. Here, both the Samba and
corresponding UNIX account are created by hand.
</p></li><li><p>
<a class="indexterm" name="id2872744"></a>
Using the MS Windows NT4 Server Manager (either from an NT4 Domain member
server, or using the Nexus toolkit available from the Microsoft web site).
This tool can be run from any MS Windows machine so long as the user is
logged on as the administrator account.
</p></li><li><p>
"On-the-fly" creation. The Samba machine trust account is automatically
created by Samba at the time the client is joined to the domain.
(For security, this is the recommended method.) The corresponding UNIX
account may be created automatically or manually.
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2872769"></a>Manual Creation of Machine Trust Accounts</h3></div></div><div></div></div><p>
The first step in manually creating a machine trust account is to manually
create the corresponding UNIX account in <tt class="filename">/etc/passwd</tt>.
This can be done using <b class="command">vipw</b> or another 'add user' command
that is normally used to create new UNIX accounts. The following is an example for a Linux based Samba server:
<a class="indexterm" name="id2872799"></a>
<a class="indexterm" name="id2872808"></a>
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/sbin/useradd -g 100 -d /dev/null -c <i class="replaceable"><tt>"machine nickname"</tt></i> \
-s /bin/false <i class="replaceable"><tt>machine_name</tt></i>$</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>passwd -l <i class="replaceable"><tt>machine_name</tt></i>$</tt></b>
</pre><p>
<a class="indexterm" name="id2872869"></a>
On *BSD systems, this can be done using the <b class="command">chpass</b> utility:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>chpass -a \
"<i class="replaceable"><tt>machine_name</tt></i>$:*:101:100::0:0:Workstation <i class="replaceable"><tt>machine_name</tt></i>:/dev/null:/sbin/nologin"</tt></b>
</pre><p>
1598 The <tt class="filename">/etc/passwd</tt> entry will list the machine name
1599 with a "$" appended, won't have a password, will have a null shell and no
1600 home directory. For example a machine named 'doppy' would have an
1601 <tt class="filename">/etc/passwd</tt> entry like this:
1602 </p><pre class="programlisting">
1603 doppy$:x:505:100:<i class="replaceable"><tt>machine_nickname</tt></i>:/dev/null:/bin/false
1604 </pre><p>
1605 Above, <i class="replaceable"><tt>machine_nickname</tt></i> can be any
1606 descriptive name for the client, i.e., BasementComputer.
1607 <i class="replaceable"><tt>machine_name</tt></i> absolutely must be the NetBIOS
1608 name of the client to be joined to the domain. The "$" must be
1609 appended to the NetBIOS name of the client or Samba will not recognize
1610 this as a machine trust account.
1611 </p><p>
1612 Now that the corresponding UNIX account has been created, the next step is to create
1613 the Samba account for the client containing the well-known initial
1614 machine trust account password. This can be done using the
1615 <b class="command">smbpasswd</b> command
1616 as shown here:
1617 </p><p>
1618 </p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -a -m <i class="replaceable"><tt>machine_name</tt></i></tt></b>
1620 </pre><p>
1621 </p><p>
1622 where <i class="replaceable"><tt>machine_name</tt></i> is the machine's NetBIOS
1623 name. The RID of the new machine account is generated from the UID of
1624 the corresponding UNIX account.
1625 </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Join the client to the domain immediately</h3><p>
Manually creating a machine trust account using this method is the
equivalent of creating a machine trust account on a Windows NT PDC using
<a class="indexterm" name="id2873036"></a>
the <span class="application">Server Manager</span>. From the time at which the
account is created to the time at which the client joins the domain and
changes the password, your domain is vulnerable to an intruder joining
your domain using a machine with the same NetBIOS name, because the initial
password is predictable. A PDC inherently
trusts members of the domain and will serve a large amount of user
information to such clients. You have been warned!
1635 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2873061"></a>Using NT4 Server Manager to Add Machine Accounts to the Domain</h3></div></div><div></div></div><p>
If the machine from which you are trying to manage the domain is an
<span class="application">MS Windows NT4 workstation or MS Windows 200x / XP Professional</span>
then the tool of choice is the package called <b class="command">SRVTOOLS.EXE</b>.
When executed in the target directory this will unpack <b class="command">SrvMgr.exe</b>
and <b class="command">UsrMgr.exe</b> (both are domain management tools for MS Windows NT4 workstation).
1641 </p><p>
1642 If your workstation is a <span class="application">Microsoft Windows 9x/Me</span> family product
1643 you should download the <b class="command">Nexus.exe</b> package from the Microsoft web site.
1644 When executed from the target directory this will unpack the same tools but for use on
1645 this platform.
1646 </p><p>
1647 Further information about these tools may be obtained from the following locations:
1648 <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;173673" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;173673</a>
1649 <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;172540" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;172540</a>
1650 </p><p>
1651 Launch the <b class="command">srvmgr.exe</b> (Server Manager for Domains) and follow these steps:
</p><div class="procedure"><p class="title"><b>Procedure 7.1. Server Manager Machine Account Management</b></p><ol type="1"><li><p>
1653 From the menu select <span class="guimenu">Computer</span>
1654 </p></li><li><p>
1655 Click on <span class="guimenuitem">Select Domain</span>
1656 </p></li><li><p>
1657 Click on the name of the domain you wish to administer in the
1658 <span class="guilabel">Select Domain</span> panel and then click
1659 <span class="guibutton">OK</span>.
1660 </p></li><li><p>
1661 Again from the menu select <span class="guimenu">Computer</span>
1662 </p></li><li><p>
1663 Select <span class="guimenuitem">Add to Domain</span>
1664 </p></li><li><p>
In the dialog box, click on the radio button to
<span class="guilabel">Add NT Workstation or Server</span>, then
enter the machine name in the field provided, then click the
<span class="guibutton">Add</span> button.
1669 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2873276"></a>"On-the-Fly" Creation of Machine Trust Accounts</h3></div></div><div></div></div><p>
1670 The second (and recommended) way of creating machine trust accounts is
1671 simply to allow the Samba server to create them as needed when the client
1672 is joined to the domain.
1673 </p><p>Since each Samba machine trust account requires a corresponding UNIX account, a method
1674 for automatically creating the UNIX account is usually supplied; this requires configuration of the
1675 add machine script option in
1676 <tt class="filename">smb.conf</tt>. This method is not required, however; corresponding UNIX
1677 accounts may also be created manually.
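</p><p>
Both the manual procedure above (<b class="command">useradd</b>, <b class="command">passwd -l</b>,
<b class="command">smbpasswd -a -m</b>) and the <i class="parameter"><tt>add machine script</tt></i> that follows
depend on the UNIX account having the right shape. The POSIX shell script below is an added example and is
not part of the Samba documentation or of Samba itself: it validates the NetBIOS name that smbd passes as
<tt class="constant">%u</tt> (the same restrictions that make <b class="command">useradd</b> fail in the
Common Errors section later in this chapter), creates the UNIX account only if it does not already exist,
and checks an <tt class="filename">/etc/passwd</tt> line for the properties a machine trust account must have.
The script path <tt class="filename">/usr/local/sbin/add-machine.sh</tt>, group 100 and
<tt class="filename">/bin/false</tt> are this example's own choices.
</p>
```shell
#!/bin/sh
# Added example, not Samba project code: create the UNIX side of a machine
# trust account. Usable by hand, or from smb.conf as
#   add machine script = /usr/local/sbin/add-machine.sh %u
# (the script path, gid 100 and /bin/false are this example's choices).

# Print the UNIX account name for a client's NetBIOS name: lower case with the
# trailing '$' that marks a machine trust account. A '$' already supplied by
# the caller (smbd passes %u as 'name$') is accepted and not doubled.
machine_account_name() {
    name=$(printf '%s' "$1" | sed 's/\$$//' | tr '[:upper:]' '[:lower:]')
    # NetBIOS names are at most 15 characters; useradd on some systems rejects
    # upper case and spaces, so only letters, digits, '-' and '_' are allowed.
    case "$name" in
        '' | *[!a-z0-9_-]*) return 1 ;;
    esac
    [ ${#name} -le 15 ] || return 1
    printf '%s$\n' "$name"
}

# Check one /etc/passwd line for the shape a machine trust account must have:
# name ending in '$', /dev/null as home directory, a shell nobody can log in with.
passwd_entry_is_machine() {
    printf '%s\n' "$1" | {
        IFS=: read -r user _pw _uid _gid _gecos home shell
        case "$user" in *\$) ;; *) exit 1 ;; esac
        [ "$home" = /dev/null ] || exit 1
        case "$shell" in
            /bin/false | /sbin/nologin | /usr/sbin/nologin) exit 0 ;;
            *) exit 1 ;;
        esac
    }
}

# Create the UNIX account if it does not exist, then lock its password.
# Returning 0 for an existing account keeps a retried join from failing here.
add_machine_account() {
    acct=$(machine_account_name "$1") || {
        echo "refusing '$1': not a usable NetBIOS name" >&2
        return 1
    }
    if getent passwd "$acct" >/dev/null 2>&1; then
        return 0
    fi
    /usr/sbin/useradd -g 100 -d /dev/null -s /bin/false -M -c "machine $1" "$acct" &&
        passwd -l "$acct" >/dev/null
}

# smbd (or the administrator) passes the NetBIOS name as the first argument.
if [ $# -gt 0 ]; then
    add_machine_account "$1"
fi
```
<p>
Run by hand as <b class="command">add-machine.sh doppy</b> it creates <tt class="constant">doppy$</tt> exactly as
the manual steps above do, minus the <b class="command">smbpasswd</b> step: when the script is used as the
<i class="parameter"><tt>add machine script</tt></i> the join itself creates the Samba account, and for the manual
method you follow it with <b class="command">smbpasswd -a -m doppy</b>.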
1678 </p><p>
1679 Below is an example for a RedHat Linux system.
1680 </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td># &lt;...remainder of parameters...&gt;</td></tr><tr><td><i class="parameter"><tt>add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2873347"></a>Making an MS Windows Workstation or Server a Domain Member</h3></div></div><div></div></div><p>
The procedure for making an MS Windows workstation or server a member of the domain varies
with the version of Windows:
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2873360"></a>Windows 200x/XP Professional</h4></div></div><div></div></div><p>
1684 When the user elects to make the client a domain member, Windows 200x prompts for
1685 an account and password that has privileges to create machine accounts in the domain.
1686 A Samba administrative account (i.e., a Samba account that has root privileges on the
1687 Samba server) must be entered here; the operation will fail if an ordinary user
1688 account is given.
1689 </p><p>
Note: For security reasons the Samba password of this administrative account should
not be the same as the UNIX root password held in
<tt class="filename">/etc/passwd</tt> or <tt class="filename">/etc/shadow</tt>.
1693 </p><p>
The name of the account that is used to create domain member machine accounts can be
anything the network administrator may choose. If it is other than <span class="emphasis"><em>root</em></span>
then this is easily mapped to root using the file pointed to by the <tt class="filename">smb.conf</tt> parameter
<a class="indexterm" name="id2873412"></a><i class="parameter"><tt>username map</tt></i> = /etc/samba/smbusers.
1698 </p><p>
1699 The session key of the Samba administrative account acts as an
1700 encryption key for setting the password of the machine trust
1701 account. The machine trust account will be created on-the-fly, or
1702 updated if it already exists.
1703 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2873436"></a>Windows NT4</h4></div></div><div></div></div><p>
1704 If the machine trust account was created manually, on the
1705 Identification Changes menu enter the domain name, but do not
1706 check the box <span class="guilabel">Create a Computer Account in the Domain</span>.
1707 In this case, the existing machine trust account is used to join the machine
1708 to the domain.
1709 </p><p>
1710 If the machine trust account is to be created
1711 on-the-fly, on the Identification Changes menu enter the domain
1712 name, and check the box <span class="guilabel">Create a Computer Account in the
1713 Domain</span>. In this case, joining the domain proceeds as above
1714 for Windows 2000 (i.e., you must supply a Samba administrative account when
1715 prompted).
1716 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2873477"></a>Samba</h4></div></div><div></div></div><p>Joining a Samba client to a domain is documented in
1717 <a href="#domain-member-server" title="Domain Member Server">the domain member chapter</a>.
1718 </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domain-member-server"></a>Domain Member Server</h2></div></div><div></div></div><p>
1719 This mode of server operation involves the Samba machine being made a member
1720 of a domain security context. This means by definition that all user
1721 authentication will be done from a centrally defined authentication regime.
1722 The authentication regime may come from an NT3/4 style (old domain technology)
1723 server, or it may be provided from an Active Directory server (ADS) running on
1724 MS Windows 2000 or later.
1725 </p><p>
1726 <span class="emphasis"><em>
1727 Of course it should be clear that the authentication back end itself could be
1728 from any distributed directory architecture server that is supported by Samba.
This can be LDAP (from OpenLDAP), Sun's iPlanet, Novell's NetWare Directory
Services (NDS), etc.
1731 </em></span>
1732 </p><p>
1733 Please refer to <a href="#samba-pdc" title="Chapter 5. Domain Control">the chapter on setting up a PDC</a>
1734 for more information regarding how to create a domain
1735 machine account for a domain member server as well as for information
1736 regarding how to enable the Samba domain member machine to join the domain and
1737 to be fully trusted by it.
1738 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2873558"></a>Joining an NT4 type Domain with Samba-3</h3></div></div><div></div></div><p>
1739 </p><div class="table"><a name="id2873569"></a><p class="title"><b>Table 7.1. Assumptions</b></p><table summary="Assumptions" border="1"><colgroup><col><col></colgroup><tbody><tr><td align="left">NetBIOS name:</td><td align="left">SERV1</td></tr><tr><td align="left">Win2K/NT domain name:</td><td align="left">MIDEARTH</td></tr><tr><td align="left">Domain's PDC NetBIOS name:</td><td align="left">DOMPDC</td></tr><tr><td align="left">Domain's BDC NetBIOS names:</td><td align="left">DOMBDC1 and DOMBDC2</td></tr></tbody></table></div><p>
1740 </p><p>
1741 First, you must edit your <tt class="filename">smb.conf</tt> file to tell Samba it should
1742 now use domain security.
1743 </p><p>
1744 Change (or add) your
1745 <a class="indexterm" name="id2873642"></a><i class="parameter"><tt>security</tt></i> line in the [global] section
1746 of your <tt class="filename">smb.conf</tt> to read:
1747 </p><p>
1748 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = domain</tt></i></td></tr></table><p>
1749 </p><p>
1750 Next change the <a class="indexterm" name="id2873686"></a><i class="parameter"><tt>workgroup</tt></i> line in the <i class="parameter"><tt>[global]</tt></i>
1751 section to read:
1752 </p><p>
1753 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr></table><p>
1754 </p><p>
1755 as this is the name of the domain we are joining.
1756 </p><p>
1757 You must also have the parameter
1758 <a class="indexterm" name="id2873735"></a><i class="parameter"><tt>encrypt passwords</tt></i> set to <tt class="constant">yes
1759 </tt> in order for your users to authenticate to the NT PDC.
1760 </p><p>
1761 Finally, add (or modify) a <a class="indexterm" name="id2873760"></a><i class="parameter"><tt>password server</tt></i> line in the [global]
1762 section to read:
1763 </p><p>
1764 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>password server = DOMPDC DOMBDC1 DOMBDC2</tt></i></td></tr></table><p>
1765 </p><p>
1766 These are the primary and backup domain controllers Samba
1767 will attempt to contact in order to authenticate users. Samba will
1768 try to contact each of these servers in order, so you may want to
1769 rearrange this list in order to spread out the authentication load
1770 among domain controllers.
1771 </p><p>
1772 Alternatively, if you want smbd to automatically determine
1773 the list of Domain controllers to use for authentication, you may
1774 set this line to be:
1775 </p><p>
1776 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>password server = *</tt></i></td></tr></table><p>
1777 </p><p>
1778 This method allows Samba to use exactly the same mechanism that NT does. This
1779 method either broadcasts or uses a WINS database in order to
1780 find domain controllers to authenticate against.
1781 </p><p>
1782 In order to actually join the domain, you must run this command:
1783 </p><p>
1784 </p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc join -S DOMPDC -U<i class="replaceable"><tt>Administrator%password</tt></i></tt></b>
1786 </pre><p>
1787 </p><p>
If the <tt class="option">-S DOMPDC</tt> argument is not given, <b class="command">net</b> takes the
domain name from the <i class="parameter"><tt>workgroup</tt></i> line in <tt class="filename">smb.conf</tt>
and locates a domain controller for it itself.
1790 </p><p>
As we are joining the domain MIDEARTH and the PDC for that domain
(the only machine that has write access to the domain SAM database)
is DOMPDC, we use it for the <tt class="option">-S</tt> option.
The <i class="replaceable"><tt>Administrator%password</tt></i> is
the login name and password for an account which has the necessary
privilege to add machines to the domain. If this is successful
you will see the message:
</p><p>
<tt class="computeroutput">Joined domain MIDEARTH.</tt>
(when joining an Active Directory domain with <b class="command">net ads join</b> the message
reads <tt class="computeroutput">Joined 'SERV1' to realm 'MYREALM'</tt> instead)
1801 </p><p>
1802 in your terminal window. See the
1803 <b class="command">net</b> man page for more details.
1804 </p><p>
1805 This process joins the server to the domain without having to create the machine
1806 trust account on the PDC beforehand.
1807 </p><p>
1808 This command goes through the machine account password
1809 change protocol, then writes the new (random) machine account
1810 password for this Samba server into a file in the same directory
1811 in which an smbpasswd file would be stored - normally:
1812 </p><p>
1813 <tt class="filename">/usr/local/samba/private/secrets.tdb</tt>
1814 </p><p>
1815 This file is created and owned by root and is not
1816 readable by any other user. It is the key to the domain-level
1817 security for your system, and should be treated as carefully
1818 as a shadow password file.
1819 </p><p>
1820 Finally, restart your Samba daemons and get ready for
1821 clients to begin using domain security! The way you can restart your
1822 samba daemons depends on your distribution, but in most cases running
1823 </p><pre class="screen">
<tt class="prompt">root# </tt>/etc/init.d/samba restart
1825 </pre><p>
1826 does the job.
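</p><p>
Before running <b class="command">net rpc join</b>, and again afterwards, a practitioner wants to confirm
that the <tt class="constant">[global]</tt> settings this section requires are really in effect and that
<tt class="filename">secrets.tdb</tt> ended up root-owned and unreadable by anyone else. The POSIX shell
below is an added example, not part of the Samba documentation or of Samba itself: it reads an
<tt class="filename">smb.conf</tt> the way Samba matches parameter names (case-insensitively, ignoring the
blanks inside a name), checks <i class="parameter"><tt>security</tt></i>, <i class="parameter"><tt>workgroup</tt></i>,
<i class="parameter"><tt>encrypt passwords</tt></i> and <i class="parameter"><tt>password server</tt></i>, and
checks the ownership and mode of <tt class="filename">secrets.tdb</tt>. The two embedded configurations are
constructed for this example; the default path <tt class="filename">/usr/local/samba/private/secrets.tdb</tt>
is the one this section names.
</p>
```shell
#!/bin/sh
# Added example, not Samba project code: pre- and post-join checks for a
# Samba-3 domain member server (security = domain).

# Constructed sample configurations for this example (not from a real host).
GOOD_CONF='[global]
    workgroup = MIDEARTH
    security = domain
    Encrypt Passwords = Yes
    password server = DOMPDC DOMBDC1 DOMBDC2
[homes]
    read only = no
'
BAD_CONF='[global]
    workgroup = MIDEARTH
    security = server
    encrypt passwords = no
'

# Print the value of one [global] parameter from an smb.conf read on stdin
# (empty if absent). Samba compares parameter names case-insensitively and
# ignores the blanks inside them, so "Encrypt Passwords" and
# "encryptpasswords" name the same parameter; the last definition wins.
smbconf_global_get() {
    want=$(printf '%s' "$1" | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^[#;]/d' -e '/^$/d' | {
        section=; value=
        while IFS= read -r line; do
            case "$line" in
                \[*\]) section=${line#\[}; section=${section%\]}
                       section=$(printf '%s' "$section" | tr '[:upper:]' '[:lower:]')
                       continue ;;
                *=*)   ;;
                *)     continue ;;
            esac
            [ "$section" = global ] || continue
            key=$(printf '%s' "${line%%=*}" | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
            [ "$key" = "$want" ] || continue
            value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        done
        printf '%s\n' "$value"
    }
}

# Check the [global] settings this section requires. The configuration text
# is passed as one argument, e.g. "$(cat /etc/samba/smb.conf)".
domain_member_conf_check() {
    conf=$1 rc=0
    sec=$(printf '%s\n' "$conf" | smbconf_global_get security | tr '[:upper:]' '[:lower:]')
    [ "$sec" = domain ] || { echo "security = '${sec:-unset}', must be 'domain'" >&2; rc=1; }
    wg=$(printf '%s\n' "$conf" | smbconf_global_get workgroup)
    [ -n "$wg" ] || { echo "workgroup is not set; it must be the domain name" >&2; rc=1; }
    enc=$(printf '%s\n' "$conf" | smbconf_global_get 'encrypt passwords' | tr '[:upper:]' '[:lower:]')
    case "$enc" in
        yes | true | 1) ;;
        *) echo "encrypt passwords must be yes (is '${enc:-unset}')" >&2; rc=1 ;;
    esac
    ps=$(printf '%s\n' "$conf" | smbconf_global_get 'password server')
    [ -n "$ps" ] || echo "note: no password server line; list your DCs or use '*'" >&2
    return $rc
}

# True when a file grants no permission at all to group or others
# (portable: reads the mode string from ls rather than a stat(1) variant).
file_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = '------' ]
}

# secrets.tdb holds the machine account password: it must exist after the
# join, belong to root and be as private as a shadow password file.
secrets_tdb_check() {
    f=${1:-/usr/local/samba/private/secrets.tdb}
    [ -f "$f" ] || { echo "$f: missing (has 'net rpc join' run?)" >&2; return 1; }
    owner=$(ls -ld "$f" | awk '{ print $3 }')
    [ "$owner" = root ] || { echo "$f: owned by $owner, not root" >&2; return 1; }
    file_is_private "$f" || { echo "$f: readable by group or others" >&2; return 1; }
}

# Usage: member-check.sh /etc/samba/smb.conf [/path/to/secrets.tdb]
if [ $# -gt 0 ]; then
    domain_member_conf_check "$(cat "$1")" && secrets_tdb_check "${2:-}"
fi
```
<p>
Run <b class="command">domain_member_conf_check "$(cat /etc/samba/smb.conf)"</b> before the join and
<b class="command">secrets_tdb_check</b> after it; a non-zero exit with a message on stderr names the setting or
permission to fix. Parameters outside <tt class="constant">[global]</tt> are deliberately ignored, since only that
section controls domain membership.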
1827 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2873995"></a>Why is this better than security = server?</h3></div></div><div></div></div><p>
1828 Currently, domain security in Samba doesn't free you from
1829 having to create local UNIX users to represent the users attaching
1830 to your server. This means that if domain user <tt class="constant">DOM\fred
1831 </tt> attaches to your domain security Samba server, there needs
1832 to be a local UNIX user fred to represent that user in the UNIX
1833 filesystem. This is very similar to the older Samba security mode
1834 security = server,
1835 where Samba would pass through the authentication request to a Windows
1836 NT server in the same way as a Windows 95 or Windows 98 server would.
1837 </p><p>
1838 Please refer to <a href="#winbind" title="Chapter 21. Winbind: Use of Domain Accounts">the chapter on winbind</a> for information on a system
1839 to automatically assign UNIX uids and gids to Windows NT Domain users and groups.
1840 </p><p>
1841 The advantage to domain-level security is that the
1842 authentication in domain-level security is passed down the authenticated
1843 RPC channel in exactly the same way that an NT server would do it. This
1844 means Samba servers now participate in domain trust relationships in
1845 exactly the same way NT servers do (i.e., you can add Samba servers into
1846 a resource domain and have the authentication passed on from a resource
1847 domain PDC to an account domain PDC).
1848 </p><p>
1849 In addition, with <a class="indexterm" name="id2874050"></a><i class="parameter"><tt>security</tt></i> = server every Samba
1850 daemon on a server has to keep a connection open to the
1851 authenticating server for as long as that daemon lasts. This can drain
1852 the connection resources on a Microsoft NT server and cause it to run
1853 out of available connections. With <a class="indexterm" name="id2874069"></a><i class="parameter"><tt>security</tt></i> = domain,
1854 however, the Samba daemons connect to the PDC/BDC only for as long
1855 as is necessary to authenticate the user, and then drop the connection,
1856 thus conserving PDC connection resources.
1857 </p><p>
1858 And finally, acting in the same manner as an NT server
1859 authenticating to a PDC means that as part of the authentication
1860 reply, the Samba server gets the user identification information such
1861 as the user SID, the list of NT groups the user belongs to, etc.
1862 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1863 Much of the text of this document
1864 was first published in the Web magazine
1865 <a href="http://www.linuxworld.com" target="_top">LinuxWorld</a> as the article <a href="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html" target="_top">Doing
1866 the NIS/NT Samba</a>.
1867 </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ads-member"></a>Samba ADS Domain Membership</h2></div></div><div></div></div><a class="indexterm" name="id2874135"></a><a class="indexterm" name="id2874144"></a><a class="indexterm" name="id2874155"></a><a class="indexterm" name="id2874163"></a><p>
1868 This is a rough guide to setting up Samba 3.0 with Kerberos authentication against a
1869 Windows2000 KDC. A familiarity with Kerberos is assumed.
1870 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2874178"></a>Setup your <tt class="filename">smb.conf</tt></h3></div></div><div></div></div><p>
1871 You must use at least the following 3 options in <tt class="filename">smb.conf</tt>:
1872 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>realm = your.kerberos.REALM</tt></i></td></tr><tr><td><i class="parameter"><tt>security = ADS</tt></i></td></tr><tr><td><i class="parameter"><tt>encrypt passwords = yes</tt></i></td></tr></table><p>
If Samba cannot locate your ADS server from the realm name, use the
<a class="indexterm" name="id2874239"></a><i class="parameter"><tt>ads server</tt></i> option in <tt class="filename">smb.conf</tt>:
1875 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>ads server = your.kerberos.server</tt></i></td></tr></table><p>
1876 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1877 You do <span class="emphasis"><em>not</em></span> need a smbpasswd file, and older clients will be authenticated as
1878 if <a class="indexterm" name="id2874286"></a><i class="parameter"><tt>security</tt></i> = domain, although it won't do any harm and
1879 allows you to have local users not in the domain. It is expected that the above
1880 required options will change soon when active directory integration will get
1881 better.
1882 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2874307"></a>Setup your <tt class="filename">/etc/krb5.conf</tt></h3></div></div><div></div></div><p>
1883 The minimal configuration for <tt class="filename">krb5.conf</tt> is:
</p><pre class="programlisting">
[libdefaults]
	default_realm = YOUR.KERBEROS.REALM

[realms]
	YOUR.KERBEROS.REALM = {
		kdc = your.kerberos.server
	}
</pre><a class="indexterm" name="id2874343"></a><p>
1893 Test your config by doing a <b class="userinput"><tt>kinit
1894 <i class="replaceable"><tt>USERNAME</tt></i>@<i class="replaceable"><tt>REALM</tt></i></tt></b> and
1895 making sure that your password is accepted by the Win2000 KDC.
1896 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1897 The realm must be uppercase or you will get <span class="errorname">Cannot find KDC for
1898 requested realm while getting initial credentials</span> error (Kerberos
1899 is case-sensitive!).
1900 </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1901 Time between the two servers must be synchronized. You will get a
1902 <span class="errorname">kinit(v5): Clock skew too great while getting initial credentials</span>
1903 if the time difference is more than five minutes.
1904 </p></div><p>
1905 You also must ensure that you can do a reverse DNS lookup on the IP
1906 address of your KDC. Also, the name that this reverse lookup maps to
1907 must either be the NetBIOS name of the KDC (ie. the hostname with no
1908 domain attached) or it can alternatively be the NetBIOS name
1909 followed by the realm.
1910 </p><p>
1911 The easiest way to ensure you get this right is to add a
1912 <tt class="filename">/etc/hosts</tt> entry mapping the IP address of your KDC to
1913 its NetBIOS name. If you don't get this right then you will get a
1914 <span class="errorname">local error</span> when you try to join the realm.
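</p><p>
The notes above name three ways a join fails before it starts: a realm that is not upper case, a clock
skew of more than five minutes, and a KDC whose reverse lookup does not yield its NetBIOS name. The POSIX
shell below is an added example, not from the Samba documentation or the Samba project: it turns those
three rules into checks that can run before <b class="command">net ads join</b>, and renders the minimal
<tt class="filename">krb5.conf</tt> from the previous section with its braces balanced. The function names,
the sample realm MIDEARTH.EXAMPLE.COM and the host dompdc used when testing it are this example's own; the
rules are the ones stated on this page.
</p>
```shell
#!/bin/sh
# Added example, not Samba project code: pre-flight checks for the three
# failure modes described above before running 'net ads join'.

# Kerberos is case-sensitive and a Windows realm name is upper case; a
# lower-case realm produces "Cannot find KDC for requested realm".
realm_ok() {
    case "$1" in
        '' | *[!A-Z0-9.-]* | .* | *.) return 1 ;;
    esac
}

# Kerberos rejects more than five minutes (300 s) of skew with "Clock skew
# too great". Arguments: local clock and KDC clock, both as epoch seconds.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( -skew )); fi
    [ "$skew" -le 300 ]
}

# The name the KDC's address reverse-resolves to must be its NetBIOS name
# (bare hostname) or that name followed by the realm; anything else ends the
# join with "local error". Case-insensitive, trailing dot ignored.
kdc_ptr_ok() {  # args: reverse-lookup name, KDC NetBIOS name, realm
    ptr=$(printf '%s' "${1%.}" | tr '[:upper:]' '[:lower:]')
    nb=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    [ "$ptr" = "$nb" ] || [ "$ptr" = "$nb.$realm" ]
}

# Live version of the check above using the system resolver (and therefore
# /etc/hosts, where the fix usually goes); not exercised offline.
kdc_ptr_check_live() {  # args: KDC IP address, KDC NetBIOS name, realm
    ptr=$(getent hosts "$1" | awk '{ print $2; exit }')
    if [ -z "$ptr" ]; then
        echo "no reverse lookup for $1; add it to /etc/hosts as $2" >&2
        return 1
    fi
    kdc_ptr_ok "$ptr" "$2" "$3"
}

# Emit the minimal krb5.conf for a realm and its KDC, braces balanced.
krb5_conf_minimal() {  # args: realm, KDC host name
    realm_ok "$1" || return 1
    printf '[libdefaults]\n\tdefault_realm = %s\n\n[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n' \
        "$1" "$1" "$2"
}

# Usage: ads-preflight.sh REALM KDC_HOSTNAME KDC_IP
if [ $# -eq 3 ]; then
    rc=0
    realm_ok "$1" || { echo "realm '$1' must be upper case" >&2; rc=1; }
    kdc_ptr_check_live "$3" "${2%%.*}" "$1" || rc=1
    krb5_conf_minimal "$1" "$2"
    exit $rc
fi
```
<p>
With three arguments (realm, KDC host name, KDC address) the script checks the realm, reverse-resolves the
KDC's address and prints the <tt class="filename">krb5.conf</tt> to install. The clock comparison is left as a
function because the KDC's time has to come from the KDC itself (for example from
<b class="command">net time -S</b>), not from this host.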
1915 </p><p>
1916 If all you want is Kerberos support in <span class="application">smbclient</span> then you can skip
1917 straight to <a href="#ads-test-smbclient" title="Testing with smbclient">Test with <span class="application">smbclient</span></a> now.
1918 <a href="#ads-create-machine-account" title="Create the computer account">Creating a computer account</a>
1919 and <a href="#ads-test-server" title="Test your server setup">testing your servers</a>
1920 is only needed if you want Kerberos support for <span class="application">smbd</span> and <span class="application">winbindd</span>.
1921 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-create-machine-account"></a>Create the computer account</h3></div></div><div></div></div><p>
1922 As a user that has write permission on the Samba private directory
1923 (usually root) run:
1924 </p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>net ads join -U Administrator%password</tt></b>
1926 </pre><p>
1927 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2874526"></a>Possible errors</h4></div></div><div></div></div><p>
1928 </p><div class="variablelist"><dl><dt><span class="term"><span class="errorname">ADS support not compiled in</span></span></dt><dd><p>Samba must be reconfigured (remove config.cache) and recompiled
1929 (make clean all install) after the Kerberos libs and headers are installed.
1930 </p></dd><dt><span class="term"><span class="errorname">net ads join prompts for user name</span></span></dt><dd><p>You need to login to the domain using <b class="userinput"><tt>kinit
1931 <i class="replaceable"><tt>USERNAME</tt></i>@<i class="replaceable"><tt>REALM</tt></i></tt></b>.
1932 <i class="replaceable"><tt>USERNAME</tt></i> must be a user who has rights to add a machine
1933 to the domain. </p></dd></dl></div><p>
1934 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-server"></a>Test your server setup</h3></div></div><div></div></div><p>
If the join was successful, you will see a new computer account with the
NetBIOS name of your Samba server in Active Directory (in the "Computers"
folder under Users and Computers).
1938 </p><p>
On a Windows 2000 client try <b class="userinput"><tt>net use * \\server\share</tt></b>. You should
be logged in with Kerberos without needing to know a password. If
this fails then run <b class="userinput"><tt>klist tickets</tt></b>. Did you get a ticket for the
server? Does it have an encryption type of DES-CBC-MD5?
1943 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-smbclient"></a>Testing with <span class="application">smbclient</span></h3></div></div><div></div></div><a class="indexterm" name="id2874651"></a><p>
1944 On your Samba server try to login to a Win2000 server or your Samba
1945 server using <span class="application">smbclient</span> and Kerberos. Use <span class="application">smbclient</span> as usual, but
1946 specify the <tt class="option">-k</tt> option to choose Kerberos authentication.
1947 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2874683"></a>Notes</h3></div></div><div></div></div><p>
You must change the Administrator password at least once after the DC
is installed, so that keys of the right encryption types are created.
</p><p>
Windows 2000 does not seem to create the _kerberos._udp and _ldap._tcp SRV records in
its default DNS setup. Maybe this will be fixed later in service packs.
1953 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2874706"></a>Common Errors</h2></div></div><div></div></div><p>
In the process of adding / deleting / re-adding domain member machine accounts there are
many traps for the unwary player and there are many &#8220;<span class="quote">little</span>&#8221; things that can go wrong.
It is particularly interesting how often subscribers on the samba mailing list have concluded
after repeated failed attempts to add a machine account that it is necessary to "re-install"
MS Windows on the machine. In truth, it is seldom necessary to reinstall because of this type
of problem. The real solution is often very simple and, with an understanding of how MS Windows
networking functions, easy to arrive at.
1961 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2874732"></a>Can Not Add Machine Back to Domain</h3></div></div><div></div></div><p>
1962 &#8220;<span class="quote"> A Windows workstation was reinstalled. The original domain machine
1963 account was deleted and added immediately. The workstation will not join the domain if I use
1964 the same machine name. Attempts to add the machine fail with a message that the machine already
1965 exists on the network - I know it doesn't. Why is this failing?</span>&#8221;
1966 </p><p>
1967 The original name is still in the NetBIOS name cache and must expire after machine account
1968 deletion BEFORE adding that same name as a domain member again. The best advice is to delete
1969 the old account and then to add the machine with a new name.
1970 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2874764"></a>Adding Machine to Domain Fails</h3></div></div><div></div></div><p>
1971 &#8220;<span class="quote">Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a
1972 message that, <span class="errorname">The machine could not be added at this time, there is a network problem.
1973 Please try again later.</span> Why?</span>&#8221;
1974 </p><p>
You should check that there is an <a class="indexterm" name="id2874791"></a><i class="parameter"><tt>add machine script</tt></i> in your <tt class="filename">smb.conf</tt>
file. If there is not, please add one that is appropriate for your OS platform. If a script
has been defined you will need to debug its operation. Increase the <a class="indexterm" name="id2874816"></a><i class="parameter"><tt>log level</tt></i>
in the <tt class="filename">smb.conf</tt> file to level 10, then try to rejoin the domain. Check the logs to see which
operation is failing.
1980 </p><p>
1981 Possible causes include:
1982 </p><div class="itemizedlist"><ul type="disc"><li><p>
1983 The script does not actually exist, or could not be located in the path specified.
1984 </p><p>
<span class="emphasis"><em>Corrective Action:</em></span> Fix it. Make sure that, when run manually
with a machine name as its argument, the script adds both the UNIX system account _and_ the Samba SAM account.
1987 </p></li><li><p>
1988 The machine could not be added to the UNIX system accounts file <tt class="filename">/etc/passwd</tt>
1989 </p><p>
<span class="emphasis"><em>Corrective Action:</em></span> Check that the machine name is a legal UNIX
system account name, e.g., if the UNIX utility <b class="command">useradd</b> is called
then make sure that the machine name you are trying to add can be added using this
tool. <b class="command">useradd</b> on some systems will not allow any upper case characters
nor will it allow spaces in the name.
1995 </p></li></ul></div></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="StandAloneServer"></a>Chapter 8. Stand-Alone Servers</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2874966">Features and Benefits</a></dt><dt><a href="#id2875004">Background</a></dt><dt><a href="#id2875078">Example Configuration</a></dt><dd><dl><dt><a href="#RefDocServer">Reference Documentation Server</a></dt><dt><a href="#SimplePrintServer">Central Print Serving</a></dt></dl></dd><dt><a href="#id2875598">Common Errors</a></dt></dl></div><p>
1996 Stand-Alone servers are independent of Domain Controllers on the network.
1997 They are NOT domain members and function more like workgroup servers. In many
1998 cases a stand-alone server is configured with a minimum of security control
1999 with the intent that all data served will be readily accessible to all users.
2000 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2874966"></a>Features and Benefits</h2></div></div><div></div></div><p>
2001 Stand-Alone servers can be as secure or as insecure as needs dictate. They can
2002 have simple or complex configurations. Above all, despite the hoopla about
2003 Domain security they remain a very common installation.
2004 </p><p>
If all that is needed is a server for read-only files, or for
printers alone, it may not make sense to effect a complex installation.
For example: A drafting office needs to store old drawings and reference
standards. No-one can write files to the server as it is legislatively
important that all documents remain unaltered. A share mode read-only stand-alone
server is an ideal solution.
2011 </p><p>
Another situation that warrants simplicity is an office that has many printers
that are queued off a single central server. Everyone needs to be able to print
to the printers, there is no need to apply any access controls and no files will
be served from the print server. Again a share mode stand-alone server makes
a great solution.
2017 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2875004"></a>Background</h2></div></div><div></div></div><p>
2018 The term <span class="emphasis"><em>stand-alone server</em></span> means that the server
2019 will provide local authentication and access control for all resources
2020 that are available from it. In general this means that there will be a
2021 local user database. In more technical terms, it means that resources
2022 on the machine will be made available in either SHARE mode or in
2023 USER mode.
2024 </p><p>
2025 No special action is needed other than to create user accounts. Stand-alone
2026 servers do NOT provide network logon services. This means that machines that
2027 use this server do NOT perform a domain logon to it. Whatever logon facility
2028 the workstations are subject to is independent of this machine. It is however
2029 necessary to accommodate any network user so that the logon name they use will
2030 be translated (mapped) locally on the stand-alone server to a locally known
2031 user name. There are several ways this can be done.
2032 </p><p>
2033 Samba tends to blur the distinction a little in respect of what is
2034 a stand-alone server. This is because the authentication database may be
2035 local or on a remote server, even if from the Samba protocol perspective
2036 the Samba server is NOT a member of a domain security context.
2037 </p><p>
2038 Through the use of PAM (Pluggable Authentication Modules) and nsswitch
2039 (the name service switch, which controls where the UNIX user database is looked up) the source of authentication may reside on
2040 another server. We would be inclined to call this the authentication server.
2041 This means that the Samba server may use the local UNIX/Linux system password database
2042 (<tt class="filename">/etc/passwd</tt> or <tt class="filename">/etc/shadow</tt>), a
2043 local smbpasswd file, an LDAP back end, or even, via PAM and Winbind, another CIFS/SMB server
2044 for authentication.
2045 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2875078"></a>Example Configuration</h2></div></div><div></div></div><p>
2046 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2875078"></a>Example Configuration</h2></div></div><div></div></div><p>
2047 The following examples are designed to inspire simplicity. It is too easy to
2048 attempt a high level of creativity and to introduce too much complexity in
2049 server and network design.
2050 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="RefDocServer"></a>Reference Documentation Server</h3></div></div><div></div></div><p>
2051 Configuration of a read-only data server that EVERYONE can access is very simple.
2052 Here is the smb.conf file that will do this. Assume that all the reference documents
2053 are stored in the directory /export, that the documents are owned by a user other than
2054 nobody, that no home directories are shared, and that there are no users in the <tt class="filename">/etc/passwd</tt>
2055 UNIX system database. This is a very simple system to administer.
2056 </p><div class="example"><a name="id2875123"></a><p class="title"><b>Example 8.1. smb.conf for Reference Documentation Server</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = GANDALF</tt></i></td></tr><tr><td><i class="parameter"><tt>security = SHARE</tt></i></td></tr><tr><td><i class="parameter"><tt>passdb backend = guest</tt></i></td></tr><tr><td><i class="parameter"><tt>wins server = 192.168.1.1</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[data]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Data</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /export</tt></i></td></tr><tr><td><i class="parameter"><tt>guest only = Yes</tt></i></td></tr></table></div><p>
2057 In the above example the machine name is set to REFDOCS, and the workgroup is set to the name
2058 of the local workgroup so that the machine will appear alongside the systems users are familiar
2059 with. The only password backend required is the "guest" backend, which allows the default
2060 unprivileged account to be used. Given that there is a WINS server on this network,
2061 we use it.
2062 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="SimplePrintServer"></a>Central Print Serving</h3></div></div><div></div></div><p>
2063 Configuration of a simple print server is very simple if you have all the right tools
2064 on your system.
2065 </p><div class="orderedlist"><p class="title"><b> Assumptions:</b></p><ol type="1"><li><p>
2066 The print server must require no administration
2067 </p></li><li><p>
2068 The print spooling and processing system on our print server will be CUPS.
2069 (Please refer to <a href="#CUPS-printing" title="Chapter 19. CUPS Printing Support in Samba 3.0">the chapter about CUPS</a> for more information).
2070 </p></li><li><p>
2071 All printers that the print server will service will be network
2072 printers. They will be correctly configured, by the administrator,
2073 in the CUPS environment.
2074 </p></li><li><p>
2075 All workstations will be installed using postscript drivers. The printer
2076 of choice is the Apple Color LaserWriter.
2077 </p></li></ol></div><p>
2078 In this example our print server will spool all incoming print jobs to
2079 <tt class="filename">/var/spool/samba</tt> until the job is ready to be submitted by
2080 Samba to the CUPS print processor. Since all incoming connections will be as
2081 the anonymous (guest) user, two things will be required:
2082 </p><div class="itemizedlist"><p class="title"><b>Enabling Anonymous Printing</b></p><ul type="disc"><li><p>
2083 The UNIX/Linux system must have a <b class="command">guest</b> account.
2084 The default for this is usually the account <b class="command">nobody</b>.
2085 To find the correct name to use for your version of Samba do the
2086 following:
2087 </p><pre class="screen">
2088 <tt class="prompt">$ </tt><b class="userinput"><tt>testparm -s -v | grep "guest account"</tt></b>
2089 </pre><p>
2090 Then make sure that this account exists in your system password
2091 database (<tt class="filename">/etc/passwd</tt>).
2092 </p></li><li><p>
2093 The directory into which Samba will spool the file must have write
2094 access for the guest account. The following commands will ensure that
2095 this directory is available for use:
2096 </p><pre class="screen">
2097 <tt class="prompt">root# </tt><b class="userinput"><tt>mkdir /var/spool/samba</tt></b>
2098 <tt class="prompt">root# </tt><b class="userinput"><tt>chown nobody:nobody /var/spool/samba</tt></b>
2099 <tt class="prompt">root# </tt><b class="userinput"><tt>chmod a+rwt /var/spool/samba</tt></b>
2100 </pre><p>
2101 </p></li></ul></div><p>
2102 </p><div class="example"><a name="id2875442"></a><p class="title"><b>Example 8.2. smb.conf for anonymous printing</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = GANDALF</tt></i></td></tr><tr><td><i class="parameter"><tt>security = SHARE</tt></i></td></tr><tr><td><i class="parameter"><tt>passdb backend = guest</tt></i></td></tr><tr><td><i class="parameter"><tt>wins server = noldor</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = cups</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap name = cups</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = All Printers</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = root</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>use client driver = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = No</tt></i></td></tr></table></div><p>
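As an added example (not part of the Samba HOWTO), the following POSIX sh script checks the two preconditions just described: that the guest account reported by testparm exists in the system password database, and that the spool directory is owned by that account with the mode 1777 that the commands above produce. The script name check_anon_print.sh, the sample testparm and passwd text, and the use of a temporary directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Samba HOWTO: verify the two preconditions for
# anonymous printing on a share-mode stand-alone server.
#  1. the Samba "guest account" has an entry in the password database;
#  2. the spool directory is owned by that account and has mode 1777
#     (drwxrwxrwt, what "chmod a+rwt /var/spool/samba" produces).
# Assumptions: testparm output is in the "key = value" form printed by
# "testparm -s -v"; the passwd database is a file in /etc/passwd format.

# Print the value of "guest account" from testparm -s -v output read on stdin.
guest_account_from_testparm() {
    sed -n 's/^[[:space:]]*guest account[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Succeed if account $1 has an entry in passwd-format file $2.
account_exists() {
    grep -q "^$1:" "$2"
}

# Succeed if directory $1 is owned by $2 and is world writable with the sticky
# bit set, so that users cannot remove each other's spooled jobs.
spool_dir_ok() {
    _dir=$1
    _owner=$2
    [ -d "$_dir" ] || return 1
    # ls -ld fields: mode links owner group size date... name
    set -- $(ls -ld "$_dir")
    _mode=$(printf '%s' "$1" | cut -c1-10)   # drop a trailing ACL/SELinux marker
    [ "$3" = "$_owner" ] && [ "$_mode" = "drwxrwxrwt" ]
}

# Run both checks: testparm -s -v output on stdin, $1 passwd file, $2 spool dir.
# Prints one line per check and returns the number of failed checks.
check_anonymous_printing() {
    _passwd=$1
    _spool=$2
    _failed=0
    _guest=$(guest_account_from_testparm)
    if [ -z "$_guest" ]; then
        echo "FAIL: no 'guest account' line in testparm output"
        return 1
    fi
    echo "guest account = $_guest"
    if account_exists "$_guest" "$_passwd"; then
        echo "OK:   $_guest exists in $_passwd"
    else
        echo "FAIL: $_guest is not in $_passwd"
        _failed=$((_failed + 1))
    fi
    if spool_dir_ok "$_spool" "$_guest"; then
        echo "OK:   $_spool is owned by $_guest with mode 1777"
    else
        echo "FAIL: $_spool must be owned by $_guest with mode 1777"
        _failed=$((_failed + 1))
    fi
    return $_failed
}

# Constructed sample of "testparm -s -v" output (only the relevant lines).
SAMPLE_TESTPARM='[global]
	workgroup = MIDEARTH
	security = SHARE
	guest account = nobody
	passdb backend = guest'

# Constructed sample passwd database.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Live use, as root on the print server:
#   testparm -s -v 2>/dev/null | sh check_anon_print.sh /etc/passwd /var/spool/samba
if [ $# -eq 2 ]; then
    check_anonymous_printing "$1" "$2"
fi
```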
2103 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2875598"></a>Common Errors</h2></div></div><div></div></div><p>
2104 The greatest mistake so often made is to make a network configuration too complex.
2105 It pays to use the simplest solution that will meet the needs of the moment.
2106 </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ClientConfig"></a>Chapter 9. MS Windows Network Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2875663">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2875663"></a>Note</h2></div></div><div></div></div><p>
2107 This chapter did not make it into this release.
2108 It is planned for the published release of this document.
2109 </p></div></div></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="optional"></a>Advanced Configuration</h1></div></div><div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id2875691"></a>Valuable Nuts and Bolts Information</h1></div></div><div></div></div><p>
2110 Samba has several features that you might want or might not want to use. The chapters in this part each cover specific Samba features.
2111 </p><div class="toc"><p><b>Table of Contents</b></p><dl><dt>10. <a href="#NetworkBrowsing">Samba / MS Windows Network Browsing Guide</a></dt><dd><dl><dt><a href="#id2875816">Features and Benefits</a></dt><dt><a href="#id2875904">What is Browsing?</a></dt><dt><a href="#id2876217">Discussion</a></dt><dd><dl><dt><a href="#id2876233">NetBIOS over TCP/IP</a></dt><dt><a href="#id2876469">TCP/IP - without NetBIOS</a></dt><dt><a href="#id2876635">DNS and Active Directory</a></dt></dl></dd><dt><a href="#id2876781">How Browsing Functions</a></dt><dd><dl><dt><a href="#DMB">Setting up WORKGROUP Browsing</a></dt><dt><a href="#id2877309">Setting up DOMAIN Browsing</a></dt><dt><a href="#browse-force-master">Forcing Samba to be the master</a></dt><dt><a href="#id2877716">Making Samba the domain master</a></dt><dt><a href="#id2877893">Note about broadcast addresses</a></dt><dt><a href="#id2877911">Multiple interfaces</a></dt><dt><a href="#id2877946">Use of the Remote Announce parameter</a></dt><dt><a href="#id2878104">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="#id2878182">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="#id2878371">Setting up a WINS server</a></dt><dt><a href="#id2878627">WINS Replication</a></dt><dt><a href="#id2878652">Static WINS Entries</a></dt></dl></dd><dt><a href="#id2878737">Helpful Hints</a></dt><dd><dl><dt><a href="#id2878750">Windows Networking Protocols</a></dt><dt><a href="#id2878822">Name Resolution Order</a></dt></dl></dd><dt><a href="#id2878986">Technical Overview of browsing</a></dt><dd><dl><dt><a href="#id2879046">Browsing support in Samba</a></dt><dt><a href="#id2879168">Problem resolution</a></dt><dt><a href="#id2879254">Browsing across subnets</a></dt></dl></dd><dt><a href="#id2879936">Common Errors</a></dt><dd><dl><dt><a href="#id2879950">How can one flush the Samba NetBIOS name cache without restarting Samba?</a></dt><dt><a href="#id2879979">My client reports "This server is not 
configured to list shared resources"</a></dt><dt><a href="#id2880021">I get an Unable to browse the network error</a></dt></dl></dd></dl></dd><dt>11. <a href="#passdb">Account Information Databases</a></dt><dd><dl><dt><a href="#id2880302">Features and Benefits</a></dt><dd><dl><dt><a href="#id2880315">Backwards Compatibility Backends</a></dt><dt><a href="#id2880417">New Backends</a></dt></dl></dd><dt><a href="#id2880590">Technical Information</a></dt><dd><dl><dt><a href="#id2880717">Important Notes About Security</a></dt><dt><a href="#id2880966">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt><a href="#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt></dl></dd><dt><a href="#acctmgmttools">Account Management Tools</a></dt><dd><dl><dt><a href="#id2881151">The smbpasswd Command</a></dt><dt><a href="#id2881423">The pdbedit Command</a></dt></dl></dd><dt><a href="#id2881676">Password Backends</a></dt><dd><dl><dt><a href="#id2881717">Plain Text</a></dt><dt><a href="#id2881758">smbpasswd - Encrypted Password Database</a></dt><dt><a href="#id2881871">tdbsam</a></dt><dt><a href="#id2881898">ldapsam</a></dt><dt><a href="#id2883727">MySQL</a></dt><dt><a href="#XMLpassdb">XML</a></dt></dl></dd><dt><a href="#id2884575">Common Errors</a></dt><dd><dl><dt><a href="#id2884582">Users can not logon</a></dt><dt><a href="#id2884627">Users being added to wrong backend database</a></dt><dt><a href="#id2884738">auth methods does not work</a></dt></dl></dd></dl></dd><dt>12. 
<a href="#groupmapping">Mapping MS Windows and UNIX Groups</a></dt><dd><dl><dt><a href="#id2884967">Features and Benefits</a></dt><dt><a href="#id2885202">Discussion</a></dt><dd><dl><dt><a href="#id2885422">Example Configuration</a></dt></dl></dd><dt><a href="#id2885489">Configuration Scripts</a></dt><dd><dl><dt><a href="#id2885503">Sample smb.conf add group script</a></dt><dt><a href="#id2885582">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="#id2885658">Common Errors</a></dt><dd><dl><dt><a href="#id2885674">Adding Groups Fails</a></dt><dt><a href="#id2885742">Adding MS Windows Groups to MS Windows Groups Fails</a></dt><dt><a href="#id2885768">Adding Domain Users to the Power Users group</a></dt></dl></dd></dl></dd><dt>13. <a href="#AccessControls">File, Directory and Share Access Controls</a></dt><dd><dl><dt><a href="#id2886024">Features and Benefits</a></dt><dt><a href="#id2886154">File System Access Controls</a></dt><dd><dl><dt><a href="#id2886190">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt><a href="#id2886489">Managing Directories</a></dt><dt><a href="#id2886582">File and Directory Access Control</a></dt></dl></dd><dt><a href="#id2886810">Share Definition Access Controls</a></dt><dd><dl><dt><a href="#id2886837">User and Group Based Controls</a></dt><dt><a href="#id2887260">File and Directory Permissions Based Controls</a></dt><dt><a href="#id2887639">Miscellaneous Controls</a></dt></dl></dd><dt><a href="#id2888020">Access Controls on Shares</a></dt><dd><dl><dt><a href="#id2888092">Share Permissions Management</a></dt></dl></dd><dt><a href="#id2888391">MS Windows Access Control Lists and UNIX Interoperability</a></dt><dd><dl><dt><a href="#id2888399">Managing UNIX permissions Using NT Security Dialogs</a></dt><dt><a href="#id2888444">Viewing File Security on a Samba Share</a></dt><dt><a href="#id2888523">Viewing file ownership</a></dt><dt><a href="#id2888655">Viewing File or Directory Permissions</a></dt><dt><a 
href="#id2888889">Modifying file or directory permissions</a></dt><dt><a href="#id2889049">Interaction with the standard Samba create mask
2112 parameters</a></dt><dt><a href="#id2889446">Interaction with the standard Samba file attribute mapping</a></dt></dl></dd><dt><a href="#id2889526">Common Errors</a></dt><dd><dl><dt><a href="#id2889540">Users can not write to a public share</a></dt><dt><a href="#id2889969">I have set force user but Samba still makes root the owner of all the files I touch!</a></dt><dt><a href="#id2890022">MS Word with Samba changes owner of file</a></dt></dl></dd></dl></dd><dt>14. <a href="#locking">File and Record Locking</a></dt><dd><dl><dt><a href="#id2890270">Features and Benefits</a></dt><dt><a href="#id2890336">Discussion</a></dt><dd><dl><dt><a href="#id2890479">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="#id2891158">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="#id2891268">Example Configuration</a></dt></dl></dd><dt><a href="#id2891665">MS Windows Opportunistic Locking and Caching Controls</a></dt><dd><dl><dt><a href="#id2891896">Workstation Service Entries</a></dt><dt><a href="#id2891924">Server Service Entries</a></dt></dl></dd><dt><a href="#id2892003">Persistent Data Corruption</a></dt><dt><a href="#id2892032">Common Errors</a></dt><dd><dl><dt><a href="#id2892106">locking.tdb error messages</a></dt><dt><a href="#id2892144">Problems saving files in MS Office on Windows XP</a></dt><dt><a href="#id2892167">Long delays deleting files over network with XP SP1</a></dt></dl></dd><dt><a href="#id2892198">Additional Reading</a></dt></dl></dd><dt>15. 
<a href="#securing-samba">Securing Samba</a></dt><dd><dl><dt><a href="#id2892365">Introduction</a></dt><dt><a href="#id2892398">Features and Benefits</a></dt><dt><a href="#id2892471">Technical Discussion of Protective Measures and Issues</a></dt><dd><dl><dt><a href="#id2892490">Using host based protection</a></dt><dt><a href="#id2892590">User based protection</a></dt><dt><a href="#id2892650">Using interface protection</a></dt><dt><a href="#id2892717">Using a firewall</a></dt><dt><a href="#id2892774">Using a IPC$ share deny</a></dt><dt><a href="#id2892867">NTLMv2 Security</a></dt></dl></dd><dt><a href="#id2892926">Upgrading Samba</a></dt><dt><a href="#id2892950">Common Errors</a></dt><dd><dl><dt><a href="#id2892968">Smbclient works on localhost, but the network is dead</a></dt><dt><a href="#id2892992">Why can users access home directories of other users?</a></dt></dl></dd></dl></dd><dt>16. <a href="#InterdomainTrusts">Interdomain Trust Relationships</a></dt><dd><dl><dt><a href="#id2893283">Features and Benefits</a></dt><dt><a href="#id2893311">Trust Relationship Background</a></dt><dt><a href="#id2893400">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="#id2893428">Creating an NT4 Domain Trust</a></dt><dt><a href="#id2893500">Completing an NT4 Domain Trust</a></dt><dt><a href="#id2893547">Inter-Domain Trust Facilities</a></dt></dl></dd><dt><a href="#id2893725">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt><a href="#id2893918">Samba as the Trusting Domain</a></dt></dl></dd><dt><a href="#id2894055">NT4-style Domain Trusts with Windows 2000</a></dt><dt><a href="#id2894162">Common Errors</a></dt></dl></dd><dt>17. <a href="#msdfs">Hosting a Microsoft Distributed File System tree on Samba</a></dt><dd><dl><dt><a href="#id2894231">Features and Benefits</a></dt><dt><a href="#id2894506">Common Errors</a></dt></dl></dd><dt>18. 
<a href="#printing">Classical Printing Support</a></dt><dd><dl><dt><a href="#id2894626">Features and Benefits</a></dt><dt><a href="#id2894693">Technical Introduction</a></dt><dd><dl><dt><a href="#id2894730">What happens if you send a Job from a Client</a></dt><dt><a href="#id2894801">Printing Related Configuration Parameters</a></dt><dt><a href="#id2894888">Parameters Recommended for Use</a></dt></dl></dd><dt><a href="#id2895354">A simple Configuration to Print</a></dt><dd><dl><dt><a href="#id2895518">Verification of "Settings in Use" with testparm</a></dt><dt><a href="#id2895606">A little Experiment to warn you</a></dt></dl></dd><dt><a href="#id2895939">Extended Sample Configuration to Print</a></dt><dt><a href="#id2896270">Detailed Explanation of the Example's Settings</a></dt><dd><dl><dt><a href="#id2896282">The [global] Section</a></dt><dt><a href="#id2896767">The [printers] Section</a></dt><dt><a href="#id2897210">Any [my_printer_name] Section</a></dt><dt><a href="#id2897534">Print Commands</a></dt><dt><a href="#id2897592">Default Print Commands for various UNIX Print Subsystems</a></dt><dt><a href="#id2898261">Setting up your own Print Commands</a></dt></dl></dd><dt><a href="#id2898591">Innovations in Samba Printing since 2.2</a></dt><dd><dl><dt><a href="#id2898740">Client Drivers on Samba Server for Point'n'Print</a></dt><dt><a href="#id2898892">The [printer$] Section is removed from Samba 3</a></dt><dt><a href="#id2899004">Creating the [print$] Share</a></dt><dt><a href="#id2899189">Parameters in the [print$] Section</a></dt><dt><a href="#id2899475">Subdirectory Structure in [print$]</a></dt></dl></dd><dt><a href="#id2899643">Installing Drivers into [print$]</a></dt><dd><dl><dt><a href="#id2899736">Setting Drivers for existing Printers with a Client GUI</a></dt><dt><a href="#id2899935">Setting Drivers for existing Printers with
2113 rpcclient</a></dt></dl></dd><dt><a href="#id2901625">Client Driver Install Procedure</a></dt><dd><dl><dt><a href="#id2901643">The first Client Driver Installation</a></dt><dt><a href="#id2901839">IMPORTANT! Setting Device Modes on new Printers</a></dt><dt><a href="#id2902136">Further Client Driver Install Procedures</a></dt><dt><a href="#id2902231">Always make first Client Connection as root or "printer admin"</a></dt></dl></dd><dt><a href="#id2902399">Other Gotchas</a></dt><dd><dl><dt><a href="#id2902431">Setting Default Print Options for the Client Drivers</a></dt><dt><a href="#id2902874">Supporting large Numbers of Printers</a></dt><dt><a href="#id2903177">Adding new Printers with the Windows NT APW</a></dt><dt><a href="#id2903470">Weird Error Message Cannot connect under a
2114 different Name</a></dt><dt><a href="#id2903569">Be careful when assembling Driver Files</a></dt><dt><a href="#id2903854">Samba and Printer Ports</a></dt><dt><a href="#id2903932">Avoiding the most common Misconfigurations of the Client Driver</a></dt></dl></dd><dt><a href="#id2903954">The Imprints Toolset</a></dt><dd><dl><dt><a href="#id2903998">What is Imprints?</a></dt><dt><a href="#id2904040">Creating Printer Driver Packages</a></dt><dt><a href="#id2904059">The Imprints Server</a></dt><dt><a href="#id2904083">The Installation Client</a></dt></dl></dd><dt><a href="#id2904236">Add Network Printers at Logon without User Interaction</a></dt><dt><a href="#id2904556">The addprinter command</a></dt><dt><a href="#id2904602">Migration of "Classical" printing to Samba</a></dt><dt><a href="#id2904779">Publishing Printer Information in Active Directory or LDAP</a></dt><dt><a href="#id2904793">Common Errors</a></dt><dd><dl><dt><a href="#id2904800">I give my root password but I don't get access</a></dt><dt><a href="#id2904834">My printjobs get spooled into the spooling directory, but then get lost</a></dt></dl></dd></dl></dd><dt>19. <a href="#CUPS-printing">CUPS Printing Support in Samba 3.0</a></dt><dd><dl><dt><a href="#id2904970">Introduction</a></dt><dd><dl><dt><a href="#id2904977">Features and Benefits</a></dt><dt><a href="#id2905020">Overview</a></dt></dl></dd><dt><a href="#id2905074">Basic Configuration of CUPS support</a></dt><dd><dl><dt><a href="#id2905167">Linking of smbd with libcups.so</a></dt><dt><a href="#id2905408">Simple smb.conf Settings for CUPS</a></dt><dt><a href="#id2905584">More complex smb.conf Settings for
2115 CUPS</a></dt></dl></dd><dt><a href="#id2905929">Advanced Configuration</a></dt><dd><dl><dt><a href="#id2905949">Central spooling vs. "Peer-to-Peer" printing</a></dt><dt><a href="#id2905999">CUPS/Samba as a "spooling-only" Print Server; "raw" printing
2116 with Vendor Drivers on Windows Clients</a></dt><dt><a href="#id2906051">Driver Installation Methods on Windows Clients</a></dt><dt><a href="#id2906119">Explicitly enable "raw" printing for
2117 application/octet-stream!</a></dt><dt><a href="#id2906306">Three familiar Methods for driver upload plus a new one</a></dt></dl></dd><dt><a href="#id2906432">Using CUPS/Samba in an advanced Way -- intelligent printing
2118 with PostScript Driver Download</a></dt><dd><dl><dt><a href="#gdipost">GDI on Windows -- PostScript on UNIX</a></dt><dt><a href="#id2906600">Windows Drivers, GDI and EMF</a></dt><dt><a href="#id2906741">UNIX Printfile Conversion and GUI Basics</a></dt><dt><a href="#post-and-ghost">PostScript and Ghostscript</a></dt><dt><a href="#id2907029">Ghostscript -- the Software RIP for non-PostScript Printers</a></dt><dt><a href="#id2907154">PostScript Printer Description (PPD) Specification</a></dt><dt><a href="#id2907241">CUPS can use all Windows-formatted Vendor PPDs</a></dt><dt><a href="#id2907348">CUPS also uses PPDs for non-PostScript Printers</a></dt></dl></dd><dt><a href="#id2907370">The CUPS Filtering Architecture</a></dt><dd><dl><dt><a href="#id2907545">MIME types and CUPS Filters</a></dt><dt><a href="#id2907752">MIME type Conversion Rules</a></dt><dt><a href="#id2907903">Filter Requirements</a></dt><dt><a href="#id2908080">Prefilters</a></dt><dt><a href="#id2908183">pstops</a></dt><dt><a href="#id2908292">pstoraster</a></dt><dt><a href="#id2908476">imagetops and imagetoraster</a></dt><dt><a href="#id2908539">rasterto [printers specific]</a></dt><dt><a href="#id2908691">CUPS Backends</a></dt><dt><a href="#id2909039">cupsomatic/Foomatic -- how do they fit into the Picture?</a></dt><dt><a href="#id2909176">The Complete Picture</a></dt><dt><a href="#id2909191">mime.convs</a></dt><dt><a href="#id2909245">"Raw" printing</a></dt><dt><a href="#id2909312">"application/octet-stream" printing</a></dt><dt><a href="#id2909544">PostScript Printer Descriptions (PPDs) for non-PS Printers</a></dt><dt><a href="#id2909807">Difference between cupsomatic/foomatic-rip and
2119 native CUPS printing</a></dt><dt><a href="#id2910018">Examples for filtering Chains</a></dt><dt><a href="#id2910331">Sources of CUPS drivers / PPDs</a></dt><dt><a href="#id2910470">Printing with Interface Scripts</a></dt></dl></dd><dt><a href="#id2910560">Network printing (purely Windows)</a></dt><dd><dl><dt><a href="#id2910577">From Windows Clients to an NT Print Server</a></dt><dt><a href="#id2910632">Driver Execution on the Client</a></dt><dt><a href="#id2910701">Driver Execution on the Server</a></dt></dl></dd><dt><a href="#id2910813">Network Printing (Windows clients -- UNIX/Samba Print
2120 Servers)</a></dt><dd><dl><dt><a href="#id2910833">From Windows Clients to a CUPS/Samba Print Server</a></dt><dt><a href="#id2911043">Samba receiving Jobfiles and passing them to CUPS</a></dt></dl></dd><dt><a href="#id2911125">Network PostScript RIP: CUPS Filters on Server -- clients use
2121 PostScript Driver with CUPS-PPDs</a></dt><dd><dl><dt><a href="#id2911206">PPDs for non-PS Printers on UNIX</a></dt><dt><a href="#id2911255">PPDs for non-PS Printers on Windows</a></dt></dl></dd><dt><a href="#id2911328">Windows Terminal Servers (WTS) as CUPS Clients</a></dt><dd><dl><dt><a href="#id2911345">Printer Drivers running in "Kernel Mode" cause many
2122 Problems</a></dt><dt><a href="#id2911379">Workarounds impose Heavy Limitations</a></dt><dt><a href="#id2911400">CUPS: a "Magical Stone"?</a></dt><dt><a href="#id2911445">PostScript Drivers with no major problems -- even in Kernel
2123 Mode</a></dt></dl></dd><dt><a href="#id2911506">Setting up CUPS for driver Download</a></dt><dd><dl><dt><a href="#id2911524">cupsaddsmb: the unknown Utility</a></dt><dt><a href="#id2911625">Prepare your smb.conf for cupsaddsmb</a></dt><dt><a href="#id2911845">CUPS Package of "PostScript Driver for WinNT/2k/XP"</a></dt><dt><a href="#id2912128">Recognize the different Driver Files</a></dt><dt><a href="#id2912268">Acquiring the Adobe Driver Files</a></dt><dt><a href="#id2912301">ESP Print Pro Package of "PostScript Driver for
2124 WinNT/2k/XP"</a></dt><dt><a href="#id2912362">Caveats to be considered</a></dt><dt><a href="#id2912629">Benefits of using "CUPS PostScript Driver for
2125 Windows NT/2k/XP" instead of Adobe Driver</a></dt><dt><a href="#id2912835">Run "cupsaddsmb" (quiet Mode)</a></dt><dt><a href="#id2912958">Run "cupsaddsmb" with verbose Output</a></dt><dt><a href="#id2913117">Understanding cupsaddsmb</a></dt><dt><a href="#id2913264">How to recognize if cupsaddsmb completed successfully</a></dt><dt><a href="#id2913349">cupsaddsmb with a Samba PDC</a></dt><dt><a href="#id2913427">cupsaddsmb Flowchart</a></dt><dt><a href="#id2913497">Installing the PostScript Driver on a Client</a></dt><dt><a href="#id2913646">Avoiding critical PostScript Driver Settings on the
2126 Client</a></dt></dl></dd><dt><a href="#id2913780">Installing PostScript Driver Files manually (using
rpcclient)</a></dt><dd><dl><dt><a href="#id2913973">A Check of the rpcclient man Page</a></dt><dt><a href="#id2914086">Understanding the rpcclient man page</a></dt><dt><a href="#id2914186">Producing an Example by querying a Windows Box</a></dt><dt><a href="#id2914333">What is required for adddriver and setdriver to succeed</a></dt><dt><a href="#id2914542">Manual Driver Installation in 15 Steps</a></dt><dt><a href="#id2915566">Troubleshooting revisited</a></dt></dl></dd><dt><a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt><a href="#id2915962">Trivial DataBase Files</a></dt><dt><a href="#id2916041">Binary Format</a></dt><dt><a href="#id2916103">Losing *.tdb Files</a></dt><dt><a href="#id2916162">Using tdbbackup</a></dt></dl></dd><dt><a href="#id2916297">CUPS Print Drivers from Linuxprinting.org</a></dt><dd><dl><dt><a href="#id2916436">foomatic-rip and Foomatic explained</a></dt><dt><a href="#id2917129">foomatic-rip and Foomatic-PPD Download and Installation</a></dt></dl></dd><dt><a href="#id2917602">Page Accounting with CUPS</a></dt><dd><dl><dt><a href="#id2917645">Setting up Quotas</a></dt><dt><a href="#id2917708">Correct and incorrect Accounting</a></dt><dt><a href="#id2917748">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt><a href="#id2917829">The page_log File Syntax</a></dt><dt><a href="#id2917938">Possible Shortcomings</a></dt><dt><a href="#id2918010">Future Developments</a></dt><dt><a href="#id2918058">Other Accounting Tools</a></dt></dl></dd><dt><a href="#id2918072">Additional Material</a></dt><dt><a href="#id2918267">Auto-Deletion or Preservation of CUPS Spool Files</a></dt><dd><dl><dt><a href="#id2918326">CUPS Configuration Settings explained</a></dt><dt><a href="#id2918407">Pre-conditions</a></dt><dt><a href="#id2918564">Manual Configuration</a></dt></dl></dd><dt><a href="#id2918622">In Case of Trouble.....</a></dt><dt><a href="#id2918682">Printing from CUPS to Windows attached
Printers</a></dt><dt><a href="#id2918955">More CUPS filtering Chains</a></dt><dt><a href="#id2796634">Common Errors</a></dt><dd><dl><dt><a href="#id2796642">Win9x client can't install driver</a></dt><dt><a href="#id2919061">"cupsaddsmb" keeps asking for root password in
neverending loop</a></dt><dt><a href="#id2919107">"cupsaddsmb" gives "No PPD file for printer..."
message while PPD file is present</a></dt><dt><a href="#id2919163">Client can't connect to Samba printer</a></dt><dt><a href="#id2919497">Can't reconnect to Samba under new account
from Win2K/XP</a></dt><dt><a href="#id2919582">Avoid being connected to the Samba server as the
"wrong" user</a></dt><dt><a href="#id2919635">Upgrading to CUPS drivers from Adobe drivers on
NT/2K/XP clients gives problems</a></dt><dt><a href="#id2919649">Can't use "cupsaddsmb" on Samba server which is
a PDC</a></dt><dt><a href="#id2919678">Deleted Win2K printer driver is still shown</a></dt><dt><a href="#id2919695">Win2K/XP "Local Security
Policies"</a></dt><dt><a href="#id2919711">WinXP clients: "Administrator can not install
printers for all local users"</a></dt><dt><a href="#id2919733">"Print Change Notify" functions on
NT-clients</a></dt><dt><a href="#id2919752">WinXP-SP1</a></dt><dt><a href="#id2919794">Print options for all users can't be set on Win2K/XP</a></dt><dt><a href="#id2920067">Most common blunders in driver
settings on Windows clients</a></dt><dt><a href="#id2920114">cupsaddsmb does not work
with newly installed printer</a></dt><dt><a href="#id2920175">Permissions on
/var/spool/samba/ get reset after each
reboot</a></dt><dt><a href="#id2920284">Printer named "lp"
intermittently swallows jobs and spits out completely different
ones</a></dt><dt><a href="#id2920314">Location of Adobe PostScript driver files necessary for "cupsaddsmb"</a></dt></dl></dd><dt><a href="#id2920369">An Overview of the CUPS Printing Processes</a></dt></dl></dd><dt>20. <a href="#VFS">Stackable VFS modules</a></dt><dd><dl><dt><a href="#id2920538">Features and Benefits</a></dt><dt><a href="#id2920556">Discussion</a></dt><dt><a href="#id2920786">Included modules</a></dt><dd><dl><dt><a href="#id2920793">audit</a></dt><dt><a href="#id2920835">extd_audit</a></dt><dt><a href="#id2920965">fake_perms</a></dt><dt><a href="#id2920984">recycle</a></dt><dt><a href="#id2921153">netatalk</a></dt></dl></dd><dt><a href="#id2921198">VFS modules available elsewhere</a></dt><dd><dl><dt><a href="#id2921220">DatabaseFS</a></dt><dt><a href="#id2921286">vscan</a></dt></dl></dd></dl></dd><dt>21. <a href="#winbind">Winbind: Use of Domain Accounts</a></dt><dd><dl><dt><a href="#id2921516">Features and Benefits</a></dt><dt><a href="#id2921611">Introduction</a></dt><dt><a href="#id2921688">What Winbind Provides</a></dt><dd><dl><dt><a href="#id2921756">Target Uses</a></dt></dl></dd><dt><a href="#id2921786">How Winbind Works</a></dt><dd><dl><dt><a href="#id2921815">Microsoft Remote Procedure Calls</a></dt><dt><a href="#id2921849">Microsoft Active Directory Services</a></dt><dt><a href="#id2921872">Name Service Switch</a></dt><dt><a href="#id2922009">Pluggable Authentication Modules</a></dt><dt><a href="#id2922081">User and Group ID Allocation</a></dt><dt><a href="#id2922128">Result Caching</a></dt></dl></dd><dt><a href="#id2922156">Installation and Configuration</a></dt><dd><dl><dt><a href="#id2922164">Introduction</a></dt><dt><a href="#id2922231">Requirements</a></dt><dt><a href="#id2922333">Testing Things Out</a></dt></dl></dd><dt><a href="#id2923890">Conclusion</a></dt><dt><a href="#id2923909">Common Errors</a></dt><dd><dl><dt><a href="#id2923962">NSCD Problem Warning</a></dt></dl></dd></dl></dd><dt>22. 
<a href="#AdvancedNetworkManagement">Advanced Network Management</a></dt><dd><dl><dt><a href="#id2924071">Features and Benefits</a></dt><dt><a href="#id2924101">Remote Server Administration</a></dt><dt><a href="#id2924200">Remote Desktop Management</a></dt><dd><dl><dt><a href="#id2924218">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="#id2924438">Network Logon Script Magic</a></dt><dd><dl><dt><a href="#id2924711">Adding printers without user intervention</a></dt></dl></dd><dt><a href="#id2924744">Common Errors</a></dt></dl></dd><dt>23. <a href="#PolicyMgmt">System and Account Policies</a></dt><dd><dl><dt><a href="#id2924822">Features and Benefits</a></dt><dt><a href="#id2924888">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="#id2924999">Windows 9x/Me Policies</a></dt><dt><a href="#id2925094">Windows NT4 Style Policy Files</a></dt><dt><a href="#id2925227">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="#id2925491">Managing Account/User Policies</a></dt><dd><dl><dt><a href="#id2925596">Samba Editreg Toolset</a></dt><dt><a href="#id2925636">Windows NT4/200x</a></dt><dt><a href="#id2925655">Samba PDC</a></dt></dl></dd><dt><a href="#id2925700">System Startup and Logon Processing Overview</a></dt><dt><a href="#id2925851">Common Errors</a></dt><dd><dl><dt><a href="#id2925865">Policy Does Not Work</a></dt></dl></dd></dl></dd><dt>24. 
<a href="#ProfileMgmt">Desktop Profile Management</a></dt><dd><dl><dt><a href="#id2925964">Features and Benefits</a></dt><dt><a href="#id2925999">Roaming Profiles</a></dt><dd><dl><dt><a href="#id2926040">Samba Configuration for Profile Handling</a></dt><dt><a href="#id2926530">Windows Client Profile Configuration Information</a></dt><dt><a href="#id2927776">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="#id2927861">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="#id2928114">Mandatory profiles</a></dt><dt><a href="#id2928172">Creating/Managing Group Profiles</a></dt><dt><a href="#id2928216">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="#id2928237">MS Windows 9x/Me</a></dt><dt><a href="#id2928385">MS Windows NT4 Workstation</a></dt><dt><a href="#id2928939">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="#id2929447">Common Errors</a></dt><dd><dl><dt><a href="#id2929460">Setting up roaming profiles for just a few user's or group's?</a></dt><dt><a href="#id2929529">Can NOT use Roaming Profiles</a></dt><dt><a href="#id2929742">Changing the default profile</a></dt></dl></dd></dl></dd><dt>25. <a href="#pam">PAM based Distributed Authentication</a></dt><dd><dl><dt><a href="#id2930024">Features and Benefits</a></dt><dt><a href="#id2930271">Technical Discussion</a></dt><dd><dl><dt><a href="#id2930288">PAM Configuration Syntax</a></dt><dt><a href="#id2930969">Example System Configurations</a></dt><dt><a href="#id2931283">smb.conf PAM Configuration</a></dt><dt><a href="#id2931361">Remote CIFS Authentication using winbindd.so</a></dt><dt><a href="#id2931445">Password Synchronization using pam_smbpass.so</a></dt></dl></dd><dt><a href="#id2931826">Common Errors</a></dt><dd><dl><dt><a href="#id2931839">pam_winbind problem</a></dt><dt><a href="#id2931926">Winbind is not resolving users and groups</a></dt></dl></dd></dl></dd><dt>26. 
<a href="#integrate-ms-networks">Integrating MS Windows networks with Samba</a></dt><dd><dl><dt><a href="#id2932164">Features and Benefits</a></dt><dt><a href="#id2932188">Background Information</a></dt><dt><a href="#id2932259">Name Resolution in a pure UNIX/Linux world</a></dt><dd><dl><dt><a href="#id2932315">/etc/hosts</a></dt><dt><a href="#id2932456">/etc/resolv.conf</a></dt><dt><a href="#id2932499">/etc/host.conf</a></dt><dt><a href="#id2932551">/etc/nsswitch.conf</a></dt></dl></dd><dt><a href="#id2932655">Name resolution as used within MS Windows networking</a></dt><dd><dl><dt><a href="#id2932922">The NetBIOS Name Cache</a></dt><dt><a href="#id2932985">The LMHOSTS file</a></dt><dt><a href="#id2933234">HOSTS file</a></dt><dt><a href="#id2933266">DNS Lookup</a></dt><dt><a href="#id2933298">WINS Lookup</a></dt></dl></dd><dt><a href="#id2933416">Common Errors</a></dt><dd><dl><dt><a href="#id2933432">Pinging works only in one way</a></dt><dt><a href="#id2933465">Very Slow Network Connections</a></dt><dt><a href="#id2933517">Samba server name change problem</a></dt></dl></dd></dl></dd><dt>27. <a href="#unicode">Unicode/Charsets</a></dt><dd><dl><dt><a href="#id2933721">Features and Benefits</a></dt><dt><a href="#id2933765">What are charsets and unicode?</a></dt><dt><a href="#id2933835">Samba and charsets</a></dt><dt><a href="#id2933962">Conversion from old names</a></dt><dt><a href="#id2933992">Japanese charsets</a></dt><dt><a href="#id2934130">Common errors</a></dt><dd><dl><dt><a href="#id2934137">CP850.so can't be found</a></dt></dl></dd></dl></dd><dt>28. <a href="#Backup">Samba Backup Techniques</a></dt><dd><dl><dt><a href="#id2934250">Note</a></dt><dt><a href="#id2934264">Features and Benefits</a></dt></dl></dd><dt>29. 
<a href="#SambaHA">High Availability Options</a></dt><dd><dl><dt><a href="#id2934334">Note</a></dt></dl></dd></dl></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetworkBrowsing"></a>Chapter 10. Samba / MS Windows Network Browsing Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">July 5, 1998</p></div><div><p class="pubdate">Updated: April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2875816">Features and Benefits</a></dt><dt><a href="#id2875904">What is Browsing?</a></dt><dt><a href="#id2876217">Discussion</a></dt><dd><dl><dt><a href="#id2876233">NetBIOS over TCP/IP</a></dt><dt><a href="#id2876469">TCP/IP - without NetBIOS</a></dt><dt><a href="#id2876635">DNS and Active Directory</a></dt></dl></dd><dt><a href="#id2876781">How Browsing Functions</a></dt><dd><dl><dt><a href="#DMB">Setting up WORKGROUP Browsing</a></dt><dt><a href="#id2877309">Setting up DOMAIN Browsing</a></dt><dt><a href="#browse-force-master">Forcing Samba to be the master</a></dt><dt><a href="#id2877716">Making Samba the domain master</a></dt><dt><a href="#id2877893">Note about broadcast addresses</a></dt><dt><a href="#id2877911">Multiple interfaces</a></dt><dt><a 
href="#id2877946">Use of the Remote Announce parameter</a></dt><dt><a href="#id2878104">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="#id2878182">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="#id2878371">Setting up a WINS server</a></dt><dt><a href="#id2878627">WINS Replication</a></dt><dt><a href="#id2878652">Static WINS Entries</a></dt></dl></dd><dt><a href="#id2878737">Helpful Hints</a></dt><dd><dl><dt><a href="#id2878750">Windows Networking Protocols</a></dt><dt><a href="#id2878822">Name Resolution Order</a></dt></dl></dd><dt><a href="#id2878986">Technical Overview of browsing</a></dt><dd><dl><dt><a href="#id2879046">Browsing support in Samba</a></dt><dt><a href="#id2879168">Problem resolution</a></dt><dt><a href="#id2879254">Browsing across subnets</a></dt></dl></dd><dt><a href="#id2879936">Common Errors</a></dt><dd><dl><dt><a href="#id2879950">How can one flush the Samba NetBIOS name cache without restarting Samba?</a></dt><dt><a href="#id2879979">My client reports "This server is not configured to list shared resources"</a></dt><dt><a href="#id2880021">I get an Unable to browse the network error</a></dt></dl></dd></dl></div><p>
This document contains detailed information as well as a fast track guide to
implementing browsing across subnets and/or across workgroups (or domains).
WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is
NOT involved in browse list handling except by way of name to address resolution.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
MS Windows 2000 and later can be configured to operate with NO NetBIOS
over TCP/IP. Samba-3 and later also support this mode of operation.
When NetBIOS over TCP/IP has been disabled, the primary
means of resolving MS Windows machine names is DNS and Active Directory.
The following information assumes that your site is running NetBIOS over TCP/IP.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2875816"></a>Features and Benefits</h2></div></div><div></div></div><p>
Someone once referred to the past in terms of: <span class="emphasis"><em>They were the worst of times,
they were the best of times. The more we look back, the more we long for what was and
hope it never returns!</em></span>.
</p><a class="indexterm" name="id2875837"></a><p>
For many MS Windows network administrators, that statement sums up their feelings about
NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle
nature was just par for the course. For those who never quite managed to tame its
lusty features, NetBIOS is like Paterson's Curse.
</p><p>
For those not familiar with botanical problems in Australia: Paterson's curse,
Echium plantagineum, was introduced to Australia from Europe during the mid-nineteenth
century. Since then it has spread rapidly. The high seed production, with densities of
thousands of seeds per square metre, a seed longevity of more than seven years, and an
ability to germinate at any time of year, given the right conditions, are some of the
features which make it such a persistent weed.
</p><p>
In this chapter we explore vital aspects of SMB (Server Message Block) networking with
a particular focus on SMB as implemented through running NetBIOS (Network Basic
Input / Output System) over TCP/IP. Since Samba does NOT implement SMB or NetBIOS over
any other protocols, we need to know how to configure our network environment and simply
remember to use nothing but TCP/IP on all our MS Windows network clients.
</p><p>
Samba provides the ability to implement a WINS (Windows Internetworking Name Server)
and implements extensions to Microsoft's implementation of WINS. These extensions
help Samba to effect stable WINS operations beyond the normal scope of MS WINS.
</p><p>
Please note that WINS is exclusively a service that applies only to those systems
that run NetBIOS over TCP/IP. MS Windows 200x / XP have the capacity to turn off
support for NetBIOS, in which case WINS is of no relevance. Samba supports this also.
</p><p>
For those networks on which NetBIOS has been disabled (i.e. WINS is NOT required)
the use of DNS is necessary for host name resolution.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2875904"></a>What is Browsing?</h2></div></div><div></div></div><p>
To most people browsing means that they can see the MS Windows and Samba servers
in the Network Neighborhood, and when the computer icon for a particular server is
clicked, it opens up and shows the shares and printers available on the target server.
</p><p>
What seems so simple is in fact a very complex interaction of different technologies.
The technologies (or methods) employed in making all of this work include:
</p><div class="itemizedlist"><ul type="disc"><li><p>MS Windows machines register their presence on the network</p></li><li><p>Machines announce themselves to other machines on the network</p></li><li><p>One or more machines on the network collate the local announcements</p></li><li><p>The client machine finds the machine that has the collated list of machines</p></li><li><p>The client machine is able to resolve the machine names to IP addresses</p></li><li><p>The client machine is able to connect to a target machine</p></li></ul></div><p>
The Samba application that controls browse list management and name resolution is
called <tt class="filename">nmbd</tt>. The configuration parameters involved in nmbd's operation are:
</p><p>Browsing options: <a class="indexterm" name="id2875988"></a><i class="parameter"><tt>os level</tt></i>(*),
<a class="indexterm" name="id2876002"></a><i class="parameter"><tt>lm announce</tt></i>,
<a class="indexterm" name="id2876016"></a><i class="parameter"><tt>lm interval</tt></i>,
<a class="indexterm" name="id2876030"></a><i class="parameter"><tt>preferred master</tt></i>(*),
<a class="indexterm" name="id2876044"></a><i class="parameter"><tt>local master</tt></i>(*),
<a class="indexterm" name="id2876058"></a><i class="parameter"><tt>domain master</tt></i>(*),
<a class="indexterm" name="id2876072"></a><i class="parameter"><tt>browse list</tt></i>,
<a class="indexterm" name="id2876085"></a><i class="parameter"><tt>enhanced browsing</tt></i>.
</p><p>Name Resolution Method:
<a class="indexterm" name="id2876103"></a><i class="parameter"><tt>name resolve order</tt></i>(*).
</p><p>WINS options:
<a class="indexterm" name="id2876122"></a><i class="parameter"><tt>dns proxy</tt></i>,
<a class="indexterm" name="id2876136"></a><i class="parameter"><tt>wins proxy</tt></i>,
<a class="indexterm" name="id2876150"></a><i class="parameter"><tt>wins server</tt></i>(*),
<a class="indexterm" name="id2876163"></a><i class="parameter"><tt>wins support</tt></i>(*),
<a class="indexterm" name="id2876178"></a><i class="parameter"><tt>wins hook</tt></i>.
</p><a class="indexterm" name="id2876193"></a><p>
For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with
an '*' are the only options that commonly MAY need to be modified. Even if not one of these
parameters is set, <tt class="filename">nmbd</tt> will still do its job.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2876217"></a>Discussion</h2></div></div><div></div></div><p>
Firstly, all MS Windows networking uses SMB (Server Message Block) based messaging.
SMB messaging may be implemented with or without NetBIOS. MS Windows 200x supports
NetBIOS over TCP/IP for backwards compatibility. Microsoft is intent on phasing out NetBIOS
support.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2876233"></a>NetBIOS over TCP/IP</h3></div></div><div></div></div><p>
Samba implements NetBIOS, as does MS Windows NT / 200x / XP, by encapsulating it over TCP/IP.
MS Windows products can do likewise. NetBIOS based networking uses broadcast messaging to
effect browse list management. When running NetBIOS over TCP/IP, this uses UDP based messaging.
UDP messages can be broadcast or unicast.
</p><a class="indexterm" name="id2876251"></a><p>
Normally, only unicast UDP messaging can be forwarded by routers. The
<a class="indexterm" name="id2876262"></a><i class="parameter"><tt>remote announce</tt></i> parameter to smb.conf helps to project browse announcements
to remote network segments via unicast UDP. Similarly, the
<a class="indexterm" name="id2876280"></a><i class="parameter"><tt>remote browse sync</tt></i> parameter of <tt class="filename">smb.conf</tt>
implements browse list collation using unicast UDP.
</p><p>
Secondly, in those networks where Samba is the only SMB server technology,
wherever possible <tt class="filename">nmbd</tt> should be configured on one (1) machine as the WINS
server. This makes it easy to manage the browsing environment. If each network
segment is configured with its own Samba WINS server, then the only way to
get cross segment browsing to work is by using the
<a class="indexterm" name="id2876319"></a><i class="parameter"><tt>remote announce</tt></i> and the <a class="indexterm" name="id2876333"></a><i class="parameter"><tt>remote browse sync</tt></i>
parameters to your <tt class="filename">smb.conf</tt> file.
</p><p>
<a class="indexterm" name="id2876359"></a>
If only one WINS server is used for an entire multi-segment network then
the use of the <a class="indexterm" name="id2876368"></a><i class="parameter"><tt>remote announce</tt></i> and the
<a class="indexterm" name="id2876382"></a><i class="parameter"><tt>remote browse sync</tt></i> parameters should NOT be necessary.
</p><p>
As of Samba 3 WINS replication is being worked on. The bulk of the code has
been committed, but it still needs maturation. This is NOT a supported feature
of the Samba-3.0.0 release. Hopefully, this will become a supported feature
of one of the Samba-3 release series.
</p><p>
Right now Samba WINS does not support MS-WINS replication. This means that
when setting up Samba as a WINS server there must only be one <tt class="filename">nmbd</tt>
configured as a WINS server on the network. Some sites have used multiple Samba WINS
servers for redundancy (one server per subnet) and then used
<a class="indexterm" name="id2876422"></a><i class="parameter"><tt>remote browse sync</tt></i> and <a class="indexterm" name="id2876436"></a><i class="parameter"><tt>remote announce</tt></i>
to effect browse list collation across all segments. Note that this means clients
will only resolve local names, and must be configured to use DNS to resolve names
on other subnets in order to resolve the IP addresses of the servers they can see
on other subnets. This setup is not recommended, but is mentioned as a practical
consideration (i.e. an 'if all else fails' scenario).
</p><p>
Lastly, take note that browse lists are a collection of unreliable broadcast
messages that are repeated at intervals of not more than 15 minutes. This means
that it will take time to establish a browse list and it can take up to 45
minutes to stabilise, particularly across network segments.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2876469"></a>TCP/IP - without NetBIOS</h3></div></div><div></div></div><p>
<a class="indexterm" name="id2876480"></a>
<a class="indexterm" name="id2876488"></a>
<a class="indexterm" name="id2876497"></a>
All systems that use TCP/IP use some form of host name resolution. The primary
methods for TCP/IP hostname resolution involve either a static file (<tt class="filename">/etc/hosts</tt>) or DNS (the Domain Name System). DNS is the technology that makes
the Internet usable. DNS based host name resolution is supported by nearly all TCP/IP
enabled systems. Only a few embedded TCP/IP systems do not support DNS.
</p><p>
When an MS Windows 200x / XP system attempts to resolve a host name to an IP address
it follows a defined path:
</p><div class="orderedlist"><ol type="1"><li><p>
Checks the <tt class="filename">hosts</tt> file. It is located in
<tt class="filename">C:\WinNT\System32\Drivers\etc</tt>.
</p></li><li><p>
Does a DNS lookup
</p></li><li><p>
Checks the NetBIOS name cache
</p></li><li><p>
Queries the WINS server
</p></li><li><p>
Does a broadcast name lookup over UDP
</p></li><li><p>
Looks up entries in LMHOSTS. It is located in
<tt class="filename">C:\WinNT\System32\Drivers\etc</tt>.
</p></li></ol></div><a class="indexterm" name="id2876594"></a><p>
Windows 200x / XP can register its host name with a Dynamic DNS server. You can
force registration with a Dynamic DNS server in Windows 200x / XP using:
<b class="command">ipconfig /registerdns</b>
</p><p>
With Active Directory (ADS), a correctly functioning DNS server is absolutely
essential. In the absence of a working DNS server that has been correctly configured,
MS Windows clients and servers will be totally unable to locate each other, and
consequently network services will be severely impaired.
</p><p>
The use of Dynamic DNS is highly recommended with Active Directory, in which case
the use of BIND9 is preferred for its ability to adequately support the SRV (service)
records that are needed for Active Directory.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2876635"></a>DNS and Active Directory</h3></div></div><div></div></div><a class="indexterm" name="id2876642"></a><p>
Occasionally we hear from UNIX network administrators who want to use a UNIX based Dynamic
DNS server in place of the Microsoft DNS server. While this might be desirable to some, the
MS Windows 200x DNS server is auto-configured to work with Active Directory. It is possible
to use BIND version 8 or 9, but it will almost certainly be necessary to create service records
so that MS Active Directory clients can resolve host names to locate essential network services.
The following are some of the default service records that Active Directory requires:
</p><div class="itemizedlist"><ul type="disc"><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
This provides the address of the Windows NT PDC for the Domain.
</p></li><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
Resolves the addresses of Global Catalog servers in the domain.
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>site</em></span>.sites.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
Provides a list of domain controllers based on sites.
</p></li><li><p>_ldap._tcp.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
Enumerates the list of domain controllers that have the writable
copies of the Active Directory data store.
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>GUID</em></span>.domains.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
Entry used by MS Windows clients to locate machines using the
Global Unique Identifier.
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>Site</em></span>.gc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
Used by MS Windows clients to locate the site configuration dependent
Global Catalog server.
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2876781"></a>How Browsing Functions</h2></div></div><div></div></div><p>
MS Windows machines register their NetBIOS names
(i.e. the machine name for each service type in operation) on start
up. The exact method by which this name registration
takes place is determined by whether or not the MS Windows client/server
has been given a WINS server address, whether or not LMHOSTS lookup
is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
</p><p>
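The names registered above, one per service type, travel on the wire as a 15-byte machine name plus a one-byte service suffix, first-level encoded into 32 letters (RFC 1001/1002). The following Python is an added example, not code from the Samba HOWTO or the Samba project: it encodes and decodes such names, maps the well-known suffixes to the browser roles this chapter discusses, and parses the question section of a name query the way it appears in a packet capture of UDP port 137. The MYGROUP name and the packet bytes are constructed here, not captured from a real network.
</p>
```python
"""NetBIOS name encoding, suffix decoding and name-service question parsing.

Added example for this chapter; it is not code from the Samba HOWTO or the
Samba project. The names and the packet bytes it works on are constructed
here, not captured from a real network.
"""
import struct

# Well-known service suffixes (the 16th byte of a NetBIOS name). The browser
# roles discussed in this chapter each register a name with their own suffix.
SUFFIXES = {
    0x00: "workstation service",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers (group name)",
    0x1D: "local master browser",
    0x1E: "browser elections (group name)",
    0x20: "file server service",
}


def encode_name(name, suffix, pad=b" "):
    """First-level encoding (RFC 1001 section 14): upper-case the name, pad it
    to 15 bytes, append the suffix byte, then split every byte into two
    nibbles and add 'A' to each. The result is always 32 letters A..P."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_name(encoded):
    """Inverse of encode_name. Returns (name, suffix); rejects anything that is
    not exactly 32 letters A..P so a truncated or corrupt field is not
    silently turned into a plausible-looking name."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a 32-character first-level encoded name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def parse_question(packet):
    """Parse the fixed header and first question of a NetBIOS name-service
    packet (a name query or a name registration): 12-byte header, a label of
    length 32 holding the encoded name, a 0x00 root label (no scope),
    then QTYPE and QCLASS."""
    if len(packet) < 50:
        raise ValueError("packet too short for a name-service question")
    txn_id, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1 or packet[12] != 32 or packet[45] != 0:
        raise ValueError("unsupported or malformed question section")
    name, suffix = decode_name(packet[13:45])
    qtype, _qclass = struct.unpack("!HH", packet[46:50])
    return {
        "txn_id": txn_id,
        "is_request": not flags & 0x8000,
        "opcode": (flags >> 11) & 0x0F,      # 0 = query, 5 = registration
        "broadcast": bool(flags & 0x0010),   # B flag: sent to the subnet
        "name": name,
        "suffix": suffix,
        "role": SUFFIXES.get(suffix, "unknown suffix"),
        "qtype": qtype,                      # 0x20 = NB, 0x21 = NBSTAT
    }


def build_sample_query(name, suffix, txn_id=0x1234):
    """Construct a broadcast NB name query (flags 0x0110: request, opcode 0,
    recursion desired, broadcast) as sample input for parse_question."""
    header = struct.pack("!HHHHHH", txn_id, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name, suffix) + b"\x00"
    return header + question + struct.pack("!HH", 0x0020, 0x0001)


if __name__ == "__main__":
    # Constructed sample: a client looking for the local master browser of
    # workgroup MYGROUP (the 0x1D name that role registers).
    print(parse_question(build_sample_query("MYGROUP", 0x1D)))
```
<p>
When browse lists are inconsistent, decoding the suffix from a trace of UDP port 137 is the quickest way to see which host is claiming the local master browser (0x1D) or domain master browser (0x1B) name for a workgroup, and whether the claim was a broadcast registration or a unicast one to a WINS server.
</p><p>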
In the case where there is no WINS server, all name registrations as
well as name lookups are done by UDP broadcast. This isolates name
resolution to the local subnet, unless LMHOSTS is used to list all
names and IP addresses. In such situations Samba provides a means by
which the Samba server name may be forcibly injected into the browse
list of a remote MS Windows network (using the
<a class="indexterm" name="id2876810"></a><i class="parameter"><tt>remote announce</tt></i> parameter).
</p><p>
Where a WINS server is used, the MS Windows client will use UDP
unicast to register with the WINS server. Such packets can be routed
and thus WINS allows name resolution to function across routed networks.
</p><p>
During the startup process an election will take place to create a
local master browser if one does not already exist. On each NetBIOS network
one machine will be elected to function as the domain master browser. This
domain browsing has nothing to do with MS security domain control.
Instead, the domain master browser serves the role of contacting each local
master browser (found by asking WINS or from LMHOSTS) and exchanging browse
list contents. This way every master browser will eventually obtain a complete
list of all machines that are on the network. Every 11-15 minutes an election
is held to determine which machine will be the master browser. By the nature of
the election criteria used, the machine with the highest uptime, or the
most senior protocol version, or other criteria, will win the election
as domain master browser.
</p><p>
Clients wishing to browse the network make use of this list, but also depend
on the availability of correct name resolution to the respective IP
address/addresses.
</p><p>
Any configuration that breaks name resolution and/or browsing intrinsics
will annoy users because they will have to put up with protracted
inability to use the network services.
</p><p>
Samba supports a feature that allows forced synchronisation
of browse lists across routed networks using the <a class="indexterm" name="id2876873"></a><i class="parameter"><tt>remote browse sync</tt></i> parameter in the <tt class="filename">smb.conf</tt> file.
This causes Samba to contact the local master browser on a remote network and
to request browse list synchronisation. This effectively bridges
two networks that are separated by routers. The two remote
networks may use either broadcast based name resolution or WINS
based name resolution, but it should be noted that the <a class="indexterm" name="id2876902"></a><i class="parameter"><tt>remote browse sync</tt></i> parameter provides browse list synchronisation - and
that is distinct from name to address resolution, in other
words, for cross subnet browsing to function correctly it is
essential that a name to address resolution mechanism be provided.
This mechanism could be via DNS, <tt class="filename">/etc/hosts</tt>,
and so on.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="DMB"></a>Setting up WORKGROUP Browsing</h3></div></div><div></div></div><p>
2382 To set up cross subnet browsing on a network containing machines
2383 in up to be in a WORKGROUP, not an NT Domain you need to set up one
2384 Samba server to be the Domain Master Browser (note that this is *NOT*
2385 the same as a Primary Domain Controller, although in an NT Domain the
2386 same machine plays both roles). The role of a Domain master browser is
2387 to collate the browse lists from local master browsers on all the
2388 subnets that have a machine participating in the workgroup. Without
2389 one machine configured as a domain master browser each subnet would
2390 be an isolated workgroup, unable to see any machines on any other
2391 subnet. It is the presence of a domain master browser that makes
2392 cross subnet browsing possible for a workgroup.
2393 </p><p>
2394 In an WORKGROUP environment the domain master browser must be a
2395 Samba server, and there must only be one domain master browser per
2396 workgroup name. To set up a Samba server as a domain master browser,
2397 set the following option in the <i class="parameter"><tt>[global]</tt></i> section
2398 of the <tt class="filename">smb.conf</tt> file :
2399 </p><p>
2400 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>domain master = yes</tt></i></td></tr></table><p>
2401 </p><p>
2402 The domain master browser should also preferably be the local master
2403 browser for its own subnet. In order to achieve this set the following
2404 options in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt> file :
2405 </p><p>
2406 </p><div class="example"><a name="id2877023"></a><p class="title"><b>Example 10.1. Domain master browser smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 65</tt></i></td></tr></table></div><p>
2407 </p><p>
2408 The domain master browser may be the same machine as the WINS
2409 server, if you require.
2410 </p><p>
2411 Next, you should ensure that each of the subnets contains a
2412 machine that can act as a local master browser for the
2413 workgroup. Any MS Windows NT/2K/XP/2003 machine should be
2414 able to do this, as will Windows 9x machines (although these
2415 tend to get rebooted more often, so it's not such a good idea
2416 to use these). To make a Samba server a local master browser
2417 set the following options in the <i class="parameter"><tt>[global]</tt></i> section of the
2418 <tt class="filename">smb.conf</tt> file :
2419 </p><p>
2420 </p><div class="example"><a name="id2877114"></a><p class="title"><b>Example 10.2. Local master browser smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 65</tt></i></td></tr></table></div><p>
2421 </p><p>
2422 Do not do this for more than one Samba server on each subnet,
2423 or they will war with each other over which is to be the local
2424 master browser. You can check which host currently holds the role with <b class="command">nmblookup</b> -M <i class="replaceable"><tt>WORKGROUP</tt></i>, which looks up the <i class="replaceable"><tt>WORKGROUP</tt></i>&lt;1D&gt; name.
2425 </p><p>
2426 The <a class="indexterm" name="id2877180"></a><i class="parameter"><tt>local master</tt></i> parameter allows Samba to act as a
2427 local master browser. The <a class="indexterm" name="id2877196"></a><i class="parameter"><tt>preferred master</tt></i> parameter causes nmbd
2428 to force a browser election on startup and the <a class="indexterm" name="id2877212"></a><i class="parameter"><tt>os level</tt></i>
2429 parameter sets Samba's election bias high enough that it should win any browser election.
2430 </p><p>
2431 If you have an NT machine on the subnet that you wish to
2432 be the local master browser then you can disable Samba from
2433 becoming a local master browser by setting the following
2434 options in the <i class="parameter"><tt>[global]</tt></i> section of the
2435 <tt class="filename">smb.conf</tt> file :
2436 </p><p>
2437 </p><div class="example"><a name="id2877252"></a><p class="title"><b>Example 10.3. smb.conf for not being a master browser</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 0</tt></i></td></tr></table></div><p>
2438 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2877309"></a>Setting up DOMAIN Browsing</h3></div></div><div></div></div><p>
2439 If you are adding Samba servers to a Windows NT Domain then
2440 you must not set up a Samba server as a domain master browser.
2441 By default, a Windows NT Primary Domain Controller for a domain
2442 is also the Domain master browser for that domain, and many
2443 things will break if a Samba server registers the Domain master
2444 browser NetBIOS name (<i class="replaceable"><tt>DOMAIN</tt></i>&lt;1B&gt;)
2445 with WINS instead of the PDC.
2446 </p><p>
2447 For subnets other than the one containing the Windows NT PDC
2448 you may set up Samba servers as local master browsers as
2449 described. To make a Samba server a local master browser set
2450 the following options in the <i class="parameter"><tt>[global]</tt></i> section
2451 of the <tt class="filename">smb.conf</tt> file :
2452 </p><p>
2453 </p><div class="example"><a name="id2877358"></a><p class="title"><b>Example 10.4. Local master browser smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 65</tt></i></td></tr></table></div><p>
2454 </p><p>
2455 If you want a Samba server to contest the election with other machines
2456 on the same subnet rather than win it outright, set the <a class="indexterm" name="id2877419"></a><i class="parameter"><tt>os level</tt></i> parameter
2457 to a lower value. By doing this you can tune the order in which machines
2458 become local master browser when they are running. For
2459 more details on this see the section <a href="#browse-force-master" title="Forcing Samba to be the master">
2460 Forcing Samba to be the master browser</a>
2461 below.
2462 </p><p>
2463 If you have Windows NT machines that are members of the domain
2464 on all subnets, and you are sure they will always be running then
2465 you can disable Samba from taking part in browser elections and
2466 ever becoming a local master browser by setting following options
2467 in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt>
2468 file :
2469 </p><p>
2470 </p><div class="example"><a name="id2877475"></a><p class="title"><b>Example 10.5. smb.conf for not being a master browser</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 0</tt></i></td></tr></table></div><p>
2471 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="browse-force-master"></a>Forcing Samba to be the master</h3></div></div><div></div></div><p>
2472 Who becomes the master browser is determined by an election
2473 process using broadcasts. Each election packet contains a number of parameters
2474 which determine what precedence (bias) a host should have in the
2475 election. By default Samba uses a very low precedence and thus loses
2476 elections to just about anyone else.
2477 </p><p>
2478 If you want Samba to win elections then just set the <a class="indexterm" name="id2877559"></a><i class="parameter"><tt>os level</tt></i> global
2479 option in <tt class="filename">smb.conf</tt> to a higher number. It defaults to 0. Using 34
2480 would make it win all elections over every other system (except other
2481 samba systems!)
2482 </p><p>
2483 An <a class="indexterm" name="id2877585"></a><i class="parameter"><tt>os level</tt></i> of 2 would make it beat WfWg and Win95, but not MS Windows
2484 NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.
2485 </p><p>The maximum os level is 255.</p><p>
2486 If you want Samba to force an election on startup, then set the
2487 <a class="indexterm" name="id2877610"></a><i class="parameter"><tt>preferred master</tt></i> global option in <tt class="filename">smb.conf</tt> to <tt class="constant">yes</tt>. Samba will
2488 then have a slight advantage over other potential master browsers
2489 that are not preferred master browsers. Use this parameter with
2490 care, as if you have two hosts (whether they are Windows 95 or NT or
2491 Samba) on the same local subnet both set with <a class="indexterm" name="id2877641"></a><i class="parameter"><tt>preferred master</tt></i> to
2492 <tt class="constant">yes</tt>, then periodically and continually they will force an election
2493 in order to become the local master browser.
2494 </p><p>
2495 If you want Samba to be a <span class="emphasis"><em>domain master browser</em></span>, then it is
2496 recommended that you also set <a class="indexterm" name="id2877670"></a><i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, because
2497 Samba will not become a domain master browser for the whole of your
2498 LAN or WAN if it is not also a local master browser on its own
2499 broadcast isolated subnet.
2500 </p><p>
2501 It is possible to configure two Samba servers to attempt to become
2502 the domain master browser for a domain. The first server that comes
2503 up will be the domain master browser. All other Samba servers will
2504 attempt to become the domain master browser every 5 minutes. They
2505 will find that another Samba server is already the domain master
2506 browser and will fail. This provides automatic redundancy, should
2507 the current domain master browser fail.
2508 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2877716"></a>Making Samba the domain master</h3></div></div><div></div></div><p>
2509 The domain master is responsible for collating the browse lists of
2510 multiple subnets so that browsing can occur between subnets. You can
2511 make Samba act as the domain master by setting <a class="indexterm" name="id2877730"></a><i class="parameter"><tt>domain master</tt></i> = yes
2512 in <tt class="filename">smb.conf</tt>. By default it will not be a domain master.
2513 </p><p>
2514 Note that you should <span class="emphasis"><em>not</em></span> set Samba to be the domain master for a
2515 workgroup that has the same name as an NT Domain.
2516 </p><p>
2517 When Samba is the domain master and the master browser, it will listen
2518 for master announcements (made roughly every twelve minutes) from local
2519 master browsers on other subnets and then contact them to synchronise
2520 browse lists.
2521 </p><p>
2522 If you want Samba to be the domain master then I suggest you also set
2523 the <a class="indexterm" name="id2877774"></a><i class="parameter"><tt>os level</tt></i> high enough to make sure it wins elections, and set
2524 <a class="indexterm" name="id2877790"></a><i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, to get Samba to force an election on
2525 startup.
2526 </p><p>
2527 Note that all your servers (including Samba) and clients should be
2528 using a WINS server to resolve NetBIOS names. If your clients are only
2529 using broadcasting to resolve NetBIOS names, then two things will occur:
2530 </p><div class="orderedlist"><ol type="1"><li><p>
2531 your local master browsers will be unable to find a domain master
2532 browser, as it will only be looking on the local subnet.
2533 </p></li><li><p>
2534 if a client happens to get hold of a domain-wide browse list, and
2535 a user attempts to access a host in that list, it will be unable to
2536 resolve the NetBIOS name of that host.
2537 </p></li></ol></div><p>
2538 If, however, both Samba and your clients are using a WINS server, then:
2539 </p><div class="orderedlist"><ol type="1"><li><p>
2540 your local master browsers will contact the WINS server and, as long as
2541 Samba has registered that it is a domain master browser with the WINS
2542 server, your local master browser will receive Samba's IP address
2543 as its domain master browser.
2544 </p></li><li><p>
2545 when a client receives a domain-wide browse list, and a user attempts
2546 to access a host in that list, it will contact the WINS server to
2547 resolve the NetBIOS name of that host. As long as that host has
2548 registered its NetBIOS name with the same WINS server, the user will
2549 be able to see that host.
2550 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2877893"></a>Note about broadcast addresses</h3></div></div><div></div></div><p>
2551 If your network uses a "0" based broadcast address (for example if it
2552 ends in a 0) then you will strike problems. Windows for Workgroups
2553 does not seem to support a 0's broadcast and you will probably find
2554 that browsing and name lookups won't work.
2555 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2877911"></a>Multiple interfaces</h3></div></div><div></div></div><p>
2556 Samba now supports machines with multiple network interfaces. If you
2557 have multiple interfaces then you will need to use the <a class="indexterm" name="id2877922"></a><i class="parameter"><tt>interfaces</tt></i>
2558 option in <tt class="filename">smb.conf</tt> to configure them.
2559 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2877946"></a>Use of the Remote Announce parameter</h3></div></div><div></div></div><p>
2560 The <a class="indexterm" name="id2877956"></a><i class="parameter"><tt>remote announce</tt></i> parameter of
2561 <tt class="filename">smb.conf</tt> can be used to forcibly ensure
2562 that all the NetBIOS names on a network get announced to a remote network.
2563 The syntax of the <a class="indexterm" name="id2877981"></a><i class="parameter"><tt>remote announce</tt></i> parameter is:
2564 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>remote announce = a.b.c.d [e.f.g.h] ...</tt></i></td></tr></table><p>
2565 <span class="emphasis"><em>or</em></span>
2566 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...</tt></i></td></tr></table><p>
2568 where:
2569 </p><div class="variablelist"><dl><dt><span class="term"><i class="replaceable"><tt>a.b.c.d</tt></i> and
2570 <i class="replaceable"><tt>e.f.g.h</tt></i></span></dt><dd><p>
2571 <a class="indexterm" name="id2878051"></a>
2572 <a class="indexterm" name="id2878062"></a>
2574 is either the LMB (Local Master Browser) IP address
2575 or the broadcast address of the remote network,
2576 e.g. the LMB at 192.168.1.10, or the broadcast address
2577 192.168.1.255 where the netmask is assumed to be
2578 24 bits (255.255.255.0).
2579 When the remote announcement is made to the broadcast
2580 address of the remote network, every host will receive
2581 our announcements. This is noisy and therefore
2582 undesirable but may be necessary if we do NOT know
2583 the IP address of the remote LMB.</p></dd><dt><span class="term"><i class="replaceable"><tt>WORKGROUP</tt></i></span></dt><dd><p>is optional and can be either our own workgroup
2584 or that of the remote network. If you use the
2585 workgroup name of the remote network then our
2586 NetBIOS machine names will end up looking like
2587 they belong to that workgroup; this may cause
2588 name resolution problems and should be avoided.
2589 </p></dd></dl></div><p>
2590 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2878104"></a>Use of the Remote Browse Sync parameter</h3></div></div><div></div></div><p>
2591 The <a class="indexterm" name="id2878115"></a><i class="parameter"><tt>remote browse sync</tt></i> parameter of
2592 <tt class="filename">smb.conf</tt> is used to announce to
2593 another LMB that it must synchronise its NetBIOS name list with our
2594 Samba LMB. It works ONLY if the Samba server that has this option is
2595 simultaneously the LMB on its network segment.
2596 </p><p>
2597 The syntax of the <a class="indexterm" name="id2878144"></a><i class="parameter"><tt>remote browse sync</tt></i> parameter is:
2599 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>remote browse sync = a.b.c.d</tt></i></td></tr></table><p>
2601 where <i class="replaceable"><tt>a.b.c.d</tt></i> is either the IP address of the
2602 remote LMB or else is the network broadcast address of the remote segment.
2603 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2878182"></a>WINS - The Windows Internetworking Name Server</h2></div></div><div></div></div><p>
2604 Use of WINS (either Samba WINS <span class="emphasis"><em>or</em></span> MS Windows NT Server WINS) is highly
2605 recommended. Every NetBIOS machine registers its name together with a
2606 name_type value for each of several types of service it has available.
2607 e.g. it registers its machine name as a unique workstation name (type 0x00) and,
2608 for the messenger service, as a type 0x03 name. It also registers its name if it is running
2609 the LanManager compatible server service (used to make shares and printers available to other users)
2610 by registering the server (the type 0x20) name.
2611 </p><p>
2612 All NetBIOS names are up to 15 characters in length. The name_type value
2613 is appended to the end of the name as a 16th byte. Any name that is shorter
2614 than 15 characters is first padded with spaces to the 15th character, so
2615 every registered NetBIOS name is exactly 16 bytes long (including the
2616 name_type information).
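</p><p>
The following is an added example; it is not code from this HOWTO or from the Samba project. It builds the 16-byte registered form described above (name upper-cased, space-padded to 15 bytes, name_type as the 16th byte), takes it apart again and, going one step beyond the text, applies the RFC 1001 first-level encoding that carries such a name on the wire, where each byte becomes two letters offset from 'A' (32 letters per name). The descriptions for types 0x00 and 0x1C are taken from the NetBIOS naming conventions rather than from this chapter.
</p>
```python
# Added example: the 16-byte NetBIOS name form that WINS stores, plus the
# RFC 1001 first-level wire encoding. Not Samba project code.
NETBIOS_NAME_LEN = 15

# Name types used in this chapter; 0x00 and 0x1C are added from the NetBIOS
# naming conventions (an assumption, not quoted from the text).
NAME_TYPES = {
    0x00: "workstation service",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers (group)",
    0x1D: "local master browser",
    0x20: "file server service",
}


def netbios_name(name, name_type):
    """Registered form: upper-cased name, space-padded to 15 bytes, followed
    by the one-byte name_type. Raises on names that do not fit."""
    if not 0 <= name_type <= 0xFF:
        raise ValueError("name_type must fit in one byte")
    raw = name.upper().encode("ascii")
    if not raw or len(raw) > NETBIOS_NAME_LEN:
        raise ValueError("NetBIOS names are 1 to 15 characters long")
    return raw.ljust(NETBIOS_NAME_LEN, b" ") + bytes([name_type])


def split_netbios_name(encoded):
    """Inverse of netbios_name(): strip the space padding, return (name, type)."""
    if len(encoded) != NETBIOS_NAME_LEN + 1:
        raise ValueError("a registered NetBIOS name is exactly 16 bytes")
    name = encoded[:NETBIOS_NAME_LEN].rstrip(b" ").decode("ascii")
    return name, encoded[NETBIOS_NAME_LEN]


def first_level_encode(encoded):
    """RFC 1001 first-level encoding: each byte becomes two letters, one per
    nibble, each nibble added to 'A' (0x41). 16 bytes become 32 letters."""
    letters = []
    for byte in encoded:
        letters.append(chr(0x41 + (byte >> 4)))
        letters.append(chr(0x41 + (byte & 0x0F)))
    return "".join(letters)


def first_level_decode(wire):
    """Reverse of first_level_encode(); rejects anything but 32 letters A-P."""
    if len(wire) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in wire):
        raise ValueError("first-level encoded names are 32 letters A-P")
    pairs = zip(wire[0::2], wire[1::2])
    return bytes(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41) for hi, lo in pairs)


def describe(name, name_type):
    """Readable form with the type in angle brackets, as this chapter writes
    the domain master browser name."""
    return "%s<%02X> (%s)" % (name.upper(), name_type, NAME_TYPES.get(name_type, "unknown"))


if __name__ == "__main__":
    for name, name_type in (("madman", 0x03), ("madman", 0x20), ("midearth", 0x1B)):
        packed = netbios_name(name, name_type)
        print(describe(name, name_type), packed, first_level_encode(packed))
```
<p>
The &lt;1B&gt; and &lt;1D&gt; names produced this way are the domain and local master browser names the sections above refer to; the workgroup name MIDEARTH in the demonstration is hypothetical.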
2617 </p><p>
2618 WINS can store these 16 character names as they get registered. A client
2619 that wants to log onto the network can ask the WINS server for a list
2620 of all names that have registered the NetLogon service name_type (<i class="replaceable"><tt>DOMAIN</tt></i>&lt;1C&gt;). This saves
2621 broadcast traffic and greatly expedites logon processing. Since broadcast
2622 name resolution can not be used across network segments this type of
2623 information can only be provided via WINS <span class="emphasis"><em>or</em></span> via statically configured
2624 <tt class="filename">lmhosts</tt> files that must reside on all clients in the
2625 absence of WINS.
2626 </p><p>
2627 WINS also serves the purpose of forcing browse list synchronisation by all
2628 LMBs. LMBs must synchronise their browse list with the DMB (domain master
2629 browser) and WINS helps the LMB to identify its DMB. By definition this
2630 will work only within a single workgroup. Note that the domain master browser
2631 has NOTHING to do with what is referred to as an MS Windows NT Domain. The
2632 latter is a reference to a security environment while the DMB refers to the
2633 master controller for browse list information only.
2634 </p><p>
2635 Use of WINS will work correctly only if EVERY client TCP/IP protocol stack
2636 has been configured to use the WINS server(s). Any client that has not been
2637 configured to use the WINS server will continue to use only broadcast based
2638 name registration, so that WINS may NEVER get to know about it. In any case,
2639 machines that have not registered with a WINS server will not be found by
2640 name-to-address lookups from other clients and will therefore cause workstation access
2641 errors.
2642 </p><p>
2643 To configure Samba as a WINS server just add
2644 <a class="indexterm" name="id2878272"></a><i class="parameter"><tt>wins support</tt></i> = yes to the <tt class="filename">smb.conf</tt>
2645 file [global] section.
2646 </p><p>
2647 To configure Samba to register with a WINS server just add
2648 <a class="indexterm" name="id2878300"></a><i class="parameter"><tt>wins server</tt></i> = a.b.c.d to your <tt class="filename">smb.conf</tt> file <i class="parameter"><tt>[global]</tt></i> section.
2649 </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>
2650 Never use both <a class="indexterm" name="id2878332"></a><i class="parameter"><tt>wins support</tt></i> = yes together
2651 with <a class="indexterm" name="id2878348"></a><i class="parameter"><tt>wins server</tt></i> = a.b.c.d on the same server,
2652 not even with its own IP address.
2653 Specifying both will cause <span class="application">nmbd</span> to refuse to start!
2654 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2878371"></a>Setting up a WINS server</h3></div></div><div></div></div><p>
2655 Either a Samba machine or a Windows NT Server machine may be set up
2656 as a WINS server. To set a Samba machine to be a WINS server you must
2657 add the following option to the <tt class="filename">smb.conf</tt> file on the selected machine :
2658 in the <i class="parameter"><tt>[global]</tt></i> section add the line
2659 </p><p>
2660 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>wins support = yes</tt></i></td></tr></table><p>
2661 </p><p>
2662 Versions of Samba prior to 1.9.17 had this parameter default to
2663 yes. If you have any older versions of Samba on your network it is
2664 strongly suggested you upgrade to a recent version, or at the very
2665 least set the parameter to 'no' on all these machines.
2666 </p><p>
2667 Machines with <a class="indexterm" name="id2878430"></a><i class="parameter"><tt>wins support</tt></i> = yes will keep a list of
2668 all NetBIOS names registered with them, acting as a DNS for NetBIOS names.
2669 </p><p>
2670 You should set up only ONE WINS server. Do NOT set the
2671 <a class="indexterm" name="id2878452"></a><i class="parameter"><tt>wins support</tt></i> = yes option on more than one Samba
2672 server.
2673 </p><p>
2674 To set up a Windows NT Server as a WINS server you need to set up
2675 the WINS service - see your NT documentation for details. Note that
2676 Windows NT WINS Servers can replicate to each other, allowing more
2677 than one to be set up in a complex subnet environment. As Microsoft
2678 refuses to document these replication protocols, Samba cannot currently
2679 participate in these replications. It is possible in the future that
2680 a Samba-&gt;Samba WINS replication protocol may be defined, in which
2681 case more than one Samba machine could be set up as a WINS server
2682 but currently only one Samba server should have the
2683 <a class="indexterm" name="id2878487"></a><i class="parameter"><tt>wins support</tt></i> = yes parameter set.
2684 </p><p>
2685 After the WINS server has been configured you must ensure that all
2686 machines participating on the network are configured with the address
2687 of this WINS server. If your WINS server is a Samba machine, fill in
2688 the Samba machine IP address in the <span class="guilabel">Primary WINS Server</span> field of
2689 the <span class="guilabel">Control Panel-&gt;Network-&gt;Protocols-&gt;TCP-&gt;WINS Server</span> dialogs
2690 in Windows 95 or Windows NT. To tell a Samba server the IP address
2691 of the WINS server add the following line to the <i class="parameter"><tt>[global]</tt></i> section of
2692 all <tt class="filename">smb.conf</tt> files :
2693 </p><p>
2694 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>wins server = &lt;name or IP address&gt;</tt></i></td></tr></table><p>
2695 </p><p>
2696 where &lt;name or IP address&gt; is either the DNS name of the WINS server
2697 machine or its IP address.
2698 </p><p>
2699 Note that this line MUST NOT BE SET in the <tt class="filename">smb.conf</tt> file of the Samba
2700 server acting as the WINS server itself. If you set both the
2701 <a class="indexterm" name="id2878585"></a><i class="parameter"><tt>wins support</tt></i> = yes option and the
2702 <a class="indexterm" name="id2878600"></a><i class="parameter"><tt>wins server</tt></i> = &lt;name&gt; option then
2703 nmbd will fail to start.
2704 </p><p>
2705 There are two possible scenarios for setting up cross subnet browsing.
2706 The first details setting up cross subnet browsing on a network containing
2707 Windows 95, Samba and Windows NT machines that are not configured as
2708 part of a Windows NT Domain. The second details setting up cross subnet
2709 browsing on networks that contain NT Domains.
2710 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2878627"></a>WINS Replication</h3></div></div><div></div></div><p>
2711 Samba-3 permits WINS replication through the use of the <tt class="filename">wrepld</tt> utility.
2712 This tool is not currently capable of being used as it is still in active development.
2713 As soon as this tool becomes moderately functional we will prepare man pages and enhance this
2714 section of the documentation to provide usage and technical details.
2715 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2878652"></a>Static WINS Entries</h3></div></div><div></div></div><p>
2716 Adding static entries to your Samba WINS server is actually fairly easy.
2717 All you have to do is add a line to <tt class="filename">wins.dat</tt>, typically
2718 located in <tt class="filename">/usr/local/samba/var/locks</tt>. Stop <span class="application">nmbd</span> before editing the file: nmbd only reads <tt class="filename">wins.dat</tt> at startup and rewrites it periodically and on shutdown, so edits made while it is running are lost.
2719 </p><p>
2720 Entries in <tt class="filename">wins.dat</tt> take the form of
2722 </p><pre class="programlisting">
2723 "NAME#TYPE" TTL ADDRESS+ FLAGS
2724 </pre><p>
2726 where NAME is the NetBIOS name, TYPE is the NetBIOS name_type in hex, TTL is the
2727 time-to-live, written as the absolute UNIX time in seconds at which the entry expires, ADDRESS+ is one or more
2728 addresses corresponding to the registration and FLAGS are the NetBIOS
2729 flags for the registration.
2730 </p><p>
2731 A typical dynamic entry looks like:
2732 </p><pre class="programlisting">
2733 "MADMAN#03" 1055298378 192.168.1.2 66R
2734 </pre><p>
2736 To make it static, all that has to be done is set the TTL to 0:
2738 </p><pre class="programlisting">
2739 "MADMAN#03" 0 192.168.1.2 66R
2740 </pre><p>
2741 </p><p>
2742 Though this method works with early Samba-3 versions, there's a
2743 possibility that it may change in future versions if WINS replication
2744 is added.
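</p><p>
An added example (not code from this HOWTO or from the Samba project) that parses <tt class="filename">wins.dat</tt> entries of the form shown above and rewrites chosen registrations as static ones by setting their TTL to 0. The sample file contents are constructed for the demonstration (the VERSION header line and the 64R flag values are assumptions); that lines which do not match the entry format are passed through unchanged is the example's own assumption about the file, not a rule from the text.
</p>
```python
# Added example: read wins.dat entries of the form
#     "NAME#TYPE" TTL ADDRESS+ FLAGS
# and rewrite selected registrations as static ones (TTL 0). Not Samba code.
import ipaddress
import re

ENTRY_RE = re.compile(r'^"([^"#]{1,15})#([0-9A-Fa-f]{2})"\s+(\d+)\s+(\S.*)$')

# Constructed sample modelled on the dynamic entry quoted in the text; the
# VERSION header and the 64R flag values are assumptions, not from the text.
SAMPLE_WINS_DAT = """VERSION 1 0
"MADMAN#00" 1055298378 192.168.1.2 64R
"MADMAN#03" 1055298378 192.168.1.2 66R
"MADMAN#20" 1055298378 192.168.1.2 64R
"""


class WinsEntry:
    def __init__(self, name, name_type, ttl, addresses, flags):
        self.name = name              # NetBIOS name without padding
        self.name_type = name_type    # name_type as an integer (0x03, 0x20, ...)
        self.ttl = ttl                # absolute expiry time in seconds; 0 = static
        self.addresses = addresses    # one or more IPv4 addresses
        self.flags = flags            # NetBIOS flags, kept verbatim

    @property
    def is_static(self):
        return self.ttl == 0

    def as_static(self):
        return WinsEntry(self.name, self.name_type, 0, list(self.addresses), self.flags)

    def format(self):
        return '"%s#%02x" %d %s %s' % (self.name, self.name_type, self.ttl,
                                       " ".join(self.addresses), self.flags)


def parse_entry(line):
    """Return a WinsEntry for a registration line, None for any other line,
    and raise ValueError for an entry whose addresses are malformed."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    fields = m.group(4).split()
    addresses, flags = fields[:-1], fields[-1]
    if not addresses:
        raise ValueError("entry without an address: %r" % line)
    for addr in addresses:
        ipaddress.IPv4Address(addr)  # AddressValueError is a ValueError
    return WinsEntry(m.group(1), int(m.group(2), 16), int(m.group(3)), addresses, flags)


def make_static(text, wanted):
    """Return the wins.dat text with every (NAME, type) pair in `wanted` made
    static. Lines that are not entries are copied through unchanged (an
    assumption about the file, not a rule from the text)."""
    out = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and (entry.name, entry.name_type) in wanted:
            line = entry.as_static().format()
        out.append(line)
    return "\n".join(out) + "\n"


def static_entries(text):
    """(NAME, type) pairs already pinned in the file."""
    return {(e.name, e.name_type) for e in map(parse_entry, text.splitlines())
            if e is not None and e.is_static}


if __name__ == "__main__":
    print(make_static(SAMPLE_WINS_DAT, {("MADMAN", 0x03), ("MADMAN", 0x20)}), end="")
```
<p>
Run it against a copy of the real file while <span class="application">nmbd</span> is stopped, then install the result and restart nmbd; a malformed address in an entry raises rather than being written back.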
2745 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2878737"></a>Helpful Hints</h2></div></div><div></div></div><p>
2746 The following hints should be carefully considered as they are stumbling points
2747 for many new network administrators.
2748 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2878750"></a>Windows Networking Protocols</h3></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
2749 Do NOT use more than one (1) protocol on MS Windows machines
2750 </p></div><p>
2751 A very common cause of browsing problems results from installing more than
2752 one protocol on an MS Windows machine.
2753 </p><p>
2754 Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
2755 every 15 minutes. A set of election criteria is used to determine the order
2756 of precedence for winning this election process. A machine running Samba or
2757 Windows NT will be biased so that the most suitable machine will predictably
2758 win and thus retain its role.
2759 </p><p>
2760 The election process is "fought out" so to speak over every NetBIOS network
2761 interface. In the case of a Windows 9x machine that has both TCP/IP and IPX
2762 installed and has NetBIOS enabled over both protocols the election will be
2763 decided over both protocols. As often happens, if the Windows 9x machine is
2764 the only one with both protocols then the LMB may be won on the NetBIOS
2765 interface over the IPX protocol. Samba will then lose the LMB role as Windows
2766 9x will insist it knows who the LMB is. Samba will then cease to function
2767 as an LMB and thus browse list operation on all TCP/IP only machines will
2768 fail.
2769 </p><p><span class="emphasis"><em>
2770 Windows 95, 98, 98se, Me are referred to generically as Windows 9x.
2771 Windows NT4, 2000, XP and 2003 use common protocols. These are roughly
2772 referred to as the WinNT family, but it should be recognised that 2000 and
2773 XP/2003 introduce new protocol extensions that cause them to behave
2774 differently from MS Windows NT4. Generally, where a server does NOT support
2775 the newer or extended protocol, these will fall back to the NT4 protocols.
2776 </em></span></p><p>
2777 The safest rule of all to follow is this: USE ONLY ONE PROTOCOL!
2778 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2878822"></a>Name Resolution Order</h3></div></div><div></div></div><p>
2779 Resolution of NetBIOS names to IP addresses can take place using a number
2780 of methods. The only ones that can provide NetBIOS name_type information
2781 are:
2782 </p><div class="itemizedlist"><ul type="disc"><li><p>WINS: the best tool!</p></li><li><p>LMHOSTS: is static and hard to maintain.</p></li><li><p>Broadcast: uses UDP and can not resolve names across remote segments.</p></li></ul></div><p>
2783 Alternative means of name resolution include:
2784 </p><div class="itemizedlist"><ul type="disc"><li><p><tt class="filename">/etc/hosts</tt>: is static, hard to maintain, and lacks name_type info</p></li><li><p>DNS: is a good choice but lacks essential name_type info.</p></li></ul></div><p>
2785 Many sites want to restrict DNS lookups and want to avoid broadcast name
2786 resolution traffic. The <i class="parameter"><tt>name resolve order</tt></i> parameter is of great help here.
2787 The syntax of the <i class="parameter"><tt>name resolve order</tt></i> parameter is:
2788 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>name resolve order = wins lmhosts bcast host</tt></i></td></tr></table><p>
2789 <span class="emphasis"><em>or</em></span>, to eliminate bcast and host entirely,
2790 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>name resolve order = wins lmhosts</tt></i></td></tr></table><p>
2791 The default in Samba-3 is:
2792 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>name resolve order = lmhosts host wins bcast</tt></i></td></tr></table><p>
2793 where "host" refers to the native methods used by the UNIX system
2794 to implement the gethostbyname() function call. This is normally
2795 controlled by <tt class="filename">/etc/host.conf</tt>, <tt class="filename">/etc/nsswitch.conf</tt> and <tt class="filename">/etc/resolv.conf</tt>. Check the default compiled into your release with <b class="command">testparm</b> -v. A method that is not listed is never tried, so a <i class="parameter"><tt>wins server</tt></i> setting is not consulted for name lookups if "wins" is left out.
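</p><p>
To catch the configuration mistakes this chapter warns about before <span class="application">nmbd</span> does, here is an added example (not code from this HOWTO or from the Samba project) that reads the <i class="parameter"><tt>[global]</tt></i> section of an <tt class="filename">smb.conf</tt> and checks the browser-role combinations of Examples 10.1 to 10.5, the <i class="parameter"><tt>wins support</tt></i>/<i class="parameter"><tt>wins server</tt></i> conflict, the <i class="parameter"><tt>remote announce</tt></i> and <i class="parameter"><tt>remote browse sync</tt></i> syntax, and the <i class="parameter"><tt>name resolve order</tt></i> methods. The configuration inside it is a constructed sample and the workgroup name MIDEARTH is hypothetical; the parser is deliberately minimal and does not know parameter synonyms or <i class="parameter"><tt>include</tt></i>.
</p>
```python
# Added example: a lint for the browsing and WINS settings of an smb.conf
# [global] section, checking the rules stated in this chapter. Not Samba code.
import ipaddress

RESOLVE_METHODS = ("lmhosts", "host", "wins", "bcast")

# Constructed sample that breaks several rules at once; MIDEARTH is hypothetical.
BAD_CONF = """
[global]
    workgroup = MIDEARTH
    domain master = yes
    local master = no
    os level = 300
    wins support = yes
    wins server = 192.168.1.1
    name resolve order = lmhosts host bcast
    remote announce = 192.168.2.255/OTHERGROUP 10.0.0
    remote browse sync = 192.168.2.10
"""


def parse_smb_conf(text):
    """Minimal reader: [section] headers, 'key = value' lines, '#'/';' comments.
    Keys are lower-cased with whitespace collapsed; synonyms and 'include'
    are not handled (an assumption of this example)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def as_bool(value, default=False):
    """The smb.conf boolean spellings; anything else is a configuration error."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError("not a boolean: %r" % value)


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def lint_global(text):
    """Return a list of (severity, message) findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    out = []
    wins_support, wins_server = as_bool(g.get("wins support")), g.get("wins server")
    domain_master = as_bool(g.get("domain master"))
    local_master = as_bool(g.get("local master"), default=True)
    pref = g.get("preferred master", "auto")  # Samba-3 default 'auto' follows domain master
    preferred = domain_master if pref.lower() == "auto" else as_bool(pref)
    workgroup = g.get("workgroup", "WORKGROUP").upper()
    # A WINS server must never point at a WINS server, not even itself: nmbd aborts.
    if wins_support and wins_server:
        out.append(("error", "wins support = yes and wins server both set; nmbd will refuse to start"))
    # The DMB must also be the LMB on its own subnet, and should force an election.
    if domain_master and not local_master:
        out.append(("warning", "domain master = yes needs local master = yes to take effect"))
    if domain_master and not preferred:
        out.append(("warning", "domain master = yes without preferred master = yes"))
    level = g.get("os level")
    if level is not None and not (level.isdigit() and int(level) <= 255):
        out.append(("error", "os level must be an integer from 0 to 255, got %r" % level))
    # Only four methods exist, and a method that is not listed is never tried.
    order = g.get("name resolve order")
    if order is not None:
        methods = order.lower().split()
        out.extend(("error", "unknown name resolve order method %r" % m)
                   for m in methods if m not in RESOLVE_METHODS)
        if wins_server and "wins" not in methods:
            out.append(("warning", "wins server is set but 'wins' is not in name resolve order"))
    # remote announce = a.b.c.d[/WORKGROUP] ...: announcing under a foreign workgroup
    # name makes our machines look like members of that workgroup.
    for item in g.get("remote announce", "").split():
        addr, _, wg = item.partition("/")
        if not is_ipv4(addr):
            out.append(("error", "remote announce target %r is not an IPv4 address" % addr))
        elif wg and wg.upper() != workgroup:
            out.append(("warning", "remote announce to %s uses foreign workgroup %s" % (addr, wg.upper())))
    # remote browse sync only works when this server is itself the LMB.
    sync = g.get("remote browse sync", "").split()
    out.extend(("error", "remote browse sync target %r is not an IPv4 address" % a)
               for a in sync if not is_ipv4(a))
    if sync and not local_master:
        out.append(("warning", "remote browse sync is set but local master = no"))
    return out
```
<p>
The sample produces three errors (both WINS parameters set, an out-of-range <i class="parameter"><tt>os level</tt></i>, a malformed <i class="parameter"><tt>remote announce</tt></i> address) and four warnings; the configurations of Examples 10.1 to 10.5 pass clean. It complements rather than replaces <b class="command">testparm</b>, which checks syntax and parameter names but not these cross-parameter rules.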
2796 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2878986"></a>Technical Overview of browsing</h2></div></div><div></div></div><p>
2797 SMB networking provides a mechanism by which clients can access a list
2798 of machines in a network, a so-called <a class="indexterm" name="id2878999"></a><i class="parameter"><tt>browse list</tt></i>. This list
2799 contains machines that are ready to offer file and/or print services
2800 to other machines within the network. Thus it does not include
2801 machines which aren't currently able to do server tasks. The browse
2802 list is heavily used by all SMB clients. Configuration of SMB
2803 browsing has been problematic for some Samba users, hence this
2804 document.
2805 </p><p>
2806 MS Windows 2000 and later, as with Samba 3 and later, can be
2807 configured to not use NetBIOS over TCP/IP. When configured this way,
2808 it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
2809 configured and operative. Browsing will NOT work if name resolution
2810 from SMB machine names to IP addresses does not function correctly.
2811 </p><p>
2812 Where NetBIOS over TCP/IP is enabled use of a WINS server is highly
2813 recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
2814 WINS allows remote segment clients to obtain NetBIOS name_type information
2815 that can NOT be provided by any other means of name resolution.
2816 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2879046"></a>Browsing support in Samba</h3></div></div><div></div></div><p>
2817 Samba facilitates browsing. The browsing is supported by <span class="application">nmbd</span>
2818 and is also controlled by options in the <tt class="filename">smb.conf</tt> file.
2819 Samba can act as a local browse master for a workgroup and the ability
2820 to support domain logons and scripts is now available.
2821 </p><p>
2822 Samba can also act as a domain master browser for a workgroup. This
2823 means that it will collate lists from local browse masters into a
2824 wide area network server list. In order for browse clients to
2825 resolve the names they may find in this list, it is recommended that
2826 both Samba and your clients use a WINS server.
2827 </p><p>
2828 Note that you should NOT set Samba to be the domain master for a
2829 workgroup that has the same name as an NT Domain: on each wide area
2830 network, you must only ever have one domain master browser per workgroup,
2831 regardless of whether it is NT, Samba or any other type of domain master
2832 that is providing this service.
2833 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
2834 Nmbd can be configured as a WINS server, but it is not
2835 necessary to specifically use Samba as your WINS server. MS Windows
2836 NT4, Server or Advanced Server 2000 or 2003 can be configured as
2837 your WINS server. In a mixed NT/2000/2003 server and Samba environment on
2838 a Wide Area Network, it is recommended that you use the Microsoft
2839 WINS server capabilities. In a Samba-only environment, it is
2840 recommended that you use one and only one Samba server as your WINS server.
2841 </p></div><p>
2842 To get browsing to work you need to run nmbd as usual, but will need
2843 to use the <a class="indexterm" name="id2879114"></a><i class="parameter"><tt>workgroup</tt></i> option in <tt class="filename">smb.conf</tt>
2844 to control what workgroup Samba becomes a part of.
2845 </p><p>
2846 Samba also has a useful option for a Samba server to offer itself for
2847 browsing on another subnet. It is recommended that this option is only
2848 used for 'unusual' purposes: announcements over the internet, for
2849 example. See <a class="indexterm" name="id2879144"></a><i class="parameter"><tt>remote announce</tt></i> in the
2850 <tt class="filename">smb.conf</tt> man page.
2851 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2879168"></a>Problem resolution</h3></div></div><div></div></div><p>
2852 If something doesn't work then hopefully the log.nmbd file will help
2853 you track down the problem. Try a debug level of 2 or 3 for finding
2854 problems. Also note that the current browse list usually gets stored
2855 in text form in a file called <tt class="filename">browse.dat</tt>.
2856 </p><p>
2857 Note that if it doesn't work for you, then you should still be able to
2858 type the server name as <tt class="filename">\\SERVER</tt> in filemanager then
2859 hit enter and filemanager should display the list of available shares.
2860 </p><p>
2861 Some people find browsing fails because they don't have the global
2862 <a class="indexterm" name="id2879209"></a><i class="parameter"><tt>guest account</tt></i> set to a valid account. Remember that the
2863 IPC$ connection that lists the shares is done as guest, and thus you must
2864 have a valid guest account.
2865 </p><p><span class="emphasis"><em>
2866 MS Windows 2000 and upwards (as with Samba) can be configured to disallow
2867 anonymous (ie: Guest account) access to the IPC$ share. In that case, the
2868 MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the
2869 name of the currently logged in user to query the IPC$ share. MS Windows
2870 9X clients are not able to do this and thus will NOT be able to browse
2871 server resources.
2872 </em></span></p><p>
2873 The other big problem people have is that their broadcast address,
2874 netmask or IP address is wrong (specified with the "interfaces" option
2875 in <tt class="filename">smb.conf</tt>).
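The settings discussed in the two sections above, collected into one smb.conf fragment. This is an added example rather than configuration shipped with Samba; the workgroup name, NetBIOS name, addresses and guest account name are assumptions. The commented-out lines show the alternative of pointing at an existing NT/200x WINS server instead of making nmbd the WINS server, and the remote announce line is left commented out because it is for unusual setups only:

```ini
[global]
   workgroup = MIDEARTH
   netbios name = FILESERVER

   ; Listen only on the LAN interface. A wrong IP address, netmask or
   ; broadcast address here is the classic reason nmbd never sees the
   ; host announcements or never wins (or even joins) an election.
   interfaces = 192.168.10.5/24
   bind interfaces only = yes

   ; Browser roles. There must be exactly one domain master browser per
   ; workgroup on the whole WAN, so set domain master = yes on one host only
   ; and never on a workgroup that has the same name as an NT domain.
   local master = yes
   preferred master = yes
   domain master = yes
   os level = 65

   ; Samba-only site: this one host is the WINS server for everyone.
   wins support = yes
   ; Mixed NT/200x site: use the Microsoft WINS server instead. Samba refuses
   ; to have both wins support = yes and wins server set at the same time.
   ; wins support = no
   ; wins server = 192.168.10.1
   name resolve order = wins lmhosts host bcast

   ; The anonymous IPC$ connection that lists the shares runs as this
   ; UNIX account, so it must exist on the system.
   guest account = nobody

   ; Announce this server to a browse master on a remote subnet (broadcast
   ; address/workgroup); only for unusual cases such as a subnet with no WINS.
   ; remote announce = 192.168.20.255/MIDEARTH
```

Run testparm on the result before restarting nmbd. Afterwards nmblookup -M - (or nmblookup -M MIDEARTH) shows which host currently holds the local master browser role, and smbclient -L FILESERVER -N exercises the anonymous IPC$ share listing that depends on the guest account being valid.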
2876 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2879254"></a>Browsing across subnets</h3></div></div><div></div></div><p>
2877 Since the release of Samba 1.9.17(alpha1), Samba has supported the
2878 replication of browse lists across subnet boundaries. This section
2879 describes how to set this feature up in different settings.
2880 </p><p>
2881 To see browse lists that span TCP/IP subnets (ie. networks separated
2882 by routers that don't pass broadcast traffic), you must set up at least
2883 one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
2884 NetBIOS name to IP address translation to be done by doing a direct
2885 query of the WINS server. This is done via a directed UDP packet on
2886 port 137 to the WINS server machine. The reason for a WINS server is
2887 that by default, all NetBIOS name to IP address translation is done
2888 by broadcasts from the querying machine. This means that machines
2889 on one subnet will not be able to resolve the names of machines on
2890 another subnet without using a WINS server.
2891 </p><p>
2892 Remember, for browsing across subnets to work correctly, all machines,
2893 be they Windows 95, Windows NT, or Samba servers must have the IP address
2894 of a WINS server given to them by a DHCP server, or by manual configuration
2895 (for Win95 and WinNT, this is in the TCP/IP Properties, under Network
2896 settings) for Samba this is in the <tt class="filename">smb.conf</tt> file.
2897 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2879303"></a>How does cross subnet browsing work ?</h4></div></div><div></div></div><p>
2898 Cross subnet browsing is a complicated dance, containing multiple
2899 moving parts. It has taken Microsoft several years to get the code
2900 that achieves this correct, and Samba lags behind in some areas.
2901 Samba is capable of cross subnet browsing when configured correctly.
2902 </p><p>
2903 Consider a network set up as <a href="#browsing1" title="Figure 10.1. Cross subnet browsing example">in the diagram below</a>.
2904 </p><div class="figure"><a name="browsing1"></a><p class="title"><b>Figure 10.1. Cross subnet browsing example</b></p><div class="mediaobject"><img src="projdoc/imagefiles/browsing1.png" width="270" alt="Cross subnet browsing example"></div></div><p>
2906 The network consists of 3 subnets (1, 2, 3) connected by two routers
2906 (R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines
2907 on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume
2908 for the moment that all these machines are configured to be in the
2909 same workgroup (for simplicity's sake). Machine N1_C on subnet 1
2910 is configured as Domain Master Browser (ie. it will collate the
2911 browse lists for the workgroup). Machine N2_D is configured as
2912 WINS server and all the other machines are configured to register
2913 their NetBIOS names with it.
2914 </p><p>
2915 As all these machines are booted up, elections for master browsers
2916 will take place on each of the three subnets. Assume that machine
2917 N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on
2918 subnet 3 - these machines are known as local master browsers for
2919 their particular subnet. N1_C has an advantage in winning as the
2920 local master browser on subnet 1 as it is set up as Domain Master
2921 Browser.
2922 </p><p>
2923 On each of the three networks, machines that are configured to
2924 offer sharing services will broadcast that they are offering
2925 these services. The local master browser on each subnet will
2926 receive these broadcasts and keep a record of the fact that
2927 the machine is offering a service. This list of records is
2928 the basis of the browse list. For this case, assume that
2929 all the machines are configured to offer services so all machines
2930 will be on the browse list.
2931 </p><p>
2932 For each network, the local master browser on that network is
2933 considered 'authoritative' for all the names it receives via
2934 local broadcast. This is because a machine seen by the local
2935 master browser via a local broadcast must be on the same
2936 network as the local master browser and thus is a 'trusted'
2937 and 'verifiable' resource. Machines on other networks that
2938 the local master browsers learn about when collating their
2939 browse lists have not been directly seen - these records are
2940 called 'non-authoritative'.
2941 </p><p>
2942 At this point the browse lists look as follows (these are
2943 the machines you would see in your network neighborhood if
2944 you looked in it on a particular network right now).
2945 </p><p>
2946 </p><div class="table"><a name="id2879437"></a><p class="title"><b>Table 10.1. Browse subnet example 1</b></p><table summary="Browse subnet example 1" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p>
2947 </p><p>
2948 Note that at this point all the subnets are separate, no
2949 machine is seen across any of the subnets.
2950 </p><p>
2951 Now examine subnet 2. As soon as N2_B has become the local
2952 master browser it looks for a Domain master browser to synchronize
2953 its browse list with. It does this by querying the WINS server
2954 (N2_D) for the IP address associated with the NetBIOS name
2955 WORKGROUP&lt;1B&gt;. This name was registered by the Domain master
2956 browser (N1_C) with the WINS server as soon as it was booted.
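The "directed UDP packet on port 137" described at the start of this section, and the WINS lookup of WORKGROUP&lt;1B&gt; that N2_B performs here, are both the NetBIOS Name Service NAME QUERY of RFC 1001/1002. The following added example (not Samba code) shows the wire encoding of that query so the exchange can be recognised in a packet capture: the 32-character "half-ASCII" name, the suffix byte that distinguishes &lt;1B&gt; from &lt;1D&gt; and &lt;00&gt;, and the B flag that separates a subnet broadcast from the unicast query sent to a WINS server. The workgroup name is an assumption and nothing is transmitted.

```python
import os
import struct

# Added example, not Samba code: build and decode the NetBIOS Name Service
# (NBNS, RFC 1001/1002) NAME QUERY that a browser or WINS client sends as a
# directed UDP/137 datagram to a WINS server, e.g. for WORKGROUP<1B> to find
# the domain master browser. Only the wire encoding is shown; nothing is sent.

NB_SUFFIX_WORKSTATION = 0x00     # <00>: workstation service
NB_SUFFIX_DOMAIN_MASTER = 0x1B   # <1B>: domain master browser, registered with WINS
NB_SUFFIX_LOCAL_MASTER = 0x1D    # <1D>: local master browser, broadcast scope only

QTYPE_NB = 0x0020
QCLASS_IN = 0x0001


def encode_netbios_name(name, suffix):
    """First-level encode NAME<suffix> into the 32-byte "half-ASCII" form.

    The name is upper-cased and space padded to 15 bytes; byte 16 is the
    suffix that separates the service types sharing one name. The wildcard
    name "*" is null padded, which is how the NBSTAT query uses it.
    """
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    pad = b"\x00" if raw == b"*" else b" "
    raw = raw.ljust(15, pad) + bytes([suffix & 0xFF])
    out = bytearray()
    for b in raw:                      # each nibble becomes a letter 'A'..'P'
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a 32-byte first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_name_query(name, suffix, broadcast=False, txid=None):
    """Build an NBNS NAME QUERY REQUEST for NAME<suffix>.

    Header flags: opcode 0 (query) with RD set. The B bit is set only for the
    subnet-local broadcast form; a WINS lookup is unicast with B clear, which
    is the directed UDP/137 packet the text describes.
    """
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    question += struct.pack(">HH", QTYPE_NB, QCLASS_IN)
    return header + question


def parse_name_query(packet):
    """Return (txid, is_broadcast, name, suffix) from a NAME QUERY REQUEST."""
    if len(packet) < 50:
        raise ValueError("packet too short for an NBNS name query")
    txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if (flags >> 11) & 0x0F != 0 or qdcount != 1:
        raise ValueError("not a name query with a single question")
    if packet[12] != 0x20 or packet[45] != 0x00:
        raise ValueError("malformed question name")
    name, suffix = decode_netbios_name(packet[13:45])
    return txid, bool(flags & 0x0010), name, suffix


if __name__ == "__main__":
    pkt = build_name_query("WORKGROUP", NB_SUFFIX_DOMAIN_MASTER, txid=0x1234)
    print(pkt.hex())
    print(parse_name_query(pkt))
```

A WINS server answers the unicast form with the registered IP address of the domain master browser; the &lt;1D&gt; local master browser name is never registered with WINS, so the query for it only makes sense in the broadcast form on the local subnet.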
2957 </p><p>
2958 Once N2_B knows the address of the Domain master browser it
2959 tells it that is the local master browser for subnet 2 by
2960 sending a MasterAnnouncement packet as a UDP port 138 packet.
2961 It then synchronizes with it by doing a NetServerEnum2 call. This
2962 tells the Domain Master Browser to send it all the server
2963 names it knows about. Once the domain master browser receives
2964 the MasterAnnouncement packet it schedules a synchronization
2965 request to the sender of that packet. After both synchronizations
2966 are done the browse lists look like :
2967 </p><p>
2968 </p><div class="table"><a name="id2879550"></a><p class="title"><b>Table 10.2. Browse subnet example 2</b></p><table summary="Browse subnet example 2" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E,
2969 N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*),
2970 N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p>
2972 Servers with a (*) after them are non-authoritative names.
2973 </p><p>
2974 At this point users looking in their network neighborhood on
2975 subnets 1 or 2 will see all the servers on both, users on
2976 subnet 3 will still only see the servers on their own subnet.
2977 </p><p>
2978 The same sequence of events that occurred for N2_B now occurs
2979 for the local master browser on subnet 3 (N3_D). When it
2980 synchronizes browse lists with the domain master browser (N1_C)
2981 it gets both the server entries on subnet 1, and those on
2982 subnet 2. After N3_D has synchronized with N1_C and vice versa
2983 the browse lists look like this:
2984 </p><p>
2985 </p><div class="table"><a name="id2879662"></a><p class="title"><b>Table 10.3. Browse subnet example 3</b></p><table summary="Browse subnet example 3" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E,
2986 N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*),
2987 N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D, N1_A(*),
2988 N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><p>
2990 Servers with a (*) after them are non-authoritative names.
2991 </p><p>
2992 At this point users looking in their network neighborhood on
2993 subnets 1 or 3 will see all the servers on all subnets, users on
2994 subnet 2 will still only see the servers on subnets 1 and 2, but not 3.
2995 </p><p>
2996 Finally, the local master browser for subnet 2 (N2_B) will sync again
2997 with the domain master browser (N1_C) and will receive the missing
2998 server entries. From then on, as a steady state (if no machines
2999 are removed or shut off), the browse lists will look like :
3000 </p><p>
3001 </p><div class="table"><a name="id2879779"></a><p class="title"><b>Table 10.4. Browse subnet example 4</b></p><table summary="Browse subnet example 4" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E,
3002 N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*),
3003 N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*),
3004 N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*),
3005 N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D, N1_A(*),
3006 N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*),
3007 N2_C(*), N2_D(*)</td></tr></tbody></table></div><p>
3009 Servers with a (*) after them are non-authoritative names.
3010 </p><p>
3011 Synchronizations between the domain master browser and local
3012 master browsers will continue to occur, but this should be a
3013 steady state situation.
3014 </p><p>
3015 If either router R1 or R2 fails the following will occur:
3016 </p><div class="orderedlist"><ol type="1"><li><p>
3017 Names of computers on each side of the inaccessible network fragments
3018 will be maintained for as long as 36 minutes, in the network neighbourhood
3019 lists.
3020 </p></li><li><p>
3021 Attempts to connect to these inaccessible computers will fail, but the
3022 names will not be removed from the network neighbourhood lists.
3023 </p></li><li><p>
3024 If one of the fragments is cut off from the WINS server, it will only
3025 be able to access servers on its local subnet, by using subnet-isolated
3026 broadcast NetBIOS name resolution. The effects are similar to that of
3027 losing access to a DNS server.
3028 </p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2879936"></a>Common Errors</h2></div></div><div></div></div><p>
3029 Many questions are asked on the mailing lists regarding browsing. The majority of browsing
3030 problems originate out of incorrect configuration of NetBIOS name resolution. Some are of
3031 particular note.
3032 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2879950"></a>How can one flush the Samba NetBIOS name cache without restarting Samba?</h3></div></div><div></div></div><p>
3033 Samba's nmbd process controls all browse list handling. Under normal circumstances it is
3034 safe to restart nmbd. This will effectively flush the Samba NetBIOS name cache and cause it
3035 to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear
3036 in the browse list. When nmbd is taken out of service another machine on the network will
3037 become the browse master. This new list may still have the rogue entry in it. If you really
3038 want to clear a rogue machine from the list then every machine on the network will need to be
3039 shut down, and restarted only after all machines are down. Failing a complete restart, the only
3040 other thing you can do is wait until the entry times out and is then flushed from the list.
3041 This may take a long time on some networks (months).
3042 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2879979"></a>My client reports "This server is not configured to list shared resources"</h3></div></div><div></div></div><p>
3043 Your guest account is probably invalid for some reason. Samba uses the
3044 guest account for browsing in smbd. Check that your guest account is
3045 valid.
3046 </p><p>See also <a class="indexterm" name="id2879997"></a><i class="parameter"><tt>guest account</tt></i> in the <tt class="filename">smb.conf</tt> man page.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2880021"></a>I get an <span class="errorname">Unable to browse the network</span> error</h3></div></div><div></div></div><p>This error can have multiple causes:</p><div class="itemizedlist"><ul type="disc"><li><p>There is no local master browser. Configure <span class="application">nmbd</span>
3047 or any other machine to serve as local master browser.</p></li><li><p>You can not log onto the machine that is the local master
3048 browser. Can you logon to it as guest user? </p></li><li><p>There is no IP connectivity to the local master browser.
3049 Can you reach it by broadcast?</p></li></ul></div></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="passdb"></a>Chapter 11. Account Information Databases</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Olivier (lem)</span> <span class="surname">Lemaire</span></h3><div class="affiliation"><span class="orgname">IDEALX<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:olem@IDEALX.org">olem@IDEALX.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 24, 
2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2880302">Features and Benefits</a></dt><dd><dl><dt><a href="#id2880315">Backwards Compatibility Backends</a></dt><dt><a href="#id2880417">New Backends</a></dt></dl></dd><dt><a href="#id2880590">Technical Information</a></dt><dd><dl><dt><a href="#id2880717">Important Notes About Security</a></dt><dt><a href="#id2880966">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt><a href="#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt></dl></dd><dt><a href="#acctmgmttools">Account Management Tools</a></dt><dd><dl><dt><a href="#id2881151">The smbpasswd Command</a></dt><dt><a href="#id2881423">The pdbedit Command</a></dt></dl></dd><dt><a href="#id2881676">Password Backends</a></dt><dd><dl><dt><a href="#id2881717">Plain Text</a></dt><dt><a href="#id2881758">smbpasswd - Encrypted Password Database</a></dt><dt><a href="#id2881871">tdbsam</a></dt><dt><a href="#id2881898">ldapsam</a></dt><dt><a href="#id2883727">MySQL</a></dt><dt><a href="#XMLpassdb">XML</a></dt></dl></dd><dt><a href="#id2884575">Common Errors</a></dt><dd><dl><dt><a href="#id2884582">Users can not logon</a></dt><dt><a href="#id2884627">Users being added to wrong backend database</a></dt><dt><a href="#id2884738">auth methods does not work</a></dt></dl></dd></dl></div><p>
3050 Samba 3 implements a new capability to work concurrently with multiple account backends.
3051 The possible new combinations of password backends allows Samba 3 a degree of flexibility
3052 and scalability that previously could be achieved only with MS Windows Active Directory.
3053 This chapter describes the new functionality and how to get the most out of it.
3054 </p><p>
3055 In the course of development of Samba-3, a number of requests were received to provide the
3056 ability to migrate MS Windows NT4 SAM accounts to Samba-3 without the need to provide
3057 matching UNIX/Linux accounts. We called this the <span class="emphasis"><em>Non UNIX Accounts (NUA)</em></span>
3058 capability. The intent was that an administrator could decide to use the <span class="emphasis"><em>tdbsam</em></span>
3059 backend and by simply specifying <a class="indexterm" name="id2880269"></a><i class="parameter"><tt>passdb backend</tt></i> = tdbsam_nua
3060 this would allow Samba-3 to implement a solution that did not use UNIX accounts per se. Late
3061 in the development cycle, the team doing this work hit upon some obstacles that prevent this
3062 solution from being used. Given the delays with the Samba-3 release a decision was made to NOT
3063 deliver this functionality until a better method of recognising NT Group SIDs from NT User
3064 SIDs could be found. This feature may thus return during the life cycle for the Samba-3 series.
3065 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
3066 Samba-3 does NOT support Non-UNIX Account (NUA) operation for user accounts.
3067 Samba-3 does support NUA operation for machine accounts.
3068 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2880302"></a>Features and Benefits</h2></div></div><div></div></div><p>
3069 Samba-3 provides for complete backwards compatibility with Samba-2.2.x functionality
3070 as follows:
3071 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2880315"></a>Backwards Compatibility Backends</h3></div></div><div></div></div><div class="variablelist"><dl><dt><span class="term">Plain Text:</span></dt><dd><p>
3072 This option uses nothing but the UNIX/Linux <tt class="filename">/etc/passwd</tt>
3073 style back end. On systems that have PAM (Pluggable Authentication Modules)
3074 support all PAM modules are supported. The behaviour is just as it was with
3075 Samba-2.2.x, and the protocol limitations imposed by MS Windows clients
3076 apply likewise.
3077 </p></dd><dt><span class="term">smbpasswd:</span></dt><dd><p>
3078 This option allows continued use of the <tt class="filename">smbpasswd</tt>
3079 file that maintains a plain ASCII (text) layout that includes the MS Windows
3080 LanMan and NT encrypted passwords as well as a field that stores some
3081 account information. This form of password backend does NOT store any of
3082 the MS Windows NT/200x SAM (Security Account Manager) information needed to
3083 provide the extended controls that are needed for more comprehensive
3084 interoperation with MS Windows NT4 / 200x servers.
3085 </p><p>
3086 This backend should be used only for backwards compatibility with older
3087 versions of Samba. It may be deprecated in future releases.
3088 </p></dd><dt><span class="term">ldapsam_compat (Samba-2.2 LDAP Compatibility):</span></dt><dd><p>
3089 There is a password backend option that allows continued operation with
3090 an existing OpenLDAP backend that uses the Samba-2.2.x LDAP schema extension.
3091 This option is provided primarily as a migration tool, although there is
3092 no reason to force migration at this time. Note that this tool will eventually
3093 be deprecated.
3094 </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2880417"></a>New Backends</h3></div></div><div></div></div><p>
3095 Samba-3 introduces the following new password backend capabilities:
3096 </p><div class="variablelist"><dl><dt><span class="term">tdbsam:</span></dt><dd><p>
3097 This backend provides a rich database backend for local servers. This
3098 backend is NOT suitable for multiple domain controller (ie: PDC + one
3099 or more BDC) installations.
3100 </p><p>
3101 The <span class="emphasis"><em>tdbsam</em></span> password backend stores the old <span class="emphasis"><em>
3102 smbpasswd</em></span> information PLUS the extended MS Windows NT / 200x
3103 SAM information into a binary format TDB (trivial database) file.
3104 The inclusion of the extended information makes it possible for Samba-3
3105 to implement the same account and system access controls that are possible
3106 with MS Windows NT4 and MS Windows 200x based systems.
3107 </p><p>
3108 The inclusion of the <span class="emphasis"><em>tdbsam</em></span> capability is a direct
3109 response to user requests to allow simple site operation without the overhead
3110 of the complexities of running OpenLDAP. It is recommended to use this only
3111 for sites that have fewer than 250 users. For larger sites or implementations
3112 the use of OpenLDAP or of Active Directory integration is strongly recommended.
3113 </p></dd><dt><span class="term">ldapsam:</span></dt><dd><p>
3114 This provides a rich directory backend for distributed account installation.
3115 </p><p>
3116 Samba-3 has a new and extended LDAP implementation that requires configuration
3117 of OpenLDAP with a new format samba schema. The new format schema file is
3118 included in the <tt class="filename">examples/LDAP</tt> directory of the Samba distribution.
3119 </p><p>
3120 The new LDAP implementation significantly expands the control abilities that
3121 were possible with prior versions of Samba. It is now possible to specify
3122 "per user" profile settings, home directories, account access controls, and
3123 much more. Corporate sites will see that the Samba-Team has listened to their
3124 requests both for capability and to allow greater scalability.
3125 </p></dd><dt><span class="term">mysqlsam (MySQL based backend):</span></dt><dd><p>
3126 It is expected that the MySQL based SAM will be very popular in some corners.
3127 This database backend will be of considerable interest to sites that want to
3128 leverage existing MySQL technology.
3129 </p></dd><dt><span class="term">xmlsam (XML based datafile):</span></dt><dd><p>
3130 Allows the account and password data to be stored in an XML format
3131 data file. This backend can not be used for normal operation, it can only
3132 be used in conjunction with <b class="command">pdbedit</b>'s pdb2pdb
3133 functionality. The DTD that is used might be subject to changes in the future.
3134 </p><p>
3135 The xmlsam option can be useful for account migration between database
3136 backends or backups. Use of this tool will allow the data to be edited before migration
3137 into another backend format.
3138 </p></dd></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2880590"></a>Technical Information</h2></div></div><div></div></div><p>
3139 Old windows clients send plain text passwords over the wire. Samba can check these
3140 passwords by crypting them and comparing them to the hash stored in the unix user database.
3141 </p><p>
3142 Newer windows clients send encrypted passwords (so-called Lanman and NT hashes) over
3143 the wire, instead of plain text passwords. The newest clients will send only encrypted
3144 passwords and refuse to send plain text passwords, unless their registry is tweaked.
3145 </p><p>
3146 These passwords can't be converted to unix style encrypted passwords. Because of that,
3147 you can't use the standard unix user database, and you have to store the Lanman and NT
3148 hashes somewhere else.
3149 </p><p>
3150 In addition to differently encrypted passwords, windows also stores certain data for each
3151 user that is not stored in a unix user database. e.g: workstations the user may logon from,
3152 the location where the users' profile is stored, and so on. Samba retrieves and stores this
3153 information using a <a class="indexterm" name="id2880630"></a><i class="parameter"><tt>passdb backend</tt></i>. Commonly available backends are LDAP, plain text
3154 file, MySQL and nisplus. For more information, see the man page for <tt class="filename">smb.conf</tt> regarding the
3155 <a class="indexterm" name="id2880654"></a><i class="parameter"><tt>passdb backend</tt></i> parameter.
3156 </p><div class="figure"><a name="idmap-diag"></a><p class="title"><b>Figure 11.1. IDMAP</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap.png" width="270" alt="IDMAP"></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2880717"></a>Important Notes About Security</h3></div></div><div></div></div><p>
3157 The unix and SMB password encryption techniques seem similar on the surface. This
3158 similarity is, however, only skin deep. The unix scheme typically sends clear text
3159 passwords over the network when logging in. This is bad. The SMB encryption scheme
3160 never sends the cleartext password over the network but it does store the 16 byte
3161 hashed values on disk. This is also bad. Why? Because the 16 byte hashed values
3162 are a "password equivalent". You cannot derive the user's password from them, but
3163 because the challenge/response exchange is computed from the hash and not from the password,
3164 they could be used in a modified client to gain access to a server. This requires some
3165 technical knowledge on behalf of the attacker but is perfectly possible. You should thus treat the data stored in whatever passdb
3166 backend you use (smbpasswd file, ldap, mysql) as though it contained the cleartext
3167 passwords of all your users. Its contents must be kept secret, and the file should
3168 be protected accordingly.
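The smbpasswd backend described under "Backwards Compatibility Backends" stores exactly the password-equivalent values this note is about, one account per line. The following added example (not Samba's own code) parses that text layout and reports the entries an administrator would want to know about before treating the file as protected: enabled accounts with no password, accounts still carrying a LanMan hash, and stale passwords. The sample file is constructed inline with arbitrary hex values, not real credentials.

```python
import time
from dataclasses import dataclass

# Added example, not Samba's own code: parse the smbpasswd text backend and
# flag entries worth a second look. One account per line, colon separated:
#   username:uid:LM_HASH:NT_HASH:[account flags]:LCT-<hex epoch seconds>:
# Each hash field is 32 characters. Samba writes 32 'X's when a hash is not
# stored (e.g. no LanMan hash) and "NO PASSWORD" padded with 'X' for an empty
# password. Flag letters: U user, W workstation trust, D disabled, N no password.

NO_HASH = "X" * 32
NO_PASSWORD_PREFIX = "NO PASSWORD"
NO_PASSWORD = (NO_PASSWORD_PREFIX + "X" * 32)[:32]

# Constructed sample file; the hashes are arbitrary hex, not real credentials.
SAMPLE_SMBPASSWD = f"""\
# constructed sample entries
alice:1001:{NO_HASH}:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-3F0A1B2C:
bob:1002:A1B2C3D4E5F60718293A4B5C6D7E8F90:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3F0A1B2C:
guest:1003:{NO_PASSWORD}:{NO_PASSWORD}:[NU         ]:LCT-00000000:
carol:1004:{NO_HASH}:00112233445566778899AABBCCDDEEFF:[DU         ]:LCT-3F0A1B2C:
ws1$:1005:{NO_HASH}:1122334455667788990011223344AABB:[W          ]:LCT-3F0A1B2C:
"""


@dataclass
class SmbAccount:
    user: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: str
    last_change: int  # epoch seconds from the LCT field, 0 if absent

    @property
    def disabled(self):
        return "D" in self.flags

    @property
    def workstation(self):
        return "W" in self.flags

    @property
    def no_password(self):
        return "N" in self.flags or self.nt_hash.startswith(NO_PASSWORD_PREFIX)

    @property
    def has_lm_hash(self):
        return self.lm_hash != NO_HASH and not self.lm_hash.startswith(NO_PASSWORD_PREFIX)


def parse_smbpasswd(text):
    """Parse smbpasswd file contents into SmbAccount records."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 colon-separated fields")
        user, uid = fields[0], int(fields[1])
        lm, nt = fields[2].upper(), fields[3].upper()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"line {lineno}: hash fields must be 32 characters")
        flags, lct = "", 0
        for extra in fields[4:]:           # optional fields, any order
            if extra.startswith("[") and extra.endswith("]"):
                flags = extra[1:-1].replace(" ", "")
            elif extra.startswith("LCT-"):
                lct = int(extra[4:], 16)
        accounts.append(SmbAccount(user, uid, lm, nt, flags, lct))
    return accounts


def audit(accounts, now=None, max_age_days=90):
    """Return (user, finding) pairs for entries that deserve attention."""
    now = time.time() if now is None else now
    findings = []
    for a in accounts:
        if a.no_password and not a.disabled:
            findings.append((a.user, "no password set and account enabled"))
        if a.has_lm_hash and not a.workstation:
            findings.append((a.user, "LanMan hash stored (case-folded, 14-char, easily cracked)"))
        if (a.last_change and not a.workstation and not a.disabled
                and now - a.last_change > max_age_days * 86400):
            findings.append((a.user, f"password older than {max_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_smbpasswd(SAMPLE_SMBPASSWD)):
        print(f"{user}: {finding}")
```

Machine trust accounts (the $ suffix, W flag) are skipped for the LanMan and age checks because Samba changes their passwords itself and they never carry a LanMan hash. Anything this parser can read, an attacker who obtains the file can replay; the check is a complement to file permissions, not a substitute for them.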
3169 </p><p>
3170 Ideally we would like a password scheme that involves neither plain text passwords
3171 on the net nor on disk. Unfortunately this is not available as Samba is stuck with
3172 having to be compatible with other SMB systems (WinNT, WfWg, Win95 etc).
3173 </p><p>
3174 Windows NT 4.0 Service pack 3 changed the default setting so that plaintext passwords
3175 are disabled from being sent over the wire. This mandates either the use of encrypted
3176 password support or editing the Windows NT registry to re-enable plaintext passwords.
3177 </p><p>
3178 The following versions of MS Windows do not support full domain security protocols,
3179 although they may log onto a domain environment:
3180 </p><div class="itemizedlist"><ul type="disc"><li><p>MS DOS Network client 3.0 with the basic network redirector installed</p></li><li><p>Windows 95 with the network redirector update installed</p></li><li><p>Windows 98 [se]</p></li><li><p>Windows Me</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
3181 MS Windows XP Home does not have facilities to become a domain member and it can
3182 not participate in domain logons.
3183 </p></div><p>
3184 The following versions of MS Windows fully support domain security protocols.
3185 </p><div class="itemizedlist"><ul type="disc"><li><p>Windows NT 3.5x</p></li><li><p>Windows NT 4.0</p></li><li><p>Windows 2000 Professional</p></li><li><p>Windows 200x Server/Advanced Server</p></li><li><p>Windows XP Professional</p></li></ul></div><p>
3186 All current releases of Microsoft SMB/CIFS clients support authentication via the
3187 SMB Challenge/Response mechanism described here. Enabling clear text authentication
3188 does not disable the ability of the client to participate in encrypted authentication.
3189 Instead, it allows the client to negotiate either plain text _or_ encrypted password
3190 handling.
3191 </p><p>
3192 MS Windows clients will cache the encrypted password alone. Where plain text passwords
3193 are re-enabled, through the appropriate registry change, the plain text password is NEVER
3194 cached. This means that in the event that a network connection should become disconnected
3195 (broken) only the cached (encrypted) password will be sent to the resource server to
3196 effect an auto-reconnect. If the resource server does not support encrypted passwords the
3197 auto-reconnect will fail. <span class="emphasis"><em>USE OF ENCRYPTED PASSWORDS IS STRONGLY ADVISED.</em></span>
3198 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2880875"></a>Advantages of Encrypted Passwords</h4></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Plain text passwords are not passed across
3199 the network. Someone using a network sniffer cannot just
3200 record passwords going to the SMB server.</p></li><li><p>Plain text passwords are not stored anywhere in
3201 memory or on disk.</p></li><li><p>WinNT doesn't like talking to a server
3202 that does not support encrypted passwords. It will refuse
3203 to browse the server if the server is also in user level
3204 security mode. It will insist on prompting the user for the
3205 password on each connection, which is very annoying. The
3206 only thing you can do to stop this is to use SMB encryption.
3207 </p></li><li><p>Encrypted password support allows automatic share
3208 (resource) reconnects.</p></li><li><p>Encrypted passwords are essential for PDC/BDC
3209 operation.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2880929"></a>Advantages of non-encrypted passwords</h4></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Plain text passwords are not kept
3210 on disk, and are NOT cached in memory. </p></li><li><p>Uses same password file as other unix
3211 services such as login and ftp</p></li><li><p>Other services (such as telnet and ftp) already
3212 send plain text passwords over the net, so sending them for SMB
3213 isn't such a big deal.</p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2880966"></a>Mapping User Identifiers between MS Windows and UNIX</h3></div></div><div></div></div><p>
3214 Every operation in UNIX/Linux requires a user identifier (UID), just as in
3215 MS Windows NT4 / 200x it requires a Security Identifier (SID). Samba provides
3216 two means for mapping an MS Windows user to a UNIX/Linux UID.
3217 </p><p>
3218 Firstly, all Samba SAM (Security Account Manager database) accounts require
3219 a UNIX/Linux UID that the account will map to. As users are added to the account
3220 information database, Samba will call the <a class="indexterm" name="id2880988"></a><i class="parameter"><tt>add user script</tt></i>
3221 interface to add the account to the Samba host OS. In essence all accounts in
3222 the local SAM require a local user account.
3223 </p><p>
3224 The second way to affect Windows SID to UNIX UID mapping is via the
3225 <span class="emphasis"><em>idmap uid, idmap gid</em></span> parameters in <tt class="filename">smb.conf</tt>.
3226 Please refer to the man page for information about these parameters.
3227 These parameters are essential when mapping users from a remote SAM server.
3228 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="idmapbackend"></a>Mapping Common UIDs/GIDs on Distributed Machines</h3></div></div><div></div></div><p>
3229 Samba-3 has a special facility that makes it possible to maintain identical UIDs and GIDs
3230 on all servers in a distributed network. A distributed network is one where there exists
3231 a PDC, one or more BDCs and/or one or more domain member servers. Why is this important?
3232 This is important if files are being shared over more than one protocol (eg: NFS) and where
3233 users are copying files across UNIX/Linux systems using tools such as <b class="command">rsync</b>.
3234 </p><p>
3235 The special facility is enabled using a parameter called <i class="parameter"><tt>idmap backend</tt></i>.
3236 The default setting for this parameter is an empty string. Administrators should NOT set this
3237 parameter except when an LDAP based passdb backend is in use. An example of use is:
3238 </p><p>
3239 </p><div class="example"><a name="idmapbackendexample"></a><p class="title"><b>Example 11.1. </b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap backend = ldapsam://ldap-server.quenya.org:636</tt></i></td></tr></table></div><p>
3240 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="acctmgmttools"></a>Account Management Tools</h2></div></div><div></div></div><p>
3241 Samba provides two (2) tools for management of User and machine accounts. These tools are
3242 called <b class="command">smbpasswd</b> and <b class="command">pdbedit</b>. A third tool is under
3243 development but is NOT expected to ship in time for Samba-3.0.0. The new tool will be a TCL/TK
3244 GUI tool that looks much like the MS Windows NT4 Domain User Manager - hopefully this will
3245 be announced in time for the Samba-3.0.1 release.
3246 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2881151"></a>The <span class="emphasis"><em>smbpasswd</em></span> Command</h3></div></div><div></div></div><p>
3247 The smbpasswd utility is a utility similar to the <b class="command">passwd</b>
3248 or <b class="command">yppasswd</b> programs. It maintains the two 32 byte password
3249 fields in the passdb backend.
3250 </p><p>
3251 <b class="command">smbpasswd</b> works in a client-server mode where it contacts the
3252 local smbd to change the user's password on its behalf. This has enormous benefits
3253 as follows:
3254 </p><p>
3255 <b class="command">smbpasswd</b> has the capability to change passwords on Windows NT
3256 servers (this only works when the request is sent to the NT Primary Domain Controller
3257 if changing an NT Domain user's password).
3258 </p><p>
3259 <b class="command">smbpasswd</b> can be used to:
3260 </p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>add</em></span> user or machine accounts</p></li><li><p><span class="emphasis"><em>delete</em></span> user or machine accounts</p></li><li><p><span class="emphasis"><em>enable</em></span> user or machine accounts</p></li><li><p><span class="emphasis"><em>disable</em></span> user or machine accounts</p></li><li><p><span class="emphasis"><em>set to NULL</em></span> user passwords</p></li><li><p><span class="emphasis"><em>manage interdomain trust accounts</em></span></p></li></ul></div><p>
3261 To run smbpasswd as a normal user just type:
3262 </p><p>
3263 </p><pre class="screen">
3264 <tt class="prompt">$ </tt><b class="userinput"><tt>smbpasswd</tt></b>
3265 <tt class="prompt">Old SMB password: </tt><b class="userinput"><tt><i class="replaceable"><tt>secret</tt></i></tt></b>
3266 </pre><p>
3267 For <i class="replaceable"><tt>secret</tt></i> type old value here - or hit return if
3268 there was no old password
3269 </p><pre class="screen">
3270 <tt class="prompt">New SMB Password: </tt><b class="userinput"><tt><i class="replaceable"><tt>new secret</tt></i></tt></b>
3271 <tt class="prompt">Repeat New SMB Password: </tt><b class="userinput"><tt><i class="replaceable"><tt>new secret</tt></i></tt></b>
3272 </pre><p>
3273 </p><p>
3274 If the old value does not match the current value stored for that user, or the two
3275 new values do not match each other, then the password will not be changed.
3276 </p><p>
3277 When invoked by an ordinary user it will only allow change of their own
3278 SMB password.
3279 </p><p>
3280 When run by root smbpasswd may take an optional argument, specifying
3281 the user name whose SMB password you wish to change. When run as root, smbpasswd
3282 does not prompt for or check the old password value, thus allowing root to set passwords
3283 for users who have forgotten their passwords.
3284 </p><p>
3285 <b class="command">smbpasswd</b> is designed to work in the way familiar to UNIX
3286 users who use the <b class="command">passwd</b> or <b class="command">yppasswd</b> commands.
3287 While designed for administrative use, this tool provides essential user level
3288 password change capabilities.
3289 </p><p>
3290 For more details on using <b class="command">smbpasswd</b> refer to the man page (the
3291 definitive reference).
3292 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2881423"></a>The <span class="emphasis"><em>pdbedit</em></span> Command</h3></div></div><div></div></div><p>
3293 <b class="command">pdbedit</b> is a tool that can be used only by root. It is used to
3294 manage the passdb backend. <b class="command">pdbedit</b> can be used to:
3295 </p><div class="itemizedlist"><ul type="disc"><li><p>add, remove or modify user accounts</p></li><li><p>list user accounts</p></li><li><p>migrate user accounts</p></li></ul></div><p>
3296 The <b class="command">pdbedit</b> tool is the only one that can manage the account
3297 security and policy settings. It is capable of all operations that smbpasswd can
3298 do as well as a super set of them.
3299 </p><p>
3300 One particularly important purpose of the <b class="command">pdbedit</b> is to allow
3301 the migration of account information from one passdb backend to another. See the
3302 <a href="#XMLpassdb" title="XML">XML</a> password backend section of this chapter.
3303 </p><p>
3304 The following is an example of the user account information that is stored in
3305 a tdbsam password backend. This listing was produced by running:
3306 </p><pre class="screen">
3307 <tt class="prompt">$ </tt><b class="userinput"><tt>pdbedit -Lv met</tt></b>
3308 UNIX username: met
3309 NT username:
3310 Account Flags: [UX ]
3311 User SID: S-1-5-21-1449123459-1407424037-3116680435-2004
3312 Primary Group SID: S-1-5-21-1449123459-1407424037-3116680435-1201
3313 Full Name: Melissa E Terpstra
3314 Home Directory: \\frodo\met\Win9Profile
3315 HomeDir Drive: H:
3316 Logon Script: scripts\logon.bat
3317 Profile Path: \\frodo\Profiles\met
3318 Domain: MIDEARTH
3319 Account desc:
3320 Workstations: melbelle
3321 Munged dial:
3322 Logon time: 0
3323 Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
3324 Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
3325 Password last set: Sat, 14 Dec 2002 14:37:03 GMT
3326 Password can change: Sat, 14 Dec 2002 14:37:03 GMT
3327 Password must change: Mon, 18 Jan 2038 20:14:07 GMT
3328 </pre><p>
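The listing above can be audited mechanically. The following Python script is an added example (not part of the Samba documentation): it parses `pdbedit -Lv` output into one record per account and flags the states an administrator should review, such as the N (no password required) flag, disabled accounts, machine-style names without a trust flag, and expired passwords. The sample records and the reference date are constructed; the flag letters are those documented in smbpasswd(5).

```python
"""Audit Samba accounts from `pdbedit -Lv` output.

Added example, not part of the Samba documentation. It parses the
"Key: value" listing shown above, one record per account, and flags
the states an administrator should review. SAMPLE and AUDIT_DATE
are constructed for this example; flag letters follow smbpasswd(5).
"""
from datetime import datetime, timezone

# Constructed sample: 'met' mirrors the listing in the text; the other
# records are invented to exercise each check.
SAMPLE = r"""
UNIX username: met
NT username:
Account Flags: [UX ]
Home Directory: \\frodo\met\Win9Profile
Domain: MIDEARTH
Password last set: Sat, 14 Dec 2002 14:37:03 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT

UNIX username: scanner
Account Flags: [UN ]
Domain: MIDEARTH
Password last set: Mon, 03 Feb 2003 09:12:00 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT

UNIX username: olduser
Account Flags: [U ]
Domain: MIDEARTH
Password last set: Tue, 01 Oct 2002 08:00:00 GMT
Password must change: Wed, 01 Jan 2003 08:00:00 GMT

UNIX username: melbelle$
Account Flags: [W ]
Domain: MIDEARTH
Password last set: Sat, 14 Dec 2002 14:40:00 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
"""

# Fixed reference date so the expiry check is reproducible (constructed).
AUDIT_DATE = datetime(2003, 6, 1, tzinfo=timezone.utc)


def parse_pdbedit(text):
    """Split verbose pdbedit output into one dict per account.

    Records are separated by blank lines (or a dashed separator line);
    values may be empty, as in 'NT username:'.
    """
    accounts, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("---"):
            if current:
                accounts.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        accounts.append(current)
    return accounts


def decode_flags(field):
    """'[UX ]' -> {'U', 'X'}."""
    return set(field.strip("[]").replace(" ", ""))


def parse_time(value):
    """Parse 'Mon, 18 Jan 2038 20:14:07 GMT'; '0' or blank gives None."""
    try:
        stamp = datetime.strptime(value.replace(" GMT", ""), "%a, %d %b %Y %H:%M:%S")
    except ValueError:
        return None
    return stamp.replace(tzinfo=timezone.utc)


def audit(accounts, now=None):
    """Return (username, finding) pairs for records that deserve review."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for acct in accounts:
        name = acct.get("UNIX username", "?")
        flags = decode_flags(acct.get("Account Flags", ""))
        if "N" in flags:  # N: no password required
            findings.append((name, "no password required (N flag)"))
        if "D" in flags:  # D: account disabled
            findings.append((name, "account disabled (D flag)"))
        if name.endswith("$") and not flags & {"W", "S", "I"}:  # trust account flags
            findings.append((name, "machine-style name without a trust flag"))
        must_change = parse_time(acct.get("Password must change", ""))
        if "X" not in flags and must_change and must_change < now:  # X: never expires
            findings.append((name, "password expired on %s" % must_change.date()))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_pdbedit(SAMPLE), AUDIT_DATE):
        print("%-12s %s" % (name, finding))
```

On a live server feed it the real output with `pdbedit -Lv | python3 audit.py`-style piping after replacing SAMPLE with `sys.stdin.read()`.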
3329 The <b class="command">pdbedit</b> tool allows migration of authentication (account)
3330 databases from one backend to another. For example: To migrate accounts from an
3331 old <tt class="filename">smbpasswd</tt> database to a <i class="parameter"><tt>tdbsam</tt></i>
3332 backend:
3333 </p><div class="procedure"><ol type="1"><li><p>
3334 Set the <a class="indexterm" name="id2881606"></a><i class="parameter"><tt>passdb backend</tt></i> = tdbsam, smbpasswd.
3335 </p></li><li><p>
3336 Execute:
3337 </p><pre class="screen">
3338 <tt class="prompt">root# </tt><b class="userinput"><tt>pdbedit -i smbpasswd -e tdbsam</tt></b>
3339 </pre><p>
3340 </p></li><li><p>
3341 Now remove the <i class="parameter"><tt>smbpasswd</tt></i> from the passdb backend
3342 configuration in <tt class="filename">smb.conf</tt>.
3343 </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2881676"></a>Password Backends</h2></div></div><div></div></div><p>
3344 Samba offers the greatest flexibility in backend account database design of any SMB/CIFS server
3345 technology available today. The flexibility is immediately obvious as one begins to explore this
3346 capability.
3347 </p><p>
3348 It is possible to specify not only multiple different password backends, but even multiple
3349 backends of the same type. For example, to use two different tdbsam databases:
3350 </p><p>
3351 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>passdb backend = tdbsam:/etc/samba/passdb.tdb, tdbsam:/etc/samba/old-passdb.tdb</tt></i></td></tr></table><p>
3352 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2881717"></a>Plain Text</h3></div></div><div></div></div><p>
3353 Older versions of Samba retrieved user information from the unix user database
3354 and eventually some other fields from the file <tt class="filename">/etc/samba/smbpasswd</tt>
3355 or <tt class="filename">/etc/smbpasswd</tt>. When password encryption is disabled, no
3356 SMB specific data is stored at all. Instead, all operations are conducted through whatever
3357 mechanism the Samba host OS uses to access its <tt class="filename">/etc/passwd</tt> database;
3358 on Linux systems, for example, that is done via PAM.
3359 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2881758"></a>smbpasswd - Encrypted Password Database</h3></div></div><div></div></div><p>
3360 Traditionally, when configuring <a class="indexterm" name="id2881768"></a><i class="parameter"><tt>encrypt passwords</tt></i> = yes in Samba's <tt class="filename">smb.conf</tt> file, user account
3361 information such as username, LM/NT password hashes, password change times, and account
3362 flags have been stored in the <tt class="filename">smbpasswd(5)</tt> file. There are several
3363 disadvantages to this approach for sites with very large numbers of users (counted
3364 in the thousands).
3365 </p><div class="itemizedlist"><ul type="disc"><li><p>
3366 The first is that all lookups must be performed sequentially. Given that
3367 there are approximately two lookups per domain logon (one for a normal
3368 session connection such as when mapping a network drive or printer), this
3369 is a performance bottleneck for large sites. What is needed is an indexed approach
3370 such as is used in databases.
3371 </p></li><li><p>
3372 The second problem is that administrators who desire to replicate a smbpasswd file
3373 to more than one Samba server were left to use external tools such as
3374 <b class="command">rsync(1)</b> and <b class="command">ssh(1)</b> and wrote custom,
3375 in-house scripts.
3376 </p></li><li><p>
3377 And finally, the amount of information which is stored in an smbpasswd entry leaves
3378 no room for additional attributes such as a home directory, password expiration time,
3379 or even a Relative Identifier (RID).
3380 </p></li></ul></div><p>
3381 As a result of these deficiencies, a more robust means of storing user attributes
3382 used by smbd was developed. The API which defines access to user accounts
3383 is commonly referred to as the samdb interface (previously this was called the passdb
3384 API, and is still so named in the Samba CVS trees).
3385 </p><p>
3386 Samba provides an enhanced set of passdb backends that overcome the deficiencies
3387 of the smbpasswd plain text database. These are tdbsam, ldapsam, and xmlsam.
3388 Of these ldapsam will be of most interest to large corporate or enterprise sites.
3389 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2881871"></a>tdbsam</h3></div></div><div></div></div><p>Samba can store user and machine account data in a "TDB" (Trivial Database).
3390 Using this backend doesn't require any additional configuration. This backend is
3391 recommended for new installations that do not require LDAP.
3392 </p><p>
3393 As a general guide the Samba-Team does NOT recommend using the tdbsam backend for sites
3394 that have 250 or more users. Additionally, tdbsam is not capable of scaling for use
3395 in sites that require PDC/BDC implementations with replication of the account
3396 database. Clearly, for reasons of scalability, the use of ldapsam should be encouraged.
3397 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2881898"></a>ldapsam</h3></div></div><div></div></div><p>
3398 There are a few points to stress that the ldapsam does not provide. The LDAP
3399 support referred to in this documentation does not include:
3400 </p><div class="itemizedlist"><ul type="disc"><li><p>A means of retrieving user account information from
3401 a Windows 200x Active Directory server.</p></li><li><p>A means of replacing /etc/passwd.</p></li></ul></div><p>
3402 The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
3403 versions of these libraries can be obtained from PADL Software
3404 (<a href="http://www.padl.com/" target="_top">http://www.padl.com/</a>). More
3405 information about the configuration of these packages may be found at "LDAP,
3406 System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS".
3407 Refer to <a href="http://safari.oreilly.com/?XmlId=1-56592-491-6" target="_top">
3408 http://safari.oreilly.com/?XmlId=1-56592-491-6</a> for those who might wish to know
3409 more about configuration and administration of an OpenLDAP server.
3410 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
3411 This section is outdated for Samba-3 schema. Samba-3 introduces a new schema
3412 that has not been documented at the time of this publication.
3413 </p></div><p>
3414 This document describes how to use an LDAP directory for storing Samba user
3415 account information traditionally stored in the smbpasswd(5) file. It is
3416 assumed that the reader already has a basic understanding of LDAP concepts
3417 and has a working directory server already installed. For more information
3418 on LDAP architectures and Directories, please refer to the following sites.
3419 </p><div class="itemizedlist"><ul type="disc"><li><p>OpenLDAP - <a href="http://www.openldap.org/" target="_top">http://www.openldap.org/</a></p></li><li><p>iPlanet Directory Server -
3420 <a href="http://iplanet.netscape.com/directory" target="_top">http://iplanet.netscape.com/directory</a></p></li></ul></div><p>
3421 Two additional Samba resources which may prove to be helpful are
3422 </p><div class="itemizedlist"><ul type="disc"><li><p>The <a href="http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html" target="_top">Samba-PDC-LDAP-HOWTO</a>
3423 maintained by Ignacio Coupeau.</p></li><li><p>The NT migration scripts from <a href="http://samba.idealx.org/" target="_top">IDEALX</a> that are
3424 geared to manage users and groups in such a Samba-LDAP Domain Controller configuration.
3425 </p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2882050"></a>Supported LDAP Servers</h4></div></div><div></div></div><p>
3426 The LDAP ldapsam code has been developed and tested using the OpenLDAP 2.0 and 2.1 server and
3427 client libraries. The same code should work with Netscape's Directory Server and client SDK.
3428 However, there are bound to be compile errors and bugs. These should not be hard to fix.
3429 Please submit fixes via <a href="#bugreport" title="Chapter 35. Reporting Bugs">Bug reporting facility</a>.
3430 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2882076"></a>Schema and Relationship to the RFC 2307 posixAccount</h4></div></div><div></div></div><p>
3431 Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in
3432 <tt class="filename">examples/LDAP/samba.schema</tt>. The sambaSamAccount objectclass is given here:
3433 </p><p>
3434 </p><pre class="programlisting">
3435 objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
3436 DESC 'Samba 3.0 Auxiliary SAM Account'
3437 MUST ( uid $ sambaSID )
3438 MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
3439 sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
3440 sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
3441 displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
3442 sambaProfilePath $ description $ sambaUserWorkstations $
3443 sambaPrimaryGroupSID $ sambaDomainName ))
3444 </pre><p>
3445 </p><p>
3446 The <tt class="filename">samba.schema</tt> file has been formatted for OpenLDAP 2.0/2.1.
3447 The OIDs are owned by the Samba Team and as such may legally be openly published.
3448 If you translate the schema to be used with Netscape DS, please
3449 submit the modified schema file as a patch to
3450 <a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>.
3451 </p><p>
3452 Just as the smbpasswd file is meant to store information which supplements a
3453 user's <tt class="filename">/etc/passwd</tt> entry, so is the sambaSamAccount object
3454 meant to supplement the UNIX user account information. A sambaSamAccount is a
3455 <tt class="constant">STRUCTURAL</tt> objectclass so it can be stored individually
3456 in the directory. However, there are several fields (e.g. uid) which overlap
3457 with the posixAccount objectclass outlined in RFC2307. This is by design.
3458 </p><p>
3459 In order to store all user account information (UNIX and Samba) in the directory,
3460 it is necessary to use the sambaSamAccount and posixAccount objectclasses in
3461 combination. However, smbd will still obtain the user's UNIX account
3462 information via the standard C library calls (e.g. getpwnam() et al.).
3463 This means that the Samba server must also have the LDAP NSS library installed
3464 and functioning correctly. This division of information makes it possible to
3465 store all Samba account information in LDAP, but still maintain UNIX account
3466 information in NIS while the network is transitioning to a full LDAP infrastructure.
3467 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2882187"></a>OpenLDAP configuration</h4></div></div><div></div></div><p>
3468 To include support for the sambaSamAccount object in an OpenLDAP directory
3469 server, first copy the samba.schema file to slapd's configuration directory.
3470 The samba.schema file can be found in the directory <tt class="filename">examples/LDAP</tt>
3471 in the samba source distribution.
3472 </p><p>
3473 </p><pre class="screen">
3474 <tt class="prompt">root# </tt><b class="userinput"><tt>cp samba.schema /etc/openldap/schema/</tt></b>
3475 </pre><p>
3476 </p><p>
3477 Next, include the <tt class="filename">samba.schema</tt> file in <tt class="filename">slapd.conf</tt>.
3478 The sambaSamAccount object contains two attributes which depend upon other schema
3479 files. The 'uid' attribute is defined in <tt class="filename">cosine.schema</tt> and
3480 the 'displayName' attribute is defined in the <tt class="filename">inetorgperson.schema</tt>
3481 file. Both of these must be included before the <tt class="filename">samba.schema</tt> file.
3482 </p><p>
3483 </p><pre class="programlisting">
3484 ## /etc/openldap/slapd.conf
3486 ## schema files (core.schema is required by default)
3487 include /etc/openldap/schema/core.schema
3489 ## needed for sambaSamAccount
3490 include /etc/openldap/schema/cosine.schema
3491 include /etc/openldap/schema/inetorgperson.schema
3492 include /etc/openldap/schema/samba.schema
3493 include /etc/openldap/schema/nis.schema
3494 ....
3495 </pre><p>
3496 </p><p>
3497 It is recommended that you maintain some indices on some of the most useful attributes,
3498 like in the following example, to speed up searches made on sambaSamAccount objectclasses
3499 (and possibly posixAccount and posixGroup as well).
3500 </p><p>
3501 </p><pre class="programlisting">
3502 # Indices to maintain
3503 ## required by OpenLDAP
3504 index objectclass eq
3506 index cn pres,sub,eq
3507 index sn pres,sub,eq
3508 ## required to support pdb_getsampwnam
3509 index uid pres,sub,eq
3510 ## required to support pdb_getsambapwrid()
3511 index displayName pres,sub,eq
3513 ## uncomment these if you are storing posixAccount and
3514 ## posixGroup entries in the directory as well
3515 ##index uidNumber eq
3516 ##index gidNumber eq
3517 ##index memberUid eq
3519 index sambaSID eq
3520 index sambaPrimaryGroupSID eq
3521 index sambaDomainName eq
3522 index default sub
3523 </pre><p>
3524 </p><p>
3525 Create the new index by executing:
3526 </p><p>
3527 </p><pre class="screen">
3528 <tt class="prompt">root# </tt>./sbin/slapindex -f slapd.conf
3529 </pre><p>
3530 </p><p>
3531 Remember to restart slapd after making these changes:
3532 </p><p>
3533 </p><pre class="screen">
3534 <tt class="prompt">root# </tt><b class="userinput"><tt>/etc/init.d/slapd restart</tt></b>
3535 </pre><p>
3536 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2882382"></a>Initialise the LDAP database</h4></div></div><div></div></div><p>
3537 Before you can add accounts to the LDAP database you must create the account containers
3538 that they will be stored in. The following LDIF file should be modified to match your
3539 needs (ie: Your DNS entries, etc.).
3540 </p><p>
3541 </p><pre class="programlisting">
3542 # Organization for Samba Base
3543 dn: dc=quenya,dc=org
3544 objectclass: dcObject
3545 objectclass: organization
3546 dc: quenya
3547 o: Quenya Org Network
3548 description: The Samba-3 Network LDAP Example
3550 # Organizational Role for Directory Management
3551 dn: cn=Manager,dc=quenya,dc=org
3552 objectclass: organizationalRole
3553 cn: Manager
3554 description: Directory Manager
3556 # Setting up container for users
3557 dn: ou=People,dc=quenya,dc=org
3558 objectclass: top
3559 objectclass: organizationalUnit
3560 ou: People
3562 # Setting up admin handle for People OU
3563 dn: cn=admin,ou=People,dc=quenya,dc=org
3564 cn: admin
3565 objectclass: top
3566 objectclass: organizationalRole
3567 objectclass: simpleSecurityObject
3568 userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
3569 </pre><p>
3570 </p><p>
3571 The userPassword shown above should be generated using <b class="command">slappasswd</b>.
3572 </p><p>
3573 The following command will then load the contents of the LDIF file into the LDAP
3574 database.
3575 </p><p>
3576 </p><pre class="screen">
3577 <tt class="prompt">$ </tt><b class="userinput"><tt>slapadd -v -l initldap.dif</tt></b>
3578 </pre><p>
3579 </p><p>
3580 Do not forget to secure your LDAP server with an adequate access control list,
3581 as well as an admin password.
3582 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
3583 Before Samba can access the LDAP server you need to store the LDAP admin password
3584 into the Samba-3 <tt class="filename">secrets.tdb</tt> database by:
3585 </p><pre class="screen">
3586 <tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -w <i class="replaceable"><tt>secret</tt></i></tt></b>
3587 </pre><p>
3588 </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2882509"></a>Configuring Samba</h4></div></div><div></div></div><p>
3589 The following parameters are available in smb.conf only if your
3590 version of samba was built with LDAP support. Samba automatically builds with LDAP support if the
3591 LDAP libraries are found.
3592 </p><p>LDAP related smb.conf options:
3593 <a class="indexterm" name="id2882527"></a><i class="parameter"><tt>passdb backend</tt></i> = ldapsam:url,
3594 <a class="indexterm" name="id2882543"></a><i class="parameter"><tt>ldap ssl</tt></i>,
3595 <a class="indexterm" name="id2882556"></a><i class="parameter"><tt>ldap admin dn</tt></i>,
3596 <a class="indexterm" name="id2882570"></a><i class="parameter"><tt>ldap suffix</tt></i>,
3597 <a class="indexterm" name="id2882583"></a><i class="parameter"><tt>ldap filter</tt></i>,
3598 <a class="indexterm" name="id2882597"></a><i class="parameter"><tt>ldap machine suffix</tt></i>,
3599 <a class="indexterm" name="id2882611"></a><i class="parameter"><tt>ldap user suffix</tt></i>,
3600 <a class="indexterm" name="id2882625"></a><i class="parameter"><tt>ldap delete dn</tt></i>,
3601 <a class="indexterm" name="id2882639"></a><i class="parameter"><tt>ldap passwd sync</tt></i>,
3602 <a class="indexterm" name="id2882653"></a><i class="parameter"><tt>ldap trust ids</tt></i>.
3603 </p><p>
3604 These are described in the <tt class="filename">smb.conf</tt> man
3605 page and so will not be repeated here. However, a sample smb.conf file for
3606 use with an LDAP directory could appear as
3607 </p><p>
3608 </p><div class="example"><a name="id2882685"></a><p class="title"><b>Example 11.2. Configuration with LDAP</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr><tr><td><i class="parameter"><tt>encrypt passwords = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = TASHTEGO</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = NARNIA</tt></i></td></tr><tr><td># ldap related parameters</td></tr><tr><td># define the DN to use when binding to the directory servers</td></tr><tr><td># The password for this DN is not stored in smb.conf. Rather it</td></tr><tr><td># must be set by using 'smbpasswd -w <i class="replaceable"><tt>secretpw</tt></i>' to store the</td></tr><tr><td># passphrase in the secrets.tdb file. If the "ldap admin dn" values</td></tr><tr><td># change, this password will need to be reset.</td></tr><tr><td><i class="parameter"><tt>ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"</tt></i></td></tr><tr><td># Define the SSL option when connecting to the directory</td></tr><tr><td># ('off', 'start tls', or 'on' (default))</td></tr><tr><td><i class="parameter"><tt>ldap ssl = start tls</tt></i></td></tr><tr><td># syntax: passdb backend = ldapsam:ldap://server-name[:port]</td></tr><tr><td><i class="parameter"><tt>passdb backend = ldapsam:ldap://funball.samba.org</tt></i></td></tr><tr><td># smbpasswd -x deletes the entire dn-entry</td></tr><tr><td><i class="parameter"><tt>ldap delete dn = no</tt></i></td></tr><tr><td># the machine and user suffix added to the base suffix</td></tr><tr><td># written WITHOUT quotes. NULL suffixes by default</td></tr><tr><td><i class="parameter"><tt>ldap user suffix = ou=People</tt></i></td></tr><tr><td><i class="parameter"><tt>ldap machine suffix = ou=Systems</tt></i></td></tr><tr><td># Trust unix account information in LDAP</td></tr><tr><td># (see the smb.conf manpage for details)</td></tr><tr><td><i class="parameter"><tt>ldap trust ids = Yes</tt></i></td></tr><tr><td># specify the base DN to use when searching the directory</td></tr><tr><td><i class="parameter"><tt>ldap suffix = "ou=people,dc=samba,dc=org"</tt></i></td></tr><tr><td># generally the default ldap search filter is ok</td></tr><tr><td><i class="parameter"><tt>ldap filter = "(&amp;(uid=%u)(objectclass=sambaSamAccount))"</tt></i></td></tr></table></div><p>
3609 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2882906"></a>Accounts and Groups management</h4></div></div><div></div></div><p>
3610 As user accounts are managed through the sambaSamAccount objectclass, you should
3611 modify your existing administration tools to deal with sambaSamAccount attributes.
3612 </p><p>
3613 Machine accounts are managed with the sambaSamAccount objectclass, just
3614 like user accounts. However, it is up to you to store those accounts
3615 in a different tree of your LDAP namespace: for example, use
3616 "ou=Groups,dc=quenya,dc=org" to store groups, "ou=People,dc=quenya,dc=org" to store users,
3617 and a separate container for machine accounts (the configuration above uses
3618 <i class="parameter"><tt>ldap machine suffix = ou=Systems</tt></i>). Just configure your
3619 NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration file).
3620 </p><p>
3621 In Samba release 3.0, the group management system is based on POSIX
3622 groups. This means that Samba makes use of the posixGroup objectclass.
3623 For now, there is no NT-like group system management (global and local
3624 groups).
3625 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2882943"></a>Security and sambaSamAccount</h4></div></div><div></div></div><p>
3626 There are two important points to remember when discussing the security
3627 of sambaSamAccount entries in the directory.
3628 </p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Never</em></span> retrieve the sambaLMPassword or
3629 sambaNTPassword attribute values over an unencrypted LDAP session.</p></li><li><p><span class="emphasis"><em>Never</em></span> allow non-admin users to
3630 view the sambaLMPassword or sambaNTPassword attribute values.</p></li></ul></div><p>
3631 These password hashes are clear-text equivalents: whoever holds them can authenticate as
3632 the user (a "pass the hash" attack) without ever recovering the original clear-text password. For more information
3633 on the details of LM/NT password hashes, refer to the
3634 <a href="#passdb" title="Chapter 11. Account Information Databases">Account Information Database</a> section of this chapter.
3635 </p><p>
3636 To remedy the first security issue, the <a class="indexterm" name="id2883003"></a><i class="parameter"><tt>ldap ssl</tt></i> <tt class="filename">smb.conf</tt> parameter defaults
3637 to requiring an encrypted session (<a class="indexterm" name="id2883024"></a><i class="parameter"><tt>ldap ssl</tt></i> = on) using
3638 the default LDAPS port of <tt class="constant">636</tt>
3639 when contacting the directory server. When using an OpenLDAP server, it
3640 is possible to use the StartTLS LDAP extended operation in place of
3641 LDAPS. In either case, you are strongly discouraged from disabling this protection
3642 (<a class="indexterm" name="id2883046"></a><i class="parameter"><tt>ldap ssl</tt></i> = off): with it off, the hashes above cross the network in the clear.
3643 </p><p>
3644 Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS
3645 extended operation. However, the OpenLDAP library still provides support for
3646 the older method of securing communication between clients and servers.
3647 </p><p>
3648 The second security precaution is to prevent non-administrative users from
3649 harvesting password hashes from the directory. This can be done using the
3650 following ACL in <tt class="filename">slapd.conf</tt>. The DN in the rule must be the same as the
3650 <i class="parameter"><tt>ldap admin dn</tt></i> in <tt class="filename">smb.conf</tt>, and the attribute names must be the ones
3650 your schema actually uses (sambaLMPassword and sambaNTPassword for the Samba-3 schema described below). slapd applies the
3650 first <tt>access to</tt> directive whose target matches, so this rule must appear before any general <tt>access to *</tt> rule, and
3650 the <tt class="constant">userPassword</tt> attribute needs an equally restrictive rule of its own:
3651 </p><p>
3652 </p><pre class="programlisting">
3653 ## allow the "ldap admin dn" access, but deny everyone else
3654 access to attrs=sambaLMPassword,sambaNTPassword
3655 by dn="cn=Samba Admin,ou=people,dc=quenya,dc=org" write
3656 by * none
3657 </pre><p>
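To see why the placement of that rule matters, here is an added example (it is not part of the Samba documentation and is not OpenLDAP code) that evaluates a small set of slapd.conf access directives the way slapd does: the first directive whose target matches the requested attribute is selected, the first matching <tt>by</tt> clause inside it decides the access level, and anything left unmatched is denied. It handles only the subset of the syntax used in this section (<tt>*</tt> or <tt>attrs=</tt> targets; <tt>*</tt>, <tt>users</tt>, <tt>anonymous</tt>, <tt>self</tt> and <tt>dn=</tt> clauses). The two ACL sets, the admin DN and the user DNs are constructed from this section's examples; the <tt>userPassword</tt> rule and the catch-all are assumptions added for illustration.

```python
import re

# Access levels in increasing order, as in slapd.access(5).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed example: the rule from this section, followed by the usual
# userPassword rule and a catch-all placed AFTER the hash rule.
GOOD_ACL = """\
## allow the "ldap admin dn" access, but deny everyone else
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=Samba Admin,ou=people,dc=quenya,dc=org" write
        by * none
access to attrs=userPassword
        by dn="cn=Samba Admin,ou=people,dc=quenya,dc=org" write
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * none
"""

# Same rules with the catch-all placed FIRST: slapd stops at the first directive
# whose target matches, so the hash rule below it is never consulted.
BAD_ACL = """\
access to *
        by users read
        by * none
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=Samba Admin,ou=people,dc=quenya,dc=org" write
        by * none
"""

ADMIN = "cn=Samba Admin,ou=people,dc=quenya,dc=org"   # the 'ldap admin dn'
BECKY = "uid=becky,ou=people,dc=quenya,dc=org"        # an ordinary user
GUEST2 = "uid=guest2,ou=people,dc=quenya,dc=org"      # the entry being read

def parse_acls(text):
    """Return [(attrs, [(who, level), ...])]; attrs is None for 'access to *'.
    Lines beginning with whitespace continue the previous directive, as in
    slapd.conf; comment lines are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    acls = []
    for line in lines:
        m = re.match(r"access to (\S+)(.*)", line)
        if not m:
            continue
        target, rest = m.groups()
        attrs = None if target == "*" else set(target[len("attrs="):].split(","))
        clauses = re.findall(r'by (\*|users|anonymous|self|dn="[^"]*")\s+(\w+)', rest)
        acls.append((attrs, clauses))
    return acls

def who_matches(who, requester, entry_dn):
    """requester is the bound DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "users":
        return requester is not None
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == entry_dn
    if who.startswith('dn="'):
        return requester == who[4:-1]
    return False

def access_level(acls, requester, entry_dn, attr):
    """First matching directive, then first matching 'by' clause, else 'none'."""
    for attrs, clauses in acls:
        if attrs is None or attr in attrs:
            for who, level in clauses:
                if who_matches(who, requester, entry_dn):
                    return level
            return "none"       # directive matched, but no 'by' clause did
    return "none"               # no directive matched at all

def can(acls, requester, entry_dn, attr, needed):
    return LEVELS.index(access_level(acls, requester, entry_dn, attr)) >= LEVELS.index(needed)

def audit(acl_text):
    """The questions a Samba administrator should ask of the ACL set."""
    acls = parse_acls(acl_text)
    return {
        "admin_writes_hash": can(acls, ADMIN, GUEST2, "sambaNTPassword", "write"),
        "user_reads_other_hash": can(acls, BECKY, GUEST2, "sambaNTPassword", "read"),
        "user_reads_own_hash": can(acls, GUEST2, GUEST2, "sambaNTPassword", "read"),
        "anon_reads_hash": can(acls, None, GUEST2, "sambaNTPassword", "read"),
        "self_changes_userPassword": can(acls, GUEST2, GUEST2, "userPassword", "write"),
        "user_reads_other_cn": can(acls, BECKY, GUEST2, "cn", "read"),
    }

if __name__ == "__main__":
    for name, text in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(name, audit(text))
```

With the hash rule first, only the admin DN can touch the hashes and even the user cannot read his own; with the catch-all first, every authenticated user can read every other user's hashes, and the Samba admin DN is reduced to read access, so password changes through Samba fail as well.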
3658 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2883102"></a>LDAP special attributes for sambaSamAccounts</h4></div></div><div></div></div><p>
3659 The sambaSamAccount objectclass is composed of the following attributes:
3660 </p><p>
3661 </p><div class="table"><a name="id2883118"></a><p class="title"><b>Table 11.1. Attributes in the sambaSamAccount objectclass (LDAP)</b></p><table summary="Attributes in the sambaSamAccount objectclass (LDAP)" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left"><tt class="constant">sambaLMPassword</tt></td><td align="justify">the LANMAN password 16-byte hash stored as a character
3662 representation of a hexadecimal string.</td></tr><tr><td align="left"><tt class="constant">sambaNTPassword</tt></td><td align="justify">the 16-byte NT password hash stored as a character
3663 representation of a hexadecimal string.</td></tr><tr><td align="left"><tt class="constant">sambaPwdLastSet</tt></td><td align="justify">The integer time in seconds since 1970 when the
3664 <tt class="constant">sambaLMPassword</tt> and <tt class="constant">sambaNTPassword</tt> attributes were last set.
3665 </td></tr><tr><td align="left"><tt class="constant">sambaAcctFlags</tt></td><td align="justify">string of 11 characters surrounded by square brackets []
3666 representing account flags such as U (user), W(workstation), X(no password expiration),
3667 I(Domain trust account), H(Home dir required), S(Server trust account),
3668 and D(disabled).</td></tr><tr><td align="left"><tt class="constant">sambaLogonTime</tt></td><td align="justify">Integer value currently unused</td></tr><tr><td align="left"><tt class="constant">sambaLogoffTime</tt></td><td align="justify">Integer value currently unused</td></tr><tr><td align="left"><tt class="constant">sambaKickoffTime</tt></td><td align="justify">Integer value currently unused</td></tr><tr><td align="left"><tt class="constant">sambaPwdCanChange</tt></td><td align="justify">Integer value currently unused</td></tr><tr><td align="left"><tt class="constant">sambaPwdMustChange</tt></td><td align="justify">Integer value currently unused</td></tr><tr><td align="left"><tt class="constant">sambaHomeDrive</tt></td><td align="justify">specifies the drive letter to which to map the
3669 UNC path specified by sambaHomePath. The drive letter must be specified in the form "X:"
3670 where X is the letter of the drive to map. Refer to the "logon drive" parameter in the
3671 smb.conf(5) man page for more information.</td></tr><tr><td align="left"><tt class="constant">sambaLogonScript</tt></td><td align="justify">The sambaLogonScript property specifies the path of
3672 the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path
3673 is relative to the netlogon share. Refer to the <a class="indexterm" name="id2883286"></a><i class="parameter"><tt>logon script</tt></i> parameter in the
3674 <tt class="filename">smb.conf</tt> man page for more information.</td></tr><tr><td align="left"><tt class="constant">sambaProfilePath</tt></td><td align="justify">specifies a path to the user's profile.
3675 This value can be a null string, a local absolute path, or a UNC path. Refer to the
3676 <a class="indexterm" name="id2883321"></a><i class="parameter"><tt>logon path</tt></i> parameter in the <tt class="filename">smb.conf</tt> man page for more information.</td></tr><tr><td align="left"><tt class="constant">sambaHomePath</tt></td><td align="justify">The sambaHomePath property specifies the path of
3677 the home directory for the user. The string can be null. If sambaHomeDrive is set and specifies
3678 a drive letter, sambaHomePath should be a UNC path. The path must be a network
3679 UNC path of the form <tt class="filename">\\server\share\directory</tt>. This value can be a null string.
3680 Refer to the <b class="command">logon home</b> parameter in the <tt class="filename">smb.conf</tt> man page for more information.
3681 </td></tr><tr><td align="left"><tt class="constant">sambaUserWorkstations</tt></td><td align="justify">character string value currently unused.
3682 </td></tr><tr><td align="left"><tt class="constant">sambaSID</tt></td><td align="justify">The security identifier (SID) of the user, the Windows equivalent of a UNIX uid.</td></tr><tr><td align="left"><tt class="constant">sambaPrimaryGroupSID</tt></td><td align="justify">the security identifier (SID) of the primary group
3683 of the user (a full SID, as in the LDIF examples below, not just the relative identifier).</td></tr><tr><td align="left"><tt class="constant">sambaDomainName</tt></td><td align="justify">domain the user is part of.</td></tr></tbody></table></div><p>
3684 </p><p>
3685 The majority of these parameters are only used when Samba is acting as a PDC of
3686 a domain (refer to the <a href="#samba-pdc" title="Chapter 5. Domain Control">Samba as a primary domain controller</a> chapter for details on
3687 how to configure Samba as a Primary Domain Controller). The following four attributes
3688 are only stored with the sambaSamAccount entry if the values are non-default values:
3689 </p><div class="itemizedlist"><ul type="disc"><li><p>sambaHomePath</p></li><li><p>sambaLogonScript</p></li><li><p>sambaProfilePath</p></li><li><p>sambaHomeDrive</p></li></ul></div><p>
3690 For example, assume TASHTEGO has now been
3691 configured as a PDC and that <a class="indexterm" name="id2883477"></a><i class="parameter"><tt>logon home</tt></i> = \\%L\%u was defined in
3692 its <tt class="filename">smb.conf</tt> file. When a user named "becky" logs on to the domain,
3693 the <a class="indexterm" name="id2883500"></a><i class="parameter"><tt>logon home</tt></i> string is expanded to \\TASHTEGO\becky.
3694 If the sambaHomePath attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org",
3695 its value is used. However, if this attribute does not exist, then the expanded value
3696 of the <a class="indexterm" name="id2883517"></a><i class="parameter"><tt>logon home</tt></i> parameter is used in its place. Samba
3697 will only write the attribute value to the directory entry if the value is
3698 something other than that default (e.g. <tt class="filename">\\MOBY\becky</tt>).
3700 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2883543"></a>Example LDIF Entries for a sambaSamAccount</h4></div></div><div></div></div><p>
3701 The following is a working LDIF entry carrying only the sambaSamAccount attributes. Note that sambaSamAccount is an auxiliary objectclass, so a real entry also needs a structural class such as posixAccount, as in the second example:
3702 </p><p>
3703 </p><pre class="programlisting">
3704 dn: uid=guest2, ou=people,dc=quenya,dc=org
3705 sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7
3706 sambaPwdMustChange: 2147483647
3707 sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-513
3708 sambaLMPassword: 552902031BEDE9EFAAD3B435B51404EE
3709 sambaPwdLastSet: 1010179124
3710 sambaLogonTime: 0
3711 objectClass: sambaSamAccount
3712 uid: guest2
3713 sambaKickoffTime: 2147483647
3714 sambaAcctFlags: [UX ]
3715 sambaLogoffTime: 2147483647
3716 sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5006
3717 sambaPwdCanChange: 0
3718 </pre><p>
3719 </p><p>
3720 The following is an LDIF entry for using both the sambaSamAccount and
3721 posixAccount objectclasses:
3722 </p><p>
3723 </p><pre class="programlisting">
3724 dn: uid=gcarter, ou=people,dc=quenya,dc=org
3725 sambaLogonTime: 0
3726 displayName: Gerald Carter
3727 sambaLMPassword: 552902031BEDE9EFAAD3B435B51404EE
3728 sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-1201
3729 objectClass: posixAccount
3730 objectClass: sambaSamAccount
3731 sambaAcctFlags: [UX ]
3732 userPassword: {crypt}BpM2ej8Rkzogo
3733 uid: gcarter
3734 uidNumber: 9000
3735 cn: Gerald Carter
3736 loginShell: /bin/bash
3737 sambaLogoffTime: 2147483647
3738 gidNumber: 100
3739 sambaKickoffTime: 2147483647
3740 sambaPwdLastSet: 1010179230
3741 sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5004
3742 homeDirectory: /home/tashtego/gcarter
3743 sambaPwdCanChange: 0
3744 sambaPwdMustChange: 2147483647
3745 sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7
3746 </pre><p>
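As an added example (not Samba's code, and not part of the original HOWTO), the following script reads LDIF such as the two entries above and audits each sambaSamAccount for the weaknesses this chapter discusses. The sample LDIF is a constructed copy of the two entries from this section, with the attribute-name slips corrected and the flags field padded to its full 11 characters; the domain SID is taken from those entries. The LM-hash check relies on a property of the LM algorithm: the second half of the hash is always <tt>AAD3B435B51404EE</tt> when the password is 7 characters or shorter (and the whole hash is that value twice for the empty password), so the hashes in the examples above reveal short passwords before any cracking is attempted.

```python
"""Constructed example (not Samba's code): audit sambaSamAccount entries in an
LDIF export for the weaknesses discussed in this chapter."""

# Second half of any LM hash whose password is 7 characters or shorter
# (the 8th..14th character block is empty).  Twice over, it is the LM hash
# of the empty password.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM_HASH = EMPTY_LM_HALF * 2

# The two entries from this section (constructed copy; attribute-name slips
# corrected, DN spaces removed, sambaAcctFlags padded to 11 characters).
SAMPLE_LDIF = """\
dn: uid=guest2,ou=people,dc=quenya,dc=org
objectClass: sambaSamAccount
uid: guest2
sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5006
sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-513
sambaAcctFlags: [UX         ]
sambaLMPassword: 552902031BEDE9EFAAD3B435B51404EE
sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7
sambaPwdLastSet: 1010179124

dn: uid=gcarter,ou=people,dc=quenya,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: gcarter
cn: Gerald Carter
uidNumber: 9000
gidNumber: 100
homeDirectory: /home/tashtego/gcarter
userPassword: {crypt}BpM2ej8Rkzogo
sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5004
sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-1201
sambaAcctFlags: [UX         ]
sambaLMPassword: 552902031BEDE9EFAAD3B435B51404EE
sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7
sambaPwdLastSet: 1010179230
"""
DOMAIN_SID = "S-1-5-21-2447931902-1787058256-3961074038"

def parse_ldif(text):
    """Small LDIF reader: entries separated by blank lines, 'attr: value'
    lines, leading-space continuation lines, multi-valued attributes kept as
    lists.  Base64 (::) values are not needed for this audit."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw[0] == " " and last:             # continuation of previous value
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        current.setdefault(attr, []).append(value)
        last = attr
    return entries

def first(entry, attr, default=None):
    return entry.get(attr, [default])[0]

def audit_entry(entry, domain_sid):
    """Return the list of findings for one entry (empty list = nothing found)."""
    findings = []
    classes = entry.get("objectClass", [])
    if "sambaSamAccount" not in classes:
        return findings
    flags = first(entry, "sambaAcctFlags", "[]").strip("[] ")
    if "D" in flags:
        findings.append("account disabled")
    if "X" in flags:
        findings.append("password never expires")
    if "N" in flags:                            # flag not listed in the table above
        findings.append("no password required")
    lm = (first(entry, "sambaLMPassword") or "").upper()
    if lm == EMPTY_LM_HASH:
        findings.append("LM hash is the empty-password hash")
    elif lm.endswith(EMPTY_LM_HALF):
        findings.append("LM hash: password is 7 characters or fewer")
    elif lm:
        findings.append("LM hash stored (case-insensitive, two 7-char halves)")
    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        sid = first(entry, attr, "")
        if not sid.startswith(domain_sid + "-"):
            findings.append(f"{attr} {sid!r} is not in domain {domain_sid}")
    if len(entry.get("sambaNTPassword", [])) != 1:
        findings.append("sambaNTPassword must have exactly one value")
    if "posixAccount" not in classes:
        findings.append("no posixAccount objectclass: NSS/PAM cannot resolve this user")
    return findings

def audit_ldif(text, domain_sid=DOMAIN_SID):
    """Map each entry's dn to its findings."""
    return {first(e, "dn"): audit_entry(e, domain_sid) for e in parse_ldif(text)}

if __name__ == "__main__":
    for dn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(dn)
        for f in findings:
            print("  -", f)
```

Run it against a real export (<tt>ldapsearch -x -D "&lt;ldap admin dn&gt;" -W -b "&lt;ldap suffix&gt;" objectClass=sambaSamAccount</tt>, over TLS and as the admin DN, since nobody else should be able to read the hash attributes) and treat every "7 characters or fewer" finding as a password to be changed.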
3747 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2883609"></a>Password synchronisation</h4></div></div><div></div></div><p>
3748 Since version 3.0 Samba can update the non-Samba (LDAP) password stored with an account. When
3749 using pam_ldap, this allows changing both the UNIX and the Windows password at once.
3750 </p><p>The <a class="indexterm" name="id2883627"></a><i class="parameter"><tt>ldap passwd sync</tt></i> option can have the following values:</p><div class="variablelist"><dl><dt><span class="term">yes</span></dt><dd><p>When the user changes his password, update
3751 <tt class="constant">sambaNTPassword</tt>, <tt class="constant">sambaLMPassword</tt>
3752 and the <tt class="constant">userPassword</tt> attributes.</p></dd><dt><span class="term">no</span></dt><dd><p>Only update <tt class="constant">sambaNTPassword</tt> and <tt class="constant">sambaLMPassword</tt>.</p></dd><dt><span class="term">only</span></dt><dd><p>Only update the LDAP password (through the LDAP password-modify extended operation) and let the LDAP server worry about the other fields. This option is only available on some LDAP servers. <sup>[<a name="id2883711" href="#ftn.id2883711">3</a>]</sup></p></dd></dl></div><p>More information can be found in the smb.conf manpage.
3753 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2883727"></a>MySQL</h3></div></div><div></div></div><p>
3754 Every so often someone will come along with a great new idea. Storing user accounts in an
3755 SQL backend is one of them. Those who want to do this are in the best position to know what the
3756 specific benefits are to them. This may sound like a cop-out, but in truth we cannot attempt
3757 to document every detail of why something of marginal utility to the bulk of
3758 Samba users might make sense to the rest. In any case, the following instructions should help
3759 the determined SQL user to implement a working system.
3760 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2883748"></a>Creating the database</h4></div></div><div></div></div><p>
3761 You either can set up your own table and specify the field names to pdb_mysql (see below
3762 for the column names) or use the default table. The file <tt class="filename">examples/pdb/mysql/mysql.dump</tt>
3763 contains the correct queries to create the required tables. Use the command:
3765 </p><pre class="screen">
3766 <tt class="prompt">$ </tt><b class="userinput"><tt>mysql -u<i class="replaceable"><tt>username</tt></i> -h<i class="replaceable"><tt>hostname</tt></i> -p<i class="replaceable"><tt>password</tt></i> \
3767 <i class="replaceable"><tt>databasename</tt></i> &lt; <tt class="filename">/path/to/samba/examples/pdb/mysql/mysql.dump</tt></tt></b>
3768 </pre><p>Giving the password after <tt>-p</tt> on the command line exposes it to other local users through the process list and leaves it in your shell history; pass a bare <tt>-p</tt> and type the password at the prompt instead.
3769 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2883816"></a>Configuring</h4></div></div><div></div></div><p>This plugin lacks good documentation, but here is some short info:</p><p>Add the following to the <a class="indexterm" name="id2883830"></a><i class="parameter"><tt>passdb backend</tt></i> variable in your <tt class="filename">smb.conf</tt>:
3770 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>passdb backend = [other-plugins] mysql:identifier [other-plugins]</tt></i></td></tr></table><p>
3771 </p><p>The identifier can be any string you like, as long as it doesn't collide with
3772 the identifiers of other plugins or other instances of pdb_mysql. If you
3773 specify multiple pdb_mysql.so entries in <a class="indexterm" name="id2883875"></a><i class="parameter"><tt>passdb backend</tt></i>, you also need to
3774 use different identifiers!
3775 </p><p>
3776 Additional options can be given through the <tt class="filename">smb.conf</tt> file in the <i class="parameter"><tt>[global]</tt></i> section.
3777 </p><p>
3778 </p><div class="table"><a name="id2883914"></a><p class="title"><b>Table 11.2. Basic smb.conf options for MySQL passdb backend</b></p><table summary="Basic smb.conf options for MySQL passdb backend" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Field</th><th align="justify">Contents</th></tr></thead><tbody><tr><td align="left">mysql host</td><td align="justify">host name, defaults to 'localhost'</td></tr><tr><td align="left">mysql password</td><td align="justify"> </td></tr><tr><td align="left">mysql user</td><td align="justify">defaults to 'samba'</td></tr><tr><td align="left">mysql database</td><td align="justify">defaults to 'samba'</td></tr><tr><td align="left">mysql port</td><td align="justify">defaults to 3306</td></tr><tr><td align="left">table</td><td align="justify">Name of the table containing users</td></tr></tbody></table></div><p>
3779 </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
3780 Since the password for the MySQL user is stored in the
3781 <tt class="filename">smb.conf</tt> file, you should make the <tt class="filename">smb.conf</tt> file
3782 readable only to the user that runs Samba, and grant that MySQL user no more privileges than it
3783 needs on the Samba table. Storing the password in <tt class="filename">smb.conf</tt> is considered a security bug and will be fixed soon.
3784 </p></div><p>Names of the columns in this table (the column type each should have is given first):</p><p>
3785 </p><div class="table"><a name="id2884046"></a><p class="title"><b>Table 11.3. MySQL field names for MySQL passdb backend</b></p><table summary="MySQL field names for MySQL passdb backend" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Field</th><th align="left">Type</th><th align="justify">Contents</th></tr></thead><tbody><tr><td align="left">logon time column</td><td align="left">int(9)</td><td align="justify"> </td></tr><tr><td align="left">logoff time column</td><td align="left">int(9)</td><td align="justify"> </td></tr><tr><td align="left">kickoff time column</td><td align="left">int(9)</td><td align="justify"> </td></tr><tr><td align="left">pass last set time column</td><td align="left">int(9)</td><td align="justify"> </td></tr><tr><td align="left">pass can change time column</td><td align="left">int(9)</td><td align="justify"> </td></tr><tr><td align="left">pass must change time column</td><td align="left">int(9)</td><td align="justify"> </td></tr><tr><td align="left">username column</td><td align="left">varchar(255)</td><td align="justify">unix username</td></tr><tr><td align="left">domain column</td><td align="left">varchar(255)</td><td align="justify">NT domain user is part of</td></tr><tr><td align="left">nt username column</td><td align="left">varchar(255)</td><td align="justify">NT username</td></tr><tr><td align="left">fullname column</td><td align="left">varchar(255)</td><td align="justify">Full name of user</td></tr><tr><td align="left">home dir column</td><td align="left">varchar(255)</td><td align="justify">UNIX homedir path</td></tr><tr><td align="left">dir drive column</td><td align="left">varchar(2)</td><td align="justify">Directory drive path (eg: 'H:')</td></tr><tr><td align="left">logon script column</td><td align="left">varchar(255)</td><td align="justify">Batch file to run on client side when logging on</td></tr><tr><td align="left">profile path column</td><td 
align="left">varchar(255)</td><td align="justify">Path of profile</td></tr><tr><td align="left">acct desc column</td><td align="left">varchar(255)</td><td align="justify">Some ASCII NT user data</td></tr><tr><td align="left">workstations column</td><td align="left">varchar(255)</td><td align="justify">Workstations user can logon to (or NULL for all)</td></tr><tr><td align="left">unknown string column</td><td align="left">varchar(255)</td><td align="justify">unknown string</td></tr><tr><td align="left">munged dial column</td><td align="left">varchar(255)</td><td align="justify">?</td></tr><tr><td align="left">user sid column</td><td align="left">varchar(255)</td><td align="justify">NT user SID</td></tr><tr><td align="left">group sid column</td><td align="left">varchar(255)</td><td align="justify">NT group ID</td></tr><tr><td align="left">lanman pass column</td><td align="left">varchar(255)</td><td align="justify">encrypted lanman password</td></tr><tr><td align="left">nt pass column</td><td align="left">varchar(255)</td><td align="justify">encrypted nt passwd</td></tr><tr><td align="left">plain pass column</td><td align="left">varchar(255)</td><td align="justify">plaintext password</td></tr><tr><td align="left">acct control column</td><td align="left">int(9)</td><td align="justify">nt user data</td></tr><tr><td align="left">unknown 3 column</td><td align="left">int(9)</td><td align="justify">unknown</td></tr><tr><td align="left">logon divs column</td><td align="left">int(9)</td><td align="justify">?</td></tr><tr><td align="left">hours len column</td><td align="left">int(9)</td><td align="justify">?</td></tr><tr><td align="left">unknown 5 column</td><td align="left">int(9)</td><td align="justify">unknown</td></tr><tr><td align="left">unknown 6 column</td><td align="left">int(9)</td><td align="justify">unknown</td></tr></tbody></table></div><p>
3786 </p><p>
3787 Optionally, you can put a colon (:) after the name of each column, followed by the
3788 column to update when updating the table. If you
3789 specify nothing after the colon, the data in that field will not be
3790 updated.
3791 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2884435"></a>Using plaintext passwords or encrypted password</h4></div></div><div></div></div><p>
3792 The use of plaintext passwords is strongly discouraged (anyone who can query the table then reads every user's password directly); however, you can use them:
3793 </p><p>
3794 If you would like to use plaintext passwords, set
3795 'identifier:lanman pass column' and 'identifier:nt pass column' to
3796 'NULL' (without the quotes) and 'identifier:plain pass column' to the
3797 name of the column containing the plaintext passwords.
3798 </p><p>
3799 If you use encrypted passwords, set the 'identifier:plain pass
3800 column' to 'NULL' (without the quotes). This is the default.
3801 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2884465"></a>Getting non-column data from the table</h4></div></div><div></div></div><p>
3802 It is possible not to store every field as a column and instead supply some values as constants or SQL expressions.
3803 </p><p>
3804 For example, you can set 'identifier:fullname column' to :
3805 <b class="command">CONCAT(First_name,' ',Sur_name)</b>
3806 </p><p>
3807 Or, set 'identifier:workstations column' to :
3808 <b class="command">NULL</b></p><p>See the MySQL documentation for more language constructs.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="XMLpassdb"></a>XML</h3></div></div><div></div></div><p>This module requires libxml2 to be installed.</p><p>The usage of pdb_xml is pretty straightforward. To export data, use:
3809 </p><p>
3810 <tt class="prompt">$ </tt> <b class="userinput"><tt>pdbedit -e xml:filename</tt></b>
3811 </p><p>
3812 (where filename is the name of the file to put the data in; the file will contain the password hashes of every account, so create it with restrictive permissions and delete it when you are done)
3813 </p><p>
3814 To import data, use:
3815 <tt class="prompt">$ </tt> <b class="userinput"><tt>pdbedit -i xml:filename</tt></b>
3816 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884575"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2884582"></a>Users can not logon</h3></div></div><div></div></div><p>&#8220;<span class="quote">I've installed samba, but now I can't log on with my unix account!</span>&#8221;</p><p>Make sure your user has been added to the current samba <a class="indexterm" name="id2884600"></a><i class="parameter"><tt>passdb backend</tt></i>. Read the section <a href="#acctmgmttools" title="Account Management Tools">Account Management Tools</a> for details.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2884627"></a>Users being added to wrong backend database</h3></div></div><div></div></div><p>
3817 A few complaints have been received from users who had just moved to Samba-3. The following
3818 <tt class="filename">smb.conf</tt> entries were causing problems: new accounts were being added to the old
3819 smbpasswd file, not to the tdbsam passdb.tdb file:
3820 </p><p>
3821 </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>...</td></tr><tr><td><i class="parameter"><tt>passdb backend = smbpasswd, tdbsam</tt></i></td></tr><tr><td>...</td></tr></table><p>
3822 </p><p>
3823 Samba will add new accounts to the first entry in the <span class="emphasis"><em>passdb backend</em></span>
3824 parameter entry. If you want to update to the tdbsam, then change the entry to:
3825 </p><p>
3826 </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>...</td></tr><tr><td><i class="parameter"><tt>passdb backend = tdbsam, smbpasswd</tt></i></td></tr><tr><td>...</td></tr></table><p>
3827 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2884738"></a>auth methods does not work</h3></div></div><div></div></div><p>
3828 If you explicitly set an <a class="indexterm" name="id2884749"></a><i class="parameter"><tt>auth methods</tt></i> parameter, guest must be specified as the first
3829 entry on the line. Eg: <a class="indexterm" name="id2884756"></a><i class="parameter"><tt>auth methods</tt></i> = guest sam.
3830 </p><p>
3831 This is the exact opposite of the requirement for the <a class="indexterm" name="id2884784"></a><i class="parameter"><tt>passdb backend</tt></i>
3832 option, where the guest backend must be the <span class="emphasis"><em>LAST</em></span> entry on the line.
3833 </p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2883711" href="#id2883711">3</a>] </sup>Only when the LDAP server supports LDAP_EXOP_X_MODIFY_PASSWD</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. Mapping MS Windows and UNIX Groups</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2884967">Features and Benefits</a></dt><dt><a href="#id2885202">Discussion</a></dt><dd><dl><dt><a href="#id2885422">Example Configuration</a></dt></dl></dd><dt><a href="#id2885489">Configuration Scripts</a></dt><dd><dl><dt><a href="#id2885503">Sample smb.conf add group script</a></dt><dt><a href="#id2885582">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="#id2885658">Common Errors</a></dt><dd><dl><dt><a href="#id2885674">Adding Groups Fails</a></dt><dt><a href="#id2885742">Adding MS Windows Groups to MS Windows Groups Fails</a></dt><dt><a href="#id2885768">Adding Domain Users to the Power Users 
group</a></dt></dl></dd></dl></div><a class="indexterm" name="id2884895"></a><p>
3834 Starting with Samba-3, new group mapping functionality is available to create associations
3835 between Windows group SIDs and UNIX groups. The <b class="command">groupmap</b> subcommand
3836 included with the <span class="application">net</span> tool can be used to manage these associations.
3837 </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
3838 The first immediate reason to use group mapping on a Samba PDC is that
3839 <a class="indexterm" name="id2884936"></a>
3840 the <i class="parameter"><tt>domain admin group</tt></i> has been removed and should no longer
3841 be specified in <tt class="filename">smb.conf</tt>. This parameter was used to give the listed users membership
3842 in the <tt class="constant">Domain Admins</tt> Windows group which gave local admin rights on their workstations
3843 (in default configurations).
3844 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884967"></a>Features and Benefits</h2></div></div><div></div></div><p>
3845 Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to
3846 arbitrarily associate them with UNIX/Linux group accounts.
3847 </p><a class="indexterm" name="id2884983"></a><a class="indexterm" name="id2884991"></a><p>
3848 Group accounts can be managed using the MS Windows NT4 or MS Windows 200x / XP Professional MMC tools.
3849 Appropriate interface scripts should be provided in <tt class="filename">smb.conf</tt> if it is desired that UNIX / Linux system
3850 accounts should be automatically created when these tools are used. In the absence of these scripts, and
3851 so long as winbind is running, group accounts that are created using these tools will be
3852 allocated UNIX GIDs from the range set by the <a class="indexterm" name="id2885018"></a><i class="parameter"><tt>idmap uid</tt></i>/<a class="indexterm" name="id2885031"></a><i class="parameter"><tt>idmap gid</tt></i> settings
3853 in the <tt class="filename">smb.conf</tt> file.
3854 </p><div class="figure"><a name="idmap-group-diag"></a><p class="title"><b>Figure 12.1. IDMAP groups</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap-groups.png" width="270" alt="IDMAP groups"></div></div><a class="indexterm" name="id2885101"></a><a class="indexterm" name="id2885108"></a><p>
3855 Administrators should be aware that where <tt class="filename">smb.conf</tt> group interface scripts make
3856 direct calls to the UNIX/Linux system tools (eg: the shadow utilities, <b class="command">groupadd</b>,
3857 <b class="command">groupdel</b>, <b class="command">groupmod</b>) then the resulting UNIX/Linux group names will be subject
3858 to any limits imposed by these tools. If the tool does NOT allow upper case characters
3859 or space characters, then the creation of an MS Windows NT4 / 200x style group of
3860 <span class="emphasis"><em>Engineering Managers</em></span> will attempt to create an identically named
3861 UNIX/Linux group, an attempt that will of course fail!
3862 </p><a class="indexterm" name="id2885160"></a><a class="indexterm" name="id2885168"></a><p>
3863 There are several possible work-arounds for the operating system tools limitation. One
3864 method is to use a script that generates a name for the UNIX/Linux system group that
3865 fits the operating system limits, and that then just passes the UNIX/Linux group id (GID)
3866 back to the calling Samba interface. This will provide a dynamic work-around solution.
3867 </p><p>
3868 Another work-around is to manually create a UNIX/Linux group, then manually create the
3869 MS Windows NT4 / 200x group on the Samba server and then use the <b class="command">net groupmap</b>
3870 tool to connect the two to each other.
3871 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885202"></a>Discussion</h2></div></div><div></div></div><p>
3872 When installing <span class="application">MS Windows NT4 / 200x</span> on a computer, the installation
3873 program creates default users and groups, notably the <tt class="constant">Administrators</tt> group,
3874 and gives that group the privileges necessary to perform essential system tasks,
3875 eg: the ability to change the date and time or to kill (or close) any process running on the
3876 local machine.
3877 </p><a class="indexterm" name="id2885231"></a><p>
3878 The 'Administrator' user is a member of the 'Administrators' group, and thus inherits
3879 the 'Administrators' group privileges. If a 'joe' user is created to be a member of the
3880 'Administrators' group, 'joe' has exactly the same rights as 'Administrator'.
3881 </p><p>
3882 When an MS Windows NT4 / W200x machine is made a domain member, the "Domain Admins" group of the
3883 PDC is added to the local 'Administrators' group of the workstation. Every member of the
3884 'Domain Admins' group inherits the rights of the local 'Administrators' group when
3885 logging on to the workstation.
3886 </p><p>
3887 The following steps describe how to make Samba PDC users members of the 'Domain Admins' group:
3888 </p><div class="orderedlist"><ol type="1"><li><p>
3889 Create a UNIX group (usually in <tt class="filename">/etc/group</tt>); let's call it domadm.
3890 </p></li><li><p>Add to this group the users who must be domain administrators. For example,
3891 if you want joe, john and mary, your entry in <tt class="filename">/etc/group</tt> will
3892 look like:
3893 </p><pre class="programlisting">
3894 domadm:x:502:joe,john,mary
3895 </pre><p>
3896 </p></li><li><p>
3897 Map this domadm group to the "Domain Admins" group by running the command:
3898 </p><p>
3899 </p><pre class="screen">
3900 <tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</tt></b>
3901 </pre><p>
3902 </p><a class="indexterm" name="id2885344"></a><p>
3903 The quotes around "Domain Admins" are necessary due to the space in the group name.
3904 Also make sure to leave no whitespace surrounding the equal character (=).
3905 </p></li></ol></div><p>
3906 Now joe, john and mary are domain administrators!
3907 </p><a class="indexterm" name="id2885365"></a><p>
3908 It is possible to map any arbitrary UNIX group to any Windows NT4 / 200x group as well as
3909 making any UNIX group a Windows domain group. For example, if you wanted to include a
3910 UNIX group (e.g. acct) in an ACL on a local file or printer on a domain member machine,
3911 you would flag that group as a domain group by running the following on the Samba PDC:
3912 </p><p>
3913 </p><pre class="screen">
3914 <tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</tt></b>
3915 </pre><p>
3916 </p><p>
3917 Be aware that the RID parameter is an unsigned 32 bit integer that should
3918 normally start at 1000. However, this RID must not overlap with any RID assigned
3919 to a user. Verifying this is done differently depending on the passdb backend
3920 you are using. Future versions of the tools may perform the verification automatically,
3921 but for now the burden is on you.
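That verification can be scripted. The following bash script is an added example, not part of the Samba documentation: it checks a proposed RID against the existing group mappings and against user RIDs before you run net groupmap add. It assumes Samba-3's default algorithmic RID allocation for users (algorithmic rid base left at 1000, so a user's RID is 2*uid + 1000) and works on constructed sample data in the format printed by net groupmap list.

```bash
#!/bin/bash
# Added example (not part of the Samba documentation): check a proposed group RID
# before running "net groupmap add rid=N ...". A RID is rejected when it lies in
# the well-known range below 1000, is already used by a mapped group, or is
# already held by a user. User RIDs are derived here with Samba-3's default
# algorithmic mapping (assumption: "algorithmic rid base" left at 1000, so a
# user's RID is 2*uid + 1000); for another passdb backend, feed that backend's
# user listing into user_rids instead.

# Constructed sample in the format printed by "net groupmap list".
GROUPMAP_SAMPLE='System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin
Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest'

# Constructed sample of the Samba users and their UNIX uids, as name:uid.
USERS_SAMPLE='joe:500
john:501
mary:502'

# Print the RID (last component of the SID) of every mapping read on stdin.
groupmap_rids() {
    sed -n 's/^.* (S-1-5-21-[0-9-]*-\([0-9][0-9]*\)) -> .*$/\1/p'
}

# Print the algorithmic user RID for every name:uid line read on stdin.
user_rids() {
    awk -F: '{ print 2 * $2 + 1000 }'
}

# check_rid RID: prints "ok" and returns 0 when RID is free, otherwise prints
# the reason ("invalid: ...", "reserved: ...", "conflict: ...") and returns 1.
check_rid() {
    rid=$1
    case $rid in
        ''|*[!0-9]*) echo "invalid: RID must be an unsigned integer"; return 1 ;;
    esac
    if [ "$rid" -lt 1000 ]; then
        echo "reserved: RIDs below 1000 are well-known (512 is Domain Admins)"
        return 1
    fi
    if printf '%s\n' "$GROUPMAP_SAMPLE" | groupmap_rids | grep -qx "$rid"; then
        echo "conflict: RID $rid is already mapped to a group"
        return 1
    fi
    if printf '%s\n' "$USERS_SAMPLE" | user_rids | grep -qx "$rid"; then
        echo "conflict: RID $rid is already assigned to a user"
        return 1
    fi
    echo ok
}

# Example use: only add the mapping when the RID is free.
# check_rid 1000 && net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct
```

On a live server, replace GROUPMAP_SAMPLE and USERS_SAMPLE with the real output of net groupmap list and your passdb user listing.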
3922 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2885422"></a>Example Configuration</h3></div></div><div></div></div><p>
3923 You can list the various groups in the mapping database by executing
3924 <b class="command">net groupmap list</b>. Here is an example:
3925 </p><p>
3926 </p><pre class="screen">
3927 <tt class="prompt">root# </tt> <b class="userinput"><tt>net groupmap list</tt></b>
3928 System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -&gt; sysadmin
3929 Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -&gt; domadmin
3930 Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -&gt; domuser
3931 Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -&gt; domguest
3932 </pre><p>
3933 </p><p>
3934 For complete details on <b class="command">net groupmap</b>, refer to the net(8) man page.
3935 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885489"></a>Configuration Scripts</h2></div></div><div></div></div><p>
3936 Everyone needs tools. Some of us like to create our own, others prefer to use canned tools
3937 (ie: prepared by someone else for general use).
3938 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2885503"></a>Sample <tt class="filename">smb.conf</tt> add group script</h3></div></div><div></div></div><p>
3939 A script that creates group names that comply with the system tool limits, for use by the Samba group interfaces:
3940 </p><p>
3941 </p><div class="example"><a name="id2885526"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><pre class="programlisting">
#!/bin/bash
# Called from smb.conf as: add group script = /path_to_tool/smbgrpadd.sh %g
# $1 is the MS Windows group name, which groupadd may reject (upper case, spaces).
# Add the group under a temporary, groupadd-compliant name using the normal system tool.
groupadd smbtmpgrp00 || exit 1
# Read back the GID allocated to it; anchor on the whole name field so a partial match cannot mislead.
thegid=`grep '^smbtmpgrp00:' /etc/group | cut -d ':' -f3`
# Now change the name to what we want for the MS Windows networking end.
# The name is quoted so that spaces survive; it must not contain '/' or '&amp;', which sed treats specially.
cp /etc/group /etc/group.bak
sed "s/^smbtmpgrp00:/$1:/" /etc/group.bak &gt; /etc/group
# Note: /etc/gshadow (where present) still carries the temporary name.
# Now return the GID as would normally happen.
echo "$thegid"
exit 0
3957 </pre></div><p>
3958 </p><p>
3959 The <tt class="filename">smb.conf</tt> entry for the above script would look like:
3960 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>add group script = /path_to_tool/smbgrpadd.sh %g</tt></i></td></tr></table><p>
3961 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2885582"></a>Script to configure Group Mapping</h3></div></div><div></div></div><p>
3962 In our example we have created a UNIX/Linux group called <span class="emphasis"><em>ntadmin</em></span>.
3963 Our script will create the additional groups <span class="emphasis"><em>Orks</em></span>, <span class="emphasis"><em>Elves</em></span>, <span class="emphasis"><em>Gnomes</em></span>:
3964 </p><p>
3965 </p><pre class="programlisting">
3966 #!/bin/bash
3968 net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
3969 net groupmap modify ntgroup="Domain Users" unixgroup=users
3970 net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
3971 net groupmap modify ntgroup="Administrators" unixgroup=root
3972 net groupmap modify ntgroup="Users" unixgroup=users
3973 net groupmap modify ntgroup="Guests" unixgroup=nobody
3974 net groupmap modify ntgroup="System Operators" unixgroup=sys
3975 net groupmap modify ntgroup="Account Operators" unixgroup=root
3976 net groupmap modify ntgroup="Backup Operators" unixgroup=bin
3977 net groupmap modify ntgroup="Print Operators" unixgroup=lp
3978 net groupmap modify ntgroup="Replicators" unixgroup=daemon
3979 net groupmap modify ntgroup="Power Users" unixgroup=sys
3981 groupadd Orks
3982 groupadd Elves
3983 groupadd Gnomes
3985 net groupmap add ntgroup="Orks" unixgroup=Orks type=d
3986 net groupmap add ntgroup="Elves" unixgroup=Elves type=d
3987 net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
3988 </pre><p>
3989 </p><p>
3990 Of course it is expected that the administrator will modify this to suit local needs.
3991 For information regarding the use of the <b class="command">net groupmap</b> tool please
3992 refer to the man page.
3993 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885658"></a>Common Errors</h2></div></div><div></div></div><p>
3994 At this time there are many little surprises for the unwary administrator. In a real sense
3995 it is imperative that every step of an automated control script be carefully tested
3996 manually before putting it into active service.
3997 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2885674"></a>Adding Groups Fails</h3></div></div><div></div></div><p>
3998 This is a common problem when <b class="command">groupadd</b> is called directly
3999 by the Samba interface script for the <a class="indexterm" name="id2885694"></a><i class="parameter"><tt>add group script</tt></i> in
4000 the <tt class="filename">smb.conf</tt> file.
4001 </p><p>
4002 The most common cause of failure is an attempt to add an MS Windows group account
4003 that has an upper case character and/or a space character in it.
4004 </p><p>
4005 There are three possible work-arounds. Firstly, use only group names that comply
4006 with the limitations of the UNIX/Linux <b class="command">groupadd</b> system tool.
4007 The second involves use of the script mentioned earlier in this chapter, and the
4008 third option is to manually create a UNIX/Linux group account that can substitute
4009 for the MS Windows group name, then use the procedure listed above to map that group
4010 to the MS Windows group.
4011 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2885742"></a>Adding MS Windows Groups to MS Windows Groups Fails</h3></div></div><div></div></div><a class="indexterm" name="id2885751"></a><p>
4012 Samba-3 does NOT support nested groups from the MS Windows control environment.
4013 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2885768"></a>Adding <span class="emphasis"><em>Domain Users</em></span> to the <span class="emphasis"><em>Power Users</em></span> group</h3></div></div><div></div></div><p>&#8220;<span class="quote">
4014 What must I do to add Domain Users to the Power Users group?
4015 </span>&#8221;</p><p>
4016 The Power Users group is a group that is local to each Windows
4017 200x / XP Professional workstation. You can not add the Domain Users group to the Power Users
4018 group automatically; this must be done on each workstation by logging in as the local workstation
4019 <span class="emphasis"><em>administrator</em></span> and then clicking on Start / Control Panel / Users and Passwords,
4020 then clicking on the 'Advanced' tab, then on the 'Advanced' Button.
4021 </p><a class="indexterm" name="id2885807"></a><p>
4022 Now click on 'Groups', then double click on 'Power Users'. This will launch the panel to add users
4023 or groups to the local machine 'Power Users' group. Click on the 'Add' button, select the domain
4024 from which the 'Domain Users' group is to be added, double click on the 'Domain Users' group, then
4025 click on the 'Ok' button. Note: If a logon box is presented during this process please remember to
4026 enter the credentials as DOMAIN\UserName. ie: For the domain MIDEARTH and the user 'root' enter
4027 MIDEARTH\root.
4028 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 13. File, Directory and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2886024">Features and Benefits</a></dt><dt><a href="#id2886154">File System Access Controls</a></dt><dd><dl><dt><a href="#id2886190">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt><a href="#id2886489">Managing Directories</a></dt><dt><a href="#id2886582">File and Directory Access Control</a></dt></dl></dd><dt><a href="#id2886810">Share Definition Access Controls</a></dt><dd><dl><dt><a href="#id2886837">User and Group Based Controls</a></dt><dt><a href="#id2887260">File and Directory Permissions Based Controls</a></dt><dt><a href="#id2887639">Miscellaneous 
Controls</a></dt></dl></dd><dt><a href="#id2888020">Access Controls on Shares</a></dt><dd><dl><dt><a href="#id2888092">Share Permissions Management</a></dt></dl></dd><dt><a href="#id2888391">MS Windows Access Control Lists and UNIX Interoperability</a></dt><dd><dl><dt><a href="#id2888399">Managing UNIX permissions Using NT Security Dialogs</a></dt><dt><a href="#id2888444">Viewing File Security on a Samba Share</a></dt><dt><a href="#id2888523">Viewing file ownership</a></dt><dt><a href="#id2888655">Viewing File or Directory Permissions</a></dt><dt><a href="#id2888889">Modifying file or directory permissions</a></dt><dt><a href="#id2889049">Interaction with the standard Samba create mask
4029 parameters</a></dt><dt><a href="#id2889446">Interaction with the standard Samba file attribute mapping</a></dt></dl></dd><dt><a href="#id2889526">Common Errors</a></dt><dd><dl><dt><a href="#id2889540">Users can not write to a public share</a></dt><dt><a href="#id2889969">I have set force user but Samba still makes root the owner of all the files I touch!</a></dt><dt><a href="#id2890022">MS Word with Samba changes owner of file</a></dt></dl></dd></dl></div><a class="indexterm" name="id2885947"></a><p>
4030 Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of
4031 resources shared via Samba do not behave in the manner they might expect. MS Windows network
4032 administrators are often confused regarding network access controls and how to
4033 provide users with the access they need while protecting resources from unauthorised access.
4034 </p><p>
4035 Many UNIX administrators are unfamiliar with the MS Windows environment and in particular
4036 have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file
4037 and directory access permissions.
4038 </p><p>
4039 The problem lies in the differences in how file and directory permissions and controls work
4040 between the two environments. This difference is one that Samba can not completely hide, even
4041 though it does try to bridge the chasm to a degree.
4042 </p><a class="indexterm" name="id2885983"></a><p>
4043 POSIX Access Control List technology has been available (along with Extended Attributes)
4044 for UNIX for many years, yet there is little evidence today of any significant use. This
4045 explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows
4046 administrators are astounded at this given that ACLs were a foundational capability of the now
4047 decade old MS Windows NT operating system.
4048 </p><p>
4049 The purpose of this chapter is to present each of the points of control that are possible with
4050 Samba-3 in the hope that this will help the network administrator to find the optimum method
4051 for delivering the best environment for MS Windows desktop users.
4052 </p><p>
4053 This is an opportune point to mention that Samba was created to provide a means of interoperability
4054 and interchange of data between differing operating environments. Samba has no intent to change
4055 UNIX/Linux into a platform like MS Windows. Instead the purpose was and is to provide a sufficient
4056 level of exchange of data between the two environments. What is available today extends well
4057 beyond early plans and expectations, yet the gap continues to shrink.
4058 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886024"></a>Features and Benefits</h2></div></div><div></div></div><p>
4059 Samba offers a lot of flexibility in file system access management. These are the key access control
4060 facilities present in Samba today:
4061 </p><div class="itemizedlist"><p class="title"><b>Samba Access Control Facilities</b></p><ul type="disc"><li><p>
4062 <span class="emphasis"><em>UNIX File and Directory Permissions</em></span>
4063 </p><p>
4064 Samba honours and implements UNIX file system access controls. Users
4065 who access a Samba server will do so as a particular MS Windows user.
4066 This information is passed to the Samba server as part of the logon or
4067 connection setup process. Samba uses this user identity to validate
4068 whether or not the user should be given access to file system resources
4069 (files and directories). This chapter provides an overview for those
4070 to whom the UNIX permissions and controls are a little strange or unknown.
4071 </p></li><li><p>
4072 <span class="emphasis"><em>Samba Share Definitions</em></span>
4073 </p><p>
4074 In configuring share settings and controls in the <tt class="filename">smb.conf</tt> file
4075 the network administrator can exercise over-rides to native file
4076 system permissions and behaviours. This can be handy and convenient
4077 to affect behaviour that is more like what MS Windows NT users expect
4078 but it is seldom the <span class="emphasis"><em>best</em></span> way to achieve this.
4079 The basic options and techniques are described herein.
4080 </p></li><li><p>
4081 <span class="emphasis"><em>Samba Share ACLs</em></span>
4082 </p><p>
4083 Just like it is possible in MS Windows NT to set ACLs on shares
4084 themselves, so it is possible to do this in Samba.
4085 Very few people make use of this facility, yet it remains one of the
4086 easiest ways to affect access controls (restrictions) and can often
4087 do so with minimum invasiveness compared with other methods.
4088 </p></li><li><p>
4089 <span class="emphasis"><em>MS Windows ACLs through UNIX POSIX ACLs</em></span>
4090 </p><p>
4091 The use of POSIX ACLs on UNIX/Linux is possible ONLY if the underlying
4092 operating system supports them. If not, then this option will not be
4093 available to you. Current UNIX technology platforms have native support
4094 for POSIX ACLs. There are patches for the Linux kernel that provide
4095 this also. Sadly, few Linux platforms ship today with native ACLs and
4096 Extended Attributes enabled. This chapter has pertinent information
4097 for users of platforms that support them.
4098 </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886154"></a>File System Access Controls</h2></div></div><div></div></div><p>
4099 Perhaps the most important recognition to be made is the simple fact that MS Windows NT4 / 200x / XP
4100 implement a totally divergent file system technology from what is provided in the UNIX operating system
4101 environment. Firstly we should consider what the most significant differences are, then we shall look
4102 at how Samba helps to bridge the differences.
4103 </p><a class="indexterm" name="id2886173"></a><a class="indexterm" name="id2886182"></a><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886190"></a>MS Windows NTFS Comparison with UNIX File Systems</h3></div></div><div></div></div><p>
4104 Samba operates on top of the UNIX file system. This means it is subject to UNIX file system conventions
4105 and permissions. It also means that if the MS Windows networking environment requires file system
4106 behaviour that differs from unix file system behaviour then somehow Samba is responsible for emulating
4107 that in a transparent and consistent manner.
4108 </p><p>
4109 It is good news that Samba does this to a very large extent and on top of that provides a high degree
4110 of optional configuration to over-ride the default behaviour. We will look at some of these over-rides,
4111 but for the greater part we will stay within the bounds of default behaviour. Those wishing to explore
4112 the depths of control available should review the <tt class="filename">smb.conf</tt> man page.
4113 </p><div class="variablelist"><p class="title"><b>File System Feature Comparison</b></p><dl><dt><span class="term">Name Space</span></dt><dd><p>
4114 MS Windows NT4 / 200x / XP file names may be up to 254 characters long, UNIX file names
4115 may be 1023 characters long. In MS Windows file extensions indicate particular file types,
4116 in UNIX this is not so rigorously observed as all names are considered arbitrary.
4117 </p><p>
4118 What MS Windows calls a Folder, UNIX calls a directory.
4119 </p></dd><dt><span class="term">Case Sensitivity</span></dt><dd><p>
4120 <a class="indexterm" name="id2886276"></a>
4121 MS Windows file names are generally upper case if made up of 8.3 (ie: 8 character file name
4122 and 3 character extension). If longer than 8.3, file names are Case Preserving and Case
4123 Insensitive.
4124 </p><p>
4125 UNIX file and directory names are case sensitive and case preserving. Samba implements the
4126 MS Windows file name behaviour, but it does so as a user application. The UNIX file system
4127 provides no mechanism to perform case insensitive file name lookups. MS Windows does this
4128 by default. This means that Samba has to carry the processing overhead to provide features
4129 that are NOT native to the UNIX operating system environment.
4130 </p><p>
4131 Consider the following, all are unique UNIX names but one single MS Windows file name:
4132 </p><pre class="screen">
MYFILE.TXT
MyFile.txt
myfile.txt
4136 </pre><p>
4137 So clearly, in an MS Windows file name space these three files CAN NOT co-exist! But in UNIX
4138 they can. So what should Samba do if all three are present? Answer, the one that is lexically
4139 first will be accessible to MS Windows users, the others are invisible and inaccessible - any
4140 other solution would be suicidal.
4141 </p></dd><dt><span class="term">Directory Separators</span></dt><dd><p>
4142 MS Windows and DOS use the back-slash '\' as a directory delimiter, UNIX uses the forward-slash '/'
4143 as its directory delimiter. This is transparently handled by Samba.
4144 </p></dd><dt><span class="term">Drive Identification</span></dt><dd><p>
4145 MS Windows products support a notion of drive letters, like <b class="command">C:</b> to represent
4146 disk partitions. UNIX has NO concept of separate identifiers for file partitions since each
4147 such file system is <tt class="filename">mounted</tt> to become part of the over-all directory tree.
4148 The UNIX directory tree begins at '/', just like the root of a DOS drive is specified like
4149 <b class="command">C:\</b>.
4150 </p></dd><dt><span class="term">File Naming Conventions</span></dt><dd><p>
4151 MS Windows generally never experiences file names that begin with a '.', while in UNIX these
4152 are commonly found in a user's home directory. Files that begin with a '.' are typically
4153 either start up files for various UNIX applications, or they may be files that contain
4154 start-up configuration data.
4155 </p></dd><dt><span class="term">Links and Short-Cuts</span></dt><dd><p>
4156 <a class="indexterm" name="id2886426"></a>
4157 <a class="indexterm" name="id2886437"></a>
4158 <a class="indexterm" name="id2886448"></a>
4160 MS Windows makes use of "links and Short-Cuts" that are actually special types of files that will
4161 redirect an attempt to execute the file to the real location of the file. UNIX knows of file and directory
4162 links, but they are entirely different from what MS Windows users are used to.
4163 </p><p>
4164 Symbolic links are files in UNIX that contain the actual location of the data (file OR directory). An
4165 operation (like read or write) will operate directly on the file referenced. Symbolic links are also
4166 referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows
4167 one physical file to be known simultaneously by more than one file name.
4168 </p></dd></dl></div><p>
4169 There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort
4170 in the process of becoming familiar with UNIX/Linux. These are best left for a text that is dedicated to the
4171 purpose of UNIX/Linux training/education.
4172 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886489"></a>Managing Directories</h3></div></div><div></div></div><p>
4173 There are three basic operations for managing directories, <b class="command">create, delete, rename</b>.
4174 </p><div class="table"><a name="id2886508"></a><p class="title"><b>Table 13.1. Managing directories with unix and windows</b></p><table summary="Managing directories with unix and windows" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Action</th><th align="center">MS Windows Command</th><th align="center">UNIX Command</th></tr></thead><tbody><tr><td align="center">create</td><td align="center">md folder</td><td align="center">mkdir folder</td></tr><tr><td align="center">delete</td><td align="center">rd folder</td><td align="center">rmdir folder</td></tr><tr><td align="center">rename</td><td align="center">rename oldname newname</td><td align="center">mv oldname newname</td></tr></tbody></table></div><p>
4175 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886582"></a>File and Directory Access Control</h3></div></div><div></div></div><p>
4176 The network administrator is strongly advised to read foundational training manuals and reference materials
4177 regarding file and directory permissions maintenance. Much can be achieved with the basic UNIX permissions
4178 without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended
4179 Attributes (EAs).
4180 </p><p>
4181 UNIX/Linux file and directory access permissions involve setting three (3) primary sets of data and one (1) control set.
4182 A UNIX file listing looks as follows:-
4184 </p><pre class="screen">
4185 <tt class="prompt">$ </tt><b class="userinput"><tt>ls -la</tt></b>
4186 total 632
4187 drwxr-xr-x 13 maryo gnomes 816 2003-05-12 22:56 .
4188 drwxrwxr-x 37 maryo gnomes 3800 2003-05-12 22:29 ..
4189 dr-xr-xr-x 2 maryo gnomes 48 2003-05-12 22:29 muchado02
4190 drwxrwxrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado03
4191 drw-rw-rw- 2 maryo gnomes 48 2003-05-12 22:29 muchado04
4192 d-w--w--w- 2 maryo gnomes 48 2003-05-12 22:29 muchado05
4193 dr--r--r-- 2 maryo gnomes 48 2003-05-12 22:29 muchado06
4194 drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08
4195 ---------- 1 maryo gnomes 1242 2003-05-12 22:31 mydata00.lst
4196 --w--w--w- 1 maryo gnomes 7754 2003-05-12 22:33 mydata02.lst
4197 -r--r--r-- 1 maryo gnomes 21017 2003-05-12 22:32 mydata04.lst
4198 -rw-rw-rw- 1 maryo gnomes 41105 2003-05-12 22:32 mydata06.lst
4199 <tt class="prompt">$ </tt>
4200 </pre><p>
4201 </p><p>
4202 The columns above represent (from left to right): permissions, number of hard links to file, owner, group, size (bytes), access date, access time, file name.
4203 </p><p>
4204 An overview of the permissions field can be found in <a href="#access1" title="Figure 13.1. Overview of unix permissions field">the image below</a>.
4205 </p><div class="figure"><a name="access1"></a><p class="title"><b>Figure 13.1. Overview of unix permissions field</b></p><div class="mediaobject"><img src="projdoc/imagefiles/access1.png" width="270" alt="Overview of unix permissions field"></div></div><p>
4206 Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character.
4208 </p><div class="example"><a name="id2886704"></a><p class="title"><b>Example 13.1. Example File</b></p><pre class="programlisting">
4209 -rwxr-x--- Means: The owner (user) can read, write, execute
4210 the group can read and execute
4211 everyone else can NOT do anything with it
4212 </pre></div><p>
4214 </p><p>
4215 Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = UNIX Domain Socket.
4216 </p><p>
4217 The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
4218 execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
4219 sticky (t).
4220 </p><p>
4221 When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner.
4222 Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on
4223 directories, such as /tmp, that are world-writable.
4224 </p><p>
4225 When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or
4226 group whose 'set user or group' bit is set. This can be very helpful in setting up directories in which it is desired that
4227 all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file
4228 to be exclusively owned by a user whose primary group is not the group that all such users belong to.
4229 </p><p>
4230 When a directory is set <tt class="constant">drw-r-----</tt> this means that the owner can read and create (write) files in it, but because
4231 the (x) execute flags are not set, files can not be listed (seen) in the directory by anyone. The group can read files in the
4232 directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then
4233 group members will be able to write to (or delete) them.
4234 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886810"></a>Share Definition Access Controls</h2></div></div><div></div></div><p>
4235 The following parameters, in the <tt class="filename">smb.conf</tt> file sections that define a share, control or affect access controls.
4236 Before using any of the following options please refer to the man page for <tt class="filename">smb.conf</tt>.
4237 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886837"></a>User and Group Based Controls</h3></div></div><div></div></div><p>
4238 User and group based controls can prove very useful. In some situations it is distinctly desirable to perform all
4239 file system operations as if a single user were doing them; the use of the <a class="indexterm" name="id2886852"></a><i class="parameter"><tt>force user</tt></i> and
4240 <a class="indexterm" name="id2886865"></a><i class="parameter"><tt>force group</tt></i> behaviour will achieve this. In other situations it may be necessary to apply a
4241 paranoid level of control to ensure that only particular authorised persons will be able to access a share or
4242 its contents; here the use of the <a class="indexterm" name="id2886884"></a><i class="parameter"><tt>valid users</tt></i> or the <a class="indexterm" name="id2886897"></a><i class="parameter"><tt>invalid users</tt></i> parameters may
4243 be most useful.
4244 </p><p>
4245 As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for
4246 controlling access. Remember, that when you leave the scene someone else will need to provide assistance and
4247 if that person finds too great a mess, or if they do not understand what you have done then there is risk of
4248 Samba being removed and an alternative solution being adopted.
4249 </p><div class="table"><a name="id2886925"></a><p class="title"><b>Table 13.2. User and Group Based Controls</b></p><table summary="User and Group Based Controls" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td align="left"><a class="indexterm" name="id2886982"></a><i class="parameter"><tt>admin users</tt></i></td><td align="justify"><p>
4250 List of users who will be granted administrative privileges on the share.
4251 They will do all file operations as the super-user (root).
4252 Any user in this list will be able to do anything they like on the share,
4253 irrespective of file permissions.
4254 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887012"></a><i class="parameter"><tt>force group</tt></i></td><td align="justify"><p>
4255 Specifies a UNIX group name that will be assigned as the default primary group
4256 for all users connecting to this service.
4257 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887039"></a><i class="parameter"><tt>force user</tt></i></td><td align="justify"><p>
4258 Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service.
4259 This is useful for sharing files. Incorrect use can cause security problems.
4260 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887068"></a><i class="parameter"><tt>guest ok</tt></i></td><td align="justify"><p>
4261 If this parameter is set for a service, then no password is required to connect to the service. Privileges will be
4262 those of the guest account.
4263 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887095"></a><i class="parameter"><tt>invalid users</tt></i></td><td align="justify"><p>
4264 List of users that should not be allowed to login to this service.
4265 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887121"></a><i class="parameter"><tt>only user</tt></i></td><td align="justify"><p>
4266 Controls whether connections with usernames not in the user list will be allowed.
4267 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887148"></a><i class="parameter"><tt>read list</tt></i></td><td align="justify"><p>
4268 List of users that are given read-only access to a service. Users in this list
4269 will not be given write access, no matter what the read only option is set to.
4270 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887176"></a><i class="parameter"><tt>username</tt></i></td><td align="justify"><p>
4271 Refer to the <tt class="filename">smb.conf</tt> man page for more information - this is a complex and potentially misused parameter.
4272 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887208"></a><i class="parameter"><tt>valid users</tt></i></td><td align="justify"><p>
4273 List of users that should be allowed to login to this service.
4274 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887235"></a><i class="parameter"><tt>write list</tt></i></td><td align="justify"><p>
4275 List of users that are given read-write access to a service.
4276 </p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887260"></a>File and Directory Permissions Based Controls</h3></div></div><div></div></div><p>
The following file and directory permission based controls, if misused, can make it considerably more difficult to
diagnose the cause of a mis-configuration. Use them sparingly and carefully. By introducing them gradually, one at a time,
undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually
re-introduce them in a controlled fashion.
4281 </p><div class="table"><a name="id2887281"></a><p class="title"><b>Table 13.3. File and Directory Permission Based Controls</b></p><table summary="File and Directory Permission Based Controls" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td align="left"><a class="indexterm" name="id2887336"></a><i class="parameter"><tt>create mask</tt></i></td><td align="justify"><p>
4282 Refer to the <tt class="filename">smb.conf</tt> man page.
4283 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887367"></a><i class="parameter"><tt>directory mask</tt></i></td><td align="justify"><p>
4284 The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories.
4285 See also: directory security mask.
4286 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887394"></a><i class="parameter"><tt>dos filemode</tt></i></td><td align="justify"><p>
4287 Enabling this parameter allows a user who has write access to the file to modify the permissions on it.
4288 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887421"></a><i class="parameter"><tt>force create mode</tt></i></td><td align="justify"><p>
4289 This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba.
4290 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887447"></a><i class="parameter"><tt>force directory mode</tt></i></td><td align="justify"><p>
4291 This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba.
4292 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887476"></a><i class="parameter"><tt>force directory security mode</tt></i></td><td align="justify"><p>
Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory.
4294 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887504"></a><i class="parameter"><tt>force security mode</tt></i></td><td align="justify"><p>
4295 Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions.
4296 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887530"></a><i class="parameter"><tt>hide unreadable</tt></i></td><td align="justify"><p>
4297 Prevents clients from seeing the existence of files that cannot be read.
4298 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887557"></a><i class="parameter"><tt>hide unwriteable files</tt></i></td><td align="justify"><p>
4299 Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual.
4300 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887585"></a><i class="parameter"><tt>nt acl support</tt></i></td><td align="justify"><p>
4301 This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists.
4302 </p></td></tr><tr><td align="left"><a class="indexterm" name="id2887611"></a><i class="parameter"><tt>security mask</tt></i></td><td align="justify"><p>
4303 Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file.
4304 </p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887639"></a>Miscellaneous Controls</h3></div></div><div></div></div><p>
4305 The following are documented because of the prevalence of administrators creating inadvertent barriers to file
4306 access by not understanding the full implications of <tt class="filename">smb.conf</tt> file settings.
4307 </p><div class="table"><a name="id2887661"></a><p class="title"><b>Table 13.4. Other Controls</b></p><table summary="Other Controls" border="1"><colgroup><col align="justify"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td align="justify"><a class="indexterm" name="id2887716"></a><i class="parameter"><tt>case sensitive</tt></i>, <a class="indexterm" name="id2887730"></a><i class="parameter"><tt>default case</tt></i>, <a class="indexterm" name="id2887744"></a><i class="parameter"><tt>short preserve case</tt></i></td><td align="justify"><p>
4308 This means that all file name lookup will be done in a case sensitive manner.
4309 Files will be created with the precise filename Samba received from the MS Windows client.
4310 </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2887772"></a><i class="parameter"><tt>csc policy</tt></i></td><td align="justify"><p>
4311 Client Side Caching Policy - parallels MS Windows client side file caching capabilities.
4312 </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2887799"></a><i class="parameter"><tt>dont descend</tt></i></td><td align="justify"><p>
Allows you to specify a comma-delimited list of directories that the server should always show as empty.
4314 </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2887826"></a><i class="parameter"><tt>dos filetime resolution</tt></i></td><td align="justify"><p>
4315 This option is mainly used as a compatibility option for Visual C++ when used against Samba shares.
4316 </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2887853"></a><i class="parameter"><tt>dos filetimes</tt></i></td><td align="justify"><p>
DOS and Windows allow users to change file time stamps if they can write to the file. POSIX semantics prevent this.
This option allows DOS and Windows behaviour.
4319 </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2887882"></a><i class="parameter"><tt>fake oplocks</tt></i></td><td align="justify"><p>
4320 Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an
4321 oplock then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data.
4322 </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2887912"></a><i class="parameter"><tt>hide dot files</tt></i>, <a class="indexterm" name="id2887926"></a><i class="parameter"><tt>hide files</tt></i>, <a class="indexterm" name="id2887939"></a><i class="parameter"><tt>veto files</tt></i></td><td align="justify"><p>
Note: MS Windows Explorer can be set to show hidden files, so files marked as hidden will still be visible.
4324 </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2887966"></a><i class="parameter"><tt>read only</tt></i></td><td align="justify"><p>
4325 If this parameter is yes, then users of a service may not create or modify files in the service's directory.
4326 </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2887993"></a><i class="parameter"><tt>veto files</tt></i></td><td align="justify"><p>
4327 List of files and directories that are neither visible nor accessible.
4328 </p></td></tr></tbody></table></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888020"></a>Access Controls on Shares</h2></div></div><div></div></div><p>
This section deals with how to configure Samba per-share access control restrictions.
4330 By default, Samba sets no restrictions on the share itself. Restrictions on the share itself
4331 can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
4332 connect to a share. In the absence of specific restrictions the default setting is to allow
4333 the global user <tt class="constant">Everyone</tt> Full Control (ie: Full control, Change and Read).
4334 </p><p>
At this time Samba does NOT provide a tool for configuring access control settings on the Share
itself. Samba does have the capacity to store and act on access control settings, but the only
way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for
Computer Management.
4339 </p><p>
4340 Samba stores the per share access control settings in a file called <tt class="filename">share_info.tdb</tt>.
The location of this file on your system will depend on how Samba was compiled. The default location
4342 for Samba's tdb files is under <tt class="filename">/usr/local/samba/var</tt>. If the <tt class="filename">tdbdump</tt>
4343 utility has been compiled and installed on your system, then you can examine the contents of this file
4344 by: <b class="userinput"><tt>tdbdump share_info.tdb</tt></b>.
4345 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888092"></a>Share Permissions Management</h3></div></div><div></div></div><p>
The best tool for the task is platform dependent. Choose the best tool for your environment.
4347 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2888105"></a>Windows NT4 Workstation/Server</h4></div></div><div></div></div><p>
4348 The tool you need to use to manage share permissions on a Samba server is the NT Server Manager.
4349 Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation.
4350 You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.
4351 </p><div class="procedure"><p class="title"><b>Procedure 13.1. Instructions</b></p><ol type="1"><li><p>
4352 Launch the <span class="application">NT4 Server Manager</span>, click on the Samba server you want to administer, then from the menu
4353 select <span class="guimenu">Computer</span>, then click on the <span class="guimenuitem">Shared Directories</span> entry.
4354 </p></li><li><p>
4355 Now click on the share that you wish to manage, then click on the <span class="guilabel">Properties</span> tab, next click on
4356 the <span class="guilabel">Permissions</span> tab. Now you can add or change access control settings as you wish.
4357 </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2888188"></a>Windows 200x/XP</h4></div></div><div></div></div><p>
On <span class="application">MS Windows NT4/200x/XP</span> systems, access control lists on the share itself are set using native
tools, usually from the file manager. For example, in Windows 200x: right click on the shared folder,
4360 then select <span class="guimenuitem">Sharing</span>, then click on <span class="guilabel">Permissions</span>. The default
4361 Windows NT4/200x permission allows <span class="emphasis"><em>Everyone</em></span> Full Control on the Share.
4362 </p><p>
MS Windows 200x and later all come with a tool called the <span class="application">Computer Management</span> snap-in for the
4364 Microsoft Management Console (MMC). This tool is located by clicking on <tt class="filename">Control Panel -&gt;
4365 Administrative Tools -&gt; Computer Management</tt>.
4366 </p><div class="procedure"><p class="title"><b>Procedure 13.2. Instructions</b></p><ol type="1"><li><p>
4367 After launching the MMC with the Computer Management snap-in, click on the menu item <span class="guimenuitem">Action</span>,
4368 select <span class="guilabel">Connect to another computer</span>. If you are not logged onto a domain you will be prompted
4369 to enter a domain login user identifier and a password. This will authenticate you to the domain.
If you were already logged in with administrative privilege this step is not offered.
4371 </p></li><li><p>
4372 If the Samba server is not shown in the <span class="guilabel">Select Computer</span> box, then type in the name of the target
4373 Samba server in the field <span class="guilabel">Name:</span>. Now click on the <span class="guibutton">[+]</span> next to
4374 <span class="guilabel">System Tools</span>, then on the <span class="guibutton">[+]</span> next to <span class="guilabel">Shared Folders</span> in the
4375 left panel.
4376 </p></li><li><p>
4377 Now in the right panel, double-click on the share you wish to set access control permissions on.
4378 Then click on the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities
4379 to the shared folder. Do NOT forget to set what type of access (full control, change, read) you
4380 wish to assign for each entry.
4381 </p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
4382 Be careful. If you take away all permissions from the <tt class="constant">Everyone</tt> user without removing this user
4383 then effectively no user will be able to access the share. This is a result of what is known as
4384 ACL precedence. ie: Everyone with <span class="emphasis"><em>no access</em></span> means that MaryK who is part of the group
4385 <tt class="constant">Everyone</tt> will have no access even if this user is given explicit full control access.
4386 </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888391"></a>MS Windows Access Control Lists and UNIX Interoperability</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888399"></a>Managing UNIX permissions Using NT Security Dialogs</h3></div></div><div></div></div><p>
4387 Windows NT clients can use their native security settings dialog box to view and modify the
4388 underlying UNIX permissions.
4389 </p><p>
4390 Note that this ability is careful not to compromise the security of the UNIX host Samba is running on, and
4391 still obeys all the file permission rules that a Samba administrator can set.
4392 </p><p>
Samba does not attempt to go beyond POSIX ACLs, so the various finer-grained access control
options provided in Windows are actually ignored.
4395 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
4396 All access to UNIX/Linux system files via Samba is controlled by the operating system file access controls.
4397 When trying to figure out file access problems it is vitally important to find the identity of the Windows
4398 user as it is presented by Samba at the point of file access. This can best be determined from the
4399 Samba log files.
4400 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888444"></a>Viewing File Security on a Samba Share</h3></div></div><div></div></div><p>
4401 From an NT4/2000/XP client, single-click with the right mouse button on any file or directory in a Samba
mounted drive letter or UNC path. When the menu pops up, click on the <span class="guilabel">Properties</span>
4403 entry at the bottom of the menu. This brings up the file properties dialog box. Click on the tab
4404 <span class="guilabel">Security</span> and you will see three buttons, <span class="guibutton">Permissions</span>,
4405 <span class="guibutton">Auditing</span>, and <span class="guibutton">Ownership</span>. The <span class="guibutton">Auditing</span>
4406 button will cause either an error message <span class="errorname">A requested privilege is not held by the client</span>
4407 to appear if the user is not the NT Administrator, or a dialog which is intended to allow an Administrator
4408 to add auditing requirements to a file if the user is logged on as the NT Administrator. This dialog is
4409 non-functional with a Samba share at this time, as the only useful button, the <span class="guibutton">Add</span>
4410 button will not currently allow a list of users to be seen.
4411 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888523"></a>Viewing file ownership</h3></div></div><div></div></div><p>
4412 Clicking on the <span class="guibutton">Ownership</span> button brings up a dialog box telling you who owns
4413 the given file. The owner name will be of the form:
4414 </p><p>
4415 <b class="command">"SERVER\user (Long name)"</b>
4416 </p><p>
4417 Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of the Samba server, <i class="replaceable"><tt>user</tt></i>
4418 is the user name of the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i> is the
4419 descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).
4420 Click on the <span class="guibutton">Close </span> button to remove this dialog.
4421 </p><p>
4422 If the parameter <a class="indexterm" name="id2888586"></a><i class="parameter"><tt>nt acl support</tt></i> is set to <tt class="constant">false</tt>
4423 then the file owner will be shown as the NT user <tt class="constant">"Everyone"</tt>.
4424 </p><p>
4425 The <span class="guibutton">Take Ownership</span> button will not allow you to change the ownership of this file to
4426 yourself (clicking on it will display a dialog box complaining that the user you are currently logged onto
4427 the NT client cannot be found). The reason for this is that changing the ownership of a file is a privileged
4428 operation in UNIX, available only to the <span class="emphasis"><em>root</em></span> user. As clicking on this button causes
4429 NT to attempt to change the ownership of a file to the current user logged into the NT client this will
4430 not work with Samba at this time.</p><p>
There is an NT chown command that will work with Samba and allow a user with Administrator privilege connected
to a Samba server as root to change the ownership of files on either a local NTFS filesystem or a remote mounted NTFS
4433 or Samba drive. This is available as part of the <span class="application">Seclib</span> NT security library written
4434 by Jeremy Allison of the Samba-Team, available from the main Samba FTP site.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888655"></a>Viewing File or Directory Permissions</h3></div></div><div></div></div><p>
4435 The third button is the <span class="guibutton">Permissions</span> button. Clicking on this brings up a dialog box
4436 that shows both the permissions and the UNIX owner of the file or directory. The owner is displayed in the form:
4437 </p><p><b class="command">"<i class="replaceable"><tt>SERVER</tt></i>\
4438 <i class="replaceable"><tt>user</tt></i>
4439 <i class="replaceable"><tt>(Long name)</tt></i>"</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of the Samba server,
4440 <i class="replaceable"><tt>user</tt></i> is the user name of the UNIX user who owns the file, and
4441 <i class="replaceable"><tt>(Long name)</tt></i> is the descriptive string identifying the user (normally found in the
4442 GECOS field of the UNIX password database).</p><p>
4443 If the parameter <a class="indexterm" name="id2888720"></a><i class="parameter"><tt>nt acl support</tt></i> is set to <tt class="constant">false</tt>
4444 then the file owner will be shown as the NT user <tt class="constant">"Everyone"</tt> and the permissions will be
4445 shown as NT "Full Control".
4446 </p><p>
4447 The permissions field is displayed differently for files and directories, so I'll describe the way file permissions
4448 are displayed first.
4449 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2888753"></a>File Permissions</h4></div></div><div></div></div><p>The standard UNIX user/group/world triplet and
4450 the corresponding "read", "write", "execute" permissions
4451 triplets are mapped by Samba into a three element NT ACL
4452 with the 'r', 'w', and 'x' bits mapped into the corresponding
4453 NT permissions. The UNIX world permissions are mapped into
4454 the global NT group <tt class="constant">Everyone</tt>, followed
4455 by the list of permissions allowed for UNIX world. The UNIX
4456 owner and group permissions are displayed as an NT
4457 <span class="guiicon">user</span> icon and an NT <span class="guiicon">local
4458 group</span> icon respectively followed by the list
of permissions allowed for the UNIX user and group.</p><p>As many UNIX permission sets don't map into common
NT names such as <tt class="constant">read</tt>, <tt class="constant">
"change"</tt> or <tt class="constant">full control</tt>,
the permissions will usually be prefixed by the words <tt class="constant">
"Special Access"</tt> in the NT display list.</p><p>But what happens if the file has no permissions allowed
4464 for a particular UNIX user group or world component? In order
4465 to allow "no permissions" to be seen and modified then Samba
4466 overloads the NT <b class="command">"Take Ownership"</b> ACL attribute
4467 (which has no meaning in UNIX) and reports a component with
4468 no permissions as having the NT <b class="command">"O"</b> bit set.
4469 This was chosen of course to make it look like a zero, meaning
4470 zero permissions. More details on the decision behind this will
4471 be given below.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2888845"></a>Directory Permissions</h4></div></div><div></div></div><p>Directories on an NT NTFS file system have two
4472 different sets of permissions. The first set of permissions
4473 is the ACL set on the directory itself, this is usually displayed
4474 in the first set of parentheses in the normal <tt class="constant">"RW"</tt>
4475 NT style. This first set of permissions is created by Samba in
4476 exactly the same way as normal file permissions are, described
4477 above, and is displayed in the same way.</p><p>The second set of directory permissions has no real meaning
4478 in the UNIX permissions world and represents the <tt class="constant">
4479 inherited</tt> permissions that any file created within
4480 this directory would inherit.</p><p>Samba synthesises these inherited permissions for NT by
4481 returning as an NT ACL the UNIX permission mode that a new file
4482 created by Samba on this share would receive.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888889"></a>Modifying file or directory permissions</h3></div></div><div></div></div><p>Modifying file and directory permissions is as simple
4483 as changing the displayed permissions in the dialog box, and
4484 clicking the <span class="guibutton">OK</span> button. However, there are
4485 limitations that a user needs to be aware of, and also interactions
4486 with the standard Samba permission masks and mapping of DOS
4487 attributes that need to also be taken into account.</p><p>If the parameter <a class="indexterm" name="id2888918"></a><i class="parameter"><tt>nt acl support</tt></i>
4488 is set to <tt class="constant">false</tt> then any attempt to set
4489 security permissions will fail with an <span class="errorname">"Access Denied"
4490 </span> message.</p><p>The first thing to note is that the <span class="guibutton">"Add"</span>
4491 button will not return a list of users in Samba (it will give
4492 an error message of <span class="errorname">The remote procedure call failed
4493 and did not execute</span>). This means that you can only
4494 manipulate the current user/group/world permissions listed in
4495 the dialog box. This actually works quite well as these are the
4496 only permissions that UNIX actually has.</p><p>If a permission triplet (either user, group, or world)
4497 is removed from the list of permissions in the NT dialog box,
4498 then when the <span class="guibutton">OK</span> button is pressed it will
4499 be applied as "no permissions" on the UNIX side. If you then
4500 view the permissions again the "no permissions" entry will appear
4501 as the NT <b class="command">"O"</b> flag, as described above. This
4502 allows you to add permissions back to a file or directory once
you have removed them from a triplet component.</p><p>As UNIX supports only the "r", "w" and "x" bits of
an NT ACL, if other NT security attributes such as "Delete
access" are selected they will be ignored when applied on
the Samba server.</p><p>When setting permissions on a directory the second
4507 set of permissions (in the second set of parentheses) is
4508 by default applied to all files within that directory. If this
4509 is not what you want you must uncheck the <span class="guilabel">Replace
4510 permissions on existing files</span> checkbox in the NT
4511 dialog before clicking <span class="guibutton">OK</span>.</p><p>If you wish to remove all permissions from a
4512 user/group/world component then you may either highlight the
4513 component and click the <span class="guibutton">Remove</span> button,
4514 or set the component to only have the special <tt class="constant">Take
4515 Ownership</tt> permission (displayed as <b class="command">"O"
4516 </b>) highlighted.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889049"></a>Interaction with the standard Samba create mask
4517 parameters</h3></div></div><div></div></div><p>There are four parameters
4518 to control interaction with the standard Samba create mask parameters.
These are:
</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2889069"></a><i class="parameter"><tt>security mask</tt></i></p></li><li><p><a class="indexterm" name="id2889086"></a><i class="parameter"><tt>force security mode</tt></i></p></li><li><p><a class="indexterm" name="id2889103"></a><i class="parameter"><tt>directory security mask</tt></i></p></li><li><p><a class="indexterm" name="id2889120"></a><i class="parameter"><tt>force directory security mode</tt></i></p></li></ul></div>
<p>Once a user clicks <span class="guibutton">OK</span> to apply the
4524 permissions Samba maps the given permissions into a user/group/world
4525 r/w/x triplet set, and then will check the changed permissions for a
4526 file against the bits set in the
4527 <a class="indexterm" name="id2889150"></a><i class="parameter"><tt>security mask</tt></i> parameter. Any bits that
4528 were changed that are not set to '1' in this parameter are left alone
4529 in the file permissions.</p><p>Essentially, zero bits in the <a class="indexterm" name="id2889171"></a><i class="parameter"><tt>security mask</tt></i>
4530 mask may be treated as a set of bits the user is <span class="emphasis"><em>not</em></span>
4531 allowed to change, and one bits are those the user is allowed to change.
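The UNIX-to-NT triplet mapping (including the "O" convention for a component with no permissions) described under File Permissions above, together with the security mask and force security mode checks described in this section, modelled as an added Python example. This is not Samba's own code; it assumes the smb.conf defaults create mask = 0744 and force create mode = 000 for the two mask defaults, and the r/w/x letters per component are a constructed stand-in for the NT dialog's entries.

```python
"""Model of Samba's NT security dialog mapping and of the security mask /
force security mode checks, written as an illustration (not Samba's code)."""

# The three components in the order the NT dialog lists them, with the
# shift of each r/w/x triplet inside a UNIX mode word.
COMPONENTS = ("user", "group", "world")
SHIFTS = {"user": 6, "group": 3, "world": 0}
BITS = {"r": 4, "w": 2, "x": 1}

# Assumed smb.conf defaults: security mask follows create mask (0744) and
# force security mode follows force create mode (000) when not set explicitly.
DEFAULT_SECURITY_MASK = 0o744
DEFAULT_FORCE_SECURITY_MODE = 0o000


def mode_to_dialog(mode):
    """Render a UNIX mode the way the NT dialog shows it: an r/w/x subset per
    component, or 'O' (the overloaded Take Ownership bit) for a component
    that has no permissions at all."""
    dialog = {}
    for comp in COMPONENTS:
        triplet = (mode >> SHIFTS[comp]) & 0o7
        perms = "".join(ch for ch, bit in BITS.items() if triplet & bit)
        dialog[comp] = perms or "O"
    return dialog


def dialog_to_mode(dialog):
    """Inverse mapping for what the user submits from the dialog. A component
    shown as 'O', or missing because it was removed from the list, contributes
    zero bits; NT attributes other than r/w/x (e.g. 'D' for Delete access)
    are ignored, as Samba ignores them."""
    mode = 0
    for comp in COMPONENTS:
        for ch in dialog.get(comp, "O"):
            if ch in BITS:
                mode |= BITS[ch] << SHIFTS[comp]
    return mode


def apply_security_masks(current, requested, security_mask, force_security_mode):
    """Apply the two parameters in the order the text gives:
    1. a changed bit that is 0 in security mask is left as it was;
    2. a changed bit that is 1 in force security mode is forced on."""
    changed = current ^ requested
    permitted = changed & security_mask
    new_mode = (current & ~permitted) | (requested & permitted)
    new_mode |= changed & force_security_mode
    return new_mode


def change_permissions(current, dialog,
                       security_mask=DEFAULT_SECURITY_MASK,
                       force_security_mode=DEFAULT_FORCE_SECURITY_MODE):
    """What a file ends up with after the user clicks OK on the dialog.
    For a directory pass the directory security mask and force directory
    security mode values instead; the logic is the same."""
    return apply_security_masks(current, dialog_to_mode(dialog),
                                security_mask, force_security_mode)


if __name__ == "__main__":
    # Constructed scenario: a 0644 file, and the user ticks group 'w'.
    wanted = {"user": "rw", "group": "rw", "world": "r"}
    print(oct(change_permissions(0o644, wanted)))                       # 0o644: blocked by mask 0744
    print(oct(change_permissions(0o644, wanted, security_mask=0o777)))  # 0o664: allowed
    # The user clears the owner component; force security mode 0600 puts it back.
    cleared = {"user": "O", "group": "r", "world": "r"}
    print(oct(change_permissions(0o644, cleared, 0o777, 0o600)))        # 0o644
    print(mode_to_dialog(0o640))  # {'user': 'rw', 'group': 'r', 'world': 'O'}
```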
4532 </p><p>If not set explicitly this parameter is set to the same value as
4533 the <a class="indexterm" name="id2889196"></a><i class="parameter"><tt>create mask</tt></i> parameter. To allow a user to modify all the
4534 user/group/world permissions on a file, set this parameter
4535 to 0777.</p><p>Next Samba checks the changed permissions for a file against
4536 the bits set in the
4537 <a class="indexterm" name="id2889218"></a><i class="parameter"><tt>force security mode</tt></i> parameter. Any bits
4538 that were changed that correspond to bits set to '1' in this parameter
are forced to be set.</p><p>Essentially, bits set in the <i class="parameter"><tt>force security mode
</tt></i> parameter may be treated as a set of bits that are always
set 'on' whenever the user modifies security on a file.</p><p>If not set explicitly this parameter is set to the same value
4542 as the <a class="indexterm" name="id2889253"></a><i class="parameter"><tt>force create mode</tt></i> parameter.
4543 To allow a user to modify all the user/group/world permissions on a file
4544 with no restrictions set this parameter to 000.</p><p>The <a class="indexterm" name="id2889274"></a><i class="parameter"><tt>security mask</tt></i> and <i class="parameter"><tt>force
4545 security mode</tt></i> parameters are applied to the change
4546 request in that order.</p><p>For a directory Samba will perform the same operations as
4547 described above for a file except using the parameter <i class="parameter"><tt>
4548 directory security mask</tt></i> instead of <i class="parameter"><tt>security
4549 mask</tt></i>, and <i class="parameter"><tt>force directory security mode
4550 </tt></i> parameter instead of <i class="parameter"><tt>force security mode
4551 </tt></i>.</p><p>The <a class="indexterm" name="id2889335"></a><i class="parameter"><tt>directory security mask</tt></i> parameter
4552 by default is set to the same value as the <i class="parameter"><tt>directory mask
4553 </tt></i> parameter and the <i class="parameter"><tt>force directory security
4554 mode</tt></i> parameter by default is set to the same value as
4555 the <a class="indexterm" name="id2889366"></a><i class="parameter"><tt>force directory mode</tt></i> parameter. </p><p>In this way Samba enforces the permission restrictions that
4556 an administrator can set on a Samba share, whilst still allowing users
4557 to modify the permission bits within that restriction.</p><p>If you want to set up a share that allows users full control
4558 in modifying the permission bits on their files and directories and
4559 doesn't force any particular bits to be set 'on', then set the following
4560 parameters in the <tt class="filename">smb.conf</tt> file in that share-specific section:
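</p><p>The two-step filtering just described (first <i class="parameter"><tt>security mask</tt></i>, then <i class="parameter"><tt>force security mode</tt></i>) worked through in code. This is an added example, not Samba's own code: <tt>apply_security_change</tt>, <tt>effective_masks</tt> and the sample modes are constructed for illustration, and the fallback defaults used here (0744 for <i class="parameter"><tt>create mask</tt></i>, 000 for <i class="parameter"><tt>force create mode</tt></i>) are assumptions to be checked against the smb.conf man page for your version.</p>

```python
import stat

# Defaults assumed for this example (verify against smb.conf(5) for your version):
# create mask = 0744, force create mode = 000.
DEFAULT_CREATE_MASK = 0o744
DEFAULT_FORCE_CREATE_MODE = 0o000


def effective_masks(security_mask=None, force_security_mode=None,
                    create_mask=DEFAULT_CREATE_MASK,
                    force_create_mode=DEFAULT_FORCE_CREATE_MODE):
    """Resolve the two parameters with the fallbacks the text describes:
    an unset 'security mask' takes the value of 'create mask', an unset
    'force security mode' takes the value of 'force create mode'."""
    mask = create_mask if security_mask is None else security_mask
    force = force_create_mode if force_security_mode is None else force_security_mode
    return mask & 0o777, force & 0o777


def apply_security_change(current, requested, security_mask, force_security_mode):
    """Mode a file ends up with after a client asks to change `current` into
    `requested` (both user/group/world rwx triplets, e.g. 0o640).

    Step 1: only bits set to 1 in security_mask may change; every other bit
            keeps the value it currently has on the file.
    Step 2: bits set to 1 in force_security_mode are always switched on.
    Directories go through the same two steps with 'directory security mask'
    and 'force directory security mode' instead."""
    changeable = security_mask & 0o777
    kept = current & ~changeable & 0o777      # bits the user may not touch
    changed = requested & changeable          # bits the user may set or clear
    return (kept | changed) | (force_security_mode & 0o777)


def triplet(mode):
    """Render a mode as an rwx triplet string, e.g. 0o750 -> 'rwxr-x---'."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))[1:]


def demo():
    """Constructed requests: a client tries to change a 0644 file under three
    share configurations. Returns the mode the file ends up with in each."""
    mask, force = effective_masks()                 # nothing set: falls back to 0744 / 000
    default_cfg = apply_security_change(0o644, 0o666, mask, force)
    mask, force = effective_masks(0o777, 0o000)     # the full-control settings
    full_ctrl = apply_security_change(0o644, 0o666, mask, force)
    mask, force = effective_masks(0o777, 0o044)     # group/world read always forced on
    forced = apply_security_change(0o644, 0o600, mask, force)
    return default_cfg, full_ctrl, forced


if __name__ == "__main__":
    for label, mode in zip(("defaults", "full control", "forced read"), demo()):
        print(f"{label:13s} {mode:04o} {triplet(mode)}")
```

<p>Running <tt>demo()</tt> shows the practical consequence: under the assumed default mask a user cannot grant or remove group and world write from the security dialog (the request for 0666 yields 0644), whereas the full-control settings let every bit through. The parameters that give that full control, in the share-specific section of <tt class="filename">smb.conf</tt>, are: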
4561 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode = 0</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode = 0</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889446"></a>Interaction with the standard Samba file attribute mapping</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Samba maps some of the DOS attribute bits (such as "read
4562 only") into the UNIX permissions of a file. This means there can
4563 be a conflict between the permission bits set via the security
4564 dialog and the permission bits set by the file attribute mapping.
4565 </p></div><p>One way this can show up is that a file with no UNIX read access
4566 for the owner will be shown as "read only" in the standard
4567 file attributes tab of the dialog. Unfortunately this dialog is
4568 the same one that contains the security information on another tab.</p><p>What this can mean is that if the owner changes the permissions
4569 to allow themselves read access using the security dialog, clicks
4570 <span class="guibutton">OK</span> to get back to the standard attributes tab
4571 dialog, and then clicks <span class="guibutton">OK</span> on that dialog, then
4572 NT will set the file permissions back to read-only (as that is what
4573 the attributes still say in the dialog). This means that after setting
4574 permissions and clicking <span class="guibutton">OK</span> to get back to the
4575 attributes dialog you should always hit <span class="guibutton">Cancel</span>
4576 rather than <span class="guibutton">OK</span> to ensure that your changes
4577 are not overridden.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889526"></a>Common Errors</h2></div></div><div></div></div><p>
4578 File, Directory and Share access problems are very common on the mailing list. The following
4579 are examples taken from the mailing list in recent times.
4580 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889540"></a>Users can not write to a public share</h3></div></div><div></div></div><p>
4581 &#8220;<span class="quote">
4582 We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root),
4583 and there's a public share, on which everyone needs to have permission to create / modify files, but only
4584 root can change the file, no one else can. We need to constantly go to server to
4585 <b class="userinput"><tt>chgrp -R users *</tt></b> and <b class="userinput"><tt>chown -R nobody *</tt></b> to allow other users to change the file.
4586 </span>&#8221;
4587 </p><p>
4588 There are many ways to solve this problem; here are a few hints:
4589 </p><div class="procedure"><ol type="1"><li><p>
4590 Go to the top of the directory that is shared
4591 </p></li><li><p>
4592 Set the ownership to whatever public owner and group you want
4593 </p><pre class="screen">
4594 <tt class="prompt">$ </tt>find 'directory_name' -type d -exec chown user.group {} \;
4595 <tt class="prompt">$ </tt>find 'directory_name' -type d -exec chmod 6775 {} \;
4596 <tt class="prompt">$ </tt>find 'directory_name' -type f -exec chmod 0775 {} \;
4597 <tt class="prompt">$ </tt>find 'directory_name' -type f -exec chown user.group {} \;
4598 </pre><p>
4599 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
4600 The above will set the 'sticky bit' on all directories. Read your
4601 UNIX/Linux man page on what that does. It causes the OS to assign
4602 to all files created in the directories the ownership of the
4603 directory.
4604 </p></div></li><li><p>
4606 Directory is: <i class="replaceable"><tt>/foodbar</tt></i>
4607 </p><pre class="screen">
4608 <tt class="prompt">$ </tt><b class="userinput"><tt>chown jack.engr /foodbar</tt></b>
4609 </pre><p>
4610 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This is the same as doing:</p><pre class="screen">
4611 <tt class="prompt">$ </tt><b class="userinput"><tt>chown jack /foodbar</tt></b>
4612 <tt class="prompt">$ </tt><b class="userinput"><tt>chgrp engr /foodbar</tt></b>
4613 </pre></div></li><li><p>Now do:
4615 </p><pre class="screen">
4616 <tt class="prompt">$ </tt><b class="userinput"><tt>chmod 6775 /foodbar</tt></b>
4617 <tt class="prompt">$ </tt><b class="userinput"><tt>ls -al /foodbar/..</tt></b>
4618 </pre><p>
4620 </p><p>You should see:
4621 </p><pre class="screen">
4622 drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar
4623 </pre><p>
4624 </p></li><li><p>Now do:
4625 </p><pre class="screen">
4626 <tt class="prompt">$ </tt><b class="userinput"><tt>su - jill</tt></b>
4627 <tt class="prompt">$ </tt><b class="userinput"><tt>cd /foodbar</tt></b>
4628 <tt class="prompt">$ </tt><b class="userinput"><tt>touch Afile</tt></b>
4629 <tt class="prompt">$ </tt><b class="userinput"><tt>ls -al</tt></b>
4630 </pre><p>
4631 </p><p>
4632 You should see that the file <tt class="filename">Afile</tt> created by Jill will have ownership
4633 and permissions of Jack, as follows:
4634 </p><pre class="screen">
4635 -rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile
4636 </pre><p>
4637 </p></li><li><p>
4638 Now in your <tt class="filename">smb.conf</tt> for the share add:
4639 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>force create mode = 0775</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory mode = 6775</tt></i></td></tr></table><p>
4640 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
4641 The above are only needed <span class="emphasis"><em>if</em></span> your users are <span class="emphasis"><em>not</em></span> members of the group
4642 you have used, i.e. within the OS they do not have write permission on the directory.
4643 </p></div><p>
4644 An alternative is to set in the <tt class="filename">smb.conf</tt> entry for the share:
4645 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>force user = jack</tt></i></td></tr><tr><td><i class="parameter"><tt>force group = engr</tt></i></td></tr></table><p>
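The procedure above as an audit-and-fix script, added here as an example; it is not taken from the Samba documentation or from Samba itself. It builds its own sample tree in a temporary directory, and the function and constant names are illustration names. Two caveats a practitioner will want: mode 6775 sets both the setuid (04000) and setgid (02000) bits, and it is the setgid bit that makes new files inherit the directory's group; and on Linux the setuid bit on a directory has no effect, so a file Jill creates stays owned by Jill even though its group becomes <tt>engr</tt>. The script therefore checks the group-related bits, which are what let group members write.</p>

```python
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o6775    # setuid+setgid, rwx owner/group, r-x world: the 'chmod 6775' step
FILE_MODE = 0o775    # the 'chmod 0775' step for regular files


def apply_share_modes(root, dir_mode=DIR_MODE, file_mode=FILE_MODE):
    """Same effect as the two 'find -type d / -type f -exec chmod' commands.
    Symbolic links are skipped so a link pointing outside the share is never
    modified. Returns how many directories and files were changed."""
    ndirs = nfiles = 0
    for base, _dirs, files in os.walk(root):    # root itself is yielded first
        if not os.path.islink(base):
            os.chmod(base, dir_mode)
            ndirs += 1
        for name in files:
            path = os.path.join(base, name)
            if not os.path.islink(path):
                os.chmod(path, file_mode)
                nfiles += 1
    return ndirs, nfiles


def set_share_owner(root, user, group):
    """The recursive 'chown user.group' step. Needs root privileges, so the
    self-test below does not call it."""
    for base, _dirs, files in os.walk(root):
        if not os.path.islink(base):
            shutil.chown(base, user, group)
        for name in files:
            path = os.path.join(base, name)
            if not os.path.islink(path):
                shutil.chown(path, user, group)


def mode_string(path):
    """ls -l style permission string, e.g. 'drwsrwsr-x'."""
    return stat.filemode(os.lstat(path).st_mode)


def audit_share(root):
    """Paths that would still stop group members from writing: directories
    without setgid or without group write+search, files without group write."""
    problems = []
    for base, _dirs, files in os.walk(root):
        m = os.lstat(base).st_mode
        if not ((m & stat.S_ISGID) and (m & stat.S_IWGRP) and (m & stat.S_IXGRP)):
            problems.append(base)
        for name in files:
            path = os.path.join(base, name)
            if os.path.islink(path):
                continue
            if not os.lstat(path).st_mode & stat.S_IWGRP:
                problems.append(path)
    return problems


def demo():
    """Build a constructed share tree, audit it, fix it, audit it again."""
    with tempfile.TemporaryDirectory() as share:
        sub = os.path.join(share, "engr")
        os.mkdir(sub, 0o755)
        doc = os.path.join(sub, "design.txt")
        open(doc, "w").close()
        os.chmod(doc, 0o644)
        before = len(audit_share(share))          # 3: both directories and the file
        counts = apply_share_modes(share)
        after = audit_share(share)                # nothing left to fix
        return before, counts, after, mode_string(share), mode_string(doc)


if __name__ == "__main__":
    print(demo())
```

<p>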
4646 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889969"></a>I have set force user but Samba still makes <span class="emphasis"><em>root</em></span> the owner of all the files I touch!</h3></div></div><div></div></div><p>
4647 When you have a user in <a class="indexterm" name="id2889986"></a><i class="parameter"><tt>admin users</tt></i>, Samba will always do file operations for
4648 this user as <span class="emphasis"><em>root</em></span>, even if <a class="indexterm" name="id2890005"></a><i class="parameter"><tt>force user</tt></i> has been set.
4649 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890022"></a>MS Word with Samba changes owner of file</h3></div></div><div></div></div><p>
4650 <span class="emphasis"><em>Question:</em></span> &#8220;<span class="quote">When userB saves a word document that is owned by userA the updated file is now owned by userB.
4651 Why is Samba doing this? How do I fix this?</span>&#8221;
4652 </p><p>
4653 <span class="emphasis"><em>Answer:</em></span> Word does the following when you modify/change a Word document: Word creates a NEW document with
4654 a temporary name, Word then closes the old document and deletes it, and Word then renames the new document to the original document name.
4655 There is NO mechanism by which Samba CAN IN ANY WAY know that the new document really should be owned by the owners
4656 of the original file. Samba has no way of knowing that the file will be renamed by MS Word. As far as Samba is able
4657 to tell, the file that gets created is a NEW file, not one that the application (Word) is updating.
4658 </p><p>
4659 There is a work-around to solve the permissions problem. That work-around involves understanding how you can manage file
4660 system behaviour from within the <tt class="filename">smb.conf</tt> file, as well as understanding how Unix file systems work. Set on the directory
4661 in which you are changing word documents: <b class="command">chmod g+s 'directory_name'</b> This ensures that all files will
4662 be created with the group that owns the directory. In the <tt class="filename">smb.conf</tt> share declaration section, set:
4663 </p><p>
4664 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>force create mode = 0660</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory mode = 0770</tt></i></td></tr></table><p>
4665 </p><p>
4666 These two settings will ensure that all directories and files that get created in the share will be read/writable by the
4667 owner and group set on the directory itself.
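</p><p>The save sequence described above, reproduced in code so that its consequence is visible: the renamed file is a different inode, owned by whoever ran the save, and only the group follows the directory once the setgid bit is set on it. This is an added example, not Samba code and not Word's actual implementation; <tt>word_style_save</tt> is a constructed stand-in for the application, and the directory and document are created in a temporary location.</p>

```python
import os
import stat
import tempfile


def word_style_save(path, new_content):
    """Constructed stand-in for the application behaviour the text describes:
    create a NEW file under a temporary name, delete the original, rename the
    new file to the original name. The server never learns the two are related."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(new_content)
    os.unlink(path)          # the original file, and its inode, are gone
    os.rename(tmp, path)     # the new inode now carries the old name
    return path


def identity(path):
    """(inode, uid, gid) of a path: what the rename changes and what it keeps."""
    st = os.stat(path)
    return st.st_ino, st.st_uid, st.st_gid


def set_group_inheritance(directory):
    """The 'chmod g+s directory_name' step from the text."""
    mode = stat.S_IMODE(os.stat(directory).st_mode)
    os.chmod(directory, mode | stat.S_ISGID)


def demo():
    """Save over a constructed document and report what changed."""
    with tempfile.TemporaryDirectory() as d:
        set_group_inheritance(d)
        doc = os.path.join(d, "report.doc")
        with open(doc, "w") as fh:
            fh.write("version 1")
        ino_before, _uid_before, _gid_before = identity(doc)
        word_style_save(doc, "version 2")
        ino_after, uid_after, gid_after = identity(doc)
        with open(doc) as fh:
            content = fh.read()
        return {
            "same_inode": ino_before == ino_after,          # False: it is a new file
            "group_follows_dir": gid_after == os.stat(d).st_gid,
            "owner_is_saver": uid_after == os.getuid(),     # whoever saved owns it now
            "content": content,
        }


if __name__ == "__main__":
    print(demo())
```

<p>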
4668 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="locking"></a>Chapter 14. File and Record Locking</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Roseme</span></h3><div class="affiliation"><span class="orgname">HP Oplocks Usage Recommendations Whitepaper<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:eric.roseme@hp.com">eric.roseme@hp.com</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2890270">Features and Benefits</a></dt><dt><a href="#id2890336">Discussion</a></dt><dd><dl><dt><a href="#id2890479">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="#id2891158">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="#id2891268">Example Configuration</a></dt></dl></dd><dt><a 
href="#id2891665">MS Windows Opportunistic Locking and Caching Controls</a></dt><dd><dl><dt><a href="#id2891896">Workstation Service Entries</a></dt><dt><a href="#id2891924">Server Service Entries</a></dt></dl></dd><dt><a href="#id2892003">Persistent Data Corruption</a></dt><dt><a href="#id2892032">Common Errors</a></dt><dd><dl><dt><a href="#id2892106">locking.tdb error messages</a></dt><dt><a href="#id2892144">Problems saving files in MS Office on Windows XP</a></dt><dt><a href="#id2892167">Long delays deleting files over network with XP SP1</a></dt></dl></dd><dt><a href="#id2892198">Additional Reading</a></dt></dl></div><p>
4669 One area which causes trouble for many network administrators is locking.
4670 The extent of the problem is readily evident from searches over the internet.
4671 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2890270"></a>Features and Benefits</h2></div></div><div></div></div><p>
4672 Samba provides all the same locking semantics that MS Windows clients expect
4673 and that MS Windows NT4 / 200x servers provide also.
4674 </p><p>
4675 The term <span class="emphasis"><em>locking</em></span> has exceptionally broad meaning and covers
4676 a range of functions that are all categorized under this one term.
4677 </p><p>
4678 Opportunistic locking is a desirable feature when it can enhance the
4679 perceived performance of applications on a networked client. However, the
4680 opportunistic locking protocol is not robust, and therefore can
4681 encounter problems when invoked beyond a simplistic configuration, or
4682 on extended, slow, or faulty networks. In these cases, operating
4683 system management of opportunistic locking and/or recovering from
4684 repetitive errors can offset the perceived performance advantage that
4685 it is intended to provide.
4686 </p><p>
4687 The MS Windows network administrator needs to be aware that file and record
4688 locking semantics (behaviour) can be controlled either in Samba or by way of registry
4689 settings on the MS Windows client.
4690 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
4691 Sometimes it is necessary to disable locking control settings BOTH on the Samba
4692 server as well as on each MS Windows client!
4693 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2890336"></a>Discussion</h2></div></div><div></div></div><p>
4694 There are two types of locking which need to be performed by an SMB server.
4695 The first is <span class="emphasis"><em>record locking</em></span> which allows a client to lock
4696 a range of bytes in an open file. The second is the <span class="emphasis"><em>deny modes</em></span>
4697 that are specified when a file is opened.
4698 </p><p>
4699 Record locking semantics under UNIX are very different from record locking under
4700 Windows. Versions of Samba before 2.2 tried to use the native fcntl() UNIX
4701 system call to implement proper record locking between different Samba clients.
4702 This cannot be fully correct, for several reasons. The simplest is the fact
4703 that a Windows client is allowed to lock a byte range up to 2^32 or 2^64,
4704 depending on the client OS. UNIX locking only supports byte ranges up to 2^31,
4705 so it is not possible to correctly satisfy a lock request above 2^31. There are
4706 many more differences, too many to be listed here.
4707 </p><p>
4708 Samba 2.2 and above implements record locking completely independently of the
4709 underlying UNIX system. If a byte range lock that the client requests happens
4710 to fall into the range 0-2^31, Samba hands this request down to the UNIX system.
4711 All other locks cannot be seen by UNIX anyway.
4712 </p><p>
4713 Strictly an SMB server should check for locks before every read and write call on
4714 a file. Unfortunately with the way fcntl() works this can be slow and may over-stress
4715 the <b class="command">rpc.lockd</b>. It is also almost always unnecessary as clients are supposed to
4716 independently make locking calls before reads and writes anyway if locking is
4717 important to them. By default Samba only makes locking calls when explicitly asked
4718 to by a client, but if you set <a class="indexterm" name="id2890404"></a><i class="parameter"><tt>strict locking</tt></i> = yes then it
4719 will make lock checking calls on every read and write.
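</p><p>The two points above (a lock table kept apart from the kernel, with only the part of a range below 2^31 handed down to fcntl(), and the per-read/per-write checking that <i class="parameter"><tt>strict locking</tt></i> = yes switches on) as an added example. This is constructed illustration code, not Samba's own lock implementation: the conflict rule is the simplified Windows one (overlapping shared locks coexist, anything overlapping an exclusive lock is refused, even from the same owner), and the class and function names are invented.</p>

```python
POSIX_LIMIT = 2 ** 31        # the text: UNIX locking covers byte ranges up to 2^31
SMB_LIMIT = 2 ** 64          # a 64-bit client may lock offsets up to 2^64


def overlaps(a_start, a_size, b_start, b_size):
    """True when the two half-open byte ranges share at least one byte."""
    return a_start < b_start + b_size and b_start < a_start + a_size


class RangeLockTable:
    """Byte-range locks on one open file, tracked without asking the kernel."""

    def __init__(self):
        self.locks = []          # entries: (owner, start, size, exclusive)

    def lock(self, owner, start, size, exclusive=True):
        """Grant (True) or refuse (False) a lock request, Windows style:
        overlapping shared locks coexist, anything overlapping an exclusive
        lock is refused, and an exclusive request over a shared lock is refused."""
        if size <= 0 or start < 0 or start + size > SMB_LIMIT:
            return False
        for _owner, s, n, ex in self.locks:
            if overlaps(start, size, s, n) and (ex or exclusive):
                return False
        self.locks.append((owner, start, size, exclusive))
        return True

    def unlock(self, owner, start, size):
        """Release a lock; the owner and range must match exactly."""
        for i, (o, s, n, _ex) in enumerate(self.locks):
            if (o, s, n) == (owner, start, size):
                del self.locks[i]
                return True
        return False

    def io_allowed(self, owner, start, size, write):
        """The check 'strict locking = yes' performs before every read or
        write: the I/O conflicts if it overlaps another owner's exclusive
        lock, or, for a write, any other owner's lock at all."""
        for o, s, n, ex in self.locks:
            if o != owner and overlaps(start, size, s, n) and (ex or write):
                return False
        return True


def posix_mirror_range(start, size):
    """Portion of an SMB lock the server hands down to fcntl(): the part
    below 2^31. None when the whole range lies above it, since UNIX cannot
    see such a lock anyway."""
    if start >= POSIX_LIMIT:
        return None
    end = min(start + size, POSIX_LIMIT)
    return start, end - start


if __name__ == "__main__":
    table = RangeLockTable()
    print(table.lock("A", 0, 100), table.lock("B", 50, 10))       # True False
    print(posix_mirror_range(2 ** 31 - 10, 100), posix_mirror_range(2 ** 40, 1))
```

<p>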
4720 </p><p>
4721 You can also disable byte range locking completely using <a class="indexterm" name="id2890424"></a><i class="parameter"><tt>locking</tt></i> = no.
4722 This is useful for those shares that don't support locking or don't need it
4723 (such as cdroms). In this case Samba fakes the return codes of locking calls to
4724 tell clients that everything is OK.
4725 </p><p>
4726 The second class of locking is the <span class="emphasis"><em>deny modes</em></span>. These
4727 are set by an application when it opens a file to determine what types of
4728 access should be allowed simultaneously with its open. A client may ask for
4729 <tt class="constant">DENY_NONE</tt>, <tt class="constant">DENY_READ</tt>,
4730 <tt class="constant">DENY_WRITE</tt> or <tt class="constant">DENY_ALL</tt>. There are also special compatibility
4731 modes called <tt class="constant">DENY_FCB</tt> and <tt class="constant">DENY_DOS</tt>.
4732 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890479"></a>Opportunistic Locking Overview</h3></div></div><div></div></div><p>
4733 Opportunistic locking (Oplocks) is invoked by the Windows file system
4734 (as opposed to an API) via registry entries (on the server AND client)
4735 for the purpose of enhancing network performance when accessing a file
4736 residing on a server. Performance is enhanced by caching the file
4737 locally on the client which allows:
4738 </p><div class="variablelist"><dl><dt><span class="term">Read-ahead:</span></dt><dd><p>
4739 The client reads the local copy of the file, eliminating network latency
4740 </p></dd><dt><span class="term">Write caching:</span></dt><dd><p>
4741 The client writes to the local copy of the file, eliminating network latency
4742 </p></dd><dt><span class="term">Lock caching:</span></dt><dd><p>
4743 The client caches application locks locally, eliminating network latency
4744 </p></dd></dl></div><p>
4745 The performance enhancement of oplocks is due to the opportunity of
4746 exclusive access to the file - even if it is opened with deny-none -
4747 because Windows monitors the file's status for concurrent access from
4748 other processes.
4749 </p><div class="variablelist"><p class="title"><b>Windows defines 4 kinds of Oplocks:</b></p><dl><dt><span class="term">Level1 Oplock:</span></dt><dd><p>
4750 The redirector sees that the file was opened with deny
4751 none (allowing concurrent access), verifies that no
4752 other process is accessing the file, checks that
4753 oplocks are enabled, then grants deny-all/read-write/exclusive
4754 access to the file. The client now performs
4755 operations on the cached local file.
4756 </p><p>
4757 If a second process attempts to open the file, the open
4758 is deferred while the redirector "breaks" the original
4759 oplock. The oplock break signals the caching client to
4760 write the local file back to the server, flush the
4761 local locks, and discard read-ahead data. The break is
4762 then complete, the deferred open is granted, and the
4763 multiple processes can enjoy concurrent file access as
4764 dictated by mandatory or byte-range locking options.
4765 However, if the original opening process opened the
4766 file with a share mode other than deny-none, then the
4767 second process is granted limited or no access, despite
4768 the oplock break.
4769 </p></dd><dt><span class="term">Level2 Oplock:</span></dt><dd><p>
4770 Performs like a level1 oplock, except caching is only
4771 operative for reads. All other operations are performed
4772 on the server disk copy of the file.
4773 </p></dd><dt><span class="term">Filter Oplock:</span></dt><dd><p>
4774 Does not allow write or delete file access
4775 </p></dd><dt><span class="term">Batch Oplock:</span></dt><dd><p>
4776 Manipulates file openings and closings - allows caching
4777 of file attributes
4778 </p></dd></dl></div><p>
4779 An important detail is that oplocks are invoked by the file system, not
4780 an application API. Therefore, an application can close an oplocked
4781 file, but the file system does not relinquish the oplock. When the
4782 oplock break is issued, the file system then simply closes the file in
4783 preparation for the subsequent open by the second process.
4784 </p><p>
4785 <span class="emphasis"><em>Opportunistic Locking</em></span> is actually an improper name for this feature.
4786 The true benefit of this feature is client-side data caching, and
4787 oplocks is merely a notification mechanism for writing data back to the
4788 networked storage disk. The limitation of opportunistic locking is the
4789 reliability of the mechanism to process an oplock break (notification)
4790 between the server and the caching client. If this exchange is faulty
4791 (usually due to timing out for any number of reasons) then the
4792 client-side caching benefit is negated.
4793 </p><p>
4794 The actual decision that a user or administrator should consider is
4795 whether it is sensible to share amongst multiple users data that will
4796 be cached locally on a client. In many cases the answer is no.
4797 Deciding when to cache or not cache data is the real question, and thus
4798 "opportunistic locking" should be treated as a toggle for client-side
4799 caching. Turn it "ON" when client-side caching is desirable and
4800 reliable. Turn it "OFF" when client-side caching is redundant,
4801 unreliable, or counter-productive.
4802 </p><p>
4803 Opportunistic locking is by default set to "on" by Samba on all
4804 configured shares, so careful attention should be given to each case to
4805 determine if the potential benefit is worth the potential for delays.
4806 The following recommendations will help to characterize the environment
4807 where opportunistic locking may be effectively configured.
4808 </p><p>
4809 Windows Opportunistic Locking is a lightweight performance-enhancing
4810 feature. It is not a robust and reliable protocol. Every
4811 implementation of Opportunistic Locking should be evaluated as a
4812 tradeoff between perceived performance and reliability. Reliability
4813 decreases as each successive rule below is not followed. Consider a
4814 share with oplocks enabled, over a wide area network, to a client on a
4815 South Pacific atoll, on a high-availability server, serving a
4816 mission-critical multi-user corporate database, during a tropical
4817 storm. This configuration will likely encounter problems with oplocks.
4818 </p><p>
4819 Oplocks can be beneficial to perceived client performance when treated
4820 as a configuration toggle for client-side data caching. If the data
4821 caching is likely to be interrupted, then oplock usage should be
4822 reviewed. Samba enables opportunistic locking by default on all
4823 shares. Careful attention should be given to the client usage of
4824 shared data on the server, the server network reliability, and the
4825 opportunistic locking configuration of each share.
4826 </p><p>In mission critical high availability environments, data integrity is
4827 often a priority. Complex and expensive configurations are implemented
4828 to ensure that if a client loses connectivity with a file server, a
4829 failover replacement will be available immediately to provide
4830 continuous data availability.
4831 </p><p>
4832 Windows client failover behavior is more at risk of application
4833 interruption than other platforms because it is dependent upon an
4834 established TCP transport connection. If the connection is interrupted
4835 - as in a file server failover - a new session must be established.
4836 It is rare for Windows client applications to be coded to recover
4837 correctly from a transport connection loss, therefore most applications
4838 will experience some sort of interruption - at worst, abort and
4839 require restarting.
4840 </p><p>
4841 If a client session has been caching writes and reads locally due to
4842 opportunistic locking, it is likely that the data will be lost when the
4843 application restarts, or recovers from the TCP interrupt. When the TCP
4844 connection drops, the client state is lost. When the file server
4845 recovers, an oplock break is not sent to the client. In this case, the
4846 work from the prior session is lost. If the same scenario is observed with
4847 oplocks disabled, and the client was writing data to the file server in
4848 real time, then the failover will provide the data on disk as it
4849 existed at the time of the disconnect.
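</p><p>A toy model of the two outcomes just described, added here as an example and not taken from Samba or from any client implementation. It reduces an exclusive oplock to its essentials: a client that holds one writes into a local cache, and that cache only reaches the server's disk when an oplock break is delivered and answered; if the session is lost first, no break is ever sent. The <tt>Server</tt> and <tt>Client</tt> classes and the sample file content are constructed.</p>

```python
class Server:
    """File server holding one file and at most one exclusive oplock on it."""

    def __init__(self, content, oplocks=True):
        self.disk = content
        self.oplocks = oplocks              # the share's 'oplocks = yes/no' setting
        self.oplock_holder = None

    def open(self, client):
        """Return True when the opener is granted an exclusive oplock. A second
        opener first forces a break of the existing oplock, as the text describes."""
        if self.oplock_holder is not None:
            self.oplock_holder.on_break()   # holder writes its cache back, stops caching
            self.oplock_holder = None
            return False                    # concurrent access: nobody caches now
        if self.oplocks:
            self.oplock_holder = client
            return True
        return False

    def drop_connection(self, client):
        """Transport loss (failover, timeout): the server forgets the session.
        No oplock break is ever sent, so nothing the client cached arrives."""
        if self.oplock_holder is client:
            self.oplock_holder = None
        client.cache = None                 # client-side state is lost with the session


class Client:
    def __init__(self, name, server):
        self.name, self.server, self.cache = name, server, None

    def open(self):
        if self.server.open(self):
            self.cache = self.server.disk   # read-ahead into the local copy
        return self

    def write(self, data):
        if self.cache is not None:
            self.cache = data               # write caching: stays local for now
        else:
            self.server.disk = data         # no oplock: goes straight to disk

    def read(self):
        return self.cache if self.cache is not None else self.server.disk

    def on_break(self):
        """Oplock break arrives: write the cached copy back, then stop caching."""
        if self.cache is not None:
            self.server.disk = self.cache
        self.cache = None


def scenario(connection_lost, oplocks=True):
    """Client A edits a file; then either B opens it (break delivered) or A's
    connection is lost before anyone else opens it. Returns what is on disk."""
    srv = Server("original", oplocks=oplocks)
    a = Client("A", srv).open()
    a.write("A's edits")
    if connection_lost:
        srv.drop_connection(a)              # failover or timeout: no break is ever sent
    Client("B", srv).open()                 # a later opener sees whatever reached disk
    return srv.disk


if __name__ == "__main__":
    print("break delivered:      ", scenario(connection_lost=False))
    print("session lost, oplocks:", scenario(connection_lost=True))
    print("session lost, no oplocks:", scenario(connection_lost=True, oplocks=False))
```

<p>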
4850 </p><p>
4851 In mission critical high availability environments, careful attention
4852 should be given to opportunistic locking. Ideally, comprehensive
4853 testing should be done with all affected applications with oplocks
4854 enabled and disabled.
4855 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2890780"></a>Exclusively Accessed Shares</h4></div></div><div></div></div><p>
4856 Opportunistic locking is most effective when it is confined to shares
4857 that are exclusively accessed by a single user, or by only one user at
4858 a time. Because the true value of opportunistic locking is the local
4859 client caching of data, any operation that interrupts the caching
4860 mechanism will cause a delay.
4861 </p><p>
4862 Home directories are the most obvious examples of where the performance
4863 benefit of opportunistic locking can be safely realized.
4864 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2890805"></a>Multiple-Accessed Shares or Files</h4></div></div><div></div></div><p>
4865 As each additional user accesses a file in a share with opportunistic
4866 locking enabled, the potential for delays and resulting perceived poor
4867 performance increases. When multiple users are accessing a file on a
4868 share that has oplocks enabled, the management impact of sending and
4869 receiving oplock breaks, and the resulting latency while other clients
4870 wait for the caching client to flush data, offset the performance gains
4871 of the caching user.
4872 </p><p>
4873 As each additional client attempts to access a file with oplocks set,
4874 the potential performance improvement is negated and eventually results
4875 in a performance bottleneck.
4876 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2890834"></a>UNIX or NFS Client Accessed Files</h4></div></div><div></div></div><p>
4877 Local UNIX and NFS clients access files without a mandatory
4878 file locking mechanism. Thus, these client platforms are incapable of
4879 initiating an oplock break request from the server to a Windows client
4880 that has a file cached. Local UNIX or NFS file access can therefore
4881 write to a file that has been cached by a Windows client, which
4882 exposes the file to likely data corruption.
4883 </p><p>
4884 If files are shared between Windows clients, and either local UNIX
4885 or NFS users, then turn opportunistic locking off.
4886 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2890860"></a>Slow and/or Unreliable Networks</h4></div></div><div></div></div><p>
4887 The biggest potential performance improvement for opportunistic locking
4888 occurs when the client-side caching of reads and writes delivers the
4889 most differential over sending those reads and writes over the wire.
4890 This is most likely to occur when the network is extremely slow,
4891 congested, or distributed (as in a WAN). However, network latency also
4892 has a very high impact on the reliability of the oplock break
4893 mechanism, and thus increases the likelihood of encountering oplock
4894 problems that more than offset the potential perceived performance
4895 gain. Of course, if an oplock break never has to be sent, then this is
4896 the most advantageous scenario to utilize opportunistic locking.
4897 </p><p>
4898 If the network is slow, unreliable, or a WAN, then do not configure
4899 opportunistic locking if there is any chance of multiple users
4900 regularly opening the same file.
4901 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2890894"></a>Multi-User Databases</h4></div></div><div></div></div><p>
4902 Multi-user databases clearly pose a risk due to their very nature -
4903 they are typically heavily accessed by numerous users at random
4904 intervals. Placing a multi-user database on a share with opportunistic
4905 locking enabled will likely result in a locking management bottleneck
4906 on the Samba server. Whether the database application is developed
4907 in-house or a commercially available product, ensure that the share
4908 has opportunistic locking disabled.
4909 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2890914"></a>PDM Data Shares</h4></div></div><div></div></div><p>
4910 Process Data Management (PDM) applications such as IMAN, Enovia, and
4911 Clearcase, are increasing in usage with Windows client platforms, and
4912 therefore SMB data stores. PDM applications manage multi-user
4913 environments for critical data security and access. The typical PDM
4914 environment is usually associated with sophisticated client design
4915 applications that will load data locally as demanded. In addition, the
4916 PDM application will usually monitor the data-state of each client.
4917 In this case, client-side data caching is best left to the local
4918 application and PDM server to negotiate and maintain. It is
4919 appropriate to eliminate the client OS from any caching tasks, and the
4920 server from any oplock management, by disabling opportunistic locking on
4921 the share.
4922 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2890942"></a>Beware of Force User</h4></div></div><div></div></div><p>
4923 Samba includes an <tt class="filename">smb.conf</tt> parameter called <a class="indexterm" name="id2890960"></a><i class="parameter"><tt>force user</tt></i> that changes
4924 the user accessing a share from the incoming user to whatever user is
4925 defined by the smb.conf variable. If opportunistic locking is enabled
4926 on a share, the change in user access causes an oplock break to be sent
4927 to the client, even if the user has not explicitly loaded a file. In
4928 cases where the network is slow or unreliable, an oplock break can
4929 become lost without the user even accessing a file. This can cause
4930 apparent performance degradation as the client continually reconnects
4931 to overcome the lost oplock break.
4932 </p><p>
4933 Avoid the combination of the following:
4934 </p><div class="itemizedlist"><ul type="disc"><li><p>
4935 <a class="indexterm" name="id2891007"></a><i class="parameter"><tt>force user</tt></i> in the <tt class="filename">smb.conf</tt> share configuration.
4936 </p></li><li><p>
4937 Slow or unreliable networks
4938 </p></li><li><p>
4939 Opportunistic Locking Enabled
4940 </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2891044"></a>Advanced Samba Opportunistic Locking Parameters</h4></div></div><div></div></div><p>
4941 Samba provides opportunistic locking parameters that allow the
4942 administrator to adjust various properties of the oplock mechanism to
4943 account for timing and usage levels. These parameters provide good
4944 versatility for implementing oplocks in environments where they would
4945 likely cause problems. The parameters are:
4946 <a class="indexterm" name="id2891061"></a><i class="parameter"><tt>oplock break wait time</tt></i>,
4947 <a class="indexterm" name="id2891075"></a><i class="parameter"><tt>oplock contention limit</tt></i>.
4948 </p><p>
4949 For most users, administrators, and environments, if these parameters
4950 are required, then the better option is to simply turn oplocks off.
4951 The samba SWAT help text for both parameters reads "DO NOT CHANGE THIS
4952 PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE."
4953 This is good advice.
4954 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2891101"></a>Mission Critical High Availability</h4></div></div><div></div></div><p>
4955 In mission critical high availability environments, data integrity is
4956 often a priority. Complex and expensive configurations are implemented
4957 to ensure that if a client loses connectivity with a file server, a
4958 failover replacement will be available immediately to provide
4959 continuous data availability.
4960 </p><p>
Windows client failover behavior is more at risk of application
interruption than other platforms because it is dependent upon an
established TCP transport connection. If the connection is interrupted,
as in a file server failover, a new session must be established.
It is rare for Windows client applications to be coded to recover
correctly from a transport connection loss, therefore most applications
will experience some sort of interruption; at worst they abort and
require restarting.
4969 </p><p>
If a client session has been caching writes and reads locally due to
opportunistic locking, it is likely that the data will be lost when the
application restarts or recovers from the TCP interrupt. When the TCP
connection drops, the client state is lost. When the file server
recovers, an oplock break is not sent to the client, so the
work from the prior session is lost. In the same scenario with
oplocks disabled, the client was writing data to the file server in
real time, so the failover will provide the data on disk as it
existed at the time of the disconnect.
4979 </p><p>
4980 In mission critical high availability environments, careful attention
4981 should be given to opportunistic locking. Ideally, comprehensive
4982 testing should be done with all affected applications with oplocks
4983 enabled and disabled.
4984 </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2891158"></a>Samba Opportunistic Locking Control</h2></div></div><div></div></div><p>
4985 Opportunistic Locking is a unique Windows file locking feature. It is
4986 not really file locking, but is included in most discussions of Windows
4987 file locking, so is considered a de facto locking feature.
4988 Opportunistic Locking is actually part of the Windows client file
4989 caching mechanism. It is not a particularly robust or reliable feature
4990 when implemented on the variety of customized networks that exist in
4991 enterprise computing.
4992 </p><p>
4993 Like Windows, Samba implements Opportunistic Locking as a server-side
4994 component of the client caching mechanism. Because of the lightweight
4995 nature of the Windows feature design, effective configuration of
4996 Opportunistic Locking requires a good understanding of its limitations,
4997 and then applying that understanding when configuring data access for
4998 each particular customized network and client usage state.
4999 </p><p>
5000 Opportunistic locking essentially means that the client is allowed to download and cache
5001 a file on their hard drive while making changes; if a second client wants to access the
5002 file, the first client receives a break and must synchronise the file back to the server.
5003 This can give significant performance gains in some cases; some programs insist on
5004 synchronising the contents of the entire file back to the server for a single change.
5005 </p><p>
Level1 Oplocks (aka just plain "oplocks") are another term for opportunistic locking.
</p><p>
Level2 Oplocks provide opportunistic locking for a file that will be treated as
<span class="emphasis"><em>read only</em></span>. Typically this is used on files that are read-only or
on files that the client has no initial intention to write to at the time of opening the file.
</p><p>
Kernel Oplocks are a mechanism that lets the operating system kernel co-exist with
Samba's oplocked files: when a local process opens a file that a Windows client has oplocked,
the kernel notifies smbd, which then breaks the oplock. This gives much better integration
of MS Windows network file locking with the underlying OS, but SGI IRIX and Linux are the only
two operating systems that are oplock aware at this time.
5016 </p><p>
5017 Unless your system supports kernel oplocks, you should disable oplocks if you are
5018 accessing the same files from both UNIX/Linux and SMB clients. Regardless, oplocks should
5019 always be disabled if you are sharing a database file (e.g., Microsoft Access) between
5020 multiple clients, as any break the first client receives will affect synchronisation of
5021 the entire file (not just the single record), which will result in a noticeable performance
5022 impairment and, more likely, problems accessing the database in the first place. Notably,
5023 Microsoft Outlook's personal folders (*.pst) react very badly to oplocks. If in doubt,
5024 disable oplocks and tune your system from that point.
5025 </p><p>
5026 If client-side caching is desirable and reliable on your network, you will benefit from
5027 turning on oplocks. If your network is slow and/or unreliable, or you are sharing your
5028 files among other file sharing mechanisms (e.g., NFS) or across a WAN, or multiple people
5029 will be accessing the same files frequently, you probably will not benefit from the overhead
5030 of your client sending oplock breaks and will instead want to disable oplocks for the share.
5031 </p><p>
5032 Another factor to consider is the perceived performance of file access. If oplocks provide no
5033 measurable speed benefit on your network, it might not be worth the hassle of dealing with them.
5034 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2891268"></a>Example Configuration</h3></div></div><div></div></div><p>
5035 In the following we examine two distinct aspects of Samba locking controls.
5036 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2891281"></a>Disabling Oplocks</h4></div></div><div></div></div><p>
5037 You can disable oplocks on a per-share basis with the following:
5038 </p><p>
5039 </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[acctdata]</tt></i></td></tr><tr><td><i class="parameter"><tt>oplocks = False</tt></i></td></tr><tr><td><i class="parameter"><tt>level2 oplocks = False</tt></i></td></tr></table><p>
5040 </p><p>
5041 The default oplock type is Level1. Level2 Oplocks are enabled on a per-share basis
5042 in the <tt class="filename">smb.conf</tt> file.
5043 </p><p>
5044 Alternately, you could disable oplocks on a per-file basis within the share:
5045 </p><p>
5046 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/</tt></i></td></tr></table><p>
5047 </p><p>
5048 If you are experiencing problems with oplocks as apparent from Samba's log entries,
5049 you may want to play it safe and disable oplocks and level2 oplocks.
5050 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2891378"></a>Disabling Kernel OpLocks</h4></div></div><div></div></div><p>
5051 Kernel OpLocks is an <tt class="filename">smb.conf</tt> parameter that notifies Samba (if
5052 the UNIX kernel has the capability to send a Windows client an oplock
5053 break) when a UNIX process is attempting to open the file that is
5054 cached. This parameter addresses sharing files between UNIX and
5055 Windows with Oplocks enabled on the Samba server: the UNIX process
5056 can open the file that is Oplocked (cached) by the Windows client and
5057 the smbd process will not send an oplock break, which exposes the file
5058 to the risk of data corruption. If the UNIX kernel has the ability to
5059 send an oplock break, then the kernel oplocks parameter enables Samba
5060 to send the oplock break. Kernel oplocks are enabled on a per-server
5061 basis in the <tt class="filename">smb.conf</tt> file.
5062 </p><p>
5063 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>kernel oplocks = yes</tt></i></td></tr></table><p>
Do not rely on a remembered default: it has differed between Samba releases, and the
parameter is silently a no-op on kernels without the support. Check the value your build
actually uses with <tt>testparm -v</tt>.
5065 </p><p>
5066 Veto OpLocks is an <tt class="filename">smb.conf</tt> parameter that identifies specific files for
5067 which Oplocks are disabled. When a Windows client opens a file that
5068 has been configured for veto oplocks, the client will not be granted
5069 the oplock, and all operations will be executed on the original file on
5070 disk instead of a client-cached file copy. By explicitly identifying
5071 files that are shared with UNIX processes, and disabling oplocks for
5072 those files, the server-wide Oplock configuration can be enabled to
5073 allow Windows clients to utilize the performance benefit of file
5074 caching without the risk of data corruption. Veto Oplocks can be
5075 enabled on a per-share basis, or globally for the entire server, in the
5076 <tt class="filename">smb.conf</tt> file:
5077 </p><p>
5078 </p><div class="example"><a name="id2891471"></a><p class="title"><b>Example 14.1. Share with some files oplocked</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>veto oplock files = /filename.htm/*.txt/</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[share_name]</tt></i></td></tr><tr><td><i class="parameter"><tt>veto oplock files = /*.exe/filename.ext/</tt></i></td></tr></table></div><p>
5079 </p><p>
<a class="indexterm" name="id2891525"></a><i class="parameter"><tt>oplock break wait time</tt></i> is an <tt class="filename">smb.conf</tt> parameter that sets the time,
in milliseconds, that Samba waits before sending an oplock break request to a client. Samba
recommends "DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND
UNDERSTOOD THE SAMBA OPLOCK CODE." Oplock Break Wait Time can only be
configured globally in the <tt class="filename">smb.conf</tt> file; the default is 0:
</p><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>oplock break wait time = 0</tt></i></td></tr></table><p>
5087 </p><p>
<i class="parameter"><tt>oplock contention limit</tt></i> is an <tt class="filename">smb.conf</tt> parameter that stops
the Samba server from granting an oplock on a file once the
number of clients contending for that file reaches the limit specified by the
parameter. Samba recommends "DO NOT CHANGE THIS PARAMETER UNLESS YOU
HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE." Oplock
contention limit can be set on a per-share basis, or globally for
the entire server, in the <tt class="filename">smb.conf</tt> file; the default is 2:
</p><p>
</p><div class="example"><a name="id2891612"></a><p class="title"><b>Example 14.2. Oplock contention limit set globally and per share</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>oplock contention limit = 2</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[share_name]</tt></i></td></tr><tr><td><i class="parameter"><tt>oplock contention limit = 2</tt></i></td></tr></table></div><p>
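</p><p>
The rules this chapter spreads over several sections (<i class="parameter"><tt>force user</tt></i> combined with oplocks,
database-style files shared without a veto, <i class="parameter"><tt>level2 oplocks</tt></i> set while
<i class="parameter"><tt>oplocks</tt></i> is off, and a global <i class="parameter"><tt>kernel oplocks = no</tt></i> while shares
still hand out oplocks) can be checked mechanically. The Python script below is an added example for this HOWTO,
not Samba code. The <tt class="filename">smb.conf</tt> it embeds, including the share names, paths and the
<tt>pdmsvc</tt> user, is constructed; the <tt>ASSUMED_DEFAULTS</tt> values are assumptions to confirm with
<tt>testparm -v</tt>; and the parser handles only the subset of the file format these checks need.
</p>
```python
"""Audit an smb.conf for the oplock hazards described in this chapter.

Added example for this HOWTO; it is not part of Samba. It handles the
subset of smb.conf syntax needed here ([section] headers, "key = value"
lines, ';' or '#' comment lines) and applies four rules from the text:
force user on a share that still grants oplocks, database-style files
shared without a veto, level2 oplocks set while level1 oplocks are off,
and a global kernel oplocks = no while shares hand out oplocks.
"""
import re
from typing import Dict, List, Tuple

# Assumed defaults for the two per-share parameters; confirm the real
# defaults of your build with `testparm -v` (they differ between releases).
ASSUMED_DEFAULTS = {"oplocks": "yes", "level2 oplocks": "yes"}

# Patterns the chapter singles out as oplock-hostile: Access databases,
# dBase files and Outlook personal folders.
DATABASE_GLOBS = ("*.mdb", "*.dbf", "*.pst")

# Constructed sample configuration (not taken from the page).
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   kernel oplocks = no

[acctdata]
   path = /srv/acctdata
   oplocks = False
   level2 oplocks = False

[engineering]
   path = /srv/eng
   force user = pdmsvc
   ; oplocks deliberately left at the default

[shared-db]
   path = /srv/db
   veto oplock files = /*.mdb/*.MDB/

[archive]
   path = /srv/archive
   oplocks = no
   level2 oplocks = yes
"""

Finding = Tuple[str, str]  # (section name, rule identifier)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {lower-cased key: value}}; a repeated key overrides."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # parameters before the first section header are ignored
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def to_bool(value: str) -> bool:
    """smb.conf booleans: yes/true/1 or no/false/0, case-insensitive."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not an smb.conf boolean: {value!r}")


def veto_list(value: str) -> List[str]:
    """'/a/b/' -> ['a', 'b']: the list is '/'-delimited with '/' at each end."""
    return [item for item in value.split("/") if item]


def audit(text: str) -> List[Finding]:
    """Apply the chapter's rules and return (section, rule) pairs in file order."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings: List[Finding] = []

    kernel = glob.get("kernel oplocks")
    if kernel is None:
        findings.append(("global", "kernel-oplocks-unset"))  # default varies; check testparm -v
    kernel_off = kernel is not None and not to_bool(kernel)

    for name, params in conf.items():
        if name == "global":
            continue

        def effective(key: str) -> str:
            # share value, then [global], then the assumed default
            return params.get(key, glob.get(key, ASSUMED_DEFAULTS.get(key, "")))

        oplocks = to_bool(effective("oplocks"))
        level2 = to_bool(effective("level2 oplocks"))
        if level2 and not oplocks:
            findings.append((name, "level2-without-level1"))
        if not oplocks:
            continue  # nothing is cached client-side, the remaining rules do not apply
        if "force user" in params:
            findings.append((name, "force-user-with-oplocks"))
        vetoed = {item.lower() for item in veto_list(effective("veto oplock files"))}
        if any(pattern not in vetoed for pattern in DATABASE_GLOBS):
            findings.append((name, "database-files-not-vetoed"))
        if kernel_off:
            findings.append((name, "unix-access-will-not-break-oplock"))
    return findings


if __name__ == "__main__":
    for section, rule in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {rule}")
```
<p>
Run as a script it prints one line per finding for the sample; pass the contents of your own file to
<tt>audit()</tt> to check a live configuration. A share with oplocks disabled silences the remaining rules for
itself, which matches the chapter's advice: when in doubt, turn oplocks off and tune from there.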
5097 </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2891665"></a>MS Windows Opportunistic Locking and Caching Controls</h2></div></div><div></div></div><p>
5098 There is a known issue when running applications (like Norton Anti-Virus) on a Windows 2000/ XP
5099 workstation computer that can affect any application attempting to access shared database files
5100 across a network. This is a result of a default setting configured in the Windows 2000/XP
5101 operating system known as <span class="emphasis"><em>Opportunistic Locking</em></span>. When a workstation
5102 attempts to access shared data files located on another Windows 2000/XP computer,
5103 the Windows 2000/XP operating system will attempt to increase performance by locking the
5104 files and caching information locally. When this occurs, the application is unable to
5105 properly function, which results in an <span class="errorname">Access Denied</span>
5106 error message being displayed during network operations.
5107 </p><p>
Any Windows system that acts as a database server for data files
(meaning that data files are stored there and accessed by other Windows PCs) may need to
have opportunistic locking disabled in order to minimize the risk of data file corruption.
This includes Windows 9x/Me, Windows NT, Windows 200x and Windows XP.
5112 </p><p>
5113 If you are using a Windows NT family workstation in place of a server, you must also
5114 disable opportunistic locking (oplocks) on that workstation. For example, if you use a
5115 PC with the Windows NT Workstation operating system instead of Windows NT Server, and you
5116 have data files located on it that are accessed from other Windows PCs, you may need to
5117 disable oplocks on that system.
5118 </p><p>
5119 The major difference is the location in the Windows registry where the values for disabling
5120 oplocks are entered. Instead of the LanManServer location, the LanManWorkstation location
5121 may be used.
5122 </p><p>
5123 You can verify (or change or add, if necessary) this Registry value using the Windows
5124 Registry Editor. When you change this registry value, you will have to reboot the PC
5125 to ensure that the new setting goes into effect.
5126 </p><p>
5127 The location of the client registry entry for opportunistic locking has changed in
5128 Windows 2000 from the earlier location in Microsoft Windows NT.
5129 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
5130 Windows 2000 will still respect the EnableOplocks registry value used to disable oplocks
5131 in earlier versions of Windows.
5132 </p></div><p>
5133 You can also deny the granting of opportunistic locks by changing the following registry entries:
5134 </p><p>
5135 </p><pre class="programlisting">
HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\MRXSmb\Parameters\

OplocksDisabled REG_DWORD 0 or 1
Default: 0 (not disabled)
</pre><p>
5142 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
5143 The OplocksDisabled registry value configures Windows clients to either request or not
5144 request opportunistic locks on a remote file. To disable oplocks, the value of
5145 OplocksDisabled must be set to 1.
5146 </p></div><p>
5147 </p><pre class="programlisting">
HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\LanmanServer\Parameters

EnableOplocks REG_DWORD 0 or 1
Default: 1 (Enabled by Default)

EnableOpLockForceClose REG_DWORD 0 or 1
Default: 0 (Disabled by Default)
</pre><p>
5157 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
5158 The EnableOplocks value configures Windows-based servers (including Workstations sharing
5159 files) to allow or deny opportunistic locks on local files.
5160 </p></div><p>
5161 To force closure of open oplocks on close or program exit EnableOpLockForceClose must be set to 1.
5162 </p><p>
5163 An illustration of how level II oplocks work:
5164 </p><div class="itemizedlist"><ul type="disc"><li><p>
5165 Station 1 opens the file, requesting oplock.
5166 </p></li><li><p>
5167 Since no other station has the file open, the server grants station 1 exclusive oplock.
5168 </p></li><li><p>
5169 Station 2 opens the file, requesting oplock.
5170 </p></li><li><p>
5171 Since station 1 has not yet written to the file, the server asks station 1 to Break
5172 to Level II Oplock.
5173 </p></li><li><p>
5174 Station 1 complies by flushing locally buffered lock information to the server.
5175 </p></li><li><p>
5176 Station 1 informs the server that it has Broken to Level II Oplock (alternatively,
5177 station 1 could have closed the file).
5178 </p></li><li><p>
5179 The server responds to station 2's open request, granting it level II oplock.
5180 Other stations can likewise open the file and obtain level II oplock.
5181 </p></li><li><p>
5182 Station 2 (or any station that has the file open) sends a write request SMB.
5183 The server returns the write response.
5184 </p></li><li><p>
The server asks all stations that have the file open to Break to None, meaning no
station holds any oplock on the file. Because the workstations can have no cached
writes or locks at this point, they need not respond to the break-to-none advisory;
all they need do is invalidate locally cached read-ahead data.
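</p><p>
The sequence above is easier to reason about as a small state machine. The Python model below is an added
example for this HOWTO, not Windows or Samba code: it tracks, for one file, which stations have it open, the
oplock level each holds and the break messages the server sends. Besides the listed steps it covers the
branch the list only implies, where the exclusive holder has already written and is therefore broken to none
rather than to level II. Station names and the <tt>OplockServer</tt> class are constructed for the example.
</p>
```python
"""State machine for the level II oplock sequence listed above.

Added example for this HOWTO, not Windows or Samba code. It models the
server side for a single file: who has it open, which oplock level each
opener holds, and which break messages the server has sent. Besides the
listed sequence it covers the branch the list only implies: an exclusive
holder that has already written is broken to none, not to level II,
because read caching by others is unsafe while it keeps writing.
"""
from typing import Dict, List, Set

EXCLUSIVE, LEVEL2, NONE = "exclusive", "level2", "none"


class OplockServer:
    """Server-side oplock state for one file (constructed model)."""

    def __init__(self) -> None:
        self.holders: Dict[str, str] = {}  # station -> oplock level held
        self.written: Set[str] = set()     # stations that have written since opening
        self.log: List[str] = []           # break messages sent, in order

    def open(self, station: str, request_oplock: bool = True) -> str:
        """Open the file for `station` and return the oplock level granted."""
        if not self.holders:
            level = EXCLUSIVE if request_oplock else NONE
        else:
            for other, held in list(self.holders.items()):
                if held == EXCLUSIVE:
                    # No writes yet: downgrade to level II, read caching continues
                    # once the holder has flushed its buffered lock information.
                    # Writes seen: break to none, the file is now contended.
                    self._break(other, NONE if other in self.written else LEVEL2)
            level = LEVEL2 if request_oplock else NONE
        self.holders[station] = level
        return level

    def write(self, station: str) -> None:
        """A write by an opener: buffered under an exclusive oplock, else sent."""
        held = self.holders[station]  # KeyError: station has no open handle
        self.written.add(station)
        if held == EXCLUSIVE:
            return  # sole opener, the data can stay in the client cache for now
        # The write reached the server, so every level II cache is stale.
        for other, other_level in list(self.holders.items()):
            if other_level == LEVEL2:
                self._break(other, NONE)  # advisory; no acknowledgement needed

    def close(self, station: str) -> None:
        """Close the handle; an exclusive holder flushes on close."""
        self.holders.pop(station, None)
        self.written.discard(station)

    def _break(self, station: str, new_level: str) -> None:
        self.log.append(f"break {station}: {self.holders[station]} -> {new_level}")
        self.holders[station] = new_level


def illustrated_sequence() -> List[str]:
    """Replay the list above (open, open, write) and return the breaks sent."""
    server = OplockServer()
    server.open("station1")   # granted exclusive
    server.open("station2")   # station1 broken to level II, station2 gets level II
    server.write("station2")  # everyone broken to none
    return server.log


if __name__ == "__main__":
    for line in illustrated_sequence():
        print(line)
```
<p>
The break to none in the last step goes to every level II holder, the writer included, which is why the
text says no station holds any oplock afterwards; a later write by any opener then finds nothing left to break.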
5189 </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2891896"></a>Workstation Service Entries</h3></div></div><div></div></div><pre class="programlisting">
HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\LanmanWorkstation\Parameters

UseOpportunisticLocking REG_DWORD 0 or 1
Default: 1 (true)
</pre><p>
5196 Indicates whether the redirector should use opportunistic-locking (oplock) performance
5197 enhancement. This parameter should be disabled only to isolate problems.
5198 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2891924"></a>Server Service Entries</h3></div></div><div></div></div><pre class="programlisting">
HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\LanmanServer\Parameters

EnableOplocks REG_DWORD 0 or 1
Default: 1 (true)
</pre><p>
5205 Specifies whether the server allows clients to use oplocks on files. Oplocks are a
5206 significant performance enhancement, but have the potential to cause lost cached
5207 data on some networks, particularly wide-area networks.
5208 </p><pre class="programlisting">
MinLinkThroughput REG_DWORD 0 to infinite bytes per second
Default: 0
5211 </pre><p>
5212 Specifies the minimum link throughput allowed by the server before it disables
5213 raw and opportunistic locks for this connection.
5214 </p><pre class="programlisting">
MaxLinkDelay REG_DWORD 0 to 100,000 seconds
Default: 60
5217 </pre><p>
5218 Specifies the maximum time allowed for a link delay. If delays exceed this number,
5219 the server disables raw I/O and opportunistic locking for this connection.
5220 </p><pre class="programlisting">
OplockBreakWait REG_DWORD 10 to 180 seconds
Default: 35
5223 </pre><p>
5224 Specifies the time that the server waits for a client to respond to an oplock break
5225 request. Smaller values can allow detection of crashed clients more quickly but can
5226 potentially cause loss of cached data.
5227 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892003"></a>Persistent Data Corruption</h2></div></div><div></div></div><p>
5228 If you have applied all of the settings discussed in this chapter but data corruption problems
5229 and other symptoms persist, here are some additional things to check out:
5230 </p><p>
5231 We have credible reports from developers that faulty network hardware, such as a single
5232 faulty network card, can cause symptoms similar to read caching and data corruption.
5233 If you see persistent data corruption even after repeated reindexing, you may have to
5234 rebuild the data files in question. This involves creating a new data file with the
5235 same definition as the file to be rebuilt and transferring the data from the old file
5236 to the new one. There are several known methods for doing this that can be found in
5237 our Knowledge Base.
5238 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892032"></a>Common Errors</h2></div></div><div></div></div><p>
5239 In some sites locking problems surface as soon as a server is installed, in other sites
5240 locking problems may not surface for a long time. Almost without exception, when a locking
5241 problem does surface it will cause embarrassment and potential data corruption.
5242 </p><p>
5243 Over the past few years there have been a number of complaints on the samba mailing lists
5244 that have claimed that samba caused data corruption. Three causes have been identified
5245 so far:
5246 </p><div class="itemizedlist"><ul type="disc"><li><p>
Incorrect configuration of opportunistic locking (incompatible with the application
being used). This is a VERY common problem even where MS Windows NT4 or MS Windows 200x
based servers were in use. It is imperative that the software application vendors'
instructions for configuration of file locking be followed. If in doubt,
disable oplocks on both the server and the client. Disabling all forms of file
caching on the MS Windows client may be necessary also.
5253 </p></li><li><p>
Defective network cards, cables, hubs or switches. This is generally a more
prevalent factor with low cost networking hardware, though occasionally there
have been problems with incompatibilities in more upmarket hardware also.
5257 </p></li><li><p>
5258 There have been some random reports of samba log files being written over data
5259 files. This has been reported by very few sites (about 5 in the past 3 years)
5260 and all attempts to reproduce the problem have failed. The Samba-Team has been
5261 unable to catch this happening and thus has NOT been able to isolate any particular
5262 cause. Considering the millions of systems that use samba, for the sites that have
5263 been affected by this as well as for the Samba-Team this is a frustrating and
5264 a vexing challenge. If you see this type of thing happening please create a bug
5265 report on https://bugzilla.samba.org without delay. Make sure that you give as much
5266 information as you possibly can to help isolate the cause and to allow reproduction
5267 of the problem (an essential step in problem isolation and correction).
5268 </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892106"></a>locking.tdb error messages</h3></div></div><div></div></div><p>
5269 &#8220;<span class="quote">
5270 We are seeing lots of errors in the samba logs like:
5271 </span>&#8221;
5272 </p><pre class="programlisting">
tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic
0x4d6f4b61 at offset=36116
5275 </pre><p>
5276 &#8220;<span class="quote">
5277 What do these mean?
5278 </span>&#8221;
5279 </p><p>
The tdb is corrupted. Stop all instances of smbd, delete locking.tdb (smbd recreates it
on startup), then restart smbd.
5281 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892144"></a>Problems saving files in MS Office on Windows XP</h3></div></div><div></div></div><p>This is a bug in Windows XP. More information can be
5282 found in <a href="http://support.microsoft.com/?id=812937" target="_top">Microsoft Knowledge Base article 812937</a>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892167"></a>Long delays deleting files over network with XP SP1</h3></div></div><div></div></div><p>&#8220;<span class="quote">It sometimes takes approximately 35 seconds to delete files over the network after XP SP1 has been applied</span>&#8221;</p><p>This is a bug in Windows XP. More information can be
5283 found in <a href="http://support.microsoft.com/?id=811492" target="_top">
5284 Microsoft Knowledge Base article 811492</a>.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892198"></a>Additional Reading</h2></div></div><div></div></div><p>
5285 You may want to check for an updated version of this white paper on our Web site from
5286 time to time. Many of our white papers are updated as information changes. For those papers,
5287 the Last Edited date is always at the top of the paper.
5288 </p><p>
5289 Section of the Microsoft MSDN Library on opportunistic locking:
5290 </p><p>
5291 Opportunistic Locks, Microsoft Developer Network (MSDN), Windows Development &gt;
5292 Windows Base Services &gt; Files and I/O &gt; SDK Documentation &gt; File Storage &gt; File Systems
5293 &gt; About File Systems &gt; Opportunistic Locks, Microsoft Corporation.
5294 <a href="http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp" target="_top">http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp</a>
5295 </p><p>
5296 Microsoft Knowledge Base Article Q224992 "Maintaining Transactional Integrity with OPLOCKS",
5297 Microsoft Corporation, April 1999, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992</a>.
5298 </p><p>
5299 Microsoft Knowledge Base Article Q296264 "Configuring Opportunistic Locking in Windows 2000",
5300 Microsoft Corporation, April 2001, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264</a>.
5301 </p><p>
5302 Microsoft Knowledge Base Article Q129202 "PC Ext: Explanation of Opportunistic Locking on Windows NT",
5303 Microsoft Corporation, April 1995, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202</a>.
5304 </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="securing-samba"></a>Chapter 15. Securing Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 26, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2892365">Introduction</a></dt><dt><a href="#id2892398">Features and Benefits</a></dt><dt><a href="#id2892471">Technical Discussion of Protective Measures and Issues</a></dt><dd><dl><dt><a href="#id2892490">Using host based protection</a></dt><dt><a href="#id2892590">User based protection</a></dt><dt><a href="#id2892650">Using interface protection</a></dt><dt><a href="#id2892717">Using a firewall</a></dt><dt><a href="#id2892774">Using a IPC$ share deny</a></dt><dt><a href="#id2892867">NTLMv2 Security</a></dt></dl></dd><dt><a href="#id2892926">Upgrading Samba</a></dt><dt><a href="#id2892950">Common Errors</a></dt><dd><dl><dt><a href="#id2892968">Smbclient works on localhost, but the network is dead</a></dt><dt><a href="#id2892992">Why can users access home directories of other users?</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892365"></a>Introduction</h2></div></div><div></div></div><p>
5305 This note was attached to the Samba 2.2.8 release notes as it contained an
5306 important security fix. The information contained here applies to Samba
5307 installations in general.
5308 </p><p>
A new apprentice reported for duty to the Chief Engineer of a boiler house. He said, "Here I am,
if you will show me the boiler I'll start working on it." The engineer replied, "You're leaning
on it!"
5312 </p><p>
5313 Security concerns are just like that: You need to know a little about the subject to appreciate
5314 how obvious most of it really is. The challenge for most of us is to discover that first morsel
5315 of knowledge with which we may unlock the secrets of the masters.
5316 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892398"></a>Features and Benefits</h2></div></div><div></div></div><p>
There are three levels at which security principles must be observed in order to render a site
at least moderately secure. These are: the perimeter firewall, the configuration of the host
server that is running Samba, and Samba itself.
5320 </p><p>
5321 Samba permits a most flexible approach to network security. As far as possible Samba implements
5322 the latest protocols to permit more secure MS Windows file and print operations.
5323 </p><p>
Samba may be secured from connections that originate from outside the local network. This may be
done using <span class="emphasis"><em>host based protection</em></span> (using Samba's implementation of a technology
known as "tcpwrappers"), or it may be done using <span class="emphasis"><em>interface based exclusion</em></span>
so that <span class="application">smbd</span> will bind only to specifically permitted interfaces. It is also
possible to set specific share or resource based exclusions, e.g. on the <i class="parameter"><tt>[IPC$]</tt></i>
auto-share. The <i class="parameter"><tt>[IPC$]</tt></i> share is used for browsing purposes as well as to establish
TCP/IP connections.
5331 </p><p>
5332 Another method by which Samba may be secured is by way of setting Access Control Entries in an Access
5333 Control List on the shares themselves. This is discussed in the chapter on File, Directory and Share Access
5334 Control.
5335 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892471"></a>Technical Discussion of Protective Measures and Issues</h2></div></div><div></div></div><p>
5336 The key challenge of security is the fact that protective measures suffice at best
5337 only to close the door on known exploits and breach techniques. Never assume that
5338 because you have followed these few measures that the Samba server is now an impenetrable
5339 fortress! Given the history of information systems so far, it is only a matter of time
5340 before someone will find yet another vulnerability.
5341 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892490"></a>Using host based protection</h3></div></div><div></div></div><p>
5342 In many installations of Samba the greatest threat comes from outside
5343 your immediate network. By default Samba will accept connections from
5344 any host, which means that if you run an insecure version of Samba on
5345 a host that is directly connected to the Internet you can be
5346 especially vulnerable.
5347 </p><p>
5348 One of the simplest fixes in this case is to use the <a class="indexterm" name="id2892512"></a><i class="parameter"><tt>hosts allow</tt></i> and
5349 <a class="indexterm" name="id2892526"></a><i class="parameter"><tt>hosts deny</tt></i> options in the Samba <tt class="filename">smb.conf</tt> configuration file to only
5350 allow access to your server from a specific range of hosts. An example
5351 might be:
5352 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts deny = 0.0.0.0/0</tt></i></td></tr></table><p>
5353 The above will only allow SMB connections from 'localhost' (your own
5354 computer) and from the two private networks 192.168.2.0/24 and
5355 192.168.3.0/24. All other connections will be refused as soon
5356 as the client sends its first packet. On port 139 the refusal is returned as a
5357 <span class="errorname">not listening on called name</span> NetBIOS session error; on port 445,
5358 where no NetBIOS session request is exchanged, the client simply sees the connection closed.
5358 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892590"></a>User based protection</h3></div></div><div></div></div><p>
5359 If you want to restrict access to your server to valid users only then the following
5360 method may be of use. In the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[global]</tt></i> section put:
5361 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>valid users = @smbusers, jacko</tt></i></td></tr></table><p>
5362 This restricts access to every share to either the user <span class="emphasis"><em>jacko</em></span>
5363 or to members of the system group <span class="emphasis"><em>smbusers</em></span>.
5364 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892650"></a>Using interface protection</h3></div></div><div></div></div><p>
5365 By default Samba will accept connections on any network interface that
5366 it finds on your system. That means if you have an ISDN line or a PPP
5367 connection to the Internet then Samba will accept connections on those
5368 links. This may not be what you want.
5369 </p><p>
5370 You can change this behaviour using options like the following:
5371 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>interfaces = eth* lo</tt></i></td></tr><tr><td><i class="parameter"><tt>bind interfaces only = yes</tt></i></td></tr></table><p>
5372 This tells Samba to listen for connections only on interfaces whose
5373 name starts with 'eth', such as eth0 and eth1, plus on the loopback
5374 interface called 'lo'. The names you will need to use depend on the
5375 OS you are running; the above uses the common names for Ethernet adapters on Linux.
5376 Always keep 'lo' in the list: with bind interfaces only = yes, local tools that reach
5377 smbd over the loopback address (smbpasswd, for example) are otherwise refused as well.
5377 </p><p>
5378 If you use the above and someone tries to make an SMB connection to
5379 your host over a PPP interface called 'ppp0' then they will get a TCP
5380 connection refused reply. In that case no Samba code is run at all as
5381 the operating system has been told not to pass connections from that
5382 interface to any Samba process.
5383 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892717"></a>Using a firewall</h3></div></div><div></div></div><p>
5384 Many people use a firewall to deny access to services that they don't
5385 want exposed outside their network. This can be a very good idea,
5386 although I would recommend using it in conjunction with the above
5387 methods so that you are protected even if your firewall is not active
5388 for some reason.
5389 </p><p>
5390 If you are setting up a firewall then you need to know what TCP and
5391 UDP ports to allow and block. Samba uses the following:
5392 </p><table class="simplelist" border="0" summary="Simple list"><tr><td>UDP/137 - used by nmbd</td></tr><tr><td>UDP/138 - used by nmbd</td></tr><tr><td>TCP/139 - used by smbd</td></tr><tr><td>TCP/445 - used by smbd</td></tr></table><p>
5393 The last one is important as many older firewall setups may not be
5394 aware of it: TCP/445 (SMB carried directly over TCP, without the NetBIOS session
5395 layer) was introduced with Windows 2000 and is the port Windows 2000 and later clients
5396 prefer. Unless it is covered too, blocking the other three ports buys nothing.
5396 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892774"></a>Using a IPC$ share deny</h3></div></div><div></div></div><p>
5397 If the above methods are not suitable, then you could also place a
5398 more specific deny on the IPC$ share that is used in the recently
5399 discovered security hole. This allows you to offer access to other
5400 shares while denying access to IPC$ from potentially untrustworthy
5401 hosts.
5402 </p><p>
5403 To do that you could use:
5404 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>[ipc$]</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts allow = 192.168.115.0/24 127.0.0.1</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts deny = 0.0.0.0/0</tt></i></td></tr></table><p>
5405 This would tell Samba that IPC$ connections are not allowed from
5406 anywhere but the two listed places (localhost and one local
5407 subnet). Connections to other shares would still be allowed. As the
5408 IPC$ share is the only share that is always accessible anonymously,
5409 this provides some level of protection against attackers that do not
5410 know a username/password for your host.
5411 </p><p>
5412 If you use this method then clients will be given an <span class="errorname">access denied</span>
5413 reply when they try to access the IPC$ share. That means that those
5414 clients will not be able to browse shares, and may also be unable to
5415 access some other resources that rely on the named pipes behind IPC$.
5416 </p><p>
5417 This is not recommended unless you cannot use one of the other
5418 methods listed above for some reason.
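</p><p>
The following script is an added example; it is not code from the Samba project and was not part of this
HOWTO. It models the documented precedence of <i class="parameter"><tt>hosts allow</tt></i> and
<i class="parameter"><tt>hosts deny</tt></i> (a match in hosts allow wins, then a match in hosts deny refuses,
otherwise the host is allowed; when only one list is present it alone decides) so that the fragments shown above under
host based protection and under the IPC$ share deny can be checked against client addresses before they go live.
The address forms it accepts, the function names, and the share-level rule it applies (a share that leaves a list unset
inherits the global one, and a host refused globally never reaches the share check) are this example's own
assumptions about smbd, not text from the page.
</p>
```sh
#!/bin/sh
# Added example, not Samba project code: a model of the "hosts allow" /
# "hosts deny" decision smbd makes, so an smb.conf fragment can be checked
# against client addresses before it is deployed. Patterns understood:
# exact IPv4 address, a.b.c.d/N (CIDR), the Samba shorthand "a.b.c."
# (address prefix) and the keyword ALL.

ip_to_int() {
    # dotted quad to a 32-bit integer (no bit operators needed)
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 * 256 + $2) * 65536 + $3 * 256 + $4 ))
}

pattern_matches() {
    # $1 = one pattern from a list, $2 = client address; exit 0 on a match
    pat=$1; ip=$2
    case $pat in
        ALL)
            return 0 ;;
        */*)
            net=${pat%/*}; bits=${pat#*/}
            # divisor = 2^(32-bits); equal quotients mean equal network prefixes
            div=1; i=$bits
            while [ "$i" -lt 32 ]; do div=$((div * 2)); i=$((i + 1)); done
            a=$(ip_to_int "$ip"); n=$(ip_to_int "$net")
            [ $((a / div)) -eq $((n / div)) ] ;;
        *.)
            # "192.168.2." matches any address that begins with that text
            case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)
            [ "$pat" = "$ip" ] ;;
    esac
}

list_matches() {
    # $1 = list as written in smb.conf (space or comma separated), $2 = address
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        if pattern_matches "$pat" "$2"; then return 0; fi
    done
    return 1
}

samba_host_access() {
    # $1 = hosts allow, $2 = hosts deny, $3 = client address; prints allow|deny
    # Precedence as documented in smb.conf(5): no lists = everyone allowed;
    # only an allow list = only listed hosts; only a deny list = all but the
    # listed hosts; both = an allow match wins, then a deny match refuses,
    # otherwise the host is allowed.
    if [ -z "$1$2" ]; then echo allow; return 0; fi
    if [ -z "$2" ]; then
        if list_matches "$1" "$3"; then echo allow; else echo deny; fi
        return 0
    fi
    if [ -z "$1" ]; then
        if list_matches "$2" "$3"; then echo deny; else echo allow; fi
        return 0
    fi
    if list_matches "$1" "$3"; then echo allow
    elif list_matches "$2" "$3"; then echo deny
    else echo allow
    fi
}

share_host_access() {
    # $1/$2 = global allow/deny, $3/$4 = the share's own allow/deny (empty =
    # inherit the global value), $5 = address. Assumed here: smbd applies the
    # global lists when the client connects and the share's lists when the
    # share is opened, so a host refused globally never reaches the share.
    if [ "$(samba_host_access "$1" "$2" "$5")" = deny ]; then echo deny; return 0; fi
    samba_host_access "${3:-$1}" "${4:-$2}" "$5"
}

# Worked check with the two fragments from this chapter (constructed input)
GLOBAL_ALLOW='127.0.0.1 192.168.2.0/24 192.168.3.0/24'
GLOBAL_DENY='0.0.0.0/0'
IPC_ALLOW='192.168.115.0/24 127.0.0.1'
IPC_DENY='0.0.0.0/0'
demo() {
    for ip in 127.0.0.1 192.168.2.7 192.168.115.9 10.0.0.5; do
        printf '%-14s global fragment: %-5s  [ipc$] fragment alone: %s\n' "$ip" \
            "$(samba_host_access "$GLOBAL_ALLOW" "$GLOBAL_DENY" "$ip")" \
            "$(share_host_access '' '' "$IPC_ALLOW" "$IPC_DENY" "$ip")"
    done
}
demo
```
<p>
Run it as it stands to see the four sample addresses evaluated against both fragments; to check a different
configuration, call samba_host_access with the two lists from smb.conf and the client address, or share_host_access
when a share sets its own lists. Note what the demo shows for 192.168.115.9: the IPC$ fragment admits it only if no
global deny refuses it first, so the two fragments cannot simply be combined as printed. The real check in smbd also
accepts host names and the EXCEPT keyword, which this model leaves out, so confirm the final configuration with
testparm and with a client on the far side of the boundary.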
5419 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892867"></a>NTLMv2 Security</h3></div></div><div></div></div><p>
5420 To configure NTLMv2 authentication on MS Windows clients and servers, the following registry values are worth knowing about (the Samba-side counterparts are the <tt class="filename">smb.conf</tt> parameters <i class="parameter"><tt>lanman auth</tt></i>, <i class="parameter"><tt>ntlm auth</tt></i> and <i class="parameter"><tt>client ntlmv2 auth</tt></i>; see the smb.conf man page for your release):
5421 </p><p>
5422 </p><pre class="screen">
5423 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
5424 "lmcompatibilitylevel"=dword:00000003
5425 </pre><p>
5426 </p><p>
5427 0x3 - Send NTLMv2 response only. Clients will use NTLMv2 authentication and
5428 use NTLMv2 session security if the server supports it. Domain
5429 controllers still accept LM, NTLM and NTLMv2 authentication. The value ranges from 0 (send LM and NTLM
5430 responses) to 5 (send NTLMv2 only; domain controllers refuse LM and NTLM), so 3 hardens the client without breaking older servers.
5430 </p><p>
5431 </p><pre class="screen">
5432 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
5433 "NtlmMinClientSec"=dword:00080000
5434 </pre><p>
5435 </p><p>
5436 0x80000 - NTLMv2 session security. If either NtlmMinClientSec or
5437 NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2
5438 session security is not negotiated.
5439 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892926"></a>Upgrading Samba</h2></div></div><div></div></div><p>
5440 Please check regularly on <a href="http://www.samba.org/" target="_top">http://www.samba.org/</a> for updates and
5441 important announcements. Occasionally security releases are made and
5442 it is highly recommended to upgrade Samba when a security vulnerability
5443 is discovered. Check with your OS vendor for OS specific upgrades.
5444 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892950"></a>Common Errors</h2></div></div><div></div></div><p>
5445 If Samba and host platform configuration were really as intuitive as one might like then this
5446 section would not be necessary. Security issues are often vexing for a support person to resolve, not
5447 because of the complexity of the problem, but because most administrators who post what turns
5448 out to be a security problem are convinced that the problem is with Samba.
5449 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892968"></a>Smbclient works on localhost, but the network is dead</h3></div></div><div></div></div><p>
5450 This is a very common problem. Red Hat Linux (as do others) will install a default firewall.
5451 With the default firewall in place only traffic on the loopback adapter (IP address 127.0.0.1)
5452 will be allowed through the firewall, so smbclient run on the server itself works while no other host can connect.
5453 </p><p>
5454 The solution is either to remove the firewall (stop it) or, preferably, to modify the firewall rules to
5455 allow SMB traffic (UDP 137 and 138, TCP 139 and 445) through from the local network. See the firewall section above in this chapter.
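</p><p>
As an added example that is neither from the Samba project nor from the original HOWTO, the following script turns
the port list given under "Using a firewall" above, and the "smbclient works on localhost" symptom described here,
into something testable: smb_firewall_gaps reads an iptables-save dump and reports which of UDP/137, UDP/138, TCP/139
and TCP/445 have no ACCEPT rule, and smb_firewall_rules prints rules that admit those ports from the LAN only.
The embedded dump is constructed for the example (modelled on a distribution default that admits only loopback
traffic; it is not a copy of any vendor script), and the interface name and subnet are placeholders.
</p>
```sh
#!/bin/sh
# Added example, not Samba project code: audit an iptables-save dump for the
# four Samba ports and print rules that open them to the LAN only.

SMB_PORTS='udp/137 udp/138 tcp/139 tcp/445'

smb_firewall_gaps() {
    # Reads an iptables-save dump on stdin and prints each SMB port that has
    # no ACCEPT rule naming it (one per line; no output means nothing missing).
    # Deliberately coarse: it does not follow chain jumps or rule order.
    rules=$(cat)
    for spec in $SMB_PORTS; do
        proto=${spec%/*}; port=${spec#*/}
        if ! printf '%s\n' "$rules" | grep -e '^-A ' | grep -e "-p $proto " \
                | grep -E -e "--dports? ([0-9]+,)*$port(,| |\$)" \
                | grep -q -e '-j ACCEPT'; then
            echo "$spec"
        fi
    done
}

smb_firewall_rules() {
    # $1 = LAN interface, $2 = LAN network in CIDR form. Prints iptables
    # commands that accept SMB from the LAN and drop it from anywhere else;
    # the Samba-side measures in this chapter stay in place as the first layer.
    ifc=$1; net=$2
    for spec in $SMB_PORTS; do
        echo "iptables -A INPUT -i $ifc -s $net -p ${spec%/*} --dport ${spec#*/} -j ACCEPT"
    done
    for spec in $SMB_PORTS; do
        echo "iptables -A INPUT -p ${spec%/*} --dport ${spec#*/} -j DROP"
    done
}

# Constructed sample (not a copy of any vendor script) modelled on a
# distribution default that admits only loopback traffic and ssh.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT'

echo 'SMB ports with no ACCEPT rule in the sample dump:'
printf '%s\n' "$SAMPLE_RULES" | smb_firewall_gaps
echo 'Rules that admit them from the LAN on eth0 (192.168.2.0/24), assumed names:'
smb_firewall_rules eth0 192.168.2.0/24
```
<p>
On a live host, source the file and run iptables-save | smb_firewall_gaps; an empty result means every SMB port has
at least one ACCEPT rule. The audit is deliberately coarse: it does not follow jumps into custom chains or respect
rule order, so a REJECT placed before an ACCEPT still reads as open. It catches the missing-rule case behind this
common error; it is not a substitute for reading the ruleset, and the generated rules assume the Samba-side
host and interface restrictions above remain in force.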
5456 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892992"></a>Why can users access home directories of other users?</h3></div></div><div></div></div><p>
5457 &#8220;<span class="quote">
5458 We are unable to keep individual users from mapping to any other user's
5459 home directory once they have supplied a valid password! They only need
5460 to enter their own password. I have not found *any* method that I can
5461 use to configure samba to enforce that only a user may map their own
5462 home directory.
5463 </span>&#8221;
5464 </p><p>&#8220;<span class="quote">
5465 User xyzzy can map his home directory. Once mapped user xyzzy can also map
5466 *anyone* else's home directory!
5467 </span>&#8221;</p><p>
5468 This is not a security flaw, it is by design. Samba allows
5469 users to have *exactly* the same access to the UNIX filesystem
5470 as they would if they were logged onto the UNIX box, except
5471 that it only allows such views onto the file system as are
5472 allowed by the defined shares.
5473 </p><p>
5474 This means that if your UNIX home directories are set up
5475 such that one user can happily cd into another user's
5476 directory and do an ls, the UNIX security solution is to
5477 change the UNIX file permissions on the users' home directories
5478 such that the cd and ls would be denied.
5479 </p><p>
5480 Samba tries very hard not to second guess the UNIX administrators
5481 security policies, and trusts the UNIX admin to set
5482 the policies and permissions he or she desires.
5483 </p><p>
5484 Samba does allow the setup you require. The problem is that setting the
5485 <a class="indexterm" name="id2893052"></a><i class="parameter"><tt>only user</tt></i> = yes option on the share does nothing by itself,
5486 because no user list has been set for the share to check against.
5487 </p><p>
5488 <i class="parameter"><tt>only user</tt></i> works in conjunction with the <i class="parameter"><tt>users</tt></i> list,
5489 so to get the behaviour you require, add the line:
5490 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>users = %S</tt></i></td></tr></table><p>
5491 to the definition of the <i class="parameter"><tt>[homes]</tt></i> share. This is equivalent to:
5492 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>valid users = %S</tt></i></td></tr></table><p>
5493 which is the form recommended in the <tt class="filename">smb.conf</tt> man page: %S expands to the name of the
5494 service being connected to, which under <i class="parameter"><tt>[homes]</tt></i> is the user's own name.
5495 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 16. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:mimir@samba.org">mimir@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2893283">Features and Benefits</a></dt><dt><a href="#id2893311">Trust Relationship Background</a></dt><dt><a href="#id2893400">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="#id2893428">Creating an NT4 Domain Trust</a></dt><dt><a href="#id2893500">Completing 
an NT4 Domain Trust</a></dt><dt><a href="#id2893547">Inter-Domain Trust Facilities</a></dt></dl></dd><dt><a href="#id2893725">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt><a href="#id2893918">Samba as the Trusting Domain</a></dt></dl></dd><dt><a href="#id2894055">NT4-style Domain Trusts with Windows 2000</a></dt><dt><a href="#id2894162">Common Errors</a></dt></dl></div><a class="indexterm" name="id2893263"></a><p>
5496 Samba-3 supports NT4 style domain trust relationships. This is a feature that many sites
5497 will want to use if they migrate to Samba-3 from an NT4 style domain and do NOT want to
5498 adopt Active Directory or an LDAP based authentication back end. This section explains
5499 some background information regarding trust relationships and how to create them. It is now
5500 possible for Samba-3 to trust NT4 (and vice versa), as well as to create Samba3-to-Samba3
5501 trusts.
5502 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2893283"></a>Features and Benefits</h2></div></div><div></div></div><p>
5503 Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4 style
5504 trust relationships. This imparts to Samba similar scalability as is possible with
5505 MS Windows NT4.
5506 </p><p>
5507 Given that Samba-3 has the capability to function with a scalable backend authentication
5508 database such as LDAP, and given its ability to run in Primary as well as Backup Domain Controller
5509 modes, the administrator would be well advised to consider alternatives to the use of
5510 interdomain trusts, simply because, by the very nature of how they work, they are fragile.
5511 That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
5512 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2893311"></a>Trust Relationship Background</h2></div></div><div></div></div><p>
5513 MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure.
5514 The limitations of this architecture as it affects the scalability of MS Windows networking
5515 in large organisations are well known. Additionally, the flat namespace that results from
5516 this design significantly impacts the delegation of administrative responsibilities in
5517 large and diverse organisations.
5518 </p><p>
5519 Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
5520 of circumventing the limitations of the older technologies. Not every organisation is ready
5521 or willing to embrace ADS. For small companies the older NT4 style domain security paradigm
5522 is quite adequate, so there remains an entrenched user base for whom there is no direct
5523 desire to go through a disruptive change to adopt ADS.
5524 </p><p>
5525 Microsoft introduced with MS Windows NT a mechanism that allows differing security domains
5526 to be linked so that users from one domain may be given access rights and privileges
5527 in another domain. The language that describes this capability is couched in terms of
5528 <span class="emphasis"><em>Trusts</em></span>. Specifically, one domain will <span class="emphasis"><em>trust</em></span> the users
5529 from another domain. The domain from which users are made available to another security domain is
5530 said to be the trusted domain. The domain in which those users are assigned rights and privileges
5531 is the trusting domain. With NT3.x/4.0 all trust relationships are one way only,
5532 so if users in both domains are to have privileges and rights in each other's domain, then it is
5533 necessary to establish two (2) relationships, one in each direction.
5534 </p><p>
5535 In an NT4 style MS security domain, all trusts are non-transitive. This means that if there
5536 are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust
5537 relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
5538 implied trust between the RED and BLUE domains, i.e., relationships are explicit and not
5539 transitive.
5540 </p><p>
5542 New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
5543 by default. Also, trusts between domains within the same ADS forest are transitive. In the case of the RED, WHITE and BLUE
5544 domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is
5545 an inherent feature of ADS domains. Samba-3 implements MS Windows NT4
5546 style interdomain trusts and interoperates with MS Windows 200x ADS
5547 security domains in a similar manner to MS Windows NT4 style domains.
5548 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2893400"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div><div></div></div><p>
5549 There are two steps to creating an interdomain trust relationship. To effect a two-way trust
5550 relationship it is necessary for each domain administrator to create a trust account for the
5551 other domain to use in verifying security credentials.
5553 <a class="indexterm" name="id2893417"></a>
5554 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893428"></a>Creating an NT4 Domain Trust</h3></div></div><div></div></div><p>
5555 For MS Windows NT4, all domain trust relationships are configured using the
5556 <span class="application">Domain User Manager</span>. This is done from the Domain User Manager Policies
5557 entry on the menu bar. From the <span class="guimenu">Policy</span> menu, select
5558 <span class="guimenuitem">Trust Relationships</span>. Next to the lower box labelled
5559 <span class="guilabel">Permitted to Trust this Domain</span> are two buttons, <span class="guibutton">Add</span>
5560 and <span class="guibutton">Remove</span>. The <span class="guibutton">Add</span> button will open a panel in which
5561 to enter the name of the remote domain that will be able to assign access rights to users in
5562 your domain. You will also need to enter a password for this trust relationship, which the
5563 trusting domain will use when authenticating users from the trusted domain.
5564 The password needs to be typed twice (for standard confirmation).
5565 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893500"></a>Completing an NT4 Domain Trust</h3></div></div><div></div></div><p>
5566 <a class="indexterm" name="id2893511"></a>
5567 A trust relationship will work only when the other (trusting) domain makes the appropriate connections
5568 with the trusted domain. To consummate the trust relationship the administrator will launch the
5569 Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
5570 <span class="guibutton">Add</span> button that is next to the box that is labelled
5571 <span class="guilabel">Trusted Domains</span>. A panel will open in which must be entered the name of the remote
5572 domain as well as the password assigned to that trust.
5573 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893547"></a>Inter-Domain Trust Facilities</h3></div></div><div></div></div><a class="indexterm" name="id2893555"></a><p>
5574 A two-way trust relationship is created when two one-way trusts are created, one in each direction.
5575 Where a one-way trust has been established between two MS Windows NT4 domains (let's call them
5576 DomA and DomB) the following facilities are created:
5577 </p><div class="figure"><a name="trusts1"></a><p class="title"><b>Figure 16.1. Trusts overview</b></p><div class="mediaobject"><img src="projdoc/imagefiles/trusts1.png" width="270" alt="Trusts overview"></div></div><div class="itemizedlist"><ul type="disc"><li><p>
5578 DomA (completes the trust connection) Trusts DomB
5579 </p></li><li><p>
5580 DomA is the Trusting domain
5581 </p></li><li><p>
5582 DomB is the Trusted domain (originates the trust account)
5583 </p></li><li><p>
5584 Users in DomB can access resources in DomA
5585 </p></li><li><p>
5586 Users in DomA can NOT access resources in DomB
5587 </p></li><li><p>
5588 Global groups from DomB CAN be used in DomA
5589 </p></li><li><p>
5590 Global groups from DomA can NOT be used in DomB
5591 </p></li><li><p>
5592 DomB DOES appear in the logon dialog box on client workstations in DomA
5593 </p></li><li><p>
5594 DomA does NOT appear in the logon dialog box on client workstations in DomB
5595 </p></li></ul></div><div class="itemizedlist"><ul type="disc"><li><p>
5596 Users / Groups in a trusting domain can NOT be granted rights, permissions or access
5597 to a trusted domain.
5598 </p></li><li><p>
5599 The trusting domain CAN access and use accounts (Users / Global Groups) in the
5600 trusted domain.
5601 </p></li><li><p>
5602 Administrators of the trusted domain CAN be granted administrative rights in the
5603 trusting domain.
5604 </p></li><li><p>
5605 Users in a trusted domain CAN be given rights and privileges in the trusting
5606 domain.
5607 </p></li><li><p>
5608 Trusted domain Global Groups CAN be given rights and permissions in the trusting
5609 domain.
5610 </p></li><li><p>
5611 Global Groups from the trusted domain CAN be made members in Local Groups on
5612 MS Windows domain member machines.
5613 </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2893725"></a>Configuring Samba NT-style Domain Trusts</h2></div></div><div></div></div><p>
5614 This description is meant to be a fairly short introduction to how to set up a Samba server so
5615 that it can participate in interdomain trust relationships. Trust relationship support in Samba
5616 is at an early stage, so a lot of things do not work yet.
5617 </p><p>
5618 Each of the procedures described below assumes the peer domain in the trust relationship is
5619 controlled by a Windows NT4 server. However, the remote end could just as well be another
5620 Samba-3 domain. As will be clear after reading this section, combining the
5621 Samba-specific parts of the two procedures below gives a trust between domains in a purely Samba
5622 environment.
5623 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="samba-trusted-domain"></a>Samba as the Trusted Domain</h3></div></div><div></div></div><p>
5624 In order to set the Samba PDC to be the trusted party of the relationship you first need
5625 to create a special account for the domain that will be the trusting party. To do that,
5626 you can use the 'smbpasswd' utility. Creating the trusted domain account is very
5627 similar to creating a trusted machine account. Suppose your domain is
5628 called SAMBA, and the remote domain is called RUMBA. The first step
5629 will be to issue this command from your favourite shell:
5630 </p><p>
5631 </p><pre class="screen">
5632 <tt class="prompt">root# </tt> <b class="userinput"><tt>smbpasswd -a -i rumba</tt></b>
5633 New SMB password: <b class="userinput"><tt>XXXXXXXX</tt></b>
5634 Retype SMB password: <b class="userinput"><tt>XXXXXXXX</tt></b>
5635 Added user rumba$
5636 </pre><p>
5638 where <tt class="option">-a</tt> means to add a new account into the
5639 passdb database and <tt class="option">-i</tt> means "create this
5640 account with the interdomain trust flag".
5641 </p><p>
5642 The account name will be 'rumba$' (the name of the remote domain)
5643 </p><p>
5644 After issuing this command you'll be asked to enter the password for
5645 the account. You can use any password you want, but choose a long random one: it is the shared secret
5646 that authenticates the whole trust, and Windows NT will not change it until 7 days following account creation.
5647 After the command returns successfully, you can look at the entry for the new account
5648 (in the standard way as appropriate for your configuration) and see that the account's name is
5649 really RUMBA$ and it has the 'I' flag set in the flags field. Now you're ready to confirm
5650 the trust by establishing it from the Windows NT Server.
5651 </p><a class="indexterm" name="id2893856"></a><p>
5652 Open <span class="application">User Manager for Domains</span> and from the
5653 <span class="guimenu">Policies</span> menu, select <span class="guimenuitem">Trust Relationships...</span>.
5654 Right beside the <span class="guilabel">Trusted domains</span> list box press the
5655 <span class="guimenu">Add...</span> button. You will be prompted for
5656 the trusted domain name and the relationship password. Type in SAMBA, as this is
5657 the name of the remote domain, and the password used at the time of account creation.
5658 Press OK and, if everything went without incident, you will see
5659 <tt class="computeroutput">Trusted domain relationship successfully
5660 established</tt> message.
5661 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893918"></a>Samba as the Trusting Domain</h3></div></div><div></div></div><p>
5662 This time activities are somewhat reversed. Again, we'll assume that your domain
5663 controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.
5664 </p><p>
5665 The very first step is to add an account for the SAMBA domain on RUMBA's PDC.
5666 </p><a class="indexterm" name="id2893939"></a><p>
5667 Launch the <span class="application">Domain User Manager</span>, then from the menu select
5668 <span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>.
5669 Now, next to the <span class="guilabel">Trusted Domains</span> box press the <span class="guibutton">Add</span>
5670 button, and type in the name of the trusted domain (SAMBA) and the password to use in securing
5671 the relationship.
5672 </p><p>
5673 The password can be arbitrarily chosen. It is easy to change the password
5674 from the Samba server whenever you want. After confirming the password your account is
5675 ready for use. Now it's Samba's turn.
5676 </p><p>
5677 Using your favourite shell while being logged in as root, issue this command:
5678 </p><p>
5679 <tt class="prompt">root# </tt><b class="userinput"><tt>net rpc trustdom establish rumba</tt></b>
5680 </p><p>
5681 You will be prompted for the password you just typed on your Windows NT4 Server box.
5682 Do not worry if you see an error message that mentions a return code of
5683 NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT. It means the
5684 password you gave is correct and the NT4 Server says the account is
5685 ready for interdomain connection and not for ordinary
5686 connection. After that, be patient; it can take a while (especially
5687 in large networks), but eventually you should see the <tt class="computeroutput">Success</tt> message.
5688 Congratulations! Your trust relationship has just been established.
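</p><p>
The following wrapper is an added example, not code from the Samba project or from the original text. It scripts
the Samba side of both procedures above: as the trusted domain it creates the interdomain trust account with
smbpasswd -a -i and then checks, through pdbedit, that the account is named DOMAIN$ and carries the 'I' flag before
the Windows administrator is asked to complete the trust; as the trusting domain it runs net rpc trustdom establish
and lists the result. It assumes the Samba-3 tools are on the PATH, that pdbedit -L -v -u prints an
"Account Flags: [...]" line in the form checked here, and that net rpc trustdom list is available; these, the
function names and the sample output in the comments are this example's assumptions.
</p>
```sh
#!/bin/sh
# Added example, not Samba project code: the Samba-side steps of the two
# trust procedures wrapped in a script that verifies the interdomain trust
# account before the Windows administrator is asked to complete the trust.
# Assumes Samba-3's smbpasswd, pdbedit and net are on the PATH, that
# "pdbedit -L -v -u NAME" prints an "Account Flags: [...]" line, and that
# "net rpc trustdom list" is available to show the result.

trust_flags_ok() {
    # $1 = remote domain name; stdin = verbose pdbedit output for its account.
    # Succeeds only if the account is DOMAIN$ and carries the 'I' flag that
    # "smbpasswd -i" sets (the output format is an assumption of this example).
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -iq -e "^Unix username: *${name}[\$]"; then
        return 1
    fi
    flags=$(printf '%s\n' "$out" | sed -n 's/^Account Flags: *\[\([^]]*\)].*/\1/p')
    case $flags in
        *I*) return 0 ;;
        *)   return 1 ;;
    esac
}

samba_as_trusted() {
    # Samba PDC is the trusted domain: create the account the trusting
    # domain ($1) will use, then confirm it before handing over to NT.
    dom=$1
    echo "Creating interdomain trust account ${dom}\$ (choose a long random password;"
    echo "it is the shared secret for the whole trust until NT rotates it)"
    smbpasswd -a -i "$dom"
    if pdbedit -L -v -u "${dom}\$" | trust_flags_ok "$dom"; then
        echo "OK: ${dom}\$ has the I flag; now add this domain under Trusted Domains on ${dom}'s PDC"
    else
        echo "ERROR: ${dom}\$ is missing or lacks the I flag"
        return 1
    fi
}

samba_as_trusting() {
    # Samba PDC is the trusting domain: the remote NT PDC already holds the
    # trust account; establish the trust and list the result.
    dom=$1
    if net rpc trustdom establish "$dom"; then
        net rpc trustdom list
    else
        echo "ERROR: could not establish trust with $dom"
        return 1
    fi
}

case ${1:-} in
    trusted)  samba_as_trusted "$2" ;;
    trusting) samba_as_trusting "$2" ;;
    *)        echo "usage: $0 trusted|trusting REMOTE_DOMAIN" ;;
esac
```
<p>
Saved as, say, trust.sh and run as root (secrets.tdb and the passdb must be writable), ./trust.sh trusted RUMBA is
used on the Samba PDC that will be the trusted domain, and ./trust.sh trusting RUMBA after the account for SAMBA has
been created on RUMBA's PDC. Because the password typed at the smbpasswd prompt is the trust's shared secret, treat
it like a domain controller credential and do not reuse it anywhere else.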
5689 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
5690 Note that you have to run this command as root because you must have write access to
5691 the <tt class="filename">secrets.tdb</tt> file.
5692 </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2894055"></a>NT4-style Domain Trusts with Windows 2000</h2></div></div><div></div></div><p>
5693 Although <span class="application">Domain User Manager</span> is not present in Windows 2000, it is
5694 also possible to establish an NT4-style trust relationship with a Windows 2000 domain
5695 controller running in mixed mode as the trusting server. It should also be possible for
5696 Samba to trust a Windows 2000 server, however, more testing is still needed in this area.
5697 </p><p>
5698 After <a href="#samba-trusted-domain" title="Samba as the Trusted Domain">creating the interdomain trust account on the
5699 Samba server</a> as described above, open <span class="application">Active Directory Domains and
5700 Trusts</span> on the AD controller of the domain whose resources you wish Samba users
5701 to have access to. Remember that since NT4-style trusts are not transitive, if you want
5702 your users to have access to multiple mixed-mode domains in your AD forest, you will need to
5703 repeat this process for each of those domains. With <span class="application">Active Directory Domains
5704 and Trusts</span> open, right-click on the name of the Active Directory domain that
5705 will trust our Samba domain and choose <span class="guimenuitem">Properties</span>, then click on
5706 the <span class="guilabel">Trusts</span> tab. In the upper part of the panel, you will see a list box
5707 labelled <span class="guilabel">Domains trusted by this domain:</span>, and an
5708 <span class="guilabel">Add...</span> button next to it. Press this button, and just as with NT4, you
5709 will be prompted for the trusted domain name and the relationship password. Press OK, and
5710 after a moment, Active Directory will respond with <tt class="computeroutput">The trusted domain has
5711 been added and the trust has been verified.</tt> Your Samba users can now be
5712 granted access to resources in the AD domain.
5713 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2894162"></a>Common Errors</h2></div></div><div></div></div><p>
5714 Interdomain trust relationships should NOT be attempted on networks that are unstable
5715 or that suffer regular outages. Network stability and integrity are key concerns with
5716 distributed trusted domains.
5717 </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="msdfs"></a>Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Shirish</span> <span class="surname">Kalele</span></h3><div class="affiliation"><span class="orgname">Samba Team &amp; Veritas Software<br></span><div class="address"><p><br>
5718 <tt class="email">&lt;<a href="mailto:samba@samba.org">samba@samba.org</a>&gt;</tt><br>
5719 </p></div></div></div></div><div><p class="pubdate">12 Jul 2000</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2894231">Features and Benefits</a></dt><dt><a href="#id2894506">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2894231"></a>Features and Benefits</h2></div></div><div></div></div><p>
5720 The Distributed File System (or DFS) provides a means of separating the logical
5721 view of files and directories that users see from the actual physical locations
5722 of these resources on the network. It allows for higher availability, smoother
5723 storage expansion, load balancing etc.
5724 </p><p>
5725 For information about DFS, refer to the
5726 <a href="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" target="_top">Microsoft documentation</a>.
5727 </p><p>
5728 This document explains how to host a DFS tree on a UNIX machine (for DFS-aware
5729 clients to browse) using Samba.
5730 </p><p>
5731 To enable SMB-based DFS for Samba, configure it with the <tt class="option">--with-msdfs</tt>
5732 option. Once built, a Samba server can be made a DFS server by setting the global
5733 boolean <a class="indexterm" name="id2894278"></a><i class="parameter"><tt>host msdfs</tt></i>
5734 parameter in the <tt class="filename">smb.conf</tt> file. You designate a share as a DFS
5735 root using the share level boolean <a class="indexterm" name="id2894300"></a><i class="parameter"><tt>msdfs root</tt></i> parameter. A DFS root directory on Samba hosts DFS
5736 links in the form of symbolic links that point to other servers. For example, a symbolic link
5737 <tt class="filename">junction-&gt;msdfs:storage1\share1</tt> in the share directory acts
5738 as the DFS junction. When DFS-aware clients attempt to access the junction link,
5739 they are redirected to the storage location (in this case, \\storage1\share1).
5740 </p><p>
5741 DFS trees on Samba work with all DFS-aware clients ranging from Windows 95 to 200x.
5742 </p><p>
5743 Here's an example of setting up a DFS tree on a Samba server.
5744 </p><div class="example"><a name="id2894342"></a><p class="title"><b>Example 17.1. smb.conf with DFS configured</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = GANDALF</tt></i></td></tr><tr><td><i class="parameter"><tt>host msdfs = yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[dfs]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /export/dfsroot</tt></i></td></tr><tr><td><i class="parameter"><tt>msdfs root = yes</tt></i></td></tr></table></div><p>In the /export/dfsroot directory we set up our DFS links to
5745 other servers on the network.</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>cd /export/dfsroot</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>chown root /export/dfsroot</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>chmod 755 /export/dfsroot</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s msdfs:storageA\\shareA linka</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s msdfs:serverB\\share,serverC\\share linkb</tt></b>
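What follows is an added example, not part of the Samba HOWTO or of the Samba project: a POSIX shell audit of a DFS root directory that checks the conditions this chapter states (the directory owned by a designated user and neither group- nor world-writable, every symlink name lowercase, every symlink target an msdfs: junction of the form server\share, optionally comma-separated). The function names are the author's own, and it assumes a Linux or BSD userland with readlink(1).

```shell
#!/bin/sh
# Added example; not from the Samba HOWTO or the Samba project. Audits a DFS
# root directory against the rules the chapter states. Function names are the
# author's own.
LC_ALL=C; export LC_ALL    # keep [A-Z] meaning ASCII uppercase only

# dfs_root_problems DIR [OWNER]: print one line per rule violation
# (OWNER defaults to root, as in the chown above)
dfs_root_problems() {
    dir=$1
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        printf '%s: not a directory\n' "$dir"
        return 0
    fi

    # ls -ld is POSIX; stat(1) options differ between GNU and BSD
    perms=$(ls -ld "$dir" | cut -c1-10)
    actual_owner=$(ls -ld "$dir" | awk '{print $3}')
    [ "$actual_owner" = "$owner" ] ||
        printf '%s: owned by %s, expected %s\n' "$dir" "$actual_owner" "$owner"
    case $perms in
        ?????w*)    printf '%s: group-writable (%s)\n' "$dir" "$perms" ;;
    esac
    case $perms in
        ????????w?) printf '%s: world-writable (%s)\n' "$dir" "$perms" ;;
    esac

    for link in "$dir"/*; do
        [ -L "$link" ] || continue            # only symlinks are DFS links
        name=${link##*/}
        case $name in
            *[A-Z]*) printf '%s: link name must be all lowercase\n' "$name" ;;
        esac
        target=$(readlink "$link")
        case $target in
            msdfs:*) ;;
            *) printf '%s: target "%s" is not an msdfs: junction\n' "$name" "$target"
               continue ;;
        esac
        # split the comma-separated alternatives without globbing them
        old_ifs=$IFS; IFS=,; set -f
        set -- ${target#msdfs:}
        set +f; IFS=$old_ifs
        [ $# -gt 0 ] || printf '%s: nothing follows msdfs:\n' "$name"
        for entry in "$@"; do
            case $entry in
                *\\*\\*) printf '%s: "%s" has more than one backslash\n' "$name" "$entry" ;;
                ?*\\?*)  ;;                    # exactly server\share
                *)       printf '%s: "%s" is not of the form server\\share\n' "$name" "$entry" ;;
            esac
        done
    done
}

# check_dfs_root DIR [OWNER]: exit status 0 only when no problem was found
check_dfs_root() {
    [ -z "$(dfs_root_problems "$@")" ]
}

# Stand-alone use: sh dfs_audit.sh /export/dfsroot [owner]
if [ $# -ge 1 ]; then
    dfs_root_problems "$@"
    check_dfs_root "$@" && echo "$1: ok"
fi
```

Run it as root after creating the links; a non-empty report means a client could be redirected somewhere you did not intend, or that someone other than the designated owner can rewrite the junctions.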
</pre><p>You should set up the permissions and ownership of
the directory acting as the DFS root such that only designated
users can create, delete or modify the msdfs links. Also note
that symlink names should be all lowercase. This limitation exists
so that Samba need not try all case combinations to find
the link name. Finally, set up the symbolic links to point to the
network shares you want, and start Samba.</p><p>Users on DFS-aware clients can now browse the DFS tree
5758 on the Samba server at \\samba\dfs. Accessing
5759 links linka or linkb (which appear as directories to the client)
5760 takes users directly to the appropriate shares on the network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2894506"></a>Common Errors</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Windows clients need to be rebooted
5761 if a previously mounted non-dfs share is made a DFS
5762 root or vice versa. A better way is to introduce a
5763 new share and make it the DFS root.</p></li><li><p>Currently there's a restriction that msdfs
5764 symlink names should all be lowercase.</p></li><li><p>For security purposes, the directory
5765 acting as the root of the DFS tree should have ownership
5766 and permissions set so that only designated users can
5767 modify the symbolic links in the directory.</p></li></ul></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="printing"></a>Chapter 18. Classical Printing Support</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname"> Danka Deutschland GmbH <br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2894626">Features and Benefits</a></dt><dt><a href="#id2894693">Technical Introduction</a></dt><dd><dl><dt><a href="#id2894730">What happens if you send a Job from a Client</a></dt><dt><a href="#id2894801">Printing Related Configuration Parameters</a></dt><dt><a href="#id2894888">Parameters Recommended for Use</a></dt></dl></dd><dt><a href="#id2895354">A simple Configuration to Print</a></dt><dd><dl><dt><a href="#id2895518">Verification of "Settings in Use" with testparm</a></dt><dt><a href="#id2895606">A little Experiment to warn you</a></dt></dl></dd><dt><a href="#id2895939">Extended Sample Configuration to Print</a></dt><dt><a href="#id2896270">Detailed Explanation of the Example's Settings</a></dt><dd><dl><dt><a href="#id2896282">The [global] Section</a></dt><dt><a href="#id2896767">The [printers] Section</a></dt><dt><a href="#id2897210">Any [my_printer_name] Section</a></dt><dt><a href="#id2897534">Print 
Commands</a></dt><dt><a href="#id2897592">Default Print Commands for various UNIX Print Subsystems</a></dt><dt><a href="#id2898261">Setting up your own Print Commands</a></dt></dl></dd><dt><a href="#id2898591">Innovations in Samba Printing since 2.2</a></dt><dd><dl><dt><a href="#id2898740">Client Drivers on Samba Server for Point'n'Print</a></dt><dt><a href="#id2898892">The [printer$] Section is removed from Samba 3</a></dt><dt><a href="#id2899004">Creating the [print$] Share</a></dt><dt><a href="#id2899189">Parameters in the [print$] Section</a></dt><dt><a href="#id2899475">Subdirectory Structure in [print$]</a></dt></dl></dd><dt><a href="#id2899643">Installing Drivers into [print$]</a></dt><dd><dl><dt><a href="#id2899736">Setting Drivers for existing Printers with a Client GUI</a></dt><dt><a href="#id2899935">Setting Drivers for existing Printers with
5768 rpcclient</a></dt></dl></dd><dt><a href="#id2901625">Client Driver Install Procedure</a></dt><dd><dl><dt><a href="#id2901643">The first Client Driver Installation</a></dt><dt><a href="#id2901839">IMPORTANT! Setting Device Modes on new Printers</a></dt><dt><a href="#id2902136">Further Client Driver Install Procedures</a></dt><dt><a href="#id2902231">Always make first Client Connection as root or "printer admin"</a></dt></dl></dd><dt><a href="#id2902399">Other Gotchas</a></dt><dd><dl><dt><a href="#id2902431">Setting Default Print Options for the Client Drivers</a></dt><dt><a href="#id2902874">Supporting large Numbers of Printers</a></dt><dt><a href="#id2903177">Adding new Printers with the Windows NT APW</a></dt><dt><a href="#id2903470">Weird Error Message Cannot connect under a
5769 different Name</a></dt><dt><a href="#id2903569">Be careful when assembling Driver Files</a></dt><dt><a href="#id2903854">Samba and Printer Ports</a></dt><dt><a href="#id2903932">Avoiding the most common Misconfigurations of the Client Driver</a></dt></dl></dd><dt><a href="#id2903954">The Imprints Toolset</a></dt><dd><dl><dt><a href="#id2903998">What is Imprints?</a></dt><dt><a href="#id2904040">Creating Printer Driver Packages</a></dt><dt><a href="#id2904059">The Imprints Server</a></dt><dt><a href="#id2904083">The Installation Client</a></dt></dl></dd><dt><a href="#id2904236">Add Network Printers at Logon without User Interaction</a></dt><dt><a href="#id2904556">The addprinter command</a></dt><dt><a href="#id2904602">Migration of "Classical" printing to Samba</a></dt><dt><a href="#id2904779">Publishing Printer Information in Active Directory or LDAP</a></dt><dt><a href="#id2904793">Common Errors</a></dt><dd><dl><dt><a href="#id2904800">I give my root password but I don't get access</a></dt><dt><a href="#id2904834">My printjobs get spooled into the spooling directory, but then get lost</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2894626"></a>Features and Benefits</h2></div></div><div></div></div><p>
5770 Printing is often a mission-critical service for the users. Samba can
5771 provide this service reliably and seamlessly for a client network
5772 consisting of Windows workstations.
5773 </p><p>
5774 A Samba print service may be run on a Standalone or a Domain
5775 member server, side by side with file serving functions, or on a
5776 dedicated print server. It can be made as tight or as loosely secured
5777 as needs dictate. Configurations may be simple or complex. Available
5778 authentication schemes are essentially the same as described for file
5779 services in previous chapters. Overall, Samba's printing support is
5780 now able to replace an NT or Windows 2000 print server full-square,
5781 with additional benefits in many cases. Clients may download and
5782 install drivers and printers through their familiar "Point'n'Print"
5783 mechanism. Printer installations executed by "Logon Scripts" are no
5784 problem. Administrators can upload and manage drivers to be used by
5785 clients through the familiar "Add Printer Wizard". As an additional
5786 benefit, driver and printer management may be run from the command line
5787 or through scripts, making it more efficient in case of large numbers
5788 of printers. If a central accounting of print jobs (tracking every
5789 single page and supplying the raw data for all sorts of statistical
5790 reports) is required, this is best supported by CUPS as the print
5791 subsystem underneath the Samba hood.
5792 </p><p>
This chapter deals with the foundations of Samba printing as they are
implemented by the more traditional UNIX (BSD- and System V-style)
printing systems. Many things apply to CUPS, the newer Common UNIX
Printing System, too; so if you use CUPS, you might be tempted to jump
to the next chapter -- but you will certainly miss a few things if you
do so. Better to read this chapter too.
5799 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
5800 Most of the given examples have been verified on Windows XP
5801 Professional clients. Where this document describes the responses to
5802 commands given, bear in mind that Windows 2000 clients are very
5803 similar, but may differ in details. Windows NT is somewhat different
5804 again.
5805 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2894693"></a>Technical Introduction</h2></div></div><div></div></div><p>
5806 Samba's printing support always relies on the installed print
5807 subsystem of the UNIX OS it runs on. Samba is a "middleman". It takes
5808 printfiles from Windows (or other SMB) clients and passes them to the
5809 real printing system for further processing. Therefore it needs to
5810 "talk" to two sides: to the Windows print clients and to the UNIX
5811 printing system. Hence we must differentiate between the various
5812 client OS types each of which behave differently, as well as the
5813 various UNIX print subsystems, which themselves have different
5814 features and are accessed differently. This part of the Samba HOWTO
5815 Collection deals with the "traditional" way of UNIX printing first;
5816 the next chapter covers in great detail the more modern
5817 <span class="emphasis"><em>Common UNIX Printing System</em></span>
5818 (CUPS).
5820 </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>CUPS users, be warned: don't just jump on to the next
5821 chapter. You might miss important information contained only
5822 here!</p></div><p>
5823 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894730"></a>What happens if you send a Job from a Client</h3></div></div><div></div></div><p>
5824 To successfully print a job from a Windows client via a Samba
5825 print server to a UNIX printer, there are 6 (potentially 7)
5826 stages:
5827 </p><div class="orderedlist"><ol type="1"><li><p>Windows opens a connection to the printer share</p></li><li><p>Samba must authenticate the user</p></li><li><p>Windows sends a copy of the printfile over the network
5828 into Samba's spooling area</p></li><li><p>Windows closes the connection again</p></li><li><p>Samba invokes the print command to hand the file over
5829 to the UNIX print subsystem's spooling area</p></li><li><p>The UNIX print subsystem processes the print
5830 job</p></li><li><p>The printfile may need to be explicitly deleted
5831 from the Samba spooling area.</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894801"></a>Printing Related Configuration Parameters</h3></div></div><div></div></div><p>
There are a number of configuration parameters in <tt class="filename">smb.conf</tt>
controlling Samba's printing behaviour. Please also refer to the
<tt class="filename">smb.conf</tt> man page for an overview of these. As with other
parameters, there are Global Level (tagged with a "<span class="emphasis"><em>G</em></span>" in the listings) and
Service Level ("<span class="emphasis"><em>S</em></span>") parameters.
5838 </p><div class="variablelist"><dl><dt><span class="term">Service Level Parameters</span></dt><dd><p>These <span class="emphasis"><em>may</em></span> go into the
5839 <i class="parameter"><tt>[global]</tt></i> section of <tt class="filename">smb.conf</tt>.
5840 In this case they define the default
5841 behaviour of all individual or service level shares (provided those
5842 don't have a different setting defined for the same parameter, thus
5843 overriding the global default).</p></dd><dt><span class="term">Global Parameters</span></dt><dd><p>These <span class="emphasis"><em>may not</em></span> go into individual
shares. If one is placed there by mistake, the <b class="command">testparm</b> utility can discover
5845 this (if you run it) and tell you so.</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894888"></a>Parameters Recommended for Use</h3></div></div><div></div></div><p>The following <tt class="filename">smb.conf</tt> parameters directly
5846 related to printing are used in Samba. See also the
5847 <tt class="filename">smb.conf</tt> man page for detailed explanations:
5848 </p><p>Global level parameters: <a class="indexterm" name="id2894917"></a><i class="parameter"><tt>addprinter command</tt></i>,
5849 <a class="indexterm" name="id2894932"></a><i class="parameter"><tt>deleteprinter command</tt></i>,
5850 <a class="indexterm" name="id2894946"></a><i class="parameter"><tt>disable spoolss</tt></i>,
5851 <a class="indexterm" name="id2894960"></a><i class="parameter"><tt>enumports command</tt></i>,
5852 <a class="indexterm" name="id2894974"></a><i class="parameter"><tt>load printers</tt></i>,
5853 <a class="indexterm" name="id2894988"></a><i class="parameter"><tt>lpq cache time</tt></i>,
5854 <a class="indexterm" name="id2895002"></a><i class="parameter"><tt>os2 driver map</tt></i>,
5855 <a class="indexterm" name="id2895016"></a><i class="parameter"><tt>printcap name</tt></i>, <a class="indexterm" name="id2895030"></a><i class="parameter"><tt>printcap</tt></i>,
5856 <a class="indexterm" name="id2895044"></a><i class="parameter"><tt>show add printer wizard</tt></i>,
5857 <a class="indexterm" name="id2895058"></a><i class="parameter"><tt>total print jobs</tt></i>,
5858 <a class="indexterm" name="id2895072"></a><i class="parameter"><tt>use client driver</tt></i>.
5859 </p><p>Service level parameters: <a class="indexterm" name="id2895090"></a><i class="parameter"><tt>hosts allow</tt></i>,
5860 <a class="indexterm" name="id2895104"></a><i class="parameter"><tt>hosts deny</tt></i>,
5861 <a class="indexterm" name="id2895118"></a><i class="parameter"><tt>lppause command</tt></i>,
5862 <a class="indexterm" name="id2895132"></a><i class="parameter"><tt>lpq command</tt></i>,
5863 <a class="indexterm" name="id2895146"></a><i class="parameter"><tt>lpresume command</tt></i>,
5864 <a class="indexterm" name="id2895160"></a><i class="parameter"><tt>lprm command</tt></i>,
5865 <a class="indexterm" name="id2895174"></a><i class="parameter"><tt>max print jobs</tt></i>,
5866 <a class="indexterm" name="id2895188"></a><i class="parameter"><tt>min print space</tt></i>,
5867 <a class="indexterm" name="id2895202"></a><i class="parameter"><tt>print command</tt></i>,
5868 <a class="indexterm" name="id2895216"></a><i class="parameter"><tt>printable</tt></i>, <a class="indexterm" name="id2895229"></a><i class="parameter"><tt>print ok </tt></i>,
5869 <a class="indexterm" name="id2895242"></a><i class="parameter"><tt>printer name</tt></i>, <a class="indexterm" name="id2895258"></a><i class="parameter"><tt>printer</tt></i>,
5870 <a class="indexterm" name="id2895271"></a><i class="parameter"><tt>printer admin</tt></i>,
5871 <a class="indexterm" name="id2895285"></a><i class="parameter"><tt>printing</tt></i> = [cups|bsd|lprng...],
5872 <a class="indexterm" name="id2895299"></a><i class="parameter"><tt>queuepause command</tt></i>,
5873 <a class="indexterm" name="id2895313"></a><i class="parameter"><tt>queueresume command</tt></i>,
5874 <a class="indexterm" name="id2895327"></a><i class="parameter"><tt>total print jobs</tt></i>.
5875 </p><p>
Samba's printing support implements the Microsoft Remote Procedure
Call (MS-RPC) methods for printing. These are used by Windows NT (and
later) print servers. The old "LanMan" protocol is still supported as
a fallback, and for older clients to use. More details follow
further below.
5881 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2895354"></a>A simple Configuration to Print</h2></div></div><div></div></div><p>
Here is a very simple example configuration for print related settings
in the <tt class="filename">smb.conf</tt> file. If you compare it with your own
system's <tt class="filename">smb.conf</tt>, you will probably find some
additional parameters included there (as pre-configured by your OS
vendor). Further below is a discussion and explanation of the
parameters. Note that this example doesn't use many parameters.
However, in many environments these are enough to provide a valid
<tt class="filename">smb.conf</tt> file which enables all clients to print.
5889 </p><div class="example"><a name="id2895382"></a><p class="title"><b>Example 18.1. Simple configuration with BSD printing</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = bsd</tt></i></td></tr><tr><td><i class="parameter"><tt>load printers = yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>public = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writable = no</tt></i></td></tr></table></div><p>
This is only an example configuration. Samba assigns default values to all
configuration parameters. On the whole the defaults are conservative and
sensible. When a parameter is specified in the <tt class="filename">smb.conf</tt> file this overrides
the default value. The <b class="command">testparm</b> utility, when run as root,
is capable of reporting all settings, both defaults as well as <tt class="filename">smb.conf</tt> file
settings. <b class="command">testparm</b> gives warnings for all mis-configured
settings. The complete output is easily 340 lines and more, so you may want
to pipe it through a pager program.
5898 </p><p>
The syntax for the configuration file is easy to grasp. You should
know that <tt class="filename">smb.conf</tt> is not very picky about its
syntax. It has been explained elsewhere in this document. A short
reminder: it even tolerates some spelling errors (like "browsable"
instead of "browseable"). Most spelling is case-insensitive. Also, you
can use "Yes|No" or "True|False" for boolean settings. Lists of names
may be separated by commas, spaces or tabs.
5906 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2895518"></a>Verification of "Settings in Use" with <b class="command">testparm</b></h3></div></div><div></div></div><p>
To see all (or at least most) printing related settings in Samba,
including the implicitly used ones, try the command outlined below
(hit "ENTER" twice!). It greps for all occurrences of "lp", "print",
"spool", "driver", "ports" and "[" in testparm's output and gives you
a nice overview of the running smbd's print configuration. (Note
that this command does not show individually created printer shares,
or the spooling paths in each case.) Here is the output of my Samba
setup, with exactly the same settings in <tt class="filename">smb.conf</tt>
as shown above:
5916 </p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>testparm -v | egrep "(lp|print|spool|driver|ports|\[)"</tt></b>
Load smb config files from /etc/samba/smb.conf.simpleprinting
Processing section "[homes]"
Processing section "[printers]"

[global]
smb ports = 445 139
lpq cache time = 10
total print jobs = 0
load printers = Yes
printcap name = /etc/printcap
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
printer admin =
min print space = 0
max print jobs = 1000
printable = No
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
lppause command =
lpresume command =
printer name =
use client driver = No

[homes]

[printers]
path = /var/spool/samba
printable = Yes
5953 </pre><p>
5954 You can easily verify which settings were implicitly added by Samba's
5955 default behaviour. <span class="emphasis"><em>Don't forget about this point: it may
5956 be important in your future dealings with Samba.</em></span>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>testparm in Samba 3 behaves differently from 2.2.x: used
without the "-v" switch it only shows you the settings actually
written into <tt class="filename">smb.conf</tt>! To see the complete
5960 configuration used, add the "-v" parameter to testparm.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2895606"></a>A little Experiment to warn you</h3></div></div><div></div></div><p>
Should you need to troubleshoot at any stage, please always come back
to this point first and verify that "testparm" shows the parameters you
expect! To give you an example from personal experience as a warning,
try to just "comment out" the <a class="indexterm" name="id2895621"></a><i class="parameter"><tt>load printers</tt></i>
parameter. If your 2.2.x system behaves like mine, you'll see this:
5966 </p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>grep "load printers" /etc/samba/smb.conf</tt></b>
# load printers = Yes
# This setting is commented ooouuuuut!!

<tt class="prompt">root# </tt><b class="userinput"><tt>testparm -v /etc/samba/smb.conf | egrep "(load printers)"</tt></b>
load printers = Yes
5974 </pre><p>
Despite my expectation that commenting out this setting should
prevent Samba from publishing my printers, it still did! Oh Boy -- it
cost me quite some time to find out the reason. But I am not fooled
any more... at least not by this ;-)
5979 </p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>grep -A1 "load printers" /etc/samba/smb.conf</tt></b>
load printers = No
# This setting is what I mean!!
# load printers = Yes
# This setting is commented ooouuuuut!!

<tt class="prompt">root# </tt><b class="userinput"><tt>testparm -v smb.conf.simpleprinting | egrep "(load printers)"</tt></b>
load printers = No
5989 </pre><p>
5990 Only when setting the parameter explicitly to
5991 "<a class="indexterm" name="id2895714"></a><i class="parameter"><tt>load printers</tt></i> = No"
5992 would Samba recognize my intentions. So my strong advice is:
5993 </p><div class="itemizedlist"><ul type="disc"><li><p>Never rely on "commented out" parameters!</p></li><li><p>Always set it up explicitly as you intend it to
5994 behave.</p></li><li><p>Use <b class="command">testparm</b> to uncover hidden
5995 settings which might not reflect your intentions.</p></li></ul></div><p>
You can have a working Samba print configuration with this
minimal <tt class="filename">smb.conf</tt>:
5998 </p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>cat /etc/samba/smb.conf-minimal</tt></b>
[printers]
6002 </pre><p>
This example should show you that you can use testparm to test any
filename for fitness as a Samba configuration. Actually, we want to
encourage you <span class="emphasis"><em>not</em></span> to change your
<tt class="filename">smb.conf</tt> on a working system (unless you know
exactly what you are doing)! Don't rely on an assumption that changes
will only take effect after you re-start smbd! This is not the
case. Samba re-reads its <tt class="filename">smb.conf</tt> every 60
seconds and on each new client connection. You might have to face
changes for your production clients that you didn't intend to apply at
this time! You will now note a few more interesting things. Let's now
ask <b class="command">testparm</b> what the Samba print configuration
would be, if you used this minimalistic file as your real <tt class="filename">smb.conf</tt>:
6016 </p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>testparm -v smb.conf-minimal | egrep "(print|lpq|spool|driver|ports|\[)"</tt></b>
Processing section "[printers]"
WARNING: [printers] service MUST be printable!
No path in service printers - using /tmp

lpq cache time = 10
total print jobs = 0
load printers = Yes
printcap name = /etc/printcap
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
printer admin =
min print space = 0
max print jobs = 1000
printable = No
printing = bsd
print command = lpr -r -P%p %s
lpq command = lpq -P%p
printer name =
use client driver = No
[printers]
printable = Yes
6044 </pre><p>
6045 testparm issued 2 warnings:
6046 </p><div class="itemizedlist"><ul type="disc"><li><p>because we didn't specify the
6047 <i class="parameter"><tt>[printers]</tt></i> section as printable,
6048 and</p></li><li><p>because we didn't tell it which spool directory to
6049 use.</p></li></ul></div><p>
However, this was not fatal, and Samba will default to values that
will work here. Please, don't rely on this and don't use this
example! This was only meant to make you careful to design and specify
your setup to be what you really want it to be. The outcome on your
system may vary for some parameters, since you may have a Samba built
with a different compile-time configuration.
<span class="emphasis"><em>Warning:</em></span> don't put a comment sign <span class="emphasis"><em>at
the end</em></span> of a valid line. It
will cause the parameter to be ignored (just as if you had put the
comment sign at the front). At first I regarded this as a bug in my
Samba version(s). But the man page states: &#8220;<span class="quote">Internal whitespace
in a parameter value is retained verbatim.</span>&#8221; This means that a
line consisting of, for example,
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>printing = lprng  # This defines LPRng as the printing system</tt></i></td></tr></table><p>
will regard the whole of the string after the "="
sign as the value you want to define. And this is an invalid value
that will be ignored, and a default value used instead.
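The two pitfalls of this section and of the testparm experiment above (a commented-out parameter that silently keeps its compiled-in default, and a trailing comment sign that becomes part of the value) can be caught before the file is ever loaded. The following is an added example, not part of the Samba HOWTO or of the Samba project: a small static check in POSIX shell and awk. It is meant to run before, never instead of, <b class="command">testparm -v</b>, which remains the only authoritative view of what smbd really uses. The function names and the sample configuration it ships with are the author's own constructions.

```shell
#!/bin/sh
# Added example; not from the Samba HOWTO or the Samba project. A static check
# of an smb.conf for two pitfalls the HOWTO describes. Function names are the
# author's own.
#
#   inert:      a commented-out parameter ("# load printers = Yes") sets
#               nothing, so the compiled-in default applies
#   suspicious: a comment sign after a value ("printing = lprng  # LPRng")
#               is kept as part of the value ("internal whitespace in a
#               parameter value is retained verbatim"), so the parameter is
#               effectively ignored and its default used instead
LC_ALL=C; export LC_ALL

# smbconf_lint [FILE]: print one finding per line as "LINE: KIND: detail"
# (reads standard input when FILE is omitted)
smbconf_lint() {
    awk '
        BEGIN { section = "[global]" }       # lines before any header are global
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
        }
        line == "" { next }
        line ~ /^\[.*\]$/ { section = line; next }
        # a comment that still looks like "name = value"
        line ~ /^[#;][ \t]*[A-Za-z][A-Za-z0-9 ]*[ \t]*=/ {
            printf "%d: inert: commented-out parameter in %s: %s\n", NR, section, line
            next
        }
        line ~ /^[#;]/ { next }              # an ordinary comment
        line ~ /=.*[#;]/ {
            printf "%d: suspicious: comment sign inside value in %s: %s\n", NR, section, line
            next
        }
    ' ${1:+"$1"}
}

# smbconf_lint_count FILE: number of findings, for use in scripts
smbconf_lint_count() {
    smbconf_lint "$1" | wc -l | tr -d ' '
}

# Constructed sample (not a real system's file) that shows both pitfalls:
# "load printers" is commented out, so it stays at its default of Yes,
# and the comment after "lprng" becomes part of the value.
smbconf_sample() {
    cat <<'EOF'
[global]
   # load printers = Yes
   printing = lprng   # This defines LPRng as the printing system
   printcap name = /etc/printcap

[printers]
   path = /var/spool/samba
   printable = yes
EOF
}

# Stand-alone use: sh smbconf_lint.sh /etc/samba/smb.conf
# (with no argument the constructed sample is checked instead)
if [ $# -ge 1 ]; then
    smbconf_lint "$1"
else
    smbconf_sample | smbconf_lint
fi
```

The "inert" class is a heuristic (any comment that still looks like "name = value"), so read its findings as prompts to set the parameter explicitly, which is exactly the advice given above.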
6067 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2895939"></a>Extended Sample Configuration to Print</h2></div></div><div></div></div><p>
In <a href="#extbsdpr" title="Example 18.2. Extended configuration with BSD printing">the extended BSD configuration example</a> we show a more verbose example configuration for print related
settings in a BSD-style printing environment. Below is a discussion
and explanation of the various parameters. We chose to use BSD-style
printing here, because we guess it is still the most commonly used
system on legacy Linux installations (new installs now predominantly
have CUPS, which is discussed entirely in the next chapter of this
document). Note that this example explicitly names many parameters
which don't need to be specified because they are set by default. You
6076 might be able to do with a leaner <tt class="filename">smb.conf</tt> file.</p><div class="example"><a name="extbsdpr"></a><p class="title"><b>Example 18.2. Extended configuration with BSD printing</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = bsd</tt></i></td></tr><tr><td><i class="parameter"><tt>load printers = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>show add printer wizard = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap name = /etc/printcap</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = @ntadmin, root</tt></i></td></tr><tr><td><i class="parameter"><tt>total print jobs = 100</tt></i></td></tr><tr><td><i class="parameter"><tt>lpq cache time = 20</tt></i></td></tr><tr><td><i class="parameter"><tt>use client driver = no</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = All Printers</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>public = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writable = no </tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[my_printer_name]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Printer with Restricted Access</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba_my_printer</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = kurt</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = yes</tt></i></td></tr><tr><td><i 
class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writeable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts allow = 0.0.0.0</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts deny = turbo_xp, 10.160.50.23, 10.160.51.60</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = no</tt></i></td></tr></table></div><p>
This <span class="emphasis"><em>also</em></span> is only an example configuration. You
may not find all of these settings in your own
<tt class="filename">smb.conf</tt> (as pre-configured by your OS
vendor). Many configuration parameters, if not explicitly set to a
specific value, are set by Samba implicitly to a compiled-in
default. To see all settings, including those defaults, let root run
<b class="command">testparm -v</b>. <b class="command">testparm</b> also
warns if you have misconfigured certain things.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896270"></a>Detailed Explanation of the Example's Settings</h2></div></div><div></div></div><p>
What follows is a discussion of the settings in the example shown above.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896282"></a>The [global] Section</h3></div></div><div></div></div><p>
The <i class="parameter"><tt>[global]</tt></i> section is one of four special
sections (along with <i class="parameter"><tt>[homes]</tt></i>,
<i class="parameter"><tt>[printers]</tt></i> and
<i class="parameter"><tt>[print$]</tt></i>). It contains all parameters which
apply to the server as a whole: it is the place for parameters which
have only a "global" meaning. It may also contain service level
parameters, which then define default settings for all other
sections and shares. This way you can simplify the configuration and
avoid setting the same value repeatedly. (Within each individual
section or share you may, however, override these globally set "share
level" settings and specify other values.)
</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id2896338"></a><i class="parameter"><tt>printing</tt></i> = bsd</span></dt><dd><p> this causes Samba to use the default print commands
applicable to the BSD (a.k.a. RFC 1179 style or LPR/LPD) printing
system. In general, the "printing" parameter tells Samba which
print subsystem it should expect. Samba supports CUPS, LPD, LPRNG,
SYSV, HPUX, AIX, QNX and PLP. Each of these systems defaults to a
different <a class="indexterm" name="id2896364"></a><i class="parameter"><tt>print command</tt></i> (and other queue control
commands).</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>The <a class="indexterm" name="id2896384"></a><i class="parameter"><tt>printing</tt></i> parameter is
normally a service level parameter. Since it is included here in the
<i class="parameter"><tt>[global]</tt></i> section, it takes effect for all
printer shares that do not set it differently. Samba 3 no longer
supports the SOFTQ printing system.</p></div></dd><dt><span class="term"><a class="indexterm" name="id2896413"></a><i class="parameter"><tt>load printers</tt></i> = yes</span></dt><dd><p> this tells Samba to automatically create all
available printer shares. "Available" printer shares are discovered by
scanning the printcap file. All created printer shares are also loaded
for browsing. If you use this parameter, you do not need to specify
separate shares for each printer. Each automatically created printer
share clones the configuration options found in the
<i class="parameter"><tt>[printers]</tt></i> section. (A <i class="parameter"><tt>load printers
= no</tt></i> setting lets you specify each UNIX printer
you want to share separately, leaving out those you do not want to be
publicly visible and available.) </p></dd><dt><span class="term"><a class="indexterm" name="id2896462"></a><i class="parameter"><tt>show add printer wizard</tt></i> = yes </span></dt><dd><p> this setting is normally
enabled by default (even if the parameter is not written into
<tt class="filename">smb.conf</tt>). It makes the <span class="guiicon">Add Printer Wizard</span> icon
show up in the <span class="guiicon">Printers</span> folder of the Samba host's
share listing (as shown in <span class="guiicon">Network Neighbourhood</span> or
by the <b class="command">net view</b> command). To disable it, you need to
explicitly set it to <tt class="constant">no</tt> (commenting it out
will not suffice!). The Add Printer Wizard lets you upload printer
drivers to the <i class="parameter"><tt>[print$]</tt></i> share and associate them
with a printer (if the respective queue exists there before the
action), or replace a printer's driver with any other previously
uploaded driver. </p></dd><dt><span class="term"><a class="indexterm" name="id2896532"></a><i class="parameter"><tt>total print jobs</tt></i> = 100</span></dt><dd><p> this setting sets the upper limit to 100 print jobs
being active on the Samba server at any one time. Should a client
submit a job which exceeds this number, a &#8220;<span class="quote">no more space
available on server</span>&#8221; type of error message will be returned by
Samba to the client. A setting of "0" (the default) means there is
<span class="emphasis"><em>no</em></span> limit at all!
</p></dd><dt><span class="term"><a class="indexterm" name="id2896570"></a><i class="parameter"><tt>printcap name</tt></i> = /etc/printcap</span></dt><dd><p> this tells Samba where to look for a list of
available printer names. (If you use CUPS, make sure that a printcap
file is written: this is controlled by the "Printcap" directive of
<tt class="filename">cupsd.conf</tt>.)
</p></dd><dt><span class="term"><a class="indexterm" name="id2896604"></a><i class="parameter"><tt>printer admin</tt></i> = @ntadmin</span></dt><dd><p> members of the ntadmin group are allowed to add
drivers and set printer properties ("ntadmin" is only an example name;
it needs to be a valid UNIX group name); root is implicitly always a
<a class="indexterm" name="id2896628"></a><i class="parameter"><tt>printer admin</tt></i>. The "@" sign precedes group names in
<tt class="filename">smb.conf</tt>. A printer admin can do anything to
printers via the remote administration interfaces offered by MS-RPC
(see below). Because an uploaded driver is executable code that Windows
clients download and run, keep this group small and trusted. Note that the <a class="indexterm" name="id2896646"></a><i class="parameter"><tt>printer admin</tt></i>
parameter is normally a share level parameter, so in larger installations you may associate
different groups with different printer shares
by using the <a class="indexterm" name="id2896661"></a><i class="parameter"><tt>printer admin</tt></i> parameter at the
share level.
</p></dd><dt><span class="term"><a class="indexterm" name="id2896681"></a><i class="parameter"><tt>lpq cache time</tt></i> = 20</span></dt><dd><p> this controls the cache time (in seconds) for the results of the
lpq command. It prevents the lpq command from being called too often and
reduces load on a heavily used print server.
</p></dd><dt><span class="term"><a class="indexterm" name="id2896707"></a><i class="parameter"><tt>use client driver</tt></i> = no</span></dt><dd><p> if set to <tt class="constant">yes</tt>, this setting only
takes effect for Win NT/2k/XP clients (and not for Win 95/98/ME). Its
default value is <tt class="constant">No</tt> (or <tt class="constant">False</tt>).
It must <span class="emphasis"><em>not</em></span> be enabled on print shares
(with a <tt class="constant">yes</tt> or <tt class="constant">true</tt> setting) which
have valid drivers installed on the Samba server! For more detailed
explanations see the man page of <tt class="filename">smb.conf</tt>.
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896767"></a>The [printers] Section</h3></div></div><div></div></div><p>
This is the second special section. If a section with this name
appears in <tt class="filename">smb.conf</tt>, users are able to
connect to any printer specified in the Samba host's printcap file,
because Samba on startup then creates a printer share for every
printer name it finds in the printcap file. You could regard this
section as a general convenience shortcut to share all printers with
minimal configuration. It is also a container for settings which
should apply as defaults to all printers. (For more details see the
<tt class="filename">smb.conf</tt> man page.) Settings inside this
container must be share level parameters.
</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id2896809"></a><i class="parameter"><tt>comment</tt></i> = All printers</span></dt><dd><p> the <a class="indexterm" name="id2896828"></a><i class="parameter"><tt>comment</tt></i> is shown next to
the share if a client queries the server, either via <span class="guiicon">Network
Neighbourhood</span> or with the <b class="command">net view</b> command to list
available shares.
</p></dd><dt><span class="term"><a class="indexterm" name="id2896862"></a><i class="parameter"><tt>printable</tt></i> = yes</span></dt><dd><p> please note well that the
<i class="parameter"><tt>[printers]</tt></i> service <span class="emphasis"><em>must</em></span> be
declared as printable. If you specify otherwise, smbd will refuse to
load at startup. This parameter allows
connected clients to open, write to and submit spool files into the
directory specified with the <a class="indexterm" name="id2896896"></a><i class="parameter"><tt>path</tt></i> parameter for
this service. It is used by Samba to differentiate printer shares from
file shares. </p></dd><dt><span class="term"><a class="indexterm" name="id2896916"></a><i class="parameter"><tt>path</tt></i> = /var/spool/samba</span></dt><dd><p>this must point to a directory used by Samba to spool
incoming print files. <span class="emphasis"><em>It must not be the same as the spool
directory specified in the configuration of your UNIX print
subsystem!</em></span> The path would typically point to a directory
which is world writeable, with the "sticky" bit set on it (mode 1777), so that every
connecting user can create spool files there but nobody can delete or rename another user's files.
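</p><p>
A quick check of those requirements, added here as an example (a shell function written for this section, not part of Samba or of the original HOWTO): it verifies that the directory exists, is not the print subsystem's own spool area, and carries mode 1777. The location of the system spool directory, <tt class="filename">/var/spool/lpd</tt> below, is an assumption that varies between systems.
</p>

```sh
#!/bin/sh
# check_samba_spool DIR [SYSTEM_SPOOL]
# Verify that DIR is fit to be the "path =" of a printable share: it exists,
# it is not the UNIX print subsystem's own spool directory, and it is
# world-writeable with the sticky bit set (mode 1777), so every connecting
# user can create a spool file but cannot remove or rename anyone else's.
# Added example, not part of Samba.  /var/spool/lpd is an assumed location
# for the lpd spool; adjust it for your system.
check_samba_spool() {
    dir=$1
    sys_spool=${2:-/var/spool/lpd}

    if [ ! -d "$dir" ]; then
        echo "$dir: does not exist"
        return 1
    fi

    # Compare canonical paths so a symlink into the system spool is caught too.
    if [ "$(cd "$dir" && pwd -P)" = "$(cd "$sys_spool" 2>/dev/null && pwd -P)" ]; then
        echo "$dir: is the print subsystem's own spool directory"
        return 1
    fi

    # ls -ld prints e.g. "drwxrwxrwt"; the last three characters are the
    # permissions for "others", and the sticky bit shows up as the "t".
    mode=$(ls -ld "$dir" | cut -c1-10)
    case $mode in
        d??????rwt) ;;
        *)
            echo "$dir: mode is $mode, expected drwxrwxrwt (chmod 1777)"
            return 1
            ;;
    esac

    echo "$dir: ok"
    return 0
}
```

<p>
Run it against the <i class="parameter"><tt>path</tt></i> of every printable share, for instance <b class="command">check_samba_spool /var/spool/samba /var/spool/lpd</b>. A directory that fails the mode test breaks printing for everyone except the directory's owner, usually without any helpful message on the client.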
</p></dd><dt><span class="term"><a class="indexterm" name="id2896949"></a><i class="parameter"><tt>browseable</tt></i> = no</span></dt><dd><p> this is always set to <tt class="constant">no</tt> if
<a class="indexterm" name="id2896973"></a><i class="parameter"><tt>printable</tt></i> = yes. It makes the
<i class="parameter"><tt>[printers]</tt></i> share itself invisible in the
list of available shares in a <b class="command">net view</b> command or
in the Explorer browse list. (Note that you will of course still see the
individual printers.)
</p></dd><dt><span class="term"><a class="indexterm" name="id2897007"></a><i class="parameter"><tt>guest ok</tt></i> = yes</span></dt><dd><p>
if set to <tt class="constant">yes</tt>, then no password is required to
connect to the printers service. Access will be granted with the
privileges of the <a class="indexterm" name="id2897033"></a><i class="parameter"><tt>guest account</tt></i>. On many systems the
guest account maps to a user named "nobody". This user is in the UNIX
passwd file with an empty password but with no valid UNIX login.
(Note: on some systems the guest account might not have the
privilege to print. Test this by logging in as your
guest user using <b class="command">su - guest</b> and running a system print
command like
</p><p><b class="userinput"><tt>lpr -P printername /etc/motd</tt></b>)</p></dd><dt><span class="term"><a class="indexterm" name="id2897074"></a><i class="parameter"><tt>public</tt></i> = yes</span></dt><dd><p> this is a synonym for <a class="indexterm" name="id2897094"></a><i class="parameter"><tt>guest ok</tt></i> = yes. Since we have <a class="indexterm" name="id2897108"></a><i class="parameter"><tt>guest ok</tt></i> = yes,
it really doesn't need to be here! (This leads to the interesting
question: &#8220;<span class="quote">What if I by accident have two contradictory settings
for the same share?</span>&#8221; The answer is: the last one encountered by
Samba wins. The "winner" is shown by testparm. testparm does not
complain about different settings of the same parameter for the same
share! You can test this by setting up multiple lines for the "guest
account" parameter with different usernames, and then running testparm to
see which one is actually used by Samba.)
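</p><p>
The resolution rules just described (the last assignment of a parameter wins, a share inherits from <i class="parameter"><tt>[global]</tt></i> whatever it does not set itself, and <i class="parameter"><tt>public</tt></i> and <i class="parameter"><tt>writeable</tt></i> are synonyms for <i class="parameter"><tt>guest ok</tt></i> and an inverted <i class="parameter"><tt>read only</tt></i>) applied by a small shell function to a constructed <tt class="filename">smb.conf</tt> fragment. This is an added example, not Samba code and not part of the original HOWTO; it is deliberately not a complete smb.conf parser (no <i class="parameter"><tt>include</tt></i>, <i class="parameter"><tt>copy</tt></i> or %-macro handling), and testparm remains the authoritative check.
</p>

```sh
#!/bin/sh
# smb_param FILE SECTION PARAMETER
# Print the value Samba would use for PARAMETER in share SECTION, following
# the rules explained above: the last assignment of a parameter wins, a share
# inherits from [global] whatever it does not set itself, parameter names
# ignore case and embedded whitespace, and the synonyms "public" (= guest ok)
# and "writable"/"writeable" (= inverted read only) are folded onto their
# canonical names.  Query with the canonical names "guest ok" and "read only".
# Added example, not Samba code, and not a full smb.conf parser (no include =,
# copy = or %-macro expansion); testparm remains authoritative.
smb_param() {
    file=$1
    want_sec=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    want_key=$(printf '%s' "$3" | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
    awk -v wsec="$want_sec" -v want="$want_key" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    {
        line = trim($0)
        if (line == "" || line ~ /^[#;]/) next         # blank line or comment
        if (line ~ /^\[.*\]$/) {                       # [section] header
            sec = tolower(substr(line, 2, length(line) - 2))
            next
        }
        eq = index(line, "=")
        if (eq == 0) next                              # not a "name = value" line
        key = tolower(substr(line, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = trim(substr(line, eq + 1))
        if (key == "public") key = "guestok"
        if (key == "writable" || key == "writeable") {
            key = "readonly"
            val = (tolower(val) ~ /^(yes|true|1)$/) ? "no" : "yes"
        }
        if (key != want) next
        # A later line overwrites an earlier one for the same section.
        if (sec == "global") { gval = val; gset = 1 }
        if (sec == wsec && sec != "global") { sval = val; sset = 1 }
    }
    END {
        if (sset) { print sval; exit }                 # a share-level setting wins ...
        if (gset) print gval                           # ... else the [global] default
    }' "$file"
}

# write_demo_conf FILE: a constructed smb.conf with the conflicts discussed
# above (not a real site's configuration).
write_demo_conf() {
    cat > "$1" <<'EOF'
[global]
   printing = bsd
   printer admin = @ntadmin, root
   guest account = nobody
   guest account = smbguest

[printers]
   printable = yes
   Guest OK = yes
   public = no
   writable = no

[my_printer_name]
   printer admin = kurt
EOF
}

demo=$(mktemp)
write_demo_conf "$demo"
smb_param "$demo" global 'guest account'            # smbguest: the later line won
smb_param "$demo" printers 'guest ok'               # no: "public = no" came last
smb_param "$demo" printers 'read only'              # yes: from "writable = no"
smb_param "$demo" printers 'printer admin'          # @ntadmin, root: inherited from [global]
smb_param "$demo" my_printer_name 'printer admin'   # kurt: share-level override
rm -f "$demo"
```

<p>
Running <b class="command">testparm -s</b> on the same fragment shows exactly the same winners; the function is only there to make the precedence visible without a Samba installation.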
</p></dd><dt><span class="term"><a class="indexterm" name="id2897139"></a><i class="parameter"><tt>read only</tt></i> = yes</span></dt><dd><p>this normally (for other types of shares) prevents
users from creating or modifying files in the service's directory. However,
in a "printable" service, it is <span class="emphasis"><em>always</em></span> allowed to
write to the directory (if user privileges allow the connection), but
only via print spooling operations. "Normal" write operations are not
allowed. </p></dd><dt><span class="term"><a class="indexterm" name="id2897173"></a><i class="parameter"><tt>writeable</tt></i> = no</span></dt><dd><p>
synonym for <a class="indexterm" name="id2897193"></a><i class="parameter"><tt>read only</tt></i> = yes
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2897210"></a>Any [my_printer_name] Section</h3></div></div><div></div></div><p>
If a section appears in <tt class="filename">smb.conf</tt> which is
tagged as <a class="indexterm" name="id2897220"></a><i class="parameter"><tt>printable</tt></i> = yes, Samba presents it as
a printer share to its clients. Note that Win95/98/ME clients may
have problems connecting or loading printer drivers if the share
name has more than 8 characters! Also be very careful if you give a
printer the same name as an existing user or file share name: upon a
client's connection request to a certain share name, Samba always tries
to find file shares with that name first; if it finds one, it will
connect to this and will never connect to a printer with
the same name!
</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id2897262"></a><i class="parameter"><tt>comment</tt></i> = Printer with Restricted Access</span></dt><dd><p> the comment says it all.
</p></dd><dt><span class="term"><a class="indexterm" name="id2897287"></a><i class="parameter"><tt>path</tt></i> = /var/spool/samba_my_printer</span></dt><dd><p> here we set the spooling area for this printer to
a different directory than the default. It is not a requirement to set it
differently, but the option is available.
</p></dd><dt><span class="term"><a class="indexterm" name="id2897314"></a><i class="parameter"><tt>printer admin</tt></i> = kurt</span></dt><dd><p> the printer admin definition for this
explicitly defined printer share differs from that of the general
<i class="parameter"><tt>[printers]</tt></i> share. It is not a requirement; we
did it to show that it is possible if you want it.
</p></dd><dt><span class="term"><a class="indexterm" name="id2897347"></a><i class="parameter"><tt>browseable</tt></i> = yes</span></dt><dd><p> we also made this printer browseable (so that
clients may conveniently find it when browsing the <span class="guiicon">Network
Neighbourhood</span>).
</p></dd><dt><span class="term"><a class="indexterm" name="id2897380"></a><i class="parameter"><tt>printable</tt></i> = yes</span></dt><dd><p>see the explanation in the last subsection.
</p></dd><dt><span class="term"><a class="indexterm" name="id2897403"></a><i class="parameter"><tt>writeable</tt></i> = no</span></dt><dd><p>see the explanation in the last subsection.
</p></dd><dt><span class="term"><a class="indexterm" name="id2897427"></a><i class="parameter"><tt>hosts allow</tt></i> = 10.160.50.,10.160.51.</span></dt><dd><p>here we exercise a certain degree of access control
by using the <a class="indexterm" name="id2897449"></a><i class="parameter"><tt>hosts allow</tt></i> and <a class="indexterm" name="id2897463"></a><i class="parameter"><tt>hosts deny</tt></i> parameters. Note that
this is not by any means a safe bet: both parameters filter on the client's
network address or name, not on who the user is, so they are not a way to secure your
printers. An entry with a trailing dot is a network prefix; this line therefore admits every
client from the two subnets 10.160.50.0/24 and 10.160.51.0/24 before anything else is considered.
</p></dd><dt><span class="term"><a class="indexterm" name="id2897484"></a><i class="parameter"><tt>hosts deny</tt></i> = turbo_xp,10.160.50.23,10.160.51.60</span></dt><dd><p>the listed hosts are meant to be refused. As you can see, you may name IP
addresses as well as host names here. Be aware, however, of how Samba
evaluates the two lists when both are set: a client that matches <i class="parameter"><tt>hosts allow</tt></i>
is admitted even if it also matches <i class="parameter"><tt>hosts deny</tt></i>, so the two IP
addresses above, which lie inside the allowed subnets, are <span class="emphasis"><em>not</em></span> actually
blocked by this line. To exclude individual hosts from an allowed network, use the
<tt class="constant">EXCEPT</tt> keyword inside <i class="parameter"><tt>hosts allow</tt></i> instead, for example
<i class="parameter"><tt>hosts allow = 10.160.50. 10.160.51. EXCEPT 10.160.50.23 10.160.51.60</tt></i>.
<b class="command">testparm</b> accepts a host name and IP address as extra arguments and reports, share by share,
whether that client would be admitted; use it to verify what you have configured.
</p></dd><dt><span class="term"><a class="indexterm" name="id2897510"></a><i class="parameter"><tt>guest ok</tt></i> = no</span></dt><dd><p>this printer is not open to the guest account!
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2897534"></a>Print Commands</h3></div></div><div></div></div><p>
In each section defining a printer (or in the
<i class="parameter"><tt>[printers]</tt></i> section), a <i class="parameter"><tt>print
command</tt></i> parameter may be defined. It sets a command to
process the files which have been placed into the Samba print spool
directory for that printer. (That spool directory was, if you
remember, set up with the <a class="indexterm" name="id2897564"></a><i class="parameter"><tt>path</tt></i>
parameter.) Typically, this command submits the spool file to the
Samba host's print subsystem, using the suitable system print
command. But there is no requirement that this needs to be the
case. For debugging purposes or some other reason you may want to do
something completely different than "print" the file. An example is a
command that just copies the print file to a temporary location for
further investigation when you need to debug printing. If you craft
your own print commands (or even develop print command shell scripts),
make sure you pay attention to the need to remove the files from the
Samba spool directory. Otherwise your hard disk may soon run
short of free space.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2897592"></a>Default Print Commands for various UNIX Print Subsystems</h3></div></div><div></div></div><p>
You learned earlier on that Samba in most cases uses its built-in
settings for many parameters if it cannot find an explicitly stated
one in its configuration file. The same is true for the
<a class="indexterm" name="id2897606"></a><i class="parameter"><tt>print command</tt></i>. The default print command varies
depending on the <a class="indexterm" name="id2897622"></a><i class="parameter"><tt>printing</tt></i> parameter
setting. In the commands listed below, you will notice some parameters
of the form <span class="emphasis"><em>%X</em></span> where <span class="emphasis"><em>X</em></span> is
<span class="emphasis"><em>p, s, j</em></span> etc. These letters stand for
"printer name", "spool file" and "job number" respectively. They are
explained in more detail further below. Here is an overview (excluding
the special case of CUPS, which is discussed in the next chapter):
</p><div class="informaltable"><table border="1"><colgroup><col><col></colgroup><thead><tr><th align="left">If this setting is active...</th><th align="left">...this is used in lieu of an explicit command:</th></tr></thead><tbody><tr><td align="left"><a class="indexterm" name="id2897700"></a><i class="parameter"><tt>printing</tt></i> = bsd|aix|lprng|plp</td><td align="left">print command is <b class="command">lpr -r -P%p %s</b></td></tr><tr><td align="left"><a class="indexterm" name="id2897731"></a><i class="parameter"><tt>printing</tt></i> = sysv|hpux</td><td align="left">print command is <b class="command">lp -c -d%p %s; rm %s</b></td></tr><tr><td align="left"><a class="indexterm" name="id2897762"></a><i class="parameter"><tt>printing</tt></i> = qnx</td><td align="left">print command is <b class="command">lp -r -P%p -s %s</b></td></tr><tr><td align="left"><a class="indexterm" name="id2897794"></a><i class="parameter"><tt>printing</tt></i> = bsd|aix|lprng|plp</td><td align="left">lpq command is <b class="command">lpq -P%p</b></td></tr><tr><td align="left"><a class="indexterm" name="id2897824"></a><i class="parameter"><tt>printing</tt></i> = sysv|hpux</td><td align="left">lpq command is <b class="command">lpstat -o%p</b></td></tr><tr><td align="left"><a class="indexterm" name="id2897855"></a><i class="parameter"><tt>printing</tt></i> = qnx</td><td align="left">lpq command is <b class="command">lpq -P%p</b></td></tr><tr><td align="left"><a class="indexterm" name="id2897885"></a><i class="parameter"><tt>printing</tt></i> = bsd|aix|lprng|plp</td><td align="left">lprm command is <b class="command">lprm -P%p %j</b></td></tr><tr><td align="left"><a class="indexterm" name="id2897916"></a><i class="parameter"><tt>printing</tt></i> = sysv|hpux</td><td align="left">lprm command is <b class="command">cancel %p-%j</b></td></tr><tr><td align="left"><a class="indexterm" name="id2897947"></a><i class="parameter"><tt>printing</tt></i> = qnx</td><td align="left">lprm command is <b class="command">cancel %p-%j</b></td></tr><tr><td align="left"><a class="indexterm" name="id2897977"></a><i class="parameter"><tt>printing</tt></i> = bsd|aix|lprng|plp</td><td align="left">lppause command is <b class="command">lp -i %p-%j -H hold</b></td></tr><tr><td align="left"><a class="indexterm" name="id2898008"></a><i class="parameter"><tt>printing</tt></i> = sysv|hpux</td><td align="left">lppause command (...is empty)</td></tr><tr><td align="left"><a class="indexterm" name="id2898033"></a><i class="parameter"><tt>printing</tt></i> = qnx</td><td align="left">lppause command (...is empty)</td></tr><tr><td align="left"><a class="indexterm" name="id2898058"></a><i class="parameter"><tt>printing</tt></i> = bsd|aix|lprng|plp</td><td align="left">lpresume command is <b class="command">lp -i %p-%j -H resume</b></td></tr><tr><td align="left"><a class="indexterm" name="id2898090"></a><i class="parameter"><tt>printing</tt></i> = sysv|hpux</td><td align="left">lpresume command (...is empty)</td></tr><tr><td align="left"><a class="indexterm" name="id2898115"></a><i class="parameter"><tt>printing</tt></i> = qnx</td><td align="left">lpresume command (...is empty)</td></tr></tbody></table></div><p>
We excluded the special CUPS case here because it is discussed in the
next chapter. Just a short summary. For <i class="parameter"><tt>printing =
cups</tt></i>: if Samba is compiled against libcups, it uses the
CUPS API to submit jobs, etc. (It is a good idea to also set
<a class="indexterm" name="id2898153"></a><i class="parameter"><tt>printcap</tt></i> = cups in case your
<tt class="filename">cupsd.conf</tt> is set to write its autogenerated
printcap file to an unusual place.) Otherwise Samba maps to the System
V printing commands with the -oraw option for printing, i.e. it uses
<b class="command">lp -c -d%p -oraw %s; rm %s</b>. With <i class="parameter"><tt>printing =
cups</tt></i>, and if Samba is compiled against libcups, any
manually set print command will be ignored!
</p><p>
Having listed the above mappings, you should note that there used
to be a <span class="emphasis"><em>bug</em></span> in recent 2.2.x versions which
prevented the mapping from taking effect. It led to the
"bsd|aix|lprng|plp" settings taking effect for all other systems for
the most important commands (the <b class="command">print</b> command, the
<b class="command">lpq</b> command and the <b class="command">lprm</b>
command). The <b class="command">lppause</b> command and the
<b class="command">lpresume</b> command remained empty. Of course, these
commands worked on bsd|aix|lprng|plp but they didn't work on
sysv|hpux|qnx systems. To work around this bug, you need to
explicitly set the commands. Use <b class="command">testparm -v</b> to
check which command takes effect. Then check that this command is
adequate and actually works for your installed print subsystem. It is
always a good idea to explicitly set up your configuration files the
way you want them to work and not rely on any built-in defaults.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2898261"></a>Setting up your own Print Commands</h3></div></div><div></div></div><p>
After a print job has finished spooling to a service, the
<a class="indexterm" name="id2898273"></a><i class="parameter"><tt>print command</tt></i> is used by Samba via a
<span class="emphasis"><em>system()</em></span> call to process the spool file. Usually
the command specified will submit the spool file to the host's
printing subsystem. But there is no requirement at all that this must
be the case. The print subsystem will probably not remove the spool
file on its own. So whatever command you specify, you
should ensure that the spool file is deleted after it has been
processed.
</p><p>
There is no difficulty in using your own customized print commands
with the traditional printing systems. However, if you don't wish to
"roll your own", you should be well informed about the default
built-in commands that Samba uses for each printing subsystem (see the
table above). In all the commands listed in the last paragraphs you
see parameters of the form <span class="emphasis"><em>%X</em></span>. These are
<span class="emphasis"><em>macros</em></span>, or shortcuts, used as placeholders for
the names of real objects. At the time of running a command with such
a placeholder, Samba inserts the appropriate value
automatically. Print commands can handle all Samba macro
substitutions. In regard to printing, the following ones have
special relevance:
</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>%s, %f</tt></i> - the path to the spool
file name</p></li><li><p><i class="parameter"><tt>%p</tt></i> - the appropriate printer
name</p></li><li><p><i class="parameter"><tt>%J</tt></i> - the job name as
transmitted by the client.</p></li><li><p><i class="parameter"><tt>%c</tt></i> - the number of printed
pages of the spooled job (if known).</p></li><li><p><i class="parameter"><tt>%z</tt></i> - the size of the spooled
print job (in bytes)</p></li></ul></div><p>
The print command MUST contain at least one occurrence of
<i class="parameter"><tt>%s</tt></i> or <i class="parameter"><tt>%f</tt></i>. The
<i class="parameter"><tt>%p</tt></i> is optional. If no printer name is supplied,
the <i class="parameter"><tt>%p</tt></i> will be silently removed from the print
command. In this case the job is sent to the default printer. Remember, too,
that the expanded command line is handed to a shell: of the macros above,
<i class="parameter"><tt>%J</tt></i> is chosen by the client, so treat it as untrusted input and keep it
out of positions where the shell would interpret it (pass it to a script as a quoted argument,
or leave it out of the print command altogether).
</p><p>
If specified in the <i class="parameter"><tt>[global]</tt></i> section, the print
command given will be used for any printable service that does not
have its own print command specified. If there is neither a specified
print command for a printable service nor a global print command,
spool files will be created but not processed! And (most importantly):
print files will not be removed, so they will start filling your Samba
hard disk.
</p><p>
Note that printing may fail on some UNIX systems from the "nobody"
account. If this happens, create an alternative guest account and
supply it with the privilege to print. Set up this guest account in
the <i class="parameter"><tt>[global]</tt></i> section with the <i class="parameter"><tt>guest
account</tt></i> parameter.
</p><p>
You can form quite complex print commands. You need to realize that
print commands are just passed to a UNIX shell. The shell is able to
expand the included environment variables as usual. (The syntax to
include a UNIX environment variable <i class="parameter"><tt>$variable</tt></i>
in <tt class="filename">smb.conf</tt>, and thus in the Samba print command, is
<i class="parameter"><tt>%$(variable)</tt></i>.) To give you a working
<a class="indexterm" name="id2898492"></a><i class="parameter"><tt>print command</tt></i> example, the following will log a
print job to <tt class="filename">/tmp/print.log</tt>, print the file, then
remove it. Note that ';' is the usual separator for commands in shell
scripts. (For anything beyond a quick test, log somewhere other than the
world-writeable <tt class="filename">/tmp</tt>, where a fixed file name can be pre-created or
symlinked by any local user.)
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>print command = echo Printing %s &gt;&gt; /tmp/print.log; lpr -P %p %s; rm %s</tt></i></td></tr></table><p>
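As an added example (written for this section, not part of Samba or of the original HOWTO), here is a print command script of the kind that the <tt class="filename">myprintscript</tt> line below is called with as <i class="parameter"><tt>%p %s</tt></i>. It logs the job, submits the spool file and, unlike the one-liner above, removes the spool file even when submission fails, which is the failure mode that fills a disk. The log location and the use of <tt class="filename">lpr</tt> are assumptions; the <tt class="constant">SUBMIT</tt> variable lets you substitute the print command, for instance to exercise the script without a queue.
</p>

```sh
#!/bin/sh
# samba_print_job PRINTER SPOOLFILE [LOGFILE]
# A print command script of the kind invoked as
#   print command = /usr/local/samba/bin/myprintscript %p %s
# It appends one line per job to the log, hands the spool file to the system
# print command and ALWAYS removes the spool file afterwards, also when
# submission fails, so a broken queue cannot fill the Samba spool area.
# Added example, not Samba code.  The default log path is an assumption;
# SUBMIT (default lpr) can be overridden to run the script without a
# real printer.
samba_print_job() {
    printer=$1
    spool=$2
    log=${3:-/var/log/samba/print.log}
    stamp=$(date '+%Y-%m-%d %H:%M:%S')

    case $spool in
        /*) ;;                                   # Samba passes an absolute path
        *)  echo "$stamp refusing relative spool path: $spool" >> "$log"
            return 2 ;;
    esac
    if [ ! -f "$spool" ]; then
        echo "$stamp missing spool file: $spool" >> "$log"
        return 2
    fi

    size=$(wc -c < "$spool" | tr -d ' ')
    echo "$stamp printer=$printer file=$spool bytes=$size" >> "$log"

    # Every expansion is quoted, so a spool name with spaces or shell
    # metacharacters is passed through as a single argument.
    if ${SUBMIT:-lpr} -P "$printer" "$spool"; then
        status=0
    else
        status=$?
        echo "$stamp submission FAILED (exit $status) for $spool" >> "$log"
    fi

    rm -f "$spool"                               # never leave spool files behind
    return $status
}

# Demonstration with a constructed spool file and a stand-in print command.
tmp=$(mktemp -d)
printf 'hello\n' > "$tmp/smbprn.00001"
SUBMIT=true
samba_print_job lp0 "$tmp/smbprn.00001" "$tmp/print.log"
cat "$tmp/print.log"
ls "$tmp"                                        # only print.log remains
rm -rf "$tmp"
```

<p>
Install the script outside the spool directory, executable by the users who print (Samba runs the print command as the connected user, which is the guest account for guest connections, not as root), and point the share at it with <i class="parameter"><tt>print command = /usr/local/samba/bin/myprintscript %p %s</tt></i>. The log directory must be writeable by those same users.
</p><p>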
You may have to vary your own command considerably from this example
depending on how you normally print files on your system. The default
for the <a class="indexterm" name="id2898541"></a><i class="parameter"><tt>print command</tt></i> parameter varies depending on the setting of
the <a class="indexterm" name="id2898557"></a><i class="parameter"><tt>printing</tt></i> parameter. Another example is:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>print command = /usr/local/samba/bin/myprintscript %p %s</tt></i></td></tr></table></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2898591"></a>Innovations in Samba Printing since 2.2</h2></div></div><div></div></div><p>
Before version 2.2.0, Samba's print server support for Windows clients
was limited to the level of <span class="emphasis"><em>LanMan</em></span> printing
calls. This is the same protocol level as Windows 9x PCs offer when
they share printers. Beginning with the 2.2.0 release, Samba started
to support the native Windows NT printing mechanisms. These are
implemented via <span class="emphasis"><em>MS-RPC</em></span> (RPC = <span class="emphasis"><em>Remote
Procedure Calls</em></span>). MS-RPCs use the
<span class="emphasis"><em>SPOOLSS</em></span> named pipe for all printing.
</p><p>
The additional functionality provided by the new SPOOLSS support includes:
</p><div class="itemizedlist"><ul type="disc"><li><p>Support for downloading printer driver files to Windows
95/98/NT/2000 clients upon demand (<span class="emphasis"><em>Point'n'Print</em></span>);
</p></li><li><p>Uploading of printer drivers via the Windows NT
<span class="emphasis"><em>Add Printer Wizard</em></span> (APW) or the
<a href="http://imprints.sourceforge.net/" target="_top">Imprints</a> tool set;
</p></li><li><p>Support for the native MS-RPC printing calls such as
StartDocPrinter, EnumJobs(), etc. (See the <a href="http://msdn.microsoft.com/" target="_top">MSDN documentation</a> for more information on the Win32 printing API);</p></li><li><p>Support for NT <span class="emphasis"><em>Access Control
Lists</em></span> (ACLs) on printer objects;</p></li><li><p>Improved support for printer queue manipulation
through the use of internal databases for spooled job information
(implemented by various <tt class="filename">*.tdb</tt>
files).</p></li></ul></div><p>
One other benefit of an update is this: Samba 3 is able to publish
all its printers in Active Directory (or LDAP)!
</p><p>
One slight difference is here: it is possible on a Windows NT print
server to have printers listed in the Printers folder which are
<span class="emphasis"><em>not</em></span> shared. Samba does not make this
distinction. By definition, the only printers of which Samba is aware
are those which are specified as shares in
<tt class="filename">smb.conf</tt>. The reason is that Windows NT/200x/XP Professional
clients do not normally need to use the standard SMB printer share;
rather they can print directly to any printer on another Windows NT
host using MS-RPC. This of course assumes that the printing client has
the necessary privileges on the remote host serving the printer. The
default permissions assigned by Windows NT to a printer give the
"Print" permission to the well-known <span class="emphasis"><em>Everyone</em></span>
group. (The older clients of type Win9x can only print to "shared"
printers.)
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2898740"></a>Client Drivers on Samba Server for <span class="emphasis"><em>Point'n'Print</em></span></h3></div></div><div></div></div><p>
There is still confusion about what all this means: <span class="emphasis"><em>Is it or
is it not a requirement for printer drivers to be installed on a Samba
host in order to support printing from Windows clients?</em></span> The
answer to this is: No, it is not a
<span class="emphasis"><em>requirement</em></span>. Windows NT/2000 clients can, of
course, also run their APW to install drivers
6422 <span class="emphasis"><em>locally</em></span> (which then connect to a Samba served
6423 print queue). This is the same method as used by Windows 9x
6424 clients. (However, a <span class="emphasis"><em>bug</em></span> existed in Samba 2.2.0
6425 which made Windows NT/2000 clients require that the Samba server
6426 possess a valid driver for the printer. This was fixed in Samba
6427 2.2.1).
6428 </p><p>
6429 But it is a new <span class="emphasis"><em>option</em></span> to install the printer
6430 drivers into the <i class="parameter"><tt>[print$]</tt></i> share of the Samba
6431 server, and a big convenience too. Then <span class="emphasis"><em>all</em></span>
6432 clients (including 95/98/ME) get the driver installed when they first
6433 connect to this printer share. The <span class="emphasis"><em>uploading</em></span> or
6434 <span class="emphasis"><em>depositing</em></span> of the driver into this
6435 <i class="parameter"><tt>[print$]</tt></i> share, and the following binding of
6436 this driver to an existing Samba printer share can be achieved by
6437 different means:
6438 </p><div class="itemizedlist"><ul type="disc"><li><p>running the <span class="emphasis"><em>APW</em></span> on an
6439 NT/200x/XP Professional client (this doesn't work from 95/98/ME
6440 clients);</p></li><li><p>using the <span class="emphasis"><em>Imprints</em></span>
6441 toolset;</p></li><li><p>using the <span class="emphasis"><em>smbclient</em></span> and
6442 <span class="emphasis"><em>rpcclient</em></span> commandline tools;</p></li><li><p>using <span class="emphasis"><em>cupsaddsmb</em></span> (only works for
6443 the CUPS printing system, not for LPR/LPD, LPRng
6444 etc.).</p></li></ul></div><p>
6445 Please take additional note of the following fact: <span class="emphasis"><em>Samba
6446 does not use these uploaded drivers in any way to process spooled
6447 files</em></span>. Drivers are utilized entirely by the clients, who
6448 download and install them via the "Point'n'Print" mechanism supported
6449 by Samba. The clients use these drivers to generate print files in the
6450 format the printer (or the UNIX print system) requires. Print files
6451 received by Samba are handed over to the UNIX printing system, which
6452 is responsible for all further processing, if needed.
6453 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2898892"></a>The [printer$] Section is removed from Samba 3</h3></div></div><div></div></div><p><b>
6454 <i class="parameter"><tt>[print$]</tt></i> vs. <i class="parameter"><tt>[printer$]</tt></i>.
6455 </b>
6456 Versions of Samba prior to 2.2 made it possible to use a share
6457 named <span class="emphasis"><em>[printer$]</em></span>. This name was taken from the
6458 same named service created by Windows 9x clients when a printer was
6459 shared by them. Windows 9x printer servers always have a
6460 <i class="parameter"><tt>[printer$]</tt></i> service which provides read-only
6461 access (with no password required) in order to support printer driver
6462 downloads. However, Samba's initial implementation allowed for a
6463 parameter named <i class="parameter"><tt>printer driver location</tt></i> to be
6464 used on a per share basis. This specified the location of the driver
6465 files associated with that printer. Another parameter named
6466 <i class="parameter"><tt>printer driver</tt></i> provided a means of defining the
6467 printer driver name to be sent to the client. These parameters,
6468 including the <i class="parameter"><tt>printer driver file</tt></i> parameter,
6469 are now removed and cannot be used in installations of samba-3.
6470 Now the share name <i class="parameter"><tt>[print$]</tt></i> is used for the
6471 location of downloadable printer drivers. It is taken from the
6472 <i class="parameter"><tt>[print$]</tt></i> service created by Windows NT PCs when
6473 a printer is shared by them. Windows NT print servers always have a
6474 <i class="parameter"><tt>[print$]</tt></i> service which provides read-write
6475 access (in the context of its ACLs) in order to support printer driver
6476 down- and uploads. Don't fear -- this does not mean Windows 9x
6477 clients are thrown aside now. They can use Samba's
6478 <i class="parameter"><tt>[print$]</tt></i> share support just fine.
6479 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899004"></a>Creating the [print$] Share</h3></div></div><div></div></div><p>
6480 In order to support the up- and downloading of printer driver files,
6481 you must first configure a file share named
6482 <i class="parameter"><tt>[print$]</tt></i>. The "public" name of this share is
6483 hard coded in Samba's internals (because it is hard coded in the MS
6484 Windows clients too). It cannot be renamed since Windows clients are
6485 programmed to search for a service of exactly this name if they want
6486 to retrieve printer driver files.
6487 </p><p>
6488 You should modify the server's file to
6489 add the global parameters and create the
6490 <i class="parameter"><tt>[print$]</tt></i> file share (of course, some of the
6491 parameter values, such as 'path' are arbitrary and should be replaced
6492 with appropriate values for your site):
6493 </p><div class="example"><a name="id2899046"></a><p class="title"><b>Example 18.3. [print$] example</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td># members of the ntadmin group should be able to add drivers and set</td></tr><tr><td># printer properties. root is implicitly always a 'printer admin'.</td></tr><tr><td><i class="parameter"><tt>printer admin = @ntadmin</tt></i></td></tr><tr><td>...</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td>...</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Printer Driver Download Area</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /etc/samba/drivers</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>write list = @ntadmin, root</tt></i></td></tr></table></div><p>
6494 Of course, you also need to ensure that the directory named by the
6495 <a class="indexterm" name="id2899172"></a><i class="parameter"><tt>path</tt></i> parameter exists on the UNIX file system.
6496 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899189"></a>Parameters in the [print$] Section</h3></div></div><div></div></div><p>
6497 <i class="parameter"><tt>[print$]</tt></i> is a special section in
6498 . It contains settings relevant to
6499 potential printer driver download and local installation by clients.
6500 </p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id2899217"></a><i class="parameter"><tt>comment</tt></i> = Printer Driver
6501 Download Area</span></dt><dd><p> the comment appears next to the share name if it is
6502 listed in a share list (usually Windows clients won't see it often but
6503 it will also appear up in a <b class="command">smbclient -L sambaserver
6504 </b> output). </p></dd><dt><span class="term"><a class="indexterm" name="id2899252"></a><i class="parameter"><tt>path</tt></i> = /etc/samba/printers</span></dt><dd><p> this is the path to the location of the Windows
6505 driver file deposit from the UNIX point of
6506 view.</p></dd><dt><span class="term"><a class="indexterm" name="id2899277"></a><i class="parameter"><tt>browseable</tt></i> = no</span></dt><dd><p> this makes the <i class="parameter"><tt>[print$]</tt></i> share
6507 "invisible" in Network Neighbourhood to clients. However, you can
6508 still "mount" it from any client using the <b class="command">net use
6509 g:\\sambaserver\print$</b> command in a "DOS box" or the
6510 "Connect network drive" menu from Windows
6511 Explorer.</p></dd><dt><span class="term"><a class="indexterm" name="id2899319"></a><i class="parameter"><tt>guest ok</tt></i> = yes</span></dt><dd><p>this gives read only access to this share for all
6512 guest users. Access may be used to download and install printer
6513 drivers on clients. The requirement for <i class="parameter"><tt>guest ok =
6514 yes</tt></i> depends upon how your site is configured. If users
6515 will be guaranteed to have an account on the Samba host, then this is
6516 a non-issue.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
6517 The non-issue is this: if all your Windows NT users are guaranteed to
6518 be authenticated by the Samba server (for example if Samba
6519 authenticates via an NT domain server and the NT user has already been
6520 validated by the Domain Controller in order to logon to the Windows NT
6521 session), then guest access is not necessary. Of course, in a
6522 workgroup environment where you just want to be able to print without
6523 worrying about silly accounts and security, then configure the share
6524 for guest access. You'll probably want to add <a class="indexterm" name="id2899365"></a><i class="parameter"><tt>map to guest</tt></i> = Bad User in the
6525 <i class="parameter"><tt>[global]</tt></i> section
6526 as well. Make sure you understand what this parameter does before
6527 using it.
6528 </p></div></dd><dt><span class="term"><a class="indexterm" name="id2899392"></a><i class="parameter"><tt>read only</tt></i> = yes</span></dt><dd><p>as we don't want everybody to upload driver files (or
6529 even change driver settings) we tagged this share as not
6530 writeable.</p></dd><dt><span class="term"><a class="indexterm" name="id2899418"></a><i class="parameter"><tt>write list</tt></i> = @ntadmin,root</span></dt><dd><p>since the <i class="parameter"><tt>[print$]</tt></i> was made
6531 read only by the previous setting, we need to create a "write list"
6532 also. UNIX groups (denoted with a leading "@" character) and users
6533 listed here are allowed write access (as an exception to the general
6534 public's "read-only" access), which they need to update files on the
6535 share. Normally you will want to only name administrative level user
6536 accounts in this setting. Check the file system permissions to make
6537 sure these accounts can copy files to the share. If this is a non-root
6538 account, then the account should also be mentioned in the global
6539 <a class="indexterm" name="id2899455"></a><i class="parameter"><tt>printer admin </tt></i> parameter. See the
6540 man page for more information on
6541 configuring file shares. </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899475"></a>Subdirectory Structure in [print$]</h3></div></div><div></div></div><p>
6542 In order for a Windows NT print server to support the downloading of
6543 driver files by multiple client architectures, you must create several
6544 subdirectories within the <i class="parameter"><tt>[print$]</tt></i> service
6545 (i.e. the UNIX directory named by the <a class="indexterm" name="id2899495"></a><i class="parameter"><tt>path</tt></i>
6546 parameter). These correspond to each of the supported client
6547 architectures. Samba follows this model as well. Just like the name of
6548 the <i class="parameter"><tt>[print$]</tt></i> share itself, the subdirectories
6549 *must* be exactly the names listed below (you may leave out the
6550 subdirectories of architectures you don't want to support).
6551 </p><p>
6552 Therefore, create a directory tree below the
6553 <i class="parameter"><tt>[print$]</tt></i> share for each architecture you wish
6554 to support.
6555 </p><pre class="programlisting">
6556 [print$]--+--
6557 |--W32X86 # serves drivers to "Windows NT x86"
6558 |--WIN40 # serves drivers to "Windows 95/98"
6559 |--W32ALPHA # serves drivers to "Windows NT Alpha_AXP"
6560 |--W32MIPS # serves drivers to "Windows NT R4000"
6561 |--W32PPC # serves drivers to "Windows NT PowerPC"
6562 </pre><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Required permissions</h3><p>
6563 In order to add a new driver to your Samba host, one of two conditions
6564 must hold true:
6565 </p><div class="itemizedlist"><ul type="disc"><li><p>The account used to connect to the Samba host must
6566 have a UID of 0 (i.e. a root account)</p></li><li><p>The account used to connect to the Samba host must be
6567 named in the <span class="emphasis"><em>printer admin</em></span> list.</p></li></ul></div><p>
6568 Of course, the connected account must still possess access to add
6569 files to the subdirectories beneath
6570 <i class="parameter"><tt>[print$]</tt></i>. Remember that all file shares are set
6571 to 'read only' by default.
6572 </p></div><p>
6573 Once you have created the required <i class="parameter"><tt>[print$]</tt></i>
6574 service and associated subdirectories, go to a Windows NT 4.0/2k/XP
6575 client workstation. Open <span class="guiicon">Network Neighbourhood</span> or
6576 <span class="guiicon">My Network Places</span> and browse for the Samba host.
6577 Once you have located the server, navigate to its <span class="guiicon">Printers and
6578 Faxes</span> folder. You should see an initial listing of printers
6579 that matches the printer shares defined on your Samba host.
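</p><p>
What follows is an added example and not part of the Samba HOWTO: a small POSIX shell script that checks an smb.conf <i class="parameter"><tt>[print$]</tt></i> section and its driver directory against the layout of Example 18.3 and the parameter notes above. The security point it enforces is the one behind <i class="parameter"><tt>read only = yes</tt></i> plus a <i class="parameter"><tt>write list</tt></i>: every client downloads and runs whatever is deposited in this share, so only the accounts that are meant to add drivers should be able to write there, no directory in the tree should be world-writable, and (as the "write list" note says) each non-root write list member should also be a global <i class="parameter"><tt>printer admin</tt></i>. The function names (<tt>smbconf_section</tt>, <tt>smbconf_get</tt>, <tt>check_printdollar_conf</tt>, <tt>check_printdollar_dirs</tt>, <tt>make_sample</tt>), the two sample smb.conf files and the driver tree under a temporary directory are all constructed for the example; the parser assumes the plain "key = value" syntax used throughout this chapter.
</p>

```sh
#!/bin/sh
# Added example, not part of the Samba HOWTO: check that a [print$] share is
# laid out the way Example 18.3 describes, i.e. readable by everyone but
# writable only by the explicit "write list", with the driver tree in place.
# Assumption: smb.conf uses the plain "key = value" syntax shown in the HOWTO.

# Print "key=value" for one section (keys lowercased, whitespace trimmed).
smbconf_section() {               # $1 = smb.conf path, $2 = section name
    awk -v want="$2" '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (s == want); next
        }
        !insec || /^[ \t]*[#;]/ || !/=/ { next }
        {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print tolower(key) "=" val
        }' "$1"
}

# Value of one parameter in one section; empty when it is not set.
smbconf_get() {                   # $1 = smb.conf, $2 = section, $3 = lowercase key
    smbconf_section "$1" "$2" | awk -F= -v k="$3" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# Return 0 when [print$] is read-only for the public, has a write list, and
# every non-root write list member is also a global "printer admin".
# An absent "read only" counts as safe: the per-share default is "yes".
check_printdollar_conf() {        # $1 = smb.conf path
    conf=$1; rc=0
    grep -q '^[[:space:]]*\[print\$]' "$conf" || { echo "no [print\$] section in $conf"; return 1; }
    writable=0
    case "$(smbconf_get "$conf" 'print$' 'read only')" in no|false|0) writable=1 ;; esac
    for k in writeable writable 'write ok'; do
        case "$(smbconf_get "$conf" 'print$' "$k")" in yes|true|1) writable=1 ;; esac
    done
    [ "$writable" -eq 0 ] || { echo "[print\$] is writable by every user; use 'read only = yes' plus a write list"; rc=1; }
    wl=$(smbconf_get "$conf" 'print$' 'write list' | tr ',' ' ')
    [ -n "$wl" ] || { echo "[print\$] has no 'write list': only root can add drivers"; rc=1; }
    pa=" $(smbconf_get "$conf" global 'printer admin' | tr ',' ' ') "
    for who in $wl; do
        [ "$who" = root ] && continue
        case "$pa" in *" $who "*) ;; *) echo "write list member '$who' is not a global 'printer admin'"; rc=1 ;; esac
    done
    return $rc
}

# Return 0 when the architecture directories exist below the [print$] path
# and nothing in the tree is world-writable (clients execute what is here).
check_printdollar_dirs() {        # $1 = path; further args = required arches
    root=$1; shift; rc=0
    [ $# -gt 0 ] || set -- W32X86 WIN40
    for arch in "$@"; do
        [ -d "$root/$arch" ] || { echo "missing $root/$arch"; rc=1; }
    done
    loose=$(find "$root" -type d -perm -0002 | wc -l | tr -d ' ')
    [ "$loose" -eq 0 ] || { echo "$loose world-writable directories under $root"; rc=1; }
    return $rc
}

# Constructed sample (not a real site): a driver tree plus a hardened and a
# weak smb.conf in a temporary directory; prints the directory name.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/drivers/W32X86" "$d/drivers/WIN40"
    chmod 0755 "$d/drivers" "$d/drivers/W32X86" "$d/drivers/WIN40"
    cat > "$d/good.conf" <<EOF
[global]
   printer admin = @ntadmin
[print\$]
   comment = Printer Driver Download Area
   path = $d/drivers
   browseable = yes
   guest ok = yes
   read only = yes
   write list = @ntadmin, root
EOF
    cat > "$d/bad.conf" <<EOF
[print\$]
   path = $d/drivers
   guest ok = yes
   writeable = yes
   write list = @ntadmin, bob
EOF
    printf '%s\n' "$d"
}

# Demonstration on the constructed sample.
sample=$(make_sample)
check_printdollar_conf "$sample/good.conf" && echo "good.conf: OK"
check_printdollar_conf "$sample/bad.conf"  || echo "bad.conf: rejected"
check_printdollar_dirs "$sample/drivers"   && echo "driver tree: OK"
rm -rf "$sample"
```

<p>
Run it against a real configuration as <tt>check_printdollar_conf /etc/samba/smb.conf</tt> followed by <tt>check_printdollar_dirs "$(smbconf_get /etc/samba/smb.conf 'print$' path)" W32X86 WIN40</tt>, naming only the architectures you actually serve (the HOWTO lets you leave the others out). The world-writable test is the UNIX-side counterpart of the share-level <i class="parameter"><tt>read only</tt></i> setting: Samba cannot grant more than the file system allows, but it also cannot protect a driver directory that any local user may overwrite.
</p><p>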
6580 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2899643"></a>Installing Drivers into [print$]</h2></div></div><div></div></div><p>
6581 You have successfully created the <i class="parameter"><tt>[print$]</tt></i>
6582 share in ? And Samba has re-read its
6583 configuration? Good. But you are not yet ready to take off. The
6584 <span class="emphasis"><em>driver files</em></span> need to be present in this share,
6585 too! So far it is still an empty share. Unfortunately, it is not enough
6586 to just copy the driver files over. They need to be <span class="emphasis"><em>set
6587 up</em></span> too. And that is a bit tricky, to say the least. We
6588 will now discuss two alternative ways to install the drivers into
6589 <i class="parameter"><tt>[print$]</tt></i>:
6590 </p><div class="itemizedlist"><ul type="disc"><li><p>using the Samba commandline utility
6591 <b class="command">rpcclient</b> with its various subcommands (here:
6592 <b class="command">adddriver</b> and <b class="command">setdriver</b>) from
6593 any UNIX workstation;</p></li><li><p>running a GUI (<span class="emphasis"><em>Printer
6594 Properties</em></span> and <span class="emphasis"><em>Add Printer Wizard</em></span>)
6595 from any Windows NT/2k/XP client workstation.</p></li></ul></div><p>
6596 The latter option is probably the easier one (even if the only
6597 entrance to this realm seems a little bit weird at first).
6598 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899736"></a>Setting Drivers for existing Printers with a Client GUI</h3></div></div><div></div></div><p>
6599 The initial listing of printers in the Samba host's
6600 <span class="guiicon">Printers</span> folder accessed from a client's Explorer
6601 will have no real printer driver assigned to them. By default
6602 this driver name is set to a NULL
6603 string. This must be changed now. The local <span class="emphasis"><em>Add Printer
6604 Wizard</em></span>, run from NT/2000/XP clients, will help us in this
6605 task.
6606 </p><p>
6607 However, the job to set a valid driver for the printer is not a
6608 straightforward one: You must attempt to view the printer properties
6609 for the printer to which you want the driver assigned. Open the
6610 Windows Explorer, open Network Neighbourhood, browse to the Samba
6611 host, open Samba's <span class="guiicon">Printers</span> folder, right-click the printer icon and
6612 select <span class="guimenu">Properties...</span>. You are now trying to view printer and driver
6613 properties for a queue which has this default <tt class="constant">NULL</tt> driver
6614 assigned. This will result in an error message (this is normal here):
6615 </p><p><span class="errorname"> Device settings cannot be displayed. The driver
6616 for the specified printer is not installed, only spooler properties
6617 will be displayed. Do you want to install the driver
6618 now?</span></p><p>
6619 <span class="emphasis"><em>Important:</em></span> Don't click <span class="guibutton">Yes</span>! Instead,
6620 <span class="emphasis"><em>click <span class="guibutton">No</span></em></span> in the error dialog.
6621 Only now you will be presented with the printer properties window. From here,
6622 the way to assign a driver to a printer is open to us. You now have the choice to
6623 either:
6624 </p><div class="itemizedlist"><ul type="disc"><li><p>select a driver from the pop-up list of installed
6625 drivers. <span class="emphasis"><em>Initially this list will be empty.</em></span>
6626 Or</p></li><li><p>use the <span class="guibutton">New Driver...</span> button to
6627 install a new printer driver (which will in fact start up the
6628 APW).</p></li></ul></div><p>
6629 Once the APW is started, the procedure is exactly the same as the one
6630 you are familiar with in Windows (we assume here that you are
6631 familiar with the printer driver installations procedure on Windows
6632 NT). Make sure your connection is in fact set up as a user with
6633 <a class="indexterm" name="id2899872"></a><i class="parameter"><tt>printer admin</tt></i> privileges (if in doubt, use
6634 <b class="command">smbstatus</b> to check for this). If you wish to
6635 install printer drivers for client operating systems other than
6636 <span class="application">Windows NT x86</span>, you will need to use the
6637 <span class="guilabel">Sharing</span> tab of the printer properties dialog.
6638 </p><p>
6639 Assuming you have connected with an administrative (or root) account
6640 (as named by the <a class="indexterm" name="id2899914"></a><i class="parameter"><tt>printer admin</tt></i> parameter),
6641 you will also be able to modify other printer properties such as ACLs
6642 and default device settings using this dialog. For the default device
6643 settings, please consider the advice given further below.
6644 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899935"></a>Setting Drivers for existing Printers with
6645 <b class="command">rpcclient</b></h3></div></div><div></div></div><p>
6646 The second way to install printer drivers into
6647 <i class="parameter"><tt>[print$]</tt></i> and set them up in a valid way can be
6648 done from the UNIX command line. This involves four distinct steps:
6649 </p><div class="orderedlist"><ol type="1"><li><p>gathering the info about the required driver files
6650 and collecting the files together;</p></li><li><p>deposit the driver files into the
6651 <i class="parameter"><tt>[print$]</tt></i> share's correct subdirectories
6652 (possibly by using <b class="command">smbclient</b>);</p></li><li><p>running the <b class="command">rpcclient</b>
6653 commandline utility once with the <b class="command">adddriver</b>
6654 subcommand,</p></li><li><p>running <b class="command">rpcclient</b> a second
6655 time with the <b class="command">setdriver</b>
6656 subcommand.</p></li></ol></div><p>
6657 We will provide detailed hints for each of these steps in the next few
6658 paragraphs.
6659 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2900043"></a>Identifying the Driver Files</h4></div></div><div></div></div><p>
6660 To find out about the driver files, you have two options: you could
6661 investigate the driver CD which comes with your printer. Study the
6662 <tt class="filename">*.inf</tt> file on the CD, if it is contained. This
6663 may not be possible, since the *.inf file might be
6664 missing. Unfortunately, many vendors have now started to use their own
6665 installation programs. These installation packages are often some
6666 sort of Windows platform archive format, and the files may get
6667 renamed during the installation process. This makes it extremely
6668 difficult to identify the driver files you need.
6669 </p><p>
6670 Then you only have the second option: install the driver first on a
6671 Windows client *locally* and investigate which file names and paths it
6672 uses after they are installed. (Note that you need to repeat this
6673 procedure for every client platform you want to support. We are going
6674 to show it here for the <span class="application">W32X86</span> platform only, a
6675 name used by Microsoft for all WinNT/2k/XP clients...)
6676 </p><p>
6677 A good method to identify the driver files is to print the test
6678 page from the driver's <span class="guilabel">Properties</span> Dialog
6679 (<span class="guilabel">General</span> tab). Then look at the list of driver
6680 files named on the printout. You'll need to recognize what Windows
6681 (and Samba) are calling the <span class="guilabel">Driver File</span> , the
6682 <span class="guilabel">Data File</span>, the <span class="guilabel">Config File</span>,
6683 the <span class="guilabel">Help File</span> and (optionally) the
6684 <span class="guilabel">Dependent Driver Files</span> (this may vary slightly
6685 for Windows NT). You need to remember all names (or better take a
6686 note) for the next steps.
6687 </p><p>
6688 Another method to quickly test the driver filenames and related paths
6689 is provided by the <b class="command">rpcclient</b> utility. Run it with
6690 <b class="command">enumdrivers</b> or with the
6691 <b class="command">getdriver</b> subcommand, each at info level
6692 <span class="emphasis"><em>3</em></span>. In the following example,
6693 <span class="emphasis"><em>TURBO_XP</em></span> is the name of the Windows PC (in this
6694 case it was a Windows XP Professional laptop, BTW). I had installed
6695 the driver locally to TURBO_XP while <span class="emphasis"><em>kde-bitshop</em></span> is
6696 the name of the Linux host from which I am working. We could run an
6697 <span class="emphasis"><em>interactive</em></span> <b class="command">rpcclient</b> session;
6698 then we'd get an <span class="emphasis"><em>rpcclient /&gt;</em></span> prompt and would
6699 type the subcommands at this prompt. This is left as a good exercise
6700 to the reader. For now we use <b class="command">rpcclient</b> with the
6701 <tt class="option">-c</tt> parameter to execute a single subcommand
6702 line and exit again. This is the method you would use if you want to
6703 create scripts to automate the procedure for a large number of
6704 printers and drivers. Note the different quotes used to overcome the
6705 different spaces in between words:
6706 </p><pre class="screen">
6707 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U'Danka%xxxx' -c \
6708 'getdriver "Heidelberg Digimaster 9110 (PS)" 3' TURBO_XP</tt></b>
6709 cmd = getdriver "Heidelberg Digimaster 9110 (PS)" 3
6711 [Windows NT x86]
6712 Printer Driver Info 3:
6713 Version: [2]
6714 Driver Name: [Heidelberg Digimaster 9110 (PS)]
6715 Architecture: [Windows NT x86]
6716 Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01_de.DLL]
6717 Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.ppd]
6718 Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01U_de.DLL]
6719 Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01U_de.HLP]
6721 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.DLL]
6722 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.INI]
6723 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1KMMin.DLL]
6724 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.dat]
6725 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.cat]
6726 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.def]
6727 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.hre]
6728 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.vnd]
6729 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.hlp]
6730 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de_reg.HLP]
6731 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01Aux.dll]
6732 Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01_de.NTF]
6734 Monitorname: []
6735 Defaultdatatype: []
6736 </pre><p>
6737 You may notice, that this driver has quite a big number of
6738 <span class="guilabel">Dependentfiles</span> (I know worse cases however). Also,
6739 strangely, the <span class="guilabel">Driver File</span> is here tagged as
6740 <span class="guilabel">Driver Path</span>.... oh, well. Here we don't have yet
6741 support for the so-called <span class="application">WIN40</span> architecture
6742 installed. This name is used by Microsoft for the Win95/98/ME platforms.
6743 If we want to support these, we need to install the Win95/98/ME driver
6744 files in addition to those for <span class="application">W32X86</span>
6745 (i.e. the WinNT/2000/XP clients) onto a Windows PC. This PC
6746 can also host the Win9x drivers, even if itself runs on Windows NT,
6747 2000 or XP.
6748 </p><p>
6749 Since the <i class="parameter"><tt>[print$]</tt></i> share is usually accessible
6750 through the <span class="guiicon">Network Neighbourhood</span>, you can also use the UNC notation
6751 from Windows Explorer to poke at it. The Win9x driver files will end
6752 up in subdirectory "0" of the "WIN40" directory. The full path to
6753 access them will be
6754 <tt class="filename">\\WINDOWSHOST\print$\WIN40\0\</tt>.
6755 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> more recent drivers on Windows 2000 and Windows XP are
6756 installed into the "3" subdirectory instead of the "2". The version 2
6757 of drivers, as used in Windows NT, were running in Kernel Mode.
6758 Windows 2000 changed this. While it still can use the Kernel Mode
6759 drivers (if this is enabled by the Admin), its native mode for printer
6760 drivers is User Mode execution. This requires drivers designed for
6761 this. These type of drivers install into the "3" subdirectory.
6762 </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2900368"></a>Collecting the Driver Files from a Windows Host's
6763 [print$] Share</h4></div></div><div></div></div><p>
6764 Now we need to collect all the driver files we identified in our
6765 previous step. Where do we get them from? Well, why not retrieve them
6766 from the very PC and the same <i class="parameter"><tt>[print$]</tt></i> share
6767 which we investigated in our last step to identify the files? We can
6768 use <b class="command">smbclient</b> to do this. We will use the paths and
6769 names which were leaked to us by <b class="command">getdriver</b>. The
6770 listing is edited to include linebreaks for readability:
6771 </p><pre class="screen">
6772 <tt class="prompt">root# </tt><b class="userinput"><tt>smbclient //TURBO_XP/print\$ -U'Danka%xxxx' \
6773 -c 'cd W32X86/2;mget HD*_de.* \
6774 hd*ppd Hd*_de.* Hddm*dll HDN*Aux.DLL'</tt></b>
6775 added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
6776 Got a positive name query response from 10.160.50.8 ( 10.160.50.8 )
6777 Domain=[DEVELOPMENT] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
6778 <tt class="prompt">Get file Hddm91c1_de.ABD? </tt><b class="userinput"><tt>n</tt></b>
6779 <tt class="prompt">Get file Hddm91c1_de.def? </tt><b class="userinput"><tt>y</tt></b>
6780 getting file \W32X86\2\Hddm91c1_de.def of size 428 as Hddm91c1_de.def
6781 <tt class="prompt">Get file Hddm91c1_de.DLL? </tt><b class="userinput"><tt>y</tt></b>
6782 getting file \W32X86\2\Hddm91c1_de.DLL of size 876544 as Hddm91c1_de.DLL
6783 [...]
6785 </pre><p>
6786 After this command is complete, the files are in our current local
6787 directory. You probably have noticed that this time we passed several
6788 commands to the <tt class="option">-c</tt> parameter, separated by semi-colons. This
6789 causes all commands to be executed in sequence on the remote
6790 Windows server before smbclient exits again.
6791 </p><p>
6792 Don't forget to repeat the procedure for the <span class="application">WIN40</span>
6793 architecture should you need to support Win95/98/ME clients. Remember, the
6794 files for these architectures are in the WIN40/0/ subdir. Once we are
6795 complete, we can run <b class="command">smbclient ... put</b> to store
6796 the collected files on the Samba server's
6797 <i class="parameter"><tt>[print$]</tt></i> share.
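</p><p>
The following is an added example, not code from the Samba HOWTO or the Samba project: a POSIX shell script that automates the "identify, collect, deposit" steps of this section. It parses the level-3 <b class="command">getdriver</b> listing shown above into the list of driver file names and builds the <b class="command">smbclient</b> <tt class="option">-c</tt> strings for both transfers: a <tt>get</tt> run against <tt>W32X86/2</tt> on the Windows host, and a <tt>put</tt> run into <tt>W32X86</tt> on the Samba host (the HOWTO deposits into the architecture directory itself, not yet into its numbered subdirectory). The sample listing is constructed, modelled on the one above and abridged; the function names <tt>driver_files</tt> and <tt>build_transfer_command</tt> are the example's own. Because the file names come back from a remote host and are spliced into a command line, the script refuses any name that could change directory or split the command.
</p>

```sh
#!/bin/sh
# Added example, not part of the Samba HOWTO: derive the driver file list from
# "rpcclient ... -c 'getdriver "<printer>" 3'" output and build the smbclient
# -c strings for the get (Windows host) and put (Samba host) steps.

# Constructed sample, modelled on the level-3 getdriver listing in the HOWTO
# (abridged; real output lists every dependent file).
GETDRIVER_OUTPUT='[Windows NT x86]
Printer Driver Info 3:
        Version: [2]
        Driver Name: [Heidelberg Digimaster 9110 (PS)]
        Architecture: [Windows NT x86]
        Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01_de.DLL]
        Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.ppd]
        Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01U_de.DLL]
        Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01U_de.HLP]

        Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.DLL]
        Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.INI]
        Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1KMMin.DLL]
        Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.dat]
        Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01Aux.dll]

        Monitorname: []
        Defaultdatatype: []'

# Print the basename of every driver, data, config, help and dependent file,
# one per line, in listing order and without duplicates.
driver_files() {                  # $1 = getdriver output
    printf '%s\n' "$1" | awk -F'[][]' '
        /^[ \t]*(Driver Path|Datafile|Configfile|Helpfile|Dependentfiles):/ {
            n = split($2, part, /\\/)        # last component of the Windows path
            f = part[n]
            if (f != "" && !seen[f]++) print f
        }'
}

# Build "cd <dir>; get F; ..." or "cd <dir>; put F; ..." from file names on
# stdin. The names come from a remote host's reply and end up inside a
# command line, so anything that could change directory or split the
# command is refused and the function returns 1.
build_transfer_command() {        # $1 = get|put, $2 = remote directory
    case "$1" in get|put) ;; *) echo "verb must be get or put" >&2; return 1 ;; esac
    cmd="cd $2"
    while IFS= read -r f; do
        case "$f" in
            ''|..|*/*|*\\*|*';'*|*' '*|*"'"*|*'"'*)
                echo "refusing unsafe file name: $f" >&2; return 1 ;;
        esac
        cmd="$cmd; $1 $f"
    done
    printf '%s\n' "$cmd"
}

# Demonstration: the two command strings for the sample listing.
files=$(driver_files "$GETDRIVER_OUTPUT")
echo "fetch from the Windows host:"
printf '%s\n' "$files" | build_transfer_command get 'W32X86/2'
echo "deposit on the Samba host:"
printf '%s\n' "$files" | build_transfer_command put W32X86
# The put string is what you would hand to smbclient, for example:
#   smbclient //SAMBA-CUPS/print\$ -U'root%xxxx' \
#     -c "$(printf '%s\n' "$files" | build_transfer_command put W32X86)"
```

<p>
The de-duplication matters in practice: the hand-typed <tt>put</tt> list earlier in this chapter uploads one file twice, which a generated list avoids. Running the script once per architecture (with <tt>WIN40/0</tt> and <tt>WIN40</tt> in place of <tt>W32X86/2</tt> and <tt>W32X86</tt>) covers the Win95/98/ME drivers as well.
</p><p>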
6798 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2900518"></a>Depositing the Driver Files into [print$]</h4></div></div><div></div></div><p>
6799 So, now we are going to put the driver files into the
6800 <i class="parameter"><tt>[print$]</tt></i> share. Remember, the UNIX path to this
6801 share has been defined previously in your
6802 . You also have created subdirectories
6803 for the different Windows client types you want to support. Supposing
6804 your <i class="parameter"><tt>[print$]</tt></i> share maps to the UNIX path
6805 <tt class="filename">/etc/samba/drivers/</tt>, your driver files should now
6806 go here:
6807 </p><div class="itemizedlist"><ul type="disc"><li><p>for all Windows NT, 2000 and XP clients into
6808 <tt class="filename">/etc/samba/drivers/W32X86/</tt> <span class="emphasis"><em>but
6809 *not*(yet) into the "2" subdir</em></span>!</p></li><li><p>for all Windows 95, 98 and ME clients into
6810 <tt class="filename">/etc/samba/drivers/WIN40/</tt> -- <span class="emphasis"><em>but *not*
6811 (yet) into the "0" subdir</em></span>!</p></li></ul></div><p>
6812 We again use smbclient to transfer the driver files across the
6813 network. We specify the same files and paths as were reported to us by
6814 running <b class="command">getdriver</b> against the original
6815 <span class="emphasis"><em>Windows</em></span> install. However, now we are going to
6816 store the files into a <span class="emphasis"><em>Samba/UNIX</em></span> print server's
6817 <i class="parameter"><tt>[print$]</tt></i> share...
6818 </p><pre class="screen">
6819 <tt class="prompt">root# </tt><b class="userinput"><tt>smbclient //SAMBA-CUPS/print\$ -U'root%xxxx' -c \
6820 'cd W32X86; put HDNIS01_de.DLL; \
6821 put Hddm91c1_de.ppd; put HDNIS01U_de.DLL; \
6822 put HDNIS01U_de.HLP; put Hddm91c1_de.DLL; \
6823 put Hddm91c1_de.INI; put Hddm91c1KMMin.DLL; \
6824 put Hddm91c1_de.dat; put Hddm91c1_de.dat; \
6825 put Hddm91c1_de.def; put Hddm91c1_de.hre; \
6826 put Hddm91c1_de.vnd; put Hddm91c1_de.hlp; \
6827 put Hddm91c1_de_reg.HLP; put HDNIS01Aux.dll; \
6828 put HDNIS01_de.NTF'</tt></b>
6829 added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
6830 Got a positive name query response from 10.160.51.162 ( 10.160.51.162 )
6831 Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
6832 putting file HDNIS01_de.DLL as \W32X86\HDNIS01_de.DLL
6833 putting file Hddm91c1_de.ppd as \W32X86\Hddm91c1_de.ppd
6834 putting file HDNIS01U_de.DLL as \W32X86\HDNIS01U_de.DLL
6835 putting file HDNIS01U_de.HLP as \W32X86\HDNIS01U_de.HLP
6836 putting file Hddm91c1_de.DLL as \W32X86\Hddm91c1_de.DLL
6837 putting file Hddm91c1_de.INI as \W32X86\Hddm91c1_de.INI
6838 putting file Hddm91c1KMMin.DLL as \W32X86\Hddm91c1KMMin.DLL
6839 putting file Hddm91c1_de.dat as \W32X86\Hddm91c1_de.dat
6840 putting file Hddm91c1_de.dat as \W32X86\Hddm91c1_de.dat
6841 putting file Hddm91c1_de.def as \W32X86\Hddm91c1_de.def
6842 putting file Hddm91c1_de.hre as \W32X86\Hddm91c1_de.hre
6843 putting file Hddm91c1_de.vnd as \W32X86\Hddm91c1_de.vnd
6844 putting file Hddm91c1_de.hlp as \W32X86\Hddm91c1_de.hlp
6845 putting file Hddm91c1_de_reg.HLP as \W32X86\Hddm91c1_de_reg.HLP
6846 putting file HDNIS01Aux.dll as \W32X86\HDNIS01Aux.dll
6847 putting file HDNIS01_de.NTF as \W32X86\HDNIS01_de.NTF
6848 </pre><p>
6849 Phewww -- that was a lot of typing! Most drivers are a lot smaller --
6850 many only having 3 generic PostScript driver files plus 1 PPD. Note
6851 that while we did retrieve the files from the "2" subdirectory of the
6852 "W32X86" directory from the Windows box, we <span class="emphasis"><em>don't</em></span>
6853 put them (for now) in this same subdirectory of the Samba box! This
6854 re-location will automatically be done by the
6855 <b class="command">adddriver</b> command which we will run shortly (and
6856 don't forget to also put the files for the Win95/98/ME architecture
6857 into the <tt class="filename">WIN40/</tt> subdirectory should you need
6858 them).
6859 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2900731"></a>Check if the Driver Files are there (with smbclient)</h4></div></div><div></div></div><p>
6860 For now we verify that our files are there. This can be done with
6861 <b class="command">smbclient</b> too (but of course you can also log in via SSH
6862 and do this through a standard UNIX shell):
6863 </p><pre class="screen">
6864 <tt class="prompt">root# </tt><b class="userinput"><tt>smbclient //SAMBA-CUPS/print\$ -U 'root%xxxx' \
6865 -c 'cd W32X86; pwd; dir; cd 2; pwd; dir'</tt></b>
6866 added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
6867 Got a positive name query response from 10.160.51.162 ( 10.160.51.162 )
6868 Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
6870 Current directory is \\SAMBA-CUPS\print$\W32X86\
6871 . D 0 Sun May 4 03:56:35 2003
6872 .. D 0 Thu Apr 10 23:47:40 2003
6873 2 D 0 Sun May 4 03:56:18 2003
6874 HDNIS01Aux.dll A 15356 Sun May 4 03:58:59 2003
6875 Hddm91c1KMMin.DLL A 46966 Sun May 4 03:58:59 2003
6876 HDNIS01_de.DLL A 434400 Sun May 4 03:58:59 2003
6877 HDNIS01_de.NTF A 790404 Sun May 4 03:56:35 2003
6878 Hddm91c1_de.DLL A 876544 Sun May 4 03:58:59 2003
6879 Hddm91c1_de.INI A 101 Sun May 4 03:58:59 2003
6880 Hddm91c1_de.dat A 5044 Sun May 4 03:58:59 2003
6881 Hddm91c1_de.def A 428 Sun May 4 03:58:59 2003
6882 Hddm91c1_de.hlp A 37699 Sun May 4 03:58:59 2003
6883 Hddm91c1_de.hre A 323584 Sun May 4 03:58:59 2003
6884 Hddm91c1_de.ppd A 26373 Sun May 4 03:58:59 2003
6885 Hddm91c1_de.vnd A 45056 Sun May 4 03:58:59 2003
6886 HDNIS01U_de.DLL A 165888 Sun May 4 03:58:59 2003
6887 HDNIS01U_de.HLP A 19770 Sun May 4 03:58:59 2003
6888 Hddm91c1_de_reg.HLP A 228417 Sun May 4 03:58:59 2003
6889 40976 blocks of size 262144. 709 blocks available
6891 Current directory is \\SAMBA-CUPS\print$\W32X86\2\
6892 . D 0 Sun May 4 03:56:18 2003
6893 .. D 0 Sun May 4 03:56:35 2003
6894 ADOBEPS5.DLL A 434400 Sat May 3 23:18:45 2003
6895 laserjet4.ppd A 9639 Thu Apr 24 01:05:32 2003
6896 ADOBEPSU.DLL A 109568 Sat May 3 23:18:45 2003
6897 ADOBEPSU.HLP A 18082 Sat May 3 23:18:45 2003
6898 PDFcreator2.PPD A 15746 Sun Apr 20 22:24:07 2003
6899 40976 blocks of size 262144. 709 blocks available
6900 </pre><p>
6901 Notice that there are already driver files present in the
6902 <tt class="filename">2</tt> subdir (probably from a previous
6903 installation). Once the files for the new driver are there too, you
6904 are still a few steps away from being able to use them on the
6905 clients. The only thing you could do *now* is to retrieve them from a
6906 client just like you retrieve ordinary files from a file share, by
6907 opening print$ in Windows Explorer. But that wouldn't install them per
6908 Point'n'Print. The reason is: Samba doesn't know yet that these files
6909 are something special, namely <span class="emphasis"><em>printer driver
6910 files</em></span> and it doesn't know yet to which print queue(s) these
6911 driver files belong.
6912 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2900890"></a>Running <b class="command">rpcclient</b> with
6913 <b class="command">adddriver</b></h4></div></div><div></div></div><p>
6914 So, next you must tell Samba about the special category of the files
6915 you just uploaded into the <i class="parameter"><tt>[print$]</tt></i> share. This
6916 is done by the <b class="command">adddriver</b> command. It will
6917 prompt Samba to register the driver files into its internal TDB
6918 database files. The following command and its output have been edited,
6919 again, for readability:
6920 </p><pre class="screen">
6921 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'adddriver "Windows NT x86" \
6922 "dm9110:HDNIS01_de.DLL: \
6923 Hddm91c1_de.ppd:HDNIS01U_de.DLL:HDNIS01U_de.HLP: \
6924 NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
6925 Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
6926 Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
6927 HDNIS01Aux.dll,HDNIS01_de.NTF, \
6928 Hddm91c1_de_reg.HLP' SAMBA-CUPS</tt></b>
6930 cmd = adddriver "Windows NT x86" \
6931 "dm9110:HDNIS01_de.DLL:Hddm91c1_de.ppd:HDNIS01U_de.DLL: \
6932 HDNIS01U_de.HLP:NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
6933 Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
6934 Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
6935 HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP"
6937 Printer Driver dm9110 successfully installed.
6939 </pre><p>
6940 After this step the driver should be recognized by Samba on the print
6941 server. You need to be very careful when typing the command. Don't
6942 exchange the order of the fields. Some changes would lead to a
6943 <tt class="computeroutput">NT_STATUS_UNSUCCESSFUL</tt> error
6944 message. These become obvious. Other changes might install the driver
6945 files successfully, but render the driver unworkable. So take care!
6946 Hints about the syntax of the adddriver command are in the man
6947 page. The CUPS printing chapter of this HOWTO collection provides a
6948 more detailed description, if you should need it.
6949 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2900990"></a>Check how Driver Files have been moved after
6950 <b class="command">adddriver</b> finished</h4></div></div><div></div></div><p>
6951 One indication for Samba's recognition of the files as driver files is
6952 the <tt class="computeroutput">successfully installed</tt> message.
6953 Another one is the fact that our files have been moved by the
6954 <b class="command">adddriver</b> command into the <tt class="filename">2</tt>
6955 subdirectory. You can check this again with
6956 <b class="command">smbclient</b>:
6957 </p><pre class="screen">
6958 <tt class="prompt">root# </tt><b class="userinput"><tt>smbclient //SAMBA-CUPS/print\$ -Uroot%xx -c 'cd W32X86;dir;pwd;cd 2;dir;pwd'</tt></b>
6959 added interface ip=10.160.51.162 bcast=10.160.51.255 nmask=255.255.252.0
6960 Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
6962 Current directory is \\SAMBA-CUPS\print$\W32X86\
6963 . D 0 Sun May 4 04:32:48 2003
6964 .. D 0 Thu Apr 10 23:47:40 2003
6965 2 D 0 Sun May 4 04:32:48 2003
6966 40976 blocks of size 262144. 731 blocks available
6968 Current directory is \\SAMBA-CUPS\print$\W32X86\2\
6969 . D 0 Sun May 4 04:32:48 2003
6970 .. D 0 Sun May 4 04:32:48 2003
6971 DigiMaster.PPD A 148336 Thu Apr 24 01:07:00 2003
6972 ADOBEPS5.DLL A 434400 Sat May 3 23:18:45 2003
6973 laserjet4.ppd A 9639 Thu Apr 24 01:05:32 2003
6974 ADOBEPSU.DLL A 109568 Sat May 3 23:18:45 2003
6975 ADOBEPSU.HLP A 18082 Sat May 3 23:18:45 2003
6976 PDFcreator2.PPD A 15746 Sun Apr 20 22:24:07 2003
6977 HDNIS01Aux.dll A 15356 Sun May 4 04:32:18 2003
6978 Hddm91c1KMMin.DLL A 46966 Sun May 4 04:32:18 2003
6979 HDNIS01_de.DLL A 434400 Sun May 4 04:32:18 2003
6980 HDNIS01_de.NTF A 790404 Sun May 4 04:32:18 2003
6981 Hddm91c1_de.DLL A 876544 Sun May 4 04:32:18 2003
6982 Hddm91c1_de.INI A 101 Sun May 4 04:32:18 2003
6983 Hddm91c1_de.dat A 5044 Sun May 4 04:32:18 2003
6984 Hddm91c1_de.def A 428 Sun May 4 04:32:18 2003
6985 Hddm91c1_de.hlp A 37699 Sun May 4 04:32:18 2003
6986 Hddm91c1_de.hre A 323584 Sun May 4 04:32:18 2003
6987 Hddm91c1_de.ppd A 26373 Sun May 4 04:32:18 2003
6988 Hddm91c1_de.vnd A 45056 Sun May 4 04:32:18 2003
6989 HDNIS01U_de.DLL A 165888 Sun May 4 04:32:18 2003
6990 HDNIS01U_de.HLP A 19770 Sun May 4 04:32:18 2003
6991 Hddm91c1_de_reg.HLP A 228417 Sun May 4 04:32:18 2003
6992 40976 blocks of size 262144. 731 blocks available
6994 </pre><p>
6995 Another verification is that the timestamp of the printing TDB files
6996 is now updated (and possibly their filesize has increased).
6997 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2901159"></a>Check if the Driver is recognized by Samba</h4></div></div><div></div></div><p>
6998 Now the driver should be registered with Samba. We can easily verify
6999 this, and will do so in a moment. However, this driver is
7000 <span class="emphasis"><em>not yet</em></span> associated with a particular
7001 <span class="emphasis"><em>printer</em></span>. We may check the driver status of the
7002 files by at least three methods:
7003 </p><div class="itemizedlist"><ul type="disc"><li><p>from any Windows client browse Network Neighbourhood,
7004 find the Samba host and open the Samba <span class="guiicon">Printers and
7005 Faxes</span> folder. Select any printer icon, right-click and
7006 select the printer <span class="guimenuitem">Properties</span>. Click on the
7007 <span class="guilabel">Advanced</span> tab. Here is a field indicating the
7008 driver for that printer. A drop down menu allows you to change that
7009 driver (be careful not to do this unwittingly). You can use this
7010 list to view all drivers known to Samba. Your new one should be amongst
7011 them. (Each type of client will only see its own architecture's
7012 list. If you don't have every driver installed for each platform, the
7013 list will differ if you look at it from Windows95/98/ME or
7014 WindowsNT/2000/XP.)</p></li><li><p>from a Windows 2000 or XP client (not WinNT) browse
7015 <span class="guiicon">Network Neighbourhood</span>, search for the Samba
7016 server and open the server's <span class="guiicon">Printers</span> folder,
7017 right-click the white background (with no printer highlighted). Select
7018 <span class="guimenuitem">Server Properties</span>. On the
7019 <span class="guilabel">Drivers</span> tab you will see the new driver listed
7020 now. This view enables you to also inspect the list of files belonging
7021 to that driver<span class="emphasis"><em> (this doesn't work on Windows NT, but only on
7022 Windows 2000 and Windows XP. WinNT doesn't provide the "Drivers"
7023 tab).</em></span>. An alternative, much quicker method for Windows
7024 2000/XP to start this dialog is by typing into a DOS box (you must of
7025 course adapt the name to your Samba server instead of <i class="replaceable"><tt>SAMBA-CUPS</tt></i>):
7026 </p><p><b class="userinput"><tt> rundll32 printui.dll,PrintUIEntry /s /t2 /n\\<i class="replaceable"><tt>SAMBA-CUPS</tt></i></tt></b></p></li><li><p>from a UNIX prompt run this command (or a variant
7027 thereof), where <i class="replaceable"><tt>SAMBA-CUPS</tt></i> is the name of the Samba
7028 host and "xxxx" represents the actual Samba password assigned to root:
7029 </p><p><b class="userinput"><tt>rpcclient -U'root%xxxx' -c 'enumdrivers' <i class="replaceable"><tt>SAMBA-CUPS</tt></i></tt></b></p><p>
7030 You will see a listing of all drivers Samba knows about. Your new one
7031 should be amongst them. But it is only listed under the <i class="parameter"><tt>[Windows NT
7032 x86]</tt></i> heading, not under <i class="parameter"><tt>[Windows 4.0]</tt></i>,
7033 since we didn't install that part. Or did *you*? -- In our
7034 example it is named <span class="emphasis"><em>dm9110</em></span>. Note that the 3rd column
7035 shows the other installed drivers twice, once for each supported
7036 architecture. Our new driver only shows up for
7038 <span class="application">Windows NT 4.0 or 2000</span>. To
7039 have it present for <span class="application">Windows 95, 98 and ME</span> you'll
7040 have to repeat the whole procedure with the WIN40 architecture and subdirectory.
7041 </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2901363"></a>A side note: you are not bound to specific driver names</h4></div></div><div></div></div><p>
7042 You can name the driver as you like. If you repeat the
7043 <b class="command">adddriver</b> step, with the same files as before, but
7044 with a different driver name, it will work the same:
7045 </p><pre class="screen">
7046 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx \
7047 -c 'adddriver "Windows NT x86" \
7048 "myphantasydrivername:HDNIS01_de.DLL: \
7049 Hddm91c1_de.ppd:HDNIS01U_de.DLL:HDNIS01U_de.HLP: \
7050 NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
7051 Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
7052 Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
7053 HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP' SAMBA-CUPS
7054 </tt></b>
7056 cmd = adddriver "Windows NT x86"
7057 "myphantasydrivername:HDNIS01_de.DLL:Hddm91c1_de.ppd:HDNIS01U_de.DLL:\
7058 HDNIS01U_de.HLP:NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
7059 Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
7060 Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
7061 HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP"
7063 Printer Driver myphantasydrivername successfully installed.
7065 </pre><p>
7066 You will also be able to bind that driver to any print queue (however,
7067 you are responsible yourself for associating drivers with queues
7068 which make sense for the target printer). Note that you can't run the
7069 <b class="command">rpcclient</b> <b class="command">adddriver</b> command
7070 repeatedly. Each run "consumes" the files you had put into the
7071 <i class="parameter"><tt>[print$]</tt></i> share by moving them into the
7072 respective subdirectories. So you <span class="emphasis"><em>must</em></span> run an
7073 <b class="command">smbclient ... put</b> command before each
7074 <b class="command">rpcclient ... adddriver</b> command.
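</p><p>
A small POSIX sh helper, added here and not part of the Samba HOWTO, that builds the <b class="command">adddriver</b> spec in the field order shown above, checks that every file the spec names is still at the top of the architecture directory (and not already moved into the <tt class="filename">2</tt> subdirectory by an earlier <b class="command">adddriver</b> run), and only then calls <b class="command">rpcclient</b>. It runs on the Samba host as root; the host name SAMBA-CUPS, the path <tt class="filename">/etc/samba/drivers/W32X86</tt> and the <tt class="option">-A</tt> authentication file <tt class="filename">/root/.smbauth</tt> are assumed sample values, and the field names are those documented in rpcclient(1).
</p>
```sh
#!/bin/sh
# Added example, not part of the Samba HOWTO: check the staged driver files
# and build the rpcclient adddriver spec in the exact field order the text
# relies on. Meant to run on the Samba host as root. SAMBA-CUPS,
# /etc/samba/drivers/W32X86 and /root/.smbauth are constructed sample values.

# Build the adddriver argument string. Field order (per rpcclient(1)):
#   LongName:Driver:DataFile:ConfigFile:HelpFile:LanguageMonitor:DefaultDataType:Dep1,Dep2,...
# Positional args: name driver datafile configfile helpfile [dependent files...]
build_adddriver_spec() {
    name=$1 driver=$2 datafile=$3 configfile=$4 helpfile=$5
    shift 5
    deps=""
    for f in "$@"; do
        if [ -z "$deps" ]; then deps=$f; else deps="$deps,$f"; fi
    done
    # No language monitor (NULL) and RAW default data type, as in the HOWTO.
    printf '%s:%s:%s:%s:%s:NULL:RAW:%s' "$name" "$driver" "$datafile" \
        "$configfile" "$helpfile" "$deps"
}

# Print every file name a spec references, one per line
# (fields 2-6 are single files, NULL means "none", field 8 is comma-separated).
spec_files() {
    printf '%s\n' "$1" | awk -F: '{
        for (i = 2; i <= 6; i++) if ($i != "" && $i != "NULL") print $i
        n = split($8, dep, ",")
        for (j = 1; j <= n; j++) if (dep[j] != "") print dep[j]
    }'
}

# Verify that every file in the spec sits at the top of the architecture
# directory (e.g. /etc/samba/drivers/W32X86), where smbclient put it and
# where adddriver expects it. A file found only in the "2" subdirectory is
# reported separately: an earlier adddriver run already consumed it.
# Returns 0 when nothing is missing, 1 otherwise. File names must not
# contain whitespace (true for all driver files on this page).
check_staged_files() {
    dir=$1 spec=$2 missing=0
    for f in $(spec_files "$spec"); do
        if [ -f "$dir/$f" ]; then
            continue
        elif [ -f "$dir/2/$f" ]; then
            echo "already moved into $dir/2: $f (consumed by an earlier adddriver run; put it again)" >&2
        else
            echo "missing in $dir: $f" >&2
        fi
        missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# Run the check, then register the driver. Credentials come from an
# authentication file via -A (lines "username = root" / "password = ...")
# so root's Samba password is not visible in ps output or shell history.
register_driver() {
    host=$1 authfile=$2 dir=$3 spec=$4
    check_staged_files "$dir" "$spec" || return 1
    rpcclient -A "$authfile" -c "adddriver \"Windows NT x86\" \"$spec\"" "$host"
}

# Usage (constructed sample): sh stage-driver.sh register
if [ "${1-}" = "register" ]; then
    SPEC=$(build_adddriver_spec dm9110 HDNIS01_de.DLL Hddm91c1_de.ppd \
        HDNIS01U_de.DLL HDNIS01U_de.HLP \
        Hddm91c1_de.DLL Hddm91c1_de.INI Hddm91c1_de.dat Hddm91c1_de.def \
        Hddm91c1_de.hre Hddm91c1_de.vnd Hddm91c1_de.hlp Hddm91c1KMMin.DLL \
        HDNIS01Aux.dll HDNIS01_de.NTF Hddm91c1_de_reg.HLP)
    register_driver SAMBA-CUPS /root/.smbauth /etc/samba/drivers/W32X86 "$SPEC"
fi
```
<p>
Reading the password from an authentication file rather than passing <tt class="option">-U'root%xxxx'</tt> keeps root's Samba password out of the process list and shell history on the host.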
7075 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2901473"></a>Running <b class="command">rpcclient</b> with
7076 <b class="command">setdriver</b></h4></div></div><div></div></div><p>
7077 Samba still needs to know <span class="emphasis"><em>which</em></span> printer's driver
7078 this is. It needs to create a mapping of the driver to a printer, and
7079 store this info in its "memory", the TDB files. The <b class="command">rpcclient
7080 setdriver</b> command achieves exactly this:
7081 </p><pre class="screen">
7082 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U'root%xxxx' -c 'setdriver dm9110 myphantasydrivername' <i class="replaceable"><tt>SAMBA-CUPS</tt></i></tt></b>
7083 cmd = setdriver dm9110 myphantasydrivername
7084 Successfully set dm9110 to driver myphantasydrivername.
7085 </pre><p>
7086 Ahhhhh -- no, I didn't want to do that. Repeat, this time with the
7087 name I intended:
7088 </p><pre class="screen">
7089 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U'root%xxxx' -c 'setdriver dm9110 dm9110' <i class="replaceable"><tt>SAMBA-CUPS</tt></i></tt></b>
7090 cmd = setdriver dm9110 dm9110
7091 Successfully set dm9110 to driver dm9110.
7092 </pre><p>
7093 The syntax of the command is <b class="userinput"><tt>rpcclient
7094 -U'root%<i class="replaceable"><tt>sambapassword</tt></i>' -c 'setdriver
7095 "<i class="replaceable"><tt>printername</tt></i>"
7096 "<i class="replaceable"><tt>drivername</tt></i>"'
7097 <i class="replaceable"><tt>SAMBA-Hostname</tt></i></tt></b>. --
7098 Now we have done *most* of the work. But not yet all....
7099 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
7100 the <b class="command">setdriver</b> command will only succeed if the printer is
7101 known to
7102 Samba already. A bug in 2.2.x prevented Samba from recognizing freshly
7103 installed printers. You had to restart Samba, or at least send a HUP
7104 signal to all running smbd processes to work around this:
7105 <b class="userinput"><tt>kill -HUP `pidof smbd`</tt></b>. </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901625"></a>Client Driver Install Procedure</h2></div></div><div></div></div><p>
7106 A famous philosopher said once: &#8220;<span class="quote">The Proof of the Pudding lies
7107 in the Eating</span>&#8221;. The proof for our setup lies in the printing.
7108 So let's install the printer driver onto the client PCs. This is not
7109 as straightforward as it may seem. Read on.
7110 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2901643"></a>The first Client Driver Installation</h3></div></div><div></div></div><p>
7111 Especially important is the installation onto the first client PC (for
7112 each architectural platform separately). Once this is done correctly,
7113 all further clients are easy to setup and shouldn't need further
7114 attention. What follows is a description for the recommended first
7115 procedure. You work now from a client workstation. First you should
7116 guarantee that your connection is not unwittingly mapped to
7117 <span class="emphasis"><em>bad user</em></span> "nobody". In a DOS box type:
7118 </p><p><b class="userinput"><tt>net use \\<i class="replaceable"><tt>SAMBA-SERVER</tt></i>\print$ /user:root</tt></b></p><p>
7119 Replace root, if needed, by another valid
7120 <i class="replaceable"><tt>printer admin</tt></i> user as given in the <tt class="filename">smb.conf</tt> definition.
7121 Should you already be connected as a different user, you'll get an error
7122 message. There is no easy way to get rid of that connection, because
7123 Windows doesn't seem to know a concept of "logging off" from a share
7124 connection (don't confuse this with logging off from the local
7125 workstation; that is a different matter). You can try to close
7126 <span class="emphasis"><em>all</em></span> Windows file explorer and Internet Explorer
7127 windows. As a last resort, you may have to reboot. Make sure there is
7128 no automatic re-connection set up. It may be easier to go to a
7129 different workstation and try from there. After you have made sure you
7130 are connected as a printer admin user (you can check this with the
7131 <b class="command">smbstatus</b> command on Samba) do this from the
7132 Windows workstation:
7133 </p><div class="itemizedlist"><ul type="disc"><li><p>Open <span class="guiicon">Network
7134 Neighbourhood</span></p></li><li><p>Browse to Samba server</p></li><li><p>Open its <span class="guiicon">Printers and
7135 Faxes</span> folder</p></li><li><p>Highlight and right-click the printer</p></li><li><p>Select <span class="guimenuitem">Connect...</span> (for WinNT4/2K
7136 it is possibly <span class="guimenuitem">Install...</span>)</p></li></ul></div><p>
7137 A new printer (named <i class="replaceable"><tt>printername</tt></i> on
7138 samba-server) should now have appeared in your
7139 <span class="emphasis"><em>local</em></span> Printer folder (check <span class="guimenu">Start</span> --
7140 <span class="guimenuitem">Settings</span> -- <span class="guimenuitem">Control Panel</span>
7141 -- <span class="guiicon">Printers and Faxes</span>).
7142 </p><p>
7143 Most likely you are now tempted to try and print a test page. After
7144 all, you now can open the printer properties and on the "General" tab,
7145 there is a button offering to do just that. But chances are that you
7146 get an error message saying <span class="errorname">Unable to print Test
7147 Page</span>. The reason might be that there is not yet a
7148 valid Device Mode set for the driver, or that the "Printer Driver
7149 Data" set is still incomplete.
7150 </p><p>
7151 You must now make sure that a valid "Device Mode" is set for the
7152 driver. Don't fear -- we will explain now what that means.
7153 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2901839"></a>IMPORTANT! Setting Device Modes on new Printers</h3></div></div><div></div></div><p>
7154 In order for a printer to be truly usable by a Windows NT/2K/XP
7155 client, it must possess:
7156 </p><div class="itemizedlist"><ul type="disc"><li><p>a valid <span class="emphasis"><em>Device Mode</em></span> generated by
7157 the driver for the printer (defining things like paper size,
7158 orientation and duplex settings), and</p></li><li><p>a complete set of
7159 <span class="emphasis"><em>Printer Driver Data</em></span> generated by the
7160 driver.</p></li></ul></div><p>
7161 If either one of these is incomplete, the clients can produce less
7162 than optimal output at best. In the worst cases, unreadable garbage or
7163 nothing at all comes from the printer or they produce a harvest of
7164 error messages when attempting to print. Samba stores the named values
7165 and all printing related info in its internal TDB database files
7166 (<tt class="filename">ntprinters.tdb</tt>,
7167 <tt class="filename">ntdrivers.tdb</tt>, <tt class="filename">printing.tdb</tt>
7168 and <tt class="filename">ntforms.tdb</tt>).
7169 </p><p>
7170 What do these two words stand for? Basically, the Device Mode and the
7171 set of Printer Driver Data is a collection of settings for all print
7172 queue properties, initialized in a sensible way. Device Modes and
7173 Printer Driver Data should initially be set on the print server (that is
7174 here: the Samba host) to healthy values so that the clients can start
7175 to use them immediately. How do we set these initial healthy values?
7176 This can be achieved by accessing the drivers remotely from an NT (or
7177 2k/XP) client, as is discussed in the next paragraphs.
7178 </p><p>
7179 Be aware that a valid Device Mode can only be initiated by a
7180 <a class="indexterm" name="id2901935"></a><i class="parameter"><tt>printer admin</tt></i>, or root (the reason should be
7181 obvious). Device Modes can only correctly be set by executing the
7182 printer driver program itself. Since Samba can not execute this Win32
7183 platform driver code, it sets this field initially to NULL (which is
7184 not a valid setting for clients to use). Fortunately, most drivers
7185 themselves generate the Printer Driver Data that is needed when they
7186 are uploaded to the <i class="parameter"><tt>[print$]</tt></i> share with the
7187 help of the APW or rpcclient.
7188 </p><p>
7189 The generation and setting of a first valid Device Mode however
7190 requires some "tickling" from a client, to set it on the Samba
7191 server. The easiest means of doing so is to simply change the page
7192 orientation on the server's printer. This "executes" enough of the
7193 printer driver program on the client for the desired effect to happen,
7194 and feeds back the new Device Mode to our Samba server. You can use the
7195 native Windows NT/2K/XP printer properties page from a Windows client
7196 for this:
7197 </p><div class="itemizedlist"><ul type="disc"><li><p>Browse the <span class="guiicon">Network Neighbourhood</span></p></li><li><p>Find the Samba server</p></li><li><p>Open the Samba server's <span class="guiicon">Printers and
7198 Faxes</span> folder</p></li><li><p>Highlight the shared printer in question</p></li><li><p>Right-click the printer (you may already be here, if you
7199 followed the last section's description)</p></li><li><p>At the bottom of the context menu select
7200 <span class="guimenu">Properties....</span> (if the menu still offers the
7201 <span class="guimenuitem">Connect...</span> entry
7202 further above, you need to click that one first to achieve the driver
7203 installation as shown in the last section)</p></li><li><p>Go to the <span class="guilabel">Advanced</span> tab; click on
7204 <span class="guibutton">Printing Defaults...</span></p></li><li><p>Change the "Portrait" page setting to "Landscape" (and
7205 back)</p></li><li><p>(Oh, and make sure to <span class="emphasis"><em>apply</em></span>
7206 changes between swapping the page orientation to cause the change to
7207 actually take effect...).</p></li><li><p>While you're at it, you may optionally also want to
7208 set the desired printing defaults here, which then apply to all future
7209 client driver installations on the remaining clients from now
7210 on.</p></li></ul></div><p>
7211 This procedure has executed the printer driver program on the client
7212 platform and fed back the correct Device Mode to Samba, which has now
7213 stored it in its TDB files. Once the driver is installed on the
7214 client, you can follow the analogous steps by accessing the
7215 <span class="emphasis"><em>local</em></span> <span class="guiicon">Printers</span> folder too if you are
7216 a Samba printer admin user. From now on printing should work as expected.
7217 </p><p>
7218 Samba also includes a service-level parameter named <i class="parameter"><tt>default
7219 devmode</tt></i> for generating a default Device Mode for a
7220 printer. Some drivers will function well with Samba's default set of
7221 properties. Others may crash the client's spooler service. So use this
7222 parameter with caution. It is always better to have the client
7223 generate a valid device mode for the printer and store it on the
7224 server for you.
7225 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902136"></a>Further Client Driver Install Procedures</h3></div></div><div></div></div><p>
7226 Every further driver installation may be done by any user, along the lines
7227 described above: browse the network, open the printers folder on the Samba server,
7228 right-click printer and choose <span class="guimenuitem">Connect...</span>. Once
7229 this completes (should be not more than a few seconds, but could also take
7230 a minute, depending on network conditions), you should find the new printer in
7231 your client workstation local <span class="guiicon">Printers and
7232 Faxes</span> folder.
7233 </p><p>
7234 You can also open your local <span class="guiicon">Printers and Faxes</span> folder by
7235 using this command on Windows 2000 and Windows XP Professional workstations:
7236 </p><p><b class="userinput"><tt>rundll32 shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder
7237 </tt></b></p><p>
7238 or this command on Windows NT 4.0 workstations:
7239 </p><p><b class="userinput"><tt>
7240 rundll32 shell32.dll,Control_RunDLL MAIN.CPL @2
7241 </tt></b></p><p>
7242 You can enter the commands either inside a <span class="guilabel">DOS box</span> window
7243 or in the <span class="guimenuitem">Run command...</span> field from the
7244 <span class="guimenu">Start</span> menu.
7245 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902231"></a>Always make first Client Connection as root or "printer admin"</h3></div></div><div></div></div><p>
7246 After you installed the driver on the Samba server (in its
7247 <i class="parameter"><tt>[print$]</tt></i> share), you should always make sure
7248 that your first client installation completes correctly. Make it a habit for
7249 yourself to make the very first connection from a client as
7250 <a class="indexterm" name="id2902252"></a><i class="parameter"><tt>printer admin</tt></i>. This is to make sure that:
7251 </p><div class="itemizedlist"><ul type="disc"><li><p> a first valid <span class="emphasis"><em>Device Mode</em></span> is
7252 really initialized (see above for more explanation details), and
7253 that</p></li><li><p> the default print settings of your printer for all
7254 further client installations are as you want them</p></li></ul></div><p>
7255 Do this by changing the orientation to landscape, click
7256 <span class="emphasis"><em>Apply</em></span>, and then change it back again. Then modify
7257 the other settings (for example, you don't want the default media size
7258 set to <span class="emphasis"><em>Letter</em></span>, when you are all using
7259 <span class="emphasis"><em>A4</em></span>, right? You may want to set the printer for
7260 <span class="emphasis"><em>duplex</em></span> as the default; etc.).
7261 </p><p>
7262 To connect as root to a Samba printer, try this command from a Windows
7263 2K/XP DOS box command prompt:
7264 </p><pre class="screen">
7265 <tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry /p /t3 /n
7266 \\<i class="replaceable"><tt>SAMBA-SERVER</tt></i>\<i class="replaceable"><tt>printername</tt></i>"</tt></b>
7267 </pre><p>
7269 You will be prompted for root's Samba-password; type it, wait a few
7270 seconds, click on <span class="guibutton">Printing Defaults...</span> and
7271 proceed to set the job options as should be used as defaults by all
7272 clients. Alternatively, instead of root you can name one other member
7273 of the <a class="indexterm" name="id2902370"></a><i class="parameter"><tt>printer admin</tt></i> from the <tt class="filename">smb.conf</tt> setting.
7274 </p><p>
7275 Now all the other users downloading and installing the driver
7276 the same way (called <span class="emphasis"><em>Point'n'Print</em></span>) will
7277 have the same defaults set for them. If you miss this step you'll
7278 get a lot of helpdesk calls from your users. But maybe you like to
7279 talk to people.... ;-)
7280 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902399"></a>Other Gotchas</h2></div></div><div></div></div><p>
7281 Your driver is installed. It is ready for
7282 <span class="emphasis"><em>Point'n'Print</em></span> installation by the clients
7283 now. You <span class="emphasis"><em>may</em></span> have tried to download and use it
7284 onto your first client machine now. But wait... let's make you
7285 acquainted first with a few tips and tricks you may find useful. For
7286 example, suppose you didn't manage to "set the defaults" on the
7287 printer, as advised in the preceding paragraphs? And your users
7288 complain about various issues (such as &#8220;<span class="quote">We need to set the paper
7289 size for each job from Letter to A4 and it won't store it!</span>&#8221;)
7290 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902431"></a>Setting Default Print Options for the Client Drivers</h3></div></div><div></div></div><p>
7291 The last sentence might be viewed with mixed feelings by some users and
7292 admins. They have struggled for hours and hours and couldn't arrive at
7293 a point where their settings seemed to be saved. It is not their
7294 fault. The confusing thing is this: in the multi-tabbed dialog that pops
7295 up when you right-click the printer name and select
7296 <span class="guimenuitem">Properties...</span>, you can arrive at two identically
7297 looking dialogs, each claiming to help you set printer options,
7298 in three different ways. Here is the definite answer to the "Samba
7299 Default Driver Setting FAQ":
7300 </p><p><b>&#8220;<span class="quote">I can't set and save default print options
7301 for all users on Win2K/XP! Why not?</span>&#8221; </b>
7302 How are you doing it? I bet the wrong way.... (it is not very
7303 easy to find out, though). There are 3 different ways to bring you to
7304 a dialog that <span class="emphasis"><em>seems</em></span> to set everything. All three
7305 dialogs <span class="emphasis"><em>look</em></span> the same. Only one of them
7306 <span class="emphasis"><em>does</em></span> what you intend.
7307 <span class="emphasis"><em>Important:</em></span> you need to be Administrator or Print
7308 Administrator to do this for all users. Here is how to reproduce it
7309 on XP Professional:
7311 </p><div class="orderedlist"><ol type="A"><li><p>The first "wrong" way:
7313 </p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="guiicon">Printers</span>
7314 folder.</p></li><li><p>Right-click on the printer
7315 (<span class="emphasis"><em>remoteprinter on cupshost</em></span>) and
7316 select in context menu <span class="guimenu">Printing
7317 Preferences...</span></p></li><li><p>Look at this dialog closely and remember what it looks
7318 like.</p></li></ol></div><p>
7319 </p></li><li><p>The second "wrong" way:
7321 </p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="guimenu">Printers</span>
7322 folder.</p></li><li><p>Right-click on the printer (<span class="emphasis"><em>remoteprinter on
7323 cupshost</em></span>) and select in the context menu
7324 <span class="guimenuitem">Properties</span></p></li><li><p>Click on the <span class="guilabel">General</span>
7325 tab</p></li><li><p>Click on the button <span class="guibutton">Printing
7326 Preferences...</span></p></li><li><p>A new dialog opens. Keep this dialog open and go back
7327 to the parent dialog.</p></li></ol></div><p>
7328 </p></li><li><p>The third, the "correct" way: (should you do
7329 this from the beginning, just carry out steps 1. and 2. from the second
7330 "way" above)
7332 </p><div class="orderedlist"><ol type="1"><li><p>Click on the <span class="guilabel">Advanced</span>
7333 tab. (Hmmm... if everything is "Grayed Out", then you are not logged
7334 in as a user with enough privileges).</p></li><li><p>Click on the <span class="guibutton">Printing
7335 Defaults...</span> button.</p></li><li><p>On any of the two new tabs, click on the
7336 <span class="guilabel">Advanced...</span> button.</p></li><li><p>A new dialog opens. Compare this one to the other,
7337 identical looking one from "B.5" or "A.3".</p></li></ol></div><p>
7338 </p></li></ol></div><p>
7340 Do you see any difference in the two settings dialogs? I don't
7341 either. However, only the last one, which you arrived at with steps
7342 C.1.-4. (after B.1. and B.2.), will permanently save any settings which will then become the
7343 defaults for new users. If you want all clients to have the same
7344 defaults, you need to conduct these steps as administrator
7345 (<a class="indexterm" name="id2902717"></a><i class="parameter"><tt>printer admin</tt></i> in <tt class="filename">smb.conf</tt>)
7346 <span class="emphasis"><em>before</em></span> a client downloads the driver (the clients
7347 can later set their own <span class="emphasis"><em>per-user defaults</em></span> by
7348 following the procedures <span class="emphasis"><em>A.</em></span>
7349 or <span class="emphasis"><em>B.</em></span> above...). (This is new: Windows 2000 and
7350 Windows XP allow <span class="emphasis"><em>per-user</em></span> default settings and
7351 the ones the administrator gives them, before they set up their own).
7352 The "parents" of the identically looking dialogs have a slight
7353 difference in their window names: one is called
7354 "<tt class="computeroutput">Default Print Values for Printer Foo on Server
7355 Bar</tt>" (which is the one you need) and the other is
7356 called "<tt class="computeroutput">Print Settings for Printer Foo on Server
7357 Bar</tt>". The last one is the one you arrive at when you
7358 right-click on the printer and select <span class="guimenuitem">Print
7359 Settings...</span>. This is the one you were
7360 taught to use back in the days of Windows NT! So it is only natural to
7361 try the same way with Win2k or WinXP. You wouldn't dream
7362 that there is now a different "clicking path" to arrive at an
7363 identically looking, but functionally different dialog to set defaults
7364 for all users!
7365 </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Try (on Win2000 and WinXP) to run this command (as a user
7366 with the right privileges):
7367 </p><p><b class="userinput"><tt>
7368 rundll32 printui.dll,PrintUIEntry /p /t3 /n\\<i class="replaceable"><tt>SAMBA-SERVER</tt></i>\<i class="replaceable"><tt>printersharename</tt></i>
7369 </tt></b></p><p>
7370 to see the tab with the <span class="guilabel">Printing Defaults...</span>
7371 button (the one you need). Also run this command:
7372 </p><p><b class="userinput"><tt>
7373 rundll32 printui.dll,PrintUIEntry /p /t0 /n\\<i class="replaceable"><tt>SAMBA-SERVER</tt></i>\<i class="replaceable"><tt>printersharename</tt></i>
7374 </tt></b></p><p>
7375 to see the tab with the <span class="guilabel">Printing Preferences...</span>
7376 button (the one which doesn't set system-wide defaults). You can
7377 start the commands from inside a "DOS box" or from the <span class="guimenu">Start</span>
7378 -- <span class="guimenuitem">Run...</span> menu.
7379 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902874"></a>Supporting large Numbers of Printers</h3></div></div><div></div></div><p>
7380 One issue that has arisen during the recent development phase of Samba
7381 is the need to support driver downloads for hundreds of printers. Using
7382 the Windows NT APW here is somewhat awkward (to say the least). If you
7383 don't want to acquire RSI pains from the printer installation
7384 clicking orgy alone, you need to think about a non-interactive script.
7385 </p><p>
7386 If more than one printer is using the same driver, the
7387 <b class="command">rpcclient setdriver</b> command can be used to set the
7388 driver associated with an installed queue. If the driver is uploaded
7389 to <i class="parameter"><tt>[print$]</tt></i> once and registered with the
7390 printing TDBs, it can be used by multiple print queues. In this case
7391 you just need to repeat the <b class="command">setdriver</b> subcommand
7392 of <b class="command">rpcclient</b> for every queue (without the need to
7393 conduct the <b class="command">adddriver</b> again and again). The
7394 following is an example of how this could be accomplished:
7395 </p><pre class="screen">
7396 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'enumdrivers'</tt></b>
7397 cmd = enumdrivers
7399 [Windows NT x86]
7400 Printer Driver Info 1:
7401 Driver Name: [infotec IS 2075 PCL 6]
7403 Printer Driver Info 1:
7404 Driver Name: [DANKA InfoStream]
7406 Printer Driver Info 1:
7407 Driver Name: [Heidelberg Digimaster 9110 (PS)]
7409 Printer Driver Info 1:
7410 Driver Name: [dm9110]
7412 Printer Driver Info 1:
7413 Driver Name: [myphantasydrivername]
7415 [....]
7416 </pre><p>
7418 </p><pre class="screen">
7419 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'enumprinters'</tt></b>
7420 cmd = enumprinters
7421 flags:[0x800000]
7422 name:[\\SAMBA-CUPS\dm9110]
7423 description:[\\SAMBA-CUPS\dm9110,,110ppm HiVolume DANKA Stuttgart]
7424 comment:[110 ppm HiVolume DANKA Stuttgart]
7425 [....]
7426 </pre><p>
7428 </p><pre class="screen">
7429 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c \
7430 'setdriver <i class="replaceable"><tt>dm9110</tt></i> "<i class="replaceable"><tt>Heidelberg Digimaster 9110 (PS)</tt></i>"'</tt></b>
7431 cmd = setdriver dm9110 Heidelberg Digimaster 9110 (PS)
7432 Successfully set dm9110 to driver Heidelberg Digimaster 9110 (PS).
7433 </pre><p>
7435 </p><pre class="screen">
7436 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'enumprinters'</tt></b>
7437 cmd = enumprinters
7438 flags:[0x800000]
7439 name:[\\SAMBA-CUPS\dm9110]
7440 description:[\\SAMBA-CUPS\dm9110,Heidelberg Digimaster 9110 (PS),\
7441 110ppm HiVolume DANKA Stuttgart]
7442 comment:[110ppm HiVolume DANKA Stuttgart]
7443 [....]
7444 </pre><p>
7446 </p><pre class="screen">
7447 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'setdriver <i class="replaceable"><tt>dm9110</tt></i> <i class="replaceable"><tt>myphantasydrivername</tt></i>'</tt></b>
7448 cmd = setdriver dm9110 myphantasydrivername
7449 Successfully set dm9110 to myphantasydrivername.
7450 </pre><p>
7452 </p><pre class="screen">
7453 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'enumprinters'</tt></b>
7454 cmd = enumprinters
7455 flags:[0x800000]
7456 name:[\\SAMBA-CUPS\dm9110]
7457 description:[\\SAMBA-CUPS\dm9110,myphantasydrivername,\
7458 110ppm HiVolume DANKA Stuttgart]
7459 comment:[110ppm HiVolume DANKA Stuttgart]
7460 [....]
7461 </pre><p>
7462 It may be not easy to recognize: but the first call to
7463 <b class="command">enumprinters</b> showed the "dm9110" printer with an
7464 empty string where the driver should have been listed (between the 2
7465 commas in the "description" field). After the
7466 <b class="command">setdriver</b> command succeeded, all is well. (The
7467 CUPS Printing chapter has more info about the installation of printer
7468 drivers with the help of <b class="command">rpcclient</b>).
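</p><p>
A non-interactive version of the loop sketched above, added here as an example (it is
not part of the Samba HOWTO, nor one of Samba's own tools): it parses
<b class="command">enumprinters</b> output for queues whose description carries an empty
driver field and issues one <b class="command">setdriver</b> per queue. The server name,
the authentication file path and the sample listing are assumptions; the listing is
constructed after the one shown above. Note the credential handling:
<tt>-U root%secret</tt>, as in the examples above, shows the password to every local
user through <b class="command">ps</b> and leaves it in the shell history, so the script
uses <tt>-A</tt> with a mode-0600 authentication file (lines <tt>username = ...</tt> and
<tt>password = ...</tt>) instead.
</p>
```sh
#!/bin/sh
# Added example (not from the Samba HOWTO or Samba's own tooling): assign one driver
# to every Samba print queue that still has no driver, using rpcclient's enumprinters
# and setdriver subcommands.
#
# Assumptions (hypothetical): the server is SAMBA-CUPS, and credentials live in an
# authentication file readable only by you ("-A file" with "username = ..." and
# "password = ..." lines).  DRY_RUN=1 (the default) only prints the commands.

SERVER=${SERVER:-SAMBA-CUPS}
AUTHFILE=${AUTHFILE:-$HOME/.smbauth}
DRY_RUN=${DRY_RUN:-1}

# Constructed sample of `rpcclient SERVER -c enumprinters` output, modelled on the
# HOWTO's listing: dm9110 and lp have an empty driver field (",," in the description),
# hp4 already has one (and a comma inside its comment, which must not confuse us).
SAMPLE_ENUMPRINTERS=$(cat <<'EOF'
    flags:[0x800000]
    name:[\\SAMBA-CUPS\dm9110]
    description:[\\SAMBA-CUPS\dm9110,,110ppm HiVolume DANKA Stuttgart]
    comment:[110ppm HiVolume DANKA Stuttgart]

    flags:[0x800000]
    name:[\\SAMBA-CUPS\hp4]
    description:[\\SAMBA-CUPS\hp4,HP LaserJet 4,Room 12, 2nd floor]
    comment:[Room 12, 2nd floor]

    flags:[0x800000]
    name:[\\SAMBA-CUPS\lp]
    description:[\\SAMBA-CUPS\lp,,default queue]
    comment:[default queue]
EOF
)

# Print the share name of every queue whose description has an empty driver field,
# i.e. "\\SERVER\queue,,comment".  Reads enumprinters output on stdin.
driverless_queues() {
    awk -F',' '/^[[:space:]]*description:\[/ && $2 == "" {
        q = $1; sub(/.*\\/, "", q); print q }'
}

# Run (or, in dry-run mode, print) one rpcclient command against $SERVER.
rpc() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'rpcclient %s -A %s -c '\''%s'\''\n' "$SERVER" "$AUTHFILE" "$1"
    else
        rpcclient "$SERVER" -A "$AUTHFILE" -c "$1"
    fi
}

# Build the setdriver subcommand for one queue; driver names usually contain spaces
# and parentheses, so the name is double-quoted inside the -c string.
setdriver_cmd() {   # $1 = queue, $2 = driver name
    printf 'setdriver %s "%s"' "$1" "$2"
}

# Assign driver $1 to every driverless queue.  The enumprinters listing comes from the
# server, or from the constructed sample when dry-running.
assign_driver_to_driverless() {
    if [ "$DRY_RUN" = 1 ]; then
        listing=$SAMPLE_ENUMPRINTERS
    else
        listing=$(rpcclient "$SERVER" -A "$AUTHFILE" -c enumprinters)
    fi
    printf '%s\n' "$listing" | driverless_queues | while read -r queue; do
        rpc "$(setdriver_cmd "$queue" "$1")"
    done
}

assign_driver_to_driverless "${1:-Heidelberg Digimaster 9110 (PS)}"
```
<p>
Run it once with the default <tt>DRY_RUN=1</tt> to review the commands, then with
<tt>DRY_RUN=0</tt> against the server, and confirm with a further
<b class="command">enumprinters</b> that the driver field between the two commas is now
filled for every queue.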
7469 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903177"></a>Adding new Printers with the Windows NT APW</h3></div></div><div></div></div><p>
7470 By default, Samba exhibits all printer shares defined in
7471 <tt class="filename">smb.conf</tt> in the
7472 <span class="guiicon">Printers...</span> folder. Also located in this folder
7473 is the Windows NT Add Printer Wizard icon. The APW will be shown only if:
7475 </p><div class="itemizedlist"><ul type="disc"><li><p>...the connected user is able to successfully execute
7476 an <b class="command">OpenPrinterEx(\\server)</b> with administrative
7477 privileges (i.e. root or <a class="indexterm" name="id2903223"></a><i class="parameter"><tt>printer admin</tt></i>).
7478 </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> Try this from a Windows 2K/XP DOS box command prompt:
7479 </p><p><b class="userinput"><tt>
7480 runas /netonly /user:root rundll32 printui.dll,PrintUIEntry /p /t0 /n \\<i class="replaceable"><tt>SAMBA-SERVER</tt></i>\<i class="replaceable"><tt>printersharename</tt></i>
7481 </tt></b></p><p>
7482 and click on <span class="guibutton">Printing Preferences...</span>
7483 </p></div></li><li><p>... <tt class="filename">smb.conf</tt> contains the setting
7484 <a class="indexterm" name="id2903277"></a><i class="parameter"><tt>show add printer wizard</tt></i> = yes (the
7485 default).</p></li></ul></div><p>
7486 The APW can do various things:
7487 </p><div class="itemizedlist"><ul type="disc"><li><p>upload a new driver to the Samba
7488 <i class="parameter"><tt>[print$]</tt></i> share;</p></li><li><p>associate an uploaded driver with an existing (but
7489 still "driverless") print queue;</p></li><li><p>exchange the currently used driver for an existing
7490 print queue with one that has been uploaded before;</p></li><li><p>add an entirely new printer to the Samba host (only in
7491 conjunction with a working <a class="indexterm" name="id2903334"></a><i class="parameter"><tt>add printer command</tt></i>;
7492 a corresponding <a class="indexterm" name="id2903350"></a><i class="parameter"><tt>delete printer command</tt></i> for
7493 removing entries from the <span class="guiicon">Printers...</span> folder
7494 may be provided too)</p></li></ul></div><p>
7495 The last one (add a new printer) requires more effort than the
7496 previous ones. In order to use the APW to successfully add a printer
7497 to a Samba server, the <a class="indexterm" name="id2903380"></a><i class="parameter"><tt>add printer command</tt></i> must
7498 have a defined value. The program hook must successfully add the
7499 printer to the UNIX print system (i.e. to
7500 <tt class="filename">/etc/printcap</tt>,
7501 <tt class="filename">/etc/cups/printers.conf</tt> or other appropriate
7502 files) and to <tt class="filename">smb.conf</tt> if necessary.
7503 </p><p>
7504 When using the APW from a client, if the named printer share does not
7505 exist, smbd will execute the <i class="parameter"><tt>add printer
7506 command</tt></i> and reparse <tt class="filename">smb.conf</tt>
7507 to attempt to locate the new printer share. If the share is still not
7508 defined, an error of <span class="errorname">Access Denied</span> is
7509 returned to the client. Note that the <a class="indexterm" name="id2903429"></a><i class="parameter"><tt>add printer command</tt></i> is executed under the context of the connected
7510 user, not necessarily a root account. A <a class="indexterm" name="id2903446"></a><i class="parameter"><tt>map to guest</tt></i> = bad user setting may have connected you unwittingly under the wrong
7511 privilege; you should check it by using the
7512 <b class="command">smbstatus</b> command.
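</p><p>
As an added example of such a hook (not shipped with Samba, and not taken from this
HOWTO), here is a minimal <i class="parameter"><tt>add printer command</tt></i> script.
It assumes the <tt class="filename">smb.conf</tt> line
<tt>add printer command = /usr/local/sbin/samba-addprinter</tt>, a BSD-style
<tt class="filename">/etc/printcap</tt> and a spool directory of its own; on a CUPS host the
registration step would be <b class="command">lpadmin</b> instead. smbd passes the hook
the printer name, share name, port name, driver name, location and Windows 9x driver
location, as documented in smb.conf(5). Every one of those strings comes from the
Windows client and, as noted above, the hook runs with the privileges of the connected
user, so the script validates the share name and strips the free text before either
reaches a configuration file.
</p>
```sh
#!/bin/sh
# Added example (not shipped with Samba): a minimal "add printer command" hook that
# registers the queue the Windows APW asked for, validating its arguments first.
#
# Assumed smb.conf line:  add printer command = /usr/local/sbin/samba-addprinter
# smbd runs the hook as:  printer_name share_name port_name driver_name location win9x_driver_dir
# The arguments come from the Windows client and the hook runs as the connected user
# (possibly a guest after "map to guest = bad user"), so nothing from the argument
# list may reach a config file or a command line unchecked.  PRINTCAP and SPOOL_BASE
# are assumptions; on a CUPS host use `lpadmin -p "$share" -E -v <device-uri>` instead.

PRINTCAP=${PRINTCAP:-/etc/printcap}
SPOOL_BASE=${SPOOL_BASE:-/var/spool/samba-printers}
DRY_RUN=${DRY_RUN:-1}

# A queue/share name that is safe in printcap, in smb.conf and on a command line:
# starts with a letter or digit, then only letters, digits, "_" or "-", at most 32 chars.
valid_share_name() {
    case "$1" in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# Free text (location/comment): keep the first line only, drop ":" and "\" which would
# end or continue a printcap entry, and cap the length.
sanitize_text() {
    printf '%s\n' "$1" | head -n 1 | tr -d ':\r\\' | cut -c1-64
}

# One BSD printcap entry for the share, spooled locally; the location becomes the alias.
printcap_entry() {   # $1 = share name, $2 = location text
    printf '%s|%s:sd=%s/%s:lp=/dev/null:sh:' "$1" "$(sanitize_text "$2")" "$SPOOL_BASE" "$1"
}

# Hook body: validate, then add the entry (or print it when DRY_RUN=1).  Exit status 0
# lets smbd reparse smb.conf and look for the new share; non-zero refuses the request.
add_printer() {
    [ $# -ge 5 ] || { echo "usage: printer share port driver location [win9x_dir]" >&2; return 2; }
    share=$2
    if ! valid_share_name "$share"; then
        echo "add printer command: rejected share name '$share'" >&2
        return 1
    fi
    entry=$(printcap_entry "$share" "$5")
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$entry"
    else
        printf '%s\n' "$entry" >> "$PRINTCAP"
        mkdir -p "$SPOOL_BASE/$share"
    fi
}

# Act as the hook when called with arguments; without any, only the functions are defined.
if [ $# -gt 0 ]; then
    add_printer "$@"
fi
```
<p>
The share section itself still has to exist in <tt class="filename">smb.conf</tt> (or be
covered by a <tt>[printers]</tt> section with <tt>load printers = yes</tt>) before smbd's
reparse will find it; otherwise the client gets the
<span class="errorname">Access Denied</span> described above even though the hook succeeded.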
7513 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903470"></a>Weird Error Message <span class="errorname">Cannot connect under a
7514 different Name</span></h3></div></div><div></div></div><p>
7515 Once you are connected with the wrong credentials, there is no means
7516 to reverse the situation other than to close all Explorer windows, and
7517 perhaps reboot.
7518 </p><div class="itemizedlist"><ul type="disc"><li><p>The <b class="command">net use \\SAMBA-SERVER\sharename
7519 /user:root</b> gives you an error message: <tt class="computeroutput">Multiple
7520 connections to a server or a shared resource by the same user
7521 utilizing the several user names are not allowed. Disconnect all
7522 previous connections to the server, resp. the shared resource, and try
7523 again.</tt></p></li><li><p>Every attempt to "connect a network drive" to
7524 <tt class="filename">\\SAMBASERVER\print$</tt> to Z: is countered by the
7525 pertinacious message. <tt class="computeroutput">This network folder is currently
7526 connected under different credentials (username and password).
7527 Disconnect first any existing connection to this network share in
7528 order to connect again under a different username and
7529 password</tt>.</p></li></ul></div><p>
7530 So you close all connections. You try again. You get the same
7531 message. You check from the Samba side, using
7532 <b class="command">smbstatus</b>. Yes, there are some more
7533 connections. You kill them all. The client still gives you the same
7534 error message. You watch the smbd.log file on a very high debug level
7535 and try re-connect. Same error message, but not a single line in the
7536 log. You start to wonder if there was a connection attempt at all. You
7537 run ethereal and tcpdump while you try to connect. Result: not a
7538 single byte goes on the wire. Windows still gives the error
7539 message. You close all Explorer Windows and start it again. You try to
7540 connect - and this time it works! Windows seems to cache connection
7541 info somewhere and doesn't keep it up to date (if you are unlucky you
7542 might need to reboot to get rid of the error message).
7543 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903569"></a>Be careful when assembling Driver Files</h3></div></div><div></div></div><p>
7544 You need to be very careful when you take notes about the files
7545 belonging to a particular driver. Don't confuse the files for driver
7546 version "0" (for Win95/98/ME, going into
7547 <tt class="filename">[print$]/WIN/0/</tt>), driver version "2" (Kernel Mode
7548 driver for WinNT, going into <tt class="filename">[print$]/W32X86/2/</tt>
7549 <span class="emphasis"><em>may</em></span> be used on Win2K/XP too), and driver version
7550 "3" (non-Kernel Mode driver going into
7551 <tt class="filename">[print$]/W32X86/3/</tt> <span class="emphasis"><em>can not</em></span>
7552 be used on WinNT). Very often these different driver versions contain
7553 files carrying the same name; but still the files are very different!
7554 Also, if you look at them from the Windows Explorer (they reside in
7555 <tt class="filename">%WINDOWS%\system32\spool\drivers\W32X86\</tt>) you
7556 will probably see names in capital letters, while an "enumdrivers"
7557 command from Samba would show mixed or lower case letters. So it is
7558 easy to confuse them. If you install them manually using
7559 <b class="command">rpcclient</b> and subcommands, you may even succeed
7560 without an error message. Only later, when you try to install on a
7561 client, you will encounter error messages like <tt class="computeroutput">This
7562 server has no appropriate driver for the printer</tt>.
7563 </p><p>
7564 Here is an example. You are invited to look very closely at the
7565 various files, compare their names and their spelling, and discover
7566 the differences in the composition of the version-2 and -3 sets.
7567 Note: the version-0 set contained 40 (!)
7568 <i class="parameter"><tt>Dependentfiles</tt></i>, so I left it out for space
7569 reasons:
7570 </p><pre class="screen">
7571 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U 'Administrator%<i class="replaceable"><tt>secret</tt></i>' -c 'enumdrivers 3' 10.160.50.8 </tt></b>
7573 Printer Driver Info 3:
7574 Version: [3]
7575 Driver Name: [Canon iR8500 PS3]
7576 Architecture: [Windows NT x86]
7577 Driver Path: [\\10.160.50.8\print$\W32X86\3\cns3g.dll]
7578 Datafile: [\\10.160.50.8\print$\W32X86\3\iR8500sg.xpd]
7579 Configfile: [\\10.160.50.8\print$\W32X86\3\cns3gui.dll]
7580 Helpfile: [\\10.160.50.8\print$\W32X86\3\cns3g.hlp]
7582 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aucplmNT.dll]
7583 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\ucs32p.dll]
7584 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\tnl32.dll]
7585 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aussdrv.dll]
7586 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cnspdc.dll]
7587 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aussapi.dat]
7588 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cns3407.dll]
7589 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\CnS3G.cnt]
7590 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\NBAPI.DLL]
7591 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\NBIPC.DLL]
7592 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcview.exe]
7593 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcdspl.exe]
7594 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcedit.dll]
7595 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcqm.exe]
7596 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcspl.dll]
7597 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cfine32.dll]
7598 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcr407.dll]
7599 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\Cpcqm407.hlp]
7600 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcqm407.cnt]
7601 Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cns3ggr.dll]
7603 Monitorname: []
7604 Defaultdatatype: []
7606 Printer Driver Info 3:
7607 Version: [2]
7608 Driver Name: [Canon iR5000-6000 PS3]
7609 Architecture: [Windows NT x86]
7610 Driver Path: [\\10.160.50.8\print$\W32X86\2\cns3g.dll]
7611 Datafile: [\\10.160.50.8\print$\W32X86\2\IR5000sg.xpd]
7612 Configfile: [\\10.160.50.8\print$\W32X86\2\cns3gui.dll]
7613 Helpfile: [\\10.160.50.8\print$\W32X86\2\cns3g.hlp]
7615 Dependentfiles: [\\10.160.50.8\print$\W32X86\2\AUCPLMNT.DLL]
7616 Dependentfiles: [\\10.160.50.8\print$\W32X86\2\aussdrv.dll]
7617 Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cnspdc.dll]
7618 Dependentfiles: [\\10.160.50.8\print$\W32X86\2\aussapi.dat]
7619 Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cns3407.dll]
7620 Dependentfiles: [\\10.160.50.8\print$\W32X86\2\CnS3G.cnt]
7621 Dependentfiles: [\\10.160.50.8\print$\W32X86\2\NBAPI.DLL]
7622 Dependentfiles: [\\10.160.50.8\print$\W32X86\2\NBIPC.DLL]
7623 Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cns3gum.dll]
7625 Monitorname: [CPCA Language Monitor2]
7626 Defaultdatatype: []
7628 </pre><p>
7629 If we write the "version 2" files and the "version 3" files
7630 into different text files and compare the result, we see this
7631 picture:
7632 </p><pre class="screen">
7633 <tt class="prompt">root# </tt><b class="userinput"><tt>sdiff 2-files 3-files</tt></b>
7636 cns3g.dll cns3g.dll
7637 IR5000sg.xpd | iR8500sg.xpd
7638 cns3gui.dll cns3gui.dll
7639 cns3g.hlp cns3g.hlp
7640 AUCPLMNT.DLL | aucplmNT.dll
7641 &gt; ucs32p.dll
7642 &gt; tnl32.dll
7643 aussdrv.dll aussdrv.dll
7644 cnspdc.dll cnspdc.dll
7645 aussapi.dat aussapi.dat
7646 cns3407.dll cns3407.dll
7647 CnS3G.cnt CnS3G.cnt
7648 NBAPI.DLL NBAPI.DLL
7649 NBIPC.DLL NBIPC.DLL
7650 cns3gum.dll | cpcview.exe
7651 &gt; cpcdspl.exe
7652 &gt; cpcqm.exe
7653 &gt; cpcspl.dll
7654 &gt; cfine32.dll
7655 &gt; cpcr407.dll
7656 &gt; Cpcqm407.hlp
7657 &gt; cpcqm407.cnt
7658 &gt; cns3ggr.dll
7660 </pre><p>
7661 Don't be fooled though! Driver files for each version with identical
7662 names may be different in their content, as you can see from this size
7663 comparison:
7664 </p><pre class="screen">
7665 <tt class="prompt">root# </tt><b class="userinput"><tt>for i in cns3g.hlp cns3gui.dll cns3g.dll; do \
7666 smbclient //10.160.50.8/print\$ -U 'Administrator%xxxx' \
7667 -c "cd W32X86/3; dir $i; cd .. ; cd 2; dir $i"; \
7668 done</tt></b>
7670 CNS3G.HLP A 122981 Thu May 30 02:31:00 2002
7671 CNS3G.HLP A 99948 Thu May 30 02:31:00 2002
7673 CNS3GUI.DLL A 1805824 Thu May 30 02:31:00 2002
7674 CNS3GUI.DLL A 1785344 Thu May 30 02:31:00 2002
7676 CNS3G.DLL A 1145088 Thu May 30 02:31:00 2002
7677 CNS3G.DLL A 15872 Thu May 30 02:31:00 2002
7679 </pre><p>
7680 In my example there were even more differences than shown here. Conclusion:
7681 you must be very careful to select the correct driver files for each
7682 driver version. Don't rely on the names alone. Don't interchange files
7683 belonging to different driver versions.
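</p><p>
The hand comparison above (<b class="command">sdiff</b> of two name lists, then
<b class="command">smbclient dir</b> for the sizes) can be scripted. The block below is an
added example, not part of this HOWTO or of Samba: it turns
<b class="command">enumdrivers 3</b> output into per-version file lists, compares the
versions by name ignoring case (Explorer shows upper case, enumdrivers whatever case was
used at upload), and then compares sizes of same-named files from two
<b class="command">smbclient dir</b> listings. The embedded listings are constructed
from the Canon example above, trimmed to a few files, with one invented
<tt>NBAPI.DLL</tt> size line so that a file identical in both versions is represented.
</p>
```sh
#!/bin/sh
# Added example (not from the HOWTO or Samba): check a driver's version-2 and version-3
# file sets against each other by name (case-insensitively) and by size, so a file taken
# from the wrong set is caught before clients report
# "This server has no appropriate driver for the printer".
#
# driver_files reads `rpcclient -c 'enumdrivers 3'` output; dir_sizes reads
# `smbclient //server/print$ -c 'cd W32X86/3; dir'` output.  Both samples below are
# constructed (trimmed from the HOWTO's Canon listing, NBAPI.DLL sizes invented).

SAMPLE_ENUMDRIVERS=$(cat <<'EOF'
Printer Driver Info 3:
    Version: [3]
    Driver Name: [Canon iR8500 PS3]
    Driver Path: [\\10.160.50.8\print$\W32X86\3\cns3g.dll]
    Datafile: [\\10.160.50.8\print$\W32X86\3\iR8500sg.xpd]
    Configfile: [\\10.160.50.8\print$\W32X86\3\cns3gui.dll]
    Helpfile: [\\10.160.50.8\print$\W32X86\3\cns3g.hlp]
    Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aucplmNT.dll]
    Dependentfiles: [\\10.160.50.8\print$\W32X86\3\ucs32p.dll]
    Dependentfiles: [\\10.160.50.8\print$\W32X86\3\NBAPI.DLL]
    Monitorname: []

Printer Driver Info 3:
    Version: [2]
    Driver Name: [Canon iR5000-6000 PS3]
    Driver Path: [\\10.160.50.8\print$\W32X86\2\cns3g.dll]
    Datafile: [\\10.160.50.8\print$\W32X86\2\IR5000sg.xpd]
    Configfile: [\\10.160.50.8\print$\W32X86\2\cns3gui.dll]
    Helpfile: [\\10.160.50.8\print$\W32X86\2\cns3g.hlp]
    Dependentfiles: [\\10.160.50.8\print$\W32X86\2\AUCPLMNT.DLL]
    Dependentfiles: [\\10.160.50.8\print$\W32X86\2\NBAPI.DLL]
    Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cns3gum.dll]
    Monitorname: [CPCA Language Monitor2]
EOF
)
SAMPLE_DIR_V3=$(cat <<'EOF'
  CNS3G.HLP                A   122981  Thu May 30 02:31:00 2002
  CNS3GUI.DLL              A  1805824  Thu May 30 02:31:00 2002
  CNS3G.DLL                A  1145088  Thu May 30 02:31:00 2002
  NBAPI.DLL                A    36864  Thu May 30 02:31:00 2002
EOF
)
SAMPLE_DIR_V2=$(cat <<'EOF'
  CNS3G.HLP                A    99948  Thu May 30 02:31:00 2002
  CNS3GUI.DLL              A  1785344  Thu May 30 02:31:00 2002
  CNS3G.DLL                A    15872  Thu May 30 02:31:00 2002
  NBAPI.DLL                A    36864  Thu May 30 02:31:00 2002
EOF
)

# "version<TAB>basename" for every file of every driver in enumdrivers-3 output (stdin).
driver_files() {
    awk '
      /^[[:space:]]*Version: \[/ { v = $0; sub(/.*\[/, "", v); sub(/].*/, "", v) }
      /^[[:space:]]*(Driver Path|Datafile|Configfile|Helpfile|Dependentfiles): \[/ {
          f = $0; sub(/.*\\/, "", f); sub(/].*/, "", f)
          if (f != "") print v "\t" f
      }'
}

# Case-insensitive comparison of two versions' file names: "only-in-<v>\t<name>" lines
# followed by "same-name\t<count>".  $1, $2 = version numbers; stdin = driver_files output.
compare_versions() {
    awk -F'\t' -v va="$1" -v vb="$2" '
      { n = tolower($2); if ($1 == va) a[n] = 1; else if ($1 == vb) b[n] = 1 }
      END {
          both = 0
          for (n in a) { if (n in b) both++; else printf "only-in-%s\t%s\n", va, n }
          for (n in b) if (!(n in a)) printf "only-in-%s\t%s\n", vb, n
          printf "same-name\t%d\n", both
      }' | sort
}

# "name<TAB>size" (name lower-cased) from smbclient dir output on stdin.
dir_sizes() {
    awk '$1 != "." && $1 != ".." && $2 ~ /^[ADHRSN]+$/ && $3 ~ /^[0-9]+$/ {
        print tolower($1) "\t" $3 }'
}

# Files present in both listings but with different sizes: "name\tsizeA\tsizeB".
size_mismatches() {   # $1 = dir_sizes output for version A, $2 = same for version B
    {
        printf '%s\n' "$1" | awk '{ print "A\t" $0 }'
        printf '%s\n' "$2" | awk '{ print "B\t" $0 }'
    } | awk -F'\t' '
        $1 == "A" { sa[$2] = $3 }
        $1 == "B" { sb[$2] = $3 }
        END { for (n in sa) if (n in sb && sa[n] != sb[n]) printf "%s\t%s\t%s\n", n, sa[n], sb[n] }' | sort
}

# Stand-alone run: report on the constructed samples.
printf '%s\n' "$SAMPLE_ENUMDRIVERS" | driver_files | compare_versions 2 3
size_mismatches "$(printf '%s\n' "$SAMPLE_DIR_V2" | dir_sizes)" "$(printf '%s\n' "$SAMPLE_DIR_V3" | dir_sizes)"
```
<p>
Against a live server, feed the two functions real output (<tt>rpcclient ... -c 'enumdrivers 3'
| driver_files</tt>, and one <b class="command">smbclient dir</b> per version directory).
A same-named file with identical sizes in both directories is still not proof that it
is the right one, so for the files that matter compare checksums after fetching them
with <b class="command">smbclient get</b>.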
7684 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903854"></a>Samba and Printer Ports</h3></div></div><div></div></div><p>
7685 Windows NT/2000 print servers associate a port with each
7686 printer. These normally take the form of <tt class="filename">LPT1:</tt>,
7687 <tt class="filename">COM1:</tt>, <tt class="filename">FILE:</tt>, etc. Samba
7688 must also support the concept of ports associated with a printer. By
7689 default, only one printer port, named "Samba Printer Port", exists on
7690 a system. Samba does not really need such a "port" in order to print;
7691 it rather is a requirement of Windows clients. They insist on being
7692 told about an available port when they request this info, otherwise
7693 they throw an error message at you. So Samba fakes the port
7694 information to keep the Windows clients happy.
7695 </p><p>
7696 Note that Samba does not support the concept of "Printer Pooling"
7697 internally either. Printer Pooling assigns a logical printer to
7698 multiple ports as a form of load balancing or fail over.
7699 </p><p>
7700 If you require that multiple ports be defined for some reason or
7701 another (&#8220;<span class="quote">My users and my Boss should not know that they are
7702 working with Samba</span>&#8221;), <tt class="filename">smb.conf</tt> possesses an
7703 <a class="indexterm" name="id2903913"></a><i class="parameter"><tt>enumports command</tt></i> which can be used to define
7704 an external program that generates a listing of ports on a system.
7705 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903932"></a>Avoiding the most common Misconfigurations of the Client Driver</h3></div></div><div></div></div><p>
7706 So - printing works, but there are still problems. Most jobs print
7707 well, some don't print at all. Some jobs have problems with fonts,
7708 which don't look good at all. Some jobs print fast, and some are
7709 dead-slow. We can't cover it all; but we want to encourage you to read
7710 the little paragraph about "Avoiding the wrong PostScript Driver
7711 Settings" in the CUPS Printing part of this document.
7712 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903954"></a>The Imprints Toolset</h2></div></div><div></div></div><p>
7713 The Imprints tool set provides a UNIX equivalent of the
7714 Windows NT Add Printer Wizard. For complete information, please
7715 refer to the Imprints web site
7716 at <a href="http://imprints.sourceforge.net/" target="_top">http://imprints.sourceforge.net/</a>
7717 as well as the documentation included with the imprints source
7718 distribution. This section will only provide a brief introduction
7719 to the features of Imprints.
7720 </p><p><b>Attention! Maintainer required. </b>
7721 Unfortunately, the Imprints toolset is no longer maintained. As of
7722 December, 2000, the project is in need of a new maintainer. The most
7723 important skill to have is decent perl coding and an interest in
7724 MS-RPC based printing using Samba. If you wish to volunteer, please
7725 coordinate your efforts on the samba-technical mailing list. The
7726 toolset is still in usable form; but only for a series of older
7727 printer models, where there are prepared packages to use. Packages for
7728 more up to date print devices are needed if Imprints should have a
7729 future.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903998"></a>What is Imprints?</h3></div></div><div></div></div><p>
7730 Imprints is a collection of tools for supporting these goals:
7731 </p><div class="itemizedlist"><ul type="disc"><li><p>Providing a central repository of information regarding
7732 Windows NT and 95/98 printer driver packages</p></li><li><p>Providing the tools necessary for creating the
7733 Imprints printer driver packages.</p></li><li><p>Providing an installation client which will obtain
7734 printer drivers from a central internet (or intranet) Imprints Server
7735 repository and install them on remote Samba and Windows NT4 print
7736 servers.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904040"></a>Creating Printer Driver Packages</h3></div></div><div></div></div><p>
7737 The process of creating printer driver packages is beyond the scope of
7738 this document (refer to Imprints.txt also included with the Samba
7739 distribution for more information). In short, an Imprints driver
7740 package is a gzipped tarball containing the driver files, related INF
7741 files, and a control file needed by the installation client.
7742 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904059"></a>The Imprints Server</h3></div></div><div></div></div><p>
7743 The Imprints server is really a database server that may be queried
7744 via standard HTTP mechanisms. Each printer entry in the database has
7745 an associated URL for the actual downloading of the package. Each
7746 package is digitally signed via GnuPG which can be used to verify that
7747 package downloaded is actually the one referred in the Imprints
7748 database. It is strongly recommended that this security check
7749 <span class="emphasis"><em>not</em></span> be disabled.
7750 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904083"></a>The Installation Client</h3></div></div><div></div></div><p>
7751 More information regarding the Imprints installation client is
7752 available in the <tt class="filename">Imprints-Client-HOWTO.ps</tt> file
7753 included with the imprints source package.
7754 </p><p>
7755 The Imprints installation client comes in two forms.
7756 </p><div class="itemizedlist"><ul type="disc"><li><p>a set of command line Perl scripts</p></li><li><p>a GTK+ based graphical interface to the command line Perl
7757 scripts</p></li></ul></div><p>
7758 The installation client (in both forms) provides a means of querying
7759 the Imprints database server for a matching list of known printer
7760 model names as well as a means to download and install the drivers on
7761 remote Samba and Windows NT print servers.
7762 </p><p>
7763 The basic installation process consists of four steps; the Perl code is
7764 wrapped around smbclient and rpcclient:
7765 </p><div class="itemizedlist"><ul type="disc"><li><p>
7766 foreach (supported architecture for a given driver)
7767 </p><div class="orderedlist"><ol type="1"><li><p>rpcclient: Get the appropriate upload directory on the remote server</p></li><li><p>smbclient: Upload the driver files</p></li><li><p>rpcclient: Issues an AddPrinterDriver() MS-RPC</p></li></ol></div><p>
7768 </p></li><li><p>rpcclient: Issue an AddPrinterEx() MS-RPC to actually create the printer</p></li></ul></div><p>
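The same four steps done by hand with <b class="command">rpcclient</b> and
<b class="command">smbclient</b>, as an added example (this is not Imprints' Perl code
and not part of the HOWTO). It assumes a server named SAMBA-SERVER, an authentication
file for <tt>-A</tt>, the driver files unpacked locally into a directory named after the
architecture, and that the package signature has already been verified with
<b class="command">gpg --verify</b>, since whatever lands in <tt>[print$]</tt> is code that
every client will load. The last step binds the driver to an existing queue with
<b class="command">setdriver</b> rather than creating a printer with
<b class="command">addprinter</b>, which on Samba needs a working
<i class="parameter"><tt>add printer command</tt></i>.
</p>
```sh
#!/bin/sh
# Added example, not Imprints' own code: the four installation steps for one
# architecture, done directly with rpcclient and smbclient.  Assumptions: server
# SAMBA-SERVER, an "-A" authentication file, driver files unpacked locally under
# ./W32X86 (or ./WIN40), and a package signature checked with gpg before upload.
# DRY_RUN=1 (default) prints the commands instead of running them.

SERVER=${SERVER:-SAMBA-SERVER}
AUTHFILE=${AUTHFILE:-$HOME/.smbauth}
DRY_RUN=${DRY_RUN:-1}

run() {   # print or execute one command given as separate arguments
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Subdirectory of [print$] for an rpcclient architecture string.
arch_dir() {
    case "$1" in
        "Windows NT x86") echo W32X86 ;;
        "Windows 4.0")    echo WIN40 ;;
        *) echo "unknown architecture: $1" >&2; return 1 ;;
    esac
}

# rpcclient's adddriver description string:
#   "Long Name:driver.dll:data file:config.dll:help file:monitor:datatype:dep1,dep2,..."
# NULL stands for "no language monitor", RAW for the default data type.
adddriver_spec() {   # $1 long name, $2 driver, $3 data, $4 config, $5 help, rest = dependent files
    name=$1 drv=$2 data=$3 cfg=$4 help=$5
    shift 5
    deps=$(printf '%s,' "$@"); deps=${deps%,}
    printf '%s:%s:%s:%s:%s:NULL:RAW:%s' "$name" "$drv" "$data" "$cfg" "$help" "$deps"
}

# Steps 1-3 for one architecture, then step 4 binds the driver to an existing queue.
install_driver() {   # $1 arch, $2 queue, $3 long name, $4.. = driver data config help deps...
    arch=$1 queue=$2 name=$3; shift 3
    dir=$(arch_dir "$arch") || return 1
    spec=$(adddriver_spec "$name" "$@")
    run rpcclient "$SERVER" -A "$AUTHFILE" -c "getdriverdir \"$arch\""          # 1: upload dir
    for f in "$@"; do                                                             # 2: upload files
        run smbclient "//$SERVER/print\$" -A "$AUTHFILE" -c "cd $dir; put $dir/$f $f"
    done
    run rpcclient "$SERVER" -A "$AUTHFILE" -c "adddriver \"$arch\" \"$spec\""     # 3: register
    run rpcclient "$SERVER" -A "$AUTHFILE" -c "setdriver $queue \"$name\""        # 4: bind to queue
}

# Demo on the HOWTO's Canon file names (dry run prints the command sequence).
install_driver 'Windows NT x86' dm9110 'Canon iR8500 PS3' \
    cns3g.dll iR8500sg.xpd cns3gui.dll cns3g.hlp aucplmNT.dll ucs32p.dll
```
<p>
Run the NT x86 architecture first, as the text below explains, and the Windows 9x set
afterwards with the same long driver name. Afterwards <b class="command">enumdrivers 3</b>
should list the driver under the right version directory, and
<b class="command">enumprinters</b> should show its name in the description field of the
queue.
</p><p>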
7769 One of the problems encountered when implementing the Imprints tool
7770 set was the name space issues between various supported client
7771 architectures. For example, Windows NT includes a driver named "Apple
7772 LaserWriter II NTX v51.8" and Windows 95 calls its version of this
7773 driver "Apple LaserWriter II NTX".
7774 </p><p>
7775 The problem is how to know what client drivers have been uploaded for
7776 a printer. An astute reader will remember that the Windows NT Printer
7777 Properties dialog only includes space for one printer driver name. A
7778 quick look in the Windows NT 4.0 system registry at
7779 </p><p><tt class="filename">
7780 HKLM\System\CurrentControlSet\Control\Print\Environment
7781 </tt></p><p>
will reveal that Windows NT always uses the NT driver name. This is
fine, as Windows NT always requires that at least the Windows NT version
of the printer driver is present. However, Samba does not have this
requirement internally. Therefore, how can you use the NT driver name
if it has not already been installed?
7787 </p><p>
The way of sidestepping this limitation is to require that all
Imprints printer driver packages include both the Intel Windows NT and
95/98 printer drivers, and that the NT driver is installed first.
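</p><p>
The four-step sequence listed above, with the namespace caveat just described handled by installing the NT driver first and creating the printer under the NT driver name, as an added example: this is a POSIX shell wrapper written for this edition, not the Imprints client's own Perl code, and the server name, the credentials file path and all driver and file names in it are constructed assumptions.
</p>
```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO or the Imprints package: the
# four-step Imprints installation sequence driven from a POSIX shell with
# rpcclient and smbclient, installing the Windows NT driver before the
# Windows 95/98 driver and creating the printer under the NT driver name.
# SERVER, the credentials file and all driver/file names are constructed.
set -eu

SERVER="${SERVER:-sambacupsserver}"
# A credentials file ("username = ...", "password = ...", mode 0600) keeps
# the printer admin password out of the process list; use a dedicated
# "printer admin" account rather than root wherever smb.conf allows it.
CREDS="${CREDS:-/root/.smbcreds}"
# Set DRYRUN=echo to print the commands instead of running them.
DRYRUN="${DRYRUN:-}"

# Map an architecture string to the [print$] subdirectory smbd uses for it.
# Step 1 (getdriverdir) asks the server for the same path; this local
# mirror is what the smbclient "cd" below relies on.
arch_dir() {
    case "$1" in
        "Windows NT x86") echo W32X86 ;;
        "Windows 4.0")    echo WIN40 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Step 1: rpcclient, get the upload directory on the remote server.
get_upload_dir() {
    $DRYRUN rpcclient "$SERVER" -A "$CREDS" -c "getdriverdir \"$1\""
}

# Step 2: smbclient, upload the driver files (DOS 8.3 names, no spaces).
upload_files() {
    arch="$1"; shift
    dir=$(arch_dir "$arch") || return 1
    cmd="cd $dir"
    for f in "$@"; do cmd="$cmd; put $f"; done
    $DRYRUN smbclient "//$SERVER/print\$" -A "$CREDS" -c "$cmd"
}

# Step 3: rpcclient, issue AddPrinterDriver(). The adddriver argument is
# "Name:Driver:Data:Config:Help:LangMonitor:DefaultDataType:ExtraFiles".
add_driver() {
    $DRYRUN rpcclient "$SERVER" -A "$CREDS" -c "adddriver \"$1\" \"$2:NULL:RAW:NULL\""
}

# Step 4: rpcclient, issue AddPrinterEx() to create the printer itself.
add_printer() {
    # $1 printer and share name, $2 driver name, $3 port
    $DRYRUN rpcclient "$SERVER" -A "$CREDS" -c "addprinter \"$1\" \"$1\" \"$2\" \"$3\""
}

# Steps 1-3 for one architecture.
# spec = "Driver Name:DRV.DLL:DATA.PPD:CFG.DLL:HELP.HLP" (files in cwd).
install_arch() {
    arch="$1"; spec="$2"
    files=$(printf '%s' "$spec" | cut -d: -f2- | tr ':' ' ')
    get_upload_dir "$arch"
    upload_files "$arch" $files
    add_driver "$arch" "$spec"
}

# Whole package: NT driver first, then Win 4.0, then the printer under the
# NT driver name, which is the name Windows NT clients will look for.
install_driver_package() {
    printer="$1"; port="$2"; nt_spec="$3"; w9x_spec="$4"
    install_arch "Windows NT x86" "$nt_spec"
    install_arch "Windows 4.0" "$w9x_spec"
    add_printer "$printer" "${nt_spec%%:*}" "$port"
}

# Stand-alone use: imprints-install.sh PRINTER PORT NT_SPEC W9X_SPEC
if [ "$#" -eq 4 ]; then
    install_driver_package "$@"
fi
```
<p>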
7791 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2904236"></a>Add Network Printers at Logon without User Interaction</h2></div></div><div></div></div><p>
7792 The following MS Knowledge Base article may be of some help if you
7793 need to handle Windows 2000 clients: <span class="emphasis"><em>How to Add Printers
7794 with No User Interaction in Windows 2000.</em></span> ( <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;189105" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;189105</a>
7795 ). It also applies to Windows XP Professional clients.
7796 </p><p>
The ideas sketched out below are inspired by this article. It
describes a command-line method which can be applied to install
network and local printers and their drivers. This is most useful
when integrated into logon scripts. You can see what options are
available by typing this at a command prompt ("DOS box"):
7802 </p><p><b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /?</tt></b></p><p>
A window pops up which shows you all of the command-line switches
available. An extensive list of examples is also provided. This works
only on Windows 2000/XP; it does not work on Windows NT, which probably has
comparable tools in its Resource Kit. Here is a suggestion about
what a client logon script might contain, with a short explanation of
what the lines actually do (it works if 2k/XP Windows clients access
printers via Samba, but works for Windows-based print servers too):
7810 </p><pre class="screen">
7811 <b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /dn /n "\\sambacupsserver\infotec2105-IPDS" /q</tt></b>
7812 <b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /in /n "\\sambacupsserver\infotec2105-PS"</tt></b>
7813 <b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /y /n "\\sambacupsserver\infotec2105-PS"</tt></b>
7814 </pre><p>
7815 Here is a list of the used commandline parameters:
</p><div class="variablelist"><dl><dt><span class="term">/dn</span></dt><dd><p>deletes a network printer</p></dd><dt><span class="term">/q</span></dt><dd><p>quiet mode</p></dd><dt><span class="term">/n</span></dt><dd><p>names a printer</p></dd><dt><span class="term">/in</span></dt><dd><p>adds a network printer connection</p></dd><dt><span class="term">/y</span></dt><dd><p>sets printer as default printer</p></dd></dl></div><div class="itemizedlist"><ul type="disc"><li><p>Line 1 deletes a possibly existing previous network
7817 printer <span class="emphasis"><em>infotec2105-IPDS</em></span> (which had used native
7818 Windows drivers with LPRng that were removed from the server which was
7819 converted to CUPS). The <b class="command">/q</b> at the end eliminates
7820 "Confirm" or error dialog boxes popping up. They should not be
7821 presented to the user logging on.</p></li><li><p>Line 2 adds the new printer
7822 <span class="emphasis"><em>infotec2105-PS</em></span> (which actually is same physical
7823 device but is now run by the new CUPS printing system and associated
7824 with the CUPS/Adobe PS drivers). The printer and its driver
7825 <span class="emphasis"><em>must</em></span> have been added to Samba prior to the user
7826 logging in (e.g. by a procedure as discussed earlier in this chapter,
7827 or by running <b class="command">cupsaddsmb</b>). The driver is now
7828 auto-downloaded to the client PC where the user is about to log
in.</p></li><li><p>Line 3 sets the default printer to this new network
printer (there might be several other printers installed with this
same method, and some may be local as well, so we choose a
default printer). The default printer selection may of course be
different for different users.</p></li></ul></div><p>
7834 Note that the second line only works if the printer
7835 <span class="emphasis"><em>infotec2105-PS</em></span> has an already working print queue
7836 on "sambacupsserver", and if the printer drivers have successfully been
7837 uploaded (via <b class="command">APW</b> ,
7838 <b class="command">smbclient/rpcclient</b> or
7839 <b class="command">cupsaddsmb</b>) into the
7840 <i class="parameter"><tt>[print$]</tt></i> driver repository of Samba. Also, some
7841 Samba versions prior to version 3.0 required a re-start of smbd after
7842 the printer install and the driver upload, otherwise the script (or
7843 any other client driver download) would fail.
7844 </p><p>
Since there is no easy way to test for the existence of an installed
network printer from the logon script, the suggestion is: don't bother
checking and just allow the deinstallation/reinstallation to occur
every time a user logs in; it's really quick anyway (1 to 2 seconds).
7849 </p><p>
7850 The additional benefits for this are:
7851 </p><div class="itemizedlist"><ul type="disc"><li><p>It puts in place any printer default setup changes
7852 automatically at every user logon.</p></li><li><p>It allows for "roaming" users' login into the domain from
7853 different workstations.</p></li></ul></div><p>
Since network printers are installed per user, this greatly simplifies the
process of keeping the installation up to date. The extra few seconds
at logon time will not really be noticeable. Printers can be centrally
added, changed, and deleted at will on the server with no user
intervention required on the clients (you just need to keep the logon
scripts up to date).
7860 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2904556"></a>The <b class="command">addprinter</b> command</h2></div></div><div></div></div><p>
7861 The <b class="command">addprinter</b> command can be configured to be a
7862 shell script or program executed by Samba. It is triggered by running
7863 the APW from a client against the Samba print server. The APW asks the
7864 user to fill in several fields (such as printer name, driver to be
7865 used, comment, port monitor, etc.). These parameters are passed on to
Samba by the APW. If the addprinter command is designed so that
it can create a new printer (by writing correct printcap entries
on legacy systems, or by executing the <b class="command">lpadmin</b> command
on more modern systems) and create the associated share in
, then the APW will in effect really
create a new printer on Samba and the UNIX print subsystem!
7872 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2904602"></a>Migration of "Classical" printing to Samba</h2></div></div><div></div></div><p>
7873 The basic "NT-style" printer driver management has not changed
7874 considerably in 3.0 over the 2.2.x releases (apart from many small
7875 improvements). Here migration should be quite easy, especially if you
7876 followed previous advice to stop using deprecated parameters in your
7877 setup. For migrations from an existing 2.0.x setup, or if you
7878 continued "Win9x-style" printing in your Samba 2.2 installations, it
7879 is more of an effort. Please read the appropriate release notes and
7880 the HOWTO Collection for 2.2. You can follow several paths. Here are
7881 possible scenarios for migration:
7882 </p><div class="itemizedlist"><ul type="disc"><li><p>You need to study and apply the new Windows NT printer
7883 and driver support. Previously used parameters <i class="parameter"><tt>printer
7884 driver file</tt></i>, <i class="parameter"><tt>printer driver</tt></i> and
7885 <i class="parameter"><tt>printer driver location</tt></i> are no longer
7886 supported.</p></li><li><p>If you want to take advantage of WinNT printer driver
7887 support you also need to migrate the Win9x/ME drivers to the new
7888 setup.</p></li><li><p>An existing <tt class="filename">printers.def</tt> file
(the one specified in the now removed parameter <i class="parameter"><tt>printer driver file</tt></i>) will no longer work with Samba 3. In
3.0, smbd attempts to locate the Win9x/ME driver files for the printer
7891 in <i class="parameter"><tt>[print$]</tt></i> and additional settings in the TDB
7892 and only there; if it fails it will <span class="emphasis"><em>not</em></span> (as 2.2.x
7893 used to do) drop down to using a <tt class="filename">printers.def</tt>
7894 (and all associated parameters). The make_printerdef tool is removed
7895 and there is no backwards compatibility for this.</p></li><li><p>You need to install a Windows 9x driver into the
7896 <i class="parameter"><tt>[print$]</tt></i> share for a printer on your Samba
7897 host. The driver files will be stored in the "WIN40/0" subdirectory of
7898 <i class="parameter"><tt>[print$]</tt></i>, and some other settings and info go
7899 into the printing-related TDBs.</p></li><li><p>If you want to migrate an existing
<tt class="filename">printers.def</tt> file into the new setup, the only current
solution is to use the Windows NT APW to install the NT drivers
7902 and the 9x drivers. This can be scripted using smbclient and
7903 rpcclient. See the Imprints installation client at:
7904 </p><p>
7905 <a href="http://imprints.sourceforge.net/" target="_top">http://imprints.sourceforge.net/</a>
7906 </p><p>
7907 for an example. See also the discussion of rpcclient usage in the
7908 "CUPS Printing" section.</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2904779"></a>Publishing Printer Information in Active Directory or LDAP</h2></div></div><div></div></div><p>
7909 We will publish an update to this section shortly.
7910 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2904793"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904800"></a>I give my root password but I don't get access</h3></div></div><div></div></div><p>
7911 Don't confuse the root password which is valid for the UNIX system
7912 (and in most cases stored in the form of a one-way hash in a file
7913 named <tt class="filename">/etc/shadow</tt>) with the password used to
authenticate against Samba. Samba doesn't know the UNIX password; for
7915 root to access Samba resources via Samba-type access, a Samba account
7916 for root must be created first. This is often done with the
7917 <b class="command">smbpasswd</b> command.
7918 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904834"></a>My printjobs get spooled into the spooling directory, but then get lost</h3></div></div><div></div></div><p>
7919 Don't use the existing UNIX print system spool directory for the Samba
7920 spool directory. It may seem convenient and a saving of space, but it
7921 only leads to problems. The two <span class="emphasis"><em>must</em></span> be separate.
7922 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="CUPS-printing"></a>Chapter 19. CUPS Printing Support in Samba 3.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname">Danka Deutschland GmbH <br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Ciprian</span> <span class="surname">Vizitiu</span></h3><span class="contrib">drawings</span><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:CVizitiu@gbif.org">CVizitiu@gbif.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawings</span><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate"> (3 June 2003) </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2904970">Introduction</a></dt><dd><dl><dt><a href="#id2904977">Features and Benefits</a></dt><dt><a href="#id2905020">Overview</a></dt></dl></dd><dt><a href="#id2905074">Basic Configuration of CUPS support</a></dt><dd><dl><dt><a href="#id2905167">Linking of smbd with libcups.so</a></dt><dt><a href="#id2905408">Simple smb.conf Settings for CUPS</a></dt><dt><a href="#id2905584">More complex smb.conf Settings for
7923 CUPS</a></dt></dl></dd><dt><a href="#id2905929">Advanced Configuration</a></dt><dd><dl><dt><a href="#id2905949">Central spooling vs. "Peer-to-Peer" printing</a></dt><dt><a href="#id2905999">CUPS/Samba as a "spooling-only" Print Server; "raw" printing
7924 with Vendor Drivers on Windows Clients</a></dt><dt><a href="#id2906051">Driver Installation Methods on Windows Clients</a></dt><dt><a href="#id2906119">Explicitly enable "raw" printing for
7925 application/octet-stream!</a></dt><dt><a href="#id2906306">Three familiar Methods for driver upload plus a new one</a></dt></dl></dd><dt><a href="#id2906432">Using CUPS/Samba in an advanced Way -- intelligent printing
7926 with PostScript Driver Download</a></dt><dd><dl><dt><a href="#gdipost">GDI on Windows -- PostScript on UNIX</a></dt><dt><a href="#id2906600">Windows Drivers, GDI and EMF</a></dt><dt><a href="#id2906741">UNIX Printfile Conversion and GUI Basics</a></dt><dt><a href="#post-and-ghost">PostScript and Ghostscript</a></dt><dt><a href="#id2907029">Ghostscript -- the Software RIP for non-PostScript Printers</a></dt><dt><a href="#id2907154">PostScript Printer Description (PPD) Specification</a></dt><dt><a href="#id2907241">CUPS can use all Windows-formatted Vendor PPDs</a></dt><dt><a href="#id2907348">CUPS also uses PPDs for non-PostScript Printers</a></dt></dl></dd><dt><a href="#id2907370">The CUPS Filtering Architecture</a></dt><dd><dl><dt><a href="#id2907545">MIME types and CUPS Filters</a></dt><dt><a href="#id2907752">MIME type Conversion Rules</a></dt><dt><a href="#id2907903">Filter Requirements</a></dt><dt><a href="#id2908080">Prefilters</a></dt><dt><a href="#id2908183">pstops</a></dt><dt><a href="#id2908292">pstoraster</a></dt><dt><a href="#id2908476">imagetops and imagetoraster</a></dt><dt><a href="#id2908539">rasterto [printers specific]</a></dt><dt><a href="#id2908691">CUPS Backends</a></dt><dt><a href="#id2909039">cupsomatic/Foomatic -- how do they fit into the Picture?</a></dt><dt><a href="#id2909176">The Complete Picture</a></dt><dt><a href="#id2909191">mime.convs</a></dt><dt><a href="#id2909245">"Raw" printing</a></dt><dt><a href="#id2909312">"application/octet-stream" printing</a></dt><dt><a href="#id2909544">PostScript Printer Descriptions (PPDs) for non-PS Printers</a></dt><dt><a href="#id2909807">Difference between cupsomatic/foomatic-rip and
7927 native CUPS printing</a></dt><dt><a href="#id2910018">Examples for filtering Chains</a></dt><dt><a href="#id2910331">Sources of CUPS drivers / PPDs</a></dt><dt><a href="#id2910470">Printing with Interface Scripts</a></dt></dl></dd><dt><a href="#id2910560">Network printing (purely Windows)</a></dt><dd><dl><dt><a href="#id2910577">From Windows Clients to an NT Print Server</a></dt><dt><a href="#id2910632">Driver Execution on the Client</a></dt><dt><a href="#id2910701">Driver Execution on the Server</a></dt></dl></dd><dt><a href="#id2910813">Network Printing (Windows clients -- UNIX/Samba Print
7928 Servers)</a></dt><dd><dl><dt><a href="#id2910833">From Windows Clients to a CUPS/Samba Print Server</a></dt><dt><a href="#id2911043">Samba receiving Jobfiles and passing them to CUPS</a></dt></dl></dd><dt><a href="#id2911125">Network PostScript RIP: CUPS Filters on Server -- clients use
7929 PostScript Driver with CUPS-PPDs</a></dt><dd><dl><dt><a href="#id2911206">PPDs for non-PS Printers on UNIX</a></dt><dt><a href="#id2911255">PPDs for non-PS Printers on Windows</a></dt></dl></dd><dt><a href="#id2911328">Windows Terminal Servers (WTS) as CUPS Clients</a></dt><dd><dl><dt><a href="#id2911345">Printer Drivers running in "Kernel Mode" cause many
7930 Problems</a></dt><dt><a href="#id2911379">Workarounds impose Heavy Limitations</a></dt><dt><a href="#id2911400">CUPS: a "Magical Stone"?</a></dt><dt><a href="#id2911445">PostScript Drivers with no major problems -- even in Kernel
7931 Mode</a></dt></dl></dd><dt><a href="#id2911506">Setting up CUPS for driver Download</a></dt><dd><dl><dt><a href="#id2911524">cupsaddsmb: the unknown Utility</a></dt><dt><a href="#id2911625">Prepare your smb.conf for cupsaddsmb</a></dt><dt><a href="#id2911845">CUPS Package of "PostScript Driver for WinNT/2k/XP"</a></dt><dt><a href="#id2912128">Recognize the different Driver Files</a></dt><dt><a href="#id2912268">Acquiring the Adobe Driver Files</a></dt><dt><a href="#id2912301">ESP Print Pro Package of "PostScript Driver for
7932 WinNT/2k/XP"</a></dt><dt><a href="#id2912362">Caveats to be considered</a></dt><dt><a href="#id2912629">Benefits of using "CUPS PostScript Driver for
7933 Windows NT/2k/XP" instead of Adobe Driver</a></dt><dt><a href="#id2912835">Run "cupsaddsmb" (quiet Mode)</a></dt><dt><a href="#id2912958">Run "cupsaddsmb" with verbose Output</a></dt><dt><a href="#id2913117">Understanding cupsaddsmb</a></dt><dt><a href="#id2913264">How to recognize if cupsaddsmb completed successfully</a></dt><dt><a href="#id2913349">cupsaddsmb with a Samba PDC</a></dt><dt><a href="#id2913427">cupsaddsmb Flowchart</a></dt><dt><a href="#id2913497">Installing the PostScript Driver on a Client</a></dt><dt><a href="#id2913646">Avoiding critical PostScript Driver Settings on the
7934 Client</a></dt></dl></dd><dt><a href="#id2913780">Installing PostScript Driver Files manually (using
7935 rpcclient)</a></dt><dd><dl><dt><a href="#id2913973">A Check of the rpcclient man Page</a></dt><dt><a href="#id2914086">Understanding the rpcclient man page</a></dt><dt><a href="#id2914186">Producing an Example by querying a Windows Box</a></dt><dt><a href="#id2914333">What is required for adddriver and setdriver to succeed</a></dt><dt><a href="#id2914542">Manual Driver Installation in 15 Steps</a></dt><dt><a href="#id2915566">Troubleshooting revisited</a></dt></dl></dd><dt><a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt><a href="#id2915962">Trivial DataBase Files</a></dt><dt><a href="#id2916041">Binary Format</a></dt><dt><a href="#id2916103">Losing *.tdb Files</a></dt><dt><a href="#id2916162">Using tdbbackup</a></dt></dl></dd><dt><a href="#id2916297">CUPS Print Drivers from Linuxprinting.org</a></dt><dd><dl><dt><a href="#id2916436">foomatic-rip and Foomatic explained</a></dt><dt><a href="#id2917129">foomatic-rip and Foomatic-PPD Download and Installation</a></dt></dl></dd><dt><a href="#id2917602">Page Accounting with CUPS</a></dt><dd><dl><dt><a href="#id2917645">Setting up Quotas</a></dt><dt><a href="#id2917708">Correct and incorrect Accounting</a></dt><dt><a href="#id2917748">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt><a href="#id2917829">The page_log File Syntax</a></dt><dt><a href="#id2917938">Possible Shortcomings</a></dt><dt><a href="#id2918010">Future Developments</a></dt><dt><a href="#id2918058">Other Accounting Tools</a></dt></dl></dd><dt><a href="#id2918072">Additional Material</a></dt><dt><a href="#id2918267">Auto-Deletion or Preservation of CUPS Spool Files</a></dt><dd><dl><dt><a href="#id2918326">CUPS Configuration Settings explained</a></dt><dt><a href="#id2918407">Pre-conditions</a></dt><dt><a href="#id2918564">Manual Configuration</a></dt></dl></dd><dt><a href="#id2918622">In Case of Trouble.....</a></dt><dt><a href="#id2918682">Printing from CUPS to Windows attached
7936 Printers</a></dt><dt><a href="#id2918955">More CUPS filtering Chains</a></dt><dt><a href="#id2796634">Common Errors</a></dt><dd><dl><dt><a href="#id2796642">Win9x client can't install driver</a></dt><dt><a href="#id2919061">"cupsaddsmb" keeps asking for root password in
7937 neverending loop</a></dt><dt><a href="#id2919107">"cupsaddsmb" gives "No PPD file for printer..."
7938 message while PPD file is present</a></dt><dt><a href="#id2919163">Client can't connect to Samba printer</a></dt><dt><a href="#id2919497">Can't reconnect to Samba under new account
7939 from Win2K/XP</a></dt><dt><a href="#id2919582">Avoid being connected to the Samba server as the
7940 "wrong" user</a></dt><dt><a href="#id2919635">Upgrading to CUPS drivers from Adobe drivers on
7941 NT/2K/XP clients gives problems</a></dt><dt><a href="#id2919649">Can't use "cupsaddsmb" on Samba server which is
7942 a PDC</a></dt><dt><a href="#id2919678">Deleted Win2K printer driver is still shown</a></dt><dt><a href="#id2919695">Win2K/XP "Local Security
7943 Policies"</a></dt><dt><a href="#id2919711">WinXP clients: "Administrator can not install
7944 printers for all local users"</a></dt><dt><a href="#id2919733">"Print Change Notify" functions on
7945 NT-clients</a></dt><dt><a href="#id2919752">WinXP-SP1</a></dt><dt><a href="#id2919794">Print options for all users can't be set on Win2K/XP</a></dt><dt><a href="#id2920067">Most common blunders in driver
7946 settings on Windows clients</a></dt><dt><a href="#id2920114">cupsaddsmb does not work
7947 with newly installed printer</a></dt><dt><a href="#id2920175">Permissions on
7948 /var/spool/samba/ get reset after each
7949 reboot</a></dt><dt><a href="#id2920284">Printer named "lp"
7950 intermittently swallows jobs and spits out completely different
7951 ones</a></dt><dt><a href="#id2920314">Location of Adobe PostScript driver files necessary for "cupsaddsmb"</a></dt></dl></dd><dt><a href="#id2920369">An Overview of the CUPS Printing Processes</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2904970"></a>Introduction</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904977"></a>Features and Benefits</h3></div></div><div></div></div><p>
7952 The Common UNIX Print System (<a href="http://www.cups.org/" target="_top">CUPS</a>) has become very popular. All
7953 major Linux distributions now ship it as their default printing
7954 system. To many it is still a very mystical tool. Mostly, it
7955 "just works" (TM). People tend to regard it as a "black box"
7956 which they don't want to look into, as long as it works. But once
there is a little problem, they have trouble finding out where to
start debugging it. Refer also to the "Classical Printing" chapter; it
contains a lot of information that is relevant for CUPS.
7960 </p><p>
7961 CUPS sports quite a few unique and powerful features. While their
7962 basic functions may be grasped quite easily, they are also
7963 new. Because they are different from other, more traditional printing
7964 systems, it is best to try and not apply any prior knowledge about
7965 printing upon this new system. Rather, try to understand CUPS
7966 from the beginning. This documentation will lead you to a
7967 complete understanding of CUPS. Let's start with the most basic
7968 things first.
7969 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905020"></a>Overview</h3></div></div><div></div></div><p>
7970 CUPS is more than just a print spooling system. It is a complete
7971 printer management system that complies with the new IPP
7972 (<span class="emphasis"><em>Internet Printing Protocol</em></span>). IPP is an industry
7973 and IETF (<span class="emphasis"><em>Internet Engineering Task Force</em></span>)
7974 standard for network printing. Many of its functions can be managed
7975 remotely (or locally) via a web browser (giving you a
7976 platform-independent access to the CUPS print server). Additionally, it
7977 has the traditional command line and several more modern GUI interfaces
7978 (GUI interfaces developed by 3rd parties, like KDE's
7979 overwhelming <a href="http://printing.kde.org/" target="_top">KDEPrint</a>).
7980 </p><p>
CUPS allows creation of "raw" printers (i.e. no print file
7982 format translation) as well as "smart" printers (i.e. CUPS does
7983 file format conversion as required for the printer). In many ways
7984 this gives CUPS similar capabilities to the MS Windows print
7985 monitoring system. Of course, if you are a CUPS advocate, you would
7986 argue that CUPS is better! In any case, let us now move on to
7987 explore how one may configure CUPS for interfacing with MS Windows
7988 print clients via Samba.
7989 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905074"></a>Basic Configuration of CUPS support</h2></div></div><div></div></div><p>
7990 Printing with CUPS in the most basic <tt class="filename">smb.conf</tt> setup in Samba 3.0 (as was true for 2.2.x) only needs two
7991 settings: <a class="indexterm" name="id2905093"></a><i class="parameter"><tt>printing</tt></i> = cups and
7992 <a class="indexterm" name="id2905107"></a><i class="parameter"><tt>printcap</tt></i> = cups. CUPS does not need a printcap file.
7993 However, the <tt class="filename">cupsd.conf</tt> configuration file knows of two related directives that control
7994 how such a file will be automatically created and maintained by CUPS for the convenience of third party
7995 applications (example: <i class="parameter"><tt>Printcap /etc/printcap</tt></i> and <i class="parameter"><tt>PrintcapFormat BSD</tt></i>).
7996 Legacy programs often require the existence of a printcap file containing printer names or they will refuse to
7997 print. Make sure CUPS is set to generate and maintain a printcap file! For details see
7998 <b class="command">man cupsd.conf</b> and other CUPS-related documentation, like the wealth of documents on your CUPS server
7999 itself: <a href="http://localhost:631/documentation.html" target="_top">http://localhost:631/documentation.html</a>.
8000 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905167"></a>Linking of smbd with libcups.so</h3></div></div><div></div></div><p>
8001 Samba has a very special relationship to CUPS. Samba can be compiled with CUPS library support.
Most recent installations have this support enabled. By default, CUPS linking is compiled
into smbd and other Samba binaries. Of course, you can use CUPS even
8004 if Samba is not linked against <tt class="filename">libcups.so</tt> -- but
8005 there are some differences in required or supported configuration
8006 then.
8007 </p><p>
8008 When Samba is compiled against libcups, <a class="indexterm" name="id2905197"></a><i class="parameter"><tt>printcap</tt></i> = cups
8009 uses the CUPS API to list printers, submit jobs, query queues, etc. Otherwise it maps to the System V
8010 commands with an additional <b class="command">-oraw</b> option for printing. On a Linux
8011 system, you can use the <b class="command">ldd</b> utility to find out details (ldd may not be present on
8012 other OS platforms, or its function may be embodied by a different command):
8013 </p><pre class="screen">
8014 <tt class="prompt">root# </tt><b class="userinput"><tt>ldd `which smbd`</tt></b>
8015 libssl.so.0.9.6 =&gt; /usr/lib/libssl.so.0.9.6 (0x4002d000)
8016 libcrypto.so.0.9.6 =&gt; /usr/lib/libcrypto.so.0.9.6 (0x4005a000)
8017 libcups.so.2 =&gt; /usr/lib/libcups.so.2 (0x40123000)
8018 [....]
8019 </pre><p>
8020 The line <tt class="computeroutput">libcups.so.2 =&gt; /usr/lib/libcups.so.2 (0x40123000)</tt> shows
8021 there is CUPS support compiled into this version of Samba. If this is the case, and printing = cups
8022 is set, then <span class="emphasis"><em>any otherwise manually set print command in <tt class="filename">smb.conf</tt> is ignored</em></span>.
8023 This is an important point to remember!
8024 </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> Should it be necessary, for any reason, to set your own print commands, you can do this by setting
<a class="indexterm" name="id2905291"></a><i class="parameter"><tt>printing</tt></i> = sysv. However, you will lose all the benefits
8026 of tight CUPS/Samba integration. When you do this you must manually configure the printing system commands
8027 (most important: <a class="indexterm" name="id2905308"></a><i class="parameter"><tt>print command</tt></i>; other commands are
8028 <a class="indexterm" name="id2905322"></a><i class="parameter"><tt>lppause command</tt></i>,
8029 <a class="indexterm" name="id2905336"></a><i class="parameter"><tt>lpresume command</tt></i>,
8030 <a class="indexterm" name="id2905350"></a><i class="parameter"><tt>lpq command</tt></i>,
8031 <a class="indexterm" name="id2905364"></a><i class="parameter"><tt>lprm command</tt></i>,
8032 <a class="indexterm" name="id2905378"></a><i class="parameter"><tt>queuepause command</tt></i> and
8033 <a class="indexterm" name="id2905392"></a><i class="parameter"><tt>queue resume command</tt></i>).</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905408"></a>Simple <tt class="filename">smb.conf</tt> Settings for CUPS</h3></div></div><div></div></div><p>
8034 To summarize, here is the simplest printing-related setup for <tt class="filename">smb.conf</tt> to enable basic CUPS support:
8035 </p><div class="example"><a name="id2905436"></a><p class="title"><b>Example 19.1. Simplest printing-related smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>load printers = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = cups</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap name = cups</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = All Printers</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>public = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = root, @ntadmins</tt></i></td></tr></table></div><p>
This is all you need for a basic printing setup for CUPS. It will print
all Graphic, Text, PDF and PostScript files submitted from Windows
clients. However, most of your Windows users would not know how to
send these kinds of files to print without opening a GUI
application. Windows clients tend to have local printer drivers
installed. And the GUI application's print buttons start a printer
driver. Your users also very rarely send files from the command
line. Unlike UNIX clients, they hardly submit graphic, text or PDF
formatted files directly to the spooler. They nearly exclusively print
from GUI applications, with a "printer driver" hooked in between the
application's native format and the print data stream. If the backend
printer is not a PostScript device, the print data stream is "binary",
meaningful only to the target printer. Read on to learn which problem
this may cause and how to avoid it.
8050 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905584"></a>More complex <tt class="filename">smb.conf</tt> Settings for
8051 CUPS</h3></div></div><div></div></div><p>
8052 Here is a slightly more complex printing-related setup
8053 for <tt class="filename">smb.conf</tt>. It enables general CUPS printing
8054 support for all printers, but defines one printer share which is set
8055 up differently.
8056 </p><div class="example"><a name="id2905615"></a><p class="title"><b>Example 19.2. Overriding global CUPS settings for one printer</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = cups</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap name = cups</tt></i></td></tr><tr><td><i class="parameter"><tt>load printers = yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = All Printers</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>public = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = root, @ntadmins</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[special_printer]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = A special printer with its own settings</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba-special</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = sysv</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap = lpstat</tt></i></td></tr><tr><td><i class="parameter"><tt>print command = echo "NEW: `date`: printfile %f" &gt;&gt; /tmp/smbprn.log ; \</tt></i></td></tr><tr><td><i class="parameter"><tt>echo " `date`: p-%p s-%s f-%f" &gt;&gt; /tmp/smbprn.log ; \</tt></i></td></tr><tr><td><i class="parameter"><tt>echo " `date`: j-%j J-%J z-%z c-%c" &gt;&gt; /tmp/smbprn.log ; rm %f</tt></i></td></tr><tr><td><i class="parameter"><tt>public = no</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = no</tt></i></td></tr><tr><td><i 
class="parameter"><tt>writeable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = kurt</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts deny = 0.0.0.0</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts allow = turbo_xp, 10.160.50.23, 10.160.51.60</tt></i></td></tr></table></div><p>
8057 This special share is only there for testing purposes. It does not write the print job to a file. It just logs the job parameters
8058 known to Samba into the <tt class="filename">/tmp/smbprn.log</tt> file and deletes the jobfile. Moreover, the
8059 <a class="indexterm" name="id2905879"></a><i class="parameter"><tt>printer admin</tt></i> of this share is "kurt" (not the "@ntadmins" group);
8060 guest access is not allowed; the share is not published to the Network Neighbourhood (so you need to know it is there), and it
8061 allows access from only three hosts. To prevent CUPS kicking in and taking over the print jobs for that share, we need to set
8062 <a class="indexterm" name="id2905899"></a><i class="parameter"><tt>printing</tt></i> = sysv and
8063 <a class="indexterm" name="id2905912"></a><i class="parameter"><tt>printcap</tt></i> = lpstat.
8064 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905929"></a>Advanced Configuration</h2></div></div><div></div></div><p>
8065 Before we delve into all the configuration options, let us clarify a few
8066 points. <span class="emphasis"><em>Network printing needs to be organized and set up
8067 correctly</em></span>. Often this is not done correctly. Legacy systems
8068 or small business LAN environments often lack design and good housekeeping.
8069 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905949"></a>Central spooling vs. "Peer-to-Peer" printing</h3></div></div><div></div></div><a class="indexterm" name="id2905958"></a><a class="indexterm" name="id2905970"></a><p>
8070 Many small office or home networks, as well as badly organized larger
8071 environments, allow each client direct access to available network
8072 printers. This is generally a bad idea. It often blocks one client's
8073 access to the printer when another client's job is printing. It also
8074 might freeze the first client's application while it is waiting to get
8075 rid of the job. Also, there are frequent complaints about various jobs
8076 being printed with their pages mixed with each other. A better concept
8077 is the use of a "print server": it routes all jobs through one
8078 central system, which responds immediately, takes jobs from multiple
8079 concurrent clients at the same time and in turn transfers them to the
8080 printer(s) in the correct order.
8081 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905999"></a>CUPS/Samba as a "spooling-only" Print Server; "raw" printing
8082 with Vendor Drivers on Windows Clients</h3></div></div><div></div></div><a class="indexterm" name="id2906008"></a><a class="indexterm" name="id2906017"></a><p>
8083 Most traditionally configured UNIX print servers acting on behalf of
8084 Samba's Windows clients represented a really simple setup. Their only
8085 task was to manage the "raw" spooling of all jobs handed to them by
8086 Samba. This approach meant that the Windows clients were expected to
8087 prepare the print job file so that it is ready to be sent to the printing
8088 device. Here a native (vendor-supplied) Windows printer
8089 driver for the target device needed to be installed on each and every
8090 client.
8091 </p><p>
8092 It is possible to configure CUPS, Samba and your Windows clients in the
8093 same, traditional and simple way. When CUPS printers are configured
8094 for RAW print-through mode operation, it is the responsibility of the
8095 Samba client to fully render the print job (file). The file must be
8096 sent in a format that is suitable for direct delivery to the
8097 printer. Clients need to run the vendor-provided drivers to do
8098 this. In this case CUPS will NOT do any print file format conversion
8099 work.
8100 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906051"></a>Driver Installation Methods on Windows Clients</h3></div></div><div></div></div><p>
8101 The printer drivers on the Windows clients may be installed
8102 in two functionally different ways:
8103 </p><div class="itemizedlist"><ul type="disc"><li><p>manually install the drivers locally on each client,
8104 one by one; this yields the old <span class="emphasis"><em>LanMan</em></span> style
8105 printing; it uses a <tt class="filename">\\sambaserver\printershare</tt>
8106 type of connection.</p></li><li><p>
8107 <a class="indexterm" name="id2906094"></a>
8108 deposit and prepare the drivers (for later download) on
8109 the print server (Samba); this enables the clients to use
8110 "Point and Print" to get drivers semi-automatically installed the
8111 first time they access the printer; with this method NT/2K/XP
8112 clients use the <span class="emphasis"><em>SPOOLSS/MS-RPC</em></span>
8113 type printing calls.</p></li></ul></div><p>
8114 The second method is recommended for use over the first.
8115 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906119"></a>Explicitly enable "raw" printing for
8116 <span class="emphasis"><em>application/octet-stream</em></span>!</h3></div></div><div></div></div><a class="indexterm" name="id2906132"></a><p>
8117 If you use the first option (drivers are installed on the client
8118 side), there is one setting to take care of: CUPS needs to be told
8119 that it should allow "raw" printing of arbitrary (binary) file
8120 formats. The CUPS files that need to be correctly set for RAW mode
8121 printers to work are:
8122 </p><div class="itemizedlist"><ul type="disc"><li><p>/etc/cups/mime.types
8123 </p></li><li><p>/etc/cups/mime.convs</p></li></ul></div><p>
8124 Both contain entries (at the end of the respective files) which must
8125 be uncommented to allow RAW mode operation.
8126 In <tt class="filename">/etc/cups/mime.types</tt> make sure this line is
8127 present:
8128 </p><pre class="screen">
8129 application/octet-stream
8130 </pre><p>
8131 In <tt class="filename">/etc/cups/mime.convs</tt>,
8132 have this line:
8133 </p><a class="indexterm" name="id2906200"></a><pre class="screen">
8134 application/octet-stream application/vnd.cups-raw 0 -
8135 </pre><p>
8136 If these two files are not set up correctly for raw Windows client
8137 printing, you may encounter the dreaded <tt class="computeroutput">Unable to
8138 convert file 0</tt> in your CUPS error_log file.
8139 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>editing the <tt class="filename">mime.convs</tt> and the
8140 <tt class="filename">mime.types</tt> file does not
8141 <span class="emphasis"><em>enforce</em></span> "raw" printing, it only
8142 <span class="emphasis"><em>allows</em></span> it.
8143 </p></div><p><b>Background. </b><a class="indexterm" name="id2906266"></a>
8144 CUPS being a more security-aware printing system than traditional ones
8145 does not by default allow a user to send arbitrary (possibly binary)
8146 data to printing devices. This could be easily abused to launch a
8147 "Denial of Service" attack on your printer(s), causing at the least
8148 the loss of a lot of paper and ink. "Unknown" data are tagged by CUPS
8149 as <span class="emphasis"><em>MIME type: application/octet-stream</em></span> and not
8150 allowed to go to the printer. By default, you can only send other
8151 (known) MIME types "raw". Sending data "raw" means that CUPS does not
8152 try to convert them and passes them to the printer untouched (see next
8153 chapter for even more background explanations).
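As an added example (not part of the HOWTO), the following POSIX shell script checks whether the two raw-printing entries named above are active, that is present and not commented out, in a given <tt class="filename">mime.types</tt> and <tt class="filename">mime.convs</tt>; it is the check to run before hunting an "Unable to convert file 0" in the error_log. The function names and the miniature sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO: check whether a CUPS host
# has the two "raw printing" entries from the text active (present and
# not commented out) in mime.types and mime.convs.  The function names and
# the miniature sample files written below are constructed for this demo.
set -e

# has_active_entry FILE PATTERN
# Succeed if FILE has a line that is neither blank nor a '#' comment and
# matches the extended regular expression PATTERN.
has_active_entry() {
    file=$1
    pattern=$2
    [ -r "$file" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$file" | grep -Eq "$pattern"
}

# cups_raw_status MIME_TYPES MIME_CONVS
# Report on both files.  Exit status: 0 = raw printing allowed,
# 1 = mime.types entry missing, 2 = mime.convs rule missing, 3 = both.
cups_raw_status() {
    types=$1
    convs=$2
    rc=0
    if has_active_entry "$types" \
        '^[[:space:]]*application/octet-stream([[:space:]]|$)'; then
        echo "ok:      $types declares application/octet-stream"
    else
        echo "MISSING: $types has no active application/octet-stream line"
        rc=$((rc + 1))
    fi
    if has_active_entry "$convs" \
        '^[[:space:]]*application/octet-stream[[:space:]]+application/vnd\.cups-raw[[:space:]]+[0-9]+[[:space:]]+-'; then
        echo "ok:      $convs routes application/octet-stream to the raw filter"
    else
        echo "MISSING: $convs has no active octet-stream -> vnd.cups-raw rule"
        rc=$((rc + 2))
    fi
    return $rc
}

# write_sample_files DIR MODE
# Write constructed miniature mime.types and mime.convs into DIR.  MODE is
# "commented" (the stock state: raw printing blocked) or "enabled" (the
# two lines uncommented, as the text asks for).
write_sample_files() {
    dir=$1
    mode=$2
    if [ "$mode" = enabled ]; then prefix=""; else prefix="#"; fi
    cat > "$dir/mime.types" <<EOF
# constructed sample mime.types (not a real CUPS file)
application/postscript    ai eps ps string(0,%!)
${prefix}application/octet-stream
EOF
    cat > "$dir/mime.convs" <<EOF
# constructed sample mime.convs (not a real CUPS file)
application/postscript    application/vnd.cups-postscript  66  pstops
${prefix}application/octet-stream  application/vnd.cups-raw  0  -
EOF
}

# Demonstration on the constructed files; point cups_raw_status at
# /etc/cups/mime.types and /etc/cups/mime.convs to check a real host.
demo_dir=$(mktemp -d)
for mode in commented enabled; do
    write_sample_files "$demo_dir" "$mode"
    echo "== sample files in '$mode' state =="
    cups_raw_status "$demo_dir/mime.types" "$demo_dir/mime.convs" \
        || echo "-> raw printing of unknown data is blocked (status $?)"
done
rm -rf "$demo_dir"
```

A non-zero status only tells you that CUPS will refuse octet-stream jobs; as the note above says, an active entry allows raw printing but does not force it.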
8154 </p><p>
8155 This is all you need to know to get the CUPS/Samba combo printing
8156 "raw" files prepared by Windows clients, which have vendor drivers
8157 locally installed. If you are not interested in background information about
8158 more advanced CUPS/Samba printing, simply skip the remaining sections
8159 of this chapter.
8160 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906306"></a>Three familiar Methods for driver upload plus a new one</h3></div></div><div></div></div><a class="indexterm" name="id2906315"></a><p>
8161 If you want to use the MS-RPC type printing, you must upload the
8162 drivers onto the Samba server first (<i class="parameter"><tt>[print$]</tt></i>
8163 share). For a discussion on how to deposit printer drivers on the
8164 Samba host (so that the Windows clients can download and use them via
8165 "Point'n'Print") please also refer to the previous chapter of this
8166 HOWTO Collection. There you will find a description or reference to
8167 three methods of preparing the client drivers on the Samba server:
8168 </p><a class="indexterm" name="id2906342"></a><div class="itemizedlist"><ul type="disc"><li><p>the GUI, "Add Printer Wizard"
8169 <span class="emphasis"><em>upload-from-a-Windows-client</em></span>
8170 method;</p></li><li><p>the commandline, "smbclient/rpcclient"
8171 <span class="emphasis"><em>upload-from-a-UNIX-workstation</em></span>
8172 method;</p></li><li><p>
8173 <a class="indexterm" name="id2906380"></a>
8174 the <span class="emphasis"><em>Imprints</em></span> Toolset
8175 method.</p></li></ul></div><p>
8176 These three methods apply to CUPS all the same. A new and more
8177 convenient way to load the Windows drivers into Samba is provided
8178 if you use CUPS:
8179 </p><a class="indexterm" name="id2906402"></a><div class="itemizedlist"><ul type="disc"><li><p>the <span class="emphasis"><em>cupsaddsmb</em></span>
8180 utility.</p></li></ul></div><p>
8181 cupsaddsmb is discussed in much detail further below. But we will
8182 first explore the CUPS filtering system and compare the Windows and
8183 UNIX printing architectures.
8184 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2906432"></a>Using CUPS/Samba in an advanced Way -- intelligent printing
8185 with PostScript Driver Download</h2></div></div><div></div></div><a class="indexterm" name="id2906442"></a><p>
8186 Are you still following this? Good. Let's go into more detail then. We now know
8187 how to set up a "dumb" printserver, that is, a server which is spooling
8188 printjobs "raw", leaving the print data untouched.
8189 </p><p>
8190 Possibly you need to set up CUPS in a smarter way. The reasons could
8191 be manifold:
8192 </p><div class="itemizedlist"><ul type="disc"><li><p>Maybe your boss wants to get monthly statistics: Which
8193 printer did how many pages? What was the average data size of a job?
8194 What was the average print run per day? What are the typical hourly
8195 peaks in printing? Which departments print how
8196 much?</p></li><li><p>Maybe you are asked to set up a print quota system:
8197 users should not be able to print more jobs, once they have surpassed
8198 a given limit per period?</p></li><li><p>Maybe your previous network printing setup is a mess
8199 and shall be re-organized from a clean beginning?</p></li><li><p>Maybe you are experiencing too many "Blue Screens",
8200 originating from poorly debugged printer drivers running in NT "kernel
8201 mode"?</p></li></ul></div><p>
8202 These goals cannot be achieved by a raw print server. To build a
8203 server meeting these requirements, you'll first need to learn about
8204 how CUPS works and how you can enable its features.
8205 </p><p>
8206 What follows is the comparison of some fundamental concepts for
8207 Windows and UNIX printing; then it is time for a description of the
8208 CUPS filtering system, how it works and how you can tweak it.
8209 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gdipost"></a>GDI on Windows -- PostScript on UNIX</h3></div></div><div></div></div><a class="indexterm" name="id2906532"></a><a class="indexterm" name="id2906540"></a><p>
8210 Network printing is one of the most complicated and error-prone
8211 day-to-day tasks any user or administrator may encounter. This is
8212 true for all OS platforms. And there are reasons for this.
8213 </p><a class="indexterm" name="id2906556"></a><a class="indexterm" name="id2906564"></a><p>
8214 You can't expect to just throw most file formats at a printer and
8215 have them printed. There needs to be a file format
8216 conversion in between. The problem is: there is no common standard for
8217 print file formats across all manufacturers and printer types. While
8218 <span class="emphasis"><em>PostScript</em></span> (trademark held by Adobe), and, to an
8219 extent, <span class="emphasis"><em>PCL</em></span> (trademark held by HP), have developed
8220 into semi-official "standards", by being the most widely used PDLs
8221 (<span class="emphasis"><em>Page Description Languages</em></span>), there are still
8222 many manufacturers who "roll their own" (their reasons may be
8223 unacceptable license fees for using printer-embedded PostScript
8224 interpreters, etc.).
8225 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906600"></a>Windows Drivers, GDI and EMF</h3></div></div><div></div></div><a class="indexterm" name="id2906609"></a><a class="indexterm" name="id2906618"></a><a class="indexterm" name="id2906626"></a><p>
8226 In Windows OS, the format conversion job is done by the printer
8227 drivers. On MS Windows OS platforms all application programmers have
8228 at their disposal a built-in API, the GDI (<span class="emphasis"><em>Graphical Device
8229 Interface</em></span>), as part and parcel of the OS itself, to base
8230 themselves on. This GDI core is used as one common unified ground, for
8231 all Windows programs, to draw pictures, fonts and documents
8232 <span class="emphasis"><em>on screen</em></span> as well as <span class="emphasis"><em>on
8233 paper</em></span> (=print). Therefore printer driver developers can
8234 standardize on a well-defined GDI output for their own driver
8235 input. Achieving WYSIWYG ("What You See Is What You Get") is
8236 relatively easy, because the on-screen graphic primitives, as well as
8237 the on-paper drawn objects, come from one common source. This source,
8238 the GDI, often produces a file format called EMF (<span class="emphasis"><em>Enhanced
8239 MetaFile</em></span>). The EMF is processed by the printer driver and
8240 converted to the printer-specific file format.
8241 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
8242 <a class="indexterm" name="id2906676"></a>
8243 Similar to the GDI foundation in MS Windows, Apple has chosen to
8244 put paper and screen output on a common foundation for their
8245 (BSD-UNIX-based, did you know??) Mac OS X and Darwin Operating
8246 Systems. Their <span class="emphasis"><em>Core Graphic Engine</em></span> uses a
8247 <span class="emphasis"><em>PDF</em></span> derivative for all display work.
8248 </p></div><p>
8250 </p><div class="figure"><a name="small1"></a><p class="title"><b>Figure 19.1. Windows Printing to a local Printer</b></p><div class="mediaobject"><img src="projdoc/imagefiles/1small.png" width="270" alt="Windows Printing to a local Printer"></div></div><p>
8251 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906741"></a>UNIX Printfile Conversion and GUI Basics</h3></div></div><div></div></div><a class="indexterm" name="id2906749"></a><a class="indexterm" name="id2906757"></a><a class="indexterm" name="id2906766"></a><a class="indexterm" name="id2906774"></a><p>
8252 In UNIX and Linux, there is no comparable layer built into the OS
8253 kernel(s) or the X (screen display) server. Every application is
8254 responsible for creating its own print output. Fortunately, most
8255 use PostScript. That gives at least some common ground. Unfortunately,
8256 there are many different levels of quality for this PostScript. And
8257 worse: there is a huge difference (and no common root) in the way
8258 the same document is displayed on screen and how it is presented on
8259 paper. WYSIWYG is more difficult to achieve. This goes back to the
8260 time decades ago, when the predecessors of <span class="emphasis"><em>X.org</em></span>,
8261 designing the UNIX foundations and protocols for Graphical User
8262 Interfaces refused to take over responsibility for "paper output"
8263 also, as some had demanded at the time, and restricted themselves to
8264 "on-screen only". (For some years now, the "Xprint" project has been
8265 under development, attempting to build printing support into the X
8266 framework, including a PostScript and a PCL driver, but it is not yet
8267 ready for prime time.) You can see this unfavorable inheritance up to
8268 the present day by looking into the various "font" directories on your
8269 system; there are separate ones for fonts used for X display and fonts
8270 to be used on paper.
8271 </p><p><b>Background. </b><a class="indexterm" name="id2906821"></a>
8272 The PostScript programming language is an "invention" by Adobe Inc.,
8273 but its specifications have been published to the full. Its strength
8274 lies in its powerful abilities to describe graphical objects (fonts,
8275 shapes, patterns, lines, curves, dots...), their attributes (color,
8276 linewidth...) and the way to manipulate (scale, distort, rotate,
8277 shift...) them. Because of its open specification, anybody with the
8278 skill can start writing their own implementation of a PostScript
8279 interpreter and use it to display PostScript files on screen or on
8280 paper. Most graphical output devices are based on the concept of
8281 "raster images" or "pixels" (one notable exception is pen
8282 plotters). Of course, you can look at a PostScript file in its textual
8283 form and you will be reading its PostScript code, the language
8284 instructions which need to be interpreted by a rasterizer. Rasterizers
8285 produce pixel images, which may be displayed on screen by a viewer
8286 program or on paper by a printer.
8287 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="post-and-ghost"></a>PostScript and Ghostscript</h3></div></div><div></div></div><a class="indexterm" name="id2906885"></a><a class="indexterm" name="id2906893"></a><a class="indexterm" name="id2906904"></a><p>
8288 So, UNIX is lacking a common ground for printing on paper and
8289 displaying on screen. Despite this unfavorable legacy for UNIX, basic
8290 printing is fairly easy: if you have PostScript printers at your
8291 disposal! The reason is: these devices have a built-in PostScript
8292 language "interpreter", also called a <span class="emphasis"><em>Raster Image
8293 Processor</em></span> (RIP), (which makes them more expensive than
8294 other types of printers); throw PostScript towards them, and they will
8295 spit out your printed pages. Their RIP is doing all the hard work of
8296 converting the PostScript drawing commands into a bitmap picture as
8297 you see it on paper, at the resolution your printer supports. This is
8298 no different to PostScript printing of a file from a Windows origin.
8299 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
8300 <a class="indexterm" name="id2906942"></a>
8301 Traditional UNIX programs and printing systems -- while
8302 using PostScript -- are largely not PPD-aware. PPDs are "PostScript
8303 Printer Description" files. They enable you to specify and control all
8304 options a printer supports: duplexing, stapling, punching... Therefore
8305 UNIX users for a long time couldn't choose many of the supported
8306 device and job options, unlike Windows or Apple users. But now there
8307 is CUPS....
8308 </p></div><p>
8309 </p><div class="figure"><a name="small2"></a><p class="title"><b>Figure 19.2. Printing to a Postscript Printer</b></p><div class="mediaobject"><img src="projdoc/imagefiles/2small.png" width="270" alt="Printing to a Postscript Printer"></div></div><p>
8310 </p><a class="indexterm" name="id2907006"></a><p>
8311 However, there are other types of printers out there. These don't know
8312 how to print PostScript. They use their own <span class="emphasis"><em>Page Description
8313 Language</em></span> (PDL, often proprietary). To print to them is much
8314 more demanding. Since your UNIX applications mostly produce
8315 PostScript, and since these devices don't understand PostScript, you
8316 need to convert the printfiles to a format suitable for your printer
8317 on the host, before you can send it away.
8318 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907029"></a>Ghostscript -- the Software RIP for non-PostScript Printers</h3></div></div><div></div></div><a class="indexterm" name="id2907037"></a><p>
8319 Here is where <span class="emphasis"><em>Ghostscript</em></span> kicks in. Ghostscript is
8320 the traditional (and quite powerful) PostScript interpreter used on
8321 UNIX platforms. It is a RIP in software, capable of doing a
8322 <span class="emphasis"><em>lot</em></span> of file format conversions, for a very broad
8323 spectrum of hardware devices as well as software file formats.
8324 Ghostscript technology and drivers are what enable PostScript printing
8325 to non-PostScript hardware.
8326 </p><p>
8327 </p><div class="figure"><a name="small3"></a><p class="title"><b>Figure 19.3. Ghostscript as a RIP for non-postscript printers</b></p><div class="mediaobject"><img src="projdoc/imagefiles/3small.png" width="270" alt="Ghostscript as a RIP for non-postscript printers"></div></div><p>
8328 </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
8329 Use the "gs -h" command to check for all built-in "devices" of your
8330 Ghostscript version. If you specify e.g. a parameter of
8331 <i class="parameter"><tt>-sDEVICE=png256</tt></i> on your Ghostscript command
8332 line, you are asking Ghostscript to convert the input into a PNG
8333 file. Naming a "device" on the commandline is the most important
8334 single parameter to tell Ghostscript how exactly it should render the
8335 input. New Ghostscript versions are released at fairly regular
8336 intervals, now by artofcode LLC. They are initially put under the
8337 "AFPL" license, but re-released under the GNU GPL as soon as the next
8338 AFPL version appears. GNU Ghostscript is probably the version
8339 installed on most Samba systems. But it has got some
8340 deficiencies. <a class="indexterm" name="id2907085"></a>Therefore ESP Ghostscript was developed as an
8341 enhancement over GNU Ghostscript, with lots of bug-fixes, additional
8342 devices and improvements. It is jointly maintained by developers from
8343 CUPS, Gimp-Print, MandrakeSoft, SuSE, RedHat and Debian. It includes
8344 the "cups" device (essential to print to non-PS printers from CUPS).
8345 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907154"></a>PostScript Printer Description (PPD) Specification</h3></div></div><div></div></div><a class="indexterm" name="id2907162"></a><p>
8346 While PostScript in essence is a <span class="emphasis"><em>Page Description
8347 Language</em></span> (PDL) to represent the page layout in a
8348 <span class="emphasis"><em>device independent</em></span> way, real world print jobs are
8349 always end up being output on hardware with device-specific
8350 features. To take care of all the differences in hardware, and to
8351 allow for innovations, Adobe has specified a syntax and file format
8352 for <span class="emphasis"><em>PostScript Printer Description</em></span> (PPD)
8353 files. Every PostScript printer ships with one of these files.
8354 </p><p>
8355 PPDs contain all information about general and special features of the
8356 given printer model: Which different resolutions can it handle? Does
8357 it have a Duplexing Unit? How many paper trays are there? What media
8358 types and sizes does it take? For each item it also names the special
8359 command string to be sent to the printer (mostly inside the PostScript
8360 file) in order to enable it.
8361 </p><p>
8362 Information from these PPDs is meant to be taken into account by the
8363 printer drivers. Therefore, installed as part of the Windows
8364 PostScript driver for a given printer is the printer's PPD. Where it
8365 makes sense, the PPD features are presented in the drivers' UI dialogs
8366 to display to the user as choice of print options. In the end, the
8367 user selections are somehow written (in the form of special
8368 PostScript, PJL, JCL or vendor-dependent commands) into the PostScript
8369 file created by the driver.
8370 </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
8371 <a class="indexterm" name="id2907224"></a>
8372 A PostScript file that was created to contain device-specific commands
8373 for achieving a certain print job output (e.g. duplexed, stapled and
8374 punched) on a specific target machine, may not print as expected, or
8375 may not be printable at all on other models; it also may not be fit
8376 for further processing by software (e.g. by a PDF distilling program).
8377 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907241"></a>CUPS can use all Windows-formatted Vendor PPDs</h3></div></div><div></div></div><p>
8378 CUPS can handle all spec-compliant PPDs as supplied by the
8379 manufacturers for their PostScript models. Even if a
8380 UNIX/Linux-illiterate vendor might not have mentioned our favorite
8381 OS in its manuals and brochures -- you can safely trust this:
8382 <span class="emphasis"><em>if you get hold of the Windows NT version of the PPD, you
8383 can use it unchanged in CUPS</em></span> and thus access the full
8384 power of your printer just like a Windows NT user could!
8385 </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
8386 To check the spec compliance of any PPD online, go to <a href="http://www.cups.org/testppd.php" target="_top">http://www.cups.org/testppd.php</a>
8387 and upload your PPD. You will see the results displayed
8388 immediately. CUPS in all versions after 1.1.19 has a much more strict
8389 internal PPD parsing and checking code enabled; in case of printing
8390 trouble this online resource should be one of your first pitstops.
8391 </p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
8392 <a class="indexterm" name="id2907289"></a>
8393 <a class="indexterm" name="id2907297"></a>
8394 For real PostScript printers <span class="emphasis"><em>don't</em></span> use the
8395 <span class="emphasis"><em>Foomatic</em></span> or <span class="emphasis"><em>cupsomatic</em></span>
8396 PPDs from Linuxprinting.org. With these devices the original
8397 vendor-provided PPDs are always the first choice!
8398 </p></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
8399 If you are looking for an original vendor-provided PPD of a specific
8400 device, and you know that an NT4 box (or any other Windows box) on
8401 your LAN has the PostScript driver installed, just use
8402 <b class="command">smbclient //NT4-box/print\$ -U username</b> to
8403 access the Windows directory where all printer driver files are
8404 stored. First look in the <tt class="filename">W32X86/2</tt> subdir for
8405 the PPD you are seeking.
8406 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907348"></a>CUPS also uses PPDs for non-PostScript Printers</h3></div></div><div></div></div><p>
8407 CUPS also uses specially crafted PPDs to handle non-PostScript
8408 printers. These PPDs are usually not available from the vendors (and
8409 no, you can't just take the PPD of a Postscript printer with the same
8410 model name and hope it works for the non-PostScript version too). To
8411 understand how these PPDs work for non-PS printers we first need to
8412 dive deeply into the CUPS filtering and file format conversion
8413 architecture. Stay tuned.
8414 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2907370"></a>The CUPS Filtering Architecture</h2></div></div><div></div></div><p>
8415 The core of the CUPS filtering system is based on
8416 <span class="emphasis"><em>Ghostscript</em></span>. In addition to Ghostscript, CUPS
8417 uses some other filters of its own. You (or your OS vendor) may have
8418 plugged in even more filters. CUPS handles all data file formats under
the label of various <span class="emphasis"><em>MIME types</em></span>. Every incoming
print file is first subjected to
<span class="emphasis"><em>auto-typing</em></span>, which assigns it a
MIME type. A given MIME type implies zero or more possible filtering
chains to the selected target printer. This section discusses
how MIME type recognition rules and conversion rules interact: CUPS
uses them to automatically set up a working filtering chain for any
given input data format.
8427 </p><p>
8428 If CUPS rasterizes a PostScript file <span class="emphasis"><em>natively</em></span> to
8429 a bitmap, this is done in 2 stages:
8430 </p><div class="itemizedlist"><ul type="disc"><li><p>the first stage uses a Ghostscript device named "cups"
8431 (this is since version 1.1.15) and produces a generic raster format
8432 called "CUPS raster".
8433 </p></li><li><p>the second stage uses a "raster driver" which converts
8434 the generic CUPS raster to a device specific raster.</p></li></ul></div><p>
8435 Make sure your Ghostscript version has the "cups" device compiled in
8436 (check with <b class="command">gs -h | grep cups</b>). Otherwise you
8437 may encounter the dreaded <tt class="computeroutput">Unable to convert file
8438 0</tt> in your CUPS error_log file. To have "cups" as a
8439 device in your Ghostscript, you either need to <span class="emphasis"><em>patch GNU
8440 Ghostscript</em></span> and re-compile or use <a class="indexterm" name="id2907462"></a><a href="http://www.cups.org/ghostscript.php" target="_top">ESP Ghostscript</a>. The
8441 superior alternative is ESP Ghostscript: it supports not just CUPS,
8442 but 300 other devices too (while GNU Ghostscript supports only about
8443 180). Because of this broad output device support, ESP Ghostscript is
8444 the first choice for non-CUPS spoolers too. It is now recommended by
8445 Linuxprinting.org for all spoolers.
8446 </p><p>
8447 <a class="indexterm" name="id2907490"></a>
8448 <a class="indexterm" name="id2907498"></a>
8449 CUPS printers may be setup to use <span class="emphasis"><em>external</em></span>
8450 rendering paths. One of the most common ones is provided by the
8451 <span class="emphasis"><em>Foomatic/cupsomatic</em></span> concept, from <a href="http://www.linuxprinting.org/" target="_top">Linuxprinting.org</a>. This
8452 uses the classical Ghostscript approach, doing everything in one
8453 step. It doesn't use the "cups" device, but one of the many
8454 others. However, even for Foomatic/cupsomatic usage, best results and
8455 <a class="indexterm" name="id2907528"></a>
8456 broadest printer model support is provided by ESP Ghostscript (more
8457 about cupsomatic/Foomatic, particularly the new version called now
8458 <span class="emphasis"><em>foomatic-rip</em></span>, follows below).
8459 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907545"></a>MIME types and CUPS Filters</h3></div></div><div></div></div><p>
8460 <a class="indexterm" name="id2907557"></a>
8461 CUPS reads the file <tt class="filename">/etc/cups/mime.types</tt>
8462 (and all other files carrying a <tt class="filename">*.types</tt> suffix
8463 in the same directory) upon startup. These files contain the MIME
8464 type recognition rules which are applied when CUPS runs its
8465 auto-typing routines. The rule syntax is explained in the man page
8466 for <tt class="filename">mime.types</tt> and in the comments section of the
8467 <tt class="filename">mime.types</tt> file itself. A simple rule reads
8468 like this:
8469 </p><p>
8470 <a class="indexterm" name="id2907602"></a>
8471 </p><pre class="screen">
8472 application/pdf pdf string(0,%PDF)
8473 </pre><p>
8474 This means: if a filename has either a
8475 <tt class="filename">.pdf</tt> suffix, or if the magic
8476 string <span class="emphasis"><em>%PDF</em></span> is right at the
8477 beginning of the file itself (offset 0 from the start), then it is
8478 a PDF file (<span class="emphasis"><em>application/pdf</em></span>).
8479 Another rule is this:
8480 </p><pre class="screen">
8481 application/postscript ai eps ps string(0,%!) string(0,&lt;04&gt;%!)
8482 </pre><p>
8483 Its meaning: if the filename has one of the suffixes
8484 <tt class="filename">.ai</tt>, <tt class="filename">.eps</tt>,
8485 <tt class="filename">.ps</tt> or if the file itself starts with one of the
8486 strings <span class="emphasis"><em>%!</em></span> or <span class="emphasis"><em>&lt;04&gt;%!</em></span>, it
8487 is a generic PostScript file
8488 (<span class="emphasis"><em>application/postscript</em></span>).
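</p><p>
As an added illustration (not part of the original HOWTO and not CUPS' own
code), the following Python model parses the subset of the mime.types rule
syntax shown above and auto-types a few constructed sample buffers. Only bare
suffixes and string(offset,text) tests with &lt;xx&gt; hex escapes are handled;
the real grammar also has contains(), printable() and and/or operators, and the
exact precedence CUPS applies between rules is simplified here to file order.
The sample rule file and the job contents are constructed for the example.
Note that a suffix rule is satisfied by the client-chosen file name alone, so a
magic-string match is the more trustworthy evidence of what a job really
contains.
</p>
```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the /etc/cups/mime.types rule syntax discussed above.
SAMPLE_MIME_TYPES = """
# type                  suffixes   magic tests
application/pdf         pdf        string(0,%PDF)
application/postscript  ai eps ps  string(0,%!) string(0,<04>%!)
application/octet-stream
"""

_TOKEN = re.compile(r"string\((\d+),([^)]*)\)|(\S+)")
_HEXBYTE = re.compile(r"<([0-9A-Fa-f]{2})>")


def unescape(text: str) -> bytes:
    """Turn the rule text '<04>%!' into the byte string b'\\x04%!'."""
    out = bytearray()
    pos = 0
    for m in _HEXBYTE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


@dataclass
class TypeRule:
    mime: str
    suffixes: List[str] = field(default_factory=list)
    magics: List[Tuple[int, bytes]] = field(default_factory=list)

    def matches_magic(self, data: bytes) -> bool:
        """True if any string(offset,text) test matches the job bytes."""
        return any(data[off:off + len(magic)] == magic for off, magic in self.magics)


def parse_mime_types(text: str) -> List[TypeRule]:
    """Parse rule lines; a line holding only a type name (application/octet-stream) has no tests."""
    rules: List[TypeRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        rule = TypeRule(fields[0])
        for m in _TOKEN.finditer(fields[1] if len(fields) > 1 else ""):
            if m.group(1) is not None:
                rule.magics.append((int(m.group(1)), unescape(m.group(2))))
            else:
                rule.suffixes.append(m.group(3).lower())
        rules.append(rule)
    return rules


def autotype(filename: str, data: bytes, rules: List[TypeRule]) -> Optional[str]:
    """MIME type of the first rule (in file order) that matches, else the bare fallback
    type if one is declared, else None (the job would be refused)."""
    suffix = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    fallback = None
    for rule in rules:
        if not rule.suffixes and not rule.magics:
            fallback = fallback or rule.mime
            continue
        if rule.matches_magic(data) or (suffix and suffix in rule.suffixes):
            return rule.mime
    return fallback


if __name__ == "__main__":
    rules = parse_mime_types(SAMPLE_MIME_TYPES)
    # Constructed job contents: a PDF header, a PostScript job with the <04> lead
    # byte, and a PJL prologue (unknown to these rules) once under a forged name.
    for name, payload in [("report.pdf", b"%PDF-1.4\n"),
                          ("plot.out", b"\x04%!PS-Adobe-3.0\n"),
                          ("blob.bin", b"\x1b%-12345X@PJL\n"),
                          ("forged.pdf", b"\x1b%-12345X@PJL\n")]:
        print(f"{name:12} -> {autotype(name, payload, rules)}")
```
<p>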
8489 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
There is a very important difference between two similar MIME types in
CUPS: one is <span class="emphasis"><em>application/postscript</em></span>, the other is
<span class="emphasis"><em>application/vnd.cups-postscript</em></span>. While
<span class="emphasis"><em>application/postscript</em></span> is meant to be device
independent (job options for the file are still outside the PS file
content, passed by CUPS on the command line or in environment variables),
<span class="emphasis"><em>application/vnd.cups-postscript</em></span> may have the job
options inserted into the PostScript data itself (where
applicable). The transformation of the generic PostScript
(application/postscript) to the device-specific version
(application/vnd.cups-postscript) is the responsibility of the
CUPS <span class="emphasis"><em>pstops</em></span> filter. pstops uses information
contained in the PPD to do the transformation.
8503 </p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
8504 Don't confuse the other mime.types file your system might be using
8505 with the one in the <tt class="filename">/etc/cups/</tt> directory.
8506 </p></div><p>
CUPS can handle ASCII text, HP-GL, PDF, PostScript, DVI and a
lot of image formats (GIF, PNG, TIFF, JPEG, Photo-CD, SUN-Raster,
PNM, PBM, SGI-RGB and some more) and their associated MIME types
with its filters.
8511 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907752"></a>MIME type Conversion Rules</h3></div></div><div></div></div><a class="indexterm" name="id2907760"></a><p>
8512 CUPS reads the file <tt class="filename">/etc/cups/mime.convs</tt>
8513 (and all other files named with a <tt class="filename">*.convs</tt>
8514 suffix in the same directory) upon startup. These files contain
8515 lines naming an input MIME type, an output MIME type, a format
8516 conversion filter which can produce the output from the input type
8517 and virtual costs associated with this conversion. One example line
8518 reads like this:
8519 </p><pre class="screen">
8520 application/pdf application/postscript 33 pdftops
8521 </pre><p>
8522 This means that the <span class="emphasis"><em>pdftops</em></span> filter will take
8523 <span class="emphasis"><em>application/pdf</em></span> as input and produce
8524 <span class="emphasis"><em>application/postscript</em></span> as output, the virtual
8525 cost of this operation is 33 CUPS-$. The next filter is more
8526 expensive, costing 66 CUPS-$:
8527 </p><a class="indexterm" name="id2907822"></a><pre class="screen">
8528 application/vnd.hp-HPGL application/postscript 66 hpgltops
8529 </pre><p>
8530 This is the <span class="emphasis"><em>hpgltops</em></span>, which processes HP-GL
8531 plotter files to PostScript.
</p><a class="indexterm" name="id2907849"></a><p>
8535 Here are two more examples:
8536 </p><a class="indexterm" name="id2907872"></a><pre class="screen">
8537 application/x-shell application/postscript 33 texttops
8538 text/plain application/postscript 33 texttops
8539 </pre><p>
8540 The last two examples name the <span class="emphasis"><em>texttops</em></span> filter
8541 to work on "text/plain" as well as on "application/x-shell". (Hint:
8542 this differentiation is needed for the syntax highlighting feature of
8543 "texttops").
8544 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907903"></a>Filter Requirements</h3></div></div><div></div></div><a class="indexterm" name="id2907910"></a><p>
8545 There are many more combinations named in mime.convs. However, you
8546 are not limited to use the ones pre-defined there. You can plug in any
8547 filter you like into the CUPS framework. It must meet, or must be made
8548 to meet some minimal requirements. If you find (or write) a cool
8549 conversion filter of some kind, make sure it complies to what CUPS
8550 needs, and put in the right lines in <tt class="filename">mime.types</tt>
8551 and <tt class="filename">mime.convs</tt>, then it will work seamlessly
8552 inside CUPS!
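</p><p>
The following is an added example of such a wrapper, written in Python for this
edition; it is not shipped by the HOWTO, CUPS or Samba. It follows the argument
convention listed in the Tip below, reads the job from the named file or from
stdin, refuses input that is not PostScript before handing it to the wrapped
step, embeds the sanitized title and user as DSC comments, and writes the result
to stdout with INFO:/ERROR: diagnostics on stderr (the CUPS stderr convention).
The wrapped step is an in-process function so the example runs offline; a real
wrapper would replace it with a subprocess call to the existing filter. The
PRINTER environment variable is what cupsd sets for filters; the queue-name
fallback to sys.argv[0] and the two sample jobs are assumptions of the example.
</p>
```python
import io
import os
import shlex
import sys
from dataclasses import dataclass
from typing import BinaryIO, Callable, Dict, List, Optional, TextIO


@dataclass(frozen=True)
class FilterArgs:
    printer: str
    job_id: int
    user: str
    title: str
    copies: int
    options: Dict[str, object]
    filename: Optional[str]


def parse_options(text: str) -> Dict[str, object]:
    """'number-up=2 landscape' -> {'number-up': '2', 'landscape': True}; shlex honours quotes."""
    result: Dict[str, object] = {}
    for token in shlex.split(text):
        key, sep, value = token.partition("=")
        result[key] = value if sep else True
    return result


def parse_filter_args(argv: List[str]) -> FilterArgs:
    """argv as CUPS hands it over: printer job-id user title copies options [file]."""
    if len(argv) not in (6, 7):
        raise ValueError("expected: printer job-id user title copies options [file]")
    printer, job_id, user, title, copies, options = argv[:6]
    filename = argv[6] if len(argv) == 7 else None
    return FilterArgs(printer, int(job_id), user, title, int(copies),
                      parse_options(options), filename)


def sanitize(text: str) -> str:
    """Titles and user names come from the client: drop control characters so they cannot
    inject extra DSC lines into the job or extra lines into the error_log."""
    return "".join(ch if ch.isprintable() else " " for ch in text)


def add_dsc_comments(data: bytes, args: FilterArgs) -> bytes:
    """The wrapped step, kept in-process so the example runs offline: insert %%Title: and
    %%For: after the %! header line. A real wrapper would instead call the existing
    filter here with subprocess.run([...], input=data, capture_output=True)."""
    header, newline, rest = data.partition(b"\n")
    dsc = f"%%Title: {sanitize(args.title)}\n%%For: {sanitize(args.user)}\n"
    return header + newline + dsc.encode("latin-1", "replace") + rest


def run_filter(argv: List[str], stdin: BinaryIO, stdout: BinaryIO, stderr: TextIO,
               tool: Callable[[bytes, FilterArgs], bytes] = add_dsc_comments) -> int:
    """Entry point; returns the exit status (0 = success). Everything written to stdout
    becomes job data downstream, so diagnostics go to stderr only."""
    try:
        args = parse_filter_args(argv)
    except ValueError as exc:
        stderr.write(f"ERROR: {exc}\n")
        return 1
    if args.filename:
        with open(args.filename, "rb") as fh:
            data = fh.read()
    else:
        data = stdin.read()
    # Do not trust the type the job arrived with: verify the input really is what this
    # filter's mime.convs line says it takes (application/postscript) before running the tool.
    if not data.startswith(b"%!"):
        stderr.write(f"ERROR: job {args.job_id} on {args.printer}: input is not PostScript\n")
        return 1
    stderr.write(f"INFO: job {args.job_id}: {sanitize(args.user)} printing "
                 f"{sanitize(args.title)!r} ({args.copies} copies) options={args.options}\n")
    stdout.write(tool(data, args))
    return 0


def demo() -> Dict[str, object]:
    """Run the filter on two constructed jobs using in-memory streams."""
    results: Dict[str, object] = {}
    jobs = {"good": (["myqueue", "42", "alice", "quarterly report", "1", "number-up=2 landscape"],
                     b"%!PS-Adobe-3.0\nshowpage\n"),
            "bad": (["myqueue", "43", "mallory", "not really ps", "1", ""],
                    b"\x1b%-12345X@PJL ENTER LANGUAGE=PCL\n")}
    for name, (argv, payload) in jobs.items():
        out, err = io.BytesIO(), io.StringIO()
        results[name + "_rc"] = run_filter(argv, io.BytesIO(payload), out, err)
        results[name + "_out"] = out.getvalue()
        results[name + "_log"] = err.getvalue()
    return results


if __name__ == "__main__":
    if len(sys.argv) == 1:           # no CUPS arguments: show the offline demo
        for key, value in demo().items():
            print(key, value)
    else:
        # Under cupsd a script sees its own path in sys.argv[0]; the queue name is in $PRINTER.
        argv = [os.environ.get("PRINTER", sys.argv[0])] + sys.argv[1:]
        sys.exit(run_filter(argv, sys.stdin.buffer, sys.stdout.buffer, sys.stderr))
```
<p>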
8553 </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
The mentioned "CUPS requirements" for filters are simple. Take
a filename or <tt class="filename">stdin</tt> as input and write to
<tt class="filename">stdout</tt>; diagnostics belong on
<tt class="filename">stderr</tt>, since everything written to stdout is
passed on as job data. Filters must accept these 5 or 6 arguments:
<span class="emphasis"><em>printer job user title copies options [filename]</em></span>
</p><div class="variablelist"><dl><dt><span class="term">Printer</span></dt><dd><p>The name of the printer queue. CUPS passes it
as argv[0], in the slot where a program normally sees its own name</p></dd><dt><span class="term">job</span></dt><dd><p>The numeric job ID for the job being
printed</p></dd><dt><span class="term">user</span></dt><dd><p>The string from the originating-user-name
attribute</p></dd><dt><span class="term">title</span></dt><dd><p>The string from the job-name attribute</p></dd><dt><span class="term">copies</span></dt><dd><p>The numeric value from the number-copies
attribute</p></dd><dt><span class="term">options</span></dt><dd><p>The job options</p></dd><dt><span class="term">filename</span></dt><dd><p>(Optionally) The print request file (if missing,
filters expect the data on <tt class="filename">stdin</tt>). In most
cases it is very easy to write a simple wrapper script around existing
filters to make them work with CUPS.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908080"></a>Prefilters</h3></div></div><div></div></div><a class="indexterm" name="id2908088"></a><p>
8566 As was said, PostScript is the central file format to any UNIX based
8567 printing system. From PostScript, CUPS generates raster data to feed
8568 non-PostScript printers.
8569 </p><p>
8570 But what is happening if you send one of the supported non-PS formats
8571 to print? Then CUPS runs "pre-filters" on these input formats to
8572 generate PostScript first. There are pre-filters to create PS from
8573 ASCII text, PDF, DVI or HP-GL. The outcome of these filters is always
8574 of MIME type <span class="emphasis"><em>application/postscript</em></span> (meaning that
8575 any device-specific print options are not yet embedded into the
8576 PostScript by CUPS, and that the next filter to be called is
8577 pstops). Another pre-filter is running on all supported image formats,
8578 the <span class="emphasis"><em>imagetops</em></span> filter. Its outcome is always of
8579 MIME type <span class="emphasis"><em>application/vnd.cups-postscript</em></span>
8580 (<span class="emphasis"><em>not</em></span> application/postscript), meaning it has the
8581 print options already embedded into the file.
8582 </p><p>
8583 </p><div class="figure"><a name="small4"></a><p class="title"><b>Figure 19.4. Prefiltering in CUPS to form Postscript</b></p><div class="mediaobject"><img src="projdoc/imagefiles/4small.png" width="270" alt="Prefiltering in CUPS to form Postscript"></div></div><p>
8584 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908183"></a>pstops</h3></div></div><div></div></div><p>
<span class="emphasis"><em>pstops</em></span> is the filter to convert
<span class="emphasis"><em>application/postscript</em></span> to
<span class="emphasis"><em>application/vnd.cups-postscript</em></span>. It was said
above that this filter inserts all device-specific print options
(commands to the printer to ask for duplexing of the output, or
stapling and punching it, etc.) into the PostScript file.
8591 </p><p>
8592 </p><div class="figure"><a name="small5"></a><p class="title"><b>Figure 19.5. Adding Device-specific Print Options</b></p><div class="mediaobject"><img src="projdoc/imagefiles/5small.png" width="270" alt="Adding Device-specific Print Options"></div></div><p>
8593 </p><p>
8594 This is not all: other tasks performed by it are:
8595 </p><div class="itemizedlist"><ul type="disc"><li><p>
8596 selecting the range of pages to be printed (if you choose to
8597 print only pages "3, 6, 8-11, 16, 19-21", or only the odd numbered
8598 ones)
8599 </p></li><li><p>
8600 putting 2 or more logical pages on one sheet of paper (the
8601 so-called "number-up" function)
8602 </p></li><li><p>counting the pages of the job to insert the accounting
8603 information into the <tt class="filename">/var/log/cups/page_log</tt>
8604 </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908292"></a>pstoraster</h3></div></div><div></div></div><p>
8605 <span class="emphasis"><em>pstoraster</em></span> is at the core of the CUPS filtering
8606 system. It is responsible for the first stage of the rasterization
8607 process. Its input is of MIME type application/vnd.cups-postscript;
8608 its output is application/vnd.cups-raster. This output format is not
8609 yet meant to be printable. Its aim is to serve as a general purpose
8610 input format for more specialized <span class="emphasis"><em>raster drivers</em></span>,
8611 that are able to generate device-specific printer data.
8612 </p><p>
8613 </p><div class="figure"><a name="small6"></a><p class="title"><b>Figure 19.6. Postscript to intermediate Raster format</b></p><div class="mediaobject"><img src="projdoc/imagefiles/6small.png" width="270" alt="Postscript to intermediate Raster format"></div></div><p>
8614 </p><p>
8615 CUPS raster is a generic raster format with powerful features. It is
8616 able to include per-page information, color profiles and more to be
8617 used by the following downstream raster drivers. Its MIME type is
8618 registered with IANA and its specification is of course completely
8619 open. It is designed to make it very easy and inexpensive for
8620 manufacturers to develop Linux and UNIX raster drivers for their
8621 printer models, should they choose to do so. CUPS always takes care
8622 for the first stage of rasterization so these vendors don't need to care
8623 about Ghostscript complications (in fact, there is currently more
8624 than one vendor financing the development of CUPS raster drivers).
8625 </p><p>
8626 </p><div class="figure"><a name="small7"></a><p class="title"><b>Figure 19.7. CUPS-raster production using Ghostscript</b></p><div class="mediaobject"><img src="projdoc/imagefiles/7small.png" width="270" alt="CUPS-raster production using Ghostscript"></div></div><p>
8627 </p><p>
CUPS versions before 1.1.15 shipped a binary (or source code)
standalone filter, named "pstoraster". pstoraster was derived from
GNU Ghostscript 5.50 and could be installed alongside any GNU or AFPL
Ghostscript package without conflicting.
</p><p>
From version 1.1.15 on, this has changed. Its functions have been
integrated back into Ghostscript (now based on GNU Ghostscript version
7.05). The "pstoraster" filter is now a simple shell script calling
<b class="command">gs</b> with the <b class="command">-sDEVICE=cups</b>
parameter. If <b class="command">gs -h | grep cups</b> prints nothing
for your Ghostscript, you might not be able to
print. Update your Ghostscript then!
8640 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908476"></a>imagetops and imagetoraster</h3></div></div><div></div></div><p>
8641 Above in the section about prefilters, we mentioned the prefilter
8642 that generates PostScript from image formats. The imagetoraster
8643 filter is used to convert directly from image to raster, without the
8644 intermediate PostScript stage. It is used more often than the above
8645 mentioned prefilters. Here is a summarizing flowchart of image file
8646 filtering:
8647 </p><p>
8648 </p><div class="figure"><a name="small8"></a><p class="title"><b>Figure 19.8. Image format to CUPS-raster format conversion</b></p><div class="mediaobject"><img src="projdoc/imagefiles/8small.png" width="270" alt="Image format to CUPS-raster format conversion"></div></div><p>
8649 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908539"></a>rasterto [printers specific]</h3></div></div><div></div></div><p>
CUPS ships with quite a few different raster drivers processing CUPS
raster. On my system I find in /usr/lib/cups/filter/ these:
<i class="parameter"><tt>rastertoalps</tt></i>, <i class="parameter"><tt>rastertobj</tt></i>, <i class="parameter"><tt>rastertoepson</tt></i>, <i class="parameter"><tt>rastertoescp</tt></i>,
<i class="parameter"><tt>rastertopcl</tt></i>, <i class="parameter"><tt>rastertoturboprint</tt></i>, <i class="parameter"><tt>rastertoapdk</tt></i>, <i class="parameter"><tt>rastertodymo</tt></i>,
<i class="parameter"><tt>rastertohp</tt></i> and
<i class="parameter"><tt>rastertoprinter</tt></i>. Don't worry if you have fewer
than this; some of these are installed by commercial add-ons to CUPS
(like <i class="parameter"><tt>rastertoturboprint</tt></i>), others (like
<i class="parameter"><tt>rastertoprinter</tt></i>) by 3rd party driver
development projects (such as Gimp-Print) wanting to cooperate as
closely as possible with CUPS.
8661 </p><p>
8662 </p><div class="figure"><a name="small9"></a><p class="title"><b>Figure 19.9. Raster to Printer Specific formats</b></p><div class="mediaobject"><img src="projdoc/imagefiles/9small.png" width="270" alt="Raster to Printer Specific formats"></div></div><p>
8663 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908691"></a>CUPS Backends</h3></div></div><div></div></div><p>
8664 The last part of any CUPS filtering chain is a "backend". Backends
8665 are special programs that send the print-ready file to the final
8666 device. There is a separate backend program for any transfer
8667 "protocol" of sending printjobs over the network, or for every local
8668 interface. Every CUPS printqueue needs to have a CUPS "device-URI"
8669 associated with it. The device URI is the way to encode the backend
8670 used to send the job to its destination. Network device-URIs are using
8671 two slashes in their syntax, local device URIs only one, as you can
8672 see from the following list. Keep in mind that local interface names
8673 may vary much from my examples, if your OS is not Linux:
8674 </p><div class="variablelist"><dl><dt><span class="term">usb</span></dt><dd><p>
8675 This backend sends printfiles to USB-connected printers. An
8676 example for the CUPS device-URI to use is:
8677 <tt class="filename">usb:/dev/usb/lp0</tt>
8678 </p></dd><dt><span class="term">serial</span></dt><dd><p>
8679 This backend sends printfiles to serially connected printers.
8680 An example for the CUPS device-URI to use is:
<tt class="filename">serial:/dev/ttyS0?baud=115200</tt>
8682 </p></dd><dt><span class="term">parallel</span></dt><dd><p>
8683 This backend sends printfiles to printers connected to the
8684 parallel port. An example for the CUPS device-URI to use is:
8685 <tt class="filename">parallel:/dev/lp0</tt>
8686 </p></dd><dt><span class="term">scsi</span></dt><dd><p>
8687 This backend sends printfiles to printers attached to the
8688 SCSI interface. An example for the CUPS device-URI to use is:
8689 <tt class="filename">scsi:/dev/sr1</tt>
8690 </p></dd><dt><span class="term">lpd</span></dt><dd><p>
8691 This backend sends printfiles to LPR/LPD connected network
8692 printers. An example for the CUPS device-URI to use is:
8693 <tt class="filename">lpd://remote_host_name/remote_queue_name</tt>
8694 </p></dd><dt><span class="term">AppSocket/HP JetDirect</span></dt><dd><p>
8695 This backend sends printfiles to AppSocket (a.k.a. "HP
8696 JetDirect") connected network printers. An example for the CUPS
8697 device-URI to use is:
8698 <tt class="filename">socket://10.11.12.13:9100</tt>
8699 </p></dd><dt><span class="term">ipp</span></dt><dd><p>
8700 This backend sends printfiles to IPP connected network
8701 printers (or to other CUPS servers). Examples for CUPS device-URIs
8702 to use are:
<tt class="filename">ipp://192.193.194.195/ipp</tt>
8704 (for many HP printers) or
8705 <tt class="filename">ipp://remote_cups_server/printers/remote_printer_name</tt>
8706 </p></dd><dt><span class="term">http</span></dt><dd><p>
8707 This backend sends printfiles to HTTP connected printers.
8708 (The http:// CUPS backend is only a symlink to the ipp:// backend.)
8709 Examples for the CUPS device-URIs to use are:
<tt class="filename">http://192.193.194.195:631/ipp</tt>
8711 (for many HP printers) or
8712 <tt class="filename">http://remote_cups_server:631/printers/remote_printer_name</tt>
8713 </p></dd><dt><span class="term">smb</span></dt><dd><p>
This backend sends printfiles to printers shared by a Windows
host. Examples for CUPS device-URIs to use are:
<tt class="filename">smb://workgroup/server/printersharename</tt>,
<tt class="filename">smb://server/printersharename</tt>,
<tt class="filename">smb://username:password@workgroup/server/printersharename</tt> or
<tt class="filename">smb://username:password@server/printersharename</tt>.
Note that the last two forms store the password in cleartext as part of
the device URI in <tt class="filename">/etc/cups/printers.conf</tt>, so
use a dedicated low-privilege printing account for them and keep that
file readable by root only.
The smb:// backend is a symlink to the Samba utility
<span class="emphasis"><em>smbspool</em></span> (doesn't ship with CUPS). If the
symlink is not present in your CUPS backend directory, have your
root user create it: <b class="command">ln -s `which smbspool`
/usr/lib/cups/backend/smb</b>.
8728 </p></dd></dl></div><p>
It is easy to write your own backends as Shell or Perl scripts, if you
need any modification or extension to the CUPS print system. One
reason could be that you want to create "special" printers which send
the printjobs as email (through a "mailto:/" backend), convert them to
PDF (through a "pdfgen:/" backend) or dump them to "/dev/null". (In
fact I have the system-wide default printer set up to be connected to
a "devnull:/" backend: there are just too many people sending jobs
without specifying a printer, and scripts and programs which don't name
a printer. The system-wide default deletes the job and sends a polite
mail back to the $USER asking them to always specify a correct
printer name.)
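</p><p>
Such a "devnull:/" backend, as an added example written for this edition (not
the author's script and not part of CUPS): it discards the job and mails the
submitter. A backend gets the same arguments as a filter (job-id user title
copies options [file]), finds its device URI in the DEVICE_URI environment
variable, and, when cupsd starts it with no arguments, must print a four-field
discovery line (class, URI, make-and-model, info) of the kind
<b class="command">lpinfo -v</b> collects. Because cupsd runs backends with its
own privileges, the user name and title supplied by the client are never passed
through a shell: mail is handed to sendmail as an argument list, the login is
checked against a strict pattern before it becomes a header, and control
characters are stripped before anything is logged. The mail domain, the
sendmail path and the sample jobs are assumptions of the example.
</p>
```python
import io
import os
import re
import subprocess
import sys
from email.message import EmailMessage
from typing import BinaryIO, Callable, Dict, List, TextIO

# Printed when cupsd runs the backend without arguments to discover devices:
# device-class device-uri "make-and-model" "info".
DISCOVERY_LINE = 'direct devnull:/ "Unknown" "Discard the job and notify the submitter"'
MAIL_DOMAIN = "example.org"          # assumed: where job owners receive mail
SENDMAIL = "/usr/sbin/sendmail"      # assumed path; invoked without a shell
_SAFE_USER = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def sanitize(text: str) -> str:
    """Control characters in client-supplied strings must not reach log lines or mail."""
    return "".join(ch if ch.isprintable() else " " for ch in text)


def build_notice(user: str, title: str, job_id: str, printer: str, size: int) -> EmailMessage:
    """Compose the polite reply; the title only ever goes into the body, never a header."""
    msg = EmailMessage()
    msg["From"] = f"cups@{MAIL_DOMAIN}"
    msg["To"] = f"{user}@{MAIL_DOMAIN}"
    msg["Subject"] = f"Print job {job_id} discarded"
    msg.set_content(
        f"Your job {job_id} ({sanitize(title)!r}, {size} bytes) went to the queue "
        f"'{printer}', which is the catch-all default and prints nothing.\n"
        "Please re-submit it with -d <printername> or -P <printername>.\n")
    return msg


def sendmail(msg: EmailMessage) -> None:
    """Hand the message to the local MTA; argv list, no shell, recipients from headers."""
    subprocess.run([SENDMAIL, "-t", "-i"], input=msg.as_bytes(), check=True)


def run_backend(argv: List[str], env: Dict[str, str], stdin: BinaryIO, stdout: TextIO,
                stderr: TextIO, send: Callable[[EmailMessage], None] = sendmail) -> int:
    """Backend entry point; returns the exit status cupsd sees (0 = job done)."""
    if len(argv) == 1:                      # discovery mode
        stdout.write(DISCOVERY_LINE + "\n")
        return 0
    if len(argv) not in (6, 7):
        stderr.write("ERROR: usage: devnull job-id user title copies options [file]\n")
        return 1
    if not env.get("DEVICE_URI", "").startswith("devnull:"):
        stderr.write("ERROR: DEVICE_URI is not a devnull: URI\n")
        return 1
    job_id, user, title = argv[1], argv[2], argv[3]
    printer = env.get("PRINTER", argv[0])
    if len(argv) == 7:
        with open(argv[6], "rb") as fh:
            size = len(fh.read())
    else:
        size = len(stdin.read())            # consume and drop the job data
    stderr.write(f"INFO: discarded job {job_id} ({size} bytes) from {sanitize(user)}\n")
    if not _SAFE_USER.match(user):
        stderr.write(f"ERROR: not mailing: user name {sanitize(user)!r} is not a plain login\n")
        return 0                            # job consumed; only the notice is skipped
    send(build_notice(user, title, job_id, printer, size))
    return 0


def demo() -> Dict[str, object]:
    """Exercise the backend offline with constructed jobs and a capturing mail sender."""
    sent: List[EmailMessage] = []
    out, err = io.StringIO(), io.StringIO()
    env = {"DEVICE_URI": "devnull:/", "PRINTER": "default"}
    rc_ok = run_backend(["devnull", "7", "alice", "budget.ps", "1", ""], env,
                        io.BytesIO(b"%!PS\n"), out, err, sent.append)
    rc_bad = run_backend(["devnull", "8", "mallory\nCc: everyone", "x", "1", ""], env,
                         io.BytesIO(b"%!PS\n"), out, err, sent.append)
    disc = io.StringIO()
    rc_disc = run_backend(["devnull"], {}, io.BytesIO(b""), disc, err, sent.append)
    return {"rc_ok": rc_ok, "rc_bad": rc_bad, "rc_disc": rc_disc, "mails": sent,
            "discovery": disc.getvalue(), "log": err.getvalue()}


if __name__ == "__main__":
    sys.exit(run_backend(sys.argv, dict(os.environ), sys.stdin.buffer, sys.stdout, sys.stderr))
```
<p>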
8740 </p><p>
8741 Not all of the mentioned backends may be present on your system or
8742 usable (depending on your hardware configuration). One test for all
8743 available CUPS backends is provided by the <span class="emphasis"><em>lpinfo</em></span>
8744 utility. Used with the <tt class="option">-v</tt> parameter, it lists
8745 all available backends:
8746 </p><pre class="screen">
8747 <tt class="prompt">$ </tt><b class="userinput"><tt>lpinfo -v</tt></b>
8748 </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2909039"></a>cupsomatic/Foomatic -- how do they fit into the Picture?</h3></div></div><div></div></div><a class="indexterm" name="id2909047"></a><a class="indexterm" name="id2909055"></a><p>
8749 "cupsomatic" filters may be the most widely used on CUPS
8750 installations. You must be clear about the fact that these were not
8751 developed by the CUPS people. They are a "Third Party" add-on to
8752 CUPS. They utilize the traditional Ghostscript devices to render jobs
8753 for CUPS. When troubleshooting, you should know about the
8754 difference. Here the whole rendering process is done in one stage,
8755 inside Ghostscript, using an appropriate "device" for the target
8756 printer. cupsomatic uses PPDs which are generated from the "Foomatic"
8757 Printer &amp; Driver Database at Linuxprinting.org.
8758 </p><p>
8759 You can recognize these PPDs from the line calling the
8760 <span class="emphasis"><em>cupsomatic</em></span> filter:
8761 </p><pre class="screen">
8762 *cupsFilter: "application/vnd.cups-postscript 0 cupsomatic"
8763 </pre><p>
This line you may find amongst the first 40 or so lines of the PPD
file. If you have such a PPD installed, the printer shows up in the
CUPS web interface with a <span class="emphasis"><em>foomatic</em></span> namepart for
the driver description. cupsomatic is a Perl script that runs
Ghostscript, with all the complicated commandline options
auto-constructed from the selected PPD and the commandline options given to
the printjob.
8771 </p><a class="indexterm" name="id2909122"></a><p>
However, cupsomatic is now deprecated. Its PPDs (especially the first
generation of them, still in heavy use out there) do not meet the
Adobe specifications. You might also suffer difficulties when you try
to download them with "Point'n'Print" to Windows clients. A better
and more powerful successor is now available in a very stable
Beta-version: it is called <span class="emphasis"><em>foomatic-rip</em></span>. To use
foomatic-rip as a filter with CUPS, you need the new-type PPDs. These
have a similar, but different line:
</p><pre class="screen">
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
</pre><p>
The PPD generating engine at Linuxprinting.org has been revamped.
The new PPDs comply with the Adobe spec. On top of that, they also provide a
new way to specify different quality levels (hi-res photo, normal
color, grayscale, draft...) with a single click (whereas before you
could have required 5 or more different selections: media type,
resolution, inktype, dithering algorithm...). There is support for
custom-size media built in. There is support to switch
print-options from page to page, in the middle of a job. And the
best thing is: the new foomatic-rip works seamlessly with all
legacy spoolers too (like LPRng, BSD-LPD, PDQ, PPR etc.), giving
them access to PPD-based printing as well!
8796 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2909176"></a>The Complete Picture</h3></div></div><div></div></div><p>
8797 If you want to see an overview over all the filters and how they
8798 relate to each other, the complete picture of the puzzle is at the end
8799 of this document.
8800 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2909191"></a><tt class="filename">mime.convs</tt></h3></div></div><div></div></div><p>
8801 CUPS auto-constructs all possible filtering chain paths for any given
8802 MIME type, and every printer installed. But how does it decide in
8803 favor or against a specific alternative? (There may often be cases,
8804 where there is a choice of two or more possible filtering chains for
the same target printer). Simple: you may have noticed the figures in
the 3rd column of the mime.convs file. They represent virtual costs
assigned to this filter. Every possible filtering chain sums up to
a total "filter cost", and CUPS picks the cheapest route.
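</p><p>
As an added example (written for this edition, not CUPS' own scheduler code),
the following Python model reproduces that choice: it parses mime.convs lines
into a graph, runs a shortest-path search from the job's MIME type to the type
the queue accepts, and appends the filter named in the PPD's
<span class="emphasis"><em>*cupsFilter:</em></span> line shown in the cupsomatic
section above. The pdftops, hpgltops and texttops lines are the ones quoted
earlier; the remaining costs and the image/* wildcard rules are constructed
for the example, as is the simplification that a PPD without a cupsFilter line
accepts application/vnd.cups-postscript and a queue without a PPD accepts
application/vnd.cups-raw only. The total the search returns is the per-job
figure that FilterLimit sums over concurrently running jobs, and a search that
finds no path is the situation behind the "Unable to convert file 0" error.
</p>
```python
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed mime.convs excerpt: "source destination cost filter".
SAMPLE_MIME_CONVS = """
application/pdf                 application/postscript            33   pdftops
application/vnd.hp-HPGL         application/postscript            66   hpgltops
text/plain                      application/postscript            33   texttops
application/x-shell             application/postscript            33   texttops
application/postscript          application/vnd.cups-postscript   66   pstops
application/vnd.cups-postscript application/vnd.cups-raster      100   pstoraster
image/*                         application/vnd.cups-postscript  100   imagetops
image/*                         application/vnd.cups-raster      100   imagetoraster
application/octet-stream        application/vnd.cups-raw           0   -
"""

Edge = Tuple[str, int, str]   # (destination type, cost, filter name)


def parse_mime_convs(text: str) -> Dict[str, List[Edge]]:
    """Conversion rules keyed by source MIME type."""
    graph: Dict[str, List[Edge]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, cost, filt = line.split()
        graph.setdefault(src, []).append((dst, int(cost), filt))
    return graph


def outgoing(graph: Dict[str, List[Edge]], mime: str) -> List[Edge]:
    """Rules for the exact type plus wildcard rules such as image/*."""
    major = mime.split("/", 1)[0] + "/*"
    return graph.get(mime, []) + graph.get(major, [])


def cheapest_chain(graph: Dict[str, List[Edge]], source: str,
                   target: str) -> Optional[Tuple[List[str], int]]:
    """Dijkstra over conversion rules: (filters in order, total cost), or None if no
    chain exists. '-' is the null filter: it costs nothing and runs nothing."""
    best: Dict[str, int] = {source: 0}
    heap: List[Tuple[int, int, str, List[str]]] = [(0, 0, source, [])]
    seq = 0                                   # tie-breaker so lists are never compared
    while heap:
        cost, _, mime, chain = heapq.heappop(heap)
        if mime == target:
            return chain, cost
        if cost > best.get(mime, cost):
            continue
        for dst, step, filt in outgoing(graph, mime):
            new_cost = cost + step
            if new_cost < best.get(dst, new_cost + 1):
                best[dst] = new_cost
                seq += 1
                heapq.heappush(heap, (new_cost, seq, dst,
                                      chain + ([] if filt == "-" else [filt])))
    return None


def chain_for_queue(graph: Dict[str, List[Edge]], input_type: str,
                    cups_filter: Optional[str] = None,
                    raw: bool = False) -> Optional[Tuple[List[str], int]]:
    """cups_filter is the value of a PPD's *cupsFilter: line ("TYPE COST NAME"): the
    type the printer accepts plus a final filter. Assumed here: a PostScript printer's
    PPD has no such line and takes application/vnd.cups-postscript as is, and a queue
    without any PPD is raw and takes application/vnd.cups-raw only."""
    if raw:
        return cheapest_chain(graph, input_type, "application/vnd.cups-raw")
    if cups_filter is None:
        return cheapest_chain(graph, input_type, "application/vnd.cups-postscript")
    accepted, cost, name = cups_filter.split()
    found = cheapest_chain(graph, input_type, accepted)
    if found is None:
        return None
    chain, total = found
    return chain + [name], total + int(cost)


if __name__ == "__main__":
    g = parse_mime_convs(SAMPLE_MIME_CONVS)
    print("pdf -> HP raster driver :", chain_for_queue(g, "application/pdf", "application/vnd.cups-raster 0 rastertohp"))
    print("png -> HP raster driver :", chain_for_queue(g, "image/png", "application/vnd.cups-raster 0 rastertohp"))
    print("pdf -> raw queue        :", chain_for_queue(g, "application/pdf", raw=True))
    print("octet-stream -> raw     :", chain_for_queue(g, "application/octet-stream", raw=True))
```
<p>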
8809 </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
8810 The setting of <i class="parameter"><tt>FilterLimit 1000</tt></i> in
8811 <tt class="filename">cupsd.conf</tt> will not allow more filters to
8812 run concurrently than will consume a total of 1000 virtual filter
8813 cost. This is a very efficient way to limit the load of any CUPS
8814 server by setting an appropriate "FilterLimit" value. A FilterLimit of
8815 200 allows roughly 1 job at a time, while a FilterLimit of 1000 allows
8816 approximately 5 jobs maximum at a time.
8817 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2909245"></a>"Raw" printing</h3></div></div><div></div></div><p>
8818 You can tell CUPS to print (nearly) any file "raw". "Raw" means it
8819 will not be filtered. CUPS will send the file to the printer "as is"
8820 without bothering if the printer is able to digest it. Users need to
8821 take care themselves that they send sensible data formats only. Raw
8822 printing can happen on any queue if the "-o raw" option is specified
8823 on the command line. You can also set up raw-only queues by simply not
8824 associating any PPD with it. This command:
8825 </p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>lpadmin -p rawprinter -v socket://11.12.13.14:9100 -E</tt></b>
</pre><p>
sets up a queue named "rawprinter", connected via the "socket"
protocol (a.k.a. "HP JetDirect") to the device at IP address
11.12.13.14, using port 9100. (Note the lower-case <b class="command">-p</b>,
which names the queue; the upper-case <b class="command">-P</b> names a PPD
file. If you had added a PPD with
<b class="command">-P /path/to/PPD</b> to this command line, you would
have installed a "normal" printqueue.)
8833 </p><p>
8834 CUPS will automatically treat each job sent to a queue as a "raw" one,
8835 if it can't find a PPD associated with the queue. However, CUPS will
8836 only send known MIME types (as defined in its own mime.types file) and
8837 refuse others.
8838 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2909312"></a>"application/octet-stream" printing</h3></div></div><div></div></div><p>
8839 Any MIME type with no rule in the
8840 <tt class="filename">/etc/cups/mime.types</tt> file is regarded as unknown
8841 or <span class="emphasis"><em>application/octet-stream</em></span> and will not be
8842 sent. Because CUPS refuses to print unknown MIME types per default,
8843 you will probably have experienced the fact that printjobs originating
8844 from Windows clients were not printed. You may have found an error
8845 message in your CUPS logs like:
8846 </p><pre class="screen">
8847 Unable to convert file 0 to printable format for job
8848 </pre><p>
8849 To enable the printing of "application/octet-stream" files, edit
8850 these two files:
</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="filename">/etc/cups/mime.convs</tt></p></li><li><p><tt class="filename">/etc/cups/mime.types</tt></p></li></ul></div><p>
Both contain entries (at the end of the respective files) which must
be uncommented to allow RAW mode operation for
application/octet-stream. In <tt class="filename">/etc/cups/mime.types</tt>
make sure this line is present:
</p><a class="indexterm" name="id2909395"></a><pre class="screen">
application/octet-stream
</pre><p>
This line (with no specific auto-typing rule set) makes all files
not otherwise auto-typed a member of application/octet-stream. In
<tt class="filename">/etc/cups/mime.convs</tt>, have this
line:
</p><pre class="screen">
application/octet-stream application/vnd.cups-raw 0 -
</pre><a class="indexterm" name="id2909435"></a><p>
This line tells CUPS to use the <span class="emphasis"><em>Null Filter</em></span>
(denoted as "-", which does nothing at all) on
<span class="emphasis"><em>application/octet-stream</em></span>, and to tag the result as
<span class="emphasis"><em>application/vnd.cups-raw</em></span>. This last type is
always a green light for the CUPS scheduler to hand the file over
to the "backend", which connects to the printer and sends it over.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> Editing the <tt class="filename">mime.convs</tt> and the
<tt class="filename">mime.types</tt> file does not
<span class="emphasis"><em>enforce</em></span> "raw" printing, it only
<span class="emphasis"><em>allows</em></span> it.
</p></div><p><b>Background. </b>
CUPS, being a more security-aware printing system than traditional ones,
does not by default allow one to send arbitrary (possibly binary)
data to printing devices. (This could easily be abused to launch a
Denial of Service attack on your printer(s), causing at least the loss
of a lot of paper and ink...) "Unknown" data are regarded by CUPS
as <span class="emphasis"><em>MIME type</em></span>
<span class="emphasis"><em>application/octet-stream</em></span>. While you
<span class="emphasis"><em>can</em></span> send data "raw", the MIME type for these must
be one that is known to CUPS and an allowed one. The file
<tt class="filename">/etc/cups/mime.types</tt> defines the rules by which CUPS
recognizes MIME types. The file
<tt class="filename">/etc/cups/mime.convs</tt> decides which file
conversion filter(s) may be applied to which MIME types.
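The following script is an added example and is not part of the Samba HOWTO or of CUPS. It checks whether the two lines described above (the bare application/octet-stream type in mime.types, and the octet-stream to vnd.cups-raw null-filter rule in mime.convs) are present and uncommented, so an administrator can tell at a glance whether a server will accept raw jobs. File paths are parameters; the sample mime.types and mime.convs it creates are constructed and only mimic the layout of the shipped files.

```shell
#!/bin/sh
# Added example (not from the Samba HOWTO): report whether a CUPS
# installation allows "raw" printing of application/octet-stream by
# checking the two lines this section describes.  Paths are parameters,
# so the check runs against constructed sample files as well as against
# /etc/cups/mime.types and /etc/cups/mime.convs.

# Returns 0 when both lines are present and uncommented, 1 otherwise.
raw_printing_allowed() {
    types_file=$1
    convs_file=$2
    # mime.types: a rule line consisting of the bare type name.
    grep -q '^application/octet-stream[[:space:]]*$' "$types_file" || return 1
    # mime.convs: octet-stream -> vnd.cups-raw, cost 0, null filter "-".
    grep -Eq '^application/octet-stream[[:space:]]+application/vnd\.cups-raw[[:space:]]+0[[:space:]]+-[[:space:]]*$' "$convs_file" || return 1
    return 0
}

# Constructed sample files, mirroring the shipped defaults where the
# relevant lines exist but are commented out.  Echoes the directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/mime.types.off" <<'EOF'
# constructed sample: raw mode disabled (line still commented out)
application/pdf          pdf string(0,%PDF)
application/postscript   ai eps ps string(0,%!) string(0,<04>%!)
#application/octet-stream
EOF
    sed 's/^#application/application/' "$dir/mime.types.off" > "$dir/mime.types.on"
    cat > "$dir/mime.convs.off" <<'EOF'
# constructed sample: raw mode disabled (line still commented out)
application/pdf          application/postscript           33  pdftops
application/postscript   application/vnd.cups-postscript  66  pstops
#application/octet-stream application/vnd.cups-raw         0   -
EOF
    sed 's/^#application/application/' "$dir/mime.convs.off" > "$dir/mime.convs.on"
    echo "$dir"
}

# Usage: "sh thisfile.sh --demo" runs the check against both sample pairs;
# "raw_printing_allowed /etc/cups/mime.types /etc/cups/mime.convs" checks
# a live system.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    for t in off on; do
        if raw_printing_allowed "$d/mime.types.$t" "$d/mime.convs.$t"; then
            echo "samples '$t': raw printing of application/octet-stream is ALLOWED"
        else
            echo "samples '$t': raw printing of application/octet-stream is NOT allowed"
        fi
    done
    rm -rf "$d"
fi
```

The two patterns are deliberately strict: a leading "#" (the shipped, disabled form) or a different cost or filter name makes the check report "not allowed", which is exactly the state the Note above describes as the default.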
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2909544"></a>PostScript Printer Descriptions (PPDs) for non-PS Printers</h3></div></div><div></div></div><a class="indexterm" name="id2909552"></a><p>
Originally PPDs were meant to be used for PostScript printers
only. There, they help to send device-specific commands and settings
to the RIP which processes the job file. CUPS has extended this
scope for PPDs to cover non-PostScript printers too. This was not
very difficult, because PPD is a standardized file format. In a way
it was logical too: CUPS handles PostScript and uses a PostScript
RIP (Ghostscript) to process the job files. The only difference is
that a PostScript printer has the RIP built in, while for other
types of printers the Ghostscript RIP runs on the host computer.
</p><p>
PPDs for a non-PS printer have a few lines that are unique to
CUPS. The most important one looks similar to this:
</p><a class="indexterm" name="id2909582"></a><pre class="screen">
*cupsFilter: "application/vnd.cups-raster 66 rastertoprinter"
</pre><p>
It is the last piece in the CUPS filtering puzzle. This line tells the
CUPS daemon to use "rastertoprinter" as the last filter. This filter
must be fed a file of MIME type "application/vnd.cups-raster" as its
input. Therefore CUPS must auto-construct a filtering chain which
delivers the specified MIME type as its last output. This is then
taken as input to the specified "rastertoprinter" filter. After this
last filter has done its work ("rastertoprinter" is a Gimp-Print
filter), the file goes to the backend, which sends it to the
output device.
</p><p>
CUPS by default ships only a few generic PPDs, but they are good for
several hundred printer models. You may not be able to control
different paper trays, or you may get larger margins than your
specific model supports:
</p><div class="table"><a name="id2909623"></a><p class="title"><b>Table 19.1. PPD's shipped with CUPS</b></p><table summary="PPD's shipped with CUPS" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">PPD file</th><th align="justify">Printer type</th></tr></thead><tbody><tr><td align="left">deskjet.ppd</td><td align="justify">older HP inkjet printers and compatible</td></tr><tr><td align="left">deskjet2.ppd</td><td align="justify">newer HP inkjet printers and compatible</td></tr><tr><td align="left">dymo.ppd</td><td align="justify">label printers</td></tr><tr><td align="left">epson9.ppd</td><td align="justify">Epson 24pin impact printers and compatible</td></tr><tr><td align="left">epson24.ppd</td><td align="justify">Epson 24pin impact printers and compatible</td></tr><tr><td align="left">okidata9.ppd</td><td align="justify">Okidata 9pin impact printers and compatible</td></tr><tr><td align="left">okidat24.ppd</td><td align="justify">Okidata 24pin impact printers and compatible</td></tr><tr><td align="left">stcolor.ppd</td><td align="justify">older Epson Stylus Color printers</td></tr><tr><td align="left">stcolor2.ppd</td><td align="justify">newer Epson Stylus Color printers</td></tr><tr><td align="left">stphoto.ppd</td><td align="justify">older Epson Stylus Photo printers</td></tr><tr><td align="left">stphoto2.ppd</td><td align="justify">newer Epson Stylus Photo printers</td></tr><tr><td align="left">laserjet.ppd</td><td align="justify">all PCL printers. Further below is a discussion of several other driver/PPD-packages suitable for use with CUPS.</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2909807"></a>Difference between <span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> and
<span class="emphasis"><em>native CUPS</em></span> printing</h3></div></div><div></div></div><a class="indexterm" name="id2909825"></a><a class="indexterm" name="id2909833"></a><p>
Native CUPS rasterization works in two steps.
</p><div class="itemizedlist"><ul type="disc"><li><p>
First is the "pstoraster" step. It uses the special "cups"
<a class="indexterm" name="id2909856"></a>
device from ESP Ghostscript 7.05.x as its tool.
</p></li><li><p>
Second comes the "rasterdriver" step. It uses various
device-specific filters; there are several vendors who provide good
quality filters for this step, some are Free Software, some are
Shareware/Non-Free, some are proprietary.</p></li></ul></div><p>
Often this produces better quality (and has several more
advantages) than other methods.
</p><p>
</p><div class="figure"><a name="small10"></a><p class="title"><b>Figure 19.10. cupsomatic/foomatic processing versus Native CUPS</b></p><div class="mediaobject"><img src="projdoc/imagefiles/10small.png" width="270" alt="cupsomatic/foomatic processing versus Native CUPS"></div></div><p>
</p><p>
One other method is the <span class="emphasis"><em>cupsomatic/foomatic-rip</em></span>
way. Note that cupsomatic is <span class="emphasis"><em>not</em></span> made by the CUPS
developers. It is an independent contribution to printing development,
made by people from Linuxprinting.org (see also <a href="http://www.cups.org/cups-help.html" target="_top">http://www.cups.org/cups-help.html</a>).
cupsomatic is no longer developed and maintained and is no longer
supported. It has now been replaced by
<span class="emphasis"><em>foomatic-rip</em></span>. foomatic-rip is a complete rewrite
of the old cupsomatic idea, but much improved and generalized to
other (non-CUPS) spoolers. An upgrade to foomatic-rip is strongly
advised, especially if you are upgrading to a recent version of CUPS
too.
</p><p>
<a class="indexterm" name="id2909965"></a>
<a class="indexterm" name="id2909974"></a>
Both the cupsomatic (old) and the foomatic-rip (new) methods from
Linuxprinting.org use the traditional Ghostscript print file
processing, doing everything in a single step. They therefore rely on
all the other devices built into Ghostscript. The quality is as
good (or bad) as Ghostscript rendering is in other spoolers. The
advantage is that this method supports many printer models not
supported (yet) by the more modern CUPS method.
</p><p>
Of course, you can use both methods side by side on one system (and
even for one printer, if you set up different queues), and find out
which works best for you.
</p><p>
cupsomatic "kidnaps" the print file after the
<span class="emphasis"><em>application/vnd.cups-postscript</em></span> stage and
diverts it through the CUPS-external, system-wide Ghostscript
installation. Therefore the print file bypasses the "pstoraster" filter
(and thus also bypasses the CUPS raster drivers
"rastertosomething"). After Ghostscript has finished its rasterization,
cupsomatic hands the rendered file directly to the CUPS backend. The
flowchart above illustrates the difference between native CUPS
rendering and the Foomatic/cupsomatic method.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910018"></a>Examples for filtering Chains</h3></div></div><div></div></div><p>
Here are a few examples of commonly occurring filtering chains to
illustrate the workings of CUPS.
</p><p>
Assume you want to print a PDF file to an HP JetDirect-connected
PostScript printer, but you want to print the pages 3-5, 7, 11-13
only, and you want to print them "2-up" and "duplex":
</p><div class="itemizedlist"><ul type="disc"><li><p>your print options (page selection as required, 2-up,
duplex) are passed to CUPS on the command line;</p></li><li><p>the (complete) PDF file is sent to CUPS and autotyped as
<span class="emphasis"><em>application/pdf</em></span>;</p></li><li><p>the file therefore first must pass the
<span class="emphasis"><em>pdftops</em></span> pre-filter, which produces PostScript
MIME type <span class="emphasis"><em>application/postscript</em></span> (a preview here
would still show all pages of the original PDF);</p></li><li><p>the file then passes the <span class="emphasis"><em>pstops</em></span>
filter which applies the command line options: it selects the pages
2-5, 7 and 11-13, creates an imposed layout "2 pages on 1 sheet" and
inserts the correct "duplex" command (as defined in the printer's
PPD) into the new PostScript file; the file now is of PostScript MIME
type
<span class="emphasis"><em>application/vnd.cups-postscript</em></span>;</p></li><li><p>the file goes to the <span class="emphasis"><em>socket</em></span>
backend, which transfers the job to the printer.</p></li></ul></div><p>
The resulting filter chain therefore is as drawn in <a href="#pdftosocket" title="Figure 19.11. PDF to socket chain">the image below</a>.
</p><div class="figure"><a name="pdftosocket"></a><p class="title"><b>Figure 19.11. PDF to socket chain</b></p><div class="mediaobject"><img src="projdoc/imagefiles/pdftosocket.png" width="270" alt="PDF to socket chain"></div></div><p>
Assume you want to print the same file to a USB-connected
Epson Stylus Photo printer, installed with the CUPS
<tt class="filename">stphoto2.ppd</tt>. The first few filtering stages
are nearly the same:
</p><div class="itemizedlist"><ul type="disc"><li><p>your print options (page selection as required, 2-up,
duplex) are passed to CUPS on the command line;</p></li><li><p>the (complete) PDF file is sent to CUPS and autotyped as
<span class="emphasis"><em>application/pdf</em></span>;</p></li><li><p>the file therefore first must pass the
<span class="emphasis"><em>pdftops</em></span> pre-filter, which produces PostScript
MIME type <span class="emphasis"><em>application/postscript</em></span> (a preview here
would still show all pages of the original PDF);</p></li><li><p>the file then passes the "pstops" filter which applies
the command line options: it selects the pages 2-5, 7 and 11-13,
creates an imposed layout "2 pages on 1 sheet" and inserts the
correct "duplex" command (oops: this printer and its PPD
don't support duplex printing at all, so this option is simply
ignored) into the new PostScript file; the file now is of PostScript
MIME type
<span class="emphasis"><em>application/vnd.cups-postscript</em></span>;</p></li><li><p>the file then passes the
<span class="emphasis"><em>pstoraster</em></span> stage and becomes MIME type
<span class="emphasis"><em>application/vnd.cups-raster</em></span>;</p></li><li><p>finally, the <span class="emphasis"><em>rastertoepson</em></span> filter
does its work (as indicated in the printer's PPD), creating the
printer-specific raster data and embedding any user-selected
print options into the print data stream;</p></li><li><p>the file goes to the <span class="emphasis"><em>usb</em></span> backend,
which transfers the job to the printer.</p></li></ul></div><p>
The resulting filter chain therefore is as drawn in <a href="#pdftoepsonusb" title="Figure 19.12. PDF to USB chain">the image below</a>.
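To make the chain construction concrete, here is an added example (written for this edit, not code from the Samba HOWTO or from CUPS) that resolves a filter chain the way the two examples above and the earlier *cupsFilter discussion describe: mime.convs-style rules form a graph, a PPD's *cupsFilter line adds the printer as a final node, and the lowest-cost path from the job's MIME type to the target type is the chain. The rule file, the PPD fragment, the queue name "epson" and the cost values are all constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO or of CUPS: resolve the filter
# chain CUPS would build from a source MIME type to the type named by a
# printer's *cupsFilter line, using mime.convs-style rules.  The rules,
# the PPD fragment and the filter costs below are constructed samples.

# Turn the *cupsFilter lines of a PPD into mime.convs-style rules whose
# destination is the pseudo type "printer/<queue>", so the printer becomes
# an ordinary node of the conversion graph.
ppd_filter_rules() {
    queue=$1
    ppd=$2
    # *cupsFilter: "application/vnd.cups-raster 66 rastertoprinter"
    sed -n 's/^\*cupsFilter:[[:space:]]*"\([^"]*\)"/\1/p' "$ppd" |
        awk -v q="$queue" '{ print $1, "printer/" q, $2, $3 }'
}

# Lowest-cost chain from type $2 to type $3 over the rules in file $1.
# Prints the filter programs in order ("pdftops -> pstops"), or NO_CHAIN.
resolve_chain() {
    awk -v src="$2" -v dst="$3" '
        $1 !~ /^#/ && NF >= 4 { n++; from[n] = $1; to[n] = $2; cost[n] = $3 + 0; prog[n] = $4 }
        END {
            # Bellman-Ford relaxation: n passes over n rules with
            # non-negative costs always converge.
            dist[src] = 0
            for (pass = 1; pass <= n; pass++)
                for (j = 1; j <= n; j++)
                    if (from[j] in dist) {
                        c = dist[from[j]] + cost[j]
                        if (!(to[j] in dist) || c < dist[to[j]]) {
                            dist[to[j]] = c; via[to[j]] = j
                        }
                    }
            if (!(dst in dist)) { print "NO_CHAIN"; exit }
            chain = ""; t = dst
            while (t != src) {          # walk the predecessor links back to src
                j = via[t]
                chain = prog[j] (chain == "" ? "" : " -> " chain)
                t = from[j]
            }
            print chain
        }' "$1"
}

# Constructed sample rules and PPD; echoes the directory they were written to.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/mime.convs" <<'EOF'
# constructed mime.convs excerpt: source  destination  cost  filter
application/pdf                 application/postscript           33  pdftops
application/postscript          application/vnd.cups-postscript  66  pstops
application/vnd.cups-postscript application/vnd.cups-raster     100  pstoraster
application/octet-stream        application/vnd.cups-raw          0  -
EOF
    cat > "$dir/stphoto2.ppd" <<'EOF'
*PPD-Adobe: "4.3"
*ModelName: "constructed sample PPD for the USB Epson queue"
*cupsFilter: "application/vnd.cups-raster 66 rastertoepson"
EOF
    echo "$dir"
}

demo() {
    d=$(write_samples)
    # PostScript printer on a socket: no *cupsFilter, so the chain stops at
    # application/vnd.cups-postscript and the backend receives that file.
    echo "PDF -> PostScript printer: $(resolve_chain "$d/mime.convs" application/pdf application/vnd.cups-postscript)"
    # Non-PostScript printer: append the PPD rule, then resolve to the queue.
    { cat "$d/mime.convs"; ppd_filter_rules epson "$d/stphoto2.ppd"; } > "$d/rules.epson"
    echo "PDF -> Epson USB queue:    $(resolve_chain "$d/rules.epson" application/pdf printer/epson)"
    rm -rf "$d"
}
```

Running demo prints "pdftops -> pstops" for the PostScript printer and "pdftops -> pstops -> pstoraster -> rastertoepson" for the Epson queue, the same two chains the figures show. Asking for printer/epson without the PPD rule yields NO_CHAIN, which is the situation behind the "Unable to convert file 0 to printable format" message discussed earlier.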
</p><div class="figure"><a name="pdftoepsonusb"></a><p class="title"><b>Figure 19.12. PDF to USB chain</b></p><div class="mediaobject"><img src="projdoc/imagefiles/pdftoepsonusb.png" width="270" alt="PDF to USB chain"></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910331"></a>Sources of CUPS drivers / PPDs</h3></div></div><div></div></div><p>
On the Internet you can now find many thousands of CUPS-PPD files
(with their companion filters), in many national languages,
supporting more than 1000 non-PostScript models.
</p><div class="itemizedlist"><a class="indexterm" name="id2910347"></a><a class="indexterm" name="id2910357"></a><ul type="disc"><li><p><a href="http://wwwl.easysw.com/printpro/" target="_top">ESP
PrintPro</a> (commercial,
non-Free) is packaged with more than 3000 PPDs, ready for
successful use "out of the box" on Linux, Mac OS X, IBM-AIX,
HP-UX, Sun-Solaris, SGI-IRIX, Compaq Tru64, Digital UNIX and some
more commercial Unices (it is written by the CUPS developers
themselves and its sales help finance the further development of
CUPS, as they feed their creators).</p></li><li><p>the <a href="http://gimp-print.sourceforge.net/" target="_top">Gimp-Print-Project
</a> (GPL, Free Software)
provides around 140 PPDs (supporting nearly 400 printers, many driven
to photo quality output), to be used alongside the Gimp-Print CUPS
filters;</p></li><li><p><a href="http://www.turboprint.com/" target="_top">TurboPrint
</a> (Shareware, non-Free) supports
roughly the same number of printers in excellent
quality;</p></li><li><p><a href="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" target="_top">OMNI
</a>
(LGPL, Free) is a package made by IBM, now containing support for more
than 400 printers, stemming from the inheritance of IBM OS/2 know-how
ported over to Linux (CUPS support is in a Beta stage at
present);</p></li><li><p><a href="http://hpinkjet.sourceforge.net/" target="_top">HPIJS
</a> (BSD-style licenses, Free)
supports around 150 of HP's own printers and also provides
excellent print quality now (currently available only via the Foomatic
path);</p></li><li><p><a href="http://www.linuxprinting.org/" target="_top">Foomatic/cupsomatic
</a> (LGPL, Free) from
Linuxprinting.org provides PPDs for practically every Ghostscript
filter known to the world (including Omni, Gimp-Print and
HPIJS).</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The cupsomatic/Foomatic trick from Linuxprinting.org works
differently from the other drivers. This is explained elsewhere in this
document.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910470"></a>Printing with Interface Scripts</h3></div></div><div></div></div><p>
CUPS also supports the usage of "interface scripts" as known from
System V AT&amp;T printing systems. These are often used for PCL
printers, from applications that generate PCL print jobs. Interface
scripts are specific to printer models. They have a similar role as
PPDs for PostScript printers. Interface scripts may inject the escape
sequences as required into the print data stream, if the user has
chosen to select a certain paper tray, or print landscape, or use A3
paper, etc. Interface scripts are practically unknown in the Linux
realm. On HP-UX platforms they are more often used. You can use any
working interface script on CUPS too. Just install the printer with
the <b class="command">-i</b> option:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p pclprinter -v socket://11.12.13.14:9100 \
-i /path/to/interface-script</tt></b>
</pre><p>
Interface scripts might be the "unknown animal" to many. However,
with CUPS they provide the easiest way to plug your own
custom-written filtering script or program into one specific print
queue (some information about the traditional usage of interface scripts is
to be found at <a href="http://playground.sun.com/printing/documentation/interface.html" target="_top">http://playground.sun.com/printing/documentation/interface.html</a>).
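As an added illustration of what such a script does (this is example code written for this edit, not a script from the Samba HOWTO, from CUPS or from any vendor), here is a minimal PCL interface script of the kind installed with the -i option above. It assumes CUPS invokes it with the same argument list as a filter (job-id, user, title, copies, options, and optionally the file name) and forwards whatever it writes to standard output to the backend; the option names "landscape" and "media=A3" are chosen for the example.

```shell
#!/bin/sh
# Added example (not from the Samba HOWTO): a minimal System V style
# interface script for a PCL printer, of the kind installed with
# "lpadmin -i".  Assumption: CUPS calls it like a filter, with
#   job-id user title copies options [file]
# and sends whatever it writes to stdout on to the backend.  The PCL
# sequences are standard ones: ESC E (reset), ESC &l1O (landscape),
# ESC &l27A (A3 paper), ESC &l26A (A4 paper).

pcl_job() {
    copies=$4
    options=$5
    file=${6:--}           # "-" makes cat read the job from stdin
    esc=$(printf '\033')
    setup="${esc}E"        # always start from a known printer state
    # Translate the user-selected options into PCL escape sequences.
    for opt in $options; do
        case $opt in
            landscape) setup="${setup}${esc}&l1O" ;;
            media=A3)  setup="${setup}${esc}&l27A" ;;
            media=A4)  setup="${setup}${esc}&l26A" ;;
        esac
    done
    i=0
    while [ "$i" -lt "$copies" ]; do
        printf '%s' "$setup"
        cat "$file"
        printf '%s' "${esc}E"   # reset so the next job starts clean
        i=$((i + 1))
    done
}

# Number of bytes the script would send for a given job; handy for
# checking the option translation without a printer attached.
pcl_job_size() {
    pcl_job "$@" | wc -c | tr -d ' '
}

# Installed as an interface script, the file's real entry point is just:
#   pcl_job "$@"
```

Because the interface script sees the raw job bytes and the raw option string, it is also the one place where a queue-specific policy (for instance refusing options the device does not support, as the pstops stage does for duplex in the Epson example) can be enforced for PCL jobs that bypass the CUPS filter chain.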
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2910560"></a>Network printing (purely Windows)</h2></div></div><div></div></div><p>
Network printing covers a lot of ground. To understand what exactly
goes on with Samba when it is printing on behalf of its Windows
clients, let's first look at a "purely Windows" setup: Windows clients
with a Windows NT print server.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910577"></a>From Windows Clients to an NT Print Server</h3></div></div><div></div></div><p>
Windows clients printing to an NT-based print server have two
options. They may
</p><a class="indexterm" name="id2910590"></a><a class="indexterm" name="id2910598"></a><div class="itemizedlist"><ul type="disc"><li><p>execute the driver locally and render the GDI output
(EMF) into the printer specific format on their own,
or</p></li><li><p>send the GDI output (EMF) to the server, where the
driver is executed to render the printer specific
output.</p></li></ul></div><p>
Both print paths are shown in the flowcharts below.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910632"></a>Driver Execution on the Client</h3></div></div><div></div></div><p>
In the first case the print server must spool the file as "raw",
meaning it shouldn't touch the job file or try to convert it in any
way. This is what traditional UNIX-based print servers can do too, with
better performance and more reliably than an NT print server. This
is what most Samba administrators are probably familiar with. One
advantage of this setup is that this "spooling-only" print server may
be used even if no driver(s) for UNIX are available; it is sufficient
to have the Windows client drivers available and installed on the
clients.
</p><p>
</p><div class="figure"><a name="small11"></a><p class="title"><b>Figure 19.13. Print Driver execution on the Client</b></p><div class="mediaobject"><img src="projdoc/imagefiles/11small.png" width="270" alt="Print Driver execution on the Client"></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910701"></a>Driver Execution on the Server</h3></div></div><div></div></div><a class="indexterm" name="id2910707"></a><a class="indexterm" name="id2910715"></a><a class="indexterm" name="id2910724"></a><a class="indexterm" name="id2910732"></a><a class="indexterm" name="id2910740"></a><p>
The other path executes the printer driver on the server. The clients
transfer print files in EMF format to the server. The server uses the
PostScript, PCL, ESC/P or other driver to convert the EMF file into
the printer-specific language. It is not possible for UNIX to do the
same. Currently there is no program or method to convert a Windows
client's GDI output on a UNIX server into something a printer could
understand.
</p><p>
</p><div class="figure"><a name="small12"></a><p class="title"><b>Figure 19.14. Print Driver execution on the Server</b></p><div class="mediaobject"><img src="projdoc/imagefiles/12small.png" width="270" alt="Print Driver execution on the Server"></div></div><p>
</p><p>
However, something similar is possible with CUPS. Read on...
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2910813"></a>Network Printing (Windows clients -- UNIX/Samba Print
Servers)</h2></div></div><div></div></div><p>
Since UNIX print servers <span class="emphasis"><em>cannot</em></span> execute the Win32
program code on their platform, the picture is somewhat
different. However, this doesn't limit your options all that
much. On the contrary, you may have a way here to implement printing
features which are not possible otherwise.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910833"></a>From Windows Clients to a CUPS/Samba Print Server</h3></div></div><div></div></div><p>
Here is a simple recipe showing how you can take advantage of the
powerful features of CUPS for the benefit of your Windows network printing
clients:
</p><div class="itemizedlist"><ul type="disc"><li><p>Let the Windows clients send PostScript to the CUPS
server.</p></li><li><p>Let the CUPS server render the PostScript into device
specific raster format.</p></li></ul></div><p>
This requires the clients to use a PostScript driver (even if the
printer is a non-PostScript model). It also requires that you have a
"driver" on the CUPS server.
</p><p>
Firstly, to enable CUPS based printing through Samba the
following options should be set in your <tt class="filename">smb.conf</tt> file [global]
section:
</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2910891"></a><i class="parameter"><tt>printing</tt></i> = cups</p></li><li><p><a class="indexterm" name="id2910909"></a><i class="parameter"><tt>printcap</tt></i> = cups</p></li></ul></div><p>
When these parameters are specified, all manually set print directives
(like <a class="indexterm" name="id2910929"></a><i class="parameter"><tt>print command</tt></i>, or <a class="indexterm" name="id2910943"></a><i class="parameter"><tt>lppause command</tt></i>) in <tt class="filename">smb.conf</tt> (as well as
in Samba itself) will be ignored. Instead, Samba will directly
interface with CUPS through its application program interface (API),
as long as Samba has been compiled with CUPS library (libcups)
support. If Samba has NOT been compiled with CUPS support, and if no
other print commands are set up, then printing will use the
<span class="emphasis"><em>System V</em></span> AT&amp;T command set, with the -oraw
option automatically passed through (if you want your own defined
print commands to work with a Samba that has CUPS support compiled in,
simply use <a class="indexterm" name="id2910981"></a><i class="parameter"><tt>printing</tt></i> = sysv).
</p><p>
</p><div class="figure"><a name="small13"></a><p class="title"><b>Figure 19.15. Printing via CUPS/samba server</b></p><div class="mediaobject"><img src="projdoc/imagefiles/13small.png" width="270" alt="Printing via CUPS/samba server"></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911043"></a>Samba receiving Jobfiles and passing them to CUPS</h3></div></div><div></div></div><p>
Samba <span class="emphasis"><em>must</em></span> use its own spool directory (it is set
by a line similar to <a class="indexterm" name="id2911058"></a><i class="parameter"><tt>path</tt></i> = /var/spool/samba,
in the <i class="parameter"><tt>[printers]</tt></i> or
<i class="parameter"><tt>[printername]</tt></i> section of
<tt class="filename">smb.conf</tt>). Samba receives the job in its own
spool space and passes it into the spool directory of CUPS (the CUPS
spooling directory is set by the <i class="parameter"><tt>RequestRoot</tt></i>
directive, in a line that defaults to <i class="parameter"><tt>RequestRoot
/var/spool/cups</tt></i>). CUPS checks the access rights of its
spool dir and resets it to healthy values with every restart. We have
seen quite a few people who had used a common spooling space for Samba
and CUPS, and were struggling for weeks with this "problem".
</p><p>
A Windows user authenticates only to Samba (by whatever means is
configured). If Samba runs on the same host as CUPS, you only need to
allow "localhost" to print. If they run on different machines, you
need to make sure the Samba host gets access to printing on CUPS.
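The three requirements of this and the preceding section (printing = cups and printcap = cups in [global], a Samba spool directory distinct from the CUPS RequestRoot, and CUPS access for the host Samba runs on) can be checked mechanically. The script below is an added example written for this edit, not code from the Samba HOWTO, Samba or CUPS. It parses constructed sample smb.conf and cupsd.conf files; the CUPS 1.1 style Location/Allow syntax is assumed, and the host addresses 127.0.0.1 and 192.0.2.10 are a loopback and a documentation address chosen for the sample.

```shell
#!/bin/sh
# Added example, not from the Samba HOWTO: check the three points this
# section makes about a Samba front end to CUPS, against constructed sample
# files: smb.conf sets printing = cups and printcap = cups, Samba's spool
# path is not the CUPS RequestRoot, and cupsd.conf lets the Samba host
# reach /printers.  File paths and the Samba host address are parameters;
# the addresses in the samples are constructed, not real hosts.

# Value of key $2 in section [$1] of the smb.conf given as $3 (empty if unset).
smb_value() {
    awk -v sect="$1" -v key="$2" '
        /^[[:space:]]*\[/ { in_sect = ($0 ~ "^[[:space:]]*\\[" sect "\\]"); next }
        in_sect && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); print; exit
        }' "$3"
}

# Value of the top-level cupsd.conf directive $1 in file $2 (first occurrence).
cupsd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Succeeds when cupsd.conf $2 has "Allow From $1" inside <Location /printers>.
cups_allows_host() {
    awk -v host="$1" '
        /^[[:space:]]*<Location[[:space:]]+\/printers>/ { in_loc = 1; next }
        /^[[:space:]]*<\/Location>/ { in_loc = 0; next }
        in_loc && tolower($1) == "allow" && tolower($2) == "from" && $3 == host { found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# Prints one line per check; returns the number of failed checks.
check_samba_cups_setup() {
    smb=$1; cupsd=$2; samba_host=$3
    fails=0
    for k in printing printcap; do
        v=$(smb_value global "$k" "$smb")
        if [ "$v" = cups ]; then
            echo "ok   $k = cups"
        else
            echo "FAIL $k = '${v:-unset}' (expected cups)"; fails=$((fails + 1))
        fi
    done
    samba_spool=$(smb_value printers path "$smb")
    cups_spool=$(cupsd_value RequestRoot "$cupsd")
    [ -n "$cups_spool" ] || cups_spool=/var/spool/cups        # cupsd default
    if [ -n "$samba_spool" ] && [ "$samba_spool" != "$cups_spool" ]; then
        echo "ok   Samba spools in $samba_spool, CUPS in $cups_spool"
    else
        echo "FAIL [printers] path must be Samba's own directory, not $cups_spool"
        fails=$((fails + 1))
    fi
    if cups_allows_host "$samba_host" "$cupsd"; then
        echo "ok   cupsd.conf allows $samba_host on /printers"
    else
        echo "FAIL no 'Allow From $samba_host' inside <Location /printers>"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample configuration; echoes the directory it was written to.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/smb.conf" <<'EOF'
; constructed sample smb.conf
[global]
   workgroup = EXAMPLE
   printing = cups
   printcap = cups

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes
EOF
    cat > "$dir/cupsd.conf" <<'EOF'
# constructed sample cupsd.conf (CUPS 1.1 style)
RequestRoot /var/spool/cups
<Location /printers>
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.0.2.10
</Location>
EOF
    echo "$dir"
}
```

Usage: "d=$(write_samples); check_samba_cups_setup $d/smb.conf $d/cupsd.conf 192.0.2.10" prints three "ok" lines; pointing the same function at /etc/samba/smb.conf and /etc/cups/cupsd.conf with the real address of the Samba host turns it into a quick audit of an existing installation. The spool-directory check matters because, as described above, cupsd resets the permissions of its RequestRoot on every restart, so a shared directory keeps breaking Samba's access to its own spool files.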
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2911125"></a>Network PostScript RIP: CUPS Filters on Server -- clients use
PostScript Driver with CUPS-PPDs</h2></div></div><div></div></div><a class="indexterm" name="id2911135"></a><a class="indexterm" name="id2911143"></a><a class="indexterm" name="id2911151"></a><p>
PPDs can control all print device options. They are usually provided
by the manufacturer; if you own a PostScript printer, that is. PPD
files (PostScript Printer Descriptions) are always a component of
PostScript printer drivers on MS Windows or Apple Mac OS systems. They
are ASCII files containing user-selectable print options, mapped to
appropriate PostScript, PCL or PJL commands for the target
printer. Printer driver GUI dialogs translate these options
"on-the-fly" into buttons and drop-down lists for the user to select.
</p><p>
CUPS can load, without any conversions, the PPD file from any Windows
(NT is recommended) PostScript driver and handle the options. There is
a web browser interface to the print options (select <a href="http://localhost:631/printers/" target="_top">http://localhost:631/printers/</a>
and click on one <span class="emphasis"><em>Configure Printer</em></span> button to see
it), or a command line interface (see <b class="command">man lpoptions</b>
or see if you have lphelp on your system). There are also various
GUI frontends on Linux/UNIX which can present PPD options
to users. PPD options are normally meant to be evaluated by the
PostScript RIP on the real PostScript printer.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911206"></a>PPDs for non-PS Printers on UNIX</h3></div></div><div></div></div><a class="indexterm" name="id2911214"></a><p>
CUPS doesn't limit itself to "real" PostScript printers in its usage
of PPDs. The CUPS developers have extended the scope of the PPD
concept to also describe available device and driver options for
non-PostScript printers through CUPS-PPDs.
</p><p>
This is logical, as CUPS includes a fully featured PostScript
interpreter (RIP). This RIP is based on Ghostscript. It can process
all received PostScript (and additionally many other file formats)
from clients. All CUPS-PPDs geared to non-PostScript printers contain
an additional line, starting with the keyword
<i class="parameter"><tt>*cupsFilter</tt></i>. This line tells the CUPS print
system which printer-specific filter to use for the interpretation of
the supplied PostScript. Thus CUPS lets all its printers appear as
PostScript devices to its clients, because it can act as a PostScript
RIP for those printers, processing the received PostScript code into a
proper raster print format.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911255"></a>PPDs for non-PS Printers on Windows</h3></div></div><div></div></div><a class="indexterm" name="id2911263"></a><p>
CUPS-PPDs can also be used on Windows clients, on top of a
"core" PostScript driver (now recommended is the "CUPS PostScript
Driver for WindowsNT/2K/XP"; you can also use the Adobe one, with
limitations). This feature enables CUPS to do a few tricks no other
spooler can do:
</p><div class="itemizedlist"><ul type="disc"><li><p>act as a networked PostScript RIP (Raster Image
Processor), handling print files from all client platforms in a uniform
way;</p></li><li><p>act as a central accounting and billing server, since
all files are passed through the pstops filter and are therefore
logged in the CUPS <tt class="filename">page_log</tt> file.
<span class="emphasis"><em>NOTE:</em></span> this cannot happen with "raw" print jobs,
which always remain unfiltered by definition;</p></li><li><p>enable clients to consolidate on a single PostScript
driver, even for many different target printers.</p></li></ul></div><p>
Using CUPS PPDs on Windows clients enables them to control
all print job settings just as a UNIX client can.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2911328"></a>Windows Terminal Servers (WTS) as CUPS Clients</h2></div></div><div></div></div><p>
This setup may be of special interest to people experiencing major
problems in WTS environments. WTS often need a multitude of
non-PostScript drivers installed to run their clients' variety of
different printer models. This often comes at the price of greatly
increased instability.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911345"></a>Printer Drivers running in "Kernel Mode" cause many
Problems</h3></div></div><div></div></div><p>
9226 The reason is that in Win NT printer drivers run in "Kernel
9227 Mode", this introduces a high risk for the stability of the system
9228 if the driver is not really stable and well-tested. And there are a
9229 lot of bad drivers out there! Especially notorious is the example
9230 of the PCL printer driver that had an additional sound module
9231 running, to notify users via soundcard of their finished jobs. Do I
9232 need to say that this one was also reliably causing "Blue Screens
9233 of Death" on a regular basis?
9234 </p><p>
PostScript drivers generally are very well tested. They are not known
to cause any problems, even though they run in Kernel Mode too. This
might be because there have so far only been two different PostScript
drivers: the one from Adobe and the one from Microsoft. Both are
very well tested and are as stable as you can ever imagine on
Windows. The CUPS driver is derived from the Microsoft one.
9241 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911379"></a>Workarounds impose Heavy Limitations</h3></div></div><div></div></div><p>
In many cases, in an attempt to work around this problem, site
administrators have resorted to restricting the drivers allowed on
their WTS to one generic PCL and one PostScript driver. This,
however, restricts the printer options available to the clients;
often they can't get more than simplex prints from one standard
paper tray, while their devices could do much better if driven by a
different driver.
9249 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911400"></a>CUPS: a "Magical Stone"?</h3></div></div><div></div></div><a class="indexterm" name="id2911410"></a><a class="indexterm" name="id2911418"></a><p>
Using a PostScript driver, enabled with a CUPS-PPD, seems to be a very
elegant way to overcome all these shortcomings. There are, depending
on the version of Windows OS you use, up to three different PostScript
drivers available: the Adobe, Microsoft and CUPS PostScript drivers. None
of them is known to cause major stability problems on WTS (even if
used with many different PPDs). The clients will be able to (again)
choose paper trays, duplex printing and other settings. However, there
is a certain price for this too: a CUPS server acting as a PostScript
RIP for its clients requires more CPU and RAM than when just acting as
a "raw spooling" device. Plus, this setup is not yet widely tested,
although the initial feedback looks very promising.
9261 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911445"></a>PostScript Drivers with no major problems -- even in Kernel
9262 Mode</h3></div></div><div></div></div><a class="indexterm" name="id2911454"></a><p>
More recent printer drivers on W2K and XP no longer run in Kernel
mode (unlike Win NT). However, both operating systems can still
use the NT drivers, running in Kernel mode (you can roughly tell which
is which, as the drivers in subdirectory "2" of "W32X86" are the "old"
ones). As was said before, the Adobe as well as the Microsoft
PostScript drivers are not known to cause any stability problems. The
CUPS driver is derived from the Microsoft one. There is a simple
reason for this: the MS DDK (Driver Development Kit) for Win NT (which
used to be available at no cost to licensees of Visual Studio)
includes the source code of the Microsoft driver, and licensees of
Visual Studio are allowed to use and modify it for their own driver
development efforts. This is what the CUPS people have done. The
license doesn't allow them to publish the whole of the source code.
However, they have released the "diff" under the GPL, and if you are
owner of an "MS DDK for Win NT", you can check the driver yourself.
9278 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2911506"></a>Setting up CUPS for driver Download</h2></div></div><div></div></div><p>
As we have said before: all previously known methods to prepare client
printer drivers on the Samba server for download and "Point'n'Print"
convenience of Windows workstations work with CUPS too. These
methods were described in the previous chapter. In reality, this is
purely a Samba matter, and only concerns the Samba/Windows client
relationship.
9285 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911524"></a><span class="emphasis"><em>cupsaddsmb</em></span>: the unknown Utility</h3></div></div><div></div></div><a class="indexterm" name="id2911536"></a><p>
9286 The cupsaddsmb utility (shipped with all current CUPS versions) is an
9287 alternative method to transfer printer drivers into the Samba
<i class="parameter"><tt>[print$]</tt></i> share. Remember, this share is where
clients expect drivers deposited and set up for download and
installation. It makes the sharing of any (or all) installed CUPS
printers very easy. cupsaddsmb can use the Adobe PostScript driver as
well as the newly developed <span class="emphasis"><em>CUPS PostScript Driver for
WinNT/2K/XP</em></span>. Note that cupsaddsmb does
<span class="emphasis"><em>not</em></span> work with arbitrary vendor printer drivers,
but only with the <span class="emphasis"><em>exact</em></span> driver files that are
named in its man page.
9297 </p><p>
9298 The CUPS printer driver is available from the CUPS download site. Its
package name is <tt class="filename">cups-samba-[version].tar.gz</tt>. It
is preferred over the Adobe drivers since it has a number of
advantages:
</p><div class="itemizedlist"><ul type="disc"><li><p>it supports much more accurate page
accounting;</p></li><li><p>it supports banner pages and page labels on all
printers;</p></li><li><p>it supports the setting of a number of IPP job
attributes (such as job-priority, page-label and
job-billing).</p></li></ul></div><p>
However, currently only Windows NT, 2000, and XP are supported by the
CUPS drivers. You will need to get the respective Adobe driver files
too if you need to support Windows 95, 98, and ME clients.
9310 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911625"></a>Prepare your <tt class="filename">smb.conf</tt> for cupsaddsmb</h3></div></div><div></div></div><p>
Prior to running cupsaddsmb, you need the following settings in
<tt class="filename">smb.conf</tt>. Note that the
<i class="parameter"><tt>[print$]</tt></i> share is deliberately read-only
for everybody but the <i class="parameter"><tt>write list</tt></i>: every
file stored there is later downloaded and executed as a printer driver by
the Windows clients, so only the account(s) used to upload drivers may
be able to write to it:
9313 </p><div class="example"><a name="id2911654"></a><p class="title"><b>Example 19.3. smb.conf for cupsaddsmb usage</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>load printers = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = cups</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap name = cups</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = All Printers</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>public = yes</tt></i></td></tr><tr><td># setting depends on your requirements</td></tr><tr><td><i class="parameter"><tt>guest ok = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = root</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Printer Drivers</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /etc/samba/drivers</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = no</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>write list = root</tt></i></td></tr></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911845"></a>CUPS Package of "PostScript Driver for WinNT/2k/XP"</h3></div></div><div></div></div><a class="indexterm" name="id2911854"></a><p>
CUPS users may get the exact same package from <a href="http://www.cups.org/software.html" target="_top">http://www.cups.org/software.html</a>.
It is a separate package from the CUPS base software files, tagged as
<span class="emphasis"><em>CUPS 1.1.x Windows NT/2k/XP Printer Driver for Samba
(tar.gz, 192k)</em></span>. The filename to download is
<tt class="filename">cups-samba-1.1.x.tar.gz</tt>. Upon untarring/unzipping,
it will reveal these files:
9320 </p><pre class="screen">
9321 <tt class="prompt">root# </tt><b class="userinput"><tt>tar xvzf cups-samba-1.1.19.tar.gz</tt></b>
9322 cups-samba.install
9323 cups-samba.license
9324 cups-samba.readme
9325 cups-samba.remove
9326 cups-samba.ss
9327 </pre><p>
9328 <a class="indexterm" name="id2911916"></a>
9329 <a class="indexterm" name="id2911927"></a>
These have been packaged with the ESP meta packager software
"EPM". The <tt class="filename">*.install</tt> and
<tt class="filename">*.remove</tt> files are simple shell scripts which
untar the <tt class="filename">*.ss</tt> (the <tt class="filename">*.ss</tt> is
nothing else but a tar archive, which can be untarred by "tar"
too). The install script then puts the content into
<tt class="filename">/usr/share/cups/drivers/</tt>. This content includes three
files:
9338 </p><pre class="screen">
9339 <tt class="prompt">root# </tt><b class="userinput"><tt>tar tv cups-samba.ss</tt></b>
9340 cupsdrvr.dll
9341 cupsui.dll
9342 cups.hlp
9343 </pre><p>
The <span class="emphasis"><em>cups-samba.install</em></span> shell script is easy to
handle:
9346 </p><pre class="screen">
9347 <tt class="prompt">root# </tt><b class="userinput"><tt>./cups-samba.install</tt></b>
9348 [....]
9349 Installing software...
9350 Updating file permissions...
9351 Running post-install commands...
9352 Installation is complete.
9353 </pre><p>
9354 The script should automatically put the driver files into the
9355 <tt class="filename">/usr/share/cups/drivers/</tt> directory.
9356 </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Due to a bug, one recent CUPS release puts the
<tt class="filename">cups.hlp</tt> driver file
into <tt class="filename">/usr/share/drivers/</tt> instead of
<tt class="filename">/usr/share/cups/drivers/</tt>. To work around this,
copy/move the file (after running the
<b class="command">./cups-samba.install</b> script) manually to the
right place:
9364 </p></div><pre class="screen">
9365 <tt class="prompt">root# </tt><b class="userinput"><tt>cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/</tt></b>
9366 </pre><a class="indexterm" name="id2912102"></a><p>
This new CUPS PostScript driver is currently binary-only, but free of
charge. No complete source code is provided (yet). The reason is this:
it has been developed with the help of the <span class="emphasis"><em>Microsoft Driver
Development Kit</em></span> (DDK) and compiled with Microsoft Visual
Studio 6. Driver developers are not allowed to distribute the whole of
the source code as Free Software. However, the CUPS developers released
the "diff" in source code under the GPL, so anybody with a license for
Visual Studio and a DDK will be able to compile it for themselves.
9375 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2912128"></a>Recognize the different Driver Files</h3></div></div><div></div></div><p>
The CUPS drivers don't support the "older" Windows 95/98/ME, but only
the Windows NT/2000/XP clients:
9378 </p><p>Windows NT, 2000, and XP are supported by:</p><p>
9379 </p><div class="itemizedlist"><ul type="disc"><li><p>cups.hlp</p></li><li><p>cupsdrvr.dll</p></li><li><p>cupsui.dll</p></li></ul></div><p>
9380 </p><p>
9381 Adobe drivers are available for the older Windows 95/98/ME as well as
9382 the Windows NT/2000/XP clients. The set of files is different for the
9383 different platforms.
9384 </p><p>Windows 95, 98, and Me are supported by:</p><p>
9385 </p><div class="itemizedlist"><ul type="disc"><li><p>ADFONTS.MFM</p></li><li><p>ADOBEPS4.DRV</p></li><li><p>ADOBEPS4.HLP</p></li><li><p>DEFPRTR2.PPD</p></li><li><p>ICONLIB.DLL</p></li><li><p>PSMON.DLL</p></li></ul></div><p>
9386 </p><p>Windows NT, 2000, and XP are supported by:</p><p>
9387 </p><div class="itemizedlist"><ul type="disc"><li><p>ADOBEPS5.DLL</p></li><li><p>ADOBEPSU.DLL</p></li><li><p>ADOBEPSU.HLP</p></li></ul></div><p>
9389 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
If both the Adobe driver files and the CUPS driver files for the
support of WinNT/2k/XP are present in the driver directory, the Adobe ones will be ignored
and the CUPS ones will be used. If you prefer -- for whatever reason
-- to use Adobe-only drivers, move away the three CUPS driver files. The
Win95/98/ME clients use the Adobe drivers in any case.
9395 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2912268"></a>Acquiring the Adobe Driver Files</h3></div></div><div></div></div><p>
Acquiring the Adobe driver files seems to be unexpectedly difficult
for many users. They are not available on the Adobe website as single
files, and the self-extracting and/or self-installing Windows-exe is
not easy to locate either. You will probably need to use the included
native installer and run the installation process on one client
once. This will install the drivers (and one Generic PostScript
printer) locally on the client. When they are installed, share the
Generic PostScript printer. After this, the client's
<i class="parameter"><tt>[print$]</tt></i> share holds the Adobe files, from
where you can get them with smbclient from the CUPS host. A more
detailed description of this procedure is given in the printing
chapter.
9408 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2912301"></a>ESP Print Pro Package of "PostScript Driver for
9409 WinNT/2k/XP"</h3></div></div><div></div></div><a class="indexterm" name="id2912311"></a><p>
9410 Users of the ESP Print Pro software are able to install their "Samba
9411 Drivers" package for this purpose with no problem. Retrieve the driver
9412 files from the normal download area of the ESP Print Pro software
9413 at <a href="http://www.easysw.com/software.html" target="_top">http://www.easysw.com/software.html</a>.
9414 You need to locate the link labelled "SAMBA" amongst the
9415 <span class="emphasis"><em>Download Printer Drivers for ESP Print Pro 4.x</em></span>
area and download the package. Once installed, you can prepare any
driver by simply highlighting the printer in the Printer Manager GUI
and selecting <span class="emphasis"><em>Export Driver...</em></span> from the menu. Of
course you need to have prepared Samba beforehand too to handle the
driver files; i.e. mainly set up the <i class="parameter"><tt>[print$]</tt></i>
share, etc. The ESP Print Pro package includes the CUPS driver files
as well as a (licensed) set of Adobe drivers for the Windows 95/98/ME
client family.
9424 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2912362"></a>Caveats to be considered</h3></div></div><div></div></div><a class="indexterm" name="id2912371"></a><p>
9425 Once you have run the install script (and possibly manually
9426 moved the <tt class="filename">cups.hlp</tt> file to
9427 <tt class="filename">/usr/share/cups/drivers/</tt>), the driver is
9428 ready to be put into Samba's <i class="parameter"><tt>[print$]</tt></i> share (which often maps to
9429 <tt class="filename">/etc/samba/drivers/</tt> and contains a subdir
9430 tree with <span class="emphasis"><em>WIN40</em></span> and
<span class="emphasis"><em>W32X86</em></span> branches). You do this by running
"cupsaddsmb" (see also <b class="command">man cupsaddsmb</b>, available
since CUPS release 1.1.16).
9434 </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
9435 <a class="indexterm" name="id2912436"></a>
You may need to put root into the smbpasswd file by running
<b class="command">smbpasswd</b>; this is especially important if you
run this whole procedure for the first time and are not
working in an environment where everything is configured for
<span class="emphasis"><em>Single Sign On</em></span> to a Windows Domain Controller.
Whatever account you hand to cupsaddsmb with <tt class="option">-U</tt>
must be able to write to <i class="parameter"><tt>[print$]</tt></i> and
be listed in <i class="parameter"><tt>printer admin</tt></i>, as root is
in the <tt class="filename">smb.conf</tt> example above.
9441 </p></div><p>
9442 Once the driver files are in the <i class="parameter"><tt>[print$]</tt></i> share
9443 and are initialized, they are ready to be downloaded and installed by
9444 the Win NT/2k/XP clients.
9445 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
9446 </p><div class="orderedlist"><ol type="1"><li><p>
9447 Win 9x/ME clients won't work with the CUPS PostScript driver. For
9448 these you'd still need to use the <tt class="filename">ADOBE*.*</tt>
9449 drivers as previously.
9450 </p></li><li><p>
9451 It is not harmful if you still have the
9452 <tt class="filename">ADOBE*.*</tt> driver files from previous
9453 installations in the <tt class="filename">/usr/share/cups/drivers/</tt>
9454 directory. The new <span class="emphasis"><em>cupsaddsmb</em></span> (from 1.1.16) will
9455 automatically prefer "its own" drivers if it finds both.
9456 </p></li><li><p>
9457 <a class="indexterm" name="id2912533"></a>
9458 Should your Win clients have had the old <tt class="filename">ADOBE*.*</tt>
9459 files for the Adobe PostScript driver installed, the download and
9460 installation of the new CUPS PostScript driver for Windows NT/2k/XP
9461 will fail at first. You need to wipe the old driver from the clients
9462 first. It is not enough to "delete" the printer, as the driver files
9463 will still be kept by the clients and re-used if you try to re-install
9464 the printer. To really get rid of the Adobe driver files on the
9465 clients, open the "Printers" folder (possibly via <span class="emphasis"><em>Start, Settings, Control Panel, Printers</em></span>),
right-click on the folder background and select <span class="emphasis"><em>Server
9467 Properties</em></span>. When the new dialog opens, select the
9468 <span class="emphasis"><em>Drivers</em></span> tab. On the list select the driver you
9469 want to delete and click on the <span class="emphasis"><em>Delete</em></span>
9470 button. This will only work if there is not one single printer left
9471 which uses that particular driver. You need to "delete" all printers
9472 using this driver in the "Printers" folder first. You will need
9473 Administrator privileges to do this.
9474 </p></li><li><p>
9475 <a class="indexterm" name="id2912587"></a>
9476 Once you have successfully downloaded the CUPS PostScript driver to a
9477 client, you can easily switch all printers to this one by proceeding
9478 as described in <a href="#printing" title="Chapter 18. Classical Printing Support">the printing chapter</a>: either change
9479 a driver for an existing printer by running the "Printer Properties"
9480 dialog, or use <b class="command">rpcclient</b> with the
9481 <b class="command">setdriver</b> sub-command.
9482 </p></li></ol></div><p>
9483 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2912629"></a>Benefits of using "CUPS PostScript Driver for
9484 Windows NT/2k/XP" instead of Adobe Driver</h3></div></div><div></div></div><p>
Are you interested in a comparison between the CUPS and the Adobe
PostScript drivers? For our purposes, these are the most important
points that weigh in favor of the CUPS driver:
9488 </p><div class="itemizedlist"><ul type="disc"><li><p>no hassle with the Adobe EULA</p></li><li><p>no hassle with the question &#8220;<span class="quote">Where do I
9489 get the ADOBE*.* driver files from?</span>&#8221;</p></li><li><p>
9490 <a class="indexterm" name="id2912669"></a>
the Adobe drivers (at the request of the printer PPD
associated with them) often put a PJL header in front of the main
PostScript part of the print file. Thus the print file starts with
<i class="parameter"><tt>&lt;1B&gt;%-12345X</tt></i> (that is,
<i class="parameter"><tt>&lt;escape&gt;%-12345X</tt></i>) instead
of <i class="parameter"><tt>%!PS</tt></i>. This leads to the
CUPS daemon auto-typing the incoming file as a print-ready file
and not passing it through the "pstops" filter (to put it more
technically, it is not regarded as the generic MIME type
<a class="indexterm" name="id2912706"></a>
<span class="emphasis"><em>application/postscript</em></span>, but as
the more specific MIME type
<a class="indexterm" name="id2912720"></a>
<span class="emphasis"><em>application/vnd.cups-postscript</em></span>),
which in turn means that the page accounting in
<span class="emphasis"><em>/var/log/cups/page_log</em></span> does not
receive the exact number of pages; instead the dummy page count
of "1" is logged in a standard setup;</p></li><li><p>the Adobe driver has more options to "mis-configure" the
9509 PostScript generated by it (like setting it inadvertently to
9510 <span class="emphasis"><em>Optimize for Speed</em></span>, instead of
9511 <span class="emphasis"><em>Optimize for Portability</em></span>, which
could lead to CUPS being unable to process it)</p></li><li><p>the CUPS PostScript driver output sent by Windows
clients to the CUPS server is guaranteed to always be auto-typed
as the generic MIME type <span class="emphasis"><em>application/postscript</em></span>,
thus passing through the CUPS "pstops" filter and logging the
correct number of pages in the <tt class="filename">page_log</tt> for
accounting and quota purposes</p></li><li><p>the CUPS PostScript driver supports the sending of
9518 additional standard (IPP) print options by Win NT/2k/XP clients. Such
9519 additional print options are: naming the CUPS standard
9520 <span class="emphasis"><em>banner pages</em></span> (or the custom ones, should they be
9521 installed at the time of driver download), using the CUPS
9522 <span class="emphasis"><em>page-label</em></span> option, setting a
9523 <span class="emphasis"><em>job-priority</em></span> and setting the <span class="emphasis"><em>scheduled
9524 time of printing</em></span> (with the option to support additional
9525 useful IPP job attributes in the future).</p></li><li><p>the CUPS PostScript driver supports the inclusion of
9526 the new <span class="emphasis"><em>*cupsJobTicket</em></span> comments at the
beginning of the PostScript file (which could be used in the future
for all sorts of beneficial extensions on the CUPS side, but which will
not disturb any other applications, as they will regard it as a comment
9530 and simply ignore it).</p></li><li><p>the CUPS PostScript driver will be the heart of the
9531 fully fledged CUPS IPP client for Windows NT/2K/XP to be released soon
9532 (probably alongside the first Beta release for CUPS
9533 1.2).</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2912835"></a>Run "cupsaddsmb" (quiet Mode)</h3></div></div><div></div></div><a class="indexterm" name="id2912844"></a><a class="indexterm" name="id2912852"></a><p>
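Before moving on to running cupsaddsmb: the PJL header problem from the comparison list above can be checked on the CUPS host before anyone starts hunting for missing pages in page_log. The following script is an added example and not part of CUPS or Samba. It classifies a spooled file by its first bytes the way the text describes cupsd doing it, strips a PJL prologue and trailing UEL so that the remaining PostScript is auto-typed as application/postscript, and counts the DSC %%Page: comments that pstops relies on. The sample job it writes is constructed for the example; the MIME names are those used by CUPS, the classification logic is the script's own:</p>

```shell
#!/bin/sh
# pjl_check.sh -- added example, not part of CUPS or Samba.
# Shows why a PJL-wrapped job from the Adobe driver is not page-accounted:
# classify_printfile mirrors the auto-typing described above, strip_pjl turns
# such a job back into plain PostScript, dsc_page_count counts what pstops
# would then see.
# Usage: sh pjl_check.sh /var/spool/cups/d00042-001

UEL=$(printf '\033%%-12345X')   # PJL "Universal Exit Language": <ESC>%-12345X

# MIME type cupsd (1.1) assigns according to the text, judged from the
# first bytes of the file.
classify_printfile() {   # $1 = file
    first=$(head -c 9 "$1" | tr -d '\000')
    case "$first" in
        "%!PS"*) echo application/postscript ;;          # goes through pstops
        "$UEL"*) echo application/vnd.cups-postscript ;; # print-ready, 1 page logged
        *)       echo unknown ;;
    esac
}

# Drop the PJL prologue (from the leading UEL through the
# "@PJL ENTER LANGUAGE=POSTSCRIPT" line) and a trailing UEL, keep the rest.
strip_pjl() {   # $1 = input file, $2 = output file
    awk -v uel="$UEL" '
        NR == 1 && index($0, uel) == 1 { inpjl = 1 }
        inpjl {
            if (toupper($0) ~ /ENTER[ \t]*LANGUAGE[ \t]*=[ \t]*POSTSCRIPT/) inpjl = 0
            next
        }
        $0 == uel { next }              # UEL alone on the last line
        { sub(uel "$", ""); print }     # UEL glued to the last line
    ' "$1" > "$2"
}

# Number of pages according to the DSC comments, which is what pstops counts.
dsc_page_count() {   # $1 = PostScript file
    grep -c '^%%Page:' "$1" || true
}

# Constructed two-page job with the kind of PJL wrapper the Adobe driver emits
# when the PPD asks for it (not a captured job).
write_sample_pjl_job() {   # $1 = output path
    {
        printf '%s@PJL JOB NAME="sample"\n' "$UEL"
        printf '@PJL SET COPIES=1\n@PJL ENTER LANGUAGE=POSTSCRIPT\n'
        printf '%%!PS-Adobe-3.0\n%%%%Pages: 2\n'
        printf '%%%%Page: 1 1\nshowpage\n%%%%Page: 2 2\nshowpage\n%%%%EOF\n'
        printf '%s\n' "$UEL"
    } > "$1"
}

if [ $# -eq 1 ]; then
    echo "$1: $(classify_printfile "$1"), $(dsc_page_count "$1") DSC page(s)"
fi
```

<p>Run against a job that the Adobe driver produced, the first call reports application/vnd.cups-postscript; after strip_pjl the same job reports application/postscript and the two DSC pages that pstops would count. The text's own recommendation stands: with the CUPS driver the prologue is never there in the first place, so nothing needs stripping.</p><p>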
9534 The cupsaddsmb command copies the needed files into your
9535 <i class="parameter"><tt>[print$]</tt></i> share. Additionally, the PPD
9536 associated with this printer is copied from
9537 <tt class="filename">/etc/cups/ppd/</tt> to
9538 <i class="parameter"><tt>[print$]</tt></i>. There the files wait for convenient
Windows client installations via Point'n'Print. Before we can run the
command successfully, we need to be sure that we can authenticate
to Samba. If you have a small network you are probably using user
9542 level security (<a class="indexterm" name="id2912890"></a><i class="parameter"><tt>security</tt></i> = user).
9543 </p><p>
9544 Here is an example of a successfully run cupsaddsmb command.
9545 </p><pre class="screen">
9546 <tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -U root infotec_IS2027</tt></b>
9547 Password for root required to access localhost via Samba: <b class="userinput"><tt>['secret']</tt></b>
9548 </pre><p>
To share <span class="emphasis"><em>all</em></span> printers and drivers, use the
<tt class="option">-a</tt> parameter instead of a printer name. Since
cupsaddsmb "exports" the printer drivers to Samba, it should be
obvious that it only works for queues that have a CUPS driver (a PPD) associated with them.
9553 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2912958"></a>Run "cupsaddsmb" with verbose Output</h3></div></div><div></div></div><a class="indexterm" name="id2912965"></a><p>
You probably want to see what's going on. Use the
<tt class="option">-v</tt> parameter to get more verbose output. The
output below was edited for better readability: every "\" at the end of
a line indicates that I inserted an artificial line break plus some
indentation here:
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
You will see the root password for the Samba account printed on
screen. cupsaddsmb also hands it to smbclient and rpcclient on their
command lines, so it is visible in the process list (e.g. with
<b class="command">ps</b>) to every local user for as long as those
commands run. Do not paste such a log anywhere without redacting it.
9562 </p></div><a class="indexterm" name="id2912994"></a><a class="indexterm" name="id2913004"></a><pre class="screen">
9563 <tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -U root -v infotec_2105</tt></b>
9564 Password for root required to access localhost via GANDALF:
9565 Running command: smbclient //localhost/print\$ -N -U'root%secret' \
9566 -c 'mkdir W32X86; \
9567 put /var/spool/cups/tmp/3e98bf2d333b5 W32X86/infotec_2105.ppd; \
9568 put /usr/share/cups/drivers/cupsdrvr.dll W32X86/cupsdrvr.dll; \
9569 put /usr/share/cups/drivers/cupsui.dll W32X86/cupsui.dll; \
9570 put /usr/share/cups/drivers/cups.hlp W32X86/cups.hlp'
9571 added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
9572 Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
9573 NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86
9574 putting file /var/spool/cups/tmp/3e98bf2d333b5 as \W32X86/infotec_2105.ppd
9575 putting file /usr/share/cups/drivers/cupsdrvr.dll as \W32X86/cupsdrvr.dll
9576 putting file /usr/share/cups/drivers/cupsui.dll as \W32X86/cupsui.dll
9577 putting file /usr/share/cups/drivers/cups.hlp as \W32X86/cups.hlp
9579 Running command: rpcclient localhost -N -U'root%secret'
9580 -c 'adddriver "Windows NT x86" \
9581 "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll:cups.hlp:NULL: \
9582 RAW:NULL"'
9583 cmd = adddriver "Windows NT x86" \
9584 "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll:cups.hlp:NULL:RAW:NULL"
9585 Printer Driver infotec_2105 successfully installed.
9587 Running command: smbclient //localhost/print\$ -N -U'root%secret' \
9588 -c 'mkdir WIN40; \
9589 put /var/spool/cups/tmp/3e98bf2d333b5 WIN40/infotec_2105.PPD; \
9590 put /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM; \
9591 put /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV; \
9592 put /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP; \
9593 put /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD; \
9594 put /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL; \
9595 put /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;'
9596 added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
9597 Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
9598 NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40
9599 putting file /var/spool/cups/tmp/3e98bf2d333b5 as \WIN40/infotec_2105.PPD
9600 putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM
9601 putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV
9602 putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP
9603 putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD
9604 putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL
9605 putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL
9607 Running command: rpcclient localhost -N -U'root%secret' \
9608 -c 'adddriver "Windows 4.0" \
9609 "infotec_2105:ADOBEPS4.DRV:infotec_2105.PPD:NULL:ADOBEPS4.HLP: \
9610 PSMON.DLL:RAW:ADOBEPS4.DRV,infotec_2105.PPD,ADOBEPS4.HLP,PSMON.DLL, \
9611 ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"'
9612 cmd = adddriver "Windows 4.0" "infotec_2105:ADOBEPS4.DRV:infotec_2105.PPD:NULL: \
9613 ADOBEPS4.HLP:PSMON.DLL:RAW:ADOBEPS4.DRV,infotec_2105.PPD,ADOBEPS4.HLP, \
9614 PSMON.DLL,ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"
9615 Printer Driver infotec_2105 successfully installed.
9617 Running command: rpcclient localhost -N -U'root%secret' \
9618 -c 'setdriver infotec_2105 infotec_2105'
9619 cmd = setdriver infotec_2105 infotec_2105
9620 Successfully set infotec_2105 to driver infotec_2105.
9622 </pre><p>
If you look closely, you'll discover that your root password appears in
clear text in the command lines shown above (and, unless Samba is
configured with <i class="parameter"><tt>encrypt passwords = yes</tt></i>,
it also crosses the wire unencrypted), so beware! Also, if you look further,
you'll discover error messages like NT_STATUS_OBJECT_NAME_COLLISION in
between. They occur because the directories WIN40 and W32X86 already
existed in the <i class="parameter"><tt>[print$]</tt></i> driver download share
(from a previous driver installation). They are harmless here.
9629 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913117"></a>Understanding cupsaddsmb</h3></div></div><div></div></div><a class="indexterm" name="id2913126"></a><p>
What has happened? What did cupsaddsmb do? There are five stages in
the procedure:
9632 </p><div class="orderedlist"><ol type="1"><li><p>
9633 <a class="indexterm" name="id2913153"></a>
9634 call the CUPS server via IPP and request the
9635 driver files and the PPD file for the named printer;</p></li><li><p>store the files temporarily in the local
9636 TEMPDIR (as defined in
9637 <tt class="filename">cupsd.conf</tt>);</p></li><li><p>connect via smbclient to the Samba server's
9638 <i class="parameter"><tt>[print$]</tt></i> share and put the files into the
9639 share's WIN40 (for Win95/98/ME) and W32X86/ (for WinNT/2k/XP) sub
9640 directories;</p></li><li><p>
9641 <a class="indexterm" name="id2913197"></a>
9642 connect via rpcclient to the Samba server and
9643 execute the "adddriver" command with the correct
9644 parameters;</p></li><li><p>
9645 <a class="indexterm" name="id2913216"></a>
9646 connect via rpcclient to the Samba server a second
9647 time and execute the "setdriver" command.</p></li></ol></div><p>
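The five stages above, written out as one shell function each, make the procedure easy to inspect and to run step by step. This is an added example, not code from CUPS or Samba. It assumes that smbclient and rpcclient accept a credentials file with <tt class="option">-A</tt> (check <b class="command">rpcclient --help</b>; on Samba 2.2 fall back to <tt class="option">-U root</tt> without the password part, which makes the tools prompt), and it replaces the IPP request of stage 1 by reading the PPD that cupsd keeps in <tt class="filename">/etc/cups/ppd/</tt>. The credentials file keeps the password off the command line, which is the one thing the verbose run of cupsaddsmb gets wrong from a security standpoint. With <tt class="option">DRY_RUN=1</tt> (the default) the commands are only printed:</p>

```shell
#!/bin/sh
# export_printer.sh -- added example, not part of CUPS or Samba.
# Performs the stages cupsaddsmb performs, one shell function each, for the
# CUPS PostScript driver (W32X86 branch). Stage 1 (IPP request for the PPD)
# is replaced by reading the PPD cupsd keeps in /etc/cups/ppd/.
# Assumption: smbclient/rpcclient accept "-A <authfile>" (rpcclient: Samba 3.0+).
# Usage: DRY_RUN=0 sh export_printer.sh PRINTER /etc/cups/ppd/PRINTER.ppd AUTHFILE [SAMBAHOST]

CUPS_DRIVER_DIR=${CUPS_DRIVER_DIR:-/usr/share/cups/drivers}
DRY_RUN=${DRY_RUN:-1}                 # 1 = only print the commands

# The exact file set of the CUPS PostScript driver for Windows NT/2k/XP.
CUPS_NT_FILES="cupsdrvr.dll cupsui.dll cups.hlp"

# Print the names of the files ($2 ...) missing from directory $1 and return 1
# if anything is missing. Catches e.g. the misplaced cups.hlp mentioned above.
missing_files() {
    dir=$1; shift
    rc=0
    for f in "$@"; do
        [ -f "$dir/$f" ] || { echo "$f"; rc=1; }
    done
    return $rc
}

# rpcclient "adddriver" takes a string of eight colon-separated fields:
#   LongName:DriverFile:DataFile:ConfigFile:HelpFile:LanguageMonitor:DataType:DependentFiles
# For the CUPS driver the data file is the printer's PPD and there are no
# dependent files, which gives exactly the string seen in the verbose output.
adddriver_spec_nt() {   # $1 = printer name
    echo "$1:cupsdrvr.dll:$1.ppd:cupsui.dll:cups.hlp:NULL:RAW:NULL"
}

# Credentials file for "-A": the password stays out of argv, "ps" and logs.
write_authfile() {   # $1 = path, $2 = user, $3 = password
    ( umask 077; printf 'username = %s\npassword = %s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# Execute a command, or only show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Stages 3-5 for one printer: upload PPD + driver to [print$], register the
# driver with adddriver, then bind the queue to it with setdriver.
export_printer() {   # $1 = printer, $2 = PPD path, $3 = authfile, $4 = Samba host
    p=$1 ppd=$2 auth=$3 host=${4:-localhost}
    missing_files "$CUPS_DRIVER_DIR" $CUPS_NT_FILES >/dev/null ||
        { echo "driver files missing in $CUPS_DRIVER_DIR" >&2; return 1; }
    [ -f "$ppd" ] || { echo "no PPD at $ppd" >&2; return 1; }
    [ -r "$auth" ] || { echo "cannot read authfile $auth" >&2; return 1; }
    run smbclient "//$host/print\$" -A "$auth" -c "mkdir W32X86; \
put $ppd W32X86/$p.ppd; \
put $CUPS_DRIVER_DIR/cupsdrvr.dll W32X86/cupsdrvr.dll; \
put $CUPS_DRIVER_DIR/cupsui.dll W32X86/cupsui.dll; \
put $CUPS_DRIVER_DIR/cups.hlp W32X86/cups.hlp" || return 1
    run rpcclient "$host" -A "$auth" \
        -c "adddriver \"Windows NT x86\" \"$(adddriver_spec_nt "$p")\"" || return 1
    run rpcclient "$host" -A "$auth" -c "setdriver $p $p"
}

# Only act when called with arguments (so the functions can be sourced, too).
if [ $# -ge 3 ]; then
    export_printer "$@"
fi
```

<p>Create the credentials file once with write_authfile from a shell that has sourced the script (the path <tt class="filename">/root/.smbauth</tt> used here is an assumption), run the script without <tt class="option">DRY_RUN=0</tt> to review the three commands, then with it to execute them. The WIN40 branch for the Adobe driver follows the same pattern with the "Windows 4.0" file list shown in the verbose output above.</p><p>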
Note that you can run the cupsaddsmb utility with parameters to
specify one remote host as Samba host and a second remote host as CUPS
host. Especially if you want to get a deeper understanding, it is a
good idea to try it and see more clearly what is going on (though in real
life most people will have their CUPS and Samba servers run on the
same host):
9654 </p><pre class="screen">
9655 <tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -H sambaserver -h cupsserver -v printername</tt></b>
9656 </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913264"></a>How to recognize if cupsaddsmb completed successfully</h3></div></div><div></div></div><p>
You <span class="emphasis"><em>must</em></span> always check if the utility completed
successfully in every respect. You need as a minimum these three messages
amongst the output:
9660 </p><div class="orderedlist"><ol type="1"><li><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully
9661 installed.</em></span> # (for the W32X86 == WinNT/2K/XP
9662 architecture...)</p></li><li><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully
9663 installed.</em></span> # (for the WIN40 == Win9x/ME
9664 architecture...)</p></li><li><p><span class="emphasis"><em>Successfully set [printerXPZ] to driver
9665 [printerXYZ].</em></span></p></li></ol></div><p>
9666 These messages are probably not easily recognized in the general
9667 output. If you run cupsaddsmb with the <tt class="option">-a</tt>
9668 parameter (which tries to prepare <span class="emphasis"><em>all</em></span> active CUPS
9669 printer drivers for download), you might miss that individual printer
9670 drivers had problems installing properly. Here a redirection of the
9671 output to a file will help you analyze the results afterwards.
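One way to do that analysis mechanically, as an added example that is not part of the Samba HOWTO or of cupsaddsmb itself: a POSIX shell script that scans a log file captured by redirecting the verbose output of cupsaddsmb (with or without -a) and reports, per printer, whether both "successfully installed" messages and the setdriver confirmation are present. It relies only on the three messages quoted above and on cupsaddsmb naming the driver after the printer; the log lines embedded for the demonstration are constructed.

```sh
#!/bin/sh
# Added example, not part of the Samba HOWTO or of cupsaddsmb itself.
# Checks a log captured with:  cupsaddsmb -v printername > cupsaddsmb.log 2>&1
# for the three messages that must be present per printer. cupsaddsmb names
# the driver after the printer, so the setdriver line is matched on that basis.

# check_cupsaddsmb_log LOGFILE PRINTER
# Returns 0 when two "successfully installed" lines (one per architecture,
# W32X86 and WIN40) and one setdriver confirmation are found, 1 otherwise.
# grep -F matches the messages literally, so the brackets need no escaping;
# "|| true" keeps a zero count from aborting a script run under "set -e".
check_cupsaddsmb_log() {
    log=$1
    printer=$2
    installed=$(grep -Fc "Printer Driver $printer successfully installed." "$log" || true)
    bound=$(grep -Fc "Successfully set [$printer] to driver [$printer]." "$log" || true)
    [ "$installed" -ge 2 ] && [ "$bound" -ge 1 ]
}

# check_many LOGFILE PRINTER...
# For a log produced with "cupsaddsmb -a -v": report each printer on its own
# line so that one failed driver is not lost in the output of all the others.
# Returns 1 if any printer failed.
check_many() {
    log=$1
    shift
    rc=0
    for p in "$@"; do
        if check_cupsaddsmb_log "$log" "$p"; then
            echo "OK      $p"
        else
            echo "FAILED  $p"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample log for the demonstration: infotec_2105 completed all
# three steps; hp_lj4 has only one adddriver success and no setdriver line.
sample_log() {
    cat <<'EOF'
Printer Driver infotec_2105 successfully installed.
Printer Driver infotec_2105 successfully installed.
Successfully set [infotec_2105] to driver [infotec_2105].
Printer Driver hp_lj4 successfully installed.
result was WERR_UNKNOWN_PRINTER_DRIVER
EOF
}

# Stand-alone demonstration on the constructed log; prints one line per printer.
demo() {
    tmp=$(mktemp)
    sample_log > "$tmp"
    check_many "$tmp" infotec_2105 hp_lj4 || true
    rm -f "$tmp"
}
demo
```

Run it against a real log with the printer names from your CUPS setup as arguments to check_many; a printer reported as FAILED is the one whose cupsaddsmb run needs to be repeated and inspected in verbose mode.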
9672 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
9673 It is impossible to see any diagnostic output if you don't run
9674 cupsaddsmb in verbose mode. Therefore we strongly recommend not
9675 using the default quiet mode, as it will hide from you any problems
9676 which might occur.
9677 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913349"></a>cupsaddsmb with a Samba PDC</h3></div></div><div></div></div><a class="indexterm" name="id2913357"></a><p>
9678 You can't get the standard cupsaddsmb command to run on a Samba PDC?
9679 You are asked for the password credential over and over again, and
9680 the command just will not take off at all? Try one of these
9681 variations:
9682 </p><pre class="screen">
9683 <tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -U MIDEARTH\\root -v printername</tt></b>
9684 <tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -H SAURON -U MIDEARTH\\root -v printername</tt></b>
9685 <tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -H SAURON -U MIDEARTH\\root -h cups-server -v printername</tt></b>
9686 </pre><p>
9687 (Note the two backslashes: the first one is required to
9688 "escape" the second one).
9689 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913427"></a>cupsaddsmb Flowchart</h3></div></div><div></div></div><a class="indexterm" name="id2913435"></a><p>
9690 Here is a chart of the procedures, command flows and
9691 data flows of the "cupsaddsmb" command. Note again: cupsaddsmb is
9692 not intended to, and does not, work with "raw" queues!
9693 </p><p>
9694 </p><div class="figure"><a name="small14"></a><p class="title"><b>Figure 19.16. cupsaddsmb flowchart</b></p><div class="mediaobject"><img src="projdoc/imagefiles/14small.png" width="270" alt="cupsaddsmb flowchart"></div></div><p>
9695 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913497"></a>Installing the PostScript Driver on a Client</h3></div></div><div></div></div><a class="indexterm" name="id2913504"></a><p>
9696 After cupsaddsmb has completed, your driver is prepared for the clients to
9697 use. Here are the steps you must perform to download and install it
9698 via "Point'n'Print". From a Windows client, browse to the CUPS/Samba
9699 server:
9700 </p><div class="itemizedlist"><a class="indexterm" name="id2913522"></a><ul type="disc"><li><p>open the <span class="emphasis"><em>Printers</em></span>
9701 share of Samba in Network Neighbourhood;</p></li><li><p>right-click on the printer in
9702 question;</p></li><li><p>from the opening context-menu select
9703 <span class="emphasis"><em>Install...</em></span> or
9704 <span class="emphasis"><em>Connect...</em></span> (depending on the Windows version you
9705 use).</p></li></ul></div><p>
9706 After a few seconds, there should be a new printer in your
9707 client's <span class="emphasis"><em>local</em></span> "Printers" folder: On Windows
9708 XP it will follow a naming convention of <span class="emphasis"><em>PrinterName on
9709 SambaServer</em></span>. (In my current case it is "infotec_2105 on
9710 kde-bitshop"). If you want to test it and send your first job from
9711 an application like Winword, the new printer will appear as a
9712 <tt class="filename">\\SambaServer\PrinterName</tt> entry in the
9713 dropdown list of available printers.
9714 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
9715 <a class="indexterm" name="id2913594"></a>
9716 cupsaddsmb will only reliably work with CUPS version 1.1.15 or higher
9717 and Samba from 2.2.4. If it doesn't work, or if the automatic printer
9718 driver download to the clients doesn't succeed, you can still manually
9719 install the CUPS printer PPD on top of the Adobe PostScript driver on
9720 clients. Then point the client's printer queue to the Samba printer
9721 share for a UNC type of connection:
9722 </p></div><pre class="screen">
9723 <tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>net use lpt1: \\sambaserver\printershare /user:ntadmin</tt></b>
9724 </pre><p>
9725 should you desire to use the CUPS networked PostScript RIP
9726 functions. (Note that the user "ntadmin" needs to be a valid Samba user
9727 with the required privileges to access the printer share.) This would
9728 set up the printer connection in the traditional
9729 <span class="emphasis"><em>LanMan</em></span> way (not using MS-RPC).
9730 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913646"></a>Avoiding critical PostScript Driver Settings on the
9731 Client</h3></div></div><div></div></div><p>
9732 Soooo: printing works, but there are still problems. Most jobs print
9733 well, some don't print at all. Some jobs have problems with fonts,
9734 which don't look very good. Some jobs print fast, and some are
9735 dead-slow. Many of these problems can be greatly reduced or even
9736 completely eliminated if you follow a few guidelines. Remember, if
9737 your print device is not PostScript-enabled, you are feeding the
9738 Ghostscript installation on your CUPS host with the output your client
9739 driver settings produce. Treat it well:
9740 </p><div class="itemizedlist"><ul type="disc"><li><p>Avoid the <span class="emphasis"><em>PostScript Output Option: Optimize
9741 for Speed</em></span> setting. Use <span class="emphasis"><em>Optimize for
9742 Portability</em></span> instead (Adobe PostScript
9743 driver).</p></li><li><p>Don't use the <span class="emphasis"><em>Page Independence:
9744 NO</em></span> setting. Instead use <span class="emphasis"><em>Page Independence
9745 YES</em></span> (CUPS PostScript Driver)</p></li><li><p>Recommended is the <span class="emphasis"><em>True Type Font
9746 Downloading Option: Native True Type</em></span> over
9747 <span class="emphasis"><em>Automatic</em></span> and <span class="emphasis"><em>Outline</em></span>; you
9748 should by all means avoid <span class="emphasis"><em>Bitmap</em></span> (Adobe
9749 PostScript Driver)</p></li><li><p>Choose <span class="emphasis"><em>True Type Font: Download as Softfont
9750 into Printer</em></span> over the default <span class="emphasis"><em>Replace by Device
9751 Font</em></span> (for exotic fonts you may need to change it back to
9752 get a printout at all) (Adobe)</p></li><li><p>Sometimes you can choose <span class="emphasis"><em>PostScript Language
9753 Level</em></span>: in case of problems try <span class="emphasis"><em>2</em></span>
9754 instead of <span class="emphasis"><em>3</em></span> (the latest ESP Ghostscript package
9755 handles Level 3 PostScript very well) (Adobe).</p></li><li><p>Say <span class="emphasis"><em>Yes</em></span> to <span class="emphasis"><em>PostScript
9756 Error Handler</em></span> (Adobe)</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2913780"></a>Installing PostScript Driver Files manually (using
9757 rpcclient)</h2></div></div><div></div></div><p>
9758 Of course you can run all the commands which are embedded into the
9759 cupsaddsmb convenience utility yourself, one by one, and thereby upload
9760 and prepare the driver files for future client downloads.
9761 </p><div class="orderedlist"><ol type="1"><li><p>prepare Samba (a CUPS printqueue with the name of the
9762 printer should be there. We are providing the driver
9763 now);</p></li><li><p>copy all files to
9764 <i class="parameter"><tt>[print$]</tt></i></p></li><li><p>
9765 <a class="indexterm" name="id2913829"></a>
9766 run <b class="command">rpcclient adddriver</b>
9767 (for each client architecture you want to support):</p></li><li><p>
9768 <a class="indexterm" name="id2913853"></a>
9769 run <b class="command">rpcclient
9770 setdriver.</b></p></li></ol></div><p>
9771 <a class="indexterm" name="id2913875"></a>
9772 <a class="indexterm" name="id2913886"></a>
9773 <a class="indexterm" name="id2913897"></a>
9774 <a class="indexterm" name="id2913908"></a>
9775 <a class="indexterm" name="id2913919"></a>
9776 We are going to do this now. First, read the man page on "rpcclient"
9777 to get a first idea. Look at all the printing related
9778 sub-commands. <b class="command">enumprinters</b>,
9779 <b class="command">enumdrivers</b>, <b class="command">enumports</b>,
9780 <b class="command">adddriver</b>, <b class="command">setdriver</b> are amongst
9781 the most interesting ones. rpcclient implements an important part of
9782 the MS-RPC protocol. You can use it to query (and command) a Win NT
9783 (or 2K/XP) PC too. MS-RPC is used by Windows clients, amongst other
9784 things, to benefit from the "Point'n'Print" features. Samba can now
9785 mimic this too.
9786 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913973"></a>A Check of the rpcclient man Page</h3></div></div><div></div></div><p>
9787 First let's have a little check of the rpcclient man page. Here are
9788 two relevant passages:
9789 </p><p>
9790 <b class="command">adddriver &lt;arch&gt; &lt;config&gt;</b> Execute an
9791 AddPrinterDriver() RPC to install the printer driver information on
9792 the server. Note that the driver files should already exist in the
9793 directory returned by <b class="command">getdriverdir</b>. Possible
9794 values for <i class="parameter"><tt>arch</tt></i> are the same as those for the
9795 <b class="command">getdriverdir</b> command. The
9796 <i class="parameter"><tt>config</tt></i> parameter is defined as follows:
9797 </p><pre class="screen">
9798 Long Printer Name:\
9799 Driver File Name:\
9800 Data File Name:\
9801 Config File Name:\
9802 Help File Name:\
9803 Language Monitor Name:\
9804 Default Data Type:\
9805 Comma Separated list of Files
9806 </pre><p>Any empty fields should be entered as the string "NULL". </p><p>Samba does not need to support the concept of Print Monitors
9807 since these only apply to local printers whose driver can make use of
9808 a bi-directional link for communication. This field should be "NULL".
9809 On a remote NT print server, the Print Monitor for a driver must
9810 already be installed prior to adding the driver or else the RPC will
9811 fail.
9812 </p><p>
9813 <b class="command">setdriver &lt;printername&gt; &lt;drivername&gt;</b>
9814 Execute a <b class="command">SetPrinter()</b> command to update the
9815 printer driver associated with an installed printer. The printer
9816 driver must already be correctly installed on the print server.
9817 </p><p> See also the enumprinters and enumdrivers commands for
9818 obtaining a list of installed printers and drivers.
9819 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2914086"></a>Understanding the rpcclient man page</h3></div></div><div></div></div><p>
9820 The <span class="emphasis"><em>exact</em></span> format isn't made too clear by the man
9821 page, since you have to deal with some parameters containing
9822 spaces. Here is a better description for it. We have line-broken the
9823 command and indicated the breaks with "\". Usually you would type the
9824 command in one line without the linebreaks:
9825 </p><a class="indexterm" name="id2914109"></a><pre class="screen">
9826 adddriver "Architecture" \
9827 "LongPrinterName:DriverFile:DataFile:ConfigFile:HelpFile:\
9828 LanguageMonitorFile:DataType:ListOfFiles,Comma-separated"
9829 </pre><p>
9830 What the man page denotes as a simple &lt;config&gt;
9831 keyword does in reality consist of 8 colon-separated fields. The
9832 last field may take multiple entries (in some, very insane, cases, even
9833 20 different additional files). This might sound confusing at first.
9834 Note that what the man page names the "LongPrinterName" in
9835 reality should rather be called the "Driver Name". You can name it
9836 anything you want, as long as you use this name later in the
9837 <span class="emphasis"><em>rpcclient ... setdriver</em></span> command. For
9838 practical reasons, many name the driver the same as the
9839 printer.
9840 </p><p>
9841 True: it isn't simple at all. I hear you asking:
9842 <span class="emphasis"><em>How do I know which files are "Driver
9843 File", "Data File", "Config File", "Help File" and "Language
9844 Monitor File" in each case?</em></span> -- For an answer you may
9845 want to have a look at how a Windows NT box with a shared printer
9846 presents the files to us. Remember that this whole procedure had
9847 to be developed by the Samba Team by observing the traffic caused
9848 by Windows computers on the wire. We may as well turn to a Windows
9849 box now, and access it from a UNIX workstation. We will query it
9850 with <b class="command">rpcclient</b> to see what it tells us and
9851 try to understand more clearly the man page which we've just
9852 read.
9853 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2914186"></a>Producing an Example by querying a Windows Box</h3></div></div><div></div></div><p>
9854 <a class="indexterm" name="id2914198"></a>
9855 <a class="indexterm" name="id2914209"></a>
9856 We could run <b class="command">rpcclient</b> with a
9857 <b class="command">getdriver</b> or a <b class="command">getprinter</b>
9858 subcommand (in level 3 verbosity) against it. Just sit down at a UNIX or
9859 Linux workstation with the Samba utilities installed. Then type the
9860 following command:
9861 </p><pre class="screen">
9862 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U'USERNAME%PASSWORD' NT-SERVER-NAME -c 'getdriver printername 3'</tt></b>
9863 </pre><p>
9864 From the result it should become clear which is which. Here is an
9865 example from my installation:
9866 </p><a class="indexterm" name="id2914272"></a><pre class="screen">
9867 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U'Danka%xxxx' W2KSERVER \
9868 -c'getdriver "DANKA InfoStream Virtual Printer" 3'</tt></b>
9869 cmd = getdriver "DANKA InfoStream Virtual Printer" 3
9871 [Windows NT x86]
9872 Printer Driver Info 3:
9873 Version: [2]
9874 Driver Name: [DANKA InfoStream]
9875 Architecture: [Windows NT x86]
9876 Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.DLL]
9877 Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\INFOSTRM.PPD]
9878 Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRPTUI.DLL]
9879 Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.HLP]
9881 Dependentfiles: []
9882 Dependentfiles: []
9883 Dependentfiles: []
9884 Dependentfiles: []
9885 Dependentfiles: []
9886 Dependentfiles: []
9887 Dependentfiles: []
9889 Monitorname: []
9890 Defaultdatatype: []
9892 </pre><p>
9893 Some printer drivers list additional files under the label
9894 "Dependentfiles": these would go into the last field
9895 <span class="emphasis"><em>ListOfFiles,Comma-separated</em></span>. For the CUPS
9896 PostScript drivers we don't need any (nor would we for the Adobe
9897 PostScript driver): therefore the field will get a "NULL" entry.
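To turn what a Windows box reports into the eight-field config string described in the two sections above, here is an added example, not part of the Samba HOWTO or of rpcclient: POSIX shell functions that read the output of "getdriver printername 3", reduce each path to its bare file name, fill every empty field with NULL as the man page requires, join any Dependentfiles with commas, and check that the result has exactly 8 fields. The sample input is the getdriver output quoted above; the printed rpcclient invocation is only displayed, not run, and deliberately omits the user%password form, since a password on the command line is visible in ps output and in the shell history.

```sh
#!/bin/sh
# Added example, not part of the Samba HOWTO or of rpcclient. Builds the
# eight-field <config> argument for "rpcclient adddriver" from the output of
# "rpcclient -c 'getdriver <printer> 3'" against a Windows print server.

# getdriver_to_config  (reads getdriver level-3 output on stdin)
# Prints:  Name:DriverFile:DataFile:ConfigFile:HelpFile:Monitor:DataType:DependentFiles
# Paths are reduced to bare file names (the files are uploaded to [print$]
# under their own names), and empty fields become the literal string NULL.
getdriver_to_config() {
    awk -F': [[]' '
        function base(p) { sub(/.*\\/, "", p); return p }       # strip C:\...\ prefix
        function nz(s)   { return (s == "") ? "NULL" : s }      # empty -> NULL
        {
            key = $1; sub(/^[ \t]+/, "", key)
            v = $2;   sub(/\]$/, "", v)
            if      (key == "Driver Name")     name  = v
            else if (key == "Driver Path")     drv   = base(v)
            else if (key == "Datafile")        data  = base(v)
            else if (key == "Configfile")      cfg   = base(v)
            else if (key == "Helpfile")        help  = base(v)
            else if (key == "Monitorname")     mon   = v
            else if (key == "Defaultdatatype") dtype = v
            else if (key == "Dependentfiles" && v != "")
                deps = (deps == "") ? base(v) : deps "," base(v)
        }
        END {
            printf "%s:%s:%s:%s:%s:%s:%s:%s\n",
                nz(name), nz(drv), nz(data), nz(cfg), nz(help), nz(mon), nz(dtype), nz(deps)
        }'
}

# getdriver_arch: the architecture string adddriver expects as its first argument.
getdriver_arch() {
    awk -F': [[]' '$1 ~ /Architecture$/ { sub(/\]$/, "", $2); print $2; exit }'
}

# config_field_count CONFIG: adddriver needs exactly 8 colon-separated fields.
config_field_count() {
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# adddriver_cmdline ARCH CONFIG SERVER: print (do not run) the rpcclient call.
# The -U user%password form is left out on purpose: a password on the
# command line shows up in "ps" and in the shell history; -U root prompts.
adddriver_cmdline() {
    printf "rpcclient -U root %s -c 'adddriver \"%s\" \"%s\"'\n" "$3" "$1" "$2"
}

# Sample input: the getdriver output quoted in this section of the HOWTO.
sample_getdriver() {
    cat <<'EOF'
[Windows NT x86]
Printer Driver Info 3:
 Version: [2]
 Driver Name: [DANKA InfoStream]
 Architecture: [Windows NT x86]
 Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.DLL]
 Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\INFOSTRM.PPD]
 Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRPTUI.DLL]
 Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.HLP]
 Dependentfiles: []
 Monitorname: []
 Defaultdatatype: []
EOF
}

# Stand-alone demonstration: derive the config string and show the command.
demo() {
    arch=$(sample_getdriver | getdriver_arch)
    config=$(sample_getdriver | getdriver_to_config)
    echo "fields: $(config_field_count "$config")"
    adddriver_cmdline "$arch" "$config" W2KSERVER
}
demo
```

For the sample above the result is "DANKA InfoStream:PSCRIPT.DLL:INFOSTRM.PPD:PSCRPTUI.DLL:PSCRIPT.HLP:NULL:NULL:NULL"; the first field is what the man page calls the LongPrinterName and is free to rename before adddriver, as long as the same name is used later with setdriver.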
9898 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2914333"></a>What is required for adddriver and setdriver to succeed</h3></div></div><div></div></div><p>
9899 From the manpage (and from the quoted output
9900 of <span class="emphasis"><em>cupsaddsmb</em></span>, above) it becomes clear that
9901 certain conditions have to be met in order to make the manual uploading
9902 and initializing of the driver files succeed. The two rpcclient
9903 <a class="indexterm" name="id2914353"></a>
9904 subcommands (<b class="command">adddriver</b> and
9905 <b class="command">setdriver</b>) need to encounter the following
9906 pre-conditions to complete successfully:
9907 </p><div class="itemizedlist"><ul type="disc"><li><p>you are connected as <a class="indexterm" name="id2914387"></a><i class="parameter"><tt>printer admin</tt></i>, or root (note,
9908 that this is <span class="emphasis"><em>not</em></span> the "Printer Operators" group in
9909 NT, but the <span class="emphasis"><em>printer admin</em></span> group, as defined in
9910 the <i class="parameter"><tt>[global]</tt></i> section of
9911 <tt class="filename">smb.conf</tt>);</p></li><li><p>copy all required driver files to
9912 <tt class="filename">\\sambaserver\print$\w32x86</tt> and
9913 <tt class="filename">\\sambaserver\print$\win40</tt> as appropriate. They
9914 will end up in the "0" or "2" subdirectories later -- for now
9915 <span class="emphasis"><em>don't</em></span> put them there; they'll be moved there
9916 automatically by the <b class="command">adddriver</b> subcommand! (If you use
9917 "smbclient" to put the driver files into the share, note that you need
9918 to escape the "$": <b class="command">smbclient //sambaserver/print\$ -U
9919 root</b>);</p></li><li><p>the user you're connecting as must be able to write to
9920 the <i class="parameter"><tt>[print$]</tt></i> share and create
9921 subdirectories;</p></li><li><p>the printer you are going to set up for the Windows
9922 clients needs to be installed in CUPS already;</p></li><li><p>
9923 <a class="indexterm" name="id2914496"></a>
9924 <a class="indexterm" name="id2914508"></a>
9925 the CUPS printer must be known to Samba, otherwise the
9926 <b class="command">setdriver</b> subcommand fails with an
9927 NT_STATUS_UNSUCCESSFUL error. To check if the printer is known by
9928 Samba you may use the <b class="command">enumprinters</b> subcommand to
9929 rpcclient. A long-standing bug prevented a proper update of the
9930 printer list until every smbd process had received a SIGHUP or was
9931 restarted. Remember this in case you've created the CUPS printer only
9932 recently and encounter problems: try restarting
9933 Samba.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2914542"></a>Manual Driver Installation in 15 Steps</h3></div></div><div></div></div><p>
9934 We are going to install a printer driver now by manually executing all
9935 required commands. As this may seem a rather complicated process at
9936 first, we go through the procedure step by step, explaining every
9937 single action item as it comes up.
9938 </p><div class="procedure"><p class="title"><b>Procedure 19.1. Manual Driver Installation</b></p><ol type="1"><li><p class="title"><b>Install the Printer on CUPS</b></p><pre class="screen">
9939 <tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p mysmbtstprn -v socket://10.160.51.131:9100 -E -P canonIR85.ppd</tt></b>
9940 </pre><p>
9941 This installs a printer with the name <span class="emphasis"><em>mysmbtstprn</em></span>
9942 in the CUPS system. The printer is accessed via a socket
9943 (a.k.a. JetDirect or Direct TCP/IP) connection. You need to be root
9944 for this step.
9945 </p></li><li><p class="title"><b>(optional) Check if the Printer is recognized by
9946 Samba</b></p><a class="indexterm" name="id2914623"></a><pre class="screen">
9947 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'enumprinters' localhost | grep -C2 mysmbtstprn</tt></b>
9948 flags:[0x800000]
9949 name:[\\kde-bitshop\mysmbtstprn]
9950 description:[\\kde-bitshop\mysmbtstprn,,mysmbtstprn]
9951 comment:[mysmbtstprn]
9952 </pre><p>
9953 This should show the printer in the list. If not, stop and re-start
9954 the Samba daemon (smbd), or send a HUP signal: <b class="command">kill -HUP
9955 `pidof smbd`</b>. Check again. Troubleshoot and repeat until
9956 success. Note the "empty" field between the two commas in the
9957 "description" line. The driver name would appear here if there were one
9958 already. You need to know root's Samba password (as set by the
9959 <b class="command">smbpasswd</b> command) for this step and most of the
9960 following steps. Alternatively you can authenticate as one of the
9961 users from the "write list" as defined in <tt class="filename">smb.conf</tt> for
9962 <i class="parameter"><tt>[print$]</tt></i>.
9963 </p></li><li><p class="title"><b>(optional) Check if Samba knows a Driver for the
9964 Printer</b></p><a class="indexterm" name="id2914711"></a><a class="indexterm" name="id2914722"></a><pre class="screen">
9965 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \
9966 | grep driver </tt></b>
9967 drivername:[]
9969 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \
9970 | grep -C4 driv</tt></b>
9971 servername:[\\kde-bitshop]
9972 printername:[\\kde-bitshop\mysmbtstprn]
9973 sharename:[mysmbtstprn]
9974 portname:[Samba Printer Port]
9975 drivername:[]
9976 comment:[mysmbtstprn]
9977 location:[]
9978 sepfile:[]
9979 printprocessor:[winprint]
9981 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost</tt></b>
9982 result was WERR_UNKNOWN_PRINTER_DRIVER
9984 </pre><p>
9985 None of the three commands shown above should show a driver.
9986 This step was done for the purpose of demonstrating this condition. An
9987 attempt to connect to the printer at this stage will prompt a
9988 message along the lines of: "The server has not the required printer
9989 driver installed".
9990 </p></li><li><p class="title"><b>Put all required Driver Files into Samba's
9991 [print$]</b></p><pre class="screen">
9992 <tt class="prompt">root# </tt><b class="userinput"><tt>smbclient //localhost/print\$ -U 'root%xxxx' \
9993 -c 'cd W32X86; \
9994 put /etc/cups/ppd/mysmbtstprn.ppd mysmbtstprn.PPD; \
9995 put /usr/share/cups/drivers/cupsui.dll cupsui.dll; \
9996 put /usr/share/cups/drivers/cupsdrvr.dll cupsdrvr.dll; \
9997 put /usr/share/cups/drivers/cups.hlp cups.hlp'</tt></b>
9998 </pre><p>
9999 (Note that this command should be entered in one long single
10000 line. Line-breaks and the line-end indicating "\" have been inserted
10001 for readability reasons.) This step is <span class="emphasis"><em>required</em></span>
10002 for the next one to succeed. It makes the driver files physically
10003 present in the <i class="parameter"><tt>[print$]</tt></i> share. However, clients
10004 would still not be able to install them, because Samba does not yet
10005 treat them as driver files. A client asking for the driver would still
10006 be presented with a "not installed here" message.
10007 </p></li><li><p class="title"><b>Verify where the Driver Files are now</b></p><pre class="screen">
10008 <tt class="prompt">root# </tt><b class="userinput"><tt>ls -l /etc/samba/drivers/W32X86/</tt></b>
10009 total 669
10010 drwxr-sr-x 2 root ntadmin 532 May 25 23:08 2
10011 drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3
10012 -rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp
10013 -rwxr--r-- 1 root ntadmin 278380 May 25 23:21 cupsdrvr.dll
10014 -rwxr--r-- 1 root ntadmin 215848 May 25 23:21 cupsui.dll
10015 -rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD
10016 </pre><p>
10017 The driver files now are in the W32X86 architecture "root" of
10018 <i class="parameter"><tt>[print$]</tt></i>.
10019 </p></li><li><p class="title"><b>Tell Samba that these are
10020 <span class="emphasis"><em>Driver</em></span> Files
10021 (<b class="command">adddriver</b>)</b></p><a class="indexterm" name="id2914932"></a><pre class="screen">
10022 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx \
10023 -c 'adddriver "Windows NT x86" "mydrivername:cupsdrvr.dll:mysmbtstprn.PPD:cupsui.dll:cups.hlp:NULL:RAW:NULL"' localhost</tt></b>
10026 Printer Driver mydrivername successfully installed.
10027 </pre><p>
10028 Note that you cannot repeat this step if it fails. It could fail even
10029 as a result of a simple typo. It will most likely have moved a part of
10030 the driver files into the "2" subdirectory. If this step fails, you
10031 need to go back to the fourth step and repeat it, before you can try
10032 this one again. In this step you need to choose a name for your
10033 driver. It is normally a good idea to use the same name as is used for
10034 the printername; however, in big installations you may use this driver
10035 for a number of printers which have obviously different names. So the
10036 name of the driver is not fixed.
10037 </p></li><li><p class="title"><b>Verify where the Driver Files are now</b></p><pre class="screen">
10038 <tt class="prompt">root# </tt><b class="userinput"><tt>ls -l /etc/samba/drivers/W32X86/</tt></b>
10039 total 1
10040 drwxr-sr-x 2 root ntadmin 532 May 25 23:22 2
10041 drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3
10043 <tt class="prompt">root# </tt><b class="userinput"><tt>ls -l /etc/samba/drivers/W32X86/2</tt></b>
10044 total 5039
10045 [....]
10046 -rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp
10047 -rwxr--r-- 1 root ntadmin 278380 May 13 13:53 cupsdrvr.dll
10048 -rwxr--r-- 1 root ntadmin 215848 May 13 13:53 cupsui.dll
10049 -rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD
10050 </pre><p>
10051 Notice how step 6 also moved the driver files to the appropriate
10052 subdirectory. Compare with the situation after step 5.
10053 </p></li><li><p class="title"><b>(optional) Verify if Samba now recognizes the
10054 Driver</b></p><a class="indexterm" name="id2915053"></a><pre class="screen">
10055 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'enumdrivers 3' localhost \
10056 | grep -B2 -A5 mydrivername</tt></b>
10057 Printer Driver Info 3:
10058 Version: [2]
10059 Driver Name: [mydrivername]
10060 Architecture: [Windows NT x86]
10061 Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll]
10062 Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD]
10063 Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll]
10064 Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp]
10065 </pre><p>
10066 Remember, this command greps for the name you chose for the
10067 driver in step 6. This command must succeed before you can proceed.
10068 </p></li><li><p class="title"><b>Tell Samba which Printer should use these Driver
10069 Files (<b class="command">setdriver</b>)</b></p><a class="indexterm" name="id2915118"></a><pre class="screen">
10070 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'setdriver mysmbtstprn mydrivername' localhost</tt></b>
10071 Successfully set mysmbtstprn to driver mydrivername
10072 </pre><p>
10073 Since you can bind any printername (=printqueue) to any driver, this
10074 is a very convenient way to set up many queues which use the same
10075 driver. You don't need to repeat all the previous steps for the
10076 setdriver command to succeed. The only pre-conditions are:
10077 <b class="command">enumdrivers</b> must find the driver and
10078 <b class="command">enumprinters</b> must find the printer.
10079 </p></li><li><p class="title"><b>(optional) Verify if Samba has this Association
10080 recognized</b></p><a class="indexterm" name="id2915186"></a><a class="indexterm" name="id2915197"></a><a class="indexterm" name="id2915208"></a><pre class="screen">
10081 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \
10082 | grep driver</tt></b>
10083 drivername:[mydrivername]
10085 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \
10086 | grep -C4 driv</tt></b>
10087 servername:[\\kde-bitshop]
10088 printername:[\\kde-bitshop\mysmbtstprn]
10089 sharename:[mysmbtstprn]
10090 portname:[Done]
10091 drivername:[mydrivername]
10092 comment:[mysmbtstprn]
10093 location:[]
10094 sepfile:[]
10095 printprocessor:[winprint]
10097 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost</tt></b>
10098 [Windows NT x86]
10099 Printer Driver Info 3:
10100 Version: [2]
10101 Driver Name: [mydrivername]
10102 Architecture: [Windows NT x86]
10103 Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll]
10104 Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD]
10105 Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll]
10106 Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp]
10107 Monitorname: []
10108 Defaultdatatype: [RAW]
10109 Monitorname: []
10110 Defaultdatatype: [RAW]
10112 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'enumprinters' localhost | grep mysmbtstprn</tt></b>
10113 name:[\\kde-bitshop\mysmbtstprn]
10114 description:[\\kde-bitshop\mysmbtstprn,mydrivername,mysmbtstprn]
10115 comment:[mysmbtstprn]
10117 </pre><p>
10118 <a class="indexterm" name="id2915300"></a>
10119 Compare these results with the ones from steps 2 and 3. Note that
10120 every single one of these commands shows the driver is installed. Even
10121 the <b class="command">enumprinters</b> command now lists the driver
10122 on the "description" line.
10123 </p></li><li><p class="title"><b>(optional) Tickle the Driver into a correct
10124 Device Mode</b></p><p>
10125 <a class="indexterm" name="id2915338"></a>
10126 You certainly know how to install the driver on the client. In case
10127 you are not particularly familiar with Windows, here is a short
10128 recipe: browse the Network Neighbourhood, go to the Samba server, look
10129 for the shares. You should see all shared Samba printers.
10130 Double-click on the one in question. The driver should get
10131 installed, and the network connection set up. An alternative way is to
10132 open the "Printers (and Faxes)" folder, right-click on the printer in
10133 question and select "Connect" or "Install". As a result, a new printer
10134 should have appeared in your client's local "Printers (and Faxes)"
10135 folder, named something like "printersharename on Sambahostname".
10136 </p><p>
10137 It is important that you execute this step as a Samba printer admin
10138 (as defined in <tt class="filename">smb.conf</tt>). Here is another method
10139 to do this on Windows XP. It uses a commandline, which you may type
10140 into the "DOS box" (type root's Samba password when prompted):
10141 </p><pre class="screen">
10142 <tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry /in /n\
10143 \\sambacupsserver\mysmbtstprn"</tt></b>
10144 </pre><p>
10145 Change any printer setting once (like changing <span class="emphasis"><em>"portrait" to
10146 "landscape"</em></span>), click <span class="guibutton">Apply</span>; change the setting
10147 back.
10148 </p></li><li><p class="title"><b>Install the Printer on a Client
10149 ("Point'n'Print")</b></p><a class="indexterm" name="id2915426"></a><pre class="screen">
10150 <tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /in /n "\\sambacupsserver\mysmbtstprn"</tt></b>
10151 </pre><p>
10152 If it doesn't work it could be a permission problem with the
10153 <i class="parameter"><tt>[print$]</tt></i> share.
10154 </p></li><li><p class="title"><b>Thirteenth Step (optional): Print a Test Page</b></p><pre class="screen">
10155 <tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /p /n "\\sambacupsserver\mysmbtstprn"</tt></b>
10156 </pre><p>
10157 Then hit [TAB] 5 times, [ENTER] twice, [TAB] once and [ENTER] again
10158 and march to the printer.
10159 </p></li><li><p class="title"><b>Fourteenth Step (recommended): Study the Test Page</b></p><p>
10160 Hmmm.... just kidding! By now you know everything about printer
10161 installations and you don't need to read a word. Just put it in a
10162 frame and bolt it to the wall with the heading "MY FIRST
10163 RPCCLIENT-INSTALLED PRINTER" - why not just throw it away!
10164 </p></li><li><p class="title"><b>Fifteenth Step (obligatory): Enjoy. Jump. Celebrate your
10165 Success</b></p><pre class="screen">
10166 <tt class="prompt">root# </tt><b class="userinput"><tt>echo "Cheeeeerioooooo! Success..." &gt;&gt; /var/log/samba/log.smbd</tt></b>
10167 </pre></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2915566"></a>Troubleshooting revisited</h3></div></div><div></div></div><p>
10168 The setdriver command fails if, as far as Samba is concerned, the queue is not
10169 there yet. Did you get promising messages like this one:
10170 </p><pre class="screen">
10172 Printer Driver ABC successfully installed.
10174 </pre><p>
10175 after the "adddriver" parts of the procedure, but also a disappointing
10176 message like this one beneath it?
10177 </p><pre class="screen">
10179 result was NT_STATUS_UNSUCCESSFUL
10181 </pre><p>
10182 <a class="indexterm" name="id2915607"></a>
10183 It is not good enough that you can see the queue <span class="emphasis"><em>in CUPS</em></span>
10184 with the <b class="command">lpstat -p ir85wm</b> command. A bug in
10185 most recent versions of Samba prevents the proper update of the
10186 queue list: newly installed CUPS printers are not recognized until
10187 you restart Samba or send a HUP signal to all smbd processes. To verify
10188 whether this is the reason why Samba does not execute the setdriver
10189 command successfully, check whether Samba "sees" the printer:
10192 </p><a class="indexterm" name="id2915634"></a><pre class="screen">
10193 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient transmeta -N -U'root%secret' -c 'enumprinters 0'| grep ir85wm</tt></b>
10194 printername:[ir85wm]
10195 </pre><p>
10196 An alternative command could be this:
10197 </p><a class="indexterm" name="id2915673"></a><pre class="screen">
10198 <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient transmeta -N -U'root%secret' -c 'getprinter ir85wm' </tt></b>
10199 cmd = getprinter ir85wm
10200 flags:[0x800000]
10201 name:[\\transmeta\ir85wm]
10202 description:[\\transmeta\ir85wm,ir85wm,DPD]
10203 comment:[CUPS PostScript-Treiber for WinNT/2K/XP]
10204 </pre><p>
10205 BTW, you can use these commands, plus a few more, of course,
10206 to install drivers on remote Windows NT print servers too!
10207 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2915718"></a>The printing <tt class="filename">*.tdb</tt> Files</h2></div></div><div></div></div><p>
10208 <a class="indexterm" name="id2915734"></a>
10209 <a class="indexterm" name="id2915743"></a>
10210 <a class="indexterm" name="id2915754"></a>
10211 <a class="indexterm" name="id2915765"></a>
10212 <a class="indexterm" name="id2915776"></a>
10213 <a class="indexterm" name="id2915788"></a>
10214 <a class="indexterm" name="id2915799"></a>
10215 <a class="indexterm" name="id2915810"></a>
10216 <a class="indexterm" name="id2915821"></a>
10217 <a class="indexterm" name="id2915832"></a>
10218 <a class="indexterm" name="id2915843"></a>
10219 <a class="indexterm" name="id2915854"></a>
10220 <a class="indexterm" name="id2915866"></a>
10221 Some mystery is associated with the series of files with a
10222 tdb-suffix appearing in every Samba installation. They are
10223 <tt class="filename">connections.tdb</tt>,
10224 <tt class="filename">printing.tdb</tt>,
10225 <tt class="filename">share_info.tdb</tt>,
10226 <tt class="filename">ntdrivers.tdb</tt>,
10227 <tt class="filename">unexpected.tdb</tt>,
10228 <tt class="filename">brlock.tdb</tt>,
10229 <tt class="filename">locking.tdb</tt>,
10230 <tt class="filename">ntforms.tdb</tt>,
10231 <tt class="filename">messages.tdb</tt>,
10232 <tt class="filename">ntprinters.tdb</tt>,
10233 <tt class="filename">sessionid.tdb</tt> and
10234 <tt class="filename">secrets.tdb</tt>. What is their purpose?
10235 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2915962"></a>Trivial DataBase Files</h3></div></div><div></div></div><a class="indexterm" name="id2915970"></a><p>
10236 A Windows NT (Print) Server keeps track of all information needed to serve
10237 its clients by storing entries in the Windows "Registry". Client
10238 queries are answered by reading from the Registry, and administrator or
10239 user configuration settings are saved by writing to it. Samba and UNIX
10240 obviously have no such Registry, so Samba keeps track of all
10241 client-related information in a series of <tt class="filename">*.tdb</tt>
10242 files instead (TDB = Trivial DataBase). These are usually located in
10243 <tt class="filename">/var/lib/samba/</tt> or
10244 <tt class="filename">/var/lock/samba/</tt>. The printing-related files
10245 are <tt class="filename">ntprinters.tdb</tt>,
10246 <tt class="filename">printing.tdb</tt>, <tt class="filename">ntforms.tdb</tt> and
10247 <tt class="filename">ntdrivers.tdb</tt>.
10248 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916041"></a>Binary Format</h3></div></div><div></div></div><p>
10249 <tt class="filename">*.tdb</tt> files are not human readable. They are
10250 written in a binary format. "Why not ASCII?", you may ask. "After all,
10251 ASCII configuration files are a good and proven tradition on UNIX."
10252 The reason for this design decision by the Samba Team is mainly
10253 performance. Samba needs to be fast; it runs a separate
10254 <b class="command">smbd</b> process for each client connection, in some
10255 environments many thousands of them. Some of these smbds may need
10256 write access to the same <tt class="filename">*.tdb</tt> file <span class="emphasis"><em>at the
10257 same time</em></span>. The file format of Samba's
10258 <tt class="filename">*.tdb</tt> files allows for this: many smbd
10259 processes may write to the same <tt class="filename">*.tdb</tt> file at the
10260 same time, which would not be possible with plain ASCII files.
10261 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916103"></a>Losing <tt class="filename">*.tdb</tt> Files</h3></div></div><div></div></div><p>
10262 It is very important that all <tt class="filename">*.tdb</tt> files remain
10263 consistent across all write and read accesses. However, it may happen
10264 that these files <span class="emphasis"><em>do</em></span> get corrupted (a
10265 <b class="command">kill -9 `pidof smbd`</b> while a write access is in
10266 progress can do the damage, as can a power interruption,
10267 etc.). In cases of trouble, deleting the old printing-related
10268 <tt class="filename">*.tdb</tt> files may be the only option. You then need to
10269 re-create the whole print-related setup, unless you made a
10270 backup of the <tt class="filename">*.tdb</tt> files in time.
10271 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916162"></a>Using <span class="emphasis"><em>tdbbackup</em></span></h3></div></div><div></div></div><a class="indexterm" name="id2916172"></a><a class="indexterm" name="id2916186"></a><p>
10272 Samba ships with a little utility which helps the root user of your
10273 system to back up your <tt class="filename">*.tdb</tt> files. If you run it
10274 with no argument, it prints a little usage message:
10275 </p><pre class="screen">
10276 <tt class="prompt">root# </tt><b class="userinput"><tt>tdbbackup</tt></b>
10277 Usage: tdbbackup [options] &lt;fname...&gt;
10279 Version:3.0a
10280 -h this help message
10281 -s suffix set the backup suffix
10282 -v verify mode (restore if corrupt)
10284 </pre><p>
10285 Here is how I backed up my printing.tdb file:
10286 </p><pre class="screen">
10287 <tt class="prompt">root# </tt><b class="userinput"><tt>ls</tt></b>
10288 . browse.dat locking.tdb ntdrivers.tdb printing.tdb
10289 .. share_info.tdb connections.tdb messages.tdb ntforms.tdb
10290 printing.tdbkp unexpected.tdb brlock.tdb gmon.out namelist.debug
10291 ntprinters.tdb sessionid.tdb
10293 <tt class="prompt">root# </tt><b class="userinput"><tt>tdbbackup -s .bak printing.tdb</tt></b>
10294 printing.tdb : 135 records
10296 <tt class="prompt">root# </tt><b class="userinput"><tt>ls -l printing.tdb*</tt></b>
10297 -rw------- 1 root root 40960 May 2 03:44 printing.tdb
10298 -rw------- 1 root root 40960 May 2 03:44 printing.tdb.bak
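</pre><p>
The same backup scripted for all four printing-related files, followed by a sanity check on the result, as an added example that is not part of this HOWTO or of Samba itself. It assumes tdbbackup is on the PATH, a standard ls -l mode column, and that the tdb directory is passed as an argument; the check only confirms that each file and its backup exist, start with the TDB magic string, and are mode 0600 as in the listing above.
</p>

```sh
#!/bin/sh
# Added example (not from the Samba HOWTO or the Samba sources): back up the
# printing-related *.tdb files with tdbbackup and sanity-check the result.
# Assumes tdbbackup is on PATH and that ls -l prints a Unix mode column.

PRINTING_TDBS="ntprinters.tdb printing.tdb ntforms.tdb ntdrivers.tdb"
SUFFIX=".bak"

# Run "tdbbackup -s .bak" over every printing-related tdb present in $1,
# as the text does by hand for printing.tdb. Stops at the first failure.
backup_printing_tdbs() {
    dir=$1
    for f in $PRINTING_TDBS; do
        if [ -f "$dir/$f" ]; then
            tdbbackup -s "$SUFFIX" "$dir/$f" || return 1
        fi
    done
    return 0
}

# Check one file: it must exist, start with the 8 characters "TDB file"
# (the beginning of the magic string every TDB file carries) and be mode
# 0600, i.e. readable by its owner only, as the -rw------- listing above
# shows for both the tdb and its backup. Prints the reason on failure.
check_tdb_file() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "missing: $file"; return 1
    fi
    if [ "$(head -c 8 "$file")" != "TDB file" ]; then
        echo "not a TDB file (bad magic): $file"; return 1
    fi
    if [ "$(ls -l "$file" | cut -c1-10)" != "-rw-------" ]; then
        echo "mode is not 0600: $file"; return 1
    fi
    return 0
}

# Check every printing-related tdb found in $1 together with its backup.
# Returns 0 only if all of them pass.
verify_printing_tdbs() {
    dir=$1
    failed=0
    for f in $PRINTING_TDBS; do
        if [ -f "$dir/$f" ]; then
            check_tdb_file "$dir/$f" || failed=$((failed + 1))
            check_tdb_file "$dir/$f$SUFFIX" || failed=$((failed + 1))
        fi
    done
    echo "$failed file(s) failed the check in $dir"
    [ "$failed" -eq 0 ]
}

# Stand-alone use: tdb-backup.sh /var/lib/samba (or /var/lock/samba)
if [ $# -eq 1 ]; then
    if backup_printing_tdbs "$1"; then
        verify_printing_tdbs "$1"
    fi
fi
```
<pre class="screen">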
10300 </pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2916297"></a>CUPS Print Drivers from Linuxprinting.org</h2></div></div><div></div></div><a class="indexterm" name="id2916305"></a><p>
10301 CUPS ships with good support for HP LaserJet type printers. You can
10302 install the generic driver as follows:
10303 </p><a class="indexterm" name="id2916320"></a><pre class="screen">
10304 <tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -m laserjet.ppd</tt></b>
10305 </pre><p>
10306 The <tt class="option">-m</tt> switch will retrieve the
10307 <tt class="filename">laserjet.ppd</tt> from the standard repository for
10308 not-yet-installed-PPDs, which CUPS typically stores in
10309 <tt class="filename">/usr/share/cups/model</tt>. Alternatively, you may use
10310 <tt class="option">-P /path/to/your.ppd</tt>.
10311 </p><p>
10312 The generic laserjet.ppd, however, does not support every special option
10313 of every LaserJet-compatible model. It constitutes a sort of "least common
10314 denominator" of all the models. If paying for the commercially available
10315 ESP Print Pro drivers is ruled out for you, your
10316 first move should be to consult the database on <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">http://www.linuxprinting.org/printer_list.cgi</a>.
10317 Linuxprinting.org has excellent recommendations about which driver is
10318 best used for each printer. Its database is kept current by the
10319 tireless work of Till Kamppeter from MandrakeSoft, who is also the
10320 principal author of the foomatic-rip utility.
10321 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
10322 <a class="indexterm" name="id2916407"></a>
10323 The former "cupsomatic" concept has now been replaced by the new, much
10324 more powerful "foomatic-rip". foomatic-rip is the successor of
10325 cupsomatic; cupsomatic is no longer maintained. Here is the new URL
10326 of the Foomatic-3.0 database: <a href="http://www.linuxprinting.org/driver_list.cgi" target="_top">http://www.linuxprinting.org/driver_list.cgi</a>.
10327 If you upgrade to foomatic-rip, don't forget to also upgrade to the
10328 new-style PPDs for your foomatic-driven printers. foomatic-rip will
10329 not work with PPDs generated for the old cupsomatic. The new-style
10330 PPDs are 100% compliant with the Adobe PPD specification. They are
10331 also intended to be used by Samba and the cupsaddsmb utility to
10332 provide the driver files for the Windows clients!
10333 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916436"></a>foomatic-rip and Foomatic explained</h3></div></div><div></div></div><a class="indexterm" name="id2916444"></a><a class="indexterm" name="id2916452"></a><p>
10334 Nowadays most Linux distros rely on the utilities of Linuxprinting.org
10335 to create their printing-related software (which, BTW, works on all
10336 UNIXes and on Mac OS X or Darwin too). It is not as well known as it
10337 should be that it also has a very end-user friendly interface which
10338 allows for an easy update of drivers and PPDs, for all supported
10339 models, all spoolers, all operating systems and all package formats
10340 (because there is none). Its history goes back a few years.
10341 </p><p>
10342 Recently Foomatic has achieved the astonishing milestone of <a href="http://www.linuxprinting.org/printer_list.cgi?make=Anyone" target="_top">1000
10343 listed</a> printer models. Linuxprinting.org keeps all the
10344 important facts about printer drivers, supported models and which
10345 options are available for the various driver/printer combinations in
10346 its <a href="http://www.linuxprinting.org/foomatic.html" target="_top">Foomatic</a>
10347 database. Currently there are <a href="http://www.linuxprinting.org/driver_list.cgi" target="_top">245 drivers</a>
10348 in the database: many drivers support various models, and many models
10349 may be driven by different drivers; it's your choice!
10350 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916477"></a>690 "perfect" Printers</h4></div></div><div></div></div><p>
10351 At present there are 690 devices dubbed as working "perfectly", 181
10352 "mostly", 96 "partially" and 46 are "Paperweights". Keeping in mind
10353 that most of these are non-PostScript models (PostScript printers are
10354 automatically supported by CUPS to perfection, by using
10355 their own manufacturer-provided Windows PPD...), and that a
10356 multifunctional device never qualifies as working "perfectly" if it
10357 doesn't also scan and copy and fax under GNU/Linux, this is a
10358 truly astonishing achievement. Three years ago the number was not
10359 more than 500, and Linux or UNIX "printing" at the time wasn't
10360 anywhere near the quality it is today!
10361 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916531"></a>How the "Printing HOWTO" started it all</h4></div></div><div></div></div><p>
10362 A few years ago <a href="http://www2.picante.com:81/~gtaylor/" target="_top">Grant Taylor</a>
10363 started it all. The roots of today's Linuxprinting.org are in the
10364 first <a href="http://www.linuxprinting.org/foomatic2.9/howto/" target="_top">Linux Printing
10365 HOWTO</a> which he authored. As a side-project to this document,
10366 which served many Linux users and admins to guide their first steps in
10367 this complicated and delicate setup (to a scientist, printing is
10368 "applying a structured deposition of distinct patterns of ink or toner
10369 particles on paper substrates" <span class="emphasis"><em>;-)</em></span>, he started to
10370 build in a little Postgres database with information about the
10371 hardware and driver zoo that made up Linux printing of the time. This
10372 database became the core component of today's Foomatic collection of
10373 tools and data. In the meantime it has moved to an XML representation
10374 of the data.
10375 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916577"></a>Foomatic's strange Name</h4></div></div><div></div></div><a class="indexterm" name="id2916586"></a><p>
10376 "Why the funny name?", you ask. When it really took off, around spring
10377 2000, CUPS was far less popular than today, and most systems used LPD,
10378 LPRng or even PDQ to print. CUPS shipped with a few generic "drivers"
10379 (good for a few hundred different printer models). These didn't
10380 support many device-specific options. CUPS also shipped with its own
10381 built-in rasterization filter ("pstoraster", derived from
10382 Ghostscript). On the other hand, CUPS provided brilliant support for
10383 <span class="emphasis"><em>controlling</em></span> all printer options through
10384 standardized and well-defined "PPD files" (PostScript Printer
10385 Description files). Plus, CUPS was designed to be easily extensible.
10386 </p><p>
10387 Grant already had in his database a respectable compilation
10388 of facts about many more printers, and the Ghostscript "drivers"
10389 they run with. His idea, to generate PPDs from the database info
10390 and use them to make standard Ghostscript filters work within CUPS,
10391 proved to work very well. It also "killed several birds with one
10392 stone":
10393 </p><div class="itemizedlist"><ul type="disc"><li><p>It made all current and future Ghostscript filter
10394 developments available for CUPS;</p></li><li><p>It made available a lot of additional printer models
10395 to CUPS users (because often the "traditional" Ghostscript way of
10396 printing was the only one available);</p></li><li><p>It gave all the advanced CUPS options (web interface,
10397 GUI driver configurations) to users wanting (or needing) to use
10398 Ghostscript filters.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916653"></a>cupsomatic, pdqomatic, lpdomatic, directomatic</h4></div></div><div></div></div><a class="indexterm" name="id2916661"></a><a class="indexterm" name="id2916670"></a><a class="indexterm" name="id2916678"></a><p>
10399 CUPS worked through a quickly hacked-up filter script named <a href="http://www.linuxprinting.org/download.cgi?filename=cupsomatic&amp;show=0" target="_top">cupsomatic</a>.
10400 cupsomatic ran the print file through Ghostscript, automatically
10401 constructing the rather complicated command line needed. It just
10402 needed to be copied into the CUPS system to work. To
10403 "configure" the way cupsomatic controls the Ghostscript rendering
10404 process, it needs a CUPS-PPD. This PPD is generated directly from the
10405 contents of the database. For CUPS and the respective printer/filter
10406 combo another Perl script named "CUPS-O-Matic" did the PPD
10407 generation. After that was working, Grant implemented within a few
10408 days a similar thing for two other spoolers. Names chosen for the
10409 config-generator scripts were <a href="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&amp;show=0" target="_top">PDQ-O-Matic</a>
10410 (for PDQ) and <a href="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&amp;show=0" target="_top">LPD-O-Matic</a>
10411 (for - you guessed it - LPD); the configuration here didn't use PPDs
10412 but other spooler-specific files.
10413 </p><p>
10414 From late summer of that year, <a href="http://www.linuxprinting.org/till/" target="_top">Till Kamppeter</a>
10415 started to put work into the database. Till had been newly employed by
10416 <a href="http://www.mandrakesoft.com/" target="_top">MandrakeSoft</a> to
10417 convert their printing system over to CUPS, after they had seen his
10418 <a href="http://www.fltk.org/" target="_top">FLTK</a>-based <a href="http://cups.sourceforge.net/xpp/" target="_top">XPP</a> (a GUI frontend to
10419 the CUPS lp-command). He added a huge amount of new information and new
10420 printers. He also developed the support for other spoolers, like
10421 <a href="http://ppr.sourceforge.net/" target="_top">PPR</a> (via ppromatic),
10422 <a href="http://sourceforge.net/projects/lpr/" target="_top">GNUlpr</a> and
10423 <a href="http://www.lprng.org/" target="_top">LPRng</a> (both via an extended
10424 lpdomatic) and "spoolerless" printing (<a href="http://www.linuxprinting.org/download.cgi?filename=directomatic&amp;show=0" target="_top">directomatic</a>)....
10425 </p><p>
10426 So, to answer your question: "Foomatic" is the general name for all
10427 the overlapping code and data behind the "*omatic" scripts.... --
10428 Foomatic up to versions 2.0.x required (ugly) Perl data structures
10429 attached to the Linuxprinting.org PPDs for CUPS. It had a different
10430 "*omatic" script for every spooler, as well as different printer
10431 configuration files.
10432 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916817"></a>The <span class="emphasis"><em>Grand Unification</em></span>
10433 achieved...</h4></div></div><div></div></div><a class="indexterm" name="id2916829"></a><p>
10434 All this has changed with Foomatic version 2.9 (Beta), released as
10435 "stable" 3.0. It has achieved the convergence of all *omatic
10436 scripts into one, called <a href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&amp;show=0" target="_top">foomatic-rip</a>.
10437 This single script is the unification of the previously different
10438 spooler-specific *omatic scripts. foomatic-rip is used by all the
10439 different spoolers alike. Because foomatic-rip can read PPDs (both the
10440 original PostScript printer PPDs and the Linuxprinting.org-generated
10441 ones), all of a sudden all supported spoolers can have the power of
10442 PPDs at their disposal; users only need to plug "foomatic-rip" into
10443 their system.... For users there is improved media type and source
10444 support; paper sizes and trays are easier to configure.
10445 </p><p>
10446 Also, the New Generation of Linuxprinting.org PPDs doesn't contain
10447 Perl data structures any more. If you are a distro maintainer and have
10448 used the previous version of Foomatic, you may want to give the new
10449 one a spin: but don't forget to generate a new-version set of PPDs,
10450 via the new <a href="http://www.linuxprinting.org/download/foomatic/foomatic-db-engine-3.0.0beta1.tar.gz" target="_top">foomatic-db-engine</a>!
10451 Individual users just need to generate a single new PPD specific to
10452 their model by <a href="http://www.linuxprinting.org/kpfeifle/LinuxKongress2002/Tutorial/II.Foomatic-User/II.tutorial-handout-foomatic-user.html" target="_top">following
10453 the steps</a> outlined in the Foomatic tutorial or further
10454 below. This new development is truly amazing.
10455 </p><p>
10456 foomatic-rip is a very clever wrapper around the need to run
10457 Ghostscript with a different syntax, different options, different
10458 device selections and/or different filters for each different printer
10459 or different spooler. At the same time it can read the PPD associated
10460 with a print queue and modify the print job according to the user
10461 selections. Together with this comes the 100% compliance of the new
10462 Foomatic PPDs with the Adobe spec. Some really innovative features of
10463 the Foomatic concept will surprise users: it will support custom paper
10464 sizes for many printers; and it will support printing on media drawn
10465 from different paper trays within the same job (in both cases: even
10466 where there is no support for this from Windows-based vendor printer
10467 drivers).
10468 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916912"></a>Driver Development outside</h4></div></div><div></div></div><p>
10469 Most driver development itself does not happen within
10470 Linuxprinting.org. Drivers are written by independent maintainers.
10471 Linuxprinting.org just pools all the information, and stores it in its
10472 database. In addition, it also provides the Foomatic glue to integrate
10473 the many drivers into any modern (or legacy) printing system known to
10474 the world.
10475 </p><p>
10476 Speaking of the different driver development groups: most of
10477 the work is currently done in three projects. These are:
10478 </p><div class="itemizedlist"><ul type="disc"><li><p><a href="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" target="_top">Omni</a>
10479 -- a Free Software project by IBM which tries to convert their printer
10480 driver knowledge from good-ol' OS/2 times into a modern, modular,
10481 universal driver architecture for Linux/UNIX (still Beta). This
10482 currently supports 437 models.</p></li><li><p><a href="http://hpinkjet.sf.net/" target="_top">HPIJS</a> --
10483 a Free Software project by HP to provide the support for their own
10484 range of models (very mature, printing in most cases is perfect and
10485 provides true photo quality). This currently supports 369
10486 models.</p></li><li><p><a href="http://gimp-print.sf.net/" target="_top">Gimp-Print</a> -- a Free software
10487 effort, started by Michael Sweet (also lead developer for CUPS), now
10488 directed by Robert Krawitz, which has achieved an amazing level of
10489 photo print quality (many Epson users swear that its quality is
10490 better than the vendor drivers provided by Epson for the Microsoft
10491 platforms). This currently supports 522 models.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916991"></a>Forums, Downloads, Tutorials, Howtos -- also for Mac OS X and
10492 commercial UNIX</h4></div></div><div></div></div><p>
10493 Linuxprinting.org today is the one-stop "shop" to download printer
10494 drivers. Look for printer information and <a href="http://www.linuxprinting.org//kpfeifle/LinuxKongress2002/Tutorial/" target="_top">tutorials</a>
10495 or solve printing problems in its popular <a href="http://www.linuxprinting.org/newsportal/" target="_top">forums</a>. But
10496 it's not just for GNU/Linux: users and admins of <a href="http://www.linuxprinting.org/macosx/" target="_top">commercial UNIX
10497 systems</a> are also going there, and the relatively new <a href="http://www.linuxprinting.org/newsportal/thread.php3?name=linuxprinting.macosx.general" target="_top">Mac
10498 OS X forum</a> has turned out to be one of the most frequented
10499 fora after only a few weeks.
10500 </p><p>
10501 Linuxprinting.org and the Foomatic driver wrappers around Ghostscript
10502 are now a standard toolchain for printing on all the important
10503 distros. Most of them also have CUPS underneath. While in recent years
10504 most printer data had been added by Till (who works at Mandrake), many
10505 additional contributions came from engineers with SuSE, RedHat,
10506 Connectiva, Debian and others. Vendor-neutrality is an important goal
10507 of the Foomatic project.
10508 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
10509 Till Kamppeter from MandrakeSoft is doing an excellent job in his
10510 spare time to maintain Linuxprinting.org and Foomatic. So if you use
10511 it often, please send him a note showing your appreciation.
10512 </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2917064"></a>Foomatic Database generated PPDs</h4></div></div><div></div></div><p>
10513 The Foomatic database is an amazing piece of ingenuity in itself. Not
10514 only does it keep the printer and driver information, but it is
10515 organized so that it can generate "PPD" files "on the fly" from
10516 its internal XML-based datasets. While these PPDs are modelled on the
10517 Adobe specification of "PostScript Printer Descriptions" (PPDs), the
10518 Linuxprinting.org/Foomatic PPDs don't normally drive PostScript
10519 printers: they are used to describe all the bells and whistles you
10520 could ring or blow on an Epson Stylus inkjet, an HP Photosmart or
10521 what-have-you. The main "trick" is one little additional line, not
10522 envisaged by the PPD specification, starting with the "*cupsFilter"
10523 keyword: it tells the CUPS daemon how to proceed with the PostScript
10524 print file (old-style Foomatic-PPDs named the
10525 <span class="emphasis"><em>cupsomatic</em></span> filter script, while the new-style
10526 PPDs now call <span class="emphasis"><em>foomatic-rip</em></span>). This filter
10527 script calls Ghostscript on the host system (the recommended variant
10528 is ESP Ghostscript) to do the rendering work. foomatic-rip knows which
10529 filter or internal device setting it should ask from Ghostscript to
10530 convert the PostScript printjob into a raster format ready for the
10531 target device. This usage of PPDs to describe the options of non-PS
10532 printers was the invention of the CUPS developers. The rest is easy:
10533 GUI tools (like KDE's marvellous <a href="http://printing.kde.org/overview/kprinter.phtml" target="_top">"kprinter"</a>,
10534 or the GNOME <a href="http://gtklp.sourceforge.net/" target="_top">"gtklp"</a>, "xpp" and the CUPS
10535 web interface) read the PPD too and use this information to present
10536 the available settings to the user as an intuitive menu selection.
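</p><p>
An added example, not part of this HOWTO or of the Foomatic project: a small shell script that extracts the <span class="emphasis"><em>*cupsFilter</em></span> lines from a PPD and reports which filter program CUPS would run, flagging PPDs that still name the retired cupsomatic. The sample PPD fragments it writes are constructed for the demonstration; the line format it parses is the CUPS one, *cupsFilter: "source-mime-type cost program".
</p>

```sh
#!/bin/sh
# Added example (not from the Samba HOWTO or the Foomatic project): show
# which filter program the *cupsFilter lines of a PPD hand the PostScript
# job to. A *cupsFilter line is a CUPS extension to the Adobe PPD format:
#   *cupsFilter: "source-mime-type cost program"
# Old-style Foomatic PPDs name cupsomatic, new-style ones foomatic-rip.

# Print the quoted value of every *cupsFilter line in the PPD $1, one per
# line, as "mime-type cost program".
ppd_cups_filters() {
    sed -n 's/^\*cupsFilter:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Print the base name of each filter program named in the PPD $1.
ppd_filter_programs() {
    ppd_cups_filters "$1" | awk '{ n = split($NF, parts, "/"); print parts[n] }'
}

# Classify the PPD $1 by the filter it names and print one word:
#   none          no *cupsFilter line: CUPS sends PostScript to the printer
#   foomatic-rip  new-style Foomatic PPD
#   cupsomatic    old-style Foomatic PPD: regenerate it, foomatic-rip cannot use it
#   other         some other filter program; look at it before trusting the PPD
ppd_filter_kind() {
    progs=$(ppd_filter_programs "$1")
    if [ -z "$progs" ]; then
        echo none
    elif echo "$progs" | grep -qx cupsomatic; then
        echo cupsomatic
    elif echo "$progs" | grep -qx foomatic-rip; then
        echo foomatic-rip
    else
        echo other
    fi
}

# Write a constructed minimal PPD to $1 naming the filter program $2
# (an empty $2 gives a plain PostScript printer PPD without *cupsFilter).
write_sample_ppd() {
    {
        echo '*PPD-Adobe: "4.3"'
        echo '*ModelName: "HP LaserJet 4 Plus"'
        if [ -n "$2" ]; then
            echo "*cupsFilter: \"application/vnd.cups-postscript 0 $2\""
        fi
        echo '*DefaultResolution: 600dpi'
    } > "$1"
}

# Stand-alone use: ppd-filter-check.sh /etc/cups/ppd/*.ppd
for ppd in "$@"; do
    echo "$ppd: $(ppd_filter_kind "$ppd")"
done
```
<p>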
10537 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917129"></a>foomatic-rip and Foomatic-PPD Download and Installation</h3></div></div><div></div></div><p>
10538 Here are the steps to install a foomatic-rip driven "LaserJet 4 Plus"
10539 compatible printer in CUPS (note that recent distributions of SuSE,
10540 UnitedLinux and Mandrake may ship with a complete package of
10541 Foomatic-PPDs plus the foomatic-rip utility; going directly to
10542 Linuxprinting.org ensures that you get the latest driver/PPD files):
10543 </p><div class="itemizedlist"><ul type="disc"><li><p>Surf to <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">http://www.linuxprinting.org/printer_list.cgi</a>
10544 </p></li><li><p>Check the complete list of printers in the database:
10545 <a href="http://www.linuxprinting.org/printer_list.cgi?make=Anyone" target="_top">http://www.linuxprinting.org/printer_list.cgi?make=Anyone</a>
10546 </p></li><li><p>There select your model and click on the
10547 link.</p></li><li><p>You'll arrive at a page listing all drivers working
10548 with this model (for all printers, there will always be
10549 <span class="emphasis"><em>one</em></span> recommended driver. Try this one
10550 first).</p></li><li><p>In our case ("HP LaserJet 4 Plus"), we'll arrive here:
10551 <a href="http://www.linuxprinting.org/show_printer.cgi?recnum=HP-LaserJet_4_Plus" target="_top">http://www.linuxprinting.org/show_printer.cgi?recnum=HP-LaserJet_4_Plus</a>
10552 </p></li><li><p>The recommended driver is "ljet4".</p></li><li><p>There are several links provided here. You should
10553 visit them all, if you are not familiar with the Linuxprinting.org
10554 database.</p></li><li><p>There is a link to the database page for the "ljet4":
10555 <a href="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" target="_top">http://www.linuxprinting.org/show_driver.cgi?driver=ljet4</a>
10556 On the driver's page, you'll find important and detailed information
10557 about how to use that driver within the various available
10558 spoolers.</p></li><li><p>Another link may lead you to the homepage of the
10559 driver author or the driver.</p></li><li><p>Important links are the ones which provide hints with
10560 setup instructions for CUPS (<a href="http://www.linuxprinting.org/cups-doc.html" target="_top">http://www.linuxprinting.org/cups-doc.html</a>),
10561 PDQ (<a href="http://www.linuxprinting.org/pdq-doc.html" target="_top">http://www.linuxprinting.org/pdq-doc.html</a>),
10562 LPD, LPRng and GNUlpr (<a href="http://www.linuxprinting.org/lpd-doc.html" target="_top">http://www.linuxprinting.org/lpd-doc.html</a>)
10563 as well as PPR (<a href="http://www.linuxprinting.org/ppr-doc.html" target="_top">http://www.linuxprinting.org/ppr-doc.html</a>)
10564 or "spooler-less" printing (<a href="http://www.linuxprinting.org/direct-doc.html" target="_top">http://www.linuxprinting.org/direct-doc.html</a>
10565 ).</p></li><li><p>You can view the PPD in your browser through this
10566 link: <a href="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&amp;printer=HP-LaserJet_4_Plus&amp;show=1" target="_top">http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&amp;printer=HP-LaserJet_4_Plus&amp;show=1</a>
10567 </p></li><li><p>You can also (most importantly)
10568 generate and download the PPD: <a href="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&amp;printer=HP-LaserJet_4_Plus&amp;show=0" target="_top">http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&amp;printer=HP-LaserJet_4_Plus&amp;show=0</a>
10569 </p></li><li><p>The PPD contains all the information needed to use our
10570 model and the driver; this is, once installed, working transparently
10571 for the user. Later you'll only need to choose resolution, paper size
10572 etc. from the web-based menu, or from the print dialog GUI, or from
10573 the commandline.</p></li><li><p>Should you have ended up on the driver's page (<a href="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" target="_top">http://www.linuxprinting.org/show_driver.cgi?driver=ljet4</a>),
10574 you can choose to use the "PPD-O-Matic" online PPD generator
10575 program.</p></li><li><p>Select the exact model and check either "download" or
10576 "display PPD file" and click on "Generate PPD file".</p></li><li><p>If you save the PPD file from the browser view, please
10577 don't use "cut'n'paste" (since it could possibly damage line endings
10578 and tabs, which makes the PPD likely to fail its duty), but use "Save
10579 as..." in your browser's menu. (Best is to use the "download" option
10580 from the web page directly).</p></li><li><p>Another very interesting part on each driver page is
10581 the <span class="emphasis"><em>Show execution details</em></span> button. If you
10582 select your printer model and click that button, you will get
10583 displayed a complete Ghostscript command line, enumerating all options
10584 available for that driver/printermodel combo. This is a great way to
10585 "Learn Ghostscript By Doing". It is also an excellent "cheat sheet"
10586 for all experienced users who need to re-construct a good command line
10587 for that damn printing script, but can't remember the exact
10588 syntax. ;-)</p></li><li><p>Some time during your visit to Linuxprinting.org, save
10589 the PPD to a suitable place on your harddisk, say
10590 <tt class="filename">/path/to/my-printer.ppd</tt> (if you prefer to install
10591 your printers with the help of the CUPS web interface, save the PPD to
10592 the <tt class="filename">/usr/share/cups/model/</tt> path and re-start
10593 cupsd).</p></li><li><p>Then install the printer with a suitable commandline,
10594 e.g.:
10595 </p><pre class="screen">
10596 <tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -P /path/to/my-printer.ppd</tt></b>
10597 </pre></li><li><p>Note again this: for all the new-style "Foomatic-PPDs"
10598 from Linuxprinting.org, you also need a special "CUPS filter" named
10599 "foomatic-rip". Get the latest version of "foomatic-rip" from: <a href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&amp;show=0" target="_top">http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&amp;show=0</a>
10600 </p></li><li><p>The foomatic-rip Perlscript itself also makes some
10601 interesting reading (<a href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&amp;show=1" target="_top">http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&amp;show=1</a>),
10602 because it is very well documented by Till's inline comments (even
10603 non-Perl hackers will learn quite a bit about printing by reading
10604 it... ;-)</p></li><li><p>Save foomatic-rip either directly in
10605 <tt class="filename">/usr/lib/cups/filter/foomatic-rip</tt> or somewhere in
10606 your $PATH (and don't forget to make it world-executable). Again,
10607 don't save by "copy'n'paste" but use the appropriate link, or the
10608 "Save as..." menu item in your browser.</p></li><li><p>If you save foomatic-rip in your $PATH, create a symlink:
10609 <b class="command">cd /usr/lib/cups/filter/ ; ln -s `which
10610 foomatic-rip`</b>. For CUPS to discover this new
10611 available filter at startup, you need to re-start
10612 cupsd.</p></li></ul></div><p>
10613 Once you print to a printqueue set up with the Foomatic-PPD, CUPS will
10614 insert the appropriate commands and comments into the resulting
10615 PostScript jobfile. foomatic-rip is able to read and act upon
10616 these. foomatic-rip uses some specially encoded Foomatic comments,
10617 embedded in the jobfile. These in turn are used to construct
10618 (transparently for you, the user) the complicated ghostscript command
10619 line telling the printer driver exactly how the resulting raster
10620 data should look and which printer commands to embed into the
10621 data stream.
10622 </p><p>
10623 You need:
10624 </p><div class="itemizedlist"><ul type="disc"><li><p>A "foomatic+something" PPD -- but this is not enough
10625 to print with CUPS (it is only <span class="emphasis"><em>one</em></span> important
10626 component)</p></li><li><p>The "foomatic-rip" filter script (Perl) in
10627 /usr/lib/cups/filter/</p></li><li><p>Perl to make foomatic-rip run</p></li><li><p>Ghostscript (because it is doing the main work,
10628 controlled by the PPD/foomatic-rip combo) to produce the raster data
10629 fit for your printermodel's consumption</p></li><li><p>Ghostscript <span class="emphasis"><em>must</em></span> (depending on
10630 the driver/model) contain support for a certain "device", representing
10631 the selected "driver" for your model (as shown by "gs
10632 -h")</p></li><li><p>foomatic-rip needs a new version of PPDs (PPD versions
10633 produced for cupsomatic don't work with
10634 foomatic-rip).</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2917602"></a>Page Accounting with CUPS</h2></div></div><div></div></div><a class="indexterm" name="id2917611"></a><p>
10635 Often there are questions regarding "print quotas" wherein Samba users
10636 (that is, Windows clients) should not be able to print beyond a
10637 certain amount of pages or data volume per day, week or month. This
10638 feature is dependent on the real print subsystem you're using.
10639 Samba's part is always to receive the job files from the clients
10640 (filtered <span class="emphasis"><em>or</em></span> unfiltered) and hand them over to this
10641 printing subsystem.
10642 </p><p>
10643 Of course one could "hack" things with one's own scripts. But then
10644 there is CUPS. CUPS supports "quotas" which can be based on sizes of
10645 jobs or on the number of pages or both, and are spanning any time
10646 period you want.
10647 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917645"></a>Setting up Quotas</h3></div></div><div></div></div><a class="indexterm" name="id2917653"></a><p>
10648 This is an example of how root would set a print quota in CUPS,
10649 assuming an existing printer named "quotaprinter":
10650 </p><a class="indexterm" name="id2917671"></a><pre class="screen">
10651 <tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p quotaprinter -o job-quota-period=604800 \
10652 -o job-k-limit=1024 -o job-page-limit=100</tt></b>
10653 </pre><p>
10654 This would limit every single user to print 100 pages or 1024 KB of
10655 data (whichever comes first) within the last 604,800 seconds (= 1
10656 week).
10657 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917708"></a>Correct and incorrect Accounting</h3></div></div><div></div></div><p>
10658 For CUPS to count correctly, the printfile needs to pass the CUPS
10659 "pstops" filter, otherwise it uses a "dummy" count of "1". Some
10660 printfiles don't pass it (e.g. image files), but those are mostly 1
10661 page jobs anyway. This also means that if proprietary drivers for the
10662 target printer run on the client computers and CUPS/Samba then
10663 spool these files as "raw" (i.e. leaving them untouched, not
10664 filtering them), they will be counted as "1-pagers" too!
10665 </p><p>
10666 You need to send PostScript from the clients (i.e. run a PostScript
10667 driver there) to have the chance to get accounting done. If the
10668 printer is a non-PostScript model, you need to let CUPS do the job to
10669 convert the file to a print-ready format for the target printer. This
10670 currently works for about 1,000 different printer models;
10671 see <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">the driver list at linuxprinting.org</a>.
10672 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917748"></a>Adobe and CUPS PostScript Drivers for Windows Clients</h3></div></div><div></div></div><p>
10673 Before CUPS-1.1.16 your only option was to use the Adobe PostScript
10674 Driver on the Windows clients. The output of this driver was not
10675 always passed through the "pstops" filter on the CUPS/Samba side, and
10676 therefore was not counted correctly (the reason is that it often,
10677 depending on the "PPD" being used, wrote a "PJL"-header in front of
10678 the real PostScript which caused CUPS to skip pstops and go directly
10679 to the "pstoraster" stage).
10680 </p><p>
10681 From CUPS-1.1.16 onward you can use the "CUPS PostScript Driver for
10682 Windows NT/2K/XP clients" (which is tagged in the download area of
10683 http://www.cups.org/ as the "cups-samba-1.1.16.tar.gz" package). It does
10684 <span class="emphasis"><em>not</em></span> work for Win9x/ME clients. But it guarantees:
10685 </p><div class="itemizedlist"><a class="indexterm" name="id2917786"></a><ul type="disc"><li><p>not to write a PJL header</p></li><li><p>to still read and support all PJL options named in the
10686 driver PPD with its own means</p></li><li><p>that the file will pass through the "pstops" filter
10687 on the CUPS/Samba server</p></li><li><p>to page-count the
10688 printfile correctly</p></li></ul></div><p>
10689 You can read more about the setup of this combination in the manpage
10690 for "cupsaddsmb" (which is only present with CUPS installed, and only
10691 current from CUPS 1.1.16).
10692 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917829"></a>The page_log File Syntax</h3></div></div><div></div></div><a class="indexterm" name="id2917838"></a><p>
10693 These are the items CUPS logs in the "page_log" for every
10694 single <span class="emphasis"><em>page</em></span> of a job:
10695 </p><div class="itemizedlist"><ul type="disc"><li><p>Printer name</p></li><li><p>User name</p></li><li><p>Job ID</p></li><li><p>Time of printing</p></li><li><p>the page number</p></li><li><p>the number of copies</p></li><li><p>a billing information string
10696 (optional)</p></li><li><p>the host which sent the job (included since version
10697 1.1.19)</p></li></ul></div><p>
10698 Here is an extract of my CUPS server's page_log file to illustrate the
10699 format and included items:
10700 </p><pre class="screen">
10701 infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 1 3 #marketing 10.160.50.13
10702 infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 2 3 #marketing 10.160.50.13
10703 infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 3 3 #marketing 10.160.50.13
10704 infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 4 3 #marketing 10.160.50.13
10705 DigiMaster9110 boss 402 [22/Apr/2003:10:33:22 +0100] 1 440 finance-dep 10.160.51.33
10706 </pre><p>
10707 This was job ID "401", printed on "infotec_IS2027" by user "kurt", a
10708 64-page job printed in 3 copies and billed to "#marketing", sent
10709 from IP address 10.160.50.13. The next job had ID "402", was sent by
10710 user "boss" from IP address 10.160.51.33, was one page printed in 440
10711 copies and is set to be billed to "finance-dep".
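As an added example (not part of the Samba documentation), the following Python parses page_log lines in the field order listed above and sums pages times copies per user within a job-quota-period, which gives the "current balance" that CUPS itself does not report. It uses the five log lines shown above plus one constructed older entry; REPORT_TIME is an assumed point of reference for the quota window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One page_log entry per printed page, in the field order the text lists:
#   printer user job-id [timestamp] page-number copies billing [host]
# The host field only exists from CUPS 1.1.19 on, so it is optional here.
PAGE_LOG_RE = re.compile(
    r"^(?P<printer>\S+) (?P<user>\S+) (?P<job>\d+) "
    r"\[(?P<time>[^\]]+)\] (?P<page>\d+) (?P<copies>\d+) "
    r"(?P<billing>\S+)(?: (?P<host>\S+))?$"
)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 22/Apr/2003:10:28:43 +0100

# The five lines from the text plus one constructed entry (job 377) that is
# older than a week, to show the quota window being applied.
SAMPLE_PAGE_LOG = """\
infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 1 3 #marketing 10.160.50.13
infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 2 3 #marketing 10.160.50.13
infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 3 3 #marketing 10.160.50.13
infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 4 3 #marketing 10.160.50.13
DigiMaster9110 boss 402 [22/Apr/2003:10:33:22 +0100] 1 440 finance-dep 10.160.51.33
infotec_IS2027 kurt 377 [14/Apr/2003:09:02:11 +0100] 1 1 - 10.160.50.13
"""

# Assumed "now" for the report (the quota window is counted back from here).
REPORT_TIME = datetime(2003, 4, 22, 12, 0, 0, tzinfo=timezone(timedelta(hours=1)))
WEEK_SECONDS = 604800            # the job-quota-period used in the lpadmin example
PAGE_LIMIT = 100                 # the job-page-limit used in the lpadmin example


def parse_page_log(text):
    """Parse page_log text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = PAGE_LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["job"] = int(e["job"])
        e["page"] = int(e["page"])
        e["copies"] = int(e["copies"])
        e["time"] = datetime.strptime(e["time"], TIME_FORMAT)
        entries.append(e)
    return entries


def sheets_per_user(entries, since=None):
    """Sheets (one page_log line = one page, multiplied by copies) per user.

    Only entries at or after `since` are counted when it is given.  Remember
    that CUPS logs pages processed by the RIP, not sheets physically output.
    """
    totals = defaultdict(int)
    for e in entries:
        if since is None or e["time"] >= since:
            totals[e["user"]] += e["copies"]
    return dict(totals)


def remaining_quota(entries, user, page_limit, period_seconds, now):
    """Pages `user` may still print under `page_limit` within the last `period_seconds`."""
    since = now - timedelta(seconds=period_seconds)
    used = sheets_per_user(entries, since).get(user, 0)
    return max(page_limit - used, 0)


def demo_remaining(user):
    """Remaining pages for `user` in the sample log under the example quota."""
    entries = parse_page_log(SAMPLE_PAGE_LOG)
    return remaining_quota(entries, user, PAGE_LIMIT, WEEK_SECONDS, REPORT_TIME)


if __name__ == "__main__":
    entries = parse_page_log(SAMPLE_PAGE_LOG)
    for user, sheets in sorted(sheets_per_user(entries).items()):
        print(f"{user}: {sheets} sheets logged in total, "
              f"{demo_remaining(user)} pages left this week")
```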
10712 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917938"></a>Possible Shortcomings</h3></div></div><div></div></div><p>
10713 What flaws or shortcomings are there with this quota system?
10714 </p><div class="itemizedlist"><ul type="disc"><li><p>the ones named above (wrongly logged job in case of
10715 printer hardware failure, etc.)</p></li><li><p>in reality, CUPS counts the job pages that are being
10716 processed in <span class="emphasis"><em>software</em></span> (that is, going through the
10717 "RIP") rather than the physical sheets successfully leaving the
10718 printing device. Thus if there is a jam while printing the 5th sheet out
10719 of 1000 and the job is aborted by the printer, the "page count" will
10720 still show the figure of 1000 for that job</p></li><li><p>all quotas are the same for all users (no flexibility
10721 to give the boss a higher quota than the clerk), no support for
10722 groups</p></li><li><p>no means to read out the current balance or the
10723 "used-up" number of current quota</p></li><li><p>a user having used up 99 sheets of 100 quota will
10724 still be able to send and print a 1,000 sheet job</p></li><li><p>a user being denied a job because of a filled-up quota
10725 doesn't get a meaningful error message from CUPS other than
10726 "client-error-not-possible".</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918010"></a>Future Developments</h3></div></div><div></div></div><p>
10727 This is the best system currently available, and there are huge
10728 improvements under development for CUPS 1.2:
10729 </p><div class="itemizedlist"><ul type="disc"><li><p>page counting will go into the "backends" (these talk
10730 directly to the printer and will increase the count in sync with the
10731 actual printing process: thus a jam at the 5th sheet will lead to a
10732 stop in the counting)</p></li><li><p>quotas will be handled more flexibly</p></li><li><p>probably there will be support for users to inquire
10733 their "accounts" in advance</p></li><li><p>probably there will be support for some other tools
10734 around this topic</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918058"></a>Other Accounting Tools</h3></div></div><div></div></div><p>
10735 PrintAnalyzer, pyKota, printbill, LogReport.
10736 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2918072"></a>Additional Material</h2></div></div><div></div></div><p>
10737 A printer queue with <span class="emphasis"><em>no</em></span> PPD associated with it is a
10738 "raw" printer and all files will go directly there as received by the
10739 spooler. The exceptions are file types "application/octet-stream"
10740 which need "passthrough feature" enabled. "Raw" queues don't do any
10741 filtering at all, they hand the file directly to the CUPS backend.
10742 This backend is responsible for the sending of the data to the device
10743 (as in the "device URI" notation: <tt class="filename">lpd://, socket://,
10744 smb://, ipp://, http://, parallel:/, serial:/, usb:/</tt> etc.)
10745 </p><p>
10746 "cupsomatic"/Foomatic are <span class="emphasis"><em>not</em></span> native CUPS drivers
10747 and they don't ship with CUPS. They are a Third Party add-on,
10748 developed at Linuxprinting.org. As such, they are a brilliant hack to
10749 make all models (driven by Ghostscript drivers/filters in traditional
10750 spoolers) also work via CUPS, with the same (good or bad!) quality as
10751 in these other spoolers. "cupsomatic" is only a vehicle to execute a
10752 ghostscript commandline at that stage in the CUPS filtering chain,
10753 where "normally" the native CUPS "pstoraster" filter would kick
10754 in. cupsomatic by-passes pstoraster, "kidnaps" the printfile away
10755 from CUPS and re-directs it through Ghostscript. CUPS accepts this,
10756 because the associated CUPS-O-Matic-/Foomatic-PPD specifies:
10757 </p><pre class="programlisting">
10758 *cupsFilter: "application/vnd.cups-postscript 0 cupsomatic"
10759 </pre><p>
10760 This line persuades CUPS to hand the file to cupsomatic, once it has
10761 successfully converted it to the MIME type
10762 "application/vnd.cups-postscript". This conversion will not happen for
10763 jobs arriving from Windows which are auto-typed
10764 "application/octet-stream", if the corresponding changes in
10765 <tt class="filename">/etc/cups/mime.types</tt> are in place.
10766 </p><p>
10767 CUPS is widely configurable and flexible, even regarding its filtering
10768 mechanism. Another workaround in some situations would be to have in
10769 <tt class="filename">/etc/cups/mime.types</tt> entries as follows:
10770 </p><pre class="programlisting">
10771 application/postscript application/vnd.cups-raw 0 -
10772 application/vnd.cups-postscript application/vnd.cups-raw 0 -
10773 </pre><p>
10774 This would prevent all Postscript files from being filtered (rather,
10775 they will go through the virtual <span class="emphasis"><em>nullfilter</em></span>
10776 denoted with "-"). This could only be useful for PS printers. If you
10777 want to print PS code on non-PS printers (provided they support ASCII
10778 text printing) an entry as follows could be useful:
10779 </p><pre class="programlisting">
10780 */* application/vnd.cups-raw 0 -
10781 </pre><p>
10782 and would effectively send <span class="emphasis"><em>all</em></span> files to the
10783 backend without further processing.
10784 </p><p>
10785 Lastly, you could have the following entry:
10786 </p><pre class="programlisting">
10787 application/vnd.cups-postscript application/vnd.cups-raw 0 my_PJL_stripping_filter
10788 </pre><p>
10789 You will need to write a <span class="emphasis"><em>my_PJL_stripping_filter</em></span>
10790 (could be a shellscript) that parses the PostScript and removes the
10791 unwanted PJL. This would need to conform to CUPS filter design
10792 (mainly, receive and pass the parameters printername, job-id,
10793 username, jobtitle, copies, print options and possibly the
10794 filename). It would be installed as world executable into
10795 <tt class="filename">/usr/lib/cups/filter/</tt> and will be called by CUPS
10796 if it encounters a MIME type "application/vnd.cups-postscript".
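An added example of such a my_PJL_stripping_filter, written in Python rather than as a shellscript (this is not code from the Samba documentation or from CUPS): it follows the CUPS filter calling convention given above (job-id, user, title, copies, options and an optional filename, output on stdout) and removes the UEL escape sequence and any "@PJL" lines while leaving the PostScript itself untouched. The sample job is constructed to look like a PJL-wrapped Windows driver output.

```python
#!/usr/bin/env python3
"""Example CUPS filter: strip PJL from a PostScript job.

Installed as, e.g., /usr/lib/cups/filter/my_PJL_stripping_filter (assumed
name, as in the text) CUPS calls it as
    my_PJL_stripping_filter job-id user title copies options [file]
and expects the filtered job on stdout.
"""
import re
import sys

# The Universal Exit Language sequence <ESC>%-12345X opens and closes a PJL block.
UEL = b"\x1b%-12345X"

# A UEL followed by any number of "@PJL ..." lines: the header a Windows driver
# writes in front of the PostScript, and the "@PJL EOJ" trailer after it.
PJL_BLOCK_RE = re.compile(rb"\x1b%-12345X(?:@PJL[^\n]*\n?)*")
# Stray "@PJL" lines that are not directly preceded by a UEL.
PJL_LINE_RE = re.compile(rb"^@PJL[^\n]*\n?", re.MULTILINE)


def strip_pjl(data: bytes) -> bytes:
    """Remove UEL sequences and @PJL command lines; everything else is passed through."""
    data = PJL_BLOCK_RE.sub(b"", data)
    return PJL_LINE_RE.sub(b"", data)


def run_filter(argv) -> int:
    """Filter entry point; argv is sys.argv[1:] = job-id user title copies options [file]."""
    if len(argv) not in (5, 6):
        # CUPS reads filter diagnostics from stderr; "ERROR:" lines land in error_log.
        sys.stderr.write("ERROR: usage: job-id user title copies options [file]\n")
        return 1
    if len(argv) == 6:
        with open(argv[5], "rb") as fh:
            job = fh.read()
    else:
        job = sys.stdin.buffer.read()
    out = strip_pjl(job)
    sys.stderr.write("INFO: removed %d bytes of PJL\n" % (len(job) - len(out)))
    sys.stdout.buffer.write(out)
    sys.stdout.buffer.flush()
    return 0


# Constructed sample: PostScript wrapped in PJL the way a Windows driver would emit it.
SAMPLE_JOB = (
    b"\x1b%-12345X@PJL JOB NAME=\"report\"\r\n"
    b"@PJL SET COPIES=1\r\n"
    b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    b"%!PS-Adobe-3.0\n"
    b"/Helvetica findfont 12 scalefont setfont\n"
    b"72 720 moveto (hello) show showpage\n"
    b"\x04\x1b%-12345X@PJL EOJ\r\n"
    b"\x1b%-12345X"
)

if __name__ == "__main__":
    sys.exit(run_filter(sys.argv[1:]))
```

Run stand-alone with `printf` piping SAMPLE_JOB-like data and five dummy arguments to see the bare PostScript on stdout; under CUPS the stderr "INFO:" line appears in error_log.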
10797 </p><p>
10798 CUPS can handle <span class="emphasis"><em>-o job-hold-until=indefinite</em></span>.
10799 This keeps the job in the queue "on hold". It will only be printed
10800 upon manual release by the printer operator. This is a requirement in
10801 many "central reproduction departments", where a few operators manage
10802 the jobs of hundreds of users on some big machine, where no user is
10803 allowed to have direct access (such as when the operators often need
10804 to load the proper paper type before running the 10,000 page job
10805 requested by marketing for the mailing, etc.).
10806 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2918267"></a>Auto-Deletion or Preservation of CUPS Spool Files</h2></div></div><div></div></div><p>
10807 Samba print files pass through two "spool" directories. One is the
10808 incoming directory managed by Samba, (set in the <a class="indexterm" name="id2918280"></a><i class="parameter"><tt>path</tt></i> = /var/spool/samba directive in the
10809 <i class="parameter"><tt>[printers]</tt></i> section of
10810 <tt class="filename">smb.conf</tt>). The other is the spool directory of
10811 your UNIX print subsystem. For CUPS it is normally
10812 <tt class="filename">/var/spool/cups/</tt>, as set by the cupsd.conf
10813 directive <tt class="filename">RequestRoot /var/spool/cups</tt>.
10814 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918326"></a>CUPS Configuration Settings explained</h3></div></div><div></div></div><p>
10815 Some important parameter settings in the CUPS configuration file
10816 <tt class="filename">cupsd.conf</tt> are:
10817 </p><div class="variablelist"><dl><dt><span class="term">PreserveJobHistory Yes</span></dt><dd><p>
10818 This keeps some details of jobs in cupsd's mind (well it keeps the
10819 "c12345", "c12346" etc. files in the CUPS spool directory, which do a
10820 similar job as the old-fashioned BSD-LPD control files). This is set
10821 to "Yes" as a default.
10822 </p></dd><dt><span class="term">PreserveJobFiles Yes</span></dt><dd><p>
10823 This keeps the job files themselves in cupsd's mind
10824 (well it keeps the "d12345", "d12346" etc. files in the CUPS spool
10825 directory...). This is set to "No" as the CUPS
10826 default.
10827 </p></dd><dt><span class="term"><span class="emphasis"><em>"MaxJobs 500"</em></span></span></dt><dd><p>
10828 This directive controls the maximum number of jobs
10829 that are kept in memory. Once the number of jobs reaches the limit,
10830 the oldest completed job is automatically purged from the system to
10831 make room for the new one. If all of the known jobs are still
10832 pending or active then the new job will be rejected. Setting the
10833 maximum to 0 disables this functionality. The default setting is
10835 </p></dd></dl></div><p>
10836 (There are also additional settings for "MaxJobsPerUser" and
10837 "MaxJobsPerPrinter"...)
10838 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918407"></a>Pre-conditions</h3></div></div><div></div></div><p>
10839 For everything to work as announced, you need to have three
10840 things:
10841 </p><div class="itemizedlist"><ul type="disc"><li><p>a Samba-smbd which is compiled against "libcups" (Check
10842 on Linux by running "ldd `which smbd`")</p></li><li><p>a Samba-<tt class="filename">smb.conf</tt> setting of
10843 <a class="indexterm" name="id2918443"></a><i class="parameter"><tt>printing</tt></i> = cups</p></li><li><p>another Samba-<tt class="filename">smb.conf</tt> setting of
10844 <a class="indexterm" name="id2918469"></a><i class="parameter"><tt>printcap</tt></i> = cups</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
10845 In this case all other manually set printing-related commands (like
10846 <a class="indexterm" name="id2918490"></a><i class="parameter"><tt>print command</tt></i>,
10847 <a class="indexterm" name="id2918504"></a><i class="parameter"><tt>lpq command</tt></i>,
10848 <a class="indexterm" name="id2918518"></a><i class="parameter"><tt>lprm command</tt></i>,
10849 <a class="indexterm" name="id2918532"></a><i class="parameter"><tt>lppause command</tt></i> or
10850 <a class="indexterm" name="id2918546"></a><i class="parameter"><tt>lpresume command</tt></i>) are ignored and they should normally have no
10851 influence what-so-ever on your printing.
10852 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918564"></a>Manual Configuration</h3></div></div><div></div></div><p>
10853 If you want to do things manually, replace the <a class="indexterm" name="id2918574"></a><i class="parameter"><tt>printing</tt></i> = cups
10854 by <a class="indexterm" name="id2918588"></a><i class="parameter"><tt>printing</tt></i> = bsd. Then your manually set commands may work
10855 (haven't tested this), and a <a class="indexterm" name="id2918604"></a><i class="parameter"><tt>print command</tt></i> = lp -d %P %s; rm %s
10856 may do what you need.
10857 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2918622"></a>In Case of Trouble.....</h2></div></div><div></div></div><p>
10858 If you have more problems, post the output of these commands
10859 to the CUPS or Samba mailing lists (choose the one which seems more
10860 relevant to your problem):
10861 </p><pre class="screen">
10862 <tt class="prompt">$ </tt><b class="userinput"><tt>grep -v ^# /etc/cups/cupsd.conf | grep -v ^$</tt></b>
10863 <tt class="prompt">$ </tt><b class="userinput"><tt>grep -v ^# /etc/samba/smb.conf | grep -v ^$ | grep -v "^;"</tt></b>
10864 </pre><p>
10865 (adapt paths as needed). These commands leave out the empty
10866 lines and lines with comments, providing the "naked settings" in a
10867 compact way. Don't forget to name the CUPS and Samba versions you
10868 are using! This saves bandwidth and makes for easier readability
10869 for experts (and you are expecting experts to read them, right?)
10871 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2918682"></a>Printing <span class="emphasis"><em>from</em></span> CUPS to Windows attached
10872 Printers</h2></div></div><div></div></div><p>
10873 From time to time the question arises, how you can print
10874 <span class="emphasis"><em>to</em></span> a Windows attached printer
10875 <span class="emphasis"><em>from</em></span> Samba. Normally the local connection
10876 from Windows host to printer would be done by USB or parallel
10877 cable, but this doesn't matter to Samba. From here only an SMB
10878 connection needs to be opened to the Windows host. Of course, this
10879 printer must be "shared" first. As you have learned by now, CUPS uses
10880 <span class="emphasis"><em>backends</em></span> to talk to printers and other
10881 servers. To talk to Windows shared printers you need to use the
10882 <span class="emphasis"><em>smb</em></span> (surprise, surprise!) backend. Check if this
10883 is in the CUPS backend directory. This resides usually in
10884 <tt class="filename">/usr/lib/cups/backend/</tt>. You need to find a "smb"
10885 file there. It should be a symlink to <tt class="filename">smbspool</tt>
10886 and that file must exist and be executable:
10887 </p><pre class="screen">
10888 <tt class="prompt">root# </tt><b class="userinput"><tt>ls -l /usr/lib/cups/backend/</tt></b>
10889 total 253
10890 drwxr-xr-x 3 root root 720 Apr 30 19:04 .
10891 drwxr-xr-x 6 root root 125 Dec 19 17:13 ..
10892 -rwxr-xr-x 1 root root 10692 Feb 16 21:29 canon
10893 -rwxr-xr-x 1 root root 10692 Feb 16 21:29 epson
10894 lrwxrwxrwx 1 root root 3 Apr 17 22:50 http -&gt; ipp
10895 -rwxr-xr-x 1 root root 17316 Apr 17 22:50 ipp
10896 -rwxr-xr-x 1 root root 15420 Apr 20 17:01 lpd
10897 -rwxr-xr-x 1 root root 8656 Apr 20 17:01 parallel
10898 -rwxr-xr-x 1 root root 2162 Mar 31 23:15 pdfdistiller
10899 lrwxrwxrwx 1 root root 25 Apr 30 19:04 ptal -&gt; /usr/sbin/ptal-cups
10900 -rwxr-xr-x 1 root root 6284 Apr 20 17:01 scsi
10901 lrwxrwxrwx 1 root root 17 Apr 2 03:11 smb -&gt; /usr/bin/smbspool
10902 -rwxr-xr-x 1 root root 7912 Apr 20 17:01 socket
10903 -rwxr-xr-x 1 root root 9012 Apr 20 17:01 usb
10905 <tt class="prompt">root# </tt><b class="userinput"><tt>ls -l `which smbspool`</tt></b>
10906 -rwxr-xr-x 1 root root 563245 Dec 28 14:49 /usr/bin/smbspool
10907 </pre><p>
10908 If this symlink doesn't exist, create it:
10909 </p><pre class="screen">
10910 <tt class="prompt">root# </tt><b class="userinput"><tt>ln -s `which smbspool` /usr/lib/cups/backend/smb</tt></b>
10911 </pre><p>
10912 smbspool has been written by Mike Sweet from the CUPS folks. It is
10913 included and ships with Samba. It may also be used with print
10914 subsystems other than CUPS, to spool jobs to Windows printer shares. To
10915 set up printer "winprinter" on CUPS, you need to have a "driver" for
10916 it. Essentially this means to convert the print data on the CUPS/Samba
10917 host to a format that the printer can digest (the Windows host is
10918 unable to convert any files you may send). This also means you should
10919 be able to print to the printer if it were hooked directly at your
10920 Samba/CUPS host. For troubleshooting purposes, this is what you
10921 should do, to determine if that part of the process chain is in
10922 order. Then proceed to fix the network connection/authentication to
10923 the Windows host, etc.
10924 </p><p>
10925 To install a printer with the smb backend on CUPS, use this command:
10926 </p><pre class="screen">
10927 <tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p winprinter -v smb://WINDOWSNETBIOSNAME/printersharename \
10928 -P /path/to/PPD</tt></b>
10929 </pre><p>
10930 The <span class="emphasis"><em>PPD</em></span> must be able to direct CUPS to generate
10931 the print data for the target model. For PostScript printers just use
10932 the PPD that would be used with the Windows NT PostScript driver. But
10933 what can you do if the printer is only accessible with a password? Or
10934 if the printer's host is part of another workgroup? This is provided
10935 for: you can include the required parameters as part of the
10936 <tt class="filename">smb://</tt> device-URI. Like this:
10937 </p><div class="itemizedlist"><ul type="disc"><li><p>smb://WORKGROUP/WINDOWSNETBIOSNAME/printersharename </p></li><li><p>smb://username:password@WORKGROUP/WINDOWSNETBIOSNAME/printersharename</p></li><li><p>smb://username:password@WINDOWSNETBIOSNAME/printersharename</p></li></ul></div><p>
10938 Note that the device-URI will be visible in the process list of the
10939 Samba server (e.g. when someone uses the <b class="command">ps -aux</b>
10940 command on Linux), even if the username and password are sanitized
10941 before they get written into the log files. So this is an inherently
10942 insecure option. However it is the only one. Don't use it if you want
10943 to protect your passwords. Better share the printer in a way that
10944 doesn't require a password! Printing will only work if you have a
10945 working netbios name resolution up and running. Note that this is a
10946 feature of CUPS and you don't necessarily need to have smbd running
10947 (but who wants that? :-).
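As an added check (not from the Samba documentation), the following Python lists the queues whose device URI carries an embedded password, so an administrator can find them before they show up in a process list, and prints them with the password redacted. It assumes input in the "device for NAME: URI" form that `lpstat -v` prints; the sample lines are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample in the "device for NAME: URI" form printed by `lpstat -v`.
SAMPLE_LPSTAT_V = """\
device for laserjet4plus: parallel:/dev/lp0
device for winprinter: smb://WORKGROUP/WINDOWSNETBIOSNAME/printersharename
device for winprinter2: smb://printuser:s3cret@WORKGROUP/WINDOWSNETBIOSNAME/printersharename
device for winprinter3: smb://printuser:s3cret@WINDOWSNETBIOSNAME/printersharename
"""


def parse_lpstat_v(text):
    """Return {queue_name: device_uri} from 'device for NAME: URI' lines."""
    devices = {}
    for line in text.splitlines():
        if not line.startswith("device for "):
            continue
        name, _, uri = line[len("device for "):].partition(": ")
        if name and uri:
            devices[name] = uri.strip()
    return devices


def has_embedded_password(uri):
    """True if the URI's userinfo part contains a password (user:password@host)."""
    return urlsplit(uri).password is not None


def redact_uri(uri):
    """Replace the password in the URI userinfo with '***'; other URIs are returned unchanged."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    userinfo, _, hostpart = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return parts._replace(netloc=f"{user}:***@{hostpart}").geturl()


def find_credentialed_queues(text):
    """Queues whose device URI embeds a password, keyed by name, with the URI redacted."""
    return {
        name: redact_uri(uri)
        for name, uri in parse_lpstat_v(text).items()
        if has_embedded_password(uri)
    }


if __name__ == "__main__":
    for name, uri in find_credentialed_queues(SAMPLE_LPSTAT_V).items():
        print(f"{name}: password embedded in device URI ({uri})")
```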
10948 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2918955"></a>More CUPS filtering Chains</h2></div></div><div></div></div><p>
10949 The following diagrams reveal how CUPS handles print jobs.
10950 </p><div class="figure"><a name="cups1"></a><p class="title"><b>Figure 19.17. Filtering chain 1</b></p><div class="mediaobject"><img src="projdoc/imagefiles/cups1.png" width="270" alt="Filtering chain 1"></div></div><div class="figure"><a name="cups2"></a><p class="title"><b>Figure 19.18. Filtering chain with cupsomatic</b></p><div class="mediaobject"><img src="projdoc/imagefiles/cups2.png" width="270" alt="Filtering chain with cupsomatic"></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
10951 Gimp-Print and some other third-party filters (like TurboPrint) for
10952 CUPS and ESP PrintPro plug in where "rastertosomething" is noted.
10953 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2796634"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2796642"></a>Win9x client can't install driver</h3></div></div><div></div></div><p>Win9x clients require the printer names to be 8
10954 chars (or "8 plus 3 chars suffix") max; otherwise the driver files
10955 won't get transferred when you want to download them from
10956 Samba.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919061"></a>"cupsaddsmb" keeps asking for root password in
10957 neverending loop</h3></div></div><div></div></div><p>Have you <a class="indexterm" name="id2919072"></a><i class="parameter"><tt>security</tt></i> = user? Have
10958 you used <b class="command">smbpasswd</b> to give root a Samba account?
10959 You can do 2 things: open another terminal and execute
10960 <b class="command">smbpasswd -a root</b> to create the account, and
10961 continue with entering the password into the first terminal. Or break
10962 out of the loop by hitting ENTER twice (without trying to type a
10963 password).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919107"></a>"cupsaddsmb" gives "No PPD file for printer..."
10964 message while PPD file is present</h3></div></div><div></div></div><p>Have you enabled printer sharing on CUPS? This means:
10965 do you have a <i class="parameter"><tt>&lt;Location
10966 /printers&gt;....&lt;/Location&gt;</tt></i> section in CUPS
10967 server's <tt class="filename">cupsd.conf</tt> which doesn't deny access to
10968 the host you run "cupsaddsmb" from? It <span class="emphasis"><em>could</em></span> be
10969 an issue if you use cupsaddsmb remotely, or if you use it with a
10970 <tt class="option">-h</tt> parameter: <b class="userinput"><tt>cupsaddsmb -H
10971 sambaserver -h cupsserver -v printername</tt></b>.
10972 </p><p>Is your
10973 "TempDir" directive in
10974 <span class="emphasis"><em>cupsd.conf</em></span>
10975 set to a valid value and is it writeable?
10976 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919163"></a>Client can't connect to Samba printer</h3></div></div><div></div></div><p>Use <b class="command">smbstatus</b> to check which user
10977 you are from Samba's point of view. Do you have the privileges to
10978 write into the <i class="parameter"><tt>[print$]</tt></i>
10979 share?</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919497"></a>Can't reconnect to Samba under new account
from Win2K/XP</h3></div></div><div></div></div><p>Once you are connected as the "wrong" user (for
example as "nobody", which often occurs if you have
<a class="indexterm" name="id2919510"></a><i class="parameter"><tt>map to guest</tt></i> = bad user), Windows Explorer will not accept an
attempt to connect again as a different user. Not a single byte is
transferred on the wire to Samba, but you'll still see a stupid error
message which makes you think that Samba has denied access. Use
<b class="command">smbstatus</b> to check for active connections. Kill the
PIDs. You still can't re-connect and get the dreaded
<tt class="computeroutput">You can't connect with a second account from the same
machine</tt> message as soon as you try? And you
don't see a single byte arriving at Samba (see logs; use "ethereal")
indicating a renewed connection attempt? Close all Explorer windows.
This makes Windows forget what it has cached in its memory as
established connections. Then re-connect as the right user. The best
method is to use a DOS terminal window and <span class="emphasis"><em>first</em></span>
do <b class="userinput"><tt>net use z: \\GANDALF\print$ /user:root</tt></b>. Check
with <b class="command">smbstatus</b> that you are connected under a
different account. Now open the "Printers" folder (on the Samba server
in the <span class="emphasis"><em>Network Neighbourhood</em></span>), right-click the
printer in question and select
<span class="emphasis"><em>Connect...</em></span></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919582"></a>Avoid being connected to the Samba server as the
"wrong" user</h3></div></div><div></div></div><p><b class="command">smbstatus</b> shows that you are
connected as user "nobody" while you wanted to be "root" or
"printeradmin"? This is probably due to
<a class="indexterm" name="id2919603"></a><i class="parameter"><tt>map to guest</tt></i> = bad user, which silently connects you under the guest account
when you gave (maybe by accident) an incorrect username. Remove
<a class="indexterm" name="id2919619"></a><i class="parameter"><tt>map to guest</tt></i> if you want to prevent
this.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919635"></a>Upgrading to CUPS drivers from Adobe drivers on
11008 NT/2K/XP clients gives problems</h3></div></div><div></div></div><p>First delete all "old" Adobe-using printers. Then
11009 delete all "old" Adobe drivers. (On Win2K/XP, right-click in
11010 background of "Printers" folder, select "Server Properties...", select
11011 tab "Drivers" and delete here).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919649"></a>Can't use "cupsaddsmb" on Samba server which is
a PDC</h3></div></div><div></div></div><p>Do you use the "naked" root user name? Try to do it
this way: <b class="userinput"><tt>cupsaddsmb -U <i class="replaceable"><tt>DOMAINNAME</tt></i>\\root -v
<i class="replaceable"><tt>printername</tt></i></tt></b> (note the two backslashes: the first one is
11015 required to "escape" the second one).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919678"></a>Deleted Win2K printer driver is still shown</h3></div></div><div></div></div><p>Deleting a printer on the client won't delete the
11016 driver too (to verify, right-click on the white background of the
11017 "Printers" folder, select "Server Properties" and click on the
11018 "Drivers" tab). These same old drivers will be re-used when you try to
11019 install a printer with the same name. If you want to update to a new
11020 driver, delete the old ones first. Deletion is only possible if no
11021 other printer uses the same driver.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919695"></a>Win2K/XP "Local Security
11022 Policies"</h3></div></div><div></div></div><p><span class="emphasis"><em>Local Security Policies</em></span> may not
11023 allow the installation of unsigned drivers. "Local Security Policies"
11024 may not allow the installation of printer drivers at
11025 all.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919711"></a>WinXP clients: "Administrator can not install
11026 printers for all local users"</h3></div></div><div></div></div><p>Windows XP handles SMB printers on a "per-user" basis.
11027 This means every user needs to install the printer himself. To have a
11028 printer available for everybody, you might want to use the built-in
11029 IPP client capabilities of WinXP. Add a printer with the print path of
11030 <span class="emphasis"><em>http://cupsserver:631/printers/printername</em></span>.
11031 Still looking into this one: maybe a "logon script" could
11032 automatically install printers for all
11033 users.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919733"></a>"Print Change Notify" functions on
NT-clients</h3></div></div><div></div></div><p>For "print change notify" functions to work on NT++ clients,
these need to run the "Server" service first (renamed to
<span class="emphasis"><em>File &amp; Print Sharing for MS Networks</em></span> in
XP).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919752"></a>WinXP-SP1</h3></div></div><div></div></div><p>WinXP-SP1 introduced a <span class="emphasis"><em>Point and Print
Restriction Policy</em></span> (this restriction doesn't apply to
the "Administrator" or "Power User" groups of users). In the Group Policy
Object Editor, go to <span class="emphasis"><em>User Configuration,
Administrative Templates, Control Panel,
Printers</em></span>. The policy is automatically set to
<span class="emphasis"><em>Enabled</em></span> with <span class="emphasis"><em>Users can only Point
and Print to machines in their Forest</em></span>. You probably need
to change it to <span class="emphasis"><em>Disabled</em></span> or <span class="emphasis"><em>Users can
only Point and Print to these servers</em></span> in order to make
driver downloads from Samba possible.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919794"></a>Print options for all users can't be set on Win2K/XP</h3></div></div><div></div></div><p>How are you doing it? I bet the wrong way (it is not
very easy to find out, though). There are three different ways to bring
you to a dialog that <span class="emphasis"><em>seems</em></span> to set everything. All
three dialogs <span class="emphasis"><em>look</em></span> the same. Only one of them
<span class="emphasis"><em>does</em></span> what you intend. You need to be
Administrator or Print Administrator to do this for all users. Here
is how I do it on XP:
11054 </p><div class="orderedlist"><ol type="A"><li><p>The first "wrong" way:
11056 </p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="emphasis"><em>Printers</em></span>
11057 folder.</p></li><li><p>Right-click on the printer
11058 (<span class="emphasis"><em>remoteprinter on cupshost</em></span>) and
11059 select in context menu <span class="emphasis"><em>Printing
11060 Preferences...</em></span></p></li><li><p>Look at this dialog closely and remember what it looks
11061 like.</p></li></ol></div><p>
11062 </p></li><li><p>The second "wrong" way:
11064 </p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="emphasis"><em>Printers</em></span>
11065 folder.</p></li><li><p>Right-click on the printer (<span class="emphasis"><em>remoteprinter on
11066 cupshost</em></span>) and select in the context menu
11067 <span class="emphasis"><em>Properties</em></span></p></li><li><p>Click on the <span class="emphasis"><em>General</em></span>
11068 tab</p></li><li><p>Click on the button <span class="emphasis"><em>Printing
11069 Preferences...</em></span></p></li><li><p>A new dialog opens. Keep this dialog open and go back
11070 to the parent dialog.</p></li></ol></div><p>
</p></li><li><p>The third, the "correct" way (if you start from
the beginning, first carry out steps 1. and 2. of the second
"way" above):
11075 </p><div class="orderedlist"><ol type="1"><li><p>Click on the <span class="emphasis"><em>Advanced</em></span>
11076 tab. (Hmmm... if everything is "Grayed Out", then you are not logged
11077 in as a user with enough privileges).</p></li><li><p>Click on the <span class="emphasis"><em>Printing
11078 Defaults...</em></span> button.</p></li><li><p>On any of the two new tabs, click on the
11079 <span class="emphasis"><em>Advanced...</em></span>
button.</p></li><li><p>A new dialog opens. Compare this one to the other,
identical-looking one from "B.5" or "A.3".</p></li></ol></div><p>
11082 </p></li></ol></div><p>
11083 Do you see any difference? I don't either... However, only the last
11084 one, which you arrived at with steps "C.1.-6." will save any settings
11085 permanently and be the defaults for new users. If you want all clients
11086 to get the same defaults, you need to conduct these steps <span class="emphasis"><em>as
11087 Administrator</em></span> (<a class="indexterm" name="id2920027"></a><i class="parameter"><tt>printer admin</tt></i> in
11088 <tt class="filename">smb.conf</tt>) <span class="emphasis"><em>before</em></span> a client
11089 downloads the driver (the clients can later set their own
11090 <span class="emphasis"><em>per-user defaults</em></span> by following the
11091 procedures <span class="emphasis"><em>A.</em></span> or <span class="emphasis"><em>B.</em></span>
11092 above).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920067"></a>Most common blunders in driver
settings on Windows clients</h3></div></div><div></div></div><p>Don't use <span class="emphasis"><em>Optimize for
Speed</em></span>: use <span class="emphasis"><em>Optimize for
Portability</em></span> instead (Adobe PS Driver). Don't use
<span class="emphasis"><em>Page Independence: No</em></span>: always
settle with <span class="emphasis"><em>Page Independence:
Yes</em></span> (Microsoft PS Driver and CUPS PS Driver for
WinNT/2K/XP). If there are problems with fonts, use
<span class="emphasis"><em>Download as Softfont into
printer</em></span> (Adobe PS Driver). For
<span class="emphasis"><em>TrueType Download Options</em></span>
choose <span class="emphasis"><em>Outline</em></span>. Use PostScript
Level 2 if you are having trouble with a non-PS printer, and if
there is a choice.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920114"></a><b class="command">cupsaddsmb</b> does not work
with newly installed printer</h3></div></div><div></div></div><p>Symptom: the last command of
<b class="command">cupsaddsmb</b> doesn't complete successfully, reporting
<b class="command">cmd = setdriver printername printername</b> result was
NT_STATUS_UNSUCCESSFUL. Then possibly the printer was not yet
"recognized" by Samba. Did it show up in <span class="emphasis"><em>Network
Neighbourhood</em></span>? Did it show up in <b class="command">rpcclient
hostname -c 'enumprinters'</b>? Restart smbd (or send a
<b class="command">kill -HUP</b> to all processes listed by
<b class="command">smbstatus</b>) and try
11115 again.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920175"></a>Permissions on
11116 <tt class="filename">/var/spool/samba/</tt> get reset after each
11117 reboot</h3></div></div><div></div></div><p>Have you by accident set the CUPS spool directory to
11118 the same location? (<i class="parameter"><tt>RequestRoot
11119 /var/spool/samba/</tt></i> in <tt class="filename">cupsd.conf</tt> or
11120 the other way round: <tt class="filename">/var/spool/cups/</tt> is set as
<a class="indexterm" name="id2920213"></a><i class="parameter"><tt>path</tt></i> in the <i class="parameter"><tt>[printers]</tt></i>
11122 section). These <span class="emphasis"><em>must</em></span> be different. Set
11123 <i class="parameter"><tt>RequestRoot /var/spool/cups/</tt></i> in
11124 <tt class="filename">cupsd.conf</tt> and <a class="indexterm" name="id2920252"></a><i class="parameter"><tt>path</tt></i> =
11125 /var/spool/samba in the <i class="parameter"><tt>[printers]</tt></i>
11126 section of <tt class="filename">smb.conf</tt>. Otherwise cupsd will
11127 sanitize permissions to its spool directory with each restart, and
11128 printing will not work reliably.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920284"></a>Printer named "lp"
11129 intermittently swallows jobs and spits out completely different
ones</h3></div></div><div></div></div><p>It is a very bad idea to name any printer "lp". This
is the traditional UNIX name for the default printer. CUPS may be set
up to create "Implicit Classes" automatically. This means that all
printers with the same name are grouped into a pool of devices, and
jobs are load-balanced across them in a round-robin fashion. Chances
are high that someone else has a printer named "lp" too. You may
receive their jobs and send your own to their device unwittingly. To have
tight control over the printer names, set <i class="parameter"><tt>BrowseShortNames
No</tt></i>. It will then present every printer as "printername@cupshost",
giving you better control over what may happen in a large
11140 networked environment.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920314"></a>Location of Adobe PostScript driver files necessary for "cupsaddsmb"</h3></div></div><div></div></div><p>Use <b class="command">smbclient</b> to connect to any
11141 Windows box with a shared PostScript printer: <b class="command">smbclient
11142 //windowsbox/print\$ -U guest</b>. You can navigate to the
11143 <tt class="filename">W32X86/2</tt> subdir to <b class="command">mget ADOBE*</b>
and other files, or to <tt class="filename">WIN40/0</tt> to do the same.
Another option is to download the <tt class="filename">*.exe</tt> packaged
11146 files from the Adobe website.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920369"></a>An Overview of the CUPS Printing Processes</h2></div></div><div></div></div><div class="figure"><a name="a_small"></a><p class="title"><b>Figure 19.19. CUPS Printing Overview</b></p><div class="mediaobject"><img src="projdoc/imagefiles/a_small.png" width="270" alt="CUPS Printing Overview"></div></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="VFS"></a>Chapter 20. Stackable VFS modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Simo</span> <span class="surname">Sorce</span></h3><span class="contrib">original vfs_skel README</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Alexander</span> <span class="surname">Bokovoy</span></h3><span class="contrib">original vfs_netatalk docs</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stefan</span> <span class="surname">Metzmacher</span></h3><span 
class="contrib">Update for multiple modules</span></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2920538">Features and Benefits</a></dt><dt><a href="#id2920556">Discussion</a></dt><dt><a href="#id2920786">Included modules</a></dt><dd><dl><dt><a href="#id2920793">audit</a></dt><dt><a href="#id2920835">extd_audit</a></dt><dt><a href="#id2920965">fake_perms</a></dt><dt><a href="#id2920984">recycle</a></dt><dt><a href="#id2921153">netatalk</a></dt></dl></dd><dt><a href="#id2921198">VFS modules available elsewhere</a></dt><dd><dl><dt><a href="#id2921220">DatabaseFS</a></dt><dt><a href="#id2921286">vscan</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920538"></a>Features and Benefits</h2></div></div><div></div></div><p>
Since Samba-3, there is support for stackable VFS (Virtual File System) modules.
Samba passes each request to access the UNIX file system through the loaded VFS modules.
This chapter covers all the modules that come with the Samba source and references to
some external modules.
11151 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920556"></a>Discussion</h2></div></div><div></div></div><p>
If not supplied with your platform distribution's binary Samba package, you may have problems
compiling these modules, as shared libraries are compiled and linked in different ways
on different systems. They have currently been tested against GNU/Linux and IRIX.
11155 </p><p>
11156 To use the VFS modules, create a share similar to the one below. The
11157 important parameter is the <a class="indexterm" name="id2920577"></a><i class="parameter"><tt>vfs objects</tt></i> parameter where
11158 you can list one or more VFS modules by name. For example, to log all access
11159 to files and put deleted files in a recycle bin:
11161 </p><div class="example"><a name="id2920594"></a><p class="title"><b>Example 20.1. smb.conf with VFS modules</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[audit]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Audited /data directory</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /data</tt></i></td></tr><tr><td><i class="parameter"><tt>vfs objects = audit recycle</tt></i></td></tr><tr><td><i class="parameter"><tt>writeable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = yes</tt></i></td></tr></table></div><p>
11162 </p><p>
11163 The modules are used in the order in which they are specified.
11164 </p><p>
11165 Samba will attempt to load modules from the <span class="emphasis"><em>lib</em></span>
11166 directory in the root directory of the samba installation (usually
11167 <tt class="filename">/usr/lib/samba/vfs</tt> or <tt class="filename">/usr/local/samba/lib/vfs
11168 </tt>).
11169 </p><p>
Some modules can be used more than once for the same share.
This can be done using a configuration similar to the one below.
11173 </p><div class="example"><a name="id2920694"></a><p class="title"><b>Example 20.2. smb.conf with multiple VFS modules</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[test]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = VFS TEST</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /data</tt></i></td></tr><tr><td><i class="parameter"><tt>writeable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>vfs objects = example:example1 example example:test</tt></i></td></tr><tr><td><i class="parameter"><tt>example1: parameter = 1</tt></i></td></tr><tr><td><i class="parameter"><tt>example: parameter = 5</tt></i></td></tr><tr><td><i class="parameter"><tt>test: parameter = 7</tt></i></td></tr></table></div><p>
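As an added illustration (not Samba's own smb.conf parser), the following Python models how the entries on a <tt class="parameter">vfs objects</tt> line map to module instances and how <tt class="parameter">instance: parameter = value</tt> lines bind to them; the misspelled option line is constructed input showing that a parameter for an unknown instance binds to nothing.

```python
"""Model of a Samba ``vfs objects`` stack and its module-scoped parameters.

Added illustration for Examples 20.1 and 20.2, not Samba's own parser:
entries are ``module`` or ``module:instance``, and lines of the form
``instance: parameter = value`` attach to the instance they name.
"""


def parse_vfs_share(lines):
    """Parse the lines of one smb.conf share section.

    Returns (stack, params, unbound):
      stack   - ordered list of (module, instance) pairs, in load order
      params  - {instance: {parameter: value}} from ``name: param = value`` lines
      unbound - instance names that carry parameters but are not on the stack
                (usually a typo, so those parameters would be ignored)
    """
    stack, params = [], {}
    for raw in lines:
        line = raw.strip()
        # smb.conf comments start the line with '#' or ';'; skip headers too
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "vfs objects":
            for entry in value.split():
                module, _, instance = entry.partition(":")
                # a bare module name is its own instance name
                stack.append((module, instance or module))
        elif ":" in key:
            instance, pname = (part.strip() for part in key.split(":", 1))
            params.setdefault(instance, {})[pname] = value
    unbound = sorted(set(params) - {inst for _, inst in stack})
    return stack, params, unbound


# Constructed input: Example 20.2 from the text plus one misspelled option line.
EXAMPLE_20_2 = [
    "[test]",
    "comment = VFS TEST",
    "path = /data",
    "writeable = yes",
    "browseable = yes",
    "vfs objects = example:example1 example example:test",
    "example1: parameter = 1",
    "example: parameter = 5",
    "test: parameter = 7",
    "exmaple1: other = 9",   # typo: no such instance, so it binds to nothing
]

if __name__ == "__main__":
    stack, params, unbound = parse_vfs_share(EXAMPLE_20_2)
    for module, instance in stack:
        print(f"{module:8s} as {instance:9s} -> {params.get(instance, {})}")
    if unbound:
        print("parameters for unknown instances:", unbound)
```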
11174 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920786"></a>Included modules</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920793"></a>audit</h3></div></div><div></div></div><p>
11175 A simple module to audit file access to the syslog
11176 facility. The following operations are logged:
11177 </p><div class="itemizedlist"><ul type="disc"><li><p>share</p></li><li><p>connect/disconnect</p></li><li><p>directory opens/create/remove</p></li><li><p>file open/close/rename/unlink/chmod</p></li></ul></div><p>
11178 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920835"></a>extd_audit</h3></div></div><div></div></div><p>
This module is identical to the <span class="emphasis"><em>audit</em></span> module above except
that it sends audit logs both to syslog and to the smbd log file(s). The
log level for this module is set in the smb.conf file.
11182 </p><p>
11183 The logging information that will be written to the smbd log file is controlled by
11184 the <a class="indexterm" name="id2920859"></a><i class="parameter"><tt>log level</tt></i> parameter in <tt class="filename">smb.conf</tt>. The
11185 following information will be recorded:
11186 </p><div class="table"><a name="id2920882"></a><p class="title"><b>Table 20.1. Extended Auditing Log Information</b></p><table summary="Extended Auditing Log Information" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Log Level</th><th align="center">Log Details - File and Directory Operations</th></tr></thead><tbody><tr><td align="center">0</td><td align="left">Creation / Deletion</td></tr><tr><td align="center">1</td><td align="left">Create / Delete / Rename / Permission Changes</td></tr><tr><td align="center">2</td><td align="left">Create / Delete / Rename / Perm Change / Open / Close</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920965"></a>fake_perms</h3></div></div><div></div></div><p>
This module was created to allow Roaming Profile files and directories to be set (on the Samba server
under Unix) as read-only. If installed on the Profiles share, this module will report to the client
that the Profile files and directories are writable. This satisfies the client even though the files
will never be overwritten as the client logs out or shuts down.
11191 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920984"></a>recycle</h3></div></div><div></div></div><p>
A recycle-bin-like module. When used, any unlink call
is intercepted and files are moved to the recycle
directory instead of being deleted. This gives the same
effect as the "Recycle Bin" on Windows computers.
11196 </p><p>Supported options:
11197 </p><div class="variablelist"><dl><dt><span class="term">recycle:repository</span></dt><dd><p>Relative path of the directory where deleted files should be moved to</p></dd><dt><span class="term">recycle:keeptree</span></dt><dd><p>Specifies whether the directory structure should
11198 be kept or if the files in the directory that is being
deleted should be kept separately in the recycle bin.
11200 </p></dd><dt><span class="term">recycle:versions</span></dt><dd><p>If this option is set, two files
11201 with the same name that are deleted will both
11202 be kept in the recycle bin. Newer deleted versions
11203 of a file will be called "Copy #x of <i class="replaceable"><tt>filename</tt></i>".</p></dd><dt><span class="term">recycle:touch</span></dt><dd><p>Specifies whether a file's access
11204 date should be touched when the file is moved to
11205 the recycle bin.</p></dd><dt><span class="term">recycle:maxsize</span></dt><dd><p>Files that are larger than the number
11206 of bytes specified by this parameter will
11207 not be put into the recycle bin.</p></dd><dt><span class="term">recycle:exclude</span></dt><dd><p>List of files that should not
11208 be put into the recycle bin when deleted, but deleted
11209 in the regular way.</p></dd><dt><span class="term">recycle:exclude_dir</span></dt><dd><p>Contains a list of directories. When files from
11210 these directories are deleted, they are not put into the
11211 recycle bin, but deleted in the regular way.
11212 </p></dd><dt><span class="term">recycle:noversions</span></dt><dd><p>Opposite of <i class="parameter"><tt>recycle:versions</tt></i>. If both options are specified, this one takes precedence.</p></dd></dl></div><p>
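To make the interplay of these options concrete, here is an added Python model of the recycle module's unlink handling; it is an illustration written for this page, not Samba's C implementation, and it assumes shell-style name patterns for <tt class="parameter">recycle:exclude</tt>, that <tt class="parameter">recycle:maxsize</tt> 0 means no limit, and that without versioning a same-named file replaces the copy already in the bin.

```python
"""Behavioural model of the Samba ``recycle`` VFS module.

Added illustration, not Samba's own code: it applies the option semantics
listed above (repository, keeptree, versions, noversions, touch, maxsize,
exclude, exclude_dir) to an intercepted unlink on a real directory tree.
Assumed details the text leaves open: exclude entries are shell-style name
patterns, maxsize 0 means no limit, and without versioning a same-named
file replaces the copy already in the bin.
"""
import fnmatch
import os
import shutil
import tempfile
from pathlib import Path

DEFAULTS = {
    "recycle:repository": ".recycle",
    "recycle:keeptree": False,
    "recycle:versions": False,
    "recycle:noversions": False,
    "recycle:touch": False,
    "recycle:maxsize": 0,
    "recycle:exclude": [],
    "recycle:exclude_dir": [],
}


def recycle_unlink(share_root, rel_path, options):
    """Handle an unlink of rel_path (relative to share_root). Returns the
    Path the file was moved to, or None when it was deleted for real."""
    opts = {**DEFAULTS, **options}
    share = Path(share_root)
    src = share / rel_path
    repo = share / opts["recycle:repository"]
    rel_parent = Path(rel_path).parent
    maxsize = int(opts["recycle:maxsize"])

    bypass_bin = (
        repo in src.parents  # already inside the bin: no recursion
        # recycle:exclude - matching file names are deleted normally
        or any(fnmatch.fnmatch(src.name, p) for p in opts["recycle:exclude"])
        # recycle:exclude_dir - anything under a listed directory likewise
        or any(rel_parent == Path(d) or Path(d) in rel_parent.parents
               for d in opts["recycle:exclude_dir"])
        # recycle:maxsize - oversized files are deleted normally
        or (maxsize > 0 and src.stat().st_size > maxsize)
    )
    if bypass_bin:
        src.unlink()
        return None

    # recycle:keeptree - mirror the original directory structure in the bin
    dest_dir = repo / rel_parent if opts["recycle:keeptree"] else repo
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / src.name
    # recycle:versions keeps older copies as "Copy #x of filename";
    # recycle:noversions takes precedence when both are set
    versions = opts["recycle:versions"] and not opts["recycle:noversions"]
    if dest.exists():
        if versions:
            n = 1
            while (dest_dir / f"Copy #{n} of {src.name}").exists():
                n += 1
            dest = dest_dir / f"Copy #{n} of {src.name}"
        else:
            dest.unlink()
    shutil.move(str(src), str(dest))
    if opts["recycle:touch"]:
        os.utime(dest, None)  # recycle:touch - refresh the timestamps
    return dest


def demo():
    """Constructed scenario on a temporary share; returns where each file
    went (relative to the share) or None if it was deleted outright."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "tmp").mkdir()
    for name, data in [("docs/report.txt", b"v1"), ("tmp/scratch.txt", b"x"),
                       ("big.bin", b"\0" * 2048), ("notes.tmp", b"n")]:
        (root / name).write_bytes(data)
    opts = {"recycle:keeptree": True, "recycle:versions": True,
            "recycle:maxsize": 1024, "recycle:exclude": ["*.tmp"],
            "recycle:exclude_dir": ["tmp"]}
    moved = {"report1": recycle_unlink(root, "docs/report.txt", opts)}
    (root / "docs/report.txt").write_bytes(b"v2")  # recreate, delete again
    moved["report2"] = recycle_unlink(root, "docs/report.txt", opts)
    moved["scratch"] = recycle_unlink(root, "tmp/scratch.txt", opts)
    moved["big"] = recycle_unlink(root, "big.bin", opts)
    moved["notes"] = recycle_unlink(root, "notes.tmp", opts)
    # With noversions set a repeat deletion replaces the copy in the bin.
    (root / "docs/report.txt").write_bytes(b"v3")
    strict = {**opts, "recycle:noversions": True}
    moved["report3"] = recycle_unlink(root, "docs/report.txt", strict)
    result = {k: (None if v is None else str(v.relative_to(root)))
              for k, v in moved.items()}
    shutil.rmtree(root)
    return result
```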
11213 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921153"></a>netatalk</h3></div></div><div></div></div><p>
A netatalk module that eases the co-existence of Samba and
netatalk file sharing services.
11216 </p><p>Advantages compared to the old netatalk module:
</p><div class="itemizedlist"><ul type="disc"><li><p>it doesn't bother creating .AppleDouble forks, it just keeps them in sync</p></li><li><p>if a share in <tt class="filename">smb.conf</tt> doesn't have .AppleDouble in its hide or veto list, it is added automatically</p></li></ul></div><p>
11218 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921198"></a>VFS modules available elsewhere</h2></div></div><div></div></div><p>
11219 This section contains a listing of various other VFS modules that
11220 have been posted but don't currently reside in the Samba CVS
11221 tree for one reason or another (e.g. it is easy for the maintainer
11222 to have his or her own CVS tree).
11223 </p><p>
11224 No statements about the stability or functionality of any module
11225 should be implied due to its presence here.
11226 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921220"></a>DatabaseFS</h3></div></div><div></div></div><p>
11227 URL: <a href="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" target="_top">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</a>
11228 </p><p>By <a href="mailto:elorimer@css.tayloru.edu" target="_top">Eric Lorimer</a>.</p><p>
11229 I have created a VFS module which implements a fairly complete read-only
11230 filesystem. It presents information from a database as a filesystem in
11231 a modular and generic way to allow different databases to be used
11232 (originally designed for organizing MP3s under directories such as
11233 "Artists," "Song Keywords," etc... I have since applied it to a student
11234 roster database very easily). The directory structure is stored in the
11235 database itself and the module makes no assumptions about the database
11236 structure beyond the table it requires to run.
11237 </p><p>
11238 Any feedback would be appreciated: comments, suggestions, patches,
11239 etc... If nothing else, hopefully it might prove useful for someone
11240 else who wishes to create a virtual filesystem.
11241 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921286"></a>vscan</h3></div></div><div></div></div><p>URL: <a href="http://www.openantivirus.org/" target="_top">http://www.openantivirus.org/</a></p><p>
11242 samba-vscan is a proof-of-concept module for Samba, which
11243 uses the VFS (virtual file system) features of Samba 2.2.x/3.0
11244 alphaX. Of course, Samba has to be compiled with VFS support.
11245 samba-vscan supports various virus scanners and is maintained
11246 by Rainer Link.
11247 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 21. Winbind: Use of Domain Accounts</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><span class="contrib">Notes for Solaris</span><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Trostel</span></h3><div class="affiliation"><span class="orgname">SNAP<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span 
class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div><p class="pubdate">27 June 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2921516">Features and Benefits</a></dt><dt><a href="#id2921611">Introduction</a></dt><dt><a href="#id2921688">What Winbind Provides</a></dt><dd><dl><dt><a href="#id2921756">Target Uses</a></dt></dl></dd><dt><a href="#id2921786">How Winbind Works</a></dt><dd><dl><dt><a href="#id2921815">Microsoft Remote Procedure Calls</a></dt><dt><a href="#id2921849">Microsoft Active Directory Services</a></dt><dt><a href="#id2921872">Name Service Switch</a></dt><dt><a href="#id2922009">Pluggable Authentication Modules</a></dt><dt><a href="#id2922081">User and Group ID Allocation</a></dt><dt><a href="#id2922128">Result Caching</a></dt></dl></dd><dt><a href="#id2922156">Installation and Configuration</a></dt><dd><dl><dt><a href="#id2922164">Introduction</a></dt><dt><a href="#id2922231">Requirements</a></dt><dt><a href="#id2922333">Testing Things Out</a></dt></dl></dd><dt><a href="#id2923890">Conclusion</a></dt><dt><a href="#id2923909">Common Errors</a></dt><dd><dl><dt><a href="#id2923962">NSCD Problem Warning</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921516"></a>Features and Benefits</h2></div></div><div></div></div><p>
Integration of UNIX and Microsoft Windows NT through a unified logon has
been considered a "holy grail" in heterogeneous computing environments for
a long time.
</p><p>
There is one other facility without which UNIX and Microsoft Windows network
interoperability would suffer greatly. It is imperative that there be a
mechanism for sharing files across UNIX systems and for assigning
domain user and group ownerships with integrity.
</p><p>
<span class="emphasis"><em>winbind</em></span> is a component of the Samba suite of programs
that solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft
RPC calls, Pluggable Authentication Modules, and the Name Service Switch to
allow Windows NT domain users to appear and operate as UNIX users on a UNIX
machine. This chapter describes the winbind system, explaining the functionality
it provides, how it is configured, and how it works internally.
</p><p>
Winbind provides three separate functions:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Authentication of user credentials (via PAM)
</p></li><li><p>
Identity resolution (via NSS)
</p></li><li><p>
Winbindd maintains a database called winbind_idmap.tdb in which it stores
mappings between UNIX UIDs / GIDs and NT SIDs. This mapping is used only
for users and groups that do not have a local UID/GID. It stores the UID/GID
allocated from the idmap uid/gid range that it has mapped to the NT SID.
If <i class="parameter"><tt>idmap backend</tt></i> has been specified as ldapsam:url
then instead of using a local mapping winbindd will obtain this information
from the LDAP database.
</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
If winbindd is not running, then smbd (which calls winbindd) will fall back to
using purely local information from /etc/passwd and /etc/group and no dynamic
mapping will be used.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921611"></a>Introduction</h2></div></div><div></div></div><p>It is well known that UNIX and Microsoft Windows NT have
different models for representing user and group information and
use different technologies for implementing them. This fact has
made it difficult to integrate the two systems in a satisfactory
manner.</p><p>One common solution in use today has been to create
identically named user accounts on both the UNIX and Windows systems
and use the Samba suite of programs to provide file and print services
between the two. This solution is far from perfect however, as
adding and deleting users on both sets of machines becomes a chore
and two sets of passwords are required, both of which
can lead to synchronization problems between the UNIX and Windows
systems and confusion for users.</p><p>We divide the unified logon problem for UNIX machines into
three smaller problems:</p><div class="itemizedlist"><ul type="disc"><li><p>Obtaining Windows NT user and group information
</p></li><li><p>Authenticating Windows NT users
</p></li><li><p>Password changing for Windows NT users
</p></li></ul></div><p>Ideally, a prospective solution to the unified logon problem
would satisfy all the above components without duplication of
information on the UNIX machines and without creating additional
tasks for the system administrator when maintaining users and
groups on either system. The winbind system provides a simple
and elegant solution to all three components of the unified logon
problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921688"></a>What Winbind Provides</h2></div></div><div></div></div><p>Winbind unifies UNIX and Windows NT account management by
allowing a UNIX box to become a full member of a NT domain. Once
this is done the UNIX box will see NT users and groups as if
they were native UNIX users and groups, allowing the NT domain
to be used in much the same manner that NIS+ is used within
UNIX-only environments.</p><p>The end result is that whenever any
program on the UNIX machine asks the operating system to look up
a user or group name, the query will be resolved by asking the
NT domain controller for the specified domain to do the lookup.
Because Winbind hooks into the operating system at a low level
(via the NSS name resolution modules in the C library) this
redirection to the NT domain controller is completely
transparent.</p><p>Users on the UNIX machine can then use NT user and group
names as they would use "native" UNIX names. They can chown files
so that they are owned by NT domain users or even log in to the
UNIX machine and run a UNIX X-Window session as a domain user.</p><p>The only obvious indication that Winbind is being used is
that user and group names take the form DOMAIN\user and
DOMAIN\group. This is necessary as it allows Winbind to determine
that redirection to a domain controller is wanted for a particular
lookup and which trusted domain is being referenced.</p><p>Additionally, Winbind provides an authentication service
that hooks into the Pluggable Authentication Modules (PAM) system
to provide authentication via a NT domain to any PAM enabled
applications. This capability solves the problem of synchronizing
passwords between systems since all passwords are stored in a single
location (on the domain controller).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921756"></a>Target Uses</h3></div></div><div></div></div><p>Winbind is targeted at organizations that have an
existing NT based domain infrastructure into which they wish
to put UNIX workstations or servers. Winbind will allow these
organizations to deploy UNIX workstations without having to
maintain a separate account infrastructure. This greatly
simplifies the administrative overhead of deploying UNIX
workstations into a NT based organization.</p><p>Another interesting way in which we expect Winbind to
be used is as a central part of UNIX based appliances. Appliances
that provide file and print services to Microsoft based networks
will be able to use Winbind to provide seamless integration of
the appliance into the domain.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921786"></a>How Winbind Works</h2></div></div><div></div></div><p>The winbind system is designed around a client/server
architecture. A long running <b class="command">winbindd</b> daemon
listens on a UNIX domain socket waiting for requests
to arrive. These requests are generated by the NSS and PAM
clients and processed sequentially.</p><p>The technologies used to implement winbind are described
in detail below.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921815"></a>Microsoft Remote Procedure Calls</h3></div></div><div></div></div><p>Over the last few years, efforts have been underway
by various Samba Team members to decode various aspects of
the Microsoft Remote Procedure Call (MSRPC) system. This
system is used for most network related operations between
Windows NT machines including remote management, user authentication
and print spooling. Although initially this work was done
to aid the implementation of Primary Domain Controller (PDC)
functionality in Samba, it has also yielded a body of code which
can be used for other purposes.</p><p>Winbind uses various MSRPC calls to enumerate domain users
and groups and to obtain detailed information about individual
users or groups. Other MSRPC calls can be used to authenticate
NT domain users and to change user passwords. By directly querying
a Windows PDC for user and group information, winbind maps the
NT account information onto UNIX user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921849"></a>Microsoft Active Directory Services</h3></div></div><div></div></div><p>
Since late 2001, Samba has gained the ability to
interact with Microsoft Windows 2000 using its 'Native
Mode' protocols, rather than the NT4 RPC services.
Using LDAP and Kerberos, a domain member running
winbind can enumerate users and groups in exactly the
same way as a Win2k client would, and in so doing
provide a much more efficient and
effective winbind implementation.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921872"></a>Name Service Switch</h3></div></div><div></div></div><p>The Name Service Switch, or NSS, is a feature that is
present in many UNIX operating systems. It allows system
information such as hostnames, mail aliases and user information
to be resolved from different sources. For example, a standalone
UNIX workstation may resolve system information from a series of
flat files stored on the local filesystem. A networked workstation
may first attempt to resolve system information from local files,
and then consult a NIS database for user information or a DNS server
for hostname information.</p><p>The NSS application programming interface allows winbind
to present itself as a source of system information when
resolving UNIX usernames and groups. Winbind uses this interface,
and information obtained from a Windows NT server using MSRPC
calls, to provide a new source of account enumeration. Using standard
UNIX library calls, one can enumerate the users and groups on
a UNIX machine running winbind and see all users and groups in
a NT domain plus any trusted domain as though they were local
users and groups.</p><p>The primary control file for NSS is
<tt class="filename">/etc/nsswitch.conf</tt>.
When a UNIX application makes a request to do a lookup
the C library looks in <tt class="filename">/etc/nsswitch.conf</tt>
for a line which matches the service type being requested, for
example the "passwd" service type is used when user or group names
are looked up. This config line specifies which implementations
of that service should be tried and in what order. If the passwd
config line is:</p><pre class="programlisting">
passwd: files example
</pre><p>then the C library will first load a module called
<tt class="filename">/lib/libnss_files.so</tt> followed by
the module <tt class="filename">/lib/libnss_example.so</tt>. The
C library will dynamically load each of these modules in turn
and call resolver functions within the modules to try to resolve
the request. Once the request is resolved the C library returns the
result to the application.</p><p>This NSS interface provides a very easy way for Winbind
to hook into the operating system. All that needs to be done
is to put <tt class="filename">libnss_winbind.so</tt> in <tt class="filename">/lib/</tt>
then add "winbind" into <tt class="filename">/etc/nsswitch.conf</tt> at
the appropriate place. The C library will then call Winbind to
resolve user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922009"></a>Pluggable Authentication Modules</h3></div></div><div></div></div><p>Pluggable Authentication Modules, also known as PAM,
is a system for abstracting authentication and authorization
technologies. With a PAM module it is possible to specify different
authentication methods for different system applications without
having to recompile these applications. PAM is also useful
for implementing a particular policy for authorization. For example,
a system administrator may only allow console logins from users
stored in the local password file but only allow users resolved from
a NIS database to log in over the network.</p><p>Winbind uses the authentication management and password
management PAM interface to integrate Windows NT users into a
UNIX system. This allows Windows NT users to log in to a UNIX
machine and be authenticated against a suitable Primary Domain
Controller. These users can also change their passwords and have
this change take effect directly on the Primary Domain Controller.
</p><p>PAM is configured by providing control files in the directory
<tt class="filename">/etc/pam.d/</tt> for each of the services that
require authentication. When an authentication request is made
by an application the PAM code in the C library looks up this
control file to determine what modules to load to do the
authentication check and in what order. This interface makes adding
a new authentication service for Winbind very easy: all that needs
to be done is that the <tt class="filename">pam_winbind.so</tt> module
is copied to <tt class="filename">/lib/security/</tt> and the PAM
control files for relevant services are updated to allow
authentication via winbind. See the PAM documentation
for more details.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922081"></a>User and Group ID Allocation</h3></div></div><div></div></div><p>When a user or group is created under Windows NT
it is allocated a numerical relative identifier (RID). This is
slightly different to UNIX which has a range of numbers that are
used to identify users, and the same range in which to identify
groups. It is winbind's job to convert RIDs to UNIX id numbers and
vice versa. When winbind is configured it is given part of the UNIX
user id space and a part of the UNIX group id space in which to
store Windows NT users and groups. If a Windows NT user is
resolved for the first time, it is allocated the next UNIX id from
the range. The same process applies for Windows NT groups. Over
time, winbind will have mapped all Windows NT users and groups
to UNIX user ids and group ids.</p><p>The results of this mapping are stored persistently in
an ID mapping database held in a tdb file. This ensures that
RIDs are mapped to UNIX IDs in a consistent way.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922128"></a>Result Caching</h3></div></div><div></div></div><p>An active system can generate a lot of user and group
name lookups. To reduce the network cost of these lookups winbind
uses a caching scheme based on the SAM sequence number supplied
by NT domain controllers. User or group information returned
by a PDC is cached by winbind along with a sequence number also
returned by the PDC. This sequence number is incremented by
Windows NT whenever any user or group information is modified. If
a cached entry has expired, the sequence number is requested from
the PDC and compared against the sequence number of the cached entry.
If the sequence numbers do not match, then the cached information
is discarded and up to date information is requested directly
from the PDC.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2922156"></a>Installation and Configuration</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922164"></a>Introduction</h3></div></div><div></div></div><p>
This section describes the procedures used to get winbind up and
running. Winbind is capable of providing access
and authentication control for Windows Domain users through an NT
or Win2K PDC for 'regular' services, such as telnet and ftp, as
well as for SAMBA services.
</p><div class="itemizedlist"><ul type="disc"><li><p>
<span class="emphasis"><em>Why should I do this?</em></span>
</p><p>This allows the SAMBA administrator to rely on the
authentication mechanisms on the NT/Win2K PDC for the authentication
of domain members. NT/Win2K users no longer need to have separate
accounts on the SAMBA server.
</p></li><li><p>
<span class="emphasis"><em>Who should be reading this document?</em></span>
</p><p>
This HOWTO is designed for system administrators. If you are
implementing SAMBA on a file server and wish to (fairly easily)
integrate existing NT/Win2K users from your PDC onto the
SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
expert, so you may find a better or easier way to accomplish
these tasks.
</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922231"></a>Requirements</h3></div></div><div></div></div><p>
If you have a Samba configuration file that you are currently
using... <span class="emphasis"><em>BACK IT UP!</em></span> If your system already uses PAM,
<span class="emphasis"><em>back up the <tt class="filename">/etc/pam.d</tt> directory
contents!</em></span> If you haven't already made a boot disk,
<span class="emphasis"><em>MAKE ONE NOW!</em></span>
</p><p>
Messing with the PAM configuration files can make it nearly impossible
to log in to your machine. That's why you want to be able to boot back
into your machine in single user mode and restore the contents of
<tt class="filename">/etc/pam.d</tt> to their original state if
you get frustrated with the way things are going. ;-)
</p><p>
The latest version of SAMBA (version 3.0 as of this writing) now
includes a functioning winbindd daemon. Please refer to the
<a href="http://samba.org/" target="_top">main SAMBA web page</a> or,
better yet, your closest SAMBA mirror site for instructions on
downloading the source code.
</p><p>
To allow Domain users the ability to access SAMBA shares and
files, as well as potentially other services provided by your
SAMBA machine, PAM (pluggable authentication modules) must
be set up properly on your machine. In order to compile the
winbind modules, you should have at least the pam libraries resident
on your system. For recent RedHat systems (7.1, for instance), that
means <tt class="filename">pam-0.74-22</tt>. For best results, it is helpful to also
install the development packages in <tt class="filename">pam-devel-0.74-22</tt>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922333"></a>Testing Things Out</h3></div></div><div></div></div><p>
Before starting, it is probably best to kill off all the SAMBA
related daemons running on your server. Kill off all <span class="application">smbd</span>,
<span class="application">nmbd</span>, and <span class="application">winbindd</span> processes that may
be running. To use PAM, you will want to make sure that you have the
standard PAM package which supplies the <tt class="filename">/etc/pam.d</tt>
directory structure, including the pam modules that are used by pam-aware
services, several pam libraries, and the <tt class="filename">/usr/doc</tt>
and <tt class="filename">/usr/man</tt> entries for pam. Winbind builds better
in SAMBA if the pam-devel package is also installed. This package includes
the header files needed to compile pam-aware applications.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922395"></a>Configure <tt class="filename">nsswitch.conf</tt> and the
winbind libraries on Linux and Solaris</h4></div></div><div></div></div><p>
The libraries needed to run the <span class="application">winbindd</span> daemon
through nsswitch need to be copied to their proper locations, so:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>cp ../samba/source/nsswitch/libnss_winbind.so /lib</tt></b>
</pre><p>
I also found it necessary to make the following symbolic link:
</p><p>
<tt class="prompt">root# </tt> <b class="userinput"><tt>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</tt></b>
</p><p>And, in the case of Sun Solaris:</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</tt></b>
</pre><p>
Now, as root you need to edit <tt class="filename">/etc/nsswitch.conf</tt> to
allow user and group entries to be visible from the <span class="application">winbindd</span>
daemon. My <tt class="filename">/etc/nsswitch.conf</tt> file looks like
this after editing:
</p><pre class="programlisting">
passwd: files winbind
shadow: files
group: files winbind
</pre><p>
The libraries needed by the winbind daemon will be automatically
entered into the <b class="command">ldconfig</b> cache the next time
your system reboots, but it
is faster (and you don't need to reboot) if you do it manually:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>/sbin/ldconfig -v | grep winbind</tt></b>
</p><p>
This makes <tt class="filename">libnss_winbind</tt> available to winbindd
and echoes back a check to you.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922602"></a>NSS Winbind on AIX</h4></div></div><div></div></div><p>(This section is only for those running AIX)</p><p>
The winbind AIX identification module gets built as libnss_winbind.so in the
nsswitch directory of the samba source. This file can be copied to
/usr/lib/security, and the AIX naming convention would indicate that it
should be named WINBIND. A stanza like the following:
</p><pre class="programlisting">
WINBIND:
program = /usr/lib/security/WINBIND
options = authonly
</pre><p>can then be added to
<tt class="filename">/usr/lib/security/methods.cfg</tt>. This module only
supports identification, but there have been success reports using the
standard winbind pam module for authentication. Use caution configuring
loadable authentication modules, as a mistake can make it impossible
to log on to the system. More information about the AIX authentication
module API can be found at "Kernel Extensions and Device Support
Programming Concepts for AIX": <a href="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm" target="_top">
Chapter 18. Loadable Authentication Module Programming Interface</a>
and more information on administering the modules at <a href="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm" target="_top">
"System Management Guide: Operating System and Devices"</a>.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922674"></a>Configure smb.conf</h4></div></div><div></div></div><p>
Several parameters are needed in the <tt class="filename">smb.conf</tt> file to control
the behavior of <span class="application">winbindd</span>. These are described in more detail in
the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> man page. My
<tt class="filename">smb.conf</tt> file was modified to
include the following entries in the [global] section:
</p><div class="example"><a name="id2922722"></a><p class="title"><b>Example 21.1. smb.conf for winbind set-up</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>...</td></tr><tr><td># separate domain and username with '+', like DOMAIN+username</td></tr><tr><td><i class="parameter"><tt>winbind separator = +</tt></i></td></tr><tr><td># use uids from 10000 to 20000 for domain users</td></tr><tr><td><i class="parameter"><tt>idmap uid = 10000-20000</tt></i></td></tr><tr><td># use gids from 10000 to 20000 for domain groups</td></tr><tr><td><i class="parameter"><tt>winbind gid = 10000-20000</tt></i></td></tr><tr><td># allow enumeration of winbind users and groups</td></tr><tr><td><i class="parameter"><tt>winbind enum users = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>winbind enum groups = yes</tt></i></td></tr><tr><td># give winbind users a real shell (only needed if they have telnet access)</td></tr><tr><td><i class="parameter"><tt>template homedir = /home/winnt/%D/%U</tt></i></td></tr><tr><td><i class="parameter"><tt>template shell = /bin/bash</tt></i></td></tr></table></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922833"></a>Join the SAMBA server to the PDC domain</h4></div></div><div></div></div><p>
Enter the following command to make the SAMBA server join the
PDC domain, where <i class="replaceable"><tt>DOMAIN</tt></i> is the name of
your Windows domain and <i class="replaceable"><tt>Administrator</tt></i> is
a domain user who has administrative privileges in the domain.
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</tt></b>
</p><p>
The proper response to the command should be: "Joined the domain
<i class="replaceable"><tt>DOMAIN</tt></i>" where <i class="replaceable"><tt>DOMAIN</tt></i>
is your DOMAIN name.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922889"></a>Start up the winbindd daemon and test it!</h4></div></div><div></div></div><p>
Eventually, you will want to modify your smb startup script to
automatically invoke the winbindd daemon when the other parts of
SAMBA start, but it is possible to test out just the winbind
portion first. To start up winbind services, enter the following
command as root:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/winbindd</tt></b>
</p><p>
Winbindd can now also run in 'dual daemon mode'. This will make it
run as 2 processes. The first will answer all requests from the cache,
thus making responses to clients faster. The other will
update the cache for the query that the first has just responded to.
The advantage of this is that responses stay accurate and are faster.
You can enable dual daemon mode by adding <tt class="option">-B</tt> to the commandline:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/winbindd -B</tt></b>
</p><p>
I'm always paranoid and like to make sure the daemon
is really running...
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>ps -ae | grep winbindd</tt></b>
</p><p>
This command should produce output like this, if the daemon is running:
</p><pre class="screen">
3025 ? 00:00:00 winbindd
</pre><p>
Now... for the real test, try to get some information about the
users on your PDC:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/wbinfo -u</tt></b>
</p><p>
This should echo back a list of the Windows users on
your PDC. For example, I get the following response:
</p><pre class="screen">
CEO+Administrator
CEO+burdell
CEO+Guest
CEO+jt-ad
CEO+krbtgt
CEO+TsInternetUser
</pre><p>
Obviously, I have named my domain 'CEO' and my <a class="indexterm" name="id2923034"></a><i class="parameter"><tt>winbind separator</tt></i> is '+'.
</p><p>
You can do the same sort of thing to get group information from
the PDC:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/wbinfo -g</tt></b>
CEO+Domain Admins
CEO+Domain Users
CEO+Domain Guests
CEO+Domain Computers
CEO+Domain Controllers
CEO+Cert Publishers
CEO+Schema Admins
CEO+Enterprise Admins
CEO+Group Policy Creator Owners
</pre><p>
The 'getent' command can now be used to get unified
lists of both local and PDC users and groups.
Try the following command:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>getent passwd</tt></b>
</p><p>
You should get a list that looks like your <tt class="filename">/etc/passwd</tt>
list followed by the domain users with their new uids, gids, home
directories and default shells.
</p><p>
The same thing can be done for groups with the command
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>getent group</tt></b>
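The getent listings are where an idmap mistake first becomes visible, so the following added check (example code, not from this HOWTO or the Samba project) parses copies of nsswitch.conf and of getent passwd/group output and flags any domain entry whose allocated uid or gid lies outside the idmap range or collides with an id already used by a local account; it also illustrates the "User and Group ID Allocation" discussion earlier in the chapter. The separator, range and sample data are constructed to match Example 21.1; on a real host the three variables would be loaded from the live files and commands named in the comments.

```sh
#!/bin/sh
# Added example, not part of the Samba HOWTO: a post-install sanity check
# for the winbind setup described above. It works on copies of nsswitch.conf
# and of "getent passwd" / "getent group" output so that it runs offline;
# the samples below are constructed. On a real host load them with:
#   NSSWITCH=$(cat /etc/nsswitch.conf); PASSWD=$(getent passwd); GROUP=$(getent group)

# Values assumed to match the [global] settings of Example 21.1.
SEP='+'
IDMAP_LOW=10000
IDMAP_HIGH=20000

# Constructed copy of /etc/nsswitch.conf after editing.
NSSWITCH='passwd: files winbind
shadow: files
group: files winbind'

# Constructed "getent passwd" output: local accounts first (from files),
# then domain users whose uids were allocated from the idmap range.
PASSWD='root:x:0:0:root:/root:/bin/bash
jt:x:500:500:Local user:/home/jt:/bin/bash
CEO+Administrator:x:10000:10000:Administrator:/home/winnt/CEO/Administrator:/bin/bash
CEO+burdell:x:10001:10001:George Burdell:/home/winnt/CEO/burdell:/bin/bash
CEO+Guest:x:10002:10002:Guest:/home/winnt/CEO/Guest:/bin/bash'

# Constructed "getent group" output with two defects worth catching: a local
# group that was created inside the idmap range (so a domain group now shares
# its gid) and a domain gid that falls outside the configured range.
GROUP='root:x:0:
staff:x:10001:
CEO+Domain Admins:x:10000:
CEO+Domain Users:x:10001:
CEO+Domain Guests:x:10002:
CEO+Schema Admins:x:25000:'

# check_nsswitch DB: succeed only if "winbind" is listed as a source for DB
# (passwd or group) in the nsswitch.conf copy.
check_nsswitch() {
    printf '%s\n' "$NSSWITCH" |
        grep -E "^$1:.*[[:space:]]winbind([[:space:]]|\$)" >/dev/null
}

# bad_domain_ids TEXT: print one line per domain entry (name containing SEP)
# whose numeric id (field 3 of both passwd and group lines) is outside the
# idmap range or equals the id of a local entry. Prints nothing when clean.
bad_domain_ids() {
    printf '%s\n' "$1" | awk -F: -v sep="$SEP" -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" '
        # entries without the separator come from files: remember their ids
        index($1, sep) == 0 { local_name[$3] = $1; next }
        { dom_name[NR] = $1; dom_id[NR] = $3 }
        END {
            for (n = 1; n <= NR; n++) {
                if (!(n in dom_name)) continue
                id = dom_id[n] + 0
                if (id < lo + 0 || id > hi + 0)
                    print dom_name[n] ": id " id " outside idmap range " lo "-" hi
                if (dom_id[n] in local_name)
                    print dom_name[n] ": id " id " collides with local " local_name[dom_id[n]]
            }
        }'
}

# winbind_check: 0 when both NSS databases consult winbind and every domain
# uid and gid is inside the idmap range without colliding with a local id.
winbind_check() {
    check_nsswitch passwd && check_nsswitch group &&
        [ -z "$(bad_domain_ids "$PASSWD")" ] &&
        [ -z "$(bad_domain_ids "$GROUP")" ]
}

# Report on the constructed samples: passwd is clean, group has two findings.
bad_domain_ids "$PASSWD"
bad_domain_ids "$GROUP"
winbind_check && echo "winbind id mapping looks sane" || echo "winbind id mapping needs attention"
```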
11652 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923138"></a>Fix the init.d startup scripts</h4></div></div><div></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2923145"></a>Linux</h5></div></div><div></div></div><p>
11653 The <span class="application">winbindd</span> daemon needs to start up after the
11654 <span class="application">smbd</span> and <span class="application">nmbd</span> daemons are running.
To accomplish this task, you need to modify the startup scripts of your system.
They are located at <tt class="filename">/etc/init.d/smb</tt> in RedHat and
<tt class="filename">/etc/init.d/samba</tt> in Debian. Edit the
script to add commands to invoke this daemon in the proper sequence. My
startup script starts up <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> from the
<tt class="filename">/usr/local/samba/bin</tt> directory directly. The 'start'
function in the script looks like this:
</p><pre class="programlisting">
start() {
    KIND="SMB"
    echo -n $"Starting $KIND services: "
    daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
    RETVAL=$?
    echo
    KIND="NMB"
    echo -n $"Starting $KIND services: "
    daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
    RETVAL2=$?
    echo
    KIND="Winbind"
    echo -n $"Starting $KIND services: "
    daemon /usr/local/samba/bin/winbindd
    RETVAL3=$?
    echo
    # Mark the subsystem as running only if all three daemons started
    [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; \
        touch /var/lock/subsys/smb || RETVAL=1
    return $RETVAL
}
</pre><p>If you would like to run winbindd in dual daemon mode, replace
the line
</p><pre class="programlisting">
daemon /usr/local/samba/bin/winbindd
</pre><p>
in the example above with:
</p><pre class="programlisting">
daemon /usr/local/samba/bin/winbindd -B
</pre><p>
11695 The 'stop' function has a corresponding entry to shut down the
11696 services and looks like this:
</p><pre class="programlisting">
stop() {
    KIND="SMB"
    echo -n $"Shutting down $KIND services: "
    killproc smbd
    RETVAL=$?
    echo
    KIND="NMB"
    echo -n $"Shutting down $KIND services: "
    killproc nmbd
    RETVAL2=$?
    echo
    KIND="Winbind"
    echo -n $"Shutting down $KIND services: "
    killproc winbindd
    RETVAL3=$?
    # Remove the subsystem lock only if all three daemons stopped cleanly
    [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; \
        rm -f /var/lock/subsys/smb
    echo ""
    return $RETVAL
}
11718 </pre></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2923308"></a>Solaris</h5></div></div><div></div></div><p>Winbind doesn't work on Solaris 9, see the <a href="#winbind-solaris9" title="Winbind on Solaris 9">Portability</a> chapter for details.</p><p>On Solaris, you need to modify the
11719 <tt class="filename">/etc/init.d/samba.server</tt> startup script. It usually
11720 only starts smbd and nmbd but should now start winbindd too. If you
11721 have samba installed in <tt class="filename">/usr/local/samba/bin</tt>,
the file could contain something like this:
</p><pre class="programlisting">
#!/bin/sh
## samba.server

if [ ! -d /usr/bin ]
then # /usr not mounted
    exit
fi

killproc() { # kill the named process(es)
    pid=`/usr/bin/ps -e |
        /usr/bin/grep -w $1 |
        /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
    [ "$pid" != "" ] &amp;&amp; kill $pid
}

# Start/stop processes required for samba server

case "$1" in

'start')
    # Edit these lines to suit your installation (paths, workgroup, host)
    echo Starting SMBD
    /usr/local/samba/bin/smbd -D -s \
        /usr/local/samba/smb.conf

    echo Starting NMBD
    /usr/local/samba/bin/nmbd -D -l \
        /usr/local/samba/var/log -s /usr/local/samba/smb.conf

    echo Starting Winbind Daemon
    /usr/local/samba/bin/winbindd
    ;;

'stop')
    killproc nmbd
    killproc smbd
    killproc winbindd
    ;;

*)
    echo "Usage: /etc/init.d/samba.server { start | stop }"
    ;;
esac
11770 </pre><p>
Again, if you would like to run winbindd in dual daemon mode, replace
11772 </p><pre class="programlisting">
11773 /usr/local/samba/bin/winbindd
11774 </pre><p>
11776 in the script above with:
11778 </p><pre class="programlisting">
11779 /usr/local/samba/bin/winbindd -B
11780 </pre><p>
11781 </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2923426"></a>Restarting</h5></div></div><div></div></div><p>
11782 If you restart the <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> daemons at this point, you
11783 should be able to connect to the samba server as a domain member just as
11784 if you were a local user.
11785 </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923462"></a>Configure Winbind and PAM</h4></div></div><div></div></div><p>
11786 If you have made it this far, you know that winbindd and samba are working
11787 together. If you want to use winbind to provide authentication for other
11788 services, keep reading. The pam configuration files need to be altered in
11789 this step. (Did you remember to make backups of your original
11790 <tt class="filename">/etc/pam.d</tt> files? If not, do it now.)
11791 </p><p>
11792 You will need a pam module to use winbindd with these other services. This
11793 module will be compiled in the <tt class="filename">../source/nsswitch</tt> directory
11794 by invoking the command
11795 </p><p>
11796 <tt class="prompt">root# </tt><b class="userinput"><tt>make nsswitch/pam_winbind.so</tt></b>
11797 </p><p>
11798 from the <tt class="filename">../source</tt> directory. The
11799 <tt class="filename">pam_winbind.so</tt> file should be copied to the location of
11800 your other pam security modules. On my RedHat system, this was the
11801 <tt class="filename">/lib/security</tt> directory. On Solaris, the pam security
11802 modules reside in <tt class="filename">/usr/lib/security</tt>.
11803 </p><p>
11804 <tt class="prompt">root# </tt><b class="userinput"><tt>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</tt></b>
11805 </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2923568"></a>Linux/FreeBSD-specific PAM configuration</h5></div></div><div></div></div><p>
11806 The <tt class="filename">/etc/pam.d/samba</tt> file does not need to be changed. I
11807 just left this file as it was:
11808 </p><pre class="programlisting">
11809 auth required /lib/security/pam_stack.so service=system-auth
11810 account required /lib/security/pam_stack.so service=system-auth
11811 </pre><p>
11812 The other services that I modified to allow the use of winbind
11813 as an authentication service were the normal login on the console (or a terminal
11814 session), telnet logins, and ftp service. In order to enable these
11815 services, you may first need to change the entries in
11816 <tt class="filename">/etc/xinetd.d</tt> (or <tt class="filename">/etc/inetd.conf</tt>).
RedHat 7.1 uses the new xinetd.d structure; in this case you need
to change the lines in <tt class="filename">/etc/xinetd.d/telnet</tt>
and <tt class="filename">/etc/xinetd.d/wu-ftp</tt> from
</p><pre class="programlisting">
enable = no
</pre><p>
to
</p><pre class="programlisting">
enable = yes
</pre><p>
11827 For ftp services to work properly, you will also need to either
11828 have individual directories for the domain users already present on
11829 the server, or change the home directory template to a general
11830 directory for all domain users. These can be easily set using
11831 the <tt class="filename">smb.conf</tt> global entry
11832 <a class="indexterm" name="id2923675"></a><i class="parameter"><tt>template homedir</tt></i>.
11833 </p><p>
11834 The <tt class="filename">/etc/pam.d/ftp</tt> file can be changed
11835 to allow winbind ftp access in a manner similar to the
11836 samba file. My <tt class="filename">/etc/pam.d/ftp</tt> file was
11837 changed to look like this:
11838 </p><pre class="programlisting">
11839 auth required /lib/security/pam_listfile.so item=user sense=deny \
11840 file=/etc/ftpusers onerr=succeed
11841 auth sufficient /lib/security/pam_winbind.so
11842 auth required /lib/security/pam_stack.so service=system-auth
11843 auth required /lib/security/pam_shells.so
11844 account sufficient /lib/security/pam_winbind.so
11845 account required /lib/security/pam_stack.so service=system-auth
11846 session required /lib/security/pam_stack.so service=system-auth
11847 </pre><p>
11848 The <tt class="filename">/etc/pam.d/login</tt> file can be changed nearly the
11849 same way. It now looks like this:
11850 </p><pre class="programlisting">
11851 auth required /lib/security/pam_securetty.so
11852 auth sufficient /lib/security/pam_winbind.so
11853 auth sufficient /lib/security/pam_unix.so use_first_pass
11854 auth required /lib/security/pam_stack.so service=system-auth
11855 auth required /lib/security/pam_nologin.so
11856 account sufficient /lib/security/pam_winbind.so
11857 account required /lib/security/pam_stack.so service=system-auth
11858 password required /lib/security/pam_stack.so service=system-auth
11859 session required /lib/security/pam_stack.so service=system-auth
11860 session optional /lib/security/pam_console.so
11861 </pre><p>
11862 In this case, I added the </p><pre class="programlisting">auth sufficient /lib/security/pam_winbind.so</pre><p>
11863 lines as before, but also added the </p><pre class="programlisting">required pam_securetty.so</pre><p>
11864 above it, to disallow root logins over the network. I also added a
11865 </p><pre class="programlisting">sufficient /lib/security/pam_unix.so use_first_pass</pre><p>
11866 line after the <b class="command">winbind.so</b> line to get rid of annoying
11867 double prompts for passwords.
11868 </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2923800"></a>Solaris-specific configuration</h5></div></div><div></div></div><p>
The <tt class="filename">/etc/pam.conf</tt> file needs to be changed. I changed this file so that my domain
users can log on both locally and via telnet. The following are the changes
that I made. You can customize the pam.conf file as per your requirements, but
be sure of those changes because in the worst case they will leave your system
nearly impossible to boot.
11874 </p><pre class="programlisting">
11876 #ident "@(#)pam.conf 1.14 99/09/16 SMI"
11878 # Copyright (c) 1996-1999, Sun Microsystems, Inc.
11879 # All Rights Reserved.
11881 # PAM configuration
11883 # Authentication management
11885 login auth required /usr/lib/security/pam_winbind.so
11886 login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
11887 login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
11889 rlogin auth sufficient /usr/lib/security/pam_winbind.so
11890 rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
11891 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
11893 dtlogin auth sufficient /usr/lib/security/pam_winbind.so
11894 dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
11896 rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
11897 other auth sufficient /usr/lib/security/pam_winbind.so
11898 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
11900 # Account management
11902 login account sufficient /usr/lib/security/pam_winbind.so
11903 login account requisite /usr/lib/security/$ISA/pam_roles.so.1
11904 login account required /usr/lib/security/$ISA/pam_unix.so.1
11906 dtlogin account sufficient /usr/lib/security/pam_winbind.so
11907 dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
11908 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
11910 other account sufficient /usr/lib/security/pam_winbind.so
11911 other account requisite /usr/lib/security/$ISA/pam_roles.so.1
11912 other account required /usr/lib/security/$ISA/pam_unix.so.1
11914 # Session management
11916 other session required /usr/lib/security/$ISA/pam_unix.so.1
11918 # Password management
11920 #other password sufficient /usr/lib/security/pam_winbind.so
11921 other password required /usr/lib/security/$ISA/pam_unix.so.1
11922 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
11924 # Support for Kerberos V5 authentication (uncomment to use Kerberos)
11926 #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
11927 #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
11928 #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
11929 #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
11930 #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
11931 #other account optional /usr/lib/security/$ISA/pam_krb5.so.1
11932 #other session optional /usr/lib/security/$ISA/pam_krb5.so.1
11933 #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
11934 </pre><p>
11935 I also added a try_first_pass line after the winbind.so line to get rid of
11936 annoying double prompts for passwords.
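</p><p>
The control-flag behaviour that the Linux <tt class="filename">/etc/pam.d/login</tt> listing and the Solaris <tt class="filename">/etc/pam.conf</tt> listing above rely on, as an added example that is not part of this HOWTO: it parses both file formats and walks an auth stack with the classic required/requisite/sufficient/optional semantics over constructed per-module outcomes, which shows why a required <tt class="filename">pam_securetty.so</tt> above a sufficient <tt class="filename">pam_winbind.so</tt> still rejects root over the network while domain and local users both get in.
</p>
```python
"""PAM auth-stack walk for the pam_winbind listings in this section (added
example, not part of the Samba HOWTO).  parse_pam() reads Linux pam.d lines
('type control module [args]') and Solaris pam.conf lines ('service type
control module [args]'); evaluate_auth() applies the classic control flags to
constructed per-module outcomes (no real PAM module is run)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PamEntry:
    service: str
    type: str       # auth, account, password or session
    control: str    # required, requisite, sufficient or optional
    module: str     # basename only, e.g. 'pam_winbind.so'
    args: List[str]


def parse_pam(text: str, service: Optional[str] = None):
    """pam.d file: pass its name as 'service'; pam.conf: service=None, first
    column.  Handles '#' comments and backslash continuations (ftp listing)."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        fields, pending = (pending + line).split(), ""
        if not fields:
            continue
        svc = service if service is not None else fields.pop(0)
        ptype, control, path, *args = fields
        entries.append(PamEntry(svc, ptype, control, path.rsplit("/", 1)[-1], args))
    return entries


def stack_for(entries: List[PamEntry], service: str, ptype: str = "auth"):
    """One service's lines for one group; pam.conf falls back to 'other'."""
    chosen = [e for e in entries if e.service == service and e.type == ptype]
    return chosen or [e for e in entries if e.service == "other" and e.type == ptype]


def evaluate_auth(stack: List[PamEntry], outcomes: Dict[str, bool]):
    """Linux-PAM style walk.  'outcomes' maps a module basename to whether it
    would succeed; an unlisted module fails (e.g. pam_unix for a domain user)."""
    impression = None       # None: undecided, True: will pass, False: will fail
    last_ok = False
    for e in stack:
        ok = last_ok = outcomes.get(e.module, False)
        if e.control == "required":
            if not ok:
                impression = False  # keep walking so no module is skipped, but fail
            elif impression is None:
                impression = True
        elif e.control == "requisite":
            if not ok:
                return False        # stop immediately
            if impression is None:
                impression = True
        elif e.control == "sufficient":
            if ok and impression is not False:
                return True         # nothing below this line runs
            # a failing 'sufficient' module is simply ignored; 'optional' never decides
    return last_ok if impression is None else impression


# Copied from the /etc/pam.d/login listing above.
LINUX_LOGIN = """\
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
"""

# The rlogin and 'other' auth lines from the Solaris pam.conf listing above.
SOLARIS_PAM_CONF = """\
rlogin auth sufficient /usr/lib/security/pam_winbind.so
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
other auth sufficient /usr/lib/security/pam_winbind.so
other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
"""


def linux_login_decisions():
    """Constructed scenarios against the Linux login stack, mapped to the
    final auth decision each produces."""
    stack = stack_for(parse_pam(LINUX_LOGIN, service="login"), "login")
    cases = {
        # domain account at the console: sufficient pam_winbind ends the stack
        "domain user on console": {"pam_securetty.so": True, "pam_winbind.so": True},
        # local-only account: winbind fails and is ignored, pam_unix succeeds
        "local user on console": {"pam_securetty.so": True, "pam_unix.so": True},
        # root on a tty not in /etc/securetty: the required failure is remembered,
        # so the later sufficient successes cannot rescue the login
        "root over network": {"pam_winbind.so": True, "pam_unix.so": True,
                              "pam_stack.so": True, "pam_nologin.so": True},
    }
    return {name: evaluate_auth(stack, outcome) for name, outcome in cases.items()}
```
<p>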
11937 </p><p>
11938 Now restart your Samba and try connecting through your application that you
11939 configured in the pam.conf.
11940 </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2923890"></a>Conclusion</h2></div></div><div></div></div><p>The winbind system, through the use of the Name Service
11941 Switch, Pluggable Authentication Modules, and appropriate
Microsoft RPC calls, has allowed us to provide seamless
11943 integration of Microsoft Windows NT domain users on a
11944 UNIX system. The result is a great reduction in the administrative
11945 cost of running a mixed UNIX and NT network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2923909"></a>Common Errors</h2></div></div><div></div></div><p>Winbind has a number of limitations in its current
11946 released version that we hope to overcome in future
11947 releases:</p><div class="itemizedlist"><ul type="disc"><li><p>Winbind is currently only available for
11948 the Linux, Solaris, AIX and IRIX operating systems, although ports to other operating
11949 systems are certainly possible. For such ports to be feasible,
11950 we require the C library of the target operating system to
11951 support the Name Service Switch and Pluggable Authentication
11952 Modules systems. This is becoming more common as NSS and
PAM gain support among UNIX vendors.</p></li><li><p>The mapping of Windows NT RIDs to UNIX ids
is not made algorithmically and depends on the order in which
unmapped users or groups are seen by winbind. It may be difficult
to recover the RID to UNIX id mappings if the file
containing this information is corrupted or destroyed.</p></li><li><p>Currently the winbind PAM module does not take
into account possible workstation and logon time restrictions
that may have been set for Windows NT users; this is
11960 instead up to the PDC to enforce.</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923962"></a>NSCD Problem Warning</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
11961 Do NOT under ANY circumstances run <b class="command">nscd</b> on any system
11962 on which <b class="command">winbind</b> is running.
11963 </p></div><p>
11964 If <b class="command">nscd</b> is running on the UNIX/Linux system, then
11965 even though NSSWITCH is correctly configured it will NOT be possible to resolve
11966 domain users and groups for file and directory controls.
11967 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AdvancedNetworkManagement"></a>Chapter 22. Advanced Network Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2924071">Features and Benefits</a></dt><dt><a href="#id2924101">Remote Server Administration</a></dt><dt><a href="#id2924200">Remote Desktop Management</a></dt><dd><dl><dt><a href="#id2924218">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="#id2924438">Network Logon Script Magic</a></dt><dd><dl><dt><a href="#id2924711">Adding printers without user intervention</a></dt></dl></dd><dt><a href="#id2924744">Common Errors</a></dt></dl></div><p>
11968 This section documents peripheral issues that are of great importance to network
11969 administrators who want to improve network resource access control, to automate the user
11970 environment, and to make their lives a little easier.
11971 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924071"></a>Features and Benefits</h2></div></div><div></div></div><p>
Often the difference between a working network environment and a well appreciated one can
best be measured by the <span class="emphasis"><em>little things</em></span> that make everything work more
harmoniously. A key part of every network environment solution is the ability to remotely
manage MS Windows workstations, to remotely access the Samba server, to provide customised
logon scripts, as well as other housekeeping activities that help to sustain more reliable
network operations.
11978 </p><p>
This chapter presents information on each of these areas. They are placed here, and not in
other chapters, for ease of reference.
11981 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924101"></a>Remote Server Administration</h2></div></div><div></div></div><p>
11982 <span class="emphasis"><em>How do I get 'User Manager' and 'Server Manager'?</em></span>
11983 </p><p>
Since I don't need to buy an <span class="application">NT4 Server</span>, how do I get the 'User Manager for Domains'
and the 'Server Manager'?
11986 </p><p>
Microsoft distributes a version of these tools called nexus for installation
on <span class="application">Windows 9x / Me</span> systems. The tool set includes:
11989 </p><table class="simplelist" border="0" summary="Simple list"><tr><td>Server Manager</td></tr><tr><td>User Manager for Domains</td></tr><tr><td>Event Viewer</td></tr></table><p>
The archived file can be downloaded from <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</a>
11991 </p><p>
11992 The <span class="application">Windows NT 4.0</span> version of the 'User Manager for
11993 Domains' and 'Server Manager' are available from Microsoft via ftp
11994 from <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</a>
11995 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924200"></a>Remote Desktop Management</h2></div></div><div></div></div><p>
There are a number of possible remote desktop management solutions that range from free
through costly. Do not let that put you off. Sometimes the most costly solution is the
most cost effective. In any case, you will need to draw your own conclusions as to which
is the best tool in your network environment.
12000 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924218"></a>Remote Management from NoMachines.Com</h3></div></div><div></div></div><p>
The following information was posted to the Samba mailing list on Apr 3 23:33:50 GMT 2003.
12002 It is presented in slightly edited form (with author details omitted for privacy reasons).
12003 The entire answer is reproduced below with some comments removed.
12004 </p><p>
12005 </p><pre class="screen">
12006 &gt; I have a wonderful linux/samba server running as PDC for a network.
12007 &gt; Now I would like to add remote desktop capabilities so that
12008 &gt; users outside could login to the system and get their desktop up from
12009 &gt; home or another country..
12010 &gt;
12011 &gt; Is there a way to accomplish this? Do I need a windows terminal server?
12012 &gt; Do I need to configure it so that it is a member of the domain or a
12013 &gt; BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
12014 &gt; even if the computer is in a domain?
12015 &gt;
12016 &gt; Any ideas/experience would be appreciated :)
12017 </pre><p>
12018 </p><p>
12019 Answer provided: Check out the new offer from NoMachine, "NX" software:
12020 <a href="http://www.nomachine.com/" target="_top">http://www.nomachine.com/</a>.
12021 </p><p>
12022 It implements a very easy-to-use interface to the remote X protocol as
12023 well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
12024 performance much better than anything you may have ever seen...
12025 </p><p>
12026 Remote X is not new at all -- but what they did achieve successfully is
12027 a new way of compression and caching technologies which makes the thing
12028 fast enough to run even over slow modem/ISDN connections.
12029 </p><p>
12030 I could test drive their (public) RedHat machine in Italy, over a loaded
12031 internet connection, with enabled thumbnail previews in KDE konqueror
12032 which popped up immediately on "mouse-over". From inside that (remote X)
12033 session I started a rdesktop session on another, a Windows XP machine.
12034 To test the performance, I played Pinball. I am proud to announce here
12035 that my score was 631750 points at first try...
12036 </p><p>
12037 NX performs better on my local LAN than any of the other "pure"
12038 connection methods I am using from time to time: TightVNC, rdesktop or
12039 remote X. It is even faster than a direct crosslink connection between
12040 two nodes.
12041 </p><p>
12042 I even got sound playing from the remote X app to my local boxes, and
12043 had a working "copy'n'paste" from an NX window (running a KDE session
12044 in Italy) to my Mozilla mailing agent... These guys are certainly doing
12045 something right!
12046 </p><p>
I recommend test driving NX to anybody with only a remote interest
in remote computing
12049 <a href="http://www.nomachine.com/testdrive.php" target="_top">http://www.nomachine.com/testdrive.php</a>.
12050 </p><p>
12051 Just download the free of charge client software (available for RedHat,
12052 SuSE, Debian and Windows) and be up and running within 5 minutes (they
12053 need to send you your account data, though, because you are assigned
12054 a real Unix account on their testdrive.nomachine.com box...
12055 </p><p>
They plan to get to the point where you can have NX application servers
12057 running as a cluster of nodes, and users simply start an NX session locally,
12058 and can select applications to run transparently (apps may even run on
12059 another NX node, but pretend to be on the same as used for initial login,
12060 because it displays in the same window.... well, you also can run it
12061 fullscreen, and after a short time you forget that it is a remote session
12062 at all).
12063 </p><p>
12064 Now the best thing at the end: all the core compression and caching
12065 technologies are released under the GPL and available as source code
12066 to anybody who wants to build on it! These technologies are working,
12067 albeit started from the command line only (and very inconvenient to
12068 use in order to get a fully running remote X session up and running....)
12069 </p><p>
12070 To answer your questions:
12071 </p><div class="itemizedlist"><ul type="disc"><li><p>
12072 You don't need to install a terminal server; XP has RDP support built in.
12073 </p></li><li><p>
12074 NX is much cheaper than Citrix -- and comparable in performance, probably faster
12075 </p></li><li><p>
12076 You don't need to hack XP -- it just works
12077 </p></li><li><p>
12078 You log into the XP box from remote transparently (and I think there is no
12079 need to change anything to get a connection, even if authentication is against a domain)
12080 </p></li><li><p>
12081 The NX core technologies are all Open Source and released under the GPL --
12082 you can today use a (very inconvenient) commandline to use it at no cost,
12083 but you can buy a comfortable (proprietary) NX GUI frontend for money
12084 </p></li><li><p>
12085 NoMachine are encouraging and offering help to OSS/Free Software implementations
12086 for such a frontend too, even if it means competition to them (they have written
12087 to this effect even to the LTSP, KDE and GNOME developer mailing lists)
12088 </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924438"></a>Network Logon Script Magic</h2></div></div><div></div></div><p>
12089 This section needs work. Volunteer contributions most welcome. Please send your patches or updates
12090 to <a href="mailto:jht@samba.org" target="_top">John Terpstra</a>.
12091 </p><p>
12092 There are several opportunities for creating a custom network startup configuration environment.
12093 </p><table class="simplelist" border="0" summary="Simple list"><tr><td>No Logon Script</td></tr><tr><td>Simple universal Logon Script that applies to all users</td></tr><tr><td>Use of a conditional Logon Script that applies per user or per group attributes</td></tr><tr><td>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
a custom Logon Script and then execute it.</td></tr><tr><td>Use of a tool such as KiXtart</td></tr></table><p>
The Samba source code tree includes two logon script generation/execution tools.
See the <tt class="filename">genlogon</tt> and <tt class="filename">ntlogon</tt>
subdirectories of the <tt class="filename">examples</tt> directory.
12098 </p><p>
12099 The following listings are from the genlogon directory.
12100 </p><p>
12101 This is the <tt class="filename">genlogon.pl</tt> file:
</p><pre class="programlisting">
#!/usr/bin/perl
#
# genlogon.pl
#
# Perl script to generate user logon scripts on the fly, when users
# connect from a Windows client. This script should be called from smb.conf
# with the %U, %G and %L parameters. I.e:
#
#       root preexec = genlogon.pl %U %G %L
#
# The script generated will perform
# the following:
#
# 1. Log the user connection to /var/log/samba/netlogon.log
# 2. Set the PC's time to the Linux server time (which is maintained
#    daily to the National Institute of Standard's Atomic clock on the
#    internet.
# 3. Connect the user's home drive to H: (H for Home).
# 4. Connect common drives that everyone uses.
# 5. Connect group-specific drives for certain user groups.
# 6. Connect user-specific drives for certain users.
# 7. Connect network printers.

use strict;
use warnings;

# $ARGV[0] = %U (user name), $ARGV[1] = %G (primary group), $ARGV[2] = %L (server name)
my ($user, $group, $server) = @ARGV;

# Log client connection. localtime() gives a 0-based month and years since 1900,
# so both are adjusted before being written.
my ($sec, $min, $hour, $mday, $mon, $year) = localtime(time);
open(my $log, '&gt;&gt;', '/var/log/samba/netlogon.log')
    or die "cannot append to /var/log/samba/netlogon.log: $!";
printf $log "%02d/%02d/%04d %02d:%02d:%02d - User %s logged into %s\n",
    $mon + 1, $mday, $year + 1900, $hour, $min, $sec, $user, $group;
close $log;

# Start generating logon script
open(my $logon, '&gt;', "/shared/netlogon/$user.bat")
    or die "cannot create /shared/netlogon/$user.bat: $!";
print $logon "\@ECHO OFF\r\n";

# Connect shares just used by Software Development group
if ($group eq "SOFTDEV" || $user eq "softdev")
{
    print $logon "NET USE M: \\\\$server\\SOURCE\r\n";
}

# Connect shares just used by Technical Support staff
if ($group eq "SUPPORT" || $user eq "support")
{
    print $logon "NET USE S: \\\\$server\\SUPPORT\r\n";
}

# Connect shares just used by Administration staff
if ($group eq "ADMIN" || $user eq "admin")
{
    print $logon "NET USE L: \\\\$server\\ADMIN\r\n";
    print $logon "NET USE K: \\\\$server\\MKTING\r\n";
}

# Now connect Printers. We handle just two or three users a little
# differently, because they are the exceptions that have desktop
# printers on LPT1: - all other users go to the LaserJet on the
# server.
if ($user eq 'jim' || $user eq 'yvonne')
{
    print $logon "NET USE LPT2: \\\\$server\\LJET3\r\n";
    print $logon "NET USE LPT3: \\\\$server\\FAXQ\r\n";
}
else
{
    print $logon "NET USE LPT1: \\\\$server\\LJET3\r\n";
    print $logon "NET USE LPT3: \\\\$server\\FAXQ\r\n";
}

# All done! Close the output file.
close $logon;
12175 </pre><p>
12176 </p><p>
Those wishing to use a more elaborate or capable logon processing system should check out the following sites:
12178 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a href="http://www.craigelachie.org/rhacer/ntlogon" target="_top">http://www.craigelachie.org/rhacer/ntlogon</a></td></tr><tr><td><a href="http://www.kixtart.org" target="_top">http://www.kixtart.org</a></td></tr><tr><td><a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">http://support.microsoft.com/default.asp?scid=kb;en-us;189105</a></td></tr></table><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924711"></a>Adding printers without user intervention</h3></div></div><div></div></div><p>
12179 Printers may be added automatically during logon script processing through the use of:
12181 </p><pre class="programlisting">
12182 rundll32 printui.dll,PrintUIEntry /?
12183 </pre><p>
12185 See the documentation in the <a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">Microsoft knowledgebase article no: 189105</a>.
12186 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924744"></a>Common Errors</h2></div></div><div></div></div><p>
12187 The information provided in this chapter has been reproduced from postings on the samba@samba.org
12188 mailing list. No implied endorsement or recommendation is offered. Administrators should conduct
12189 their own evaluation of alternatives and are encouraged to draw their own conclusions.
12190 </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 23. System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2924822">Features and Benefits</a></dt><dt><a href="#id2924888">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="#id2924999">Windows 9x/Me Policies</a></dt><dt><a href="#id2925094">Windows NT4 Style Policy Files</a></dt><dt><a href="#id2925227">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="#id2925491">Managing Account/User Policies</a></dt><dd><dl><dt><a href="#id2925596">Samba Editreg Toolset</a></dt><dt><a href="#id2925636">Windows NT4/200x</a></dt><dt><a href="#id2925655">Samba PDC</a></dt></dl></dd><dt><a href="#id2925700">System Startup and Logon Processing Overview</a></dt><dt><a href="#id2925851">Common Errors</a></dt><dd><dl><dt><a href="#id2925865">Policy Does Not Work</a></dt></dl></dd></dl></div><p>
This chapter summarises the current state of knowledge, derived from personal
practice and from contributions by samba mailing list subscribers. Before posted
information was reproduced here, an effort was made to validate it. Where that
validation uncovered additional information, it is provided as well.
12196 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924822"></a>Features and Benefits</h2></div></div><div></div></div><p>
When MS Windows NT3.5 was introduced the hot new topic was the ability to implement
Group Policies for users and groups. Then along came MS Windows NT4 and a few sites
started to adopt this capability. How do we know that? By way of the number of "booboos"
(or mistakes) administrators made and then requested help to resolve.
12201 </p><p>
By the time that MS Windows 2000 and Active Directory were released, administrators
had got the message: Group Policies are a good thing! They can help reduce administrative
costs and can actually help to create happier users. But the true potential of
MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
and machines was picked up on rather slowly. This was very obvious from the samba
mailing list: in 2000 and 2001 there were very few postings regarding GPOs and
how to replicate them in a Samba environment.
12209 </p><p>
12210 Judging by the traffic volume since mid 2002, GPOs have become a standard part of
12211 the deployment in many sites. This chapter reviews techniques and methods that can
12212 be used to exploit opportunities for automation of control over user desktops and
12213 network client workstations.
12214 </p><p>
12215 A tool new to Samba may become an important part of the future Samba Administrators'
12216 arsenal. The <b class="command">editreg</b> tool is described in this document.
12217 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924888"></a>Creating and Managing System Policies</h2></div></div><div></div></div><p>
Under MS Windows platforms (particularly those following the release of MS Windows
NT4 and MS Windows 95) it is possible to create a type of file that is placed
in the NETLOGON share of a domain controller. As the client logs onto the network
this file is read and its contents initiate changes to the registry of the client
machine. This file allows changes to be made to those parts of the registry that
affect users, groups of users, or machines.
12224 </p><p>
12225 For MS Windows 9x/Me this file must be called <tt class="filename">Config.POL</tt> and may
12226 be generated using a tool called <tt class="filename">poledit.exe</tt>, better known as the
12227 Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
12228 disappeared again with the introduction of MS Windows Me (Millennium Edition). From
12229 comments from MS Windows network administrators it would appear that this tool became
12230 a part of the MS Windows Me Resource Kit.
12231 </p><p>
12232 MS Windows NT4 Server products include the <span class="emphasis"><em>System Policy Editor</em></span>
12233 under the <tt class="filename">Start -&gt; Programs -&gt; Administrative Tools</tt> menu item.
12234 For MS Windows NT4 and later clients this file must be called <tt class="filename">NTConfig.POL</tt>.
12235 </p><p>
12236 New with the introduction of MS Windows 2000 was the Microsoft Management Console
12237 or MMC. This tool is the new wave in the ever changing landscape of Microsoft
12238 methods for management of network access and security. Every new Microsoft product
12239 or technology seems to obsolete the old rules and to introduce newer and more
12240 complex tools and methods. To Microsoft's credit though, the MMC does appear to
12241 be a step forward, but improved functionality comes at a great price.
12242 </p><p>
Before embarking on the configuration of network and system policies it is highly
advisable to read the Microsoft document
<a href="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" target="_top">
Implementing Profiles and Policies in Windows NT 4.0</a>.
There are a large number of documents in addition to this old one that should also
be read and understood. Try searching the Microsoft web site for "Group Policies".
12249 </p><p>
12250 What follows is a very brief discussion with some helpful notes. The information provided
12251 here is incomplete - you are warned.
12252 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924999"></a>Windows 9x/Me Policies</h3></div></div><div></div></div><p>
You need the Win98 Group Policy Editor to set up Group Policies under Windows 9x/Me.
It can be found on the original full product Win98 installation CD under
<tt class="filename">tools/reskit/netadmin/poledit</tt>. Install it using the
Add/Remove Programs facility and then click on the 'Have Disk' tab.
12257 </p><p>
12258 Use the Group Policy Editor to create a policy file that specifies the location of
12259 user profiles and/or the <tt class="filename">My Documents</tt> etc. Then save these
12260 settings in a file called <tt class="filename">Config.POL</tt> that needs to be placed in the
12261 root of the <i class="parameter"><tt>[NETLOGON]</tt></i> share. If Win98 is configured to log onto
12262 the Samba Domain, it will automatically read this file and update the Win9x/Me registry
12263 of the machine as it logs on.
12264 </p><p>
12265 Further details are covered in the Win98 Resource Kit documentation.
12266 </p><p>
If you do not take the right steps, then every so often Win9x/Me will check the
integrity of the registry and will restore its settings from the back-up
copy of the registry it stores on each Win9x/Me machine. Hence, you will
occasionally notice things changing back to the original settings.
12271 </p><p>
12272 Install the group policy handler for Win9x to pick up group policies. Look on the
12273 Win98 CD in <tt class="filename">\tools\reskit\netadmin\poledit</tt>.
12274 Install group policies on a Win9x client by double-clicking
12275 <tt class="filename">grouppol.inf</tt>. Log off and on again a couple of times and see
12276 if Win98 picks up group policies. Unfortunately this needs to be done on every
12277 Win9x/Me machine that uses group policies.
12278 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2925094"></a>Windows NT4 Style Policy Files</h3></div></div><div></div></div><p>
12279 To create or edit <tt class="filename">ntconfig.pol</tt> you must use the NT Server
12280 Policy Editor, <b class="command">poledit.exe</b> which is included with NT4 Server
12281 but <span class="emphasis"><em>not NT Workstation</em></span>. There is a Policy Editor on a NT4
12282 Workstation but it is not suitable for creating <span class="emphasis"><em>Domain Policies</em></span>.
12283 Further, although the Windows 95 Policy Editor can be installed on an NT4
12284 Workstation/Server, it will not work with NT clients. However, the files from
12285 the NT Server will run happily enough on an NT4 Workstation.
12286 </p><p>
You need <tt class="filename">poledit.exe</tt>, <tt class="filename">common.adm</tt> and <tt class="filename">winnt.adm</tt>.
It is convenient to put the two *.adm files in the <tt class="filename">c:\winnt\inf</tt>
directory, which is where the binary will look for them unless told otherwise. Note also that this
directory is normally 'hidden'.
12291 </p><p>
The Windows NT policy editor is also included with Service Pack 3 (and
later) for Windows NT 4.0. Extract the files using <b class="command">servicepackname /x</b>,
i.e. <b class="command">Nt4sp6ai.exe /x</b> for service pack 6a. The policy editor,
<b class="command">poledit.exe</b>, and the associated template files (*.adm) should
be extracted as well. It is also possible to download the policy template
files for Office97 and get a copy of the policy editor. Another possible
location is the Zero Administration Kit available for download from Microsoft.
12299 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2925205"></a>Registry Spoiling</h4></div></div><div></div></div><p>
With NT4 style registry based policy changes, a large number of settings are not
automatically reversed as the user logs off. Settings from the NTConfig.POL file that
are applied to the HKEY_LOCAL_MACHINE hive of the client machine registry remain in
place until they are explicitly reversed. This is known as tattooing. It can have
serious consequences down-stream and the administrator must be extremely careful not
to lock out the ability to manage the machine at a later date.
12306 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2925227"></a>MS Windows 200x / XP Professional Policies</h3></div></div><div></div></div><p>
Windows NT4 System policies allow setting of registry parameters specific to
users, groups and computers (client workstations) that are members of the NT4
style domain. Such policy files will work with MS Windows 2000 / XP clients also.
12310 </p><p>
12311 New to MS Windows 2000 Microsoft introduced a new style of group policy that confers
12312 a superset of capabilities compared with NT4 style policies. Obviously, the tool used
12313 to create them is different, and the mechanism for implementing them is much changed.
12314 </p><p>
The older NT4 style registry based policies are known as <span class="emphasis"><em>Administrative Templates</em></span>
in MS Windows 2000/XP Group Policy Objects (GPOs). The latter include the ability to set various security
configurations, enforce Internet Explorer browser settings, and change and redirect aspects of the
users' desktop (including the location of the <tt class="filename">My Documents</tt> directory, as
well as where menu items will appear in the Start menu). An additional new
feature is the ability to make particular Windows software applications available to particular
users and/or groups.
12322 </p><p>
Remember: NT4 policy files are named <tt class="filename">NTConfig.POL</tt> and are stored in the root
of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password
and selects the domain name to which the logon will attempt to take place. During the logon
process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating
server and modifies the local registry values according to the settings in this file.
12328 </p><p>
Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share; rather, part of
12330 a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
12331 in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
12332 Directory domain controllers. The part that is stored in the Active Directory itself is called the
12333 group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is
12334 known as the group policy template (GPT).
12335 </p><p>
With NT4 clients the policy file is read and acted upon only as each user logs onto the network.
12337 MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
12338 startup (machine specific part) and when the user logs onto the network the user specific part
12339 is applied. In MS Windows 200x style policy management each machine and/or user may be subject
12340 to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
12341 the administrator to also set filters over the policy settings. No such equivalent capability
12342 exists with NT4 style policy files.
12343 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2925328"></a>Administration of Win2K / XP Policies</h4></div></div><div></div></div><p>
12344 Instead of using the tool called <span class="application">The System Policy Editor</span>, commonly called Poledit (from the
12345 executable name <b class="command">poledit.exe</b>), <span class="acronym">GPOs</span> are created and managed using a
12346 <span class="application">Microsoft Management Console</span> <span class="acronym">(MMC)</span> snap-in as follows:</p><div class="procedure"><ol type="1"><li><p>
12347 Go to the Windows 200x / XP menu <span class="guimenu">Start-&gt;Programs-&gt;Administrative Tools</span>
12348 and select the MMC snap-in called <span class="guimenuitem">Active Directory Users and Computers</span>
12349 </p></li><li><p>
12350 Select the domain or organizational unit (OU) that you wish to manage, then right click
12351 to open the context menu for that object, select the properties item.
12352 </p></li><li><p>
12353 Now left click on the <span class="guilabel">Group Policy</span> tab, then left click on the New tab. Type a name
12354 for the new policy you will create.
12355 </p></li><li><p>
12356 Now left click on the <span class="guilabel">Edit</span> tab to commence the steps needed to create the GPO.
12357 </p></li></ol></div><p>
All policy configuration options are controlled through the use of policy administrative
templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x.
The latter introduces many new features as well as extended definition capabilities. It is
well beyond the scope of this documentation to explain how to program .adm files; for that
the administrator is referred to the Microsoft Windows Resource Kit for your particular
version of MS Windows.
12365 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
12366 The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
12367 to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
12368 use this powerful tool. Please refer to the resource kit manuals for specific usage information.
12369 </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2925491"></a>Managing Account/User Policies</h2></div></div><div></div></div><p>
12370 Policies can define a specific user's settings or the settings for a group of users. The resulting
12371 policy file contains the registry settings for all users, groups, and computers that will be using
12372 the policy file. Separate policy files for each user, group, or computer are not necessary.
12373 </p><p>
12374 If you create a policy that will be automatically downloaded from validating domain controllers,
you should name the file NTConfig.POL. As system administrator, you have the option of renaming the
12376 policy file and, by modifying the Windows NT-based workstation, directing the computer to update
12377 the policy from a manual path. You can do this by either manually changing the registry or by using
12378 the System Policy Editor. This path can even be a local path such that each machine has its own policy file,
12379 but if a change is necessary to all machines, this change must be made individually to each workstation.
12380 </p><p>
When a Windows NT4/200x/XP machine logs onto the network it checks the NETLOGON share on the authenticating domain
controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then
applied to the client's registry.
12384 </p><p>
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
itself. The key benefit of using AD GPOs is that they impose no registry <span class="emphasis"><em>spoiling</em></span> effect.
This is a considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates.
12389 </p><p>
12390 In addition to user access controls that may be imposed or applied via system and/or group policies
12391 in a manner that works in conjunction with user profiles, the user management environment under
12392 MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
Common restrictions that are frequently used include:
12394 </p><p>
12395 </p><div class="itemizedlist"><ul type="disc"><li><p>Logon Hours</p></li><li><p>Password Aging</p></li><li><p>Permitted Logon from certain machines only</p></li><li><p>Account type (Local or Global)</p></li><li><p>User Rights</p></li></ul></div><p>
12396 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2925596"></a>Samba Editreg Toolset</h3></div></div><div></div></div><p>
12397 A new tool called <b class="command">editreg</b> is under development. This tool can be used
12398 to edit registry files (called NTUser.DAT) that are stored in user and group profiles.
NTConfig.POL files have the same structure as the NTUser.DAT file and can be edited using
12400 this tool. <b class="command">editreg</b> is being built with the intent to enable NTConfig.POL
12401 files to be saved in text format and to permit the building of new NTConfig.POL files with
12402 extended capabilities. It is proving difficult to realise this capability, so do not be surprised
12403 if this feature does not materialise. Formal capabilities will be announced at the time that
12404 this tool is released for production use.
12405 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2925636"></a>Windows NT4/200x</h3></div></div><div></div></div><p>
12406 The tools that may be used to configure these types of controls from the MS Windows environment are:
12407 The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
12408 Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate
12409 "snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.
12410 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2925655"></a>Samba PDC</h3></div></div><div></div></div><p>
With a Samba Domain Controller, the new tools for managing user account and policy information include:
12412 <b class="command">smbpasswd</b>, <b class="command">pdbedit</b>, <b class="command">net</b>, <b class="command">rpcclient</b>.
12413 The administrator should read the
12414 man pages for these tools and become familiar with their use.
12415 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2925700"></a>System Startup and Logon Processing Overview</h2></div></div><div></div></div><p>
12416 The following attempts to document the order of processing of system and user policies following a system
12417 reboot and as part of the user logon:
12418 </p><div class="orderedlist"><ol type="1"><li><p>
12419 Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
12420 Convention Provider (MUP) start
12421 </p></li><li><p>
12422 Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
12423 and applied. The list may include GPOs that:
12424 </p><div class="itemizedlist"><ul type="disc"><li><p>Apply to the location of machines in a Directory</p></li><li><p>Apply only when settings have changed</p></li><li><p>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</p></li></ul></div><p>
12425 No desktop user interface is presented until the above have been processed.
12426 </p></li><li><p>
12427 Execution of start-up scripts (hidden and synchronous by default).
12428 </p></li><li><p>
12429 A keyboard action to affect start of logon (Ctrl-Alt-Del).
12430 </p></li><li><p>
12431 User credentials are validated, User profile is loaded (depends on policy settings).
12432 </p></li><li><p>
An ordered list of User GPOs is obtained. The list contents depend on what is configured in respect of:
12435 </p><div class="itemizedlist"><ul type="disc"><li><p>Is user a domain member, thus subject to particular policies</p></li><li><p>Loopback enablement, and the state of the loopback policy (Merge or Replace)</p></li><li><p>Location of the Active Directory itself</p></li><li><p>Has the list of GPOs changed. No processing is needed if not changed.</p></li></ul></div><p>
12436 </p></li><li><p>
12437 User Policies are applied from Active Directory. Note: There are several types.
12438 </p></li><li><p>
12439 Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group
12440 Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal
12441 window.
12442 </p></li><li><p>
The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4
Domain) machine (system) policies are applied at start-up, User policies are applied at logon.
12445 </p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2925851"></a>Common Errors</h2></div></div><div></div></div><p>
12446 Policy related problems can be very difficult to diagnose and even more difficult to rectify. The following
12447 collection demonstrates only basic issues.
12448 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2925865"></a>Policy Does Not Work</h3></div></div><div></div></div><p>
12449 &#8220;<span class="quote">We have created the <tt class="filename">config.pol</tt> file and put it in the <span class="emphasis"><em>NETLOGON</em></span> share.
It has made no difference to our Win XP Pro machines, they just don't see it. It worked fine with Win 98 but does not
12451 work any longer since we upgraded to Win XP Pro. Any hints?</span>&#8221;
12452 </p><p>
Policy files are NOT portable between Windows 9x / Me and MS Windows NT4 / 200x / XP based
platforms. You need to use the NT4 System Policy Editor (<b class="command">poledit.exe</b> from NT4 Server)
to create a file called <tt class="filename">NTConfig.POL</tt> so that
it is in the correct format for your MS Windows XP Pro clients.
12456 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2925964">Features and Benefits</a></dt><dt><a href="#id2925999">Roaming Profiles</a></dt><dd><dl><dt><a href="#id2926040">Samba Configuration for Profile Handling</a></dt><dt><a href="#id2926530">Windows Client Profile Configuration Information</a></dt><dt><a href="#id2927776">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="#id2927861">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="#id2928114">Mandatory profiles</a></dt><dt><a href="#id2928172">Creating/Managing Group Profiles</a></dt><dt><a href="#id2928216">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="#id2928237">MS Windows 9x/Me</a></dt><dt><a href="#id2928385">MS Windows NT4 Workstation</a></dt><dt><a href="#id2928939">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="#id2929447">Common Errors</a></dt><dd><dl><dt><a href="#id2929460">Setting up roaming profiles for just a few user's or group's?</a></dt><dt><a href="#id2929529">Can NOT use Roaming Profiles</a></dt><dt><a href="#id2929742">Changing the default profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2925964"></a>Features and Benefits</h2></div></div><div></div></div><p>
12457 Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for
12458 some administrators.
12459 </p><p>
12460 Roaming Profiles allow an administrator to make available a consistent user desktop
12461 as the user moves from one machine to another. This chapter provides much information
12462 regarding how to configure and manage Roaming Profiles.
12463 </p><p>
12464 While Roaming Profiles might sound like nirvana to some, they are a real and tangible
12465 problem to others. In particular, users of mobile computing tools, where often there may not
12466 be a sustained network connection, are often better served by purely Local Profiles.
12467 This chapter provides information to help the Samba administrator to deal with those
12468 situations also.
12469 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2925999"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
12470 Roaming profiles support is different for Win9x / Me and Windows NT4/200x.
12471 </p></div><p>
12472 Before discussing how to configure roaming profiles, it is useful to see how
12473 Windows 9x / Me and Windows NT4/200x clients implement these features.
12474 </p><p>
12475 Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's
12476 profiles location. However, the response does not have room for a separate
12477 profiles location field, only the user's home share. This means that Win9X/Me
12478 profiles are restricted to being stored in the user's home directory.
12479 </p><p>
12480 Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields,
12481 including a separate field for the location of the user's profiles.
12482 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2926040"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p>
12483 This section documents how to configure Samba for MS Windows client profile support.
12484 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2926053"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p>
12485 To support Windows NT4/200x clients, in the [global] section of smb.conf set the
12486 following (for example):
12487 </p><p>
12488 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</tt></i></td></tr></table><p>
12490 This is typically implemented like:
12492 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\%L\Profiles\%u</tt></i></td></tr></table><p>
12493 where %L translates to the name of the Samba server and %u translates to the user name
12494 </p><p>
The default for this option is <tt class="filename">\\%N\%U\profile</tt>,
namely <tt class="filename">\\sambaserver\username\profile</tt>.
The <tt class="filename">\\%N\%U</tt> service is created automatically by the [homes] service. If you are using
a Samba server for the profiles, you <span class="emphasis"><em>must</em></span> make the share specified in the logon path
browseable. Please refer to the man page for <tt class="filename">smb.conf</tt> in respect of the different
semantics of %L and %N, as well as %U and %u.
12501 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
12502 MS Windows NT/2K clients at times do not disconnect a connection to a server
12503 between logons. It is recommended to NOT use the <i class="parameter"><tt>homes</tt></i>
12504 meta-service name as part of the profile share path.
12505 </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2926161"></a>Windows 9x / Me User Profiles</h4></div></div><div></div></div><p>
12506 To support Windows 9x / Me clients, you must use the <a class="indexterm" name="id2926173"></a><i class="parameter"><tt>logon home</tt></i> parameter. Samba has
12507 now been fixed so that <b class="userinput"><tt>net use /home</tt></b> now works as well, and it, too, relies
12508 on the <b class="command">logon home</b> parameter.
12509 </p><p>
12510 By using the logon home parameter, you are restricted to putting Win9x / Me
12511 profiles in the user's home directory. But wait! There is a trick you
12512 can use. If you set the following in the <i class="parameter"><tt>[global]</tt></i> section of your <tt class="filename">smb.conf</tt> file:
12513 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home = \\%L\%U\.profiles</tt></i></td></tr></table><p>
then your Windows 9x / Me clients will dutifully put their profiles in a subdirectory
of your home directory called <tt class="filename">.profiles</tt> (thus making them hidden).
12516 </p><p>
12517 Not only that, but <b class="userinput"><tt>net use /home</tt></b> will also work, because of a feature in
Windows 9x / Me. It strips any directory components from the end of the home directory path
and uses only the server and share portion. That is, it looks like you
12520 specified <tt class="filename">\\%L\%U</tt> for <a class="indexterm" name="id2926277"></a><i class="parameter"><tt>logon home</tt></i>.
12521 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2926293"></a>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p>
12522 You can support profiles for both Win9X and WinNT clients by setting both the
12523 <a class="indexterm" name="id2926306"></a><i class="parameter"><tt>logon home</tt></i> and <a class="indexterm" name="id2926319"></a><i class="parameter"><tt>logon path</tt></i> parameters. For example:
12524 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home = \\%L\%u\.profiles</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path = \\%L\profiles\%u</tt></i></td></tr></table></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2926360"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p>
12525 A question often asked is &#8220;<span class="quote">How may I enforce use of local profiles?</span>&#8221; or
12526 &#8220;<span class="quote">How do I disable Roaming Profiles?</span>&#8221;
12527 </p><p>
12528 There are three ways of doing this:
12529 </p><div class="variablelist"><dl><dt><span class="term">In <tt class="filename">smb.conf</tt></span></dt><dd><p>
12530 Set the following parameters to empty values and ALL clients
12531 will be forced to use a local profile:
12532 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home =</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path =</tt></i></td></tr></table><p>
12533 </p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd><p>
12534 By using the Microsoft Management Console snap-in gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This modifies registry settings on the workstation. The full path to the options is:
12537 </p><pre class="programlisting">
12538 Local Computer Policy\
12539 Computer Configuration\
12540 Administrative Templates\
12541 System\
12542 User Profiles\
12544 Enable: Only Allow Local User Profiles
12545 Enable: Prevent Roaming Profile Change from Propagating to the Server
12546 </pre><p>
12547 </p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>
12548 From the start menu right click on the
12549 My Computer icon, select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span>
12550 tab, select the profile you wish to change from Roaming type to Local, click <span class="guibutton">Change Type</span>.
12551 </p></dd></dl></div><p>
12552 Consult the MS Windows registry guide for your particular MS Windows version for more
12553 information about which registry keys to change to enforce use of only local user
12554 profiles.
12555 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
12556 The specifics of how to convert a local profile to a roaming profile, or a roaming profile
12557 to a local one vary according to the version of MS Windows you are running. Consult the
12558 Microsoft MS Windows Resource Kit for your version of Windows for specific information.
12559 </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2926530"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2926538"></a>Windows 9x / Me Profile Setup</h4></div></div><div></div></div><p>
12560 When a user first logs in on Windows 9X, the file user.DAT is created,
12561 as are folders <tt class="filename">Start Menu</tt>, <tt class="filename">Desktop</tt>,
12562 <tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt>.
12563 These directories and their contents will be merged with the local
12564 versions stored in <tt class="filename">c:\windows\profiles\username</tt> on subsequent logins,
12565 taking the most recent from each. You will need to use the <i class="parameter"><tt>[global]</tt></i>
12566 options <a class="indexterm" name="id2926594"></a><i class="parameter"><tt>preserve case</tt></i> = yes, <a class="indexterm" name="id2926609"></a><i class="parameter"><tt>short preserve case</tt></i> = yes and
12567 <a class="indexterm" name="id2926623"></a><i class="parameter"><tt>case sensitive</tt></i> = no in order to maintain capital letters in shortcuts
12568 in any of the profile folders.
12569 </p><p>
12570 The user.DAT file contains all the user's preferences. If you wish to
12571 enforce a set of preferences, rename their user.DAT file to user.MAN,
12572 and deny them write access to this file.
12573 </p><div class="orderedlist"><ol type="1"><li><p>
12574 On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -&gt; <span class="guimenuitem">Passwords</span> and
12575 select the <span class="guilabel">User Profiles</span> tab. Select the required level of
12576 roaming preferences. Press <span class="guibutton">OK</span>, but do <span class="emphasis"><em>not</em></span> allow the computer
12577 to reboot.
12578 </p></li><li><p>
12579 On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -&gt; <span class="guimenuitem">Network</span> -&gt;
12580 <span class="guimenuitem">Client for Microsoft Networks</span> -&gt; <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to
12581 NT Domain</span>. Then, ensure that the Primary Logon is <span class="guilabel">Client for
12582 Microsoft Networks</span>. Press <span class="guibutton">OK</span>, and this time allow the computer
12583 to reboot.
12584 </p></li></ol></div><p>
12585 Under Windows 9x / Me, profiles are downloaded from the Primary Logon.
12586 If the Primary Logon is <span class="guilabel">Client for Novell Networks</span>, then
12587 the profiles and logon script will be downloaded from your Novell
12588 server. If the Primary Logon is <span class="guilabel">Windows Logon</span>, then the
12589 profiles will be loaded from the local machine only, which defeats the
12590 purpose of roaming profiles.
12591 </p><p>
12592 You will now find that the Microsoft Networks Login box contains
12593 [user, password, domain] instead of just [user, password]. Type in
12594 the samba server's domain name (or any other domain known to exist,
12595 but bear in mind that the user will be authenticated against this
12596 domain and profiles downloaded from it, if that domain logon server
12597 supports it), user name and user's password.
12598 </p><p>
12599 Once the user has been successfully validated, the Windows 9x / Me machine
12600 will inform you that <tt class="computeroutput">The user has not logged on before</tt> and asks you
12601 <tt class="computeroutput">Do you wish to save the user's preferences?</tt>. Select <span class="guibutton">yes</span>.
12602 </p><p>
12603 Once the Windows 9x / Me client comes up with the desktop, you should be able
12604 to examine the contents of the directory specified in the <a class="indexterm" name="id2926811"></a><i class="parameter"><tt>logon path</tt></i>
12605 on the samba server and verify that the <tt class="filename">Desktop</tt>, <tt class="filename">Start Menu</tt>,
12606 <tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt> folders have been created.
12607 </p><p>
12608 These folders will be cached locally on the client, and updated when
12609 the user logs off (if you haven't made them read-only by then).
12610 You will find that if the user creates further folders or short-cuts,
12611 that the client will merge the profile contents downloaded with the
12612 contents of the profile directory already on the local client, taking
12613 the newest folders and short-cuts from each set.
12614 </p><p>
12615 If you have made the folders / files read-only on the samba server,
12616 then you will get errors from the Windows 9x / Me machine on logon and logout, as
12617 it attempts to merge the local and the remote profile. Basically, if
12618 you have any errors reported by the Windows 9x / Me machine, check the UNIX file
12619 permissions and ownership rights on the profile directory contents,
12620 on the samba server.
12621 </p><p>
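Checking the profile share from the UNIX side, as an added example that is not part of this HOWTO or of Samba itself: the script below walks a profile root and reports every per-user directory that is not owned by the user it is named after, that grants any access to group or other, or that its owner cannot write to. It assumes the layout that <i class="parameter"><tt>logon path = \\%L\profiles\%U</tt></i> produces (one directory per UNIX user name under a common root; <tt class="filename">/var/lib/samba/profiles</tt> in the usage note is an assumed location) and GNU coreutils <b class="command">stat</b>. Windows XP Service Pack 1 additionally refuses to load a roaming profile whose folder the user does not own (see the Windows XP Service Pack 1 procedure later in this chapter), so a directory that fails the ownership test here is likely to fail that client-side check as well.

```sh
#!/bin/sh
# audit_profiles.sh: report per-user profile directories on a Samba profile
# share whose ownership or permissions are wrong. Added example, not a Samba tool.
# Assumptions: each profile directory is named after the UNIX account that owns
# it (the layout "logon path = \\%L\profiles\%U" produces), and GNU stat is used.

# audit_profiles <profile-root>
# Prints one line per problem found. Returns 0 when every directory is clean,
# 1 when at least one problem was reported.
audit_profiles() {
    root="$1"; rc=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        dir="${dir%/}"              # drop the trailing slash left by the glob
        user="${dir##*/}"           # directory name is the expected user name
        owner=$(stat -c %u "$dir")  # numeric uid of the owner
        mode=$(stat -c %a "$dir")   # permission bits in octal, e.g. 700

        # 1. Ownership: whoever owns the directory can read the hive and plant
        #    files into the profile, so it must be the user it is named after.
        if ! uid=$(id -u "$user" 2>/dev/null); then
            echo "$dir: no UNIX account named '$user'"
            rc=1
        elif [ "$owner" != "$uid" ]; then
            echo "$dir: owned by uid $owner, expected uid $uid ($user)"
            rc=1
        fi

        # 2. No group/other access: other users of the share must not be able
        #    to read NTuser.DAT / user.DAT or create files in the profile.
        if [ $(( 0$mode & 0077 )) -ne 0 ]; then
            echo "$dir: mode $mode grants access to group/other (want 700)"
            rc=1
        fi

        # 3. Owner must be able to write: the client creates folders in the
        #    profile at logon and writes changes back at logoff, and a
        #    read-only profile directory produces errors on both.
        if [ $(( 0$mode & 0200 )) -eq 0 ]; then
            echo "$dir: not writable by its owner; the profile cannot be saved"
            rc=1
        fi
    done
    return $rc
}
```

Source the file on the Samba server and run <b class="userinput"><tt>audit_profiles /var/lib/samba/profiles</tt></b> (or whatever directory the profile share exports) as root; a non-zero exit status means at least one directory needs a chown or chmod, and each offending directory is named on its own line. On BSD-derived systems replace the two <b class="command">stat -c</b> calls with the equivalent <b class="command">stat -f</b> formats.
</p><p>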
12622 If you have problems creating user profiles, you can reset the user's
12623 local desktop cache, as shown below. When this user then next logs in,
12624 they will be told that they are logging in "for the first time".
12625 </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
12626 Before deleting the contents of the
12627 directory listed in the ProfilePath (this is likely to be
12628 <tt class="filename">c:\windows\profiles\username</tt>), ask them if they
12629 have any important files stored on their desktop or in their start menu.
12630 Delete the contents of the directory ProfilePath (making a backup if any
12631 of the files are needed).
12632 </p><p>
12633 This will have the effect of removing the local (read-only hidden
12634 system file) user.DAT in their profile directory, as well as the
12635 local "desktop", "nethood", "start menu" and "programs" folders.
12636 </p></div><div class="orderedlist"><ol type="1"><li><p>
12637 Instead of logging in under the [user, password, domain] dialog,
12638 press <span class="guibutton">escape</span>.
12639 </p></li><li><p>
12640 Run the <b class="command">regedit.exe</b> program, and look in:
12641 </p><p>
12642 <tt class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</tt>
12643 </p><p>
12644 Under it there is a subkey for each user containing a ProfilePath entry. Note the
12645 contents of this entry (likely to be <tt class="filename">c:\windows\profiles\username</tt>),
12646 then delete the ProfilePath entry for the required user.
12647 </p><p>Exit the registry editor.</p></li><li><p>
12648 Search for the user's .PWL password-caching file (<tt class="filename">username.PWL</tt>) in the <tt class="filename">c:\windows</tt>
12649 directory, and delete it. It is recreated at the next successful logon.
12650 </p></li><li><p>
12651 Log off the Windows 9x / Me client.
12652 </p></li><li><p>
12653 Check the contents of the profile path (see <a class="indexterm" name="id2927017"></a><i class="parameter"><tt>logon path</tt></i> described
12654 above), and delete the <tt class="filename">user.DAT</tt> or <tt class="filename">user.MAN</tt> file for the user,
12655 making a backup if required.
12656 </p></li></ol></div><p>
12657 If all else fails, increase samba's debug log levels to between 3 and 10,
12658 and / or run a packet trace program such as ethereal or <b class="command">netmon.exe</b>, and
12659 look for error messages.
12660 </p><p>
12661 If you have access to an Windows NT4/200x server, then first set up roaming profiles
12662 and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine
12663 the example packet traces provided with Windows NT4/200x server, and see what the
12664 differences are with the equivalent samba trace.
12665 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2927080"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p>
12666 When a user first logs in to a Windows NT Workstation, the profile
12667 NTuser.DAT is created. The profile location can now be specified
12668 through the <a class="indexterm" name="id2927093"></a><i class="parameter"><tt>logon path</tt></i> parameter.
12669 </p><p>
12670 There is a parameter that is now available for use with NT Profiles:
12671 <a class="indexterm" name="id2927113"></a><i class="parameter"><tt>logon drive</tt></i>. This should be set to <tt class="filename">H:</tt> or any other drive, and
12672 should be used in conjunction with the new <a class="indexterm" name="id2927135"></a><i class="parameter"><tt>logon home</tt></i> parameter.
12673 </p><p>
12674 The entry for the NT4 profile is a <span class="emphasis"><em>directory</em></span>, not a file. The NT
12675 help on profiles mentions that a directory is also created with a .PDS
12676 extension. The user, while logging in, must have write permission to
12677 create the full profile path (and the folder with the .PDS extension
12678 for those situations where it might be created.)
12679 </p><p>
12680 In the profile directory, Windows NT4 creates more folders than Windows 9x / Me.
12681 It creates <tt class="filename">Application Data</tt> and others, as well as <tt class="filename">Desktop</tt>, <tt class="filename">Nethood</tt>,
12682 <tt class="filename">Start Menu</tt> and <tt class="filename">Programs</tt>. The profile itself is stored in a file
12683 <tt class="filename">NTuser.DAT</tt>. Nothing appears to be stored in the .PDS directory, and
12684 its purpose is currently unknown.
12685 </p><p>
12686 You can use the <span class="application">System Control Panel</span> to copy a local profile onto
12687 a samba server (see NT Help on profiles: it is also capable of firing
12688 up the correct location in the <span class="application">System Control Panel</span> for you). The
12689 NT Help file also mentions that renaming <tt class="filename">NTuser.DAT</tt> to <tt class="filename">NTuser.MAN</tt>
12690 turns a profile into a mandatory one.
12691 </p><p>
12692 The case of the profile is significant. The file must be called
12693 <tt class="filename">NTuser.DAT</tt> or, for a mandatory profile, <tt class="filename">NTuser.MAN</tt>.
12694 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2927266"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p>
12695 You must first convert the profile from a local profile to a domain
12696 profile on the MS Windows workstation as follows:
12697 </p><div class="procedure"><ol type="1"><li><p>
12698 Log on as the <span class="emphasis"><em>LOCAL</em></span> workstation administrator.
12699 </p></li><li><p>
12700 Right click on the <span class="guiicon">My Computer</span> Icon, select <span class="guimenuitem">Properties</span>
12701 </p></li><li><p>
12702 Click on the <span class="guilabel">User Profiles</span> tab
12703 </p></li><li><p>
12704 Select the profile you wish to convert (click on it once)
12705 </p></li><li><p>
12706 Click on the button <span class="guibutton">Copy To</span>
12707 </p></li><li><p>
12708 In the <span class="guilabel">Permitted to use</span> box, click on the <span class="guibutton">Change</span> button.
12709 </p></li><li><p>
12710 Click on the <span class="guilabel">Look in</span> area that lists the machine name; when you click
12711 here it will open up a selection box. Click on the domain to which the
12712 profile must be accessible.
12713 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up. Eg: In the connect as: <i class="replaceable"><tt>DOMAIN</tt></i>\root, password: <i class="replaceable"><tt>mypassword</tt></i>.</p></div></li><li><p>
12714 To make the profile capable of being used by anyone select 'Everyone'
12715 </p></li><li><p>
12716 Click <span class="guibutton">OK</span>. The Selection box will close.
12717 </p></li><li><p>
12718 Now click on the <span class="guibutton">Ok</span> button to create the profile in the path you
12719 nominated.
12720 </p></li></ol></div><p>
12721 Done. You now have a profile that can be edited using the samba
12722 <b class="command">profiles</b> tool.
12723 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
12724 Under NT/2K the use of mandatory profiles forces the use of MS Exchange
12725 storage of mail data. That keeps desktop profiles usable.
12726 </p></div><div class="procedure"><p class="title"><b>Procedure 24.2. Windows XP Service Pack 1</b></p><ol type="1"><li><p>
12727 Windows XP Service Pack 1 introduced a security check: before loading a roaming profile the
12728 client verifies that the user owns the roaming profile folder, and refuses the profile otherwise. The check can be disabled via a group policy in
12729 Active Directory. The policy is:</p><p><tt class="filename">Computer Configuration\Administrative Templates\System\User
12730 Profiles\Do not check for user ownership of Roaming Profile Folders</tt></p><p>...and it should be set to <tt class="constant">Enabled</tt>.
12731 Samba does not serve Active Directory group policy; it delivers NT4-style system policies
12732 (<tt class="filename">NTConfig.POL</tt> in the NETLOGON share, see the previous chapter), so this policy cannot be pushed from the Samba domain.
12733 </p><p>
12734 Before disabling the check, consider fixing its cause instead: make sure that each profile directory on the
12735 Samba server is owned by the user it belongs to and is not writable by anyone else, so that the check can pass. With the
12736 check disabled the client will load a profile folder that somebody else owns. If you still want to disable it, set the policy locally on each machine as follows
12737 (a local policy is not guaranteed to behave exactly like a domain group policy, and it must be repeated on every workstation):
12738 </p></li><li><p>
12739 On the XP workstation log in with an Administrator account.
12740 </p></li><li><p>Click: <span class="guimenu">Start</span>, <span class="guimenuitem">Run</span></p></li><li><p>Type: <b class="userinput"><tt>mmc</tt></b></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click: <span class="guimenu">File</span>, <span class="guimenuitem">Add/Remove Snap-in...</span>, <span class="guimenuitem">Add</span></p></li><li><p>Double-Click: <span class="guiicon">Group Policy</span></p></li><li><p>Click: <span class="guibutton">Finish</span>, <span class="guibutton">Close</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>In the "Console Root" window:</p></li><li><p>Expand: <span class="guiicon">Local Computer Policy</span>, <span class="guiicon">Computer Configuration</span>,
12741 <span class="guiicon">Administrative Templates</span>, <span class="guiicon">System</span>, <span class="guiicon">User Profiles</span></p></li><li><p>Double-Click: <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span></p></li><li><p>Select: <span class="guilabel">Enabled</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>Close the whole console. You do not need to save the settings (this
12742 refers to the console settings rather than the policies you have
12743 changed).</p></li><li><p>Reboot</p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2927776"></a>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</h3></div></div><div></div></div><p>
12744 Sharing of desktop profiles between Windows versions is NOT recommended.
12745 Desktop profiles are an evolving phenomenon and profiles for later versions
12746 of MS Windows clients add features that may interfere with earlier versions
12747 of MS Windows clients. Probably the more salient reason to NOT mix profiles
12748 is that when logging off an earlier version of MS Windows the older format
12749 of profile contents may overwrite information that belongs to the newer
12750 version resulting in loss of profile information content when that user logs
12751 on again with the newer version of MS Windows.
12752 </p><p>
12753 If you then want to share the same Start Menu / Desktop with W9x/Me, you will
12754 need to specify a common location for the profiles. The <tt class="filename">smb.conf</tt> parameters
12755 that need to be common are <a class="indexterm" name="id2927812"></a><i class="parameter"><tt>logon path</tt></i> and
12756 <a class="indexterm" name="id2927827"></a><i class="parameter"><tt>logon home</tt></i>.
12757 </p><p>
12758 If you have this set up correctly, you will find separate <tt class="filename">user.DAT</tt> and
12759 <tt class="filename">NTuser.DAT</tt> files in the same profile directory.
12760 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2927861"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p>
12761 There is nothing to stop you specifying any path that you like for the
12762 location of users' profiles. Therefore, you could specify that the
12763 profile be stored on a samba server, or any other SMB server, as long as
12764 that SMB server supports encrypted passwords.
12765 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2927878"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p>
12766 Unfortunately, the Resource Kit information is specific to the version of MS Windows
12767 NT4/200x. The correct resource kit is required for each platform.
12768 </p><p>
12769 Here is a quick guide:
12770 </p><div class="procedure"><ol type="1"><li><p>
12771 On your NT4 Domain Controller, right click on <span class="guiicon">My Computer</span>, then
12772 select the tab labelled <span class="guilabel">User Profiles</span>.
12773 </p></li><li><p>
12774 Select a user profile you want to migrate and click on it.
12775 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term "migrate" loosely. You can copy a profile to
12776 create a group profile. You can give the user 'Everyone' rights to the
12777 profile you copy this to. That is what you need to do, since your samba
12778 domain is not a member of a trust relationship with your NT4 PDC.</p></div></li><li><p>Click the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labelled <span class="guilabel">Copy Profile to</span> add your new path, eg:
12779 <tt class="filename">c:\temp\foobar</tt></p></li><li><p>Click on the button <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group 'Everyone' and then click <span class="guibutton">OK</span>. This closes the
12780 'choose user' box.</p></li><li><p>Now click <span class="guibutton">OK</span>.</p></li></ol></div><p>
12781 Follow the above for every profile you need to migrate.
12782 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928042"></a>Side bar Notes</h4></div></div><div></div></div><p>
12783 You should obtain the SID of your NT4 domain. You can use smbpasswd to do
12784 this (read the man page); with Samba 3, <b class="command">net rpc getsid</b> fetches the domain SID from the PDC and stores it in <tt class="filename">secrets.tdb</tt>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928057"></a>moveuser.exe</h4></div></div><div></div></div><p>
12785 The W2K professional resource kit has moveuser.exe. moveuser.exe changes
12786 the security of a profile from one user to another. This allows the account
12787 domain to change, and/or the user name to change.
12788 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928073"></a>Get SID</h4></div></div><div></div></div><p>
12789 You can identify the SID by using GetSID.exe from the Windows NT Server 4.0
12790 Resource Kit.
12791 </p><p>
12792 Windows NT 4.0 stores the local profile information in the registry under
12793 the following key:
12794 <tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</tt>
12795 </p><p>
12796 Under the ProfileList key, there will be subkeys named with the SIDs of the
12797 users who have logged on to this computer. (To find the profile information
12798 for the user whose locally cached profile you want to move, find the SID for
12799 the user with the GetSID.exe utility.) Inside of the appropriate user's
12800 subkey, you will see a string value named ProfileImagePath.
12801 </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928114"></a>Mandatory profiles</h2></div></div><div></div></div><p>
12802 A Mandatory Profile is a profile that the user does NOT have the ability to overwrite.
12803 During the user's session it may be possible to change the desktop environment, but
12804 as the user logs out all changes made will be lost. If it is desired to NOT allow the
12805 user any ability to change the desktop environment then this must be done through
12806 policy settings. See previous chapter.
12807 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
12808 Under NO circumstances should the profile directory (or its contents) be made read-only,
12809 as this may render the profile unusable.
12810 </p></div><p>
12811 For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles
12812 also. To convert a group profile into a mandatory profile, simply locate the <tt class="filename">NTuser.DAT</tt>
12813 file in the copied profile and rename it to <tt class="filename">NTuser.MAN</tt>.
12814 </p><p>
12815 For MS Windows 9x / Me it is the <tt class="filename">user.DAT</tt> file that must be renamed to <tt class="filename">user.MAN</tt> to
12816 effect a mandatory profile.
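</p><p>
Doing the rename on the Samba server from the UNIX side, as an added example (the HOWTO's own instruction is the rename described above; the script is not part of Samba): it renames the hive to its .MAN name, takes write access to the hive away from the user as the Windows 9x / Me section suggests, and deliberately leaves the profile directory itself writable, because of the note above. It assumes the hive carries one of the names this chapter documents (<tt class="filename">NTuser.DAT</tt> or <tt class="filename">user.DAT</tt>, matched case-insensitively) and that the profile directory is owned by its user; handing the hive to root is only attempted when the script runs as root. Because the directory must stay writable, its owner could still delete the .MAN file and put a .DAT back: the mandatory behaviour is enforced by the Windows client, which discards the user's changes at logoff rather than writing a .MAN profile back, not by the server.

```sh
#!/bin/sh
# make_mandatory.sh: turn a roaming profile stored on the Samba server into a
# mandatory one by renaming its registry hive. Added example, not a Samba tool.

# is_mandatory <profile-dir>: true when the directory already holds a .MAN hive
is_mandatory() {
    [ -n "$(find "$1" -maxdepth 1 \( -iname 'ntuser.man' -o -iname 'user.man' \))" ]
}

# make_mandatory <profile-dir>
# Renames NTuser.DAT (NT4/200x/XP) or user.DAT (9x/Me) to the .MAN name, prints
# the new path and returns 0. Returns 1 if the directory is missing, is already
# mandatory, or contains no hive.
make_mandatory() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    if is_mandatory "$dir"; then
        echo "$dir: already holds a mandatory (.MAN) hive" >&2
        return 1
    fi
    # Match the hive name case-insensitively: the client wrote it, and Samba's
    # case-mapping options decide how it appears on the UNIX filesystem.
    hive=$(find "$dir" -maxdepth 1 \( -iname 'ntuser.dat' -o -iname 'user.dat' \) | head -n 1)
    [ -n "$hive" ] || { echo "$dir: no NTuser.DAT or user.DAT hive found" >&2; return 1; }
    man="${hive%.*}.MAN"        # keep the basename's case, swap the extension
    mv "$hive" "$man" || return 1
    # The client must still read the hive, but nobody should be able to write it.
    chmod 0444 "$man"
    # Assumption: when run as root, hand the hive to root so the profile's owner
    # cannot simply make it writable again (owners may change the mode of their
    # own files).
    if [ "$(id -u)" -eq 0 ]; then chown root "$man"; fi
    # The directory itself must remain writable by its owner: the client creates
    # folders in it at logon, and a read-only profile directory is unusable.
    chmod u+rwx "$dir"
    echo "$man"
}
```

Run it once per profile directory, for example <b class="userinput"><tt>make_mandatory /var/lib/samba/profiles/sales</tt></b> for a group profile (an assumed path); it prints the new hive name on success and refuses to touch a directory that already contains a .MAN hive, so re-running it is safe.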
12817 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928172"></a>Creating/Managing Group Profiles</h2></div></div><div></div></div><p>
12818 Most organisations are arranged into departments. There is a nice benefit in
12819 this fact since usually most users in a department will require the same desktop
12820 applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
12821 use of Group Profiles. A Group Profile is a profile that is created firstly using
12822 a template (example) user. Then using the profile migration tool (see above) the
12823 profile is assigned access rights for the user group that needs to be given access
12824 to the group profile.
12825 </p><p>
12826 The next step is rather important. <span class="emphasis"><em>Please note:</em></span> Instead of assigning a group profile
12827 to users (i.e., using User Manager) on a "per user" basis, the group itself is assigned
12828 the now modified profile.
12829 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
12830 Be careful with group profiles, if the user who is a member of a group also
12831 has a personal profile, then the result will be a fusion (merge) of the two.
12832 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928216"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p>
12833 MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom
12834 a profile does not already exist. Armed with a knowledge of where the default profile
12835 is located on the Windows workstation, and knowing which registry keys affect the path
12836 from which the default profile is created, it is possible to modify the default profile
12837 to one that has been optimised for the site. This has significant administrative
12838 advantages.
12839 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928237"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p>
12840 To enable default per user profiles in Windows 9x / Me you can either use the <span class="application">Windows 98 System
12841 Policy Editor</span> or change the registry directly.
12842 </p><p>
12843 Using the <span class="application">System Policy Editor</span>,
12844 select <span class="guimenu">File</span> -&gt; <span class="guimenuitem">Open Registry</span>, then click on the
12845 <span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>,
12846 select <span class="guilabel">User Profiles</span>, click on the enable box. Do not forget to save the registry changes.
12847 </p><p>
12848 To modify the registry directly, launch the <span class="application">Registry Editor</span> (<b class="command">regedit.exe</b>), select the key
12849 <tt class="filename">HKEY_LOCAL_MACHINE\Network\Logon</tt>. Now add a DWORD value named
12850 <tt class="constant">UserProfiles</tt>; to enable user profiles set the value to 1, to disable user profiles set it to 0.
12851 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928336"></a>How User Profiles Are Handled in Windows 9x / Me?</h4></div></div><div></div></div><p>
12852 When a user logs on to a Windows 9x / Me machine, the local profile path,
12853 <tt class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</tt>, is checked
12854 for an existing entry for that user:
12855 </p><p>
12856 If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached
12857 version of the user profile. Windows 9x / Me also checks the user's home directory (or other
12858 specified directory if the location has been modified) on the server for the User Profile.
12859 If a profile exists in both locations, the newer of the two is used. If the User Profile exists
12860 on the server, but does not exist on the local machine, the profile on the server is downloaded
12861 and used. If the User Profile only exists on the local machine, that copy is used.
12862 </p><p>
12863 If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me
12864 machine is used and is copied to a newly created folder for the logged on user. At log off, any
12865 changes that the user made are written to the user's local profile. If the user has a roaming
12866 profile, the changes are written to the user's profile on the server.
12867 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928385"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p>
12868 On MS Windows NT4 the default user profile is obtained from the location
12869 <tt class="filename">%SystemRoot%\Profiles</tt> which in a default installation will translate to
12870 <tt class="filename">C:\WinNT\Profiles</tt>. Under this directory on a clean install there will be
12871 three (3) directories: <tt class="filename">Administrator</tt>, <tt class="filename">All Users</tt>, <tt class="filename">Default User</tt>.
12872 </p><p>
12873 The <tt class="filename">All Users</tt> directory contains menu settings that are common across all
12874 system users. The <tt class="filename">Default User</tt> directory contains menu entries that are
12875 customisable per user depending on the profile settings chosen/created.
12876 </p><p>
12877 When a new user first logs onto an MS Windows NT4 machine a new profile is created from:
12878 </p><div class="itemizedlist"><ul type="disc"><li><p>All Users settings</p></li><li><p>Default User settings (contains the default NTUser.DAT file)</p></li></ul></div><p>
12879 When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain
12880 the following steps are followed in respect of profile handling:
12881 </p><div class="procedure"><ol type="1"><li><p>
12882 The user's account information, which is obtained during the logon process, contains
12883 the location of the user's desktop profile. The profile path may be local to the
12884 machine or it may be located on a network share. If there exists a profile at the location
12885 of the path from the user account, then this profile is copied to the location
12886 <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>. This profile then inherits the
12887 settings in the <tt class="filename">All Users</tt> profile in the <tt class="filename">%SystemRoot%\Profiles</tt>
12888 location.
12889 </p></li><li><p>
12890 If the user account has a profile path, but at its location a profile does not exist,
12891 then a new profile is created in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>
12892 directory from reading the <tt class="filename">Default User</tt> profile.
12893 </p></li><li><p>
12894 If the NETLOGON share on the authenticating server (logon server) contains a policy file
12895 (<tt class="filename">NTConfig.POL</tt>) then its contents are applied to the <tt class="filename">NTuser.DAT</tt>
12896 which is applied to the <tt class="filename">HKEY_CURRENT_USER</tt> part of the registry.
12897 </p></li><li><p>
12898 When the user logs out, if the profile is set to be a roaming profile it will be written
12899 out to the location of the profile. The <tt class="filename">NTuser.DAT</tt> file is then
12900 re-created from the contents of the <tt class="filename">HKEY_CURRENT_USER</tt> contents.
12901 Thus, should there not exist in the NETLOGON share an <tt class="filename">NTConfig.POL</tt> at the
12902 next logon, the effect of the previous <tt class="filename">NTConfig.POL</tt> will still be held
12903 in the profile. This effect is known as <span class="emphasis"><em>tattooing</em></span>.
12904 </p></li></ol></div><p>
12905 MS Windows NT4 profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>. A Local profile
12906 will be stored in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> location. A roaming profile will
12907 also remain cached locally in the same way, unless the following registry value is created:
12908 </p><p>
12909 </p><pre class="programlisting">
12910 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
12911 "DeleteRoamingCache"=dword:00000001
12912 </pre><p>
12914 In which case, the local copy (in <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>) will be
12915 deleted on logout. On shared workstations this is worth setting, since otherwise a copy of every user's profile, and whatever data it contains, remains on the local disk after the user has logged out.
12916 </p><p>
12917 Under MS Windows NT4 default locations for common resources (like <tt class="filename">My Documents</tt>)
12918 may be redirected to a network share by modifying the following registry keys. These changes may be effected
12919 via use of the System Policy Editor (to do so may require that you create your own template extension
12920 for the policy editor to allow this to be done through the GUI). Another way to do this is by way of first
12921 creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings.
12922 </p><p>
12923 The registry hive key that controls the behaviour of folders that are part of the default user profile
12924 on Windows NT4 is:
12925 </p><p>
12926 <tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
12927 </p><p>
12928 The above hive key contains a list of automatically managed folders. The default entries are:
12929 </p><p>
12930 </p><div class="table"><a name="id2928735"></a><p class="title"><b>Table 24.1. User Shell Folder registry keys default values</b></p><table summary="User Shell Folder registry keys default values" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu </td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><p>
12931 </p><p>
12932 The registry key that contains the location of the default profile settings is:
12933 </p><p>
12934 <tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</tt>
12935 </p><p>
12936 The default entries are:
12938 </p><div class="table"><a name="id2928879"></a><p class="title"><b>Table 24.2. Defaults of profile settings registry keys</b></p><table summary="Defaults of profile settings registry keys" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Common Desktop</td><td>%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td>Common Programs</td><td>%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td>Common Start Menu</td><td>%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td>Common Startup</td><td>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div><p>
12939 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928939"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
12940 MS Windows XP Home Edition does use default per user profiles, but can not participate
12941 in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile
12942 only from itself. While there are benefits in doing this, the beauty of those MS Windows
12943 clients that CAN participate in domain logon processes is that they allow the administrator to create
12944 a global default profile and to enforce it through the use of Group Policy Objects (GPOs).
12945 </p></div><p>
12946 When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from
12947 <tt class="filename">C:\Documents and Settings\Default User</tt>. The administrator can modify (or change)
12948 the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum
12949 arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client
12950 workstation.
12951 </p><p>
12952 When MS Windows 200x/XP participates in a domain security context, and the default user
12953 profile is not found, the client will search for a default profile in the NETLOGON share
12954 of the authenticating server, i.e. in MS Windows parlance:
12955 <tt class="filename">%LOGONSERVER%\NETLOGON\Default User</tt>. If one exists there it will copy it
12956 to the workstation into <tt class="filename">C:\Documents and Settings\</tt> under the Windows
12957 login name of the user.
12958 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
12959 This path translates, in Samba parlance, to the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[NETLOGON]</tt></i> share. The directory
12960 should be created at the root of this share and must be called <tt class="filename">Default Profile</tt>.
12961 </p></div><p>
12962 If a default profile does not exist in this location then MS Windows 200x/XP will use the local
12963 default profile.
12964 </p><p>
12965 On logging out, the user's desktop profile will be stored to the location specified in the registry
12966 settings that pertain to the user. If no specific policies have been created, or passed to the client
12967 during the login process (as Samba does automatically), then the user's profile will be written to
12968 the local machine only under the path <tt class="filename">C:\Documents and Settings\%USERNAME%</tt>.
12969 </p><p>
12970 Those wishing to modify the default behaviour can do so through three methods:
12971 </p><div class="itemizedlist"><ul type="disc"><li><p>
12972 Modify the registry keys on the local machine manually and place the new default profile in the
12973 NETLOGON share root - NOT recommended as it is maintenance intensive.
12974 </p></li><li><p>
12975 Create an NT4 style NTConfig.POL file that specifies this behaviour and locate this file
12976 in the root of the NETLOGON share along with the new default profile.
12977 </p></li><li><p>
12978 Create a GPO that enforces this through Active Directory, and place the new default profile
12979 in the NETLOGON share.
12980 </p></li></ul></div><p>
12981 The registry hive key that controls the behaviour of folders that are part of the default user profile
12982 on Windows 200x/XP is:
12983 </p><p>
12984 <tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
12985 </p><p>
12986 The above hive key contains a list of automatically managed folders. The default entries are:
12987 </p><p>
12988 </p><div class="table"><a name="id2929134"></a><p class="title"><b>Table 24.3. Defaults of default user profile paths registry keys</b></p><table summary="Defaults of default user profile paths registry keys" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Cache</td><td>%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td>Cookies</td><td>%USERPROFILE%\Cookies</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>History</td><td>%USERPROFILE%\Local Settings\History</td></tr><tr><td>Local AppData</td><td>%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td>Local Settings</td><td>%USERPROFILE%\Local Settings</td></tr><tr><td>My Pictures</td><td>%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>Personal</td><td>%USERPROFILE%\My Documents</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu</td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td>Templates</td><td>%USERPROFILE%\Templates</td></tr></tbody></table></div><p>
12989 </p><p>
12990 There is also an entry called "Default" that has no value set. The default entry is of type <tt class="constant">REG_SZ</tt>, all
12991 the others are of type <tt class="constant">REG_EXPAND_SZ</tt>.
12992 </p><p>
12993 It makes a huge difference to the speed of handling roaming user profiles if all the folders are
12994 stored on a dedicated location on a network server. This means that it will NOT be necessary to
12995 write the Outlook PST file over the network for every login and logout.
12996 </p><p>
12997 To set this to a network location you could use the following examples:
12998 </p><p><tt class="filename">%LOGONSERVER%\%USERNAME%\Default Folders</tt></p><p>
12999 This would store the folders in the user's home directory under a directory called <tt class="filename">Default Folders</tt>.
13000 You could also use:
13001 </p><p><tt class="filename">\\<i class="replaceable"><tt>SambaServer</tt></i>\<i class="replaceable"><tt>FolderShare</tt></i>\%USERNAME%</tt></p><p>
13002 in which case the default folders will be stored in the server named <i class="replaceable"><tt>SambaServer</tt></i>
13003 in the share called <i class="replaceable"><tt>FolderShare</tt></i> under a directory that has the name of the MS Windows
13004 user as seen by the Linux/UNIX file system.
13005 </p><p>
13006 Please note that once you have created a default profile share, you MUST migrate a user's profile
13007 (default or custom) to it.
13008 </p><p>
13009 MS Windows 200x/XP profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>.
13010 A roaming profile will be cached locally unless the following registry key is created:
13011 </p><p>
13012 </p><pre class="programlisting">
13013 HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
13014 winlogon\"DeleteRoamingCache"=dword:00000001</pre><p>
13015 In which case, the local cache copy will be deleted on logout.
13016 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929447"></a>Common Errors</h2></div></div><div></div></div><p>
13017 The following are some typical errors/problems/questions that have been asked.
13018 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929460"></a>Setting up roaming profiles for just a few users or groups?</h3></div></div><div></div></div><p>
13019 With samba-2.2.x the choice you have is to enable or disable roaming
13020 profiles support. It is a global only setting. The default is to have
13021 roaming profiles and the default path will locate them in the user's home
13022 directory.
13023 </p><p>
13024 If disabled globally then no-one will have roaming profile ability.
13025 If enabled and you want it to apply only to certain machines, then on
13026 those machines on which roaming profile support is NOT wanted it is then
13027 necessary to disable roaming profile handling in the registry of each such
13028 machine.
13029 </p><p>
13030 With samba-3 you can have a global profile
13031 setting in <tt class="filename">smb.conf</tt> _AND_ you can over-ride this by per-user settings
13032 using the Domain User Manager (as with MS Windows NT4/Win 2Kx).
13033 </p><p>
13034 In any case, you can configure only one profile per user. That profile can
13035 be either:
13036 </p><div class="itemizedlist"><ul type="disc"><li><p>A profile unique to that user</p></li><li><p>A mandatory profile (one the user can not change)</p></li><li><p>A group profile (which really should be mandatory, i.e. unchangeable)</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929529"></a>Can NOT use Roaming Profiles</h3></div></div><div></div></div><p>
13037 A user requested the following:
13038 &#8220;<span class="quote">
13039 I do not want Roaming profiles to be implemented. I want to give users a local profile alone. ...
13040 Please help me I am totally lost with this error. For the past two days I tried everything, I googled
13041 around but found no useful pointers. Please help me.
13042 </span>&#8221;</p><p>
13043 The choices are:
13044 </p><div class="variablelist"><dl><dt><span class="term">Local profiles:</span></dt><dd><p>
13045 I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out.
13046 </p></dd><dt><span class="term">Roaming profiles:</span></dt><dd><p>
13047 As a user logs onto the network a centrally stored profile is copied to the workstation
13048 to form a local profile. This local profile will persist (remain on the workstation disk)
13049 unless a registry key is changed that will cause this profile to be automatically deleted
13050 on logout.
13051 </p></dd></dl></div><p>
13052 The <span class="emphasis"><em>Roaming Profile</em></span> choices are:
13053 </p><div class="variablelist"><dl><dt><span class="term">Personal Roaming profiles</span></dt><dd><p>
13054 These are typically stored in a profile share on a central (or conveniently located
13055 local) server.
13056 </p><p>
13057 Workstations 'cache' (store) a local copy of the profile. This cached copy is used when
13058 the profile can not be downloaded at next logon.
13059 </p></dd><dt><span class="term">Group profiles</span></dt><dd><p>These are loaded from a central profile server</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p>
13060 Mandatory profiles can be created for a user as well as for any group that a user
13061 is a member of. Mandatory profiles can NOT be changed by ordinary users. Only the administrator
13062 can change or reconfigure a mandatory profile.
13063 </p></dd></dl></div><p>
13064 A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
13065 Outlook PST files are most often part of the profile and can be many GB in
13066 size. On average (in a well controlled environment) roaming profile size of
13067 2MB is a good rule of thumb to use for planning purposes. In an
13068 undisciplined environment I have seen up to 2GB profiles. Users tend to
13069 complain when it takes an hour to log onto a workstation but they harvest
13070 the fruits of folly (and ignorance).
13071 </p><p>
13072 The point of all the above is to show that roaming profiles, good
13073 controls over how they can be changed, and good discipline make for
13074 a problem free site.
13075 </p><p>
13076 Microsoft's answer to the PST problem is to store all email in an MS
13077 Exchange Server back-end. This removes the need for a PST file.
13078 </p><p>
13079 LOCAL profiles mean:
13080 </p><div class="itemizedlist"><ul type="disc"><li><p>If each machine is used by many users then much local disk storage is needed for local profiles</p></li><li><p>Every workstation the user logs into has its own profile, and these can be very different from machine to machine</p></li></ul></div><p>
13081 On the other hand, use of roaming profiles means:
13082 </p><div class="itemizedlist"><ul type="disc"><li><p>The network administrator can control the desktop environment of all users.</p></li><li><p>Use of mandatory profiles drastically reduces network management overheads.</p></li><li><p>In the long run users will experience fewer problems.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929742"></a>Changing the default profile</h3></div></div><div></div></div><p>
13083 <span class="emphasis"><em>Question:</em></span>
13084 &#8220;<span class="quote">
13085 When the client logs onto the domain controller it searches for a profile to download,
13086 where do I put this default profile?
13087 </span>&#8221;</p><p>
13088 Firstly, the samba server needs to be configured as a domain controller.
13089 This can be done by setting in <tt class="filename">smb.conf</tt>:
13090 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 32 (or more)</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr></table><p>
13091 There must be an <i class="parameter"><tt>[netlogon]</tt></i> share that is world readable.
13092 It is a good idea to add a logon script to pre-set printer and
13093 drive connections. There is also a facility for automatically
13094 synchronizing the workstation time clock with that of the logon
13095 server (another good thing to do).
13096 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
13097 To invoke auto-deletion of roaming profile from the local
13098 workstation cache (disk storage) use the <span class="application">Group Policy Editor</span>
13099 to create a file called <tt class="filename">NTConfig.POL</tt> with the appropriate entries. This
13100 file needs to be located in the <i class="parameter"><tt>netlogon</tt></i> share root directory.</p></div><p>
13101 Windows clients need to be members of the domain. Workgroup machines do NOT use network logons so
13102 they do not interoperate with domain profiles.
13103 </p><p>
13104 For roaming profiles add to <tt class="filename">smb.conf</tt>:
13105 </p><p>
13106 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\%N\profiles\%U</tt></i></td></tr><tr><td># Default logon drive is Z:</td></tr><tr><td><i class="parameter"><tt>logon drive = H:</tt></i></td></tr><tr><td># This requires a PROFILES share that is world writable.</td></tr></table><p>
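</p><p>
As an added example, not part of this HOWTO or of Samba itself, the following Python script embeds a constructed <tt class="filename">smb.conf</tt> built from the settings above and checks the requirements this section states: a domain controller configuration, a <tt class="filename">[netlogon]</tt> share that clients cannot write to, and a writable share for the <i class="parameter"><tt>logon path</tt></i>. The workgroup name, share paths and the checker itself are assumptions; Samba's own validator is <b class="command">testparm</b>.
</p>
```python
"""Check an smb.conf for the domain-logon and roaming-profile settings this
section describes.  Hypothetical checker, not Samba's own code."""
import configparser

# Constructed sample: a Samba PDC with the [netlogon] and [profiles] shares
# laid out the way the text describes (names and paths are made up).
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = EXAMPLEDOM
    security = user
    os level = 33
    domain master = yes
    domain logons = yes
    logon script = logon.bat
    # Default logon drive is Z:
    logon drive = H:
    logon path = \\%N\profiles\%U

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lower-cased.
    interpolation=None keeps Samba's %N / %U substitutions literal."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return {s.lower(): {k.lower(): v.strip() for k, v in cp[s].items()}
            for s in cp.sections()}

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def share_is_writable(share):
    """Samba semantics: 'read only = no' or 'writable/writeable = yes' allows
    writes; a share is read only unless told otherwise."""
    if "read only" in share:
        return not _yes(share["read only"])
    for key in ("writable", "writeable"):
        if key in share:
            return _yes(share[key])
    return False

def profile_share_name(logon_path):
    r"""Share component of a UNC logon path such as \\%N\profiles\%U."""
    parts = logon_path.split("\\")
    return parts[3].lower() if len(parts) > 3 and parts[:2] == ["", ""] else ""

def check_profile_config(text):
    """Return the problems found; an empty list means the requirements stated
    in this section hold."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    problems = []
    if g.get("security", "user").lower() != "user":
        problems.append("security = user is required for domain logons")
    if not _yes(g.get("domain logons", "no")):
        problems.append("domain logons = yes is missing")
    level = g.get("os level", "20")
    if not level.isdigit() or int(level) < 32:
        problems.append("os level should be 32 or more")
    netlogon = conf.get("netlogon")
    if netlogon is None:
        problems.append("a [netlogon] share is required")
    elif share_is_writable(netlogon):
        # Logon scripts and NTConfig.POL are applied on every client; a
        # writable NETLOGON share would let any user alter them.
        problems.append("[netlogon] must not be writable by users")
    share = profile_share_name(g.get("logon path", ""))
    if share and share not in conf:
        problems.append(f"logon path refers to missing share [{share}]")
    elif share and not share_is_writable(conf[share]):
        problems.append(f"[{share}] must be writable so profiles can be saved")
    return problems
```
<p>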
13107 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="pam"></a>Chapter 25. PAM based Distributed Authentication</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2930024">Features and Benefits</a></dt><dt><a href="#id2930271">Technical Discussion</a></dt><dd><dl><dt><a href="#id2930288">PAM Configuration Syntax</a></dt><dt><a href="#id2930969">Example System Configurations</a></dt><dt><a href="#id2931283">smb.conf PAM Configuration</a></dt><dt><a href="#id2931361">Remote CIFS Authentication using winbindd.so</a></dt><dt><a href="#id2931445">Password Synchronization using pam_smbpass.so</a></dt></dl></dd><dt><a href="#id2931826">Common Errors</a></dt><dd><dl><dt><a href="#id2931839">pam_winbind problem</a></dt><dt><a href="#id2931926">Winbind is not resolving users and groups</a></dt></dl></dd></dl></div><p>
13108 This chapter should help you to deploy winbind based authentication on any PAM enabled
13109 UNIX/Linux system. Winbind can be used to enable user level application access authentication
13110 from any MS Windows NT Domain, MS Windows 200x Active Directory based domain, or any Samba
13111 based domain environment. It will also help you to configure PAM based local host access
13112 controls that are appropriate to your Samba configuration.
13113 </p><p>
13114 In addition to knowing how to configure winbind into PAM, you will learn generic PAM management
13115 possibilities and in particular how to deploy tools like pam_smbpass.so to your advantage.
13116 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
13117 The use of Winbind requires more than PAM configuration alone. Please refer to <a href="#winbind" title="Chapter 21. Winbind: Use of Domain Accounts">the Winbind chapter</a>.
13118 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2930024"></a>Features and Benefits</h2></div></div><div></div></div><p>
13119 A number of UNIX systems (e.g. Sun Solaris), as well as the xxxxBSD family and Linux,
13120 now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
13121 authorization and resource control services. Prior to the introduction of PAM, a decision
13122 to use an alternative to the system password database (<tt class="filename">/etc/passwd</tt>)
13123 would require the provision of alternatives for all programs that provide security services.
13124 Such a choice would involve provision of alternatives to such programs as: <b class="command">login</b>,
13125 <b class="command">passwd</b>, <b class="command">chown</b>, etc.
13126 </p><p>
13127 PAM provides a mechanism that disconnects these security programs from the underlying
13128 authentication/authorization infrastructure. PAM is configured either through one file
13129 <tt class="filename">/etc/pam.conf</tt> (Solaris), or by editing individual files that are
13130 located in <tt class="filename">/etc/pam.d</tt>.
13131 </p><p>
13132 On PAM enabled UNIX/Linux systems it is an easy matter to configure the system to use any
13133 authentication backend, so long as the appropriate dynamically loadable library modules
13134 are available for it. The backend may be local to the system, or may be centralised on a
13135 remote server.
13136 </p><p>
13137 PAM support modules are available for:
13138 </p><div class="variablelist"><dl><dt><span class="term"><tt class="filename">/etc/passwd</tt>:</span></dt><dd><p>
13139 There are several PAM modules that interact with this standard UNIX user
13140 database. The most common are called: pam_unix.so, pam_unix2.so, pam_pwdb.so
13141 and pam_userdb.so.
13142 </p></dd><dt><span class="term">Kerberos:</span></dt><dd><p>
13143 The pam_krb5.so module allows the use of any Kerberos compliant server.
13144 This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially
13145 Microsoft Active Directory (if enabled).
13146 </p></dd><dt><span class="term">LDAP:</span></dt><dd><p>
13147 The pam_ldap.so module allows the use of any LDAP v2 or v3 compatible backend
13148 server. Commonly used LDAP backend servers include: OpenLDAP v2.0 and v2.1,
13149 Sun ONE iDentity server, Novell eDirectory server, Microsoft Active Directory.
13150 </p></dd><dt><span class="term">NetWare Bindery:</span></dt><dd><p>
13151 The pam_ncp_auth.so module allows authentication off any bindery enabled
13152 NetWare Core Protocol based server.
13153 </p></dd><dt><span class="term">SMB Password:</span></dt><dd><p>
13154 This module, called pam_smbpass.so, will allow user authentication off
13155 the passdb backend that is configured in the Samba <tt class="filename">smb.conf</tt> file.
13156 </p></dd><dt><span class="term">SMB Server:</span></dt><dd><p>
13157 The pam_smb_auth.so module is the original MS Windows networking authentication
13158 tool. This module has been somewhat outdated by the Winbind module.
13159 </p></dd><dt><span class="term">Winbind:</span></dt><dd><p>
13160 The pam_winbind.so module allows Samba to obtain authentication from any
13161 MS Windows Domain Controller. It can just as easily be used to authenticate
13162 users for access to any PAM enabled application.
13163 </p></dd><dt><span class="term">RADIUS:</span></dt><dd><p>
13164 There is a PAM RADIUS (Remote Access Dial-In User Service) authentication
13165 module. In most cases the administrator will need to locate the source code
13166 for this tool and compile and install it themselves. RADIUS protocols are
13167 used by many routers and terminal servers.
13168 </p></dd></dl></div><p>
13169 Of the above, Samba provides the pam_smbpass.so and the pam_winbind.so modules alone.
13170 </p><p>
13171 Once configured, these permit a remarkable level of flexibility in the location and use
13172 of distributed samba domain controllers that can provide wide area network bandwidth
13173 efficient authentication services for PAM capable systems. In effect, this allows the
13174 deployment of centrally managed and maintained distributed authentication from a single
13175 user account database.
13176 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2930271"></a>Technical Discussion</h2></div></div><div></div></div><p>
13177 PAM is designed to provide the system administrator with a great deal of flexibility in
13178 configuration of the privilege granting applications of their system. The local
13179 configuration of system security controlled by PAM is contained in one of two places:
13180 either the single system file, /etc/pam.conf; or the /etc/pam.d/ directory.
13181 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2930288"></a>PAM Configuration Syntax</h3></div></div><div></div></div><p>
13182 In this section we discuss the correct syntax of and generic options respected by entries to these files.
13183 PAM specific tokens in the configuration file are case insensitive. The module paths, however, are case
13184 sensitive since they indicate a file's name and reflect the case dependence of typical file-systems.
13185 The case-sensitivity of the arguments to any given module is defined for each module in turn.
13186 </p><p>
13187 In addition to the lines described below, there are two special characters provided for the convenience
13188 of the system administrator: comments are preceded by a `#' and extend to the next end-of-line; also,
13189 module specification lines may be extended with a `\' escaped newline.
13190 </p><p>
13191 If the PAM authentication module (loadable link library file) is located in the
13192 default location then it is not necessary to specify the path. In the case of
13193 Linux, the default location is <tt class="filename">/lib/security</tt>. If the module
13194 is located outside the default then the path must be specified as:
13195 </p><p>
13196 </p><pre class="programlisting">
13197 auth required /other_path/pam_strange_module.so
13198 </pre><p>
13199 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2930347"></a>Anatomy of <tt class="filename">/etc/pam.d</tt> Entries</h4></div></div><div></div></div><p>
13200 The remaining information in this subsection was taken from the documentation of the Linux-PAM
13201 project. For more information on PAM, see
13202 <a href="http://ftp.kernel.org/pub/linux/libs/pam/" target="_top">The Official Linux-PAM home page</a>
13203 </p><p>
13204 A general configuration line of the /etc/pam.conf file has the following form:
13205 </p><p>
13206 </p><pre class="programlisting">
13207 service-name module-type control-flag module-path args
13208 </pre><p>
13209 </p><p>
13210 Below, we explain the meaning of each of these tokens. The second (and more recently adopted)
13211 way of configuring Linux-PAM is via the contents of the <tt class="filename">/etc/pam.d/</tt> directory.
13212 Once we have explained the meaning of the above tokens, we will describe this method.
13213 </p><div class="variablelist"><dl><dt><span class="term">service-name:</span></dt><dd><p>
13214 The name of the service associated with this entry. Frequently the service name is the conventional
13215 name of the given application. For example, `ftpd', `rlogind', `su', etc.
13216 </p><p>
13217 There is a special service-name, reserved for defining a default authentication mechanism. It has
13218 the name `OTHER' and may be specified in either lower or upper case characters. Note, when there
13219 is a module specified for a named service, the `OTHER' entries are ignored.
13220 </p></dd><dt><span class="term">module-type:</span></dt><dd><p>
13221 One of (currently) four types of module. The four types are as follows:
13222 </p><div class="itemizedlist"><ul type="disc"><li><p>
13223 <span class="emphasis"><em>auth:</em></span> this module type provides two aspects of authenticating the user.
13224 Firstly, it establishes that the user is who they claim to be, by instructing the application
13225 to prompt the user for a password or other means of identification. Secondly, the module can
13226 grant group membership (independently of the <tt class="filename">/etc/groups</tt> file discussed
13227 above) or other privileges through its credential granting properties.
13228 </p></li><li><p>
13229 <span class="emphasis"><em>account:</em></span> this module performs non-authentication based account management.
13230 It is typically used to restrict/permit access to a service based on the time of day, currently
13231 available system resources (maximum number of users) or perhaps the location of the applicant
13232 user (`root' login only on the console, for example).
13233 </p></li><li><p>
13234 <span class="emphasis"><em>session:</em></span> primarily, this module is associated with doing things that need
13235 to be done for the user before/after they can be given service. Such things include the logging
13236 of information concerning the opening/closing of some data exchange with a user, mounting
13237 directories, etc.
13238 </p></li><li><p>
13239 <span class="emphasis"><em>password:</em></span> this last module type is required for updating the authentication
13240 token associated with the user. Typically, there is one module for each `challenge/response'
13241 based authentication (auth) module-type.
13242 </p></li></ul></div></dd><dt><span class="term">control-flag:</span></dt><dd><p>
13243 The control-flag is used to indicate how the PAM library will react to the success or failure of the
13244 module it is associated with. Since modules can be stacked (modules of the same type execute in series,
13245 one after another), the control-flags determine the relative importance of each module. The application
13246 is not made aware of the individual success or failure of modules listed in the
13247 <tt class="filename">/etc/pam.conf</tt> file. Instead, it receives a summary success or fail response from
13248 the Linux-PAM library. The order of execution of these modules is that of the entries in the
13249 <tt class="filename">/etc/pam.conf</tt> file; earlier entries are executed before later ones.
13250 As of Linux-PAM v0.60, this control-flag can be defined with one of two syntaxes.
13251 </p><p>
13252 The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the
13253 severity of concern associated with the success or failure of a specific module. There are four such
13254 <span class="emphasis"><em>keywords: required, requisite, sufficient and optional</em></span>.
13255 </p><p>
13256 The Linux-PAM library interprets these keywords in the following manner:
13257 </p><div class="itemizedlist"><ul type="disc"><li><p>
13258 <span class="emphasis"><em>required:</em></span> this indicates that the success of the module is required for the
13259 module-type facility to succeed. Failure of this module will not be apparent to the user until all
13260 of the remaining modules (of the same module-type) have been executed.
13261 </p></li><li><p>
13262 <span class="emphasis"><em>requisite:</em></span> like required, however, in the case that such a module returns a
13263 failure, control is directly returned to the application. The return value is that associated with
13264 the first required or requisite module to fail. Note, this flag can be used to protect against the
13265 possibility of a user getting the opportunity to enter a password over an unsafe medium. It is
13266 conceivable that such behavior might inform an attacker of valid accounts on a system. This
13267 possibility should be weighed against the not insignificant concerns of exposing a sensitive
13268 password in a hostile environment.
13269 </p></li><li><p>
13270 <span class="emphasis"><em>sufficient:</em></span> the success of this module is deemed `sufficient' to satisfy
13271 the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no
13272 previous required module has failed, no more `stacked' modules of this type are invoked. (Note,
13273 in this case subsequent required modules are not invoked.) A failure of this module is not deemed
13274 as fatal to satisfying the application that this module-type has succeeded.
13275 </p></li><li><p>
13276 <span class="emphasis"><em>optional:</em></span> as its name suggests, this control-flag marks the module as not
13277 being critical to the success or failure of the user's application for service. In general,
13278 Linux-PAM ignores such a module when determining if the module stack will succeed or fail.
13279 However, in the absence of any definite successes or failures of previous or subsequent stacked
13280 modules this module will determine the nature of the response to the application. One example of
13281 this latter case, is when the other modules return something like PAM_IGNORE.
13282 </p></li></ul></div><p>
13283 The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control
13284 over how the user is authenticated. This form of the control flag is delimited with square brackets and
13285 consists of a series of value=action tokens:
13286 </p><pre class="programlisting">
13287 [value1=action1 value2=action2 ...]
13288 </pre><p>
13289 Here, value1 is one of the following return values: success; open_err; symbol_err; service_err;
13290 system_err; buf_err; perm_denied; auth_err; cred_insufficient; authinfo_unavail; user_unknown; maxtries;
13291 new_authtok_reqd; acct_expired; session_err; cred_unavail; cred_expired; cred_err; no_module_data; conv_err;
13292 authtok_err; authtok_recover_err; authtok_lock_busy; authtok_disable_aging; try_again; ignore; abort;
13293 authtok_expired; module_unknown; bad_item; and default. The last of these (default) can be used to set
13294 the action for those return values that are not explicitly defined.
13295 </p><p>
13296 The action1 can be a positive integer or one of the following tokens: ignore; ok; done; bad; die; and reset.
13297 A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the
13298 current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated
13299 stack of modules with a number of different paths of execution. Which path is taken can be determined by the
13300 reactions of individual modules.
13301 </p><div class="itemizedlist"><ul type="disc"><li><p>
13302 <span class="emphasis"><em>ignore:</em></span> when used with a stack of modules, the module's return status will not
13303 contribute to the return code the application obtains.
13304 </p></li><li><p>
13305 <span class="emphasis"><em>bad:</em></span> this action indicates that the return code should be thought of as indicative
13306 of the module failing. If this module is the first in the stack to fail, its status value will be used
13307 for that of the whole stack.
13308 </p></li><li><p>
13309 <span class="emphasis"><em>die:</em></span> equivalent to bad with the side effect of terminating the module stack and
13310 PAM immediately returning to the application.
13311 </p></li><li><p>
13312 <span class="emphasis"><em>ok:</em></span> this tells PAM that the administrator thinks this return code should
13313 contribute directly to the return code of the full stack of modules. In other words, if the former
13314 state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override
13315 this value. Note, if the former state of the stack holds some value that is indicative of a module's
13316 failure, this 'ok' value will not be used to override that value.
13317 </p></li><li><p>
13318 <span class="emphasis"><em>done:</em></span> equivalent to ok with the side effect of terminating the module stack and
13319 PAM immediately returning to the application.
13320 </p></li><li><p>
13321 <span class="emphasis"><em>reset:</em></span> clear all memory of the state of the module stack and start again with
13322 the next stacked module.
13323 </p></li></ul></div><p>
13324 Each of the four keywords: required; requisite; sufficient; and optional, has an equivalent expression in
13325 terms of the [...] syntax. They are as follows:
13326 </p><p>
13327 </p><div class="itemizedlist"><ul type="disc"><li><p>
13328 required is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
13329 </p></li><li><p>
13330 requisite is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=die]
13331 </p></li><li><p>
13332 sufficient is equivalent to [success=done new_authtok_reqd=done default=ignore]
13333 </p></li><li><p>
13334 optional is equivalent to [success=ok new_authtok_reqd=ok default=ignore]
13335 </p></li></ul></div><p>
13336 </p><p>
13337 Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63,
13338 the notion of client plug-in agents was introduced. This is something that makes it possible for PAM to support
13339 machine-machine authentication using the transport protocol inherent to the client/server application. With the
13340 <span class="emphasis"><em>[ ... value=action ... ]</em></span> control syntax, it is possible for an application to be configured
13341 to support binary prompts with compliant clients, but to fall back gracefully to an alternative authentication
13342 mode for older, legacy applications.
13343 </p></dd><dt><span class="term">module-path:</span></dt><dd><p>
13344 The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the
13345 module path is `/', it is assumed to be a complete path. If this is not the case, the given module path is appended
13346 to the default module path: <tt class="filename">/lib/security</tt> (but see the notes above).
13347 </p><p>
13348 The args are a list of tokens that are passed to the module when it is invoked, much like arguments to a typical
13349 Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments
13350 are ignored by a module, however, when encountering an invalid argument, the module is required to write an error
13351 to syslog(3). For a list of generic options see the next section.
13352 </p><p>
13353 Note, if you wish to include spaces in an argument, you should surround that argument with square brackets. For example:
13354 </p><pre class="programlisting">
13355 squid auth required pam_mysql.so user=passwd_query passwd=mada \
13356 db=eminence [query=select user_name from internet_service where \
13357 user_name='%u' and password=PASSWORD('%p') and \
13358 service='web_proxy']
13359 </pre><p>
13360 Note, when using this convention, you can include `[' characters inside the string, and if you wish to include a `]'
13361 character inside the string that will survive the argument parsing, you should use `\['. In other words:
13362 </p><pre class="programlisting">
13363 [..[..\]..] --&gt; ..[..]..
13364 </pre><p>
13365 Any line in (one of) the configuration file(s), that is not formatted correctly, will generally tend (erring on the
13366 side of caution) to make the authentication process fail. A corresponding error is written to the system log files
13367 with a call to syslog(3).
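The control-flag semantics and the square-bracket argument rule above can be exercised mechanically; the following simulator is an added example, not Samba or Linux-PAM code, and its module return values are constructed inputs. It assumes fail-closed handling for two cases the text leaves open (a return value with no matching entry and no default, and a stack that ends undecided), and uses as sample data the auth section of the pam_winbind login configuration discussed under Common Errors below.

```python
"""Simulate how Linux-PAM walks a module stack under the control-flag rules above.

Added example, not Samba or Linux-PAM code; module return values are constructed
inputs.  Two fail-closed assumptions the text leaves open: a return value with no
matching entry and no 'default' acts as 'bad', and a stack that finishes with no
definite result is reported as perm_denied.
"""
import re

# The four historical keywords expanded to their documented [...] equivalents.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
ACTIONS = {"ignore", "ok", "done", "bad", "die", "reset"}
# A token is either [...] (with \] allowed inside) or a run of non-blanks.
_TOKEN = re.compile(r"\[((?:\\\]|[^\]])*)\]|(\S+)")


def split_args(line):
    r"""Tokenise a configuration line with the square-bracket rule: spaces survive
    inside [...], '[' is literal inside, '\]' gives ']', brackets are dropped."""
    tokens = []
    for m in _TOKEN.finditer(line):
        if m.group(1) is not None:
            tokens.append(m.group(1).replace("\\]", "]"))  # [..[..\]..] -> ..[..]..
        elif m.group(2).startswith("["):
            raise ValueError("unterminated '[' argument: %r" % line)
        else:
            tokens.append(m.group(2))
    return tokens


def parse_control(field):
    """Map a keyword, or a bracket form unwrapped by split_args, to {value: action}."""
    table = {}
    for token in KEYWORDS.get(field, field).split():
        value, sep, action = token.partition("=")
        if action.isdigit() and int(action) > 0:
            table[value] = int(action)            # J: skip the next J modules
        elif sep and action in ACTIONS:
            table[value] = action
        else:
            raise ValueError("malformed control-flag token %r" % token)
    return table


def parse_stack(text, module_type):
    """Collect (control table, module, args) for one module-type, in file order."""
    stack = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens = split_args(raw)
        if len(tokens) < 3:
            raise ValueError("malformed line: %r" % raw)   # fail closed
        if tokens[0] == module_type:
            stack.append((parse_control(tokens[1]), tokens[2], tokens[3:]))
    return stack


def run_stack(stack, results):
    """Walk a parsed stack; `results` maps module -> its constructed return value.
    Returns (summary result for the application, modules actually invoked)."""
    impression, status, skip, invoked = None, None, 0, []  # None = undecided
    for control, module, _args in stack:
        if skip:
            skip -= 1                             # skipped by an integer action
            continue
        retval = results.get(module, "ignore")
        invoked.append(module)
        action = control.get(retval, control.get("default", "bad"))
        if isinstance(action, int):
            skip = action
        elif action in ("ok", "done"):
            # 'ok' overrides only an undecided or so-far-successful stack.
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if action == "done" and impression:
                break                             # sufficient: stop here
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval    # the first failure wins
            if action == "die":
                break                             # requisite: return at once
        elif action == "reset":
            impression, status = None, None       # ('ignore' falls through)
    return ("perm_denied" if impression is None else status), invoked


# Constructed sample: the auth section of the pam_winbind login file under Common Errors.
WINBIND_LOGIN = """\
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass nullok
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
"""
```

Running the sample stack with pam_winbind returning success shows that the stack stops there, so the pam_nologin entry placed after the sufficient modules is never consulted on that path.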
13368 </p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2930969"></a>Example System Configurations</h3></div></div><div></div></div><p>
13369 The following is an example <tt class="filename">/etc/pam.d/login</tt> configuration file.
13370 This example, had all options been uncommented, would probably not be usable
13371 as it stacks many conditions before allowing successful completion
13372 of the login process. Essentially all conditions can be disabled
13373 by commenting them out except the calls to <tt class="filename">pam_pwdb.so</tt>.
13374 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2931000"></a>PAM: original login config</h4></div></div><div></div></div><pre class="programlisting">
13375 #%PAM-1.0
13376 # The PAM configuration file for the `login' service
13378 auth required pam_securetty.so
13379 auth required pam_nologin.so
13380 # auth required pam_dialup.so
13381 # auth optional pam_mail.so
13382 auth required pam_pwdb.so shadow md5
13383 # account requisite pam_time.so
13384 account required pam_pwdb.so
13385 session required pam_pwdb.so
13386 # session optional pam_lastlog.so
13387 # password required pam_cracklib.so retry=3
13388 password required pam_pwdb.so shadow md5
13389 </pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2931038"></a>PAM: login using pam_smbpass</h4></div></div><div></div></div><p>
13390 PAM allows use of replaceable modules. Those available on a sample system include:
13391 </p><p><tt class="prompt">$</tt><b class="userinput"><tt>/bin/ls /lib/security</tt></b>
13392 </p><pre class="programlisting">
13393 pam_access.so pam_ftp.so pam_limits.so
13394 pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
13395 pam_cracklib.so pam_group.so pam_listfile.so
13396 pam_nologin.so pam_rootok.so pam_tally.so
13397 pam_deny.so pam_issue.so pam_mail.so
13398 pam_permit.so pam_securetty.so pam_time.so
13399 pam_dialup.so pam_lastlog.so pam_mkhomedir.so
13400 pam_pwdb.so pam_shells.so pam_unix.so
13401 pam_env.so pam_ldap.so pam_motd.so
13402 pam_radius.so pam_smbpass.so pam_unix_acct.so
13403 pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
13404 pam_userdb.so pam_warn.so pam_unix_session.so
13405 </pre><p>
13406 The following example for the login program replaces the use of
13407 the <tt class="filename">pam_pwdb.so</tt> module which uses the system
13408 password database (<tt class="filename">/etc/passwd</tt>,
13409 <tt class="filename">/etc/shadow</tt>, <tt class="filename">/etc/group</tt>) with
13410 the module <tt class="filename">pam_smbpass.so</tt> which uses the Samba
13411 database which contains the Microsoft MD4 encrypted password
13412 hashes. This database is stored in either
13413 <tt class="filename">/usr/local/samba/private/smbpasswd</tt>,
13414 <tt class="filename">/etc/samba/smbpasswd</tt>, or in
13415 <tt class="filename">/etc/samba.d/smbpasswd</tt>, depending on the
13416 Samba implementation for your UNIX/Linux system. The
13417 <tt class="filename">pam_smbpass.so</tt> module is provided by
13418 Samba version 2.2.1 or later. It can be compiled by specifying the
13419 <tt class="option">--with-pam_smbpass</tt> options when running Samba's
13420 <b class="command">configure</b> script. For more information
13421 on the <tt class="filename">pam_smbpass</tt> module, see the documentation
13422 in the <tt class="filename">source/pam_smbpass</tt> directory of the Samba
13423 source distribution.
13424 </p><pre class="programlisting">
13425 #%PAM-1.0
13426 # The PAM configuration file for the `login' service
13428 auth required pam_smbpass.so nodelay
13429 account required pam_smbpass.so nodelay
13430 session required pam_smbpass.so nodelay
13431 password required pam_smbpass.so nodelay
13432 </pre><p>
13433 The following is the PAM configuration file for a particular
13434 Linux system. The default condition uses <tt class="filename">pam_pwdb.so</tt>.
13435 </p><pre class="programlisting">
13436 #%PAM-1.0
13437 # The PAM configuration file for the `samba' service
13439 auth required pam_pwdb.so nullok nodelay shadow audit
13440 account required pam_pwdb.so audit nodelay
13441 session required pam_pwdb.so nodelay
13442 password required pam_pwdb.so shadow md5
13443 </pre><p>
13444 In the following example the decision has been made to use the
13445 smbpasswd database even for basic samba authentication. Such a
13446 decision could also be made for the passwd program and would
13447 thus allow the smbpasswd passwords to be changed using the passwd
13448 program.
13449 </p><pre class="programlisting">
13450 #%PAM-1.0
13451 # The PAM configuration file for the `samba' service
13453 auth required pam_smbpass.so nodelay
13454 account required pam_pwdb.so audit nodelay
13455 session required pam_pwdb.so nodelay
13456 password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
13457 </pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>PAM allows stacking of authentication mechanisms. It is
13458 also possible to pass information obtained within one PAM module through
13459 to the next module in the PAM stack. Please refer to the documentation for
13460 your particular system implementation for details regarding the specific
13461 capabilities of PAM in this environment. Some Linux implementations also
13462 provide the <tt class="filename">pam_stack.so</tt> module that allows all
13463 authentication to be configured in a single central file. The
13464 <tt class="filename">pam_stack.so</tt> method has some very devoted followers
13465 on the basis that it allows for easier administration. As with all issues in
13466 life though, every decision makes trade-offs, so you may want to examine the
13467 PAM documentation for further helpful information.
13468 </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931283"></a>smb.conf PAM Configuration</h3></div></div><div></div></div><p>
13469 There is an option in smb.conf called <a class="indexterm" name="id2931292"></a><i class="parameter"><tt>obey pam restrictions</tt></i>.
13470 The following is from the on-line help for this option in SWAT;
13471 </p><p>
13472 When Samba is configured to enable PAM support (i.e.
13473 <tt class="option">--with-pam</tt>), this parameter will
13474 control whether or not Samba should obey PAM's account
13475 and session management directives. The default behavior
13476 is to use PAM for clear text authentication only and to
13477 ignore any account or session management. Note that Samba always
13478 ignores PAM for authentication in the case of
13479 <a class="indexterm" name="id2931323"></a><i class="parameter"><tt>encrypt passwords</tt></i> = yes.
13480 The reason is that PAM modules cannot support the challenge/response
13481 authentication mechanism needed in the presence of SMB
13482 password encryption.
13483 </p><p>Default: <a class="indexterm" name="id2931344"></a><i class="parameter"><tt>obey pam restrictions</tt></i> = no</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931361"></a>Remote CIFS Authentication using winbindd.so</h3></div></div><div></div></div><p>
13484 All operating systems depend on the provision of user credentials acceptable to the platform.
13485 UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID).
13486 These are both simple integer type numbers that are obtained from a password backend such
13487 as <tt class="filename">/etc/passwd</tt>.
13488 </p><p>
13489 Users and groups on a Windows NT server are assigned a relative id (rid) which is unique for
13490 the domain when the user or group is created. To convert the Windows NT user or group into
13491 a unix user or group, a mapping between rids and unix user and group ids is required. This
13492 is one of the jobs that winbind performs.
13493 </p><p>
13494 As winbind users and groups are resolved from a server, user and group ids are allocated
13495 from a specified range. This is done on a first come, first served basis, although all
13496 existing users and groups will be mapped as soon as a client performs a user or group
13497 enumeration command. The allocated unix ids are stored in a database file under the Samba
13498 lock directory and will be remembered.
13499 </p><p>
13500 The astute administrator will realize from this that the combination of <tt class="filename">pam_smbpass.so</tt>,
13501 <b class="command">winbindd</b>, and a distributed passdb backend, such as ldap, will allow the establishment of a
13502 centrally managed, distributed user/password database that can also be used by all PAM (eg: Linux) aware
13503 programs and applications. This arrangement can have particularly potent advantages compared with the use of
13504 Microsoft Active Directory Service (ADS) with respect to the reduction of wide area network authentication traffic.
13505 </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
13506 The rid to unix id database is the only location where the user and group mappings are
13507 stored by winbindd. If this file is deleted or corrupted, there is no way for winbindd
13508 to determine which user and group ids correspond to Windows NT user and group rids.
13509 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931445"></a>Password Synchronization using pam_smbpass.so</h3></div></div><div></div></div><p>
13510 pam_smbpass is a PAM module which can be used on conforming systems to
13511 keep the smbpasswd (Samba password) database in sync with the unix
13512 password file. PAM (Pluggable Authentication Modules) is an API supported
13513 under some Unices, such as Solaris, HPUX and Linux, that provides a
13514 generic interface to authentication mechanisms.
13515 </p><p>
13516 This module authenticates a local smbpasswd user database. If you require
13517 support for authenticating against a remote SMB server, or if you're
13518 concerned about the presence of suid root binaries on your system, it is
13519 recommended that you use pam_winbind instead.
13520 </p><p>
13521 Options recognized by this module are as follows:
13522 </p><div class="table"><a name="id2931477"></a><p class="title"><b>Table 25.1. Options recognized by pam_smbpass</b></p><table summary="Options recognized by pam_smbpass" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">debug</td><td align="justify">log more debugging info</td></tr><tr><td align="left">audit</td><td align="justify">like debug, but also logs unknown usernames</td></tr><tr><td align="left">use_first_pass</td><td align="justify">don't prompt the user for passwords; take them from PAM_ items instead</td></tr><tr><td align="left">try_first_pass</td><td align="justify">try to get the password from a previous PAM module, fall back to prompting the user</td></tr><tr><td align="left">use_authtok</td><td align="justify">like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set. (intended for stacking password modules only)</td></tr><tr><td align="left">not_set_pass</td><td align="justify">don't make passwords used by this module available to other modules.</td></tr><tr><td align="left">nodelay</td><td align="justify">don't insert ~1 second delays on authentication failure.</td></tr><tr><td align="left">nullok</td><td align="justify">null passwords are allowed.</td></tr><tr><td align="left">nonull</td><td align="justify">null passwords are not allowed. Used to override the Samba configuration.</td></tr><tr><td align="left">migrate</td><td align="justify">only meaningful in an "auth" context; used to update smbpasswd file with a password used for successful authentication.</td></tr><tr><td align="left">smbconf=<i class="replaceable"><tt>file</tt></i></td><td align="justify">specify an alternate path to the <tt class="filename">smb.conf</tt> file.</td></tr></tbody></table></div><p>
13523 </p><p>
13524 </p><div class="itemizedlist"><ul type="disc"><li><p><a href="mailto:morgan@transmeta.com" target="_top">Andrew Morgan</a>, for providing the Linux-PAM
13525 framework, without which none of this would have happened</p></li><li><p><a href="mailto:gafton@redhat.com" target="_top">Christian Gafton</a> and Andrew Morgan again, for the
13526 pam_pwdb module upon which pam_smbpass was originally based</p></li><li><p><a href="mailto:lkcl@switchboard.net" target="_top">Luke Leighton</a> for being receptive to the idea,
13527 and for the occasional good-natured complaint about the project's status
13528 that keeps me working on it :)</p></li></ul></div><p>
13529 </p><p>
13530 The following are examples of the use of pam_smbpass.so in the format of the Linux
13531 <tt class="filename">/etc/pam.d/</tt> file structure. Those wishing to implement this
13532 tool on other platforms will need to adapt this appropriately.
13533 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2931691"></a>Password Synchronisation Configuration</h4></div></div><div></div></div><p>
13534 A sample PAM configuration that shows the use of pam_smbpass to make
13535 sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow)
13536 is changed. Useful when an expired password might be changed by an
13537 application (such as ssh).
13538 </p><pre class="programlisting">
13539 #%PAM-1.0
13540 # password-sync
13542 auth requisite pam_nologin.so
13543 auth required pam_unix.so
13544 account required pam_unix.so
13545 password requisite pam_cracklib.so retry=3
13546 password requisite pam_unix.so shadow md5 use_authtok try_first_pass
13547 password required pam_smbpass.so nullok use_authtok try_first_pass
13548 session required pam_unix.so
13549 </pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2931724"></a>Password Migration Configuration</h4></div></div><div></div></div><p>
13550 A sample PAM configuration that shows the use of pam_smbpass to migrate
13551 from plaintext to encrypted passwords for Samba. Unlike other methods,
13552 this can be used for users who have never connected to Samba shares:
13553 password migration takes place when users ftp in, login using ssh, pop
13554 their mail, etc.
13555 </p><pre class="programlisting">
13556 #%PAM-1.0
13557 # password-migration
13559 auth requisite pam_nologin.so
13560 # pam_smbpass is called IF pam_unix succeeds.
13561 auth requisite pam_unix.so
13562 auth optional pam_smbpass.so migrate
13563 account required pam_unix.so
13564 password requisite pam_cracklib.so retry=3
13565 password requisite pam_unix.so shadow md5 use_authtok try_first_pass
13566 password optional pam_smbpass.so nullok use_authtok try_first_pass
13567 session required pam_unix.so
13568 </pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2931759"></a>Mature Password Configuration</h4></div></div><div></div></div><p>
13569 A sample PAM configuration for a 'mature' smbpasswd installation.
13570 private/smbpasswd is fully populated, and we consider it an error if
13571 the smbpasswd doesn't exist or doesn't match the UNIX password.
13572 </p><pre class="programlisting">
13573 #%PAM-1.0
13574 # password-mature
13576 auth requisite pam_nologin.so
13577 auth required pam_unix.so
13578 account required pam_unix.so
13579 password requisite pam_cracklib.so retry=3
13580 password requisite pam_unix.so shadow md5 use_authtok try_first_pass
13581 password required pam_smbpass.so use_authtok use_first_pass
13582 session required pam_unix.so
13583 </pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2931790"></a>Kerberos Password Integration Configuration</h4></div></div><div></div></div><p>
13584 A sample PAM configuration that shows pam_smbpass used together with
13585 pam_krb5. This could be useful on a Samba PDC that is also a member of
13586 a Kerberos realm.
13587 </p><pre class="programlisting">
13588 #%PAM-1.0
13589 # kdc-pdc
13591 auth requisite pam_nologin.so
13592 auth requisite pam_krb5.so
13593 auth optional pam_smbpass.so migrate
13594 account required pam_krb5.so
13595 password requisite pam_cracklib.so retry=3
13596 password optional pam_smbpass.so nullok use_authtok try_first_pass
13597 password required pam_krb5.so use_authtok try_first_pass
13598 session required pam_krb5.so
13599 </pre></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2931826"></a>Common Errors</h2></div></div><div></div></div><p>
13600 PAM can be very fickle and sensitive to configuration glitches. Here we look at a few cases from
13601 the Samba mailing list.
13602 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931839"></a>pam_winbind problem</h3></div></div><div></div></div><p>
13603 &#8220;<span class="quote">
13604 I have the following PAM configuration:
13605 </span>&#8221;
13606 </p><p>
13607 </p><pre class="programlisting">
13608 auth required /lib/security/pam_securetty.so
13609 auth sufficient /lib/security/pam_winbind.so
13610 auth sufficient /lib/security/pam_unix.so use_first_pass nullok
13611 auth required /lib/security/pam_stack.so service=system-auth
13612 auth required /lib/security/pam_nologin.so
13613 account required /lib/security/pam_stack.so service=system-auth
13614 account required /lib/security/pam_winbind.so
13615 password required /lib/security/pam_stack.so service=system-auth
13616 </pre><p>
13617 </p><p>
13618 &#8220;<span class="quote">
13619 When I open a new console with [ctrl][alt][F1], then I can't log in with my user "pitie".
13620 I've tried with user "scienceu+pitie" also.
13621 </span>&#8221;
13622 </p><p>
13623 The problem may lie with your inclusion of <i class="parameter"><tt>pam_stack.so
13624 service=system-auth</tt></i>. That file often contains a lot of stuff that may
13625 duplicate what you're already doing. Try commenting out the pam_stack lines
13626 for auth and account and see if things work. If they do, look at
13627 <tt class="filename">/etc/pam.d/system-auth</tt> and copy only what you need from it into your
13628 <tt class="filename">/etc/pam.d/login</tt> file. Alternatively, if you want all services to use
13629 winbind, you can put the winbind-specific stuff in <tt class="filename">/etc/pam.d/system-auth</tt>.
13630 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931926"></a>Winbind is not resolving users and groups</h3></div></div><div></div></div><p>
13631 &#8220;<span class="quote">
13632 My smb.conf file is correctly configured. I have specified
13633 <a class="indexterm" name="id2931940"></a><i class="parameter"><tt>idmap uid</tt></i> = 12000,
13634 and <a class="indexterm" name="id2931955"></a><i class="parameter"><tt>idmap gid</tt></i> = 3000-3500
13635 and <b class="command">winbind</b> is running. When I do the following it all works fine.
13636 </span>&#8221;
13637 </p><pre class="screen">
13638 <tt class="prompt">root# </tt><b class="userinput"><tt>wbinfo -u</tt></b>
13639 MIDEARTH+maryo
13640 MIDEARTH+jackb
13641 MIDEARTH+ameds
13643 MIDEARTH+root
13645 <tt class="prompt">root# </tt><b class="userinput"><tt>wbinfo -g</tt></b>
13646 MIDEARTH+Domain Users
13647 MIDEARTH+Domain Admins
13648 MIDEARTH+Domain Guests
13650 MIDEARTH+Accounts
13652 <tt class="prompt">root# </tt><b class="userinput"><tt>getent passwd</tt></b>
13653 root:x:0:0:root:/root:/bin/bash
13654 bin:x:1:1:bin:/bin:/bin/bash
13656 maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
13657 </pre><p>
13658 &#8220;<span class="quote">
13659 But the following command just fails:
13660 </span>&#8221;
13661 </p><pre class="screen">
13662 <tt class="prompt">root# </tt><b class="userinput"><tt>chown 'maryo' a_file</tt></b>
13663 chown: `maryo': invalid user
13664 </pre><p>
13665 &#8220;<span class="quote">
13666 This is driving me nuts! What can be wrong?
13667 </span>&#8221;
13668 </p><p>
13669 Your system is likely running <b class="command">nscd</b>, the name service
13670 caching daemon. Shut it down, do NOT restart it! You will find your problem resolved.
13671 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="integrate-ms-networks"></a>Chapter 26. Integrating MS Windows networks with Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate"> (Jan 01 2001) </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2932164">Features and Benefits</a></dt><dt><a href="#id2932188">Background Information</a></dt><dt><a href="#id2932259">Name Resolution in a pure UNIX/Linux world</a></dt><dd><dl><dt><a href="#id2932315">/etc/hosts</a></dt><dt><a href="#id2932456">/etc/resolv.conf</a></dt><dt><a href="#id2932499">/etc/host.conf</a></dt><dt><a href="#id2932551">/etc/nsswitch.conf</a></dt></dl></dd><dt><a href="#id2932655">Name resolution as used within MS Windows networking</a></dt><dd><dl><dt><a href="#id2932922">The NetBIOS Name Cache</a></dt><dt><a href="#id2932985">The LMHOSTS file</a></dt><dt><a href="#id2933234">HOSTS file</a></dt><dt><a href="#id2933266">DNS Lookup</a></dt><dt><a href="#id2933298">WINS Lookup</a></dt></dl></dd><dt><a href="#id2933416">Common Errors</a></dt><dd><dl><dt><a href="#id2933432">Pinging works only in one way</a></dt><dt><a href="#id2933465">Very Slow Network Connections</a></dt><dt><a href="#id2933517">Samba server name change problem</a></dt></dl></dd></dl></div><a class="indexterm" name="id2932131"></a><p>
13672 This section deals with NetBIOS over TCP/IP name to IP address resolution. If
13673 your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this
13674 section does not apply to your installation. If your installation involves use of
13675 NetBIOS over TCP/IP then this section may help you to resolve networking problems.
13676 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
13677 NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS
13678 over Logical Link Control (LLC). On modern networks it is highly advised
13679 to NOT run NetBEUI at all. Note also that there is NO such thing as
13680 NetBEUI over TCP/IP - the existence of such a protocol is a complete
13681 and utter misapprehension.
13682 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2932164"></a>Features and Benefits</h2></div></div><div></div></div><p>
13683 Many MS Windows network administrators have never been exposed to basic TCP/IP
13684 networking as it is implemented in a UNIX/Linux operating system. Likewise, many UNIX and
13685 Linux administrators have not been exposed to the intricacies of MS Windows TCP/IP based
13686 networking (and may have no desire to be either).
13687 </p><p>
13688 This chapter gives a short introduction to the basics of how a name can be resolved to
13689 its IP address for each operating system environment.
13690 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2932188"></a>Background Information</h2></div></div><div></div></div><p>
13691 Since the introduction of MS Windows 2000 it is possible to run MS Windows networking
13692 without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for the NetBIOS
13693 name service, UDP port 138 for the NetBIOS datagram service (browsing and logon broadcasts)
13694 and TCP port 139 for NetBIOS session services. When NetBIOS over TCP/IP is disabled on
13695 MS Windows 2000 and later clients then only TCP port 445 (SMB directly over TCP) will be
13696 used; UDP ports 137 and 138 and TCP port 139 will not.
13696 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
13697 When using Windows 2000 or later clients, if NetBIOS over TCP/IP is NOT disabled, then
13698 the client will use UDP port 137 (the NetBIOS Name Service; WINS is Microsoft's implementation
13699 of a NetBIOS Name Server), TCP port 139 AND TCP port 445 (for actual file and print traffic).
13700 </p></div><p>
13701 When NetBIOS over TCP/IP is disabled the use of DNS is essential. Most installations that
13702 disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS depends on
13703 <a class="indexterm" name="id2932233"></a>
13704 DNS Service Resource Records (SRV RR) to locate domain controllers; in practice this means Dynamic DNS, and Microsoft's DNS server also uses Incremental Zone Transfers (IXFR).
13705 <a class="indexterm" name="id2932246"></a>
13706 Use of DHCP with ADS is recommended as a further means of maintaining central control
13707 over client workstation network configuration.
13708 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2932259"></a>Name Resolution in a pure UNIX/Linux world</h2></div></div><div></div></div><p>
13709 The key configuration files covered in this section are:
13710 </p><div class="itemizedlist"><ul type="disc"><li><p><tt class="filename">/etc/hosts</tt></p></li><li><p><tt class="filename">/etc/resolv.conf</tt></p></li><li><p><tt class="filename">/etc/host.conf</tt></p></li><li><p><tt class="filename">/etc/nsswitch.conf</tt></p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932315"></a><tt class="filename">/etc/hosts</tt></h3></div></div><div></div></div><p>
13711 Contains a static list of IP addresses and names.
13713 </p><pre class="programlisting">
13714 127.0.0.1 localhost localhost.localdomain
13715 192.168.1.1 bigbox.caldera.com bigbox alias4box
13716 </pre><p>
13717 The purpose of <tt class="filename">/etc/hosts</tt> is to provide a
13718 name resolution mechanism so that users do not need to remember
13719 IP addresses.
13720 </p><p>
13721 Network packets that are sent over the physical network transport
13722 layer are addressed not by IP address but by the Media Access Control
13723 address, or MAC address. IPv4 addresses are 32 bits in length and are
13724 typically presented as four (4) decimal numbers separated by a dot
13725 (or period), e.g. 192.168.1.1.
13726 </p><a class="indexterm" name="id2932364"></a><p>
13727 MAC Addresses use 48 bits (or 6 bytes) and are typically represented
13728 as two digit hexadecimal numbers separated by colons. eg:
13729 40:8e:0a:12:34:56
13730 </p><p>
13731 Every network interface must have a MAC address. Associated with
13732 a MAC address there may be one or more IP addresses. There is NO
13733 intrinsic relationship between an IP address and a MAC address; all such
13734 assignments are administrative in nature. At the most basic level all
13735 communication on a network segment takes place using MAC addressing. Since
13736 a MAC address is intended to be globally unique and generally remains fixed
13737 for any particular interface, attaching one or more administratively chosen
13738 IP addresses to it is what makes the network manageable. More than one IP
13739 address can be assigned per MAC address; ARP answers for whichever of those
13740 addresses is asked about, and there is no notion of a "primary" address at that level.
13741 </p><p>
13742 When a user or a process wants to communicate with another machine
13743 the protocol implementation ensures that the "machine name" or "host
13744 name" is resolved to an IP address in a manner that is controlled
13745 by the TCP/IP configuration control files. The file
13746 <tt class="filename">/etc/hosts</tt> is one such file.
13747 </p><p>
13748 When the IP address of the destination interface has been
13749 determined, the Address Resolution Protocol (ARP) is used to identify
13750 the MAC address of the target interface. ARP is not carried over UDP or
13751 even IP: it is a link-layer protocol. The request is broadcast to all
13752 interfaces on the local network segment using the all 1's destination MAC
13753 address, ff:ff:ff:ff:ff:ff. Network interfaces accept frames addressed to
13754 their own unique MAC address and to the broadcast address (and to any
13755 multicast groups they have joined). Only the interface that owns the
13756 requested IP address replies, with a unicast ARP reply carrying its MAC
13757 address, which the sender then caches. If the destination is not on the
13758 local segment the sender instead asks for the MAC address of its default
13759 gateway. RARP, the reverse lookup, is a separate and now largely obsolete
13760 protocol that diskless hosts once used to discover their own IP address.
13759 </p><a class="indexterm" name="id2932429"></a><p>
13760 The <tt class="filename">/etc/hosts</tt> file is foundational to all
13761 UNIX/Linux TCP/IP installations and as a minimum will contain
13762 the localhost and local network interface IP addresses and the
13763 primary names by which they are known within the local machine.
13764 This file helps to prime the pump so that a basic level of name
13765 resolution can exist before any other method of name resolution
13766 becomes available.
13767 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932456"></a><tt class="filename">/etc/resolv.conf</tt></h3></div></div><div></div></div><p>
13768 This file tells the name resolution libraries:
13769 </p><div class="itemizedlist"><ul type="disc"><li><p>The name of the domain to which the machine
13770 belongs
13771 </p></li><li><p>The name(s) of any domains that should be
13772 automatically searched when trying to resolve unqualified
13773 host names to their IP address
13774 </p></li><li><p>The name or IP address of available Domain
13775 Name Servers that may be asked to perform name to address
13776 translation lookups
13777 </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932499"></a><tt class="filename">/etc/host.conf</tt></h3></div></div><div></div></div><a class="indexterm" name="id2932512"></a><p>
13778 <tt class="filename">/etc/host.conf</tt> configures the behaviour of
13779 the resolver library. On older libc5-based systems its <tt>order</tt> line was the primary
13780 means of controlling whether <tt class="filename">/etc/hosts</tt> or the DNS servers named in
13781 <tt class="filename">/etc/resolv.conf</tt> are consulted first; on glibc-based systems that order is
13782 governed by the <tt>hosts:</tt> line of <tt class="filename">/etc/nsswitch.conf</tt> (next section), and
13783 <tt class="filename">/etc/host.conf</tt> still supplies options such as <tt>multi</tt>. The typical structure is:
13784 </p><pre class="programlisting">
13785 order hosts,bind
13786 multi on
13787 </pre><p>
13788 <tt>order hosts,bind</tt> means that <tt class="filename">/etc/hosts</tt> is searched before DNS is
13789 asked. <tt>multi on</tt> means that if a host has more than one address listed in
13790 <tt class="filename">/etc/hosts</tt> then all of its addresses should be returned, not only the
13791 first. Please refer to the man page for host.conf for further details.
13788 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932551"></a><tt class="filename">/etc/nsswitch.conf</tt></h3></div></div><div></div></div><a class="indexterm" name="id2932563"></a><p>
13789 This file controls the actual name resolution targets. The
13790 file typically has resolver object specifications as follows:
13791 </p><pre class="programlisting">
13792 # /etc/nsswitch.conf
13794 # Name Service Switch configuration file.
13797 passwd: compat
13798 # Alternative entries for password authentication are:
13799 # passwd: compat files nis ldap winbind
13800 shadow: compat
13801 group: compat
13803 hosts: files nis dns
13804 # Alternative entries for host name resolution are:
13805 # hosts: files dns nis nis+ hesiod db compat ldap wins
13806 networks: nis files dns
13808 ethers: nis files
13809 protocols: nis files
13810 rpc: nis files
13811 services: nis files
13812 </pre><p>
13813 Of course, each of these mechanisms requires that the appropriate
13814 facilities and/or services are correctly configured.
13815 </p><p>
13816 It should be noted that unless a network request/message must be
13817 sent, TCP/IP networks are silent. All TCP/IP communication assumes a
13818 principle of speaking only when necessary.
13819 </p><a class="indexterm" name="id2932608"></a><p>
13820 Starting with version 2.2.0 Samba includes, for Linux, an extension to
13821 the name service switch infrastructure so that Linux clients can
13822 obtain resolution of MS Windows NetBIOS names to IP
13823 addresses. To gain this functionality Samba needs to be compiled
13824 with the appropriate make target (i.e.: <b class="userinput"><tt>make
13825 nsswitch/libnss_wins.so</tt></b>). The resulting library should
13826 then be installed in the <tt class="filename">/lib</tt> directory and
13827 the "wins" parameter added to the "hosts:" line in
13828 the <tt class="filename">/etc/nsswitch.conf</tt> file. At this point it
13829 will be possible to ping any MS Windows machine by its NetBIOS
13830 machine name, so long as the name can be resolved either by broadcast on
13831 the local subnet or through the WINS server named in <tt class="filename">smb.conf</tt>.
13832 Bear in mind that NetBIOS name lookups are unauthenticated: any host on the
13833 segment may answer a broadcast query. Put "wins" after "files" and "dns"
13834 on the "hosts:" line, so that only names no other source can resolve are
13835 ever looked up that way.
13832 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2932655"></a>Name resolution as used within MS Windows networking</h2></div></div><div></div></div><p>
13833 MS Windows networking is predicated on the name each machine
13834 is given. This name is known variously (and inconsistently) as
13835 the "computer name", "machine name", "networking name", "netbios name",
13836 or "SMB name". All terms mean the same thing with the exception of
13837 "netbios name" which can apply also to the name of the workgroup or the
13838 domain name. The terms "workgroup" and "domain" are really just a
13839 simple name with which the machine is associated. All NetBIOS names
13840 are exactly 16 bytes in length: up to 15 characters of name, padded
13841 with spaces, followed by a 16th byte that is reserved. That byte holds
13842 a one byte value that indicates service level information for the NetBIOS
13843 name that is registered. A NetBIOS machine name is therefore registered
13844 for each service type that is provided by the client/server.
13845 </p><p>
13846 The following are typical NetBIOS name/service type registrations:
13847 </p><div class="table"><a name="id2932688"></a><p class="title"><b>Table 26.1. Unique NetBIOS names</b></p><table summary="Unique NetBIOS names" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">MACHINENAME&lt;00&gt;</td><td align="justify">Workstation Service is running on MACHINENAME (the base machine name)</td></tr><tr><td align="left">MACHINENAME&lt;03&gt;</td><td align="justify">Messenger Service is running on MACHINENAME</td></tr><tr><td align="left">MACHINENAME&lt;20&gt;</td><td align="justify">Server (file and print) service is running on MACHINENAME</td></tr><tr><td align="left">WORKGROUP&lt;1b&gt;</td><td align="justify">Domain Master Browser</td></tr></tbody></table></div><div class="table"><a name="id2932758"></a><p class="title"><b>Table 26.2. Group Names</b></p><table summary="Group Names" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">WORKGROUP&lt;00&gt;</td><td align="justify">Generic Name registered by all members of WORKGROUP</td></tr><tr><td align="left">WORKGROUP&lt;1c&gt;</td><td align="justify">Domain Controllers / Netlogon Servers</td></tr><tr><td align="left">WORKGROUP&lt;1d&gt;</td><td align="justify">Local Master Browser</td></tr><tr><td align="left">WORKGROUP&lt;1e&gt;</td><td align="justify">Browser Service Elections</td></tr></tbody></table></div><p>
13848 <a class="indexterm" name="id2932830"></a>
13849 It should be noted that all NetBIOS machines register their own
13850 names as per the above. This is in vast contrast to TCP/IP
13851 installations where traditionally the system administrator will
13852 determine in the /etc/hosts or in the DNS database what names
13853 are associated with each IP address.
13854 </p><a class="indexterm" name="id2932845"></a><p>
13855 One further point of clarification should be noted, the <tt class="filename">/etc/hosts</tt>
13856 file and the DNS records do not provide the NetBIOS name type information
13857 that MS Windows clients depend on to locate the type of service that may
13858 be needed. An example of this is what happens when an MS Windows client
13859 wants to locate a domain logon server. It finds this service, and the IP
13860 addresses of the servers that provide it, by performing a lookup (via a
13861 NetBIOS broadcast, or a query to a WINS server) for the group name
13862 DOMAIN&lt;1c&gt;, which every domain controller registers. A logon request is
13863 then sent to each IP address returned in the enumerated list of IP addresses.
13864 Whichever machine first replies then ends up providing the logon services.
13865 </p><p>
13866 The name "workgroup" or "domain" really can be confusing since these
13867 have the added significance of indicating what is the security
13868 architecture of the MS Windows network. The term "workgroup" indicates
13869 that the primary nature of the network environment is that of a
13870 peer-to-peer design. In a WORKGROUP all machines are responsible for
13871 their own security, and generally such security is limited to use of
13872 just a password (known as SHARE MODE security). In most situations
13873 with peer-to-peer networking the users who control their own machines
13874 will simply opt to have no security at all. It is possible to have
13875 USER MODE security in a WORKGROUP environment, thus requiring use
13876 of a user name and a matching password.
13877 </p><p>
13878 MS Windows networking is thus built around the use of machine names
13879 for all local and remote machine message passing. The protocol used is
13880 called Server Message Block (SMB) and this is implemented using
13881 the NetBIOS protocol (Network Basic Input Output System). NetBIOS can
13882 be encapsulated using LLC (Logical Link Control) protocol - in which case
13883 the resulting protocol is called NetBEUI (Network Basic Extended User
13884 Interface). NetBIOS can also be run over IPX (Internetworking Packet
13885 Exchange) protocol as used by Novell NetWare, and it can be run
13886 over TCP/IP protocols - in which case the resulting protocol is called
13887 NBT or NetBT, the NetBIOS over TCP/IP.
13888 </p><p>
13889 MS Windows machines use a complex array of name resolution mechanisms.
13890 Since we are primarily concerned with TCP/IP this demonstration is
13891 limited to this area.
13892 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932922"></a>The NetBIOS Name Cache</h3></div></div><div></div></div><p>
13893 All MS Windows machines employ an in memory buffer in which is
13894 stored the NetBIOS names and IP addresses for all external
13895 machines that that machine has communicated with over the
13896 past 10-15 minutes. It is more efficient to obtain an IP address
13897 for a machine from the local cache than it is to go through all the
13898 configured name resolution mechanisms.
13899 </p><p>
13900 If a machine whose name is in the local name cache has been shut
13901 down before the name had been expired and flushed from the cache, then
13902 an attempt to exchange a message with that machine will be subject
13903 to time-out delays. i.e.: Its name is in the cache, so a name resolution
13904 lookup will succeed, but the machine can not respond. This can be
13905 frustrating for users - but it is a characteristic of the protocol.
13906 </p><a class="indexterm" name="id2932955"></a><a class="indexterm" name="id2932963"></a><p>
13907 The MS Windows utility that allows examination of the NetBIOS
13908 name cache is called "nbtstat" (<tt>nbtstat -c</tt> lists the cache, <tt>nbtstat -n</tt> the
13909 names the machine itself has registered). Samba keeps no such cache; its
13910 <b class="command">nmblookup</b> command performs the corresponding NetBIOS name queries directly.
13910 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932985"></a>The LMHOSTS file</h3></div></div><div></div></div><a class="indexterm" name="id2932993"></a><p>
13911 This file is usually located in MS Windows NT 4.0 or
13912 2000 in <tt class="filename">C:\WINNT\SYSTEM32\DRIVERS\ETC</tt> and contains
13913 the IP Address and the machine name in matched pairs. The
13914 <tt class="filename">LMHOSTS</tt> file performs NetBIOS name
13915 to IP address mapping.
13916 </p><p>
13917 It typically looks like:
13918 </p><pre class="programlisting">
13919 # Copyright (c) 1998 Microsoft Corp.
13921 # This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS
13922 # over TCP/IP) stack for Windows98
13924 # This file contains the mappings of IP addresses to NT computernames
13925 # (NetBIOS) names. Each entry should be kept on an individual line.
13926 # The IP address should be placed in the first column followed by the
13927 # corresponding computername. The address and the computername
13928 # should be separated by at least one space or tab. The "#" character
13929 # is generally used to denote the start of a comment (see the exceptions
13930 # below).
13932 # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
13933 # files and offers the following extensions:
13935 # #PRE
13936 # #DOM:&lt;domain&gt;
13937 # #INCLUDE &lt;filename&gt;
13938 # #BEGIN_ALTERNATE
13939 # #END_ALTERNATE
13940 # \0xnn (non-printing character support)
13942 # Following any entry in the file with the characters "#PRE" will cause
13943 # the entry to be preloaded into the name cache. By default, entries are
13944 # not preloaded, but are parsed only after dynamic name resolution fails.
13946 # Following an entry with the "#DOM:&lt;domain&gt;" tag will associate the
13947 # entry with the domain specified by &lt;domain&gt;. This affects how the
13948 # browser and logon services behave in TCP/IP environments. To preload
13949 # the host name associated with #DOM entry, it is necessary to also add a
13950 # #PRE to the line. The &lt;domain&gt; is always preloaded although it will not
13951 # be shown when the name cache is viewed.
13953 # Specifying "#INCLUDE &lt;filename&gt;" will force the RFC NetBIOS (NBT)
13954 # software to seek the specified &lt;filename&gt; and parse it as if it were
13955 # local. &lt;filename&gt; is generally a UNC-based name, allowing a
13956 # centralized lmhosts file to be maintained on a server.
13957 # It is ALWAYS necessary to provide a mapping for the IP address of the
13958 # server prior to the #INCLUDE. This mapping must use the #PRE directive.
13959 # In addition the share "public" in the example below must be in the
13960 # LanManServer list of "NullSessionShares" in order for client machines to
13961 # be able to read the lmhosts file successfully. This key is under
13962 # \machine\system\currentcontrolset\services\lanmanserver\
13963 # parameters\nullsessionshares
13964 # in the registry. Simply add "public" to the list found there.
13966 # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
13967 # statements to be grouped together. Any single successful include
13968 # will cause the group to succeed.
13970 # Finally, non-printing characters can be embedded in mappings by
13971 # first surrounding the NetBIOS name in quotations, then using the
13972 # \0xnn notation to specify a hex value for a non-printing character.
13974 # The following example illustrates all of these extensions:
13976 # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
13977 # 102.54.94.102 "appname \0x14" #special app server
13978 # 102.54.94.123 popular #PRE #source server
13979 # 102.54.94.117 localsrv #PRE #needed for the include
13981 # #BEGIN_ALTERNATE
13982 # #INCLUDE \\localsrv\public\lmhosts
13983 # #INCLUDE \\rhino\public\lmhosts
13984 # #END_ALTERNATE
13986 # In the above example, the "appname" server contains a special
13987 # character in its name, the "popular" and "localsrv" server names are
13988 # preloaded, and the "rhino" server name is specified so it can be used
13989 # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
13990 # system is unavailable.
13992 # Note that the whole file is parsed including comments on each lookup,
13993 # so keeping the number of comments to a minimum will improve performance.
13994 # Therefore it is not advisable to simply add lmhosts file entries onto the
13995 # end of this file.
13996 </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933234"></a>HOSTS file</h3></div></div><div></div></div><p>
13997 This file is usually located in MS Windows NT 4.0 or 2000 in
13998 <tt class="filename">C:\WINNT\SYSTEM32\DRIVERS\ETC</tt> and contains
13999 the IP Address and the IP hostname in matched pairs. It can be
14000 used by the name resolution infrastructure in MS Windows, depending
14001 on how the TCP/IP environment is configured. This file is in
14002 every way the equivalent of the UNIX/Linux <tt class="filename">/etc/hosts</tt> file.
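</p><p>
The LMHOSTS directives from the previous section (#PRE, #DOM:, #INCLUDE with #BEGIN_ALTERNATE/#END_ALTERNATE, and \0xnn inside quoted names) parsed in working code, as an added example that is not part of the Samba documentation or of Windows. The sample file is constructed for the example from the entries in Microsoft's sample above, uncommented so that they are live; the function and class names are the example's own.
</p>

```python
import re
from dataclasses import dataclass, field

# An entry is an IP address, then either a quoted name (may contain spaces and \0xnn escapes)
# or a bare token, then the rest of the line, in which #PRE, #DOM:<domain> and plain comments appear.
ENTRY_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>"[^"]*"|\S+)(?P<rest>.*)$')
ESCAPE_RE = re.compile(r'\\0x([0-9A-Fa-f]{2})')


@dataclass
class LmhostsEntry:
    ip: str
    name: str                 # decoded NetBIOS name; a quoted name keeps its padding and \0xnn bytes
    preload: bool = False     # #PRE: loaded into the name cache at start-up
    domain: str = None        # #DOM:<domain>: the host is a domain controller for <domain>


@dataclass
class Lmhosts:
    entries: list = field(default_factory=list)
    includes: list = field(default_factory=list)   # groups of alternative #INCLUDE UNC paths


def decode_name(token):
    """Strip quotes and resolve \\0xnn escapes; an unquoted name is used as written."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), token[1:-1])
    return token


def parse_lmhosts(text):
    result = Lmhosts()
    group = None                                  # the open #BEGIN_ALTERNATE block, if any
    for raw in text.splitlines():
        line = raw.strip()
        upper = line.upper()
        if not line:
            continue
        if upper.startswith("#BEGIN_ALTERNATE"):
            group = []
        elif upper.startswith("#END_ALTERNATE"):
            if group:
                result.includes.append(group)
            group = None
        elif upper.startswith("#INCLUDE"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                path = parts[1].split("#", 1)[0].strip()   # a comment may follow the path
                if group is not None:
                    group.append(path)
                else:
                    result.includes.append([path])          # a lone #INCLUDE is a group of one
        elif line.startswith("#"):
            continue                                        # ordinary comment
        else:
            m = ENTRY_RE.match(line)
            if not m:
                continue                                    # malformed line; Windows skips it too
            rest = m.group("rest")
            dom = re.search(r"#DOM:(\S+)", rest, re.IGNORECASE)
            result.entries.append(LmhostsEntry(
                ip=m.group("ip"), name=decode_name(m.group("name")),
                preload=re.search(r"#PRE\b", rest, re.IGNORECASE) is not None,
                domain=dom.group(1) if dom else None))
    return result


def audit_lmhosts(text):
    """What to pull out of a client's LMHOSTS first: preloaded names and the include servers."""
    lm = parse_lmhosts(text)
    servers = sorted({p.split("\\")[2] for g in lm.includes for p in g
                      if p.startswith("\\\\") and p.count("\\") >= 3})
    return {"preloaded": [(e.name, e.ip, e.domain) for e in lm.entries if e.preload],
            "include_servers": servers,
            "includes": lm.includes}


# Constructed sample: the entries from Microsoft's sample file, uncommented so that they are live.
SAMPLE = r'''
102.54.94.97     rhino          #PRE #DOM:networking  #net group's DC
102.54.94.102    "appname \0x14"                      #special app server
102.54.94.123    popular        #PRE                  #source server
102.54.94.117    localsrv       #PRE                  #needed for the include

#BEGIN_ALTERNATE
#INCLUDE \\localsrv\public\lmhosts
#INCLUDE \\rhino\public\lmhosts
#END_ALTERNATE
'''

if __name__ == "__main__":
    for key, value in audit_lmhosts(SAMPLE).items():
        print(key, value)
```

<p>
Two things worth pulling out of a client's LMHOSTS during an investigation are the #PRE entries, which are loaded into the name cache at start-up and therefore win over any broadcast or WINS answer for that name, and the #INCLUDE paths, since the client fetches further mappings from whatever server those UNC paths name (over a null session, as the sample file notes). <tt>audit_lmhosts</tt> returns both.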
14003 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933266"></a>DNS Lookup</h3></div></div><div></div></div><a class="indexterm" name="id2933274"></a><p>
14004 This capability is configured in the TCP/IP setup area in the network
14005 configuration facility. If enabled, an elaborate name resolution sequence
14006 is followed, the precise nature of which depends on how the NetBIOS
14007 Node Type is configured (the <tt>NodeType</tt> registry value: 1 = B-node, 2 = P-node,
14008 4 = M-node, 8 = H-node). A B-node client, which is what a client with no WINS
14009 server configured defaults to, first checks the NetBIOS name cache, then sends
14010 a NetBIOS broadcast (over UDP); if that fails LMHOSTS, HOSTS and finally DNS are
14011 checked. An H-node client, the default once a WINS server address has been
14012 configured, sends a NetBIOS unicast query (over UDP) to the WINS server
14013 after the cache check and before broadcast, LMHOSTS, HOSTS or DNS are tried.
14014 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933298"></a>WINS Lookup</h3></div></div><div></div></div><a class="indexterm" name="id2933306"></a><p>
14015 A WINS (Windows Internet Name Service) server is the equivalent of the
14016 RFC 1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
14017 the names and IP addresses that are registered by a Windows client
14018 if the TCP/IP setup has been given at least one WINS Server IP Address.
14019 </p><p>
14020 To configure Samba to be a WINS server the following parameter needs
14021 to be added to the <tt class="filename">smb.conf</tt> file:
14022 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>wins support = Yes</tt></i></td></tr></table><p>
14023 To configure Samba to use a WINS server the following parameters are
14024 needed in the <tt class="filename">smb.conf</tt> file:
14025 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>wins support = No</tt></i></td></tr><tr><td><i class="parameter"><tt>wins server = xxx.xxx.xxx.xxx</tt></i></td></tr></table><p>
14026 where <i class="replaceable"><tt>xxx.xxx.xxx.xxx</tt></i> is the IP address
14027 of the WINS server.
14028 </p><p>For information about setting up Samba as a WINS server, read
14029 <a href="#NetworkBrowsing" title="Chapter 10. Samba / MS Windows Network Browsing Guide">the chapter on network browsing</a>.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933416"></a>Common Errors</h2></div></div><div></div></div><p>
14030 TCP/IP network configuration problems find every network administrator sooner or later.
14031 The cause can be anything from keyboard mishaps and forgetfulness to simple mistakes and
14032 carelessness. Of course, no one is ever deliberately careless!
14033 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933432"></a>Pinging works only in one way</h3></div></div><div></div></div><p>
14034 &#8220;<span class="quote">I can ping my samba server from Windows, but I can
14035 not ping my Windows machine from the samba server.</span>&#8221;
14036 </p><p>
14037 The Windows machine was at IP Address 192.168.1.2 with netmask 255.255.255.0, the
14038 Samba server (Linux) was at IP Address 192.168.1.130 with netmask 255.255.255.128.
14039 The machines were on a local network with no external connections.
14040 </p><p>
14041 Due to inconsistent netmasks, the Windows machine was on network 192.168.1.0/24, while
14042 the Samba server was on network 192.168.1.128/25 - logically a different network.
14043 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933465"></a>Very Slow Network Connections</h3></div></div><div></div></div><p>
14044 Common causes of slow network response include:
14045 </p><div class="itemizedlist"><ul type="disc"><li><p>Client is configured to use DNS and the DNS server is down</p></li><li><p>Client is configured to use a remote DNS server, but the remote connection is down</p></li><li><p>Client is configured to use a WINS server, but there is no WINS server</p></li><li><p>Client is NOT configured to use a WINS server, but there is a WINS server</p></li><li><p>A firewall is filtering DNS or WINS traffic</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933517"></a>Samba server name change problem</h3></div></div><div></div></div><p>
14046 &#8220;<span class="quote">The name of the samba server was changed, samba was restarted, samba server can not be
14047 pinged by new name from MS Windows NT4 Workstation, but it does still respond to ping using
14048 the old name. Why?</span>&#8221;
14049 </p><p>
14050 From this description three (3) things are rather obvious:
14051 </p><div class="itemizedlist"><ul type="disc"><li><p>WINS is NOT in use, only broadcast based name resolution is used</p></li><li><p>The samba server was renamed and restarted within the last 10-15 minutes</p></li><li><p>The old samba server name is still in the NetBIOS name cache on the MS Windows NT4 Workstation</p></li></ul></div><p>
14052 To find what names are present in the NetBIOS name cache on the MS Windows NT4 machine,
14053 open a cmd shell, then:
14054 </p><p>
14055 </p><pre class="screen">
14056 <tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>nbtstat -n</tt></b>
14058 NetBIOS Local Name Table
14060 Name Type Status
14061 ------------------------------------------------
14062 FRODO &lt;03&gt; UNIQUE Registered
14063 ADMINISTRATOR &lt;03&gt; UNIQUE Registered
14064 FRODO &lt;00&gt; UNIQUE Registered
14065 SARDON &lt;00&gt; GROUP Registered
14066 FRODO &lt;20&gt; UNIQUE Registered
14067 FRODO &lt;1F&gt; UNIQUE Registered
14070 <tt class="prompt">C:\&gt; </tt>nbtstat -c
14072 NetBIOS Remote Cache Name Table
14074 Name Type Host Address Life [sec]
14075 --------------------------------------------------------------
14076 GANDALF &lt;20&gt; UNIQUE 192.168.1.1 240
14078 <tt class="prompt">C:\&gt; </tt>
14079 </pre><p>
14080 </p><p>
14081 In the above example, GANDALF is the Samba server and FRODO is the MS Windows NT4 Workstation.
14082 The first listing shows the contents of the Local Name Table (i.e.: Identity information on
14083 the MS Windows workstation), the second shows the NetBIOS name in the NetBIOS name cache.
14084 The name cache contains the remote machines known to this workstation.
14085 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unicode"></a>Chapter 27. Unicode/Charsets</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">TAKAHASHI</span> <span class="surname">Motonobu</span></h3><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:monyo@home.monyo.com">monyo@home.monyo.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">25 March 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2933721">Features and Benefits</a></dt><dt><a href="#id2933765">What are charsets and unicode?</a></dt><dt><a href="#id2933835">Samba and charsets</a></dt><dt><a href="#id2933962">Conversion from old names</a></dt><dt><a href="#id2933992">Japanese charsets</a></dt><dt><a href="#id2934130">Common errors</a></dt><dd><dl><dt><a href="#id2934137">CP850.so can't be found</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933721"></a>Features and Benefits</h2></div></div><div></div></div><p>
14086 Every industry eventually matures. One of the great areas of maturation is in
14087 the focus that has been given over the past decade to make it possible for anyone
14088 anywhere to use a computer. It has not always been that way, in fact, not so long
14089 ago it was common for software to be written for exclusive use in the country of
14090 origin.
14091 </p><p>
14092 Of all the effort that has been brought to bear on providing native language support
14093 for all computer users, the efforts of the <a href="http://www.openi18n.org/" target="_top">Openi18n organisation</a> are deserving of
14094 special mention.
14095 </p><p>
14096 Samba-2.x supported a single locale through a mechanism called
14097 <span class="emphasis"><em>codepages</em></span>. Samba-3 is destined to become a truly trans-global
14098 file and printer sharing platform.
14099 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933765"></a>What are charsets and unicode?</h2></div></div><div></div></div><p>
14100 Computers communicate in numbers. In texts, each number will be
14101 translated to a corresponding letter. The meaning that will be assigned
14102 to a certain number depends on the <span class="emphasis"><em>character set(charset)
14103 </em></span> that is used.
14104 A charset can be seen as a table that is used to translate numbers to
14105 letters. Not all computers use the same charset (there are charsets
14106 with German umlauts, Japanese characters, etc). Usually a charset contains
14107 256 characters, which means that storing a character with it takes
14108 exactly one byte. </p><p>
14109 There are also charsets that support many more characters,
14110 but those need twice (or even more) as much storage space. Such a
14111 charset can contain <b class="command">256 * 256 = 65536</b> characters, which
14112 is enough for the scripts in everyday use. They are called
14113 multibyte charsets (because they use more than one byte to
14114 store one character).
14115 </p><p>
14116 The standardised multibyte character set is <a href="http://www.unicode.org/" target="_top">Unicode</a>,
14117 which is stored using encodings such as UTF-8 and UTF-16.
14118 A big advantage of using it is that you only need one charset; there
14119 is no need to make sure two computers use the same charset when they are
14120 communicating.
14120 </p><p>Old Windows clients (DOS and Windows 9x) use the OEM code pages that Microsoft
14121 calls 'codepages': single-byte charsets such as CP850 for Western European locales and
14122 double-byte ones such as CP932 for Japanese. The SMB protocol has no way to negotiate the
14123 charset in use, so you have to make sure that the server and such a client are configured
14124 for the same charset. Newer clients (Windows NT, 2000, XP) talk Unicode (UTF-16LE) over the wire.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933835"></a>Samba and charsets</h2></div></div><div></div></div><p>
As of Samba 3.0, Samba can (and will) talk Unicode over the wire. Internally,
Samba knows of three kinds of character sets:
</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id2933856"></a><i class="parameter"><tt>unix charset</tt></i></span></dt><dd><p>
This is the charset used internally by your operating system.
The default is <tt class="constant">UTF-8</tt>, which is fine for most
systems. The default in previous Samba releases was <tt class="constant">ASCII</tt>.
</p></dd><dt><span class="term"><a class="indexterm" name="id2933893"></a><i class="parameter"><tt>display charset</tt></i></span></dt><dd><p>This is the charset Samba will use to print messages
on your screen. It should generally be the same as the <b class="command">unix charset</b>.
</p></dd><dt><span class="term"><a class="indexterm" name="id2933927"></a><i class="parameter"><tt>dos charset</tt></i></span></dt><dd><p>This is the charset Samba uses when communicating with
DOS and Windows 9x clients. It will talk Unicode to all newer clients.
The default depends on the charsets you have installed on your system.
Run <b class="command">testparm -v | grep "dos charset"</b> to see
what the default is on your system.
</p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933962"></a>Conversion from old names</h2></div></div><div></div></div><p>Because previous Samba versions did not do any charset conversion,
characters in filenames are usually not correct in the unix charset but only
for the local charset used by the DOS/Windows clients.</p><p>Bjoern Jacke has written a utility named <a href="http://j3e.de/linux/convmv/" target="_top">convmv</a> that can convert whole directory
structures to different charsets with one single command.
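The conversion described above, as an added example that is not part of this HOWTO or of convmv: raw byte filenames left on disk by a pre-3.0 server are reinterpreted in the old dos charset (CP850 is assumed here) and re-encoded as UTF-8. Names that are already valid UTF-8 are left alone so a second run cannot mangle them, and target-name collisions are reported instead of overwriting an existing file.

```python
"""Re-encode filenames that a pre-3.0 Samba stored as raw DOS-codepage bytes
into the UTF-8 'unix charset' that Samba 3.0 expects.  Added illustration of
what a tool such as convmv does; it is not Samba's or convmv's own code."""
import os
from typing import Dict, List

# Constructed sample listing, as the kernel returns it: bytes, not str.
# 0x84 is 'ä' in CP850; 0xC3 0xA4 is the same letter already encoded in UTF-8.
SAMPLE_LISTING = [
    b"Gesch\x84ftsbrief.doc",   # CP850 bytes: needs conversion
    b"readme.txt",              # plain ASCII: identical in every charset
    b"Bericht_\xc3\xa4.txt",    # already UTF-8: must not be converted again
]


def is_valid_utf8(name: bytes) -> bool:
    try:
        name.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def plan_renames(listing: List[bytes], from_charset: str = "cp850") -> Dict[str, list]:
    """Decide what each raw name should become, without touching the filesystem.

    rename      - (old, new) pairs to apply
    unchanged   - names already valid UTF-8 (ASCII, or converted on an earlier run)
    undecodable - bytes not valid in from_charset either; left alone, never guessed
    conflict    - (old, new) pairs whose target name already exists in this directory
    """
    plan: Dict[str, list] = {"rename": [], "unchanged": [], "undecodable": [], "conflict": []}
    taken = {n for n in listing if is_valid_utf8(n)}   # names that keep their spelling
    for raw in listing:
        if raw in taken:
            plan["unchanged"].append(raw)
            continue
        try:
            new = raw.decode(from_charset).encode("utf-8")
        except UnicodeDecodeError:
            plan["undecodable"].append(raw)
            continue
        if new in taken:
            plan["conflict"].append((raw, new))
            continue
        taken.add(new)
        plan["rename"].append((raw, new))
    return plan


def apply_renames(directory: bytes, plan: Dict[str, list], dry_run: bool = True) -> int:
    """Apply the planned renames inside one directory; returns how many (would be) renamed."""
    for old, new in plan["rename"]:
        if not dry_run:
            os.rename(os.path.join(directory, old), os.path.join(directory, new))
    return len(plan["rename"])


def convert_tree(root: bytes, from_charset: str = "cp850", dry_run: bool = True) -> int:
    """Walk root bottom-up so a directory is renamed only after its contents;
    otherwise the paths of the entries beneath it would no longer exist."""
    total = 0
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        total += apply_renames(dirpath, plan_renames(dirnames + filenames, from_charset), dry_run)
    return total


if __name__ == "__main__":
    for old, new in plan_renames(SAMPLE_LISTING)["rename"]:
        print(f"{old!r} -> {new!r}")
```

Run `convert_tree(b"/srv/share")` first with the default dry run and inspect the plan before passing `dry_run=False`.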
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933992"></a>Japanese charsets</h2></div></div><div></div></div><p>Samba doesn't work correctly with Japanese charsets yet. Here are
points of attention when setting it up:</p><div class="itemizedlist"><ul type="disc"><li><p>You should set <a class="indexterm" name="id2934012"></a><i class="parameter"><tt>mangling method</tt></i> = hash</p></li><li><p>There are various iconv() implementations around and not
all of them work equally well. glibc2's iconv() has a critical problem
in CP932. libiconv-1.8 works with CP932 but still has some problems and
does not work with EUC-JP.</p></li><li><p>You should set <a class="indexterm" name="id2934042"></a><i class="parameter"><tt>dos charset</tt></i> = CP932, not
Shift_JIS, SJIS...</p></li><li><p>Currently only <a class="indexterm" name="id2934062"></a><i class="parameter"><tt>unix charset</tt></i> = CP932
will work (but still has some problems...) because of iconv() issues.
<a class="indexterm" name="id2934077"></a><i class="parameter"><tt>unix charset</tt></i> = EUC-JP doesn't work well because of
iconv() issues.</p></li><li><p>Currently Samba 3.0 does not support <a class="indexterm" name="id2934098"></a><i class="parameter"><tt>unix charset</tt></i> = UTF8-MAC/CAP/HEX/JIS*</p></li></ul></div><p>More information (in Japanese) is available at: <a href="http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html" target="_top">http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html</a>.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2934130"></a>Common errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934137"></a>CP850.so can't be found</h3></div></div><div></div></div><p>&#8220;<span class="quote">Samba is complaining about a missing <tt class="filename">CP850.so</tt> file</span>&#8221;.</p><p>CP850 is the default <a class="indexterm" name="id2934162"></a><i class="parameter"><tt>dos charset</tt></i>. The <a class="indexterm" name="id2934176"></a><i class="parameter"><tt>dos charset</tt></i> is used to convert data to the codepage used by your DOS clients. If you don't have any DOS clients, you can safely ignore this message. </p><p>CP850 should be supported by your local iconv implementation. Make sure you have all the required packages installed. If you compiled Samba from source, make sure configure found iconv.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Backup"></a>Chapter 28. 
Samba Backup Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2934250">Note</a></dt><dt><a href="#id2934264">Features and Benefits</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2934250"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2934264"></a>Features and Benefits</h2></div></div><div></div></div><p>
We need feedback from people who are backing up Samba servers.
We would like to know what software tools you are using to back up
your Samba server(s).
</p><p>
In particular, if you have any success and/or failure stories you could
share with other users this would be appreciated.
</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SambaHA"></a>Chapter 29. High Availability Options</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2934334">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2934334"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="migration"></a>Migration and Updating</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>30. <a href="#upgrading-to-3.0">Upgrading from Samba-2.x to Samba-3.0.0</a></dt><dd><dl><dt><a href="#id2934473">New Features in Samba-3</a></dt><dt><a href="#id2934602">Configuration Parameter Changes</a></dt><dd><dl><dt><a href="#id2934617">Removed Parameters</a></dt><dt><a href="#id2934744">New Parameters</a></dt><dt><a href="#id2935140">Modified Parameters (changes in behavior):</a></dt></dl></dd><dt><a href="#id2935215">New Functionality</a></dt><dd><dl><dt><a href="#id2935222">Databases</a></dt><dt><a href="#id2935456">Changes in Behavior</a></dt><dt><a href="#id2935505">Charsets</a></dt><dt><a href="#id2935529">Passdb Backends and Authentication</a></dt><dt><a href="#id2935648">Charsets</a></dt><dt><a href="#id2935672">LDAP</a></dt></dl></dd></dl></dd><dt>31. <a href="#NT4Migration">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt><a href="#id2936004">Planning and Getting Started</a></dt><dd><dl><dt><a href="#id2936029">Objectives</a></dt><dt><a href="#id2936467">Steps In Migration Process</a></dt></dl></dd><dt><a href="#id2936679">Migration Options</a></dt><dd><dl><dt><a href="#id2936770">Planning for Success</a></dt><dt><a href="#id2937026">Samba-3 Implementation Choices</a></dt></dl></dd></dl></dd><dt>32. 
<a href="#SWAT">SWAT - The Samba Web Administration Tool</a></dt><dd><dl><dt><a href="#id2937386">Features and Benefits</a></dt><dd><dl><dt><a href="#id2937426">Enabling SWAT for use</a></dt><dt><a href="#id2937663">Securing SWAT through SSL</a></dt><dt><a href="#id2937775">The SWAT Home Page</a></dt><dt><a href="#id2937837">Global Settings</a></dt><dt><a href="#id2937944">Share Settings</a></dt><dt><a href="#id2938008">Printers Settings</a></dt><dt><a href="#id2938072">The SWAT Wizard</a></dt><dt><a href="#id2938120">The Status Page</a></dt><dt><a href="#id2938171">The View Page</a></dt><dt><a href="#id2938195">The Password Change Page</a></dt></dl></dd></dl></dd></dl></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">June 30, 
2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2934473">New Features in Samba-3</a></dt><dt><a href="#id2934602">Configuration Parameter Changes</a></dt><dd><dl><dt><a href="#id2934617">Removed Parameters</a></dt><dt><a href="#id2934744">New Parameters</a></dt><dt><a href="#id2935140">Modified Parameters (changes in behavior):</a></dt></dl></dd><dt><a href="#id2935215">New Functionality</a></dt><dd><dl><dt><a href="#id2935222">Databases</a></dt><dt><a href="#id2935456">Changes in Behavior</a></dt><dt><a href="#id2935505">Charsets</a></dt><dt><a href="#id2935529">Passdb Backends and Authentication</a></dt><dt><a href="#id2935648">Charsets</a></dt><dt><a href="#id2935672">LDAP</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2934473"></a>New Features in Samba-3</h2></div></div><div></div></div><p>
Major new features:
</p><div class="orderedlist"><ol type="1"><li><p>
Active Directory support. This release is able to join an ADS realm
as a member server and authenticate users using LDAP/Kerberos.
</p></li><li><p>
Unicode support. Samba will now negotiate UNICODE on the wire and
internally there is now a much better infrastructure for multi-byte
and UNICODE character sets.
</p></li><li><p>
New authentication system. The internal authentication system has
been almost completely rewritten. Most of the changes are internal,
but the new auth system is also very configurable.
</p></li><li><p>
New filename mangling system. The filename mangling system has been
completely rewritten. An internal database now stores mangling maps
persistently. This needs lots of testing.
</p></li><li><p>
New "net" command. A new "net" command has been added. It is
somewhat similar to the "net" command in Windows. Eventually we
plan to replace a bunch of other utilities (such as smbpasswd)
with subcommands in "net"; at the moment only a few things are
implemented.
</p></li><li><p>
Samba now negotiates NT-style status32 codes on the wire. This
improves error handling a lot.
</p></li><li><p>
Better Windows 2000/XP/2003 printing support, including publishing
printer attributes in Active Directory.
</p></li><li><p>
New loadable RPC modules.
</p></li><li><p>
New dual-daemon winbindd support (-B) for better performance.
</p></li><li><p>
Support for migrating from a Windows NT 4.0 domain to a Samba
domain and maintaining user, group and domain SIDs.
</p></li><li><p>
Support for establishing trust relationships with Windows NT 4.0
domain controllers.
</p></li><li><p>
Initial support for a distributed Winbind architecture using
an LDAP directory for storing SID to uid/gid mappings.
</p></li><li><p>
Major updates to the Samba documentation tree.
</p></li></ol></div><p>
Plus lots of other improvements!
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2934602"></a>Configuration Parameter Changes</h2></div></div><div></div></div><p>
This section contains a brief listing of changes to smb.conf options
in the 3.0.0 release. Please refer to the smb.conf(5) man page for
complete descriptions of new or modified parameters.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934617"></a>Removed Parameters</h3></div></div><div></div></div><p>(ordered alphabetically):</p><div class="itemizedlist"><ul type="disc"><li><p>admin log </p></li><li><p>alternate permissions </p></li><li><p>character set </p></li><li><p>client codepage </p></li><li><p>code page directory </p></li><li><p>coding system </p></li><li><p>domain admin group </p></li><li><p>domain guest group </p></li><li><p>force unknown acl user </p></li><li><p>nt smb support </p></li><li><p>post script </p></li><li><p>printer driver </p></li><li><p>printer driver file </p></li><li><p>printer driver location </p></li><li><p>status </p></li><li><p>total print jobs </p></li><li><p>use rhosts </p></li><li><p>valid chars </p></li><li><p>vfs options </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934744"></a>New Parameters</h3></div></div><div></div></div><p>(new parameters have been grouped by function):</p><p>Remote management</p><div class="itemizedlist"><ul type="disc"><li><p>abort shutdown script </p></li><li><p>shutdown script </p></li></ul></div><p>User and Group Account Management</p><div class="itemizedlist"><ul type="disc"><li><p>add group script </p></li><li><p>add machine script </p></li><li><p>add user to group script </p></li><li><p>algorithmic rid base </p></li><li><p>delete group script </p></li><li><p>delete user from group script </p></li><li><p>passdb backend </p></li><li><p>set primary group script </p></li></ul></div><p>Authentication</p><div class="itemizedlist"><ul type="disc"><li><p>auth methods </p></li><li><p>ads server </p></li><li><p>realm </p></li></ul></div><p>Protocol Options</p><div class="itemizedlist"><ul type="disc"><li><p>client lanman auth </p></li><li><p>client NTLMv2 auth </p></li><li><p>client schannel </p></li><li><p>client signing </p></li><li><p>client use spnego 
</p></li><li><p>disable netbios </p></li><li><p>ntlm auth </p></li><li><p>paranoid server security </p></li><li><p>server schannel </p></li><li><p>smb ports </p></li><li><p>use spnego </p></li></ul></div><p>File Service</p><div class="itemizedlist"><ul type="disc"><li><p>get quota command </p></li><li><p>hide special files </p></li><li><p>hide unwriteable files </p></li><li><p>hostname lookups </p></li><li><p>kernel change notify </p></li><li><p>mangle prefix </p></li><li><p>msdfs proxy </p></li><li><p>set quota command </p></li><li><p>use sendfile </p></li><li><p>vfs objects </p></li></ul></div><p>Printing</p><div class="itemizedlist"><ul type="disc"><li><p>max reported print jobs </p></li></ul></div><p>UNICODE and Character Sets</p><div class="itemizedlist"><ul type="disc"><li><p>display charset </p></li><li><p>dos charset </p></li><li><p>unicode </p></li><li><p>unix charset </p></li></ul></div><p>SID to uid/gid Mappings</p><div class="itemizedlist"><ul type="disc"><li><p>idmap backend </p></li><li><p>idmap gid </p></li><li><p>idmap only </p></li><li><p>idmap uid </p></li></ul></div><p>LDAP</p><div class="itemizedlist"><ul type="disc"><li><p>ldap delete dn </p></li><li><p>ldap group suffix </p></li><li><p>ldap idmap suffix </p></li><li><p>ldap machine suffix </p></li><li><p>ldap passwd sync </p></li><li><p>ldap trust ids </p></li><li><p>ldap user suffix </p></li></ul></div><p>General Configuration</p><div class="itemizedlist"><ul type="disc"><li><p>preload modules </p></li><li><p>privatedir </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935140"></a>Modified Parameters (changes in behavior):</h3></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>encrypt passwords (enabled by default) </p></li><li><p>mangling method (set to 'hash2' by default) </p></li><li><p>passwd chat </p></li><li><p>passwd program </p></li><li><p>restrict anonymous (integer value) 
</p></li><li><p>security (new 'ads' value) </p></li><li><p>strict locking (enabled by default) </p></li><li><p>winbind cache time (increased to 5 minutes) </p></li><li><p>winbind uid (deprecated in favor of 'idmap uid') </p></li><li><p>winbind gid (deprecated in favor of 'idmap gid') </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2935215"></a>New Functionality</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935222"></a>Databases</h3></div></div><div></div></div><p>
This section contains brief descriptions of any new databases
introduced in Samba 3.0. Please remember to back up your existing
${lock directory}/*tdb before upgrading to Samba 3.0. Samba will
upgrade databases as they are opened (if necessary), but downgrading
from 3.0 to 2.2 is an unsupported path.
</p><div class="table"><a name="id2935241"></a><p class="title"><b>Table 30.1. TDB File Descriptions</b></p><table summary="TDB File Descriptions" border="1"><colgroup><col align="left"><col align="justify"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="justify">Description</th><th align="left">Backup?</th></tr></thead><tbody><tr><td align="left">account_policy</td><td align="justify">User policy settings</td><td align="left">yes</td></tr><tr><td align="left">gencache</td><td align="justify">Generic caching db</td><td align="left">no</td></tr><tr><td align="left">group_mapping</td><td align="justify"><p>Mapping table from Windows groups/SIDs to UNIX groups</p></td><td align="left">yes</td></tr><tr><td align="left">idmap</td><td align="justify"><p>New ID map table from SIDs to UNIX uids/gids</p></td><td align="left">yes</td></tr><tr><td align="left">namecache</td><td align="justify">Name resolution cache entries</td><td align="left">no</td></tr><tr><td align="left">netlogon_unigrp</td><td align="justify"><p>Cache of universal group membership obtained when operating
as a member of a Windows domain</p></td><td align="left">no</td></tr><tr><td align="left">printing/*.tdb</td><td align="justify"><p>Cached output from 'lpq command' created on a per print
service basis</p></td><td align="left">no</td></tr><tr><td align="left">registry</td><td align="justify"><p>Read-only Samba registry skeleton that provides support for
exporting various db tables via the winreg RPCs</p></td><td align="left">no</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935456"></a>Changes in Behavior</h3></div></div><div></div></div><p>
The following issues are known changes in behavior between Samba 2.2 and
Samba 3.0 that may affect certain installations of Samba.
</p><div class="orderedlist"><ol type="1"><li><p>
When operating as a member of a Windows domain, Samba 2.2 would
map any users authenticated by the remote DC to the 'guest account'
if a uid could not be obtained via the getpwnam() call. Samba 3.0
rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
current workaround to re-establish the 2.2 behavior.
</p></li><li><p>
When adding machines to a Samba 2.2 controlled domain, the
'add user script' was used to create the UNIX identity of the
machine trust account. Samba 3.0 introduces a new 'add machine
script' that must be specified for this purpose. Samba 3.0 will
not fall back to using the 'add user script' in the absence of
an 'add machine script'.
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935505"></a>Charsets</h3></div></div><div></div></div><p>
You might experience problems with special characters when communicating with old DOS
clients. Codepage support has changed in Samba 3.0. Read the chapter
<a href="#unicode" title="Chapter 27. Unicode/Charsets">Unicode support</a> for details.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935529"></a>Passdb Backends and Authentication</h3></div></div><div></div></div><p>
There have been a few changes that Samba administrators should be
aware of when moving to Samba 3.0.
</p><div class="orderedlist"><ol type="1"><li><p>
Encrypted passwords have been enabled by default in order to
interoperate better with out-of-the-box Windows client
installations. This does mean that either (a) a Samba account
must be created for each user, or (b) 'encrypt passwords = no'
must be explicitly defined in smb.conf.
</p></li><li><p>
Inclusion of the new <a class="indexterm" name="id2935568"></a><i class="parameter"><tt>security</tt></i> = ads option for integration
with an Active Directory domain using the native Windows
Kerberos 5 and LDAP protocols.
</p></li></ol></div><p>
Samba 3.0 also includes the possibility of setting up chains
of authentication methods
(<a class="indexterm" name="id2935590"></a><i class="parameter"><tt>auth methods</tt></i>) and account
storage backends
(<a class="indexterm" name="id2935605"></a><i class="parameter"><tt>passdb backend</tt></i>).
Please refer to the <tt class="filename">smb.conf</tt>
man page and <a href="#passdb" title="Chapter 11. Account Information Databases">the chapter about account information databases</a> for details. While both parameters assume sane default
values, it is likely that you will need to understand what the
values actually mean in order to ensure Samba operates correctly.
</p><p>
Certain functions of the smbpasswd(8) tool have been split between the
new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
utility. See the respective man pages for details.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935648"></a>Charsets</h3></div></div><div></div></div><p>
You might experience problems with special characters when communicating with old DOS
clients. Codepage support has changed in Samba 3.0. Read the chapter
<a href="#unicode" title="Chapter 27. Unicode/Charsets">Unicode support</a> for details.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935672"></a>LDAP</h3></div></div><div></div></div><p>
This section outlines the new features affecting Samba / LDAP integration.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2935684"></a>New Schema</h4></div></div><div></div></div><p>
A new object class (sambaSamAccount) has been introduced to replace
the old sambaAccount. This change aids us in the renaming of attributes
to prevent clashes with attributes from other vendors. There is a
conversion script (examples/LDAP/convertSambaAccount) to convert an LDIF
file to the new schema.
</p><p>
Example:
</p><pre class="screen">
<tt class="prompt">$ </tt>ldapsearch .... -b "ou=people,dc=..." &gt; old.ldif
<tt class="prompt">$ </tt>convertSambaAccount &lt;DOM SID&gt; old.ldif new.ldif
</pre><p>
The &lt;DOM SID&gt; can be obtained by running 'net getlocalsid &lt;DOMAINNAME&gt;'
on the Samba PDC as root.
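As an added illustration of the conversion just described (this is not Samba's own examples/LDAP/convertSambaAccount script), the following reads an LDIF dump, renames the sambaAccount attributes to their sambaSamAccount equivalents and builds sambaSID and sambaPrimaryGroupSID from the domain SID plus the old rid and primaryGroupID values. The attribute map reflects the 3.0 samba.schema as I read it, so check it against your own schema file before use; the domain SID is validated up front because a wrong one quietly produces accounts that belong to no domain.

```python
"""Rewrite Samba 2.2 sambaAccount LDIF entries as Samba 3.0 sambaSamAccount
entries.  Added illustration, not Samba's convertSambaAccount script; the
attribute map is my reading of the 3.0 samba.schema (verify against yours)."""
import re
from typing import List, Tuple

Entry = List[Tuple[str, str]]          # ordered (attribute, value) pairs

# Old attribute name (lower-cased: LDAP attribute names are case-insensitive)
# -> new name.  'rid' and 'primaryGroupID' are not plain renames: they become
# full SIDs and are handled in convert_entry().
ATTRIBUTE_MAP = {
    "lmpassword": "sambaLMPassword",
    "ntpassword": "sambaNTPassword",
    "pwdlastset": "sambaPwdLastSet",
    "pwdcanchange": "sambaPwdCanChange",
    "pwdmustchange": "sambaPwdMustChange",
    "logontime": "sambaLogonTime",
    "logofftime": "sambaLogoffTime",
    "kickofftime": "sambaKickoffTime",
    "acctflags": "sambaAcctFlags",
    "homedrive": "sambaHomeDrive",
    "smbhome": "sambaHomePath",
    "scriptpath": "sambaLogonScript",
    "profilepath": "sambaProfilePath",
    "userworkstations": "sambaUserWorkstations",
    "domain": "sambaDomainName",
}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")   # shape of 'net getlocalsid' output

# Constructed sample entry in the 2.2 schema (the password hashes are placeholders).
OLD_LDIF = r"""dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaAccount
uid: jdoe
uidNumber: 1001
rid: 3002
primaryGroupID: 513
lmPassword: 00000000000000000000000000000000
ntPassword: 00000000000000000000000000000000
acctFlags: [U          ]
smbHome: \\server\jdoe
scriptPath: logon.bat
domain: EXAMPLE
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, splits entries on blank
    lines, drops comments.  Base64 values ('attr:: ...') keep a leading ':'."""
    blocks: List[List[str]] = []
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # folded continuation line
        elif not raw.strip():
            if lines:
                blocks.append(lines)
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    if lines:
        blocks.append(lines)
    result: List[Entry] = []
    for block in blocks:
        entry: Entry = []
        for line in block:
            attr, _, rest = line.partition(":")
            value = ":" + rest[1:].strip() if rest.startswith(":") else rest.strip()
            entry.append((attr, value))
        result.append(entry)
    return result


def serialize_line(attr: str, value: str) -> str:
    return f"{attr}:: {value[1:]}" if value.startswith(":") else f"{attr}: {value}"


def convert_entry(entry: Entry, domain_sid: str) -> Entry:
    """Convert one entry; anything that is not a sambaAccount passes through unchanged."""
    if not any(a.lower() == "objectclass" and v == "sambaAccount" for a, v in entry):
        return list(entry)
    out: Entry = []
    for attr, value in entry:
        key = attr.lower()
        if key == "objectclass" and value == "sambaAccount":
            out.append((attr, "sambaSamAccount"))
        elif key == "rid":
            out.append(("sambaSID", f"{domain_sid}-{value}"))
        elif key == "primarygroupid":
            out.append(("sambaPrimaryGroupSID", f"{domain_sid}-{value}"))
        elif key in ATTRIBUTE_MAP:
            out.append((ATTRIBUTE_MAP[key], value))
        else:
            out.append((attr, value))            # posixAccount etc. attributes are kept
    return out


def convert_ldif(text: str, domain_sid: str) -> str:
    """Convert a whole LDIF dump; refuses a domain SID that is not of the S-1-5-21-... form."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    blocks = ["\n".join(serialize_line(a, v) for a, v in convert_entry(e, domain_sid))
              for e in parse_ldif(text)]
    return "\n\n".join(blocks) + "\n"
```

`convert_ldif(open("old.ldif").read(), "S-1-5-21-...")` written to new.ldif gives the same shape of output as the page's two-step example.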
</p><p>
The old sambaAccount schema may still be used by specifying the
"ldapsam_compat" passdb backend. However, the sambaAccount and
associated attributes have been moved to the historical section of
the schema file and must be uncommented before use if needed.
The 2.2 object class declaration for a sambaAccount has not changed
in the 3.0 samba.schema file.
</p><p>
Other new object classes and their uses include:
</p><div class="itemizedlist"><ul type="disc"><li><p>
sambaDomain - domain information used to allocate rids
for users and groups as necessary. The attributes are added
to the 'ldap suffix' directory entry automatically if
an idmap uid/gid range has been set and the 'ldapsam'
passdb backend has been selected.
</p></li><li><p>
sambaGroupMapping - an object representing the
relationship between a posixGroup and a Windows
group/SID. These entries are stored in the 'ldap
group suffix' and managed by the 'net groupmap' command.
</p></li><li><p>
sambaUnixIdPool - created in the 'ldap idmap suffix' entry
automatically and contains the next available 'idmap uid' and
'idmap gid'.
</p></li><li><p>
sambaIdmapEntry - object storing a mapping between a
SID and a UNIX uid/gid. These objects are created by the
idmap_ldap module as needed.
</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2935797"></a>New Suffix for Searching</h4></div></div><div></div></div><p>
The following new smb.conf parameters have been added to aid in directing
certain LDAP queries when 'passdb backend = ldapsam://...' has been
specified.
</p><div class="itemizedlist"><ul type="disc"><li><p>ldap suffix - used to search for user and computer accounts</p></li><li><p>ldap user suffix - used to store user accounts</p></li><li><p>ldap machine suffix - used to store machine trust accounts</p></li><li><p>ldap group suffix - location of posixGroup/sambaGroupMapping entries</p></li><li><p>ldap idmap suffix - location of sambaIdmapEntry objects</p></li></ul></div><p>
If an 'ldap suffix' is defined, it will be appended to all of the
remaining sub-suffix parameters. In this case, the order of the suffix
listings in smb.conf is important. Always place the 'ldap suffix' first
in the list.
</p><p>
Due to a limitation in Samba's smb.conf parsing, you should not surround
the DNs with quotation marks.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2935863"></a>IdMap LDAP support</h4></div></div><div></div></div><p>
Samba 3.0 supports an LDAP backend for the idmap subsystem. The
following options would inform Samba that the idmap table should be
stored on the directory server onterose in the "ou=idmap,dc=plainjoe,
dc=org" partition.
</p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>...</td></tr><tr><td><i class="parameter"><tt>idmap backend = ldap:ldap://onterose/</tt></i></td></tr><tr><td><i class="parameter"><tt>ldap idmap suffix = ou=idmap,dc=plainjoe,dc=org</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap uid = 40000-50000</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap gid = 40000-50000</tt></i></td></tr></table><p>
This configuration allows winbind installations on multiple servers to
share a uid/gid number space, thus avoiding the interoperability problems
with NFS that were present in Samba 2.2.
</p></div></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2936004">Planning and Getting Started</a></dt><dd><dl><dt><a href="#id2936029">Objectives</a></dt><dt><a href="#id2936467">Steps In Migration Process</a></dt></dl></dd><dt><a href="#id2936679">Migration Options</a></dt><dd><dl><dt><a href="#id2936770">Planning for Success</a></dt><dt><a href="#id2937026">Samba-3 Implementation Choices</a></dt></dl></dd></dl></div><p>
This is a rough guide to assist those wishing to migrate from NT4 domain control to
Samba-3 based domain control.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2936004"></a>Planning and Getting Started</h2></div></div><div></div></div><p>
In the IT world there is often a saying that all problems are encountered because of
poor planning. The corollary to this saying is that not all problems can be anticipated
and planned for. Then again, good planning will anticipate most show-stopper situations.
</p><p>
Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control
environment would do well to develop a detailed migration plan. So here are a few pointers to
help migration get under way.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2936029"></a>Objectives</h3></div></div><div></div></div><p>
The key objective for most organisations will be to make the migration from MS Windows NT4
to Samba-3 domain control as painless as possible. One of the challenges you may experience
in your migration process may well be one of convincing management that the new environment
should remain in place. Many who have introduced open source technologies have experienced
pressure to return to a Microsoft-based platform solution at the first sign of trouble.
</p><p>
Before attempting a migration to a Samba-3 controlled network make every possible effort to
gain all-round commitment to the change. Know precisely <span class="emphasis"><em>why</em></span> the change
is important for the organisation. Possible motivations to make a change include:
</p><div class="itemizedlist"><ul type="disc"><li><p>Improve network manageability</p></li><li><p>Obtain better user level functionality</p></li><li><p>Reduce network operating costs</p></li><li><p>Reduce exposure caused by Microsoft withdrawal of NT4 support</p></li><li><p>Avoid MS License 6 implications</p></li><li><p>Reduce organisation's dependency on Microsoft</p></li></ul></div><p>
Make sure that everyone knows that Samba-3 is NOT MS Windows NT4. Samba-3 offers
an alternative solution that is both different from MS Windows NT4 and that offers
advantages compared with it. Gain recognition that Samba-3 lacks many of the
features that Microsoft has promoted as core values in migration from MS Windows NT4 to
MS Windows 2000 and beyond (with or without Active Directory services).
</p><p>
What are the features that Samba-3 can NOT provide?
</p><div class="itemizedlist"><ul type="disc"><li><p>Active Directory Server</p></li><li><p>Group Policy Objects (in Active Directory)</p></li><li><p>Machine Policy objects</p></li><li><p>Logon Scripts in Active Directory</p></li><li><p>Software Application and Access Controls in Active Directory</p></li></ul></div><p>
The features that Samba-3 DOES provide and that may be of compelling interest to your site
include:
</p><div class="itemizedlist"><ul type="disc"><li><p>Lower Cost of Ownership</p></li><li><p>Global availability of support with no strings attached</p></li><li><p>Dynamic SMB Servers (i.e. can run more than one server per Unix/Linux system)</p></li><li><p>Creation of on-the-fly logon scripts</p></li><li><p>Creation of on-the-fly Policy Files</p></li><li><p>Greater Stability, Reliability, Performance and Availability</p></li><li><p>Manageability via an ssh connection</p></li><li><p>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</p></li><li><p>Ability to implement a full single-sign-on architecture</p></li><li><p>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</p></li></ul></div><p>
Before migrating a network from MS Windows NT4 to Samba-3 consider all necessary factors. Users
should be educated about changes they may experience so that the change will be a welcome one
and not become an obstacle to the work they need to do. The following are factors that will
14375 help ensure a successful migration:
14376 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2936240"></a>Domain Layout</h4></div></div><div></div></div><p>
14377 Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called
14378 a secondary controller), a domain member, or as a stand-alone server. The Windows network security
14379 domain context should be sized and scoped before implementation. Particular attention needs to be
14380 paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs).
14381 One way in which Samba-3 differs from Microsoft technology is that if one chooses to use an LDAP
14382 authentication backend then the same database can be used by several different domains. In a
14383 complex organisation there can be a single LDAP database, which itself can be distributed (ie: Have
14384 a master server and multiple slave servers) that can simultaneously serve multiple domains.
14385 </p><p>
14386 From a design perspective, the number of users per server, as well as the number of servers, per
14387 domain should be scaled taking into consideration server capacity and network bandwidth.
14388 </p><p>
14389 A physical network segment may house several domains. Each may span multiple network segments.
14390 Where domains span routed network segments, consider and test the performance implications of
14391 the design and layout of a network. A Centrally located domain controller that is designed to
14392 serve multiple routed network segments may result in severe performance problems. Check the
14393 response time (eg: ping timing) between the remote segment and the PDC. If it is long (more than 100 ms)
14394 locate a backup controller (BDC) on the remote segment to serve as the local authentication and
14395 access control server.
14396 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2936290"></a>Server Share and Directory Layout</h4></div></div><div></div></div><p>
14397 There are cardinal rules to effective network design. These cannot be broken with impunity.
14398 The most important rule: Simplicity is king in every well controlled network. Every part of
14399 the infrastructure must be managed; the more complex it is, the greater will be the demand
14400 of keeping systems secure and functional.
14401 </p><p>
14402 Keep in mind the nature of how data must be shared. Physical disk space layout should be considered
14403 carefully. Some data must be backed up. The simpler the disk layout the easier it will be to
14404 keep track of backup needs. Identify what backup media will meet those needs; consider backup to tape,
14405 CD-ROM or DVD-ROM, or other off-line storage medium. Plan and implement for minimum
14406 maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance:
14407 Backup and test, validate every backup, create a disaster recovery plan and prove that it works.
14408 </p><p>
14409 Users should be grouped according to data access control needs. File and directory access
14410 is best controlled via group permissions and the use of the "sticky bit" on group controlled
14411 directories may substantially avoid file access complaints from samba share users.
14412 </p><p>
14413 Inexperienced network administrators often attempt elaborate techniques to set access
14414 controls on files, directories, shares, as well as in share definitions.
14415 Keep your design and implementation simple and document your design extensively. Have others
14416 audit your documentation. Do not create a complex mess that your successor will not understand.
14417 Remember, job security through complex design and implementation may cause loss of operations
14418 and downtime to users as the new administrator learns to untangle your knots. Keep access
14419 controls simple and effective and make sure that users will never be interrupted by stupid
14420 complexity.
14421 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2936350"></a>Logon Scripts</h4></div></div><div></div></div><p>
14422 Logon scripts can help to ensure that all users gain share and printer connections they need.
14423 </p><p>
14424 Logon scripts can be created 'on-the-fly' so that all commands executed are specific to the
14425 rights and privileges granted to the user. The preferred controls should be effected through
14426 group membership so that group information can be used to custom create a logon script using
14427 the <a class="indexterm" name="id2936371"></a><i class="parameter"><tt>root preexec</tt></i> parameters to the <i class="parameter"><tt>NETLOGON</tt></i> share.
14428 </p><p>
14429 Some sites prefer to use a tool such as <b class="command">kixstart</b> to establish a controlled
14430 user environment. In any case you may wish to do a google search for logon script process controls.
14431 In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
14432 deals with how to add printers without user intervention via the logon script process.
14433 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2936413"></a>Profile Migration/Creation</h4></div></div><div></div></div><p>
14434 User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile
14435 Management.
14436 </p><p>
14437 Profiles may also be managed using the Samba-3 tool <b class="command">profiles</b>. This tool allows
14438 the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
14439 to be changed to the SID of the Samba-3 domain.
14440 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2936443"></a>User and Group Accounts</h4></div></div><div></div></div><p>
14441 It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
14442 attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the
14443 groups that are present on the MS Windows NT4 domain <span class="emphasis"><em>AND</em></span> to map these to
14444 suitable Unix/Linux groups. By following this simple advice all user and group attributes
14445 should migrate painlessly.
14446 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2936467"></a>Steps In Migration Process</h3></div></div><div></div></div><p>
14447 The approximate migration process is described below.
14448 </p><div class="itemizedlist"><ul type="disc"><li><p>
14449 You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
14450 </p></li><li><p>
14451 Samba-3 set up as a DC with netlogon share, profile share, etc. Configure the <tt class="filename">smb.conf</tt> file
14452 to function as a BDC. ie: <i class="parameter"><tt>domain master = No</tt></i>.
14453 </p></li></ul></div><div class="procedure"><p class="title"><b>Procedure 31.1. The Account Migration Process</b></p><ol type="1"><li><p>Create a BDC account for the samba server using NT Server Manager</p><ol type="a"><li><p>Samba must NOT be running</p></li></ol></li><li><p><b class="userinput"><tt>net rpc join -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -L</tt></b></p><ol type="a"><li><p>Note - did the users migrate?</p></li></ol></li><li><p>
14454 Now assign each of the UNIX groups to NT groups:
14455 (Note: It may be useful to copy this text to a script called
14456 <tt class="filename">initGroups.sh</tt>)
14457 </p><pre class="programlisting">
14458 #!/bin/bash
14459 #### Keep this as a shell script for future re-use
14461 # First assign well known domain global groups
14462 net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins
14463 net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
14464 net groupmap modify ntgroup="Domain Users" unixgroup=users
14466 # Now for our added domain global groups
14467 net groupmap add ntgroup="Designers" unixgroup=designers type=d rid=3200
14468 net groupmap add ntgroup="Engineers" unixgroup=engineers type=d rid=3210
14469 net groupmap add ntgroup="QA Team" unixgroup=qateam type=d rid=3220
14470 </pre><p>
14471 </p></li><li><p><b class="userinput"><tt>net groupmap list</tt></b></p><ol type="a"><li><p>Now check that all groups are recognised</p></li></ol></li></ol></div><p>
14472 Now migrate all the profiles, then migrate all policy files.
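</p><p>
The procedure above ends with "did the users migrate?" and "check that all groups are recognised"; the following shell script (an added example, not part of the Samba HOWTO or the Samba project) turns those two eyeball checks into functions. It assumes the output formats <tt class="command">net groupmap list</tt> ("NT Group (SID) -&gt; unixgroup") and <tt class="command">pdbedit -L</tt> ("user:uid:Full Name") print, and runs over constructed sample output so it can be tried offline.
</p>
```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO: sanity checks to run after
# "net rpc vampire" and initGroups.sh, before letting users onto the new DC.
# Assumed output formats (constructed samples below, not captured output):
#   net groupmap list -> "NT Group (S-1-5-21-...-RID) -> unixgroup"
#   pdbedit -L        -> "username:uid:Full Name"
# Real use: missing_groupmaps "$(net groupmap list)" 'Domain Admins' ...

# Constructed 'net groupmap list' output. "QA Team" points at a Unix group
# that does not exist on this host, and no mapping was ever added for "Sales".
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1000000001-1000000002-1000000003-512) -> ntadmins
Domain Users (S-1-5-21-1000000001-1000000002-1000000003-513) -> users
Domain Guests (S-1-5-21-1000000001-1000000002-1000000003-514) -> nobody
Designers (S-1-5-21-1000000001-1000000002-1000000003-3200) -> designers
Engineers (S-1-5-21-1000000001-1000000002-1000000003-3210) -> engineers
QA Team (S-1-5-21-1000000001-1000000002-1000000003-3220) -> qa_team'

# Constructed /etc/group excerpt from the Samba host.
SAMPLE_ETC_GROUP='root:x:0:
users:x:100:
nobody:x:65534:
ntadmins:x:1001:jht
designers:x:1002:
engineers:x:1003:
qateam:x:1004:'

# Constructed 'pdbedit -L' output after the vampire run.
SAMPLE_PDBEDIT='Administrator:0:
jht:1000:John H Terpstra
alice:1001:Alice Example'

# missing_groupmaps GROUPMAP_OUTPUT NTGROUP...
# Prints every required NT group that has no mapping line at all.
missing_groupmaps() {
    _out=$1; shift
    for _g in "$@"; do
        printf '%s\n' "$_out" | grep -q "^$_g (" || printf '%s\n' "$_g"
    done
}

# dangling_groupmaps GROUPMAP_OUTPUT ETC_GROUP_TEXT
# Prints NT groups whose Unix side is absent from the group file; members of
# such a group get no Unix group membership, so their file access silently fails.
dangling_groupmaps() {
    _grp=$2
    printf '%s\n' "$1" | while IFS= read -r _line; do
        _nt=${_line%%" ("*}
        _unix=${_line##*"-> "}
        printf '%s\n' "$_grp" | grep -q "^$_unix:" || printf '%s\n' "$_nt"
    done
}

# rid_of GROUPMAP_OUTPUT NTGROUP: prints the RID (last SID component) of a mapped group.
rid_of() {
    _line=$(printf '%s\n' "$1" | grep "^$2 (")
    _sid=${_line#*"("}
    _sid=${_sid%%")"*}
    printf '%s\n' "${_sid##*-}"
}

# well_known_rids_ok GROUPMAP_OUTPUT
# The built-in groups must keep RIDs 512/513/514; a "Domain Admins" mapping on
# any other RID is not the group NT4 clients treat as administrators.
well_known_rids_ok() {
    [ "$(rid_of "$1" 'Domain Admins')" = 512 ] &&
    [ "$(rid_of "$1" 'Domain Users')" = 513 ] &&
    [ "$(rid_of "$1" 'Domain Guests')" = 514 ]
}

# count_migrated_users PDBEDIT_OUTPUT: number of accounts in the Samba passdb.
count_migrated_users() {
    printf '%s\n' "$1" | grep -c '^[^:][^:]*:[0-9][0-9]*:'
}

# Demo over the constructed data.
echo "Unmapped NT groups: $(missing_groupmaps "$SAMPLE_GROUPMAP" \
    'Domain Admins' 'Domain Users' 'Domain Guests' Designers Engineers 'QA Team' Sales)"
echo "Mapped to missing Unix groups: $(dangling_groupmaps "$SAMPLE_GROUPMAP" "$SAMPLE_ETC_GROUP")"
well_known_rids_ok "$SAMPLE_GROUPMAP" && echo "Well-known RIDs intact"
echo "Accounts in passdb: $(count_migrated_users "$SAMPLE_PDBEDIT")"
```
<p>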
14473 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2936679"></a>Migration Options</h2></div></div><div></div></div><p>
14474 Sites that wish to migrate from MS Windows NT4 Domain Control to a Samba based solution
14475 generally fit into three basic categories.
14476 </p><div class="table"><a name="id2936694"></a><p class="title"><b>Table 31.1. The 3 Major Site Types</b></p><table summary="The 3 Major Site Types" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Number of Users</th><th align="justify">Description</th></tr></thead><tbody><tr><td align="left">&lt; 50</td><td align="justify"><p>Want simple conversion with NO pain</p></td></tr><tr><td align="left">50 - 250</td><td align="justify"><p>Want new features, can manage some in-house complexity</p></td></tr><tr><td align="left">&gt; 250</td><td align="justify"><p>Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2936770"></a>Planning for Success</h3></div></div><div></div></div><p>
14477 There are three basic choices for sites that intend to migrate from MS Windows NT4
14478 to Samba-3.
14479 </p><div class="itemizedlist"><ul type="disc"><li><p>
14480 Simple Conversion (total replacement)
14481 </p></li><li><p>
14482 Upgraded Conversion (could be one of integration)
14483 </p></li><li><p>
14484 Complete Redesign (completely new solution)
14485 </p></li></ul></div><p>
14486 Minimise down-stream problems by:
14487 </p><div class="itemizedlist"><ul type="disc"><li><p>
14488 Take sufficient time
14489 </p></li><li><p>
14490 Avoid Panic
14491 </p></li><li><p>
14492 Test ALL assumptions
14493 </p></li><li><p>
14494 Test full roll-out program, including workstation deployment
14495 </p></li></ul></div><div class="table"><a name="id2936841"></a><p class="title"><b>Table 31.2. Nature of the Conversion Choices</b></p><table summary="Nature of the Conversion Choices" border="1"><colgroup><col align="justify"><col align="justify"><col align="justify"></colgroup><thead><tr><th align="justify">Simple</th><th align="justify">Upgraded</th><th align="justify">Redesign</th></tr></thead><tbody><tr><td align="justify"><p>Make use of minimal OS specific features</p></td><td align="justify"><p>Translate NT4 features to new host OS features</p></td><td align="justify"><p>Decide:</p></td></tr><tr><td align="justify"><p>Suck all accounts from NT4 into Samba-3</p></td><td align="justify"><p>Copy and improve:</p></td><td align="justify"><p>Authentication Regime (database location and access)</p></td></tr><tr><td align="justify"><p>Make least number of operational changes</p></td><td align="justify"><p>Make progressive improvements</p></td><td align="justify"><p>Desktop Management Methods</p></td></tr><tr><td align="justify"><p>Take least amount of time to migrate</p></td><td align="justify"><p>Minimise user impact</p></td><td align="justify"><p>Better Control of Desktops / Users</p></td></tr><tr><td align="justify"><p>Live versus Isolated Conversion</p></td><td align="justify"><p>Maximise functionality</p></td><td align="justify"><p>Identify Needs for: Manageability, Scalability, Security, Availability</p></td></tr><tr><td align="justify"><p>Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out)</p></td><td align="justify"><p>Take advantage of lower maintenance opportunity</p></td><td align="justify"><p></p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937026"></a>Samba-3 Implementation Choices</h3></div></div><div></div></div><div class="variablelist"><dl><dt><span class="term">Authentication database/back end:</span></dt><dd><p>
14496 Samba-3 can use an external authentication backend:
14497 </p><p>
14498 </p><div class="itemizedlist"><ul type="disc"><li><p>Winbind (external Samba or NT4/200x server)</p></li><li><p>External server could use Active Directory or NT4 Domain</p></li><li><p>Can use pam_mkhomedir.so to auto-create home dirs</p></li></ul></div><p>
14499 </p><p>
14500 Samba-3 can use a local authentication backend:
14501 </p><div class="itemizedlist"><ul type="disc"><li><p>smbpasswd, tdbsam, ldapsam, mysqlsam</p></li></ul></div><p>
14502 </p></dd><dt><span class="term">Access Control Points:</span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>On the Share itself - using Share ACLs</p></li><li><p>On the file system - using UNIX permissions on files and directories</p><p>Note: Can Enable Posix ACLs in file system also</p></li><li><p>Through Samba share parameters - Not recommended - except as last resort</p></li></ul></div></dd><dt><span class="term">Policies (migrate or create new ones):</span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Using Group Policy Editor (NT4)</p></li><li><p>- Watch out for Tattoo effect</p></li></ul></div></dd><dt><span class="term">User and Group Profiles:</span></dt><dd><p>
14503 Profiles are platform specific, so use the platform tool to change from a Local to a Roaming profile.
14504 The new profiles tool can be used to change SIDs (NTUser.DAT).
14505 </p></dd><dt><span class="term">Logon Scripts:</span></dt><dd><p>
14506 Know how they work
14507 </p></dd><dt><span class="term">User and Group mapping to Unix/Linux:</span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>username map facility may be needed</p></li><li><p>Use 'net groupmap' to connect NT4 groups to Unix groups</p></li><li><p>Use pdbedit to set/change user configuration</p><p>
14508 NOTE: When migrating to an LDAP backend, it may be easier to dump the initial
14509 LDAP database to LDIF, then edit, then reload into LDAP
14510 </p></li></ul></div></dd><dt><span class="term">OS specific scripts/programs may be needed:</span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Add/Delete Users: Note OS limits on size of name
14511 (Linux 8 chars) NT4 up to 254 chars</p></li><li><p>Add/Delete Machines: Applied only to domain members
14512 (Note: Machine names may be limited to 16 characters)</p></li><li><p>Use 'net groupmap' to connect NT4 groups to Unix groups</p></li><li><p>Add/Delete Groups: Note OS limits on size and nature.
14513 Linux limit is 16 char, no spaces and no upper case chars (groupadd)</p></li></ul></div></dd><dt><span class="term">Migration Tools:</span></dt><dd><p>
14514 Domain Control (NT4 Style) Profiles, Policies, Access Controls, Security
14515 </p><div class="itemizedlist"><ul type="disc"><li><p>Samba: net, rpcclient, smbpasswd, pdbedit, profiles</p></li><li><p>Windows: NT4 Domain User Manager, Server Manager (NEXUS)</p></li></ul></div><p>
14516 </p></dd></dl></div></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SWAT"></a>Chapter 32. SWAT - The Samba Web Administration Tool</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2937386">Features and Benefits</a></dt><dd><dl><dt><a href="#id2937426">Enabling SWAT for use</a></dt><dt><a href="#id2937663">Securing SWAT through SSL</a></dt><dt><a href="#id2937775">The SWAT Home Page</a></dt><dt><a href="#id2937837">Global Settings</a></dt><dt><a href="#id2937944">Share Settings</a></dt><dt><a href="#id2938008">Printers Settings</a></dt><dt><a href="#id2938072">The SWAT Wizard</a></dt><dt><a href="#id2938120">The Status Page</a></dt><dt><a href="#id2938171">The View Page</a></dt><dt><a href="#id2938195">The Password Change Page</a></dt></dl></dd></dl></div><p>
14517 There are many and varied opinions regarding the usefulness or otherwise of SWAT.
14518 No matter how hard one tries to produce the perfect configuration tool it remains
14519 an object of personal taste. SWAT is a tool that will allow web based configuration
14520 of samba. It has a wizard that may help to get samba configured quickly, it has context
14521 sensitive help on each smb.conf parameter, it provides for monitoring of current state
14522 of connection information, and it allows network wide MS Windows network password
14523 management.
14524 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2937386"></a>Features and Benefits</h2></div></div><div></div></div><p>
14525 There are network administrators who believe that it is a good idea to write systems
14526 documentation inside configuration files; for them SWAT will always be a nasty tool. SWAT
14527 does not store the configuration file in any intermediate form, rather, it stores only the
14528 parameter settings, so when SWAT writes the smb.conf file to disk it will write only
14529 those parameters that are at other than the default settings. The result is that all comments
14530 will be lost from the <tt class="filename">smb.conf</tt> file. Additionally, the parameters will be written back in
14531 internal ordering.
14532 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
14533 So before using SWAT please be warned - SWAT will completely replace your smb.conf with
14534 a fully optimised file that has been stripped of all comments you might have placed there
14535 and only non-default settings will be written to the file.
14536 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937426"></a>Enabling SWAT for use</h3></div></div><div></div></div><p>
14537 SWAT should be installed to run via the network super daemon. Depending on which system
14538 your UNIX/Linux system has you will have either an <b class="command">inetd</b> or
14539 <b class="command">xinetd</b> based system.
14540 </p><p>
14541 The nature and location of the network super-daemon varies with the operating system
14542 implementation. The control file (or files) can be located in the file
14543 <tt class="filename">/etc/inetd.conf</tt> or in the directory <tt class="filename">/etc/[x]inet.d</tt>
14544 or similar.
14545 </p><p>
14546 The control entry for the older style file might be:
14547 </p><pre class="programlisting">
14548 # swat is the Samba Web Administration Tool
14549 swat stream tcp nowait.400 root /usr/sbin/swat swat
14550 </pre><p>
14551 A control file for the newer style xinetd could be (as shipped it is off; change
14552 <i class="parameter"><tt>disable = yes</tt></i> to <i class="parameter"><tt>disable = no</tt></i> to activate it):
14553 </p><pre class="programlisting">
14554 # default: off
14555 # description: SWAT is the Samba Web Admin Tool. Use swat \
14556 # to configure your Samba server. To use SWAT, \
14557 # connect to port 901 with your favorite web browser.
14558 service swat
14559 {
14560         port            = 901
14561         socket_type     = stream
14562         wait            = no
14563         only_from       = localhost
14564         user            = root
14565         server          = /usr/sbin/swat
14566         log_on_failure  += USERID
14567         disable         = yes
14568 }
14569 </pre><p>
14571 </p><p>
14572 Both the above examples assume that the <b class="command">swat</b> binary has been
14573 located in the <tt class="filename">/usr/sbin</tt> directory. In addition to the above
14574 SWAT will use a directory access point from which it will load its help files
14575 as well as other control information. The default location for this on most Linux
14576 systems is in the directory <tt class="filename">/usr/share/samba/swat</tt>. The default
14577 location using samba defaults will be <tt class="filename">/usr/local/samba/swat</tt>.
14578 </p><p>
14579 Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user
14580 the only permission allowed is to view certain aspects of configuration as well as
14581 access to the password change facility. The buttons that will be exposed to the non-root
14582 user are: <span class="guibutton">HOME</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>,
14583 <span class="guibutton">PASSWORD</span>. The only page that allows
14584 change capability in this case is <span class="guibutton">PASSWORD</span>.
14585 </p><p>
14586 So long as you log onto SWAT as the user <span class="emphasis"><em>root</em></span> you should obtain
14587 full change and commit ability. The buttons that will be exposed include:
14588 <span class="guibutton">HOME</span>, <span class="guibutton">GLOBALS</span>, <span class="guibutton">SHARES</span>, <span class="guibutton">PRINTERS</span>,
14589 <span class="guibutton">WIZARD</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, <span class="guibutton">PASSWORD</span>.
14590 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937663"></a>Securing SWAT through SSL</h3></div></div><div></div></div><p>
14591 Lots of people have asked about how to set up SWAT with SSL to allow for secure remote
14592 administration of Samba. Here is a method that works, courtesy of Markus Krieger.
14593 </p><p>
14594 Modifications to the swat setup are as follows:
14595 </p><div class="procedure"><ol type="1"><li><p>
14596 install OpenSSL
14597 </p></li><li><p>
14598 generate certificate and private key
14600 </p><pre class="screen">
14601 <tt class="prompt">root# </tt><b class="userinput"><tt>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \
14602 /usr/share/doc/packages/stunnel/stunnel.cnf \
14603 -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</tt></b>
14604 </pre></li><li><p>
14605 remove swat-entry from [x]inetd
14606 </p></li><li><p>
14607 start stunnel
14609 </p><pre class="screen">
14610 <tt class="prompt">root# </tt><b class="userinput"><tt>stunnel -p /etc/stunnel/stunnel.pem -d 901 \
14611 -l /usr/local/samba/bin/swat swat </tt></b>
14612 </pre></li></ol></div><p>
14613 Afterwards simply connect to SWAT by using the URL <a href="https://myhost:901" target="_top">https://myhost:901</a>, accept the certificate
14614 and the SSL connection is up.
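</p><p>
Step 3 above ("remove swat-entry from [x]inetd") is what keeps the clear-text listener from coexisting with the stunnel one, and the two super-daemon formats shown under "Enabling SWAT for use" are what have to be inspected. The following shell functions (an added example, not part of the Samba HOWTO or the Samba project) classify a host's SWAT exposure from constructed inetd.conf and xinetd.d/swat text; the file names and sample contents are assumptions for the demo.
</p>
```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO: once stunnel fronts port 901,
# confirm no plaintext SWAT listener remains in inetd.conf or /etc/xinetd.d/swat.
# Real use: swat_exposure "$(cat /etc/inetd.conf)" "$(cat /etc/xinetd.d/swat)"
# Note that /etc/stunnel/stunnel.pem from step 2 also holds the private key,
# so keep it owned by root with mode 0600.

# Constructed inetd.conf excerpt: the swat line has been commented out.
SAMPLE_INETD='ftp  stream tcp nowait root /usr/sbin/tcpd in.ftpd
#swat stream tcp nowait.400 root /usr/sbin/swat swat'

# Constructed xinetd file: enabled and reachable from any host, in the clear.
SAMPLE_XINETD_OPEN='service swat
{
        port            = 901
        socket_type     = stream
        wait            = no
        only_from       = 0.0.0.0
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
        disable         = no
}'

# Constructed xinetd file: the HOWTO'"'"'s file with disable = no (localhost only).
SAMPLE_XINETD_LOCAL='service swat
{
        port            = 901
        only_from       = localhost
        server          = /usr/sbin/swat
        disable         = no
}'

# Constructed xinetd file: the HOWTO'"'"'s file as shipped (disable = yes).
SAMPLE_XINETD_OFF='service swat
{
        port            = 901
        only_from       = localhost
        disable         = yes
}'

# inetd_swat_active TEXT: succeeds if an uncommented "swat ..." service line exists.
inetd_swat_active() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*swat[[:space:]]'
}

# xinetd_attr TEXT ATTR: prints the value of "ATTR = value" (or "ATTR += value").
xinetd_attr() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*+*=[[:space:]]*//p" | head -n 1
}

# xinetd_swat_active TEXT: a "service swat" block counts as active unless disable = yes,
# because xinetd treats a missing "disable" as enabled.
xinetd_swat_active() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*service[[:space:]]*swat' || return 1
    [ "$(xinetd_attr "$1" disable)" != yes ]
}

# swat_exposure INETD_TEXT XINETD_TEXT prints one word:
#   none   - no plaintext SWAT listener (the state wanted behind stunnel)
#   local  - enabled, but only_from limits it to the host itself
#   remote - enabled and reachable from other hosts without SSL
swat_exposure() {
    if inetd_swat_active "$1"; then
        printf 'remote\n'; return      # inetd lines carry no only_from restriction
    fi
    if xinetd_swat_active "$2"; then
        case $(xinetd_attr "$2" only_from) in
            localhost|127.0.0.1) printf 'local\n' ;;
            *) printf 'remote\n' ;;
        esac
        return
    fi
    printf 'none\n'
}

# Demo over the constructed data.
echo "inetd commented + xinetd off:   $(swat_exposure "$SAMPLE_INETD" "$SAMPLE_XINETD_OFF")"
echo "inetd commented + xinetd local: $(swat_exposure "$SAMPLE_INETD" "$SAMPLE_XINETD_LOCAL")"
echo "inetd commented + xinetd open:  $(swat_exposure "$SAMPLE_INETD" "$SAMPLE_XINETD_OPEN")"
```
<p>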
14615 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937775"></a>The SWAT Home Page</h3></div></div><div></div></div><p>
14616 The SWAT title page provides access to the latest Samba documentation. The manual page for
14617 each samba component is accessible from this page as are the Samba-HOWTO-Collection (this
14618 document) as well as the O'Reilly book "Using Samba".
14619 </p><p>
14620 Administrators who wish to validate their samba configuration may obtain useful information
14621 from the man pages for the diagnostic utilities. These are available from the SWAT home page
14622 also. One diagnostic tool that is NOT mentioned on this page, but that is particularly
14623 useful is <a href="http://www.ethereal.com/" target="_top"><b class="command">ethereal</b></a>.
14624 </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
14625 SWAT can be configured to run in <span class="emphasis"><em>demo</em></span> mode. This is NOT recommended
14626 as it runs SWAT without authentication and with full administrative ability. ie: Allows
14627 changes to smb.conf as well as general operation with root privileges. The option that
14628 creates this ability is the <tt class="option">-a</tt> flag to swat. <span class="emphasis"><em>Do not use this in any
14629 production environment.</em></span>
14630 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937837"></a>Global Settings</h3></div></div><div></div></div><p>
14631 The Globals button will expose a page that allows configuration of the global parameters
14632 in smb.conf. There are three levels of exposure of the parameters:
14633 </p><div class="itemizedlist"><ul type="disc"><li><p>
14634 <span class="emphasis"><em>Basic</em></span> - exposes common configuration options.
14635 </p></li><li><p>
14636 <span class="emphasis"><em>Advanced</em></span> - exposes configuration options needed in more
14637 complex environments.
14638 </p></li><li><p>
14639 <span class="emphasis"><em>Developer</em></span> - exposes configuration options that only the brave
14640 will want to tamper with.
14641 </p></li></ul></div><p>
14642 To switch to other than <span class="emphasis"><em>Basic</em></span> editing ability click on either the
14643 <span class="emphasis"><em>Advanced</em></span> or the <span class="emphasis"><em>Developer</em></span> button. You may also
14644 do this by clicking on the radio button, then click the <span class="guibutton">Commit Changes</span> button.
14645 </p><p>
14646 After making any changes to configuration parameters make sure that you click on the
14647 <span class="guibutton">Commit Changes</span> button before moving to another area otherwise
14648 your changes will be immediately lost.
14649 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
14650 SWAT has context sensitive help. To find out what each parameter is for simply click the
14651 <span class="guibutton">Help</span> link to the left of the configuration parameter.
14652 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937944"></a>Share Settings</h3></div></div><div></div></div><p>
14653 To affect a currently configured share, simply click on the pull down button between the
14654 <span class="guibutton">Choose Share</span> and the <span class="guibutton">Delete Share</span> buttons,
14655 select the share you wish to operate on. To edit its settings click on the
14656 <span class="guibutton">Choose Share</span> button; to delete the share simply press the
14657 <span class="guibutton">Delete Share</span> button.
14658 </p><p>
14659 To create a new share, next to the button labelled <span class="guibutton">Create Share</span> enter
14660 into the text field the name of the share to be created, then click on the
14661 <span class="guibutton">Create Share</span> button.
14662 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938008"></a>Printers Settings</h3></div></div><div></div></div><p>
14663 To affect a currently configured printer, simply click on the pull down button between the
14664 <span class="guibutton">Choose Printer</span> and the <span class="guibutton">Delete Printer</span> buttons,
14665 select the printer you wish to operate on. To edit its settings click on the
14666 <span class="guibutton">Choose Printer</span> button; to delete the printer simply press the
14667 <span class="guibutton">Delete Printer</span> button.
14668 </p><p>
14669 To create a new printer, next to the button labelled <span class="guibutton">Create Printer</span> enter
14670 into the text field the name of the printer to be created, then click on the
14671 <span class="guibutton">Create Printer</span> button.
14672 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938072"></a>The SWAT Wizard</h3></div></div><div></div></div><p>
14673 The purpose of the SWAT Wizard is to help the Microsoft knowledgeable network administrator
14674 to configure Samba with a minimum of effort.
14675 </p><p>
14676 The Wizard page provides a tool for rewriting the smb.conf file in fully optimised format.
14677 This will also happen if you press the commit button. The two differ in that the Rewrite button
14678 ignores any changes that may have been made, while the Commit button causes all changes to
14679 take effect.
14680 </p><p>
14681 The <span class="guibutton">Edit</span> button permits the editing (setting) of the minimal set of
14682 options that may be necessary to create a working Samba server.
14683 </p><p>
14684 Finally, there are a limited set of options that will determine what type of server Samba
14685 will be configured for, whether it will be a WINS server, participate as a WINS client, or
14686 operate with no WINS support. By clicking on one button you can elect to expose (or not) user
14687 home directories.
14688 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938120"></a>The Status Page</h3></div></div><div></div></div><p>
14689 The status page serves a limited purpose. Firstly, it allows control of the samba daemons.
14690 The key daemons that create the samba server environment are: <span class="application">smbd</span>, <span class="application">nmbd</span>, <span class="application">winbindd</span>.
14691 </p><p>
14692 The daemons may be controlled individually or as a total group. Additionally, you may set
14693 an automatic screen refresh timing. As MS Windows clients interact with Samba, new smbd processes
14694 will be continually spawned. The auto-refresh facility will allow you to track the changing
14695 conditions with minimal effort.
14696 </p><p>
14697 Lastly, the Status page may be used to terminate specific smbd client connections in order to
14698 free files that may be locked.
14699 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938171"></a>The View Page</h3></div></div><div></div></div><p>
14700 This page allows the administrator to view the optimised <tt class="filename">smb.conf</tt> file and, if you are
14701 particularly masochistic, will permit you also to see all possible global configuration
14702 parameters and their settings.
14703 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938195"></a>The Password Change Page</h3></div></div><div></div></div><p>
14704 The Password Change page is a popular tool. This tool allows the creation, deletion, deactivation
14705 and reactivation of MS Windows networking users on the local machine. Alternatively, you can use
14706 this tool to change a local password for a user account.
14707 </p><p>
14708 When logged in as a non-root account the user will have to provide the old password as well as
14709 the new password (twice). When logged in as <span class="emphasis"><em>root</em></span> only the new password is
14710 required.
14711 </p><p>
14712 One popular use for this tool is to change user passwords across a range of remote MS Windows
14713 servers.
14714 </p></div></div></div></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="troubleshooting"></a>Troubleshooting</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>33. <a href="#diagnosis">The Samba checklist</a></dt><dd><dl><dt><a href="#id2938325">Introduction</a></dt><dt><a href="#id2938359">Assumptions</a></dt><dt><a href="#id2938586">The tests</a></dt></dl></dd><dt>34. <a href="#problems">Analysing and solving samba problems</a></dt><dd><dl><dt><a href="#id2940060">Diagnostics tools</a></dt><dd><dl><dt><a href="#id2940082">Debugging with Samba itself</a></dt><dt><a href="#id2940195">Tcpdump</a></dt><dt><a href="#id2940216">Ethereal</a></dt><dt><a href="#id2940268">The Windows Network Monitor</a></dt></dl></dd><dt><a href="#id2940586">Useful URLs</a></dt><dt><a href="#id2940626">Getting help from the mailing lists</a></dt><dt><a href="#id2940778">How to get off the mailing lists</a></dt></dl></dd><dt>35. <a href="#bugreport">Reporting Bugs</a></dt><dd><dl><dt><a href="#id2940906">Introduction</a></dt><dt><a href="#id2940969">General info</a></dt><dt><a href="#id2941006">Debug levels</a></dt><dt><a href="#id2941215">Internal errors</a></dt><dt><a href="#id2941348">Attaching to a running process</a></dt><dt><a href="#id2941395">Patches</a></dt></dl></dd></dl></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="diagnosis"></a>Chapter 33. 
The Samba checklist</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">Wed Jan 15</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2938325">Introduction</a></dt><dt><a href="#id2938359">Assumptions</a></dt><dt><a href="#id2938586">The tests</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2938325"></a>Introduction</h2></div></div><div></div></div><p>
14715 This file contains a list of tests you can perform to validate your
14716 Samba server. It also tells you what the likely cause of the problem
14717 is if it fails any one of these steps. If it passes all these tests
14718 then it is probably working fine.
14719 </p><p>
14720 You should do ALL the tests, in the order shown. We have tried to
14721 carefully choose them so later tests only use capabilities verified in
14722 the earlier tests. However, do not stop at the first error as there
14723 have been some instances when continuing with the tests has helped
14724 to solve a problem.
14725 </p><p>
14726 If you send one of the samba mailing lists an email saying "it doesn't work"
14727 and you have not followed this test procedure then you should not be surprised
14728 if your email is ignored.
14729 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2938359"></a>Assumptions</h2></div></div><div></div></div><p>
14730 In all of the tests it is assumed you have a Samba server called
14731 BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP.
14732 </p><p>
14733 The procedure is similar for other types of clients.
14734 </p><p>
14735 It is also assumed you know the name of an available share in your
14736 <tt class="filename">smb.conf</tt>. I will assume this share is called <i class="replaceable"><tt>tmp</tt></i>.
14737 You can add a <i class="replaceable"><tt>tmp</tt></i> share like this by adding the
14738 following to <tt class="filename">smb.conf</tt>:
14739 </p><div class="example"><a name="id2938408"></a><p class="title"><b>Example 33.1. smb.conf with [tmp] share</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[tmp]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = temporary files </tt></i></td></tr><tr><td><i class="parameter"><tt>path = /tmp</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr></table></div><p>
14740 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
14741 These tests assume version 3.0 or later of the samba suite.
14742 Some commands shown did not exist in earlier versions.
14743 </p></div><p>
14744 Please pay attention to the error messages you receive. If any error message
14745 reports that your server is being unfriendly you should first check that your
14746 IP name resolution is correctly set up, e.g. make sure your <tt class="filename">/etc/resolv.conf</tt>
14747 file points to name servers that really do exist.
14748 </p><p>
14749 Also, if you do not have DNS server access for name resolution please check
14750 that the settings in your <tt class="filename">smb.conf</tt> file result in <b class="command">dns proxy = no</b>. The
14751 best way to check this is with <b class="userinput"><tt>testparm smb.conf</tt></b>.
14752 </p><a class="indexterm" name="id2938508"></a><p>
14753 It is helpful to monitor the log files during testing by using the
14754 <b class="command">tail -F <i class="replaceable"><tt>log_file_name</tt></i></b> in a separate
14755 terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X).
14756 Relevant log files can be found (for default installations) in
14757 <tt class="filename">/usr/local/samba/var</tt>. Also, connection logs from
14758 machines can be found here or possibly in <tt class="filename">/var/log/samba</tt>
14759 depending on how or if you specified logging in your <tt class="filename">smb.conf</tt> file.
14760 </p><p>
14761 If you make changes to your <tt class="filename">smb.conf</tt> file while going through these tests,
14762 don't forget to restart <span class="application">smbd</span> and <span class="application">nmbd</span>.
14763 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2938586"></a>The tests</h2></div></div><div></div></div><div class="procedure"><p class="title"><b>Procedure 33.1. Diagnosing your samba server</b></p><a class="indexterm" name="id2938602"></a><ol type="1"><li><p>
14764 In the directory in which you store your <tt class="filename">smb.conf</tt> file, run the command
14765 <b class="userinput"><tt>testparm smb.conf</tt></b>. If it reports any errors then your <tt class="filename">smb.conf</tt>
14766 configuration file is faulty.
14767 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
14768 Your <tt class="filename">smb.conf</tt> file may be located in <tt class="filename">/etc/samba</tt>
14769 or in <tt class="filename">/usr/local/samba/lib</tt>.
14770 </p></div></li><li><p>
14771 Run the command <b class="userinput"><tt>ping BIGSERVER</tt></b> from the PC and
14772 <b class="userinput"><tt>ping ACLIENT</tt></b> from
14773 the unix box. If you don't get a valid response then your TCP/IP
14774 software is not correctly installed.
14775 </p><p>
14776 Note that you will need to start a "dos prompt" window on the PC to
14777 run ping.
14778 </p><p>
14779 If you get a message saying <span class="errorname">host not found</span> or similar then your DNS
14780 software or <tt class="filename">/etc/hosts</tt> file is not correctly set up.
14781 It is possible to
14782 run samba without DNS entries for the server and client, but I assume
14783 you do have correct entries for the remainder of these tests.
14784 </p><p>
14785 Another reason why ping might fail is if your host is running firewall
14786 software. You will need to relax the rules to let in the workstation
14787 in question, perhaps by allowing access from another subnet (on Linux
14788 this is done via the <span class="application">ipfwadm</span> program.)
14789 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
14790 Modern Linux distributions install ipchains/iptables by default.
14791 This is a common problem that is often overlooked.
14792 </p></div></li><li><p>
14793 Run the command <b class="userinput"><tt>smbclient -L BIGSERVER</tt></b> on the unix box. You
14794 should get a list of available shares back.
14795 </p><p>
14796 If you get an error message containing the string "Bad password" then
14797 you probably have either an incorrect <b class="command">hosts allow</b>,
14798 <b class="command">hosts deny</b> or <b class="command">valid users</b> line in your
14799 <tt class="filename">smb.conf</tt>, or your guest account is not
14800 valid. Check what your guest account is using <span class="application">testparm</span> and
14801 temporarily remove any <b class="command">hosts allow</b>, <b class="command">hosts deny</b>, <b class="command">valid users</b> or <b class="command">invalid users</b> lines.
14802 </p><p>
14803 If you get a <span class="errorname">connection refused</span> response then the smbd server may
14804 not be running. If you installed it in inetd.conf then you probably edited
14805 that file incorrectly. If you installed it as a daemon then check that
14806 it is running, and check that the netbios-ssn port is in a LISTEN
14807 state using <b class="userinput"><tt>netstat -a</tt></b>.
14808 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
14809 <a class="indexterm" name="id2938860"></a>
14810 <a class="indexterm" name="id2938869"></a>
14811 Some Unix / Linux systems use <b class="command">xinetd</b> in place of
14812 <b class="command">inetd</b>. Check your system documentation for the location
14813 of the control file/s for your particular system implementation of
14814 this network super daemon.
14815 </p></div><p>
14816 If you get a <span class="errorname">session request failed</span> then the server refused the
14817 connection. If it says "Your server software is being unfriendly" then
14818 it's probably because you have invalid command line parameters to <span class="application">smbd</span>,
14819 or a similar fatal problem with the initial startup of <span class="application">smbd</span>. Also
14820 check your config file (<tt class="filename">smb.conf</tt>) for syntax errors with <span class="application">testparm</span>
14821 and that the various directories where samba keeps its log and lock
14822 files exist.
14823 </p><p>
14824 There are a number of reasons for which smbd may refuse or decline
14825 a session request. The most common of these involve one or more of
14826 the following <tt class="filename">smb.conf</tt> file entries:
14827 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>hosts deny = ALL</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts allow = xxx.xxx.xxx.xxx/yy</tt></i></td></tr><tr><td><i class="parameter"><tt>bind interfaces only = Yes</tt></i></td></tr></table><p>
14828 In the above, no allowance has been made for any session requests that
14829 will automatically translate to the loopback adapter address 127.0.0.1.
14830 To solve this problem change these lines to:
14831 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>hosts deny = ALL</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts allow = xxx.xxx.xxx.xxx/yy 127.</tt></i></td></tr></table><p>
14832 Do <span class="emphasis"><em>not</em></span> use the <a class="indexterm" name="id2939025"></a><i class="parameter"><tt>bind interfaces only</tt></i> parameter where you
14833 may wish to
14834 use the samba password change facility, or where <span class="application">smbclient</span> may need to
14835 access a local service for name resolution or for local resource
14836 connections. (Note: the <a class="indexterm" name="id2939051"></a><i class="parameter"><tt>bind interfaces only</tt></i> parameter deficiency
14837 where it will not allow connections to the loopback address will be
14838 fixed soon).
14839 </p><p>
14840 <a class="indexterm" name="id2939072"></a>
14841 Another common cause of these two errors is having something already running
14842 on port <tt class="constant">139</tt>, such as Samba
14843 (ie: <span class="application">smbd</span> is running from <span class="application">inetd</span> already) or
14844 something like Digital's Pathworks. Check your <tt class="filename">inetd.conf</tt> file before trying
14845 to start <span class="application">smbd</span> as a daemon; it can avoid a lot of frustration!
14846 </p><p>
14847 And yet another possible cause for failure of this test is when the subnet mask
14848 and / or broadcast address settings are incorrect. Please check that the
14849 network interface IP Address / Broadcast Address / Subnet Mask settings are
14850 correct and that Samba has correctly noted these in the <tt class="filename">log.nmbd</tt> file.
14851 </p></li><li><p>
14852 Run the command <b class="userinput"><tt>nmblookup -B BIGSERVER __SAMBA__</tt></b>. You should get the
14853 IP address of your Samba server back.
14854 </p><p>
14855 If you don't then nmbd is incorrectly installed. Check your <tt class="filename">inetd.conf</tt>
14856 if you run it from there, or that the daemon is running and listening
14857 to udp port 137.
14858 </p><p>
14859 One common problem is that many inetd implementations can't take many
14860 parameters on the command line. If this is the case then create a
14861 one-line script that contains the right parameters and run that from
14862 inetd.
14863 </p></li><li><p>Run the command <b class="userinput"><tt>nmblookup -B ACLIENT '*'</tt></b></p><p>
14864 You should get the PC's IP address back. If you don't then the client
14865 software on the PC isn't installed correctly, or isn't started, or you
14866 got the name of the PC wrong.
14867 </p><p>
14868 If ACLIENT doesn't resolve via DNS then use the IP address of the
14869 client in the above test.
14870 </p></li><li><p>
14871 Run the command <b class="userinput"><tt>nmblookup -d 2 '*'</tt></b>
14872 </p><p>
14873 This time we are trying the same as the previous test but are trying
14874 it via a broadcast to the default broadcast address. A number of
14875 NetBIOS / TCP/IP hosts on the network should respond, although Samba may
14876 not catch all of the responses in the short time it listens. You
14877 should see <span class="errorname">got a positive name query response</span>
14878 messages from several hosts.
14879 </p><p>
14880 If this doesn't give a similar result to the previous test then
14881 nmblookup isn't correctly getting your broadcast address through its
14882 automatic mechanism. In this case you should experiment with the
14883 <a class="indexterm" name="id2939242"></a><i class="parameter"><tt>interfaces</tt></i> option in <tt class="filename">smb.conf</tt> to manually configure your IP
14884 address, broadcast and netmask.
14885 </p><p>
14886 If your PC and server aren't on the same subnet then you will need to
14887 use the <tt class="option">-B</tt> option to set the broadcast address to that of the PC's
14888 subnet.
14889 </p><p>
14890 This test will probably fail if your subnet mask and broadcast address are
14891 not correct. (Refer to TEST 3 notes above).
14892 </p></li><li><a class="indexterm" name="id2939290"></a><p>
14893 Run the command <b class="userinput"><tt>smbclient //BIGSERVER/TMP</tt></b>. You should
14894 then be prompted for a password. You should use the password of the account
14895 you are logged into the unix box with. If you want to test with
14896 another account then add the <tt class="option">-U <i class="replaceable"><tt>accountname</tt></i></tt> option to the end of
14897 the command line. eg:
14898 <b class="userinput"><tt>smbclient //bigserver/tmp -Ujohndoe</tt></b>
14899 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
14900 It is possible to specify the password along with the username
14901 as follows:
14902 <b class="userinput"><tt>smbclient //bigserver/tmp -Ujohndoe%secret</tt></b>
14903 </p></div><p>
14904 Once you enter the password you should get the <tt class="prompt">smb&gt;</tt> prompt. If you
14905 don't then look at the error message. If it says <span class="errorname">invalid network
14906 name</span> then the service <span class="emphasis"><em>"tmp"</em></span> is not correctly set up in your <tt class="filename">smb.conf</tt>.
14907 </p><p>
14908 If it says <span class="errorname">bad password</span> then the likely causes are:
14909 </p><div class="orderedlist"><ol type="1"><li><p>
14910 you have shadow passwords (or some other password system) but didn't
14911 compile in support for them in <span class="application">smbd</span>
14912 </p></li><li><p>
14913 your <a class="indexterm" name="id2939411"></a><i class="parameter"><tt>valid users</tt></i> configuration is incorrect
14914 </p></li><li><p>
14915 you have a mixed case password and you haven't enabled the <a class="indexterm" name="id2939433"></a><i class="parameter"><tt>password level</tt></i> option at a high enough level
14916 </p></li><li><p>
14917 the <a class="indexterm" name="id2939457"></a><i class="parameter"><tt>path</tt></i> line in <tt class="filename">smb.conf</tt> is incorrect. Check it with <span class="application">testparm</span>
14918 </p></li><li><p>
14919 you enabled password encryption but didn't map unix to samba users. Run </p><pre class="screen"><b class="userinput"><tt>smbpasswd -a <i class="replaceable"><tt>username</tt></i></tt></b></pre><p>
14920 </p></li></ol></div><p>
14921 Once connected you should be able to use the commands
14922 <b class="command">dir</b> <b class="command">get</b> <b class="command">put</b> etc.
14923 Type <b class="command">help <i class="replaceable"><tt>command</tt></i></b> for instructions. You should
14924 especially check that the amount of free disk space shown is correct
14925 when you type <b class="command">dir</b>.
14926 </p></li><li><p>
14927 On the PC, type the command <b class="userinput"><tt>net view \\BIGSERVER</tt></b>. You will
14928 need to do this from within a "dos prompt" window. You should get back a
14929 list of available shares on the server.
14930 </p><p>
14931 If you get a <span class="errorname">network name not found</span> or similar error then netbios
14932 name resolution is not working. This is usually caused by a problem in
14933 nmbd. To overcome it you could do one of the following (you only need
14934 to choose one of them):
14935 </p><div class="orderedlist"><ol type="1"><li><p>
14936 fix up the <span class="application">nmbd</span> installation
14937 </p></li><li><p>
14938 add the IP address of BIGSERVER to the <b class="command">wins server</b> box in the
14939 advanced TCP/IP setup on the PC.
14940 </p></li><li><p>
14941 enable windows name resolution via DNS in the advanced section of
14942 the TCP/IP setup
14943 </p></li><li><p>
14944 add BIGSERVER to your lmhosts file on the PC.
14945 </p></li></ol></div><p>
14946 If you get an <span class="errorname">invalid network name</span> or <span class="errorname">bad password</span> error then the
14947 same fixes apply as they did for the <b class="userinput"><tt>smbclient -L</tt></b> test above. In
14948 particular, make sure your <b class="command">hosts allow</b> line is correct (see the man
14949 pages).
14950 </p><p>
14951 Also, do not overlook the fact that when the workstation requests the
14952 connection to the samba server it will attempt to connect using the
14953 name with which you logged onto your Windows machine. You need to make
14954 sure that an account exists on your Samba server with that exact same
14955 name and password.
14956 </p><p>
14957 If you get <span class="errorname">specified computer is not receiving requests</span> or similar
14958 it probably means that the host is not contactable via tcp services.
14959 Check to see if the host is running tcp wrappers, and if so add an entry in
14960 the <tt class="filename">hosts.allow</tt> file for your client (or subnet, etc.).
14961 </p></li><li><p>
14962 Run the command <b class="userinput"><tt>net use x: \\BIGSERVER\TMP</tt></b>. You should
14963 be prompted for a password then you should get a <tt class="computeroutput">command completed
14964 successfully</tt> message. If not then your PC software is incorrectly
14965 installed or your smb.conf is incorrect. Make sure your <b class="command">hosts allow</b>
14966 and other config lines in <tt class="filename">smb.conf</tt> are correct.
14967 </p><p>
14968 It's also possible that the server can't work out what user name to
14969 connect you as. To see if this is the problem add the line <a class="indexterm" name="id2939744"></a><i class="parameter"><tt>user</tt></i> = username to the <i class="parameter"><tt>[tmp]</tt></i> section of
14970 <tt class="filename">smb.conf</tt> where <i class="replaceable"><tt>username</tt></i> is the
14971 username corresponding to the password you typed. If you find this
14972 fixes things you may need the username mapping option.
14973 </p><p>
14974 It might also be the case that your client only sends encrypted passwords
14975 and you have <a class="indexterm" name="id2939783"></a><i class="parameter"><tt>encrypt passwords</tt></i> = no in <tt class="filename">smb.conf</tt>.
14976 Turn it back on to fix.
14977 </p></li><li><p>
14978 Run the command <b class="userinput"><tt>nmblookup -M <i class="replaceable"><tt>testgroup</tt></i></tt></b> where
14979 <i class="replaceable"><tt>testgroup</tt></i> is the name of the workgroup that your Samba server and
14980 Windows PCs belong to. You should get back the IP address of the
14981 master browser for that workgroup.
14982 </p><p>
14983 If you don't then the election process has failed. Wait a minute to
14984 see if it is just being slow then try again. If it still fails after
14985 that then look at the browsing options you have set in <tt class="filename">smb.conf</tt>. Make
14986 sure you have <a class="indexterm" name="id2939847"></a><i class="parameter"><tt>preferred master</tt></i> = yes to ensure that
14987 an election is held at startup.
14988 </p></li><li><p>
14989 From file manager try to browse the server. Your samba server should
14990 appear in the browse list of your local workgroup (or the one you
14991 specified in <tt class="filename">smb.conf</tt>). You should be able to double click on the name
14992 of the server and get a list of shares. If you get an "invalid
14993 password" error when you do then you are probably running WinNT and it
14994 is refusing to browse a server that has no encrypted password
14995 capability and is in user level security mode. In this case either set
14996 <a class="indexterm" name="id2939889"></a><i class="parameter"><tt>security</tt></i> = server AND
14997 <a class="indexterm" name="id2939902"></a><i class="parameter"><tt>password server</tt></i> = Windows_NT_Machine in your
14998 <tt class="filename">smb.conf</tt> file, or make sure <a class="indexterm" name="id2939924"></a><i class="parameter"><tt>encrypt passwords</tt></i> is
14999 set to "yes".
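The smb.conf causes the tests above point at (the loopback gap in hosts allow, bind interfaces only, the share definition, encrypt passwords and preferred master, plus the dns proxy assumption) can be checked statically before working through the list. The following audit script is an added example and is not part of the Samba documentation or the Samba suite; the two sample configurations, the share name, the TEST labels in the findings and the have_dns flag are constructed assumptions.

```python
import re

# Constructed smb.conf for the checklist's BIGSERVER/TESTGROUP scenario; it
# deliberately carries the misconfigurations the tests describe.
BROKEN_SMB_CONF = """\
[global]
   workgroup = TESTGROUP
   hosts deny = ALL
   hosts allow = 192.168.1.0/24
   bind interfaces only = yes
   encrypt passwords = no
   dns proxy = yes
[tmp]
   path = /tmp
"""

# The same configuration after applying the fixes the checklist gives.
FIXED_SMB_CONF = """\
[global]
   workgroup = TESTGROUP
   hosts deny = ALL
   hosts allow = 192.168.1.0/24 127.
   encrypt passwords = yes
   preferred master = yes
   dns proxy = no
[tmp]
   path = /tmp
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}; names are
    lower-cased and whitespace runs in parameter names collapsed, the way
    testparm normalises them. Full-line comments start with '#' or ';'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_yes(value):
    """Samba accepts yes/true/1 as a true boolean parameter value."""
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text, share="tmp", have_dns=True):
    """Return (parameter, test, message) findings for the causes the checklist
    traces back to smb.conf; have_dns=False applies the Assumptions check."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    # TEST 3: 'hosts deny = ALL' with a 'hosts allow' that omits the loopback
    # network refuses session requests that arrive via 127.0.0.1.
    allow = g.get("hosts allow")
    if g.get("hosts deny", "").strip().upper() == "ALL" and allow is not None:
        tokens = [t for t in re.split(r"[\s,]+", allow) if t]
        if not any(t.startswith("127.") or t == "localhost" for t in tokens):
            findings.append(("hosts allow", "TEST 3",
                             "add '127.' so loopback session requests are allowed"))
    # TEST 3: 'bind interfaces only = yes' will not allow loopback connections.
    if is_yes(g.get("bind interfaces only")):
        findings.append(("bind interfaces only", "TEST 3",
                         "refuses connections to the loopback address; remove it"))
    # Assumptions: without DNS access the effective setting must be
    # 'dns proxy = no' (Samba's default for this parameter is yes).
    if not have_dns and g.get("dns proxy", "yes").strip().lower() != "no":
        findings.append(("dns proxy", "ASSUMPTIONS",
                         "no DNS access, but dns proxy does not resolve to no"))
    # TEST 7: a share that is not defined gives 'invalid network name'.
    if share.lower() not in conf:
        findings.append((share, "TEST 7", "share is not defined in smb.conf"))
    # TEST 9 / TEST 11: clients that only send encrypted passwords fail once
    # encrypt passwords has been turned off.
    enc = g.get("encrypt passwords")
    if enc is not None and not is_yes(enc):
        findings.append(("encrypt passwords", "TEST 9",
                         "turn it back on; clients may send only encrypted passwords"))
    # TEST 10: without 'preferred master = yes' no election is forced at startup.
    if not is_yes(g.get("preferred master")):
        findings.append(("preferred master", "TEST 10",
                         "set to yes to ensure an election is held at startup"))
    return findings


if __name__ == "__main__":
    for param, test, msg in audit_smb_conf(BROKEN_SMB_CONF, have_dns=False):
        print(f"{test:<12} {param}: {msg}")
```

Run it against a real file with audit_smb_conf(open("/usr/local/samba/lib/smb.conf").read()); an empty list means none of the smb.conf causes listed in the tests apply, not that the server works.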
15000 </p></li></ol></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="problems"></a>Chapter 34. Analysing and solving samba problems</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">8 Apr 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2940060">Diagnostics tools</a></dt><dd><dl><dt><a href="#id2940082">Debugging with Samba itself</a></dt><dt><a href="#id2940195">Tcpdump</a></dt><dt><a href="#id2940216">Ethereal</a></dt><dt><a href="#id2940268">The Windows Network Monitor</a></dt></dl></dd><dt><a href="#id2940586">Useful URLs</a></dt><dt><a href="#id2940626">Getting help from the mailing lists</a></dt><dt><a href="#id2940778">How to get off the mailing lists</a></dt></dl></div><p>
15001 There are many sources of information available in the form
15002 of mailing lists, RFCs and documentation. The docs that come
15003 with the samba distribution contain very good explanations of
15004 general SMB topics such as browsing.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2940060"></a>Diagnostics tools</h2></div></div><div></div></div><p>With SMB networking, it is often not immediately clear what
15005 the cause is of a certain problem. Samba itself provides rather
15006 useful information, but in some cases you might have to fall back
15007 to using a <span class="emphasis"><em>sniffer</em></span>. A sniffer is a program that
15008 listens on your LAN, analyses the data sent on it and displays it
15009 on the screen.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2940082"></a>Debugging with Samba itself</h3></div></div><div></div></div><p>
15010 One of the best diagnostic tools for debugging problems is Samba itself.
15011 You can use the <tt class="option">-d</tt> option for both <span class="application">smbd</span> and <span class="application">nmbd</span> to specify what
15012 <a class="indexterm" name="id2940113"></a><i class="parameter"><tt>debug level</tt></i> at which to run. See the man pages on smbd, nmbd and
15013 smb.conf for more information on debugging options. The debug
15014 level can range from 1 (the default) to 10 (100 for debugging passwords).
15015 </p><p>
15016 Another helpful method of debugging is to compile samba using the
15017 <b class="userinput"><tt>gcc -g </tt></b> flag. This will include debug
15018 information in the binaries and allow you to attach gdb to the
15019 running smbd / nmbd process. In order to attach gdb to an smbd
15020 process for an NT workstation, first get the workstation to make the
15021 connection. Pressing ctrl-alt-delete and going down to the domain box
15022 is sufficient (at least, on the first time you join the domain) to
15023 generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
15024 maintains an open connection, and therefore there will be an smbd
15025 process running (assuming that you haven't set a really short smbd
15026 idle timeout). So, in between pressing ctrl-alt-delete and actually
15027 typing in your password, you can attach gdb and continue.
15028 </p><p>
15029 Some useful samba commands worth investigating:
15030 </p><pre class="screen">
15031 <tt class="prompt">$ </tt><b class="userinput"><tt>testparm | more</tt></b>
15032 <tt class="prompt">$ </tt><b class="userinput"><tt>smbclient -L //{netbios name of server}</tt></b>
15033 </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2940195"></a>Tcpdump</h3></div></div><div></div></div><p><a href="http://www.tcpdump.org/" target="_top">Tcpdump</a> was the first
15034 unix sniffer with SMB support. It is a command-line utility and
15035 nowadays its SMB support is somewhat less than that of ethereal
15036 and tethereal.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2940216"></a>Ethereal</h3></div></div><div></div></div><p>
15037 <a href="http://www.ethereal.com/" target="_top">Ethereal</a> is a graphical
15038 sniffer, available for both unix (Gtk) and Windows. Ethereal's
15039 SMB support is very good.</p><p>For details on the use of ethereal, read the well-written
15040 ethereal User Guide.</p><p>
15041 Listen for data on ports 137, 138, 139 and 445. E.g.
15042 use the filter <b class="userinput"><tt>port 137 or port 138 or port 139 or port 445</tt></b>.</p><p>A console version of ethereal is available as well and is called
15043 <b class="command">tethereal</b>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2940268"></a>The Windows Network Monitor</h3></div></div><div></div></div><p>
15044 For tracing things on the Microsoft Windows NT, Network Monitor
15045 (a.k.a. netmon) is available on the Microsoft Developer Network CDs,
15046 the Windows NT Server install CD and the SMS CDs. The version of
15047 netmon that ships with SMS allows for dumping packets between any two
15048 computers (i.e. placing the network interface in promiscuous mode).
15049 The version on the NT Server install CD will only allow monitoring
15050 of network traffic directed to the local NT box and broadcasts on the
15051 local subnet. Be aware that Ethereal can read and write netmon
15052 formatted files.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2940289"></a>Installing 'Network Monitor' on an NT Workstation</h4></div></div><div></div></div><p>
Installing netmon on an NT workstation requires a couple
of steps. The following are for installing Netmon V4.00.349, which comes
with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
Workstation 4.0. The process should be similar for other versions of
Windows NT and Netmon. You will need both the Microsoft Windows
NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
</p><p>
Initially you will need to install <span class="application">Network Monitor Tools and Agent</span>
on the NT Server. To do this:
</p><div class="itemizedlist"><ul type="disc"><li><p>Go to <span class="guibutton">Start</span> - <span class="guibutton">Settings</span> - <span class="guibutton">Control Panel</span> -
<span class="guibutton">Network</span> - <span class="guibutton">Services</span> - <span class="guibutton">Add</span>.</p></li><li><p>Select <span class="guilabel">Network Monitor Tools and Agent</span> and
click on <span class="guibutton">OK</span>.</p></li><li><p>Click <span class="guibutton">OK</span> on the Network Control Panel.
</p></li><li><p>Insert the Windows NT Server 4.0 install CD
when prompted.</p></li></ul></div><p>
At this point the Netmon files should exist in
<tt class="filename">%SYSTEMROOT%\System32\netmon\*.*</tt>.
Two subdirectories exist as well: <tt class="filename">parsers\</tt>,
which contains the DLLs needed to parse the netmon packet
dump, and <tt class="filename">captures\</tt>.
</p><p>
In order to install the Netmon tools on an NT Workstation, you will
first need to install the 'Network Monitor Agent' from the Workstation
install CD.
</p><div class="itemizedlist"><ul type="disc"><li><p>Go to <span class="guibutton">Start</span> - <span class="guibutton">Settings</span> - <span class="guibutton">Control Panel</span> -
<span class="guibutton">Network</span> - <span class="guibutton">Services</span> - <span class="guibutton">Add</span>.</p></li><li><p>Select <span class="guilabel">Network Monitor Agent</span> and click
on <span class="guibutton">OK</span>.</p></li><li><p>Click <span class="guibutton">OK</span> on the Network Control Panel.
</p></li><li><p>Insert the Windows NT Workstation 4.0 install
CD when prompted.</p></li></ul></div><p>
Now copy the files from the NT Server in <tt class="filename">%SYSTEMROOT%\System32\netmon\*.*</tt>
to <tt class="filename">%SYSTEMROOT%\System32\netmon\*.*</tt> on the Workstation and set
permissions as you deem appropriate for your site. You will need
administrative rights on the NT box to run netmon.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2940558"></a>Installing 'Network Monitor' on a 9x Workstation</h4></div></div><div></div></div><p>
To install Netmon on a Windows 9x box, install the Network Monitor Agent
from the Windows 9x CD (<tt class="filename">\admin\nettools\netmon</tt>). There is a readme
file located with the netmon driver files on the CD if you need
information on how to do this. Then copy the files from a working
Netmon installation.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2940586"></a>Useful URLs</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>See how Scott Merrill simulates BDC behavior at
<a href="http://www.skippy.net/linux/smb-howto.html" target="_top">
http://www.skippy.net/linux/smb-howto.html</a>.</p></li><li><p>FTP site for older SMB specs:
<a href="ftp://ftp.microsoft.com/developr/drg/CIFS/" target="_top">
ftp://ftp.microsoft.com/developr/drg/CIFS/</a></p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2940626"></a>Getting help from the mailing lists</h2></div></div><div></div></div><p>
There are a number of Samba related mailing lists. Go to <a href="http://samba.org" target="_top">http://samba.org</a>, click on your nearest mirror
and then click on <b class="command">Support</b> and then click on <b class="command">
Samba related mailing lists</b>.
</p><p>
For questions relating to Samba TNG go to
<a href="http://www.samba-tng.org/" target="_top">http://www.samba-tng.org/</a>.
It has been requested that you don't post questions about Samba-TNG to the
mainstream Samba lists.</p><p>
If you post a message to one of the lists please observe the following guidelines:
</p><div class="itemizedlist"><ul type="disc"><li><p>Always remember that the developers are volunteers; they are
not paid and they never guarantee to produce a particular feature at
a particular time. Any time lines are 'best guess' and nothing more.
</p></li><li><p>Always mention what version of Samba you are using and what
operating system it's running under. You should probably list the
relevant sections of your <tt class="filename">smb.conf</tt> file, at least the options
in [global] that affect PDC support.</p></li><li><p>In addition to the version, if you obtained Samba via
CVS mention the date when you last checked it out.</p></li><li><p>Try to make your question clear and brief; lots of long,
convoluted questions get deleted before they are completely read!
Don't post HTML encoded messages (if you can select colour or font
size, it's HTML).</p></li><li><p>If you run one of those nifty 'I'm on holidays' things when
you are away, make sure it's configured to not answer mailing lists.
</p></li><li><p>Don't cross-post. Work out which is the best list to post to
and see what happens, i.e. don't post to both samba-ntdom and samba-technical.
Many people active on the lists subscribe to more
than one list and get annoyed to see the same message two or more times.
Often someone will see a message and, thinking it would be better dealt
with on another list, will forward it on for you.</p></li><li><p>You might include <span class="emphasis"><em>partial</em></span>
log files written at a debug level set to as much as 20.
Please don't send the entire log but enough to give the context of the
error messages.</p></li><li><p>(Possibly) If you have a complete netmon trace (from the opening of
the pipe to the error) you can send the *.CAP file as well.</p></li><li><p>Please think carefully before attaching a document to an email.
Consider pasting the relevant parts into the body of the message. The Samba
mailing lists go to a huge number of people; do they all need a copy of your
smb.conf in their attach directory?</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2940778"></a>How to get off the mailing lists</h2></div></div><div></div></div><p>To have your name removed from a Samba mailing list, go to the
same place you went to get on it. Go to <a href="http://lists.samba.org/" target="_top">http://lists.samba.org</a>,
click on your nearest mirror and then click on <b class="command">Support</b> and
then click on <b class="command"> Samba related mailing lists</b>.
</p><p>
Please don't post messages to the list asking to be removed; you will just
be referred to the above address (unless that process failed in some way...).
</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="bugreport"></a>Chapter 35. Reporting Bugs</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate"> 27 June 1997 </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2940906">Introduction</a></dt><dt><a href="#id2940969">General info</a></dt><dt><a href="#id2941006">Debug levels</a></dt><dt><a href="#id2941215">Internal errors</a></dt><dt><a href="#id2941348">Attaching to a running process</a></dt><dt><a href="#id2941395">Patches</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2940906"></a>Introduction</h2></div></div><div></div></div><p>Please report bugs using
<a href="https://bugzilla.samba.org/" target="_top">bugzilla</a>.</p><p>
Please take the time to read this file before you submit a bug
report. Also, please see if it has changed between releases, as we
may be changing the bug reporting mechanism at some time.
</p><p>
Please also do as much as you can yourself to help track down the
bug. Samba is maintained by a dedicated group of people who volunteer
their time, skills and efforts. We receive far more mail about it than
we can possibly answer, so you have a much higher chance of an answer
and a fix if you send us a "developer friendly" bug report that lets
us fix it fast.
</p><p>
Do not assume that if you post the bug to the comp.protocols.smb
newsgroup or the mailing list that we will read it. If you suspect that your
problem is not a bug but a configuration problem then it is better to send
it to the Samba mailing list, as there are (at last count) 5000 other users on
that list that may be able to help you.
</p><p>
You may also like to look through the recent mailing list archives,
which are conveniently accessible on the Samba web pages
at <a href="http://samba.org/samba/" target="_top">http://samba.org/samba/</a>.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2940969"></a>General info</h2></div></div><div></div></div><p>
Before submitting a bug report check your config for silly
errors. Look in your log files for obvious messages that tell you that
you've misconfigured something and run testparm to test your config
file for correct syntax.
</p><p>
Have you run through the <a href="#diagnosis" title="Chapter 33. The Samba checklist">diagnosis</a>?
This is very important.
</p><p>
If you include part of a log file with your bug report then be sure to
annotate it with exactly what you were doing on the client at the
time, and exactly what the results were.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941006"></a>Debug levels</h2></div></div><div></div></div><p>
If the bug has anything to do with Samba behaving incorrectly as a
server (like refusing to open a file) then the log files will probably
be very useful. Depending on the problem a log level of between 3 and
10 showing the problem may be appropriate. A higher level gives more
detail, but may use too much disk space.
</p><p>
To set the debug level use the <a class="indexterm" name="id2941026"></a><i class="parameter"><tt>log level</tt></i> parameter in your
<tt class="filename">smb.conf</tt>. You may also find it useful to set the log
level higher for just one machine and keep separate logs for each machine.
To do this add the following lines to your main <tt class="filename">smb.conf</tt> file:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>log level = 10</tt></i></td></tr><tr><td><i class="parameter"><tt>log file = /usr/local/samba/lib/log.%m</tt></i></td></tr><tr><td><i class="parameter"><tt>include = /usr/local/samba/lib/smb.conf.%m</tt></i></td></tr></table><p>
then create a file
<tt class="filename">/usr/local/samba/lib/smb.conf.<i class="replaceable"><tt>machine</tt></i></tt> where
<i class="replaceable"><tt>machine</tt></i> is the name of the client you wish to debug. In that file
put any <tt class="filename">smb.conf</tt> commands you want; for example,
<a class="indexterm" name="id2941118"></a><i class="parameter"><tt>log level</tt></i> may be useful. This also allows you to
experiment with different security systems, protocol levels etc. on just
one machine.
</p><p>
The <tt class="filename">smb.conf</tt> entry <a class="indexterm" name="id2941145"></a><i class="parameter"><tt>log level</tt></i>
is synonymous with the parameter <a class="indexterm" name="id2941160"></a><i class="parameter"><tt>debuglevel</tt></i> that has
been used in older versions of Samba and is being retained for backwards
compatibility of <tt class="filename">smb.conf</tt> files.
</p><p>
As the <a class="indexterm" name="id2941186"></a><i class="parameter"><tt>log level</tt></i> value is increased you will record
a significantly increasing level of debugging information. For most
debugging operations you may not need a setting higher than
<tt class="constant">3</tt>. Nearly
all bugs can be tracked at a setting of <tt class="constant">10</tt>, but be
prepared for a VERY large volume of log data.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941215"></a>Internal errors</h2></div></div><div></div></div><p>
If you get an <span class="errorname">INTERNAL ERROR</span> message in your log files
it means that Samba got an unexpected signal while running. It is probably a
segmentation fault and almost certainly means a bug in Samba (unless
you have faulty hardware or system software).
</p><p>
If the message came from smbd then it will probably be accompanied by
a message which details the last SMB message received by smbd. This
info is often very useful in tracking down the problem so please
include it in your bug report.
</p><p>
You should also detail how to reproduce the problem, if
possible. Please make this reasonably detailed.
</p><a class="indexterm" name="id2941250"></a><p>
You may also find that a core file appeared in a <tt class="filename">corefiles</tt>
subdirectory of the directory where you keep your Samba log
files. This file is the most useful tool for tracking down the bug. To
use it you do this:
</p><a class="indexterm" name="id2941273"></a><a class="indexterm" name="id2941281"></a><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>gdb smbd core</tt></b>
</pre><p>
adding appropriate paths to smbd and core so gdb can find them. If you
don't have gdb then try <b class="userinput"><tt>dbx</tt></b>. Then within the debugger
use the command <b class="command">where</b> to give a stack trace of where the
problem occurred. Include this in your report.
</p><p>
If you know any assembly language then do a
<b class="command">disass</b> of the routine
where the problem occurred (if it's in a library routine then
disassemble the routine that called it) and try to work out exactly
where the problem is by looking at the surrounding code. Even if you
don't know assembly, including this info in the bug report can be
useful.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941348"></a>Attaching to a running process</h2></div></div><div></div></div><p>
Unfortunately some Unixes (in particular some recent Linux kernels)
refuse to dump a core file if the task has changed uid (which smbd
does often). To debug with this sort of system you could try to attach
to the running process using
<b class="userinput"><tt>gdb smbd <i class="replaceable"><tt>PID</tt></i></tt></b> where you get
<i class="replaceable"><tt>PID</tt></i> from <span class="application">smbstatus</span>.
Then use <b class="command">c</b> to continue and try to cause the core dump
using the client. The debugger should catch the fault and tell you
where it occurred.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941395"></a>Patches</h2></div></div><div></div></div><a class="indexterm" name="id2941403"></a><a class="indexterm" name="id2941411"></a><p>
The best sort of bug report is one that includes a fix! If you send us
patches please use <b class="userinput"><tt>diff -u</tt></b> format if your version of
diff supports it, otherwise use <b class="userinput"><tt>diff -c4</tt></b>. Make sure
you do the diff against a clean version of the source and let us know
exactly what version you used.
</p></div></div></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Appendixes"></a>Appendixes</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>36. <a href="#compiling">How to compile Samba</a></dt><dd><dl><dt><a href="#id2941554">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="#id2941570">Introduction</a></dt><dt><a href="#id2941600">CVS Access to samba.org</a></dt></dl></dd><dt><a href="#id2941849">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="#id2941913">Verifying Samba's PGP signature</a></dt><dt><a href="#id2942063">Building the Binaries</a></dt><dd><dl><dt><a href="#id2942242">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="#id2942409">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="#id2942516">Starting from inetd.conf</a></dt><dt><a href="#id2942763">Alternative: starting it as a daemon</a></dt></dl></dd></dl></dd><dt>37. <a href="#Portability">Portability</a></dt><dd><dl><dt><a href="#id2942927">HPUX</a></dt><dt><a href="#id2943015">SCO UNIX</a></dt><dt><a href="#id2943044">DNIX</a></dt><dt><a href="#id2943217">RedHat Linux Rembrandt-II</a></dt><dt><a href="#id2943261">AIX</a></dt><dd><dl><dt><a href="#id2943268">Sequential Read Ahead</a></dt></dl></dd><dt><a href="#id2943294">Solaris</a></dt><dd><dl><dt><a href="#id2943299">Locking improvements</a></dt><dt><a href="#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="#Other-Clients">Samba and other CIFS clients</a></dt><dd><dl><dt><a href="#id2943452">Macintosh clients?</a></dt><dt><a href="#id2943531">OS2 Client</a></dt><dd><dl><dt><a href="#id2943538">Configuring OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba</a></dt><dt><a href="#id2943607">Configuring OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba</a></dt><dt><a href="#id2943660">Printer driver download for for OS/2 clients?</a></dt></dl></dd><dt><a href="#id2943760">Windows for Workgroups</a></dt><dd><dl><dt><a href="#id2943768">Latest TCP/IP stack from Microsoft</a></dt><dt><a href="#id2943858">Delete .pwl files after password change</a></dt><dt><a href="#id2943888">Configuring WfW password handling</a></dt><dt><a href="#id2943941">Case handling of passwords</a></dt><dt><a href="#id2943979">Use TCP/IP as default protocol</a></dt><dt><a href="#id2943996">Speed improvement</a></dt></dl></dd><dt><a href="#id2944042">Windows '95/'98</a></dt><dd><dl><dt><a href="#id2944116">Speed improvement</a></dt></dl></dd><dt><a href="#id2944140">Windows 2000 Service Pack 2</a></dt><dt><a href="#id2944326">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="#speed">Samba Performance Tuning</a></dt><dd><dl><dt><a href="#id2944458">Comparisons</a></dt><dt><a href="#id2944501">Socket options</a></dt><dt><a href="#id2944592">Read size</a></dt><dt><a href="#id2944641">Max xmit</a></dt><dt><a href="#id2944701">Log level</a></dt><dt><a href="#id2944732">Read raw</a></dt><dt><a href="#id2944816">Write raw</a></dt><dt><a href="#id2944879">Slow Logins</a></dt><dt><a href="#id2944908">Client tuning</a></dt><dt><a href="#id2944932">Samba performance problem due changing kernel</a></dt><dt><a href="#id2944965">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="#DNSDHCP">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="#id2945070">Note</a></dt></dl></dd><dt>41. <a href="#Further-Resources">Further Resources</a></dt><dd><dl><dt><a href="#id2945137">Websites</a></dt><dt><a href="#id2945545">Related updates from Microsoft</a></dt></dl></dd></dl></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="compiling"></a>Chapter 36. 
How to compile Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate"> 22 May 2001 </p></div><div><p class="pubdate"> 18 March 2003 </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2941554">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="#id2941570">Introduction</a></dt><dt><a href="#id2941600">CVS Access to samba.org</a></dt></dl></dd><dt><a href="#id2941849">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="#id2941913">Verifying Samba's PGP signature</a></dt><dt><a href="#id2942063">Building the Binaries</a></dt><dd><dl><dt><a href="#id2942242">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="#id2942409">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="#id2942516">Starting from inetd.conf</a></dt><dt><a href="#id2942763">Alternative: starting it as a daemon</a></dt></dl></dd></dl></div><p>
You can obtain the Samba source from the
<a href="http://samba.org/" target="_top">Samba website</a>. To obtain a development version,
you can download Samba via CVS or rsync.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941554"></a>Access Samba source code via CVS</h2></div></div><div></div></div><a class="indexterm" name="id2941562"></a><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941570"></a>Introduction</h3></div></div><div></div></div><p>
Samba is developed in an open environment. Developers use CVS
(Concurrent Versioning System) to "checkin" (also known as
"commit") new source code. Samba's various CVS branches can
be accessed via anonymous CVS using the instructions
detailed in this chapter.
</p><p>
This chapter is a modified version of the instructions found at
<a href="http://samba.org/samba/cvs.html" target="_top">http://samba.org/samba/cvs.html</a>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941600"></a>CVS Access to samba.org</h3></div></div><div></div></div><p>
The machine samba.org runs a publicly accessible CVS
repository for access to the source code of several packages,
including samba, rsync, distcc, ccache and jitterbug. There are two main ways
of accessing the CVS server on this host.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2941616"></a>Access via CVSweb</h4></div></div><div></div></div><a class="indexterm" name="id2941625"></a><p>
You can access the source code via your
favourite WWW browser. This allows you to access the contents of
individual files in the repository and also to look at the revision
history and commit logs of individual files. You can also ask for a diff
listing between any two versions in the repository.
</p><p>
Use the URL: <a href="http://samba.org/cgi-bin/cvsweb" target="_top">http://samba.org/cgi-bin/cvsweb</a>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2941658"></a>Access via cvs</h4></div></div><div></div></div><p>
You can also access the source code via a
normal cvs client. This gives you much more control over what you can
do with the repository and allows you to check out whole source trees
and keep them up to date via normal cvs commands. This is the
preferred method of access if you are a developer and not
just a casual browser.
</p><p>
To download the latest cvs source code, point your
browser at
<a href="http://www.cyclic.com/" target="_top">http://www.cyclic.com/</a>
and click on the 'How to get cvs' link. CVS is free software under
the GNU GPL (as is Samba). Note that there are several graphical CVS clients
which provide a graphical interface to the sometimes mundane CVS commands.
Links to these clients are also available from the Cyclic website.
</p><p>
To gain access via anonymous cvs use the following steps.
For this example it is assumed that you want a copy of the
Samba source code. For the other source code repositories
on this system just substitute the correct package name.
</p><div class="procedure"><p class="title"><b>Procedure 36.1. Retrieving samba using CVS</b></p><ol type="1"><li><p>
Install a recent copy of cvs. All you really need is a
copy of the cvs client binary.
</p></li><li><p>
Run the command
</p><p>
<b class="userinput"><tt>cvs -d :pserver:cvs@samba.org:/cvsroot login</tt></b>
</p></li><li><p>
When it asks you for a password type <b class="userinput"><tt>cvs</tt></b>.
</p></li><li><p>
Run the command
</p><p>
<b class="userinput"><tt>cvs -d :pserver:cvs@samba.org:/cvsroot co samba</tt></b>
</p><p>
This will create a directory called samba containing the
latest Samba source code (i.e. the HEAD tagged cvs branch). This
currently corresponds to the 3.0 development tree.
</p><p>
CVS branches other than HEAD can be obtained by using the
<tt class="option">-r</tt> option and defining a tag name. A list of branch tag names
can be found on the "Development" page of the Samba web site. A common
request is to obtain the latest 3.0 release code. This could be done by
using the following command:
</p><p>
<b class="userinput"><tt>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_3_0 samba</tt></b>
</p></li><li><p>
Whenever you want to merge in the latest code changes use
the following command from within the samba directory:
</p><p>
<b class="userinput"><tt>cvs update -d -P</tt></b>
</p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941849"></a>Accessing the samba sources via rsync and ftp</h2></div></div><div></div></div><a class="indexterm" name="id2941857"></a><a class="indexterm" name="id2941865"></a><p>
pserver.samba.org also exports unpacked copies of most parts of the CVS
tree at <a href="ftp://pserver.samba.org/pub/unpacked" target="_top">ftp://pserver.samba.org/pub/unpacked</a> and also via anonymous rsync at
<a href="rsync://pserver.samba.org/ftp/unpacked/" target="_top">rsync://pserver.samba.org/ftp/unpacked/</a>. I recommend using rsync rather than ftp.
See <a href="http://rsync.samba.org/" target="_top">the rsync homepage</a> for more info on rsync.
</p><p>
The disadvantage of the unpacked trees is that they do not support automatic
merging of local changes like CVS does. rsync access is most convenient
for an initial install.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941913"></a>Verifying Samba's PGP signature</h2></div></div><div></div></div><p>
In these days of insecurity, it's strongly recommended that you verify the PGP
signature for any source file before installing it. Even if you're not
downloading from a mirror site, verifying PGP signatures should be a
standard reflex.
</p><p>
With that said, go ahead and download the following files:
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>wget http://us1.samba.org/samba/ftp/samba-pubkey.asc</tt></b>
</pre><p>
<a class="indexterm" name="id2941973"></a>
The first file is the PGP signature for the Samba source file; the other is the Samba public
PGP key itself. Import the public PGP key with:
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>gpg --import samba-pubkey.asc</tt></b>
</pre><p>
And verify the Samba source code integrity with:
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>gzip -d samba-2.2.8a.tar.gz</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>gpg --verify samba-2.2.8a.tar.asc</tt></b>
</pre><p>
The signature is made over the uncompressed tar file, which is why the archive
is decompressed first. If you receive a message like "Good signature from Samba Distribution
Verification Key..."
then all is well. The warnings about trust relationships can be ignored. An
example of what you would not want to see would be:
</p><p>
<tt class="computeroutput">
gpg: BAD signature from "Samba Distribution Verification Key"
</tt>
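</p><p>
As an added example (not part of this HOWTO or of the Samba sources), the verification step above scripted in POSIX sh: it reads gpg's machine-readable <tt class="option">--status-fd</tt> lines rather than matching the translatable "Good signature" text, and it accepts the tarball only when the signature is good <span class="emphasis"><em>and</em></span> made by the key whose fingerprint you expect, so a good signature from some other key is rejected. The value of <tt>EXPECTED_FPR</tt> below is a placeholder, not the fingerprint of the Samba key.
</p>

```shell
#!/bin/sh
# Added example for the Samba HOWTO's signature check; not code from the Samba
# project. It scripts "gpg --verify samba-2.2.8a.tar.asc" using gpg's
# machine-readable status lines (--status-fd) instead of matching the
# translatable "Good signature" text, and additionally pins the signing key:
# a good signature made by some other key is rejected.
#
# Assumption/placeholder: EXPECTED_FPR is the 40-hex-digit fingerprint of the
# Samba Distribution Verification Key, obtained out of band (for example from
# the project web site). The default below is NOT the real fingerprint.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# classify_gpg_status EXPECTED_FPR
# Reads "[GNUPG:] ..." status lines from stdin and prints one verdict:
#   GOOD      good signature made by the expected key
#   WRONGKEY  good signature, but made by a different key
#   BAD       signature does not match the data (tampered or corrupt tarball)
#   NOKEY     signing key not in the keyring (samba-pubkey.asc not imported)
#   UNKNOWN   no recognised status line (no signature, missing file, ...)
classify_gpg_status() {
    expected="$1"
    verdict=UNKNOWN
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)
                verdict=BAD
                ;;
            "[GNUPG:] NO_PUBKEY "*)
                if [ "$verdict" = UNKNOWN ]; then verdict=NOKEY; fi
                ;;
            "[GNUPG:] VALIDSIG "*)
                # Format: [GNUPG:] VALIDSIG <fingerprint> <sig-date> <timestamp> ...
                # Strip the prefix, then keep only the first remaining word.
                fpr=${line#"[GNUPG:] VALIDSIG "}
                fpr=${fpr%% *}
                if [ "$verdict" != BAD ]; then
                    if [ "$fpr" = "$expected" ]; then
                        verdict=GOOD
                    else
                        verdict=WRONGKEY
                    fi
                fi
                ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# verify_samba_tarball SIGFILE
# Runs gpg on the detached signature (gpg finds the signed file by stripping
# the .asc suffix, i.e. samba-2.2.8a.tar for samba-2.2.8a.tar.asc) and
# succeeds only for verdict GOOD. Human-readable gpg output is discarded;
# the status lines are sent to stdout with --status-fd 1 and classified.
verify_samba_tarball() {
    sig="$1"
    verdict=$(gpg --batch --status-fd 1 --verify "$sig" 2>/dev/null |
              classify_gpg_status "$EXPECTED_FPR")
    printf '%s: %s\n' "$sig" "$verdict"
    [ "$verdict" = GOOD ]
}

# Usage: sh verify.sh samba-2.2.8a.tar.asc   (after "gpg --import samba-pubkey.asc")
if [ -n "${1-}" ]; then
    verify_samba_tarball "$1"
fi
```
<p>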
15368 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2942063"></a>Building the Binaries</h2></div></div><div></div></div><a class="indexterm" name="id2942071"></a><p>
15369 To do this, first run the program <b class="userinput"><tt>./configure
15370 </tt></b> in the source directory. This should automatically
15371 configure Samba for your operating system. If you have unusual
15372 needs then you may wish to run</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>./configure --help
15373 </tt></b></pre><p>first to see what special options you can enable.
15374 Then executing</p><a class="indexterm" name="id2942117"></a><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>make</tt></b></pre><p>will create the binaries. Once it's successfully
15375 compiled you can use </p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>make install</tt></b></pre><p>to install the binaries and manual pages. You can
15376 separately install the binaries and/or man pages using</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>make installbin
15377 </tt></b></pre><p>and</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>make installman
</tt></b></pre><p>Note that if you are upgrading from a previous version
of Samba you might like to know that the old versions of
15380 the binaries will be renamed with a ".old" extension. You
15381 can go back to the previous version with</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>make revert
15382 </tt></b></pre><p>if you find this version a disaster!</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2942242"></a>Compiling samba with Active Directory support</h3></div></div><div></div></div><p>In order to compile samba with ADS support, you need to have installed
15383 on your system:</p><div class="itemizedlist"><ul type="disc"><li><p>the MIT kerberos development libraries
15384 (either install from the sources or use a package). The
15385 Heimdal libraries will not work.</p></li><li><p>the OpenLDAP development libraries.</p></li></ul></div><p>If your kerberos libraries are in a non-standard location then
15386 remember to add the configure option
15387 <tt class="option">--with-krb5=<i class="replaceable"><tt>DIR</tt></i></tt>.</p><p>After you run configure make sure that
15388 <tt class="filename">include/config.h</tt> it generates contains lines like
15389 this:</p><pre class="programlisting">
15390 #define HAVE_KRB5 1
15391 #define HAVE_LDAP 1
15392 </pre><p>If it doesn't then configure did not find your krb5 libraries or
15393 your ldap libraries. Look in <tt class="filename">config.log</tt> to figure
15394 out why and fix it.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2942323"></a>Installing the required packages for Debian</h4></div></div><div></div></div><p>On Debian you need to install the following packages:</p><p>
15395 </p><div class="itemizedlist"><ul type="disc"><li><p>libkrb5-dev</p></li><li><p>krb5-user</p></li></ul></div><p>
15396 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2942355"></a>Installing the required packages for RedHat</h4></div></div><div></div></div><p>On RedHat this means you should have at least: </p><p>
15397 </p><div class="itemizedlist"><ul type="disc"><li><p>krb5-workstation (for kinit)</p></li><li><p>krb5-libs (for linking with)</p></li><li><p>krb5-devel (because you are compiling from source)</p></li></ul></div><p>
15398 </p><p>in addition to the standard development environment.</p><p>Note that these are not standard on a RedHat install, and you may need
15399 to get them off CD2.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2942409"></a>Starting the <span class="application">smbd</span> and <span class="application">nmbd</span></h2></div></div><div></div></div><a class="indexterm" name="id2942429"></a><p>You must choose to start <span class="application">smbd</span> and <span class="application">nmbd</span> either
15400 as daemons or from <span class="application">inetd</span>. Don't try
15401 to do both! Either you can put them in <tt class="filename">
15402 inetd.conf</tt> and have them started on demand
15403 by <span class="application">inetd</span> or <span class="application">xinetd</span>,
15404 or you can start them as
15405 daemons either from the command line or in <tt class="filename">
15406 /etc/rc.local</tt>. See the man pages for details
15407 on the command line options. Take particular care to read
15408 the bit about what user you need to be in order to start
15409 Samba. In many cases you must be root.</p><p>The main advantage of starting <span class="application">smbd</span>
15410 and <span class="application">nmbd</span> using the recommended daemon method
15411 is that they will respond slightly more quickly to an initial connection
15412 request.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2942516"></a>Starting from inetd.conf</h3></div></div><div></div></div><a class="indexterm" name="id2942524"></a><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The following will be different if
15413 you use NIS, NIS+ or LDAP to distribute services maps.</p></div><p>Look at your <tt class="filename">/etc/services</tt>.
What is defined at port 139/tcp? If nothing is defined
then add a line like this:</p><pre class="programlisting">netbios-ssn 139/tcp</pre><p>Similarly, for 137/udp you should have an entry like:</p><pre class="programlisting">netbios-ns 137/udp</pre><p>Next edit your <tt class="filename">/etc/inetd.conf</tt>
15416 and add two lines something like this:</p><pre class="programlisting">
15417 netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
15418 netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
15419 </pre><p>The exact syntax of <tt class="filename">/etc/inetd.conf</tt>
15420 varies between unixes. Look at the other entries in inetd.conf
15421 for a guide. </p><a class="indexterm" name="id2942614"></a><p>Some distributions use xinetd instead of inetd. Consult the
15422 xinetd manual for configuration information.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Some unixes already have entries like netbios_ns
15423 (note the underscore) in <tt class="filename">/etc/services</tt>.
15424 You must either edit <tt class="filename">/etc/services</tt> or
15425 <tt class="filename">/etc/inetd.conf</tt> to make them consistent.
15426 </p></div><a class="indexterm" name="id2942657"></a><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>On many systems you may need to use the
15427 <a class="indexterm" name="id2942669"></a><i class="parameter"><tt>interfaces</tt></i> option in <tt class="filename">smb.conf</tt> to specify the IP
15428 address and netmask of your interfaces. Run
15429 <span class="application">ifconfig</span>
15430 as root if you don't know what the broadcast is for your
15431 net. <span class="application">nmbd</span> tries to determine it at run
15432 time, but fails on some unixes.
15433 </p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Many unixes only accept around 5
15434 parameters on the command line in <tt class="filename">inetd.conf</tt>.
15435 This means you shouldn't use spaces between the options and
15436 arguments, or you should use a script, and start the script
15437 from <b class="command">inetd</b>.</p></div><p>Restart <span class="application">inetd</span>, perhaps just send
15438 it a HUP. </p><pre class="screen">
15439 <tt class="prompt">root# </tt><b class="userinput"><tt>killall -HUP inetd</tt></b>
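</pre><p>The two notes above (service names that differ only by a dash or an underscore, and inetds that accept only about five command-line parameters) are easy to get wrong by hand, and the failure is silent: inetd logs an unknown service and nothing ever listens on 139/tcp. The following is an added example, not part of the Samba documentation, that checks a services file and an inetd.conf for both problems. The file paths are parameters so it can be run against copies; the sample files it writes are constructed, and the smbd/nmbd paths are the HOWTO's defaults.</p>

```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO: consistency checks for the
# inetd route.  File paths are parameters so the functions can be run
# against copies of /etc/services and /etc/inetd.conf.

# service_name_for SERVICES_FILE PORT/PROTO
# Prints the name the services file defines for e.g. 139/tcp (it may be
# netbios-ssn or netbios_ssn depending on the vendor), or nothing.
service_name_for() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $2 == want { print $1; exit }
    ' "$1"
}

# inetd_service_ok INETD_CONF SERVICES_FILE PORT/PROTO
# Succeeds when inetd.conf has an active entry whose service field is
# exactly the name the services file uses for PORT/PROTO.  A dash versus
# underscore mismatch is the inconsistency the HOWTO's note warns about.
inetd_service_ok() {
    name=$(service_name_for "$2" "$3")
    [ -n "$name" ] || return 1
    awk -v name="$name" '
        /^[ \t]*#/ || NF < 6 { next }
        $1 == name { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# inetd_max_args INETD_CONF
# Prints the largest number of command-line words (program name included)
# on any active inetd.conf line.  The HOWTO warns that many inetds accept
# only about 5, so longer smbd/nmbd invocations belong in a wrapper script.
inetd_max_args() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }
        NF - 6 > max { max = NF - 6 }
        END { print max + 0 }
    ' "$1"
}

# write_samples SERVICES_FILE INETD_CONF
# Constructed sample files: the services file uses the underscore spelling
# for 137/udp while inetd.conf uses the dash, and the nmbd line carries
# more options than a five-parameter inetd will pass through.
write_samples() {
    cat > "$1" <<'EOF'
# /etc/services (constructed sample)
ftp         21/tcp
netbios_ns  137/udp   # vendor spelling with underscore
netbios-ssn 139/tcp
EOF
    cat > "$2" <<'EOF'
# /etc/inetd.conf (constructed sample)
#ftp        stream tcp nowait root /usr/libexec/ftpd ftpd -l
netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
netbios-ns  dgram  udp wait   root /usr/local/samba/bin/nmbd nmbd -s /etc/smb.conf -l /var/log/nmb -d 2
EOF
}
```

<p>Point the functions at <tt class="filename">/etc/services</tt> and <tt class="filename">/etc/inetd.conf</tt> before sending inetd the HUP; if <b class="command">inetd_service_ok</b> fails for 137/udp or 139/tcp, make the two files agree on one spelling, and if <b class="command">inetd_max_args</b> reports more than five, move the options into a script started from inetd as the warning suggests.</p><pre class="screen">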
15440 </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2942763"></a>Alternative: starting it as a daemon</h3></div></div><div></div></div><a class="indexterm" name="id2942771"></a><p>To start the server as a daemon you should create
15441 a script something like this one, perhaps calling
15442 it <tt class="filename">startsmb</tt>.</p><pre class="programlisting">
15443 #!/bin/sh
15444 /usr/local/samba/bin/smbd -D
15445 /usr/local/samba/bin/nmbd -D
15446 </pre><p>then make it executable with <b class="command">chmod
15447 +x startsmb</b></p><p>You can then run <b class="command">startsmb</b> by
15448 hand or execute it from <tt class="filename">/etc/rc.local</tt>
15449 </p><p>To kill it send a kill signal to the processes
15450 <span class="application">nmbd</span> and <span class="application">smbd</span>.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>If you use the SVR4 style init system then
15451 you may like to look at the <tt class="filename">examples/svr4-startup</tt>
15452 script to make Samba fit into that system.</p></div></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Portability"></a>Chapter 37. Portability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2942927">HPUX</a></dt><dt><a href="#id2943015">SCO UNIX</a></dt><dt><a href="#id2943044">DNIX</a></dt><dt><a href="#id2943217">RedHat Linux Rembrandt-II</a></dt><dt><a href="#id2943261">AIX</a></dt><dd><dl><dt><a href="#id2943268">Sequential Read Ahead</a></dt></dl></dd><dt><a href="#id2943294">Solaris</a></dt><dd><dl><dt><a href="#id2943299">Locking improvements</a></dt><dt><a href="#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></div><p>Samba works on a wide range of platforms but the interface all the
15453 platforms provide is not always compatible. This chapter contains
15454 platform-specific information about compiling and using samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2942927"></a>HPUX</h2></div></div><div></div></div><p>
15455 HP's implementation of supplementary groups is, er, non-standard (for
15456 hysterical reasons). There are two group files, <tt class="filename">/etc/group</tt> and
15457 <tt class="filename">/etc/logingroup</tt>; the system maps UIDs to numbers using the former, but
15458 initgroups() reads the latter. Most system admins who know the ropes
15459 symlink <tt class="filename">/etc/group</tt> to <tt class="filename">/etc/logingroup</tt>
15460 (hard link doesn't work for reasons too stupid to go into here). initgroups() will complain if one of the
groups you belong to in <tt class="filename">/etc/logingroup</tt> has what it considers to be an invalid
15462 ID, which means outside the range <tt class="constant">[0..UID_MAX]</tt>, where <tt class="constant">UID_MAX</tt> is (I think)
15463 60000 currently on HP-UX. This precludes -2 and 65534, the usual <tt class="constant">nobody</tt>
15464 GIDs.
15465 </p><p>
15466 If you encounter this problem, make sure that the programs that are failing
15467 to initgroups() be run as users not in any groups with GIDs outside the
15468 allowed range.
15469 </p><p>This is documented in the HP manual pages under setgroups(2) and passwd(4).
15470 </p><p>
15471 On HPUX you must use gcc or the HP ANSI compiler. The free compiler
15472 that comes with HP-UX is not ANSI compliant and cannot compile
15473 Samba.
15474 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943015"></a>SCO UNIX</h2></div></div><div></div></div><p>
15475 If you run an old version of SCO UNIX then you may need to get important
15476 TCP/IP patches for Samba to work correctly. Without the patch, you may
15477 encounter corrupt data transfers using samba.
15478 </p><p>
15479 The patch you need is UOD385 Connection Drivers SLS. It is available from
15480 SCO (<a href="ftp://ftp.sco.com/" target="_top">ftp.sco.com</a>, directory SLS,
15481 files uod385a.Z and uod385a.ltr.Z).
15482 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943044"></a>DNIX</h2></div></div><div></div></div><p>
15483 DNIX has a problem with seteuid() and setegid(). These routines are
15484 needed for Samba to work correctly, but they were left out of the DNIX
15485 C library for some reason.
15486 </p><p>
15487 For this reason Samba by default defines the macro NO_EID in the DNIX
15488 section of includes.h. This works around the problem in a limited way,
15489 but it is far from ideal, some things still won't work right.
15490 </p><p>
15491 To fix the problem properly you need to assemble the following two
15492 functions and then either add them to your C library or link them into
15493 Samba.
15494 </p><p>
Put this in the file <tt class="filename">setegid.s</tt> (the <tt>1$</tt> label is the target of the <tt>bccs</tt> branch taken when the trap succeeds, and <tt>rts</tt> returns to the caller):
</p><pre class="programlisting">
.globl _setegid
_setegid:
moveq #47,d0
movl #100,a0
moveq #1,d1
movl 4(sp),a1
trap #9
bccs 1$
jmp cerror
1$:
clrl d0
rts
</pre><p>
Put this in the file <tt class="filename">seteuid.s</tt> (identical apart from the symbol name and the value loaded into <tt>d1</tt>):
</p><pre class="programlisting">
.globl _seteuid
_seteuid:
moveq #47,d0
movl #100,a0
moveq #0,d1
movl 4(sp),a1
trap #9
bccs 1$
jmp cerror
1$:
clrl d0
rts
</pre><p>
After creating the above files you assemble them using
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>as seteuid.s</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>as setegid.s</tt></b>
</pre><p>
That should produce the files <tt class="filename">seteuid.o</tt> and
<tt class="filename">setegid.o</tt>.
</p><p>
Then you need to add these to the LIBSM line in the DNIX section of
the Samba Makefile. Your LIBSM line will then look something like this:
15535 </p><pre class="programlisting">
15536 LIBSM = setegid.o seteuid.o -ln
15537 </pre><p>
15538 You should then remove the line:
15539 </p><pre class="programlisting">
15540 #define NO_EID
15541 </pre><p>from the DNIX section of <tt class="filename">includes.h</tt></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943217"></a>RedHat Linux Rembrandt-II</h2></div></div><div></div></div><p>
15542 By default RedHat Rembrandt-II during installation adds an
15543 entry to <tt class="filename">/etc/hosts</tt> as follows:
15544 </p><pre class="programlisting">
15545 127.0.0.1 loopback "hostname"."domainname"
15546 </pre><p>
15547 </p><p>
15548 This causes Samba to loop back onto the loopback interface.
15549 The result is that Samba fails to communicate correctly with
the world and therefore may fail to correctly negotiate who
15551 is the master browse list holder and who is the master browser.
15552 </p><p>
15553 Corrective Action: Delete the entry after the word loopback
15554 in the line starting 127.0.0.1
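</p><p>The following is an added example, not part of the Samba documentation, that detects the condition (the machine's own name on the 127.0.0.1 line) and prints a copy of the hosts file with the corrective action applied, so it can be diffed before <tt class="filename">/etc/hosts</tt> is replaced. The file path is a parameter, and the host name in the sample is constructed.</p>

```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO: detect and apply the
# corrective action for the Rembrandt-II /etc/hosts entry.  The file is a
# parameter so it can be run on a copy first; the host name used in the
# test data is constructed.

# host_on_loopback HOSTS_FILE NAME
# Succeeds when NAME appears on a 127.0.0.1 line, i.e. the machine's own
# name resolves to the loopback interface, which is what makes Samba talk
# to itself instead of to the network during browser elections.
host_on_loopback() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# fix_loopback_entry HOSTS_FILE
# Prints HOSTS_FILE with everything after the word "loopback" removed
# from the 127.0.0.1 line (the HOWTO's corrective action); all other
# lines pass through unchanged.  Redirect to a new file and compare it
# with the original before replacing /etc/hosts.
fix_loopback_entry() {
    awk '
        $1 == "127.0.0.1" {
            out = $1
            for (i = 2; i <= NF; i++) {
                out = out " " $i
                if ($i == "loopback") break
            }
            print out; next
        }
        { print }
    ' "$1"
}
```

<p>Keep a real address-to-name line for the host (as the sample does) so that the name still resolves after the loopback entry has been trimmed.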
15555 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943261"></a>AIX</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943268"></a>Sequential Read Ahead</h3></div></div><div></div></div><p>
15556 Disabling Sequential Read Ahead using <b class="userinput"><tt>vmtune -r 0</tt></b> improves
15557 Samba performance significantly.
15558 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943294"></a>Solaris</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943299"></a>Locking improvements</h3></div></div><div></div></div><p>Some people have been experiencing problems with F_SETLKW64/fcntl
when running Samba on Solaris. The built-in file locking mechanism was
not scalable. Performance would degrade to the point where processes would
get into loops of trying to lock a file. It would try a lock, then fail,
then try again. The lock attempt was failing before the grant was
occurring. So the visible manifestation of this would be a handful of
processes stealing all of the CPU, and when they were trussed they would
be stuck in F_SETLKW64 loops.
15566 </p><p>
15567 Sun released patches for Solaris 2.6, 8, and 9. The patch for Solaris 7
15568 has not been released yet.
15569 </p><p>
The patch revision for 2.6 is 105181-34,
for 8 is 108528-19, and for 9 is 112233-04.
15572 </p><p>
15573 After the install of these patches it is recommended to reconfigure
15574 and rebuild samba.
15575 </p><p>Thanks to Joe Meslovich for reporting</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="winbind-solaris9"></a>Winbind on Solaris 9</h3></div></div><div></div></div><p>
15576 Nsswitch on Solaris 9 refuses to use the winbind nss module. This behavior
15577 is fixed by Sun in patch 113476-05 which as of March 2003 is not in any
15578 roll-up packages.
15579 </p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Other-Clients"></a>Chapter 38. Samba and other CIFS clients</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jim</span> <span class="surname">McDonough</span></h3><span class="contrib">OS/2</span><div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">5 Mar 2001</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2943452">Macintosh clients?</a></dt><dt><a href="#id2943531">OS2 Client</a></dt><dd><dl><dt><a href="#id2943538">Configuring OS/2 Warp Connect or
15580 OS/2 Warp 4 as a client for Samba</a></dt><dt><a href="#id2943607">Configuring OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba</a></dt><dt><a href="#id2943660">Printer driver download for OS/2 clients?</a></dt></dl></dd><dt><a href="#id2943760">Windows for Workgroups</a></dt><dd><dl><dt><a href="#id2943768">Latest TCP/IP stack from Microsoft</a></dt><dt><a href="#id2943858">Delete .pwl files after password change</a></dt><dt><a href="#id2943888">Configuring WfW password handling</a></dt><dt><a href="#id2943941">Case handling of passwords</a></dt><dt><a href="#id2943979">Use TCP/IP as default protocol</a></dt><dt><a href="#id2943996">Speed improvement</a></dt></dl></dd><dt><a href="#id2944042">Windows '95/'98</a></dt><dd><dl><dt><a href="#id2944116">Speed improvement</a></dt></dl></dd><dt><a href="#id2944140">Windows 2000 Service Pack 2</a></dt><dt><a href="#id2944326">Windows NT 3.1</a></dt></dl></div><p>This chapter contains client-specific information.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943452"></a>Macintosh clients?</h2></div></div><div></div></div><p>
15582 Yes. <a href="http://www.thursby.com/" target="_top">Thursby</a> now has a CIFS Client / Server called <a href="http://www.thursby.com/products/dave.html" target="_top">DAVE</a>
15583 </p><p>
15584 They test it against Windows 95, Windows NT and samba for
15585 compatibility issues. At the time of writing, DAVE was at version
15586 1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from
15587 the Thursby web site (the speed of finder copies has been greatly
15588 enhanced, and there are bug-fixes included).
15589 </p><p>
15590 Alternatives - There are two free implementations of AppleTalk for
15591 several kinds of UNIX machines, and several more commercial ones.
15592 These products allow you to run file services and print services
15593 natively to Macintosh users, with no additional support required on
15594 the Macintosh. The two free implementations are
15595 <a href="http://www.umich.edu/~rsug/netatalk/" target="_top">Netatalk</a>, and
15596 <a href="http://www.cs.mu.oz.au/appletalk/atalk.html" target="_top">CAP</a>.
15597 What Samba offers MS
15598 Windows users, these packages offer to Macs. For more info on these
15599 packages, Samba, and Linux (and other UNIX-based systems) see
15600 <a href="http://www.eats.com/linux_mac_win.html" target="_top">http://www.eats.com/linux_mac_win.html</a>
15601 </p><p>Newer versions of the Macintosh (Mac OS X) include Samba.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943531"></a>OS2 Client</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943538"></a>Configuring OS/2 Warp Connect or
15602 OS/2 Warp 4 as a client for Samba</h3></div></div><div></div></div><p>Basically, you need three components:</p><div class="itemizedlist"><ul type="disc"><li><p>The File and Print Client ('IBM Peer')</p></li><li><p>TCP/IP ('Internet support') </p></li><li><p>The "NetBIOS over TCP/IP" driver ('TCPBEUI')</p></li></ul></div><p>Installing the first two together with the base operating
15603 system on a blank system is explained in the Warp manual. If Warp
15604 has already been installed, but you now want to install the
15605 networking support, use the "Selective Install for Networking"
15606 object in the "System Setup" folder.</p><p>Adding the "NetBIOS over TCP/IP" driver is not described
15607 in the manual and just barely in the online documentation. Start
15608 MPTS.EXE, click on OK, click on "Configure LAPS" and click
15609 on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
15610 is then moved to 'Current Configuration'. Select that line,
15611 click on "Change number" and increase it from 0 to 1. Save this
15612 configuration.</p><p>If the Samba server(s) is not on your local subnet, you
15613 can optionally add IP names and addresses of these servers
15614 to the "Names List", or specify a WINS server ('NetBIOS
15615 Nameserver' in IBM and RFC terminology). For Warp Connect you
15616 may need to download an update for 'IBM Peer' to bring it on
15617 the same level as Warp 4. See the webpage mentioned above.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943607"></a>Configuring OS/2 Warp 3 (not Connect),
15618 OS/2 1.2, 1.3 or 2.x for Samba</h3></div></div><div></div></div><p>You can use the free Microsoft LAN Manager 2.2c Client
15619 for OS/2 from
15620 <a href="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" target="_top">
ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</a>. In
a nutshell, edit the file \OS2VER in the root directory of
15624 the OS/2 boot partition and add the lines:</p><pre class="programlisting">
15625 20=setup.exe
15626 20=netwksta.sys
15627 20=netvdd.sys
15628 </pre><p>before you install the client. Also, don't use the
15629 included NE2000 driver because it is buggy. Try the NE2000
15630 or NS2000 driver from
15631 <a href="ftp://ftp.cdrom.com/pub/os2/network/ndis/" target="_top">
15632 ftp://ftp.cdrom.com/pub/os2/network/ndis/</a> instead.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943660"></a>Printer driver download for OS/2 clients?</h3></div></div><div></div></div><p>First, create a share called <i class="parameter"><tt>[PRINTDRV]</tt></i> that is
15634 world-readable. Copy your OS/2 driver files there. Note
15635 that the .EA_ files must still be separate, so you will need
15636 to use the original install files, and not copy an installed
15637 driver from an OS/2 system.</p><p>Install the NT driver first for that printer. Then,
15638 add to your <tt class="filename">smb.conf</tt> a parameter, <a class="indexterm" name="id2943694"></a><i class="parameter"><tt>os2 driver map</tt></i> = filename. Then, in the file
15639 specified by <i class="replaceable"><tt>filename</tt></i>, map the
15640 name of the NT driver name to the OS/2 driver name as
15641 follows:</p><p><i class="parameter"><tt><i class="replaceable"><tt>nt driver name</tt></i> = <i class="replaceable"><tt>os2 driver name</tt></i>.<i class="replaceable"><tt>device name</tt></i></tt></i>, e.g.:</p><p><i class="parameter"><tt>
15642 HP LaserJet 5L = LASERJET.HP LaserJet 5L</tt></i></p><p>You can have multiple drivers mapped in this file.</p><p>If you only specify the OS/2 driver name, and not the
15643 device name, the first attempt to download the driver will
15644 actually download the files, but the OS/2 client will tell
15645 you the driver is not available. On the second attempt, it
15646 will work. This is fixed simply by adding the device name
15647 to the mapping, after which it will work on the first attempt.
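</p><p>The two-attempts symptom above comes from a map entry that omits the device name, which is easy to miss in a file with many lines. The following is an added example, not part of the Samba documentation, that validates the file named by <i class="parameter"><tt>os2 driver map</tt></i> and reports every entry whose right-hand side has no <tt>.device name</tt> part; it also looks up the mapping for a given NT driver name. The sample map is constructed from the LaserJet line above.</p>

```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO: validate an "os2 driver map"
# file before clients run into the two-attempts problem.  Entries must look
# like "nt driver name = os2 driver name.device name".  The sample map used
# in the test is constructed.

# check_os2_driver_map MAPFILE
# Prints one diagnostic per faulty line and succeeds only if every
# mapping carries a device name after the dot.
check_os2_driver_map() {
    awk -F'[ \t]*=[ \t]*' '
        /^[ \t]*([#;]|$)/ { next }
        NF != 2 || $1 == "" || $2 == "" {
            printf "line %d: expected \"nt name = os2 name.device name\": %s\n", NR, $0
            bad++; next
        }
        index($2, ".") == 0 || $2 ~ /\.[ \t]*$/ {
            printf "line %d: no device name after the dot: %s\n", NR, $0
            bad++
        }
        END { exit(bad ? 1 : 0) }
    ' "$1"
}

# os2_driver_for MAPFILE "NT DRIVER NAME"
# Prints the "os2 driver name.device name" string the map associates with
# an NT driver name, or nothing if the name is not mapped.
os2_driver_for() {
    awk -F'[ \t]*=[ \t]*' -v want="$2" '
        /^[ \t]*([#;]|$)/ { next }
        NF == 2 && $1 == want { print $2; exit }
    ' "$1"
}
```

<p>Run <b class="command">check_os2_driver_map</b> on the map file after every edit; a non-zero exit with a "no device name" line is exactly the entry that will fail on the client's first download attempt.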
15648 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943760"></a>Windows for Workgroups</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943768"></a>Latest TCP/IP stack from Microsoft</h3></div></div><div></div></div><p>Use the latest TCP/IP stack from Microsoft if you use Windows
15649 for Workgroups.
15650 </p><p>The early TCP/IP stacks had lots of bugs.</p><p>
15651 Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
15652 VxD drivers. The latest release can be found on their ftp site at
15653 ftp.microsoft.com, located in <tt class="filename">/peropsys/windows/public/tcpip/wfwt32.exe</tt>.
15654 There is an update.txt file there that describes the problems that were
15655 fixed. New files include <tt class="filename">WINSOCK.DLL</tt>,
15656 <tt class="filename">TELNET.EXE</tt>,
15657 <tt class="filename">WSOCK.386</tt>,
15658 <tt class="filename">VNBT.386</tt>,
15659 <tt class="filename">WSTCP.386</tt>,
15660 <tt class="filename">TRACERT.EXE</tt>,
15661 <tt class="filename">NETSTAT.EXE</tt>, and
15662 <tt class="filename">NBTSTAT.EXE</tt>.
15663 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943858"></a>Delete .pwl files after password change</h3></div></div><div></div></div><p>
15664 WfWg does a lousy job with passwords. I find that if I change my
15665 password on either the unix box or the PC the safest thing to do is to
15666 delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password.
15667 </p><p>
15668 If you don't do this you may find that WfWg remembers and uses the old
15669 password, even if you told it a new one.
15670 </p><p>
15671 Often WfWg will totally ignore a password you give it in a dialog box.
15672 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943888"></a>Configuring WfW password handling</h3></div></div><div></div></div><p>
15673 There is a program call admincfg.exe
15674 on the last disk (disk 8) of the WFW 3.11 disk set. To install it
15675 type <b class="userinput"><tt>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</tt></b>.
15676 Then add an icon
15677 for it via the <span class="application">Program Manager</span> <span class="guimenu">New</span> Menu.
This program allows you to control how WFW handles passwords, e.g. to disable password caching,
for use with <a class="indexterm" name="id2943925"></a><i class="parameter"><tt>security</tt></i> = user.
15680 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943941"></a>Case handling of passwords</h3></div></div><div></div></div><p>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <tt class="filename">smb.conf</tt> information on <a class="indexterm" name="id2943961"></a><i class="parameter"><tt>password level</tt></i> to specify what characters samba should try to uppercase when checking.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943979"></a>Use TCP/IP as default protocol</h3></div></div><div></div></div><p>To support print queue reporting you may find
15681 that you have to use TCP/IP as the default protocol under
15682 WfWg. For some reason if you leave NetBEUI as the default
15683 it may break the print queue reporting on some systems.
15684 It is presumably a WfWg bug.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943996"></a>Speed improvement</h3></div></div><div></div></div><p>
15685 Note that some people have found that setting <i class="parameter"><tt>DefaultRcvWindow</tt></i> in
15686 the <i class="parameter"><tt>[MSTCP]</tt></i> section of the
15687 <tt class="filename">SYSTEM.INI</tt> file under WfWg to 3072 gives a
15688 big improvement. I don't know why.
15689 </p><p>
15690 My own experience with DefaultRcvWindow is that I get much better
15691 performance with a large value (16384 or larger). Other people have
15692 reported that anything over 3072 slows things down enormously. One
15693 person even reported a speed drop of a factor of 30 when he went from
15694 3072 to 8192. I don't know why.
15695 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944042"></a>Windows '95/'98</h2></div></div><div></div></div><p>
15696 When using Windows 95 OEM SR2 the following updates are recommended where Samba
15697 is being used. Please NOTE that the above change will affect you once these
15698 updates have been installed.
15699 </p><p>
15700 There are more updates than the ones mentioned here. You are referred to the
15701 Microsoft Web site for all currently available updates to your specific version
15702 of Windows 95.
15703 </p><table class="simplelist" border="0" summary="Simple list"><tr><td>Kernel Update: KRNLUPD.EXE</td></tr><tr><td>Ping Fix: PINGUPD.EXE</td></tr><tr><td>RPC Update: RPCRTUPD.EXE</td></tr><tr><td>TCP/IP Update: VIPUPD.EXE</td></tr><tr><td>Redirector Update: VRDRUPD.EXE</td></tr></table><p>
15704 Also, if using <span class="application">MS Outlook</span> it is desirable to
15705 install the <b class="command">OLEUPD.EXE</b> fix. This
15706 fix may stop your machine from hanging for an extended period when exiting
15707 Outlook and you may also notice a significant speedup when accessing network
15708 neighborhood services.
15709 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2944116"></a>Speed improvement</h3></div></div><div></div></div><p>
15710 Configure the win95 TCPIP registry settings to give better
15711 performance. I use a program called <b class="command">MTUSPEED.exe</b> which I got off the
15712 net. There are various other utilities of this type freely available.
15713 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944140"></a>Windows 2000 Service Pack 2</h2></div></div><div></div></div><p>
There are several annoyances with Windows 2000 SP2. One of them
appears only when a Samba server hosts user profiles
for Windows 2000 SP2 clients in a Windows domain. This assumes
that Samba is a member of the domain, but the problem will
likely occur even if it is not.
</p><p>
In order to serve profiles successfully to Windows 2000 SP2
clients (when not operating as a PDC), Samba must have
<a class="indexterm" name="id2944161"></a><i class="parameter"><tt>nt acl support</tt></i> = no
added to the file share which houses the roaming profiles.
If this is not done, the Windows 2000 SP2 client will
complain about not being able to access the profile (Access
Denied) and create multiple copies of it on disk (DOMAIN.user.001,
DOMAIN.user.002, etc.). See the
<tt class="filename">smb.conf</tt> man page
for more details on this option. Also note that the
<a class="indexterm" name="id2944189"></a><i class="parameter"><tt>nt acl support</tt></i> parameter was formerly a global parameter in
releases prior to Samba 2.2.2.
</p><p>
The following is a minimal profile share:
</p><div class="example"><a name="id2944212"></a><p class="title"><b>Example 38.1. Minimal profile share</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profile]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /export/profile</tt></i></td></tr><tr><td><i class="parameter"><tt>create mask = 0600</tt></i></td></tr><tr><td><i class="parameter"><tt>directory mask = 0700</tt></i></td></tr><tr><td><i class="parameter"><tt>nt acl support = no</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = no</tt></i></td></tr></table></div><p>
The reason for this bug is that the Win2k SP2 client copies
the security descriptor for the profile, which contains
the Samba server's SID and not the domain SID. The client
compares the SID for SAMBA\user and realizes it is
different from the one assigned to DOMAIN\user. Hence the
<span class="errorname">access denied</span> message.
</p><p>
By disabling the <a class="indexterm" name="id2944292"></a><i class="parameter"><tt>nt acl support</tt></i> parameter, Samba will send
the Win2k client a response to the QuerySecurityDescriptor
trans2 call which causes the client to set a default ACL
for the profile. This default ACL includes
</p><p><span class="emphasis"><em>DOMAIN\user "Full Control"</em></span></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This bug does not occur when using winbind to
create accounts on the Samba host for Domain users.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944326"></a>Windows NT 3.1</h2></div></div><div></div></div><p>If you have problems communicating across routers with Windows
NT 3.1 workstations, read <a href="http://support.microsoft.com/default.aspx?scid=kb;Q103765" target="_top">this Microsoft Knowledge Base article</a>.
</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="speed"></a>Chapter 39. Samba Performance Tuning</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Paul</span> <span class="surname">Cochrane</span></h3><div class="affiliation"><span class="orgname">Dundee Limb Fitting Centre<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:paulc@dth.scot.nhs.uk">paulc@dth.scot.nhs.uk</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2944458">Comparisons</a></dt><dt><a href="#id2944501">Socket options</a></dt><dt><a href="#id2944592">Read size</a></dt><dt><a href="#id2944641">Max xmit</a></dt><dt><a href="#id2944701">Log level</a></dt><dt><a href="#id2944732">Read raw</a></dt><dt><a href="#id2944816">Write raw</a></dt><dt><a href="#id2944879">Slow Logins</a></dt><dt><a href="#id2944908">Client tuning</a></dt><dt><a href="#id2944932">Samba performance problem due to changing kernel</a></dt><dt><a href="#id2944965">Corrupt tdb Files</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944458"></a>Comparisons</h2></div></div><div></div></div><p>
The Samba server uses TCP to talk to the client. Thus, if you want
to see whether it performs well, you should compare it to
programs that use the same protocol. The most readily available
programs for file transfer that use TCP are ftp or another TCP-based
SMB server.
</p><p>
If you want to test against something like an NT or WfWg server, then
you will have to disable all but TCP on either the client or the
server. Otherwise you may well be using a totally different protocol
(such as NetBEUI) and comparisons may not be valid.
</p><p>
Generally you should find that Samba performs similarly to ftp at raw
transfer speed. It should perform quite a bit faster than NFS,
although this very much depends on your system.
</p><p>
Several people have done comparisons between Samba and Novell, NFS or
WinNT. In some cases Samba performed the best, in others the worst. I
suspect the biggest factor is not Samba versus some other system but the
hardware and drivers used on the various systems. Given similar
hardware, Samba should certainly be competitive in speed with other
systems.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944501"></a>Socket options</h2></div></div><div></div></div><p>
There are a number of socket options that can greatly affect the
performance of a TCP-based server like Samba.
</p><p>
The socket options that Samba uses can be set either on the command
line with the <tt class="option">-O</tt> option or in the <tt class="filename">smb.conf</tt> file.
</p><p>
The <a class="indexterm" name="id2944535"></a><i class="parameter"><tt>socket options</tt></i> section of the <tt class="filename">smb.conf</tt> manual page describes how
to set these and gives recommendations.
</p><p>
Getting the socket options right can make a big difference to your
performance, but getting them wrong can degrade it by just as
much. The correct settings are very dependent on your local network.
</p><p>
The socket option TCP_NODELAY is the one that seems to make the
biggest single difference for most networks. Many people report that
adding <a class="indexterm" name="id2944572"></a><i class="parameter"><tt>socket options</tt></i> = TCP_NODELAY doubles the read
performance of a Samba drive. The best explanation I have seen for this is
that the Microsoft TCP/IP stack is slow in sending TCP ACKs.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944592"></a>Read size</h2></div></div><div></div></div><p>
The option <a class="indexterm" name="id2944601"></a><i class="parameter"><tt>read size</tt></i> affects the overlap of disk
reads/writes with network reads/writes. If the amount of data being
transferred in several of the SMB commands (currently SMBwrite, SMBwriteX and
SMBreadbraw) is larger than this value, then the server begins writing
the data before it has received the whole packet from the network, or,
in the case of SMBreadbraw, it begins writing to the network before
all the data has been read from disk.
</p><p>
This overlapping works best when the speeds of disk and network access
are similar, having very little effect when the speed of one is much
greater than the other.
</p><p>
The default value is 16384, but very little experimentation has been
done yet to determine the optimal value, and it is likely that the best
value will vary greatly between systems anyway. A value over 65536 is
pointless and will cause you to allocate memory unnecessarily.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944641"></a>Max xmit</h2></div></div><div></div></div><p>
At startup the client and server negotiate a <i class="parameter"><tt>maximum transmit</tt></i> size,
which limits the size of nearly all SMB commands. You can set the
maximum size that Samba will negotiate using the <a class="indexterm" name="id2944662"></a><i class="parameter"><tt>max xmit</tt></i> option
in <tt class="filename">smb.conf</tt>. Note that this is the maximum size of SMB requests that
Samba will accept, but not the maximum size that the <span class="emphasis"><em>client</em></span> will accept.
The client maximum receive size is sent to Samba by the client and Samba
honours this limit.
</p><p>
It defaults to 65536 bytes (the maximum), but it is possible that some
clients may perform better with a smaller transmit unit. Trying values
of less than 2048 is likely to cause severe problems.
</p><p>
In most cases the default is the best option.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944701"></a>Log level</h2></div></div><div></div></div><p>
If you set the log level (also known as <a class="indexterm" name="id2944711"></a><i class="parameter"><tt>debug level</tt></i>) higher than 2,
then you may suffer a large drop in performance. This is because the
server flushes the log file after each operation, which can be very
expensive.
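</p><p>
The following Python script is an added example, not Samba's own code or a tool shipped with it. It audits an <tt class="filename">smb.conf</tt> against the advice given above: the <tt>nt acl support = no</tt> requirement and owner-only masks for the Windows 2000 SP2 profile share (Example 38.1), and the <tt>socket options</tt>, <tt>read size</tt>, <tt>max xmit</tt> and <tt>log level</tt> thresholds from this chapter. The parser, the two sample configurations and the wording of the findings are constructed here; the parameter names and the numeric limits are the ones the text states.
</p>

```python
# Added example, not Samba's own code: audit an smb.conf against this chapter.
import re


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}; parameter names
    are lower-cased and whitespace-normalised, which is how smbd matches them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_false(value):
    """Samba boolean: no/false/0 (any case) are false, anything else is true."""
    return value.strip().lower() in ("no", "false", "0")


def audit_profile_share(conf, share="profile"):
    """Check the roaming-profile share for the SP2 fix and for the owner-only
    masks used in Example 38.1."""
    sec = conf.get(share)
    if sec is None:
        return ["[%s] share is not defined" % share]
    findings = []
    if not is_false(sec.get("nt acl support", "yes")):
        findings.append("[%s]: 'nt acl support = no' missing; Win2k SP2 clients get "
                        "Access Denied and create DOMAIN.user.NNN copies" % share)
    for param in ("create mask", "directory mask"):
        raw = sec.get(param)
        if raw is None:
            findings.append("[%s]: '%s' not set, so Samba's default applies" % (share, param))
        elif int(raw, 8) & 0o077:  # any group/other permission bit set
            findings.append("[%s]: %s = %s reaches beyond the profile owner" % (share, param, raw))
    return findings


def audit_performance(conf):
    """Check [global] tuning parameters against the thresholds in this chapter."""
    g, findings = conf.get("global", {}), []
    if "TCP_NODELAY" not in g.get("socket options", "").upper():
        findings.append("socket options: TCP_NODELAY not set (the option most often reported to help)")
    read_size = int(g.get("read size", "16384"))
    if read_size > 65536:
        findings.append("read size = %d: over 65536 is pointless and wastes memory" % read_size)
    max_xmit = int(g.get("max xmit", "65536"))
    if max_xmit < 2048:
        findings.append("max xmit = %d: below 2048 is likely to cause severe problems" % max_xmit)
    elif max_xmit > 65536:
        findings.append("max xmit = %d: 65536 is the maximum Samba negotiates" % max_xmit)
    # 'log level' and 'debug level' are synonyms; per-class overrides may follow
    # the first number, so only the leading token is the default level.
    level = int(g.get("log level", g.get("debug level", "0")).split()[0])
    if level > 2:
        findings.append("log level = %d: above 2 smbd flushes the log after every operation" % level)
    return findings


def audit(text):
    """All findings for one smb.conf text, profile share first."""
    conf = parse_smb_conf(text)
    return audit_profile_share(conf) + audit_performance(conf)


# Constructed sample that trips every check; not taken from a real server.
WEAK_SMB_CONF = """\
[global]
   socket options = SO_KEEPALIVE
   read size = 131072
   max xmit = 1024
   log level = 3

[profile]
   path = /export/profile
   create mask = 0644
   directory mask = 0755
"""

# The same server after this chapter's advice; [profile] uses Example 38.1's settings.
TUNED_SMB_CONF = """\
[global]
   socket options = TCP_NODELAY
   log level = 1

[profile]
   path = /export/profile
   create mask = 0600
   directory mask = 0700
   nt acl support = no
"""
```

Running <tt>audit(WEAK_SMB_CONF)</tt> reports seven findings, one per deviation, and <tt>audit(TUNED_SMB_CONF)</tt> reports none. The masks are checked for any group or other bit rather than for the literal values 0600 and 0700, so a stricter mask passes as well; the TCP_NODELAY finding is informational, since the text itself notes that the right socket options depend on the local network.
<p>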
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944732"></a>Read raw</h2></div></div><div></div></div><p>
The <a class="indexterm" name="id2944742"></a><i class="parameter"><tt>read raw</tt></i> operation is designed to be an optimised, low-latency
file read operation. A server may choose not to support it,
however, and Samba makes support for <a class="indexterm" name="id2944758"></a><i class="parameter"><tt>read raw</tt></i> optional, with it
being enabled by default.
</p><p>
In some cases clients don't handle <a class="indexterm" name="id2944776"></a><i class="parameter"><tt>read raw</tt></i> very well and actually
get lower performance using it than they get using the conventional
read operations.
</p><p>
So you might like to try <a class="indexterm" name="id2944797"></a><i class="parameter"><tt>read raw</tt></i> = no and see what happens on your
network. It might lower, raise or not affect your performance. Only
testing can really tell.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944816"></a>Write raw</h2></div></div><div></div></div><p>
The <a class="indexterm" name="id2944826"></a><i class="parameter"><tt>write raw</tt></i> operation is designed to be an optimised, low-latency
file write operation. A server may choose not to support it,
however, and Samba makes support for <a class="indexterm" name="id2944843"></a><i class="parameter"><tt>write raw</tt></i> optional, with it
being enabled by default.
</p><p>
Some machines may find <a class="indexterm" name="id2944861"></a><i class="parameter"><tt>write raw</tt></i> slower than normal write, in which
case you may wish to change this option.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944879"></a>Slow Logins</h2></div></div><div></div></div><p>
Slow logins are almost always due to the password checking time. Using
the lowest practical <a class="indexterm" name="id2944890"></a><i class="parameter"><tt>password level</tt></i> will improve things.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944908"></a>Client tuning</h2></div></div><div></div></div><p>
Often a speed problem can be traced to the client. The client (for
example Windows for Workgroups) can often be tuned for better TCP
performance. Check the sections on the various clients in
<a href="#Other-Clients" title="Chapter 38. Samba and other CIFS clients">Samba and Other Clients</a>.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944932"></a>Samba performance problem due to changing kernel</h2></div></div><div></div></div><p>
Hi everyone. I am running Gentoo on my server and samba 2.2.8a. Recently
I changed kernel version from linux-2.4.19-gentoo-r10 to
linux-2.4.20-wolk4.0s. And now I have a performance issue with samba. OK,
many of you will probably say that I should move to vanilla sources... well, I tried
it too and it didn't work. I have a 100mb LAN and two computers (linux +
Windows2000). The Linux server shares a directory with DivX files, and the client
(windows2000) plays them via LAN. Before, when I was running the 2.4.19 kernel,
everything was fine, but now movies freeze and stop... I tried moving
files between server and Windows and it's terribly slow.
</p><p>
Grab mii-tool and check the duplex settings on the NIC.
My guess is that it is a link layer issue, not an application
layer problem. Also run ifconfig and verify that the framing
errors, collisions, etc. look normal for ethernet.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944965"></a>Corrupt tdb Files</h2></div></div><div></div></div><p>
Well, today it happened: our first major problem using samba.
Our samba PDC server has been hosting 3 TB of data to our 500+ users
[Windows NT/XP] for the last 3 years using samba, no problem.
But today all shares went SLOW; very slow. Also the main smbd kept
spawning new processes so we had 1600+ running smbds (normally we avg. 250).
It crashed the SUN E3500 cluster twice. After a lot of searching I
decided to <b class="command">rm /var/locks/*.tdb</b>. Happy again.
</p><p>
Q1) Is there any method of keeping the *.tdb files in top condition, or
how to detect corruption early?
</p><p>
A1) Yes, run <b class="command">tdbbackup</b> each time after stopping nmbd and before starting nmbd.
</p><p>
Q2) What I also would like to mention is that the service latency seems
a lot lower than before the locks cleanup; any ideas on keeping it top notch?
</p><p>
A2) Yes! Same answer as for Q1!
</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DNSDHCP"></a>Chapter 40. DNS and DHCP Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2945070">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2945070"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Further-Resources"></a>Chapter 41. Further Resources</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 1, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="#id2945137">Websites</a></dt><dt><a href="#id2945545">Related updates from Microsoft</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2945137"></a>Websites</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
<a href="http://hr.uoregon.edu/davidrl/cifs.txt" target="_top">
<span class="emphasis"><em>CIFS: Common Insecurities Fail Scrutiny</em></span> by "Hobbit"</a>
</p></li><li><p>
<a href="http://afr.com/it/2002/10/01/FFXDF43AP6D.html" target="_top">
<span class="emphasis"><em>Doing the Samba on Windows</em></span> by Financial Review
</a>
</p></li><li><p>
<a href="http://ubiqx.org/cifs/" target="_top">
<span class="emphasis"><em>Implementing CIFS</em></span> by Christopher R. Hertel
</a>
</p></li><li><p>
<a href="http://samba.anu.edu.au/cifs/docs/what-is-smb.html" target="_top">
<span class="emphasis"><em>Just What Is SMB?</em></span> by Richard Sharpe
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/1999-05/samba_01.html" target="_top">
<span class="emphasis"><em>Opening Windows Everywhere</em></span> by Mike Warfield
</a>
</p></li><li><p>
<a href="http://www.tldp.org/HOWTO/SMB-HOWTO.html" target="_top">
<span class="emphasis"><em>SMB HOWTO</em></span> by David Wood
</a>
</p></li><li><p>
<a href="http://www.phrack.org/phrack/60/p60-0x0b.txt" target="_top">
<span class="emphasis"><em>SMB/CIFS by The Root</em></span> by "ledin"
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/1999-09/samba_01.html" target="_top">
<span class="emphasis"><em>The Story of Samba</em></span> by Christopher R. Hertel
</a>
</p></li><li><p>
<a href="http://hr.uoregon.edu/davidrl/samba/" target="_top">
<span class="emphasis"><em>The Unofficial Samba HOWTO</em></span> by David Lechnyr
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top">
<span class="emphasis"><em>Understanding the Network Neighborhood</em></span> by Christopher R. Hertel
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/2002-02/samba_01.html" target="_top">
<span class="emphasis"><em>Using Samba as a PDC</em></span> by Andrew Bartlett
</a>
</p></li><li><p>
<a href="http://ru.samba.org/samba/ftp/docs/Samba24Hc13.pdf" target="_top">
<span class="emphasis"><em>PDF version of the Troubleshooting Techniques chapter</em></span>
from the second edition of Sam's Teach Yourself Samba in 24 Hours
(publishing date of Dec. 12, 2001)</a>
</p></li><li><p>
<a href="http://ru.samba.org/samba/ftp/slides/" target="_top">
<span class="emphasis"><em>Slide presentations</em></span> by Samba Team members
</a>
</p></li><li><p>
<a href="http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html" target="_top">
<span class="emphasis"><em>Introduction to Samba 3.0</em></span> by Motonobu Takahashi
(written in Japanese). </a>
</p></li><li><p>
<a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top">
<span class="emphasis"><em>Understanding the Network Neighborhood</em></span>, by team member
Chris Hertel. This article appeared in the May 2001 issue of
Linux Magazine.
</a>
</p></li><li><p>
<a href="ftp://ftp.stratus.com/pub/vos/customers/samba/" target="_top">
<span class="emphasis"><em>Samba 2.0.x Troubleshooting guide</em></span> from Paul Green
</a>
</p></li><li><p>
<a href="http://samba.org/samba/docs/10years.html" target="_top">
<span class="emphasis"><em>Ten Years of Samba</em></span>
</a>
</p></li><li><p>
<a href="http://tldp.org/HOWTO/Samba-Authenticated-Gateway-HOWTO.html" target="_top">
<span class="emphasis"><em>Samba Authenticated Gateway HOWTO</em></span>
</a>
</p></li><li><p>
<a href="http://samba.org/samba/docs/SambaIntro.html" target="_top">
<span class="emphasis"><em>An Introduction to Samba</em></span>
</a>
</p></li><li><p>
<a href="http://www.samba.org/cifs/" target="_top">
<span class="emphasis"><em>What is CIFS?</em></span>
</a>
</p></li><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top">
<span class="emphasis"><em>WFWG: Password Caching and How It Affects LAN Manager
Security</em></span> at Microsoft Knowledge Base
</a>
</p></li><li><p>
<a href="http://www2.sphaero.org/docs/#W2K" target="_top">
<span class="emphasis"><em>W2K Samba deploy HOWTO</em></span>
by Arnaud Loonstra
</a>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2945545"></a>Related updates from Microsoft</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top">
<span class="emphasis"><em>Enhanced Encryption for Windows 95 Password Cache</em></span>
</a>
</p></li><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top">
<span class="emphasis"><em>Windows '95 File Sharing Updates</em></span>
</a>
</p></li><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top">
<span class="emphasis"><em>Windows for Workgroups Sharing Updates</em></span>
</a>
15996 </p></li></ul></div></div></div></div><div class="index"><div class="titlepage"><div><div><h2 class="title"><a name="id2945614"></a>Index</h2></div></div><div></div></div><div class="index"><div class="indexdiv"><h3>Symbols</h3><dl><dt>"Domain Admins" group, <a href="#id2885202">Discussion</a></dt><dt>"Domain Users" group, <a href="#id2885768">Adding Domain Users to the Power Users group</a></dt><dt>"Printers" folder, <a href="#id2912362">Caveats to be considered</a>, <a href="#id2913497">Installing the PostScript Driver on a Client</a>, <a href="#id2914542">Manual Driver Installation in 15 Steps</a></dt><dt>"raw" printing, <a href="#id2905999">CUPS/Samba as a "spooling-only" Print Server; "raw" printing
15997 with Vendor Drivers on Windows Clients</a></dt><dt>/etc/host.conf, <a href="#id2932499">/etc/host.conf</a></dt><dt>/etc/hosts, <a href="#id2932315">/etc/hosts</a></dt><dt>/etc/nsswitch.conf, <a href="#id2932551">/etc/nsswitch.conf</a></dt><dt>8.3</dt><dd><dl><dt>file names, <a href="#id2886190">MS Windows NTFS Comparison with UNIX File Systems</a></dt></dl></dd></dl></div><div class="indexdiv"><h3>A</h3><dl><dt>ACLs, <a href="#AccessControls">File, Directory and Share Access Controls</a></dt><dt>Active Directory, <a href="#ads-member">Samba ADS Domain Membership</a></dt><dt>add group script, <a href="#id2885674">Adding Groups Fails</a></dt><dt>add machine script, <a href="#id2871029">The machine trust account not accessible</a>, <a href="#id2874764">Adding Machine to Domain Fails</a></dt><dt>add printer command, <a href="#id2903177">Adding new Printers with the Windows NT APW</a></dt><dt>add printer wizard, <a href="#id2906306">Three familiar Methods for driver upload plus a new one</a></dt><dt>add user script, <a href="#id2880966">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt>addprinter command, <a href="#id2894888">Parameters Recommended for Use</a></dt><dt>admin users, <a href="#id2886837">User and Group Based Controls</a>, <a href="#id2889969">I have set force user but Samba still makes root the owner of all the files I touch!</a></dt><dt>Administrator, <a href="#id2885202">Discussion</a></dt><dt>ADS (see Active Directory)</dt><dt>ads server, <a href="#id2874178">Setup your smb.conf</a></dt><dt>application/cups.vnd-postscript, <a href="#id2912629">Benefits of using "CUPS PostScript Driver for
15998 Windows NT/2k/XP" instead of Adobe Driver</a></dt><dt>application/octet-stream, <a href="#id2906119">Explicitly enable "raw" printing for
15999 application/octet-stream!</a>, <a href="#id2907752">MIME type Conversion Rules</a>, <a href="#id2909312">"application/octet-stream" printing</a></dt><dt>application/pdf, <a href="#id2907545">MIME types and CUPS Filters</a></dt><dt>application/postscript, <a href="#id2912629">Benefits of using "CUPS PostScript Driver for
16000 Windows NT/2k/XP" instead of Adobe Driver</a></dt><dt>application/vnd.cups-raster, <a href="#id2909544">PostScript Printer Descriptions (PPDs) for non-PS Printers</a></dt><dt>application/vnd.cups-raw, <a href="#id2906119">Explicitly enable "raw" printing for
16001 application/octet-stream!</a></dt><dt>auth methods, <a href="#id2884738">auth methods does not work</a>, <a href="#id2935529">Passdb Backends and Authentication</a></dt></dl></div><div class="indexdiv"><h3>B</h3><dl><dt>bind interfaces only, <a href="#id2938586">The tests</a></dt><dt>brlock.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>browse list, <a href="#id2875904">What is Browsing?</a>, <a href="#id2878986">Technical Overview of browsing</a></dt><dt>browseable, <a href="#id2896767">The [printers] Section</a>, <a href="#id2897210">Any [my_printer_name] Section</a>, <a href="#id2899189">Parameters in the [print$] Section</a></dt></dl></div><div class="indexdiv"><h3>C</h3><dl><dt>case sensitive, <a href="#id2887639">Miscellaneous Controls</a>, <a href="#id2926538">Windows 9x / Me Profile Setup</a></dt><dt>chpass, <a href="#id2872769">Manual Creation of Machine Trust Accounts</a></dt><dt>comment, <a href="#id2896767">The [printers] Section</a>, <a href="#id2897210">Any [my_printer_name] Section</a>, <a href="#id2899189">Parameters in the [print$] Section</a></dt><dt>configure, <a href="#id2942063">Building the Binaries</a></dt><dt>connections.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>core files, <a href="#id2941215">Internal errors</a></dt><dt>create mask, <a href="#id2887260">File and Directory Permissions Based Controls</a>, <a href="#id2889049">Interaction with the standard Samba create mask
16002 parameters</a></dt><dt>csc policy, <a href="#id2887639">Miscellaneous Controls</a></dt><dt>CUPS</dt><dd><dl><dt>Page Accounting, <a href="#id2917602">Page Accounting with CUPS</a></dt><dt>quotas, <a href="#id2917645">Setting up Quotas</a></dt></dl></dd><dt>CUPS-PPD, <a href="#id2916653">cupsomatic, pdqomatic, lpdomatic, directomatic</a></dt><dt>cupsaddsmb, <a href="#id2906306">Three familiar Methods for driver upload plus a new one</a>, <a href="#id2911524">cupsaddsmb: the unknown Utility</a>, <a href="#id2912362">Caveats to be considered</a>, <a href="#id2912835">Run "cupsaddsmb" (quiet Mode)</a>, <a href="#id2912958">Run "cupsaddsmb" with verbose Output</a>, <a href="#id2913117">Understanding cupsaddsmb</a>, <a href="#id2913349">cupsaddsmb with a Samba PDC</a>, <a href="#id2913427">cupsaddsmb Flowchart</a></dt><dt>cupsomatic, <a href="#id2907241">CUPS can use all Windows-formatted Vendor PPDs</a>, <a href="#id2907370">The CUPS Filtering Architecture</a>, <a href="#id2909039">cupsomatic/Foomatic -- how do they fit into the Picture?</a>, <a href="#id2909807">Difference between cupsomatic/foomatic-rip and
16003 native CUPS printing</a>, <a href="#id2916653">cupsomatic, pdqomatic, lpdomatic, directomatic</a></dt><dt>CVS, <a href="#id2941554">Access Samba source code via CVS</a></dt><dd><dl><dt>web, <a href="#id2941616">Access via CVSweb</a></dt></dl></dd></dl></div><div class="indexdiv"><h3>D</h3><dl><dt>daemon, <a href="#id2942763">Alternative: starting it as a daemon</a></dt><dt>DDK, <a href="#id2911445">PostScript Drivers with no major problems -- even in Kernel
16004 Mode</a>, <a href="#id2911845">CUPS Package of "PostScript Driver for WinNT/2k/XP"</a></dt><dt>debug, <a href="#id2941215">Internal errors</a></dt><dt>debug level, <a href="#id2940082">Debugging with Samba itself</a>, <a href="#id2944701">Log level</a></dt><dt>debuglevel, <a href="#id2941006">Debug levels</a></dt><dt>default case, <a href="#id2887639">Miscellaneous Controls</a></dt><dt>delete printer command, <a href="#id2903177">Adding new Printers with the Windows NT APW</a></dt><dt>deleteprinter command, <a href="#id2894888">Parameters Recommended for Use</a></dt><dt>DHCP, <a href="#id2932188">Background Information</a></dt><dt>diff, <a href="#id2941395">Patches</a></dt><dt>directory mask, <a href="#id2887260">File and Directory Permissions Based Controls</a></dt><dt>directory security mask, <a href="#id2889049">Interaction with the standard Samba create mask
16005 parameters</a></dt><dt>disable spoolss, <a href="#id2894888">Parameters Recommended for Use</a></dt><dt>display charset, <a href="#id2933835">Samba and charsets</a></dt><dt>DNS, <a href="#id2876469">TCP/IP - without NetBIOS</a>, <a href="#id2933266">DNS Lookup</a></dt><dd><dl><dt>Active Directory, <a href="#id2876635">DNS and Active Directory</a></dt><dt>Dynamic, <a href="#id2932188">Background Information</a></dt></dl></dd><dt>dns proxy, <a href="#id2875904">What is Browsing?</a></dt><dt>domain admin group, <a href="#groupmapping">Mapping MS Windows and UNIX Groups</a></dt><dt>domain logons, <a href="#id2869309">Preparing for Domain Control</a></dt><dt>domain master, <a href="#id2870253">Domain Network Logon Service</a>, <a href="#id2871968">Example Configuration</a>, <a href="#id2875904">What is Browsing?</a>, <a href="#id2877716">Making Samba the domain master</a></dt><dt>dont descend, <a href="#id2887639">Miscellaneous Controls</a></dt><dt>dos charset, <a href="#id2933835">Samba and charsets</a>, <a href="#id2933992">Japanese charsets</a>, <a href="#id2934137">CP850.so can't be found</a></dt><dt>dos filemode, <a href="#id2887260">File and Directory Permissions Based Controls</a></dt><dt>dos filetime resolution, <a href="#id2887639">Miscellaneous Controls</a></dt><dt>dos filetimes, <a href="#id2887639">Miscellaneous Controls</a></dt></dl></div><div class="indexdiv"><h3>E</h3><dl><dt>EMF, <a href="#id2906600">Windows Drivers, GDI and EMF</a>, <a href="#id2910577">From Windows Clients to an NT Print Server</a>, <a href="#id2910701">Driver Execution on the Server</a></dt><dt>encrypt passwords, <a href="#id2873558">Joining an NT4 type Domain with Samba-3</a>, <a href="#id2881758">smbpasswd - Encrypted Password Database</a>, <a href="#id2931283">smb.conf PAM Configuration</a>, <a href="#id2938586">The tests</a></dt><dt>enhanced browsing, <a href="#id2875904">What is Browsing?</a></dt><dt>enumports command, <a href="#id2894888">Parameters Recommended for 
Use</a>, <a href="#id2903854">Samba and Printer Ports</a></dt><dt>EPM (see ESP meta packager)</dt><dt>ESC/P, <a href="#id2910701">Driver Execution on the Server</a></dt><dt>ESP</dt><dd><dl><dt>Ghostscript, <a href="#id2907370">The CUPS Filtering Architecture</a>, <a href="#id2909807">Difference between cupsomatic/foomatic-rip and
16006 native CUPS printing</a></dt><dt>meta packager, <a href="#id2911845">CUPS Package of "PostScript Driver for WinNT/2k/XP"</a></dt><dt>Print Pro, <a href="#id2910331">Sources of CUPS drivers / PPDs</a>, <a href="#id2912301">ESP Print Pro Package of "PostScript Driver for
WinNT/2k/XP"</a></dt></dl></dd><dt>Extended Attributes, <a href="#AccessControls">File, Directory and Share Access Controls</a></dt></dl></div><div class="indexdiv"><h3>F</h3><dl><dt>fake oplocks, <a href="#id2887639">Miscellaneous Controls</a></dt><dt>File System, <a href="#id2886154">File System Access Controls</a></dt><dt>foomatic, <a href="#id2907241">CUPS can use all Windows-formatted Vendor PPDs</a>, <a href="#id2907370">The CUPS Filtering Architecture</a>, <a href="#id2909039">cupsomatic/Foomatic -- how do they fit into the Picture?</a>, <a href="#id2909807">Difference between cupsomatic/foomatic-rip and
native CUPS printing</a>, <a href="#id2916436">foomatic-rip and Foomatic explained</a>, <a href="#id2916577">Foomatic's strange Name</a></dt><dt>foomatic-rip, <a href="#id2909807">Difference between cupsomatic/foomatic-rip and
native CUPS printing</a>, <a href="#id2916297">CUPS Print Drivers from Linuxprinting.org</a>, <a href="#id2916436">foomatic-rip and Foomatic explained</a>, <a href="#id2916817">The Grand Unification
achieved...</a></dt><dt>force create mode, <a href="#id2887260">File and Directory Permissions Based Controls</a>, <a href="#id2889049">Interaction with the standard Samba create mask
parameters</a></dt><dt>force directory mode, <a href="#id2887260">File and Directory Permissions Based Controls</a>, <a href="#id2889049">Interaction with the standard Samba create mask
parameters</a></dt><dt>force directory security mode, <a href="#id2887260">File and Directory Permissions Based Controls</a>, <a href="#id2889049">Interaction with the standard Samba create mask
parameters</a></dt><dt>force group, <a href="#id2886837">User and Group Based Controls</a></dt><dt>force security mode, <a href="#id2887260">File and Directory Permissions Based Controls</a>, <a href="#id2889049">Interaction with the standard Samba create mask
parameters</a></dt><dt>force user, <a href="#id2886837">User and Group Based Controls</a>, <a href="#id2889969">I have set force user but Samba still makes root the owner of all the files I touch!</a>, <a href="#id2890942">Beware of Force User</a></dt><dt>ftp, <a href="#id2941849">Accessing the samba sources via rsync and ftp</a></dt></dl></div><div class="indexdiv"><h3>G</h3><dl><dt>gdb, <a href="#id2941215">Internal errors</a></dt><dt>GDI, <a href="#gdipost">GDI on Windows -- PostScript on UNIX</a>, <a href="#id2906600">Windows Drivers, GDI and EMF</a>, <a href="#id2910577">From Windows Clients to an NT Print Server</a>, <a href="#id2910701">Driver Execution on the Server</a></dt><dt>GhostScript, <a href="#post-and-ghost">PostScript and Ghostscript</a>, <a href="#id2907029">Ghostscript -- the Software RIP for non-PostScript Printers</a></dt><dd><dl><dt>(see also PostScript)</dt></dl></dd><dt>Ghostscript</dt><dd><dl><dt>ESP (see ESP GhostScript)</dt></dl></dd><dt>GID, <a href="#id2884967">Features and Benefits</a></dt><dt>GPG, <a href="#id2941913">Verifying Samba's PGP signature</a></dt><dt>groupadd, <a href="#id2884967">Features and Benefits</a></dt><dt>groupdel, <a href="#id2884967">Features and Benefits</a></dt><dt>groups</dt><dd><dl><dt>domain, <a href="#id2885202">Discussion</a></dt><dt>mapping, <a href="#groupmapping">Mapping MS Windows and UNIX Groups</a></dt><dt>nested, <a href="#id2885742">Adding MS Windows Groups to MS Windows Groups Fails</a></dt></dl></dd><dt>guest account, <a href="#id2879168">Problem resolution</a>, <a href="#id2879979">My client reports "This server is not configured to list shared resources"</a>, <a href="#id2896767">The [printers] Section</a></dt><dt>guest ok, <a href="#id2886837">User and Group Based Controls</a>, <a href="#id2896767">The [printers] Section</a>, <a href="#id2897210">Any [my_printer_name] Section</a>, <a href="#id2899189">Parameters in the [print$] Section</a></dt></dl></div><div 
class="indexdiv"><h3>H</h3><dl><dt>hide dot files, <a href="#id2887639">Miscellaneous Controls</a></dt><dt>hide files, <a href="#id2887639">Miscellaneous Controls</a></dt><dt>hide unreadable, <a href="#id2887260">File and Directory Permissions Based Controls</a></dt><dt>hide unwriteable files, <a href="#id2887260">File and Directory Permissions Based Controls</a></dt><dt>host msdfs, <a href="#id2894231">Features and Benefits</a></dt><dt>hosts allow, <a href="#id2892490">Using host based protection</a>, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2897210">Any [my_printer_name] Section</a></dt><dt>hosts deny, <a href="#id2892490">Using host based protection</a>, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2897210">Any [my_printer_name] Section</a></dt></dl></div><div class="indexdiv"><h3>I</h3><dl><dt>idmap gid, <a href="#id2884967">Features and Benefits</a>, <a href="#id2931926">Winbind is not resolving users and groups</a></dt><dt>idmap uid, <a href="#id2884967">Features and Benefits</a>, <a href="#id2931926">Winbind is not resolving users and groups</a></dt><dt>ifconfig, <a href="#id2942516">Starting from inetd.conf</a></dt><dt>imprints, <a href="#id2906306">Three familiar Methods for driver upload plus a new one</a></dt><dt>inetd, <a href="#id2938586">The tests</a>, <a href="#id2942409">Starting the smbd and nmbd</a>, <a href="#id2942516">Starting from inetd.conf</a></dt><dt>Interdomain Trusts, <a href="#InterdomainTrusts">Interdomain Trust Relationships</a></dt><dd><dl><dt>completing, <a href="#id2893500">Completing an NT4 Domain Trust</a></dt><dt>creating, <a href="#id2893400">Native MS Windows NT4 Trusts Configuration</a></dt><dt>Facilities, <a href="#id2893547">Inter-Domain Trust Facilities</a></dt></dl></dd><dt>interfaces, <a href="#id2877911">Multiple interfaces</a>, <a href="#id2938586">The tests</a>, <a href="#id2942516">Starting from inetd.conf</a></dt><dt>invalid users, <a href="#id2886837">User and 
Group Based Controls</a></dt><dt>IPP, <a href="#id2913117">Understanding cupsaddsmb</a></dt></dl></div><div class="indexdiv"><h3>K</h3><dl><dt>KDC, <a href="#ads-member">Samba ADS Domain Membership</a></dt><dt>Kerberos, <a href="#ads-member">Samba ADS Domain Membership</a></dt><dt>kinit, <a href="#id2874307">Setup your /etc/krb5.conf</a></dt></dl></div><div class="indexdiv"><h3>L</h3><dl><dt>ldap admin dn, <a href="#id2882509">Configuring Samba</a></dt><dt>ldap delete dn, <a href="#id2882509">Configuring Samba</a></dt><dt>ldap filter, <a href="#id2882509">Configuring Samba</a></dt><dt>ldap machine suffix, <a href="#id2882509">Configuring Samba</a></dt><dt>ldap passwd sync, <a href="#id2882509">Configuring Samba</a>, <a href="#id2883609">Password synchronisation</a></dt><dt>ldap ssl, <a href="#id2882509">Configuring Samba</a>, <a href="#id2882943">Security and sambaSamAccount</a></dt><dt>ldap suffix, <a href="#id2882509">Configuring Samba</a></dt><dt>ldap trust ids, <a href="#id2882509">Configuring Samba</a></dt><dt>ldap user suffix, <a href="#id2882509">Configuring Samba</a></dt><dt>libnss_wins.so, <a href="#id2932551">/etc/nsswitch.conf</a></dt><dt>Links</dt><dd><dl><dt>hard, <a href="#id2886190">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>soft, <a href="#id2886190">MS Windows NTFS Comparison with UNIX File Systems</a></dt></dl></dd><dt>Linuxprinting.org, <a href="#id2916297">CUPS Print Drivers from Linuxprinting.org</a></dt><dt>lm announce, <a href="#id2875904">What is Browsing?</a></dt><dt>lm interval, <a href="#id2875904">What is Browsing?</a></dt><dt>LMB (see Local Master Browser)</dt><dt>LMHOSTS, <a href="#id2932985">The LMHOSTS file</a></dt><dt>load printers, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2895606">A little Experiment to warn you</a>, <a href="#id2896282">The [global] Section</a></dt><dt>local master, <a href="#id2875904">What is Browsing?</a>, <a href="#DMB">Setting up WORKGROUP 
Browsing</a></dt><dt>Local Master Browser, <a href="#id2877946">Use of the Remote Announce parameter</a></dt><dt>locking, <a href="#id2890336">Discussion</a></dt><dt>locking.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>log files</dt><dd><dl><dt>monitoring, <a href="#id2938359">Assumptions</a></dt></dl></dd><dt>log level, <a href="#id2874764">Adding Machine to Domain Fails</a>, <a href="#id2920835">extd_audit</a>, <a href="#id2941006">Debug levels</a></dt><dt>logon drive, <a href="#id2927080">Windows NT4 Workstation</a></dt><dt>logon home, <a href="#id2883102">LDAP special attributes for sambaSamAccounts</a>, <a href="#id2926161">Windows 9x / Me User Profiles</a>, <a href="#id2926293">Mixed Windows 9x / Me and Windows NT4/200x User Profiles</a>, <a href="#id2927080">Windows NT4 Workstation</a>, <a href="#id2927776">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt>logon path, <a href="#id2883102">LDAP special attributes for sambaSamAccounts</a>, <a href="#id2926293">Mixed Windows 9x / Me and Windows NT4/200x User Profiles</a>, <a href="#id2926538">Windows 9x / Me Profile Setup</a>, <a href="#id2927080">Windows NT4 Workstation</a>, <a href="#id2927776">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt>logon script, <a href="#id2883102">LDAP special attributes for sambaSamAccounts</a></dt><dt>lpadmin, <a href="#id2916297">CUPS Print Drivers from Linuxprinting.org</a>, <a href="#id2917645">Setting up Quotas</a></dt><dt>lppause command, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2905167">Linking of smbd with libcups.so</a>, <a href="#id2910833">From Windows Clients to a CUPS/Samba Print Server</a>, <a href="#id2918407">Pre-conditions</a></dt><dt>lpq cache time, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2896282">The [global] Section</a></dt><dt>lpq command, <a href="#id2894888">Parameters Recommended for Use</a>, <a 
href="#id2905167">Linking of smbd with libcups.so</a>, <a href="#id2918407">Pre-conditions</a></dt><dt>lpresume command, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2905167">Linking of smbd with libcups.so</a>, <a href="#id2918407">Pre-conditions</a></dt><dt>lprm command, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2905167">Linking of smbd with libcups.so</a>, <a href="#id2918407">Pre-conditions</a></dt><dt>lpstat, <a href="#id2915566">Troubleshooting revisited</a></dt></dl></div><div class="indexdiv"><h3>M</h3><dl><dt>MAC Addresses, <a href="#id2932315">/etc/hosts</a></dt><dt>machine trust accounts, <a href="#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt>creating, <a href="#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt></dl></dd><dt>make, <a href="#id2942063">Building the Binaries</a></dt><dt>mangling method, <a href="#id2933992">Japanese charsets</a></dt><dt>map to guest, <a href="#id2899189">Parameters in the [print$] Section</a>, <a href="#id2903177">Adding new Printers with the Windows NT APW</a>, <a href="#id2919497">Can't reconnect to Samba under new account
from Win2K/XP</a>, <a href="#id2919582">Avoid being connected to the Samba server as the
"wrong" user</a></dt><dt>max print jobs, <a href="#id2894888">Parameters Recommended for Use</a></dt><dt>max xmit, <a href="#id2944641">Max xmit</a></dt><dt>messages.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>MIME, <a href="#id2907545">MIME types and CUPS Filters</a>, <a href="#id2907752">MIME type Conversion Rules</a>, <a href="#id2907903">Filter Requirements</a>, <a href="#id2909312">"application/octet-stream" printing</a></dt><dt>min print space, <a href="#id2894888">Parameters Recommended for Use</a></dt><dt>msdfs root, <a href="#id2894231">Features and Benefits</a></dt></dl></div><div class="indexdiv"><h3>N</h3><dl><dt>name resolve order, <a href="#id2875904">What is Browsing?</a></dt><dt>nbtstat, <a href="#id2932922">The NetBIOS Name Cache</a></dt><dt>NetBIOS, <a href="#id2875816">Features and Benefits</a>, <a href="#id2876469">TCP/IP - without NetBIOS</a>, <a href="#integrate-ms-networks">Integrating MS Windows networks with Samba</a>, <a href="#id2932655">Name resolution as used within MS Windows networking</a></dt><dt>NetBIOS-less, <a href="#id2876469">TCP/IP - without NetBIOS</a></dt><dt>nmblookup, <a href="#id2932922">The NetBIOS Name Cache</a></dt><dt>nt acl support, <a href="#id2887260">File and Directory Permissions Based Controls</a>, <a href="#id2888523">Viewing file ownership</a>, <a href="#id2888655">Viewing File or Directory Permissions</a>, <a href="#id2888889">Modifying file or directory permissions</a>, <a href="#id2944140">Windows 2000 Service Pack 2</a></dt><dt>ntdrivers.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>ntforms.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>NTFS, <a href="#id2886154">File System Access Controls</a></dt><dt>ntprinters.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd></dl></div><div 
class="indexdiv"><h3>O</h3><dl><dt>obey pam restrictions, <a href="#id2931283">smb.conf PAM Configuration</a></dt><dt>only user, <a href="#id2886837">User and Group Based Controls</a>, <a href="#id2892992">Why can users access home directories of other users?</a></dt><dt>oplock break wait time, <a href="#id2891044">Advanced Samba Opportunistic Locking Parameters</a>, <a href="#id2891378">Disabling Kernel OpLocks</a></dt><dt>oplock contention limit, <a href="#id2891044">Advanced Samba Opportunistic Locking Parameters</a></dt><dt>os level, <a href="#id2875904">What is Browsing?</a>, <a href="#DMB">Setting up WORKGROUP Browsing</a>, <a href="#id2877309">Setting up DOMAIN Browsing</a>, <a href="#browse-force-master">Forcing Samba to be the master</a>, <a href="#id2877716">Making Samba the domain master</a></dt><dt>os2 driver map, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2943660">Printer driver download for for OS/2 clients?</a></dt></dl></div><div class="indexdiv"><h3>P</h3><dl><dt>page_log, <a href="#id2917829">The page_log File Syntax</a></dt><dt>passdb backend, <a href="#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="#passdb">Account Information Databases</a>, <a href="#id2880590">Technical Information</a>, <a href="#id2881423">The pdbedit Command</a>, <a href="#id2882509">Configuring Samba</a>, <a href="#id2883816">Configuring</a>, <a href="#id2884582">Users can not logon</a>, <a href="#id2884738">auth methods does not work</a>, <a href="#id2935529">Passdb Backends and Authentication</a></dt><dt>password level, <a href="#id2868158">Password checking</a>, <a href="#id2938586">The tests</a>, <a href="#id2943941">Case handling of passwords</a>, <a href="#id2944879">Slow Logins</a></dt><dt>password server, <a href="#id2867877">Server Security (User Level Security)</a>, <a href="#id2870678">Security Mode and Master Browsers</a>, <a href="#id2873558">Joining an NT4 type Domain with Samba-3</a>, <a 
href="#id2938586">The tests</a></dt><dt>patch, <a href="#id2941395">Patches</a></dt><dt>path, <a href="#id2866630">"The network name cannot be found"</a>, <a href="#id2896767">The [printers] Section</a>, <a href="#id2897210">Any [my_printer_name] Section</a>, <a href="#id2897534">Print Commands</a>, <a href="#id2899004">Creating the [print$] Share</a>, <a href="#id2899189">Parameters in the [print$] Section</a>, <a href="#id2899475">Subdirectory Structure in [print$]</a>, <a href="#id2911043">Samba receiving Jobfiles and passing them to CUPS</a>, <a href="#id2918267">Auto-Deletion or Preservation of CUPS Spool Files</a>, <a href="#id2920175">Permissions on
/var/spool/samba/ get reset after each
reboot</a>, <a href="#id2938586">The tests</a></dt><dt>PCL, <a href="#gdipost">GDI on Windows -- PostScript on UNIX</a>, <a href="#id2906741">UNIX Printfile Conversion and GUI Basics</a>, <a href="#id2910701">Driver Execution on the Server</a>, <a href="#id2911125">Network PostScript RIP: CUPS Filters on Server -- clients use
PostScript Driver with CUPS-PPDs</a></dt><dt>PDF, <a href="#id2906600">Windows Drivers, GDI and EMF</a>, <a href="#id2907154">PostScript Printer Description (PPD) Specification</a></dt><dt>pdf, <a href="#id2907752">MIME type Conversion Rules</a></dt><dt>PDL, <a href="#gdipost">GDI on Windows -- PostScript on UNIX</a>, <a href="#post-and-ghost">PostScript and Ghostscript</a></dt><dt>PJL, <a href="#id2911125">Network PostScript RIP: CUPS Filters on Server -- clients use
PostScript Driver with CUPS-PPDs</a>, <a href="#id2912629">Benefits of using "CUPS PostScript Driver for
Windows NT/2k/XP" instead of Adobe Driver</a>, <a href="#id2917748">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt>point and print, <a href="#id2906051">Driver Installation Methods on Windows Clients</a>, <a href="#id2906306">Three familiar Methods for driver upload plus a new one</a>, <a href="#id2909039">cupsomatic/Foomatic -- how do they fit into the Picture?</a>, <a href="#id2912835">Run "cupsaddsmb" (quiet Mode)</a>, <a href="#id2913497">Installing the PostScript Driver on a Client</a>, <a href="#id2914542">Manual Driver Installation in 15 Steps</a></dt><dt>PostScript, <a href="#id2906432">Using CUPS/Samba in an advanced Way -- intelligent printing
with PostScript Driver Download</a>, <a href="#gdipost">GDI on Windows -- PostScript on UNIX</a>, <a href="#id2906741">UNIX Printfile Conversion and GUI Basics</a>, <a href="#post-and-ghost">PostScript and Ghostscript</a>, <a href="#id2908080">Prefilters</a>, <a href="#id2910701">Driver Execution on the Server</a>, <a href="#id2911125">Network PostScript RIP: CUPS Filters on Server -- clients use
PostScript Driver with CUPS-PPDs</a>, <a href="#id2911400">CUPS: a "Magical Stone"?</a>, <a href="#id2911845">CUPS Package of "PostScript Driver for WinNT/2k/XP"</a></dt><dd><dl><dt>(see also Ghostscript)</dt><dt>RIP, <a href="#post-and-ghost">PostScript and Ghostscript</a></dt></dl></dd><dt>PPD, <a href="#post-and-ghost">PostScript and Ghostscript</a>, <a href="#id2907154">PostScript Printer Description (PPD) Specification</a>, <a href="#id2909544">PostScript Printer Descriptions (PPDs) for non-PS Printers</a>, <a href="#id2911206">PPDs for non-PS Printers on UNIX</a>, <a href="#id2911255">PPDs for non-PS Printers on Windows</a>, <a href="#id2911400">CUPS: a "Magical Stone"?</a>, <a href="#id2913497">Installing the PostScript Driver on a Client</a></dt><dd><dl><dt>CUPS (see CUPS-PPD)</dt></dl></dd><dt>preferred master, <a href="#id2875904">What is Browsing?</a>, <a href="#DMB">Setting up WORKGROUP Browsing</a>, <a href="#browse-force-master">Forcing Samba to be the master</a>, <a href="#id2877716">Making Samba the domain master</a>, <a href="#id2938586">The tests</a></dt><dt>preserve case, <a href="#id2926538">Windows 9x / Me Profile Setup</a></dt><dt>print command, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2896282">The [global] Section</a>, <a href="#id2897592">Default Print Commands for various UNIX Print Subsystems</a>, <a href="#id2898261">Setting up your own Print Commands</a>, <a href="#id2905167">Linking of smbd with libcups.so</a>, <a href="#id2910833">From Windows Clients to a CUPS/Samba Print Server</a>, <a href="#id2918407">Pre-conditions</a>, <a href="#id2918564">Manual Configuration</a></dt><dt>print ok, <a href="#id2894888">Parameters Recommended for Use</a></dt><dt>printable, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2896767">The [printers] Section</a>, <a href="#id2897210">Any [my_printer_name] Section</a></dt><dt>printcap, <a href="#id2894888">Parameters Recommended for Use</a>, <a 
href="#id2897592">Default Print Commands for various UNIX Print Subsystems</a>, <a href="#id2905074">Basic Configuration of CUPS support</a>, <a href="#id2905167">Linking of smbd with libcups.so</a>, <a href="#id2905584">More complex smb.conf Settings for
CUPS</a>, <a href="#id2910833">From Windows Clients to a CUPS/Samba Print Server</a>, <a href="#id2918407">Pre-conditions</a></dt><dt>printcap name, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2896282">The [global] Section</a></dt><dt>printer, <a href="#id2894888">Parameters Recommended for Use</a></dt><dt>printer admin, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2896282">The [global] Section</a>, <a href="#id2897210">Any [my_printer_name] Section</a>, <a href="#id2899189">Parameters in the [print$] Section</a>, <a href="#id2899736">Setting Drivers for existing Printers with a Client GUI</a>, <a href="#id2901839">IMPORTANT! Setting Device Modes on new Printers</a>, <a href="#id2902231">Always make first Client Connection as root or "printer admin"</a>, <a href="#id2902431">Setting Default Print Options for the Client Drivers</a>, <a href="#id2903177">Adding new Printers with the Windows NT APW</a>, <a href="#id2905584">More complex smb.conf Settings for
CUPS</a>, <a href="#id2914333">What is required for adddriver and setdriver to succeed</a>, <a href="#id2919794">Print options for all users can't be set on Win2K/XP</a></dt><dt>printer name, <a href="#id2894888">Parameters Recommended for Use</a></dt><dt>printing, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2896282">The [global] Section</a>, <a href="#id2897592">Default Print Commands for various UNIX Print Subsystems</a>, <a href="#id2898261">Setting up your own Print Commands</a>, <a href="#id2905074">Basic Configuration of CUPS support</a>, <a href="#id2905167">Linking of smbd with libcups.so</a>, <a href="#id2905584">More complex smb.conf Settings for
CUPS</a>, <a href="#id2910833">From Windows Clients to a CUPS/Samba Print Server</a>, <a href="#id2918407">Pre-conditions</a>, <a href="#id2918564">Manual Configuration</a></dt><dt>printing.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>PrintPro (see ESP Print Pro)</dt><dt>public, <a href="#id2896767">The [printers] Section</a></dt></dl></div><div class="indexdiv"><h3>Q</h3><dl><dt>queue resume command, <a href="#id2905167">Linking of smbd with libcups.so</a></dt><dt>queuepause command, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2905167">Linking of smbd with libcups.so</a></dt><dt>queueresume command, <a href="#id2894888">Parameters Recommended for Use</a></dt></dl></div><div class="indexdiv"><h3>R</h3><dl><dt>read list, <a href="#id2886837">User and Group Based Controls</a></dt><dt>read only, <a href="#id2887639">Miscellaneous Controls</a>, <a href="#id2896767">The [printers] Section</a>, <a href="#id2899189">Parameters in the [print$] Section</a></dt><dt>read raw, <a href="#id2944732">Read raw</a></dt><dt>read size, <a href="#id2944592">Read size</a></dt><dt>remote announce, <a href="#id2876233">NetBIOS over TCP/IP</a>, <a href="#id2876781">How Browsing Functions</a>, <a href="#id2877946">Use of the Remote Announce parameter</a>, <a href="#id2879046">Browsing support in Samba</a></dt><dt>remote browse sync, <a href="#id2876233">NetBIOS over TCP/IP</a>, <a href="#id2876781">How Browsing Functions</a>, <a href="#id2878104">Use of the Remote Browse Sync parameter</a></dt><dt>root preexec, <a href="#id2936350">Logon Scripts</a></dt><dt>rpcclient</dt><dd><dl><dt>adddriver, <a href="#id2912958">Run "cupsaddsmb" with verbose Output</a>, <a href="#id2913117">Understanding cupsaddsmb</a>, <a href="#id2913780">Installing PostScript Driver Files manually (using
rpcclient)</a>, <a href="#id2914086">Understanding the rpcclient man page</a>, <a href="#id2914333">What is required for adddriver and setdriver to succeed</a>, <a href="#id2914542">Manual Driver Installation in 15 Steps</a></dt><dt>enumdrivers, <a href="#id2913780">Installing PostScript Driver Files manually (using
rpcclient)</a>, <a href="#id2914542">Manual Driver Installation in 15 Steps</a></dt><dt>enumports, <a href="#id2913780">Installing PostScript Driver Files manually (using
rpcclient)</a></dt><dt>enumprinters, <a href="#id2913780">Installing PostScript Driver Files manually (using
rpcclient)</a>, <a href="#id2914333">What is required for adddriver and setdriver to succeed</a>, <a href="#id2914542">Manual Driver Installation in 15 Steps</a>, <a href="#id2915566">Troubleshooting revisited</a></dt><dt>getdriver, <a href="#id2914186">Producing an Example by querying a Windows Box</a>, <a href="#id2914542">Manual Driver Installation in 15 Steps</a></dt><dt>getprinter, <a href="#id2914186">Producing an Example by querying a Windows Box</a>, <a href="#id2914542">Manual Driver Installation in 15 Steps</a>, <a href="#id2915566">Troubleshooting revisited</a></dt><dt>setdriver, <a href="#id2912362">Caveats to be considered</a>, <a href="#id2912958">Run "cupsaddsmb" with verbose Output</a>, <a href="#id2913117">Understanding cupsaddsmb</a>, <a href="#id2913780">Installing PostScript Driver Files manually (using
rpcclient)</a>, <a href="#id2914333">What is required for adddriver and setdriver to succeed</a>, <a href="#id2914542">Manual Driver Installation in 15 Steps</a></dt></dl></dd><dt>rsync, <a href="#id2941849">Accessing the samba sources via rsync and ftp</a></dt></dl></div><div class="indexdiv"><h3>S</h3><dl><dt>secrets.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>security, <a href="#id2867124">Samba Security Modes</a>, <a href="#id2867518">Domain Security Mode (User Level Security)</a>, <a href="#id2867877">Server Security (User Level Security)</a>, <a href="#id2868387">What makes Samba a SERVER?</a>, <a href="#id2868427">What makes Samba a Domain Controller?</a>, <a href="#id2868463">What makes Samba a Domain Member?</a>, <a href="#id2868503">Constantly Losing Connections to Password Server</a>, <a href="#id2869309">Preparing for Domain Control</a>, <a href="#id2870678">Security Mode and Master Browsers</a>, <a href="#id2873558">Joining an NT4 type Domain with Samba-3</a>, <a href="#id2873995">Why is this better than security = server?</a>, <a href="#id2874178">Setup your smb.conf</a>, <a href="#id2912835">Run "cupsaddsmb" (quiet Mode)</a>, <a href="#id2919061">"cupsaddsmb" keeps asking for root password in
neverending loop</a>, <a href="#id2935529">Passdb Backends and Authentication</a>, <a href="#id2938586">The tests</a>, <a href="#id2943888">Configuring WfW password handling</a></dt><dt>security mask, <a href="#id2887260">File and Directory Permissions Based Controls</a>, <a href="#id2889049">Interaction with the standard Samba create mask
parameters</a></dt><dt>Server Manager, <a href="#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="#id2872769">Manual Creation of Machine Trust Accounts</a></dt><dt>sessionid.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>share_info.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>short preserve case, <a href="#id2887639">Miscellaneous Controls</a>, <a href="#id2926538">Windows 9x / Me Profile Setup</a></dt><dt>Short-Cuts, <a href="#id2886190">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>show add printer wizard, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2896282">The [global] Section</a>, <a href="#id2903177">Adding new Printers with the Windows NT APW</a></dt><dt>SID, <a href="#id2884967">Features and Benefits</a></dt><dt>Single Sign On, <a href="#id2912362">Caveats to be considered</a></dt><dt>smbclient, <a href="#ads-test-smbclient">Testing with smbclient</a>, <a href="#id2938586">The tests</a></dt><dt>socket options, <a href="#id2944501">Socket options</a></dt><dt>spooling</dt><dd><dl><dt>central, <a href="#id2905949">Central spooling vs. "Peer-to-Peer" printing</a></dt><dt>peer-to-peer, <a href="#id2905949">Central spooling vs. "Peer-to-Peer" printing</a></dt></dl></dd><dt>spooling-only, <a href="#id2905999">CUPS/Samba as a "spooling-only" Print Server; "raw" printing
with Vendor Drivers on Windows Clients</a></dt><dt>strict locking, <a href="#id2890336">Discussion</a></dt></dl></div><div class="indexdiv"><h3>T</h3><dl><dt>TDB, <a href="#id2915718">The printing *.tdb Files</a>, <a href="#id2915962">Trivial DataBase Files</a></dt><dd><dl><dt>backing up (see tdbbackup)</dt></dl></dd><dt>tdbbackup, <a href="#id2916162">Using tdbbackup</a></dt><dt>template homedir, <a href="#id2923568">Linux/FreeBSD-specific PAM configuration</a></dt><dt>testparm, <a href="#id2938586">The tests</a></dt><dt>text/plain, <a href="#id2907752">MIME type Conversion Rules</a></dt><dt>total print jobs, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2896282">The [global] Section</a></dt></dl></div><div class="indexdiv"><h3>U</h3><dl><dt>UDP, <a href="#id2876233">NetBIOS over TCP/IP</a></dt><dt>UID, <a href="#id2884967">Features and Benefits</a></dt><dt>unexpected.tdb, <a href="#id2915718">The printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>unix charset, <a href="#id2933835">Samba and charsets</a>, <a href="#id2933992">Japanese charsets</a></dt><dt>use client driver, <a href="#id2894888">Parameters Recommended for Use</a>, <a href="#id2896282">The [global] Section</a></dt><dt>user, <a href="#id2867382">Share Level Security</a>, <a href="#id2938586">The tests</a></dt><dt>User Manager, <a href="#samba-trusted-domain">Samba as the Trusted Domain</a>, <a href="#id2893918">Samba as the Trusting Domain</a></dt><dt>useradd, <a href="#id2872769">Manual Creation of Machine Trust Accounts</a></dt><dt>username, <a href="#id2886837">User and Group Based Controls</a></dt><dt>username level, <a href="#id2868158">Password checking</a></dt><dt>username map, <a href="#id2873360">Windows 200x XP Professional</a></dt></dl></div><div class="indexdiv"><h3>V</h3><dl><dt>valid users, <a href="#id2886837">User and Group Based Controls</a>, <a href="#id2938586">The tests</a></dt><dt>veto files, <a href="#id2887639">Miscellaneous 
Controls</a></dt><dt>vfs objects, <a href="#id2920556">Discussion</a></dt><dt>vipw, <a href="#id2872769">Manual Creation of Machine Trust Accounts</a></dt></dl></div><div class="indexdiv"><h3>W</h3><dl><dt>winbind separator, <a href="#id2922889">Start up the winbindd daemon and test it!</a></dt><dt>WINS, <a href="#id2875904">What is Browsing?</a>, <a href="#id2876233">NetBIOS over TCP/IP</a>, <a href="#id2933298">WINS Lookup</a></dt><dt>wins hook, <a href="#id2875904">What is Browsing?</a></dt><dt>wins proxy, <a href="#id2875904">What is Browsing?</a></dt><dt>wins server, <a href="#id2875904">What is Browsing?</a>, <a href="#id2878182">WINS - The Windows Internetworking Name Server</a>, <a href="#id2878371">Setting up a WINS server</a></dt><dt>wins support, <a href="#id2875904">What is Browsing?</a>, <a href="#id2878182">WINS - The Windows Internetworking Name Server</a>, <a href="#id2878371">Setting up a WINS server</a></dt><dt>workgroup, <a href="#id2870678">Security Mode and Master Browsers</a>, <a href="#id2873558">Joining an NT4 type Domain with Samba-3</a>, <a href="#id2879046">Browsing support in Samba</a></dt><dt>write list, <a href="#id2886837">User and Group Based Controls</a>, <a href="#id2899189">Parameters in the [print$] Section</a></dt><dt>write raw, <a href="#id2944816">Write raw</a></dt><dt>writeable, <a href="#id2896767">The [printers] Section</a>, <a href="#id2897210">Any [my_printer_name] Section</a></dt><dt>WYSIWYG, <a href="#id2906600">Windows Drivers, GDI and EMF</a></dt></dl></div><div class="indexdiv"><h3>X</h3><dl><dt>X Window System, <a href="#id2906741">UNIX Printfile Conversion and GUI Basics</a></dt><dt>xinetd, <a href="#id2942516">Starting from inetd.conf</a> (see inetd)</dt><dt>Xprint, <a href="#id2906741">UNIX Printfile Conversion and GUI Basics</a></dt></dl></div></div></div></div></body></html>