author Jeremy Allison <jra@samba.org> 2001-10-11 20:00:58 +0000
committer Jeremy Allison <jra@samba.org> 2001-10-11 20:00:58 +0000
commit 61b015fdeb4228bbcdf0fb65c0c93e67f5b80d4c
tree 4142084a56bce4b6d9a4ff910a91ed36b2fbc972 /docs
parent 6fcdd2590d555d24bdb6bd2e30dfdd5e45666a34
More docs sync.
Jeremy.
Diffstat (limited to 'docs')
-rw-r--r-- docs/htmldocs/Integrating-with-Windows.html 4
-rw-r--r-- docs/htmldocs/Samba-HOWTO-Collection.html 1621
-rw-r--r-- docs/htmldocs/Samba-PDC-HOWTO.html 60
-rw-r--r-- docs/htmldocs/UNIX_INSTALL.html 33
-rw-r--r-- docs/htmldocs/nmbd.8.html 32
-rw-r--r-- docs/htmldocs/printer_driver2.html 2
-rw-r--r-- docs/htmldocs/smb.conf.5.html 1387
-rw-r--r-- docs/htmldocs/smbclient.1.html 23
-rw-r--r-- docs/htmldocs/smbcontrol.1.html 14
-rw-r--r-- docs/htmldocs/smbd.8.html 17
-rw-r--r-- docs/htmldocs/smbmnt.8.html 16
-rw-r--r-- docs/htmldocs/smbmount.8.html 54
-rw-r--r-- docs/htmldocs/smbpasswd.8.html 2
-rw-r--r-- docs/htmldocs/wbinfo.1.html 7
-rw-r--r-- docs/htmldocs/winbind.html 758
-rw-r--r-- docs/htmldocs/winbindd.8.html 79
-rw-r--r-- docs/manpages/nmbd.8 17
-rw-r--r-- docs/manpages/smb.conf.5 590
-rw-r--r-- docs/manpages/smbclient.1 7
-rw-r--r-- docs/manpages/smbcontrol.1 7
-rw-r--r-- docs/manpages/smbd.8 10
-rw-r--r-- docs/manpages/smbmnt.8 14
-rw-r--r-- docs/manpages/smbmount.8 43
-rw-r--r-- docs/manpages/smbpasswd.8 4
-rw-r--r-- docs/manpages/smbumount.8 2
-rw-r--r-- docs/manpages/wbinfo.1 9
-rw-r--r-- docs/manpages/winbindd.8 33
27 files changed, 3658 insertions, 1187 deletions
diff --git a/docs/htmldocs/Integrating-with-Windows.html b/docs/htmldocs/Integrating-with-Windows.html
index fbfad867bab..7c5fe316272 100644
--- a/docs/htmldocs/Integrating-with-Windows.html
+++ b/docs/htmldocs/Integrating-with-Windows.html
@@ -1001,7 +1001,7 @@ the procedure for creating an account.</P
><P
><PRE
CLASS="PROGRAMLISTING"
-> # useradd -s /bin/bash -d /home/"userid" -m
+> # useradd -s /bin/bash -d /home/"userid" -m "userid"
# passwd "userid"
Enter Password: &lt;pw&gt;
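Review bot: the corrected `useradd -s /bin/bash -d /home/"userid" -m "userid"` line exists in more than one place, since the identical one-line fix appears again later in this patch for Samba-HOWTO-Collection.html. Both copies should come from a single source file rather than being patched separately. If these HTML files are generated, confirm the source carries the trailing "userid" as well, or the next regeneration will drop it again.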
@@ -1023,7 +1023,7 @@ controller. Refer to the Samba-PDC-HOWTO for more details.</P
><P
><PRE
CLASS="PROGRAMLISTING"
-> # useradd -a /bin/false -d /dev/null "machine_name"\$
+> # useradd -s /bin/false -d /dev/null "machine_name"\$
# passwd -l "machine_name"\$
# smbpasswd -a -m "machine_name"</PRE
></P
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html
index d93a4543d47..c4e4b2c74b5 100644
--- a/docs/htmldocs/Samba-HOWTO-Collection.html
+++ b/docs/htmldocs/Samba-HOWTO-Collection.html
@@ -34,10 +34,14 @@ NAME="AEN4"
><HR></DIV
><HR><H1
><A
-NAME="AEN9"
+NAME="AEN8"
>Abstract</A
></H1
><P
+><EM
+>Last Update</EM
+> : Tue Jul 31 15:58:03 CDT 2001</P
+><P
>This book is a collection of HOWTOs added to Samba documentation over the years.
I try to ensure that all are current, but sometimes the is a larger job
than one person can maintain. The most recent version of this document
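Review bot: the added "Last Update : Tue Jul 31 15:58:03 CDT 2001" stamp is already more than two months older than this commit (2001-10-11), so a reader will take it as the age of content that has in fact changed since. Generate the stamp at build time or drop it. The unchanged sentence just below still reads "sometimes the is a larger job", which is worth fixing while this paragraph is being touched.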
@@ -69,27 +73,27 @@ HREF="#INSTALL"
><DL
><DT
>1.1. <A
-HREF="#AEN17"
+HREF="#AEN18"
>Step 0: Read the man pages</A
></DT
><DT
>1.2. <A
-HREF="#AEN25"
+HREF="#AEN26"
>Step 1: Building the Binaries</A
></DT
><DT
>1.3. <A
-HREF="#AEN53"
+HREF="#AEN54"
>Step 2: The all important step</A
></DT
><DT
>1.4. <A
-HREF="#AEN57"
+HREF="#AEN58"
>Step 3: Create the smb configuration file.</A
></DT
><DT
>1.5. <A
-HREF="#AEN71"
+HREF="#AEN72"
>Step 4: Test your config file with
<B
CLASS="COMMAND"
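Review bot: every HREF="#AENnn" target in this table of contents is renumbered (AEN17 becomes AEN18, AEN25 becomes AEN26, and later sections shift in the other direction, AEN995 to AEN988), so any bookmark or external link to one of these fragments now points at the wrong section or at nothing. The positional ids are also what turns a small text change into hundreds of changed lines that hide the real edits. Give the sections explicit names, as the chapters already have (#INSTALL, #MSDFS, #WINBIND), so the anchors stay stable across regenerations.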
@@ -98,80 +102,80 @@ CLASS="COMMAND"
></DT
><DT
>1.6. <A
-HREF="#AEN77"
+HREF="#AEN78"
>Step 5: Starting the smbd and nmbd</A
></DT
><DD
><DL
><DT
>1.6.1. <A
-HREF="#AEN87"
+HREF="#AEN88"
>Step 5a: Starting from inetd.conf</A
></DT
><DT
>1.6.2. <A
-HREF="#AEN116"
+HREF="#AEN117"
>Step 5b. Alternative: starting it as a daemon</A
></DT
></DL
></DD
><DT
>1.7. <A
-HREF="#AEN132"
+HREF="#AEN133"
>Step 6: Try listing the shares available on your
server</A
></DT
><DT
>1.8. <A
-HREF="#AEN141"
+HREF="#AEN142"
>Step 7: Try connecting with the unix client</A
></DT
><DT
>1.9. <A
-HREF="#AEN157"
+HREF="#AEN158"
>Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</A
></DT
><DT
>1.10. <A
-HREF="#AEN171"
+HREF="#AEN172"
>What If Things Don't Work?</A
></DT
><DD
><DL
><DT
>1.10.1. <A
-HREF="#AEN176"
+HREF="#AEN177"
>Diagnosing Problems</A
></DT
><DT
>1.10.2. <A
-HREF="#AEN180"
+HREF="#AEN181"
>Scope IDs</A
></DT
><DT
>1.10.3. <A
-HREF="#AEN183"
+HREF="#AEN184"
>Choosing the Protocol Level</A
></DT
><DT
>1.10.4. <A
-HREF="#AEN192"
+HREF="#AEN193"
>Printing from UNIX to a Client PC</A
></DT
><DT
>1.10.5. <A
-HREF="#AEN196"
+HREF="#AEN197"
>Locking</A
></DT
><DT
>1.10.6. <A
-HREF="#AEN206"
+HREF="#AEN207"
>Mapping Usernames</A
></DT
><DT
>1.10.7. <A
-HREF="#AEN209"
+HREF="#AEN210"
>Other Character Sets</A
></DT
></DL
@@ -187,19 +191,19 @@ HREF="#INTEGRATE-MS-NETWORKS"
><DL
><DT
>2.1. <A
-HREF="#AEN223"
+HREF="#AEN224"
>Agenda</A
></DT
><DT
>2.2. <A
-HREF="#AEN245"
+HREF="#AEN246"
>Name Resolution in a pure Unix/Linux world</A
></DT
><DD
><DL
><DT
>2.2.1. <A
-HREF="#AEN261"
+HREF="#AEN262"
><TT
CLASS="FILENAME"
>/etc/hosts</TT
@@ -207,7 +211,7 @@ CLASS="FILENAME"
></DT
><DT
>2.2.2. <A
-HREF="#AEN277"
+HREF="#AEN278"
><TT
CLASS="FILENAME"
>/etc/resolv.conf</TT
@@ -215,7 +219,7 @@ CLASS="FILENAME"
></DT
><DT
>2.2.3. <A
-HREF="#AEN288"
+HREF="#AEN289"
><TT
CLASS="FILENAME"
>/etc/host.conf</TT
@@ -223,7 +227,7 @@ CLASS="FILENAME"
></DT
><DT
>2.2.4. <A
-HREF="#AEN296"
+HREF="#AEN297"
><TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
@@ -233,47 +237,47 @@ CLASS="FILENAME"
></DD
><DT
>2.3. <A
-HREF="#AEN308"
+HREF="#AEN309"
>Name resolution as used within MS Windows networking</A
></DT
><DD
><DL
><DT
>2.3.1. <A
-HREF="#AEN320"
+HREF="#AEN321"
>The NetBIOS Name Cache</A
></DT
><DT
>2.3.2. <A
-HREF="#AEN325"
+HREF="#AEN326"
>The LMHOSTS file</A
></DT
><DT
>2.3.3. <A
-HREF="#AEN333"
+HREF="#AEN334"
>HOSTS file</A
></DT
><DT
>2.3.4. <A
-HREF="#AEN338"
+HREF="#AEN339"
>DNS Lookup</A
></DT
><DT
>2.3.5. <A
-HREF="#AEN341"
+HREF="#AEN342"
>WINS Lookup</A
></DT
></DL
></DD
><DT
>2.4. <A
-HREF="#AEN353"
+HREF="#AEN354"
>How browsing functions and how to deploy stable and
dependable browsing using Samba</A
></DT
><DT
>2.5. <A
-HREF="#AEN363"
+HREF="#AEN364"
>MS Windows security options and how to configure
Samba for seemless integration</A
></DT
@@ -281,29 +285,29 @@ Samba for seemless integration</A
><DL
><DT
>2.5.1. <A
-HREF="#AEN391"
+HREF="#AEN392"
>Use MS Windows NT as an authentication server</A
></DT
><DT
>2.5.2. <A
-HREF="#AEN399"
+HREF="#AEN400"
>Make Samba a member of an MS Windows NT security domain</A
></DT
><DT
>2.5.3. <A
-HREF="#AEN416"
+HREF="#AEN417"
>Configure Samba as an authentication server</A
></DT
><DD
><DL
><DT
>2.5.3.1. <A
-HREF="#AEN423"
+HREF="#AEN424"
>Users</A
></DT
><DT
>2.5.3.2. <A
-HREF="#AEN428"
+HREF="#AEN429"
>MS Windows NT Machine Accounts</A
></DT
></DL
@@ -312,7 +316,7 @@ HREF="#AEN428"
></DD
><DT
>2.6. <A
-HREF="#AEN433"
+HREF="#AEN434"
>Conclusions</A
></DT
></DL
@@ -327,17 +331,17 @@ managed authentication</A
><DL
><DT
>3.1. <A
-HREF="#AEN454"
+HREF="#AEN455"
>Samba and PAM</A
></DT
><DT
>3.2. <A
-HREF="#AEN496"
+HREF="#AEN497"
>Distributed Authentication</A
></DT
><DT
>3.3. <A
-HREF="#AEN503"
+HREF="#AEN504"
>PAM Configuration in smb.conf</A
></DT
></DL
@@ -351,14 +355,14 @@ HREF="#MSDFS"
><DL
><DT
>4.1. <A
-HREF="#AEN523"
+HREF="#AEN524"
>Instructions</A
></DT
><DD
><DL
><DT
>4.1.1. <A
-HREF="#AEN558"
+HREF="#AEN559"
>Notes</A
></DT
></DL
@@ -374,53 +378,53 @@ HREF="#UNIX-PERMISSIONS"
><DL
><DT
>5.1. <A
-HREF="#AEN578"
+HREF="#AEN579"
>Viewing and changing UNIX permissions using the NT
security dialogs</A
></DT
><DT
>5.2. <A
-HREF="#AEN587"
+HREF="#AEN588"
>How to view file security on a Samba share</A
></DT
><DT
>5.3. <A
-HREF="#AEN598"
+HREF="#AEN599"
>Viewing file ownership</A
></DT
><DT
>5.4. <A
-HREF="#AEN618"
+HREF="#AEN619"
>Viewing file or directory permissions</A
></DT
><DD
><DL
><DT
>5.4.1. <A
-HREF="#AEN633"
+HREF="#AEN634"
>File Permissions</A
></DT
><DT
>5.4.2. <A
-HREF="#AEN647"
+HREF="#AEN648"
>Directory Permissions</A
></DT
></DL
></DD
><DT
>5.5. <A
-HREF="#AEN654"
+HREF="#AEN655"
>Modifying file or directory permissions</A
></DT
><DT
>5.6. <A
-HREF="#AEN676"
+HREF="#AEN677"
>Interaction with the standard Samba create mask
parameters</A
></DT
><DT
>5.7. <A
-HREF="#AEN740"
+HREF="#AEN741"
>Interaction with the standard Samba file attribute
mapping</A
></DT
@@ -435,75 +439,75 @@ HREF="#PRINTING"
><DL
><DT
>6.1. <A
-HREF="#AEN761"
+HREF="#AEN762"
>Introduction</A
></DT
><DT
>6.2. <A
-HREF="#AEN783"
+HREF="#AEN784"
>Configuration</A
></DT
><DD
><DL
><DT
>6.2.1. <A
-HREF="#AEN794"
+HREF="#AEN795"
>Creating [print$]</A
></DT
><DT
>6.2.2. <A
-HREF="#AEN829"
+HREF="#AEN830"
>Setting Drivers for Existing Printers</A
></DT
><DT
>6.2.3. <A
-HREF="#AEN846"
+HREF="#AEN847"
>Support a large number of printers</A
></DT
><DT
>6.2.4. <A
-HREF="#AEN857"
+HREF="#AEN858"
>Adding New Printers via the Windows NT APW</A
></DT
><DT
>6.2.5. <A
-HREF="#AEN882"
+HREF="#AEN883"
>Samba and Printer Ports</A
></DT
></DL
></DD
><DT
>6.3. <A
-HREF="#AEN890"
+HREF="#AEN891"
>The Imprints Toolset</A
></DT
><DD
><DL
><DT
>6.3.1. <A
-HREF="#AEN894"
+HREF="#AEN895"
>What is Imprints?</A
></DT
><DT
>6.3.2. <A
-HREF="#AEN904"
+HREF="#AEN905"
>Creating Printer Driver Packages</A
></DT
><DT
>6.3.3. <A
-HREF="#AEN907"
+HREF="#AEN908"
>The Imprints server</A
></DT
><DT
>6.3.4. <A
-HREF="#AEN911"
+HREF="#AEN912"
>The Installation Client</A
></DT
></DL
></DD
><DT
>6.4. <A
-HREF="#AEN933"
+HREF="#AEN934"
><A
NAME="MIGRATION"
></A
@@ -520,17 +524,17 @@ HREF="#DOMAIN-SECURITY"
><DL
><DT
>7.1. <A
-HREF="#AEN995"
+HREF="#AEN988"
>Joining an NT Domain with Samba 2.2</A
></DT
><DT
>7.2. <A
-HREF="#AEN1059"
+HREF="#AEN1052"
>Samba and Windows 2000 Domains</A
></DT
><DT
>7.3. <A
-HREF="#AEN1064"
+HREF="#AEN1057"
>Why is this better than security = server?</A
></DT
></DL
@@ -544,22 +548,22 @@ HREF="#SAMBA-PDC"
><DL
><DT
>8.1. <A
-HREF="#AEN1097"
+HREF="#AEN1090"
>Prerequisite Reading</A
></DT
><DT
>8.2. <A
-HREF="#AEN1103"
+HREF="#AEN1096"
>Background</A
></DT
><DT
>8.3. <A
-HREF="#AEN1145"
+HREF="#AEN1138"
>Configuring the Samba Domain Controller</A
></DT
><DT
>8.4. <A
-HREF="#AEN1188"
+HREF="#AEN1180"
>Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></DT
@@ -567,83 +571,83 @@ to the Domain</A
><DL
><DT
>8.4.1. <A
-HREF="#AEN1202"
+HREF="#AEN1194"
>Manually creating machine trust accounts</A
></DT
><DT
>8.4.2. <A
-HREF="#AEN1230"
+HREF="#AEN1225"
>Creating machine trust accounts "on the fly"</A
></DT
></DL
></DD
><DT
>8.5. <A
-HREF="#AEN1241"
+HREF="#AEN1236"
>Common Problems and Errors</A
></DT
><DT
>8.6. <A
-HREF="#AEN1289"
+HREF="#AEN1284"
>System Policies and Profiles</A
></DT
><DT
>8.7. <A
-HREF="#AEN1333"
+HREF="#AEN1328"
>What other help can I get ?</A
></DT
><DT
>8.8. <A
-HREF="#AEN1447"
+HREF="#AEN1442"
>Domain Control for Windows 9x/ME</A
></DT
><DD
><DL
><DT
>8.8.1. <A
-HREF="#AEN1477"
+HREF="#AEN1472"
>Configuration Instructions: Network Logons</A
></DT
><DT
>8.8.2. <A
-HREF="#AEN1511"
+HREF="#AEN1506"
>Configuration Instructions: Setting up Roaming User Profiles</A
></DT
><DD
><DL
><DT
>8.8.2.1. <A
-HREF="#AEN1519"
+HREF="#AEN1514"
>Windows NT Configuration</A
></DT
><DT
>8.8.2.2. <A
-HREF="#AEN1527"
+HREF="#AEN1522"
>Windows 9X Configuration</A
></DT
><DT
>8.8.2.3. <A
-HREF="#AEN1535"
+HREF="#AEN1530"
>Win9X and WinNT Configuration</A
></DT
><DT
>8.8.2.4. <A
-HREF="#AEN1542"
+HREF="#AEN1537"
>Windows 9X Profile Setup</A
></DT
><DT
>8.8.2.5. <A
-HREF="#AEN1578"
+HREF="#AEN1573"
>Windows NT Workstation 4.0</A
></DT
><DT
>8.8.2.6. <A
-HREF="#AEN1591"
+HREF="#AEN1586"
>Windows NT Server</A
></DT
><DT
>8.8.2.7. <A
-HREF="#AEN1594"
+HREF="#AEN1589"
>Sharing Profiles between W95 and NT Workstation 4.0</A
></DT
></DL
@@ -652,7 +656,7 @@ HREF="#AEN1594"
></DD
><DT
>8.9. <A
-HREF="#AEN1604"
+HREF="#AEN1599"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></DT
></DL
@@ -666,75 +670,133 @@ HREF="#WINBIND"
><DL
><DT
>9.1. <A
-HREF="#AEN1647"
+HREF="#AEN1642"
>Abstract</A
></DT
><DT
>9.2. <A
-HREF="#AEN1651"
+HREF="#AEN1646"
>Introduction</A
></DT
><DT
>9.3. <A
-HREF="#AEN1664"
+HREF="#AEN1659"
>What Winbind Provides</A
></DT
><DD
><DL
><DT
>9.3.1. <A
-HREF="#AEN1671"
+HREF="#AEN1666"
>Target Uses</A
></DT
></DL
></DD
><DT
>9.4. <A
-HREF="#AEN1675"
+HREF="#AEN1670"
>How Winbind Works</A
></DT
><DD
><DL
><DT
>9.4.1. <A
-HREF="#AEN1680"
+HREF="#AEN1675"
>Microsoft Remote Procedure Calls</A
></DT
><DT
>9.4.2. <A
-HREF="#AEN1684"
+HREF="#AEN1679"
>Name Service Switch</A
></DT
><DT
>9.4.3. <A
-HREF="#AEN1700"
+HREF="#AEN1695"
>Pluggable Authentication Modules</A
></DT
><DT
>9.4.4. <A
-HREF="#AEN1708"
+HREF="#AEN1703"
>User and Group ID Allocation</A
></DT
><DT
>9.4.5. <A
-HREF="#AEN1712"
+HREF="#AEN1707"
>Result Caching</A
></DT
></DL
></DD
><DT
>9.5. <A
-HREF="#AEN1715"
+HREF="#AEN1710"
>Installation and Configuration</A
></DT
+><DD
+><DL
+><DT
+>9.5.1. <A
+HREF="#AEN1715"
+>Introduction</A
+></DT
+><DT
+>9.5.2. <A
+HREF="#AEN1728"
+>Requirements</A
+></DT
+><DT
+>9.5.3. <A
+HREF="#AEN1736"
+>Testing Things Out</A
+></DT
+><DD
+><DL
+><DT
+>9.5.3.1. <A
+HREF="#AEN1745"
+>Configure and compile SAMBA</A
+></DT
+><DT
+>9.5.3.2. <A
+HREF="#AEN1757"
+>Configure nsswitch.conf and the winbind libraries</A
+></DT
+><DT
+>9.5.3.3. <A
+HREF="#AEN1776"
+>Configure smb.conf</A
+></DT
+><DT
+>9.5.3.4. <A
+HREF="#AEN1785"
+>Join the SAMBA server to the PDC domain</A
+></DT
+><DT
+>9.5.3.5. <A
+HREF="#AEN1795"
+>Start up the winbindd daemon and test it!</A
+></DT
+><DT
+>9.5.3.6. <A
+HREF="#AEN1822"
+>Fix the /etc/rc.d/init.d/smb startup files</A
+></DT
+><DT
+>9.5.3.7. <A
+HREF="#AEN1839"
+>Configure Winbind and PAM</A
+></DT
+></DL
+></DD
+></DL
+></DD
><DT
>9.6. <A
-HREF="#AEN1721"
+HREF="#AEN1880"
>Limitations</A
></DT
><DT
>9.7. <A
-HREF="#AEN1733"
+HREF="#AEN1890"
>Conclusion</A
></DT
></DL
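Review bot: the new entry 9.5.3.6, "Fix the /etc/rc.d/init.d/smb startup files", puts one particular init-script path into a section title, which will not match systems that keep their startup scripts elsewhere. A path-neutral title such as "Fix the smb startup files", with the path given in the body as an example, would hold up better. The new 9.5.1 "Introduction" also duplicates the title of 9.2 within the same chapter, which makes the two hard to tell apart in this list.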
@@ -748,32 +810,32 @@ HREF="#OS2"
><DL
><DT
>10.1. <A
-HREF="#AEN1747"
+HREF="#AEN1904"
>FAQs</A
></DT
><DD
><DL
><DT
>10.1.1. <A
-HREF="#AEN1749"
+HREF="#AEN1906"
>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></DT
><DT
>10.1.2. <A
-HREF="#AEN1764"
+HREF="#AEN1921"
>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></DT
><DT
>10.1.3. <A
-HREF="#AEN1773"
+HREF="#AEN1930"
>Are there any other issues when OS/2 (any version)
is used as a client?</A
></DT
><DT
>10.1.4. <A
-HREF="#AEN1777"
+HREF="#AEN1934"
>How do I get printer driver download working
for OS/2 clients?</A
></DT
@@ -790,24 +852,24 @@ HREF="#CVS-ACCESS"
><DL
><DT
>11.1. <A
-HREF="#AEN1793"
+HREF="#AEN1950"
>Introduction</A
></DT
><DT
>11.2. <A
-HREF="#AEN1798"
+HREF="#AEN1955"
>CVS Access to samba.org</A
></DT
><DD
><DL
><DT
>11.2.1. <A
-HREF="#AEN1801"
+HREF="#AEN1958"
>Access via CVSweb</A
></DT
><DT
>11.2.2. <A
-HREF="#AEN1806"
+HREF="#AEN1963"
>Access via cvs</A
></DT
></DL
@@ -816,7 +878,7 @@ HREF="#AEN1806"
></DD
><DT
><A
-HREF="#AEN1834"
+HREF="#AEN1991"
>Index</A
></DT
></DL
@@ -833,7 +895,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN17"
+NAME="AEN18"
>1.1. Step 0: Read the man pages</A
></H1
><P
@@ -865,7 +927,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN25"
+NAME="AEN26"
>1.2. Step 1: Building the Binaries</A
></H1
><P
@@ -964,7 +1026,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN53"
+NAME="AEN54"
>1.3. Step 2: The all important step</A
></H1
><P
@@ -981,7 +1043,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN57"
+NAME="AEN58"
>1.4. Step 3: Create the smb configuration file.</A
></H1
><P
@@ -1046,7 +1108,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN71"
+NAME="AEN72"
>1.5. Step 4: Test your config file with
<B
CLASS="COMMAND"
@@ -1070,7 +1132,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN77"
+NAME="AEN78"
>1.6. Step 5: Starting the smbd and nmbd</A
></H1
><P
@@ -1110,7 +1172,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN87"
+NAME="AEN88"
>1.6.1. Step 5a: Starting from inetd.conf</A
></H2
><P
@@ -1223,7 +1285,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN116"
+NAME="AEN117"
>1.6.2. Step 5b. Alternative: starting it as a daemon</A
></H2
><P
@@ -1289,7 +1351,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN132"
+NAME="AEN133"
>1.7. Step 6: Try listing the shares available on your
server</A
></H1
@@ -1330,7 +1392,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN141"
+NAME="AEN142"
>1.8. Step 7: Try connecting with the unix client</A
></H1
><P
@@ -1393,7 +1455,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN157"
+NAME="AEN158"
>1.9. Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</A
></H1
@@ -1442,7 +1504,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN171"
+NAME="AEN172"
>1.10. What If Things Don't Work?</A
></H1
><P
@@ -1465,7 +1527,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN176"
+NAME="AEN177"
>1.10.1. Diagnosing Problems</A
></H2
><P
@@ -1481,7 +1543,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN180"
+NAME="AEN181"
>1.10.2. Scope IDs</A
></H2
><P
@@ -1497,7 +1559,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN183"
+NAME="AEN184"
>1.10.3. Choosing the Protocol Level</A
></H2
><P
@@ -1538,7 +1600,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN192"
+NAME="AEN193"
>1.10.4. Printing from UNIX to a Client PC</A
></H2
><P
@@ -1556,7 +1618,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN196"
+NAME="AEN197"
>1.10.5. Locking</A
></H2
><P
@@ -1568,20 +1630,25 @@ NAME="AEN196"
The second is the "deny modes" that are specified when a file
is open.</P
><P
->Samba supports "record locking" using the fcntl() unix system
- call. This is often implemented using rpc calls to a rpc.lockd process
- running on the system that owns the filesystem. Unfortunately many
- rpc.lockd implementations are very buggy, particularly when made to
- talk to versions from other vendors. It is not uncommon for the
- rpc.lockd to crash.</P
-><P
->There is also a problem translating the 32 bit lock
- requests generated by PC clients to 31 bit requests supported
- by most unixes. Unfortunately many PC applications (typically
- OLE2 applications) use byte ranges with the top bit set
- as semaphore sets. Samba attempts translation to support
- these types of applications, and the translation has proved
- to be quite successful.</P
+>Record locking semantics under Unix is very
+ different from record locking under Windows. Versions
+ of Samba before 2.2 have tried to use the native
+ fcntl() unix system call to implement proper record
+ locking between different Samba clients. This can not
+ be fully correct due to several reasons. The simplest
+ is the fact that a Windows client is allowed to lock a
+ byte range up to 2^32 or 2^64, depending on the client
+ OS. The unix locking only supports byte ranges up to
+ 2^31. So it is not possible to correctly satisfy a
+ lock request above 2^31. There are many more
+ differences, too many to be listed here.</P
+><P
+>Samba 2.2 and above implements record locking
+ completely independent of the underlying unix
+ system. If a byte range lock that the client requests
+ happens to fall into the range 0-2^31, Samba hands
+ this request down to the Unix system. All other locks
+ can not be seen by unix anyway.</P
><P
>Strictly a SMB server should check for locks before
every read and write call on a file. Unfortunately with the
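Review bot: the rewritten locking text drops the rpc.lockd warning, yet the new second paragraph says a lock that falls in the range 0-2^31 is still handed down to the Unix system, so the removed caveat about buggy rpc.lockd implementations appears to apply to those locks just as it did before. Keep a sentence of it next to "Samba hands this request down to the Unix system". The sentence "There are many more differences, too many to be listed here" gives the reader nothing to act on; name one more or point to where they are described. Minor wording: "semantics ... is" should be "semantics ... are", and "can not" should be "cannot".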
@@ -1617,7 +1684,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN206"
+NAME="AEN207"
>1.10.6. Mapping Usernames</A
></H2
><P
@@ -1630,7 +1697,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN209"
+NAME="AEN210"
>1.10.7. Other Character Sets</A
></H2
><P
@@ -1654,7 +1721,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN223"
+NAME="AEN224"
>2.1. Agenda</A
></H1
><P
@@ -1721,7 +1788,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN245"
+NAME="AEN246"
>2.2. Name Resolution in a pure Unix/Linux world</A
></H1
><P
@@ -1763,7 +1830,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN261"
+NAME="AEN262"
>2.2.1. <TT
CLASS="FILENAME"
>/etc/hosts</TT
@@ -1853,7 +1920,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN277"
+NAME="AEN278"
>2.2.2. <TT
CLASS="FILENAME"
>/etc/resolv.conf</TT
@@ -1891,7 +1958,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN288"
+NAME="AEN289"
>2.2.3. <TT
CLASS="FILENAME"
>/etc/host.conf</TT
@@ -1929,7 +1996,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN296"
+NAME="AEN297"
>2.2.4. <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
@@ -2007,7 +2074,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN308"
+NAME="AEN309"
>2.3. Name resolution as used within MS Windows networking</A
></H1
><P
@@ -2101,7 +2168,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN320"
+NAME="AEN321"
>2.3.1. The NetBIOS Name Cache</A
></H2
><P
@@ -2128,7 +2195,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN325"
+NAME="AEN326"
>2.3.2. The LMHOSTS file</A
></H2
><P
@@ -2240,7 +2307,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN333"
+NAME="AEN334"
>2.3.3. HOSTS file</A
></H2
><P
@@ -2262,7 +2329,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN338"
+NAME="AEN339"
>2.3.4. DNS Lookup</A
></H2
><P
@@ -2282,7 +2349,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN341"
+NAME="AEN342"
>2.3.5. WINS Lookup</A
></H2
><P
@@ -2343,7 +2410,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN353"
+NAME="AEN354"
>2.4. How browsing functions and how to deploy stable and
dependable browsing using Samba</A
></H1
@@ -2410,7 +2477,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN363"
+NAME="AEN364"
>2.5. MS Windows security options and how to configure
Samba for seemless integration</A
></H1
@@ -2552,7 +2619,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN391"
+NAME="AEN392"
>2.5.1. Use MS Windows NT as an authentication server</A
></H2
><P
@@ -2597,7 +2664,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN399"
+NAME="AEN400"
>2.5.2. Make Samba a member of an MS Windows NT security domain</A
></H2
><P
@@ -2669,7 +2736,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN416"
+NAME="AEN417"
>2.5.3. Configure Samba as an authentication server</A
></H2
><P
@@ -2715,7 +2782,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN423"
+NAME="AEN424"
>2.5.3.1. Users</A
></H3
><P
@@ -2731,7 +2798,7 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
-> # useradd -s /bin/bash -d /home/"userid" -m
+> # useradd -s /bin/bash -d /home/"userid" -m "userid"
# passwd "userid"
Enter Password: &#60;pw&#62;
@@ -2747,7 +2814,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN428"
+NAME="AEN429"
>2.5.3.2. MS Windows NT Machine Accounts</A
></H3
><P
@@ -2762,7 +2829,7 @@ WIDTH="100%"
><TD
><PRE
CLASS="PROGRAMLISTING"
-> # useradd -a /bin/false -d /dev/null "machine_name"\$
+> # useradd -s /bin/false -d /dev/null "machine_name"\$
# passwd -l "machine_name"\$
# smbpasswd -a -m "machine_name"</PRE
></TD
@@ -2777,7 +2844,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN433"
+NAME="AEN434"
>2.6. Conclusions</A
></H1
><P
@@ -2822,7 +2889,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN454"
+NAME="AEN455"
>3.1. Samba and PAM</A
></H1
><P
@@ -3072,7 +3139,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN496"
+NAME="AEN497"
>3.2. Distributed Authentication</A
></H1
><P
@@ -3105,7 +3172,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN503"
+NAME="AEN504"
>3.3. PAM Configuration in smb.conf</A
></H1
><P
@@ -3153,7 +3220,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN523"
+NAME="AEN524"
>4.1. Instructions</A
></H1
><P
@@ -3310,7 +3377,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN558"
+NAME="AEN559"
>4.1.1. Notes</A
></H2
><P
@@ -3351,7 +3418,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN578"
+NAME="AEN579"
>5.1. Viewing and changing UNIX permissions using the NT
security dialogs</A
></H1
@@ -3390,7 +3457,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN587"
+NAME="AEN588"
>5.2. How to view file security on a Samba share</A
></H1
><P
@@ -3436,7 +3503,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN598"
+NAME="AEN599"
>5.3. Viewing file ownership</A
></H1
><P
@@ -3522,7 +3589,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN618"
+NAME="AEN619"
>5.4. Viewing file or directory permissions</A
></H1
><P
@@ -3584,7 +3651,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN633"
+NAME="AEN634"
>5.4.1. File Permissions</A
></H2
><P
@@ -3646,7 +3713,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN647"
+NAME="AEN648"
>5.4.2. Directory Permissions</A
></H2
><P
@@ -3678,7 +3745,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN654"
+NAME="AEN655"
>5.5. Modifying file or directory permissions</A
></H1
><P
@@ -3776,7 +3843,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN676"
+NAME="AEN677"
>5.6. Interaction with the standard Samba create mask
parameters</A
></H1
@@ -4049,7 +4116,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN740"
+NAME="AEN741"
>5.7. Interaction with the standard Samba file attribute
mapping</A
></H1
@@ -4104,7 +4171,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN761"
+NAME="AEN762"
>6.1. Introduction</A
></H1
><P
@@ -4188,7 +4255,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN783"
+NAME="AEN784"
>6.2. Configuration</A
></H1
><DIV
@@ -4256,7 +4323,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN794"
+NAME="AEN795"
>6.2.1. Creating [print$]</A
></H2
><P
@@ -4315,7 +4382,7 @@ CLASS="PARAMETER"
> is used to allow administrative
level user accounts to have write access in order to update files
on the share. See the <A
-HREF="smb./conf.5.html"
+HREF="smb.conf.5.html"
TARGET="_top"
>smb.conf(5)
man page</A
@@ -4457,7 +4524,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN829"
+NAME="AEN830"
>6.2.2. Setting Drivers for Existing Printers</A
></H2
><P
@@ -4529,7 +4596,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN846"
+NAME="AEN847"
>6.2.3. Support a large number of printers</A
></H2
><P
@@ -4604,7 +4671,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN857"
+NAME="AEN858"
>6.2.4. Adding New Printers via the Windows NT APW</A
></H2
><P
@@ -4710,7 +4777,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN882"
+NAME="AEN883"
>6.2.5. Samba and Printer Ports</A
></H2
><P
@@ -4747,7 +4814,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN890"
+NAME="AEN891"
>6.3. The Imprints Toolset</A
></H1
><P
@@ -4765,7 +4832,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN894"
+NAME="AEN895"
>6.3.1. What is Imprints?</A
></H2
><P
@@ -4797,7 +4864,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN904"
+NAME="AEN905"
>6.3.2. Creating Printer Driver Packages</A
></H2
><P
@@ -4813,7 +4880,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN907"
+NAME="AEN908"
>6.3.3. The Imprints server</A
></H2
><P
@@ -4833,7 +4900,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN911"
+NAME="AEN912"
>6.3.4. The Installation Client</A
></H2
><P
@@ -4936,7 +5003,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN933"
+NAME="AEN934"
>6.4. <A
NAME="MIGRATION"
></A
@@ -4945,51 +5012,67 @@ NAME="MIGRATION"
><P
>Given that printer driver management has changed (we hope improved) in
2.2 over prior releases, migration from an existing setup to 2.2 can
-follow several paths.</P
+follow several paths. Here are the possible scenarios for
+migration:</P
><P
->Windows clients have a tendency to remember things for quite a while.
-For example, if a Windows NT client has attached to a Samba 2.0 server,
-it will remember the server as a LanMan printer server. Upgrading
-the Samba host to 2.2 makes support for MSRPC printing possible, but
-the NT client will still remember the previous setting.</P
+></P
+><UL
+><LI
><P
->In order to give an NT client printing "amnesia" (only necessary if you
-want to use the newer MSRPC printing functionality in Samba), delete
-the registry keys associated with the print server contained in
-<TT
-CLASS="CONSTANT"
->[HKLM\SYSTEM\CurrentControlSet\Control\Print]</TT
->. The
-spooler service on the client should be stopped prior to doing this:</P
+>If you do not desire the new Windows NT
+ print driver support, nothing needs to be done.
+ All existing parameters work the same.</P
+></LI
+><LI
><P
-><TT
-CLASS="PROMPT"
->C:\WINNT\ &#62;</TT
-> <TT
-CLASS="USERINPUT"
-><B
->net stop spooler</B
-></TT
-></P
+>If you want to take advantage of NT printer
+ driver support but do not want to migrate the
+ 9x drivers to the new setup, the leave the existing
+ <TT
+CLASS="FILENAME"
+>printers.def</TT
+> file. When smbd attempts
+ to locate a
+ 9x driver for the printer in the TDB and fails it
+ will drop down to using the printers.def (and all
+ associated parameters). The <B
+CLASS="COMMAND"
+>make_printerdef</B
+>
+ tool will also remain for backwards compatibility but will
+ be removed in the next major release.</P
+></LI
+><LI
><P
-><EM
->All the normal disclaimers about editing the registry go
-here.</EM
-> Be careful, and know what you are doing.</P
+>If you install a Windows 9x driver for a printer
+ on your Samba host (in the printing TDB), this information will
+ take precedence and the three old printing parameters
+ will be ignored (including print driver location).</P
+></LI
+><LI
><P
->The spooler service should be restarted after you have finished
-removing the appropriate registry entries by replacing the
-<B
+>If you want to migrate an existing <TT
+CLASS="FILENAME"
+>printers.def</TT
+>
+ file into the new setup, the current only solution is to use the Windows
+ NT APW to install the NT drivers and the 9x drivers. This can be scripted
+ using <B
CLASS="COMMAND"
->stop</B
-> command above with <B
+>smbclient</B
+> and <B
CLASS="COMMAND"
->start</B
->.</P
-><P
->Windows 9x clients will continue to use LanMan printing calls
-with a 2.2 Samba server so there is no need to perform any of these
-modifications on non-NT clients.</P
+>rpcclient</B
+>. See the
+ Imprints installation client at <A
+HREF="http://imprints.sourceforge.net/"
+TARGET="_top"
+>http://imprints.sourceforge.net/</A
+>
+ for an example.
+ </P
+></LI
+></UL
><DIV
CLASS="WARNING"
><P
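Review bot: after this change nothing tells the administrator of an NT client that has already attached to a Samba 2.0 server how to get it onto MSRPC printing. The removed paragraphs covered that case (stop the spooler, delete the print server's entries under [HKLM\SYSTEM\CurrentControlSet\Control\Print], start the spooler again), and none of the four scenarios moved in here replaces it. If the procedure is no longer needed, say so in the text; otherwise keep it alongside the list. In the second list item "the leave the existing" should read "then leave the existing", and in the fourth "the current only solution" reads better as "the only current solution".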
@@ -5009,8 +5092,12 @@ ALIGN="CENTER"
><TD
ALIGN="LEFT"
><P
->The following smb.conf parameters are considered to be depreciated and will
-be removed soon. Do not use them in new installations</P
+>The following <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> parameters are considered to
+be deprecated and will be removed soon. Do not use them in new
+installations</P
><P
></P
><UL
@@ -5050,63 +5137,22 @@ CLASS="PARAMETER"
></TABLE
></DIV
><P
->Here are the possible scenarios for supporting migration:</P
-><P
-></P
-><UL
-><LI
-><P
->If you do not desire the new Windows NT
- print driver support, nothing needs to be done.
- All existing parameters work the same.</P
-></LI
-><LI
-><P
->If you want to take advantage of NT printer
- driver support but do not want to migrate the
- 9x drivers to the new setup, the leave the existing
- printers.def file. When smbd attempts to locate a
- 9x driver for the printer in the TDB and fails it
- will drop down to using the printers.def (and all
- associated parameters). The <B
-CLASS="COMMAND"
->make_printerdef</B
->
- tool will also remain for backwards compatibility but will
- be moved to the "this tool is the old way of doing it"
- pile.</P
-></LI
-><LI
-><P
->If you install a Windows 9x driver for a printer
- on your Samba host (in the printing TDB), this information will
- take precedence and the three old printing parameters
- will be ignored (including print driver location).</P
-></LI
-><LI
-><P
->If you want to migrate an existing <TT
-CLASS="FILENAME"
->printers.def</TT
->
- file into the new setup, the current only solution is to use the Windows
- NT APW to install the NT drivers and the 9x drivers. This can be scripted
- using <B
-CLASS="COMMAND"
->smbclient</B
-> and <B
-CLASS="COMMAND"
->rpcclient</B
->. See the
- Imprints installation client at <A
-HREF="http://imprints.sourceforge.net/"
-TARGET="_top"
->http://imprints.sourceforge.net/</A
->
- for an example.
- </P
-></LI
-></UL
+>The have been two new parameters add in Samba 2.2.2 to for
+better support of Samba 2.0.x backwards capability (<TT
+CLASS="PARAMETER"
+><I
+>disable
+spoolss</I
+></TT
+>) and for using local printers drivers on Windows
+NT/2000 clients (<TT
+CLASS="PARAMETER"
+><I
+>use client driver</I
+></TT
+>). Both of
+these options are described in the smb.coinf(5) man page and are
+disabled by default.</P
></DIV
></DIV
><DIV
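Review bot: The added paragraph introducing "disable spoolss" and "use client driver" needs a proofreading pass before it is synced: "The have been two new parameters add in Samba 2.2.2 to for better support" should read "There have been two new parameters added in Samba 2.2.2 for better support", "backwards capability" is presumably "backwards compatibility", and the man page reference is misspelled as "smb.coinf(5)". Since both options are stated to be disabled by default, a link to the smb.conf(5) entries, as done for "domain admin group" elsewhere in this file, would help readers find the details.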
@@ -5121,7 +5167,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN995"
+NAME="AEN988"
>7.1. Joining an NT Domain with Samba 2.2</A
></H1
><P
@@ -5348,7 +5394,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1059"
+NAME="AEN1052"
>7.2. Samba and Windows 2000 Domains</A
></H1
><P
@@ -5373,7 +5419,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1064"
+NAME="AEN1057"
>7.3. Why is this better than security = server?</A
></H1
><P
@@ -5467,7 +5513,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1097"
+NAME="AEN1090"
>8.1. Prerequisite Reading</A
></H1
><P
@@ -5495,7 +5541,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1103"
+NAME="AEN1096"
>8.2. Background</A
></H1
><DIV
@@ -5652,7 +5698,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1145"
+NAME="AEN1138"
>8.3. Configuring the Samba Domain Controller</A
></H1
><P
@@ -5857,16 +5903,11 @@ CLASS="FILENAME"
>As Samba 2.2 does not offer a complete implementation of group mapping between
Windows NT groups and UNIX groups (this is really quite complicated to explain
in a short space), you should refer to the <A
-HREF="smb.conf.5.html#DOMAINADMINUSERS"
-TARGET="_top"
->domain
-admin users</A
-> and <A
HREF="smb.conf.5.html#DOMAINADMINGROUP"
TARGET="_top"
>domain
admin group</A
-> smb.conf parameters for information of creating a Domain Admins
+> smb.conf parameter for information of creating "Domain Admins"
style accounts.</P
></DIV
><DIV
@@ -5874,7 +5915,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1188"
+NAME="AEN1180"
>8.4. Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></H1
@@ -5932,7 +5973,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1202"
+NAME="AEN1194"
>8.4.1. Manually creating machine trust accounts</A
></H2
><P
@@ -5951,9 +5992,20 @@ CLASS="PROMPT"
>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
CLASS="REPLACEABLE"
><I
->machine_nickname</I
+>"machine
+nickname"</I
></TT
-> -m -s /bin/false <TT
+> -s /bin/false <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+>$ </P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>passwd -l <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
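Review bot: The new "passwd -l machine_name$" step is added without any sentence in this hunk saying why it is there. Suggest one line of text stating that it locks the UNIX password of the machine trust account so that the account, which already has /dev/null as home and /bin/false as shell, cannot be used to log in. Dropping "-m" is consistent with "-d /dev/null", and the quoted "machine nickname" comment is fine, but the line break inside the REPLACEABLE element will show up in the text-only renderings of this document and is worth joining.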
@@ -6072,7 +6124,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1230"
+NAME="AEN1225"
>8.4.2. Creating machine trust accounts "on the fly"</A
></H2
><P
@@ -6108,7 +6160,7 @@ an entry in smbpasswd for <EM
>. The password
<EM
>SHOULD</EM
-> be set to s different password that the
+> be set to a different password that the
associated <TT
CLASS="FILENAME"
>/etc/passwd</TT
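Review bot: The corrected line still reads "be set to a different password that the associated /etc/passwd entry"; "that" should be "than". Worth fixing in the same change, since this sentence is the security recommendation that the smbpasswd entry and the UNIX account must not share a password.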
@@ -6120,7 +6172,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1241"
+NAME="AEN1236"
>8.5. Common Problems and Errors</A
></H1
><P
@@ -6319,7 +6371,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1289"
+NAME="AEN1284"
>8.6. System Policies and Profiles</A
></H1
><P
@@ -6476,7 +6528,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1333"
+NAME="AEN1328"
>8.7. What other help can I get ?</A
></H1
><P
@@ -6872,7 +6924,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1447"
+NAME="AEN1442"
>8.8. Domain Control for Windows 9x/ME</A
></H1
><DIV
@@ -7008,7 +7060,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1477"
+NAME="AEN1472"
>8.8.1. Configuration Instructions: Network Logons</A
></H2
><P
@@ -7197,7 +7249,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1511"
+NAME="AEN1506"
>8.8.2. Configuration Instructions: Setting up Roaming User Profiles</A
></H2
><DIV
@@ -7244,7 +7296,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1519"
+NAME="AEN1514"
>8.8.2.1. Windows NT Configuration</A
></H3
><P
@@ -7288,7 +7340,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1527"
+NAME="AEN1522"
>8.8.2.2. Windows 9X Configuration</A
></H3
><P
@@ -7328,7 +7380,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1535"
+NAME="AEN1530"
>8.8.2.3. Win9X and WinNT Configuration</A
></H3
><P
@@ -7366,7 +7418,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1542"
+NAME="AEN1537"
>8.8.2.4. Windows 9X Profile Setup</A
></H3
><P
@@ -7375,7 +7427,7 @@ as are folders "Start Menu", "Desktop", "Programs" and "Nethood".
These directories and their contents will be merged with the local
versions stored in c:\windows\profiles\username on subsequent logins,
taking the most recent from each. You will need to use the [global]
-options "preserve case = yes", "short case preserve = yes" and
+options "preserve case = yes", "short preserve case = yes" and
"case sensitive = no" in order to maintain capital letters in shortcuts
in any of the profile folders.</P
><P
@@ -7522,7 +7574,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1578"
+NAME="AEN1573"
>8.8.2.5. Windows NT Workstation 4.0</A
></H3
><P
@@ -7604,7 +7656,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1591"
+NAME="AEN1586"
>8.8.2.6. Windows NT Server</A
></H3
><P
@@ -7618,7 +7670,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN1594"
+NAME="AEN1589"
>8.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</A
></H3
><DIV
@@ -7683,7 +7735,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1604"
+NAME="AEN1599"
>8.9. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
><DIV
@@ -7812,17 +7864,18 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1647"
+NAME="AEN1642"
>9.1. Abstract</A
></H1
><P
>Integration of UNIX and Microsoft Windows NT through
a unified logon has been considered a "holy grail" in heterogeneous
- computing environments for a long time. We present <EM
->winbind
- </EM
->, a component of the Samba suite of programs as a
- solution to the unified logon problem. Winbind uses a UNIX implementation
+ computing environments for a long time. We present
+ <EM
+>winbind</EM
+>, a component of the Samba suite
+ of programs as a solution to the unified logon problem. Winbind
+ uses a UNIX implementation
of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
Service Switch to allow Windows NT domain users to appear and operate
as UNIX users on a UNIX machine. This paper describes the winbind
@@ -7834,7 +7887,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1651"
+NAME="AEN1646"
>9.2. Introduction</A
></H1
><P
@@ -7849,7 +7902,7 @@ NAME="AEN1651"
and use the Samba suite of programs to provide file and print services
between the two. This solution is far from perfect however, as
adding and deleting users on both sets of machines becomes a chore
- and two sets of passwords are required both of which which
+ and two sets of passwords are required both of which
can lead to synchronization problems between the UNIX and Windows
systems and confusion for users.</P
><P
@@ -7888,7 +7941,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1664"
+NAME="AEN1659"
>9.3. What Winbind Provides</A
></H1
><P
@@ -7902,7 +7955,7 @@ NAME="AEN1664"
>The end result is that whenever any
program on the UNIX machine asks the operating system to lookup
a user or group name, the query will be resolved by asking the
- NT domain controller for the specied domain to do the lookup.
+ NT domain controller for the specified domain to do the lookup.
Because Winbind hooks into the operating system at a low level
(via the NSS name resolution modules in the C library) this
redirection to the NT domain controller is completely
@@ -7919,18 +7972,18 @@ NAME="AEN1664"
that redirection to a domain controller is wanted for a particular
lookup and which trusted domain is being referenced.</P
><P
->Additionally, Winbind provides a authentication service
+>Additionally, Winbind provides an authentication service
that hooks into the Pluggable Authentication Modules (PAM) system
to provide authentication via a NT domain to any PAM enabled
applications. This capability solves the problem of synchronizing
- passwords between systems as all passwords are stored in a single
+ passwords between systems since all passwords are stored in a single
location (on the domain controller).</P
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1671"
+NAME="AEN1666"
>9.3.1. Target Uses</A
></H2
><P
@@ -7938,9 +7991,9 @@ NAME="AEN1671"
existing NT based domain infrastructure into which they wish
to put UNIX workstations or servers. Winbind will allow these
organizations to deploy UNIX workstations without having to
- maintain a separate account infrastructure. This greatly simplies
- the administrative overhead of deploying UNIX workstations into
- a NT based organization.</P
+ maintain a separate account infrastructure. This greatly
+ simplifies the administrative overhead of deploying UNIX
+ workstations into a NT based organization.</P
><P
>Another interesting way in which we expect Winbind to
be used is as a central part of UNIX based appliances. Appliances
@@ -7954,7 +8007,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1675"
+NAME="AEN1670"
>9.4. How Winbind Works</A
></H1
><P
@@ -7974,7 +8027,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1680"
+NAME="AEN1675"
>9.4.1. Microsoft Remote Procedure Calls</A
></H2
><P
@@ -8000,7 +8053,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1684"
+NAME="AEN1679"
>9.4.2. Name Service Switch</A
></H2
><P
@@ -8009,9 +8062,9 @@ NAME="AEN1684"
information such as hostnames, mail aliases and user information
to be resolved from different sources. For example, a standalone
UNIX workstation may resolve system information from a series of
- flat files stored on the local lesystem. A networked workstation
+ flat files stored on the local filesystem. A networked workstation
may first attempt to resolve system information from local files,
- then consult a NIS database for user information or a DNS server
+ and then consult a NIS database for user information or a DNS server
for hostname information.</P
><P
>The NSS application programming interface allows winbind
@@ -8024,11 +8077,12 @@ NAME="AEN1684"
a NT domain plus any trusted domain as though they were local
users and groups.</P
><P
->The primary control le for NSS is <TT
+>The primary control file for NSS is
+ <TT
CLASS="FILENAME"
->/etc/nsswitch.conf
- </TT
->. When a UNIX application makes a request to do a lookup
+>/etc/nsswitch.conf</TT
+>.
+ When a UNIX application makes a request to do a lookup
the C library looks in <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
@@ -8079,7 +8133,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1700"
+NAME="AEN1695"
>9.4.3. Pluggable Authentication Modules</A
></H2
><P
@@ -8098,7 +8152,7 @@ NAME="AEN1700"
UNIX system. This allows Windows NT users to log in to a UNIX
machine and be authenticated against a suitable Primary Domain
Controller. These users can also change their passwords and have
- this change take eect directly on the Primary Domain Controller.
+ this change take effect directly on the Primary Domain Controller.
</P
><P
>PAM is configured by providing control files in the directory
@@ -8118,7 +8172,7 @@ CLASS="FILENAME"
is copied to <TT
CLASS="FILENAME"
>/lib/security/</TT
-> and the pam
+> and the PAM
control files for relevant services are updated to allow
authentication via winbind. See the PAM documentation
for more details.</P
@@ -8128,13 +8182,13 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1708"
+NAME="AEN1703"
>9.4.4. User and Group ID Allocation</A
></H2
><P
>When a user or group is created under Windows NT
is it allocated a numerical relative identifier (RID). This is
- slightly different to UNIX which has a range of numbers which are
+ slightly different to UNIX which has a range of numbers that are
used to identify users, and the same range in which to identify
groups. It is winbind's job to convert RIDs to UNIX id numbers and
vice versa. When winbind is configured it is given part of the UNIX
@@ -8146,7 +8200,7 @@ NAME="AEN1708"
to UNIX user ids and group ids.</P
><P
>The results of this mapping are stored persistently in
- a ID mapping database held in a tdb database). This ensures that
+ an ID mapping database held in a tdb database). This ensures that
RIDs are mapped to UNIX IDs in a consistent way.</P
></DIV
><DIV
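Review bot: The corrected sentence "an ID mapping database held in a tdb database). This ensures" still carries an unmatched closing parenthesis. Either drop the ")" or restore the opening one, for example "an ID mapping database (held in a tdb database)".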
@@ -8154,7 +8208,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1712"
+NAME="AEN1707"
>9.4.5. Result Caching</A
></H2
><P
@@ -8177,43 +8231,821 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1715"
+NAME="AEN1710"
>9.5. Installation and Configuration</A
></H1
><P
->The easiest way to install winbind is by using the packages
- provided in the <TT
+>Many thanks to John Trostel <A
+HREF="mailto:jtrostel@snapserver.com"
+TARGET="_top"
+>jtrostel@snapserver.com</A
+>
+for providing the HOWTO for this section.</P
+><P
+>This HOWTO describes how to get winbind services up and running
+to control access and authenticate users on your Linux box using
+the winbind services which come with SAMBA 2.2.2.</P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1715"
+>9.5.1. Introduction</A
+></H2
+><P
+>This HOWTO describes the procedures used to get winbind up and
+running on my RedHat 7.1 system. Winbind is capable of providing access
+and authentication control for Windows Domain users through an NT
+or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
+well for SAMBA services.</P
+><P
+>This HOWTO has been written from a 'RedHat-centric' perspective, so if
+you are using another distribution, you may have to modify the instructions
+somewhat to fit the way your distribution works.</P
+><P
+></P
+><UL
+><LI
+><P
+> <EM
+>Why should I to this?</EM
+>
+ </P
+><P
+>This allows the SAMBA administrator to rely on the
+ authentication mechanisms on the NT/Win2K PDC for the authentication
+ of domain members. NT/Win2K users no longer need to have separate
+ accounts on the SAMBA server.
+ </P
+></LI
+><LI
+><P
+> <EM
+>Who should be reading this document?</EM
+>
+ </P
+><P
+> This HOWTO is designed for system administrators. If you are
+ implementing SAMBA on a file server and wish to (fairly easily)
+ integrate existing NT/Win2K users from your PDC onto the
+ SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
+ expert, so you may find a better or easier way to accomplish
+ these tasks.
+ </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1728"
+>9.5.2. Requirements</A
+></H2
+><P
+>If you have a samba configuration file that you are currently
+using... BACK IT UP! If your system already uses PAM, BACK UP
+THE <TT
+CLASS="FILENAME"
+>/etc/pam.d</TT
+> directory contents! If you
+haven't already made a boot disk, MAKE ON NOW!</P
+><P
+>Messing with the pam configuration files can make it nearly impossible
+to log in to yourmachine. That's why you want to be able to boot back
+into your machine in single user mode and restore your
+<TT
CLASS="FILENAME"
->pub/samba/appliance/</TT
+>/etc/pam.d</TT
+> back to the original state they were in if
+you get frustrated with the way things are going. ;-)</P
+><P
+>The newest version of SAMBA (version 2.2.2), available from
+cvs.samba.org, now include a functioning winbindd daemon. Please refer
+to the main SAMBA web page or, better yet, your closest SAMBA mirror
+site for instructions on downloading the source code.</P
+><P
+>To allow Domain users the ability to access SAMBA shares and
+files, as well as potentially other services provided by your
+SAMBA machine, PAM (pluggable authentication modules) must
+be setup properly on your machine. In order to compile the
+winbind modules, you should have at least the pam libraries resident
+on your system. For recent RedHat systems (7.1, for instance), that
+means 'pam-0.74-22'. For best results, it is helpful to also
+install the development packages in 'pam-devel-0.74-22'.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1736"
+>9.5.3. Testing Things Out</A
+></H2
+><P
+>Before starting, it is probably best to kill off all the SAMBA
+related daemons running on your server. Kill off all <B
+CLASS="COMMAND"
+>smbd</B
+>,
+<B
+CLASS="COMMAND"
+>nmbd</B
+>, and <B
+CLASS="COMMAND"
+>winbindd</B
+> processes that may
+be running. To use PAM, you will want to make sure that you have the
+standard PAM package (for RedHat) which supplies the <TT
+CLASS="FILENAME"
+>/etc/pam.d</TT
>
- directory on your nearest
- Samba mirror. These packages provide snapshots of the Samba source
- code and binaries already setup to provide the full functionality
- of winbind. This setup is a little more complex than a normal Samba
- build as winbind needs a small amount of functionality from a
- development code branch called SAMBA_TNG.</P
-><P
->Once you have installed the packages you should read
- the <B
+directory structure, including the pam modules are used by pam-aware
+services, several pam libraries, and the <TT
+CLASS="FILENAME"
+>/usr/doc</TT
+>
+and <TT
+CLASS="FILENAME"
+>/usr/man</TT
+> entries for pam. Winbind built better
+in SAMBA if the pam-devel package was also installed. This package includes
+the header files needed to compile pam-aware applications. For instance, my RedHat
+system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.</P
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1745"
+>9.5.3.1. Configure and compile SAMBA</A
+></H3
+><P
+>The configuration and compilation of SAMBA is pretty straightforward.
+The first three steps maynot be necessary depending upon
+whether or not you have previously built the Samba binaries.</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+><TT
+CLASS="PROMPT"
+>root# </TT
+> autoconf
+<TT
+CLASS="PROMPT"
+>root# </TT
+> make clean
+<TT
+CLASS="PROMPT"
+>root# </TT
+> rm config.cache
+<TT
+CLASS="PROMPT"
+>root# </TT
+> ./configure --with-winbind
+<TT
+CLASS="PROMPT"
+>root# </TT
+> make
+<TT
+CLASS="PROMPT"
+>root# </TT
+> make install</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>This will, by default, install SAMBA in /usr/local/samba. See the
+main SAMBA documentation if you want to install SAMBA somewhere else.
+It will also build the winbindd executable and libraries. </P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1757"
+>9.5.3.2. Configure nsswitch.conf and the winbind libraries</A
+></H3
+><P
+>The libraries needed to run the winbind daemon through nsswitch
+need to be copied to their proper locations, so</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> cp ../samba/source/nsswitch/libnss_winbind.so /lib</P
+><P
+>I also found it necessary to make the following symbolic link:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</P
+><P
+>Now, as root you need to edit <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+> to
+allow user and group entries to be visible from the <B
CLASS="COMMAND"
->winbindd(8)</B
-> man page which will provide you
- with configuration information and give you sample configuration files.
- You may also wish to update the main Samba daemons smbd and nmbd)
- with a more recent development release, such as the recently
- announced Samba 2.2 alpha release.</P
+>winbindd</B
+>
+daemon, as well as from your /etc/hosts files and NIS servers. My
+<TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+> file look like this after editing:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+> passwd: files winbind
+ shadow: files winbind
+ group: files winbind</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>
+The libraries needed by the winbind daemon will be automatically
+entered into the ldconfig cache the next time your system reboots, but it
+is faster (and you don't need to reboot) if you do it manually:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> /sbin/ldconfig -v | grep winbind</P
+><P
+>This makes <TT
+CLASS="FILENAME"
+>libnss_winbind</TT
+> available to winbindd
+and echos back a check to you.</P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1776"
+>9.5.3.3. Configure smb.conf</A
+></H3
+><P
+>Several parameters are needed in the smb.conf file to control
+the behavior of <B
+CLASS="COMMAND"
+>winbindd</B
+>. Configure
+<TT
+CLASS="FILENAME"
+>smb.conf</TT
+> These are described in more detail in
+the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> man page. My
+<TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file was modified to
+include the following entries in the [global] section:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>[global]
+ &#60;...&#62;
+ # separate domain and username with '+', like DOMAIN+username
+ winbind separator = +
+ # use uids from 10000 to 20000 for domain users
+ winbind uid = 10000-20000
+ # use gids from 10000 to 20000 for domain groups
+ winbind gid = 10000-20000
+ # allow enumeration of winbind users and groups
+ winbind enum users = yes
+ winbind enum groups = yes
+ # give winbind users a real shell (only needed if they have telnet access)
+ template shell = /bin/bash</PRE
+></TD
+></TR
+></TABLE
+></P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1785"
+>9.5.3.4. Join the SAMBA server to the PDC domain</A
+></H3
+><P
+>Enter the following command to make the SAMBA server join the
+PDC domain, where <TT
+CLASS="REPLACEABLE"
+><I
+>DOMAIN</I
+></TT
+> is the name of
+your Windows domain and <TT
+CLASS="REPLACEABLE"
+><I
+>Administrator</I
+></TT
+> is
+a domain user who has administrative privileges in the domain.</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</P
+><P
+>The proper response to the command should be: "Joined the domain
+<TT
+CLASS="REPLACEABLE"
+><I
+>DOMAIN</I
+></TT
+>" where <TT
+CLASS="REPLACEABLE"
+><I
+>DOMAIN</I
+></TT
+>
+is your DOMAIN name.</P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1795"
+>9.5.3.5. Start up the winbindd daemon and test it!</A
+></H3
+><P
+>Eventually, you will want to modify your smb startup script to
+automatically invoke the winbindd daemon when the other parts of
+SAMBA start, but it is possible to test out just the winbind
+portion first. To start up winbind services, enter the following
+command as root:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/local/samba/bin/winbindd</P
+><P
+>I'm always paranoid and like to make sure the daemon
+is really running...</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> ps -ae | grep winbindd
+3025 ? 00:00:00 winbindd</P
+><P
+>Now... for the real test, try to get some information about the
+users on your PDC</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> # /usr/local/samba/bin/wbinfo -u</P
+><P
+>
+This should echo back a list of users on your Windows users on
+your PDC. For example, I get the following response:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>CEO+Administrator
+CEO+burdell
+CEO+Guest
+CEO+jt-ad
+CEO+krbtgt
+CEO+TsInternetUser</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.</P
+><P
+>You can do the same sort of thing to get group information from
+the PDC:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/local/samba/bin/wbinfo -g
+CEO+Domain Admins
+CEO+Domain Users
+CEO+Domain Guests
+CEO+Domain Computers
+CEO+Domain Controllers
+CEO+Cert Publishers
+CEO+Schema Admins
+CEO+Enterprise Admins
+CEO+Group Policy Creator Owners</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The function 'getent' can now be used to get unified
+lists of both local and PDC users and groups.
+Try the following command:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> getent passwd</P
+><P
+>You should get a list that looks like your <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>
+list followed by the domain users with their new uids, gids, home
+directories and default shells.</P
+><P
+>The same thing can be done for groups with the command</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> getent group</P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1822"
+>9.5.3.6. Fix the /etc/rc.d/init.d/smb startup files</A
+></H3
+><P
+>The <B
+CLASS="COMMAND"
+>winbindd</B
+> daemon needs to start up after the
+<B
+CLASS="COMMAND"
+>smbd</B
+> and <B
+CLASS="COMMAND"
+>nmbd</B
+> daemons are running.
+To accomplish this task, you need to modify the <TT
+CLASS="FILENAME"
+>/etc/init.d/smb</TT
+>
+script to add commands to invoke this daemon in the proper sequence. My
+<TT
+CLASS="FILENAME"
+>/etc/init.d/smb</TT
+> file starts up <B
+CLASS="COMMAND"
+>smbd</B
+>,
+<B
+CLASS="COMMAND"
+>nmbd</B
+>, and <B
+CLASS="COMMAND"
+>winbindd</B
+> from the
+<TT
+CLASS="FILENAME"
+>/usr/local/samba/bin</TT
+> directory directly. The 'start'
+function in the script looks like this:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>start() {
+ KIND="SMB"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
+ RETVAL=$?
+ echo
+ KIND="NMB"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
+ RETVAL2=$?
+ echo
+ KIND="Winbind"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/winbindd
+ RETVAL3=$?
+ echo
+ [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &#38;&#38; touch /var/lock/subsys/smb || \
+ RETVAL=1
+ return $RETVAL
+}</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The 'stop' function has a corresponding entry to shut down the
+services and look s like this:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>stop() {
+ KIND="SMB"
+ echo -n $"Shutting down $KIND services: "
+ killproc smbd
+ RETVAL=$?
+ echo
+ KIND="NMB"
+ echo -n $"Shutting down $KIND services: "
+ killproc nmbd
+ RETVAL2=$?
+ echo
+ KIND="Winbind"
+ echo -n $"Shutting down $KIND services: "
+ killproc winbindd
+ RETVAL3=$?
+ [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &#38;&#38; rm -f /var/lock/subsys/smb
+ echo ""
+ return $RETVAL
+}</PRE
+></TD
+></TR
+></TABLE
+></P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN1839"
+>9.5.3.7. Configure Winbind and PAM</A
+></H3
+><P
+>If you have made it this far, you know that winbindd is working.
+Now it is time to integrate it into the operation of samba and other
+services. The pam configuration files need to be altered in
+this step. (Did you remember to make backups of your original
+<TT
+CLASS="FILENAME"
+>/etc/pam.d</TT
+> files? If not, do it now.)</P
+><P
+>To get samba to allow domain users and groups, I modified the
+<TT
+CLASS="FILENAME"
+>/etc/pam.d/samba</TT
+> file from</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>auth required /lib/security/pam_stack.so service=system-auth
+account required /lib/security/pam_stack.so service=system-auth</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>to</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>auth required /lib/security/pam_winbind.so
+auth required /lib/security/pam_stack.so service=system-auth
+account required /lib/security/pam_winbind.so
+account required /lib/security/pam_stack.so service=system-auth</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The other services that I modified to allow the use of winbind
+as an authentication service were the normal login on the console (or a terminal
+session), telnet logins, and ftp service. In order to enable these
+services, you may first need to change the entries in
+<TT
+CLASS="FILENAME"
+>/etc/xinetd.d</TT
+> (or <TT
+CLASS="FILENAME"
+>/etc/inetd.conf</TT
+>).
+RedHat 7.1 uses the new xinetd.d structure, in this case you need
+to change the lines in <TT
+CLASS="FILENAME"
+>/etc/xinetd.d/telnet</TT
+>
+and <TT
+CLASS="FILENAME"
+>/etc/xinetd.d/wu-ftp</TT
+> from </P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>enable = no</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>to</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>enable = yes</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>
+For ftp services to work properly, you will also need to either
+have individual directories for the domain users already present on
+the server, or change the home directory template to a general
+directory for all domain users. These can be easily set using
+the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> global entry
+<B
+CLASS="COMMAND"
+>template homedir</B
+>.</P
+><P
+>The <TT
+CLASS="FILENAME"
+>/etc/pam.d/ftp</TT
+> file can be changed
+to allow winbind ftp access in a manner similar to the
+samba file. My <TT
+CLASS="FILENAME"
+>/etc/pam.d/ftp</TT
+> file was
+changed to look like this:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>auth sufficient /lib/security/pam_winbind.so
+auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth required /lib/security/pam_stack.so service=system-auth
+auth required /lib/security/pam_shells.so
+account required /lib/security/pam_stack.so service=system-auth
+session required /lib/security/pam_stack.so service=system-auth</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>The <TT
+CLASS="FILENAME"
+>/etc/pam.d/login</TT
+> file can be changed nearly the
+same way. It now looks like this:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>auth required /lib/security/pam_securetty.so
+auth sufficient /lib/security/pam_winbind.so
+auth sufficient /lib/security/pam_unix.so use_first_pass
+auth required /lib/security/pam_stack.so service=system-auth
+auth required /lib/security/pam_nologin.so
+account sufficient /lib/security/pam_winbind.so
+account required /lib/security/pam_stack.so service=system-auth
+password required /lib/security/pam_stack.so service=system-auth
+session required /lib/security/pam_stack.so service=system-auth
+session optional /lib/security/pam_console.so</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>In this case, I added the <B
+CLASS="COMMAND"
+>auth sufficient /lib/security/pam_winbind.so</B
+>
+lines as before, but also added the <B
+CLASS="COMMAND"
+>required pam_securetty.so</B
+>
+above it, to disallow root logins over the network. I also added a
+<B
+CLASS="COMMAND"
+>sufficient /lib/security/pam_unix.so use_first_pass</B
+>
+line after the <B
+CLASS="COMMAND"
+>winbind.so</B
+> line to get rid of annoying
+double prompts for passwords.</P
+><P
+>Finally, don't forget to copy the winbind pam modules from
+the source directory in which you originally compiled the new
+SAMBA up to the /lib/security directory so that pam can use it:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> cp ../samba/source/nsswitch/pam_winbind.so /lib/security</P
+></DIV
+></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1721"
+NAME="AEN1880"
>9.6. Limitations</A
></H1
><P
>Winbind has a number of limitations in its current
- released version which we hope to overcome in future
+ released version that we hope to overcome in future
releases:</P
><P
></P
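Review bot: In the new /etc/pam.d/ftp listing, "auth sufficient /lib/security/pam_winbind.so" is the first auth line, so a successful winbind authentication ends the auth stack before pam_listfile.so (the /etc/ftpusers deny list) and pam_shells.so are evaluated; the /etc/pam.d/login listing has the same ordering issue with pam_nologin.so, which comes after the sufficient pam_winbind.so line. Suggest moving the pam_listfile.so, pam_shells.so and pam_nologin.so lines above the winbind line, or stating in the text that domain users are deliberately exempt from those checks. The /etc/pam.d/samba listing uses "required" for both pam_winbind.so and pam_stack.so, which means a user must pass both; the text should say whether that is intended, since it differs from the "sufficient" approach used for ftp and login. The section also tells readers to enable telnet and wu-ftp in xinetd so that domain accounts can be used with them; a sentence noting that both send the domain password in clear text would be appropriate here. Smaller items in the same hunk: the heading names /etc/rc.d/init.d/smb while the body edits /etc/init.d/smb, the wbinfo -u command has a stray "#" after the "root#" prompt, stop() is missing the "echo" after killproc winbindd that the other two blocks have, and there are typos at "telnet a nd ftp", "Why should I to this?", "MAKE ON NOW", "yourmachine", "maynot" and "look s like".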
@@ -8242,13 +9074,6 @@ NAME="AEN1721"
into account possible workstation and logon time restrictions
that may be been set for Windows NT users.</P
></LI
-><LI
-><P
->Building winbind from source is currently
- quite tedious as it requires combining source code from two Samba
- branches. Work is underway to solve this by providing all
- the necessary functionality in the main Samba code branch.</P
-></LI
></UL
></DIV
><DIV
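Review bot: the context line directly above the removed list item still reads "that may be been set for Windows NT users"; since this hunk already edits the Limitations list, change it to "that may have been set".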
@@ -8256,7 +9081,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1733"
+NAME="AEN1890"
>9.7. Conclusion</A
></H1
><P
@@ -8280,7 +9105,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1747"
+NAME="AEN1904"
>10.1. FAQs</A
></H1
><DIV
@@ -8288,7 +9113,7 @@ CLASS="SECT2"
><H2
CLASS="SECT2"
><A
-NAME="AEN1749"
+NAME="AEN1906"
>10.1.1. How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></H2
@@ -8347,7 +9172,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1764"
+NAME="AEN1921"
>10.1.2. How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></H2
@@ -8400,7 +9225,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1773"
+NAME="AEN1930"
>10.1.3. Are there any other issues when OS/2 (any version)
is used as a client?</A
></H2
@@ -8422,7 +9247,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1777"
+NAME="AEN1934"
>10.1.4. How do I get printer driver download working
for OS/2 clients?</A
></H2
@@ -8478,7 +9303,7 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1793"
+NAME="AEN1950"
>11.1. Introduction</A
></H1
><P
@@ -8500,7 +9325,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1798"
+NAME="AEN1955"
>11.2. CVS Access to samba.org</A
></H1
><P
@@ -8513,7 +9338,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1801"
+NAME="AEN1958"
>11.2.1. Access via CVSweb</A
></H2
><P
@@ -8534,7 +9359,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1806"
+NAME="AEN1963"
>11.2.2. Access via cvs</A
></H2
><P
@@ -8640,14 +9465,14 @@ CLASS="COMMAND"
></DIV
><HR><H1
><A
-NAME="AEN1834"
+NAME="AEN1991"
>Index</A
></H1
><DL
><DT
>Primary Domain Controller,
<A
-HREF="x1103.htm"
+HREF="x1096.htm"
>Background</A
>
</DT
diff --git a/docs/htmldocs/Samba-PDC-HOWTO.html b/docs/htmldocs/Samba-PDC-HOWTO.html
index 53c466ee247..f9bde088985 100644
--- a/docs/htmldocs/Samba-PDC-HOWTO.html
+++ b/docs/htmldocs/Samba-PDC-HOWTO.html
@@ -410,16 +410,11 @@ CLASS="FILENAME"
>As Samba 2.2 does not offer a complete implementation of group mapping between
Windows NT groups and UNIX groups (this is really quite complicated to explain
in a short space), you should refer to the <A
-HREF="smb.conf.5.html#DOMAINADMINUSERS"
-TARGET="_top"
->domain
-admin users</A
-> and <A
HREF="smb.conf.5.html#DOMAINADMINGROUP"
TARGET="_top"
>domain
admin group</A
-> smb.conf parameters for information of creating a Domain Admins
+> smb.conf parameter for information of creating "Domain Admins"
style accounts.</P
></DIV
><DIV
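Review bot: the rewritten sentence keeps "for information of creating", which should read "for information on creating". With the "domain admin users" link removed, it is also worth checking that no other page still links to smb.conf.5.html#DOMAINADMINUSERS.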
@@ -427,7 +422,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN94"
+NAME="AEN93"
>Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></H1
@@ -485,7 +480,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN108"
+NAME="AEN107"
>Manually creating machine trust accounts</A
></H2
><P
@@ -504,9 +499,20 @@ CLASS="PROMPT"
>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
CLASS="REPLACEABLE"
><I
->machine_nickname</I
+>"machine
+nickname"</I
></TT
-> -m -s /bin/false <TT
+> -s /bin/false <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+>$ </P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>passwd -l <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
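Review bot: the new "passwd -l machine_name$" step is added with no explanation in the lines shown here. If the paragraph that follows does not already say so, add a sentence stating that it locks the UNIX password of the machine trust account so the account cannot be used for a login. The replaceable text "machine nickname" is also split across two source lines inside the command; keep it on one line so the rendered command can be copied intact.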
@@ -616,7 +622,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN136"
+NAME="AEN138"
>Creating machine trust accounts "on the fly"</A
></H2
><P
@@ -646,7 +652,7 @@ CLASS="EMPHASIS"
<I
CLASS="EMPHASIS"
>SHOULD</I
-> be set to s different password that the
+> be set to a different password that the
associated <TT
CLASS="FILENAME"
>/etc/passwd</TT
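Review bot: the corrected line still reads "be set to a different password that the associated /etc/passwd entry"; "that" should be "than". Fix it in the same change as the "s" to "a" correction.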
@@ -658,7 +664,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN147"
+NAME="AEN149"
>Common Problems and Errors</A
></H1
><P
@@ -853,7 +859,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN195"
+NAME="AEN197"
>System Policies and Profiles</A
></H1
><P
@@ -1015,7 +1021,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN239"
+NAME="AEN241"
>What other help can I get ?</A
></H1
><P
@@ -1417,7 +1423,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN353"
+NAME="AEN355"
>Domain Control for Windows 9x/ME</A
></H1
><DIV
@@ -1553,7 +1559,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN383"
+NAME="AEN385"
>Configuration Instructions: Network Logons</A
></H2
><P
@@ -1715,7 +1721,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN417"
+NAME="AEN419"
>Configuration Instructions: Setting up Roaming User Profiles</A
></H2
><DIV
@@ -1763,7 +1769,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN425"
+NAME="AEN427"
>Windows NT Configuration</A
></H3
><P
@@ -1798,7 +1804,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN433"
+NAME="AEN435"
>Windows 9X Configuration</A
></H3
><P
@@ -1829,7 +1835,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN441"
+NAME="AEN443"
>Win9X and WinNT Configuration</A
></H3
><P
@@ -1858,7 +1864,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN448"
+NAME="AEN450"
>Windows 9X Profile Setup</A
></H3
><P
@@ -1867,7 +1873,7 @@ as are folders "Start Menu", "Desktop", "Programs" and "Nethood".
These directories and their contents will be merged with the local
versions stored in c:\windows\profiles\username on subsequent logins,
taking the most recent from each. You will need to use the [global]
-options "preserve case = yes", "short case preserve = yes" and
+options "preserve case = yes", "short preserve case = yes" and
"case sensitive = no" in order to maintain capital letters in shortcuts
in any of the profile folders.</P
><P
@@ -2015,7 +2021,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN484"
+NAME="AEN486"
>Windows NT Workstation 4.0</A
></H3
><P
@@ -2097,7 +2103,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN497"
+NAME="AEN499"
>Windows NT Server</A
></H3
><P
@@ -2111,7 +2117,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
-NAME="AEN500"
+NAME="AEN502"
>Sharing Profiles between W95 and NT Workstation 4.0</A
></H3
><DIV
@@ -2176,7 +2182,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN510"
+NAME="AEN512"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
><DIV
diff --git a/docs/htmldocs/UNIX_INSTALL.html b/docs/htmldocs/UNIX_INSTALL.html
index f979e57b67a..7194e1154ec 100644
--- a/docs/htmldocs/UNIX_INSTALL.html
+++ b/docs/htmldocs/UNIX_INSTALL.html
@@ -736,20 +736,25 @@ NAME="AEN182"
The second is the "deny modes" that are specified when a file
is open.</P
><P
->Samba supports "record locking" using the fcntl() unix system
- call. This is often implemented using rpc calls to a rpc.lockd process
- running on the system that owns the filesystem. Unfortunately many
- rpc.lockd implementations are very buggy, particularly when made to
- talk to versions from other vendors. It is not uncommon for the
- rpc.lockd to crash.</P
-><P
->There is also a problem translating the 32 bit lock
- requests generated by PC clients to 31 bit requests supported
- by most unixes. Unfortunately many PC applications (typically
- OLE2 applications) use byte ranges with the top bit set
- as semaphore sets. Samba attempts translation to support
- these types of applications, and the translation has proved
- to be quite successful.</P
+>Record locking semantics under Unix is very
+ different from record locking under Windows. Versions
+ of Samba before 2.2 have tried to use the native
+ fcntl() unix system call to implement proper record
+ locking between different Samba clients. This can not
+ be fully correct due to several reasons. The simplest
+ is the fact that a Windows client is allowed to lock a
+ byte range up to 2^32 or 2^64, depending on the client
+ OS. The unix locking only supports byte ranges up to
+ 2^31. So it is not possible to correctly satisfy a
+ lock request above 2^31. There are many more
+ differences, too many to be listed here.</P
+><P
+>Samba 2.2 and above implements record locking
+ completely independent of the underlying unix
+ system. If a byte range lock that the client requests
+ happens to fall into the range 0-2^31, Samba hands
+ this request down to the Unix system. All other locks
+ can not be seen by unix anyway.</P
><P
>Strictly a SMB server should check for locks before
every read and write call on a file. Unfortunately with the
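Review bot: the new closing sentence, "All other locks can not be seen by unix anyway", leaves the practical consequence unstated. Say explicitly that a byte range lock above 2^31 is enforced only between Samba clients and gives no protection against local or NFS processes touching the same file. Wording: "Record locking semantics under Unix is" should be "are", and "can not" should be "cannot" in both places.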
diff --git a/docs/htmldocs/nmbd.8.html b/docs/htmldocs/nmbd.8.html
index 29bd8180407..31afa11cf89 100644
--- a/docs/htmldocs/nmbd.8.html
+++ b/docs/htmldocs/nmbd.8.html
@@ -36,7 +36,7 @@ NAME="AEN8"
><P
><B
CLASS="COMMAND"
->smbd</B
+>nmbd</B
> [-D] [-a] [-o] [-P] [-h] [-V] [-d &#60;debug level&#62;] [-H &#60;lmhosts file&#62;] [-l &#60;log file&#62;] [-n &#60;primary netbios name&#62;] [-p &#60;port number&#62;] [-s &#60;configuration file&#62;]</P
></DIV
><DIV
@@ -559,23 +559,25 @@ CLASS="COMMAND"
the <TT
CLASS="FILENAME"
>log.nmb</TT
-> file. In addition, the debug log level
- of nmbd may be raised by sending it a SIGUSR1 (<B
-CLASS="COMMAND"
->kill -USR1
- &#60;nmbd-pid&#62;</B
->) and lowered by sending it a
- SIGUSR2 (<B
+> file.</P
+><P
+>The debug log level of nmbd may be raised or lowered using
+ <A
+HREF="smbcontrol.1.html"
+TARGET="_top"
+><B
CLASS="COMMAND"
->kill -USR2 &#60;nmbd-pid&#62;</B
->). This is to
- allow transient problems to be diagnosed, whilst still running at a
- normally low log level.</P
+>smbcontrol(1)</B
+>
+ </A
+> (SIGUSR[1|2] signals are no longer used in Samba 2.2). This is
+ to allow transient problems to be diagnosed, whilst still running
+ at a normally low log level.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN186"
+NAME="AEN187"
></A
><H2
>VERSION</H2
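Review bot: the rewritten paragraph removes the two concrete "kill -USR1/-USR2 &#60;nmbd-pid&#62;" commands and replaces them with a bare link to smbcontrol(1), so the reader no longer sees how to change the level. Show the equivalent smbcontrol invocation here. "SIGUSR[1|2] signals" would read better as "the SIGUSR1 and SIGUSR2 signals", and the line break before the closing anchor tag puts trailing whitespace inside the link.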
@@ -586,7 +588,7 @@ NAME="AEN186"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN189"
+NAME="AEN190"
></A
><H2
>SEE ALSO</H2
@@ -651,7 +653,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN206"
+NAME="AEN207"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/printer_driver2.html b/docs/htmldocs/printer_driver2.html
index a4c76aad4e8..36d66c1c803 100644
--- a/docs/htmldocs/printer_driver2.html
+++ b/docs/htmldocs/printer_driver2.html
@@ -231,7 +231,7 @@ CLASS="PARAMETER"
> is used to allow administrative
level user accounts to have write access in order to update files
on the share. See the <A
-HREF="smb./conf.5.html"
+HREF="smb.conf.5.html"
TARGET="_top"
>smb.conf(5)
man page</A
diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html
index a24e7bdcab1..2c7510e7491 100644
--- a/docs/htmldocs/smb.conf.5.html
+++ b/docs/htmldocs/smb.conf.5.html
@@ -150,7 +150,7 @@ NAME="AEN28"
>Sections other than guest services will require a password
to access them. The client provides the username. As older clients
only provide passwords and not usernames, you may specify a list
- of usernames to check against the password using the "user="
+ of usernames to check against the password using the "user ="
option in the share definition. For modern clients such as
Windows 95/98/ME/NT/2000, this should not be necessary.</P
><P
@@ -272,7 +272,7 @@ NAME="AEN53"
></UL
><P
>If you decide to use a <EM
->path=</EM
+>path =</EM
> line
in your [homes] section then you may find it useful
to use the %S macro. For example :</P
@@ -280,7 +280,7 @@ NAME="AEN53"
><TT
CLASS="USERINPUT"
><B
->path=/data/pchome/%S</B
+>path = /data/pchome/%S</B
></TT
></P
><P
@@ -336,14 +336,16 @@ CLASS="COMPUTEROUTPUT"
> flag for
auto home directories will be inherited from the global browseable
flag, not the [homes] browseable flag. This is useful as
- it means setting browseable=no in the [homes] section
- will hide the [homes] share but make any auto home
- directories visible.</P
+ it means setting <EM
+>browseable = no</EM
+> in
+ the [homes] section will hide the [homes] share but make
+ any auto home directories visible.</P
></DIV
><DIV
CLASS="REFSECT2"
><A
-NAME="AEN78"
+NAME="AEN79"
></A
><H3
>The [printers] section</H3
@@ -460,7 +462,7 @@ CLASS="COMPUTEROUTPUT"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN101"
+NAME="AEN102"
></A
><H2
>PARAMETERS</H2
@@ -498,7 +500,7 @@ NAME="AEN101"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN111"
+NAME="AEN112"
></A
><H2
>VARIABLE SUBSTITUTIONS</H2
@@ -605,7 +607,7 @@ CLASS="VARIABLELIST"
not compiled Samba with the <EM
>--with-automount</EM
>
- option then this value will be the same as %.</P
+ option then this value will be the same as %L.</P
></DD
><DT
>%p</DT
@@ -684,7 +686,7 @@ CLASS="REPLACEABLE"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN201"
+NAME="AEN202"
></A
><H2
>NAME MANGLING</H2
@@ -707,7 +709,7 @@ NAME="AEN201"
CLASS="VARIABLELIST"
><DL
><DT
->mangle case= yes/no</DT
+>mangle case = yes/no</DT
><DD
><P
> controls if names that have characters that
@@ -769,7 +771,7 @@ CLASS="VARIABLELIST"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN234"
+NAME="AEN235"
></A
><H2
>NOTE ABOUT USERNAME/PASSWORD VALIDATION</H2
@@ -828,9 +830,9 @@ CLASS="FILENAME"
> file for the service and the client
has supplied a password, and that password matches (according to
the UNIX system's password checking) with one of the usernames
- from the "user=" field then the connection is made as
- the username in the "user=" line. If one
- of the username in the "user=" list begins with a
+ from the "user =" field then the connection is made as
+ the username in the "user =" line. If one
+ of the username in the "user =" list begins with a
'@' then that name expands to a list of names in
the group of the same name.</P
></LI
@@ -846,7 +848,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN253"
+NAME="AEN254"
></A
><H2
>COMPLETE LIST OF GLOBAL PARAMETERS</H2
@@ -859,6 +861,18 @@ NAME="AEN253"
><LI
><P
><A
+HREF="#ABORTSHUTDOWNSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>abort shutdown script</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#ADDPRINTERCOMMAND"
><TT
CLASS="PARAMETER"
@@ -895,6 +909,18 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#ADDMACHINESCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>add machine script</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#ALLOWTRUSTEDDOMAINS"
><TT
CLASS="PARAMETER"
@@ -1195,6 +1221,18 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#DISABLESPOOLSS"
+><TT
+CLASS="PARAMETER"
+><I
+>disable spoolss</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#DNSPROXY"
><TT
CLASS="PARAMETER"
@@ -1423,6 +1461,78 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#LDAPADMINDN"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap admin dn</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPFILTER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap filter</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPPORT"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap port</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap server</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPSSL"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap ssl</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPSUFFIX"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap suffix</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#LMANNOUNCE"
><TT
CLASS="PARAMETER"
@@ -2251,6 +2361,18 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#SHUTDOWNSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>shutdown script</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#SMBPASSWDFILE"
><TT
CLASS="PARAMETER"
@@ -2383,6 +2505,42 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#SSLEGDSOCKET"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl egd socket</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLENTROPYBYTES"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy bytes</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLENTROPYFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy file</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#SSLHOSTS"
><TT
CLASS="PARAMETER"
@@ -2659,6 +2817,18 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#UTMP"
+><TT
+CLASS="PARAMETER"
+><I
+>utmp</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#UTMPDIRECTORY"
><TT
CLASS="PARAMETER"
@@ -2695,6 +2865,30 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#WINBINDENUMUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>winbind enum users</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINBINDENUMGROUPS"
+><TT
+CLASS="PARAMETER"
+><I
+>winbind enum groups</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#WINBINDGID"
><TT
CLASS="PARAMETER"
@@ -2805,7 +2999,7 @@ CLASS="PARAMETER"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN905"
+NAME="AEN970"
></A
><H2
>COMPLETE LIST OF SERVICE PARAMETERS</H2
@@ -3958,18 +4152,6 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#SHAREMODES"
-><TT
-CLASS="PARAMETER"
-><I
->share modes</I
-></TT
-></A
-></P
-></LI
-><LI
-><P
-><A
HREF="#SHORTPRESERVECASE"
><TT
CLASS="PARAMETER"
@@ -4030,11 +4212,11 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#USER"
+HREF="#USECLIENTDRIVER"
><TT
CLASS="PARAMETER"
><I
->user</I
+>use client driver</I
></TT
></A
></P
@@ -4042,11 +4224,11 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#USERNAME"
+HREF="#USER"
><TT
CLASS="PARAMETER"
><I
->username</I
+>user</I
></TT
></A
></P
@@ -4054,11 +4236,11 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#USERS"
+HREF="#USERNAME"
><TT
CLASS="PARAMETER"
><I
->users</I
+>username</I
></TT
></A
></P
@@ -4066,11 +4248,11 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#UTMP"
+HREF="#USERS"
><TT
CLASS="PARAMETER"
><I
->utmp</I
+>users</I
></TT
></A
></P
@@ -4224,7 +4406,7 @@ CLASS="PARAMETER"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN1377"
+NAME="AEN1438"
></A
><H2
>EXPLANATION OF EACH PARAMETER</H2
@@ -4235,6 +4417,46 @@ CLASS="VARIABLELIST"
><DL
><DT
><A
+NAME="ABORTSHUTDOWNSCRIPT"
+></A
+>abort shutdown script (G)</DT
+><DD
+><P
+><EM
+>This parameter only exists in the HEAD cvs branch</EM
+>
+ This a full path name to a script called by
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> that
+ should stop a shutdown procedure issued by the <A
+HREF="#SHUTDOWNSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>shutdown script</I
+></TT
+></A
+>.</P
+><P
+>This command will be run as user.</P
+><P
+>Default: <EM
+>None</EM
+>.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>abort shutdown script = /sbin/shutdown -c</B
+></P
+></DD
+><DT
+><A
NAME="ADDPRINTERCOMMAND"
></A
>add printer command (G)</DT
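Review bot: "This command will be run as user." in the new abort shutdown script entry does not say which user. Because the example is "/sbin/shutdown -c", the account and privileges smbd uses to run the script need to be stated. "This a full path name" is also missing "is".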
@@ -4543,6 +4765,37 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="ADDMACHINESCRIPT"
+></A
+>add machine script (G)</DT
+><DD
+><P
+>This is the full pathname to a script that will
+ be run by <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> when a machine is added
+ to it's domain using the administrator username and password method. </P
+><P
+>This option is only required when using sam back-ends tied to the
+ Unix uid method of RID calculation such as smbpasswd. This option is only
+ available in Samba 3.0.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>add machine script = &#60;empty string&#62;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
+ </B
+></P
+></DD
+><DT
+><A
NAME="ADDUSERSCRIPT"
></A
>add user script (G)</DT
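Review bot: the add machine script entry does not say which account smbd runs the script as, although the example calls /usr/sbin/adduser and passes the client-supplied %u to it; state the privilege level and any restriction on the characters %u may contain. "to it's domain" should be "to its domain".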
@@ -4579,12 +4832,12 @@ TARGET="_top"
must be set to <TT
CLASS="PARAMETER"
><I
->security=server</I
+>security = server</I
></TT
> or <TT
CLASS="PARAMETER"
><I
-> security=domain</I
+> security = domain</I
></TT
> and <TT
CLASS="PARAMETER"
@@ -4823,7 +5076,7 @@ NAME="ANNOUNCEVERSION"
><P
>Default: <B
CLASS="COMMAND"
->announce version = 4.2</B
+>announce version = 4.5</B
></P
><P
>Example: <B
@@ -5191,7 +5444,7 @@ NAME="CASESENSITIVE"
><DD
><P
>See the discussion in the section <A
-HREF="#AEN201"
+HREF="#AEN202"
>NAME MANGLING</A
>.</P
><P
@@ -5779,7 +6032,7 @@ CLASS="COMMAND"
><A
NAME="CODINGSYSTEM"
></A
->codingsystem (G)</DT
+>coding system (G)</DT
><DD
><P
>This parameter is used to determine how incoming
@@ -6043,7 +6296,7 @@ HREF="#DIRECTORYMODE"
> <TT
CLASS="PARAMETER"
><I
->directory mode"</I
+>directory mode</I
></TT
></A
> parameter for masking
@@ -6286,14 +6539,14 @@ NAME="DEFAULTCASE"
><DD
><P
>See the section on <A
-HREF="#AEN201"
+HREF="#AEN202"
> NAME MANGLING</A
>. Also note the <A
HREF="#SHORTPRESERVECASE"
> <TT
CLASS="PARAMETER"
><I
->short preserve case"</I
+>short preserve case</I
></TT
></A
> parameter.</P
@@ -6581,7 +6834,7 @@ HREF="#ADDSHARECOMMAND"
><TT
CLASS="PARAMETER"
><I
->delete share
+>add share
command</I
></TT
></A
@@ -6591,7 +6844,7 @@ HREF="#CHANGESHARECOMMAND"
CLASS="PARAMETER"
><I
>change
- share</I
+ share command</I
></TT
></A
>.
@@ -6646,7 +6899,7 @@ CLASS="COMMAND"
set to <TT
CLASS="PARAMETER"
><I
->security=domain</I
+>security = domain</I
></TT
> and <TT
CLASS="PARAMETER"
@@ -6676,13 +6929,13 @@ CLASS="PARAMETER"
which will work with the <TT
CLASS="PARAMETER"
><I
->security=server</I
+>security = server</I
></TT
> option
as well as <TT
CLASS="PARAMETER"
><I
->security=domain</I
+>security = domain</I
></TT
>. The reason for this
is only when Samba is a domain member does it get the information
@@ -6690,7 +6943,7 @@ CLASS="PARAMETER"
<TT
CLASS="PARAMETER"
><I
->security=server</I
+>security = server</I
></TT
> mode a missing user
is treated the same as an invalid password logon attempt. Deleting
@@ -6745,7 +6998,7 @@ CLASS="PARAMETER"
><P
>See also <A
HREF="#SECURITYEQUALSDOMAIN"
->security=domain</A
+>security = domain</A
>,
<A
HREF="#PASSWORDSERVER"
@@ -7162,6 +7415,38 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="DISABLESPOOLSS"
+></A
+>disable spoolss (G)</DT
+><DD
+><P
+>Enabling this parameter will disables Samba's support
+ for the SPOOLSS set of MS-RPC's and will yield identical behavior
+ as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
+ Lanman style printing commands. Windows 9x/ME will be uneffected by
+ the parameter. However, this will also disable the ability to upload
+ printer drivers to a Samba server via the Windows NT Add Printer
+ Wizard or by using the NT printer properties dialog window. It will
+ also disable the capability of Windows NT/2000 clients to download
+ print drivers from the Samba host upon demand.
+ <EM
+>Be very careful about enabling this parameter.</EM
+>
+ </P
+><P
+>See also <A
+HREF="#USECLIENTDRIVER"
+>use client driver</A
+>
+ </P
+><P
+>Default : <B
+CLASS="COMMAND"
+>disable spoolss = no</B
+></P
+></DD
+><DT
+><A
NAME="DNSPROXY"
></A
>dns proxy (G)</DT
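Review bot: the first sentence of the new disable spoolss entry reads "Enabling this parameter will disables Samba's support", which should be "will disable". "uneffected" should be "unaffected", and "Default :" has a stray space before the colon that the other entries in this file do not use.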
@@ -7616,7 +7901,7 @@ CLASS="COMMAND"
> program for information on how to set up
and maintain this file), or set the <A
HREF="#SECURITY"
->security=[server|domain]</A
+>security = [server|domain]</A
> parameter which
causes <B
CLASS="COMMAND"
@@ -7639,10 +7924,7 @@ NAME="ENHANCEDBROWSING"
>This option enables a couple of enhancements to
cross-subnet browse propagation that have been added in Samba
but which are not standard in Microsoft implementations.
- <EM
->These enhancements are currently only available in
- the HEAD Samba CVS tree (not Samba 2.2.x).</EM
-></P
+ </P
><P
>The first enhancement to browse propagation consists of a regular
wildcard query to a Samba WINS server for all Domain Master Browsers,
@@ -8579,7 +8861,7 @@ CLASS="COMMAND"
><A
NAME="HIDEUNREADABLE"
></A
->hide unreadable(G)</DT
+>hide unreadable (S)</DT
><DD
><P
>This parameter prevents clients from seeing the
@@ -9199,7 +9481,7 @@ CLASS="PARAMETER"
the value <TT
CLASS="PARAMETER"
><I
->&#38;+group"</I
+>&#38;+group</I
></TT
> means check the NIS
netgroup database, followed by the UNIX group database (the
@@ -9317,12 +9599,9 @@ CLASS="COMMAND"
>This parameter defaults to <TT
CLASS="CONSTANT"
>on</TT
-> on systems
- that have the support, and <TT
-CLASS="CONSTANT"
->off</TT
-> on systems that
- don't. You should never need to touch this parameter.</P
+>, but is translated
+ to a no-op on systems that no not have the necessary kernel support.
+ You should never need to touch this parameter.</P
><P
>See also the <A
HREF="#OPLOCKS"
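Review bot: the replacement text reads "on systems that no not have the necessary kernel support"; "no not" should be "do not".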
@@ -9375,7 +9654,7 @@ CLASS="COMMAND"
><A
NAME="LARGEREADWRITE"
></A
->large readwrite(G)</DT
+>large readwrite (G)</DT
><DD
><P
>This parameter determines whether or not <A
@@ -9398,6 +9677,250 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="LDAPADMINDN"
+></A
+>ldap admin dn (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+> The <TT
+CLASS="PARAMETER"
+><I
+>ldap admin dn</I
+></TT
+> defines the Distinguished
+ Name (DN) name used by Samba to contact the <A
+HREF="#LDAPSERVER"
+>ldap
+ server</A
+> when retreiving user account information. The <TT
+CLASS="PARAMETER"
+><I
+>ldap
+ admin dn</I
+></TT
+> is used in conjunction with the admin dn password
+ stored in the <TT
+CLASS="FILENAME"
+>private/secrets.tdb</TT
+> file. See the
+ <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)</B
+></A
+> man
+ page for more information on how to accmplish this.
+ </P
+><P
+>Default : <EM
+>none</EM
+></P
+></DD
+><DT
+><A
+NAME="LDAPFILTER"
+></A
+>ldap filter (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+> This parameter specifies the RFC 2254 compliant LDAP search filter.
+ The default is to match the login name with the <TT
+CLASS="CONSTANT"
+>uid</TT
+>
+ attribute for all entries matching the <TT
+CLASS="CONSTANT"
+>sambaAccount</TT
+>
+ objectclass. Note that this filter should only return one entry.
+ </P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap filter = (&#38;(uid=%u)(objectclass=sambaAccount))</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPPORT"
+></A
+>ldap port (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+> This option is used to control the tcp port number used to contact
+ the <A
+HREF="#LDAPSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap server</I
+></TT
+></A
+>.
+ The default is to use the stand LDAP port 389.
+ </P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap port = 389</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPSERVER"
+></A
+>ldap server (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+> This parameter should contains the FQDN of the ldap directory
+ server which should be queried to locate user account information.
+ </P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap server = localhost</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPSSL"
+></A
+>ldap ssl (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+> This option is used to define whether or not Samba should
+ use SSL when connecting to the <A
+HREF="#LDAPSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap
+ server</I
+></TT
+></A
+>. This is <EM
+>NOT</EM
+> related to
+ Samba SSL support which is enabled by specifying the
+ <B
+CLASS="COMMAND"
+>--with-ssl</B
+> option to the <TT
+CLASS="FILENAME"
+>configure</TT
+>
+ script (see <A
+HREF="#SSL"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl</I
+></TT
+></A
+>).
+ </P
+><P
+> The <TT
+CLASS="PARAMETER"
+><I
+>ldap ssl</I
+></TT
+> can be set to one of three values:
+ (a) <B
+CLASS="COMMAND"
+>on</B
+> - Always use SSL when contacting the
+ <TT
+CLASS="PARAMETER"
+><I
+>ldap server</I
+></TT
+>, (b) <B
+CLASS="COMMAND"
+>off</B
+> -
+ Never use SSL when querying the directory, or (c) <B
+CLASS="COMMAND"
+>start
+ tls</B
+> - Use the LDAPv3 StartTLS extended operation
+ (RFC2830) for communicating with the directory server.
+ </P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap ssl = off</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPSUFFIX"
+></A
+>ldap suffix (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+>Default : <EM
+>none</EM
+></P
+></DD
+><DT
+><A
NAME="LEVEL2OPLOCKS"
></A
>level2 oplocks (S)</DT
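Review bot: the ldap suffix entry consists only of the shared "--with-ldapsam" paragraph and a default; it never says what the parameter does, so add a description. The ldap ssl entry gives "ldap ssl = off" as the default while ldap admin dn describes binding with a password kept in private/secrets.tdb; the text should note that with the default setting this bind and the returned account data are not protected in transit, and recommend "on" or "start tls" when the directory is not on localhost. Typos to fix across the six entries: "has been configure" (configured), "retreiving", "accmplish", "should contains", and "the stand LDAP port" (standard).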
@@ -9618,7 +10141,7 @@ NAME="LOADPRINTERS"
>A boolean variable that controls whether all
printers in the printcap will be loaded for browsing by default.
See the <A
-HREF="#AEN78"
+HREF="#AEN79"
>printers</A
> section for
more details.</P
@@ -9892,7 +10415,7 @@ CLASS="COMMAND"
in a NetUserGetInfo request. Win9X clients truncate the info to
\\server\share when a user does <B
CLASS="COMMAND"
->net use /home"</B
+>net use /home</B
>
but use the whole string when dealing with profiles.</P
><P
@@ -10501,7 +11024,7 @@ NAME="MACHINEPASSWORDTIMEOUT"
>If a Samba server is a member of a Windows
NT Domain (see the <A
HREF="#SECURITYEQUALSDOMAIN"
->security=domain</A
+>security = domain</A
>)
parameter) then periodically a running <A
HREF="smbd.8.html"
@@ -10526,7 +11049,7 @@ CLASS="COMMAND"
></A
>, and the <A
HREF="#SECURITYEQUALSDOMAIN"
-> security=domain</A
+> security = domain</A
>) parameter.</P
><P
>Default: <B
@@ -10633,7 +11156,7 @@ NAME="MANGLECASE"
><DD
><P
>See the section on <A
-HREF="#AEN201"
+HREF="#AEN202"
> NAME MANGLING</A
></P
><P
@@ -10705,7 +11228,7 @@ NAME="MANGLEDNAMES"
or whether non-DOS names should simply be ignored.</P
><P
>See the section on <A
-HREF="#AEN201"
+HREF="#AEN202"
> NAME MANGLING</A
> for details on how to control the mangling process.</P
><P
@@ -10826,7 +11349,7 @@ NAME="MANGLINGCHAR"
the <EM
>magic</EM
> character in <A
-HREF="#AEN201"
+HREF="#AEN202"
>name mangling</A
>. The default is a '~'
but this may interfere with some software. Use this option to set
@@ -10955,7 +11478,7 @@ HREF="#SECURITY"
> modes other than <TT
CLASS="PARAMETER"
><I
->security=share</I
+>security = share</I
></TT
>
- i.e. <TT
@@ -11424,7 +11947,7 @@ HREF="#WINSSUPPORT"
> <TT
CLASS="PARAMETER"
><I
->wins support=yes</I
+>wins support = yes</I
></TT
></A
>) what the maximum
@@ -11441,7 +11964,7 @@ HREF="#MINWINSTTL"
CLASS="PARAMETER"
><I
>min
- wins ttl"</I
+ wins ttl</I
></TT
></A
> parameter.</P
@@ -12494,7 +13017,7 @@ NAME="PAMPASSWORDCHANGE"
>With the addition of better PAM support in Samba 2.2,
this parameter, it is possible to use PAM's password change control
flag for Samba. If enabled, then PAM will be used for password
- changes when requested by an SMB client insted of the program listed in
+ changes when requested by an SMB client instead of the program listed in
<A
HREF="#PASSWDPROGRAM"
><TT
@@ -12514,7 +13037,7 @@ CLASS="PARAMETER"
></TT
></A
>
- paramater for most setups.
+ parameter for most setups.
</P
><P
>Default: <B
@@ -12589,19 +13112,39 @@ CLASS="PARAMETER"
on what local methods are used for password control (such as NIS
etc).</P
><P
->The string can contain the macros <TT
+>Note that this parameter only is only used if the <A
+HREF="#UNIXPASSWORDSYNC"
+><TT
CLASS="PARAMETER"
><I
->%o</I
+>unix
+ password sync</I
></TT
->
- and <TT
+></A
+> parameter is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>. This
+ sequence is then called <EM
+>AS ROOT</EM
+> when the SMB password
+ in the smbpasswd file is being changed, without access to the old
+ password cleartext. This means that root must be able to reset the user's password
+ without knowing the text of the previous password. In the presence of NIS/YP,
+ this means that the <A
+HREF="#PASSWDPROGRAM"
+>passwd program</A
+> must be
+ executed on the NIS master.
+ </P
+><P
+>The string can contain the macro <TT
CLASS="PARAMETER"
><I
>%n</I
></TT
-> which are substituted for the old
- and new passwords respectively. It can also contain the standard
+> which is substituted
+ for the new password. The chat sequence can also contain the standard
macros <TT
CLASS="CONSTANT"
>\n</TT
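Review bot: The added opening sentence reads "Note that this parameter only is only used if"; drop the first "only". Because this hunk removes %o from the macro description and states that the chat runs AS ROOT without the old password cleartext, the text should also say what happens to an existing chat string that still contains %o, so that administrators upgrading a working configuration know whether it needs editing.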
@@ -12613,41 +13156,18 @@ CLASS="CONSTANT"
> \t</TT
> and <TT
CLASS="CONSTANT"
->%s</TT
+>\s</TT
> to give line-feed,
- carriage-return, tab and space.</P
-><P
->The string can also contain a '*' which matches
- any sequence of characters.</P
-><P
->Double quotes can be used to collect strings with spaces
+ carriage-return, tab and space. The chat sequence string can also contain
+ a '*' which matches any sequence of characters.
+ Double quotes can be used to collect strings with spaces
in them into a single string.</P
><P
>If the send string in any part of the chat sequence
is a full stop ".", then no string is sent. Similarly,
if the expect string is a full stop then no string is expected.</P
><P
->Note that if the <A
-HREF="#UNIXPASSWORDSYNC"
-><TT
-CLASS="PARAMETER"
-><I
->unix
- password sync</I
-></TT
-></A
-> parameter is set to <TT
-CLASS="CONSTANT"
->true</TT
->, then this
- sequence is called <EM
->AS ROOT</EM
-> when the SMB password
- in the smbpasswd file is being changed, without access to the old
- password cleartext. In this case the old password cleartext is set
- to "" (the empty string).</P
-><P
->Also, if the <A
+>If the <A
HREF="#PAMPASSWORDCHANGE"
><TT
CLASS="PARAMETER"
@@ -13105,7 +13625,7 @@ CLASS="COMMAND"
>. This is a
restriction of the SMB/CIFS protocol when in <B
CLASS="COMMAND"
->security=server
+>security = server
</B
> mode and cannot be fixed in Samba.</P
></LI
@@ -13115,9 +13635,9 @@ CLASS="COMMAND"
password server then you will have to ensure that your users
are able to login from the Samba server, as when in <B
CLASS="COMMAND"
-> security=server</B
+> security = server</B
> mode the network logon will appear to
- come from there rather than from the user's workstation.</P
+ come from there rather than from the users workstation.</P
></LI
></UL
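Review bot: The last changed line replaces "the user's workstation" with "the users workstation", which removes a correct possessive apostrophe; keep "user's". The spacing change to "security = server" in the same hunk is fine.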
><P
@@ -13508,7 +14028,7 @@ CLASS="COMMAND"
></P
><P
>See the section on <A
-HREF="#AEN201"
+HREF="#AEN202"
>NAME
MANGLING</A
> for a fuller discussion.</P
@@ -13632,7 +14152,7 @@ CLASS="PARAMETER"
><P
>Default: For <B
CLASS="COMMAND"
->printing= BSD, AIX, QNX, LPRNG
+>printing = BSD, AIX, QNX, LPRNG
or PLP :</B
></P
><P
@@ -13643,7 +14163,7 @@ CLASS="COMMAND"
><P
>For <B
CLASS="COMMAND"
->printing= SYS or HPUX :</B
+>printing = SYS or HPUX :</B
></P
><P
><B
@@ -13653,7 +14173,7 @@ CLASS="COMMAND"
><P
>For <B
CLASS="COMMAND"
->printing=SOFTQ :</B
+>printing = SOFTQ :</B
></P
><P
><B
@@ -13746,7 +14266,7 @@ NAME="PRINTCAPNAME"
CLASS="FILENAME"
> /etc/printcap</TT
>). See the discussion of the <A
-HREF="#AEN78"
+HREF="#AEN79"
>[printers]</A
> section above for reasons
why you might want to do this.</P
@@ -14170,7 +14690,7 @@ TARGET="_top"
>This option can be set on a per printer basis</P
><P
>See also the discussion in the <A
-HREF="#AEN78"
+HREF="#AEN79"
> [printers]</A
> section.</P
></DD
@@ -15004,7 +15524,7 @@ CLASS="COMMAND"
>security = server</B
> or <B
CLASS="COMMAND"
->security=domain
+>security = domain
</B
>.</P
><P
@@ -15221,7 +15741,7 @@ CLASS="PARAMETER"
be used in granting access.</P
><P
>See also the section <A
-HREF="#AEN234"
+HREF="#AEN235"
> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
>.</P
><P
@@ -15234,7 +15754,7 @@ NAME="SECURITYEQUALSUSER"
></P
><P
>This is the default security setting in Samba 2.2.
- With user-level security a client must first "log=on" with a
+ With user-level security a client must first "log-on" with a
valid username and password (which can be mapped using the <A
HREF="#USERNAMEMAP"
><TT
@@ -15302,7 +15822,7 @@ CLASS="PARAMETER"
> parameter for details on doing this.</P
><P
>See also the section <A
-HREF="#AEN234"
+HREF="#AEN235"
> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
>.</P
><P
@@ -15378,7 +15898,7 @@ CLASS="PARAMETER"
> parameter for details on doing this.</P
><P
>See also the section <A
-HREF="#AEN234"
+HREF="#AEN235"
> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
>.</P
><P
@@ -15493,7 +16013,7 @@ CLASS="COMMAND"
Domain Controller. This issue will be addressed in a future release.</P
><P
>See also the section <A
-HREF="#AEN234"
+HREF="#AEN235"
> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
>.</P
><P
@@ -15671,64 +16191,6 @@ CLASS="COMMAND"
></DD
><DT
><A
-NAME="SHAREMODES"
-></A
->share modes (S)</DT
-><DD
-><P
->This enables or disables the honoring of
- the <TT
-CLASS="PARAMETER"
-><I
->share modes</I
-></TT
-> during a file open. These
- modes are used by clients to gain exclusive read or write access
- to a file.</P
-><P
->These open modes are not directly supported by UNIX, so
- they are simulated using shared memory, or lock files if your
- UNIX doesn't support shared memory (almost all do).</P
-><P
->The share modes that are enabled by this option are
- <TT
-CLASS="CONSTANT"
->DENY_DOS</TT
->, <TT
-CLASS="CONSTANT"
->DENY_ALL</TT
->,
- <TT
-CLASS="CONSTANT"
->DENY_READ</TT
->, <TT
-CLASS="CONSTANT"
->DENY_WRITE</TT
->,
- <TT
-CLASS="CONSTANT"
->DENY_NONE</TT
-> and <TT
-CLASS="CONSTANT"
->DENY_FCB</TT
->.
- </P
-><P
->This option gives full share compatibility and enabled
- by default.</P
-><P
->You should <EM
->NEVER</EM
-> turn this parameter
- off as many Windows applications will break if you do so.</P
-><P
->Default: <B
-CLASS="COMMAND"
->share modes = yes</B
-></P
-></DD
-><DT
-><A
NAME="SHORTPRESERVECASE"
></A
>short preserve case (S)</DT
@@ -15757,7 +16219,7 @@ CLASS="COMMAND"
names are lowered. </P
><P
>See the section on <A
-HREF="#AEN201"
+HREF="#AEN202"
> NAME MANGLING</A
>.</P
><P
@@ -15840,6 +16302,115 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="SHUTDOWNSCRIPT"
+></A
+>shutdown script (G)</DT
+><DD
+><P
+><EM
+>This parameter only exists in the HEAD cvs branch</EM
+>
+ This a full path name to a script called by
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> that
+ should start a shutdown procedure.</P
+><P
+>This command will be run as the user connected to the
+ server.</P
+><P
+>%m %t %r %f parameters are expanded</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%m</I
+></TT
+> will be substituted with the
+ shutdown message sent to the server.</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%t</I
+></TT
+> will be substituted with the
+ number of seconds to wait before effectively starting the
+ shutdown procedure.</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%r</I
+></TT
+> will be substituted with the
+ switch <EM
+>-r</EM
+>. It means reboot after shutdown
+ for NT.
+ </P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%f</I
+></TT
+> will be substituted with the
+ switch <EM
+>-f</EM
+>. It means force the shutdown
+ even if applications do not respond for NT.</P
+><P
+>Default: <EM
+>None</EM
+>.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f</B
+></P
+><P
+>Shutdown script example:
+ <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+> #!/bin/bash
+
+ $time=0
+ let "time/60"
+ let "time++"
+
+ /sbin/shutdown $3 $4 +$time $1 &#38;
+ </PRE
+></TD
+></TR
+></TABLE
+>
+ Shutdown does not return so we need to launch it in background.
+ </P
+><P
+>See also <A
+HREF="#ABORTSHUTDOWNSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>abort shutdown script</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
NAME="SMBPASSWDFILE"
></A
>smb passwd file (G)</DT
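Review bot: The "Example:" line of the new shutdown script entry shows "abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f", which names the other parameter; it should read "shutdown script = ...". The sample script also does not do what the text describes: "$time=0" is not a valid bash assignment and never reads the %t value (the second argument), "let "time/60"" evaluates without assigning, and "$1" (the %m message, which the text says is sent to the server) is passed to /sbin/shutdown unquoted, so it is subject to word splitting and glob expansion. Suggest time=$2, let "time/=60" and quoting "$1". "This a full path name" is missing "is", and the entry should say what privileges the connected user needs, since it states the command runs as that user while the example calls /sbin/shutdown.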
@@ -15974,10 +16545,10 @@ TARGET="_top"
or disable the option, by default they will be enabled if you
don't specify 1 or 0.</P
><P
->To specify an argument use the syntax SOME_OPTION=VALUE
+>To specify an argument use the syntax SOME_OPTION = VALUE
for example <B
CLASS="COMMAND"
->SO_SNDBUF=8192</B
+>SO_SNDBUF = 8192</B
>. Note that you must
not have any spaces before or after the = sign.</P
><P
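Review bot: The changed lines now show "SOME_OPTION = VALUE" and "SO_SNDBUF = 8192", but the next sentence of the same paragraph still says "Note that you must not have any spaces before or after the = sign". The whitespace normalisation used for smb.conf parameters elsewhere in this commit should not be applied to socket option arguments; revert these two lines to SOME_OPTION=VALUE and SO_SNDBUF=8192.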
@@ -16037,7 +16608,7 @@ CLASS="COMMAND"
><P
><B
CLASS="COMMAND"
->SAMBA_NETBIOS_NAME=myhostname</B
+>SAMBA_NETBIOS_NAME = myhostname</B
></P
><P
>Default: <EM
@@ -16071,14 +16642,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>This variable enables or disables the entire SSL mode. If
it is set to <TT
CLASS="CONSTANT"
@@ -16109,7 +16672,7 @@ CLASS="PARAMETER"
><P
>Default: <B
CLASS="COMMAND"
->ssl=no</B
+>ssl = no</B
></P
></DD
><DT
@@ -16127,14 +16690,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>This variable defines where to look up the Certification
Authorities. The given directory should contain one file for
each CA that Samba will trust. The file name must be the hash
@@ -16164,14 +16719,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>This variable is a second way to define the trusted CAs.
The certificates of the trusted CAs are collected in one big
file and this variable points to the file. You will probably
@@ -16202,14 +16749,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>This variable defines the ciphers that should be offered
during SSL negotiation. You should not set this variable unless
you know what you are doing.</P
@@ -16229,14 +16768,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>The certificate in this file is used by <A
HREF="smbclient.1.html"
TARGET="_top"
@@ -16268,14 +16799,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>This is the private key for <A
HREF="smbclient.1.html"
TARGET="_top"
@@ -16307,18 +16830,10 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
->This variable defines whether SSLeay should be configured
+>This variable defines whether OpenSSL should be configured
for bug compatibility with other SSL implementations. This is
probably not desirable because currently no clients with SSL
- implementations other than SSLeay exist.</P
+ implementations other than OpenSSL exist.</P
><P
>Default: <B
CLASS="COMMAND"
@@ -16327,6 +16842,104 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="SSLEGDSOCKET"
+></A
+>ssl egd socket (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+> This option is used to define the location of the communiation socket of
+ an EGD or PRNGD daemon, from which entropy can be retrieved. This option
+ can be used instead of or together with the <A
+HREF="#SSLENTROPYFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy file</I
+></TT
+></A
+>
+ directive. 255 bytes of entropy will be retrieved from the daemon.
+ </P
+><P
+>Default: <EM
+>none</EM
+></P
+></DD
+><DT
+><A
+NAME="SSLENTROPYBYTES"
+></A
+>ssl entropy bytes (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+> This parameter is used to define the number of bytes which should
+ be read from the <A
+HREF="#SSLENTROPYFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy
+ file</I
+></TT
+></A
+> If a -1 is specified, the entire file will
+ be read.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl entropy bytes = 255</B
+></P
+></DD
+><DT
+><A
+NAME="SSLENTROPYFILE"
+></A
+>ssl entropy file (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+> This parameter is used to specify a file from which processes will
+ read "random bytes" on startup. In order to seed the internal pseudo
+ random number generator, entropy must be provided. On system with a
+ <TT
+CLASS="FILENAME"
+>/dev/urandom</TT
+> device file, the processes
+ will retrieve its entropy from the kernel. On systems without kernel
+ entropy support, a file can be supplied that will be read on startup
+ and that will be used to seed the PRNG.
+ </P
+><P
+>Default: <EM
+>none</EM
+></P
+></DD
+><DT
+><A
NAME="SSLHOSTS"
></A
>ssl hosts (G)</DT
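Review bot: Three wording defects in the added entropy entries: "communiation socket" under ssl egd socket should be "communication socket"; under ssl entropy bytes the sentence ending at the "ssl entropy file" link has no full stop before "If a -1 is specified"; and under ssl entropy file, "On system with a /dev/urandom device file, the processes will retrieve its entropy" should read "On systems with ..." and "their entropy". It would also help to state how ssl entropy bytes (default 255) relates to the fixed "255 bytes of entropy" read from the EGD socket, since the two entries give the same number without saying whether one controls the other.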
@@ -16357,14 +16970,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>These two variables define whether Samba will go
into SSL mode or not. If none of them is defined, Samba will
allow only SSL connections. If the <A
@@ -16439,14 +17044,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>If this variable is set to <TT
CLASS="CONSTANT"
>yes</TT
@@ -16505,14 +17102,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>If this variable is set to <TT
CLASS="CONSTANT"
>yes</TT
@@ -16558,14 +17147,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>This is the file containing the server's certificate.
The server <EM
>must</EM
@@ -16594,14 +17175,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>This file contains the private key of the server. If
this variable is not defined, the key is looked up in the
certificate file (it may be appended to the certificate).
@@ -16634,14 +17207,6 @@ CLASS="COMMAND"
> was
given at configure time.</P
><P
-><EM
->Note</EM
-> that for export control reasons
- this code is <EM
->NOT</EM
-> enabled by default in any
- current binary version of Samba.</P
-><P
>This enumeration variable defines the versions of the
SSL protocol that will be used. <TT
CLASS="CONSTANT"
@@ -16936,11 +17501,6 @@ NAME="TEMPLATEHOMEDIR"
>template homedir (G)</DT
><DD
><P
-><EM
->NOTE:</EM
-> this parameter is
- only available in Samba 3.0.</P
-><P
>When filling out the user information for a Windows NT
user, the <A
HREF="winbindd.8.html"
@@ -16975,11 +17535,6 @@ NAME="TEMPLATESHELL"
>template shell (G)</DT
><DD
><P
-><EM
->NOTE:</EM
-> this parameter is
- only available in Samba 3.0.</P
-><P
>When filling out the user information for a Windows NT
user, the <A
HREF="winbindd.8.html"
@@ -17199,6 +17754,56 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="USECLIENTDRIVER"
+></A
+>use client driver (S)</DT
+><DD
+><P
+>This parameter applies only to Windows NT/2000
+ clients. It has no affect on Windows 95/98/ME clients. When
+ serving a printer to Windows NT/2000 clients without first installing
+ a valid printer driver on the Samba host, the client will be required
+ to install a local printer driver. From this point on, the client
+ will treat the print as a local printer and not a network printer
+ connection. This is much the same behavior that will occur
+ when <B
+CLASS="COMMAND"
+>disable spoolss = yes</B
+>. </P
+><P
+>The differentiating
+ factor is that under normal circumstances, the NT/2000 client will
+ attempt to open the network printer using MS-RPC. The problem is that
+ because the client considers the printer to be local, it will attempt
+ to issue the OpenPrinterEx() call requesting access rights associated
+ with the logged on user. If the user possesses local administator rights
+ but not root privilegde on the Samba host (often the case), the OpenPrinterEx()
+ call will fail. The result is that the client will now display an "Access
+ Denied; Unable to connect" message in the printer queue window (even though
+ jobs may successfully be printed). </P
+><P
+>If this parameter is enabled for a printer, then any attempt
+ to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
+ to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
+ call to succeed. <EM
+>This parameter MUST not be able enabled
+ on a print share which has valid print driver installed on the Samba
+ server.</EM
+></P
+><P
+>See also <A
+HREF="#DISABLESPOOLSS"
+>disable spoolss</A
+>
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>use client driver = no</B
+></P
+></DD
+><DT
+><A
NAME="USERHOSTS"
></A
>use rhosts (G)</DT
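Review bot: The emphasised warning closing the third paragraph, "This parameter MUST not be able enabled on a print share which has valid print driver installed", is garbled; it should read "MUST NOT be enabled on a print share which has a valid print driver installed". Since the option maps PRINTER_ACCESS_ADMINISTER requests to PRINTER_ACCESS_USE, this is the sentence readers most need to parse correctly. Also fix "It has no affect" (effect), "will treat the print as a local printer" (printer), "administator" and "privilegde", and join the fragment "Thus allowing the OpenPrinterEx() call to succeed." to the preceding sentence.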
@@ -17352,7 +17957,7 @@ CLASS="PARAMETER"
search.</P
><P
>See the section <A
-HREF="#AEN234"
+HREF="#AEN235"
>NOTE ABOUT
USERNAME/PASSWORD VALIDATION</A
> for more information on how
@@ -17562,7 +18167,7 @@ CLASS="COMMAND"
><A
NAME="UTMP"
></A
->utmp (S)</DT
+>utmp (G)</DT
><DD
><P
>This boolean parameter is only available if
@@ -17837,14 +18442,25 @@ CLASS="PARAMETER"
> option
is applicable in vetoing files.</P
><P
->One feature of the veto files parameter that it is important
- to be aware of, is that if a directory contains nothing but files
- that match the veto files parameter (which means that Windows/DOS
- clients cannot ever see them) is deleted, the veto files within
- that directory <EM
->are automatically deleted</EM
-> along
- with it, if the user has UNIX permissions to do so.</P
+>One feature of the veto files parameter that it
+ is important to be aware of is Samba's behaviour when
+ trying to delete a directory. If a directory that is
+ to be deleted contains nothing but veto files this
+ deletion will <EM
+>fail</EM
+> unless you also set
+ the <TT
+CLASS="PARAMETER"
+><I
+>delete veto files</I
+></TT
+> parameter to
+ <TT
+CLASS="PARAMETER"
+><I
+>yes</I
+></TT
+>.</P
><P
>Setting this parameter will affect the performance
of Samba, as it will be forced to check all files and directories
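Review bot: In the rewritten paragraph the value "yes" is marked up with CLASS="PARAMETER", whereas values elsewhere in this diff use CLASS="CONSTANT" (for example the "yes" in the passwd chat entry); use CONSTANT here. Because the documented behaviour changes from automatic deletion of vetoed files to the directory delete failing, the mention of "delete veto files" would be more useful as a cross-reference link in the style of the other parameter references.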
@@ -17944,7 +18560,7 @@ CLASS="FILENAME"
><P
>Example: <B
CLASS="COMMAND"
->veto oplock files = /*;.SEM/
+>veto oplock files = /*.SEM/
</B
></P
></DD
@@ -18033,11 +18649,6 @@ NAME="WINBINDCACHETIME"
>winbind cache time</DT
><DD
><P
-><EM
->NOTE:</EM
-> this parameter is only
- available in Samba 3.0.</P
-><P
>This parameter specifies the number of seconds the
<A
HREF="winbindd.8.html"
@@ -18054,15 +18665,113 @@ CLASS="COMMAND"
></DD
><DT
><A
-NAME="WINBINDGID"
+NAME="WINBINDENUMUSERS"
></A
->winbind gid</DT
+>winbind enum
+ users</DT
><DD
><P
+>On large installations using
+ <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> it may be
+ necessary to suppress the enumeration of users through the
+ <B
+CLASS="COMMAND"
+> setpwent()</B
+>,
+ <B
+CLASS="COMMAND"
+>getpwent()</B
+> and
+ <B
+CLASS="COMMAND"
+>endpwent()</B
+> group of system calls. If
+ the <TT
+CLASS="PARAMETER"
+><I
+>winbind enum users</I
+></TT
+> parameter is
+ false, calls to the <B
+CLASS="COMMAND"
+>getpwent</B
+> system call
+ will not return any data. </P
+><P
><EM
->NOTE:</EM
-> this parameter is only
- available in Samba 3.0.</P
+>Warning:</EM
+> Turning off user
+ enumeration may cause some programs to behave oddly. For
+ example, the finger program relies on having access to the
+ full user list when searching for matching
+ usernames. </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind enum users = yes </B
+></P
+></DD
+><DT
+><A
+NAME="WINBINDENUMGROUPS"
+></A
+>winbind enum
+ groups</DT
+><DD
+><P
+>On large installations using
+ <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> it may be
+ necessary to suppress the enumeration of groups through the
+ <B
+CLASS="COMMAND"
+> setgrent()</B
+>,
+ <B
+CLASS="COMMAND"
+>getgrent()</B
+> and
+ <B
+CLASS="COMMAND"
+>endgrent()</B
+> group of system calls. If
+ the <TT
+CLASS="PARAMETER"
+><I
+>winbind enum groups</I
+></TT
+> parameter is
+ false, calls to the <B
+CLASS="COMMAND"
+>getgrent()</B
+> system
+ call will not return any data. </P
+><P
+><EM
+>Warning:</EM
+> Turning off group
+ enumeration may cause some programs to behave oddly.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind enum groups = yes </B
+>
+ </P
+></DD
+><DT
+><A
+NAME="WINBINDGID"
+></A
+>winbind gid</DT
+><DD
><P
>The winbind gid parameter specifies the range of group
ids that are allocated by the <A
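Review bot: Both new entries describe setpwent()/getpwent()/endpwent() and setgrent()/getgrent()/endgrent() as a "group of system calls"; these are C library functions, so "library calls" or "functions" is the accurate term. Within winbind enum users, "calls to the getpwent system call" also lacks the "()" used in the groups entry, and the first COMMAND element of each list begins with a stray space (" setpwent()", " setgrent()").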
@@ -18091,11 +18800,6 @@ NAME="WINBINDSEPARATOR"
>winbind separator</DT
><DD
><P
-><EM
->NOTE:</EM
-> this parameter is only
- available in Samba 3.0.</P
-><P
>This parameter allows an admin to define the character
used when listing a username of the form of <TT
CLASS="REPLACEABLE"
@@ -18136,11 +18840,6 @@ NAME="WINBINDUID"
>winbind uid</DT
><DD
><P
-><EM
->NOTE:</EM
-> this parameter is only
- available in Samba 3.0.</P
-><P
>The winbind gid parameter specifies the range of group
ids that are allocated by the <A
HREF="winbindd.8.html"
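Review bot: The context text under the winbind uid entry reads "The winbind gid parameter specifies the range of group ids", which looks copied from the winbind gid entry. While this entry is being edited to remove the Samba 3.0 note, the description should be corrected to refer to winbind uid and user ids.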
@@ -18335,7 +19034,7 @@ NAME="WORKGROUP"
HREF="#SECURITYEQUALSDOMAIN"
><B
CLASS="COMMAND"
->security=domain</B
+>security = domain</B
></A
>
setting.</P
@@ -18530,7 +19229,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN5853"
+NAME="AEN6058"
></A
><H2
>WARNINGS</H2
@@ -18560,7 +19259,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN5859"
+NAME="AEN6064"
></A
><H2
>VERSION</H2
@@ -18571,7 +19270,7 @@ NAME="AEN5859"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN5862"
+NAME="AEN6067"
></A
><H2
>SEE ALSO</H2
@@ -18650,7 +19349,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN5882"
+NAME="AEN6087"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/smbclient.1.html b/docs/htmldocs/smbclient.1.html
index f25ee2341bb..16fc134405a 100644
--- a/docs/htmldocs/smbclient.1.html
+++ b/docs/htmldocs/smbclient.1.html
@@ -37,12 +37,12 @@ NAME="AEN8"
><B
CLASS="COMMAND"
>smbclient</B
-> {servicename} [password] [-b &#60;buffer size&#62;] [-d debuglevel] [-D Directory] [-S server] [-U username] [-W workgroup] [-M &#60;netbios name&#62;] [-m maxprotocol] [-A authfile] [-N] [-l logfile] [-L &#60;netbios name&#62;] [-I destinationIP] [-E &#60;terminal code&#62;] [-c &#60;command string&#62;] [-i scope] [-O &#60;socket options&#62;] [-p port] [-R &#60;name resolve order&#62;] [-s &#60;smb config file&#62;] [-T&#60;c|x&#62;IXFqgbNan]</P
+> {servicename} [password] [-b &#60;buffer size&#62;] [-d debuglevel] [-D Directory] [-U username] [-W workgroup] [-M &#60;netbios name&#62;] [-m maxprotocol] [-A authfile] [-N] [-l logfile] [-L &#60;netbios name&#62;] [-I destinationIP] [-E &#60;terminal code&#62;] [-c &#60;command string&#62;] [-i scope] [-O &#60;socket options&#62;] [-p port] [-R &#60;name resolve order&#62;] [-s &#60;smb config file&#62;] [-T&#60;c|x&#62;IXFqgbNan]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN34"
+NAME="AEN33"
></A
><H2
>DESCRIPTION</H2
@@ -70,7 +70,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN41"
+NAME="AEN40"
></A
><H2
>OPTIONS</H2
@@ -363,7 +363,8 @@ CLASS="FILENAME"
on the use of NetBIOS scopes, see <TT
CLASS="FILENAME"
>rfc1001.txt</TT
-> and <TT
+>
+ and <TT
CLASS="FILENAME"
>rfc1002.txt</TT
>.
@@ -975,7 +976,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN311"
+NAME="AEN310"
></A
><H2
>OPERATIONS</H2
@@ -1408,7 +1409,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN478"
+NAME="AEN477"
></A
><H2
>NOTES</H2
@@ -1429,7 +1430,7 @@ NAME="AEN478"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN483"
+NAME="AEN482"
></A
><H2
>ENVIRONMENT VARIABLES</H2
@@ -1462,7 +1463,7 @@ CLASS="ENVAR"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN491"
+NAME="AEN490"
></A
><H2
>INSTALLATION</H2
@@ -1500,7 +1501,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN501"
+NAME="AEN500"
></A
><H2
>DIAGNOSTICS</H2
@@ -1516,7 +1517,7 @@ NAME="AEN501"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN505"
+NAME="AEN504"
></A
><H2
>VERSION</H2
@@ -1527,7 +1528,7 @@ NAME="AEN505"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN508"
+NAME="AEN507"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/smbcontrol.1.html b/docs/htmldocs/smbcontrol.1.html
index 7136d3e981e..1f3b020c87b 100644
--- a/docs/htmldocs/smbcontrol.1.html
+++ b/docs/htmldocs/smbcontrol.1.html
@@ -231,6 +231,14 @@ CLASS="CONSTANT"
CLASS="CONSTANT"
>smbd</TT
>.</P
+><P
+>The <TT
+CLASS="CONSTANT"
+>close-share</TT
+> message-type sends a
+ message to smbd which forces smbd to close the share that was
+ specified as an argument. This may be useful if you made changes
+ to the access controls on the share. </P
></DD
><DT
>parameters</DT
@@ -244,7 +252,7 @@ CLASS="CONSTANT"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN76"
+NAME="AEN78"
></A
><H2
>VERSION</H2
@@ -255,7 +263,7 @@ NAME="AEN76"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN79"
+NAME="AEN81"
></A
><H2
>SEE ALSO</H2
@@ -281,7 +289,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN86"
+NAME="AEN88"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/smbd.8.html b/docs/htmldocs/smbd.8.html
index f5ce9b78fd8..be82ef6d4ec 100644
--- a/docs/htmldocs/smbd.8.html
+++ b/docs/htmldocs/smbd.8.html
@@ -965,16 +965,17 @@ CLASS="COMMAND"
>The debug log level of <B
CLASS="COMMAND"
>smbd</B
-> may be raised by sending
- it a SIGUSR1 (<B
-CLASS="COMMAND"
->kill -USR1 &#60;smbd-pid&#62;</B
->)
- and lowered by sending it a SIGUSR2 (<B
+> may be raised
+ or lowered using <A
+HREF="smbcontrol.1.html"
+TARGET="_top"
+><B
CLASS="COMMAND"
->kill -USR2 &#60;smbd-pid&#62;
+>smbcontrol(1)
</B
->). This is to allow transient problems to be diagnosed,
+></A
+> program (SIGUSR[1|2] signals are no longer used in
+ Samba 2.2). This is to allow transient problems to be diagnosed,
whilst still running at a normally low log level.</P
><P
>Note that as the signal handlers send a debug write,
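Review bot: The rewritten paragraph says SIGUSR[1|2] signals are no longer used in Samba 2.2, but the following unchanged paragraph still begins "Note that as the signal handlers send a debug write". That text should be checked and removed or reworded if it referred to the SIGUSR handlers, so the page does not describe signal handling that the new sentence says is gone. The new sentence also needs an article: "using the smbcontrol(1) program".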
diff --git a/docs/htmldocs/smbmnt.8.html b/docs/htmldocs/smbmnt.8.html
index 6546b7c7070..a7d10b6e191 100644
--- a/docs/htmldocs/smbmnt.8.html
+++ b/docs/htmldocs/smbmnt.8.html
@@ -54,10 +54,11 @@ CLASS="COMMAND"
<B
CLASS="COMMAND"
>smbmnt</B
-> is meant to be installed setuid root
- so that normal users can mount their SMB shares. It checks
- whether the user has write permissions on the mount point and
- then mounts the directory.</P
+> can be installed setuid root if you want
+ normal users to be able to mount their SMB shares.</P
+><P
+>A setuid smbmnt will only allow mounts on directories owned
+ by the user, and that the user has write permission on.</P
><P
>The <B
CLASS="COMMAND"
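Review bot: The added sentence "A setuid smbmnt will only allow mounts on directories owned by the user, and that the user has write permission on" is ungrammatical and leaves it unclear whether both conditions are required. Suggest "will only allow mounts on directories that are owned by the user and on which the user has write permission". As this sentence describes the restriction enforced by a setuid root binary, it should be unambiguous.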
@@ -72,11 +73,14 @@ CLASS="COMMAND"
>
</A
>. It should not be invoked directly by users. </P
+><P
+>smbmount searches the normal PATH for smbmnt. You must ensure
+ that the smbmnt version in your path matches the smbmount used.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN28"
+NAME="AEN30"
></A
><H2
>OPTIONS</H2
@@ -134,7 +138,7 @@ CLASS="VARIABLELIST"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN55"
+NAME="AEN57"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/smbmount.8.html b/docs/htmldocs/smbmount.8.html
index 721397312ae..b7263ebf83d 100644
--- a/docs/htmldocs/smbmount.8.html
+++ b/docs/htmldocs/smbmount.8.html
@@ -49,16 +49,17 @@ NAME="AEN14"
><B
CLASS="COMMAND"
>smbmount</B
-> mounts a SMB filesystem. It
+> mounts a Linux SMB filesystem. It
is usually invoked as <B
CLASS="COMMAND"
->mount.smb</B
-> from
+>mount.smbfs</B
+> by
the <B
CLASS="COMMAND"
>mount(8)</B
> command when using the
- "-t smb" option. The kernel must support the smbfs filesystem. </P
+ "-t smbfs" option. This command only works in Linux, and the kernel must
+ support the smbfs filesystem. </P
><P
>Options to <B
CLASS="COMMAND"
@@ -234,7 +235,9 @@ CLASS="FILENAME"
><DD
><P
>sets the debug level. This is useful for
- tracking down SMB connection problems. </P
+ tracking down SMB connection problems. A suggested value to
+ start with is 4. If set too high there will be a lot of
+ output, possibly hiding the useful output.</P
></DD
><DT
>ip=&#60;arg&#62;</DT
@@ -358,8 +361,8 @@ CLASS="ENVAR"
>The variable <TT
CLASS="ENVAR"
>PASSWD_FILE</TT
-> may contain the pathname of
- a file to read the password from. A single line of input is
+> may contain the pathname
+ of a file to read the password from. A single line of input is
read and used as the password.</P
></DIV
><DIV
@@ -370,8 +373,15 @@ NAME="AEN133"
><H2
>BUGS</H2
><P
->Not many known smbmount bugs. But one smbfs bug is
- important enough to mention here anyway:</P
+>Passwords and other options containing , can not be handled.
+ For passwords an alternative way of passing them is in a credentials
+ file or in the PASSWD environment.</P
+><P
+>The credentials file does not handle usernames or passwords with
+ leading space.</P
+><P
+>One smbfs bug is important enough to mention here, even if it
+ is a bit misplaced:</P
><P
></P
><UL
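Review bot: In the first added BUGS paragraph, "options containing , can not be handled" is easy to misread because the comma is bare; write "containing a comma (,)". "in the PASSWD environment" should be "in the PASSWD environment variable", matching how PASSWD_FILE is described in the preceding section.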
@@ -379,8 +389,8 @@ NAME="AEN133"
><P
>Mounts sometimes stop working. This is usually
caused by smbmount terminating. Since smbfs needs smbmount to
- reconnect when the server disconnects, the mount will go
- dead. A re-mount normally fixes this. At least 2 ways to
+ reconnect when the server disconnects, the mount will eventually go
+ dead. An umount/mount normally fixes this. At least 2 ways to
trigger this bug are known.</P
></LI
></UL
@@ -393,18 +403,32 @@ NAME="AEN133"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN140"
+NAME="AEN142"
></A
><H2
>SEE ALSO</H2
><P
->Documentation/filesystems/smbfs.txt in the kernel source tree
- may contain additional options and information.</P
+>Documentation/filesystems/smbfs.txt in the linux kernel
+ source tree may contain additional options and information.</P
+><P
+>FreeBSD also has a smbfs, but it is not related to smbmount</P
+><P
+>For Solaris, HP-UX and others you may want to look at
+ <A
+HREF="smbsh.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbsh(1)</B
+></A
+> or at other
+ solutions, such as sharity or perhaps replacing the SMB server with
+ a NFS server.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN143"
+NAME="AEN149"
></A
><H2
>AUTHOR</H2
diff --git a/docs/htmldocs/smbpasswd.8.html b/docs/htmldocs/smbpasswd.8.html
index f48754163b9..be82bc88098 100644
--- a/docs/htmldocs/smbpasswd.8.html
+++ b/docs/htmldocs/smbpasswd.8.html
@@ -36,7 +36,7 @@ NAME="AEN8"
><B
CLASS="COMMAND"
>smbpasswd</B
-> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r &#60;remote machine&#62;] [-R &#60;name resolve order&#62;] [-m] [-j DOMAIN] [-U username] [-h] [-s] [username]</P
+> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r &#60;remote machine&#62;] [-R &#60;name resolve order&#62;] [-m] [-j DOMAIN] [-U username[%password]] [-h] [-s] [username]</P
></DIV
><DIV
CLASS="REFSECT1"
diff --git a/docs/htmldocs/wbinfo.1.html b/docs/htmldocs/wbinfo.1.html
index 129d0459e1f..badeb6961e6 100644
--- a/docs/htmldocs/wbinfo.1.html
+++ b/docs/htmldocs/wbinfo.1.html
@@ -35,7 +35,7 @@ NAME="AEN8"
><P
><B
CLASS="COMMAND"
->nmblookup</B
+>wbinfo</B
> [-u] [-g] [-n name] [-s sid] [-U uid] [-G gid] [-S sid] [-Y sid] [-t] [-m]</P
></DIV
><DIV
@@ -258,8 +258,7 @@ NAME="AEN93"
>VERSION</H2
><P
>This man page is correct for version 2.2 of
- the Samba suite. winbindd is however not available in
- stable release of Samba as of yet.</P
+ the Samba suite.</P
></DIV
><DIV
CLASS="REFSECT1"
@@ -299,7 +298,7 @@ CLASS="COMMAND"
CLASS="COMMAND"
>winbindd</B
>
- were written by TIm Potter.</P
+ were written by Tim Potter.</P
><P
>The conversion to DocBook for Samba 2.2 was done
by Gerald Carter</P
diff --git a/docs/htmldocs/winbind.html b/docs/htmldocs/winbind.html
index 429110b54d3..addf74935c1 100644
--- a/docs/htmldocs/winbind.html
+++ b/docs/htmldocs/winbind.html
@@ -34,12 +34,13 @@ NAME="AEN3"
><P
>Integration of UNIX and Microsoft Windows NT through
a unified logon has been considered a "holy grail" in heterogeneous
- computing environments for a long time. We present <I
+ computing environments for a long time. We present
+ <I
CLASS="EMPHASIS"
->winbind
- </I
->, a component of the Samba suite of programs as a
- solution to the unified logon problem. Winbind uses a UNIX implementation
+>winbind</I
+>, a component of the Samba suite
+ of programs as a solution to the unified logon problem. Winbind
+ uses a UNIX implementation
of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
Service Switch to allow Windows NT domain users to appear and operate
as UNIX users on a UNIX machine. This paper describes the winbind
@@ -66,7 +67,7 @@ NAME="AEN7"
and use the Samba suite of programs to provide file and print services
between the two. This solution is far from perfect however, as
adding and deleting users on both sets of machines becomes a chore
- and two sets of passwords are required both of which which
+ and two sets of passwords are required both of which
can lead to synchronization problems between the UNIX and Windows
systems and confusion for users.</P
><P
@@ -119,7 +120,7 @@ NAME="AEN20"
>The end result is that whenever any
program on the UNIX machine asks the operating system to lookup
a user or group name, the query will be resolved by asking the
- NT domain controller for the specied domain to do the lookup.
+ NT domain controller for the specified domain to do the lookup.
Because Winbind hooks into the operating system at a low level
(via the NSS name resolution modules in the C library) this
redirection to the NT domain controller is completely
@@ -136,11 +137,11 @@ NAME="AEN20"
that redirection to a domain controller is wanted for a particular
lookup and which trusted domain is being referenced.</P
><P
->Additionally, Winbind provides a authentication service
+>Additionally, Winbind provides an authentication service
that hooks into the Pluggable Authentication Modules (PAM) system
to provide authentication via a NT domain to any PAM enabled
applications. This capability solves the problem of synchronizing
- passwords between systems as all passwords are stored in a single
+ passwords between systems since all passwords are stored in a single
location (on the domain controller).</P
><DIV
CLASS="SECT2"
@@ -155,9 +156,9 @@ NAME="AEN27"
existing NT based domain infrastructure into which they wish
to put UNIX workstations or servers. Winbind will allow these
organizations to deploy UNIX workstations without having to
- maintain a separate account infrastructure. This greatly simplies
- the administrative overhead of deploying UNIX workstations into
- a NT based organization.</P
+ maintain a separate account infrastructure. This greatly
+ simplifies the administrative overhead of deploying UNIX
+ workstations into a NT based organization.</P
><P
>Another interesting way in which we expect Winbind to
be used is as a central part of UNIX based appliances. Appliances
@@ -226,9 +227,9 @@ NAME="AEN40"
information such as hostnames, mail aliases and user information
to be resolved from different sources. For example, a standalone
UNIX workstation may resolve system information from a series of
- flat files stored on the local lesystem. A networked workstation
+ flat files stored on the local filesystem. A networked workstation
may first attempt to resolve system information from local files,
- then consult a NIS database for user information or a DNS server
+ and then consult a NIS database for user information or a DNS server
for hostname information.</P
><P
>The NSS application programming interface allows winbind
@@ -241,11 +242,12 @@ NAME="AEN40"
a NT domain plus any trusted domain as though they were local
users and groups.</P
><P
->The primary control le for NSS is <TT
+>The primary control file for NSS is
+ <TT
CLASS="FILENAME"
->/etc/nsswitch.conf
- </TT
->. When a UNIX application makes a request to do a lookup
+>/etc/nsswitch.conf</TT
+>.
+ When a UNIX application makes a request to do a lookup
the C library looks in <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
@@ -315,7 +317,7 @@ NAME="AEN56"
UNIX system. This allows Windows NT users to log in to a UNIX
machine and be authenticated against a suitable Primary Domain
Controller. These users can also change their passwords and have
- this change take eect directly on the Primary Domain Controller.
+ this change take effect directly on the Primary Domain Controller.
</P
><P
>PAM is configured by providing control files in the directory
@@ -335,7 +337,7 @@ CLASS="FILENAME"
is copied to <TT
CLASS="FILENAME"
>/lib/security/</TT
-> and the pam
+> and the PAM
control files for relevant services are updated to allow
authentication via winbind. See the PAM documentation
for more details.</P
@@ -351,7 +353,7 @@ NAME="AEN64"
><P
>When a user or group is created under Windows NT
is it allocated a numerical relative identifier (RID). This is
- slightly different to UNIX which has a range of numbers which are
+ slightly different to UNIX which has a range of numbers that are
used to identify users, and the same range in which to identify
groups. It is winbind's job to convert RIDs to UNIX id numbers and
vice versa. When winbind is configured it is given part of the UNIX
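Review bot: The first context line of this paragraph still reads "is it allocated a numerical relative identifier (RID)", with "is it" transposed. Since the hunk already edits the paragraph for which/that, change it to "it is allocated" in the same pass.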
@@ -363,7 +365,7 @@ NAME="AEN64"
to UNIX user ids and group ids.</P
><P
>The results of this mapping are stored persistently in
- a ID mapping database held in a tdb database). This ensures that
+ an ID mapping database held in a tdb database). This ensures that
RIDs are mapped to UNIX IDs in a consistent way.</P
></DIV
><DIV
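Review bot: The corrected line "an ID mapping database held in a tdb database)" still carries an unmatched closing parenthesis and says "database" twice. Either restore the opening parenthesis or reword it, for example "an ID mapping database (held in a tdb file)".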
@@ -398,39 +400,702 @@ NAME="AEN71"
>Installation and Configuration</A
></H1
><P
->The easiest way to install winbind is by using the packages
- provided in the <TT
+>Many thanks to John Trostel <A
+HREF="mailto:jtrostel@snapserver.com"
+TARGET="_top"
+>jtrostel@snapserver.com</A
+>
+for providing the HOWTO for this section.</P
+><P
+>This HOWTO describes how to get winbind services up and running
+to control access and authenticate users on your Linux box using
+the winbind services which come with SAMBA 2.2.2.</P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN76"
+>Introduction</A
+></H2
+><P
+>This HOWTO describes the procedures used to get winbind up and
+running on my RedHat 7.1 system. Winbind is capable of providing access
+and authentication control for Windows Domain users through an NT
+or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
+well for SAMBA services.</P
+><P
+>This HOWTO has been written from a 'RedHat-centric' perspective, so if
+you are using another distribution, you may have to modify the instructions
+somewhat to fit the way your distribution works.</P
+><P
+></P
+><UL
+><LI
+><P
+> <I
+CLASS="EMPHASIS"
+>Why should I to this?</I
+>
+ </P
+><P
+>This allows the SAMBA administrator to rely on the
+ authentication mechanisms on the NT/Win2K PDC for the authentication
+ of domain members. NT/Win2K users no longer need to have separate
+ accounts on the SAMBA server.
+ </P
+></LI
+><LI
+><P
+> <I
+CLASS="EMPHASIS"
+>Who should be reading this document?</I
+>
+ </P
+><P
+> This HOWTO is designed for system administrators. If you are
+ implementing SAMBA on a file server and wish to (fairly easily)
+ integrate existing NT/Win2K users from your PDC onto the
+ SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
+ expert, so you may find a better or easier way to accomplish
+ these tasks.
+ </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN89"
+>Requirements</A
+></H2
+><P
+>If you have a samba configuration file that you are currently
+using... BACK IT UP! If your system already uses PAM, BACK UP
+THE <TT
+CLASS="FILENAME"
+>/etc/pam.d</TT
+> directory contents! If you
+haven't already made a boot disk, MAKE ON NOW!</P
+><P
+>Messing with the pam configuration files can make it nearly impossible
+to log in to yourmachine. That's why you want to be able to boot back
+into your machine in single user mode and restore your
+<TT
+CLASS="FILENAME"
+>/etc/pam.d</TT
+> back to the original state they were in if
+you get frustrated with the way things are going. ;-)</P
+><P
+>The newest version of SAMBA (version 2.2.2), available from
+cvs.samba.org, now include a functioning winbindd daemon. Please refer
+to the main SAMBA web page or, better yet, your closest SAMBA mirror
+site for instructions on downloading the source code.</P
+><P
+>To allow Domain users the ability to access SAMBA shares and
+files, as well as potentially other services provided by your
+SAMBA machine, PAM (pluggable authentication modules) must
+be setup properly on your machine. In order to compile the
+winbind modules, you should have at least the pam libraries resident
+on your system. For recent RedHat systems (7.1, for instance), that
+means 'pam-0.74-22'. For best results, it is helpful to also
+install the development packages in 'pam-devel-0.74-22'.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN97"
+>Testing Things Out</A
+></H2
+><P
+>Before starting, it is probably best to kill off all the SAMBA
+related daemons running on your server. Kill off all <B
+CLASS="COMMAND"
+>smbd</B
+>,
+<B
+CLASS="COMMAND"
+>nmbd</B
+>, and <B
+CLASS="COMMAND"
+>winbindd</B
+> processes that may
+be running. To use PAM, you will want to make sure that you have the
+standard PAM package (for RedHat) which supplies the <TT
+CLASS="FILENAME"
+>/etc/pam.d</TT
+>
+directory structure, including the pam modules are used by pam-aware
+services, several pam libraries, and the <TT
+CLASS="FILENAME"
+>/usr/doc</TT
+>
+and <TT
+CLASS="FILENAME"
+>/usr/man</TT
+> entries for pam. Winbind built better
+in SAMBA if the pam-devel package was also installed. This package includes
+the header files needed to compile pam-aware applications. For instance, my RedHat
+system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.</P
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN106"
+>Configure and compile SAMBA</A
+></H3
+><P
+>The configuration and compilation of SAMBA is pretty straightforward.
+The first three steps maynot be necessary depending upon
+whether or not you have previously built the Samba binaries.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+><TT
+CLASS="PROMPT"
+>root# </TT
+> autoconf
+<TT
+CLASS="PROMPT"
+>root# </TT
+> make clean
+<TT
+CLASS="PROMPT"
+>root# </TT
+> rm config.cache
+<TT
+CLASS="PROMPT"
+>root# </TT
+> ./configure --with-winbind
+<TT
+CLASS="PROMPT"
+>root# </TT
+> make
+<TT
+CLASS="PROMPT"
+>root# </TT
+> make install</PRE
+></P
+><P
+>This will, by default, install SAMBA in /usr/local/samba. See the
+main SAMBA documentation if you want to install SAMBA somewhere else.
+It will also build the winbindd executable and libraries. </P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN118"
+>Configure nsswitch.conf and the winbind libraries</A
+></H3
+><P
+>The libraries needed to run the winbind daemon through nsswitch
+need to be copied to their proper locations, so</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> cp ../samba/source/nsswitch/libnss_winbind.so /lib</P
+><P
+>I also found it necessary to make the following symbolic link:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</P
+><P
+>Now, as root you need to edit <TT
CLASS="FILENAME"
->pub/samba/appliance/</TT
+>/etc/nsswitch.conf</TT
+> to
+allow user and group entries to be visible from the <B
+CLASS="COMMAND"
+>winbindd</B
>
- directory on your nearest
- Samba mirror. These packages provide snapshots of the Samba source
- code and binaries already setup to provide the full functionality
- of winbind. This setup is a little more complex than a normal Samba
- build as winbind needs a small amount of functionality from a
- development code branch called SAMBA_TNG.</P
-><P
->Once you have installed the packages you should read
- the <B
+daemon, as well as from your /etc/hosts files and NIS servers. My
+<TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+> file look like this after editing:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> passwd: files winbind
+ shadow: files winbind
+ group: files winbind</PRE
+></P
+><P
+>
+The libraries needed by the winbind daemon will be automatically
+entered into the ldconfig cache the next time your system reboots, but it
+is faster (and you don't need to reboot) if you do it manually:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> /sbin/ldconfig -v | grep winbind</P
+><P
+>This makes <TT
+CLASS="FILENAME"
+>libnss_winbind</TT
+> available to winbindd
+and echos back a check to you.</P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN137"
+>Configure smb.conf</A
+></H3
+><P
+>Several parameters are needed in the smb.conf file to control
+the behavior of <B
CLASS="COMMAND"
->winbindd(8)</B
-> man page which will provide you
- with configuration information and give you sample configuration files.
- You may also wish to update the main Samba daemons smbd and nmbd)
- with a more recent development release, such as the recently
- announced Samba 2.2 alpha release.</P
+>winbindd</B
+>. Configure
+<TT
+CLASS="FILENAME"
+>smb.conf</TT
+> These are described in more detail in
+the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> man page. My
+<TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file was modified to
+include the following entries in the [global] section:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>[global]
+ &#60;...&#62;
+ # separate domain and username with '+', like DOMAIN+username
+ winbind separator = +
+ # use uids from 10000 to 20000 for domain users
+ winbind uid = 10000-20000
+ # use gids from 10000 to 20000 for domain groups
+ winbind gid = 10000-20000
+ # allow enumeration of winbind users and groups
+ winbind enum users = yes
+ winbind enum groups = yes
+ # give winbind users a real shell (only needed if they have telnet access)
+ template shell = /bin/bash</PRE
+></P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN146"
+>Join the SAMBA server to the PDC domain</A
+></H3
+><P
+>Enter the following command to make the SAMBA server join the
+PDC domain, where <TT
+CLASS="REPLACEABLE"
+><I
+>DOMAIN</I
+></TT
+> is the name of
+your Windows domain and <TT
+CLASS="REPLACEABLE"
+><I
+>Administrator</I
+></TT
+> is
+a domain user who has administrative privileges in the domain.</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</P
+><P
+>The proper response to the command should be: "Joined the domain
+<TT
+CLASS="REPLACEABLE"
+><I
+>DOMAIN</I
+></TT
+>" where <TT
+CLASS="REPLACEABLE"
+><I
+>DOMAIN</I
+></TT
+>
+is your DOMAIN name.</P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN156"
+>Start up the winbindd daemon and test it!</A
+></H3
+><P
+>Eventually, you will want to modify your smb startup script to
+automatically invoke the winbindd daemon when the other parts of
+SAMBA start, but it is possible to test out just the winbind
+portion first. To start up winbind services, enter the following
+command as root:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/local/samba/bin/winbindd</P
+><P
+>I'm always paranoid and like to make sure the daemon
+is really running...</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> ps -ae | grep winbindd
+3025 ? 00:00:00 winbindd</P
+><P
+>Now... for the real test, try to get some information about the
+users on your PDC</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> # /usr/local/samba/bin/wbinfo -u</P
+><P
+>
+This should echo back a list of users on your Windows users on
+your PDC. For example, I get the following response:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>CEO+Administrator
+CEO+burdell
+CEO+Guest
+CEO+jt-ad
+CEO+krbtgt
+CEO+TsInternetUser</PRE
+></P
+><P
+>Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.</P
+><P
+>You can do the same sort of thing to get group information from
+the PDC:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+><TT
+CLASS="PROMPT"
+>root# </TT
+>/usr/local/samba/bin/wbinfo -g
+CEO+Domain Admins
+CEO+Domain Users
+CEO+Domain Guests
+CEO+Domain Computers
+CEO+Domain Controllers
+CEO+Cert Publishers
+CEO+Schema Admins
+CEO+Enterprise Admins
+CEO+Group Policy Creator Owners</PRE
+></P
+><P
+>The function 'getent' can now be used to get unified
+lists of both local and PDC users and groups.
+Try the following command:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> getent passwd</P
+><P
+>You should get a list that looks like your <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>
+list followed by the domain users with their new uids, gids, home
+directories and default shells.</P
+><P
+>The same thing can be done for groups with the command</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> getent group</P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN183"
+>Fix the /etc/rc.d/init.d/smb startup files</A
+></H3
+><P
+>The <B
+CLASS="COMMAND"
+>winbindd</B
+> daemon needs to start up after the
+<B
+CLASS="COMMAND"
+>smbd</B
+> and <B
+CLASS="COMMAND"
+>nmbd</B
+> daemons are running.
+To accomplish this task, you need to modify the <TT
+CLASS="FILENAME"
+>/etc/init.d/smb</TT
+>
+script to add commands to invoke this daemon in the proper sequence. My
+<TT
+CLASS="FILENAME"
+>/etc/init.d/smb</TT
+> file starts up <B
+CLASS="COMMAND"
+>smbd</B
+>,
+<B
+CLASS="COMMAND"
+>nmbd</B
+>, and <B
+CLASS="COMMAND"
+>winbindd</B
+> from the
+<TT
+CLASS="FILENAME"
+>/usr/local/samba/bin</TT
+> directory directly. The 'start'
+function in the script looks like this:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>start() {
+ KIND="SMB"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
+ RETVAL=$?
+ echo
+ KIND="NMB"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
+ RETVAL2=$?
+ echo
+ KIND="Winbind"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/winbindd
+ RETVAL3=$?
+ echo
+ [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &#38;&#38; touch /var/lock/subsys/smb || \
+ RETVAL=1
+ return $RETVAL
+}</PRE
+></P
+><P
+>The 'stop' function has a corresponding entry to shut down the
+services and look s like this:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>stop() {
+ KIND="SMB"
+ echo -n $"Shutting down $KIND services: "
+ killproc smbd
+ RETVAL=$?
+ echo
+ KIND="NMB"
+ echo -n $"Shutting down $KIND services: "
+ killproc nmbd
+ RETVAL2=$?
+ echo
+ KIND="Winbind"
+ echo -n $"Shutting down $KIND services: "
+ killproc winbindd
+ RETVAL3=$?
+ [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &#38;&#38; rm -f /var/lock/subsys/smb
+ echo ""
+ return $RETVAL
+}</PRE
+></P
+></DIV
+><DIV
+CLASS="SECT3"
+><HR><H3
+CLASS="SECT3"
+><A
+NAME="AEN200"
+>Configure Winbind and PAM</A
+></H3
+><P
+>If you have made it this far, you know that winbindd is working.
+Now it is time to integrate it into the operation of samba and other
+services. The pam configuration files need to be altered in
+this step. (Did you remember to make backups of your original
+<TT
+CLASS="FILENAME"
+>/etc/pam.d</TT
+> files? If not, do it now.)</P
+><P
+>To get samba to allow domain users and groups, I modified the
+<TT
+CLASS="FILENAME"
+>/etc/pam.d/samba</TT
+> file from</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>auth required /lib/security/pam_stack.so service=system-auth
+account required /lib/security/pam_stack.so service=system-auth</PRE
+></P
+><P
+>to</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>auth required /lib/security/pam_winbind.so
+auth required /lib/security/pam_stack.so service=system-auth
+account required /lib/security/pam_winbind.so
+account required /lib/security/pam_stack.so service=system-auth</PRE
+></P
+><P
+>The other services that I modified to allow the use of winbind
+as an authentication service were the normal login on the console (or a terminal
+session), telnet logins, and ftp service. In order to enable these
+services, you may first need to change the entries in
+<TT
+CLASS="FILENAME"
+>/etc/xinetd.d</TT
+> (or <TT
+CLASS="FILENAME"
+>/etc/inetd.conf</TT
+>).
+RedHat 7.1 uses the new xinetd.d structure, in this case you need
+to change the lines in <TT
+CLASS="FILENAME"
+>/etc/xinetd.d/telnet</TT
+>
+and <TT
+CLASS="FILENAME"
+>/etc/xinetd.d/wu-ftp</TT
+> from </P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>enable = no</PRE
+></P
+><P
+>to</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>enable = yes</PRE
+></P
+><P
+>
+For ftp services to work properly, you will also need to either
+have individual directories for the domain users already present on
+the server, or change the home directory template to a general
+directory for all domain users. These can be easily set using
+the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> global entry
+<B
+CLASS="COMMAND"
+>template homedir</B
+>.</P
+><P
+>The <TT
+CLASS="FILENAME"
+>/etc/pam.d/ftp</TT
+> file can be changed
+to allow winbind ftp access in a manner similar to the
+samba file. My <TT
+CLASS="FILENAME"
+>/etc/pam.d/ftp</TT
+> file was
+changed to look like this:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>auth sufficient /lib/security/pam_winbind.so
+auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth required /lib/security/pam_stack.so service=system-auth
+auth required /lib/security/pam_shells.so
+account required /lib/security/pam_stack.so service=system-auth
+session required /lib/security/pam_stack.so service=system-auth</PRE
+></P
+><P
+>The <TT
+CLASS="FILENAME"
+>/etc/pam.d/login</TT
+> file can be changed nearly the
+same way. It now looks like this:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>auth required /lib/security/pam_securetty.so
+auth sufficient /lib/security/pam_winbind.so
+auth sufficient /lib/security/pam_unix.so use_first_pass
+auth required /lib/security/pam_stack.so service=system-auth
+auth required /lib/security/pam_nologin.so
+account sufficient /lib/security/pam_winbind.so
+account required /lib/security/pam_stack.so service=system-auth
+password required /lib/security/pam_stack.so service=system-auth
+session required /lib/security/pam_stack.so service=system-auth
+session optional /lib/security/pam_console.so</PRE
+></P
+><P
+>In this case, I added the <B
+CLASS="COMMAND"
+>auth sufficient /lib/security/pam_winbind.so</B
+>
+lines as before, but also added the <B
+CLASS="COMMAND"
+>required pam_securetty.so</B
+>
+above it, to disallow root logins over the network. I also added a
+<B
+CLASS="COMMAND"
+>sufficient /lib/security/pam_unix.so use_first_pass</B
+>
+line after the <B
+CLASS="COMMAND"
+>winbind.so</B
+> line to get rid of annoying
+double prompts for passwords.</P
+><P
+>Finally, don't forget to copy the winbind pam modules from
+the source directory in which you originally compiled the new
+SAMBA up to the /lib/security directory so that pam can use it:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> cp ../samba/source/nsswitch/pam_winbind.so /lib/security</P
+></DIV
+></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN77"
+NAME="AEN241"
>Limitations</A
></H1
><P
>Winbind has a number of limitations in its current
- released version which we hope to overcome in future
+ released version that we hope to overcome in future
releases:</P
><P
></P
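Review bot: In the /etc/pam.d/ftp example, "auth sufficient /lib/security/pam_winbind.so" is the first line, so a successful domain authentication ends the auth stack before the pam_listfile.so deny list (/etc/ftpusers) and pam_shells.so are consulted, and domain accounts can never be blocked by those checks. Move the winbind line below them, and apply the same ordering in /etc/pam.d/login, where pam_nologin.so sits after the sufficient lines and is skipped for domain users. The /etc/pam.d/samba example stacks pam_winbind.so and system-auth both as "required", which is inconsistent with the "sufficient" usage in the other two files and requires a user to pass both; please say which behaviour is intended. The section also tells readers to set "enable = yes" for telnet and wu-ftp so that domain passwords are accepted there, without noting that both protocols carry the password in clear text. In the init script, stop() computes RETVAL3 but returns only RETVAL, unlike start(), which folds all three results into its return value. Typos in the added text to fix before regenerating: "Why should I to this?", "telnet a nd ftp", "MAKE ON NOW", "yourmachine", "maynot", "look s like", and the stray "#" after the prompt in front of wbinfo -u.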
@@ -459,13 +1124,6 @@ NAME="AEN77"
into account possible workstation and logon time restrictions
that may be been set for Windows NT users.</P
></LI
-><LI
-><P
->Building winbind from source is currently
- quite tedious as it requires combining source code from two Samba
- branches. Work is underway to solve this by providing all
- the necessary functionality in the main Samba code branch.</P
-></LI
></UL
></DIV
><DIV
@@ -473,7 +1131,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN89"
+NAME="AEN251"
>Conclusion</A
></H1
><P
diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html
index 125daccf34c..ad54228a6f4 100644
--- a/docs/htmldocs/winbindd.8.html
+++ b/docs/htmldocs/winbindd.8.html
@@ -36,23 +36,22 @@ NAME="AEN8"
><P
><B
CLASS="COMMAND"
->nmblookup</B
-> [-d debuglevel] [-i] [-S] [-r] [-A] [-h] [-B &#60;broadcast address&#62;] [-U &#60;unicast address&#62;] [-d &#60;debug level&#62;] [-s &#60;smb config file&#62;] [-i &#60;NetBIOS scope&#62;] [-T] {name}</P
+>winbindd</B
+> [-i] [-d &#60;debug level&#62;] [-s &#60;smb config file&#62;]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN24"
+NAME="AEN14"
></A
><H2
>DESCRIPTION</H2
><P
->This tool is part of the <A
+>This program is part of the <A
HREF="samba.7.html"
TARGET="_top"
> Samba</A
-> suite version 3.0 and describes functionality not
- yet implemented in the main version of Samba.</P
+> suite.</P
><P
><B
CLASS="COMMAND"
@@ -150,7 +149,7 @@ group: files winbind
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN53"
+NAME="AEN43"
></A
><H2
>OPTIONS</H2
@@ -189,7 +188,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN66"
+NAME="AEN56"
></A
><H2
>NAME AND ID RESOLUTION</H2
@@ -220,7 +219,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN72"
+NAME="AEN62"
></A
><H2
>CONFIGURATION</H2
@@ -485,7 +484,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN154"
+NAME="AEN144"
></A
><H2
>EXAMPLE SETUP</H2
@@ -569,12 +568,13 @@ CLASS="COMMAND"
>The next step is to join the domain. To do that use the
<B
CLASS="COMMAND"
->samedit</B
+>smbpasswd</B
> program like this: </P
><P
><B
CLASS="COMMAND"
->samedit -S '*' -W DOMAIN -UAdministrator</B
+>smbpasswd -j DOMAIN -r PDC -U
+ Administrator</B
></P
><P
>The username after the <TT
@@ -582,20 +582,10 @@ CLASS="PARAMETER"
><I
>-U</I
></TT
-> can be any Domain
- user that has administrator privileges on the machine. Next from
- within <B
-CLASS="COMMAND"
->samedit</B
->, run the command: </P
-><P
-><B
-CLASS="COMMAND"
->createuser MACHINE$ -j DOMAIN -L</B
-></P
-><P
->This assumes your domain is called "DOMAIN" and your Samba
- workstation is called "MACHINE". </P
+> can be any
+ Domain user that has administrator privileges on the machine.
+ Substitute your domain name for "DOMAIN" and the name of your PDC
+ for "PDC".</P
><P
>Next copy <TT
CLASS="FILENAME"
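Review bot: This paragraph says the -U account needs "administrator privileges on the machine", while the winbind.html HOWTO updated in the same commit describes it as a domain user who has administrative privileges in the domain. Use one wording in both places. The join command shown is issued against the PDC, so the domain wording reads as the intended one.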
@@ -672,10 +662,10 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN197"
+NAME="AEN183"
></A
><H2
->Notes</H2
+>NOTES</H2
><P
>The following notes are useful when configuring and
running <B
@@ -706,10 +696,8 @@ CLASS="COMMAND"
>winbindd</B
>
nsswitch module read an environment variable named <TT
-CLASS="PARAMETER"
-><I
-> $WINBINDD_DOMAIN</I
-></TT
+CLASS="ENVAR"
+> $WINBINDD_DOMAIN</TT
>. If this variable contains a comma separated
list of Windows NT domain names, then winbindd will only resolve users
and groups within those Windows NT domains. </P
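Review bot: The new TT CLASS="ENVAR" element keeps the leading space before $WINBINDD_DOMAIN that the old PARAMETER markup had, so the rendered variable name starts with a blank. Trim it in the DocBook source while the markup is being changed.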
@@ -732,10 +720,10 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN213"
+NAME="AEN199"
></A
><H2
->Signals</H2
+>SIGNALS</H2
><P
>The following signals can be used to manipulate the
<B
@@ -783,10 +771,10 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN230"
+NAME="AEN216"
></A
><H2
->Files</H2
+>FILES</H2
><P
></P
><DIV
@@ -835,9 +823,11 @@ CLASS="FILENAME"
>Storage for the Windows NT rid to UNIX user/group
id mapping. The lock directory is specified when Samba is initially
compiled using the <TT
-CLASS="FILENAME"
->--with-lockdir</TT
-> option.
+CLASS="PARAMETER"
+><I
+>--with-lockdir</I
+></TT
+> option.
This directory is by default <TT
CLASS="FILENAME"
>/usr/local/samba/var/locks
@@ -857,19 +847,18 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN259"
+NAME="AEN245"
></A
><H2
>VERSION</H2
><P
->This man page is correct for version 2.2 of
- the Samba suite. winbindd is however not available in
- the stable release of Samba as of yet.</P
+>This man page is correct for version 2.2 of
+ the Samba suite.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN262"
+NAME="AEN248"
></A
><H2
>SEE ALSO</H2
@@ -897,7 +886,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN269"
+NAME="AEN255"
></A
><H2
>AUTHOR</H2
diff --git a/docs/manpages/nmbd.8 b/docs/manpages/nmbd.8
index 4600074446a..d657ef7c4b3 100644
--- a/docs/manpages/nmbd.8
+++ b/docs/manpages/nmbd.8
@@ -3,12 +3,12 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "NMBD" "8" "09 July 2001" "" ""
+.TH "NMBD" "8" "26 September 2001" "" ""
.SH NAME
nmbd \- NetBIOS name server to provide NetBIOS over IP naming services to clients
.SH SYNOPSIS
.sp
-\fBsmbd\fR [ \fB-D\fR ] [ \fB-a\fR ] [ \fB-o\fR ] [ \fB-P\fR ] [ \fB-h\fR ] [ \fB-V\fR ] [ \fB-d <debug level>\fR ] [ \fB-H <lmhosts file>\fR ] [ \fB-l <log file>\fR ] [ \fB-n <primary netbios name>\fR ] [ \fB-p <port number>\fR ] [ \fB-s <configuration file>\fR ]
+\fBnmbd\fR [ \fB-D\fR ] [ \fB-a\fR ] [ \fB-o\fR ] [ \fB-P\fR ] [ \fB-h\fR ] [ \fB-V\fR ] [ \fB-d <debug level>\fR ] [ \fB-H <lmhosts file>\fR ] [ \fB-l <log file>\fR ] [ \fB-n <primary netbios name>\fR ] [ \fB-p <port number>\fR ] [ \fB-s <configuration file>\fR ]
.SH "DESCRIPTION"
.PP
This program is part of the Samba suite.
@@ -208,12 +208,13 @@ it to dump out its namelists into the file \fInamelist.debug
directory (or the \fIvar/locks\fR directory configured
under wherever Samba was configured to install itself). This will also
cause \fBnmbd\fR to dump out its server database in
-the \fIlog.nmb\fR file. In addition, the debug log level
-of nmbd may be raised by sending it a SIGUSR1 (\fBkill -USR1
-<nmbd-pid>\fR) and lowered by sending it a
-SIGUSR2 (\fBkill -USR2 <nmbd-pid>\fR). This is to
-allow transient problems to be diagnosed, whilst still running at a
-normally low log level.
+the \fIlog.nmb\fR file.
+.PP
+The debug log level of nmbd may be raised or lowered using
+\fBsmbcontrol(1)\fR
+(SIGUSR[1|2] signals are no longer used in Samba 2.2). This is
+to allow transient problems to be diagnosed, whilst still running
+at a normally low log level.
.SH "VERSION"
.PP
This man page is correct for version 2.2 of
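Review bot: The rewritten paragraph points the reader to smbcontrol(1) but gives no invocation, whereas the text it replaces showed the exact kill commands. Add the equivalent smbcontrol command line for raising and lowering nmbd's debug level, or at least name the message type to send, so the man page stays usable on its own.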
diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5
index 98f614c5667..885307f9ab6 100644
--- a/docs/manpages/smb.conf.5
+++ b/docs/manpages/smb.conf.5
@@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "SMB.CONF" "5" "09 July 2001" "" ""
+.TH "SMB.CONF" "5" "11 October 2001" "" ""
.SH NAME
smb.conf \- The configuration file for the Samba suite
.SH "SYNOPSIS"
@@ -78,7 +78,7 @@ privileges in this case.
Sections other than guest services will require a password
to access them. The client provides the username. As older clients
only provide passwords and not usernames, you may specify a list
-of usernames to check against the password using the "user="
+of usernames to check against the password using the "user ="
option in the share definition. For modern clients such as
Windows 95/98/ME/NT/2000, this should not be necessary.
.PP
@@ -148,12 +148,12 @@ the located username.
If no path was given, the path is set to
the user's home directory.
.PP
-If you decide to use a \fBpath=\fR line
+If you decide to use a \fBpath =\fR line
in your [homes] section then you may find it useful
to use the %S macro. For example :
.PP
.PP
-\fBpath=/data/pchome/%S\fR
+\fBpath = /data/pchome/%S\fR
.PP
.PP
would be useful if you have different home directories
@@ -197,9 +197,9 @@ access\fR.
Note that the \fBbrowseable\fR flag for
auto home directories will be inherited from the global browseable
flag, not the [homes] browseable flag. This is useful as
-it means setting browseable=no in the [homes] section
-will hide the [homes] share but make any auto home
-directories visible.
+it means setting \fBbrowseable = no\fR in
+the [homes] section will hide the [homes] share but make
+any auto home directories visible.
.PP
.SS "THE PRINTERS SECTION"
.PP
@@ -368,7 +368,7 @@ the Internet name of the client machine.
the name of your NIS home directory server.
This is obtained from your NIS auto.map entry. If you have
not compiled Samba with the \fB--with-automount\fR
-option then this value will be the same as %.
+option then this value will be the same as %L.
.TP
\fB%p\fR
the path of the service's home directory,
@@ -421,7 +421,7 @@ All of these options can be set separately for each service
.PP
The options are:
.TP
-\fBmangle case= yes/no\fR
+\fBmangle case = yes/no\fR
controls if names that have characters that
aren't of the "default" case are mangled. For example,
if this is yes then a name like "Mail" would be mangled.
@@ -487,9 +487,9 @@ If a "user = " field is given in the
\fIsmb.conf\fR file for the service and the client
has supplied a password, and that password matches (according to
the UNIX system's password checking) with one of the usernames
-from the "user=" field then the connection is made as
-the username in the "user=" line. If one
-of the username in the "user=" list begins with a
+from the "user =" field then the connection is made as
+the username in the "user =" line. If one
+of the username in the "user =" list begins with a
\&'@' then that name expands to a list of names in
the group of the same name.
.IP 6.
@@ -503,6 +503,9 @@ Here is a list of all global parameters. See the section of
each parameter for details. Note that some are synonyms.
.TP 0.2i
\(bu
+\fIabort shutdown script\fR
+.TP 0.2i
+\(bu
\fIadd printer command\fR
.TP 0.2i
\(bu
@@ -512,6 +515,9 @@ each parameter for details. Note that some are synonyms.
\fIadd user script\fR
.TP 0.2i
\(bu
+\fIadd machine script\fR
+.TP 0.2i
+\(bu
\fIallow trusted domains\fR
.TP 0.2i
\(bu
@@ -587,6 +593,9 @@ each parameter for details. Note that some are synonyms.
\fIdfree command\fR
.TP 0.2i
\(bu
+\fIdisable spoolss\fR
+.TP 0.2i
+\(bu
\fIdns proxy\fR
.TP 0.2i
\(bu
@@ -644,6 +653,24 @@ each parameter for details. Note that some are synonyms.
\fIlarge readwrite\fR
.TP 0.2i
\(bu
+\fIldap admin dn\fR
+.TP 0.2i
+\(bu
+\fIldap filter\fR
+.TP 0.2i
+\(bu
+\fIldap port\fR
+.TP 0.2i
+\(bu
+\fIldap server\fR
+.TP 0.2i
+\(bu
+\fIldap ssl\fR
+.TP 0.2i
+\(bu
+\fIldap suffix\fR
+.TP 0.2i
+\(bu
\fIlm announce\fR
.TP 0.2i
\(bu
@@ -851,6 +878,9 @@ each parameter for details. Note that some are synonyms.
\fIshow add printer wizard\fR
.TP 0.2i
\(bu
+\fIshutdown script\fR
+.TP 0.2i
+\(bu
\fIsmb passwd file\fR
.TP 0.2i
\(bu
@@ -884,6 +914,15 @@ each parameter for details. Note that some are synonyms.
\fIssl compatibility\fR
.TP 0.2i
\(bu
+\fIssl egd socket\fR
+.TP 0.2i
+\(bu
+\fIssl entropy bytes\fR
+.TP 0.2i
+\(bu
+\fIssl entropy file\fR
+.TP 0.2i
+\(bu
\fIssl hosts\fR
.TP 0.2i
\(bu
@@ -953,6 +992,9 @@ each parameter for details. Note that some are synonyms.
\fIusername map\fR
.TP 0.2i
\(bu
+\fIutmp\fR
+.TP 0.2i
+\(bu
\fIutmp directory\fR
.TP 0.2i
\(bu
@@ -962,6 +1004,12 @@ each parameter for details. Note that some are synonyms.
\fIwinbind cache time\fR
.TP 0.2i
\(bu
+\fIwinbind enum users\fR
+.TP 0.2i
+\(bu
+\fIwinbind enum groups\fR
+.TP 0.2i
+\(bu
\fIwinbind gid\fR
.TP 0.2i
\(bu
@@ -1278,9 +1326,6 @@ each parameter for details. Note that some are synonyms.
\fIset directory\fR
.TP 0.2i
\(bu
-\fIshare modes\fR
-.TP 0.2i
-\(bu
\fIshort preserve case\fR
.TP 0.2i
\(bu
@@ -1296,6 +1341,9 @@ each parameter for details. Note that some are synonyms.
\fIsync always\fR
.TP 0.2i
\(bu
+\fIuse client driver\fR
+.TP 0.2i
+\(bu
\fIuser\fR
.TP 0.2i
\(bu
@@ -1305,9 +1353,6 @@ each parameter for details. Note that some are synonyms.
\fIusers\fR
.TP 0.2i
\(bu
-\fIutmp\fR
-.TP 0.2i
-\(bu
\fIvalid users\fR
.TP 0.2i
\(bu
@@ -1344,6 +1389,18 @@ each parameter for details. Note that some are synonyms.
\fIwriteable\fR
.SH "EXPLANATION OF EACH PARAMETER"
.TP
+\fBabort shutdown script (G)\fR
+\fBThis parameter only exists in the HEAD cvs branch\fR
+This a full path name to a script called by
+\fBsmbd(8)\fRthat
+should stop a shutdown procedure issued by the \fIshutdown script\fR.
+
+This command will be run as user.
+
+Default: \fBNone\fR.
+
+Example: \fBabort shutdown script = /sbin/shutdown -c\fR
+.TP
\fBadd printer command (G)\fR
With the introduction of MS-RPC based printing
support for Windows NT/2000 clients in Samba 2.2, The MS Add
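Review bot: "This command will be run as user." in the new abort shutdown script entry does not say which user. The privilege level of a script that smbd launches is what an administrator needs to know before pointing the parameter at /sbin/shutdown, so name it the way the shutdown script entry does ("the user connected to the server") or state that it runs as root if that is the case. Smaller points in the same entry: "This a full path name" is missing "is", "\fBsmbd(8)\fRthat" needs a space before "that", and the HEAD-only sentence runs straight into the description with no paragraph break.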
@@ -1456,6 +1513,19 @@ Default: \fBnone\fR
Example: \fBadd share command = /usr/local/bin/addshare\fR
.PP
.TP
+\fBadd machine script (G)\fR
+This is the full pathname to a script that will
+be run by smbd(8)when a machine is added
+to it's domain using the administrator username and password method.
+
+This option is only required when using sam back-ends tied to the
+Unix uid method of RID calculation such as smbpasswd. This option is only
+available in Samba 3.0.
+
+Default: \fBadd machine script = <empty string>
+\fR
+Example: \fBadd machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
+\fR.TP
\fBadd user script (G)\fR
This is the full pathname to a script that will
be run \fBAS ROOT\fR by smbd(8)
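Review bot: the add machine script entry never states which user the script runs as, while the add user script entry directly below it says "AS ROOT" in bold. Please state the privilege here too. Since the example hands %u straight to adduser, the text should also say what form the machine name takes when it reaches the script. Wording fixes: "to it's domain" should be "to its domain" and "smbd(8)when" needs a space. "This option is only available in Samba 3.0" also sits oddly next to the template homedir hunk later in this patch, which deletes the same kind of 3.0-only note; one of the two probably needs revisiting.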
@@ -1469,7 +1539,7 @@ Windows NT PDC is an onerous task. This option allows smbdto create the required
\fBON DEMAND\fR when a user accesses the Samba server.
In order to use this option, smbd
-must be set to \fIsecurity=server\fR or \fI security=domain\fR and \fIadd user script\fR
+must be set to \fIsecurity = server\fR or \fI security = domain\fR and \fIadd user script\fR
must be set to a full pathname for a script that will create a UNIX
user given one argument of \fI%u\fR, which expands into
the UNIX user name to create.
@@ -1556,7 +1626,7 @@ that nmbd will use when announcing itself as a server. The default
is 4.2. Do not change this parameter unless you have a specific
need to set a Samba server to be a downlevel server.
-Default: \fBannounce version = 4.2\fR
+Default: \fBannounce version = 4.5\fR
Example: \fBannounce version = 2.0\fR
.TP
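Review bot: the Default line now reads "announce version = 4.5", but the description two lines above it still says "The default is 4.2." Update the prose in the same change so the entry does not give two different defaults.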
@@ -1887,7 +1957,7 @@ Default: \fBcode page directory = ${prefix}/lib/codepages
\fR
Example: \fBcode page directory = /usr/share/samba/codepages
\fR.TP
-\fBcodingsystem (G)\fR
+\fBcoding system (G)\fR
This parameter is used to determine how incoming
Shift-JIS Japanese characters are mapped from the incoming \fIclient code page\fR
used by the client, into file names in the UNIX filesystem.
@@ -2006,7 +2076,7 @@ parameter \fIdirectory mode
See also the \fIforce
create mode\fR parameter for forcing particular mode
-bits to be set on created files. See also the \fIdirectory mode"\fR parameter for masking
+bits to be set on created files. See also the \fIdirectory mode\fR parameter for masking
mode bits on created directories. See also the \fIinherit permissions\fR parameter.
Note that this parameter does not apply to permissions
@@ -2091,7 +2161,7 @@ Synonym for \fI log level\fR.
A synonym for \fI default service\fR.
.TP
\fBdefault case (S)\fR
-See the section on NAME MANGLING. Also note the \fIshort preserve case"\fR parameter.
+See the section on NAME MANGLING. Also note the \fIshort preserve case\fR parameter.
Default: \fBdefault case = lower\fR
.TP
@@ -2194,9 +2264,9 @@ see the \fIdelete printer
command\fR.
.PP
.PP
-See also \fIdelete share
+See also \fIadd share
command\fR, \fIchange
-share\fR.
+share command\fR.
.PP
.PP
Default: \fBnone\fR
@@ -2219,16 +2289,16 @@ DEMAND\fR when a user accesses the Samba server and the
Windows NT user no longer exists.
In order to use this option, \fBsmbd\fR must be
-set to \fIsecurity=domain\fR and \fIdelete
+set to \fIsecurity = domain\fR and \fIdelete
user script\fR must be set to a full pathname for a script
that will delete a UNIX user given one argument of \fI%u
\fR, which expands into the UNIX user name to delete.
\fBNOTE\fR that this is different to the \fIadd user script\fR
-which will work with the \fIsecurity=server\fR option
-as well as \fIsecurity=domain\fR. The reason for this
+which will work with the \fIsecurity = server\fR option
+as well as \fIsecurity = domain\fR. The reason for this
is only when Samba is a domain member does it get the information
on an attempted user logon that a user no longer exists. In the
-\fIsecurity=server\fR mode a missing user
+\fIsecurity = server\fR mode a missing user
is treated the same as an invalid password logon attempt. Deleting
the user in this circumstance would not be a good idea.
@@ -2248,7 +2318,7 @@ This script should delete the given UNIX username. In this way,
UNIX users are dynamically deleted to match existing Windows NT
accounts.
-See also security=domain,
+See also security = domain,
\fIpassword server\fR
, \fIadd user script\fR
\&.
@@ -2418,6 +2488,22 @@ Default: \fBdirectory security mask = 0777\fR
Example: \fBdirectory security mask = 0700\fR
.TP
+\fBdisable spoolss (G)\fR
+Enabling this parameter will disables Samba's support
+for the SPOOLSS set of MS-RPC's and will yield identical behavior
+as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
+Lanman style printing commands. Windows 9x/ME will be uneffected by
+the parameter. However, this will also disable the ability to upload
+printer drivers to a Samba server via the Windows NT Add Printer
+Wizard or by using the NT printer properties dialog window. It will
+also disable the capability of Windows NT/2000 clients to download
+print drivers from the Samba host upon demand.
+\fBBe very careful about enabling this parameter.\fR
+
+See also use client driver
+
+Default : \fBdisable spoolss = no\fR
+.TP
\fBdns proxy (G)\fR
Specifies that nmbd(8)
when acting as a WINS server and finding that a NetBIOS name has not
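Review bot: the disable spoolss text has three wording errors that should be fixed before it is synced into the HTML docs: "will disables" should be "will disable", "uneffected" should be "unaffected", and "MS-RPC's" should be "MS-RPCs". "See also use client driver" is also plain text; mark it up as \fIuse client driver\fR like the other cross-references so it matches the parameter entry this patch adds to the service list.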
@@ -2586,7 +2672,7 @@ In order for encrypted passwords to work correctly
\fBsmbd(8)\fRmust either
have access to a local \fIsmbpasswd(5)
\fRprogram for information on how to set up
-and maintain this file), or set the security=[server|domain] parameter which
+and maintain this file), or set the security = [server|domain] parameter which
causes \fBsmbd\fR to authenticate against another
server.
@@ -2596,8 +2682,6 @@ Default: \fBencrypt passwords = no\fR
This option enables a couple of enhancements to
cross-subnet browse propagation that have been added in Samba
but which are not standard in Microsoft implementations.
-\fBThese enhancements are currently only available in
-the HEAD Samba CVS tree (not Samba 2.2.x).\fR
The first enhancement to browse propagation consists of a regular
wildcard query to a Samba WINS server for all Domain Master Browsers,
@@ -2765,7 +2849,7 @@ would force all created directories to have read and execute
permissions set for 'group' and 'other' as well as the
read/write/execute bits set for the 'user'.
.TP
-\fBforce directory\fR
+\fBforce directory security mode (S)\fR
This parameter controls what UNIX permission bits
can be modified when a Windows NT client is manipulating the UNIX
permission on a directory using the native NT security dialog box.
@@ -2991,7 +3075,7 @@ users (root, wheel, floppy, etc) from remote clients.
Default: \fBhide local users = no\fR
.TP
-\fBhide unreadable(G)\fR
+\fBhide unreadable (S)\fR
This parameter prevents clients from seeing the
existance of files that cannot be read. Defaults to off.
@@ -3240,7 +3324,7 @@ by looking in the UNIX group database. A name starting with
\&'+' and '&' may be used at the start of the name in either order
so the value \fI+&group\fR means check the
UNIX group database, followed by the NIS netgroup database, and
-the value \fI&+group"\fR means check the NIS
+the value \fI&+group\fR means check the NIS
netgroup database, followed by the UNIX group database (the
same as the '@' prefix).
@@ -3281,9 +3365,9 @@ has oplocked. This allows complete data consistency between
SMB/CIFS, NFS and local file access (and is a \fBvery\fR
cool feature :-).
-This parameter defaults to on on systems
-that have the support, and off on systems that
-don't. You should never need to touch this parameter.
+This parameter defaults to on, but is translated
+to a no-op on systems that no not have the necessary kernel support.
+You should never need to touch this parameter.
See also the \fIoplocks\fR
and \fIlevel2 oplocks
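Review bot: typo in the rewritten kernel oplocks paragraph: "systems that no not have the necessary kernel support" should read "do not have". The new wording also no longer tells the reader how to find out whether their system has the support, which the old on/off phrasing at least implied; a short pointer would help.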
@@ -3300,7 +3384,7 @@ network client) will be able to connect to the Samba host.
Default : \fBlanman auth = yes\fR
.TP
-\fBlarge readwrite(G)\fR
+\fBlarge readwrite (G)\fR
This parameter determines whether or not smbd
supports the new 64k streaming read and write varient SMB requests introduced
with Windows 2000. Note that due to Windows 2000 client redirector bugs
@@ -3311,6 +3395,88 @@ code paths.
Default : \fBlarge readwrite = no\fR
.TP
+\fBldap admin dn (G)\fR
+This parameter is only available if Samba has been
+configure to include the \fB--with-ldapsam\fR option
+at compile time. This option should be considered experimental and
+under active development.
+
+The \fIldap admin dn\fR defines the Distinguished
+Name (DN) name used by Samba to contact the ldap
+server when retreiving user account information. The \fIldap
+admin dn\fR is used in conjunction with the admin dn password
+stored in the \fIprivate/secrets.tdb\fR file. See the
+\fBsmbpasswd(8)\fRman
+page for more information on how to accmplish this.
+
+Default : \fBnone\fR
+.TP
+\fBldap filter (G)\fR
+This parameter is only available if Samba has been
+configure to include the \fB--with-ldapsam\fR option
+at compile time. This option should be considered experimental and
+under active development.
+
+This parameter specifies the RFC 2254 compliant LDAP search filter.
+The default is to match the login name with the uid
+attribute for all entries matching the sambaAccount
+objectclass. Note that this filter should only return one entry.
+
+Default : \fBldap filter = (&(uid=%u)(objectclass=sambaAccount))\fR
+.TP
+\fBldap port (G)\fR
+This parameter is only available if Samba has been
+configure to include the \fB--with-ldapsam\fR option
+at compile time. This option should be considered experimental and
+under active development.
+
+This option is used to control the tcp port number used to contact
+the \fIldap server\fR.
+The default is to use the stand LDAP port 389.
+
+Default : \fBldap port = 389\fR
+.TP
+\fBldap server (G)\fR
+This parameter is only available if Samba has been
+configure to include the \fB--with-ldapsam\fR option
+at compile time. This option should be considered experimental and
+under active development.
+
+This parameter should contains the FQDN of the ldap directory
+server which should be queried to locate user account information.
+
+Default : \fBldap server = localhost\fR
+.TP
+\fBldap ssl (G)\fR
+This parameter is only available if Samba has been
+configure to include the \fB--with-ldapsam\fR option
+at compile time. This option should be considered experimental and
+under active development.
+
+This option is used to define whether or not Samba should
+use SSL when connecting to the \fIldap
+server\fR. This is \fBNOT\fR related to
+Samba SSL support which is enabled by specifying the
+\fB--with-ssl\fR option to the \fIconfigure\fR
+script (see \fIssl\fR).
+
+The \fIldap ssl\fR can be set to one of three values:
+(a) \fBon\fR - Always use SSL when contacting the
+\fIldap server\fR, (b) \fBoff\fR -
+Never use SSL when querying the directory, or (c) \fBstart
+tls\fR - Use the LDAPv3 StartTLS extended operation
+(RFC2830) for communicating with the directory server.
+
+Default : \fBldap ssl = off\fR
+.TP
+\fBldap suffix (G)\fR
+This parameter is only available if Samba has been
+configure to include the \fB--with-ldapsam\fR option
+at compile time. This option should be considered experimental and
+under active development.
+
+Default : \fBnone\fR
+.TP
\fBlevel2 oplocks (S)\fR
This parameter controls whether Samba supports
level2 (read-only) oplocks on a share.
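Review bot: with "ldap ssl = off" as the documented default and "ldap admin dn" described as the identity Samba binds with, the ldap server entry should say that pointing it at anything other than localhost sends the admin bind and the returned account data over the network unprotected unless ldap ssl is set to on or start tls. The ldap ssl entry should also say whether "on" still uses "ldap port = 389" or expects a different port. The ldap suffix entry has no description at all, only the compile-time boilerplate and a default. Wording: "configure to include" should be "configured to include" (repeated in all six entries), plus "retreiving", "accmplish", "the stand LDAP port" and "should contains".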
@@ -3495,7 +3661,7 @@ home directory. This is done in the following way:
This tells Samba to return the above string, with
substitutions made when a client requests the info, generally
in a NetUserGetInfo request. Win9X clients truncate the info to
-\\\\server\\share when a user does \fBnet use /home"\fR
+\\\\server\\share when a user does \fBnet use /home\fR
but use the whole string when dealing with profiles.
Note that in prior versions of Samba, the \fIlogon path\fR was returned rather than
@@ -3749,7 +3915,7 @@ Example 2: \fBlprm command = /usr/bin/cancel %p-%j
\fR.TP
\fBmachine password timeout (G)\fR
If a Samba server is a member of a Windows
-NT Domain (see the security=domain)
+NT Domain (see the security = domain)
parameter) then periodically a running smbd(8)process will try and change the MACHINE ACCOUNT
PASSWORD stored in the TDB called \fIprivate/secrets.tdb
\fR\&. This parameter specifies how often this password
@@ -3757,7 +3923,7 @@ will be changed, in seconds. The default is one week (expressed in
seconds), the same as a Windows NT Domain member server.
See also \fBsmbpasswd(8)
-\fR, and the security=domain) parameter.
+\fR, and the security = domain) parameter.
Default: \fBmachine password timeout = 604800\fR
.TP
@@ -3956,7 +4122,7 @@ it must include 010). See the parameter \fIcreate mask\fR for details.
Default: \fBmap system = no\fR
.TP
\fBmap to guest (G)\fR
-This parameter is only useful in security modes other than \fIsecurity=share\fR
+This parameter is only useful in security modes other than \fIsecurity = share\fR
- i.e. user, server,
and domain.
@@ -4158,13 +4324,13 @@ Default: \fBmax ttl = 259200\fR
.TP
\fBmax wins ttl (G)\fR
This option tells nmbd(8)
-when acting as a WINS server ( \fIwins support=yes\fR) what the maximum
+when acting as a WINS server ( \fIwins support = yes\fR) what the maximum
\&'time to live' of NetBIOS names that \fBnmbd\fR
will grant will be (in seconds). You should never need to change this
parameter. The default is 6 days (518400 seconds).
See also the \fImin
-wins ttl"\fR parameter.
+wins ttl\fR parameter.
Default: \fBmax wins ttl = 518400\fR
.TP
@@ -4604,11 +4770,11 @@ Default: \fBos2 driver map = <empty string>
With the addition of better PAM support in Samba 2.2,
this parameter, it is possible to use PAM's password change control
flag for Samba. If enabled, then PAM will be used for password
-changes when requested by an SMB client insted of the program listed in
+changes when requested by an SMB client instead of the program listed in
\fIpasswd program\fR.
It should be possible to enable this without changing your
\fIpasswd chat\fR
-paramater for most setups.
+parameter for most setups.
Default: \fBpam password change = no\fR
.TP
@@ -4635,15 +4801,20 @@ This chat sequence is often quite site specific, depending
on what local methods are used for password control (such as NIS
etc).
-The string can contain the macros \fI%o\fR
-and \fI%n\fR which are substituted for the old
-and new passwords respectively. It can also contain the standard
-macros \\n, \\r, \\t and %s to give line-feed,
-carriage-return, tab and space.
-
-The string can also contain a '*' which matches
-any sequence of characters.
-
+Note that this parameter only is only used if the \fIunix
+password sync\fR parameter is set to yes. This
+sequence is then called \fBAS ROOT\fR when the SMB password
+in the smbpasswd file is being changed, without access to the old
+password cleartext. This means that root must be able to reset the user's password
+without knowing the text of the previous password. In the presence of NIS/YP,
+this means that the passwd program must be
+executed on the NIS master.
+
+The string can contain the macro \fI%n\fR which is substituted
+for the new password. The chat sequence can also contain the standard
+macros \\n, \\r, \\t and \\s to give line-feed,
+carriage-return, tab and space. The chat sequence string can also contain
+a '*' which matches any sequence of characters.
Double quotes can be used to collect strings with spaces
in them into a single string.
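Review bot: "Note that this parameter only is only used" has a duplicated "only". More substantively, this hunk removes the %o macro from the documentation without saying what happens to an existing passwd chat string that still contains %o; the removed paragraph in the next hunk said it expanded to the empty string, and that is worth keeping as a one-line compatibility remark. The new requirement that root can reset the password without knowing the old one is the important operational point here and reads well.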
@@ -4651,14 +4822,7 @@ If the send string in any part of the chat sequence
is a full stop ".", then no string is sent. Similarly,
if the expect string is a full stop then no string is expected.
-Note that if the \fIunix
-password sync\fR parameter is set to true, then this
-sequence is called \fBAS ROOT\fR when the SMB password
-in the smbpasswd file is being changed, without access to the old
-password cleartext. In this case the old password cleartext is set
-to "" (the empty string).
-
-Also, if the \fIpam
+If the \fIpam
password change\fR parameter is set to true, the chat pairs
may be matched in any order, and sucess is determined by the PAM result,
not any particular output. The \\n macro is ignored for PAM conversions.
@@ -4830,14 +4994,14 @@ the \fIpassword server\fR parameter, however if an
\fBsmbd\fR makes a connection to a password server,
and then the password server fails, no more users will be able
to be authenticated from this \fBsmbd\fR. This is a
-restriction of the SMB/CIFS protocol when in \fBsecurity=server
+restriction of the SMB/CIFS protocol when in \fBsecurity = server
\fRmode and cannot be fixed in Samba.
.TP 0.2i
\(bu
If you are using a Windows NT server as your
password server then you will have to ensure that your users
-are able to login from the Samba server, as when in \fB security=server\fR mode the network logon will appear to
-come from there rather than from the user's workstation.
+are able to login from the Samba server, as when in \fB security = server\fR mode the network logon will appear to
+come from there rather than from the users workstation.
.RE
.PP
See also the \fIsecurity
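Review bot: the last changed line of this hunk turns "the user's workstation" into "the users workstation", which drops a correct apostrophe. Keep "user's"; only the "security = server" spacing needs to change on these lines.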
@@ -5045,16 +5209,16 @@ You may have to vary this command considerably depending
on how you normally print files on your system. The default for
the parameter varies depending on the setting of the \fIprinting\fR parameter.
-Default: For \fBprinting= BSD, AIX, QNX, LPRNG
+Default: For \fBprinting = BSD, AIX, QNX, LPRNG
or PLP :\fR
\fBprint command = lpr -r -P%p %s\fR
-For \fBprinting= SYS or HPUX :\fR
+For \fBprinting = SYS or HPUX :\fR
\fBprint command = lp -c -d%p %s; rm %s\fR
-For \fBprinting=SOFTQ :\fR
+For \fBprinting = SOFTQ :\fR
\fBprint command = lp -d%p -s %s; rm %s\fR
@@ -5551,7 +5715,7 @@ the most common setting needed when talking to Windows 98 and
Windows NT.
The alternatives are \fBsecurity = share\fR,
-\fBsecurity = server\fR or \fBsecurity=domain
+\fBsecurity = server\fR or \fBsecurity = domain
\fR\&.
In versions of Samba prior to 2..0, the default was
@@ -5658,7 +5822,7 @@ See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
\fR.PP
.PP
This is the default security setting in Samba 2.2.
-With user-level security a client must first "log=on" with a
+With user-level security a client must first "log-on" with a
valid username and password (which can be mapped using the \fIusername map\fR
parameter). Encrypted passwords (see the \fIencrypted passwords\fR parameter) can also
be used in this security mode. Parameters such as \fIuser\fR and \fIguest only\fR if set are then applied and
@@ -5829,29 +5993,6 @@ for details.
Default: \fBset directory = no\fR
.TP
-\fBshare modes (S)\fR
-This enables or disables the honoring of
-the \fIshare modes\fR during a file open. These
-modes are used by clients to gain exclusive read or write access
-to a file.
-
-These open modes are not directly supported by UNIX, so
-they are simulated using shared memory, or lock files if your
-UNIX doesn't support shared memory (almost all do).
-
-The share modes that are enabled by this option are
-DENY_DOS, DENY_ALL,
-DENY_READ, DENY_WRITE,
-DENY_NONE and DENY_FCB.
-
-This option gives full share compatibility and enabled
-by default.
-
-You should \fBNEVER\fR turn this parameter
-off as many Windows applications will break if you do so.
-
-Default: \fBshare modes = yes\fR
-.TP
\fBshort preserve case (S)\fR
This boolean parameter controls if new files
which conform to 8.3 syntax, that is all in upper case and of
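Review bot: this hunk deletes the whole share modes entry, including its "You should NEVER turn this parameter off" warning, and the parameter is also dropped from the service parameter list earlier in the patch. If smbd still accepts the parameter, a short entry saying it is deprecated and should be left at its default would be safer than removing the warning outright; if the parameter is gone from the code, say so in the commit message.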
@@ -5892,6 +6033,53 @@ command\fR, \fIdeleteprinter command\fR, \fIprinter admin\fR
Default :\fBshow add printer wizard = yes\fR
.TP
+\fBshutdown script (G)\fR
+\fBThis parameter only exists in the HEAD cvs branch\fR
+This a full path name to a script called by
+\fBsmbd(8)\fRthat
+should start a shutdown procedure.
+
+This command will be run as the user connected to the
+server.
+
+%m %t %r %f parameters are expanded
+
+\fI%m\fR will be substituted with the
+shutdown message sent to the server.
+
+\fI%t\fR will be substituted with the
+number of seconds to wait before effectively starting the
+shutdown procedure.
+
+\fI%r\fR will be substituted with the
+switch \fB-r\fR. It means reboot after shutdown
+for NT.
+
+\fI%f\fR will be substituted with the
+switch \fB-f\fR. It means force the shutdown
+even if applications do not respond for NT.
+
+Default: \fBNone\fR.
+
+Example: \fBabort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f\fR
+
+Shutdown script example:
+.sp
+.nf
+ #!/bin/bash
+
+ $time=0
+ let "time/60"
+ let "time++"
+
+ /sbin/shutdown $3 $4 +$time $1 &
+
+.sp
+.fi
+Shutdown does not return so we need to launch it in background.
+
+See also \fIabort shutdown script\fR.
+.TP
\fBsmb passwd file (G)\fR
This option sets the path to the encrypted
smbpasswd file. By default the path to the smbpasswd file
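Review bot: the Example line under shutdown script sets the wrong parameter: it reads "abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f" and should be "shutdown script = ...". The sample script does not work as written either: "$time=0" is not a bash assignment, "let "time/60"" computes a value without storing it, and $2 (the %t seconds) is never read, so the delay does not depend on what the client asked for. Something like time=$2 followed by let "time/=60" and let "time++" matches the stated intent. $1 carries the shutdown message sent to the server, so it should be quoted as "$1" when passed to /sbin/shutdown. Finally, the entry says the script runs as the connected user while the example calls /sbin/shutdown; say how that user is expected to have the right to do so.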
@@ -5978,8 +6166,8 @@ or disable the option, by default they will be enabled if you
don't specify 1 or 0.
.PP
.PP
-To specify an argument use the syntax SOME_OPTION=VALUE
-for example \fBSO_SNDBUF=8192\fR. Note that you must
+To specify an argument use the syntax SOME_OPTION = VALUE
+for example \fBSO_SNDBUF = 8192\fR. Note that you must
not have any spaces before or after the = sign.
.PP
.PP
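Review bot: the spacing change must not be applied to this paragraph. The new lines read "SOME_OPTION = VALUE" and "SO_SNDBUF = 8192", and the very next sentence says "you must not have any spaces before or after the = sign". This is the socket option argument syntax, not an smb.conf "name = value" line, so revert these two lines to SOME_OPTION=VALUE and SO_SNDBUF=8192.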
@@ -6024,7 +6212,7 @@ be formatted as the output of the standard Unix \fBenv(1)
Example environment entry:
-\fBSAMBA_NETBIOS_NAME=myhostname\fR
+\fBSAMBA_NETBIOS_NAME = myhostname\fR
Default: \fBNo default value\fR
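Review bot: "SAMBA_NETBIOS_NAME = myhostname" is an example of an environment entry, which the hunk header context describes as formatted like the output of env(1), and that output has no spaces around "=". The search-and-replace for parameter spacing has changed the example's meaning; restore "SAMBA_NETBIOS_NAME=myhostname".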
@@ -6039,17 +6227,13 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
This variable enables or disables the entire SSL mode. If
it is set to no, the SSL-enabled Samba behaves
exactly like the non-SSL Samba. If set to yes,
it depends on the variables \fI ssl hosts\fR and \fIssl hosts resign\fR whether an SSL
connection will be required.
-Default: \fBssl=no\fR
+Default: \fBssl = no\fR
.TP
\fBssl CA certDir (G)\fR
This variable is part of SSL-enabled Samba. This
@@ -6057,10 +6241,6 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
This variable defines where to look up the Certification
Authorities. The given directory should contain one file for
each CA that Samba will trust. The file name must be the hash
@@ -6077,10 +6257,6 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
This variable is a second way to define the trusted CAs.
The certificates of the trusted CAs are collected in one big
file and this variable points to the file. You will probably
@@ -6098,10 +6274,6 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
This variable defines the ciphers that should be offered
during SSL negotiation. You should not set this variable unless
you know what you are doing.
@@ -6112,10 +6284,6 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
The certificate in this file is used by \fBsmbclient(1)\fRif it exists. It's needed
if the server requires a client certificate.
@@ -6127,10 +6295,6 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
This is the private key for \fBsmbclient(1)\fR. It's only needed if the
client should have a certificate.
@@ -6142,17 +6306,55 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
-This variable defines whether SSLeay should be configured
+This variable defines whether OpenSSL should be configured
for bug compatibility with other SSL implementations. This is
probably not desirable because currently no clients with SSL
-implementations other than SSLeay exist.
+implementations other than OpenSSL exist.
Default: \fBssl compatibility = no\fR
.TP
+\fBssl egd socket (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+This option is used to define the location of the communiation socket of
+an EGD or PRNGD daemon, from which entropy can be retrieved. This option
+can be used instead of or together with the \fIssl entropy file\fR
+directive. 255 bytes of entropy will be retrieved from the daemon.
+
+Default: \fBnone\fR
+.TP
+\fBssl entropy bytes (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+This parameter is used to define the number of bytes which should
+be read from the \fIssl entropy
+file\fR If a -1 is specified, the entire file will
+be read.
+
+Default: \fBssl entropy bytes = 255\fR
+.TP
+\fBssl entropy file (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+This parameter is used to specify a file from which processes will
+read "random bytes" on startup. In order to seed the internal pseudo
+random number generator, entropy must be provided. On system with a
+\fI/dev/urandom\fR device file, the processes
+will retrieve its entropy from the kernel. On systems without kernel
+entropy support, a file can be supplied that will be read on startup
+and that will be used to seed the PRNG.
+
+Default: \fBnone\fR
+.TP
\fBssl hosts (G)\fR
See \fI ssl hosts resign\fR.
.TP
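Review bot: the new ssl entropy file entry says the file "will be used to seed the PRNG" but gives no guidance on what the file must contain or who may read it. State that its contents must be unpredictable and that it should not be readable by other users, and say whether the file is ignored when /dev/urandom exists, since the text implies but does not state that. In ssl entropy bytes, "\fIssl entropy file\fR If a -1 is specified" is missing the full stop after the parameter name. Typos: "communiation" in ssl egd socket and "On system with" in ssl entropy file.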
@@ -6162,10 +6364,6 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
These two variables define whether Samba will go
into SSL mode or not. If none of them is defined, Samba will
allow only SSL connections. If the \fIssl hosts\fR variable lists
@@ -6191,10 +6389,6 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
If this variable is set to yes, the
server will not tolerate connections from clients that don't
have a valid certificate. The directory/file given in \fIssl CA certDir\fR
@@ -6217,10 +6411,6 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
If this variable is set to yes, the
\fBsmbclient(1)\fR
will request a certificate from the server. Same as
@@ -6235,10 +6425,6 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
This is the file containing the server's certificate.
The server \fBmust\fR have a certificate. The
file may also contain the server's private key. See later for
@@ -6252,10 +6438,6 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
This file contains the private key of the server. If
this variable is not defined, the key is looked up in the
certificate file (it may be appended to the certificate).
@@ -6271,10 +6453,6 @@ is only available if the SSL libraries have been compiled on your
system and the configure option \fB--with-ssl\fR was
given at configure time.
-\fBNote\fR that for export control reasons
-this code is \fBNOT\fR enabled by default in any
-current binary version of Samba.
-
This enumeration variable defines the versions of the
SSL protocol that will be used. ssl2or3 allows
dynamic negotiation of SSL v2 or v3, ssl2 results
@@ -6390,9 +6568,6 @@ the debug log files.
Default: \fBsyslog only = no\fR
.TP
\fBtemplate homedir (G)\fR
-\fBNOTE:\fR this parameter is
-only available in Samba 3.0.
-
When filling out the user information for a Windows NT
user, the winbindd(8)daemon
uses this parameter to fill in the home directory for that user.
@@ -6404,9 +6579,6 @@ NT user name.
Default: \fBtemplate homedir = /home/%D/%U\fR
.TP
\fBtemplate shell (G)\fR
-\fBNOTE:\fR this parameter is
-only available in Samba 3.0.
-
When filling out the user information for a Windows NT
user, the winbindd(8)daemon
uses this parameter to fill in the login shell for that user.
@@ -6489,6 +6661,38 @@ password in order to connect correctly, and to update their hashed
Default: \fBupdate encrypted = no\fR
.TP
+\fBuse client driver (S)\fR
+This parameter applies only to Windows NT/2000
+clients. It has no affect on Windows 95/98/ME clients. When
+serving a printer to Windows NT/2000 clients without first installing
+a valid printer driver on the Samba host, the client will be required
+to install a local printer driver. From this point on, the client
+will treat the print as a local printer and not a network printer
+connection. This is much the same behavior that will occur
+when \fBdisable spoolss = yes\fR.
+
+The differentiating
+factor is that under normal circumstances, the NT/2000 client will
+attempt to open the network printer using MS-RPC. The problem is that
+because the client considers the printer to be local, it will attempt
+to issue the OpenPrinterEx() call requesting access rights associated
+with the logged on user. If the user possesses local administator rights
+but not root privilegde on the Samba host (often the case), the OpenPrinterEx()
+call will fail. The result is that the client will now display an "Access
+Denied; Unable to connect" message in the printer queue window (even though
+jobs may successfully be printed).
+
+If this parameter is enabled for a printer, then any attempt
+to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
+to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
+call to succeed. \fBThis parameter MUST not be able enabled
+on a print share which has valid print driver installed on the Samba
+server.\fR
+
+See also disable spoolss
+
+Default: \fBuse client driver = no\fR
+.TP
\fBuse rhosts (G)\fR
If this global parameter is true, it specifies
that the UNIX user's \fI.rhosts\fR file in their home directory
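Review bot: the added "use client driver" entry has several slips that will land in the rendered man page: "no affect" (effect), "treat the print as a local printer" (printer), "administator", "privilegde", and "MUST not be able enabled" (MUST NOT be enabled). "Thus allowing the OpenPrinterEx() call to succeed." is a fragment and should be joined to the sentence before it, and "See also disable spoolss" should be marked up and punctuated like the other cross-references. The parameter changes which access right is granted (PRINTER_ACCESS_ADMINISTER mapped to PRINTER_ACCESS_USE), so the restriction in the MUST NOT sentence needs to read unambiguously.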
@@ -6675,7 +6879,7 @@ Default: \fBno username map\fR
Example: \fBusername map = /usr/local/samba/lib/users.map
\fR.TP
-\fButmp (S)\fR
+\fButmp (G)\fR
This boolean parameter is only available if
Samba has been configured and compiled with the option \fB --with-utmp\fR. If set to true then Samba will attempt
to add utmp or utmpx records (depending on the UNIX system) whenever a
@@ -6788,12 +6992,13 @@ separator '/'.
Note that the \fIcase sensitive\fR option
is applicable in vetoing files.
-One feature of the veto files parameter that it is important
-to be aware of, is that if a directory contains nothing but files
-that match the veto files parameter (which means that Windows/DOS
-clients cannot ever see them) is deleted, the veto files within
-that directory \fBare automatically deleted\fR along
-with it, if the user has UNIX permissions to do so.
+One feature of the veto files parameter that it
+is important to be aware of is Samba's behaviour when
+trying to delete a directory. If a directory that is
+to be deleted contains nothing but veto files this
+deletion will \fBfail\fR unless you also set
+the \fIdelete veto files\fR parameter to
+\fIyes\fR.
Setting this parameter will affect the performance
of Samba, as it will be forced to check all files and directories
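Review bot: the rewritten veto files paragraph reverses the documented behaviour (the old text said the veto files "are automatically deleted" with the directory, the new text says the deletion will "fail" unless delete veto files is yes) and drops the old condition "if the user has UNIX permissions to do so". Please state whether that permission condition still applies when delete veto files = yes, so administrators who relied on the old wording know what changed. Wording: "that it is important to be aware of is" is awkward, and a comma is needed after "nothing but veto files".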
@@ -6838,7 +7043,7 @@ To cause Samba not to grant oplocks on these files you would use
the line (either in the [global] section or in the section for
the particular NetBench share :
-Example: \fBveto oplock files = /*;.SEM/
+Example: \fBveto oplock files = /*.SEM/
\fR.TP
\fBvfs object (S)\fR
This parameter specifies a shared object file that
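Review bot: the line after the corrected example still reads "\fR.TP", so the .TP request is not at the start of a line and troff will print it as text instead of starting the vfs object entry. Move "\fR" to the end of the example line and put ".TP" on its own line. The context above also opens a parenthesis at "(either in the [global] section" that is closed only by " :"; fix that while the example is being touched.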
@@ -6878,9 +7083,6 @@ that Samba has to do in order to perform the link checks.
Default: \fBwide links = yes\fR
.TP
\fBwinbind cache time\fR
-\fBNOTE:\fR this parameter is only
-available in Samba 3.0.
-
This parameter specifies the number of seconds the
winbindd(8)daemon will cache
user and group information before querying a Windows NT server
@@ -6888,10 +7090,42 @@ again.
Default: \fBwinbind cache type = 15\fR
.TP
+\fBwinbind enum users\fR
+On large installations using
+winbindd(8)it may be
+necessary to suppress the enumeration of users through the
+\fBsetpwent()\fR,
+\fBgetpwent()\fR and
+\fBendpwent()\fR group of system calls. If
+the \fIwinbind enum users\fR parameter is
+false, calls to the \fBgetpwent\fR system call
+will not return any data.
+
+\fBWarning:\fR Turning off user
+enumeration may cause some programs to behave oddly. For
+example, the finger program relies on having access to the
+full user list when searching for matching
+usernames.
+
+Default: \fBwinbind enum users = yes \fR
+.TP
+\fBwinbind enum groups\fR
+On large installations using
+winbindd(8)it may be
+necessary to suppress the enumeration of groups through the
+\fBsetgrent()\fR,
+\fBgetgrent()\fR and
+\fBendgrent()\fR group of system calls. If
+the \fIwinbind enum groups\fR parameter is
+false, calls to the \fBgetgrent()\fR system
+call will not return any data.
+
+\fBWarning:\fR Turning off group
+enumeration may cause some programs to behave oddly.
+
+Default: \fBwinbind enum groups = yes \fR
+.TP
\fBwinbind gid\fR
-\fBNOTE:\fR this parameter is only
-available in Samba 3.0.
-
The winbind gid parameter specifies the range of group
ids that are allocated by the winbindd(8)daemon. This range of group ids should have no
existing local or NIS groups within it as strange conflicts can
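Review bot: both new entries read "winbindd(8)it may be", with no space after the cross-reference. setpwent(), getpwent(), endpwent() and the group equivalents are C library functions, not system calls, and the users entry writes "getpwent" without parentheses where the groups entry writes "getgrent()". The Default lines carry a trailing space before "\fR". The unchanged first line of the hunk still says "Default: winbind cache type = 15" under the winbind cache time entry; it would be worth correcting in the same sync.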
@@ -6902,9 +7136,6 @@ Default: \fBwinbind gid = <empty string>
Example: \fBwinbind gid = 10000-20000\fR
.TP
\fBwinbind separator\fR
-\fBNOTE:\fR this parameter is only
-available in Samba 3.0.
-
This parameter allows an admin to define the character
used when listing a username of the form of \fIDOMAIN
\fR\\\fIuser\fR. This parameter
@@ -6916,9 +7147,6 @@ Example: \fBwinbind separator = \\\fR
Example: \fBwinbind separator = +\fR
.TP
\fBwinbind uid\fR
-\fBNOTE:\fR this parameter is only
-available in Samba 3.0.
-
The winbind gid parameter specifies the range of group
ids that are allocated by the winbindd(8)daemon. This range of ids should have no
existing local or NIS users within it as strange conflicts can
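Review bot: the description kept as context under "winbind uid" still begins "The winbind gid parameter specifies the range of group ids", a copy of the winbind gid entry. Since this hunk edits the entry anyway, change it to "The winbind uid parameter specifies the range of user ids" so the two ranges are not confused when they are configured.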
@@ -7013,7 +7241,7 @@ Default: \fBwins support = no\fR
\fBworkgroup (G)\fR
This controls what workgroup your server will
appear to be in when queried by clients. Note that this parameter
-also controls the Domain name used with the \fBsecurity=domain\fR
+also controls the Domain name used with the \fBsecurity = domain\fR
setting.
Default: \fBset at compile time to WORKGROUP\fR
diff --git a/docs/manpages/smbclient.1 b/docs/manpages/smbclient.1
index 29cd3094a7c..41102ca822c 100644
--- a/docs/manpages/smbclient.1
+++ b/docs/manpages/smbclient.1
@@ -3,12 +3,12 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "SMBCLIENT" "1" "09 July 2001" "" ""
+.TH "SMBCLIENT" "1" "15 September 2001" "" ""
.SH NAME
smbclient \- ftp-like client to access SMB/CIFS resources on servers
.SH SYNOPSIS
.sp
-\fBsmbclient\fR \fBservicename\fR [ \fBpassword\fR ] [ \fB-b <buffer size>\fR ] [ \fB-d debuglevel\fR ] [ \fB-D Directory\fR ] [ \fB-S server\fR ] [ \fB-U username\fR ] [ \fB-W workgroup\fR ] [ \fB-M <netbios name>\fR ] [ \fB-m maxprotocol\fR ] [ \fB-A authfile\fR ] [ \fB-N\fR ] [ \fB-l logfile\fR ] [ \fB-L <netbios name>\fR ] [ \fB-I destinationIP\fR ] [ \fB-E <terminal code>\fR ] [ \fB-c <command string>\fR ] [ \fB-i scope\fR ] [ \fB-O <socket options>\fR ] [ \fB-p port\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-s <smb config file>\fR ] [ \fB-T<c|x>IXFqgbNan\fR ]
+\fBsmbclient\fR \fBservicename\fR [ \fBpassword\fR ] [ \fB-b <buffer size>\fR ] [ \fB-d debuglevel\fR ] [ \fB-D Directory\fR ] [ \fB-U username\fR ] [ \fB-W workgroup\fR ] [ \fB-M <netbios name>\fR ] [ \fB-m maxprotocol\fR ] [ \fB-A authfile\fR ] [ \fB-N\fR ] [ \fB-l logfile\fR ] [ \fB-L <netbios name>\fR ] [ \fB-I destinationIP\fR ] [ \fB-E <terminal code>\fR ] [ \fB-c <command string>\fR ] [ \fB-i scope\fR ] [ \fB-O <socket options>\fR ] [ \fB-p port\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-s <smb config file>\fR ] [ \fB-T<c|x>IXFqgbNan\fR ]
.SH "DESCRIPTION"
.PP
This tool is part of the Sambasuite.
@@ -157,7 +157,8 @@ messages.
\fB-i scope\fR
This specifies a NetBIOS scope that smbclient will
use to communicate with when generating NetBIOS names. For details
-on the use of NetBIOS scopes, see \fIrfc1001.txt\fR and \fIrfc1002.txt\fR.
+on the use of NetBIOS scopes, see \fIrfc1001.txt\fR
+and \fIrfc1002.txt\fR.
NetBIOS scopes are \fBvery\fR rarely used, only set
this parameter if you are the system administrator in charge of all
the NetBIOS systems you communicate with.
diff --git a/docs/manpages/smbcontrol.1 b/docs/manpages/smbcontrol.1
index 6e4fd851562..ee7ba6e629b 100644
--- a/docs/manpages/smbcontrol.1
+++ b/docs/manpages/smbcontrol.1
@@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "SMBCONTROL" "1" "09 July 2001" "" ""
+.TH "SMBCONTROL" "1" "03 August 2001" "" ""
.SH NAME
smbcontrol \- send messages to smbd or nmbd processes
.SH SYNOPSIS
@@ -84,6 +84,11 @@ message to smbd which in turn sends a printer notify message to
any Windows NT clients connected to a printer. This message-type
takes an argument of the printer name to send notify messages to.
This message can only be sent to smbd.
+
+The close-share message-type sends a
+message to smbd which forces smbd to close the share that was
+specified as an argument. This may be useful if you made changes
+to the access controls on the share.
.TP
\fBparameters\fR
any parameters required for the message-type
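Review bot: the new close-share paragraph does not say which destinations accept the message, while the paragraph just above it ends "This message can only be sent to smbd."; add the same sentence here. It should also say outright what the last sentence implies, that changed access controls on a share do not affect connections that are already open until the share is closed, and that the argument is the share name.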
diff --git a/docs/manpages/smbd.8 b/docs/manpages/smbd.8
index 84000136083..bfcac80157d 100644
--- a/docs/manpages/smbd.8
+++ b/docs/manpages/smbd.8
@@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "SMBD" "8" "09 July 2001" "" ""
+.TH "SMBD" "8" "31 July 2001" "" ""
.SH NAME
smbd \- server to provide SMB/CIFS services to clients
.SH SYNOPSIS
@@ -445,10 +445,10 @@ memory area in an inconsistent state. The safe way to terminate
an \fBsmbd\fR is to send it a SIGTERM (-15) signal and wait for
it to die on its own.
.PP
-The debug log level of \fBsmbd\fR may be raised by sending
-it a SIGUSR1 (\fBkill -USR1 <smbd-pid>\fR)
-and lowered by sending it a SIGUSR2 (\fBkill -USR2 <smbd-pid>
-\fR). This is to allow transient problems to be diagnosed,
+The debug log level of \fBsmbd\fR may be raised
+or lowered using \fBsmbcontrol(1)
+\fRprogram (SIGUSR[1|2] signals are no longer used in
+Samba 2.2). This is to allow transient problems to be diagnosed,
whilst still running at a normally low log level.
.PP
Note that as the signal handlers send a debug write,
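Review bot: the rewritten sentence says SIGUSR[1|2] signals are no longer used in Samba 2.2, but the next paragraph, left as context, still begins "Note that as the signal handlers send a debug write"; update or remove that paragraph so the page does not describe both mechanisms. The new text is also missing an article: "using \fBsmbcontrol(1)\fR program" should be "using the \fBsmbcontrol(1)\fR program", and the "\fR" should stay on the same line as the bold text.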
diff --git a/docs/manpages/smbmnt.8 b/docs/manpages/smbmnt.8
index 37626fa19fe..93e334f25c2 100644
--- a/docs/manpages/smbmnt.8
+++ b/docs/manpages/smbmnt.8
@@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "SMBMNT" "8" "09 July 2001" "" ""
+.TH "SMBMNT" "8" "06 October 2001" "" ""
.SH NAME
smbmnt \- helper utility for mounting SMB filesystems
.SH SYNOPSIS
@@ -13,14 +13,18 @@ smbmnt \- helper utility for mounting SMB filesystems
.PP
\fBsmbmnt\fR is a helper application used
by the smbmount program to do the actual mounting of SMB shares.
-\fBsmbmnt\fR is meant to be installed setuid root
-so that normal users can mount their SMB shares. It checks
-whether the user has write permissions on the mount point and
-then mounts the directory.
+\fBsmbmnt\fR can be installed setuid root if you want
+normal users to be able to mount their SMB shares.
+.PP
+A setuid smbmnt will only allow mounts on directories owned
+by the user, and that the user has write permission on.
.PP
The \fBsmbmnt\fR program is normally invoked
by \fBsmbmount(8)\fR
. It should not be invoked directly by users.
+.PP
+smbmount searches the normal PATH for smbmnt. You must ensure
+that the smbmnt version in your path matches the smbmount used.
.SH "OPTIONS"
.TP
\fB-r\fR
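Review bot: the added sentence "smbmount searches the normal PATH for smbmnt" documents a PATH lookup for a helper that this same hunk says may be installed setuid root, so a version-match warning is not enough. Add that the PATH in effect when smbmount is run, root's in particular, should contain only trusted directories, or that smbmnt should be installed in a fixed location. The old text described a write-permission check only; the new text adds an ownership requirement, so please confirm it matches the code. "directories owned by the user, and that the user has write permission on" would read better as "directories that the user owns and can write to".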
diff --git a/docs/manpages/smbmount.8 b/docs/manpages/smbmount.8
index 2c86b922400..f57c0b54da4 100644
--- a/docs/manpages/smbmount.8
+++ b/docs/manpages/smbmount.8
@@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "SMBMOUNT" "8" "09 July 2001" "" ""
+.TH "SMBMOUNT" "8" "06 October 2001" "" ""
.SH NAME
smbmount \- mount an smbfs filesystem
.SH SYNOPSIS
@@ -11,10 +11,11 @@ smbmount \- mount an smbfs filesystem
\fBsmbumount\fR \fBservice\fR \fBmount-point\fR [ \fB-o options\fR ]
.SH "DESCRIPTION"
.PP
-\fBsmbmount\fR mounts a SMB filesystem. It
-is usually invoked as \fBmount.smb\fR from
+\fBsmbmount\fR mounts a Linux SMB filesystem. It
+is usually invoked as \fBmount.smbfs\fR by
the \fBmount(8)\fR command when using the
-"-t smb" option. The kernel must support the smbfs filesystem.
+"-t smbfs" option. This command only works in Linux, and the kernel must
+support the smbfs filesystem.
.PP
Options to \fBsmbmount\fR are specified as a comma-separated
list of key=value pairs. It is possible to send options other
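Review bot: the synopsis line kept as context at the top of this hunk still starts with "\fBsmbumount\fR" on the smbmount page, the same kind of wrong-command synopsis this commit corrects in wbinfo.1 and winbindd.8; it should read "\fBsmbmount\fR". In the new description, "mounts a Linux SMB filesystem" is ambiguous (the filesystem being mounted is served over SMB, the client is Linux); "mounts an SMB filesystem on Linux" matches the "only works in Linux" sentence added below it.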
@@ -102,7 +103,9 @@ The default is based on the current umask.
.TP
\fBdebug=<arg>\fR
sets the debug level. This is useful for
-tracking down SMB connection problems.
+tracking down SMB connection problems. A suggested value to
+start with is 4. If set too high there will be a lot of
+output, possibly hiding the useful output.
.TP
\fBip=<arg>\fR
sets the destination host or IP address.
@@ -160,19 +163,26 @@ person using the client. This information is used only if the
protocol level is high enough to support session-level
passwords.
.PP
-The variable \fBPASSWD_FILE\fR may contain the pathname of
-a file to read the password from. A single line of input is
+The variable \fBPASSWD_FILE\fR may contain the pathname
+of a file to read the password from. A single line of input is
read and used as the password.
.SH "BUGS"
.PP
-Not many known smbmount bugs. But one smbfs bug is
-important enough to mention here anyway:
+Passwords and other options containing , can not be handled.
+For passwords an alternative way of passing them is in a credentials
+file or in the PASSWD environment.
+.PP
+The credentials file does not handle usernames or passwords with
+leading space.
+.PP
+One smbfs bug is important enough to mention here, even if it
+is a bit misplaced:
.TP 0.2i
\(bu
Mounts sometimes stop working. This is usually
caused by smbmount terminating. Since smbfs needs smbmount to
-reconnect when the server disconnects, the mount will go
-dead. A re-mount normally fixes this. At least 2 ways to
+reconnect when the server disconnects, the mount will eventually go
+dead. An umount/mount normally fixes this. At least 2 ways to
trigger this bug are known.
.PP
Note that the typical response to a bug report is suggestion
@@ -182,8 +192,15 @@ when reporting bugs (minimum: samba, kernel, distribution)
.PP
.SH "SEE ALSO"
.PP
-Documentation/filesystems/smbfs.txt in the kernel source tree
-may contain additional options and information.
+Documentation/filesystems/smbfs.txt in the linux kernel
+source tree may contain additional options and information.
+.PP
+FreeBSD also has a smbfs, but it is not related to smbmount
+.PP
+For Solaris, HP-UX and others you may want to look at
+\fBsmbsh(1)\fRor at other
+solutions, such as sharity or perhaps replacing the SMB server with
+a NFS server.
.SH "AUTHOR"
.PP
Volker Lendecke, Andrew Tridgell, Michael H. Warfield
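Review bot: the added SEE ALSO text has formatting slips: "\fBsmbsh(1)\fRor at other" needs a space after "\fR", "FreeBSD also has a smbfs, but it is not related to smbmount" has no closing full stop, "linux kernel" should be capitalised, and "a NFS server" should be "an NFS server".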
diff --git a/docs/manpages/smbpasswd.8 b/docs/manpages/smbpasswd.8
index fc68324facf..464e73240a1 100644
--- a/docs/manpages/smbpasswd.8
+++ b/docs/manpages/smbpasswd.8
@@ -3,12 +3,12 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "SMBPASSWD" "8" "09 July 2001" "" ""
+.TH "SMBPASSWD" "8" "16 September 2001" "" ""
.SH NAME
smbpasswd \- change a user's SMB password
.SH SYNOPSIS
.sp
-\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r <remote machine>\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-m\fR ] [ \fB-j DOMAIN\fR ] [ \fB-U username\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fBusername\fR ]
+\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r <remote machine>\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-m\fR ] [ \fB-j DOMAIN\fR ] [ \fB-U username[%password]\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fBusername\fR ]
.SH "DESCRIPTION"
.PP
This tool is part of the Sambasuite.
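Review bot: the synopsis now advertises "-U username[%password]", but nothing in this hunk documents the consequence of putting the password on the command line, where other local users can read it from the process list. Please extend the -U option description in the same change to say so and to recommend leaving out "%password" so that smbpasswd prompts for it.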
diff --git a/docs/manpages/smbumount.8 b/docs/manpages/smbumount.8
index efd3ba0cac7..ba5c6ea257c 100644
--- a/docs/manpages/smbumount.8
+++ b/docs/manpages/smbumount.8
@@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "SMBUMOUNT" "8" "09 July 2001" "" ""
+.TH "SMBUMOUNT" "8" "06 October 2001" "" ""
.SH NAME
smbumount \- smbfs umount for normal users
.SH SYNOPSIS
diff --git a/docs/manpages/wbinfo.1 b/docs/manpages/wbinfo.1
index 67a24f9613d..eebc67d2b7f 100644
--- a/docs/manpages/wbinfo.1
+++ b/docs/manpages/wbinfo.1
@@ -3,12 +3,12 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "WBINFO" "1" "09 July 2001" "" ""
+.TH "WBINFO" "1" "26 September 2001" "" ""
.SH NAME
wbinfo \- Query information from winbind daemon
.SH SYNOPSIS
.sp
-\fBnmblookup\fR [ \fB-u\fR ] [ \fB-g\fR ] [ \fB-n name\fR ] [ \fB-s sid\fR ] [ \fB-U uid\fR ] [ \fB-G gid\fR ] [ \fB-S sid\fR ] [ \fB-Y sid\fR ] [ \fB-t\fR ] [ \fB-m\fR ]
+\fBwbinfo\fR [ \fB-u\fR ] [ \fB-g\fR ] [ \fB-n name\fR ] [ \fB-s sid\fR ] [ \fB-U uid\fR ] [ \fB-G gid\fR ] [ \fB-S sid\fR ] [ \fB-Y sid\fR ] [ \fB-t\fR ] [ \fB-m\fR ]
.SH "DESCRIPTION"
.PP
This tool is part of the Sambasuite.
@@ -91,8 +91,7 @@ failure.
.SH "VERSION"
.PP
This man page is correct for version 2.2 of
-the Samba suite. winbindd is however not available in
-stable release of Samba as of yet.
+the Samba suite.
.SH "SEE ALSO"
.PP
\fBwinbindd(8)\fR
@@ -105,7 +104,7 @@ by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
.PP
\fBwbinfo\fR and \fBwinbindd\fR
-were written by TIm Potter.
+were written by Tim Potter.
.PP
The conversion to DocBook for Samba 2.2 was done
by Gerald Carter
diff --git a/docs/manpages/winbindd.8 b/docs/manpages/winbindd.8
index 72d4d304e93..c3d445c1c1d 100644
--- a/docs/manpages/winbindd.8
+++ b/docs/manpages/winbindd.8
@@ -3,16 +3,15 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "WINBINDD" "8" "09 July 2001" "" ""
+.TH "WINBINDD" "8" "26 September 2001" "" ""
.SH NAME
winbindd \- Name Service Switch daemon for resolving names from NT servers
.SH SYNOPSIS
.sp
-\fBnmblookup\fR [ \fB-d debuglevel\fR ] [ \fB-i\fR ] [ \fB-S\fR ] [ \fB-r\fR ] [ \fB-A\fR ] [ \fB-h\fR ] [ \fB-B <broadcast address>\fR ] [ \fB-U <unicast address>\fR ] [ \fB-d <debug level>\fR ] [ \fB-s <smb config file>\fR ] [ \fB-i <NetBIOS scope>\fR ] [ \fB-T\fR ] \fBname\fR
+\fBwinbindd\fR [ \fB-i\fR ] [ \fB-d <debug level>\fR ] [ \fB-s <smb config file>\fR ]
.SH "DESCRIPTION"
.PP
-This tool is part of the Sambasuite version 3.0 and describes functionality not
-yet implemented in the main version of Samba.
+This program is part of the Sambasuite.
.PP
\fBwinbindd\fR is a daemon that provides
a service for the Name Service Switch capability that is present
@@ -237,18 +236,15 @@ Now replace the account lines with this:
\fBaccount required /lib/security/pam_winbind.so
\fR.PP
The next step is to join the domain. To do that use the
-\fBsamedit\fR program like this:
+\fBsmbpasswd\fR program like this:
.PP
-\fBsamedit -S '*' -W DOMAIN -UAdministrator\fR
+\fBsmbpasswd -j DOMAIN -r PDC -U
+Administrator\fR
.PP
-The username after the \fI-U\fR can be any Domain
-user that has administrator privileges on the machine. Next from
-within \fBsamedit\fR, run the command:
-.PP
-\fBcreateuser MACHINE$ -j DOMAIN -L\fR
-.PP
-This assumes your domain is called "DOMAIN" and your Samba
-workstation is called "MACHINE".
+The username after the \fI-U\fR can be any
+Domain user that has administrator privileges on the machine.
+Substitute your domain name for "DOMAIN" and the name of your PDC
+for "PDC".
.PP
Next copy \fIlibnss_winbind.so\fR to
\fI/lib\fR and \fIpam_winbind.so\fR
@@ -295,7 +291,7 @@ on startup and when a SIGHUP is received. Thus, for a running \fB winbindd\fR to
servers, it must be sent a SIGHUP signal.
.PP
Client processes resolving names through the \fBwinbindd\fR
-nsswitch module read an environment variable named \fI $WINBINDD_DOMAIN\fR. If this variable contains a comma separated
+nsswitch module read an environment variable named \fB $WINBINDD_DOMAIN\fR. If this variable contains a comma separated
list of Windows NT domain names, then winbindd will only resolve users
and groups within those Windows NT domains.
.PP
@@ -348,7 +344,7 @@ Implementation of name service switch library.
\fB$LOCKDIR/winbindd_idmap.tdb\fR
Storage for the Windows NT rid to UNIX user/group
id mapping. The lock directory is specified when Samba is initially
-compiled using the \fI--with-lockdir\fR option.
+compiled using the \fI--with-lockdir\fR option.
This directory is by default \fI/usr/local/samba/var/locks
\fR\&.
.TP
@@ -356,9 +352,8 @@ This directory is by default \fI/usr/local/samba/var/locks
Storage for cached user and group information.
.SH "VERSION"
.PP
-This man page is correct for version 2.2 of
-the Samba suite. winbindd is however not available in
-the stable release of Samba as of yet.
+This man page is correct for version 2.2 of
+the Samba suite.
.SH "SEE ALSO"
.PP
\fInsswitch.conf(5)\fR,