diff options
| author | Jeremy Allison <jra@samba.org> | 2001-10-11 20:12:48 +0000 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2001-10-11 20:12:48 +0000 |
| commit | d981cbe37f4a15d45cb267b3e7498f4a9ce4e3ff (patch) | |
| tree | 330e732650517f620d933f129d2e9d35904c1241 /docs | |
| parent | 61b015fdeb4228bbcdf0fb65c0c93e67f5b80d4c (diff) | |
| download | samba-d981cbe37f4a15d45cb267b3e7498f4a9ce4e3ff.tar.gz | |
Sync...
Jeremy.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/docbook/.cvsignore | 3 | ||||
| -rw-r--r-- | docs/docbook/Makefile.in | 57 | ||||
| -rwxr-xr-x | docs/docbook/configure | 58 | ||||
| -rw-r--r-- | docs/docbook/configure.in | 7 | ||||
| -rw-r--r-- | docs/docbook/manpages/nmbd.8.sgml | 15 | ||||
| -rw-r--r-- | docs/docbook/manpages/smb.conf.5.sgml | 730 | ||||
| -rw-r--r-- | docs/docbook/manpages/smbclient.1.sgml | 4 | ||||
| -rw-r--r-- | docs/docbook/manpages/smbcontrol.1.sgml | 5 | ||||
| -rw-r--r-- | docs/docbook/manpages/smbd.8.sgml | 8 | ||||
| -rw-r--r-- | docs/docbook/manpages/smbmnt.8.sgml | 13 | ||||
| -rw-r--r-- | docs/docbook/manpages/smbmount.8.sgml | 41 | ||||
| -rw-r--r-- | docs/docbook/manpages/smbpasswd.8.sgml | 2 | ||||
| -rw-r--r-- | docs/docbook/manpages/wbinfo.1.sgml | 7 | ||||
| -rw-r--r-- | docs/docbook/manpages/winbindd.8.sgml | 51 | ||||
| -rw-r--r-- | docs/docbook/projdoc/Integrating-with-Windows.sgml | 4 | ||||
| -rw-r--r-- | docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 16 | ||||
| -rw-r--r-- | docs/docbook/projdoc/UNIX_INSTALL.sgml | 35 | ||||
| -rw-r--r-- | docs/docbook/projdoc/printer_driver2.sgml | 106 | ||||
| -rw-r--r-- | docs/docbook/projdoc/samba-doc.sgml | 5 | ||||
| -rw-r--r-- | docs/docbook/projdoc/winbind.sgml | 599 |
20 files changed, 1316 insertions, 450 deletions
diff --git a/docs/docbook/.cvsignore b/docs/docbook/.cvsignore index e3c12733753..04290fcd2eb 100644 --- a/docs/docbook/.cvsignore +++ b/docs/docbook/.cvsignore @@ -1,3 +1,4 @@ -confdefs.h +Makefile config.cache config.log +config.status diff --git a/docs/docbook/Makefile.in b/docs/docbook/Makefile.in index 49be35755cd..b0d445852ca 100644 --- a/docs/docbook/Makefile.in +++ b/docs/docbook/Makefile.in @@ -12,7 +12,6 @@ SRCDIR = @srcdir@ JADE = @JADE@ NSGMLS = @NSGMLS@ -ONSGMLS=@ONSGMLS@ SGMLSPL=@SGMLSPL@ HTMLDOC=@HTMLDOC@ PERL=@PERL@ @@ -133,7 +132,7 @@ man-all: $(SGMLMANSRC) @(for i in $?; do \ manfile=`echo $$i | sed 's,.*/,,' | sed "s/\.sgml//g"`; \ echo "Making $$manfile"; \ - $(ONSGMLS) -f /tmp/docbook2x.log $$i | $(SGMLSPL) \ + $(NSGMLS) -f /tmp/docbook2x.log $$i | $(SGMLSPL) \ $(SGML_SHARE)/docbook2X/docbook2man-spec.pl; \ cat /tmp/docbook2x.log | grep -v DTDDECL; \ /bin/rm -f /tmp/docbook2x.log; \ @@ -149,7 +148,7 @@ man-all: $(SGMLMANSRC) ## $(MANDIR)/findsmb.1: manpages/findsmb.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -157,7 +156,7 @@ $(MANDIR)/findsmb.1: manpages/findsmb.1.sgml $(MANDIR)/smbclient.1: manpages/smbclient.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -165,7 +164,7 @@ $(MANDIR)/smbclient.1: manpages/smbclient.1.sgml $(MANDIR)/smbspool.8: manpages/smbspool.8.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -173,7 +172,7 @@ $(MANDIR)/smbspool.8: manpages/smbspool.8.sgml $(MANDIR)/lmhosts.5: manpages/lmhosts.5.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -181,7 +180,7 @@ $(MANDIR)/lmhosts.5: manpages/lmhosts.5.sgml $(MANDIR)/smbcontrol.1: manpages/smbcontrol.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -189,7 +188,7 @@ $(MANDIR)/smbcontrol.1: manpages/smbcontrol.1.sgml $(MANDIR)/smbstatus.1: manpages/smbstatus.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -197,7 +196,7 @@ $(MANDIR)/smbstatus.1: manpages/smbstatus.1.sgml $(MANDIR)/make_smbcodepage.1: manpages/make_smbcodepage.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -205,7 +204,7 @@ $(MANDIR)/make_smbcodepage.1: manpages/make_smbcodepage.1.sgml $(MANDIR)/make_unicodemap.1: manpages/make_unicodemap.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -213,7 +212,7 @@ $(MANDIR)/make_unicodemap.1: manpages/make_unicodemap.1.sgml $(MANDIR)/smbd.8: manpages/smbd.8.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -221,7 +220,7 @@ $(MANDIR)/smbd.8: manpages/smbd.8.sgml $(MANDIR)/smbtar.1: manpages/smbtar.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -229,7 +228,7 @@ $(MANDIR)/smbtar.1: manpages/smbtar.1.sgml $(MANDIR)/nmbd.8: manpages/nmbd.8.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -237,7 +236,7 @@ $(MANDIR)/nmbd.8: manpages/nmbd.8.sgml $(MANDIR)/smbmnt.8: manpages/smbmnt.8.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -245,7 +244,7 @@ $(MANDIR)/smbmnt.8: manpages/smbmnt.8.sgml $(MANDIR)/smbumount.8: manpages/smbumount.8.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -253,7 +252,7 @@ $(MANDIR)/smbumount.8: manpages/smbumount.8.sgml $(MANDIR)/nmblookup.1: manpages/nmblookup.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -261,7 +260,7 @@ $(MANDIR)/nmblookup.1: manpages/nmblookup.1.sgml $(MANDIR)/smbmount.8: manpages/smbmount.8.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -269,7 +268,7 @@ $(MANDIR)/smbmount.8: manpages/smbmount.8.sgml $(MANDIR)/swat.8: manpages/swat.8.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -277,7 +276,7 @@ $(MANDIR)/swat.8: manpages/swat.8.sgml $(MANDIR)/rpcclient.1: manpages/rpcclient.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -285,7 +284,7 @@ $(MANDIR)/rpcclient.1: manpages/rpcclient.1.sgml $(MANDIR)/smbpasswd.5: manpages/smbpasswd.5.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -293,7 +292,7 @@ $(MANDIR)/smbpasswd.5: manpages/smbpasswd.5.sgml $(MANDIR)/testparm.1: manpages/testparm.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -301,7 +300,7 @@ $(MANDIR)/testparm.1: manpages/testparm.1.sgml $(MANDIR)/samba.7: manpages/samba.7.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -309,7 +308,7 @@ $(MANDIR)/samba.7: manpages/samba.7.sgml $(MANDIR)/smbpasswd.8: manpages/smbpasswd.8.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -317,7 +316,7 @@ $(MANDIR)/smbpasswd.8: manpages/smbpasswd.8.sgml $(MANDIR)/testprns.1: manpages/testprns.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -325,7 +324,7 @@ $(MANDIR)/testprns.1: manpages/testprns.1.sgml $(MANDIR)/smb.conf.5: manpages/smb.conf.5.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -333,7 +332,7 @@ $(MANDIR)/smb.conf.5: manpages/smb.conf.5.sgml $(MANDIR)/wbinfo.1: manpages/wbinfo.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -341,7 +340,7 @@ $(MANDIR)/wbinfo.1: manpages/wbinfo.1.sgml $(MANDIR)/smbcacls.1: manpages/smbcacls.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -349,7 +348,7 @@ $(MANDIR)/smbcacls.1: manpages/smbcacls.1.sgml $(MANDIR)/smbsh.1 : manpages/smbsh.1.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" @@ -357,7 +356,7 @@ $(MANDIR)/smbsh.1 : manpages/smbsh.1.sgml $(MANDIR)/winbindd.8: manpages/winbindd.8.sgml @echo "Making $@" - @$(ONSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl + @$(NSGMLS) $< | $(SGMLSPL) $(SGML_SHARE)/docbook2X/docbook2man-spec.pl @cat `echo $@ | sed 's,.*/,,'` | $(PERL) scripts/strip-links.pl > $@ @/bin/rm -f `echo $@ | sed 's,.*/,,'` @echo "Making HTML version of $@" diff --git a/docs/docbook/configure b/docs/docbook/configure index 23232148ce2..73d54a817f6 100755 --- a/docs/docbook/configure +++ b/docs/docbook/configure @@ -597,12 +597,10 @@ else echo "$ac_t""no" 1>&6 fi -fi - -# Extract the first word of "nsgmls", so it can be a program name with args. + # Extract the first word of "nsgmls", so it can be a program name with args. set dummy nsgmls; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:606: checking for $ac_word" >&5 +echo "configure:604: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_NSGMLS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -634,19 +632,20 @@ else echo "$ac_t""no" 1>&6 fi -# Extract the first word of "htmldoc", so it can be a program name with args. -set dummy htmldoc; ac_word=$2 +else + # Extract the first word of "onsgmls", so it can be a program name with args. +set dummy onsgmls; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:641: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_path_HTMLDOC'+set}'`\" = set"; then +echo "configure:640: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_NSGMLS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - case "$HTMLDOC" in + case "$NSGMLS" in /*) - ac_cv_path_HTMLDOC="$HTMLDOC" # Let the user override the test with a path. + ac_cv_path_NSGMLS="$NSGMLS" # Let the user override the test with a path. ;; ?:/*) - ac_cv_path_HTMLDOC="$HTMLDOC" # Let the user override the test with a dos path. + ac_cv_path_NSGMLS="$NSGMLS" # Let the user override the test with a dos path. ;; *) IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" @@ -654,7 +653,7 @@ else for ac_dir in $ac_dummy; do test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/$ac_word; then - ac_cv_path_HTMLDOC="$ac_dir/$ac_word" + ac_cv_path_NSGMLS="$ac_dir/$ac_word" break fi done @@ -662,26 +661,28 @@ else ;; esac fi -HTMLDOC="$ac_cv_path_HTMLDOC" -if test -n "$HTMLDOC"; then - echo "$ac_t""$HTMLDOC" 1>&6 +NSGMLS="$ac_cv_path_NSGMLS" +if test -n "$NSGMLS"; then + echo "$ac_t""$NSGMLS" 1>&6 else echo "$ac_t""no" 1>&6 fi -# Extract the first word of "onsgmls", so it can be a program name with args. -set dummy onsgmls; ac_word=$2 +fi + +# Extract the first word of "htmldoc", so it can be a program name with args. +set dummy htmldoc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:676: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_path_ONSGMLS'+set}'`\" = set"; then +echo "configure:677: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_HTMLDOC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else - case "$ONSGMLS" in + case "$HTMLDOC" in /*) - ac_cv_path_ONSGMLS="$ONSGMLS" # Let the user override the test with a path. + ac_cv_path_HTMLDOC="$HTMLDOC" # Let the user override the test with a path. ;; ?:/*) - ac_cv_path_ONSGMLS="$ONSGMLS" # Let the user override the test with a dos path. + ac_cv_path_HTMLDOC="$HTMLDOC" # Let the user override the test with a dos path. ;; *) IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" @@ -689,7 +690,7 @@ else for ac_dir in $ac_dummy; do test -z "$ac_dir" && ac_dir=. if test -f $ac_dir/$ac_word; then - ac_cv_path_ONSGMLS="$ac_dir/$ac_word" + ac_cv_path_HTMLDOC="$ac_dir/$ac_word" break fi done @@ -697,9 +698,9 @@ else ;; esac fi -ONSGMLS="$ac_cv_path_ONSGMLS" -if test -n "$ONSGMLS"; then - echo "$ac_t""$ONSGMLS" 1>&6 +HTMLDOC="$ac_cv_path_HTMLDOC" +if test -n "$HTMLDOC"; then + echo "$ac_t""$HTMLDOC" 1>&6 else echo "$ac_t""no" 1>&6 fi @@ -707,7 +708,7 @@ fi # Extract the first word of "sgmlspl", so it can be a program name with args. set dummy sgmlspl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:711: checking for $ac_word" >&5 +echo "configure:712: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_SGMLSPL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -742,7 +743,7 @@ fi # Extract the first word of "perl", so it can be a program name with args. set dummy perl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:746: checking for $ac_word" >&5 +echo "configure:747: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -951,7 +952,6 @@ s%@mandir@%$mandir%g s%@JADE@%$JADE%g s%@NSGMLS@%$NSGMLS%g s%@HTMLDOC@%$HTMLDOC%g -s%@ONSGMLS@%$ONSGMLS%g s%@SGMLSPL@%$SGMLSPL%g s%@PERL@%$PERL%g s%@SGML_SHARE@%$SGML_SHARE%g diff --git a/docs/docbook/configure.in b/docs/docbook/configure.in index 5aec3058da5..ad0613f2be8 100644 --- a/docs/docbook/configure.in +++ b/docs/docbook/configure.in @@ -1,15 +1,18 @@ AC_INIT(global.ent) ## check for the necesary install tools +## Openjade includes 'onsgmls' while +## the older jade package includes 'nsgmls' AC_PATH_PROG(JADE,openjade) if test -z "$JADE"; then AC_PATH_PROG(JADE,jade) + AC_PATH_PROG(NSGMLS, nsgmls) +else + AC_PATH_PROG(NSGMLS, onsgmls) fi -AC_PATH_PROG(NSGMLS, nsgmls) AC_PATH_PROG(HTMLDOC, htmldoc) -AC_PATH_PROG(ONSGMLS, onsgmls) AC_PATH_PROG(SGMLSPL, sgmlspl) AC_PATH_PROG(PERL, perl) diff --git a/docs/docbook/manpages/nmbd.8.sgml b/docs/docbook/manpages/nmbd.8.sgml index f52e38bb776..2d873a1e40e 100644 --- a/docs/docbook/manpages/nmbd.8.sgml +++ b/docs/docbook/manpages/nmbd.8.sgml @@ -15,7 +15,7 @@ <refsynopsisdiv> <cmdsynopsis> - <command>smbd</command> + <command>nmbd</command> <arg choice="opt">-D</arg> <arg choice="opt">-a</arg> <arg choice="opt">-o</arg> @@ -292,12 +292,13 @@ directory (or the <filename>var/locks</filename> directory configured under wherever Samba was configured to install itself). This will also cause <command>nmbd</command> to dump out its server database in - the <filename>log.nmb</filename> file. In addition, the debug log level - of nmbd may be raised by sending it a SIGUSR1 (<command>kill -USR1 - <nmbd-pid></command>) and lowered by sending it a - SIGUSR2 (<command>kill -USR2 <nmbd-pid></command>). This is to - allow transient problems to be diagnosed, whilst still running at a - normally low log level.</para> + the <filename>log.nmb</filename> file.</para> + + <para>The debug log level of nmbd may be raised or lowered using + <ulink url="smbcontrol.1.html"><command>smbcontrol(1)</command> + </ulink> (SIGUSR[1|2] signals are no longer used in Samba 2.2). This is + to allow transient problems to be diagnosed, whilst still running + at a normally low log level.</para> </refsect1> diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index c8fddf0e475..1efe8acf0f4 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -92,7 +92,7 @@ <para>Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list - of usernames to check against the password using the "user=" + of usernames to check against the password using the "user =" option in the share definition. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary.</para> @@ -168,11 +168,11 @@ the user's home directory.</para></listitem> </itemizedlist> - <para>If you decide to use a <emphasis>path=</emphasis> line + <para>If you decide to use a <emphasis>path =</emphasis> line in your [homes] section then you may find it useful to use the %S macro. For example :</para> - <para><userinput>path=/data/pchome/%S</userinput></para> + <para><userinput>path = /data/pchome/%S</userinput></para> <para>would be useful if you have different home directories for your PCs than for UNIX access.</para> @@ -209,9 +209,9 @@ <para>Note that the <emphasis>browseable</emphasis> flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as - it means setting browseable=no in the [homes] section - will hide the [homes] share but make any auto home - directories visible.</para> + it means setting <emphasis>browseable = no</emphasis> in + the [homes] section will hide the [homes] share but make + any auto home directories visible.</para> </refsect2> <refsect2> @@ -408,7 +408,7 @@ <listitem><para>the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the <emphasis>--with-automount</emphasis> - option then this value will be the same as %.</para> + option then this value will be the same as %L.</para> </listitem> </varlistentry> @@ -484,7 +484,7 @@ <variablelist> <varlistentry> - <term>mangle case= yes/no</term> + <term>mangle case = yes/no</term> <listitem><para> controls if names that have characters that aren't of the "default" case are mangled. For example, if this is yes then a name like "Mail" would be mangled. @@ -565,9 +565,9 @@ <filename>smb.conf</filename> file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames - from the "user=" field then the connection is made as - the username in the "user=" line. If one - of the username in the "user=" list begins with a + from the "user =" field then the connection is made as + the username in the "user =" line. If one + of the username in the "user =" list begins with a '@' then that name expands to a list of names in the group of the same name.</para></listitem> @@ -586,9 +586,11 @@ each parameter for details. Note that some are synonyms.</para> <itemizedlist> + <listitem><para><link linkend="ABORTSHUTDOWNSCRIPT"><parameter>abort shutdown script</parameter></link></para></listitem> <listitem><para><link linkend="ADDPRINTERCOMMAND"><parameter>add printer command</parameter></link></para></listitem> <listitem><para><link linkend="ADDSHARECOMMAND"><parameter>add share command</parameter></link></para></listitem> <listitem><para><link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter></link></para></listitem> + <listitem><para><link linkend="ADDMACHINESCRIPT"><parameter>add machine script</parameter></link></para></listitem> <listitem><para><link linkend="ALLOWTRUSTEDDOMAINS"><parameter>allow trusted domains</parameter></link></para></listitem> <listitem><para><link linkend="ANNOUNCEAS"><parameter>announce as</parameter></link></para></listitem> <listitem><para><link linkend="ANNOUNCEVERSION"><parameter>announce version</parameter></link></para></listitem> @@ -614,6 +616,7 @@ <listitem><para><link linkend="DELETESHARECOMMAND"><parameter>delete share command</parameter></link></para></listitem> <listitem><para><link linkend="DELETEUSERSCRIPT"><parameter>delete user script</parameter></link></para></listitem> <listitem><para><link linkend="DFREECOMMAND"><parameter>dfree command</parameter></link></para></listitem> + <listitem><para><link linkend="DISABLESPOOLSS"><parameter>disable spoolss</parameter></link></para></listitem> <listitem><para><link linkend="DNSPROXY"><parameter>dns proxy</parameter></link></para></listitem> <listitem><para><link linkend="DOMAINADMINGROUP"><parameter>domain admin group</parameter></link></para></listitem> <listitem><para><link linkend="DOMAINGUESTGROUP"><parameter>domain guest group</parameter></link></para></listitem> @@ -633,6 +636,14 @@ <listitem><para><link linkend="KERNELOPLOCKS"><parameter>kernel oplocks</parameter></link></para></listitem> <listitem><para><link linkend="LANMANAUTH"><parameter>lanman auth</parameter></link></para></listitem> <listitem><para><link linkend="LARGEREADWRITE"><parameter>large readwrite</parameter></link></para></listitem> + + <listitem><para><link linkend="LDAPADMINDN"><parameter>ldap admin dn</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPFILTER"><parameter>ldap filter</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPPORT"><parameter>ldap port</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPSERVER"><parameter>ldap server</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPSSL"><parameter>ldap ssl</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPSUFFIX"><parameter>ldap suffix</parameter></link></para></listitem> + <listitem><para><link linkend="LMANNOUNCE"><parameter>lm announce</parameter></link></para></listitem> <listitem><para><link linkend="LMINTERVAL"><parameter>lm interval</parameter></link></para></listitem> <listitem><para><link linkend="LOADPRINTERS"><parameter>load printers</parameter></link></para></listitem> @@ -702,10 +713,12 @@ <listitem><para><link linkend="SECURITY"><parameter>security</parameter></link></para></listitem> <listitem><para><link linkend="SERVERSTRING"><parameter>server string</parameter></link></para></listitem> <listitem><para><link linkend="SHOWADDPRINTERWIZARD"><parameter>show add printer wizard</parameter></link></para></listitem> + <listitem><para><link linkend="SHUTDOWNSCRIPT"><parameter>shutdown script</parameter></link></para></listitem> <listitem><para><link linkend="SMBPASSWDFILE"><parameter>smb passwd file</parameter></link></para></listitem> <listitem><para><link linkend="SOCKETADDRESS"><parameter>socket address</parameter></link></para></listitem> <listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem> <listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem> + <listitem><para><link linkend="SSL"><parameter>ssl</parameter></link></para></listitem> <listitem><para><link linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter></link></para></listitem> <listitem><para><link linkend="SSLCACERTFILE"><parameter>ssl CA certFile</parameter></link></para></listitem> @@ -713,6 +726,9 @@ <listitem><para><link linkend="SSLCLIENTCERT"><parameter>ssl client cert</parameter></link></para></listitem> <listitem><para><link linkend="SSLCLIENTKEY"><parameter>ssl client key</parameter></link></para></listitem> <listitem><para><link linkend="SSLCOMPATIBILITY"><parameter>ssl compatibility</parameter></link></para></listitem> + <listitem><para><link linkend="SSLEGDSOCKET"><parameter>ssl egd socket</parameter></link></para></listitem> + <listitem><para><link linkend="SSLENTROPYBYTES"><parameter>ssl entropy bytes</parameter></link></para></listitem> + <listitem><para><link linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link></para></listitem> <listitem><para><link linkend="SSLHOSTS"><parameter>ssl hosts</parameter></link></para></listitem> <listitem><para><link linkend="SSLHOSTSRESIGN"><parameter>ssl hosts resign</parameter></link></para></listitem> <listitem><para><link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require clientcert</parameter></link></para></listitem> @@ -720,6 +736,7 @@ <listitem><para><link linkend="SSLSERVERCERT"><parameter>ssl server cert</parameter></link></para></listitem> <listitem><para><link linkend="SSLSERVERKEY"><parameter>ssl server key</parameter></link></para></listitem> <listitem><para><link linkend="SSLVERSION"><parameter>ssl version</parameter></link></para></listitem> + <listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem> <listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem> <listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem> @@ -733,12 +750,16 @@ <listitem><para><link linkend="TOTALPRINTJOBS"><parameter>total print jobs</parameter></link></para></listitem> <listitem><para><link linkend="UNIXPASSWORDSYNC"><parameter>unix password sync</parameter></link></para></listitem> <listitem><para><link linkend="UPDATEENCRYPTED"><parameter>update encrypted</parameter></link></para></listitem> + <listitem><para><link linkend="USEMMAP"><parameter>use mmap</parameter></link></para></listitem> <listitem><para><link linkend="USERHOSTS"><parameter>use rhosts</parameter></link></para></listitem> <listitem><para><link linkend="USERNAMELEVEL"><parameter>username level</parameter></link></para></listitem> <listitem><para><link linkend="USERNAMEMAP"><parameter>username map</parameter></link></para></listitem> + <listitem><para><link linkend="UTMP"><parameter>utmp</parameter></link></para></listitem> <listitem><para><link linkend="UTMPDIRECTORY"><parameter>utmp directory</parameter></link></para></listitem> <listitem><para><link linkend="VALIDCHARS"><parameter>valid chars</parameter></link></para></listitem> <listitem><para><link linkend="WINBINDCACHETIME"><parameter>winbind cache time</parameter></link></para></listitem> + <listitem><para><link linkend="WINBINDENUMUSERS"><parameter>winbind enum users</parameter></link></para></listitem> + <listitem><para><link linkend="WINBINDENUMGROUPS"><parameter>winbind enum groups</parameter></link></para></listitem> <listitem><para><link linkend="WINBINDGID"><parameter>winbind gid</parameter></link></para></listitem> <listitem><para><link linkend="WINBINDSEPARATOR"><parameter>winbind separator</parameter></link></para></listitem> <listitem><para><link linkend="WINBINDUID"><parameter>winbind uid</parameter></link></para></listitem> @@ -854,16 +875,16 @@ <listitem><para><link linkend="ROOTPREEXECCLOSE"><parameter>root preexec close</parameter></link></para></listitem> <listitem><para><link linkend="SECURITYMASK"><parameter>security mask</parameter></link></para></listitem> <listitem><para><link linkend="SETDIRECTORY"><parameter>set directory</parameter></link></para></listitem> - <listitem><para><link linkend="SHAREMODES"><parameter>share modes</parameter></link></para></listitem> <listitem><para><link linkend="SHORTPRESERVECASE"><parameter>short preserve case</parameter></link></para></listitem> <listitem><para><link linkend="STATUS"><parameter>status</parameter></link></para></listitem> + <listitem><para><link linkend="STRICTALLOCATE"><parameter>strict allocate</parameter></link></para></listitem> <listitem><para><link linkend="STRICTLOCKING"><parameter>strict locking</parameter></link></para></listitem> <listitem><para><link linkend="STRICTSYNC"><parameter>strict sync</parameter></link></para></listitem> <listitem><para><link linkend="SYNCALWAYS"><parameter>sync always</parameter></link></para></listitem> + <listitem><para><link linkend="USECLIENTDRIVER"><parameter>use client driver</parameter></link></para></listitem> <listitem><para><link linkend="USER"><parameter>user</parameter></link></para></listitem> <listitem><para><link linkend="USERNAME"><parameter>username</parameter></link></para></listitem> <listitem><para><link linkend="USERS"><parameter>users</parameter></link></para></listitem> - <listitem><para><link linkend="UTMP"><parameter>utmp</parameter></link></para></listitem> <listitem><para><link linkend="VALIDUSERS"><parameter>valid users</parameter></link></para></listitem> <listitem><para><link linkend="VETOFILES"><parameter>veto files</parameter></link></para></listitem> <listitem><para><link linkend="VETOOPLOCKFILES"><parameter>veto oplock files</parameter></link></para></listitem> @@ -884,7 +905,22 @@ <title>EXPLANATION OF EACH PARAMETER</title> <variablelist> - + + <varlistentry> + <term><anchor id="ABORTSHUTDOWNSCRIPT">abort shutdown script (G)</term> + <listitem><para><emphasis>This parameter only exists in the HEAD cvs branch</emphasis> + This a full path name to a script called by + <ulink url="smbd.8.html"><command>smbd(8)</command></ulink> that + should stop a shutdown procedure issued by the <link + linkend="SHUTDOWNSCRIPT"><parameter>shutdown script</parameter></link>.</para> + + <para>This command will be run as user.</para> + + <para>Default: <emphasis>None</emphasis>.</para> + <para>Example: <command>abort shutdown script = /sbin/shutdown -c</command></para> + </listitem> + </varlistentry> + <varlistentry> <term><anchor id="ADDPRINTERCOMMAND">add printer command (G)</term> @@ -999,6 +1035,25 @@ <varlistentry> + <term><anchor id="ADDMACHINESCRIPT">add machine script (G)</term> + <listitem><para>This is the full pathname to a script that will + be run by <ulink url="smbd.8.html">smbd(8)</ulink> when a machine is added + to it's domain using the administrator username and password method. </para> + + <para>This option is only required when using sam back-ends tied to the + Unix uid method of RID calculation such as smbpasswd. This option is only + available in Samba 3.0.</para> + + <para>Default: <command>add machine script = <empty string> + </command></para> + + <para>Example: <command>add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u + </command></para> + </listitem> + </varlistentry> + + + <varlistentry> <term><anchor id="ADDUSERSCRIPT">add user script (G)</term> <listitem><para>This is the full pathname to a script that will be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">smbd(8) @@ -1013,8 +1068,8 @@ <emphasis>ON DEMAND</emphasis> when a user accesses the Samba server.</para> <para>In order to use this option, <ulink url="smbd.8.html">smbd</ulink> - must be set to <parameter>security=server</parameter> or <parameter> - security=domain</parameter> and <parameter>add user script</parameter> + must be set to <parameter>security = server</parameter> or <parameter> + security = domain</parameter> and <parameter>add user script</parameter> must be set to a full pathname for a script that will create a UNIX user given one argument of <parameter>%u</parameter>, which expands into the UNIX user name to create.</para> @@ -1132,7 +1187,7 @@ is 4.2. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server.</para> - <para>Default: <command>announce version = 4.2</command></para> + <para>Default: <command>announce version = 4.5</command></para> <para>Example: <command>announce version = 2.0</command></para> </listitem> @@ -1522,7 +1577,7 @@ <varlistentry> - <term><anchor id="CODINGSYSTEM">codingsystem (G)</term> + <term><anchor id="CODINGSYSTEM">coding system (G)</term> <listitem><para>This parameter is used to determine how incoming Shift-JIS Japanese characters are mapped from the incoming <link linkend="CLIENTCODEPAGE"><parameter>client code page</parameter> @@ -1654,7 +1709,7 @@ <para>See also the <link linkend="FORCECREATEMODE"><parameter>force create mode</parameter></link> parameter for forcing particular mode bits to be set on created files. See also the <link linkend="DIRECTORYMODE"> - <parameter>directory mode"</parameter></link> parameter for masking + <parameter>directory mode</parameter></link> parameter for masking mode bits on created directories. See also the <link linkend="INHERITPERMISSIONS"> <parameter>inherit permissions</parameter></link> parameter.</para> @@ -1785,7 +1840,7 @@ <term><anchor id="DEFAULTCASE">default case (S)</term> <listitem><para>See the section on <link linkend="NAMEMANGLINGSECT"> NAME MANGLING</link>. Also note the <link linkend="SHORTPRESERVECASE"> - <parameter>short preserve case"</parameter></link> parameter.</para> + <parameter>short preserve case</parameter></link> parameter.</para> <para>Default: <command>default case = lower</command></para> </listitem> @@ -1922,9 +1977,9 @@ </para> <para> - See also <link linkend="ADDSHARECOMMAND"><parameter>delete share + See also <link linkend="ADDSHARECOMMAND"><parameter>add share command</parameter></link>, <link linkend="CHANGESHARECOMMAND"><parameter>change - share</parameter></link>. + share command</parameter></link>. </para> <para>Default: <emphasis>none</emphasis></para> @@ -1953,17 +2008,17 @@ Windows NT user no longer exists.</para> <para>In order to use this option, <command>smbd</command> must be - set to <parameter>security=domain</parameter> and <parameter>delete + set to <parameter>security = domain</parameter> and <parameter>delete user script</parameter> must be set to a full pathname for a script that will delete a UNIX user given one argument of <parameter>%u </parameter>, which expands into the UNIX user name to delete. <emphasis>NOTE</emphasis> that this is different to the <link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter></link> - which will work with the <parameter>security=server</parameter> option - as well as <parameter>security=domain</parameter>. The reason for this + which will work with the <parameter>security = server</parameter> option + as well as <parameter>security = domain</parameter>. The reason for this is only when Samba is a domain member does it get the information on an attempted user logon that a user no longer exists. In the - <parameter>security=server</parameter> mode a missing user + <parameter>security = server</parameter> mode a missing user is treated the same as an invalid password logon attempt. Deleting the user in this circumstance would not be a good idea.</para> @@ -1984,7 +2039,7 @@ UNIX users are dynamically deleted to match existing Windows NT accounts.</para> - <para>See also <link linkend="SECURITYEQUALSDOMAIN">security=domain</link>, + <para>See also <link linkend="SECURITYEQUALSDOMAIN">security = domain</link>, <link linkend="PASSWORDSERVER"><parameter>password server</parameter> </link>, <link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter> </link>.</para> @@ -2188,6 +2243,29 @@ <para>Example: <command>directory security mask = 0700</command></para> </listitem> </varlistentry> + + + + <varlistentry> + <term><anchor id="DISABLESPOOLSS">disable spoolss (G)</term> + <listitem><para>Enabling this parameter will disables Samba's support + for the SPOOLSS set of MS-RPC's and will yield identical behavior + as Samba 2.0.x. Windows NT/2000 clients will downgrade to using + Lanman style printing commands. Windows 9x/ME will be uneffected by + the parameter. However, this will also disable the ability to upload + printer drivers to a Samba server via the Windows NT Add Printer + Wizard or by using the NT printer properties dialog window. It will + also disable the capability of Windows NT/2000 clients to download + print drivers from the Samba host upon demand. + <emphasis>Be very careful about enabling this parameter.</emphasis> + </para> + + <para>See also <link linkend="USECLIENTDRIVER">use client driver</link> + </para> + + <para>Default : <command>disable spoolss = no</command></para> + </listitem> + </varlistentry> @@ -2411,7 +2489,7 @@ </filename></ulink> file (see the <ulink url="smbpasswd.8.html"><command> smbpasswd(8)</command></ulink> program for information on how to set up and maintain this file), or set the <link - linkend="SECURITY">security=[server|domain]</link> parameter which + linkend="SECURITY">security = [server|domain]</link> parameter which causes <command>smbd</command> to authenticate against another server.</para> @@ -2424,8 +2502,7 @@ <listitem><para>This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations. - <emphasis>These enhancements are currently only available in - the HEAD Samba CVS tree (not Samba 2.2.x).</emphasis></para> + </para> <para>The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, @@ -2927,7 +3004,7 @@ <varlistentry> - <term><anchor id="HIDEUNREADABLE">hide unreadable(G)</term> + <term><anchor id="HIDEUNREADABLE">hide unreadable (S)</term> <listitem><para>This parameter prevents clients from seeing the existance of files that cannot be read. Defaults to off.</para> @@ -3226,7 +3303,7 @@ '+' and '&' may be used at the start of the name in either order so the value <parameter>+&group</parameter> means check the UNIX group database, followed by the NIS netgroup database, and - the value <parameter>&+group"</parameter> means check the NIS + the value <parameter>&+group</parameter> means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).</para> @@ -3278,9 +3355,9 @@ SMB/CIFS, NFS and local file access (and is a <emphasis>very</emphasis> cool feature :-).</para> - <para>This parameter defaults to <constant>on</constant> on systems - that have the support, and <constant>off</constant> on systems that - don't. You should never need to touch this parameter.</para> + <para>This parameter defaults to <constant>on</constant>, but is translated + to a no-op on systems that no not have the necessary kernel support. + You should never need to touch this parameter.</para> <para>See also the <link linkend="OPLOCKS"><parameter>oplocks</parameter> </link> and <link linkend="LEVEL2OPLOCKS"><parameter>level2 oplocks @@ -3310,7 +3387,7 @@ <varlistentry> - <term><anchor id="LARGEREADWRITE">large readwrite(G)</term> + <term><anchor id="LARGEREADWRITE">large readwrite (G)</term> <listitem><para>This parameter determines whether or not <ulink url="smbd.8.html">smbd</ulink> supports the new 64k streaming read and write varient SMB requests introduced with Windows 2000. Note that due to Windows 2000 client redirector bugs @@ -3326,6 +3403,150 @@ + <varlistentry> + <term><anchor id="LDAPADMINDN">ldap admin dn (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + The <parameter>ldap admin dn</parameter> defines the Distinguished + Name (DN) name used by Samba to contact the <link linkend="LDAPSERVER">ldap + server</link> when retreiving user account information. The <parameter>ldap + admin dn</parameter> is used in conjunction with the admin dn password + stored in the <filename>private/secrets.tdb</filename> file. See the + <ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> man + page for more information on how to accmplish this. + </para> + + + <para>Default : <emphasis>none</emphasis></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term><anchor id="LDAPFILTER">ldap filter (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + This parameter specifies the RFC 2254 compliant LDAP search filter. + The default is to match the login name with the <constant>uid</constant> + attribute for all entries matching the <constant>sambaAccount</constant> + objectclass. Note that this filter should only return one entry. + </para> + + + <para>Default : <command>ldap filter = (&(uid=%u)(objectclass=sambaAccount))</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term><anchor id="LDAPPORT">ldap port (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + This option is used to control the tcp port number used to contact + the <link linkend="LDAPSERVER"><parameter>ldap server</parameter></link>. + The default is to use the stand LDAP port 389. + </para> + + <para>Default : <command>ldap port = 389</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term><anchor id="LDAPSERVER">ldap server (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + This parameter should contains the FQDN of the ldap directory + server which should be queried to locate user account information. + </para> + + + + <para>Default : <command>ldap server = localhost</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term><anchor id="LDAPSSL">ldap ssl (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + This option is used to define whether or not Samba should + use SSL when connecting to the <link linkend="LDAPSERVER"><parameter>ldap + server</parameter></link>. This is <emphasis>NOT</emphasis> related to + Samba SSL support which is enabled by specifying the + <command>--with-ssl</command> option to the <filename>configure</filename> + script (see <link linkend="SSL"><parameter>ssl</parameter></link>). + </para> + + <para> + The <parameter>ldap ssl</parameter> can be set to one of three values: + (a) <command>on</command> - Always use SSL when contacting the + <parameter>ldap server</parameter>, (b) <command>off</command> - + Never use SSL when querying the directory, or (c) <command>start + tls</command> - Use the LDAPv3 StartTLS extended operation + (RFC2830) for communicating with the directory server. + </para> + + + <para>Default : <command>ldap ssl = off</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term><anchor id="LDAPSUFFIX">ldap suffix (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + + + <para>Default : <emphasis>none</emphasis></para> + </listitem> + </varlistentry> + + + + + <varlistentry> @@ -3572,7 +3793,7 @@ <para>This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request. Win9X clients truncate the info to - \\server\share when a user does <command>net use /home"</command> + \\server\share when a user does <command>net use /home</command> but use the whole string when dealing with profiles.</para> <para>Note that in prior versions of Samba, the <link linkend="LOGONPATH"> @@ -3868,7 +4089,7 @@ <varlistentry> <term><anchor id="MACHINEPASSWORDTIMEOUT">machine password timeout (G)</term> <listitem><para>If a Samba server is a member of a Windows - NT Domain (see the <link linkend="SECURITYEQUALSDOMAIN">security=domain</link>) + NT Domain (see the <link linkend="SECURITYEQUALSDOMAIN">security = domain</link>) parameter) then periodically a running <ulink url="smbd.8.html"> smbd(8)</ulink> process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called <filename>private/secrets.tdb @@ -3878,7 +4099,7 @@ <para>See also <ulink url="smbpasswd.8.html"><command>smbpasswd(8) </command></ulink>, and the <link linkend="SECURITYEQUALSDOMAIN"> - security=domain</link>) parameter.</para> + security = domain</link>) parameter.</para> <para>Default: <command>machine password timeout = 604800</command></para> </listitem> @@ -4129,7 +4350,7 @@ <varlistentry> <term><anchor id="MAPTOGUEST">map to guest (G)</term> <listitem><para>This parameter is only useful in <link linkend="SECURITY"> - security</link> modes other than <parameter>security=share</parameter> + security</link> modes other than <parameter>security = share</parameter> - i.e. <constant>user</constant>, <constant>server</constant>, and <constant>domain</constant>.</para> @@ -4366,13 +4587,13 @@ <term><anchor id="MAXWINSTTL">max wins ttl (G)</term> <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8) </ulink> when acting as a WINS server (<link linkend="WINSSUPPORT"> - <parameter>wins support=yes</parameter></link>) what the maximum + <parameter>wins support = yes</parameter></link>) what the maximum 'time to live' of NetBIOS names that <command>nmbd</command> will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds).</para> <para>See also the <link linkend="MINWINSTTL"><parameter>min - wins ttl"</parameter></link> parameter.</para> + wins ttl</parameter></link> parameter.</para> <para>Default: <command>max wins ttl = 518400</command></para> </listitem> @@ -4949,11 +5170,11 @@ <listitem><para>With the addition of better PAM support in Samba 2.2, this parameter, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password - changes when requested by an SMB client insted of the program listed in + changes when requested by an SMB client instead of the program listed in <link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter></link>. It should be possible to enable this without changing your <link linkend="PASSWDCHAT"><parameter>passwd chat</parameter></link> - paramater for most setups. + parameter for most setups. </para> <para>Default: <command>pam password change = no</command></para> @@ -4991,32 +5212,32 @@ <para>This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc).</para> + <para>Note that this parameter only is only used if the <link + linkend="UNIXPASSWORDSYNC"><parameter>unix + password sync</parameter></link> parameter is set to <constant>yes</constant>. This + sequence is then called <emphasis>AS ROOT</emphasis> when the SMB password + in the smbpasswd file is being changed, without access to the old + password cleartext. This means that root must be able to reset the user's password + without knowing the text of the previous password. In the presence of NIS/YP, + this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must be + executed on the NIS master. + </para> - <para>The string can contain the macros <parameter>%o</parameter> - and <parameter>%n</parameter> which are substituted for the old - and new passwords respectively. It can also contain the standard - macros <constant>\n</constant>, <constant>\r</constant>, <constant> - \t</constant> and <constant>%s</constant> to give line-feed, - carriage-return, tab and space.</para> - - <para>The string can also contain a '*' which matches - any sequence of characters.</para> - <para>Double quotes can be used to collect strings with spaces + <para>The string can contain the macro <parameter>%n</parameter> which is substituted + for the new password. The chat sequence can also contain the standard + macros <constant>\n</constant>, <constant>\r</constant>, <constant> + \t</constant> and <constant>\s</constant> to give line-feed, + carriage-return, tab and space. The chat sequence string can also contain + a '*' which matches any sequence of characters. + Double quotes can be used to collect strings with spaces in them into a single string.</para> <para>If the send string in any part of the chat sequence is a full stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected.</para> - <para>Note that if the <link linkend="UNIXPASSWORDSYNC"><parameter>unix - password sync</parameter></link> parameter is set to <constant>true</constant>, then this - sequence is called <emphasis>AS ROOT</emphasis> when the SMB password - in the smbpasswd file is being changed, without access to the old - password cleartext. In this case the old password cleartext is set - to "" (the empty string).</para> - - <para>Also, if the <link linkend="PAMPASSWORDCHANGE"><parameter>pam + <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter>pam password change</parameter></link> parameter is set to true, the chat pairs may be matched in any order, and sucess is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions. @@ -5212,14 +5433,14 @@ <command>smbd</command> makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this <command>smbd</command>. This is a - restriction of the SMB/CIFS protocol when in <command>security=server + restriction of the SMB/CIFS protocol when in <command>security = server </command> mode and cannot be fixed in Samba.</para></listitem> <listitem><para>If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in <command> - security=server</command> mode the network logon will appear to - come from there rather than from the user's workstation.</para></listitem> + security = server</command> mode the network logon will appear to + come from there rather than from the users workstation.</para></listitem> </itemizedlist> <para>See also the <link linkend="SECURITY"><parameter>security @@ -5485,14 +5706,14 @@ the parameter varies depending on the setting of the <link linkend="PRINTING"> <parameter>printing</parameter></link> parameter.</para> - <para>Default: For <command>printing= BSD, AIX, QNX, LPRNG + <para>Default: For <command>printing = BSD, AIX, QNX, LPRNG or PLP :</command></para> <para><command>print command = lpr -r -P%p %s</command></para> - <para>For <command>printing= SYS or HPUX :</command></para> + <para>For <command>printing = SYS or HPUX :</command></para> <para><command>print command = lp -c -d%p %s; rm %s</command></para> - <para>For <command>printing=SOFTQ :</command></para> + <para>For <command>printing = SOFTQ :</command></para> <para><command>print command = lp -d%p -s %s; rm %s</command></para> <para>Example: <command>print command = /usr/local/samba/bin/myprintscript @@ -6188,7 +6409,7 @@ Windows NT.</para> <para>The alternatives are <command>security = share</command>, - <command>security = server</command> or <command>security=domain + <command>security = server</command> or <command>security = domain </command>.</para> <para>In versions of Samba prior to 2..0, the default was @@ -6296,7 +6517,7 @@ </emphasis></para> <para>This is the default security setting in Samba 2.2. - With user-level security a client must first "log=on" with a + With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the <link linkend="USERNAMEMAP"><parameter>username map</parameter></link> parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS"> @@ -6485,34 +6706,6 @@ - <varlistentry> - <term><anchor id="SHAREMODES">share modes (S)</term> - <listitem><para>This enables or disables the honoring of - the <parameter>share modes</parameter> during a file open. These - modes are used by clients to gain exclusive read or write access - to a file.</para> - - <para>These open modes are not directly supported by UNIX, so - they are simulated using shared memory, or lock files if your - UNIX doesn't support shared memory (almost all do).</para> - - <para>The share modes that are enabled by this option are - <constant>DENY_DOS</constant>, <constant>DENY_ALL</constant>, - <constant>DENY_READ</constant>, <constant>DENY_WRITE</constant>, - <constant>DENY_NONE</constant> and <constant>DENY_FCB</constant>. - </para> - - <para>This option gives full share compatibility and enabled - by default.</para> - - <para>You should <emphasis>NEVER</emphasis> turn this parameter - off as many Windows applications will break if you do so.</para> - - <para>Default: <command>share modes = yes</command></para> - </listitem> - </varlistentry> - - <varlistentry> <term><anchor id="SHORTPRESERVECASE">short preserve case (S)</term> @@ -6569,6 +6762,49 @@ + <varlistentry> + <term><anchor id="SHUTDOWNSCRIPT">shutdown script (G)</term> + <listitem><para><emphasis>This parameter only exists in the HEAD cvs branch</emphasis> + This a full path name to a script called by + <ulink url="smbd.8.html"><command>smbd(8)</command></ulink> that + should start a shutdown procedure.</para> + + <para>This command will be run as the user connected to the + server.</para> + + <para>%m %t %r %f parameters are expanded</para> + <para><parameter>%m</parameter> will be substituted with the + shutdown message sent to the server.</para> + <para><parameter>%t</parameter> will be substituted with the + number of seconds to wait before effectively starting the + shutdown procedure.</para> + <para><parameter>%r</parameter> will be substituted with the + switch <emphasis>-r</emphasis>. It means reboot after shutdown + for NT. + </para> + <para><parameter>%f</parameter> will be substituted with the + switch <emphasis>-f</emphasis>. It means force the shutdown + even if applications do not respond for NT.</para> + + <para>Default: <emphasis>None</emphasis>.</para> + <para>Example: <command>abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f</command></para> + <para>Shutdown script example: + <programlisting> + #!/bin/bash + + $time=0 + let "time/60" + let "time++" + + /sbin/shutdown $3 $4 +$time $1 & + </programlisting> + Shutdown does not return so we need to launch it in background. + </para> + + <para>See also <link linkend="ABORTSHUTDOWNSCRIPT"><parameter>abort shutdown script</parameter></link>.</para> + </listitem> + </varlistentry> + <varlistentry> <term><anchor id="SMBPASSWDFILE">smb passwd file (G)</term> @@ -6652,8 +6888,8 @@ or disable the option, by default they will be enabled if you don't specify 1 or 0.</para> - <para>To specify an argument use the syntax SOME_OPTION=VALUE - for example <command>SO_SNDBUF=8192</command>. Note that you must + <para>To specify an argument use the syntax SOME_OPTION = VALUE + for example <command>SO_SNDBUF = 8192</command>. Note that you must not have any spaces before or after the = sign.</para> <para>If you are on a local network then a sensible option @@ -6690,7 +6926,7 @@ be formatted as the output of the standard Unix <command>env(1) </command> command. This is of the form :</para> <para>Example environment entry:</para> - <para><command>SAMBA_NETBIOS_NAME=myhostname</command></para> + <para><command>SAMBA_NETBIOS_NAME = myhostname</command></para> <para>Default: <emphasis>No default value</emphasis></para> <para>Examples: <command>source environment = |/etc/smb.conf.sh @@ -6710,10 +6946,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This variable enables or disables the entire SSL mode. If it is set to <constant>no</constant>, the SSL-enabled Samba behaves exactly like the non-SSL Samba. If set to <constant>yes</constant>, @@ -6722,7 +6954,7 @@ <parameter>ssl hosts resign</parameter></link> whether an SSL connection will be required.</para> - <para>Default: <command>ssl=no</command></para> + <para>Default: <command>ssl = no</command></para> </listitem> </varlistentry> @@ -6735,10 +6967,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This variable defines where to look up the Certification Authorities. The given directory should contain one file for each CA that Samba will trust. The file name must be the hash @@ -6761,10 +6989,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This variable is a second way to define the trusted CAs. The certificates of the trusted CAs are collected in one big file and this variable points to the file. You will probably @@ -6788,10 +7012,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This variable defines the ciphers that should be offered during SSL negotiation. You should not set this variable unless you know what you are doing.</para> @@ -6806,10 +7026,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>The certificate in this file is used by <ulink url="smbclient.1.html"> <command>smbclient(1)</command></ulink> if it exists. It's needed if the server requires a client certificate.</para> @@ -6828,10 +7044,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This is the private key for <ulink url="smbclient.1.html"> <command>smbclient(1)</command></ulink>. It's only needed if the client should have a certificate. </para> @@ -6850,18 +7062,77 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - - <para>This variable defines whether SSLeay should be configured + <para>This variable defines whether OpenSSL should be configured for bug compatibility with other SSL implementations. This is probably not desirable because currently no clients with SSL - implementations other than SSLeay exist.</para> + implementations other than OpenSSL exist.</para> <para>Default: <command>ssl compatibility = no</command></para> </listitem> </varlistentry> + + + <varlistentry> + <term><anchor id="SSLEGDSOCKET">ssl egd socket (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para> + This option is used to define the location of the communiation socket of + an EGD or PRNGD daemon, from which entropy can be retrieved. This option + can be used instead of or together with the <link + linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link> + directive. 255 bytes of entropy will be retrieved from the daemon. + </para> + + <para>Default: <emphasis>none</emphasis></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term><anchor id="SSLENTROPYBYTES">ssl entropy bytes (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para> + This parameter is used to define the number of bytes which should + be read from the <link linkend="SSLENTROPYFILE"><parameter>ssl entropy + file</parameter></link> If a -1 is specified, the entire file will + be read. + </para> + + <para>Default: <command>ssl entropy bytes = 255</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="SSLENTROPYFILE">ssl entropy file (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para> + This parameter is used to specify a file from which processes will + read "random bytes" on startup. In order to seed the internal pseudo + random number generator, entropy must be provided. On system with a + <filename>/dev/urandom</filename> device file, the processes + will retrieve its entropy from the kernel. On systems without kernel + entropy support, a file can be supplied that will be read on startup + and that will be used to seed the PRNG. + </para> + + <para>Default: <emphasis>none</emphasis></para> + </listitem> + </varlistentry> + <varlistentry> @@ -6879,10 +7150,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>These two variables define whether Samba will go into SSL mode or not. If none of them is defined, Samba will allow only SSL connections. If the <link linkend="SSLHOSTS"> @@ -6916,10 +7183,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>If this variable is set to <constant>yes</constant>, the server will not tolerate connections from clients that don't have a valid certificate. The directory/file given in <link @@ -6948,10 +7211,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>If this variable is set to <constant>yes</constant>, the <ulink url="smbclient.1.html"><command>smbclient(1)</command> </ulink> will request a certificate from the server. Same as @@ -6970,10 +7229,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This is the file containing the server's certificate. The server <emphasis>must</emphasis> have a certificate. The file may also contain the server's private key. See later for @@ -6992,10 +7247,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This file contains the private key of the server. If this variable is not defined, the key is looked up in the certificate file (it may be appended to the certificate). @@ -7016,10 +7267,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This enumeration variable defines the versions of the SSL protocol that will be used. <constant>ssl2or3</constant> allows dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results @@ -7073,6 +7320,30 @@ <varlistentry> + <term><anchor id="STRICTALLOCATE">strict allocate (S)</term> + <listitem><para>This is a boolean that controls the handling of + disk space allocation in the server. When this is set to <constant>yes</constant> + the server will change from UNIX behaviour of not committing real + disk storage blocks when a file is extended to the Windows behaviour + of actually forcing the disk system to allocate real storage blocks + when a file is created or extended to be a given size. In UNIX + terminology this means that Samba will stop creating sparse files. + This can be slow on some systems.</para> + + <para>When strict allocate is <constant>no</constant> the server does sparse + disk block allocation when a file is extended.</para> + + <para>Setting this to <constant>yes</constant> can help Samba return + out of quota messages on systems that are restricting the disk quota + of users.</para> + + <para>Default: <command>strict allocate = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> <term><anchor id="STRICTLOCKING">strict locking (S)</term> <listitem><para>This is a boolean that controls the handling of file locking in the server. When this is set to <constant>yes</constant> @@ -7184,10 +7455,7 @@ <varlistentry> <term><anchor id="TEMPLATEHOMEDIR">template homedir (G)</term> - <listitem><para><emphasis>NOTE:</emphasis> this parameter is - only available in Samba 3.0.</para> - - <para>When filling out the user information for a Windows NT + <listitem><para>When filling out the user information for a Windows NT user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon uses this parameter to fill in the home directory for that user. If the string <parameter>%D</parameter> is present it is substituted @@ -7203,10 +7471,7 @@ <varlistentry> <term><anchor id="TEMPLATESHELL">template shell (G)</term> - <listitem><para><emphasis>NOTE:</emphasis> this parameter is - only available in Samba 3.0.</para> - - <para>When filling out the user information for a Windows NT + <listitem><para>When filling out the user information for a Windows NT user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon uses this parameter to fill in the login shell for that user.</para> @@ -7325,6 +7590,61 @@ </varlistentry> + <varlistentry> + <term><anchor id="USECLIENTDRIVER">use client driver (S)</term> + <listitem><para>This parameter applies only to Windows NT/2000 + clients. It has no affect on Windows 95/98/ME clients. When + serving a printer to Windows NT/2000 clients without first installing + a valid printer driver on the Samba host, the client will be required + to install a local printer driver. From this point on, the client + will treat the print as a local printer and not a network printer + connection. This is much the same behavior that will occur + when <command>disable spoolss = yes</command>. </para> + + <para>The differentiating + factor is that under normal circumstances, the NT/2000 client will + attempt to open the network printer using MS-RPC. The problem is that + because the client considers the printer to be local, it will attempt + to issue the OpenPrinterEx() call requesting access rights associated + with the logged on user. If the user possesses local administator rights + but not root privilegde on the Samba host (often the case), the OpenPrinterEx() + call will fail. The result is that the client will now display an "Access + Denied; Unable to connect" message in the printer queue window (even though + jobs may successfully be printed). </para> + + <para>If this parameter is enabled for a printer, then any attempt + to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped + to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() + call to succeed. <emphasis>This parameter MUST not be able enabled + on a print share which has valid print driver installed on the Samba + server.</emphasis></para> + + <para>See also <link linkend="DISABLESPOOLSS">disable spoolss</link> + </para> + + <para>Default: <command>use client driver = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="USERMMAP">use mmap (G)</term> + <listitem><para>This global parameter determines if the tdb internals of Samba can + depend on mmap working correctly on the running system. Samba requires a coherent + mmap/read-write system memory cache. Currently only HPUX does not have such a + coherent cache, and so this parameter is set to <constant>false</constant> by + default on HPUX. On all other systems this parameter should be left alone. This + parameter is provided to help the Samba developers track down problems with + the tdb internal code. + </para> + + <para>Default: <command>use mmap = yes</command></para> + </listitem> + </varlistentry> + + + <varlistentry> <term><anchor id="USERHOSTS">use rhosts (G)</term> @@ -7545,7 +7865,7 @@ <varlistentry> - <term><anchor id="UTMP">utmp (S)</term> + <term><anchor id="UTMP">utmp (G)</term> <listitem><para>This boolean parameter is only available if Samba has been configured and compiled with the option <command> --with-utmp</command>. If set to <constant>true</constant> then Samba will attempt @@ -7684,13 +8004,14 @@ <para>Note that the <parameter>case sensitive</parameter> option is applicable in vetoing files.</para> - <para>One feature of the veto files parameter that it is important - to be aware of, is that if a directory contains nothing but files - that match the veto files parameter (which means that Windows/DOS - clients cannot ever see them) is deleted, the veto files within - that directory <emphasis>are automatically deleted</emphasis> along - with it, if the user has UNIX permissions to do so.</para> - + <para>One feature of the veto files parameter that it + is important to be aware of is Samba's behaviour when + trying to delete a directory. If a directory that is + to be deleted contains nothing but veto files this + deletion will <emphasis>fail</emphasis> unless you also set + the <parameter>delete veto files</parameter> parameter to + <parameter>yes</parameter>.</para> + <para>Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.</para> @@ -7737,7 +8058,7 @@ the line (either in the [global] section or in the section for the particular NetBench share :</para> - <para>Example: <command>veto oplock files = /*;.SEM/ + <para>Example: <command>veto oplock files = /*.SEM/ </command></para> </listitem> </varlistentry> @@ -7806,10 +8127,7 @@ <varlistentry> <term><anchor id="WINBINDCACHETIME">winbind cache time</term> - <listitem><para><emphasis>NOTE:</emphasis> this parameter is only - available in Samba 3.0.</para> - - <para>This parameter specifies the number of seconds the + <listitem><para>This parameter specifies the number of seconds the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will cache user and group information before querying a Windows NT server again.</para> @@ -7819,14 +8137,52 @@ </varlistentry> + <varlistentry> + <term><anchor id="WINBINDENUMUSERS">winbind enum + users</term> <listitem><para>On large installations using + <ulink url="winbindd.8.html">winbindd(8)</ulink> it may be + necessary to suppress the enumeration of users through the + <command> setpwent()</command>, + <command>getpwent()</command> and + <command>endpwent()</command> group of system calls. If + the <parameter>winbind enum users</parameter> parameter is + false, calls to the <command>getpwent</command> system call + will not return any data. </para> + + <para><emphasis>Warning:</emphasis> Turning off user + enumeration may cause some programs to behave oddly. For + example, the finger program relies on having access to the + full user list when searching for matching + usernames. </para> + + <para>Default: <command>winbind enum users = yes </command></para> + </listitem> + </varlistentry> + + <varlistentry> + <term><anchor id="WINBINDENUMGROUPS">winbind enum + groups</term> <listitem><para>On large installations using + <ulink url="winbindd.8.html">winbindd(8)</ulink> it may be + necessary to suppress the enumeration of groups through the + <command> setgrent()</command>, + <command>getgrent()</command> and + <command>endgrent()</command> group of system calls. If + the <parameter>winbind enum groups</parameter> parameter is + false, calls to the <command>getgrent()</command> system + call will not return any data. </para> + + <para><emphasis>Warning:</emphasis> Turning off group + enumeration may cause some programs to behave oddly. + </para> + + <para>Default: <command>winbind enum groups = yes </command> + </para></listitem> + </varlistentry> <varlistentry> <term><anchor id="WINBINDGID">winbind gid</term> - <listitem><para><emphasis>NOTE:</emphasis> this parameter is only - available in Samba 3.0.</para> - - <para>The winbind gid parameter specifies the range of group + <listitem><para>The winbind gid parameter specifies the range of group ids that are allocated by the <ulink url="winbindd.8.html"> winbindd(8)</ulink> daemon. This range of group ids should have no existing local or NIS groups within it as strange conflicts can @@ -7842,10 +8198,7 @@ <varlistentry> <term><anchor id="WINBINDSEPARATOR">winbind separator</term> - <listitem><para><emphasis>NOTE:</emphasis> this parameter is only - available in Samba 3.0.</para> - - <para>This parameter allows an admin to define the character + <listitem><para>This parameter allows an admin to define the character used when listing a username of the form of <replaceable>DOMAIN </replaceable>\<replaceable>user</replaceable>. This parameter is only applicable when using the <filename>pam_winbind.so</filename> @@ -7862,10 +8215,7 @@ <varlistentry> <term><anchor id="WINBINDUID">winbind uid</term> - <listitem><para><emphasis>NOTE:</emphasis> this parameter is only - available in Samba 3.0.</para> - - <para>The winbind gid parameter specifies the range of group + <listitem><para>The winbind gid parameter specifies the range of group ids that are allocated by the <ulink url="winbindd.8.html"> winbindd(8)</ulink> daemon. This range of ids should have no existing local or NIS users within it as strange conflicts can @@ -7988,7 +8338,7 @@ <listitem><para>This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the <link - linkend="SECURITYEQUALSDOMAIN"><command>security=domain</command></link> + linkend="SECURITYEQUALSDOMAIN"><command>security = domain</command></link> setting.</para> <para>Default: <emphasis>set at compile time to WORKGROUP</emphasis></para> diff --git a/docs/docbook/manpages/smbclient.1.sgml b/docs/docbook/manpages/smbclient.1.sgml index ece66f34d3b..6cc7be654ae 100644 --- a/docs/docbook/manpages/smbclient.1.sgml +++ b/docs/docbook/manpages/smbclient.1.sgml @@ -21,7 +21,6 @@ <arg choice="opt">-b <buffer size></arg> <arg choice="opt">-d debuglevel</arg> <arg choice="opt">-D Directory</arg> - <arg choice="opt">-S server</arg> <arg choice="opt">-U username</arg> <arg choice="opt">-W workgroup</arg> <arg choice="opt">-M <netbios name></arg> @@ -216,7 +215,8 @@ <term>-i scope</term> <listitem><para>This specifies a NetBIOS scope that smbclient will use to communicate with when generating NetBIOS names. For details - on the use of NetBIOS scopes, see <filename>rfc1001.txt</filename> and <filename>rfc1002.txt</filename>. + on the use of NetBIOS scopes, see <filename>rfc1001.txt</filename> + and <filename>rfc1002.txt</filename>. NetBIOS scopes are <emphasis>very</emphasis> rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with. </para></listitem> diff --git a/docs/docbook/manpages/smbcontrol.1.sgml b/docs/docbook/manpages/smbcontrol.1.sgml index 8e529d8b712..d2e3d39478f 100644 --- a/docs/docbook/manpages/smbcontrol.1.sgml +++ b/docs/docbook/manpages/smbcontrol.1.sgml @@ -113,6 +113,11 @@ any Windows NT clients connected to a printer. This message-type takes an argument of the printer name to send notify messages to. This message can only be sent to <constant>smbd</constant>.</para> + + <para>The <constant>close-share</constant> message-type sends a + message to smbd which forces smbd to close the share that was + specified as an argument. This may be useful if you made changes + to the access controls on the share. </para> </listitem> </varlistentry> diff --git a/docs/docbook/manpages/smbd.8.sgml b/docs/docbook/manpages/smbd.8.sgml index 7ad6a114283..05958b83dec 100644 --- a/docs/docbook/manpages/smbd.8.sgml +++ b/docs/docbook/manpages/smbd.8.sgml @@ -550,10 +550,10 @@ an <command>smbd</command> is to send it a SIGTERM (-15) signal and wait for it to die on its own.</para> - <para>The debug log level of <command>smbd</command> may be raised by sending - it a SIGUSR1 (<command>kill -USR1 <smbd-pid></command>) - and lowered by sending it a SIGUSR2 (<command>kill -USR2 <smbd-pid> - </command>). This is to allow transient problems to be diagnosed, + <para>The debug log level of <command>smbd</command> may be raised + or lowered using <ulink url="smbcontrol.1.html"><command>smbcontrol(1) + </command></ulink> program (SIGUSR[1|2] signals are no longer used in + Samba 2.2). This is to allow transient problems to be diagnosed, whilst still running at a normally low log level.</para> <para>Note that as the signal handlers send a debug write, diff --git a/docs/docbook/manpages/smbmnt.8.sgml b/docs/docbook/manpages/smbmnt.8.sgml index 859f8f441c2..55b66d5d25b 100644 --- a/docs/docbook/manpages/smbmnt.8.sgml +++ b/docs/docbook/manpages/smbmnt.8.sgml @@ -31,14 +31,19 @@ <para><command>smbmnt</command> is a helper application used by the smbmount program to do the actual mounting of SMB shares. - <command>smbmnt</command> is meant to be installed setuid root - so that normal users can mount their SMB shares. It checks - whether the user has write permissions on the mount point and - then mounts the directory.</para> + <command>smbmnt</command> can be installed setuid root if you want + normal users to be able to mount their SMB shares.</para> + + <para>A setuid smbmnt will only allow mounts on directories owned + by the user, and that the user has write permission on.</para> <para>The <command>smbmnt</command> program is normally invoked by <ulink url="smbmount.8.html"><command>smbmount(8)</command> </ulink>. It should not be invoked directly by users. </para> + + <para>smbmount searches the normal PATH for smbmnt. You must ensure + that the smbmnt version in your path matches the smbmount used.</para> + </refsect1> <refsect1> diff --git a/docs/docbook/manpages/smbmount.8.sgml b/docs/docbook/manpages/smbmount.8.sgml index 462512185d7..b4a77e51c9f 100644 --- a/docs/docbook/manpages/smbmount.8.sgml +++ b/docs/docbook/manpages/smbmount.8.sgml @@ -24,10 +24,11 @@ <refsect1> <title>DESCRIPTION</title> - <para><command>smbmount</command> mounts a SMB filesystem. It - is usually invoked as <command>mount.smb</command> from + <para><command>smbmount</command> mounts a Linux SMB filesystem. It + is usually invoked as <command>mount.smbfs</command> by the <command>mount(8)</command> command when using the - "-t smb" option. The kernel must support the smbfs filesystem. </para> + "-t smbfs" option. This command only works in Linux, and the kernel must + support the smbfs filesystem. </para> <para>Options to <command>smbmount</command> are specified as a comma-separated list of key=value pairs. It is possible to send options other @@ -149,7 +150,9 @@ <varlistentry> <term>debug=<arg></term> <listitem><para>sets the debug level. This is useful for - tracking down SMB connection problems. </para></listitem> + tracking down SMB connection problems. A suggested value to + start with is 4. If set too high there will be a lot of + output, possibly hiding the useful output.</para></listitem> </varlistentry> @@ -250,8 +253,8 @@ protocol level is high enough to support session-level passwords.</para> - <para>The variable <envar>PASSWD_FILE</envar> may contain the pathname of - a file to read the password from. A single line of input is + <para>The variable <envar>PASSWD_FILE</envar> may contain the pathname + of a file to read the password from. A single line of input is read and used as the password.</para> </refsect1> @@ -259,15 +262,22 @@ <refsect1> <title>BUGS</title> - <para>Not many known smbmount bugs. But one smbfs bug is - important enough to mention here anyway:</para> + <para>Passwords and other options containing , can not be handled. + For passwords an alternative way of passing them is in a credentials + file or in the PASSWD environment.</para> + + <para>The credentials file does not handle usernames or passwords with + leading space.</para> + + <para>One smbfs bug is important enough to mention here, even if it + is a bit misplaced:</para> <itemizedlist> <listitem><para>Mounts sometimes stop working. This is usually caused by smbmount terminating. Since smbfs needs smbmount to - reconnect when the server disconnects, the mount will go - dead. A re-mount normally fixes this. At least 2 ways to + reconnect when the server disconnects, the mount will eventually go + dead. An umount/mount normally fixes this. At least 2 ways to trigger this bug are known.</para></listitem> </itemizedlist> @@ -283,8 +293,15 @@ <refsect1> <title>SEE ALSO</title> - <para>Documentation/filesystems/smbfs.txt in the kernel source tree - may contain additional options and information.</para> + <para>Documentation/filesystems/smbfs.txt in the linux kernel + source tree may contain additional options and information.</para> + + <para>FreeBSD also has a smbfs, but it is not related to smbmount</para> + + <para>For Solaris, HP-UX and others you may want to look at + <ulink url="smbsh.1.html"><command>smbsh(1)</command></ulink> or at other + solutions, such as sharity or perhaps replacing the SMB server with + a NFS server.</para> </refsect1> diff --git a/docs/docbook/manpages/smbpasswd.8.sgml b/docs/docbook/manpages/smbpasswd.8.sgml index c07b329c5e1..e757a0c67cb 100644 --- a/docs/docbook/manpages/smbpasswd.8.sgml +++ b/docs/docbook/manpages/smbpasswd.8.sgml @@ -25,7 +25,7 @@ <arg choice="opt">-R <name resolve order></arg> <arg choice="opt">-m</arg> <arg choice="opt">-j DOMAIN</arg> - <arg choice="opt">-U username</arg> + <arg choice="opt">-U username[%password]</arg> <arg choice="opt">-h</arg> <arg choice="opt">-s</arg> <arg choice="opt">username</arg> diff --git a/docs/docbook/manpages/wbinfo.1.sgml b/docs/docbook/manpages/wbinfo.1.sgml index 7a1e738401d..7133573b140 100644 --- a/docs/docbook/manpages/wbinfo.1.sgml +++ b/docs/docbook/manpages/wbinfo.1.sgml @@ -14,7 +14,7 @@ <refsynopsisdiv> <cmdsynopsis> - <command>nmblookup</command> + <command>wbinfo</command> <arg choice="opt">-u</arg> <arg choice="opt">-g</arg> <arg choice="opt">-n name</arg> @@ -158,8 +158,7 @@ <title>VERSION</title> <para>This man page is correct for version 2.2 of - the Samba suite. winbindd is however not available in - stable release of Samba as of yet.</para> + the Samba suite.</para> </refsect1> <refsect1> @@ -177,7 +176,7 @@ to the way the Linux kernel is developed.</para> <para><command>wbinfo</command> and <command>winbindd</command> - were written by TIm Potter.</para> + were written by Tim Potter.</para> <para>The conversion to DocBook for Samba 2.2 was done by Gerald Carter</para> diff --git a/docs/docbook/manpages/winbindd.8.sgml b/docs/docbook/manpages/winbindd.8.sgml index a215c3d1af2..6a1ecd59fd0 100644 --- a/docs/docbook/manpages/winbindd.8.sgml +++ b/docs/docbook/manpages/winbindd.8.sgml @@ -15,29 +15,18 @@ <refsynopsisdiv> <cmdsynopsis> - <command>nmblookup</command> - <arg choice="opt">-d debuglevel</arg> + <command>winbindd</command> <arg choice="opt">-i</arg> - <arg choice="opt">-S</arg> - <arg choice="opt">-r</arg> - <arg choice="opt">-A</arg> - <arg choice="opt">-h</arg> - <arg choice="opt">-B <broadcast address></arg> - <arg choice="opt">-U <unicast address></arg> <arg choice="opt">-d <debug level></arg> <arg choice="opt">-s <smb config file></arg> - <arg choice="opt">-i <NetBIOS scope></arg> - <arg choice="opt">-T</arg> - <arg choice="req">name</arg> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>DESCRIPTION</title> - <para>This tool is part of the <ulink url="samba.7.html"> - Samba</ulink> suite version 3.0 and describes functionality not - yet implemented in the main version of Samba.</para> + <para>This program is part of the <ulink url="samba.7.html"> + Samba</ulink> suite.</para> <para><command>winbindd</command> is a daemon that provides a service for the Name Service Switch capability that is present @@ -318,18 +307,15 @@ auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok </command></para> <para>The next step is to join the domain. To do that use the - <command>samedit</command> program like this: </para> + <command>smbpasswd</command> program like this: </para> - <para><command>samedit -S '*' -W DOMAIN -UAdministrator</command></para> + <para><command>smbpasswd -j DOMAIN -r PDC -U + Administrator</command></para> - <para>The username after the <parameter>-U</parameter> can be any Domain - user that has administrator privileges on the machine. Next from - within <command>samedit</command>, run the command: </para> - - <para><command>createuser MACHINE$ -j DOMAIN -L</command></para> - - <para>This assumes your domain is called "DOMAIN" and your Samba - workstation is called "MACHINE". </para> + <para>The username after the <parameter>-U</parameter> can be any + Domain user that has administrator privileges on the machine. + Substitute your domain name for "DOMAIN" and the name of your PDC + for "PDC".</para> <para>Next copy <filename>libnss_winbind.so</filename> to <filename>/lib</filename> and <filename>pam_winbind.so</filename> @@ -366,7 +352,7 @@ auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok <refsect1> - <title>Notes</title> + <title>NOTES</title> <para>The following notes are useful when configuring and running <command>winbindd</command>: </para> @@ -379,8 +365,8 @@ auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok servers, it must be sent a SIGHUP signal. </para> <para>Client processes resolving names through the <command>winbindd</command> - nsswitch module read an environment variable named <parameter> - $WINBINDD_DOMAIN</parameter>. If this variable contains a comma separated + nsswitch module read an environment variable named <envar> + $WINBINDD_DOMAIN</envar>. If this variable contains a comma separated list of Windows NT domain names, then winbindd will only resolve users and groups within those Windows NT domains. </para> @@ -399,7 +385,7 @@ auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok <refsect1> - <title>Signals</title> + <title>SIGNALS</title> <para>The following signals can be used to manipulate the <command>winbindd</command> daemon. </para> @@ -428,7 +414,7 @@ auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok </refsect1> <refsect1> - <title>Files</title> + <title>FILES</title> <variablelist> <varlistentry> @@ -457,7 +443,7 @@ auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok <term>$LOCKDIR/winbindd_idmap.tdb</term> <listitem><para>Storage for the Windows NT rid to UNIX user/group id mapping. The lock directory is specified when Samba is initially - compiled using the <filename>--with-lockdir</filename> option. + compiled using the <parameter>--with-lockdir</parameter> option. This directory is by default <filename>/usr/local/samba/var/locks </filename>. </para></listitem> </varlistentry> @@ -474,9 +460,8 @@ auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok <refsect1> <title>VERSION</title> - <para>This man page is correct for version 2.2 of - the Samba suite. winbindd is however not available in - the stable release of Samba as of yet.</para> + <para>This man page is correct for version 2.2 of + the Samba suite.</para> </refsect1> <refsect1> diff --git a/docs/docbook/projdoc/Integrating-with-Windows.sgml b/docs/docbook/projdoc/Integrating-with-Windows.sgml index 7c61d72a682..0b6abaf80f6 100644 --- a/docs/docbook/projdoc/Integrating-with-Windows.sgml +++ b/docs/docbook/projdoc/Integrating-with-Windows.sgml @@ -877,7 +877,7 @@ the procedure for creating an account. </para> <para><programlisting> - # useradd -s /bin/bash -d /home/"userid" -m + # useradd -s /bin/bash -d /home/"userid" -m "userid" # passwd "userid" Enter Password: <pw> @@ -895,7 +895,7 @@ controller. Refer to the Samba-PDC-HOWTO for more details. </para> <para><programlisting> - # useradd -a /bin/false -d /dev/null "machine_name"\$ + # useradd -s /bin/false -d /dev/null "machine_name"\$ # passwd -l "machine_name"\$ # smbpasswd -a -m "machine_name" </programlisting></para> diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index bbed6c4e104..b980b99e22e 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -265,9 +265,8 @@ There are a couple of points to emphasize in the above configuration. <para> As Samba 2.2 does not offer a complete implementation of group mapping between Windows NT groups and UNIX groups (this is really quite complicated to explain -in a short space), you should refer to the <ulink url="smb.conf.5.html#DOMAINADMINUSERS">domain -admin users</ulink> and <ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain -admin group</ulink> smb.conf parameters for information of creating a Domain Admins +in a short space), you should refer to the <ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain +admin group</ulink> smb.conf parameter for information of creating "Domain Admins" style accounts. </para> @@ -334,8 +333,11 @@ based Samba server: </para> <para> -<prompt>root# </prompt>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable> -machine_nickname</replaceable> -m -s /bin/false <replaceable>machine_name</replaceable>$ +<prompt>root# </prompt>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine +nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ +</para> +<para> +<prompt>root# </prompt>passwd -l <replaceable>machine_name</replaceable>$ </para> <para> @@ -410,7 +412,7 @@ add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u In Samba 2.2.1, <emphasis>only the root account</emphasis> can be used to create machine accounts like this. Therefore, it is required to create an entry in smbpasswd for <emphasis>root</emphasis>. The password -<emphasis>SHOULD</emphasis> be set to s different password that the +<emphasis>SHOULD</emphasis> be set to a different password that the associated <filename>/etc/passwd</filename> entry for security reasons. </para> </sect2> @@ -1415,7 +1417,7 @@ as are folders "Start Menu", "Desktop", "Programs" and "Nethood". These directories and their contents will be merged with the local versions stored in c:\windows\profiles\username on subsequent logins, taking the most recent from each. You will need to use the [global] -options "preserve case = yes", "short case preserve = yes" and +options "preserve case = yes", "short preserve case = yes" and "case sensitive = no" in order to maintain capital letters in shortcuts in any of the profile folders. </para> diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml index a92f2f59784..ee91f6e07aa 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.sgml +++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml @@ -379,21 +379,26 @@ The second is the "deny modes" that are specified when a file is open.</para> - <para>Samba supports "record locking" using the fcntl() unix system - call. This is often implemented using rpc calls to a rpc.lockd process - running on the system that owns the filesystem. Unfortunately many - rpc.lockd implementations are very buggy, particularly when made to - talk to versions from other vendors. It is not uncommon for the - rpc.lockd to crash.</para> - - <para>There is also a problem translating the 32 bit lock - requests generated by PC clients to 31 bit requests supported - by most unixes. Unfortunately many PC applications (typically - OLE2 applications) use byte ranges with the top bit set - as semaphore sets. Samba attempts translation to support - these types of applications, and the translation has proved - to be quite successful.</para> - + <para>Record locking semantics under Unix is very + different from record locking under Windows. Versions + of Samba before 2.2 have tried to use the native + fcntl() unix system call to implement proper record + locking between different Samba clients. This can not + be fully correct due to several reasons. The simplest + is the fact that a Windows client is allowed to lock a + byte range up to 2^32 or 2^64, depending on the client + OS. The unix locking only supports byte ranges up to + 2^31. So it is not possible to correctly satisfy a + lock request above 2^31. There are many more + differences, too many to be listed here.</para> + + <para>Samba 2.2 and above implements record locking + completely independent of the underlying unix + system. If a byte range lock that the client requests + happens to fall into the range 0-2^31, Samba hands + this request down to the Unix system. All other locks + can not be seen by unix anyway.</para> + <para>Strictly a SMB server should check for locks before every read and write call on a file. Unfortunately with the way fcntl() works this can be slow and may overstress the diff --git a/docs/docbook/projdoc/printer_driver2.sgml b/docs/docbook/projdoc/printer_driver2.sgml index 3aa9b92b5a2..4377303ffb2 100644 --- a/docs/docbook/projdoc/printer_driver2.sgml +++ b/docs/docbook/projdoc/printer_driver2.sgml @@ -155,7 +155,7 @@ appropriate values for your site):</para> <para>The <ulink url="smb.conf.5.html#WRITELIST"><parameter> write list</parameter></ulink> is used to allow administrative level user accounts to have write access in order to update files -on the share. See the <ulink url="smb./conf.5.html">smb.conf(5) +on the share. See the <ulink url="smb.conf.5.html">smb.conf(5) man page</ulink> for more information on configuring file shares.</para> <para>The requirement for <ulink url="smb.conf.5.html#GUESTOK"><command>guest @@ -554,71 +554,10 @@ foreach (supported architecture for a given driver) <para> Given that printer driver management has changed (we hope improved) in 2.2 over prior releases, migration from an existing setup to 2.2 can -follow several paths. +follow several paths. Here are the possible scenarios for +migration: </para> -<para> -Windows clients have a tendency to remember things for quite a while. -For example, if a Windows NT client has attached to a Samba 2.0 server, -it will remember the server as a LanMan printer server. Upgrading -the Samba host to 2.2 makes support for MSRPC printing possible, but -the NT client will still remember the previous setting. -</para> - -<para> -In order to give an NT client printing "amnesia" (only necessary if you -want to use the newer MSRPC printing functionality in Samba), delete -the registry keys associated with the print server contained in -<constant>[HKLM\SYSTEM\CurrentControlSet\Control\Print]</constant>. The -spooler service on the client should be stopped prior to doing this: -</para> - -<para> -<prompt>C:\WINNT\ ></prompt> <userinput>net stop spooler</userinput> -</para> - -<para> -<emphasis>All the normal disclaimers about editing the registry go -here.</emphasis> Be careful, and know what you are doing. -</para> - -<para> -The spooler service should be restarted after you have finished -removing the appropriate registry entries by replacing the -<command>stop</command> command above with <command>start</command>. -</para> - -<para> -Windows 9x clients will continue to use LanMan printing calls -with a 2.2 Samba server so there is no need to perform any of these -modifications on non-NT clients. -</para> - -<warning> -<title>Achtung!</title> - -<para> -The following smb.conf parameters are considered to be depreciated and will -be removed soon. Do not use them in new installations -</para> - -<itemizedlist> - <listitem><para><parameter>printer driver file (G)</parameter> - </para></listitem> - - <listitem><para><parameter>printer driver (S)</parameter> - </para></listitem> - - <listitem><para><parameter>printer driver location (S)</parameter> - </para></listitem> -</itemizedlist> -</warning> - - -<para> -Here are the possible scenarios for supporting migration: -</para> - <itemizedlist> <listitem><para>If you do not desire the new Windows NT print driver support, nothing needs to be done. @@ -627,13 +566,13 @@ Here are the possible scenarios for supporting migration: <listitem><para>If you want to take advantage of NT printer driver support but do not want to migrate the 9x drivers to the new setup, the leave the existing - printers.def file. When smbd attempts to locate a + <filename>printers.def</filename> file. When smbd attempts + to locate a 9x driver for the printer in the TDB and fails it will drop down to using the printers.def (and all associated parameters). The <command>make_printerdef</command> tool will also remain for backwards compatibility but will - be moved to the "this tool is the old way of doing it" - pile.</para></listitem> + be removed in the next major release.</para></listitem> <listitem><para>If you install a Windows 9x driver for a printer on your Samba host (in the printing TDB), this information will @@ -650,6 +589,39 @@ Here are the possible scenarios for supporting migration: </para></listitem> </itemizedlist> + +<warning> +<title>Achtung!</title> + +<para> +The following <filename>smb.conf</filename> parameters are considered to +be deprecated and will be removed soon. Do not use them in new +installations +</para> + +<itemizedlist> + <listitem><para><parameter>printer driver file (G)</parameter> + </para></listitem> + + <listitem><para><parameter>printer driver (S)</parameter> + </para></listitem> + + <listitem><para><parameter>printer driver location (S)</parameter> + </para></listitem> +</itemizedlist> +</warning> + + +<para> +The have been two new parameters add in Samba 2.2.2 to for +better support of Samba 2.0.x backwards capability (<parameter>disable +spoolss</parameter>) and for using local printers drivers on Windows +NT/2000 clients (<parameter>use client driver</parameter>). Both of +these options are described in the smb.coinf(5) man page and are +disabled by default. +</para> + + </sect1> diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index b923303d358..f1211c0ac6a 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -23,13 +23,16 @@ <surname>SAMBA Team</surname> </author> <address><email>samba@samba.org</email></address> - <pubdate>$rcsId</pubdate> </bookinfo> <dedication> <title>Abstract</title> <para> +<emphasis>Last Update</emphasis> : Tue Jul 31 15:58:03 CDT 2001 +</para> + +<para> This book is a collection of HOWTOs added to Samba documentation over the years. I try to ensure that all are current, but sometimes the is a larger job than one person can maintain. The most recent version of this document diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index da7aecdee42..b496f30dd74 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -28,9 +28,10 @@ <para>Integration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous - computing environments for a long time. We present <emphasis>winbind - </emphasis>, a component of the Samba suite of programs as a - solution to the unified logon problem. Winbind uses a UNIX implementation + computing environments for a long time. We present + <emphasis>winbind</emphasis>, a component of the Samba suite + of programs as a solution to the unified logon problem. Winbind + uses a UNIX implementation of Microsoft RPC calls, Pluggable Authentication Modules, and the Name Service Switch to allow Windows NT domain users to appear and operate as UNIX users on a UNIX machine. This paper describes the winbind @@ -53,7 +54,7 @@ and use the Samba suite of programs to provide file and print services between the two. This solution is far from perfect however, as adding and deleting users on both sets of machines becomes a chore - and two sets of passwords are required both of which which + and two sets of passwords are required both of which can lead to synchronization problems between the UNIX and Windows systems and confusion for users.</para> @@ -95,7 +96,7 @@ <para>The end result is that whenever any program on the UNIX machine asks the operating system to lookup a user or group name, the query will be resolved by asking the - NT domain controller for the specied domain to do the lookup. + NT domain controller for the specified domain to do the lookup. Because Winbind hooks into the operating system at a low level (via the NSS name resolution modules in the C library) this redirection to the NT domain controller is completely @@ -112,11 +113,11 @@ that redirection to a domain controller is wanted for a particular lookup and which trusted domain is being referenced.</para> - <para>Additionally, Winbind provides a authentication service + <para>Additionally, Winbind provides an authentication service that hooks into the Pluggable Authentication Modules (PAM) system to provide authentication via a NT domain to any PAM enabled applications. This capability solves the problem of synchronizing - passwords between systems as all passwords are stored in a single + passwords between systems since all passwords are stored in a single location (on the domain controller).</para> <sect2> @@ -126,9 +127,9 @@ existing NT based domain infrastructure into which they wish to put UNIX workstations or servers. Winbind will allow these organizations to deploy UNIX workstations without having to - maintain a separate account infrastructure. This greatly simplies - the administrative overhead of deploying UNIX workstations into - a NT based organization.</para> + maintain a separate account infrastructure. This greatly + simplifies the administrative overhead of deploying UNIX + workstations into a NT based organization.</para> <para>Another interesting way in which we expect Winbind to be used is as a central part of UNIX based appliances. Appliances @@ -181,9 +182,9 @@ information such as hostnames, mail aliases and user information to be resolved from different sources. For example, a standalone UNIX workstation may resolve system information from a series of - flat files stored on the local lesystem. A networked workstation + flat files stored on the local filesystem. A networked workstation may first attempt to resolve system information from local files, - then consult a NIS database for user information or a DNS server + and then consult a NIS database for user information or a DNS server for hostname information.</para> <para>The NSS application programming interface allows winbind @@ -196,8 +197,9 @@ a NT domain plus any trusted domain as though they were local users and groups.</para> - <para>The primary control le for NSS is <filename>/etc/nsswitch.conf - </filename>. When a UNIX application makes a request to do a lookup + <para>The primary control file for NSS is + <filename>/etc/nsswitch.conf</filename>. + When a UNIX application makes a request to do a lookup the C library looks in <filename>/etc/nsswitch.conf</filename> for a line which matches the service type being requested, for example the "passwd" service type is used when user or group names @@ -241,7 +243,7 @@ UNIX system. This allows Windows NT users to log in to a UNIX machine and be authenticated against a suitable Primary Domain Controller. These users can also change their passwords and have - this change take eect directly on the Primary Domain Controller. + this change take effect directly on the Primary Domain Controller. </para> <para>PAM is configured by providing control files in the directory @@ -252,7 +254,7 @@ authentication check and in what order. This interface makes adding a new authentication service for Winbind very easy, all that needs to be done is that the <filename>pam_winbind.so</filename> module - is copied to <filename>/lib/security/</filename> and the pam + is copied to <filename>/lib/security/</filename> and the PAM control files for relevant services are updated to allow authentication via winbind. See the PAM documentation for more details.</para> @@ -264,7 +266,7 @@ <para>When a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is - slightly different to UNIX which has a range of numbers which are + slightly different to UNIX which has a range of numbers that are used to identify users, and the same range in which to identify groups. It is winbind's job to convert RIDs to UNIX id numbers and vice versa. When winbind is configured it is given part of the UNIX @@ -276,7 +278,7 @@ to UNIX user ids and group ids.</para> <para>The results of this mapping are stored persistently in - a ID mapping database held in a tdb database). This ensures that + an ID mapping database held in a tdb database). This ensures that RIDs are mapped to UNIX IDs in a consistent way.</para> </sect2> @@ -302,29 +304,553 @@ <sect1> <title>Installation and Configuration</title> + +<para> +Many thanks to John Trostel <ulink +url="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</ulink> +for providing the HOWTO for this section. +</para> + +<para> +This HOWTO describes how to get winbind services up and running +to control access and authenticate users on your Linux box using +the winbind services which come with SAMBA 2.2.2. +</para> + + +<sect2> +<title>Introduction</title> + +<para> +This HOWTO describes the procedures used to get winbind up and +running on my RedHat 7.1 system. Winbind is capable of providing access +and authentication control for Windows Domain users through an NT +or Win2K PDC for 'regular' services, such as telnet a nd ftp, as +well for SAMBA services. +</para> + +<para> +This HOWTO has been written from a 'RedHat-centric' perspective, so if +you are using another distribution, you may have to modify the instructions +somewhat to fit the way your distribution works. +</para> + + +<itemizedlist> +<listitem> + <para> + <emphasis>Why should I to this?</emphasis> + </para> + + <para>This allows the SAMBA administrator to rely on the + authentication mechanisms on the NT/Win2K PDC for the authentication + of domain members. NT/Win2K users no longer need to have separate + accounts on the SAMBA server. + </para> +</listitem> + +<listitem> + <para> + <emphasis>Who should be reading this document?</emphasis> + </para> + + <para> + This HOWTO is designed for system administrators. If you are + implementing SAMBA on a file server and wish to (fairly easily) + integrate existing NT/Win2K users from your PDC onto the + SAMBA server, this HOWTO is for you. That said, I am no NT or PAM + expert, so you may find a better or easier way to accomplish + these tasks. + </para> +</listitem> +</itemizedlist> +</sect2> + + +<sect2> +<title>Requirements</title> + +<para> +If you have a samba configuration file that you are currently +using... BACK IT UP! If your system already uses PAM, BACK UP +THE <filename>/etc/pam.d</filename> directory contents! If you +haven't already made a boot disk, MAKE ON NOW! +</para> + +<para> +Messing with the pam configuration files can make it nearly impossible +to log in to yourmachine. That's why you want to be able to boot back +into your machine in single user mode and restore your +<filename>/etc/pam.d</filename> back to the original state they were in if +you get frustrated with the way things are going. ;-) +</para> + +<para> +The newest version of SAMBA (version 2.2.2), available from +cvs.samba.org, now include a functioning winbindd daemon. Please refer +to the main SAMBA web page or, better yet, your closest SAMBA mirror +site for instructions on downloading the source code. +</para> + +<para> +To allow Domain users the ability to access SAMBA shares and +files, as well as potentially other services provided by your +SAMBA machine, PAM (pluggable authentication modules) must +be setup properly on your machine. In order to compile the +winbind modules, you should have at least the pam libraries resident +on your system. For recent RedHat systems (7.1, for instance), that +means 'pam-0.74-22'. For best results, it is helpful to also +install the development packages in 'pam-devel-0.74-22'. +</para> + +</sect2> + + +<sect2> +<title>Testing Things Out</title> + +<para> +Before starting, it is probably best to kill off all the SAMBA +related daemons running on your server. Kill off all <command>smbd</command>, +<command>nmbd</command>, and <command>winbindd</command> processes that may +be running. To use PAM, you will want to make sure that you have the +standard PAM package (for RedHat) which supplies the <filename>/etc/pam.d</filename> +directory structure, including the pam modules are used by pam-aware +services, several pam libraries, and the <filename>/usr/doc</filename> +and <filename>/usr/man</filename> entries for pam. Winbind built better +in SAMBA if the pam-devel package was also installed. This package includes +the header files needed to compile pam-aware applications. For instance, my RedHat +system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed. +</para> + +<sect3> +<title>Configure and compile SAMBA</title> + +<para> +The configuration and compilation of SAMBA is pretty straightforward. +The first three steps maynot be necessary depending upon +whether or not you have previously built the Samba binaries. +</para> + +<para><programlisting> +<prompt>root# </prompt> autoconf +<prompt>root# </prompt> make clean +<prompt>root# </prompt> rm config.cache +<prompt>root# </prompt> ./configure --with-winbind +<prompt>root# </prompt> make +<prompt>root# </prompt> make install +</programlisting></para> + + +<para> +This will, by default, install SAMBA in /usr/local/samba. See the +main SAMBA documentation if you want to install SAMBA somewhere else. +It will also build the winbindd executable and libraries. +</para> + +</sect3> + +<sect3> +<title>Configure nsswitch.conf and the winbind libraries</title> + +<para> +The libraries needed to run the winbind daemon through nsswitch +need to be copied to their proper locations, so +</para> + +<para> +<prompt>root# </prompt> cp ../samba/source/nsswitch/libnss_winbind.so /lib +</para> + +<para> +I also found it necessary to make the following symbolic link: +</para> + +<para> +<prompt>root# </prompt> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 +</para> + +<para> +Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to +allow user and group entries to be visible from the <command>winbindd</command> +daemon, as well as from your /etc/hosts files and NIS servers. My +<filename>/etc/nsswitch.conf</filename> file look like this after editing: +</para> + +<para><programlisting> + passwd: files winbind + shadow: files winbind + group: files winbind +</programlisting></para> + +<para> +The libraries needed by the winbind daemon will be automatically +entered into the ldconfig cache the next time your system reboots, but it +is faster (and you don't need to reboot) if you do it manually: +</para> + +<para> +<prompt>root# </prompt> /sbin/ldconfig -v | grep winbind +</para> + +<para> +This makes <filename>libnss_winbind</filename> available to winbindd +and echos back a check to you. +</para> + +</sect3> + + +<sect3> +<title>Configure smb.conf</title> + +<para> +Several parameters are needed in the smb.conf file to control +the behavior of <command>winbindd</command>. Configure +<filename>smb.conf</filename> These are described in more detail in +the <ulink url="winbindd.8.html">winbindd(8)</ulink> man page. My +<filename>smb.conf</filename> file was modified to +include the following entries in the [global] section: +</para> + +<para><programlisting> +[global] + <...> + # separate domain and username with '+', like DOMAIN+username + winbind separator = + + # use uids from 10000 to 20000 for domain users + winbind uid = 10000-20000 + # use gids from 10000 to 20000 for domain groups + winbind gid = 10000-20000 + # allow enumeration of winbind users and groups + winbind enum users = yes + winbind enum groups = yes + # give winbind users a real shell (only needed if they have telnet access) + template shell = /bin/bash +</programlisting></para> + +</sect3> + + +<sect3> +<title>Join the SAMBA server to the PDC domain</title> + +<para> +Enter the following command to make the SAMBA server join the +PDC domain, where <replaceable>DOMAIN</replaceable> is the name of +your Windows domain and <replaceable>Administrator</replaceable> is +a domain user who has administrative privileges in the domain. +</para> + + +<para> +<prompt>root# </prompt>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator +</para> + + +<para> +The proper response to the command should be: "Joined the domain +<replaceable>DOMAIN</replaceable>" where <replaceable>DOMAIN</replaceable> +is your DOMAIN name. +</para> + +</sect3> - <para>The easiest way to install winbind is by using the packages - provided in the <filename>pub/samba/appliance/</filename> - directory on your nearest - Samba mirror. These packages provide snapshots of the Samba source - code and binaries already setup to provide the full functionality - of winbind. This setup is a little more complex than a normal Samba - build as winbind needs a small amount of functionality from a - development code branch called SAMBA_TNG.</para> + +<sect3> +<title>Start up the winbindd daemon and test it!</title> + +<para> +Eventually, you will want to modify your smb startup script to +automatically invoke the winbindd daemon when the other parts of +SAMBA start, but it is possible to test out just the winbind +portion first. To start up winbind services, enter the following +command as root: +</para> + +<para> +<prompt>root# </prompt>/usr/local/samba/bin/winbindd +</para> + +<para> +I'm always paranoid and like to make sure the daemon +is really running... +</para> + +<para> +<prompt>root# </prompt> ps -ae | grep winbindd +3025 ? 00:00:00 winbindd +</para> + +<para> +Now... for the real test, try to get some information about the +users on your PDC +</para> + +<para> +<prompt>root# </prompt> # /usr/local/samba/bin/wbinfo -u +</para> + +<para> +This should echo back a list of users on your Windows users on +your PDC. For example, I get the following response: +</para> + +<para><programlisting> +CEO+Administrator +CEO+burdell +CEO+Guest +CEO+jt-ad +CEO+krbtgt +CEO+TsInternetUser +</programlisting></para> + +<para> +Obviously, I have named my domain 'CEO' and my winbindd separator is '+'. +</para> + +<para> +You can do the same sort of thing to get group information from +the PDC: +</para> + +<para><programlisting> +<prompt>root# </prompt>/usr/local/samba/bin/wbinfo -g +CEO+Domain Admins +CEO+Domain Users +CEO+Domain Guests +CEO+Domain Computers +CEO+Domain Controllers +CEO+Cert Publishers +CEO+Schema Admins +CEO+Enterprise Admins +CEO+Group Policy Creator Owners +</programlisting></para> + +<para> +The function 'getent' can now be used to get unified +lists of both local and PDC users and groups. +Try the following command: +</para> + +<para> +<prompt>root# </prompt> getent passwd +</para> - <para>Once you have installed the packages you should read - the <command>winbindd(8)</command> man page which will provide you - with configuration information and give you sample configuration files. - You may also wish to update the main Samba daemons smbd and nmbd) - with a more recent development release, such as the recently - announced Samba 2.2 alpha release.</para> +<para> +You should get a list that looks like your <filename>/etc/passwd</filename> +list followed by the domain users with their new uids, gids, home +directories and default shells. +</para> + +<para> +The same thing can be done for groups with the command +</para> + +<para> +<prompt>root# </prompt> getent group +</para> + +</sect3> + + +<sect3> +<title>Fix the /etc/rc.d/init.d/smb startup files</title> + +<para> +The <command>winbindd</command> daemon needs to start up after the +<command>smbd</command> and <command>nmbd</command> daemons are running. +To accomplish this task, you need to modify the <filename>/etc/init.d/smb</filename> +script to add commands to invoke this daemon in the proper sequence. My +<filename>/etc/init.d/smb</filename> file starts up <command>smbd</command>, +<command>nmbd</command>, and <command>winbindd</command> from the +<filename>/usr/local/samba/bin</filename> directory directly. The 'start' +function in the script looks like this: +</para> + +<para><programlisting> +start() { + KIND="SMB" + echo -n $"Starting $KIND services: " + daemon /usr/local/samba/bin/smbd $SMBDOPTIONS + RETVAL=$? + echo + KIND="NMB" + echo -n $"Starting $KIND services: " + daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS + RETVAL2=$? + echo + KIND="Winbind" + echo -n $"Starting $KIND services: " + daemon /usr/local/samba/bin/winbindd + RETVAL3=$? + echo + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \ + RETVAL=1 + return $RETVAL +} +</programlisting></para> + +<para> +The 'stop' function has a corresponding entry to shut down the +services and look s like this: +</para> + +<para><programlisting> +stop() { + KIND="SMB" + echo -n $"Shutting down $KIND services: " + killproc smbd + RETVAL=$? + echo + KIND="NMB" + echo -n $"Shutting down $KIND services: " + killproc nmbd + RETVAL2=$? + echo + KIND="Winbind" + echo -n $"Shutting down $KIND services: " + killproc winbindd + RETVAL3=$? + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb + echo "" + return $RETVAL +} +</programlisting></para> + +</sect3> + + + +<sect3> +<title>Configure Winbind and PAM</title> + +<para> +If you have made it this far, you know that winbindd is working. +Now it is time to integrate it into the operation of samba and other +services. The pam configuration files need to be altered in +this step. (Did you remember to make backups of your original +<filename>/etc/pam.d</filename> files? If not, do it now.) +</para> + +<para> +To get samba to allow domain users and groups, I modified the +<filename>/etc/pam.d/samba</filename> file from +</para> + + +<para><programlisting> +auth required /lib/security/pam_stack.so service=system-auth +account required /lib/security/pam_stack.so service=system-auth +</programlisting></para> + +<para> +to +</para> + +<para><programlisting> +auth required /lib/security/pam_winbind.so +auth required /lib/security/pam_stack.so service=system-auth +account required /lib/security/pam_winbind.so +account required /lib/security/pam_stack.so service=system-auth +</programlisting></para> + +<para> +The other services that I modified to allow the use of winbind +as an authentication service were the normal login on the console (or a terminal +session), telnet logins, and ftp service. In order to enable these +services, you may first need to change the entries in +<filename>/etc/xinetd.d</filename> (or <filename>/etc/inetd.conf</filename>). +RedHat 7.1 uses the new xinetd.d structure, in this case you need +to change the lines in <filename>/etc/xinetd.d/telnet</filename> +and <filename>/etc/xinetd.d/wu-ftp</filename> from +</para> + +<para><programlisting> +enable = no +</programlisting></para> + +<para> +to +</para> + +<para><programlisting> +enable = yes +</programlisting></para> + +<para> +For ftp services to work properly, you will also need to either +have individual directories for the domain users already present on +the server, or change the home directory template to a general +directory for all domain users. These can be easily set using +the <filename>smb.conf</filename> global entry +<command>template homedir</command>. +</para> + +<para> +The <filename>/etc/pam.d/ftp</filename> file can be changed +to allow winbind ftp access in a manner similar to the +samba file. My <filename>/etc/pam.d/ftp</filename> file was +changed to look like this: +</para> + +<para><programlisting> +auth sufficient /lib/security/pam_winbind.so +auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +auth required /lib/security/pam_stack.so service=system-auth +auth required /lib/security/pam_shells.so +account required /lib/security/pam_stack.so service=system-auth +session required /lib/security/pam_stack.so service=system-auth +</programlisting></para> + +<para> +The <filename>/etc/pam.d/login</filename> file can be changed nearly the +same way. It now looks like this: +</para> + +<para><programlisting> +auth required /lib/security/pam_securetty.so +auth sufficient /lib/security/pam_winbind.so +auth sufficient /lib/security/pam_unix.so use_first_pass +auth required /lib/security/pam_stack.so service=system-auth +auth required /lib/security/pam_nologin.so +account sufficient /lib/security/pam_winbind.so +account required /lib/security/pam_stack.so service=system-auth +password required /lib/security/pam_stack.so service=system-auth +session required /lib/security/pam_stack.so service=system-auth +session optional /lib/security/pam_console.so +</programlisting></para> + +<para> +In this case, I added the <command>auth sufficient /lib/security/pam_winbind.so</command> +lines as before, but also added the <command>required pam_securetty.so</command> +above it, to disallow root logins over the network. I also added a +<command>sufficient /lib/security/pam_unix.so use_first_pass</command> +line after the <command>winbind.so</command> line to get rid of annoying +double prompts for passwords. +</para> + +<para> +Finally, don't forget to copy the winbind pam modules from +the source directory in which you originally compiled the new +SAMBA up to the /lib/security directory so that pam can use it: +</para> + +<para> +<prompt>root# </prompt> cp ../samba/source/nsswitch/pam_winbind.so /lib/security +</para> + +</sect3> + +</sect2> + </sect1> <sect1> <title>Limitations</title> <para>Winbind has a number of limitations in its current - released version which we hope to overcome in future + released version that we hope to overcome in future releases:</para> <itemizedlist> @@ -346,12 +872,6 @@ <listitem><para>Currently the winbind PAM module does not take into account possible workstation and logon time restrictions that may be been set for Windows NT users.</para></listitem> - - <listitem><para>Building winbind from source is currently - quite tedious as it requires combining source code from two Samba - branches. Work is underway to solve this by providing all - the necessary functionality in the main Samba code branch.</para> - </listitem> </itemizedlist> </sect1> @@ -369,4 +889,3 @@ </sect1> </chapter> - |