Name
findsmb — list info about machines that respond to SMB - name queries on a subnet
Synopsis
findsmb [subnet broadcast address]
Synopsis
findsmb [subnet broadcast address]
DESCRIPTION
This perl script is part of the samba(7) suite.
findsmb is a perl script that prints out several pieces of information about machines on a subnet that respond to SMB name query requests. It uses nmblookup(1) and smbclient(1) to obtain this information. -
OPTIONS
- -r
Controls whether findsmb takes +
OPTIONS
- -r
Controls whether findsmb takes bugs in Windows95 into account when trying to find a Netbios name registered of the remote machine. This option is disabled by default because it is specific to Windows 95 and Windows 95 machines only. @@ -16,7 +16,7 @@ findsmb(1) is run. This value is passed to nmblookup(1) - as part of the -B option.
EXAMPLES
The output of findsmb lists the following information for all machines that respond to the initial nmblookup for any name: IP address, NetBIOS name, Workgroup name, operating system, and SMB server version.
There will be a '+' in front of the workgroup name for @@ -48,10 +48,10 @@ 192.168.35.88 SCNT2 +[MVENGR] [Windows NT 4.0] [NT LAN Manager 4.0] 192.168.35.93 FROGSTAR-PC [MVENGR] [Windows 5.0] [Windows 2000 LAN Manager] 192.168.35.97 HERBNT1 *[HERB-NT] [Windows NT 4.0] [NT LAN Manager 4.0] -
AUTHOR
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/lmhosts.5.html samba-3.0.12/docs/htmldocs/lmhosts.5.html --- samba-3.0.11/docs/htmldocs/lmhosts.5.html 2005-02-03 21:51:01.000000000 -0600 +++ samba-3.0.12/docs/htmldocs/lmhosts.5.html 2005-03-17 15:14:44.000000000 -0600 @@ -1,8 +1,8 @@ -
Name
lmhosts — The Samba NetBIOS hosts file
Synopsis
lmhosts is the samba(7) NetBIOS name to IP address mapping file.
DESCRIPTION
This file is part of the samba(7) suite.
lmhosts is the Samba
+ lmhosts — The Samba NetBIOS hosts file lmhosts is the samba(7) NetBIOS name to IP address mapping file. This file is part of the samba(7) suite. lmhosts is the Samba
NetBIOS name to IP address mapping file. It
is very similar to the /etc/hosts file
format, except that the hostname component must correspond
- to the NetBIOS naming format. It is an ASCII file containing one line for NetBIOS name.
+ to the NetBIOS naming format. It is an ASCII file containing one line for NetBIOS name.
The two fields on each line are separated from each other by
white space. Any entry beginning with '#' is ignored. Each line
in the lmhosts file contains the following information: IP Address - in dotted decimal format. NetBIOS Name - This name format is a
@@ -23,10 +23,10 @@
the NetBIOS name requested. The second mapping will be returned only when the "0x20" name
type for a name "NTSERVER" is queried. Any other name type will not
be resolved. The default location of the lmhosts file
- is in the same directory as the smb.conf(5) file. lmhosts is loaded from the configuration directory. This is
+ is in the same directory as the smb.conf(5) file. lmhosts is loaded from the configuration directory. This is
usually /etc/samba or /usr/local/samba/lib.
- The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/log2pcap.1.html samba-3.0.12/docs/htmldocs/log2pcap.1.html
--- samba-3.0.11/docs/htmldocs/log2pcap.1.html 2005-02-03 21:51:08.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/log2pcap.1.html 2005-03-17 15:14:48.000000000 -0600
@@ -1,11 +1,11 @@
- log2pcap — Extract network traces from Samba log files log2pcap [-h] [-q] [logfile] [pcap_file] This tool is part of the samba(7) suite. log2pcap reads in a
+ log2pcap — Extract network traces from Samba log files log2pcap [-h] [-q] [logfile] [pcap_file] This tool is part of the samba(7) suite. log2pcap reads in a
samba log file and generates a pcap file (readable
by most sniffers, such as ethereal or tcpdump) based on the packet
dumps in the log file. The log file must have a log level
of at least 5 to get the SMB header/parameters
right, 10 to get the first 512 data bytes of the
packet and 50 to get the whole packet.
- If this parameter is
+ If this parameter is
specified the output file will be a
hex dump, in a format that is readable
by the text2pcap utility. Be quiet. No warning messages about missing
@@ -17,13 +17,13 @@
If this argument is not specified, output data will be written
to stdout.
Print a summary of command line options.
- Extract all network traffic from all samba log files: Convert to pcap using text2pcap: mount.cifs — mount using the Common Internet File System (CIFS) mount.cifs {service} {mount-point} [-o options] This tool is part of the samba(7) suite. mount.cifs mounts a Linux CIFS filesystem. It
+ mount.cifs — mount using the Common Internet File System (CIFS) mount.cifs {service} {mount-point} [-o options] This tool is part of the samba(7) suite. mount.cifs mounts a Linux CIFS filesystem. It
is usually invoked indirectly by
the mount(8) command when using the
"-t cifs" option. This command only works in Linux, and the kernel must
@@ -20,7 +20,7 @@
mount.cifs causes the cifs vfs to launch a thread named cifsd. After mounting it keeps running until
the mounted resource is unmounted (usually via the umount utility).
- specifies the username to connect as. If
+ specifies the username to connect as. If
this is not given, then the environment variable USER is used. This option can also take the
form "user%password" or "user/workgroup" or
"user/workgroup%password" to allow the password and workgroup
@@ -68,7 +68,7 @@
not specified then the nls_default specified
during the local client kernel build will be used.
If server does not support Unicode, this parameter is
- unused. mount read-only mount read-write default network read size default network write size
The variable USER may contain the username of the
person to be used to authenticate to the server.
The variable can be used to set both username and
@@ -80,13 +80,13 @@
The variable PASSWD_FILE may contain the pathname
of a file to read the password from. A single line of input is
read and used as the password.
- This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled. This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled.
The primary mechanism for making configuration changes and for reading
debug information for the cifs vfs is via the Linux /proc filesystem.
In the directory /proc/fs/cifs are various
configuration files and pseudo files which can display debug information.
For more information see the kernel file fs/cifs/README.
- Passwords and other options containing , can not be handled.
For passwords an alternative way of passing them is in a credentials
file or in the PASSWD environment. The credentials file does not handle usernames or passwords with
leading space.
@@ -95,11 +95,11 @@
and always include which versions you use of relevant software
when reporting bugs (minimum: mount.cifs (try mount.cifs -V), kernel (see /proc/version) and
server type you are trying to contact.
- This man page is correct for version 1.0.6 of
- the cifs vfs filesystem (roughly Linux kernel 2.6.6). This man page is correct for version 1.0.6 of
+ the cifs vfs filesystem (roughly Linux kernel 2.6.6).
Documentation/filesystems/cifs.txt and fs/cifs/README in the linux kernel
source tree may contain additional options and information.
- Steve French The syntax and manpage were loosely based on that of smbmount. It
was converted to Docbook/XML by Jelmer Vernooij. The maintainer of the Linux cifs vfs and the userspace
tool mount.cifs is Steve French.
The Linux CIFS Mailing list
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/net.8.html samba-3.0.12/docs/htmldocs/net.8.html
--- samba-3.0.11/docs/htmldocs/net.8.html 2005-02-03 21:51:21.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/net.8.html 2005-03-17 15:14:55.000000000 -0600
@@ -1,13 +1,13 @@
net — Tool for administration of Samba and remote
CIFS servers.
- net {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-l] [-P] [-D debuglevel] This tool is part of the samba(7) suite. The samba net utility is meant to work just like the net utility
+ net {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-l] [-P] [-D debuglevel] This tool is part of the samba(7) suite. The samba net utility is meant to work just like the net utility
available for windows and DOS. The first argument should be used
to specify the protocol to use when executing a certain command.
ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3)
clients and RPC can be used for NT4 and Windows 2000. If this
argument is omitted, net will try to determine it automatically.
Not all commands are available on all protocols.
- Print a summary of command line options.
+ Print a summary of command line options.
Sets target workgroup or domain. You have to specify
either this option or the IP address or the name of a server.
@@ -24,7 +24,7 @@
Defaults to trying 445 first, then 139.
This option allows you to override
the NetBIOS name that Samba uses for itself. This is identical
-to setting the netbios name parameter in the smb.conf file.
+to setting the parameter in the smb.conf file.
However, a command
line setting will take precedence over settings in
smb.conf. The file specified contains the
@@ -53,19 +53,19 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the log level parameter
-in the smb.conf file. This command allows the Samba machine account password to be set from an external application
to a machine account password that has already been stored in Active Directory. DO NOT USE this command
unless you know exactly what you are doing. The use of this command requires that the force flag (-f)
be used also. There will be NO command prompt. Whatever information is piped into stdin, either by
typing at the command line or otherwise, will be stored as the literal machine password. Do NOT use
this without care and attention as it will overwrite a legitimate machine password without warning.
YOU HAVE BEEN WARNED.
- The NET TIME command allows you to view the time on a remote server
- or synchronise the time on the local server with the time on the remote server. The NET TIME command allows you to view the time on a remote server
+ or synchronise the time on the local server with the time on the remote server.
Join a domain. If the account already exists on the server, and
[TYPE] is MEMBER, the machine will attempt to join automatically.
(Assuming that the machine has been created in server manager)
@@ -73,60 +73,60 @@
be created.
[TYPE] may be PDC, BDC or MEMBER to specify the type of server
joining the domain.
- Join a domain. Use the OLDJOIN option to join the domain
using the old style of domain joining - you need to create a trust
-account in server manager first. Enumerates all exported resources (network shares) on target server. Adds a share from a server (makes the export active). Maxusers
+account in server manager first. Enumerates all exported resources (network shares) on target server.
Validate whether the specified user can log in to the
remote server. If the password is not specified on the commandline, it
will be prompted.
- Currently NOT implemented. Execute the specified command on
the remote server. Only works with OS/2 servers.
- Currently NOT implemented. Samba uses a general caching interface called 'gencache'. It
can be controlled using 'NET CACHE'. All the timeout parameters support the suffixes:
- Print the SID of the specified domain, or if the parameter is
+omitted, the SID of the domain the local server is in. Manage the mappings between Windows group SIDs and UNIX groups.
Parameters take the for "parameter=value". Common options include: unixgroup - Name of the UNIX group ntgroup - Name of the Windows NT group (must be
resolvable to a SID rid - Unsigned 32-bit integer sid - Full SID in the form of "S-1-..." type - Type of the group; either 'domain', 'local',
- or 'builtin' comment - Freeform text description of the group Add a new group mapping entry net groupmap add {rid=int|sid=string} unixgroup=string [type={domain|local}] [ntgroup=string] [comment=string] Delete a group mapping entry. If more then one group name matches, the first entry found is deleted. net groupmap delete {ntgroup=string|sid=SID} Prints out the highest RID currently in use on the local
+ or 'builtin' comment - Freeform text description of the group Add a new group mapping entry net groupmap add {rid=int|sid=string} unixgroup=string [type={domain|local}] [ntgroup=string] [comment=string] Delete a group mapping entry. If more then one group name matches, the first entry found is deleted. net groupmap delete {ntgroup=string|sid=SID} Prints out the highest RID currently in use on the local
server (by the active 'passdb backend').
- Print information about the domain of the remote server,
such as domain name, domain sid and number of users and groups.
- Remove interdomain trust account for
DOMAIN from the remote server.
- Currently NOT implemented. Shut down the remote server.
+can be found in the Samba-HOWTO-Collection. Shut down the remote server.
Reboot after shutdown.
Force shutting down all applications.
@@ -134,22 +134,22 @@
Timeout before system will be shut down. An interactive
user of the system can use this time to cancel the shutdown.
Display the specified message on the screen to
-announce the shutdown. Export users, aliases and groups from remote server to
local server. Can only be run an a BDC.
- Print out status of machine account of the local machine in ADS.
Prints out quite some debug info. Aimed at developers, regular
-users should use NET ADS TESTJOIN. Perform a raw LDAP search on a ADS server and dump the results. The
expression is a standard LDAP search expression, and the
attributes are a list of LDAP fields to show in the results. Example: net ads search '(objectCategory=group)' sAMAccountName
- nmbd — NetBIOS name server to provide NetBIOS
- over IP naming services to clients nmbd [-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-p <port number>] [-s <configuration file>] This program is part of the samba(7) suite. nmbd is a server that understands
+ over IP naming services to clients nmbd [-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-p <port number>] [-s <configuration file>] This program is part of the samba(7) suite. nmbd is a server that understands
and can reply to NetBIOS over IP name service requests, like
those produced by SMB/CIFS clients such as Windows 95/98/ME,
Windows NT, Windows 2000, Windows XP and LanManager clients. It also
@@ -11,7 +11,7 @@
specified it will respond with the IP number of the host it
is running on. Its "own NetBIOS name" is by
default the primary DNS name of the host it is running on,
- but this can be overridden by the netbios name
+ but this can be overridden by the netbios name
in smb.conf. Thus nmbd will
reply to broadcast queries for its own name(s). Additional
names for nmbd to respond on can be set
@@ -22,7 +22,7 @@
replying to queries from clients for these names. In addition, nmbd can act as a WINS
proxy, relaying broadcast queries from clients that do
not understand how to talk the WINS protocol to a WINS
- server. If specified, this parameter causes
+ server. If specified, this parameter causes
nmbd to operate as a daemon. That is,
it detaches itself and runs in the background, fielding
requests on the appropriate port. By default, nmbd
@@ -51,7 +51,7 @@
NetBIOS lmhosts file. The lmhosts
file is a list of NetBIOS names to IP addresses that
is loaded by the nmbd server and used via the name
- resolution mechanism name resolve order described in smb.conf(5) to resolve any
+ resolution mechanism name resolve order described in smb.conf(5) to resolve any
NetBIOS name queries needed by the server. Note
that the contents of this file are NOT
used by nmbd to answer any name queries.
@@ -80,7 +80,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the log level parameter
+override the parameter
in the smb.conf file. Base directory name for log/debug files. The extension
".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
@@ -88,7 +88,7 @@
This option changes the default UDP port number (normally 137)
that nmbd responds to name queries on. Don't
use this option unless you are an expert, in which case you
- won't need help! If the server is to be run by the
inetd meta-daemon, this file
must contain suitable startup information for the
meta-daemon.
@@ -104,18 +104,18 @@
configuration file. Other common places that systems
install this file are /usr/samba/lib/smb.conf
and /etc/samba/smb.conf. When run as a WINS server (see the
- wins support
+ wins support
parameter in the smb.conf(5) man page),
nmbd
will store the WINS database in the file wins.dat
in the var/locks directory configured under
wherever Samba was configured to install itself. If nmbd is acting as a
- browse master (see the local master
+ browse master (see the local master
parameter in the smb.conf(5) man page, nmbd
will store the browsing database in the file browse.dat
in the var/locks directory
configured under wherever Samba was configured to install itself.
- To shut down an nmbd process it is recommended
that SIGKILL (-9) NOT be used, except as a last
resort, as this may leave the name database in an inconsistent state.
The correct way to terminate nmbd is to send it
@@ -129,13 +129,13 @@
using smbcontrol(1) (SIGUSR[1|2] signals
are no longer used since Samba 2.2). This is to allow
transient problems to be diagnosed, whilst still running
- at a normally low log level.
inetd(8), smbd(8), smb.conf(5), smbclient(1), testparm(1), testprns(1), and the Internet
RFC's rfc1001.txt, rfc1002.txt.
In addition the CIFS (formerly SMB) specification is available
as a link from the Web page
- http://samba.org/cifs/. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/nmblookup.1.html samba-3.0.12/docs/htmldocs/nmblookup.1.html
--- samba-3.0.11/docs/htmldocs/nmblookup.1.html 2005-02-03 21:51:33.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/nmblookup.1.html 2005-03-17 15:15:03.000000000 -0600
@@ -1,9 +1,9 @@
nmblookup — NetBIOS over TCP/IP client used to lookup NetBIOS
- names nmblookup [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] [-f] {name} nmblookup [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] [-f] {name} This tool is part of the samba(7) suite. nmblookup is used to query NetBIOS names
and map them to IP addresses in a network using NetBIOS over TCP/IP
queries. The options allow the name queries to be directed at a
particular IP broadcast area or to a particular machine. All queries
- are done over UDP. Searches for a master browser by looking
+ are done over UDP. Searches for a master browser by looking
up the NetBIOS name name with a
type of 0x1d. If
name is "-" then it does a lookup on the special name
@@ -28,7 +28,7 @@
Interpret name as
an IP Address and do a node status query on this address. This option allows you to override
the NetBIOS name that Samba uses for itself. This is identical
-to setting the netbios name parameter in the smb.conf file.
+to setting the parameter in the smb.conf file.
However, a command
line setting will take precedence over settings in
smb.conf. This specifies a NetBIOS scope that
@@ -73,7 +73,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the log level parameter
+override the parameter
in the smb.conf file. Base directory name for log/debug files. The extension
".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
@@ -88,12 +88,12 @@
If a NetBIOS name then the different name types may be specified
by appending '#<type>' to the name. This name may also be
'*', which will return all registered names within a broadcast
- area. nmblookup can be used to query
a WINS server (in the same way nslookup is
used to query DNS servers). To query a WINS server, nmblookup
must be called like this: nmblookup -U server -R 'name' For example, running : nmblookup -U samba.org -R 'IRIX#1B' would query the WINS server samba.org for the domain
- master browser (1B name type) for the IRIX workgroup. The original Samba software and related utilities
+ master browser (1B name type) for the IRIX workgroup. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/ntlm_auth.1.html samba-3.0.12/docs/htmldocs/ntlm_auth.1.html
--- samba-3.0.11/docs/htmldocs/ntlm_auth.1.html 2005-02-03 21:51:38.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/ntlm_auth.1.html 2005-03-17 15:15:13.000000000 -0600
@@ -1,18 +1,18 @@
- ntlm_auth — tool to allow external access to Winbind's NTLM authentication function ntlm_auth [-d debuglevel] [-l logdir] [-s <smb config file>] This tool is part of the samba(7) suite. ntlm_auth is a helper utility that authenticates
+ ntlm_auth — tool to allow external access to Winbind's NTLM authentication function ntlm_auth [-d debuglevel] [-l logdir] [-s <smb config file>] This tool is part of the samba(7) suite. ntlm_auth is a helper utility that authenticates
users using NT/LM authentication. It returns 0 if the users is authenticated
successfully and 1 if access was denied. ntlm_auth uses winbind to access
the user and authentication data for a domain. This utility
is only indended to be used by other programs (currently
Squid
and mod_ntlm_winbind)
-
The winbindd(8) daemon must be operational
for many of these commands to function. Some of these commands also require access to the directory
winbindd_privileged in
$LOCKDIR. This should be done either by running
this command as root or providing group access
to the winbindd_privileged directory. For
- security reasons, this directory should not be world-accessable.
+ security reasons, this directory should not be world-accessable.
Operate as a stdio-based helper. Valid helper protocols are:
Server-side helper for use with Squid 2.4's basic (plaintext)
@@ -64,34 +64,33 @@
any data (such as usernames/passwords) that may contain malicous user data, such as
a newline. They may also need to decode strings from
the helper, which likewise may have been base64 encoded. The user's domain, expected to be in
- Samba's unix charset.
- The fully qualified username, expected to be in
- Samba's unix
- charset and qualified with the
- winbind separator.
- The 8 byte LANMAN Challenge value,
+ Samba's unix charset.
+ The user's domain, expected to be in
+ Samba's unix charset.
+ The fully qualified username, expected to be in
+ Samba's and qualified with the
+ winbind separator.
+ The 8 byte LANMAN Challenge value,
generated randomly by the server, or (in cases such as
MSCHAPv2) generated in some way by both the server and
the client.
- The 24 byte LANMAN Response value,
+ The 24 byte LANMAN Response value,
calculated from the user's password and the supplied
LANMAN Challenge. Typically, this
is provided over the network by a client wishing to authenticate.
- The >= 24 byte NT Response
+ The >= 24 byte NT Response
calculated from the user's password and the supplied
LANMAN Challenge. Typically, this is
provided over the network by a client wishing to authenticate.
- The user's password. This would be
+ The user's password. This would be
provided by a network client, if the helper is being
used in a legacy situation that exposes plaintext
passwords in this way.
- Apon sucessful authenticaiton, return
+ Apon sucessful authenticaiton, return
the user session key associated with the login.
- Apon sucessful authenticaiton, return
+ Apon sucessful authenticaiton, return
the LANMAN session key associated with the login.
-
+
Specify username of user to authenticate
Specify domain of user to authenticate
@@ -124,12 +123,12 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the log level parameter
+override the parameter
in the smb.conf file. Base directory name for log/debug files. The extension
".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
Print a summary of command line options.
- To setup ntlm_auth for use by squid 2.5, with both basic and
NTLMSSP authentication, the following
should be placed in the squid.conf file.
If you're experiencing problems with authenticating Internet Explorer running
under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication
helper (--helper-protocol=squid-2.5-ntlmssp), then please read
the Microsoft Knowledge Base article #239869 and follow instructions described there.
- The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The ntlm_auth manpage was written by Jelmer Vernooij and
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/pam_winbind.8.html samba-3.0.12/docs/htmldocs/pam_winbind.8.html
--- samba-3.0.11/docs/htmldocs/pam_winbind.8.html 2005-02-03 21:51:41.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/pam_winbind.8.html 2005-03-17 15:15:21.000000000 -0600
@@ -1,5 +1,5 @@
- pam_winbind — PAM module for Winbind This tool is part of the samba(7) suite. pam_winbind is a PAM module that can authenticate users against the local domain
- by talking to the Winbind daemon.
+ pam_winbind — PAM module for Winbind This tool is part of the samba(7) suite. pam_winbind is a PAM module that can authenticate users against the local domain
+ by talking to the Winbind daemon. pdbedit — manage the SAM database (Database of Samba Users) pdbedit [-L] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-a] [-m] [-r] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-g] [-d debuglevel] [-s configfile] [-P account-policy] [-C value] [-c account-control] This tool is part of the samba(7) suite. The pdbedit program is used to manage the users accounts
+ pdbedit — manage the SAM database (Database of Samba Users) pdbedit [-L] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-a] [-m] [-r] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-g] [-d debuglevel] [-s configfile] [-P account-policy] [-C value] [-c account-control] This tool is part of the samba(7) suite. The pdbedit program is used to manage the users accounts
stored in the sam database and can only be run by root. The pdbedit tool uses the passdb modular interface and is
independent from the kind of users database used (currently there
are smbpasswd, ldap, nis+ and tdb based and more can be added
without changing the tool). There are five main ways to use pdbedit: adding a user account,
removing a user account, modifing a user account, listing user
- accounts, importing users accounts. This option lists all the user accounts
+ accounts, importing users accounts. This option lists all the user accounts
present in the users database.
This option prints a list of user/uid pairs separated by
the ':' character. Example: pdbedit -L
pdbedit does not call the unix password syncronisation
- script if unix password sync
+ script if unix password sync
has been set. It only updates the data in the Samba
user database.
If you wish to add a user and synchronise the password
@@ -130,12 +130,12 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the log level parameter
+override the parameter
in the smb.conf file. Base directory name for log/debug files. The extension
".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
- profiles — A utility to report and change SIDs in registry files
- profiles [-v] [-c SID] [-n SID] {file} profiles [-v] [-c SID] [-n SID] {file} This tool is part of the samba(7) suite. profiles is a utility that
reports and changes SIDs in windows registry files. It currently only
supports NT.
- rpcclient — tool for executing client side
- MS-RPC functions rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-N] [-I destinationIP] {server} This tool is part of the samba(7) suite. rpcclient is a utility initially developed
+ MS-RPC functions rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-N] [-I destinationIP] {server} This tool is part of the samba(7) suite. rpcclient is a utility initially developed
to test MS-RPC functionality in Samba itself. It has undergone
several stages of development and stability. Many system administrators
have now written scripts around it to manage Windows NT clients from
- their UNIX workstation. NetBIOS name of Server to which to connect.
+ their UNIX workstation. NetBIOS name of Server to which to connect.
The server can be any SMB/CIFS server. The name is
- resolved using the name resolve order line from smb.conf(5). execute semicolon separated commands (listed
+ resolved using the name resolve order line from smb.conf(5). execute semicolon separated commands (listed
below)) IP address is the address of the server to connect to.
It should be specified in standard "a.b.c.d" notation. Normally the client would attempt to locate a named
SMB/CIFS server by looking it up via the NetBIOS name resolution
@@ -35,7 +35,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the log level parameter
+override the parameter
in the smb.conf file. Base directory name for log/debug files. The extension
".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
@@ -46,7 +46,7 @@
password.
Try to authenticate with kerberos. Only useful in
an Active Directory environment.
- This option allows
+ This option allows
you to specify a file from which to read the username and
password used in the connection. The format of the file is
This option allows you to override
the NetBIOS name that Samba uses for itself. This is identical
-to setting the netbios name parameter in the smb.conf file.
+to setting the parameter in the smb.conf file.
However, a command
line setting will take precedence over settings in
smb.conf. This specifies a NetBIOS scope that
@@ -87,11 +87,11 @@
socket. See the socket options parameter in
the smb.conf manual page for the list of valid
options. Print a summary of command line options.
- Query info policy Resolve a list
of SIDs to usernames.
Resolve a list
of usernames to SIDs.
- Enumerate trusted domains Enumerate privileges Get the privilege name Enumerate the LSA SIDS Enumerate the privileges of an SID Enumerate the rights of an SID Enumerate accounts with a right Add rights to an account Remove rights from an account Get a privilege value given its name Query LSA security object Get Primary Domain Information DFS Query DFS support Add a DFS share Remove a DFS share Query DFS share info Enumerate dfs shares Server query info Enumerate shares Enumerate open files Fetch remote time of day Query user info Query group info Query user groups Query group membership Query alias membership Query display info Query domain info Enumerate domain users Enumerate domain groups Enumerate alias groups Create domain user Look up names Look up names Delete domain user Query SAMR security object Retrieve domain password info Look up domain
+ Enumerate trusted domains Enumerate privileges Get the privilege name Enumerate the LSA SIDS Enumerate the privileges of an SID Enumerate the rights of an SID Enumerate accounts with a right Add rights to an account Remove rights from an account Get a privilege value given its name Query LSA security object Get Primary Domain Information DFS Query DFS support Add a DFS share Remove a DFS share Query DFS share info Enumerate dfs shares Server query info Enumerate shares Enumerate open files Fetch remote time of day Query user info Query group info Query user groups Query group membership Query alias membership Query display info Query domain info Enumerate domain users Enumerate domain groups Enumerate alias groups Create domain user Look up names Look up names Delete domain user Query SAMR security object Retrieve domain password info Look up domain
Execute an AddPrinterDriver() RPC to install the printer driver
information on the server. Note that the driver files should
already exist in the directory returned by
@@ -176,11 +176,11 @@
already be correctly installed on the print server. See also the enumprinters and
enumdrivers commands for obtaining a list of
of installed printers and drivers. Add form Set form Get form Delete form Enumerate form Set printer comment Set REG_SZ printer data Set printer name Rffpcnex test Logon Control 2 Logon Control Sam Synchronisation Query Sam Deltas Sam Logon rpcclient is designed as a developer testing tool
and may not be robust in certain areas (such as command line parsing).
It has been known to generate a core dump upon failures when invalid
parameters where passed to the interpreter. From Luke Leighton's original rpcclient man page: WARNING! The MSRPC over SMB code has
@@ -193,8 +193,8 @@
versions of smbd(8) and rpcclient(1) that are incompatible for some commands or services. Additionally,
the developers are sending reports to Microsoft, and problems found
or reported to Microsoft are fixed in Service Packs, which may
- result in incompatibilities. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original rpcclient man page was written by Matthew
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/samba.7.html samba-3.0.12/docs/htmldocs/samba.7.html
--- samba-3.0.11/docs/htmldocs/samba.7.html 2005-02-03 21:51:58.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/samba.7.html 2005-03-17 15:15:35.000000000 -0600
@@ -1,4 +1,4 @@
- samba — A Windows SMB/CIFS fileserver for UNIX samba The Samba software suite is a collection of programs
+ samba — A Windows SMB/CIFS fileserver for UNIX samba The Samba software suite is a collection of programs
that implements the Server Message Block (commonly abbreviated
as SMB) protocol for UNIX systems. This protocol is sometimes
also referred to as the Common Internet File System (CIFS). For a
@@ -65,7 +65,7 @@
smbmnt(8) smbmount,smbumount and smbmnt are commands that can be used to
mount CIFS/SMB shares on Linux.
smbcquotas is a tool that
- can set remote QUOTA's on server with NTFS 5. The Samba suite is made up of several components. Each
component is described in a separate manual page. It is strongly
recommended that you read the documentation that comes with Samba
and the manual pages of those components that you use. If the
@@ -74,7 +74,7 @@
for information on how to file a bug report or submit a patch. If you require help, visit the Samba webpage at
http://www.samba.org/ and
explore the many option available to you.
- The Samba software suite is licensed under the
GNU Public License(GPL). A copy of that license should
have come with the package in the file COPYING. You are
encouraged to distribute copies of the Samba suite, but
@@ -88,14 +88,14 @@
the README file that comes with Samba. If you have access to a WWW viewer (such as Mozilla
or Konqueror) then you will also find lots of useful information,
including back issues of the Samba mailing list, at
- http://lists.samba.org. If you wish to contribute to the Samba project,
then I suggest you join the Samba mailing list at
http://lists.samba.org.
If you have patches to submit, visit
http://devel.samba.org/
for information on how to do it properly. We prefer patches
- in diff -u format. Contributors to the project are now too numerous
to mention here but all deserve the thanks of all Samba
users. To see a full list, look at the
change-log in the source package
@@ -103,7 +103,7 @@
http://cvs.samba.org/
for the contributors to Samba post-CVS. CVS is the Open Source
source code control system used by the Samba Team to develop
- Samba. The project would have been unmanageable without it. The original Samba software and related utilities
+ Samba. The project would have been unmanageable without it. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/architecture.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/architecture.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/architecture.html 2005-02-03 21:54:17.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/architecture.html 2005-03-17 15:17:27.000000000 -0600
@@ -1,4 +1,4 @@
-
+
This document gives a general overview of how Samba works
internally. The Samba Team has tried to come up with a model which is
the best possible compromise between elegance, portability, security
@@ -9,7 +9,7 @@
Is Samba secure when running on Unix? The xyz platform?
What about the root priveliges issue?
- Pros and cons of multithreading in various parts of Samba Why not have a separate process for name resolution, WINS, and browsing?
People sometimes tout threads as a uniformly good thing. They are very
nice in their place but are quite inappropriate for smbd. nmbd is
another matter, and multi-threading it would be very nice.
@@ -26,7 +26,7 @@
slower, less scalable, less portable and much less robust. The fact
that we use a separate process for each connection is one of Samba's
biggest advantages.
-
A few problems that would arise from a threaded smbd are:
It's not only to create threads instead of processes, but you
@@ -51,7 +51,7 @@
we couldn't use the system locking calls as the locking context of
fcntl() is a process, not a thread.
-
This would be ideal, but gets sunk by portability requirements.
Andrew tried to write a test threads library for nmbd that used only
@@ -78,7 +78,7 @@
nasty to program cleanly due to the enormous amount of shared data (in
complex structures) between the processes. We can't rely on each
platform having a shared memory system.
-
Originally Andrew used recursion to simulate a multi-threaded
environment, which use the stack enormously and made for really
confusing debugging sessions. Luke Leighton rewrote it to use a
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/debug.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/debug.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/debug.html 2005-02-03 21:54:17.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/debug.html 2005-03-17 15:17:27.000000000 -0600
@@ -1,4 +1,4 @@
- Table of Contents
+ Table of Contents
The syntax of a debugging log file is represented as:
Use of the DEBUG() macro is unchanged. DEBUG() takes two parameters.
The first is the message level, the second is the body of a function
call to the Debug1() function.
@@ -102,7 +102,7 @@
[1998/07/30 16:00:51, 0] file.c:function(261)
.
Which isn't much use. The format buffer kludge fixes this problem.
-
In addition to the kludgey solution to the broken line problem
described above, there is a clean solution. The DEBUGADD() macro never
generates a header. It will append new text to the current debug
@@ -116,7 +116,7 @@
This is the first line.
This is the second line.
This is the third line.
-
This function prints debug message text to the debug file (and
possibly to syslog) via the format buffer. The function uses a
variable argument list just like printf() or Debug1(). The
@@ -160,7 +160,7 @@
If you use DEBUGLVL() you will probably print the body of the
message using dbgtext().
-
This is the function that writes a debug message header.
Headers are not processed via the format buffer. Also note that
if the format buffer is not empty, a call to dbghdr() will not
@@ -168,7 +168,7 @@
It is not likely that this function will be called directly. It
is used by DEBUG() and DEBUGADD().
-
This is a static function in debug.c. It stores the output text
for the body of the message in a buffer until it encounters a
newline. When the newline character is found, the buffer is
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/index.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/index.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/index.html 2005-02-03 21:54:20.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/index.html 2005-03-17 15:17:29.000000000 -0600
@@ -26,12 +26,12 @@
This documentation is distributed under the GNU General Public License (GPL)
version 2. A copy of the license is included with the Samba source
distribution. A copy can be found on-line at http://www.fsf.org/licenses/gpl.txt
- Table of Contents Table of Contents Table of Contents
+ Table of Contents
This section describes character set handling in Samba, as implemented in
Samba 3.0 and above
@@ -8,7 +8,7 @@
telling if a particular char* is in dos codepage or unix
codepage. This led to a nightmare of code that tried to cope with
particular cases without handlingt the general case.
-
The new system works like this:
all char* strings inside Samba are "unix" strings. These are
@@ -70,28 +70,28 @@
parameters is gone.
all vfs functions take unix strings. Don't convert when passing to them
-
This section describes the macros defined in byteorder.h. These macros
are used extensively in the Samba code.
-
+
returns the value of the unsigned short (16 bit) little-endian integer at
offset pos within buffer buf. An integer of this type is sometimes
refered to as "USHORT".
- returns the value of the unsigned 32 bit little-endian integer at offset
-pos within buffer buf. returns the value of the signed short (16 bit) little-endian integer at
-offset pos within buffer buf. returns the value of the signed 32 bit little-endian integer at offset pos
-within buffer buf. sets the unsigned short (16 bit) little-endian integer at offset pos within
-buffer buf to value val. sets the unsigned 32 bit little-endian integer at offset pos within buffer
-buf to the value val. sets the short (16 bit) signed little-endian integer at offset pos within
-buffer buf to the value val. sets the signed 32 bit little-endian integer at offset pos withing buffer
-buf to the value val. returns the value of the unsigned short (16 bit) big-endian integer at
-offset pos within buffer buf. returns the value of the unsigned 32 bit big-endian integer at offset
-pos within buffer buf. returns the value of the unsigned 32 bit little-endian integer at offset
+pos within buffer buf. returns the value of the signed short (16 bit) little-endian integer at
+offset pos within buffer buf. returns the value of the signed 32 bit little-endian integer at offset pos
+within buffer buf. sets the unsigned short (16 bit) little-endian integer at offset pos within
+buffer buf to value val. sets the unsigned 32 bit little-endian integer at offset pos within buffer
+buf to the value val. sets the short (16 bit) signed little-endian integer at offset pos within
+buffer buf to the value val. sets the signed 32 bit little-endian integer at offset pos withing buffer
+buf to the value val. returns the value of the unsigned short (16 bit) big-endian integer at
+offset pos within buffer buf. returns the value of the unsigned 32 bit big-endian integer at offset
+pos within buffer buf. sets the value of the unsigned short (16 bit) big-endian integer at
offset pos within buffer buf to value val.
-refered to as "USHORT".
This section describes the functions need to make a LAN Manager RPC call.
This information had been obtained by examining the Samba code and the LAN
Manager 2.0 API documentation. It should not be considered entirely
@@ -104,7 +104,7 @@
This function is defined in client.c. It uses an SMB transaction to call a
remote api.
- The parameters are as follows:
+ The parameters are as follows:
prcnt: the number of bytes of parameters begin sent.
drcnt: the number of bytes of data begin sent.
@@ -149,7 +149,7 @@
The code in client.c always calls call_api() with no data. It is unclear
when a non-zero length data buffer would be sent.
-
The returned parameters (pointed to by rparam), in their order of appearance
are:
An unsigned 16 bit integer which contains the API function's return code.
@@ -180,7 +180,7 @@
The third parameter (which may be read as "SVAL(rparam,4)") has something to
do with indicating the amount of data returned or possibly the amount of
data which can be returned if enough buffer space is allowed.
-
Certain data structures are described by means of ASCIIz strings containing
code characters. These are the code characters:
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/modules.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/modules.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/modules.html 2005-02-03 21:54:18.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/modules.html 2005-03-17 15:17:28.000000000 -0600
@@ -1,7 +1,7 @@
- Table of Contents
+ Table of Contents
The new modules system has the following advantages:
+for a subsystem to know about modules)
Some subsystems in samba use different backends. These backends can be
either statically linked in to samba or available as a plugin. A subsystem
should have a function that allows a module to register itself. For example,
@@ -11,7 +11,7 @@
This function will be called by the initialisation function of the module to
register itself.
-
+
The modules system compiles a list of initialisation functions for the
static modules of each subsystem. This is a define. For example,
it is here currently (from include/config.h):
@@ -21,7 +21,7 @@
These functions should be called before the subsystem is used. That
should be done when the subsystem is initialised or first used.
-
If a subsystem needs a certain backend, it should check if it has
already been registered. If the backend hasn't been registered already,
the subsystem should call smb_probe_module(char *subsystem, char *backend).
@@ -31,7 +31,7 @@
absolute path specified in 'backend'.
After smb_probe_module() has been executed, the subsystem
should check again if the module has been registered.
-
Each module has an initialisation function. For modules that are
included with samba this name is 'subsystem_backend_init'. For external modules (that will never be built-in, but only available as a module) this name is always 'init_module'. (In the case of modules included with samba, the configure system will add a #define subsystem_backend_init() init_module()).
The prototype for these functions is:
@@ -46,7 +46,7 @@
smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_nua", pdb_init_ldapsam_nua);
return NT_STATUS_OK;
}
-
+
Some macros in configure.in generate the various defines and substs that
are necessary for the system to work correct. All modules that should
be built by default have to be added to the variable 'default_modules'.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/netbios.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/netbios.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/netbios.html 2005-02-03 21:54:15.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/netbios.html 2005-03-17 15:17:25.000000000 -0600
@@ -1,4 +1,4 @@
- Table of Contents
+ Table of Contents
NetBIOS runs over the following transports: TCP/IP; NetBEUI and IPX/SPX.
Samba only uses NetBIOS over TCP/IP. For details on the TCP/IP NetBIOS
Session Service NetBIOS Datagram Service, and NetBIOS Names, see
@@ -39,7 +39,7 @@
UNIQUE NetBIOS name on a network.
There are two kinds of NetBIOS Name resolution: Broadcast and Point-to-Point.
-
Clients can claim names, and therefore offer services on successfully claimed
names, on their broadcast-isolated subnet. One way to get NetBIOS services
(such as browsing: see ftp.microsoft.com/drg/developr/CIFS/browdiff.txt; and
@@ -51,7 +51,7 @@
broadcast traffic. [If you have IPX/SPX on your LAN or WAN, you will find
that this is already happening: a packet analyzer will show, roughly
every twelve minutes, great swathes of broadcast traffic!].
-
rfc1001.txt describes, amongst other things, the implementation and use
of, a 'NetBIOS Name Service'. NT/AS offers 'Windows Internet Name Service'
which is fully rfc1001/2 compliant, but has had to take specific action
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/ntdomain.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/ntdomain.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/ntdomain.html 2005-02-03 21:54:17.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/ntdomain.html 2005-03-17 15:17:27.000000000 -0600
@@ -1,4 +1,4 @@
- Table of Contents
+ Table of Contents
This document contains information to provide an NT workstation with login
services, without the need for an NT server. It is the sgml version of http://mailhost.cb1.com/~lkcl/cifsntdomain.txt, controlled by Luke.
@@ -44,7 +44,7 @@
that it is already a member of the domain. the cryptographic side of the NetrServerPasswordSet command,
which would allow the workstation to change its password. This password is
used to generate the long-term session key. [It is possible to reject this
-command, and keep the default workstation password].
+command, and keep the default workstation password].
In the SMB Transact pipes, some "Structures", described here, appear to be
4-byte aligned with the SMB header, at their start. Exactly which
"Structures" need aligning is not precisely known or documented.
@@ -72,15 +72,15 @@
the pointer is also non-zero. immediately following the pointer is the
count again, followed by an array of container sub-structures. the count
appears a third time after the last sub-structure.
- command number in the msrpc packet header 0x00 0x02 0x0B 0x0C UTIME is 32 bits, indicating time in seconds since 01jan1970. documented in cifs6.txt (section 3.5 page, page 30). num of sub-authorities in domain SID SID revision number num of sub-authorities in domain SID 6 bytes for domain SID - Identifier Authority. domain SID sub-authorities Note: the domain SID is documented elsewhere.
- length of unicode string max length of unicode string 4 - undocumented. unicode string header undocumented buffer pointer length of unicode string null-terminated string of unicode characters. padding to get unicode string 4-byte aligned with the start of the SMB header. max length of unicode string 0 - undocumented length of unicode string string of uncode characters 0x18 - length (in bytes) including the length field. 0 - root directory (pointer) 0 - object name (pointer) 0 - attributes (undocumented) 0 - security descriptior (pointer) 0 - security quality of service 5 - SID type 0 - undocumented domain SID unicode string header domain SID unicode string Note: there is a conflict between the unicode string header and the unicode string itself as to which to use to indicate string length. this will need to be resolved. Note: the SID type indicates, for example, an alias; a well-known group etc. this is documented somewhere. 5 - well-known SID. 1 - user SID (see ShowACLs) 5 - undocumented domain RID 0 - domain index out of above reference domains Note: logon server name starts with two '\' characters and is upper case. Note: account name is the logon client name from the LSA Request Challenge, with a $ on the end of it, in upper case. undocumented buffer pointer logon server unicode string account name unicode string sec_chan - security channel type logon client machine unicode string Note: logon server name starts with two '\' characters and is upper case. undocumented buffer pointer logon server unicode string undocumented buffer pointer logon client machine unicode string Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will beused in subsequent credential checks. the presumed intention is to
- maintain an authenticated request/response trail. client and server names ???? padding, for 4-byte alignment with SMB header. pointer to client credentials. client-calculated credentials + client time Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will be used in subsequent credential checks. the presumed intention is to maintain an authenticated request/response trail. logon account info client-calculated credentials + client time ptr_id_info_1 domain name unicode header param control logon ID user name unicode header workgroup name unicode header arc4 LM OWF Password arc4 NT OWF Password domain name unicode string user name unicode string workstation name unicode string Note: presumably, the return credentials is supposedly for the server to verify that the credential chain hasn't been compromised. client identification/authentication info pointer to return credentials. return credentials - ignored. logon level switch value command number in the msrpc packet header 0x00 0x02 0x0B 0x0C UTIME is 32 bits, indicating time in seconds since 01jan1970. documented in cifs6.txt (section 3.5 page, page 30). num of sub-authorities in domain SID SID revision number num of sub-authorities in domain SID 6 bytes for domain SID - Identifier Authority. domain SID sub-authorities Note: the domain SID is documented elsewhere.
+ length of unicode string max length of unicode string 4 - undocumented. unicode string header undocumented buffer pointer length of unicode string null-terminated string of unicode characters. padding to get unicode string 4-byte aligned with the start of the SMB header. max length of unicode string 0 - undocumented length of unicode string string of uncode characters 0x18 - length (in bytes) including the length field. 0 - root directory (pointer) 0 - object name (pointer) 0 - attributes (undocumented) 0 - security descriptior (pointer) 0 - security quality of service 5 - SID type 0 - undocumented domain SID unicode string header domain SID unicode string Note: there is a conflict between the unicode string header and the unicode string itself as to which to use to indicate string length. this will need to be resolved. Note: the SID type indicates, for example, an alias; a well-known group etc. this is documented somewhere. 5 - well-known SID. 1 - user SID (see ShowACLs) 5 - undocumented domain RID 0 - domain index out of above reference domains Note: logon server name starts with two '\' characters and is upper case. Note: account name is the logon client name from the LSA Request Challenge, with a $ on the end of it, in upper case. undocumented buffer pointer logon server unicode string account name unicode string sec_chan - security channel type logon client machine unicode string Note: logon server name starts with two '\' characters and is upper case. undocumented buffer pointer logon server unicode string undocumented buffer pointer logon client machine unicode string Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will beused in subsequent credential checks. the presumed intention is to
+ maintain an authenticated request/response trail. client and server names ???? padding, for 4-byte alignment with SMB header. pointer to client credentials. client-calculated credentials + client time Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will be used in subsequent credential checks. the presumed intention is to maintain an authenticated request/response trail. logon account info client-calculated credentials + client time ptr_id_info_1 domain name unicode header param control logon ID user name unicode header workgroup name unicode header arc4 LM OWF Password arc4 NT OWF Password domain name unicode string user name unicode string workstation name unicode string Note: presumably, the return credentials is supposedly for the server to verify that the credential chain hasn't been compromised. client identification/authentication info pointer to return credentials. return credentials - ignored. logon level switch value undocumented buffer pointer. num referenced domains? undocumented domain name buffer pointer. 32 - max number of entries 4 - num referenced domains? domain name unicode string header referenced domain unicode string headers domain name unicode string referenced domain SIDs ??? padding to get 4-byte alignment with start of SMB header domain name string length * 2 domain name string length * 2 undocumented domain name string buffer pointer undocumented domain SID string buffer pointer domain name (unicode string) domain SID Note: it would be nice to know what the 16 byte user session key is for. logon time logoff time kickoff time password last set time password can change time password must change time username unicode string header user's full name unicode string header logon script unicode string header profile path unicode string header home directory unicode string header home directory drive unicode string header logon count bad password count User ID Group ID num groups undocumented buffer pointer to groups. user flags user session key logon server unicode string header logon domain unicode string header undocumented logon domain id pointer 40 undocumented padding bytes. future expansion? 0 - num_other_sids? NULL - undocumented pointer to other domain SIDs. username unicode string user's full name unicode string logon script unicode string profile path unicode string home directory unicode string home directory drive unicode string num groups group info logon server unicode string logon domain unicode string domain SID other domain SIDs? Note: see cifsrap2.txt section5, page 10. shi1_netname - pointer to net name shi1_type - type of share. 0 - undocumented. shi1_remark - pointer to comment. shi1_netname - unicode string of net name shi1_remark - unicode string of comment. share container with 0 entries: 0 - EntriesRead 0 - Buffer share container with > 0 entries: EntriesRead non-zero - Buffer EntriesRead share entry pointers share entry strings padding to get unicode string 4-byte aligned with start of the SMB header. EntriesRead 0 - padding Note: see cifs6.txt section 6.4 - the fields described therein will be of assistance here. for example, the type listed below is the same as fServerType, which is described in 6.4.1. 0x00000001 All workstations 0x00000002 All servers 0x00000004 Any server running with SQL server 0x00000008 Primary domain controller 0x00000010 Backup domain controller 0x00000020 Server running the timesource service 0x00000040 Apple File Protocol servers 0x00000080 Novell servers 0x00000100 Domain Member 0x00000200 Server sharing print queue 0x00000400 Server running dialin service. 0x00000800 Xenix server 0x00001000 NT server 0x00002000 Server running Windows for 0x00008000 Windows NT non DC server 0x00010000 Server that can run the browser service 0x00020000 Backup browser server 0x00040000 Master browser server 0x00080000 Domain Master Browser server 0x40000000 Enumerate only entries marked "local" 0x80000000 Enumerate Domains. The pszServer and pszDomain parameters must be NULL. 500 - platform_id pointer to name 5 - major version 4 - minor version type (SV_TYPE_... bit field) pointer to comment sv101_name - unicode string of server name sv_101_comment - unicode string of server comment. padding to get unicode string 4-byte aligned with start of the SMB header. For details on the SMB Transact Named Pipe, see cifs6.txt undocumented buffer pointer. num referenced domains? undocumented domain name buffer pointer. 32 - max number of entries 4 - num referenced domains? domain name unicode string header referenced domain unicode string headers domain name unicode string referenced domain SIDs ??? padding to get 4-byte alignment with start of SMB header domain name string length * 2 domain name string length * 2 undocumented domain name string buffer pointer undocumented domain SID string buffer pointer domain name (unicode string) domain SID Note: it would be nice to know what the 16 byte user session key is for. logon time logoff time kickoff time password last set time password can change time password must change time username unicode string header user's full name unicode string header logon script unicode string header profile path unicode string header home directory unicode string header home directory drive unicode string header logon count bad password count User ID Group ID num groups undocumented buffer pointer to groups. user flags user session key logon server unicode string header logon domain unicode string header undocumented logon domain id pointer 40 undocumented padding bytes. future expansion? 0 - num_other_sids? NULL - undocumented pointer to other domain SIDs. username unicode string user's full name unicode string logon script unicode string profile path unicode string home directory unicode string home directory drive unicode string num groups group info logon server unicode string logon domain unicode string domain SID other domain SIDs? Note: see cifsrap2.txt section5, page 10. shi1_netname - pointer to net name shi1_type - type of share. 0 - undocumented. shi1_remark - pointer to comment. shi1_netname - unicode string of net name shi1_remark - unicode string of comment. share container with 0 entries: 0 - EntriesRead 0 - Buffer share container with > 0 entries: EntriesRead non-zero - Buffer EntriesRead share entry pointers share entry strings padding to get unicode string 4-byte aligned with start of the SMB header. EntriesRead 0 - padding Note: see cifs6.txt section 6.4 - the fields described therein will be of assistance here. for example, the type listed below is the same as fServerType, which is described in 6.4.1. 0x00000001 All workstations 0x00000002 All servers 0x00000004 Any server running with SQL server 0x00000008 Primary domain controller 0x00000010 Backup domain controller 0x00000020 Server running the timesource service 0x00000040 Apple File Protocol servers 0x00000080 Novell servers 0x00000100 Domain Member 0x00000200 Server sharing print queue 0x00000400 Server running dialin service. 0x00000800 Xenix server 0x00001000 NT server 0x00002000 Server running Windows for 0x00008000 Windows NT non DC server 0x00010000 Server that can run the browser service 0x00020000 Backup browser server 0x00040000 Master browser server 0x00080000 Domain Master Browser server 0x40000000 Enumerate only entries marked "local" 0x80000000 Enumerate Domains. The pszServer and pszDomain parameters must be NULL. 500 - platform_id pointer to name 5 - major version 4 - minor version type (SV_TYPE_... bit field) pointer to comment sv101_name - unicode string of server name sv_101_comment - unicode string of server comment. padding to get unicode string 4-byte aligned with start of the SMB header. For details on the SMB Transact Named Pipe, see cifs6.txt
The MSRPC is conducted over an SMB Transact Pipe with a name of
\PIPE\. You must first obtain a 16 bit file handle, by
sending a SMBopenX with the pipe name \PIPE\srvsvc for
@@ -121,11 +121,11 @@
initial SMBopenX request: RPC API command 0x26 params:
"\\PIPE\\lsarpc" 0x65 0x63; 0x72 0x70; 0x44 0x65;
"\\PIPE\\srvsvc" 0x73 0x76; 0x4E 0x00; 0x5C 0x43;
- [section to be rewritten, following receipt of work by Duncan Stansfield] Interesting note: if you set packed data representation to 0x0100 0000
-then all 4-byte and 2-byte word ordering is turned around! The start of each of the NTLSA and NETLOGON named pipes begins with: reply same as request (0x05) reply same as request (0x00) one of the MSRPC_Type enums reply same as request (0x00 for Bind, 0x03 for Request) reply same as request (0x00000010) the length of the data section of the SMB trans packet call identifier. (e.g. 0x00149594) the remainder of the packet depending on the "type" the interfaces are numbered. as yet I haven't seen more than one interface used on the same pipe name srvsvc [section to be rewritten, following receipt of work by Duncan Stansfield] Interesting note: if you set packed data representation to 0x0100 0000
+then all 4-byte and 2-byte word ordering is turned around! The start of each of the NTLSA and NETLOGON named pipes begins with: reply same as request (0x05) reply same as request (0x00) one of the MSRPC_Type enums reply same as request (0x00 for Bind, 0x03 for Request) reply same as request (0x00000010) the length of the data section of the SMB trans packet call identifier. (e.g. 0x00149594) the remainder of the packet depending on the "type" the interfaces are numbered. as yet I haven't seen more than one interface used on the same pipe name srvsvc the remainder of the packet after the header if "type" was Bind in the response header, "type" should be BindAck maximum transmission fragment size (0x1630) max receive fragment size (0x1630) associated group id (0x0) the number of elements (0x1) presentation context identifier (0x0) the number of syntaxes (has always been 1?)(0x1) 4-byte alignment padding, against SMB header num and vers. of interface client is using num and vers. of interface to use for replies length of the string including null terminator the string above in single byte, null terminated form the response to place after the header in the reply packet same as request same as request zero the address string, as described earlier 4-byte alignment padding, against SMB header the number of results (0x01) 4-byte alignment padding, against SMB header result (0x00 = accept) reason (0x00 = no reason specified) the transfer syntax from the request the remainder of the packet after the header for every other other request the size of the stub data in bytes presentation context identifier (0x0) operation number (0x15) a packet dependent on the pipe name (probably the interface) and the op number) The end of each of the NTLSA and NETLOGON named pipes ends with: end of data return code the remainder of the packet after the header if "type" was Bind in the response header, "type" should be BindAck maximum transmission fragment size (0x1630) max receive fragment size (0x1630) associated group id (0x0) the number of elements (0x1) presentation context identifier (0x0) the number of syntaxes (has always been 1?)(0x1) 4-byte alignment padding, against SMB header num and vers. of interface client is using num and vers. of interface to use for replies length of the string including null terminator the string above in single byte, null terminated form the response to place after the header in the reply packet same as request same as request zero the address string, as described earlier 4-byte alignment padding, against SMB header the number of results (0x01) 4-byte alignment padding, against SMB header result (0x00 = accept) reason (0x00 = no reason specified) the transfer syntax from the request the remainder of the packet after the header for every other other request the size of the stub data in bytes presentation context identifier (0x0) operation number (0x15) a packet dependent on the pipe name (probably the interface) and the op number) The end of each of the NTLSA and NETLOGON named pipes ends with: end of data return code
RPC Binds are the process of associating an RPC pipe (e.g \PIPE\lsarpc)
with a "transfer syntax" (see RPC_Iface structure). The purpose for doing
this is unknown.
@@ -133,7 +133,7 @@
returned by the SMBopenX Transact response. Note: The RPC_ResBind members maxtsize, maxrsize and assocgid are the same in the response as the same members in the RPC_ReqBind. The
RPC_ResBind member transfersyntax is the same in the response as
the Note: The RPC_ResBind response member secondaddr contains the name of what is presumed to be the service behind the RPC pipe. The
- mapping identified so far is: RPC_ResBind response: "\\PIPE\\ntsvcs" "\\PIPE\\lsass" "\\PIPE\\lsass" "\\PIPE\\wksvcs" "\\PIPE\\NETLOGON" Note: The RPC_Packet fraglength member in both the Bind Request and Bind Acknowledgment must contain the length of the entire RPC data, including the RPC_Packet header. Request: Response: The sequence of actions taken on this pipe are: Defines for this pipe, identifying the query are: 0x2c 0x07 0x0d 0xff 0xfe 0xfd 0x00 Note: The policy handle can be anything you like. buffer pointer server name - unicode string starting with two '\'s object attributes 1 - desired access Note: The info class in response must be the same as that in the request. undocumented buffer pointer info class (same as info class in request). RPC_ResBind response: "\\PIPE\\ntsvcs" "\\PIPE\\lsass" "\\PIPE\\lsass" "\\PIPE\\wksvcs" "\\PIPE\\NETLOGON" Note: The RPC_Packet fraglength member in both the Bind Request and Bind Acknowledgment must contain the length of the entire RPC data, including the RPC_Packet header. Request: Response: The sequence of actions taken on this pipe are: Defines for this pipe, identifying the query are: 0x2c 0x07 0x0d 0xff 0xfe 0xfd 0x00 Note: The policy handle can be anything you like. buffer pointer server name - unicode string starting with two '\'s object attributes 1 - desired access Note: The info class in response must be the same as that in the request. Note: num_entries in response must be same as num_entries in request. LSA policy handle num_entries undocumented domain SID buffer pointer undocumented domain name buffer pointer DOM_SID[num_entries] domain SIDs to be looked up. completely undocumented 16 bytes. Note: num_entries in response must be same as num_entries in request. LSA policy handle num_entries num_entries undocumented domain SID buffer pointer undocumented domain name buffer pointer names to be looked up. undocumented bytes - falsely translated SID structure? The sequence of actions taken on this pipe are: Defines for this pipe, identifying the query are 0x04 0x06 0x02 0x03 0x0f 0x0e Note: logon server name starts with two '\' characters and is upper case. Note: logon client is the machine, not the user. Note: the initial LanManager password hash, against which the challenge is issued, is the machine name itself (lower case). there will becalls issued (LSA Server Password Set) which will change this, later. refusing these calls allows you to always deal with the same password (i.e the LM# of the machine name in lower case). undocumented buffer pointer logon server unicode string logon client unicode string client challenge Note: in between request and response, calculate the client credentials, and check them against the client-calculated credentials (this process uses the previously received client credentials). Note: neg_flags in the response is the same as that in the request. Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets. client identification info client-calculated credentials padding to 4-byte align with start of SMB header. neg_flags - negotiated flags (usual value is 0x0000 01ff) Note: the new password is suspected to be a DES encryption using the old password to generate the key. Note: in between request and response, calculate the client credentials, and check them against the client-calculated credentials (this process uses the previously received client credentials). Note: the server credentials are constructed from the client-calculated credentials and the client time + 1 second. Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets. Note: num_entries in response must be same as num_entries in request. LSA policy handle num_entries undocumented domain SID buffer pointer undocumented domain name buffer pointer DOM_SID[num_entries] domain SIDs to be looked up. completely undocumented 16 bytes. Note: num_entries in response must be same as num_entries in request. LSA policy handle num_entries num_entries undocumented domain SID buffer pointer undocumented domain name buffer pointer names to be looked up. undocumented bytes - falsely translated SID structure? The sequence of actions taken on this pipe are: Defines for this pipe, identifying the query are 0x04 0x06 0x02 0x03 0x0f 0x0e Note: logon server name starts with two '\' characters and is upper case. Note: logon client is the machine, not the user. Note: the initial LanManager password hash, against which the challenge is issued, is the machine name itself (lower case). there will becalls issued (LSA Server Password Set) which will change this, later. refusing these calls allows you to always deal with the same password (i.e the LM# of the machine name in lower case). undocumented buffer pointer logon server unicode string logon client unicode string client challenge Note: in between request and response, calculate the client credentials, and check them against the client-calculated credentials (this process uses the previously received client credentials). Note: neg_flags in the response is the same as that in the request. Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets. client identification info client-calculated credentials padding to 4-byte align with start of SMB header. neg_flags - negotiated flags (usual value is 0x0000 01ff) Note: the new password is suspected to be a DES encryption using the old password to generate the key. Note: in between request and response, calculate the client credentials, and check them against the client-calculated credentials (this process uses the previously received client credentials). Note: the server credentials are constructed from the client-calculated credentials and the client time + 1 second. Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets.
Note: valid_user is True iff the username and password hash are valid for
the requested domain.
- undocumented buffer pointer server credentials. server time stamp appears to be ignored.
Note: presumably, the SAM_INFO structure is validated, and a (currently
undocumented) error code returned if the Logoff is invalid.
-
Note: mailslots will contain a response mailslot, to which the response
should be sent. the target NetBIOS name is REQUEST_NAME<20>, where
REQUEST_NAME is the name of the machine that sent the request.
- Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request. 0x0007 - Query for PDC machine name response mailslot padding to 2-byte align with start of mailslot. machine name NTversion LMNTtoken LM20token 0x000A - Respose to Query for PDC machine name (in uppercase) padding to 2-byte align with start of mailslot. machine name domain name NTversion (same as received in request) LMNTtoken (same as received in request) LM20token (same as received in request) Note: machine name in response is preceded by two '\' characters. Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request. Note: user name in the response is presumably the same as that in the request. 0x0012 - SAM Logon request count machine name user name response mailslot alloweable account domain SID size domain SID, of sid_size bytes. ???? padding to 4? 2? -byte align with start of mailslot. NTversion LMNTtoken LM20token Defines for this pipe, identifying the query are: 0x0f 0x15 Note: share level and switch value in the response are presumably the same as those in the request. Note: cifsrap2.txt (section 5) may be of limited assistance here. pointer (to server name?) server name padding to get unicode string 4-byte aligned with the start of the SMB header. share level switch value pointer to SHARE_INFO_1_CTR share info with 0 entries preferred maximum length (0xffff ffff) Intel byte ordered addition of corresponding 4 byte words in arrays A1 and A2 DES ECB encryption of 8 byte data D using 7 byte key K Lan man hash NT hash md4(machine_password) == md4(lsadump $machine.acc) ==
+ Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request. 0x0007 - Query for PDC machine name response mailslot padding to 2-byte align with start of mailslot. machine name NTversion LMNTtoken LM20token 0x000A - Respose to Query for PDC machine name (in uppercase) padding to 2-byte align with start of mailslot. machine name domain name NTversion (same as received in request) LMNTtoken (same as received in request) LM20token (same as received in request) Note: machine name in response is preceded by two '\' characters. Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request. Note: user name in the response is presumably the same as that in the request. 0x0012 - SAM Logon request count machine name user name response mailslot alloweable account domain SID size domain SID, of sid_size bytes. ???? padding to 4? 2? -byte align with start of mailslot. NTversion LMNTtoken LM20token Defines for this pipe, identifying the query are: 0x0f 0x15 Note: share level and switch value in the response are presumably the same as those in the request. Note: cifsrap2.txt (section 5) may be of limited assistance here. pointer (to server name?) server name padding to get unicode string 4-byte aligned with the start of the SMB header. share level switch value pointer to SHARE_INFO_1_CTR share info with 0 entries preferred maximum length (0xffff ffff) Intel byte ordered addition of corresponding 4 byte words in arrays A1 and A2 DES ECB encryption of 8 byte data D using 7 byte key K Lan man hash NT hash md4(machine_password) == md4(lsadump $machine.acc) ==
pwdump(machine$) (initially) == md4(lmowf(unicode(machine)))
- ARC4 encryption of data D of length Ld with key K of length Lk subset of v from bytes m to n, optionally padded with zeroes to length l E(K[7..7,7],E(K[0..6],D)) computes a credential 4 byte current time 8 byte client and server challenges Rc,Rs: 8 byte client and server credentials ARC4 encryption of data D of length Ld with key K of length Lk subset of v from bytes m to n, optionally padded with zeroes to length l E(K[7..7,7],E(K[0..6],D)) computes a credential 4 byte current time 8 byte client and server challenges Rc,Rs: 8 byte client and server credentials
On first joining the domain the session key could be computed by
anyone listening in on the network as the machine password has a well
known value. Until the machine is rebooted it will use this session
@@ -232,15 +232,15 @@
The password OWFs should NOT be sent over the network reversibly
encrypted. They should be sent using ARC4(Ks,md4(owf)) with the server
computing the same function using the owf values in the SAM.
-
SIDs and RIDs are well documented elsewhere.
A SID is an NT Security ID (see DOM_SID structure). They are of the form:
currently, the SID revision is 1.
The Sub-Authorities are known as Relative IDs (RIDs).
- S-1-0-0 S-1-1-0 S-1-2-0 S-1-3-0 S-1-3-1 S-1-3-2 S-1-3-3 S-1-4
+ S-1-0-0 S-1-1-0 S-1-2-0 S-1-3-0 S-1-3-1 S-1-3-2 S-1-3-3 S-1-4
A RID is a sub-authority value, as part of either a SID, or in the case
of Group RIDs, part of the DOM_GID structure, in the USER_INFO_1
structure, in the LSA SAM Logon response.
- Table of Contents Please, please update the version number in
+ Table of Contents Please, please update the version number in
source/include/version.h to include the versioning of your package. This makes it easier to distinguish standard samba builds
from custom-build samba builds (distributions often patch packages). For
example, a good version would be: Samba now has support for building parts of samba as plugins. This
makes it possible to, for example, put ldap or mysql support in a separate
package, thus making it possible to have a normal samba package not
depending on ldap or mysql. To build as much parts of samba
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/parsing.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/parsing.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/parsing.html 2005-02-03 21:54:19.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/parsing.html 2005-03-17 15:17:28.000000000 -0600
@@ -1,4 +1,4 @@
- Table of Contents
+ Table of Contents
Basically, the file is processed on a line by line basis. There are
four types of lines that are recognized by the lexical analyzer
(params.c):
@@ -25,7 +25,7 @@
These are the only tokens passed to the parameter loader
(loadparm.c). Parameter names and values are divided from one
another by an equal sign: '='.
-
+
Whitespace is defined as all characters recognized by the isspace()
function (see ctype(3C)) except for the newline character ('\n')
The newline is excluded because it identifies the end of the line.
@@ -40,7 +40,7 @@
are removed.
Leading and trailing whitespace is removed from names and values.
-
Long section header and parameter lines may be extended across
multiple lines by use of the backslash character ('\\'). Line
continuation is ignored for blank and comment lines.
@@ -63,7 +63,7 @@
Line continuation characters are ignored on blank lines and at the end
of comments. They are *only* recognized within section and parameter
lines.
- The syntax of the smb.conf file is as follows:
The parsing of the config file is a bit unusual if you are used to
lex, yacc, bison, etc. Both lexical analysis (scanning) and parsing
are performed by params.c. Values are loaded via callbacks to
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/pr01.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/pr01.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/pr01.html 2005-02-03 21:54:14.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/pr01.html 2005-03-17 15:17:25.000000000 -0600
@@ -1,4 +1,4 @@
- Definition of NetBIOS Protocol and Name Resolution Modes
+ Definition of NetBIOS Protocol and Name Resolution Modes
Luke Leighton
Andrew Tridgell
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/printing.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/printing.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/printing.html 2005-02-03 21:54:20.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/printing.html 2005-03-17 15:17:29.000000000 -0600
@@ -1,16 +1,16 @@
- Table of Contents Table of Contents
The purpose of this document is to provide some insight into
Samba's printing functionality and also to describe the semantics
of certain features of Windows client printing.
-
Samba uses a table of function pointers to seven functions. The
@@ -21,7 +21,7 @@
defined.
a generic set of functions for working with standard UNIX
printing subsystems a set of CUPS specific functions (this is only enabled if
- the CUPS libraries were located at compile time).
Samba provides periodic caching of the output from the "lpq command"
@@ -110,11 +110,11 @@
Only non-default Device Mode are stored with print jobs in the print
queue TDB. Otherwise, the Device Mode is obtained from the printer
object when the client issues a GetJob(level == 2) request.
-
When working with Windows NT+ clients, it is possible for a
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/pt01.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/pt01.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/pt01.html 2005-02-03 21:54:17.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/pt01.html 2005-03-17 15:17:27.000000000 -0600
@@ -1 +1 @@
- Table of Contents Table of Contents Table of Contents Table of Contents Table of Contents Table of Contents Table of Contents 19 Apr 1999 Table of Contents With the development of LanManager and Windows NT
compatible password encryption for Samba, it is now able
to validate user connections in exactly the same way as
a LanManager or Windows NT server. This document describes how the SMB password encryption
algorithm works and what issues there are in choosing whether
you want to use it. You should read it carefully, especially
- the part about security and the "PROS and CONS" section. LanManager encryption is somewhat similar to UNIX
+ the part about security and the "PROS and CONS" section. LanManager encryption is somewhat similar to UNIX
password encryption. The server uses a file containing a
hashed value of a user's password. This is created by taking
the user's plaintext password, capitalising it, and either
@@ -43,7 +43,7 @@
know the correct password and is denied access. Note that the Samba server never knows or stores the cleartext
of the user's password - just the 16 byte hashed values derived from
it. Also note that the cleartext password or 16 byte hashed values
- are never transmitted over the network - thus increasing security. In order for Samba to participate in the above protocol
+ are never transmitted over the network - thus increasing security. In order for Samba to participate in the above protocol
it must be able to look up the 16 byte hashed values given a user name.
Unfortunately, as the UNIX password value is also a one way hash
function (ie. it is impossible to retrieve the cleartext of the user's
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/registry.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/registry.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/registry.html 2005-02-03 21:54:19.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/registry.html 2005-03-17 15:17:28.000000000 -0600
@@ -1,6 +1,6 @@
- Table of Contents
+ Table of Contents
The new registry subsystem will work with several different backends:
- NT4 (NT4 registry files) TDB (Samba TDB files) RPC (Remote Registry over RPC, reg pipe) wine (Wine Registry Files) gconf (The GNOME configuration backend)
+ NT4 (NT4 registry files) TDB (Samba TDB files) RPC (Remote Registry over RPC, reg pipe) wine (Wine Registry Files) gconf (The GNOME configuration backend)
The following structure describes a registry key:
The following helper functions are available: There are basically two ways of reading data from the registry: loading
it all into memory and then working in this copy in memory, or
re-reading/re-opening it every time necessary. This interface aims to support both types. A registry backend should provide the following functions: open_key_abs() is optional. If it's NULL, the frontend will
provide a replacement, using open_key_rel(). get_values() and get_value() are optional. They're only called if
the values field of the REG_KEY struct is NULL. get_subkeys() and get_key() are optional. THey're only called
- if the subkeys field of the REG_KEY struct is NULL. Okay, so who's responsible for what parts of the memory? The memory is basically maintained by the backends. When the user
+ if the subkeys field of the REG_KEY struct is NULL. Okay, so who's responsible for what parts of the memory? The memory is basically maintained by the backends. When the user
is finished using a particular structure, it should call the related free
function for the structure it's freeing. The backend should then decide what to do with the structure. It may
choose to free it, or, if it's maintaining single copies of everything in
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/rpc-plugin.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/rpc-plugin.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/rpc-plugin.html 2005-02-03 21:54:19.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/rpc-plugin.html 2005-03-17 15:17:28.000000000 -0600
@@ -1,10 +1,10 @@
- Table of Contents
+ Table of Contents
This document describes how to make use the new RPC Pluggable Modules features
of Samba 3.0. This architecture was added to increase the maintainability of
Samba allowing RPC Pipes to be worked on separately from the main CVS branch.
The RPM architecture will also allow third-party vendors to add functionality
to Samba through plug-ins.
-
When an RPC call is sent to smbd, smbd tries to load a shared library by the
name librpc_<pipename>.so to handle the call if
it doesn't know how to handle the call internally. For instance, LSA calls
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/unix-smb.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/unix-smb.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/unix-smb.html 2005-02-03 21:54:15.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/unix-smb.html 2005-03-17 15:17:25.000000000 -0600
@@ -1,4 +1,4 @@
- Table of Contents
+ Table of Contents
This is a short document that describes some of the issues that
confront a SMB implementation on unix, and how Samba copes with
them. They may help people who are looking at unix<->PC
@@ -6,7 +6,7 @@
It was written to help out a person who was writing a paper on unix to
PC connectivity.
-
The SMB protocol has only a loose username concept. Early SMB
protocols (such as CORE and COREPLUS) have no username concept at
all. Even in later protocols clients often attempt operations
@@ -43,7 +43,7 @@
service%user syntax, the saving of session setup usernames for later
validation and the derivation of the username from the service name
(either directly or via the user= option).
-
The commonly used SMB protocols have no way of saying "you can't do
that because you don't own the file". They have, in fact, no concept
of file ownership at all.
@@ -61,7 +61,7 @@
There are several possible solutions to this problem, including
username mapping, and forcing a specific username for particular
shares.
-
Many SMB clients uppercase passwords before sending them. I have no
idea why they do this. Interestingly WfWg uppercases the password only
if the server is running a protocol greater than COREPLUS, so
@@ -83,7 +83,7 @@
smbpasswd file containing these password hashes is only readable
by the root user. See the documentation ENCRYPTION.txt for more
details.
-
Since samba 2.2, samba supports other types of locking as well. This
section is outdated.
@@ -114,7 +114,7 @@
the same file, at which time the client will say if it is willing to
give up its lock. Unix has no simple way of implementing
opportunistic locking, and currently Samba has no support for it.
-
When a SMB client opens a file it asks for a particular "deny mode" to
be placed on the file. These modes (DENY_NONE, DENY_READ, DENY_WRITE,
DENY_ALL, DENY_FCB and DENY_DOS) specify what actions should be
@@ -128,7 +128,7 @@
is clumsy and consumes processing and file resources,
the shared memory implementation is vastly prefered and is turned on
by default for those systems that support it.
-
A SMB session can run with several uids on the one socket. This
happens when a user connects to two shares with different
usernames. To cope with this the unix server needs to switch uids
@@ -138,7 +138,7 @@
Note that you can also get the "trapdoor uid" message for other
reasons. Please see the FAQ for details.
-
There is a convention that clients on sockets use high "unprivileged"
port numbers (>1000) and connect to servers on low "privilegedg" port
numbers. This is enforced in Unix as non-root users can't open a
@@ -161,7 +161,7 @@
back, but it goes to port 137 which the unix user can't listen
on. Interestingly WinNT3.1 got this right - it sends node status
responses back to the source port in the request.
-
There are many "protocol levels" in the SMB protocol. It seems that
each time new functionality was added to a Microsoft operating system,
they added the equivalent functions in a new protocol level of the SMB
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/vfs.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/vfs.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/vfs.html 2005-02-03 21:54:19.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/vfs.html 2005-03-17 15:17:28.000000000 -0600
@@ -1,4 +1,4 @@
- Table of Contents
+ Table of Contents
Each VFS operation has a vfs_op_type, a function pointer and a handle pointer in the
struct vfs_ops and tree macros to make it easier to call the operations.
(Take a look at include/vfs.h and include/vfs_macros.h.)
@@ -94,7 +94,7 @@
(tofd), (fsp), (fromfd), (header), (offset), (count)))
...
-
These values are used by the VFS subsystem when building the conn->vfs
and conn->vfs_opaque structs for a connection with multiple VFS modules.
Internally, Samba differentiates only opaque and transparent layers at this process.
@@ -123,7 +123,7 @@
SMB_VFS_LAYER_SCANNER /* - Checks data and possibly initiates additional */
/* file activity like logging to files _inside_ samba VFS */
} vfs_op_layer;
-
As each Samba module a VFS module should have a
function if it's staticly linked to samba or
function if it's a shared module.
@@ -163,7 +163,7 @@
{
return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "example", example_op_tuples);
}
- Each VFS function has as first parameter a pointer to the modules vfs_handle_struct.
+ Each VFS function has as first parameter a pointer to the modules vfs_handle_struct.
Add "vfs_handle_struct *handle, " as first parameter to all vfs operation functions.
e.g. example_connect(connection_struct *conn, const char *service, const char *user);
-> example_connect(vfs_handle_struct *handle, connection_struct *conn, const char *service, const char *user);
@@ -527,7 +527,7 @@
Compiling & Testing...
-
Avoid writing functions like this:
Overload only the functions you really need to!
-
If you want to just implement a better version of a
default samba opaque function
(e.g. like a disk_free() function for a special filesystem)
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/windows-debug.html samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/windows-debug.html
--- samba-3.0.11/docs/htmldocs/Samba-Developers-Guide/windows-debug.html 2005-02-03 21:54:19.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Developers-Guide/windows-debug.html 2005-03-17 15:17:29.000000000 -0600
@@ -1 +1 @@
- Table of Contents Table of Contents Table of Contents
+ Table of Contents
The current Samba codebase possesses the capability to use groups of WINS
servers that share a common namespace for NetBIOS name registration and
resolution. The formal parameter syntax is
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Guide/2000users.html samba-3.0.12/docs/htmldocs/Samba-Guide/2000users.html
--- samba-3.0.11/docs/htmldocs/Samba-Guide/2000users.html 2005-02-03 21:54:47.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Guide/2000users.html 2005-03-17 15:18:00.000000000 -0600
@@ -1,4 +1,4 @@
- Table of Contents There is something indeed mystical about things that are
+ Table of Contents There is something indeed mystical about things that are
big. Large networks exhibit a certain magnetism and exude a sense of
importance that obscures reality. You and I know that it is no more
difficult to secure a large network than it is a small one. We all
@@ -22,7 +22,7 @@
implementing a DNS or a DHCP server are under control. Even the basics of
Samba are largely under control. So in this section you focus on the
specifics of implementing LDAP changes, Samba changes, and approach and
- design of the solution and its deployment.
+ design of the solution and its deployment.
Abmas is a miracle company. Most businesses would have collapsed under
the weight of rapid expansion that this company has experienced. Samba
is flexible, so there is no need to reinstall the whole operating
@@ -30,16 +30,16 @@
you can keep an old server running right up to the moment of cut-over
and then do a near-live conversion. There is no need to reinstall a
Samba server just to change the way your network should function.
-
Network growth is common to all organizations. In this exercise,
your preoccupation is with the mechanics of implementing Samba and
LDAP so that network users on each network segment can work
- without impediment.
+ without impediment.
Starting with the configuration files for the server called
MASSIVE in Chapter 6, you now deal with the
issues that are particular to large distributed networks. Your task
is simple identify the challenges, consider the
- alternatives, and then design and implement a solution.
+ alternatives, and then design and implement a solution.
Remember, you have users based in London (UK), Los Angeles,
Washington DC, and three buildings in New York. A significant portion
of your workforce have notebook computers and roam all over the
@@ -53,12 +53,12 @@
and Help desk in New York, plus one floater for
Washington DC. You have outsourced all desktop deployment and management to
DirectPointe,Inc. Your concern is server maintenance and third-level
- support. Build a plan and show what must be done.
In the previous chapter, you implemented an LDAP server that provided the
passdb backend for the Samba servers. You
explored ways to accelerate Windows desktop profile handling and you
took control of network performance.
-
The implementation of an LDAP-based passdb backend (known as
ldapsam in Samba parlance), or some form of database
that can be distributed, is essential to permit the deployment of Samba
@@ -69,34 +69,34 @@
using a tool such as rsync, but
smbpasswd suffers the drawback that it does not
support the range of account facilities demanded by modern network
- managers.
The new tdbsam facility supports functionality
that is similar to an ldapsam, but the lack of
distributed infrastructure sorely limits the scope for its
deployment. This does raise the following questions: "Why can't I just use
an XML based backend, or for that matter, why not use an SQL based
backend?" "Is support for these tools broken?" No. Answers to these
- questions require a bit of background.
+ questions require a bit of background.
What is a directory? A directory is a
collection of information regarding objects that can be accessed to
rapidly find information that is relevant in a particular and
consistent manner. A directory differs from a database in that it is
generally more often searched (read) than updated. As a consequence, the
information is organized to facilitate read access rather than to
- support transaction processing.
+ support transaction processing.
The Lightweight Directory Access Protocol (LDAP) differs
considerably from a traditional database. It has a simple search
facility that uniquely makes a highly preferred mechanism for managing
user identities. LDAP provides a scalable mechanism for distributing
the data repository and for keeping all copies (slaves) in sync with
- the master repository.
Samba is a flexible and powerful file and print sharing
technology. It can use many external authentication sources and can be
part of a total authentication and identity management
infrastructure. The two most important external sources for large sites
are Microsoft Active Directory and LDAP. Sites that specifically wish to
avoid the proprietary implications of Microsoft Active Directory
- naturally gravitate toward OpenLDAP.
+ naturally gravitate toward OpenLDAP.
In Chapter 6, you had to deal with a locally routed
network. All deployment concerns focused around making users happy,
and that simply means taking control over all network practices and
@@ -107,10 +107,10 @@
between offices. You must take into account the way users need to
access information globally. And you must make the network robust
enough so that it can sustain partial breakdown without causing loss of
- productivity. There are at least three areas that need to be addressed as you
+ productivity. There are at least three areas that need to be addressed as you
approach the challenge of designing a network solution for the newly
- expanded business. These are: Let's look at each in turn. The new company has three divisions. Staff for each division
+ expanded business. These are: Let's look at each in turn. The new company has three divisions. Staff for each division
are spread across the company. Some staff are office-bound and
some are mobile users. Mobile users travel globally. Some spend
considerable periods working in other offices. Everyone wants to be
@@ -118,7 +118,7 @@
even dial-up connectivity is poor, while in other regions political
encumbrances severely curtail user needs. Parts of the global
Internet infrastructure remain shielded-off for reasons outside
- the scope of this discussion.
+ the scope of this discussion.
Decisions must be made regarding where data is to be stored, how
it will be replicated (if at all), and what the network bandwidth
implications are. For example, one decision that can be made is
@@ -128,7 +128,7 @@
synchronization tool could be rsync, run via a
cron job. Mobile users may use off-line file storage under Windows
XP Professional. This way, they can synchronize all files that have
- changed since each logon to the network.
+ changed since each logon to the network.
No matter which way you look at this, the bandwidth requirements
for acceptable performance are substantial even if only 10 percent of
staff are global data users. A company with 3500 employees
@@ -139,10 +139,10 @@
mobile users. At that time, the average roaming profile took 480
Kbytes, while today the minimum Windows XP Professional roaming
profile involves a transfer of over 750 Kbytes from the profile
- server to/from the client.
Obviously then, user needs and wide-area practicalities
dictate the economic and technical aspects of your network
- design as well as for standard operating procedures.
Network logons that include roaming profile handling requires
from 140 Kbytes to 2 Mbytes. The inclusion of support for a minimal
set of common desktop applications can push the size of a complete
@@ -150,7 +150,7 @@
as location of user profiles is concerned. Additionally, it is a
significant factor in determining the nature and style of mandatory
profiles that may be enforced as part of a total service level
- assurance program that might be implemented.
+ assurance program that might be implemented.
One way to reduce the network bandwidth impact of user logon
traffic is through folder redirection. In Chapter 6, you
implemented this in the new Windows XP Professional standard
@@ -158,21 +158,21 @@
Documents are redirected to a network drive, they should
also be excluded from synchronization to/from the server on
logon/out. Redirected folders are analogous to network drive
- connections.
Of course, network applications should only be run off
local application servers. As a general rule, even with 2 Mbit/sec
network bandwidth, it would not make sense at all for someone who
is working out of the London office to run applications off a
- server that is located in New York.
+ server that is located in New York.
When network bandwidth becomes a precious commodity (that is most
of the time), there is a significant demand to understand network
processes and to mould the limits of acceptability around the
constraints of affordability. When a Windows NT4/200x/XP Professional client user logs onto
- the network, several important things must happen.
+ the network, several important things must happen.
The client obtains an IP address via DHCP. (DHCP is
- necessary so that users can roam between offices.)
The client must register itself with the WINS and/or DNS
- server. The client must log onto a Domain Controller and obtain as
part of that process the location of the user's profile, load
it, connect to redirected folders, and establish all network
@@ -183,15 +183,15 @@
the logon protocols and principles of operation are
concerned. The following information pertains exclusively to the
interaction between a Windows XP Professional workstation and a
- Samba-3.0.2 server. In the discussion that follows, use is made of
+ Samba-3.0.12 server. In the discussion that follows, use is made of
DHCP and WINS. As soon as the Windows workstation starts up, it obtains an
IP address. This is immediately followed by registration of its
name both by broadcast and Unicast registration that is directed
- at the WINS server.
Given that the client is already a Domain Member, it then sends
a directed (Unicast) request to the WINS server seeking the list of
IP addresses for domain controllers (NetBIOS name type 0x1C). The
- WINS server replies with the information requested.
+ WINS server replies with the information requested.
The client sends two netlogon mailslot broadcast requests
to the local network and to each of the IP addresses returned by
the WINS server. Whichever answers this request first appears to
@@ -199,7 +199,7 @@
process the network logon. The mailslot messages use UDP broadcast
to the local network and UDP Unicast directed at each machine that
was listed in the WINS server response to a request for the list of
- Domain Controllers.
The logon process begins with negotiation of the SMB/CIFS
protocols that are to be used; this is followed by an exchange of
information that ultimately includes the client sending the
@@ -208,7 +208,7 @@
connection, but that is a good point to halt for now. The priority
here must center around identification of network infrastructure
needs. A secondary fact we need to know is, what happens when
- local Domain Controllers fail or break?
+ local Domain Controllers fail or break?
Under most circumstances, the nearest Domain Controller
responds to the netlogon mailslot broadcast. The exception to this
norm occurs when the nearest Domain Controller is too busy or is out
@@ -216,19 +216,19 @@
important that every network segment should have at least two
Domain Controllers. Since there can be only one Primary Domain
Controller (PDC), all additional Domain Controllers are by definition
- Backup Domain Controllers (BDCs).
+ Backup Domain Controllers (BDCs).
The provision of sufficient servers that are BDCs is an
important design factor. The second important design factor
involves how each of the BDCs obtains user authentication
data. That is the subject of the next section as it involves key
- decisions regarding Identity Management facilities.
Network managers recognize that in large organizations users
generally need to be given resource access based on needs, while
being excluded from other resources for reasons of privacy. It is,
therefore, essential that all users identify themselves at the
point of network access. The network logon is the principal means
by which user credentials are validated and filtered, and appropriate
- rights and privileges are allocated.
+ rights and privileges are allocated.
Unfortunately, network resources tend to have their own Identity
Management facilities, the quality and manageability of which varies
from quite poor to exceptionally good. Corporations that use a mixture
@@ -238,7 +238,7 @@
was originally called Yellow Pages, and was renamed
when a telephone company objected to the use of its trademark.
What was once called Yellow Pages is today known
- as Network Information System (NIS).
+ as Network Information System (NIS).
NIS gained a strong following throughout the UNIX/VMS space in a
short period of time and retained that appeal and use
for over a decade. Security concerns as well as inherent limitations
@@ -247,17 +247,17 @@
adopted. Sun updated this to a more secure implementation called
NIS+, but even it has fallen victim to changing demands as the
demand for directory services that can be coupled with other
- information systems is catching on.
+ information systems is catching on.
Nevertheless, both NIS and NIS+ continue to hold ground in
business areas where UNIX still has major sway. Examples of
organizations that remain firmly attached to the use of NIS and
NIS+ includes large government departments, education institutions,
as well as large corporations that have a scientific or engineering
- focus.
Today's networking world needs a scalable, distributed Identity
Management infrastructure, commonly called a directory. The most
popular technologies today are Microsoft Active Directory service
- and a number of LDAP implementations.
+ and a number of LDAP implementations.
The problem of managing multiple directories has become a focal
point over the past decade. This has created a large market for
meta-directory products and services that allow organizations that
@@ -265,19 +265,19 @@
centers to provision information from one directory into
another. The attendant benefit to end users is the promise of
having to remember and deal with fewer login identities and
- passwords.
The challenge of every large network is to find the optimum
balance of internal systems and facilities for Identity
Management resources. How well the solution is chosen and
implemented has potentially significant impact on network bandwidth
- and systems response needs.
In Chapter 6, you implemented a single LDAP server for the
entire network. This may work for smaller networks, but almost
certainly fails to meet the needs of large and complex networks. The
following section documents how one may implement a single
master LDAP server, with multiple slave servers. What is the best method for implementing master/slave LDAP
servers within the context of a distributed 2000 user network is a
- question that remains to be answered.
+ question that remains to be answered.
One possibility that has great appeal is to create one single
large distributed domain. The practical implications of this
design (see ???) demands the placement of
@@ -286,7 +286,7 @@
over the wide-area links, except as a totally unavoidable
measure. Network design must balance the risk of loss of user
productivity against the cost of network management and
- maintenance.
The network design in ??? takes the
approach that management of networks that are too remote to be
capable of being managed effectively from New York ought
@@ -296,15 +296,15 @@
and can be independently managed and controlled. One of the key
drawbacks of this design is that it flies in the face of the
ability for network users to roam globally without some compromise
- in how they may access global resources.
+ in how they may access global resources.
Desk-bound users need not be negatively affected by this
design, since the use of interdomain trusts can be used to satisfy
- the need for global data sharing.
+ the need for global data sharing.
When Samba-3 is configured to use an LDAP backend, it stores the domain
account information in a directory entry. This account entry contains
the domain SID. An unintended but exploitable side effect is that
this makes it possible to operate with more than one PDC on a
- distributed network.
How might this peculiar feature be exploited? The answer is
simple. It is imperative that each network segment should have its
own WINS server. Major servers on remote network segments can be
@@ -314,7 +314,7 @@
as if it is an independent domain, while all sharing the same
domain SID. Since all domain account information can be stored in a
single LDAP backend, users have unfettered ability to
- roam.
This concept has not been exhaustively validated, though we can
see no reason why this should not work. The important facets
are: The name of the domain must be identical in all
@@ -325,7 +325,7 @@
primary name. A single master LDAP server can be based in New York,
with multiple LDAP slave servers located on every network
segment. Finally, the BDCs should each use fail-over LDAP servers
- that are in fact slave LDAP servers on the local segments.
+ that are in fact slave LDAP servers on the local segments.
With a single master LDAP server, all network updates are
effected on a single server. In the event that this should become
excessively fragile or network bandwidth limiting, one could
@@ -337,25 +337,25 @@
referential traffic. It should be noted that all directory
administrators must of necessity follow the same standard
procedures for managing the directory, as retroactive correction of
- inconsistent directory information can be exceedingly difficult. As organizations grow, the number of points of control increase
also. In a large distributed organization, it is important that the
Identity Management system must be capable of being updated from
many locations, and it is equally important that changes made should
become capable of being used in a reasonable period, typically
minutes rather than days (the old limitation of highly manual
- systems).
Samba-3 has the ability to use multiple password (authentication
and identity resolution) backends. The diagram in ??? demonstrates how Samba uses winbind, LDAP,
and NIS, the traditional system password database. The diagram only
documents the mechanisms for authentication and identity resolution
(obtaining a UNIX UID/GID) using the specific systems shown.
-
Samba is capable of using the smbpasswd,
tdbsam, xmlsam,
and mysqlsam authentication databases. The SMB
passwords can, of course, also be stored in an LDAP ldapsam
backend. LDAP is the preferred passdb backend for distributed network
- operations.
Additionally, it is possible to use multiple passdb backends
concurrently as well as have multiple LDAP backends. As a result, one
can specify a fail-over LDAP backend. The syntax for specifying a
@@ -367,8 +367,8 @@
This configuration tells Samba to use a single LDAP server as shown in
???.
-
+
The addition of a fail-over LDAP server can simply be done by adding a
second entry for the fail-over server to the single
ldapsam entry as shown here (note the particular
@@ -381,7 +381,7 @@
This configuration tells Samba to use a master LDAP server, with fail-over to a slave server if necessary,
as shown in ???.
-
+
Some folks have tried to implement this without the use of
double quotes as shown above. This is the type of entry they had
created:
@@ -391,7 +391,7 @@
ldapsam:ldap://slave.abmas.biz
...
-
+
The effect of this style of entry is that Samba lists the users
that are in both LDAP databases. If both contain the same information,
it results in each record being shown twice. This is, of course, not the
@@ -411,7 +411,7 @@
It is assumed that the network you are working with follows in a
pattern similar to what has been covered in Chapter 6. The following steps
permit the operation of a Master/Slave OpenLDAP arrangement.
-
+
Log onto the master LDAP server as root.
You are about to change the configuration of the LDAP server, so it
makes sense to temporarily halt it. Stop OpenLDAP from running on
@@ -423,7 +423,7 @@
-
Edit the /etc/openldap/slapd.conf file so it
matches the content of ???.
@@ -447,7 +447,7 @@
-
Change directory to a suitable place to dump the contents of the
LDAP server. The dump file (and LDIF file) is used to preload
the Slave LDAP server database. You can dump the database by executing:
@@ -455,7 +455,7 @@
root# slapcat -v -l LDAP-transfer-LDIF.txt
Each record is written to the file.
-
Copy the file LDAP-transfer-LDIF.txt to the intended
slave LDAP server. A good location could be in the directory
/etc/openldap/preload.
@@ -505,7 +505,7 @@
root# service ldap start
root# chkconfig ldap on
Go back to the master LDAP server. Execute the following to start LDAP as well
as slurpd, the synchronization daemon, as shown here:
@@ -515,9 +515,9 @@
root# rcslurpd start
root# chkconfig slurpd on
-
+
On Red Hat Linux, check the equivalent command to start slurpd.
-
On the master ldap server you may now add an account to validate that replication
is working. Assuming the configuration shown in Chapter 6, execute:
Example 7.3. Primary Domain Controller smb.conf File Part A
+
Where Samba-3 is used as a Domain Controller, the use of LDAP is an
essential component necessary to permit the use of BDCs.
-
Replication of the LDAP master server to create a network of BDCs
is an important mechanism for limiting wide-area network traffic.
@@ -936,40 +936,40 @@
Roaming profiles must be contained to the local network segment. Any
departure from this may clog wide-area arteries and slow legitimate network
traffic to a crawl.
-
There is much rumor and misinformation regarding the use of MS Windows networking protocols.
These questions are just a few of those frequently asked.
-
Is it true that DHCP uses lots of wide-area network bandwidth?
-
It is a smart practice to localize DHCP servers on each network segment. As a
rule, there should be two DHCP servers per network segment. This means that if
one server fails, there is always another to service user needs. DHCP requests use
only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network
routers. This makes it possible to run fewer DHCP servers.
-
A DHCP network address request and confirmation usually results in about six UDP packets.
The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP
clients and that uses a 24-hour IP address lease. This means that all clients renew
@@ -986,21 +986,21 @@
x 512 (bytes/packet) = 0.9 Mbytes/day.
From this can be seen that the traffic impact would be minimal.
-
Even when DHCP is configured to do DNS update (Dynamic DNS) over a wide-area link,
the impact of the update is no more than the DHCP IP address renewal traffic and, thus,
still insignificant for most practical purposes.
-
How much background communication takes place between a Master LDAP
server and its slave LDAP servers?
-
The process that controls the replication of data from the Master LDAP server to the Slave LDAP
servers is called slurpd. The slurpd remains nascent (quiet)
until an update must be propagated. The propagation traffic per LDAP salve to update (add/modify/delete)
two user accounts requires less than 10Kbytes traffic.
-
+
LDAP has a database. Is LDAP not just a fancy database front end?
-
LDAP does store its data in a database of sorts. In fact the LDAP backend is an application-specific
data storage system. This type of database is indexed so that records can be rapidly located, but the
database is not generic and can be used only in particular pre-programmed ways. General external
@@ -1009,41 +1009,41 @@
orientation and typically allows external programs to perform ad-hoc queries, even across data tables.
An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific
simple queries. The term database is heavily overloaded and, thus, much misunderstood.
-
Can Active Directory obtain account information from an OpenLDAP server?
-
No, at least not directly. It is possible to provision Active Directory from/to an OpenLDAP
database through use of a meta-directory server. Microsoft MMS (now called MIIS) can interface
to OpenLDAP using standard LDAP queries/updates.
-
+
What are the parts of a roaming profile? How large is each part?
-
A roaming profile consists of:
Desktop folders such as: Desktop, My Documents, My Pictures, My Music, Internet Files,
Cookies, Application Data, Local Settings, and more. See ???.
-
Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
such folders can be redirected to network drive resources. See ???
for more information regarding folder redirection.
A static or re-writable portion that is typically only a few files (2-5 Kbytes of information).
-
The registry load file that modifies the HKEY_LOCAL_USER hive. This is
the NTUSER.DAT file. It can be from 0.4-1.5 MBytes.
-
Microsoft Outlook PST files may be stored in the Local Settings\Application Data
folder. It can be up to 2 Gbytes in size per PST file.
-
+
Can the My Documents folder be stored on a network drive?
-
Yes. More correctly, such folders can be redirected to network shares. No specific network drive
connection is required. Registry settings permit this to be redirected directly to a UNC (Universal
Naming Convention) resource, though it is possible to specify a network drive letter instead of a
UNC name. See ???.
-
MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache.
This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS
server, the total bandwidth demand measured at the WINS server, averaged over an eight-hour working day,
@@ -1055,7 +1055,7 @@
In conclusion, the total load afforded through WINS traffic is again marginal to total operational
usage as it should be.
-
+
How many BDCs should I have? What is the right number of Windows clients per server?
It is recommended to have at least one BDC per network segment, including the segment served
@@ -1069,18 +1069,18 @@
As unsatisfactory as the answer might sound, it all depends on network and server load
characteristics.
-
I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
run an NIS server?
The correct answer to both questions is yes. But do understand that an LDAP server has
a configurable schema that can store far more information for many more purposes than
just NIS.
-
+
Can I use NIS in place of LDAP?
-
No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal
with the types of data necessary for interoperability with Microsoft Windows networking. The use
of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also
a Samba-specific schema extension.
- Table of Contents Table of Contents
Information presented here is considered to be either basic or well-known material that is informative
yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
the process for joining a Windows client to a Samba-controlled Windows Domain may somehow involve steps
different from doing so with Windows NT4 or a Windows ADS Domain. Be assured that the steps are identical,
as shown in the example given below.
-
Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
This section steps through the process for making a Windows 200x/XP Professional machine a
member of a Domain Security environment. It should be noted that this process is identical
@@ -46,27 +46,27 @@
The “Welcome to the MIDEARTH domain” dialog box should appear. At this point, the machine must be rebooted.
Joining the domain is now complete.
-
The screen capture shown in ??? has a button labeled . This button opens a
panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
of Microsoft Active Directory. Active Directory is heavily oriented around the DNS name space.
-
Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
to find the services (like which machines are Domain Controllers or which machines have the Netlogon service running).
-
The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
this does not affect Domain Membership, but it can break network browsing and the ability to resolve your computer name to
a valid IP address.
The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
Where the client is a member of a Samba Domain, it is preferable to leave this field blank.
-
According to Microsoft documentation, “If this computer belongs to a group with Group Policy
enabled on Primary DNS suffice of this computer, the string specified in the Group Policy is used
as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
used only if Group Policy is disabled or unspecified.”
-
One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team
build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is
in the /usr/local/samba directory. This is a perfectly reasonable location, particularly given all the other
@@ -74,7 +74,7 @@
Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team
default.
-
Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy
System (FHS), have elected to locate the configuration files under the /etc/samba directory, common binary
files (those used by users) in the /usr/bin directory, and the administrative files (daemons) in the
@@ -83,13 +83,13 @@
/usr/share/swat. There are additional support files for smbd in the
/usr/lib/samba directory tree. The files located there include the dynamically loadable modules for the
passdb backend as well as for the VFS modules.
-
Samba creates run-time control files and generates log files. The run-time control files (tdb and dat files) are stored in
the /var/lib/samba directory. Log files are created in /var/log/samba.
When Samba is built and installed using the default Samba Team process, all files are located under the
/usr/local/samba directory tree. This makes it simple to find the files that Samba owns.
-
One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location
of all files called smbd. Here is an example:
Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by
- executing:
+ executing:
+samba3-pdb-3.0.12-1
+samba3-vscan-0.3.5-0
+samba3-winbind-3.0.12-1
+samba3-3.0.12-1
+samba3-python-3.0.12-1
+samba3-utils-3.0.12-1
+samba3-doc-3.0.12-1
+samba3-client-3.0.12-1
+samba3-cifsmount-3.0.12-1
+
The package names, of course, vary according to how the vendor, or the binary package builder, prepared them.
-
Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba, there
are three daemons, two of which are needed as a minimum.
@@ -177,19 +177,19 @@
fi
exit 0
-
-
+
+
This daemon handles all name registration and resolution requests. It is the primary vehicle involved
in network browsing. It handles all UDP-based protocols. The nmbd daemon should
be the first command started as part of the Samba startup process.
-
-
+
+
This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
manages local authentication. It should be started immediately following the startup of nmbd.
-
-
+
+
This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. IT is also needed when
Samba has trust relationships with another Domain. The winbindd daemon will check the
smb.conf file for the presence of the idmap uid and idmap gid
@@ -243,22 +243,22 @@
echo "Usage: smb {start|stop|restart|status}"
exit 1
esac
-
SUSE Linux implements individual control over each Samba daemon. A samba control script that can be conveniently
executed from the command line is shown in ???. This can be located in the directory
/sbin in a file called samba. This type of control script should be
owned by user root and group root, and set so that only root can execute it.
-
A sample startup script for a Red Hat Linux system is shown in ???.
This file could be located in the directory /etc/rc.d and can be called
samba. A similar startup script is required to control winbind.
If you want to find more information regarding startup scripts please refer to the packaging section of
the Samba source code distribution tarball. The packaging files for each platform include a
startup control file.
-
The following files are common to all DNS server configurations. Rather than repeat them multiple times, they
are presented here for general reference.
-
+
The forward zone file for the loopback address never changes. An example file is shown
in ???. All traffic destined for an IP address that is hosted on a
physical interface on the machine itself is routed to the loopback adaptor. This is
@@ -275,7 +275,7 @@
IN NS @
IN A 127.0.0.1
-
The reverse zone file for the loopback address as shown in ???
is necessary so that references to the address 127.0.0.1 can be
resolved to the correct name of the interface.
@@ -335,15 +335,15 @@
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
-
The content of the root hints file as shown in ??? changes slowly over time.
Periodically this file should be updated from the source shown. Because
of its size this file is located at the end of this appendix.
-
The following procedure may be used as an alternative means of configuring
the initial LDAP database. Many administrators prefer to have greater control
over how system files get configured.
-
The first step to get the LDAP server ready for action is to create the LDIF file from
which the LDAP database will be preloaded. This is necessary to create the containers
into which the user, group, and so on, accounts is written. It is also necessary to
@@ -629,37 +629,31 @@
dc: INETDOMAIN
o: ORGNAME
description: Posix and Samba LDAP Identity Database
-structuralObjectClass: organization
dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG
objectClass: organizationalRole
cn: Manager
description: Directory Manager
-structuralObjectClass: organizationalRole
dn: ou=People,dc=INETDOMAIN,dc=TLDORG
objectClass: top
objectClass: organizationalUnit
ou: People
-structuralObjectClass: organizationalUnit
dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG
objectClass: top
objectClass: organizationalUnit
ou: Computers
-structuralObjectClass: organizationalUnit
dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG
objectClass: top
objectClass: organizationalUnit
ou: Groups
-structuralObjectClass: organizationalUnit
dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG
objectClass: top
objectClass: organizationalUnit
ou: Idmap
-structuralObjectClass: organizationalUnit
dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG
objectClass: sambaDomain
@@ -677,7 +671,6 @@
sambaGroupType: 2
displayName: Domain Admins
description: Domain Administrators
-structuralObjectClass: posixGroup
dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG
objectClass: posixGroup
@@ -688,7 +681,6 @@
sambaGroupType: 2
displayName: Domain Guests
description: Domain Guests Users
-structuralObjectClass: posixGroup
dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG
objectClass: posixGroup
@@ -699,8 +691,7 @@
sambaGroupType: 2
displayName: Domain Users
description: Domain Users
-structuralObjectClass: posixGroup
-
The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
server either using unencrypted connections or via SSL. LAM can be used to manage
@@ -711,16 +702,16 @@
home page and from its mirror sites. LAM has been released under the GNU GPL version 2.
The current version of LAM is 0.4.3. Release of version 0.5 is expected some time early
in 2004.
- A web server that will work with PHP4. PHP4 (available from the
PHP home page.) OpenLDAP 2.0 or later. A Web browser that supports CSS. Perl. The gettext package. mcrypt + mhash (optional since version 0.4.3). It is also a good idea to install SSL support.
LAM is a useful tool that provides a simple Web-based device that can be used to
- manage the contents of the LDAP directory to:
+ manage the contents of the LDAP directory to:
Display user/group/host and Domain entries. Manages entries (Add/Delete/Edit). Filter and sort entries. Set LAM administrator accounts. Store and use multiple operating profiles. Edit organizational units (OUs). Upload accounts from a file.
When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba
user, group, and windows domain member machine accounts.
-
The default password is “lam.” It is highly recommended that you use only
an SSL connection to your Web server for all remote operations involving LAM. If you
want secure connections, you must configure your Apache Web server to permit connections
@@ -739,7 +730,7 @@
Copy the extracted files to the document root directory of your Web server.
For example, on SuSE Linux Enterprise Server 8, copy to the
/srv/web/htdocs directory.
-
Set file permissions using the following commands:
-
Using your favorite editor create the following config.cfg
LAM configuration file:
An example file is shown in ???.
This is the minimum configuration that must be completed. The LAM profile
file can be created using a convenient wizard that is part of the LAM
@@ -769,18 +760,18 @@
lam.conf_sample file to a file called
lam.conf then, using your favorite editor,
change the settings to match local site needs.
-
An example of a working file is shown here in ???.
This file has been stripped of comments to keep the size small. The comments
and help information provided in the profile file that the wizard creates
is very useful and will help many administrators to avoid pitfalls.
Your configuration file obviously reflects the configuration options that
are preferred at your site.
-
It is important that your LDAP server is running at the time that LAM is
being configured. This permits you to validate correct operation.
An example of the LAM login screen is provided in ???.
-
The LAM configuration editor has a number of options that must be managed correctly.
An example of use of the LAM configuration editor is shown in ???.
It is important that you correctly set the minimum and maximum UID/GID values that are
@@ -789,12 +780,12 @@
The best work-around is to temporarily set the minimum values to zero (0) to permit
the initial settings to be made. Do not forget to reset these to sensible values before
using LAM to add additional users and groups.
-
LAM has some nice, but unusual features. For example, one unexpected feature in most application
screens permits the generation of a PDF file that lists configuration information. This is a well
thought out facility. This option has been edited out of the following screen shots to conserve
space.
-
When you log onto LAM the opening screen drops you right into the user manager as shown in
???. This is a logical action as it permits the most-needed facility
to be used immediately. The editing of an existing user, as with the addition of a new user,
@@ -807,7 +798,7 @@
for user accounts, group accounts may be rapidly dealt with. ???
shown a sub-screen from the group editor that permits users to be assigned secondary group
memberships.
-
The final screen presented here is one that you should not normally need to use. Host accounts will
be automatically managed using the smbldap-tools scripts. This means that the screen ???
will, in most cases, not be used.
@@ -848,7 +839,7 @@
samba3: yes
cachetimeout: 5
pwdhash: SSHA
-
The setting of the SUID/SGID bits on the file or directory permissions flag has particular
consequences. If the file is executable and the SUID bit is set, it executes with the privilege
of (with the UID of) the owner of the file. For example, if you are logged onto a system as
@@ -918,34 +909,34 @@
total 1
drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
-
The integrity of shared data is often viewed as a particularly emotional issue, especially where
there are concurrent problems with multi-user data access. Contrary to the assertions of some who have
experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
The solution to concurrent multi-user data access problems must consider three separate areas
- from which the problem may stem:
- application level locking controls. client side locking controls. server side locking controls.
+ from which the problem may stem:
+ application level locking controls. client side locking controls. server side locking controls.
Many database applications use some form of application-level access control. An example of one
well-known application that uses application-level locking is Microsoft Access. Detailed guidance
is provided given that this is the most common application for which problems have been reported.
-
Common applications that are affected by client- and server-side locking controls include MS
Excel and Act!. Important locking guidance is provided here.
-
+
The best advice that can be given is to carefully read the Microsoft knowledge base articles that
cover this area. Examples of relevant documents includes:
- http://support.microsoft.com/default.aspx?scid=kb;en-us;208778 http://support.microsoft.com/default.aspx?scid=kb;en-us;299373 http://support.microsoft.com/default.aspx?scid=kb;en-us;208778 http://support.microsoft.com/default.aspx?scid=kb;en-us;299373
Make sure that your MS Access database file is configured for multi-user access (not set for
exclusive open). Open MS Access on each client workstation then set the following: ++. Set network path to Default database folder: \\server\share\folder.
You can configure MS Access file sharing behavior as follows: click .
- Set:
- Default open mode: Shared Default Record Locking: Edited Record Open databases using record_level locking Default open mode: Shared Default Record Locking: Edited Record Open databases using record_level locking
You must now commit the changes so that they will take effect. To do so, click
. At this point, you should exit MS Access, restart
it and then validate that these settings have not changed.
-
Where the server sharing the ACT! database(s) is running Samba, Windows NT, 200x or XP, you
must disable opportunistic locking on the server and all workstations. Failure to do so
results in data corruption. This information is available from the Act! Web site
@@ -953,7 +944,7 @@
1998223162925
as well as from article
200110485036.
-
These documents clearly state that opportunistic locking must be disabled on both
the server (Samba in the case we are interested in here), as well as on every workstation
from which the centrally shared Act! database will be accessed. Act! provides
@@ -961,18 +952,18 @@
registry settings that may otherwise interfere with the operation of Act!
Registered Act! users may download this utility from the Act! Web
site.
-
Third-party Windows applications may not be compatible with the use of opportunistic file
- and record locking. For applications that are known not to be compatible,[14] oplock
+ and record locking. For applications that are known not to be compatible,[14] oplock
support may need to be disabled both on the Samba server and on the Windows workstations.
-
Oplocks enable a Windows client to cache parts of a file that are being
edited. Another windows client may then request to open the file with the
ability to write to it. The server will then ask the original workstation
that had the file open with a write lock to release it's lock. Before
doing so, that workstation must flush the file from cache memory to the
disk or network drive.
-
Disabling of Oplocks usage may require server and client changes.
Oplocks may be disabled by file, by file pattern, on the share, or on the
samba server.
@@ -1008,4 +999,4 @@
Comprehensive coverage of file and record locking controls is provided in TOSHARG Chapter 13.
The information provided in that chapter was obtained from a wide variety of sources.
-
+
The Samba-3 networking you explored in the previous chapter covers the finer points of
configuration of peripheral services such as DHCP and DNS, and WINS. You experienced
implementation of a simple configuration of the services that are important adjuncts
@@ -16,7 +16,7 @@
involving no print job processing intelligence. In this chapter, you maintain
that same approach to printing, but in the following chapter, there is an opportunity
to make printing more complex for the administrator while making it easier for the user.
-
The previous chapter demonstrates operation of a DHCP server and a DNS server,
as well as a central WINS server. You validated the operation of these services and
saw an effective implementation of a Samba Domain Controller using the
@@ -38,7 +38,7 @@
improve network management and control while reducing human resource overheads.
You should take the opportunity to innovate and expand on the methods presented
here and explore them to the fullest.
-
+
Business continues to go well for Abmas. Mr. Meany is driving your success and the
network continues to grow thanks to the hard work Christine has done. You recently
hired Stanley Soroka as Manager of Information Systems. Christine recommended Stan
@@ -63,7 +63,7 @@
and to allow Stan and Christine to fully stage the new network and test it before
it is rolled out. Your strategy is to complete the new network so that it
is ready for operation when the old office moves into the new premises.
-
+
The acquired business had 280 network users. The old Abmas building housed
220 network users in unbelievably cramped conditions. The network that
initially served 130 users now handles 220 users quite well.
@@ -104,7 +104,7 @@
DirectPointe Inc. receives from you a new standard desktop configuration
every four months. They automatically roll that out to each desktop system.
You must keep DirectPointe informed of all changes.
-
The new network has a single Samba Domain Controller (PDC) located in the
Network Operation Center (NOC). Buildings 1 and 2 each have a local server
for local application servicing. It is a Domain Member. The new system
@@ -112,8 +112,8 @@
Printing is based on raw pass-through facilities as it has been used so far.
All printer drivers are installed on the desktop and notebook computers.
-
+
The example you are building in this chapter is an example of a network design that works,
but this does not make it a design that is recommended. As a general rule, there should
be at least one Backup Domain Controller per 150 Windows network clients. The principle behind
@@ -124,23 +124,23 @@
responsiveness. This network will have 500 clients serviced by one central Domain
Controller. This is not a good omen for user satisfaction. You, of course, address this
very soon (see next chapter).
-
+
Stan has talked you into a horrible compromise, but it is addressed. Just make
certain that the performance of this network is well validated before going live.
Design decisions made in this design include:
-
-
-
+
+
+
A single Primary Domain Controller (PDC) is being implemented. This limitation
is based on the choice not to use LDAP. Many network administrators fear using
LDAP based on the perceived complexity of implementation and management of an
LDAP-based backend for all user identity management as well as to store network
access credentials.
-
-
+
+
Because of the refusal to use an LDAP (ldapsam) passdb backend at this time,
the only choice that makes sense with 500 users is to use the tdbsam passwd backend.
This type of backend is not receptive to replication to Backup Domain Controllers.
@@ -154,7 +154,7 @@
for a simple mode of operation, but has to be balanced with network performance and
integrity of operations considerations.
-
+
A single central WINS server is being used. The PDC is also the WINS server.
Any attempt to operate a routed network without a WINS server while using NetBIOS
over TCP/IP protocols does not work unless on each client the name resolution
@@ -165,12 +165,12 @@
At this time the Samba WINS database is not capable of being replicated. That is
why a single WINS server is being implemented. This should work without a problem.
-
+
Backup Domain Controllers make use of winbindd to provide
access to Domain security credentials for file system access and object storage.
-
-
+
+
Configuration of Windows XP Professional clients is achieved using DHCP. Each
subnet has its own DHCP server. Backup DHCP serving is provided by one
alternate DHCP server. This necessitates enabling of the DHCP Relay agent on
@@ -186,14 +186,14 @@
The network address and sub-netmask chosen provide 1022 usable IP addresses in
each subnet. If in the future more addresses are required, it would make sense
to add further subnets rather than change addressing.
-
This case gets close to the real world. You and I know the right way to implement
Domain Control. Politically, we have to navigate a mine field. In this case, the need is to
get the PDC rolled out in compliance with expectations and also to be ready to save the day
by having the real solution ready before it is needed. That real solution is presented in
the next chapter.
-
+ The following configuration process begins following installation of Red Hat Fedora Core2 on the
three servers shown in the network topology diagram in ???. You have
selected hardware that is appropriate to the task.
@@ -203,7 +203,7 @@
The abbreviation shown in this table as {VLN} means
the directory location beginning with /var/lib/named.
- Table 5.1. Domain: MEGANET, File Locations for Servers
+ Table 5.1. Domain: MEGANET, File Locations for Servers
The following steps apply to all servers. Follow each step carefully.
Using the UNIX/Linux system tools, set the name of the server as shown in the network
@@ -219,7 +219,7 @@
root# hostname -f
-
+
Edit your /etc/hosts file to include the primary names and addresses
of all network interfaces that are on the host server. This is necessary so that during
startup the system is able to resolve all its own names to the IP address prior to
@@ -227,7 +227,7 @@
CUPS print server is started before the DNS server (named), you
should also include an entry for the printers in the /etc/hosts file.
-
+
All DNS name resolution should be handled locally. To ensure that the server is configured
correctly to handle this, edit /etc/resolv.conf so it has the following
content:
@@ -238,7 +238,7 @@
This instructs the name resolver function (when configured correctly) to ask the DNS server
that is running locally to resolve names to addresses.
-
+
Add the root user to the password backend as follows:
-
+
Create the username map file to permit the root account to be called
Administrator from the Windows network environment. To do this, create
the file /etc/samba/smbusers with the following contents:
@@ -289,16 +289,16 @@
Follow the instructions in the printer manufacturer's manuals to permit printing
to port 9100. Use any other port the manufacturer specifies for direct mode,
raw printing. This allows the CUPS spooler to print using raw mode protocols.
-
-
+
+
-
+
Only on the server to which the printer is attached configure the CUPS Print
Queues as follows:
-
+
This step creates the necessary print queue to use no assigned print filter. This
is ideal for raw printing, i.e., printing without use of filters.
The name printque is the name you have assigned for
@@ -318,15 +318,15 @@
root# /usr/bin/accept printque
-
-
-
+
+
+
Edit the file /etc/cups/mime.convs to uncomment the line:
-
+
Edit the file /etc/cups/mime.types to uncomment the line:
There are some steps that apply to particular server functionality only. Each step is critical
to correct server operation.
-
+
+
The host server acts as a router between the two internal network segments as well
as for all Internet access. This necessitates that IP forwarding must be enabled. This can be
achieved by adding to the /etc/rc.d/boot.local an entry as follows:
@@ -382,7 +382,7 @@
startup files as follows: (SUSE) /etc/rc.d/boot.local, (Red Hat)
/etc/rc.d/init.d/rc.local.
-
+
The final step that must be completed is to edit the /etc/nsswitch.conf file.
This file controls the operation of the various resolver libraries that are part of the Linux
Glibc libraries. Edit this file so that it contains the following entries:
@@ -390,24 +390,24 @@
hosts: files dns wins
-
+
Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
???. Create a file containing this script. You called yours
/etc/samba/initGrps.sh. Set this file so it can be executed
and then execute the script. An example of the execution of this script as well as its
validation are shown in Chapter 4, Section 4.3.2, Step 5.
-
-
-
+
+
+
For each user who needs to be given a Windows Domain account, make an entry in the
/etc/passwd file, as well as in the Samba password backend.
Use the system tool of your choice to create the UNIX system account and use the Samba
smbpasswd to create a Domain user account.
-
-
-
+
+
+
There are a number of tools for user management under UNIX. Commonly known ones include:
useradd, adduser. In addition to these, there is a plethora of custom
tools. With the tool of your choice, create a home directory for each user.
@@ -420,7 +420,7 @@
file is /data. Format the file system as required and mount the formatted
file system partition using appropriate system tools.
-
+
Create the top-level file storage directories for data and applications as follows:
-
+
The final step that must be completed is to edit the /etc/nsswitch.conf file.
This file controls the operation of the various resolver libraries that are part of the Linux
Glibc libraries. Edit this file so that it contains the following entries:
@@ -510,13 +510,13 @@
Follow the steps outlined in ??? to start all services. Do not
start Samba at this time. Samba is controlled by the process called smb.
-
At this time, you must now attempt to join the Domain Member servers to the Domain. The following
instructions should be executed to effect this:
-
You now start the Samba services by executing:
Example 5.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf Example 5.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf Example 5.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf Example 5.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf Example 5.3. Common Samba Configuration File: /etc/samba/common.conf Example 5.4. Server: BLDG1 (Member), File: smb.conf Example 5.5. Server: BLDG2 (Member), File: smb.conf Example 5.5. Server: BLDG2 (Member), File: smb.conf Example 5.6. Common Domain Member Include File: dom-mem.conf Example 5.6. Common Domain Member Include File: dom-mem.conf Example 5.7. Server: MASSIVE, File: dhcpd.conf
-
+
There are two essential steps to process startup configuration. A process
must be configured so that it is automatically restarted each time the server
is rebooted. This step involves use of the chkconfig tool that
@@ -1062,7 +1062,7 @@
directories. Links are created so that when the system run-level is changed, the
necessary start or kill script is run.
-
+
In the event that a service is provided not as a daemon but via the inter-networking
super daemon (inetd or xinetd), then the chkconfig
tool makes the necessary entries in the /etc/xinetd.d directory
@@ -1073,7 +1073,7 @@
Use the standard system tool to configure each service to restart
automatically at every system reboot. For example:
-
+
-
-
-
+
+
+
Now start each service to permit the system to be validated.
Execute each of the following in the sequence shown:
@@ -1101,8 +1101,8 @@
Install MS Windows XP Professional. During installation, configure the client to use DHCP for
TCP/IP protocol configuration.
-
-
+
+
DHCP configures all Windows clients to use the WINS Server address that has been defined
for the local subnet.
@@ -1190,7 +1190,7 @@
user, of course.
Instruct all users to log onto the workstation using their assigned user name and password.
-
The network you have just deployed has been a valuable exercise in forced constraint.
You have deployed a network that works well, although you may soon start to see
performance problems, at which time the modifications demonstrated in the following
@@ -1206,33 +1206,33 @@
to resources on the Domain Member servers
The introduction of roaming profiles
-
+
+
The example smb.conf files in this chapter make use of the include facility.
How may I get to see what the actual working smb.conf settings are?
@@ -1240,7 +1240,7 @@
-
+
Why does the include file common.conf have an empty include statement?
The use of the empty include statement nullifies further includes. For example, let's say you
@@ -1253,7 +1253,7 @@
If the include parameter was not in the common.conf file, the final smb.conf file leaves
the include in place, even though the file it points to has already been included. This is a bug
that will be fixed at a future date.
-
+
I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam
passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend.
I tried using rsync to replicate the passdb.tdb, and it seems to work fine!
@@ -1263,7 +1263,7 @@
contents between the PDC and BDCs. The most notable symptom is that workstations may not be able
to log onto the network following a reboot and may have to re-join the Domain to recover network
access capability.
-
+
You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server
@@ -1272,26 +1272,26 @@
The only exception to this rule is when the client makes a directed request from a specific DHCP server
for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash.
-
+
How does the Windows client find the PDC?
The Windows client obtains the WINS server address from the DHCP lease information. It also
obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast)
to register itself with the WINS server and to obtain enumeration of vital network information to
enable it to operate successfully.
-
+
Why did you enable IP forwarding (routing) only on the server called MASSIVE?
The server called MASSIVE is acting as a router to the Internet. No other server
(BLDG1 or BLDG2) has any need for IP forwarding since they are attached only to their own network.
Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network
segments to the router that is its gateway to them.
-
+
You did nothing special to implement roaming profiles. Why?
Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional
clients is to use roaming profiles.
-
+
On the Domain Member computers, you configured winbind in the /etc/nsswitch.conf file.
You did not configure any PAM settings. Is this an omission?
@@ -1300,7 +1300,7 @@
Member servers using Windows networking user names and passwords, it is necessary to configure PAM
to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name
service switcher (NSS).
-
+
You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed
@@ -1309,8 +1309,8 @@
of smb.conf include files because SWAT optimizes them out into an aggregated
file but leaves in place a broken reference to the top layer include file. SWAT was not designed to
handle this functionality gracefully.
-
+
The Domain Controller has an auto-shutdown script. Isn't that dangerous?
Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though.
- Table of Contents Table of Contents
You've come a long way now. You have pretty much mastered Samba-3 for
most uses it can be put to. Up until now, you have cast Samba-3 in the leading
role and where authentication was required, you have used one or another of
@@ -9,7 +9,7 @@
implementing Samba and Samba-supported services in a domain controlled by
the latest Windows authentication technologies. Let's get started this is
leading edge.
-
+
Abmas has continued its miraculous growth; indeed, nothing seems to be able
to stop its diversification into multiple (and seemingly unrelated) fields.
Its latest acquisition is Abmas Snack Foods, a big player in the snack-food
@@ -25,13 +25,13 @@
You have decided to set the ball rolling by introducing Samba-3 into the network
gradually, taking over key services and easing the way to a full migration and,
therefore, integration into Abmas's existing business later.
-
You've promised the skeptical Abmas Snack Foods management team
that you can show them how Samba can ease itself and other Open Source
technologies into their existing infrastructure and deliver sound business
advantages. Cost cutting is high on their agenda (a major promise of the
acquisition). You have chosen Web proxying and caching as your proving ground.
-
Abmas Snack Foods has several thousand users housed at their Head Office
and multiple regional offices, plants, and warehouses. A high proportion of
the business's work is done online, so Internet access for most of these
@@ -40,7 +40,7 @@
team. The bandwidth requirements were horrific (comparable to a small ISP), and
the team soon discovered proxying and caching. In fact, they became one of
the earliest commercial users of Microsoft ISA.
-
The team is not happy with ISA. Because it never lived up to its marketing promises,
it under-performed and had reliability problems. You have pounced on the opportunity
to show what Open Source can do. The one thing they do like, however, is ISA's
@@ -51,7 +51,7 @@
This is a hands-on exercise. You build software applications so
that you obtain the functionality Abmas needs.
-
The key requirements in this business example are straightforward. You are not required
to do anything new, just to replicate an existing system, not lose any existing features,
and improve performance. The key points are:
@@ -61,7 +61,7 @@
Distributed system to accommodate load and geographical distribution of users
Seamless and transparent interoperability with the existing Active Directory domain
-
Functionally, the user's Internet Explorer requests a browsing session with the
Squid proxy, for which it offers its AD authentication token. Squid hands off
the authentication request to the Samba-3 authentication helper application
@@ -82,21 +82,21 @@
Configuring, compiling, and then installing the supporting Samba-3 components
Tying it all together
-
You are a stranger in a strange land and all eyes are upon you. Some would even like to see
you fail. For you to gain the trust of your newly acquired IT people, it is essential that your
solution does everything the old one did, but does it better in every way. Only then
will the entrenched positions consider taking up your new way of doing things on a
wider scale.
-
First, your system needs to be prepared and in a known good state to proceed. This consists
of making sure that everything the system depends on is present and that everything that could
interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3
packages and updating them if necessary. If conflicting packages of these programs are installed,
they must be removed.
-
The following packages should be available on your Red Hat Linux system:
-
In the case of SUSE Linux, these packages are called:
heimdal-lib
heimdal-devel
-
pam_krb5
@@ -120,18 +120,18 @@
If the required packages are not present on your system, you must install
them from the vendor's installation media. Follow the administrative guide
for your Linux system to ensure that the packages are correctly updated.
-
If the requirement is for interoperation with MS Windows Server 2003, it
will be necessary to ensure that you are using MIT Kerberos version 1.3.1
or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
updating.
-
Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
-
If Samba and/or Squid rpms are installed, they should be updated. You can
build both from source.
-
Locating the packages to be uninstalled can be achieved by running:
-
The systems Kerberos installation must be configured to communicate with
your primary Active Directory server (ADS KDC).
Strictly speaking, MIT Kerberos version 1.3.1 currently gives the best results,
although the current default Red Hat MIT version 1.2.7 gives acceptable results
unless you are using Windows 2003 servers.
-
Officially, neither MIT (1.3.1) nor Heimdal (0.6) Kerberos needs an /etc/krb5.conf
file in order to work correctly. All ADS domains automatically create SRV records in the
DNS zone Kerberos.REALM.NAME for each KDC in the realm. Since both
@@ -156,11 +156,11 @@
automatically find the KDCs. In addition, krb5.conf only allows
specifying a single KDC, even there if there is more than one. Using the DNS lookup
allows the KRB5 libraries to use whichever KDCs are available.
-
If you find the need to manually configure the krb5.conf, you should edit it
- to have the contents shown in ???. The final fully qualified path for this file
+ to have the contents shown in ???. The final fully qualified path for this file
should be /etc/krb5.conf.
-
The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
be in UPPERCASE, or you will get an error: “Cannot find KDC for requested realm while getting
initial credentials”. Kerberos is picky about time synchronization. The time
@@ -175,7 +175,7 @@
/etc/hosts entry mapping the IP address of your KDC to its
NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
when you try to join the realm.
-
You are now ready to test your installation by issuing the command:
Make sure that your password is accepted by the Active Directory KDC.
-
shows the Kerberos tickets cached by the system:
-
Samba must be configured to correctly use Active Directory. Samba-3 must be used, as
this has the necessary components to interface with Active Directory.
-
Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
FTP site. The official Samba Team
RPMs for Red Hat Fedora Linux contain the ntlm_auth tool
needed, and are linked against MIT KRB5 version 1.3.1 and, therefore, are ready for use.
-
The necessary, validated RPM packages for SUSE Linux may be obtained from
the SerNet FTP site that
is located in Germany. All SerNet RPMs are validated, have the necessary
@@ -217,8 +217,8 @@
against suitably patched Heimdal 0.6 libraries.
Using your favorite editor, change the /etc/samba/smb.conf
- file so it has contents similar to the example shown in ???.
-
+ file so it has contents similar to the example shown in ???.
+
Next you need to create a computer account in the Active Directory.
This sets up the trust relationship needed for other clients to
authenticate to the Samba server with an Active Directory Kerberos ticket.
@@ -227,7 +227,7 @@
-
Your new Samba binaries must be started in the standard manner as is applicable
to the platform you are running on. Alternately, start your Active Directory
enabled Samba with the following commands:
@@ -236,7 +236,7 @@
root# nmbd -D
root# winbindd -B
-
We now need to test that Samba is communicating with the Active
Directory domain; most specifically, we want to see whether winbind
is enumerating users and groups. Issue the following commands:
@@ -268,7 +268,7 @@
LONDON+DnsUpdateProxy
This enumerates all the groups in your Active Directory tree.
-
Squid uses the ntlm_auth helper build with Samba-3.
You may test ntlm_auth with the command:
-
The ntlm_auth helper, when run from a command line as the user
“root”, authenticates against your Active Directory domain (with
the aid of winbind). It manages this by reading from the winbind privileged pipe.
@@ -297,61 +297,61 @@
root# chgrp squid /var/lib/samba/winbindd_privileged
root# chmod 750 /var/lib/samba/winbindd_privileged
-
For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
Edit your /etc/nsswitch.conf file so it has the parameters shown
- in ???.
- Example 11.2. Samba Configuration File: /etc/samba/smb.conf Example 12.2. Samba Configuration File: /etc/samba/smb.conf
If your Linux distribution is SUSE Linux 9, the version of Squid
supplied is already enabled to use the winbind helper agent. You
can, therefore, omit the steps that would build the Squid binary
programs.
-
Squid, by default, runs as the user nobody. You need to
add a system user squid and a system group
squid if they are not set up already (if the default
Red Hat squid rpms were installed, they will be). Set up a
squid user in /etc/passwd
and a squid group in /etc/group if these aren't there already.
-
You now need to change the permissions on Squid's var
directory. Enter the following command:
-
Squid must also have control over its logging. Enter the following commands:
-
The /etc/squid/squid.conf file must be edited to include the lines from
- ??? and ???.
-
You must create Squid's cache directories before it may be run. Enter the following command:
- Example 11.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section] Example 12.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section] Example 11.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section] Example 12.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]
Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
Windows clients use, even when accessing traditional services such as Web browsers. Depending
on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over
the cookie-based authentication regime used by all competing browsers. It is Samba's implementation
of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter.
-
The development of the ntlm_auth module was first discussed in many Open Source circles
in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of
ntlm_auth during one of the late developer meetings that took place. Since that time, the
@@ -420,44 +420,44 @@
You would be well advised to recognize the fact that all cache-intensive proxying solutions demand a lot of memory.
Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
-
+
What does Samba have to do with Web proxy serving?
-
To provide transparent interoperability between Windows clients and the network services
that are used from them, Samba has had to develop tools and facilities that deliver that. The benefit
of Open Source software is that it can readily be reused. The current ntlm_auth
module is basically a wrapper around authentication code from the core of the Samba project.
-
The ntlm_auth module supports basic plain-text authentication and NTLMSSP
protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
the user being interrupted via his/her Windows logon credentials. This facility is available with
MS Windows explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
There are a few open source initiatives to provide support for these protocols in the Apache Web server
also.
-
The short answer is that by adding a wrapper around key authentication components of Samba, other
projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
-
+
What other services does Samba provide?
-
Samba-3 is a file and print server. The core components that provide this functionality are smbd,
nmbd, and the Identity resolver daemon, winbindd.
-
Samba-3 is an SMB/CIFS client. The core component that provides this is called smbclient.
-
Samba-3 includes a number of helper tools, plug-in modules, utilities, and test/validation facilities.
Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
servers and client. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switcher modules
to permit Identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
server products).
-
+
Does use of Samba (ntlm_auth) improve the performance of Squid?
Not really. Samba's ntlm_auth module handles only authentication. It requires that
@@ -465,4 +465,4 @@
little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
sufficient memory when using Squid. Just add a little more to accommodate ntlm_auth.
-
+
A detailed list of permissions granted to users or groups with respect to file and network
resource access.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.11/docs/htmldocs/Samba-Guide/HA.html samba-3.0.12/docs/htmldocs/Samba-Guide/HA.html
--- samba-3.0.11/docs/htmldocs/Samba-Guide/HA.html 2005-02-03 21:54:50.000000000 -0600
+++ samba-3.0.12/docs/htmldocs/Samba-Guide/HA.html 2005-03-17 15:18:04.000000000 -0600
@@ -1,4 +1,4 @@
-
Well, you have reached the chapter before the Appendix. It is customary to attempt
to wrap up the theme and contents of a book in what is generally regarded as the
chapter that should draw conclusions. This book is a suspense thriller and since
@@ -7,7 +7,7 @@
regarding some of the things everyone can do to deliver a reliable Samba-3 network.
In a world so full of noise, how can the sparrow be heard?
-
The sparrow is a small bird whose sounds are drowned out by the noise of the busy
world it lives in. Likewise, the simple steps that can be taken to improve the
reliability and availability of a Samba network are often drowned out by the volume
@@ -15,17 +15,17 @@
suggest that clustering is not important, because clearly it is. This chapter does not devote
itself to discussion of clustering because each clustering methodology uses its own
custom tools and methods. Only passing comments are offered concerning these methods.
-
A search
for “samba cluster” produced 71,600 hits. And a search for “highly available samba”
and “highly available windows” produced an amazing number of references.
It is clear from the resources on the Internet that Windows file and print services
availability, reliability, and scalability are of vital interest to corporate network users.
-
So without further background, you can review a checklist of simple steps that
can be taken to ensure acceptable network performance while keeping costs of ownership
well under control.
-
If it is your purpose to get the best mileage out of your Samba servers, there is one rule that
must be obeyed. If you want the best, keep your implementation as simple as possible. You may
well be forced to introduce some complexities, but you should do so only as a last resort.
@@ -33,7 +33,7 @@
Simple solutions are likely to be easier to get right than are complex ones. They certainly
make life easier for your successor. Simple implementations can be more readily audited than can
complex ones.
-
Problems reported by users fall into three categories: configurations that do not work, those
that have broken behavior, and poor performance. The term broken behavior
means that the function of a partciluar Samba component appears to work sometimes, but not at
@@ -41,7 +41,7 @@
broken behavior known to many Windows networking users occurs when the
list of Windows machines in MS Explorer changes, sometimes listing machines that are running
and at other times not listing them even though the machines are in use on the network.
-
A significant number of reports concern problems with the smbfs file system
driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that
smbfs is part of Samba, simply because Samba includes the front-end tools
@@ -50,24 +50,24 @@
facilities to core drivers that are supplied as part of the Linux kernel. These tools share a
common infrastructure with some Samba components, but they are not maintained as part of
Samba and are really foreign to it.
-
The new project, cifsfs, is destined to replace smbfs.
It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in
this project.
The following table lists typical causes of:
- Not Working (NW) Broken Behavior (BB) Poor Performance (PP) Table 12.1. Effect of Common Problems Problem NW BB PP File Locking - X - Hardware Problems X X X Incorrect Authentication X X - Incorrect Configuration X X X LDAP Problems X X - Name Resolution X X X Printing Problems X X - Slow File Transfer - - X Winbind Problems X X - Not Working (NW) Broken Behavior (BB) Poor Performance (PP) Table 13.1. Effect of Common Problems Problem NW BB PP File Locking - X - Hardware Problems X X X Incorrect Authentication X X - Incorrect Configuration X X X LDAP Problems X X - Name Resolution X X X Printing Problems X X - Slow File Transfer - - X Winbind Problems X X -
It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate
problems that affect basic network operation. This book has provided sufficient working examples
to help you to avoid all these problems.
-
Your objective is to provide a network that works correctly, can grow at all times, is resilient
at times of extreme demand, and can scale to meet future needs. The following subject areas provide
pointers that can help you today.
-
+
There are three basic current problem areas: bad hostnames, routed networks, and network collisions.
These are covered in the discussion below.
-
When configured as a DHCP client, a number of Linux distributions set the system hostname
to localhost. If the parameter netbios name is not
specified to something other than localhost, the Samba server appears
@@ -78,11 +78,11 @@
set up a NetBIOS over TCP/IP connection to it. This cannot work, because that IP address is
the local Windows machine itself. Hostnames must be valid for Windows networking to function
correctly.
-
A few sites have tried to name Windows clients and Samba servers with a name that begins
with the digits 1-9. This does not work either because it may result in the client or
server attempting to use that name as an IP address.
-
A Samba server called FRED, in a NetBIOS Domain called COLLISION
in a network environment that is part of the fully qualified Internet domain name space known
as parrots.com, results in DNS name lookups for: fred.parrots.com
@@ -90,31 +90,31 @@
(workgroup) collision.parrots.com since this results in DNS lookup
attempts to resolve: fred.parrots.com.parrots.com, which most likely
fails given that you probably do not have this in your DNS name space.
-
NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use
of UDP-based broadcast traffic. You saw that during the exercises in Chapter 1.
-
UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based
networking cannot function across routed networks (i.e., multi-subnet networks) unless
special provisions are made:
-
Either install on every Windows client an LMHOSTS file (located in the directory
C:\windows\system32\drivers\etc). It is also necessary to
add to the Samba server smb.conf file the parameters: remote announce
and remote browse sync. For more information, refer to the on-line
manual page for the smb.conf file.
-
Or configure Samba as a WINS server, and configure all network clients to use that
WINS server in their TCP/IP configuration.
-
Excessive network activity causes NetBIOS network time-outs. Time-outs may result in
blue screen of death (BSOD) experiences. High collision rates may be caused by excessive
UDP broadcast activity, by defective networking hardware, or through excessive network
@@ -122,7 +122,7 @@
The use of WINS is highly recommended to reduce network broadcast traffic, as outlined
in Chapter 1.
-
Under no circumstances should the facility be supported by many routers, known as NetBIOS
forwarding, unless you know exactly what you are doing. Inappropriate use of this
facility can result in UDP broadcast storms. In one case in 1999, a university network became
@@ -130,10 +130,10 @@
testing of a Samba server. The maximum throughput on a 100-Base-T (100 MBit/sec) network was
less than 15 KBytes/sec. After the NetBIOS forwarding was turned off, file transfer performance
immediately returned to 11 MBytes/sec.
-
As a general rule, the contents of the smb.conf file should be kept as simple as possible.
No parameter should be specified unless you know it is essential to operation.
-
Many UNIX administrators like to fully document the settings in the smb.conf file. This is a
bad idea because it adds content to the file. The smb.conf file is re-read by every smbd
process every time the file time stamp changes (or, on systems where this does not work, every 20 seconds or so).
@@ -141,7 +141,7 @@
As the size of the smb.conf file grows the risk of introduction of parsing errors increases also.
It is recommended to keep a fully documented smb.conf file on hand, and then to operate Samba only
with an optimized file.
-
The preferred way to maintain a documented file is to call it something like smb.conf.master.
You can generate the optimized file by executing:
-
+
You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C.
The important thing to note is the noted Server role, as well as warning messages. Noted configuration
conflicts must be remedied before proceeding. For example, the following error message represents a
@@ -176,18 +176,18 @@
ERROR: both 'wins support = true' and 'wins server = <server list>'
cannot be set in the smb.conf file. nmbd will abort with this setting.
-
There are two parameters that can cause severe network performance degradation, socket options
and socket address. The socket options parameter was often necessary
when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from
this parameter being set. Do not use either parameter unless it has been proven necessary to use them.
-
Another smb.conf parameter that may cause severe network performance degradation is the
strict sync parameter. Do not use this at all. There is no good reason
to use this with any modern Windows client. The strict sync is often
used together with the sync always parameter. This, too, can severely
degrade network performance, so do not set it or if you must, do so with caution.
-
Finally, many network administrators deliberately disable opportunistic locking support. While this
does not degrade Samba performance, it significantly degrades Windows client performance because
this disables local file caching on Windows clients and forces every file read and written to
@@ -195,19 +195,19 @@
support, do so on the share on which it is required only. That way, all other shares can provide
oplock support for operations that are tolerant of it. See ??? for more
information.
-
On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon
processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of
authentication and logon processing. When a sole BDC on a routed network segment gets heavily
loaded, it is possible that network logon requests and authentication requests may be directed
to a BDC on a distant network segment. This significantly hinders wide-area network operations
and is undesirable.
-
As a general guide, instead of adding Domain Member servers to a network, you would be better advised
to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add
Domain Member servers. This practice ensures that there is always sufficient Domain Controllers
to handle logon requests and authentication traffic.
-
Every network client has its own peculiarities. From a management perspective, it is easier to deal
with one version of MS Windows that is maintained to a consistent update level, than it is to deal
with a mixture of clients.
@@ -215,37 +215,37 @@
On a number of occasions, particular Microsoft service pack updates of a Windows server or client
have necessitated special handling from the Samba server end. If you want to remain sane, keep you
client workstation configurations consistent.
-
Many SAN-based storage systems permit more than one server to share a common data store.
Use of a shared SAN data store means that you do not need to use time- and resource-hungry data
synchronization techniques.
-
The use of a collection of relatively low-cost front-end Samba servers that are coupled to
a shared backend SAN data store permits load distribution while containing costs below that
of installing and managing a complex clustering facility.
-
Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits
data to be accessed from a single share and yet to actually be distributed across multiple actual
servers. Refer to TOSHARG, Chapter 16, for information regarding implementation of an MSDFS installation.
-
The combination of multiple back end servers together with a front-end server and use of MSDFS
can achieve almost the same as you would obtain with a clustered Samba server.
-
Consider using rsync to replicate data across the wide-area network during times
of low utilization. Users can then access the replicated data store rather than needing to do so
across the wide-area network. This works best for read-only data, but with careful planning can be
implemented so that modified files get replicated back to the point of origin. Be careful with your
implementation if you choose to permit modification and return replication of the modified file;
otherwise, you may inadvertently overwrite important data.
-
Networking hardware prices have fallen sharply over the past five years. A surprising number
of Samba networking problems over this time have been traced to defective network interface
cards (NICs) or defective hubs, switches, and cables.
-
Not surprising is the fact that network administrators do not like to be shown to have made
a bad decision. Money saved in buying low-cost hardware may result in high costs incurred
in corrective action.
-
Defective NICs, hubs, and switches may appear as intermittent network access problems, intermittent
or persistent data corruption, slow network throughput, low performance, or even as blue-screen-of-death (BSOD)
problems with MS Windows clients. In one case, a company updated several workstations with newer, faster
@@ -253,14 +253,14 @@
an older PC that was unaffected so long as the new machines were kept shut down.
Defective hardware problems may take patience and persistence before the real cause can be discovered.
-
Networking hardware defects can significantly impact perceived Samba performance, but defective
RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server
operations. One business came to this realization only after replacing a Samba installation with MS
Windows Server 2000 running on the same hardware. The root of the problem completely eluded the network
administrator until the entire server was replaced. While you may well think that this would never
happen to you, experience shows that given the right (unfortunate) circumstances, this can happen to anyone.
-
This chapter has touched in broad sweeps on a number of simple steps that can be taken
to ensure that your Samba network is resilient, scalable, and reliable, and that it
performs well.
@@ -268,9 +268,9 @@
Always keep in mind that someone is responsible to maintain and manage your design.
In the long term, that may not be you. Spare a thought for your successor and give him or
her an even break.
-
Last, but not least, you should not only keep the network design simple, but it should
be well documented. This book may serve as your pattern for documenting every
aspect of your design, its implementation, and particularly the objects and assumptions
that underlie it.
- Table of Contents
+ Table of Contents
It has been said, “A day that is without troubles is not fulfilling. Rather, give
me a day of troubles well handled so that I can be content with my achievements.”
@@ -6,13 +6,25 @@
or experience them. The design of the network implemented in the last chapter may
create problems for some network users. The following lists some of the problems that
may occur:
-
+Notice: A significant number of network administrators have responded to the guidance given
+below. It should be noted that there are sites that have a single PDC for many hundreds of
+concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
+are among the factors that will determine the maximum number of Windows clients that
+can be served by a single domain controller (PDC or BDC) on a network segment. It is possible
+to operate with only a single PDC over a routed network. What is possible is not necessarily
+best practice. When Windows client network logons begin to fail with
+the message that the domain controller can not be found, or that the user account can not
+be found (when you know it exists), that may be an indication that the DC is overloaded or
+network bandwidth is overloaded. The guidance given in respect of PDC/BDC ratio to Windows
+clients is conservative and if followed will minimize problems - but it is not absolute.
+
+
When a Windows client logs onto the network, many data packets are exchanged
between the client and the server that is providing the network logon services.
Each request between the client and the server must complete within a specific
time limit. This is one of the primary factors that govern the installation of
-
+
multiple domain controllers (usually called secondary or backup controllers).
As a rough rule, there should be one such backup controller for every
30 to 150 clients. The actual limits are determined by network operational
@@ -28,26 +40,26 @@
and a common rule is not to exceed 30 machines (Windows workstations plus
Domain Member servers) per Domain Controller.
-
+
Slow logons and log-offs may be caused by many factors that include:
-
Excessive delays in the resolution of a NetBIOS name to its IP
address. This may be observed when an overloaded domain controller
is also the WINS server. Another cause may be the failure to use
a WINS server (this assumes that there is a single network segment).
-
Network traffic collisions due to overloading of the network
segment one short-term workaround to this may be to replace
network HUBs with Ether-switches.
-
Defective networking hardware. Over the past few years, we have seen
on the Samba mailing list a significant increase in the number of
problems that were traced to a defective network interface controller,
a defective HUB or Etherswitch, or defective cabling. In most cases,
it was the erratic nature of the problem that ultimately pointed to
the cause of the problem.
-
Excessively large roaming profiles. This type of problem is typically
the result of poor user eduction, as well as poor network management.
It can be avoided by users not storing huge quantities of email in
@@ -56,7 +68,7 @@
on the part of network management.
- <listitem>
+ <listitem>
You should verify that the Windows XP WebClient service is not running.
The use of the WebClient service has been implicated in many Windows
networking related problems.
@@ -65,22 +77,22 @@
Loss of access to network resources during client operation may be caused by a number
of factors including:
-
No matter what the cause, a sudden operational loss of access to network resources can
result in BSOD (blue screen of death) situations that necessitate rebooting of the client
workstation. In the case of a mild problem, retrying to access the network drive of printer
may restore operations, but in any case this is a serious problem as it may lead to the next
problem, data corruption.
-
Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
frustration, and generally precipitates immediate corrective demands. Management response
to this type of problem may be rational, as well as highly irrational. There have been
@@ -94,7 +106,48 @@
anticipate and to combat network performance issues. You can work through complex and thorny
methods to improve the reliability of your network environment, but be warned that all such steps
demand the price of complexity.
-
+
+
+ Computer (machine) accounts can be placed where ever you like in an LDAP directory subject to some
+ constraints that are described in this section.
+
+
+
+
+
+ The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
+ i.e.: Machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
+ them. A user account and a machine account are indistinquishable from each other, except that
+ the machine account ends in a '$' character, as do trust accounts.
+
+
+
+ The need for Windows user, group, machine, trust, etc. accounts to be tied to a valid UNIX UID
+ is a design decision that was made a long way back in the history of Samba development. It is
+ unlikely that this decision will be reversed of changed during the remaining life of the
+ Samba-3.x series.
+
+
+
+ The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
+ must refer back to the host operating system on which Samba is running. The Name Service
+ Switcher (NSS) is the preferred mechanism that shields applications (like Samba) from the
+ need to know everything about every host OS it runs on.
+
+ Samba asks the host OS to provide a UID via the “passwd”, “shadow”
+ and “group” facilities in the NSS control (configuration) file. The best tool
+ for achieving this is left up to the UNIX administrator to determine. It is not imposed by
+ Samba. Samba provides winbindd together with its support libraries as one method. It is
+ possible to do this via LDAP - and for that Samba provides the appropriate hooks so that
+ all account entities can be located in an LDAP directory.
+
+
+ For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
+ be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
+ is fundamentally an LDAP design question. The information provided on the Samba list and
+ in the documentation is directed at providing working examples only. The design
+ of an LDAP directory is a complex subject that is beyond the scope of this documentation.
+
Mr. Bob Jordan just opened an email from Christine that reads:
Bob,
@@ -122,7 +175,7 @@
the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
regain control of our vital IT operations.
-
Every compromise has consequences. Having a large routed (i.e., multi-segment) network with only a
single domain controller is a poor design that has obvious operational effects that may
frustrate users. Here is Bob's reply:
@@ -133,37 +186,37 @@
Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
for approval; I appreciate the urgency.
-
+
The priority of assigned tasks in this chapter is:
-
Implement Backup Domain Controllers (BDCs) in each building. This involves
a change from use of a tdbsam backend that was used in the previous
chapter, to use an LDAP-based backend.
You can implement a single central LDAP server for this purpose.
-
Rectify the problem of excessive logon times. This involves redirection of
folders to network shares as well as modification of all user desktops to
exclude the redirected folders from being loaded at login time. You can also
create a new default profile that can be used for all new users.
-
You configure a new MS Windows XP Professional Workstation disk image that you
roll out to all desktop users. The instructions you have created are followed on a
staging machine from which all changes can be carefully tested before inflicting them on
your network users.
-
This is the last network example in which specific mention of printing is made. The example
again makes use of the CUPS printing system.
-
The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
LDAP servers in current use with Samba-3 include:
- Novell eDirectory.
+ Novell eDirectory.
eDirectory is being successfully used by some sites. Information on how to use eDirectory can be
- obtained from the Samba mailing lists or from Novell. IBM
Tivoli Directory Server,
can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba
- source code tarball under the directory ~samba/example/LDAP. Sun
+ source code tarball under the directory ~samba/example/LDAP. Sun
ONE Identity Server.
This product suite provides an LDAP server that can be used for Samba. Example schema files are
provided in the Samba source code tarball under the directory
@@ -173,13 +226,13 @@
offerings, it requires that you manually edit the server configuration files and manually
initialize the LDAP directory database. OpenLDAP itself has only command line tools to
help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
-
For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
adequate. If you are migrating from Microsoft Active Directory, be
warned that OpenLDAP does not include
GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
-
When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
High availability operation may be obtained through directory replication/synchronization and
master/slave server configurations. OpenLDAP is a mature platform to host the organizational
@@ -188,7 +241,7 @@
of management tools is well rewarded by performance and flexibility, and the freedom to manage directory
contents with greater ability to back up, restore, and modify the directory than is generally possible
with Microsoft Active Directory.
-
A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely pre-configured
for a specific task orientation. It comes with a set of administrative tools that is entirely customized
@@ -199,7 +252,7 @@
MS ADAM that provides more-generic LDAP services, yet it does not have the vanilla-like services
of OpenLDAP.
-
You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
if you find the challenge of learning about LDAP directories, schemas, configuration, and management
tools, and the creation of shell and Perl scripts a bit
@@ -207,10 +260,12 @@
many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
that is required for use as a passdb backend.
+
For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
- The Web-based tools you might like to consider include: The LDAP
- Account Manager (LAM), as well as the Webmin-based Idealx
+ The Web-based tools you might like to consider include: The
+ LDAP Account Manager (LAM), as well as the
+ Webmin-based Idealx
CGI tools.
Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of
@@ -220,35 +275,35 @@
JXplorer (by Computer Associates),
and the last is called phpLDAPadmin.
- The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly lacks
- security. No form of secure LDAP communications is attempted. The LDAP configuration information provided
+ The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
+ security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
LDAP before attempting to deploy it in a business-critical environment.
Information to help you get started with OpenLDAP is available from the
-
- OpenLDAP Web Site. Many people have found the book
- LDAP System Administration, written by Jerry Carter, quite useful.
-
+ OpenLDAP Web Site. Many people have found the book
+ LDAP System Administration,
+ written by Jerry Carter, quite useful.
+
Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
be loaded over the wide-area network connection. This addition of BDCs on each network segment significantly
improves overall network performance for most users, but this is not enough. You must gain control over
user desktops, and this must be done in a way that wins their support and does not cause further loss of
staff morale. The following procedures solve this problem.
-
There is also an opportunity to implement smart printing features. You add this to the Samba configuration
so that future printer changes can be managed without need to change desktop configurations.
You add the ability to automatically download new printer drivers, even if they are not installed
in the default desktop profile. Only one example of printing configuration is given. It is assumed that
you can extrapolate the principles and use this to install all printers that may be needed.
-
The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
accounts are stored Posix schema extensions. Samba provides its own schema to permit storage of account
attributes Samba needs. Samba-3 can use the LDAP backend to store:
- Windows Networking User Accounts Windows NT Group Accounts Mapping Information between UNIX Groups and Windows NT Groups ID Mappings for SIDs to UIDs (also for foreign Domain SIDs) Windows Networking User Accounts Windows NT Group Accounts Mapping Information between UNIX Groups and Windows NT Groups ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)
The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
accounts in the LDAP backend. This implies the need to use the
PADL LDAP tools. The resolution
@@ -257,11 +312,11 @@
or from the LDAP backend. This requires the use of the PADL nss_ldap toolset
that integrates with the name service switcher (NSS). The same requirements exist for resolution
of the UNIX username to the UID. The relationships are demonstrated in ???.
-
You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
ought to learn how to configure secure communications over LDAP so that sites security is not
at risk. This is not covered in the following guidance.
-
When OpenLDAP has been made operative, you configure the Primary Domain Controller (PDC)
called MASSIVE. You initialize the Samba
secrets.tdb
@@ -270,21 +325,35 @@
hints are, of course, provided. You can also find on the enclosed
CD-ROM, in the Chap06
directory, a few tools that help to manage user and group configuration.
-
In order to effect folder redirection and to add robustness to the implementation,
create a network Default Profile. All network users workstations are configured to use
the new profile. Roaming profiles will automatically be deleted from the workstation
when the user logs off.
-
The profile is configured so that users cannot change the appearance
of their desktop. This is known as a mandatory profile. You make certain that users
are able to use their computers efficiently.
-
A network logon script is used to deliver flexible but consistent network drive
connections.
-
+
+
+
+
+
+ Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
+ that maps to the UNIX UID=0. The UNIX operating system permits only the root
+ user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
+ Privilieges. This new facility introduced four new privileges that
+ can be assigned to users and/or groups:
+ Table 6.1. Current Privilege Capabilities SeMachineAccountPrivilege Add machines to domain SePrintOperatorPrivilege Manage printers SeAddUsersPrivilege Add users and groups to the domain SeRemoteShutdownPrivilege Force shutdown from a remote system SeDiskOperatorPrivilege Manage disk share
+ In this network example use will be made of one of the supported privileges purely to demonstrate
+ how any user can now be given the ability to add machines to the domain using a normal user account
+ that has been given the appropriate privileges.
+
As XP roaming profiles grow, so does the amount of time it takes to log in and out.
-
An XP Roaming Profile consists of the HKEY_CURRENT_USER hive file
NTUSER.DAT and a number of folders (My Documents, Application Data,
Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
@@ -306,15 +375,15 @@
Java plug-in's cache (the .jpi_cache directory in the profile), as well as training the
user to not place large files on the Desktop and to use his mapped home directory for
saving documents instead of the My Documents folder.
-
Using a folder other than My Documents is a nuisance for
some users since many applications use it by default.
-
The secret to rapid loading of roaming profiles is to prevent unnecessary data from
being copied back and forth, without losing any functionality. This is not difficult;
it can be done by making changes to the Local Group Policy on each client as well
as changing some paths in each user's NTUSER.DAT hive.
-
Every user profile has their own NTUSER.DAT file. This means
you need to edit every user's profile, unless a better method can be
followed. Fortunately, with the right preparations, this is not difficult.
@@ -322,7 +391,7 @@
user's profile. Then just create a Network Default Profile. Of course, it is
necessary to copy all files from redirected folders to the network share to which
they are redirected.
-
Without an Active Directory PDC, you cannot take full advantage of Group Policy
Objects. However, you can still make changes to the Local Group Policy by using
the Group Policy editor (gpedit.msc).
@@ -336,13 +405,13 @@
Simply add the folders you do not wish to be copied back and forth to this
semi-colon separated list. Note that this change must be made on all clients
that are using roaming profiles.
-
There are two changes that should be done to each user's profile. Move each of
the directories that you have excluded from being copied back and forth out of
the usual profile path. Modify each user's NTUSER.DAT file
to point to the new paths that are shared over the network, instead of the default
path (C:\Documents and Settings\%USERNAME%).
-
The above modifies existing user profiles. So that newly created profiles have
these settings, you will need to modify the NTUSER.DAT in
the C:\Documents and Settings\Default User folder on each
@@ -350,7 +419,7 @@
NTUSER.DAT to a Linux box and using
regedt32.
The basic method is described under ???.
-
If you are using Samba as your PDC, you should create a file-share called
NETLOGON and within that create a directory called
Default User, which is a copy of the desired default user
@@ -359,7 +428,7 @@
the first login from a new account pulls its configuration from it.
See also:
the Real Men Don't Click Web site.
-
The subject of printing is quite topical. Printing problems run second place to name
resolution issues today. So far in this book, you have experienced only what is generally
known as “dumb” printing. Dumb printing is the arrangement where all drivers
@@ -367,7 +436,7 @@
or intelligent processing. Dumb printing is easily understood. It usually works without
many problems, but it has its limitations also. Dumb printing is better known as
Raw Print Through printing.
-
Samba permits the configuration of Smart printing using the Microsoft
Windows point-and-click (also called drag-and-drop) printing. What this provides is
essentially the ability to print to any printer. If the local client does not yet have a
@@ -380,7 +449,7 @@
printing that automatically senses the file format of data submitted for printing and
then invokes a suitable print filter to convert the incoming data stream into a format
suited to the printer to which the job is dispatched.
-
The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
detect the data format and apply a print filter. This means that it is feasible to install
on all Windows clients a single printer driver for use with all printers that are routed
@@ -397,12 +466,183 @@
This book is about Samba-3, so you can confine the printing style to just the smart
style of installation. Those interested in further information regarding intelligent
printing should review documentation on the Easy Software Products Web site.
-
+ It has often been said that there are three types of people in the world: Those who
+ have sharp minds and those that forget things. Please do not ask what the third group
+ are like! Well, it seems that many of us have company in the second group. There must
+ be a good explanation why so many network administrators fail to solve apparently
+ simple problems efficiently and effectively.
+
+ Here are some diagnostic guidelines that can be referred to when things go wrong:
+
+ The best advice regarding how best to mend a broken leg was “never break a leg!”
+
+ New comers to Samba and LDAP seem to struggle a great deal at first. If you want advice
+ regarding the best way to remedy LDAP and Samba problems: “Avoid them like the plague!”
+
+ If you are now asking yourself how can problems be avoided? The best advice is to start
+ out your learning experience with an known-to-work solution. After
+ you have seen a fully working solution, a good way to learn is to make slow and progressive
+ changes that cause things to break, then observe carefully how and why things ceased to work.
+
+ The examples in this chapter (also in the book as a whole) are known to work. That means
+ that they could serve as the kick-off point for your journey through fields of knowledge.
+ Use this resource carefully; we hope it serves you well.
+
+ Warning: Do not be lulled into thinking that you can easily adopt the examples in this
+ book and adapt them without first working through the working examples provided. A little
+ thing over-looked can cause untold pain and may permanently tarnish your experience.
+
+ In the example /etc/openldap/slapd.conf control file
+ (see ???) there is an entry for loglevel 256.
+ To enable logging via the syslog infrastructure it is necessary to uncomment this parameter
+ and restart slapd.
+
+ LDAP log information can be directed into a file that is separate from the normal system
+ log files by changing the /etc/syslog.conf file so it has the following
+ contents:
+
+ In the above case, all LDAP related logs will be directed to the file
+ /var/log/ldaplogs. This makes it easy to track LDAP errors.
+
+ The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
+ /etc/ldap.conf file the following parameters:
+
+ Create the log directory as follows:
+
+
+ The diagnostic process should follow the following steps:
+
+ Verify the nss_base_passwd, nss_base_shadow, nss_base_group entries
+ in the /etc/ldap.conf file and compare them closely with the directory
+ tree location that was chosen in when the directory was first created.
+
+ One was this can be done is by executing:
+
+ The first line is the DIT entry point for the container for POSIX groups. The correct entry
+ for the /etc/ldap.conf for the nss_base_group
+ parameter therefore is the distinquished name (dn) as applied here:
+
+ The same process may be followed to determine the appropriate dn for user accounts.
+ If the container for computer accounts is not the same as that for users (see the smb.conf
+ file entry for ldap machine suffix, it may be necessary to set the
+ following DIT dn in the /etc/ldap.conf:
+
+ This instructs LDAP to search for machine as well as user entries from the top of the DIT
+ down. This is inefficient, but at least should work.
+
+ Perform lookups such as:
+
+ Each such lookup will create an entry in the /data/log directory
+ for each such process executed. The contents of that file may provide a hint as to
+ the cause of the failure that is being investigated.
+
+ Check the contents of the /var/log/messages to see what error messages are being
+ generated as a result of the LDAP lookups. Here is an example of a successful lookup:
+
+
+ Check that the bindpw entry in the /etc/ldap.conf or in the
+ /etc/ldap.secrets file is correct. i.e.: As specified in the
+ /etc/openldap/slapd.conf file.
+
+ The following parameters in the smb.conf file can be useful in tracking down Samba related problems:
+
+ This will result in the creation of a separate log file for every client from which connections
+ are made. The log file will be quite verbose and will grow continually. Do not forget to
+ change these lines to the following when debugging has been completed:
+
+
+ The log file can be analyzed by executing:
+
+
+ Search for hints of what may have failed by lokking for the words fail
+ and error.
+
+ MS Windows 2000 Professional and Windows XP Professional clients are capable of being configured
+ to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
+ the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
+ version of MS Windows.
+
MS Windows network users are generally very sensitive to limits that may be imposed when
confronted with locked-down workstation configurations. The challenge you face must
be promoted as a choice between reliable and fast network operation, and a constant flux
of problems that result in user irritation.
-
You are starting a complex project. Even though you have gone through the installation
of a complex network in chapter 5, this network is a bigger challenge because of the
large number of complex applications that must be configured before the first few steps
@@ -410,56 +650,109 @@
frequently review the steps ahead while making at least a mental note of what has already
been completed. The following task list may help you to keep track of the task items
that are covered:
- Samba-3 PDC Server Configuration DHCP and DNS Servers OpenLDAP Server PAM and NSS Client Tools Samba-3 PDC Idealx SMB-LDAP Scripts LDAP Initialization Create User and Group Accounts Printers Share Point Directory Roots Profile Directories Samba-3 BDC Server Configuration DHCP and DNS Servers PAM and NSS Client Tools Printers Share Point Directory Roots Profiles Directories Samba-3 BDC Server Configuration Windows XP Client Configuration Default Profile Folder Redirection MS Outlook PST File Relocation Delete Roaming Profile on Logout Upload Printer Drivers to Samba Servers Install Software Creation of Roll-out Images Samba-3 PDC Server Configuration DHCP and DNS Servers OpenLDAP Server PAM and NSS Client Tools Samba-3 PDC Idealx SMB-LDAP Scripts LDAP Initialization Create User and Group Accounts Printers Share Point Directory Roots Profile Directories Samba-3 BDC Server Configuration DHCP and DNS Servers PAM and NSS Client Tools Printers Share Point Directory Roots Profiles Directories Samba-3 BDC Server Configuration Windows XP Client Configuration Default Profile Folder Redirection MS Outlook PST File Relocation Delete Roaming Profile on Logout Upload Printer Drivers to Samba Servers Install Software Creation of Roll-out Images
The network design shown in ??? is not comprehensive. It is assumed
that you will install additional file servers, and possibly additional BDCs.
-
- All configuration files and locations are shown for SUSE Linux 9.0. The file locations for
- Red Hat Linux are similar. You may need to adjust the locations for your particular
- Linux system distribution/implementation.
-
+
+ All configuration files and locations are shown for SUSE Linux 9.2 and are equaly valid for SUSE
+ Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
+ adjust the locations for your particular Linux system distribution/implementation.
+
+The following information applies to Samba-3.0.12 when used with the Idealx smbldap-tools scripts
+version 0.8.7. If using a different version of Samba, or of the smbldap-tools tarball, please
+verify that the versions you are about to use are matching.
+
The steps in the process involve changes from the network configuration
shown in ???.
Before implementing the following steps, you must have completed the network implementation shown
in that chapter. If you are starting with newly installed Linux servers, you must complete
the steps shown in ??? before commencing
at ???:
-
- Confirm that the packages shown in ??? are installed on your system.
- Table 6.1. Required OpenLDAP Linux Packages
+
+ Confirm that the packages shown in ??? are installed on your system.
+ Table 6.2. Required OpenLDAP Linux Packages
Samba-3 and OpenLDAP will have a degree of inter-dependence that is unavoidable. The method
for boot-strapping the LDAP and Samba-3 configuration is relatively straight forward. If you
follow these guidelines, the resulting system should work fine.
-
- Install the file shown in ??? in the directory
+
+ Install the file shown in ??? in the directory
/etc/openldap.
-
- Remove all files from the directory /var/lib/ldap, making certain that
+
+ Remove all files from the directory /data/ldap, making certain that
the directory exists with permissions:
This may require you to add a user and a group account for LDAP if they do not exist.
- Example 6.1. LDAP Master Configuration File /etc/openldap/slapd.conf
+ Install the file shown in ??? in the directory
+ /data/ldap. In the event that this file is added after ldap
+ has been started, it is possible to cause the new settings to take effect by shutting down
+ the LDAP server, executing the db_recover command inside the
+ /data/ldap directory, and then restarting the LDAP server.
+
+ Performance logging can be enabled and should preferrably be sent to a file on
+ a file system that is large enough to handle significantly sized logs. To enable
+ the logging at a verbose level to permit detailed analysis uncomment the entry in
+ the /etc/openldap/slapd.conf shown as “loglevel 256”.
+
+ Edit the /etc/syslog.conf file to add the following at the end
+ of the file:
+
+ Note: The path /data/ldap/log should be set a a location
+ that is convenient and that can store a large volume of data.
+ Example 6.1. LDAP DB_CONFIG File Example 6.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A
The steps that follow involve configuration of LDAP, Name Service Switch (NSS) LDAP-based resolution
of users and groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead
configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
@@ -481,49 +774,61 @@
Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
correct configuration of the Pluggable Authentication
- Modules
+ Modules
(PAM). The pam_ldap
open source package provides the PAM modules that most people would use. On SUSE Linux systems,
the pam_unix2.so module also has the ability to redirect authentication requests
through LDAP.
-
You have chosen to configure these services by directly editing the system files but, of course, you
know that this configuration can be done using system tools provided by the Linux system vendor.
SUSE Linux has a facility in YaST (the system admin tool) through ->-> that permits
configuration of SUSE Linux as an LDAP client. Red Hat Linux provides
the authconfig
tool for this.
- Example 6.2. Configuration File for NSS LDAP Support /etc/ldap.conf Example 6.4. Configuration File for NSS LDAP Support /etc/ldap.conf Example 6.3. Configuration File for NSS LDAP Clients Support /etc/ldap.conf Example 6.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf
Execute the following command to find where the nss_ldap module
expects to find its control file:
On the server MASSIVE, install the file shown in
- ??? into the path that was obtained from the step above.
+ ??? into the path that was obtained from the step above.
On the servers called BLDG1 and BLDG2, install the file shown in
- ??? into the path that was obtained from the step above.
-
+ ??? into the path that was obtained from the step above.
+
Edit the NSS control file (/etc/nsswitch.conf) so that the lines that
control user and group resolution will obtain information from the normal system files as
well as from ldap as follows:
@@ -549,7 +854,7 @@
added, you can validate resolution of the LDAP resolver process. The inclusion of
WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be
resolved to their IP addresses, whether or not they are DHCP clients.
-
For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
files in the /etc/pam.d directory:
login, password, samba, sshd.
@@ -572,7 +877,7 @@
session required pam_unix2.so none use_ldap # debug or trace
session required pam_limits.so
-
On other Linux systems that do not have an LDAP-enabled pam_unix2.so module,
you must edit these files by adding the pam_ldap.so modules as shown here:
+ Verify that the Samba-3.0.12 (or later) packages are installed on each SUSE Linux server
+ before following the steps below. If Samba-3.0.12 (or later) is not installed, you have the
choice to either build your own or to obtain the packages from a dependable source.
- Packages for SUSE Linux 8.2 and 9.0, and Red Hat 9.0 are included on the CD-ROM that
+ Packages for SUSE Linux 8.x, 9.x and SUSE Linux Enterprise Server 9, as well as for
+ Red Hat Fedora Core and Red Hat Enteprise Linux Server 3 and 4 are included on the CD-ROM that
is included at the back of this book.
- Procedure 6.3. Configuration of PDC Called: MASSIVE
- Install the files in ???,
- ???, ???,
- and ??? into the /etc/samba/
+ Procedure 6.4. Configuration of PDC Called: MASSIVE
+ Install the files in ???,
+ ???, ???,
+ and ??? into the /etc/samba/
directory. The three files should be added together to form the smb.conf
- file.
-
- Verify the contents of the smb.conf file that is generated by Samba
- as it collates all the included files. You do this by executing:
+ master file. It is a good practice to call this file something like
+ smb.conf.master, and then to perform all file edits
+ on the master file. The operational smb.conf is then generated as shown in
+ the next step.
+
+ Create and verify the contents of the smb.conf file that is generated by:
+
+ Immediately follow this with the following:
The output that is created should be free from errors, as shown here:
Delete all run-time files from prior Samba operation by executing (for SUSE
@@ -637,7 +952,7 @@
root# rm /var/lib/samba/*dat
root# rm /var/log/samba/*
-
Samba-3 communicates with the LDAP server. The password that it uses to
authenticate to the LDAP server must be stored in the secrets.tdb
file. Execute the following to create the new secrets.tdb files
@@ -649,7 +964,7 @@
-
Samba-3 generates a Windows Security Identifier only when smbd
has been started. For this reason, you start Samba. After a few seconds delay,
execute:
@@ -660,11 +975,17 @@
A report such as the following means that the Domain Security Identifier (SID) has not yet
been written to the secrets.tdb or to the LDAP backend:
- When the Domain has been created and written to the secrets.tdb
- file, the output should look like this:
+[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
+ failed to bind to server ldap://massive.abmas.biz
+with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server
+ (unknown)
+[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
+ smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)
+
+ The attempt to read the SID will attempt to bind to the LDAP server. Because the LDAP server
+ is not running this operation will fail by way of a time out, as shown above. This is
+ normal output, do not worry about this error message. When the Domain has been created and
+ written to the secrets.tdb file, the output should look like this:
@@ -676,10 +997,10 @@
When a positive Domain SID has been reported, stop Samba.
-
-
-
-
+
+
+
+
Configure the NFS server for your Linux system. So you can complete the steps that
follow, enter into the /etc/exports the following entry:
Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
configuration of the LDAP server.
- Example 6.4. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A Example 6.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A Example 6.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B Example 6.5. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
- on the LDAP server. You have chosen the Idealx scripts since they are part of the
- Samba-3 package distribution. On your SUSE Linux system, you find these scripts in the
- /usr/share/doc/packages/samba3/Examples/LDAP/smbldap-tools
- directory. On a Red Hat Linux system, they are in a similar path. If you cannot find
- the scripts on your system, it is easy enough to download them from the Idealx
+ on the LDAP server. You have chosen the Idealx scripts since they are the best known
+ LDAP configuration scripts. The use of these scripts will help avoid the necessity
+ to create custom scripts. It is easy to download them from the Idealx
Web Site. The tarball may
- be directly downloaded
- for this site, also.
-
- In your installation, the smbldap-tools are located in /var/lib/samba/sbin.
- They can be installed in any convenient directory of your choice, in which case you must
- change the path to them in your smb.conf file on the PDC (MASSIVE).
-
+ be directly downloaded
+ for this site, also. Alternately, you may obtain the
+ smbldap-tools-0.8.7-3.src.rpm
+ file that may be used to build an installable RPM package for your Linux system.
+
+The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must
+change the path to them in your smb.conf file on the PDC (MASSIVE).
+
+ The smbldap-tools are located in /opt/IDEALX/sbin.
The scripts are not needed on BDC machines because all LDAP updates are handled by
the PDC alone.
+
+ To perform a manual installation of the smbldap-tools scripts the following procedure may be used:
- Create the /var/lib/samba/sbin directory, and set its permissions
+ Create the /opt/IDEALX/sbin directory, and set its permissions
and ownership as shown here:
If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
Change into either the directory extracted from the tarball, or else into the smbldap-tools
directory in your /usr/share/doc/packages directory tree.
- Copy all the .pl and .pm files into the
- /var/lib/samba/sbin directory, as shown here:
+ Copy all the smbldap-* and the configure.pl files into the
+ /opt/IDEALX/sbin directory, as shown here:
-
- You must compile the mkntpasswd tool and then install it into
- the /var/lib/samba/sbin directory, as shown here:
-
- The smbldap-tools scripts must now be configured.
- Change to the /var/lib/samba/sbin directory, and edit the
- /var/lib/samba/sbin/smbldap_conf.pm to affect the changes
+ The smbldap-tools scripts master control file must now be configured.
+ Change to the /opt/IDEALX/sbin directory, then edit the
+ smbldap_tools.pm to affect the changes
shown here:
To complete the configuration of the smbldap-tools, set the permissions and ownership
by executing the following commands:
+ The smbldap-tools scripts are now ready for the configuration step outlined in
+ Configuration of smbldap-tools.
+
+ In the event that you have elected to use the RPM package provided by Idealx, download the
+ source RPM smbldap-tools-0.8.7-3.src.rpm, then follow the following procedure:
+
+ Install the source RPM that has been downloaded as follows:
+
- The smbldap-tools scripts are now ready for use.
-
+
+ Change into the directory in which the SPEC files are located. On SUSE Linux:
+
+ On Red Hat Linux systems:
+
+
+ Edit the smbldap-tools.spec file to change the value of the
+ _sysconfig macro as shown here:
+
+ Note: Any suitable directory can be specified.
+
+ Build the package by executing:
+
+ A build process that has completed without error will place the installable binary
+ files in the directory ../RPMS/noarch.
+
+ Install the binary package by executing:
+
+
+ The Idealx scripts should now be ready for configuration using the steps outlined in
+ Configuration of smbldap-tools.
+
+ Prior to use the smbldap-tools must be configured to match the settings in the smb.conf file
+ and to match the settings in the /etc/openldap/slapd.conf file. The assumption
+ is made that the smb.conf file has correct contents. The following procedure will ensure that
+ this is completed correctly:
+
+ The smbldap-tools require that the netbios name (machine name) of the Samba server be included
+ in the smb.conf file.
+
+ Change into the directory that contains the configure.pl script.
+
+
+ Execute the configure.pl script as follows:
+
+ The interactive use of this script for the PDC is demonstrated here:
+
+ Since a slave LDAP server has not been configured it is necessary to specify the IP
+ address of the master LDAP server for both the master and the slave configuration
+ prompts.
+
+ Change to the directory that contains the smbldap.conf file
+ then verify its contents.
+
+ The smbldap-tools are now ready for use.
+
The LDAP database must be populated with well-known Windows Domain user accounts and Domain Group
accounts before Samba can be used. The following procedures step you through the process.
@@ -941,7 +1352,7 @@
does not need to ask LDAP.
Addition of an account to the LDAP backend can be done in a number of ways:
-
If you always have a user account in the /etc/passwd on every
server or in a NIS(+) backend, it is not necessary to add Posix accounts for them in
LDAP. In this case, you can add Windows Domain user accounts using the
@@ -953,15 +1364,15 @@
In the example system you are installing in this exercise, you are making use of the
Idealx smbldap-tools scripts. A copy of these tools, pre-configured for this system,
is included on the enclosed CD-ROM under Chap06/Tools.
-
If you wish to have more control over how the LDAP database is initialized or
want not to use the Idealx smbldap-tools, you should refer to ???.
-
The following steps initialize the LDAP database, and then you can add user and group
- accounts that Samba can use. You use the smbldap-populate.pl to
- seed the LDAP database. You then manually add the accounts shown in ???.
+ accounts that Samba can use. You use the smbldap-populate to
+ seed the LDAP database. You then manually add the accounts shown in ???.
The list of users does not cover all 500 network users; it provides examples only.
-
In the following examples, as the LDAP database is initialized, we do create a container
for Computer (machine) accounts. In the Samba-3 smb.conf files, specific use is made
of the People container, not the Computers container, for domain member accounts. This is not a
@@ -971,38 +1382,57 @@
are able to side-step this bug. It is expected that at some time in the future this problem will
be resolved. At that time, it will be possible to use the Computers container in order to keep
machine accounts separate from user accounts.
- Table 6.2. Abmas Network Users and Groups Table 6.3. Abmas Network Users and Groups
Start the LDAP server by executing:
- Change to the /var/lib/samba/sbin directory.
+ Change to the /opt/IDEALX/sbin directory.
Execute the script that will populate the LDAP database as shown here:
+ The expected output from this is:
+
+
+ Edit the /etc/smbldap-tools/smbldap.conf file so that the following
+ information is changed from:
+
+ to read, after modification:
+
It is necessary to restart the LDAP server as shown here:
@@ -1011,7 +1441,7 @@
Shutting down ldap-server done
Starting ldap-server done
-
So that we can use a global IDMAP repository the LDAP directory must have a container object for IDMAP data.
There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
the simplest is to execute:
@@ -1020,16 +1450,16 @@
dn: ou=Idmap,dc=abmas,dc=biz
ou: idmap
-
+
If the execution of this command does not return IDMAP entries, you need to create an LDIF
- template file (see ???). You can add the required entries using
+ template file (see ???). You can add the required entries using
the following command:
Samba automatically populates this LDAP directory container when it needs to.
-
It looks like all has gone well, as expected. Let's confirm that this is the case
by running a few tests. First we check the contents of the database directly
by running slapcat as follows (the output has been cut down):
@@ -1066,7 +1496,7 @@
modifyTimestamp: 20031217234206Z
This looks good so far.
-
The next step is to prove that the LDAP server is running and responds to a
search request. Execute the following as shown (output has been cut to save space):
Good. It is all working just fine.
-
You must now make certain that the NSS resolver can interrogate LDAP also.
Execute the following commands:
This demonstrates that the nss_ldap library is functioning
as it should.
-
Our database is now ready for the addition of network users. For each user for
whom an account must be created, execute the following:
Where username is the login ID for each user.
-
Now verify that the UNIX (Posix) accounts can be resolved via NSS by executing the
following:
+ This demonstates that user account resolution via LDAP is working.
+
+ This step will determin
+
- This confirms that the UNIX (Posix) user accounts can be resolved from LDAP.
-
- In the above listing, you can see that the user Administrator
- has been given UID=998. This means that operations conducted from a Windows client
- using tools such as the Domain User Manager fails under UNIX because the
- management of user and group accounts requires that the UID=0. You decide to rectify
- this immediately as demonstrated here:
+ This confirms that the UNIX (Posix) user account information can be resolved from LDAP
+ by system tools that make a getentpw() system call.
+
+ The 'root' account must have UID=0, if not this means that operations conducted from
+ a Windows client using tools such as the Domain User Manager fails under UNIX because
+ the management of user and group accounts requires that the UID=0. Additionally, it is
+ a good idea to make certain that no matter how 'root' account credentials are resolved
+ that the home directory and shell are valid. You decide to effect this immediately
+ as demonstrated here:
+ Verify that the changes just made to the root account were
+ accepted by executing:
+
+ This demonstrates that the changes were accepted.
+
Make certain that a home directory has been created for every user by listing the
directories in /home as follows:
This is precisely what we want to see.
-
The final validation step involves making certain that Samba-3 can obtain the user
accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
This looks good. Of course, you fully expected that it would all work, didn't you?
-
Now you add the group accounts that are used on the Abmas network. Execute
the following exactly as shown:
The addition of groups does not involve keyboard interaction, so the lack of console
output is of no concern.
-
You really do want to confirm that UNIX group resolution from LDAP is functioning
as it should. Let's do this as shown here:
The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
as our own site-specific group accounts, are correctly listed. This is looking good.
-
The final step we need to validate is that Samba can see all the Windows Domain Groups
and that they are correctly mapped to the respective UNIX group account. To do this,
just execute the following command:
@@ -1269,20 +1719,25 @@
The next step might seem a little odd at this point, but take note that you are about to
start winbindd which must be able to authenticate to the PDC via the
- localhost interface. This requires a Domain account for the PDC. This account can be
+ localhost interface with the smbd process. This account can be
easily created by joining the PDC to the Domain by executing the following command:
+ Note: Before executing this command on the PDC both nmbd and
+ smbd must be started so that the net command
+ can communicate with smbd. The expected output is:
+
- This indicates that the Domain security account for the BDC has been correctly created.
+ This indicates that the Domain security account for the PDC has been correctly created.
At this time it is necessary to restart winbindd so that it can
correctly authenticate to the PDC. The following command achieves that:
-
You may now check Samba-3 operation as follows:
The server MASSIVE is now configured, and it is time to move onto the next task.
-
The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
taken care of in the smb.conf file. The only preparation needed for
smart
@@ -1345,16 +1800,17 @@
Follow the instructions in the printer manufacturers' manuals to permit printing
to port 9100. Use any other port the manufacturer specifies for direct mode,
raw printing. This allows the CUPS spooler to print using raw mode protocols.
-
-
-
+
Only on the server to which the printer is attached, configure the CUPS Print
Queues as follows:
-
+
This step creates the necessary print queue to use no assigned print filter. This
is ideal for raw printing, i.e., printing without use of filters.
The name printque is the name you have assigned for
@@ -1374,15 +1830,15 @@
root# /usr/bin/accept printque
-
-
-
+
+
+
Edit the file /etc/cups/mime.convs to uncomment the line:
-
+
Edit the file /etc/cups/mime.types to uncomment the line:
- Procedure 6.10. Configuration of BDC Called: BLDG1
+ Install the files in ???,
+ ???, and ???
into the /etc/samba/ directory. The three files
should be added together to form the smb.conf file.
@@ -1434,7 +1890,7 @@
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
...
-Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false
+root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
nobody:x:999:514:nobody:/dev/null:/bin/false
bobj:x:1000:513:System User:/home/bobj:/bin/bash
stans:x:1001:513:System User:/home/stans:/bin/bash
@@ -1444,7 +1900,7 @@
bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
-
The next step in the verification process involves testing the operation of UNIX group
resolution via the NSS LDAP resolver. Execute these commands:
You must now set the LDAP administrative password into the
Samba-3 secrets.tdb
file by executing this command:
@@ -1502,16 +1958,16 @@
To join the Samba BDC to the Domain execute the following:
This indicates that the Domain security account for the BDC has been correctly created.
-
+
Verify that user and group account resolution works via Samba-3 tools as follows:
Your new BLDG1, BLDG2 servers do not have home directories for users.
- To rectify this using the SUSE yast2 utility or by manually
- editing the /etc/fstab
+ To rectify this using the SUSE yast2 utility or by manually editing the /etc/fstab
file, add a mount entry to mount the home directory that has been exported
from the MASSIVE server. Mount this resource before proceeding. An alternate
approach could be to create local home directories for users who are to use these machines.
@@ -1583,226 +2038,230 @@
57681 blocks of size 524288. 57128 blocks available
smb: \> q
- Example 6.6. LDAP Based smb.conf File, Server: BLDG1 Example 6.8. LDAP Based smb.conf File, Server: BLDG1 Example 6.7. LDAP Based smb.conf File, Server: BLDG2 Example 6.9. LDAP Based smb.conf File, Server: BLDG2 Example 6.8. LDAP Based smb.conf File, Shares Section Part A Example 6.10. LDAP Based smb.conf File, Shares Section Part A Example 6.9. LDAP Based smb.conf File, Shares Section Part B Example 6.11. LDAP Based smb.conf File, Shares Section Part BName
Synopsis
DESCRIPTION
FILE FORMAT
FILE FORMAT
FILES
FILES
AUTHOR
Name
Synopsis
DESCRIPTION
Name
Synopsis
DESCRIPTION
OPTIONS
OPTIONS
EXAMPLES
$ log2pcap < /var/log/* > trace.pcap
$ log2pcap -h samba.log | text2pcap -T 139,139 - trace.pcap
-
Name
Synopsis
DESCRIPTION
Name
Synopsis
DESCRIPTION
OPTIONS
OPTIONS
ENVIRONMENT VARIABLES
NOTES
NOTES
CONFIGURATION
BUGS
VERSION
VERSION
SEE ALSO
AUTHOR
Name
Synopsis
DESCRIPTION
Synopsis
DESCRIPTION
OPTIONS
OPTIONS
COMMANDS
CHANGESECRETPW
TIME
TIME
[RPC|ADS] JOIN [TYPE] [-U username[%password]] [options]
[RPC] OLDJOIN [options]
[RAP|RPC] SHARE
[RAP|RPC] SHARE [misc. options] [targets]
[RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
[RAP|RPC] SHARE
[RAP|RPC] SHARE [misc. options] [targets]
[RPC|RAP] FILE
SESSION
SESSION
RAP VALIDATE user [password]
Note
RAP ADMIN command
Note
RAP SERVICE
RAP SERVICE
LOOKUP
CACHE
s - Seconds m - Minutes h - Hours d - Days w - Weeks GETLOCALSID [DOMAIN]
GROUPMAP
GROUPMAP ADD
GROUPMAP DELETE
MAXRID
GROUPMAP ADD
GROUPMAP DELETE
MAXRID
RPC INFO
RPC TRUSTDOM
RPC TRUSTDOM
RPC TRUSTDOM DEL DOMAIM
Note
SHUTDOWN [-t timeout] [-r] [-f] [-C message]
SHUTDOWN [-t timeout] [-r] [-f] [-C message]
VAMPIRE
ADS STATUS
ADS PRINTER
ADS PRINTER
ADS SEARCH EXPRESSION ATTRIBUTES...
Name
Synopsis
DESCRIPTION
Synopsis
DESCRIPTION
OPTIONS
OPTIONS
FILES
SIGNALS
SEE ALSO
AUTHOR
Name
Synopsis
Synopsis
DESCRIPTION
OPTIONS
OPTIONS
EXAMPLES
AUTHOR
AUTHOR
Name
Synopsis
DESCRIPTION
Name
Synopsis
DESCRIPTION
OPERATIONAL REQUIREMENTS
OPTIONS
OPTIONS
EXAMPLE SETUP
@@ -145,13 +144,13 @@
auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
-
TROUBLESHOOTING
AUTHOR
Name
DESCRIPTION
OPTIONS
Name
DESCRIPTION
Name
Synopsis
DESCRIPTION
Name
Synopsis
DESCRIPTION
OPTIONS
OPTIONS
@@ -74,7 +74,7 @@
retype new password
Note
Name
Synopsis
Synopsis
DESCRIPTION
Name
Synopsis
DESCRIPTION
Synopsis
DESCRIPTION
OPTIONS
OPTIONS
@@ -70,7 +70,7 @@
rpcclient to prompt for a password and type
it in directly. COMMANDS
COMMANDS
LSARPC
LSARPC-DS
SRVSVC
SAMR
SPOOLSS
LSARPC-DS
SRVSVC
SAMR
SPOOLSS
NETLOGON
BUGS
AUTHOR
Name
Synopsis
DESCRIPTION
Name
Synopsis
DESCRIPTION
COMPONENTS
AVAILABILITY
CONTRIBUTIONS
CONTRIBUTORS
AUTHOR
AUTHOR
>debugfile< :== { >debugmsg< }
@@ -51,7 +51,7 @@
Note that in the above example the function names are not listed on
the header line. That's because the example above was generated on an
SGI Indy, and the SGI compiler doesn't support the __FUNCTION__ macro.
-Transparent loading of static and shared modules (no need
-for a subsystem to know about modules) Simple selection between shared and static modules at configure time "preload modules" option for increasing performance for stable modules No nasty #define stuff anymore All backends are available as plugin now (including pdb_ldap and pdb_tdb) Simple selection between shared and static modules at configure time "preload modules" option for increasing performance for stable modules No nasty #define stuff anymore All backends are available as plugin now (including pdb_ldap and pdb_tdb) cket Traces from Netmonitor (Service Pack 1 and above) ul Ashton and Luke Leighton's other "NT Domain" doc. FS documentation - cifs6.txt FS documentation - cifsrap2.txt Paul Ashton: loads of work with Net Monitor; understanding the NT authentication system; reference implementation of the NT domain support on which this document is originally based. Duncan Stansfield: low-level analysis of MSRPC Pipes. Linus Nordberg: producing c-code from Paul's crypto spec. Windows Sourcer development team cket Traces from Netmonitor (Service Pack 1 and above) ul Ashton and Luke Leighton's other "NT Domain" doc. FS documentation - cifs6.txt FS documentation - cifsrap2.txt Paul Ashton: loads of work with Net Monitor; understanding the NT authentication system; reference implementation of the NT domain support on which this document is originally based. Duncan Stansfield: low-level analysis of MSRPC Pipes. Linus Nordberg: producing c-code from Paul's crypto spec. Windows Sourcer development team
+
switch (switch_value)
case 1:
{
ID_INFO_1 id_info_1;
}
-0 for shi1_type indicates a Disk. 1 for shi1_type indicates a Print Queue. 2 for shi1_type indicates a Device. 3 for shi1_type indicates an IPC pipe. 0x8000 0000 (top bit set in shi1_type) indicates a hidden share. 0 for shi1_type indicates a Disk. 1 for shi1_type indicates a Print Queue. 2 for shi1_type indicates a Device. 3 for shi1_type indicates an IPC pipe. 0x8000 0000 (top bit set in shi1_type) indicates a hidden share.
+
abstract (0x4B324FC8, 0x01D31670, 0x475A7812, 0x88E16EBF, 0x00000003)
transfer (0x8A885D04, 0x11C91CEB, 0x0008E89F, 0x6048102B, 0x00000002)
-
RPC_Packet RPC_ReqBind RPC_Packet RPC_ResBind Establish a connection to the IPC$ share (SMBtconX). use encrypted passwords. Open an RPC Pipe with the name "\\PIPE\\lsarpc". Store the file handle. Using the file handle, send a Set Named Pipe Handle state to 0x4300. Send an LSA Open Policy request. Store the Policy Handle. Using the Policy Handle, send LSA Query Info Policy requests, etc. Using the Policy Handle, send an LSA Close. Close the IPC$ share.
+ mapping identified so far is:
RPC_Packet RPC_ReqBind RPC_Packet RPC_ResBind Establish a connection to the IPC$ share (SMBtconX). use encrypted passwords. Open an RPC Pipe with the name "\\PIPE\\lsarpc". Store the file handle. Using the file handle, send a Set Named Pipe Handle state to 0x4300. Send an LSA Open Policy request. Store the Policy Handle. Using the Policy Handle, send LSA Query Info Policy requests, etc. Using the Policy Handle, send an LSA Close. Close the IPC$ share. tablish a connection to the IPC$ share (SMBtconX). use encrypted passwords. en an RPC Pipe with the name "\\PIPE\\NETLOGON". Store the file handle. ing the file handle, send a Set Named Pipe Handle state to 0x4300. eate Client Challenge. Send LSA Request Challenge. Store Server Challenge. lculate Session Key. Send an LSA Auth 2 Challenge. Store Auth2 Challenge. lc/Verify Client Creds. Send LSA Srv PW Set. Calc/Verify Server Creds. lc/Verify Client Creds. Send LSA SAM Logon . Calc/Verify Server Creds. lc/Verify Client Creds. Send LSA SAM Logoff. Calc/Verify Server Creds. ose the IPC$ share. tablish a connection to the IPC$ share (SMBtconX). use encrypted passwords. en an RPC Pipe with the name "\\PIPE\\NETLOGON". Store the file handle. ing the file handle, send a Set Named Pipe Handle state to 0x4300. eate Client Challenge. Send LSA Request Challenge. Store Server Challenge. lculate Session Key. Send an LSA Auth 2 Challenge. Store Auth2 Challenge. lc/Verify Client Creds. Send LSA Srv PW Set. Calc/Verify Server Creds. lc/Verify Client Creds. Send LSA SAM Logon . Calc/Verify Server Creds. lc/Verify Client Creds. Send LSA SAM Logoff. Calc/Verify Server Creds. ose the IPC$ share.
+
+
C->S ReqChal,Cc
S->C Cs
@@ -211,7 +211,7 @@
S->C Cred(Ks,Cred(Ks,Rc+Tc+1)),userinfo(logon script,UID,SIDs,etc)
C: assert(Rs == Cred(Ks,Cred(Rc+Tc+1))
C: Rc = Cred(Ks,Rc+Tc+1)
-
revision-NN-SubAuth1-SubAuth2-SubAuth3... revision-0xNNNNNNNNNNNN-SubAuth1-SubAuth2-SubAuth3...
Version 2.999+3.0.alpha21-5 for Debian
-
<file> :== { <section> } EOF
<section> :== <section header> { <parameter line> }
<section header> :== '[' NAME ']'
@@ -106,7 +106,7 @@
A parameter line is divided into a NAME and a VALUE. The *first*
equal sign on the line separates the NAME from the VALUE. The
VALUE is terminated by a newline character (NL = '\n').
-
typedef struct reg_key_s {
@@ -46,7 +46,7 @@
REG_KEY *root; /* NULL if not available */
void *backend_data;
} REG_HANDLE;
-
REG_HANDLE *reg_open(char *backend, char *location, BOOL try_full_load);
REG_KEY *reg_open_key(REG_KEY *parent, char *name);
REG_VAL *reg_key_get_val(REG_KEY *key, char *name);
@@ -63,7 +63,7 @@
void reg_free(REG_HANDLE *h);
void reg_free_key_list(REG_KEY_LIST *list):
void reg_free_val_list(REG_VAL_LIST *list):
-
void reg_key_list_init( REG_KEY_LIST *ctr );
int reg_key_list_addkey( REG_KEY_LIST *ctr, const char *keyname );
int reg_key_list_numkeys( REG_KEY_LIST *ctr );
@@ -82,7 +82,7 @@
int reg_val_list_copyvalue( REG_VAL_LIST *ctr, REG_VAL *val );
int reg_val_list_delvalue( REG_VAL_LIST *ctr, const char *name );
void reg_val_list_destroy( REG_VAL_LIST *ctr );
-
typedef struct {
@@ -112,7 +112,7 @@
root field of the REG_HANDLE struct is NULL.NTSTATUS vfs_example_init(void);
NTSTATUS init_module(void);
typedef struct vfs_handle_struct {
struct vfs_handle_struct *next, *prev;
@@ -264,7 +264,7 @@
(handle)->vfs_next.handles.sendfile,\
(tofd), (fsp), (fromfd), (header), (offset), (count)))
...
-./configure --enable-developer ... make Try to fix all compiler warnings make Testing, Testing, Testing ...
@@ -538,7 +538,7 @@
root# service ldap stop
root# slapadd -v -l admin-accts.ldif
@@ -560,7 +560,7 @@
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
-database ldbm
+database bdb
suffix "dc=abmas,dc=biz"
rootdn "cn=Manager,dc=abmas,dc=biz"
@@ -603,7 +603,7 @@
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
-database ldbm
+database bdb
suffix "dc=abmas,dc=biz"
rootdn "cn=Manager,dc=abmas,dc=biz"
@@ -632,299 +632,299 @@
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
-
+
@@ -117,26 +117,26 @@
If you wish to locate the Samba version, just run:
root# /path-to-binary-file/smbd -V
-Version 3.0.2-SUSE
+Version 3.0.12-SUSE
root# rpm -qa | grep samba
-samba3-pdb-3.0.2-1
-samba3-vscan-0.3.4-0
-samba3-winbind-3.0.2-1
-samba3-3.0.2-1
-samba3-python-3.0.2-1
-samba3-utils-3.0.2-1
-samba3-doc-3.0.2-1
-samba3-client-3.0.2-1
-samba3-cifsmount-3.0.2-1
-
root# chown -R wwwrun.www /srv/www/htdocs/lam
@@ -748,14 +739,14 @@
root# chmod 755 /srv/www/htdocs/lam/config
root# chmod 755 /srv/www/htdocs/lam/lib/*pl
root# cd /srv/www/htdocs/lam/config
root# cp config.cfg_sample config.cfg
root# vi config.cfg
-
File Information Server Name Source Target Location MASSIVE BLDG1 BLDG2 ??? /etc/samba/smb.conf Yes No No ??? /etc/samba/dc-common.conf Yes No No ??? /etc/samba/common.conf Yes Yes Yes ??? /etc/samba/smb.conf No Yes No ??? /etc/samba/smb.conf No No Yes ??? /etc/samba/dommem.conf No Yes Yes ??? /etc/dhcpd.conf Yes No No ??? /etc/dhcpd.conf No Yes No ??? /etc/dhcpd.conf No No Yes ??? /etc/named.conf (part A) Yes No No ??? /etc/named.conf (part B) Yes No No ??? /etc/named.conf (part C) Yes No No ??? {VLN}/master/abmas.biz.hosts Yes No No ??? {VLN}/master/abmas.us.hosts Yes No No ??? /etc/named.conf (part A) No Yes Yes ??? /etc/named.conf (part B) No Yes Yes ??? {VLN}/localhost.zone Yes Yes Yes ??? {VLN}/127.0.0.zone Yes Yes Yes ??? {VLN}/root.hint Yes Yes Yes File Information Server Name Source Target Location MASSIVE BLDG1 BLDG2 ??? /etc/samba/smb.conf Yes No No ??? /etc/samba/dc-common.conf Yes No No ??? /etc/samba/common.conf Yes Yes Yes ??? /etc/samba/smb.conf No Yes No ??? /etc/samba/smb.conf No No Yes ??? /etc/samba/dommem.conf No Yes Yes ??? /etc/dhcpd.conf Yes No No ??? /etc/dhcpd.conf No Yes No ??? /etc/dhcpd.conf No No Yes ??? /etc/named.conf (part A) Yes No No ??? /etc/named.conf (part B) Yes No No ??? /etc/named.conf (part C) Yes No No ??? {VLN}/master/abmas.biz.hosts Yes No No ??? {VLN}/master/abmas.us.hosts Yes No No ??? /etc/named.conf (part A) No Yes Yes ??? /etc/named.conf (part B) No Yes Yes ??? {VLN}/localhost.zone Yes Yes Yes ??? {VLN}/127.0.0.zone Yes Yes Yes ??? {VLN}/root.hint Yes Yes Yes
root# smbpasswd -a root
@@ -251,7 +251,7 @@
deleted. If for any reason the account is deleted, you may not be able to recreate this account
without considerable trouble.
root# lpadmin -p printque -v socket://printer-name.abmas.biz:9100 -E
application/octet-stream application/vnd.cups-raw 0 -
application/octet-stream
@@ -349,12 +349,12 @@
processes to auto-map Windows client drives to an application server that is nearest to the client. This
is considerably more difficult when a single PDC is used on a routed network. It can be done, but not
as elegantly as you see in the next chapter.
-
root# mkdir -p /data/{accounts,finsvcs,pidata}
@@ -498,7 +498,7 @@
??? until after the operation of the server has been
validated following the same methods as outlined in ???.
root# net rpc join
root# service smb start
@@ -525,183 +525,183 @@
Your server is ready for validation testing. Do not proceed with the steps in
??? until after the operation of the server has been
validated following the same methods as outlined in ???.
- # Global parameters [global]
+ # Global parameters
- workgroup = MEGANET
+ workgroup = MEGANET
- netbios name = MASSIVE
+ netbios name = MASSIVE
- interfaces = eth1, lo
+ interfaces = eth1, lo
- bind interfaces only = Yes
+ bind interfaces only = Yes
- passdb backend = tdbsam
+ passdb backend = tdbsam
- add user script = /usr/sbin/useradd -m '%u'
+ add user script = /usr/sbin/useradd -m '%u'
- delete user script = /usr/sbin/userdel -r '%u'
+ delete user script = /usr/sbin/userdel -r '%u'
- add group script = /usr/sbin/groupadd '%g'
+ add group script = /usr/sbin/groupadd '%g'
- delete group script = /usr/sbin/groupdel '%g'
+ delete group script = /usr/sbin/groupdel '%g'
- add user to group script = /usr/sbin/usermod -G '%g' '%u'
+ add user to group script = /usr/sbin/usermod -G '%g' '%u'
- add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
+ add machine script = /usr/sbin/ useradd -s /bin/false -d /var/lib/nobody '%u'
- preferred master = Yes
+ preferred master = Yes
- wins support = Yes
+ wins support = Yes
- include = /etc/samba/dc-common.conf [IPC$]
+ include = /etc/samba/dc-common.conf
- path = /tmp
+ path = /tmp
- hosts allow = 172.16.0.0/16, 127.0.0.1
+ hosts allow = 172.16.0.0/16, 127.0.0.1
- hosts deny = 0.0.0.0/0 [accounts]
+ hosts deny = 0.0.0.0/0
- comment = Accounting Files
+ comment = Accounting Files
- path = /data/accounts
+ path = /data/accounts
- read only = No [service]
+ read only = No
- comment = Financial Services Files
+ comment = Financial Services Files
- path = /data/service
+ path = /data/service
- read only = No [pidata]
+ read only = No
- comment = Property Insurance Files
+ comment = Property Insurance Files
- path = /data/pidata
+ path = /data/pidata
- read only = No # Global parameters [global]
+ read only = No # Global parameters
- shutdown script = /var/lib/samba/scripts/shutdown.sh
+ shutdown script = /var/lib/samba/scripts/shutdown.sh
- abort shutdown script = /sbin/shutdown -c
+ abort shutdown script = /sbin/shutdown -c
- logon script = scripts\logon.bat
+ logon script = scripts\logon.bat
- logon path = \%L\profiles\%U
+ logon path = \%L\profiles\%U
- logon drive = X:
+ logon drive = X:
- logon home = \%L\%U
+ logon home = \%L\%U
- domain logons = Yes
+ domain logons = Yes
- preferred master = Yes
+ preferred master = Yes
- include = /etc/samba/common.conf [homes]
+ include = /etc/samba/common.conf
- comment = Home Directories
+ comment = Home Directories
- valid users = %S
+ valid users = %S
- read only = No
+ read only = No
- browseable = No [netlogon]
+ browseable = No
- comment = Network Logon Service
+ comment = Network Logon Service
- path = /var/lib/samba/netlogon
+ path = /var/lib/samba/netlogon
- guest ok = Yes
+ guest ok = Yes
- locking = No [profiles]
+ locking = No
- comment = Profile Share
+ comment = Profile Share
- path = /var/lib/samba/profiles
+ path = /var/lib/samba/profiles
- read only = No
+ read only = No
- profile acls = Yes
- username map = /etc/samba/smbusers
+ username map = /etc/samba/smbusers
- log level = 1
+ log level = 1
- syslog = 0
+ syslog = 0
- log file = /var/log/samba/%m
+ log file = /var/log/samba/%m
- max log size = 50
+ max log size = 50
- smb ports = 139 445
+ smb ports = 139 445
- name resolve order = wins bcast hosts
+ name resolve order = wins bcast hosts
- time server = Yes
+ time server = Yes
- printcap name = CUPS
+ printcap name = CUPS
- show add printer wizard = No
+ show add printer wizard = No
- shutdown script = /var/lib/samba/scripts/shutdown.sh
+ shutdown script = /var/lib/samba/scripts/shutdown.sh
- abort shutdown script = /sbin/shutdown -c
+ abort shutdown script = /sbin/shutdown -c
- utmp = Yes
+ utmp = Yes
- map acl inherit = Yes
+ map acl inherit = Yes
- printing = cups
+ printing = cups
- veto files = /*.eml/*.nws/*.{*}/
+ veto files = /*.eml/*.nws/*.{*}/
- veto oplock files = /*.doc/*.xls/*.mdb/
+ veto oplock files = /*.doc/*.xls/*.mdb/
- include = # Share and Service Definitions are common to all servers [printers]
+ include = # Share and Service Definitions are common to all servers
- comment = SMB Print Spool
+ comment = SMB Print Spool
- path = /var/spool/samba
+ path = /var/spool/samba
- guest ok = Yes
+ guest ok = Yes
- printable = Yes
+ printable = Yes
- use client driver = Yes
+ use client driver = Yes
- default devmode = Yes
+ default devmode = Yes
- browseable = No [apps]
+ browseable = No
- comment = Application Files
+ comment = Application Files
- path = /apps
+ path = /apps
- admin users = bjordan
+ admin users = bjordan
- read only = No # Global parameters
- workgroup = MEGANET
+ workgroup = MEGANET
- netbios name = BLDG1
+ netbios name = BLDG1
- include = /etc/samba/dom-mem.conf # Global parameters [global]
+ include = /etc/samba/dom-mem.conf # Global parameters
- workgroup = MEGANET
+ workgroup = MEGANET
- netbios name = BLDG2
+ netbios name = BLDG2
- include = /etc/samba/dom-mem.conf # Global parameters [global]
+ include = /etc/samba/dom-mem.conf # Global parameters
- shutdown script = /var/lib/samba/scripts/shutdown.sh
+ shutdown script = /var/lib/samba/scripts/shutdown.sh
- abort shutdown script = /sbin/shutdown -c
+ abort shutdown script = /sbin/shutdown -c
- preferred master = Yes
+ preferred master = Yes
- wins server = 172.16.0.1
+ wins server = 172.16.0.1
- idmap uid = 15000-20000
+ idmap uid = 15000-20000
- idmap gid = 15000-20000
+ idmap gid = 15000-20000
include = /etc/samba/common.conf
# Abmas Accounting Inc. - Chapter 5/MASSIVE
@@ -1053,7 +1053,7 @@
net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
root# chkconfig dhpc on
root# chkconfig named on
@@ -1082,9 +1082,9 @@
root# chkconfig swat on
+
root# testparm -s | less
Note
Note
root# rpm -qa | grep -i samba
@@ -141,14 +141,14 @@
root# rpm -e samba-common
root# kinit [USERNAME@REALM]
@@ -187,7 +187,7 @@
Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
root# klist -e
root# net ads join -U administrator%vulcon
@@ -279,7 +279,7 @@
root# NT_STATUS_OK: Success (0x0)
[global]
+ in ???.
+
- workgroup = LONDON
+ workgroup = LONDON
- netbios name = W2K3S
+ netbios name = W2K3S
- realm = LONDON.ABMAS.BIZ
+ realm = LONDON.ABMAS.BIZ
- security = ads
+ security = ads
- encrypt passwords = yes
+ encrypt passwords = yes
- password server = w2k3s.london.abmas.biz # separate domain and username with '/', like DOMAIN/username
+ password server = w2k3s.london.abmas.biz # separate domain and username with '/', like DOMAIN/username
- winbind separator = / # use UIDs from 10000 to 20000 for domain users
+ winbind separator = / # use UIDs from 10000 to 20000 for domain users
- idmap uid = 10000-20000
+ idmap uid = 10000-20000
- idmap gid = 10000-20000 # allow enumeration of winbind users and groups
+ idmap gid = 10000-20000 # allow enumeration of winbind users and groups
- winbind enum users = yes
+ winbind enum users = yes
- winbind enum groups = yes
+ winbind enum groups = yes
- winbind user default domain = yes
root# chown -R squid /var/cache/squid
root# chown -R chown squid:squid /var/log/squid
@@ -364,10 +364,10 @@
root# chown -R chown squid:squid /var/cache/squid
root# chmod 770 /var/cache/squid
root# squid -z
@@ -378,10 +378,10 @@
root# squid
+
cache_effective_user squid
cache_effective_group squid
-
+
auth_param ntlm program /usr/bin/ntlm_auth \
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
@@ -394,14 +394,14 @@
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
-
+ --Anonymous --Anonymous Note
@@ -167,7 +167,7 @@
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
Caution
--Christine --Bob Note
Privilege Description
+# Some foreign boot scripts require local7
+#
+local0,local1.* -/var/log/localmessages
+local2,local3.* -/var/log/localmessages
+local5.* -/var/log/localmessages
+local6,local7.* -/var/log/localmessages
+local4.* -/var/log/ldaplogs
+
+debug 256
+logdir /data/logs
+
+root# mkdir /data/logs
+
+root# slapcat | grep Group | grep dn
+dn: ou=Groups,dc=abmas,dc=biz
+dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
+dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
+dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
+dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz
+dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
+dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
+dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz
+
+nss_base_group ou=Groups,dc=abmas,dc=biz?one
+
+nss_base_passwd dc=abmas,dc=biz?sub
+
+root# getent passwd
+
+slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539
+(IP=0.0.0.0:389)
+slapd[12164]: conn=0 op=0 BIND dn="" method=128
+slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=
+slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0
+filter="(objectClass=*)"
+slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0
+nentries=1 text=
+slapd[12164]: conn=0 op=2 UNBIND
+slapd[12164]: conn=0 fd=10 closed
+slapd[12164]: conn=1 fd=10 ACCEPT from
+IP=127.0.0.1:33540 (IP=0.0.0.0:389)
+slapd[12164]: conn=1 op=0 BIND
+dn="cn=Manager,dc=abmas,dc=biz" method=128
+slapd[12164]: conn=1 op=0 BIND
+dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0
+slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=
+slapd[12164]: conn=1 op=1 SRCH
+base="ou=People,dc=abmas,dc=biz" scope=1 deref=0
+filter="(objectClass=posixAccount)"
+slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword
+uidNumber gidNumber cn
+homeDirectory loginShell gecos description objectClass
+slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0
+nentries=2 text=
+slapd[12164]: conn=1 fd=10 closed
+
+
+[global]
+ ...
+ log level = 5
+ log file = /var/log/samba/%m.log
+ max log size = 0
+ ...
+
+[global]
+ ...
+ log level = 1
+ log file = /var/log/samba/%m.log
+ max log size = 50
+ ...
+
+root# cd /var/log/samba
+root# grep -v "^\[200" machine_name.log
+
Note
SUSE Linux 8.x SUSE Linux 9 Red Hat Linux 9 nss_ldap nss_ldap nss_ldap pam_ldap pam_ldap pam_ldap openldap2 openldap2 openldap openldap2-client openldap2-client openldap2-back-perl openldap2-back-monitor openldap2-back-ldap openldap2-back-meta SUSE Linux 8.x SUSE Linux 9.x Red Hat Linux nss_ldap nss_ldap nss_ldap pam_ldap pam_ldap pam_ldap openldap2 openldap2 openldap openldap2-client openldap2-client
-root# ls -al /var/lib | grep ldap
+root# ls -al /data | grep ldap
drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
+
+local4.* -/data/ldap/log/openldap.log
+
+set_cachesize 0 150000000 1
+set_lg_regionmax 262144
+set_lg_bsize 2097152
+#set_lg_dir /var/log/bdb
+set_flags DB_LOG_AUTOREMOVE
+
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
-include /etc/openldap/schema/samba.schema
+include /etc/openldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
-database ldbm
+access to dn.base=""
+ by self write
+ by * auth
+
+access to attr=userPassword
+ by self write
+ by * auth
+
+access to attr=shadowLastChange
+ by self write
+ by * read
+
+access to *
+ by * read
+ by anonymous auth
+
+#loglevel 256
+
+schemacheck on
+idletimeout 30
+backend bdb
+database bdb
+checkpoint 1024 5
+cachesize 10000
+
suffix "dc=abmas,dc=biz"
rootdn "cn=Manager,dc=abmas,dc=biz"
# rootpw = not24get
rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
-directory /var/lib/ldap
-
+directory /data/ldap
+
-SIZELIMIT 200
-TIMELIMIT 15
-DEREF never
-
+
host 127.0.0.1
+
base dc=abmas,dc=biz
+
binddn cn=Manager,dc=abmas,dc=biz
bindpw not24get
+timelimit 50
+bind_timelimit 50
+bind_policy hard
+
+idle_timelimit 3600
+
pam_password exop
-nss_base_passwd ou=People,dc=abmas,dc=biz?one
-nss_base_shadow ou=People,dc=abmas,dc=biz?one
+nss_base_passwd ou=People,dc=abmas,dc=biz?one
+nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group ou=Groups,dc=abmas,dc=biz?one
-
-SIZELIMIT 200
-TIMELIMIT 15
-DEREF never
-host 172.16.0.1
+ssl off
+
+host 172.16.0.1
+
base dc=abmas,dc=biz
+
binddn cn=Manager,dc=abmas,dc=biz
bindpw not24get
+timelimit 50
+bind_timelimit 50
+bind_policy hard
+
+idle_timelimit 3600
+
pam_password exop
nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group ou=Groups,dc=abmas,dc=biz?one
-
@@ -532,10 +837,10 @@
The preferred and usual location is /etc/ldap.conf.
@@ -595,38 +900,48 @@
demonstrates the use of the pam_ldap.so module. You can use either
implementation, but if the pam_unix2.so on your system supports
LDAP, you probably want to use it, rather than add an additional module.
-
+root# testparm -s smb.conf.master > smb.conf
+
-root# testparm -s > test.conf
+root# testparm
+Load smb config files from /etc/samba/smb.conf
+Processing section "[accounts]"
+Processing section "[service]"
+Processing section "[pidata]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[apps]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[profdata]"
-Processing section "[IPC$]"
-Processing section "[accounts]"
-Processing section "[service]"
-Processing section "[pidata]"
+Processing section "[print$]"
Loaded services file OK.
+Server role: ROLE_DOMAIN_PDC
+Press enter to see a dump of your service definitions
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
-[2003/12/16 22:32:20, 0] utils/net.c:net_getlocalsid(414)
- Can't fetch domain SID for name: MASSIVE
-
SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
@@ -692,244 +1013,334 @@
of the PDC. rsync is a useful tool here as it resembles the NT replication service quite
closely. If you do use NFS, do not forget to start the NFS server as follows:
-root# rcnfs start
+root# rcnfsserver start
# Global parameters [global]
+ # Global parameters
+
+ unix charset = LOCALE
- unix charset = LOCALE
+ workgroup = MEGANET2
- workgroup = MEGANET2
+ netbios name = MASSIVE
- netbios name = MASSIVE
+ interfaces = eth1, lo
- interfaces = eth1, lo
+ bind interfaces only = Yes
- bind interfaces only = Yes
+ passdb backend = ldapsam:ldap://massive.abmas.biz
- passdb backend = ldapsam:ldap://massive.abmas.biz
+ enable privileges = Yes
- username map = /etc/samba/smbusers
+ username map = /etc/samba/smbusers
- log level = 1
+ log level = 1
- syslog = 0
+ syslog = 0
- log file = /var/log/samba/%m
+ log file = /var/log/samba/%m
- max log size = 50
+ max log size = 50
- smb ports = 139 445
+ smb ports = 139 445
- name resolve order = wins bcast hosts
+ name resolve order = wins bcast hosts
- time server = Yes
+ time server = Yes
- printcap name = CUPS
+ printcap name = CUPS
- show add printer wizard = No
+ show add printer wizard = No
- add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
+ add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
- delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
+ delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
- add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
+ add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
- delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
+ delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
- add user to group script = /var/lib/samba/sbin/ smbldap-groupmod.pl -m '%u' '%g'
+ add user to group script = /opt/IDEALX/sbin/ smbldap-groupmod -m "%u" "%g"
- delete user from group script = /var/lib/samba/sbin/ smbldap-groupmod.pl -x '%u' '%g'
+ delete user from group script = /opt/IDEALX/sbin/ smbldap-groupmod -x "%u" "%g"
- set primary group script = /var/lib/samba/sbin/ smbldap-usermod.pl -g '%g' '%u'
+ set primary group script = /opt/IDEALX/sbin/ smbldap-usermod -g "%g" "%u"
- add machine script = /var/lib/samba/sbin/ smbldap-useradd.pl -w '%u'
+ add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
- logon script = scripts\logon.bat
+ logon script = scripts\logon.bat
- logon path = \\%L\profiles\%U
+ logon path = \\%L\profiles\%U
- logon drive = X:
+ logon drive = X:
- domain logons = Yes
+ domain logons = Yes
- preferred master = Yes
+ preferred master = Yes
- wins support = Yes
+ wins support = Yes
- ldap suffix = dc=abmas,dc=biz
+ ldap suffix = dc=abmas,dc=biz
- ldap machine suffix = ou=People
+ ldap machine suffix = ou=People
- ldap user suffix = ou=People
+ ldap user suffix = ou=People
- ldap group suffix = ou=Groups
+ ldap group suffix = ou=Groups
- ldap idmap suffix = ou=Idmap
+ ldap idmap suffix = ou=Idmap
- ldap admin dn = cn=Manager,dc=abmas,dc=biz
+ ldap admin dn = cn=Manager,dc=abmas,dc=biz
- idmap backend = ldap:ldap://massive.abmas.biz
+ idmap backend = ldap:ldap://massive.abmas.biz
- idmap uid = 10000-20000
+ idmap uid = 10000-20000
- idmap gid = 10000-20000
+ idmap gid = 10000-20000
- map acl inherit = Yes
+ map acl inherit = Yes
- printing = cups
+ printing = cups
- printer admin = Administrator, chrisr Note
-root# mkdir -p /var/lib/samba/sbin
-root# chown root.root /var/lib/samba/sbin
-root# chmod 755 /var/lib/samba/sbin
+root# mkdir -p /opt/IDEALX/sbin
+root# chown root.root /opt/IDEALX/sbin
+root# chmod 755 /opt/IDEALX/sbin
+root# mkdir -p /etc/smbldap-tools
+root# chown root.root /etc/smbldap-tools
+root# chmod 755 /etc/smbldap-tools
-root# cd /usr/share/doc/packages/samba3/Examples/LDAP/smbldap-tools
-root# cp *.pl *.pm /var/lib/samba/sbin
-
-root# cd mkntpwd
-root# make
-gcc -O2 -DMPU8086 -c -o getopt.o getopt.c
-gcc -O2 -DMPU8086 -c -o md4.o md4.c
-gcc -O2 -DMPU8086 -c -o mkntpwd.o mkntpwd.c
-mkntpwd.c: In function `main':
-mkntpwd.c:37: warning: return type of `main' is not `int'
-gcc -O2 -DMPU8086 -c -o smbdes.o smbdes.c
-gcc -O2 -DMPU8086 -o mkntpwd getopt.o md4.o mkntpwd.o smbdes.o
-root# cp mkntpwd /var/lib/samba/sbin
+root# cd smbldap-tools-0.8.7/
+root# cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/
+root# cp smbldap*conf /etc/smbldap-tools/
+root# chmod 750 /opt/IDEALX/sbin/smbldap-*
+root# chmod 750 /opt/IDEALX/sbin/configure.pl
+root# chmod 640 /etc/smbldap-tools/smbldap.conf
+root# chmod 600 /etc/smbldap-tools/smbldap_bind.conf
-# Put your own SID
-# to obtain this number do: "net getlocalsid"
-#$SID='S-1-5-21-1671648649-242858427-2873575837';
-$SID='S-1-5-21-3504140859-1010554828-2431957765';
...
-# LDAP Suffix
-# Ex: $suffix = "dc=IDEALX,dc=ORG";
-$suffix = "dc=abmas,dc=biz";
-...
-# Where are stored Users
-# Ex: $usersdn = "ou=Users,$suffix"; ...
-$usersou = q(People);
-$usersdn = "ou=$usersou,$suffix";
-
-# Where are stored Computers
-# Ex: $computersdn = "ou=Computers,$suffix"; ...
-$computersou = q(People);
-$computersdn = "ou=$computersou,$suffix";
-
-# Where are stored Groups
-# Ex $groupsdn = "ou=Groups,$suffix"; ...
-$groupsou = q(Groups);
-$groupsdn = "ou=$groupsou,$suffix";
-
-# Default scope Used
-$scope = "sub";
+# ugly funcs using global variables and spawning openldap clients
-# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
-$hash_encrypt="MD5";
-...
-############################
-# Credential Configuration #
-############################
-# Bind DN used
-# Ex: $binddn = "cn=admin,$suffix"; ...
-$binddn = "cn=Manager,$suffix";
-
-# Bind DN passwd used
-# Ex: $bindpasswd = 'secret'; for 'secret'
-$bindpasswd = 'not24get';
-...
-# Login defs
-# Default Login Shell
-# Ex: $_userLoginShell = q(/bin/bash);
-#$_userLoginShell = q(_LOGINSHELL_);
-$_userLoginShell = q(/bin/bash);
-
-# Home directory prefix (without username)
-# Ex: $_userHomePrefix = q(/home/);
-#$_userHomePrefix = q(_HOMEPREFIX_);
-$_userHomePrefix = q(/home/);
-...
-# The UNC path to home drives location without the
-# username last extension (will be dynamically prepended)
-# Ex: q(\\\\My-PDC-netbios-name\\homes)
-# Just comment this if you want to use the smb.conf
-# 'logon home' directive # and/or desabling roaming profiles
-#$_userSmbHome = q(\\\\_PDCNAME_\\homes);
-$_userSmbHome = q(\\\\MASSIVE\\homes);
-
-# The UNC path to profiles locations without the username
-# last extension (will be dynamically prepended)
-# Ex: q(\\\\My-PDC-netbios-name\\profiles\\)
-# Just comment this if you want to use the smb.conf
-# 'logon path' directive and/or desabling roaming profiles
-$_userProfile = q(\\\\MASSIVE\\profiles\\);
-
-# The default Home Drive Letter mapping
-# (automatically mapped at logon time if home directory exists)
-# Ex: q(U:) for U:
-#$_userHomeDrive = q(_HOMEDRIVE_);
-$_userHomeDrive = q(H:);
-...
-# Allows not to use smbpasswd
-# (if $with_smbpasswd == 0 in smbldap_conf.pm) but
-# prefer mkntpwd... most of the time, it's a wise choice :-)
-$with_smbpasswd = 0;
-$smbpasswd = "/usr/bin/smbpasswd";
-$mk_ntpasswd = "/var/lib/samba/sbin/mkntpwd";
+my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
+my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
...
-root# chown root.root /var/lib/samba/sbin/*
-root# chmod 755 /var/lib/samba/sbin/smb*pl
-root# chmod 640 /var/lib/samba/sbin/smb*pm
-root# chmod 555 /var/lib/samba/sbin/mkntpwd
+root# chown root.root /opt/IDEALX/sbin/*
+root# chmod 755 /opt/IDEALX/sbin/smbldap-*
+root# chmod 640 /opt/IDEALX/sbin/smb*pm
+
+root# rpm -i smbldap-tools-0.8.7-5.src.rpm
+root# cd /usr/src/packages/SPECS
+
+root# cd /usr/src/redhat/SPECS
+
+%define _prefix /opt/IDEALX
+%define _sysconfdir /etc
+
+root# rpmbuild -ba -v smbldap-tools.spec
+
+root# rpm -Uvh ../RPMS/noarch/smbldap-tools-0.8.7-5.noarch.rpm
+
+root# cd /opt/IDEALX/sbin
+
+root# ./configure.pl
+
+Unrecognized escape \p passed through at ./configure.pl line 194.
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+ smbldap-tools script configuration
+ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Before starting, check
+ . if your samba controller is up and running.
+ . if the domain SID is defined (you can get it with the 'net getlocalsid')
+
+ . you can leave the configuration using the Crtl-c key combination
+ . empty value can be set with the "." caracter
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Looking for configuration files...
+
+Samba Config File Location [/etc/samba/smb.conf] >
+smbldap Config file Location (global parameters)
+ [/etc/smbldap-tools/smbldap.conf] >
+smbldap Config file Location (bind parameters)
+ [/etc/smbldap-tools/smbldap_bind.conf] >
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Let's start configuring the smbldap-tools scripts ...
+
+. workgroup name: name of the domain Samba act as a PDC
+ workgroup name [MEGANET2] >
+. netbios name: netbios name of the samba controler
+ netbios name [MASSIVE] >
+. logon drive: local path to which the home directory
+ will be connected (for NT Workstations). Ex: 'H:'
+ logon drive [X:] >
+. logon home: home directory location (for Win95/98 or NT Workstation).
+ (use %U as username) Ex:'\\MASSIVE\home\%U'
+ logon home (leave blank if you don't want homeDirectory)
+ [\\MASSIVE\home\%U] > \\MASSIVE\%U
+. logon path: directory where roaming profiles are stored.
+ Ex:'\\MASSIVE\profiles\%U'
+ logon path (leave blank if you don't want roaming profile)
+ [\\MASSIVE\profiles\%U] >
+. home directory prefix (use %U as username)
+ [/home/%U] > /home/users/%U
+. default user netlogon script (use %U as username)
+ [%U.cmd] > scripts\login.cmd
+ default password validation time (time in days) [45] > 0
+. ldap suffix [dc=abmas,dc=biz] >
+. ldap group suffix [ou=Groups] >
+. ldap user suffix [ou=People] >
+. ldap machine suffix [ou=People] >
+. Idmap suffix [ou=Idmap] >
+. sambaUnixIdPooldn: object where you want to store the next uidNumber
+ and gidNumber available for new users and groups
+ sambaUnixIdPooldn object (relative to ${suffix}) [cn=NextFreeUnixId] >
+. ldap master server: IP adress or DNS name
+ of the master (writable) ldap server
+Use of uninitialized value in scalar chomp at ./configure.pl
+ line 138, <STDIN> line 17.
+Use of uninitialized value in hash element at ./configure.pl
+ line 140, <STDIN> line 17.
+Use of uninitialized value in concatenation (.) or string at
+ ./configure.pl line 144, <STDIN> line 17.
+Use of uninitialized value in string at ./configure.pl
+ line 145, <STDIN> line 17.
+ ldap master server [] > 127.0.0.1
+. ldap master port [389] >
+. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] >
+. ldap master bind password [] >
+. ldap slave server: IP adress or DNS name of the slave
+ ldap server: can also be the master one
+Use of uninitialized value in scalar chomp at ./configure.pl
+ line 138, <STDIN> line 21.
+Use of uninitialized value in hash element at ./configure.pl
+ line 140, <STDIN> line 21.
+Use of uninitialized value in concatenation (.) or string at
+ ./configure.pl line 144, <STDIN> line 21.
+Use of uninitialized value in string at ./configure.pl line 145,
+ <STDIN> line 21.
+ ldap slave server [] > 127.0.0.1
+. ldap slave port [389] >
+. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] >
+. ldap slave bind password [] >
+. ldap tls support (1/0) [0] >
+. SID for domain MEGANET2: SID of the domain
+ (can be obtained with 'net getlocalsid MASSIVE')
+ SID for domain MEGANET2
+ [S-1-5-21-3504140859-1010554828-2431957765] >
+. unix password encryption: encryption used for unix passwords
+ unix password encryption
+ (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
+. default user gidNumber [513] >
+. default computer gidNumber [515] >
+. default login shell [/bin/bash] >
+. default domain name to append to mail adress [] > abmas.biz
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+backup old configuration files:
+ /etc/smbldap-tools/smbldap.conf->
+ etc/smbldap-tools/smbldap.conf.old
+ /etc/smbldap-tools/smbldap_bind.conf->
+ etc/smbldap-tools/smbldap_bind.conf.old
+writing new configuration file:
+ /etc/smbldap-tools/smbldap.conf done.
+ /etc/smbldap-tools/smbldap_bind.conf done.
+Note
Note
Account Name Type ID Password Robert Jordan User bobj n3v3r2l8 Stanley Soroka User stans impl13dst4r Christine Roberson User chrisr S9n0nw4ll Mary Vortexis User maryv kw13t0n3 Accounts Group Accounts Finances Group Finances Insurance Group PIOps Account Name Type ID Password Robert Jordan User bobj n3v3r2l8 Stanley Soroka User stans impl13dst4r Christine Roberson User chrisr S9n0nw4ll Mary Vortexis User maryv kw13t0n3 Accounts Group Accounts Finances Group Finances Insurance Group PIOps
root# rcldap start
Starting ldap-server done
-root# ./smbldap-populate.pl
+root# ./smbldap-populate -a root -k 0
+
+Using workgroup name from smb.conf: sambaDomainName=MEGANET2
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+=> Warning: you must update smbldap.conf configuration file to :
+=> sambaUnixIdPooldn parameter must be set
+ to "sambaDomainName=MEGANET2,dc=abmas,dc=biz"
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Using builtin directory structure
adding new entry: dc=abmas,dc=biz
adding new entry: ou=People,dc=abmas,dc=biz
adding new entry: ou=Groups,dc=abmas,dc=biz
-adding new entry: ou=Computers,dc=abmas,dc=biz
-adding new entry: uid=Administrator,ou=People,dc=abmas,dc=biz
+entry ou=People,dc=abmas,dc=biz already exist.
+adding new entry: ou=Idmap,dc=abmas,dc=biz
+adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz
+adding new entry: uid=root,ou=People,dc=abmas,dc=biz
adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Users,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Guests,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Power Users,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Account Operators,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Server Operators,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Replicator,ou=Groups,dc=abmas,dc=biz
-adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
+
+# Where to store next uidNumber and gidNumber available
+sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+
+# Where to store next uidNumber and gidNumber available
+#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
root# ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
-w not24get < /etc/openldap/idmap.LDIF
@@ -1110,27 +1540,27 @@
# numEntries: 19
-root# getent passwd | grep Administrator
-Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
+root# getent passwd | grep root
+root:x:998:512:Netbios Domain Administrator:/home:/bin/false
root# getent group | grep Domain
-Domain Admins:x:512:Administrator
+Domain Admins:x:512:root
Domain Users:x:513:
Domain Guests:x:514:
Domain Computers:x:553:
-
-root# ./smbldap-useradd.pl -m -a username
-root# ./smbldap-passwd.pl username
+root# ./smbldap-useradd -m -a username
+root# ./smbldap-passwd username
Changing password for username
New password : XXXXXXXX
Retype new password : XXXXXXXX
@@ -1140,34 +1570,51 @@
Retype new SMB password: XXXXXXXX
root# getent passwd
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/bin/bash
...
-Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
+root:x:0:512:Netbios Domain Administrator:/home:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
bobj:x:1000:513:System User:/home/bobj:/bin/bash
stans:x:1001:513:System User:/home/stans:/bin/bash
chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
maryv:x:1003:513:System User:/home/maryv:/bin/bash
-
+
root# id chrisr
uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
-root# cd /var/lib/samba/sbin
-root# ./smbldap-usermod.pl -u 0 Administrator
+root# cd /opt/IDEALX/sbin
+root# ./smbldap-usermod -u 0 -d /root -s /bin/bash root
+root# getent passwd | grep root
+root:x:0:0:root:/root:/bin/bash
+root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
+
@@ -1180,7 +1627,7 @@
drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
@@ -1193,7 +1640,7 @@
Full Name: System User
Home Directory: \\MASSIVE\homes
HomeDir Drive: H:
-Logon Script: chrisr.cmd
+Logon Script: scripts\login.cmd
Profile Path: \\MASSIVE\profiles\chrisr
Domain: MEGANET2
Account desc: System User
@@ -1205,25 +1652,28 @@
Password last set: Wed, 17 Dec 2003 17:17:40 GMT
Password can change: Wed, 17 Dec 2003 17:17:40 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+Last bad password : 0
+Bad password count : 0
+Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
-root# ./smbldap-groupadd.pl -a Accounts
-root# ./smbldap-groupadd.pl -a Finances
-root# ./smbldap-groupadd.pl -a PIOps
+root# ./smbldap-groupadd -a Accounts
+root# ./smbldap-groupadd -a Finances
+root# ./smbldap-groupadd -a PIOps
root# getent group
...
-Domain Admins:x:512:Administrator
+Domain Admins:x:512:root
Domain Users:x:513:bobj,stans,chrisr,maryv
Domain Guests:x:514:
...
@@ -1233,7 +1683,7 @@
-root# net rpc join -U Administrator%not24get
+root# net rpc join -S MASSIVE -U root%not24get
+
Joined domain MEGANET2.
root# rcwinbind restart
root# smbclient -L massive -U%
@@ -1327,7 +1782,7 @@
Well done. All is working fine.
-root# lpadmin -p printque -v socket://printer-name.abmas.biz:9100 -E
+root# lpadmin -p printque
+ -v socket://printer-name.abmas.biz:9100 -E
application/octet-stream application/vnd.cups-raw 0 -
application/octet-stream
@@ -1401,9 +1857,9 @@
root# chown -R root.root /var/lib/samba/drivers
root# chmod -R ug=rwx,o=rx /var/lib/samba/drivers
@@ -1454,7 +1910,7 @@
daemon:x:2:
sys:x:3:
...
-Domain Admins:x:512:Administrator
+Domain Admins:x:512:root
Domain Users:x:513:bobj,stans,chrisr,maryv,jht
Domain Guests:x:514:
Administrators:x:544:
@@ -1474,7 +1930,7 @@
This is also the correct and desired output, because it demonstrates that the LDAP client
is able to communicate correctly with the LDAP server
(MASSIVE).
-
-root# net rpc join -U Administrator%not24get
+root# net rpc join -U root%not24get
Joined domain MEGANET2.
root# pdbedit -L
-Administrator:0:Administrator
+root:0:root
nobody:65534:nobody
bobj:1000:System User
stans:1001:System User
@@ -1548,8 +2004,7 @@
Samba-3 should now be running and is ready for a quick test. But not quite yet!
# Global parameters [global]
+ # Global parameters
- unix charset = LOCALE
+ unix charset = LOCALE
- workgroup = MEGANET2
+ workgroup = MEGANET2
- netbios name = BLDG1
+ netbios name = BLDG1
- passdb backend = ldapsam:ldap://massive.abmas.biz
+ passdb backend = ldapsam:ldap://massive.abmas.biz
- username map = /etc/samba/smbusers
+ enable privileges = Yes
- log level = 1
+ username map = /etc/samba/smbusers
- syslog = 0
+ log level = 1
- log file = /var/log/samba/%m
+ syslog = 0
- max log size = 50
+ log file = /var/log/samba/%m
- smb ports = 139 445
+ max log size = 50
- name resolve order = wins bcast hosts
+ smb ports = 139 445
- printcap name = CUPS
+ name resolve order = wins bcast hosts
- show add printer wizard = No
+ printcap name = CUPS
- logon script = scripts\logon.bat
+ show add printer wizard = No
- logon path = \\%L\profiles\%U
+ logon script = scripts\logon.bat
- logon drive = X:
+ logon path = \\%L\profiles\%U
- domain logons = Yes
+ logon drive = X:
- domain master = No
+ domain logons = Yes
- wins server = 172.16.0.1
+ domain master = No
- ldap suffix = dc=abmas,dc=biz
+ wins server = 172.16.0.1
- ldap machine suffix = ou=People
+ ldap suffix = dc=abmas,dc=biz
- ldap user suffix = ou=People
+ ldap machine suffix = ou=People
- ldap group suffix = ou=Groups
+ ldap user suffix = ou=People
- ldap idmap suffix = ou=Idmap
+ ldap group suffix = ou=Groups
- ldap admin dn = cn=Manager,dc=abmas,dc=biz
+ ldap idmap suffix = ou=Idmap
- idmap backend = ldap:ldap://massive.abmas.biz
+ ldap admin dn = cn=Manager,dc=abmas,dc=biz
- idmap uid = 10000-20000
+ idmap backend = ldap:ldap://massive.abmas.biz
- idmap gid = 10000-20000
+ idmap uid = 10000-20000
- printing = cups
+ idmap gid = 10000-20000
- printer admin = Administrator, chrisr # Global parameters [global]
+ printing = cups
- unix charset = LOCALE
+ printer admin = root, chrisr # Global parameters
- workgroup = MEGANET2
+ unix charset = LOCALE
- netbios name = BLDG2
+ workgroup = MEGANET2
- passdb backend = ldapsam:ldap://massive.abmas.biz
+ netbios name = BLDG2
- username map = /etc/samba/smbusers
+ passdb backend = ldapsam:ldap://massive.abmas.biz
- log level = 1
+ enable privileges = Yes
- syslog = 0
+ username map = /etc/samba/smbusers
- log file = /var/log/samba/%m
+ log level = 1
- max log size = 50
+ syslog = 0
- smb ports = 139 445
+ log file = /var/log/samba/%m
- name resolve order = wins bcast hosts
+ max log size = 50
- printcap name = CUPS
+ smb ports = 139 445
- show add printer wizard = No
+ name resolve order = wins bcast hosts
- logon script = scripts\logon.bat
+ printcap name = CUPS
- logon path = \\%L\profiles\%U
+ show add printer wizard = No
- logon drive = X:
+ logon script = scripts\logon.bat
- domain logons = Yes
+ logon path = \\%L\profiles\%U
- domain master = No
+ logon drive = X:
- wins server = 172.16.0.1
+ domain logons = Yes
- ldap suffix = dc=abmas,dc=biz
+ domain master = No
- ldap machine suffix = ou=People
+ wins server = 172.16.0.1
- ldap user suffix = ou=People
+ ldap suffix = dc=abmas,dc=biz
- ldap group suffix = ou=Groups
+ ldap machine suffix = ou=People
- ldap idmap suffix = ou=Idmap
+ ldap user suffix = ou=People
- ldap admin dn = cn=Manager,dc=abmas,dc=biz
+ ldap group suffix = ou=Groups
- idmap backend = ldap://massive.abmas.biz
+ ldap idmap suffix = ou=Idmap
- idmap uid = 10000-20000
+ ldap admin dn = cn=Manager,dc=abmas,dc=biz
- idmap gid = 10000-20000
+ idmap backend = ldap:ldap://massive.abmas.biz
- printing = cups
+ idmap uid = 10000-20000
- printer admin = Administrator, chrisr [accounts]
+ idmap gid = 10000-20000
- comment = Accounting Files
+ printing = cups
- path = /data/accounts
+ printer admin = root, chrisr
- read only = No [service]
+ comment = Accounting Files
- comment = Financial Services Files
+ path = /data/accounts
- path = /data/service
+ read only = No
- read only = No [pidata]
+ comment = Financial Services Files
- comment = Property Insurance Files
+ path = /data/service
- path = /data/pidata
+ read only = No
- read only = No [homes]
+ comment = Property Insurance Files
- comment = Home Directories
+ path = /data/pidata
- valid users = %S
+ read only = No
- read only = No
+ comment = Home Directories
- browseable = No [printers]
+ valid users = %S
- comment = SMB Print Spool
+ read only = No
- path = /var/spool/samba
+ browseable = No
- guest ok = Yes
+ comment = SMB Print Spool
- printable = Yes
+ path = /var/spool/samba
- browseable = No [apps]
+ guest ok = Yes
- comment = Application Files
+ printable = Yes
- path = /apps
+ browseable = No
- admin users = bjordan
+ comment = Application Files
- read only = No [netlogon]
+ path = /apps
- comment = Network Logon Service
+ admin users = bjordan
- path = /var/lib/samba/netlogon
+ read only = No
- guest ok = Yes
+ comment = Network Logon Service
- locking = No [profiles]
+ path = /var/lib/samba/netlogon
- comment = Profile Share
+ guest ok = Yes
- path = /var/lib/samba/profiles
+ locking = No
- read only = No
+ comment = Profile Share
- profile acls = Yes [profdata]
+ path = /var/lib/samba/profiles
- comment = Profile Data Share
+ read only = No
- path = /var/lib/samba/profdata
+ profile acls = Yes
- read only = No
+ comment = Profile Data Share
- profile acls = Yes [print$]
+ path = /var/lib/samba/profdata
- comment = Printer Drivers
+ read only = No
- path = /var/lib/samba/drivers
+ profile acls = Yes
- browseable = yes
+ comment = Printer Drivers
- guest ok = no
+ path = /var/lib/samba/drivers
- read only = yes
+ browseable = yes
- write list = Administrator, chrisr
+
+ read only = yes
+
+ write list = root, chrisr
