If this global parameter is a non-null string, it specifies the name of a file to read for the names of hosts and users who will be allowed access without specifying a password. -
This is not be confused with hosts allow which is about hosts +
This is not be confused with hosts allow which is about hosts
access to services and is more useful for guest services.
hosts equiv may be useful for NT clients which will
not supply passwords to Samba.
Note
The use of hosts equiv
@@ -1759,12 +1759,12 @@
roaming profile directory are actually owner by the user.
Default: inherit owner = no
- The permissions on new files and directories are normally governed by create mask, - directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this. + The permissions on new files and directories are normally governed by create mask, + directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.
New directories inherit the mode of the parent directory, including bits such as setgid.
New files inherit their read/write bits from the parent directory. Their execute bits continue to be - determined by map archive, map hidden and map system as usual. + determined by map archive, map hidden and map system as usual.
Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).
This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] @@ -1815,7 +1815,7 @@
Example: invalid users = root fred admin @wheel
- This parameter is only applicable if printing is set to iprint.
+ This parameter is only applicable if printing is set to iprint.
If set, this option overrides the ServerName option in the CUPS client.conf. This is
necessary if you have virtual samba servers that connect to different CUPS daemons.
@@ -1828,7 +1828,7 @@
packets. If this parameter is zero, no keepalive packets will be
sent. Keepalive packets, if sent, allow the server to tell whether
a client is still present and responding.
Keepalives should, in general, not be needed if the socket - has the SO_KEEPALIVE attribute set on it by default. (see socket options). + has the SO_KEEPALIVE attribute set on it by default. (see socket options). Basically you should only use this option if you strike difficulties.
Default: keepalive = 300
Example: keepalive = 600
@@ -1840,7 +1840,7 @@
change notification to user programs, using the F_NOTIFY fcntl.
Default: kernel change notify = yes
-
For UNIXes that support kernel based oplocks (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off.
Kernel oplocks support allows Samba oplocks
to be broken whenever a local UNIX process or NFS operation
@@ -1877,13 +1877,13 @@
tested as some other Samba code paths.
Default: large readwrite = yes
- The ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact
- the ldap server when retreiving user account information. The ldap admin dn is used
+ The ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact
+ the ldap server when retreiving user account information. The ldap admin dn is used
in conjunction with the admin dn password stored in the private/secrets.tdb
file. See the smbpasswd(8)
man page for more information on how to accomplish this.
- The ldap admin dn requires a fully specified DN. The ldap suffix is not appended to the ldap admin dn. + The ldap admin dn requires a fully specified DN. The ldap suffix is not appended to the ldap admin dn.
No default
This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba. @@ -1891,23 +1891,23 @@
This parameters specifies the suffix that is used for groups when these are added to the LDAP directory. - If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the - ldap suffix string so use a partial DN.
Default: ldap group suffix =
+ If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the
+ ldap suffix string so use a partial DN.
Default: ldap group suffix =
Example: ldap group suffix = ou=Groups
This parameters specifies the suffix that is used when storing idmap mappings. If this parameter - is unset, the value of ldap suffix will be used instead. The suffix - string is pre-pended to the ldap suffix string so use a partial DN. + is unset, the value of ldap suffix will be used instead. The suffix + string is pre-pended to the ldap suffix string so use a partial DN.
Default: ldap idmap suffix =
Example: ldap idmap suffix = ou=Idmap
It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of - ldap suffix will be used instead. The suffix string is pre-pended to the - ldap suffix string so use a partial DN. + ldap suffix will be used instead. The suffix string is pre-pended to the + ldap suffix string so use a partial DN.
Default: ldap machine suffix =
Example: ldap machine suffix = ou=Computers
@@ -1917,7 +1917,7 @@
and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password
change via SAMBA.
- The ldap passwd sync can be set to one of three values: + The ldap passwd sync can be set to one of three values:
Yes= Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.No= Update NT and LM passwords and update the pwdLastSet time.Only= Only update @@ -1928,7 +1928,7 @@ --with-ldapsam option at compile time.This option is used to control the tcp port number used to contact the - ldap server. The default is to use the stand LDAPS port 636. + ldap server. The default is to use the stand LDAPS port 636.
Default:
ldap port= 636 # if ldap ssl = on @@ -1956,11 +1956,11 @@ counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that are used to deal with user and group attributes lack such optimization.- o make Samba scale well in large environments, the ldapsam:trusted = yes + o make Samba scale well in large environments, the ldapsam:trusted = yes option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are stored together with the POSIX data in the same LDAP object. If these assumptions are met, - ldapsam:trusted = yes can be activated and Samba can completely bypass the + ldapsam:trusted = yes can be activated and Samba can completely bypass the NSS system to query user information. Optimized LDAP queries can greatly speed up domain logon and administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries is easily achieved. @@ -1977,19 +1977,19 @@ This is NOT related to Samba's previous SSL support which was enabled by specifying the --with-ssl option to the
configure- script.The ldap ssl can be set to one of three values:
Off= Never + script.The ldap ssl can be set to one of three values:
Off= Never use SSL when querying the directory.Start_tls= Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server.On= Use SSL on the ldaps port when contacting theldap server. Only available when the backwards-compatiblity --with-ldapsam option is specified - to configure. See passdb backend
Default:
ldap ssl= start_tls + to configure. See passdb backend
Default:
ldap ssl= start_tls- ldap suffix (G)
Specifies the base for all ldap suffixes and for storing the sambaDomain object.
- The ldap suffix will be appended to the values specified for the ldap user suffix, - ldap group suffix, ldap machine suffix, and the - ldap idmap suffix. Each of these should be given only a DN relative to the - ldap suffix. + The ldap suffix will be appended to the values specified for the ldap user suffix, + ldap group suffix, ldap machine suffix, and the + ldap idmap suffix. Each of these should be given only a DN relative to the + ldap suffix.
Default:
ldap suffix=Example:
ldap suffix= dc=samba,dc=org @@ -2002,8 +2002,8 @@- ldap user suffix (G)
This parameter specifies where users are added to the tree. If this parameter is unset, - the value of ldap suffix will be used instead. The suffix - string is pre-pended to the ldap suffix string so use a partial DN. + the value of ldap suffix will be used instead. The suffix + string is pre-pended to the ldap suffix string so use a partial DN.
Default:
ldap user suffix=Example:
ldap user suffix= ou=people @@ -2022,9 +2022,9 @@ or waited for) and told to break their oplocks to "none" and delete any read-ahead caches.It is recommended that this parameter be turned on to speed access to shared executables.
For more discussions on level2 oplocks see the CIFS spec.
- Currently, if kernel oplocks are supported then + Currently, if kernel oplocks are supported then level2 oplocks are not granted (even if this parameter is set to -
yes). Note also, the oplocks +yes). Note also, the oplocks parameter must be set toyeson this share in order for this parameter to have any effect.Default:
level2 oplocks= yes @@ -2036,27 +2036,27 @@ If set tonoSamba will never produce these broadcasts. If set toyesSamba will produce Lanman announce broadcasts at a frequency set by the parameter - lm interval. If set toauto+ lm interval. If set toautoSamba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter - lm interval.Default:
lm announce= auto + lm interval.Default:
lm announce= autoExample:
lm announce= yes- lm interval (G)
If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the - lm announce parameter) then this + lm announce parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be - made despite the setting of the lm announce + made despite the setting of the lm announce parameter.
Default:
lm interval= 60Example:
lm interval= 120- load printers (G)
A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. - See the printers section for + See the printers section for more details.
Default:
load printers= yes- local master (G)
This option allows nmbd(8) to try and become a local master browser @@ -2071,7 +2071,7 @@
- lock dir
This parameter is a synonym for lock directory.
- lock directory (G)
This option specifies the directory where lock files will be placed. The lock files are used to implement the - max connections option. + max connections option.
Default:
lock directory= ${prefix}/var/locksExample:
lock directory= /var/run/samba/locks @@ -2098,7 +2098,7 @@- lock spin time (G)
The time in microseconds that smbd should pause before attempting to gain a failed lock. See - lock spin count for more details.
Default:
lock spin time= 10 + lock spin count for more details.Default:
lock spin time= 10- log file (G)
This option allows you to override the name of the Samba log file (also known as the debug file). @@ -2117,7 +2117,7 @@
- logon drive (G)
This parameter specifies the local path to which the home directory will be - connected (see logon home) and is only used by NT + connected (see logon home) and is only used by NT Workstations.
Note that this option is only useful if Samba is set up as a logon server. @@ -2144,12 +2144,12 @@ in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does net use /home but use the whole string when dealing with profiles.
- Note that in prior versions of Samba, the logon path was returned rather than + Note that in prior versions of Samba, the logon path was returned rather than
logon home. This broke net use /home but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.- Disable this feature by setting logon home = "" - using the empty string. + Disable this feature by setting logon home = "" - using the empty string.
This option is only useful if Samba is set up as a logon server.
Default:
logon home= \\%N\%U @@ -2160,7 +2160,7 @@ This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the - logon home parameter. + logon home parameter.This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also specifies the directory from which the "Application Data", (
desktop,start menu,network neighborhood,programsand other @@ -2189,7 +2189,7 @@ provided system tool.
Note that this option is only useful if Samba is set up as a domain controller.
Disable the use of roaming profiles by setting the value of this parameter to the empty string. For - example, logon path = "". Take note that even if the default setting + example, logon path = "". Take note that even if the default setting in the smb.conf file is the empty string, any value specified in the user account settings in the passdb backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use requires that the user account settings must also be blank. @@ -2206,7 +2206,7 @@ must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.
The script must be a relative path to the [netlogon] service. If the [netlogon]
- service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:
+ service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:
/usr/local/samba/netlogon/STARTUP.BAT
@@ -2246,7 +2246,7 @@ will have the SPOOLED or PRINTING status.
Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server.
Default: lppause command =
# Currently no default value is given to
- this string, unless the value of the printing
+ this string, unless the value of the printing
parameter is SYSV, in which case the default is :
lp -i %p-%j -H hold or if the value of the
printing parameter is
@@ -2294,11 +2294,11 @@
executed on the server host in order to restart or continue
printing or spooling a specific print job.
This command should be a program or script which takes a printer name and job number to resume the print job. See - also the lppause command parameter.
If a %p is given then the printer name
+ also the lppause command parameter.
If a %p is given then the printer name
is put in its place. A %j is replaced with
the job number (an integer).
Note that it is good practice to include the absolute path
in the lpresume command as the PATH may not
- be available to the server.
See also the printing parameter.
Default: Currently no default value is given + be available to the server.
See also the printing parameter.
Default: Currently no default value is given
to this string, unless the value of the printing
parameter is SYSV, in which case the default is :
lp -i %p-%j -H resume
or if the value of the printing parameter
is SOFTQ, then the default is:
qstat -s -j%j -r
Default: lpresume command = lpresume command = /usr/bin/lpalt %p-%j -p2
@@ -2321,18 +2321,18 @@
Default: lprm command = determined by printing parameter
- If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change
+ If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change
the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb
. This parameter specifies how often this password will be changed, in seconds. The default is one
week (expressed in seconds), the same as a Windows NT Domain member server.
See also smbpasswd(8), - and the security = domain parameter. + and the security = domain parameter.
Default: machine password timeout = 604800
This parameter specifies the name of a file which will contain output created by a magic script (see the - magic script parameter below). + magic script parameter below).
Warning
If two clients use the same magic script
in the same directory the output file content is undefined.
Default: magic output = <magic script name>.out
@@ -2345,7 +2345,7 @@
executed on behalf of the connected user.
Scripts executed in this way will be deleted upon completion assuming that the user has the appropriate level of privilege and the file permissions allow the deletion.
If the script generates output, output will be sent to - the file specified by the magic output + the file specified by the magic output parameter (see above).
Note that some shells are unable to interpret scripts
containing CR/LF instead of CR as
the end-of-line marker. Magic scripts must be executable
@@ -2366,7 +2366,7 @@
So to map html to htm
you would use:
- mangled map = (*.html *.htm). + mangled map = (*.html *.htm).
One very useful case is to remove the annoying ;1 off
the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of
@@ -2378,7 +2378,7 @@
This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, - or whether non-DOS names should simply be ignored.
See the section on name mangling for + or whether non-DOS names should simply be ignored.
See the section on name mangling for details on how to control the mangling process.
If mangling is used then the mangling algorithm is as follows:
The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters @@ -2388,7 +2388,7 @@ extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.
Note that the character to use may be specified using - the mangling char + the mangling char option, if you don't like '~'.
Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as @@ -2412,7 +2412,7 @@
Example:
mangle prefix= 4- mangling char (S)
This controls what character is used as - the magic character in name mangling. The + the magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set it to whatever you prefer. This is effective only when mangling method is hash.
Default:
mangling char= ~ @@ -2445,23 +2445,23 @@ any file it touches from becoming executable under UNIX. This can be quite annoying for shared source code, documents, etc...- Note that this requires the create mask parameter to be set such that owner + Note that this requires the create mask parameter to be set such that owner execute bit is not masked out (i.e. it must include 100). See the parameter - create mask for details. + create mask for details.
Default:
map archive= yes- map hidden (S)
This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.
- Note that this requires the create mask to be set such that the world execute - bit is not masked out (i.e. it must include 001). See the parameter create mask + Note that this requires the create mask to be set such that the world execute + bit is not masked out (i.e. it must include 001). See the parameter create mask for details.
No default
- map read only (S)
This controls how the DOS read only attribute should be mapped from a UNIX filesystem.
This parameter can take three different values, which tell smbd(8) how to display the read only attribute on files, where either - store dos attributes is set to
No, or no extended attribute is - present. If store dos attributes is set toyesthen this + store dos attributes is set toNo, or no extended attribute is + present. If store dos attributes is set toyesthen this parameter is ignored. This is a new parameter introduced in Samba version 3.0.21.The three settings are :
Yes- The read only DOS attribute is mapped to the inverse of the user @@ -2474,18 +2474,18 @@ is reported as being set on the file.No- The read only DOS attribute is unaffected by permissions, and can only be set by - the store dos attributes method. This may be useful for exporting mounted CDs. + the store dos attributes method. This may be useful for exporting mounted CDs.
Default:
map read only= yes- map system (S)
This controls whether DOS style system files should be mapped to the UNIX group execute bit.
- Note that this requires the create mask to be set such that the group + Note that this requires the create mask to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter - create mask for details. + create mask for details.
Default:
map system= no -- map to guest (G)
- map to guest (G)
This parameter is only useful in SECURITY = security modes other than
security = share- i.e.user,server, anddomain.This parameter can take four different values, which tell @@ -2495,9 +2495,9 @@ default.
Bad User- Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and - mapped into the guest account.Bad Password- Means user logins + mapped into the guest account.Bad Password- Means user logins with an invalid password are treated as a guest login and mapped - into the guest account. Note that + into the guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think @@ -2527,7 +2527,7 @@ Ifmax connectionsis greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero mean an unlimited number of connections may be made.Record lock files are used to implement this feature. The lock files will be stored in - the directory specified by the lock directory option.
Default:
max connections= 0 + the directory specified by the lock directory option.Default:
max connections= 0Example:
max connections= 10 @@ -2617,7 +2617,7 @@ never need to change this parameter. The default is 3 days.Default:
max ttl= 259200- max wins ttl (G)
This option tells smbd(8) when acting as a WINS server - (wins support = yes) what the maximum + (wins support = yes) what the maximum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds).
Default:
max wins ttl= 518400 @@ -2678,18 +2678,18 @@- min protocol (G)
The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support. Please refer - to the max protocol + to the max protocol parameter for a list of valid protocol names and a brief description of each. You may also wish to refer to the C source code in
source/smbd/negprot.cfor a listing of known protocol dialects supported by clients.If you are viewing this parameter as a security measure, you should - also refer to the lanman auth parameter. Otherwise, you should never need + also refer to the lanman auth parameter. Otherwise, you should never need to change this parameter.
Default:
min protocol= COREExample:
min protocol= NT1- min wins ttl (G)
This option tells nmbd(8) - when acting as a WINS server (wins support = yes) what the minimum 'time to live' + when acting as a WINS server (wins support = yes) what the minimum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 hours (21600 seconds).
Default:
min wins ttl= 21600 @@ -2699,7 +2699,7 @@ the value of the parameter. When clients attempt to connect to this share, they are redirected to the proxied share using the SMB-Dfs protocol.Only Dfs roots can act as proxy shares. Take a look at the - msdfs root and host msdfs + msdfs root and host msdfs options to find out how to set up a Dfs root share.
No default
Example:
msdfs proxy= \otherserver\someshare- msdfs root (S)
If set to
yes, Samba treats the @@ -2735,9 +2735,9 @@ useful for active directory domains and results in a DNS query for the SRV RR entry matching _ldap._tcp.domain.wins: Query a name with - the IP address listed in the WINSSERVER parameter. If no WINS server has + the IP address listed in the WINSSERVER parameter. If no WINS server has been specified this method will be ignored.bcast: Do a broadcast on - each of the known local interfaces listed in the interfaces + each of the known local interfaces listed in the interfaces parameter. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet.
The example below will cause the local lmhosts file to be examined @@ -2789,7 +2789,7 @@ it will be mounted on the Samba client directly from the directory server. When Samba is returning the home share to the client, it will consult the NIS map specified in - homedir map and return the server + homedir map and return the server listed there.
Note that for this option to work there must be a working NIS system and the Samba server with this option must also be a logon server.
Default: nis homedir = no
@@ -2826,7 +2826,7 @@
should obey PAM's account and session management directives. The
default behavior is to use PAM for clear text authentication only
and to ignore any account or session management. Note that Samba
- always ignores PAM for authentication in the case of encrypt passwords = yes. The reason
+ always ignores PAM for authentication in the case of encrypt passwords = yes. The reason
is that PAM modules cannot support the challenge/response
authentication mechanism needed in the presence of SMB password encryption.
Default: obey pam restrictions = no
@@ -2837,7 +2837,7 @@
client can supply a username to be used by the server. Enabling
this parameter will force the server to only use the login
names from the user list and is only really
- useful in security = share level security.
Note that this also means Samba won't try to deduce + useful in security = share level security.
Note that this also means Samba won't try to deduce
usernames from the service name. This can be annoying for
the [homes] section. To get around this you could use user =
%S which means your user list
@@ -2877,11 +2877,11 @@
docs/ directory.
Oplocks may be selectively turned off on certain files with a share. See - the veto oplock files parameter. On some systems + the veto oplock files parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local UNIX process. See the - kernel oplocks parameter for details. + kernel oplocks parameter for details.
Default: oplocks = yes
The parameter is used to define the absolute @@ -2897,7 +2897,7 @@
This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd(8) -has a chance of becoming a local master browser for the workgroup in the local broadcast area.
+has a chance of becoming a local master browser for the workgroup in the local broadcast area.
Note :By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can effectively isolate a subnet for browsing purposes. This parameter is largely auto-configured in the Samba-3 @@ -2911,9 +2911,9 @@ this parameter, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in - passwd program. + passwd program. It should be possible to enable this without changing your - passwd chat parameter for most setups.
Default: pam password change = no
+ passwd chat parameter for most setups.
Default: pam password change = no
This is a Samba developer option that allows a system command to be called when either smbd(8) or smbd(8) crashes. This is usually used to @@ -2942,10 +2942,10 @@ backend. Takes a path to the smbpasswd file as an optional argument.
tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the private dir directory.
ldapsam - The LDAP based passdb + in the private dir directory.
ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to ldap://localhost)
LDAP connections should be secured where possible. This may be done using either
- Start-TLS (see ldap ssl) or by
+ Start-TLS (see ldap ssl) or by
specifying ldaps:// in
the URL argument.
Multiple servers may also be specified in double-quotes, if your LDAP libraries supports the LDAP URL notation. @@ -2991,15 +2991,15 @@ conversation that takes places between smbd(8) and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that smbd(8) uses to determine what to send to the - passwd program and what to expect back. If the expected output is not + passwd program and what to expect back. If the expected output is not received then the password is not changed.
This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS - etc).
Note that this parameter only is only used if the unix password sync parameter is set to yes. This sequence is
+ etc).
Note that this parameter only is only used if the unix password sync parameter is set to yes. This sequence is
then called AS ROOT when the SMB password in the
smbpasswd file is being changed, without access to the old password
cleartext. This means that root must be able to reset the user's password without
knowing the text of the previous password. In the presence of
- NIS/YP, this means that the passwd program must
+ NIS/YP, this means that the passwd program must
be executed on the NIS master.
The string can contain the macro %n which is substituted
for the new password. The chat sequence can also contain the standard
@@ -3008,7 +3008,7 @@
a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces
in them into a single string.
If the send string in any part of the chat sequence is a full stop ".", then no string is sent. Similarly, if the - expect string is a full stop then no string is expected.
If the pam password change parameter is set to yes, the
+ expect string is a full stop then no string is expected.
If the pam password change parameter is set to yes, the
chat pairs may be matched in any order, and success is determined by the PAM result, not any particular
output. The \n macro is ignored for PAM conversions.
Default: passwd chat = *new*password* %n\n*new*password* %n\n *changed*
@@ -3019,13 +3019,13 @@
parameter is run in debug mode. In this mode the
strings passed to and received from the passwd chat are printed
in the smbd(8) log with a
- debug level
+ debug level
of 100. This is a dangerous option as it will allow plaintext passwords
to be seen in the smbd log. It is available to help
Samba admins debug their passwd chat scripts
when calling the passwd program and should
be turned off after this has been done. This option has no effect if the
- pam password change
+ pam password change
paramter is set. This parameter is off by default.
Default: passwd chat debug = no
This integer specifies the number of seconds smbd will wait for an initial @@ -3072,7 +3072,7 @@ process a new connection.
A value of zero will cause only two attempts to be made - the password as is and the password in all-lower case.
This parameter is used only when using plain-text passwords. It is not at all used when encrypted passwords as in use (that is the default - since samba-3.0.0). Use this only when encrypt passwords = No.
Default: password level = 0
+ since samba-3.0.0). Use this only when encrypt passwords = No.
Default: password level = 0
Example: password level = 4
@@ -3088,7 +3088,7 @@
Samba will use the standard LDAP port of tcp/389. Note that port numbers
have no effect on password servers for Windows NT 4.0 domains or netbios
connections.
If parameter is a name, it is looked up using the - parameter name resolve order and so may resolved + parameter name resolve order and so may resolved by any method and order described in that parameter.
The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.
Note
Using a password server means your UNIX box (running
@@ -3150,7 +3150,7 @@
on this connection. Any occurrences of %m
will be replaced by the NetBIOS name of the machine they are
connecting from. These replacements are very useful for setting
- up pseudo home directories for users.
Note that this path will be based on root dir + up pseudo home directories for users.
Note that this path will be based on root dir if one was specified.
Default: path =
Example: path = /home/fred
@@ -3184,13 +3184,13 @@
preexec = csh -c 'echo \"Welcome to %S!\" |
/usr/local/samba/bin/smbclient -M %m -I %I' &
Of course, this could get annoying after a while :-)
- See also preexec close and postexec. + See also preexec close and postexec.
Default: preexec =
Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log
- This boolean option controls whether a non-zero return code from preexec + This boolean option controls whether a non-zero return code from preexec should close the service being connected to.
Default: preexec close = no
@@ -3199,7 +3199,7 @@
If this is set to yes, on startup, nmbd will force
an election, and it will have a slight advantage in winning the election. It is recommended that this
- parameter is used in conjunction with domain master = yes, so that
+ parameter is used in conjunction with domain master = yes, so that
nmbd can guarantee becoming a domain master.
Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) @@ -3213,7 +3213,7 @@ for homes and printers services that would otherwise not be visible.
Note that if you just want all printers in your - printcap file loaded then the load printers + printcap file loaded then the load printers option is easier.
Default: preload =
@@ -3227,7 +3227,7 @@
This controls if new filenames are created with the case that the client passes, or if - they are forced to be the default case. + they are forced to be the default case.
See the section on NAME MANGLING for a fuller discussion.
Default: preserve case = yes
@@ -3236,7 +3236,7 @@
clients may open, write to and submit spool files on the directory
specified for the service.
Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling - of print data. The read only parameter controls only non-printing access to + of print data. The read only parameter controls only non-printing access to the resource.
Default: printable = no
This option specifies the number of seconds before the printing
@@ -3254,7 +3254,7 @@
/etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.
To use the CUPS printing interface set printcap name = cups . This should - be supplemented by an addtional setting printing = cups in the [global] + be supplemented by an addtional setting printing = cups in the [global] section. printcap name = cups will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file.
@@ -3307,17 +3307,17 @@ printable service nor a global print command, spool files will be created but not processed and (most importantly) not removed.
Note that printing may fail on some UNIXes from the
nobody account. If this happens then create
- an alternative guest account that can print and set the guest account
+ an alternative guest account that can print and set the guest account
in the [global] section.
You can form quite complex print commands by realizing that they are just passed to a shell. For example the following will log a print job, print the file, then remove it. Note that ';' is the usual separator for command in shell scripts.
print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s
You may have to vary this command considerably depending on how you normally print files on your system. The default for - the parameter varies depending on the setting of the printing + the parameter varies depending on the setting of the printing parameter.
Default: For printing = BSD, AIX, QNX, LPRNG or PLP :
print command = lpr -r -P%p %s
For printing = SYSV or HPUX :
print command = lp -c -d%p %s; rm %s
For printing = SOFTQ :
print command = lp -d%p -s %s; rm %s
For printing = CUPS : If SAMBA is compiled against - libcups, then printcap = cups + libcups, then printcap = cups uses the CUPS API to submit jobs, etc. Otherwise it maps to the System V commands with the -oraw option for printing, i.e. it @@ -3349,7 +3349,7 @@ If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.
- The default value of the printer name may be lp on many
+ The default value of the printer name may be lp on many
systems.
Default: printer name = none
@@ -3416,7 +3416,7 @@
This parameter specifies the command to be executed on the server host in order to resume the printer queue. It is the command to undo the behavior that is caused by the - previous parameter (queuepause command).
This command should be a program or script which takes + previous parameter (queuepause command).
This command should be a program or script which takes a printer name as its only parameter and resumes the printer queue, such that queued jobs are resubmitted to the printer.
This command is not supported by Windows for Workgroups, but can be issued from the Printers window under Windows 95 @@ -3436,15 +3436,15 @@
This is a list of users that are given read-only access to a service. If the connecting user is in this list - then they will not be given write access, no matter what the read only option is set - to. The list can include group names using the syntax described in the invalid users + then they will not be given write access, no matter what the read only option is set + to. The list can include group names using the syntax described in the invalid users parameter. -
This parameter will not work with the security = share in +
This parameter will not work with the security = share in Samba 3.0. This is by design.
Default: read list =
Example: read list = mary, @students
-
An inverted synonym is writeable.
If this parameter is yes, then users
+
An inverted synonym is writeable.
If this parameter is yes, then users
of a service may not create or modify files in the service's
directory.
Note that a printable service (printable = yes) will ALWAYS allow writing to the directory @@ -3480,7 +3480,7 @@
the above line would cause nmbd to announce itself to the two given IP addresses using the given workgroup names. If you leave out the - workgroup name then the one given in the workgroup parameter + workgroup name then the one given in the workgroup parameter is used instead.
The IP addresses you choose would normally be the broadcast addresses of the remote @@ -3517,7 +3517,7 @@ that the remote machine is available, is listening, nor that it is in fact the browse master on its segment.
- The remote browse sync may be used on networks + The remote browse sync may be used on networks where there is no WINS server, and may be used on disjoint networks where each network has its own WINS server.
Default: remote browse sync =
@@ -3579,7 +3579,7 @@
means.
Note
The security advantage of using restrict anonymous = 2 is removed - by setting guest ok = yes on any share. + by setting guest ok = yes on any share.
Default: restrict anonymous = 0
This parameter is a synonym for root directory.
This parameter is a synonym for root directory.
The server will chroot() (i.e. @@ -3589,7 +3589,7 @@ It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use ".." in file names to access other directories (depending on the setting of the - wide smbconfoptions parameter). + wide smbconfoptions parameter).
Adding a root directory entry other
than "/" adds an extra level of security, but at a price. It
absolutely ensures that no access is given to files not in the
@@ -3644,9 +3644,9 @@
want to mainly setup shares without a password (guest shares). This
is commonly used for a shared printer server. It is more difficult
to setup guest shares with security = user, see
- the map to guestparameter for details.
It is possible to use smbd in a + the map to guestparameter for details.
It is possible to use smbd in a hybrid mode where it is offers both user and share - level security under different NetBIOS aliases.
The different settings will now be explained.
When clients connect to a share level security server they + level security under different NetBIOS aliases.
The different settings will now be explained.
When clients connect to a share level security server they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with @@ -3659,10 +3659,10 @@ in share level security, smbd uses several techniques to determine the correct UNIX user to use on behalf of the client.
A list of possible UNIX usernames to match with the given - client password is constructed using the following methods :
If the guest only parameter is set, then all the other - stages are missed and only the guest account username is checked. + client password is constructed using the following methods :
If the guest only parameter is set, then all the other + stages are missed and only the guest account username is checked.
Is a username is sent with the share connection - request, then this username (after mapping - see username map), + request, then this username (after mapping - see username map), is added as a potential username.
If the client did a previous logon request (the SessionSetup SMB call) then the @@ -3671,7 +3671,7 @@ added as a potential username.
The NetBIOS name of the client is added to the list as a potential username. -
Any users on the user list are added as potential usernames. +
Any users on the user list are added as potential usernames.
If the
guest onlyparameter is not set, then this list is then tried with the supplied password. The first user for whom the password matches will be used as the @@ -3683,17 +3683,17 @@ be used in granting access.See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
This is the default security setting in Samba 3.0. With user-level security a client must first "log-on" with a - valid username and password (which can be mapped using the username map - parameter). Encrypted passwords (see the encrypted passwords parameter) can also - be used in this security mode. Parameters such as user and guest only if set are then applied and + valid username and password (which can be mapped using the username map + parameter). Encrypted passwords (see the encrypted passwords parameter) can also + be used in this security mode. Parameters such as user and guest only if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated.
Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest parameter for details on doing this.
See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
This mode will only work correctly if net(8) has been used to add this - machine into a Windows NT Domain. It expects the encrypted passwords + the server to automatically map unknown users into the guest account. + See the map to guest parameter for details on doing this.
See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
This mode will only work correctly if net(8) has been used to add this + machine into a Windows NT Domain. It expects the encrypted passwords parameter to be set to
yes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly @@ -3707,13 +3707,13 @@ requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest parameter for details on doing this.See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION.
See also the password server parameter and - the encrypted passwords parameter.
+ the server to automatically map unknown users into the guest account. + See the map to guest parameter for details on doing this.
See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION.
See also the password server parameter and + the encrypted passwords parameter.
In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user. It expects the - encrypted passwords parameter to be set to
yes, unless the remote + encrypted passwords parameter to be set toyes, unless the remote server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a validsmbpasswdfile to check users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up. @@ -3733,10 +3733,10 @@ requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest parameter for details on doing this.See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION.
See also the password server parameter and the - encrypted passwords parameter.
In this mode, Samba will act as a domain member in an ADS realm. To operate + the server to automatically map unknown users into the guest account. + See the map to guest parameter for details on doing this.
See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION.
See also the password server parameter and the + encrypted passwords parameter.
In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility.
Note that this mode does NOT make Samba operate as a Active Directory Domain @@ -3749,7 +3749,7 @@ UNIX permission on a file using the native NT security dialog box.
This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not - in this mask from being modified. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND. + in this mask from being modified. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
@@ -3764,7 +3764,7 @@
- server schannel (G)
This controls whether the server offers or even demands the use of the netlogon schannel. - server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel. + server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel. This is only the case for Windows NT4 before SP4.
Please note that with this set to
noyou will have to apply the WindowsXP @@ -3838,8 +3838,8 @@- short preserve case (S)
This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced - to be the default case - . This option can be use with preserve case = yes + to be the default case + . This option can be use with preserve case = yes to permit long filenames to retain their case, while short names are lowered.
See the section on NAME MANGLING.
Default:
short preserve case= yes @@ -3939,10 +3939,10 @@- store dos attributes (S)
If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such - as occurs with map hidden and map readonly). When set, DOS + as occurs with map hidden and map readonly). When set, DOS attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or - directory. For no other mapping to occur as a fall-back, the parameters map hidden, - map system, map archive and map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended + directory. For no other mapping to occur as a fall-back, the parameters map hidden, + map system, map archive and map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel. @@ -4079,8 +4079,8 @@ passwords to be made over a longer period. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to
no.- In order for this parameter to be operative the encrypt passwords parameter must - be set to
no. The default value of encrypt passwords = Yes. Note: This must be set tonofor this update encrypted to work. + In order for this parameter to be operative the encrypt passwords parameter must + be set tono. The default value of encrypt passwords = Yes. Note: This must be set tonofor this update encrypted to work.Note that even when this parameter is set a user authenticating to smbd must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) @@ -4152,7 +4152,7 @@ they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.
To restrict a service to a particular set of users you - can use the valid users parameter.
If any of the usernames begin with a '@' then the name + can use the valid users parameter.
If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users @@ -4242,7 +4242,7 @@ Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and
fredis remapped tomarythen you will actually be connecting to \\server\mary and will need to supply a password suitable formarynot -fred. The only exception to this is the username passed to the password server (if you have one). The password server will receive whatever username the client +fred. The only exception to this is the username passed to the password server (if you have one). The password server will receive whatever username the client supplies without modification.Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been @@ -4270,7 +4270,7 @@ # no username map
- username map script (G)
This script is a mutually exclusive alternative to the - username map parameter. This parameter + username map parameter. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line line on standard output (the name to which @@ -4354,11 +4354,11 @@ Each entry must be a unix path, not a DOS path and must not include the unix directory separator '/'.
- Note that the case sensitive option is applicable in vetoing files. + Note that the case sensitive option is applicable in vetoing files.
One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this - deletion will fail unless you also set the delete veto files + deletion will fail unless you also set the delete veto files parameter to
yes.Setting this parameter will affect the performance of Samba, as it will be forced to check all files @@ -4378,11 +4378,11 @@
Default:
veto files= No files or directories are vetoed.- veto oplock files (S)
- This parameter is only valid when the oplocks + This parameter is only valid when the oplocks parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that match a wildcarded list, similar to the wildcarded list used in the - veto files parameter. + veto files parameter.
You might want to do this on files that you know will be heavily contended for by clients. A good example of this is in the NetBench SMB benchmark @@ -4554,12 +4554,12 @@
- workgroup (G)
This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with - the security = domain + the security = domain setting.
Default:
workgroup= WORKGROUPExample:
workgroup= MYGROUP -- writable
This parameter is a synonym for writeable.
- writeable (S)
Inverted synonym for read only.
No default
- write cache size (S)
If this integer parameter is set to non-zero value, +
- writable
This parameter is a synonym for writeable.
- writeable (S)
Inverted synonym for read only.
No default
- write cache size (S)
If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file (it does not do this for non-oplocked files). All writes that the client does not request @@ -4580,14 +4580,14 @@
- write list (S)
This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter - what the read only option is set to. The list can + what the read only option is set to. The list can include group names using the @group syntax.
Note that if a user is in both the read list and the write list then they will be given write access.
By design, this parameter will not work with the - security = share in Samba 3.0. + security = share in Samba 3.0.
Default:
write list=Example:
write list= admin, root, @staff @@ -4608,7 +4608,7 @@Example:
wtmp directory= /var/log/wtmp -
WARNINGS
Although the configuration file permits service names to contain spaces, your client software may not. Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.
@@ -4621,8 +4621,8 @@ for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the permissions on spool directories are correct. -
SEE ALSO
- samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).
SEE ALSO
+ samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).
AUTHOR
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.21a/docs/htmldocs/Samba3-ByExample/2000users.html samba-3.0.21b/docs/htmldocs/Samba3-ByExample/2000users.html --- samba-3.0.21a/docs/htmldocs/Samba3-ByExample/2000users.html 2005-12-29 10:24:19.000000000 -0600 +++ samba-3.0.21b/docs/htmldocs/Samba3-ByExample/2000users.html 2006-01-29 10:18:12.000000000 -0600 @@ -1,4 +1,4 @@ -
Table of Contents
+
Table of Contents
There is something indeed mystical about things that are big. Large networks exhibit a certain magnetism and exude a sense of importance that obscures reality. You and I know that it is no more @@ -30,7 +30,7 @@ Samba are largely under control. So in this section you focus on the specifics of implementing LDAP changes, Samba changes, and approach and design of the solution and its deployment. -
+
Abmas is a miracle company. Most businesses would have collapsed under the weight of rapid expansion that this company has experienced. Samba is flexible, so there is no need to reinstall the whole operating @@ -39,19 +39,19 @@ and then do a near-live conversion. There is no need to reinstall a Samba server just to change the way your network should function.
- + Network growth is common to all organizations. In this exercise, your preoccupation is with the mechanics of implementing Samba and LDAP so that network users on each network segment can work without impediment. -
+
Starting with the configuration files for the server called
MASSIVE in ???, you now deal with the
issues that are particular to large distributed networks. Your task
is simple identify the challenges, consider the
alternatives, and then design and implement a solution.
- + Remember, you have users based in London (UK), Los Angeles, Washington. DC, and, three buildings in New York. A significant portion of your workforce have notebook computers and roam all over the @@ -72,18 +72,18 @@ You have outsourced all desktop deployment and management to DirectPointe. Your concern is server maintenance and third-level support. Build a plan and show what must be done. -
+
+
In ???, you implemented an LDAP server that provided the
passdb backend for the Samba servers. You
explored ways to accelerate Windows desktop profile handling and you
took control of network performance.
- - - - + + + + The implementation of an LDAP-based passdb backend (known as ldapsam in Samba parlance), or some form of database that can be distributed, is essential to permit the deployment of Samba @@ -96,8 +96,8 @@ support the range of account facilities demanded by modern network managers.
- - + + The new tdbsam facility supports functionality that is similar to an ldapsam, but the lack of distributed infrastructure sorely limits the scope for its @@ -105,10 +105,10 @@ an XML-based backend, or for that matter, why not use an SQL-based backend? Is support for these tools broken? Answers to these questions require a bit of background.
- - - - + + + + What is a directory? A directory is a collection of information regarding objects that can be accessed to rapidly find information that is relevant in a particular and @@ -116,19 +116,19 @@ generally more often searched (read) than updated. As a consequence, the information is organized to facilitate read access rather than to support transaction processing.
- - - - + + + + The Lightweight Directory Access Protocol (LDAP) differs considerably from a traditional database. It has a simple search facility that uniquely makes a highly preferred mechanism for managing user identities. LDAP provides a scalable mechanism for distributing the data repository and for keeping all copies (slaves) in sync with the master repository.
- - - + + + Samba is a flexible and powerful file and print sharing technology. It can use many external authentication sources and can be part of a total authentication and identity management @@ -136,7 +136,7 @@ are Microsoft Active Directory and LDAP. Sites that specifically wish to avoid the proprietary implications of Microsoft Active Directory naturally gravitate toward OpenLDAP.
- + In ???, you had to deal with a locally routed network. All deployment concerns focused around making users happy, and that simply means taking control over all network practices and @@ -147,12 +147,12 @@ between offices. You must take into account the way users need to access information globally. And you must make the network robust enough so that it can sustain partial breakdown without causing loss of -productivity.
+productivity.
There are at least three areas that need to be addressed as you approach the challenge of designing a network solution for the newly expanded business: -
Let's look at each in turn.
+
Let's look at each in turn.
The new company has three divisions. Staff for each division are spread across the company. Some staff are office-bound and some are mobile users. Mobile users travel globally. Some spend considerable periods working in other offices. @@ -163,7 +163,7 @@ curtail user needs. Parts of the global Internet infrastructure remain shielded off for reasons outside the scope of this discussion.
- + Decisions must be made regarding where data is to be stored, how it will be replicated (if at all), and what the network bandwidth implications are. For example, one decision that can be made is to give each office its own master @@ -174,8 +174,8 @@ This way, they can synchronize all files that have changed since each logon to the network.
- - + + No matter which way you look at this, the bandwidth requirements for acceptable performance are substantial even if only 10 percent of staff are global data users. A company with 3,500 employees, @@ -188,11 +188,11 @@ profile involves a transfer of over 750 KB from the profile server to and from the client.
- + Obviously then, user needs and wide-area practicalities dictate the economic and technical aspects of your network design as well as for standard operating procedures. -
+ Network logons that include roaming profile handling requires from 140 KB to 2 MB. The inclusion of support for a minimal set of common desktop applications can push the size of a complete profile to over 15 MB. This has substantial implications @@ -200,8 +200,8 @@ determining the nature and style of mandatory profiles that may be enforced as part of a total service-level assurance program that might be implemented.
- - + + One way to reduce the network bandwidth impact of user logon traffic is through folder redirection. In ???, you implemented this in the new Windows XP Professional standard @@ -210,14 +210,14 @@ also be excluded from synchronization to and from the server on logon or logout. Redirected folders are analogous to network drive connections. -
Of course, network applications should only be run off local application servers. As a general rule, even with 2 Mb/sec network bandwidth, it would not make sense at all for someone who is working out of the London office to run applications off a server that is located in New York.
- + When network bandwidth becomes a precious commodity (that is most of the time), there is a significant demand to understand network processes and to mold the limits of acceptability around the @@ -226,15 +226,15 @@ When a Windows NT4/200x/XP Professional client user logs onto the network, several important things must happen.
- + The client obtains an IP address via DHCP. (DHCP is necessary so that users can roam between offices.)
- - + + The client must register itself with the WINS and/or DNS server.
The client must log onto a domain controller and obtain as part of @@ -256,15 +256,15 @@ name both by broadcast and Unicast registration that is directed at the WINS server.
- - + + Given that the client is already a domain member, it then sends a directed (Unicast) request to the WINS server seeking the list of IP addresses for domain controllers (NetBIOS name type 0x1C). The WINS server replies with the information requested.
- - - + + + The client sends two netlogon mailslot broadcast requests to the local network and to each of the IP addresses returned by the WINS server. Whichever answers this request first appears to @@ -274,9 +274,9 @@ was listed in the WINS server response to a request for the list of domain controllers.
- - - + + + The logon process begins with negotiation of the SMB/CIFS protocols that are to be used; this is followed by an exchange of information that ultimately includes the client sending the @@ -287,10 +287,10 @@ needs. A secondary fact we need to know is, what happens when local domain controllers fail or break?
- - - - + + + + Under most circumstances, the nearest domain controller responds to the netlogon mailslot broadcast. The exception to this norm occurs when the nearest domain controller is too busy or is out @@ -299,18 +299,18 @@ domain controllers. Since there can be only one PDC, all additional domain controllers are by definition BDCs.
- - + + The provision of sufficient servers that are BDCs is an important design factor. The second important design factor involves how each of the BDCs obtains user authentication data. That is the subject of the next section, which involves key decisions regarding Identity Management facilities. -
+ + + + Network managers recognize that in large organizations users generally need to be given resource access based on needs, while being excluded from other resources for reasons of privacy. It is @@ -319,9 +319,9 @@ by which user credentials are validated and filtered and appropriate rights and privileges are allocated.
-
-
-
+
+
+
Unfortunately, network resources tend to have their own Identity
Management facilities, the quality and manageability of which varies
from quite poor to exceptionally good. Corporations that use a mixture
@@ -333,7 +333,7 @@
What was once called Yellow Pages is today known
as Network Information System (NIS).
- + NIS gained a strong following throughout the UNIX/VMS space in a short period of time and retained that appeal and use for over a decade. Security concerns and inherent limitations have caused it to enter its @@ -343,9 +343,9 @@ demands as the demand for directory services that can be coupled with other information systems is catching on.
- - - + + + Nevertheless, both NIS and NIS+ continue to hold ground in business areas where UNIX still has major sway. Examples of organizations that remain firmly attached to the use of NIS and @@ -353,14 +353,14 @@ and large corporations that have a scientific or engineering focus.
- - + + Today's networking world needs a scalable, distributed Identity Management infrastructure, commonly called a directory. The most popular technologies today are Microsoft Active Directory service and a number of LDAP implementations.
- + The problem of managing multiple directories has become a focal point over the past decade, creating a large market for metadirectory products and services that allow organizations that @@ -369,15 +369,15 @@ another. The attendant benefit to end users is the promise of having to remember and deal with fewer login identities and passwords.
- + The challenge of every large network is to find the optimum balance of internal systems and facilities for Identity Management resources. How well the solution is chosen and implemented has potentially significant impact on network bandwidth and systems response needs.
+ + - - In ???, you implemented a single LDAP server for the entire network. This may work for smaller networks, but almost certainly fails to meet the needs of large and complex networks. The @@ -386,8 +386,8 @@ What is the best method for implementing master/slave LDAP servers within the context of a distributed 2,000-user network is a question that remains to be answered.
- - + + One possibility that has great appeal is to create a single, large distributed domain. The practical implications of this design (see ???) demands the placement of @@ -398,7 +398,7 @@ productivity against the cost of network management and maintenance.
- + The network design in ??? takes the approach that management of networks that are too remote to be managed effectively from New York ought to be given a certain degree of @@ -409,22 +409,22 @@ the ability for network users to roam globally without some compromise in how they may access global resources.
- + Desk-bound users need not be negatively affected by this design, since the use of interdomain trusts can be used to satisfy the need for global data sharing.
- - - + + + When Samba-3 is configured to use an LDAP backend, it stores the domain account information in a directory entry. This account entry contains the domain SID. An unintended but exploitable side effect is that this makes it possible to operate with more than one PDC on a distributed network.
- - - + + + How might this peculiar feature be exploited? The answer is simple. It is imperative that each network segment have its own WINS server. Major servers on remote network segments can be given a static WINS entry in @@ -434,8 +434,8 @@ same domain SID. Since all domain account information can be stored in a single LDAP backend, users have unfettered ability to roam.
- - + + This concept has not been exhaustively validated, though we can see no reason why this should not work. The important facets are the following: The name of the domain must be identical in all locations. Each network segment must have @@ -446,10 +446,10 @@ on every network segment. Finally, the BDCs should each use failover LDAP servers that are in fact slave LDAP servers on the local segments.
- + + + - - With a single master LDAP server, all network updates are effected on a single server. In the event that this should become excessively fragile or network bandwidth limiting, one could implement a delegated LDAP domain. This is also @@ -463,7 +463,7 @@ administrators must of necessity follow the same standard procedures for managing the directory, because retroactive correction of inconsistent directory information can be exceedingly difficult. -
As organizations grow, the number of points of control increases also. In a large distributed organization, it is important that the Identity Management system be capable of being updated from @@ -471,11 +471,11 @@ become usable in a reasonable period, typically minutes rather than days (the old limitation of highly manual systems). -
+ + + + Samba-3 has the ability to use multiple password (authentication and identity resolution) backends. The diagram in ??? demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system @@ -483,13 +483,13 @@ authentication and identity resolution (obtaining a UNIX UID/GID) using the specific systems shown.
-
-
-
-
-
-
-
+
+
+
+
+
+
+
Samba is capable of using the smbpasswd,
tdbsam, xmlsam,
and mysqlsam authentication databases. The SMB
@@ -497,7 +497,7 @@
backend. LDAP is the preferred passdb backend for distributed network
operations.
- + Additionally, it is possible to use multiple passdb backends concurrently as well as have multiple LDAP backends. As a result, you can specify a failover LDAP backend. The syntax for specifying a @@ -509,8 +509,8 @@
This configuration tells Samba to use a single LDAP server, as shown in ???.
-
-
+
+
The addition of a failover LDAP server can simply be done by adding a
second entry for the failover server to the single ldapsam
entry, as shown here (note the particular use of the double quotes):
@@ -532,7 +532,7 @@
ldapsam:ldap://slave.abmas.biz
...
- + The effect of this style of entry is that Samba lists the users that are in both LDAP databases. If both contain the same information, it results in each record being shown twice. This is, of course, not the @@ -553,9 +553,9 @@ It is assumed that the network you are working with follows in a pattern similar to what was covered in ???. The following steps permit the operation of a master/slave OpenLDAP arrangement. -
Procedure 6.1. Implementation Steps for an LDAP Slave Server
Procedure 6.1. Implementation Steps for an LDAP Slave Server
+ + Log onto the master LDAP server as
root. You are about to change the configuration of the LDAP server, so it makes sense to temporarily halt it. Stop OpenLDAP from running on @@ -568,7 +568,7 @@root#service ldap stop- + Edit the
/etc/openldap/slapd.conffile so it matches the content of ???.@@ -592,8 +592,8 @@
root#slapadd -v -l admin-accts.ldif- - + + Change directory to a suitable place to dump the contents of the LDAP server. The dump file (and LDIF file) is used to preload the slave LDAP server database. You can dump the database by executing: @@ -602,7 +602,7 @@
Each record is written to the file.
- + Copy the file
LDAP-transfer-LDIF.txtto the intended slave LDAP server. A good location could be in the directory/etc/openldap/preload. @@ -652,9 +652,9 @@root#chkconfig ldap on- - - + + + Go back to the master LDAP server. Execute the following to start LDAP as well as slurpd, the synchronization daemon, as shown here:
@@ -663,10 +663,10 @@
root#rcslurpd startroot#chkconfig slurpd on- + On Red Hat Linux, check the equivalent command to start slurpd.
- + On the master LDAP server you may now add an account to validate that replication is working. Assuming the configuration shown in ???, execute:
@@ -791,12 +791,12 @@ index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub -
Example 6.3. Primary Domain Controller
smb.confFile Part AExample 6.4. Primary Domain Controller
smb.confFile Part BExample 6.5. Primary Domain Controller
smb.confFile Part CExample 6.6. Backup Domain Controller
smb.confFile Part AExample 6.7. Backup Domain Controller
smb.confFile Part BExample 6.3. Primary Domain Controller
smb.confFile Part AExample 6.4. Primary Domain Controller
smb.confFile Part BExample 6.5. Primary Domain Controller
smb.confFile Part CExample 6.6. Backup Domain Controller
smb.confFile Part AExample 6.7. Backup Domain Controller
smb.confFile Part B+ Where Samba-3 is used as a domain controller, the use of LDAP is an essential component to permit the use of BDCs.
- + Replication of the LDAP master server to create a network of BDCs is an important mechanism for limiting WAN traffic.
@@ -808,55 +808,55 @@ Roaming profiles must be contained to the local network segment. Any departure from this may clog wide-area arteries and slow legitimate network traffic to a crawl. -
There is much rumor and misinformation regarding the use of MS Windows networking protocols. These questions are just a few of those frequently asked. -
-
+
- DHCP networkbandwidth Is it true that DHCP uses lots of WAN bandwidth? -
- +
- background communication LDAPmaster/slavebackground communication How much background communication takes place between a master LDAP server and its slave LDAP servers? -
- +
- LDAP has a database. Is LDAP not just a fancy database front end? -
- +
- OpenLDAP Can Active Directory obtain account information from an OpenLDAP server? -
- +
- What are the parts of a roaming profile? How large is each part? -
- +
- Can the My Documents folder be stored on a network drive? -
- +
- wide-area networkbandwidth WINS How much WAN bandwidth does WINS consume? -
- +
- How many BDCs should I have? What is the right number of Windows clients per server? -
- +
- NIS serverLDAP I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to run an NIS server? -
- +
- Can I use NIS in place of LDAP? -
