diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/findsmb.1.html samba-3.0.23/docs/htmldocs/manpages/findsmb.1.html --- samba-3.0.22/docs/htmldocs/manpages/findsmb.1.html 2006-01-29 10:15:40.000000000 -0600 +++ samba-3.0.23/docs/htmldocs/manpages/findsmb.1.html 2006-07-06 05:17:37.000000000 -0500 @@ -1,12 +1,12 @@
findsmb — list info about machines that respond to SMB - name queries on a subnet
findsmb [subnet broadcast address]
findsmb [subnet broadcast address]
This perl script is part of the samba(7) suite.
findsmb is a perl script that prints out several pieces of information about machines on a subnet that respond to SMB name query requests. It uses nmblookup(1) and smbclient(1) to obtain this information. -
Controls whether findsmb takes +
Controls whether findsmb takes
bugs in Windows95 into account when trying to find a Netbios name
registered of the remote machine. This option is disabled by default
because it is specific to Windows 95 and Windows 95 machines only.
@@ -16,7 +16,7 @@
findsmb(1)
is run. This value is passed to
nmblookup(1)
- as part of the -B option.
The output of findsmb lists the following information for all machines that respond to the initial nmblookup for any name: IP address, NetBIOS name, Workgroup name, operating system, and SMB server version.
There will be a '+' in front of the workgroup name for @@ -48,10 +48,10 @@ 192.168.35.88 SCNT2 +[MVENGR] [Windows NT 4.0] [NT LAN Manager 4.0] 192.168.35.93 FROGSTAR-PC [MVENGR] [Windows 5.0] [Windows 2000 LAN Manager] 192.168.35.97 HERBNT1 *[HERB-NT] [Windows NT 4.0] [NT LAN Manager 4.0] -
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/libsmbclient.7.html samba-3.0.23/docs/htmldocs/manpages/libsmbclient.7.html --- samba-3.0.22/docs/htmldocs/manpages/libsmbclient.7.html 2006-01-29 10:15:43.000000000 -0600 +++ samba-3.0.23/docs/htmldocs/manpages/libsmbclient.7.html 2006-07-06 05:17:38.000000000 -0500 @@ -1,6 +1,6 @@
libsmbclient — An extension library for browsers and that can be used as a generic browsing API.
Browser URL:
smb://[[[domain:]user[:password@]]server[/share[/path[/file]]]] [?options] -
This tool is part of the samba(7) suite.
libsmbclient is a library toolset that permits applications to manipulate CIFS/SMB network @@ -12,7 +12,7 @@ libsmbclient can not be used directly from the command line, instead it provides an extension of the capabilities of tools such as file managers and browsers. This man page describes the configuration options for this tool so that the user may obtain greatest utility of use. -
What the URLs mean:
Shows all workgroups or domains that are visible in the network. The behavior matches
@@ -44,11 +44,11 @@
libsmbclient will check the users shell environment for the USER
parameter and will use its value when if the user parameter was not included
in the URL.
-
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/lmhosts.5.html samba-3.0.23/docs/htmldocs/manpages/lmhosts.5.html --- samba-3.0.22/docs/htmldocs/manpages/lmhosts.5.html 2006-01-29 10:15:45.000000000 -0600 +++ samba-3.0.23/docs/htmldocs/manpages/lmhosts.5.html 2006-07-06 05:17:39.000000000 -0500 @@ -1,8 +1,8 @@ -
lmhosts — The Samba NetBIOS hosts file
lmhosts is the samba(7) NetBIOS name to IP address mapping file.
This file is part of the samba(7) suite.
lmhosts — The Samba NetBIOS hosts file This file is part of the samba(7) suite. It is an ASCII file containing one line for NetBIOS name.
+ to the NetBIOS naming format. It is an ASCII file containing one line for NetBIOS name.
The two fields on each line are separated from each other by
white space. Any entry beginning with '#' is ignored. Each line
in the lmhosts file contains the following information: IP Address - in dotted decimal format. NetBIOS Name - This name format is a
@@ -25,10 +25,10 @@
the NetBIOS name requested. The second mapping will be returned only when the "0x20" name
type for a name "NTSERVER" is queried. Any other name type will not
be resolved. The default location of the lmhosts is loaded from the configuration directory. This is
+ is in the same directory as the smb.conf(5) file. lmhosts is loaded from the configuration directory. This is
usually The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
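Review bot: the replacement line '+ is in the same directory as the smb.conf(5) file. lmhosts is loaded from the configuration directory.' says the same thing twice in a row; keep one of the two sentences. Since the nmbd(8) page later in this patch documents the option that names the lmhosts file nmbd loads, a pointer to it here would tell readers that the default location can be overridden.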
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/log2pcap.1.html samba-3.0.23/docs/htmldocs/manpages/log2pcap.1.html
--- samba-3.0.22/docs/htmldocs/manpages/log2pcap.1.html 2006-01-29 10:15:49.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/log2pcap.1.html 2006-07-06 05:17:40.000000000 -0500
@@ -1,11 +1,11 @@
- log2pcap — Extract network traces from Samba log files This tool is part of the samba(7) suite. log2pcap reads in a
+ log2pcap — Extract network traces from Samba log files This tool is part of the samba(7) suite. log2pcap reads in a
samba log file and generates a pcap file (readable
by most sniffers, such as ethereal or tcpdump) based on the packet
dumps in the log file. The log file must have a If this parameter is
+ If this parameter is
specified the output file will be a
hex dump, in a format that is readable
by the text2pcap utility. Be quiet. No warning messages about missing
@@ -17,13 +17,13 @@
If this argument is not specified, output data will be written
to stdout.
Print a summary of command line options.
- Extract all network traffic from all samba log files: Convert to pcap using text2pcap: mount.cifs — mount using the Common Internet File System (CIFS) This tool is part of the samba(7) suite. mount.cifs mounts a Linux CIFS filesystem. It
+ mount.cifs — mount using the Common Internet File System (CIFS) This tool is part of the samba(7) suite. mount.cifs mounts a Linux CIFS filesystem. It
is usually invoked indirectly by
the mount(8) command when using the
"-t cifs" option. This command only works in Linux, and the kernel must
@@ -20,7 +20,7 @@
mount.cifs causes the cifs vfs to launch a thread named cifsd. After mounting it keeps running until
the mounted resource is unmounted (usually via the umount utility).
- specifies the username to connect as. If
+ specifies the username to connect as. If
this is not given, then the environment variable USER is used. This option can also take the
form "user%password" or "workgroup/user" or
"workgroup/user%password" to allow the password and workgroup
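Review bot: the "user%password" and "workgroup/user%password" forms described under 'specifies the username to connect as' put the password on the mount command line, where it is visible in shell history and process listings; this page also documents the PASSWD and PASSWD_FILE environment variables and a credentials file, so add one sentence here pointing to those as the preferred way to supply the password.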
@@ -163,7 +163,7 @@
the server lacks support for returning inode numbers or equivalent.
client generates inode numbers (rather than using the actual one
from the server) by default.
- (default) Do not allow getfattr/setfattr to get/set xattrs, even if server would support it otherwise. default network read size default network write size Print additional debugging information for the mount. Note that this parameter must be specified before the -o. For example: mount -t cifs //server/share /mnt --verbose -o user=username
+ (default) Do not allow getfattr/setfattr to get/set xattrs, even if server would support it otherwise. default network read size default network write size Print additional debugging information for the mount. Note that this parameter must be specified before the -o. For example: mount -t cifs //server/share /mnt --verbose -o user=username
The variable USER may contain the username of the
person to be used to authenticate to the server.
The variable can be used to set both username and
@@ -175,7 +175,7 @@
The variable PASSWD_FILE may contain the pathname
of a file to read the password from. A single line of input is
read and used as the password.
- This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled. This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled.
The primary mechanism for making configuration changes and for reading
debug information for the cifs vfs is via the Linux /proc filesystem.
In the directory Mounting using the CIFS URL specification is currently not supported.
The credentials file does not handle usernames or passwords with
leading space.
Note that the typical response to a bug report is a suggestion
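Review bot: 'noeexec' in the sentence 'This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled' is a typo for the noexec mount flag; the sentence describes the restriction applied to setuid installs, so the flag name should be exact. The same sentence also appears twice on that line, so check that the rendered page carries it only once.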
@@ -194,11 +194,11 @@
and always include which versions you use of relevant software
when reporting bugs (minimum: mount.cifs (try mount.cifs -V), kernel (see /proc/version) and
server type you are trying to contact.
- This man page is correct for version 1.39 of
- the cifs vfs filesystem (roughly Linux kernel 2.6.15). This man page is correct for version 1.39 of
+ the cifs vfs filesystem (roughly Linux kernel 2.6.15).
Documentation/filesystems/cifs.txt and fs/cifs/README in the linux kernel
source tree may contain additional options and information.
- Steve French The syntax and manpage were loosely based on that of smbmount. It
was converted to Docbook/XML by Jelmer Vernooij. The maintainer of the Linux cifs vfs and the userspace
tool mount.cifs is Steve French.
The Linux CIFS Mailing list
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/net.8.html samba-3.0.23/docs/htmldocs/manpages/net.8.html
--- samba-3.0.22/docs/htmldocs/manpages/net.8.html 2006-01-29 10:15:54.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/net.8.html 2006-07-06 05:17:42.000000000 -0500
@@ -1,13 +1,13 @@
net — Tool for administration of Samba and remote
CIFS servers.
- This tool is part of the samba(7) suite. The samba net utility is meant to work just like the net utility
+ This tool is part of the samba(7) suite. The samba net utility is meant to work just like the net utility
available for windows and DOS. The first argument should be used
to specify the protocol to use when executing a certain command.
ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3)
clients and RPC can be used for NT4 and Windows 2000. If this
argument is omitted, net will try to determine it automatically.
Not all commands are available on all protocols.
- Print a summary of command line options.
+ Print a summary of command line options.
Sets target workgroup or domain. You have to specify
either this option or the IP address or the name of a server.
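Review bot: 'RAP is using for old (Win9x/NT3) clients' in the unchanged context should read 'RAP is used for'; the adjacent line is already being touched, so this is a cheap fix to fold in.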
@@ -24,7 +24,7 @@
Defaults to trying 445 first, then 139.
This option allows you to override
the NetBIOS name that Samba uses for itself. This is identical
-to setting the parameter in the The file specified contains the
@@ -53,19 +53,19 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
-in the This command allows the Samba machine account password to be set from an external application
to a machine account password that has already been stored in Active Directory. DO NOT USE this command
unless you know exactly what you are doing. The use of this command requires that the force flag (-f)
be used also. There will be NO command prompt. Whatever information is piped into stdin, either by
typing at the command line or otherwise, will be stored as the literal machine password. Do NOT use
this without care and attention as it will overwrite a legitimate machine password without warning.
YOU HAVE BEEN WARNED.
- The NET TIME command allows you to view the time on a remote server
- or synchronise the time on the local server with the time on the remote server. The NET TIME command allows you to view the time on a remote server
+ or synchronise the time on the local server with the time on the remote server.
Join a domain. If the account already exists on the server, and
[TYPE] is MEMBER, the machine will attempt to join automatically.
(Assuming that the machine has been created in server manager)
@@ -73,71 +73,71 @@
be created.
[TYPE] may be PDC, BDC or MEMBER to specify the type of server
joining the domain.
- Join a domain. Use the OLDJOIN option to join the domain
using the old style of domain joining - you need to create a trust
-account in server manager first. Enumerates all exported resources (network shares) on target server. Adds a share from a server (makes the export active). Maxusers
+account in server manager first. Enumerates all exported resources (network shares) on target server.
Validate whether the specified user can log in to the
remote server. If the password is not specified on the commandline, it
will be prompted.
- Currently NOT implemented. Execute the specified Currently NOT implemented. Samba uses a general caching interface called 'gencache'. It
can be controlled using 'NET CACHE'. All the timeout parameters support the suffixes:
- Print the SID of the specified domain, or if the parameter is
+omitted, the SID of the domain the local server is in. Manage the mappings between Windows group SIDs and UNIX groups.
Parameters take the for "parameter=value". Common options include: unixgroup - Name of the UNIX group ntgroup - Name of the Windows NT group (must be
resolvable to a SID rid - Unsigned 32-bit integer sid - Full SID in the form of "S-1-..." type - Type of the group; either 'domain', 'local',
- or 'builtin' comment - Freeform text description of the group
Add a new group mapping entry:
- Delete a group mapping entry. If more then one group name matches, the first entry found is deleted. net groupmap delete {ntgroup=string|sid=SID} Delete a group mapping entry. If more then one group name matches, the first entry found is deleted. net groupmap delete {ntgroup=string|sid=SID} Prints out the highest RID currently in use on the local
server (by the active 'passdb backend').
- Print information about the domain of the remote server,
such as domain name, domain sid and number of users and groups.
- Remove interdomain trust account for
Currently NOT implemented. Shut down the remote server.
+can be found in the Samba-HOWTO-Collection. Shut down the remote server.
Reboot after shutdown.
Force shutting down all applications.
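Review bot: two typos sit in the unchanged context of this hunk: 'Parameters take the for "parameter=value"' should be 'take the form', and 'If more then one group name matches' should be 'more than one'. The description of 'net groupmap delete {ntgroup=string|sid=SID}' is also repeated twice on one line, so confirm the rendered page shows it once.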
@@ -145,22 +145,119 @@
Timeout before system will be shut down. An interactive
user of the system can use this time to cancel the shutdown.
Display the specified message on the screen to
-announce the shutdown. Export users, aliases and groups from remote server to
local server. Can only be run an a BDC.
- Print out status of machine account of the local machine in ADS.
Prints out quite some debug info. Aimed at developers, regular
-users should use NET ADS TESTJOIN. Perform a raw LDAP search on a ADS server and dump the results. The
expression is a standard LDAP search expression, and the
attributes are a list of LDAP fields to show in the results. Example: The original Samba software and related utilities
+ Example: Starting with version 3.0.23, a Samba server now supports the ability for
+non-root users to add user define shares to be exported using the "net usershare"
+commands.
+
+To set this up, first set up your smb.conf by adding to the [global] section :
+
+usershare path = /usr/local/samba/lib/usershares
+
+Next create the directory /usr/local/samba/lib/usershares, change the owner to root and
+set the group owner to the UNIX group who should have the ability to create usershares,
+for example a group called "serverops".
+
+Set the permissions on /usr/local/samba/lib/usershares to 01770.
+
+(Owner and group all access, no access for others, plus the sticky bit,
+which means that a file in that directory can be renamed or deleted only
+by the owner of the file).
+
+Finally, tell smbd how many usershares you will allow by adding to the [global]
+section of smb.conf a line such as :
+
+usershare max shares = 100.
+
+To allow 100 usershare definitions. Now, members of the UNIX group "serverops"
+can create user defined shares on demand using the commands below.
+ The usershare commands are:
+
+
+
+
+Add or replace a new user defined share, with name "sharename".
+
+"path" specifies the absolute pathname on the system to be exported.
+Restrictions may be put on this, see the global smb.conf parameters :
+"usershare owner only", "usershare prefix allow list", and
+"usershare prefix deny list".
+
+The optional "comment" parameter is the comment that will appear
+on the share when browsed to by a client.
+ The optional "acl" field
+specifies which users have read and write access to the entire share.
+Note that guest connections are not allowed unless the smb.conf parameter
+"usershare allow guests" has been set. The definition of a user
+defined share acl is : "user:permission", where user is a valid
+username on the system and permission can be "F", "R", or "D".
+"F" stands for "full permissions", ie. read and write permissions.
+"D" stands for "deny" for a user, ie. prevent this user from accessing
+this share.
+"R" stands for "read only", ie. only allow read access to this
+share (no creation of new files or directories or writing to files).
+
+The default if no "acl" is given is "Everyone:R", which means any
+authenticated user has read-only access.
+
+The optional "guest_ok" has the same effect as the parameter of the
+same name in smb.conf, in that it allows guest access to this user
+defined share. This parameter is only allowed if the global parameter
+"usershare allow guests" has been set to true in the smb.conf.
+
+Deletes the user defined share by name. The Samba smbd daemon
+immediately notices this change, although it will not disconnect
+any users currently connected to the deleted share.
+
+Get info on user defined shares owned by the current user matching the given pattern, or all users.
+
+net usershare info on its own dumps out info on the user defined shares that were
+created by the current user, or restricts them to share names that match the given
+wildcard pattern ('*' matches one or more characters, '?' matches only one character).
+If the '-l' or '--long' option is also given, it prints out info on user defined
+shares created by other users.
+
+The information given about a share looks like :
+
+[foobar]
+path=/home/jeremy
+comment=testme
+usershare_acl=Everyone:F
+guest_ok=n
+
+And is a list of the current settings of the user defined share that can be
+modified by the "net usershare add" command.
+
+List all the user defined shares owned by the current user matching the given pattern, or all users.
+
+net usershare list on its own list out the names of the user defined shares that were
+created by the current user, or restricts the list to share names that match the given
+wildcard pattern ('*' matches one or more characters, '?' matches only one character).
+If the '-l' or '--long' option is also given, it includes the names of user defined
+shares created by other users.
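Review bot: the line '+usershare max shares = 100.' carries the sentence's full stop inside what is presented as an smb.conf line; a reader copying it verbatim sets the value to '100.' rather than 100, so move the period out of the configuration line (the earlier 'usershare path = ...' line is fine). Two further points on the walkthrough: the 01770 explanation is right, but the setup steps should say up front that members of the "serverops" group can export any absolute path until 'usershare owner only', 'usershare prefix allow list' and 'usershare prefix deny list' are set, since those restrictions are only named later under the add command; and the default acl text '"Everyone:R", which means any authenticated user has read-only access' should repeat that guests still need 'usershare allow guests', so that "Everyone" is not read as including unauthenticated users.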
+ nmbd — NetBIOS name server to provide NetBIOS
- over IP naming services to clients This program is part of the samba(7) suite. nmbd is a server that understands
+ over IP naming services to clients This program is part of the samba(7) suite. nmbd is a server that understands
and can reply to NetBIOS over IP name service requests, like
those produced by SMB/CIFS clients such as Windows 95/98/ME,
Windows NT, Windows 2000, Windows XP and LanManager clients. It also
@@ -11,7 +11,7 @@
specified it will respond with the IP number of the host it
is running on. Its "own NetBIOS name" is by
default the primary DNS name of the host it is running on,
- but this can be overridden by the netbios name
+ but this can be overridden by the netbios name
in In addition, nmbd can act as a WINS
proxy, relaying broadcast queries from clients that do
not understand how to talk the WINS protocol to a WINS
- server. If specified, this parameter causes
+ server. If specified, this parameter causes
nmbd to operate as a daemon. That is,
it detaches itself and runs in the background, fielding
requests on the appropriate port. By default, nmbd
@@ -51,7 +51,7 @@
NetBIOS lmhosts file. The lmhosts
file is a list of NetBIOS names to IP addresses that
is loaded by the nmbd server and used via the name
- resolution mechanism name resolve order described in smb.conf(5) to resolve any
+ resolution mechanism name resolve order described in smb.conf(5) to resolve any
NetBIOS name queries needed by the server. Note
that the contents of this file are NOT
used by nmbd to answer any name queries.
@@ -80,7 +80,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
If the server is to be run by the
inetd meta-daemon, this file
must contain suitable startup information for the
meta-daemon.
@@ -104,18 +104,18 @@
configuration file. Other common places that systems
install this file are When run as a WINS server (see the
- wins support
+ wins support
parameter in the smb.conf(5) man page),
nmbd
will store the WINS database in the file If nmbd is acting as a
- browse master (see the local master
+ browse master (see the local master
parameter in the smb.conf(5) man page, nmbd
will store the browsing database in the file To shut down an nmbd process it is recommended
that SIGKILL (-9) NOT be used, except as a last
resort, as this may leave the name database in an inconsistent state.
The correct way to terminate nmbd is to send it
@@ -129,13 +129,13 @@
using smbcontrol(1) (SIGUSR[1|2] signals
are no longer used since Samba 2.2). This is to allow
transient problems to be diagnosed, whilst still running
- at a normally low log level.
inetd(8), smbd(8), smb.conf(5), smbclient(1), testparm(1), testprns(1), and the Internet
RFC's The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/nmblookup.1.html samba-3.0.23/docs/htmldocs/manpages/nmblookup.1.html
--- samba-3.0.22/docs/htmldocs/manpages/nmblookup.1.html 2006-01-29 10:15:59.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/nmblookup.1.html 2006-07-06 05:17:44.000000000 -0500
@@ -1,9 +1,9 @@
nmblookup — NetBIOS over TCP/IP client used to lookup NetBIOS
- names This tool is part of the samba(7) suite. nmblookup is used to query NetBIOS names
and map them to IP addresses in a network using NetBIOS over TCP/IP
queries. The options allow the name queries to be directed at a
particular IP broadcast area or to a particular machine. All queries
- are done over UDP. Searches for a master browser by looking
+ are done over UDP. Searches for a master browser by looking
up the NetBIOS name Interpret This option allows you to override
the NetBIOS name that Samba uses for itself. This is identical
-to setting the parameter in the This specifies a NetBIOS scope that
@@ -73,7 +73,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
nmblookup can be used to query
a WINS server (in the same way nslookup is
used to query DNS servers). To query a WINS server, nmblookup
must be called like this: nmblookup -U server -R 'name' For example, running : nmblookup -U samba.org -R 'IRIX#1B' would query the WINS server samba.org for the domain
- master browser (1B name type) for the IRIX workgroup. The original Samba software and related utilities
+ master browser (1B name type) for the IRIX workgroup. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/ntlm_auth.1.html samba-3.0.23/docs/htmldocs/manpages/ntlm_auth.1.html
--- samba-3.0.22/docs/htmldocs/manpages/ntlm_auth.1.html 2006-01-29 10:16:02.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/ntlm_auth.1.html 2006-07-06 05:17:46.000000000 -0500
@@ -1,18 +1,18 @@
- ntlm_auth — tool to allow external access to Winbind's NTLM authentication function This tool is part of the samba(7) suite. ntlm_auth is a helper utility that authenticates
+ ntlm_auth — tool to allow external access to Winbind's NTLM authentication function This tool is part of the samba(7) suite. ntlm_auth is a helper utility that authenticates
users using NT/LM authentication. It returns 0 if the users is authenticated
successfully and 1 if access was denied. ntlm_auth uses winbind to access
the user and authentication data for a domain. This utility
is only indended to be used by other programs (currently
Squid
and mod_ntlm_winbind)
-
The winbindd(8) daemon must be operational
for many of these commands to function. Some of these commands also require access to the directory
+ security reasons, this directory should not be world-accessable.
Operate as a stdio-based helper. Valid helper protocols are:
Server-side helper for use with Squid 2.4's basic (plaintext)
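Review bot: 'world-accessable' in the added line '+ security reasons, this directory should not be world-accessable.' should be 'world-accessible'. The preceding sentence 'Some of these commands also require access to the directory' is cut off before the directory name in the text shown here, so verify the rendered page names it; the access requirement is the point of the paragraph.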
@@ -64,33 +64,33 @@
any data (such as usernames/passwords) that may contain malicous user data, such as
a newline. They may also need to decode strings from
the helper, which likewise may have been base64 encoded. The user's domain, expected to be in
- Samba's unix charset.
- The fully qualified username, expected to be in
- Samba's and qualified with the
- winbind separator.
- The 8 byte LANMAN Challenge value,
+ Samba's unix charset.
+ The user's domain, expected to be in
+ Samba's unix charset.
+ The fully qualified username, expected to be in
+ Samba's and qualified with the
+ winbind separator.
+ The 8 byte LANMAN Challenge value,
generated randomly by the server, or (in cases such as
MSCHAPv2) generated in some way by both the server and
the client.
- The 24 byte LANMAN Response value,
+ The 24 byte LANMAN Response value,
calculated from the user's password and the supplied
LANMAN Challenge. Typically, this
is provided over the network by a client wishing to authenticate.
- The >= 24 byte NT Response
+ The >= 24 byte NT Response
calculated from the user's password and the supplied
LANMAN Challenge. Typically, this is
provided over the network by a client wishing to authenticate.
- The user's password. This would be
+ The user's password. This would be
provided by a network client, if the helper is being
used in a legacy situation that exposes plaintext
passwords in this way.
- Apon sucessful authenticaiton, return
+ Apon sucessful authenticaiton, return
the user session key associated with the login.
- Apon sucessful authenticaiton, return
+ Apon sucessful authenticaiton, return
the LANMAN session key associated with the login.
-
+
Specify username of user to authenticate
Specify domain of user to authenticate
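Review bot: the lines '- Apon sucessful authenticaiton, return' are re-emitted unchanged as '+ Apon sucessful authenticaiton, return'; since they are being rewritten anyway, fix them to 'Upon successful authentication, return'. 'malicous user data' in the context at the top of the hunk should be 'malicious'.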
@@ -123,12 +123,12 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
Print a summary of command line options.
- To setup ntlm_auth for use by squid 2.5, with both basic and
NTLMSSP authentication, the following
should be placed in the If you're experiencing problems with authenticating Internet Explorer running
under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication
helper (--helper-protocol=squid-2.5-ntlmssp), then please read
the Microsoft Knowledge Base article #239869 and follow instructions described there.
- The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The ntlm_auth manpage was written by Jelmer Vernooij and
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/pam_winbind.7.html samba-3.0.23/docs/htmldocs/manpages/pam_winbind.7.html
--- samba-3.0.22/docs/htmldocs/manpages/pam_winbind.7.html 2006-01-29 10:16:05.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/pam_winbind.7.html 2006-07-06 05:17:47.000000000 -0500
@@ -1,12 +1,19 @@
- pam_winbind — PAM module for Winbind This tool is part of the samba(7) suite.
+ pam_winbind — PAM module for Winbind This tool is part of the samba(7) suite.
pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon.
-
+
+ pam_winbind supports several options which can either be set in
+ the PAM configuration files or in the pam_winbind configuration
+ file situated at
+ Gives debugging output to syslog.
If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
can be either a group-SID, a alias-SID or even a user-SID. It is also possible to give a NAME instead of the
- SID. That name must have the form:
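Review bot: the added sentence '+ file situated at' ends before the file name in the text shown here; verify the rendered page includes the path, because this sentence is the only place the page tells readers where the pam_winbind configuration file lives. In the unchanged context, 'a alias-SID' should read 'an alias-SID'.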
@@ -16,10 +23,37 @@
Set the new password to the one provided by the previously stacked password module. If this option is not set
pam_winbind will ask the user for the new password.
+
+
+ pam_winbind can authenticate using Kerberos when winbindd is
+ talking to an Active Directory domain controller. Kerberos
+ authentication must be enabled with this parameter. When
+ Kerberos authentication can not succeed (e.g. due to clock
+ skew), winbindd will fallback to samlogon authentication over
+ MSRPC. When this parameter is used in conjunction with
+
+
+ When pam_winbind is configured to try kerberos authentication
+ by enabling the
+ Winbind allows to logon using cached credentials when
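Review bot: the added Kerberos paragraph states that winbindd 'will fallback to samlogon authentication over MSRPC' when Kerberos cannot succeed, but does not say whether that fallback is reported; add a sentence on how an administrator can see it (for example through the syslog debugging output documented above), since a site that requires Kerberos needs a way to notice a silent downgrade to the MSRPC path. Also 'will fallback' should be 'will fall back', and 'Winbind allows to logon' should be 'allows logging on'.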
- pdbedit — manage the SAM database (Database of Samba Users) This tool is part of the samba(7) suite. The pdbedit program is used to manage the users accounts
+ pdbedit — manage the SAM database (Database of Samba Users) This tool is part of the samba(7) suite. The pdbedit program is used to manage the users accounts
stored in the sam database and can only be run by root. The pdbedit tool uses the passdb modular interface and is
independent from the kind of users database used (currently there
are smbpasswd, ldap, nis+ and tdb based and more can be added
without changing the tool). There are five main ways to use pdbedit: adding a user account,
removing a user account, modifing a user account, listing user
- accounts, importing users accounts. This option lists all the user accounts
+ accounts, importing users accounts. This option lists all the user accounts
present in the users database.
This option prints a list of user/uid pairs separated by
the ':' character. Example: pdbedit -L Example: -h "\\\\BERSERKER\\sorce"
This option can be used while adding or
modifing a user account. It will specify the windows drive
- letter to be used to map the home directory. Example: -d "H:"
+ letter to be used to map the home directory. Example: -D "H:"
This option can be used while adding or
modifing a user account. It will specify the user's logon
script path. Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat"
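Review bot: the change from 'Example: -d "H:"' to 'Example: -D "H:"' in the drive-letter entry is a correctness fix (upper-case -D is the drive option; lower-case -d is the debug-level switch on Samba tools), so the commit message should call it out as a documentation bug fix rather than a markup-only change. 'modifing a user account' in the context lines should be 'modifying'.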
@@ -78,12 +78,15 @@
retype new password
This option is used to modify an existing user
+ This option causes pdbedit to read the password
+ from standard input, rather than from /dev/tty (like the
+ passwd(1) program does). The password has
+ to be submitted twice and terminated by a newline each. This option is used to modify an existing user
in the database. This command needs a user name specified with the -u
switch. Other options can be specified to modify the properties of
the specified user. This flag is kept for backwards compatibility, but
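Review bot: in the new standard-input paragraph, "The password has to be submitted twice and terminated by a newline each" reads awkwardly; suggest "The password must be entered twice, each time terminated by a newline". The new text also runs straight into the unrelated "This option is used to modify an existing user" sentence on the same line, so check that the two option entries are separated in the rendered page.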
@@ -113,7 +116,10 @@
Example: pdbedit -P "bad lockout attempt" -C 3 Print a summary of command line options.
+ If you specify This option will allow to migrate account policies from their default
+ tdb-store into a passdb backend, e.g. an LDAP directory server. Example: pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host Print a summary of command line options.
Prints the program version number.
The file specified contains the
configuration details required by the server. The
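Review bot: "This option will allow to migrate account policies" is ungrammatical; suggest "This option allows you to migrate account policies from their default tdb store into a passdb backend". The same added line opens with the dangling fragment "If you specify", which needs to be completed or dropped.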
@@ -134,12 +140,12 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
profiles — A utility to report and change SIDs in registry files
- This tool is part of the samba(7) suite. profiles is a utility that
reports and changes SIDs in windows registry files. It currently only
supports NT.
- rpcclient — tool for executing client side
- MS-RPC functions This tool is part of the samba(7) suite. rpcclient is a utility initially developed
+ MS-RPC functions This tool is part of the samba(7) suite. rpcclient is a utility initially developed
to test MS-RPC functionality in Samba itself. It has undergone
several stages of development and stability. Many system administrators
have now written scripts around it to manage Windows NT clients from
- their UNIX workstation. NetBIOS name of Server to which to connect.
+ their UNIX workstation. NetBIOS name of Server to which to connect.
The server can be any SMB/CIFS server. The name is
- resolved using the name resolve order line from smb.conf(5). execute semicolon separated commands (listed
+ resolved using the name resolve order line from smb.conf(5). execute semicolon separated commands (listed
below)) Normally the client would attempt to locate a named
SMB/CIFS server by looking it up via the NetBIOS name resolution
@@ -35,7 +35,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
This option allows you to override
the NetBIOS name that Samba uses for itself. This is identical
-to setting the parameter in the This specifies a NetBIOS scope that
@@ -87,11 +87,11 @@
socket. See the socket options parameter in
the Print a summary of command line options.
- Query info policy Resolve a list
of SIDs to usernames.
Resolve a list
of usernames to SIDs.
- Enumerate trusted domains Enumerate privileges Get the privilege name Enumerate the LSA SIDS Enumerate the privileges of an SID Enumerate the rights of an SID Enumerate accounts with a right Add rights to an account Remove rights from an account Get a privilege value given its name Query LSA security object Get Primary Domain Information DFS Query DFS support Add a DFS share Remove a DFS share Query DFS share info Enumerate dfs shares Server query info Enumerate shares Enumerate open files Fetch remote time of day Query user info Query group info Query user groups Query group membership Query alias membership Query display info Query domain info Enumerate domain users Enumerate domain groups Enumerate alias groups Create domain user Look up names Look up names Delete domain user Query SAMR security object Retrieve domain password info Look up domain
+ Enumerate trusted domains Enumerate privileges Get the privilege name Enumerate the LSA SIDS Enumerate the privileges of an SID Enumerate the rights of an SID Enumerate accounts with a right Add rights to an account Remove rights from an account Get a privilege value given its name Query LSA security object Get Primary Domain Information DFS Query DFS support Add a DFS share Remove a DFS share Query DFS share info Enumerate dfs shares Server query info Enumerate shares Enumerate open files Fetch remote time of day Query user info Query group info Query user groups Query group membership Query alias membership Query display info Query domain info Enumerate domain users Enumerate domain groups Enumerate alias groups Create domain user Look up names Look up names Delete domain user Query SAMR security object Retrieve domain password info Look up domain
Execute an AddPrinterDriver() RPC to install the printer driver
information on the server. Note that the driver files should
already exist in the directory returned by
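Review bot: the re-added command list starting "+ Enumerate trusted domains" carries "Look up names" twice in a row; the two entries presumably describe different lookups, so give the second one a distinct description instead of leaving two identical ones.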
@@ -176,11 +176,11 @@
already be correctly installed on the print server. See also the enumprinters and
enumdrivers commands for obtaining a list of
of installed printers and drivers. Add form Set form Get form Delete form Enumerate form Set printer comment Set REG_SZ printer data Set printer name Rffpcnex test Logon Control 2 Logon Control Sam Synchronisation Query Sam Deltas Sam Logon rpcclient is designed as a developer testing tool
and may not be robust in certain areas (such as command line parsing).
It has been known to generate a core dump upon failures when invalid
parameters where passed to the interpreter. From Luke Leighton's original rpcclient man page: WARNING! The MSRPC over SMB code has
@@ -193,8 +193,8 @@
versions of smbd(8) and rpcclient(1) that are incompatible for some commands or services. Additionally,
the developers are sending reports to Microsoft, and problems found
or reported to Microsoft are fixed in Service Packs, which may
- result in incompatibilities. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original rpcclient man page was written by Matthew
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/samba.7.html samba-3.0.23/docs/htmldocs/manpages/samba.7.html
--- samba-3.0.22/docs/htmldocs/manpages/samba.7.html 2006-01-29 10:16:16.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/samba.7.html 2006-07-06 05:17:51.000000000 -0500
@@ -1,4 +1,4 @@
- samba — A Windows SMB/CIFS fileserver for UNIX The Samba software suite is a collection of programs
+ samba — A Windows SMB/CIFS fileserver for UNIX The Samba software suite is a collection of programs
that implements the Server Message Block (commonly abbreviated
as SMB) protocol for UNIX systems. This protocol is sometimes
also referred to as the Common Internet File System (CIFS). For a
@@ -63,7 +63,7 @@
smbmnt(8) smbmount,smbumount and smbmnt are commands that can be used to
mount CIFS/SMB shares on Linux.
smbcquotas is a tool that
- can set remote QUOTA's on server with NTFS 5. The Samba suite is made up of several components. Each
component is described in a separate manual page. It is strongly
recommended that you read the documentation that comes with Samba
and the manual pages of those components that you use. If the
@@ -72,7 +72,7 @@
for information on how to file a bug report or submit a patch. If you require help, visit the Samba webpage at
http://www.samba.org/ and
explore the many option available to you.
- The Samba software suite is licensed under the
GNU Public License(GPL). A copy of that license should
have come with the package in the file COPYING. You are
encouraged to distribute copies of the Samba suite, but
@@ -86,14 +86,14 @@
the README file that comes with Samba. If you have access to a WWW viewer (such as Mozilla
or Konqueror) then you will also find lots of useful information,
including back issues of the Samba mailing list, at
- http://lists.samba.org. If you wish to contribute to the Samba project,
then I suggest you join the Samba mailing list at
http://lists.samba.org.
If you have patches to submit, visit
http://devel.samba.org/
for information on how to do it properly. We prefer patches
- in diff -u format. Contributors to the project are now too numerous
to mention here but all deserve the thanks of all Samba
users. To see a full list, look at the
The original Samba software and related utilities
+ Samba. The project would have been unmanageable without it. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbcacls.1.html samba-3.0.23/docs/htmldocs/manpages/smbcacls.1.html
--- samba-3.0.22/docs/htmldocs/manpages/smbcacls.1.html 2006-01-29 10:16:22.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbcacls.1.html 2006-07-06 05:17:54.000000000 -0500
@@ -1,5 +1,5 @@
- smbcacls — Set or get ACLs on an NT file or directory names This tool is part of the samba(7) suite. The smbcacls program manipulates NT Access Control
- Lists (ACLs) on SMB file shares. The following options are available to the smbcacls program.
+ smbcacls — Set or get ACLs on an NT file or directory names This tool is part of the samba(7) suite. The smbcacls program manipulates NT Access Control
+ Lists (ACLs) on SMB file shares. The following options are available to the smbcacls program.
The format of ACLs is described in the section ACL FORMAT Add the ACLs specified to the ACL list. Existing
access control entries are unchanged. Modify the mask value (permissions) for the ACLs
specified on the command line. An error will be printed for each
@@ -48,11 +48,11 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
The format of an ACL is one or more ACL entries separated by
either commas or newlines. An ACL entry is one of the following: R - Allow read access W - Allow write access X - Execute permission on the object D - Delete the object P - Change permissions O - Take ownership The following combined permissions can be specified: READ - Equivalent to 'RX'
permissions CHANGE - Equivalent to 'RXWD' permissions
FULL - Equivalent to 'RWXDPO'
- permissions The smbcacls program sets the exit status
depending on the success or otherwise of the operations performed.
The exit status may be one of the following values. If the operation succeeded, smbcacls returns and exit
status of 0. If smbcacls couldn't connect to the specified server,
or there was an error getting or setting the ACLs, an exit status
of 1 is returned. If there was an error parsing any command line
- arguments, an exit status of 2 is returned. The original Samba software and related utilities
+ arguments, an exit status of 2 is returned. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. smbcacls was written by Andrew Tridgell
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbclient.1.html samba-3.0.23/docs/htmldocs/manpages/smbclient.1.html
--- samba-3.0.22/docs/htmldocs/manpages/smbclient.1.html 2006-01-29 10:16:25.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbclient.1.html 2006-07-06 05:17:55.000000000 -0500
@@ -1,11 +1,11 @@
smbclient — ftp-like client to access SMB/CIFS resources
- on servers This tool is part of the samba(7) suite. smbclient is a client that can
'talk' to an SMB/CIFS server. It offers an interface
similar to that of the ftp program (see ftp(1)).
Operations include things like getting files from the server
to the local machine, putting files from the local machine to
the server, retrieving directory information from the server
- and so on. servicename is the name of the service
+ and so on. servicename is the name of the service
you want to use on the server. A service name takes the form
Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
This option allows you to override
the NetBIOS name that Samba uses for itself. This is identical
-to setting the parameter in the This specifies a NetBIOS scope that
@@ -207,12 +207,18 @@
date saved in the tar file. Directories currently do not get
their creation dates restored properly. smbclient //mypc/myshare "" -N -Tc
backup.tar users/docs Create the same tar file as above, but now use
a DOS path name. smbclient //mypc/myshare "" -N -tc backup.tar
- users\edocs Create a tar file of all the files and directories in
+ users\edocs Create a tar file of the files listed in the file smbclient //mypc/myshare "" -N -TcF
+ backup.tar tarlist Create a tar file of all the files and directories in
the share. smbclient //mypc/myshare "" -N -Tc backup.tar *
Change to initial directory before starting. Probably
only of any use with the tar -T option. command string is a semicolon-separated list of
commands to be executed instead of prompting from stdin. This is particularly useful in scripts and for printing stdin
- to the server, e.g. -c 'print -'. Once the client is running, the user is presented with
a prompt : The backslash ("\\") indicates the current working directory
on the server, and will change if the current working directory
is changed. The prompt indicates that the client is ready and waiting to
@@ -387,14 +394,14 @@
archive bit setting (this is the default mode). In incremental mode,
tar will only back up files with the archive bit set. In reset mode,
tar will reset the archive bit on all files it backs up (implies
- read/write share). Some servers are fussy about the case of supplied usernames,
passwords, share names (AKA service names) and machine names.
If you fail to connect try giving all parameters in uppercase.
It is often necessary to use the -n option when connecting
to some types of servers. For example OS/2 LanManager insists
on a valid NetBIOS name being used, so you need to supply a valid
name that would be known to the server. smbclient supports long file names where the server
- supports the LANMAN2 protocol or above. The variable The variable The location of the client program is a matter for
individual system administrators. The following are thus
suggestions only. It is recommended that the smbclient software be installed
in the To test the client, you will need to know the name of a
running SMB/CIFS server. It is possible to run smbd(8) as an ordinary user - running that server as a daemon
on a user-accessible port (typically any port number over 1024)
- would provide a suitable test server. Most diagnostics issued by the client are logged in a
+ would provide a suitable test server. Most diagnostics issued by the client are logged in a
specified log file. The log file name is specified at compile time,
but may be overridden on the command line. The number and nature of diagnostics available depends
on the debug level used by the client. If you have problems,
- set the debug level to 3 and peruse the log files. The original Samba software and related utilities
+ set the debug level to 3 and peruse the log files. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smb.conf.5.html samba-3.0.23/docs/htmldocs/manpages/smb.conf.5.html
--- samba-3.0.22/docs/htmldocs/manpages/smb.conf.5.html 2006-01-29 10:16:20.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smb.conf.5.html 2006-07-06 05:17:53.000000000 -0500
@@ -1,4 +1,4 @@
- smb.conf — The configuration file for the Samba suite
+ smb.conf — The configuration file for the Samba suite
The
Each section in the configuration file (except for the [global] section) describes a shared resource (known as
a “share”). The section name is the name of the shared resource and the parameters within the
section define the shares attributes.
@@ -55,8 +55,8 @@
The following sample section defines a file space share. The user has write access to the path
The following sample section defines a printable share. The share is read-only, but printable. That is,
@@ -64,12 +64,12 @@
ok parameter means access will be permitted as the default guest user (specified elsewhere):
-
Parameters in this section apply to the server as a whole, or are defaults for sections that do not
specifically define certain items. See the notes under PARAMETERS for more information.
@@ -105,7 +105,7 @@
than others. The following is a typical and suitable [homes] section:
An important point is that if guest access is specified in the [homes] section, all home directories will be
@@ -137,9 +137,9 @@
it. A typical [printers] entry looks like this:
All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned.
@@ -160,7 +160,31 @@
On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use
Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete
+ their own share definitions has been added. This capability is called usershares and
+ is controlled by a set of parameters in the Controls if usershares can permit guest access. Maximum number of user defined shares allowed. If set only directories owned by the sharing user can be shared. Points to the directory containing the user defined share definitions.
+ The filesystem permissions on this directory control who can create user defined shares. Comma-separated list of abolute pathnames restricting what directories
+ can be shared. Only directories below the pathnames in this list are permitted. Comma-separated list of abolute pathnames restricting what directories
+ can be shared. Directories below the pathnames in this list are prohibited. Names a pre-existing share used as a template for creating new usershares.
+ All other share parameters not specified in the user defined share definition
+ are copied from this named share. To allow members of the UNIX group Become root: Then add the parameters
+
+
+
+ to the global
+ section of your To create or modify (overwrite) a user defined share. To delete a user defined share. To list user defined shares. To print information about user defined shares. Parameters define the specific attributes of sections.
Some parameters are specific to the [global] section (e.g., security). Some parameters
are usable in all sections (e.g., create mask). All others are permissible only in normal
sections. For the purposes of the following descriptions the [homes] and [printers] sections will be
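Review bot: typo in the two new path-list descriptions: "abolute pathnames" should be "absolute pathnames" (it appears in both the permitted-directories and the prohibited-directories entry). The walkthrough that follows ("To allow members of the UNIX group ... Become root: Then add the parameters") should also tell the administrator to restrict the permissions on the usershare directory to that group, since the entry itself states that those filesystem permissions decide who can create user defined shares.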
@@ -172,7 +196,7 @@
Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can
find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred
synonym.
-
Many of the strings that are settable in the config file can take substitutions. For example the option
“path = /tmp/%u” is interpreted as “path = /tmp/john” if the user connected with the
username john.
@@ -229,8 +253,8 @@
controls what the default case is for new filenames (ie. files that don't currently exist in the filesystem).
Default lower. IMPORTANT NOTE: This option will be used to modify the case of
- all incoming client filenames, not just new filenames if the options case sensitive = yes, preserve case = No,
- short preserve case = No are set. This change is needed as part of the
+ all incoming client filenames, not just new filenames if the options case sensitive = yes, preserve case = No,
+ short preserve case = No are set. This change is needed as part of the
optimisations for directories containing large numbers of files.
controls whether new files (ie. files that don't currently exist in the filesystem) are created with the case
@@ -276,8 +300,8 @@
If the service is a guest service, a connection is made as the username given in the This a full path name to a script called by smbd(8) that
- should stop a shutdown procedure issued by the shutdown script. If the connected user posseses the This a full path name to a script called by smbd(8) that
+ should stop a shutdown procedure issued by the shutdown script. If the connected user posseses the Default: Example:
- This parameter is best used with the inherit owner option and also
+ This parameter is best used with the inherit owner option and also
on on a share containing directories with the UNIX setgid bit bit set
on them, which causes new files and directories created within it to inherit the group
ownership from the containing directory.
- This is a new parameter introduced in Samba 3.0.20.
-
- This can be particularly useful to allow groups to manage their own security on a part
- of the filesystem they have group ownership of, removing the bottleneck of having only
- the user owner or superuser able to reset permissions.
+ This is parameter has been marked deprecated in Samba 3.0.23. The same behavior is now
+ implemented by the Default: This boolean parameter controls whether smbd(8)maps a POSIX ACE entry of "rwx" (read/write/execute),
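Review bot: "This is parameter has been marked deprecated in Samba 3.0.23" has a stray "is"; it should read "This parameter has been marked deprecated in Samba 3.0.23".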
@@ -362,6 +383,16 @@
Example: Samba 3.0.23 introduces support for adding printer ports
+ remotely using the Windows "Add Standard TCP/IP Port Wizard".
+ This option defines an external program to be executed when
+ smbd receives a request to add a new Port to the system.
+ he script is passed two parameters:
+ The deviceURI is in the for of socket://<hostname>[:<portnumber>]
+ or lpd://<hostname>/<queuename>. Default: Example: With the introduction of MS-RPC based printing
support for Windows NT/2000 clients in Samba 2.2, The MS Add
Printer Wizard (APW) icon is now also available in the
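Review bot: the deviceURI values (hostname, port number, queue name) described in the new add port command entry come from the client's request, so the entry should state that the external program must treat its two parameters as untrusted input. Typos in the same lines: "he script is passed two parameters" should be "The script is passed two parameters", and "in the for of" should be "in the form of".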
@@ -401,7 +432,7 @@
uid == 0).
When executed, smbd will automatically invoke the
-
This parameter is only used for add file shares. To add printer shares,
- see the addprinter command.
+ see the addprinter command.
Default: Example:
In order to use this option, smbd(8) must NOT be set to
- security = share and add user script
+ security = share and add user script
must be set to a full pathname for a script that will create a UNIX user given one argument of
When the Windows user attempts to access the Samba server, at login (session setup in
- the SMB protocol) time, smbd(8) contacts the password server
+ the SMB protocol) time, smbd(8) contacts the password server
and attempts to authenticate the given user with the given password. If the authentication
succeeds then smbd attempts to find a UNIX user in the UNIX
password database to map the Windows user into. If this lookup fails, and
- add user script is set then smbd will
+ add user script is set then smbd will
call the specified script AS ROOT, expanding any
@@ -446,8 +481,8 @@
continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to
match existing Windows NT accounts.
- See also security, password server,
- delete user script.
+ See also security, password server,
+ delete user script.
Default: Example: You should use this option very carefully, as any user in
this list will be able to do anything they like on the share,
- irrespective of file permissions. This parameter will not work with the security = share in
+ irrespective of file permissions. This parameter will not work with the security = share in
Samba 3.0. This is by design. Default: Example:
- This option only takes effect when the security option is set to
+ This option only takes effect when the security option is set to
This option allows the administrator to chose what authentication methods smbd
- will use when authenticating a user. This option defaults to sensible values based on security.
+ will use when authenticating a user. This option defaults to sensible values based on security.
This should be considered a developer option and used only in rare circumstances. In the majority (if not all)
of production servers, the default setting should be adequate.
@@ -581,33 +616,33 @@
to limit what interfaces on a machine will serve SMB requests. It
affects file service smbd(8) and name service nmbd(8) in a slightly different ways.
For name service it causes nmbd to bind to ports 137 and 138 on the
- interfaces listed in the interfaces parameter. nmbd
+ interfaces listed in the interfaces parameter. nmbd
also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of
reading broadcast messages. If this option is not set then nmbd will
- service name requests on all of these sockets. If bind interfaces only is set then
+ service name requests on all of these sockets. If bind interfaces only is set then
nmbd will check the source address of any packets coming in on the
broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the
- interfaces parameter list. As unicast packets are received on the other sockets it
+ interfaces parameter list. As unicast packets are received on the other sockets it
allows nmbd to refuse to serve names to machines that send packets that
- arrive through any interfaces not listed in the interfaces list. IP Source address
+ arrive through any interfaces not listed in the interfaces list. IP Source address
spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for
nmbd.
- For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will
+ For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will
serve to packets coming in those interfaces. Note that you should not use this parameter for machines that
are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with
non-permanent interfaces.
- If bind interfaces only is set then unless the network address
- 127.0.0.1 is added to the interfaces parameter list
+ If bind interfaces only is set then unless the network address
+ 127.0.0.1 is added to the interfaces parameter list
smbpasswd(8) and
swat(8) may not work as
expected due to the reasons covered below.
To change a users SMB password, the smbpasswd by default connects to the
localhost - 127.0.0.1 address as an SMB client to issue the password change request. If
- bind interfaces only is set then unless the network address
- 127.0.0.1 is added to the interfaces parameter list then smbpasswd will fail to connect in it's default mode. smbpasswd can be forced to use the primary IP interface of the local host by using
+ bind interfaces only is set then unless the network address
+ 127.0.0.1 is added to the interfaces parameter list then smbpasswd will fail to connect in it's default mode. smbpasswd can be forced to use the primary IP interface of the local host by using
its smbpasswd(8)
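Review bot: the re-added line "will fail to connect in it's default mode" keeps the wrong apostrophe; it should be "its default mode". While this hunk is open, "To change a users SMB password" in the context above should be "a user's SMB password".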
@@ -639,7 +674,11 @@
is an experimental option it may be removed in a future release.
Changing this option does not change the disk free reporting
size, just the block size unit reported to the client.
- No default This parameter is a synonym for browseable. This controls whether this share is seen in
+ Default: Example: This parameter is a synonym for browseable. This controls whether this share is seen in
the list of available shares in a net view and in the browse list. Default: This controls whether smbd(8) will serve a browse list to
@@ -647,14 +686,20 @@
set to Default: This parameter is a synonym for case sensitive. See the discussion in the section name mangling. Default: This parameter is a synonym for case sensitive. See the discussion in the section name mangling. Default: This SMB allows a client to tell a server to
+ This SMB allows a client to tell a server to
"watch" a particular directory for any changes and only reply to
the SMB request when a change has occurred. Such constant scanning of
a directory is expensive under UNIX, hence an smbd(8) daemon only performs such a scan
on each requested directory once every Default: Default: Example:
When executed, smbd will automatically invoke the
-
This parameter is only used modify existing file shares definitions. To modify
printer shares, use the "Printers..." folder as seen when browsing the Samba host.
@@ -724,9 +773,9 @@
This controls whether the client offers or even demands the use of the netlogon schannel.
- client schannel = no does not offer the schannel,
- client schannel = auto offers the schannel but does not
- enforce it, and client schannel = yes denies access
+ client schannel = no does not offer the schannel,
+ client schannel = auto offers the schannel but does not
+ enforce it, and client schannel = yes denies access
if the server is not able to speak netlogon schannel.
Default: If you want to set the string that is displayed next to the
- machine name then see the server string parameter. Default: Default: Example:
Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
- force create mode parameter which is set to 000 by default.
+ force create mode parameter which is set to 000 by default.
- This parameter does not affect directory masks. See the parameter directory mask
+ This parameter does not affect directory masks. See the parameter directory mask
for details.
Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
- administrator wishes to enforce a mask on access control lists also, they need to set the security mask.
+ administrator wishes to enforce a mask on access control lists also, they need to set the security mask.
Default: Example:
For example, shares containing roaming profiles can have offline caching disabled using
- csc policy = disable.
+ csc policy = disable.
Default: Example:
- This parameter is only applicable if printing is
+ This parameter is only applicable if printing is
set to
@@ -828,7 +877,7 @@
Example:
- This parameter is only applicable if printing is set to
If set, this option overrides the ServerName option in the CUPS
- Note that the parameter debug timestamp must be on for this to have an effect.
+ Note that the parameter debug timestamp must be on for this to have an effect.
Default:
@@ -860,12 +909,12 @@
message. This boolean parameter is adds the process-id to the timestamp message headers in the
logfile when turned on.
- Note that the parameter debug timestamp must be on for this to have an effect.
+ Note that the parameter debug timestamp must be on for this to have an effect.
Default: This parameter is a synonym for debug timestamp.
Samba debug log messages are timestamped by default. If you are running at a high
- debug level these timestamps can be distracting. This
+ debug level these timestamps can be distracting. This
boolean parameter allows timestamping to be turned off.
Default:
- Note that the parameter debug timestamp must be on for this to have an effect.
+ Note that the parameter debug timestamp must be on for this to have an effect.
Default: See the section on name mangling
- . Also note the short preserve case parameter. Default: See the section on name mangling
+ . Also note the short preserve case parameter. Default: This parameter is only applicable to printable services.
When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
server has a Device Mode which defines things such as paper size and
orientation and duplex settings. The device mode can only correctly be
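Review bot: the unchanged line "This boolean parameter is adds the process-id to the timestamp message headers" has a stray "is" and should read "This boolean parameter adds ..."; the "+ . Also note the short preserve case parameter. Default: This parameter is only applicable to printable services." line correctly replaces the mis-pasted "See the section on name mangling" text for the default devmode entry, but the end of the short preserve case entry and the start of the next entry still share one line and should be split.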
@@ -908,7 +957,7 @@
given in the parameter value (see example below). There is no default value for this parameter. If this
parameter is not given, attempting to connect to a nonexistent
service results in an error.
- Typically the default service would be a guest ok, read-only service. Also note that the apparent service name will be changed to equal
+ Typically the default service would be a guest ok, read-only service. Also note that the apparent service name will be changed to equal
that of the requested service, this is very useful as it allows you to use macros like Note also that any "_" characters in the name of the service
used in the default service will get mapped to a "/". This allows for
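Review bot: the default service text says the apparent service name is changed to the requested one so that macros can be used, and that "_" in the name is mapped to "/"; since the requested service name comes from the client, this turns client input into a path component of the default share, so "Typically the default service would be a guest ok, read-only service" should be stated as a requirement (guest ok, read-only, path confined to a dedicated directory) rather than as a typical choice.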
@@ -940,12 +989,12 @@
possible to delete printer at run time by issuing the
DeletePrinter() RPC call. For a Samba host this means that the printer must be
physically deleted from underlying printing system. The
- deleteprinter command defines a script to be run which
+ deleteprinter command defines a script to be run which
will perform the necessary operations for removing the printer
from the print system and from The deleteprinter command is
- automatically called with only one parameter: printer name.
- Once the deleteprinter command has
+ The deleteprinter command is
+ automatically called with only one parameter: printer name.
+ Once the deleteprinter command has
been executed, smbd will reparse the
This parameter is only used to remove file shares. To delete printer shares,
- see the deleteprinter command.
+ see the deleteprinter command.
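Review bot: the moved lines "+ The deleteprinter command is / + automatically called with only one parameter: printer name." now follow the fragment "from the print system and from The deleteprinter command is", so the hunk duplicates "The deleteprinter command is" and leaves the preceding sentence unfinished; since that single argument is the printer name supplied by the client's DeletePrinter() RPC, the entry should also tell script authors to quote and validate it before passing it to the print system.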
Default: Example: This option is used when Samba is attempting to
delete a directory that contains one or more vetoed directories
- (see the veto files
+ (see the veto files
option). If this option is set to If this option is set to Setting delete veto files = yes allows these
+ (e.g. Setting delete veto files = yes allows these
directories to be transparently deleted when the parent directory
is deleted (so long as the user has permissions to do so). Default:
This is a new parameter introduced in Samba version 3.0.21. It specifies in seconds the time that smbd will
cache the output of a disk free query. If set to zero (the default) no caching is done. This allows a heavily
- loaded server to prevent rapid spawning of dfree command scripts increasing the load.
+ loaded server to prevent rapid spawning of dfree command scripts increasing the load.
By default this parameter is zero, meaning no caching will be done.
No default Example:
In Samba version 3.0.21 this parameter has been changed to be a per-share parameter, and in addition the
- parameter dfree cache time was added to allow the output of this script to be cached
+ parameter dfree cache time was added to allow the output of this script to be cached
for systems under heavy load.
The external program will be passed a single parameter indicating a directory in the filesystem being queried.
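Review bot: the dfree cache time entry states the default three times in conflicting ways: "If set to zero (the default) no caching is done", "By default this parameter is zero", and then "No default"; keep a single "Default: 0" and drop "No default". The line "+ (e.g. Setting delete veto files = yes allows these" also opens a parenthesis that is never closed.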
@@ -1074,10 +1123,10 @@
created. The default value of this parameter removes the 'group'
and 'other' write bits from the UNIX mode, allowing only the
user who owns the directory to modify it. Following this Samba will bit-wise 'OR' the UNIX mode
- created from this parameter with the value of the force directory mode parameter.
+ created from this parameter with the value of the force directory mode parameter.
This parameter is set to 000 by default (i.e. no extra mode bits are added). Note that this parameter does not apply to permissions
set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the directory security mask. Default: Default: Example:
This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
- in this mask from being modified. Make sure not to mix up this parameter with force directory security mode, which works similar like this one but uses logical OR instead of AND.
+ in this mask from being modified. Make sure not to mix up this parameter with force directory security mode, which works similar like this one but uses logical OR instead of AND.
Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
If not set explicitly this parameter is set to 0777
meaning a user is allowed to modify all the user/group/world
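Review bot: "+ ... Make sure not to mix up this parameter with force directory security mode, which works similar like this one but uses logical OR instead of AND." keeps the ungrammatical "works similar like this one"; use "works similarly to this one". The removed "- a mask on access control lists also, they need to set the directory security mask. Default: Default: Example:" has no "+" replacement in the hunk, so check that the force directory mode entry still ends with its ACL-editor caveat and its default.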
@@ -1107,7 +1156,7 @@
Enabling this parameter will disable Samba's support
for the SPOOLSS set of MS-RPC's and will yield identical behavior
as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
- Lanman style printing commands. Windows 9x/ME will be uneffected by
+ Lanman style printing commands. Windows 9x/ME will be unaffected by
the parameter. However, this will also disable the ability to upload
printer drivers to a Samba server via the Windows NT Add Printer
Wizard or by using the NT printer properties dialog window. It will
@@ -1118,11 +1167,26 @@
Specifies the charset that samba will use
to print messages to stdout and stderr and SWAT will use.
- Should generally be the same as the unix charset.
+ Should generally be the same as the unix charset.
Default: Example: This parameter specifies whether Samba should use DMAPI to
+ determine whether a file is offline or not. This would typically
+ be used in conjunction with a hierarchical storage system that
+ automatically migrates files to tape.
+ Note that Samba infers the status of a file by examining the
+ events that a DMAPI application has registered interest in. This
+ heuristic is satisfactory for a number of hierarchical storage
+ systems, but there may be system for which it will fail. In this
+ case, Samba may erroneously report files to be offline.
+ This parameter is only available if a supported DMAPI
+ implementation was found at compilation time. It will only be used
+ if DMAPI is found to enabled on the system at run time.
+
+ Default: Specifies that nmbd(8) when acting as a WINS server and
finding that a NetBIOS name has not been registered, should treat the
NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server
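Review bot: the new dmapi support text has three wording errors: "there may be system for which it will fail" (systems), "if DMAPI is found to enabled on the system" (to be enabled), and "whether Samba should use DMAPI to determine whether a file is offline or not" (drop "or not"); the "+ Default:" line also carries no value, which matters because the text itself admits the heuristic "may erroneously report files to be offline", so the reader needs to know whether it is opt-in.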
@@ -1135,7 +1199,7 @@
If set to
- Note that Windows NT Primary Domain Controllers expect to be able to claim this workgroup specific special NetBIOS name that identifies them as domain master browsers for that
- workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting
+ Note that Windows NT Primary Domain Controllers expect to be able to claim this workgroup specific special NetBIOS name that identifies them as domain master browsers for that
+ workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting
to do this). This means that if this parameter is set and nmbd claims the
- special name for a workgroup before a Windows NT PDC is able to do so then cross
+ special name for a workgroup before a Windows NT PDC is able to do so then cross
subnet browsing will behave strangely and may fail.
- If domain logons = yes, then the default behavior is to enable the
- domain master parameter. If domain logons is not enabled (the
- default setting), then neither will domain master be enabled by default.
+ If domain logons = yes, then the default behavior is to enable the
+ domain master parameter. If domain logons is not enabled (the
+ default setting), then neither will domain master be enabled by default.
- When domain logons = Yes the default setting for this parameter is
- Yes, with the result that Samba will be a PDC. If domain master = No,
+ When domain logons = Yes the default setting for this parameter is
+ Yes, with the result that Samba will be a PDC. If domain master = No,
Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.
Default: Default: Default: Under the DOS and Windows FAT filesystem, the finest
granularity on time resolution is two seconds. Setting this parameter
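Review bot: the domain master entry now says the same thing twice: "+ If domain logons = yes, then the default behavior is to enable the domain master parameter ..." and, a few lines later, "+ When domain logons = Yes the default setting for this parameter is Yes, with the result that Samba will be a PDC"; merge them into one paragraph. The trailing "Default: Default: Default:" shows three entries sharing a single run-on line.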
@@ -1237,7 +1300,7 @@
behavior in smbd for many years. However, certain Microsoft applications
such as the Print Migrator tool require that the remote server support
an [ADMIN$} file share. Disabling this parameter allows for creating
- an [ADMIN$] file share in smb.conf. Default: Default: This parameter controls whether or not smbd will honor
privileges assigned to specific SIDs via either net rpc rights
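Review bot: the unchanged context line "require that the remote server support an [ADMIN$} file share" has a mismatched closing brace; it should read "[ADMIN$]" as in the next sentence.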
@@ -1248,16 +1311,7 @@
of the connected user. An example of how privileges can be used is to assign
the right to join clients to a Samba controlled domain without
providing root access to the server via smbd. Please read the extended description provided in the
- Samba documentation before enabling this option. Default: This option is used to control whether or not smbd in Samba 3.0 should fallback
- to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm
- development goal is to remove the algorithmic mappings of RIDs altogether, but
- this has proved to be difficult. This parameter is mainly provided so that
- developers can turn the algorithm on and off and see what breaks. This parameter
- should not be disabled by non-developers because certain features in Samba will fail
- to work without it.
- Default: Default: This boolean controls whether encrypted passwords
will be negotiated with the client. Note that Windows NT 4.0 SP3 and
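Review bot: the whole paragraph for the RID-algorithm fallback option ("- This option is used to control whether or not smbd in Samba 3.0 should fallback to the algorithm used by Samba 2.2 to generate user and group RIDs ...") is removed with no replacement; if the parameter itself is gone, a short note under the idmap text would help administrators who set it, and if it is still accepted, its warning that it "should not be disabled by non-developers because certain features in Samba will fail" must survive somewhere.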
@@ -1278,7 +1332,7 @@
In order for encrypted passwords to work correctly
smbd(8) must either
have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up
- and maintain this file), or set the security = [server|domain|ads] parameter which
+ and maintain this file), or set the security = [server|domain|ads] parameter which
causes smbd to authenticate against another
server. Default: When you set fake oplocks = yes, smbd(8) will
- always grant oplock requests no matter how many clients are using the file. It is generally much better to use the real oplocks support rather
+ always grant oplock requests no matter how many clients are using the file. It is generally much better to use the real oplocks support rather
than this parameter. If you enable this option on all read-only shares or
shares that you know will only be accessed from one client at a
time such as physically read-only media like CDROMs, you will see
@@ -1363,6 +1417,16 @@
files read-write at the same time you can get data corruption. Use
this option carefully! Default: This parameter specifies whether Samba should ask the
+ FAM daemon change notifications in directories so that
+ SMB clients can refresh whenever the data on the server changes.
+ This parameter is only used when your system supports
+ change notification to user programs, using the FAM daemon. If the FAM
+ daemon is not running, this parameter is automatically disabled. The
+ Default:
This parameter allows the Samba administrator to stop smbd(8) from following symbolic links in a particular share. Setting this
parameter to
This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
- mask that the user may have modified to be on. Make sure not to mix up this parameter with directory security mask, which works in a similar manner to this one, but uses a logical AND instead
+ mask that the user may have modified to be on. Make sure not to mix up this parameter with directory security mask, which works in a similar manner to this one, but uses a logical AND instead
of an OR.
Essentially, this mask may be treated as a set of bits that, when modifying security on a directory,
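Review bot: "+ This parameter specifies whether Samba should ask the FAM daemon change notifications in directories" is missing "for" ("ask the FAM daemon for change notifications"), and the paragraph ends with a dangling "+ ... automatically disabled. The" immediately before "+ Default:", which has no value; finish or drop the sentence and fill in the default.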
@@ -1438,7 +1502,7 @@
that only users who are already in group sys will have their default
primary group assigned to sys when accessing this Samba share. All
other users will retain their ordinary primary group.
- If the force user parameter is also set the group specified in
+ If the force user parameter is also set the group specified in
Default:
This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
- mask that the user may have modified to be on. Make sure not to mix up this parameter with security mask, which works similar like this one but uses logical AND instead of OR.
+ mask that the user may have modified to be on. Make sure not to mix up this parameter with security mask, which works similar like this one but uses logical AND instead of OR.
Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
the user has always set to be on.
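Review bot: "+ ... Make sure not to mix up this parameter with security mask, which works similar like this one but uses logical AND instead of OR." repeats the "works similar like this one" wording of the directory variant; change to "works similarly to this one". The unchanged "If the force user parameter is also set the group specified in" is a sentence fragment with no continuation anywhere in the hunk.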
@@ -1540,10 +1604,10 @@
This is a tuning option. When this is enabled a
caching algorithm will be used to reduce the time taken for getwd()
calls. This can have a significant impact on performance, especially
- when the wide smbconfoptions parameter is set to Default: Default: This is a username which will be used for access
- to services which are specified as guest ok (see below). Whatever privileges this
+ to services which are specified as guest ok (see below). Whatever privileges this
user has will be available to any client connecting to the guest service.
This user must exist in the password file, but does not require
a valid login. The user account "ftp" is often a good choice
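Review bot: the guest account text says "Whatever privileges this user has will be available to any client connecting to the guest service" and then offers "ftp" as "often a good choice"; because this account is reachable by unauthenticated clients, the entry should spell out the conditions that sentence implies (no usable password or login shell, no ownership of files outside guest shares, no membership in groups that own other shares) rather than only naming a candidate account. Separately, the removed "- when the wide smbconfoptions parameter is set to" line looks like a broken parameter reference (presumably wide links) and its "+" counterpart is not in the hunk.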
@@ -1562,14 +1626,14 @@
This parameter is a synonym for guest ok. If this parameter is This paramater nullifies the benifits of setting
- restrict anonymous = 2
- See the section below on security for more information about this option.
+ Privileges will be those of the guest account. This paramater nullifies the benifits of setting
+ restrict anonymous = 2
+ See the section below on security for more information about this option.
Default: This parameter is a synonym for guest only. If this parameter is See the section below on security for more information about this option.
+ This parameter will have no effect if guest ok is not set for the service. See the section below on security for more information about this option.
Default: This is a boolean parameter that controls whether
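Review bot: the added guest ok lines carry two misspellings forward: "+ Privileges will be those of the guest account. This paramater nullifies the benifits of setting" should read "parameter" and "benefits"; the same misspellings were already in the removed line, so this was the place to fix them. That sentence is also the security-relevant part of the entry (guest ok defeats restrict anonymous = 2), so it deserves its own line rather than being appended after "Privileges will be those of the guest account."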
@@ -1611,7 +1675,7 @@
Default:
- If nis homedir is
- See also the msdfs root share level parameter. For more information on
+ See also the msdfs root share level parameter. For more information on
setting up a Dfs tree on Samba, refer to the MSFDS chapter in the book Samba3-HOWTO.
- Default: Default: Specifies whether samba should use (expensive)
hostname lookups or use the ip addresses instead. An example place
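Review bot: "- If nis homedir is" is removed without a "+" replacement, and "See also the msdfs root share level parameter" reads as if there were a parameter named "msdfs root share level"; since msdfs root is a share-level parameter, either hyphenate ("share-level") or drop the phrase.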
@@ -1641,7 +1705,7 @@
Example: This parameter is a synonym for hosts allow. A synonym for this parameter is allow hosts. This parameter is a comma, space, or tab delimited
+ This parameter is a synonym for hosts allow. A synonym for this parameter is allow hosts. This parameter is a comma, space, or tab delimited
set of hosts which are permitted to access a service. If specified in the [global] section then it will
apply to all services, regardless of whether the individual
service has a different setting. You can specify the hosts by name or IP number. For
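Review bot: "+ This parameter is a synonym for hosts allow. A synonym for this parameter is allow hosts. This parameter is a comma, space, or tab delimited" folds the one-line "allow hosts" entry into the start of the "hosts allow" entry, so a reader sees hosts allow described as a synonym of itself; split the two entries.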
@@ -1651,7 +1715,7 @@
page Note that the localhost address 127.0.0.1 will always
- be allowed access unless specifically denied by a hosts deny option. You can also specify hosts by network/netmask pairs and
+ be allowed access unless specifically denied by a hosts deny option. You can also specify hosts by network/netmask pairs and
by netgroup names if your system supports netgroups. The
EXCEPT keyword can also be used to limit a
wildcard list. The following examples may provide some help: Example 1: allow all IPs in 150.203.*.*; except one hosts allow = 150.203. EXCEPT 150.203.6.66 Example 2: allow hosts that match the given network/netmask hosts allow = 150.203.15.0/255.255.255.0 Example 3: allow a couple of hosts hosts allow = lapland, arvidsjaur Example 4: allow only hosts in NIS netgroup "foonet", but
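Review bot: the "+ be allowed access unless specifically denied by a hosts deny option" sentence documents an implicit allow of 127.0.0.1 that survives any hosts allow list; since hosts allow is often the only network-level control an administrator applies, the entry should say plainly that an explicit "hosts deny = 127.0.0.1" is the only way to close it and that a process running on the server itself is therefore not restricted by hosts allow. The four examples are also run together on one line and should each stand on their own line.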
@@ -1668,56 +1732,38 @@
list takes precedence.
In the event that it is necessary to deny all by default, use the keyword
ALL (or the netmask Default: Example: If this global parameter is a non-null string,
- it specifies the name of a file to read for the names of hosts
- and users who will be allowed access without specifying a password.
- This is not be confused with hosts allow which is about hosts
- access to services and is more useful for guest services. The use of Default: Example:
The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap
- tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common
+ tdb file to obtain SID to UID / GID mappings for unmapped SIDs, but instead to obtain them from a common
LDAP backend. This way all domain members and controllers will have the same UID and GID
to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux
systems that are sharing information over protocols other than SMB/CIFS (ie: NFS).
- An alternate method of SID to UID / GID mapping can be achieved using the idmap_rid
+ An alternate method of SID to UID / GID mapping can be achieved using the rid
plug-in. This plug-in uses the account RID to derive the UID and GID by adding the
RID to a base value specified. This utility requires that the parameter
“allow trusted domains = No” must be specified, as it is not compatible
with multiple domain environments. The idmap uid and idmap gid ranges must also be
specified.
- Finally, using the idmap_ad module, the UID and GID can directly
+ Finally, using the ad module, the UID and GID can directly
be retrieved from an Active Directory LDAP Server that supports an
- RFC2307 compliant LDAP schema. idmap_ad supports "Services for Unix"
+ RFC2307 compliant LDAP schema. ad supports "Services for Unix"
(SFU) version 2.x and 3.0.
Default: Example: Example: Example: Example: Example: This parameter is a synonym for idmap gid. The idmap gid parameter specifies the range of group ids that are allocated for
the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no
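Review bot: the hosts equiv paragraph ("- it specifies the name of a file to read for the names of hosts and users who will be allowed access without specifying a password ...") is deleted with no replacement; because this parameter grants password-less access, the change should say whether the option was removed from smbd or is merely undocumented, so that administrators with an existing hosts equiv setting know whether it still applies. In the idmap backend text, renaming "idmap_rid" to "rid" and "idmap_ad" to "ad" matches the backend syntax, but "+ RFC2307 compliant LDAP schema. ad supports "Services for Unix"" now starts a sentence with the bare word "ad"; write "The ad backend supports ...". The unchanged "UNX groups" should be "UNIX groups".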
@@ -1759,12 +1805,12 @@
roaming profile directory are actually owner by the user. Default:
- The permissions on new files and directories are normally governed by create mask,
- directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.
+ The permissions on new files and directories are normally governed by create mask,
+ directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.
New directories inherit the mode of the parent directory,
including bits such as setgid.
New files inherit their read/write bits from the parent directory. Their execute bits continue to be
- determined by map archive, map hidden and map system as usual.
+ determined by map archive, map hidden and map system as usual.
Note that the setuid bit is never set via
inheritance (the code explicitly prohibits this). This can be particularly useful on large systems with
many users, perhaps several thousand, to allow a single [homes]
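Review bot: the unchanged context "roaming profile directory are actually owner by the user" should read "owned by the user". The inherit permissions text correctly notes that the setuid bit is never inherited and that directories inherit "bits such as setgid"; since files inherit only their read/write bits, it would help to state explicitly that setgid is not propagated to files, as that follows from the text but is easy to miss.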
@@ -1815,7 +1861,7 @@
Example:
- This parameter is only applicable if printing is set to
If set, this option overrides the ServerName option in the CUPS Keepalives should, in general, not be needed if the socket
- has the SO_KEEPALIVE attribute set on it by default. (see socket options).
+ has the SO_KEEPALIVE attribute set on it by default. (see socket options).
Basically you should only use this option if you strike difficulties. Default: Example: Default: For UNIXes that support kernel based oplocks
(currently only IRIX and the Linux 2.4 kernel), this parameter
allows the use of them to be turned on or off. Kernel oplocks support allows Samba Default:
- The ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact
- the ldap server when retreiving user account information. The ldap admin dn is used
+ The ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact
+ the ldap server when retreiving user account information. The ldap admin dn is used
in conjunction with the admin dn password stored in the
- The ldap admin dn requires a fully specified DN. The ldap suffix is not appended to the ldap admin dn.
+ The ldap admin dn requires a fully specified DN. The ldap suffix is not appended to the ldap admin dn.
No default This parameter specifies whether a delete
operation in the ldapsam deletes the complete entry or only the attributes
specific to Samba.
Default: This parameters specifies the suffix that is
+ This parameter specifies the suffix that is
used for groups when these are added to the LDAP directory.
- If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the
- ldap suffix string so use a partial DN. Default: Default: Example:
This parameters specifies the suffix that is used when storing idmap mappings. If this parameter
- is unset, the value of ldap suffix will be used instead. The suffix
- string is pre-pended to the ldap suffix string so use a partial DN.
+ is unset, the value of ldap suffix will be used instead. The suffix
+ string is pre-pended to the ldap suffix string so use a partial DN.
Default: Example:
It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of
- ldap suffix will be used instead. The suffix string is pre-pended to the
- ldap suffix string so use a partial DN.
+ ldap suffix will be used instead. The suffix string is pre-pended to the
+ ldap suffix string so use a partial DN.
Default: Example:
- The ldap passwd sync can be set to one of three values:
+ The ldap passwd sync can be set to one of three values:
Default:
- This parameter is only available if Samba has been configure to include the
- --with-ldapsam option at compile time.
-
- This option is used to control the tcp port number used to contact the
- ldap server. The default is to use the stand LDAPS port 636.
- Default: Default:
When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server.
This server then replicates our changes back to the 'local' server, however the replication might take some seconds,
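Review bot: "+ the ldap server when retreiving user account information" carries "retreiving" into the new version; fix to "retrieving". The "+ This parameter specifies the suffix that is" fix for the group suffix entry is not applied to the unchanged "This parameters specifies the suffix that is used when storing idmap mappings" a few lines below. The ldap port paragraph ("- This option is used to control the tcp port number used to contact the ldap server. The default is to use the stand LDAPS port 636.") is removed with no replacement; the old text tied the default port to LDAPS, so the reader needs to be told where the port and the TLS choice are now configured (the ldap ssl entry is the obvious place to say so).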
@@ -1956,40 +1990,34 @@
counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that
are used to deal with user and group attributes lack such optimization.
- o make Samba scale well in large environments, the ldapsam:trusted = yes
+ o make Samba scale well in large environments, the ldapsam:trusted = yes
option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the
standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are
stored together with the POSIX data in the same LDAP object. If these assumptions are met,
- ldapsam:trusted = yes can be activated and Samba can completely bypass the
+ ldapsam:trusted = yes can be activated and Samba can completely bypass the
NSS system to query user information. Optimized LDAP queries can greatly speed up domain logon and
administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries
is easily achieved.
Default: This parameter is only available if Samba has been
- configure to include the --with-ldapsam
- option at compile time. This parameter should contain the FQDN of the ldap directory
- server which should be queried to locate user account information.
- Default: This option is used to define whether or not Samba should
use SSL when connecting to the ldap server
This is NOT related to
Samba's previous SSL support which was enabled by specifying the
--with-ssl option to the The ldap ssl can be set to one of three values: The ldap ssl can be set to one of three values: Default: Default: Specifies the base for all ldap suffixes and for storing the sambaDomain object.
- The ldap suffix will be appended to the values specified for the ldap user suffix,
- ldap group suffix, ldap machine suffix, and the
- ldap idmap suffix. Each of these should be given only a DN relative to the
- ldap suffix.
+ The ldap suffix will be appended to the values specified for the ldap user suffix,
+ ldap group suffix, ldap machine suffix, and the
+ ldap idmap suffix. Each of these should be given only a DN relative to the
+ ldap suffix.
Default: Example:
This parameter specifies where users are added to the tree. If this parameter is unset,
- the value of ldap suffix will be used instead. The suffix
- string is pre-pended to the ldap suffix string so use a partial DN.
+ the value of ldap suffix will be used instead. The suffix
+ string is pre-pended to the ldap suffix string so use a partial DN.
Default: Example: It is recommended that this parameter be turned on to
speed access to shared executables. For more discussions on level2 oplocks see the CIFS spec.
- Currently, if kernel oplocks are supported then
+ Currently, if kernel oplocks are supported then
level2 oplocks are not granted (even if this parameter is set to
- Default: Default: Default: Example: If Samba is set to produce Lanman announce
broadcasts needed by OS/2 clients (see the
- lm announce parameter) then this
+ lm announce parameter) then this
parameter defines the frequency in seconds with which they will be
made. If this is set to zero then no Lanman announcements will be
- made despite the setting of the lm announce
+ made despite the setting of the lm announce
parameter. Default: Example: A boolean variable that controls whether all
printers in the printcap will be loaded for browsing by default.
- See the printers section for
+ See the printers section for
more details. Default: This option allows nmbd(8) to try and become a local master browser
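Review bot: "+ o make Samba scale well in large environments, the ldapsam:trusted = yes" still lacks the leading "T" ("To make ..."); the line was touched, so this was the moment to fix it. The same text says that with this setting Samba "can completely bypass the NSS system", and the consequence it leaves implicit (accounts or groups known only through NSS and not in LDAP become invisible to Samba) is exactly the failure an administrator enabling it for speed will hit, so it should be spelled out. The "- ... This parameter should contain the FQDN of the ldap directory server which should be queried" paragraph is removed with no replacement, and the unchanged "The ldap ssl can be set to one of three values:" appears twice in a row.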
@@ -2071,7 +2099,7 @@
This parameter is a synonym for lock directory. This option specifies the directory where lock
files will be placed. The lock files are used to implement the
- max connections option.
+ max connections option.
Default: Example: The time in microseconds that smbd should
pause before attempting to gain a failed lock. See
- lock spin count for more details. Default: Default:
This option allows you to override the name of the Samba log file (also known as the debug file).
@@ -2117,11 +2145,11 @@
This parameter specifies the local path to which the home directory will be
- connected (see logon home) and is only used by NT
+ connected (see logon home) and is only used by NT
Workstations.
Note that this option is only useful if Samba is set up as a logon server.
- Default: Default: Example:
- Note that in prior versions of Samba, the logon path was returned rather than
+ Note that in prior versions of Samba, the logon path was returned rather than
- Disable this feature by setting logon home = "" - using the empty string.
+ Disable this feature by setting logon home = "" - using the empty string.
This option is only useful if Samba is set up as a logon server.
Default:
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
machine. It also specifies the directory from which the "Application Data", ( Note that this option is only useful if Samba is set up as a domain controller.
Disable the use of roaming profiles by setting the value of this parameter to the empty string. For
- example, logon path = "". Take note that even if the default setting
+ example, logon path = "". Take note that even if the default setting
in the smb.conf file is the empty string, any value specified in the user account settings in the passdb
backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use
requires that the user account settings must also be blank.
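Review bot: "- Note that in prior versions of Samba, the logon path was returned rather than" and its "+" twin are both cut mid-sentence, so the historical note says nothing; either complete it or drop it. The logon path text also uses "over-ride" where "override" is meant, and its point that a non-empty value in the user's passdb entry wins over logon path = "" is the security-relevant one, so it belongs in its own sentence rather than at the end of a run-on.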
@@ -2206,7 +2234,7 @@
must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.
The script must be a relative path to the
@@ -2246,7 +2274,7 @@
will have the SPOOLED or PRINTING status. Note that it is good practice to include the absolute path
in the lppause command as the PATH may not be available to the server. Default: This command should be a program or script which takes
a printer name and job number to resume the print job. See
- also the lppause command parameter. If a If a Note that it is good practice to include the absolute path
in the See also the printing parameter. Default: Currently no default value is given
+ be available to the server. See also the printing parameter. Default: Currently no default value is given
to this string, unless the value of the lp -i %p-%j -H resume or if the value of the qstat -s -j%j -r Default: Default:
- If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change
+ If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change
the MACHINE ACCOUNT PASSWORD stored in the TDB called
See also smbpasswd(8),
- and the security = domain parameter.
+ and the security = domain parameter.
Default:
This parameter specifies the name of a file which will contain output created by a magic script (see the
- magic script parameter below).
+ magic script parameter below).
If two clients use the same Default: Scripts executed in this way will be deleted upon
completion assuming that the user has the appropriate level
of privilege and the file permissions allow the deletion. If the script generates output, output will be sent to
- the file specified by the magic output
+ the file specified by the magic output
parameter (see above). Note that some shells are unable to interpret scripts
containing CR/LF instead of CR as
the end-of-line marker. Magic scripts must be executable
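Review bot: the unchanged magic script text "Note that some shells are unable to interpret scripts containing CR/LF instead of CR as the end-of-line marker" names the wrong character: the UNIX end-of-line marker is LF, so it should read "CR/LF instead of LF". While this entry is being touched, the magic script and magic output lines should also remind the reader that smbd runs a file a client uploaded under that name (the text's "appropriate level of privilege" is the connected user's), so the feature should stay unset on shares writable by untrusted users.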
@@ -2366,7 +2394,7 @@
So to map
- mangled map = (*.html *.htm).
+ mangled map = (*.html *.htm).
One very useful case is to remove the annoying This controls whether non-DOS names under UNIX
should be mapped to DOS-compatible names ("mangled") and made visible,
- or whether non-DOS names should simply be ignored. See the section on name mangling for
+ or whether non-DOS names should simply be ignored. See the section on name mangling for
details on how to control the mangling process. If mangling is used then the mangling algorithm is as follows: The first (up to) five alphanumeric characters
before the rightmost dot of the filename are preserved, forced
to upper case, and appear as the first (up to) five characters
@@ -2388,7 +2416,7 @@
extension). The final extension is included in the hash calculation
only if it contains any upper case characters or is longer than three
characters. Note that the character to use may be specified using
- the mangling char
+ the mangling char
option, if you don't like '~'. Files whose UNIX name begins with a dot will be
presented as DOS hidden files. The mangled name will be created as
for other filenames, but with the leading dot removed and "___" as
@@ -2412,7 +2440,7 @@
Example: This controls what character is used as
- the magic character in name mangling. The
+ the magic character in name mangling. The
default is a '~' but this may interfere with some software. Use this option to set
it to whatever you prefer. This is effective only when mangling method is hash. Default:
- Note that this requires the create mask parameter to be set such that owner
+ Note that this requires the create mask parameter to be set such that owner
execute bit is not masked out (i.e. it must include 100). See the parameter
- create mask for details.
+ create mask for details.
Default:
This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.
- Note that this requires the create mask to be set such that the world execute
- bit is not masked out (i.e. it must include 001). See the parameter create mask
+ Note that this requires the create mask to be set such that the world execute
+ bit is not masked out (i.e. it must include 001). See the parameter create mask
for details.
No default
This controls how the DOS read only attribute should be mapped from a UNIX filesystem.
This parameter can take three different values, which tell smbd(8) how to display the read only attribute on files, where either
- store dos attributes is set to The three settings are :
Default:
This controls whether DOS style system files should be mapped to the UNIX group execute bit.
- Note that this requires the create mask to be set such that the group
+ Note that this requires the create mask to be set such that the group
execute bit is not masked out (i.e. it must include 010). See the parameter
- create mask for details.
+ create mask for details.
Default: This parameter is only useful in SECURITY =
security modes other than This parameter can take four different values, which tell
@@ -2495,9 +2523,9 @@
default. Record lock files are used to implement this feature. The lock files will be stored in
- the directory specified by the lock directory option. Default: Default: Example: Default: This option tells smbd(8) when acting as a WINS server
- (wins support = yes) what the maximum
+ (wins support = yes) what the maximum
'time to live' of NetBIOS names that nmbd
will grant will be (in seconds). You should never need to change this
parameter. The default is 6 days (518400 seconds). Default: This option controls the maximum packet size
- that will be negotiated by Samba. The default is 65535, which
- is the maximum. In some cases you may find you get better performance
- with a smaller value. A value below 2048 is likely to cause problems.
- Default: Default: Example: The value of the parameter (a string) is the
lowest SMB protocol dialect than Samba will support. Please refer
- to the max protocol
+ to the max protocol
parameter for a list of valid protocol names and a brief description
of each. You may also wish to refer to the C source code in
If you are viewing this parameter as a security measure, you should
- also refer to the lanman auth parameter. Otherwise, you should never need
+ also refer to the lanman auth parameter. Otherwise, you should never need
to change this parameter. Default: Example: This option tells nmbd(8)
- when acting as a WINS server (wins support = yes) what the minimum 'time to live'
+ when acting as a WINS server (wins support = yes) what the minimum 'time to live'
of NetBIOS names that nmbd will grant will be (in
seconds). You should never need to change this parameter. The default
is 6 hours (21600 seconds). Default: Only Dfs roots can act as proxy shares. Take a look at the
- msdfs root and host msdfs
+ msdfs root and host msdfs
options to find out how to set up a Dfs root share. No default Example: If set to Default: Default: Specifies the number of seconds it takes before
entries in samba's hostname resolve cache time out. If
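Review bot: the four removed lines beginning "This option controls the maximum packet size that will be negotiated by Samba" (default 65535, values below 2048 likely to cause problems) have no replacement lines in this hunk; confirm that parameter's documentation was moved rather than dropped. Also, in the unchanged min protocol text, "the lowest SMB protocol dialect than Samba will support" should read "that Samba will support".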
@@ -2735,9 +2763,9 @@
useful for active directory domains and results in a DNS query for the SRV RR entry matching
_ldap._tcp.domain.
The example below will cause the local lmhosts file to be examined
@@ -2789,15 +2817,17 @@
it will be mounted on the Samba client directly from the directory
server. When Samba is returning the home share to the client, it
will consult the NIS map specified in
- homedir map and return the server
+ homedir map and return the server
listed there. Note that for this option to work there must be a working
NIS system and the Samba server with this option must also
be a logon server. Default: This boolean parameter controls whether smbd(8) will attempt to map
- UNIX permissions into Windows NT access control lists.
- This parameter was formally a global parameter in releases
- prior to 2.2.2. Default: Default: This parameter determines whether or not smbd(8) will attempt to
authenticate users using the NTLM encrypted password response.
@@ -2826,7 +2856,7 @@
should obey PAM's account and session management directives. The
default behavior is to use PAM for clear text authentication only
and to ignore any account or session management. Note that Samba
- always ignores PAM for authentication in the case of encrypt passwords = yes. The reason
+ always ignores PAM for authentication in the case of encrypt passwords = yes. The reason
is that PAM modules cannot support the challenge/response
authentication mechanism needed in the presence of SMB password encryption.
Default: Note that this also means Samba won't try to deduce
+ useful in security = share level security. Note that this also means Samba won't try to deduce
usernames from the service name. This can be annoying for
the [homes] section. To get around this you could use user =
%S which means your Default: This parameter was added in Samba 3.0.23. This is an internal tuning parameter that sets
+ the hash size of the tdb used for the open file databases. The presence of this parameter
+ allows tuning of the system for very large (thousands of concurrent users) Samba setups.
+ The default setting of this parameter should be sufficient for most normal environments.
+ It is advised not to change this parameter unless advised to by a Samba Team member. Default: Example:
This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too
quickly when that client issues an SMB that can cause an oplock break request, then the network client can
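Review bot: the added description of the new 3.0.23 tuning parameter ends with "It is advised not to change this parameter unless advised to by a Samba Team member", which repeats "advised"; suggest "It is recommended not to change this parameter unless advised to do so by a Samba Team member". The added text also gives no default or example value after "Default: Example:", so those should be filled in before this is merged.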
@@ -2877,11 +2915,11 @@
Oplocks may be selectively turned off on certain files with a share. See
- the veto oplock files parameter. On some systems
+ the veto oplock files parameter. On some systems
oplocks are recognized by the underlying operating system. This
allows data synchronization between all access to oplocked files,
whether it be via Samba or NFS or a local UNIX process. See the
- kernel oplocks parameter for details.
+ kernel oplocks parameter for details.
Default: The parameter is used to define the absolute
@@ -2897,7 +2935,7 @@
This integer value controls what level Samba
advertises itself as for browse elections. The value of this
parameter determines whether nmbd(8)
-has a chance of becoming a local master browser for the workgroup in the local broadcast area.
+has a chance of becoming a local master browser for the workgroup in the local broadcast area.
Note :By default, Samba will win a local master browsing election over all Microsoft operating
systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can
effectively isolate a subnet for browsing purposes. This parameter is largely auto-configured in the Samba-3
@@ -2911,9 +2949,9 @@
this parameter, it is possible to use PAM's password change control
flag for Samba. If enabled, then PAM will be used for password
changes when requested by an SMB client instead of the program listed in
- passwd program.
+ passwd program.
It should be possible to enable this without changing your
- passwd chat parameter for most setups. Default: Default: This is a Samba developer option that allows a
system command to be called when either smbd(8) or smbd(8) crashes. This is usually used to
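Review bot: the unchanged context line "when either smbd(8) or smbd(8) crashes" names the same daemon twice; one of the two references is presumably meant to be the other Samba daemon and should be corrected while this section is being touched.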
@@ -2942,10 +2980,10 @@
backend. Takes a path to the smbpasswd file as an optional argument.
tdbsam - The TDB based password storage
backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
- in the private dir directory. ldapsam - The LDAP based passdb
+ in the private dir directory. ldapsam - The LDAP based passdb
backend. Takes an LDAP URL as an optional argument (defaults to
ldap://localhost) LDAP connections should be secured where possible. This may be done using either
- Start-TLS (see ldap ssl) or by
+ Start-TLS (see ldap ssl) or by
specifying Multiple servers may also be specified in double-quotes, if your
LDAP libraries supports the LDAP URL notation.
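Review bot: the "+" line "in the private dir directory. ldapsam - The LDAP based passdb" keeps an unbalanced parenthesis from "(defaults to passdb.tdb" and should close it: "(defaults to passdb.tdb in the private dir directory)". In the unchanged line below, "if your LDAP libraries supports the LDAP URL notation" should be "if your LDAP library supports".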
@@ -2983,23 +3021,21 @@
This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We
used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable
%G_osver% in which %G would have been substituted by the user's primary group.
-
- This parameter is set to "yes" by default, but this is about to change in the future.
- Default: Default: This string controls the "chat"
conversation that takes places between smbd(8) and the local password changing
program to change the user's password. The string describes a
sequence of response-receive pairs that smbd(8) uses to determine what to send to the
- passwd program and what to expect back. If the expected output is not
+ passwd program and what to expect back. If the expected output is not
received then the password is not changed. This chat sequence is often quite site specific, depending
on what local methods are used for password control (such as NIS
- etc). Note that this parameter only is only used if the unix password sync parameter is set to Note that this parameter only is only used if the unix password sync parameter is set to The string can contain the macro If the send string in any part of the chat sequence is a full
stop ".", then no string is sent. Similarly, if the
- expect string is a full stop then no string is expected. If the pam password change parameter is set to If the pam password change parameter is set to Default: Default: This integer specifies the number of seconds smbd will wait for an initial
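Review bot: the rewritten passwd chat line carries over "Note that this parameter only is only used if the unix password sync parameter is set to", which duplicates "only"; the "+" side should read "this parameter is only used if". Also in the unchanged text above, "the "chat" conversation that takes places between smbd(8) and the local password changing program" should be "takes place".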
@@ -3072,7 +3108,7 @@
process a new connection. A value of zero will cause only two attempts to be
made - the password as is and the password in all-lower case. This parameter is used only when using plain-text passwords. It is
not at all used when encrypted passwords as in use (that is the default
- since samba-3.0.0). Use this only when encrypt passwords = No. Default: Default: Example: If parameter is a name, it is looked up using the
- parameter name resolve order and so may resolved
+ parameter name resolve order and so may resolved
by any method and order described in that parameter. The password server must be a machine capable of using
the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
user level security mode. Using a password server means your UNIX box (running
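Review bot: the "+" line "parameter name resolve order and so may resolved" keeps the missing verb from the old line and should read "and so may be resolved". In the unchanged context just above, "It is not at all used when encrypted passwords as in use" should be "are in use".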
@@ -3150,7 +3186,7 @@
on this connection. Any occurrences of Note that this path will be based on root dir
+ up pseudo home directories for users. Note that this path will be based on root dir
if one was specified. Default: Example: Of course, this could get annoying after a while :-)
- See also preexec close and postexec.
+ See also preexec close and postexec.
Default: Example:
- This boolean option controls whether a non-zero return code from preexec
+ This boolean option controls whether a non-zero return code from preexec
should close the service being connected to.
Default:
If this is set to
Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT)
@@ -3213,7 +3249,7 @@
for homes and printers services that would otherwise not be
visible.
Note that if you just want all printers in your
- printcap file loaded then the load printers
+ printcap file loaded then the load printers
option is easier.
Default:
This controls if new filenames are created with the case that the client passes, or if
- they are forced to be the default case.
+ they are forced to be the default case.
See the section on NAME MANGLING for a fuller discussion.
Default: Note that a printable service will ALWAYS allow writing
to the service path (user privileges permitting) via the spooling
- of print data. The read only parameter controls only non-printing access to
+ of print data. The read only parameter controls only non-printing access to
the resource. Default: This option specifies the number of seconds before the printing
@@ -3254,7 +3290,7 @@
To use the CUPS printing interface set printcap name = cups . This should
- be supplemented by an addtional setting printing = cups in the [global]
+ be supplemented by an addtional setting printing = cups in the [global]
section. printcap name = cups will use the "dummy" printcap
created by CUPS, as specified in your CUPS configuration file.
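Review bot: the "+" line "be supplemented by an addtional setting printing = cups in the [global]" preserves the typo "addtional"; since the line is being rewritten anyway, correct it to "additional".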
@@ -3307,17 +3343,17 @@
printable service nor a global print command, spool files will
be created but not processed and (most importantly) not removed. Note that printing may fail on some UNIXes from the
You can form quite complex print commands by realizing
that they are just passed to a shell. For example the following
will log a print job, print the file, then remove it. Note that
';' is the usual separator for command in shell scripts. print command = echo Printing %s >>
/tmp/print.log; lpr -P %p %s; rm %s You may have to vary this command considerably depending
on how you normally print files on your system. The default for
- the parameter varies depending on the setting of the printing
+ the parameter varies depending on the setting of the printing
parameter. Default: For printing = BSD, AIX, QNX, LPRNG
or PLP : print command = lpr -r -P%p %s For printing = SYSV or HPUX : print command = lp -c -d%p %s; rm %s For printing = SOFTQ : print command = lp -d%p -s %s; rm %s For printing = CUPS : If SAMBA is compiled against
- libcups, then printcap = cups
+ libcups, then printcap = cups
uses the CUPS API to
submit jobs, etc. Otherwise it maps to the System V
commands with the -oraw option for printing, i.e. it
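Review bot: the "+" line "libcups, then printcap = cups" names the parameter inconsistently with the printcap name section earlier in this patch, which uses "printcap name = cups"; the link text should use the full parameter name "printcap name = cups" so readers are not left looking for a parameter called "printcap".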
@@ -3349,7 +3385,7 @@
If specified in the [global] section, the printer name given will be used for any printable service that
does not have its own printer name specified.
- The default value of the printer name may be Default: This parameter specifies the command to be
executed on the server host in order to resume the printer queue. It
is the command to undo the behavior that is caused by the
- previous parameter (queuepause command). This command should be a program or script which takes
+ previous parameter (queuepause command). This command should be a program or script which takes
a printer name as its only parameter and resumes the printer queue,
such that queued jobs are resubmitted to the printer. This command is not supported by Windows for Workgroups,
but can be issued from the Printers window under Windows 95
@@ -3436,15 +3472,15 @@
This is a list of users that are given read-only access to a service. If the connecting user is in this list
- then they will not be given write access, no matter what the read only option is set
- to. The list can include group names using the syntax described in the invalid users
+ then they will not be given write access, no matter what the read only option is set
+ to. The list can include group names using the syntax described in the invalid users
parameter.
- This parameter will not work with the security = share in
+ This parameter will not work with the security = share in
Samba 3.0. This is by design. Default: Example: An inverted synonym is writeable. If this parameter is An inverted synonym is writeable. If this parameter is Note that a printable service (printable = yes)
will ALWAYS allow writing to the directory
@@ -3480,7 +3516,7 @@
the above line would cause nmbd to announce itself
to the two given IP addresses using the given workgroup names. If you leave out the
- workgroup name then the one given in the workgroup parameter
+ workgroup name then the one given in the workgroup parameter
is used instead.
The IP addresses you choose would normally be the broadcast addresses of the remote
@@ -3517,7 +3553,7 @@
that the remote machine is available, is listening, nor that it
is in fact the browse master on its segment.
- The remote browse sync may be used on networks
+ The remote browse sync may be used on networks
where there is no WINS server, and may be used on disjoint networks where
each network has its own WINS server.
Default:
The security advantage of using restrict anonymous = 2 is removed
- by setting guest ok = yes on any share.
+ by setting guest ok = yes on any share.
Default: This parameter is a synonym for root directory. This parameter is a synonym for root directory. The server will chroot() (i.e.
@@ -3589,7 +3625,7 @@
It may also check for, and deny access to, soft links to other
parts of the filesystem, or attempts to use ".." in file names
to access other directories (depending on the setting of the
- wide smbconfoptions parameter).
+ wide smbconfoptions parameter).
Adding a It is possible to use smbd in a
+ the map to guestparameter for details. It is possible to use smbd in a
hybrid mode where it is offers both user and share
- level security under different NetBIOS aliases. The different settings will now be explained. When clients connect to a share level security server they
+ level security under different NetBIOS aliases. The different settings will now be explained. When clients connect to a share level security server they
need not log onto the server with a valid username and password before
attempting to connect to a shared resource (although modern clients
such as Windows 95/98 and Windows NT will send a logon request with
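Review bot: the "+" line "the map to guestparameter for details." is missing the space in "guest parameter", and the "+" line "wide smbconfoptions parameter" renders a link whose text is not a parameter name; the check on soft links and ".." described here is the wide links parameter, so the link markup appears broken and should be fixed. The unchanged context "hybrid mode where it is offers both user and share" should also read "where it offers".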
@@ -3659,10 +3695,10 @@
in share level security, smbd uses several
techniques to determine the correct UNIX user to use on behalf
of the client. A list of possible UNIX usernames to match with the given
- client password is constructed using the following methods : If the guest only parameter is set, then all the other
- stages are missed and only the guest account username is checked.
+ client password is constructed using the following methods : If the guest only parameter is set, then all the other
+ stages are missed and only the guest account username is checked.
Is a username is sent with the share connection
- request, then this username (after mapping - see username map),
+ request, then this username (after mapping - see username map),
is added as a potential username.
If the client did a previous logon
request (the SessionSetup SMB call) then the
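Review bot: the unchanged context line "Is a username is sent with the share connection" should begin "If a username is sent"; the surrounding lines are being rewritten for link markup, so this typo in the share-level username selection list can be corrected in the same change.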
@@ -3671,7 +3707,7 @@
added as a potential username.
The NetBIOS name of the client is added to
the list as a potential username.
- Any users on the user list are added as potential usernames.
+ Any users on the user list are added as potential usernames.
If the See also the section
NOTE ABOUT USERNAME/PASSWORD VALIDATION. This is the default security setting in Samba 3.0.
With user-level security a client must first "log-on" with a
- valid username and password (which can be mapped using the username map
- parameter). Encrypted passwords (see the encrypted passwords parameter) can also
- be used in this security mode. Parameters such as user and guest only if set are then applied and
+ valid username and password (which can be mapped using the username map
+ parameter). Encrypted passwords (see the encrypted passwords parameter) can also
+ be used in this security mode. Parameters such as user and guest only if set are then applied and
may change the UNIX user to use on this connection, but only after
the user has been successfully authenticated. Note that the name of the resource being
requested is not sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the guest account.
- See the map to guest parameter for details on doing this. See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. This mode will only work correctly if net(8) has been used to add this
- machine into a Windows NT Domain. It expects the encrypted passwords
+ the server to automatically map unknown users into the guest account.
+ See the map to guest parameter for details on doing this. See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. This mode will only work correctly if net(8) has been used to add this
+ machine into a Windows NT Domain. It expects the encrypted passwords
parameter to be set to See also the section
- NOTE ABOUT USERNAME/PASSWORD VALIDATION. See also the password server parameter and
- the encrypted passwords parameter.
+ the server to automatically map unknown users into the guest account.
+ See the map to guest parameter for details on doing this. See also the section
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION. See also the password server parameter and
+ the encrypted passwords parameter.
In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
NT box. If this fails it will revert to security = user. It expects the
- encrypted passwords parameter to be set to See also the section
- NOTE ABOUT USERNAME/PASSWORD VALIDATION. See also the password server parameter and the
- encrypted passwords parameter. In this mode, Samba will act as a domain member in an ADS realm. To operate
+ the server to automatically map unknown users into the guest account.
+ See the map to guest parameter for details on doing this. See also the section
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION. See also the password server parameter and the
+ encrypted passwords parameter. In this mode, Samba will act as a domain member in an ADS realm. To operate
in this mode, the machine running Samba will need to have Kerberos installed
and configured and Samba will need to be joined to the ADS realm using the
net utility. Note that this mode does NOT make Samba operate as a Active Directory Domain
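Review bot: the added lines "the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this." are inserted not only in the user-level security text they belong to but also ahead of the security = domain and security = server descriptions (the "+" blocks preceding "This mode will only work correctly if net(8)" and "In this mode Samba will try to validate the username/password"), where the old "-" lines had no such sentence; this reads as a copy and paste artifact and should be removed from the domain and server sections unless the guest mapping behaviour really applies there. Also, in the unchanged context, "a Active Directory Domain" should be "an Active Directory Domain".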
@@ -3749,7 +3785,7 @@
UNIX permission on a file using the native NT security dialog box.
This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
- in this mask from being modified. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
+ in this mask from being modified. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
@@ -3764,7 +3800,7 @@
This controls whether the server offers or even demands the use of the netlogon schannel.
- server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel.
+ server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel.
This is only the case for Windows NT4 before SP4.
Please note that with this set to This boolean parameter controls if new files
which conform to 8.3 syntax, that is all in upper case and of
suitable length, are created upper case, or if they are forced
- to be the default case
- . This option can be use with preserve case = yes
+ to be the default case
+ . This option can be use with preserve case = yes
to permit long filenames to retain their case, while short
names are lowered. See the section on NAME MANGLING. Default:
If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or
READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such
- as occurs with map hidden and map readonly). When set, DOS
+ as occurs with map hidden and map readonly). When set, DOS
attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or
- directory. For no other mapping to occur as a fall-back, the parameters map hidden,
- map system, map archive and map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended
+ directory. For no other mapping to occur as a fall-back, the parameters map hidden,
+ map system, map archive and map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended
attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an
EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for
extended attributes to work, also extended attributes must be compiled into the Linux kernel.
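Review bot: the "+" line ". This option can be use with preserve case = yes" keeps two defects from the old line, the stray space before the full stop ("the default case .") and "can be use", which should be "can be used"; both should be corrected while the line is being rewritten.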
@@ -3961,15 +3997,20 @@
of users. Default:
- This is a boolean that controls the handling of file locking in the server. When this is set to
+ When strict locking is set to Auto (the default), the server performs file lock checks only on non-oplocked files.
+ As most Windows redirectors perform file locking checks locally on oplocked files this is a good trade off for
+ inproved performance.
+
When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them.
Well-behaved clients always ask for lock checks when it is important. So in the vast majority of cases,
+ strict locking = Auto or
strict locking = no is acceptable.
- Default: Default: Many Windows applications (including the Windows 98 explorer
shell) seem to confuse flushing buffer contents to disk with doing
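Review bot: the added line "inproved performance." misspells "improved", and "good trade off" in the line above it should be "good trade-off". More substantively, the removed line described strict locking as "a boolean", and the new text introduces Auto as a third value and new default; make sure the "Default:" line below and any other references to this parameter as a boolean are updated to match.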
@@ -4079,8 +4120,8 @@
passwords to be made over a longer period. Once all users have encrypted representations of their passwords
in the smbpasswd file this parameter should be set to
- In order for this parameter to be operative the encrypt passwords parameter must
- be set to
Note that even when this parameter is set a user authenticating to smbd
must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd)
@@ -4152,7 +4193,7 @@
they will be able to do no more damage than if they started a
telnet session. The daemon runs as the user that they log in as,
so they cannot do anything that user cannot do. To restrict a service to a particular set of users you
- can use the valid users parameter. If any of the usernames begin with a '@' then the name
+ can use the valid users parameter. If any of the usernames begin with a '@' then the name
will be looked up first in the NIS netgroups list (if Samba
is compiled with netgroup support), followed by a lookup in
the UNIX groups database and will expand to a list of all users
@@ -4242,7 +4283,7 @@
Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and
Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been
@@ -4270,7 +4311,7 @@
# no username map
This script is a mutually exclusive alternative to the
- username map parameter. This parameter
+ username map parameter. This parameter
specifies and external program or script that must accept a single
command line option (the username transmitted in the authentication
request) and return a line line on standard output (the name to which
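Review bot: the unchanged context lines for username map script contain two wording slips, "specifies and external program or script" (should be "an external program or script") and "return a line line on standard output" (should be "return a line on standard output"); since the adjacent link line is being rewritten, these can be fixed in the same hunk.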
@@ -4280,6 +4321,95 @@
Example: This parameter controls whether user defined shares are allowed
+ to be accessed by non-authenticated users or not. It is the equivalent
+ of allowing people who can create a share the option of setting
+ Default: This parameter specifies the number of user defined shares
+ that are allowed to be created by users belonging to the group owning the
+ usershare directory. If set to zero (the default) user defined shares are ignored.
+ Default: This parameter controls whether the pathname exported by
+ a user defined shares must be owned by the user creating the
+ user defined share or not. If set to True (the default) then
+ smbd checks that the directory path being shared is owned by
+ the user who owns the usershare file defining this share and
+ refuses to create the share if not. If set to False then no
+ such check is performed and any directory path may be exported
+ regardless of who owns it.
+ Default: This parameter specifies the absolute path of the directory on the
+ filesystem used to store the user defined share definition files.
+ This directory must be owned by root, and have no access for
+ other, and be writable only by the group owner. In addition the
+ "sticky" bit must also be set, restricting rename and delete to
+ owners of a file (in the same way the /tmp directory is usually configured).
+ Members of the group owner of this directory are the users allowed to create
+ usershares. If this parameter is undefined then no user defined
+ shares are allowed.
+
+ For example, a valid usershare directory might be /usr/local/samba/lib/usershares,
+ set up as follows.
+
+
+
+ In this case, only members of the group "power_users" can create user defined shares.
+ Default: This parameter specifies a list of absolute pathnames
+ the root of which are allowed to be exported by user defined share definitions.
+ If the pathname exported doesn't start with one of the strings in this
+ list the user defined share will not be allowed. This allows the Samba
+ administrator to restrict the directories on the system that can be
+ exported by user defined shares.
+
+ If there is a "usershare prefix deny list" and also a
+ "usershare prefix allow list" the deny list is processed
+ first, followed by the allow list, thus leading to the most
+ restrictive interpretation.
+ Default: Example: This parameter specifies a list of absolute pathnames
+ the root of which are NOT allowed to be exported by user defined share definitions.
+ If the pathname exported starts with one of the strings in this
+ list the user defined share will not be allowed. Any pathname not
+ starting with one of these strings will be allowed to be exported
+ as a usershare. This allows the Samba administrator to restrict the
+ directories on the system that can be exported by user defined shares.
+
+ If there is a "usershare prefix deny list" and also a
+ "usershare prefix allow list" the deny list is processed
+ first, followed by the allow list, thus leading to the most
+ restrictive interpretation.
+ Default: Example: User defined shares only have limited possible parameters
+ such as path, guest ok etc. This parameter allows usershares to
+ "cloned" from an existing share. If "usershare template share"
+ is set to the name of an existing share, then all usershares
+ created have their defaults set from the parameters set on this
+ share.
+
+ The target share may be set to be invalid for real file
+ sharing by setting the parameter "-valid = False" on the template
+ share definition. This causes it not to be seen as a real exported
+ share but to be able to be used as a template for usershares.
+ Default: Example: If this parameter is
- Note that the case sensitive option is applicable in vetoing files.
+ Note that the case sensitive option is applicable in vetoing files.
One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when
trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this
- deletion will fail unless you also set the delete veto files
+ deletion will fail unless you also set the delete veto files
parameter to
Setting this parameter will affect the performance of Samba, as it will be forced to check all files
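Review bot: in the added usershare path description, "set up as follows." is followed only by blank "+" lines before "In this case, only members of the group "power_users" can create user defined shares", so the example showing the required ownership and permissions (root owned, no access for other, group writable, sticky bit) is missing and must be supplied, since it is the only place that shows how to meet those constraints. Smaller points in the new text: "whether the pathname exported by a user defined shares must be owned" should be "share", "This parameter allows usershares to "cloned"" should be "to be cloned", and the usershare allow guests sentence "the option of setting" is cut off before the parameter value it refers to.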
@@ -4378,11 +4508,11 @@
Default:
- This parameter is only valid when the oplocks
+ This parameter is only valid when the oplocks
parameter is turned on for a share. It allows the Samba administrator
to selectively turn off the granting of oplocks on selected files that
match a wildcarded list, similar to the wildcarded list used in the
- veto files parameter.
+ veto files parameter.
You might want to do this on files that you know will be heavily contended
for by clients. A good example of this is in the NetBench SMB benchmark
@@ -4430,7 +4560,7 @@
endgrent() group of system calls. If
the Turning off group enumeration may cause some programs to behave oddly. Default: Turning off group enumeration may cause some programs to behave oddly. Default: On large installations using winbindd(8) it may be
necessary to suppress the enumeration of users through the setpwent(),
@@ -4442,7 +4572,7 @@
enumeration may cause some programs to behave oddly. For
example, the finger program relies on having access to the
full user list when searching for matching
- usernames. Default: Default: If set to yes, this parameter activates the support for nested
groups. Nested groups are also called local groups or
@@ -4450,8 +4580,7 @@
groups are defined locally on any machine (they are shared
between DC's through their SAM) and can contain users and
global groups from any trusted SAM. To be able to use nested
- groups, you need to run nss_winbind. Please note that per 3.0.3 this is a new feature, so
- handle with care. Default: Default: This parameter is designed to control how Winbind retrieves Name
Service Information to construct a user's home directory and login shell.
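Review bot: the removed lines "Please note that per 3.0.3 this is a new feature, so handle with care." leave the nested groups paragraph with no remaining caveat, while the context line "To be able to use nested groups, you need to run nss_winbind" is unchanged. If the warning was dropped because the feature is now considered stable, say so in the release notes; if it was dropped only for layout, restore it, because the sentence is the only hint in this section that nested group resolution depends on the nss_winbind setup.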
@@ -4473,6 +4602,21 @@
Example: This parameter is designed to control whether Winbind should
+ allow to login with the Default: Example: This parameter is designed to control whether Winbind should refresh Kerberos Tickets
+ retrieved using the Default: Example: This parameter allows an admin to define the character
used when listing a username of the form of This controls what workgroup your server will
appear to be in when queried by clients. Note that this parameter
also controls the Domain name used with
- the security = domain
+ the security = domain
setting. Default: Example: This parameter is a synonym for writeable. Inverted synonym for read only. No default If this integer parameter is set to non-zero value,
+ This parameter is a synonym for writeable. Inverted synonym for read only. No default If this integer parameter is set to non-zero value,
Samba will create an in-memory cache for each oplocked file
(it does not do this for
non-oplocked files). All writes that the client does not request
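Review bot: the new winbind parameter text "This parameter is designed to control whether Winbind should allow to login with the" is ungrammatical and should read "should allow logins with the". The adjacent new parameter, "whether Winbind should refresh Kerberos Tickets retrieved using the", adds credential-handling behaviour without saying what the refresh implies; state here what ticket material winbind has to retain to perform the refresh and what the default is, since a reader deciding whether to enable this needs to know that refreshing is not free from a credential-exposure standpoint. The "+" line "This parameter is a synonym for writeable. Inverted synonym for read only." duplicates the "-" line verbatim, so that part is a markup-only change.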
@@ -4580,14 +4724,14 @@
This is a list of users that are given read-write access to a service. If the
connecting user is in this list then they will be given write access, no matter
- what the read only option is set to. The list can
+ what the read only option is set to. The list can
include group names using the @group syntax.
Note that if a user is in both the read list and the write list then they will be
given write access.
By design, this parameter will not work with the
- security = share in Samba 3.0.
+ security = share in Samba 3.0.
Default: Example: Example:
Although the configuration file permits service names to contain spaces, your client software may not.
Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.
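Review bot: the "-"/"+" pairs in this hunk are identical once rendered, so the change is markup-only, but while touching it the sentence "Note that if a user is in both the read list and the write list then they will be given write access" should be tightened to say explicitly that write list takes precedence over both read list and read only; the current wording buries the precedence rule that decides whether a share is writable.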
@@ -4621,8 +4765,8 @@
for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme
care when designing these sections. In particular, ensure that the permissions on spool directories are
correct.
-
- samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).
+ samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbcontrol.1.html samba-3.0.23/docs/htmldocs/manpages/smbcontrol.1.html
--- samba-3.0.22/docs/htmldocs/manpages/smbcontrol.1.html 2006-01-29 10:16:27.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbcontrol.1.html 2006-07-06 05:17:56.000000000 -0500
@@ -1,5 +1,5 @@
- smbcontrol — send messages to smbd, nmbd or winbindd processes This tool is part of the samba(7) suite. smbcontrol is a very small program, which
- sends messages to a smbd(8), a nmbd(8), or a winbindd(8) daemon running on the system. Print a summary of command line options.
+ smbcontrol — send messages to smbd, nmbd or winbindd processes This tool is part of the samba(7) suite. smbcontrol is a very small program, which
+ sends messages to a smbd(8), a nmbd(8), or a winbindd(8) daemon running on the system. Print a summary of command line options.
The file specified contains the
configuration details required by the server. The
information in this file includes server-specific
@@ -16,7 +16,7 @@
If a single process ID is given, the message is sent
to only that process. Type of message to send. See
the section any parameters required for the message-type Available message types are: Order smbd to close the client
+ any parameters required for the message-type Available message types are: Order smbd to close the client
connections to the named share. Note that this doesn't affect client
connections to any other shares. This message-type takes an argument of the
share name for which client connections will be closed, or the
@@ -59,8 +59,8 @@
to update their local version of the driver. Can only be
sent to smbd. Force daemon to reload smb.conf configuration file. Can be sent
to The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbcquotas.1.html samba-3.0.23/docs/htmldocs/manpages/smbcquotas.1.html
--- samba-3.0.22/docs/htmldocs/manpages/smbcquotas.1.html 2006-01-29 10:16:29.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbcquotas.1.html 2006-07-06 05:17:57.000000000 -0500
@@ -1,4 +1,4 @@
- smbcquotas — Set or get QUOTAs of NTFS 5 shares This tool is part of the samba(7) suite. The smbcquotas program manipulates NT Quotas on SMB file shares. The following options are available to the smbcquotas program. Specifies the user of whom the quotas are get or set.
+ smbcquotas — Set or get QUOTAs of NTFS 5 shares This tool is part of the samba(7) suite. The smbcquotas program manipulates NT Quotas on SMB file shares. The following options are available to the smbcquotas program. Specifies the user of whom the quotas are get or set.
By default the current user's username will be used. Lists all quota records of the share. Show the share quota status and default limits. This command sets/modifies quotas for a user or on the share,
depending on the QUOTA_SET_COMMAND parameter which is described later. This option displays all QUOTA information in numeric
format. The default is to convert SIDs to names and QUOTA limits
@@ -27,7 +27,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
The format of an ACL is one or more ACL entries separated by
either commas or newlines. An ACL entry is one of the following:
for setting user quotas for the user specified by -u or the current username:
The smbcquotas program sets the exit status
depending on the success or otherwise of the operations performed.
The exit status may be one of the following values. If the operation succeeded, smbcquotas returns an exit
status of 0. If smbcquotas couldn't connect to the specified server,
or when there was an error getting or setting the quota(s), an exit status
of 1 is returned. If there was an error parsing any command line
- arguments, an exit status of 2 is returned. smbd — server to provide SMB/CIFS services to clients This program is part of the samba(7) suite. smbd is the server daemon that
+ smbd — server to provide SMB/CIFS services to clients This program is part of the samba(7) suite. smbd is the server daemon that
provides filesharing and printing services to Windows clients.
The server provides filespace and printer services to
clients using the SMB (or CIFS) protocol. This is compatible
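Review bot: this hunk runs two files together. The line beginning "- arguments, an exit status of 2 is returned." is the end of smbcquotas.1.html, and "smbd — server to provide SMB/CIFS services to clients" is the start of smbd.8.html, but there is no "diff -u -r", "---" or "+++" header between them as there is for every other file in this patch; the hunk header "@@ -21,7 +21,7 @@" that follows belongs to smbd.8.html. Regenerate or split the patch so the smbd.8.html file header is present, otherwise patch cannot attribute these lines to the right file. The "-override the parameter"/"+override the parameter" pair earlier in the hunk is markup-only.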
@@ -21,7 +21,7 @@
can force a reload by sending a SIGHUP to the server. Reloading
the configuration file will not affect connections to any service
that is already established. Either the user will have to
- disconnect from the service, or smbd killed and restarted. If specified, this parameter causes
+ disconnect from the service, or smbd killed and restarted. If specified, this parameter causes
the server to operate as a daemon. That is, it detaches
itself and runs in the background, fielding requests
on the appropriate port. Operating the server as a
@@ -68,7 +68,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
Prints information about how
Samba was built. The default ports are 139 (used for SMB over NetBIOS over TCP)
+ The default value is taken from the ports parameter in The default ports are 139 (used for SMB over NetBIOS over TCP)
and port 445 (used for plain SMB over TCP).
- If the server is to be run by the
inetd meta-daemon, this file
must contain suitable startup information for the
meta-daemon.
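Review bot: the added sentence "The default value is taken from the ports parameter in" documents where smbd gets its listening ports when -p is not given, which is useful, but it should also say whether a -p value overrides the ports parameter entirely or is merged with it, since the context immediately after lists both 139 and 445 as defaults and an operator hardening a host to a single port needs to know which one wins. The "-" line "If the server is to be run by the" has no visible "+" counterpart in this hunk; confirm the inetd sentence was only reflowed and not dropped.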
@@ -92,20 +92,20 @@
This is the default location of the smb.conf(5) server configuration file. Other common places that systems
install this file are This file describes all the services the server
- is to make available to clients. See smb.conf(5) for more information. On some systems smbd cannot change uid back
+ is to make available to clients. See smb.conf(5) for more information. On some systems smbd cannot change uid back
to root after a setuid() call. Such systems are called
trapdoor uid systems. If you have such a system,
you will be unable to connect from a client (such as a PC) as
two different users at once. Attempts to connect the
second user will result in access denied or
- similar. If no printer name is specified to
+ similar. Samba uses PAM for authentication (when presented with a plaintext
password), for account checking (is this account disabled?) and for
session management. The degree too which samba supports PAM is restricted
- by the limitations of the SMB protocol and the obey pam restrictions smb.conf(5) paramater. When this is set, the following restrictions apply:
+ by the limitations of the SMB protocol and the obey pam restrictions smb.conf(5) paramater. When this is set, the following restrictions apply:
Account Validation: All accesses to a
samba server are checked
against PAM to see if the account is vaild, not disabled and is permitted to
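Review bot: the new "+" line carries two typos, "The degree too which samba supports PAM" should be "The degree to which", and "paramater" should be "parameter"; the unchanged context line below it also has "vaild" for "valid", worth fixing while this paragraph is open. Since this paragraph describes PAM account validation, the statement a few lines later that it "is bypassed in share level secuirty" (also misspelled) is the security-relevant caveat and should be moved up next to the obey pam restrictions sentence rather than left as an afterthought.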
@@ -115,8 +115,8 @@
is granted. Note however, that this is bypassed in share level secuirty.
Note also that some older pam configuration files may need a line
added for session support.
- Most diagnostics issued by the server are logged
in a specified log file. The log file name is specified
at compile time, but may be overridden on the command line. The number and nature of diagnostics available depends
on the debug level used by the server. If you have problems, set
@@ -125,10 +125,10 @@
available in the source code to warrant describing each and every
diagnostic. At this stage your best bet is still to grep the
source code and inspect the conditions that gave rise to the
- diagnostics you are seeing. Samba stores it's data in several TDB (Trivial Database) files, usually located in
+ diagnostics you are seeing. Samba stores it's data in several TDB (Trivial Database) files, usually located in
(*) information persistent across restarts (but not
necessarily important to backup).
- NT account policy settings such as pw expiration, etc... byte range locks browse lists share connections (used to enforce max connections, etc...) generic caching db group mapping information share modes & oplocks bad pw attempts Samba messaging system cache of user net_info_3 struct from net_samlogon() request (as a domain member) installed printer drivers installed printer forms installed printer information directory containing tdb per print queue of cached lpq output Windows registry skeleton (connect via regedit.exe) session information (e.g. support for 'utmp = yes') share acls winbindd's cache of user lists, etc... winbindd's local idmap db wins database when 'wins support = yes' Sending the smbd a SIGHUP will cause it to
+ NT account policy settings such as pw expiration, etc... byte range locks browse lists share connections (used to enforce max connections, etc...) generic caching db group mapping information share modes & oplocks bad pw attempts Samba messaging system cache of user net_info_3 struct from net_samlogon() request (as a domain member) installed printer drivers installed printer forms installed printer information directory containing tdb per print queue of cached lpq output Windows registry skeleton (connect via regedit.exe) session information (e.g. support for 'utmp = yes') share acls winbindd's cache of user lists, etc... winbindd's local idmap db wins database when 'wins support = yes' Sending the smbd a SIGHUP will cause it to
reload its To shut down a user's smbd process it is recommended
that SIGKILL (-9) NOT
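Review bot: the "+" line keeps "Samba stores it's data in several TDB (Trivial Database) files", which should be "its data". The TDB list that follows includes files holding authentication-related data (the "bad pw attempts" database and the "cache of user net_info_3 struct from net_samlogon() request"), so the sentence about what is or is not "important to backup" should be accompanied by a note on the ownership and permissions these files must keep, because the list currently reads as purely an operational inventory.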
@@ -143,11 +143,11 @@
smbd is in a state of waiting for an incoming SMB before
issuing them. It is possible to make the signal handlers safe
by un-blocking the signals before the select call and re-blocking
- them after, however this would affect performance. hosts_access(5), inetd(8), nmbd(8), smb.conf(5), smbclient(1), testparm(1), testprns(1), and the
+ them after, however this would affect performance. hosts_access(5), inetd(8), nmbd(8), smb.conf(5), smbclient(1), testparm(1), testprns(1), and the
Internet RFC's The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbget.1.html samba-3.0.23/docs/htmldocs/manpages/smbget.1.html
--- samba-3.0.22/docs/htmldocs/manpages/smbget.1.html 2006-01-29 10:16:35.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbget.1.html 2006-07-06 05:18:00.000000000 -0500
@@ -1,14 +1,14 @@
- smbget — wget-like utility for download files over SMB This tool is part of the samba(7) suite. smbget is a simple utility with wget-like semantics, that can download files from SMB servers. You can specify the files you would like to download on the command-line.
+ smbget — wget-like utility for download files over SMB This tool is part of the samba(7) suite. smbget is a simple utility with wget-like semantics, that can download files from SMB servers. You can specify the files you would like to download on the command-line.
The files should be in the smb-URL standard, e.g. use smb://host/share/file
for the UNC path \\\\HOST\\SHARE\\file.
- Work as user guest Automatically resume aborted files Recursively download files Username to use Password to use Workgroup to use (optional) Don't ask anything (non-interactive) Debuglevel to use Show dots as progress indication Set same permissions on local file as are set on remote file. Write the file that is being download to the specified file. Can not be used together with -R. Use specified rcfile. This will be loaded in the order it was specified - e.g. if you specify any options before this one, they might get overriden by the contents of the rcfile. Be quiet Be verbose Number of bytes to download in a block. Defaults to 64000. Show help message Display brief usage message Work as user guest Automatically resume aborted files Recursively download files Username to use Password to use Workgroup to use (optional) Don't ask anything (non-interactive) Debuglevel to use Show dots as progress indication Set same permissions on local file as are set on remote file. Write the file that is being download to the specified file. Can not be used together with -R. Use specified rcfile. This will be loaded in the order it was specified - e.g. if you specify any options before this one, they might get overriden by the contents of the rcfile. Be quiet Be verbose Number of bytes to download in a block. Defaults to 64000. Show help message Display brief usage message SMB URL's should be specified in the following format: smbgetrc — configuration file for smbget
+ smbgetrc — configuration file for smbget
This manual page documents the format and options of the smbgetrc
file. This is the configuration file used by the smbget(1)
utility. The file contains of key-value pairs, one pair on each line. The key
and value should be separated by a space.
By default, smbget reads its configuration from $HOME/.smbgetrc, though
- other locations can be specified using the command-line options.
The following keys can be set:
Whether aborted downloads should be automatically resumed.
Whether directories should be downloaded recursively Username to use when logging in to the remote server. Use an empty string for anonymous access.
- Password to use when logging in. Workgroup to use when logging in Turns off asking for username and password. Useful for scripts. (Samba) debuglevel to run at. Useful for tracking down protocol level problems. Whether a single dot should be printed for each block that has been downloaded, instead of the default progress indicator. Number of bytes to put in a block. The original Samba software and related utilities
+ Password to use when logging in. Workgroup to use when logging in Turns off asking for username and password. Useful for scripts. (Samba) debuglevel to run at. Useful for tracking down protocol level problems. Whether a single dot should be printed for each block that has been downloaded, instead of the default progress indicator. Number of bytes to put in a block. smbmnt — helper utility for mounting SMB filesystems smbmnt is a helper application used
+ smbmnt — helper utility for mounting SMB filesystems smbmnt is a helper application used
by the smbmount program to do the actual mounting of SMB shares.
smbmnt can be installed setuid root if you want
normal users to be able to mount their SMB shares. A setuid smbmnt will only allow mounts on directories owned
by the user, and that the user has write permission on. The smbmnt program is normally invoked
by smbmount(8). It should not be invoked directly by users. smbmount searches the normal PATH for smbmnt. You must ensure
- that the smbmnt version in your path matches the smbmount used. mount the filesystem read-only
+ that the smbmnt version in your path matches the smbmount used. mount the filesystem read-only
specify the uid that the files will
be owned by specify the gid that the files will be
owned by specify the octal file mask applied
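Review bot: this hunk again runs three files together: the long "-" line ends with "smbgetrc — configuration file for smbget" (start of smbgetrc.5.html) and the "+" line "Password to use when logging in. ... Number of bytes to put in a block. smbmnt — helper utility for mounting SMB filesystems" runs into smbmnt.8.html, with no "diff -u -r", "---" or "+++" headers for either file; regenerate the patch so each file has its header. In the smbget option text, "wget-like utility for download files" should be "for downloading files", "Write the file that is being download" should be "being downloaded", and "overriden" should be "overridden". The smbgetrc section documents a "password" key in $HOME/.smbgetrc and should state that the file must not be readable by other users, and the smbmnt text "smbmnt can be installed setuid root" is the right place to keep the following restriction ("only allow mounts on directories owned by the user, and that the user has write permission on") adjacent, as it is here, since that restriction is what makes the setuid install defensible.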
@@ -13,7 +13,7 @@
list of options that are passed as-is to smbfs, if this
command is run on a 2.4 or higher Linux kernel.
Print a summary of command line options.
- Volker Lendecke, Andrew Tridgell, Michael H. Warfield
and others. The current maintainer of smbfs and the userspace
tools smbmount, smbumount,
and smbmnt is Urban Widmark.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbmount.8.html samba-3.0.23/docs/htmldocs/manpages/smbmount.8.html
--- samba-3.0.22/docs/htmldocs/manpages/smbmount.8.html 2006-01-29 10:16:42.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbmount.8.html 2006-07-06 05:18:03.000000000 -0500
@@ -1,4 +1,4 @@
- smbmount — mount an smbfs filesystem smbmount mounts a Linux SMB filesystem. It
+ smbmount — mount an smbfs filesystem smbmount mounts a Linux SMB filesystem. It
is usually invoked as mount.smbfs by
the mount(8) command when using the
"-t smbfs" option. This command only works in Linux, and the kernel must
@@ -13,7 +13,7 @@
smbmount process may also be called mount.smbfs. smbmount
calls smbmnt(8) to do the actual mount. You
must make sure that smbmnt is in the path so
- that it can be found.
specifies the username to connect as. If this is not given, then the environment variable The variable The variable
File systems that have been mounted using the smbmount
can be unmounted using the smbumount or the UNIX system
umount command.
- Passwords and other options containing , can not be handled.
For passwords an alternative way of passing them is in a credentials
file or in the PASSWD environment. The credentials file does not handle usernames or passwords with
leading space. One smbfs bug is important enough to mention here, even if it
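Review bot: the "-" line "Passwords and other options containing , can not be handled." has no visible "+" counterpart in this hunk, and the next lines still rely on it ("For passwords an alternative way of passing them is in a credentials file or in the PASSWD environment"). Confirm the limitation is only reflowed, not removed; without it a reader will not know why a comma in a password silently breaks the mount. The same applies to the "-" line "that it can be found." earlier in the hunk.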
@@ -95,9 +95,9 @@
trigger this bug are known. Note that the typical response to a bug report is suggestion
to try the latest version first. So please try doing that first,
and always include which versions you use of relevant software
- when reporting bugs (minimum: samba, kernel, distribution) Documentation/filesystems/smbfs.txt in the linux kernel
+ when reporting bugs (minimum: samba, kernel, distribution) Documentation/filesystems/smbfs.txt in the linux kernel
source tree may contain additional options and information. FreeBSD also has a smbfs, but it is not related to smbmount For Solaris, HP-UX and others you may want to look at smbsh(1) or at other solutions, such as
- Sharity or perhaps replacing the SMB server with a NFS server. Volker Lendecke, Andrew Tridgell, Michael H. Warfield
+ Sharity or perhaps replacing the SMB server with a NFS server. Volker Lendecke, Andrew Tridgell, Michael H. Warfield
and others. The current maintainer of smbfs and the userspace
tools smbmount, smbumount,
and smbmnt is Urban Widmark.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbpasswd.5.html samba-3.0.23/docs/htmldocs/manpages/smbpasswd.5.html
--- samba-3.0.22/docs/htmldocs/manpages/smbpasswd.5.html 2006-01-29 10:16:45.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbpasswd.5.html 2006-07-06 05:18:04.000000000 -0500
@@ -1,8 +1,8 @@
- smbpasswd — The Samba encrypted password file This tool is part of the samba(7) suite. smbpasswd is the Samba encrypted password file. It contains
+ smbpasswd — The Samba encrypted password file This tool is part of the samba(7) suite. smbpasswd is the Samba encrypted password file. It contains
the username, Unix user id and the SMB hashed passwords of the
user, as well as account flag information and the time the
password was last changed. This file format has been evolving with
- Samba and has had several different formats in the past. The format of the smbpasswd file used by Samba 2.2
+ Samba and has had several different formats in the past. The format of the smbpasswd file used by Samba 2.2
is very similar to the familiar Unix All other colon separated fields are ignored at this time. All other colon separated fields are ignored at this time. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbpasswd.8.html samba-3.0.23/docs/htmldocs/manpages/smbpasswd.8.html
--- samba-3.0.22/docs/htmldocs/manpages/smbpasswd.8.html 2006-01-29 10:16:48.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbpasswd.8.html 2006-07-06 05:18:05.000000000 -0500
@@ -1,4 +1,4 @@
- smbpasswd — change a user's SMB password This tool is part of the samba(7) suite. The smbpasswd program has several different
+ smbpasswd — change a user's SMB password This tool is part of the samba(7) suite. The smbpasswd program has several different
functions, depending on whether it is run by the root user
or not. When run as a normal user it allows the user to change
the password used for their SMB sessions on any machines that store
@@ -25,7 +25,7 @@
the attributes of the user in this file to be made. When run by root,
smbpasswd accesses the local smbpasswd file
directly, thus enabling changes to be made even if smbd is not
- running.
+ running.
This option specifies that the username following should be added to the local smbpasswd file, with the new
password typed (type <Enter> for the old password). This option is ignored if the username following
already exists in the smbpasswd file and it is treated like a regular change password command. Note that the
@@ -128,11 +128,21 @@
is to aid people writing scripts to drive smbpasswd This parameter is only available if Samba
has been compiled with LDAP support. The NOTE: This option is same as "-w"
+ except that the password should be entered using stdin.
+ This parameter is only available if Samba
+ has been compiled with LDAP support. The This option tells smbpasswd that the account
being changed is an interdomain trust account. Currently this is used
when Samba is being used as an NT Primary Domain Controller.
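Review bot: the new option text "NOTE: This option is same as "-w" except that the password should be entered using stdin." should read "is the same as "-w"", and it should say why the stdin variant exists: a password given as a "-w" argument is visible to other users in the process list for the lifetime of the command, whereas one read from stdin is not. Naming that motivation is what will make people writing scripts choose the new option.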
@@ -141,7 +151,7 @@
root only options to operate on. Only root
can specify this parameter as only root has the permission needed
to modify attributes directly in the local smbpasswd file.
- Since smbpasswd works in client-server
mode communicating with a local smbd for a non-root user then
the smbd daemon must be running for this to work. A common problem
is to add a restriction to the hosts that may access the
@@ -149,7 +159,7 @@
hosts or In addition, the smbpasswd command is only useful if Samba
- has been set up to use encrypted passwords. The original Samba software and related utilities
+ has been set up to use encrypted passwords. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbsh.1.html samba-3.0.23/docs/htmldocs/manpages/smbsh.1.html
--- samba-3.0.22/docs/htmldocs/manpages/smbsh.1.html 2006-01-29 10:16:50.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbsh.1.html 2006-07-06 05:18:06.000000000 -0500
@@ -1,9 +1,9 @@
smbsh — Allows access to remote SMB shares
- using UNIX commands This tool is part of the samba(7) suite. smbsh allows you to access an NT filesystem
+ using UNIX commands This tool is part of the samba(7) suite. smbsh allows you to access an NT filesystem
using UNIX commands such as ls,
egrep, and rcp. You must use a
shell that is dynamically linked in order for smbsh
- to work correctly. Override the default workgroup specified in the
+ to work correctly. Override the default workgroup specified in the
workgroup parameter of the smb.conf(5) file
for this session. This may be needed to connect to some
servers. Sets the SMB username or username and password.
@@ -33,7 +33,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the This option is used to determine what naming
services and in what order to resolve
host names to IP addresses. The option takes a space-separated
@@ -66,13 +66,13 @@
being on a locally connected subnet.
If this parameter is not set then the name resolve order
defined in the The default order is lmhosts, host, wins, bcast. Without
-this parameter or any entry in the parameter of the This parameter specifies the location of the
shared libraries used by smbsh. The default
value is specified at compile time.
- To use the smbsh command, execute
smbsh from the prompt and enter the username and password
that authenticates you to the machine running the Windows NT
operating system.
@@ -89,14 +89,14 @@
ls /smb/MYGROUP/<machine-name> will show the share
names for that machine. You could then, for example, use the
cd command to change directories, vi to
- edit files, and rcp to copy files. smbsh works by intercepting the standard
libc calls with the dynamically loaded versions in Programs which are not dynamically linked cannot make
use of smbsh's functionality. Most versions
of UNIX have a file command that will
- describe how a program was linked. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbspool.8.html samba-3.0.23/docs/htmldocs/manpages/smbspool.8.html
--- samba-3.0.22/docs/htmldocs/manpages/smbspool.8.html 2006-01-29 10:16:53.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbspool.8.html 2006-07-06 05:18:07.000000000 -0500
@@ -1,4 +1,4 @@
- smbspool — send a print file to an SMB printer This tool is part of the samba(7) suite. smbspool is a very small print spooling program that
+ smbspool — send a print file to an SMB printer This tool is part of the samba(7) suite. smbspool is a very small print spooling program that
sends a print file to an SMB printer. The command-line arguments
are position-dependent for compatibility with the Common UNIX
Printing System, but you can use smbspool with any printing system
@@ -10,7 +10,7 @@
or argv[1] if that is not the case. Programs using the exec(2) functions can
pass the URI in argv[0], while shell scripts must set the
The job argument (argv[1]) contains the
+ running smbspool. The job argument (argv[1]) contains the
job ID number and is presently not used by smbspool.
The user argument (argv[2]) contains the
print user's name and is presently not used by smbspool.
@@ -23,7 +23,7 @@
the print options in a single string and is currently
not used by smbspool. The filename argument (argv[6]) contains the
name of the file to print. If this argument is not specified
- then the print file is read from the standard input. smbspool was written by Michael Sweet
at Easy Software Products. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbstatus.1.html samba-3.0.23/docs/htmldocs/manpages/smbstatus.1.html
--- samba-3.0.22/docs/htmldocs/manpages/smbstatus.1.html 2006-01-29 10:16:55.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbstatus.1.html 2006-07-06 05:18:08.000000000 -0500
@@ -1,5 +1,5 @@
- smbstatus — report on current Samba connections This tool is part of the samba(7) suite. smbstatus is a very simple program to
- list the current Samba connections. If samba has been compiled with the
+ smbstatus — report on current Samba connections This tool is part of the samba(7) suite. smbstatus is a very simple program to
+ list the current Samba connections. If samba has been compiled with the
profiling option, print only the contents of the profiling
shared memory area. gives brief output. Prints the program version number.
The file specified contains the
@@ -21,15 +21,15 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
gives verbose output. causes smbstatus to only list locks. causes smbstatus to include byte range locks.
print a list of smbd(8) processes and exit.
Useful for scripting. causes smbstatus to only list shares. Print a summary of command line options.
- selects information relevant to The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
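Review bot: the option description "- selects information relevant to" is removed at the end of this hunk with no + replacement visible, so the option that filters smbstatus output is left undocumented in the new text unless it has moved. Please confirm it still appears; if the line was only re-tagged, the replacement + line should be present in the hunk. The other +/- pairs here ("override the parameter") carry identical text and only change markup.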
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbtar.1.html samba-3.0.23/docs/htmldocs/manpages/smbtar.1.html
--- samba-3.0.22/docs/htmldocs/manpages/smbtar.1.html 2006-01-29 10:16:57.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbtar.1.html 2006-07-06 05:18:09.000000000 -0500
@@ -1,6 +1,6 @@
smbtar — shell script for backing up SMB/CIFS shares
- directly to UNIX tape drives This tool is part of the samba(7) suite. smbtar is a very small shell script on top
- of smbclient(1) which dumps SMB shares directly to tape. The SMB/CIFS server that the share resides
+ directly to UNIX tape drives This tool is part of the samba(7) suite. smbtar is a very small shell script on top
+ of smbclient(1) which dumps SMB shares directly to tape. The SMB/CIFS server that the share resides
upon. The share name on the server to connect to.
The default is "backup". Exclude mode. Exclude filenames... from tar
create or restore. Change to initial Restore. Files are restored to the share
from the tar file. Log (debug) level. Corresponds to the
- The Sites that are more careful about security may not like
the way the script handles PC passwords. Backup and restore work
on entire shares; should work on file lists. smbtar works best
- with GNU tar and may not work well with other versions. The original Samba software and related utilities
+ with GNU tar and may not work well with other versions. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. Ricky Poulten
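Review bot: the security caveat in the BUGS section is removed: "- The Sites that are more careful about security may not like" is deleted while the following context "the way the script handles PC passwords." is kept, which leaves a sentence fragment and drops the only warning about password handling in this script. Either keep the sentence (fixing "The Sites" to "Sites") or replace it with a concrete statement of what the script does with the share password, so administrators can judge the exposure rather than lose the hint entirely.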
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/smbtree.1.html samba-3.0.23/docs/htmldocs/manpages/smbtree.1.html
--- samba-3.0.22/docs/htmldocs/manpages/smbtree.1.html 2006-01-29 10:16:59.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/smbtree.1.html 2006-07-06 05:18:10.000000000 -0500
@@ -1,10 +1,10 @@
smbtree — A text based smb network browser
- This tool is part of the samba(7) suite. smbtree is a smb browser program
in text mode. It is similar to the "Network Neighborhood" found
on Windows computers. It prints a tree with all
the known domains, the servers in those domains and
the shares on the servers.
- Query network nodes by sending requests
+ Query network nodes by sending requests
as broadcasts instead of querying the local master browser.
Only print a list of all
the domains known on broadcast or by the
@@ -31,7 +31,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
Print a summary of command line options.
- smbumount — smbfs umount for normal users With this program, normal users can unmount smb-filesystems,
+ smbumount — smbfs umount for normal users With this program, normal users can unmount smb-filesystems,
provided that it is suid root. smbumount has
been written to give normal Linux users more control over their
resources. It is safe to install this program suid root, because only
the user who has mounted a filesystem is allowed to unmount it again.
For root it is not necessary to use smbumount. The normal umount
- program works perfectly well. Volker Lendecke, Andrew Tridgell, Michael H. Warfield
and others. The current maintainer of smbfs and the userspace
tools smbmount, smbumount,
and smbmnt is Urban Widmark.
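Review bot: the re-emitted smbumount text at the end of this hunk states "It is safe to install this program suid root, because only the user who has mounted a filesystem is allowed to unmount it again." A blanket safety claim is too strong for any setuid-root binary; say instead that the program is intended to be installed setuid root and that it enforces that only the mounting user may unmount, and keep the following advice that root should use the normal umount program. The smbtree lines above ("override the parameter") only change markup.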
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/swat.8.html samba-3.0.23/docs/htmldocs/manpages/swat.8.html
--- samba-3.0.22/docs/htmldocs/manpages/swat.8.html 2006-01-29 10:17:04.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/swat.8.html 2006-07-06 05:18:13.000000000 -0500
@@ -1,8 +1,8 @@
- swat — Samba Web Administration Tool This tool is part of the samba(7) suite. swat allows a Samba administrator to
+ swat — Samba Web Administration Tool This tool is part of the samba(7) suite. swat allows a Samba administrator to
configure the complex smb.conf(5) file via a Web browser. In addition,
a swat configuration page has help links
to all the configurable options in the swat is run from inetd The default configuration file path is
+ administrator to easily look up the effects of any change. swat is run from inetd The default configuration file path is
determined at compile time. The file specified contains
the configuration details required by the smbd(8) server. This is the file
that swat will modify.
@@ -36,19 +36,19 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
Print a summary of command line options.
- Swat is included as binary package with most distributions. The
package manager in this case takes care of the installation and
configuration. This section is only for those who have compiled
swat from scratch.
After you compile SWAT you need to run make install
to install the swat binary
and the various help files and images. A default install would put
- these in: /usr/local/samba/sbin/swat /usr/local/samba/swat/images/* /usr/local/samba/swat/help/* You need to edit your /usr/local/samba/sbin/swat /usr/local/samba/swat/images/* /usr/local/samba/swat/help/* You need to edit your In swat 901/tcp Note for NIS/YP and LDAP users - you may need to rebuild the
@@ -62,21 +62,21 @@
/usr/local/samba/sbin/swat swat Once you have edited To launch SWAT just run your favorite web browser and
point it at "http://localhost:901/". Note that you can attach to SWAT from any IP connected
machine but connecting from a remote machine leaves your
connection open to password sniffing as passwords will be sent
- in the clear over the wire. This file must contain suitable startup
+ in the clear over the wire. This file must contain suitable startup
information for the meta-daemon. This file must contain a mapping of service name
(e.g., swat) to service port (e.g., 901) and protocol type
(e.g., tcp). This is the default location of the smb.conf(5) server configuration file that swat edits. Other
common places that systems install this file are swat will rewrite your smb.conf(5) file. It will rearrange the entries and delete all
+ is to make available to clients. swat will rewrite your smb.conf(5) file. It will rearrange the entries and delete all
comments, The original Samba software and related utilities
+ smb.conf then back it up or don't use swat! The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
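Review bot: the cleartext credential warning survives only as a passing "Note that": "connecting from a remote machine leaves your connection open to password sniffing as passwords will be sent in the clear over the wire." Since the same hunk tells the reader to point a browser at "http://localhost:901/", make the guidance explicit: use swat from the local machine only and do not expose port 901 beyond it. Likewise the + line "smb.conf then back it up or don't use swat!" documents that swat rewrites smb.conf and deletes all comments; that belongs in its own warning paragraph rather than a trailing clause.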
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/tdbbackup.8.html samba-3.0.23/docs/htmldocs/manpages/tdbbackup.8.html
--- samba-3.0.22/docs/htmldocs/manpages/tdbbackup.8.html 2006-01-29 10:17:07.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/tdbbackup.8.html 2006-07-06 05:18:14.000000000 -0500
@@ -1,8 +1,8 @@
- tdbbackup — tool for backing up and for validating the integrity of samba .tdb files This tool is part of the samba(1) suite. tdbbackup is a tool that may be used to backup samba .tdb
+ tdbbackup — tool for backing up and for validating the integrity of samba .tdb files This tool is part of the samba(1) suite. tdbbackup is a tool that may be used to backup samba .tdb
files. This tool may also be used to verify the integrity of the .tdb files prior
to samba startup or during normal operation. If it finds file damage and it finds
a prior backup the backup file will be restored.
-
+ GENERAL INFORMATION
The tdbbackup utility can safely be run at any time. It was designed so
that it can be used at any time to validate the integrity of tdb files, even during Samba
operation. Typical usage for the command will be:
@@ -29,7 +29,7 @@
*.tdb located in the /usr/local/samba/var directory or on some
systems in the /var/cache or /var/lib/samba directories.
-
The original Samba software and related utilities were created by Andrew Tridgell.
Samba is now developed by the Samba Team as an Open Source project similar to the way
the Linux kernel is developed.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/tdbdump.8.html samba-3.0.23/docs/htmldocs/manpages/tdbdump.8.html
--- samba-3.0.22/docs/htmldocs/manpages/tdbdump.8.html 2006-01-29 10:17:09.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/tdbdump.8.html 2006-07-06 05:18:15.000000000 -0500
@@ -1,9 +1,9 @@
- tdbdump — tool for printing the contents of a TDB file This tool is part of the samba(1) suite. tdbdump is a very simple utility that 'dumps' the
+ tdbdump — tool for printing the contents of a TDB file This tool is part of the samba(1) suite. tdbdump is a very simple utility that 'dumps' the
contents of a TDB (Trivial DataBase) file to standard output in a
human-readable format.
This tool can be used when debugging problems with TDB files. It is
intended for those who are somewhat familiar with Samba internals.
-
The original Samba software and related utilities were created by Andrew Tridgell.
Samba is now developed by the Samba Team as an Open Source project similar to the way
the Linux kernel is developed.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/testparm.1.html samba-3.0.23/docs/htmldocs/manpages/testparm.1.html
--- samba-3.0.22/docs/htmldocs/manpages/testparm.1.html 2006-01-29 10:17:11.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/testparm.1.html 2006-07-06 05:18:16.000000000 -0500
@@ -1,5 +1,5 @@
testparm — check an smb.conf configuration file for
- internal correctness This tool is part of the samba(7) suite. testparm is a very simple test program
+ internal correctness This tool is part of the samba(7) suite. testparm is a very simple test program
to check an smbd(8) configuration file for
internal correctness. If this program reports no problems, you
can use the configuration file with confidence that smbd
@@ -11,7 +11,7 @@
has access to each service. If testparm finds an error in the Without this option, testparm
+ to test the output from testparm. Without this option, testparm
will prompt for a carriage return after printing the service
names and before dumping the service definitions. Print a summary of command line options.
Prints the program version number.
@@ -20,6 +20,15 @@
%L macro. If this option is specified, testparm
will also output all options that were not used in smb.conf(5) and are thus set to their defaults.
Output data in specified encoding.
+
+ Dumps the named parameter. If no section-name is set the view
+ is limited by default to the global section.
+
+ It is also possible to dump a parametrical option. Therfore
+ the option has to be separated by a colon from the
+ parametername.
+
+ Dumps the named section.
This is the name of the configuration file
to check. If this parameter is not present then the
default smb.conf(5) file will be checked.
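Review bot: wording in the newly added option text: "Therfore the option has to be separated by a colon from the parametername." is misspelled and misuses "therefore", since the sentence explains how to do something, not a consequence. Suggest: "To do so, separate the option from the parameter name with a colon." The preceding + line "If no section-name is set the view is limited by default to the global section." should also state which option supplies the section name, so the two new options read as a pair.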
@@ -32,14 +41,14 @@
this parameter is supplied, the hostIP parameter must also
be supplied. This is the IP address of the host specified
in the previous parameter. This address must be supplied
- if the hostname parameter is supplied. This is usually the name of the configuration
+ if the hostname parameter is supplied. The program will issue a message saying whether the
configuration file loaded OK or not. This message may be preceded by
errors and warnings if the file did not load. If the file was
loaded OK, the program then dumps all known service details
- to stdout. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. The original Samba man pages were written by Karl Auer.
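Review bot: the - line "if the hostname parameter is supplied. This is usually the name of the configuration" loses its trailing sentence in the + replacement, which jumps straight to "The program will issue a message saying whether the configuration file loaded OK or not." If that fragment was the FILES entry for smb.conf, confirm it still appears elsewhere on the page rather than being dropped.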
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/umount.cifs.8.html samba-3.0.23/docs/htmldocs/manpages/umount.cifs.8.html
--- samba-3.0.22/docs/htmldocs/manpages/umount.cifs.8.html 2006-01-29 10:17:13.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/umount.cifs.8.html 2006-07-06 05:18:17.000000000 -0500
@@ -1,4 +1,4 @@
- umount.cifs — for normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts This tool is part of the samba(7) suite. umount.cifs unmounts a Linux CIFS filesystem. It can be invoked
+ umount.cifs — for normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts This tool is part of the samba(7) suite. umount.cifs unmounts a Linux CIFS filesystem. It can be invoked
indirectly by the
umount(8) command
when umount.cifs is in /sbin directory, unless you specify the "-i" option to umount. Specifying -i to umount avoids execution of umount helpers such as umount.cifs. The umount.cifs command only works in Linux, and the kernel must
@@ -11,24 +11,24 @@
It is possible to set the mode for umount.cifs to
setuid root (or equivalently update the /etc/permissions file) to allow non-root users to umount shares to directories for which they have write permission. The umount.cifs utility is typically
not needed if unmounts need only be performed by root users, or if user mounts and unmounts
-can rely on specifying explicit entries in /etc/fstab See print additional debugging information Do not update the mtab even if unmount completes successfully (/proc/mounts will still display the correct information) This command is normally intended to be installed setuid (since root users can already run unmount). An alternative to using umount.cifs is to add specfic entries for the user mounts that you wish a particular user or users to mount and unmount to /etc/fstab print additional debugging information Do not update the mtab even if unmount completes successfully (/proc/mounts will still display the correct information) This command is normally intended to be installed setuid (since root users can already run unmount). An alternative to using umount.cifs is to add specfic entries for the user mounts that you wish a particular user or users to mount and unmount to /etc/fstab
The primary mechanism for making configuration changes and for reading
debug information for the cifs vfs is via the Linux /proc filesystem.
In the directory At this time umount.cifs does not lock the mount table using the same lock as the umount utility does, so do not attempt to do multiple unmounts from different processes (and in particular unmounts of a cifs mount and another type of filesystem mount at the same time).
+ At this time umount.cifs does not lock the mount table using the same lock as the umount utility does, so do not attempt to do multiple unmounts from different processes (and in particular unmounts of a cifs mount and another type of filesystem mount at the same time).
If the same mount point is mounted multiple times by cifs, umount.cifs will remove all of the matching entries from the mount table (although umount.cifs will actually only unmount the last one), rather than only removing the last matching entry in /etc/mtab. The pseudofile /proc/mounts will display correct information though, and the lack of an entry in /etc/mtab does not prevent subsequent unmounts.
Note that the typical response to a bug report is a suggestion
to try the latest version first. So please try doing that first,
and always include which versions you use of relevant software
when reporting bugs (minimum: umount.cifs (try umount.cifs -V), kernel (see /proc/version) and
server type you are trying to contact.
- This man page is correct for version 1.34 of
- the cifs vfs filesystem (roughly Linux kernel 2.6.12). This man page is correct for version 1.34 of
+ the cifs vfs filesystem (roughly Linux kernel 2.6.12).
Documentation/filesystems/cifs.txt and fs/cifs/README in the linux kernel
source tree may contain additional options and information.
- Steve French The syntax was loosely based on the umount utility and the manpage was loosely based on that of mount.cifs.8. The man page was created by Steve French The maintainer of the Linux cifs vfs and the userspace
+ Steve French The syntax was loosely based on the umount utility and the manpage was loosely based on that of mount.cifs.8. The man page was created by Steve French The maintainer of the Linux cifs vfs and the userspace
tool umount.cifs is Steve French.
The Linux CIFS Mailing list
is the preferred place to ask questions regarding these programs.
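Review bot: the setuid recommendation and the known mount-table caveats sit apart in this hunk and should be joined. The -/+ lines say "This command is normally intended to be installed setuid", while the later context admits that "umount.cifs does not lock the mount table using the same lock as the umount utility does" and that it "will remove all of the matching entries from the mount table (although umount.cifs will actually only unmount the last one)". For a setuid-root helper that edits /etc/mtab those limitations are a security consideration and belong next to the setuid advice, with the alternative the page already names (explicit /etc/fstab entries for user mounts) presented as the safer default. Separately, "This man page is correct for version 1.34 of the cifs vfs filesystem (roughly Linux kernel 2.6.12)" is re-emitted unchanged; verify it still holds for this release or update it.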
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/vfstest.1.html samba-3.0.23/docs/htmldocs/manpages/vfstest.1.html
--- samba-3.0.22/docs/htmldocs/manpages/vfstest.1.html 2006-01-29 10:17:16.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/vfstest.1.html 2006-07-06 05:18:18.000000000 -0500
@@ -1,8 +1,8 @@
- vfstest — tool for testing samba VFS modules This tool is part of the samba(7) suite. vfstest is a small command line
+ vfstest — tool for testing samba VFS modules This tool is part of the samba(7) suite. vfstest is a small command line
utility that has the ability to test dso samba VFS modules. It gives the
user the ability to call the various VFS functions manually and
supports cascaded VFS modules.
- Execute the specified (colon-separated) commands.
+ Execute the specified (colon-separated) commands.
See below for the commands that are available.
Print a summary of command line options.
File name for log/debug files. The extension
@@ -28,14 +28,14 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
VFS COMMANDS load <module.so> - Load specified VFS module populate <char> <size> - Populate a data buffer with the specified data
+ VFS COMMANDS load <module.so> - Load specified VFS module populate <char> <size> - Populate a data buffer with the specified data
showdata [<offset> <len>] - Show data currently in data buffer
- connect - VFS connect() disconnect - VFS disconnect() disk_free - VFS disk_free() opendir - VFS opendir() readdir - VFS readdir() mkdir - VFS mkdir() rmdir - VFS rmdir() closedir - VFS closedir() open - VFS open() close - VFS close() read - VFS read() write - VFS write() lseek - VFS lseek() rename - VFS rename() fsync - VFS fsync() stat - VFS stat() fstat - VFS fstat() lstat - VFS lstat() unlink - VFS unlink() chmod - VFS chmod() fchmod - VFS fchmod() chown - VFS chown() fchown - VFS fchown() chdir - VFS chdir() getwd - VFS getwd() utime - VFS utime() ftruncate - VFS ftruncate() lock - VFS lock() symlink - VFS symlink() readlink - VFS readlink() link - VFS link() mknod - VFS mknod() realpath - VFS realpath() GENERAL COMMANDS conf <smb.conf> - Load a different configuration file help [<command>] - Get list of commands or info about specified command debuglevel <level> - Set debug level freemem - Free memory currently in use exit - Exit vfstest The original Samba software and related utilities
+ connect - VFS connect() disconnect - VFS disconnect() disk_free - VFS disk_free() opendir - VFS opendir() readdir - VFS readdir() mkdir - VFS mkdir() rmdir - VFS rmdir() closedir - VFS closedir() open - VFS open() close - VFS close() read - VFS read() write - VFS write() lseek - VFS lseek() rename - VFS rename() fsync - VFS fsync() stat - VFS stat() fstat - VFS fstat() lstat - VFS lstat() unlink - VFS unlink() chmod - VFS chmod() fchmod - VFS fchmod() chown - VFS chown() fchown - VFS fchown() chdir - VFS chdir() getwd - VFS getwd() utime - VFS utime() ftruncate - VFS ftruncate() lock - VFS lock() symlink - VFS symlink() readlink - VFS readlink() link - VFS link() mknod - VFS mknod() realpath - VFS realpath() GENERAL COMMANDS conf <smb.conf> - Load a different configuration file help [<command>] - Get list of commands or info about specified command debuglevel <level> - Set debug level freemem - Free memory currently in use exit - Exit vfstest wbinfo — Query information from winbind daemon This tool is part of the samba(7) suite. The wbinfo program queries and returns information
+ wbinfo — Query information from winbind daemon This tool is part of the samba(7) suite. The wbinfo program queries and returns information
created and used by the winbindd(8) daemon. The winbindd(8) daemon must be configured
and running for the wbinfo program to be able
- to return information. Attempt to authenticate a user via winbindd.
+ to return information. Attempt to authenticate a user via winbindd.
This checks both authenticaion methods and reports its results.
Do not be tempted to use this
functionality for authentication in third-party
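Review bot: typo in the wbinfo text at the end of this hunk: "This checks both authenticaion methods" should read "authentication". The warning that follows, "Do not be tempted to use this functionality for authentication in third-party", should also say what to use instead; the winbindd page in this same patch names pam_winbind.so and ntlm_auth as the supported authentication paths, so point to them here. The vfstest lines above only change markup.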
@@ -74,10 +74,10 @@
does not correspond to a UNIX group mapped by winbindd(8) then
the operation will fail. Prints the program version number.
Print a summary of command line options.
- The wbinfo program returns 0 if the operation
succeeded, or 1 if the operation failed. If the winbindd(8) daemon is not working wbinfo will always return
- failure. The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. wbinfo and winbindd
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/manpages/winbindd.8.html samba-3.0.23/docs/htmldocs/manpages/winbindd.8.html
--- samba-3.0.22/docs/htmldocs/manpages/winbindd.8.html 2006-01-29 10:17:21.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/manpages/winbindd.8.html 2006-07-06 05:18:20.000000000 -0500
@@ -1,13 +1,13 @@
winbindd — Name Service Switch daemon for resolving names
- from NT servers This program is part of the samba(7) suite. winbindd is a daemon that provides
+ from NT servers This program is part of the samba(7) suite. winbindd is a daemon that provides
a number of services to the Name Service Switch capability found
in most modern C libraries, to arbitary applications via PAM
and ntlm_auth and to Samba itself. Even if winbind is not used for nsswitch, it still provides a
service to smbd, ntlm_auth
and the pam_winbind.so PAM module, by managing connections to
domain controllers. In this configuraiton the
- idmap uid and
- idmap gid
+ idmap uid and
+ idmap gid
parameters are not required. (This is known as `netlogon proxy only mode'.) The Name Service Switch allows user
and system information to be obtained from different databases
services such as NIS or DNS. The exact behaviour can be configured
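Review bot: spelling in the context lines of this hunk: "arbitary" should be "arbitrary" and "configuraiton" should be "configuration". Since the + lines already re-tag "idmap uid" and "idmap gid" in the same paragraph, fix the typos in the same change. The netlogon proxy only mode description itself reads correctly.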
@@ -52,7 +52,7 @@
resolve hostnames from If specified, this parameter causes
+ If specified, this parameter causes
the main winbindd process to not daemonize,
i.e. double-fork and disassociate with the terminal.
Child processes are still created as normal to service
@@ -84,7 +84,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. Note that specifying this parameter here will
-override the parameter
+override the parameter
in the Base directory name for log/debug files. The extension
Users and groups on a Windows NT server are assigned
a security id (SID) which is globally unique when the
user or group is created. To convert the Windows NT user or group
into a unix user or group, a mapping between SIDs and unix user
@@ -120,21 +120,21 @@
where the user and group mappings are stored by winbindd. If this
file is deleted or corrupted, there is no way for winbindd to
determine which user and group ids correspond to Windows NT user
- and group rids. See the parameter in
+ and group rids. See the parameter in
Configuration of the winbindd daemon
is done through configuration parameters in the smb.conf(5) file. All parameters should be specified in the
[global] section of smb.conf.
To setup winbindd for user and group lookups plus
authentication from a domain controller use something like the
following setup. This was tested on an early Red Hat Linux box.
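Review bot: the paragraph "If this file is deleted or corrupted, there is no way for winbindd to determine which user and group ids correspond to Windows NT user and group rids" states a data-loss risk without saying how to guard against it. If the mapping store is a tdb file (its name is not visible in this hunk), cross-reference tdbbackup(8), which this same patch describes as the tool for backing up and validating samba .tdb files, so the FILES entry tells the administrator to back it up. Also "See the parameter in" is left incomplete; make sure the parameter name is actually rendered.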
@@ -185,15 +185,15 @@
and that you can login to your unix box as a domain user, using
the DOMAIN+user syntax for the username. You may wish to use the
commands getent passwd and getent group
- to confirm the correct operation of winbindd. The following notes are useful when configuring and
+ to confirm the correct operation of winbindd. The following notes are useful when configuring and
running winbindd: nmbd(8) must be running on the local machine
for winbindd to work. PAM is really easy to misconfigure. Make sure you know what
you are doing when modifying PAM configuration files. It is possible
to set up PAM such that you can no longer log into your system. If more than one UNIX machine is running winbindd,
then in general the user and groups ids allocated by winbindd will not
be the same. The user and group ids will only be valid for the local
- machine, unless a shared is configured. If the the Windows NT SID to UNIX user and group id mapping
- file is damaged or destroyed then the mappings will be lost. The following signals can be used to manipulate the
+ machine, unless a shared is configured. If the the Windows NT SID to UNIX user and group id mapping
+ file is damaged or destroyed then the mappings will be lost. The following signals can be used to manipulate the
winbindd daemon. Reload the smb.conf(5) file and
apply any parameter changes to the running
version of winbindd. This signal also clears any cached
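Review bot: duplicated word in the + line: "If the the Windows NT SID to UNIX user and group id mapping" should be "If the Windows NT SID". While here, fix "the user and groups ids" to "group ids" in the context above, and note that "unless a shared is configured" is missing the name of the thing being shared; confirm that parameter name is rendered, since without it the sentence is meaningless.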
@@ -201,7 +201,7 @@
by winbindd is also reloaded. The SIGUSR2 signal will cause
winbindd to write status information to the winbind
log file. Log files are stored in the filename specified by the
- log file parameter. Name service switch configuration file. The UNIX pipe over which clients communicate with
+ log file parameter. Name service switch configuration file. The UNIX pipe over which clients communicate with
the winbindd program. For security reasons, the
winbind client will only attempt to connect to the winbindd daemon
if both the Storage for cached user and group information.
- The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed. wbinfo and winbindd were
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/Samba3-ByExample/2000users.html samba-3.0.23/docs/htmldocs/Samba3-ByExample/2000users.html
--- samba-3.0.22/docs/htmldocs/Samba3-ByExample/2000users.html 2006-01-29 10:18:12.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/Samba3-ByExample/2000users.html 2006-07-06 05:19:06.000000000 -0500
@@ -1,4 +1,4 @@
- Table of Contents
+ Table of Contents
There is something indeed mystical about things that are
big. Large networks exhibit a certain magnetism and exude a sense of
importance that obscures reality. You and I know that it is no more
@@ -30,7 +30,7 @@
Samba are largely under control. So in this section you focus on the
specifics of implementing LDAP changes, Samba changes, and approach and
design of the solution and its deployment.
-
+
Abmas is a miracle company. Most businesses would have collapsed under
the weight of rapid expansion that this company has experienced. Samba
is flexible, so there is no need to reinstall the whole operating
@@ -39,19 +39,19 @@
and then do a near-live conversion. There is no need to reinstall a
Samba server just to change the way your network should function.
-
+
Network growth is common to all organizations. In this exercise,
your preoccupation is with the mechanics of implementing Samba and
LDAP so that network users on each network segment can work
without impediment.
-
+
Starting with the configuration files for the server called
-
+
Remember, you have users based in London (UK), Los Angeles,
Washington. DC, and, three buildings in New York. A significant portion
of your workforce have notebook computers and roam all over the
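Review bot: two small fixes in the context of this hunk: "Washington. DC" should be "Washington, DC", and "A significant portion of your workforce have notebook computers" should read "has notebook computers". The +/- lines themselves are empty markup changes.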
@@ -72,18 +72,18 @@
You have outsourced all desktop deployment and management to
DirectPointe. Your concern is server maintenance and third-level
support. Build a plan and show what must be done.
-
+
+
In ???, you implemented an LDAP server that provided the
-
-
-
-
+
+
+
+
The implementation of an LDAP-based passdb backend (known as
ldapsam in Samba parlance), or some form of database
that can be distributed, is essential to permit the deployment of Samba
@@ -96,8 +96,8 @@
support the range of account facilities demanded by modern network
managers.
-
-
+
+
The new tdbsam facility supports functionality
that is similar to an ldapsam, but the lack of
distributed infrastructure sorely limits the scope for its
@@ -105,10 +105,10 @@
an XML-based backend, or for that matter, why not use an SQL-based
backend? Is support for these tools broken? Answers to these
questions require a bit of background.
-
-
-
-
+
+
+
+
What is a directory? A directory is a
collection of information regarding objects that can be accessed to
rapidly find information that is relevant in a particular and
@@ -116,19 +116,19 @@
generally more often searched (read) than updated. As a consequence, the
information is organized to facilitate read access rather than to
support transaction processing.
-
-
-
-
+
+
+
+
The Lightweight Directory Access Protocol (LDAP) differs
considerably from a traditional database. It has a simple search
facility that uniquely makes a highly preferred mechanism for managing
user identities. LDAP provides a scalable mechanism for distributing
the data repository and for keeping all copies (slaves) in sync with
the master repository.
-
-
-
+
+
+
Samba is a flexible and powerful file and print sharing
technology. It can use many external authentication sources and can be
part of a total authentication and identity management
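Review bot: the context sentence "It has a simple search facility that uniquely makes a highly preferred mechanism for managing user identities." is missing its object; it should read "makes it a highly preferred mechanism". The +/- lines in this hunk are empty markup changes, so this is the only wording to touch.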
@@ -136,7 +136,7 @@
are Microsoft Active Directory and LDAP. Sites that specifically wish to
avoid the proprietary implications of Microsoft Active Directory
naturally gravitate toward OpenLDAP.
-
+
In ???, you had to deal with a locally routed
network. All deployment concerns focused around making users happy,
and that simply means taking control over all network practices and
@@ -147,12 +147,12 @@
between offices. You must take into account the way users need to
access information globally. And you must make the network robust
enough so that it can sustain partial breakdown without causing loss of
-productivity.
+productivity.
There are at least three areas that need to be addressed as you
approach the challenge of designing a network solution for the newly
expanded business:
- Let's look at each in turn.
+ Let's look at each in turn.
The new company has three divisions. Staff for each division are spread across
the company. Some staff are office-bound and some are mobile users. Mobile
users travel globally. Some spend considerable periods working in other offices.
@@ -163,7 +163,7 @@
curtail user needs. Parts of the global Internet infrastructure remain shielded
off for reasons outside the scope of this discussion.
-
+
Decisions must be made regarding where data is to be stored, how it will be
replicated (if at all), and what the network bandwidth implications are. For
example, one decision that can be made is to give each office its own master
@@ -174,8 +174,8 @@
This way, they can synchronize all files that have changed since each logon
to the network.
-
-
+
+
No matter which way you look at this, the bandwidth requirements
for acceptable performance are substantial even if only 10 percent of
staff are global data users. A company with 3,500 employees,
@@ -188,11 +188,11 @@
profile involves a transfer of over 750 KB from the profile
server to and from the client.
-
+
Obviously then, user needs and wide-area practicalities dictate the economic and
technical aspects of your network design as well as for standard operating procedures.
-
+
Network logons that include roaming profile handling requires from 140 KB to 2 MB.
The inclusion of support for a minimal set of common desktop applications can push
the size of a complete profile to over 15 MB. This has substantial implications
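Review bot: subject-verb agreement in the context line "Network logons that include roaming profile handling requires from 140 KB to 2 MB": the subject is "logons", so this should read "require". The hunk changes only the blank lines around the paragraph, so the fix belongs in the source.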
@@ -200,8 +200,8 @@
determining the nature and style of mandatory profiles that may be enforced as
part of a total service-level assurance program that might be implemented.
-
-
+
+
One way to reduce the network bandwidth impact of user logon
traffic is through folder redirection. In ???, you
implemented this in the new Windows XP Professional standard
@@ -210,14 +210,14 @@
also be excluded from synchronization to and from the server on
logon or logout. Redirected folders are analogous to network drive
connections.
-
Of course, network applications should only be run off
local application servers. As a general rule, even with 2 Mb/sec
network bandwidth, it would not make sense at all for someone who
is working out of the London office to run applications off a
server that is located in New York.
-
+
When network bandwidth becomes a precious commodity (that is most
of the time), there is a significant demand to understand network
processes and to mold the limits of acceptability around the
@@ -226,15 +226,15 @@
When a Windows NT4/200x/XP Professional client user logs onto
the network, several important things must happen.
-
+
The client obtains an IP address via DHCP. (DHCP is
necessary so that users can roam between offices.)
-
-
+
+
The client must register itself with the WINS and/or DNS server.
The client must log onto a domain controller and obtain as part of
@@ -256,15 +256,15 @@
name both by broadcast and Unicast registration that is directed
at the WINS server.
-
-
+
+
Given that the client is already a domain member, it then sends
a directed (Unicast) request to the WINS server seeking the list of
IP addresses for domain controllers (NetBIOS name type 0x1C). The
WINS server replies with the information requested.
-
-
-
+
+
+
The client sends two netlogon mailslot broadcast requests
to the local network and to each of the IP addresses returned by
the WINS server. Whichever answers this request first appears to
@@ -274,9 +274,9 @@
was listed in the WINS server response to a request for the list of
domain controllers.
-
-
-
+
+
+
The logon process begins with negotiation of the SMB/CIFS
protocols that are to be used; this is followed by an exchange of
information that ultimately includes the client sending the
@@ -287,10 +287,10 @@
needs. A secondary fact we need to know is, what happens when
local domain controllers fail or break?
-
-
-
-
+
+
+
+
Under most circumstances, the nearest domain controller
responds to the netlogon mailslot broadcast. The exception to this
norm occurs when the nearest domain controller is too busy or is out
@@ -299,18 +299,18 @@
domain controllers. Since there can be only one PDC, all additional
domain controllers are by definition BDCs.
-
-
+
+
The provision of sufficient servers that are BDCs is an
important design factor. The second important design factor
involves how each of the BDCs obtains user authentication
data. That is the subject of the next section, which involves key
decisions regarding Identity Management facilities.
-
+
+
+
+
Network managers recognize that in large organizations users
generally need to be given resource access based on needs, while
being excluded from other resources for reasons of privacy. It is
@@ -319,9 +319,9 @@
by which user credentials are validated and filtered and appropriate
rights and privileges are allocated.
-
-
-
+
+
+
Unfortunately, network resources tend to have their own Identity
Management facilities, the quality and manageability of which varies
from quite poor to exceptionally good. Corporations that use a mixture
@@ -333,7 +333,7 @@
What was once called
-
+
NIS gained a strong following throughout the UNIX/VMS space in a short
period of time and retained that appeal and use for over a decade.
Security concerns and inherent limitations have caused it to enter its
@@ -343,9 +343,9 @@
demands as the demand for directory services that can be coupled with
other information systems is catching on.
-
-
-
+
+
+
Nevertheless, both NIS and NIS+ continue to hold ground in
business areas where UNIX still has major sway. Examples of
organizations that remain firmly attached to the use of NIS and
@@ -353,14 +353,14 @@
and large corporations that have a scientific or engineering
focus.
-
-
+
+
Today's networking world needs a scalable, distributed Identity
Management infrastructure, commonly called a directory. The most
popular technologies today are Microsoft Active Directory service
and a number of LDAP implementations.
-
+
The problem of managing multiple directories has become a focal
point over the past decade, creating a large market for
metadirectory products and services that allow organizations that
@@ -369,15 +369,15 @@
another. The attendant benefit to end users is the promise of
having to remember and deal with fewer login identities and
passwords.
-
+
The challenge of every large network is to find the optimum
balance of internal systems and facilities for Identity
Management resources. How well the solution is chosen and
implemented has potentially significant impact on network bandwidth
and systems response needs.
-
-
-
+
+
+
In ???, you implemented a single LDAP server for the
entire network. This may work for smaller networks, but almost
certainly fails to meet the needs of large and complex networks. The
@@ -386,8 +386,8 @@
What is the best method for implementing master/slave LDAP
servers within the context of a distributed 2,000-user network is a
question that remains to be answered.
-
-
+
+
One possibility that has great appeal is to create a single,
large distributed domain. The practical implications of this
design (see ???) demands the placement of
@@ -398,7 +398,7 @@
productivity against the cost of network management and
maintenance.
-
+
The network design in ??? takes the approach
that management of networks that are too remote to be managed
effectively from New York ought to be given a certain degree of
@@ -409,22 +409,22 @@
the ability for network users to roam globally without some compromise
in how they may access global resources.
-
+
Desk-bound users need not be negatively affected by this design, since
the use of interdomain trusts can be used to satisfy the need for global
data sharing.
-
-
-
+
+
+
When Samba-3 is configured to use an LDAP backend, it stores the domain
account information in a directory entry. This account entry contains the
domain SID. An unintended but exploitable side effect is that this makes it
possible to operate with more than one PDC on a distributed network.
-
-
-
+
+
+
How might this peculiar feature be exploited? The answer is simple. It is
imperative that each network segment have its own WINS server. Major
servers on remote network segments can be given a static WINS entry in
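Review bot: the wording "An unintended but exploitable side effect" and "How might this peculiar feature be exploited?" describes a deliberate design technique (more than one PDC sharing the same domain SID against one LDAP backend), not a weakness, yet "exploitable" reads like an advisory; suggest "usable" and "How can this feature be put to use?" so readers do not mistake it for a vulnerability. The hunk itself only shifts blank lines around these paragraphs.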
@@ -434,8 +434,8 @@
same domain SID. Since all domain account information can be stored in a
single LDAP backend, users have unfettered ability to roam.
-
-
+
+
This concept has not been exhaustively validated, though we can see no reason
why this should not work. The important facets are the following: The name of
the domain must be identical in all locations. Each network segment must have
@@ -446,10 +446,10 @@
on every network segment. Finally, the BDCs should each use failover LDAP servers
that are in fact slave LDAP servers on the local segments.
-
-
-
-
+
+
+
+
With a single master LDAP server, all network updates are effected on a single
server. In the event that this should become excessively fragile or network
bandwidth limiting, one could implement a delegated LDAP domain. This is also
@@ -463,7 +463,7 @@
administrators must of necessity follow the same standard
procedures for managing the directory, because retroactive correction of
inconsistent directory information can be exceedingly difficult.
-
As organizations grow, the number of points of control increases
also. In a large distributed organization, it is important that the
Identity Management system be capable of being updated from
@@ -471,11 +471,11 @@
become usable in a reasonable period, typically
minutes rather than days (the old limitation of highly manual
systems).
-
+
+
+
+
Samba-3 has the ability to use multiple password (authentication and
identity resolution) backends. The diagram in ???
demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system
@@ -483,13 +483,13 @@
authentication and identity resolution (obtaining a UNIX UID/GID)
using the specific systems shown.
-
-
-
-
-
-
-
+
+
+
+
+
+
+
Samba is capable of using the
-
+
Additionally, it is possible to use multiple passdb backends
concurrently as well as have multiple LDAP backends. As a result, you
can specify a failover LDAP backend. The syntax for specifying a
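Review bot: "Samba is capable of using the" and "The syntax for specifying a" end mid-sentence on both sides of the change, so the backend parameter name and its syntax, on which "As a result, you can specify a failover LDAP backend" depends, are not rendered here; the seven blank "-"/"+" lines at the top of the hunk likewise carry no text, and "The diagram in ???" is another unresolved cross-reference.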
@@ -509,8 +509,8 @@
This configuration tells Samba to use a single LDAP server, as shown in ???.
-
-
+
+
The addition of a failover LDAP server can simply be done by adding a
second entry for the failover server to the single
-
+
The effect of this style of entry is that Samba lists the users
that are in both LDAP databases. If both contain the same information,
it results in each record being shown twice. This is, of course, not the
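Review bot: the caveat "Samba lists the users that are in both LDAP databases. If both contain the same information, it results in each record being shown twice" is the point that distinguishes a failover entry from two concurrent backends, but the configuration it refers to ("adding a second entry for the failover server to the single ...") is cut off and no backend line is rendered, and the sentence is truncated at the hunk boundary. Make sure the example with the two entries survives, because without it readers cannot tell which spelling yields the double listing and which yields failover.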
@@ -553,9 +553,9 @@
It is assumed that the network you are working with follows in a
pattern similar to what was covered in ???. The following steps
permit the operation of a master/slave OpenLDAP arrangement.
- Procedure 6.1. Implementation Steps for an LDAP Slave Server Procedure 6.1. Implementation Steps for an LDAP Slave Server
+
+
Log onto the master LDAP server as
-
+
Edit the
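Review bot: the removed line carried the title "Procedure 6.1. Implementation Steps for an LDAP Slave Server" twice (itself a rendering defect), but the replacement lines are blank, so in the 3.0.23 rendering the title disappears rather than being de-duplicated; confirm it is still emitted once. The steps "Log onto the master LDAP server as" and "Edit the" end mid-sentence because the account name and file name are not rendered in this view.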
@@ -592,8 +592,8 @@
-
-
+
+
Change directory to a suitable place to dump the contents of the
LDAP server. The dump file (and LDIF file) is used to preload
the slave LDAP server database. You can dump the database by executing:
@@ -602,7 +602,7 @@
Each record is written to the file.
-
+
Copy the file
-
-
-
+
+
+
Go back to the master LDAP server. Execute the following to start LDAP as well
as slurpd, the synchronization daemon, as shown here:
-
+
On Red Hat Linux, check the equivalent command to start slurpd.
-
+
On the master LDAP server you may now add an account to validate that replication
is working. Assuming the configuration shown in ???, execute:
Example 6.3. Primary Domain Controller Example 6.4. Primary Domain Controller Example 6.5. Primary Domain Controller Example 6.6. Backup Domain Controller Example 6.7. Backup Domain Controller Example 6.3. Primary Domain Controller Example 6.4. Primary Domain Controller Example 6.5. Primary Domain Controller Example 6.6. Backup Domain Controller Example 6.7. Backup Domain Controller
+
Where Samba-3 is used as a domain controller, the use of LDAP is an
essential component to permit the use of BDCs.
-
+
Replication of the LDAP master server to create a network of BDCs
is an important mechanism for limiting WAN traffic.
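Review bot: the line "Example 6.3. Primary Domain Controller ... Example 6.7. Backup Domain Controller" lists the examples twice in a row, the same doubled-output pattern as the removed "Procedure 6.1" and "Table of Contents" lines elsewhere in this diff, which points at one stylesheet cause rather than separate typos. The steps "Execute the following to start LDAP as well as slurpd, the synchronization daemon, as shown here:" and "execute:" have no command text after them in this rendering, and "On Red Hat Linux, check the equivalent command to start slurpd" gives the reader nothing to compare against.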
@@ -808,55 +808,55 @@
Roaming profiles must be contained to the local network segment. Any
departure from this may clog wide-area arteries and slow legitimate network
traffic to a crawl.
-
There is much rumor and misinformation regarding the use of MS Windows networking protocols.
These questions are just a few of those frequently asked.
-
-
-
-
+
+
+
It is a smart practice to localize DHCP servers on each network segment. As a
rule, there should be two DHCP servers per network segment. This means that if
one server fails, there is always another to service user needs. DHCP requests use
only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network
routers. This makes it possible to run fewer DHCP servers.
-
-
+
+
A DHCP network address request and confirmation usually results in about six UDP packets.
The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP
clients and that uses a 24-hour IP address lease. This means that all clients renew
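Review bot: "DHCP requests use only UDP broadcast protocols" is imprecise: DHCP runs over UDP, but a client in the RENEWING state unicasts its DHCPREQUEST to the server that holds its lease (RFC 2131), and the relay-agent sentence that follows depends on broadcasts being forwarded as unicast. Suggest "DHCP discovery and initial requests are UDP broadcasts". The hunk changes only blank lines around this paragraph.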
@@ -874,28 +874,28 @@
From this can be seen that the traffic impact would be minimal.
-
-
+
+
Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link,
the impact of the update is no more than the DHCP IP address renewal traffic and thus
still insignificant for most practical purposes.
-
+
+
How much background communication takes place between a master LDAP server and its slave LDAP servers?
-
+
The process that controls the replication of data from the master LDAP server to the slave LDAP
servers is called slurpd. The slurpd remains nascent (quiet)
until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete)
two user accounts requires less than 10KB traffic.
-
+
LDAP has a database. Is LDAP not just a fancy database front end?
-
-
-
-
+
+
+
+
LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific
data storage system. This type of database is indexed so that records can be rapidly located, but the
database is not generic and can be used only in particular pre-programmed ways. General external
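Review bot: "The slurpd remains nascent (quiet) until an update must be propagated" misuses "nascent" (coming into being); "dormant" or "idle" is meant, after which the parenthetical "(quiet)" is redundant. "The slurpd" should also be plain "slurpd", as the daemon name is used elsewhere in the file ("start LDAP as well as slurpd"). Otherwise the hunk is a whitespace-only change.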
@@ -904,17 +904,17 @@
orientation and typically allows external programs to perform ad hoc queries, even across data tables.
An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific
simple queries. The term
+
Can Active Directory obtain account information from an OpenLDAP server?
-
+
No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP
database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface
to OpenLDAP using standard LDAP queries and updates.
-
+
What are the parts of a roaming profile? How large is each part?
-
Desktop folders such as
-
+
Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
such folders can be redirected to network drive resources. See ???
for more information regarding folder redirection.
A static or rewritable portion that is typically only a few files (2-5 KB of information).
-
-
+
+
The registry load file that modifies the
-
+
Microsoft Outlook PST files may be stored in the
+
Can the
-
-
+
+
Yes. More correctly, such folders can be redirected to network shares. No specific network drive
connection is required. Registry settings permit this to be redirected directly to a UNC (Universal
Naming Convention) resource, though it is possible to specify a network drive letter instead of a
UNC name. See ???.
-
-
-
-
+
+
+
MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache.
This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS
server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day,
@@ -966,7 +966,7 @@
In conclusion, the total load afforded through WINS traffic is again marginal to total operational
usage as it should be.
-
+
How many BDCs should I have? What is the right number of Windows clients per server?
It is recommended to have at least one BDC per network segment, including the segment served
@@ -980,19 +980,19 @@
As unsatisfactory as the answer might sound, it all depends on network and server load
characteristics.
-
+
I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
run an NIS server?
The correct answer to both questions is yes. But do understand that an LDAP server has
a configurable schema that can store far more information for many more purposes than
just NIS.
-
+
Can I use NIS in place of LDAP?
-
-
+
+
No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal
with the types of data necessary for interoperability with Microsoft Windows networking. The use
of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/Samba3-ByExample/appendix.html samba-3.0.23/docs/htmldocs/Samba3-ByExample/appendix.html
--- samba-3.0.22/docs/htmldocs/Samba3-ByExample/appendix.html 2006-01-29 10:18:17.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/Samba3-ByExample/appendix.html 2006-07-06 05:19:12.000000000 -0500
@@ -1,18 +1,18 @@
- Table of Contents Table of Contents
+
+
Information presented here is considered to be either basic or well-known material that is informative
yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps
different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical,
as shown in the example given below.
-
+
Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
This section steps through the process for making a Windows 200x/XP Professional machine a
member of a Domain Security environment. It should be noted that this process is identical
when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC.
- Procedure 15.1. Steps to Join a Domain
+ Procedure 15.1. Steps to Join a Domain
Click .
Right-click , and then select .
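Review bot: the removed "Table of Contents Table of Contents" line is replaced by blank lines, so the fix removes the heading text entirely instead of leaving one copy; check that the table-of-contents label still renders. In the procedure that follows, "Click ." and "Right-click , and then select ." contain no GUI element names in this rendering, so the steps cannot be followed from the text alone.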
@@ -50,19 +50,19 @@
The “Welcome to the MIDEARTH domain” dialog box should appear. At this point, the machine must be rebooted.
Joining the domain is now complete.
-
-
+
+
The screen capture shown in ??? has a button labeled . This button opens a
panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.
-
-
+
+
Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
to find the services (like which machines are domain controllers or which machines have the Netlogon service running).
-
+
The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to
a valid IP address.
@@ -70,12 +70,12 @@
The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
Where the client is a member of a Samba domain, it is preferable to leave this field blank.
-
+
According to Microsoft documentation, “If this computer belongs to a group with
One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team
build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is
in the
Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team
default.
-
Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy
System (FHS), have elected to locate the configuration files under the
Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in
the
When Samba is built and installed using the default Samba Team process, all files are located under the
One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location
of all files called smbd. Here is an example:
Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by
- executing:
+ executing:
The package names, of course, vary according to how the vendor, or the binary package builder, prepared them.
-
Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba, there
are three daemons, two of which are needed as a minimum.
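Review bot: the quotation "According to Microsoft documentation, “If this computer belongs to a group with" is cut off mid-sentence and its closing quotation mark never appears, and the examples announced by "Here is an example:" (the search for files called smbd) and "executing:" (the RPM package check) have no command text after them in this rendering; the only change in the hunk is the whitespace before "executing:".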
@@ -186,19 +186,19 @@
fi
exit 0
-
-
+
+
This daemon handles all name registration and resolution requests. It is the primary vehicle involved
in network browsing. It handles all UDP-based protocols. The nmbd daemon should
be the first command started as part of the Samba startup process.
-
-
+
+
This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
manages local authentication. It should be started immediately following the startup of nmbd.
-
-
+
+
This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when
Samba has trust relationships with another domain. The winbindd daemon will check the
SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently
executed from the command line is shown in ???. This can be located in the directory
A sample startup script for a Red Hat Linux system is shown in ???.
This file could be located in the directory
The following files are common to all DNS server configurations. Rather than repeat them multiple times, they
are presented here for general reference.
-
+
The forward zone file for the loopback address never changes. An example file is shown
in ???. All traffic destined for an IP address that is hosted on a
physical interface on the machine itself is routed to the loopback adaptor. This is
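Review bot: the three paragraphs beginning "This daemon handles all name registration", "This daemon handles all TCP/IP-based connection services" and "This daemon should be started when Samba is a member of a Windows NT4 or ADS domain" each follow a pair of blank lines where their daemon headings would be; without those headings the second paragraph never names smbd at all, and "The winbindd daemon will check the" ends mid-sentence. The hunk itself only swaps blank lines.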
@@ -284,7 +284,7 @@
IN NS @
IN A 127.0.0.1
-
The reverse zone file for the loopback address as shown in ???
is necessary so that references to the address
The content of the root hints file as shown in ??? changes slowly over time.
Periodically this file should be updated from the source shown. Because
of its size, this file is located at the end of this chapter.
-
The following procedure may be used as an alternative means of configuring
the initial LDAP database. Many administrators prefer to have greater control
over how system files get configured.
-
The first step to get the LDAP server ready for action is to create the LDIF file from
which the LDAP database will be preloaded. This is necessary to create the containers
into which the user, group, and other accounts are written. It is also necessary to
@@ -705,14 +705,14 @@
sambaGroupType: 2
displayName: Domain Users
description: Domain Users
-
+
+
+
+
+
+
+
The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
server either using unencrypted connections or via SSL/TLS. LAM can be used to manage
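Review bot: "It connects to the LDAP server either using unencrypted connections or via SSL/TLS" introduces the unencrypted option without any recommendation; the only recommendation in the file ("It is highly recommended that you use only an SSL connection to your Web server") comes later and concerns the browser-to-web-server leg, not the LAM-to-LDAP leg, over which the directory bind and account data travel. State here that the LDAP connection should use SSL/TLS. The seven blank lines added after "description: Domain Users" presumably separate the LDIF listing from the new section but carry no heading text in this rendering.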
@@ -724,24 +724,24 @@
The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter
of 2005.
A web server that will work with PHP4. PHP4 (available from the PHP home page.) OpenLDAP 2.0 or later. A Web browser that supports CSS. Perl. The gettext package. mcrypt + mhash (optional). It is also a good idea to install SSL support.
LAM is a useful tool that provides a simple Web-based device that can be used to
manage the contents of the LDAP directory to:
-
-
-
+
+
+
Display user/group/host and Domain entries. Manage entries (Add/Delete/Edit). Filter and sort entries. Store and use multiple operating profiles. Edit organizational units (OUs). Upload accounts from a file. Is compatible with Samba-2.2.x and Samba-3.
When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba
user, group, and windows domain member machine accounts.
-
-
-
-
+
+
+
+
The default password is “lam.” It is highly recommended that you use only
an SSL connection to your Web server for all remote operations involving LAM. If you
want secure connections, you must configure your Apache Web server to permit connections
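Review bot: "The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter of 2005" is stale for a file regenerated on 2006-07-06 (see the file header) and is left unchanged by this hunk; update it or drop the release forecast. "The default password is “lam.”" should be followed by an instruction to change it before LAM is reachable over the web, which the text does not give; the SSL recommendation that follows does not substitute for that. Minor: the feature list ends with "Is compatible with Samba-2.2.x and Samba-3", which is not parallel with the imperative items before it, and "windows domain member machine accounts" should capitalise Windows as elsewhere.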
@@ -760,7 +760,7 @@
For example, on SUSE Linux Enterprise Server 9, copy to the
-
+
Set file permissions using the following commands:
-
+
Using your favorite editor create the following
-
-
+
+
An example file is shown in ???.
This is the minimum configuration that must be completed. The LAM profile
file can be created using a convenient wizard that is part of the LAM
@@ -794,7 +794,7 @@
-
+
An example of a working file is shown here in ???.
This file has been stripped of comments to keep the size small. The comments
and help information provided in the profile file that the wizard creates
@@ -802,12 +802,12 @@
Your configuration file obviously reflects the configuration options that
are preferred at your site.
-
+
It is important that your LDAP server is running at the time that LAM is
being configured. This permits you to validate correct operation.
An example of the LAM login screen is provided in ???.
-
+
The LAM configuration editor has a number of options that must be managed correctly.
An example of use of the LAM configuration editor is shown in ???.
It is important that you correctly set the minimum and maximum UID/GID values that are
@@ -817,13 +817,13 @@
the initial settings to be made. Do not forget to reset these to sensible values before
using LAM to add additional users and groups.
-
+
LAM has some nice, but unusual features. For example, one unexpected feature in most application
screens permits the generation of a PDF file that lists configuration information. This is a well
thought out facility. This option has been edited out of the following screen shots to conserve
space.
-
+
When you log onto LAM the opening screen drops you right into the user manager as shown in
???. This is a logical action as it permits the most-needed facility
to be used immediately. The editing of an existing user, as with the addition of a new user,
@@ -837,7 +837,7 @@
shows a sub-screen from the group editor that permits users to be assigned secondary group
memberships.
-
+
The final screen presented here is one that you should not normally need to use. Host accounts will
be automatically managed using the smbldap-tools scripts. This means that the screen ???
will, in most cases, not be used.
@@ -883,7 +883,7 @@
samba3: yes
cachetimeout: 5
pwdhash: SSHA
-
IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive
web-based management interface for UNIX and Linux systems.
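Review bot: typo in the context line: "IDEALX Mamagement Console" should read "Management"; the hunk only removes a blank line before the IMC paragraph, so the fix belongs in the source. "Web" is capitalised elsewhere in the file ("Web server", "Web browser") but appears as "web-based management interface" and "the web site" here.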
@@ -897,7 +897,7 @@
For further information regarding IMC refer to the web site.
Prebuilt RPM packages are also available.
-
The setting of the SUID/SGID bits on the file or directory permissions flag has particular
consequences. If the file is executable and the SUID bit is set, it executes with the privilege
of (with the UID of) the owner of the file. For example, if you are logged onto a system as
@@ -967,34 +967,34 @@
total 1
drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
-
The integrity of shared data is often viewed as a particularly emotional issue, especially where
there are concurrent problems with multiuser data access. Contrary to the assertions of some who have
experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
The solution to concurrent multiuser data access problems must consider three separate areas
- from which the problem may stem:
- application-level locking controls client-side locking controls server-side locking controls
+ from which the problem may stem:
+ application-level locking controls client-side locking controls server-side locking controls
Many database applications use some form of application-level access control. An example of one
well-known application that uses application-level locking is Microsoft Access. Detailed guidance
is provided here because this is the most common application for which problems have been reported.
-
Common applications that are affected by client- and server-side locking controls include MS
Excel and Act!. Important locking guidance is provided here.
-
+
The best advice that can be given is to carefully read the Microsoft knowledgebase articles that
cover this area. Examples of relevant documents include:
- http://support.microsoft.com/default.aspx?scid=kb;en-us;208778 http://support.microsoft.com/default.aspx?scid=kb;en-us;299373 http://support.microsoft.com/default.aspx?scid=kb;en-us;208778 http://support.microsoft.com/default.aspx?scid=kb;en-us;299373
Make sure that your MS Access database file is configured for multiuser access (not set for
exclusive open). Open MS Access on each client workstation, then set the following: ++. Set network path to Default database folder:
You can configure MS Access file sharing behavior as follows: click .
- Set:
- Default open mode: Shared Default Record Locking: Edited Record Open databases using record_level locking Default open mode: Shared Default Record Locking: Edited Record Open databases using record_level locking
You must now commit the changes so that they will take effect. To do so, click
. At this point, you should exit MS Access, restart
it, and then validate that these settings have not changed.
-
Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you
must disable opportunistic locking on the server and all workstations. Failure to do so
results in data corruption. This information is available from the Act! Web site
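Review bot: the removed lines carrying the two knowledgebase URLs (http://support.microsoft.com/default.aspx?scid=kb;en-us;208778 and http://support.microsoft.com/default.aspx?scid=kb;en-us;299373) and the MS Access settings ("Default open mode: Shared", "Default Record Locking: Edited Record", "Open databases using record_level locking") have no "+" counterpart in this hunk, so in the 3.0.23 rendering "Examples of relevant documents include:" and "Set:" are followed by nothing; the old lines duplicated each item, and the change appears to have dropped them rather than de-duplicated them. Also "set the following: ++." has lost the key names around the plus signs, and "running Samba,or Windows NT" needs a space after the comma.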
@@ -1002,7 +1002,7 @@
1998223162925
as well as from article
200110485036.
-
These documents clearly state that opportunistic locking must be disabled on both
the server (Samba in the case we are interested in here), as well as on every workstation
from which the centrally shared Act! database will be accessed. Act! provides
@@ -1010,18 +1010,18 @@
registry settings that may otherwise interfere with the operation of Act!
Registered Act! users may download this utility from the Act! Web
site.
-
Third-party Windows applications may not be compatible with the use of opportunistic file
- and record locking. For applications that are known not to be compatible,[14] oplock
+ and record locking. For applications that are known not to be compatible,[14] oplock
support may need to be disabled both on the Samba server and on the Windows workstations.
-
Oplocks enable a Windows client to cache parts of a file that are being
edited. Another windows client may then request to open the file with the
ability to write to it. The server will then ask the original workstation
that had the file open with a write lock to release its lock. Before
doing so, that workstation must flush the file from cache memory to the
disk or network drive.
-
Disabling of Oplocks usage may require server and client changes.
Oplocks may be disabled by file, by file pattern, on the share, or on the
Samba server.
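Review bot: style in the context lines: "Another windows client" should read "Windows client" as in the rest of the paragraph, and "Disabling of Oplocks usage may require server and client changes" reads better as "Disabling oplocks may require server and client changes", with "oplocks" lowercase as in "oplock support" two sentences earlier. The footnote marker "[14]" is unchanged between the "-" and "+" lines, so that pair is whitespace-only.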
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.22/docs/htmldocs/Samba3-ByExample/Big500users.html samba-3.0.23/docs/htmldocs/Samba3-ByExample/Big500users.html
--- samba-3.0.22/docs/htmldocs/Samba3-ByExample/Big500users.html 2006-01-29 10:18:10.000000000 -0600
+++ samba-3.0.23/docs/htmldocs/Samba3-ByExample/Big500users.html 2006-07-06 05:19:04.000000000 -0500
@@ -1,4 +1,4 @@
-
+
The Samba-3 networking you explored in ??? covers the finer points of
configuration of peripheral services such as DHCP and DNS, and WINS. You experienced
implementation of a simple configuration of the services that are important adjuncts
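Review bot: the cross-reference in "The Samba-3 networking you explored in ??? covers the finer points" renders as "???" in both the old and the new version, so the xref target is unresolved in the generated HTML, and the same placeholder recurs throughout the rest of this file ("see ???", "presented in ???", "the network topology diagram in ???"). The fix belongs in the DocBook source (an xref whose linkend id is missing or misspelled), not in the generated page; suggest resolving the ids before regenerating, since a reader of this chapter otherwise cannot locate the topology diagram, the script listing or the follow-up chapter the text keeps pointing at.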
@@ -17,9 +17,9 @@
that same approach to printing, but ??? presents an opportunity
to make printing more complex for the administrator while making it easier for the user.
-
-
-
+
+
+
??? demonstrates operation of a DHCP server and a DNS server
as well as a central WINS server. You validated the operation of these services and
saw an effective implementation of a Samba domain controller using the
@@ -41,7 +41,7 @@
improve network management and control while reducing human resource overheads.
You should take the opportunity to innovate and expand on the methods presented
here and explore them to the fullest.
-
+
Business continues to go well for Abmas. Mr. Meany is driving your success and the
network continues to grow thanks to the hard work Christine has done. You recently
hired Stanley Soroka as manager of information systems. Christine recommended Stan
@@ -66,7 +66,7 @@
and to allow Stan and Christine to fully stage the new network and test it before
it is rolled out. Your strategy is to complete the new network so that it
is ready for operation when the old office moves into the new premises.
-
+
The acquired business had 280 network users. The old Abmas building housed
220 network users in unbelievably cramped conditions. The network that
initially served 130 users now handles 220 users quite well.
@@ -107,7 +107,7 @@
DirectPointe Inc. receives from you a new standard desktop configuration
every four months. They automatically roll that out to each desktop system.
You must keep DirectPointe informed of all changes.
-
The new network has a single Samba Primary Domain Controller (PDC) located in the
Network Operation Center (NOC). Buildings 1 and 2 each have a local server
for local application servicing. It is a domain member. The new system
@@ -115,8 +115,8 @@
Printing is based on raw pass-through facilities just as it has been used so far.
All printer drivers are installed on the desktop and notebook computers.
-
+
The example you are building in this chapter is of a network design that works, but this
does not make it a design that is recommended. As a general rule, there should be at least
one Backup Domain Controller (BDC) per 150 Windows network clients. The principle behind
@@ -127,22 +127,22 @@
responsiveness. This network will have 500 clients serviced by one central domain
controller. This is not a good omen for user satisfaction. You, of course, address this
very soon (see ???).
-
+
Stan has talked you into a horrible compromise, but it is addressed. Just make
certain that the performance of this network is well validated before going live.
Design decisions made in this design include the following:
-
-
-
+
+
+
A single PDC is being implemented. This limitation is based on the choice not to
use LDAP. Many network administrators fear using LDAP because of the perceived
complexity of implementation and management of an LDAP-based backend for all user
identity management as well as to store network access credentials.
-
-
+
+
Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the
only choice that makes sense with 500 users is to use the tdbsam passwd backend.
This type of backend is not receptive to replication to BDCs. If the tdbsam
@@ -156,7 +156,7 @@
for a simple mode of operation but has to be balanced with network performance and
integrity of operations considerations.
-
+
A single central WINS server is being used. The PDC is also the WINS server.
Any attempt to operate a routed network without a WINS server while using NetBIOS
over TCP/IP protocols does not work unless on each client the name resolution
@@ -167,12 +167,12 @@
At this time the Samba WINS database cannot be replicated. That is
why a single WINS server is being implemented. This should work without a problem.
-
+
BDCs make use of winbindd to provide
access to domain security credentials for file system access and object storage.
-
-
+
+
Configuration of Windows XP Professional clients is achieved using DHCP. Each
subnet has its own DHCP server. Backup DHCP serving is provided by one
alternate DHCP server. This necessitates enabling of the DHCP Relay agent on
@@ -188,13 +188,13 @@
The network address and subnetmask chosen provide 1022 usable IP addresses in
each subnet. If in the future more addresses are required, it would make sense
to add further subnets rather than change addressing.
-
This case gets close to the real world. You and I know the right way to implement
domain control. Politically, we have to navigate a minefield. In this case, the need is to
get the PDC rolled out in compliance with expectations and also to be ready to save the day
by having the real solution ready before it is needed. That real solution is presented in
???.
-
The following configuration process begins following installation of Red Hat Fedora Core2 on the
three servers shown in the network topology diagram in ???. You have
selected hardware that is appropriate to the task.
@@ -205,9 +205,9 @@
The abbreviation shown in this table as Table 4.1. Domain:
+ Table 4.1. Domain:
The following steps apply to all servers. Follow each step carefully.
- Procedure 4.1. Server Preparation Steps
+ Procedure 4.1. Server Preparation Steps
Using the UNIX/Linux system tools, set the name of the server as shown in the network
topology diagram in ???. For SUSE Linux products, the tool
that permits this is called yast2; for Red Hat Linux products,
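Review bot: the added caption line `+ Table 4.1. Domain:` ends right after the colon, and the preceding context line "The abbreviation shown in this table as Table 4.1. Domain:" runs the sentence straight into that caption, so as rendered neither the sentence nor the caption names the domain. Suggest checking that the element holding the domain name (most likely inline markup the HTML renderer dropped) is emitted in the caption, and that the sentence is terminated before the table title rather than fused with it.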
@@ -221,8 +221,8 @@
-
-
+
+
Edit your
-
+
All DNS name resolution should be handled locally. To ensure that the server is configured
correctly to handle this, edit
-
-
+
+
Add the
-
-
+
+
Create the username map file to permit the
-
+
Only on the server to which the printer is attached configure the CUPS Print
Queues as follows:
-
+
This step creates the necessary print queue to use no assigned print filter. This
is ideal for raw printing, that is, printing without use of filters.
The name
-
-
-
+
+
+
This step, as well as the next one, may be omitted where CUPS version 1.1.18
or later is in use. Although it does no harm to follow it anyway, and may
help to avoid time spent later trying to figure out why print jobs may be
@@ -336,7 +336,7 @@
application/octet-stream application/vnd.cups-raw 0 -
-
+
Edit the file
There are some steps that apply to particular server functionality only. Each step is critical
to correct server operation. The following step-by-step installation guidance will assist you
in working through the process of configuring the PDC and then both BDC's.
-
+
The steps presented here attempt to implement Samba installation in a generic manner. While
some steps are clearly specific to Linux, it should not be too difficult to apply them to
your platform of choice.
- Procedure 4.2. Primary Domain Controller Preparation Procedure 4.2. Primary Domain Controller Preparation
+
+
The host server acts as a router between the two internal network segments as well
as for all Internet access. This necessitates that IP forwarding be enabled. This can be
achieved by adding to the
-
+
The final step that must be completed is to edit the
-
+
Create and map Windows domain groups to UNIX groups. A sample script is provided in
???. Create a file containing this script. You called yours
-
-
-
+
+
+
For each user who needs to be given a Windows domain account, make an entry in the
-
-
-
+
+
+
There are a number of tools for user management under UNIX, such as
useradd, adduser, as well as a plethora of custom
tools. With the tool of your choice, create a home directory for each user.
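Review bot: the removed line `- Procedure 4.2. Primary Domain Controller Preparation Procedure 4.2. Primary Domain Controller Preparation` carries the procedure heading twice and is replaced by two empty lines; confirm the heading is emitted once elsewhere in the new file rather than dropped, because the steps that follow (IP forwarding, domain group mapping, user entries, home directories) otherwise have no heading. The same pattern recurs later in this diff for Procedure 4.3, Procedure 5.2, Procedure 5.3 and the Example 5.6/5.7 captions. One content point in the same region: the step "The host server acts as a router between the two internal network segments as well as for all Internet access. This necessitates that IP forwarding be enabled" makes the PDC the Internet gateway, and the text should say that forwarding has to be paired with a packet filter on the external interface, otherwise the domain controller's SMB and NetBIOS ports are reachable from outside.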
@@ -435,7 +435,7 @@
file is
-
+
Create the top-level file storage directories for data and applications as follows:
-
-
+
+
Create a logon script. It is important that each line is correctly terminated with
a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
works if the right tools ( Procedure 4.3. Backup Domain Controller Configuration Steps Procedure 4.3. Backup Domain Controller Configuration Steps
+
The final step that must be completed is to edit the
-
+
You must now attempt to join the domain member servers to the domain. The following
instructions should be executed to effect this:
-
+
You now start the Samba services by executing:
Example 4.1. Server: MASSIVE (PDC), File: Example 4.2. Server: MASSIVE (PDC), File: Example 4.3. Common Samba Configuration File: Example 4.4. Server: BLDG1 (Member), File: smb.conf Example 4.5. Server: BLDG2 (Member), File: smb.conf Example 4.6. Common Domain Member Include File: dom-mem.conf Example 4.1. Server: MASSIVE (PDC), File: Example 4.2. Server: MASSIVE (PDC), File: Example 4.3. Common Samba Configuration File: Example 4.4. Server: BLDG1 (Member), File: smb.conf Example 4.5. Server: BLDG2 (Member), File: smb.conf Example 4.6. Common Domain Member Include File: dom-mem.conf Example 4.7. Server: MASSIVE, File: dhcpd.conf
-
-
+
+
There are two essential steps to process startup configuration. A process
must be configured so that it is automatically restarted each time the server
is rebooted. This step involves use of the chkconfig tool that
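Review bot: the context line "works if the right tools (" is cut mid-sentence and runs directly into "Procedure 4.3. Backup Domain Controller Configuration Steps", which then appears twice, and the line beginning "Example 4.1. Server: MASSIVE (PDC), File:" is a run of seven example captions repeated twice with the file names missing after "File:". This is a rendering problem rather than a content change, but the logon-script sentence is supposed to tell the reader which tools produce DOS line endings, so suggest verifying that the inline element holding the tool names and the example file names survives regeneration, and that each caption is emitted once on its own line.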
@@ -908,7 +908,7 @@
directories. Links are created so that when the system run-level is changed, the
necessary start or kill script is run.
-
+
In the event that a service is provided not as a daemon but via the internetworking
super daemon (inetd or xinetd), then the chkconfig
tool makes the necessary entries in the Procedure 4.4. Process Startup Configuration Steps
+ Procedure 4.4. Process Startup Configuration Steps
Use the standard system tool to configure each service to restart
automatically at every system reboot. For example,
-
+
-
-
-
+
+
+
Now start each service to permit the system to be validated.
Execute each of the following in the sequence shown:
@@ -946,11 +946,11 @@
The procedure for desktop client configuration for the network in this chapter is similar to
that used for the previous one. There are a few subtle changes that should be noted.
- Procedure 4.5. Windows Client Configuration Steps
+ Procedure 4.5. Windows Client Configuration Steps
Install MS Windows XP Professional. During installation, configure the client to use DHCP for
TCP/IP protocol configuration.
-
-
+
+
DHCP configures all Windows clients to use the WINS Server address that has been defined
for the local subnet.
@@ -985,7 +985,7 @@
also configure use of the identical printers that are located in the financial services department.
Install printers on each machine using the following steps:
-
The network you have just deployed has been a valuable exercise in forced constraint.
You have deployed a network that works well, although you may soon start to see
performance problems, at which time the modifications demonstrated in ???
@@ -1054,33 +1054,33 @@
to resources on the domain member servers
The introduction of roaming profiles
-
+
The priority of assigned tasks in this chapter is:
-
-
-
-
+
+
+
+
Implement Backup Domain Controllers (BDCs) in each building. This involves
a change from a tdbsam backend that was used in the previous
chapter to an LDAP-based backend.
You can implement a single central LDAP server for this purpose.
-
-
-
-
+
+
+
+
Rectify the problem of excessive logon times. This involves redirection of
folders to network shares as well as modification of all user desktops to
exclude the redirected folders from being loaded at login time. You can also
create a new default profile that can be used for all new users.
-
+
You configure a new MS Windows XP Professional workstation disk image that you roll out
to all desktop users. The instructions you have created are followed on a staging machine
from which all changes can be carefully tested before inflicting them on your network users.
-
+
This is the last network example in which specific mention of printing is made. The example
again makes use of the CUPS printing system.
-
+
+
+
The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
LDAP servers in current use with Samba-3 include:
-
+
Novell eDirectory
is being successfully used by some sites. Information on how to use eDirectory can be
obtained from the Samba mailing lists or from Novell.
-
+
IBM Tivoli
Directory Server can be used to provide the Samba LDAP backend. Example schema
files are provided in the Samba source code tarball under the directory
-
+
Sun ONE Identity
Server product suite provides an LDAP server that can be used for Samba.
Example schema files are provided in the Samba source code tarball under the directory
@@ -264,19 +264,19 @@
initialize the LDAP directory database. OpenLDAP itself has only command-line tools to
help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
-
+
For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include
GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
-
-
-
-
-
-
-
+
+
+
+
+
+
+
When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
High availability operation may be obtained through directory replication/synchronization and
master/slave server configurations. OpenLDAP is a mature platform to host the organizational
@@ -286,10 +286,10 @@
contents with greater ability to back up, restore, and modify the directory than is generally possible
with Microsoft Active Directory.
-
-
-
-
+
+
+
+
A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured
for a specific task orientation. It comes with a set of administrative tools that is entirely customized
@@ -300,8 +300,8 @@
MS ADAM that provides more generic LDAP services, yet it does not have the vanilla-like services
of OpenLDAP.
-
-
+
+
You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
if you find the challenge of learning about LDAP directories, schemas, configuration, and management
tools and the creation of shell and Perl scripts a bit
@@ -309,7 +309,7 @@
many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
that is required for use as a passdb backend.
-
+
For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
The Web-based tools you might like to consider include the
@@ -334,10 +334,10 @@
LDAP System Administration,
by Jerry Carter quite useful.
-
-
-
-
+
+
+
+
Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
be loaded over the WAN connection. The addition of BDCs on each network segment significantly
@@ -345,31 +345,31 @@
user desktops, and this must be done in a way that wins their support and does not cause further loss of
staff morale. The following procedures solve this problem.
-
+
There is also an opportunity to implement smart printing features. You add this to the Samba configuration
so that future printer changes can be managed without need to change desktop configurations.
You add the ability to automatically download new printer drivers, even if they are not installed
in the default desktop profile. Only one example of printing configuration is given. It is assumed that
you can extrapolate the principles and use them to install all printers that may be needed.
-
+
+
+
The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account
attributes Samba needs. Samba-3 can use the LDAP backend to store:
Windows Networking User Accounts Windows NT Group Accounts Mapping Information between UNIX Groups and Windows NT Groups ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
accounts in the LDAP backend. This implies the need to use the
PADL LDAP tools. The resolution
@@ -378,16 +378,16 @@
that integrates with the NSS. The same requirements exist for resolution
of the UNIX username to the UID. The relationships are demonstrated in ???.
-
-
+
+
You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
ought to learn how to configure secure communications over LDAP so that site security is not
at risk. This is not covered in the following guidance.
-
-
-
-
+
+
+
+
When OpenLDAP has been made operative, you configure the PDC called
-
-
-
+
+
+
In order to effect folder redirection and to add robustness to the implementation,
create a network default profile. All network users workstations are configured to use
the new profile. Roaming profiles will automatically be deleted from the workstation
when the user logs off.
-
+
The profile is configured so that users cannot change the appearance
of their desktop. This is known as a mandatory profile. You make certain that users
are able to use their computers efficiently.
-
+
A network logon script is used to deliver flexible but consistent network drive
connections.
-
-
-
-
+
+
+
+
Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
that maps to the UNIX UID=0. The UNIX operating system permits only the
As XP roaming profiles grow, so does the amount of time it takes to log in and out.
-
-
-
-
+
+
+
+
An XP roaming profile consists of the
-
+
Using a folder other than
-
-
-
+
+
+
The secret to rapid loading of roaming profiles is to prevent unnecessary data from
being copied back and forth, without losing any functionality. This is not difficult;
it can be done by making changes to the Local Group Policy on each client as well
as changing some paths in each user's
-
-
+
+
Every user profile has its own
-
-
-
-
+
+
+
+
Without an Active Directory PDC, you cannot take full advantage of Group Policy
Objects. However, you can still make changes to the Local Group Policy by using
the Group Policy editor (gpedit.msc).
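Review bot: the paragraph "You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really ought to learn how to configure secure communications over LDAP so that site security is not at risk. This is not covered in the following guidance." defers the one security-critical part of the LDAP setup. The later steps in this chapter put UNIX and Samba account attributes, password hashes included, into that directory and have Samba bind to it with a stored password, so an unencrypted LDAP session exposes both. Suggest either adding the TLS steps (a server certificate in slapd.conf, the TLS settings in the nss_ldap/pam_ldap ldap.conf, and the Samba `ldap ssl` parameter) or at least a pointer to where they are documented, together with a note to keep slapd listening only on the internal interfaces until that is done.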
@@ -492,26 +492,26 @@
Simply add the folders you do not wish to be copied back and forth to this
semicolon-separated list. Note that this change must be made on all clients
that are using roaming profiles.
-
+
+
There are two changes that should be done to each user's profile. Move each of
the directories that you have excluded from being copied back and forth out of
the usual profile path. Modify each user's
-
-
+
+
The above modifies existing user profiles. So that newly created profiles have
these settings, you need to modify the
+
+
If you are using Samba as your PDC, you should create a file share called
+
+
+
The subject of printing is quite topical. Printing problems run second place to name
resolution issues today. So far in this book, you have experienced only what is generally
known as “dumb” printing. Dumb printing is the arrangement by which all drivers
@@ -532,8 +532,8 @@
many problems, but it has its limitations also. Dumb printing is better known as
Raw-Print-Through printing.
-
-
+
+
Samba permits the configuration of smart printing using the Microsoft
Windows point-and-click (also called drag-and-drop) printing. What this provides is
essentially the ability to print to any printer. If the local client does not yet have a
@@ -547,9 +547,9 @@
then invokes a suitable print filter to convert the incoming data stream into a format
suited to the printer to which the job is dispatched.
-
-
-
+
+
+
The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
detect the data format and apply a print filter. This means that it is feasible to install
on all Windows clients a single printer driver for use with all printers that are routed
@@ -574,10 +574,10 @@
simple problems efficiently and effectively.
Here are some diagnostic guidelines that can be referred to when things go wrong:
-
+
The best advice regarding how to mend a broken leg is “Never break a leg!”
-
+
Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice
regarding the best way to remedy LDAP and Samba problems: “Avoid them like the plague!”
@@ -593,7 +593,7 @@
Do not be lulled into thinking that you can easily adopt the examples in this
book and adapt them without first working through the examples provided. A little
thing overlooked can cause untold pain and may permanently tarnish your experience.
-
The name service caching daemon (nscd) is a primary cause of difficulties with name
resolution, particularly where winbind is used. Winbind does its
own caching, thus nscd causes double caching which can lead to peculiar problems during
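Review bot: the sentence "The name service caching daemon (nscd) is a primary cause of difficulties with name resolution, particularly where winbind is used. Winbind does its own caching, thus nscd causes double caching which can lead to peculiar problems during" states the problem, but the remedy is not within the shown context. If the lines that follow do not give it, suggest ending the guideline with the concrete instruction (stop nscd and disable it at boot, or at minimum its passwd and group caches) so that this diagnostic note is actionable.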
@@ -660,17 +660,17 @@
-
+
+
+
In the example
-
-
+
+
LDAP log information can be directed into a file that is separate from the normal system
log files by changing the
The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
The diagnostic process should follow these steps:
- Procedure 5.1. NSS_LDAP Diagnostic Steps
+ Procedure 5.1. NSS_LDAP Diagnostic Steps
Verify the
The following parameters in the
Search for hints of what may have failed by looking for the words fail
and error.
-
MS Windows 2000 Professional and Windows XP Professional clients can be configured
to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
version of MS Windows.
-
MS Windows network users are generally very sensitive to limits that may be imposed when
confronted with locked-down workstation configurations. The challenge you face must
be promoted as a choice between reliable, fast network operation and a constant flux
of problems that result in user irritation.
-
You are starting a complex project. Even though you went through the installation of a complex
network in ???, this network is a bigger challenge because of the
large number of complex applications that must be configured before the first few steps
@@ -840,14 +840,14 @@
frequently review the steps ahead while making at least a mental note of what has already
been completed. The following task list may help you to keep track of the task items
that are covered:
- Samba-3 PDC Server Configuration DHCP and DNS servers OpenLDAP server PAM and NSS client tools Samba-3 PDC Idealx smbldap scripts LDAP initialization Create user and group accounts Printers Share point directory roots Profile directories Logon scripts Configuration of user rights and privileges Samba-3 BDC Server Configuration DHCP and DNS servers PAM and NSS client tools Printers Share point directory roots Profiles directories Windows XP Client Configuration Default profile folder redirection MS Outlook PST file relocation Delete roaming profile on logout Upload printer drivers to Samba servers Install software Creation of roll-out images Samba-3 PDC Server Configuration DHCP and DNS servers OpenLDAP server PAM and NSS client tools Samba-3 PDC Idealx smbldap scripts LDAP initialization Create user and group accounts Printers Share point directory roots Profile directories Logon scripts Configuration of user rights and privileges Samba-3 BDC Server Configuration DHCP and DNS servers PAM and NSS client tools Printers Share point directory roots Profiles directories Windows XP Client Configuration Default profile folder redirection MS Outlook PST file relocation Delete roaming profile on logout Upload printer drivers to Samba servers Install software Creation of roll-out images
+
+
The network design shown in ??? is not comprehensive. It is assumed
that you will install additional file servers and possibly additional BDCs.
-
-
+
+
All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE
Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
adjust the locations for your particular Linux system distribution/implementation.
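Review bot: the task list in the context line beginning "Samba-3 PDC Server Configuration DHCP and DNS servers OpenLDAP server" is rendered as one unbroken line and then repeated verbatim, so the nested structure (PDC tasks, BDC tasks, Windows XP client tasks) is lost. This list is the checklist the text asks the reader to keep referring to, so it should render as a nested list with one item per line and appear only once; suggest checking the list markup in the source and the stylesheet's handling of it before regenerating.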
@@ -868,22 +868,22 @@
with newly installed Linux servers, you must complete the steps shown in
??? before commencing at ???.
-
-
-
+
+
+
Confirm that the packages shown in ??? are installed on your system.
Table 5.2. Required OpenLDAP Linux Packages
Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method
for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
follow these guidelines, the resulting system should work fine.
- Procedure 5.2. OpenLDAP Server Configuration Steps Procedure 5.2. OpenLDAP Server Configuration Steps
+
Install the file shown in ??? in the directory
-
-
-
+
+
+
Remove all files from the directory
This may require you to add a user and a group account for LDAP if they do not exist.
-
+
Install the file shown in ??? in the directory
-
+
Performance logging can be enabled and should preferably be sent to a file on
a file system that is large enough to handle significantly sized logs. To enable
the logging at a verbose level to permit detailed analysis, uncomment the entry in
@@ -975,31 +975,31 @@
index sambaDomainName eq
index default sub
-
-
-
+
+
+
The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and
groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure
the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
-
-
+
+
Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
correct configuration of PAM. The pam_ldap open source package provides the
PAM modules that most people would use. On SUSE Linux systems, the pam_unix2.so
module also has the ability to redirect authentication requests through LDAP.
-
-
-
-
+
+
+
+
You have chosen to configure these services by directly editing the system files, but of course, you
know that this configuration can be done using system tools provided by the Linux system vendor.
SUSE Linux has a facility in YaST (the system admin tool) through ->-> that permits
configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the authconfig
tool for this.
- Procedure 5.3. PAM and NSS Client Configuration Steps Example 5.4. Configuration File for NSS LDAP Support Procedure 5.3. PAM and NSS Client Configuration Steps Example 5.4. Configuration File for NSS LDAP Support
-
-
-
+
+
+
Execute the following command to find where the
-
+
Edit the NSS control file (
-
+
For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
files in the
-
+
On other Linux systems that do not have an LDAP-enabled pam_unix2.so module,
you must edit these files by adding the pam_ldap.so modules as shown here:
-
+
Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server
before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the
choice to either build your own or obtain the packages from a dependable source.
Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for
Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that
is included with this book.
- Procedure 5.4. Configuration of PDC Called
+ Procedure 5.4. Configuration of PDC Called
Install the files in ???,
???, ???,
and ??? into the
-
+
Create and verify the contents of the
-
-
+
+
Samba-3 communicates with the LDAP server. The password that it uses to
authenticate to the LDAP server must be stored in the
-
-
+
+
Samba-3 generates a Windows Security Identifier (SID) only when smbd
has been started. For this reason, you start Samba. After a few seconds delay,
execute:
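Review bot: the step "Samba-3 communicates with the LDAP server. The password that it uses to authenticate to the LDAP server must be stored in the" stops before naming the store, and the command that sets it is not visible in the hunk. In Samba 3 this credential is written to secrets.tdb with smbpasswd -w; whatever the regenerated text shows, it should state that the file holding this LDAP bind password (and the slapd.conf rootpw it corresponds to) must be readable by root only, since possession of it gives write access to every account in the directory.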
@@ -1229,10 +1229,10 @@
When a positive domain SID has been reported, stop Samba.
-
-
-
-
+
+
+
+
Configure the NFS server for your Linux system. So you can complete the steps that
follow, enter into the
Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
configuration of the LDAP server.
- Example 5.6. LDAP Based Example 5.7. LDAP Based Example 5.6. LDAP Based Example 5.7. LDAP Based
+
The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
on the LDAP server. You have chosen the Idealx scripts because they are the best-known
LDAP configuration scripts. The use of these scripts will help avoid the necessity
@@ -1268,7 +1268,7 @@
The smbldap-tools are located in
+
To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:
Procedure 5.5. Unpacking and Installation Steps for the
Create the
The smbldap-tools scripts are now ready for the configuration step outlined in
???.
-
In the event that you have elected to use the RPM package provided by Idealx, download the
source RPM Procedure 5.6. Installation Steps for
+ Procedure 5.6. Installation Steps for
Install the source RPM that has been downloaded as follows:
The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included
in the
The LDAP database must be populated with well-known Windows domain user accounts and domain group
accounts before Samba can be used. The following procedures step you through the process.
@@ -1487,12 +1487,12 @@
Addition of an account to the LDAP backend can be done in two ways:
-
-
-
-
-
-
+
+
+
+
+
+
If you always have a user account in the
-
+
If you wish to have more control over how the LDAP database is initialized or
if you don't want to use the Idealx smbldap-tools, you should refer to
???, ???.
-
+
The following steps initialize the LDAP database, and then you can add user and group
accounts that Samba can use. You use the smbldap-populate to
seed the LDAP database. You then manually add the accounts shown in ???.
The list of users does not cover all 500 network users; it provides examples only.
-
-
-
+
+
+
In the following examples, as the LDAP database is initialized, we do create a container
for Computer (machine) accounts. In the Samba-3
-
+
So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data.
There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
the simplest is to execute:
@@ -1609,7 +1609,7 @@
dn: ou=Idmap,dc=abmas,dc=biz
ou: idmap
-
+
If the execution of this command does not return IDMAP entries, you need to create an LDIF
template file (see ???). You can add the required entries using
the following command:
@@ -1619,7 +1619,7 @@
Samba automatically populates this LDAP directory container when it needs to.
-
+
It looks like all has gone well, as expected. Let's confirm that this is the case
by running a few tests. First we check the contents of the database directly
by running slapcat as follows (the output has been cut down):
@@ -1657,7 +1657,7 @@
This looks good so far.
-
+
The next step is to prove that the LDAP server is running and responds to a
search request. Execute the following as shown (output has been cut to save space):
Good. It is all working just fine.
-
+
You must now make certain that the NSS resolver can interrogate LDAP also.
Execute the following commands:
-
+
This demonstrates that the nss_ldap library is functioning
as it should. If these two steps fail to produce this information, refer to
??? for diagnostic procedures that can be followed to
isolate the cause of the problem. Proceed to the next step only when the previous steps
have been successfully completed.
-
-
-
+
+
+
Our database is now ready for the addition of network users. For each user for
whom an account must be created, execute the following:
where
-
+
Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the
following:
-
+
The root account must have UID=0; if not, this means that operations conducted from
a Windows client using tools such as the Domain User Manager fails under UNIX because
the management of user and group accounts requires that the UID=0. Additionally, it is
@@ -1802,8 +1802,8 @@
This is precisely what we want to see.
-
-
+
+
The final validation step involves making certain that Samba-3 can obtain the user
accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
This looks good. Of course, you fully expected that it would all work, didn't you?
-
+
Now you add the group accounts that are used on the Abmas network. Execute
the following exactly as shown:
-
+
You really do want to confirm that UNIX group resolution from LDAP is functioning
as it should. Let's do this as shown here:
-
+
The final step we need to validate is that Samba can see all the Windows domain groups
and that they are correctly mapped to the respective UNIX group account. To do this,
just execute the following command:
@@ -1917,7 +1917,7 @@
-
+
You may now check Samba-3 operation as follows:
The server
-
+
The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
taken care of in the Procedure 5.9. Printer Configuration Steps
+ Procedure 5.9. Printer Configuration Steps
Configure all network-attached printers to have a fixed IP address.
Create an entry in the DNS database on the server
-
-
+
+
Only on the server to which the printer is attached, configure the CUPS Print
Queues as follows:
-
+
This step creates the necessary print queue to use no assigned print filter. This
is ideal for raw printing, that is, printing without use of filters.
The name
-
-
-
+
+
+
Edit the file
-
+
Edit the file
- Procedure 5.10. Configuration of BDC Called:
Install the files in ???,
???, and ???
into the
This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
-
+
The next step in the verification process involves testing the operation of UNIX group
resolution via the NSS LDAP resolver. Execute these commands:
-
+
You must now set the LDAP administrative password into the Samba-3
This indicates that the domain security account for the BDC has been correctly created.
-
+
Verify that user and group account resolution works via Samba-3 tools as follows:
Follow carefully the steps shown in ???, starting at step 2.
- Example 5.8. LDAP Based Example 5.9. LDAP Based lmhosts is the Samba
+Name
Synopsis
lmhosts is the samba(7) NetBIOS name to IP address mapping file.DESCRIPTION
lmhosts is the Samba
NetBIOS name to IP address mapping file. It
is very similar to the /etc/hosts file
format, except that the hostname component must correspond
- to the NetBIOS naming format.FILE FORMAT
FILE FORMAT
lmhosts file
- is in the same directory as the smb.conf(5) file.FILES
FILES
/etc/samba or /usr/local/samba/lib.
- AUTHOR
Name
Synopsis
log2pcap [-h] [-q] [logfile] [pcap_file]DESCRIPTION
Name
Synopsis
log2pcap [-h] [-q] [logfile] [pcap_file]DESCRIPTION
log level
of at least 5 to get the SMB header/parameters
right, 10 to get the first 512 data bytes of the
packet and 50 to get the whole packet.
- OPTIONS
OPTIONS
EXAMPLES
$ log2pcap < /var/log/* > trace.pcap
$ log2pcap -h samba.log | text2pcap -T 139,139 - trace.pcap
- Name
Synopsis
mount.cifs {service} {mount-point} [-o options]DESCRIPTION
Name
Synopsis
mount.cifs {service} {mount-point} [-o options]DESCRIPTION
OPTIONS
argOPTIONS
argargargENVIRONMENT VARIABLES
argargENVIRONMENT VARIABLES
NOTES
NOTES
CONFIGURATION
/proc/fs/cifs are various
@@ -186,7 +186,7 @@
cifs.ko which will list the options that may be passed to cifs during module
installation (device driver load).
For more information see the kernel file fs/cifs/README.
-BUGS
VERSION
VERSION
SEE ALSO
AUTHOR
Name
Synopsis
net {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-l] [-P] [-d debuglevel] [-V]DESCRIPTION
Synopsis
net {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-l] [-P] [-d debuglevel] [-V]DESCRIPTION
OPTIONS
OPTIONS
smb.conf file.
+to setting the parameter in the smb.conf file.
However, a command
line setting will take precedence over settings in
smb.conf.smb.conf file.COMMANDS
CHANGESECRETPW
TIME
TIME
[RPC|ADS] JOIN [TYPE] [-U username[%password]] [options]
[RPC] OLDJOIN [options]
[RAP|RPC] SHARE
[RAP|RPC] SHARE [misc. options] [targets]
[RAP|RPC] SHARE ADD
name=serverpath [-C comment] [-M maxusers] [targets][RAP|RPC] SHARE
[RAP|RPC] SHARE [misc. options] [targets]
[RPC|RAP] FILE
SESSION
SESSION
RAP VALIDATE
user [password]Note
RAP ADMIN
commandcommand on
the remote server. Only works with OS/2 servers.
-Note
RAP SERVICE
RAP SERVICE
LOOKUP
CACHE
s - Seconds m - Minutes h - Hours d - Days w - Weeks GETLOCALSID [DOMAIN]
GROUPMAP
GROUPMAP ADD
net groupmap add {rid=int|sid=string} unixgroup=string \
[type={domain|local}] [ntgroup=string] [comment=string]
GROUPMAP DELETE
GROUPMAP DELETE
MAXRID
RPC INFO
RPC TRUSTDOM
RPC TRUSTDOM
RPC TRUSTDOM DEL
DOMAIMDOMAIN from the remote server.
-Note
SHUTDOWN [-t timeout] [-r] [-f] [-C message]
SHUTDOWN [-t timeout] [-r] [-f] [-C message]
RPC VAMPIRE
ADS STATUS
ADS PRINTER
ADS PRINTER
ADS SEARCH
EXPRESSION ATTRIBUTES...net ads search '(objectCategory=group)' sAMAccountName
-AUTHOR
net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountNameUSERSHARE
net usershare add sharename path [comment] [acl] [guest_ok=[y|n]] - to add or change a user defined share. net usershare delete sharename - to delete a user defined share. net usershare info [-l|--long] [wildcard sharename] - to print info about a user defined share. net usershare list [-l|--long] [wildcard sharename] - to list user defined shares. USERSHARE ADD
sharename path [comment] [acl] [guest_ok=[y|n]]USERSHARE DELETE
sharenameUSERSHARE INFO
[-l|--long] [wildcard sharename]USERSHARE LIST
[-l|--long] wildcard sharenameName
Synopsis
nmbd [-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-p <port number>] [-s <configuration file>]DESCRIPTION
Synopsis
nmbd [-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-p <port number>] [-s <configuration file>]DESCRIPTION
smb.conf. Thus nmbd will
reply to broadcast queries for its own name(s). Additional
names for nmbd to respond on can be set
@@ -22,7 +22,7 @@
replying to queries from clients for these names.OPTIONS
OPTIONS
smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
@@ -88,7 +88,7 @@
This option changes the default UDP port number (normally 137)
that nmbd responds to name queries on. Don't
use this option unless you are an expert, in which case you
- won't need help!FILES
/etc/inetd.conf/usr/samba/lib/smb.conf
and /etc/samba/smb.conf.wins.dat
in the var/locks directory configured under
wherever Samba was configured to install itself.browse.dat
in the var/locks directory
configured under wherever Samba was configured to install itself.
- SIGNALS
SEE ALSO
rfc1001.txt, rfc1002.txt.
In addition the CIFS (formerly SMB) specification is available
as a link from the Web page
- http://samba.org/cifs/.AUTHOR
Name
Synopsis
nmblookup [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] [-f] {name}Synopsis
nmblookup [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] [-f] {name}DESCRIPTION
OPTIONS
OPTIONS
name with a
type of 0x1d. If
name is "-" then it does a lookup on the special name
@@ -28,7 +28,7 @@
name as
an IP Address and do a node status query on this address.smb.conf file.
+to setting the parameter in the smb.conf file.
However, a command
line setting will take precedence over settings in
smb.conf.smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
@@ -88,12 +88,12 @@
If a NetBIOS name then the different name types may be specified
by appending '#<type>' to the name. This name may also be
'*', which will return all registered names within a broadcast
- area.EXAMPLES
AUTHOR
AUTHOR
Name
Synopsis
ntlm_auth [-d debuglevel] [-l logdir] [-s <smb config file>]DESCRIPTION
Name
Synopsis
ntlm_auth [-d debuglevel] [-l logdir] [-s <smb config file>]DESCRIPTION
OPERATIONAL REQUIREMENTS
winbindd_privileged in
$LOCKDIR. This should be done either by running
this command as root or providing group access
to the winbindd_privileged directory. For
- security reasons, this directory should not be world-accessable. OPTIONS
OPTIONS
smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
EXAMPLE SETUP
squid.conf file.
@@ -144,13 +144,13 @@
auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
-
TROUBLESHOOTING
AUTHOR
Name
DESCRIPTION
Name
DESCRIPTION
OPTIONS
/etc/security/pam_winbind.conf. Options
+ from the PAM configuration file take precedence to those from
+ the configuration file.
+
MYDOMAIN\mygroup or
- MYDOMAIN\myuser. pam_winbind will, in that case, lookup the SID internally. Note that
+ SID. That name must have the form: MYDOMAIN\\mygroup or
+ MYDOMAIN\\myuser. pam_winbind will, in that case, lookup the SID internally. Note that
NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
user is a member of with wbinfo --user-sids=SID.
winbind refresh tickets, winbind will
+ keep your Ticket Granting Ticket (TGT) uptodate by refreshing
+ it whenever necessary.
+
+ krb5_auth option, it can
+ store the retrieved Ticket Granting Ticket (TGT) in a
+ credential cache. The type of credential cache can be set with
+ this option. Currently the only supported value is:
+ FILE. In that case a credential cache in
+ the form of /tmp/krb5cc_UID will be created, where UID is
+ replaced with the numeric user id. Leave empty to just do
+ kerberos authentication without having a ticket cache after the
+ logon has succeeded.
+
+ winbind offline logon is enabled. To use this feature from the PAM module this option must be set.
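Review bot: typo in the added winbind refresh tickets paragraph: "uptodate" should be "up to date". In the same hunk the name examples change from MYDOMAIN\mygroup to MYDOMAIN\\mygroup; if the doubled backslash is there to show how the name must be escaped in the PAM configuration rather than a literal double backslash, the text should say so, otherwise an administrator copying the example will specify the wrong group or user name for require_membership_of.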
Name
Synopsis
pdbedit [-L] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-a] [-m] [-r] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-g] [-d debuglevel] [-s configfile] [-P account-policy] [-C value] [-c account-control]DESCRIPTION
Name
Synopsis
pdbedit [-L] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-a] [-t, --password-from-stdin] [-m] [-r] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-g] [-d debuglevel] [-s configfile] [-P account-policy] [-C value] [-c account-control] [-y]DESCRIPTION
OPTIONS
OPTIONS
@@ -53,7 +53,7 @@
directory network path.
account policy value for bad lockout attempt was 0
account policy value for bad lockout attempt is now 3
-
-y,
+ then -i in-backend -e out-backend
+ applies to the account policies instead of the user database.smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
-Name
Synopsis
profiles [-v] [-c SID] [-n SID] {file}Synopsis
profiles [-v] [-c SID] [-n SID] {file}DESCRIPTION
Name
Synopsis
rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-N] [-I destinationIP] {server}DESCRIPTION
Synopsis
rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-N] [-I destinationIP] {server}DESCRIPTION
OPTIONS
OPTIONS
IP address is the address of the server to connect to.
It should be specified in standard "a.b.c.d" notation. smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
@@ -70,7 +70,7 @@
rpcclient to prompt for a password and type
it in directly. smb.conf file.
+to setting the parameter in the smb.conf file.
However, a command
line setting will take precedence over settings in
smb.conf.smb.conf manual page for the list of valid
options. COMMANDS
COMMANDS
LSARPC
LSARPC-DS
SRVSVC
SAMR
SPOOLSS
LSARPC-DS
SRVSVC
SAMR
SPOOLSS
NETLOGON
BUGS
AUTHOR
Name
Synopsis
samba DESCRIPTION
Name
Synopsis
samba DESCRIPTION
COMPONENTS
AVAILABILITY
CONTRIBUTIONS
CONTRIBUTORS
change-log in the source package
@@ -101,7 +101,7 @@
http://cvs.samba.org/
for the contributors to Samba post-CVS. CVS is the Open Source
source code control system used by the Samba Team to develop
- Samba. The project would have been unmanageable without it.AUTHOR
AUTHOR
Name
Synopsis
smbcacls {//server/share} (unknown) [-D acls] [-M acls] [-a acls] [-S acls] [-C name] [-G name] [--numeric] [-t] [-U username] [-h] [-d]DESCRIPTION
OPTIONS
Name
Synopsis
smbcacls {//server/share} (unknown) [-D acls] [-M acls] [-a acls] [-S acls] [-C name] [-G name] [--numeric] [-t] [-U username] [-h] [-d]DESCRIPTION
OPTIONS
smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
-ACL FORMAT
REVISION:<revision number>
OWNER:<sid or name>
@@ -78,13 +78,13 @@
file permissions of the same name.
EXIT STATUS
AUTHOR
AUTHOR
Name
Synopsis
smbclient [-b <buffer size>] [-d debuglevel] [-L <netbios name>] [-U username] [-I destinationIP] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-k] [-P] [-c <command>]smbclient {servicename} [password] [-b <buffer size>] [-d debuglevel] [-D Directory] [-U username] [-W workgroup] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-l logdir] [-I destinationIP] [-E] [-c <command string>] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-T<c|x>IXFqgbNan] [-k]Synopsis
smbclient [-b <buffer size>] [-d debuglevel] [-L <netbios name>] [-U username] [-I destinationIP] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-k] [-P] [-c <command>]smbclient {servicename} [password] [-b <buffer size>] [-d debuglevel] [-D Directory] [-U username] [-W workgroup] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-l logdir] [-I destinationIP] [-E] [-c <command string>] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-T<c|x>IXFqgbNan] [-k]DESCRIPTION
OPTIONS
OPTIONS
//server/service where server
is the NetBIOS name of the SMB/CIFS server
@@ -139,7 +139,7 @@
investigating a problem. Levels above 3 are designed for
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic.smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
@@ -174,7 +174,7 @@
rpcclient to prompt for a password and type
it in directly. smb.conf file.
+to setting the parameter in the smb.conf file.
However, a command
line setting will take precedence over settings in
smb.conf.I - Include files and directories.
Is the default behavior when filenames are specified above. Causes
- tar files to be included in an extract or create (and therefore
+ files to be included in an extract or create (and therefore
everything else to be excluded). See example below. Filename globbing
- works in one of two ways. See r below. X - Exclude files and directories.
- Causes tar files to be excluded from an extract or create. See
+ works in one of two ways. See r below. X - Exclude files and directories.
+ Causes files to be excluded from an extract or create. See
example below. Filename globbing works in one of two ways now.
- See r below. b - Blocksize. Must be followed
+ See r below. F - File containing a list of files and directories.
+ The F causes the name following the tarfile to
+ create to be read as a filename that contains a list of files and directories to
+ be included in an extract or create (and therefore everything else to be excluded).
+ See example below. Filename globbing works in one of two ways.
+ See r below.
+ b - Blocksize. Must be followed
by a valid (greater than zero) blocksize. Causes tar file to be
written out in blocksize*TBLOCK (usually 512 byte) blocks.
g - Incremental. Only back up
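Review bot: the new F flag description is hard to parse: "The F causes the name following the tarfile to create to be read as a filename that contains a list of files and directories". Suggest "When F is given, the argument following the tarfile name is read as a file containing the list of files and directories to include", and add the promised example below, since the I and X entries point to one while F only says "See example below".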
@@ -246,13 +252,14 @@
users/docs. tarlist.
-N is implied by -c.OPERATIONS
smb:\> NOTES
ENVIRONMENT VARIABLES
USER may contain the
username of the person using the client. This information is
used only if the protocol level is high enough to support
session-level passwords.PASSWD may contain
@@ -404,7 +411,7 @@
the path, executed with system(), which the client should connect
to instead of connecting to a server. This functionality is primarily
intended as a development aid, and works best when using a LMHOSTS
- fileINSTALLATION
/usr/local/samba/bin/ or
@@ -415,11 +422,11 @@
and writeable only by the user. DIAGNOSTICS
DIAGNOSTICS
AUTHOR
AUTHOR
Name
SYNOPSIS
Name
SYNOPSIS
smb.conf file is a configuration file for the Samba suite. smb.conf contains runtime configuration information for the Samba programs. The
smb.conf file is designed to be configured and administered by the
swat(8) program. The
@@ -26,7 +26,7 @@
The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean,
which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved
in string values. Some items such as create masks are numeric.
- SECTION DESCRIPTIONS
/home/bar. The share is accessed via the share name foo:
[foo]
- path = /home/bar
- read only = no
+ path = /home/bar
+ read only = no
[aprinter]
- path = /usr/spool/public
- read only = yes
- printable = yes
- guest ok = yes
+ path = /usr/spool/public
+ read only = yes
+ printable = yes
+ guest ok = yes
SPECIAL SECTIONS
SPECIAL SECTIONS
The [global] section
The [homes] section
[homes]
-read only = no
+read only = no
[printers]
-path = /usr/spool/public
-guest ok = yes
-printable = yes
+path = /usr/spool/public
+guest ok = yes
+printable = yes
printcap name = lpstat to automatically obtain a list of printers. See the
printcap name option for more details.
- USERSHARES
section of the smb.conf.
+ The relevant parameters are :
+ foo to create user defined
+ shares, create the directory to contain the share definitions as follows:
+
+mkdir /usr/local/samba/lib/usershares
+chgrp foo /usr/local/samba/lib/usershares
+chmod 1770 /usr/local/samba/lib/usershares
+
+ usershare path = /usr/local/samba/lib/usershares
+ usershare max shares = 10 # (or the desired number of shares)
+
smb.conf. Members of the group foo may then manipulate the user defined shares
+ using the following commands.PARAMETERS
VARIABLE SUBSTITUTIONS
guest account
= for the service, irrespective of the supplied password.
- EXPLANATION OF EACH PARAMETER
SeRemoteShutdownPrivilege,
+ EXPLANATION OF EACH PARAMETER
SeRemoteShutdownPrivilege,
right, this command will be run as user.abort shutdown script =
abort shutdown script = /sbin/shutdown -c
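Review bot: the added USERSHARES setup leaves the permission choice unexplained: "chmod 1770 /usr/local/samba/lib/usershares" is the security-relevant step (the directory is writable only by root and group foo, unreadable by everyone else, and the sticky bit stops one group member deleting another member's share definition), so one sentence saying that is worth adding. The example line "usershare max shares = 10 # (or the desired number of shares)" puts a comment after the value on the same line; move it to its own line so it cannot be pasted into smb.conf as part of the value.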
@@ -327,16 +351,13 @@
directory hierarchy in much the same was as Windows. This allows all members of a UNIX group to
control the permissions on a file or directory they have group ownership on.
dos filemode option.
acl group control = no
add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u
+port namedevice URIadd port command =
+
+add port command = /etc/samba/scripts/addport.sh
+
add share command with four parameters.
+ add share command with five parameters.
configFile - the location
of the global smb.conf file.
shareName - the name of the new
@@ -410,9 +441,13 @@
directory on disk.
comment - comment string to associate
with the new share.
+ max
+ connections
+ Number of maximum simultaneous connections to this
+ share.
add share command =
add share command = /usr/local/bin/addshare
@@ -429,16 +464,16 @@
ON DEMAND when a user accesses the Samba server.
%u, which expands into the UNIX user name to create.
%u argument to be the user name to create.
add user script =
add user script = /usr/local/samba/bin/add_user %u
@@ -468,7 +503,7 @@
administrative privileges on the share. This means that they
will do all file operations as the super-user (root).admin users =
admin users = jason
@@ -518,7 +553,7 @@
# (to disable roundups)
server,domain or ads.
If it is set to no, then attempts to connect to a resource from
a domain or workgroup other than the one which smbd is running
@@ -553,7 +588,7 @@
-r parameter, with remote machineremote
machine set to the IP name of the primary interface of the local host.
block size = 1024
+
+block size = 4096
+
+browseable = yes
yes. You should never need to change
this.browse list = yes
-case sensitive = no
+case sensitive = no
-change notify
- timeout seconds.change notify timeout = 60
+ timeout seconds. Note that in 3.0.23 this has been changed to a
+ per-share parameter and setting this to zero prevents any change notify directory
+ scans completely on a share. This is to allow this paramter to be set to zero on
+ shares configured for very large directories, where a Windows client will re-scan
+ the entire directory after every delete operation (when deleting many files) due to
+ the change notify triggering. This is an extremely expensive operation on some
+ systems.change notify timeout = 60
change notify timeout = 300
# Would change the scan time to every 5 minutes.
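Review bot: typo in the added change notify timeout text: "This is to allow this paramter to be set to zero" should read "parameter". The same addition says "in 3.0.23 this has been changed to a per-share parameter"; since this is the manual shipped with 3.0.23, "as of 3.0.23" reads better and will not go stale in later releases.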
@@ -669,7 +714,7 @@
uid == 0).
change share command with four parameters.
+ change share command with five parameters.
configFile - the location
of the global smb.conf file.
shareName - the name of the new
@@ -678,6 +723,10 @@
directory on disk.
comment - comment string to associate
with the new share.
+ max
+ connections
+ Number of maximum simultaneous connections to this
+ share.
client schannel = auto
@@ -750,7 +799,7 @@
when a client does a queries the server, either via the network
neighborhood or via net view to list what shares
are available.comment =
+ machine name then see the server string parameter.comment =
# No comment
comment = Fred's Files
@@ -785,13 +834,13 @@
write and execute bits from the UNIX modes.
create mask = 0744
create mask = 0775
@@ -803,13 +852,13 @@
These values correspond to those used on Windows servers.
csc policy = manual
csc policy = programs
cups. Its value is a free form string of options
passed directly to the cups library.
cups options = "raw,media=a4,job-sheets=secret,secret"
cups.
+ This parameter is only applicable if printing is set to cups.
client.conf. This is
necessary if you have virtual samba servers that connect to different CUPS daemons.
@@ -852,7 +901,7 @@
Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this
boolean parameter adds microsecond resolution to the timestamp message header when turned on.
debug hires timestamp = no
debug pid = no
debug timestamp = yes
@@ -873,13 +922,13 @@
Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the
current euid, egid, uid and gid to the timestamp message headers in the log file if turned on.
debug uid = no
-default case = lower
+default case = lower
-%S to make a wildcard service.
smb.conf.
-
smb.conf to associated printer no longer exists.
If the sharename is still valid, then smbd
@@ -975,7 +1024,7 @@
the existing service.
delete share command =
delete share command = /usr/local/bin/delshare
@@ -1000,7 +1049,7 @@
no (the default) then if a vetoed
directory contains any non-vetoed files or directories then the
directory delete will fail. This is usually what you want.yes, then Samba
@@ -1008,7 +1057,7 @@
the vetoed directory. This can be useful for integration with file
serving systems such as NetAtalk which create meta-files within
directories you might normally veto DOS/Windows users from seeing
- (e.g. .AppleDouble).AppleDouble)delete veto files = no
@@ -1020,7 +1069,7 @@
dfree cache time = dfree cache time = 60
@@ -1036,7 +1085,7 @@
function.
directory mask = 0755
+ a mask on access control lists also, they need to set the directory security mask.directory mask = 0755
directory mask = 0775
@@ -1086,7 +1135,7 @@
permission on a directory using the native NT security dialog
box.display charset = ASCII
display charset = UTF8
+dmapi support = no
+
yes, the Samba server will
provide the netlogon service for Windows 9X network logons for the
- workgroup it is in.
+ workgroup it is in.
This will also cause the Samba server to act as a domain
controller for NT4 style domain services. For more details on
setting up this feature see the Domain Control chapter of the
@@ -1146,25 +1210,25 @@
Tell smbd(8) to enable
WAN-wide browse list collation. Setting this option causes nmbd to claim a
special domain specific NetBIOS name that identifies it as a domain master browser for its given
- workgroup. Local master browsers in the same workgroup on
+ workgroup. Local master browsers in the same workgroup on
broadcast-isolated subnets will give this nmbd their local browse lists,
and then ask smbd(8) for a
complete copy of the browse list for the whole wide area network. Browser clients will then contact their
local master browser, and will receive the domain-wide browse list, instead of just the list for their
broadcast-isolated subnet.
domain master = auto
@@ -1189,11 +1253,10 @@
able to change the permissions on it. However, this behavior
is often confusing to DOS/Windows users. Enabling this parameter
allows a user who has write access to the file (by whatever
- means) to modify the permissions on it. Note that a user
+ means) to modify the permissions (including ACL) on it. Note that a user
belonging to the group owning the file will not be allowed to
change permissions if the group is only granted read access.
- Ownership of the file/directory is not changed, only the permissions
- are modified.dos filemode = no
+ Ownership of the file/directory may also be changed.dos filemode = no
enable asu support = yes
+ an [ADMIN$] file share in smb.conf.enable asu support = no
enable privileges = no
-
-enable rid algorithm = yes
+ Samba documentation.enable privileges = yes
encrypt passwords = yes
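Review bot: the dos filemode paragraph replaces "Ownership of the file/directory is not changed, only the permissions are modified" with "Ownership of the file/directory may also be changed" without stating who can change it or to whom; since this widens what a user with write access can do, the text should spell out the condition. In the same hunk the enable privileges entry gains a new "enable privileges = yes" line while "enable rid algorithm = yes" is removed; if the default is changing, say so explicitly next to the old "enable privileges = no" line rather than leaving both values on the page.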
@@ -1354,7 +1408,7 @@
cache file data. With some oplock types the client may even cache
file open/close operations. This can give enormous performance benefits.
fake oplocks = no
+kernel change notify
+ parameter will take precedence if it is also enabled.
+ fam change notify = yes
+
no prevents any file or directory that is a symbolic link from being
@@ -1404,7 +1468,7 @@
the UNIX permission on a directory using the native NT security dialog box.
force group will override the primary group
set in force user.force group =
@@ -1472,7 +1536,7 @@
the UNIX permission on a file using the native NT security dialog box.
no.getwd cache = yes
+ when the wide smbconfoptions parameter is set to no.getwd cache = yes
yes for
a service, then no password is required to connect to the service.
- Privileges will be those of the guest account.guest ok = no
yes for
a service, then only guest connections to the service are permitted.
- This parameter will have no effect if guest ok is not set for the service.guest only = no
hide unwriteable files = no
yes, and smbd(8) is also acting as a Win95/98 logon server
+ If nis homedir is yes, and smbd(8) is also acting as a Win95/98 logon server
then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted.
At present, only the Sun auto.home map format is understood. The form of the map is:
@@ -1629,9 +1693,9 @@
If set to
yes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse
Dfs trees hosted on the server.
host msdfs = no
+ host msdfs = yes
hostname lookups = yes
-hosts_access(5). Note that this man
page may not be present on your system, so a brief description will
be given here also.0.0.0.0/0) and then explicitly specify
- to the hosts allow = hosts allow parameter those hosts
+ to the hosts allow = hosts allow parameter those hosts
that should be permitted access.
hosts deny =
# none (i.e., no hosts specifically excluded)
hosts deny = 150.203.4. badhost.mynet.edu.au
-
- hosts equiv may be useful for NT clients which will
- not supply passwords to Samba.Note
hosts equiv
- can be a major security hole. This is because you are
- trusting the PC to supply the correct username. It is very easy to
- get a PC to supply a false username. I recommend that the
- hosts equiv option be only used if you really
- know what you are doing, or perhaps on a home network where you trust
- your spouse and kids. And only if you really trust
- them :-).hosts equiv =
-# no host equivalences
-
-hosts equiv = hosts equiv = /etc/hosts.equiv
-
idmap backend =
idmap backend = ldap:ldap://ldapslave.example.com
-idmap backend = idmap_rid:BUILTIN=1000-1999,DOMNAME=2000-100000000
+idmap backend = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"
-idmap backend = idmap_ad
+idmap backend = ad
inherit owner = no
invalid users = root fred admin @wheel
iprint.
+ This parameter is only applicable if printing is set to iprint.
client.conf. This is
necessary if you have virtual samba servers that connect to different CUPS daemons.
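Review bot: the whole hosts equiv entry, including its warning that the option trusts the client to supply the correct username and is "a major security hole", is deleted here with no replacement text; suggest a one-line note that the parameter has been removed (or is ignored) so administrators upgrading with hosts equiv in smb.conf know the setting no longer has effect. In the same hunk the idmap backend examples change from "idmap_rid:BUILTIN=1000-1999,DOMNAME=2000-100000000" and "idmap_ad" to rid:"..." and ad; a sentence stating whether the old spellings are still accepted would help the same upgraders.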
@@ -1828,7 +1874,7 @@
packets. If this parameter is zero, no keepalive packets will be
sent. Keepalive packets, if sent, allow the server to tell whether
a client is still present and responding.keepalive = 300
keepalive = 600
@@ -1840,7 +1886,7 @@
change notification to user programs, using the F_NOTIFY fcntl.
kernel change notify = yes
-oplocks
to be broken whenever a local UNIX process or NFS operation
@@ -1877,37 +1923,37 @@
tested as some other Samba code paths.large readwrite = yes
private/secrets.tdb
file. See the smbpasswd(8)
man page for more information on how to accomplish this.
ldap delete dn = no
-ldap group suffix =
+ If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the
+ ldap suffix string so use a partial DN.ldap group suffix =
ldap group suffix = ou=Groups
ldap idmap suffix =
ldap idmap suffix = ou=Idmap
ldap machine suffix =
ldap machine suffix = ou=Computers
@@ -1917,24 +1963,12 @@
and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password
change via SAMBA.
Yes = Try
to update the LDAP, NT and LM passwords and update the pwdLastSet time.No = Update NT and
LM passwords and update the pwdLastSet time.Only = Only update
the LDAP password and let the LDAP server do the rest.ldap passwd sync = no
-ldap port = 636
-# if ldap ssl = on
-
-ldap port = 389
-# if ldap ssl = off
-
ldapsam:trusted = no
-ldap server = localhost
-
configure
- script.Off = Never
+ script.Off = Never
use SSL when querying the directory.Start_tls = Use
the LDAPv3 StartTLS extended operation (RFC2830) for
communicating with the directory server.On = Use SSL
on the ldaps port when contacting the ldap server. Only available when the
backwards-compatiblity --with-ldapsam option is specified
- to configure. See passdb backendldap ssl = start_tls
+ to configure. See passdb backendldap ssl = start_tls
ldap suffix =
ldap suffix = dc=samba,dc=org
@@ -2002,8 +2030,8 @@
ldap user suffix =
ldap user suffix = ou=people
@@ -2022,9 +2050,9 @@
or waited for) and told to break their oplocks to "none" and
delete any read-ahead caches.yes). Note also, the oplocks
+ yes). Note also, the oplocks
parameter must be set to yes on this share in order for
this parameter to have any effect.level2 oplocks = yes
@@ -2036,27 +2064,27 @@
If set to no Samba will never produce these
broadcasts. If set to yes Samba will produce
Lanman announce broadcasts at a frequency set by the parameter
- lm interval. If set to auto
+ lm interval. If set to auto
Samba will not send Lanman announce broadcasts by default but will
listen for them. If it hears such a broadcast on the wire it will
then start sending them at a frequency set by the parameter
- lm interval.lm announce = auto
+ lm interval.lm announce = auto
lm announce = yes
lm interval = 60
lm interval = 120
load printers = yes
lock directory = ${prefix}/var/locks
lock directory = /var/run/samba/locks
@@ -2098,7 +2126,7 @@
lock spin time = 10
+ lock spin count for more details.lock spin time = 10
logon drive = z:
+ logon drive =
logon drive = h:
@@ -2144,12 +2172,12 @@
in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does
net use /home but use the whole string when dealing with profiles.
logon home. This broke net use /home
but allowed profiles outside the home directory. The current implementation is correct, and can be used for
profiles if you use the above trick.
logon home = \\%N\%U
@@ -2160,7 +2188,7 @@
This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are
stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming
profiles. To find out how to handle roaming profiles for Win 9X system, see the
- logon home parameter.
+ logon home parameter.
desktop, start menu, network neighborhood, programs and other
@@ -2189,7 +2217,7 @@
provided system tool.
[netlogon] service. If the [netlogon]
- service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:
+ service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:
/usr/local/samba/netlogon/STARTUP.BAT
lppause command =
# Currently no default value is given to
- this string, unless the value of the printing
+ this string, unless the value of the printing
parameter is SYSV, in which case the default is :
lp -i %p-%j -H hold or if the value of the
printing parameter is
@@ -2294,11 +2322,11 @@
executed on the server host in order to restart or continue
printing or spooling a specific print job.%p is given then the printer name
+ also the lppause command parameter.%p is given then the printer name
is put in its place. A %j is replaced with
the job number (an integer).lpresume command as the PATH may not
- be available to the server.printing
parameter is SYSV, in which case the default is :printing parameter
is SOFTQ, then the default is:lpresume command = lpresume command = /usr/bin/lpalt %p-%j -p2
@@ -2321,18 +2349,18 @@
lprm command = determined by printing parameter
private/secrets.tdb
. This parameter specifies how often this password will be changed, in seconds. The default is one
week (expressed in seconds), the same as a Windows NT Domain member server.
machine password timeout = 604800
Warning
magic script
in the same directory the output file content is undefined.
magic output = <magic script name>.out
@@ -2345,7 +2373,7 @@
executed on behalf of the connected user.html to htm
you would use:
;1 off
the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of
@@ -2378,7 +2406,7 @@
mangle prefix = 4
mangling char = ~
@@ -2445,23 +2473,23 @@
any file it touches from becoming executable under UNIX. This can
be quite annoying for shared source code, documents, etc...
map archive = yes
No, or no extended attribute is
- present. If store dos attributes is set to yes then this
+ store dos attributes is set to No, or no extended attribute is
+ present. If store dos attributes is set to yes then this
parameter is ignored. This is a new parameter introduced in Samba version 3.0.21.
Yes - The read only DOS attribute is mapped to the inverse of the user
@@ -2474,18 +2502,18 @@
is reported as being set on the file.
No - The read only DOS attribute is unaffected by permissions, and can only be set by
- the store dos attributes method. This may be useful for exporting mounted CDs.
+ the store dos attributes method. This may be useful for exporting mounted CDs.
map read only = yes
map system = no
-security = share
- i.e. user, server,
and domain.Bad User - Means user
logins with an invalid password are rejected, unless the username
does not exist, in which case it is treated as a guest login and
- mapped into the guest account.Bad Password - Means user logins
+ mapped into the guest account.Bad Password - Means user logins
with an invalid password are treated as a guest login and mapped
- into the guest account. Note that
+ into the guest account. Note that
this can cause problems as it means that any user incorrectly typing
their password will be silently logged on as "guest" - and
will not know the reason they cannot access files they think
@@ -2527,7 +2555,7 @@
If max connections is greater than 0 then connections
will be refused if this number of connections to the service are already open. A value
of zero mean an unlimited number of connections may be made.max connections = 0
+ the directory specified by the lock directory option.max connections = 0
max connections = 10
@@ -2617,16 +2645,16 @@
never need to change this parameter. The default is 3 days.max ttl = 259200
max wins ttl = 518400
max xmit = 65535
+ that will be negotiated by Samba. The default is 16644, which
+ matches the behavior of Windows 2000. A value below 2048 is likely to cause problems.
+ You should never need to change this parameter from its default value.
+max xmit = 16644
max xmit = 8192
@@ -2678,18 +2706,18 @@
source/smbd/negprot.c for a listing of known protocol
dialects supported by clients.min protocol = CORE
min protocol = NT1
min wins ttl = 21600
@@ -2699,7 +2727,7 @@
the value of the parameter. When clients attempt to connect to
this share, they are redirected to the proxied share using
the SMB-Dfs protocol.msdfs proxy = \otherserver\someshare
yes, Samba treats the
@@ -2708,7 +2736,7 @@
Dfs links are specified in the share directory by symbolic
links of the form msdfs:serverA\\shareA,serverB\\shareB
and so on. For more information on setting up a Dfs tree on
- Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.msdfs root = no
+ Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.msdfs root = yes
wins : Query a name with
- the IP address listed in the WINSSERVER parameter. If no WINS server has
+ the IP address listed in the WINSSERVER parameter. If no WINS server has
been specified this method will be ignored.bcast : Do a broadcast on
- each of the known local interfaces listed in the interfaces
+ each of the known local interfaces listed in the interfaces
parameter. This is the least reliable of the name resolution
methods as it depends on the target host being on a locally
connected subnet.nis homedir = no
nt acl support = yes
+ UNIX permissions into Windows NT access control lists. The UNIX
+ permissions considered are the the traditional UNIX owner and
+ group permissions, as well as POSIX ACLs set on any files or
+ directories. This parameter was formally a global parameter in
+ releases prior to 2.2.2.nt acl support = yes
obey pam restrictions = no
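Review bot: two typos in the new nt acl support text: "the the traditional UNIX owner and group permissions" doubles "the", and "This parameter was formally a global parameter" should read "formerly". Suggest "The UNIX permissions considered are the traditional UNIX owner and group permissions" and "was formerly a global parameter in releases prior to 2.2.2".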
@@ -2837,13 +2867,21 @@
client can supply a username to be used by the server. Enabling
this parameter will force the server to only use the login
names from the user list and is only really
- useful in security = share level security.user list
will be just the service name, which for home directories is the
name of the user.only user = no
+open files database hash size = 10007
+
+open files database hash size = 1338457
+
docs/ directory.
oplocks = yes
pam password change = no
+ passwd chat parameter for most setups.pam password change = no
ldaps:// in
the URL argument. passdb expand explicit = yes
+ passdb expand explicit = no
yes. This sequence is
+ etc).yes. This sequence is
then called AS ROOT when the SMB password in the
smbpasswd file is being changed, without access to the old password
cleartext. This means that root must be able to reset the user's password without
knowing the text of the previous password. In the presence of
- NIS/YP, this means that the passwd program must
+ NIS/YP, this means that the passwd program must
be executed on the NIS master.
%n which is substituted
for the new password. The chat sequence can also contain the standard
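Review bot: the default of passdb expand explicit flips from yes to no in this hunk (`- passdb expand explicit = yes` / `+ passdb expand explicit = no`) with no accompanying change to the description. A default change in a passdb parameter alters what existing configurations do after upgrade; add a sentence noting the new default and that sites relying on the old expansion must now set it explicitly. Separately, the only user text correctly drops the security = share reference, but the surviving sentence "is only really" is now left dangling and should be completed or removed.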
@@ -3008,7 +3044,7 @@
a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces
in them into a single string.yes, the
+ expect string is a full stop then no string is expected.yes, the
chat pairs may be matched in any order, and success is determined by the PAM result, not any particular
output. The \n macro is ignored for PAM conversions.
passwd chat = *new*password* %n\n*new*password* %n\n *changed*
@@ -3019,13 +3055,13 @@
parameter is run in debug mode. In this mode the
strings passed to and received from the passwd chat are printed
in the smbd(8) log with a
- debug level
+ debug level
of 100. This is a dangerous option as it will allow plaintext passwords
to be seen in the smbd log. It is available to help
Samba admins debug their passwd chat scripts
when calling the passwd program and should
be turned off after this has been done. This option has no effect if the
- pam password change
+ pam password change
paramter is set. This parameter is off by default.passwd chat debug = no
password level = 0
+ since samba-3.0.0). Use this only when encrypt passwords = No.password level = 0
password level = 4
@@ -3088,7 +3124,7 @@
Samba will use the standard LDAP port of tcp/389. Note that port numbers
have no effect on password servers for Windows NT 4.0 domains or netbios
connections.Note
%m
will be replaced by the NetBIOS name of the machine they are
connecting from. These replacements are very useful for setting
- up pseudo home directories for users.path =
path = /home/fred
@@ -3184,13 +3220,13 @@
preexec = csh -c 'echo \"Welcome to %S!\" |
/usr/local/samba/bin/smbclient -M %m -I %I' &
preexec =
preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log
preexec close = no
@@ -3199,7 +3235,7 @@
yes, on startup, nmbd will force
an election, and it will have a slight advantage in winning the election. It is recommended that this
- parameter is used in conjunction with domain master = yes, so that
+ parameter is used in conjunction with domain master = yes, so that
nmbd can guarantee becoming a domain master.
preload =
@@ -3227,7 +3263,7 @@
preserve case = yes
@@ -3236,7 +3272,7 @@
clients may open, write to and submit spool files on the directory
specified for the service. printable = no
/etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.
nobody account. If this happens then create
- an alternative guest account that can print and set the guest account
+ an alternative guest account that can print and set the guest account
in the [global] section.lp on many
+ The default value of the printer name may be lp on many
systems.
printer name = none
@@ -3416,7 +3452,7 @@
read list =
read list = mary, @students
-yes, then users
+yes, then users
of a service may not create or modify files in the service's
directory.remote browse sync =
@@ -3579,7 +3615,7 @@
means.
Note
restrict anonymous = 0
root directory entry other
than "/" adds an extra level of security, but at a price. It
absolutely ensures that no access is given to files not in the
@@ -3644,9 +3680,9 @@
want to mainly setup shares without a password (guest shares). This
is commonly used for a shared printer server. It is more difficult
to setup guest shares with security = user, see
- the map to guestparameter for details.guest only parameter is
not set, then this list is then tried with the supplied password.
The first user for whom the password matches will be used as the
@@ -3683,17 +3719,17 @@
be used in granting access.yes. In this
mode Samba will try to validate the username/password by passing
it to a Windows NT Primary or Backup Domain Controller, in exactly
@@ -3707,13 +3743,13 @@
requested is not sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the guest account.
- See the map to guest parameter for details on doing this.yes, unless the remote
+ encrypted passwords parameter to be set to yes, unless the remote
server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot
revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the chapter about the User Database in
the Samba HOWTO Collection for details on how to set this up.
@@ -3733,10 +3769,10 @@
requested is not sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the guest account.
- See the map to guest parameter for details on doing this.no you will have to apply the WindowsXP
@@ -3838,8 +3874,8 @@
short preserve case = yes
@@ -3939,10 +3975,10 @@
strict allocate = no
yes,
+ This is an enumerated type that controls the handling of file locking in the server. When this is set to yes,
the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on
some systems.
strict locking = yes
+ strict locking = Auto
no.
no. The default value of encrypt passwords = Yes. Note: This must be set to no for this update encrypted to work.
+ In order for this parameter to be operative the encrypt passwords parameter must
+ be set to no. The default value of encrypt passwords = Yes. Note: This must be set to no for this update encrypted to work.
fred is remapped to mary then you will actually be connecting to
\\server\mary and will need to supply a password suitable for mary not
- fred. The only exception to this is the username passed to the password server (if you have one). The password server will receive whatever username the client
+ fred. The only exception to this is the username passed to the password server (if you have one). The password server will receive whatever username the client
supplies without modification.
username map script = /etc/samba/scripts/mapusers.sh
+guest ok = yes in a share
+ definition. Due to the security sensitive nature of this the default
+ is set to off.usershare allow guests = no
+
+usershare max shares = 0
+
+usershare owner only = True
+
+
+ ls -ld /usr/local/samba/lib/usershares/
+ drwxrwx--T 2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/
+
usershare path = NULL
+
+usershare prefix allow list = NULL
+
+usershare prefix allow list = /home /data /space
+
+usershare prefix deny list = NULL
+
+usershare prefix deny list = /etc /dev /private
+
+usershare template share = NULL
+
+usershare template share = template_share
+
yes, and the sendfile()
system call is supported by the underlying operating system, then some SMB read calls
(mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that
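Review bot: the strict locking default changes to Auto (`+ strict locking = Auto`) and the new lead sentence calls it "an enumerated type", yet the description still only explains the behaviour of yes and no; document what Auto does, because an admin reading this cannot tell whether lock checks are enforced by default. Also, the added update encrypted lines repeat the sentence already present in context ("be set to no. The default value of encrypt passwords = Yes. Note: This must be set to no ..."), so the rendered page will show it twice.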
@@ -4354,11 +4484,11 @@
Each entry must be a unix path, not a DOS path and must not include the
unix directory separator '/'.
yes.
veto files = No files or directories are vetoed.
winbind enum groups parameter is
no, calls to the getgrent() system
- call will not return any data. Warning
winbind enum groups = yes
+ call will not return any data. Warning
winbind enum groups = no
winbind enum users = yes
+ usernames. winbind enum users = no
winbind nested groups = no
+ groups, you need to run nss_winbind.winbind nested groups = yes
winbind nss info = template sfu
+pam_winbind
+ module using Cached Credentials. If enabled, winbindd will store user credentials
+ from successful logins encrypted in a local cache.
+ winbind offline logon = false
+
+winbind offline logon = true
+
+pam_winbind module.
+
+winbind refresh tickets = false
+
+winbind refresh tickets = true
+
DOMAIN
\user. This parameter
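Review bot: the winbind offline logon text says winbindd "will store user credentials from successful logins encrypted in a local cache" but does not say which file holds that cache or what permissions it must have. Since the parameter exists precisely to keep reusable credential material on disk, the entry should name the cache location and the required ownership/mode so administrators can verify it, and the winbind refresh tickets entry should likewise state that it requires winbind offline logon, if that is the dependency.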
@@ -4554,12 +4698,12 @@
workgroup = WORKGROUP
workgroup = MYGROUP
-write list =
write list = admin, root, @staff
@@ -4608,7 +4752,7 @@
wtmp directory = /var/log/wtmp
-WARNINGS
SEE ALSO
SEE ALSO
AUTHOR
Name
Synopsis
smbcontrol [-i] [-s]smbcontrol [destination] [message-type] [parameter]DESCRIPTION
OPTIONS
Name
Synopsis
smbcontrol [-i] [-s]smbcontrol [destination] [message-type] [parameter]DESCRIPTION
OPTIONS
nmbd.pid file.MESSAGE-TYPES for details.
- MESSAGE-TYPES
MESSAGE-TYPES
smbd, nmbd, or winbindd.
- AUTHOR
Name
Synopsis
smbcquotas {//server/share} [-u user] [-L] [-F] [-S QUOTA_SET_COMMAND] [-n] [-t] [-v] [-d debuglevel] [-s configfile] [-l logdir] [-V] [-U username] [-N] [-k] [-A]DESCRIPTION
OPTIONS
Name
Synopsis
smbcquotas {//server/share} [-u user] [-L] [-F] [-S QUOTA_SET_COMMAND] [-n] [-t] [-v] [-d debuglevel] [-s configfile] [-l logdir] [-V] [-U username] [-N] [-k] [-A]DESCRIPTION
OPTIONS
smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
@@ -60,7 +60,7 @@
many systems the command line of a running process may be seen
via the ps command. To be safe always allow
rpcclient to prompt for a password and type
-it in directly. QUOTA_SET_COMAND
@@ -73,13 +73,13 @@
for changing the share quota settings:
FSQFLAGS:QUOTA_ENABLED/DENY_DISK/LOG_SOFTLIMIT/LOG_HARD_LIMIT
- EXIT STATUS
Name
Synopsis
smbd [-D] [-F] [-S] [-i] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>] [-p <port number(s)>] [-O <socket option>] [-s <configuration file>]DESCRIPTION
Name
Synopsis
smbd [-D] [-F] [-S] [-i] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>] [-p <port number(s)>] [-O <socket option>] [-s <configuration file>]DESCRIPTION
OPTIONS
OPTIONS
smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
@@ -76,9 +76,9 @@
port number(s) is a
space or comma-separated list of TCP ports smbd should listen on.
- The default value is taken from the ports parameter in smb.confsmb.confFILES
/etc/inetd.conf/usr/local/samba/lib/smb.conf/usr/samba/lib/smb.conf
and /etc/samba/smb.conf.LIMITATIONS
LIMITATIONS
ENVIRONMENT VARIABLES
PRINTERPAM INTERACTION
DIAGNOSTICS
TDB FILES
/var/lib/samba.TDB FILES
/var/lib/samba.SIGNALS
SIGNALS
smb.conf configuration
file within a short period of time.SEE ALSO
SEE ALSO
rfc1001.txt, rfc1002.txt.
In addition the CIFS (formerly SMB) specification is available
as a link from the Web page
- http://samba.org/cifs/.AUTHOR
Name
Synopsis
smbget [-a, --guest] [-r, --resume] [-R, --recursive] [-u, --username=STRING] [-p, --password=STRING] [-w, --workgroup=STRING] [-n, --nonprompt] [-d, --debuglevel=INT] [-D, --dots] [-P, --keep-permissions] [-o, --outputfile] [-f, --rcfile] [-q, --quiet] [-v, --verbose] [-b, --blocksize] [-?, --help] [--usage] {smb://host/share/path/to/file} [smb://url2/] [...]DESCRIPTION
Name
Synopsis
smbget [-a, --guest] [-r, --resume] [-R, --recursive] [-u, --username=STRING] [-p, --password=STRING] [-w, --workgroup=STRING] [-n, --nonprompt] [-d, --debuglevel=INT] [-D, --dots] [-P, --keep-permissions] [-o, --outputfile] [-f, --rcfile] [-q, --quiet] [-v, --verbose] [-b, --blocksize] [-?, --help] [--usage] {smb://host/share/path/to/file} [smb://url2/] [...]DESCRIPTION
OPTIONS
OPTIONS
SMB URLS
smb://[[[domain;]user[:password@]]server[/share[/path[/file]]]]
smb:// means all the workgroups
smb://name/ means, if
name is a workgroup, all the servers in this workgroup, or if name is a server, all the shares on this server.
-EXAMPLES
# Recursively download 'src' directory
smbget -R smb://rhonwyn/jelmer/src
# Download FreeBSD ISO and enable resuming
@@ -17,10 +17,10 @@
smbget -Rr smb://rhonwyn/isos
# Backup my data on rhonwyn
smbget -Rr smb://rhonwyn/
-
Name
Synopsis
smbgetrcDESCRIPTION
Name
Synopsis
smbgetrcDESCRIPTION
OPTIONS
namepasswgintintAUTHOR
passwgintintName
Synopsis
smbmnt {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>] [-h]DESCRIPTION
Name
Synopsis
smbmnt {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>] [-h]DESCRIPTION
OPTIONS
OPTIONS
AUTHOR
Name
Synopsis
smbmount {service} {mount-point} [-o options]DESCRIPTION
Name
Synopsis
smbmount {service} {mount-point} [-o options]DESCRIPTION
Note
OPTIONS
USER
is used. This option can also take the form "user%password" or "user/workgroup" or "user/workgroup%password"
to allow the password and workgroup to be specified as part of the username.
@@ -71,7 +71,7 @@
like 10000ms (10 seconds) is probably more reasonable
in many cases.
(Note: only kernel 2.4.2 or later)
- ENVIRONMENT VARIABLES
USER may contain the username of the
person using the client. This information is used only if the
protocol level is high enough to support session-level
passwords. The variable can be used to set both username and
@@ -80,11 +80,11 @@
protocol level is high enough to support session-level
passwords.PASSWD_FILE may contain the pathname
of a file to read the password from. A single line of input is
- read and used as the password.OTHER COMMANDS
BUGS
SEE ALSO
SEE ALSO
AUTHOR
AUTHOR
Name
Synopsis
smbpasswdDESCRIPTION
Name
Synopsis
smbpasswdDESCRIPTION
FILE FORMAT
FILE FORMAT
passwd(5)
file. It is an ASCII file containing one line for each user. Each field
ithin each line is separated from the next by a colon. Any entry
@@ -76,10 +76,10 @@
last modified. It consists of the characters 'LCT-' (standing for
"Last Change Time") followed by a numeric encoding of the UNIX time
in seconds since the epoch (1970) that the last change was made.
- AUTHOR
Name
Synopsis
smbpasswd [-a] [-c <config file>] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-i] [-L] [username]DESCRIPTION
Name
Synopsis
smbpasswd [-a] [-c <config file>] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-W] [-i] [-L] [username]DESCRIPTION
OPTIONS
OPTIONS
-w
switch is used to specify the password to be used with the
- ldap admin dn. Note that the password is stored in
+ ldap admin dn. Note that the password is stored in
the secrets.tdb and is keyed off
of the admin's DN. This means that if the value of ldap
admin dn ever changes, the password will need to be
manually updated as well.
+ -W
+ switch is used to specify the password to be used with the
+ ldap admin dn. Note that the password is stored in
+ the secrets.tdb and is keyed off
+ of the admin's DN. This means that if the value of ldap
+ admin dn ever changes, the password will need to be
+ manually updated as well.
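Review bot: the new -W entry is a verbatim copy of the -w description ("switch is used to specify the password to be used with the ldap admin dn ..."), so the page now documents two switches with identical text and never states how -W differs, even though the synopsis adds it as a separate option. Describe the actual difference (for example, whether -W prompts for the password instead of taking it as an argument), which matters here because the same document warns elsewhere that a password given on the command line "may be seen via the ps command".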
NOTES
deny hosts entry in
the smb.conf(5) file and neglecting to
allow "localhost" access to the smbd. AUTHOR
AUTHOR
Name
Synopsis
smbsh [-W workgroup] [-U username] [-P prefix] [-R <name resolve order>] [-d <debug level>] [-l logdir] [-L libdir]DESCRIPTION
Synopsis
smbsh [-W workgroup] [-U username] [-P prefix] [-R <name resolve order>] [-d <debug level>] [-l logdir] [-L libdir]DESCRIPTION
OPTIONS
OPTIONS
smb.conf file.smb.conf file parameter
-() will be used.
+() will be used.
smb.conf file, the name
+this parameter or any entry in the parameter of the smb.conf file, the name
resolution methods will be attempted in this order. EXAMPLES
BUGS
smbwrapper.o. Not all calls have been "wrapped", so
some programs may not function correctly under smbsh
.AUTHOR
Name
Synopsis
smbspool {job} {user} {title} {copies} {options} [filename]DESCRIPTION
Name
Synopsis
smbspool {job} {user} {title} {copies} {options} [filename]DESCRIPTION
DEVICE_URI environment variable prior to
- running smbspool.OPTIONS
OPTIONS
AUTHOR
Name
Synopsis
smbstatus [-P] [-b] [-d <debug level>] [-v] [-L] [-B] [-p] [-S] [-s <configuration file>] [-u <username>]DESCRIPTION
OPTIONS
Name
Synopsis
smbstatus [-P] [-b] [-d <debug level>] [-v] [-L] [-B] [-p] [-S] [-s <configuration file>] [-u <username>]DESCRIPTION
OPTIONS
smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
username only.AUTHOR
Name
Synopsis
smbtar [-r] [-i] [-a] [-v] {-s server} [-p password] [-x services] [-X] [-N filename] [-b blocksize] [-d directory] [-l loglevel] [-u user] [-t tape] {filenames}DESCRIPTION
OPTIONS
Synopsis
smbtar [-r] [-i] [-a] [-v] {-s server} [-p password] [-x services] [-X] [-N filename] [-b blocksize] [-d directory] [-l loglevel] [-u user] [-t tape] {filenames}DESCRIPTION
OPTIONS
directory
@@ -17,14 +17,14 @@
up if they have the archive bit set. The archive bit is reset
after each file is read. -d flag of smbclient(1).ENVIRONMENT VARIABLES
$TAPE variable specifies the
default tape device to write to. May be overridden
- with the -t option. CAVEATS
AUTHOR
AUTHOR
Name
Synopsis
smbtree [-b] [-D] [-S]Synopsis
smbtree [-b] [-D] [-S]DESCRIPTION
OPTIONS
OPTIONS
smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
@@ -65,8 +65,8 @@
via the ps command. To be safe always allow
rpcclient to prompt for a password and type
it in directly. Name
Synopsis
smbumount {mount-point}DESCRIPTION
Name
Synopsis
smbumount {mount-point}DESCRIPTION
AUTHOR
Name
Synopsis
swat [-s <smb config file>] [-a] [-P]DESCRIPTION
Name
Synopsis
swat [-s <smb config file>] [-a] [-P]DESCRIPTION
smb.conf file allowing an
- administrator to easily look up the effects of any change. OPTIONS
OPTIONS
smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
INSTALLATION
Inetd Installation
/etc/inetd.conf
+ these in: Inetd Installation
/etc/inetd.conf
and /etc/services
to enable SWAT to be launched via inetd./etc/services you need to
add a line like this: /etc/services
and /etc/inetd.conf you need to send a
HUP signal to inetd. To do this use kill -1 PID
- where PID is the process ID of the inetd daemon. LAUNCHING
FILES
/etc/inetd.confFILES
/etc/inetd.conf/etc/services/usr/local/samba/lib/smb.conf
/usr/samba/lib/smb.conf and /etc/smb.conf
. This file describes all the services the server
- is to make available to clients. WARNINGS
WARNINGS
include= and copy=
options. If you have a carefully crafted
- smb.conf then back it up or don't use swat! AUTHOR
AUTHOR
Name
Synopsis
tdbbackup [-s suffix] [-v] [-h]DESCRIPTION
Name
Synopsis
tdbbackup [-s suffix] [-v] [-h]DESCRIPTION
OPTIONS
COMMANDS
AUTHOR
Name
Synopsis
tdbdump (unknown)DESCRIPTION
Name
Synopsis
tdbdump (unknown)DESCRIPTION
AUTHOR
Name
Synopsis
testparm [-s] [-h] [-v] [-L <servername>] [-t <encoding>] {config filename} [hostname hostIP]DESCRIPTION
Synopsis
testparm [-s] [-h] [-v] [-L <servername>] [-t <encoding>] {config filename} [hostname hostIP]DESCRIPTION
smb.conf file it returns an exit code of 1 to the calling
program, else it returns an exit code of 0. This allows shell scripts
- to test the output from testparm.OPTIONS
OPTIONS
FILES
DIAGNOSTICS
AUTHOR
Name
Synopsis
umount.cifs {mount-point} [-nVvhfle]DESCRIPTION
Name
Synopsis
umount.cifs {mount-point} [-nVvhfle]DESCRIPTION
OPTIONS
NOTES
OPTIONS
NOTES
CONFIGURATION
/proc/fs/cifs are various
configuration files and pseudo files which can display debug information.
For more information see the kernel file fs/cifs/README.
-BUGS
BUGS
VERSION
VERSION
SEE ALSO
AUTHOR
AUTHOR
Name
Synopsis
vfstest [-d debuglevel] [-c command] [-l logdir] [-h]DESCRIPTION
Name
Synopsis
vfstest [-d debuglevel] [-c command] [-l logdir] [-h]DESCRIPTION
OPTIONS
OPTIONS
smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
-COMMANDS
COMMANDS
AUTHOR
Name
Synopsis
wbinfo [-a user%password] [-c username] [-C groupname] [--domain domain] [-I ip] [-s sid] [-u] [-U uid] [-g] [--get-auth-user] [-G gid] [-m] [-n name] [-N netbios-name] [-o user:group] [-O user:group] [-p] [-r user] [--set-auth-user user%password] [--sequence] [-S sid] [-t] [-x username] [-X groupname] [-Y sid]DESCRIPTION
Name
Synopsis
wbinfo [-a user%password] [-c username] [-C groupname] [--domain domain] [-I ip] [-s sid] [-u] [-U uid] [-g] [--get-auth-user] [-G gid] [-m] [-n name] [-N netbios-name] [-o user:group] [-O user:group] [-p] [-r user] [--set-auth-user user%password] [--sequence] [-S sid] [-t] [-x username] [-X groupname] [-Y sid]DESCRIPTION
OPTIONS
OPTIONS
Note
EXIT STATUS
AUTHOR
Name
Synopsis
winbindd [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]DESCRIPTION
Synopsis
winbindd [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]DESCRIPTION
/etc/hosts and then from the
WINS server.
hosts: files wins
-
OPTIONS
OPTIONS
smb.conf file.".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
@@ -105,7 +105,7 @@
as a single process (the mode of operation in Samba 2.2). Winbindd's
default behavior is to launch a child process that is responsible for
updating expired cache entries.
- NAME AND ID RESOLUTION
smb.conf for options for sharing this
- database, such as via LDAP.CONFIGURATION
EXAMPLE SETUP
NOTES
NOTES
SIGNALS
SIGNALS
FILES
/etc/nsswitch.conf(5)FILES
/etc/nsswitch.conf(5)/tmp/.winbindd directory
@@ -222,8 +222,8 @@
compiled using the --with-lockdir option.
This directory is by default /usr/local/samba/var/locks
. AUTHOR
MASSIVE in ???, you now deal with the
issues that are particular to large distributed networks. Your task
is simple identify the challenges, consider the
alternatives, and then design and implement a solution.
passdb backend for the Samba servers. You
explored ways to accelerate Windows desktop profile handling and you
took control of network performance.
Yellow Pages is today known
as Network Information System (NIS).
smbpasswd,
tdbsam, xmlsam,
and mysqlsam authentication databases. The SMB
@@ -497,7 +497,7 @@
backend. LDAP is the preferred passdb backend for distributed network
operations.
ldapsam
entry, as shown here (note the particular use of the double quotes):
@@ -532,7 +532,7 @@
ldapsam:ldap://slave.abmas.biz
...
root.
You are about to change the configuration of the LDAP server, so it
makes sense to temporarily halt it. Stop OpenLDAP from running on
@@ -568,7 +568,7 @@
root# service ldap stop
/etc/openldap/slapd.conf file so it
matches the content of ???.
root# slapadd -v -l admin-accts.ldif
LDAP-transfer-LDIF.txt to the intended
slave LDAP server. A good location could be in the directory
/etc/openldap/preload.
@@ -652,9 +652,9 @@
root# chkconfig ldap on
@@ -663,10 +663,10 @@
root# rcslurpd start
root# chkconfig slurpd on
@@ -791,12 +791,12 @@
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
-
smb.conf File Part Asmb.conf File Part Bsmb.conf File Part Csmb.conf File Part Asmb.conf File Part Bsmb.conf File Part Asmb.conf File Part Bsmb.conf File Part Csmb.conf File Part Asmb.conf File Part Bdatabase is heavily overloaded and thus much misunderstood.
- Desktop, My Documents,
@@ -922,39 +922,39 @@
Cookies, Application Data,
Local Settings, and more. See ???, ???.
HKEY_LOCAL_USER hive. This is
the NTUSER.DAT file. It can be from 0.4 to 1.5 MB.
Local Settings\Application Data
folder. It can be up to 2 GB in size per PST file.
- My Documents folder be stored on a network drive?
Group Policy
enabled on Primary DNS suffice of this computer, the string specified in the Group Policy is used
as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
used only if Group Policy is disabled or unspecified.”
- /usr/local/samba directory. This is a perfectly reasonable location, particularly given all the other
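Review bot: `HKEY_LOCAL_USER hive` in this hunk's profile-size passage names a registry hive that does not exist; later in this same patch the same NTUSER.DAT file is described as the `HKEY_CURRENT_USER hive file`, so this line should read HKEY_CURRENT_USER as well. In the same hunk the quoted Windows dialog text reads `Primary DNS suffice of this computer` where `suffix` is meant (the sentence itself goes on to say `primary DNS suffix`), and the quotation should be corrected while the passage is being regenerated.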
@@ -83,7 +83,7 @@
/etc/samba directory, common binary
files (those used by users) in the /usr/bin directory, and the administrative files (daemons) in the
@@ -92,13 +92,13 @@
/usr/share/swat. There are additional support files for smbd in the
/usr/lib/samba directory tree. The files located there include the dynamically loadable modules for the
passdb backend as well as for the VFS modules.
- /var/lib/samba directory. Log files are created in /var/log/samba.
/usr/local/samba directory tree. This makes it simple to find the files that Samba owns.
-
@@ -131,7 +131,7 @@
root# rpm -qa | grep samba
samba3-pdb-3.0.20-1
@@ -143,9 +143,9 @@
samba3-doc-3.0.20-1
samba3-client-3.0.20-1
samba3-cifsmount-3.0.20-1
- smb.conf file for the presence of the idmap uid and idmap gid
@@ -252,22 +252,22 @@
echo "Usage: smb {start|stop|restart|status}"
exit 1
esac
-/sbin in a file called samba. This type of control script should be
owned by user root and group root, and set so that only root can execute it.
- /etc/rc.d and can be called
samba. A similar startup script is required to control winbind.
If you want to find more information regarding startup scripts please refer to the packaging section of
the Samba source code distribution tarball. The packaging files for each platform include a
startup control file.
- 127.0.0.1 can be
resolved to the correct name of the interface.
@@ -344,15 +344,15 @@
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
-/srv/www/htdocs directory.
root# chown -R wwwrun:www /srv/www/htdocs/lam
@@ -770,7 +770,7 @@
root# chmod 755 /srv/www/htdocs/lam/lib/*pl
config.cfg
LAM configuration file:
@@ -778,8 +778,8 @@
root# cp config.cfg_sample config.cfg
root# vi config.cfg
lam.conf then, using your favorite editor,
change the settings to match local site needs.
\\server\share\folder.
{VLN} refers to
the directory location beginning with /var/lib/named.
- MEGANET, File Locations for ServersFile Information Server Name Source Target Location MASSIVE BLDG1 BLDG2 ??? /etc/samba/smb.confYes No No ??? /etc/samba/dc-common.confYes No No ??? /etc/samba/common.confYes Yes Yes ??? /etc/samba/smb.confNo Yes No ??? /etc/samba/smb.confNo No Yes ??? /etc/samba/dommem.confNo Yes Yes ??? /etc/dhcpd.confYes No No ??? /etc/dhcpd.confNo Yes No ??? /etc/dhcpd.confNo No Yes ??? /etc/named.conf (part A)Yes No No ??? /etc/named.conf (part B)Yes No No ??? /etc/named.conf (part C)Yes No No ??? {VLN}/master/abmas.biz.hostsYes No No ??? {VLN}/master/abmas.us.hostsYes No No ??? /etc/named.conf (part A)No Yes Yes ??? /etc/named.conf (part B)No Yes Yes ??? {VLN}/localhost.zoneYes Yes Yes ??? {VLN}/127.0.0.zoneYes Yes Yes ??? {VLN}/root.hintYes Yes Yes MEGANET, File Locations for ServersFile Information Server Name Source Target Location MASSIVE BLDG1 BLDG2 ??? /etc/samba/smb.confYes No No ??? /etc/samba/dc-common.confYes No No ??? /etc/samba/common.confYes Yes Yes ??? /etc/samba/smb.confNo Yes No ??? /etc/samba/smb.confNo No Yes ??? /etc/samba/dommem.confNo Yes Yes ??? /etc/dhcpd.confYes No No ??? /etc/dhcpd.confNo Yes No ??? /etc/dhcpd.confNo No Yes ??? /etc/named.conf (part A)Yes No No ??? /etc/named.conf (part B)Yes No No ??? /etc/named.conf (part C)Yes No No ??? {VLN}/master/abmas.biz.hostsYes No No ??? {VLN}/master/abmas.us.hostsYes No No ??? /etc/named.conf (part A)No Yes Yes ??? /etc/named.conf (part B)No Yes Yes ??? {VLN}/localhost.zoneYes Yes Yes ??? {VLN}/127.0.0.zoneYes Yes Yes ??? {VLN}/root.hintYes Yes Yes root# hostname -f
/etc/hosts file to include the primary names and addresses
of all network interfaces that are on the host server. This is necessary so that during
startup the system is able to resolve all its own names to the IP address prior to
@@ -230,7 +230,7 @@
CUPS print server is started before the DNS server (named), you
should also include an entry for the printers in the /etc/hosts file.
/etc/resolv.conf so it has the following
content:
@@ -241,8 +241,8 @@
This instructs the name resolver function (when configured correctly) to ask the DNS server
that is running locally to resolve names to addresses.
root user to the password backend:
root# smbpasswd -a root
@@ -255,8 +255,8 @@
deleted. If for any reason the account is deleted, you may not be able to recreate this account
without considerable trouble.
root account to be called
Administrator from the Windows network environment. To do this, create
the file /etc/samba/smbusers with the following contents:
@@ -294,16 +294,16 @@
Follow the instructions in the printer manufacturer's manuals to permit printing
to port 9100. Use any other port the manufacturer specifies for direct mode,
raw printing. This allows the CUPS spooler to print using raw mode protocols.
-
-
+
+
root# lpadmin -p printque -v socket://printer-name.abmas.biz:9100 -E
printque is the name you have assigned for
@@ -323,9 +323,9 @@
root# /usr/bin/accept printque
/etc/cups/mime.types to uncomment the line:
application/octet-stream
@@ -359,17 +359,17 @@
processes to automap Windows client drives to an application server that is nearest to the client. This
is considerably more difficult when a single PDC is used on a routed network. It can be done, but not
as elegantly as you see in the next chapter.
-
/etc/rc.d/boot.local an entry as follows:
@@ -397,7 +397,7 @@
startup files as follows: (SUSE) /etc/rc.d/boot.local, (Red Hat)
/etc/rc.d/init.d/rc.local.
/etc/nsswitch.conf file.
This file controls the operation of the various resolver libraries that are part of the Linux
Glibc libraries. Edit this file so that it contains the following entries:
@@ -405,24 +405,24 @@
hosts: files dns wins
/etc/samba/initGrps.sh. Set this file so it can be executed
and then execute the script. An example of the execution of this script as well as its
validation are shown in Section 4.3.2, Step 5.
/etc/passwd file as well as in the Samba password backend.
Use the system tool of your choice to create the UNIX system account, and use the Samba
smbpasswd to create a domain user account.
/data. Format the file system as required and mount the formatted
file system partition using appropriate system tools.
root# mkdir -p /data/{accounts,finsvcs,pidata}
@@ -475,8 +475,8 @@
root# chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
unxi2dos and dos2unix) are installed.
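Review bot: `unxi2dos` in the last context line of this hunk is a typo for `unix2dos`, the counterpart of the `dos2unix` tool named right beside it; since the surrounding text is being regenerated anyway, the tool name should be corrected so that a reader searching for the package finds it.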
@@ -518,8 +518,8 @@
The following steps will guide you through the nuances of implementing BDCs for the broadcast
isolated network segments. Remember that if the target installation platform is not Linux, it may
be necessary to adapt some commands to the equivalent on the target platform.
- /etc/nsswitch.conf file.
This file controls the operation of the various resolver libraries that are part of the Linux
Glibc libraries. Edit this file so that it contains the following entries:
@@ -532,14 +532,14 @@
Follow the steps outlined in ??? to start all services. Do not
start Samba at this time. Samba is controlled by the process called smb.
root# net rpc join
root# service smb start
@@ -548,7 +548,7 @@
Your server is ready for validation testing. Do not proceed with the steps in
??? until after the operation of the server has been
validated following the same methods as outlined in ???.
- /etc/samba/smb.conf/etc/samba/dc-common.conf/etc/samba/common.conf# Global parameters [global]workgroup = MEGANETnetbios name = BLDG1include = /etc/samba/dom-mem.conf# Global parameters [global]workgroup = MEGANETnetbios name = BLDG2include = /etc/samba/dom-mem.conf/etc/samba/smb.conf/etc/samba/dc-common.conf/etc/samba/common.conf# Global parameters [global]workgroup = MEGANETnetbios name = BLDG1include = /etc/samba/dom-mem.conf# Global parameters [global]workgroup = MEGANETnetbios name = BLDG2include = /etc/samba/dom-mem.conf
# Abmas Accounting Inc.
default-lease-time 86400;
@@ -898,8 +898,8 @@
net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
/etc/xinetd.d directory
@@ -918,10 +918,10 @@
Last, each service must be started to permit system validation to proceed. The following steps
are for a Red Hat Linux system, please adapt them to suit the target OS platform on which you
are installing Samba.
-
root# chkconfig dhpc on
root# chkconfig named on
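Review bot: `root# chkconfig dhpc on` in this hunk carries a transposition typo in the service name; the neighbouring steps enable `named` and `swat` by their real service names, and chkconfig will not find a service called `dhpc`, so the DHCP service (whose configuration file `/etc/dhcpd.conf` appears elsewhere in this patch) should be spelled correctly here or the step silently fails to enable it at boot.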
@@ -930,9 +930,9 @@
root# chkconfig swat on
~samba/example/LDAP.
MASSIVE.
You initialize the Samba secrets.tdb file. Then you
create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.
@@ -395,27 +395,27 @@
You can also find on the enclosed CD-ROM, in the Chap06 directory, a few tools
that help to manage user and group configuration.
root
user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
@@ -425,13 +425,13 @@
In this network example use is made of one of the supported privileges purely to demonstrate
how any user can now be given the ability to add machines to the domain using a normal user account
that has been given the appropriate privileges.
- HKEY_CURRENT_USER hive file
NTUSER.DAT and a number of folders (My Documents, Application Data,
Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
@@ -453,20 +453,20 @@
user to not place large files on the desktop and to use his or her mapped home directory
instead of the My Documents folder for saving documents.
My Documents is a nuisance for
some users, since many applications use it by default.
NTUSER.DAT hive.
NTUSER.DAT file. This means
you need to edit every user's profile, unless a better method can be
followed. Fortunately, with the right preparations, this is not difficult.
@@ -475,10 +475,10 @@
necessary to copy all files from redirected folders to the network share to which
they are redirected.
NTUSER.DAT file
to point to the new paths that are shared over the network instead of to the default
path (C:\Documents and Settings\%USERNAME%).
NTUSER.DAT in
the C:\Documents and Settings\Default User folder on each
client machine, changing the same registry keys. You could do this by copying
NTUSER.DAT to a Linux box and using regedt32.
The basic method is described under ???.
- NETLOGON and within that create a directory called
Default User, which is a copy of the desired default user
@@ -520,10 +520,10 @@
the first login from a new account pulls its configuration from it.
See also
the Real Men Don't Click Web site.
- root# chkconfig nscd off
root# rcnscd off
/etc/openldap/slapd.conf control file
(see ???) there is an entry for loglevel 256.
To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter
and restart slapd.
/etc/syslog.conf file so it has the following
contents:
@@ -689,7 +689,7 @@
local site needs. The configuration used later in this chapter reflects such
customization with the intent that LDAP log files will be stored at a location
that meets local site needs and wishes more fully.
- /etc/ldap.conf file the following parameters:
@@ -702,7 +702,7 @@
nss_base_passwd, nss_base_shadow, nss_base_group entries
in the /etc/ldap.conf file and compare them closely with the directory
tree location that was chosen when the directory was first created.
@@ -792,7 +792,7 @@
Check that the bindpw entry in the /etc/ldap.conf or in the
/etc/ldap.secrets file is correct, as specified in the
/etc/openldap/slapd.conf file.
- smb.conf file can be useful in tracking down Samba-related problems:
[global]
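Review bot: the troubleshooting text in this hunk tells the reader to check the `bindpw` entry in `/etc/ldap.conf` or `/etc/ldap.secrets` but says nothing about who may read that value; `/etc/ldap.conf` is normally world-readable because every process doing name lookups consults it, so one sentence recommending that the bind password be kept only in a root-readable file (the `/etc/ldap.secrets` path already named here) would make this check complete.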
@@ -822,17 +822,17 @@
SUSE Linux 8.x SUSE Linux 9.x Red Hat Linux nss_ldap nss_ldap nss_ldap pam_ldap pam_ldap pam_ldap openldap2 openldap2 openldap openldap2-client openldap2-client /etc/openldap.
/data/ldap, making certain that
the directory exists with permissions:
@@ -892,14 +892,14 @@
/data/ldap. In the event that this file is added after ldap
has been started, it is possible to cause the new settings to take effect by shutting down
the LDAP server, executing the db_recover command inside the
/data/ldap directory, and then restarting the LDAP server.
/etc/ldap.conf
+
/etc/ldap.conf
host 127.0.0.1
base dc=abmas,dc=biz
@@ -1042,9 +1042,9 @@
ssl off
nss_ldap module
expects to find its control file:
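Review bot: `ssl off` in this hunk's `/etc/ldap.conf` fragment means directory queries, and any `bindpw` configured in the same file, travel in clear text; the fragment should state that this setting is only acceptable where the LDAP server is reached over the loopback interface and note how TLS is enabled when the directory is on another host.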
@@ -1057,7 +1057,7 @@
On the servers called
BLDG1 and BLDG2, install the file shown in
??? into the path that was obtained from the step above.
/etc/nsswitch.conf) so that the lines that
control user and group resolution will obtain information from the normal system files as
well as from ldap:
@@ -1080,7 +1080,7 @@
Even at the risk of overstating the issue, incorrect and inappropriate configuration of the
nsswitch.conf file is a significant cause of operational problems with LDAP.
/etc/pam.d directory: login, password,
samba, sshd. In each file, locate every entry that has the
@@ -1102,7 +1102,7 @@
session required pam_limits.so
@@ -1126,14 +1126,14 @@
implementation, but if the pam_unix2.so on your system supports
LDAP, you probably want to use it rather than add an additional module.
MASSIVEMASSIVE/etc/samba/
@@ -1143,7 +1143,7 @@
on the master file. The operational smb.conf is then generated as shown in
the next step.
smb.conf file that is generated by:
root# testparm -s smb.conf.master > smb.conf
@@ -1180,8 +1180,8 @@
root# rm /var/log/samba/*
secrets.tdb
file. Execute the following to create the new secrets.tdb files
@@ -1194,8 +1194,8 @@
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
/etc/exports the following entry:
@@ -1250,8 +1250,8 @@
smb.conf File, Server: MASSIVE global Section: Part A# Global parameters [global]unix charset = LOCALEworkgroup = MEGANET2netbios name = MASSIVEinterfaces = eth1, lobind interfaces only = Yespassdb backend = ldapsam:ldap://massive.abmas.bizenable privileges = Yesusername map = /etc/samba/smbuserslog level = 1syslog = 0log file = /var/log/samba/%mmax log size = 50smb ports = 139name resolve order = wins bcast hoststime server = Yesprintcap name = CUPSshow add printer wizard = Noadd user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"smb.conf File, Server: MASSIVE global Section: Part Blogon script = scripts\logon.batlogon path = \\%L\profiles\%Ulogon drive = X:domain logons = Yespreferred master = Yeswins support = Yesldap suffix = dc=abmas,dc=bizldap machine suffix = ou=Peopleldap user suffix = ou=Peopleldap group suffix = ou=Groupsldap idmap suffix = ou=Idmapldap admin dn = cn=Manager,dc=abmas,dc=bizidmap backend = ldap:ldap://massive.abmas.bizidmap uid = 10000-20000idmap gid = 10000-20000map acl inherit = Yesprinting = cupsprinter admin = root, chrisrsmb.conf File, Server: MASSIVE global Section: Part A# Global parameters [global]unix charset = LOCALEworkgroup = MEGANET2netbios name = MASSIVEinterfaces = eth1, lobind interfaces only = Yespassdb backend = ldapsam:ldap://massive.abmas.bizenable privileges = Yesusername map = /etc/samba/smbuserslog level = 1syslog = 0log file = /var/log/samba/%mmax log size = 50smb ports = 139name resolve order = wins bcast hoststime server = Yesprintcap name = CUPSshow add 
printer wizard = Noadd user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"smb.conf File, Server: MASSIVE global Section: Part Blogon script = scripts\logon.batlogon path = \\%L\profiles\%Ulogon drive = X:domain logons = Yespreferred master = Yeswins support = Yesldap suffix = dc=abmas,dc=bizldap machine suffix = ou=Peopleldap user suffix = ou=Peopleldap group suffix = ou=Groupsldap idmap suffix = ou=Idmapldap admin dn = cn=Manager,dc=abmas,dc=bizidmap backend = ldap:ldap://massive.abmas.bizidmap uid = 10000-20000idmap gid = 10000-20000map acl inherit = Yesprinting = cupsprinter admin = root, chrisr/opt/IDEALX/sbin.
The scripts are not needed on BDC machines because all LDAP updates are handled by
the PDC alone.
- smbldap-tools Tarball/opt/IDEALX/sbin directory, and set its permissions
@@ -1320,10 +1320,10 @@
smbldap-tools-0.9.1-1.src.rpm, then follow this procedure:
- smbldap-tools RPM'ssmbldap-tools RPM's
root# rpm -i smbldap-tools-0.9.1-1.src.rpm
@@ -1368,7 +1368,7 @@
smb.conf file.
- /etc/passwd on every
server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in
LDAP. In this case, you can add Windows domain user accounts using the
@@ -1510,20 +1510,20 @@
Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,
is included on the enclosed CD-ROM under Chap06/Tools.
Note
smb.conf files, specific use is made
of the People container, not the Computers container, for domain member accounts. This is not a
@@ -1600,7 +1600,7 @@
Starting ldap-server done
@@ -1702,7 +1702,7 @@
@@ -1715,16 +1715,16 @@
Domain Guests:x:514:
Domain Computers:x:553:
@@ -1740,7 +1740,7 @@
username is the login ID for each user.
@@ -1768,7 +1768,7 @@
This confirms that the UNIX (POSIX) user account information can be resolved from LDAP
by system tools that make a getentpw() system call.
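Review bot: `getentpw()` in this hunk is not a real function name; the routine that enumerates password-database entries is `getpwent()`, and it is a C library call rather than a system call, so the sentence should read "by system tools that make a getpwent() library call."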
@@ -1834,7 +1834,7 @@
@@ -1845,7 +1845,7 @@
The addition of groups does not involve keyboard interaction, so the lack of console
output is of no concern.
@@ -1862,7 +1862,7 @@
The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
as our own site-specific group accounts, are correctly listed. This is looking good.
root# rcwinbind restart
root# smbclient -L massive -U%
@@ -1963,12 +1963,12 @@
MASSIVE is now configured, and it is time to move onto the next task.
smb.conf file. The only preparation needed for smart
printing to be possible involves creation of the directories in which Samba-3 stores
Windows printing driver files.
- MASSIVE
@@ -1980,18 +1980,18 @@
Follow the instructions in the printer manufacturers' manuals to permit printing
to port 9100. Use any other port the manufacturer specifies for direct mode,
raw printing. This allows the CUPS spooler to print using raw mode protocols.
-
-
+
+
root# lpadmin -p printque
-v socket://printer-name.abmas.biz:9100 -E
printque is the name you have assigned for
@@ -2011,15 +2011,15 @@
root# /usr/bin/accept printque
/etc/cups/mime.convs to uncomment the line:
application/octet-stream application/vnd.cups-raw 0 -
/etc/cups/mime.types to uncomment the line:
application/octet-stream
@@ -2038,7 +2038,7 @@
root# chown -R root:root /var/lib/samba/drivers
root# chmod -R ug=rwx,o=rx /var/lib/samba/drivers
BLDG1/etc/samba/ directory. The three files
@@ -2081,7 +2081,7 @@
@@ -2111,7 +2111,7 @@
This is also the correct and desired output, because it demonstrates that the LDAP client
is able to communicate correctly with the LDAP server (
MASSIVE).
secrets.tdb
file by executing this command:
@@ -2143,7 +2143,7 @@
root# pdbedit -L
@@ -2231,19 +2231,19 @@
should be added together to form the smb.conf file.
smb.conf File, Server: BLDG1# Global parameters [global]unix charset = LOCALEworkgroup = MEGANET2netbios name = BLDG1passdb backend = ldapsam:ldap://massive.abmas.bizenable privileges = Yesusername map = /etc/samba/smbuserslog level = 1syslog = 0log file = /var/log/samba/%mmax log size = 50smb ports = 139name resolve order = wins bcast hostsprintcap name = CUPSshow add printer wizard = Nologon script = scripts\logon.batlogon path = \\%L\profiles\%Ulogon drive = X:domain logons = Yesdomain master = Nowins server = 172.16.0.1ldap suffix = dc=abmas,dc=bizldap machine suffix = ou=Peopleldap user suffix = ou=Peopleldap group suffix = ou=Groupsldap idmap suffix = ou=Idmapldap admin dn = cn=Manager,dc=abmas,dc=bizidmap backend = ldap:ldap://massive.abmas.bizidmap uid = 10000-20000idmap gid = 10000-20000printing = cupsprinter admin = root, chrisrsmb.conf File, Server: BLDG2# Global parameters [global]unix charset = LOCALEworkgroup = MEGANET2netbios name = BLDG2passdb backend = ldapsam:ldap://massive.abmas.bizenable privileges = Yesusername map = /etc/samba/smbuserslog level = 1syslog = 0log file = /var/log/samba/%mmax log size = 50smb ports = 139name resolve order = wins bcast hostsprintcap name = CUPSshow add printer wizard = Nologon script = scripts\logon.batlogon path = \\%L\profiles\%Ulogon drive = X:domain logons = Yesdomain master = Nowins server = 172.16.0.1