diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/manpages/idmap_rid.8.html samba-3.4.0pre2//docs/htmldocs/manpages/idmap_rid.8.html --- samba-3.4.0pre1//docs/htmldocs/manpages/idmap_rid.8.html 2009-04-30 10:05:49.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/manpages/idmap_rid.8.html 2009-06-02 09:45:44.000000000 +0200 @@ -23,7 +23,7 @@ ID = RID - BASE_RID + LOW_RANGE_ID.

- Correspondingly, the formula for calculationg the RID for a + Correspondingly, the formula for calculating the RID for a given Unix ID is this:

 			RID = ID + BASE_RID - LOW_RANGE_ID.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/manpages/net.8.html samba-3.4.0pre2//docs/htmldocs/manpages/net.8.html
--- samba-3.4.0pre1//docs/htmldocs/manpages/net.8.html	2009-04-30 10:06:06.000000000 +0200
+++ samba-3.4.0pre2//docs/htmldocs/manpages/net.8.html	2009-06-02 09:46:01.000000000 +0200
@@ -447,22 +447,53 @@
 

net eventlog dump - Dump a eventlog *.evt file on the screen.
net eventlog import - Import a eventlog *.evt into the samba internal tdb based representation of eventlogs.
net eventlog export - Export the samba internal tdb based representation of eventlogs into an eventlog *.evt file.

-

EVENTLOG DUMP

+

EVENTLOG DUMP filename

Prints a eventlog *.evt file to standard output. -

EVENTLOG IMPORT filename eventlog

+

EVENTLOG IMPORT filename eventlog

Imports a eventlog *.evt file defined by filename into the samba internal tdb representation of eventlog defined by eventlog. eventlog needs to part of the eventlog list defined in smb.conf. See the smb.conf(5) manpage for details. -

EVENTLOG EXPORT filename eventlog

+

EVENTLOG EXPORT filename eventlog

Exports the samba internal tdb representation of eventlog defined by eventlog to a eventlog *.evt file defined by filename. eventlog needs to part of the eventlog list defined in smb.conf. See the smb.conf(5) manpage for details. -

HELP [COMMAND]

Gives usage information for the specified command.

VERSION

This man page is complete for version 3 of the Samba - suite.

AUTHOR

The original Samba software and related utilities +

DOM

Starting with version 3.2.0 Samba has support for remote join and unjoin APIs, both client and server-side. Windows supports remote join capabilities since Windows 2000. +

In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege. +

The client side support for remote join is implemented in the net dom commands which are: +

net dom join - Join a remote computer into a domain.
net dom unjoin - Unjoin a remote computer from a domain.
net dom renamecomputer - Renames a remote computer joined to a domain.

+

DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot

+Joins a computer into a domain. This command supports the following additional parameters: +

  • DOMAIN can be a NetBIOS domain name (also known as short domain name) or a DNS domain name for Active Directory Domains. As in Windows, it is also possible to control which Domain Controller to use. This can be achieved by appending the DC name using the \ separator character. Example: MYDOM\MYDC. The DOMAIN parameter cannot be NULL.

  • OU can be set to a RFC 1779 LDAP DN, like ou=mymachines,cn=Users,dc=example,dc=com in order to create the machine account in a non-default LDAP containter. This optional parameter is only supported when joining Active Directory Domains.

  • ACCOUNT defines a domain account that will be used to join the machine to the domain. This domain account needs to have sufficient privileges to join machines.

  • PASSWORD defines the password for the domain account defined with ACCOUNT.

  • REBOOT is an optional parameter that can be set to reboot the remote machine after successful join to the domain.

+Note that you also need to use standard net paramters to connect and authenticate to the remote machine that you want to join. These additional parameters include: -S computer and -U user. +

+ Example: + net dom join -S xp -U XP\\administrator%secret domain=MYDOM account=MYDOM\\administrator password=topsecret reboot. +

+This example would connect to a computer named XP as the local administrator using password secret, and join the computer into a domain called MYDOM using the MYDOM domain administrator account and password topsecret. After successful join, the computer would reboot. +

DOM UNJOIN account=ACCOUNT password=PASSWORD reboot

+Unjoins a computer from a domain. This command supports the following additional parameters: +

  • ACCOUNT defines a domain account that will be used to unjoin the machine from the domain. This domain account needs to have sufficient privileges to unjoin machines.

  • PASSWORD defines the password for the domain account defined with ACCOUNT.

  • REBOOT is an optional parameter that can be set to reboot the remote machine after successful unjoin from the domain.

+Note that you also need to use standard net paramters to connect and authenticate to the remote machine that you want to unjoin. These additional parameters include: -S computer and -U user. +

+ Example: + net dom unjoin -S xp -U XP\\administrator%secret account=MYDOM\\administrator password=topsecret reboot. +

+This example would connect to a computer named XP as the local administrator using password secret, and unjoin the computer from the domain using the MYDOM domain administrator account and password topsecret. After successful unjoin, the computer would reboot. +

DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot

+Renames a computer that is joined to a domain. This command supports the following additional parameters: +

  • NEWNAME defines the new name of the machine in the domain.

  • ACCOUNT defines a domain account that will be used to rename the machine in the domain. This domain account needs to have sufficient privileges to rename machines.

  • PASSWORD defines the password for the domain account defined with ACCOUNT.

  • REBOOT is an optional parameter that can be set to reboot the remote machine after successful rename in the domain.

+Note that you also need to use standard net paramters to connect and authenticate to the remote machine that you want to rename in the domain. These additional parameters include: -S computer and -U user. +

+ Example: + net dom renamecomputer -S xp -U XP\\administrator%secret newname=XPNEW account=MYDOM\\administrator password=topsecret reboot. +

+This example would connect to a computer named XP as the local administrator using password secret, and rename the joined computer to XPNEW using the MYDOM domain administrator account and password topsecret. After successful rename, the computer would reboot. +

HELP [COMMAND]

Gives usage information for the specified command.

VERSION

This man page is complete for version 3 of the Samba + suite.

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

The net manpage was written by Jelmer Vernooij.
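
Review bot: The three added examples (net dom join, net dom unjoin, net dom renamecomputer) pass both passwords as command-line arguments, in "-U XP\\administrator%secret" and "password=topsecret", and the added text never mentions that arguments given this way are visible to other local users in the process list and are kept in shell history. Suggest one sentence under DOM, or after each example, that points this out and says whether net prompts for the password when the %password part of -U is left out. Smaller points in the added lines: "containter" in the OU item, "paramters" in all three "Note that you also need to use standard net" paragraphs, and the synopsis lines show a lowercase "reboot" while the parameter lists describe it as REBOOT without saying how it is written on the command line.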

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/manpages/smb.conf.5.html samba-3.4.0pre2//docs/htmldocs/manpages/smb.conf.5.html --- samba-3.4.0pre1//docs/htmldocs/manpages/smb.conf.5.html 2009-04-30 10:06:27.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/manpages/smb.conf.5.html 2009-06-02 09:46:22.000000000 +0200 @@ -3606,8 +3606,29 @@

+map untrusted to domain (G) +

+ If a client connects to smbd using an untrusted domain name, such as + BOGUS\user, smbd replaces the BOGUS domain with it's SAM name before + attempting to authenticate that user. In the case where smbd is acting as + a PDC this will be DOMAIN\user. In the case where smbd is acting as a + domain member server or a standalone server this will be WORKSTATION\user. +

+ In previous versions of Samba (pre 3.4), if smbd was acting as a domain + member server, the BOGUS domain name would instead be replaced by the + primary domain which smbd was a member of. In this case authentication + would be deferred off to a DC using the credentials DOMAIN\user. +

+ When this parameter is set to yes smbd provides the + legacy behavior of mapping untrusted domain names to the primary domain. + When smbd is not acting as a domain member server, this parameter has no + effect. +

Default: map untrusted to domain = no + +

+ max connections (S) -

This option allows the number of simultaneous connections to a service to be limited. +

This option allows the number of simultaneous connections to a service to be limited. If max connections is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero mean an unlimited number of connections may be made.
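
Review bot: In the added "map untrusted to domain (G)" entry, the third paragraph says that yes "provides the legacy behavior" but does not spell out what that means for authentication. Going by the second paragraph, a logon presented as BOGUS\user is then handed to a DC as DOMAIN\user, so a domain name supplied by the client and trusted by nothing still ends in a primary-domain logon attempt. Suggest stating that consequence next to the yes case so the setting is chosen deliberately, and saying whether WORKSTATION in "WORKSTATION\user" is a placeholder for the server's own name. Also, "it's SAM name" in the first paragraph should read "its SAM name".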

Record lock files are used to implement this feature. The lock files will be stored in @@ -3615,10 +3636,10 @@

Example: max connections = 10 -

+

max disk size (G) -

This option allows you to put an upper limit +

This option allows you to put an upper limit on the apparent size of disks. If you set this option to 100 then all shares will appear to be not larger than 100 MB in size.

Note that this option does not limit the amount of @@ -3632,10 +3653,10 @@

Example: max disk size = 1000 -

+

max log size (G) -

+

This option (an integer in kilobytes) specifies the max size the log file should grow to. Samba periodically checks the size and if it is exceeded it will rename the file, adding a .old extension. @@ -3644,17 +3665,17 @@

Example: max log size = 1000 -

+

max mux (G) -

This option controls the maximum number of +

This option controls the maximum number of outstanding simultaneous SMB operations that Samba tells the client it will allow. You should never need to set this parameter.

Default: max mux = 50 -

+

max open files (G) -

This parameter limits the maximum number of +

This parameter limits the maximum number of open files that one smbd(8) file serving process may have open for a client at any one time. The default for this parameter is set very high (10,000) as Samba uses @@ -3662,23 +3683,23 @@ by the UNIX per-process file descriptor limit rather than this parameter so you should never need to touch this parameter.

Default: max open files = 10000 -

+

max print jobs (S) -

This parameter limits the maximum number of +

This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment. If this number is exceeded, smbd(8) will remote "Out of Space" to the client.

Default: max print jobs = 1000

Example: max print jobs = 5000 -

+

protocol -

This parameter is a synonym for max protocol.

+

This parameter is a synonym for max protocol.

max protocol (G) -

The value of the parameter (a string) is the highest +

The value of the parameter (a string) is the highest protocol level that will be supported by the server.

Possible values are :

  • CORE: Earliest version. No concept of user names.

  • COREPLUS: Slight improvements on CORE for efficiency.

  • LANMAN1: First @@ -3690,10 +3711,10 @@

    Example: max protocol = LANMAN1 -

+

max reported print jobs (S) -

+

This parameter limits the maximum number of jobs displayed in a port monitor for Samba printer queue at any given moment. If this number is exceeded, the excess jobs will not be shown. A value of zero means there is no limit on the number of @@ -3702,10 +3723,10 @@

Example: max reported print jobs = 1000 -

+

max smbd processes (G) -

This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended +

This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended as a stopgap to prevent degrading service to clients in the event that the server has insufficient resources to handle more than this number of connections. Remember that under normal operating conditions, each user will have an smbd(8) associated with him or her to handle connections to all @@ -3713,10 +3734,10 @@

Example: max smbd processes = 1000 -

+

max stat cache size (G) -

This parameter limits the size in memory of any +

This parameter limits the size in memory of any stat cache being used to speed up case insensitive name mappings. It represents the number of kilobyte (1024) units the stat cache can use. @@ -3727,27 +3748,27 @@

Example: max stat cache size = 100 -

+

max ttl (G) -

This option tells nmbd(8) what the default 'time to live' +

This option tells nmbd(8) what the default 'time to live' of NetBIOS names should be (in seconds) when nmbd is requesting a name using either a broadcast packet or from a WINS server. You should never need to change this parameter. The default is 3 days.

Default: max ttl = 259200 -

+

max wins ttl (G) -

This option tells smbd(8) when acting as a WINS server +

This option tells smbd(8) when acting as a WINS server (wins support = yes) what the maximum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds).

Default: max wins ttl = 518400 -

+

max xmit (G) -

This option controls the maximum packet size +

This option controls the maximum packet size that will be negotiated by Samba. The default is 16644, which matches the behavior of Windows 2000. A value below 2048 is likely to cause problems. You should never need to change this parameter from its default value. @@ -3755,10 +3776,10 @@

Example: max xmit = 8192 -

+

message command (G) -

This specifies what command to run when the +

This specifies what command to run when the server receives a WinPopup style message.

This would normally be a command that would deliver the message somehow. How this is to be done is up to your imagination.

An example is: @@ -3797,20 +3818,20 @@

Example: message command = csh -c 'xedit %s; rm %s' & -

+

min print space (S) -

This sets the minimum amount of free disk +

This sets the minimum amount of free disk space that must be available before a user will be able to spool a print job. It is specified in kilobytes. The default is 0, which means a user can always spool a print job.

Default: min print space = 0

Example: min print space = 2000 -

+

min protocol (G) -

The value of the parameter (a string) is the +

The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support. Please refer to the max protocol parameter for a list of valid protocol names and a brief description @@ -3822,10 +3843,10 @@

Example: min protocol = NT1 -

+

min receivefile size (G) -

This option changes the behavior of smbd(8) when processing SMBwriteX calls. Any incoming +

This option changes the behavior of smbd(8) when processing SMBwriteX calls. Any incoming SMBwriteX call on a non-signed SMB/CIFS connection greater than this value will not be processed in the normal way but will be passed to any underlying kernel recvfile or splice system call (if there is no such call Samba will emulate in user space). This allows zero-copy writes directly from network @@ -3834,19 +3855,19 @@ normal way. To enable POSIX large write support (SMB/CIFS writes up to 16Mb) this option must be nonzero. The maximum value is 128k. Values greater than 128k will be silently set to 128k.

Note this option will have NO EFFECT if set on a SMB signed connection.

The default is zero, which diables this option.

Default: min receivefile size = 0 -

+

min wins ttl (G) -

This option tells nmbd(8) +

This option tells nmbd(8) when acting as a WINS server (wins support = yes) what the minimum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 hours (21600 seconds).

Default: min wins ttl = 21600 -

+

msdfs proxy (S) -

This parameter indicates that the share is a +

This parameter indicates that the share is a stand-in for another CIFS share whose location is specified by the value of the parameter. When clients attempt to connect to this share, they are redirected to the proxied share using @@ -3854,10 +3875,10 @@ msdfs root and host msdfs options to find out how to set up a Dfs root share.

No default

Example: msdfs proxy = \otherserver\someshare -

+

msdfs root (S) -

If set to yes, Samba treats the +

If set to yes, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. Dfs links are specified in the share directory by symbolic @@ -3865,20 +3886,20 @@ and so on. For more information on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.

Default: msdfs root = no -

+

name cache timeout (G) -

Specifies the number of seconds it takes before +

Specifies the number of seconds it takes before entries in samba's hostname resolve cache time out. If the timeout is set to 0. the caching is disabled.

Default: name cache timeout = 660

Example: name cache timeout = 0 -

+

name resolve order (G) -

This option is used by the programs in the Samba +

This option is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. Its main purpose to is to control how netbios name resolution is performed. The option takes a space @@ -3909,10 +3930,10 @@

Example: name resolve order = lmhosts bcast host -

+

netbios aliases (G) -

This is a list of NetBIOS names that nmbd will +

This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon @@ -3922,10 +3943,10 @@

Example: netbios aliases = TEST TEST1 TEST2 -

+

netbios name (G) -

+

This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under. @@ -3938,17 +3959,17 @@

Example: netbios name = MYNAME -

+

netbios scope (G) -

This sets the NetBIOS scope that Samba will +

This sets the NetBIOS scope that Samba will operate under. This should not be set unless every machine on your LAN also sets this value.

Default: netbios scope = -

+

nis homedir (G) -

Get the home share server from a NIS map. For +

Get the home share server from a NIS map. For UNIX systems that use an automounter, the user's home directory will often be mounted on a workstation on demand from a remote server.

When the Samba logon server is not the actual home directory @@ -3967,20 +3988,20 @@ NIS system and the Samba server with this option must also be a logon server.

Default: nis homedir = no -

+

nt acl support (S) -

This boolean parameter controls whether smbd(8) will attempt to map +

This boolean parameter controls whether smbd(8) will attempt to map UNIX permissions into Windows NT access control lists. The UNIX permissions considered are the the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories. This parameter was formally a global parameter in releases prior to 2.2.2.

Default: nt acl support = yes -

+

ntlm auth (G) -

This parameter determines whether or not smbd(8) will attempt to +

This parameter determines whether or not smbd(8) will attempt to authenticate users using the NTLM encrypted password response. If disabled, either the lanman password hash or an NTLMv2 response will need to be sent by the client.

If this option, and lanman @@ -3988,33 +4009,33 @@ permited. Not all clients support NTLMv2, and most will require special configuration to use it.

Default: ntlm auth = yes -

+

nt pipe support (G) -

This boolean parameter controls whether +

This boolean parameter controls whether smbd(8) will allow Windows NT clients to connect to the NT SMB specific IPC$ pipes. This is a developer debugging option and can be left alone.

Default: nt pipe support = yes -

+

nt status support (G) -

This boolean parameter controls whether smbd(8) will negotiate NT specific status +

This boolean parameter controls whether smbd(8) will negotiate NT specific status support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. If this option is set to no then Samba offers exactly the same DOS error codes that versions prior to Samba 2.2.3 reported.

You should not need to ever disable this parameter.

Default: nt status support = yes -

+

null passwords (G) -

Allow or disallow client access to accounts that have null passwords.

See also smbpasswd(5).

Default: null passwords = no +

Allow or disallow client access to accounts that have null passwords.

See also smbpasswd(5).

Default: null passwords = no -

+

obey pam restrictions (G) -

When Samba 3.0 is configured to enable PAM support +

When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only @@ -4024,10 +4045,10 @@ authentication mechanism needed in the presence of SMB password encryption.

Default: obey pam restrictions = no -

+

only user (S) -

This is a boolean option that controls whether +

This is a boolean option that controls whether connections with usernames not in the user list will be allowed. By default this option is disabled so that a client can supply a username to be used by the server. Enabling @@ -4040,10 +4061,10 @@ will be just the service name, which for home directories is the name of the user.

Default: only user = no -

+

oplock break wait time (G) -

+

This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too quickly when that client issues an SMB that can cause an oplock break request, then the network client can fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount @@ -4052,10 +4073,10 @@ DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock break wait time = 0 -

+

oplock contention limit (S) -

+

This is a very advanced smbd(8) tuning option to improve the efficiency of the granting of oplocks under multiple client contention for the same file.

@@ -4067,10 +4088,10 @@ DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock contention limit = 2 -

+

oplocks (S) -

+

This boolean option tells smbd whether to issue oplocks (opportunistic locks) to file open requests on this share. The oplock code can dramatically (approx. 30% or more) improve @@ -4089,10 +4110,10 @@ kernel oplocks parameter for details.

Default: oplocks = yes -

+

os2 driver map (G) -

The parameter is used to define the absolute +

The parameter is used to define the absolute path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names. The format is:

<nt driver name> = <os2 driver name>.<device name>

For example, a valid entry using the HP LaserJet 5 printer driver would appear as HP LaserJet 5L = LASERJET.HP @@ -4102,10 +4123,10 @@ details on OS/2 clients, please refer to chapter on other clients in the Samba3-HOWTO book.

Default: os2 driver map = -

+

os level (G) -

+

This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd(8) has a chance of becoming a local master browser for the workgroup in the local broadcast area.

@@ -4121,10 +4142,10 @@

Example: os level = 65 -

+

pam password change (G) -

With the addition of better PAM support in Samba 2.2, +

With the addition of better PAM support in Samba 2.2, this parameter, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in @@ -4132,20 +4153,20 @@ It should be possible to enable this without changing your passwd chat parameter for most setups.

Default: pam password change = no -

+

panic action (G) -

This is a Samba developer option that allows a +

This is a Samba developer option that allows a system command to be called when either smbd(8) or nmbd(8) crashes. This is usually used to draw attention to the fact that a problem occurred.

Default: panic action =

Example: panic action = "/bin/sleep 90000" -

+

paranoid server security (G) -

Some version of NT 4.x allow non-guest +

Some version of NT 4.x allow non-guest users with a bad passowrd. When this option is enabled, samba will not use a broken NT 4.x server as password server, but instead complain to the logs and exit. @@ -4153,16 +4174,18 @@ this check, which involves deliberatly attempting a bad logon to the remote server.

Default: paranoid server security = yes -

+

passdb backend (G) -

This option allows the administrator to chose which backend +

This option allows the administrator to chose which backend will be used for storing user and possibly group information. This allows you to swap between different storage mechanisms without recompile.

The parameter value is divided into two parts, the backend's name, and a 'location' string that has meaning only to that particular backed. These are separated by a : character.

Available backends can include: -

  • smbpasswd - The default smbpasswd - backend. Takes a path to the smbpasswd file as an optional argument. +

    • smbpasswd - The old plaintext passdb + backend. Some Samba features will not work if this passdb + backend is used. Takes a path to the smbpasswd file as an + optional argument.

    • tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the private dir directory.
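
Review bot: The rewritten smbpasswd item says "Some Samba features will not work if this passdb backend is used" without naming any of them, so an administrator still on smbpasswd cannot tell from this text whether their setup is affected; list the features or reference the section that does. "The old plaintext passdb backend" is also ambiguous, because it can be read as a backend that stores plaintext passwords rather than one that uses a plain text file; suggest wording that names the file format if that is what is meant.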

    • ldapsam - The LDAP based passdb @@ -4187,21 +4210,21 @@ or multi server LDAP URL with Netscape based LDAP library: passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com" -

Default: passdb backend = smbpasswd +

Default: passdb backend = tdbsam -

+

passdb expand explicit (G) -

+

This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable %G_osver% in which %G would have been substituted by the user's primary group.

Default: passdb expand explicit = no -

+

passwd chat debug (G) -

This boolean specifies if the passwd chat script +

This boolean specifies if the passwd chat script parameter is run in debug mode. In this mode the strings passed to and received from the passwd chat are printed in the smbd(8) log with a @@ -4214,18 +4237,18 @@ pam password change parameter is set. This parameter is off by default.

Default: passwd chat debug = no -

+

passwd chat timeout (G) -

This integer specifies the number of seconds smbd will wait for an initial +

This integer specifies the number of seconds smbd will wait for an initial answer from a passwd chat script being run. Once the initial answer is received the subsequent answers must be received in one tenth of this time. The default it two seconds.

Default: passwd chat timeout = 2 -

+

passwd chat (G) -

This string controls the "chat" +

This string controls the "chat" conversation that takes places between smbd(8) and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that smbd(8) uses to determine what to send to the @@ -4256,10 +4279,10 @@

Example: passwd chat = "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" -

+

passwd program (G) -

The name of a program that can be used to set +

The name of a program that can be used to set UNIX user passwords. Any occurrences of %u will be replaced with the user name. The user name is checked for existence before calling the password changing program.

Also note that many passwd programs insist in reasonable @@ -4280,10 +4303,10 @@

Example: passwd program = /bin/passwd %u -

+

password level (G) -

Some client/server combinations have difficulty +

Some client/server combinations have difficulty with mixed-case passwords. One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when @@ -4305,10 +4328,10 @@

Example: password level = 4 -

+

password server (G) -

By specifying the name of another SMB server +

By specifying the name of another SMB server or Active Directory domain controller with this option, and using security = [ads|domain|server] it is possible to get Samba @@ -4368,13 +4391,13 @@

Example: password server = windc.mydomain.com:389 192.168.1.101 * -

+

directory -

This parameter is a synonym for path.

+

This parameter is a synonym for path.

path (S) -

This parameter specifies a directory to which +

This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.

For a printable service offering guest access, the service @@ -4391,25 +4414,25 @@

Example: path = /home/fred -

+

perfcount module (G) -

This parameter specifies the perfcount backend to be used when monitoring SMB +

This parameter specifies the perfcount backend to be used when monitoring SMB operations. Only one perfcount module may be used, and it must implement all of the apis contained in the smb_perfcount_handler structure defined in smb.h. -

No default

+

No default

pid directory (G) -

+

This option specifies the directory where pid files will be placed.

Default: pid directory = ${prefix}/var/locks

Example: pid directory = pid directory = /var/run/ -

+

posix locking (S) -

+

The smbd(8) daemon maintains an database of file locks obtained by SMB clients. The default behavior is to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are @@ -4417,10 +4440,10 @@ method (e.g. NFS or local file access). You should never need to disable this parameter.

Default: posix locking = yes -

+

postexec (S) -

This option specifies a command to be run +

This option specifies a command to be run whenever the service is disconnected. It takes the usual substitutions. The command may be run as the root on some systems.

An interesting example may be to unmount server @@ -4428,21 +4451,21 @@

Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log -

+

preexec close (S) -

+

This boolean option controls whether a non-zero return code from preexec should close the service being connected to.

Default: preexec close = no -

+

exec -

This parameter is a synonym for preexec.

+

This parameter is a synonym for preexec.

preexec (S) -

This option specifies a command to be run whenever +

This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.

An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:

@@ -4454,13 +4477,13 @@

Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log -

+

prefered master -

This parameter is a synonym for preferred master.

+

This parameter is a synonym for preferred master.

preferred master (G) -

+

This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup.

If this is set to yes, on startup, nmbd will force @@ -4474,22 +4497,22 @@ capabilities.

Default: preferred master = auto -

+

preload modules (G) -

This is a list of paths to modules that should +

This is a list of paths to modules that should be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat.

Default: preload modules =

Example: preload modules = /usr/lib/samba/passdb/mysql.so -

+

auto services -

This parameter is a synonym for preload.

+

This parameter is a synonym for preload.

preload (G) -

This is a list of services that you want to be +

This is a list of services that you want to be automatically added to the browse lists. This is most useful for homes and printers services that would otherwise not be visible.

@@ -4500,33 +4523,33 @@

Example: preload = fred lp colorlp -

+

preserve case (S) -

+

This controls if new filenames are created with the case that the client passes, or if they are forced to be the default case.

See the section on NAME MANGLING for a fuller discussion.

Default: preserve case = yes -

+

print ok -

This parameter is a synonym for printable.

+

This parameter is a synonym for printable.

printable (S) -

If this parameter is yes, then +

If this parameter is yes, then clients may open, write to and submit spool files on the directory specified for the service.

Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The read only parameter controls only non-printing access to the resource.

Default: printable = no -

+

printcap cache time (G) -

This option specifies the number of seconds before the printing +

This option specifies the number of seconds before the printing subsystem is again asked for the known printers. If the value is greater than 60 the initial waiting time is set to 60 seconds to allow an earlier first rescan of the printing subsystem. @@ -4536,13 +4559,13 @@

Example: printcap cache time = 600 -

+

printcap -

This parameter is a synonym for printcap name.

+

This parameter is a synonym for printcap name.

printcap name (G) -

+

This parameter may be used to override the compiled-in default printcap name used by the server (usually /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.

@@ -4577,10 +4600,10 @@

Example: printcap name = /etc/myprintcap -

+

print command (S) -

After a print job has finished spooling to +

After a print job has finished spooling to a service, this command will be used via a system() call to process the spool file. Typically the command specified will submit the spool file to the host's printing subsystem, but there @@ -4622,10 +4645,10 @@ and if SAMBA is compiled against libcups, any manually set print command will be ignored.

No default

Example: print command = /usr/local/samba/bin/myprintscript %p %s -

+

printer admin (S) -

+

This lists users who can do anything to printers via the remote administration interfaces offered by MS-RPC (usually using a NT workstation). @@ -4641,13 +4664,13 @@

Example: printer admin = admin, @staff -

+

printer -

This parameter is a synonym for printer name.

+

This parameter is a synonym for printer name.

printer name (S) -

+

This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent.

@@ -4660,10 +4683,10 @@

Example: printer name = laserwriter -

+

printing (S) -

This parameters controls how printer status information is +

This parameters controls how printer status information is interpreted on your system. It also affects the default values for the print command, lpq command, lppause command , lpresume command, and lprm command if specified in the [global] section.

Currently nine printing styles are supported. They are @@ -4680,27 +4703,27 @@ [printers] section.

Default: printing = Depends on the operating system, see testparm -v. -

+

printjob username (S) -

This parameter specifies which user information will be +

This parameter specifies which user information will be passed to the printing system. Usually, the username is sent, but in some cases, e.g. the domain prefix is useful, too.

Default: printjob username = %U

Example: printjob username = %D\%U -

+

private dir (G) -

This parameters defines the directory +

This parameters defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb.

Default: private dir = ${prefix}/private -

+

profile acls (S) -

+

This boolean parameter was added to fix the problems that people have been having with storing user profiles on Samba shares from Windows 2000 or Windows XP clients. New versions of Windows 2000 or Windows XP service @@ -4728,10 +4751,10 @@ tree to the owning user.

Default: profile acls = no -

+

queuepause command (S) -

This parameter specifies the command to be +

This parameter specifies the command to be executed on the server host in order to pause the printer queue.

This command should be a program or script which takes a printer name as its only parameter and stops the printer queue, such that no longer jobs are submitted to the printer.

This command is not supported by Windows for Workgroups, @@ -4742,10 +4765,10 @@ path in the command as the PATH may not be available to the server.

No default

Example: queuepause command = disable %p -

+

queueresume command (S) -

This parameter specifies the command to be +

This parameter specifies the command to be executed on the server host in order to resume the printer queue. It is the command to undo the behavior that is caused by the previous parameter (queuepause command).

This command should be a program or script which takes @@ -4760,10 +4783,10 @@

Example: queueresume command = enable %p -

+

read list (S) -

+

This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the read only option is set to. The list can include group names using the syntax described in the invalid users @@ -4773,19 +4796,19 @@

Example: read list = mary, @students -

+

read only (S) -

An inverted synonym is writeable.

If this parameter is yes, then users +

An inverted synonym is writeable.

If this parameter is yes, then users of a service may not create or modify files in the service's directory.

Note that a printable service (printable = yes) will ALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations.

Default: read only = yes -

+

read raw (G) -

This parameter controls whether or not the server +

This parameter controls whether or not the server will support the raw read SMB requests when transferring data to clients.

If enabled, raw reads allow reads of 65535 bytes in one packet. This typically provides a major performance benefit. @@ -4794,20 +4817,20 @@ sizes, and for these clients you may need to disable raw reads.

In general this parameter should be viewed as a system tuning tool and left severely alone.

Default: read raw = yes -

+

realm (G) -

This option specifies the kerberos realm to use. The realm is +

This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server.

Default: realm =

Example: realm = mysambabox.mycompany.com -

+

registry shares (G) -

+

This turns on or off support for share definitions read from registry. Shares defined in smb.conf take precedence over shares with the same name defined in @@ -4822,10 +4845,10 @@

Example: registry shares = yes -

+

remote announce (G) -

+

This option allows you to setup nmbd(8) to periodically announce itself to arbitrary IP addresses with an arbitrary workgroup name.

@@ -4849,10 +4872,10 @@ See the chapter on Network Browsing in the Samba-HOWTO book.

Default: remote announce = -

+

remote browse sync (G) -

+

This option allows you to setup nmbd(8) to periodically request synchronization of browse lists with the master browser of a Samba server that is on a remote segment. This option will allow you to @@ -4884,10 +4907,10 @@ each network has its own WINS server.

Default: remote browse sync = -

+

rename user script (G) -

+

This is the full pathname to a script that will be run as root by smbd(8) under special circumstances described below.

When a user with admin authority or SeAddUserPrivilege rights renames a user (e.g.: from the NT4 User Manager @@ -4905,10 +4928,10 @@ needs to change for other applications using the same directory.

Default: rename user script = no -

+

reset on zero vc (G) -

+

This boolean option controls whether an incoming session setup should kill other connections coming from the same IP. This matches the default Windows 2003 behaviour. @@ -4927,10 +4950,10 @@

Default: reset on zero vc = no -

+

restrict anonymous (G) -

The setting of this parameter determines whether user and +

The setting of this parameter determines whether user and group list information is returned for an anonymous connection. and mirrors the effects of the
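
Review bot: the re-emitted first sentence of restrict anonymous still reads "returned for an anonymous connection. and mirrors the effects of the", with a full stop in the middle of the sentence. Since the line is being changed anyway, drop the stray full stop so the sentence runs "... for an anonymous connection and mirrors the effects of the ...".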

@@ -4953,16 +4976,16 @@
     by setting guest ok = yes on any share.
 	

Default: restrict anonymous = 0 -

+

root -

This parameter is a synonym for root directory.

+

This parameter is a synonym for root directory.

root dir -

This parameter is a synonym for root directory.

+

This parameter is a synonym for root directory.

root directory (G) -

The server will chroot() (i.e. +

The server will chroot() (i.e. Change its root directory) to this directory on startup. This is not strictly necessary for secure operation. Even without it the server will deny access to files not in one of the service entries. @@ -4985,34 +5008,34 @@

Example: root directory = /homes/smb -

+

root postexec (S) -

+

This is the same as the postexec parameter except that the command is run as root. This is useful for unmounting filesystems (such as CDROMs) after a connection is closed.

Default: root postexec = -

+

root preexec close (S) -

This is the same as the preexec close +

This is the same as the preexec close parameter except that the command is run as root.

Default: root preexec close = no -

+

root preexec (S) -

+

This is the same as the preexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.

Default: root preexec = -

+

security mask (S) -

+

This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box.

@@ -5031,10 +5054,10 @@

Example: security mask = 0770 -

+

security (G) -

This option affects how clients respond to +

This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file.

The option sets the "security mode bit" in replies to protocol negotiations with smbd(8) to turn share level security on or off. Clients decide @@ -5158,10 +5181,10 @@

Example: security = DOMAIN -

+

server schannel (G) -

+

This controls whether the server offers or even demands the use of the netlogon schannel. server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel. This is only the case for Windows NT4 before SP4. @@ -5172,20 +5195,20 @@

Example: server schannel = yes -

+

server signing (G) -

This controls whether the client is allowed or required to use SMB signing. Possible values +

This controls whether the client is allowed or required to use SMB signing. Possible values are auto, mandatory and disabled.

When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either.

Default: server signing = Disabled -

+

server string (G) -

This controls what string will show up in the printer comment box in print +

This controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view. It can be any string that you wish to show to your users.

It also sets what will appear in browse lists next to the machine name.

A %v will be replaced with the Samba @@ -5194,10 +5217,10 @@

Example: server string = University of GNUs Samba Server -

+

set directory (S) -

+

If set directory = no, then users of the service may not use the setdir command to change directory.

@@ -5206,10 +5229,10 @@ for details.

Default: set directory = no -

+

set primary group script (G) -

Thanks to the Posix subsystem in NT a Windows User has a +

Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups. This script sets the primary group in the unix userdatase when an administrator sets the primary group from the windows user @@ -5221,10 +5244,10 @@

Example: set primary group script = /usr/sbin/usermod -g '%g' '%u' -

+

set quota command (G) -

The set quota command should only be used +

The set quota command should only be used whenever there is no operating system API available from the OS that samba can use.

This option is only available if Samba was configured with the argument --with-sys-quotas or on linux when ./configure --with-quotas was used and a working quota api @@ -5234,10 +5257,10 @@

Example: set quota command = /usr/local/sbin/set_quota -

+

share modes (S) -

This enables or disables the honoring of +

This enables or disables the honoring of the share modes during a file open. These modes are used by clients to gain exclusive read or write access to a file.

This is a deprecated option from old versions of @@ -5249,20 +5272,20 @@ by default.

You should NEVER turn this parameter off as many Windows applications will break if you do so.

Default: share modes = yes -

+

short preserve case (S) -

+

This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the default case. This option can be use with preserve case = yes to permit long filenames to retain their case, while short names are lowered.

See the section on NAME MANGLING.

Default: short preserve case = yes -

+

show add printer wizard (G) -

With the introduction of MS-RPC based printing support +

With the introduction of MS-RPC based printing support for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will appear on Samba hosts in the share listing. Normally this folder will contain an icon for the MS Add Printer Wizard (APW). However, it is @@ -5280,10 +5303,10 @@

Note

This does not prevent the same user from having administrative privilege on an individual printer.

Default: show add printer wizard = yes -

+

shutdown script (G) -

This a full path name to a script called by +

This a full path name to a script called by smbd(8) that should start a shutdown procedure.

If the connected user posseses the SeRemoteShutdownPrivilege, right, this command will be run as user.

The %z %t %r %f variables are expanded as follows:

  • %z will be substituted with the @@ -5308,10 +5331,10 @@

    Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f -

+

smb encrypt (S) -

This is a new feature introduced with Samba 3.2 and above. It is an +

This is a new feature introduced with Samba 3.2 and above. It is an extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in a SMB protocol stream. When @@ -5339,10 +5362,10 @@ When set to mandatory, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated.

Default: smb encrypt = auto -

+

smb passwd file (G) -

This option sets the path to the encrypted smbpasswd file. By +

This option sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba.

An example of use is:

@@ -5350,15 +5373,15 @@
 

Default: smb passwd file = ${prefix}/private/smbpasswd -

+

smb ports (G) -

Specifies which ports the server should listen on for SMB traffic.

Default: smb ports = 445 139 +

Specifies which ports the server should listen on for SMB traffic.

Default: smb ports = 445 139 -

+

socket address (G) -

This option allows you to control what +

This option allows you to control what address Samba will listen for connections on. This is used to support multiple virtual interfaces on the one server, each with a different configuration.

Setting this option should never be necessary on usual Samba @@ -5367,10 +5390,10 @@

Example: socket address = 192.168.2.20 -

+

socket options (G) -

This option allows you to set socket options +

This option allows you to set socket options to be used when talking with the client.

Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned.

This option will typically be used to tune your Samba server @@ -5398,17 +5421,17 @@

Example: socket options = IPTOS_LOWDELAY -

+

stat cache (G) -

This parameter determines if smbd(8) will use a cache in order to +

This parameter determines if smbd(8) will use a cache in order to speed up case insensitive name mappings. You should never need to change this parameter.

Default: stat cache = yes -

+

store dos attributes (S) -

+

If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such as occurs with map hidden and map readonly). When set, DOS @@ -5420,10 +5443,10 @@ extended attributes to work, also extended attributes must be compiled into the Linux kernel.

Default: store dos attributes = no -

+

strict allocate (S) -

This is a boolean that controls the handling of +

This is a boolean that controls the handling of disk space allocation in the server. When this is set to yes the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour @@ -5435,10 +5458,10 @@ out of quota messages on systems that are restricting the disk quota of users.

Default: strict allocate = no -

+

strict locking (S) -

+

This is an enumerated type that controls the handling of file locking in the server. When this is set to yes, the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on some systems. @@ -5454,10 +5477,10 @@ strict locking = no is acceptable.

Default: strict locking = Auto -

+

strict sync (S) -

Many Windows applications (including the Windows 98 explorer +

Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing a sync to disk. Under UNIX, a sync call forces the process to be suspended until the kernel has ensured that all outstanding data in @@ -5471,10 +5494,10 @@ addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies.

Default: strict sync = no -

+

svcctl list (G) -

This option defines a list of init scripts that smbd +

This option defines a list of init scripts that smbd will use for starting and stopping Unix services via the Win32 ServiceControl API. This allows Windows administrators to utilize the MS Management Console plug-ins to manage a @@ -5487,10 +5510,10 @@

Example: svcctl list = cups postfix portmap httpd -

+

sync always (S) -

This is a boolean parameter that controls +

This is a boolean parameter that controls whether writes will always be written to stable storage before the write call returns. If this is no then the server will be guided by the client's request in each write call (clients can @@ -5501,19 +5524,19 @@ yes in order for this parameter to have any effect.

Default: sync always = no -

+

syslog only (G) -

+

If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files. There still will be some logging to log.[sn]mbd even if syslog only is enabled.

Default: syslog only = no -

+

syslog (G) -

+

This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug level zero maps onto syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps onto LOG_NOTICE, @@ -5524,10 +5547,10 @@ logging to log.[sn]mbd even if syslog only is enabled.

Default: syslog = 1 -

+

template homedir (G) -

When filling out the user information for a Windows NT +

When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the home directory for that user. If the string %D is present it @@ -5535,31 +5558,31 @@ string %U is present it is substituted with the user's Windows NT user name.

Default: template homedir = /home/%D/%U -

+

template shell (G) -

When filling out the user information for a Windows NT +

When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this - parameter to fill in the login shell for that user.

No default

+ parameter to fill in the login shell for that user.

No default

time offset (G) -

This parameter is a setting in minutes to add +

This parameter is a setting in minutes to add to the normal GMT to local time conversion. This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling.

Default: time offset = 0

Example: time offset = 60 -

+

time server (G) -

This parameter determines if nmbd(8) advertises itself as a time server to Windows +

This parameter determines if nmbd(8) advertises itself as a time server to Windows clients.

Default: time server = no -

+

unix charset (G) -

Specifies the charset the unix machine +

Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.

This is also the charset Samba will use when specifying arguments @@ -5568,20 +5591,20 @@

Example: unix charset = ASCII -

+

unix extensions (G) -

This boolean parameter controls whether Samba +

This boolean parameter controls whether Samba implments the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.

Default: unix extensions = yes -

+

unix password sync (G) -

This boolean parameter controls whether Samba +

This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to yes the program specified in the passwd @@ -5590,10 +5613,10 @@ old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new).

Default: unix password sync = no -

+

update encrypted (G) -

+

This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smbpasswd file to be updated automatically as they log on. This option allows a site to migrate from plaintext password authentication (users authenticate with plaintext password over the @@ -5611,10 +5634,10 @@ passwords.

Default: update encrypted = no -

+

use client driver (S) -

This parameter applies only to Windows NT/2000 +

This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required @@ -5639,10 +5662,10 @@ on a print share which has valid print driver installed on the Samba server.

Default: use client driver = no -

+

use mmap (G) -

This global parameter determines if the tdb internals of Samba can +

This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a coherent cache, and so this parameter is set to no by @@ -5651,10 +5674,10 @@ the tdb internal code.

Default: use mmap = yes -

+

username level (G) -

This option helps Samba to try and 'guess' at +

This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all-uppercase username. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the @@ -5669,10 +5692,10 @@

Example: username level = 5 -

+

username map script (G) -

This script is a mutually exclusive alternative to the +

This script is a mutually exclusive alternative to the username map parameter. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication @@ -5683,10 +5706,10 @@

Example: username map script = /etc/samba/scripts/mapusers.sh -

+

username map (G) -

+

This option allows you to specify a file containing a mapping of usernames from the clients to the server. This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they @@ -5770,16 +5793,16 @@

Default: username map = # no username map -

+

user -

This parameter is a synonym for username.

+

This parameter is a synonym for username.

users -

This parameter is a synonym for username.

+

This parameter is a synonym for username.

username (S) -

Multiple users may be specified in a comma-delimited +

Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).

The username line is needed only when the PC is unable to supply its own username. This is the case @@ -5817,28 +5840,28 @@

Example: username = fred, mary, jack, jane, @users, @pcgroup -

+

usershare allow guests (G) -

This parameter controls whether user defined shares are allowed +

This parameter controls whether user defined shares are allowed to be accessed by non-authenticated users or not. It is the equivalent of allowing people who can create a share the option of setting guest ok = yes in a share definition. Due to its security sensitive nature, the default is set to off.

Default: usershare allow guests = no -

+

usershare max shares (G) -

This parameter specifies the number of user defined shares +

This parameter specifies the number of user defined shares that are allowed to be created by users belonging to the group owning the usershare directory. If set to zero (the default) user defined shares are ignored.

Default: usershare max shares = 0 -

+

usershare owner only (G) -

This parameter controls whether the pathname exported by +

This parameter controls whether the pathname exported by a user defined shares must be owned by the user creating the user defined share or not. If set to True (the default) then smbd checks that the directory path being shared is owned by @@ -5848,10 +5871,10 @@ regardless of who owns it.

Default: usershare owner only = True -

+

usershare path (G) -

This parameter specifies the absolute path of the directory on the +

This parameter specifies the absolute path of the directory on the filesystem used to store the user defined share definition files. This directory must be owned by root, and have no access for other, and be writable only by the group owner. In addition the @@ -5872,10 +5895,10 @@ In this case, only members of the group "power_users" can create user defined shares.

Default: usershare path = NULL -

+

usershare prefix allow list (G) -

This parameter specifies a list of absolute pathnames +

This parameter specifies a list of absolute pathnames the root of which are allowed to be exported by user defined share definitions. If the pathname to be exported doesn't start with one of the strings in this list, the user defined share will not be allowed. This allows the Samba @@ -5890,10 +5913,10 @@

Example: usershare prefix allow list = /home /data /space -

+

usershare prefix deny list (G) -

This parameter specifies a list of absolute pathnames +

This parameter specifies a list of absolute pathnames the root of which are NOT allowed to be exported by user defined share definitions. If the pathname exported starts with one of the strings in this list the user defined share will not be allowed. Any pathname not @@ -5909,10 +5932,10 @@

Example: usershare prefix deny list = /etc /dev /private -

+

usershare template share (G) -

User defined shares only have limited possible parameters +

User defined shares only have limited possible parameters such as path, guest ok, etc. This parameter allows usershares to "cloned" from an existing share. If "usershare template share" is set to the name of an existing share, then all usershares @@ -5927,10 +5950,10 @@

Example: usershare template share = template_share -

+

use sendfile (S) -

If this parameter is yes, and the sendfile() +

If this parameter is yes, and the sendfile() system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPU's @@ -5939,10 +5962,10 @@ Windows 9x (using sendfile from Linux will cause these clients to fail).

Default: use sendfile = false -

+

use spnego (G) -

This variable controls controls whether samba will try +

This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism.
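
Review bot: the added line for use spnego still carries the doubled word in "This variable controls controls whether samba will try". Reduce it to a single "controls" while this line is being changed; "samba" could also be capitalised to match the spelling used in the neighbouring entries.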

@@ -5950,10 +5973,10 @@ implementation, there is no reason this should ever be disabled.

Default: use spnego = yes -

+

utmp directory (G) -

This parameter is only available if Samba has +

This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that @@ -5965,10 +5988,10 @@

Example: utmp directory = /var/run/utmp -

+

utmp (G) -

+

This boolean parameter is only available if Samba has been configured and compiled with the option --with-utmp. If set to yes then Samba will attempt to add utmp or utmpx records @@ -5980,10 +6003,10 @@ to find this number. This may impede performance on large installations.

Default: utmp = no -

+

valid users (S) -

+

This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter. @@ -5999,10 +6022,10 @@

Example: valid users = greg, @pcusers -

+

-valid (S) -

This parameter indicates whether a share is +

This parameter indicates whether a share is valid and thus can be used. When this parameter is set to false, the share will be in no way visible nor accessible.

@@ -6011,10 +6034,10 @@ Samba uses this option internally to mark shares as deleted.

Default: -valid = yes -

+

veto files (S) -

+

This is a list of files and directories that are neither visible nor accessible. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards. @@ -6045,10 +6068,10 @@

Default: veto files = No files or directories are vetoed. -

+

veto oplock files (S) -

+

This parameter is only valid when the oplocks parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that @@ -6069,31 +6092,31 @@

Default: veto oplock files = # No files are vetoed for oplock grants -

+

vfs object -

This parameter is a synonym for vfs objects.

+

This parameter is a synonym for vfs objects.

vfs objects (S) -

This parameter specifies the backend names which +

This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects.

Default: vfs objects =

Example: vfs objects = extd_audit recycle -

+

volume (S) -

This allows you to override the volume label +

This allows you to override the volume label returned for a share. Useful for CDROMs with installation programs that insist on a particular volume label.

Default: volume = # the name of the share -

+

wide links (S) -

This parameter controls whether or not links +

This parameter controls whether or not links in the UNIX file system may be followed by the server. Links that point to areas within the directory tree exported by the server are always allowed; this parameter controls access only @@ -6101,10 +6124,10 @@ effect on your server performance due to the extra system calls that Samba has to do in order to perform the link checks.

Default: wide links = yes -

+

winbind cache time (G) -

This parameter specifies the number of +

This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again.

@@ -6112,10 +6135,10 @@ evaluated in real time unless the winbind offline logon option has been enabled.

Default: winbind cache time = 300 -

+

winbind enum groups (G) -

On large installations using winbindd(8) it may be necessary to suppress +

On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If @@ -6123,10 +6146,10 @@ no, calls to the getgrent() system call will not return any data.

Warning

Turning off group enumeration may cause some programs to behave oddly.

Default: winbind enum groups = no -

+

winbind enum users (G) -

On large installations using winbindd(8) it may be +

On large installations using winbindd(8) it may be necessary to suppress the enumeration of users through the setpwent(), getpwent() and endpwent() group of system calls. If @@ -6138,10 +6161,10 @@ full user list when searching for matching usernames.

Default: winbind enum users = no -

+

winbind expand groups (G) -

This option controls the maximum depth that winbindd +

This option controls the maximum depth that winbindd will traverse when flattening nested group memberships of Windows domain groups. This is different from the winbind nested groups option @@ -6153,10 +6176,10 @@ must perform the group unrolling and will be unable to answer incoming NSS or authentication requests during this time.

Default: winbind expand groups = 1 -

+

winbind nested groups (G) -

If set to yes, this parameter activates the support for nested +

If set to yes, this parameter activates the support for nested groups. Nested groups are also called local groups or aliases. They work like their counterparts in Windows: Nested groups are defined locally on any machine (they are shared @@ -6164,10 +6187,10 @@ global groups from any trusted SAM. To be able to use nested groups, you need to run nss_winbind.

Default: winbind nested groups = yes -

+

winbind normalize names (G) -

This parameter controls whether winbindd will replace +

This parameter controls whether winbindd will replace whitespace in user and group names with an underscore (_) character. For example, whether the name "Space Kadet" should be replaced with the string "space_kadet". @@ -6187,10 +6210,10 @@

Example: winbind normalize names = yes -

+

winbind nss info (G) -

This parameter is designed to control how Winbind retrieves Name +

This parameter is designed to control how Winbind retrieves Name Service Information to construct a user's home directory and login shell. Currently the following settings are available: @@ -6212,10 +6235,10 @@

Example: winbind nss info = template sfu -

+

winbind offline logon (G) -

This parameter is designed to control whether Winbind should +

This parameter is designed to control whether Winbind should allow to login with the pam_winbind module using Cached Credentials. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache. @@ -6223,37 +6246,37 @@

Example: winbind offline logon = true -

+

winbind reconnect delay (G) -

This parameter specifies the number of +

This parameter specifies the number of seconds the winbindd(8) daemon will wait between attempts to contact a Domain controller for a domain that is determined to be down or not contactable.

Default: winbind reconnect delay = 30 -

+

winbind refresh tickets (G) -

This parameter is designed to control whether Winbind should refresh Kerberos Tickets +

This parameter is designed to control whether Winbind should refresh Kerberos Tickets retrieved using the pam_winbind module.

Default: winbind refresh tickets = false

Example: winbind refresh tickets = true -

+

winbind rpc only (G) -

+

Setting this parameter to yes forces winbindd to use RPC instead of LDAP to retrieve information from Domain Controllers.

Default: winbind rpc only = no -

+

winbind separator (G) -

This parameter allows an admin to define the character +

This parameter allows an admin to define the character used when listing a username of the form of DOMAIN \user. This parameter is only applicable when using the pam_winbind.so @@ -6264,10 +6287,10 @@

Example: winbind separator = + -

+

winbind trusted domains only (G) -

+

This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the uid's for winbindd users in the hosts primary domain. @@ -6278,10 +6301,10 @@ Refer to the idmap_nss(8) man page for more information.

Default: winbind trusted domains only = no -

+

winbind use default domain (G) -

This parameter specifies whether the +

This parameter specifies whether the winbindd(8) daemon should operate on users without domain component in their username. Users without a domain component are treated as is part of the winbindd server's own @@ -6291,10 +6314,10 @@

Example: winbind use default domain = yes -

+

wins hook (G) -

When Samba is running as a WINS server this +

When Samba is running as a WINS server this allows you to call an external program for all changes to the WINS database. The primary use for this option is to allow the dynamic update of external name resolution databases such as @@ -6315,17 +6338,17 @@ addresses currently registered for that name. If this list is empty then the name should be deleted.

An example script that calls the BIND dynamic DNS update program nsupdate is provided in the examples - directory of the Samba source code.

No default

+ directory of the Samba source code.

No default

wins proxy (G) -

This is a boolean that controls if nmbd(8) will respond to broadcast name +

This is a boolean that controls if nmbd(8) will respond to broadcast name queries on behalf of other hosts. You may need to set this to yes for some older clients.

Default: wins proxy = no -

+

wins server (G) -

This specifies the IP address (or DNS name: IP +

This specifies the IP address (or DNS name: IP address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on your network then you should set this to the WINS server's IP.

You should point this at your WINS server if you have a multi-subnetted network.

If you want to work in multiple namespaces, you can @@ -6344,19 +6367,19 @@

Example: wins server = 192.9.200.1 192.168.2.61 -

+

wins support (G) -

This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should +

This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should not set this to yes unless you have a multi-subnetted network and you wish a particular nmbd to be your WINS server. Note that you should NEVER set this to yes on more than one machine in your network.

Default: wins support = no -

+

workgroup (G) -

This controls what workgroup your server will +

This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security = domain @@ -6364,18 +6387,18 @@

Example: workgroup = MYGROUP -

+

writable -

This parameter is a synonym for writeable.

+

This parameter is a synonym for writeable.

writeable (S) -

Inverted synonym for read only.

Default: writeable = no +

Inverted synonym for read only.

Default: writeable = no -

+

write cache size (S) -

If this integer parameter is set to non-zero value, +

If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file (it does not do this for non-oplocked files). All writes that the client does not request @@ -6393,10 +6416,10 @@

Example: write cache size = 262144 # for a 256k cache size per file -

+

write list (S) -

+

This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the read only option is set to. The list can @@ -6411,17 +6434,17 @@

Example: write list = admin, root, @staff -

+

write raw (G) -

This parameter controls whether or not the server +

This parameter controls whether or not the server will support raw write SMB's when transferring data from clients. You should never need to change this parameter.

Default: write raw = yes -

+

wtmp directory (G) -

+

This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact @@ -6433,7 +6456,7 @@

Example: wtmp directory = /var/log/wtmp -

WARNINGS

+

WARNINGS

Although the configuration file permits service names to contain spaces, your client software may not. Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.

@@ -6446,8 +6469,8 @@ for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the permissions on spool directories are correct. -

VERSION

This man page is correct for version 3 of the Samba suite.

SEE ALSO

- samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).

AUTHOR

+

VERSION

This man page is correct for version 3 of the Samba suite.

SEE ALSO

+ samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/apa.html samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/apa.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/apa.html 2009-04-30 10:08:55.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/apa.html 2009-06-02 09:48:50.000000000 +0200 @@ -1,50 +1,50 @@ Appendix A.  GNU General Public License version 3

Appendix A.  + Prev Part III. Reference Section Next

Appendix A.  GNU General Public License version 3 -

Table of Contents

A. +

Version 3, 29 June 2007 @@ -54,7 +54,7 @@

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. -

+

Preamble

The GNU General Public License is a free, copyleft @@ -118,9 +118,9 @@

The precise terms and conditions for copying, distribution and modification follow. -

+

TERMS AND CONDITIONS -

+

0. Definitions.

“This License” refers to version 3 of the GNU @@ -162,7 +162,7 @@ License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. -

+

1. Source Code.

The “source code” for a work means the preferred form of the @@ -202,7 +202,7 @@ automatically from other parts of the Corresponding Source.

The Corresponding Source for a work in source code form is that same work. -

+

2. Basic Permissions.

All rights granted under this License are granted for the term of copyright @@ -227,7 +227,7 @@ Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. -

+

3. Protecting Users’ Legal Rights From Anti-Circumvention Law.

No covered work shall be deemed part of an effective technological measure @@ -242,7 +242,7 @@ the work as a means of enforcing, against the work’s users, your or third parties’ legal rights to forbid circumvention of technological measures. -

+

4. Conveying Verbatim Copies.

You may convey verbatim copies of the Program’s source code as you @@ -255,7 +255,7 @@

You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. -

+

5. Conveying Modified Source Versions.

You may convey a work based on the Program, or the modifications to produce @@ -291,7 +291,7 @@ or legal rights of the compilation’s users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. -

+

6. Conveying Non-Source Forms.

You may convey a covered work in object code form under the terms of @@ -386,7 +386,7 @@ (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. -

+

7. Additional Terms.

“Additional permissions” are terms that supplement the terms of @@ -450,7 +450,7 @@ Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. -

+

8. Termination.

You may not propagate or modify a covered work except as expressly provided @@ -476,7 +476,7 @@ License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. -

+

9. Acceptance Not Required for Having Copies.

You are not required to accept this License in order to receive or run a @@ -487,7 +487,7 @@ These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. -

+

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically receives a @@ -512,7 +512,7 @@ or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. -

+

11. Patents.

A “contributor” is a copyright holder who authorizes use under @@ -579,7 +579,7 @@ Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. -

+

12. No Surrender of Others’ Freedom.

If conditions are imposed on you (whether by court order, agreement or @@ -591,7 +591,7 @@ to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. -

+

13. Use with the GNU Affero General Public License.

Notwithstanding any other provision of this License, you have permission to @@ -602,7 +602,7 @@ requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. -

+

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of the @@ -627,7 +627,7 @@ Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. -

+

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE @@ -638,7 +638,7 @@ THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. -

+

16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL @@ -650,7 +650,7 @@ PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. -

+

17. Interpretation of Sections 15 and 16.

If the disclaimer of warranty and limitation of liability provided above @@ -659,9 +659,9 @@ waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. -

+

END OF TERMS AND CONDITIONS -

+

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/appendix.html samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/appendix.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/appendix.html 2009-04-30 10:08:53.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/appendix.html 2009-06-02 09:48:48.000000000 +0200 @@ -1,18 +1,18 @@ -Chapter 15. A Collection of Useful Tidbits

Chapter 15. A Collection of Useful Tidbits

- - +Chapter 15. A Collection of Useful Tidbits

Chapter 15. A Collection of Useful Tidbits

+ + Information presented here is considered to be either basic or well-known material that is informative yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical, as shown in the example given below.

Joining a Domain: Windows 200x/XP Professional

- + Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security. This section steps through the process for making a Windows 200x/XP Professional machine a member of a Domain Security environment. It should be noted that this process is identical when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC. -

Procedure 15.1. Steps to Join a Domain

  1. +

    Procedure 15.1. Steps to Join a Domain

    1. Click Start.

    2. Right-click My Computer, and then select Properties. @@ -50,19 +50,19 @@ The “Welcome to the MIDEARTH domain” dialog box should appear. At this point, the machine must be rebooted. Joining the domain is now complete.

    - - + + The screen capture shown in “The Computer Name Changes Panel Domain MIDEARTH” has a button labeled More.... This button opens a panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.

    - - + + Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server to find the services (like which machines are domain controllers or which machines have the Netlogon service running).

    - + The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix, this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to a valid IP address. @@ -70,12 +70,12 @@ The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain. Where the client is a member of a Samba domain, it is preferable to leave this field blank.

    - + According to Microsoft documentation, “If this computer belongs to a group with Group Policy enabled on Primary DNS suffice of this computer, the string specified in the Group Policy is used as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is used only if Group Policy is disabled or unspecified.” -

Samba System File Location

+

Samba System File Location

One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is in the /usr/local/samba directory. This is a perfectly reasonable location, particularly given all the other @@ -83,7 +83,7 @@

Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team default. -

+

Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy System (FHS), have elected to locate the configuration files under the /etc/samba directory, common binary files (those used by users) in the /usr/bin directory, and the administrative files (daemons) in the @@ -92,13 +92,13 @@ /usr/share/swat. There are additional support files for smbd in the /usr/lib/samba directory tree. The files located there include the dynamically loadable modules for the passdb backend as well as for the VFS modules. -

+

Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in the /var/lib/samba directory. Log files are created in /var/log/samba.

When Samba is built and installed using the default Samba Team process, all files are located under the /usr/local/samba directory tree. This makes it simple to find the files that Samba owns. -

+

One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location of all files called smbd. Here is an example:

@@ -131,7 +131,7 @@
 	

Many people have been caught by installation of Samba using the default Samba Team process when it was already installed by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by - executing: + executing:

 root#  rpm -qa | grep samba
 samba3-pdb-3.0.20-1
@@ -143,9 +143,9 @@
 samba3-doc-3.0.20-1
 samba3-client-3.0.20-1
 samba3-cifsmount-3.0.20-1
-	

+

The package names, of course, vary according to how the vendor, or the binary package builder, prepared them. -

Starting Samba

+

Starting Samba

Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba, there are three daemons, two of which are needed as a minimum. @@ -186,19 +186,19 @@ fi exit 0


nmbd

- - + + This daemon handles all name registration and resolution requests. It is the primary vehicle involved in network browsing. It handles all UDP-based protocols. The nmbd daemon should be the first command started as part of the Samba startup process.

smbd

- - + + This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also manages local authentication. It should be started immediately following the startup of nmbd.

winbindd

- - + + This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when Samba has trust relationships with another domain. The winbindd daemon will check the smb.conf file for the presence of the idmap uid and idmap gid @@ -252,22 +252,22 @@ echo "Usage: smb {start|stop|restart|status}" exit 1 esac -


+


SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently executed from the command line is shown in “A Useful Samba Control Script for SUSE Linux”. This can be located in the directory /sbin in a file called samba. This type of control script should be owned by user root and group root, and set so that only root can execute it. -

+

A sample startup script for a Red Hat Linux system is shown in “A Sample Samba Control Script for Red Hat Linux”. This file could be located in the directory /etc/rc.d and can be called samba. A similar startup script is required to control winbind. If you want to find more information regarding startup scripts please refer to the packaging section of the Samba source code distribution tarball. The packaging files for each platform include a startup control file. -

DNS Configuration Files

+

DNS Configuration Files

The following files are common to all DNS server configurations. Rather than repeat them multiple times, they are presented here for general reference. -

The Forward Zone File for the Loopback Adaptor

+

The Forward Zone File for the Loopback Adaptor

The forward zone file for the loopback address never changes. An example file is shown in “DNS Localhost Forward Zone File: /var/lib/named/localhost.zone”. All traffic destined for an IP address that is hosted on a physical interface on the machine itself is routed to the loopback adaptor. This is @@ -284,7 +284,7 @@ IN NS @ IN A 127.0.0.1 -


The Reverse Zone File for the Loopback Adaptor

+


The Reverse Zone File for the Loopback Adaptor

The reverse zone file for the loopback address as shown in “DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone” is necessary so that references to the address 127.0.0.1 can be resolved to the correct name of the interface. @@ -344,15 +344,15 @@ . 3600000 NS M.ROOT-SERVERS.NET. M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 ; End of File -


DNS Root Server Hint File

+


DNS Root Server Hint File

The content of the root hints file as shown in “DNS Root Name Server Hint File: /var/lib/named/root.hint” changes slowly over time. Periodically this file should be updated from the source shown. Because of its size, this file is located at the end of this chapter. -

Alternative LDAP Database Initialization

+

Alternative LDAP Database Initialization

The following procedure may be used as an alternative means of configuring the initial LDAP database. Many administrators prefer to have greater control over how system files get configured. -

Initialization of the LDAP Database

+

Initialization of the LDAP Database

The first step to get the LDAP server ready for action is to create the LDIF file from which the LDAP database will be preloaded. This is necessary to create the containers into which the user, group, and other accounts are written. It is also necessary to @@ -705,14 +705,14 @@ sambaGroupType: 2 displayName: Domain Users description: Domain Users -


The LDAP Account Manager

- - - - - - - +


The LDAP Account Manager

+ + + + + + + The LDAP Account Manager (LAM) is an application suite that has been written in PHP. LAM can be used with any Web server that has PHP4 support. It connects to the LDAP server either using unencrypted connections or via SSL/TLS. LAM can be used to manage @@ -724,24 +724,24 @@ The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter of 2005.

- - - + + + Requirements:

  • A web server that will work with PHP4.

  • PHP4 (available from the PHP home page.)

  • OpenLDAP 2.0 or later.

  • A Web browser that supports CSS.

  • Perl.

  • The gettext package.

  • mcrypt + mhash (optional).

  • It is also a good idea to install SSL support.

LAM is a useful tool that provides a simple Web-based device that can be used to manage the contents of the LDAP directory to: - - - + + +

  • Display user/group/host and Domain entries.

  • Manage entries (Add/Delete/Edit).

  • Filter and sort entries.

  • Store and use multiple operating profiles.

  • Edit organizational units (OUs).

  • Upload accounts from a file.

  • Is compatible with Samba-2.2.x and Samba-3.

When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba user, group, and windows domain member machine accounts.

- - - - + + + + The default password is “lam.” It is highly recommended that you use only an SSL connection to your Web server for all remote operations involving LAM. If you want secure connections, you must configure your Apache Web server to permit connections @@ -760,7 +760,7 @@ For example, on SUSE Linux Enterprise Server 9, copy to the /srv/www/htdocs directory.

  • - + Set file permissions using the following commands:

     root#  chown -R wwwrun:www /srv/www/htdocs/lam
    @@ -770,7 +770,7 @@
     root#  chmod 755 /srv/www/htdocs/lam/lib/*pl
     

  • - + Using your favorite editor create the following config.cfg LAM configuration file:

    @@ -778,8 +778,8 @@
     root#  cp config.cfg_sample config.cfg
     root#  vi config.cfg
     

    - - + + An example file is shown in “Example LAM Configuration File config.cfg”. This is the minimum configuration that must be completed. The LAM profile file can be created using a convenient wizard that is part of the LAM @@ -794,7 +794,7 @@ lam.conf then, using your favorite editor, change the settings to match local site needs.

  • - + An example of a working file is shown here in “LAM Profile Control File lam.conf”. This file has been stripped of comments to keep the size small. The comments and help information provided in the profile file that the wizard creates @@ -802,12 +802,12 @@ Your configuration file obviously reflects the configuration options that are preferred at your site.

    - + It is important that your LDAP server is running at the time that LAM is being configured. This permits you to validate correct operation. An example of the LAM login screen is provided in “The LDAP Account Manager Login Screen”.

    Figure 15.6. The LDAP Account Manager Login Screen

    The LDAP Account Manager Login Screen

    - + The LAM configuration editor has a number of options that must be managed correctly. An example of use of the LAM configuration editor is shown in “The LDAP Account Manager Configuration Screen”. It is important that you correctly set the minimum and maximum UID/GID values that are @@ -817,13 +817,13 @@ the initial settings to be made. Do not forget to reset these to sensible values before using LAM to add additional users and groups.

    Figure 15.7. The LDAP Account Manager Configuration Screen

    The LDAP Account Manager Configuration Screen

    - + LAM has some nice, but unusual features. For example, one unexpected feature in most application screens permits the generation of a PDF file that lists configuration information. This is a well thought out facility. This option has been edited out of the following screen shots to conserve space.

    - + When you log onto LAM the opening screen drops you right into the user manager as shown in “The LDAP Account Manager User Edit Screen”. This is a logical action as it permits the most-needed facility to be used immediately. The editing of an existing user, as with the addition of a new user, @@ -837,7 +837,7 @@ shows a sub-screen from the group editor that permits users to be assigned secondary group memberships.

    Figure 15.9. The LDAP Account Manager Group Edit Screen

    The LDAP Account Manager Group Edit Screen

    Figure 15.10. The LDAP Account Manager Group Membership Edit Screen

    The LDAP Account Manager Group Membership Edit Screen

    - + The final screen presented here is one that you should not normally need to use. Host accounts will be automatically managed using the smbldap-tools scripts. This means that the screen “The LDAP Account Manager Host Edit Screen” will, in most cases, not be used. @@ -883,7 +883,7 @@ samba3: yes cachetimeout: 5 pwdhash: SSHA -

    IDEALX Management Console

    +


    IDEALX Management Console

    IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive web-based management interface for UNIX and Linux systems.

    @@ -897,7 +897,7 @@

    For further information regarding IMC refer to the web site. Prebuilt RPM packages are also available. -

    Effect of Setting File and Directory SUID/SGID Permissions Explained

    +

    Effect of Setting File and Directory SUID/SGID Permissions Explained

    The setting of the SUID/SGID bits on the file or directory permissions flag has particular consequences. If the file is executable and the SUID bit is set, it executes with the privilege of (with the UID of) the owner of the file. For example, if you are logged onto a system as @@ -967,34 +967,34 @@ total 1 drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt

    -

    Shared Data Integrity

    +

    Shared Data Integrity

    The integrity of shared data is often viewed as a particularly emotional issue, especially where there are concurrent problems with multiuser data access. Contrary to the assertions of some who have experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.

    The solution to concurrent multiuser data access problems must consider three separate areas - from which the problem may stem: -

    • application-level locking controls

    • client-side locking controls

    • server-side locking controls

    + from which the problem may stem: +

    • application-level locking controls

    • client-side locking controls

    • server-side locking controls

    Many database applications use some form of application-level access control. An example of one well-known application that uses application-level locking is Microsoft Access. Detailed guidance is provided here because this is the most common application for which problems have been reported. -

    +

    Common applications that are affected by client- and server-side locking controls include MS Excel and Act!. Important locking guidance is provided here. -

    Microsoft Access

    +

    Microsoft Access

    The best advice that can be given is to carefully read the Microsoft knowledgebase articles that cover this area. Examples of relevant documents include: -

    • http://support.microsoft.com/default.aspx?scid=kb;en-us;208778

    • http://support.microsoft.com/default.aspx?scid=kb;en-us;299373

    +

    • http://support.microsoft.com/default.aspx?scid=kb;en-us;208778

    • http://support.microsoft.com/default.aspx?scid=kb;en-us;299373

    Make sure that your MS Access database file is configured for multiuser access (not set for exclusive open). Open MS Access on each client workstation, then set the following: (Menu bar) Tools+Options+[tab] General. Set network path to Default database folder: \\server\share\folder.

    You can configure MS Access file sharing behavior as follows: click [tab] Advanced. - Set: -

    • Default open mode: Shared

    • Default Record Locking: Edited Record

    • Open databases using record_level locking

    + Set: +

    • Default open mode: Shared

    • Default Record Locking: Edited Record

    • Open databases using record_level locking

    You must now commit the changes so that they will take effect. To do so, click ApplyOk. At this point, you should exit MS Access, restart it, and then validate that these settings have not changed. -

    Act! Database Sharing

    +

    Act! Database Sharing

    Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you must disable opportunistic locking on the server and all workstations. Failure to do so results in data corruption. This information is available from the Act! Web site @@ -1002,7 +1002,7 @@ 1998223162925 as well as from article 200110485036. -

    +

    These documents clearly state that opportunistic locking must be disabled on both the server (Samba in the case we are interested in here), as well as on every workstation from which the centrally shared Act! database will be accessed. Act! provides @@ -1010,18 +1010,18 @@ registry settings that may otherwise interfere with the operation of Act! Registered Act! users may download this utility from the Act! Web site. -

    Opportunistic Locking Controls

    +

    Opportunistic Locking Controls

    Third-party Windows applications may not be compatible with the use of opportunistic file - and record locking. For applications that are known not to be compatible,[14] oplock + and record locking. For applications that are known not to be compatible,[14] oplock support may need to be disabled both on the Samba server and on the Windows workstations. -

    +

    Oplocks enable a Windows client to cache parts of a file that are being edited. Another windows client may then request to open the file with the ability to write to it. The server will then ask the original workstation that had the file open with a write lock to release its lock. Before doing so, that workstation must flush the file from cache memory to the disk or network drive. -

    +

    Disabling of Oplocks usage may require server and client changes. Oplocks may be disabled by file, by file pattern, on the share, or on the Samba server. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/ch14.html samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/ch14.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/ch14.html 2009-04-30 10:08:52.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/ch14.html 2009-06-02 09:48:47.000000000 +0200 @@ -1,9 +1,9 @@ -Chapter 14. Samba Support

    Chapter 14. Samba Support

    - +Chapter 14. Samba Support

    Chapter 14. Samba Support

    + One of the most difficult to answer questions in the information technology industry is, “What is support?”. That question irritates some folks, as much as common answers may annoy others.

    - + The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to an Internet service provider who, instead of listening to the problem to find a solution, blandly replies: “Oh, Linux? We do not support Linux!”. It has happened to me, and similar situations happen @@ -15,50 +15,50 @@ at the right time, no matter the situation. Support is all that it takes to take away pain, disruption, inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk.

    - - - + + + One of the forces that has become a driving force for the adoption of open source software is the fact that many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or that have been found wanting for other reasons.

    - - + + In recognition of the need for needs satisfaction as the primary experience an information technology user or consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience in respect of problem resolution.

    - - - + + + In the open source software arena there are two support options: free support and paid-for (commercial) support. -

    Free Support

    - - - - - - +

    Free Support

    + + + + + + Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user supported mutual assistance.

    - - - - - + + + + + The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments. Information regarding subscription to the Samba mailing list can be found on the Samba web site. The public mailing list that can be used to obtain free, user contributed, support is called the samba list. The email address for this list is at mail:samba@samba.org. Information regarding the Samba IRC channels may be found on the Samba IRC web page.

    - - - - + + + + As a general rule, it is considered poor net behavior to contact a Samba Team member directly for free support. Most active members of the Samba Team work exceptionally long hours to assist users who have demonstrated a qualified problem. Some team members may respond to direct email @@ -66,9 +66,9 @@ Team members actually provide professional paid-for Samba support and it is therefore wise to show appropriate discretion and reservation in all direct contact.

    - - - + + + When you stumble across a Samba bug, often the quickest way to get it resolved is by posting a bug report. All such reports are mailed to the responsible code maintainer for action. The better the report, and the more serious it is, @@ -76,16 +76,16 @@ the reported bug it is likely to be rejected. It is up to you to provide sufficient information that will permit the problem to be reproduced.

    - + We all recognize that sometimes free support does not provide the answer that is sought within the time-frame required. At other times the problem is elusive and you may lack the experience necessary to isolate the problem and thus to resolve it. This is a situation where is may be prudent to purchase paid-for support. -

    Commercial Support

    +

    Commercial Support

    There are six basic support oriented services that are most commonly sought by Samba sites:

    • Assistance with network design

    • Staff Training

    • Assistance with Samba network deployment and installation

    • Priority telephone or email Samba configuration assistance

    • Trouble-shooting and diagnostic assistance

    • Provision of quality assured ready-to-install Samba binary packages

    - - + + Information regarding companies that provide professional Samba support can be obtained by performing a Google search, as well as by reference to the Samba Support web page. Companies who notify the Samba Team that they provide commercial support are given a free listing that is sorted by the country of origin. @@ -93,13 +93,13 @@ provider and to satisfy yourself that both the company and its staff are able to deliver what is required of them.

    - + The policy within the Samba Team is to treat all commercial support providers equally and to show no preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else. You are encouraged to obtain the services needed from a company in your local area. The open source movement is pro-community; so do what you can to help a local business to prosper.

    - + Open source software support can be found in any quality, at any price and in any place you can to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for suffering in the mistaken belief that Samba is unsupported software it is supported. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/DomApps.html samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/DomApps.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/DomApps.html 2009-04-30 10:08:51.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/DomApps.html 2009-06-02 09:48:46.000000000 +0200 @@ -1,9 +1,9 @@ -Chapter 12. Integrating Additional Services

    Chapter 12. Integrating Additional Services

    - - - - - +Chapter 12. Integrating Additional Services

    Chapter 12. Integrating Additional Services

    + + + + + You've come a long way now. You have pretty much mastered Samba-3 for most uses it can be put to. Up until now, you have cast Samba-3 in the leading role, and where authentication was required, you have used one or another of @@ -14,7 +14,7 @@ implementing Samba and Samba-supported services in a domain controlled by the latest Windows authentication technologies. Let's get started this is leading edge. -

    Introduction

    +

    Introduction

    Abmas has continued its miraculous growth; indeed, nothing seems to be able to stop its diversification into multiple (and seemingly unrelated) fields. Its latest acquisition is Abmas Snack Foods, a big player in the snack-food @@ -30,17 +30,17 @@ You have decided to set the ball rolling by introducing Samba-3 into the network gradually, taking over key services and easing the way to a full migration and, therefore, integration into Abmas's existing business later. -

    Assignment Tasks

    - +

    Assignment Tasks

    + You've promised the skeptical Abmas Snack Foods management team that you can show them how Samba can ease itself and other Open Source technologies into their existing infrastructure and deliver sound business advantages. Cost cutting is high on their agenda (a major promise of the acquisition). You have chosen Web proxying and caching as your proving ground.

    - - + + Abmas Snack Foods has several thousand users housed at its head office and multiple regional offices, plants, and warehouses. A high proportion of the business's work is done online, so Internet access for most of these @@ -50,9 +50,9 @@ the team soon discovered proxying and caching. In fact, they became one of the earliest commercial users of Microsoft ISA.

    - - - + + + The team is not happy with ISA. Because it never lived up to its marketing promises, it underperformed and had reliability problems. You have pounced on the opportunity to show what Open Source can do. The one thing they do like, however, is ISA's @@ -63,7 +63,7 @@

    This is a hands-on exercise. You build software applications so that you obtain the functionality Abmas needs. -

    Dissection and Discussion

    +

    Dissection and Discussion

    The key requirements in this business example are straightforward. You are not required to do anything new, just to replicate an existing system, not lose any existing features, and improve performance. The key points are: @@ -73,20 +73,20 @@ Distributed system to accommodate load and geographical distribution of users

  • Seamless and transparent interoperability with the existing Active Directory domain -

  • Technical Issues

    - - - - - - - - - - - - - +

    Technical Issues

    + + + + + + + + + + + + + Functionally, the user's Internet Explorer requests a browsing session with the Squid proxy, for which it offers its AD authentication token. Squid hands off the authentication request to the Samba-3 authentication helper application @@ -107,25 +107,25 @@ Configuring, compiling, and then installing the supporting Samba-3 components

  • Tying it all together -

  • Political Issues

    +

    Political Issues

    You are a stranger in a strange land, and all eyes are upon you. Some would even like to see you fail. For you to gain the trust of your newly acquired IT people, it is essential that your solution does everything the old one did, but does it better in every way. Only then will the entrenched positions consider taking up your new way of doing things on a wider scale. -

    Implementation

    - +

    Implementation

    + First, your system needs to be prepared and in a known good state to proceed. This consists of making sure that everything the system depends on is present and that everything that could interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 packages and updating them if necessary. If conflicting packages of these programs are installed, they must be removed.

    - + The following packages should be available on your Red Hat Linux system:

    • - - + + krb5-libs

    • krb5-devel @@ -136,14 +136,14 @@

    • pam_krb5

    - + In the case of SUSE Linux, these packages are called:

    • heimdal-lib

    • heimdal-devel

    • - + heimdal

    • pam_krb5 @@ -152,26 +152,26 @@ them from the vendor's installation media. Follow the administrative guide for your Linux system to ensure that the packages are correctly updated.

      Note

      - - - + + + If the requirement is for interoperation with MS Windows Server 2003, it will be necessary to ensure that you are using MIT Kerberos version 1.3.1 or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires updating.

      - - + + Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.

      Removal of Pre-Existing Conflicting RPMs

      - + If Samba and/or Squid RPMs are installed, they should be updated. You can build both from source.

      - - - + + + Locating the packages to be un-installed can be achieved by running:

       root#  rpm -qa | grep -i samba
      @@ -181,11 +181,11 @@
       

       root#  rpm -e samba-common
       

      -

      Kerberos Configuration

      - - - - +

      Kerberos Configuration

      + + + + The systems Kerberos installation must be configured to communicate with your primary Active Directory server (ADS KDC).

      @@ -193,13 +193,13 @@ although the current default Red Hat MIT version 1.2.7 gives acceptable results unless you are using Windows 2003 servers.

      - - - - - - + + + + + + Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an /etc/krb5.conf file in order to work correctly. All ADS domains automatically create SRV records in the DNS zone Kerberos.REALM.NAME for each KDC in the realm. Since both @@ -207,25 +207,25 @@ automatically find the KDCs. In addition, krb5.conf allows specifying only a single KDC, even if there is more than one. Using the DNS lookup allows the KRB5 libraries to use whichever KDCs are available. -

      Procedure 12.1. Kerberos Configuration Steps

      1. - +

        Procedure 12.1. Kerberos Configuration Steps

        1. + If you find the need to manually configure the krb5.conf, you should edit it to have the contents shown in “Kerberos Configuration File: /etc/krb5.conf”. The final fully qualified path for this file should be /etc/krb5.conf.

        2. - - - - + - - - - - - + + + + + + + + + The following gotchas often catch people out. Kerberos is case sensitive. Your realm must be in UPPERCASE, or you will get an error: “Cannot find KDC for requested realm while getting initial credentials”. Kerberos is picky about time synchronization. The time @@ -241,7 +241,7 @@ NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error when you try to join the realm.

        3. - + You are now ready to test your installation by issuing the command:

           root#  kinit [USERNAME@REALM]
          @@ -261,29 +261,29 @@
           	LONDON.ABMAS.BIZ = {
           	kdc = w2k3s.london.abmas.biz
           	}
          -

      +


    The command

     root#  klist -e 
     

    shows the Kerberos tickets cached by the system. -

    Samba Configuration

    - +

    Samba Configuration

    + Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it has the necessary components to interface with Active Directory. -

    Procedure 12.2. Securing Samba-3 With ADS Support Steps

    1. - - - - - +

      Procedure 12.2. Securing Samba-3 With ADS Support Steps

      1. + + + + + Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team FTP site. The official Samba Team RPMs for Red Hat Fedora Linux contain the ntlm_auth tool needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.

        - - + + The necessary, validated RPM packages for SUSE Linux may be obtained from the SerNet FTP site that is located in Germany. All SerNet RPMs are validated, have the necessary @@ -293,11 +293,11 @@ Using your favorite editor, change the /etc/samba/smb.conf file so it has contents similar to the example shown in “Samba Configuration File: /etc/samba/smb.conf”.

      2. - - - i - - + + + i + + Next you need to create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. @@ -307,11 +307,11 @@ root# net ads join -U administrator%vulcon

      3. - - - - + + + + Your new Samba binaries must be started in the standard manner as is applicable to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
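
Review bot: the context line `net ads join -U administrator%vulcon` at the top of this hunk puts the domain administrator's password on the command line, where it ends up in shell history and is visible in the process list while the join runs. The hunk only touches the empty anchor lines around it, so the example passes through unchanged. The documentation source would be better showing `net ads join -U administrator` and letting the tool prompt for the password.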

        @@ -320,11 +320,11 @@
         root#  winbindd -D
         

      4. - - - - - + + + + + We now need to test that Samba is communicating with the Active Directory domain; most specifically, we want to see whether winbind is enumerating users and groups. Issue the following commands: @@ -357,8 +357,8 @@

        This enumerates all the groups in your Active Directory tree.

      5. - - + + Squid uses the ntlm_auth helper build with Samba-3. You may test ntlm_auth with the command:

        @@ -370,14 +370,14 @@
         root#  NT_STATUS_OK: Success (0x0)
         

      6. - - - - - - - + + + + + + + The ntlm_auth helper, when run from a command line as the user “root”, authenticates against your Active Directory domain (with the aid of winbind). It manages this by reading from the winbind privileged pipe. @@ -395,37 +395,37 @@ root# chgrp squid /var/lib/samba/winbindd_privileged root# chmod 750 /var/lib/samba/winbindd_privileged

        -

    NSS Configuration

    - - - +

    NSS Configuration

    + + + For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.

    Edit your /etc/nsswitch.conf file so it has the parameters shown in “NSS Configuration File Extract File: /etc/nsswitch.conf”. -

    Example 12.2. Samba Configuration File: /etc/samba/smb.conf

    [global]
    workgroup = LONDON
    netbios name = W2K3S
    realm = LONDON.ABMAS.BIZ
    security = ads
    encrypt passwords = yes
    password server = w2k3s.london.abmas.biz
    # separate domain and username with '/', like DOMAIN/username
    winbind separator = /
    # use UIDs from 10000 to 20000 for domain users
    idmap uid = 10000-20000
    # use GIDs from 10000 to 20000 for domain groups
    idmap gid = 10000-20000
    # allow enumeration of winbind users and groups
    winbind enum users = yes
    winbind enum groups = yes
    winbind user default domain = yes

    Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf

    +	

    Example 12.2. Samba Configuration File: /etc/samba/smb.conf

    [global]
    workgroup = LONDON
    netbios name = W2K3S
    realm = LONDON.ABMAS.BIZ
    security = ads
    encrypt passwords = yes
    password server = w2k3s.london.abmas.biz
    # separate domain and username with '/', like DOMAIN/username
    winbind separator = /
    # use UIDs from 10000 to 20000 for domain users
    idmap uid = 10000-20000
    # use GIDs from 10000 to 20000 for domain groups
    idmap gid = 10000-20000
    # allow enumeration of winbind users and groups
    winbind enum users = yes
    winbind enum groups = yes
    winbind user default domain = yes

    Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf

     passwd: files winbind
     shadow: files
     group: files winbind
    -

    Squid Configuration

    - - +


    Squid Configuration

    + + Squid must be configured correctly to interact with the Samba-3 components that handle Active Directory authentication. -

    Configuration

    Procedure 12.3. Squid Configuration Steps

    1. - - - +

    Configuration

    Procedure 12.3. Squid Configuration Steps

    1. + + + If your Linux distribution is SUSE Linux 9, the version of Squid supplied is already enabled to use the winbind helper agent. You can therefore omit the steps that would build the Squid binary programs.
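
Review bot: in Example 12.2 (the smb.conf listing carried on both sides of the preceding hunk), `winbind user default domain = yes` is not an smb.conf parameter. The option is `winbind use default domain`, so as printed the line is ignored as unknown and the default-domain behaviour the example intends is never enabled. The same listing sets `netbios name = W2K3S` while `password server` points at w2k3s.london.abmas.biz, which gives the Samba host the same NetBIOS name as the domain controller. The example should use the proxy host's own name there.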

    2. - - - - - + + + + + Squid, by default, runs as the user nobody. You need to add a system user squid and a system group squid if they are not set up already (if the default @@ -433,16 +433,16 @@ squid user in /etc/passwd and a squid group in /etc/group if these aren't there already.

    3. - - + + You now need to change the permissions on Squid's var directory. Enter the following command:

       root#  chown -R squid /var/cache/squid
       

    4. - - + + Squid must also have control over its logging. Enter the following commands:

       root#  chown -R chown squid:squid /var/log/squid
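
Review bot: the context line `chown -R chown squid:squid /var/log/squid` in step 4 has a doubled `chown`, so the literal word `chown` is taken as the owner argument and the command fails instead of handing the log directory to the squid user. The hunk changes only the blank lines above it and leaves the typo in place. The documentation source should read `chown -R squid:squid /var/log/squid`.
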
      @@ -456,11 +456,11 @@
       root#  chmod 770 /var/cache/squid
       

    5. - + The /etc/squid/squid.conf file must be edited to include the lines from “Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]” and “Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]”.

    6. - + You must create Squid's cache directories before it may be run. Enter the following command:

       root#  squid -z
      @@ -487,23 +487,23 @@
       	auth_param basic credentialsttl 2 hours
       	acl AuthorizedUsers proxy_auth REQUIRED
       	http_access allow all AuthorizedUsers
      -

    Key Points Learned

    - - - - - +


    Key Points Learned

    + + + + + Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft Windows clients use, even when accessing traditional services such as Web browsers. Depending on whom you discuss this with, this is either good or bad. No matter how you might evaluate this, the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over the cookie-based authentication regime used by all competing browsers. It is Samba's implementation of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter. -

    Questions and Answers

    - - - - +

    Questions and Answers

    + + + + The development of the ntlm_auth module was first discussed in many Open Source circles in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of ntlm_auth during one of the late developer meetings that took place. Since that time, the @@ -522,34 +522,34 @@ You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory. Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk. -

    +

    What does Samba have to do with Web proxy serving? -
    +
    What other services does Samba provide? -
    +
    Does use of Samba (ntlm_auth) improve the performance of Squid? -

    +

    What does Samba have to do with Web proxy serving?

    - - - - - + + + + + To provide transparent interoperability between Windows clients and the network services that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit of Open Source software is that it can readily be reused. The current ntlm_auth module is basically a wrapper around authentication code from the core of the Samba project.

    - - - - + - - - - + + + + + + + The ntlm_auth module supports basic plain-text authentication and NTLMSSP protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without the user being interrupted via his or her Windows logon credentials. This facility is available with @@ -557,36 +557,36 @@ There are a few open source initiatives to provide support for these protocols in the Apache Web server also.

    - + The short answer is that by adding a wrapper around key authentication components of Samba, other projects (like Squid) can benefit from the labors expended in meeting user interoperability needs. -

    +

    What other services does Samba provide?

    - - - - + + + + Samba-3 is a file and print server. The core components that provide this functionality are smbd, nmbd, and the identity resolver daemon, winbindd.

    - - + + Samba-3 is an SMB/CIFS client. The core component that provides this is called smbclient.

    - - - - + + + + Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities. Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial server products). -

    +

    Does use of Samba (ntlm_auth) improve the performance of Squid?

    Not really. Samba's ntlm_auth module handles only authentication. It requires that diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/go01.html samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/go01.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/go01.html 2009-04-30 10:08:55.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/go01.html 2009-06-02 09:48:50.000000000 +0200 @@ -1,4 +1,4 @@ -Glossary

    Glossary

    Access Control List

    +Glossary

    Glossary

    Access Control List

    A detailed list of permissions granted to users or groups with respect to file and network resource access.

    Active Directory Service

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/HA.html samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/HA.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/HA.html 2009-04-30 10:08:51.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/HA.html 2009-06-02 09:48:47.000000000 +0200 @@ -1,7 +1,7 @@ -Chapter 13. Performance, Reliability, and Availability

    Chapter 13. Performance, Reliability, and Availability

    - - - +Chapter 13. Performance, Reliability, and Availability

    Chapter 13. Performance, Reliability, and Availability

    + + + Well, you have reached one of the last chapters of this book. It is customary to attempt to wrap up the theme and contents of a book in what is generally regarded as the chapter that should draw conclusions. This book is a suspense thriller, and since @@ -10,8 +10,8 @@ regarding some of the things everyone can do to deliver a reliable Samba-3 network.

     

    In a world so full of noise, how can the sparrow be heard? -

     
     --Anonymous

    Introduction

    - +

     
     --Anonymous

    Introduction

    + The sparrow is a small bird whose sounds are drowned out by the noise of the busy world it lives in. Likewise, the simple steps that can be taken to improve the reliability and availability of a Samba network are often drowned out by the volume @@ -20,22 +20,22 @@ itself to discussion of clustering because each clustering methodology uses its own custom tools and methods. Only passing comments are offered concerning these methods.

    - - - + + + A search for “samba cluster” produced 71,600 hits. And a search for “highly available samba” and “highly available windows” produced an amazing number of references. It is clear from the resources on the Internet that Windows file and print services availability, reliability, and scalability are of vital interest to corporate network users.

    - + So without further background, you can review a checklist of simple steps that can be taken to ensure acceptable network performance while keeping costs of ownership well under control. -

    Dissection and Discussion

    - - +

    Dissection and Discussion

    + + If it is your purpose to get the best mileage out of your Samba servers, there is one rule that must be obeyed. If you want the best, keep your implementation as simple as possible. You may well be forced to introduce some complexities, but you should do so only as a last resort. @@ -44,8 +44,8 @@ make life easier for your successor. Simple implementations can be more readily audited than can complex ones.

    - - + + Problems reported by users fall into three categories: configurations that do not work, those that have broken behavior, and poor performance. The term broken behavior means that the function of a particular Samba component appears to work sometimes, but not at @@ -54,12 +54,12 @@ list of Windows machines in MS Explorer changes, sometimes listing machines that are running and at other times not listing them even though the machines are in use on the network.

    - - - - - - + + + + + + A significant number of reports concern problems with the smbfs file system driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that smbfs is part of Samba, simply because Samba includes the front-end tools @@ -70,32 +70,32 @@ common infrastructure with some Samba components, but they are not maintained as part of Samba and are really foreign to it.

    - + The new project, cifsfs, is destined to replace smbfs. It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in this project.

    Table 13.1 lists typical causes of:

    • Not Working (NW)

    • Broken Behavior (BB)

    • Poor Performance (PP)

    Table 13.1. Effect of Common Problems

    Problem

    NW

    BB

    PP

    File locking

    -

    X

    -

    Hardware problems

    X

    X

    X

    Incorrect authentication

    X

    X

    -

    Incorrect configuration

    X

    X

    X

    LDAP problems

    X

    X

    -

    Name resolution

    X

    X

    X

    Printing problems

    X

    X

    -

    Slow file transfer

    -

    -

    X

    Winbind problems

    X

    X

    -


    - + It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate problems that affect basic network operation. This book has provided sufficient working examples to help you to avoid all these problems. -

    Guidelines for Reliable Samba Operation

    - - +

    Guidelines for Reliable Samba Operation

    + + Your objective is to provide a network that works correctly, can grow at all times, is resilient at times of extreme demand, and can scale to meet future needs. The following subject areas provide pointers that can help you today. -

    Name Resolution

    +

    Name Resolution

    There are three basic current problem areas: bad hostnames, routed networks, and network collisions. These are covered in the following discussion. -

    Bad Hostnames

    - - - - - +

    Bad Hostnames

    + + + + + When configured as a DHCP client, a number of Linux distributions set the system hostname to localhost. If the parameter netbios name is not specified to something other than localhost, the Samba server appears @@ -107,13 +107,13 @@ the local Windows machine itself. Hostnames must be valid for Windows networking to function correctly.

    - + A few sites have tried to name Windows clients and Samba servers with a name that begins with the digits 1-9. This does not work either because it may result in the client or server attempting to use that name as an IP address.

    - - + + A Samba server called FRED in a NetBIOS domain called COLLISION in a network environment that is part of the fully-qualified Internet domain namespace known as parrots.com, results in DNS name lookups for fred.parrots.com @@ -122,49 +122,49 @@ attempts to resolve fred.parrots.com.parrots.com, which most likely fails given that you probably do not have this in your DNS namespace.

    Note

    - - - + + + An Active Directory realm called collision.parrots.com is perfectly okay, although it too must be capable of being resolved via DNS, something that functions correctly if Windows 200x ADS has been properly installed and configured. -

    Routed Networks

    - - - +

    Routed Networks

    + + + NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use of UDP-based broadcast traffic, as you saw during the exercises in “Networking Primer”.

    - - - + + + UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based networking cannot function across routed networks (i.e., multi-subnet networks) unless special provisions are made:

    • - - - + + + Either install on every Windows client an LMHOSTS file (located in the directory C:\windows\system32\drivers\etc). It is also necessary to add to the Samba server smb.conf file the parameters remote announce and remote browse sync. For more information, refer to the online manual page for the smb.conf file.

    • - + Or configure Samba as a WINS server, and configure all network clients to use that WINS server in their TCP/IP configuration.

    Note

    - - + + The use of DNS is not an acceptable substitute for WINS. DNS does not store specific information regarding NetBIOS networking particulars that get stored in the WINS name resolution database and that Windows clients require and depend on. -

    Network Collisions

    - - - - +

    Network Collisions

    + + + + Excessive network activity causes NetBIOS network timeouts. Timeouts may result in blue screen of death (BSOD) experiences. High collision rates may be caused by excessive UDP broadcast activity, by defective networking hardware, or through excessive network @@ -173,9 +173,9 @@ The use of WINS is highly recommended to reduce network broadcast traffic, as outlined in “Networking Primer”.

    - - - + + + Under no circumstances should the facility be supported by many routers, known as NetBIOS forwarding, unless you know exactly what you are doing. Inappropriate use of this facility can result in UDP broadcast storms. In one case in 1999, a university network became @@ -183,13 +183,13 @@ testing of a Samba server. The maximum throughput on a 100-Base-T (100 MB/sec) network was less than 15 KB/sec. After the NetBIOS forwarding was turned off, file transfer performance immediately returned to 11 MB/sec. -

    Samba Configuration

    +

    Samba Configuration

    As a general rule, the contents of the smb.conf file should be kept as simple as possible. No parameter should be specified unless you know it is essential to operation.

    - - - + + + Many UNIX administrators like to fully document the settings in the smb.conf file. This is a bad idea because it adds content to the file. The smb.conf file is re-read by every smbd process every time the file timestamp changes (or, on systems where this does not work, every 20 seconds or so). @@ -197,7 +197,7 @@ As the size of the smb.conf file grows, the risk of introducing parsing errors also increases. It is recommended to keep a fully documented smb.conf file on hand, and then to operate Samba only with an optimized file. -

    +

    The preferred way to maintain a documented file is to call it something like smb.conf.master. You can generate the optimized file by executing:
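
Review bot: the only changed pair in this hunk, the "-" / "+" lines between "operate Samba only with an optimized file." and "The preferred way to maintain a documented file", shows no visible text on either side, and the prose around it is identical, so the hunk reads as regenerated-markup churn rather than a documentation change. If the difference is only generated anchors or whitespace, consider keeping docs/htmldocs out of the pre1 to pre2 patch, or generating it at build time, so that real text changes are not buried among no-op hunks.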

    @@ -223,7 +223,7 @@
     Server role: ROLE_DOMAIN_PDC
     Press enter to see a dump of your service definitions
     

    - + You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C. The important thing to note is the noted Server role, as well as warning messages. Noted configuration conflicts must be remedied before proceeding. For example, the following error message represents a @@ -233,28 +233,28 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.

    - - - + + + There are two parameters that can cause severe network performance degradation: socket options and socket address. The socket options parameter was often necessary when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from this parameter being set. Do not use either parameter unless it has been proven necessary to use them.

    - - - - + + + + Another smb.conf parameter that may cause severe network performance degradation is the strict sync parameter. Do not use this at all. There is no good reason to use this with any modern Windows client. The strict sync is often used with the sync always parameter. This, too, can severely degrade network performance, so do not set it; if you must, do so with caution.

    - - - - + + + + Finally, many network administrators deliberately disable opportunistic locking support. While this does not degrade Samba performance, it significantly degrades Windows client performance because this disables local file caching on Windows clients and forces every file read and written to @@ -262,12 +262,12 @@ support, do so only on the share on which it is required. That way, all other shares can provide oplock support for operations that are tolerant of it. See “Shared Data Integrity” for more information. -

    Use and Location of BDCs

    - - - - - +

    Use and Location of BDCs

    + + + + + On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of authentication and logon processing. When a sole BDC on a routed network segment gets heavily @@ -275,13 +275,13 @@ to a BDC on a distant network segment. This significantly hinders WAN operations and is undesirable.

    - - + + As a general guide, instead of adding domain member servers to a network, you would be better advised to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add domain member servers. This practice ensures that there are always sufficient domain controllers to handle logon requests and authentication traffic. -

    Use One Consistent Version of MS Windows Client

    +

    Use One Consistent Version of MS Windows Client

    Every network client has its own peculiarities. From a management perspective, it is easier to deal with one version of MS Windows that is maintained to a consistent update level than it is to deal with a mixture of clients. @@ -289,61 +289,61 @@ On a number of occasions, particular Microsoft service pack updates of a Windows server or client have necessitated special handling from the Samba server end. If you want to remain sane, keep you client workstation configurations consistent. -

    For Scalability, Use SAN-Based Storage on Samba Servers

    - - +

    For Scalability, Use SAN-Based Storage on Samba Servers

    + + Many SAN-based storage systems permit more than one server to share a common data store. Use of a shared SAN data store means that you do not need to use time- and resource-hungry data synchronization techniques.

    - - + + The use of a collection of relatively low-cost front-end Samba servers that are coupled to a shared backend SAN data store permits load distribution while containing costs below that of installing and managing a complex clustering facility. -

    Distribute Network Load with MSDFS

    - - +

    Distribute Network Load with MSDFS

    + + Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits data to be accessed from a single share and yet to actually be distributed across multiple actual servers. Refer to TOSHARG2, Chapter 19, for information regarding implementation of an MSDFS installation.

    - - + + The combination of multiple backend servers together with a front-end server and use of MSDFS can achieve almost the same as you would obtain with a clustered Samba server. -

    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth

    - - - +

    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth

    + + + Consider using rsync to replicate data across the WAN during times of low utilization. Users can then access the replicated data store rather than needing to do so across the WAN. This works best for read-only data, but with careful planning can be implemented so that modified files get replicated back to the point of origin. Be careful with your implementation if you choose to permit modification and return replication of the modified file; otherwise, you may inadvertently overwrite important data. -

    Hardware Problems

    - - - - - - +

    Hardware Problems

    + + + + + + Networking hardware prices have fallen sharply over the past 5 years. A surprising number of Samba networking problems over this time have been traced to defective network interface cards (NICs) or defective HUBs, switches, and cables.

    - + Not surprising is the fact that network administrators do not like to be shown to have made a bad decision. Money saved in buying low-cost hardware may result in high costs incurred in corrective action.

    - - - - - + + + + + Defective NICs, HUBs, and switches may appear as intermittent network access problems, intermittent or persistent data corruption, slow network throughput, low performance, or even as BSOD problems with MS Windows clients. In one case, a company updated several workstations with newer, faster @@ -352,14 +352,14 @@

    Defective hardware problems may take patience and persistence before the real cause can be discovered.

    - + Networking hardware defects can significantly impact perceived Samba performance, but defective RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server operations. One business came to this realization only after replacing a Samba installation with MS Windows Server 2000 running on the same hardware. The root of the problem completely eluded the network administrator until the entire server was replaced. While you may well think that this would never happen to you, experience shows that given the right (unfortunate) circumstances, this can happen to anyone. -

    Large Directories

    +

    Large Directories

    There exist applications that create or manage directories containing many thousands of files. Such applications typically generate many small files (less than 100 KB). At the best of times, under UNIX, listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x, @@ -399,7 +399,7 @@ All files and directories under the path directory must be in the same case as specified in the smb.conf stanza. This means that smbd will not be able to find lower case filenames with these settings. Note, this is done on a per-share basis. -

    Key Points Learned

    +

    Key Points Learned

    This chapter has touched in broad sweeps on a number of simple steps that can be taken to ensure that your Samba network is resilient, scalable, and reliable, and that it performs well. @@ -408,7 +408,7 @@ In the long term, that may not be you. Spare a thought for your successor and give him or her an even break.

    - + Last, but not least, you should not only keep the network design simple, but also be sure it is well documented. This book may serve as your pattern for documenting every aspect of your design, its implementation, and particularly the objects and assumptions diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/index.html samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/index.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/index.html 2009-04-30 10:09:17.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/index.html 2009-06-02 09:49:12.000000000 +0200 @@ -1,47 +1,47 @@ -Samba-3 by Example

    Samba-3 by Example

    Practical Exercises in Successful Samba Deployment

    John H. Samba Team Terpstra

    Samba Team

    July, 2006


    Table of Contents

    About the Cover Artwork
    Acknowledgments
    Foreword
    By John M. Weathersby, Executive Director, OSSI
    Preface
    Why Is This Book Necessary?
    Samba 3.0.20 Update Edition
    Prerequisites
    Approach
    Summary of Topics
    Conventions Used
    I. Example Network Configurations
    1. No-Frills Samba Servers
    Introduction
    Assignment Tasks
    Drafting Office
    Charity Administration Office
    Accounting Office
    Questions and Answers
    2. Small Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Validation
    Notebook Computers: A Special Case
    Key Points Learned
    Questions and Answers
    3. Secure Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Basic System Configuration
    Samba Configuration
    Configuration of DHCP and DNS Servers
    Printer Configuration
    Process Startup Configuration
    Validation
    Application Share Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    4. The 500-User Office
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Installation of DHCP, DNS, and Samba Control Files
    Server Preparation: All Servers
    Server-Specific Preparation
    Process Startup Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    5. Making Happy Users
    Regarding LDAP Directories and Windows Computer Accounts
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Installation Checklist
    Samba Server Implementation
    OpenLDAP Server Configuration
    PAM and NSS Client Configuration
    Samba-3 PDC Configuration
    Install and Configure Idealx smbldap-tools Scripts
    LDAP Initialization and Creation of User and Group Accounts
    Printer Configuration
    Samba-3 BDC Configuration
    Miscellaneous Server Preparation Tasks
    Configuring Directory Share Point Roots
    Configuring Profile Directories
    Preparation of Logon Scripts
    Assigning User Rights and Privileges
    Windows Client Configuration
    Configuration of Default Profile with Folder Redirection
    Configuration of MS Outlook to Relocate PST File
    Configure Delete Cached Profiles on Logout
    Uploading Printer Drivers to Samba Servers
    Software Installation
    Roll-out Image Creation
    Key Points Learned
    Questions and Answers
    6. A Distributed 2000-User Network
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Key Points Learned
    Questions and Answers
    II. Domain Members, Updating Samba and Migration
    7. Adding Domain Member Servers and Clients
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Samba Domain with Samba Domain Member Server Using NSS LDAP
    NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    NT4/Samba Domain with Samba Domain Member Server without NSS Support
    Active Directory Domain with Samba Domain Member Server
    UNIX/Linux Client Domain Member
    Key Points Learned
    Questions and Answers
    8. Updating Samba-3
    Introduction
    Cautions and Notes
    Upgrading from Samba 1.x and 2.x to Samba-3
    Samba 1.9.x and 2.x Versions Without LDAP
    Applicable to All Samba 2.x to Samba-3 Upgrades
    Samba-2.x with LDAP Support
    Updating a Samba-3 Installation
    Samba-3 to Samba-3 Updates on the Same Server
    Migrating Samba-3 to a New Server
    Migration of Samba Accounts to Active Directory
    9. Migrating NT4 Domain to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    NT4 Migration Using LDAP Backend
    NT4 Migration Using tdbsam Backend
    Key Points Learned
    Questions and Answers
    10. Migrating NetWare Server to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    NetWare Migration Using LDAP Backend
    III. Reference Section
    11. Active Directory, Kerberos, and Security
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    Share Access Controls
    Share Definition Controls
    Share Point Directory and File Permissions
    Managing Windows 200x ACLs
    Key Points Learned
    Questions and Answers
    12. Integrating Additional Services
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Removal of Pre-Existing Conflicting RPMs
    Key Points Learned
    Questions and Answers
    13. Performance, Reliability, and Availability
    Introduction
    Dissection and Discussion
    Guidelines for Reliable Samba Operation
    Name Resolution
    Samba Configuration
    Use and Location of BDCs
    Use One Consistent Version of MS Windows Client
    For Scalability, Use SAN-Based Storage on Samba Servers
    Distribute Network Load with MSDFS
    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    Hardware Problems
    Large Directories
    Key Points Learned
    14. Samba Support
    Free Support
    Commercial Support
    15. A Collection of Useful Tidbits
    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls
    16. Networking Primer
    Requirements and Notes
    Introduction
    Assignment Tasks
    Exercises
    Single-Machine Broadcast Activity
    Second Machine Startup Broadcast Interaction
    Simple Windows Client Connection Characteristics
    Windows 200x/XP Client Interaction with Samba-3
    Conclusions to Exercises
    Dissection and Discussion
    Technical Issues
    Questions and Answers
    A. +Samba-3 by Example

    Samba-3 by Example

    Practical Exercises in Successful Samba Deployment

    John H. Samba Team Terpstra

    Samba Team

    July, 2006


    Table of Contents

    About the Cover Artwork
    Acknowledgments
    Foreword
    By John M. Weathersby, Executive Director, OSSI
    Preface
    Why Is This Book Necessary?
    Samba 3.0.20 Update Edition
    Prerequisites
    Approach
    Summary of Topics
    Conventions Used
    I. Example Network Configurations
    1. No-Frills Samba Servers
    Introduction
    Assignment Tasks
    Drafting Office
    Charity Administration Office
    Accounting Office
    Questions and Answers
    2. Small Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Validation
    Notebook Computers: A Special Case
    Key Points Learned
    Questions and Answers
    3. Secure Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Basic System Configuration
    Samba Configuration
    Configuration of DHCP and DNS Servers
    Printer Configuration
    Process Startup Configuration
    Validation
    Application Share Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    4. The 500-User Office
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Installation of DHCP, DNS, and Samba Control Files
    Server Preparation: All Servers
    Server-Specific Preparation
    Process Startup Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    5. Making Happy Users
    Regarding LDAP Directories and Windows Computer Accounts
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Installation Checklist
    Samba Server Implementation
    OpenLDAP Server Configuration
    PAM and NSS Client Configuration
    Samba-3 PDC Configuration
    Install and Configure Idealx smbldap-tools Scripts
    LDAP Initialization and Creation of User and Group Accounts
    Printer Configuration
    Samba-3 BDC Configuration
    Miscellaneous Server Preparation Tasks
    Configuring Directory Share Point Roots
    Configuring Profile Directories
    Preparation of Logon Scripts
    Assigning User Rights and Privileges
    Windows Client Configuration
    Configuration of Default Profile with Folder Redirection
    Configuration of MS Outlook to Relocate PST File
    Configure Delete Cached Profiles on Logout
    Uploading Printer Drivers to Samba Servers
    Software Installation
    Roll-out Image Creation
    Key Points Learned
    Questions and Answers
    6. A Distributed 2000-User Network
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Key Points Learned
    Questions and Answers
    II. Domain Members, Updating Samba and Migration
    7. Adding Domain Member Servers and Clients
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Samba Domain with Samba Domain Member Server Using NSS LDAP
    NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    NT4/Samba Domain with Samba Domain Member Server without NSS Support
    Active Directory Domain with Samba Domain Member Server
    UNIX/Linux Client Domain Member
    Key Points Learned
    Questions and Answers
    8. Updating Samba-3
    Introduction
    Cautions and Notes
    Upgrading from Samba 1.x and 2.x to Samba-3
    Samba 1.9.x and 2.x Versions Without LDAP
    Applicable to All Samba 2.x to Samba-3 Upgrades
    Samba-2.x with LDAP Support
    Updating a Samba-3 Installation
    Samba-3 to Samba-3 Updates on the Same Server
    Migrating Samba-3 to a New Server
    Migration of Samba Accounts to Active Directory
    9. Migrating NT4 Domain to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    NT4 Migration Using LDAP Backend
    NT4 Migration Using tdbsam Backend
    Key Points Learned
    Questions and Answers
    10. Migrating NetWare Server to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    NetWare Migration Using LDAP Backend
    III. Reference Section
    11. Active Directory, Kerberos, and Security
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    Share Access Controls
    Share Definition Controls
    Share Point Directory and File Permissions
    Managing Windows 200x ACLs
    Key Points Learned
    Questions and Answers
    12. Integrating Additional Services
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Removal of Pre-Existing Conflicting RPMs
    Key Points Learned
    Questions and Answers
    13. Performance, Reliability, and Availability
    Introduction
    Dissection and Discussion
    Guidelines for Reliable Samba Operation
    Name Resolution
    Samba Configuration
    Use and Location of BDCs
    Use One Consistent Version of MS Windows Client
    For Scalability, Use SAN-Based Storage on Samba Servers
    Distribute Network Load with MSDFS
    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    Hardware Problems
    Large Directories
    Key Points Learned
    14. Samba Support
    Free Support
    Commercial Support
    15. A Collection of Useful Tidbits
    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls
    16. Networking Primer
    Requirements and Notes
    Introduction
    Assignment Tasks
    Exercises
    Single-Machine Broadcast Activity
    Second Machine Startup Broadcast Interaction
    Simple Windows Client Connection Characteristics
    Windows 200x/XP Client Interaction with Samba-3
    Conclusions to Exercises
    Dissection and Discussion
    Technical Issues
    Questions and Answers
    A. GNU General Public License version 3 -
    A. +
    A. Preamble -
    A. +
    A. TERMS AND CONDITIONS -
    A. +
    A. 0. Definitions. -
    A. +
    A. 1. Source Code. -
    A. +
    A. 2. Basic Permissions. -
    A. +
    A. 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. -
    A. +
    A. 4. Conveying Verbatim Copies. -
    A. +
    A. 5. Conveying Modified Source Versions. -
    A. +
    A. 6. Conveying Non-Source Forms. -
    A. +
    A. 7. Additional Terms. -
    A. +
    A. 8. Termination. -
    A. +
    A. 9. Acceptance Not Required for Having Copies. -
    A. +
    A. 10. Automatic Licensing of Downstream Recipients. -
    A. +
    A. 11. Patents. -
    A. +
    A. 12. No Surrender of Others’ Freedom. -
    A. - 13. Use with the ???TITLE??? Affero General Public License.
    A. + 13. Use with the ???TITLE??? Affero General Public License. +
    A. 14. Revised Versions of this License. -
    A. +
    A. 15. Disclaimer of Warranty. -
    A. +
    A. 16. Limitation of Liability. -
    A. +
    A. 17. Interpretation of Sections 15 and 16. -
    A. +
    A. END OF TERMS AND CONDITIONS -
    A. +
    A. How to Apply These Terms to Your New Programs
    Glossary
    Index

    List of Figures

    1.1. Charity Administration Office Network
    1.2. Accounting Office Network Topology
    2.1. Abmas Accounting 52-User Network Topology
    3.1. Abmas Network Topology 130 Users
    4.1. Network Topology 500 User Network Using tdbsam passdb backend.
    5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts
    5.2. Network Topology 500 User Network Using ldapsam passdb backend
    5.3. Windows XP Professional User Shared Folders
    6.1. Samba and Authentication Backend Search Pathways
    6.2. Samba Configuration to Use a Single LDAP Server
    6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server
    6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!
    6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.
    6.6. Network Topology 2000 User Complex Design A
    6.7. Network Topology 2000 User Complex Design B
    7.1. Open Magazine Samba Survey
    7.2. Samba Domain: Samba Member Server
    7.3. Active Directory Domain: Samba Member Server
    9.1. Schematic Explaining the net rpc vampire Process
    9.2. View of Accounts in NT4 Domain User Manager
    15.1. The General Panel.
    15.2. The Computer Name Panel.
    15.3. The Computer Name Changes Panel
    15.4. The Computer Name Changes Panel Domain MIDEARTH
    15.5. Computer Name Changes User name and Password Panel
    15.6. The LDAP Account Manager Login Screen
    15.7. The LDAP Account Manager Configuration Screen
    15.8. The LDAP Account Manager User Edit Screen
    15.9. The LDAP Account Manager Group Edit Screen
    15.10. The LDAP Account Manager Group Membership Edit Screen
    15.11. The LDAP Account Manager Host Edit Screen
    15.12. The IMC Samba User Account Screen
    16.1. Windows Me Broadcasts The First 10 Minutes
    16.2. Windows Me Later Broadcast Sample
    16.3. Typical Windows 9x/Me Host Announcement
    16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request
    16.5. Typical Windows 9x/Me User SessionSetUp AndX Request
    16.6. Typical Windows XP NULL Session Setup AndX Request
    16.7. Typical Windows XP User Session Setup AndX Request

    List of Examples

    1.1. Drafting Office smb.conf File
    1.2. Charity Administration Office smb.conf New-style File
    1.3. Charity Administration Office smb.conf Old-style File
    1.4. Windows Me Registry Edit File: Disable Password Caching
    1.5. Accounting Office Network smb.conf Old Style Configuration File
    2.1. Script to Map Windows NT Groups to UNIX Groups
    2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf
    2.3. Accounting Office Network smb.conf File [globals] Section
    2.4. Accounting Office Network smb.conf File Services and Shares Section
    3.1. Estimation of Memory Requirements
    3.2. Estimation of Disk Storage Requirements
    3.3. NAT Firewall Configuration Script
    3.4. 130 User Network with tdbsam [globals] Section
    3.5. 130 User Network with tdbsam Services Section Part A
    3.6. 130 User Network with tdbsam Services Section Part B
    3.7. Script to Map Windows NT Groups to UNIX Groups
    3.8. DHCP Server Configuration File /etc/dhcpd.conf
    3.9. DNS Master Configuration File /etc/named.conf Master Section
    3.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section
    3.11. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section
    3.12. DNS 192.168.1 Reverse Zone File
    3.13. DNS 192.168.2 Reverse Zone File
    3.14. DNS Abmas.biz Forward Zone File
    3.15. DNS Abmas.us Forward Zone File
    4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
    4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf
    4.3. Common Samba Configuration File: /etc/samba/common.conf
    4.4. Server: BLDG1 (Member), File: smb.conf
    4.5. Server: BLDG2 (Member), File: smb.conf
    4.6. Common Domain Member Include File: dom-mem.conf
    4.7. Server: MASSIVE, File: dhcpd.conf
    4.8. Server: BLDG1, File: dhcpd.conf
    4.9. Server: BLDG2, File: dhcpd.conf
    4.10. Server: MASSIVE, File: named.conf, Part: A
    4.11. Server: MASSIVE, File: named.conf, Part: B
    4.12. Server: MASSIVE, File: named.conf, Part: C
    4.13. Forward Zone File: abmas.biz.hosts
    4.14. Forward Zone File: abmas.biz.hosts
    4.15. Servers: BLDG1/BLDG2, File: named.conf, Part: A
    4.16. Servers: BLDG1/BLDG2, File: named.conf, Part: B
    4.17. Initialize Groups Script, File: /etc/samba/initGrps.sh
    5.1. LDAP DB_CONFIG File
    5.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A
    5.3. LDAP Master Configuration File /etc/openldap/slapd.conf Part B
    5.4. Configuration File for NSS LDAP Support /etc/ldap.conf
    5.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf
    5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
    5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
    5.8. LDAP Based smb.conf File, Server: BLDG1
    5.9. LDAP Based smb.conf File, Server: BLDG2
    5.10. LDAP Based smb.conf File, Shares Section Part A
    5.11. LDAP Based smb.conf File, Shares Section Part B
    5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
    6.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf
    6.2. LDAP Slave Configuration File /etc/openldap/slapd.conf
    6.3. Primary Domain Controller smb.conf File Part A
    6.4. Primary Domain Controller smb.conf File Part B
    6.5. Primary Domain Controller smb.conf File Part C
    6.6. Backup Domain Controller smb.conf File Part A
    6.7. Backup Domain Controller smb.conf File Part B
    7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File
    7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
    7.3. Configuration File for NSS LDAP Support /etc/ldap.conf
    7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf
    7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain
    7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain
    7.7. Samba Domain Member smb.conf File for Active Directory Membership
    7.8. Example smb.conf File Using idmap_rid
    7.9. Typical ADS Style Domain smb.conf File
    7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File
    7.11. SUSE: PAM login Module Using Winbind
    7.12. SUSE: PAM xdm Module Using Winbind
    7.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind
    9.1. NT4 Migration Samba-3 Server smb.conf Part: A
    9.2. NT4 Migration Samba-3 Server smb.conf Part: B
    9.3. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A
    9.4. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part B
    9.5. NT4 Migration NSS LDAP File: /etc/ldap.conf
    9.6. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:1)
    9.7. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:2)
    10.1. A Rough Tool to Create an LDIF File from the System Account Files
    10.2. NSS LDAP Control File /etc/ldap.conf
    10.3. The PAM Control File /etc/security/pam_unix2.conf
    10.4. Samba Configuration File smb.conf Part A
    10.5. Samba Configuration File smb.conf Part B
    10.6. Samba Configuration File smb.conf Part C
    10.7. Samba Configuration File smb.conf Part D
    10.8. Samba Configuration File smb.conf Part E
    10.9. Rsync Script
    10.10. Rsync Files Exclusion List /root/excludes.txt
    10.11. Idealx smbldap-tools Control File Part A
    10.12. Idealx smbldap-tools Control File Part B
    10.13. Idealx smbldap-tools Control File Part C
    10.14. Idealx smbldap-tools Control File Part D
    10.15. Kixtart Control File File: logon.kix
    10.16. Kixtart Control File File: main.kix
    10.17. Kixtart Control File File: setup.kix, Part A
    10.18. Kixtart Control File File: setup.kix, Part B
    10.19. Kixtart Control File File: acct.kix
    12.1. Kerberos Configuration File: /etc/krb5.conf
    12.2. Samba Configuration File: /etc/samba/smb.conf
    12.3. NSS Configuration File Extract File: /etc/nsswitch.conf
    12.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]
    12.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]
    15.1. A Useful Samba Control Script for SUSE Linux
    15.2. A Sample Samba Control Script for Red Hat Linux
    15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone
    15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone
    15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint
    15.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A
    15.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B
    15.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C
    15.9. LDIF Pattern File Used to Pre-configure LDAP Part A
    15.10. LDIF Pattern File Used to Pre-configure LDAP Part B
    15.11. Example LAM Configuration File config.cfg
    15.12. LAM Profile Control File lam.conf
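    Review bot: The section 13 entry of the licence appendix in this table of contents still reads "Use with the ???TITLE??? Affero General Public License" on both the removed and the added line, so the regenerated HTML carries an unresolved title placeholder from pre1 into pre2. The only visible difference between the two lines is the trailing markup change, which suggests the placeholder comes from the documentation source rather than from this rebuild. Resolve the reference in the source so the entry renders as "Use with the GNU Affero General Public License", the heading used in the GPLv3 text, then regenerate the page.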
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/ix01.html samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/ix01.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/ix01.html 2009-04-30 10:09:17.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/ix01.html 2009-06-02 09:49:12.000000000 +0200 @@ -1 +1 @@ -Index

    Index

    Symbols

    %LOGONSERVER%, Configuration of Default Profile with Folder Redirection
    %USERNAME%, Roaming Profile Background, Profile Changes
    %USERPROFILE%, Configuration of Default Profile with Folder Redirection
    /data/ldap, OpenLDAP Server Configuration
    /etc/cups/mime.convs, Implementation, Implementation
    /etc/cups/mime.types, Implementation, Implementation
    /etc/dhcpd.conf, Implementation, Validation, Configuration of DHCP and DNS Servers, Validation
    /etc/exports, Samba-3 PDC Configuration
    /etc/group, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Replacing a Domain Member Server, Questions and Answers, Removal of Pre-Existing Conflicting RPMs
    /etc/hosts, Implementation, Implementation, Basic System Configuration, Validation, Server Preparation: All Servers, Questions and Answers, Kerberos Configuration, Bad Hostnames
    /etc/krb5.conf, IDMAP Storage in LDAP using Winbind, Kerberos Configuration
    /etc/ldap.conf, PAM and NSS Client Configuration, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    /etc/mime.convs, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    /etc/mime.types, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    /etc/named.conf, Configuration of DHCP and DNS Servers
    /etc/nsswitch.conf, Implementation, Configuration of DHCP and DNS Servers, Validation, Configuration for Server: MASSIVE, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, PAM and NSS Client Configuration, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, NT4 Migration Using LDAP Backend
    /etc/openldap/slapd.conf, Debugging LDAP, OpenLDAP Server Configuration, Implementation
    /etc/passwd, Implementation, Samba Configuration, Configuration for Server: MASSIVE, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Replacing a Domain Member Server, Technical Issues, Questions and Answers, Technical Issues, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
    /etc/rc.d/boot.local, Basic System Configuration, Configuration for Server: MASSIVE
    /etc/rc.d/rc.local, Implementation
    /etc/resolv.conf, Configuration of DHCP and DNS Servers, Server Preparation: All Servers
    /etc/samba, Samba System File Location
    /etc/samba/secrets.tdb, Active Directory Domain with Samba Domain Member Server
    /etc/samba/smbusers, Server Preparation: All Servers
    /etc/shadow, Replacing a Domain Member Server, Technical Issues
    /etc/squid/squid.conf, Removal of Pre-Existing Conflicting RPMs
    /etc/syslog.conf, Debugging LDAP
    /etc/xinetd.d, Process Startup Configuration, Process Startup Configuration
    /lib/libnss_ldap.so.2, PAM and NSS Client Configuration
    /opt/IDEALX/sbin, NT4 Migration Using LDAP Backend
    /proc/sys/net/ipv4/ip_forward, Implementation, Basic System Configuration
    /usr/bin, Samba System File Location
    /usr/lib/samba, Samba System File Location
    /usr/local, Samba System File Location
    /usr/local/samba, Samba System File Location
    /usr/local/samba/var/locks, Samba 1.9.x and 2.x Versions Without LDAP
    /usr/sbin, Samba System File Location
    /usr/share, Samba System File Location
    /usr/share/samba/swat, Samba System File Location
    /usr/share/swat, Samba System File Location
    /var/cache/samba, Samba 1.9.x and 2.x Versions Without LDAP
    /var/lib/samba, Samba 1.9.x and 2.x Versions Without LDAP, Samba System File Location
    /var/log/ldaplogs, Debugging LDAP
    /var/log/samba, Samba System File Location
    8-bit, International Language Support

    A

    abmas-netfw.sh, Basic System Configuration
    accept, Printer Configuration
    accepts liability, Dissection and Discussion
    access, Technical Issues, Checkpoint Controls
    access control, Kerberos Exposed, Using the MMC Computer Management Interface
    Access Control Lists (see ACLs)
    access control settings, Share Access Controls
    access controls, Technical Issues, Share Definition Controls
    accessible, Share Point Directory and File Permissions
    account, Regarding LDAP Directories and Windows Computer Accounts, Share Access Controls
    ADS Domain, Technical Issues
    account credentials, Findings and Comments
    account information, Questions and Answers
    account names, Questions and Answers
    account policies, The LDAP Account Manager
    accountable, Introduction, Dissection and Discussion
    accounts
    authoritative, Technical Issues
    Domain, Introduction, Questions and Answers
    group, Introduction, Questions and Answers, Introduction
    machine, Introduction, Questions and Answers
    manage, The LDAP Account Manager
    user, Introduction, Questions and Answers, Introduction
    ACL, Security Identifiers (SIDs), Checkpoint Controls
    ACLs, Key Points Learned, Share Access Controls, Share Definition Controls
    acquisitions, Introduction
    Act!, Shared Data Integrity
    ACT! database, Act! Database Sharing
    Act!Diag, Act! Database Sharing
    Active Directory, Dissection and Discussion, The Local Group Policy, Dissection and Discussion, Assignment Tasks, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, Questions and Answers, Introduction, Key Points Learned, Questions and Answers, Integrating Additional Services, Assignment Tasks, Technical Issues, Samba Configuration, Joining a Domain: Windows 200x/XP Professional
    authentication, Squid Configuration
    domain, Samba Configuration
    join, Active Directory Domain with Samba Domain Member Server
    management tools, Technical Issues
    realm, Bad Hostnames
    Replacement, Technical Issues
    server, Active Directory Domain with Samba Domain Member Server, Kerberos Configuration
    Server, Technical Issues
    tree, Samba Configuration
    active directory, Technical Issues
    AD printer publishing, Uploading Printer Drivers to Samba Servers
    ADAM, Dissection and Discussion, IDMAP Storage in LDAP using Winbind
    add group script, Applicable to All Samba 2.x to Samba-3 Upgrades
    add machine script, Applicable to All Samba 2.x to Samba-3 Upgrades
    Add Printer Wizard
    APW, Uploading Printer Drivers to Samba Servers
    add user script, Applicable to All Samba 2.x to Samba-3 Upgrades
    add user to group script, Applicable to All Samba 2.x to Samba-3 Upgrades
    adduser, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    adequate precautions, Introduction
    administrative installation, Application Share Configuration
    administrative rights, Checkpoint Controls
    administrator, Implementation, Samba Configuration, Server Preparation: All Servers
    ADMT, Migration of Samba Accounts to Active Directory
    ADS, IDMAP Storage in LDAP using Winbind, Technical Issues, Kerberos Configuration, Bad Hostnames
    server, Technical Issues
    ADS Domain, Technical Issues
    affordability, The Nature of Windows Networking Protocols
    alarm, Introduction
    algorithm, Technical Issues
    allow trusted domains, IDMAP_RID with Winbind
    alternative, Dissection and Discussion
    analysis, Technical Issues
    anonymous connection, Validation, Validation
    Apache Web server, Questions and Answers
    appliance mode, Technical Issues
    application server, Technical Issues, Application Share Configuration
    application servers, The Nature of Windows Networking Protocols
    application/octet-stream, Implementation, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    APW, Uploading Printer Drivers to Samba Servers
    arp, Validation
    assessment, Introduction
    assistance, Free Support
    assumptions, Key Points Learned
    authconfig, PAM and NSS Client Configuration
    authenticate, LDAP Server Configuration, Samba Configuration
    authenticated, Assignment Tasks
    authenticated connection, Validation, Validation
    authentication, The Nature of Windows Networking Protocols, Questions and Answers, Dissection and Discussion, Integrating Additional Services, Technical Issues, NSS Configuration, Questions and Answers
    plain-text, Questions and Answers
    authentication process, Implementation
    authentication protocols, Key Points Learned
    authoritative, Technical Issues
    authorized location, Kerberos Exposed
    auto-generated SID, Questions and Answers
    automatically allocate, Technical Issues
    availability, Performance, Reliability, and Availability

    C

    cache, Opportunistic Locking Controls
    cache directories, Removal of Pre-Existing Conflicting RPMs
    caching, Samba Configuration
    case-sensitive, Kerberos Configuration
    centralized storage, Questions and Answers
    character set, International Language Support
    check samba daemons, Validation, Validation
    check-point, Share Definition Controls
    check-point controls, Checkpoint Controls
    Checkpoint Controls, Checkpoint Controls
    chgrp, Samba Configuration
    chkconfig, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration, Implementation
    chmod, Samba Configuration
    choice, Dissection and Discussion, Technical Issues
    chown, Removal of Pre-Existing Conflicting RPMs
    CIFS, Security Identifiers (SIDs), Findings
    cifsfs, Dissection and Discussion
    clean database, Questions and Answers
    clients per DC, Making Happy Users
    Clock skew, Kerberos Configuration
    cluster, Introduction
    clustering, Introduction, For Scalability, Use SAN-Based Storage on Samba Servers
    code maintainer, Free Support
    codepage, International Language Support
    collision rates, Network Collisions
    commercial, Dissection and Discussion
    commercial software, Dissection and Discussion
    commercial support, Samba Support, Commercial Support
    Common Internet File System (see CIFS)
    comparison
    Active Directory & OpenLDAP, Dissection and Discussion
    compat, Samba Domain with Samba Domain Member Server Using NSS LDAP
    compatible, Technical Issues
    compile-time, Location of config files
    complexities, Dissection and Discussion
    compromise, Introduction, Introduction, Technical Issues
    computer account, Samba Configuration
    Computer Management, Share Access Controls, Questions and Answers
    computer name, Security Identifiers (SIDs)
    condemns, Technical Issues
    conferences, Technical Issues
    configuration files, Introduction
    configure.pl, NT4 Migration Using LDAP Backend
    connection, Share Access Controls
    connectivity, Questions and Answers
    consequential risk, Technical Issues
    consultant, Drafting Office, Introduction, Dissection and Discussion
    consumer, Dissection and Discussion, Technical Issues
    consumer expects, Samba Support
    contiguous directory, Implementation
    contributions, Updating Samba-3
    control files, Updating a Samba-3 Installation
    convmv, International Language Support
    copy, Questions and Answers
    corrective action, Hardware Problems
    cost, Dissection and Discussion
    cost-benefit, Assignment Tasks
    country of origin, Commercial Support
    Courier-IMAP, LDAP Server Configuration
    credential, Share Definition Controls
    credentials, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Technical Issues
    crippled, Dissection and Discussion
    criticism, Active Directory, Kerberos, and Security, Introduction
    Critics, Technical Issues
    Cryptographic, Technical Issues
    CUPS, Dissection and Discussion, Technical Issues, Implementation, Key Points Learned, Implementation, Printer Configuration, Server Preparation: All Servers, Assignment Tasks, Installation of Printer Driver Auto-Download, Printer Configuration
    queue, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    cupsd, Basic System Configuration
    customer expected, Samba Support
    customers, Samba Support

    D

    daemon, Validation, Basic System Configuration, Security Identifiers (SIDs), Technical Issues, Questions and Answers, Starting Samba
    daemon control, Process Startup Configuration
    data
    corruption, Making Happy Users
    integrity, Questions and Answers
    data corruption, Hardware Problems, Act! Database Sharing
    data integrity, Hardware Problems, Shared Data Integrity
    data storage, Implementation
    database, Dissection and Discussion, Questions and Answers, Dissection and Discussion
    database applications, Shared Data Integrity
    DB_CONFIG, OpenLDAP Server Configuration
    DCE, Kerberos Exposed
    DDNS (see dynamic DNS)
    Debian, Migrating NetWare Server to Samba-3
    default installation, Samba System File Location
    default password, The LDAP Account Manager
    default profile, Assignment Tasks, Technical Issues
    Default User, Profile Changes, Configuration of Default Profile with Folder Redirection
    defective
    cables, Hardware Problems
    HUBs, Hardware Problems
    switches, Hardware Problems
    defects, Technical Issues
    defensible standards, Technical Issues
    defragmentation, Windows Client Configuration
    delete group script, Applicable to All Samba 2.x to Samba-3 Upgrades
    delete user from group script, Applicable to All Samba 2.x to Samba-3 Upgrades
    delimiter, Checkpoint Controls
    dependability, Technical Issues
    deployment, Free Support
    desired security setting, Setting Posix ACLs in UNIX/Linux
    development, Technical Issues
    DHCP, Technical Issues, Implementation, Key Points Learned, Windows Client Configuration, Windows Client Configuration, The Nature of Windows Networking Protocols, Questions and Answers
    client, Bad Hostnames
    relay, Technical Issues
    Relay Agent, Questions and Answers
    request, Questions and Answers
    requests, Technical Issues
    servers, Questions and Answers
    traffic, Questions and Answers
    dhcp client validation, Validation, Validation
    DHCP Server, Implementation
    DHCP server, Technical Issues
    diagnostic, IDMAP Storage in LDAP using Winbind
    diffusion, Technical Issues
    digital rights, Technical Issues
    digital sign'n'seal, Technical Issues
    digits, Bad Hostnames
    diligence, Technical Issues
    directory, Dissection and Discussion, Political Issues, Location of config files
    Computers container, LDAP Initialization and Creation of User and Group Accounts
    management, Dissection and Discussion
    People container, LDAP Initialization and Creation of User and Group Accounts
    replication, Dissection and Discussion
    schema, Dissection and Discussion
    server, Technical Issues
    synchronization, Dissection and Discussion
    directory tree, Setting Posix ACLs in UNIX/Linux
    disable, Introduction
    disaster recovery, Introduction
    disk image, Assignment Tasks
    disruptive, Dissection and Discussion
    distributed, Identity Management Needs, Implementation, Questions and Answers, Distribute Network Load with MSDFS
    distributed domain, Identity Management Needs
    DMB, Questions and Answers
    DMS, Security Identifiers (SIDs), Replacing a Domain Member Server
    DNS, Technical Issues, Implementation, Technical Issues, The Nature of Windows Networking Protocols, LDAP Server Configuration, Bad Hostnames, Routed Networks, Joining a Domain: Windows 200x/XP Professional
    configuration, Questions and Answers
    Dynamic, Questions and Answers
    dynamic, Joining a Domain: Windows 200x/XP Professional
    lookup, Questions and Answers, Kerberos Configuration
    name lookup, Bad Hostnames
    SRV records, Kerberos Configuration
    suffix, Joining a Domain: Windows 200x/XP Professional
    DNS server, Implementation, Configuration of DHCP and DNS Servers
    document the settings, Samba Configuration
    documentation, Dissection and Discussion, Technical Issues
    documented, Samba Configuration
    Domain, Technical Issues
    groups, Technical Issues
    domain
    Active Directory, Technical Issues
    controller, Replacing a Domain Controller
    joining, A Collection of Useful Tidbits
    trusted, Questions and Answers
    Domain accounts, Technical Issues
    Domain Administrator, Share Access Controls
    Domain Controller, Key Points Learned, The Nature of Windows Networking Protocols, Technical Issues, Implementation, Use and Location of BDCs
    closest, The Nature of Windows Networking Protocols
    domain controller, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades
    domain controllers, Technical Issues
    Domain Controllers, Questions and Answers
    Domain Groups
    well-known, Initialization of the LDAP Database
    Domain join, Samba Domain with Samba Domain Member Server Using NSS LDAP
    domain master, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend
    Domain Master Browser (see DMB)
    Domain Member, Use and Location of BDCs
    authoritative
    local accounts, Technical Issues
    client, Implementation
    desktop, Introduction
    server, Introduction, Technical Issues, Implementation, Active Directory Domain with Samba Domain Member Server
    servers, Questions and Answers, Checkpoint Controls
    workstations, Implementation
    domain member
    servers, Technical Issues
    Domain Member server, Technical Issues, Questions and Answers
    Domain Member servers, Questions and Answers
    domain members, Questions and Answers
    domain name space, Identity Management Needs
    domain replication, Questions and Answers
    domain SID, Security Identifiers (SIDs)
    Domain SID, Technical Issues, Questions and Answers
    domain tree, Identity Management Needs
    Domain User Manager, Configuring Profile Directories
    Domain users, Technical Issues
    DOS, Security Identifiers (SIDs)
    dos2unix, Samba Configuration, Configuration for Server: MASSIVE
    down-grade, Introduction
    drive letters, LDAP Server Configuration
    drive mapping, Technical Issues
    dumb printing, Installation of Printer Driver Auto-Download
    dump, Technical Issues, Questions and Answers
    duplicate accounts, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    dynamic DNS, Technical Issues

    F

    fail, The Nature of Windows Networking Protocols
    fail-over, Identity Management Needs, Implementation
    failed, Samba Domain with Samba Domain Member Server Using NSS LDAP
    failed join, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
    failure, Samba Configuration
    familiar, Technical Issues
    fatal problem, Samba Configuration
    fear, Technical Issues
    fears, Technical Issues
    Fedora, Drafting Office
    FHS, Samba System File Location
    file and print server, Questions and Answers
    file and print service, Dissection and Discussion
    file caching, Samba Configuration, Opportunistic Locking Controls
    File Hierarchy System (see FHS)
    file locations, Samba System File Location
    file permissions, The LDAP Account Manager
    file server
    read-only, Dissection and Discussion
    file servers, Samba Server Implementation
    file system, Technical Issues
    access control, Samba Configuration
    Ext3, Implementation
    permissions, Samba Configuration, Configuration for Server: MASSIVE
    file system security, Questions and Answers
    filter, Share Access Controls
    financial responsibility, Introduction
    firewall, Technical Issues, Basic System Configuration, Introduction
    fix, Dissection and Discussion
    flaws, Introduction
    flexibility, Technical Issues
    flush
    cache memory, Opportunistic Locking Controls
    folder redirection, Technical Issues, Configuration of Default Profile with Folder Redirection, Questions and Answers
    force group, Override Controls, Questions and Answers
    force user, Dissection and Discussion, Override Controls, Questions and Answers
    forced settings, Override Controls
    foreign, Samba Domain with Samba Domain Member Server Using NSS LDAP
    foreign SID, Samba Domain with Samba Domain Member Server Using NSS LDAP
    forwarded, Routed Networks
    foundation members, Technical Issues
    Free Standards Group (see FSG)
    free support, Samba Support, Free Support
    front-end, Dissection and Discussion
    server, Distribute Network Load with MSDFS
    frustration, Introduction
    FSG, Samba System File Location
    FTP
    proxy, Questions and Answers
    full control, Share Access Controls, Using MS Windows Explorer (File Manager)
    fully qualified, Checkpoint Controls
    functional differences, Cautions and Notes

    G

    generation, Cautions and Notes
    Gentoo, Migrating NetWare Server to Samba-3
    getent, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
    getfacl, Setting Posix ACLs in UNIX/Linux
    getgrnam, Technical Issues
    getpwnam, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP
    getpwnam(), Questions and Answers
    GID, Implementation, Questions and Answers, Questions and Answers
    Goettingen, Questions and Answers
    government, Identity Management Needs
    GPL, Comments Regarding Software Terms of Use
    group account, Implementation, OpenLDAP Server Configuration
    group management, Implementation
    group mapping, LDAP Server Configuration
    group membership, Implementation, Samba Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
    group names, Questions and Answers
    group policies, Introduction
    Group Policy, Joining a Domain: Windows 200x/XP Professional
    Group Policy editor, The Local Group Policy
    Group Policy Objects, The Local Group Policy
    groupadd, Implementation, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    groupdel, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    groupmem, NT4 Migration Using LDAP Backend
    groupmod, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    GSS-API, Windows 200x/XP Client Interaction with Samba-3
    guest account, Findings and Comments, Dissection and Discussion, Technical Issues, Questions and Answers

    I

    Idealx, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
    smbldap-tools, Install and Configure Idealx smbldap-tools Scripts, LDAP Initialization and Creation of User and Group Accounts
    identifiers, Technical Issues
    identity, Questions and Answers, Kerberos Exposed
    management, Technical Issues
    identity management, Technical Issues, Dissection and Discussion, Political Issues, Dissection and Discussion
    Identity Management, Dissection and Discussion, The Nature of Windows Networking Protocols, Identity Management Needs
    Identity management, UNIX/Linux Client Domain Member
    Identity resolution, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, UNIX/Linux Client Domain Member, Questions and Answers
    Identity resolver, Questions and Answers
    IDMAP, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP_RID with Winbind
    idmap backend, Technical Issues
    IDMAP backend, Questions and Answers
    idmap gid, IDMAP_RID with Winbind
    idmap uid, IDMAP_RID with Winbind
    idmap_rid, IDMAP_RID with Winbind
    IMAP, Technical Issues
    import, Technical Issues
    income, Dissection and Discussion
    independent expert, Introduction
    inetd, Process Startup Configuration
    inetOrgPerson, Technical Issues
    inheritance, Setting Posix ACLs in UNIX/Linux
    initGrps.sh, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    initial credentials, Kerberos Configuration
    inoperative, Dissection and Discussion
    install, Updating Samba-3
    installation, Dissection and Discussion
    integrate, Technical Issues
    integrity, Introduction, Kerberos Exposed
    inter-domain, Applicable to All Samba 2.x to Samba-3 Upgrades
    inter-operability, Dissection and Discussion, Technical Issues, Key Points Learned, Questions and Answers
    interactive help, Free Support
    interdomain trusts, Identity Management Needs
    interfaces, Implementation
    intermittent, Hardware Problems
    internationalization, International Language Support
    Internet Explorer, Technical Issues
    Internet Information Server, Questions and Answers
    interoperability, Dissection and Discussion
    IP forwarding, Implementation, Basic System Configuration, Configuration for Server: MASSIVE
    IPC$, Findings and Comments
    iptables, Technical Issues
    IRC, Free Support
    isolated, Introduction
    Italian, Questions and Answers

    L

    LAM, The LDAP Account Manager
    configuration editor, The LDAP Account Manager
    configuration file, The LDAP Account Manager
    login screen, The LDAP Account Manager
    opening screen, The LDAP Account Manager
    profile, The LDAP Account Manager
    wizard, The LDAP Account Manager
    large domain, IDMAP_RID with Winbind
    LDAP, Technical Issues, Assignment Tasks, Dissection and Discussion, Technical Issues, Preliminary Advice: Dangers Can Be Avoided, PAM and NSS Client Configuration, Introduction, Dissection and Discussion, Identity Management Needs, Implementation, Key Points Learned, Questions and Answers, Technical Issues, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Assignment Tasks, Technical Issues, Questions and Answers, Dissection and Discussion, LDAP Server Configuration, Technical Issues
    backend, Identity Management Needs
    database, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Alternative LDAP Database Initialization
    directory, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs
    fail-over, Implementation
    initial configuration, Alternative LDAP Database Initialization
    master, Identity Management Needs
    master/slave
    background communication, Questions and Answers
    preload, Implementation
    schema, Updating from Samba Versions between 3.0.6 and 3.0.10
    secure, Technical Issues
    server, Questions and Answers
    slave, Identity Management Needs
    updates, Identity Management Needs
    ldap, Samba Domain with Samba Domain Member Server Using NSS LDAP
    LDAP Account Manager (see LAM)
    LDAP backend, Technical Issues
    LDAP database, Questions and Answers
    LDAP Interchange Format (see LDIF)
    LDAP server, Identity Management Needs
    LDAP-transfer-LDIF.txt, Implementation
    ldap.conf, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapadd, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapsam, LDAP Initialization and Creation of User and Group Accounts, Dissection and Discussion, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, Integrating Additional Services
    ldapsam backend, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapsearch, LDAP Initialization and Creation of User and Group Accounts
    LDIF, Technical Issues, Implementation, Technical Issues, LDAP Server Configuration, Initialization of the LDAP Database
    leadership, Technical Issues
    Lightweight Directory Access Protocol (see LDAP)
    limit, Questions and Answers
    Linux desktop, Introduction
    Linux Standards Base (see LSB)
    LMB, Findings, Questions and Answers
    LMHOSTS, Routed Networks
    load distribution, For Scalability, Use SAN-Based Storage on Samba Servers
    local accounts, Technical Issues
    Local Group Policy, Roaming Profile Background
    Local Master Announcement, Findings
    Local Master Browser (see LMB)
    localhost, Basic System Configuration, Bad Hostnames
    lock directory, Samba 1.9.x and 2.x Versions Without LDAP
    locking
    Application level, Shared Data Integrity
    Client side, Shared Data Integrity
    Server side, Shared Data Integrity
    logging, Removal of Pre-Existing Conflicting RPMs
    login, Technical Issues
    loglevel, Debugging LDAP
    logon credentials, Questions and Answers
    logon hours, Technical Issues, Key Points Learned
    logon machines, Technical Issues
    logon path, Implementation
    logon process, Implementation
    logon scrip, Samba Configuration
    logon script, Implementation, Technical Issues, Preparation of Logon Scripts, Technical Issues
    logon server, The Nature of Windows Networking Protocols
    logon services, Implementation
    logon time, Assignment Tasks
    logon traffic, The Nature of Windows Networking Protocols
    logon.kix, LDAP Server Configuration
    loopback, Validation
    low performance, Hardware Problems
    lower-case, Implementation
    lpadmin, Implementation, Implementation, Implementation, Printer Configuration, Printer Configuration
    LSB, Samba System File Location

    M

    machine, Security Identifiers (SIDs)
    machine account, Regarding LDAP Directories and Windows Computer Accounts
    machine accounts, Questions and Answers
    machine secret password, Technical Issues
    MACHINE.SID, Security Identifiers (SIDs)
    mailing list, Free Support
    mailing lists, Free Support
    managed, Technical Issues
    management, Political Issues, Questions and Answers
    group, Technical Issues
    User, Technical Issues
    mandatory profile, Technical Issues, Configuring Profile Directories
    Mandrake, Migrating NetWare Server to Samba-3
    mapped drives, Questions and Answers
    mapping, Technical Issues, Kerberos Configuration
    consistent, Samba Domain with Samba Domain Member Server Using NSS LDAP
    Mars_NWE, Migrating NetWare Server to Samba-3
    master, Dissection and Discussion
    material, A Collection of Useful Tidbits
    memberUID, LDAP Server Configuration
    memory requirements, Hardware Requirements
    merge, Technical Issues, Questions and Answers
    merged, Technical Issues
    meta-directory, Questions and Answers
    meta-service, Questions and Answers
    Microsoft Access, Shared Data Integrity
    Microsoft Excel, Shared Data Integrity
    Microsoft ISA, Assignment Tasks
    Microsoft Management Console (see MMC)
    Microsoft Office, Application Share Configuration, Share Point Directory and File Permissions
    Microsoft Outlook
    PST files, Questions and Answers
    migrate, Updating Samba-3, Technical Issues
    migration, Implementation, Implementation, Assignment Tasks, Introduction, Questions and Answers, Migrating NetWare Server to Samba-3
    objectives, Dissection and Discussion
    Migration speed, Questions and Answers
    mime type, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    mime types, Implementation
    missing RPC's, Technical Issues
    MIT, Implementation, Kerberos Configuration
    MIT Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
    MIT kerberos, IDMAP Storage in LDAP using Winbind
    MIT KRB5, Samba Configuration
    mixed mode, Active Directory Domain with Samba Domain Member Server
    mixed-mode, Questions and Answers
    MMC, Configure Delete Cached Profiles on Logout, Technical Issues, Questions and Answers
    mobile computing, Dissection and Discussion
    mobility, Technical Issues
    modularization, Technical Issues
    modules, Questions and Answers
    MS Access
    validate, Microsoft Access
    MS Outlook, Configuration of MS Outlook to Relocate PST File
    PST, Configuration of MS Outlook to Relocate PST File
    PST file, Making Happy Users
    MS Windows Server 2003, Implementation
    MS Word, Share Point Directory and File Permissions
    MSDFS, Distribute Network Load with MSDFS
    multi-subnet, Routed Networks
    multi-user
    access, Microsoft Access
    data access, Shared Data Integrity
    multiple directories, Identity Management Needs
    multiple domain controllers, Making Happy Users
    multiple group mappings, Questions and Answers
    mutual assistance, Free Support
    My Documents, Roaming Profile Background
    My Network Places, Implementation
    mysqlsam, Implementation

    N

    name resolution, Configuration of DHCP and DNS Servers, Questions and Answers, Assignment Tasks
    Defective, Active Directory Domain with Samba Domain Member Server
    name resolve order, Implementation
    name service switch, Implementation (see NSS)
    named, Basic System Configuration, Validation, Server Preparation: All Servers
    NAT, Technical Issues
    native, Questions and Answers
    net
    ads
    info, Active Directory Domain with Samba Domain Member Server
    join, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Samba Configuration
    status, Active Directory Domain with Samba Domain Member Server
    getlocalsid, Samba-3 PDC Configuration, Security Identifiers (SIDs)
    group, NT4 Migration Using tdbsam Backend
    groupmap
    add, Samba Configuration
    list, Samba Configuration, LDAP Initialization and Creation of User and Group Accounts
    modify, Samba Configuration
    rpc
    info, Security Identifiers (SIDs)
    join, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, Questions and Answers, NT4 Migration Using tdbsam Backend
    vampire, Updating Samba-3, NT4 Migration Using tdbsam Backend
    setlocalsid, Security Identifiers (SIDs)
    NetBIOS, The Nature of Windows Networking Protocols, Questions and Answers, Bad Hostnames, Routed Networks, Questions and Answers
    name cache, Questions and Answers
    name resolution
    delays, Making Happy Users
    Node Type, Questions and Answers
    netbios
    machine name, Change of hostname
    netbios forwarding, Network Collisions
    NetBIOS name, Kerberos Configuration
    aliases, Identity Management Needs
    netbios name, Security Identifiers (SIDs), Change of hostname, Bad Hostnames
    NETLOGON, Using a Network Default User Profile, Windows Client Configuration
    netlogon, The Nature of Windows Networking Protocols, LDAP Server Configuration
    Netlogon, Joining a Domain: Windows 200x/XP Professional
    netmask, Implementation
    Netware, Small Office Networking
    NetWare, Migrating NetWare Server to Samba-3, LDAP Server Configuration
    network
    administrators, Technical Issues
    analyzer, Assignment Tasks
    bandwidth, Identity Management Needs, Questions and Answers
    broadcast, Introduction
    captures, Requirements and Notes
    collisions, Network Collisions
    load, Network Collisions
    logon, Making Happy Users
    logon scripts, Dissection and Discussion
    management, Introduction
    multi-segment, Introduction
    overload, Making Happy Users
    performance, Samba Configuration
    routed, Dissection and Discussion
    secure, Introduction
    segment, Dissection and Discussion
    services, Questions and Answers
    sniffer, Requirements and Notes
    timeout, Making Happy Users
    timeouts, Network Collisions
    trace, Assignment Tasks
    traffic
    observation, Technical Issues
    wide-area, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    Network Address Translation (see NAT)
    network administrators, Technical Issues
    network attached storage (see NAS)
    network bandwidth
    utilization, Making Happy Users
    Network Default Profile, Roaming Profile Background
    network hardware
    defective, Making Happy Users
    network hygiene, Dissection and Discussion
    network Identities, Questions and Answers
    network load factors, Dissection and Discussion
    Network Neighborhood, Validation, Technical Issues
    network segment, Use and Location of BDCs
    network segments, Hardware Requirements
    network share, Assignment Tasks
    networking
    client, Security Identifiers (SIDs)
    networking hardware
    defective, Making Happy Users
    networking protocols, Technical Issues
    next generation, Technical Issues
    NextFreeUnixId, NT4 Migration Using LDAP Backend
    NFS server, Samba-3 PDC Configuration
    NICs, Hardware Problems
    NIS, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Technical Issues, Political Issues, Questions and Answers
    nis, Samba Domain with Samba Domain Member Server Using NSS LDAP
    NIS schema, Questions and Answers
    NIS server, Questions and Answers
    NIS+, Identity Management Needs
    nisplus, Samba Domain with Samba Domain Member Server Using NSS LDAP
    NLM, Migrating NetWare Server to Samba-3
    nmap, Validation
    nmbd, Validation, Validation, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Starting Samba
    nobody, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
    Novell, Migrating NetWare Server to Samba-3, Introduction
    Novell SUSE SLES 9, NT4 Migration Using LDAP Backend
    NSS, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, PAM and NSS Client Configuration, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, UNIX/Linux Client Domain Member, Questions and Answers, LDAP Server Configuration, NSS Configuration (see same service switch)
    nss_ldap, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, OpenLDAP Server Configuration, PAM and NSS Client Configuration, LDAP Initialization and Creation of User and Group Accounts, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Replacing a Domain Member Server, NT4 Migration Using LDAP Backend
    nt acl support, Dissection and Discussion
    NT4 registry, Dissection and Discussion
    NTLM, Technical Issues
    NTLM authentication daemon, Technical Issues
    NTLMSSP, Key Points Learned, Questions and Answers, Windows 200x/XP Client Interaction with Samba-3
    NTLMSSP_AUTH, Windows 200x/XP Client Interaction with Samba-3
    ntlm_auth, Samba Configuration, Questions and Answers
    NTP, Kerberos Configuration
    NTUSER.DAT, Roaming Profile Background, Profile Changes, Using a Network Default User Profile, Questions and Answers
    NULL connection, Validation
    NULL session, Findings and Comments
    NULL-Session, Discussion
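Review bot: the cross-reference at the end of the NSS entry in the N block reads "(see same service switch)", which matches no entry in this index; the entry it should point to is "name service switch", which already points back with "(see NSS)". Suggest correcting it to "(see name service switch)". The L block has a similar slip: "logon scrip, Samba Configuration" sits directly above "logon script" and should be folded into that entry. If this page is generated, both are best fixed in the source index terms rather than in the HTML output.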

    P

    package, Implementation
    package names, Samba System File Location
    packages, Updating a Samba-3 Installation
    PADL, Technical Issues, IDMAP Storage in LDAP using Winbind
    PADL LDAP tools, Technical Issues
    PADL Software, Samba Domain with Samba Domain Member Server Using NSS LDAP
    paid-for support, Samba Support
    PAM, PAM and NSS Client Configuration, UNIX/Linux Client Domain Member, LDAP Server Configuration
    pam_ldap, OpenLDAP Server Configuration
    pam_ldap.so, PAM and NSS Client Configuration
    pam_unix2.so, PAM and NSS Client Configuration
    use_ldap, PAM and NSS Client Configuration
    parameters, Applicable to All Samba 2.x to Samba-3 Upgrades
    passdb backend, Implementation, The 500-User Office, Dissection and Discussion, Dissection and Discussion, Implementation, Technical Issues, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, Questions and Answers
    passdb.tdb, Technical Issues
    passwd, Implementation, Implementation, Samba Configuration
    password
    backend, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    password caching, Implementation
    password change, Key Points Learned
    password length, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    payroll, Introduction
    pdbedit, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, NT4 Migration Using tdbsam Backend, Questions and Answers
    PDC, Assignment Tasks, Technical Issues, Making Happy Users, Technical Issues, The Local Group Policy, The Nature of Windows Networking Protocols, Technical Issues, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Implementation, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Use and Location of BDCs
    PDC/BDC ratio, Making Happy Users
    PDF, The LDAP Account Manager
    performance, Dissection and Discussion, Questions and Answers, Performance, Reliability, and Availability, Introduction, Network Collisions
    performance degradation, Override Controls, Samba Configuration
    Perl, LDAP Server Configuration, The LDAP Account Manager
    permission, Share Point Directory and File Permissions
    permissions, Implementation, Technical Issues, Share Access Controls, Checkpoint Controls, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs
    excessive, Technical Issues
    group, Share Point Directory and File Permissions
    user, Share Point Directory and File Permissions
    Permissions, Using the MMC Computer Management Interface
    permits, Technical Issues
    permitted group, Using the MMC Computer Management Interface
    PHP, The LDAP Account Manager
    PHP4, The LDAP Account Manager
    pile-driver, Share Definition Controls
    ping, Validation
    pitfalls, The LDAP Account Manager
    plain-text, Questions and Answers
    Pluggable Authentication Modules (see PAM)
    policy, Questions and Answers, Introduction
    poor performance, Dissection and Discussion
    POP3, Technical Issues
    Posix, Dissection and Discussion, Technical Issues, Questions and Answers, Implementation, Questions and Answers, The LDAP Account Manager
    POSIX, Regarding LDAP Directories and Windows Computer Accounts, LDAP Server Configuration
    Posix accounts, LDAP Initialization and Creation of User and Group Accounts, Technical Issues
    Posix ACLs, Managing Windows 200x ACLs
    PosixAccount, LDAP Initialization and Creation of User and Group Accounts
    posixAccount, LDAP Server Configuration
    Postfix, LDAP Server Configuration
    Postscript, Installation of Printer Driver Auto-Download
    powers, Share Definition Controls
    practices, Introduction
    precaution, Introduction
    presence and leadership, Technical Issues
    price paid, Dissection and Discussion
    primary group, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
    principals, Kerberos Exposed
    print filter, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    print queue, Charity Administration Office, Dissection and Discussion
    print spooler, Charity Administration Office
    Print Test Page, Uploading Printer Drivers to Samba Servers
    printcap name, Implementation
    printer validation, Validation, Validation
    printers
    Advanced, Uploading Printer Drivers to Samba Servers
    Default Settings, Uploading Printer Drivers to Samba Servers
    General, Uploading Printer Drivers to Samba Servers
    Properties, Uploading Printer Drivers to Samba Servers
    Security, Uploading Printer Drivers to Samba Servers
    Sharing, Uploading Printer Drivers to Samba Servers
    printing, Implementation
    drag-and-drop, Installation of Printer Driver Auto-Download, Uploading Printer Drivers to Samba Servers
    dumb, Installation of Printer Driver Auto-Download
    point-n-click, Installation of Printer Driver Auto-Download
    raw, Dissection and Discussion
    privacy, Identity Management Needs
    Privilege Attribute Certificates (see PAC)
    privilege controls, Share Point Directory and File Permissions
    privileged pipe, Samba Configuration
    privileges, Identity Management Needs, Updating from Samba Versions after 3.0.6 to a Current Release, Technical Issues, Share Definition Controls
    problem report, Free Support
    problem resolution, Samba Support
    product defects, Dissection and Discussion
    professional support, Free Support
    profile
    default, Assignment Tasks
    mandatory, The Nature of Windows Networking Protocols
    roaming, Making Happy Users
    profile path, Technical Issues
    profile share, Implementation
    profiles, Security Identifiers (SIDs)
    profiles share, Dissection and Discussion
    programmer, Dissection and Discussion
    project, Free Support
    project maintainers, Technical Issues
    Properties, Using the MMC Computer Management Interface
    proprietary, Technical Issues
    protected, Technical Issues
    protection, Technical Issues
    protocol
    negotiation, The Nature of Windows Networking Protocols
    protocol analysis, Requirements and Notes
    protocols, Technical Issues
    provided services, Samba Support
    proxy, Assignment Tasks, Technical Issues
    PST file, Configuration of MS Outlook to Relocate PST File
    public specifications, Technical Issues
    purchase support, Free Support

    Q

    Qbasic, LDAP Server Configuration
    qualified problem, Free Support

    R

    RAID, Hardware Requirements
    RAID controllers, Hardware Problems
    Raw Print Through, Installation of Printer Driver Auto-Download
    raw printing, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    Rbase, LDAP Server Configuration
    rcldap, Implementation
    realm, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, Kerberos Configuration
    recognize, Technical Issues
    record locking, Microsoft Access
    recursively, Setting Posix ACLs in UNIX/Linux
    Red Hat, Drafting Office, Migrating NetWare Server to Samba-3
    Red Hat Fedora Linux, Samba Configuration
    Red Hat Linux, Dissection and Discussion, Accounting Office, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Samba Configuration
    redirected folders, Roaming Profile Background, The Nature of Windows Networking Protocols
    refereed standards, Technical Issues
    regedit, Implementation
    regedt32, Profile Changes, Configuration of Default Profile with Folder Redirection
    registry, Questions and Answers
    keys
    SAM, Dissection and Discussion
    SECURITY, Dissection and Discussion
    registry change, Questions and Answers
    Registry Editor, Configuration of Default Profile with Folder Redirection
    registry hacks, Questions and Answers
    registry keys, Configuration of Default Profile with Folder Redirection
    reimburse, Dissection and Discussion
    rejected, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Access Controls
    rejoin, Questions and Answers
    reliability, Performance, Reliability, and Availability
    remote announce, Routed Networks
    remote browse sync, Routed Networks
    remote procedure call (see RPC)
    replicate, Questions and Answers, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    replicated, Dissection and Discussion
    requesting payment, Free Support
    resilient, Guidelines for Reliable Samba Operation
    resolution, Replacing a Domain Member Server
    resolve, Technical Issues, Bad Hostnames
    response, IDMAP_RID with Winbind
    responsibility, Dissection and Discussion
    responsible, Technical Issues
    restrict anonymous, Samba Domain with Samba Domain Member Server Using NSS LDAP
    restricted export, Kerberos Exposed
    Restrictive security, Active Directory Domain with Samba Domain Member Server
    reverse DNS, Kerberos Configuration
    rfc2307bis, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension
    RID, IDMAP_RID with Winbind, LDAP Server Configuration
    risk, Technical Issues, Questions and Answers, Questions and Answers, Introduction
    road-map, Technical Issues
    published, Technical Issues
    roaming profile, Technical Issues, Roaming Profile Background, Configuring Profile Directories, User Needs, Questions and Answers
    roaming profiles, Technical Issues, Implementation, Roaming Profile Background
    routed network, Use and Location of BDCs
    router, Implementation
    routers, Questions and Answers, Routed Networks
    RPC, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
    rpc, Security Identifiers (SIDs)
    rpcclient, Security Identifiers (SIDs)
    RPM, Security Identifiers (SIDs), Samba 1.9.x and 2.x Versions Without LDAP, Dissection and Discussion
    install, Implementation
    rpm, Removal of Pre-Existing Conflicting RPMs, Samba System File Location
    RPMs, Samba Configuration
    rpms, Removal of Pre-Existing Conflicting RPMs
    rsync, Samba-3 PDC Configuration, Questions and Answers, LDAP Server Configuration, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    rsyncd.conf, LDAP Server Configuration
    run-time control files, Samba System File Location

    S

    safe-guards, Technical Issues
    SAM, Dissection and Discussion
    samba, Removal of Pre-Existing Conflicting RPMs
    starting samba, Implementation
    Samba, Samba Configuration
    Samba accounts, Technical Issues
    samba cluster, Introduction
    samba control script, Starting Samba
    Samba Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers
    Samba Domain server, Using the MMC Computer Management Interface
    Samba RPM Packages, Samba-3 PDC Configuration
    Samba Tea, Samba Configuration
    sambaDomainName, NT4 Migration Using LDAP Backend
    sambaGroupMapping, LDAP Server Configuration
    SambaSAMAccount, Regarding LDAP Directories and Windows Computer Accounts
    SambaSamAccount, LDAP Initialization and Creation of User and Group Accounts
    sambaSamAccount, LDAP Server Configuration
    SambaXP conference, Questions and Answers
    SAN, For Scalability, Use SAN-Based Storage on Samba Servers
    SAS, Security Identifiers (SIDs)
    scalability, Introduction
    scalable, Identity Management Needs
    schannel, Technical Issues, Key Points Learned, Questions and Answers
    schema, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, Samba-2.x with LDAP Support, Updating from Samba Versions between 3.0.6 and 3.0.10
    scripts, The LDAP Account Manager
    secondary group, Samba Domain with Samba Domain Member Server Using NSS LDAP
    secret, Kerberos Exposed
    secrets.tdb, Technical Issues, Samba-3 PDC Configuration, Security Identifiers (SIDs), Location of config files
    secure, Introduction
    secure account password, Questions and Answers
    secure connections, The LDAP Account Manager
    secure networking, Technical Issues
    secure networking protocols, Technical Issues
    security, Technical Issues, Questions and Answers, Security Identifiers (SIDs), Introduction, Technical Issues, Share Point Directory and File Permissions, Questions and Answers
    identifier, Security Identifiers (SIDs)
    share mode, Dissection and Discussion
    user mode, Dissection and Discussion
    Security, Technical Issues, Using the MMC Computer Management Interface
    Security Account Manager (see SAM)
    security controls, Technical Issues
    security descriptors, Dissection and Discussion
    security fixes, Technical Issues
    security updates, Technical Issues
    SerNet, Active Directory Domain with Samba Domain Member Server, Samba Configuration
    server
    domain member, Security Identifiers (SIDs)
    stand-alone, Security Identifiers (SIDs)
    service, Implementation
    smb
    start, Configuration Specific to Domain Member Servers: BLDG1, BLDG2
    Service Packs, Application Share Configuration
    services, Key Points Learned
    services provided, Samba Support
    session setup, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    Session Setup, Simple Windows Client Connection Characteristics
    SessionSetUpAndX, Security Identifiers (SIDs)
    set primary group script, Applicable to All Samba 2.x to Samba-3 Upgrades
    setfacl, Setting Posix ACLs in UNIX/Linux
    severely degrade, Samba Configuration
    SFU, IDMAP, Active Directory, and MS Services for UNIX 3.5
    SGID, Dissection and Discussion, Share Point Directory and File Permissions, Effect of Setting File and Directory SUID/SGID Permissions Explained
    shadow-utils, Questions and Answers
    Share Access Controls, Share Access Controls
    share ACLs, Questions and Answers
    share definition, Technical Issues
    Share Definition
    Controls, Share Definition Controls
    share definition controls, Share Definition Controls, Checkpoint Controls, Share Point Directory and File Permissions, Questions and Answers
    share level access controls, Questions and Answers
    share level ACL, Questions and Answers
    Share Permissions, Share Access Controls
    shared resource, Technical Issues, Setting Posix ACLs in UNIX/Linux
    shares, Technical Issues
    SID, Windows Client Configuration, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs, Technical Issues, IDMAP_RID with Winbind, Security Identifiers (SIDs), Change of Workgroup (Domain) Name, Questions and Answers, Initialization of the LDAP Database
    side effects, Managing Windows 200x ACLs
    Sign'n'seal, Key Points Learned, Questions and Answers
    silent return, Active Directory Domain with Samba Domain Member Server
    simple, Dissection and Discussion
    Single Sign-On (see SSO)
    slapcat, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, LDAP Server Configuration
    slapd, Debugging LDAP
    slapd.conf, NT4 Migration Using LDAP Backend
    slave, Dissection and Discussion
    slow logon, Making Happy Users
    slow network, Hardware Problems
    slurpd, Implementation, Questions and Answers
    smart printing, Dissection and Discussion
    SMB, Security Identifiers (SIDs)
    SMB passwords, Implementation
    SMB/CIFS, Questions and Answers
    smbclient, Validation, Validation, LDAP Initialization and Creation of User and Group Accounts, Questions and Answers
    smbd, Validation, Implementation, Validation, Validation, Samba-3 PDC Configuration, Technical Issues, Active Directory Domain with Samba Domain Member Server, Security Identifiers (SIDs), Location of config files, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
    location of files, Samba System File Location
    smbfs, Dissection and Discussion
    smbldap-groupadd, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
    smbldap-groupmod, LDAP Server Configuration
    smbldap-passwd, LDAP Initialization and Creation of User and Group Accounts
    smbldap-populate, LDAP Initialization and Creation of User and Group Accounts
    smbldap-tools, NT4 Migration Using LDAP Backend, LDAP Server Configuration, The LDAP Account Manager
    smbldap-tools updating, NT4 Migration Using LDAP Backend
    smbldap-useradd, LDAP Initialization and Creation of User and Group Accounts, Implementation
    smbldap-usermod, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
    smbmnt, Dissection and Discussion
    smbmount, Dissection and Discussion
    smbpasswd, Implementation, Technical Issues, Implementation, Technical Issues, Samba Configuration, Server Preparation: All Servers, Configuration for Server: MASSIVE, Samba-3 PDC Configuration, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Technical Issues, Questions and Answers, Integrating Additional Services
    smbumnt, Dissection and Discussion
    smbumount, Dissection and Discussion
    SMTP, Technical Issues
    snap-shot, Dissection and Discussion
    socket address, Samba Configuration
    socket options, Samba Configuration
    software, Dissection and Discussion
    solve, Dissection and Discussion
    source code, Dissection and Discussion
    SPNEGO, Windows 200x/XP Client Interaction with Samba-3
    SQL, Dissection and Discussion, Questions and Answers
    Squid, Implementation, Removal of Pre-Existing Conflicting RPMs, Samba Configuration, Squid Configuration
    squid, Removal of Pre-Existing Conflicting RPMs, Samba Configuration
    Squid proxy, Technical Issues
    SRVTOOLS.EXE, Implementation, Configuring Profile Directories, Questions and Answers, Questions and Answers
    SSL, The LDAP Account Manager
    stand-alone server, Security Identifiers (SIDs)
    starting CUPS, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
    starting dhcpd, Implementation, Process Startup Configuration, Process Startup Configuration
    starting samba, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
    nmbd, Starting Samba
    smbd, Starting Samba
    winbindd, Starting Samba
    startingCUPS, Implementation
    startup script, Starting Samba
    sticky bit, Implementation
    storage capacity, Hardware Requirements
    strategic, Technical Issues
    strategy, Questions and Answers
    straw-man, Active Directory, Kerberos, and Security
    strict sync, Samba Configuration
    stripped, Samba 1.9.x and 2.x Versions Without LDAP
    strong cryptography, Kerberos Exposed
    subscription, Free Support
    SUID, Dissection and Discussion, Questions and Answers, Effect of Setting File and Directory SUID/SGID Permissions Explained
    Sun ONE Identity Server, Dissection and Discussion
    super daemon, Process Startup Configuration
    support, Dissection and Discussion, Samba Support
    survey, Adding Domain Member Servers and Clients
    SUSE, Migrating NetWare Server to Samba-3
    SUSE Enterprise Linux Server, Charity Administration Office, Basic System Configuration, Implementation
    SUSE Linux, Dissection and Discussion, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Removal of Pre-Existing Conflicting RPMs
    SWAT, Samba System File Location
    sync always, Samba Configuration
    synchronization, Kerberos Configuration, For Scalability, Use SAN-Based Storage on Samba Servers
    synchronize, User Needs, LDAP Server Configuration
    synchronized, Questions and Answers
    syslog, OpenLDAP Server Configuration
    system level logins, Questions and Answers
    system security, Technical Issues

    T

    tattooing, Questions and Answers
    TCP/IP, Questions and Answers
    tdbdump, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend
    tdbsam, Technical Issues, Implementation, The 500-User Office, Assignment Tasks, Dissection and Discussion, Implementation, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Technical Issues, Questions and Answers
    testparm, Validation, Validation, Samba-3 PDC Configuration, Active Directory Domain with Samba Domain Member Server, Samba 1.9.x and 2.x Versions Without LDAP, Samba Configuration
    ticket, Samba Configuration
    time server, Implementation
    Tivoli Directory Server, Dissection and Discussion
    TLS, LDAP Server Configuration
    token, Technical Issues
    tool, Questions and Answers, Dissection and Discussion
    TOSHARG2, Implementation
    track record, Dissection and Discussion
    traffic collisions, Making Happy Users
    transaction processing, Dissection and Discussion
    transactional, Questions and Answers
    transfer, Questions and Answers
    translate, Managing Windows 200x ACLs
    traverse, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    tree, Dissection and Discussion
    Tree Connect, Simple Windows Client Connection Characteristics
    trust account, Regarding LDAP Directories and Windows Computer Accounts
    trusted computing, Introduction
    Trusted Domains, Technical Issues
    trusted domains, Questions and Answers
    trusted third-party, Kerberos Exposed
    trusting, Kerberos Exposed
    turn-around time, Technical Issues

    U

    UDP
    broadcast, Routed Networks
    UID, Dissection and Discussion, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, Implementation, Questions and Answers, Questions and Answers
    un-join, Questions and Answers
    unauthorized activities, Kerberos Exposed
    UNC name, Questions and Answers
    unencrypted, The LDAP Account Manager
    Unicast, The Nature of Windows Networking Protocols
    unicode, International Language Support
    Universal Naming Convention (see UNC name)
    UNIX, LDAP Server Configuration
    groups, Technical Issues, Implementation
    UNIX accounts, Technical Issues
    UNIX/Linux server, Technical Issues
    unix2dos, Samba Configuration, Configuration for Server: MASSIVE
    unknown, Technical Issues
    unsupported software, Commercial Support
    update, Introduction, Cautions and Notes
    updates, Introduction, Technical Issues
    updating smbldap-tools, NT4 Migration Using LDAP Backend
    upgrade, Introduction, Cautions and Notes, LDAP Server Configuration
    uppercase, Implementation
    user
    management, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    user account, Making Happy Users, OpenLDAP Server Configuration
    User and Group Controls, Technical Issues
    user credentials, Identity Management Needs, UNIX/Linux Client Domain Member
    user errors, Questions and Answers
    user groups, Free Support
    user identities, Implementation
    user logins, Questions and Answers
    user management, Implementation
    User Manager, NT4 Migration Using LDAP Backend
    User Mode, Implementation, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    useradd, Implementation, Implementation, Implementation, Samba Configuration, Configuration for Server: MASSIVE, Applicable to All Samba 2.x to Samba-3 Upgrades
    userdel, Applicable to All Samba 2.x to Samba-3 Upgrades
    usermod, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
    username, Security Identifiers (SIDs)
    username map, Implementation, Samba Configuration, Server Preparation: All Servers
    UTF-8, International Language Support
    utilities, Questions and Answers

    W

    wbinfo, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Samba Configuration
    weakness, Technical Issues
    web
    caching, Assignment Tasks
    proxying, Assignment Tasks
    Web
    proxy, Questions and Answers
    access, Key Points Learned
    Web browsers, Key Points Learned
    WebClient, Making Happy Users
    WHATSNEW.txt, Samba-2.x with LDAP Support
    white-pages, Technical Issues, LDAP Server Configuration
    wide-area, User Needs, Identity Management Needs, Key Points Learned, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    wide-area network, Use and Location of BDCs, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    winbind, Implementation, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Introduction, Technical Issues, Technical Issues, Samba Configuration, NSS Configuration
    Winbind, Questions and Answers, Technical Issues, Key Points Learned
    winbind trusted domains only, Technical Issues, Questions and Answers
    winbind use default domain, Checkpoint Controls
    winbindd, Validation, Validation, Technical Issues, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Questions and Answers, Samba 1.9.x and 2.x Versions Without LDAP, Updating from Samba Versions after 3.0.6 to a Current Release, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
    winbindd_cache.tdb, Technical Issues
    winbindd_idmap.tdb, Technical Issues
    Windows, LDAP Server Configuration
    client, Security Identifiers (SIDs)
    NT, Security Identifiers (SIDs)
    Windows 2000 ACLs, Managing Windows 200x ACLs
    Windows 2003 Serve, Introduction
    Windows 200x ACLs, Questions and Answers
    Windows accounts, Technical Issues
    Windows ACLs, Setting Posix ACLs in UNIX/Linux
    Windows Address Book, LDAP Server Configuration
    Windows ADS Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    Windows clients, Questions and Answers
    Windows Explorer, Validation
    Windows explorer, Questions and Answers
    Windows security identifier (see SID)
    Windows Servers, Introduction
    Windows Services for UNIX (see SUS)
    Windows XP, Assignment Tasks
    WINS, Implementation, Technical Issues, Implementation, Windows Client Configuration, Technical Issues, Windows Client Configuration, The Nature of Windows Networking Protocols, Identity Management Needs, Questions and Answers, Questions and Answers
    lookup, Questions and Answers
    name resolution, Routed Networks
    server, Making Happy Users, Routed Networks
    WINS server, The 500-User Office, Questions and Answers
    WINS serving, Implementation
    wins support, Implementation
    wins.dat, Identity Management Needs, Replacing a Domain Member Server
    Wireshark, Requirements and Notes
    wireshark, Exercises
    Word, Share Point Directory and File Permissions
    workgroup, Implementation, Security Identifiers (SIDs), Change of Workgroup (Domain) Name
    Workgroup Announcement, Findings
    workstation, Implementation
    wrapper, Questions and Answers
    write lock, Opportunistic Locking Controls

    Y

    YaST, PAM and NSS Client Configuration
    Yellow Pages, Identity Management Needs
    yellow pages (see NIS)
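Review bot: The cross-reference "Windows Services for UNIX (see SUS)" in the W section points at an entry this index does not have: the S section lists "SFU" but no "SUS", so the see-target should read "SFU". In the same region, "startingCUPS" is missing its space and splits references away from the existing "starting CUPS" entry, and "Windows 2003 Serve" looks like a truncated "Windows 2003 Server". If this index is generated, correct the index terms in the source it is built from rather than in the HTML output, so the fixes survive the next rebuild.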
    +Index

    Index

    Symbols

    %LOGONSERVER%, Configuration of Default Profile with Folder Redirection
    %USERNAME%, Roaming Profile Background, Profile Changes
    %USERPROFILE%, Configuration of Default Profile with Folder Redirection
    /data/ldap, OpenLDAP Server Configuration
    /etc/cups/mime.convs, Implementation, Implementation
    /etc/cups/mime.types, Implementation, Implementation
    /etc/dhcpd.conf, Implementation, Validation, Configuration of DHCP and DNS Servers, Validation
    /etc/exports, Samba-3 PDC Configuration
    /etc/group, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Replacing a Domain Member Server, Questions and Answers, Removal of Pre-Existing Conflicting RPMs
    /etc/hosts, Implementation, Implementation, Basic System Configuration, Validation, Server Preparation: All Servers, Questions and Answers, Kerberos Configuration, Bad Hostnames
    /etc/krb5.conf, IDMAP Storage in LDAP using Winbind, Kerberos Configuration
    /etc/ldap.conf, PAM and NSS Client Configuration, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    /etc/mime.convs, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    /etc/mime.types, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    /etc/named.conf, Configuration of DHCP and DNS Servers
    /etc/nsswitch.conf, Implementation, Configuration of DHCP and DNS Servers, Validation, Configuration for Server: MASSIVE, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, PAM and NSS Client Configuration, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, NT4 Migration Using LDAP Backend
    /etc/openldap/slapd.conf, Debugging LDAP, OpenLDAP Server Configuration, Implementation
    /etc/passwd, Implementation, Samba Configuration, Configuration for Server: MASSIVE, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Replacing a Domain Member Server, Technical Issues, Questions and Answers, Technical Issues, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
    /etc/rc.d/boot.local, Basic System Configuration, Configuration for Server: MASSIVE
    /etc/rc.d/rc.local, Implementation
    /etc/resolv.conf, Configuration of DHCP and DNS Servers, Server Preparation: All Servers
    /etc/samba, Samba System File Location
    /etc/samba/secrets.tdb, Active Directory Domain with Samba Domain Member Server
    /etc/samba/smbusers, Server Preparation: All Servers
    /etc/shadow, Replacing a Domain Member Server, Technical Issues
    /etc/squid/squid.conf, Removal of Pre-Existing Conflicting RPMs
    /etc/syslog.conf, Debugging LDAP
    /etc/xinetd.d, Process Startup Configuration, Process Startup Configuration
    /lib/libnss_ldap.so.2, PAM and NSS Client Configuration
    /opt/IDEALX/sbin, NT4 Migration Using LDAP Backend
    /proc/sys/net/ipv4/ip_forward, Implementation, Basic System Configuration
    /usr/bin, Samba System File Location
    /usr/lib/samba, Samba System File Location
    /usr/local, Samba System File Location
    /usr/local/samba, Samba System File Location
    /usr/local/samba/var/locks, Samba 1.9.x and 2.x Versions Without LDAP
    /usr/sbin, Samba System File Location
    /usr/share, Samba System File Location
    /usr/share/samba/swat, Samba System File Location
    /usr/share/swat, Samba System File Location
    /var/cache/samba, Samba 1.9.x and 2.x Versions Without LDAP
    /var/lib/samba, Samba 1.9.x and 2.x Versions Without LDAP, Samba System File Location
    /var/log/ldaplogs, Debugging LDAP
    /var/log/samba, Samba System File Location
    8-bit, International Language Support

    A

    abmas-netfw.sh, Basic System Configuration
    accept, Printer Configuration
    accepts liability, Dissection and Discussion
    access, Technical Issues, Checkpoint Controls
    access control, Kerberos Exposed, Using the MMC Computer Management Interface
    Access Control Lists (see ACLs)
    access control settings, Share Access Controls
    access controls, Technical Issues, Share Definition Controls
    accessible, Share Point Directory and File Permissions
    account, Regarding LDAP Directories and Windows Computer Accounts, Share Access Controls
    ADS Domain, Technical Issues
    account credentials, Findings and Comments
    account information, Questions and Answers
    account names, Questions and Answers
    account policies, The LDAP Account Manager
    accountable, Introduction, Dissection and Discussion
    accounts
    authoritative, Technical Issues
    Domain, Introduction, Questions and Answers
    group, Introduction, Questions and Answers, Introduction
    machine, Introduction, Questions and Answers
    manage, The LDAP Account Manager
    user, Introduction, Questions and Answers, Introduction
    ACL, Security Identifiers (SIDs), Checkpoint Controls
    ACLs, Key Points Learned, Share Access Controls, Share Definition Controls
    acquisitions, Introduction
    Act!, Shared Data Integrity
    ACT! database, Act! Database Sharing
    Act!Diag, Act! Database Sharing
    Active Directory, Dissection and Discussion, The Local Group Policy, Dissection and Discussion, Assignment Tasks, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, Questions and Answers, Introduction, Key Points Learned, Questions and Answers, Integrating Additional Services, Assignment Tasks, Technical Issues, Samba Configuration, Joining a Domain: Windows 200x/XP Professional
    authentication, Squid Configuration
    domain, Samba Configuration
    join, Active Directory Domain with Samba Domain Member Server
    management tools, Technical Issues
    realm, Bad Hostnames
    Replacement, Technical Issues
    server, Active Directory Domain with Samba Domain Member Server, Kerberos Configuration
    Server, Technical Issues
    tree, Samba Configuration
    active directory, Technical Issues
    AD printer publishing, Uploading Printer Drivers to Samba Servers
    ADAM, Dissection and Discussion, IDMAP Storage in LDAP using Winbind
    add group script, Applicable to All Samba 2.x to Samba-3 Upgrades
    add machine script, Applicable to All Samba 2.x to Samba-3 Upgrades
    Add Printer Wizard
    APW, Uploading Printer Drivers to Samba Servers
    add user script, Applicable to All Samba 2.x to Samba-3 Upgrades
    add user to group script, Applicable to All Samba 2.x to Samba-3 Upgrades
    adduser, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    adequate precautions, Introduction
    administrative installation, Application Share Configuration
    administrative rights, Checkpoint Controls
    administrator, Implementation, Samba Configuration, Server Preparation: All Servers
    ADMT, Migration of Samba Accounts to Active Directory
    ADS, IDMAP Storage in LDAP using Winbind, Technical Issues, Kerberos Configuration, Bad Hostnames
    server, Technical Issues
    ADS Domain, Technical Issues
    affordability, The Nature of Windows Networking Protocols
    alarm, Introduction
    algorithm, Technical Issues
    allow trusted domains, IDMAP_RID with Winbind
    alternative, Dissection and Discussion
    analysis, Technical Issues
    anonymous connection, Validation, Validation
    Apache Web server, Questions and Answers
    appliance mode, Technical Issues
    application server, Technical Issues, Application Share Configuration
    application servers, The Nature of Windows Networking Protocols
    application/octet-stream, Implementation, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    APW, Uploading Printer Drivers to Samba Servers
    arp, Validation
    assessment, Introduction
    assistance, Free Support
    assumptions, Key Points Learned
    authconfig, PAM and NSS Client Configuration
    authenticate, LDAP Server Configuration, Samba Configuration
    authenticated, Assignment Tasks
    authenticated connection, Validation, Validation
    authentication, The Nature of Windows Networking Protocols, Questions and Answers, Dissection and Discussion, Integrating Additional Services, Technical Issues, NSS Configuration, Questions and Answers
    plain-text, Questions and Answers
    authentication process, Implementation
    authentication protocols, Key Points Learned
    authoritative, Technical Issues
    authorized location, Kerberos Exposed
    auto-generated SID, Questions and Answers
    automatically allocate, Technical Issues
    availability, Performance, Reliability, and Availability

    C

    cache, Opportunistic Locking Controls
    cache directories, Removal of Pre-Existing Conflicting RPMs
    caching, Samba Configuration
    case-sensitive, Kerberos Configuration
    centralized storage, Questions and Answers
    character set, International Language Support
    check samba daemons, Validation, Validation
    check-point, Share Definition Controls
    check-point controls, Checkpoint Controls
    Checkpoint Controls, Checkpoint Controls
    chgrp, Samba Configuration
    chkconfig, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration, Implementation
    chmod, Samba Configuration
    choice, Dissection and Discussion, Technical Issues
    chown, Removal of Pre-Existing Conflicting RPMs
    CIFS, Security Identifiers (SIDs), Findings
    cifsfs, Dissection and Discussion
    clean database, Questions and Answers
    clients per DC, Making Happy Users
    Clock skew, Kerberos Configuration
    cluster, Introduction
    clustering, Introduction, For Scalability, Use SAN-Based Storage on Samba Servers
    code maintainer, Free Support
    codepage, International Language Support
    collision rates, Network Collisions
    commercial, Dissection and Discussion
    commercial software, Dissection and Discussion
    commercial support, Samba Support, Commercial Support
    Common Internet File System (see CIFS)
    comparison
    Active Directory & OpenLDAP, Dissection and Discussion
    compat, Samba Domain with Samba Domain Member Server Using NSS LDAP
    compatible, Technical Issues
    compile-time, Location of config files
    complexities, Dissection and Discussion
    compromise, Introduction, Introduction, Technical Issues
    computer account, Samba Configuration
    Computer Management, Share Access Controls, Questions and Answers
    computer name, Security Identifiers (SIDs)
    condemns, Technical Issues
    conferences, Technical Issues
    configuration files, Introduction
    configure.pl, NT4 Migration Using LDAP Backend
    connection, Share Access Controls
    connectivity, Questions and Answers
    consequential risk, Technical Issues
    consultant, Drafting Office, Introduction, Dissection and Discussion
    consumer, Dissection and Discussion, Technical Issues
    consumer expects, Samba Support
    contiguous directory, Implementation
    contributions, Updating Samba-3
    control files, Updating a Samba-3 Installation
    convmv, International Language Support
    copy, Questions and Answers
    corrective action, Hardware Problems
    cost, Dissection and Discussion
    cost-benefit, Assignment Tasks
    country of origin, Commercial Support
    Courier-IMAP, LDAP Server Configuration
    credential, Share Definition Controls
    credentials, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Technical Issues
    crippled, Dissection and Discussion
    criticism, Active Directory, Kerberos, and Security, Introduction
    Critics, Technical Issues
    Cryptographic, Technical Issues
    CUPS, Dissection and Discussion, Technical Issues, Implementation, Key Points Learned, Implementation, Printer Configuration, Server Preparation: All Servers, Assignment Tasks, Installation of Printer Driver Auto-Download, Printer Configuration
    queue, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    cupsd, Basic System Configuration
    customer expected, Samba Support
    customers, Samba Support

    D

    daemon, Validation, Basic System Configuration, Security Identifiers (SIDs), Technical Issues, Questions and Answers, Starting Samba
    daemon control, Process Startup Configuration
    data
    corruption, Making Happy Users
    integrity, Questions and Answers
    data corruption, Hardware Problems, Act! Database Sharing
    data integrity, Hardware Problems, Shared Data Integrity
    data storage, Implementation
    database, Dissection and Discussion, Questions and Answers, Dissection and Discussion
    database applications, Shared Data Integrity
    DB_CONFIG, OpenLDAP Server Configuration
    DCE, Kerberos Exposed
    DDNS (see dynamic DNS)
    Debian, Migrating NetWare Server to Samba-3
    default installation, Samba System File Location
    default password, The LDAP Account Manager
    default profile, Assignment Tasks, Technical Issues
    Default User, Profile Changes, Configuration of Default Profile with Folder Redirection
    defective
    cables, Hardware Problems
    HUBs, Hardware Problems
    switches, Hardware Problems
    defects, Technical Issues
    defensible standards, Technical Issues
    defragmentation, Windows Client Configuration
    delete group script, Applicable to All Samba 2.x to Samba-3 Upgrades
    delete user from group script, Applicable to All Samba 2.x to Samba-3 Upgrades
    delimiter, Checkpoint Controls
    dependability, Technical Issues
    deployment, Free Support
    desired security setting, Setting Posix ACLs in UNIX/Linux
    development, Technical Issues
    DHCP, Technical Issues, Implementation, Key Points Learned, Windows Client Configuration, Windows Client Configuration, The Nature of Windows Networking Protocols, Questions and Answers
    client, Bad Hostnames
    relay, Technical Issues
    Relay Agent, Questions and Answers
    request, Questions and Answers
    requests, Technical Issues
    servers, Questions and Answers
    traffic, Questions and Answers
    dhcp client validation, Validation, Validation
    DHCP Server, Implementation
    DHCP server, Technical Issues
    diagnostic, IDMAP Storage in LDAP using Winbind
    diffusion, Technical Issues
    digital rights, Technical Issues
    digital sign'n'seal, Technical Issues
    digits, Bad Hostnames
    diligence, Technical Issues
    directory, Dissection and Discussion, Political Issues, Location of config files
    Computers container, LDAP Initialization and Creation of User and Group Accounts
    management, Dissection and Discussion
    People container, LDAP Initialization and Creation of User and Group Accounts
    replication, Dissection and Discussion
    schema, Dissection and Discussion
    server, Technical Issues
    synchronization, Dissection and Discussion
    directory tree, Setting Posix ACLs in UNIX/Linux
    disable, Introduction
    disaster recovery, Introduction
    disk image, Assignment Tasks
    disruptive, Dissection and Discussion
    distributed, Identity Management Needs, Implementation, Questions and Answers, Distribute Network Load with MSDFS
    distributed domain, Identity Management Needs
    DMB, Questions and Answers
    DMS, Security Identifiers (SIDs), Replacing a Domain Member Server
    DNS, Technical Issues, Implementation, Technical Issues, The Nature of Windows Networking Protocols, LDAP Server Configuration, Bad Hostnames, Routed Networks, Joining a Domain: Windows 200x/XP Professional
    configuration, Questions and Answers
    Dynamic, Questions and Answers
    dynamic, Joining a Domain: Windows 200x/XP Professional
    lookup, Questions and Answers, Kerberos Configuration
    name lookup, Bad Hostnames
    SRV records, Kerberos Configuration
    suffix, Joining a Domain: Windows 200x/XP Professional
    DNS server, Implementation, Configuration of DHCP and DNS Servers
    document the settings, Samba Configuration
    documentation, Dissection and Discussion, Technical Issues
    documented, Samba Configuration
    Domain, Technical Issues
    groups, Technical Issues
    domain
    Active Directory, Technical Issues
    controller, Replacing a Domain Controller
    joining, A Collection of Useful Tidbits
    trusted, Questions and Answers
    Domain accounts, Technical Issues
    Domain Administrator, Share Access Controls
    Domain Controller, Key Points Learned, The Nature of Windows Networking Protocols, Technical Issues, Implementation, Use and Location of BDCs
    closest, The Nature of Windows Networking Protocols
    domain controller, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades
    domain controllers, Technical Issues
    Domain Controllers, Questions and Answers
    Domain Groups
    well-known, Initialization of the LDAP Database
    Domain join, Samba Domain with Samba Domain Member Server Using NSS LDAP
    domain master, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend
    Domain Master Browser (see DMB)
    Domain Member, Use and Location of BDCs
    authoritative
    local accounts, Technical Issues
    client, Implementation
    desktop, Introduction
    server, Introduction, Technical Issues, Implementation, Active Directory Domain with Samba Domain Member Server
    servers, Questions and Answers, Checkpoint Controls
    workstations, Implementation
    domain member
    servers, Technical Issues
    Domain Member server, Technical Issues, Questions and Answers
    Domain Member servers, Questions and Answers
    domain members, Questions and Answers
    domain name space, Identity Management Needs
    domain replication, Questions and Answers
    domain SID, Security Identifiers (SIDs)
    Domain SID, Technical Issues, Questions and Answers
    domain tree, Identity Management Needs
    Domain User Manager, Configuring Profile Directories
    Domain users, Technical Issues
    DOS, Security Identifiers (SIDs)
    dos2unix, Samba Configuration, Configuration for Server: MASSIVE
    down-grade, Introduction
    drive letters, LDAP Server Configuration
    drive mapping, Technical Issues
    dumb printing, Installation of Printer Driver Auto-Download
    dump, Technical Issues, Questions and Answers
    duplicate accounts, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    dynamic DNS, Technical Issues

    F

    fail, The Nature of Windows Networking Protocols
    fail-over, Identity Management Needs, Implementation
    failed, Samba Domain with Samba Domain Member Server Using NSS LDAP
    failed join, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
    failure, Samba Configuration
    familiar, Technical Issues
    fatal problem, Samba Configuration
    fear, Technical Issues
    fears, Technical Issues
    Fedora, Drafting Office
    FHS, Samba System File Location
    file and print server, Questions and Answers
    file and print service, Dissection and Discussion
    file caching, Samba Configuration, Opportunistic Locking Controls
    File Hierarchy System (see FHS)
    file locations, Samba System File Location
    file permissions, The LDAP Account Manager
    file server
    read-only, Dissection and Discussion
    file servers, Samba Server Implementation
    file system, Technical Issues
    access control, Samba Configuration
    Ext3, Implementation
    permissions, Samba Configuration, Configuration for Server: MASSIVE
    file system security, Questions and Answers
    filter, Share Access Controls
    financial responsibility, Introduction
    firewall, Technical Issues, Basic System Configuration, Introduction
    fix, Dissection and Discussion
    flaws, Introduction
    flexibility, Technical Issues
    flush
    cache memory, Opportunistic Locking Controls
    folder redirection, Technical Issues, Configuration of Default Profile with Folder Redirection, Questions and Answers
    force group, Override Controls, Questions and Answers
    force user, Dissection and Discussion, Override Controls, Questions and Answers
    forced settings, Override Controls
    foreign, Samba Domain with Samba Domain Member Server Using NSS LDAP
    foreign SID, Samba Domain with Samba Domain Member Server Using NSS LDAP
    forwarded, Routed Networks
    foundation members, Technical Issues
    Free Standards Group (see FSG)
    free support, Samba Support, Free Support
    front-end, Dissection and Discussion
    server, Distribute Network Load with MSDFS
    frustration, Introduction
    FSG, Samba System File Location
    FTP
    proxy, Questions and Answers
    full control, Share Access Controls, Using MS Windows Explorer (File Manager)
    fully qualified, Checkpoint Controls
    functional differences, Cautions and Notes

    G

    generation, Cautions and Notes
    Gentoo, Migrating NetWare Server to Samba-3
    getent, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
    getfacl, Setting Posix ACLs in UNIX/Linux
    getgrnam, Technical Issues
    getpwnam, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP
    getpwnam(), Questions and Answers
    GID, Implementation, Questions and Answers, Questions and Answers
    Goettingen, Questions and Answers
    government, Identity Management Needs
    GPL, Comments Regarding Software Terms of Use
    group account, Implementation, OpenLDAP Server Configuration
    group management, Implementation
    group mapping, LDAP Server Configuration
    group membership, Implementation, Samba Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
    group names, Questions and Answers
    group policies, Introduction
    Group Policy, Joining a Domain: Windows 200x/XP Professional
    Group Policy editor, The Local Group Policy
    Group Policy Objects, The Local Group Policy
    groupadd, Implementation, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    groupdel, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    groupmem, NT4 Migration Using LDAP Backend
    groupmod, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    GSS-API, Windows 200x/XP Client Interaction with Samba-3
    guest account, Findings and Comments, Dissection and Discussion, Technical Issues, Questions and Answers

    I

    Idealx, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
    smbldap-tools, Install and Configure Idealx smbldap-tools Scripts, LDAP Initialization and Creation of User and Group Accounts
    identifiers, Technical Issues
    identity, Questions and Answers, Kerberos Exposed
    management, Technical Issues
    identity management, Technical Issues, Dissection and Discussion, Political Issues, Dissection and Discussion
    Identity Management, Dissection and Discussion, The Nature of Windows Networking Protocols, Identity Management Needs
    Identity management, UNIX/Linux Client Domain Member
    Identity resolution, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, UNIX/Linux Client Domain Member, Questions and Answers
    Identity resolver, Questions and Answers
    IDMAP, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP_RID with Winbind
    idmap backend, Technical Issues
    IDMAP backend, Questions and Answers
    idmap gid, IDMAP_RID with Winbind
    idmap uid, IDMAP_RID with Winbind
    idmap_rid, IDMAP_RID with Winbind
    IMAP, Technical Issues
    import, Technical Issues
    income, Dissection and Discussion
    independent expert, Introduction
    inetd, Process Startup Configuration
    inetOrgPerson, Technical Issues
    inheritance, Setting Posix ACLs in UNIX/Linux
    initGrps.sh, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    initial credentials, Kerberos Configuration
    inoperative, Dissection and Discussion
    install, Updating Samba-3
    installation, Dissection and Discussion
    integrate, Technical Issues
    integrity, Introduction, Kerberos Exposed
    inter-domain, Applicable to All Samba 2.x to Samba-3 Upgrades
    inter-operability, Dissection and Discussion, Technical Issues, Key Points Learned, Questions and Answers
    interactive help, Free Support
    interdomain trusts, Identity Management Needs
    interfaces, Implementation
    intermittent, Hardware Problems
    internationalization, International Language Support
    Internet Explorer, Technical Issues
    Internet Information Server, Questions and Answers
    interoperability, Dissection and Discussion
    IP forwarding, Implementation, Basic System Configuration, Configuration for Server: MASSIVE
    IPC$, Findings and Comments
    iptables, Technical Issues
    IRC, Free Support
    isolated, Introduction
    Italian, Questions and Answers

    L

    LAM, The LDAP Account Manager
    configuration editor, The LDAP Account Manager
    configuration file, The LDAP Account Manager
    login screen, The LDAP Account Manager
    opening screen, The LDAP Account Manager
    profile, The LDAP Account Manager
    wizard, The LDAP Account Manager
    large domain, IDMAP_RID with Winbind
    LDAP, Technical Issues, Assignment Tasks, Dissection and Discussion, Technical Issues, Preliminary Advice: Dangers Can Be Avoided, PAM and NSS Client Configuration, Introduction, Dissection and Discussion, Identity Management Needs, Implementation, Key Points Learned, Questions and Answers, Technical Issues, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Assignment Tasks, Technical Issues, Questions and Answers, Dissection and Discussion, LDAP Server Configuration, Technical Issues
    backend, Identity Management Needs
    database, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Alternative LDAP Database Initialization
    directory, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs
    fail-over, Implementation
    initial configuration, Alternative LDAP Database Initialization
    master, Identity Management Needs
    master/slave
    background communication, Questions and Answers
    preload, Implementation
    schema, Updating from Samba Versions between 3.0.6 and 3.0.10
    secure, Technical Issues
    server, Questions and Answers
    slave, Identity Management Needs
    updates, Identity Management Needs
    ldap, Samba Domain with Samba Domain Member Server Using NSS LDAP
    LDAP Account Manager (see LAM)
    LDAP backend, Technical Issues
    LDAP database, Questions and Answers
    LDAP Interchange Format (see LDIF)
    LDAP server, Identity Management Needs
    LDAP-transfer-LDIF.txt, Implementation
    ldap.conf, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapadd, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapsam, LDAP Initialization and Creation of User and Group Accounts, Dissection and Discussion, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, Integrating Additional Services
    ldapsam backend, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapsearch, LDAP Initialization and Creation of User and Group Accounts
    LDIF, Technical Issues, Implementation, Technical Issues, LDAP Server Configuration, Initialization of the LDAP Database
    leadership, Technical Issues
    Lightweight Directory Access Protocol (see LDAP)
    limit, Questions and Answers
    Linux desktop, Introduction
    Linux Standards Base (see LSB)
    LMB, Findings, Questions and Answers
    LMHOSTS, Routed Networks
    load distribution, For Scalability, Use SAN-Based Storage on Samba Servers
    local accounts, Technical Issues
    Local Group Policy, Roaming Profile Background
    Local Master Announcement, Findings
    Local Master Browser (see LMB)
    localhost, Basic System Configuration, Bad Hostnames
    lock directory, Samba 1.9.x and 2.x Versions Without LDAP
    locking
    Application level, Shared Data Integrity
    Client side, Shared Data Integrity
    Server side, Shared Data Integrity
    logging, Removal of Pre-Existing Conflicting RPMs
    login, Technical Issues
    loglevel, Debugging LDAP
    logon credentials, Questions and Answers
    logon hours, Technical Issues, Key Points Learned
    logon machines, Technical Issues
    logon path, Implementation
    logon process, Implementation
    logon scrip, Samba Configuration
    logon script, Implementation, Technical Issues, Preparation of Logon Scripts, Technical Issues
    logon server, The Nature of Windows Networking Protocols
    logon services, Implementation
    logon time, Assignment Tasks
    logon traffic, The Nature of Windows Networking Protocols
    logon.kix, LDAP Server Configuration
    loopback, Validation
    low performance, Hardware Problems
    lower-case, Implementation
    lpadmin, Implementation, Implementation, Implementation, Printer Configuration, Printer Configuration
    LSB, Samba System File Location

    M

    machine, Security Identifiers (SIDs)
    machine account, Regarding LDAP Directories and Windows Computer Accounts
    machine accounts, Questions and Answers
    machine secret password, Technical Issues
    MACHINE.SID, Security Identifiers (SIDs)
    mailing list, Free Support
    mailing lists, Free Support
    managed, Technical Issues
    management, Political Issues, Questions and Answers
    group, Technical Issues
    User, Technical Issues
    mandatory profile, Technical Issues, Configuring Profile Directories
    Mandrake, Migrating NetWare Server to Samba-3
    mapped drives, Questions and Answers
    mapping, Technical Issues, Kerberos Configuration
    consistent, Samba Domain with Samba Domain Member Server Using NSS LDAP
    Mars_NWE, Migrating NetWare Server to Samba-3
    master, Dissection and Discussion
    material, A Collection of Useful Tidbits
    memberUID, LDAP Server Configuration
    memory requirements, Hardware Requirements
    merge, Technical Issues, Questions and Answers
    merged, Technical Issues
    meta-directory, Questions and Answers
    meta-service, Questions and Answers
    Microsoft Access, Shared Data Integrity
    Microsoft Excel, Shared Data Integrity
    Microsoft ISA, Assignment Tasks
    Microsoft Management Console (see MMC)
    Microsoft Office, Application Share Configuration, Share Point Directory and File Permissions
    Microsoft Outlook
    PST files, Questions and Answers
    migrate, Updating Samba-3, Technical Issues
    migration, Implementation, Implementation, Assignment Tasks, Introduction, Questions and Answers, Migrating NetWare Server to Samba-3
    objectives, Dissection and Discussion
    Migration speed, Questions and Answers
    mime type, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    mime types, Implementation
    missing RPC's, Technical Issues
    MIT, Implementation, Kerberos Configuration
    MIT Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
    MIT kerberos, IDMAP Storage in LDAP using Winbind
    MIT KRB5, Samba Configuration
    mixed mode, Active Directory Domain with Samba Domain Member Server
    mixed-mode, Questions and Answers
    MMC, Configure Delete Cached Profiles on Logout, Technical Issues, Questions and Answers
    mobile computing, Dissection and Discussion
    mobility, Technical Issues
    modularization, Technical Issues
    modules, Questions and Answers
    MS Access
    validate, Microsoft Access
    MS Outlook, Configuration of MS Outlook to Relocate PST File
    PST, Configuration of MS Outlook to Relocate PST File
    PST file, Making Happy Users
    MS Windows Server 2003, Implementation
    MS Word, Share Point Directory and File Permissions
    MSDFS, Distribute Network Load with MSDFS
    multi-subnet, Routed Networks
    multi-user
    access, Microsoft Access
    data access, Shared Data Integrity
    multiple directories, Identity Management Needs
    multiple domain controllers, Making Happy Users
    multiple group mappings, Questions and Answers
    mutual assistance, Free Support
    My Documents, Roaming Profile Background
    My Network Places, Implementation
    mysqlsam, Implementation

    N

    name resolution, Configuration of DHCP and DNS Servers, Questions and Answers, Assignment Tasks
    Defective, Active Directory Domain with Samba Domain Member Server
    name resolve order, Implementation
    name service switch, Implementation (see NSS)
    named, Basic System Configuration, Validation, Server Preparation: All Servers
    NAT, Technical Issues
    native, Questions and Answers
    net
    ads
    info, Active Directory Domain with Samba Domain Member Server
    join, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Samba Configuration
    status, Active Directory Domain with Samba Domain Member Server
    getlocalsid, Samba-3 PDC Configuration, Security Identifiers (SIDs)
    group, NT4 Migration Using tdbsam Backend
    groupmap
    add, Samba Configuration
    list, Samba Configuration, LDAP Initialization and Creation of User and Group Accounts
    modify, Samba Configuration
    rpc
    info, Security Identifiers (SIDs)
    join, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, Questions and Answers, NT4 Migration Using tdbsam Backend
    vampire, Updating Samba-3, NT4 Migration Using tdbsam Backend
    setlocalsid, Security Identifiers (SIDs)
    NetBIOS, The Nature of Windows Networking Protocols, Questions and Answers, Bad Hostnames, Routed Networks, Questions and Answers
    name cache, Questions and Answers
    name resolution
    delays, Making Happy Users
    Node Type, Questions and Answers
    netbios
    machine name, Change of hostname
    netbios forwarding, Network Collisions
    NetBIOS name, Kerberos Configuration
    aliases, Identity Management Needs
    netbios name, Security Identifiers (SIDs), Change of hostname, Bad Hostnames
    NETLOGON, Using a Network Default User Profile, Windows Client Configuration
    netlogon, The Nature of Windows Networking Protocols, LDAP Server Configuration
    Netlogon, Joining a Domain: Windows 200x/XP Professional
    netmask, Implementation
    Netware, Small Office Networking
    NetWare, Migrating NetWare Server to Samba-3, LDAP Server Configuration
    network
    administrators, Technical Issues
    analyzer, Assignment Tasks
    bandwidth, Identity Management Needs, Questions and Answers
    broadcast, Introduction
    captures, Requirements and Notes
    collisions, Network Collisions
    load, Network Collisions
    logon, Making Happy Users
    logon scripts, Dissection and Discussion
    management, Introduction
    multi-segment, Introduction
    overload, Making Happy Users
    performance, Samba Configuration
    routed, Dissection and Discussion
    secure, Introduction
    segment, Dissection and Discussion
    services, Questions and Answers
    sniffer, Requirements and Notes
    timeout, Making Happy Users
    timeouts, Network Collisions
    trace, Assignment Tasks
    traffic
    observation, Technical Issues
    wide-area, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    Network Address Translation (see NAT)
    network administrators, Technical Issues
    network attached storage (see NAS)
    network bandwidth
    utilization, Making Happy Users
    Network Default Profile, Roaming Profile Background
    network hardware
    defective, Making Happy Users
    network hygiene, Dissection and Discussion
    network Identities, Questions and Answers
    network load factors, Dissection and Discussion
    Network Neighborhood, Validation, Technical Issues
    network segment, Use and Location of BDCs
    network segments, Hardware Requirements
    network share, Assignment Tasks
    networking
    client, Security Identifiers (SIDs)
    networking hardware
    defective, Making Happy Users
    networking protocols, Technical Issues
    next generation, Technical Issues
    NextFreeUnixId, NT4 Migration Using LDAP Backend
    NFS server, Samba-3 PDC Configuration
    NICs, Hardware Problems
    NIS, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Technical Issues, Political Issues, Questions and Answers
    nis, Samba Domain with Samba Domain Member Server Using NSS LDAP
    NIS schema, Questions and Answers
    NIS server, Questions and Answers
    NIS+, Identity Management Needs
    nisplus, Samba Domain with Samba Domain Member Server Using NSS LDAP
    NLM, Migrating NetWare Server to Samba-3
    nmap, Validation
    nmbd, Validation, Validation, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Starting Samba
    nobody, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
    Novell, Migrating NetWare Server to Samba-3, Introduction
    Novell SUSE SLES 9, NT4 Migration Using LDAP Backend
    NSS, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, PAM and NSS Client Configuration, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, UNIX/Linux Client Domain Member, Questions and Answers, LDAP Server Configuration, NSS Configuration (see same service switch)
    nss_ldap, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, OpenLDAP Server Configuration, PAM and NSS Client Configuration, LDAP Initialization and Creation of User and Group Accounts, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Replacing a Domain Member Server, NT4 Migration Using LDAP Backend
    nt acl support, Dissection and Discussion
    NT4 registry, Dissection and Discussion
    NTLM, Technical Issues
    NTLM authentication daemon, Technical Issues
    NTLMSSP, Key Points Learned, Questions and Answers, Windows 200x/XP Client Interaction with Samba-3
    NTLMSSP_AUTH, Windows 200x/XP Client Interaction with Samba-3
    ntlm_auth, Samba Configuration, Questions and Answers
    NTP, Kerberos Configuration
    NTUSER.DAT, Roaming Profile Background, Profile Changes, Using a Network Default User Profile, Questions and Answers
    NULL connection, Validation
    NULL session, Findings and Comments
    NULL-Session, Discussion

    P

    package, Implementation
    package names, Samba System File Location
    packages, Updating a Samba-3 Installation
    PADL, Technical Issues, IDMAP Storage in LDAP using Winbind
    PADL LDAP tools, Technical Issues
    PADL Software, Samba Domain with Samba Domain Member Server Using NSS LDAP
    paid-for support, Samba Support
    PAM, PAM and NSS Client Configuration, UNIX/Linux Client Domain Member, LDAP Server Configuration
    pam_ldap, OpenLDAP Server Configuration
    pam_ldap.so, PAM and NSS Client Configuration
    pam_unix2.so, PAM and NSS Client Configuration
    use_ldap, PAM and NSS Client Configuration
    parameters, Applicable to All Samba 2.x to Samba-3 Upgrades
    passdb backend, Implementation, The 500-User Office, Dissection and Discussion, Dissection and Discussion, Implementation, Technical Issues, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, Questions and Answers
    passdb.tdb, Technical Issues
    passwd, Implementation, Implementation, Samba Configuration
    password
    backend, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    password caching, Implementation
    password change, Key Points Learned
    password length, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    payroll, Introduction
    pdbedit, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, NT4 Migration Using tdbsam Backend, Questions and Answers
    PDC, Assignment Tasks, Technical Issues, Making Happy Users, Technical Issues, The Local Group Policy, The Nature of Windows Networking Protocols, Technical Issues, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Implementation, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Use and Location of BDCs
    PDC/BDC ratio, Making Happy Users
    PDF, The LDAP Account Manager
    performance, Dissection and Discussion, Questions and Answers, Performance, Reliability, and Availability, Introduction, Network Collisions
    performance degradation, Override Controls, Samba Configuration
    Perl, LDAP Server Configuration, The LDAP Account Manager
    permission, Share Point Directory and File Permissions
    permissions, Implementation, Technical Issues, Share Access Controls, Checkpoint Controls, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs
    excessive, Technical Issues
    group, Share Point Directory and File Permissions
    user, Share Point Directory and File Permissions
    Permissions, Using the MMC Computer Management Interface
    permits, Technical Issues
    permitted group, Using the MMC Computer Management Interface
    PHP, The LDAP Account Manager
    PHP4, The LDAP Account Manager
    pile-driver, Share Definition Controls
    ping, Validation
    pitfalls, The LDAP Account Manager
    plain-text, Questions and Answers
    Pluggable Authentication Modules (see PAM)
    policy, Questions and Answers, Introduction
    poor performance, Dissection and Discussion
    POP3, Technical Issues
    Posix, Dissection and Discussion, Technical Issues, Questions and Answers, Implementation, Questions and Answers, The LDAP Account Manager
    POSIX, Regarding LDAP Directories and Windows Computer Accounts, LDAP Server Configuration
    Posix accounts, LDAP Initialization and Creation of User and Group Accounts, Technical Issues
    Posix ACLs, Managing Windows 200x ACLs
    PosixAccount, LDAP Initialization and Creation of User and Group Accounts
    posixAccount, LDAP Server Configuration
    Postfix, LDAP Server Configuration
    Postscript, Installation of Printer Driver Auto-Download
    powers, Share Definition Controls
    practices, Introduction
    precaution, Introduction
    presence and leadership, Technical Issues
    price paid, Dissection and Discussion
    primary group, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
    principals, Kerberos Exposed
    print filter, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    print queue, Charity Administration Office, Dissection and Discussion
    print spooler, Charity Administration Office
    Print Test Page, Uploading Printer Drivers to Samba Servers
    printcap name, Implementation
    printer validation, Validation, Validation
    printers
    Advanced, Uploading Printer Drivers to Samba Servers
    Default Settings, Uploading Printer Drivers to Samba Servers
    General, Uploading Printer Drivers to Samba Servers
    Properties, Uploading Printer Drivers to Samba Servers
    Security, Uploading Printer Drivers to Samba Servers
    Sharing, Uploading Printer Drivers to Samba Servers
    printing, Implementation
    drag-and-drop, Installation of Printer Driver Auto-Download, Uploading Printer Drivers to Samba Servers
    dumb, Installation of Printer Driver Auto-Download
    point-n-click, Installation of Printer Driver Auto-Download
    raw, Dissection and Discussion
    privacy, Identity Management Needs
    Privilege Attribute Certificates (see PAC)
    privilege controls, Share Point Directory and File Permissions
    privileged pipe, Samba Configuration
    privileges, Identity Management Needs, Updating from Samba Versions after 3.0.6 to a Current Release, Technical Issues, Share Definition Controls
    problem report, Free Support
    problem resolution, Samba Support
    product defects, Dissection and Discussion
    professional support, Free Support
    profile
    default, Assignment Tasks
    mandatory, The Nature of Windows Networking Protocols
    roaming, Making Happy Users
    profile path, Technical Issues
    profile share, Implementation
    profiles, Security Identifiers (SIDs)
    profiles share, Dissection and Discussion
    programmer, Dissection and Discussion
    project, Free Support
    project maintainers, Technical Issues
    Properties, Using the MMC Computer Management Interface
    proprietary, Technical Issues
    protected, Technical Issues
    protection, Technical Issues
    protocol
    negotiation, The Nature of Windows Networking Protocols
    protocol analysis, Requirements and Notes
    protocols, Technical Issues
    provided services, Samba Support
    proxy, Assignment Tasks, Technical Issues
    PST file, Configuration of MS Outlook to Relocate PST File
    public specifications, Technical Issues
    purchase support, Free Support

    Q

    Qbasic, LDAP Server Configuration
    qualified problem, Free Support

    R

    RAID, Hardware Requirements
    RAID controllers, Hardware Problems
    Raw Print Through, Installation of Printer Driver Auto-Download
    raw printing, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    Rbase, LDAP Server Configuration
    rcldap, Implementation
    realm, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, Kerberos Configuration
    recognize, Technical Issues
    record locking, Microsoft Access
    recursively, Setting Posix ACLs in UNIX/Linux
    Red Hat, Drafting Office, Migrating NetWare Server to Samba-3
    Red Hat Fedora Linux, Samba Configuration
    Red Hat Linux, Dissection and Discussion, Accounting Office, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Samba Configuration
    redirected folders, Roaming Profile Background, The Nature of Windows Networking Protocols
    refereed standards, Technical Issues
    regedit, Implementation
    regedt32, Profile Changes, Configuration of Default Profile with Folder Redirection
    registry, Questions and Answers
    keys
    SAM, Dissection and Discussion
    SECURITY, Dissection and Discussion
    registry change, Questions and Answers
    Registry Editor, Configuration of Default Profile with Folder Redirection
    registry hacks, Questions and Answers
    registry keys, Configuration of Default Profile with Folder Redirection
    reimburse, Dissection and Discussion
    rejected, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Access Controls
    rejoin, Questions and Answers
    reliability, Performance, Reliability, and Availability
    remote announce, Routed Networks
    remote browse sync, Routed Networks
    remote procedure call (see RPC)
    replicate, Questions and Answers, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    replicated, Dissection and Discussion
    requesting payment, Free Support
    resilient, Guidelines for Reliable Samba Operation
    resolution, Replacing a Domain Member Server
    resolve, Technical Issues, Bad Hostnames
    response, IDMAP_RID with Winbind
    responsibility, Dissection and Discussion
    responsible, Technical Issues
    restrict anonymous, Samba Domain with Samba Domain Member Server Using NSS LDAP
    restricted export, Kerberos Exposed
    Restrictive security, Active Directory Domain with Samba Domain Member Server
    reverse DNS, Kerberos Configuration
    rfc2307bis, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension
    RID, IDMAP_RID with Winbind, LDAP Server Configuration
    risk, Technical Issues, Questions and Answers, Questions and Answers, Introduction
    road-map, Technical Issues
    published, Technical Issues
    roaming profile, Technical Issues, Roaming Profile Background, Configuring Profile Directories, User Needs, Questions and Answers
    roaming profiles, Technical Issues, Implementation, Roaming Profile Background
    routed network, Use and Location of BDCs
    router, Implementation
    routers, Questions and Answers, Routed Networks
    RPC, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
    rpc, Security Identifiers (SIDs)
    rpcclient, Security Identifiers (SIDs)
    RPM, Security Identifiers (SIDs), Samba 1.9.x and 2.x Versions Without LDAP, Dissection and Discussion
    install, Implementation
    rpm, Removal of Pre-Existing Conflicting RPMs, Samba System File Location
    RPMs, Samba Configuration
    rpms, Removal of Pre-Existing Conflicting RPMs
    rsync, Samba-3 PDC Configuration, Questions and Answers, LDAP Server Configuration, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    rsyncd.conf, LDAP Server Configuration
    run-time control files, Samba System File Location

    S

    safe-guards, Technical Issues
    SAM, Dissection and Discussion
    samba, Removal of Pre-Existing Conflicting RPMs
    starting samba, Implementation
    Samba, Samba Configuration
    Samba accounts, Technical Issues
    samba cluster, Introduction
    samba control script, Starting Samba
    Samba Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers
    Samba Domain server, Using the MMC Computer Management Interface
    Samba RPM Packages, Samba-3 PDC Configuration
    Samba Tea, Samba Configuration
    sambaDomainName, NT4 Migration Using LDAP Backend
    sambaGroupMapping, LDAP Server Configuration
    SambaSAMAccount, Regarding LDAP Directories and Windows Computer Accounts
    SambaSamAccount, LDAP Initialization and Creation of User and Group Accounts
    sambaSamAccount, LDAP Server Configuration
    SambaXP conference, Questions and Answers
    SAN, For Scalability, Use SAN-Based Storage on Samba Servers
    SAS, Security Identifiers (SIDs)
    scalability, Introduction
    scalable, Identity Management Needs
    schannel, Technical Issues, Key Points Learned, Questions and Answers
    schema, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, Samba-2.x with LDAP Support, Updating from Samba Versions between 3.0.6 and 3.0.10
    scripts, The LDAP Account Manager
    secondary group, Samba Domain with Samba Domain Member Server Using NSS LDAP
    secret, Kerberos Exposed
    secrets.tdb, Technical Issues, Samba-3 PDC Configuration, Security Identifiers (SIDs), Location of config files
    secure, Introduction
    secure account password, Questions and Answers
    secure connections, The LDAP Account Manager
    secure networking, Technical Issues
    secure networking protocols, Technical Issues
    security, Technical Issues, Questions and Answers, Security Identifiers (SIDs), Introduction, Technical Issues, Share Point Directory and File Permissions, Questions and Answers
    identifier, Security Identifiers (SIDs)
    share mode, Dissection and Discussion
    user mode, Dissection and Discussion
    Security, Technical Issues, Using the MMC Computer Management Interface
    Security Account Manager (see SAM)
    security controls, Technical Issues
    security descriptors, Dissection and Discussion
    security fixes, Technical Issues
    security updates, Technical Issues
    SerNet, Active Directory Domain with Samba Domain Member Server, Samba Configuration
    server
    domain member, Security Identifiers (SIDs)
    stand-alone, Security Identifiers (SIDs)
    service, Implementation
    smb
    start, Configuration Specific to Domain Member Servers: BLDG1, BLDG2
    Service Packs, Application Share Configuration
    services, Key Points Learned
    services provided, Samba Support
    session setup, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    Session Setup, Simple Windows Client Connection Characteristics
    SessionSetUpAndX, Security Identifiers (SIDs)
    set primary group script, Applicable to All Samba 2.x to Samba-3 Upgrades
    setfacl, Setting Posix ACLs in UNIX/Linux
    severely degrade, Samba Configuration
    SFU, IDMAP, Active Directory, and MS Services for UNIX 3.5
    SGID, Dissection and Discussion, Share Point Directory and File Permissions, Effect of Setting File and Directory SUID/SGID Permissions Explained
    shadow-utils, Questions and Answers
    Share Access Controls, Share Access Controls
    share ACLs, Questions and Answers
    share definition, Technical Issues
    Share Definition
    Controls, Share Definition Controls
    share definition controls, Share Definition Controls, Checkpoint Controls, Share Point Directory and File Permissions, Questions and Answers
    share level access controls, Questions and Answers
    share level ACL, Questions and Answers
    Share Permissions, Share Access Controls
    shared resource, Technical Issues, Setting Posix ACLs in UNIX/Linux
    shares, Technical Issues
    SID, Windows Client Configuration, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs, Technical Issues, IDMAP_RID with Winbind, Security Identifiers (SIDs), Change of Workgroup (Domain) Name, Questions and Answers, Initialization of the LDAP Database
    side effects, Managing Windows 200x ACLs
    Sign'n'seal, Key Points Learned, Questions and Answers
    silent return, Active Directory Domain with Samba Domain Member Server
    simple, Dissection and Discussion
    Single Sign-On (see SSO)
    slapcat, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, LDAP Server Configuration
    slapd, Debugging LDAP
    slapd.conf, NT4 Migration Using LDAP Backend
    slave, Dissection and Discussion
    slow logon, Making Happy Users
    slow network, Hardware Problems
    slurpd, Implementation, Questions and Answers
    smart printing, Dissection and Discussion
    SMB, Security Identifiers (SIDs)
    SMB passwords, Implementation
    SMB/CIFS, Questions and Answers
    smbclient, Validation, Validation, LDAP Initialization and Creation of User and Group Accounts, Questions and Answers
    smbd, Validation, Implementation, Validation, Validation, Samba-3 PDC Configuration, Technical Issues, Active Directory Domain with Samba Domain Member Server, Security Identifiers (SIDs), Location of config files, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
    location of files, Samba System File Location
    smbfs, Dissection and Discussion
    smbldap-groupadd, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
    smbldap-groupmod, LDAP Server Configuration
    smbldap-passwd, LDAP Initialization and Creation of User and Group Accounts
    smbldap-populate, LDAP Initialization and Creation of User and Group Accounts
    smbldap-tools, NT4 Migration Using LDAP Backend, LDAP Server Configuration, The LDAP Account Manager
    smbldap-tools updating, NT4 Migration Using LDAP Backend
    smbldap-useradd, LDAP Initialization and Creation of User and Group Accounts, Implementation
    smbldap-usermod, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
    smbmnt, Dissection and Discussion
    smbmount, Dissection and Discussion
    smbpasswd, Implementation, Technical Issues, Implementation, Technical Issues, Samba Configuration, Server Preparation: All Servers, Configuration for Server: MASSIVE, Samba-3 PDC Configuration, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Technical Issues, Questions and Answers, Integrating Additional Services
    smbumnt, Dissection and Discussion
    smbumount, Dissection and Discussion
    SMTP, Technical Issues
    snap-shot, Dissection and Discussion
    socket address, Samba Configuration
    socket options, Samba Configuration
    software, Dissection and Discussion
    solve, Dissection and Discussion
    source code, Dissection and Discussion
    SPNEGO, Windows 200x/XP Client Interaction with Samba-3
    SQL, Dissection and Discussion, Questions and Answers
    Squid, Implementation, Removal of Pre-Existing Conflicting RPMs, Samba Configuration, Squid Configuration
    squid, Removal of Pre-Existing Conflicting RPMs, Samba Configuration
    Squid proxy, Technical Issues
    SRVTOOLS.EXE, Implementation, Configuring Profile Directories, Questions and Answers, Questions and Answers
    SSL, The LDAP Account Manager
    stand-alone server, Security Identifiers (SIDs)
    starting CUPS, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
    starting dhcpd, Implementation, Process Startup Configuration, Process Startup Configuration
    starting samba, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
    nmbd, Starting Samba
    smbd, Starting Samba
    winbindd, Starting Samba
    startingCUPS, Implementation
    startup script, Starting Samba
    sticky bit, Implementation
    storage capacity, Hardware Requirements
    strategic, Technical Issues
    strategy, Questions and Answers
    straw-man, Active Directory, Kerberos, and Security
    strict sync, Samba Configuration
    stripped, Samba 1.9.x and 2.x Versions Without LDAP
    strong cryptography, Kerberos Exposed
    subscription, Free Support
    SUID, Dissection and Discussion, Questions and Answers, Effect of Setting File and Directory SUID/SGID Permissions Explained
    Sun ONE Identity Server, Dissection and Discussion
    super daemon, Process Startup Configuration
    support, Dissection and Discussion, Samba Support
    survey, Adding Domain Member Servers and Clients
    SUSE, Migrating NetWare Server to Samba-3
    SUSE Enterprise Linux Server, Charity Administration Office, Basic System Configuration, Implementation
    SUSE Linux, Dissection and Discussion, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Removal of Pre-Existing Conflicting RPMs
    SWAT, Samba System File Location
    sync always, Samba Configuration
    synchronization, Kerberos Configuration, For Scalability, Use SAN-Based Storage on Samba Servers
    synchronize, User Needs, LDAP Server Configuration
    synchronized, Questions and Answers
    syslog, OpenLDAP Server Configuration
    system level logins, Questions and Answers
    system security, Technical Issues

    T

    tattooing, Questions and Answers
    TCP/IP, Questions and Answers
    tdbdump, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend
    tdbsam, Technical Issues, Implementation, The 500-User Office, Assignment Tasks, Dissection and Discussion, Implementation, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Technical Issues, Questions and Answers
    testparm, Validation, Validation, Samba-3 PDC Configuration, Active Directory Domain with Samba Domain Member Server, Samba 1.9.x and 2.x Versions Without LDAP, Samba Configuration
    ticket, Samba Configuration
    time server, Implementation
    Tivoli Directory Server, Dissection and Discussion
    TLS, LDAP Server Configuration
    token, Technical Issues
    tool, Questions and Answers, Dissection and Discussion
    TOSHARG2, Implementation
    track record, Dissection and Discussion
    traffic collisions, Making Happy Users
    transaction processing, Dissection and Discussion
    transactional, Questions and Answers
    transfer, Questions and Answers
    translate, Managing Windows 200x ACLs
    traverse, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    tree, Dissection and Discussion
    Tree Connect, Simple Windows Client Connection Characteristics
    trust account, Regarding LDAP Directories and Windows Computer Accounts
    trusted computing, Introduction
    Trusted Domains, Technical Issues
    trusted domains, Questions and Answers
    trusted third-party, Kerberos Exposed
    trusting, Kerberos Exposed
    turn-around time, Technical Issues

    U

    UDP
    broadcast, Routed Networks
    UID, Dissection and Discussion, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, Implementation, Questions and Answers, Questions and Answers
    un-join, Questions and Answers
    unauthorized activities, Kerberos Exposed
    UNC name, Questions and Answers
    unencrypted, The LDAP Account Manager
    Unicast, The Nature of Windows Networking Protocols
    unicode, International Language Support
    Universal Naming Convention (see UNC name)
    UNIX, LDAP Server Configuration
    groups, Technical Issues, Implementation
    UNIX accounts, Technical Issues
    UNIX/Linux server, Technical Issues
    unix2dos, Samba Configuration, Configuration for Server: MASSIVE
    unknown, Technical Issues
    unsupported software, Commercial Support
    update, Introduction, Cautions and Notes
    updates, Introduction, Technical Issues
    updating smbldap-tools, NT4 Migration Using LDAP Backend
    upgrade, Introduction, Cautions and Notes, LDAP Server Configuration
    uppercase, Implementation
    user
    management, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    user account, Making Happy Users, OpenLDAP Server Configuration
    User and Group Controls, Technical Issues
    user credentials, Identity Management Needs, UNIX/Linux Client Domain Member
    user errors, Questions and Answers
    user groups, Free Support
    user identities, Implementation
    user logins, Questions and Answers
    user management, Implementation
    User Manager, NT4 Migration Using LDAP Backend
    User Mode, Implementation, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    useradd, Implementation, Implementation, Implementation, Samba Configuration, Configuration for Server: MASSIVE, Applicable to All Samba 2.x to Samba-3 Upgrades
    userdel, Applicable to All Samba 2.x to Samba-3 Upgrades
    usermod, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
    username, Security Identifiers (SIDs)
    username map, Implementation, Samba Configuration, Server Preparation: All Servers
    UTF-8, International Language Support
    utilities, Questions and Answers

    W

    wbinfo, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Samba Configuration
    weakness, Technical Issues
    web
    caching, Assignment Tasks
    proxying, Assignment Tasks
    Web
    proxy, Questions and Answers
    access, Key Points Learned
    Web browsers, Key Points Learned
    WebClient, Making Happy Users
    WHATSNEW.txt, Samba-2.x with LDAP Support
    white-pages, Technical Issues, LDAP Server Configuration
    wide-area, User Needs, Identity Management Needs, Key Points Learned, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    wide-area network, Use and Location of BDCs, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    winbind, Implementation, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Introduction, Technical Issues, Technical Issues, Samba Configuration, NSS Configuration
    Winbind, Questions and Answers, Technical Issues, Key Points Learned
    winbind trusted domains only, Technical Issues, Questions and Answers
    winbind use default domain, Checkpoint Controls
    winbindd, Validation, Validation, Technical Issues, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Questions and Answers, Samba 1.9.x and 2.x Versions Without LDAP, Updating from Samba Versions after 3.0.6 to a Current Release, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
    winbindd_cache.tdb, Technical Issues
    winbindd_idmap.tdb, Technical Issues
    Windows, LDAP Server Configuration
    client, Security Identifiers (SIDs)
    NT, Security Identifiers (SIDs)
    Windows 2000 ACLs, Managing Windows 200x ACLs
    Windows 2003 Serve, Introduction
    Windows 200x ACLs, Questions and Answers
    Windows accounts, Technical Issues
    Windows ACLs, Setting Posix ACLs in UNIX/Linux
    Windows Address Book, LDAP Server Configuration
    Windows ADS Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    Windows clients, Questions and Answers
    Windows Explorer, Validation
    Windows explorer, Questions and Answers
    Windows security identifier (see SID)
    Windows Servers, Introduction
    Windows Services for UNIX (see SUS)
    Windows XP, Assignment Tasks
    WINS, Implementation, Technical Issues, Implementation, Windows Client Configuration, Technical Issues, Windows Client Configuration, The Nature of Windows Networking Protocols, Identity Management Needs, Questions and Answers, Questions and Answers
    lookup, Questions and Answers
    name resolution, Routed Networks
    server, Making Happy Users, Routed Networks
    WINS server, The 500-User Office, Questions and Answers
    WINS serving, Implementation
    wins support, Implementation
    wins.dat, Identity Management Needs, Replacing a Domain Member Server
    Wireshark, Requirements and Notes
    wireshark, Exercises
    Word, Share Point Directory and File Permissions
    workgroup, Implementation, Security Identifiers (SIDs), Change of Workgroup (Domain) Name
    Workgroup Announcement, Findings
    workstation, Implementation
    wrapper, Questions and Answers
    write lock, Opportunistic Locking Controls

    Y

    YaST, PAM and NSS Client Configuration
    Yellow Pages, Identity Management Needs
    yellow pages (see NIS)
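Review bot: The cross-reference "Windows Services for UNIX (see SUS)" in the W section points at a term that has no entry in this index. The S section carries the entry as "SFU", so the target should read "see SFU". Two other entries in the same listing look like slips in the source markup: "Windows 2003 Serve" is truncated, and "startingCUPS" is missing its space and duplicates the existing "starting CUPS" entry.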
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/kerberos.html samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/kerberos.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/kerberos.html 2009-04-30 10:08:50.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/kerberos.html 2009-06-02 09:48:46.000000000 +0200 @@ -1,4 +1,4 @@ -Chapter 11. Active Directory, Kerberos, and Security

    Chapter 11. Active Directory, Kerberos, and Security

    +Chapter 11. Active Directory, Kerberos, and Security

    Chapter 11. Active Directory, Kerberos, and Security

    By this point in the book, you have been exposed to many Samba-3 features and capabilities. More importantly, if you have implemented the examples given, you are well on your way to becoming a Samba-3 networking guru who knows a lot about Microsoft Windows. If you have taken the time to @@ -526,8 +526,10 @@ One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence:

    1. - A user opens a Work document from a network drive. The file was owned by user janetp + A user opens a Word document from a network drive. The file was owned by user janetp and [users], and was set read/write-enabled for everyone. + A user opens a Word document from a network drive. The file was owned by user janetp + and users, and was set read/write-enabled for everyone.

    2. File changes and edits are made.

    3. @@ -542,7 +544,7 @@ There have been many postings over the years that report the same basic problem. Frequently Samba users want to know when this “bug” will be fixed. The fact is, this is not a bug in Samba at all. Here is the real sequence of what happens in this case. -

      +

      When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned by the user who creates the file (billc) and has the permissions that follow that user's default settings within the operating system (UNIX/Linux). When MS Word has finished writing @@ -560,7 +562,7 @@ The solution is simple. Use UNIX file system permissions and controls to your advantage. Follow these simple steps to create a share in which all files will consistently be owned by the same user and the same group: -

      Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership

      1. +

        Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership

        1. Change your share definition so that it matches this pattern:

           [finance]
          @@ -568,18 +570,18 @@
                   browseable = Yes
                   read only = No
           

          -

        2. +

        3. Set consistent user and group permissions recursively down the directory tree as shown here:

           root#  chown -R janetp.users /usr/data/finance
           

          -

        4. +

        5. Set the files and directory permissions to be read/write for owner and group, and not accessible to others (everyone), using the following command:

           root#  chmod ug+rwx,o-rwx /usr/data/finance
           

          -

        6. +

        7. Set the SGID (supergroup) bit on all directories from the top down. This means all files can be created with the permissions of the group set on the directory. It means all users who are members of the group finance can read and write all files in @@ -589,11 +591,11 @@ root# find /usr/data/finance -type d -exec chmod ug+s {}\;

          -

        8. +

        9. Make sure all users that must have read/write access to the directory have finance group membership as their primary group, for example, the group they belong to in /etc/passwd. -

      Managing Windows 200x ACLs

      +

    Managing Windows 200x ACLs

    Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means that some transactions are not possible from MS Windows clients. One of these is to reset the ownership @@ -601,7 +603,7 @@

    There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation, either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface. -

    Using the MMC Computer Management Interface

    1. +

      Using the MMC Computer Management Interface

      1. From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator account (on Samba domains, this is usually the account called root).

      2. @@ -616,14 +618,14 @@ the Computer Management entry should now say: Computer Management (FRODO).

      3. In the left panel, click Computer Management (FRODO)[+] Shared FoldersShares. -

      4. +

      5. In the right panel, double-click on the share on which you wish to set/edit ACLs. This brings up the Properties panel. Click the Security tab. It is best to edit ACLs using the Advanced editing features. Click the Advanced button. This opens a panel that has four tabs. Only the functionality under the Permissions tab can be utilized with respect to a Samba domain server. -

      6. +

      7. You may now edit/add/remove access control settings. Be very careful. Many problems have been created by people who decided that everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also @@ -632,7 +634,7 @@

      8. When you are done with editing, close all panels by clicking through the OK buttons until the last panel closes. -

      Using MS Windows Explorer (File Manager)

      +

    Using MS Windows Explorer (File Manager)

    The following alternative method may be used from a Windows workstation. In this example we work with a domain called MEGANET, a server called MASSIVE, and a share called Apps. The underlying UNIX/Linux share point for this share is @@ -640,7 +642,7 @@

    1. Click Start[right-click] My ComputerExplore[left panel] [+] My Network Places[+] Entire Network[+] Microsoft Windows Network[+] Meganet[+] Massive[right-click] AppsPropertiesSecurityAdvanced. This opens a panel that has four tabs. Only the functionality under the Permissions tab can be utilized for a Samba domain server. -

    2. +

    3. You may now edit/add/remove access control settings. Be very careful. Many problems have been created by people who decided that everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also @@ -649,7 +651,7 @@

    4. When you are done with editing, close all panels by clicking through the OK buttons until the last panel closes. -

    Setting Posix ACLs in UNIX/Linux

    +

    Setting Posix ACLs in UNIX/Linux

    Yet another alternative method for setting desired security settings on the shared resource files and directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9 @@ -672,7 +674,7 @@ group::rwx other::r-x

    -

  • +

  • You want to add permission for AppsMgrs to enable them to manage the applications (apps) share. It is important to set the ACL recursively so that the AppsMgrs have this capability throughout the directory tree that is @@ -695,26 +697,26 @@ other::r-x

    This confirms that the change of POSIX ACL permissions has been effective. -

  • +

  • It is highly recommended that you read the online manual page for the setfacl and getfacl commands. This provides information regarding how to set/read the default ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent of setting inheritance properties. -

  • Key Points Learned

    +

    Key Points Learned

    The mish-mash of issues were thrown together into one chapter because it seemed like a good idea. Looking back, this chapter could be broken into two, but it's too late now. It has been done. The highlights covered are as follows: -

    • +

      • Winbind honors and does not override account controls set in Active Directory. This means that password change, logon hours, and so on, are (or soon will be) enforced by Samba winbind. At this time, an out-of-hours login is denied and password change is enforced. At this time, if logon hours expire, the user is not forcibly logged off. That may be implemented at some later date. -

      • +

      • Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential problems acknowledged by Microsoft as having been fixed but reported by some as still possibly an open issue. -

      • +

      • The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft Active Directory. The possibility to do this is not planned in the current Samba-3 roadmap. Samba-3 does aim to provide further improvements in interoperability so that @@ -723,83 +725,83 @@ This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of the four key methodologies was reviewed with specific reference to example deployment techniques. -

    Questions and Answers

    -

    Questions and Answers

    +

    Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2? -
    +
    Does Samba-3 support Active Directory? -
    +
    When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was necessary with Samba-2? -
    +
    Is it safe to set share-level access controls in Samba? -
    +
    Is it mandatory to set share ACLs to get a secure Samba-3 server? -
    +
    The valid users did not work on the [homes]. Has this functionality been restored yet? -
    +
    Is the bias against use of the force user and force group really warranted? -
    +
    The example given for file and directory access control forces all files to be owned by one particular user. I do not like that. Is there any way I can see who created the file? -
    +
    In the book, “The Official Samba-3 HOWTO and Reference Guide”, you recommended use of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? -
    +
    I tried to set valid users = @Engineers, but it does not work. My Samba server is an Active Directory domain member server. Has this been fixed now? -

    +

    Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2? -

    +

    No. Samba-3 fully supports Sign'n'seal as well as schannel operation. The registry change should not be applied when Samba-3 is used as a domain controller. -

    +

    Does Samba-3 support Active Directory? -

    +

    Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not provide Active Directory services. It cannot be used to replace a Microsoft Active Directory server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit, and it can function as an Active Directory domain member server. -

    +

    When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was necessary with Samba-2? -

    +

    No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation, because Samba-3 can join a native Windows 2003 Server ADS domain. -

    +

    Is it safe to set share-level access controls in Samba?

    Yes. Share-level access controls have been supported since early versions of Samba-2. This is very mature technology. Not enough sites make use of this powerful capability, neither on Windows server or with Samba servers. -

    +

    Is it mandatory to set share ACLs to get a secure Samba-3 server? -

    +

    No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides means of securing shares through share definition controls in the smb.conf file. The additional support for share-level ACLs is like frosting on the cake. It adds to security but is not essential to it. -

    +

    The valid users did not work on the [homes]. Has this functionality been restored yet? -

    +

    Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard on the [homes] meta-service. The correct way to specify this is: valid users = %S. -

    +

    Is the bias against use of the force user and force group really warranted? -

    +

    There is no bias. There is a determination to recommend the right tool for the task at hand. After all, it is better than putting users through performance problems, isn't it? -

    +

    The example given for file and directory access control forces all files to be owned by one particular user. I do not like that. Is there any way I can see who created the file? -

    +

    Sure. You do not have to set the SUID bit on the directory. Simply execute the following command to permit file ownership to be retained by the user who created it:
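Review bot: The last answer in this hunk ("You do not have to set the SUID bit on the directory") assumes that set-user-ID on a directory forces the owner of new files. Linux ignores set-user-ID on directories and only set-group-ID is inherited by new files, so on the SUSE systems this chapter works with, new files are owned by their creator either way. The answer, and the procedure it refers back to, should say which platforms the owner-forcing behaviour applies to. Minor wording point in the same hunk: "neither on Windows server or with Samba servers" should read "neither ... nor".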

    @@ -807,17 +809,17 @@
     

    Note that this required no more than removing the u argument so that the SUID bit is not set for the owner. -

    +

    In the book, “The Official Samba-3 HOWTO and Reference Guide”, you recommended use of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? -

    +

    Either tool can be used with equal effect. There is no benefit of one over the other, except that the MMC utility is present on all Windows 200x/XP systems and does not require additional software to be downloaded and installed. Note that if you want to manage user and group accounts in your Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which is provided as part of the SRVTOOLS.EXE utility. -

    +

    I tried to set valid users = @Engineers, but it does not work. My Samba server is an Active Directory domain member server. Has this been fixed now?
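Review bot: In Procedure 11.2 (hunk @@ -568,18 +570,18 @@), the step that promises read/write for owner and group and no access for others on "the files and directory permissions" runs chmod ug+rwx,o-rwx /usr/data/finance without -R, so only the top directory changes and existing files below it keep whatever access they already grant to others. The preceding chown step is recursive, and this one should be too, with directories and regular files handled separately so that every file does not gain the execute bit. The same hunk says members of group finance get access while the chown sets the group to users, so the text and the command should name the same group. "SGID (supergroup)" should be expanded as set-group-ID.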
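Review bot: The find command at the top of hunk @@ -589,11 +591,11 @@ is printed as -exec chmod ug+s {}\; with no space between {} and \;. find needs the terminator as a separate argument, so the command as shown fails with a missing-argument error and the bit is never set; it should read {} \;. The final step of the procedure also requires the group to be each user's primary group, but with set-group-ID on the directories new files inherit the directory's group regardless, so membership in the group is what matters for access and the step should say so.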
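Review bot: In Key Points Learned (hunk @@ -695,26 +697,26 @@), the first bullet says Active Directory account controls "are (or soon will be) enforced by Samba winbind" and then uses "At this time" twice without naming a release, so a reader of the 3.4.0 documentation cannot tell whether logon-hours and password-change enforcement actually apply to the version installed. State the release in which each control is enforced, and keep the statement that an expired logon-hours window does not force a logoff, since that is the behaviour an administrator has to plan around.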

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/primer.html samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/primer.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/primer.html 2009-04-30 10:08:54.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/primer.html 2009-06-02 09:48:49.000000000 +0200 @@ -1,4 +1,4 @@ -Chapter 16. Networking Primer

    Chapter 16. Networking Primer

    +Chapter 16. Networking Primer

    Chapter 16. Networking Primer

    You are about to use the equivalent of a microscope to look at the information that runs through the veins of a Windows network. We do more to observe the information than to interrogate it. When you are done with this primer, you should have a good understanding @@ -8,7 +8,7 @@

    Samba can be configured with a minimum of complexity. Simplicity should be mastered before you get too deeply into complexities. Let's get moving: we have work to do. -

    Requirements and Notes

    +

    Requirements and Notes

    Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet card connected using a hub. Also required is one additional server (either Windows @@ -16,7 +16,7 @@ sniffer and analysis application (Wireshark is a good choice). All work should be undertaken on a quiet network where there is no other traffic. It is best to use a dedicated hub with only the machines under test connected at the time of the exercises. -

    +

    Wireshark (formerly Ethereal) has become the network protocol analyzer of choice for many network administrators. You may find more information regarding this tool from the Wireshark Web site. Wireshark installation @@ -36,11 +36,11 @@ filter. Ethernet switches may filter out traffic that is not directed at the machine that is used to monitor traffic; this would not allow you to complete the projects.

    - + Do not worry too much if you do not have access to all this equipment; network captures from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive directly into the analytical part of the exercises if you so desire. -

    +

    Please do not be alarmed at the use of a high-powered analysis tool (Wireshark) in this primer. We expose you only to a minimum of detail necessary to complete the exercises. If you choose to use any other network sniffer and protocol @@ -54,11 +54,11 @@

    “Questions and Answers” also provides useful information that may help you to avoid significantly time-consuming networking problems. -

    Introduction

    +

    Introduction

    The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows network computing. If you want a solid technical grounding, do not gloss over these exercises. The points covered are recurrent issues on the Samba mailing lists. -

    +

    You can see from these exercises that Windows networking involves quite a lot of network broadcast traffic. You can look into the contents of some packets, but only to see some particular information that the Windows client sends to a server in the course of @@ -74,18 +74,18 @@ Recommended preparatory reading: The Official Samba-3 HOWTO and Reference Guide, Second Edition (TOSHARG2) Chapter 9, “Network Browsing,” and Chapter 3, “Server Types and Security Modes.” -

    Assignment Tasks

    +

    Assignment Tasks

    You are about to witness how Microsoft Windows computer networking functions. The exercises step through identification of how a client machine establishes a connection to a remote Windows server. You observe how Windows machines find each other (i.e., how browsing works) and how the two key types of user identification (share mode security and user mode security) are affected. -

    +

    The networking protocols used by MS Windows networking when working with Samba use TCP/IP as the transport protocol. The protocols that are specific to Windows networking are encapsulated in TCP/IP. The network analyzer we use (Wireshark) is able to show you the contents of the TCP/IP packets (or messages). -

    Procedure 16.1. Diagnostic Tasks

    1. +

      Procedure 16.1. Diagnostic Tasks

      1. Examine network traces to witness SMB broadcasts, host announcements, and name resolution processes.

      2. @@ -95,8 +95,8 @@

      3. Review traces of network logons for a Windows 9x/Me client as well as a domain logon for a Windows XP Professional client. -

    Exercises

    - +

    Exercises

    + You are embarking on a course of discovery. The first part of the exercise requires two MS Windows 9x/Me systems. We called one machine WINEPRESSME and the other MILGATE98. Each needs an IP address; we used 10.1.1.10 @@ -111,7 +111,7 @@

    • Windows 98 name: MILGATE98

    • Windows Me name: WINEPRESSME

    • Windows XP Professional name: LightrayXP

    • Samba-3.0.20 running on a SUSE Enterprise Linux 9

    Choose a workgroup name (MIDEARTH) for each exercise.

    - + The network captures provided on the CD-ROM included with this book were captured using Ethereal version 0.10.6. A later version suffices without problems (i.e. you should be using Wireshark), but an earlier version may not expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all @@ -119,9 +119,9 @@ perform the time-consuming equipment configuration and test work. This is a good time to point out that the value that can be derived from this book really does warrant your taking sufficient time to practice each exercise with care and attention to detail. -

    Single-Machine Broadcast Activity

    +

    Single-Machine Broadcast Activity

    In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes. -

    Procedure 16.2. Monitoring Windows 9x Steps

    1. +

      Procedure 16.2. Monitoring Windows 9x Steps

      1. Start the machine from which network activity will be monitored (using Wireshark). Launch Wireshark, click CaptureStart. @@ -138,28 +138,28 @@

      2. Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol was used. Identify the timing between messages of identical types. -

      Findings

      +

    Findings

    The summary of the first 10 minutes of the packet capture should look like “Windows Me Broadcasts The First 10 Minutes”. A screenshot of a later stage of the same capture is shown in “Windows Me Later Broadcast Sample”. -

    Figure 16.1. Windows Me Broadcasts The First 10 Minutes

    Windows Me Broadcasts The First 10 Minutes

    Figure 16.2. Windows Me Later Broadcast Sample

    Windows Me Later Broadcast Sample

    +

    Figure 16.1. Windows Me Broadcasts The First 10 Minutes

    Windows Me Broadcasts The First 10 Minutes

    Figure 16.2. Windows Me Later Broadcast Sample

    Windows Me Later Broadcast Sample

    Broadcast messages observed are shown in “Windows Me Startup Broadcast Capture Statistics”. Actual observations vary a little, but not by much. Early in the startup process, the Windows Me machine broadcasts its name for two reasons: first to ensure that its name would not result in a name clash, and second to establish its presence with the Local Master Browser (LMB). -

    Table 16.1. Windows Me Startup Broadcast Capture Statistics

    MessageTypeNumNotes
    WINEPRESSME<00>Reg84 lots of 2, 0.6 sec apart
    WINEPRESSME<03>Reg84 lots of 2, 0.6 sec apart
    WINEPRESSME<20>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<00>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1d>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1e>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1b>Qry84300 sec apart at stable operation
    __MSBROWSE__Reg8Registered after winning election to Browse Master
    JHT<03>Reg84 x 2. This is the name of the user that logged onto Windows
    Host Announcement WINEPRESSMEAnn2Observed at 10 sec
    Domain/Workgroup Announcement MIDEARTHAnn18300 sec apart at stable operation
    Local Master Announcement WINEPRESSMEAnn18300 sec apart at stable operation
    Get Backup List RequestQry126 x 2 early in startup, 0.5 sec apart
    Browser Election RequestAnn105 x 2 early in startup
    Request Announcement WINEPRESSMEAnn4Early in startup

    +

    Table 16.1. Windows Me Startup Broadcast Capture Statistics

    MessageTypeNumNotes
    WINEPRESSME<00>Reg84 lots of 2, 0.6 sec apart
    WINEPRESSME<03>Reg84 lots of 2, 0.6 sec apart
    WINEPRESSME<20>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<00>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1d>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1e>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1b>Qry84300 sec apart at stable operation
    __MSBROWSE__Reg8Registered after winning election to Browse Master
    JHT<03>Reg84 x 2. This is the name of the user that logged onto Windows
    Host Announcement WINEPRESSMEAnn2Observed at 10 sec
    Domain/Workgroup Announcement MIDEARTHAnn18300 sec apart at stable operation
    Local Master Announcement WINEPRESSMEAnn18300 sec apart at stable operation
    Get Backup List RequestQry126 x 2 early in startup, 0.5 sec apart
    Browser Election RequestAnn105 x 2 early in startup
    Request Announcement WINEPRESSMEAnn4Early in startup

    From the packet trace, it should be noted that no messages were propagated over TCP/IP; all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle of various announcements, re-election of a browse master, and name queries. These create the symphony of announcements by which network browsing is made possible. -

    +

    For detailed information regarding the precise behavior of the CIFS/SMB protocols, refer to the book “Implementing CIFS: The Common Internet File System,” by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X).

    Second Machine Startup Broadcast Interaction

    At this time, the machine you used to capture the single-system startup trace should still be running. The objective of this task is to identify the interaction of two machines in respect to broadcast activity. -

    Procedure 16.3. Monitoring of Second Machine Activity

    1. +

      Procedure 16.3. Monitoring of Second Machine Activity

      1. On the machine from which network activity will be monitored (using Wireshark), launch Wireshark and click CaptureStart. @@ -176,7 +176,7 @@

      2. Analyze the capture trace, taking note of the transport protocols used, the types of messages observed, and what interaction took place between the two machines. Leave both machines running for the next task. -

      Findings

      +

    Findings

    “Second Machine (Windows 98) Capture Statistics” summarizes capture statistics observed. As in the previous case, all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash @@ -184,18 +184,18 @@ to explore the inner details of the precise mechanism of how this functions should refer to “Implementing CIFS: The Common Internet File System.

    Table 16.2. Second Machine (Windows 98) Capture Statistics

    MessageTypeNumNotes
    MILGATE98<00>Reg84 lots of 2, 0.6 sec apart
    MILGATE98<03>Reg84 lots of 2, 0.6 sec apart
    MILGATE98<20>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<00>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1d>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1e>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1b>Qry18900 sec apart at stable operation
    JHT<03>Reg2This is the name of the user that logged onto Windows
    Host Announcement MILGATE98Ann14Every 120 sec
    Domain/Workgroup Announcement MIDEARTHAnn6900 sec apart at stable operation
    Local Master Announcement WINEPRESSMEAnn6Insufficient detail to determine frequency

    - - - + + + Observation of the contents of Host Announcements, Domain/Workgroup Announcements, and Local Master Announcements is instructive. These messages convey a significant level of detail regarding the nature of each machine that is on the network. An example dissection of a Host Announcement is given in “Typical Windows 9x/Me Host Announcement”. -

    Figure 16.3. Typical Windows 9x/Me Host Announcement

    Typical Windows 9x/Me Host Announcement

    Simple Windows Client Connection Characteristics

    +

    Figure 16.3. Typical Windows 9x/Me Host Announcement

    Typical Windows 9x/Me Host Announcement

    Simple Windows Client Connection Characteristics

    The purpose of this exercise is to discover how Microsoft Windows clients create (establish) connections with remote servers. The methodology involves analysis of a key aspect of how Windows clients access remote servers: the session setup protocol. -

    Procedure 16.4. Client Connection Exploration Steps

    1. +

      Procedure 16.4. Client Connection Exploration Steps

      1. Configure a Windows 9x/Me machine (MILGATE98) with a share called Stuff. Create a Full Access control password on this share.

      2. @@ -216,11 +216,11 @@ When the share called Stuff is being displayed, stop the capture. Save the captured data in case it is needed for later analysis.

      3. - + From the top of the packets captured, scan down to locate the first packet that has interpreted as Session Setup AndX, User: anonymous; Tree Connect AndX, Path: \\MILGATE98\IPC$. -

      4. +

      5. In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request, and Tree Connect AndX Request. Examine both operations. Identify the name of the user Account and what password was used. The Account name should be empty. @@ -230,29 +230,29 @@ decoded of the type Session Setup AndX. Locate the last such packet that was targeted at the \\MILGATE98\IPC$ service.

      6. - - + + Dissect this packet as per the previous one. This packet should have a password length of 24 (characters) and should have a password field, the contents of which is a long hexadecimal number. Observe the name in the Account field. This is a User Mode session setup packet. -

      Findings and Comments

      - - The IPC$ share serves a vital purpose[15] +

    Findings and Comments

    + + The IPC$ share serves a vital purpose[15] in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of resources that are available on the server. The server responds with the shares and print queues that are available. In most but not all cases, the connection is made with a NULL username and a NULL password.

    - + The two packets examined are material evidence of how Windows clients may interoperate with Samba. Samba requires every connection setup to be authenticated using valid UNIX account credentials (UID/GID). This means that even a NULL session setup can be established only by automatically mapping it to a valid UNIX account.

    - - + + Samba has a special name for the NULL, or empty, user account: it calls it the guest account. The default value of this parameter is nobody; however, this can be @@ -261,9 +261,9 @@ FTP account. A sample NULL Session Setup AndX packet dissection is shown in “Typical Windows 9x/Me NULL SessionSetUp AndX Request”.

    Figure 16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request

    Typical Windows 9x/Me NULL SessionSetUp AndX Request

    - - - + + + When a UNIX/Linux system does not have a nobody user account (/etc/passwd), the operation of the NULL account cannot validate and thus connections that utilize the guest account @@ -271,11 +271,11 @@ problem reported on the Samba mailing list. A sample User Mode session setup AndX is shown in “Typical Windows 9x/Me User SessionSetUp AndX Request”.

    Figure 16.5. Typical Windows 9x/Me User SessionSetUp AndX Request

    Typical Windows 9x/Me User SessionSetUp AndX Request

    - + The User Mode connection packet contains the account name and the domain name. The password is provided in Microsoft encrypted form, and its length is shown as 24 characters. This is the length of Microsoft encrypted passwords. -

    Windows 200x/XP Client Interaction with Samba-3

    +

    Windows 200x/XP Client Interaction with Samba-3

    By now you may be asking, “Why did you choose to work with Windows 9x/Me?

    First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise @@ -290,7 +290,7 @@ To complete this exercise, you need a Windows XP Professional client that has been configured as a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain. Here we do not provide details for how to configure this, as full coverage is provided earlier in this book. -

    Procedure 16.5. Steps to Explore Windows XP Pro Connection Set-up

    1. +

      Procedure 16.5. Steps to Explore Windows XP Pro Connection Set-up

      1. Start your domain controller. Also, start the Wireshark monitoring machine, launch Wireshark, and then wait for the next step to complete.

      2. @@ -319,14 +319,14 @@ If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises in this chapter.

      3. - - + + From the top of the packets captured, scan down to locate the first packet that has interpreted as Session Setup AndX Request, NTLMSSP_AUTH.

      4. - - - + + + In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request. Expand the packet decode information, beginning at the Security Blob: entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP @@ -338,7 +338,7 @@ decoded of the type Session Setup AndX Request. Click the last such packet that has been decoded as Session Setup AndX Request, NTLMSSP_AUTH.

      5. - + In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request. Expand the packet decode information, beginning at the Security Blob: entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP @@ -349,18 +349,18 @@ The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan password and then the NT (case-preserving) password hash.

      6. - - + + The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode session setup packet. -

      Figure 16.6. Typical Windows XP NULL Session Setup AndX Request

      Typical Windows XP NULL Session Setup AndX Request

      Figure 16.7. Typical Windows XP User Session Setup AndX Request

      Typical Windows XP User Session Setup AndX Request

      Discussion

      +

    Figure 16.6. Typical Windows XP NULL Session Setup AndX Request

    Typical Windows XP NULL Session Setup AndX Request

    Figure 16.7. Typical Windows XP User Session Setup AndX Request

    Typical Windows XP User Session Setup AndX Request

    Discussion

    This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles remain the same. Thus it is demonstrated that MS Windows XP Professional clients still use a NULL-Session connection to query and locate resources on an advanced network technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated connection must be made before resources can be used. -

    Conclusions to Exercises

    +

    Conclusions to Exercises

    In summary, the following points have been established in this chapter:

    • When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services. @@ -379,7 +379,7 @@ file or in an LDAP database. Samba-3 permits use of multiple passdb backend databases in concurrent deployment. Refer to TOSHARG2, Chapter 10, “Account Information Databases.

    Dissection and Discussion

    - + The exercises demonstrate the use of the guest account, the way that MS Windows clients and servers resolve computer names to a TCP/IP address, and how connections between a client and a server are established. @@ -387,8 +387,8 @@ Those wishing background information regarding NetBIOS name types should refer to the Microsoft knowledgebase article Q102878. -

    Technical Issues

    - +

    Technical Issues

    + Network browsing involves SMB broadcast announcements, SMB enumeration requests, connections to the IPC$ share, share enumerations, and SMB connection setup processes. The use of anonymous connections to a Samba server involve the use of @@ -396,44 +396,44 @@

    Questions and Answers

    The questions and answers given in this section are designed to highlight important aspects of Microsoft Windows networking. -

    +

    What is the significance of the MIDEARTH<1b> type query? -
    +
    What is the significance of the MIDEARTH<1d> type name registration? -
    +
    What is the role and significance of the <01><02>__MSBROWSE__<02><01> name registration? -
    +
    What is the significance of the MIDEARTH<1e> type name registration? -
    +
    What is the significance of the guest account in smb.conf? -
    +
    Is it possible to reduce network broadcast activity with Samba-3? -
    +
    Can I just use plain-text passwords with Samba? -
    +
    What parameter in the smb.conf file is used to enable the use of encrypted passwords? -
    +
    Is it necessary to specify encrypt passwords = Yes when Samba-3 is configured as a domain member? -
    +
    Is it necessary to specify a guest account when Samba-3 is configured as a domain member server? -

    +

    What is the significance of the MIDEARTH<1b> type query?

    - - + + This is a broadcast announcement by which the Windows machine is attempting to locate a Domain Master Browser (DMB) in the event that it might exist on the network. Refer to TOSHARG2, Chapter 9, Section 9.7, “Technical Overview of Browsing,” for details regarding the function of the DMB and its role in network browsing. -

    +

    What is the significance of the MIDEARTH<1d> type name registration?

    - - + + This name registration records the machine IP addresses of the LMBs. Network clients can query this name type to obtain a list of browser servers from the master browser. @@ -451,25 +451,25 @@ The IP address of the DMB (if one exists)

  • The IP address of the LMB on the local segment -

  • +

    What is the role and significance of the <01><02>__MSBROWSE__<02><01> name registration?

    - + This name is registered by the browse master to broadcast and receive domain announcements. Its scope is limited to the local network segment, or subnet. By querying this name type, master browsers on networks that have multiple domains can find the names of master browsers for each domain. -

    +

    What is the significance of the MIDEARTH<1e> type name registration?

    - + This name is registered by all browse masters in a domain or workgroup. The registration name type is known as the Browser Election Service. Master browsers register themselves with this name type so that DMBs can locate them to perform cross-subnet browse list updates. This name type is also used to initiate elections for Master Browsers. -

    - +

    + What is the significance of the guest account in smb.conf?

    This parameter specifies the default UNIX account to which MS Windows networking @@ -482,19 +482,19 @@ Samba operation. Either the operating system must have an account called nobody or there must be an entry in the smb.conf file with a valid UNIX account, such as guest account = ftp. -

    +

    Is it possible to reduce network broadcast activity with Samba-3?

    - - + + Yes, there are two ways to do this. The first involves use of WINS (See TOSHARG2, Chapter 9, Section 9.5, “WINS The Windows Inter-networking Name Server”); the alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires a correctly configured DNS server (see TOSHARG2, Chapter 9, Section 9.3, “Discussion”).

    - - - + + + The use of WINS reduces network broadcast traffic. The reduction is greatest when all network clients are configured to operate in Hybrid Mode. This can be effected through use of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is @@ -502,7 +502,7 @@

    Note

    Use of SMB without NetBIOS is possible only on Windows 200x/XP Professional clients and servers, as well as with Samba-3. -

    +

    Can I just use plain-text passwords with Samba?

    Yes, you can configure Samba to use plain-text passwords, though this does create a few problems. @@ -525,17 +525,17 @@ a UNIX system account for that user. On systems that run winbindd to access the Samba PDC/BDC to provide Windows user and group accounts, the idmap uid, idmap gid ranges set in the smb.conf file provide the local UID/GIDs needed for local identity management purposes. -

    +

    What parameter in the smb.conf file is used to enable the use of encrypted passwords?

    The parameter in the smb.conf file that controls this behavior is known as encrypt passwords. The default setting for this in Samba-3 is Yes (Enabled). -

    +

    Is it necessary to specify encrypt passwords = Yes when Samba-3 is configured as a domain member?

    No. This is the default behavior. -

    +

    Is it necessary to specify a guest account when Samba-3 is configured as a domain member server?

    @@ -543,6 +543,6 @@ nobody. If this account does not exist on the UNIX server, then it is necessary to provide a guest account = an_account, where an_account is a valid local UNIX user account. -



    [15] TOSHARG2, Sect 4.5.1



    [15] TOSHARG2, Sect 4.5.1
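Review bot: the unchanged context in Procedure 16.4 and Procedure 16.5 of primer.html still reads "locate the first packet that has interpreted as Session Setup AndX"; both steps need "has been interpreted as", and since this file is regenerated output the fix belongs in the source it is built from. The same applies to "The use of anonymous connections to a Samba server involve the use of" under Technical Issues, which should read "involves". Separately, "password length of 24 (characters)" and "The passwords are 24-character hexadecimal numbers" give the field length in characters while describing the value as a long hexadecimal number; the 24 is the length of the field in bytes, so the wording should say bytes.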

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/RefSection.html samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/RefSection.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-ByExample/RefSection.html 2009-04-30 10:08:55.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-ByExample/RefSection.html 2009-06-02 09:48:50.000000000 +0200 @@ -3,50 +3,50 @@ that may help you to solve network performance issues, to answer some of the critiques published regarding Samba, or just to gain a more broad understanding of how Samba can play in a Windows networking world. -

    Table of Contents

    11. Active Directory, Kerberos, and Security
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    Share Access Controls
    Share Definition Controls
    Share Point Directory and File Permissions
    Managing Windows 200x ACLs
    Key Points Learned
    Questions and Answers
    12. Integrating Additional Services
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Removal of Pre-Existing Conflicting RPMs
    Key Points Learned
    Questions and Answers
    13. Performance, Reliability, and Availability
    Introduction
    Dissection and Discussion
    Guidelines for Reliable Samba Operation
    Name Resolution
    Samba Configuration
    Use and Location of BDCs
    Use One Consistent Version of MS Windows Client
    For Scalability, Use SAN-Based Storage on Samba Servers
    Distribute Network Load with MSDFS
    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    Hardware Problems
    Large Directories
    Key Points Learned
    14. Samba Support
    Free Support
    Commercial Support
    15. A Collection of Useful Tidbits
    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls
    16. Networking Primer
    Requirements and Notes
    Introduction
    Assignment Tasks
    Exercises
    Single-Machine Broadcast Activity
    Second Machine Startup Broadcast Interaction
    Simple Windows Client Connection Characteristics
    Windows 200x/XP Client Interaction with Samba-3
    Conclusions to Exercises
    Dissection and Discussion
    Technical Issues
    Questions and Answers
    A. +

    Table of Contents

    11. Active Directory, Kerberos, and Security
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    Share Access Controls
    Share Definition Controls
    Share Point Directory and File Permissions
    Managing Windows 200x ACLs
    Key Points Learned
    Questions and Answers
    12. Integrating Additional Services
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Removal of Pre-Existing Conflicting RPMs
    Key Points Learned
    Questions and Answers
    13. Performance, Reliability, and Availability
    Introduction
    Dissection and Discussion
    Guidelines for Reliable Samba Operation
    Name Resolution
    Samba Configuration
    Use and Location of BDCs
    Use One Consistent Version of MS Windows Client
    For Scalability, Use SAN-Based Storage on Samba Servers
    Distribute Network Load with MSDFS
    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    Hardware Problems
    Large Directories
    Key Points Learned
    14. Samba Support
    Free Support
    Commercial Support
    15. A Collection of Useful Tidbits
    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls
    16. Networking Primer
    Requirements and Notes
    Introduction
    Assignment Tasks
    Exercises
    Single-Machine Broadcast Activity
    Second Machine Startup Broadcast Interaction
    Simple Windows Client Connection Characteristics
    Windows 200x/XP Client Interaction with Samba-3
    Conclusions to Exercises
    Dissection and Discussion
    Technical Issues
    Questions and Answers
    A. GNU General Public License version 3 -
    A. +
    A. Preamble -
    A. +
    A. TERMS AND CONDITIONS -
    A. +
    A. 0. Definitions. -
    A. +
    A. 1. Source Code. -
    A. +
    A. 2. Basic Permissions. -
    A. +
    A. 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. -
    A. +
    A. 4. Conveying Verbatim Copies. -
    A. +
    A. 5. Conveying Modified Source Versions. -
    A. +
    A. 6. Conveying Non-Source Forms. -
    A. +
    A. 7. Additional Terms. -
    A. +
    A. 8. Termination. -
    A. +
    A. 9. Acceptance Not Required for Having Copies. -
    A. +
    A. 10. Automatic Licensing of Downstream Recipients. -
    A. +
    A. 11. Patents. -
    A. +
    A. 12. No Surrender of Others’ Freedom. -
    A. - 13. Use with the ???TITLE??? Affero General Public License.
    A. + 13. Use with the ???TITLE??? Affero General Public License. +
    A. 14. Revised Versions of this License. -
    A. +
    A. 15. Disclaimer of Warranty. -
    A. +
    A. 16. Limitation of Liability. -
    A. +
    A. 17. Interpretation of Sections 15 and 16. -
    A. +
    A. END OF TERMS AND CONDITIONS -
    A. +
    A. How to Apply These Terms to Your New Programs
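Review bot: the table-of-contents entry "13. Use with the ???TITLE??? Affero General Public License." in RefSection.html carries an unresolved ???TITLE??? placeholder on both the removed and the added line, so regenerating the HTML did not fix it. Section 13 of the GPL version 3 is titled "Use with the GNU Affero General Public License"; the title reference in the appendix source should be corrected so that the generated entry reads that way. Apart from that entry, the removed and added table-of-contents lines read identically here, so it would help to say in the change description what actually differs between them.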
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-HOWTO/AccessControls.html samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/AccessControls.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-HOWTO/AccessControls.html 2009-04-30 10:09:50.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/AccessControls.html 2009-06-02 09:49:47.000000000 +0200 @@ -1,59 +1,59 @@ -Chapter 16. File, Directory, and Share Access Controls

    Chapter 16. File, Directory, and Share Access Controls

    John H. Samba Team Terpstra

    Samba Team

    Jeremy Samba Team Allison

    Samba Team

    Jelmer R. The Samba Team Vernooij

    drawing 
    The Samba Team

    May 10, 2003

    - - - - +Chapter 16. File, Directory, and Share Access Controls

    Chapter 16. File, Directory, and Share Access Controls

    John H. Samba Team Terpstra

    Samba Team

    Jeremy Samba Team Allison

    Samba Team

    Jelmer R. The Samba Team Vernooij

    drawing 
    The Samba Team

    May 10, 2003

    + + + + Advanced MS Windows users are frequently perplexed when file, directory, and share manipulation of resources shared via Samba do not behave in the manner they might expect. MS Windows network administrators are often confused regarding network access controls and how to provide users with the access they need while protecting resources from unauthorized access.

    - - + + Many UNIX administrators are unfamiliar with the MS Windows environment and in particular have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file and directory access permissions.

    - - - - + + + + The problem lies in the differences in how file and directory permissions and controls work between the two environments. This difference is one that Samba cannot completely hide, even though it does try to bridge the chasm to a degree.

    - - - - + + + + POSIX Access Control List technology has been available (along with extended attributes) for UNIX for many years, yet there is little evidence today of any significant use. This explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows administrators are astounded at this, given that ACLs were a foundational capability of the now decade-old MS Windows NT operating system.

    - + The purpose of this chapter is to present each of the points of control that are possible with Samba-3 in the hope that this will help the network administrator to find the optimum method for delivering the best environment for MS Windows desktop users.

    - - + + This is an opportune point to mention that Samba was created to provide a means of interoperability and interchange of data between differing operating environments. Samba has no intent to change UNIX/Linux into a platform like MS Windows. Instead the purpose was and is to provide a sufficient level of exchange of data between the two environments. What is available today extends well beyond early plans and expectations, yet the gap continues to shrink. -

    Features and Benefits

    +

    Features and Benefits

    Samba offers much flexibility in file system access management. These are the key access control facilities present in Samba today:

    Samba Access Control Facilities

    • - + UNIX File and Directory Permissions

      - - - + + + Samba honors and implements UNIX file system access controls. Users who access a Samba server will do so as a particular MS Windows user. This information is passed to the Samba server as part of the logon or @@ -64,7 +64,7 @@

    • Samba Share Definitions

      - + In configuring share settings and controls in the smb.conf file, the network administrator can exercise overrides to native file system permissions and behaviors. This can be handy and convenient @@ -73,20 +73,20 @@ The basic options and techniques are described herein.

    • Samba Share ACLs - +

      - + Just as it is possible in MS Windows NT to set ACLs on shares themselves, so it is possible to do in Samba. Few people make use of this facility, yet it remains one of the easiest ways to affect access controls (restrictions) and can often do so with minimum invasiveness compared with other methods.

    • - - + + MS Windows ACLs through UNIX POSIX ACLs

      - + The use of POSIX ACLs on UNIX/Linux is possible only if the underlying operating system supports them. If not, then this option will not be available to you. Current UNIX technology platforms have native support @@ -94,16 +94,16 @@ this support. Sadly, few Linux platforms ship today with native ACLs and extended attributes enabled. This chapter has pertinent information for users of platforms that support them. -

    File System Access Controls

    +

    File System Access Controls

    Perhaps the most important recognition to be made is the simple fact that MS Windows NT4/200x/XP implement a totally divergent file system technology from what is provided in the UNIX operating system environment. First we consider what the most significant differences are, then we look at how Samba helps to bridge the differences. -

    MS Windows NTFS Comparison with UNIX File Systems

    - - - - +

    MS Windows NTFS Comparison with UNIX File Systems

    + + + + Samba operates on top of the UNIX file system. This means it is subject to UNIX file system conventions and permissions. It also means that if the MS Windows networking environment requires file system behavior, that differs from UNIX file system behavior then somehow Samba is responsible for emulating @@ -114,7 +114,7 @@ but for the greater part we stay within the bounds of default behavior. Those wishing to explore the depths of control ability should review the smb.conf man page.

    The following compares file system features for UNIX with those of MS Windows NT/200x: - +

    Name Space

    MS Windows NT4/200x/XP file names may be up to 254 characters long, and UNIX file names @@ -123,8 +123,8 @@

    What MS Windows calls a folder, UNIX calls a directory.

    Case Sensitivity

    - - + + MS Windows file names are generally uppercase if made up of 8.3 (8-character file name and 3 character extension. File names that are longer than 8.3 are case preserving and case insensitive. @@ -151,26 +151,26 @@ event that the UNIX directory contains multiple files that would match a case insensitive file listing.

    Directory Separators

    - + MS Windows and DOS use the backslash \ as a directory delimiter, and UNIX uses the forward-slash / as its directory delimiter. This is handled transparently by Samba.

    Drive Identification

    - + MS Windows products support a notion of drive letters, like C:, to represent disk partitions. UNIX has no concept of separate identifiers for file partitions; each such file system is mounted to become part of the overall directory tree. The UNIX directory tree begins at / just as the root of a DOS drive is specified as C:\.

    File Naming Conventions

    - + MS Windows generally never experiences file names that begin with a dot (.), while in UNIX these are commonly found in a user's home directory. Files that begin with a dot (.) are typically startup files for various UNIX applications, or they may be files that contain startup configuration data.

    Links and Short-Cuts

    - - - + + + MS Windows make use of links and shortcuts that are actually special types of files that will redirect an attempt to execute the file to the real location of the file. UNIX knows of file and directory links, but they are entirely different from what MS Windows users are used to. @@ -183,17 +183,17 @@ There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort in the process of becoming familiar with UNIX/Linux. These are best left for a text that is dedicated to the purpose of UNIX/Linux training and education. -

    Managing Directories

    - - - +

    Managing Directories

    + + + There are three basic operations for managing directories: create, delete, rename. Managing Directories with UNIX and Windows compares the commands in Windows and UNIX that implement these operations. -

    Table 16.1. Managing Directories with UNIX and Windows

    ActionMS Windows CommandUNIX Command
    createmd foldermkdir folder
    deleterd folderrmdir folder
    renamerename oldname newnamemv oldname newname

    File and Directory Access Control

    - - - +

    Table 16.1. Managing Directories with UNIX and Windows

    ActionMS Windows CommandUNIX Command
    createmd foldermkdir folder
    deleterd folderrmdir folder
    renamerename oldname newnamemv oldname newname

    File and Directory Access Control

    + + + The network administrator is strongly advised to read basic UNIX training manuals and reference materials regarding file and directory permissions maintenance. Much can be achieved with the basic UNIX permissions without having to resort to more complex facilities like POSIX ACLs or extended attributes (EAs). @@ -226,47 +226,47 @@

    Figure 16.1. Overview of UNIX permissions field.

    Overview of UNIX permissions field.

    Any bit flag may be unset. An unset bit flag is the equivalent of "cannot" and is represented as a “-” character (see “Example File”) - - - - - - + + + + + +

    Example 16.1. Example File

     -rwxr-x---   Means: 
      ^^^                The owner (user) can read, write, execute
         ^^^             the group can read and execute
            ^^^          everyone else cannot do anything with it.
     

    - - - - + + + + Additional possibilities in the [type] field are c = character device, b = block device, p = pipe device, s = UNIX Domain Socket.

    - - - - - + + + + + The letters rwxXst set permissions for the user, group, and others as read (r), write (w), execute (or access for directories) (x), execute only if the file is a directory or already has execute permission for some user (X), set user (SUID) or group ID (SGID) on execution (s), sticky (t).

    - - - - + + + + When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.

    - - - - - + + + + + When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or group whose `set user or group' bit is set. This can be helpful in setting up directories for which it is desired that all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file @@ -276,11 +276,11 @@ the (r) read flags are not set, files cannot be listed (seen) in the directory by anyone. The group can read files in the directory but cannot create new files. If files in the directory are set to be readable and writable for the group, then group members will be able to write to (or delete) them. -

    Protecting Directories and Files from Deletion

    - - - - +

    Protecting Directories and Files from Deletion

    + + + + People have asked on the Samba mailing list how is it possible to protect files or directories from deletion by users. For example, Windows NT/2K/XP provides the capacity to set access controls on a directory into which people can write files but not delete them. It is possible to set an ACL on a Windows file that permits the file to be written to @@ -288,27 +288,27 @@ anyone who has the ability to create a file can write to it. Anyone who has write permission on the directory that contains a file and has write permission for it has the capability to delete it.

    - - - + + + For the record, in the UNIX environment the ability to delete a file is controlled by the permissions on the directory that the file is in. In other words, a user can delete a file in a directory to which that user has write access, even if that user does not own the file.

    - - - - + + + + Of necessity, Samba is subject to the file system semantics of the host operating system. Samba is therefore limited in the file system capabilities that can be made available through Windows ACLs, and therefore performs a "best fit" translation to POSIX ACLs. Some UNIX file systems do, however support, a feature known as extended attributes. Only the Windows concept of inheritance is implemented by Samba through the appropriate extended attribute.

    - - - - + + + + The specific semantics of the extended attributes are not consistent across UNIX and UNIX-like systems such as Linux. For example, it is possible on some implementations of the extended attributes to set a flag that prevents the directory or file from being deleted. The extended attribute that may achieve this is called the immutible bit. @@ -322,7 +322,7 @@

    A simple test can be done to check if the immutible flag is supported on files in the file system of the Samba host server. -

    Procedure 16.1. Test for File Immutibility Support

    1. +

      Procedure 16.1. Test for File Immutibility Support

      1. Create a file called filename.

      2. Login as the root user, then set the immutibile flag on a test file as follows: @@ -340,11 +340,11 @@ that cannot be deleted. Check the man page on your particular host system to determine whether or not immutable directories are writable. If they are not, then the entire directory and its contents will effectively be protected from writing (file creation also) and deletion. -

    Share Definition Access Controls

    - +

    Share Definition Access Controls

    + The following parameters in the smb.conf file sections define a share control or affect access controls. Before using any of the following options, please refer to the man page for smb.conf. -

    User- and Group-Based Controls

    +

    User- and Group-Based Controls

    User- and group-based controls can prove quite useful. In some situations it is distinctly desirable to force all file system operations as if a single user were doing so. The use of the force user and force group behavior will achieve this. @@ -385,7 +385,7 @@ List of users that should be allowed to login to this service.

    write list

    List of users that are given read-write access to a service. -


    File and Directory Permissions-Based Controls

    +


    File and Directory Permissions-Based Controls

    Directory permission-based controls, if misused, can result in considerable difficulty in diagnosing the causes of misconfiguration. Use them sparingly and carefully. By gradually introducing each, one at a time, undesirable side effects may be detected. In the event of a problem, always comment all of them out and then gradually reintroduce @@ -416,7 +416,7 @@ This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT ACLs.

    security mask

    Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file. -


    Miscellaneous Controls

    +


    Miscellaneous Controls

    The parameters documented in Other Controls are often used by administrators in ways that create inadvertent barriers to file access. Such are the consequences of not understanding the full implications of smb.conf file settings. @@ -449,70 +449,70 @@ If this parameter is yes, then users of a service may not create or modify files in the service's directory.

    veto files

    List of files and directories that are neither visible nor accessible. -


    Access Controls on Shares

    - - - - - +


    Access Controls on Shares

    + + + + + This section deals with how to configure Samba per-share access control restrictions. By default, Samba sets no restrictions on the share itself. Restrictions on the share itself can be set on MS Windows NT4/200x/XP shares. This can be an effective way to limit who can connect to a share. In the absence of specific restrictions, the default setting is to allow the global user Everyone - Full Control (full control, change and read).

    - - - + + + At this time Samba does not provide a tool for configuring access control settings on the share itself the only way to create those settings is to use either the NT4 Server Manager or the Windows 200x Microsoft Management Console (MMC) for Computer Management. There are currently no plans to provide this capability in the Samba command-line tool set.

    - - - - + + + + Samba stores the per-share access control settings in a file called share_info.tdb. The location of this file on your system will depend on how Samba was compiled. The default location for Samba's tdb files is under /usr/local/samba/var. If the tdbdump utility has been compiled and installed on your system, then you can examine the contents of this file by executing tdbdump share_info.tdb in the directory containing the tdb files. -

    Share Permissions Management

    +

    Share Permissions Management

    The best tool for share permissions management is platform-dependent. Choose the best tool for your environment. -

    Windows NT4 Workstation/Server

    - - - - +

    Windows NT4 Workstation/Server

    + + + + The tool you need to manage share permissions on a Samba server from a Windows NT4 Workstation or Server is the NT Server Manager. Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. You can obtain the NT Server Manager for MS Windows NT4 Workstation from the Microsoft web site support section. -

    Procedure 16.2. Instructions

    1. +

      Procedure 16.2. Instructions

      1. Launch the NT4 Server Manager and click on the Samba server you want to administer. From the menu select Computer, then click on Shared Directories.

      2. Click on the share that you wish to manage and click the Properties tab, then click the Permissions tab. Now you can add or change access control settings as you wish. -

    Windows 200x/XP

    - - - - +

    Windows 200x/XP

    + + + + On MS Windows NT4/200x/XP systems, ACLs on the share itself are set using tools like the MS Explorer. For example, in Windows 200x, right-click on the shared folder, then select Sharing, then click on Permissions. The default Windows NT4/200x permissions allow the group "Everyone" full control on the share.

    - - - + + + MS Windows 200x and later versions come with a tool called the Computer Management snap-in for the MMC. This tool can be accessed via Control Panel -> Administrative Tools -> Computer Management. -

    Procedure 16.3. Instructions

    1. +

      Procedure 16.3. Instructions

      1. After launching the MMC with the Computer Management snap-in, click the menu item Action and select Connect to another computer. If you are not logged onto a domain you will be prompted to enter a domain login user identifier and a password. This will authenticate you to the domain. @@ -523,7 +523,7 @@ System Tools, then on the [+] next to Shared Folders in the left panel.

      2. - + In the right panel, double-click on the share on which you wish to set access control permissions. Then click the tab Share Permissions. It is now possible to add access control entities to the shared folder. Remember to set what type of access (full control, change, read) you @@ -534,8 +534,8 @@ ACL precedence. Everyone with no access means that MaryK who is part of the group Everyone will have no access even if she is given explicit full control access. -

    MS Windows Access Control Lists and UNIX Interoperability

    Managing UNIX Permissions Using NT Security Dialogs

    - +

    MS Windows Access Control Lists and UNIX Interoperability

    Managing UNIX Permissions Using NT Security Dialogs

    + Windows NT clients can use their native security settings dialog box to view and modify the underlying UNIX permissions.

    @@ -549,7 +549,7 @@ When trying to figure out file access problems, it is vitally important to find the identity of the Windows user as it is presented by Samba at the point of file access. This can best be determined from the Samba log files. -

    Viewing File Security on a Samba Share

    +

    Viewing File Security on a Samba Share

    From an NT4/2000/XP client, right-click on any file or directory in a Samba-mounted drive letter or UNC path. When the menu pops up, click on the Properties entry at the bottom of the menu. This brings up the file Properties dialog box. Click on the @@ -560,7 +560,7 @@ to add auditing requirements to a file if the user is logged on as the NT administrator. This dialog is nonfunctional with a Samba share at this time, because the only useful button, the Add button, will not currently allow a list of users to be seen. -

    Viewing File Ownership

    +

    Viewing File Ownership

    Clicking on the Ownership button brings up a dialog box telling you who owns the given file. The owner name will be displayed like this:

    @@ -574,7 +574,7 @@
     		If the parameter nt acl support is set to false,
     		the file owner will be shown as the NT user Everyone.
     		

    - + The Take Ownership button will not allow you to change the ownership of this file to yourself (clicking it will display a dialog box complaining that the user as whom you are currently logged onto the NT client cannot be found). The reason for this is that changing the ownership of a file is a privileged @@ -582,14 +582,14 @@ NT to attempt to change the ownership of a file to the current user logged into the NT client, this will not work with Samba at this time.

    - - - + + + There is an NT chown command that will work with Samba and allow a user with administrator privilege connected to a Samba server as root to change the ownership of files on both a local NTFS file system or remote mounted NTFS or Samba drive. This is available as part of the Seclib NT security library written by Jeremy Allison of the Samba Team and is downloadable from the main Samba FTP site. -

    Viewing File or Directory Permissions

    +

    Viewing File or Directory Permissions

    The third button is the Permissions button. Clicking on it brings up a dialog box that shows both the permissions and the UNIX owner of the file or directory. The owner is displayed like this:

    SERVER\ @@ -603,7 +603,7 @@ shown as NT Full Control.

    The permissions field is displayed differently for files and directories. Both are discussed next. -

    File Permissions

    +

    File Permissions

    The standard UNIX user/group/world triplet and the corresponding read, write, execute permissions triplets are mapped by Samba into a three-element NT ACL with the “r”, “w”, and “x” bits mapped into the corresponding NT @@ -621,7 +621,7 @@ Take Ownership ACL attribute (which has no meaning in UNIX) and reports a component with no permissions as having the NT O bit set. This was chosen, of course, to make it look like a zero, meaning zero permissions. More details on the decision behind this action are given below. -

    Directory Permissions

    +

    Directory Permissions

    Directories on an NT NTFS file system have two different sets of permissions. The first set is the ACL set on the directory itself, which is usually displayed in the first set of parentheses in the normal RW NT style. This first set of permissions is created by Samba in exactly the same way as normal file permissions are, described @@ -632,7 +632,7 @@

    Samba synthesizes these inherited permissions for NT by returning as an NT ACL the UNIX permission mode that a new file created by Samba on this share would receive. -

    Modifying File or Directory Permissions

    +

    Modifying File or Directory Permissions

    Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box and clicking on OK. However, there are limitations that a user needs to be aware of, and also interactions with the standard Samba permission masks and mapping of DOS attributes that also need to @@ -665,7 +665,7 @@ If you wish to remove all permissions from a user/group/world component, you may either highlight the component and click on the Remove button or set the component to only have the special Take Ownership permission (displayed as O) highlighted. -

    Interaction with the Standard Samba “create mask” Parameters

    There are four parameters that control interaction with the standard Samba create mask parameters: +

    Interaction with the Standard Samba “create mask” Parameters

    There are four parameters that control interaction with the standard Samba create mask parameters:

    @@ -719,7 +719,7 @@ does not force any particular bits to be set on, then set the following parameters in the smb.conf file in that share-specific section: -

    security mask = 0777
    force security mode = 0
    directory security mask = 0777
    force directory security mode = 0

    Interaction with the Standard Samba File Attribute Mapping

    Note

    +

    security mask = 0777
    force security mode = 0
    directory security mask = 0777
    force directory security mode = 0

    Interaction with the Standard Samba File Attribute Mapping

    Note

    Samba maps some of the DOS attribute bits (such as “read-only”) into the UNIX permissions of a file. This means there can be a conflict between the permission bits set via the security @@ -740,7 +740,7 @@ attributes dialog, you should always press Cancel rather than OK to ensure that your changes are not overridden. -

    Windows NT/200X ACLs and POSIX ACLs Limitations

    +

    Windows NT/200X ACLs and POSIX ACLs Limitations

    Windows administrators are familiar with simple ACL controls, and they typically consider that UNIX user/group/other (ugo) permissions are inadequate and not sufficiently fine-grained. @@ -768,7 +768,7 @@ ACLs as implemented in UNIX file systems. Samba provides support for masks that permit normal ugo and ACLs functionality to be overrided. This further complicates the way in which Windows ACLs must be implemented. -

    UNIX POSIX ACL Overview

    +

    UNIX POSIX ACL Overview

    In examining POSIX ACLs we must consider the manner in which they operate for both files and directories. File ACLs have the following significance:
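Review bot: the first context line of this hunk says Samba's masks permit "normal ugo and ACLs functionality to be overrided", which should read "overridden". The patch leaves that sentence untouched, so the correction belongs in the source the page is generated from and could go in with this regeneration.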

    @@ -797,7 +797,7 @@
     default:mask:rwx      <-- inherited default mask
     default:other:---     <-- inherited permissions for everyone (other)
     

    -

    Mapping of Windows File ACLs to UNIX POSIX ACLs

    +

    Mapping of Windows File ACLs to UNIX POSIX ACLs

    Microsoft Windows NT4/200X ACLs must of necessity be mapped to POSIX ACLs. The mappings for file permissions are shown in How Windows File ACLs Map to UNIX POSIX File ACLs. @@ -816,7 +816,7 @@ The UNIX administrator can set any directory permission from within the UNIX environment. The Windows administrator is more restricted in that it is not possible from within Windows Explorer to remove read permission for the file owner. -

    Mapping of Windows Directory ACLs to UNIX POSIX ACLs

    +

    Mapping of Windows Directory ACLs to UNIX POSIX ACLs

    Interesting things happen in the mapping of UNIX POSIX directory permissions and UNIX POSIX ACLs to Windows ACEs (Access Control Entries, the discrete components of an ACL) are mapped to Windows directory ACLs. @@ -824,10 +824,10 @@ Directory permissions function in much the same way as shown for file permissions, but there are some notable exceptions and a few peculiarities that the astute administrator will want to take into account in the setting up of directory permissions. -

    Common Errors

    +

    Common Errors

    File, directory, and share access problems are common topics on the mailing list. The following are examples recently taken from the mailing list. -

    Users Cannot Write to a Public Share

    +

    Users Cannot Write to a Public Share

    The following complaint has frequently been voiced on the Samba mailing list: “ We are facing some troubles with file/directory permissions. I can log on the domain as admin user (root), @@ -887,11 +887,11 @@

  • If the user that must have write permission in the directory is not a member of the group engr set in the smb.conf entry for the share: -

    force group = engr

    -

  • File Operations Done as root with force user Set

    +

    force group = engr

    +

    File Operations Done as root with force user Set

    When you have a user in admin users, Samba will always do file operations for this user as root, even if force user has been set. -

    MS Word with Samba Changes Owner of File

    +

    MS Word with Samba Changes Owner of File

    Question:When user B saves a word document that is owned by user A, the updated file is now owned by user B. Why is Samba doing this? How do I fix this?

    @@ -906,7 +906,7 @@ in which you are changing Word documents: chmod g+s `directory_name'. This ensures that all files will be created with the group that owns the directory. In smb.conf share declaration section set:

    -

    force create mode = 0660
    force directory mode = 0770

    +

    force create mode = 0660
    force directory mode = 0770

    These two settings will ensure that all directories and files that get created in the share will be readable/writable by the owner and group set on the directory itself. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre1//docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html --- samba-3.4.0pre1//docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html 2009-04-30 10:10:00.000000000 +0200 +++ samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html 2009-06-02 09:49:57.000000000 +0200 @@ -1,9 +1,9 @@ -Chapter 25. Advanced Network Management

    Chapter 25. Advanced Network Management

    John H. Samba Team Terpstra

    Samba Team

    June 15 2005

    - +Chapter 25. Advanced Network Management

    Chapter 25. Advanced Network Management

    John H. Samba Team Terpstra

    Samba Team

    June 15 2005

    + This section documents peripheral issues that are of great importance to network administrators who want to improve network resource access control, to automate the user environment, and to make their lives a little easier. -

    Features and Benefits

    +

    Features and Benefits

    Often the difference between a working network environment and a well-appreciated one can best be measured by the little things that make everything work more harmoniously. A key part of every network environment solution is the ability to remotely @@ -13,48 +13,48 @@

    This chapter presents information on each of these areas. They are placed here, and not in other chapters, for ease of reference. -

    Remote Server Administration

    How do I get User Manager and Server Manager?

    - - - +

    Remote Server Administration

    How do I get User Manager and Server Manager?

    + + + Since I do not need to buy an NT4 server, how do I get the User Manager for Domains and the Server Manager?

    - - + + Microsoft distributes a version of these tools called Nexus.exe for installation on Windows 9x/Me systems. The tools set includes:

    • Server Manager

    • User Manager for Domains

    • Event Viewer

    Download the archived file at the Microsoft Nexus link.

    - - - + + + The Windows NT 4.0 version of the User Manager for Domains and Server Manager are available from Microsoft via ftp. -

    Remote Desktop Management

    - - +

    Remote Desktop Management

    + + There are a number of possible remote desktop management solutions that range from free through costly. Do not let that put you off. Sometimes the most costly solution is the most cost effective. In any case, you will need to draw your own conclusions as to which is the best tool in your network environment. -

    Remote Management from NoMachine.Com

    - +

    Remote Management from NoMachine.Com

    + The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003. It is presented in slightly edited form (with author details omitted for privacy reasons). The entire answer is reproduced below with some comments removed.

    - + I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote desktop capabilities so users outside could login to the system and get their desktop up from home or another country.

    - - - - + + + + Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login even if the computer is in a domain? @@ -62,22 +62,22 @@ Answer provided: Check out the new offer of “NX” software from NoMachine.

    - - - + + + It implements an easy-to-use interface to the Remote X protocol as well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed performance much better than anything you may have ever seen.

    - + Remote X is not new at all, but what they did achieve successfully is a new way of compression and caching technologies that makes the thing fast enough to run even over slow modem/ISDN connections.

    - - - - + + + + I test drove their (public) Red Hat machine in Italy, over a loaded Internet connection, with enabled thumbnail previews in KDE konqueror, which popped up immediately on “mouse-over”. From inside that (remote X) @@ -85,18 +85,18 @@ To test the performance, I played Pinball. I am proud to announce that my score was 631,750 points at first try.

    - - - - + + + + NX performs better on my local LAN than any of the other “pure” connection methods I use from time to time: TightVNC, rdesktop or Remote X. It is even faster than a direct crosslink connection between two nodes.

    - - - + + + I even got sound playing from the Remote X app to my local boxes, and had a working “copy'n'paste” from an NX window (running a KDE session in Italy) to my Mozilla mailing agent. These guys are certainly doing @@ -118,7 +118,7 @@ full-screen, and after a short time you forget that it is a remote session at all).

    - + Now the best thing for last: All the core compression and caching technologies are released under the GPL and available as source code to anybody who wants to build on it! These technologies are working, @@ -140,37 +140,37 @@ you can now use a (very inconvenient) command line at no cost, but you can buy a comfortable (proprietary) NX GUI front end for money.

  • - - - - - + + + + + NoMachine is encouraging and offering help to OSS/Free Software implementations for such a front-end too, even if it means competition to them (they have written to this effect even to the LTSP, KDE, and GNOME developer mailing lists). -

  • Remote Management with ThinLinc

    +

    Remote Management with ThinLinc

    Another alternative for remote access is ThinLinc from Cendio.

    - -
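Review bot: In the answer under "How do I get User Manager and Server Manager?", readers are told to download Nexus.exe "at the Microsoft Nexus link" and to fetch the Windows NT 4.0 tools "from Microsoft via ftp", with nothing on checking what was downloaded. These are domain administration tools, so suggest adding a sentence telling the reader to verify the file (its digital signature, or a checksum where Microsoft publishes one) before installing it on an administrative workstation. Minor wording point in the NoMachine section: "posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003" should read "on Apr 3".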