diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/manpages/index.html samba-3.4.0rc1//docs/htmldocs/manpages/index.html --- samba-3.4.0pre2//docs/htmldocs/manpages/index.html 2009-06-02 09:48:18.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/manpages/index.html 2009-06-19 11:13:12.000000000 +0200 @@ -29,7 +29,7 @@

nmblookup(1)

NetBIOS over TCP/IP client used to lookup NetBIOS names

ntlm_auth(1)

tool to allow external access to Winbind's NTLM authentication function -

pam_winbind(7)

PAM module for Winbind +

pam_winbind(8)

PAM module for Winbind

pdbedit(8)

manage the SAM database (Database of Samba Users)

profiles(1)

A utility to report and change SIDs in registry files diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/manpages/net.8.html samba-3.4.0rc1//docs/htmldocs/manpages/net.8.html --- samba-3.4.0pre2//docs/htmldocs/manpages/net.8.html 2009-06-02 09:46:01.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/manpages/net.8.html 2009-06-19 11:10:54.000000000 +0200 @@ -217,54 +217,60 @@
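Review bot: In the index.html hunk above, the entry moves from pam_winbind(7) to pam_winbind(8), and the rest of this patch deletes pam_winbind.7.html and adds pam_winbind.8.html; any cross reference that still points at the section 7 page (SEE ALSO lists in wbinfo(1), winbindd(8) and smb.conf(5), plus HTML links in the HOWTO) will dangle unless it is updated in the same change. Grep the docs tree for `pam_winbind.7` and `pam_winbind(7)` before merging.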

SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]

List the specified set of accounts by name. If verbose is specified, the rid and description is also provided for each account. -

SAM SHOW <NAME>

+

SAM RIGHTS LIST

+List all available privileges. +

SAM RIGHTS GRANT <NAME> <PRIVILEGE>

+Grant one or more privileges to a user. +

SAM RIGHTS REVOKE <NAME> <PRIVILEGE>

+Revoke one or more privileges from a user. +

SAM SHOW <NAME>

Show the full DOMAIN\\NAME the SID and the type for the corresponding account. -

SAM SET HOMEDIR <NAME> <DIRECTORY>

+

SAM SET HOMEDIR <NAME> <DIRECTORY>

Set the home directory for a user account. -

SAM SET PROFILEPATH <NAME> <PATH>

+

SAM SET PROFILEPATH <NAME> <PATH>

Set the profile path for a user account. -

SAM SET COMMENT <NAME> <COMMENT>

+

SAM SET COMMENT <NAME> <COMMENT>

Set the comment for a user or group account. -

SAM SET FULLNAME <NAME> <FULL NAME>

+

SAM SET FULLNAME <NAME> <FULL NAME>

Set the full name for a user account. -

SAM SET LOGONSCRIPT <NAME> <SCRIPT>

+

SAM SET LOGONSCRIPT <NAME> <SCRIPT>

Set the logon script for a user account. -

SAM SET HOMEDRIVE <NAME> <DRIVE>

+

SAM SET HOMEDRIVE <NAME> <DRIVE>

Set the home drive for a user account. -

SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>

+

SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>

Set the workstations a user account is allowed to log in from. -

SAM SET DISABLE <NAME>

+

SAM SET DISABLE <NAME>

Set the "disabled" flag for a user account. -

SAM SET PWNOTREQ <NAME>

+

SAM SET PWNOTREQ <NAME>

Set the "password not required" flag for a user account. -

SAM SET AUTOLOCK <NAME>

+

SAM SET AUTOLOCK <NAME>

Set the "autolock" flag for a user account. -

SAM SET PWNOEXP <NAME>

+

SAM SET PWNOEXP <NAME>

Set the "password do not expire" flag for a user account. -

SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]

+

SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]

Set or unset the "password must change" flag for a user account. -

SAM POLICY LIST

+

SAM POLICY LIST

List the available account policies. -

SAM POLICY SHOW <account policy>

+

SAM POLICY SHOW <account policy>

Show the account policy value. -

SAM POLICY SET <account policy> <value>

+

SAM POLICY SET <account policy> <value>

Set a value for the account policy. Valid values can be: "forever", "never", "off", or a number. -

SAM PROVISION

+

SAM PROVISION

Only available if ldapsam:editposix is set and winbindd is running. Properly populates the ldap tree with the basic accounts (Administrator) and groups (Domain Users, Domain Admins, Domain Guests) on the ldap tree. -

IDMAP DUMP <local tdb file name>

+

IDMAP DUMP <local tdb file name>

Dumps the mappings contained in the local tdb file specified. This command is useful to dump only the mappings produced by the idmap_tdb backend. -

IDMAP RESTORE [input file]

+

IDMAP RESTORE [input file]

Restore the mappings from the specified file or stdin. -

IDMAP SECRET <DOMAIN>|ALLOC <secret>

+

IDMAP SECRET <DOMAIN>|ALLOC <secret>

Store a secret for the specified domain, used primarily for domains that use idmap_ldap as a backend. In this case the secret is used as the password for the user DN used to bind to the ldap server. -

USERSHARE

Starting with version 3.0.23, a Samba server now supports the ability for +

USERSHARE

Starting with version 3.0.23, a Samba server now supports the ability for non-root users to add user defined shares to be exported using the "net usershare" commands.
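Review bot: In the net.8.html hunk above, the new `SAM RIGHTS GRANT <NAME> <PRIVILEGE>` and `SAM RIGHTS REVOKE <NAME> <PRIVILEGE>` synopses take a single privilege while their descriptions say "one or more privileges"; make the synopsis `SAM RIGHTS GRANT <NAME> <PRIVILEGE> [<PRIVILEGE> ...]` (and the same for REVOKE) or drop "one or more" from the text. The three entries also never say what the privileges are (the DOM section of this same page names SeMachineAccountPrivilege, and the shutdown script parameters in smb.conf(5) key off SeRemoteShutdownPrivilege) or who is allowed to grant them; a sentence pointing at `SAM RIGHTS LIST` for the names and stating that granting a privilege changes what the account can do on the server would make it clear to an administrator that this is a security-relevant operation.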

@@ -293,7 +299,7 @@

net usershare add sharename path [comment] [acl] [guest_ok=[y|n]] - to add or change a user defined share.
net usershare delete sharename - to delete a user defined share.
net usershare info [-l|--long] [wildcard sharename] - to print info about a user defined share.
net usershare list [-l|--long] [wildcard sharename] - to list user defined shares.

-

USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]

+

USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]

Add or replace a new user defined share, with name "sharename".

"path" specifies the absolute pathname on the system to be exported. @@ -330,11 +336,11 @@ you wish. The Samba smbd daemon notices user defined share modifications at connect time so will see the change immediately, there is no need to restart smbd on adding, deleting or changing a user defined share. -

USERSHARE DELETE sharename

+

USERSHARE DELETE sharename

Deletes the user defined share by name. The Samba smbd daemon immediately notices this change, although it will not disconnect any users currently connected to the deleted share. -

USERSHARE INFO [-l|--long] [wildcard sharename]

+

USERSHARE INFO [-l|--long] [wildcard sharename]

Get info on user defined shares owned by the current user matching the given pattern, or all users.

net usershare info on its own dumps out info on the user defined shares that were @@ -353,7 +359,7 @@ And is a list of the current settings of the user defined share that can be modified by the "net usershare add" command. -

USERSHARE LIST [-l|--long] wildcard sharename

+

USERSHARE LIST [-l|--long] wildcard sharename

List all the user defined shares owned by the current user matching the given pattern, or all users.

net usershare list on its own list out the names of the user defined shares that were @@ -361,7 +367,7 @@ wildcard pattern ('*' matches one or more characters, '?' matches only one character). If the '-l' or '--long' option is also given, it includes the names of user defined shares created by other users. -

CONF

Starting with version 3.2.0, a Samba server can be configured by data +

CONF

Starting with version 3.2.0, a Samba server can be configured by data stored in registry. This configuration data can be edited with the new "net conf" commands.

@@ -379,10 +385,10 @@ format.net conf import - Import configuration from file in smb.conf format.net conf listshares - List the registry shares.net conf drop - Delete the complete configuration from registry.net conf showshare - Show the definition of a registry share.net conf addshare - Create a new registry share.net conf delshare - Delete a registry share.net conf setparm - Store a parameter.net conf getparm - Retrieve the value of a parameter.net conf delparm - Delete a parameter.net conf getincludes - Show the includes of a share definition.net conf setincludes - Set includes for a share.net conf delincludes - Delete includes from a share definition.

-

CONF LIST

+

CONF LIST

Print the configuration data stored in the registry in a smb.conf-like format to standard output. -

CONF IMPORT [--test|-T] filename [section]

+

CONF IMPORT [--test|-T] filename [section]

This command imports configuration from a file in smb.conf format. If a section encountered in the input file is present in registry, its contents is replaced. Sections of registry configuration that have @@ -392,30 +398,30 @@ import command to that specific section. A test mode is enabled by specifying the parameter "-T" on the commandline. In test mode, no changes are made to the registry, and the resulting configuration is printed to standard output instead. -

CONF LISTSHARES

+

CONF LISTSHARES

List the names of the shares defined in registry. -

CONF DROP

+

CONF DROP

Delete the complete configuration data from registry. -

CONF SHOWSHARE sharename

+

CONF SHOWSHARE sharename

Show the definition of the share or section specified. It is valid to specify "global" as sharename to retrieve the global configuration options from registry. -

CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N} [comment]]]

Create a new share definition in registry. +

CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N} [comment]]]

Create a new share definition in registry. The sharename and path have to be given. The share name may not be "global". Optionally, values for the very common options "writeable", "guest ok" and a "comment" may be specified. The same result may be obtained by a sequence of "net conf setparm" commands. -

CONF DELSHARE sharename

+

CONF DELSHARE sharename

Delete a share definition from registry. -

CONF SETPARM section parameter value

+

CONF SETPARM section parameter value

Store a parameter in registry. The section may be global or a sharename. The section is created if it does not exist yet. -

CONF GETPARM section parameter

+

CONF GETPARM section parameter

Show a parameter stored in registry. -

CONF DELPARM section parameter

+

CONF DELPARM section parameter

Delete a parameter stored in registry. -

CONF GETINCLUDES section

+

CONF GETINCLUDES section

Get the list of includes for the provided section (global or share).

Note that due to the nature of the registry database and the nature of include directives, @@ -431,13 +437,13 @@ Further note that currently, only files can be included from registry configuration. In the future, there will be the ability to include configuration data from other registry keys. -

CONF SETINCLUDES section [filename]+

+

CONF SETINCLUDES section [filename]+

Set the list of includes for the provided section (global or share) to the given list of one or more filenames. The filenames may contain the usual smb.conf macros like %I. -

CONF DELINCLUDES section

+

CONF DELINCLUDES section

Delete the list of includes from the provided section (global or share). -

EVENTLOG

Starting with version 3.4.0 net can read, dump, import and export native +

EVENTLOG

Starting with version 3.4.0 net can read, dump, import and export native win32 eventlog files (usually *.evt). evt files are used by the native Windows eventviewer tools.

The import and export of evt files can only succeed when eventlog list is used in @@ -447,25 +453,25 @@

net eventlog dump - Dump a eventlog *.evt file on the screen.
net eventlog import - Import a eventlog *.evt into the samba internal tdb based representation of eventlogs.
net eventlog export - Export the samba internal tdb based representation of eventlogs into an eventlog *.evt file.

-

EVENTLOG DUMP filename

+

EVENTLOG DUMP filename

Prints a eventlog *.evt file to standard output. -

EVENTLOG IMPORT filename eventlog

+

EVENTLOG IMPORT filename eventlog

Imports a eventlog *.evt file defined by filename into the samba internal tdb representation of eventlog defined by eventlog. eventlog needs to part of the eventlog list defined in smb.conf. See the smb.conf(5) manpage for details. -

EVENTLOG EXPORT filename eventlog

+

EVENTLOG EXPORT filename eventlog

Exports the samba internal tdb representation of eventlog defined by eventlog to a eventlog *.evt file defined by filename. eventlog needs to part of the eventlog list defined in smb.conf. See the smb.conf(5) manpage for details. -

DOM

Starting with version 3.2.0 Samba has support for remote join and unjoin APIs, both client and server-side. Windows supports remote join capabilities since Windows 2000. +

DOM

Starting with version 3.2.0 Samba has support for remote join and unjoin APIs, both client and server-side. Windows supports remote join capabilities since Windows 2000.

In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege.

The client side support for remote join is implemented in the net dom commands which are:

net dom join - Join a remote computer into a domain.
net dom unjoin - Unjoin a remote computer from a domain.
net dom renamecomputer - Renames a remote computer joined to a domain.

-

DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot

+

DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot

Joins a computer into a domain. This command supports the following additional parameters:

  • DOMAIN can be a NetBIOS domain name (also known as short domain name) or a DNS domain name for Active Directory Domains. As in Windows, it is also possible to control which Domain Controller to use. This can be achieved by appending the DC name using the \ separator character. Example: MYDOM\MYDC. The DOMAIN parameter cannot be NULL.

  • OU can be set to a RFC 1779 LDAP DN, like ou=mymachines,cn=Users,dc=example,dc=com in order to create the machine account in a non-default LDAP containter. This optional parameter is only supported when joining Active Directory Domains.

  • ACCOUNT defines a domain account that will be used to join the machine to the domain. This domain account needs to have sufficient privileges to join machines.

  • PASSWORD defines the password for the domain account defined with ACCOUNT.

  • REBOOT is an optional parameter that can be set to reboot the remote machine after successful join to the domain.

Note that you also need to use standard net paramters to connect and authenticate to the remote machine that you want to join. These additional parameters include: -S computer and -U user. @@ -474,7 +480,7 @@ net dom join -S xp -U XP\\administrator%secret domain=MYDOM account=MYDOM\\administrator password=topsecret reboot.

This example would connect to a computer named XP as the local administrator using password secret, and join the computer into a domain called MYDOM using the MYDOM domain administrator account and password topsecret. After successful join, the computer would reboot. -

DOM UNJOIN account=ACCOUNT password=PASSWORD reboot

+

DOM UNJOIN account=ACCOUNT password=PASSWORD reboot

Unjoins a computer from a domain. This command supports the following additional parameters:

  • ACCOUNT defines a domain account that will be used to unjoin the machine from the domain. This domain account needs to have sufficient privileges to unjoin machines.

  • PASSWORD defines the password for the domain account defined with ACCOUNT.

  • REBOOT is an optional parameter that can be set to reboot the remote machine after successful unjoin from the domain.

Note that you also need to use standard net paramters to connect and authenticate to the remote machine that you want to unjoin. These additional parameters include: -S computer and -U user. @@ -483,7 +489,7 @@ net dom unjoin -S xp -U XP\\administrator%secret account=MYDOM\\administrator password=topsecret reboot.

This example would connect to a computer named XP as the local administrator using password secret, and unjoin the computer from the domain using the MYDOM domain administrator account and password topsecret. After successful unjoin, the computer would reboot. -

DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot

+

DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot

Renames a computer that is joined to a domain. This command supports the following additional parameters:

  • NEWNAME defines the new name of the machine in the domain.

  • ACCOUNT defines a domain account that will be used to rename the machine in the domain. This domain account needs to have sufficient privileges to rename machines.

  • PASSWORD defines the password for the domain account defined with ACCOUNT.

  • REBOOT is an optional parameter that can be set to reboot the remote machine after successful rename in the domain.

Note that you also need to use standard net paramters to connect and authenticate to the remote machine that you want to rename in the domain. These additional parameters include: -S computer and -U user. @@ -492,8 +498,8 @@ net dom renamecomputer -S xp -U XP\\administrator%secret newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.

This example would connect to a computer named XP as the local administrator using password secret, and rename the joined computer to XPNEW using the MYDOM domain administrator account and password topsecret. After successful rename, the computer would reboot. -

HELP [COMMAND]

Gives usage information for the specified command.

VERSION

This man page is complete for version 3 of the Samba - suite.

AUTHOR

The original Samba software and related utilities +

HELP [COMMAND]

Gives usage information for the specified command.

VERSION

This man page is complete for version 3 of the Samba + suite.

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

The net manpage was written by Jelmer Vernooij.
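Review bot: In the DOM JOIN, DOM UNJOIN and DOM RENAMECOMPUTER hunks above, every example puts two secrets on the command line, the local one in `-U XP\\administrator%secret` and the domain one in `password=topsecret`; both are visible to any local user in the process listing while net runs and both end up in the shell history. The text should say so, and should note that leaving out the `%password` part of `-U` makes net prompt for the local password instead. Also, the context line "you also need to use standard net paramters", repeated in all three subsections, misspells "parameters"; since these hunks are being touched for whitespace anyway, fix it here.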

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/manpages/pam_winbind.7.html samba-3.4.0rc1//docs/htmldocs/manpages/pam_winbind.7.html --- samba-3.4.0pre2//docs/htmldocs/manpages/pam_winbind.7.html 2009-06-02 09:46:06.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/manpages/pam_winbind.7.html 1970-01-01 01:00:00.000000000 +0100 @@ -1,66 +0,0 @@ -pam_winbind

Name

pam_winbind — PAM module for Winbind

DESCRIPTION

This tool is part of the samba(7) suite.

- pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon. -

OPTIONS

- - pam_winbind supports several options which can either be set in - the PAM configuration files or in the pam_winbind configuration - file situated at - /etc/security/pam_winbind.conf. Options - from the PAM configuration file take precedence to those from - the configuration file. - -

debug

Gives debugging output to syslog.

debug_state

Gives detailed PAM state debugging output to syslog.

require_membership_of=[SID or NAME]

- If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID - can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the - SID. That name must have the form: MYDOMAIN\\mygroup or - MYDOMAIN\\myuser. pam_winbind will, in that case, lookup the SID internally. Note that - NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a - user is a member of with wbinfo --user-sids=SID. -

try_first_pass

use_first_pass

- By default, pam_winbind tries to get the authentication token from a previous module. If no token is available - it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication - token from a previous module is available. -

use_authtok

- Set the new password to the one provided by the previously stacked password module. If this option is not set - pam_winbind will ask the user for the new password. -

krb5_auth

- - pam_winbind can authenticate using Kerberos when winbindd is - talking to an Active Directory domain controller. Kerberos - authentication must be enabled with this parameter. When - Kerberos authentication can not succeed (e.g. due to clock - skew), winbindd will fallback to samlogon authentication over - MSRPC. When this parameter is used in conjunction with - winbind refresh tickets, winbind will - keep your Ticket Granting Ticket (TGT) uptodate by refreshing - it whenever necessary. - -

krb5_ccache_type=[type]

- - When pam_winbind is configured to try kerberos authentication - by enabling the krb5_auth option, it can - store the retrieved Ticket Granting Ticket (TGT) in a - credential cache. The type of credential cache can be set with - this option. Currently the only supported value is: - FILE. In that case a credential cache in - the form of /tmp/krb5cc_UID will be created, where UID is - replaced with the numeric user id. Leave empty to just do - kerberos authentication without having a ticket cache after the - logon has succeeded. - -

cached_login

- Winbind allows to logon using cached credentials when winbind offline logon is enabled. To use this feature from the PAM module this option must be set. -

silent

- Do not emit any messages. -

mkhomedir

- Create homedirectory for a user on-the-fly, option is valid in - PAM session block. -

warn_pwd_expire

- Defines number of days before pam_winbind starts to warn about passwords that are - going to expire. Defaults to 14 days. -

- -

VERSION

This man page is correct for version 3 of Samba.

AUTHOR

- The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by - the Samba Team as an Open Source project similar to the way the Linux kernel is developed. -

This manpage was written by Jelmer Vernooij and Guenther Deschner.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/manpages/pam_winbind.8.html samba-3.4.0rc1//docs/htmldocs/manpages/pam_winbind.8.html --- samba-3.4.0pre2//docs/htmldocs/manpages/pam_winbind.8.html 1970-01-01 01:00:00.000000000 +0100 +++ samba-3.4.0rc1//docs/htmldocs/manpages/pam_winbind.8.html 2009-06-19 11:10:59.000000000 +0200 @@ -0,0 +1,101 @@ +pam_winbind

Name

pam_winbind — PAM module for Winbind

DESCRIPTION

This tool is part of the samba(7) suite.

+ pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon. +

SYNOPSIS

+ Edit the PAM system config /etc/pam.d/service and modify it as the following example shows: +

+			    ...
+			    auth      required        pam_env.so
+			    auth      sufficient      pam_unix2.so
+			+++ auth      required        pam_winbind.so  use_first_pass
+			    account   requisite       pam_unix2.so
+			+++ account   required        pam_winbind.so  use_first_pass
+			+++ password  sufficient      pam_winbind.so
+			    password  requisite       pam_pwcheck.so  cracklib
+			    password  required        pam_unix2.so    use_authtok
+			    session   required        pam_unix2.so
+			+++ session   required        pam_winbind.so
+			    ...
+		

+ + Make sure that pam_winbind is one of the first modules in the session part. It may retrieve + kerberos tickets which are needed by other modules. +

OPTIONS

+ + pam_winbind supports several options which can either be set in + the PAM configuration files or in the pam_winbind configuration + file situated at + /etc/security/pam_winbind.conf. Options + from the PAM configuration file take precedence to those from + the configuration file. + +

debug

Gives debugging output to syslog.

debug_state

Gives detailed PAM state debugging output to syslog.

require_membership_of=[SID or NAME]

+ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID + can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the + SID. That name must have the form: MYDOMAIN\\mygroup or + MYDOMAIN\\myuser. pam_winbind will, in that case, lookup the SID internally. Note that + NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a + user is a member of with wbinfo --user-sids=SID. +

use_first_pass

+ By default, pam_winbind tries to get the authentication token from a previous module. If no token is available + it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication + token from a previous module is available. +

try_first_pass

+ Same as the use_first_pass option (previous item), except that if the primary password is not + valid, PAM will prompt for a password. +

use_authtok

+ Set the new password to the one provided by the previously stacked password module. If this option is not set + pam_winbind will ask the user for the new password. +

krb5_auth

+ + pam_winbind can authenticate using Kerberos when winbindd is + talking to an Active Directory domain controller. Kerberos + authentication must be enabled with this parameter. When + Kerberos authentication can not succeed (e.g. due to clock + skew), winbindd will fallback to samlogon authentication over + MSRPC. When this parameter is used in conjunction with + winbind refresh tickets, winbind will + keep your Ticket Granting Ticket (TGT) uptodate by refreshing + it whenever necessary. + +

krb5_ccache_type=[type]

+ + When pam_winbind is configured to try kerberos authentication + by enabling the krb5_auth option, it can + store the retrieved Ticket Granting Ticket (TGT) in a + credential cache. The type of credential cache can be set with + this option. Currently the only supported value is: + FILE. In that case a credential cache in + the form of /tmp/krb5cc_UID will be created, where UID is + replaced with the numeric user id. Leave empty to just do + kerberos authentication without having a ticket cache after the + logon has succeeded. + +

cached_login

+ Winbind allows to logon using cached credentials when winbind offline logon is enabled. To use this feature from the PAM module this option must be set. +

silent

+ Do not emit any messages. +

mkhomedir

+ Create homedirectory for a user on-the-fly, option is valid in + PAM session block. +

warn_pwd_expire

+ Defines number of days before pam_winbind starts to warn about passwords that are + going to expire. Defaults to 14 days. +

+ +

PAM DATA EXPORTS

This section describes the data exported in the PAM stack which could be used in other PAM modules.

PAM_WINBIND_HOMEDIR

+ This is the Windows Home Directory set in the profile tab in the user settings + on the Active Directory Server. This could be a local path or a directory on a + share mapped to a drive. +

PAM_WINBIND_LOGONSCRIPT

+ The path to the logon script which should be executed if a user logs in. This is + normally a relative path to the script stored on the server. +

PAM_WINBIND_LOGONSERVER

+ This exports the Active Directory server we are authenticating against. This can be + used as a variable later. +

PAM_WINBIND_PROFILEPATH

+ This is the profile path set in the profile tab in the user settings. Noramlly + the home directory is synced with this directory on a share. +

SEE ALSO

wbinfo(1), winbindd(8), smb.conf(5)

VERSION

This man page is correct for version 3 of Samba.

AUTHOR

+ The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by + the Samba Team as an Open Source project similar to the way the Linux kernel is developed. +

This manpage was written by Jelmer Vernooij and Guenther Deschner.
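Review bot: In the new pam_winbind.8.html above, the SYNOPSIS text says to make pam_winbind "one of the first modules in the session part" because it may retrieve Kerberos tickets that other modules need, yet the example immediately before it lists `session required pam_winbind.so` after `session required pam_unix2.so`; move the pam_winbind line up in the example or reword the advice, as written they contradict each other. Two more points on the same example: `password sufficient pam_winbind.so` sits before `pam_pwcheck.so cracklib`, so a winbind password change that succeeds returns from the stack before cracklib runs and local password-strength checking never applies to domain users (only the domain's own policy does); say so, or order the modules so pam_pwcheck runs first. And `account required pam_winbind.so use_first_pass` carries an option that, per its own OPTIONS entry, only governs where the authentication token comes from; on the account line it is at best a no-op and should be dropped so readers do not copy it. Typo in the added PAM_WINBIND_PROFILEPATH text: "Noramlly".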

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/manpages/smb.conf.5.html samba-3.4.0rc1//docs/htmldocs/manpages/smb.conf.5.html --- samba-3.4.0pre2//docs/htmldocs/manpages/smb.conf.5.html 2009-06-02 09:46:22.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/manpages/smb.conf.5.html 2009-06-19 11:11:15.000000000 +0200 @@ -365,7 +365,7 @@ abort shutdown script (G)

This a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script.

If the connected user posseses the SeRemoteShutdownPrivilege, - right, this command will be run as user.

Default: abort shutdown script = "" + right, this command will be run as root.

Default: abort shutdown script = ""

Example: abort shutdown script = /sbin/shutdown -c @@ -5309,7 +5309,7 @@

This a full path name to a script called by smbd(8) that should start a shutdown procedure.

If the connected user posseses the SeRemoteShutdownPrivilege, - right, this command will be run as user.

The %z %t %r %f variables are expanded as follows:

  • %z will be substituted with the + right, this command will be run as root.

    The %z %t %r %f variables are expanded as follows:

    • %z will be substituted with the shutdown message sent to the server.

    • %t will be substituted with the number of seconds to wait before effectively starting the shutdown procedure.

    • %r will be substituted with the @@ -5594,8 +5594,8 @@
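Review bot: In the two shutdown script hunks above, the correction from "run as user" to "run as root" is the important one and should go in, but the surrounding text should now carry the consequence: any account holding SeRemoteShutdownPrivilege (grantable with `net sam rights grant`, documented elsewhere in this patch) causes smbd to execute the configured script as root, so the script and its directory must be writable by root only, and the `%z` variable listed below it is the shutdown message supplied by the client and is substituted into a command that runs as root; the example `/sbin/shutdown -c` does not use it, but any script that does must treat it as untrusted input. Also, the context line "If the connected user posseses" misspells "possesses" in both hunks.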

unix extensions (G) -

This boolean parameter controls whether Samba - implments the CIFS UNIX extensions, as defined by HP. +

This boolean parameter controls whether Samba + implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/AccessControls.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/AccessControls.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/AccessControls.html 2009-06-02 09:49:47.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/AccessControls.html 2009-06-19 11:14:40.000000000 +0200 @@ -1,59 +1,59 @@ -Chapter 16. File, Directory, and Share Access Controls

Chapter 16. File, Directory, and Share Access Controls

John H. Samba Team Terpstra

Samba Team

Jeremy Samba Team Allison

Samba Team

Jelmer R. The Samba Team Vernooij

drawing 
The Samba Team

May 10, 2003

- - +Chapter 16. File, Directory, and Share Access Controls

Chapter 16. File, Directory, and Share Access Controls

John H. Samba Team Terpstra

Samba Team

Jeremy Samba Team Allison

Samba Team

Jelmer R. The Samba Team Vernooij

drawing 
The Samba Team

May 10, 2003

+ + Advanced MS Windows users are frequently perplexed when file, directory, and share manipulation of resources shared via Samba do not behave in the manner they might expect. MS Windows network administrators are often confused regarding network access controls and how to provide users with the access they need while protecting resources from unauthorized access.

- - + + Many UNIX administrators are unfamiliar with the MS Windows environment and in particular have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file and directory access permissions.

- - + + The problem lies in the differences in how file and directory permissions and controls work between the two environments. This difference is one that Samba cannot completely hide, even though it does try to bridge the chasm to a degree.

- - - - + + + + POSIX Access Control List technology has been available (along with extended attributes) for UNIX for many years, yet there is little evidence today of any significant use. This explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows administrators are astounded at this, given that ACLs were a foundational capability of the now decade-old MS Windows NT operating system.

- + The purpose of this chapter is to present each of the points of control that are possible with Samba-3 in the hope that this will help the network administrator to find the optimum method for delivering the best environment for MS Windows desktop users.

- - + + This is an opportune point to mention that Samba was created to provide a means of interoperability and interchange of data between differing operating environments. Samba has no intent to change UNIX/Linux into a platform like MS Windows. Instead the purpose was and is to provide a sufficient level of exchange of data between the two environments. What is available today extends well beyond early plans and expectations, yet the gap continues to shrink. -

Features and Benefits

+

Features and Benefits

Samba offers much flexibility in file system access management. These are the key access control facilities present in Samba today:

Samba Access Control Facilities

  • - + UNIX File and Directory Permissions

    - - + + Samba honors and implements UNIX file system access controls. Users who access a Samba server will do so as a particular MS Windows user. This information is passed to the Samba server as part of the logon or @@ -64,7 +64,7 @@

  • Samba Share Definitions

    - + In configuring share settings and controls in the smb.conf file, the network administrator can exercise overrides to native file system permissions and behaviors. This can be handy and convenient @@ -73,20 +73,20 @@ The basic options and techniques are described herein.

  • Samba Share ACLs - +

    - + Just as it is possible in MS Windows NT to set ACLs on shares themselves, so it is possible to do in Samba. Few people make use of this facility, yet it remains one of the easiest ways to affect access controls (restrictions) and can often do so with minimum invasiveness compared with other methods.

  • - - + + MS Windows ACLs through UNIX POSIX ACLs

    - + The use of POSIX ACLs on UNIX/Linux is possible only if the underlying operating system supports them. If not, then this option will not be available to you. Current UNIX technology platforms have native support @@ -94,16 +94,16 @@ this support. Sadly, few Linux platforms ship today with native ACLs and extended attributes enabled. This chapter has pertinent information for users of platforms that support them. -

File System Access Controls

+

File System Access Controls

Perhaps the most important recognition to be made is the simple fact that MS Windows NT4/200x/XP implement a totally divergent file system technology from what is provided in the UNIX operating system environment. First we consider what the most significant differences are, then we look at how Samba helps to bridge the differences. -

MS Windows NTFS Comparison with UNIX File Systems

- - - - +

MS Windows NTFS Comparison with UNIX File Systems

+ + + + Samba operates on top of the UNIX file system. This means it is subject to UNIX file system conventions and permissions. It also means that if the MS Windows networking environment requires file system behavior, that differs from UNIX file system behavior then somehow Samba is responsible for emulating @@ -114,7 +114,7 @@ but for the greater part we stay within the bounds of default behavior. Those wishing to explore the depths of control ability should review the smb.conf man page.

The following compares file system features for UNIX with those of MS Windows NT/200x: - +

Name Space

MS Windows NT4/200x/XP file names may be up to 254 characters long, and UNIX file names @@ -123,8 +123,8 @@

What MS Windows calls a folder, UNIX calls a directory.

Case Sensitivity

- - + + MS Windows file names are generally uppercase if made up of 8.3 (8-character file name and 3 character extension. File names that are longer than 8.3 are case preserving and case insensitive. @@ -151,26 +151,26 @@ event that the UNIX directory contains multiple files that would match a case insensitive file listing.

Directory Separators

- + MS Windows and DOS use the backslash \ as a directory delimiter, and UNIX uses the forward-slash / as its directory delimiter. This is handled transparently by Samba.

Drive Identification

- + MS Windows products support a notion of drive letters, like C:, to represent disk partitions. UNIX has no concept of separate identifiers for file partitions; each such file system is mounted to become part of the overall directory tree. The UNIX directory tree begins at / just as the root of a DOS drive is specified as C:\.

File Naming Conventions

- + MS Windows generally never experiences file names that begin with a dot (.), while in UNIX these are commonly found in a user's home directory. Files that begin with a dot (.) are typically startup files for various UNIX applications, or they may be files that contain startup configuration data.

Links and Short-Cuts

- - - + + + MS Windows make use of links and shortcuts that are actually special types of files that will redirect an attempt to execute the file to the real location of the file. UNIX knows of file and directory links, but they are entirely different from what MS Windows users are used to. @@ -183,17 +183,17 @@ There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort in the process of becoming familiar with UNIX/Linux. These are best left for a text that is dedicated to the purpose of UNIX/Linux training and education. -

Managing Directories

- - +

Managing Directories

+ + There are three basic operations for managing directories: create, delete, rename. Managing Directories with UNIX and Windows compares the commands in Windows and UNIX that implement these operations. -

Table 16.1. Managing Directories with UNIX and Windows

ActionMS Windows CommandUNIX Command
createmd foldermkdir folder
deleterd folderrmdir folder
renamerename oldname newnamemv oldname newname

File and Directory Access Control

- - - +

Table 16.1. Managing Directories with UNIX and Windows

ActionMS Windows CommandUNIX Command
createmd foldermkdir folder
deleterd folderrmdir folder
renamerename oldname newnamemv oldname newname

File and Directory Access Control

+ + + The network administrator is strongly advised to read basic UNIX training manuals and reference materials regarding file and directory permissions maintenance. Much can be achieved with the basic UNIX permissions without having to resort to more complex facilities like POSIX ACLs or extended attributes (EAs). @@ -226,47 +226,47 @@

Figure 16.1. Overview of UNIX permissions field.

Overview of UNIX permissions field.

Any bit flag may be unset. An unset bit flag is the equivalent of "cannot" and is represented as a “-” character (see “Example File”) - - - + + +

Example 16.1. Example File

 -rwxr-x---   Means: 
  ^^^                The owner (user) can read, write, execute
     ^^^             the group can read and execute
        ^^^          everyone else cannot do anything with it.
 

- - + + Additional possibilities in the [type] field are c = character device, b = block device, p = pipe device, s = UNIX Domain Socket.

- - + + The letters rwxXst set permissions for the user, group, and others as read (r), write (w), execute (or access for directories) (x), execute only if the file is a directory or already has execute permission for some user (X), set user (SUID) or group ID (SGID) on execution (s), sticky (t).

- - + + When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.

- - - + + + When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or group whose `set user or group' bit is set. This can be helpful in setting up directories for which it is desired that all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file @@ -276,11 +276,11 @@ the (r) read flags are not set, files cannot be listed (seen) in the directory by anyone. The group can read files in the directory but cannot create new files. If files in the directory are set to be readable and writable for the group, then group members will be able to write to (or delete) them. -

Protecting Directories and Files from Deletion

- - +

Protecting Directories and Files from Deletion

+ + People have asked on the Samba mailing list how is it possible to protect files or directories from deletion by users. For example, Windows NT/2K/XP provides the capacity to set access controls on a directory into which people can write files but not delete them. It is possible to set an ACL on a Windows file that permits the file to be written to @@ -288,27 +288,27 @@ anyone who has the ability to create a file can write to it. Anyone who has write permission on the directory that contains a file and has write permission for it has the capability to delete it.

- - - + + + For the record, in the UNIX environment the ability to delete a file is controlled by the permissions on the directory that the file is in. In other words, a user can delete a file in a directory to which that user has write access, even if that user does not own the file.

- - + + Of necessity, Samba is subject to the file system semantics of the host operating system. Samba is therefore limited in the file system capabilities that can be made available through Windows ACLs, and therefore performs a "best fit" translation to POSIX ACLs. Some UNIX file systems do, however support, a feature known as extended attributes. Only the Windows concept of inheritance is implemented by Samba through the appropriate extended attribute.

- - - + + + The specific semantics of the extended attributes are not consistent across UNIX and UNIX-like systems such as Linux. For example, it is possible on some implementations of the extended attributes to set a flag that prevents the directory or file from being deleted. The extended attribute that may achieve this is called the immutible bit. @@ -322,7 +322,7 @@

A simple test can be done to check if the immutible flag is supported on files in the file system of the Samba host server. -

Procedure 16.1. Test for File Immutibility Support

  1. +

    Procedure 16.1. Test for File Immutibility Support

    1. Create a file called filename.

    2. Login as the root user, then set the immutibile flag on a test file as follows: @@ -340,11 +340,11 @@ that cannot be deleted. Check the man page on your particular host system to determine whether or not immutable directories are writable. If they are not, then the entire directory and its contents will effectively be protected from writing (file creation also) and deletion. -

Share Definition Access Controls

- +

Share Definition Access Controls

+ The following parameters in the smb.conf file sections define a share control or affect access controls. Before using any of the following options, please refer to the man page for smb.conf. -

User- and Group-Based Controls

+

User- and Group-Based Controls

User- and group-based controls can prove quite useful. In some situations it is distinctly desirable to force all file system operations as if a single user were doing so. The use of the force user and force group behavior will achieve this. @@ -385,7 +385,7 @@ List of users that should be allowed to login to this service.

write list

List of users that are given read-write access to a service. -


File and Directory Permissions-Based Controls

+


File and Directory Permissions-Based Controls

Directory permission-based controls, if misused, can result in considerable difficulty in diagnosing the causes of misconfiguration. Use them sparingly and carefully. By gradually introducing each, one at a time, undesirable side effects may be detected. In the event of a problem, always comment all of them out and then gradually reintroduce @@ -416,7 +416,7 @@ This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT ACLs.

security mask

Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file. -


Miscellaneous Controls

+


Miscellaneous Controls

The parameters documented in Other Controls are often used by administrators in ways that create inadvertent barriers to file access. Such are the consequences of not understanding the full implications of smb.conf file settings. @@ -449,70 +449,70 @@ If this parameter is yes, then users of a service may not create or modify files in the service's directory.

veto files

List of files and directories that are neither visible nor accessible. -


Access Controls on Shares

- - +


Access Controls on Shares

- - + + + + This section deals with how to configure Samba per-share access control restrictions. By default, Samba sets no restrictions on the share itself. Restrictions on the share itself can be set on MS Windows NT4/200x/XP shares. This can be an effective way to limit who can connect to a share. In the absence of specific restrictions, the default setting is to allow the global user Everyone - Full Control (full control, change and read).

- - - + + + At this time Samba does not provide a tool for configuring access control settings on the share itself the only way to create those settings is to use either the NT4 Server Manager or the Windows 200x Microsoft Management Console (MMC) for Computer Management. There are currently no plans to provide this capability in the Samba command-line tool set.

- - + + Samba stores the per-share access control settings in a file called share_info.tdb. The location of this file on your system will depend on how Samba was compiled. The default location for Samba's tdb files is under /usr/local/samba/var. If the tdbdump utility has been compiled and installed on your system, then you can examine the contents of this file by executing tdbdump share_info.tdb in the directory containing the tdb files. -

Share Permissions Management

+

Share Permissions Management

The best tool for share permissions management is platform-dependent. Choose the best tool for your environment. -

Windows NT4 Workstation/Server

- - - +

Windows NT4 Workstation/Server

+ + + The tool you need to manage share permissions on a Samba server from a Windows NT4 Workstation or Server is the NT Server Manager. Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. You can obtain the NT Server Manager for MS Windows NT4 Workstation from the Microsoft web site support section. -

Procedure 16.2. Instructions

  1. +

    Procedure 16.2. Instructions

    1. Launch the NT4 Server Manager and click on the Samba server you want to administer. From the menu select Computer, then click on Shared Directories.

    2. Click on the share that you wish to manage and click the Properties tab, then click the Permissions tab. Now you can add or change access control settings as you wish. -

Windows 200x/XP

- - +

Windows 200x/XP

+ + On MS Windows NT4/200x/XP systems, ACLs on the share itself are set using tools like the MS Explorer. For example, in Windows 200x, right-click on the shared folder, then select Sharing, then click on Permissions. The default Windows NT4/200x permissions allow the group "Everyone" full control on the share.

- - - + + + MS Windows 200x and later versions come with a tool called the Computer Management snap-in for the MMC. This tool can be accessed via Control Panel -> Administrative Tools -> Computer Management. -

Procedure 16.3. Instructions

  1. +

    Procedure 16.3. Instructions

    1. After launching the MMC with the Computer Management snap-in, click the menu item Action and select Connect to another computer. If you are not logged onto a domain you will be prompted to enter a domain login user identifier and a password. This will authenticate you to the domain. @@ -523,7 +523,7 @@ System Tools, then on the [+] next to Shared Folders in the left panel.

    2. - + In the right panel, double-click on the share on which you wish to set access control permissions. Then click the tab Share Permissions. It is now possible to add access control entities to the shared folder. Remember to set what type of access (full control, change, read) you @@ -534,8 +534,8 @@ ACL precedence. Everyone with no access means that MaryK who is part of the group Everyone will have no access even if she is given explicit full control access. -

MS Windows Access Control Lists and UNIX Interoperability

Managing UNIX Permissions Using NT Security Dialogs

- +

MS Windows Access Control Lists and UNIX Interoperability

Managing UNIX Permissions Using NT Security Dialogs

+ Windows NT clients can use their native security settings dialog box to view and modify the underlying UNIX permissions.

@@ -549,7 +549,7 @@ When trying to figure out file access problems, it is vitally important to find the identity of the Windows user as it is presented by Samba at the point of file access. This can best be determined from the Samba log files. -

Viewing File Security on a Samba Share

+

Viewing File Security on a Samba Share

From an NT4/2000/XP client, right-click on any file or directory in a Samba-mounted drive letter or UNC path. When the menu pops up, click on the Properties entry at the bottom of the menu. This brings up the file Properties dialog box. Click on the @@ -560,7 +560,7 @@ to add auditing requirements to a file if the user is logged on as the NT administrator. This dialog is nonfunctional with a Samba share at this time, because the only useful button, the Add button, will not currently allow a list of users to be seen. -

Viewing File Ownership

+

Viewing File Ownership

Clicking on the Ownership button brings up a dialog box telling you who owns the given file. The owner name will be displayed like this:

@@ -574,7 +574,7 @@
 		If the parameter nt acl support is set to false,
 		the file owner will be shown as the NT user Everyone.
 		

- + The Take Ownership button will not allow you to change the ownership of this file to yourself (clicking it will display a dialog box complaining that the user as whom you are currently logged onto the NT client cannot be found). The reason for this is that changing the ownership of a file is a privileged @@ -582,14 +582,14 @@ NT to attempt to change the ownership of a file to the current user logged into the NT client, this will not work with Samba at this time.

- - - + + + There is an NT chown command that will work with Samba and allow a user with administrator privilege connected to a Samba server as root to change the ownership of files on both a local NTFS file system or remote mounted NTFS or Samba drive. This is available as part of the Seclib NT security library written by Jeremy Allison of the Samba Team and is downloadable from the main Samba FTP site. -

Viewing File or Directory Permissions

+

Viewing File or Directory Permissions

The third button is the Permissions button. Clicking on it brings up a dialog box that shows both the permissions and the UNIX owner of the file or directory. The owner is displayed like this:

SERVER\ @@ -603,7 +603,7 @@ shown as NT Full Control.

The permissions field is displayed differently for files and directories. Both are discussed next. -

File Permissions

+

File Permissions

The standard UNIX user/group/world triplet and the corresponding read, write, execute permissions triplets are mapped by Samba into a three-element NT ACL with the “r”, “w”, and “x” bits mapped into the corresponding NT @@ -621,7 +621,7 @@ Take Ownership ACL attribute (which has no meaning in UNIX) and reports a component with no permissions as having the NT O bit set. This was chosen, of course, to make it look like a zero, meaning zero permissions. More details on the decision behind this action are given below. -

Directory Permissions

+

Directory Permissions

Directories on an NT NTFS file system have two different sets of permissions. The first set is the ACL set on the directory itself, which is usually displayed in the first set of parentheses in the normal RW NT style. This first set of permissions is created by Samba in exactly the same way as normal file permissions are, described @@ -632,7 +632,7 @@

Samba synthesizes these inherited permissions for NT by returning as an NT ACL the UNIX permission mode that a new file created by Samba on this share would receive. -

Modifying File or Directory Permissions

+

Modifying File or Directory Permissions

Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box and clicking on OK. However, there are limitations that a user needs to be aware of, and also interactions with the standard Samba permission masks and mapping of DOS attributes that also need to @@ -665,7 +665,7 @@ If you wish to remove all permissions from a user/group/world component, you may either highlight the component and click on the Remove button or set the component to only have the special Take Ownership permission (displayed as O) highlighted. -

Interaction with the Standard Samba “create mask” Parameters

There are four parameters that control interaction with the standard Samba create mask parameters: +

Interaction with the Standard Samba “create mask” Parameters

There are four parameters that control interaction with the standard Samba create mask parameters:

@@ -719,7 +719,7 @@ does not force any particular bits to be set on, then set the following parameters in the smb.conf file in that share-specific section: -

security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0

Interaction with the Standard Samba File Attribute Mapping

Note

+

security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0

Interaction with the Standard Samba File Attribute Mapping

Note

Samba maps some of the DOS attribute bits (such as “read-only”) into the UNIX permissions of a file. This means there can be a conflict between the permission bits set via the security @@ -740,7 +740,7 @@ attributes dialog, you should always press Cancel rather than OK to ensure that your changes are not overridden. -

Windows NT/200X ACLs and POSIX ACLs Limitations

+

Windows NT/200X ACLs and POSIX ACLs Limitations

Windows administrators are familiar with simple ACL controls, and they typically consider that UNIX user/group/other (ugo) permissions are inadequate and not sufficiently fine-grained. @@ -768,7 +768,7 @@ ACLs as implemented in UNIX file systems. Samba provides support for masks that permit normal ugo and ACLs functionality to be overrided. This further complicates the way in which Windows ACLs must be implemented. -

UNIX POSIX ACL Overview

+

UNIX POSIX ACL Overview

In examining POSIX ACLs we must consider the manner in which they operate for both files and directories. File ACLs have the following significance:

@@ -797,7 +797,7 @@
 default:mask:rwx      <-- inherited default mask
 default:other:---     <-- inherited permissions for everyone (other)
 

-

Mapping of Windows File ACLs to UNIX POSIX ACLs

+

Mapping of Windows File ACLs to UNIX POSIX ACLs

Microsoft Windows NT4/200X ACLs must of necessity be mapped to POSIX ACLs. The mappings for file permissions are shown in How Windows File ACLs Map to UNIX POSIX File ACLs. @@ -816,7 +816,7 @@ The UNIX administrator can set any directory permission from within the UNIX environment. The Windows administrator is more restricted in that it is not possible from within Windows Explorer to remove read permission for the file owner. -

Mapping of Windows Directory ACLs to UNIX POSIX ACLs

+

Mapping of Windows Directory ACLs to UNIX POSIX ACLs

Interesting things happen in the mapping of UNIX POSIX directory permissions and UNIX POSIX ACLs to Windows ACEs (Access Control Entries, the discrete components of an ACL) are mapped to Windows directory ACLs. @@ -824,10 +824,10 @@ Directory permissions function in much the same way as shown for file permissions, but there are some notable exceptions and a few peculiarities that the astute administrator will want to take into account in the setting up of directory permissions. -

Common Errors

+

Common Errors

File, directory, and share access problems are common topics on the mailing list. The following are examples recently taken from the mailing list. -

Users Cannot Write to a Public Share

+

Users Cannot Write to a Public Share

The following complaint has frequently been voiced on the Samba mailing list: “ We are facing some troubles with file/directory permissions. I can log on the domain as admin user (root), @@ -887,11 +887,11 @@

  • If the user that must have write permission in the directory is not a member of the group engr set in the smb.conf entry for the share: -

    force group = engr

    -

  • File Operations Done as root with force user Set

    +

    force group = engr

    +

    File Operations Done as root with force user Set

    When you have a user in admin users, Samba will always do file operations for this user as root, even if force user has been set. -

    MS Word with Samba Changes Owner of File

    +

    MS Word with Samba Changes Owner of File

    Question:When user B saves a word document that is owned by user A, the updated file is now owned by user B. Why is Samba doing this? How do I fix this?

    @@ -906,7 +906,7 @@ in which you are changing Word documents: chmod g+s `directory_name'. This ensures that all files will be created with the group that owns the directory. In smb.conf share declaration section set:

    -

    force create mode = 0660
    force directory mode = 0770

    +

    force create mode = 0660
    force directory mode = 0770

    These two settings will ensure that all directories and files that get created in the share will be readable/writable by the owner and group set on the directory itself. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html 2009-06-02 09:49:57.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html 2009-06-19 11:14:50.000000000 +0200 @@ -1,9 +1,9 @@ -Chapter 25. Advanced Network Management
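Review bot: the hunks in this AccessControls chapter diff (from @@ -64,7 through @@ -906,7) remove and re-add every heading, paragraph, table and code block with identical visible text: "Features and Benefits" appears once on the - side and again on the + side, Table 16.1 is emitted twice in full, and the four-line `security mask = 0777` block is repeated verbatim. With the HTML tags stripped the only surviving difference is the run of bare `-`/`+` lines, so a reviewer cannot tell whether any documentation content actually changed between 3.4.0pre2 and 3.4.0rc1. Suggest reviewing the DocBook source diff instead, or regenerating this diff with whitespace and blank-line changes ignored, so that any real wording changes stand out.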
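Review bot: the regenerated context around Procedure 16.1 still carries the misspellings "immutible", "immutibile" and "Immutibility" (the paragraph on the immutible bit, the procedure title, and step 2); since the HTML is being rebuilt anyway, correct them to "immutable" in the source. The same applies to "MS Windows make use of links" (should be "makes") under Links and Short-Cuts, "overrided" (should be "overridden") in the Windows NT/200X ACLs and POSIX ACLs Limitations section, and the unclosed parenthesis in "(8-character file name and 3 character extension." under Case Sensitivity.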
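Review bot: the four settings shown after @@ -719,7 (security mask = 0777, force security mode = 0, directory security mask = 0777, force directory security mode = 0) hand complete control of the UNIX mode bits to the Windows client, which the surrounding text only describes as "does not force any particular bits to be set on". Since the chapter itself defines security mask as the set of permission bits a client may modify, the text should say plainly that with 0777 the client can set or clear any bit, including the world-write bit, and should contrast this with the stricter force create mode = 0660 / force directory mode = 0770 example given later in the Common Errors section rather than presenting the 0777 values as a normal configuration.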
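Review bot: the one-sentence entry "File Operations Done as root with force user Set" (hunk @@ -887,11) states that a user listed in admin users has all file operations performed as root even when force user is set, yet it is formatted as just another bullet in the Common Errors list. That is a privilege detail a reader should not miss; suggest setting it off as a Note (the chapter already uses a Note box for the DOS attribute mapping) and cross-referencing the admin users entry in the share-control parameter list. The `force group = engr` fragment in the same hunk is also emitted twice with no change.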

    Chapter 25. Advanced Network Management

    John H. Samba Team Terpstra

    Samba Team

    June 15 2005

    - +Chapter 25. Advanced Network Management

    Chapter 25. Advanced Network Management

    John H. Samba Team Terpstra

    Samba Team

    June 15 2005

    + This section documents peripheral issues that are of great importance to network administrators who want to improve network resource access control, to automate the user environment, and to make their lives a little easier. -

    Features and Benefits

    +

    Features and Benefits

    Often the difference between a working network environment and a well-appreciated one can best be measured by the little things that make everything work more harmoniously. A key part of every network environment solution is the ability to remotely @@ -13,48 +13,48 @@

    This chapter presents information on each of these areas. They are placed here, and not in other chapters, for ease of reference. -

    Remote Server Administration

    How do I get User Manager and Server Manager?

    - - +

    Remote Server Administration

    How do I get User Manager and Server Manager?

    + + Since I do not need to buy an NT4 server, how do I get the User Manager for Domains and the Server Manager?

    - - + + Microsoft distributes a version of these tools called Nexus.exe for installation on Windows 9x/Me systems. The tools set includes:

    • Server Manager

    • User Manager for Domains

    • Event Viewer

    Download the archived file at the Microsoft Nexus link.

    - - + + The Windows NT 4.0 version of the User Manager for Domains and Server Manager are available from Microsoft via ftp. -

    Remote Desktop Management

    - - +

    Remote Desktop Management

    + + There are a number of possible remote desktop management solutions that range from free through costly. Do not let that put you off. Sometimes the most costly solution is the most cost effective. In any case, you will need to draw your own conclusions as to which is the best tool in your network environment. -

    Remote Management from NoMachine.Com

    - +

    Remote Management from NoMachine.Com

    + The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003. It is presented in slightly edited form (with author details omitted for privacy reasons). The entire answer is reproduced below with some comments removed.

    - + I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote desktop capabilities so users outside could login to the system and get their desktop up from home or another country.

    - - - + + + Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login even if the computer is in a domain? @@ -62,22 +62,22 @@ Answer provided: Check out the new offer of “NX” software from NoMachine.

    - - - + + + It implements an easy-to-use interface to the Remote X protocol as well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed performance much better than anything you may have ever seen.

    - + Remote X is not new at all, but what they did achieve successfully is a new way of compression and caching technologies that makes the thing fast enough to run even over slow modem/ISDN connections.

    - - - - + + + + I test drove their (public) Red Hat machine in Italy, over a loaded Internet connection, with enabled thumbnail previews in KDE konqueror, which popped up immediately on “mouse-over”. From inside that (remote X) @@ -85,18 +85,18 @@ To test the performance, I played Pinball. I am proud to announce that my score was 631,750 points at first try.

    - - - - + + + + NX performs better on my local LAN than any of the other “pure” connection methods I use from time to time: TightVNC, rdesktop or Remote X. It is even faster than a direct crosslink connection between two nodes.

    - - + + I even got sound playing from the Remote X app to my local boxes, and had a working “copy'n'paste” from an NX window (running a KDE session in Italy) to my Mozilla mailing agent. These guys are certainly doing @@ -118,7 +118,7 @@ full-screen, and after a short time you forget that it is a remote session at all).

    - + Now the best thing for last: All the core compression and caching technologies are released under the GPL and available as source code to anybody who wants to build on it! These technologies are working, @@ -140,37 +140,37 @@ you can now use a (very inconvenient) command line at no cost, but you can buy a comfortable (proprietary) NX GUI front end for money.

  • - - - + + + NoMachine is encouraging and offering help to OSS/Free Software implementations for such a front-end too, even if it means competition to them (they have written to this effect even to the LTSP, KDE, and GNOME developer mailing lists). -

  • Remote Management with ThinLinc

    +

    Remote Management with ThinLinc

    Another alternative for remote access is ThinLinc from Cendio.

    - - - - - - + + + + + + ThinLinc is a terminal server solution that is available for Linux and Solaris based on standard protocols such as SSH, TightVNC, NFS and PulseAudio.

    - - + + ThinLinc an be used both in the LAN environment to implement a Thin Client strategy for an organization, and as secure remote access solution for people working from remote locations, even over smallband connections. ThinLinc is free to use for a single concurrent user.

    - - + + The product can also be used as a frontend to access Windows Terminal Server or Citrix farms, or even Windows XP machines, securing the connection via the ssh protocol. The client is available both for Linux (supporting all Linux distributions as well as numerous thin terminals) and for Windows. A Java-based Web client is also @@ -185,7 +185,7 @@ PulseAudio , unfsd, Python and rdesktop. -

    Network Logon Script Magic

    +

    Network Logon Script Magic

    There are several opportunities for creating a custom network startup configuration environment.

    • No Logon Script.

    • Simple universal Logon Script that applies to all users.

    • Use of a conditional Logon Script that applies per-user or per-group attributes.

    • Use of Samba's preexec and postexec functions on access to the NETLOGON share to create a custom logon script and then execute it.

    • User of a tool such as KixStart.
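Review bot: the last item in this list, "User of a tool such as KixStart.", breaks the parallel wording of the items above it ("Use of a conditional Logon Script", "Use of Samba's preexec and postexec functions"); it should read "Use of a tool such as KixStart."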

    @@ -195,7 +195,7 @@

    The following listings are from the genlogon directory.

    - + This is the genlogon.pl file:

    @@ -274,15 +274,15 @@
     

    Those wishing to use a more elaborate or capable logon processing system should check out these sites: -

    Adding Printers without User Intervention

    - +

    Adding Printers without User Intervention

    + Printers may be added automatically during logon script processing through the use of:

     C:\> rundll32 printui.dll,PrintUIEntry /?
     

    See the documentation in the Microsoft Knowledge Base article 189105. -

    Limiting Logon Connections

    +

    Limiting Logon Connections

    Sometimes it is necessary to limit the number of concurrent connections to a Samba shared resource. For example, a site may wish to permit only one network logon per user. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/apa.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/apa.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/apa.html 2009-06-02 09:50:10.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/apa.html 2009-06-19 11:15:03.000000000 +0200 @@ -1,50 +1,50 @@ Appendix A.  GNU General Public License version 3

    Appendix A.  + Prev   Next

    Appendix A.  GNU General Public License version 3 -

    Table of Contents

    A. +

    Version 3, 29 June 2007 @@ -54,7 +54,7 @@

    Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. -

    +

    Preamble

    The GNU General Public License is a free, copyleft @@ -118,9 +118,9 @@

    The precise terms and conditions for copying, distribution and modification follow. -

    +

    TERMS AND CONDITIONS -

    +

    0. Definitions.

    “This License” refers to version 3 of the GNU @@ -162,7 +162,7 @@ License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. -

    +

    1. Source Code.

    The “source code” for a work means the preferred form of the @@ -202,7 +202,7 @@ automatically from other parts of the Corresponding Source.

    The Corresponding Source for a work in source code form is that same work. -

    +

    2. Basic Permissions.

    All rights granted under this License are granted for the term of copyright @@ -227,7 +227,7 @@ Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. -

    +

    3. Protecting Users’ Legal Rights From Anti-Circumvention Law.

    No covered work shall be deemed part of an effective technological measure @@ -242,7 +242,7 @@ the work as a means of enforcing, against the work’s users, your or third parties’ legal rights to forbid circumvention of technological measures. -

    +

    4. Conveying Verbatim Copies.

    You may convey verbatim copies of the Program’s source code as you @@ -255,7 +255,7 @@

    You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. -

    +

    5. Conveying Modified Source Versions.

    You may convey a work based on the Program, or the modifications to produce @@ -291,7 +291,7 @@ or legal rights of the compilation’s users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. -

    +

    6. Conveying Non-Source Forms.

    You may convey a covered work in object code form under the terms of @@ -386,7 +386,7 @@ (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. -

    +

    7. Additional Terms.

    “Additional permissions” are terms that supplement the terms of @@ -450,7 +450,7 @@ Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. -

    +

    8. Termination.

    You may not propagate or modify a covered work except as expressly provided @@ -476,7 +476,7 @@ License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. -

    +

    9. Acceptance Not Required for Having Copies.

    You are not required to accept this License in order to receive or run a @@ -487,7 +487,7 @@ These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. -

    +

    10. Automatic Licensing of Downstream Recipients.

    Each time you convey a covered work, the recipient automatically receives a @@ -512,7 +512,7 @@ or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. -

    +

    11. Patents.

    A “contributor” is a copyright holder who authorizes use under @@ -579,7 +579,7 @@ Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. -

    +

    12. No Surrender of Others’ Freedom.

    If conditions are imposed on you (whether by court order, agreement or @@ -591,7 +591,7 @@ to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. -

    +

    13. Use with the GNU Affero General Public License.

    Notwithstanding any other provision of this License, you have permission to @@ -602,7 +602,7 @@ requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. -

    +

    14. Revised Versions of this License.

    The Free Software Foundation may publish revised and/or new versions of the @@ -627,7 +627,7 @@ Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. -

    +

    15. Disclaimer of Warranty.

    THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE @@ -638,7 +638,7 @@ THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. -

    +

    16. Limitation of Liability.

    IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL @@ -650,7 +650,7 @@ PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. -

    +

    17. Interpretation of Sections 15 and 16.

    If the disclaimer of warranty and limitation of liability provided above @@ -659,9 +659,9 @@ waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. -

    +

    END OF TERMS AND CONDITIONS -

    +

    How to Apply These Terms to Your New Programs

    If you develop a new program, and you want it to be of the greatest possible diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/Appendix.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/Appendix.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/Appendix.html 2009-06-02 09:50:09.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/Appendix.html 2009-06-19 11:15:02.000000000 +0200 @@ -1 +1 @@ -Part VI. Reference Section

    Part VI. Reference Section

    +Part VI. Reference Section

    Part VI. Reference Section

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/Backup.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/Backup.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/Backup.html 2009-06-02 09:50:00.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/Backup.html 2009-06-19 11:14:53.000000000 +0200 @@ -1,33 +1,33 @@ -Chapter 31. Backup Techniques

    Chapter 31. Backup Techniques

    John H. Samba Team Terpstra

    Samba Team

    Features and Benefits

    - - - - +Chapter 31. Backup Techniques

    Chapter 31. Backup Techniques

    John H. Samba Team Terpstra

    Samba Team

    Features and Benefits

    + + + + The Samba project is over 10 years old. During the early history of Samba, UNIX administrators were its key implementors. UNIX administrators use UNIX system tools to backup UNIX system files. Over the past 4 years, an increasing number of Microsoft network administrators have taken an interest in Samba. This is reflected in the questions about backup in general on the Samba mailing lists. -

    Discussion of Backup Solutions

    - - +

    Discussion of Backup Solutions

    + + During discussions at a Microsoft Windows training course, one of the pro-UNIX delegates stunned the class when he pointed out that Windows NT4 is limiting compared with UNIX. He likened UNIX to a Meccano set that has an unlimited number of tools that are simple, efficient, and, in combination, capable of achieving any desired outcome.

    - - + + One of the Windows networking advocates retorted that if she wanted a Meccano set, she would buy one. She made it clear that a complex single tool that does more than is needed but does it with a clear purpose and intent is preferred by some like her.

    - - - + + + Please note that all information here is provided as is and without recommendation of fitness or suitability. The network administrator is strongly encouraged to perform due diligence research before implementing any backup solution, whether free @@ -38,31 +38,31 @@ www.allmerchants.com.

    The following three free software projects might also merit consideration. -

    BackupPC

    - - - +

    BackupPC

    + + + BackupPC version 2.0.0 has been released on SourceForge. New features include support for rsync/rsyncd and internationalization of the CGI interface (including English, French, Spanish, and German).

    - - - - - - - - + + + + + + + + BackupPC is a high-performance Perl-based package for backing up Linux, UNIX, and Windows PCs and laptops to a server's disk. BackupPC is highly configurable and easy to install and maintain. SMB (via smbclient), tar over rsh/ssh, or rsync/rsyncd are used to extract client data.

    - - + + Given the ever-decreasing cost of disks and RAID systems, it is now practical and cost effective to backup a large number of machines onto a server's local disk or network storage. This is what BackupPC does. @@ -71,24 +71,24 @@ space), compression, and a comprehensive CGI interface that allows users to browse backups and restore files.

    - + BackupPC is free software distributed under a GNU GPL license. BackupPC runs on Linux/UNIX/freenix servers and has been tested on Linux, UNIX, Windows 9x/Me, Windows 98, Windows 200x, Windows XP, and Mac OSX clients. -

    Rsync

    - - - - +

    Rsync

    + + - + + + rsync is a flexible program for efficiently copying files or directory trees.

    rsync has many options to select which files will be copied and how they are to be transferred. It may be used as an alternative to ftp, http, scp, or rcp.

    - - + + The rsync remote-update protocol allows rsync to transfer just the differences between two sets of files across the network link, using an efficient checksum-search algorithm described in the @@ -107,10 +107,10 @@

  • Support for anonymous or authenticated rsync servers (ideal for mirroring). -

  • Amanda

    - - - +

    Amanda

    + + + Amanda, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to a single large capacity tape drive. Amanda uses native dump and/or @@ -119,8 +119,8 @@

    For more information regarding Amanda, please check the www.amanda.org/ site. -

    BOBS: Browseable Online Backup System

    - +

    BOBS: Browseable Online Backup System

    + Browseable Online Backup System (BOBS) is a complete online backup system. Uses large disks for storing backups and lets users browse the files using a Web browser. Handles some special files like AppleDouble and icon files. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/bugreport.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/bugreport.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/bugreport.html 2009-06-02 09:50:05.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/bugreport.html 2009-06-19 11:14:58.000000000 +0200 @@ -1,6 +1,6 @@ -Chapter 40. Reporting Bugs

    Chapter 40. Reporting Bugs

    John H. Samba Team Terpstra

    Samba Team

    Jelmer R. The Samba Team Vernooij

    The Samba Team

    Andrew Samba Team Tridgell

    Samba Team

    27 June 1997

    Introduction

    - - +Chapter 40. Reporting Bugs

    Chapter 40. Reporting Bugs

    John H. Samba Team Terpstra

    Samba Team

    Jelmer R. The Samba Team Vernooij

    The Samba Team

    Andrew Samba Team Tridgell

    Samba Team

    27 June 1997

    Introduction

    + + Please report bugs using Samba's Bugzilla facilities and take the time to read this file before you submit a bug report. Also, check to see if it has changed between releases, as we may be changing the bug reporting mechanism at some point. @@ -12,9 +12,9 @@ and a fix if you send us a “developer-friendly” bug report that lets us fix it fast.

    - - - + + + If you post the bug to the comp.protocols.smb newsgroup or the mailing list, do not assume that we will read it. If you suspect that your problem is not a bug but a configuration problem, it is better to send @@ -24,7 +24,7 @@ You may also like to look though the recent mailing list archives, which are conveniently accessible on the Samba Web pages at http://samba.org/samba/. -

    General Information

    +

    General Information

    Before submitting a bug report, check your config for silly errors. Look in your log files for obvious messages that tell you've misconfigured something. Run testparm to check your config @@ -42,13 +42,13 @@ 10 showing the problem may be appropriate. A higher level gives more detail but may use too much disk space.

    - - + + To set the debug level, use the log level in your smb.conf. You may also find it useful to set the log level higher for just one machine and keep separate logs for each machine. To do this, add the following lines to your main smb.conf file: -

    log level = 10
    log file = /usr/local/samba/lib/log.%m
    include = /usr/local/samba/lib/smb.conf.%m

    +

    log level = 10
    log file = /usr/local/samba/lib/log.%m
    include = /usr/local/samba/lib/smb.conf.%m

    and create a file /usr/local/samba/lib/smb.conf.machine where machine is the name of the client you wish to debug. In that file put any smb.conf commands you want; for example, log level may be useful. This also allows @@ -61,23 +61,23 @@ debugging information. For most debugging operations, you may not need a setting higher than 3. Nearly all bugs can be tracked at a setting of 10, but be prepared for a large volume of log data. -

    Debugging-Specific Operations

    - - - - +

    Debugging-Specific Operations

    + + + + Samba-3.x permits debugging (logging) of specific functional components without unnecessarily cluttering the log files with detailed logs for all operations. An example configuration to achieve this is shown in:

    -

    log level = 0 tdb:3 passdb:5 auth:4 vfs:2
    max log size = 0
    log file = /var/log/samba/%U.%m.log

    +

    log level = 0 tdb:3 passdb:5 auth:4 vfs:2
    max log size = 0
    log file = /var/log/samba/%U.%m.log

    This will cause the level of detail to be expanded to the debug class (log level) passed to each functional area per the value shown above. The first value passed to the log level of 0 means turn off all unnecessary debugging except the debug classes set for the functional areas as specified. The table shown in Debuggable Functions may be used to attain very precise analysis of each SMB operation Samba is conducting. -

    Table 40.1. Debuggable Functions

    Function NameFunction Name
    allpassdb
    tdbsam
    printdriversauth
    lanmanwinbind
    smbvfs
    rpc_parseidmap
    rpc_srvquota
    rpc_cliacls

    Internal Errors

    +

    Table 40.1. Debuggable Functions

    Function NameFunction Name
    allpassdb
    tdbsam
    printdriversauth
    lanmanwinbind
    smbvfs
    rpc_parseidmap
    rpc_srvquota
    rpc_cliacls

    Internal Errors

    If you get the message “INTERNAL ERROR” in your log files, it means that Samba got an unexpected signal while running. It is probably a segmentation fault and almost certainly means a bug in Samba (unless @@ -91,35 +91,35 @@ You should also detail how to reproduce the problem, if possible. Please make this reasonably detailed.

    - + You may also find that a core file appeared in a corefiles subdirectory of the directory where you keep your Samba log files. This file is the most useful tool for tracking down the bug. To use it, you do this: - - + +

     $ gdb smbd core
     

    - - + + adding appropriate paths to smbd and core so gdb can find them. If you do not have gdb, try dbx. Then within the debugger, use the command where to give a stack trace of where the problem occurred. Include this in your report.

    - + If you know any assembly language, do a disass of the routine where the problem occurred (if it's in a library routine, then disassemble the routine that called it) and try to work out exactly where the problem is by looking at the surrounding code. Even if you do not know assembly, including this information in the bug report can be useful. -

    Attaching to a Running Process

    - - - +

    Attaching to a Running Process

    + + + Unfortunately, some UNIXes (in particular some recent Linux kernels) refuse to dump a core file if the task has changed UID (which smbd does often). To debug with this sort of system, you could try to attach @@ -145,12 +145,12 @@

     root#  gdb /usr/local/samba/sbin/smbd
     

    - + then “attach `pid'” (of the spinning process), then type “bt” to get a backtrace to see where the smbd is in the call path. -

    Patches

    - - +

    Patches

    + + The best sort of bug report is one that includes a fix! If you send us patches, please use diff -u format if your version of diff supports it; otherwise, use diff -c4. Make sure diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/cfgsmarts.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/cfgsmarts.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/cfgsmarts.html 2009-06-02 09:50:02.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/cfgsmarts.html 2009-06-19 11:14:55.000000000 +0200 @@ -1,52 +1,52 @@ -Chapter 34. Advanced Configuration Techniques
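Review bot: in bugreport.html, the hunk at @@ -42,13 +42,13 @@ contradicts itself: the text says the aim is to "set the log level higher for just one machine", but the three lines it adds to the main smb.conf begin with `log level = 10`, which raises the level for every client, and the per-machine file smb.conf.machine can then only override it. The main file should carry a low global level (the same hunk says "For most debugging operations, you may not need a setting higher than 3") together with `log file = /usr/local/samba/lib/log.%m` and `include = /usr/local/samba/lib/smb.conf.%m`, and `log level = 10` should be shown as the content of the per-machine file instead.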
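Review bot: in bugreport.html, the example at @@ -61,23 +61,23 @@ sets `max log size = 0`, which removes Samba's size-based log rotation, and writes a separate `/var/log/samba/%U.%m.log` for every user and client combination; the preceding hunk warns that higher levels "may use too much disk space", but nothing in this example says these files grow without bound until removed by hand. Add a sentence saying so, or drop `max log size = 0` from the example.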
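Review bot: in bugreport.html, the hunk at @@ -91,35 +91,35 @@ calls the core file "the most useful tool for tracking down the bug" and then asks for the `where` output in the report; it should say explicitly that only the backtrace and the disassembly belong in a Bugzilla report, not the core file itself, since the core is a memory image of the running smbd and may contain data belonging to the users it was serving at the time.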

    Chapter 34. Advanced Configuration Techniques

    John H. Samba Team Terpstra

    Samba Team

    June 30, 2005

    - - +Chapter 34. Advanced Configuration Techniques

    Chapter 34. Advanced Configuration Techniques

    John H. Samba Team Terpstra

    Samba Team

    June 30, 2005

    + + Since the release of the first edition of this book there have been repeated requests to better document configuration techniques that may help a network administrator to get more out of Samba. Some users have asked for documentation regarding the use of the include = file-name parameter.

    - - + + Commencing around mid-2004 there has been increasing interest in the ability to host multiple Samba servers on one machine. There has also been an interest in the hosting of multiple Samba server personalities on one server.

    - - + + Feedback from technical reviewers made the inclusion of this chapter a necessity. So, here is an answer the questions that have to date not been adequately addressed. Additional user input is welcome as it will help this chapter to mature. What is presented here is just a small beginning.

    - - + + There are a number of ways in which multiple servers can be hosted on a single Samba server. Multiple server hosting makes it possible to host multiple domain controllers on one machine. Each such machine is independent, and each can be stopped or started without affecting another.

    - - + + Sometimes it is desirable to host multiple servers, each with its own security mode. For example, a single UNIX/Linux host may be a domain member server (DMS) as well as a generic anonymous print server. In this case, only domain member machines and domain users can access the DMS, but even guest users can access the generic print server. Another example of a situation where it may be beneficial to host a generic (anonymous) server is to host a CDROM server.

    - - + + Some environments dictate the need to have separate servers, each with their own resources, each of which are accessible only by certain users or groups. This is one of the simple, but highly effective, ways that Samba can replace many physical Windows servers in one Samba installation. -

    Implementation

    -

    Multiple Server Hosting

    - - +

    Implementation

    +

    Multiple Server Hosting

    - - - + + + + + The use of multiple server hosting involves running multiple separate instances of Samba, each with it's own configuration file. This method is complicated by the fact that each instance of nmbd, smbd and winbindd must have write access to entirely separate TDB files. The ability to keep separate the TDB files used by @@ -54,58 +54,58 @@ own default TDB directories, or by configuring these in the smb.conf file, in which case each instance of nmbd, smbd and winbindd must be told to start up with its own smb.conf configuration file.

    - - - - + + + + Each instance should operate on its own IP address (that independent IP address can be an IP Alias). Each instance of nmbd, smbd and winbindd should listen only on its own IP socket. This can be secured using the socket address parameter. Each instance of the Samba server will have its own SID also, this means that the servers are discrete and independent of each other.

    - - - - + + - + + + The user of multiple server hosting is non-trivial, and requires careful configuration of each aspect of process management and start up. The smb.conf parameters that must be carefully configured includes: private dir, pid directory,lock directory, interfaces, bind interfaces only, netbios name, workgroup, socket address.

    - - - + + + Those who elect to create multiple Samba servers should have the ability to read and follow the Samba source code, and to modify it as needed. This mode of deployment is considered beyond the scope of this book. However, if someone will contribute more comprehensive documentation we will gladly review it, and if it is suitable extend this section of this chapter. Until such documentation becomes available the hosting of multiple samba servers on a single host is considered not supported for Samba-3 by the Samba Team. -

    Multiple Virtual Server Personalities

    - - +

    Multiple Virtual Server Personalities

    + + Samba has the ability to host multiple virtual servers, each of which have their own personality. This is achieved by configuring an smb.conf file that is common to all personalities hosted. Each server personality is hosted using its own netbios alias name, and each has its own distinct [global] section. Each server may have its own stanzas for services and meta-services.

    - - - + + + When hosting multiple virtual servers, each with their own personality, each can be in a different workgroup. Only the primary server can be a domain member or a domain controller. The personality is defined by the combination of the security mode it is operating in, the netbios aliases it has, and the workgroup that is defined for it.

    - - - + + + This configuration style can be used either with NetBIOS names, or using NetBIOS-less SMB over TCP services. If run using NetBIOS mode (the most common method) it is important that the parameter smb ports = 139 should be specified in the primary smb.conf file. Failure to do this will result in Samba operating over TCP port 445 and problematic operation at best, and at worst only being able to obtain @@ -114,10 +114,10 @@ the value of this parameter is set at 139 445 then the %L macro is not serviceable.

    - - + + It is possible to host multiple servers, each with their own personality, using port 445 (the NetBIOS-less SMB port), in which case the %i macro can be used to provide separate server identities (by IP Address). Each can have its own security mode. It will be necessary to use the @@ -125,7 +125,7 @@ the netbios name parameters to create the virtual servers. This method is considerably more complex than that using NetBIOS names only using TCP port 139.

    - + Consider an example environment that consists of a standalone, user-mode security Samba server and a read-only Windows 95 file server that has to be replaced. Instead of replacing the Windows 95 machine with a new PC, it is possible to add this server as a read-only anonymous file server that is hosted on the Samba server. Here @@ -135,46 +135,46 @@ The CDROM server is called CDSERVER and its workgroup is ARTSDEPT. A possible implementation is shown here:

    - - + + The smb.conf file for the master server is shown in Elastic smb.conf File. This file is placed in the /etc/samba directory. Only the nmbd and the smbd daemons are needed. When started the server will appear in Windows Network Neighborhood as the machine ELASTIC under the workgroup ROBINSNEST. It is helpful if the Windows clients that must access this server are also in the workgroup ROBINSNEST as this will make browsing much more reliable. -

    Example 34.1. Elastic smb.conf File

    # Global parameters
    [global]
    workgroup = ROBINSNEST
    netbios name = ELASTIC
    netbios aliases = CDSERVER
    smb ports = 139
    printcap name = cups
    disable spoolss = Yes
    show add printer wizard = No
    printing = cups
    include = /etc/samba/smb-%L.conf
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [office]
    comment = Data
    path = /data
    read only = No
    [printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0600
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = No

    - +

    Example 34.1. Elastic smb.conf File

    # Global parameters
    [global]
    workgroup = ROBINSNEST
    netbios name = ELASTIC
    netbios aliases = CDSERVER
    smb ports = 139
    printcap name = cups
    disable spoolss = Yes
    show add printer wizard = No
    printing = cups
    include = /etc/samba/smb-%L.conf
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [office]
    comment = Data
    path = /data
    read only = No
    [printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0600
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = No

    + The configuration file for the CDROM server is listed in CDROM Server smb-cdserver.conf file. This file is called smb-cdserver.conf and it should be located in the /etc/samba directory. Machines that are in the workgroup ARTSDEPT will be able to browse this server freely. -

    Example 34.2. CDROM Server smb-cdserver.conf file

    # Global parameters
    [global]
    workgroup = ARTSDEPT
    netbios name = CDSERVER
    map to guest = Bad User
    guest ok = Yes
    [carousel]
    comment = CDROM Share
    path = /export/cddata
    read only = Yes
    guest ok = Yes

    - - +

    Example 34.2. CDROM Server smb-cdserver.conf file

    # Global parameters
    [global]
    workgroup = ARTSDEPT
    netbios name = CDSERVER
    map to guest = Bad User
    guest ok = Yes
    [carousel]
    comment = CDROM Share
    path = /export/cddata
    read only = Yes
    guest ok = Yes

    + + The two servers have different resources and are in separate workgroups. The server ELASTIC can only be accessed by uses who have an appropriate account on the host server. All users will be able to access the CDROM data that is stored in the /export/cddata directory. File system permissions should set so that the others user has read-only access to the directory and its contents. The files can be owned by root (any user other than the nobody account). -

    Multiple Virtual Server Hosting

    - - +

    Multiple Virtual Server Hosting

    + + In this example, the requirement is for a primary domain controller for the domain called MIDEARTH. The PDC will be called MERLIN. An extra machine called SAURON is required. Each machine will have only its own shares. Both machines belong to the same domain/workgroup.

    - - + + The master smb.conf file is shown in the Master smb.conf File Global Section. The two files that specify the share information for each server are shown in the smb-merlin.conf File Share Section, and the smb-sauron.conf File Share Section. All three files are locate in the /etc/samba directory. -

    Example 34.3. Master smb.conf File Global Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = MERLIN
    netbios aliases = SAURON
    passdb backend = tdbsam
    smb ports = 139
    syslog = 0
    printcap name = CUPS
    show add printer wizard = No
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
    logon script = scripts\login.bat
    logon path =
    logon drive = X:
    domain logons = Yes
    preferred master = Yes
    wins support = Yes
    printing = CUPS
    include = /etc/samba/smb-%L.conf

    Example 34.4. MERLIN smb-merlin.conf File Share Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = MERLIN
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [office]
    comment = Data
    path = /data
    read only = No
    [netlogon]
    comment = NETLOGON
    path = /var/lib/samba/netlogon
    read only = Yes
    browseable = No
    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    use client driver = Yes
    browseable = No

    Example 34.5. SAURON smb-sauron.conf File Share Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = SAURON
    [www]
    comment = Web Pages
    path = /srv/www/htdocs
    read only = No

    +

    Example 34.3. Master smb.conf File Global Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = MERLIN
    netbios aliases = SAURON
    passdb backend = tdbsam
    smb ports = 139
    syslog = 0
    printcap name = CUPS
    show add printer wizard = No
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
    logon script = scripts\login.bat
    logon path =
    logon drive = X:
    domain logons = Yes
    preferred master = Yes
    wins support = Yes
    printing = CUPS
    include = /etc/samba/smb-%L.conf

    Example 34.4. MERLIN smb-merlin.conf File Share Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = MERLIN
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [office]
    comment = Data
    path = /data
    read only = No
    [netlogon]
    comment = NETLOGON
    path = /var/lib/samba/netlogon
    read only = Yes
    browseable = No
    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    use client driver = Yes
    browseable = No

    Example 34.5. SAURON smb-sauron.conf File Share Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = SAURON
    [www]
    comment = Web Pages
    path = /srv/www/htdocs
    read only = No
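Review bot: this hunk is a whitespace-only regeneration of the rendered HTML; Examples 34.3, 34.4 and 34.5 are reproduced verbatim on the removed and added sides, so the only thing to verify is that the rendered text did not change, and it did not. Since the page was regenerated anyway, the context sentence "All three files are locate in the /etc/samba directory" should read "are located in". Nothing in the example configurations themselves changed between pre2 and rc1.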

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/ch47.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/ch47.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/ch47.html 2009-06-02 09:50:08.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/ch47.html 2009-06-19 11:15:02.000000000 +0200 @@ -1,9 +1,9 @@ -Chapter 47. Samba Support

    Chapter 47. Samba Support

    - +Chapter 47. Samba Support

    Chapter 47. Samba Support

    + One of the most difficult to answer questions in the information technology industry is, “What is support?”. That question irritates some folks, as much as common answers may annoy others.

    - + The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to an Internet service provider who, instead of listening to the problem to find a solution, blandly replies: “Oh, Linux? We do not support Linux!”. It has happened to me, and similar situations happen @@ -15,50 +15,50 @@ at the right time, no matter the situation. Support is all that it takes to take away pain, disruption, inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk.

    - - - + + + One of the forces that has become a driving force for the adoption of open source software is the fact that many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or that have been found wanting for other reasons.

    - - + + In recognition of the need for needs satisfaction as the primary experience an information technology user or consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience in respect of problem resolution.

    - - - + + + In the open source software arena there are two support options: free support and paid-for (commercial) support. -

    Free Support

    - - - - - - +

    Free Support

    + + + + + + Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user supported mutual assistance.

    - - - - - + + + + + The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments. Information regarding subscription to the Samba mailing list can be found on the Samba web site. The public mailing list that can be used to obtain free, user contributed, support is called the samba list. The email address for this list is at mail:samba@samba.org. Information regarding the Samba IRC channels may be found on the Samba IRC web page.

    - - - - + + + + As a general rule, it is considered poor net behavior to contact a Samba Team member directly for free support. Most active members of the Samba Team work exceptionally long hours to assist users who have demonstrated a qualified problem. Some team members may respond to direct email @@ -66,9 +66,9 @@ Team members actually provide professional paid-for Samba support and it is therefore wise to show appropriate discretion and reservation in all direct contact.

    - - - + + + When you stumble across a Samba bug, often the quickest way to get it resolved is by posting a bug report. All such reports are mailed to the responsible code maintainer for action. The better the report, and the more serious it is, @@ -76,16 +76,16 @@ the reported bug it is likely to be rejected. It is up to you to provide sufficient information that will permit the problem to be reproduced.

    - + We all recognize that sometimes free support does not provide the answer that is sought within the time-frame required. At other times the problem is elusive and you may lack the experience necessary to isolate the problem and thus to resolve it. This is a situation where is may be prudent to purchase paid-for support. -

    Commercial Support

    +

    Commercial Support

    There are six basic support oriented services that are most commonly sought by Samba sites:

    • Assistance with network design

    • Staff Training

    • Assistance with Samba network deployment and installation

    • Priority telephone or email Samba configuration assistance

    • Trouble-shooting and diagnostic assistance

    • Provision of quality assured ready-to-install Samba binary packages

    - - + + Information regarding companies that provide professional Samba support can be obtained by performing a Google search, as well as by reference to the Samba Support web page. Companies who notify the Samba Team that they provide commercial support are given a free listing that is sorted by the country of origin. @@ -93,13 +93,13 @@ provider and to satisfy yourself that both the company and its staff are able to deliver what is required of them.

    - + The policy within the Samba Team is to treat all commercial support providers equally and to show no preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else. You are encouraged to obtain the services needed from a company in your local area. The open source movement is pro-community; so do what you can to help a local business to prosper.

    - + Open source software support can be found in any quality, at any price and in any place you can to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for suffering in the mistaken belief that Samba is unsupported software it is supported. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/ChangeNotes.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/ChangeNotes.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/ChangeNotes.html 2009-06-02 09:49:40.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/ChangeNotes.html 2009-06-19 11:14:33.000000000 +0200 @@ -1,10 +1,10 @@ -Chapter 9. Important and Critical Change Notes for the Samba 3.x Series
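Review bot: the ch47.html (Samba Support) hunks above change only leading whitespace in the rendered markup; the visible text is identical on both sides. Documentation defects in the unchanged context lines that the regeneration could have picked up: "interactive dacility" should be "interactive facility"; "This is a situation where is may be prudent" should be "where it may be prudent"; the rendered link text "mail:samba@samba.org" looks like a broken mailto: reference and should be checked in the source; and the final sentence "the mistaken belief that Samba is unsupported software it is supported" needs a sentence break or semicolon before "it is supported".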

    Chapter 9. Important and Critical Change Notes for the Samba 3.x Series

    John H. Samba Team Terpstra

    Samba Team

    Gerald (Jerry) Samba Team Carter

    Samba Team

    +Chapter 9. Important and Critical Change Notes for the Samba 3.x Series

    Chapter 9. Important and Critical Change Notes for the Samba 3.x Series

    John H. Samba Team Terpstra

    Samba Team

    Gerald (Jerry) Samba Team Carter

    Samba Team

    Please read this chapter carefully before update or upgrading Samba. You should expect to find only critical or very important information here. Comprehensive change notes and guidance information can be found in the section Updating and Upgrading Samba. -

    Important Samba-3.2.x Change Notes

    +

    Important Samba-3.2.x Change Notes

    !!!!!!!!!!!!Add all critical update notes here!!!!!!!!!!!!! -

    Important Samba-3.0.x Change Notes

    +

    Important Samba-3.0.x Change Notes

    These following notes pertain in particular to Samba 3.0.23 through Samba 3.0.25c (or more recent 3.0.25 update). Samba is a fluid and ever changing project. Changes throughout the 3.0.x series release are documented in this documention - See Upgrading from Samba-2.x to Samba-3.0.25. @@ -21,35 +21,35 @@

    This chapter is new to the release of the HOWTO for Samba 3.0.23. It includes much of the notes provided in the WHATSNEW.txt file that is included with the Samba source code release tarball. -

    User and Group Changes

    +

    User and Group Changes

    The change documented here affects unmapped user and group accounts only.

    - - - - - + + + + + The user and group internal management routines have been rewritten to prevent overlaps of assigned Relative Identifiers (RIDs). In the past the has been a potential problem when either manually mapping Unix groups with the net groupmap command or when migrating a Windows domain to a Samba domain by executing: net rpc vampire.

    - - - - + + + + Unmapped users are now assigned a SID in the S-1-22-1 domain and unmapped groups are assigned a SID in the S-1-22-2 domain. Previously they were assigned a RID within the SAM on the Samba server. For a domain controller this would have been under the authority of the domain SID where as on a member server or standalone server, this would have been under the authority of the local SAM (see the man page for net getlocalsid).

    - - - - - + + + + + The result is that any unmapped users or groups on an upgraded Samba domain controller may be assigned a new SID. Because the SID rather than a name is stored in Windows security descriptors, this can cause a user to no longer have access to a resource for example if a @@ -59,19 +59,19 @@

    An example helps to illustrate the change:

    - - - - + + + + Assume that a group named developers exists with a UNIX GID of 782. In this case this user does not exist in Samba's group mapping table. It would be perfectly normal for this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID might appear as S-1-5-21-647511796-4126122067-3123570092-2565.

    - - - - + + + + With the release of Samba-3.0.23, the group SID would be reported as S-1-22-2-782. Any security descriptors associated with files stored on a Windows NTFS disk partition will not allow access based on the group permissions if the user was not a member of the @@ -79,13 +79,13 @@ S-1-22-2-782 and not reported in a user's token, Windows would fail the authorization check even though both SIDs in some respect refer to the same UNIX group.

    - - + + The workaround for versions of Samba prior to 3.0.23, is to create a manual domain group mapping entry for the group developers to point at the S-1-5-21-647511796-4126122067-3123570092-2565 SID. With the release of Samba-3.0.23 this workaround is no longer needed. -

    Essential Group Mappings

    +

    Essential Group Mappings

    Samba 3.0.x series releases before 3.0.23 automatically created group mappings for the essential Windows domain groups Domain Admins, Domain Users, Domain Guests. Commencing with Samba 3.0.23 these mappings need to be created by the Samba administrator. Failure to do this may result in a failure to @@ -102,39 +102,39 @@

    For further information regarding group mappings see Group Mapping: MS Windows and UNIX. -

    Passdb Changes

    - - - - +

    Passdb Changes

    + + + + The passdb backend parameter no long accepts multiple passdb backends in a chained configuration. Also be aware that the SQL and XML based passdb modules have been removed in the Samba-3.0.23 release. More information regarding external support for a SQL passdb module can be found on the pdbsql web site. -

    Group Mapping Changes in Samba-3.0.23

    - - - - - - - - - - - +

    Group Mapping Changes in Samba-3.0.23

    + + + + + + + + + + + The default mapping entries for groups such as Domain Admins are no longer created when using an smbpasswd file or a tdbsam passdb backend. This means that it is necessary to explicitly execute the net groupmap add to create group mappings, rather than use the net groupmap modify method to create the Windows group SID to UNIX GID mappings. This change has no effect on winbindd's IDMAP functionality for domain groups. -

    LDAP Changes in Samba-3.0.23

    - - - - - +

    LDAP Changes in Samba-3.0.23

    + + + + + There has been a minor update the Samba LDAP schema file. A substring matching rule has been added to the sambaSID attribute definition. For OpenLDAP servers, this will require the addition of index sambaSID sub to the diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html 2009-06-02 09:50:08.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html 2009-06-19 11:15:01.000000000 +0200 @@ -1,40 +1,40 @@ Chapter 46. LDAP and Transport Layer Security
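Review bot: the placeholder "!!!!!!!!!!!!Add all critical update notes here!!!!!!!!!!!!!" under "Important Samba-3.2.x Change Notes" survives unchanged on both sides of the ChangeNotes.html hunk into a release candidate; it should be replaced with the actual 3.2.x notes or the empty section removed before 3.4.0 ships. The substantive content in the unchanged context lines is security-relevant and worth preserving exactly: unmapped users and groups move to the S-1-22-1 and S-1-22-2 authorities, so security descriptors that store the old domain-relative SID stop matching, the Domain Admins/Domain Users/Domain Guests mappings must now be created by the administrator, and chained passdb backends are no longer accepted. Minor wording fixes in those same context lines: "before update or upgrading" ("updating or upgrading"), "In the past the has been" ("there has been"), "documention" ("documentation"), "where as" ("whereas"), and "a minor update the Samba LDAP schema file" ("update to").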

    Chapter 46. LDAP and Transport Layer Security

    Gavin Suretec Systems Limited, UK Henry

    Suretec Systems Limited, UK

    July 8, 2005

    Introduction

    - - + + Up until now, we have discussed the straightforward configuration of OpenLDAP™, with some advanced features such as ACLs. This does not however, deal with the fact that the network transmissions are still in plain text. This is where Transport Layer Security (TLS) comes in.

    - + OpenLDAP™ clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections in accordance with RFC 2830; Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security.

    - + TLS uses X.509 certificates. All servers are required to have valid certificates, whereas client certificates are optional. We will only be discussing server certificates.

    Tip

    - - - + + + The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the server's fully qualified domain name (FQDN). Additional alias names and wildcards may be present in the subjectAltName certificate extension. More details on server certificate names are in RFC2830.

    We will discuss this more in the next sections.

    Configuring

    - + Now on to the good bit.

    Generating the Certificate Authority

    - + In order to create the relevant certificates, we need to become our own Certificate Authority (CA). - [8] This is necessary, so we can sign the server certificate. + [8] This is necessary, so we can sign the server certificate.

    - - We will be using the OpenSSL [9] software for this, which is included with every great Linux® distribution. + + We will be using the OpenSSL [9] software for this, which is included with every great Linux® distribution.

    - TLS is used for many types of servers, but the instructions[10] presented here, are tailored for OpenLDAP. + TLS is used for many types of servers, but the instructions[10] presented here, are tailored for OpenLDAP.

    Note

    The Common Name (CN), in the following example, MUST be the fully qualified domain name (FQDN) of your ldap server. @@ -51,7 +51,7 @@ root# cd myCA

    - Now generate the CA:[11] + Now generate the CA:[11]

     
     root#  /usr/share/ssl/misc/CA.pl -newca
    @@ -209,7 +209,7 @@
     	

    That's all there is to it. Now on to the section called “Testing”

    Testing

    - + This is the easy part. Restart the server:

     
    @@ -220,7 +220,7 @@
     
     

    Then, using ldapsearch, test an anonymous search with the - -ZZ[12] option: + -ZZ[12] option:

     
     root#  ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \
    @@ -265,7 +265,7 @@
     

    If you have any problems, please read the section called “Troubleshooting”

    Troubleshooting

    - + The most common error when configuring TLS, as I have already mentioned numerous times, is that the Common Name (CN) you entered in the section called “Generating the Server Certificate” is NOT the Fully Qualified Domain Name (FQDN) of your ldap server. @@ -275,13 +275,13 @@ files. They should be set with chmod 640, as per the section called “Installing the Certificates”.

    For anything else, it's best to read through your ldap logfile or join the OpenLDAP mailing list. -



    [8] We could however, get our generated server certificate signed by proper CAs, like Thawte and VeriSign, which +



    [8] We could however, get our generated server certificate signed by proper CAs, like Thawte and VeriSign, which you pay for, or the free ones, via CAcert -

    [9] The downside to +

    [9] The downside to making our own CA, is that the certificate is not automatically recognized by clients, like the commercial - ones are.

    [10] For information straight from the + ones are.

    [10] For information straight from the horse's mouth, please visit http://www.openssl.org/docs/HOWTO/; the main OpenSSL - site.

    [11] Your CA.pl or CA.sh might not be + site.

    [11] Your CA.pl or CA.sh might not be in the same location as mine is, you can find it by using the locate command, i.e., locate CA.pl. If the command complains about the database being too old, run - updatedb as root to update it.

    [12] See man ldapsearch

    + updatedb as root to update it.

    [12] See man ldapsearch

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/classicalprinting.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/classicalprinting.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/classicalprinting.html 2009-06-02 09:49:50.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/classicalprinting.html 2009-06-19 11:14:43.000000000 +0200 @@ -1,22 +1,22 @@ -Chapter 21. Classical Printing Support
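Review bot: the ch-ldap-tls.html hunks change only the footnote anchor markup for notes [8] through [12] and surrounding whitespace; the rendered footnote text and the body text are identical on both sides, so no semantic review is needed. The guidance in the context lines is what a reviewer would want kept intact and it is: the server certificate CN must be the LDAP server's FQDN (with aliases going in subjectAltName, per the RFC 2830 reference), the certificate and key files are to be installed with chmod 640, and the ldapsearch test uses -ZZ, which requires the StartTLS negotiation to succeed rather than silently falling back to plaintext.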

    Chapter 21. Classical Printing Support

    Kurt Danka Deutschland GmbH Pfeifle

    Danka Deutschland GmbH

    Gerald (Jerry) Samba Team Carter

    Samba Team

    John H. Samba Team Terpstra

    Samba Team

    May 31, 2003

    Table of Contents

    Features and Benefits
    Technical Introduction
    Client to Samba Print Job Processing
    Printing-Related Configuration Parameters
    Simple Print Configuration
    Verifying Configuration with testparm
    Rapid Configuration Validation
    Extended Printing Configuration
    Detailed Explanation Settings
    Printing Developments Since Samba-2.2
    Point'n'Print Client Drivers on Samba Servers
    The Obsoleted [printer$] Section
    Creating the [print$] Share
    [print$] Stanza Parameters
    The [print$] Share Directory
    Installing Drivers into [print$]
    Add Printer Wizard Driver Installation
    Installing Print Drivers Using rpcclient
    Client Driver Installation Procedure
    First Client Driver Installation
    Setting Device Modes on New Printers
    Additional Client Driver Installation
    Always Make First Client Connection as root or printer admin
    Other Gotchas
    Setting Default Print Options for Client Drivers
    Supporting Large Numbers of Printers
    Adding New Printers with the Windows NT APW
    Error Message: Cannot connect under a different Name
    Take Care When Assembling Driver Files
    Samba and Printer Ports
    Avoiding Common Client Driver Misconfiguration
    The Imprints Toolset
    What Is Imprints?
    Creating Printer Driver Packages
    The Imprints Server
    The Installation Client
    Adding Network Printers without User Interaction
    The addprinter Command
    Migration of Classical Printing to Samba
    Publishing Printer Information in Active Directory or LDAP
    Common Errors
    I Give My Root Password but I Do Not Get Access
    My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost

    Features and Benefits

    - +Chapter 21. Classical Printing Support

    Chapter 21. Classical Printing Support

    Kurt Danka Deutschland GmbH Pfeifle

    Danka Deutschland GmbH

    Gerald (Jerry) Samba Team Carter

    Samba Team

    John H. Samba Team Terpstra

    Samba Team

    May 31, 2003

    Table of Contents

    Features and Benefits
    Technical Introduction
    Client to Samba Print Job Processing
    Printing-Related Configuration Parameters
    Simple Print Configuration
    Verifying Configuration with testparm
    Rapid Configuration Validation
    Extended Printing Configuration
    Detailed Explanation Settings
    Printing Developments Since Samba-2.2
    Point'n'Print Client Drivers on Samba Servers
    The Obsoleted [printer$] Section
    Creating the [print$] Share
    [print$] Stanza Parameters
    The [print$] Share Directory
    Installing Drivers into [print$]
    Add Printer Wizard Driver Installation
    Installing Print Drivers Using rpcclient
    Client Driver Installation Procedure
    First Client Driver Installation
    Setting Device Modes on New Printers
    Additional Client Driver Installation
    Always Make First Client Connection as root or printer admin
    Other Gotchas
    Setting Default Print Options for Client Drivers
    Supporting Large Numbers of Printers
    Adding New Printers with the Windows NT APW
    Error Message: Cannot connect under a different Name
    Take Care When Assembling Driver Files
    Samba and Printer Ports
    Avoiding Common Client Driver Misconfiguration
    The Imprints Toolset
    What Is Imprints?
    Creating Printer Driver Packages
    The Imprints Server
    The Installation Client
    Adding Network Printers without User Interaction
    The addprinter Command
    Migration of Classical Printing to Samba
    Publishing Printer Information in Active Directory or LDAP
    Common Errors
    I Give My Root Password but I Do Not Get Access
    My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost

    Features and Benefits

    + Printing is often a mission-critical service for the users. Samba can provide this service reliably and seamlessly for a client network consisting of Windows workstations.

    - - - - - - - - - - - - - - + + + + + + + + + + + + + + A Samba print service may be run on a standalone or domain member server, side by side with file serving functions, or on a dedicated print server. It can be made as tightly or as loosely secured as needs dictate. Configurations may be simple or complex. Available authentication schemes are essentially the same as @@ -30,23 +30,23 @@ page and supplying the raw data for all sorts of statistical reports) is required, this function is best supported by the newer Common UNIX Printing System (CUPS) as the print subsystem underneath the Samba hood.

    - - + + This chapter outlines the fundamentals of Samba printing as implemented by the more traditional UNIX BSD- and System V-style printing systems. Much of the information in this chapter applies also to CUPS. If you use CUPS, you may be tempted to jump to the next chapter, but you will certainly miss a few things if you do. For further information refer to CUPS Printing Support.

    Note

    - - - + + + Most of the following examples have been verified on Windows XP Professional clients. Where this document describes the responses to commands given, bear in mind that Windows 200x/XP clients are quite similar but may differ in minor details. Windows NT4 is somewhat different again. -

    Technical Introduction

    - - - +

    Technical Introduction

    + + + Samba's printing support always relies on the installed print subsystem of the UNIX OS it runs on. Samba is a middleman. It takes print files from Windows (or other SMB) clients and passes them to the real printing system for further processing; therefore, it needs to communicate with both sides: the Windows print @@ -54,42 +54,42 @@ of which behave differently, as well as the various UNIX print subsystems, which themselves have different features and are accessed differently.

    - - + + This chapter deals with the traditional way of UNIX printing. The next chapter covers in great detail the more modern CUPS.

    Important

    - + CUPS users, be warned: do not just jump on to the next chapter. You might miss important information only found here!

    - - - - + + + + It is apparent from postings on the Samba mailing list that print configuration is one of the most problematic aspects of Samba administration today. Many new Samba administrators have the impression that Samba performs some sort of print processing. Rest assured, Samba does not perform any type of print processing. It does not do any form of print filtering.

    - - - - + + + + Samba obtains from its clients a data stream (print job) that it spools to a local spool area. When the entire print job has been received, Samba invokes a local UNIX/Linux print command and passes the spooled file to it. It is up to the local system printing subsystems to correctly process the print job and to submit it to the printer. -

    Client to Samba Print Job Processing

    +

    Client to Samba Print Job Processing

    Successful printing from a Windows client via a Samba print server to a UNIX printer involves six (potentially seven) stages:

    1. Windows opens a connection to the printer share.

    2. Samba must authenticate the user.

    3. Windows sends a copy of the print file over the network into Samba's spooling area.

    4. Windows closes the connection.

    5. Samba invokes the print command to hand the file over to the UNIX print subsystem's spooling area.

    6. The UNIX print subsystem processes the print job.

    7. The print file may need to be explicitly deleted from the Samba spooling area. This item depends on your print spooler - configuration settings.

    Printing-Related Configuration Parameters

    - - - + configuration settings.

    Printing-Related Configuration Parameters

    + + + There are a number of configuration parameters to control Samba's printing behavior. Please refer to the man page for smb.conf for an overview of these. As with other parameters, there are global-level (tagged with a G in the listings) and service-level (S) parameters. @@ -103,20 +103,20 @@ or service-level shares (provided they do not have a different setting defined for the same parameter, thus overriding the global default). -

    Simple Print Configuration

    - - - - +

    Simple Print Configuration

    + + + + Simple Configuration with BSD Printing shows a simple printing configuration. If you compare this with your own, you may find additional parameters that have been preconfigured by your OS vendor. Following is a discussion and explanation of the parameters. This example does not use many parameters. However, in many environments these are enough to provide a valid smb.conf file that enables all clients to print. -

    Example 21.1. Simple Configuration with BSD Printing

    [global]
    printing = bsd
    load printers = yes
    [printers]
    path = /var/spool/samba
    printable = yes
    public = yes
    writable = no

    - - - +

    Example 21.1. Simple Configuration with BSD Printing

    [global]
    printing = bsd
    load printers = yes
    [printers]
    path = /var/spool/samba
    printable = yes
    public = yes
    writable = no

    + + + This is only an example configuration. Samba assigns default values to all configuration parameters. The defaults are conservative and sensible. When a parameter is specified in the smb.conf file, this overwrites the default value. The testparm utility when run as root is capable of reporting all @@ -124,26 +124,26 @@ misconfigured settings. The complete output is easily 360 lines and more, so you may want to pipe it through a pager program.

    - - - + + + The syntax for the configuration file is easy to grasp. You should know that is not very picky about its syntax. As has been explained elsewhere in this book, Samba tolerates some spelling errors (such as browseable instead of browsable), and spelling is case-insensitive. It is permissible to use Yes/No or True/False for Boolean settings. Lists of names may be separated by commas, spaces, or tabs. -

    Verifying Configuration with testparm

    - - - - - - - +

    Verifying Configuration with testparm

    + - - - + + + + + + + + + To see all (or at least most) printing-related settings in Samba, including the implicitly used ones, try the command outlined below. This command greps for all occurrences of lp, print, spool, driver, @@ -194,11 +194,11 @@ The testparm in Samba-3 behaves differently from that in 2.2.x: used without the “-v” switch, it only shows you the settings actually written into! To see the complete configuration used, add the “-v” parameter to testparm. -

    Rapid Configuration Validation

    - - - - +

    Rapid Configuration Validation

    + + + + Should you need to troubleshoot at any stage, please always come back to this point first and verify if testparm shows the parameters you expect. To give you a warning from personal experience, try to just comment out the load printers parameter. If your 2.2.x system behaves like @@ -211,8 +211,8 @@ root# testparm -v /etc/samba/smb.conf | egrep "(load printers)" load printers = Yes

    - - + + I assumed that commenting out of this setting should prevent Samba from publishing my printers, but it still did. It took some time to figure out the reason. But I am no longer fooled ... at least not by this. @@ -226,7 +226,7 @@ root# testparm -s -v smb.conf.simpleprinting | egrep "(load printers)" load printers = No

    - + Only when the parameter is explicitly set to load printers = No would Samba conform with my intentions. So, my strong advice is:

    • Never rely on commented-out parameters.

    • Always set parameters explicitly as you intend them to @@ -237,8 +237,8 @@ root# cat /etc/samba/smb.conf-minimal [printers]

      - - + + This example should show that you can use testparm to test any Samba configuration file. Actually, we encourage you not to change your working system (unless you know exactly what you are doing). Don't rely on the assumption that changes will only take effect after you restart smbd! @@ -276,10 +276,10 @@

      testparm issued two warnings:

      • We did not specify the [printers] section as printable.

      • We did not tell Samba which spool directory to use.

      - - - - + + + + However, this was not fatal, and Samba will default to values that will work. Please, do not rely on this and do not use this example. This was included to encourage you to be careful to design and specify your setup to do precisely what you require. The outcome on your system may vary for some parameters given, since Samba may @@ -288,15 +288,15 @@ put the comment sign at the front). At first I regarded this as a bug in my Samba versions. But the man page clearly says: Internal whitespace in a parameter value is retained verbatim. This means that a line consisting of, for example, -

      # This defines LPRng as the printing system
      printing = lprng

      +

      # This defines LPRng as the printing system
      printing = lprng

      will regard the whole of the string after the = sign as the value you want to define. This is an invalid value that will be ignored, and a default value will be used in its place. -

    Extended Printing Configuration

    - - - - +

    Extended Printing Configuration

    + + + + Extended BSD Printing Configuration shows a more verbose configuration for print-related settings in a BSD-style printing environment. What follows is a discussion and explanation of the various parameters. We chose to use BSD-style printing here because it is still the most commonly used @@ -304,22 +304,22 @@ separate chapter. The example explicitly names many parameters that do not need to be specified because they are set by default. You could use a much leaner smb.conf file, or you can use testparm or SWAT to optimize the smb.conf file to remove all parameters that are set at default. -

    Example 21.2. Extended BSD Printing Configuration

    [global]
    printing = bsd
    load printers = yes
    show add printer wizard = yes
    printcap name = /etc/printcap
    printer admin = @ntadmin, root
    max print jobs = 100
    lpq cache time = 20
    use client driver = no
    [printers]
    comment = All Printers
    printable = yes
    path = /var/spool/samba
    browseable = no
    guest ok = yes
    public = yes
    read only = yes
    writable = no
    [my_printer_name]
    comment = Printer with Restricted Access
    path = /var/spool/samba_my_printer
    printer admin = kurt
    browseable = yes
    printable = yes
    writable = no
    hosts allow = 0.0.0.0
    hosts deny = turbo_xp, 10.160.50.23, 10.160.51.60
    guest ok = no

    - - - +

    Example 21.2. Extended BSD Printing Configuration

    [global]
    printing = bsd
    load printers = yes
    show add printer wizard = yes
    printcap name = /etc/printcap
    printer admin = @ntadmin, root
    max print jobs = 100
    lpq cache time = 20
    use client driver = no
    [printers]
    comment = All Printers
    printable = yes
    path = /var/spool/samba
    browseable = no
    guest ok = yes
    public = yes
    read only = yes
    writable = no
    [my_printer_name]
    comment = Printer with Restricted Access
    path = /var/spool/samba_my_printer
    printer admin = kurt
    browseable = yes
    printable = yes
    writable = no
    hosts allow = 0.0.0.0
    hosts deny = turbo_xp, 10.160.50.23, 10.160.51.60
    guest ok = no

    + + + This is an example configuration. You may not find all the settings that are in the configuration file that was provided by the OS vendor. Samba configuration parameters, if not explicitly set, default to a sensible value. To see all settings, as root use the testparm utility. testparm gives warnings for misconfigured settings. -

    Detailed Explanation Settings

    +

    Detailed Explanation Settings

    The following is a discussion of the settings from Extended BSD Printing Configuration Extended BSD Printing Configuration. -

    The [global] Section

    - - - - +

    The [global] Section
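Review bot: hosts allow = 0.0.0.0 in [my_printer_name] (Example 21.2) does not mean "all hosts": an address without a trailing dot or a /netmask is an exact match, and once a hosts allow list exists every client not on it is refused (127.0.0.1 excepted), so as written the share admits no real client and hosts deny is never consulted. Either drop the hosts allow line so that hosts deny alone applies, or list the permitted networks (for instance "hosts allow = 10.160.50., 10.160.51."). Two smaller points in the same example: printer admin, used here in [global] and in [my_printer_name], is deprecated in the 3.0.x series in favour of granting SePrintOperatorPrivilege (net rpc rights grant), which a chapter shipping with 3.4 should at least mention; and "read only = yes" next to "writable = no", and "guest ok = yes" next to "public = yes", are pairs of synonyms (the text under writable = no says so itself), so each pair can lose one line.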

    + + + + The [global] section is one of four special sections (along with [homes], [printers], and [print$]). The [global] contains all parameters that apply to the server as a whole. It is the place for parameters that have only a global meaning. It may also contain service-level parameters that define @@ -327,33 +327,33 @@ setting the same value repeatedly. (Within each individual section or share, you may, however, override these globally set share settings and specify other values).

    printing = bsd

    - - - - - - - - + + - - + + + + + + + + Causes Samba to use default print commands applicable for the BSD (also known as RFC 1179 style or LPR/LPD) printing system. In general, the printing parameter informs Samba about the print subsystem it should expect. Samba supports CUPS, LPD, LPRNG, SYSV, HPUX, AIX, QNX, and PLP. Each of these systems defaults to a different print command (and other queue control commands).

    Caution

    - - + + The printing parameter is normally a service-level parameter. Since it is included here in the [global] section, it will take effect for all printer shares that are not defined differently. Samba-3 no longer supports the SOFTQ printing system.

    load printers = yes

    - - - - + + + + Tells Samba to create automatically all available printer shares. Available printer shares are discovered by scanning the printcap file. All created printer shares are also loaded for browsing. If you use this parameter, you do not need to specify separate shares for each printer. Each automatically created printer @@ -361,11 +361,11 @@ load printers = no setting will allow you to specify each UNIX printer you want to share separately, leaving out some you do not want to be publicly visible and available).

    show add printer wizard = yes

    - - - - - + + + + + Setting is normally enabled by default (even if the parameter is not specified in smb.conf). It causes the Add Printer Wizard icon to appear in the Printers folder of the Samba host's share listing (as shown in Network Neighborhood or by the net @@ -374,23 +374,23 @@ the [print$] share and associate it with a printer (if the respective queue exists before the action), or exchange a printer's driver for any other previously uploaded driver.

    max print jobs = 100

    - + Sets the upper limit to 100 print jobs being active on the Samba server at any one time. Should a client submit a job that exceeds this number, a "no more space available on server" type of error message will be returned by Samba to the client. A setting of zero (the default) means there is no limit at all.

    printcap name = /etc/printcap

    - - - + + + Tells Samba where to look for a list of available printer names. Where CUPS is used, make sure that a printcap file is written. This is controlled by the Printcap directive in the cupsd.conf file.
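Review bot: "A setting of zero (the default) means there is no limit at all" under max print jobs is out of date: zero does disable the check, but the built-in default in Samba 3 is max print jobs = 1000 (see smb.conf(5)), so a server that never sets the parameter starts returning the "no more space" error at 1000 jobs, not never. Replace "(the default)" with a statement of the 1000 default and keep the note that 0 disables the limit.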

    printer admin = @ntadmin

    - - - - + + + + Members of the ntadmin group should be able to add drivers and set printer properties (ntadmin is only an example name; it needs to be a valid UNIX group name); root is implicitly always a printer admin. The @ sign precedes group names @@ -399,20 +399,20 @@ Samba-2.2). In larger installations, the printer admin parameter is normally a per-share parameter. This permits different groups to administer each printer share.

    lpq cache time = 20

    - - + + Controls the cache time for the results of the lpq command. It prevents the lpq command being called too often and reduces the load on a heavily used print server.

    use client driver = no

    - + If set to yes, only takes effect for Windows NT/200x/XP clients (and not for Win 95/98/ME). Its default value is No (or False). It must not be enabled on print shares (with a yes or true setting) that have valid drivers installed on the Samba server. For more detailed explanations, see the smb.conf man page.

    The [printers] Section

    - - + + The printers section is the second special section. If a section with this name appears in the smb.conf, users are able to connect to any printer specified in the Samba host's printcap file, because Samba on startup then creates a printer share for every printer name it finds in the printcap file. You could regard this @@ -468,9 +468,9 @@ connection), but only via print spooling operations. Normal write operations are not permitted.

    writable = no

    Is a synonym for read only = yes. -

    Any [my_printer_name] Section

    - - +

    Any [my_printer_name] Section

    + + If a [my_printer_name] section appears in the smb.conf file, which includes the parameter printable = yes Samba will configure it as a printer share. Windows 9x/Me clients may have problems with connecting or loading printer drivers if the share name has more @@ -502,11 +502,11 @@ you can see, you could name IP addresses as well as NetBIOS hostnames here.

    guest ok = no

    This printer is not open for the guest account. -
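Review bot: "you could name IP addresses as well as NetBIOS hostnames here" is misleading for hosts allow/hosts deny: a name in those lists is compared against the client's hostname obtained by reverse lookup through the system resolver, and only when hostname lookups = yes (the default is no), so the NetBIOS name turbo_xp in hosts deny will normally never match and that client is not excluded at all. Either give that client's IP address, as the other two entries do, or state the hostname lookups requirement and that the name must be resolvable by reverse DNS, not by NetBIOS.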

    Print Commands

    - - - - +

    Print Commands

    + + + + In each section defining a printer (or in the [printers] section), a print command parameter may be defined. It sets a command to process the files that have been placed into the Samba print spool directory for that printer. (That spool directory was, @@ -518,8 +518,8 @@ to debug printing. If you craft your own print commands (or even develop print command shell scripts), make sure you pay attention to the need to remove the files from the Samba spool directory. Otherwise, your hard disk may soon suffer from shortage of free space. -

    Default UNIX System Printing Commands

    - +

    Default UNIX System Printing Commands

    + You learned earlier that Samba, in most cases, uses its built-in settings for many parameters if it cannot find an explicitly stated one in its configuration file. The same is true for the print command. The default print command varies depending on the printing parameter setting. In the commands listed in Default Printing Settings , you will @@ -528,29 +528,29 @@ explained in more detail in Default Printing Settings presents an overview of key printing options but excludes the special case of CUPS, is discussed in CUPS Printing Support.

    Table 21.1. Default Printing Settings

    SettingDefault Printing Commands
    printing = bsd|aix|lprng|plpprint command is lpr -r -P%p %s
    printing = sysv|hpuxprint command is lp -c -P%p %s; rm %s
    printing = qnxprint command is lp -r -P%p -s %s
    printing = bsd|aix|lprng|plplpq command is lpq -P%p
    printing = sysv|hpuxlpq command is lpstat -o%p
    printing = qnxlpq command is lpq -P%p
    printing = bsd|aix|lprng|plplprm command is lprm -P%p %j
    printing = sysv|hpuxlprm command is cancel %p-%j
    printing = qnxlprm command is cancel %p-%j
    printing = bsd|aix|lprng|plplppause command is lp -i %p-%j -H hold
    printing = sysv|hpuxlppause command (...is empty)
    printing = qnxlppause command (...is empty)
    printing = bsd|aix|lprng|plplpresume command is lp -i %p-%j -H resume
    printing = sysv|hpuxlpresume command (...is empty)
    printing = qnxlpresume command (...is empty)

    - - - - + + + + For printing = CUPS, if Samba is compiled against libcups, it uses the CUPS API to submit jobs. (It is a good idea also to set printcap = cups in case your cupsd.conf is set to write its autogenerated printcap file to an unusual place). Otherwise, Samba maps to the System V printing commands with the -oraw option for printing; that is, it uses lp -c -d%p -oraw; rm %s. With printing = cups, and if Samba is compiled against libcups, any manually set print command will be ignored! -
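Review bot: in Table 21.1 the lppause/lpresume rows are attributed to the wrong subsystem: "lp -i %p-%j -H hold" and "lp -i %p-%j -H resume" are System V lp syntax, and smb.conf(5) gives them as the defaults only for printing = sysv, with no default for the bsd/aix/lprng/plp family, whereas the table shows the reverse (sysv/hpux "empty", bsd filled in). The sysv|hpux print command row also carries the wrong option: the default is "lp -c -d%p %s; rm %s" (-d selects the destination; -P is lp's page-list option), which agrees with the "lp -c -d%p -oraw" form that the CUPS-fallback paragraph in this same hunk uses. Please correct those four cells.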

    Custom Print Commands

    - - +

    Custom Print Commands

    + + After a print job has finished spooling to a service, the print command will be used by Samba via a system() call to process the spool file. Usually the command specified will submit the spool file to the host's printing subsystem. But there is no requirement at all that this must be the case. The print subsystem may not remove the spool file on its own, so whatever command you specify, you should ensure that the spool file is deleted after it has been processed.

    - - - - + + + + There is no difficulty with using your own customized print commands with the traditional printing systems. However, if you do not wish to roll your own, you should be well informed about the default built-in commands that Samba uses for each printing subsystem (see Default Printing @@ -560,28 +560,28 @@ appropriate value automatically. Print commands can handle all Samba macro substitutions. In regard to printing, the following ones do have special relevance:

    - + The print command must contain at least one occurrence of %s or %f. The %p is optional. If no printer name is supplied, the %p will be silently removed from the print command. In this case, the job is sent to the default printer.

    - - + + If specified in the [global] section, the print command given will be used for any printable service that does not have its own print command specified. If there is neither a specified print command for a printable service nor a global print command, spool files will be created but not processed! Most importantly, print files will not be removed, so they will consume disk space.

    - - + + Printing may fail on some UNIX systems when using the nobody account. If this happens, create an alternative guest account and give it the privilege to print. Set up this guest account in the [global] section with the guest account parameter.

    - - - + + + You can form quite complex print commands. You need to realize that print commands are just passed to a UNIX shell. The shell is able to expand the included environment variables as usual. (The syntax to include a UNIX environment variable $variable @@ -589,15 +589,15 @@ print command example, the following will log a print job to /tmp/print.log, print the file, then remove it. The semicolon (“;” is the usual separator for commands in shell scripts: -

    print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

    +

    print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

    You may have to vary your own command considerably from this example depending on how you normally print files on your system. The default for the print command parameter varies depending on the setting of the printing parameter. Another example is: -

    print command = /usr/local/samba/bin/myprintscript %p %s

    Printing Developments Since Samba-2.2

    - - - +

    print command = /usr/local/samba/bin/myprintscript %p %s
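Review bot: the first example, "print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s", appends to a fixed file name in the world-writable /tmp, and this hunk itself notes that the command is handed to a shell and, for guest ok shares, runs as the guest account. Any local user can create /tmp/print.log first, or a symlink of that name, so the log ends up owned by or redirected to wherever the first creator chose, and other users' jobs then fail at the echo or write into that file. For a documentation example, log through logger(1) or into a root-owned directory that is not world-writable (the printer's own spool path is the obvious place), or at least say that the example is for debugging on a test box. The second example (a script under /usr/local/samba/bin) is the better pattern and could be the one the text leads with.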

    Printing Developments Since Samba-2.2

    + + + Prior to Samba-2.2.x, print server support for Windows clients was limited to LanMan printing calls. This is the same protocol level as Windows 9x/Me PCs offer when they share printers. Beginning with the 2.2.0 release, Samba started to support the native Windows NT printing mechanisms. These @@ -606,67 +606,67 @@

    The additional functionality provided by the new SPOOLSS support includes:

    • - + Support for downloading printer driver files to Windows 95/98/NT/2000 clients upon demand (Point'n'Print).

    • - + Uploading of printer drivers via the Windows NT Add Printer Wizard (APW) or the Imprints tool set.

    • - - - - - + + + + + Support for the native MS-RPC printing calls such as StartDocPrinter, EnumJobs(), and so on. (See the MSDN documentation for more information on the Win32 printing API).

    • - - + + Support for NT Access Control Lists (ACL) on printer objects.

    • - + Improved support for printer queue manipulation through the use of internal databases for spooled job information (implemented by various *.tdb files).

    - - + + A benefit of updating is that Samba-3 is able to publish its printers to Active Directory (or LDAP).

    - + A fundamental difference exists between MS Windows NT print servers and Samba operation. Windows NT permits the installation of local printers that are not shared. This is an artifact of the fact that any Windows NT machine (server or client) may be used by a user as a workstation. Samba will publish all printers that are made available, either by default or by specific declaration via printer-specific shares.

    - - - - - + + + + + Windows NT/200x/XP Professional clients do not have to use the standard SMB printer share; they can print directly to any printer on another Windows NT host using MS-RPC. This, of course, assumes that the client has the necessary privileges on the remote host that serves the printer resource. The default permissions assigned by Windows NT to a printer gives the print permissions to the well-known Everyone group. (The older clients of type Windows 9x/Me can only print to shared printers.) -

    Point'n'Print Client Drivers on Samba Servers

    - +

    Point'n'Print Client Drivers on Samba Servers

    + There is much confusion about what all this means. The question is often asked, “Is it or is it not necessary for printer drivers to be installed on a Samba host in order to support printing from Windows clients?” The answer to this is no, it is not necessary.

    - - + + Windows NT/2000 clients can, of course, also run their APW to install drivers locally (which then connect to a Samba-served print queue). This is the same method used by Windows 9x/Me clients. (However, a bug existed in Samba 2.2.0 that made Windows NT/2000 clients require that the Samba server possess a valid driver for the printer. This was fixed in Samba 2.2.1).

    - - + + But it is a new capability to install the printer drivers into the [print$] share of the Samba server, and a big convenience, too. Then all clients (including 95/98/ME) get the driver installed when they first connect to this printer share. The @@ -682,16 +682,16 @@

  • Using cupsaddsmb (only works for the CUPS printing system, not for LPR/LPD, LPRng, and so on).

  • - - + + Samba does not use these uploaded drivers in any way to process spooled files. These drivers are utilized entirely by the clients who download and install them via the “Point'n'Print” mechanism supported by Samba. The clients use these drivers to generate print files in the format the printer (or the UNIX print system) requires. Print files received by Samba are handed over to the UNIX printing system, which is responsible for all further processing, as needed. -

    The Obsoleted [printer$] Section

    - - +

    The Obsoleted [printer$] Section

    + + Versions of Samba prior to 2.2 made it possible to use a share named [printer$]. This name was taken from the same named service created by Windows 9x/Me clients when a printer was shared by them. Windows 9x/Me printer servers always have a [printer$] service that provides @@ -701,9 +701,9 @@ parameter named printer driver provided a means of defining the printer driver name to be sent to the client.

    - - - + + + These parameters, including the printer driver file parameter, are now removed and cannot be used in installations of Samba-3. The share name [print$] is now used for the location of downloadable printer @@ -713,8 +713,8 @@ of its ACLs) to support printer driver downloads and uploads. This does not mean Windows 9x/Me clients are now thrown aside. They can use Samba's [print$] share support just fine. -

    Creating the [print$] Share

    - +

    Creating the [print$] Share

    + In order to support the uploading and downloading of printer driver files, you must first configure a file share named [print$]. The public name of this share is hard coded in the MS Windows clients. It cannot be renamed, since Windows clients are programmed to search for a @@ -724,15 +724,15 @@ [print$] file share (of course, some of the parameter values, such as path, are arbitrary and should be replaced with appropriate values for your site). See [print\$] Example. -

    Example 21.3. [print$] Example

    [global]
    # members of the ntadmin group should be able to add drivers and set
    # printer properties. root is implicitly always a 'printer admin'.
    printer admin = @ntadmin
    # ...
    [printers]
    # ...
    [print$]
    comment = Printer Driver Download Area
    path = /etc/samba/drivers
    browseable = yes
    guest ok = yes
    read only = yes
    write list = @ntadmin, root

    +

    Example 21.3. [print$] Example

    [global]
    # members of the ntadmin group should be able to add drivers and set
    # printer properties. root is implicitly always a 'printer admin'.
    printer admin = @ntadmin
    # ...
    [printers]
    # ...
    [print$]
    comment = Printer Driver Download Area
    path = /etc/samba/drivers
    browseable = yes
    guest ok = yes
    read only = yes
    write list = @ntadmin, root

    Of course, you also need to ensure that the directory named by the path parameter exists on the UNIX file system. -
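Review bot: the [print$] stanza shows "write list = @ntadmin, root" without saying what that grant means: files placed here are printer driver DLLs that every Windows client installs and runs inside its print spooler via Point'n'Print (the "Point'n'Print Client Drivers on Samba Servers" text says exactly this), so anyone on the write list can push executable code to every workstation that connects to a printer on this server. Please add that sentence to the stanza parameters discussion, recommend a dedicated small group rather than a general administrators group, and note that the directory under path should be root-owned and writable only by that group. "guest ok = yes" is only needed if unauthenticated clients must fetch drivers; with "read only = yes" it exposes nothing beyond the driver files, but the text should say it is optional rather than present it as part of the required configuration.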

    [print$] Stanza Parameters

    - - - - - +

    [print$] Stanza Parameters

    + + + + + The [print$] is a special section in smb.conf. It contains settings relevant to potential printer driver download and is used by Windows clients for local print driver installation. The following parameters are frequently needed in this share section: @@ -777,7 +777,7 @@ can copy files to the share. If this is a non-root account, then the account should also be mentioned in the global printer admin parameter. See the smb.conf man page for more information on configuring file shares. -

    The [print$] Share Directory

    +

    The [print$] Share Directory

    In order for a Windows NT print server to support the downloading of driver files by multiple client architectures, you must create several subdirectories within the [print$] service (i.e., the UNIX directory named by the path @@ -812,7 +812,7 @@ Neighborhood or My Network Places and browse for the Samba host. Once you have located the server, navigate to its Printers and Faxes folder. You should see an initial listing of printers that matches the printer shares defined on your Samba host. -

    Installing Drivers into [print$]

    +

    Installing Drivers into [print$]

    Have you successfully created the [print$] share in smb.conf, and have you forced Samba to reread its smb.conf file? Good. But you are not yet ready to use the new facility. The client driver files need to be installed into this share. So far, it is still an empty share. Unfortunately, it is @@ -828,7 +828,7 @@ from any Windows NT/200x/XP client workstation.

    The latter option is probably the easier one (even if the process may seem a little bit weird at first). -

    Add Printer Wizard Driver Installation

    +

    Add Printer Wizard Driver Installation

    The printers initially listed in the Samba host's Printers folder accessed from a client's Explorer will have no real printer driver assigned to them. By default this driver name is set to a null string. This must be changed now. The local Add Printer Wizard (APW), run from @@ -879,10 +879,10 @@ Run rpcclient a second time with the setdriver subcommand.

    We provide detailed hints for each of these steps in the paragraphs that follow. -

    Identifying Driver Files

    - - - +

    Identifying Driver Files

    + + + To find out about the driver files, you have two options. You can check the contents of the driver CDROM that came with your printer. Study the *.inf files located on the CD-ROM. This may not be possible, since the *.inf file might be missing. Unfortunately, vendors have now started @@ -890,14 +890,14 @@ archive format. Additionally, the files may be re-named during the installation process. This makes it extremely difficult to identify the driver files required.

    - + Then you have the second option. Install the driver locally on a Windows client and investigate which filenames and paths it uses after they are installed. (You need to repeat this procedure for every client platform you want to support. We show it here for the W32X86 platform only, a name used by Microsoft for all Windows NT/200x/XP clients.)

    - + A good method to recognize the driver files is to print the test page from the driver's Properties dialog (General tab). Then look at the list of driver files named on the printout. You'll need to recognize what Windows (and Samba) are calling the @@ -905,9 +905,9 @@ Help File, and (optionally) Dependent Driver Files (this may vary slightly for Windows NT). You need to note all filenames for the next steps.

    - - - + + + Another method to quickly test the driver filenames and related paths is provided by the rpcclient utility. Run it with enumdrivers or with the getdriver subcommand, each at the 3 info level. In the following example, @@ -948,10 +948,10 @@ Monitorname: [] Defaultdatatype: []

    - - - - + + + + You may notice that this driver has quite a large number of Dependent files (there are worse cases, however). Also, strangely, the Driver File is tagged here @@ -961,9 +961,9 @@ addition to those for W32X86 (i.e., the Windows NT 2000/XP clients) onto a Windows PC. This PC can also host the Windows 9x/Me drivers, even if it runs on Windows NT, 2000, or XP.

    - - - + + + Since the [print$] share is usually accessible through the Network Neighborhood, you can also use the UNC notation from Windows Explorer to poke at it. The Windows 9x/Me driver files will end up in subdirectory 0 of the WIN40 @@ -974,7 +974,7 @@ mode. Windows 2000 changed this. While it still can use the kernel mode drivers (if this is enabled by the Admin), its native mode for printer drivers is user mode execution. This requires drivers designed for this purpose. These types of drivers install into the “3” subdirectory. -

    Obtaining Driver Files from Windows Client [print$] Shares

    +

    Obtaining Driver Files from Windows Client [print$] Shares

    Now we need to collect all the driver files we identified in our previous step. Where do we get them from? Well, why not retrieve them from the very PC and the same [print$] share that we investigated in our last step to identify the files? We can use smbclient @@ -999,12 +999,12 @@ This ensures that all commands are executed in sequence on the remote Windows server before smbclient exits again.

    - + Remember to repeat the procedure for the WIN40 architecture should you need to support Windows 9x/Me/XP clients. Remember too, the files for these architectures are in the WIN40/0/ subdirectory. Once this is complete, we can run smbclient. . .put to store the collected files on the Samba server's [print$] share. -
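Review bot: "Windows 9x/Me/XP clients" is wrong for WIN40: that architecture directory serves Windows 95/98/Me only, while XP clients use W32X86, as the "Identifying Driver Files" text earlier in this file states; drop "/XP" here so readers do not put XP drivers under WIN40/0/.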

    Installing Driver Files into [print$]

    +

    Installing Driver Files into [print$]

    We are now going to locate the driver files into the [print$] share. Remember, the UNIX path to this share has been defined previously in your smb.conf file. You also have created subdirectories for the different Windows client types you want to support. If, for example, your @@ -1017,8 +1017,8 @@ For all Windows 95, 98, and Me clients, /etc/samba/drivers/WIN40/ but not (yet) into the 0 subdirectory.

    - - + + We again use smbclient to transfer the driver files across the network. We specify the same files and paths as were leaked to us by running getdriver against the original Windows install. However, now we are going to store the files into a @@ -1055,18 +1055,18 @@ putting file HDNIS01Aux.dll as \W32X86\HDNIS01Aux.dll putting file HDNIS01_de.NTF as \W32X86\HDNIS01_de.NTF

    - - - + + + Whew that was a lot of typing! Most drivers are a lot smaller many have only three generic PostScript driver files plus one PPD. While we did retrieve the files from the 2 subdirectory of the W32X86 directory from the Windows box, we do not put them (for now) in this same subdirectory of the Samba box. This relocation will automatically be done by the adddriver command, which we will run shortly (and do not forget to also put the files for the Windows 9x/Me architecture into the WIN40/ subdirectory should you need them). -

    smbclient to Confirm Driver Installation

    - - +

    smbclient to Confirm Driver Installation

    + + For now we verify that our files are there. This can be done with smbclient, too (but, of course, you can log in via SSH also and do this through a standard UNIX shell access):

    @@ -1107,9 +1107,9 @@
     PDFcreator2.PPD                     A    15746  Sun Apr 20 22:24:07 2003
                   40976 blocks of size 262144. 709 blocks available
     

    - - - + + + Notice that there are already driver files present in the 2 subdirectory (probably from a previous installation). Once the files for the new driver are there too, you are still a few steps away from being able to use them on the clients. The only thing you could do now is retrieve them from a client just @@ -1117,10 +1117,10 @@ install them per Point'n'Print. The reason is that Samba does not yet know that these files are something special, namely printer driver files, and it does not know to which print queue(s) these driver files belong. -

    Running rpcclient with adddriver

    - - - +

    Running rpcclient with adddriver

    + + + Next, you must tell Samba about the special category of the files you just uploaded into the [print$] share. This is done by the adddriver command. It will prompt Samba to register the driver files into its internal TDB database files. The @@ -1144,16 +1144,16 @@ Printer Driver dm9110 successfully installed.

    - - - + + + After this step, the driver should be recognized by Samba on the print server. You need to be very careful when typing the command. Don't exchange the order of the fields. Some changes would lead to an NT_STATUS_UNSUCCESSFUL error message. These become obvious. Other changes might install the driver files successfully but render the driver unworkable. So take care! Hints about the syntax of the adddriver command are in the man page. provides a more detailed description, should you need it. -

    Checking adddriver Completion

    +

    Checking adddriver Completion

    One indication for Samba's recognition of the files as driver files is the successfully installed message. Another one is the fact that our files have been moved by the adddriver command into the 2 subdirectory. You can check this @@ -1198,17 +1198,17 @@

    Another verification is that the timestamp of the printing TDB files is now updated (and possibly their file size has increased). -

    Check Samba for Driver Recognition

    - +

    Check Samba for Driver Recognition

    + Now the driver should be registered with Samba. We can easily verify this and will do so in a moment. However, this driver is not yet associated with a particular printer. We may check the driver status of the files by at least three methods:

    • - - - - - + + + + + From any Windows client browse Network Neighborhood, find the Samba host, and open the Samba Printers and Faxes folder. Select any printer icon, right-click and select the printer Properties. Click the Advanced @@ -1218,7 +1218,7 @@ see only its own architecture's list. If you do not have every driver installed for each platform, the list will differ if you look at it from Windows95/98/ME or Windows NT/2000/XP.)

    • - + From a Windows 200x/XP client (not Windows NT) browse Network Neighborhood, search for the Samba server, open the server's Printers folder, and right-click on the white background (with no printer highlighted). Select Server @@ -1247,8 +1247,8 @@ for Windows NT 4.0 or 2000. To have it present for Windows 95, 98, and Me, you'll have to repeat the whole procedure with the WIN40 architecture and subdirectory. -

    Specific Driver Name Flexibility

    - +

    Specific Driver Name Flexibility

    + You can name the driver as you like. If you repeat the adddriver step with the same files as before but with a different driver name, it will work the same:

    @@ -1271,18 +1271,18 @@
     
     Printer Driver mydrivername successfully installed.
     

    - - - + + + You will be able to bind that driver to any print queue (however, you are responsible that you associate drivers to queues that make sense with respect to target printers). You cannot run the rpcclient adddriver command repeatedly. Each run consumes the files you had put into the [print$] share by moving them into the respective subdirectories, so you must execute an smbclient ... put command before each rpcclient ... adddriver command. -

    Running rpcclient with setdriver

    - - +

    Running rpcclient with setdriver

    + + Samba needs to know which printer owns which driver. Create a mapping of the driver to a printer, and store this information in Samba's memory, the TDB files. The rpcclient setdriver command achieves exactly this: @@ -1309,11 +1309,11 @@ bug in 2.2.x prevented Samba from recognizing freshly installed printers. You had to restart Samba, or at least send an HUP signal to all running smbd processes to work around this: kill -HUP `pidof smbd`. -

    Client Driver Installation Procedure

    +

    Client Driver Installation Procedure

    As Don Quixote said, “The proof of the pudding is in the eating.” The proof for our setup lies in the printing. So let's install the printer driver onto the client PCs. This is not as straightforward as it may seem. Read on. -

    First Client Driver Installation

    +

    First Client Driver Installation

    Especially important is the installation onto the first client PC (for each architectural platform separately). Once this is done correctly, all further clients are easy to set up and shouldn't need further attention. What follows is a description for the recommended first procedure. You now work from a client @@ -1347,7 +1347,7 @@ Settings -> Control Panel -> Printers and Faxes).

    - + Most likely you are tempted to try to print a test page. After all, you now can open the printer properties, and on the General tab there is a button offering to do just that. But chances are that you get an error message saying "Unable to print Test Page." The @@ -1359,18 +1359,18 @@

    Setting Device Modes on New Printers

    For a printer to be truly usable by a Windows NT/200x/XP client, it must possess:

    • - + A valid device mode generated by the driver for the printer (defining things like paper size, orientation and duplex settings).

    • - + A complete set of printer driver data generated by the driver.

    - - - - - + + + + + If either of these is incomplete, the clients can produce less than optimal output at best. In the worst cases, unreadable garbage or nothing at all comes from the printer, or it produces a harvest of error messages when attempting to print. Samba stores the named values and all printing-related information in @@ -1396,7 +1396,7 @@ the server's printer. This executes enough of the printer driver program on the client for the desired effect to happen and feeds back the new device mode to our Samba server. You can use the native Windows NT/200x/XP printer properties page from a Window client for this: -

    Procedure 21.1. Procedure to Initialize the Printer Driver Settings

    1. +

      Procedure 21.1. Procedure to Initialize the Printer Driver Settings

      1. Browse the Network Neighborhood.

      2. Find the Samba server. @@ -1426,13 +1426,13 @@ you can follow the analogous steps by accessing the local Printers folder, too, if you are a Samba printer admin user. From now on, printing should work as expected.

        - + Samba includes a service-level parameter name default devmode for generating a default device mode for a printer. Some drivers function well with Samba's default set of properties. Others may crash the client's spooler service. So use this parameter with caution. It is always better to have the client generate a valid device mode for the printer and store it on the server for you. -

      Additional Client Driver Installation

      - +

      Additional Client Driver Installation

      + Every additional driver may be installed in the same way as just described. Browse Network Neighborhood, open the Printers folder on Samba server, right-click on Printer, and choose Connect.... Once this completes (should be @@ -1445,14 +1445,14 @@ rundll32 shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder

      or this command on Windows NT 4.0 workstations: - +

       rundll32 shell32.dll,Control_RunDLL MAIN.CPL @2
       

      You can enter the commands either inside a DOS box window or in the Run command... field from the Start menu. -

      Always Make First Client Connection as root or “printer admin

      +

      Always Make First Client Connection as root or “printer admin

      After you installed the driver on the Samba server (in its [print$] share), you should always make sure that your first client installation completes correctly. Make it a habit for yourself to build the very first connection from a client as printer admin. This is to make @@ -1467,7 +1467,7 @@ Letter when you are all using A4, right? You may want to set the printer for duplex as the default, and so on).

      - + To connect as root to a Samba printer, try this command from a Windows 200x/XP DOS box command prompt:

       C:\> runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry /p /t3 /n 
      @@ -1481,13 +1481,13 @@
       Now all the other users downloading and installing the driver the same way (using
       Point'n'Print) will have the same defaults set for them. If you miss this step, you'll get a
       lot of help desk calls from your users, but maybe you like to talk to people.
      -

    Other Gotchas

    +

    Other Gotchas

    Your driver is installed. It is now ready for Point'n'Print installation by the clients. You may have tried to download and use it on your first client machine, but wait. Let's make sure you are acquainted first with a few tips and tricks you may find useful. For example, suppose you did not set the defaults on the printer, as advised in the preceding paragraphs. Your users complain about various issues (such as, “We need to set the paper size for each job from Letter to A4 and it will not store it”). -

    Setting Default Print Options for Client Drivers

    +

    Setting Default Print Options for Client Drivers

    The last sentence might be viewed with mixed feelings by some users and Admins. They have struggled for hours and could not arrive at a point where their settings seemed to be saved. It is not their fault. The confusing thing is that in the multitabbed dialog that pops up when you right-click on the printer name and select @@ -1536,7 +1536,7 @@ there is now a different path to arrive at an identical-looking, but functionally different, dialog to set defaults for all users.

    Tip

    Try (on Windows 200x/XP) to run this command (as a user with the right privileges): - +

    rundll32 printui.dll,PrintUIEntry /p /t3 /n\\SAMBA-SERVER\printersharename

    @@ -1547,7 +1547,7 @@ To see the tab with the Printing Preferences button (the one that does not set systemwide defaults), you can start the commands from inside a DOS box or from Start -> Run. -

    Supporting Large Numbers of Printers

    +

    Supporting Large Numbers of Printers

    One issue that has arisen during the recent development phase of Samba is the need to support driver downloads for hundreds of printers. Using Windows NT APW for this task is somewhat awkward (to say the least). If you do not want to acquire RSS pains from the printer installation clicking orgy alone, you need @@ -1630,7 +1630,7 @@ “dm9110” printer with an empty string where the driver should have been listed (between the two commas in the description field). After the setdriver command succeeds, all is well. -

    Adding New Printers with the Windows NT APW

    +

    Adding New Printers with the Windows NT APW

    By default, Samba exhibits all printer shares defined in smb.conf in the Printers folder. Also located in this folder is the Windows NT Add Printer Wizard icon. The APW will be shown only if:

    • @@ -1670,11 +1670,11 @@ necessarily a root account. A map to guest = bad user may have connected you unwittingly under the wrong privilege. You should check it by using the smbstatus command. -

    Error Message: “Cannot connect under a different Name

    +

    Error Message: “Cannot connect under a different Name

    Once you are connected with the wrong credentials, there is no means to reverse the situation other than to close all Explorer windows, and perhaps reboot.

    • - + The net use \\SAMBA-SERVER\sharename /user:root gives you an error message: “Multiple connections to a server or a shared resource by the same user utilizing several user names are not allowed. Disconnect all previous connections to the server, @@ -1700,7 +1700,7 @@ C:\> net use * /delete

      This will also disconnect all mapped drives and will allow you create fresh connection as required. -

    Take Care When Assembling Driver Files

    +

    Take Care When Assembling Driver Files

    You need to be extremely careful when you take notes about the files belonging to a particular driver. Don't confuse the files for driver version “0” (for Windows 9x/Me, going into [print$]/WIN/0/), driver version 2 (kernel mode driver for Windows NT, @@ -1831,11 +1831,11 @@ In my example were even more differences than shown here. Conclusion: you must be careful to select the correct driver files for each driver version. Don't rely on the names alone, and don't interchange files belonging to different driver versions. -

    Samba and Printer Ports

    - - - - +

    Samba and Printer Ports

    + + + + Windows NT/2000 print servers associate a port with each printer. These normally take the form of LPT1:, COM1:, FILE:, and so on. Samba must also support the concept of ports associated with a printer. By default, only one printer port, named “Samba @@ -1844,22 +1844,22 @@ they request this information; otherwise, they throw an error message at you. So Samba fakes the port information to keep the Windows clients happy.

    - + Samba does not support the concept of Printer Pooling internally either. Printer pooling assigns a logical printer to multiple ports as a form of load balancing or failover.

    If you require multiple ports to be defined for some reason or another (my users and my boss should not know that they are working with Samba), configure the enumports command, which can be used to define an external program that generates a listing of ports on a system. -

    Avoiding Common Client Driver Misconfiguration

    +

    Avoiding Common Client Driver Misconfiguration

    So now the printing works, but there are still problems. Most jobs print well, some do not print at all. Some jobs have problems with fonts, which do not look good. Some jobs print fast and some are dead-slow. We cannot cover it all, but we want to encourage you to read the brief paragraph about “Avoiding the Wrong PostScript Driver Settings” in CUPS Printing Chapter, Avoiding Critical PostScript Driver Settings on the Client. -

    The Imprints Toolset

    - +

    The Imprints Toolset

    + The Imprints tool set provides a UNIX equivalent of the Windows NT APW. For complete information, please refer to the Imprints Web site as well as the documentation included with the Imprints source distribution. This section provides only a brief introduction @@ -1871,7 +1871,7 @@ mailing list. The toolset is still in usable form, but only for a series of older printer models where there are prepared packages to use. Packages for more up-to-date print devices are needed if Imprints should have a future. Information regarding the Imprints toolset can be obtained from the Imprints home page. -

    What Is Imprints?

    +

    What Is Imprints?

    Imprints is a collection of tools for supporting these goals:

    • Providing a central repository of information regarding Windows NT and 95/98 printer driver packages. @@ -1880,19 +1880,19 @@

    • Providing an installation client that will obtain printer drivers from a central Internet (or intranet) Imprints Server repository and install them on remote Samba and Windows NT4 print servers. -

    Creating Printer Driver Packages

    +

    Creating Printer Driver Packages

    The process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt, included with the Samba distribution for more information). In short, an Imprints driver package is a gzipped tarball containing the driver files, related INF files, and a control file needed by the installation client. -

    The Imprints Server

    +

    The Imprints Server

    The Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each printer entry in the database has an associated URL for the actual downloading of the package. Each package is digitally signed via GnuPG, which can be used to verify that the package downloaded is actually the one referred in the Imprints database. It is strongly recommended that this security check not be disabled. -

    The Installation Client

    +

    The Installation Client

    More information regarding the Imprints installation client is available from the documentation file Imprints-Client-HOWTO.ps that is included with the Imprints source package. The Imprints installation client comes in two forms: @@ -1922,7 +1922,7 @@

    The way of sidestepping this limitation is to require that all Imprints printer driver packages include both the Intel Windows NT and 95/98 printer drivers and that the NT driver is installed first. -

    Adding Network Printers without User Interaction

    +

    Adding Network Printers without User Interaction

    The following MS Knowledge Base article may be of some help if you need to handle Windows 2000 clients: How to Add Printers with No User Interaction in Windows 2000, (Microsoft KB 189105). It also applies to Windows XP Professional clients. The ideas sketched out in this section are inspired by this @@ -1981,7 +1981,7 @@ up to date. The few extra seconds at logon time will not really be noticeable. Printers can be centrally added, changed, and deleted at will on the server with no user intervention required from the clients (you just need to keep the logon scripts up to date). -

    The addprinter Command

    +

    The addprinter Command

    The addprinter command can be configured to be a shell script or program executed by Samba. It is triggered by running the APW from a client against the Samba print server. The APW asks the user to fill in several fields (such as printer name, driver to be used, comment, port monitor, @@ -1989,7 +1989,7 @@ way that it can create a new printer (through writing correct printcap entries on legacy systems or by executing the lpadmin command on more modern systems) and create the associated share, then the APW will in effect really create a new printer on Samba and the UNIX print subsystem! -

    Migration of Classical Printing to Samba

    +

    Migration of Classical Printing to Samba

    The basic NT-style printer driver management has not changed considerably in 3.0 over the 2.2.x releases (apart from many small improvements). Here migration should be quite easy, especially if you followed previous advice to stop using deprecated parameters in your setup. For migrations from an existing 2.0.x @@ -2019,11 +2019,11 @@ solution is to use the Windows NT APW to install the NT drivers and the 9x/Me drivers. This can be scripted using smbclient and rpcclient. See the Imprints installation client on the Imprints web site for example. See also the discussion of rpcclient usage in CUPS Printing. -

    Publishing Printer Information in Active Directory or LDAP

    +

    Publishing Printer Information in Active Directory or LDAP

    This topic has also been addressed in Remote and Local Management The Net Command. If you wish to volunteer your services to help document this further, please contact John H. Terpstra. -

    Common Errors

    I Give My Root Password but I Do Not Get Access

    +

    Common Errors

    I Give My Root Password but I Do Not Get Access

    Do not confuse the root password, which is valid for the UNIX system (and in most cases stored in the form of a one-way hash in a file named /etc/shadow), with the password used to authenticate against Samba. Samba does not know the UNIX password. Root access to Samba resources @@ -2034,7 +2034,7 @@ New SMB password: secret Retype new SMB password: secret

    -

    My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost

    +

    My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost

    Do not use the existing UNIX print system spool directory for the Samba spool directory. It may seem convenient and a savings of space, but it only leads to problems. The two must be separate. The UNIX/Linux system print spool directory (e.g., /var/spool/cups) is typically owned by a diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/ClientConfig.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/ClientConfig.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/ClientConfig.html 2009-06-02 09:49:38.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/ClientConfig.html 2009-06-19 11:14:32.000000000 +0200 @@ -1,20 +1,20 @@ -Chapter 8. MS Windows Network Configuration Guide

    Chapter 8. MS Windows Network Configuration Guide

    John H. Samba Team Terpstra

    Samba Team

    Features and Benefits

    - - - +Chapter 8. MS Windows Network Configuration Guide

    Chapter 8. MS Windows Network Configuration Guide

    John H. Samba Team Terpstra

    Samba Team

    Features and Benefits

    + + + Occasionally network administrators report difficulty getting Microsoft Windows clients to interoperate correctly with Samba servers. It seems that some folks just cannot accept the fact that the right way to configure an MS Windows network client is precisely as one would do when using MS Windows NT4 or 200x servers. Yet there is repetitious need to provide detailed Windows client configuration instructions.

    - - + + The purpose of this chapter is to graphically illustrate MS Windows client configuration for the most common critical aspects of such configuration. An experienced network administrator will not be interested in the details of this chapter. -

    Technical Details

    - - +

    Technical Details

    + + This chapter discusses TCP/IP protocol configuration as well as network membership for the platforms that are in common use today. These are:

    • @@ -23,27 +23,27 @@ Windows 2000 Professional

    • Windows Millennium edition (Me) -

    TCP/IP Configuration

    - - +

    TCP/IP Configuration

    + + The builder of a house must ensure that all construction takes place on a firm foundation. The same is true for the builder of a TCP/IP-based networking system. Fundamental network configuration problems will plague all network users until they are resolved.

    - - + + MS Windows workstations and servers can be configured either with fixed IP addresses or via DHCP. The examples that follow demonstrate the use of DHCP and make only passing reference to those situations where fixed IP configuration settings can be effected.

    - - + + It is possible to use shortcuts or abbreviated keystrokes to arrive at a particular configuration screen. The decision was made to base all examples in this chapter on use of the Start button. -

    MS Windows XP Professional

    - +

    MS Windows XP Professional

    + There are two paths to the Windows XP TCP/IP configuration panel. Choose the access method that you prefer:

    Click Start -> Control Panel -> Network Connections. @@ -51,48 +51,48 @@ Alternately, click Start ->, and right-click My Network Places then select Properties.

    - + The following procedure steps through the Windows XP Professional TCP/IP configuration process:

    1. - - - + + + On some installations the interface will be called Local Area Connection and on others it will be called Network Bridge. On our system it is called Network Bridge. Right-click on Network Bridge -> Properties. See “Network Bridge Configuration.”.

      Figure 8.1. Network Bridge Configuration.

      Network Bridge Configuration.


    2. - - + + The Network Bridge Configuration, or Local Area Connection, panel is used to set TCP/IP protocol settings. In This connection uses the following items: box, click on Internet Protocol (TCP/IP), then click on Properties.

      - - + + The default setting is DHCP-enabled operation (i.e., “Obtain an IP address automatically”). See “Internet Protocol (TCP/IP) Properties.”.

      Figure 8.2. Internet Protocol (TCP/IP) Properties.

      Internet Protocol (TCP/IP) Properties.


      - - - - + + + + Many network administrators will want to use DHCP to configure all client TCP/IP protocol stack settings. (For information on how to configure the ISC DHCP server for Windows client support see the DNS and DHCP Configuration Guide, DHCP Server.

      - - - + + + If it is necessary to provide a fixed IP address, click on “Use the following IP address” and enter the IP Address, the subnet mask, and the default gateway address in the boxes provided.

    3. - - - - + + + + Click the Advanced button to proceed with TCP/IP configuration. This opens a panel in which it is possible to create additional IP addresses for this interface. The technical name for the additional addresses is IP aliases, and additionally this @@ -100,28 +100,28 @@ necessary to create additional settings. See “Advanced Network Settings” to see the appearance of this panel.

      Figure 8.3. Advanced Network Settings

      Advanced Network Settings


      - - - + + + Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP.

    4. - - + + Click the DNS tab to add DNS server settings. The example system uses manually configured DNS settings. When finished making changes, click the OK to commit the settings. See “DNS Configuration.”.

      Figure 8.4. DNS Configuration.

      DNS Configuration.


    5. - - + + Click the WINS tab to add manual WINS server entries. This step demonstrates an example system that uses manually configured WINS settings. When finished making changes, click OK to commit the settings. See “WINS Configuration”.

      Figure 8.5. WINS Configuration

      WINS Configuration


      -

    MS Windows 2000

    - - +

    MS Windows 2000

    + + There are two paths to the Windows 2000 Professional TCP/IP configuration panel. Choose the access method that you prefer:

    Click Start -> Control Panel -> Network and Dial-up Connections. @@ -129,33 +129,33 @@ Alternatively, click Start, then right-click My Network Places, and select Properties.

    - + The following procedure steps through the Windows XP Professional TCP/IP configuration process:

    1. Right-click on Local Area Connection, then click Properties. See “Local Area Connection Properties.”.

      Figure 8.6. Local Area Connection Properties.

      Local Area Connection Properties.


    2. - - + + The Local Area Connection Properties is used to set TCP/IP protocol settings. Click on Internet Protocol (TCP/IP) in the Components checked are used by this connection: box, then click the Properties button.

    3. - - + + The default setting is DHCP-enabled operation (i.e., “Obtain an IP address automatically”). See “Internet Protocol (TCP/IP) Properties.”.

      Figure 8.7. Internet Protocol (TCP/IP) Properties.

      Internet Protocol (TCP/IP) Properties.


      - - + + Many network administrators will want to use DHCP to configure all client TCP/IP protocol stack settings. (For information on how to configure the ISC DHCP server for Windows client support, see, “DHCP Server”.

      - - + + If it is necessary to provide a fixed IP address, click on “Use the following IP address” and enter the IP Address, the subnet mask, and the default gateway address in the boxes provided. For this example we are assuming that all network clients will be configured using DHCP. @@ -164,50 +164,50 @@ Refer to “Advanced Network Settings.”.

      Figure 8.8. Advanced Network Settings.

      Advanced Network Settings.


      - - - + + + Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP.

    4. - - + + Click the DNS tab to add DNS server settings. The example system uses manually configured DNS settings. When finished making changes, click OK to commit the settings. See “DNS Configuration.”.

      Figure 8.9. DNS Configuration.

      DNS Configuration.


    5. - - + + Click the WINS tab to add manual WINS server entries. This step demonstrates an example system that uses manually configured WINS settings. When finished making changes, click OK to commit the settings. See “WINS Configuration.”.

      Figure 8.10. WINS Configuration.

      WINS Configuration.


      -

    MS Windows Me

    - - - +

    MS Windows Me

    + + + There are two paths to the Windows Millennium edition (Me) TCP/IP configuration panel. Choose the access method that you prefer:

    Click Start -> Control Panel -> Network Connections.

    - - + + Alternatively, click on Start ->, and right click on My Network Places then select Properties.

    - + The following procedure steps through the Windows Me TCP/IP configuration process:

    1. - + In the box labeled The following network components are installed:, click on Internet Protocol TCP/IP, then click on the Properties button. See “The Windows Me Network Configuration Panel.”.

      Figure 8.11. The Windows Me Network Configuration Panel.

      The Windows Me Network Configuration Panel.


    2. - - - + + + Many network administrators will want to use DHCP to configure all client TCP/IP protocol stack settings. (For information on how to configure the ISC DHCP server for Windows client support see the DNS and DHCP Configuration Guide, @@ -215,41 +215,41 @@ (i.e., Obtain IP address automatically is enabled). See “IP Address.”.

      Figure 8.12. IP Address.

      IP Address.


      - - - + + + If it is necessary to provide a fixed IP address, click on Specify an IP address and enter the IP Address and the subnet mask in the boxes provided. For this example we are assuming that all network clients will be configured using DHCP.

    3. - - + + Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP.

    4. - + If necessary, click the DNS Configuration tab to add DNS server settings. Click the WINS Configuration tab to add WINS server settings. The Gateway tab allows additional gateways (router addresses) to be added to the network interface settings. In most cases where DHCP is used, it will not be necessary to create these manual settings.

    5. - - + + The following example uses manually configured WINS settings. See “DNS Configuration.”. When finished making changes, click OK to commit the settings.

      Figure 8.13. DNS Configuration.

      DNS Configuration.


      - - + + This is an example of a system that uses manually configured WINS settings. One situation where this might apply is on a network that has a single DHCP server that provides settings for multiple Windows workgroups or domains. See “WINS Configuration.”.

      Figure 8.14. WINS Configuration.

      WINS Configuration.


      -

    Joining a Domain: Windows 2000/XP Professional

    - - - - +

    Joining a Domain: Windows 2000/XP Professional

    + + + + Microsoft Windows NT/200x/XP Professional platforms can participate in domain security. This section steps through the process for making a Windows 200x/XP Professional machine a member of a domain security environment. It should be noted that this process is identical @@ -259,18 +259,18 @@

  • Right-click My Computer, then select Properties.

  • - + The opening panel is the same one that can be reached by clicking System on the Control Panel. See “The General Panel.”.

    Figure 8.15. The General Panel.

    The General Panel.


  • - + Click the Computer Name tab. This panel shows the Computer Description, the Full computer name, and the Workgroup or Domain name.

    - - + + Clicking the Network ID button will launch the configuration wizard. Do not use this with Samba-3. If you wish to change the computer name or join or leave the domain, click the Change button. See “The Computer Name Panel.”. @@ -280,38 +280,38 @@ We will join the domain called MIDEARTH. See “The Computer Name Changes Panel.”.

    Figure 8.17. The Computer Name Changes Panel.

    The Computer Name Changes Panel.


  • - + Enter the name MIDEARTH in the field below the domain radio button.

    This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See “The Computer Name Changes Panel Domain MIDEARTH.”.

    Figure 8.18. The Computer Name Changes Panel Domain MIDEARTH.

    The Computer Name Changes Panel Domain MIDEARTH.


  • - - + + Now click the OK button. A dialog box should appear to allow you to provide the credentials (username and password) of a domain administrative account that has the rights to add machines to the domain.

    - + Enter the name “root” and the root password from your Samba-3 server. See “Computer Name Changes Username and Password Panel.”.

    Figure 8.19. Computer Name Changes Username and Password Panel.

    Computer Name Changes Username and Password Panel.


  • Click on OK.

    - - + + The “Welcome to the MIDEARTH domain.” dialog box should appear. At this point the machine must be rebooted. Joining the domain is now complete. -

  • Domain Logon Configuration: Windows 9x/Me

    - - - +

    Domain Logon Configuration: Windows 9x/Me

    + + + We follow the convention used by most in saying that Windows 9x/Me machines can participate in domain logons. The truth is that these platforms can use only the LanManager network logon protocols.

    Note

    - - - + + + Windows XP Home edition cannot participate in domain or LanManager network logons.

    1. Right-click on the Network Neighborhood icon. @@ -320,44 +320,44 @@ See “The Network Panel.”.

      Figure 8.20. The Network Panel.

      The Network Panel.


      - - + + Make sure that the Client for Microsoft Networks driver is installed as shown. Click on the Client for Microsoft Networks entry in The following network components are installed: box. Then click the Properties button.

    2. - - + + The Client for Microsoft Networks Properties panel is the correct location to configure network logon settings. See “Client for Microsoft Networks Properties Panel.”.

      Figure 8.21. Client for Microsoft Networks Properties Panel.

      Client for Microsoft Networks Properties Panel.


      - - + + Enter the Windows NT domain name, check the Log on to Windows NT domain box, and click OK.

    3. - - - + + + Click on the Identification button. This is the location at which the workgroup (domain) name and the machine name (computer name) need to be set. See “Identification Panel.”.

      Figure 8.22. Identification Panel.

      Identification Panel.


    4. - - - - + + + + Now click the Access Control button. If you want to be able to assign share access permissions using domain user and group accounts, it is necessary to enable User-level access control as shown in this panel. See “Access Control Panel.”.

      Figure 8.23. Access Control Panel.

      Access Control Panel.


      -

    Common Errors

    - - +

    Common Errors

    + + The most common errors that can afflict Windows networking systems include:

    • Incorrect IP address.

    • Incorrect or inconsistent netmasks.

    • Incorrect router address.

    • Incorrect DNS server address.

    • Incorrect WINS server address.

    • Use of a Network Scope setting watch out for this one!

    - - + + The most common reasons for which a Windows NT/200x/XP Professional client cannot join the Samba controlled domain are:

    • smb.conf does not have correct add machine script settings.

    • root” account is not in password backend database.

    • Attempt to use a user account instead of the “root” account to join a machine to the domain.

    • Open connections from the workstation to the server.

    • Firewall or filter configurations in place on either the client or the Samba server.

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/compiling.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/compiling.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/compiling.html 2009-06-02 09:50:06.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/compiling.html 2009-06-19 11:15:00.000000000 +0200 @@ -1,9 +1,9 @@ -Chapter 42. How to Compile Samba

    Chapter 42. How to Compile Samba

    Jelmer R. The Samba Team Vernooij

    The Samba Team

    John H. Samba Team Terpstra

    Samba Team

    Andrew Samba Team Tridgell

    Samba Team

    22 May 2001

    18 March 2003

    June 2005

    +Chapter 42. How to Compile Samba

    Chapter 42. How to Compile Samba

    Jelmer R. The Samba Team Vernooij

    The Samba Team

    John H. Samba Team Terpstra

    Samba Team

    Andrew Samba Team Tridgell

    Samba Team

    22 May 2001

    18 March 2003

    June 2005

    You can obtain the Samba source file from the Samba Web site. To obtain a development version, you can download Samba from Subversion or using rsync. -

    Access Samba Source Code via Subversion

    Introduction

    - +

    Access Samba Source Code via Subversion

    Introduction

    + Samba is developed in an open environment. Developers use a Subversion to “checkin” (also known as “commit”) new source code. Samba's various Subversion branches can @@ -12,13 +12,13 @@

    This chapter is a modified version of the instructions found at the Samba Web site. -

    Subversion Access to samba.org

    +

    Subversion Access to samba.org

    The machine samba.org runs a publicly accessible Subversion repository for access to the source code of several packages, including Samba, rsync, distcc, ccache, and jitterbug. There are two main ways of accessing the Subversion server on this host. -

    Access via ViewCVS

    - +

    Access via ViewCVS

    + You can access the source code via your favorite WWW browser. This allows you to access the contents of individual files in the repository and also to look at the revision history and commit logs of individual files. You can also ask for a diff @@ -26,8 +26,8 @@

    Use the URL http://viewcvs.samba.org/. -

    Access via Subversion

    - +

    Access via Subversion

    + You can also access the source code via a normal Subversion client. This gives you much more control over what you can do with the repository and allows you to check out whole source trees and keep them up to date via normal Subversion commands. This is the preferred method of access if you are a developer and not just a @@ -37,7 +37,7 @@ sources from http://subversion.tigris.org/.

    To gain access via anonymous Subversion, use the following steps. -

    Procedure 42.1. Retrieving Samba using Subversion

    1. +

      Procedure 42.1. Retrieving Samba using Subversion

      1. Install a recent copy of Subversion. All you really need is a copy of the Subversion client binary.

      2. @@ -62,9 +62,9 @@

         	svn update
         	

        -

    Accessing the Samba Sources via rsync and ftp

    - - +

    Accessing the Samba Sources via rsync and ftp

    + + pserver.samba.org also exports unpacked copies of most parts of the Subversion tree at the Samba pserver location and also via anonymous rsync at the Samba rsync server location. I recommend using rsync rather @@ -74,9 +74,9 @@ The disadvantage of the unpacked trees is that they do not support automatic merging of local changes as Subversion does. rsync access is most convenient for an initial install. -

    Verifying Samba's PGP Signature

    - - +

    Verifying Samba's PGP Signature

    + + It is strongly recommended that you verify the PGP signature for any source file before installing it. Even if you're not downloading from a mirror site, verifying PGP signatures should be a standard reflex. Many people today use the GNU GPG tool set in place of PGP. @@ -87,7 +87,7 @@ $ wget http://us1.samba.org/samba/ftp/samba-3.0.20.tar.asc $ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc

    - + The first file is the PGP signature for the Samba source file; the other is the Samba public PGP key itself. Import the public PGP key with:
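Review bot: in the @@ -87,7 +87,7 @@ hunk the public key (samba-pubkey.asc) is fetched over plain http from the same host and directory as the signature it is meant to check, and the text goes straight to "Import the public PGP key with:" without telling the reader to confirm the key's fingerprint through a second channel; a signature check against a key obtained the same way as the artifact shows only that the download is self-consistent, not that it is authentic. Suggest a sentence asking the reader to compare the imported key's fingerprint with one published elsewhere before trusting a "Good signature" result. Also, the example filename samba-3.0.20.tar.asc is stale in a document shipped with samba-3.4.0rc1; a placeholder such as samba-<version>.tar.asc would keep the example from aging.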

    @@ -105,9 +105,9 @@
     

     gpg: BAD signature from “Samba Distribution Verification Key

    -

    Building the Binaries

    - - +

    Building the Binaries

    + + After the source tarball has been unpacked, the next step involves configuration to match Samba to your operating system platform. If your source directory does not contain the configure script, @@ -120,7 +120,7 @@ root# ./autogen.sh

    - + To build the binaries, run the program ./configure in the source directory. This should automatically configure Samba for your operating system. If you have unusual @@ -135,7 +135,7 @@ root# ./configure [... arguments ...]

    - + Execute the following create the binaries:

     root#  make
    @@ -164,7 +164,7 @@
     

    As you can see from this, building and installing Samba does not need to result in disaster! -

    Compiling Samba with Active Directory Support

    +

    Compiling Samba with Active Directory Support

    In order to compile Samba with ADS support, you need to have installed on your system:

    • @@ -187,13 +187,13 @@ If it does not, configure did not find your KRB5 libraries or your LDAP libraries. Look in config.log to figure out why and fix it. -

      Installing the Required Packages for Debian

      On Debian, you need to install the following packages:

      +

      Installing the Required Packages for Debian

      On Debian, you need to install the following packages:

      • libkrb5-dev

      • krb5-user

      -

      Installing the Required Packages for Red Hat Linux

      On Red Hat Linux, this means you should have at least:

      +

      Installing the Required Packages for Red Hat Linux

      On Red Hat Linux, this means you should have at least:

      • krb5-workstation (for kinit)

      • krb5-libs (for linking with)

      • krb5-devel (because you are compiling from source)

      in addition to the standard development environment.

      If these files are not installed on your system, you should check the installation CDs to find which has them and install the files using your tool of choice. If in doubt - about what tool to use, refer to the Red Hat Linux documentation.

      SuSE Linux Package Requirements

      + about what tool to use, refer to the Red Hat Linux documentation.

      SuSE Linux Package Requirements

      SuSE Linux installs Heimdal packages that may be required to allow you to build binary packages. You should verify that the development libraries have been installed on your system. @@ -204,7 +204,7 @@ the maximum capabilities that are available. You should consider using SuSE-provided packages where they are available.

    Starting the smbd nmbd and winbindd

    - + You must choose to start smbd, winbindd and nmbd either as daemons or from inetd. Don't try to do both! Either you can put them in inetd.conf and have them started on demand by @@ -216,7 +216,7 @@

    The main advantage of starting smbd and nmbd using the recommended daemon method is that they will respond slightly more quickly to an initial connection request. -

    Starting from inetd.conf

    Note

    The following will be different if +

    Starting from inetd.conf

    Note

    The following will be different if you use NIS, NIS+, or LDAP to distribute services maps.

    Look at your /etc/services. What is defined at port 139/tcp? If nothing is defined, then add a line like this:

    netbios-ssn     139/tcp

    Similarly for 137/udp, you should have an entry like:

    netbios-ns	137/udp

    @@ -225,12 +225,12 @@ netbios-ssn stream tcp nowait root /usr/local/samba/sbin/smbd smbd netbios-ns dgram udp wait root /usr/local/samba/sbin/nmbd nmbd

    -

    +

    The exact syntax of /etc/inetd.conf varies between UNIXes. Look at the other entries in inetd.conf for a guide.

    - + Some distributions use xinetd instead of inetd. Consult the xinetd manual for configuration information.

    Note

    Some UNIXes already have entries like netbios_ns @@ -238,7 +238,7 @@ You must edit /etc/services or /etc/inetd.conf to make them consistent.

    Note

    - + On many systems you may need to use the interfaces option in smb.conf to specify the IP address and netmask of your interfaces. Run @@ -253,13 +253,13 @@

    Restart inetd, perhaps just send it a HUP, like this: - +

     root# killall -HUP inetd
     

    -

    Alternative: Starting smbd as a Daemon

    - - +

    Alternative: Starting smbd as a Daemon

    + + To start the server as a daemon, you should create a script something like this one, perhaps calling it startsmb.

    @@ -278,7 +278,7 @@
     	If you use the SVR4-style init system, you may like to look at the
     	examples/svr4-startup script to make Samba fit
     	into that system.
    -	

    Starting Samba for Red Hat Linux

    +

    Starting Samba for Red Hat Linux

    Red Hat Linux has not always included all Samba components in the standard installation. So versions of Red Hat Linux do not install the winbind utility, even though it is present on the installation CDROM media. Check to see if the winbindd is present @@ -311,7 +311,7 @@ root# chkconfig winbind on

    Samba will be started automatically at every system reboot. -

    Starting Samba for Novell SUSE Linux

    +

    Starting Samba for Novell SUSE Linux

    Novell SUSE Linux products automatically install all essential Samba components in a default installation. Configure your smb.conf file, then execute the following to start Samba:
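Review bot: in the @@ -278,7 +278,7 @@ hunk (Starting Samba for Red Hat Linux) the regenerated context line "So versions of Red Hat Linux do not install the winbind utility" should read "Some versions of Red Hat Linux do not install the winbind utility"; since this HTML is regenerated from source, the fix belongs in the source so it comes through on the next build.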

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/CUPS-printing.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/CUPS-printing.html
    --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/CUPS-printing.html	2009-06-02 09:49:55.000000000 +0200
    +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/CUPS-printing.html	2009-06-19 11:14:48.000000000 +0200
    @@ -1,8 +1,8 @@
    -Chapter 22. CUPS Printing Support

    Chapter 22. CUPS Printing Support

    Kurt Danka Deutschland GmbH Pfeifle

    Danka Deutschland GmbH

    Ciprian Vizitiu

    drawings 

    Jelmer R. The Samba Team Vernooij

    drawings 
    The Samba Team

    (27 Jan 2004)

    Table of Contents

    Introduction
    Features and Benefits
    Overview
    Basic CUPS Support Configuration
    Linking smbd with libcups.so
    Simple smb.conf Settings for CUPS
    More Complex CUPS smb.conf Settings
    Advanced Configuration
    Central Spooling vs. Peer-to-Peer Printing
    Raw Print Serving: Vendor Drivers on Windows Clients
    Installation of Windows Client Drivers
    Explicitly Enable raw Printing for application/octet-stream
    Driver Upload Methods
    Advanced Intelligent Printing with PostScript Driver Download
    GDI on Windows, PostScript on UNIX
    Windows Drivers, GDI, and EMF
    UNIX Printfile Conversion and GUI Basics
    PostScript and Ghostscript
    Ghostscript: The Software RIP for Non-PostScript Printers
    PostScript Printer Description (PPD) Specification
    Using Windows-Formatted Vendor PPDs
    CUPS Also Uses PPDs for Non-PostScript Printers
    The CUPS Filtering Architecture
    MIME Types and CUPS Filters
    MIME Type Conversion Rules
    Filtering Overview
    Prefilters
    pstops
    pstoraster
    imagetops and imagetoraster
    rasterto [printers specific]
    CUPS Backends
    The Role of cupsomatic/foomatic
    The Complete Picture
    mime.convs
    Raw Printing
    application/octet-stream Printing
    PostScript Printer Descriptions for Non-PostScript Printers
    cupsomatic/foomatic-rip Versus Native CUPS Printing
    Examples for Filtering Chains
    Sources of CUPS Drivers/PPDs
    Printing with Interface Scripts
    Network Printing (Purely Windows)
    From Windows Clients to an NT Print Server
    Driver Execution on the Client
    Driver Execution on the Server
    Network Printing (Windows Clients and UNIX/Samba Print -Servers)
    From Windows Clients to a CUPS/Samba Print Server
    Samba Receiving Job-Files and Passing Them to CUPS
    Network PostScript RIP
    PPDs for Non-PS Printers on UNIX
    PPDs for Non-PS Printers on Windows
    Windows Terminal Servers (WTS) as CUPS Clients
    Printer Drivers Running in Kernel Mode Cause Many -Problems
    Workarounds Impose Heavy Limitations
    CUPS: A Magical Stone?
    PostScript Drivers with No Major Problems, Even in Kernel -Mode
    Configuring CUPS for Driver Download
    cupsaddsmb: The Unknown Utility
    Prepare Your smb.conf for cupsaddsmb
    CUPS PostScript Driver for Windows NT/200x/XP
    Recognizing Different Driver Files
    Acquiring the Adobe Driver Files
    ESP Print Pro PostScript Driver for Windows NT/200x/XP
    Caveats to Be Considered
    Windows CUPS PostScript Driver Versus Adobe Driver
    Run cupsaddsmb (Quiet Mode)
    Run cupsaddsmb with Verbose Output
    Understanding cupsaddsmb
    How to Recognize If cupsaddsmb Completed Successfully
    cupsaddsmb with a Samba PDC
    cupsaddsmb Flowchart
    Installing the PostScript Driver on a Client
    Avoiding Critical PostScript Driver Settings on the Client
    Installing PostScript Driver Files Manually Using rpcclient
    A Check of the rpcclient man Page
    Understanding the rpcclient man Page
    Producing an Example by Querying a Windows Box
    Requirements for adddriver and setdriver to Succeed
    Manual Driver Installation in 15 Steps
    Troubleshooting Revisited
    The Printing *.tdb Files
    Trivial Database Files
    Binary Format
    Losing *.tdb Files
    Using tdbbackup
    CUPS Print Drivers from Linuxprinting.org
    foomatic-rip and Foomatic Explained
    foomatic-rip and Foomatic PPD Download and Installation
    Page Accounting with CUPS
    Setting Up Quotas
    Correct and Incorrect Accounting
    Adobe and CUPS PostScript Drivers for Windows Clients
    The page_log File Syntax
    Possible Shortcomings
    Future Developments
    Other Accounting Tools
    Additional Material
    Autodeletion or Preservation of CUPS Spool Files
    CUPS Configuration Settings Explained
    Preconditions
    Manual Configuration
    Printing from CUPS to Windows-Attached Printers
    More CUPS Filtering Chains
    Common Errors
    Windows 9x/Me Client Can't Install Driver
    cupsaddsmb Keeps Asking for Root Password in Never-ending Loop
    cupsaddsmb or rpcclient addriver Emit Error
    cupsaddsmb Errors
    Client Can't Connect to Samba Printer
    New Account Reconnection from Windows 200x/XP Troubles
    Avoid Being Connected to the Samba Server as the Wrong User
    Upgrading to CUPS Drivers from Adobe Drivers
    Can't Use cupsaddsmb on Samba Server, Which Is a PDC
    Deleted Windows 200x Printer Driver Is Still Shown
    Windows 200x/XP Local Security Policies
    Administrator Cannot Install Printers for All Local Users
    Print Change, Notify Functions on NT Clients
    Windows XP SP1
    Print Options for All Users Can't Be Set on Windows 200x/XP
    Most Common Blunders in Driver Settings on Windows Clients
    cupsaddsmb Does Not Work with Newly Installed Printer
    Permissions on /var/spool/samba/ Get Reset After Each Reboot
    Print Queue Called lp Mishandles Print Jobs
    Location of Adobe PostScript Driver Files for cupsaddsmb
    Overview of the CUPS Printing Processes

    Introduction

    Features and Benefits

    - +Chapter 22. CUPS Printing Support

    Chapter 22. CUPS Printing Support

    Kurt Danka Deutschland GmbH Pfeifle

    Danka Deutschland GmbH

    Ciprian Vizitiu

    drawings 

    Jelmer R. The Samba Team Vernooij

    drawings 
    The Samba Team

    (27 Jan 2004)

    Table of Contents

    Introduction
    Features and Benefits
    Overview
    Basic CUPS Support Configuration
    Linking smbd with libcups.so
    Simple smb.conf Settings for CUPS
    More Complex CUPS smb.conf Settings
    Advanced Configuration
    Central Spooling vs. Peer-to-Peer Printing
    Raw Print Serving: Vendor Drivers on Windows Clients
    Installation of Windows Client Drivers
    Explicitly Enable raw Printing for application/octet-stream
    Driver Upload Methods
    Advanced Intelligent Printing with PostScript Driver Download
    GDI on Windows, PostScript on UNIX
    Windows Drivers, GDI, and EMF
    UNIX Printfile Conversion and GUI Basics
    PostScript and Ghostscript
    Ghostscript: The Software RIP for Non-PostScript Printers
    PostScript Printer Description (PPD) Specification
    Using Windows-Formatted Vendor PPDs
    CUPS Also Uses PPDs for Non-PostScript Printers
    The CUPS Filtering Architecture
    MIME Types and CUPS Filters
    MIME Type Conversion Rules
    Filtering Overview
    Prefilters
    pstops
    pstoraster
    imagetops and imagetoraster
    rasterto [printers specific]
    CUPS Backends
    The Role of cupsomatic/foomatic
    The Complete Picture
    mime.convs
    Raw Printing
    application/octet-stream Printing
    PostScript Printer Descriptions for Non-PostScript Printers
    cupsomatic/foomatic-rip Versus Native CUPS Printing
    Examples for Filtering Chains
    Sources of CUPS Drivers/PPDs
    Printing with Interface Scripts
    Network Printing (Purely Windows)
    From Windows Clients to an NT Print Server
    Driver Execution on the Client
    Driver Execution on the Server
    Network Printing (Windows Clients and UNIX/Samba Print +Servers)
    From Windows Clients to a CUPS/Samba Print Server
    Samba Receiving Job-Files and Passing Them to CUPS
    Network PostScript RIP
    PPDs for Non-PS Printers on UNIX
    PPDs for Non-PS Printers on Windows
    Windows Terminal Servers (WTS) as CUPS Clients
    Printer Drivers Running in Kernel Mode Cause Many +Problems
    Workarounds Impose Heavy Limitations
    CUPS: A Magical Stone?
    PostScript Drivers with No Major Problems, Even in Kernel +Mode
    Configuring CUPS for Driver Download
    cupsaddsmb: The Unknown Utility
    Prepare Your smb.conf for cupsaddsmb
    CUPS PostScript Driver for Windows NT/200x/XP
    Recognizing Different Driver Files
    Acquiring the Adobe Driver Files
    ESP Print Pro PostScript Driver for Windows NT/200x/XP
    Caveats to Be Considered
    Windows CUPS PostScript Driver Versus Adobe Driver
    Run cupsaddsmb (Quiet Mode)
    Run cupsaddsmb with Verbose Output
    Understanding cupsaddsmb
    How to Recognize If cupsaddsmb Completed Successfully
    cupsaddsmb with a Samba PDC
    cupsaddsmb Flowchart
    Installing the PostScript Driver on a Client
    Avoiding Critical PostScript Driver Settings on the Client
    Installing PostScript Driver Files Manually Using rpcclient
    A Check of the rpcclient man Page
    Understanding the rpcclient man Page
    Producing an Example by Querying a Windows Box
    Requirements for adddriver and setdriver to Succeed
    Manual Driver Installation in 15 Steps
    Troubleshooting Revisited
    The Printing *.tdb Files
    Trivial Database Files
    Binary Format
    Losing *.tdb Files
    Using tdbbackup
    CUPS Print Drivers from Linuxprinting.org
    foomatic-rip and Foomatic Explained
    foomatic-rip and Foomatic PPD Download and Installation
    Page Accounting with CUPS
    Setting Up Quotas
    Correct and Incorrect Accounting
    Adobe and CUPS PostScript Drivers for Windows Clients
    The page_log File Syntax
    Possible Shortcomings
    Future Developments
    Other Accounting Tools
    Additional Material
    Autodeletion or Preservation of CUPS Spool Files
    CUPS Configuration Settings Explained
    Preconditions
    Manual Configuration
    Printing from CUPS to Windows-Attached Printers
    More CUPS Filtering Chains
    Common Errors
    Windows 9x/Me Client Can't Install Driver
    cupsaddsmb Keeps Asking for Root Password in Never-ending Loop
    cupsaddsmb or rpcclient addriver Emit Error
    cupsaddsmb Errors
    Client Can't Connect to Samba Printer
    New Account Reconnection from Windows 200x/XP Troubles
    Avoid Being Connected to the Samba Server as the Wrong User
    Upgrading to CUPS Drivers from Adobe Drivers
    Can't Use cupsaddsmb on Samba Server, Which Is a PDC
    Deleted Windows 200x Printer Driver Is Still Shown
    Windows 200x/XP Local Security Policies
    Administrator Cannot Install Printers for All Local Users
    Print Change, Notify Functions on NT Clients
    Windows XP SP1
    Print Options for All Users Can't Be Set on Windows 200x/XP
    Most Common Blunders in Driver Settings on Windows Clients
    cupsaddsmb Does Not Work with Newly Installed Printer
    Permissions on /var/spool/samba/ Get Reset After Each Reboot
    Print Queue Called lp Mishandles Print Jobs
    Location of Adobe PostScript Driver Files for cupsaddsmb
    Overview of the CUPS Printing Processes

    Introduction

    Features and Benefits

    + The Common UNIX Print System (CUPS) has become quite popular. All major Linux distributions now ship it as their default printing system. To many, it is still a mystical tool. Mostly, it just works. People tend to regard @@ -11,21 +11,21 @@ Classical Printing, which contains much information that is also relevant to CUPS.

    - + CUPS sports quite a few unique and powerful features. While its basic functions may be grasped quite easily, they are also new. Because it is different from other, more traditional printing systems, it is best not to try to apply any prior knowledge about printing to this new system. Rather, try to understand CUPS from the beginning. This documentation will lead you to a complete understanding of CUPS. Let's start with the most basic things first. -

    Overview

    - - - - - - - - +

    Overview

    + + + + + + + + CUPS is more than just a print spooling system. It is a complete printer management system that complies with the new Internet Printing Protocol (IPP). IPP is an industry and Internet Engineering Task Force (IETF) standard for network printing. Many of its functions can be managed remotely (or locally) via a Web @@ -33,19 +33,19 @@ traditional command line and several more modern GUI interfaces (GUI interfaces developed by third parties, like KDE's overwhelming KDEPrint).

    - - + + CUPS allows creation of raw printers (i.e., no print file format translation) as well as smart printers (i.e., CUPS does file format conversion as required for the printer). In many ways, this gives CUPS capabilities similar to the MS Windows print monitoring system. Of course, if you are a CUPS advocate, you would argue that CUPS is better! In any case, let us now explore how to configure CUPS for interfacing with MS Windows print clients via Samba. -

    Basic CUPS Support Configuration

    - - - - - +

    Basic CUPS Support Configuration

    + + + + + Printing with CUPS in the most basic smb.conf setup in Samba-3.0 (as was true for 2.2.x) requires just two parameters: printing = cups and printcap = cups. CUPS does not need a printcap file. However, the cupsd.conf configuration file knows of two related directives that control how such a @@ -55,16 +55,16 @@ print. Make sure CUPS is set to generate and maintain a printcap file. For details, see man cupsd.conf and other CUPS-related documentation, like the wealth of documents regarding the CUPS server itself available from the CUPS web site. -

    Linking smbd with libcups.so

    - +

    Linking smbd with libcups.so

    + Samba has a special relationship to CUPS. Samba can be compiled with CUPS library support. Most recent installations have this support enabled. By default, CUPS linking is compiled into smbd and other Samba binaries. Of course, you can use CUPS even if Samba is not linked against libcups.so but there are some differences in required or supported configuration.

    - - + + When Samba is compiled and linked with libcups, printcap = cups uses the CUPS API to list printers, submit jobs, query queues, and so on. Otherwise it maps to the System V commands with an additional -oraw option for printing. On a Linux @@ -79,7 +79,7 @@ [....]

    - + The line libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) shows there is CUPS support compiled into this version of Samba. If this is the case, and printing = cups is set, then any otherwise manually set print command in smb.conf is ignored. @@ -95,14 +95,14 @@ lprm command, queuepause command and queue resume command). -

    Simple smb.conf Settings for CUPS

    +

    Simple smb.conf Settings for CUPS

    To summarize, the Simplest Printing-Related smb.conf file shows the simplest printing-related setup for smb.conf to enable basic CUPS support: -

    Example 22.1. Simplest Printing-Related smb.conf

    [global]
    load printers = yes
    printing = cups
    printcap name = cups
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = yes
    writable = no
    printable = yes
    printer admin = root, @ntadmins, @smbprintadm

    - - - +

    Example 22.1. Simplest Printing-Related smb.conf

    [global]
    load printers = yes
    printing = cups
    printcap name = cups
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = yes
    writable = no
    printable = yes
    printer admin = root, @ntadmins, @smbprintadm

    + + + This is all you need for basic printing setup for CUPS. It will print all graphic, text, PDF, and PostScript files submitted from Windows clients. However, most of your Windows users would not know how to send these kinds of files to print without opening a GUI application. Windows clients tend to have local printer drivers @@ -112,25 +112,25 @@ hooked between the application's native format and the print data stream. If the backend printer is not a PostScript device, the print data stream is “binary,” sensible only for the target printer. Read on to learn what problem this may cause and how to avoid it. -

    More Complex CUPS smb.conf Settings

    +

    More Complex CUPS smb.conf Settings

    The Overriding Global CUPS Settings for One Printer example is a slightly more complex printing-related setup for smb.conf. It enables general CUPS printing support for all printers, but defines one printer share, which is set up differently. -

    Example 22.2. Overriding Global CUPS Settings for One Printer

    [global]
    printing = cups
    printcap name = cups
    load printers = yes
    [printers]
    comment = All Printers
    path = /var/spool/samba
    guest ok = yes
    writable = no
    printable = yes
    printer admin = root, @ntadmins, @smbprintadm
    [special_printer]
    comment = A special printer with his own settings
    path = /var/spool/samba-special
    printing = sysv
    printcap = lpstat
    print command = echo "NEW: `date`: printfile %f" >> /tmp/smbprn.log ; echo " `date`: p-%p s-%s f-%f" >> /tmp/smbprn.log ; echo " `date`: j-%j J-%J z-%z c-%c" >> /tmp/smbprn.log ; rm %f
    guest ok = no
    writable = no
    printable = yes
    printer admin = kurt
    hosts deny = 0.0.0.0
    hosts allow = turbo_xp, 10.160.50.23, 10.160.51.60

    +

    Example 22.2. Overriding Global CUPS Settings for One Printer

    [global]
    printing = cups
    printcap name = cups
    load printers = yes
    [printers]
    comment = All Printers
    path = /var/spool/samba
    guest ok = yes
    writable = no
    printable = yes
    printer admin = root, @ntadmins, @smbprintadm
    [special_printer]
    comment = A special printer with his own settings
    path = /var/spool/samba-special
    printing = sysv
    printcap = lpstat
    print command = echo "NEW: `date`: printfile %f" >> /tmp/smbprn.log ; echo " `date`: p-%p s-%s f-%f" >> /tmp/smbprn.log ; echo " `date`: j-%j J-%J z-%z c-%c" >> /tmp/smbprn.log ; rm %f
    guest ok = no
    writable = no
    printable = yes
    printer admin = kurt
    hosts deny = 0.0.0.0
    hosts allow = turbo_xp, 10.160.50.23, 10.160.51.60

    This special share is only for testing purposes. It does not write the print job to a file. It just logs the job parameters known to Samba into the /tmp/smbprn.log file and deletes the job-file. Moreover, the printer admin of this share is “kurt” (not the “@ntadmins” group), guest access is not allowed, the share isn't published to the Network Neighborhood (so you need to know it is there), and it allows access from only three hosts. To prevent CUPS from kicking in and taking over the print jobs for that share, we need to set printing = sysv and printcap = lpstat. -

    Advanced Configuration

    +

    Advanced Configuration

    Before we delve into all the configuration options, let us clarify a few points. Network printing needs to be organized and set up correctly. This frequently doesn't happen. Legacy systems or small business LAN environments often lack design and good housekeeping. -

    Central Spooling vs. “Peer-to-Peer” Printing

    - - - +

    Central Spooling vs. “Peer-to-Peer” Printing

    + + + Many small office or home networks, as well as badly organized larger environments, allow each client a direct access to available network printers. This is generally a bad idea. It often blocks one client's access to the printer when another client's job is printing. It might freeze the first client's application while it is @@ -138,9 +138,9 @@ pages mixed with each other. A better concept is the use of a print server: it routes all jobs through one central system, which responds immediately, takes jobs from multiple concurrent clients, and transfers them to the printer(s) in the correct order. -

    Raw Print Serving: Vendor Drivers on Windows Clients

    - - +

    Raw Print Serving: Vendor Drivers on Windows Clients

    + + Most traditionally configured UNIX print servers acting on behalf of Samba's Windows clients represented a really simple setup. Their only task was to manage the “raw” spooling of all jobs handed to them by @@ -149,8 +149,8 @@ device. In this case, a native (vendor-supplied) Windows printer driver needs to be installed on each and every client for the target device.

    - - + + It is possible to configure CUPS, Samba, and your Windows clients in the same traditional and simple way. When CUPS printers are configured for raw print-through mode operation, it is the responsibility of the @@ -164,15 +164,15 @@ This is achieved by installation of the printer as if it were physically attached to the Windows client. You then redirect output to a raw network print queue. This procedure may be followed to achieve this: -

    Procedure 22.1. Configuration Steps for Raw CUPS Printing Support

    1. - +

      Procedure 22.1. Configuration Steps for Raw CUPS Printing Support

      1. + Edit /etc/cups/mime.types to uncomment the line near the end of the file that has:

         #application/octet-...
         

      2. - + Do the same for the file /etc/cups/mime.convs.

      3. Add a raw printer using the Web interface. Point your browser at @@ -193,14 +193,14 @@ you have configured above. Example: \\server\raw_q. Here, the name raw_q is the name you gave the print queue in the CUPS environment. -

    Installation of Windows Client Drivers

    +

    Installation of Windows Client Drivers

    The printer drivers on the Windows clients may be installed in two functionally different ways:

    • Manually install the drivers locally on each client, one by one; this yields the old LanMan style printing and uses a \\sambaserver\printershare type of connection.

    • - + Deposit and prepare the drivers (for later download) on the print server (Samba); this enables the clients to use “Point'n'Print” to get drivers semi-automatically installed the @@ -211,9 +211,9 @@ administrative efforts and prevents that different versions of the drivers are used accidentally.

    Explicitly Enable “raw” Printing for application/octet-stream

    - - - + + + If you use the first option (drivers are installed on the client side), there is one setting to take care of: CUPS needs to be told that it should allow “raw” printing of deliberate (binary) file @@ -225,10 +225,10 @@

     application/octet-stream
     

    - - + + In /etc/cups/mime.convs, have this line: - +

     application/octet-stream   application/vnd.cups-raw   0   - 
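Review bot: in the @@ -225,10 +225,10 @@ hunk the mime.convs rule application/octet-stream application/vnd.cups-raw 0 - enables unfiltered pass-through for every queue on that CUPS server, not only the one being set up, and nothing here points the reader to the Background paragraph that follows, which explains why CUPS ships with it disabled (arbitrary binary data reaching the printer). Suggest a one-sentence forward reference at this point, plus a reminder that once raw printing is allowed, who may submit to such queues is governed only by the Samba share settings (guest ok, hosts allow) of the kind shown in Example 22.2.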
     

    @@ -239,8 +239,8 @@ Editing the mime.convs and the mime.types file does not enforceraw” printing, it only allows it.

    Background.  - - + + That CUPS is a more security-aware printing system than traditional ones does not by default allow a user to send deliberate (possibly binary) data to printing devices. This could be easily abused to launch a “Denial of Service” attack on your printer(s), causing at least the loss of a lot of paper and @@ -254,11 +254,11 @@ locally installed. If you are not interested in background information about more advanced CUPS/Samba printing, simply skip the remaining sections of this chapter. -

    Driver Upload Methods

    +

    Driver Upload Methods

    This section describes three familiar methods, plus one new one, by which printer drivers may be uploaded.

    - + If you want to use the MS-RPC-type printing, you must upload the drivers onto the Samba server first ([print$] share). For a discussion on how to deposit printer drivers on the @@ -267,27 +267,27 @@ chapter of this book. There you will find a description or reference to three methods of preparing the client drivers on the Samba server:

    • - + The GUI, “Add Printer Wizardupload-from-a-Windows-client method.

    • The command line, “smbclient/rpcclient” upload-from-a-UNIX-workstation method.

    • - + The Imprints tool set method.

    - + These three methods apply to CUPS all the same. The cupsaddsmb utility is a new and more convenient way to load the Windows drivers into Samba and is provided if you use CUPS.

    cupsaddsmb is discussed in much detail later in this chapter. But we first explore the CUPS filtering system and compare the Windows and UNIX printing architectures. -

    Advanced Intelligent Printing with PostScript Driver Download

    - +

    Advanced Intelligent Printing with PostScript Driver Download

    + We now know how to set up a “dump” print server, that is, a server that spools print jobs “raw”, leaving the print data untouched.

    You might need to set up CUPS in a smarter way. The reasons could be manifold: -

    • Maybe your boss wants to get monthly statistics: Which +

      • Maybe your boss wants to get monthly statistics: Which printer did how many pages? What was the average data size of a job? What was the average print run per day? What are the typical hourly peaks in printing? Which department prints how much?

      • Maybe you are asked to set up a print quota system: @@ -303,28 +303,28 @@ Windows and UNIX printing, then a description of the CUPS filtering system, how it works, and how you can tweak it.

        GDI on Windows, PostScript on UNIX

        - - + + Network printing is one of the most complicated and error-prone day-to-day tasks any user or administrator may encounter. This is true for all OS platforms, and there are reasons it is so.

        - - - - - + + + + + You can't expect to throw just any file format at a printer and have it get printed. A file format conversion must take place. The problem is that there is no common standard for print file formats across all manufacturers and printer types. While PostScript (trademark held by Adobe) and, to an extent, PCL (trademark held by Hewlett-Packard) have developed into semi-official “standards” by being the most widely used page description languages (PDLs), there are still many manufacturers who “roll their own” (their reasons may be unacceptable license fees for using printer-embedded PostScript interpreters, and so on). -

        Windows Drivers, GDI, and EMF

        - - - - +

        Windows Drivers, GDI, and EMF

        + + + + In Windows OS, the format conversion job is done by the printer drivers. On MS Windows OS platforms all application programmers have at their disposal a built-in API, the graphical device interface (GDI), as part and parcel of the OS itself to base themselves on. This GDI core is used as one common unified ground for all @@ -335,21 +335,21 @@ the GDI, often produces a file format called Enhanced MetaFile (EMF). The EMF is processed by the printer driver and converted to the printer-specific file format.

        Note

        - - - + + + To the GDI foundation in MS Windows, Apple has chosen to put paper and screen output on a common foundation - for its (BSD-UNIX-based, did you know?) Mac OS X and Darwin operating - systems. + for its (BSD-UNIX-based, did you know?) Mac OS X and Darwin operating + systems. Apple's core graphic engine uses a PDF derivative for all display work.

        The example in Windows Printing to a Local Printer illustrates local Windows printing. -

        Figure 22.1. Windows Printing to a Local Printer.

        Windows Printing to a Local Printer.

        UNIX Printfile Conversion and GUI Basics

        - - - - +

        Figure 22.1. Windows Printing to a Local Printer.

        Windows Printing to a Local Printer.
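Review bot: the Note about Apple in this hunk opens with “To the GDI foundation in MS Windows, Apple has chosen to put paper and screen output on a common foundation”, which drops the comparison the sentence needs; suggest “Similar to the GDI foundation in MS Windows, Apple has chosen to put paper and screen output on a common foundation”.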

        UNIX Printfile Conversion and GUI Basics

        + + + + In UNIX and Linux, there is no comparable layer built into the OS kernel(s) or the X (screen display) server. Every application is responsible for itself to create its print output. Fortunately, most use PostScript and that at least gives some common ground. Unfortunately, there are many different levels of quality for this @@ -363,16 +363,16 @@ unfavorable inheritance up to the present day by looking into the various “font” directories on your system; there are separate ones for fonts used for X display and fonts to be used on paper.

        Background.  - - - - - - - - - - + + + + + + + + + + The PostScript programming language is an “invention” by Adobe, but its specifications have been published extensively. Its strength lies in its powerful abilities to describe graphical objects (fonts, shapes, patterns, lines, curves, and dots), their attributes (color, linewidth), and the way to manipulate @@ -384,11 +384,11 @@ interpreted by a rasterizer. Rasterizers produce pixel images, which may be displayed on screen by a viewer program or on paper by a printer.

        PostScript and Ghostscript

        - - - - - + + + + + So UNIX is lacking a common ground for printing on paper and displaying on screen. Despite this unfavorable legacy for UNIX, basic printing is fairly easy if you have PostScript printers at your disposal. The reason is that these devices have a built-in PostScript language “interpreter,” also called a raster image @@ -397,31 +397,31 @@ commands into a bitmap picture as you see it on paper, in a resolution as done by your printer. This is no different than PostScript printing a file from a Windows origin.

        Note

        - - - + + + Traditional UNIX programs and printing systems while using PostScript are largely not PPD-aware. PPDs are “PostScript Printer Description” files. They enable you to specify and control all options a printer supports: duplexing, stapling, and punching. Therefore, UNIX users for a long time couldn't choose many of the supported device and job options, unlike Windows or Apple users. But now there is CUPS. as illustrated in Printing to a PostScript Printer.

        Figure 22.2. Printing to a PostScript Printer.

        Printing to a PostScript Printer.
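Review bot: in the Note above, “But now there is CUPS. as illustrated in Printing to a PostScript Printer.” has a stray sentence break before the figure cross-reference; join it as “But now there is CUPS, as illustrated in Printing to a PostScript Printer.”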

        - + However, there are other types of printers out there. These do not know how to print PostScript. They use their own PDL, often proprietary. To print to them is much more demanding. Since your UNIX applications mostly produce PostScript, and since these devices do not understand PostScript, you need to convert the print files to a format suitable for your printer on the host before you can send it away. -

        Ghostscript: The Software RIP for Non-PostScript Printers

        - +

        Ghostscript: The Software RIP for Non-PostScript Printers

        + Here is where Ghostscript kicks in. Ghostscript is the traditional (and quite powerful) PostScript interpreter used on UNIX platforms. It is a RIP in software, capable of doing a lot of file format conversions for a very broad spectrum of hardware devices as well as software file formats. Ghostscript technology and drivers are what enable PostScript printing to non-PostScript hardware. This is shown in Ghostscript as a RIP for Non-PostScript Printers.

        Figure 22.3. Ghostscript as a RIP for Non-PostScript Printers.

        Ghostscript as a RIP for Non-PostScript Printers.

        Tip

        - - - + + + Use the “gs -h” command to check for all built-in “devices” on your Ghostscript version. If you specify a parameter of -sDEVICE=png256 on your Ghostscript command line, you are asking Ghostscript to convert the input into a PNG file. Naming a “device” on the @@ -429,14 +429,14 @@ input. New Ghostscript versions are released at fairly regular intervals, now by artofcode LLC. They are initially put under the “AFPL” license, but re-released under the GNU GPL as soon as the next AFPL version appears. GNU Ghostscript is probably the version installed on most Samba systems. But it has some - deficiencies. Therefore, ESP Ghostscript was developed as an enhancement over GNU Ghostscript, + deficiencies. Therefore, ESP Ghostscript was developed as an enhancement over GNU Ghostscript, with lots of bug-fixes, additional devices, and improvements. It is jointly maintained by developers from CUPS, Gutenprint, MandrakeSoft, SuSE, Red Hat, and Debian. It includes the “cups” device (essential to print to non-PS printers from CUPS). -

        PostScript Printer Description (PPD) Specification

        - - - +

      PostScript Printer Description (PPD) Specification

      + + + While PostScript in essence is a PDL to represent the page layout in a device-independent way, real-world print jobs are always ending up being output on hardware with device-specific features. To take care of all the differences in hardware and to allow for innovations, Adobe has specified a syntax and file format for @@ -458,17 +458,17 @@ PostScript, PJL, JCL, or vendor-dependent commands) into the PostScript file created by the driver.

      Warning

      - - + + A PostScript file that was created to contain device-specific commands for achieving a certain print job output (e.g., duplexed, stapled, and punched) on a specific target machine may not print as expected, or may not be printable at all on other models; it also may not be fit for further processing by software (e.g., by a PDF distilling program). -

      Using Windows-Formatted Vendor PPDs

      - - - +

    Using Windows-Formatted Vendor PPDs

    + + + CUPS can handle all spec-compliant PPDs as supplied by the manufacturers for their PostScript models. Even if a vendor does not mention our favorite OS in his or her manuals and brochures, you can safely trust this: If you get the Windows NT version of the PPD, you can use it unchanged in CUPS and thus @@ -479,31 +479,31 @@ parsing and checking code enabled; in case of printing trouble, this online resource should be one of your first pit stops.

    Warning

    - - + + For real PostScript printers, do not use the Foomatic or cupsomatic PPDs from Linuxprinting.org. With these devices, the original vendor-provided PPDs are always the first choice.

    Tip

    - + If you are looking for an original vendor-provided PPD of a specific device, and you know that an NT4 box (or any other Windows box) on your LAN has the PostScript driver installed, just use smbclient //NT4-box/print\$ -U username to access the Windows directory where all printer driver files are stored. First look in the W32X86/2 subdirectory for the PPD you are seeking. -

    CUPS Also Uses PPDs for Non-PostScript Printers

    - - - +

    CUPS Also Uses PPDs for Non-PostScript Printers

    + + + CUPS also uses specially crafted PPDs to handle non-PostScript printers. These PPDs are usually not available from the vendors (and no, you can't just take the PPD of a PostScript printer with the same model name and hope it works for the non-PostScript version too). To understand how these PPDs work for non-PS printers, we first need to dive deeply into the CUPS filtering and file format conversion architecture. Stay tuned. -

    The CUPS Filtering Architecture

    - - - - - +

    The CUPS Filtering Architecture

    + + + + + The core of the CUPS filtering system is based on Ghostscript. In addition to Ghostscript, CUPS uses some other filters of its own. You (or your OS vendor) may have plugged in even more filters. CUPS handles all data file formats under the label of various MIME types. Every incoming print file is subjected to an initial @@ -514,82 +514,82 @@

    If CUPS rasterizes a PostScript file natively to a bitmap, this is done in two stages:

    • - - + + The first stage uses a Ghostscript device named “cups” (this is since version 1.1.15) and produces a generic raster format called “CUPS raster”.

    • - + The second stage uses a “raster driver” that converts the generic CUPS raster to a device-specific raster.

    - - - + + + Make sure your Ghostscript version has the “cups” device compiled in (check with gs -h | grep cups). Otherwise you may encounter the dreaded Unable to convert file 0 in your CUPS error_log file. To have “cups” as a device in your Ghostscript, you either need to patch GNU Ghostscript and recompile or use -ESP Ghostscript. The superior alternative is ESP +ESP Ghostscript. The superior alternative is ESP Ghostscript. It supports not just CUPS, but 300 other devices (while GNU Ghostscript supports only about 180). Because of this broad output device support, ESP Ghostscript is the first choice for non-CUPS spoolers, too. It is now recommended by Linuxprinting.org for all spoolers.

    - - - - + + + + CUPS printers may be set up to use external rendering paths. One of the most common is provided by the Foomatic/cupsomatic concept from Linuxprinting.org. This uses the classical Ghostscript approach, doing everything in one step. It does not use the “cups” device, but one of the many others. However, even for Foomatic/cupsomatic usage, best -results and broadest printer +results and broadest printer model support is provided by ESP Ghostscript (more about Foomatic/cupsomatic, particularly the new version called now foomatic-rip, follows). -

    MIME Types and CUPS Filters

    - - - - - +

    MIME Types and CUPS Filters

    + + + + + CUPS reads the file /etc/cups/mime.types (and all other files carrying a *.types suffix in the same directory) upon startup. These files contain the MIME type recognition rules that are applied when CUPS runs its autotyping routines. The rule syntax is explained in the man page for mime.types and in the comments section of the mime.types file itself. A simple rule reads like this: - +

     application/pdf         pdf string(0,%PDF)
     

    - - + + This means if a filename has a .pdf suffix or if the magic string %PDF is right at the beginning of the file itself (offset 0 from the start), then it is a PDF file (application/pdf). Another rule is this:

     application/postscript  ai eps ps string(0,%!) string(0,<04>%!)
     

    - - - - - - + + + + + + If the filename has one of the suffixes .ai, .eps, .ps, or if the file itself starts with one of the strings %! or <04>%!, it is a generic PostScript file (application/postscript).

    Warning

    - + Don't confuse the other mime.types files your system might be using with the one in the /etc/cups/ directory.

    Note

    - - - - - + + + + + There is an important difference between two similar MIME types in CUPS: one is application/postscript, the other is application/vnd.cups-postscript. While application/postscript is @@ -600,32 +600,32 @@ (application/vnd.cups-postscript) is the responsibility of the CUPS pstops filter. pstops uses information contained in the PPD to do the transformation.

    - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + CUPS can handle ASCII text, HP-GL, PDF, PostScript, DVI, and many image formats (GIF, PNG, TIFF, JPEG, Photo-CD, SUN-Raster, PNM, PBM, SGI-RGB, and more) and their associated MIME types with its filters. -

    MIME Type Conversion Rules

    - - - - - +

    MIME Type Conversion Rules

    + + + + + CUPS reads the file /etc/cups/mime.convs (and all other files named with a *.convs suffix in the same directory) upon startup. These files contain @@ -636,44 +636,44 @@

     application/pdf         application/postscript   33   pdftops
     

    - + This means that the pdftops filter will take application/pdf as input and produce application/postscript as output; the virtual cost of this operation is 33 CUPS-$. The next filter is more expensive, costing 66 CUPS-$: - +

     application/vnd.hp-HPGL application/postscript   66   hpgltops
     

    - + This is the hpgltops, which processes HP-GL plotter files to PostScript. - +

     application/octet-stream
     

    Here are two more examples: - - - - + + + +

     application/x-shell     application/postscript   33    texttops
     text/plain              application/postscript   33    texttops
     

    - + The last two examples name the texttops filter to work on text/plain as well as on application/x-shell. (Hint: This differentiation is needed for the syntax highlighting feature of texttops). -

    Filtering Overview

    - +

    Filtering Overview

    + There are many more combinations named in mime.convs. However, you are not limited to use the ones predefined there. You can plug in any filter you like to the CUPS framework. It must meet, or must be made to meet, some minimal requirements. If you find (or write) a cool conversion filter of some kind, make sure it complies with what CUPS needs and put in the right lines in mime.types and mime.convs; then it will work seamlessly inside CUPS. -

    Filter Requirements

    +

    Filter Requirements

    The “CUPS requirements” for filters are simple. Take filenames or stdin as input and write to stdout. They should take these arguments:

    printer

    @@ -692,24 +692,24 @@ (optionally) The print request file (if missing, filters expect data fed through stdin). In most cases, it is easy to write a simple wrapper script around existing filters to make them work with CUPS. -

    Prefilters

    - - - +

    Prefilters

    + + + As previously stated, PostScript is the central file format to any UNIX-based printing system. From PostScript, CUPS generates raster data to feed non-PostScript printers.

    - - - - - - - - - - + + + + + + + + + + But what happens if you send one of the supported non-PS formats to print? Then CUPS runs “prefilters” on these input formats to generate PostScript first. There are prefilters to create PostScript from ASCII text, PDF, DVI, or HP-GL. The outcome of these filters is always of MIME type @@ -719,14 +719,14 @@ MIME type application/vnd.cups-postscript (not application/postscript), meaning it has the print options already embedded into the file. This is shown in Prefiltering in CUPS to Form PostScript. -

    Figure 22.4. Prefiltering in CUPS to Form PostScript.

    Prefiltering in CUPS to Form PostScript.

    pstops

    - - - - - - - +

    Figure 22.4. Prefiltering in CUPS to Form PostScript.

    Prefiltering in CUPS to Form PostScript.

    pstops

    + + + + + + + pstops is a filter that is used to convert application/postscript to application/vnd.cups-postscript. As stated earlier, this filter inserts all device-specific print options (commands to the printer to ask for the duplexing of output, or stapling and @@ -742,10 +742,10 @@ so-called “number-up” function).

  • Counting the pages of the job to insert the accounting information into the /var/log/cups/page_log. -

  • pstoraster

    - - - +

    pstoraster

    + + + pstoraster is at the core of the CUPS filtering system. It is responsible for the first stage of the rasterization process. Its input is of MIME type application/vnd.cups-postscript; its output is application/vnd.cups-raster. This output format is not yet meant to be printable. Its aim is to serve as a @@ -753,10 +753,10 @@ generate device-specific printer data. This is shown in the PostScript to Intermediate Raster Format diagram.

    Figure 22.6. PostScript to Intermediate Raster Format.

    PostScript to Intermediate Raster Format.

    - - - - + + + + CUPS raster is a generic raster format with powerful features. It is able to include per-page information, color profiles, and more, to be used by the downstream raster drivers. Its MIME type is registered with IANA and its specification is, of course, completely open. It is designed to make it quite easy and inexpensive for @@ -766,10 +766,10 @@ raster drivers). This is illustrated in the CUPS-Raster Production Using Ghostscript illustration.

    Figure 22.7. CUPS-Raster Production Using Ghostscript.

    CUPS-Raster Production Using Ghostscript.

    - - - - + + + + CUPS versions before version 1.1.15 shipped a binary (or source code) standalone filter, named pstoraster. pstoraster, which was derived from GNU Ghostscript 5.50 and could be installed instead of and in addition to any GNU or AFPL Ghostscript package without @@ -780,27 +780,27 @@ now a simple shell script calling gs with the -sDEVICE=cups parameter. If your Ghostscript fails when this command is executed: gs -h |grep cups, you might not be able to print, update your Ghostscript. -
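Review bot: two wording problems in the standalone-pstoraster paragraph of this hunk. “pstoraster, which was derived from GNU Ghostscript 5.50 and could be installed instead of and in addition to any GNU or AFPL Ghostscript package” never reaches a main clause; drop “which”. The closing sentence runs an instruction and a consequence together: “If your Ghostscript fails when this command is executed: gs -h |grep cups, you might not be able to print, update your Ghostscript.” Suggest: “If gs -h | grep cups prints nothing, your Ghostscript lacks the cups device and CUPS cannot rasterize for non-PostScript printers; update your Ghostscript.” That matches the earlier Tip, which says gs -h lists the built-in devices.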

    imagetops and imagetoraster

    - - +

    imagetops and imagetoraster

    + + In the section about prefilters, we mentioned the prefilter that generates PostScript from image formats. The imagetoraster filter is used to convert directly from image to raster, without the intermediate PostScript stage. It is used more often than the previously mentioned prefilters. We summarize in a flowchart the image file filtering in the Image Format to CUPS-Raster Format Conversion illustration. -

    Figure 22.8. Image Format to CUPS-Raster Format Conversion.

    Image Format to CUPS-Raster Format Conversion.

    rasterto [printers specific]

    - - - - - - - - - - - +

    Figure 22.8. Image Format to CUPS-Raster Format Conversion.

    Image Format to CUPS-Raster Format Conversion.

    rasterto [printers specific]

    + + + + + + + + + + + CUPS ships with quite a variety of raster drivers for processing CUPS raster. On my system, I find in /usr/lib/cups/filter/ the following: rastertoalps, rastertobj, rastertoepson, rastertoescp, rastertopcl, @@ -811,9 +811,9 @@ rastertoprinter) by third-party driver development projects (such as Gutenprint) wanting to cooperate as closely as possible with CUPS. See the Raster to Printer-Specific Formats illustration. -

    Figure 22.9. Raster to Printer-Specific Formats.

    Raster to Printer-Specific Formats.

    CUPS Backends

    - - +

    Figure 22.9. Raster to Printer-Specific Formats.

    Raster to Printer-Specific Formats.

    CUPS Backends

    + + The last part of any CUPS filtering chain is a backend. Backends are special programs that send the print-ready file to the final device. There is a separate backend program for any transfer @@ -887,8 +887,8 @@ email back to the $USER asking him or her to always specify the correct printer name.)

    - - + + Not all of the mentioned backends may be present on your system or usable (depending on your hardware configuration). One test for all available CUPS backends is provided by the lpinfo @@ -896,12 +896,12 @@ all available backends:

     	$ lpinfo -v
    -	

    The Role of cupsomatic/foomatic

    - - - - - +

    The Role of cupsomatic/foomatic

    + + + + + cupsomatic filters may be the most widely used on CUPS installations. You must be clear that these were not developed by the CUPS people. They are a third-party add-on to @@ -925,17 +925,17 @@ autoconstructed from the selected PPD and command line options given to the print job.

    - - - - - - - - - - - + + + + + + + + + + + However, cupsomatic is now deprecated. Its PPDs (especially the first generation of them, still in heavy use out there) are not meeting the Adobe specifications. You might also suffer difficulties when you try @@ -957,11 +957,11 @@ best thing is that the new foomatic-rip works seamlessly with all legacy spoolers too (like LPRng, BSD-LPD, PDQ, PPR, and so on), providing for them access to use PPDs for their printing. -

    The Complete Picture

    +

    The Complete Picture

    If you want to see an overview of all the filters and how they relate to each other, the complete picture of the puzzle is at the end of this chapter. -

    mime.convs

    +

    mime.convs

    CUPS autoconstructs all possible filtering chain paths for any given MIME type and every printer installed. But how does it decide in favor of or against a specific alternative? (There may be cases @@ -971,8 +971,8 @@ assigned to this filter. Every possible filtering chain will sum up to a total “filter cost.” CUPS decides for the most “inexpensive” route.

    Tip

    - - + + Setting FilterLimit 1000 in cupsd.conf will not allow more filters to run concurrently than will consume a total of 1000 virtual filter @@ -980,10 +980,10 @@ server by setting an appropriate “FilterLimit” value. A FilterLimit of 200 allows roughly one job at a time, while a FilterLimit of 1000 allows approximately five jobs maximum at a time. -

    Raw” Printing

    - - - +

    Raw” Printing

    + + + You can tell CUPS to print (nearly) any file “raw”. “Raw” means it will not be filtered. CUPS will send the file to the printer “as is” without bothering if the printer is able to digest it. Users need to take care themselves that they send sensible data formats only. Raw printing can @@ -1001,9 +1001,9 @@ if it can't find a PPD associated with the queue. However, CUPS will only send known MIME types (as defined in its own mime.types file) and refuse others. -

    application/octet-stream Printing

    - - +

    application/octet-stream Printing

    + + Any MIME type with no rule in the /etc/cups/mime.types file is regarded as unknown or application/octet-stream and will not be sent. Because CUPS refuses to print unknown MIME types by default, @@ -1016,11 +1016,11 @@ To enable the printing of application/octet-stream files, edit these two files:

    • /etc/cups/mime.convs

    • /etc/cups/mime.types

    - + Both contain entries (at the end of the respective files) that must be uncommented to allow raw mode operation for application/octet-stream. In /etc/cups/mime.types make sure this line is present: - +

     application/octet-stream
     

    @@ -1031,7 +1031,7 @@

     application/octet-stream   application/vnd.cups-raw   0   -
     

    - + This line tells CUPS to use the Null Filter (denoted as “-”, doing nothing at all) on application/octet-stream, and tag the result as @@ -1042,10 +1042,10 @@ Editing the mime.convs and the mime.types file does not enforceraw” printing, it only allows it.

    Background.  - - - - + + + + That CUPS is a more security-aware printing system than traditional ones does not by default allow one to send deliberate (possibly binary) data to printing devices. (This could be easily abused to launch a @@ -1057,13 +1057,13 @@ /etc/cups/mime.types defines the “rules” of how CUPS recognizes MIME types. The file /etc/cups/mime.convs decides which file conversion filter(s) may be applied to which MIME types. -

    PostScript Printer Descriptions for Non-PostScript Printers

    - - - - - - +

    PostScript Printer Descriptions for Non-PostScript Printers

    + + + + + + Originally PPDs were meant to be used for PostScript printers only. Here, they help to send device-specific commands and settings to the RIP, which processes the job file. CUPS has extended this @@ -1076,7 +1076,7 @@

    PPDs for a non-PostScript printer have a few lines that are unique to CUPS. The most important one looks similar to this: - +

     *cupsFilter: application/vnd.cups-raster  66   rastertoprinter
     

    @@ -1094,14 +1094,14 @@ several hundred printer models. You may not be able to control different paper trays, or you may get larger margins than your specific model supports. See Table 21.1“PPDs Shipped with CUPS” for summary information. -

    Table 22.1. PPDs Shipped with CUPS

    PPD filePrinter type
    deskjet.ppdolder HP inkjet printers and compatible
    deskjet2.ppdnewer HP inkjet printers and compatible
    dymo.ppdlabel printers
    epson9.ppdEpson 24-pin impact printers and compatible
    epson24.ppdEpson 24-pin impact printers and compatible
    okidata9.ppdOkidata 9-pin impact printers and compatible
    okidat24.ppdOkidata 24-pin impact printers and compatible
    stcolor.ppdolder Epson Stylus Color printers
    stcolor2.ppdnewer Epson Stylus Color printers
    stphoto.ppdolder Epson Stylus Photo printers
    stphoto2.ppdnewer Epson Stylus Photo printers
    laserjet.ppdall PCL printers

    cupsomatic/foomatic-rip Versus Native CUPS Printing

    - - +

    Table 22.1. PPDs Shipped with CUPS

    PPD filePrinter type
    deskjet.ppdolder HP inkjet printers and compatible
    deskjet2.ppdnewer HP inkjet printers and compatible
    dymo.ppdlabel printers
    epson9.ppdEpson 24-pin impact printers and compatible
    epson24.ppdEpson 24-pin impact printers and compatible
    okidata9.ppdOkidata 9-pin impact printers and compatible
    okidat24.ppdOkidata 24-pin impact printers and compatible
    stcolor.ppdolder Epson Stylus Color printers
    stcolor2.ppdnewer Epson Stylus Color printers
    stphoto.ppdolder Epson Stylus Photo printers
    stphoto2.ppdnewer Epson Stylus Photo printers
    laserjet.ppdall PCL printers
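Review bot: two errors in the PPD table hunk survive the regeneration. The sentence just before the table says “See Table 21.1 “PPDs Shipped with CUPS” for summary information”, but the caption reads “Table 22.1. PPDs Shipped with CUPS”; fix the cross-reference. In the table itself the row “epson9.ppd  Epson 24-pin impact printers and compatible” repeats the description of the epson24.ppd row; the 9 in the filename denotes 9-pin printers, exactly as okidata9.ppd vs okidat24.ppd are distinguished two rows below, so it should read “Epson 9-pin impact printers and compatible”.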

    cupsomatic/foomatic-rip Versus Native CUPS Printing

    + + Native CUPS rasterization works in two steps:

    • - + First is the pstoraster step. It uses the special CUPS - + device from ESP Ghostscript 7.05.x as its tool.

    • Second is the rasterdriver step. It uses various @@ -1116,7 +1116,7 @@ One other method is the cupsomatic/foomatic-rip way. Note that cupsomatic is not made by the CUPS developers. It is an independent contribution to printing development, - made by people from Linuxprinting.org.[6] + made by people from Linuxprinting.org.[6] cupsomatic is no longer developed, maintained, or supported. It now been replaced by foomatic-rip. foomatic-rip is a complete rewrite of the old cupsomatic idea, but very much improved and generalized to @@ -1124,8 +1124,8 @@ advised, especially if you are upgrading to a recent version of CUPS, too.
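Review bot: grammar in the cupsomatic paragraph of this hunk: “It now been replaced by foomatic-rip.” should read “It has now been replaced by foomatic-rip.”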

      - - + + Like the old cupsomatic method, the foomatic-rip (new) method from Linuxprinting.org uses the traditional Ghostscript print file processing, doing everything in a single step. It therefore relies on all the other devices built into Ghostscript. The quality is as good (or bad) as @@ -1135,12 +1135,12 @@ Of course, you can use both methods side by side on one system (and even for one printer, if you set up different queues) and find out which works best for you.

      - - - - - - + + + + + + cupsomatic kidnaps the print file after the application/vnd.cups-postscript stage and deviates it through the CUPS-external, systemwide Ghostscript installation. Therefore, the print file bypasses the pstoraster @@ -1149,14 +1149,14 @@ backend. cupsomatic/foomatic Processing Versus Native CUPS, illustrates the difference between native CUPS rendering and the Foomatic/cupsomatic method. -

    Examples for Filtering Chains

    +

    Examples for Filtering Chains

    Here are a few examples of commonly occurring filtering chains to illustrate the workings of CUPS.

    - - - - + + + + Assume you want to print a PDF file to an HP JetDirect-connected PostScript printer, but you want to print pages 3-5, 7, and 11-13 only, and you want to print them “two-up” and “duplex”: @@ -1175,10 +1175,10 @@ backend, which transfers the job to the printers.

    The resulting filter chain, therefore, is as shown in the PDF to socket chain illustration. -

    Figure 22.11. PDF to Socket Chain.

    PDF to Socket Chain.

    - - - +

    Figure 22.11. PDF to Socket Chain.

    PDF to Socket Chain.

    + + + Assume you want to print the same filter to an USB-connected Epson Stylus Photo Printer installed with the CUPS stphoto2.ppd. The first few filtering stages are nearly the same:

    • @@ -1188,14 +1188,14 @@ The (complete) PDF file is sent to CUPS and autotyped as application/pdf.

    • - - + + The file must first pass the pdftops prefilter, which produces PostScript MIME type application/postscript (a preview here would still show all pages of the original PDF).

    • - - + + The file then passes the “pstops” filter that applies the command line options: it selects the pages 2-5, 7, and 11-13, creates the imposed layout “two pages on one sheet,” and inserts the @@ -1207,7 +1207,7 @@ The file then passes the pstoraster stage and becomes MIME type application/cups-raster.

    • - + Finally, the rastertoepson filter does its work (as indicated in the printer's PPD), creating the printer-specific raster data and embedding any user-selected @@ -1217,11 +1217,11 @@

    The resulting filter chain therefore is as shown in the PDF to USB Chain illustration. -
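Review bot: the second filtering-chain walkthrough above is inconsistent with the first one it is meant to mirror. “Assume you want to print the same filter to an USB-connected Epson Stylus Photo Printer” should be “the same file to a USB-connected Epson Stylus Photo Printer”; the pstops step then “selects the pages 2-5, 7, and 11-13” although the job was defined as pages 3-5, 7, and 11-13; and the pstoraster step says the file “becomes MIME type application/cups-raster”, whereas everywhere else in the chapter (the pstoraster section, the *cupsFilter line in the PPD) the type is application/vnd.cups-raster. Align all three with the first example.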

    Figure 22.12. PDF to USB Chain.

    PDF to USB Chain.

    Sources of CUPS Drivers/PPDs

    +

    Figure 22.12. PDF to USB Chain.

    PDF to USB Chain.

    Sources of CUPS Drivers/PPDs

    On the Internet you can now find many thousands of CUPS-PPD files (with their companion filters), in many national languages supporting more than 1,000 non-PostScript models. -

    • +

      • ESP PrintPro (commercial, non-free) is packaged with more than 3,000 PPDs, ready for successful use “out of the box” on Linux, Mac OS X, IBM-AIX, @@ -1249,9 +1249,9 @@ Foomatic/cupsomatic (LPGL, free) from Linuxprinting.org provide PPDs for practically every Ghostscript filter known to the world (including Omni, Gutenprint, and HPIJS). -

    Printing with Interface Scripts

    - - +

    Printing with Interface Scripts

    + + CUPS also supports the use of “interface scripts” as known from System V AT&T printing systems. These are often used for PCL printers, from applications that generate PCL print jobs. Interface @@ -1273,16 +1273,16 @@ use of interface scripts is found at http://playground.sun.com/printing/documentation/interface.html). -

    Network Printing (Purely Windows)

    +

    Network Printing (Purely Windows)

    Network printing covers a lot of ground. To understand what exactly goes on with Samba when it is printing on behalf of its Windows clients, let's first look at a “purely Windows” setup: Windows clients with a Windows NT print server. -

    From Windows Clients to an NT Print Server

    +

    From Windows Clients to an NT Print Server

    Windows clients printing to an NT-based print server have two options. They may: - - + +

    Driver Execution on the Client

    +

    Driver Execution on the Client

    In the first case, the print server must spool the file as raw, meaning it shouldn't touch the job file and try to convert it in any way. This is what a traditional UNIX-based print server can do too, and at a better performance and more reliably than an NT print server. This is what most Samba administrators probably are @@ -1299,12 +1299,12 @@ even if no driver(s) for UNIX is available. It is sufficient to have the Windows client drivers available and installed on the clients. This is illustrated in the Print Driver Execution on the Client diagram. -

    Figure 22.13. Print Driver Execution on the Client.

    Print Driver Execution on the Client.

    Driver Execution on the Server

    - - - - - +

    Figure 22.13. Print Driver Execution on the Client.

    Print Driver Execution on the Client.

    Driver Execution on the Server

    + + + + + The other path executes the printer driver on the server. The client transfers print files in EMF format to the server. The server uses the PostScript, PCL, ESC/P, or other driver to convert the EMF file into the printer-specific language. It is not possible for UNIX to do the same. Currently, there is no program or @@ -1312,14 +1312,14 @@ This is illustrated in the Print Driver Execution on the Server diagram.

    Figure 22.14. Print Driver Execution on the Server.

    Print Driver Execution on the Server.

    However, something similar is possible with CUPS, so read on. -

    Network Printing (Windows Clients and UNIX/Samba Print +

    Network Printing (Windows Clients and UNIX/Samba Print Servers)

    Since UNIX print servers cannot execute the Win32 program code on their platform, the picture is somewhat different. However, this does not limit your options all that much. On the contrary, you may have a way here to implement printing features that are not possible otherwise. -

    From Windows Clients to a CUPS/Samba Print Server

    +

    From Windows Clients to a CUPS/Samba Print Server

    Here is a simple recipe showing how you can take advantage of CUPS's powerful features for the benefit of your Windows network printing clients: @@ -1331,7 +1331,7 @@

    First, to enable CUPS-based printing through Samba, the following options should be set in your smb.conf file [global] section: -

    printing = cups
    printcap = cups

    +

    printing = cups
    printcap = cups

    When these parameters are specified, all manually set print directives (like print command or lppause command) in smb.conf (as well as in Samba itself) will be ignored. Instead, Samba will directly interface with CUPS through its application program interface (API), as long as Samba has been compiled with CUPS library (libcups) support. If Samba has not been compiled with CUPS @@ -1339,7 +1339,7 @@ AT&T command set, with the -oraw option automatically passing through (if you want your own defined print commands to work with a Samba server that has CUPS support compiled in, simply use classicalprinting = sysv). This is illustrated in the Printing via CUPS/Samba Server diagram. -

    Figure 22.15. Printing via CUPS/Samba Server.

    Printing via CUPS/Samba Server.

    Samba Receiving Job-Files and Passing Them to CUPS

    +

    Figure 22.15. Printing via CUPS/Samba Server.

    Printing via CUPS/Samba Server.

    Samba Receiving Job-Files and Passing Them to CUPS

    Samba must use its own spool directory (it is set by a line similar to path = /var/spool/samba, in the [printers] or [printername] section of smb.conf). Samba receives the job in its own spool space and passes it into the spool directory of CUPS (the CUPS spool directory is set by the RequestRoot directive in a line that defaults to RequestRoot /var/spool/cups). CUPS checks the @@ -1351,13 +1351,13 @@ configured). If Samba runs on the same host as CUPS, you only need to allow “localhost” to print. If it runs on different machines, you need to make sure the Samba host gets access to printing on CUPS. -

    Network PostScript RIP

    +

    Network PostScript RIP

    This section discusses the use of CUPS filters on the server configuration where clients make use of a PostScript driver with CUPS-PPDs.

    - - - + + + PPDs can control all print device options. They are usually provided by the manufacturer if you own a PostScript printer, that is. PPD files are always a component of PostScript printer drivers on MS Windows or Apple Mac OS systems. They are ASCII files containing user-selectable print options, mapped to appropriate @@ -1370,8 +1370,8 @@ lpoptions or see if you have lphelp on your system). There are also some different GUI front-ends on Linux/UNIX, which can present PPD options to users. PPD options are normally meant to be evaluated by the PostScript RIP on the real PostScript printer. -

    PPDs for Non-PS Printers on UNIX

    - +

    PPDs for Non-PS Printers on UNIX

    + CUPS does not limit itself to “real” PostScript printers in its use of PPDs. The CUPS developers have extended the scope of the PPD concept to also describe available device and driver options for non-PostScript printers through CUPS-PPDs. @@ -1383,8 +1383,8 @@ for the interpretation of the supplied PostScript. Thus CUPS lets all its printers appear as PostScript devices to its clients, because it can act as a PostScript RIP for those printers, processing the received PostScript code into a proper raster print format. -

    PPDs for Non-PS Printers on Windows

    - +

    PPDs for Non-PS Printers on Windows

    + CUPS-PPDs can also be used on Windows clients, on top of a “core” PostScript driver (now recommended is the CUPS PostScript Driver for Windows NT/200x/XP; you can also use the Adobe one, with limitations). This feature enables CUPS to do a few tricks no other spooler can do: @@ -1398,11 +1398,11 @@ Enable clients to consolidate on a single PostScript driver, even for many different target printers.

    Using CUPS PPDs on Windows clients enables them to control all print job settings just as a UNIX client can do. -

    Windows Terminal Servers (WTS) as CUPS Clients

    +

    Windows Terminal Servers (WTS) as CUPS Clients

    This setup may be of special interest to people experiencing major problems in WTS environments. WTS often need a multitude of non-PostScript drivers installed to run their clients' variety of different printer models. This often imposes the price of much increased instability. -

    Printer Drivers Running in “Kernel Mode” Cause Many +

    Printer Drivers Running in “Kernel Mode” Cause Many Problems

    Windows NT printer drivers, which run in “kernel mode”, introduce a high risk for the stability of the system if the driver is not really stable and well-tested. And there are a lot of bad drivers out @@ -1414,14 +1414,14 @@ run in kernel mode. This might be because until now there have been only two different PostScript drivers: the one from Adobe and the one from Microsoft. Both are well-tested and are as stable as you can imagine on Windows. The CUPS driver is derived from the Microsoft one. -

    Workarounds Impose Heavy Limitations

    +

    Workarounds Impose Heavy Limitations

    In an attempt to work around problems, site administrators have resorted to restricting the allowed drivers installed on their WTS to one generic PCL and one PostScript driver. This, however, restricts the number of printer options available for clients to use. Often they can't get out more than simplex prints from one standard paper tray, while their devices could do much better if driven by a different driver! -

    CUPS: A “Magical Stone”?

    - - +

    CUPS: A “Magical Stone”?

    + + Using a PostScript driver, enabled with a CUPS-PPD, seems to be a very elegant way to overcome all these shortcomings. There are, depending on the version of Windows OS you use, up to three different PostScript drivers now available: Adobe, Microsoft, and CUPS PostScript drivers. None of them is known to cause major @@ -1430,14 +1430,14 @@ server acting as a PostScript RIP for its clients requires more CPU and RAM than when just acting as a “raw spooling” device. Plus, this setup is not yet widely tested, although the first feedbacks look very promising. -

    PostScript Drivers with No Major Problems, Even in Kernel +

    PostScript Drivers with No Major Problems, Even in Kernel Mode

    - - - - - - + + + + + + More recent printer drivers on W200x and XP no longer run in kernel mode (unlike Windows NT). However, both operating systems can still use the NT drivers, running in kernel mode (you can roughly tell which is which as the drivers in subdirectory “2” of “W32X86” are “old” ones). As was @@ -1449,13 +1449,13 @@ allow them to publish the whole of the source code. However, they have released the “diff” under the GPL, and if you are the owner of an “MS DDK for Windows NT,” you can check the driver yourself. -

    Configuring CUPS for Driver Download

    +

    Configuring CUPS for Driver Download

    As we have said before, all previously known methods to prepare client printer drivers on the Samba server for download and Point'n'Print convenience of Windows workstations are working with CUPS, too. These methods were described in Classical Printing. In reality, this is a pure Samba business and relates only to the Samba-Windows client relationship. -

    cupsaddsmb: The Unknown Utility

    - +

    cupsaddsmb: The Unknown Utility

    + The cupsaddsmb utility (shipped with all current CUPS versions) is an alternative method to transfer printer drivers into the Samba [print$] share. Remember, this share is where clients expect drivers deposited and set up for download and installation. It makes the sharing @@ -1472,11 +1472,11 @@ However, currently only Windows NT, 2000, and XP are supported by the CUPS drivers. You will also need to get the respective part of the Adobe driver if you need to support Windows 95, 98, and Me clients. -

    Prepare Your smb.conf for cupsaddsmb

    +

    Prepare Your smb.conf for cupsaddsmb

    Prior to running cupsaddsmb, you need the settings in smb.conf as shown in the smb.conf for cupsaddsmb Usage. -

    Example 22.3. smb.conf for cupsaddsmb Usage

    [global]
    load printers = yes
    printing = cups
    printcap name = cups
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    # setting depends on your requirements
    guest ok = yes
    writable = no
    printable = yes
    printer admin = root
    [print$]
    comment = Printer Drivers
    path = /etc/samba/drivers
    browseable = yes
    guest ok = no
    read only = yes
    write list = root, @smbprintadm

    CUPS “PostScript Driver for Windows NT/200x/XP

    - +

    Example 22.3. smb.conf for cupsaddsmb Usage

    [global]
    load printers = yes
    printing = cups
    printcap name = cups
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    # setting depends on your requirements
    guest ok = yes
    writable = no
    printable = yes
    printer admin = root
    [print$]
    comment = Printer Drivers
    path = /etc/samba/drivers
    browseable = yes
    guest ok = no
    read only = yes
    write list = root, @smbprintadm

    CUPS “PostScript Driver for Windows NT/200x/XP
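Review bot: both copies of Example 22.3 in this hunk are identical, so the change is markup-only and the example's content goes out unchanged; two of its settings deserve a word in the surrounding text rather than only the comment `# setting depends on your requirements`. `guest ok = yes` in [printers] lets unauthenticated clients submit jobs to every CUPS queue, so the comment should say that `no` is the safe choice unless anonymous printing is actually intended. `printer admin = root` has been deprecated in favour of granting SePrintOperatorPrivilege since the 3.0 series; as this is the 3.4.0rc1 documentation, either confirm the parameter is still honoured or point to `net rpc rights grant` instead (the `net sam rights` subcommands are added elsewhere in this same patch). Lastly, since `write list = root, @smbprintadm` already names a dedicated group, the later cupsaddsmb and rpcclient examples could use an account from that group rather than root.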

    + CUPS users may get the exact same package from http://www.cups.org/software.html. It is a separate package from the CUPS-based software files, tagged as CUPS 1.1.x Windows NT/200x/XP Printer Driver for Samba (tar.gz, 192k). The filename to download is cups-samba-1.1.x.tar.gz. Upon untar and unzipping, it @@ -1489,8 +1489,8 @@ cups-samba.remove cups-samba.ss

    - - + + These have been packaged with the ESP meta-packager software EPM. The *.install and *.remove files are simple shell scripts, which untar the *.ss (the *.ss is nothing else but a tar archive, which can be untarred by “tar” too). @@ -1522,32 +1522,32 @@ around this, copy/move the file (after running the ./cups-samba.install script) manually to the correct place.

    - + This new CUPS PostScript driver is currently binary only, but free of charge. No complete source code is provided (yet). The reason is that it has been developed with the help of the Microsoft DDK and compiled with Microsoft Visual Studio 6. Driver developers are not allowed to distribute the whole of the source code as free software. However, CUPS developers released the “diff” in source code under the GPL, so anybody with a license for Visual Studio and a DDK will be able to compile for himself or herself. -

    Recognizing Different Driver Files

    +

    Recognizing Different Driver Files

    The CUPS drivers do not support the older Windows 95/98/Me, but only the Windows NT/2000/XP client.

    Windows NT, 2000, and XP are supported by:

    • cups.hlp

    • cupsdrvr.dll

    • cupsui.dll

    Adobe drivers are available for the older Windows 95/98/Me as well as for Windows NT/2000/XP clients. The set of files is different from the different platforms.

    Windows 95, 98, and ME are supported by:

    • ADFONTS.MFM

    • ADOBEPS4.DRV

    • ADOBEPS4.HLP

    • DEFPRTR2.PPD

    • ICONLIB.DLL

    • PSMON.DLL

    Windows NT, 2000, and XP are supported by:

    • ADOBEPS5.DLL

    • ADOBEPSU.DLL

    • ADOBEPSU.HLP

    Note

    - + If both the Adobe driver files and the CUPS driver files for the support of Windows NT/200x/XP are presently installed on the server, the Adobe files will be ignored and the CUPS files will be used. If you prefer for whatever reason to use Adobe-only drivers, move away the three CUPS driver files. The Windows 9x/Me clients use the Adobe drivers in any case. -

    Acquiring the Adobe Driver Files

    +

    Acquiring the Adobe Driver Files

    Acquiring the Adobe driver files seems to be unexpectedly difficult for many users. They are not available on the Adobe Web site as single files, and the self-extracting and/or self-installing Windows-.exe is not easy to locate either. You probably need to use the included native installer and run the installation process on one client once. This will install the drivers (and one generic PostScript printer) locally on the client. When they are installed, share the generic PostScript printer. After this, the client's [print$] share holds the Adobe files, which you can get with smbclient from the CUPS host. -

    ESP Print Pro PostScript Driver for Windows NT/200x/XP

    - +

    ESP Print Pro PostScript Driver for Windows NT/200x/XP

    + Users of the ESP Print Pro software are able to install the ESP print drivers package as an alternative to the Adobe PostScript drivers. To do so, retrieve the driver files from the normal download area of the ESP Print Pro software at Easy Software web site. @@ -1557,19 +1557,19 @@ the menu. Of course, you need to have prepared Samba beforehand to handle the driver files; that is, set up the [print$] share, and so on. The ESP Print Pro package includes the CUPS driver files as well as a (licensed) set of Adobe drivers for the Windows 95/98/Me client family. -

    Caveats to Be Considered

    - - - - +

    Caveats to Be Considered

    + + + + Once you have run the install script (and possibly manually moved the cups.hlp file to /usr/share/cups/drivers/), the driver is ready to be put into Samba's [print$] share (which often maps to /etc/samba/drivers/ and contains a subdirectory tree with WIN40 and W32X86 branches). You do this by running cupsaddsmb (see also man cupsaddsmb for CUPS since release 1.1.16).

    Tip

    - - + + You may need to put root into the smbpasswd file by running smbpasswd; this is especially important if you should run this whole procedure for the first time and are not working in an environment where everything is configured for single sign-on to a Windows Domain Controller. @@ -1584,8 +1584,8 @@ in the /usr/share/cups/drivers/ directory. The new cupsaddsmb (from 1.1.16) will automatically prefer its own drivers if it finds both.

    Note

    - - + + Should your Windows clients have had the old ADOBE*.* files for the Adobe PostScript driver installed, the download and installation of the new CUPS PostScript driver for Windows NT/200x/XP will fail at first. You need to wipe the old driver from the clients first. It is not enough to @@ -1599,43 +1599,43 @@ printers using this driver in the Printers folder first. You will need Administrator privileges to do this.

    Note

    - - + + Once you have successfully downloaded the CUPS PostScript driver to a client, you can easily switch all printers to this one by proceeding as described in Classical Printing Support. Either change a driver for an existing printer by running the Printer Properties dialog, or use rpcclient with the setdriver subcommand. -

    Windows CUPS PostScript Driver Versus Adobe Driver

    +

    Windows CUPS PostScript Driver Versus Adobe Driver

    Are you interested in a comparison between the CUPS and the Adobe PostScript drivers? For our purposes, these are the most important items that weigh in favor of CUPS:

    • No hassle with the Adobe EULA.

    • No hassle with the question, “Where do I get the ADOBE*.* driver files?

    • - + The Adobe drivers (on request of the printer PPD associated with them) often put a PJL header in front of the main PostScript part of the print file. Thus, the print file starts with <1B >%-12345X or <escape>%-12345X instead of %!PS. This leads to the CUPS daemon autotyping the incoming file as a print-ready file, not initiating a pass through the pstops filter (to speak more technically, it is not - regarded as the generic MIME-type + regarded as the generic MIME-type application/postscript, but as the more special MIME type - + application/cups.vnd-postscript), which therefore also leads to the page accounting in /var/log/cups/page_log not receiving the exact number of pages; instead the dummy page number of “1” is logged in a standard setup).

    • The Adobe driver has more options to misconfigure the - + PostScript generated by it (like setting it inadvertently to Optimize for Speed instead of Optimize for Portability, which could lead to CUPS being unable to process it).

    • The CUPS PostScript driver output sent by Windows - + clients to the CUPS server is guaranteed to autotype as the generic MIME type application/postscript, thus passing through the CUPS pstops filter and logging the correct number of pages in the page_log for accounting and quota purposes.

    • - + The CUPS PostScript driver supports the sending of additional standard (IPP) print options by Windows NT/200x/XP clients. Such additional print options are naming the CUPS standard banner pages (or the custom ones, should they be installed at the time of driver download), using the CUPS @@ -1648,9 +1648,9 @@ not disturb any other applications because they will regard it as a comment and simply ignore it).

    • The CUPS PostScript driver will be the heart of the fully fledged CUPS IPP client for Windows NT/200x/XP to be released soon - (probably alongside the first beta release for CUPS 1.2).

    Run cupsaddsmb (Quiet Mode)

    - - + (probably alongside the first beta release for CUPS 1.2).

    Run cupsaddsmb (Quiet Mode)

    + + The cupsaddsmb command copies the needed files into your [print$] share. Additionally, the PPD associated with this printer is copied from /etc/cups/ppd/ to [print$]. There the files wait for convenient Windows client installations via @@ -1658,26 +1658,26 @@ Samba. If you have a small network, you are probably using user-level security (security = user).

    Here is an example of a successfully run cupsaddsmb command: - - + +

     root# cupsaddsmb -U root infotec_IS2027
     Password for root required to access localhost via Samba: ['secret']
     

    - + To share all printers and drivers, use the -a parameter instead of a printer name. Since cupsaddsmbexports” the printer drivers to Samba, it should be obvious that it only works for queues with a CUPS driver associated. -

    Run cupsaddsmb with Verbose Output

    - +

    Run cupsaddsmb with Verbose Output

    + Probably you want to see what's going on. Use the -v parameter to get a more verbose output. The output below was edited for better readability: all “\” at the end of a line indicate that I inserted an artificial line break plus some indentation here: - - + +

     root# cupsaddsmb -U root -v infotec_2105
     Password for root required to access localhost via GANDALF:
    @@ -1746,17 +1746,17 @@
     Also, if you look further, you may discover error messages like NT_STATUS_OBJECT_NAME_COLLISION in the output.
     This will occur when the directories WIN40 and W32X86 already existed in the [print$]
     driver download share (from a previous driver installation). These are harmless warning messages.
    -

    Understanding cupsaddsmb

    - +

    Understanding cupsaddsmb

    + What has happened? What did cupsaddsmb do? There are five stages of the procedure:

    1. - + Call the CUPS server via IPP and request the driver files and the PPD file for the named printer.

    2. Store the files temporarily in the local TEMPDIR (as defined in cupsd.conf).

    3. Connect via smbclient to the Samba server's [print$] share and put the files into the share's WIN40 (for Windows 9x/Me) and W32X86 (for Windows NT/200x/XP) subdirectories.

    4. - + Connect via rpcclient to the Samba server and execute the adddriver command with the correct parameters.

    5. - + Connect via rpcclient to the Samba server a second time and execute the setdriver command.

    Note

    You can run the cupsaddsmb utility with parameters to specify one remote host as Samba host and a second remote host as CUPS host. Especially if you want to get a deeper understanding, it is a good idea @@ -1765,7 +1765,7 @@

     root# cupsaddsmb -H sambaserver -h cupsserver -v printer
     

    -

    How to Recognize If cupsaddsmb Completed Successfully

    +

    How to Recognize If cupsaddsmb Completed Successfully

    You must always check if the utility completed successfully in all fields. You need at minimum these three messages among the output: @@ -1794,9 +1794,9 @@ It is impossible to see any diagnostic output if you do not run cupsaddsmb in verbose mode. Therefore, we strongly recommend against use of the default quiet mode. It will hide any problems from you that might occur. -

    cupsaddsmb with a Samba PDC

    - - +

    cupsaddsmb with a Samba PDC

    + + Can't get the standard cupsaddsmb command to run on a Samba PDC? Are you asked for the password credential again and again, and the command just will not take off at all? Try one of these variations: @@ -1806,20 +1806,20 @@ root# cupsaddsmb -H SAURON -U MIDEARTH\\root -h cups-server -v printername

    (Note the two backslashes: the first one is required to “escape” the second one). -

    cupsaddsmb Flowchart

    - - +

    cupsaddsmb Flowchart

    + + The cupsaddsmb Flowchart shows a chart about the procedures, command flows, and data flows of the cupaddsmb command. Note again: cupsaddsmb is not intended to, and does not work with, raw print queues! -

    Figure 22.16. cupsaddsmb Flowchart.

    cupsaddsmb Flowchart.

    Installing the PostScript Driver on a Client

    - - +

    Figure 22.16. cupsaddsmb Flowchart.

    cupsaddsmb Flowchart.

    Installing the PostScript Driver on a Client

    + + After cupsaddsmb is completed, your driver is prepared for the clients to use. Here are the steps you must perform to download and install it via Point'n'Print. From a Windows client, browse to the CUPS/Samba server:

    • - + Open the Printers share of Samba in Network Neighborhood.

    • Right-click on the printer in question.

    • From the opening context menu select Install... or Connect... (depending on the Windows version you use).

    @@ -1830,9 +1830,9 @@ the new printer appears in a \\SambaServer\PrinterName entry in the drop-down list of available printers.

    - - - + + + cupsaddsmb will only reliably work with CUPS version 1.1.15 or higher and with Samba version 2.2.4, or later. If it does not work, or if the automatic printer driver download to the clients does not succeed, you can still manually install the CUPS printer PPD on top of the Adobe PostScript driver on @@ -1861,34 +1861,34 @@ Sometimes you can choose PostScript Language Level: in case of problems try 2 instead of 3 (the latest ESP Ghostscript package handles Level 3 PostScript very well; Adobe).

  • - Say Yes to PostScript Error Handler (Adobe).

  • Installing PostScript Driver Files Manually Using rpcclient

    + Say Yes to PostScript Error Handler (Adobe).

    Installing PostScript Driver Files Manually Using rpcclient

    Of course, you can run all the commands that are embedded into the cupsaddsmb convenience utility yourself, one by one, and upload and prepare the driver files for future client downloads.

    1. Prepare Samba (a CUPS print queue with the name of the printer should be there. We are providing the driver now).

    2. Copy all files to [print$].

    3. - + Run rpcclient adddriver (for each client architecture you want to support).

    4. - + Run rpcclient setdriver.

    - - - - - + + + + + We are going to do this now. First, read the man page on rpcclient to get a first idea. Look at all the printing-related subcommands: enumprinters, enumdrivers, enumports, adddriver, and setdriver are among the most interesting ones. rpcclient implements an important part of the MS-RPC protocol. You can use it to query (and command) a Windows NT (or 200x/XP) PC, too. MS-RPC is used by Windows clients, among other things, to benefit from the Point'n'Print features. Samba can now mimic this as well. -

    A Check of the rpcclient man Page

    +

    A Check of the rpcclient man Page

    First let's check the rpcclient man page. Here are two relevant passages:

    - - - + + + adddriver <arch> <config> Execute an AddPrinterDriver() RPC to install the printer driver information on the server. The driver files should already exist in the directory returned by getdriverdir. Possible values for arch are the @@ -1911,18 +1911,18 @@ NT print server, the print monitor for a driver must already be installed before adding the driver or else the RPC will fail.

    - - + + setdriver <printername> <drivername> Execute a SetPrinter() command to update the printer driver associated with an installed printer. The printer driver must already be correctly installed on the print server.

    - - + + See also the enumprinters and enumdrivers commands to obtain a list of installed printers and drivers. -

    Understanding the rpcclient man Page

    - +

    Understanding the rpcclient man Page

    + The exact format isn't made too clear by the man page, since you have to deal with some parameters containing spaces. Here is a better description for it. We have line-broken the command and indicated the breaks with “\”. Usually you would type the command in one line without the line @@ -1946,9 +1946,9 @@ listening to the traffic caused by Windows computers on the wire. We may as well turn to a Windows box now and access it from a UNIX workstation. We will query it with rpcclient to see what it tells us and try to understand the man page more clearly. -

    Producing an Example by Querying a Windows Box

    - - +

    Producing an Example by Querying a Windows Box

    + + We could run rpcclient with a getdriver or a getprinter subcommand (in level 3 verbosity) against it. Just sit down at a UNIX or Linux workstation with the Samba utilities installed, then type the following command: @@ -1956,7 +1956,7 @@ root# rpcclient -U'user%secret' NT-SERVER -c 'getdriver printername 3'

    From the result it should become clear which is which. Here is an example from my installation: - +

     root# rpcclient -U'Danka%xxxx' W200xSERVER \
         -c'getdriver "DANKA InfoStream Virtual Printer" 3'
    @@ -1987,10 +1987,10 @@
     would go into the last field ListOfFiles,Comma-separated. For the CUPS PostScript
     drivers, we do not need any (nor would we for the Adobe PostScript driver); therefore, the field will get a
     “NULL” entry.
    -

    Requirements for adddriver and setdriver to Succeed

    - - - +

    Requirements for adddriver and setdriver to Succeed

    + + + From the man page (and from the quoted output of cupsaddsmb above) it becomes clear that you need to have certain conditions in order to make the manual uploading and initializing of the driver files succeed. The two rpcclient subcommands (adddriver and @@ -2007,19 +2007,19 @@ the [print$] share and create subdirectories.

  • The printer you are going to set up for the Windows clients needs to be installed in CUPS already.

  • - - + + The CUPS printer must be known to Samba; otherwise the setdriver subcommand fails with an NT_STATUS_UNSUCCESSFUL error. To check if the printer is known by Samba, you may use the enumprinters subcommand to rpcclient. A long-standing bug prevented a proper update of the printer list until every smbd process had received a SIGHUP or was restarted. Remember this in case you've created the CUPS printer just recently and encounter problems: try restarting Samba. -

  • Manual Driver Installation in 15 Steps

    +

    Manual Driver Installation in 15 Steps

    We are going to install a printer driver now by manually executing all required commands. Because this may seem a rather complicated process at first, we go through the procedure step by step, explaining every single action item as it comes up. -

    Procedure 22.2. Manual Driver Installation

    1. Install the printer on CUPS.

      +

      Procedure 22.2. Manual Driver Installation

      1. Install the printer on CUPS.

         	root# lpadmin -p mysmbtstprn -v socket://10.160.51.131:9100 -E \
         				-P canonIR85.ppd
         	

        @@ -2028,7 +2028,7 @@ (a.k.a. JetDirect or Direct TCP/IP) connection. You need to be root for this step.

      2. (Optional.) Check if the printer is recognized by Samba.

        - +

         root# rpcclient -Uroot%xxxx -c 'enumprinters' localhost \
           | grep -C2 mysmbtstprn
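Review bot: `root# rpcclient -Uroot%xxxx -c 'enumprinters' localhost` passes the password inline in the `-Uuser%password` form, which exposes it to every local user via the process list and leaves it in the shell history; the same form is repeated in the rpcclient examples of the following steps. Suggest writing the examples as `rpcclient -Uroot -c 'enumprinters' localhost` so that rpcclient prompts for the password (or using `-A` with a credentials file), and the next hunk's remark that you can "authenticate as one of the users from the write list as defined in smb.conf for [print$]" is the natural place to say why a non-root account from that list is preferable.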
        @@ -2048,8 +2048,8 @@
         	of the following steps. Alternatively, you can authenticate as one of the users from the “write
         	list” as defined in smb.conf for [print$].
         	

      3. (Optional.) Check if Samba knows a driver for the printer.

        - - + +

         root# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2'\
          localhost | grep driver 
        @@ -2105,7 +2105,7 @@
         The driver files now are in the W32X86 architecture “root” of
         [print$].
         

      4. Tell Samba that these are driver files (adddriver).

        - +

         root# rpcclient -Uroot%xxxx -c 'adddriver "Windows NT x86" \
         	"mydrivername:cupsdrvr.dll:mysmbtstprn.PPD: \
        @@ -2136,7 +2136,7 @@
         Notice how step 6 also moved the driver files to the appropriate
         subdirectory. Compare this with the situation after step 5.
         

      5. (Optional.) Verify if Samba now recognizes the driver.

        - +

         root# rpcclient -Uroot%xxxx -c 'enumdrivers 3' \
         	localhost | grep -B2 -A5 mydrivername
        @@ -2152,7 +2152,7 @@
         Remember, this command greps for the name you chose for the
         driver in step 6. This command must succeed before you can proceed.
         

      6. Tell Samba which printer should use these driver files (setdriver).

        - +

         root# rpcclient -Uroot%xxxx -c 'setdriver mysmbtstprn mydrivername' \
         	localhost
        @@ -2163,9 +2163,9 @@
         succeed. The only preconditions are that enumdrivers must find the driver and
         enumprinters must find the printer.
         

      7. (Optional) Verify if Samba has recognized this association.

        - - - + + +

         root# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \
           | grep driver
        @@ -2205,13 +2205,13 @@
              comment:[mysmbtstprn]
         
         

        - + Compare these results with the ones from steps 2 and 3. Every one of these commands show the driver is installed. Even the enumprinters command now lists the driver on the “description” line.

      8. (Optional.) Tickle the driver into a correct device mode.

        - + You certainly know how to install the driver on the client. In case you are not particularly familiar with Windows, here is a short recipe: Browse the Network Neighborhood, go to the Samba server, and look @@ -2234,12 +2234,12 @@ Change any printer setting once (like changing portrait to landscape), click on Apply, and change the setting back.

      9. Install the printer on a client (Point'n'Print).

        - +

         C:\> rundll32 printui.dll,PrintUIEntry /in /n "\\sambaserver\mysmbtstprn"
         

        If it does not work, it could be a permissions problem with the [print$] share. -

      10. (Optional) Print a test page.

        +

      11. (Optional) Print a test page.

         C:\> rundll32 printui.dll,PrintUIEntry /p /n "\\sambaserver\mysmbtstprn"
         

        Then hit [TAB] five times, [ENTER] twice, [TAB] once, and [ENTER] again, and march to the printer. @@ -2249,8 +2249,8 @@ why not just throw it away!

      12. (Obligatory.) Enjoy. Jump. Celebrate your success.

         root# echo "Cheeeeerioooooo! Success..." >> /var/log/samba/log.smbd
        -

    Troubleshooting Revisited

    - +

    Troubleshooting Revisited

    + The setdriver command will fail if in Samba's mind the queue is not already there. A successful installation displys the promising message that the:
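Review bot: typo in the first paragraph of Troubleshooting Revisited: "displys" should read "displays".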

    @@ -2261,20 +2261,20 @@
     
     result was NT_STATUS_UNSUCCESSFUL
     

    - - + + It is not good enough that you can see the queue in CUPS, using the lpstat -p ir85wm command. A bug in most recent versions of Samba prevents the proper update of the queue list. The recognition of newly installed CUPS printers fails unless you restart Samba or send a HUP to all smbd processes. To verify if this is the reason why Samba does not execute the setdriver command successfully, check if Samba “sees” the printer: - +

     root# rpcclient transmeta -N -U'root%xxxx' -c 'enumprinters 0'|grep ir85wm
             printername:[ir85wm]
     

    An alternate command could be this: - +

     root# rpcclient transmeta -N -U'root%secret' -c 'getprinter ir85wm' 
             cmd = getprinter ir85wm
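Review bot: "A bug in most recent versions of Samba prevents the proper update of the queue list" contradicts the requirements paragraph earlier in the chapter, which describes the same problem in the past tense ("A long-standing bug prevented a proper update of the printer list until every smbd process had received a SIGHUP or was restarted"). The two passages should agree on whether the restart/SIGHUP workaround is still needed in this release; if the bug is fixed, say so in both places and keep the enumprinters check as a plain verification step. Minor: the -N option in rpcclient transmeta -N -U'root%xxxx' only suppresses the password prompt, which is moot once the password is supplied inline.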
    @@ -2284,28 +2284,28 @@
             comment:[CUPS PostScript-Treiber for Windows NT/200x/XP]
     

    By the way, you can use these commands, plus a few more, of course, to install drivers on remote Windows NT print servers too! -

    The Printing *.tdb Files

    - - - - - - - - - - - - - +

    The Printing *.tdb Files

    + + + + + + + + + + + + + Some mystery is associated with the series of files with a tdb suffix appearing in every Samba installation. They are connections.tdb, printing.tdb, share_info.tdb, ntdrivers.tdb, unexpected.tdb, brlock.tdb, locking.tdb, ntforms.tdb, messages.tdb , ntprinters.tdb, sessionid.tdb, and secrets.tdb. What is their purpose? -

    Trivial Database Files

    - +

    Trivial Database Files

    + A Windows NT (print) server keeps track of all information needed to serve its duty toward its clients by storing entries in the Windows registry. Client queries are answered by reading from the registry, Administrator or user configuration settings that are saved by writing into the registry. Samba and UNIX @@ -2314,7 +2314,7 @@ /var/lib/samba/ or /var/lock/samba/. The printing-related files are ntprinters.tdb, printing.tdb,ntforms.tdb, and ntdrivers.tdb. -

    Binary Format

    +

    Binary Format

    *.tdb files are not human readable. They are written in a binary format. “Why not ASCII?”, you may ask. “After all, ASCII configuration files are a good and proven tradition on UNIX.” The reason for this design decision by the Samba Team is mainly performance. Samba needs to be @@ -2323,16 +2323,16 @@ *.tdb file at the same time. The file format of Samba's *.tdb files allows for this provision. Many smbd processes may write to the same *.tdb file at the same time. This wouldn't be possible with pure ASCII files. -

    Losing *.tdb Files

    +

    Losing *.tdb Files

    It is very important that all *.tdb files remain consistent over all write and read accesses. However, it may happen that these files do get corrupted. (A kill -9 `pidof smbd' while a write access is in progress could do the damage, as could a power interruption, etc.). In cases of trouble, a deletion of the old printing-related *.tdb files may be the only option. After that, you need to re-create all print-related setups unless you have made a backup of the *.tdb files in time. -

    Using tdbbackup

    - - +

    Using tdbbackup

    + + Samba ships with a little utility that helps the root user of your system to backup your *.tdb files. If you run it with no argument, it prints a usage message:
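Review bot: in the Using tdbbackup paragraph "to backup your *.tdb files" should read "to back up" (verb). The listing that follows shows the .bak copy keeping the 0600 root-only mode of the original; it is worth stating explicitly that *.tdb backups need the same protection as the originals, which matters most for secrets.tdb from the list given in The Printing *.tdb Files.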

    @@ -2359,10 +2359,10 @@
      -rw-------    1 root     root        40960 May  2 03:44 printing.tdb
      -rw-------    1 root     root        40960 May  2 03:44 printing.tdb.bak
     
    -

    CUPS Print Drivers from Linuxprinting.org

    - +

    CUPS Print Drivers from Linuxprinting.org

    + CUPS ships with good support for HP LaserJet-type printers. You can install the generic driver as follows: - +

     root# lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -m laserjet.ppd
     

    @@ -2378,9 +2378,9 @@ the tireless work of Till Kamppeter from Mandrakesoft, who is also the principal author of the foomatic-rip utility.

    Note

    - - - + + + The former cupsomatic concept is now being replaced by the new successor, a much more powerful foomatic-rip. cupsomatic is no longer maintained. Here is the new URL to the Foomatic-3.0 @@ -2389,9 +2389,9 @@ cupsomatic. The new-style PPDs are 100% compliant with the Adobe PPD specification. They are also intended to be used by Samba and the cupsaddsmb utility, to provide the driver files for the Windows clients! -

    foomatic-rip and Foomatic Explained

    - - +

    foomatic-rip and Foomatic Explained

    + + Nowadays, most Linux distributions rely on the utilities from the Linuxprinting.org to create their printing-related software (which, by the way, works on all UNIXes and on Mac OS X and Darwin, too). The utilities from this sire have a very end-user-friendly interface that allows for an easy update of drivers and PPDs for all supported models, @@ -2402,8 +2402,8 @@ Linuxprinting.org keeps all the important facts about printer drivers, supported models, and which options are available for the various driver/printer combinations in its Foomatic database. Currently there are 245 drivers in the database. Many drivers support various models, and many models may be driven by different drivers its your choice! -
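Review bot: two typos in the foomatic-rip and Foomatic Explained paragraph: "this sire" should be "this site", and "its your choice" needs the apostrophe ("it's your choice"); a semicolon before it would also help, since "many models may be driven by different drivers its your choice" currently runs two clauses together.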

    690 “Perfect” Printers

    - +

    690 “Perfect” Printers

    + At present, there are 690 devices dubbed as working perfectly: 181 are mostly perfect, 96 are partially perfect, and 46 are paperweights. Keeping in mind that most of these are non-PostScript models (PostScript printers are automatically supported by CUPS to perfection by using their @@ -2411,7 +2411,7 @@ if it does not also scan and copy and fax under GNU/Linux then this is a truly astonishing achievement! Three years ago the number was not more than 500, and Linux or UNIX printing at the time wasn't anywhere near the quality it is today. -

    How the Printing HOWTO Started It All

    +

    How the Printing HOWTO Started It All

    A few years ago Grant Taylor started it all. The roots of today's Linuxprinting.org are in the first Linux Printing HOWTO that he authored. As a side-project to this document, which served many Linux users and admins to guide their first steps in this @@ -2420,8 +2420,8 @@ Postgres database with information about the hardware and driver zoo that made up Linux printing of the time. This database became the core component of today's Foomatic collection of tools and data. In the meantime, it has moved to an XML representation of the data. -

    Foomatic's Strange Name

    - +

    Foomatic's Strange Name

    +Why the funny name?” you ask. When it really took off, around spring 2000, CUPS was far less popular than today, and most systems used LPD, LPRng, or even PDQ to print. CUPS shipped with a few generic drivers (good for a few hundred different printer models). These didn't support many device-specific options. @@ -2439,10 +2439,10 @@ to CUPS users (because often the traditional Ghostscript way of printing was the only one available).

  • It gave all the advanced CUPS options (Web interface, GUI driver configurations) to users wanting (or needing) to use - Ghostscript filters.

  • cupsomatic, pdqomatic, lpdomatic, directomatic

    - - + Ghostscript filters.

    cupsomatic, pdqomatic, lpdomatic, directomatic

    + + CUPS worked through a quickly hacked-up filter script named cupsomatic. cupsomatic ran the printfile through Ghostscript, constructing automatically the rather complicated command line needed. It just needed to be copied into the CUPS system to make it work. To configure the way cupsomatic controls the @@ -2463,8 +2463,8 @@ behind the “*omatic” scripts. Foomatic, up to versions 2.0.x, required (ugly) Perl data structures attached to Linuxprinting.org PPDs for CUPS. It had a different “*omatic” script for every spooler, as well as different printer configuration files. -
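Review bot: in the rendered text the opening quotation mark before "Why the funny name?" at the start of Foomatic's Strange Name is missing, leaving only the closing ” after "name?"; please check that the added source line carries the opening “ so the quotes are balanced.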

    The Grand Unification Achieved

    - +

    The Grand Unification Achieved

    + This has all changed in Foomatic versions 2.9 (beta) and released as “stable” 3.0. It has now achieved the convergence of all *omatic scripts and is called the foomatic-rip. This single script is the unification of the previously different spooler-specific *omatic scripts. @@ -2473,18 +2473,18 @@ have the power of PPDs at their disposal. Users only need to plug foomatic-rip into their system. For users there is improved media type and source support paper sizes and trays are easier to configure.

    - - - + + + Also, the new generation of Linuxprinting.org PPDs no longer contains Perl data structures. If you are a distro maintainer and have used the previous version of Foomatic, you may want to give the new one a spin, but remember to generate a new-version set of PPDs via the new foomatic-db-engine!. Individual users just need to generate a single new PPD specific to their model by following the steps outlined in the Foomatic tutorial or in this chapter. This new development is truly amazing.

    - - - + + + foomatic-rip is a very clever wrapper around the need to run Ghostscript with a different syntax, options, device selections, and/or filters for each different printer or spooler. At the same time, it can read the PPD associated with a print queue and modify the print job according to the user selections. Together with this @@ -2492,8 +2492,8 @@ Foomatic concept may surprise users. It will support custom paper sizes for many printers and will support printing on media drawn from different paper trays within the same job (in both cases, even where there is no support for this from Windows-based vendor printer drivers). -

    Driver Development Outside

    - +

    Driver Development Outside

    + Most driver development itself does not happen within Linuxprinting.org. Drivers are written by independent maintainers. Linuxprinting.org just pools all the information and stores it in its database. In addition, it also provides the Foomatic glue to integrate the many drivers into any modern (or legacy) printing system @@ -2501,25 +2501,25 @@

    Speaking of the different driver development groups, most of the work is currently done in three projects:

    • - + Omni a free software project by IBM that tries to convert its printer driver knowledge from good-ol' OS/2 times into a modern, modular, universal driver architecture for Linux/UNIX (still beta). This currently supports 437 models.

    • - + HPIJS a free software project by HP to provide the support for its own range of models (very mature, printing in most cases is perfect and provides true photo quality). This currently supports 369 models.

    • - + Gutenprint a free software effort, started by Michael Sweet (also lead developer for CUPS), now directed by Robert Krawitz, which has achieved an amazing level of photo print quality (many Epson users swear that its quality is better than the vendor drivers provided by Epson for the Microsoft - platforms). This currently supports 522 models.

    Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)

    + platforms). This currently supports 522 models.

    Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)

    Linuxprinting.org today is the one-stop shop to download printer drivers. Look for printer information and tutorials or solve printing problems in its popular forums. This @@ -2528,9 +2528,9 @@ Mac OS X forum has turned out to be one of the most frequented forums after only a few weeks.

    - - - + + + Linuxprinting.org and the Foomatic driver wrappers around Ghostscript are now a standard tool-chain for printing on all the important distros. Most of them also have CUPS underneath. While in recent years most printer data had been added by Kamppeter, many additional contributions came from engineers with SuSE, Red @@ -2539,16 +2539,16 @@

    Note

    Till Kamppeter from Mandrakesoft is doing an excellent job in his spare time to maintain Linuxprinting.org and Foomatic. So if you use it often, please send him a note showing your appreciation. -

    Foomatic Database-Generated PPDs

    - - - +

    Foomatic Database-Generated PPDs

    + - - - + + + + + The Foomatic database is an amazing piece of ingenuity in itself. Not only does it keep the printer and driver information, but it is organized in a way that it can generate PPD files on the fly from its internal XML-based datasets. While these PPDs are modeled to the Adobe specification of PPDs, the @@ -2563,7 +2563,7 @@ This usage of PPDs to describe the options of non-PostScript printers was the invention of the CUPS developers. The rest is easy. GUI tools (like KDE's marvelous kprinter or the GNOME gtklp xpp and the CUPS Web interface) read the PPD as well and use this information to present the available settings to the user as an intuitive menu selection. -

    foomatic-rip and Foomatic PPD Download and Installation

    +

    foomatic-rip and Foomatic PPD Download and Installation

    Here are the steps to install a foomatic-rip-driven LaserJet 4 Plus-compatible printer in CUPS (note that recent distributions of SuSE, UnitedLinux and Mandrake may ship with a complete package of Foomatic-PPDs plus the @@ -2656,8 +2656,8 @@ fit for your printer model's consumption.

  • Ghostscript must (depending on the driver/model) contain support for a certain device representing the selected driver for your model (as shown by gs -h).

  • foomatic-rip needs a new version of PPDs (PPD versions - produced for cupsomatic do not work with foomatic-rip).

  • Page Accounting with CUPS

    - + produced for cupsomatic do not work with foomatic-rip).

    Page Accounting with CUPS

    + Often there are questions regarding print quotas where Samba users (that is, Windows clients) should not be able to print beyond a certain number of pages or data volume per day, week, or month. This feature is dependent on the real print subsystem you're using. Samba's part is always to receive the job files from the @@ -2665,18 +2665,18 @@

    Of course one could hack things with one's own scripts. But then there is CUPS. CUPS supports quotas that can be based on the size of jobs or on the number of pages or both, and can span any time period you want. -

    Setting Up Quotas

    - +

    Setting Up Quotas

    + This is an example command of how root would set a print quota in CUPS, assuming an existing printer named “quotaprinter”: - +

     root# lpadmin -p quotaprinter -o job-quota-period=604800 \
     	-o job-k-limit=1024 -o job-page-limit=100
     

    This would limit every single user to print no more than 100 pages or 1024 KB of data (whichever comes first) within the last 604,800 seconds ( = 1 week). -

    Correct and Incorrect Accounting

    +

    Correct and Incorrect Accounting

    For CUPS to count correctly, the printfile needs to pass the CUPS pstops filter; otherwise it uses a dummy count of “one”. Some print files do not pass it (e.g., image files), but then those are mostly one-page jobs anyway. This also means that proprietary drivers for the target printer running on the client @@ -2687,12 +2687,12 @@ accounting done. If the printer is a non-PostScript model, you need to let CUPS do the job to convert the file to a print-ready format for the target printer. This is currently working for about a thousand different printer models. Linuxprinting.org has a driver list. -

    Adobe and CUPS PostScript Drivers for Windows Clients

    - - - - - +

    Adobe and CUPS PostScript Drivers for Windows Clients

    + + + + + Before CUPS 1.1.16, your only option was to use the Adobe PostScript driver on the Windows clients. The output of this driver was not always passed through the pstops filter on the CUPS/Samba side, and therefore was not counted correctly (the reason is that it often, depending on the PPD being used, wrote a @@ -2703,13 +2703,13 @@ clients (which is tagged in the download area of http://www.cups.org/ as the cups-samba-1.1.16.tar.gz package). It does not work for Windows 9x/Me clients, but it guarantees: -

    • To not write a PJL-header.

    • To still read and support all PJL-options named in the +

      • To not write a PJL-header.

      • To still read and support all PJL-options named in the driver PPD with its own means.

      • That the file will pass through the pstops filter on the CUPS/Samba server.

      • To page-count correctly the print file.

      You can read more about the setup of this combination in the man page for cupsaddsmb (which is only present with CUPS installed, and only current from CUPS 1.1.16). -

    The page_log File Syntax

    - +

    The page_log File Syntax

    + These are the items CUPS logs in the page_log for every page of a job:

    • Printer name

    • User name

    • Job ID

    • Time of printing

    • Page number

    • Number of copies

    • A billing information string (optional)

    • The host that sent the job (included since version 1.1.19)

    Here is an extract of my CUPS server's page_log file to illustrate the @@ -2727,7 +2727,7 @@ The next job had ID 402, was sent by user boss from IP address 10.160.51.33, printed from one page 440 copies, and is set to be billed to finance-dep. -

    Possible Shortcomings

    +

    Possible Shortcomings

    What flaws or shortcomings are there with this quota system?

    • The ones named above (wrongly logged job in case of printer hardware failure, and so on).

    • In reality, CUPS counts the job pages that are being @@ -2741,7 +2741,7 @@ “used-up” number of current quota.

    • A user having used up 99 sheets of a 100 quota will still be able to send and print a 1,000 sheet job.

    • A user being denied a job because of a filled-up quota does not get a meaningful error message from CUPS other than - “client-error-not-possible”.

    Future Developments

    + “client-error-not-possible”.

    Future Developments

    This is the best system currently available, and there are huge improvements under development for CUPS 1.2:

    • Page counting will go into the backends (these talk @@ -2749,10 +2749,10 @@ actual printing process; thus, a jam at the fifth sheet will lead to a stop in the counting).

    • Quotas will be handled more flexibly.

    • Probably there will be support for users to inquire about their accounts in advance.

    • Probably there will be support for some other tools - around this topic.

    Other Accounting Tools

    + around this topic.

    Other Accounting Tools

    Other accounting tools that can be used includes: PrintAnalyzer, pyKota, printbill, LogReport. For more information regarding these tools you can try a Google search. -
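Review bot: subject-verb agreement in Other Accounting Tools: "Other accounting tools that can be used includes" should read "include". "you can try a Google search" is thin for reference documentation; if the project sites for PrintAnalyzer, pyKota, printbill and LogReport are known to the authors, they belong here.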

    Additional Material

    +

    Additional Material

    A printer queue with no PPD associated to it is a “raw” printer, and all files will go directly there as received by the spooler. The exceptions are file types application/octet-stream @@ -2831,15 +2831,15 @@ allowed to have direct access (such as when the operators often need to load the proper paper type before running the 10,000 page job requested by marketing for the mailing, and so on). -

    Autodeletion or Preservation of CUPS Spool Files

    - - +

    Autodeletion or Preservation of CUPS Spool Files

    + + Samba print files pass through two spool directories. One is the incoming directory managed by Samba (set in the path = /var/spool/samba directive in the [printers] section of smb.conf). The other is the spool directory of your UNIX print subsystem. For CUPS it is normally /var/spool/cups/, as set by the cupsd.conf directive RequestRoot /var/spool/cups. -

    CUPS Configuration Settings Explained

    +

    CUPS Configuration Settings Explained

    Some important parameter settings in the CUPS configuration file cupsd.conf are:

    PreserveJobHistory Yes

    @@ -2863,7 +2863,7 @@

    (There are also additional settings for MaxJobsPerUser and MaxJobsPerPrinter.) -

    Preconditions

    +

    Preconditions

    For everything to work as it should, you need to have three things:

    • A Samba smbd that is compiled against libcups (check on Linux by running ldd `which smbd').

    • A Samba-smb.conf setting of @@ -2876,14 +2876,14 @@ lppause command, and lpresume command) are ignored, and they should normally have no influence whatsoever on your printing. -

    Manual Configuration

    +

    Manual Configuration

    If you want to do things manually, replace the printing = cups by printing = bsd. Then your manually set commands may work (I haven't tested this), and a print command = lp -d %P %s; rm %s may do what you need. -

    Printing from CUPS to Windows-Attached Printers

    - - +

    Printing from CUPS to Windows-Attached Printers

    + + From time to time the question arises, how can you print to a Windows-attached printer from Samba? Normally the local connection from Windows host to printer would be done by USB or parallel cable, but this does not matter to Samba. From here only an SMB connection needs to be opened @@ -2918,8 +2918,8 @@

     root# ln -s `which smbspool` /usr/lib/cups/backend/smb
     

    - - + + smbspool was written by Mike Sweet from the CUPS folks. It is included and ships with Samba. It may also be used with print subsystems other than CUPS, to spool jobs to Windows printer shares. To set up printer winprinter on CUPS, you need to have a driver for it. Essentially @@ -2934,9 +2934,9 @@ root# lpadmin -p winprinter -v smb://WINDOWSNETBIOSNAME/printersharename \ -P /path/to/PPD

    - - + + The PPD must be able to direct CUPS to generate the print data for the target model. For PostScript printers, just use the PPD that would be used with the Windows NT PostScript driver. But what can you do if the printer is only accessible with a password? Or if the printer's host is part of another workgroup? This is provided @@ -2949,10 +2949,10 @@ Printing will only work if you have a working NetBIOS name resolution up and running. Note that this is a feature of CUPS and you do not necessarily need to have smbd running. -

    More CUPS Filtering Chains

    +

    More CUPS Filtering Chains

    The diagrams in Filtering Chain 1 and Filtering Chain with cupsomatic show how CUPS handles print jobs. -

    Figure 22.17. Filtering Chain 1.

    Filtering Chain 1.

    Figure 22.18. Filtering Chain with cupsomatic

    Filtering Chain with cupsomatic

    Common Errors

    Windows 9x/Me Client Can't Install Driver

    For Windows 9x/Me, clients require the printer names to be eight +

    Figure 22.17. Filtering Chain 1.

    Filtering Chain 1.

    Figure 22.18. Filtering Chain with cupsomatic

    Filtering Chain with cupsomatic

    Common Errors

    Windows 9x/Me Client Can't Install Driver

    For Windows 9x/Me, clients require the printer names to be eight characters (or “8 plus 3 chars suffix”) max; otherwise, the driver files will not get transferred when you want to download them from Samba.

    cupsaddsmb” Keeps Asking for Root Password in Never-ending Loop

    Have you set security = user? Have you used smbpasswd to give root a Samba account? @@ -2963,10 +2963,10 @@ password).

    If the error is “Tree connect failed: NT_STATUS_BAD_NETWORK_NAME”, you may have forgotten to create the /etc/samba/drivers directory. -

    cupsaddsmb” or “rpcclient addriver” Emit Error

    +

    cupsaddsmb” or “rpcclient addriver” Emit Error

    If cupsaddsmb, or rpcclient addriver emit the error message WERR_BAD_PASSWORD, refer to the previous common error. -

    cupsaddsmb” Errors

    +

    cupsaddsmb” Errors

    The use of “cupsaddsmb” gives “No PPD file for printer...” message while PPD file is present. What might the problem be?

    @@ -2977,10 +2977,10 @@ cupsaddsmb -H sambaserver -h cupsserver -v printername.

    Is your TempDir directive in cupsd.conf set to a valid value, and is it writable? -

    Client Can't Connect to Samba Printer

    Use smbstatus to check which user +

    Client Can't Connect to Samba Printer

    Use smbstatus to check which user you are from Samba's point of view. Do you have the privileges to write into the [print$] - share?

    New Account Reconnection from Windows 200x/XP Troubles

    + share?

    New Account Reconnection from Windows 200x/XP Troubles

    Once you are connected as the wrong user (for example, as nobody, which often occurs if you have map to guest = bad user), Windows Explorer will not accept an attempt to connect again as a different user. There will not be any bytes transferred on the wire to Samba, @@ -2995,44 +2995,44 @@ connected under a different account. Now open the Printers folder (on the Samba server in the Network Neighborhood), right-click on the printer in question, and select Connect..... -

    Avoid Being Connected to the Samba Server as the Wrong User

    - +

    Avoid Being Connected to the Samba Server as the Wrong User

    + You see per smbstatus that you are connected as user nobody, but you want to be root or printer admin. This is probably due to map to guest = bad user, which silently connected you under the guest account when you gave (maybe by accident) an incorrect username. Remove map to guest if you want to prevent this. -

    Upgrading to CUPS Drivers from Adobe Drivers

    +

    Upgrading to CUPS Drivers from Adobe Drivers

    This information came from a mailing list posting regarding problems experienced when upgrading from Adobe drivers to CUPS drivers on Microsoft Windows NT/200x/XP clients.

    First delete all old Adobe-using printers. Then delete all old Adobe drivers. (On Windows 200x/XP, right-click in the background of Printers folder, select Server Properties..., select -tab Drivers, and delete here).

    Can't Use “cupsaddsmb” on Samba Server, Which Is a PDC

    Do you use the “naked” root user name? Try to do it +tab Drivers, and delete here).

    Can't Use “cupsaddsmb” on Samba Server, Which Is a PDC

    Do you use the “naked” root user name? Try to do it this way: cupsaddsmb -U DOMAINNAME\\root -v printername> (note the two backslashes: the first one is -required to “escape” the second one).

    Deleted Windows 200x Printer Driver Is Still Shown

    Deleting a printer on the client will not delete the +required to “escape” the second one).

    Deleted Windows 200x Printer Driver Is Still Shown

    Deleting a printer on the client will not delete the driver too (to verify, right-click on the white background of the Printers folder, select Server Properties and click on the Drivers tab). These same old drivers will be re-used when you try to install a printer with the same name. If you want to update to a new driver, delete the old ones first. Deletion is only possible if no -other printer uses the same driver.

    Windows 200x/XP Local Security Policies

    Local security policies may not allow the installation of unsigned drivers “local -security policies” may not allow the installation of printer drivers at all.

    Administrator Cannot Install Printers for All Local Users

    - - +other printer uses the same driver.

    Windows 200x/XP Local Security Policies

    Local security policies may not allow the installation of unsigned drivers “local +security policies” may not allow the installation of printer drivers at all.
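Review bot: in Windows 200x/XP Local Security Policies two sentences have run together: "may not allow the installation of unsigned drivers “local security policies” may not allow the installation of printer drivers at all" needs a full stop (or semicolon) after "unsigned drivers". Since the re-added "security policies” may not allow..." line is otherwise identical to the removed one, this is the right moment to fix the punctuation.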

    Administrator Cannot Install Printers for All Local Users

    + + Windows XP handles SMB printers on a “per-user” basis. This means every user needs to install the printer himself or herself. To have a printer available for everybody, you might want to use the built-in IPP client capabilities of Win XP. Add a printer with the print path of http://cupsserver:631/printers/printername. We're still looking into this one. Maybe a logon script could automatically install printers for all users. -

    Print Change, Notify Functions on NT Clients

    For print change, notify functions on NT++ clients. These need to run the Server -service first (renamed to File & Print Sharing for MS Networks in XP).

    Windows XP SP1

    Windows XP SP1 introduced a Point and Print Restriction Policy (this restriction does not apply to +

    Print Change, Notify Functions on NT Clients

    For print change, notify functions on NT++ clients. These need to run the Server +service first (renamed to File & Print Sharing for MS Networks in XP).

    Windows XP SP1

    Windows XP SP1 introduced a Point and Print Restriction Policy (this restriction does not apply to “Administrator” or “Power User” groups of users). In Group Policy Object Editor, go to User Configuration -> Administrative Templates -> Control Panel -> Printers. The policy is automatically set to Enabled and the Users can only Point and Print to machines in their Forest . You probably need to change it to Disabled or Users can only Point and Print to these servers to make driver downloads from Samba possible. -

    Print Options for All Users Can't Be Set on Windows 200x/XP

    How are you doing it? I bet the wrong way (it is not easy to find out, though). There are three +

    Print Options for All Users Can't Be Set on Windows 200x/XP

    How are you doing it? I bet the wrong way (it is not easy to find out, though). There are three different ways to bring you to a dialog that seems to set everything. All three dialogs look the same, yet only one of them does what you intend. You need to be Administrator or Print Administrator to do this for all users. Here is how I do it on XP: @@ -3065,33 +3065,33 @@ (printer admin in smb.conf) before a client downloads the driver (the clients can later set their own per-user defaults by following the procedures A or B). -

    Most Common Blunders in Driver Settings on Windows Clients

    +

    Most Common Blunders in Driver Settings on Windows Clients

    Don't use Optimize for Speed, but use Optimize for Portability instead (Adobe PS Driver). Don't use Page Independence: No. Always settle with Page Independence: Yes (Microsoft PS Driver and CUPS PS Driver for Windows NT/200x/XP). If there are problems with fonts, use Download as Softfont into printer (Adobe PS Driver). For TrueType Download Options choose Outline. Use PostScript Level 2 if you are having trouble with a non-PS printer and if there is a choice. -

    cupsaddsmb Does Not Work with Newly Installed Printer

    +

    cupsaddsmb Does Not Work with Newly Installed Printer

    Symptom: The last command of cupsaddsmb does not complete successfully. If the cmd = setdriver printername printername result was NT_STATUS_UNSUCCESSFUL, then possibly the printer was not yet recognized by Samba. Did it show up in Network Neighborhood? Did it show up in rpcclient hostname -c `enumprinters'? Restart smbd (or send a kill -HUP to all processes listed by smbstatus, and try again. -

    Permissions on /var/spool/samba/ Get Reset After Each Reboot

    +

    Permissions on /var/spool/samba/ Get Reset After Each Reboot

    Have you ever by accident set the CUPS spool directory to the same location (RequestRoot /var/spool/samba/ in cupsd.conf or the other way round: /var/spool/cups/ is set as path> in the [printers] section)? These must be different. Set RequestRoot /var/spool/cups/ in cupsd.conf and path = /var/spool/samba in the [printers] section of smb.conf. Otherwise, cupsd will sanitize permissions to its spool directory with each restart and printing will not work reliably. -

    Print Queue Called “lp” Mishandles Print Jobs

    +

    Print Queue Called “lp” Mishandles Print Jobs

    In this case a print queue called “lp” intermittently swallows jobs and spits out completely different ones from what was sent.

    - - + + It is a bad idea to name any printer “lp”. This is the traditional UNIX name for the default printer. CUPS may be set up to do an automatic creation of Implicit Classes. This means, to group all printers with the same name to a pool of devices and load-balance the jobs across them in a round-robin fashion. @@ -3100,13 +3100,13 @@ BrowseShortNames No. It will present any printer as printername@cupshost, which gives you better control over what may happen in a large networked environment. -

    Location of Adobe PostScript Driver Files for “cupsaddsmb

    +

    Location of Adobe PostScript Driver Files for “cupsaddsmb

    Use smbclient to connect to any Windows box with a shared PostScript printer: smbclient //windowsbox/print\$ -U guest. You can navigate to the W32X86/2 subdir to mget ADOBE* and other files or to WIN40/0 to do the same. Another option is to download the *.exe packaged files from the Adobe Web site. -

    Overview of the CUPS Printing Processes

    +

    Overview of the CUPS Printing Processes

    A complete overview of the CUPS printing processes can be found in the CUPS Printing Overview diagram. -

    Figure 22.19. CUPS Printing Overview.

    CUPS Printing Overview.



    +

    Figure 22.19. CUPS Printing Overview.

    CUPS Printing Overview.
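Review bot: in the first CUPS-printing hunk above (the one ending at the @@ -3065,33 header), the sentence under "Windows 200x/XP Local Security Policies" runs two statements together: "Local security policies may not allow the installation of unsigned drivers “local security policies” may not allow the installation of printer drivers at all." Both the removed and the added copy carry it, so while the block is being re-emitted it should read "Local security policies may not allow the installation of unsigned drivers, or may not allow the installation of printer drivers at all." The XP SP1 paragraph in the same block offers two settings, Disabled or "Users can only Point and Print to these servers"; the second is the one to recommend, since it keeps the restriction in force for every server other than the Samba host, and the text should say so.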
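Review bot: in the @@ -3065,33 +3065,33 @@ hunk, the "cupsaddsmb Does Not Work with Newly Installed Printer" block never closes its parenthesis: "Restart smbd (or send a kill -HUP to all processes listed by smbstatus, and try again." needs a ")" after "smbstatus". In the "Permissions on /var/spool/samba/" block, "is set as path> in the [printers] section" carries a stray ">" where the parameter name path should be marked up the way RequestRoot is in the same sentence. In the "lp" block, "This means, to group all printers with the same name to a pool of devices and load-balance the jobs across them in a round-robin fashion." is not a sentence; suggest "This means that all printers with the same name are grouped into a pool of devices and jobs are load-balanced across them round-robin."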
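Review bot: in the @@ -3100,13 +3100,13 @@ hunk, the heading "Location of Adobe PostScript Driver Files for “cupsaddsmb" is missing its closing quotation mark in both the removed and the added copy. The same block's instruction smbclient //windowsbox/print\$ -U guest should say that it only works where that Windows host permits guest access to print$, and, since the paragraph offers the Adobe download as the other source, that driver files fetched from an arbitrary Windows box should be checked against the vendor package before they are installed on the print server.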

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/diagnosis.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/diagnosis.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/diagnosis.html 2009-06-02 09:50:04.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/diagnosis.html 2009-06-19 11:14:57.000000000 +0200 @@ -1,5 +1,5 @@ -Chapter 38. The Samba Checklist

    Chapter 38. The Samba Checklist

    Andrew Samba Team Tridgell

    Samba Team

    Jelmer R. The Samba Team Vernooij

    The Samba Team

    Dan Samba Team Shearer

    Samba Team

    Wed Jan 15

    Introduction

    - +Chapter 38. The Samba Checklist

    Chapter 38. The Samba Checklist

    Andrew Samba Team Tridgell

    Samba Team

    Jelmer R. The Samba Team Vernooij

    The Samba Team

    Dan Samba Team Shearer

    Samba Team

    Wed Jan 15

    Introduction

    + This file contains a list of tests you can perform to validate your Samba server. It also tells you what the likely cause of the problem is if it fails any one of these steps. If it passes all these tests, @@ -14,7 +14,7 @@ If you send one of the Samba mailing lists an email saying, “It does not work,” and you have not followed this test procedure, you should not be surprised if your email is ignored. -

    Assumptions

    +

    Assumptions

    In all of the tests, it is assumed you have a Samba server called BIGSERVER and a PC called ACLIENT, both in workgroup TESTGROUP.

    @@ -24,31 +24,31 @@ smb.conf. I for our examples this share is called tmp. You can add a tmp share like this by adding the lines shown in the next example. -

    Example 38.1. smb.conf with [tmp] Share

    [tmp]
    comment = temporary files
    path = /tmp
    read only = yes

    Note

    +

    Example 38.1. smb.conf with [tmp] Share

    [tmp]
    comment = temporary files
    path = /tmp
    read only = yes

    Note

    These tests assume version 3.0.0 or later of the Samba suite. Some commands shown did not exist in earlier versions.

    - - - + + + Please pay attention to the error messages you receive. If any error message reports that your server is being unfriendly, you should first check that your IP name resolution is correctly set up. Make sure your /etc/resolv.conf file points to name servers that really do exist.

    - - - - + + + + Also, if you do not have DNS server access for name resolution, please check that the settings for your smb.conf file results in dns proxy = no. The best way to check this is with testparm smb.conf.

    - - - - - + + + + + It is helpful to monitor the log files during testing by using the tail -F log_file_name in a separate terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X). @@ -59,36 +59,36 @@

    If you make changes to your smb.conf file while going through these test, remember to restart smbd and nmbd. -

    The Tests

    Procedure 38.1. Diagnosing Your Samba Server

    1. - +

    The Tests

    Procedure 38.1. Diagnosing Your Samba Server

    1. + In the directory in which you store your smb.conf file, run the command testparm smb.conf. If it reports any errors, then your smb.conf configuration file is faulty.

      Note

      - - + + Your smb.conf file may be located in /etc/samba or in /usr/local/samba/lib.

    2. - + Run the command ping BIGSERVER from the PC and ping ACLIENT from the UNIX box. If you do not get a valid response, then your TCP/IP software is not correctly installed.

      You will need to start a “DOS prompt” window on the PC to run ping.

      - - - + + + If you get a message saying “host not found” or a similar message, then your DNS software or /etc/hosts file is not correctly set up. If using DNS, check that the /etc/resolv.conf has correct, current, entries in it. It is possible to run Samba without DNS entries for the server and client, but it is assumed you do have correct entries for the remainder of these tests.

      - - - + + + Another reason why ping might fail is if your host is running firewall software. You will need to relax the rules to let in the workstation in question, perhaps by allowing access from another subnet (on Linux @@ -98,8 +98,8 @@ Modern Linux distributions install ipchains/iptables by default. This is a common problem that is often overlooked.

    - - + + If you wish to check what firewall rules may be present in a system under test, simply run iptables -L -v, or if ipchains-based firewall rules are in use, ipchains -L -v. @@ -133,12 +133,12 @@ Run the command smbclient -L BIGSERVER on the UNIX box. You should get back a list of available shares.

    - - - - - - + + + + + + If you get an error message containing the string “bad password”, then you probably have either an incorrect hosts allow, hosts deny, or valid users line in your @@ -146,15 +146,15 @@ temporarily remove any hosts allow, hosts deny, valid users, or invalid users lines.

    - + If you get a message connection refused response, then the smbd server may not be running. If you installed it in inetd.conf, then you probably edited that file incorrectly. If you installed it as a daemon, then check that it is running and check that the netbios-ssn port is in a LISTEN state using netstat -a.

    Note

    - - + + Some UNIX/Linux systems use xinetd in place of inetd. Check your system documentation for the location of the control files for your particular system implementation of @@ -171,36 +171,36 @@ There are a number of reasons for which smbd may refuse or decline a session request. The most common of these involve one or more of the smb.conf file entries as shown in the next example. -

    Example 38.2. Configuration for Allowing Connections Only from a Certain Subnet

    [globals]
    hosts deny = ALL
    hosts allow = xxx.xxx.xxx.xxx/yy
    interfaces = eth0
    bind interfaces only = Yes

    - +

    Example 38.2. Configuration for Allowing Connections Only from a Certain Subnet

    [globals]
    hosts deny = ALL
    hosts allow = xxx.xxx.xxx.xxx/yy
    interfaces = eth0
    bind interfaces only = Yes

    + In Configuration for Allowing Connections Only from a Certain Subnet, no allowance has been made for any session requests that will automatically translate to the loopback adapter address 127.0.0.1. To solve this problem, change these lines as shown in the following example. -

    Example 38.3. Configuration for Allowing Connections from a Certain Subnet and localhost

    [globals]
    hosts deny = ALL
    hosts allow = xxx.xxx.xxx.xxx/yy 127.
    interfaces = eth0 lo

    - - +

    Example 38.3. Configuration for Allowing Connections from a Certain Subnet and localhost

    [globals]
    hosts deny = ALL
    hosts allow = xxx.xxx.xxx.xxx/yy 127.
    interfaces = eth0 lo

    + + Another common cause of these two errors is having something already running on port 139, such as Samba (smbd is running from inetd already) or Digital's Pathworks. Check your inetd.conf file before trying to start smbd as a daemon it can avoid a lot of frustration!

    - - - - - + + + + + And yet another possible cause for failure of this test is when the subnet mask and/or broadcast address settings are incorrect. Please check that the network interface IP address/broadcast address/subnet mask settings are correct and that Samba has correctly noted these in the log.nmbd file.

  • - + Run the command nmblookup -B BIGSERVER __SAMBA__. You should get back the IP address of your Samba server.

    - - - + + + If you do not, then nmbd is incorrectly installed. Check your inetd.conf if you run it from there, or that the daemon is running and listening to UDP port 137.

    @@ -209,7 +209,7 @@ one-line script that contains the right parameters and run that from inetd.

  • - + Run the command nmblookup -B ACLIENT `*'.

    You should get the PC's IP address back. If you do not, then the client @@ -228,7 +228,7 @@ should see the got a positive name query response messages from several hosts.

    - + If this does not give a result similar to the previous test, then nmblookup isn't correctly getting your broadcast address through its automatic mechanism. In this case you should experiment with the interfaces option in smb.conf to manually configure your IP address, broadcast, and netmask.

    @@ -238,7 +238,7 @@ This test will probably fail if your subnet mask and broadcast address are not correct. (Refer to test 3 notes above).

  • - + Run the command smbclient //BIGSERVER/TMP. You should then be prompted for a password. You should use the password of the account with which you are logged into the UNIX box. If you want to test with @@ -266,20 +266,20 @@ You enabled password encryption but didn't map UNIX to Samba users. Run smbpasswd -a username

  • - - - - + + + + Once connected, you should be able to use the commands dir, get, put, and so on. Type help command for instructions. You should especially check that the amount of free disk space shown is correct when you type dir.

  • - + On the PC, type the command net view \\BIGSERVER. You will need to do this from within a DOS prompt window. You should get back a list of shares available on the server.

    - + If you get a message network name not found or similar error, then NetBIOS name resolution is not working. This is usually caused by a problem in nmbd. To overcome it, you could do one of the following (you only need to choose one of them): diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/DNSDHCP.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/DNSDHCP.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/DNSDHCP.html 2009-06-02 09:50:08.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/DNSDHCP.html 2009-06-19 11:15:02.000000000 +0200 @@ -1,6 +1,6 @@ -Chapter 48. DNS and DHCP Configuration Guide
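Review bot: in diagnosis.html, hunk @@ -171,36 +171,36 @@, Example 38.2 and Example 38.3 both open with "[globals]"; the global section of smb.conf is "[global]", and a section named "globals" is read as a share definition, so the hosts deny = ALL, hosts allow and bind interfaces only lines shown would not take effect server-wide as the surrounding text assumes. Since the hunk re-emits both examples, correct the section name in both. The same hunk's "Check your inetd.conf file before trying to start smbd as a daemon it can avoid a lot of frustration!" needs a break after "daemon".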
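Review bot: in diagnosis.html, hunk @@ -24,31 +24,31 @@, "smb.conf. I for our examples this share is called tmp." is broken ("I for" should be "In"), and "check that the settings for your smb.conf file results in dns proxy = no" should read "result in". The Example 38.1 [tmp] share exposes /tmp read-only, which is appropriate for a diagnostic share; the Note that follows the example would be the place to say it is a test fixture to be removed once the checklist is done.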

    Chapter 48. DNS and DHCP Configuration Guide

    John H. Samba Team Terpstra

    Samba Team

    Features and Benefits

    - - +Chapter 48. DNS and DHCP Configuration Guide

    Chapter 48. DNS and DHCP Configuration Guide

    John H. Samba Team Terpstra

    Samba Team

    Features and Benefits

    + + There are few subjects in the UNIX world that might raise as much contention as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP). Not all opinions held for or against particular implementations of DNS and DHCP @@ -10,16 +10,16 @@ and freedom. Microsoft Windows users in particular expect to be able to plug their notebook computer into a network port and have things “just work.

    - + UNIX administrators have a point. Many of the normative practices in the Microsoft Windows world at best border on bad practice from a security perspective. Microsoft Windows networking protocols allow workstations to arbitrarily register themselves on a network. Windows 2000 Active Directory registers entries in the DNS namespace that are equally perplexing to UNIX administrators. Welcome to the new world!

    - - - + + + The purpose of this chapter is to demonstrate the configuration of the Internet Software Consortium (ISC) DNS and DHCP servers to provide dynamic services that are compatible with their equivalents in the Microsoft Windows 2000 Server products. @@ -27,26 +27,26 @@ This chapter provides no more than a working example of configuration files for both DNS and DHCP servers. The examples used match configuration examples used elsewhere in this document.

    - - - + + + This chapter explicitly does not provide a tutorial, nor does it pretend to be a reference guide on DNS and DHCP, as this is well beyond the scope and intent of this document as a whole. Anyone who wants more detailed reference materials on DNS or DHCP should visit the ISC Web site at http://www.isc.org. Those wanting a written text might also be interested in the O'Reilly publications on DNS, see the O'Reilly web site, and the BIND9.NET web site for details. The books are: -

    1. DNS and BIND, By Cricket Liu, Paul Albitz, ISBN: 1-56592-010-4

    2. DNS & Bind Cookbook, By Cricket Liu, ISBN: 0-596-00410-9

    3. The DHCP Handbook (2nd Edition), By: Ralph Droms, Ted Lemon, ISBN 0-672-32327-3

    Example Configuration

    - - +

    1. DNS and BIND, By Cricket Liu, Paul Albitz, ISBN: 1-56592-010-4

    2. DNS & Bind Cookbook, By Cricket Liu, ISBN: 0-596-00410-9

    3. The DHCP Handbook (2nd Edition), By: Ralph Droms, Ted Lemon, ISBN 0-672-32327-3

    Example Configuration

    + + The DNS is to the Internet what water is to life. Nearly all information resources (host names) are resolved to their Internet protocol (IP) addresses through DNS. Windows networking tried hard to avoid the -complexities of DNS, but alas, DNS won. The alternative to +complexities of DNS, but alas, DNS won. The alternative to DNS, the Windows Internet Name Service (WINS) an artifact of NetBIOS networking over the TCP/IP protocols has demonstrated scalability problems as well as a flat, nonhierarchical namespace that became unmanageable as the size and complexity of information technology networks grew.

    - - + + WINS is a Microsoft implementation of the RFC1001/1002 NetBIOS Name Service (NBNS). It allows NetBIOS clients (like Microsoft Windows machines) to register an arbitrary machine name that the administrator or user has chosen together with the IP @@ -66,13 +66,13 @@

    The following configurations demonstrate a simple, insecure dynamic DNS server and a simple DHCP server that matches the DNS configuration. -

    Dynamic DNS

    - +

    Dynamic DNS

    + The example DNS configuration is for a private network in the IP address space for network 192.168.1.0/24. The private class network address space is set forth in RFC1918.

    - + It is assumed that this network will be situated behind a secure firewall. The files that follow work with ISC BIND version 9. BIND is the Berkeley Internet Name Daemon. @@ -223,8 +223,8 @@ 2 PTR marvel.quenya.org.

    - - + + The configuration files shown here were copied from a fully working system. All dynamically registered entries have been removed. In addition to these files, BIND version 9 will create for each of the dynamic registration files a file that has a diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/domain-member.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/domain-member.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/domain-member.html 2009-06-02 09:49:37.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/domain-member.html 2009-06-19 11:14:30.000000000 +0200 @@ -1,14 +1,14 @@ -Chapter 6. Domain Membership
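Review bot: in DNSDHCP.html, hunk @@ -66,13 +66,13 @@, the lead-in calls the configuration "a simple, insecure dynamic DNS server", while the "Dynamic DNS" block that follows only says "It is assumed that this network will be situated behind a secure firewall." The text should state what is insecure about the example (who is permitted to submit dynamic updates to it) and make the firewall an explicit precondition, so that the two sentences, now in separately anchored blocks, are not read in isolation.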
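Review bot: in DNSDHCP.html, hunk @@ -27,26 +27,26 @@, the re-emitted line "complexities of DNS, but alas, DNS won. The alternative to" belongs to a sentence that lacks the commas around its appositive; it should continue "DNS, the Windows Internet Name Service (WINS), an artifact of NetBIOS networking over the TCP/IP protocols, has demonstrated scalability problems ...".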

    Chapter 6. Domain Membership

    John H. Samba Team Terpstra

    Samba Team

    Jeremy Samba Team Allison

    Samba Team

    Gerald (Jerry) Samba Team Carter

    Samba Team

    Andrew Samba Team Tridgell

    Samba Team

    Jelmer R. The Samba Team Vernooij

    The Samba Team

    Guenther SuSE Deschner

    LDAP updates 

    - - - +Chapter 6. Domain Membership

    Chapter 6. Domain Membership

    John H. Samba Team Terpstra

    Samba Team

    Jeremy Samba Team Allison

    Samba Team

    Gerald (Jerry) Samba Team Carter

    Samba Team

    Andrew Samba Team Tridgell

    Samba Team

    Jelmer R. The Samba Team Vernooij

    The Samba Team

    Guenther SuSE Deschner

    LDAP updates 

    + + + Domain membership is a subject of vital concern. Samba must be able to participate as a member server in a Microsoft domain security context, and Samba must be capable of providing domain machine member trust accounts; otherwise it would not be able to offer a viable option for many users.

    - - + + This chapter covers background information pertaining to domain membership, the Samba configuration for it, and MS Windows client procedures for joining a domain. Why is this necessary? Because both are areas in which there exists @@ -16,10 +16,10 @@ UNIX/Linux networking and administration world, a considerable level of misinformation, incorrect understanding, and lack of knowledge. Hopefully this chapter will fill the voids. -

    Features and Benefits

    - - - +

    Features and Benefits

    + + + MS Windows workstations and servers that want to participate in domain security need to be made domain members. Participating in domain security is often called single sign-on, or SSO for short. This @@ -27,68 +27,68 @@ (or another server be it an MS Windows NT4/200x server) or a Samba server a member of an MS Windows domain security context.

    - - - - + + + + Samba-3 can join an MS Windows NT4-style domain as a native member server, an MS Windows Active Directory domain as a native member server, or a Samba domain control network. Domain membership has many advantages:

    • - + MS Windows workstation users get the benefit of SSO.

    • - - - - + + + + Domain user access rights and file ownership/access controls can be set from the single Domain Security Account Manager (SAM) database (works with domain member servers as well as with MS Windows workstations that are domain members).

    • - - + + Only MS Windows NT4/200x/XP Professional workstations that are domain members can use network logon facilities.

    • - - - - + + + + Domain member workstations can be better controlled through the use of policy files (NTConfig.POL) and desktop profiles.

    • - - - + + + Through the use of logon scripts, users can be given transparent access to network applications that run off application servers.

    • - - - - + + + + Network administrators gain better application and user access management abilities because there is no need to maintain user accounts on any network client or server other than the central domain database (either NT4/Samba SAM-style domain, NT4 domain that is backend-ed with an LDAP directory, or via an Active Directory infrastructure).

    MS Windows Workstation/Server Machine Trust Accounts

    - - - - + + + + A Machine Trust Account is an account that is used to authenticate a client machine (rather than a user) to the domain controller server. In Windows terminology, this is known as a “computer account.” The purpose of the machine trust account is to prevent a rogue user and domain controller from colluding to gain access to a domain member workstation.

    - - - - - + + + + + The password of a Machine Trust Account acts as the shared secret for secure communication with the domain controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from joining the domain, participating in domain security operations, and gaining access to domain user/group @@ -96,10 +96,10 @@ clients do not. Hence, a Windows 9x/Me/XP Home client is never a true member of a domain because it does not possess a Machine Trust Account, and, thus, has no shared secret with the domain controller.

    - - - - + + + + A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory, the new repository for Machine Trust Accounts. A Samba PDC, however, stores @@ -107,69 +107,69 @@ as follows:

    • - - - + + + A domain security account (stored in the passdb backend) that has been configured in the smb.conf file. The precise nature of the account information that is stored depends on the type of backend database that has been chosen.

      - - - - - - + + + + + + The older format of this data is the smbpasswd database that contains the UNIX login ID, the UNIX user identifier (UID), and the LanMan and NT-encrypted passwords. There is also some other information in this file that we do not need to concern ourselves with here.

      - - - - + + + + The two newer database types are called ldapsam and tdbsam. Both store considerably more data than the older smbpasswd file did. The extra information enables new user account controls to be implemented.

    • - - + + A corresponding UNIX account, typically stored in /etc/passwd. Work is in progress to allow a simplified mode of operation that does not require UNIX user accounts, but this has not been a feature of the early releases of Samba-3, and is not currently planned for release either.

    - + There are three ways to create Machine Trust Accounts:

    • - + Manual creation from the UNIX/Linux command line. Here, both the Samba and corresponding UNIX account are created by hand.

    • - - + + Using the MS Windows NT4 Server Manager, either from an NT4 domain member server or using the Nexus toolkit available from the Microsoft Web site. This tool can be run from any MS Windows machine as long as the user is logged on as the administrator account.

    • - - + + On-the-fly” creation. The Samba Machine Trust Account is automatically created by Samba at the time the client is joined to the domain. (For security, this is the recommended method.) The corresponding UNIX account may be created automatically or manually.

    - - + + Neither MS Windows NT4/200x/XP Professional, nor Samba, provide any method for enforcing the method of machine trust account creation. This is a matter of the administrator's choice. -

    Manual Creation of Machine Trust Accounts

    - - - - +

    Manual Creation of Machine Trust Accounts

    + + + + The first step in manually creating a Machine Trust Account is to manually create the corresponding UNIX account in /etc/passwd. This can be done using vipw or another “adduser” command @@ -183,25 +183,25 @@ root# passwd -l machine_name$

    - - - + + + In the example above there is an existing system group “machines” which is used as the primary group for all machine accounts. In the following examples the “machines” group numeric GID is 100.

    - - + + On *BSD systems, this can be done using the chpass utility:

     root# chpass -a \
     'machine_name$:*:101:100::0:0:Windows machine_name:/dev/null:/sbin/nologin'
     

    - - - - + + + + The /etc/passwd entry will list the machine name with a “$” appended, and will not have a password, will have a null shell and no home directory. For example, a machine named “doppy” would have an @@ -210,9 +210,9 @@ doppy$:x:505:100:machine_nickname:/dev/null:/bin/false

    - - - + + + in which machine_nickname can be any descriptive name for the client, such as BasementComputer. machine_name absolutely must be the NetBIOS @@ -220,9 +220,9 @@ appended to the NetBIOS name of the client or Samba will not recognize this as a Machine Trust Account.

    - - - + + + Now that the corresponding UNIX account has been created, the next step is to create the Samba account for the client containing the well-known initial Machine Trust Account password. This can be done using the @@ -232,48 +232,48 @@ root# smbpasswd -a -m machine_name

    - - - - + + + + where machine_name is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding UNIX account.

    Join the client to the domain immediately

    - - - - - + + + + + Manually creating a Machine Trust Account using this method is the equivalent of creating a Machine Trust Account on a Windows NT PDC using - + the Server Manager. From the time at which the account is created to the time the client joins the domain and changes the password, your domain is vulnerable to an intruder joining your domain using a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned! -

    Managing Domain Machine Accounts using NT4 Server Manager

    - - - +

    Managing Domain Machine Accounts using NT4 Server Manager

    + + + A working add machine script is essential for machine trust accounts to be automatically created. This applies no matter whether you use automatic account creation or the NT4 Domain Server Manager.

    - - - - + + + + If the machine from which you are trying to manage the domain is an MS Windows NT4 workstation or MS Windows 200x/XP Professional, the tool of choice is the package called SRVTOOLS.EXE. When executed in the target directory it will unpack SrvMgr.exe and UsrMgr.exe (both are domain management tools for MS Windows NT4 workstation).

    - - + + If your workstation is a Microsoft Windows 9x/Me family product, you should download the Nexus.exe package from the Microsoft Web site. When executed from the target directory, it will unpack the same tools but for use on @@ -283,10 +283,10 @@ 173673, and 172540

    - - + + Launch the srvmgr.exe (Server Manager for Domains) and follow these steps: -

    Procedure 6.1. Server Manager Account Machine Account Management

    1. +

      Procedure 6.1. Server Manager Account Machine Account Management

      1. From the menu select Computer.

      2. Click Select Domain. @@ -303,82 +303,82 @@ Add NT Workstation of Server, then enter the machine name in the field provided, and click the Add button. -

    On-the-Fly Creation of Machine Trust Accounts

    - +

  • On-the-Fly Creation of Machine Trust Accounts

    + The third (and recommended) way of creating Machine Trust Accounts is simply to allow the Samba server to create them as needed when the client is joined to the domain.

    - - - + + + Since each Samba Machine Trust Account requires a corresponding UNIX account, a method for automatically creating the UNIX account is usually supplied; this requires configuration of the add machine script option in smb.conf. This method is not required; however, corresponding UNIX accounts may also be created manually.

    - - + + Here is an example for a Red Hat Linux system: -

    [global]
    add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u

    -

    Making an MS Windows Workstation or Server a Domain Member

    +

    [global]
    add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u

    +

    Making an MS Windows Workstation or Server a Domain Member

    The procedure for making an MS Windows workstation or server a member of the domain varies with the version of Windows. -

    Windows 200x/XP Professional Client

    - - - - +

    Windows 200x/XP Professional Client

    + + + + When the user elects to make the client a domain member, Windows 200x prompts for an account and password that has privileges to create machine accounts in the domain. A Samba administrator account (i.e., a Samba account that has root privileges on the Samba server) must be entered here; the operation will fail if an ordinary user account is given.

    - - + + For security reasons, the password for this administrator account should be set to a password that is other than that used for the root user in /etc/passwd.

    - - - - + + + + The name of the account that is used to create domain member machine trust accounts can be anything the network administrator may choose. If it is other than root, then this is easily mapped to root in the file named in the smb.conf parameter username map = /etc/samba/smbusers.

    - - - + + + The session key of the Samba administrator account acts as an encryption key for setting the password of the machine trust account. The Machine Trust Account will be created on-the-fly, or updated if it already exists. -

    Windows NT4 Client

    - - - +

    Windows NT4 Client

    + + + If the Machine Trust Account was created manually, on the Identification Changes menu enter the domain name, but do not check the box Create a Computer Account in the Domain. In this case, the existing Machine Trust Account is used to join the machine to the domain.

    - - - - + + + + If the Machine Trust Account is to be created on the fly, on the Identification Changes menu enter the domain name and check the box Create a Computer Account in the Domain. In this case, joining the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba administrator account when prompted). -

    Samba Client

    - +

    Samba Client

    + Joining a Samba client to a domain is documented in the next section.

    Domain Member Server

    - - - - + + + + This mode of server operation involves the Samba machine being made a member of a domain security context. This means by definition that all user authentication will be done from a centrally defined authentication regime. @@ -387,106 +387,106 @@ MS Windows 2000 or later.

    - - - - - - - - + + + + + + + + Of course it should be clear that the authentication backend itself could be from any distributed directory architecture server that is supported by Samba. This can be LDAP (from OpenLDAP), or Sun's iPlanet, or Novell e-Directory Server, and so on.

    Note

    - - - + + + When Samba is configured to use an LDAP or other identity management and/or directory service, it is Samba that continues to perform user and machine authentication. It should be noted that the LDAP server does not perform authentication handling in place of what Samba is designed to do.

    - - - + + + Please refer to Domain Control, for more information regarding how to create a domain machine account for a domain member server as well as for information on how to enable the Samba domain member machine to join the domain and be fully trusted by it. -

    Joining an NT4-type Domain with Samba-3

    Assumptions lists names that are used in the remainder of this chapter.

    Table 6.1. Assumptions

    Samba DMS NetBIOS name:SERV1
    Windows 200x/NT domain name:MIDEARTH
    Domain's PDC NetBIOS name:DOMPDC
    Domain's BDC NetBIOS names:DOMBDC1 and DOMBDC2

    - +

    Joining an NT4-type Domain with Samba-3

    Assumptions lists names that are used in the remainder of this chapter.

    Table 6.1. Assumptions

    Samba DMS NetBIOS name:SERV1
    Windows 200x/NT domain name:MIDEARTH
    Domain's PDC NetBIOS name:DOMPDC
    Domain's BDC NetBIOS names:DOMBDC1 and DOMBDC2

    + First, you must edit your smb.conf file to tell Samba it should now use domain security.

    - - - - + + + + Change (or add) your security line in the [global] section of your smb.conf to read: -

    security = domain

    +

    security = domain

    Note that if the parameter security = user is used, this machine would function as a standalone server and not as a domain member server. Domain security mode causes Samba to work within the domain security context.

    Next change the workgroup line in the [global] section to read: -

    workgroup = MIDEARTH

    +

    workgroup = MIDEARTH

    This is the name of the domain we are joining.

    - - + + You must also have the parameter encrypt passwords set to yes in order for your users to authenticate to the NT PDC. This is the default setting if this parameter is not specified. There is no need to specify this parameter, but if it is specified in the smb.conf file, it must be set to Yes.

    - - - - + + + + Finally, add (or modify) a password server line in the [global] section to read: -

    password server = DOMPDC DOMBDC1 DOMBDC2

    +

    password server = DOMPDC DOMBDC1 DOMBDC2

    These are the PDC and BDCs Samba will attempt to contact in order to authenticate users. Samba will try to contact each of these servers in order, so you may want to rearrange this list in order to spread out the authentication load among Domain Controllers.

    - - - - + + + + Alternatively, if you want smbd to determine automatically the list of domain controllers to use for authentication, you may set this line to be: -

    password server = *

    - +

    password server = *

    + This method allows Samba to use exactly the same mechanism that NT does. The method either uses broadcast-based name resolution, performs a WINS database lookup in order to find a domain controller against which to authenticate, or locates the domain controller using DNS name resolution.

    To join the domain, run this command: - +

     root# net rpc join -S DOMPDC -UAdministrator%password
     

    - - - - + + + + If the -S DOMPDC argument is not given, the domain name will be obtained from smb.conf and the NetBIOS name of the PDC will be obtained either using a WINS lookup or via NetBIOS broadcast based name look up.
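Review bot: the join command `net rpc join -S DOMPDC -UAdministrator%password` documents putting the administrator password on the command line, where other local users can read it from the process list and where it is kept in shell history; the text should recommend passing only `-U Administrator` and letting `net` prompt for the password (the later "net ads join prompts for user name" item in this file shows prompting is the normal behaviour). The same applies to the `net ads join -UAdministrator%password` form shown later in this file.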

    - - - - + + + + The machine is joining the domain DOM, and the PDC for that domain (the only machine that has write access to the domain SAM database) is DOMPDC; therefore, use the -S option. The Administrator%password is the login name and @@ -497,9 +497,9 @@ Joined domain DOM.

    - - - + + + Where Active Directory is used, the command used to join the ADS domain is:

     root#  net ads join -UAdministrator%password
    @@ -512,64 +512,64 @@
     Refer to the net man page and to the chapter on remote
     administration for further information.
     

    - - - + + + This process joins the server to the domain without separately having to create the machine trust account on the PDC beforehand.

    - - - - + + + + This command goes through the machine account password change protocol, then writes the new (random) machine account password for this Samba server into a file in the same directory in which a smbpasswd file would be normally stored. The trust account information that is needed by the DMS is written into the file /usr/local/samba/private/secrets.tdb or /etc/samba/secrets.tdb.

    - - + + This file is created and owned by root and is not readable by any other user. It is the key to the domain-level security for your system and should be treated as carefully as a shadow password file.

    - - - + + + Finally, restart your Samba daemons and get ready for clients to begin using domain security. The way you can restart your Samba daemons depends on your distribution, but in most cases the following will suffice:

     root# /etc/init.d/samba restart
     

    -

    Why Is This Better Than security = server?

    - - - +

    Why Is This Better Than security = server?

    + + + Currently, domain security in Samba does not free you from having to create local UNIX users to represent the users attaching to your server. This means that if domain user DOM\fred attaches to your domain security Samba server, there needs to be a local UNIX user fred to represent that user in the UNIX file system. This is similar to the older Samba security mode security = server, where Samba would pass through the authentication request to a Windows NT server in the same way as a Windows 95 or Windows 98 server would.

    - - - + + + Please refer to Winbind: Use of Domain Accounts, for information on a system to automatically assign UNIX UIDs and GIDs to Windows NT domain users and groups.

    - - - + + + The advantage of domain-level security is that the authentication in domain-level security is passed down the authenticated RPC channel in exactly the same way that an NT server would do it. This means Samba servers now participate in domain trust relationships in exactly the same way NT servers do (i.e., you can add Samba servers into a resource domain and have the authentication passed on from a resource domain PDC to an account domain PDC).
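Review bot: the secrets.tdb paragraph states that the file is created root-owned and unreadable by others but gives the reader no way to confirm it; suggest adding the check to run after the join (for example `ls -l /etc/samba/secrets.tdb`, expecting owner root and mode 0600) and a sentence that any backup copy must be protected the same way, since the text already equates it with a shadow password file. The path is given as either /usr/local/samba/private/secrets.tdb or /etc/samba/secrets.tdb; saying which build each path corresponds to would remove the ambiguity.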

    - - - + + + In addition, with security = server, every Samba daemon on a server has to keep a connection open to the authenticating server for as long as that daemon lasts. This can drain the connection resources on a Microsoft NT server and cause it to run out of available connections. With @@ -577,10 +577,10 @@ only for as long as is necessary to authenticate the user and then drop the connection, thus conserving PDC connection resources.

    - - - - + + + + Finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the authentication reply, the Samba server gets the user identification information such as the user SID, the list of NT groups the user belongs to, and so on. @@ -589,58 +589,58 @@ LinuxWorld as the article http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html Doing the NIS/NT Samba.

    Samba ADS Domain Membership

    - - - - + + + + This is a rough guide to setting up Samba-3 with Kerberos authentication against a Windows 200x KDC. A familiarity with Kerberos is assumed. -

    Configure smb.conf

    +

    Configure smb.conf

    You must use at least the following three options in smb.conf: -

    realm = your.kerberos.REALM
    security = ADS
    # The following parameter need only be specified if present.
    # The default setting if not present is Yes.
    encrypt passwords = yes

    - - - - - +

    realm = your.kerberos.REALM
    security = ADS
    # The following parameter need only be specified if present.
    # The default setting if not present is Yes.
    encrypt passwords = yes

    + + + + + In case samba cannot correctly identify the appropriate ADS server using the realm name, use the password server option in smb.conf: -

    password server = your.kerberos.server

    +

    password server = your.kerberos.server

    The most common reason for which Samba may not be able to locate the ADS domain controller is a consequence of sites maintaining some DNS servers on UNIX systems without regard for the DNS requirements of the ADS infrastructure. There is no harm in specifying a preferred ADS domain controller using the password server.

    Note

    - - + + You do not need an smbpasswd file, and older clients will be authenticated as if security = domain, although it will not do any harm and allows you to have local users not in the domain. -

    Configure /etc/krb5.conf

    - - - - +

    Configure /etc/krb5.conf

    + + + + With both MIT and Heimdal Kerberos, it is unnecessary to configure the /etc/krb5.conf, and it may be detrimental.

    - - - - - + + + + + Microsoft ADS automatically create SRV records in the DNS zone _kerberos._tcp.REALM.NAME for each KDC in the realm. This is part of the installation and configuration process used to create an Active Directory domain. A KDC is a Kerberos Key Distribution Center and forms an integral part of the Microsoft active directory infrastructure.
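Review bot: in the "Configure smb.conf" block the comment `# The following parameter need only be specified if present.` is circular as written (a parameter is only ever specified if it is present); since the next comment says the default is Yes, it should read that `encrypt passwords` need not be specified at all and, if it is, must be set to yes, matching the wording used earlier in this file for the NT4 domain case. Also, `Microsoft ADS automatically create SRV records` should read `creates`, and `In case samba cannot` should capitalise Samba.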

    - - - - - - + + + + + + UNIX systems can use kinit and the DES-CBC-MD5 or DES-CBC-CRC encryption types to authenticate to the Windows 2000 KDC. For further information regarding Windows 2000 ADS kerberos interoperability please refer to the Microsoft Windows 2000 Kerberos Interoperability @@ -648,18 +648,18 @@ interoperability is RFC1510. This RFC explains much of the magic behind the operation of Kerberos.

    - - - - - - + + + + + + MIT's, as well as Heimdal's, recent KRB5 libraries default to checking for SRV records, so they will automatically find the KDCs. In addition, krb5.conf only allows specifying a single KDC, even there if there may be more than one. Using the DNS lookup allows the KRB5 libraries to use whichever KDCs are available.

    - + When manually configuring krb5.conf, the minimal configuration is:

     [libdefaults]
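Review bot: the Kerberos interoperability paragraph cites RFC1510 as the relevant specification, but RFC 1510 was obsoleted by RFC 4120 in 2005, so the reference should be updated or at least point to the newer RFC. In the same paragraph the advice to use the DES-CBC-MD5 or DES-CBC-CRC encryption types with kinit is given without qualification, while the "Testing Server Setup" note later in this file says ARCFOUR-HMAC-MD5 is also supported; the text should say that the DES types are only needed for interoperability with older KDCs and that ARCFOUR-HMAC-MD5 is to be preferred where the KDC offers it, since single DES is no longer considered adequate.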
    @@ -674,7 +674,7 @@
     	.kerberos.server = YOUR.KERBEROS.REALM
     

    - + When using Heimdal versions before 0.6, use the following configuration settings:

     [libdefaults]
    @@ -691,16 +691,16 @@
             .kerberos.server = YOUR.KERBEROS.REALM
     

    - - + + Test your config by doing a kinit USERNAME@REALM and making sure that your password is accepted by the Win2000 KDC.

    - - - - + + + + With Heimdal versions earlier than 0.6.x you can use only newly created accounts in ADS or accounts that have had the password changed once after migration, or in case of Administrator after installation. At the @@ -708,50 +708,50 @@ (and no default etypes in krb5.conf). Unfortunately, this whole area is still in a state of flux.

    Note

    - - - + + + The realm must be in uppercase or you will get a “Cannot find KDC for requested realm while getting initial credentials” error (Kerberos is case-sensitive!).

    Note

    - - - - + + + + Time between the two servers must be synchronized. You will get a “kinit(v5): Clock skew too great while getting initial credentials” if the time difference (clock skew) is more than five minutes.

    - - + + Clock skew limits are configurable in the Kerberos protocols. The default setting is five minutes.

    - - - - + + + + You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that this reverse lookup maps to must either be the NetBIOS name of the KDC (i.e., the hostname with no domain attached) or it can be the NetBIOS name followed by the realm.

    - - - + + + The easiest way to ensure you get this right is to add a /etc/hosts entry mapping the IP address of your KDC to its NetBIOS name. If you do not get this correct, then you will get a local error when you try to join the realm.

    - - - - + + + + If all you want is Kerberos support in smbclient, then you can skip directly to Testing with smbclient now. Create the Computer Account and Testing Server Setup are needed only if you want Kerberos support for smbd and winbindd.

    Create the Computer Account

    - - - - + + + + As a user who has write permission on the Samba private directory (usually root), run:

     root#  net ads join -U Administrator%password
    @@ -760,12 +760,12 @@
     permission to add machines to the ADS domain. It is, of course, a good idea to use an account other than Administrator.
     On the UNIX/Linux system, this command must be executed by an account that has UID=0 (root).
     

    - - - - - - + + + + + + When making a Windows client a member of an ADS domain within a complex organization, you may want to create the machine trust account within a particular organizational unit. Samba-3 permits this to be done using the following syntax: @@ -775,10 +775,10 @@

    Your ADS manager will be able to advise what should be specified for the "organizational_unit" parameter.

    - - - - + + + + For example, you may want to create the machine trust account in a container called “Servers” under the organizational directory “Computers/BusinessUnit/Department,” like this:

    @@ -789,90 +789,90 @@
     before executing this command.  Please note that forward slashes must be used, because backslashes are both
     valid characters in an OU name and used as escapes for other characters.  If you need a backslash in an OU 
     name, it may need to be quadrupled to pass through the shell escape and ldap escape.
    -

    Possible Errors

    +

    Possible Errors

    ADS support not compiled in

    - - - + + + Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the Kerberos libraries and headers files are installed.

    net ads join prompts for user name

    - - + + You need to log in to the domain using kinit USERNAME@REALM. USERNAME must be a user who has rights to add a machine to the domain.

    Unsupported encryption/or checksum types

    - - - + + + Make sure that the /etc/krb5.conf is correctly configured for the type and version of Kerberos installed on the system.

    Testing Server Setup

    - - - + + + If the join was successful, you will see a new computer account with the NetBIOS name of your Samba server in Active Directory (in the “Computers” folder under Users and Computers.

    - - - + + + On a Windows 2000 client, try net use * \\server\share. You should be logged in with Kerberos without needing to know a password. If this fails, then run klist tickets. Did you get a ticket for the server? Does it have an encryption type of DES-CBC-MD5?

    Note

    - - - + + + Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5 encoding.

    Testing with smbclient

    - - - + + + On your Samba server try to log in to a Windows 2000 server or your Samba server using smbclient and Kerberos. Use smbclient as usual, but specify the -k option to choose Kerberos authentication. -

    Notes

    - - - +

    Notes

    + + + You must change the administrator password at least once after installing a domain controller, to create the right encryption types.

    - - - + + + Windows 200x does not seem to create the _kerberos._udp and _ldap._tcp in the default DNS setup. Perhaps this will be fixed later in service packs. -

    Sharing User ID Mappings between Samba Domain Members

    - - - - +

    Sharing User ID Mappings between Samba Domain Members

    + + + + Samba maps UNIX users and groups (identified by UIDs and GIDs) to Windows users and groups (identified by SIDs). These mappings are done by the idmap subsystem of Samba.

    - - - + + + In some cases it is useful to share these mappings between Samba domain members, so name->id mapping is identical on all machines. This may be needed in particular when sharing files over both CIFS and NFS.

    - - + + To use the LDAP ldap idmap suffix, set: -

    ldap idmap suffix = ou=Idmap

    +

    ldap idmap suffix = ou=Idmap

    See the smb.conf man page entry for the ldap idmap suffix parameter for further information.

    - - - + + + Do not forget to specify also the ldap admin dn and to make certain to set the LDAP administrative password into the secrets.tdb using:

    @@ -880,9 +880,9 @@
     

    In place of ldap-admin-password, substitute the LDAP administration password for your system. -

    Common Errors

    - - +

    Common Errors

    + + In the process of adding/deleting/re-adding domain member machine trust accounts, there are many traps for the unwary player and many “little” things that can go wrong. It is particularly interesting how often subscribers on the Samba mailing list have concluded @@ -890,16 +890,16 @@ MS Windows on the machine. In truth, it is seldom necessary to reinstall because of this type of problem. The real solution is often quite simple, and with an understanding of how MS Windows networking functions, it is easy to overcome. -

    Cannot Add Machine Back to Domain

    - - +

    Cannot Add Machine Back to Domain

    + +A Windows workstation was reinstalled. The original domain machine trust account was deleted and added immediately. The workstation will not join the domain if I use the same machine name. Attempts to add the machine fail with a message that the machine already exists on the network I know it does not. Why is this failing?

    - - + + The original name is still in the NetBIOS name cache and must expire after machine account deletion before adding that same name as a domain member again. The best advice is to delete the old account and then add the machine with a new name. Alternately, the name cache can be flushed and @@ -907,14 +907,14 @@

     C:\>  nbtstat -R
     

    -

    Adding Machine to Domain Fails

    - - +

    Adding Machine to Domain Fails

    + +Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a message that says, "The machine could not be added at this time, there is a network problem. Please try again later." Why?

    - + You should check that there is an add machine script in your smb.conf file. If there is not, please add one that is appropriate for your OS platform. If a script has been defined, you will need to debug its operation. Increase the log level @@ -923,38 +923,38 @@

    Possible causes include:

    • - - + + The script does not actually exist, or could not be located in the path specified.

      - - + + Corrective action: Fix it. Make sure when run manually that the script will add both the UNIX system account and the Samba SAM account.

    • - - + + The machine could not be added to the UNIX system accounts file /etc/passwd.

      - - + + Corrective action: Check that the machine name is a legal UNIX system account name. If the UNIX utility useradd is called, then make sure that the machine name you are trying to add can be added using this tool. Useradd on some systems will not allow any uppercase characters nor will it allow spaces in the name.

    - - - + + + The add machine script does not create the machine account in the Samba backend database; it is there only to create a UNIX system account to which the Samba backend database account can be mapped. -

    I Can't Join a Windows 2003 PDC

    - - - - +

    I Can't Join a Windows 2003 PDC

    + + + + Windows 2003 requires SMB signing. Client-side SMB signing has been implemented in Samba-3.0. Set client use spnego = yes when communicating with a Windows 2003 server. This will not interfere with other Windows clients that do not diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/FastStart.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/FastStart.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/FastStart.html 2009-06-02 09:49:34.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/FastStart.html 2009-06-19 11:14:28.000000000 +0200 @@ -587,7 +587,7 @@ distributions tend to install the Idealx scripts in the /usr/share/doc/packages/sambaXXXXXX/examples/LDAP/smbldap-tools directory. Idealx scripts version smbldap-tools-0.9.1 are known to work well. -
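Review bot: the "I Can't Join a Windows 2003 PDC" answer says Windows 2003 requires SMB signing, but the only setting it names is `client use spnego = yes`; the text should state which parameter actually controls client-side signing (`client signing`) or explain why SPNEGO negotiation is the relevant switch here, otherwise a reader who enables only SPNEGO may still fail to join.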

    Example 2.9. LDAP backend smb.conf for PDC

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = FRODO
    passdb backend = ldapsam:ldap://localhost
    username map = /etc/samba/smbusers
    printcap name = cups
    add user script = /usr/local/sbin/smbldap-useradd -m '%u'
    delete user script = /usr/local/sbin/smbldap-userdel %u
    add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/local/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
    logon script = scripts\logon.bat
    logon path = \\%L\Profiles\%U
    logon drive = H:
    logon home = \\%L\%U
    domain logons = Yes
    os level = 35
    preferred master = Yes
    domain master = Yes
    ldap suffix = dc=quenya,dc=org
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=People
    ldap idmap suffix = ou=People
    ldap admin dn = cn=Manager
    ldap ssl = no
    ldap passwd sync = Yes
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    printing = cups

    1. +

      Example 2.9. LDAP backend smb.conf for PDC

      # Global parameters
      [global]
      workgroup = MIDEARTH
      netbios name = FRODO
      passdb backend = ldapsam:ldap://localhost
      username map = /etc/samba/smbusers
      printcap name = cups
      add user script = /usr/local/sbin/smbldap-useradd -m '%u'
      delete user script = /usr/local/sbin/smbldap-userdel %u
      add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
      delete group script = /usr/local/sbin/smbldap-groupdel '%g'
      add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
      delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
      set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
      add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
      logon script = scripts\logon.bat
      logon path = \\%L\Profiles\%U
      logon drive = H:
      logon home = \\%L\%U
      domain logons = Yes
      os level = 35
      preferred master = Yes
      domain master = Yes
      ldap suffix = dc=quenya,dc=org
      ldap machine suffix = ou=People
      ldap user suffix = ou=People
      ldap group suffix = ou=People
      ldap idmap suffix = ou=People
      ldap admin dn = cn=Manager,dc=quenya,dc=org
      ldap ssl = no
      ldap passwd sync = Yes
      idmap uid = 15000-20000
      idmap gid = 15000-20000
      printing = cups

      1. Obtain from the Samba sources ~/examples/LDAP/samba.schema and copy it to the /etc/openldap/schema/ directory.
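Review bot: the corrected `ldap admin dn` in Example 2.9 needs to be checked against the `ldap suffix` line (`dc=quenya,dc=org`) a few lines above, and it does match, so the bind DN is now usable; the old bare `cn=Manager` was not a DN under that suffix. Separately, the example maps `ldap machine suffix`, `ldap user suffix`, `ldap group suffix` and `ldap idmap suffix` all to `ou=People`, whereas the domain-member chapter in this same patch shows `ldap idmap suffix = ou=Idmap`; if the single container is deliberate for the FastStart example, a sentence saying so would stop readers copying it as the recommended layout.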

      2. @@ -684,11 +684,11 @@ Add users and groups as required. Users and groups added using Samba tools will automatically be added to both the LDAP backend and the operating system as required. -

    Backup Domain Controller

    +

    Backup Domain Controller

    “Remote LDAP BDC smb.conf” shows the example configuration for the BDC. Note that the smb.conf file does not specify the smbldap-tools scripts they are not needed on a BDC. Add additional stanzas for shares and printers as required. -

    Example 2.10. Remote LDAP BDC smb.conf

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = GANDALF
    passdb backend = ldapsam:ldap://frodo.quenya.org
    username map = /etc/samba/smbusers
    printcap name = cups
    logon script = scripts\logon.bat
    logon path = \\%L\Profiles\%U
    logon drive = H:
    logon home = \\%L\%U
    domain logons = Yes
    os level = 33
    preferred master = Yes
    domain master = No
    ldap suffix = dc=quenya,dc=org
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=People
    ldap idmap suffix = ou=People
    ldap admin dn = cn=Manager
    ldap ssl = no
    ldap passwd sync = Yes
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    printing = cups

    1. +

      Example 2.10. Remote LDAP BDC smb.conf

      # Global parameters
      [global]
      workgroup = MIDEARTH
      netbios name = GANDALF
      passdb backend = ldapsam:ldap://frodo.quenya.org
      username map = /etc/samba/smbusers
      printcap name = cups
      logon script = scripts\logon.bat
      logon path = \\%L\Profiles\%U
      logon drive = H:
      logon home = \\%L\%U
      domain logons = Yes
      os level = 33
      preferred master = Yes
      domain master = No
      ldap suffix = dc=quenya,dc=org
      ldap machine suffix = ou=People
      ldap user suffix = ou=People
      ldap group suffix = ou=People
      ldap idmap suffix = ou=People
      ldap admin dn = cn=Manager,dc=quenya,dc=org
      ldap ssl = no
      ldap passwd sync = Yes
      idmap uid = 15000-20000
      idmap gid = 15000-20000
      printing = cups
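Review bot: `ldap ssl = no` is left in place in Example 2.10 even though this BDC binds to a remote server (`passdb backend = ldapsam:ldap://frodo.quenya.org`) with `ldap passwd sync = Yes`, so the admin bind password and every synchronised password change would cross the network in the clear; the example should either use `ldap ssl = start tls` (or an `ldaps://` URL) or carry a note that TLS is required before this is used outside a lab. The `ldap admin dn` fix here matches the one made to Example 2.9, which keeps the two examples consistent.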

      1. Decide if the BDC should have its own LDAP server or not. If the BDC is to be the LDAP server, change the following smb.conf as indicated. The default configuration in Remote LDAP BDC smb.conf diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/go01.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/go01.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/go01.html 2009-06-02 09:50:10.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/go01.html 2009-06-19 11:15:04.000000000 +0200 @@ -1,4 +1,4 @@ -Glossary

        Glossary

        Access Control List

        +Glossary

        Glossary

        Access Control List

        A detailed list of permissions granted to users or groups with respect to file and network resource access. See “File, Directory, and Share Access Controls”, for details.

        Active Directory Service

        diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/groupmapping.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/groupmapping.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/groupmapping.html 2009-06-02 09:49:44.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/groupmapping.html 2009-06-19 11:14:36.000000000 +0200 @@ -1,38 +1,38 @@ -Chapter 12. Group Mapping: MS Windows and UNIX

        Chapter 12. Group Mapping: MS Windows and UNIX

        John H. Samba Team Terpstra

        Samba Team

        Jean François Micouleau

        Gerald (Jerry) Samba Team Carter

        Samba Team

        - - +Chapter 12. Group Mapping: MS Windows and UNIX

        Chapter 12. Group Mapping: MS Windows and UNIX

        John H. Samba Team Terpstra

        Samba Team

        Jean François Micouleau

        Gerald (Jerry) Samba Team Carter

        Samba Team

        + - + + Starting with Samba-3, new group mapping functionality is available to create associations between Windows group SIDs and UNIX group GIDs. The groupmap subcommand included with the net tool can be used to manage these associations.

        - + The new facility for mapping NT groups to UNIX system groups allows the administrator to decide which NT domain groups are to be exposed to MS Windows clients. Only those NT groups that map to a UNIX group that has a value other than the default (-1) will be exposed in group selection lists in tools that access domain users and groups.

        Warning

        - - + + The domain admin group parameter has been removed in Samba-3 and should no longer be specified in smb.conf. In Samba-2.2.x, this parameter was used to give the listed users membership in the Domain Admins Windows group, which gave local admin rights on their workstations (in default configurations). -

        Features and Benefits

        +

        Features and Benefits

        Samba allows the administrator to create MS Windows NT4/200x group accounts and to arbitrarily associate them with UNIX/Linux group accounts.

        - - + - - + + + Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools. Appropriate interface scripts should be provided in smb.conf if it is desired that UNIX/Linux system accounts should be automatically created when these tools are used. In the absence of these scripts, and @@ -41,19 +41,19 @@ idmap uid/idmap gid parameters in the smb.conf file.

        Figure 12.1. IDMAP: Group SID-to-GID Resolution.

        IDMAP: Group SID-to-GID Resolution.

        Figure 12.2. IDMAP: GID Resolution to Matching SID.

        IDMAP: GID Resolution to Matching SID.

        - - - - + + + + In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to IDMAP: Group SID-to-GID Resolution and IDMAP: GID Resolution to Matching SID. The net groupmap is used to establish UNIX group to NT SID mappings as shown in IDMAP: storing group mappings.

        Figure 12.3. IDMAP Storing Group Mappings.

        IDMAP Storing Group Mappings.

        - - + + Administrators should be aware that where smb.conf group interface scripts make direct calls to the UNIX/Linux system tools (the shadow utilities, groupadd, groupdel, and groupmod), the resulting UNIX/Linux group names will be subject @@ -62,48 +62,48 @@ Engineering Managers will attempt to create an identically named UNIX/Linux group, an attempt that will of course fail.

        - - + + There are several possible workarounds for the operating system tools limitation. One method is to use a script that generates a name for the UNIX/Linux system group that fits the operating system limits and that then just passes the UNIX/Linux group ID (GID) back to the calling Samba interface. This will provide a dynamic workaround solution.

        - + Another workaround is to manually create a UNIX/Linux group, then manually create the MS Windows NT4/200x group on the Samba server, and then use the net groupmap tool to connect the two to each other. -

        Discussion

        - +

        Discussion

        + When you install MS Windows NT4/200x on a computer, the installation program creates default users and groups, notably the Administrators group, and gives that group privileges necessary to perform essential system tasks, such as the ability to change the date and time or to kill (or close) any process running on the local machine.

        - + The Administrator user is a member of the Administrators group, and thus inherits Administrators group privileges. If a joe user is created to be a member of the Administrators group, joe has exactly the same rights as the user Administrator.

        - + When an MS Windows NT4/200x/XP machine is made a domain member, the “Domain Admins” group of the PDC is added to the local Administrators group of the workstation. Every member of the Domain Admins group inherits the rights of the local Administrators group when logging on the workstation.

        - + The following steps describe how to make Samba PDC users members of the Domain Admins group.

        1. Create a UNIX group (usually in /etc/group); let's call it domadm.

        2. - + Add to this group the users that must be “Administrators”. For example, if you want joe, john, and mary to be administrators, your entry in /etc/group will look like this: @@ -117,13 +117,13 @@ root# net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d

          - + The quotes around “Domain Admins” are necessary due to the space in the group name. Also make sure to leave no white space surrounding the equal character (=).

        Now joe, john, and mary are domain administrators.

        - + It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as to make any UNIX group a Windows domain group. For example, if you wanted to include a UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, @@ -135,54 +135,54 @@ The ntgroup value must be in quotes if it contains space characters to prevent the space from being interpreted as a command delimiter.

        - + Be aware that the RID parameter is an unsigned 32-bit integer that should normally start at 1000. However, this RID must not overlap with any RID assigned to a user. Verification for this is done differently depending on the passdb backend you are using. Future versions of the tools may perform the verification automatically, but for now the burden is on you. -

        Warning: User Private Group Problems

        - +

        Warning: User Private Group Problems

        + Windows does not permit user and group accounts to have the same name. This has serious implications for all sites that use private group accounts. A private group account is an administrative practice whereby users are each given their own group account. Red Hat Linux, as well as several free distributions of Linux, by default create private groups.

        - + When mapping a UNIX/Linux group to a Windows group account, all conflict can be avoided by assuring that the Windows domain group name does not overlap with any user account name. -

        Nested Groups: Adding Windows Domain Groups to Windows Local Groups

        - +

        Nested Groups: Adding Windows Domain Groups to Windows Local Groups

        + This functionality is known as nested groups and was first added to Samba-3.0.3.

        - + All MS Windows products since the release of Windows NT 3.10 support the use of nested groups. Many Windows network administrators depend on this capability because it greatly simplifies security administration.

        - + The nested group architecture was designed with the premise that day-to-day user and group membership management should be performed on the domain security database. The application of group security should be implemented on domain member servers using only local groups. On the domain member server, all file system security controls are then limited to use of the local groups, which will contain domain global groups and domain global users.

        - + You may ask, What are the benefits of this arrangement? The answer is obvious to those who have plumbed the dark depths of Windows networking architecture. Consider for a moment a server on which are stored 200,000 files, each with individual domain user and domain group settings. The company that owns the @@ -190,10 +190,10 @@ it is made a member of a different domain. Who would you think now owns all the files and directories? Answer: Account Unknown.

        - - + + Unraveling the file ownership mess is an unenviable administrative task that can be avoided simply by using local groups to control all file and directory access control. In this case, only the members of the local groups will have been lost. The files and directories in the storage subsystem will still @@ -201,7 +201,6 @@ to delete the Account Unknown membership entries inside local groups with appropriate entries for domain global groups in the new domain that the server has been made a member of.

        - @@ -209,6 +208,7 @@ + Another prominent example of the use of nested groups involves implementation of administrative privileges on domain member workstations and servers. Administrative privileges are given to all members of the built-in local group Administrators on each domain member machine. To ensure that all domain @@ -217,10 +217,10 @@ logged into the domain as a member of the Domain Admins group is also granted local administrative privileges on each domain member.

        - + UNIX/Linux has no concept of support for nested groups, and thus Samba has for a long time not supported them either. The problem is that you would have to enter UNIX groups as auxiliary members of a group in /etc/group. This does not work because it was not a design requirement at the time @@ -228,11 +228,11 @@ /etc/group entries on demand by obtaining user and group information from the domain controller that the Samba server is a member of.

        - + In effect, Samba supplements the /etc/group data via the dynamic libnss_winbind mechanism. Beginning with Samba-3.0.3, this facility is used to provide local groups in the same manner as Windows. It works by expanding the local groups on the @@ -242,13 +242,13 @@ group. By definition, it can only contain user objects, which can then be faked to be member of the UNIX/Linux group demo.

        - - + + To enable the use of nested groups, winbindd must be used with NSS winbind. Creation and administration of the local groups is done best via the Windows Domain User Manager or its Samba equivalent, the utility net rpc group. Creating the local group @@ -256,8 +256,8 @@

         	root#  net rpc group add demo -L -Uroot%not24get
         	

        - + Here the -L switch means that you want to create a local group. It may be necessary to add -S and -U switches for accessing the correct host with appropriate user or root privileges. Adding and removing group members can be done via the addmem and delmem subcommands of @@ -266,10 +266,10 @@
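Review bot: the `net rpc group add demo -L -Uroot%not24get` example passes the root password inline after `%`, where it is readable in the process list by other local users and kept in shell history; since this hunk only retags the example's anchor, it is the right moment to drop the `%not24get` part (net prompts for the password when only `-Uroot` is given) or add one sentence saying that the prompt form is preferred. The same `-U user%password` form recurs in the `net rpc join` and `net ads join` examples in the idmapper.html hunks.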

         	net rpc group addmem demo "DOM\Domain Users"
         	

        - + Having completed these two steps, the execution of getent group demo will show demo members of the global Domain Users group as members of the group demo. This also works with any local or domain user. In case the domain DOM trusts @@ -277,46 +277,46 @@ demo. The users from the foreign domain who are members of the group that has been added to the demo group now have the same local access permissions as local domain users have. -

        Important Administrative Information

        +

        Important Administrative Information

        Administrative rights are necessary in two specific forms:

        1. For Samba-3 domain controllers and domain member servers/clients.

        2. To manage domain member Windows workstations.

        - - + + Versions of Samba up to and including 3.0.10 do not provide a means for assigning rights and privileges that are necessary for system administration tasks from a Windows domain member client machine, so domain administration tasks such as adding, deleting, and changing user and group account information, and managing workstation domain membership accounts, can be handled by any account other than root.

        - + Samba-3.0.11 introduced a new privilege management interface (see User Rights and Privileges) that permits these tasks to be delegated to non-root (i.e., accounts other than the equivalent of the MS Windows Administrator) accounts.

        - - + + Administrative tasks on a Windows domain member workstation can be done by anyone who is a member of the Domain Admins group. This group can be mapped to any convenient UNIX group. -

        Applicable Only to Versions Earlier than 3.0.11

        - +

        Applicable Only to Versions Earlier than 3.0.11

        + Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires root-level privilege. The addition of a Windows client to a Samba domain involves the addition of a user account for the Windows client.

        - + Many UNIX administrators continue to request that the Samba Team make it possible to add Windows workstations, or the ability to add, delete, or modify user accounts, without requiring root privileges. Such a request violates every understanding of basic UNIX system security.

        - + There is no safe way to provide access on a UNIX/Linux system without providing root-level privileges. Provision of root privileges can be done either by logging on to the Domain as the user root or by permitting particular users to @@ -324,15 +324,15 @@ can use tools like the NT4 Domain User Manager and the NT4 Domain Server Manager to manage user and group accounts as well as domain member server and client accounts. This level of privilege is also needed to manage share-level ACLs. -
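Review bot: the sentence beginning "Versions of Samba up to and including 3.0.10 do not provide a means for assigning rights and privileges..." ends with "...can be handled by any account other than root", which says the opposite of what the paragraph argues; the hunk only retags this paragraph, but it should read "cannot be handled by any account other than root", which is what the following paragraph on the 3.0.11 privilege interface (delegation to non-root accounts) presupposes.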

        Default Users, Groups, and Relative Identifiers

        - - - +

        Default Users, Groups, and Relative Identifiers

        + + - + + When first installed, Windows NT4/200x/XP are preconfigured with certain user, group, and alias entities. Each has a well-known RID. These must be preserved for continued integrity of operation. Samba must be provisioned with certain essential domain groups that require @@ -340,23 +340,23 @@ domain groups are automatically created. It is the LDAP administrator's responsibility to create (provision) the default NT groups.

        - + Each essential domain group must be assigned its respective well-known RID. The default users, groups, aliases, and RIDs are shown in Well-Known User Default RIDs.

        Note

        - + It is the administrator's responsibility to create the essential domain groups and to assign each its default RID.

        - + It is permissible to create any domain group that may be necessary; just make certain that the essential domain groups (well known) have been created and assigned their default RIDs. Other groups you create may be assigned any arbitrary RID you care to use. @@ -365,12 +365,12 @@ will be available for use as an NT domain group.

        Table 12.1. Well-Known User Default RIDs

        Well-Known EntityRIDTypeEssential
        Domain Administrator500UserNo
        Domain Guest501UserNo
        Domain KRBTGT502UserNo
        Domain Admins512GroupYes
        Domain Users513GroupYes
        Domain Guests514GroupYes
        Domain Computers515GroupNo
        Domain Controllers516GroupNo
        Domain Certificate Admins517GroupNo
        Domain Schema Admins518GroupNo
        Domain Enterprise Admins519GroupNo
        Domain Policy Admins520GroupNo
        Builtin Admins544AliasNo
        Builtin users545AliasNo
        Builtin Guests546AliasNo
        Builtin Power Users547AliasNo
        Builtin Account Operators548AliasNo
        Builtin System Operators549AliasNo
        Builtin Print Operators550AliasNo
        Builtin Backup Operators551AliasNo
        Builtin Replicator552AliasNo
        Builtin RAS Servers553AliasNo


        -

        Example Configuration

        - +

        Example Configuration

        + You can list the various groups in the mapping database by executing net groupmap list. Here is an example:

        - +

         root#  net groupmap list
         Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
        @@ -379,15 +379,15 @@
         

        For complete details on net groupmap, refer to the net(8) man page. -

        Configuration Scripts

        +

        Configuration Scripts

        Everyone needs tools. Some of us like to create our own, others prefer to use canned tools (i.e., prepared by someone else for general use). -

        Sample smb.conf Add Group Script

        - +

        Sample smb.conf Add Group Script

        - + + A script to create complying group names for use by the Samba group interfaces is provided in smbgrpadd.sh. This script adds a temporary entry in the /etc/group file and then renames @@ -415,15 +415,15 @@ The smb.conf entry for the above script shown in the configuration of smb.conf for the add group Script demonstrates how it may be used. -

        Example 12.2. Configuration of smb.conf for the add group Script

        [global]
        add group script = /path_to_tool/smbgrpadd.sh "%g"


        -

        Script to Configure Group Mapping

        - +

        Example 12.2. Configuration of smb.conf for the add group Script

        [global]
        add group script = /path_to_tool/smbgrpadd.sh "%g"


        +

        Script to Configure Group Mapping

        + In our example we have created a UNIX/Linux group called ntadmin. Our script will create the additional groups Orks, Elves, and Gnomes. It is a good idea to save this shell script for later use just in case you ever need to rebuild your mapping database. For the sake of convenience we elect to save this script as a file called initGroups.sh. This script is given in intGroups.sh. - +

        Example 12.3. Script to Set Group Mapping

         #!/bin/bash
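Review bot: the paragraph introducing Example 12.3 says "This script is given in intGroups.sh" two sentences after choosing the file name initGroups.sh; the cross-reference should read initGroups.sh. The rest of the hunk removes and re-adds the Example 12.2 block with identical text, so only its anchor markup moves.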
         
        @@ -450,32 +450,32 @@
         	trouble. Commencing with Samba-3.0.23 this annomaly has been fixed - thus all Windows groups
         	must now be manually and explicitly created and mapped to a valid UNIX GID by the Samba 
         	administrator.
        -	

        Common Errors

        +

        Common Errors

        At this time there are many little surprises for the unwary administrator. In a real sense it is imperative that every step of automated control scripts be carefully tested manually before putting it into active service. -

        Adding Groups Fails

        - +

        Adding Groups Fails

        + This is a common problem when the groupadd is called directly by the Samba interface script for the add group script in the smb.conf file.

        - + The most common cause of failure is an attempt to add an MS Windows group account that has an uppercase character and/or a space character in it.

        - + There are three possible workarounds. First, use only group names that comply with the limitations of the UNIX/Linux groupadd system tool. Second, it involves the use of the script mentioned earlier in this chapter, and third is the option is to manually create a UNIX/Linux group account that can substitute for the MS Windows group name, then use the procedure listed above to map that group to the MS Windows group. -

        Adding Domain Users to the Workstation Power Users Group

        +

        Adding Domain Users to the Workstation Power Users Group

        What must I do to add domain users to the Power Users group?

        - + The Power Users group is a group that is local to each Windows 200x/XP Professional workstation. You cannot add the Domain Users group to the Power Users group automatically, it must be done on each workstation by logging in as the local workstation administrator and diff -u -r --new-file --exclude .svn --exclude CVS samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/idmapper.html samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/idmapper.html --- samba-3.4.0pre2//docs/htmldocs/Samba3-HOWTO/idmapper.html 2009-06-02 09:49:45.000000000 +0200 +++ samba-3.4.0rc1//docs/htmldocs/Samba3-HOWTO/idmapper.html 2009-06-19 11:14:38.000000000 +0200 @@ -1,11 +1,11 @@ -Chapter 14. Identity Mapping (IDMAP)
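Review bot: two wording problems in the retagged context of this hunk: "this annomaly has been fixed" (below Example 12.3) should be "anomaly", and in "Adding Groups Fails" the sentence "Second, it involves the use of the script mentioned earlier in this chapter, and third is the option is to manually create..." has a doubled "is"; suggest "Second, use the script mentioned earlier in this chapter; third, manually create a UNIX/Linux group account that can substitute for the MS Windows group name, then use the procedure listed above to map that group to the MS Windows group."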

        Chapter 14. Identity Mapping (IDMAP)

        John H. Samba Team Terpstra

        Samba Team

        - - - +Chapter 14. Identity Mapping (IDMAP)

        Chapter 14. Identity Mapping (IDMAP)

        John H. Samba Team Terpstra

        Samba Team

        + + + + - - - + + The Microsoft Windows operating system has a number of features that impose specific challenges to interoperability with the operating systems on which Samba is implemented. This chapter deals explicitly with the mechanisms Samba-3 (version 3.0.8 and later) uses to overcome one of the @@ -16,24 +16,24 @@ To ensure sufficient coverage, each possible Samba deployment type is discussed. This is followed by an overview of how the IDMAP facility may be implemented.

        - - - - + + + + The IDMAP facility is of concern where more than one Samba server (or Samba network client) is installed in a domain. Where there is a single Samba server, do not be too concerned regarding the IDMAP infrastructure the default behavior of Samba is nearly always sufficient. Where mulitple Samba servers are used it is often necessary to move data off one server and onto another, and that is where the fun begins!

        - - - - - - - - + + + + + + + + Where user and group account information is stored in an LDAP directory every server can have the same consistent UID and GID for users and groups. This is achieved using NSS and the nss_ldap tool. Samba can be configured to use only local accounts, in which case the scope of the IDMAP problem is somewhat @@ -41,75 +41,75 @@ are not needed. On the other hand, if the Samba servers are NT4 domain members, or ADS domain members, or if there is a need to keep the security name-space separate (i.e., the user DOMINICUS\FJones must not be given access to the account resources of the user -FRANCISCUS\FJones[4] free from inadvertent cross-over, close attention should be given +FRANCISCUS\FJones[4] free from inadvertent cross-over, close attention should be given to the way that the IDMAP facility is configured.
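Review bot: "Where mulitple Samba servers are used" should be "multiple", and "do not be too concerned regarding the IDMAP infrastructure the default behavior of Samba is nearly always sufficient" runs two clauses together; a semicolon or "because" after "infrastructure" fixes it. The hunk itself changes only the anchor markup around these paragraphs.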

        - - - - - - + + + + + + The use of IDMAP is important where the Samba server will be accessed by workstations or servers from more than one domain, in which case it is important to run winbind so it can handle the resolution (ID mapping) of foreign SIDs to local UNIX UIDs and GIDs.

        - + The use of the IDMAP facility requires the execution of the winbindd upon Samba startup. -

        Samba Server Deployment Types and IDMAP

        - +

        Samba Server Deployment Types and IDMAP

        + There are four basic server deployment types, as documented in the chapter on Server Types and Security Modes. -

        Standalone Samba Server

        - - - +

        Standalone Samba Server

        + + + A standalone Samba server is an implementation that is not a member of a Windows NT4 domain, a Windows 200X Active Directory domain, or a Samba domain.

        - - - + + + By definition, this means that users and groups will be created and controlled locally, and the identity of a network user must match a local UNIX/Linux user login. The IDMAP facility is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility will not be relevant or of interest. -

        Domain Member Server or Domain Member Client

        - - - - - +

        Domain Member Server or Domain Member Client

        + + + + + Samba-3 can act as a Windows NT4 PDC or BDC, thereby providing domain control protocols that are compatible with Windows NT4. Samba-3 file and print sharing protocols are compatible with all versions of MS Windows products. Windows NT4, as with MS Active Directory, extensively makes use of Windows SIDs.

        - - - + + + Samba-3 domain member servers and clients must interact correctly with MS Windows SIDs. Incoming Windows SIDs must be translated to local UNIX UIDs and GIDs. Outgoing information from the Samba server must provide to MS Windows clients and servers appropriate SIDs.

        - - + + A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle identity mapping in a variety of ways. The mechanism it uses depends on whether or not the winbindd daemon is used and how the winbind functionality is configured. The configuration options are briefly described here:

        Winbind is not used; users and groups are local:

        - - - - - - - - - - - + + + + + + + + + + + Where winbindd is not used Samba (smbd) uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming network traffic. This is done using the LoginID (account name) in the @@ -119,51 +119,51 @@ we are implying that they are stored only on the local system, in the /etc/passwd and /etc/group respectively.
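Review bot: the only line this hunk changes, "FRANCISCUS\FJones[4] free from inadvertent cross-over, ...", is identical before and after in rendered text, so the change is confined to the footnote markup; the sentence it sits in, however, never closes the parenthesis opened at "(i.e., the user DOMINICUS\FJones must not be given access...", and a ")" belongs after "cross-over".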

        - - + + For example, when the user BERYLIUM\WambatW tries to open a connection to a Samba server the incoming SessionSetupAndX request will make a system call to look up the user WambatW in the /etc/passwd file.

        - - - - - - - - + + + + + + + + This configuration may be used with standalone Samba servers, domain member servers (NT4 or ADS), and for a PDC that uses either an smbpasswd or a tdbsam-based Samba passdb backend.

        Winbind is not used; users and groups resolved via NSS:

        - - - - - - + + + + + + In this situation user and group accounts are treated as if they are local accounts. The only way in which this differs from having local accounts is that the accounts are stored in a repository that can be shared. In practice this means that they will reside in either an NIS-type database or else in LDAP.

        - - - - - - - + + + + + + + This configuration may be used with standalone Samba servers, domain member servers (NT4 or ADS), and for a PDC that uses either an smbpasswd or a tdbsam-based Samba passdb backend.

        Winbind/NSS with the default local IDMAP table:

        - - - - + + + + There are many sites that require only a simple Samba server or a single Samba server that is a member of a Windows NT4 domain or an ADS domain. A typical example is an appliance like file server on which no local accounts are configured and @@ -171,21 +171,21 @@ domain. The domain control can be provided by Samba-3, MS Windows NT4, or MS Windows Active Directory.

        - - - - - + + + + + Winbind is a great convenience in this situation. All that is needed is a range of UID numbers and GID numbers that can be defined in the smb.conf file. The /etc/nsswitch.conf file is configured to use winbind, which does all the difficult work of mapping incoming SIDs to appropriate UIDs and GIDs. The SIDs are allocated a UID/GID in the order in which winbind receives them.

        - - - - + + + + This configuration is not convenient or practical in sites that have more than one Samba server and that require the same UID or GID for the same user or group across all servers. One of the hazards of this method is that in the event that the winbind @@ -194,10 +194,10 @@ result that MS Windows files that are stored on the Samba server may now not belong to the rightful owners.

        Winbind/NSS uses RID based IDMAP:

        - - - - + + + + The IDMAP_RID facility is new to Samba version 3.0.8. It was added to make life easier for a number of sites that are committed to use of MS ADS, that do not apply an ADS schema extension, and that do not have an installed an LDAP directory server just for @@ -205,14 +205,14 @@ domains, and not multiple domain trees) and you want a simple cookie-cutter solution to the IDMAP table problem, then IDMAP_RID is an obvious choice.

        - - - - - - - - + + + + + + + + This facility requires the allocation of the idmap uid and the idmap gid ranges, and within the idmap uid it is possible to allocate a subset of this range for automatic mapping of the relative @@ -222,23 +222,23 @@ a SID is encountered that has the value S-1-5-21-34567898-12529001-32973135-1234, the resulting UID will be 1000 + 1234 = 2234.

        Winbind with an NSS/LDAP backend-based IDMAP facility:

        - - - - - - - - + + + + + + + + In this configuration winbind resolved SIDs to UIDs and GIDs from the idmap uid and idmap gid ranges specified in the smb.conf file, but instead of using a local winbind IDMAP table, it is stored in an LDAP directory so that all domain member machines (clients and servers) can share a common IDMAP table.

        - - - + + + It is important that all LDAP IDMAP clients use only the master LDAP server because the idmap backend facility in the smb.conf file does not correctly handle LDAP redirects. @@ -247,17 +247,17 @@ domain member servers. It is a neat method for assuring that UIDs, GIDs, and the matching SIDs are consistent across all servers.
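Review bot: "In this configuration winbind resolved SIDs to UIDs and GIDs" should be "resolves", matching the present tense of the rest of the paragraph; no other text in this hunk changes.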

        - - + + The use of the LDAP-based passdb backend requires use of the PADL nss_ldap utility or an equivalent. In this situation winbind is used to handle foreign SIDs, that is, SIDs from standalone Windows clients (i.e., not a member of our domain) as well as SIDs from another domain. The foreign UID/GID is mapped from allocated ranges (idmap uid and idmap gid) in precisely the same manner as when using winbind with a local IDMAP table.

        - - - + + + The nss_ldap tool set can be used to access UIDs and GIDs via LDAP as well as via Active Directory. In order to use Active Directory, it is necessary to modify the ADS schema by installing either the AD4UNIX schema extension or using the Microsoft Services for UNIX @@ -266,11 +266,11 @@ installed to permit the UNIX credentials to be set and managed from the ADS User and Computer Management tool. Each account must be separately UNIX-enabled before the UID and GID data can be used by Samba. -

        Primary Domain Controller

        - - - - +

        Primary Domain Controller

        + + + + Microsoft Windows domain security systems generate the user and group SID as part of the process of creation of an account. Windows does not have a concept of the UNIX UID or a GID; rather, it has its own type of security descriptor. When Samba is used as a domain controller, it provides a method @@ -278,50 +278,50 @@ adds an RID that is calculated algorithmically from a base value that can be specified in the smb.conf file, plus twice (2x) the UID or GID. This method is called “algorithmic mapping”.

        - + For example, if a user has a UID of 4321, and the algorithmic RID base has a value of 1000, the RID will be 1000 + (2 x 4321) = 9642. Thus, if the domain SID is S-1-5-21-89238497-92787123-12341112, the resulting SID is S-1-5-21-89238497-92787123-12341112-9642.

        - - - - + + + + The foregoing type of SID is produced by Samba as an automatic function and is either produced on the fly (as is the case when using a passdb backend = [tdbsam | smbpasswd]), or may be stored as a permanent part of an account in an LDAP-based ldapsam.

        - - - - - - - - - + + + + + + + + + ADS uses a directory schema that can be extended to accommodate additional account attributes such as UIDs and GIDs. The installation of Microsoft Service for UNIX 3.5 will expand the normal ADS schema to include UNIX account attributes. These must of course be managed separately through a snap-in module to the normal ADS account management MMC interface.

        - - - - + + + + Security identifiers used within a domain must be managed to avoid conflict and to preserve itegrity. In an NT4 domain context, the PDC manages the distribution of all security credentials to the backup domain controllers (BDCs). At this time the only passdb backend for a Samba domain controller that is suitable for such information is an LDAP backend. -

        Backup Domain Controller

        - - - - - - - +

        Backup Domain Controller

        + + + + + + + BDCs have read-only access to security credentials that are stored in LDAP. Changes in user or group account information are passed by the BDC to the PDC. Only the PDC can write changes to the directory. @@ -330,27 +330,27 @@ have access to the master (writable) LDAP server. Samba-3 at this time does not handle LDAP redirects in the IDMAP backend. This means that it is is unsafe to use a slave (replicate) LDAP server with the IDMAP facility. -
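Review bot: "to avoid conflict and to preserve itegrity" in the last paragraph of the Primary Domain Controller section should be "integrity". The algorithmic-mapping example in this hunk (1000 + 2 x 4321 = 9642) checks out against the stated formula.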

      Examples of IDMAP Backend Usage

      +

    Examples of IDMAP Backend Usage

    + - - - - + + + Anyone who wishes to use winbind will find the following example configurations helpful. Remember that in the majority of cases winbind is of primary interest for use with domain member servers (DMSs) and domain member clients (DMCs). -

    Default Winbind TDB

    +

    Default Winbind TDB

    Two common configurations are used:

    • Networks that have an NT4 PDC (with or without BDCs) or a Samba PDC (with or without BDCs).

    • Networks that use MS Windows 200x ADS. -

    NT4-Style Domains (Includes Samba Domains)

    +

    NT4-Style Domains (Includes Samba Domains)

    NT4 Domain Member Server smb.con is a simple example of an NT4 DMS smb.conf file that shows only the global section. -

    Example 14.1. NT4 Domain Member Server smb.conf

    # Global parameters
    [global]
    workgroup = MEGANET2
    security = DOMAIN
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template primary group = "Domain Users"
    template shell = /bin/bash

    - - +

    Example 14.1. NT4 Domain Member Server smb.conf

    # Global parameters
    [global]
    workgroup = MEGANET2
    security = DOMAIN
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template primary group = "Domain Users"
    template shell = /bin/bash

    + + The use of winbind requires configuration of NSS. Edit the /etc/nsswitch.conf so it includes the following entries:
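Review bot: "This means that it is is unsafe to use a slave (replicate) LDAP server" has a doubled "is" (and "replicate" reads better as "replica"), and "NT4 Domain Member Server smb.con is a simple example" should be "smb.conf". The Example 14.1 block is removed and re-added unchanged, so only its anchor moves.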

    @@ -373,37 +373,37 @@
     root#  net rpc join -UAdministrator%password
     Joined domain MEGANET2.
     

    - + The success of the join can be confirmed with the following command:

     root#  net rpc testjoin
     Join to 'MIDEARTH' is OK
     

    A failed join would report an error message like the following: - +

     root#  net rpc testjoin
     [2004/11/05 16:34:12, 0] utils/net_rpc_join.c:net_rpc_join_ok(66)
     Join to domain 'MEGANET2' is not valid
     

  • - - - + + + Start the nmbd, winbind, and smbd daemons in the order shown. -

  • ADS Domains

    - - +

    ADS Domains

    + + The procedure for joining an ADS domain is similar to the NT4 domain join, except the smb.conf file will have the contents shown in ADS Domain Member Server smb.conf -

    Example 14.2. ADS Domain Member Server smb.conf

    # Global parameters
    [global]
    workgroup = BUTTERNET
    netbios name = GARGOYLE
    realm = BUTTERNET.BIZ
    security = ADS
    template shell = /bin/bash
    idmap uid = 500-10000000
    idmap gid = 500-10000000
    winbind use default domain = Yes
    winbind nested groups = Yes
    printer admin = "BUTTERNET\Domain Admins"

    - - - - - - - +

    Example 14.2. ADS Domain Member Server smb.conf

    # Global parameters
    [global]
    workgroup = BUTTERNET
    netbios name = GARGOYLE
    realm = BUTTERNET.BIZ
    security = ADS
    template shell = /bin/bash
    idmap uid = 500-10000000
    idmap gid = 500-10000000
    winbind use default domain = Yes
    winbind nested groups = Yes
    printer admin = "BUTTERNET\Domain Admins"

    + + + + + + + ADS DMS operation requires use of kerberos (KRB). For this to work, the krb5.conf must be configured. The exact requirements depends on which version of MIT or Heimdal Kerberos is being used. It is sound advice to use only the latest version, which at this time are MIT Kerberos version @@ -416,7 +416,7 @@ Edit the /etc/nsswitch.conf file as shown above.
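Review bot: the join and testjoin outputs in this hunk disagree on the domain name: "Joined domain MEGANET2." is followed by "Join to 'MIDEARTH' is OK", while the failure example says "Join to domain 'MEGANET2' is not valid"; the success output should show MEGANET2, the workgroup set in Example 14.1.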

  • Execute: - +

     root#  net ads join -UAdministrator%password
     Joined domain BUTTERNET.
    @@ -436,30 +436,30 @@
       ads_connect: No results returned
     Join to domain is not valid
     

    - - - - + + + + The specific error message may differ from the above because it depends on the type of failure that may have occurred. Increase the log level to 10, repeat the test, and then examine the log files produced to identify the nature of the failure.

  • Start the nmbd, winbind, and smbd daemons in the order shown. -

  • IDMAP_RID with Winbind

    - - - - +

    IDMAP_RID with Winbind

    + + + + The idmap_rid facility is a new tool that, unlike native winbind, creates a predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data in a central place. The downside is that it can be used only within a single ADS domain and is not compatible with trusted domain implementations.

    - - - - + + + + This alternate method of SID to UID/GID mapping can be achieved using the idmap_rid plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the RID to a base value specified. This utility requires that the parameter @@ -467,19 +467,19 @@ with multiple domain environments. The idmap uid and idmap gid ranges must be specified.

    - - + + The idmap_rid facility can be used both for NT4/Samba-style domains and Active Directory. To use this with an NT4 domain, do not include the realm parameter; additionally, the method used to join the domain uses the net rpc join process.

    An example smb.conf file for and ADS domain environment is shown in ADS Domain Member smb.conf using idmap_rid. -

    Example 14.3. ADS Domain Member smb.conf using idmap_rid

    # Global parameters
    [global]
    workgroup = KPAK
    netbios name = BIGJOE
    realm = CORP.KPAK.COM
    server string = Office Server
    security = ADS
    allow trusted domains = No
    idmap backend = idmap_rid:KPAK=500-100000000
    idmap uid = 500-100000000
    idmap gid = 500-100000000
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    printer admin = "Domain Admins"

    - - - - +

    Example 14.3. ADS Domain Member smb.conf using idmap_rid

    # Global parameters
    [global]
    workgroup = KPAK
    netbios name = BIGJOE
    realm = CORP.KPAK.COM
    server string = Office Server
    security = ADS
    allow trusted domains = No
    idmap backend = idmap_rid:KPAK=500-100000000
    idmap uid = 500-100000000
    idmap gid = 500-100000000
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    printer admin = "Domain Admins"

    + + + + In a large domain with many users it is imperative to disable enumeration of users and groups. For example, at a site that has 22,000 users in Active Directory the winbind-based user and group resolution is unavailable for nearly 12 minutes following first startup of @@ -488,8 +488,8 @@ or groups using the getent passwd and getent group commands. It will be possible to perform the lookup for individual users, as shown in the following procedure.
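Review bot: the idmap_rid prose in this region contradicts itself: the paragraph beginning "The idmap_rid facility is a new tool" says it "can be used only within a single ADS domain", while the paragraph beginning "The idmap_rid facility can be used both for NT4/Samba-style domains and Active Directory" says the opposite and then explains the NT4 case (omit `realm`, join with `net rpc join`); one of the two sentences needs to be corrected, presumably the first, which should say only that the plug-in does not work across trusted domains. Two smaller points in the same hunk: the mapping is described as "adding the RID to a base value specified", so with `idmap uid = 500-100000000` a low RID such as 500 maps to UID 1000, the range where many distributions create their first local accounts, and Example 14.3 should state that the chosen range must not overlap UIDs and GIDs already present in /etc/passwd and /etc/group; and "An example smb.conf file for and ADS domain environment" should read "for an ADS domain environment". The `-` and `+` copies of Example 14.3 are otherwise identical, so this hunk changes markup only.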

    - - + + The