Samba-HOWTO-Collection in Chinese


Samba Planning Document (Premier Draft)

Samba group

Compilation: MEACULPA

Chinese translation statement:

This document is part of the Samba software and is protected by the GNU GPL; please pay attention to copyright when using it.

Summary

This document brings together the HOWTOs from the Samba documentation. I have tried to make sure all content is up to date, but sometimes one person cannot maintain such a large project. You can find the latest version of this document at http://www.samba.org/. If you have updates, send them to jerry@samba.org.

Cheers, Jerry

Table of Contents

1. How to install and test Samba
  1.1. Step 0: Read the man pages
  1.2. Step 1: Compiling the binaries
  1.3. Step 2: The all-important step
  1.4. Step 3: Create the configuration file
  1.5. Step 4: Test your configuration file with testparm
  1.6. Step 5: Start the smbd and nmbd processes
    1.6.1. Step 5a: Starting from inetd.conf
    1.6.2. Step 5b: Alternative: starting as a daemon
  1.7. Step 6: Try listing the shares available on your server
  1.8. Step 7: Try connecting from a UNIX client
  1.9. Step 8: Try connecting from DOS, WfWg, Win9x, WinNT, Win2k, OS/2 and other clients
  1.10. What if things don't work?
    1.10.1. Diagnosing problems
    1.10.2. Scope IDs
    1.10.3. Choosing the protocol level
    1.10.4. Printing from UNIX to a client PC
    1.10.5. Locking
    1.10.6. Mapping usernames
    1.10.7. Other character sets
2. LANMAN and NT password encryption in Samba 2.x
  2.1. Introduction
  2.2. How it works
  2.3. Important notes about security
    2.3.1. Advantages of SMB encryption
    2.3.2. Advantages of non-encrypted passwords
  2.4. The smbpasswd file
  2.5. The smbpasswd command
  2.6. Setting up Samba to support LanManager encryption
3. Configuring a Microsoft Distributed File System tree in Samba
  3.1. Introduction
    3.1.1. Notes
4. Printing support in Samba 2.2.x
  4.1. Introduction
  4.2. Configuration
    4.2.1. Creating [print$]
    4.2.2. Setting drivers for existing printers
    4.2.3. Supporting a large number of printers
    4.2.4. Adding a new printer with the Windows NT APW
    4.2.5. Samba and printer ports
  4.3. The Imprints tool set
    4.3.1. What is Imprints?
    4.3.2. Creating printer driver packages
    4.3.3. The Imprints server
    4.3.4. The client installer
  4.4. Migrating from Samba 2.0.x to 2.2.x
5. The security = domain option in Samba 2.x
  5.1. Joining Samba 2.2 to an NT domain
  5.2. Samba and Windows 2000 domains
  5.3. Why is this better than security = server?
6. Configuring Samba 2.2 as a primary domain controller
  6.1. Description
  6.2. Configuring the Samba domain controller
  6.3. Creating machine trust accounts and adding clients to the domain
  6.4. Common problems and errors
  6.5. System policies and profiles
  6.6. Other available help
    6.6.1. Links and similar resources
    6.6.2. Mailing lists
  6.7. DOMAIN_CONTROL.txt: Samba & Windows NT Domain Control
7. Unified logons between Windows NT and UNIX using Winbind
  Summary
  7.2. Introduction
  7.3. Winbind features
    7.3.1. Target uses
  7.4. How Winbind works
    7.4.1. Microsoft Remote Procedure Calls
    7.4.2. Name service
    7.4.3. Pluggable Authentication Modules
    7.4.4. Allocation of user and group IDs
    7.4.5. Result caching
  7.5. Installation and configuration
  7.6. Limitations
  7.7. Conclusion
8. UNIX permission bits and Windows NT Access Control Lists
  8.1. Viewing and changing UNIX permissions with the NT security dialogs
  8.2. How to view file permissions on a Samba share
  8.3. Viewing file ownership
  8.4. Viewing file or directory permissions
    8.4.1. File permissions
    8.4.2. Directory permissions
  8.5. Modifying file or directory permissions
  8.6. Using the create mask options
  8.7. Using file attribute mapping
9. OS/2 client HOWTO
  9.1. Frequently asked questions
    9.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a Samba client?
    9.1.2. How can I configure OS/2 Warp 3 (non-Connect version), OS/2 1.2, 1.3 or 2.x as a Samba client?
    9.1.3. Are there any other problems with OS/2 (any version) as a client?
    9.1.4. How do I let OS/2 clients download printer drivers?
10. Chinese translation

Chapter 1. How to install and test Samba

1.1. Step 0: Read the man pages

The man pages shipped with the Samba distribution contain a lot of useful information. If you don't know how to read them, try the following command:

$ nroff -man smbd.8 | more

Other resources can be found on the Samba website, http://www.samba.org.

1.2. Step 1: Compiling the binaries

First run the ./configure program in the source directory. It configures Samba automatically for your operating system. If you have special requirements, run:

root# ./configure --help

to see the special options available. Then run:

root# make

This builds the binaries. Once compilation succeeds, use:

root# make install

to install the binaries and man pages. You can also install the binaries and/or man pages separately with:

root# make installbin

and

root# make installman

Note that if you are upgrading from a previous version, the old binaries are renamed with an ".old" extension. If you find that the current version has a problem, you can return to the previous version with:

root# make revert

1.3. Step 2: The all-important step

In this step you should get yourself a cup of coffee or another stimulating drink. The installation process is sometimes complex, so you may need it. If you have installed Samba before, you can skip this step.

1.4. Step 3: Create the configuration file

There is a sample configuration file in the examples subdirectory of the distribution. I suggest you read it carefully to see how the options are used in practice. See the man page for all options.

Here is the simplest useful configuration file:

[global]
   workgroup = MYGROUP

[homes]
   guest ok = no
   read only = no

With this configuration, users with accounts on the server can connect to their home directories. (Note that the workgroup is also set here, to the name of the workgroup Samba should join; see BROWSING.txt.)

Note: make install does not install an smb.conf file; you need to create it yourself (you can copy it from the examples/ subdirectory of the distribution) and place it in the directory specified in the Makefile (by default Samba looks in /usr/local/samba/lib/).

For information on setting up the [homes] share, see UNIX_SECURITY.txt.

1.5. Step 4: Test your configuration file with testparm

Test the smb.conf file with the testparm program. If testparm runs OK, it lists the services it loaded; otherwise it gives an error message. Make sure it runs OK and that the services look as required before proceeding.

1.6. Step 5: Start the smbd and nmbd processes

You must choose to start smbd and nmbd either as daemons or from inetd; do not do both. Either put them in inetd.conf and have inetd start them on demand, or start them as daemons from the command line or from /etc/rc.local. See the man pages for the command-line options, and take particular care over which account starts Samba: usually it must be root.

The main advantage of starting smbd and nmbd as daemons is that they respond faster to the initial connection request, but this is rarely a big issue.

1.6.1. Step 5a: Starting from inetd.conf

Note: If you use NIS or NIS+ to distribute the services map, the following will be different.

Look in /etc/services to see what is defined for port 139/tcp. If nothing is defined, add a line like this:

netbios-ssn 139/tcp

Similarly, there should be a definition for port 137/udp like this:

netbios-ns 137/udp

Then edit /etc/inetd.conf and add the following two lines:

netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd

The exact syntax of /etc/inetd.conf varies between UNIX versions. Use the other entries in that file as a guide.

Note: Some UNIX systems already have entries such as netbios_ns (note the underscore) in /etc/services. You must edit /etc/services or /etc/inetd.conf to make them consistent.

Note: On many systems you must use the "interfaces" option in smb.conf to specify the IP address and netmask of your interfaces. If you don't know the broadcast address of your network, run ifconfig as root. nmbd tries to determine the broadcast address at run time, but this fails on some systems. See the "Testing nmbd" section if necessary.

!!!WARNING!!! Most UNIX inetd implementations accept only about 5 command-line parameters in inetd.conf. This means you should not use too many spaces between options and their arguments, or you should use a script and start that from inetd.

Then restart inetd by sending it a HUP signal. If you have installed a previous version of nmbd, you need to kill it.

1.6.2. Step 5b: Alternative: starting as a daemon

To start the servers as daemons, create a script like the following and name it, for example, startsmb:

#!/bin/sh
/usr/local/samba/bin/smbd -D
/usr/local/samba/bin/nmbd -D

Then make it executable with chmod +x startsmb. You can run startsmb by hand or start it from /etc/rc.local. To stop nmbd and smbd, send them a kill signal. Note: If you use an SVR4-style init system, you can adapt this script to fit it.

1.7. Step 6: Try listing the shares available on your server

$ smbclient -L yourhostname

This command should return a list of the shares available on the server; if it does not, something is set up incorrectly. Note that this method can also be used to see what shares are available on other LanManager clients (such as WfWg).

If user-level security is selected, Samba asks for your password before it lists the shares. See the smbclient man page for details. (You can add the -U% option on the command line to force it to list the shares, but this does not work against non-Samba servers.)

1.8. Step 7: Try connecting from a UNIX client

$ smbclient //yourhostname/aservice

yourhostname should be the name of the host running smbd, and aservice is any service defined in smb.conf. If you have defined a [homes] section in smb.conf, you can try connecting with your username as the service. For example, if your UNIX host is bambi and your username is fred, the command is:

$ smbclient //bambi/fred

1.9. Step 8: Try connecting from DOS, WfWg, Win9x, WinNT, Win2k, OS/2 and other clients

To mount a disk:

C:\WINDOWS\> net use d: \\servername\service

To print:

C:\WINDOWS\> net use lpt1: \\servername\spoolservice
C:\WINDOWS\> print filename

At this point the installation has succeeded; if not, please report a bug!

1.10. What if things don't work?

If your only thought is "who wrote this big pile of garbage", I suggest you repeat Step 2 (several times if necessary) until you calm down.

Then read DIAGNOSIS.txt and the FAQ. If you are still stuck, try the mailing list and newsgroups (see the README for details). Samba has been installed successfully at thousands of sites around the world, so someone may already have run into and solved your problem. You can also check the Samba-digest messages published on the WWW site.

When you fix a problem, please send me an updated document or source code to make things easier for the next person.

1.10.1. Diagnosing problems

If you have problems with the installation, see DIAGNOSIS.txt to try to find the cause.

1.10.2. Scope IDs

By default Samba uses a blank scope ID. In that case all your Windows machines must also have a blank scope ID. If you really want to use a non-blank scope ID, you need the -i option to nmbd, smbd and smbclient, and all your machines must have the same setting. Using scope IDs is not recommended.

1.10.3. Choosing the protocol level

The SMB protocol has many dialects. Samba currently supports five: CORE, COREPLUS, LANMAN1, LANMAN2 and NT1.

You can choose the highest protocol level to support in smb.conf. The default is NT1, which is the most appropriate for most sites.

Earlier versions of Samba had to use COREPLUS. That has been fixed, and there is now no need to use a protocol below LANMAN1. COREPLUS is kept only for a few cases: for example, WfWg preserves the case of your password under this protocol, whereas under LANMAN1, LANMAN2 or NT1 all passwords are converted to uppercase, so in some cases you may have to set the "password level =" option. The main benefit of LANMAN2 and NT1 is support for long filenames on clients that handle them (such as smbclient, Windows NT or Win95).

See the smb.conf(5) man page for details.

Note: For print queue reporting to work, TCP/IP must be the default protocol under WfWg. If NetBEUI is the default, print queue reporting breaks, which is probably a WfWg bug.

1.10.4. Printing from UNIX to a client PC

To use a printer attached to an SMB server from a UNIX host, you need to compile the smbclient program and then install the "smbprint" script. Read the instructions in the smbprint script for details.

There is also a SYSV-style script with the same function, smbprint.sysv, which contains its own instructions.

1.10.5. Locking

Locking sometimes causes trouble.

An SMB server needs to implement two types of locking. The first is "record locking", which allows a client to lock a range of bytes in an open file. The second is "deny modes" (translator's note: also known as "share modes"), which are specified when a file is opened.

Samba supports record locking using the UNIX fcntl() system call. This is usually implemented with RPC calls to an rpc.lockd process running on the server. Unfortunately, rpc.lockd implementations have many problems, particularly when talking to other versions. It is not uncommon for rpc.lockd to crash.

Another problem is translating the 32-bit lock requests generated by PC clients into the 31-bit requests supported by most UNIX systems. Many PC applications (typically OLE2 applications) use byte ranges with the top bit set. Samba attempts to support such applications by translation, and this has proved quite successful.

Strictly, an SMB server should check for locks before every read and write call. With fcntl() this can be slow, and it may overload rpc.lockd. It is also almost always unnecessary: clients for which locking matters should make their own lock calls before reading and writing. By default, Samba makes lock calls only when a client explicitly asks for them, but if you set the "strict locking = yes" option, it makes a lock call on every read and write.

You can also disable record locking completely with "locking = no". This is useful for shares that do not support locking or do not need it (such as CD-ROMs). In this case Samba returns fake codes for locking calls to the client.

The second type of locking is "deny modes". These are set by an application when it opens a file and determine what types of access are allowed. A client can ask for DENY_NONE, DENY_READ, DENY_WRITE or DENY_ALL. There are also the special compatibility modes DENY_FCB and DENY_DOS.

On a heavily loaded server the share mode code is very slow; you can disable share modes with the "share modes = no" option. If your operating system supports it, you can use shared memory to speed up share modes; see the FAST_SHARE_MODES option in the Makefile for details.

1.10.6. Mapping usernames

To map between PC usernames and UNIX usernames, look at the "username map" option in smb.conf. See the smb.conf man page for details.

1.10.7. Other character sets

If filenames containing accented characters (for example German, French or Scandinavian) cause problems, look at the "valid chars" option in smb.conf and the validchars package in the examples directory.

Chapter 2. LANMAN and NT password encryption in Samba 2.x

2.1. Introduction

Samba is compatible with LanManager and Windows NT password encryption.

This chapter describes how the SMB password encryption algorithm works and gives recommendations; please read it carefully.

2.2. How it works

LanManager encryption is somewhat similar to UNIX password encryption. The SMB server uses a file that stores a hashed value of each user's password. The value is created as follows: take the user's plaintext password, convert it to uppercase, then truncate it or pad it with null bytes to 14 bytes. This 14-byte value is used as two 56-bit DES keys to encrypt a 'magic' 8-byte value, forming a 16-byte value that is stored by the server and the client. This is the "hashed password".

Windows NT encryption is a more advanced mechanism: it performs an MD4 hash of the Unicode version of the user's password, which also produces a 16-byte non-reversible hash value.

When a client (LanManager, Windows for Workgroups, Windows 95 or Windows NT) wants to mount a Samba drive (or use a Samba resource), it first sends a connection request and negotiates the protocol to use with the server. In its reply, the Samba server generates an 8-byte random value (called the "challenge"), sends it to the client, and stores it. The challenge is different for every connection.

The client then appends 5 null bytes to the 16-byte hashed password described above, treats the resulting 21 bytes as three 56-bit DES keys, and encrypts the 8-byte challenge with each of the three keys, forming a 24-byte "response".

The client returns this response to the Samba server in the SMBsessionsetupX call (when user-level security is selected) or the SMBtconX call (when share-level security is selected). At the Windows NT protocol level, the calculation above is performed on both hashes of the user's password and both responses are sent in the SMB call, giving two 24-byte values.

The Samba server repeats the calculation using its own stored 16-byte hashed password (read from the smbpasswd file, described later) and the challenge value it kept, and checks whether the result matches the 24-byte value or values supplied by the client. If they match, the client is allowed access; otherwise access is denied.

Note that the Samba server never learns or stores the plaintext of the user's password, only the hashed values derived from it. Likewise, neither the plaintext password nor the hashed value is ever transmitted over the network, which improves security.

2.3. Important notes about security

On the surface, UNIX and SMB password encryption look very similar, but in fact they are very different. With UNIX, the plaintext password is usually sent over the network when logging in, which is bad. The SMB encryption scheme never sends the plaintext password over the network, but it does store the 16-byte hashed values on disk, which is also bad. Why? Because the 16-byte hashed values are "password equivalents": although the user's password cannot be derived from them, they can be used in a modified client to gain access to a server. This requires a certain level of attack skill, but it is entirely possible. So protect the smbpasswd file.

Ideally we would like a password scheme that requires plaintext passwords neither on the network nor on disk. Unfortunately this is not possible, because Samba must stay compatible with other SMB systems (WinNT, WfWg, Win95, etc.).

WARNING: Note that Windows NT 4.0 Service Pack 3 changed the default authentication behaviour so that plaintext passwords are no longer sent over the wire. The solution is either to have Samba use encrypted passwords or to edit the Windows NT registry to re-enable plaintext passwords. See WinNT.txt for details.

Other Microsoft operating systems that behave the same way:

- MS DOS Network Client 3.0 with the basic network redirector installed
- Windows 95 with the network redirector update installed
- Windows 98 [SE]
- Windows 2000

Note: All current Microsoft SMB/CIFS clients support authentication via the SMB challenge/response mechanism described here. Enabling plaintext passwords does not prevent clients from taking part in encrypted authentication.

2.3.1. Advantages of SMB encryption

- Plaintext passwords are not transmitted over the network, so someone using a network sniffer cannot record passwords in transit.
- Windows NT expects to talk to the server using SMB encrypted passwords. If the server is in user-level security mode without them, NT refuses to browse the server and insists that the user enter the password every time, which is very annoying. The only solution is to use SMB encryption.

2.3.2. Advantages of non-encrypted passwords

- Plaintext passwords are not stored on disk.
- You can use the same password as for other UNIX services, such as login and ftp.
- You are probably already using other services (such as telnet and ftp) that send plaintext passwords over the network, so sending them for SMB as well adds little.

2.4. The smbpasswd file

For Samba to take part in these protocols, it must be able to look up the 16-byte hashed values for a username. Unfortunately, because the UNIX password value is also produced by a one-way hash function, the 16-byte values must be stored in a separate password file, smbpasswd. To reduce the risk of the two password files getting out of sync, you can generate an smbpasswd file from the UNIX /etc/passwd file with a utility called mksmbpasswd.sh, for example:

$ cat /etc/passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd

If you use NIS, use:

$ ypcat passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd

The mksmbpasswd.sh program is in the source directory of the Samba distribution. By default the smbpasswd file is stored at:

/usr/local/samba/private/smbpasswd

The /usr/local/samba/private/ directory should be owned by root, with permissions 0500 (chmod 500 /usr/local/samba/private).

Likewise, the smbpasswd file in this directory should be owned by root, with permissions 0600 (chmod 600 smbpasswd).

The format of the smbpasswd file is as follows (the entry is wrapped here; in the file each entry must be on a single line):

username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
    [Account type]:LCT-<last-change-time>:Long name

Of these, Samba uses only username, uid, the two XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX fields, [Account type] and last-change-time.

It is extremely important that there are 32 'X' characters between the two ':' characters in each XXX field. If there are fewer than 32 characters between the colons, Samba's validation of the account fails. The first XXX field holds the LanManager password hash and the second the Windows NT version.

When the password file is first created, every user's password fields contain 32 'X' characters. This denies those users access to the server. When a user sets a password, the 'X' characters are replaced by 32 ASCII hexadecimal digits representing the 16-byte hashed value of the password. To give a user no password (not recommended), edit the file with vi and replace the first 11 characters with the ASCII text "NO PASSWORD" (without the quotes).

For example, after bob's password has been cleared, his entry looks like this:

bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
    [U]:LCT-00000000:Bob's full name:/bobhome:/bobshell

If you want users to set their own passwords with the smbpasswd command, you can initialise their entries with "NO PASSWORD" so that they do not have to enter an old password when choosing a new one (not recommended; this is not secure). For a user with no password to be able to connect to smbd, or to use the smbpasswd program, you must add the following to the [global] section of smb.conf:

null passwords = yes

The safer approach is to assign each user a default password instead.

Note: Protect the smbpasswd file carefully. Anyone who can get at this file can (with enough knowledge of the protocols) gain access to your SMB server.
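The checks this section asks an administrator to make (32-character hash fields, no "NO PASSWORD" entries, directory mode 0500, file mode 0600, root ownership) can be automated. The following audit script is an added example, not part of Samba or the original HOWTO; the function names and sample entries are constructed for illustration, and skipping '#' lines is an assumption about the file.

```python
import os
import stat

FIELD_LEN = 32          # each hash field: 16 bytes written as 32 ASCII characters
HEX_DIGITS = set("0123456789abcdefABCDEF")


def classify_field(field):
    """Classify one password field of an smbpasswd entry."""
    if len(field) != FIELD_LEN:
        return "malformed"        # not exactly 32 characters between the colons
    if field.startswith("NO PASSWORD"):
        return "no-password"      # cleared password, usable with 'null passwords = yes'
    if set(field) == {"X"}:
        return "locked"           # freshly generated entry, access denied
    if set(field) <= HEX_DIGITS:
        return "hash"             # stored 16-byte hash: a password equivalent
    return "malformed"


def audit_entries(text):
    """Return {username: [findings]} for entries that need attention."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue              # assumption: blank and '#' lines carry no account
        parts = line.split(":")
        if len(parts) < 4:
            report[parts[0]] = ["entry has fewer than four fields"]
            continue
        user, _uid, lanman, nt = parts[:4]
        findings = []
        for label, field in (("LANMAN", lanman), ("NT", nt)):
            state = classify_field(field)
            if state == "malformed":
                findings.append(f"{label} field is not 32 'X' or hex characters")
            elif state == "no-password":
                findings.append(f"{label} field is set to NO PASSWORD")
        if findings:
            report[user] = findings
    return report


def audit_permissions(smbpasswd_path, owner_uid=0):
    """Check the modes and owner given above: directory 0500, file 0600, root."""
    findings = []
    checks = ((os.path.dirname(smbpasswd_path), 0o500), (smbpasswd_path, 0o600))
    for path, allowed in checks:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~allowed:
            findings.append(f"{path}: mode {mode:04o} is wider than {allowed:04o}")
        if st.st_uid != owner_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    return findings


# Constructed sample entries (not real accounts or real hashes).
X32 = "X" * 32
SAMPLE = "\n".join([
    "# constructed sample",
    f"alice:1001:{'0123456789ABCDEF' * 2}:{'FEDCBA9876543210' * 2}:[U]:LCT-00000000:Alice",
    f"bob:100:{'NO PASSWORD' + 'X' * 21}:{X32}:[U]:LCT-00000000:Bob's full name:/bobhome:/bobshell",
    f"carol:1002:{X32}:{X32}:[U]:LCT-00000000:Carol",
    f"dave:1003:{'X' * 31}:{X32}:[U]:LCT-00000000:Dave",
])

if __name__ == "__main__":
    for user, findings in audit_entries(SAMPLE).items():
        for finding in findings:
            print(f"{user}: {finding}")
    path = "/usr/local/samba/private/smbpasswd"   # default location given above
    if os.path.exists(path):
        for finding in audit_permissions(path):
            print(finding)
```

On the sample, bob is reported for the cleared password and dave for a 31-character field that Samba would fail to validate; alice and carol pass.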

2.5. The smbpasswd command

The smbpasswd command maintains the two 32-byte password fields in the smbpasswd file. It is usually installed in /usr/local/samba/bin/ (or your main Samba binary directory).

Note that as of Samba 1.9.18p4 this program must not be installed setuid root (the new smbpasswd code enforces this restriction, so there is no need to worry about it being run that way by accident).

smbpasswd now works in client/server mode: it connects as a client to the local smbd and changes the user's password through it. This has the following advantages:

- smbpasswd no longer needs to be setuid root, which removes most of the security issues.
- smbpasswd can now change passwords on Windows NT servers (when changing an NT domain user's password, this works only if the request is sent to the NT domain controller).

To run smbpasswd as an ordinary user, just type:

$ smbpasswd
Old SMB Password:
New SMB Password:
Repeat New SMB Password:

If the old password is wrong, or the two new passwords do not match, the password is not changed.

When invoked by an ordinary user, smbpasswd can change only that user's own Samba password.

When run as root, smbpasswd accepts an option naming the user whose password is to be changed. In that case it does not prompt for or check the old password, so root can reset passwords for users who have forgotten them.

For those familiar with UNIX, smbpasswd works much like the passwd or yppasswd commands.

See the smbpasswd man page for details.

2.6. Setting up Samba to support LanManager encryption

The following briefly describes how to set up Samba to support LanManager encryption:

1. Compile and install Samba as usual.
2. Add the encrypt passwords = yes option to the [global] section of smb.conf to enable password encryption.
3. Create the initial smbpasswd password file in the directory specified in the Makefile (--prefix=). See the smbpasswd file section above for details.

Tip: once this is done, you can test it with the smbclient tool.

Chapter 3. Configuring a Microsoft Distributed File System Tree in Samba

3.1. Introduction

A Distributed File System (DFS) separates the logical view of files and directories that users see from the physical locations of the underlying network resources. It offers higher availability, more transparent storage expansion, and load balancing. For details about DFS, see Microsoft's documentation.

This chapter describes how to host a DFS tree on a UNIX machine running Samba (for use by DFS-aware clients).

To enable DFS, configure Samba with the --with-msdfs option. Once it is built, you can make Samba a DFS server by setting the global option host msdfs in smb.conf. Then use the share-level option msdfs root to designate a share as a DFS root. A DFS root directory connects to other servers through DFS links in the form of symbolic links. For example, the symbolic link junction -> msdfs:storage1\share1 represents a DFS junction. When a DFS-aware client accesses such a link, it is redirected to the actual storage location (in this case \\storage1\share1).

DFS trees on Samba work with all DFS-aware clients (from Windows 95 to 2000).

The following example shows how to set up Samba as a DFS server. First create an smb.conf file like this:

[global]
   netbios name = SAMBA
   host msdfs = yes

[dfs]
   path = /export/dfsroot
   msdfs root = yes

In the /export/dfsroot directory, set up DFS links to other servers on the network:

root# cd /export/dfsroot
root# chown root /export/dfsroot
root# chmod 755 /export/dfsroot
root# ln -s msdfs:storageA\\shareA linka
root# ln -s msdfs:serverB\\share,serverC\\share linkb

Set the permissions on the DFS root directory so that only designated users can create, delete or modify DFS links. Also note that symbolic link names must be written in lowercase; this restriction means Samba does not have to try every case combination of the link name. Finally, set up the symbolic links to point to the network shares you want, and restart Samba.

On DFS-aware clients, users can now browse the DFS tree on the server at \\samba\dfs. Accessing linka or linkb (which appear as directories to the client) takes the user directly to the appropriate network share.

3.1.1. Notes

- Windows clients need to be rebooted if a share they have already mounted as a non-DFS share is made a DFS root, or vice versa. It is better to use a new share as the DFS root.
- Currently, DFS symbolic link names must be all lowercase.
- For security, the DFS root directory should have permissions set so that only designated users can modify the symbolic links in it.
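The constraints in this chapter (root-owned DFS root that others cannot write to, lowercase link names, targets of the form msdfs:server\share with comma-separated alternates) can be checked mechanically. The following is an added example, not Samba code; the function names are hypothetical and the parser assumes the backslash separator used in the links above.

```python
import os
import stat

PREFIX = "msdfs:"


def parse_msdfs_target(target):
    """Parse 'msdfs:serverB\\share,serverC\\share' into [(server, share), ...].

    Returns None when the symlink target is not a well-formed DFS referral.
    """
    if not target.startswith(PREFIX):
        return None
    alternates = []
    for alternate in target[len(PREFIX):].split(","):
        server, sep, share = alternate.partition("\\")
        if not (sep and server and share):
            return None
        alternates.append((server, share))
    return alternates


def audit_dfs_root(root, owner_uid=0):
    """Return (findings, referrals) for one DFS root directory."""
    findings, referrals = [], {}
    st = os.stat(root)
    mode = stat.S_IMODE(st.st_mode)
    # Anyone who can write to the root can repoint clients at another server.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{root}: mode {mode:04o} lets group or others change links")
    if st.st_uid != owner_uid:
        findings.append(f"{root}: owned by uid {st.st_uid}, expected {owner_uid}")
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.is_symlink():
            continue              # ordinary files and directories are not DFS links
        target = os.readlink(entry.path)
        if entry.name != entry.name.lower():
            findings.append(f"{entry.name}: link name is not all lowercase")
        alternates = parse_msdfs_target(target)
        if alternates is None:
            findings.append(f"{entry.name}: target {target!r} is not an msdfs referral")
        else:
            referrals[entry.name] = alternates
    return findings, referrals


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for /export/dfsroot holding the two links from the example.
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        os.symlink("msdfs:storageA\\shareA", os.path.join(root, "linka"))
        os.symlink("msdfs:serverB\\share,serverC\\share", os.path.join(root, "linkb"))
        findings, referrals = audit_dfs_root(root, owner_uid=os.getuid())
        print(findings)
        print(referrals)
```

The referral map it returns also gives a reviewable list of every server that clients of this DFS root can be redirected to.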

Chapter 4. Print Support in Samba 2.2.x

4.1. Introduction

Starting with version 2.2.0, Samba supports the native Windows NT printing mechanisms, implemented via MS-RPC (i.e. the SPOOLSS named pipe). Previous versions supported only LanMan printing calls. The new SPOOLSS support provides the following additional features:

- Support for downloading printer drivers to Windows 95/98/NT/2000 clients on demand.
- Uploading of printer drivers via the Windows NT Add Printer Wizard (APW) or the Imprints tool set (see http://imprints.sourceforge.net).
- Support for native MS-RPC printing calls such as StartDocPrinter, EnumJobs(), etc. (for details of the Win32 printing API, see the MSDN documentation at http://msdn.microsoft.com/).
- Support for Access Control Lists (ACLs) on printer objects.
- Better support for print queue operations, by keeping spooled job information in an internal database.

Note that Windows NT/2000 clients require the Samba server to have a valid driver assigned to the printer; this is needed to support the MS-RPC printing calls. Windows 9x clients do not require the printer driver to be installed on the Samba host. Moreover, Samba does not use these drivers to process spool files; the drivers are used entirely by the clients.

4.2. Configuration

[print$] and [printer$]: Previous versions of Samba recommended using a share named [printer$]. The name comes from the printer$ service that Windows 9x creates when it shares a printer. Windows 9x print servers always use this printer$ service to provide printer driver downloads without a password. Two options were related to it: printer driver location, which specified the directory where the printer driver files were stored, and printer driver, which defined the printer driver name. Both are now ignored, so please do not use them. For further details, see the migration section.

4.2.1. Creating [print$]

To support uploading printer driver files, you must first configure a share named [print$]. The name of this share matters (print$ is the service Windows NT print servers use to provide printer driver downloads), so do not get it wrong. See the following example (some values, such as 'path', are arbitrary and should be replaced with values appropriate to your site):

[print$]
    path = /usr/local/samba/printers
    guest ok = yes
    browseable = yes
    read only = yes
    ; Since this share is configured as read-only, a 'write list' is needed. Check the
    ; file system permissions to make sure this account can copy files to the share.
    ; If this account is not the root account, it should also be a 'printer admin'.
    write list = ntadmin

The write list option gives the specified user write access so that he or she can update files in the share. See the smb.conf(5) man page for details on configuring file shares.

Guest OK = YES This option will depend on how your site is configured. If each user on the Samba server has an account, there is no need to use.

Author's note: The point is that if all Windows NT users can be authenticated by the Samba server (that is, domain users and NT local users are validated by the domain controller), then guest access is unnecessary. Of course, if you are not trying to keep some users from accessing the server and have no security concerns, you can use this feature. To prohibit users, you can add the map to guest = Bad User option to the [global] section, but it is best to fully understand what this option means before using it. - Jerry

A Windows NT print server supports driver downloads for a variety of client platforms by keeping a subdirectory for each platform under the [print$] service, and Samba uses the same method.

Under the [print$] share, create a subdirectory for each platform you want to support:

[print$]-----
        |-W32X86           ; "Windows NT x86"
        |-WIN40            ; "Windows 95/98"
        |-W32ALPHA         ; "Windows NT Alpha_AXP"
        |-W32MIPS          ; "Windows NT R4000"
        |-W32PPC           ; "Windows NT PowerPC"

Note: permissions required. To add a new printer to the Samba server, one of the following two conditions must be met:

The account used to connect to the Samba server has a UID of 0 (for example, the root account).

The account used to connect to the Samba server is a member of the printer admin list.

In either case, the account must also have permission to add files in the [print$] subdirectories. Remember that all file shares are read only by default.

Once the [print$] service and its subdirectories have been created, log on to the Samba server from a Windows NT 4.0 client with the root account (or a printer admin account). In the "Printers" folder of the Samba server you should see the list of printer shares defined on the server.

4.2.2. Setting the driver for an existing printer

As mentioned above, the printers listed in the Samba server's Printers folder have not yet been assigned an actual driver. By default, Samba sets the driver name to "No Printer Driver Available for This Printer". If you try to view the printer properties, you will get the following message:

Device Settings Cannot Be Displayed. The Driver for the Specified Printer Is Not Installed, Only Spooler Properties Will Be Displayed. Do you want to install the driver?

After you click "No" in the dialog box, the printer properties window appears. There are two ways to install a driver from it:

Click the "New Driver..." button to install a new driver, or select one from the drop-down list of installed drivers. Initially this list is empty.

If you need drivers for a client operating system other than Windows NT x86, use the "Sharing" tab of the printer properties dialog. (Translator's note: this tab has an "Other Driver" button.)

If you connected to the server with the root account, you can also change other printer properties in this dialog, such as ACLs and device settings.

Finally, note that a Windows NT print server may list printers in its Printers folder that are not shared. Samba makes no such distinction: by definition, it shares only the printers defined in the smb.conf file. Another point of interest is that Windows NT clients do not use the SMB printer share but prefer to print directly to the remote NT host using MS-RPC. This requires the printing client to have the necessary permissions on the remote host, and the default permissions that Windows NT assigns to a printer allow the "Everyone" group to print.

4.2.3. Support a large number of printers

One problem that came up while developing Samba 2.2 was how to support driver installation for 100 printers. Doing this with the Windows NT APW is rather tedious. If several printers share one driver, you can use rpcclient's setdriver command to associate an installed driver with each printer. For example:

# List the drivers already installed on the server
$ rpcclient pogo -U root%secret -c "enumdrivers"
Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]

[Windows NT x86]
Printer Driver Info 1:
     Driver Name: [HP LaserJet 4000 Series PS]

Printer Driver Info 1:
     Driver Name: [HP LaserJet 2100 Series PS]

Printer Driver Info 1:
     Driver Name: [HP LaserJet 4Si/4SiMX PS]

# List the printers; hp-print has no driver yet
$ rpcclient pogo -U root%secret -c "enumprinters"
Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
     flags:[0x800000]
     name:[\\POGO\hp-print]
     description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
     comment:[]

# Associate an installed driver with the printer
$ rpcclient pogo -U root%secret \
>  -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
Successfully set hp-print to driver HP LaserJet 4000 Series PS.

4.2.4. Adding new printers with the Windows NT APW

By default, Samba shows all printer shares defined in smb.conf in the Printers folder. The Add Printer Wizard icon also appears in this folder if both of the following conditions are met:

The connected user can successfully call OpenPrinterEx(\\server) with administrative privileges (that is, as the root account or a printer admin).

The option show add printer wizard = yes is set (the default).

To add a printer with the APW, the add printer command option must be defined. The program it names must add the printer both to the system (for example, /etc/printcap or the equivalent file) and to smb.conf.

When a client uses the APW to add a printer that does not yet exist, smbd executes the add printer command and re-parses smb.conf to look for the new printer share. If the share is still not defined, an "access denied" error is returned to the client. Note that the add printer command runs as the connected user, not necessarily as root. A companion option, delete printer command, removes printer entries from the Printers folder.

4.2.5. Samba and printer ports

A Windows NT/2000 print server assigns a port to each printer, usually LPT1:, COM1:, FILE: and so on. Samba must also support the concept of printer ports, but by default it defines only one, called "Samba Printer Port". It is not a real print port; it exists only because Windows clients require one.

Note that Samba does not support "printer pooling", in which one logical printer is assigned to several ports for load balancing or failover.

If you need to define multiple ports, the enumports command option in smb.conf lets you specify an external program that generates the list of ports on the system.

4.3. Imprints Kit

The Imprints kit provides a set of UNIX programs equivalent to the Windows NT APW. For details, see http://imprints.sourceforge.net/. Detailed documentation is also included in its source distribution; this section gives only a brief introduction.

4.3.1. What is Imprints?

Imprints is a kit that supports the following:

A central repository of Windows NT and 95/98 printer drivers.

Tools for building Imprints printer driver packages.

A client program for accessing the repository and installing drivers on remote Samba and Windows NT print servers.

4.3.2. Creating a printer driver package

The details of creating a printer driver package are beyond the scope of this document (see the Imprints.txt file in the Samba distribution). In short, an Imprints driver package is a compressed archive containing the driver files, the related INF files, and a control file needed by the installation client.

4.3.3. Imprints Server

The Imprints server is really a database server that can be queried over standard HTTP. Each printer driver entry in the database has an associated URL for downloading the package. Each package also carries a digital signature generated with GnuPG, which is used to verify that the downloaded package is authentic. It is strongly recommended that you do not disable this security check.

4.3.4. Client Setup

For details on the Imprints installation client, see the Imprints-Client-HOWTO.ps file included in the source package.

The Imprints installation client comes in two forms:

A set of Perl command-line scripts.

A GTK-based graphical interface to the Perl command-line scripts.

With the client you can query an Imprints database server for the printer models it knows about, and download drivers and install them on remote Samba and Windows NT print servers.

The basic installation process has four steps, and the Perl code is a wrapper around smbclient and rpcclient:

foreach (supported printer architecture)
{
    1. rpcclient: get the appropriate upload directory on the remote server
    2. smbclient: upload the driver files
    3. rpcclient: issue the AddPrinterDriver() MS-RPC call
}

4. rpcclient: issue the AddPrinterEx() MS-RPC call to actually create the printer

The Imprints kit runs into a problem with driver names when it is used across several client platforms. For example, Windows NT uses driver names such as "Apple LaserWriter II NTX v51.8", while Windows 95 uses "Apple LaserWriter II NTX". The question is which client's driver name to use for the printer. Experienced readers will remember that the Windows NT Printer Properties dialog shows only one printer driver name. Take a look at this registry key on a Windows NT 4.0 system:

HKLM\System\CurrentControlSet\Control\Print\Environment

You will find that Windows NT always uses the NT driver name. That is not a problem there, because NT only looks up NT drivers that are already installed. Samba has no such requirement, so the question is how a single driver name can be used when that driver has not been installed.

To solve this problem, an Imprints printer driver package must contain both the Windows NT and the 95/98 drivers, and the NT driver must be installed first.


4.4. Migrating from Samba 2.0.x to 2.2.x

Printer driver management in Samba 2.2 has changed from previous versions (for the better, we hope). You may run into the following problems when migrating an existing installation to 2.2.

Windows clients tend to remember things. If a Windows NT client has connected to a Samba 2.0 server, it remembers that server as a LanMan print server. Samba 2.2 supports MSRPC printing as far as possible, but after the upgrade NT clients still remember the previous setting.

To use the new MSRPC printing functionality, first stop the client's spooler service with the following command, then delete the registry keys related to the print server under [HKLM\System\CurrentControlSet\Control\Print].

C:\WINNT\> net stop spooler

Be careful when editing the registry.

Once the registry keys have been deleted, restart the spooler service by running the same command with start in place of stop.

Windows 9x clients, on the other hand, continue to use LanMan print calls and need no changes.

WARNING: The following smb.conf options are being considered for removal, so please do not use them in new installations.

printer driver file

printer driver location

During the migration you may face the following scenarios:

If you do not need the new Windows NT printer driver support, you can keep using the existing options.

If you want to support NT printer drivers but do not want to migrate the 9x drivers to the new setup, keep the existing printers.def file. When smbd fails to find a 9x driver for the printer in the TDB, it falls back to the printers.def file (and all related options). The make_printerdef tool remains for backwards compatibility, but it is already an outdated tool.

If a Windows 9x driver for the printer is installed on the Samba server, it takes precedence and the three old printing options are ignored (including printer driver location).

If you want to migrate an existing printers.def file to the new setup, the only way is to install the NT and 9x drivers with the Windows NT APW. See smbclient and rpcclient for details. The Imprints installation client at http://imprints.sourceforge.net/ also serves as an example.

Chapter 5. Samba 2.x

5.1. Adding Samba 2.2 to an NT domain

To add a Samba server to an NT domain, you must first add its NetBIOS name with Server Manager for Domains on the PDC, which creates its machine account in the domain SAM on the PDC. Note that the Samba server must be added as a "Windows NT Workstation or Server", not as a "Primary or Backup Domain Controller".

Assume you want to add a Samba server named SERV1 to the NT domain DOM, whose primary domain controller is DOMPDC and whose two backup domain controllers are DOMBDC1 and DOMBDC2. First stop all Samba daemons, then run the following command:

root# smbpasswd -j DOM -r DOMPDC

If all goes well, you will see the following message:

smbpasswd: Joined domain DOM.

See the smbpasswd(8) man page for details on its usage.

In a later release, it will not be necessary to create the machine trust account on the PDC beforehand when joining the domain.

This command goes through the machine account password change protocol and writes the machine account password to a file in the same directory as the smbpasswd file, usually:

/usr/local/samba/private

In Samba 2.0.x, the machine account password file is named like this:

(NT domain name).(Samba server name).mac

The .mac suffix indicates that this is a machine account password file. In the example above, the password file would therefore be named:

DOM.SERV1.mac

In Samba 2.2, this file has been replaced by the TDB (Trivial Database) file secrets.tdb. The file is owned by root and must not be readable by anyone else. It is the key to domain-level security on your system, so protect it carefully.

Next, edit the smb.conf(5) file to use domain-level security.

Modify (or add) the security = line in the [global] section:

security = domain

Also modify the workgroup = line:

workgroup = DOM

This must be the name of the domain being joined.

You also need to set the encrypt passwords option to yes so that encrypted passwords are used.

Finally, add (or modify) the password server = line in the [global] section to specify the authentication servers:

password server = DOMPDC DOMBDC1 DOMBDC2

Samba contacts these primary and backup domain controllers in the listed order when authenticating users, so you can reorder the list to spread the load.

Alternatively, use the following setting to have smbd locate the domain controllers automatically when authenticating:

password server = *

Note: This mechanism, the same one NT uses, has been available since Samba 2.0.6. It broadcasts or queries the WINS database to find domain controllers to authenticate against.

Finally, restart the Samba daemons. Clients can now use domain-level security.

5.2. Samba and Windows 2000 domain

Many people have asked how Samba works with Windows 2000 domains. Samba 2.2 can act as a member server in a Windows 2000 domain running in either mixed mode or native mode.

There is a lot of confusion about these two modes. A Win2k domain controller needs to run in "mixed mode" only if Windows NT backup domain controllers must exist in the same domain. By default, a Win2k domain controller in native mode still supports NetBIOS and the NTLMv1 authentication protocol for legacy clients, namely Windows 9x and NT 4.0. A Samba server behaves much like a Windows NT 4.0 member server. The steps for adding Samba 2.2 to a Win2k domain are the same as those for adding a Samba server to a Windows NT 4.0 domain, except that the NT 4 "Server Manager" is replaced by the Win2k "Active Directory Users and Computers" tool.

5.3. Why is this better than security = server?

Currently, domain-level security in Samba still requires a local UNIX user account for each domain user who connects to the server. That is, if the domain user DOM\fred wants to connect to your domain-security Samba server, a local UNIX account fred must exist for that user. This is very similar to the older security = server mode, in which the Samba server passes the authentication request to the NT server in the same way a Windows 95 or Windows 98 machine would.

Automatically assigning UNIX UIDs and GIDs to Windows NT domain users is discussed in the winbind paper. This feature is currently available only in the development branch, but it will be included in a release soon.

The advantage of domain-level security is that the Samba server can pass authentication over an RPC channel in the same way an NT server does. This means it can take part in domain trust relationships just like an NT server (for example, a Samba server can be added to a resource domain and have authentication passed through that domain's controller to a domain controller in the account domain).

Also, with security = server, every Samba daemon on the server keeps a connection to the authenticating server open for as long as it runs, which can exhaust the connection resources of the NT server. With security = domain, the Samba daemons connect to the PDC/BDC only for as long as it takes to authenticate the user and then drop the connection, which conserves the server's connection resources.

Finally, authenticating against the PDC in the same way an NT server does means the Samba server receives the user's identification information, such as the user's SID and the list of NT groups the user belongs to. Future versions of Samba will build on this with what the developers call "appliance" mode. In that mode Samba generates UNIX UIDs and GIDs from the information the PDC returns when it validates a user, so no local user accounts have to be created by hand, and a Samba server becomes truly plug and play in an NT domain environment. Watch for this feature in future code.

Note: Much of the text in this chapter is taken from the LinuxWorld article Doing the NIS/NT Samba.

Chapter 6. Configuring Samba 2.2 as a primary domain controller

6.1. Description

Author's note: This chapter is a combination of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ.

Versions before Samba 2.2 implemented a small subset of Windows NT 4.0 primary domain controller functionality. Version 2.2 completes the following features:

Domain logons for Windows NT 4.0/2000 clients

Placing Windows 9x clients in user-level security

Retrieving the list of users and groups for Windows clients

Roaming user profiles

Windows NT 4.0-style system policies

The following features are not implemented:

Windows NT 4 domain trusts

Replication of the security account database with Windows NT 4.0 domain controllers (for example, a Samba primary domain controller with an NT backup domain controller, or vice versa)

Adding user accounts to the domain

Windows 2000 domain controller features (such as Kerberos and Active Directory)

Please note that the Windows 9x clients described here are not true members of the domain. The protocol that supports Windows 9x-style domain logons is therefore completely different from NT4 domain logons, and this feature is officially supported.

Starting with Samba 2.2.0, NT4-style domain logons are officially supported for Windows NT 4.0 and Windows 2000 (including SP1) clients. This chapter describes the steps needed to configure Samba as a PDC. Before you start, make sure the server works normally; if it does not, see UNIX_INSTALL.html and the smb.conf(5) man page.

The work falls into two basic steps:

Configure Samba as a PDC.

Create machine trust accounts and join the clients to the domain.

There are also some secondary matters such as user profiles and system policies. These are not strictly necessary and are closely tied to Windows NT networking concepts, so they are mentioned only briefly here.

6.2. Configuring the Samba domain controller

The first step is to understand the smb.conf options the server needs. They are not explained in detail here; see the smb.conf(5) man page. For the reader's convenience, these options are linked to their descriptions in smb.conf(5) (Translator's note: if you obtained this file separately, put it in the directory containing the HTML version of the man pages).

The following sample configuration implements a PDC:

[global]
    ; Basic server settings
    netbios name = POGO
    workgroup = NARNIA

    ; Become the domain and local master browser
    os level = 64
    preferred master = yes
    domain master = yes
    local master = yes

    ; Security settings (must use security = user)
    security = user

    ; A PDC must use encrypted passwords
    encrypt passwords = yes

    ; Support domain logons
    domain logons = yes

    ; Directory in which user profiles are stored
    logon path = \\%N\profiles\%u

    ; The user's home directory and the drive letter it is mapped to
    logon drive = H:
    logon home = \\homeserver\%u

    ; A generic logon script for all users, given as a DOS path
    ; relative to the [netlogon] share
    logon script = logon.cmd

; Share that a domain controller must have
[netlogon]
    path = /usr/local/samba/lib/netlogon
    writeable = no
    write list = ntadmin

; Share for storing user profiles
[profiles]
    path = /export/smb/ntprofile
    writeable = yes
    create mask = 0600
    directory mask = 0700

A few points about this configuration deserve emphasis:

Encrypted passwords must be used; see the ENCRYPTION.html file.

The server must support domain logons and have a [netlogon] share.

For Windows clients to locate the domain controller, the Samba server must be the domain master browser.
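The checks below turn the [print$] notes in section 4.2.1 and the PDC requirements listed above into a small smb.conf audit. This is an added example, not part of the Samba documentation: the function names, the finding texts and the SAMPLE configuration are constructed for illustration, and the parser covers only the parameters discussed on this page.

```python
import re

TRUE = {"yes", "true", "1"}
# smb.conf(5) synonyms: alias -> (canonical name, value is inverted)
SYNONYMS = {"writeable": ("readonly", True), "writable": ("readonly", True),
            "writeok": ("readonly", True), "public": ("guestok", False)}
DEPRECATED = ("printerdriver", "printerdriverfile", "printerdriverlocation")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names normalised."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = conf.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Parameter names ignore case and embedded whitespace.
        key, value = re.sub(r"\s+", "", key).lower(), value.strip()
        if key in SYNONYMS:
            key, inverted = SYNONYMS[key]
            if inverted:
                value = "no" if value.lower() in TRUE else "yes"
        current[key] = value
    return conf


def is_yes(section, key, default):
    value = section.get(key)
    return default if value is None else value.lower() in TRUE


def audit(text):
    """Return findings for the [print$] and PDC settings described on this page."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for name, section in conf.items():
        findings += [f"[{name}]: deprecated option '{key}'"
                     for key in DEPRECATED if key in section]
    if "printer$" in conf and "print$" not in conf:
        findings.append("[printer$]: NT/2000 driver download needs [print$]")
    share = conf.get("print$")
    if share is not None:
        if not is_yes(share, "readonly", True):
            findings.append("[print$]: not read only, any connected user may write")
        elif not share.get("writelist"):
            findings.append("[print$]: read only with no write list")
        if is_yes(share, "guestok", False):
            findings.append("[print$]: guest access on, confirm it is intended")

    if is_yes(glob, "domainlogons", False):  # the server acts as a PDC
        if glob.get("security", "user").lower() != "user":
            findings.append("[global]: a PDC requires security = user")
        if not is_yes(glob, "encryptpasswords", False):
            findings.append("[global]: a PDC requires encrypt passwords = yes")
        if not is_yes(glob, "domainmaster", False):
            findings.append("[global]: a PDC requires domain master = yes")
        netlogon = conf.get("netlogon")
        if netlogon is None:
            findings.append("[netlogon]: share missing")
        elif not is_yes(netlogon, "readonly", True):
            findings.append("[netlogon]: logon scripts writable by any user")
        profiles = conf.get("profiles", {})
        for key in ("createmask", "directorymask"):
            mask = profiles.get(key)
            if mask and int(mask, 8) & 0o077:
                findings.append(f"[profiles]: {key} {mask} allows group/other access")
    return findings


# Constructed sample with deliberate mistakes (not a configuration from this page).
SAMPLE = """
[global]
   security = user
   Encrypt Passwords = no
   domain logons = yes
   domain master = yes
   printer driver file = /usr/local/samba/lib/printers.def

[print$]
   guest ok = yes
   writeable = yes

[profiles]
   writeable = yes
   create mask = 0644
   directory mask = 0700
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the sample PDC configuration shown earlier in this section, audit() returns no findings.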

Because Samba 2.2 does not yet implement a true mapping between NT group accounts and UNIX group accounts (for reasons that are hard to explain briefly), you should refer to the domain admin users and domain admin group options in smb.conf to define the domain administrator accounts.

6.3. Establish a machine trust account and add the client to the domain

A machine trust account is a computer account. Its password is a secret shared with the domain controller, which the controller relies on to communicate securely with the machine. Windows 9x can never be a true domain member because it has no machine trust account and so cannot establish this trust with the domain controller.

An NT primary domain controller stores the machine trust account passwords in its registry. A Samba domain controller stores them in the same place as the users' LanMan and NT password hashes (usually the smbpasswd file). Machine trust accounts, however, use only the NT password hash.

There are two ways to create a machine trust account:

Manually, before the client is joined to the domain. In this case the password of the machine trust account is a known value: the machine's NetBIOS name in lowercase.

On the fly, when the client is joined to the domain. In this case the session key of the administrative account used to join the client is used as the key for generating a random password.

To generate a Windows NT SID, Samba needs a UNIX UID, so every machine account must have an entry in both /etc/passwd and smbpasswd. A future version will no longer require the /etc/passwd entry.

In /etc/passwd, the machine account name is the machine name followed by a '$' sign, and the account has no password, no login shell and no home directory. For example, the entry for a computer named 'doppy' would be:

doppy$:x:505:501:NTMachine:/dev/null:/bin/false

To create a machine account manually, first create the entry in /etc/passwd (or the NIS password map), then add the machine account to the smbpasswd file with a command of the following form:

root# smbpasswd -a -m machine_name

Here machine_name is the NetBIOS name of the computer.

Once the account exists, join the computer to the domain immediately: because the account's password is a known value, an intruder can use this open account to access user information in the domain.

To have machine accounts created automatically when a client joins the domain, set the add user script option in smb.conf to an appropriate value. The following example works on a Red Hat 6.2 Linux system:

add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

In Samba 2.2, only the root account can be used to create machine accounts this way, so root must have an entry in the smbpasswd file. For security reasons, give it a password different from the one used for root in /etc/passwd.

6.4. Frequently Asked Questions and Errors

The '$' symbol cannot be added after the machine account.

FreeBSD (and other BSD systems) cannot create a username containing the '$' symbol. The problem occurs only when the account is created; once it exists, the account works properly. So you can create a user account without the '$' symbol, then use vipw to edit the account's username and append the '$'. Alternatively, create the whole account with vipw, but take care to use a unique UID!

System prompts "You have been connected to the domain" when establishing a machine account.

This means that you tried to create the machine account from the client itself using an account that was not valid. Exit, close the initial connection, and try again with another, valid user account.

It also happens if the computer is already a 'member of a workgroup' whose name is the same as the domain you want to join (a bad idea). Change the workgroup name to something else, reboot, and try again.

System prompts "There was an error joining the domain: the credentials supplied conflict with an existing set"

This is the same problem as the "You have been connected to the domain" message above.

"The system does not provide you with login (C000019B)"

I joined the domain successfully, but after replacing the Samba version I get this message when I try to log in: "The system cannot log you on (C000019B), please try again or contact your administrator."

This happens because the domain SID stored in the private/WORKGROUP.SID file has changed. For example, you deleted the file and smbd automatically created a new one, or you switched between the 2.0.7, TNG and HEAD branch code (not recommended). The only way to fix the problem is to restore the original domain SID, or to remove the domain client from the domain and join it again.

"The computer's machine account does not exist or inaccessible"

What is wrong when I get this message while trying to join the client to the domain?

It means that no machine account for the current client exists on the PDC. If you are using the add user script option to create accounts, the script is not working correctly, so make sure the domain admin user setup is working.

If you created the account manually, this message means there is a problem with the account you created. Check that /etc/passwd and the smbpasswd file both contain the machine account, and that the account name is the client's NetBIOS name followed by a '$' (for example, computer_name$). Some people have also reported that this happens when the subnet masks of the Samba server and the NT client do not match, so make sure the two agree.

6.5. System Policy and Profile

Setting up system policies and roaming user profiles in a Samba domain works the same way as in an NT 4 domain. You should read Microsoft's white paper Implementing Profiles and Policies in Windows NT 4.0.

Here is some additional information:

What about the Windows NT policy editor?

To create or edit NTConfig.POL files you must use the NT Server policy editor, poledit.exe, which is included with NT Server. NT Workstation also has a policy editor, but it cannot be used to create domain policies. You can also install the Windows 95 policy editor on an NT workstation or server, but it does not work under NT. However, the files from the NT Server version do run on NT Workstation. The files needed are poledit.exe, common.adm and winnt.adm; put the two *.adm files in the C:\WINNT\INF directory, where the program will find them. Note that the INF directory is 'hidden'.

The NT policy editor is also included in Service Pack 3 (and later) for Windows NT 4.0. Extract the files with servicepackname /x, for example nt4sp6ai.exe /x for Service Pack 6a. The policy editor can also be found in the Office 97 policy template files and in Microsoft's Zero Administration Kit.

Can Win95 do policies?

Yes, as long as the Group Policy handler is installed on the Win9x machine. It is located on the Win98 CD in \tools\reskit\netadmin\poledit; install it using grouppol.inf. Then log off and on again several times to check whether Win98 applies group policies. Unfortunately this has to be done on every Win9x machine, which is tedious.

If group policies are not being applied correctly, try upgrading the Win9x grouppol.dll file. The group list is obtained from /etc/group on the server.

Where are the 'User Manager' and 'Server Manager'?

I did not buy the NT Server CD, so where can I find the 'Domain User Manager' and 'Server Manager'?

Microsoft released a tool set called Nexus for Windows 95 systems, which contains:

Server Manager

Domain User Manager

Event Viewer

It can be downloaded from ftp://ftp.microsoft.com/softlib/mslfiles/nexus.exe.

The Windows NT 4.0 versions of 'Domain User Manager' and 'Server Manager' can be downloaded from Microsoft's FTP site at ftp://ftp.microsoft.com/softlib/mslfiles/srvtools.exe.

6.6. Other available help

Many information can be obtained in mailing lists, RFC, and documentation. The common SMB issues are well described in the documentation provided with the Samba release package, such as browsing problems.

Is there a diagnostic tool for debugging domain login operation?

Samba itself is the best debug diagnostic tool. You can use the -d option for SMBD and NMBD to specify a debug level for them. About this option, you can refer to the man page of these two processes and SMB.conf files. Wherein, the debug level is from 1 (default) to 10 (for debug password).

Another useful method is to compile Samba with GCC -G options. This will contain debugging features in the binary, you can use GDB to connect to the SMBD / NMBD process being running. To connect GDB to a SMBD process that provides services to NT workstations, first establish a connection at one end of the workstation, select Enter to the domain when logging in, which will generate 'LSAenumTrustedDomains'. Then, let the workstation keep this open connection, there will be a corresponding SMBD process in the running state (assuming that there is no time to set it too short), when you enter a password at the workstation, you can use GDB Connect.

Other Samba commands worth studying:

Testparam | more smbclient -l // {NetBIOS name}

At http://www.tcpdup.org/ There is a TCPDUMP SMB dedicated version. In addition, another package sniffer Ethereal for UNIX and WIN32 hosts can be found at http://www.ethereal.com.

To make monitoring on Windows NT, you can use the MSDN CD, NT Server Edition CD, or Network Monitor (NETMON) provided in the SMS CD. The versions provided in SMS can monitor the communication packets between any two computers (to put network interfaces as hybrid modes). The NT server version of the CD can only monitor communication packets that flow to their own and broadcast addresses in the local subnet. Also, pay attention to Ethereal to read and write data files in NETMON format.

How do I install 'Network Monitor' on an NT Workstation or a Win9x machine?

To install NETMON on an NT workstation, follow the steps below. In this example the NETMON version is 4.00.349, which comes from Windows NT Server 4.0 and is installed onto Windows NT Workstation 4.0; you need the installation CDs of both. The installation steps for other versions of NETMON are similar.

First, install 'Network Monitoring Tools and Proxy' on the NT Server:

Click 'Start' - 'Settings' - 'Control Panel' - 'Network' - 'Services' - 'Add'

Select 'Network Monitoring Tools and Proxy' and click 'OK'

Click 'OK' on the Network Control Panel

Insert the Windows NT Server 4.0 installation CD

The NETMON program is now saved in %SYSTEMROOT%\System32\netmon\*.*. There are also two subdirectories, captures\ and parsers\; the latter holds the DLLs needed to parse the captured packets. Then install on the workstation:

Click 'Start' - 'Settings' - 'Control Panel' - 'Network' - 'Services' - 'Add'

Select 'Network Monitoring Tools and Proxy' and click 'OK'

Click 'OK' on the Network Control Panel

Insert the Windows NT Workstation 4.0 installation CD

Now copy %SYSTEMROOT%\System32\netmon\*.* from the NT server to the workstation and set the appropriate permissions. Note that administrator privileges are required to run NETMON on NT.

To install the monitoring tool on Windows 9x, install the Network Monitoring Agent from its CD (\admin\nettools\netmon). That directory also contains a readme file that describes the installation steps.

6.6.1. Links and similar resources

The main Samba site. Choose the mirror site closest to you!

The development documents on the Samba mirror sites may mention your problem. If so, the developers are working on it.

See how Scott Merrill simulates a backup domain controller: http://www.skippy.net/linux/smb-howto.html.

At http://bioserve.latrobe.edu.au/samba, David Bannon maintains an article on setting up 2.0.7 as a PDC.

More information about CIFS is at http://samba.org/cifs/.

Information about NT domains on UNIX is at http://mailhost.cb1.com/~lkcl/ntdom/.

Early SMB specifications: ftp://ftp.microsoft.com/developr/drg/cifs/

6.6.2. Mailing lists

How do I get help from the mailing list?

Samba has many related mailing lists. Please go to http://samba.org to choose the nearest mirror site, then select Samba Related Mailing Lists in the Support column.

For questions about Samba TNG, please go to http://www.samba-tng.org. Please do not send such questions to the main Samba lists.

Follow these rules when using the mailing lists:

Remember that the developers are volunteers: they are not paid, and they do not guarantee that their views are 100% correct; their answers can usually only be regarded as best suggestions.

State the versions of Samba and of the operating system you are using, together with the relevant part of smb.conf, at least the options in the [global] section that affect PDC functionality.

If you obtained the code through CVS, give the date of your last update in addition to the code version.

State the problem as clearly and concisely as possible, and do not send email in HTML format.

Do not discuss off-topic matters.

Do not cross-post; choose the most appropriate list for your question. Many people subscribe to several lists and hate seeing the same topic repeated. If someone sees a question that is better suited to another list, they will forward it for you.

If you want to discuss a debugging problem, do not send the entire log; provide the relevant error messages.

If you have a complete NetMon trace (from the opening of the pipe to the error), send the *.cap file.

Think twice before attaching files to an email; it is best to include only the relevant part. The Samba mailing lists have a large number of subscribers, and not everyone wants to receive a whole smb.conf.

How do I unsubscribe from a mailing list?

To unsubscribe, go to the same place where you subscribed: http://lists.samba.org. Please do not ask how to unsubscribe in an email to the list.

6.7. Domain_Control.txt: Samba & Windows NT Domain Control

The original author of this appendix is John H Terpstra of the Samba Development Team.

Note: "Domain controller" and related terms refer to one particular authentication method, the one on which SMB domains are built. Before Windows NT Server 3.1, vendors each developed their own domain controllers as extensions of the LAN Manager 2.1 protocol. Windows NT uses Microsoft's own way of distributing the user authentication database. The domain.txt file explains how Samba can participate in or establish an SMB domain based on a shared authentication database mechanism other than the SAM of Windows NT.

Windows NT Server can act as a stand-alone file and print server, or as a server that participates in domain control (domain member, primary domain controller, or backup domain controller).

OS/2 Warp Server, Digital Pathworks and other similar products can also participate in domain control together with Windows NT. But only servers that contain Windows NT code can act as the primary domain controller (such as Windows NT Server, Advanced Server for UNIX).

Many people find these terms confusing, so let us explain.

Each Windows NT system (workstation or server) has a registry database. The registry contains all the initialisation information for the services (the equivalent of UNIX daemons) that run in the NT environment. The registry also records the locations of the dynamic libraries that applications need. In fact, it contains all the information the system needs in order to run.

On any Windows NT machine, you can find the registry files by opening a command prompt and entering the following command:

C:\WINNT\> dir %SystemRoot%\System32\config

The value of the environment variable %SystemRoot% can be obtained with the following command:

C:\WINNT\> echo %SystemRoot%

The files you need to know about are: default, system, software, SAM, and security.

In a domain environment, the Windows NT domain controllers replicate the SAM and security files to each other, which keeps the data of all controllers in the domain consistent.

Windows NT is built around a security model. In this model, every application and service must first be checked for the appropriate privileges by the Security Manager before it may run. The NT user database is also kept in the registry; it includes the security identifier, home directory, group memberships, desktop configuration, and more.

Each NT system (workstation and server) has its own registry. NT servers that participate in domain security control share a common database, while workstations and stand-alone servers have completely independent registry databases. This is where the two kinds of system differ.

NT's user database is called the SAM (Security Access Manager). It is used for all user authentication, as well as for authentication cross-checks (for example, ensuring that the service a user requests is permitted by that user's rights).

The Samba Development Team provides a tool that converts NT's SAM into the smbpasswd format. The tool can be found under /pub/samba/pwdump on your nearest Samba mirror site. For details, refer to the Encryption.txt file. Useful as the tool is, using it to copy the SAM to a Samba system is not that easy.

In a security domain controlled by properly configured NT servers, Windows for Workgroups, Windows 95, and Windows NT workstations / servers can work together. Each such domain can have only one primary domain controller (PDC), and each domain can have at least one backup domain controller (BDC). These domain controllers must replicate the SAM database to each other so that they all hold the latest SAM information in their registries.

Chapter 7. Unified logon between Windows NT and UNIX using Winbind

7.1. Summary

Integrating UNIX and Windows NT systems through unified logon has long been a goal. We recommend a Samba component called Winbind to solve the unified logon problem. It uses a UNIX implementation of Microsoft RPC calls, pluggable authentication modules (PAM), and the name service switch (NSS) to allow NT domain users to operate as UNIX users on UNIX hosts. This article describes the Winbind system, explaining its features, its configuration, and how it works internally.

7.2. Introduction

Everyone knows that UNIX and Windows NT systems use different technologies and methods to represent users and group information. This makes it more difficult to integrate both systems.

One common approach today is to create the same user accounts on both systems and use Samba to provide file and print services between the two. This approach is far from perfect, because maintaining accounts on a large number of machines is tedious, and keeping two sets of passwords on two systems both invites synchronisation problems and confuses users.

So we divide the unified logon problem for UNIX hosts into three smaller problems:

Obtaining Windows NT user and group information

Authenticating Windows NT users

Changing the passwords of Windows NT users

Ideally, a solution should solve all of the above problems without duplicating information on the UNIX hosts and without placing an additional burden on the system administrators who maintain the user and group information of both systems. The Winbind system provides a simple and elegant solution to all three problems.

7.3. WINBIND features

Winbind turns a UNIX host into a full domain member, so that the accounts for UNIX and NT can be managed together. The UNIX host can then see NT user and group information as if it were local to UNIX, much as NIS is used in a pure UNIX environment.

The end result is that whenever the UNIX host asks the operating system to look up a user or group name, the query is sent to the NT domain controller of the specified domain. Because Winbind hooks into the operating system at a low level (through the NSS name resolution modules in the C library), this redirection to the NT domain controller is completely transparent.

Users on UNIX hosts can use NT user and group names as if they were "local" accounts: they can change the ownership of files to NT domain users, and even log in to the UNIX host as a domain user and run an X Window session.

The only thing to watch for when using Winbind is that user and group names take the form DOMAIN\user and DOMAIN\group. Winbind needs this form in order to determine which domain controller to send a query to, and to handle trusted domains.

In addition, Winbind uses a pluggable authentication module (PAM) to provide authentication through the NT domain to any application that uses PAM. This solves the problem of password synchronisation between systems, because all passwords are stored in a single location (on the domain controller).

7.3.1. Target uses

Winbind is aimed at organisations that need to add UNIX workstations or servers to an existing NT domain structure. Such organisations can use Winbind to deploy UNIX workstations without maintaining a separate account infrastructure, which reduces the administrative cost of adding UNIX workstations to an NT-based structure. Winbind can also be used to integrate UNIX-based appliances into a domain structure based on Microsoft systems.

7.4. How Winbind works

The Winbind system is designed around a client/server architecture. A long-running winbindd daemon listens on a UNIX socket and waits for requests to arrive. These requests are generated by the NSS and PAM clients, and the server processes them in order.

The technologies used to implement Winbind are described in detail below.

7.4.1. Microsoft Remote Procedure Call

Over the past two years, members of the Samba Development Team have been analysing Microsoft's remote procedure call system (MSRPC). On Windows NT hosts many network-related services use this system, such as remote management, user authentication, and print spooling. Although the analysis was originally intended to help implement primary domain controller functionality in Samba, it has also yielded a large number of other uses.

Winbind uses various MSRPC calls to enumerate domain users and groups and to obtain detailed information about individual users or groups. MSRPC calls are also used to authenticate NT domain users and to change their passwords. Winbind queries the NT primary domain controller for user and group information and maps these NT accounts to UNIX user and group names.

7.4.2. Name Service

The Name Service Switch (NSS) is a feature of many UNIX operating systems. It allows system information such as host names, mail aliases, and user information to be resolved from different sources. For example, a stand-alone UNIX workstation may resolve system information from a series of flat files on the local system, while a networked workstation may first try local files and then consult an NIS database for user information or a DNS server for host information.

When resolving UNIX user and group names, Winbind uses the NSS application programming interface to present itself as a source of system information. It obtains account information from the NT server using MSRPC calls and, through that interface, provides it as a new source of account information. The advantage of using this standard UNIX library interface is that, as soon as Winbind is running on a UNIX host, you can see all the user and group information of the NT domain and its trusted domains.

The main control file for NSS is /etc/nsswitch.conf. When a UNIX application issues a query, the C library looks in this file for the line that matches the requested service type. For example, the "passwd" service type is used when looking up user and group information. The sources listed for a service type are then tried in the order in which they are configured. For example, if the passwd line reads:

passwd: files example

then the standard C library first loads the module /lib/libnss_files.so, followed by /lib/libnss_example.so. Each module is loaded dynamically in turn, and the C library calls the resolver functions in the module to try to resolve the request and returns the result to the application.

Through the NSS interface, Winbind can be hooked into the operating system very easily. All that needs to be done is to put libnss_winbind.so in the /lib/ directory and add "winbind" at the appropriate place in /etc/nsswitch.conf. The C library will then call Winbind to resolve user and group names.

7.4.3. Pluggable Authentication Modules

Pluggable Authentication Modules (PAM) is a system for abstracting authentication and authorisation technologies. With PAM modules, different authentication methods can be specified for different system applications without recompiling those applications. PAM can also be used to implement particular authorisation policies. For example, a system administrator can allow only users from the local password file to log in at the console, while users from the NIS database are allowed to log in over the network. Winbind uses the authentication management and password management PAM interfaces to integrate NT users into UNIX systems. NT users can thus be authenticated against the appropriate primary domain controller, log in to the UNIX host, and then change their passwords, with the change taking effect on the primary domain controller.

PAM is configured through a set of files in /etc/pam.d/, one for each service that requires authentication. When an application makes an authentication request, the PAM code looks up these configuration files to determine which modules to load to perform the authentication check. This interface makes it easy to add a new authentication service for Winbind: just copy the pam_winbind.so module to the /lib/security/ directory and update the PAM configuration files so that the relevant services authenticate via Winbind. See the PAM documentation for details.

7.4.4. Assignment of users and group IDs

When a user or group account is created in Windows NT, the system assigns it a numeric relative identifier (RID), whereas UNIX identifies users and groups by UIDs and GIDs taken from a range of numbers. Winbind's job is to translate between the two kinds of identifier: it is given a range of UIDs and GIDs on the UNIX system in which to store NT user and group accounts. When an NT user is resolved for the first time, it is assigned the next available UID in that range; group accounts are handled in the same way. Over time, Winbind maps all the NT accounts to UNIX accounts. Winbind stores the mapping in a TDB database so that the mapping stays consistent.
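The allocation described above, modelled in Python as an added example (it is not Winbind's code): a JSON string stands in for the TDB file, and the class and function names, the domain name EXAMPLE, the RIDs and the 10000-10999 range are all constructed for illustration. It shows that ids stay stable while the saved mapping survives, and that a map rebuilt from scratch depends on the order in which accounts are resolved.

```python
import json


class RangeExhausted(Exception):
    """No free id is left in the range set aside for NT accounts."""


class IdMap:
    """Hypothetical model of first-come id allocation.

    One instance handles one id space; a real setup needs one for
    UIDs and another for GIDs.
    """

    def __init__(self, low, high, saved=None):
        self.low, self.high = low, high
        # 'saved' is the persisted mapping (stand-in for the TDB database).
        self.table = json.loads(saved) if saved else {}

    def unix_id(self, domain, rid):
        key = f"{domain}/{rid}"
        if key in self.table:
            # Resolved before: the stored answer is returned unchanged.
            return self.table[key]
        # First resolution: hand out the next unused id in the range.
        next_id = max(self.table.values(), default=self.low - 1) + 1
        if next_id > self.high:
            raise RangeExhausted(key)
        self.table[key] = next_id
        return next_id

    def save(self):
        return json.dumps(self.table, sort_keys=True)


def owner_after_rebuild():
    """Return (stable_after_restart, account_owning_file_after_rebuild)."""
    alice, bob = 1104, 1105          # constructed RIDs
    uids = IdMap(10000, 10999)
    alice_uid = uids.unix_id("EXAMPLE", alice)   # first resolved -> 10000
    uids.unix_id("EXAMPLE", bob)                 # second -> 10001
    file_owner_uid = alice_uid                   # a file created by alice

    # Restart with the persisted mapping: alice keeps her UID.
    restored = IdMap(10000, 10999, uids.save())
    stable = restored.unix_id("EXAMPLE", alice) == file_owner_uid

    # Mapping lost and rebuilt from empty; bob happens to be resolved first.
    rebuilt = IdMap(10000, 10999)
    rebuilt.unix_id("EXAMPLE", bob)
    rebuilt.unix_id("EXAMPLE", alice)
    by_uid = {uid: key for key, uid in rebuilt.table.items()}
    return stable, by_uid[file_owner_uid]


if __name__ == "__main__":
    stable, new_owner = owner_after_rebuild()
    print("stable across restart:", stable)
    print("UID 10000 after rebuild belongs to:", new_owner)
```

Files on disk record only the numeric UID, so after the rebuild in this model the file created by the first account is attributed to the second; keeping a backup of the mapping database avoids that.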

7.4.5. Cache results

A system in continuous operation generates a large number of user and group account lookups. To keep these lookups from loading the network, Winbind uses a caching scheme based on the SAM sequence number supplied by the PDC. Winbind caches the user and group account information returned by the PDC together with the sequence number; whenever any user or group account information is modified, NT increments the sequence number. When Winbind finds that a cached entry has expired, it requests the sequence number from the PDC and compares it with that of the cached entry. If they do not match, the cached information is discarded and up-to-date information is requested directly from the PDC.

7.5. Installation and configuration

The easiest way to install Winbind is to use the packages provided on the Samba mirror sites, in the pub/samba/appliance/ directory. These packages provide snapshots of the Samba source code as well as full-featured Winbind binaries. Because Winbind requires a small amount of Samba TNG code, and Samba TNG is still under development, installation is somewhat more complicated than for ordinary Samba releases.

After installation, it is best to read the winbindd(8) man page, which provides complete configuration information and sample configurations.

7.6. Restriction

The current version of Winbind has some limitations, which we hope to overcome in future versions:

Winbind is currently available only for Linux, although it is entirely possible to port it to other operating systems. To do so, the C library of the target operating system must support the Name Service Switch and Pluggable Authentication Modules, both of which are usually available on most UNIX systems.

Winbind does not use a good algorithm when mapping identifiers between the two systems: the mapping depends on the order in which unmapped user and group accounts are resolved. If the file containing the mapping information is corrupted or destroyed, it is difficult to recover.

At present, Winbind's PAM module does not take into account the logon workstation and logon time restrictions set for NT users.

Building Winbind from source takes a long time, because it combines the source code of two Samba branches. The solution under consideration is to make all the necessary functionality available in the main branch.

7.7. Conclusion

By using the Name Service Switch, Pluggable Authentication Modules, and the appropriate MSRPC calls, the Winbind system provides seamless integration of NT domain users on UNIX systems, reducing the administrative burden of running a mixed network.

Chapter 8. UNIX Permission Bits and Windows NT Access Control Lists

8.1. Browse and modify UNIX permissions with the NT security dialogs

Samba version 2.0.4 introduces a new feature that allows NT clients to use the NT security settings dialog box to view and modify UNIX permissions. Note, however, that this does not compromise the security of the UNIX host running the Samba server, which still obeys the file permission rules set by the Samba administrator. In Samba 2.0.4 and above, the default value of the option nt acl support has been changed from false to true, so this feature is enabled by default.

8.2. How to browse file permissions on the Samba shared item

On NT 4.0, right-click any file or directory on a Samba shared drive or UNC path and open the file properties dialog box; with Samba 2.0.4 it contains a new tab: Security. This tab has three buttons: Permissions, Auditing, and Ownership. What the Auditing button does depends on the account you are logged in as. At present the auditing dialog is of no use on a Samba share, because the only useful button in it cannot currently show a list of users.

8.3. Browse the file ownership

Click the "Owner" button to see who owns the selected file. The owner is displayed in the form:

"Server name\username (long name)"

The server name is the NetBIOS name of the Samba server, the username is the UNIX user name of the file's owner, and the (long name) that follows is the user's descriptive information (usually the GECOS field of the password database).

If you set the option nt acl support to false, the file owner is displayed as the NT user "Everyone". You cannot change the file owner here, however, because that is a privileged operation reserved for root.

The Samba Development Team has written an NT security library called Seclib. With it, a user on NT who is connected to a Samba 2.0.1 server with administrator privileges, as root, can change the ownership of files on a local NTFS file system, a remote NTFS file system, or a Samba share. You can find this library on the FTP server of the main Samba site.

8.4. Browse files or directory permissions

Use the Permissions button to view both the permissions and the UNIX owner of the selected file or directory. The owner is displayed in the form:

"Server name\username (long name)"

These terms have the same meaning as described above. If you set the option nt acl support to false, the file owner is displayed as the NT user "Everyone", with the permission "Full Control".

The permissions are displayed differently for files and for directories, as described below.

8.4.1. File permission

Samba maps the standard UNIX user / group / other triple, with its "read", "write", and "execute" permissions, to a three-element NT ACL in which the 'r', 'w', and 'x' bits correspond to the matching NT permissions. The UNIX permissions for others are mapped to an NT global group, and the permissions of the UNIX file owner and group are shown as an NT user and an NT local group. Because many UNIX permission sets do not map onto the common NT names "Read", "Change", or "Full Control", such permissions are usually displayed on NT with the prefix "Special Access".

So what happens when a file grants no permissions at all to one of the UNIX user, group, or other components? So that "no permissions" can be viewed and modified, Samba overloads the NT ACL attribute "Take Ownership" (which has no meaning in UNIX) and reports such a component with a "0" permission bit, indicating that it has no permissions. More details on the reasoning behind this decision are given below.

8.4.2. Directory Permissions

Directories on an NTFS file system have two separate sets of permissions. The first is the ACL set on the directory itself, usually displayed in the form "RW" in the first set of parentheses in the permission list. Samba handles this set exactly as it handles the file permissions described above.

The second set is the "inherited" permissions, which any file created in the directory inherits. UNIX has no such concept. Samba synthesises these inherited permissions for NT by returning, as an NT ACL, the UNIX permissions that a new file created in the Samba share would receive.

8.5. Modify file or directory permissions

To modify the permissions of a file or directory, simply change the permissions shown in the Security dialog box. However, users are still constrained by the standard Samba permission masks, and the mapping of DOS attributes must also be taken into account. And if the option nt acl support is set to false, you cannot set permissions at all; you only get an "Access Denied" message.

First, note the "Add" button: it cannot retrieve a list of users from a Samba 2.0.4 system (you get a "remote procedure call failed" error). This means you can only operate on the permission entries already listed in the dialog. In practice this is enough, because these are the only permissions that exist on the UNIX system. (Translator's note: I found that the newer version 2.2.0 can retrieve the list of users.)

If you remove an entry (user, group or others) in the NT Security dialog, the corresponding permissions are cleared on the UNIX system. When you view the permissions of the file or directory again, you will see the "0" flag mentioned earlier. You can of course restore the original permission settings from there.

Also, UNIX supports only the three NT ACL permission bits "r", "w", and "x", so the Samba server ignores any other NT security attributes.

When you set permissions on a directory, the permissions in the second set of parentheses in the permission list are applied to all files in that directory. If you do not want this, clear the "Replace permissions on existing files" check box.

To clear an entry, either use the "Remove" button, or set it to "Take Ownership", in which case NT displays the entry as "0".

8.6. Use the creation mask option

Samba 2.0.5 provides four new mask options:

security mask

force security mode

directory security mask

force directory security mode

When a user changes the permissions of a remote file from NT, Samba maps them to standard UNIX permissions and compares them with the value of the security mask option. Any changed bit that is not set to 1 in this option is ignored, so the file keeps its existing value for that bit (the option covers the 12 standard UNIX permission bits). In other words, if a bit of this option is 0, the user cannot change the permission corresponding to that bit.

If it is not set explicitly, its value is the same as that of the create mask option. To allow users to modify all permissions of a file (all three permission groups), set it to 0777. Next, Samba compares the changed permissions with the force security mode option: every permission bit that corresponds to a bit set to 1 in this option is forced to 1. In other words, if a bit of this option is 1, the corresponding bit of the permissions the user sets is always 1.

Likewise, the default value of this option is the same as that of the force create mode option. If you do not want to restrict users' modifications of a file (all three permission groups), set it to 000.

Note that the two options are applied in the order given above: security mask first, then force security mode.

For directories, Samba performs the same operations as for files, using the two options directory security mask and force directory security mode. Their default values are the same as those of directory mask and force directory mode.

Samba administrators can use these options to control, for each share, which permission bits users are allowed to modify.

If you want to give users complete control over the permissions of files and directories in a share, with no forced bits, set the following in the smb.conf file:

security mask = 0777

force security mode = 0

directory security mask = 0777

force directory security mode = 0

As mentioned above, in Samba 2.0.4 the following options:

create mask

force create mode

directory mask

force directory mode

were used in place of the four options above.
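The two-step check described in this section (security mask first, then force security mode, with the fall-back to the create mask family) can be followed in this added Python example. It models the behaviour as the text describes it and is not Samba's source code; the share names, option values and function names are constructed, and the built-in values used when nothing is set are an assumption taken from the smb.conf manual page rather than from this document.

```python
import configparser

# (option, option whose value it takes when not set) as described above.
FILE_OPTS = (("security mask", "create mask"),
             ("force security mode", "force create mode"))
DIR_OPTS = (("directory security mask", "directory mask"),
            ("force directory security mode", "force directory mode"))

# Assumption: built-in values from the smb.conf manual page, used only
# when neither option of a pair appears in the share.
BUILTIN = {"create mask": 0o744, "force create mode": 0,
           "directory mask": 0o755, "force directory mode": 0}

PERM_BITS = 0o7777  # the 12 standard UNIX permission bits

# Constructed sample; lines are not indented because configparser treats
# indented lines as continuations.
SAMPLE = """\
[projects]
create mask = 0750
security mask = 0770
force security mode = 0040
directory mask = 0755

[open]
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0

[legacy]
create mask = 0700
force create mode = 0400
"""


def load_shares(text):
    """Parse smb.conf-style text into {share: {option: value string}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def effective(share_opts, option, fallback):
    """Value of an option, falling back as the text describes."""
    for key in (option, fallback):
        if key in share_opts:
            return int(share_opts[key], 8) & PERM_BITS
    return BUILTIN[fallback]


def masks_for(share_opts, is_dir=False):
    mask_pair, force_pair = DIR_OPTS if is_dir else FILE_OPTS
    return effective(share_opts, *mask_pair), effective(share_opts, *force_pair)


def apply_change(share_opts, current, requested, is_dir=False):
    """Mode that results when an NT client asks to change current to requested."""
    mask, force = masks_for(share_opts, is_dir)
    # Step 1: bits that are 0 in the mask keep the file's existing value.
    result = (current & ~mask) | (requested & mask)
    # Step 2: bits that are 1 in the force mode are always switched on.
    return (result | force) & PERM_BITS


def world_write_possible(share_opts, is_dir=False):
    """True if a change request can leave write access on for 'other'."""
    mask, force = masks_for(share_opts, is_dir)
    return bool((mask | force) & 0o002)


if __name__ == "__main__":
    for name, opts in load_shares(SAMPLE).items():
        mode = apply_change(opts, 0o640, 0o606)
        print(f"{name}: 0640 -> request 0606 -> {mode:04o}, "
              f"world-write possible: {world_write_possible(opts)}")
```

In the constructed [projects] share the request to grant read and write to others is ignored and group read is forced back on, so the file stays at 0640; in [open] the same request is applied as sent.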

8.7. Use the file attribute mapping

Samba can map the DOS attributes of a file onto UNIX permissions, but this can conflict with the permission bits set in the Security dialog.

For example, if the owner of a UNIX file has no read permission on it, the file is shown as "Read-only" in the standard properties dialog on NT (Translator's note: does such a pointless situation really occur?). From this properties dialog the user can of course use the "Security" tab mentioned above to change the file so that the owner can read it; but if the user then clicks "OK" in the properties dialog, NT sets the file attribute back to read-only (because "Read-only" is what the properties dialog still shows). So after changing the permissions, leave this dialog with the "Cancel" button for the change to take effect.

Chapter 9. OS/2 Client HOWTO

9.1. Common Questions and Answers

9.1.1 How do I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?

For a complete solution, see: http://carol.wins.uva.nl/~leuw/samba/warp.html.

Basically, three components are required:

File and Print Client ('IBM Peer')

TCP/IP ('Internet Support')

The "NetBIOS over TCP/IP" driver ('TCPBEUI')

Refer to Warp's manual to install the first two components. If the system is already installed and you want to add network support, select Network Installation in the System Settings folder.

However, the manual does not mention how to install the "NetBIOS over TCP/IP" driver. Simply start MPTS.EXE, click "Configure LAPS", click "IBM OS/2 NetBIOS over TCP/IP" under Protocols, click "Change Number" on the "Current Configuration" line, change 0 to 1, and save the configuration. If the Samba server is not on the local subnet, add its IP address and host name to the server name list, or specify a WINS server (which IBM and the RFCs call a 'NetBIOS Name Server'). If you use Warp Connect, you also need to update 'IBM Peer' to the same version as in Warp 4. See the URL above for details.

9.1.2. How can I configure OS/2 Warp 3 (non-Connect version), OS/2 1.2, 1.3 or 2.x as a Samba client?

Microsoft provides a free LAN Manager 2.2c client for OS/2 at ftp://ftp.microsoft.com/bussys/clients/lanman.os2/; see http://carol.wins.uva.nl/~leuw/lanman.html. In brief: before installing this client, make the following edit in the root directory of the OS/2 boot partition, adding these lines:

20 = setup.exe

20 = NetWksta.sys

20 = Netvdd.sys

Also, do not use the NE2000 driver it provides, because it has a lot of bugs. Get one from ftp://ftp.cdrom.com/pub/os2/neetwork/ndis/ instead.

9.1.3. Are there any other issues when OS/2 (any version) is used as a client?

When you use the NET VIEW command or the "File and Print Client Resource Browser", the Samba server does not appear. A fix is available at http://carol.wins.uva.nl/leeuw/samba/fix.html; the issue will also be solved in a later Samba version. The fix also addresses some other problems, such as objects being moved when they are dragged from the workspace to the Samba server.

9.1.4. How do I let OS/2 clients download printer drivers?

First create a share called [PrintDRV]. Copy the OS/2 printer driver files (they must be the original installation files) into that directory.

Then install the printer on the server, and add the option "os2 driver map = filename" to the smb.conf file. In that file, NT driver names are mapped to OS/2 driver names in the following form:

<NT driver name> = <OS/2 driver name>.<device name>

For example: HP LaserJet 5L = laserjet.hp laserjet 5L

You can of course map multiple drivers in this file.

Note that if the device name is not specified in the mapping above, the OS/2 system complains about the driver file on the first download attempt, although a further attempt can succeed. The solution is to add the device name!

Translator's note: Since the translator has never used OS/2, if you have any questions about this chapter, please refer to the original text: Samba-HOWTO-Collection.html

Chapter 9. Chinese translation acknowledgment

During the translation of this article, I received strong support from Layman and Solobaby; I thank them for providing the most correct and most rigorous advice when I had racked my brains! - 5/15/2001
