SAMBA Project Documentation

Edited by

Jelmer R. Vernooij

John H. Terpstra

Gerald (Jerry) Carter

Monday April 21, 2003

Abstract

This book is a collection of HOWTOs added to Samba documentation over the years. Samba is always under development, and so is its documentation. This release of the documentation represents a major revision of layout as well as contents. The most recent version of this document can be found at http://www.samba.org/ on the "Documentation" page. Please send updates to Jelmer Vernooij, John H. Terpstra or Gerald (Jerry) Carter.

The Samba-Team would like to express sincere thanks to the many people who have, with or without their knowledge, contributed to this update. The size and scope of this project would not have been possible without significant community contribution. A not insignificant number of ideas for inclusion (if not content itself) has been obtained from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered. Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and application knowledge that is most to be desired by many Samba users and administrators.


Table of Contents

Legal Notice
Attributions
I. General Installation
1. Introduction to Samba
Background
Terminology
Related Projects
SMB Methodology
Epilogue
Miscellaneous
2. How to Install and Test SAMBA
Obtaining and installing samba
Configuring samba (smb.conf)
Example Configuration
SWAT
Try listing the shares available on your server
Try connecting with the unix client
Try connecting from another SMB client
What If Things Don't Work?
Common Errors
Large number of smbd processes
"open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested"
"The network name cannot be found"
3. Fast Start for the Impatient
Note
II. Server Configuration Basics
4. Server Types and Security Modes
Features and Benefits
Server Types
Samba Security Modes
User Level Security
Share Level Security
Domain Security Mode (User Level Security)
ADS Security Mode (User Level Security)
Server Security (User Level Security)
Password checking
Common Errors
What makes Samba a SERVER?
What makes Samba a Domain Controller?
What makes Samba a Domain Member?
Constantly Losing Connections to Password Server
5. Domain Control
Features and Benefits
Basics of Domain Control
Domain Controller Types
Preparing for Domain Control
Domain Control - Example Configuration
Samba ADS Domain Control
Domain and Network Logon Configuration
Domain Network Logon Service
Security Mode and Master Browsers
Common Errors
'$' cannot be included in machine name
Joining domain fails because of existing machine account
The system can not log you on (C000019B)....
The machine trust account not accessible
Account disabled
Domain Controller Unavailable
Can not log onto domain member workstation after joining domain
6. Backup Domain Control
Features And Benefits
Essential Background Information
MS Windows NT4 Style Domain Control
Active Directory Domain Control
What qualifies a Domain Controller on the network?
How does a Workstation find its domain controller?
Backup Domain Controller Configuration
Example Configuration
Common Errors
Machine Accounts keep expiring, what can I do?
Can Samba be a Backup Domain Controller to an NT4 PDC?
How do I replicate the smbpasswd file?
Can I do this all with LDAP?
7. Domain Membership
Features and Benefits
MS Windows Workstation/Server Machine Trust Accounts
Manual Creation of Machine Trust Accounts
Using NT4 Server Manager to Add Machine Accounts to the Domain
"On-the-Fly" Creation of Machine Trust Accounts
Making an MS Windows Workstation or Server a Domain Member
Domain Member Server
Joining an NT4 type Domain with Samba-3
Why is this better than security = server?
Samba ADS Domain Membership
Setup your smb.conf
Setup your /etc/krb5.conf
Create the computer account
Test your server setup
Testing with smbclient
Notes
Common Errors
Can Not Add Machine Back to Domain
Adding Machine to Domain Fails
I can't join a Windows 2003 PDC
8. Stand-Alone Servers
Features and Benefits
Background
Example Configuration
Reference Documentation Server
Central Print Serving
Common Errors
9. MS Windows Network Configuration Guide
Note
III. Advanced Configuration
10. Samba / MS Windows Network Browsing Guide
Features and Benefits
What is Browsing?
Discussion
NetBIOS over TCP/IP
TCP/IP - without NetBIOS
DNS and Active Directory
How Browsing Functions
Setting up WORKGROUP Browsing
Setting up DOMAIN Browsing
Forcing Samba to be the master
Making Samba the domain master
Note about broadcast addresses
Multiple interfaces
Use of the Remote Announce parameter
Use of the Remote Browse Sync parameter
WINS - The Windows Internetworking Name Server
Setting up a WINS server
WINS Replication
Static WINS Entries
Helpful Hints
Windows Networking Protocols
Name Resolution Order
Technical Overview of browsing
Browsing support in Samba
Problem resolution
Browsing across subnets
Common Errors
How can one flush the Samba NetBIOS name cache without restarting Samba?
My client reports "This server is not configured to list shared resources"
I get an Unable to browse the network error
11. Account Information Databases
Features and Benefits
Backwards Compatibility Backends
New Backends
Technical Information
Important Notes About Security
Mapping User Identifiers between MS Windows and UNIX
Mapping Common UIDs/GIDs on Distributed Machines
Account Management Tools
The smbpasswd Command
The pdbedit Command
Password Backends
Plain Text
smbpasswd - Encrypted Password Database
tdbsam
ldapsam
MySQL
XML
Common Errors
Users can not logon
Users being added to wrong backend database
auth methods does not work
12. Mapping MS Windows and UNIX Groups
Features and Benefits
Discussion
Example Configuration
Configuration Scripts
Sample smb.conf add group script
Script to configure Group Mapping
Common Errors
Adding Groups Fails
Adding MS Windows Groups to MS Windows Groups Fails
Adding Domain Users to the Power Users group
13. File, Directory and Share Access Controls
Features and Benefits
File System Access Controls
MS Windows NTFS Comparison with UNIX File Systems
Managing Directories
File and Directory Access Control
Share Definition Access Controls
User and Group Based Controls
File and Directory Permissions Based Controls
Miscellaneous Controls
Access Controls on Shares
Share Permissions Management
MS Windows Access Control Lists and UNIX Interoperability
Managing UNIX permissions Using NT Security Dialogs
Viewing File Security on a Samba Share
Viewing file ownership
Viewing File or Directory Permissions
Modifying file or directory permissions
Interaction with the standard Samba create mask parameters
Interaction with the standard Samba file attribute mapping
Common Errors
Users can not write to a public share
I have set force user but Samba still makes root the owner of all the files I touch!
MS Word with Samba changes owner of file
14. File and Record Locking
Features and Benefits
Discussion
Opportunistic Locking Overview
Samba Opportunistic Locking Control
Example Configuration
MS Windows Opportunistic Locking and Caching Controls
Workstation Service Entries
Server Service Entries
Persistent Data Corruption
Common Errors
locking.tdb error messages
Problems saving files in MS Office on Windows XP
Long delays deleting files over network with XP SP1
Additional Reading
15. Securing Samba
Introduction
Features and Benefits
Technical Discussion of Protective Measures and Issues
Using host based protection
User based protection
Using interface protection
Using a firewall
Using a IPC$ share deny
NTLMv2 Security
Upgrading Samba
Common Errors
Smbclient works on localhost, but the network is dead
Why can users access home directories of other users?
16. Interdomain Trust Relationships
Features and Benefits
Trust Relationship Background
Native MS Windows NT4 Trusts Configuration
Creating an NT4 Domain Trust
Completing an NT4 Domain Trust
Inter-Domain Trust Facilities
Configuring Samba NT-style Domain Trusts
Samba as the Trusted Domain
Samba as the Trusting Domain
NT4-style Domain Trusts with Windows 2000
Common Errors
17. Hosting a Microsoft Distributed File System tree on Samba
Features and Benefits
Common Errors
18. Classical Printing Support
Features and Benefits
Technical Introduction
What happens if you send a Job from a Client
Printing Related Configuration Parameters
Parameters Recommended for Use
A simple Configuration to Print
Verification of "Settings in Use" with testparm
A little Experiment to warn you
Extended Sample Configuration to Print
Detailed Explanation of the Example's Settings
The [global] Section
The [printers] Section
Any [my_printer_name] Section
Print Commands
Default Print Commands for various UNIX Print Subsystems
Setting up your own Print Commands
Innovations in Samba Printing since 2.2
Client Drivers on Samba Server for Point'n'Print
The [printer$] Section is removed from Samba 3
Creating the [print$] Share
Parameters in the [print$] Section
Subdirectory Structure in [print$]
Installing Drivers into [print$]
Setting Drivers for existing Printers with a Client GUI
Setting Drivers for existing Printers with rpcclient
Client Driver Install Procedure
The first Client Driver Installation
IMPORTANT! Setting Device Modes on new Printers
Further Client Driver Install Procedures
Always make first Client Connection as root or "printer admin"
Other Gotchas
Setting Default Print Options for the Client Drivers
Supporting large Numbers of Printers
Adding new Printers with the Windows NT APW
Weird Error Message Cannot connect under a different Name
Be careful when assembling Driver Files
Samba and Printer Ports
Avoiding the most common Misconfigurations of the Client Driver
The Imprints Toolset
What is Imprints?
Creating Printer Driver Packages
The Imprints Server
The Installation Client
Add Network Printers at Logon without User Interaction
The addprinter command
Migration of "Classical" printing to Samba
Publishing Printer Information in Active Directory or LDAP
Common Errors
I give my root password but I don't get access
My printjobs get spooled into the spooling directory, but then get lost
19. CUPS Printing Support in Samba 3.0
Introduction
Features and Benefits
Overview
Basic Configuration of CUPS support
Linking of smbd with libcups.so
Simple smb.conf Settings for CUPS
More complex smb.conf Settings for CUPS
Advanced Configuration
Central spooling vs. "Peer-to-Peer" printing
CUPS/Samba as a "spooling-only" Print Server; "raw" printing with Vendor Drivers on Windows Clients
Driver Installation Methods on Windows Clients
Explicitly enable "raw" printing for application/octet-stream!
Three familiar Methods for driver upload plus a new one
Using CUPS/Samba in an advanced Way -- intelligent printing with PostScript Driver Download
GDI on Windows -- PostScript on UNIX
Windows Drivers, GDI and EMF
UNIX Printfile Conversion and GUI Basics
PostScript and Ghostscript
Ghostscript -- the Software RIP for non-PostScript Printers
PostScript Printer Description (PPD) Specification
CUPS can use all Windows-formatted Vendor PPDs
CUPS also uses PPDs for non-PostScript Printers
The CUPS Filtering Architecture
MIME types and CUPS Filters
MIME type Conversion Rules
Filter Requirements
Prefilters
pstops
pstoraster
imagetops and imagetoraster
rasterto [printers specific]
CUPS Backends
cupsomatic/Foomatic -- how do they fit into the Picture?
The Complete Picture
mime.convs
"Raw" printing
"application/octet-stream" printing
PostScript Printer Descriptions (PPDs) for non-PS Printers
Difference between cupsomatic/foomatic-rip and native CUPS printing
Examples for filtering Chains
Sources of CUPS drivers / PPDs
Printing with Interface Scripts
Network printing (purely Windows)
From Windows Clients to an NT Print Server
Driver Execution on the Client
Driver Execution on the Server
Network Printing (Windows clients -- UNIX/Samba Print Servers)
From Windows Clients to a CUPS/Samba Print Server
Samba receiving Jobfiles and passing them to CUPS
Network PostScript RIP: CUPS Filters on Server -- clients use PostScript Driver with CUPS-PPDs
PPDs for non-PS Printers on UNIX
PPDs for non-PS Printers on Windows
Windows Terminal Servers (WTS) as CUPS Clients
Printer Drivers running in "Kernel Mode" cause many Problems
Workarounds impose Heavy Limitations
CUPS: a "Magical Stone"?
PostScript Drivers with no major problems -- even in Kernel Mode
Setting up CUPS for driver Download
cupsaddsmb: the unknown Utility
Prepare your smb.conf for cupsaddsmb
CUPS Package of "PostScript Driver for WinNT/2k/XP"
Recognize the different Driver Files
Acquiring the Adobe Driver Files
ESP Print Pro Package of "PostScript Driver for WinNT/2k/XP"
Caveats to be considered
Benefits of using "CUPS PostScript Driver for Windows NT/2k/XP" instead of Adobe Driver
Run "cupsaddsmb" (quiet Mode)
Run "cupsaddsmb" with verbose Output
Understanding cupsaddsmb
How to recognize if cupsaddsmb completed successfully
cupsaddsmb with a Samba PDC
cupsaddsmb Flowchart
Installing the PostScript Driver on a Client
Avoiding critical PostScript Driver Settings on the Client
Installing PostScript Driver Files manually (using rpcclient)
A Check of the rpcclient man Page
Understanding the rpcclient man page
Producing an Example by querying a Windows Box
What is required for adddriver and setdriver to succeed
Manual Driver Installation in 15 Steps
Troubleshooting revisited
The printing *.tdb Files
Trivial DataBase Files
Binary Format
Losing *.tdb Files
Using tdbbackup
CUPS Print Drivers from Linuxprinting.org
foomatic-rip and Foomatic explained
foomatic-rip and Foomatic-PPD Download and Installation
Page Accounting with CUPS
Setting up Quotas
Correct and incorrect Accounting
Adobe and CUPS PostScript Drivers for Windows Clients
The page_log File Syntax
Possible Shortcomings
Future Developments
Other Accounting Tools
Additional Material
Auto-Deletion or Preservation of CUPS Spool Files
CUPS Configuration Settings explained
Pre-conditions
Manual Configuration
In Case of Trouble.....
Printing from CUPS to Windows attached Printers
More CUPS filtering Chains
Common Errors
Win9x client can't install driver
"cupsaddsmb" keeps asking for root password in neverending loop
"cupsaddsmb" gives "No PPD file for printer..." message while PPD file is present
Client can't connect to Samba printer
Can't reconnect to Samba under new account from Win2K/XP
Avoid being connected to the Samba server as the "wrong" user
Upgrading to CUPS drivers from Adobe drivers on NT/2K/XP clients gives problems
Can't use "cupsaddsmb" on Samba server which is a PDC
Deleted Win2K printer driver is still shown
Win2K/XP "Local Security Policies"
WinXP clients: "Administrator can not install printers for all local users"
"Print Change Notify" functions on NT-clients
WinXP-SP1
Print options for all users can't be set on Win2K/XP
Most common blunders in driver settings on Windows clients
cupsaddsmb does not work with newly installed printer
Permissions on /var/spool/samba/ get reset after each reboot
Printer named "lp" intermittently swallows jobs and spits out completely different ones
Location of Adobe PostScript driver files necessary for "cupsaddsmb"
An Overview of the CUPS Printing Processes
20. Stackable VFS modules
Features and Benefits
Discussion
Included modules
audit
extd_audit
fake_perms
recycle
netatalk
VFS modules available elsewhere
DatabaseFS
vscan
21. Winbind: Use of Domain Accounts
Features and Benefits
Introduction
What Winbind Provides
Target Uses
How Winbind Works
Microsoft Remote Procedure Calls
Microsoft Active Directory Services
Name Service Switch
Pluggable Authentication Modules
User and Group ID Allocation
Result Caching
Installation and Configuration
Introduction
Requirements
Testing Things Out
Conclusion
Common Errors
NSCD Problem Warning
22. Advanced Network Management
Features and Benefits
Remote Server Administration
Remote Desktop Management
Remote Management from NoMachines.Com
Network Logon Script Magic
Adding printers without user intervention
Common Errors
23. System and Account Policies
Features and Benefits
Creating and Managing System Policies
Windows 9x/Me Policies
Windows NT4 Style Policy Files
MS Windows 200x / XP Professional Policies
Managing Account/User Policies
Samba Editreg Toolset
Windows NT4/200x
Samba PDC
System Startup and Logon Processing Overview
Common Errors
Policy Does Not Work
24. Desktop Profile Management
Features and Benefits
Roaming Profiles
Samba Configuration for Profile Handling
Windows Client Profile Configuration Information
Sharing Profiles between W9x/Me and NT4/200x/XP workstations
Profile Migration from Windows NT4/200x Server to Samba
Mandatory profiles
Creating/Managing Group Profiles
Default Profile for Windows Users
MS Windows 9x/Me
MS Windows NT4 Workstation
MS Windows 200x/XP
Common Errors
Setting up roaming profiles for just a few user's or group's?
Can NOT use Roaming Profiles
Changing the default profile
25. PAM based Distributed Authentication
Features and Benefits
Technical Discussion
PAM Configuration Syntax
Example System Configurations
smb.conf PAM Configuration
Remote CIFS Authentication using winbindd.so
Password Synchronization using pam_smbpass.so
Common Errors
pam_winbind problem
Winbind is not resolving users and groups
26. Integrating MS Windows networks with Samba
Features and Benefits
Background Information
Name Resolution in a pure UNIX/Linux world
/etc/hosts
/etc/resolv.conf
/etc/host.conf
/etc/nsswitch.conf
Name resolution as used within MS Windows networking
The NetBIOS Name Cache
The LMHOSTS file
HOSTS file
DNS Lookup
WINS Lookup
Common Errors
Pinging works only in one way
Very Slow Network Connections
Samba server name change problem
27. Unicode/Charsets
Features and Benefits
What are charsets and unicode?
Samba and charsets
Conversion from old names
Japanese charsets
Common errors
CP850.so can't be found
28. Samba Backup Techniques
Note
Features and Benefits
29. High Availability Options
Note
IV. Migration and Updating
30. Upgrading from Samba-2.x to Samba-3.0.0
New Features in Samba-3
Configuration Parameter Changes
Removed Parameters
New Parameters
Modified Parameters (changes in behavior):
New Functionality
Databases
Changes in Behavior
Charsets
Passdb Backends and Authentication
Charsets
LDAP
31. Migration from NT4 PDC to Samba-3 PDC
Planning and Getting Started
Objectives
Steps In Migration Process
Migration Options
Planning for Success
Samba-3 Implementation Choices
32. SWAT - The Samba Web Administration Tool
Features and Benefits
Enabling SWAT for use
Securing SWAT through SSL
The SWAT Home Page
Global Settings
Share Settings
Printers Settings
The SWAT Wizard
The Status Page
The View Page
The Password Change Page
V. Troubleshooting
33. The Samba checklist
Introduction
Assumptions
The tests
34. Analysing and solving samba problems
Diagnostics tools
Debugging with Samba itself
Tcpdump
Ethereal
The Windows Network Monitor
Useful URLs
Getting help from the mailing lists
How to get off the mailing lists
35. Reporting Bugs
Introduction
General info
Debug levels
Internal errors
Attaching to a running process
Patches
VI. Appendixes
36. How to compile Samba
Access Samba source code via CVS
Introduction
CVS Access to samba.org
Accessing the samba sources via rsync and ftp
Verifying Samba's PGP signature
Building the Binaries
Compiling samba with Active Directory support
Starting the smbd and nmbd
Starting from inetd.conf
Alternative: starting it as a daemon
37. Portability
HPUX
SCO UNIX
DNIX
RedHat Linux Rembrandt-II
AIX
Sequential Read Ahead
Solaris
Locking improvements
Winbind on Solaris 9
38. Samba and other CIFS clients
Macintosh clients?
OS2 Client
Configuring OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba
Configuring OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba
Printer driver download for OS/2 clients?
Windows for Workgroups
Latest TCP/IP stack from Microsoft
Delete .pwl files after password change
Configuring WfW password handling
Case handling of passwords
Use TCP/IP as default protocol
Speed improvement
Windows '95/'98
Speed improvement
Windows 2000 Service Pack 2
Windows NT 3.1
39. Samba Performance Tuning
Comparisons
Socket options
Read size
Max xmit
Log level
Read raw
Write raw
Slow Logins
Client tuning
Samba performance problem due to changing kernel
Corrupt tdb Files
40. DNS and DHCP Configuration Guide
Note
41. Further Resources
Websites
Related updates from Microsoft
Index

List of Figures

5.1. An Example Domain
10.1. Cross subnet browsing example
11.1. IDMAP
12.1. IDMAP groups
13.1. Overview of unix permissions field
16.1. Trusts overview
19.1. Windows Printing to a local Printer
19.2. Printing to a Postscript Printer
19.3. Ghostscript as a RIP for non-postscript printers
19.4. Prefiltering in CUPS to form Postscript
19.5. Adding Device-specific Print Options
19.6. Postscript to intermediate Raster format
19.7. CUPS-raster production using Ghostscript
19.8. Image format to CUPS-raster format conversion
19.9. Raster to Printer Specific formats
19.10. cupsomatic/foomatic processing versus Native CUPS
19.11. PDF to socket chain
19.12. PDF to USB chain
19.13. Print Driver execution on the Client
19.14. Print Driver execution on the Server
19.15. Printing via CUPS/samba server
19.16. cupsaddsmb flowchart
19.17. Filtering chain 1
19.18. Filtering chain with cupsomatic
19.19. CUPS Printing Overview

List of Tables

7.1. Assumptions
10.1. Browse subnet example 1
10.2. Browse subnet example 2
10.3. Browse subnet example 3
10.4. Browse subnet example 4
11.1. Attributes in the sambaSamAccount objectclass (LDAP)
11.2. Basic smb.conf options for MySQL passdb backend
11.3. MySQL field names for MySQL passdb backend
13.1. Managing directories with unix and windows
13.2. User and Group Based Controls
13.3. File and Directory Permission Based Controls
13.4. Other Controls
19.1. PPD's shipped with CUPS
20.1. Extended Auditing Log Information
24.1. User Shell Folder registry keys default values
24.2. Defaults of profile settings registry keys
24.3. Defaults of default user profile paths registry keys
25.1. Options recognized by pam_smbpass
26.1. Unique NetBIOS names
26.2. Group Names
30.1. TDB File Descriptions
31.1. The 3 Major Site Types
31.2. Nature of the Conversion Choices

List of Examples

2.1. Simplest possible smb.conf file
5.1. smb.conf for being a PDC
5.2. smb.conf for being a PDC
6.1. Minimal smb.conf for being a PDC
6.2. Minimal setup for being a BDC
8.1. smb.conf for Reference Documentation Server
8.2. smb.conf for anonymous printing
10.1. Domain master browser smb.conf
10.2. Local master browser smb.conf
10.3. smb.conf for not being a master browser
10.4. Local master browser smb.conf
10.5. smb.conf for not being a master browser
11.1.
11.2. Configuration with LDAP
12.1. smbgrpadd.sh
13.1. Example File
14.1. Share with some files oplocked
14.2.
17.1. smb.conf with DFS configured
18.1. Simple configuration with BSD printing
18.2. Extended configuration with BSD printing
18.3. [print$] example
19.1. Simplest printing-related smb.conf
19.2. Overriding global CUPS settings for one printer
19.3. smb.conf for cupsaddsmb usage
20.1. smb.conf with VFS modules
20.2. smb.conf with multiple VFS modules
21.1. smb.conf for winbind set-up
33.1. smb.conf with [tmp] share
38.1. Minimal profile share