~ubuntu-branches/ubuntu/maverick/samba/maverick-security

Viewing changes to docs/htmldocs/Samba3-HOWTO/NetCommand.html

Committer: Bazaar Package Importer
Author(s): Chuck Short
Date: 2010-01-29 06:16:15 UTC
mfrom: (0.27.9 upstream) (0.34.4 squeeze)
Revision ID: james.westby@ubuntu.com-20100129061615-37hs6xqpsdhjq3ld

Tags: 2:3.4.5~dfsg-1ubuntu1

* Merge from debian testing.  Remaining changes:
  + debian/patches/VERSION.patch:
    - set SAMBA_VERSION_SUFFIX to Ubuntu.
  + debian/smb.conf:
    - Add "(Samba, Ubuntu)" to server string.
    - Comment out the default [homes] share, and add a comment about "valid users = %s"
      to show users how to restrict access to \\server\username to only username.
    - Set 'usershare allow guests', so that usershare admins are allowed to create
      public shares in additon to authenticated ones.
    - add map to guest = Bad user, maps bad username to gues access.
  + debian/samba-common.conf:
    - Do not change priority to high if dhclient3 is installed.
    - Use priority medium instead of high for the workgroup question.
  + debian/mksambapasswd.awk:
    - Do not add user with UID less than 1000 to smbpasswd.
  + debian/control:
    - Make libswbclient0 replace/conflict with hardy's likewise-open.
    - Don't build against ctdb, since its not in main yet.
  + debian/rules:
    - Enable "native" PIE hardening.
    - Add BIND_NOW to maximize benefit of RELRO hardening.
  + Add ufw integration:
    - Created debian/samba.ufw.profile.
    - debian/rules, debian/samba.dirs, debian/samba.files: install
  + Add apoort hook:
    - Created debian/source_samba.py.
    - debian/rules, debian/samba.dirs, debian/samba-common-bin.files: install
  + debian/rules, debian/samba.if-up: allow "NetworkManager" as a recognized address
    family... it's obviously /not/ an address family, but it's what gets
    sent when using NM, so we'll cope for now.  (LP: #462169). Taken from karmic-proposed.
  + debian/control: Recommend keyutils for smbfs (LP: #493565)
  + Dropped patches:
    - debian/patches/security-CVE-2009-3297.patch: No longer needed
    - debian/patches/fix-too-many-open-files.patch: No longer needed

files added:
.pc/debian-changes-2:3.4.5~dfsg-1ubuntu1

.pc/debian-changes-2:3.4.5~dfsg-1ubuntu1/source3

.pc/debian-changes-2:3.4.5~dfsg-1ubuntu1/source3/client

.pc/debian-changes-2:3.4.5~dfsg-1ubuntu1/source3/client/mount.cifs.c

debian/patches/debian-changes-2:3.4.5~dfsg-1ubuntu1

docs-xml/registry/Win7_Samba3DomainMember.reg

docs-xml/smbdotconf/base/enablecorefiles.xml

docs-xml/smbdotconf/ldap/ldappagesize.xml

docs-xml/smbdotconf/misc/cachedirectory.xml

docs-xml/smbdotconf/misc/directorynamecachesize.xml

docs-xml/smbdotconf/misc/statedirectory.xml

docs-xml/smbdotconf/printing/enablespoolss.xml

docs-xml/smbdotconf/tuning/aiowritebehind.xml

docs/registry/Win7_Samba3DomainMember.reg

source3/include/krb5_protos.h

source3/include/smb_krb5.h

files removed:
.pc/fix-manpages-warnings.patch

.pc/fix-manpages-warnings.patch/docs

.pc/fix-manpages-warnings.patch/docs/manpages

.pc/fix-manpages-warnings.patch/docs/manpages/cifs.upcall.8

.pc/fix-manpages-warnings.patch/docs/manpages/eventlogadm.8

.pc/fix-manpages-warnings.patch/docs/manpages/findsmb.1

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_ad.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_adex.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_hash.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_ldap.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_nss.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_rid.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_tdb.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_tdb2.8

.pc/fix-manpages-warnings.patch/docs/manpages/ldb.3

.pc/fix-manpages-warnings.patch/docs/manpages/ldbadd.1

.pc/fix-manpages-warnings.patch/docs/manpages/ldbdel.1

.pc/fix-manpages-warnings.patch/docs/manpages/ldbedit.1

.pc/fix-manpages-warnings.patch/docs/manpages/ldbmodify.1

.pc/fix-manpages-warnings.patch/docs/manpages/ldbsearch.1

.pc/fix-manpages-warnings.patch/docs/manpages/libsmbclient.7

.pc/fix-manpages-warnings.patch/docs/manpages/lmhosts.5

.pc/fix-manpages-warnings.patch/docs/manpages/log2pcap.1

.pc/fix-manpages-warnings.patch/docs/manpages/mount.cifs.8

.pc/fix-manpages-warnings.patch/docs/manpages/net.8

.pc/fix-manpages-warnings.patch/docs/manpages/nmbd.8

.pc/fix-manpages-warnings.patch/docs/manpages/nmblookup.1

.pc/fix-manpages-warnings.patch/docs/manpages/ntlm_auth.1

.pc/fix-manpages-warnings.patch/docs/manpages/pam_winbind.8

.pc/fix-manpages-warnings.patch/docs/manpages/pdbedit.8

.pc/fix-manpages-warnings.patch/docs/manpages/profiles.1

.pc/fix-manpages-warnings.patch/docs/manpages/rpcclient.1

.pc/fix-manpages-warnings.patch/docs/manpages/samba.7

.pc/fix-manpages-warnings.patch/docs/manpages/smb.conf.5

.pc/fix-manpages-warnings.patch/docs/manpages/smbcacls.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbclient.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbcontrol.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbcquotas.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbd.8

.pc/fix-manpages-warnings.patch/docs/manpages/smbget.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbgetrc.5

.pc/fix-manpages-warnings.patch/docs/manpages/smbpasswd.5

.pc/fix-manpages-warnings.patch/docs/manpages/smbpasswd.8

.pc/fix-manpages-warnings.patch/docs/manpages/smbspool.8

.pc/fix-manpages-warnings.patch/docs/manpages/smbstatus.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbtar.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbtree.1

.pc/fix-manpages-warnings.patch/docs/manpages/swat.8

.pc/fix-manpages-warnings.patch/docs/manpages/tdbbackup.8

.pc/fix-manpages-warnings.patch/docs/manpages/tdbdump.8

.pc/fix-manpages-warnings.patch/docs/manpages/tdbtool.8

.pc/fix-manpages-warnings.patch/docs/manpages/testparm.1

.pc/fix-manpages-warnings.patch/docs/manpages/umount.cifs.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_audit.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_cacheprime.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_cap.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_catia.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_commit.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_default_quota.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_extd_audit.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_fake_perms.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_fileid.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_full_audit.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_gpfs.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_netatalk.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_notify_fam.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_prealloc.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_readahead.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_readonly.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_recycle.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_shadow_copy.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_shadow_copy2.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_smb_traffic_analyzer.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_streams_depot.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_streams_xattr.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_xattr_tdb.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfstest.1

.pc/fix-manpages-warnings.patch/docs/manpages/wbinfo.1

.pc/fix-manpages-warnings.patch/docs/manpages/winbind_krb5_locator.7

.pc/fix-manpages-warnings.patch/docs/manpages/winbindd.8

.pc/fix-too-many-open-files.patch

.pc/fix-too-many-open-files.patch/source3

.pc/fix-too-many-open-files.patch/source3/include

.pc/fix-too-many-open-files.patch/source3/include/local.h

.pc/fix-too-many-open-files.patch/source3/param

.pc/fix-too-many-open-files.patch/source3/param/loadparm.c

.pc/fix-too-many-open-files.patch/source3/smbd

.pc/fix-too-many-open-files.patch/source3/smbd/files.c

.pc/security-CVE-2009-3297.patch

.pc/security-CVE-2009-3297.patch/source3

.pc/security-CVE-2009-3297.patch/source3/client

.pc/security-CVE-2009-3297.patch/source3/client/mount.cifs.c

debian/patches/fix-too-many-open-files.patch

debian/patches/security-CVE-2009-2813.patch

debian/patches/security-CVE-2009-2906.patch

debian/patches/security-CVE-2009-2948.patch

debian/patches/security-CVE-2009-3297.patch

source4/ldap_server/devdocs/draft-armijo-ldap-syntax-00.txt

source4/ldap_server/devdocs/ldapext-ldapv3-vlv-04.txt

files modified:
.pc/VERSION.patch/source3/VERSION

.pc/adapt_machine_creation_script.patch/docs/manpages/smb.conf.5

.pc/applied-patches

.pc/autoconf.patch/source3/configure

.pc/codepages-location.patch/source3/Makefile.in

.pc/debian-changes-2:3.4.3-2ubuntu1/source3/VERSION

.pc/documentation.patch/docs/manpages/lmhosts.5

.pc/documentation.patch/docs/manpages/nmbd.8

.pc/documentation.patch/docs/manpages/ntlm_auth.1

.pc/documentation.patch/docs/manpages/smbd.8

.pc/documentation.patch/docs/manpages/swat.8

.pc/documentation.patch/docs/manpages/tdbbackup.8

.pc/documentation.patch/docs/manpages/winbindd.8

.pc/external-talloc-support.patch/source3/configure.in

.pc/smbclient-pager.patch/source3/include/local.h

.pc/undefined-symbols.patch/source3/Makefile.in

.pc/usershare.patch/docs/manpages/net.8

.pc/usershare.patch/source3/param/loadparm.c

WHATSNEW.txt

debian/changelog

debian/control

debian/patches/adapt_machine_creation_script.patch

debian/patches/autoconf.patch

debian/patches/documentation.patch

debian/patches/series

debian/samba-common.dirs

debian/samba.postinst

debian/watch

docs-xml/manpages-3/mount.cifs.8.xml

docs-xml/manpages-3/pdbedit.8.xml

docs-xml/smbdotconf/filename/manglednames.xml

docs-xml/smbdotconf/locking/oplocks.xml

docs/Samba3-ByExample.pdf

docs/Samba3-Developers-Guide.pdf

docs/Samba3-HOWTO.pdf

docs/htmldocs/Samba3-ByExample/2000users.html

docs/htmldocs/Samba3-ByExample/Big500users.html

docs/htmldocs/Samba3-ByExample/DMSMig.html

docs/htmldocs/Samba3-ByExample/DomApps.html

docs/htmldocs/Samba3-ByExample/ExNetworks.html

docs/htmldocs/Samba3-ByExample/HA.html

docs/htmldocs/Samba3-ByExample/RefSection.html

docs/htmldocs/Samba3-ByExample/apa.html

docs/htmldocs/Samba3-ByExample/appendix.html

docs/htmldocs/Samba3-ByExample/ch14.html

docs/htmldocs/Samba3-ByExample/go01.html

docs/htmldocs/Samba3-ByExample/happy.html

docs/htmldocs/Samba3-ByExample/index.html

docs/htmldocs/Samba3-ByExample/ix01.html

docs/htmldocs/Samba3-ByExample/kerberos.html

docs/htmldocs/Samba3-ByExample/ntmigration.html

docs/htmldocs/Samba3-ByExample/nw4migration.html

docs/htmldocs/Samba3-ByExample/pr01.html

docs/htmldocs/Samba3-ByExample/pr02.html

docs/htmldocs/Samba3-ByExample/pr03.html

docs/htmldocs/Samba3-ByExample/preface.html

docs/htmldocs/Samba3-ByExample/primer.html

docs/htmldocs/Samba3-ByExample/secure.html

docs/htmldocs/Samba3-ByExample/simple.html

docs/htmldocs/Samba3-ByExample/small.html

docs/htmldocs/Samba3-ByExample/unixclients.html

docs/htmldocs/Samba3-ByExample/upgrades.html

docs/htmldocs/Samba3-Developers-Guide/CodingSuggestions.html

docs/htmldocs/Samba3-Developers-Guide/Packaging.html

docs/htmldocs/Samba3-Developers-Guide/architecture.html

docs/htmldocs/Samba3-Developers-Guide/contributing.html

docs/htmldocs/Samba3-Developers-Guide/debug.html

docs/htmldocs/Samba3-Developers-Guide/devprinting.html

docs/htmldocs/Samba3-Developers-Guide/index.html

docs/htmldocs/Samba3-Developers-Guide/internals.html

docs/htmldocs/Samba3-Developers-Guide/modules.html

docs/htmldocs/Samba3-Developers-Guide/ntdomain.html

docs/htmldocs/Samba3-Developers-Guide/parsing.html

docs/htmldocs/Samba3-Developers-Guide/pr01.html

docs/htmldocs/Samba3-Developers-Guide/pt01.html

docs/htmldocs/Samba3-Developers-Guide/pt02.html

docs/htmldocs/Samba3-Developers-Guide/pt03.html

docs/htmldocs/Samba3-Developers-Guide/pt04.html

docs/htmldocs/Samba3-Developers-Guide/pt05.html

docs/htmldocs/Samba3-Developers-Guide/pwencrypt.html

docs/htmldocs/Samba3-Developers-Guide/rpc-plugin.html

docs/htmldocs/Samba3-Developers-Guide/tracing.html

docs/htmldocs/Samba3-Developers-Guide/unix-smb.html

docs/htmldocs/Samba3-Developers-Guide/vfs.html

docs/htmldocs/Samba3-Developers-Guide/wins.html

docs/htmldocs/Samba3-HOWTO/AccessControls.html

docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html

docs/htmldocs/Samba3-HOWTO/Appendix.html

docs/htmldocs/Samba3-HOWTO/Backup.html

docs/htmldocs/Samba3-HOWTO/CUPS-printing.html

docs/htmldocs/Samba3-HOWTO/ChangeNotes.html

docs/htmldocs/Samba3-HOWTO/ClientConfig.html

docs/htmldocs/Samba3-HOWTO/DNSDHCP.html

docs/htmldocs/Samba3-HOWTO/FastStart.html

docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html

docs/htmldocs/Samba3-HOWTO/IntroSMB.html

docs/htmldocs/Samba3-HOWTO/NT4Migration.html

docs/htmldocs/Samba3-HOWTO/NetCommand.html

docs/htmldocs/Samba3-HOWTO/NetworkBrowsing.html

docs/htmldocs/Samba3-HOWTO/Other-Clients.html

docs/htmldocs/Samba3-HOWTO/PolicyMgmt.html

docs/htmldocs/Samba3-HOWTO/Portability.html

docs/htmldocs/Samba3-HOWTO/ProfileMgmt.html

docs/htmldocs/Samba3-HOWTO/SWAT.html

docs/htmldocs/Samba3-HOWTO/SambaHA.html

docs/htmldocs/Samba3-HOWTO/ServerType.html

docs/htmldocs/Samba3-HOWTO/StandAloneServer.html

docs/htmldocs/Samba3-HOWTO/TOSHpreface.html

docs/htmldocs/Samba3-HOWTO/VFS.html

docs/htmldocs/Samba3-HOWTO/apa.html

docs/htmldocs/Samba3-HOWTO/bugreport.html

docs/htmldocs/Samba3-HOWTO/cfgsmarts.html

docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html

docs/htmldocs/Samba3-HOWTO/ch47.html

docs/htmldocs/Samba3-HOWTO/classicalprinting.html

docs/htmldocs/Samba3-HOWTO/compiling.html

docs/htmldocs/Samba3-HOWTO/diagnosis.html

docs/htmldocs/Samba3-HOWTO/domain-member.html

docs/htmldocs/Samba3-HOWTO/go01.html

docs/htmldocs/Samba3-HOWTO/groupmapping.html

docs/htmldocs/Samba3-HOWTO/idmapper.html

docs/htmldocs/Samba3-HOWTO/index.html

docs/htmldocs/Samba3-HOWTO/install.html

docs/htmldocs/Samba3-HOWTO/integrate-ms-networks.html

docs/htmldocs/Samba3-HOWTO/introduction.html

docs/htmldocs/Samba3-HOWTO/ix01.html

docs/htmldocs/Samba3-HOWTO/largefile.html

docs/htmldocs/Samba3-HOWTO/locking.html

docs/htmldocs/Samba3-HOWTO/migration.html

docs/htmldocs/Samba3-HOWTO/msdfs.html

docs/htmldocs/Samba3-HOWTO/optional.html

docs/htmldocs/Samba3-HOWTO/pam.html

docs/htmldocs/Samba3-HOWTO/passdb.html

docs/htmldocs/Samba3-HOWTO/pr01.html

docs/htmldocs/Samba3-HOWTO/pr02.html

docs/htmldocs/Samba3-HOWTO/pr03.html

docs/htmldocs/Samba3-HOWTO/problems.html

docs/htmldocs/Samba3-HOWTO/rights.html

docs/htmldocs/Samba3-HOWTO/samba-bdc.html

docs/htmldocs/Samba3-HOWTO/samba-pdc.html

docs/htmldocs/Samba3-HOWTO/securing-samba.html

docs/htmldocs/Samba3-HOWTO/speed.html

docs/htmldocs/Samba3-HOWTO/tdb.html

docs/htmldocs/Samba3-HOWTO/troubleshooting.html

docs/htmldocs/Samba3-HOWTO/type.html

docs/htmldocs/Samba3-HOWTO/unicode.html

docs/htmldocs/Samba3-HOWTO/upgrading-to-3.0.html

docs/htmldocs/Samba3-HOWTO/winbind.html

docs/htmldocs/manpages/cifs.upcall.8.html

docs/htmldocs/manpages/eventlogadm.8.html

docs/htmldocs/manpages/findsmb.1.html

docs/htmldocs/manpages/idmap_ad.8.html

docs/htmldocs/manpages/idmap_adex.8.html

docs/htmldocs/manpages/idmap_hash.8.html

docs/htmldocs/manpages/idmap_ldap.8.html

docs/htmldocs/manpages/idmap_nss.8.html

docs/htmldocs/manpages/idmap_rid.8.html

docs/htmldocs/manpages/idmap_tdb.8.html

docs/htmldocs/manpages/idmap_tdb2.8.html

docs/htmldocs/manpages/index.html

docs/htmldocs/manpages/ldb.3.html

docs/htmldocs/manpages/ldbadd.1.html

docs/htmldocs/manpages/ldbdel.1.html

docs/htmldocs/manpages/ldbedit.1.html

docs/htmldocs/manpages/ldbmodify.1.html

docs/htmldocs/manpages/ldbrename.1.html

docs/htmldocs/manpages/ldbsearch.1.html

docs/htmldocs/manpages/libsmbclient.7.html

docs/htmldocs/manpages/lmhosts.5.html

docs/htmldocs/manpages/log2pcap.1.html

docs/htmldocs/manpages/mount.cifs.8.html

docs/htmldocs/manpages/net.8.html

docs/htmldocs/manpages/nmbd.8.html

docs/htmldocs/manpages/nmblookup.1.html

docs/htmldocs/manpages/ntlm_auth.1.html

docs/htmldocs/manpages/pam_winbind.8.html

docs/htmldocs/manpages/pdbedit.8.html

docs/htmldocs/manpages/profiles.1.html

docs/htmldocs/manpages/rpcclient.1.html

docs/htmldocs/manpages/samba.7.html

docs/htmldocs/manpages/sharesec.1.html

docs/htmldocs/manpages/smb.conf.5.html

docs/htmldocs/manpages/smbcacls.1.html

docs/htmldocs/manpages/smbclient.1.html

docs/htmldocs/manpages/smbcontrol.1.html

docs/htmldocs/manpages/smbcquotas.1.html

docs/htmldocs/manpages/smbd.8.html

docs/htmldocs/manpages/smbget.1.html

docs/htmldocs/manpages/smbgetrc.5.html

docs/htmldocs/manpages/smbpasswd.5.html

docs/htmldocs/manpages/smbpasswd.8.html

docs/htmldocs/manpages/smbspool.8.html

docs/htmldocs/manpages/smbstatus.1.html

docs/htmldocs/manpages/smbtar.1.html

docs/htmldocs/manpages/smbtree.1.html

docs/htmldocs/manpages/swat.8.html

docs/htmldocs/manpages/tdbbackup.8.html

docs/htmldocs/manpages/tdbdump.8.html

docs/htmldocs/manpages/tdbtool.8.html

docs/htmldocs/manpages/testparm.1.html

docs/htmldocs/manpages/umount.cifs.8.html

docs/htmldocs/manpages/vfs_acl_tdb.8.html

docs/htmldocs/manpages/vfs_acl_xattr.8.html

docs/htmldocs/manpages/vfs_audit.8.html

docs/htmldocs/manpages/vfs_cacheprime.8.html

docs/htmldocs/manpages/vfs_cap.8.html

docs/htmldocs/manpages/vfs_catia.8.html

docs/htmldocs/manpages/vfs_commit.8.html

docs/htmldocs/manpages/vfs_default_quota.8.html

docs/htmldocs/manpages/vfs_dirsort.8.html

docs/htmldocs/manpages/vfs_extd_audit.8.html

docs/htmldocs/manpages/vfs_fake_perms.8.html

docs/htmldocs/manpages/vfs_fileid.8.html

docs/htmldocs/manpages/vfs_full_audit.8.html

docs/htmldocs/manpages/vfs_gpfs.8.html

docs/htmldocs/manpages/vfs_netatalk.8.html

docs/htmldocs/manpages/vfs_notify_fam.8.html

docs/htmldocs/manpages/vfs_prealloc.8.html

docs/htmldocs/manpages/vfs_preopen.8.html

docs/htmldocs/manpages/vfs_readahead.8.html

docs/htmldocs/manpages/vfs_readonly.8.html

docs/htmldocs/manpages/vfs_recycle.8.html

docs/htmldocs/manpages/vfs_shadow_copy.8.html

docs/htmldocs/manpages/vfs_shadow_copy2.8.html

docs/htmldocs/manpages/vfs_smb_traffic_analyzer.8.html

docs/htmldocs/manpages/vfs_streams_depot.8.html

docs/htmldocs/manpages/vfs_streams_xattr.8.html

docs/htmldocs/manpages/vfs_xattr_tdb.8.html

docs/htmldocs/manpages/vfstest.1.html

docs/htmldocs/manpages/wbinfo.1.html

docs/htmldocs/manpages/winbind_krb5_locator.7.html

docs/htmldocs/manpages/winbindd.8.html

docs/manpages/cifs.upcall.8

docs/manpages/eventlogadm.8

docs/manpages/findsmb.1

docs/manpages/idmap_ad.8

docs/manpages/idmap_adex.8

docs/manpages/idmap_hash.8

docs/manpages/idmap_ldap.8

docs/manpages/idmap_nss.8

docs/manpages/idmap_rid.8

docs/manpages/idmap_tdb.8

docs/manpages/idmap_tdb2.8

docs/manpages/ldb.3

docs/manpages/ldbadd.1

docs/manpages/ldbdel.1

docs/manpages/ldbedit.1

docs/manpages/ldbmodify.1

docs/manpages/ldbrename.1

docs/manpages/ldbsearch.1

docs/manpages/libsmbclient.7

docs/manpages/lmhosts.5

docs/manpages/log2pcap.1

docs/manpages/mount.cifs.8

docs/manpages/net.8

docs/manpages/nmbd.8

docs/manpages/nmblookup.1

docs/manpages/ntlm_auth.1

docs/manpages/pam_winbind.8

docs/manpages/pdbedit.8

docs/manpages/profiles.1

docs/manpages/rpcclient.1

docs/manpages/samba.7

docs/manpages/sharesec.1

docs/manpages/smb.conf.5

docs/manpages/smbcacls.1

docs/manpages/smbclient.1

docs/manpages/smbcontrol.1

docs/manpages/smbcquotas.1

docs/manpages/smbd.8

docs/manpages/smbget.1

docs/manpages/smbgetrc.5

docs/manpages/smbpasswd.5

docs/manpages/smbpasswd.8

docs/manpages/smbspool.8

docs/manpages/smbstatus.1

docs/manpages/smbtar.1

docs/manpages/smbtree.1

docs/manpages/swat.8

docs/manpages/tdbbackup.8

docs/manpages/tdbdump.8

docs/manpages/tdbtool.8

docs/manpages/testparm.1

docs/manpages/umount.cifs.8

docs/manpages/vfs_acl_tdb.8

docs/manpages/vfs_acl_xattr.8

docs/manpages/vfs_audit.8

docs/manpages/vfs_cacheprime.8

docs/manpages/vfs_cap.8

docs/manpages/vfs_catia.8

docs/manpages/vfs_commit.8

docs/manpages/vfs_default_quota.8

docs/manpages/vfs_dirsort.8

docs/manpages/vfs_extd_audit.8

docs/manpages/vfs_fake_perms.8

docs/manpages/vfs_fileid.8

docs/manpages/vfs_full_audit.8

docs/manpages/vfs_gpfs.8

docs/manpages/vfs_netatalk.8

docs/manpages/vfs_notify_fam.8

docs/manpages/vfs_prealloc.8

docs/manpages/vfs_preopen.8

docs/manpages/vfs_readahead.8

docs/manpages/vfs_readonly.8

docs/manpages/vfs_recycle.8

docs/manpages/vfs_shadow_copy.8

docs/manpages/vfs_shadow_copy2.8

docs/manpages/vfs_smb_traffic_analyzer.8

docs/manpages/vfs_streams_depot.8

docs/manpages/vfs_streams_xattr.8

docs/manpages/vfs_xattr_tdb.8

docs/manpages/vfstest.1

docs/manpages/wbinfo.1

docs/manpages/winbind_krb5_locator.7

docs/manpages/winbindd.8

lib/async_req/async_req.c

lib/async_req/async_req.h

lib/util/util.c

librpc/gen_ndr/cli_echo.c

librpc/gen_ndr/cli_epmapper.c

librpc/gen_ndr/cli_eventlog.c

librpc/gen_ndr/cli_ntsvcs.c

librpc/gen_ndr/cli_spoolss.c

librpc/gen_ndr/cli_spoolss.h

librpc/gen_ndr/cli_srvsvc.c

librpc/gen_ndr/cli_svcctl.c

librpc/gen_ndr/cli_winreg.c

librpc/gen_ndr/misc.h

librpc/gen_ndr/ndr_misc.c

librpc/gen_ndr/ndr_misc.h

librpc/gen_ndr/ndr_spoolss.c

librpc/gen_ndr/ndr_spoolss.h

librpc/gen_ndr/ndr_winreg.c

librpc/gen_ndr/ndr_winreg.h

librpc/gen_ndr/spoolss.h

librpc/gen_ndr/srv_spoolss.c

librpc/gen_ndr/winreg.h

librpc/idl/misc.idl

librpc/idl/spoolss.idl

librpc/idl/winreg.idl

nsswitch/winbind_krb5_locator.c

packaging/RHEL-CTDB/samba.spec

packaging/RHEL/makerpms.git.sh

packaging/RHEL/makerpms.sh

packaging/RHEL/makerpms.sh.tmpl

packaging/RHEL/samba.spec

pidl/lib/Parse/Pidl/Samba3/ClientNDR.pm

pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm

pidl/tests/samba3-cli.pl

release-scripts/create-tarball

source3/Makefile.in

source3/VERSION

source3/auth/auth_sam.c

source3/client/cifs.upcall.c

source3/configure

source3/configure.in

source3/include/ads.h

source3/include/authdata.h

source3/include/config.h.in

source3/include/includes.h

source3/include/proto.h

source3/include/version.h

source3/lib/dbwrap_util.c

source3/lib/util_reg.c

source3/libaddns/dnsgss.c

source3/libads/ads_status.c

source3/libads/authdata.c

source3/libads/kerberos.c

source3/libads/kerberos_keytab.c

source3/libads/kerberos_verify.c

source3/libads/krb5_errs.c

source3/libads/krb5_setpw.c

source3/libads/ldap.c

source3/libnet/libnet.h

source3/librpc/gen_ndr/messaging.h

source3/librpc/gen_ndr/notify.h

source3/libsmb/cliconnect.c

source3/libsmb/clikrb5.c

source3/libsmb/clispnego.c

source3/libsmb/libsmb_context.c

source3/libsmb/libsmb_dir.c

source3/libsmb/libsmb_path.c

source3/libsmb/libsmb_setget.c

source3/m4/aclocal.m4

source3/modules/vfs_cap.c

source3/modules/vfs_default.c

source3/passdb/pdb_ldap.c

source3/rpc_client/cli_lsarpc.c

source3/rpc_client/cli_netlogon.c

source3/rpc_client/cli_pipe.c

source3/rpc_client/cli_spoolss.c

source3/rpc_server/srv_pipe_hnd.c

source3/rpc_server/srv_samr_nt.c

source3/rpc_server/srv_spoolss_nt.c

source3/smbd/blocking.c

source3/smbd/dosmode.c

source3/smbd/mangle_hash.c

source3/smbd/nttrans.c

source3/smbd/open.c

source3/smbd/pipes.c

source3/smbd/posix_acls.c

source3/smbd/reply.c

source3/smbd/trans2.c

source3/utils/net_rpc.c

source3/utils/ntlm_auth.c

source3/utils/pdbedit.c

source3/winbindd/idmap_ldap.c

source3/winbindd/winbindd_cred_cache.c

source3/winbindd/winbindd_pam.c

source3/winbindd/winbindd_rpc.c

source4/torture/rpc/spoolss.c

source4/torture/rpc/spoolss_win.c

Show diffs side-by-side

added added

removed removed

docs/htmldocs/Samba3-HOWTO/NetCommand.html

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�13.�Remote and Local Management: The Net Command</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.4.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part�III.�Advanced Configuration"><link rel="prev" href="groupmapping.html" title="Chapter�12.�Group Mapping: MS Windows and UNIX"><link rel="next" href="idmapper.html" title="Chapter�14.�Identity Mapping (IDMAP)"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�13.�Remote and Local Management: The Net Command</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a>�</td><th width="60%" align="center">Part�III.�Advanced Configuration</th><td width="20%" align="right">�<a accesskey="n" href="idmapper.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetCommand"></a>Chapter�13.�Remote and Local Management: The Net Command</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="orgname">Samba Team</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="orgname">SuSE</span> <span class="surname">Deschner</span></h3><div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:gd@suse.de">gd@suse.de</a>></code></p></div></div></div></div><div><p class="pubdate">May 9, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetCommand.html#id2599024">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2599319">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2599400">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2599558">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2600928">UNIX and Windows User Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2601139">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2601187">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2601256">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2601339">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2601684">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2601699">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2602068">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2602302">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2602524">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2602569">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2602757">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2602787">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2603410">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2603661">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603680">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603746">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603862">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603879">Managing IDMAP UID/SID Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2603923">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2603958">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></div><p>

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�13.�Remote and Local Management: The Net Command</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.4.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part�III.�Advanced Configuration"><link rel="prev" href="groupmapping.html" title="Chapter�12.�Group Mapping: MS Windows and UNIX"><link rel="next" href="idmapper.html" title="Chapter�14.�Identity Mapping (IDMAP)"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�13.�Remote and Local Management: The Net Command</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a>�</td><th width="60%" align="center">Part�III.�Advanced Configuration</th><td width="20%" align="right">�<a accesskey="n" href="idmapper.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter�13.�Remote and Local Management: The Net Command"><div class="titlepage"><div><div><h2 class="title"><a name="NetCommand"></a>Chapter�13.�Remote and Local Management: The Net Command</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:gd@samba.org">gd@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">May 9, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetCommand.html#id2605091">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2605385">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2605466">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2605625">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2606994">UNIX and Windows User Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2607206">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2607254">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2607322">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2607406">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2607751">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2607766">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2608135">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2608369">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2608591">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2608636">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2608824">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2608854">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2609477">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2609728">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2609747">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2609812">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2609928">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2609946">Managing IDMAP UID/SID Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2609990">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2610025">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></div><p>

The <code class="literal">net</code> command is one of the new features of Samba-3 and is an attempt to provide a useful

tool for the majority of remote management operations necessary for common tasks. The <code class="literal">net</code>

tool is flexible by design and is intended for command-line use as well as for scripted control application.

</p><p>

Originally introduced with the intent to mimic the Microsoft Windows command that has the same name, the

<code class="literal">net</code> command has morphed into a very powerful instrument that has become an essential part

of the Samba network administrator's toolbox. The Samba Team has introduced tools, such as

</p><p>

A Samba-3 administrator cannot afford to gloss over this chapter because to do so will almost certainly cause

the infliction of self-induced pain, agony, and desperation. Be warned: this is an important chapter.

</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2599024"></a>Overview</h2></div></div></div><p>

</p><div class="sect1" title="Overview"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2605091"></a>Overview</h2></div></div></div><p>

The tasks that follow the installation of a Samba-3 server, whether standalone or domain member, of a

domain controller (PDC or BDC) begins with the need to create administrative rights. Of course, the

creation of user and group accounts is essential for both a standalone server and a PDC.

In the case of a BDC or a Domain Member server (DMS), domain user and group accounts are obtained from

the central domain authentication backend.

</p><p>

Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows

networking domain global group accounts. Do you ask why? Because Samba always limits its access to

the resources of the host server by way of traditional UNIX UID and GID controls. This means that local

global groups can be given access rights based on UIDs and GIDs local to the server that is hosting

Samba. Such mappings are implemented using the <code class="literal">net</code> command.

</p><p>

UNIX systems that are hosting a Samba-3 server that is running as a member (PDC, BDC, or DMS) must have

a machine security account in the domain authentication database (or directory). The creation of such

security (or trust) accounts is also handled using the <code class="literal">net</code> command.

</p><p>

The establishment of interdomain trusts is achieved using the <code class="literal">net</code> command also, as

may a plethora of typical administrative duties such as user management, group management, share and

printer management, file and printer migration, security identifier management, and so on.

</p><p>

The overall picture should be clear now: the <code class="literal">net</code> command plays a central role

on the Samba-3 stage. This role will continue to be developed. The inclusion of this chapter is

evidence of its importance, one that has grown in complexity to the point that it is no longer considered

prudent to cover its use fully in the online UNIX man pages.

</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2599319"></a>Administrative Tasks and Methods</h2></div></div></div><p>

</p></div><div class="sect1" title="Administrative Tasks and Methods"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2605385"></a>Administrative Tasks and Methods</h2></div></div></div><p>

The basic operations of the <code class="literal">net</code> command are documented here. This documentation is not

exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to a Samba

server, the emphasis is on the use of the Distributed Computing Environment Remote Procedure Call (DCE RPC)

automatically fall back via the <code class="constant">ads</code>, <code class="constant">rpc</code>, and

<code class="constant">rap</code> modes. Please refer to the man page for a more comprehensive overview of the

capabilities of this utility.

</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2599400"></a>UNIX and Windows Group Management</h2></div></div></div><p>

100

101

102

</p></div><div class="sect1" title="UNIX and Windows Group Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2605466"></a>UNIX and Windows Group Management</h2></div></div></div><p>

100

101

102

103

As stated, the focus in most of this chapter is on use of the <code class="literal">net rpc</code> family of

104

operations that are supported by Samba. Most of them are supported by the <code class="literal">net ads</code>

105

mode when used in connection with Active Directory. The <code class="literal">net rap</code> operating mode is

106

also supported for some of these operations. RAP protocols are used by IBM OS/2 and by several

107

earlier SMB servers.

108

</p><p>

109

110

111

109

110

111

112

Samba's <code class="literal">net</code> tool implements sufficient capability to permit all common administrative

113

tasks to be completed from the command line. In this section each of the essential user and group management

114

facilities are explored.

115

</p><p>

116

117

118

119

116

117

118

119

120

Samba-3 recognizes two types of groups: <span class="emphasis"><em>domain groups</em></span> and <span class="emphasis"><em>local

121

groups</em></span>. Domain groups can contain (have as members) only domain user accounts. Local groups

122

can contain local users, domain users, and domain groups as members.

123

</p><p>

124

The purpose of a local group is to permit file permission to be set for a group account that, like the

125

usual UNIX/Linux group, is persistent across redeployment of a Windows file server.

126

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2599558"></a>Adding, Renaming, or Deletion of Group Accounts</h3></div></div></div><p>

126

</p><div class="sect2" title="Adding, Renaming, or Deletion of Group Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id2605625"></a>Adding, Renaming, or Deletion of Group Accounts</h3></div></div></div><p>

127

Samba provides file and print services to Windows clients. The file system resources it makes available

128

to the Windows environment must, of necessity, be provided in a manner that is compatible with the

129

Windows networking environment. UNIX groups are created and deleted as required to serve operational

143

between the UNIX group account and its members to the respective Windows group accounts. It goes on to

144

show how UNIX group members automatically pass-through to Windows group membership as soon as a logical

145

mapping has been created.

146

</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2599600"></a>Adding or Creating a New Group</h4></div></div></div><p>

146

</p><div class="sect3" title="Adding or Creating a New Group"><div class="titlepage"><div><div><h4 class="title"><a name="id2605667"></a>Adding or Creating a New Group</h4></div></div></div><p>

147

Before attempting to add a Windows group account, the currently available groups can be listed as shown

148

here:

149

150

149

150

151

</p><pre class="screen">

152

<code class="prompt">root# </code> net rpc group list -Uroot%not24get

153

Password:

161

Engineers

162

</pre><p>

163

</p><p>

164

A Windows group account called “<span class="quote">SupportEngrs</span>” can be added by executing the following

164

A Windows group account called <span class="quote">“<span class="quote">SupportEngrs</span>”</span> can be added by executing the following

165

command:

166

166

167

</p><pre class="screen">

168

<code class="prompt">root# </code> net rpc group add "SupportEngrs" -Uroot%not24get

169

</pre><p>

183

SupportEngrs

184

</pre><p>

185

</p><p>

186

187

188

186

187

188

189

The following demonstrates that the POSIX (UNIX/Linux system account) group has been created by calling

190

the <a class="link" href="smb.conf.5.html#ADDGROUPSCRIPT" target="_top">add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</a> interface

191

script:

205

The following demonstrates that the use of the <code class="literal">net</code> command to add a group account

206

results in immediate mapping of the POSIX group that has been created to the Windows group account as shown

207

here:

208

208

209

</p><pre class="screen">

210

<code class="prompt">root# </code> net groupmap list

211

Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins

218

Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers

219

SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs

220

</pre><p>

221

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2599802"></a>Mapping Windows Groups to UNIX Groups</h4></div></div></div><p>

222

223

224

225

221

</p></div><div class="sect3" title="Mapping Windows Groups to UNIX Groups"><div class="titlepage"><div><div><h4 class="title"><a name="id2605869"></a>Mapping Windows Groups to UNIX Groups</h4></div></div></div><p>

222

223

224

225

226

Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls

227

can be asserted in a manner that is consistent with the methods appropriate to the operating

228

system that is hosting the Samba server.

229

</p><p>

230

231

232

233

230

231

232

233

234

All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is

235

hosting a Samba server, are implemented using a UID/GID identity tuple. Samba does not in any way override

236

or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that

238

account. The user account must also map to a locally known UID. Note that the <code class="literal">net</code>

239

command does not call any RPC-functions here but directly accesses the passdb.

240

</p><p>

241

242

243

244

245

246

247

241

242

243

244

245

246

247

248

Samba depends on default mappings for the <code class="constant">Domain Admins, Domain Users</code>, and

249

<code class="constant">Domain Guests</code> global groups. Additional groups may be added as shown in the

250

examples just given. There are times when it is necessary to map an existing UNIX group account

251

to a Windows group. This operation, in effect, creates a Windows group account as a consequence

252

of creation of the mapping.

253

</p><p>

254

255

256

254

255

256

257

The operations that are permitted include: <code class="constant">add</code>, <code class="constant">modify</code>,

258

and <code class="constant">delete</code>. An example of each operation is shown here.

259

</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

259

</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

260

Commencing with Samba-3.0.23 Windows Domain Groups must be explicitly created. By default, all

261

UNIX groups are exposed to Windows networking as Windows local groups.

262

</p></div><p>

290

Supported mapping types are 'd' (domain global) and 'l' (domain local), a domain local group in Samba is

291

treated as local to the individual Samba server. Local groups can be used with Samba to enable multiple

292

nested group support.

293

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2600110"></a>Deleting a Group Account</h4></div></div></div><p>

294

293

</p></div><div class="sect3" title="Deleting a Group Account"><div class="titlepage"><div><div><h4 class="title"><a name="id2606176"></a>Deleting a Group Account</h4></div></div></div><p>

294

295

A group account may be deleted by executing the following command:

296

</p><pre class="screen">

297

<code class="prompt">root# </code> net rpc group delete SupportEngineers -Uroot%not24get

298

</pre><p>

299

</p><p>

300

Validation of the deletion is advisable. The same commands may be executed as shown above.

301

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2600150"></a>Rename Group Accounts</h4></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

301

</p></div><div class="sect3" title="Rename Group Accounts"><div class="titlepage"><div><div><h4 class="title"><a name="id2606216"></a>Rename Group Accounts</h4></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

302

This command is not documented in the man pages; it is implemented in the source code, but it does not

303

work at this time. The example given documents, from the source code, how it should work. Watch the

304

release notes of a future release to see when this may have been fixed.

305

</p></div><p>

306

Sometimes it is necessary to rename a group account. Good administrators know how painful some managers'

307

demands can be if this simple request is ignored. The following command demonstrates how the Windows group

308

“<span class="quote">SupportEngrs</span>” can be renamed to “<span class="quote">CustomerSupport</span>”:

309

308

<span class="quote">“<span class="quote">SupportEngrs</span>”</span> can be renamed to <span class="quote">“<span class="quote">CustomerSupport</span>”</span>:

309

310

</p><pre class="screen">

311

<code class="prompt">root# </code> net rpc group rename SupportEngrs \

312

CustomerSupport -Uroot%not24get

313

</pre><p>

314

</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="grpmemshipchg"></a>Manipulating Group Memberships</h3></div></div></div><p>

314

</p></div></div><div class="sect2" title="Manipulating Group Memberships"><div class="titlepage"><div><div><h3 class="title"><a name="grpmemshipchg"></a>Manipulating Group Memberships</h3></div></div></div><p>

315

Three operations can be performed regarding group membership. It is possible to (1) add Windows users

316

to a Windows group, to (2) delete Windows users from Windows groups, and to (3) list the Windows users that are

317

members of a Windows group.

349

Given that the user <code class="constant">ajt</code> is already a member of the UNIX/Linux group and, via the

350

group mapping, a member of the Windows group, an attempt to add this account again should fail. This is

351

demonstrated here:

352

352

353

</p><pre class="screen">

354

<code class="prompt">root# </code> net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get

355

Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP

359

</p><p>

360

To permit the user <code class="constant">ajt</code> to be added using the <code class="literal">net rpc group</code> utility,

361

this account must first be removed. The removal and confirmation of its effect is shown here:

362

362

363

</p><pre class="screen">

364

<code class="prompt">root# </code> net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get

365

<code class="prompt">root# </code> getent group Engineers

383

In this example the members of the Windows <code class="constant">Domain Users</code> account are validated using

384

the <code class="literal">net rpc group</code> utility. Note the this contents of the UNIX/Linux group was shown

385

four paragraphs earlier. The Windows (domain) group membership is shown here:

386

386

387

</p><pre class="screen">

388

<code class="prompt">root# </code> net rpc group members "Domain Users" -Uroot%not24get

389

MIDEARTH\jht

402

MIDEARTH\met

403

MIDEARTH\vlendecke

404

</pre><p>

405

</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

405

</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

406

An attempt to specify the group name as <code class="constant">MIDEARTH\Domain Users</code> in place of

407

just simply <code class="constant">Domain Users</code> will fail. The default behavior of the net rpc group

408

is to direct the command at the local machine. The Windows group is treated as being local to the machine.

409

If it is necessary to query another machine, its name can be specified using the <code class="constant">-S

410

servername</code> parameter to the <code class="literal">net</code> command.

411

</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="nestedgrpmgmgt"></a>Nested Group Support</h3></div></div></div><p>

411

</p></div></div><div class="sect2" title="Nested Group Support"><div class="titlepage"><div><div><h3 class="title"><a name="nestedgrpmgmgt"></a>Nested Group Support</h3></div></div></div><p>

412

It is possible in Windows (and now in Samba also) to create a local group that has members (contains),

413

domain users, and domain global groups. Creation of the local group <code class="constant">demo</code> is

414

achieved by executing:

421

</p><p>

422

Addition and removal of group members can be achieved using the <code class="constant">addmem</code> and

423

<code class="constant">delmem</code> subcommands of <code class="literal">net rpc group</code> command. For example,

424

addition of “<span class="quote">DOM\Domain Users</span>” to the local group <code class="constant">demo</code> would be

424

addition of <span class="quote">“<span class="quote">DOM\Domain Users</span>”</span> to the local group <code class="constant">demo</code> would be

425

done by executing:

426

</p><pre class="screen">

427

<code class="prompt">root# </code> net rpc group addmem demo "DOM\Domain Users" -Uroot%not24get

440

</p><pre class="screen">

441

<code class="prompt">root# </code> net rpc group delmem demo "DOM\jht" -Uroot%not24get

442

</pre><p>

443

</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2600629"></a>Managing Nest Groups on Workstations from the Samba Server</h4></div></div></div><p>

443

</p><div class="sect3" title="Managing Nest Groups on Workstations from the Samba Server"><div class="titlepage"><div><div><h4 class="title"><a name="id2606695"></a>Managing Nest Groups on Workstations from the Samba Server</h4></div></div></div><p>

444

Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone

445

administrative rights on their own workstation. This is of course a very bad practice, but commonly done

446

to avoid user complaints. Here is how it can be done remotely from a Samba PDC or BDC:

447

447

448

</p><pre class="screen">

449

<code class="prompt">root# </code> net rpc group addmem "Administrators" "Domain Users" \

450

-S WINPC032 -Uadministrator%secret

452

</p><p>

453

This can be scripted, and can therefore be performed as a user logs onto the domain from a Windows

454

workstation. Here is a simple example that shows how this can be done.

455

</p><div class="procedure"><a name="id2600674"></a><p class="title"><b>Procedure�13.1.�Automating User Addition to the Workstation Power Users Group</b></p><div class="example"><a name="autopoweruserscript"></a><p class="title"><b>Example�13.1.�Script to Auto-add Domain Users to Workstation Power Users Group</b></p><div class="example-contents"><pre class="screen">

455

</p><div class="procedure" title="Procedure�13.1.�Automating User Addition to the Workstation Power Users Group"><a name="id2606741"></a><p class="title"><b>Procedure�13.1.�Automating User Addition to the Workstation Power Users Group</b></p><div class="example"><a name="autopoweruserscript"></a><p class="title"><b>Example�13.1.�Script to Auto-add Domain Users to Workstation Power Users Group</b></p><div class="example-contents"><pre class="screen">

456

#!/bin/bash

457

458

/usr/bin/net rpc group addmem "Power Users" "DOMAIN_NAME\$1" \

459

-UAdministrator%secret -S $2

460

461

exit 0

462

</pre></div></div><br class="example-break"><div class="example"><a name="magicnetlogon"></a><p class="title"><b>Example�13.2.�A Magic Netlogon Share</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2600830"></a><em class="parameter"><code>comment = Netlogon Share</code></em></td></tr><tr><td><a class="indexterm" name="id2600841"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2600853"></a><em class="parameter"><code>root preexec = /etc/samba/scripts/autopoweruser.sh %U %m</code></em></td></tr><tr><td><a class="indexterm" name="id2600865"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2600877"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p>

462

</pre></div></div><br class="example-break"><div class="example"><a name="magicnetlogon"></a><p class="title"><b>Example�13.2.�A Magic Netlogon Share</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2606896"></a><em class="parameter"><code>comment = Netlogon Share</code></em></td></tr><tr><td><a class="indexterm" name="id2606908"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2606920"></a><em class="parameter"><code>root preexec = /etc/samba/scripts/autopoweruser.sh %U %m</code></em></td></tr><tr><td><a class="indexterm" name="id2606932"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606944"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>

463

Create the script shown in <a class="link" href="NetCommand.html#autopoweruserscript" title="Example�13.1.�Script to Auto-add Domain Users to Workstation Power Users Group">“Script to Auto-add Domain Users to Workstation Power Users Group”</a> and locate it in

464

the directory <code class="filename">/etc/samba/scripts</code>, named as <code class="filename">autopoweruser.sh</code>.

465

466

467

468

</p></li><li><p>

465

466

467

468

</p></li><li class="step" title="Step 2"><p>

469

Set the permissions on this script to permit it to be executed as part of the logon process:

470

</p><pre class="screen">

471

<code class="prompt">root# </code> chown root:root /etc/samba/autopoweruser.sh

472

<code class="prompt">root# </code> chmod 755 /etc/samba/autopoweruser.sh

473

</pre><p>

474

</p></li><li><p>

474

</p></li><li class="step" title="Step 3"><p>

475

Modify the <code class="filename">smb.conf</code> file so the <code class="literal">NETLOGON</code> stanza contains the parameters

476

shown in <a class="link" href="NetCommand.html#magicnetlogon" title="Example�13.2.�A Magic Netlogon Share">the Netlogon Example smb.conf file</a>.

477

</p></li><li><p>

477

</p></li><li class="step" title="Step 4"><p>

478

Ensure that every Windows workstation Administrator account has the same password that you

479

have used in the script shown in <a class="link" href="NetCommand.html#magicnetlogon" title="Example�13.2.�A Magic Netlogon Share">the Netlogon Example smb.conf

480

file</a>

484

in which case there is little justification for the use of this procedure. The key justification

485

for the use of this method is that it will guarantee that all users have appropriate rights on

486

the workstation.

487

</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2600928"></a>UNIX and Windows User Management</h2></div></div></div><p>

488

489

490

491

492

493

494

495

487

</p></div></div></div><div class="sect1" title="UNIX and Windows User Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2606994"></a>UNIX and Windows User Management</h2></div></div></div><p>

488

489

490

491

492

493

494

495

496

Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact,

497

the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either

498

from a system (POSIX) account or from a pool (range) of UID numbers that is set aside for the purpose

503

this interface is an important method of mapping a Windows user account to a UNIX account that has a

504

different name. Refer to the man page for the <code class="filename">smb.conf</code> file for more information regarding this

505

facility. User name mappings cannot be managed using the <code class="literal">net</code> utility.

506

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeuseraddn"></a>Adding User Accounts</h3></div></div></div><p>

506

</p><div class="sect2" title="Adding User Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="sbeuseraddn"></a>Adding User Accounts</h3></div></div></div><p>

507

The syntax for adding a user account via the <code class="literal">net</code> (according to the man page) is shown

508

here:

509

</p><pre class="screen">

516

</pre><p>

517

</p><p>

518

The following demonstrates the addition of an account to the server <code class="constant">FRODO</code>:

519

520

519

520

521

</p><pre class="screen">

522

<code class="prompt">root# </code> net rpc user add jacko -S FRODO -Uroot%not24get

523

Added user jacko

528

<code class="prompt">root# </code> net rpc user password jacko f4sth0rse \

529

-S FRODO -Uroot%not24get

530

</pre><p>

531

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601139"></a>Deletion of User Accounts</h3></div></div></div><p>

531

</p></div><div class="sect2" title="Deletion of User Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id2607206"></a>Deletion of User Accounts</h3></div></div></div><p>

532

Deletion of a user account can be done using the following syntax:

533

</p><pre class="screen">

534

net [<method>] user DELETE <name> [misc. options] [targets]

535

</pre><p>

536

The following command will delete the user account <code class="constant">jacko</code>:

537

537

538

</p><pre class="screen">

539

<code class="prompt">root# </code> net rpc user delete jacko -Uroot%not24get

540

Deleted user account

541

</pre><p>

542

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601187"></a>Managing User Accounts</h3></div></div></div><p>

542

</p></div><div class="sect2" title="Managing User Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id2607254"></a>Managing User Accounts</h3></div></div></div><p>

543

Two basic user account operations are routinely used: change of password and querying which groups a user

544

is a member of. The change of password operation is shown in <a class="link" href="NetCommand.html#sbeuseraddn" title="Adding User Accounts">“Adding User Accounts”</a>.

545

</p><p>

546

The ability to query Windows group membership can be essential. Here is how a remote server may be

547

interrogated to find which groups a user is a member of:

548

548

549

</p><pre class="screen">

550

<code class="prompt">root# </code> net rpc user info jacko -S SAURON -Uroot%not24get

551

net rpc user info jacko -S SAURON -Uroot%not24get

558

</pre><p>

559

</p><p>

560

It is also possible to rename user accounts:

561

<a class="indexterm" name="id2601240"></a>oldusername newusername

561

<a class="indexterm" name="id2607306"></a>oldusername newusername

562

Note that this operation does not yet work against Samba Servers. It is, however, possible to rename useraccounts on

563

Windows Servers.

564

565

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601256"></a>User Mapping</h3></div></div></div><p>

566

567

568

565

</p></div><div class="sect2" title="User Mapping"><div class="titlepage"><div><div><h3 class="title"><a name="id2607322"></a>User Mapping</h3></div></div></div><p>

566

567

568

569

In some situations it is unavoidable that a user's Windows logon name will differ from the login ID

570

that user has on the Samba server. It is possible to create a special file on the Samba server that

571

will permit the Windows user name to be mapped to a different UNIX/Linux user name. The <code class="filename">smb.conf</code>

578

parsonsw: "William Parsons"

579

marygee: geeringm

580

</pre><p>

581

In this example the Windows user account “<span class="quote">William Parsons</span>” will be mapped to the UNIX user

582

<code class="constant">parsonsw</code>, and the Windows user account “<span class="quote">geeringm</span>” will be mapped to the

581

In this example the Windows user account <span class="quote">“<span class="quote">William Parsons</span>”</span> will be mapped to the UNIX user

582

<code class="constant">parsonsw</code>, and the Windows user account <span class="quote">“<span class="quote">geeringm</span>”</span> will be mapped to the

583

UNIX user <code class="constant">marygee</code>.

584

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2601339"></a>Administering User Rights and Privileges</h2></div></div></div><p>

585

586

587

588

589

584

</p></div></div><div class="sect1" title="Administering User Rights and Privileges"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2607406"></a>Administering User Rights and Privileges</h2></div></div></div><p>

585

586

587

588

589

590

With all versions of Samba earlier than 3.0.11 the only account on a Samba server that could

591

manage users, groups, shares, printers, and such was the <code class="constant">root</code> account. This caused

592

problems for some users and was a frequent source of scorn over the necessity to hand out the

593

credentials for the most security-sensitive account on a UNIX/Linux system.

594

</p><p>

595

596

597

598

599

595

596

597

598

599

600

New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either

601

a normal user or to groups of users. The significance of the administrative privileges is documented

602

in <a class="link" href="rights.html" title="Chapter�15.�User Rights and Privileges">“User Rights and Privileges”</a>. Examples of use of the <code class="literal">net</code> for user rights and privilege

603

management is appropriate to this chapter.

604

</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

604

</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

605

When user rights and privileges are correctly set, there is no longer a need for a Windows

606

network account for the <code class="constant">root</code> user (nor for any synonym of it) with a UNIX UID=0.

607

Initial user rights and privileges can be assigned by any account that is a member of the <code class="constant">

632

</p><p>

633

The <code class="literal">net</code> command can be used to obtain the currently supported capabilities for rights

634

and privileges using this method:

635

636

637

638

639

640

641

642

643

635

636

637

638

639

640

641

642

643

644

</p><pre class="screen">

645

<code class="prompt">root# </code> net rpc rights list -U root%not24get

646

SeMachineAccountPrivilege Add machines to domain

659

In this example, all rights are assigned to the <code class="constant">Domain Admins</code> group. This is a good

660

idea since members of this group are generally expected to be all-powerful. This assignment makes that

661

the reality:

662

662

663

</p><pre class="screen">

664

<code class="prompt">root# </code> net rpc rights grant "MIDEARTH\Domain Admins" \

665

SeMachineAccountPrivilege SePrintOperatorPrivilege \

678

</pre><p>

679

</p><p>

680

The following step permits validation of the changes just made:

681

681

682

</p><pre class="screen">

683

<code class="prompt">root# </code> net rpc rights list accounts -U root%not24get

684

MIDEARTH\jht

712

SeRemoteShutdownPrivilege

713

SeDiskOperatorPrivilege

714

</pre><p>

715

</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2601684"></a>Managing Trust Relationships</h2></div></div></div><p>

715

</p></div><div class="sect1" title="Managing Trust Relationships"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2607751"></a>Managing Trust Relationships</h2></div></div></div><p>

716

There are essentially two types of trust relationships: the first is between domain controllers and domain

717

member machines (network clients), the second is between domains (called interdomain trusts). All

718

Samba servers that participate in domain security require a domain membership trust account, as do like

719

Windows NT/200x/XP workstations.

720

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601699"></a>Machine Trust Accounts</h3></div></div></div><p>

720

</p><div class="sect2" title="Machine Trust Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id2607766"></a>Machine Trust Accounts</h3></div></div></div><p>

721

The net command looks in the <code class="filename">smb.conf</code> file to obtain its own configuration settings. Thus, the following

722

command 'knows' which domain to join from the <code class="filename">smb.conf</code> file.

723

</p><p>

724

A Samba server domain trust account can be validated as shown in this example:

725

725

726

</p><pre class="screen">

727

<code class="prompt">root# </code> net rpc testjoin

728

Join to 'MIDEARTH' is OK

735

</pre><p>

736

</p><p>

737

The equivalent command for joining a Samba server to a Windows ADS domain is shown here:

738

738

739

</p><pre class="screen">

740

<code class="prompt">root# </code> net ads testjoin

741

Using short domain name -- TAKEAWAY

750

</p><p>

751

The following demonstrates the process of creating a machine trust account in the target domain for the

752

Samba server from which the command is executed:

753

753

754

</p><pre class="screen">

755

<code class="prompt">root# </code> net rpc join -S FRODO -Uroot%not24get

756

Joined domain MIDEARTH.

765

The S in the square brackets means this is a server (PDC/BDC) account. The domain join can be cast to join

766

purely as a workstation, in which case the S is replaced with a W (indicating a workstation account). The

767

following command can be used to affect this:

768

768

769

</p><pre class="screen">

770

<code class="prompt">root# </code> net rpc join member -S FRODO -Uroot%not24get

771

Joined domain MIDEARTH.

773

Note that the command-line parameter <code class="constant">member</code> makes this join specific. By default

774

the type is deduced from the <code class="filename">smb.conf</code> file configuration. To specifically join as a PDC or BDC, the

775

command-line parameter will be <code class="constant">[PDC | BDC]</code>. For example:

776

776

777

</p><pre class="screen">

778

<code class="prompt">root# </code> net rpc join bdc -S FRODO -Uroot%not24get

779

Joined domain MIDEARTH.

781

It is best to let Samba figure out the domain join type from the settings in the <code class="filename">smb.conf</code> file.

782

</p><p>

783

The command to join a Samba server to a Windows ADS domain is shown here:

784

784

785

</p><pre class="screen">

786

<code class="prompt">root# </code> net ads join -UAdministrator%not24get

787

Using short domain name -- GDANSK

792

Windows machine is withdrawn from the domain, the domain membership account is not automatically removed

793

either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the

794

machine account can be removed using the following <code class="literal">net</code> command:

795

795

796

</p><pre class="screen">

797

<code class="prompt">root# </code> net rpc user delete HERRING\$ -Uroot%not24get

798

Deleted user account.

802

</p><p>

803

A Samba-3 server that is a Windows ADS domain member can execute the following command to detach from the

804

domain:

805

805

806

</p><pre class="screen">

807

<code class="prompt">root# </code> net ads leave

808

</pre><p>

809

</p><p>

810

Detailed information regarding an ADS domain can be obtained by a Samba DMS machine by executing the

811

following:

812

812

813

</p><pre class="screen">

814

<code class="prompt">root# </code> net ads status

815

</pre><p>

816

The volume of information is extensive. Please refer to the book “<span class="quote">Samba-3 by Example</span>”,

816

The volume of information is extensive. Please refer to the book <span class="quote">“<span class="quote">Samba-3 by Example</span>”</span>,

817

Chapter 7 for more information regarding its use. This book may be obtained either in print or online from

818

the <a class="ulink" href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">Samba-3 by Example</a>.

819

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602068"></a>Interdomain Trusts</h3></div></div></div><p>

819

</p></div><div class="sect2" title="Interdomain Trusts"><div class="titlepage"><div><div><h3 class="title"><a name="id2608135"></a>Interdomain Trusts</h3></div></div></div><p>

820

Interdomain trust relationships form the primary mechanism by which users from one domain can be granted

821

access rights and privileges in another domain.

822

</p><p>

823

To discover what trust relationships are in effect, execute this command:

824

824

825

</p><pre class="screen">

826

<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get

827

Trusted domains list:

837

It is necessary to create a trust account in the local domain. A domain controller in a second domain can

838

create a trusted connection with this account. That means that the foreign domain is being trusted

839

to access resources in the local domain. This command creates the local trust account:

840

840

841

</p><pre class="screen">

842

<code class="prompt">root# </code> net rpc trustdom add DAMNATION f00db4r -Uroot%not24get

843

</pre><p>

850

A trust account will always have an I in the field within the square brackets.

851

</p><p>

852

If the trusting domain is not capable of being reached, the following command will fail:

853

853

854

</p><pre class="screen">

855

<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get

856

Trusted domains list:

876

Where a trust account has been created on a foreign domain, Samba is able to establish the trust (connect with)

877

the foreign account. In the process it creates a one-way trust to the resources on the remote domain. This

878

command achieves the objective of joining the trust relationship:

879

879

880

</p><pre class="screen">

881

<code class="prompt">root# </code> net rpc trustdom establish DAMNATION

882

Password: xxxxxxx == f00db4r

897

</p><p>

898

Sometimes it is necessary to remove the ability for local users to access a foreign domain. The trusting

899

connection can be revoked as shown here:

900

900

901

</p><pre class="screen">

902

<code class="prompt">root# </code> net rpc trustdom revoke DAMNATION -Uroot%not24get

903

</pre><p>

907

<code class="prompt">root# </code> net rpc trustdom del DAMNATION -Uroot%not24get

908

</pre><p>

909

910

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2602302"></a>Managing Security Identifiers (SIDS)</h2></div></div></div><p>

911

912

913

914

915

910

</p></div></div><div class="sect1" title="Managing Security Identifiers (SIDS)"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2608369"></a>Managing Security Identifiers (SIDS)</h2></div></div></div><p>

911

912

913

914

915

916

The basic security identifier that is used by all Windows networking operations is the Windows security

917

identifier (SID). All Windows network machines (servers and workstations), users, and groups are

918

identified by their respective SID. All desktop profiles are also encoded with user and group SIDs that

919

are specific to the SID of the domain to which the user belongs.

920

</p><p>

921

922

923

924

921

922

923

924

925

It is truly prudent to store the machine and/or domain SID in a file for safekeeping. Why? Because

926

a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you

927

have the SID on hand, it is a simple matter to restore it. The alternative is to suffer the pain of

929

</p><p>

930

First, do not forget to store the local SID in a file. It is a good idea to put this in the directory

931

in which the <code class="filename">smb.conf</code> file is also stored. Here is a simple action to achieve this:

932

932

933

</p><pre class="screen">

934

<code class="prompt">root# </code> net getlocalsid > /etc/samba/my-sid

935

</pre><p>

945

If ever it becomes necessary to restore the SID that has been stored in the <code class="filename">my-sid</code>

946

file, simply copy the SID (the string of characters that begins with <code class="constant">S-1-5-21</code>) to

947

the command line shown here:

948

948

949

</p><pre class="screen">

950

<code class="prompt">root# </code> net setlocalsid S-1-5-21-1385457007-882775198-1210191635

951

</pre><p>

956

DMS and workstation clients should have their own machine SID to avoid

957

any potential namespace collision. Here is the way that the BDC SID can be synchronized to that

958

of the PDC (this is the default NT4 domain practice also):

959

959

960

</p><pre class="screen">

961

<code class="prompt">root# </code> net rpc getsid -S FRODO -Uroot%not24get

962

Storing SID S-1-5-21-726309263-4128913605-1168186429 \

964

</pre><p>

965

Usually it is not necessary to specify the target server (-S FRODO) or the administrator account

966

credentials (-Uroot%not24get).

967

</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2602524"></a>Share Management</h2></div></div></div><p>

967

</p></div><div class="sect1" title="Share Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2608591"></a>Share Management</h2></div></div></div><p>

968

Share management is central to all file serving operations. Typical share operations include:

969

</p><div class="itemizedlist"><ul type="disc"><li><p>Creation/change/deletion of shares</p></li><li><p>Setting/changing ACLs on shares</p></li><li><p>Moving shares from one server to another</p></li><li><p>Change of permissions of share contents</p></li></ul></div><p>

969

</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Creation/change/deletion of shares</p></li><li class="listitem"><p>Setting/changing ACLs on shares</p></li><li class="listitem"><p>Moving shares from one server to another</p></li><li class="listitem"><p>Change of permissions of share contents</p></li></ul></div><p>

970

Each of these are dealt with here insofar as they involve the use of the <code class="literal">net</code>

971

command. Operations outside of this command are covered elsewhere in this document.

972

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602569"></a>Creating, Editing, and Removing Shares</h3></div></div></div><p>

972

</p><div class="sect2" title="Creating, Editing, and Removing Shares"><div class="titlepage"><div><div><h3 class="title"><a name="id2608636"></a>Creating, Editing, and Removing Shares</h3></div></div></div><p>

973

A share can be added using the <code class="literal">net rpc share</code> command capabilities.

974

The target machine may be local or remote and is specified by the -S option. It must be noted

975

that the addition and deletion of shares using this tool depends on the availability of a suitable

982

utility. In the first step a share called <code class="constant">Bulge</code> is added. The sharepoint within the

983

file system is the directory <code class="filename">/data</code>. The command that can be executed to perform the

984

addition of this share is shown here:

985

985

986

</p><pre class="screen">

987

<code class="prompt">root# </code> net rpc share add Bulge=/data -S MERLIN -Uroot%not24get

988

</pre><p>

1003

</p><p>

1004

Often it is desirable also to permit a share to be removed using a command-line tool.

1005

The following step permits the share that was previously added to be removed:

1006

1006

1007

</p><pre class="screen">

1008

<code class="prompt">root# </code> net rpc share delete Bulge -S MERLIN -Uroot%not24get

1009

</pre><p>

1019

ADMIN$

1020

kyocera

1021

</pre><p>

1022

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602757"></a>Creating and Changing Share ACLs</h3></div></div></div><p>

1022

</p></div><div class="sect2" title="Creating and Changing Share ACLs"><div class="titlepage"><div><div><h3 class="title"><a name="id2608824"></a>Creating and Changing Share ACLs</h3></div></div></div><p>

1023

At this time the <code class="literal">net</code> tool cannot be used to manage ACLs on Samba shares. In MS Windows

1024

language this is called Share Permissions.

1025

</p><p>

1026

It is possible to set ACLs on Samba shares using either the SRVTOOLS NT4 Domain Server Manager

1027

or using the Computer Management MMC snap-in. Neither is covered here,

1028

but see <a class="link" href="AccessControls.html" title="Chapter�16.�File, Directory, and Share Access Controls">“File, Directory, and Share Access Controls”</a>.

1029

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602787"></a>Share, Directory, and File Migration</h3></div></div></div><p>

1030

1029

</p></div><div class="sect2" title="Share, Directory, and File Migration"><div class="titlepage"><div><div><h3 class="title"><a name="id2608854"></a>Share, Directory, and File Migration</h3></div></div></div><p>

1030

1031

Shares and files can be migrated in the same manner as user, machine, and group accounts.

1032

It is possible to preserve access control settings (ACLs) as well as security settings

1033

throughout the migration process. The <code class="literal">net rpc vampire</code> facility is used

1058

server (or domain) as well as the processes on which the migration is critically dependant.

1059

</p><p>

1060

There are two known limitations to the migration process:

1061

</p><div class="orderedlist"><ol type="1"><li><p>

1061

</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>

1062

The <code class="literal">net</code> command requires that the user credentials provided exist on both

1063

the migration source and the migration target.

1064

</p></li><li><p>

1064

</p></li><li class="listitem"><p>

1065

Printer settings may not be fully or may be incorrectly migrated. This might in particular happen

1066

when migrating a Windows 2003 print server to Samba.

1067

</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2602897"></a>Share Migration</h4></div></div></div><p>

1067

</p></li></ol></div><div class="sect3" title="Share Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id2608964"></a>Share Migration</h4></div></div></div><p>

1068

The <code class="literal">net rpc share migrate</code> command operation permits the migration of plain

1069

share stanzas. A stanza contains the parameters within which a file or print share are defined.

1070

The use of this migration method will create share stanzas that have as parameters the file

1091

When the parameter <share-name> is omitted, all shares will be migrated. The potentially

1092

large list of available shares on the system that is being migrated can be limited using the

1093

<em class="parameter"><code>--exclude</code></em> switch. For example:

1094

1094

1095

</p><pre class="screen">

1096

<code class="prompt">root# </code> net rpc share migrate shares myshare\

1097

-S win2k -U administrator%secret"

1104

identical on both systems. One precaution worth taking before commencement of migration of shares is

1105

to validate that the migrated accounts (on the Samba server) have the needed rights and privileges.

1106

This can be done as shown here:

1107

1107

1108

</p><pre class="screen">

1109

<code class="prompt">root# </code> net rpc right list accounts -Uroot%not24get

1110

</pre><p>

1111

The steps taken so far perform only the migration of shares. Directories and directory contents

1112

are not migrated by the steps covered up to this point.

1113

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2603094"></a>File and Directory Migration</h4></div></div></div><p>

1113

</p></div><div class="sect3" title="File and Directory Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id2609160"></a>File and Directory Migration</h4></div></div></div><p>

1114

Everything covered to this point has been done in preparation for the migration of file and directory

1115

data. For many people preparation is potentially boring and the real excitement only begins when file

1116

data can be used. The next steps demonstrate the techniques that can be used to transfer (migrate)

1147

to the above command line. Original file timestamps can be preserved by specifying the

1148

<em class="parameter"><code>--timestamps</code></em> switch, and the DOS file attributes (i.e., hidden, archive, etc.) can

1149

be preserved by specifying the <em class="parameter"><code>--attrs</code></em> switch.

1150

</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

1150

</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

1151

The ability to preserve ACLs depends on appropriate support for ACLs as well as the general file system

1152

semantics of the host operating system on the target server. A migration from one Windows file server to

1153

another will perfectly preserve all file attributes. Because of the difficulty of mapping Windows ACLs

1161

</p><p>

1162

An example for migration of files from a machine called <code class="constant">nt4box</code> to the Samba server

1163

from which the process will be handled is shown here:

1164

1164

1165

</p><pre class="screen">

1166

<code class="prompt">root# </code> net rpc share migrate files -S nt4box --acls \

1167

--attrs -U administrator%secret

1170

This command will migrate all files and directories from all file shares on the Windows server called

1171

<code class="constant">nt4box</code> to the Samba server from which migration is initiated. Files that are group-owned

1172

will be owned by the user account <code class="constant">administrator</code>.

1173

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2603309"></a>Share-ACL Migration</h4></div></div></div><p>

1173

</p></div><div class="sect3" title="Share-ACL Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id2609375"></a>Share-ACL Migration</h4></div></div></div><p>

1174

It is possible to have share-ACLs (security descriptors) that won't allow you, even as Administrator, to

1175

copy any files or directories into it. Therefor the migration of the share-ACLs has been put into a separate

1176

function:

1177

1177

1178

</p><pre class="screen">

1179

<code class="prompt">root# </code> net rpc share migrate security -S nt4box -U administrator%secret

1180

</pre><p>

1181

</p><p>

1182

This command will only copy the share-ACL of each share on nt4box to your local samba-system.

1183

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2603351"></a>Simultaneous Share and File Migration</h4></div></div></div><p>

1183

</p></div><div class="sect3" title="Simultaneous Share and File Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id2609418"></a>Simultaneous Share and File Migration</h4></div></div></div><p>

1184

The operating mode shown here is just a combination of the previous three. It first migrates

1185

share definitions and then all shared files and directories and finally migrates the share-ACLs:

1186

</p><pre class="screen">

1189

</pre><p>

1190

</p><p>

1191

An example of simultaneous migration is shown here:

1192

1192

1193

</p><pre class="screen">

1194

<code class="prompt">root# </code> net rpc share migrate all -S w2k3server -U administrator%secret

1195

</pre><p>

1196

This will generate a complete server clone of the <em class="parameter"><code>w2k3server</code></em> server.

1197

</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2603410"></a>Printer Migration</h3></div></div></div><p>

1197

</p></div></div><div class="sect2" title="Printer Migration"><div class="titlepage"><div><div><h3 class="title"><a name="id2609477"></a>Printer Migration</h3></div></div></div><p>

1198

The installation of a new server, as with the migration to a new network environment, often is similar to

1199

building a house; progress is very rapid from the laying of foundations up to the stage at which

1200

the house can be locked up, but the finishing off appears to take longer and longer as building

1213

how extensively it has been documented.

1214

</p><p>

1215

The migration of an existing printing architecture involves the following:

1216

</p><div class="itemizedlist"><ul type="disc"><li><p>Establishment of print queues.</p></li><li><p>Installation of printer drivers (both for the print server and for Windows clients.</p></li><li><p>Configuration of printing forms.</p></li><li><p>Implementation of security settings.</p></li><li><p>Configuration of printer settings.</p></li></ul></div><p>

1216

</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Establishment of print queues.</p></li><li class="listitem"><p>Installation of printer drivers (both for the print server and for Windows clients.</p></li><li class="listitem"><p>Configuration of printing forms.</p></li><li class="listitem"><p>Implementation of security settings.</p></li><li class="listitem"><p>Configuration of printer settings.</p></li></ul></div><p>

1217

The Samba <code class="literal">net</code> utility permits printer migration from one Windows print server

1218

to another. When this tool is used to migrate printers to a Samba server <code class="literal">smbd</code>,

1219

the application that receives the network requests to create the necessary services must call out

1231

</p><p>

1232

Printer migration from a Windows print server (NT4 or 200x) is shown. This instruction causes the

1233

printer share to be created together with the underlying print queue:

1234

1234

1235

</p><pre class="screen">

1236

net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]

1237

</pre><p>

1238

Printer drivers can be migrated from the Windows print server to the Samba server using this

1239

command-line instruction:

1240

1240

1241

</p><pre class="screen">

1242

net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets]

1243

</pre><p>

1244

Printer forms can be migrated with the following operation:

1245

1245

1246

</p><pre class="screen">

1247

net rpc printer MIGRATE FORMS [printer] [misc. options] [targets]

1248

</pre><p>

1249

Printer security settings (ACLs) can be migrated from the Windows server to the Samba server using this command:

1250

1250

1251

</p><pre class="screen">

1252

net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets]

1253

</pre><p>

1254

Printer configuration settings include factors such as paper size and default paper orientation.

1255

These can be migrated from the Windows print server to the Samba server with this command:

1256

1256

1257

</p><pre class="screen">

1258

net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets]

1259

</pre><p>

1263

</p><pre class="screen">

1264

net rpc printer MIGRATE ALL [printer] [misc. options] [targets]

1265

</pre><p>

1266

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603661"></a>Controlling Open Files</h2></div></div></div><p>

1266

</p></div></div><div class="sect1" title="Controlling Open Files"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2609728"></a>Controlling Open Files</h2></div></div></div><p>

1267

The man page documents the <code class="literal">net file</code> function suite, which provides the tools to

1268

close open files using either RAP or RPC function calls. Please refer to the man page for specific

1269

usage information.

1270

</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603680"></a>Session and Connection Management</h2></div></div></div><p>

1270

</p></div><div class="sect1" title="Session and Connection Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2609747"></a>Session and Connection Management</h2></div></div></div><p>

1271

The session management interface of the <code class="literal">net session</code> command uses the old RAP

1272

method to obtain the list of connections to the Samba server, as shown here:

1273

1273

1274

</p><pre class="screen">

1275

<code class="prompt">root# </code> net rap session -S MERLIN -Uroot%not24get

1276

Computer User name Client Type Opens Idle time

1285

</p><pre class="screen">

1286

<code class="prompt">root# </code> net rap session close marvel -Uroot%not24get

1287

</pre><p>

1288

</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603746"></a>Printers and ADS</h2></div></div></div><p>

1288

</p></div><div class="sect1" title="Printers and ADS"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2609812"></a>Printers and ADS</h2></div></div></div><p>

1289

When Samba-3 is used within an MS Windows ADS environment, printers shared via Samba will not be browseable

1290

until they have been published to the ADS domain. Information regarding published printers may be obtained

1291

from the ADS server by executing the <code class="literal">net ads print info</code> command following this syntax:

1292

1292

1293

</p><pre class="screen">

1294

net ads printer info <printer_name> <server_name> -Uadministrator%secret

1295

</pre><p>

1297

returned.

1298

</p><p>

1299

To publish (make available) a printer to ADS, execute the following command:

1300

1300

1301

</p><pre class="screen">

1302

net ads printer publish <printer_name> -Uadministrator%secret

1303

</pre><p>

1304

This publishes a printer from the local Samba server to ADS.

1305

</p><p>

1306

Removal of a Samba printer from ADS is achieved by executing this command:

1307

1307

1308

</p><pre class="screen">

1309

net ads printer remove <printer_name> -Uadministrator%secret

1310

</pre><p>

1311

</p><p>

1312

A generic search (query) can also be made to locate a printer across the entire ADS domain by executing:

1313

1313

1314

</p><pre class="screen">

1315

net ads printer search <printer_name> -Uadministrator%secret

1316

</pre><p>

1317

</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603862"></a>Manipulating the Samba Cache</h2></div></div></div><p>

1317

</p></div><div class="sect1" title="Manipulating the Samba Cache"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2609928"></a>Manipulating the Samba Cache</h2></div></div></div><p>

1318

Please refer to the <code class="literal">net</code> command man page for information regarding cache management.

1319

</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603879"></a>Managing IDMAP UID/SID Mappings</h2></div></div></div><p>

1319

</p></div><div class="sect1" title="Managing IDMAP UID/SID Mappings"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2609946"></a>Managing IDMAP UID/SID Mappings</h2></div></div></div><p>

1320

The IDMAP UID to SID, and SID to UID, mappings that are created by <code class="literal">winbindd</code> can be

1321

backed up to a text file. The text file can be manually edited, although it is highly recommended that

1322

you attempt this only if you know precisely what you are doing.

1327

</p><p>

1328

Winbind must be shut down to dump the IDMAP file. Before restoring a dump file, shut down

1329

<code class="literal">winbindd</code> and delete the old <code class="filename">winbindd_idmap.tdb</code> file.

1330

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2603923"></a>Creating an IDMAP Database Dump File</h3></div></div></div><p>

1330

</p><div class="sect2" title="Creating an IDMAP Database Dump File"><div class="titlepage"><div><div><h3 class="title"><a name="id2609990"></a>Creating an IDMAP Database Dump File</h3></div></div></div><p>

1331

The IDMAP database can be dumped to a text file as shown here:

1332

</p><pre class="screen">

1333

net idmap dump <full_path_and_tdb_filename> > dumpfile.txt

1337

</p><pre class="screen">

1338

net idmap dump /var/lib/samba/winbindd_idmap.tdb > idmap_dump.txt

1339

</pre><p>

1340

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2603958"></a>Restoring the IDMAP Database Dump File</h3></div></div></div><p>

1340

</p></div><div class="sect2" title="Restoring the IDMAP Database Dump File"><div class="titlepage"><div><div><h3 class="title"><a name="id2610025"></a>Restoring the IDMAP Database Dump File</h3></div></div></div><p>

1341

The IDMAP dump file can be restored using the following command:

1342

</p><pre class="screen">

1343

net idmap restore idmap_dump.txt

1347

</p><pre class="screen">

1348

net idmap restore /var/lib/samba/winbindd_idmap.tdb < idmap_dump.txt

1349

</pre><p>

1350

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="netmisc1"></a>Other Miscellaneous Operations</h2></div></div></div><p>

1350

</p></div></div><div class="sect1" title="Other Miscellaneous Operations"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="netmisc1"></a>Other Miscellaneous Operations</h2></div></div></div><p>

1351

The following command is useful for obtaining basic statistics regarding a Samba domain. This command does

1352

not work with current Windows XP Professional clients.

1353

1353

1354

</p><pre class="screen">

1355

<code class="prompt">root# </code> net rpc info

1356

Domain Name: RAPIDFLY

1363

</p><p>

1364

Another useful tool is the <code class="literal">net time</code> tool set. This tool may be used to query the

1365

current time on the target server as shown here:

1366

1366

1367

</p><pre class="screen">

1368

<code class="prompt">root# </code> net time -S SAURON

1369

Tue May 17 00:50:43 2005

1371

In the event that it is the intent to pass the time information obtained to the UNIX

1372

<code class="literal">/bin/time</code>, it is a good idea to obtain the time from the target server in a format

1373

that is ready to be passed through. This may be done by executing:

1374

1374

1375

</p><pre class="screen">

1376

<code class="prompt">root# </code> net time system -S FRODO

1377

051700532005.16

1378

</pre><p>

1379

The time can be set on a target server by executing:

1380

1380

1381

</p><pre class="screen">

1382

<code class="prompt">root# </code> net time set -S MAGGOT -U Administrator%not24get

1383

Tue May 17 00:55:30 MDT 2005

1384

</pre><p>

1385

It is possible to obtain the time zone of a server by executing the following command against it:

1386

1386

1387

</p><pre class="screen">

1388

<code class="prompt">root# </code> net time zone -S SAURON

1389

-0600

Older »