Additional info regarding Samba 2.0.10/iX.1

This is a complete rework of my prior Samba-2/iX experiments.

- It is not supported by HP (i.e. *use at your own risk*) but comes as Open Source.
- It aims to minimize changes to the original sources by placing more stuff in the mpe subdir.
- It "lies" to the Samba code about the existence of "root" (uid = 0) on MPE/iX.
- It can be run in "sandbox" mode (no PM required) or "full power" mode (requires PM).
- Both modes handle encrypted passwords with the smbpasswd file and utility.

Sandbox mode

- Allows running Samba without any kind of PM capability.
- Cannot bind port numbers below 1024 and must thus be run under inetd.
- Cannot validate MPE passwords, but will handle smbpasswd properly.
- Samba gets the "illusion" of being root and able to setuid() as needed.
- However, MPE setuid() is never called. All access is done by the same user.
- Programs run by their owner (or an SM user) "think" they are run by "root".
- Access to other accounts (e.g. Apache) needs "custom" permission setup.
- Might be faster than "full power" mode due to lack of setuid() overhead.
- Can only run Swat in demo mode (-a) and cannot run Nmbd at all.

Full Power mode

- Requires SMBD, SWAT and NMBD to be copied to SAMBA.SYS by MANAGER.SYS.
- Must add PM capability with LINKEDIT and *should* restrict X access with ACD.
- Notice that the user running SMBD is no longer required to have PM capability!
- Will be able to bind low port numbers and thus runs standalone or under inetd.
- Is able to validate MPE passwords, but will also handle smbpasswd properly.
- Samba gets the "illusion" of being "root" and being able to setuid() as needed.
- Programs in SAMBA.SYS *do* actually call MPE setuid() to switch user IDs.
- Access is thus not only done by the "initial user" but by all configured/validated ones.
- Make sure that you understand Samba security configuration before using this.

To use Samba/iX in "sandbox" mode, you need the following steps...
- Create or copy an smb.conf (and maybe user.map and printcap) in the lib directory.
- Run the bin/smbd server program as the SAMBA.ORG user for "sandbox" mode.
- You will need to configure it under inetd to use the default (low) port number 139.
- It will not be able to validate (i.e. it will reject) MPE user passwords, so use "encrypt passwords = yes".
- Run bin/smbpasswd as SAMBA.ORG or an SM user for "root" tasks like adding users.
- To run bin/swat under inetd, you need to use the -a option (beware the risks).

Remember that in "sandbox" mode, smbd will access all files/directories as SAMBA.ORG.
Don't be misled by the fact that smbstatus will show you other user IDs from smbpasswd.
Also keep in mind that nmbd cannot be used, as it needs PM to bind low port number(s).

To migrate to "full power" mode, you need the following steps...

  :hello manager.sys
  :newgroup samba
  :altgroup samba; cap=+ph,PM; access=()
  :chgroup samba
  :copy /ORG/SAMBA/v2.0.10/bin/smbd, smbd2010
  :copy /ORG/SAMBA/v2.0.10/bin/swat, swat2010
  :copy /ORG/SAMBA/v2.0.10/bin/nmbd, nmbd2010
  :altsec smbd2010; repacd=(x:samba.org)
  :altsec swat2010; repacd=(x:samba.org)
  :altsec nmbd2010; repacd=(x:samba.org)
  :### you must secure and trust the samba.org user now ###
  :linkedit "altprog smbd2010; cap=ia,ba,ph,pm"
  :linkedit "altprog swat2010; cap=ia,ba,ph,pm"
  :linkedit "altprog nmbd2010; cap=ia,ba,ph,pm"

Update your inetd.conf (and/or samba server job) to now use the programs in /SYS/SAMBA.

Remember that in "full power" mode, Samba will use setuid() to run under other user IDs.
You can either use MPE password validation (userpw,acctpw) or continue with smbpasswd.
The former is used for "encrypt passwords = no", the latter for "encrypt passwords = yes".
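The difference between the two modes described above, as an added C illustration (not code from the port's mpe subdir): a uid shim that always reports "root" to the server code and only switches the enforced identity in full power mode. All shim_* names, the uid values and the stand-in for the OS setuid() call are assumptions made for this example.

```c
/* Added illustration; not code from the port's mpe subdir.
 * All names (shim_*, MODE_*) and uid values are hypothetical. */
#include <stdio.h>
#include <sys/types.h>

enum shim_mode { MODE_SANDBOX, MODE_FULL_POWER };

static enum shim_mode mode;
static uid_t virt_uid;   /* identity reported to the server code */
static uid_t os_uid;     /* identity the OS enforces on file access */
static int os_calls;     /* how often the OS-level switch was invoked */

/* Stand-in for the OS setuid() so the demo runs without privileges. */
static int fake_os_setuid(uid_t u) { os_calls++; os_uid = u; return 0; }

/* The server always starts out believing it is "root" (uid 0). */
void shim_init(enum shim_mode m, uid_t start_uid) {
    mode = m; virt_uid = 0; os_uid = start_uid; os_calls = 0;
}

uid_t shim_getuid(void) { return virt_uid; }
uid_t shim_access_uid(void) { return os_uid; }
int shim_os_calls(void) { return os_calls; }

/* Sandbox: bookkeeping only. Full power: switch the OS identity too. */
int shim_setuid(uid_t target) {
    if (mode == MODE_FULL_POWER && fake_os_setuid(target) != 0)
        return -1;       /* a failed real switch must not be hidden */
    virt_uid = target;
    return 0;
}

/* 1 when the reported identity is not the one the OS enforces. */
int shim_identity_mismatch(void) { return virt_uid != os_uid; }

static void demo(const char *name, enum shim_mode m) {
    shim_init(m, 1001);          /* 1001: constructed uid of the starting user */
    shim_setuid(2002);           /* 2002: constructed uid of a validated client */
    printf("%-10s reported=%ld enforced=%ld os_calls=%d mismatch=%d\n", name,
           (long)shim_getuid(), (long)shim_access_uid(),
           shim_os_calls(), shim_identity_mismatch());
}

int main(void) {
    demo("sandbox", MODE_SANDBOX);
    demo("full power", MODE_FULL_POWER);
    return 0;
}
```

In the sandbox run the reported uid changes while the enforced uid stays with the starting user, which is why smbstatus can list other user IDs even though every file access is made as SAMBA.ORG.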
Version history

- 2.0.7/iX.1 = initial port, only smbd and swat working (sandbox or full power)
- 2.0.7/iX.2 = added nmbd (needs PM) and fixed intermittent mpe_auth bug in swat
- 2.0.10/iX.1 = rebuilt with 2.0.10 sources (security fix) plus fix in web/cgi.c

Have fun using Samba 2.0.10/iX, but keep in mind: *use at your own risk*

Lars Appel, June 2001

PS: Using free RedHat SourceNavigator on Windows was helpful to explore the Samba sources!