author     vorlon <vorlon@alioth.debian.org>    2007-11-21 17:44:34 +0000
committer  vorlon <vorlon@alioth.debian.org>    2007-11-21 17:44:34 +0000
commit     951fa9619c10959654b4f7d69c08722f1e76db71
tree       38907f3881253efb6119e4ac316f59548d9539e7 /docs/htmldocs/Samba3-ByExample
parent     6e61533d519c58d0a6360e20d42102b61dd0ddcb
download   samba-951fa9619c10959654b4f7d69c08722f1e76db71.tar.gz
merge upstream 3.0.27a into svn
git-svn-id: svn://svn.debian.org/svn/pkg-samba/trunk/samba@1586 fc4039ab-9d04-0410-8cac-899223bdd6b0
Diffstat (limited to 'docs/htmldocs/Samba3-ByExample')
-rw-r--r--  docs/htmldocs/Samba3-ByExample/2000users.html                          1000
-rw-r--r--  docs/htmldocs/Samba3-ByExample/Big500users.html                        1164
-rw-r--r--  docs/htmldocs/Samba3-ByExample/DMSMig.html                               10
-rw-r--r--  docs/htmldocs/Samba3-ByExample/DomApps.html                             597
-rw-r--r--  docs/htmldocs/Samba3-ByExample/ExNetworks.html                           23
-rw-r--r--  docs/htmldocs/Samba3-ByExample/HA.html                                  416
-rw-r--r--  docs/htmldocs/Samba3-ByExample/RefSection.html                           17
-rw-r--r--  docs/htmldocs/Samba3-ByExample/appendix.html                           1060
-rw-r--r--  docs/htmldocs/Samba3-ByExample/ch14.html                                106
-rw-r--r--  docs/htmldocs/Samba3-ByExample/go01.html                                113
-rw-r--r--  docs/htmldocs/Samba3-ByExample/gpl.html                                 294
-rw-r--r--  docs/htmldocs/Samba3-ByExample/happy.html                              2878
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/AccountingNetwork.png            bin 0 -> 10763 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/Charity-Network.png              bin 0 -> 11061 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/HostAnnouncment.png              bin 0 -> 38156 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/NullConnect.png                  bin 0 -> 21931 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/UNIX-Samba-and-LDAP.png          bin 0 -> 19491 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/UserConnect.png                  bin 0 -> 22583 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/UserMgrNT4.png                   bin 0 -> 31074 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture.png         bin 0 -> 57046 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture2.png        bin 0 -> 50864 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/WindowsXP-NullConnection.png     bin 0 -> 23120 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/WindowsXP-UserConnection.png     bin 0 -> 24505 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/XP-screen001.png                 bin 0 -> 14290 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/acct2net.png                     bin 0 -> 11193 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP-Ok.png    bin 0 -> 6581 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP.png       bin 0 -> 7474 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/ch7-fail-overLDAP.png            bin 0 -> 5292 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/ch7-singleLDAP.png               bin 0 -> 2334 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/ch8-migration.png                bin 0 -> 13949 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/chap4-net.png                    bin 0 -> 20674 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/chap5-net.png                    bin 0 -> 34239 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/chap6-net.png                    bin 0 -> 34490 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/chap7-idresol.png                bin 0 -> 19353 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/chap7-net-Ar.png                 bin 0 -> 97993 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/chap7-net2-Br.png                bin 0 -> 99789 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/chap9-ADSDC.png                  bin 0 -> 28319 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/chap9-SambaDC.png                bin 0 -> 26044 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/imc-usermanager2.png             bin 0 -> 91149 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/lam-config.png                   bin 0 -> 73791 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/lam-group-members.png            bin 0 -> 82762 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/lam-groups.png                   bin 0 -> 94035 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/lam-hosts.png                    bin 0 -> 86779 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/lam-login.png                    bin 0 -> 86345 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/lam-users.png                    bin 0 -> 102751 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/openmag.png                      bin 0 -> 18146 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/wxpp001.png                      bin 0 -> 31712 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/wxpp004.png                      bin 0 -> 29694 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/wxpp006.png                      bin 0 -> 12651 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/wxpp007.png                      bin 0 -> 12781 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/images/wxpp008.png                      bin 0 -> 19550 bytes
-rw-r--r--  docs/htmldocs/Samba3-ByExample/index.html                                12
-rw-r--r--  docs/htmldocs/Samba3-ByExample/ix01.html                                  1
-rw-r--r--  docs/htmldocs/Samba3-ByExample/kerberos.html                            826
-rw-r--r--  docs/htmldocs/Samba3-ByExample/ntmigration.html                        1128
-rw-r--r--  docs/htmldocs/Samba3-ByExample/nw4migration.html                       1249
-rw-r--r--  docs/htmldocs/Samba3-ByExample/pr01.html                                 31
-rw-r--r--  docs/htmldocs/Samba3-ByExample/pr02.html                                 35
-rw-r--r--  docs/htmldocs/Samba3-ByExample/pr03.html                                 55
-rw-r--r--  docs/htmldocs/Samba3-ByExample/preface.html                             386
-rw-r--r--  docs/htmldocs/Samba3-ByExample/primer.html                              546
-rw-r--r--  docs/htmldocs/Samba3-ByExample/samba.css                                 80
-rw-r--r--  docs/htmldocs/Samba3-ByExample/secure.html                             1859
-rw-r--r--  docs/htmldocs/Samba3-ByExample/simple.html                              861
-rw-r--r--  docs/htmldocs/Samba3-ByExample/small.html                               806
-rw-r--r--  docs/htmldocs/Samba3-ByExample/unixclients.html                        1790
-rw-r--r--  docs/htmldocs/Samba3-ByExample/upgrades.html                            947
67 files changed, 18290 insertions, 0 deletions
diff --git a/docs/htmldocs/Samba3-ByExample/2000users.html b/docs/htmldocs/Samba3-ByExample/2000users.html
new file mode 100644
index 0000000000..8e8a5fe049
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/2000users.html
@@ -0,0 +1,1000 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. A Distributed 2000-User Network</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="happy.html" title="Chapter 5. Making Happy Users"><link rel="next" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. A Distributed 2000-User Network</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="2000users"></a>Chapter 6. 
A Distributed 2000-User Network</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="2000users.html#id347742">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id347767">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id347824">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id348070">Technical Issues</a></span></dt><dt><span class="sect2"><a href="2000users.html#id348898">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id348912">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id352072">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id352211">Questions and Answers</a></span></dt></dl></div><p>
+There is something indeed mystical about things that are
+big. Large networks exhibit a certain magnetism and exude a sense of
+importance that obscures reality. You and I know that it is no more
+difficult to secure a large network than it is a small one. We all
+know that over and above a particular number of network clients, the
+rules no longer change; the only real dynamic is the size of the domain
+(much like a kingdom) over which the network ruler (oops, administrator)
+has control. The real dynamic then transforms from the technical to the
+political. Then again, that point is often reached well before the
+kingdom (or queendom) grows large.
+</p><p>
+If you have systematically worked your way to this chapter, hopefully you
+have found some gems and techniques that are applicable in your
+world. The network designs you have worked with in this book have their
+strong points as well as weak ones. That is to be expected given that
+they are based on real business environments, the specifics of which are
+molded to serve the purposes of this book.
+</p><p>
+This chapter is intent on wrapping up issues that are central to
+implementation and design of progressively larger networks. Are you ready
+for this chapter? Good, it is time to move on.
+</p><p>
+In previous chapters, you made the assumption that your network
+administration staff need detailed instruction right down to the
+nuts and bolts of implementing the solution. That is still the case,
+but they have graduated now. You decide to document only those issues,
+methods, and techniques that are new or complex. Routine tasks such as
+implementing a DNS or a DHCP server are under control. Even the basics of
+Samba are largely under control. So in this section you focus on the
+specifics of implementing LDAP changes, Samba changes, and approach and
+design of the solution and its deployment.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id347742"></a>Introduction</h2></div></div></div><p>
+Abmas is a miracle company. Most businesses would have collapsed under
+the weight of rapid expansion that this company has experienced. Samba
+is flexible, so there is no need to reinstall the whole operating
+system just because you need to implement a new network design. In fact,
+you can keep an old server running right up to the moment of cutover
+and then do a near-live conversion. There is no need to reinstall a
+Samba server just to change the way your network should function.
+</p><p>
+<a class="indexterm" name="id347757"></a>
+Network growth is common to all organizations. In this exercise,
+your preoccupation is with the mechanics of implementing Samba and
+LDAP so that network users on each network segment can work
+without impediment.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id347767"></a>Assignment Tasks</h3></div></div></div><p>
+ Starting with the configuration files for the server called
+ <code class="constant">MASSIVE</code> in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you now deal with the
+ issues that are particular to large distributed networks. Your task
+ is simple identify the challenges, consider the
+ alternatives, and then design and implement a solution.
+ </p><p>
+ <a class="indexterm" name="id347792"></a>
+ Remember, you have users based in London (UK), Los Angeles,
+ Washington. DC, and, three buildings in New York. A significant portion
+ of your workforce have notebook computers and roam all over the
+ world. Some dial into the office, others use VPN connections over the
+ Internet, and others just move between buildings.i
+ </p><p>
+ What do you say to an employee who normally uses a desktop
+ system but must spend six weeks on the road with a notebook computer?
+ She is concerned about email access and how to keep coworkers current
+ with changing documents.
+ </p><p>
+ To top it all off, you have one network support person and one
+ help desk person based in London, a single person dedicated to all
+ network operations in Los Angeles, five staff for user administration
+ and help desk in New York, plus one <span class="emphasis"><em>floater</em></span> for
+ Washington.
+ </p><p>
+ You have outsourced all desktop deployment and management to
+ DirectPointe. Your concern is server maintenance and third-level
+ support. Build a plan and show what must be done.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id347824"></a>Dissection and Discussion</h2></div></div></div><p>
+<a class="indexterm" name="id347832"></a>
+<a class="indexterm" name="id347838"></a>
+In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you implemented an LDAP server that provided the
+<em class="parameter"><code>passdb backend</code></em> for the Samba servers. You
+explored ways to accelerate Windows desktop profile handling and you
+took control of network performance.
+</p><p>
+<a class="indexterm" name="id347861"></a>
+<a class="indexterm" name="id347868"></a>
+<a class="indexterm" name="id347875"></a>
+<a class="indexterm" name="id347882"></a>
+The implementation of an LDAP-based passdb backend (known as
+<span class="emphasis"><em>ldapsam</em></span> in Samba parlance), or some form of database
+that can be distributed, is essential to permit the deployment of Samba
+Primary and Backup Domain Controllers (PDC/BDCs). You see, the problem
+is that the <span class="emphasis"><em>tdbsam</em></span>-style passdb backend does not
+lend itself to being replicated. The older plain-text-based
+<span class="emphasis"><em>smbpasswd</em></span>-style passdb backend can be replicated
+using a tool such as <code class="literal">rsync</code>, but
+<span class="emphasis"><em>smbpasswd</em></span> suffers the drawback that it does not
+support the range of account facilities demanded by modern network
+managers.
+</p><p>
+<a class="indexterm" name="id347917"></a>
+<a class="indexterm" name="id347923"></a>
+The new <span class="emphasis"><em>tdbsam</em></span> facility supports functionality
+that is similar to an <span class="emphasis"><em>ldapsam</em></span>, but the lack of
+distributed infrastructure sorely limits the scope for its
+deployment. This raises the following questions: Why can't I just use
+an XML-based backend, or for that matter, why not use an SQL-based
+backend? Is support for these tools broken? Answers to these
+questions require a bit of background.</p><p>
+<a class="indexterm" name="id347944"></a>
+<a class="indexterm" name="id347951"></a>
+<a class="indexterm" name="id347958"></a>
+<a class="indexterm" name="id347964"></a>
+<span class="emphasis"><em>What is a directory?</em></span> A directory is a
+collection of information regarding objects that can be accessed to
+rapidly find information that is relevant in a particular and
+consistent manner. A directory differs from a database in that it is
+generally more often searched (read) than updated. As a consequence, the
+information is organized to facilitate read access rather than to
+support transaction processing.</p><p>
+<a class="indexterm" name="id347981"></a>
+<a class="indexterm" name="id347990"></a>
+<a class="indexterm" name="id347997"></a>
+<a class="indexterm" name="id348004"></a>
+The Lightweight Directory Access Protocol (LDAP) differs
+considerably from a traditional database. It has a simple search
+facility that uniquely makes a highly preferred mechanism for managing
+user identities. LDAP provides a scalable mechanism for distributing
+the data repository and for keeping all copies (slaves) in sync with
+the master repository.</p><p>
+<a class="indexterm" name="id348017"></a>
+<a class="indexterm" name="id348024"></a>
+<a class="indexterm" name="id348031"></a>
+Samba is a flexible and powerful file and print sharing
+technology. It can use many external authentication sources and can be
+part of a total authentication and identity management
+infrastructure. The two most important external sources for large sites
+are Microsoft Active Directory and LDAP. Sites that specifically wish to
+avoid the proprietary implications of Microsoft Active Directory
+naturally gravitate toward OpenLDAP.</p><p>
+<a class="indexterm" name="id348044"></a>
+In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you had to deal with a locally routed
+network. All deployment concerns focused around making users happy,
+and that simply means taking control over all network practices and
+usage so that no one user is disadvantaged by any other. The real
+lesson is one of understanding that no matter how much network
+bandwidth you provide, bandwidth remains a precious resource.</p><p>In this chapter, you must now consider how the overall network must
+function. In particular, you must be concerned with users who move
+between offices. You must take into account the way users need to
+access information globally. And you must make the network robust
+enough so that it can sustain partial breakdown without causing loss of
+productivity.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id348070"></a>Technical Issues</h3></div></div></div><p>
+ There are at least three areas that need to be addressed as you
+ approach the challenge of designing a network solution for the newly
+ expanded business:
+ </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id348084"></a>
+ User needs such as mobility and data access</p></li><li><p>The nature of Windows networking protocols</p></li><li><p>Identity management infrastructure needs</p></li></ul></div><p>Let's look at each in turn.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id348107"></a>User Needs</h4></div></div></div><p>
+ The new company has three divisions. Staff for each division are spread across
+ the company. Some staff are office-bound and some are mobile users. Mobile
+ users travel globally. Some spend considerable periods working in other offices.
+ Everyone wants to be able to work without constraint of productivity.
+ </p><p>
+ The challenge is not insignificant. In some parts of the world, even dial-up
+ connectivity is poor, while in other regions political encumbrances severely
+ curtail user needs. Parts of the global Internet infrastructure remain shielded
+ off for reasons outside the scope of this discussion.
+ </p><p>
+ <a class="indexterm" name="id348126"></a>
+ Decisions must be made regarding where data is to be stored, how it will be
+ replicated (if at all), and what the network bandwidth implications are. For
+ example, one decision that can be made is to give each office its own master
+ file storage area that can be synchronized to a central repository in New
+ York. This would permit global data to be backed up from a single location.
+ The synchronization tool could be <code class="literal">rsync,</code> run via a cron
+ job. Mobile users may use off-line file storage under Windows XP Professional.
+ This way, they can synchronize all files that have changed since each logon
+ to the network.
+ </p><p>
+ <a class="indexterm" name="id348147"></a>
+ <a class="indexterm" name="id348157"></a>
+ No matter which way you look at this, the bandwidth requirements
+ for acceptable performance are substantial even if only 10 percent of
+ staff are global data users. A company with 3,500 employees,
+ 280 of whom are mobile users who use a similarly distributed
+ network, found they needed at least 2 Mb/sec connectivity
+ between the UK and US offices. Even over 2 Mb/sec bandwidth, this
+ company abandoned any attempt to run roaming profile usage for
+ mobile users. At that time, the average roaming profile took 480
+ KB, while today the minimum Windows XP Professional roaming
+ profile involves a transfer of over 750 KB from the profile
+ server to and from the client.
+ </p><p>
+ <a class="indexterm" name="id348172"></a>
+ Obviously then, user needs and wide-area practicalities dictate the economic and
+ technical aspects of your network design as well as for standard operating procedures.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id348183"></a>The Nature of Windows Networking Protocols</h4></div></div></div><p>
+ <a class="indexterm" name="id348191"></a>
+ Network logons that include roaming profile handling requires from 140 KB to 2 MB.
+ The inclusion of support for a minimal set of common desktop applications can push
+ the size of a complete profile to over 15 MB. This has substantial implications
+ for location of user profiles. Additionally, it is a significant factor in
+ determining the nature and style of mandatory profiles that may be enforced as
+ part of a total service-level assurance program that might be implemented.
+ </p><p>
+ <a class="indexterm" name="id348207"></a>
+ <a class="indexterm" name="id348214"></a>
+ One way to reduce the network bandwidth impact of user logon
+ traffic is through folder redirection. In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you
+ implemented this in the new Windows XP Professional standard
+ desktop configuration. When desktop folders such as <span class="guimenu">My
+ Documents</span> are redirected to a network drive, they should
+ also be excluded from synchronization to and from the server on
+ logon or logout. Redirected folders are analogous to network drive
+ connections.
+ </p><p><a class="indexterm" name="id348238"></a>
+ Of course, network applications should only be run off
+ local application servers. As a general rule, even with 2 Mb/sec
+ network bandwidth, it would not make sense at all for someone who
+ is working out of the London office to run applications off a
+ server that is located in New York.
+ </p><p>
+ <a class="indexterm" name="id348251"></a>
+ When network bandwidth becomes a precious commodity (that is most
+ of the time), there is a significant demand to understand network
+ processes and to mold the limits of acceptability around the
+ constraints of affordability.
+ </p><p>
+ When a Windows NT4/200x/XP Professional client user logs onto
+ the network, several important things must happen.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id348270"></a>
+ The client obtains an IP address via DHCP. (DHCP is
+ necessary so that users can roam between offices.)
+ </p></li><li><p>
+ <a class="indexterm" name="id348282"></a>
+ <a class="indexterm" name="id348289"></a>
+ The client must register itself with the WINS and/or DNS server.
+ </p></li><li><p>
+ <a class="indexterm" name="id348301"></a>
+ The client must locate the closest domain controller.
+ </p></li><li><p>
+ The client must log onto a domain controller and obtain as part of
+ that process the location of the user's profile, load it, connect to
+ redirected folders, and establish all network drive and printer connections.
+ </p></li><li><p>
+ The domain controller must be able to resolve the user's
+ credentials before the logon process is fully implemented.
+ </p></li></ul></div><p>
+ Given that this book is about Samba and that it implements the Windows
+ NT4-style domain semantics, it makes little sense to compare Samba with
+ Microsoft Active Directory insofar as the logon protocols and principles
+ of operation are concerned. The following information pertains exclusively
+ to the interaction between a Windows XP Professional workstation and a
+ Samba-3.0.20 server. In the discussion that follows, use is made of DHCP and WINS.
+ </p><p>
+ As soon as the Windows workstation starts up, it obtains an
+ IP address. This is immediately followed by registration of its
+ name both by broadcast and Unicast registration that is directed
+ at the WINS server.
+ </p><p>
+ <a class="indexterm" name="id348339"></a>
+ <a class="indexterm" name="id348345"></a><a class="indexterm" name="id348355"></a>
+ Given that the client is already a domain member, it then sends
+ a directed (Unicast) request to the WINS server seeking the list of
+ IP addresses for domain controllers (NetBIOS name type 0x1C). The
+ WINS server replies with the information requested.</p><p>
+ <a class="indexterm" name="id348367"></a>
+ <a class="indexterm" name="id348376"></a>
+ <a class="indexterm" name="id348383"></a>
+ The client sends two netlogon mailslot broadcast requests
+ to the local network and to each of the IP addresses returned by
+ the WINS server. Whichever answers this request first appears to
+ be the machine that the Windows XP client attempts to use to
+ process the network logon. The mailslot messages use UDP broadcast
+ to the local network and UDP Unicast directed at each machine that
+ was listed in the WINS server response to a request for the list of
+ domain controllers.
+ </p><p>
+ <a class="indexterm" name="id348397"></a>
+ <a class="indexterm" name="id348406"></a>
+ <a class="indexterm" name="id348413"></a>
+ The logon process begins with negotiation of the SMB/CIFS
+ protocols that are to be used; this is followed by an exchange of
+ information that ultimately includes the client sending the
+ credentials with which the user is attempting to logon. The logon
+ server must now approve the further establishment of the
+ connection, but that is a good point to halt for now. The priority
+ here must center around identification of network infrastructure
+ needs. A secondary fact we need to know is, what happens when
+ local domain controllers fail or break?
+ </p><p>
+ <a class="indexterm" name="id348428"></a>
+ <a class="indexterm" name="id348435"></a>
+ <a class="indexterm" name="id348441"></a>
+ <a class="indexterm" name="id348448"></a>
+ Under most circumstances, the nearest domain controller
+ responds to the netlogon mailslot broadcast. The exception to this
+ norm occurs when the nearest domain controller is too busy or is out
+ of service. Herein lies an important fact. This means it is
+ important that every network segment should have at least two
+ domain controllers. Since there can be only one PDC, all additional
+ domain controllers are by definition BDCs.
+ </p><p>
+ <a class="indexterm" name="id348461"></a>
+ <a class="indexterm" name="id348468"></a>
+ The provision of sufficient servers that are BDCs is an
+ important design factor. The second important design factor
+ involves how each of the BDCs obtains user authentication
+ data. That is the subject of the next section, which involves key
+ decisions regarding Identity Management facilities.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id348480"></a>Identity Management Needs</h4></div></div></div><p>
+ <a class="indexterm" name="id348488"></a>
+ <a class="indexterm" name="id348494"></a>
+ <a class="indexterm" name="id348501"></a>
+ <a class="indexterm" name="id348508"></a>
+ Network managers recognize that in large organizations users
+ generally need to be given resource access based on needs, while
+ being excluded from other resources for reasons of privacy. It is
+ therefore essential that all users identify themselves at the
+ point of network access. The network logon is the principal means
+ by which user credentials are validated and filtered and appropriate
+ rights and privileges are allocated.
+ </p><p>
+ <a class="indexterm" name="id348522"></a>
+ <a class="indexterm" name="id348529"></a>
+ <a class="indexterm" name="id348535"></a>
+ Unfortunately, network resources tend to have their own Identity
+ Management facilities, the quality and manageability of which varies
+ from quite poor to exceptionally good. Corporations that use a mixture
+ of systems soon discover that until recently, few systems were
+ designed to interoperate. For example, UNIX systems each have an
+ independent user database. Sun Microsystems developed a facility that
+ was originally called <code class="constant">Yellow Pages</code>, and was renamed
+ when a telephone company objected to the use of its trademark.
+ What was once called <code class="constant">Yellow Pages</code> is today known
+ as <code class="constant">Network Information System</code> (NIS).
+ </p><p>
+ <a class="indexterm" name="id348561"></a>
+ NIS gained a strong following throughout the UNIX/VMS space in a short
+ period of time and retained that appeal and use for over a decade.
+ Security concerns and inherent limitations have caused it to enter its
+ twilight. NIS did not gain widespread appeal outside of the UNIX world
+ and was not universally adopted. Sun updated this to a more secure
+ implementation called NIS+, but even it has fallen victim to changing
+ demands as the demand for directory services that can be coupled with
+ other information systems is catching on.
+ </p><p>
+ <a class="indexterm" name="id348580"></a>
+ <a class="indexterm" name="id348587"></a>
+ <a class="indexterm" name="id348593"></a>
+ Nevertheless, both NIS and NIS+ continue to hold ground in
+ business areas where UNIX still has major sway. Examples of
+ organizations that remain firmly attached to the use of NIS and
+ NIS+ include large government departments, education institutions,
+ and large corporations that have a scientific or engineering
+ focus.
+ </p><p>
+ <a class="indexterm" name="id348606"></a>
+ <a class="indexterm" name="id348613"></a>
+ Today's networking world needs a scalable, distributed Identity
+ Management infrastructure, commonly called a directory. The most
+ popular technologies today are Microsoft Active Directory service
+ and a number of LDAP implementations.
+ </p><p>
+ <a class="indexterm" name="id348625"></a>
+ The problem of managing multiple directories has become a focal
+ point over the past decade, creating a large market for
+ metadirectory products and services that allow organizations that
+ have multiple directories and multiple management and control
+ centers to provision information from one directory into
+ another. The attendant benefit to end users is the promise of
+ having to remember and deal with fewer login identities and
+ passwords.</p><p>
+ <a class="indexterm" name="id348639"></a>
+ The challenge of every large network is to find the optimum
+ balance of internal systems and facilities for Identity
+ Management resources. How well the solution is chosen and
+ implemented has potentially significant impact on network bandwidth
+ and systems response needs.</p><p>
+ <a class="indexterm" name="id348654"></a>
+ <a class="indexterm" name="id348661"></a>
+ <a class="indexterm" name="id348670"></a>
+ In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you implemented a single LDAP server for the
+ entire network. This may work for smaller networks, but almost
+ certainly fails to meet the needs of large and complex networks. The
+ following section documents how you may implement a single
+ master LDAP server with multiple slave servers.</p><p>
+ What is the best method for implementing master/slave LDAP
+ servers within the context of a distributed 2,000-user network is a
+ question that remains to be answered.</p><p>
+ <a class="indexterm" name="id348695"></a>
+ <a class="indexterm" name="id348702"></a>
+ One possibility that has great appeal is to create a single,
+ large distributed domain. The practical implications of this
+ design (see <a href="2000users.html#chap7net" title="Figure 6.6. Network Topology 2000 User Complex Design A">???</a>) demands the placement of
+ sufficient BDCs in each location. Additionally, network
+ administrators must make sure that profiles are not transferred
+ over the wide-area links, except as a totally unavoidable
+ measure. Network design must balance the risk of loss of user
+ productivity against the cost of network management and
+ maintenance.
+ </p><p>
+ <a class="indexterm" name="id348723"></a>
+ The network design in <a href="2000users.html#chap7net2" title="Figure 6.7. Network Topology 2000 User Complex Design B">???</a> takes the approach
+ that management of networks that are too remote to be managed
+ effectively from New York ought to be given a certain degree of
+ autonomy. With this rationale, the Los Angeles and London networks,
+ though fully integrated with those on the East Coast, each have their
+ own domain name space and can be independently managed and controlled.
+ One of the key drawbacks of this design is that it flies in the face of
+ the ability for network users to roam globally without some compromise
+ in how they may access global resources.
+ </p><p>
+ <a class="indexterm" name="id348748"></a>
+ Desk-bound users need not be negatively affected by this design, since
+ the use of interdomain trusts can be used to satisfy the need for global
+ data sharing.
+ </p><p>
+ <a class="indexterm" name="id348759"></a>
+ <a class="indexterm" name="id348766"></a>
+ <a class="indexterm" name="id348775"></a>
+ When Samba-3 is configured to use an LDAP backend, it stores the domain
+ account information in a directory entry. This account entry contains the
+ domain SID. An unintended but exploitable side effect is that this makes it
+ possible to operate with more than one PDC on a distributed network.
+ </p><p>
+ <a class="indexterm" name="id348788"></a>
+ <a class="indexterm" name="id348795"></a>
+ <a class="indexterm" name="id348801"></a>
+ How might this peculiar feature be exploited? The answer is simple. It is
+ imperative that each network segment have its own WINS server. Major
+ servers on remote network segments can be given a static WINS entry in
+ the <code class="filename">wins.dat</code> file on each WINS server. This allows
+ all essential data to be visible from all locations. Each location would,
+ however, function as if it is an independent domain, while all sharing the
+ same domain SID. Since all domain account information can be stored in a
+ single LDAP backend, users have unfettered ability to roam.
+ </p><p>
+ <a class="indexterm" name="id348822"></a>
+ <a class="indexterm" name="id348831"></a>
+ This concept has not been exhaustively validated, though we can see no reason
+ why this should not work. The important facets are the following: The name of
+ the domain must be identical in all locations. Each network segment must have
+ its own WINS server. The name of the PDC must be the same in all locations; this
+ necessitates the use of NetBIOS name aliases for each PDC so that they can be
+ accessed globally using the alias and not the PDC's primary name. A single master
+ LDAP server can be based in New York, with multiple LDAP slave servers located
+ on every network segment. Finally, the BDCs should each use failover LDAP servers
+ that are in fact slave LDAP servers on the local segments.
+ </p><p>
+ <a class="indexterm" name="id348847"></a>
+ <a class="indexterm" name="id348856"></a>
+ <a class="indexterm" name="id348863"></a>
+ <a class="indexterm" name="id348872"></a>
+ With a single master LDAP server, all network updates are effected on a single
+ server. In the event that this should become excessively fragile or network
+ bandwidth limiting, one could implement a delegated LDAP domain. This is also
+ known as a partitioned (or multiple partition) LDAP database and as a distributed
+ LDAP directory.
+ </p><p>
+ As the LDAP directory grows, it becomes increasingly important
+ that its structure is implemented in a manner that mirrors
+ organizational needs, so as to limit network update and
+ referential traffic. It should be noted that all directory
+ administrators must of necessity follow the same standard
+ procedures for managing the directory, because retroactive correction of
+ inconsistent directory information can be exceedingly difficult.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id348898"></a>Political Issues</h3></div></div></div><p>
+ As organizations grow, the number of points of control increases
+ also. In a large distributed organization, it is important that the
+ Identity Management system be capable of being updated from
+ many locations, and it is equally important that changes made should
+ become usable in a reasonable period, typically
+ minutes rather than days (the old limitation of highly manual
+ systems).
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id348912"></a>Implementation</h2></div></div></div><p>
+ <a class="indexterm" name="id348920"></a>
+ <a class="indexterm" name="id348927"></a>
+ <a class="indexterm" name="id348934"></a>
+ <a class="indexterm" name="id348940"></a>
+ Samba-3 has the ability to use multiple password (authentication and
+ identity resolution) backends. The diagram in <a href="2000users.html#chap7idres" title="Figure 6.1. Samba and Authentication Backend Search Pathways">???</a>
+ demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system
+ password database. The diagram only documents the mechanisms for
+ authentication and identity resolution (obtaining a UNIX UID/GID)
+ using the specific systems shown.
+ </p><div class="figure"><a name="chap7idres"></a><p class="title"><b>Figure 6.1. Samba and Authentication Backend Search Pathways</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-idresol.png" width="297" alt="Samba and Authentication Backend Search Pathways"></div></div></div><br class="figure-break"><p>
+ <a class="indexterm" name="id349000"></a>
+ <a class="indexterm" name="id349006"></a>
+ <a class="indexterm" name="id349013"></a>
+ <a class="indexterm" name="id349020"></a>
+ <a class="indexterm" name="id349027"></a>
+ <a class="indexterm" name="id349034"></a>
+ <a class="indexterm" name="id349040"></a>
+ Samba is capable of using the <code class="constant">smbpasswd</code>,
+ <code class="constant">tdbsam</code>, <code class="constant">xmlsam</code>,
+ and <code class="constant">mysqlsam</code> authentication databases. The SMB
+ passwords can, of course, also be stored in an LDAP ldapsam
+ backend. LDAP is the preferred passdb backend for distributed network
+ operations.
+ </p><p>
+ <a class="indexterm" name="id349066"></a>
+ Additionally, it is possible to use multiple passdb backends
+ concurrently as well as have multiple LDAP backends. As a result, you
+ can specify a failover LDAP backend. The syntax for specifying a
+ single LDAP backend in <code class="filename">smb.conf</code> is:
+</p><pre class="screen">
+...
+passdb backend = ldapsam:ldap://master.abmas.biz
+...
+</pre><p>
+ This configuration tells Samba to use a single LDAP server, as shown in <a href="2000users.html#ch7singleLDAP" title="Figure 6.2. Samba Configuration to Use a Single LDAP Server">???</a>.
+ </p><div class="figure"><a name="ch7singleLDAP"></a><p class="title"><b>Figure 6.2. Samba Configuration to Use a Single LDAP Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-singleLDAP.png" width="351" alt="Samba Configuration to Use a Single LDAP Server"></div></div></div><p><br class="figure-break">
+ <a class="indexterm" name="id349134"></a>
+ <a class="indexterm" name="id349144"></a>
+ The addition of a failover LDAP server can simply be done by adding a
+ second entry for the failover server to the single <em class="parameter"><code>ldapsam</code></em>
+ entry, as shown here (note the particular use of the double quotes):
+</p><pre class="screen">
+...
+passdb backend = ldapsam:"ldap://master.abmas.biz \
+ ldap://slave.abmas.biz"
+...
+</pre><p>
+ This configuration tells Samba to use a master LDAP server, with failover to a slave server if necessary,
+ as shown in <a href="2000users.html#ch7dualLDAP" title="Figure 6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server">???</a>.
+ </p><div class="figure"><a name="ch7dualLDAP"></a><p class="title"><b>Figure 6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-fail-overLDAP.png" width="351" alt="Samba Configuration to Use a Dual (Fail-over) LDAP Server"></div></div></div><p><br class="figure-break">
+ </p><p>
+ Some folks have tried to implement this without the use of double quotes. This is the type of entry they
+ created:
+</p><pre class="screen">
+...
+passdb backend = ldapsam:ldap://master.abmas.biz \
+ ldapsam:ldap://slave.abmas.biz
+...
+</pre><p>
+ <a class="indexterm" name="id349224"></a>
+ The effect of this style of entry is that Samba lists the users
+ that are in both LDAP databases. If both contain the same information,
+ it results in each record being shown twice. This is, of course, not the
+ solution desired for a failover implementation. The net effect of this
+ configuration is shown in <a href="2000users.html#ch7dualadd" title="Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!">???</a>
+ </p><div class="figure"><a name="ch7dualadd"></a><p class="title"><b>Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP.png" width="297" alt="Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!"></div></div></div><br class="figure-break"><p>
+ If, however, each LDAP database contains unique information, this may
+ well be an advantageous way to effectively integrate multiple LDAP databases
+ into one seemingly contiguous directory. Only the first database will be updated.
+ An example of this configuration is shown in <a href="2000users.html#ch7dualok" title="Figure 6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.">???</a>.
+ </p><div class="figure"><a name="ch7dualok"></a><p class="title"><b>Figure 6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP-Ok.png" width="297" alt="Samba Configuration to Use Two LDAP Databases - The result is additive."></div></div></div><br class="figure-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ When the use of ldapsam is specified twice, as shown here, it is imperative
+ that the two LDAP directories must be disjoint. If the entries are for a
+ master LDAP server as well as its own slave server, updates to the LDAP
+ database may end up being lost or corrupted. You may safely use multiple
+ LDAP backends only if both are entirely separate from each other.
+ </p></div><p>
+ It is assumed that the network you are working with follows in a
+ pattern similar to what was covered in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>. The following steps
+ permit the operation of a master/slave OpenLDAP arrangement.
+ </p><div class="procedure"><a name="id349353"></a><p class="title"><b>Procedure 6.1. Implementation Steps for an LDAP Slave Server</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id349364"></a>
+ <a class="indexterm" name="id349371"></a>
+ Log onto the master LDAP server as <code class="constant">root</code>.
+ You are about to change the configuration of the LDAP server, so it
+ makes sense to temporarily halt it. Stop OpenLDAP from running on
+ SUSE Linux by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap stop
+</pre><p>
+ On Red Hat Linux, you can do this by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> service ldap stop
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id349414"></a>
+ Edit the <code class="filename">/etc/openldap/slapd.conf</code> file so it
+ matches the content of <a href="2000users.html#ch7-LDAP-master" title="Example 6.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf">???</a>.
+ </p></li><li><p>
+ Create a file called <code class="filename">admin-accts.ldif</code> with the following contents:
+</p><pre class="screen">
+dn: cn=updateuser,dc=abmas,dc=biz
+objectClass: person
+cn: updateuser
+sn: updateuser
+userPassword: not24get
+
+dn: cn=sambaadmin,dc=abmas,dc=biz
+objectClass: person
+cn: sambaadmin
+sn: sambaadmin
+userPassword: buttercup
+</pre><p>
+ </p></li><li><p>
+ Add an account called &#8220;<span class="quote">updateuser</span>&#8221; to the master LDAP server as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapadd -v -l admin-accts.ldif
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id349483"></a>
+ <a class="indexterm" name="id349490"></a>
+ Change directory to a suitable place to dump the contents of the
+ LDAP server. The dump file (and LDIF file) is used to preload
+ the slave LDAP server database. You can dump the database by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapcat -v -l LDAP-transfer-LDIF.txt
+</pre><p>
+ Each record is written to the file.
+ </p></li><li><p>
+ <a class="indexterm" name="id349520"></a>
+ Copy the file <code class="filename">LDAP-transfer-LDIF.txt</code> to the intended
+ slave LDAP server. A good location could be in the directory
+ <code class="filename">/etc/openldap/preload</code>.
+ </p></li><li><p>
+ Log onto the slave LDAP server as <code class="constant">root</code>. You can
+ now configure this server so the <code class="filename">/etc/openldap/slapd.conf</code>
+ file matches the content of <a href="2000users.html#ch7-LDAP-slave" title="Example 6.2. LDAP Slave Configuration File /etc/openldap/slapd.conf">???</a>.
+ </p></li><li><p>
+ Change directory to the location in which you stored the
+ <code class="filename">LDAP-transfer-LDIF.txt</code> file (<code class="filename">/etc/openldap/preload</code>).
+ While in this directory, execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapadd -v -l LDAP-transfer-LDIF.txt
+</pre><p>
+ If all goes well, the following output confirms that the data is being loaded
+ as intended:
+</p><pre class="screen">
+added: "dc=abmas,dc=biz" (00000001)
+added: "cn=sambaadmin,dc=abmas,dc=biz" (00000002)
+added: "cn=updateuser,dc=abmas,dc=biz" (00000003)
+added: "ou=People,dc=abmas,dc=biz" (00000004)
+added: "ou=Groups,dc=abmas,dc=biz" (00000005)
+added: "ou=Computers,dc=abmas,dc=biz" (00000006)
+added: "uid=Administrator,ou=People,dc=abmas,dc=biz" (00000007)
+added: "uid=nobody,ou=People,dc=abmas,dc=biz" (00000008)
+added: "cn=Domain Admins,ou=Groups,dc=abmas,dc=biz" (00000009)
+added: "cn=Domain Users,ou=Groups,dc=abmas,dc=biz" (0000000a)
+added: "cn=Domain Guests,ou=Groups,dc=abmas,dc=biz" (0000000b)
+added: "uid=bobj,ou=People,dc=abmas,dc=biz" (0000000c)
+added: "sambaDomainName=MEGANET2,dc=abmas,dc=biz" (0000000d)
+added: "uid=stans,ou=People,dc=abmas,dc=biz" (0000000e)
+added: "uid=chrisr,ou=People,dc=abmas,dc=biz" (0000000f)
+added: "uid=maryv,ou=People,dc=abmas,dc=biz" (00000010)
+added: "cn=Accounts,ou=Groups,dc=abmas,dc=biz" (00000011)
+added: "cn=Finances,ou=Groups,dc=abmas,dc=biz" (00000012)
+added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013)
+</pre><p>
+ </p></li><li><p>
+ Now start the LDAP server and set it to run automatically on system reboot by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap start
+<code class="prompt">root# </code> chkconfig ldap on
+</pre><p>
+ On Red Hat Linux, execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> service ldap start
+<code class="prompt">root# </code> chkconfig ldap on
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id349658"></a>
+ <a class="indexterm" name="id349665"></a>
+ <a class="indexterm" name="id349672"></a>
+ Go back to the master LDAP server. Execute the following to start LDAP as well
+ as <code class="literal">slurpd</code>, the synchronization daemon, as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap start
+<code class="prompt">root# </code> chkconfig ldap on
+<code class="prompt">root# </code> rcslurpd start
+<code class="prompt">root# </code> chkconfig slurpd on
+</pre><p>
+ <a class="indexterm" name="id349715"></a>
+ On Red Hat Linux, check the equivalent command to start <code class="literal">slurpd</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id349735"></a>
+ On the master LDAP server you may now add an account to validate that replication
+ is working. Assuming the configuration shown in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> /var/lib/samba/sbin/smbldap-useradd -a fruitloop
+</pre><p>
+ </p></li><li><p>
+ On the slave LDAP server, change to the directory <code class="filename">/var/lib/ldap</code>.
+ There should now be a file called <code class="filename">replogfile</code>. If replication worked
+ as expected, the content of this file should be:
+</p><pre class="screen">
+time: 1072486403
+dn: uid=fruitloop,ou=People,dc=abmas,dc=biz
+changetype: modify
+replace: sambaProfilePath
+sambaProfilePath: \\MASSIVE\profiles\fruitloop
+-
+replace: sambaHomePath
+sambaHomePath: \\MASSIVE\homes
+-
+replace: entryCSN
+entryCSN: 2003122700:43:38Z#0x0005#0#0000
+-
+replace: modifiersName
+modifiersName: cn=Manager,dc=abmas,dc=biz
+-
+replace: modifyTimestamp
+modifyTimestamp: 20031227004338Z
+-
+</pre><p>
+ </p></li><li><p>
+ Given that this first slave LDAP server is now working correctly, you may now
+ implement additional slave LDAP servers as required.
+ </p></li><li><p>
+ On each machine (PDC and BDCs) after the respective <code class="filename">smb.conf</code> files have been created as shown in
+ <a href="2000users.html#ch7-massmbconfA" title="Example 6.3. Primary Domain Controller smb.conf File Part A">Primary Domain Controller <code class="filename">smb.conf</code> File Part A + B + C</a> and
+ on BDCs the <a href="2000users.html#ch7-slvsmbocnfA" title="Example 6.6. Backup Domain Controller smb.conf File Part A">Backup Domain Controller <code class="filename">smb.conf</code> File Part A
+ + B + C</a> execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -w buttercup
+</pre><p>
+ This will install in the <code class="filename">secrets.tdb</code> file the password that Samba will need to
+ manage (write to) the LDAP Master server to perform account updates.
+ </p></li></ol></div><div class="example"><a name="ch7-LDAP-master"></a><p class="title"><b>Example 6.1. LDAP Master Server Configuration File <code class="filename">/etc/openldap/slapd.conf</code></b></p><div class="example-contents"><pre class="screen">
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+database bdb
+suffix "dc=abmas,dc=biz"
+rootdn "cn=Manager,dc=abmas,dc=biz"
+
+# rootpw = not24get
+rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
+
+replica host=lapdc.abmas.biz:389
+ suffix="dc=abmas,dc=biz"
+ binddn="cn=updateuser,dc=abmas,dc=biz"
+ bindmethod=simple credentials=not24get
+
+access to attrs=sambaLMPassword,sambaNTPassword
+ by dn="cn=sambaadmin,dc=abmas,dc=biz" write
+ by * none
+
+replogfile /var/lib/ldap/replogfile
+
+directory /var/lib/ldap
+
+# Indices to maintain
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</pre></div></div><br class="example-break"><div class="example"><a name="ch7-LDAP-slave"></a><p class="title"><b>Example 6.2. LDAP Slave Configuration File <code class="filename">/etc/openldap/slapd.conf</code></b></p><div class="example-contents"><pre class="screen">
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+database bdb
+suffix "dc=abmas,dc=biz"
+rootdn "cn=Manager,dc=abmas,dc=biz"
+
+# rootpw = not24get
+rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
+
+access to *
+ by dn=cn=updateuser,dc=abmas,dc=biz write
+ by * read
+
+updatedn cn=updateuser,dc=abmas,dc=biz
+updateref ldap://massive.abmas.biz
+
+directory /var/lib/ldap
+
+# Indices to maintain
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</pre></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfA"></a><p class="title"><b>Example 6.3. Primary Domain Controller <code class="filename">smb.conf</code> File Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id349965"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id349978"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id349990"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id350003"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id350016"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id350028"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id350041"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id350054"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id350066"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id350079"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id350091"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id350104"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id350116"></a><em class="parameter"><code>add user script = 
/opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id350129"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id350142"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id350155"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id350168"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id350181"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id350194"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id350208"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id350221"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id350233"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id350246"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id350259"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id350272"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id350284"></a><em class="parameter"><code>domain logons = 
Yes</code></em></td></tr><tr><td><a class="indexterm" name="id350297"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id350309"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id350322"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id350334"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id350347"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id350360"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id350372"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id350385"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id350398"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id350411"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id350423"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id350436"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id350448"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfB"></a><p class="title"><b>Example 6.4. 
Primary Domain Controller <code class="filename">smb.conf</code> File Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[IPC$]</code></em></td></tr><tr><td><a class="indexterm" name="id350494"></a><em class="parameter"><code>path = /tmp</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id350515"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id350528"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id350540"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id350562"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id350575"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id350587"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id350609"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id350621"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id350634"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id350655"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id350668"></a><em 
class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id350680"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id350693"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id350714"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id350727"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id350740"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id350752"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id350765"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfC"></a><p class="title"><b>Example 6.5. 
Primary Domain Controller <code class="filename">smb.conf</code> File Part C</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id350811"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id350823"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id350836"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id350848"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id350870"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id350882"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id350895"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id350908"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id350920"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id350942"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id350954"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id350967"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id350980"></a><em class="parameter"><code>profile acls = 
Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id351001"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id351014"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id351026"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id351039"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id351060"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id351073"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id351086"></a><em class="parameter"><code>write list = root</code></em></td></tr><tr><td><a class="indexterm" name="id351098"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-slvsmbocnfA"></a><p class="title"><b>Example 6.6. 
Backup Domain Controller <code class="filename">smb.conf</code> File Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># # Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id351147"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id351160"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id351172"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id351185"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id351198"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id351210"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id351223"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id351236"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id351248"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id351261"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id351273"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id351286"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id351298"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id351311"></a><em class="parameter"><code>logon script = 
scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id351324"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id351336"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id351349"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id351362"></a><em class="parameter"><code>os level = 63</code></em></td></tr><tr><td><a class="indexterm" name="id351374"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id351387"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id351399"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id351412"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id351425"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id351437"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id351450"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id351463"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id351475"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id351488"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id351501"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id351513"></a><em class="parameter"><code>idmap gid = 
10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id351526"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id351547"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id351560"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id351572"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id351594"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id351607"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id351619"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-slvsmbocnfB"></a><p class="title"><b>Example 6.7. 
Backup Domain Controller <code class="filename">smb.conf</code> File Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id351665"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id351678"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id351690"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id351712"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id351724"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id351737"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id351749"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id351771"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id351784"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id351796"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id351809"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id351821"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id351843"></a><em 
class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id351855"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id351868"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id351880"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id351902"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id351914"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id351927"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id351940"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id351961"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id351974"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id351986"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id351999"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id352020"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id352033"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id352046"></a><em class="parameter"><code>read only = 
No</code></em></td></tr><tr><td><a class="indexterm" name="id352058"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id352072"></a>Key Points Learned</h3></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id352083"></a><a class="indexterm" name="id352088"></a>
+ Where Samba-3 is used as a domain controller, the use of LDAP is an
+ essential component to permit the use of BDCs.
+ </p></li><li><p>
+ <a class="indexterm" name="id352100"></a>
+ Replication of the LDAP master server to create a network of BDCs
+ is an important mechanism for limiting WAN traffic.
+ </p></li><li><p>
+ Network administration presents many complex challenges, most of which
+ can be satisfied by good design but that also require sound communication
+ and unification of management practices. This can be highly challenging in
+ a large, globally distributed network.
+ </p></li><li><p>
+ Roaming profiles must be contained to the local network segment. Any
+ departure from this may clog wide-area arteries and slow legitimate network
+ traffic to a crawl.
+ </p></li></ul></div></div><div class="figure"><a name="chap7net"></a><p class="title"><b>Figure 6.6. Network Topology 2000 User Complex Design A</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-net-Ar.png" width="432" alt="Network Topology 2000 User Complex Design A"></div></div></div><br class="figure-break"><div class="figure"><a name="chap7net2"></a><p class="title"><b>Figure 6.7. Network Topology 2000 User Complex Design B</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-net2-Br.png" width="432" alt="Network Topology 2000 User Complex Design B"></div></div></div><br class="figure-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id352211"></a>Questions and Answers</h2></div></div></div><p>
+ There is much rumor and misinformation regarding the use of MS Windows networking protocols.
+ These questions are just a few of those frequently asked.
+ </p><div class="qandaset"><dl><dt> <a href="2000users.html#id352228">
+
+
+ Is it true that DHCP uses lots of WAN bandwidth?
+ </a></dt><dt> <a href="2000users.html#id352348">
+
+
+ How much background communication takes place between a master LDAP server and its slave LDAP servers?
+ </a></dt><dt> <a href="2000users.html#id352405">
+ LDAP has a database. Is LDAP not just a fancy database front end?
+ </a></dt><dt> <a href="2000users.html#id352462">
+
+ Can Active Directory obtain account information from an OpenLDAP server?
+ </a></dt><dt> <a href="2000users.html#id352494">
+ What are the parts of a roaming profile? How large is each part?
+ </a></dt><dt> <a href="2000users.html#id352635">
+ Can the My Documents folder be stored on a network drive?
+ </a></dt><dt> <a href="2000users.html#id352680">
+
+
+
+ How much WAN bandwidth does WINS consume?
+ </a></dt><dt> <a href="2000users.html#id352756">
+ How many BDCs should I have? What is the right number of Windows clients per server?
+ </a></dt><dt> <a href="2000users.html#id352784">
+
+ I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
+ run an NIS server?
+ </a></dt><dt> <a href="2000users.html#id352815">
+ Can I use NIS in place of LDAP?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id352228"></a><a name="id352230"></a></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352234"></a>
+ <a class="indexterm" name="id352241"></a>
+ Is it true that DHCP uses lots of WAN bandwidth?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352257"></a>
+ <a class="indexterm" name="id352266"></a>
+ <a class="indexterm" name="id352273"></a>
+ It is a smart practice to localize DHCP servers on each network segment. As a
+ rule, there should be two DHCP servers per network segment. This means that if
+ one server fails, there is always another to service user needs. DHCP requests use
+ only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network
+ routers. This makes it possible to run fewer DHCP servers.
+ </p><p>
+ <a class="indexterm" name="id352289"></a>
+ <a class="indexterm" name="id352298"></a>
+ A DHCP network address request and confirmation usually results in about six UDP packets.
+ The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP
+ clients and that uses a 24-hour IP address lease. This means that all clients renew
+ their IP address lease every 24 hours. If we assume an average packet length equal to the
+ maximum (just to be on the safe side), and we have a 128 Kb/sec wide-area connection,
+ how significant would the DHCP traffic be if all of it were to use DHCP Relay?
+ </p><p>
+ I must stress that this is a bad design, but here is the calculation:
+</p><pre class="screen">
+Daily Network Capacity: 128,000 (Kbits/s) / 8 (bits/byte)
+ x 3600 (sec/hr) x 24 (hrs/day)= 2288 Mbytes/day.
+
+DHCP traffic: 300 (clients) x 6 (packets)
+ x 512 (bytes/packet) = 0.9 Mbytes/day.
+</pre><p>
+ From this can be seen that the traffic impact would be minimal.
+ </p><p>
+ <a class="indexterm" name="id352327"></a>
+ <a class="indexterm" name="id352336"></a>
+ Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link,
+ the impact of the update is no more than the DHCP IP address renewal traffic and thus
+ still insignificant for most practical purposes.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352348"></a><a name="id352350"></a></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352355"></a>
+ <a class="indexterm" name="id352362"></a>
+ How much background communication takes place between a master LDAP server and its slave LDAP servers?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352381"></a>
+ The process that controls the replication of data from the master LDAP server to the slave LDAP
+ servers is called <code class="literal">slurpd</code>. The <code class="literal">slurpd</code> remains nascent (quiet)
+ until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete)
+ two user accounts requires less than 10KB traffic.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352405"></a><a name="id352408"></a></td><td align="left" valign="top"><p>
+ LDAP has a database. Is LDAP not just a fancy database front end?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352419"></a>
+ <a class="indexterm" name="id352426"></a>
+ <a class="indexterm" name="id352435"></a>
+ <a class="indexterm" name="id352441"></a>
+ LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific
+ data storage system. This type of database is indexed so that records can be rapidly located, but the
+ database is not generic and can be used only in particular pre-programmed ways. General external
+ applications do not gain access to the data. This type of database is used also by SQL servers. Both
+ an SQL server and an LDAP server provide ways to access the data. An SQL server has a transactional
+ orientation and typically allows external programs to perform ad hoc queries, even across data tables.
+ An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific
+ simple queries. The term <code class="constant">database</code> is heavily overloaded and thus much misunderstood.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352462"></a><a name="id352464"></a></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352468"></a>
+ Can Active Directory obtain account information from an OpenLDAP server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352482"></a>
+ No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP
+ database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface
+ to OpenLDAP using standard LDAP queries and updates.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352494"></a><a name="id352497"></a></td><td align="left" valign="top"><p>
+ What are the parts of a roaming profile? How large is each part?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id352507"></a>
+ A roaming profile consists of
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Desktop folders such as <code class="constant">Desktop</code>, <code class="constant">My Documents</code>,
+ <code class="constant">My Pictures</code>, <code class="constant">My Music</code>, <code class="constant">Internet Files</code>,
+ <code class="constant">Cookies</code>, <code class="constant">Application Data</code>,
+ <code class="constant">Local Settings,</code> and more. See <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, <a href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">???</a>.
+ </p><p>
+ <a class="indexterm" name="id352566"></a>
+ Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
+ such folders can be redirected to network drive resources. See <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a>
+ for more information regarding folder redirection.
+ </p></li><li><p>
+ A static or rewritable portion that is typically only a few files (2-5 KB of information).
+ </p></li><li><p>
+ <a class="indexterm" name="id352590"></a>
+ <a class="indexterm" name="id352596"></a>
+ The registry load file that modifies the <code class="constant">HKEY_LOCAL_USER</code> hive. This is
+ the <code class="filename">NTUSER.DAT</code> file. It can be from 0.4 to 1.5 MB.
+ </p></li></ul></div><p>
+ <a class="indexterm" name="id352618"></a>
+ Microsoft Outlook PST files may be stored in the <code class="constant">Local Settings\Application Data</code>
+ folder. It can be up to 2 GB in size per PST file.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352635"></a><a name="id352637"></a></td><td align="left" valign="top"><p>
+ Can the <code class="constant">My Documents</code> folder be stored on a network drive?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352652"></a>
+ <a class="indexterm" name="id352659"></a>
+ Yes. More correctly, such folders can be redirected to network shares. No specific network drive
+ connection is required. Registry settings permit this to be redirected directly to a UNC (Universal
+ Naming Convention) resource, though it is possible to specify a network drive letter instead of a
+ UNC name. See <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a>.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352680"></a><a name="id352682"></a></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352686"></a>
+ <a class="indexterm" name="id352693"></a>
+ <a class="indexterm" name="id352702"></a>
+ How much WAN bandwidth does WINS consume?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352716"></a>
+ <a class="indexterm" name="id352725"></a>
+ <a class="indexterm" name="id352732"></a>
+ MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache.
+ This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS
+ server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day,
+ was less than 30 KB/sec. Analysis of network traffic over a 6-week period showed that the total
+ of all background traffic consumed about 11 percent of available bandwidth over 64 Kb/sec links.
+ Background traffic consisted of domain replication, WINS queries, DNS lookups, and authentication
+ traffic. Each of 11 branch offices had a 64 Kb/sec wide-area link, with a 1.5 Mb/sec main connection
+ that aggregated the branch office connections plus an Internet connection.
+ </p><p>
+ In conclusion, the total load afforded through WINS traffic is again marginal to total operational
+ usage as it should be.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352756"></a><a name="id352759"></a></td><td align="left" valign="top"><p>
+ How many BDCs should I have? What is the right number of Windows clients per server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ It is recommended to have at least one BDC per network segment, including the segment served
+ by the PDC. Actual requirements vary depending on the working load on each of the BDCs and the
+ load demand pattern of client usage. I have seen sites that function without problem with 200
+ clients served by one BDC, and yet other sites that had one BDC per 20 clients. In one particular
+ company, there was a drafting office that had 30 CAD/CAM operators served by one server, a print
+ server; and an application server. While all three were BDCs, typically only the print server would
+ service network logon requests after the first 10 users had started to use the network. This was
+ a reflection of the service load placed on both the application server and the data server.
+ </p><p>
+ As unsatisfactory as the answer might sound, it all depends on network and server load
+ characteristics.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352784"></a><a name="id352786"></a></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352791"></a><a class="indexterm" name="id352796"></a>
+ I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
+ run an NIS server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The correct answer to both questions is yes. But do understand that an LDAP server has
+ a configurable schema that can store far more information for many more purposes than
+ just NIS.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352815"></a><a name="id352817"></a></td><td align="left" valign="top"><p>
+ Can I use NIS in place of LDAP?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id352828"></a>
+ <a class="indexterm" name="id352835"></a>
+ No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal
+ with the types of data necessary for interoperability with Microsoft Windows networking. The use
+ of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also
+ a Samba-specific schema extension.
+ </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Making Happy Users </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Domain Members, Updating Samba and Migration</td></tr></table></div></body></html>
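Review bot: the DHCP bandwidth calculation in the <pre class="screen"> block of the first Q&A answer is wrong on both the unit label and the result. It writes the 128 Kb/sec link as "128,000 (Kbits/s)", which would be 128 Mb/s; the figure is 128,000 bits/s. With that value, 128,000 / 8 x 3600 x 24 = 1,382,400,000 bytes, roughly 1382 Mbytes/day, not the "2288 Mbytes/day" shown. The DHCP side (300 x 6 x 512 = 0.9 Mbytes/day) is right, so the conclusion that relayed DHCP traffic is negligible still stands, but the daily capacity line should be corrected so readers who redo the arithmetic do not lose confidence in the rest of the answer. Two further points in this hunk: the roaming-profile answer says NTUSER.DAT "modifies the HKEY_LOCAL_USER hive"; there is no such hive, the file is loaded as HKEY_CURRENT_USER (under HKEY_USERS for the logged-on SID), so the constant should read <code class="constant">HKEY_CURRENT_USER</code>. And several cross-references to happy.html render as the literal text "???" (the "See ???, ???." in the roaming-profile answer, and "See ???." in the My Documents answer), which means the DocBook build did not resolve those xref targets; the HTML should be regenerated rather than shipped with unresolved links. Minor, on the smb.conf listings: the [apps] share sets "admin users = bjones", which makes every file operation that user performs on the share run as root; a sentence in the surrounding text saying that this is a deliberate, single-user grant would help readers who copy the example.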
diff --git a/docs/htmldocs/Samba3-ByExample/Big500users.html b/docs/htmldocs/Samba3-ByExample/Big500users.html
new file mode 100644
index 0000000000..284129f125
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/Big500users.html
@@ -0,0 +1,1164 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. The 500-User Office</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="secure.html" title="Chapter 3. Secure Office Networking"><link rel="next" href="happy.html" title="Chapter 5. Making Happy Users"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. The 500-User Office</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="secure.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="happy.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Big500users"></a>Chapter 4. 
The 500-User Office</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="Big500users.html#id330645">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id330675">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id330756">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id330784">Technical Issues</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id330961">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id330980">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#ch5-dnshcp-setup">Installation of DHCP, DNS, and Samba Control Files</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id331694">Server Preparation: All Servers</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id332210">Server-Specific Preparation</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id335273">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id335326">Questions and Answers</a></span></dt></dl></div><p>
+ The Samba-3 networking you explored in <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a> covers the finer points of
+ configuration of peripheral services such as DHCP and DNS, and WINS. You experienced
+ implementation of a simple configuration of the services that are important adjuncts
+ to successful deployment of Samba.
+ </p><p>
+ An analysis of the history of postings to the Samba mailing list easily demonstrates
+ that the two most prevalent Samba problem areas are
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Defective resolution of a NetBIOS name to its IP address
+ </p></li><li><p>
+ Printing problems
+ </p></li></ul></div><p>
+ The exercises
+ so far in this book have focused on implementation of the simplest printing processes
+ involving no print job processing intelligence. In this chapter, you maintain
+ that same approach to printing, but <a href="happy.html" title="Chapter 5. Making Happy Users">???</a> presents an opportunity
+ to make printing more complex for the administrator while making it easier for the user.
+ </p><p>
+ <a class="indexterm" name="id330592"></a>
+ <a class="indexterm" name="id330598"></a>
+ <a class="indexterm" name="id330605"></a>
+ <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a> demonstrates operation of a DHCP server and a DNS server
+ as well as a central WINS server. You validated the operation of these services and
+ saw an effective implementation of a Samba domain controller using the
+ <em class="parameter"><code>tdbsam</code></em> passdb backend.
+ </p><p>
+ The objective of this chapter is to introduce more complex techniques that can be used to
+ improve manageability of Samba as networking needs grow. In this chapter, you implement
+ a distributed DHCP server environment, a distributed DNS server arrangement, a centralized
+ WINS server, and a centralized Samba domain controller.
+ </p><p>
+ A note of caution is important regarding the Samba configuration that is used in this
+ chapter. The use of a single domain controller on a routed, multisegment network is
+ a poor design choice that leads to potential network user complaints.
+ This chapter demonstrates some successful
+ techniques in deployment and configuration management. This should be viewed as a
+ foundation chapter for complex Samba deployments.
+ </p><p>
+ As you master the techniques presented here, you may find much better methods to
+ improve network management and control while reducing human resource overheads.
+ You should take the opportunity to innovate and expand on the methods presented
+ here and explore them to the fullest.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330645"></a>Introduction</h2></div></div></div><p>
+ Business continues to go well for Abmas. Mr. Meany is driving your success and the
+ network continues to grow thanks to the hard work Christine has done. You recently
+ hired Stanley Soroka as manager of information systems. Christine recommended Stan
+ to the role. She told you Stan is so good at handling Samba that he can make a cast
+ iron rocking horse that is embedded in concrete kick like a horse at a rodeo. You
+ need skills like his. Christine and Stan get along just fine. Let's see what
+ you can get out of this pair as they plot the next-generation networks.
+ </p><p>
+ Ten months ago Abmas closed an acquisition of a property insurance business. The
+ founder lost interest in the business and decided to sell it to Mr. Meany. Because
+ they were former university classmates, the purchase was concluded with mutual assent.
+ The acquired business is located at the other end of town in much larger facilities.
+ The old Abmas building has become too small. Located on the same campus as the newly
+ acquired business are two empty buildings that are ideal to provide Abmas with
+ opportunity for growth.
+ </p><p>
+ Abmas has now completed the purchase of the two empty buildings, and you are
+ to install a new network and relocate staff in nicely furnished new facilities.
+ The new network is to be used to fully integrate company operations. You have
+ decided to locate the new network operations control center in the larger building
+ in which the insurance group is located to take advantage of an ideal floor space
+ and to allow Stan and Christine to fully stage the new network and test it before
+ it is rolled out. Your strategy is to complete the new network so that it
+ is ready for operation when the old office moves into the new premises.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330675"></a>Assignment Tasks</h3></div></div></div><p>
+ The acquired business had 280 network users. The old Abmas building housed
+ 220 network users in unbelievably cramped conditions. The network that
+ initially served 130 users now handles 220 users quite well.
+ </p><p>
+ The two businesses will be fully merged to create a single campus company.
+ The Property Insurance Group (PIG) houses 300 employees, the new Accounting
+ Services Group (ASG) will be in a small building (BLDG1) that houses 50
+ employees, and the Financial Services Group (FSG) will be housed in a large
+ building that has capacity for growth (BLDG2). Building 2 houses 150 network
+ users.
+ </p><p>
+ You have decided to connect the building using fiber optic links between new
+ routers. As a backup, the buildings are interconnected using line-of-sight
+ high-speed infrared facilities. The infrared connection provides a
+ secondary route to be used during periods of high demand for network
+ bandwidth.
+ </p><p>
+ The Internet gateway is upgraded to 15 Mb/sec service. Your ISP
+ provides on your premises a fully managed Cisco PIX firewall. You no longer need
+ to worry about firewall facilities on your network.
+ </p><p>
+ Stanley and Christine have purchased new server hardware. Christine wants to
+ roll out a network that has whistles and bells. Stan wants to start off with
+ a simple to manage, not-too-complex network. He believes that network
+ users need to be gradually introduced to new features and capabilities and not
+ rushed into an environment that may cause disorientation and loss of productivity.
+ </p><p>
+ Your intrepid network team has decided to implement a network configuration
+ that closely mirrors the successful system you installed in the old Abmas building.
+ The new network infrastructure is owned by Abmas, but all desktop systems
+ are being procured through a new out-source services and leasing company. Under
+ the terms of a deal with Mr. M. Proper (CEO), DirectPointe, Inc., provides
+ all desktop systems and includes full level-one help desk support for
+ a flat per-machine monthly fee. The deal allows you to add workstations on demand.
+ This frees Stan and Christine to deal with deeper issues as they emerge and
+ permits Stan to work on creating new future value-added services.
+ </p><p>
+ DirectPointe Inc. receives from you a new standard desktop configuration
+ every four months. They automatically roll that out to each desktop system.
+ You must keep DirectPointe informed of all changes.
+ </p><p><a class="indexterm" name="id330732"></a>
+ The new network has a single Samba Primary Domain Controller (PDC) located in the
+ Network Operation Center (NOC). Buildings 1 and 2 each have a local server
+ for local application servicing. It is a domain member. The new system
+ uses the <em class="parameter"><code>tdbsam</code></em> passdb backend.
+ </p><p>
+ Printing is based on raw pass-through facilities just as it has been used so far.
+ All printer drivers are installed on the desktop and notebook computers.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330756"></a>Dissection and Discussion</h2></div></div></div><p>
+ <a class="indexterm" name="id330764"></a>
+ The example you are building in this chapter is of a network design that works, but this
+ does not make it a design that is recommended. As a general rule, there should be at least
+ one Backup Domain Controller (BDC) per 150 Windows network clients. The principle behind
+ this recommendation is that correct operation of MS Windows clients requires rapid
+ network response to all SMB/CIFS requests. The same rule says that if there are more than
+ 50 clients per domain controller, they are too busy to service requests. Let's put such
+ rules aside and recognize that network load affects the integrity of domain controller
+ responsiveness. This network will have 500 clients serviced by one central domain
+ controller. This is not a good omen for user satisfaction. You, of course, address this
+ very soon (see <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>).
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330784"></a>Technical Issues</h3></div></div></div><p>
+ Stan has talked you into a horrible compromise, but it is addressed. Just make
+ certain that the performance of this network is well validated before going live.
+ </p><p>
+ Design decisions made in this design include the following:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id330804"></a>
+ <a class="indexterm" name="id330811"></a>
+ <a class="indexterm" name="id330817"></a>
+ A single PDC is being implemented. This limitation is based on the choice not to
+ use LDAP. Many network administrators fear using LDAP because of the perceived
+ complexity of implementation and management of an LDAP-based backend for all user
+ identity management as well as to store network access credentials.
+ </p></li><li><p>
+ <a class="indexterm" name="id330831"></a>
+ <a class="indexterm" name="id330838"></a>
+ Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the
+ only choice that makes sense with 500 users is to use the tdbsam passwd backend.
+ This type of backend is not receptive to replication to BDCs. If the tdbsam
+ <code class="filename">passdb.tdb</code> file is replicated to BDCs using
+ <code class="literal">rsync</code>, there are two potential problems: (1) data that is in
+ memory but not yet written to disk will not be replicated, and (2) domain member
+ machines periodically change the secret machine password. When this happens, there
+ is no mechanism to return the changed password to the PDC.
+ </p></li><li><p>
+ All domain user, group, and machine accounts are managed on the PDC. This makes
+ for a simple mode of operation but has to be balanced with network performance and
+ integrity of operations considerations.
+ </p></li><li><p>
+ <a class="indexterm" name="id330872"></a>
+ A single central WINS server is being used. The PDC is also the WINS server.
+ Any attempt to operate a routed network without a WINS server while using NetBIOS
+ over TCP/IP protocols does not work unless on each client the name resolution
+ entries for the PDC are added to the <code class="filename">LMHOSTS</code>. This file is
+ normally located on the Windows XP Professional client in the
+ <code class="filename">C:\WINDOWS\SYSTEM32\ETC\DRIVERS</code> directory.
+ </p></li><li><p>
+ At this time the Samba WINS database cannot be replicated. That is
+ why a single WINS server is being implemented. This should work without a problem.
+ </p></li><li><p>
+ <a class="indexterm" name="id330904"></a>
+ BDCs make use of <code class="literal">winbindd</code> to provide
+ access to domain security credentials for file system access and object storage.
+ </p></li><li><p>
+ <a class="indexterm" name="id330922"></a>
+ <a class="indexterm" name="id330931"></a>
+ Configuration of Windows XP Professional clients is achieved using DHCP. Each
+ subnet has its own DHCP server. Backup DHCP serving is provided by one
+ alternate DHCP server. This necessitates enabling of the DHCP Relay agent on
+ all routers. The DHCP Relay agent must be programmed to pass DHCP Requests from the
+ network directed at the backup DHCP server.
+ </p></li><li><p>
+ All network users are granted the ability to print to any printer that is
+ network-attached. All printers are available from each server. Print jobs that
+ are spooled to a printer that is not on the local network segment are automatically
+ routed to the print spooler that is in control of that printer. The specific details
+ of how this might be done are demonstrated for one example only.
+ </p></li><li><p>
+ The network address and subnetmask chosen provide 1022 usable IP addresses in
+ each subnet. If in the future more addresses are required, it would make sense
+ to add further subnets rather than change addressing.
+ </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330961"></a>Political Issues</h3></div></div></div><p>
+ This case gets close to the real world. You and I know the right way to implement
+ domain control. Politically, we have to navigate a minefield. In this case, the need is to
+ get the PDC rolled out in compliance with expectations and also to be ready to save the day
+ by having the real solution ready before it is needed. That real solution is presented in
+ <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330980"></a>Implementation</h2></div></div></div><p>
+ The following configuration process begins following installation of Red Hat Fedora Core2 on the
+ three servers shown in the network topology diagram in <a href="Big500users.html#chap05net" title="Figure 4.1. Network Topology 500 User Network Using tdbsam passdb backend.">???</a>. You have
+ selected hardware that is appropriate to the task.
+ </p><div class="figure"><a name="chap05net"></a><p class="title"><b>Figure 4.1. Network Topology 500 User Network Using tdbsam passdb backend.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap5-net.png" width="270" alt="Network Topology 500 User Network Using tdbsam passdb backend."></div></div></div><br class="figure-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch5-dnshcp-setup"></a>Installation of DHCP, DNS, and Samba Control Files</h3></div></div></div><p>
+ Carefully install the configuration files into the correct locations as shown in
+ <a href="Big500users.html#ch5-filelocations" title="Table 4.1. Domain: MEGANET, File Locations for Servers">???</a>. You should validate that the full file path is
+ correct as shown.
+ </p><p>
+ The abbreviation shown in this table as <code class="constant">{VLN}</code> refers to
+ the directory location beginning with <code class="filename">/var/lib/named</code>.
+ </p><div class="table"><a name="ch5-filelocations"></a><p class="title"><b>Table 4.1. Domain: <code class="constant">MEGANET</code>, File Locations for Servers</b></p><div class="table-contents"><table summary="Domain: MEGANET, File Locations for Servers" border="1"><colgroup><col align="left"><col align="left"><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th colspan="2" align="center">File Information</th><th colspan="3" align="center">Server Name</th></tr><tr><th align="center">Source</th><th align="center">Target Location</th><th align="center">MASSIVE</th><th align="center">BLDG1</th><th align="center">BLDG2</th></tr></thead><tbody><tr><td align="left"><a href="Big500users.html#ch5-massivesmb" title="Example 4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf">???</a></td><td align="left"><code class="filename">/etc/samba/smb.conf</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#ch5-dc-common" title="Example 4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf">???</a></td><td align="left"><code class="filename">/etc/samba/dc-common.conf</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#ch5-commonsmb" title="Example 4.3. Common Samba Configuration File: /etc/samba/common.conf">???</a></td><td align="left"><code class="filename">/etc/samba/common.conf</code></td><td align="center">Yes</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="Big500users.html#ch5-bldg1-smb" title="Example 4.4. Server: BLDG1 (Member), File: smb.conf">???</a></td><td align="left"><code class="filename">/etc/samba/smb.conf</code></td><td align="center">No</td><td align="center">Yes</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#ch5-bldg2-smb" title="Example 4.5. 
Server: BLDG2 (Member), File: smb.conf">???</a></td><td align="left"><code class="filename">/etc/samba/smb.conf</code></td><td align="center">No</td><td align="center">No</td><td align="center">Yes</td></tr><tr><td align="left"><a href="Big500users.html#ch5-dommem-smb" title="Example 4.6. Common Domain Member Include File: dom-mem.conf">???</a></td><td align="left"><code class="filename">/etc/samba/dommem.conf</code></td><td align="center">No</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="Big500users.html#massive-dhcp" title="Example 4.7. Server: MASSIVE, File: dhcpd.conf">???</a></td><td align="left"><code class="filename">/etc/dhcpd.conf</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#bldg1dhcp" title="Example 4.8. Server: BLDG1, File: dhcpd.conf">???</a></td><td align="left"><code class="filename">/etc/dhcpd.conf</code></td><td align="center">No</td><td align="center">Yes</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#bldg2dhcp" title="Example 4.9. Server: BLDG2, File: dhcpd.conf">???</a></td><td align="left"><code class="filename">/etc/dhcpd.conf</code></td><td align="center">No</td><td align="center">No</td><td align="center">Yes</td></tr><tr><td align="left"><a href="Big500users.html#massive-nameda" title="Example 4.10. Server: MASSIVE, File: named.conf, Part: A">???</a></td><td align="left"><code class="filename">/etc/named.conf (part A)</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#massive-namedb" title="Example 4.11. 
Server: MASSIVE, File: named.conf, Part: B">???</a></td><td align="left"><code class="filename">/etc/named.conf (part B)</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#massive-namedc" title="Example 4.12. Server: MASSIVE, File: named.conf, Part: C">???</a></td><td align="left"><code class="filename">/etc/named.conf (part C)</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#abmasbizdns" title="Example 4.13. Forward Zone File: abmas.biz.hosts">???</a></td><td align="left"><code class="filename">{VLN}/master/abmas.biz.hosts</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#abmasusdns" title="Example 4.14. Forward Zone File: abmas.biz.hosts">???</a></td><td align="left"><code class="filename">{VLN}/master/abmas.us.hosts</code></td><td align="center">Yes</td><td align="center">No</td><td align="center">No</td></tr><tr><td align="left"><a href="Big500users.html#bldg12nameda" title="Example 4.15. Servers: BLDG1/BLDG2, File: named.conf, Part: A">???</a></td><td align="left"><code class="filename">/etc/named.conf (part A)</code></td><td align="center">No</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="Big500users.html#bldg12namedb" title="Example 4.16. Servers: BLDG1/BLDG2, File: named.conf, Part: B">???</a></td><td align="left"><code class="filename">/etc/named.conf (part B)</code></td><td align="center">No</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="appendix.html#loopback" title="Example 15.3. 
DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">???</a></td><td align="left"><code class="filename">{VLN}/localhost.zone</code></td><td align="center">Yes</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">???</a></td><td align="left"><code class="filename">{VLN}/127.0.0.zone</code></td><td align="center">Yes</td><td align="center">Yes</td><td align="center">Yes</td></tr><tr><td align="left"><a href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">???</a></td><td align="left"><code class="filename">{VLN}/root.hint</code></td><td align="center">Yes</td><td align="center">Yes</td><td align="center">Yes</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id331694"></a>Server Preparation: All Servers</h3></div></div></div><p>
+ The following steps apply to all servers. Follow each step carefully.
+ </p><div class="procedure"><a name="id331704"></a><p class="title"><b>Procedure 4.1. Server Preparation Steps</b></p><ol type="1"><li><p>
+ Using the UNIX/Linux system tools, set the name of the server as shown in the network
+ topology diagram in <a href="Big500users.html#chap05net" title="Figure 4.1. Network Topology 500 User Network Using tdbsam passdb backend.">???</a>. For SUSE Linux products, the tool
+ that permits this is called <code class="literal">yast2</code>; for Red Hat Linux products,
+ you can use the <code class="literal">netcfg</code> tool.
+ Verify that your hostname is correctly set by running:
+</p><pre class="screen">
+<code class="prompt">root# </code> uname -n
+</pre><p>
+ An alternate method to verify the hostname is:
+</p><pre class="screen">
+<code class="prompt">root# </code> hostname -f
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id331765"></a>
+ <a class="indexterm" name="id331772"></a>
+ Edit your <code class="filename">/etc/hosts</code> file to include the primary names and addresses
+ of all network interfaces that are on the host server. This is necessary so that during
+ startup the system is able to resolve all its own names to the IP address prior to
+ startup of the DNS server. You should check the startup order of your system. If the
+ CUPS print server is started before the DNS server (<code class="literal">named</code>), you
+ should also include an entry for the printers in the <code class="filename">/etc/hosts</code> file.
+ </p></li><li><p>
+ <a class="indexterm" name="id331807"></a>
+ All DNS name resolution should be handled locally. To ensure that the server is configured
+ correctly to handle this, edit <code class="filename">/etc/resolv.conf</code> so it has the following
+ content:
+</p><pre class="screen">
+search abmas.us abmas.biz
+nameserver 127.0.0.1
+</pre><p>
+ This instructs the name resolver function (when configured correctly) to ask the DNS server
+ that is running locally to resolve names to addresses.
+ </p></li><li><p>
+ <a class="indexterm" name="id331835"></a>
+ <a class="indexterm" name="id331842"></a>
+ Add the <code class="constant">root</code> user to the password backend:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -a root
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+<code class="prompt">root# </code>
+</pre><p>
+ The <code class="constant">root</code> account is the UNIX equivalent of the Windows domain administrator.
+ This account is essential in the regular maintenance of your Samba server. It must never be
+ deleted. If for any reason the account is deleted, you may not be able to recreate this account
+ without considerable trouble.
+ </p></li><li><p>
+ <a class="indexterm" name="id331883"></a>
+ <a class="indexterm" name="id331890"></a>
+ Create the username map file to permit the <code class="constant">root</code> account to be called
+ <code class="constant">Administrator</code> from the Windows network environment. To do this, create
+ the file <code class="filename">/etc/samba/smbusers</code> with the following contents:
+</p><pre class="screen">
+####
+# User mapping file
+####
+# File Format
+# -----------
+# Unix_ID = Windows_ID
+#
+# Examples:
+# root = Administrator
+# janes = "Jane Smith"
+# jimbo = Jim Bones
+#
+# Note: If the name contains a space it must be double quoted.
+# In the example above the name 'jimbo' will be mapped to Windows
+# user names 'Jim' and 'Bones' because the space was not quoted.
+#######################################################################
+root = Administrator
+####
+# End of File
+####
+</pre><p>
+ </p></li><li><p>
+ Configure all network-attached printers to have a fixed IP address.
+ </p></li><li><p>
+ Create an entry in the DNS database on the server <code class="constant">MASSIVE</code>
+ in both the forward lookup database for the zone <code class="constant">abmas.biz.hosts</code>
+ and in the reverse lookup database for the network segment that the printer is
+ located in. Example configuration files for similar zones were presented in <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a>,
+ <a href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">???</a> and <a href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">???</a>.
+ </p></li><li><p>
+ Follow the instructions in the printer manufacturer's manuals to permit printing
+ to port 9100. Use any other port the manufacturer specifies for direct mode,
+ raw printing. This allows the CUPS spooler to print using raw mode protocols.
+ <a class="indexterm" name="id331970"></a>
+ <a class="indexterm" name="id331977"></a>
+ </p></li><li><p>
+ <a class="indexterm" name="id331990"></a>
+ Only on the server to which the printer is attached configure the CUPS Print
+ Queues as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> lpadmin -p <em class="parameter"><code>printque</code></em> -v socket://<em class="parameter"><code>printer-name</code></em>.abmas.biz:9100 -E
+</pre><p>
+ <a class="indexterm" name="id332024"></a>
+ This step creates the necessary print queue to use no assigned print filter. This
+ is ideal for raw printing, that is, printing without use of filters.
+ The name <em class="parameter"><code>printque</code></em> is the name you have assigned for
+ the particular printer.
+ </p></li><li><p>
+ Print queues may not be enabled at creation. Make certain that the queues
+ you have just created are enabled by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> /usr/bin/enable <em class="parameter"><code>printque</code></em>
+</pre><p>
+ </p></li><li><p>
+ Even though your print queue may be enabled, it is still possible that it
+ does not accept print jobs. A print queue services incoming printing
+ requests only when configured to do so. Ensure that your print queue is
+ set to accept incoming jobs by executing the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> /usr/bin/accept <em class="parameter"><code>printque</code></em>
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id332097"></a>
+ <a class="indexterm" name="id332103"></a>
+ <a class="indexterm" name="id332110"></a>
+ This step, as well as the next one, may be omitted where CUPS version 1.1.18
+ or later is in use. Although it does no harm to follow it anyway, and may
+ help to avoid time spent later trying to figure out why print jobs may be
+ disappearing without a trace. Look at these two steps as <span class="emphasis"><em>insurance</em></span>
+ against lost time. Edit file <code class="filename">/etc/cups/mime.convs</code> to
+ uncomment the line:
+</p><pre class="screen">
+application/octet-stream application/vnd.cups-raw 0 -
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id332142"></a>
+ Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream
+</pre><p>
+ </p></li><li><p>
+ Refer to the CUPS printing manual for instructions regarding how to configure
+ CUPS so that print queues that reside on CUPS servers on remote networks
+ route print jobs to the print server that owns that queue. The default setting
+ on your CUPS server may automatically discover remotely installed printers and
+ may permit this functionality without requiring specific configuration.
+ </p></li><li><p>
+ As part of the roll-out program, you need to configure the application's
+ server shares. This can be done once on the central server and may then be
+ replicated using a tool such as <code class="literal">rsync</code>. Refer to the man
+ page for <code class="literal">rsync</code> for details regarding use. The notes in
+ <a href="secure.html#ch4appscfg" title="Application Share Configuration">???</a> may help in your decisions to use an application
+ server facility.
+ </p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ Logon scripts that are run from a domain controller (PDC or BDC) are capable of using semi-intelligent
+ processes to automap Windows client drives to an application server that is nearest to the client. This
+ is considerably more difficult when a single PDC is used on a routed network. It can be done, but not
+ as elegantly as you see in the next chapter.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id332210"></a>Server-Specific Preparation</h3></div></div></div><p>
+ There are some steps that apply to particular server functionality only. Each step is critical
+ to correct server operation. The following step-by-step installation guidance will assist you
+ in working through the process of configuring the PDC and then both BDC's.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id332221"></a>Configuration for Server: <code class="constant">MASSIVE</code></h4></div></div></div><p>
+ The steps presented here attempt to implement Samba installation in a generic manner. While
+ some steps are clearly specific to Linux, it should not be too difficult to apply them to
+ your platform of choice.
+ </p><div class="procedure"><a name="id332234"></a><p class="title"><b>Procedure 4.2. Primary Domain Controller Preparation</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id332245"></a>
+ <a class="indexterm" name="id332252"></a>
+ The host server acts as a router between the two internal network segments as well
+ as for all Internet access. This necessitates that IP forwarding be enabled. This can be
+ achieved by adding to the <code class="filename">/etc/rc.d/boot.local</code> an entry as follows:
+</p><pre class="screen">
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward
+</pre><p>
+ To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute
+ that command manually also. This setting permits the Linux system to act as a router.
+ </p></li><li><p>
+ This server is dual hosted (i.e., has two network interfaces) one goes to the Internet
+ and the other to a local network that has a router that is the gateway to the remote networks.
+ You must therefore configure the server with route table entries so that it can find machines
+ on the remote networks. You can do this using the appropriate system tools for your Linux
+ server or using static entries that you place in one of the system startup files. It is best
+ to always use the tools that the operating system vendor provided. In the case of SUSE Linux, the
+ best tool to do this is YaST (refer to SUSE Administration Manual); in the case of Red Hat,
+ this is best done using the graphical system configuration tools (see the Red Hat documentation).
+ An example of how this may be done manually is as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> route add net 172.16.4.0 netmask 255.255.252.0 gw 172.16.0.128
+<code class="prompt">root# </code> route add net 172.16.8.0 netmask 255.255.252.0 gw 172.16.0.128
+</pre><p>
+ If you just execute these commands manually, the route table entries you have created are
+ not persistent across system reboots. You may add these commands directly to the local
+ startup files as follows: (SUSE) <code class="filename">/etc/rc.d/boot.local</code>, (Red Hat)
+ <code class="filename">/etc/rc.d/init.d/rc.local</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id332330"></a>
+ The final step that must be completed is to edit the <code class="filename">/etc/nsswitch.conf</code> file.
+ This file controls the operation of the various resolver libraries that are part of the Linux
+ Glibc libraries. Edit this file so that it contains the following entries:
+</p><pre class="screen">
+hosts: files dns wins
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id332357"></a>
+ Create and map Windows domain groups to UNIX groups. A sample script is provided in
+ <a href="Big500users.html#ch5-initgrps" title="Example 4.17. Initialize Groups Script, File: /etc/samba/initGrps.sh">???</a>. Create a file containing this script. You called yours
+ <code class="filename">/etc/samba/initGrps.sh</code>. Set this file so it can be executed
+ and then execute the script. An example of the execution of this script as well as its
+ validation are shown in Section 4.3.2, Step 5.
+ </p></li><li><p>
+ <a class="indexterm" name="id332386"></a>
+ <a class="indexterm" name="id332392"></a>
+ <a class="indexterm" name="id332402"></a>
+ For each user who needs to be given a Windows domain account, make an entry in the
+ <code class="filename">/etc/passwd</code> file as well as in the Samba password backend.
+ Use the system tool of your choice to create the UNIX system account, and use the Samba
+ <code class="literal">smbpasswd</code> to create a domain user account.
+ </p><p>
+ <a class="indexterm" name="id332426"></a>
+ <a class="indexterm" name="id332433"></a>
+ <a class="indexterm" name="id332439"></a>
+ There are a number of tools for user management under UNIX, such as
+ <code class="literal">useradd</code>, <code class="literal">adduser</code>, as well as a plethora of custom
+ tools. With the tool of your choice, create a home directory for each user.
+ </p></li><li><p>
+ Using the preferred tool for your UNIX system, add each user to the UNIX groups created
+ previously as necessary. File system access control is based on UNIX group membership.
+ </p></li><li><p>
+ Create the directory mount point for the disk subsystem that is to be mounted to provide
+ data storage for company files, in this case, the mount point indicated in the <code class="filename">smb.conf</code>
+ file is <code class="filename">/data</code>. Format the file system as required and mount the formatted
+ file system partition using appropriate system tools.
+ </p></li><li><p>
+ <a class="indexterm" name="id332498"></a>
+ Create the top-level file storage directories for data and applications as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /data/{accounts,finsvcs,pidata}
+<code class="prompt">root# </code> mkdir -p /apps
+<code class="prompt">root# </code> chown -R root:root /data
+<code class="prompt">root# </code> chown -R root:root /apps
+<code class="prompt">root# </code> chown -R bjordan:accounts /data/accounts
+<code class="prompt">root# </code> chown -R bjordan:finsvcs /data/finsvcs
+<code class="prompt">root# </code> chown -R bjordan:finsvcs /data/pidata
+<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data
+<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps
+</pre><p>
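Review bot: the group names in the three departmental chown commands (`bjordan:accounts`, `bjordan:finsvcs`) are not the groups that the initGrps.sh script in Example 4.17 creates (`acctsdep`, `finsrvcs`, `piops`), and `/data/pidata` is handed the financial-services group instead of the insurance group; unless these groups are created somewhere not shown, the chown commands fail with "invalid group". Use one set of names throughout, e.g. `chown -R bjordan:acctsdep /data/accounts`, `chown -R bjordan:finsrvcs /data/finsvcs`, `chown -R bjordan:piops /data/pidata`. Separately, `chmod -R ug+rwxs,o-rwx /data` sets the setuid and setgid bits on every existing file under /data, not only on directories; the group-inheritance behaviour wanted here comes from setgid on directories alone, so apply it with `find /data -type d -exec chmod g+s {} +` and leave regular files without the s bits.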
+ Each department is responsible for creating its own directory structure within the departmental
+ share. The directory root of the <code class="literal">accounts</code> share is <code class="filename">/data/accounts</code>.
+ The directory root of the <code class="literal">finsvcs</code> share is <code class="filename">/data/finsvcs</code>.
+ The <code class="filename">/apps</code> directory is the root of the <code class="constant">apps</code> share
+ that provides the application server infrastructure.
+ </p></li><li><p>
+ The <code class="filename">smb.conf</code> file specifies an infrastructure to support roaming profiles and network
+ logon services. You can now create the file system infrastructure to provide the
+ locations on disk that these services require. Adequate planning is essential
+ because desktop profiles can grow to be quite large. For planning purposes, a minimum of
+ 200 MB of storage should be allowed per user for profile storage. The following
+ commands create the directory infrastructure needed:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /var/spool/samba
+<code class="prompt">root# </code> mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
+<code class="prompt">root# </code> chown -R root:root /var/spool/samba
+<code class="prompt">root# </code> chown -R root:root /var/lib/samba
+<code class="prompt">root# </code> chmod a+rwxt /var/spool/samba
+</pre><p>
+ For each user account that is created on the system, the following commands should be
+ executed:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir /var/lib/samba/profiles/'username'
+<code class="prompt">root# </code> chown 'username':users /var/lib/samba/profiles/'username'
+<code class="prompt">root# </code> chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
+</pre><p>
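Review bot: the per-user profile command `chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'` does not produce a well-defined mode: the trailing `-w` clause has no who letter, so it applies to every class except the bits set in the current umask, and under the usual umask of 022 it removes write permission from the owner only, leaving the user unable to write to their own profile directory while the group still can. State the intended mode explicitly, e.g. `chmod u=rwx,go=rx /var/lib/samba/profiles/'username'`.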
+ </p></li><li><p>
+ <a class="indexterm" name="id332690"></a>
+ <a class="indexterm" name="id332697"></a>
+ Create a logon script. It is important that each line is correctly terminated with
+ a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
+ works if the right tools (<code class="constant">unxi2dos</code> and <code class="constant">dos2unix</code>) are installed.
+ First, create a file called <code class="filename">/var/lib/samba/netlogon/scripts/logon.bat.unix</code>
+ with the following contents:
+</p><pre class="screen">
+net time \\massive /set /yes
+net use h: /home
+</pre><p>
+ Convert the UNIX file to a DOS file:
+</p><pre class="screen">
+<code class="prompt">root# </code> dos2unix &lt; /var/lib/samba/netlogon/scripts/logon.bat.unix \
+ &gt; /var/lib/samba/netlogon/scripts/logon.bat
+</pre><p>
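Review bot: the conversion step runs the wrong tool. The sentence above it says "Convert the UNIX file to a DOS file", but `dos2unix < logon.bat.unix > logon.bat` converts CRLF to LF, the opposite direction, so `logon.bat` keeps UNIX line endings. It should be `unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix > /var/lib/samba/netlogon/scripts/logon.bat`; the tool is also misspelled `unxi2dos` in the sentence that introduces it.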
+ </p></li><li><p>
+ There is one preparatory step without which you cannot have a working Samba network
+ environment. You must add an account for each network user. You can do this by executing
+ the following steps for each user:
+</p><pre class="screen">
+<code class="prompt">root# </code> useradd -m <em class="parameter"><code>username</code></em>
+<code class="prompt">root# </code> passwd <em class="parameter"><code>username</code></em>
+Changing password for <em class="parameter"><code>username</code></em>.
+New password: XXXXXXXX
+Re-enter new password: XXXXXXXX
+Password changed
+<code class="prompt">root# </code> smbpasswd -a <em class="parameter"><code>username</code></em>
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+Added user <em class="parameter"><code>username</code></em>.
+</pre><p>
+ You do, of course, use a valid user login ID in place of <em class="parameter"><code>username</code></em>.
+ </p></li><li><p>
+ Follow the processes shown in <a href="Big500users.html#ch5-procstart" title="Process Startup Configuration">???</a> to start all services.
+ </p></li><li><p>
+ Your server is ready for validation testing. Do not proceed with the steps in
+ <a href="Big500users.html#ch5-domsvrspec" title="Configuration Specific to Domain Member Servers: BLDG1, BLDG2">???</a> until after the operation of the server has been
+ validated following the same methods as outlined in <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a>, <a href="secure.html#ch4valid" title="Validation">???</a>.
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch5-domsvrspec"></a>Configuration Specific to Domain Member Servers: <code class="constant">BLDG1, BLDG2</code></h4></div></div></div><p>
+ The following steps will guide you through the nuances of implementing BDCs for the broadcast
+ isolated network segments. Remember that if the target installation platform is not Linux, it may
+ be necessary to adapt some commands to the equivalent on the target platform.
+ </p><div class="procedure"><a name="id332869"></a><p class="title"><b>Procedure 4.3. Backup Domain Controller Configuration Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id332880"></a>
+ The final step that must be completed is to edit the <code class="filename">/etc/nsswitch.conf</code> file.
+ This file controls the operation of the various resolver libraries that are part of the Linux
+ Glibc libraries. Edit this file so that it contains the following entries:
+</p><pre class="screen">
+passwd: files winbind
+group: files winbind
+hosts: files dns wins
+</pre><p>
+ </p></li><li><p>
+ Follow the steps outlined in <a href="Big500users.html#ch5-procstart" title="Process Startup Configuration">???</a> to start all services. Do not
+ start Samba at this time. Samba is controlled by the process called <code class="literal">smb</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id332927"></a>
+ You must now attempt to join the domain member servers to the domain. The following
+ instructions should be executed to effect this:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id332958"></a>
+ You now start the Samba services by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> service smb start
+</pre><p>
+ </p></li><li><p>
+ Your server is ready for validation testing. Do not proceed with the steps in
+ <a href="Big500users.html#ch5-domsvrspec" title="Configuration Specific to Domain Member Servers: BLDG1, BLDG2">???</a> until after the operation of the server has been
+ validated following the same methods as outlined in <a href="secure.html#ch4valid" title="Validation">???</a>.
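Review bot: Procedure 4.3 is titled "Backup Domain Controller Configuration Steps" and its introduction talks about implementing BDCs, but the section heading and the steps configure domain member servers (the join is `net rpc join`, and the member include file sets `idmap uid`/`idmap gid` for winbind); the title and the opening sentence should say domain member servers. Two wording slips in the same procedure: step 1 opens with "The final step that must be completed" although it is the first step, and the last step tells the reader not to proceed with "Configuration Specific to Domain Member Servers" while they are already inside that section, so the cross-reference should point at whatever section is meant to follow rather than at the current one.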
+ </p></li></ol></div></div></div><div class="example"><a name="ch5-massivesmb"></a><p class="title"><b>Example 4.1. Server: MASSIVE (PDC), File: <code class="filename">/etc/samba/smb.conf</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id333040"></a><em class="parameter"><code>workgroup = MEGANET</code></em></td></tr><tr><td><a class="indexterm" name="id333052"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id333065"></a><em class="parameter"><code>interfaces = eth1, lo</code></em></td></tr><tr><td><a class="indexterm" name="id333077"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333090"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id333102"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id333115"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id333128"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id333140"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id333153"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id333166"></a><em class="parameter"><code>add user to group script = /usr/sbin/usermod -G '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id333179"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d 
/var/lib/nobody '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id333192"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333205"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333217"></a><em class="parameter"><code>include = /etc/samba/dc-common.conf</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id333239"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id333252"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id333264"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id333286"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id333298"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id333311"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id333332"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id333345"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id333357"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch5-dc-common"></a><p class="title"><b>Example 4.2. 
Server: MASSIVE (PDC), File: <code class="filename">/etc/samba/dc-common.conf</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id333405"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id333418"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id333431"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id333443"></a><em class="parameter"><code>logon path = \%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id333456"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id333469"></a><em class="parameter"><code>logon home = \%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id333481"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333494"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333506"></a><em class="parameter"><code>include = /etc/samba/common.conf</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id333528"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id333540"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id333553"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id333566"></a><em class="parameter"><code>browseable = 
No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id333587"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id333600"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id333612"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333625"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id333646"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id333659"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id333672"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id333684"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch5-commonsmb"></a><p class="title"><b>Example 4.3. 
Common Samba Configuration File: <code class="filename">/etc/samba/common.conf</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id333728"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id333741"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id333753"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id333766"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id333779"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id333791"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id333804"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id333816"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333829"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id333841"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id333854"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id333867"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id333880"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333892"></a><em class="parameter"><code>map acl inherit = 
Yes</code></em></td></tr><tr><td><a class="indexterm" name="id333905"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id333917"></a><em class="parameter"><code>veto files = /*.eml/*.nws/*.{*}/</code></em></td></tr><tr><td><a class="indexterm" name="id333930"></a><em class="parameter"><code>veto oplock files = /*.doc/*.xls/*.mdb/</code></em></td></tr><tr><td><a class="indexterm" name="id333943"></a><em class="parameter"><code>include = </code></em></td></tr><tr><td># Share and Service Definitions are common to all servers</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id333968"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id333981"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id333993"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334006"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334018"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334031"></a><em class="parameter"><code>default devmode = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334043"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id334065"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id334077"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id334090"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" 
name="id334102"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch5-bldg1-smb"></a><p class="title"><b>Example 4.4. Server: BLDG1 (Member), File: smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id334145"></a><em class="parameter"><code>workgroup = MEGANET</code></em></td></tr><tr><td><a class="indexterm" name="id334158"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id334170"></a><em class="parameter"><code>include = /etc/samba/dom-mem.conf</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch5-bldg2-smb"></a><p class="title"><b>Example 4.5. Server: BLDG2 (Member), File: smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id334214"></a><em class="parameter"><code>workgroup = MEGANET</code></em></td></tr><tr><td><a class="indexterm" name="id334226"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id334239"></a><em class="parameter"><code>include = /etc/samba/dom-mem.conf</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch5-dommem-smb"></a><p class="title"><b>Example 4.6. 
Common Domain Member Include File: dom-mem.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id334282"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id334295"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id334307"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id334320"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id334333"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id334345"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id334358"></a><em class="parameter"><code>include = /etc/samba/common.conf</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="massive-dhcp"></a><p class="title"><b>Example 4.7. Server: MASSIVE, File: dhcpd.conf</b></p><div class="example-contents"><pre class="screen">
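Review bot: the member-server configuration never sets `security = domain`: neither the BLDG1/BLDG2 smb.conf files nor the dom-mem.conf and common.conf they include contain a `security` parameter, so these hosts run with Samba's default `security = user` and validate users against their own local passdb rather than against MASSIVE, which undoes the `net rpc join` in Procedure 4.3 and the winbind entries added to nsswitch.conf. Add `security = domain` to dom-mem.conf next to `wins server = 172.16.0.1`. In Example 4.1 the second share is `[service]` with `path = /data/service`, whereas the preparation steps create `/data/finsvcs` and the surrounding text calls the share `finsvcs`; one of the two must change. Example 4.3 also ends its [global] section with an empty `include = ` parameter, which should either name a file or be dropped.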
+# Abmas Accounting Inc.
+
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+ddns-updates on;
+ddns-update-style interim;
+
+option ntp-servers 172.16.0.1;
+option domain-name "abmas.biz";
+option domain-name-servers 172.16.0.1, 172.16.4.1;
+option netbios-name-servers 172.16.0.1;
+option netbios-node-type 8;
+
+subnet 172.16.1.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.1.0 172.16.2.255;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.0.1, 172.16.0.128;
+ allow unknown-clients;
+ }
+subnet 172.16.4.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.7.0 172.16.7.254;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.4.128;
+ allow unknown-clients;
+ }
+subnet 172.16.8.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.11.0 172.16.11.254;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.4.128;
+ allow unknown-clients;
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+subnet 123.45.67.64 netmask 255.255.255.252 {
+ }
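Review bot: `default-lease-time 86400;` appears twice in this file (the same duplicate is in the BLDG1 and BLDG2 files that follow); remove the second copy. In the `subnet 172.16.8.0` stanza, `option routers 172.16.4.128;` gives clients on the BLDG2 network the BLDG1 router; the abmas.biz zone file defines `router8` as 172.16.8.128 and BLDG2's own dhcpd.conf uses that address, so this should read `option routers 172.16.8.128;`. The BLDG1 file also uses `ddns-update-style ad-hoc;` while MASSIVE and BLDG2 use `interim`; all three update the same zones on MASSIVE and should agree on the style.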
+</pre></div></div><br class="example-break"><div class="example"><a name="bldg1dhcp"></a><p class="title"><b>Example 4.8. Server: BLDG1, File: dhcpd.conf</b></p><div class="example-contents"><pre class="screen">
+# Abmas Accounting Inc.
+
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+ddns-updates on;
+ddns-update-style ad-hoc;
+
+option ntp-servers 172.16.0.1;
+option domain-name "abmas.biz";
+option domain-name-servers 172.16.0.1, 172.16.4.1;
+option netbios-name-servers 172.16.0.1;
+option netbios-node-type 8;
+
+subnet 172.16.1.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.3.0 172.16.3.255;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.0.1, 172.16.0.128;
+ allow unknown-clients;
+ }
+subnet 172.16.4.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.5.0 172.16.6.255;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.4.128;
+ allow unknown-clients;
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+</pre></div></div><br class="example-break"><div class="example"><a name="bldg2dhcp"></a><p class="title"><b>Example 4.9. Server: BLDG2, File: dhcpd.conf</b></p><div class="example-contents"><pre class="screen">
+# Abmas Accounting Inc.
+
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+ddns-updates on;
+ddns-update-style interim;
+
+option ntp-servers 172.16.0.1;
+option domain-name "abmas.biz";
+option domain-name-servers 172.16.0.1, 172.16.4.1;
+option netbios-name-servers 172.16.0.1;
+option netbios-node-type 8;
+
+subnet 172.16.8.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.9.0 172.16.10.255;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.8.128;
+ allow unknown-clients;
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+</pre></div></div><br class="example-break"><div class="example"><a name="massive-nameda"></a><p class="title"><b>Example 4.10. Server: MASSIVE, File: named.conf, Part: A</b></p><div class="example-contents"><pre class="screen">
+###
+# Abmas Biz DNS Control File
+###
+# Date: November 15, 2003
+###
+options {
+ directory "/var/lib/named";
+ forwarders {
+ 123.45.12.23;
+ 123.45.54.32;
+ };
+ forward first;
+ listen-on {
+ mynet;
+ };
+ auth-nxdomain yes;
+ multiple-cnames yes;
+ notify no;
+};
+
+zone "." in {
+ type hint;
+ file "root.hint";
+};
+
+zone "localhost" in {
+ type master;
+ file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" in {
+ type master;
+ file "127.0.0.zone";
+};
+
+acl mynet {
+ 172.16.0.0/24;
+ 172.16.4.0/24;
+ 172.16.8.0/24;
+ 127.0.0.1;
+};
+
+acl seconddns {
+ 123.45.54.32;
+};
+</pre></div></div><br class="example-break"><div class="example"><a name="massive-namedb"></a><p class="title"><b>Example 4.11. Server: MASSIVE, File: named.conf, Part: B</b></p><div class="example-contents"><pre class="screen">
+zone "abmas.biz" {
+ type master;
+ file "/var/lib/named/master/abmas.biz.hosts";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "abmas.us" {
+ type master;
+ file "/var/lib/named/master/abmas.us.hosts";
+ allow-query {
+ all;
+ };
+ allow-transfer {
+ seconddns;
+ };
+};
+</pre></div></div><br class="example-break"><div class="example"><a name="massive-namedc"></a><p class="title"><b>Example 4.12. Server: MASSIVE, File: named.conf, Part: C</b></p><div class="example-contents"><pre class="screen">
+zone "0.16.172.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/172.16.0.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "4.16.172.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/172.16.4.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "8.16.172.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/172.16.8.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
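Review bot: the `mynet` ACL (`172.16.0.0/24; 172.16.4.0/24; 172.16.8.0/24;`) does not cover the networks dhcpd.conf actually serves: those subnets use netmask 255.255.252.0 (/22) and the client ranges start at 172.16.1.0, 172.16.3.0, 172.16.5.0, 172.16.7.0, 172.16.9.0 and 172.16.11.0, none of which lie inside the /24s. Because every internal zone uses `allow-query { mynet; }`, every DHCP client would be refused lookups for abmas.biz and the reverse zones; the ACL should be `172.16.0.0/22; 172.16.4.0/22; 172.16.8.0/22;`. Separately, `allow-update { mynet; };` on the master zones lets any host on those networks add or replace records; only the three dhcpd servers (172.16.0.1, 172.16.4.1, 172.16.8.1) need to send updates, so restrict `allow-update` to those addresses or, better, to a TSIG key shared with dhcpd. Finally, `notify no` in the options block means the BLDG1/BLDG2 slave zones only pick up changes at the SOA refresh interval (3 hours); use `notify yes` or an `also-notify` list if dynamic updates are meant to propagate promptly.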
+</pre></div></div><br class="example-break"><div class="example"><a name="abmasbizdns"></a><p class="title"><b>Example 4.13. Forward Zone File: abmas.biz.hosts</b></p><div class="example-contents"><pre class="screen">
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.biz IN SOA massive.abmas.biz. root.abmas.biz. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS massive.abmas.biz.
+ NS bldg1.abmas.biz.
+ NS bldg2.abmas.biz.
+ MX 10 massive.abmas.biz.
+$ORIGIN abmas.biz.
+massive A 172.16.0.1
+router0 A 172.16.0.128
+bldg1 A 172.16.4.1
+router4 A 172.16.4.128
+bldg2 A 172.16.8.1
+router8 A 172.16.8.128
+</pre></div></div><br class="example-break"><div class="example"><a name="abmasusdns"></a><p class="title"><b>Example 4.14. Forward Zone File: abmas.biz.hosts</b></p><div class="example-contents"><pre class="screen">
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.us IN SOA server.abmas.us. root.abmas.us. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS dns.abmas.us.
+ NS dns2.abmas.us.
+ MX 10 mail.abmas.us.
+$ORIGIN abmas.us.
+server A 123.45.67.66
+dns2 A 123.45.54.32
+gw A 123.45.67.65
+www CNAME server
+mail CNAME server
+dns CNAME server
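Review bot: Example 4.14 is titled "Forward Zone File: abmas.biz.hosts" but its contents are the abmas.us zone, which Part B of named.conf loads from `/var/lib/named/master/abmas.us.hosts`; the title should name abmas.us.hosts. In the zone itself the NS record `NS dns.abmas.us.` points at a name that is a CNAME to `server`; NS targets must resolve directly to address records, so either use `NS server.abmas.us.` or give `dns` its own A record.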
+</pre></div></div><br class="example-break"><div class="example"><a name="bldg12nameda"></a><p class="title"><b>Example 4.15. Servers: BLDG1/BLDG2, File: named.conf, Part: A</b></p><div class="example-contents"><pre class="screen">
+###
+# Abmas Biz DNS Control File
+###
+# Date: November 15, 2003
+###
+options {
+ directory "/var/lib/named";
+ forwarders {
+ 172.16.0.1;
+ };
+ forward first;
+ listen-on {
+ mynet;
+ };
+ auth-nxdomain yes;
+ multiple-cnames yes;
+ notify no;
+};
+
+zone "." in {
+ type hint;
+ file "root.hint";
+};
+
+zone "localhost" in {
+ type master;
+ file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" in {
+ type master;
+ file "127.0.0.zone";
+};
+
+acl mynet {
+ 172.16.0.0/24;
+ 172.16.4.0/24;
+ 172.16.8.0/24;
+ 127.0.0.1;
+};
+
+acl seconddns {
+ 123.45.54.32;
+};
+</pre></div></div><br class="example-break"><div class="example"><a name="bldg12namedb"></a><p class="title"><b>Example 4.16. Servers: BLDG1/BLDG2, File: named.conf, Part: B</b></p><div class="example-contents"><pre class="screen">
+zone "abmas.biz" {
+ type slave;
+ file "/var/lib/named/slave/abmas.biz.hosts";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+};
+
+zone "0.16.172.in-addr.arpa" {
+ type slave;
+ file "/var/lib/slave/master/172.16.0.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+};
+
+zone "4.16.172.in-addr.arpa" {
+ type slave;
+ file "/var/lib/named/slave/172.16.4.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+};
+
+zone "8.16.172.in-addr.arpa" {
+ type slave;
+ file "/var/lib/named/slave/172.16.8.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+};
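Review bot: the slave copy of `0.16.172.in-addr.arpa` is written to `/var/lib/slave/master/172.16.0.0.rev`, a path that matches neither the `directory "/var/lib/named"` option nor the `/var/lib/named/slave/` location used by the other three slave zones; it should be `/var/lib/named/slave/172.16.0.0.rev`. All four `type slave` zones in this example also lack a `masters { 172.16.0.1; };` clause, which a slave zone needs in order to know where to transfer from; named will reject the configuration without it.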
+</pre></div></div><br class="example-break"><div class="example"><a name="ch5-initgrps"></a><p class="title"><b>Example 4.17. Initialize Groups Script, File: /etc/samba/initGrps.sh</b></p><div class="example-contents"><pre class="screen">
+#!/bin/bash
+
+# Create UNIX groups
+groupadd acctsdep
+groupadd finsrvcs
+groupadd piops
+
+# Map Windows Domain Groups to UNIX groups
+net groupmap add ntgroup="Domain Admins" unixgroup=root type=d
+net groupmap add ntgroup="Domain Users" unixgroup=users type=d
+net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d
+
+# Add Functional Domain Groups
+net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
+net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
+net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
+</pre></div></div><br class="example-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch5-procstart"></a>Process Startup Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id334644"></a>
+ <a class="indexterm" name="id334650"></a>
+ There are two essential steps to process startup configuration. A process
+ must be configured so that it is automatically restarted each time the server
+ is rebooted. This step involves use of the <code class="literal">chkconfig</code> tool that
+ created appropriate symbolic links from the master daemon control file that is
+ located in the <code class="filename">/etc/rc.d</code> directory to the <code class="filename">/etc/rc'x'.d</code>
+ directories. Links are created so that when the system run-level is changed, the
+ necessary start or kill script is run.
+ </p><p>
+ <a class="indexterm" name="id334682"></a>
+ In the event that a service is provided not as a daemon but via the internetworking
+ super daemon (<code class="literal">inetd</code> or <code class="literal">xinetd</code>), then the <code class="literal">chkconfig</code>
+ tool makes the necessary entries in the <code class="filename">/etc/xinetd.d</code> directory
+ and sends a hang-up (HUP) signal to the super daemon, thus forcing it to
+ re-read its control files.
+ </p><p>
+ Last, each service must be started to permit system validation to proceed. The following steps
+ are for a Red Hat Linux system, please adapt them to suit the target OS platform on which you
+ are installing Samba.
+ </p><div class="procedure"><a name="id334722"></a><p class="title"><b>Procedure 4.4. Process Startup Configuration Steps</b></p><ol type="1"><li><p>
+ Use the standard system tool to configure each service to restart
+ automatically at every system reboot. For example,
+ <a class="indexterm" name="id334734"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> chkconfig dhpc on
+<code class="prompt">root# </code> chkconfig named on
+<code class="prompt">root# </code> chkconfig cups on
+<code class="prompt">root# </code> chkconfig smb on
+<code class="prompt">root# </code> chkconfig swat on
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id334783"></a>
+ <a class="indexterm" name="id334790"></a>
+ <a class="indexterm" name="id334797"></a>
+ Now start each service to permit the system to be validated.
+ Execute each of the following in the sequence shown:
+
+</p><pre class="screen">
+<code class="prompt">root# </code> service dhcp restart
+<code class="prompt">root# </code> service named restart
+<code class="prompt">root# </code> service cups restart
+<code class="prompt">root# </code> service smb restart
+<code class="prompt">root# </code> service swat restart
+</pre><p>
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch5wincfg"></a>Windows Client Configuration</h3></div></div></div><p>
+ The procedure for desktop client configuration for the network in this chapter is similar to
+ that used for the previous one. There are a few subtle changes that should be noted.
+ </p><div class="procedure"><a name="id334858"></a><p class="title"><b>Procedure 4.5. Windows Client Configuration Steps</b></p><ol type="1"><li><p>
+ Install MS Windows XP Professional. During installation, configure the client to use DHCP for
+ TCP/IP protocol configuration.
+ <a class="indexterm" name="id334870"></a>
+ <a class="indexterm" name="id334877"></a>
+ DHCP configures all Windows clients to use the WINS Server address that has been defined
+ for the local subnet.
+ </p></li><li><p>
+ Join the Windows domain <code class="constant">MEGANET</code>. Use the domain administrator
+ username <code class="constant">root</code> and the SMB password you assigned to this account.
+ A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
+ a Windows domain is given in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>.
+ Reboot the machine as prompted and then log on using the domain administrator account
+ (<code class="constant">root</code>).
+ </p></li><li><p>
+ Verify that the server called <code class="constant">MEGANET</code> is visible in <span class="guimenu">My Network Places</span>,
+ that it is possible to connect to it and see the shares <span class="guimenuitem">accounts</span>,
+ <span class="guimenuitem">apps</span>, and <span class="guimenuitem">finsvcs</span>,
+ and that it is possible to open each share to reveal its contents.
+ </p></li><li><p>
+ Create a drive mapping to the <code class="constant">apps</code> share on a server. At this time, it does
+ not particularly matter which application server is used. It is necessary to manually
+ set a persistent drive mapping to the local applications server on each workstation at the time of
+ installation. This step is avoided by the improvements to the design of the network configuration
+ in the next chapter.
+ </p></li><li><p>
+ Perform an administrative installation of each application to be used. Select the options
+ that you wish to use. Of course, you choose to run applications over the network, correct?
+ </p></li><li><p>
+ Now install all applications to be installed locally. Typical tools include Adobe Acrobat,
+ NTP-based time synchronization software, drivers for specific local devices such as fingerprint
+ scanners, and the like. Probably the most significant application to be locally installed
+ is antivirus software.
+ </p></li><li><p>
+ Now install all four printers onto the staging system. The printers you install
+ include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers, and you
+ also configure use of the identical printers that are located in the financial services department.
+ Install printers on each machine using the following steps:
+
+ </p><div class="procedure"><a name="id334992"></a><p class="title"><b>Procedure 4.6. Steps to Install Printer Drivers on Windows Clients</b></p><ol type="1"><li><p>
+ Click <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Settings</span> &#8594; <span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>.
+ Ensure that <span class="guimenuitem">Local printer</span> is selected.
+ </p></li><li><p>
+ Click <span class="guibutton">Next</span>. In the
+ <span class="guimenuitem">Manufacturer:</span> panel, select <code class="constant">HP</code>.
+ In the <span class="guimenuitem">Printers:</span> panel, select the printer called
+ <code class="constant">HP LaserJet 6</code>. Click <span class="guibutton">Next</span>.
+ </p></li><li><p>
+ In the <span class="guimenuitem">Available ports:</span> panel, select
+ <code class="constant">FILE:</code>. Accept the default printer name by clicking
+ <span class="guibutton">Next</span>. When asked, &#8220;<span class="quote">Would you like to print a
+ test page?</span>&#8221;, click <span class="guimenuitem">No</span>. Click
+ <span class="guibutton">Finish</span>.
+ </p></li><li><p>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <span class="guiicon">HP LaserJet 6</span> &#8594; <span class="guimenuitem">Properties</span>.
+ </p></li><li><p>
+ In the <span class="guimenuitem">Network</span> panel, enter the name of
+ the print queue on the Samba server as follows: <code class="constant">\\BLDG1\hplj6a</code>.
+ Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation.
+ </p></li><li><p>
+ Repeat the printer installation steps above for both HP LaserJet 6 printers
+ as well as for both QMS Magicolor laser printers. Remember to install all
+ printers but to set the destination port for each to the server on the
+ local network. For example, a workstation in the accounting group should
+ have all printers directed at the server <code class="constant">BLDG1</code>.
+ You may elect to point all desktop workstation configurations at the
+ server called <code class="constant">MASSIVE</code> and then in your deployment
+ procedures, it would be wise to document the need to redirect the printer
+ configuration (as well as the applications server drive mapping) to the
+ server on the network segment on which the workstation is to be located.
+ </p></li></ol></div><p>
+ </p></li><li><p>
+ When you are satisfied that the staging systems are complete, use the appropriate procedure to
+ remove the client from the domain. Reboot the system, and then log on as the local administrator
+ and clean out all temporary files stored on the system. Before shutting down, use the disk
+ defragmentation tool so that the file system is in optimal condition before replication.
+ </p></li><li><p>
+ Boot the workstation using the Norton (Symantec) Ghosting disk (or CD-ROM) and image the
+ machine to a network share on the server.
+ </p></li><li><p>
+ You may now replicate the image using the appropriate Norton Ghost procedure to the target
+ machines. Make sure to use the procedure that ensures each machine has a unique
+ Windows security identifier (SID). When the installation of the disk image is complete, boot the PC.
+ </p></li><li><p>
+ Log onto the machine as the local Administrator (the only option), and join the machine to
+ the domain following the procedure set out in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>. You must now set the
+ persistent drive mapping to the applications server that the user is to use. The system is now
+ ready for the user to log on, provided you have created a network logon account for that
+ user, of course.
+ </p></li><li><p>
+ Instruct all users to log onto the workstation using their assigned username and password.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id335273"></a>Key Points Learned</h3></div></div></div><p>
+ The network you have just deployed has been a valuable exercise in forced constraint.
+ You have deployed a network that works well, although you may soon start to see
+ performance problems, at which time the modifications demonstrated in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>
+ bring the network to life. The following key learning points were experienced:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ The power of using <code class="filename">smb.conf</code> include files
+ </p></li><li><p>
+ Use of a single PDC over a routed network
+ </p></li><li><p>
+ Joining a Samba-3 domain member server to a Samba-3 domain
+ </p></li><li><p>
+ Configuration of winbind to use domain users and groups for Samba access
+ to resources on the domain member servers
+ </p></li><li><p>
+ The introduction of roaming profiles
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id335326"></a>Questions and Answers</h2></div></div></div><p>
+ </p><div class="qandaset"><dl><dt> <a href="Big500users.html#id335341">
+ The example smb.conf files in this chapter make use of the include facility.
+ How may I get to see what the actual working smb.conf settings are?
+ </a></dt><dt> <a href="Big500users.html#id335388">
+ Why does the include file common.conf have an empty include statement?
+ </a></dt><dt> <a href="Big500users.html#id335445">
+ I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam
+ passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend.
+ I tried using rsync to replicate the passdb.tdb, and it seems to work fine!
+ So what is the problem?
+ </a></dt><dt> <a href="Big500users.html#id335495">
+ You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
+ </a></dt><dt> <a href="Big500users.html#id335520">
+ How does the Windows client find the PDC?
+ </a></dt><dt> <a href="Big500users.html#id335540">
+ Why did you enable IP forwarding (routing) only on the server called MASSIVE?
+ </a></dt><dt> <a href="Big500users.html#id335567">
+ You did nothing special to implement roaming profiles. Why?
+ </a></dt><dt> <a href="Big500users.html#id335585">
+ On the domain member computers, you configured winbind in the /etc/nsswitch.conf file.
+ You did not configure any PAM settings. Is this an omission?
+ </a></dt><dt> <a href="Big500users.html#id335612">
+ You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
+ </a></dt><dt> <a href="Big500users.html#id335648">
+ The domain controller has an auto-shutdown script. Isn't that dangerous?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id335341"></a><a name="id335343"></a></td><td align="left" valign="top"><p>
+ The example <code class="filename">smb.conf</code> files in this chapter make use of the <em class="parameter"><code>include</code></em> facility.
+ How may I get to see what the actual working <code class="filename">smb.conf</code> settings are?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ You may readily see the net compound effect of the included files by running:
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm -s | less
+</pre><p>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id335388"></a><a name="id335390"></a></td><td align="left" valign="top"><p>
+ Why does the include file <code class="filename">common.conf</code> have an empty include statement?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The use of the empty include statement nullifies further includes. For example, let's say you
+ desire to have just an smb.conf file that is built from the array of include files of which the
+ master control file is called <code class="filename">master.conf</code>. The following command
+ produces a compound <code class="filename">smb.conf</code> file.
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm -s /etc/samba/master.conf &gt; /etc/samba/smb.conf
+</pre><p>
+ If the include parameter was not in the common.conf file, the final <code class="filename">smb.conf</code> file leaves
+ the include in place, even though the file it points to has already been included. This is a bug
+ that will be fixed at a future date.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id335445"></a><a name="id335447"></a></td><td align="left" valign="top"><p>
+ I accept that the simplest configuration necessary to do the job is the best. The use of <em class="parameter"><code>tdbsam</code></em>
+ passdb backend is much simpler than having to manage an LDAP-based <em class="parameter"><code>ldapsam</code></em> passdb backend.
+ I tried using <code class="literal">rsync</code> to replicate the <code class="filename">passdb.tdb</code>, and it seems to work fine!
+ So what is the problem?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Replication of the <em class="parameter"><code>tdbsam</code></em> database file can result in loss of currency in its
+ contents between the PDC and BDCs. The most notable symptom is that workstations may not be able
+ to log onto the network following a reboot and may have to rejoin the domain to recover network
+ access capability.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id335495"></a><a name="id335497"></a></td><td align="left" valign="top"><p>
+ You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server
+ offers an IP address lease, but it is the client that determines which offer is accepted, no matter how many
+ offers are made. Under normal operation, the client accepts the first offer it receives.
+ </p><p>
+ The only exception to this rule is when the client makes a directed request from a specific DHCP server
+ for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id335520"></a><a name="id335522"></a></td><td align="left" valign="top"><p>
+ How does the Windows client find the PDC?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The Windows client obtains the WINS server address from the DHCP lease information. It also
+ obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast)
+ to register itself with the WINS server and to obtain enumeration of vital network information to
+ enable it to operate successfully.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id335540"></a><a name="id335542"></a></td><td align="left" valign="top"><p>
+ Why did you enable IP forwarding (routing) only on the server called <code class="constant">MASSIVE</code>?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The server called <code class="constant">MASSIVE</code> is acting as a router to the Internet. No other server
+ (BLDG1 or BLDG2) has any need for IP forwarding because they are attached only to their own network.
+ Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network
+ segments to the router that is its gateway to them.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id335567"></a><a name="id335569"></a></td><td align="left" valign="top"><p>
+ You did nothing special to implement roaming profiles. Why?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional
+ clients is to use roaming profiles.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id335585"></a><a name="id335587"></a></td><td align="left" valign="top"><p>
+ On the domain member computers, you configured winbind in the <code class="filename">/etc/nsswitch.conf</code> file.
+ You did not configure any PAM settings. Is this an omission?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ PAM is needed only for authentication. When Samba is using Microsoft encrypted passwords, it makes only
+ marginal use of PAM. PAM configuration handles only authentication. If you want to log onto the domain
+ member servers using Windows networking usernames and passwords, it is necessary to configure PAM
+ to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name
+ service switch (NSS).
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id335612"></a><a name="id335614"></a></td><td align="left" valign="top"><p>
+ You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed
+ in <span class="emphasis"><em>TOSHARG2</em></span>, which has a full chapter dedicated to the subject. While we are on the
+ subject, it should be noted that you should definitely not use SWAT on any system that makes use
+ of <code class="filename">smb.conf</code> <em class="parameter"><code>include</code></em> files because SWAT optimizes them out into an aggregated
+ file but leaves in place a broken reference to the top-layer include file. SWAT was not designed to
+ handle this functionality gracefully.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id335648"></a><a name="id335650"></a></td><td align="left" valign="top"><p>
+ The domain controller has an auto-shutdown script. Isn't that dangerous?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though.
+ </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="secure.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="happy.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 3. Secure Office Networking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Making Happy Users</td></tr></table></div></body></html>
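Review bot: the first command in Procedure 4.4, `chkconfig dhpc on`, is a typo (no such service exists, so chkconfig will refuse it) and it also does not match the name used two steps later in `service dhcp restart`; on Red Hat the ISC DHCP server's init script is `dhcpd`, so both lines should read `chkconfig dhcpd on` and `service dhcpd restart`. In the same procedure, `service swat restart` contradicts the paragraph just above it, which explains that SWAT is provided through the `xinetd` super daemon and is enabled by an entry in `/etc/xinetd.d` plus a HUP to xinetd; there is no standalone `swat` init script to restart, so this should be `service xinetd restart`, or the SWAT lines should be dropped altogether, since the Questions and Answers section of this same file states that SWAT must not be used on a system that relies on `smb.conf` include files, which is exactly what this chapter configures. Separately, the cross-references in the Windows Client Configuration steps and in Key Points Learned render as the literal text `???` (the links to appendix.html, appendix.html#domjoin and happy.html), meaning the xref targets were not resolved when this HTML was generated; rebuild from the DocBook source with the targets resolved before shipping the file.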
diff --git a/docs/htmldocs/Samba3-ByExample/DMSMig.html b/docs/htmldocs/Samba3-ByExample/DMSMig.html
new file mode 100644
index 0000000000..4300bc336a
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/DMSMig.html
@@ -0,0 +1,10 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part II. Domain Members, Updating Samba and Migration</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="2000users.html" title="Chapter 6. A Distributed 2000-User Network"><link rel="next" href="unixclients.html" title="Chapter 7. Adding Domain Member Servers and Clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part II. Domain Members, Updating Samba and Migration</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="2000users.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="unixclients.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="DMSMig"></a>Part II. Domain Members, Updating Samba and Migration</h1></div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id352865"></a>Domain Members, Updating Samba and Migration</h1></div></div></div><p>
+This section <span class="emphasis"><em>Samba-3 by Example</em></span> covers two main topics: How to add
+Samba Domain Member Servers and Samba Domain Member Clients to a Samba domain, the other
+subject is that of how to migrate from and NT4 Domain, a NetWare server, or from an earlier
+Samba version to environments that use the most recent Samba-3 release.
+</p><p>
+Those who are making use of the chapter on Adding UNIX clients and servers running Samba
+to a Samba or a Windows networking domain may also benefit by referring to the book
+<span class="emphasis"><em>The Official Samba-3 HOWTO and Reference Guide.</em></span>
+</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="unixclients.html">7. Adding Domain Member Servers and Clients</a></span></dt><dd><dl><dt><span class="sect1"><a href="unixclients.html#id352990">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id353039">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id353067">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id353091">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id353679">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id353760">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id359708">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id360196">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id360240">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="upgrades.html">8. 
Updating Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="upgrades.html#id361313">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id361397">Cautions and Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id362605">Upgrading from Samba 1.x and 2.x to Samba-3</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id363269">Samba-2.x with LDAP Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id363384">Updating a Samba-3 Installation</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id363478">Samba-3 to Samba-3 Updates on the Same Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id363662">Migrating Samba-3 to a New Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id364040">Migration of Samba Accounts to Active Directory</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="ntmigration.html">9. 
Migrating NT4 Domain to Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="ntmigration.html#id364185">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id364261">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id364312">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id364468">Technical Issues</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id364771">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id364791">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id367204">NT4 Migration Using tdbsam Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id367537">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id367572">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="nw4migration.html">10. 
Migrating NetWare Server to Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="nw4migration.html#id368455">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id368561">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id368660">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id368732">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id368903">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id368911">NetWare Migration Using LDAP Backend</a></span></dt></dl></dd></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="2000users.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="unixclients.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 6. A Distributed 2000-User Network </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Adding Domain Member Servers and Clients</td></tr></table></div></body></html>
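Review bot: the part introduction has two grammatical slips that should be corrected in the DocBook source rather than in this generated HTML: `This section Samba-3 by Example covers two main topics` is missing `of` (it should read `This section of Samba-3 by Example`), and `how to migrate from and NT4 Domain` should read `from an NT4 Domain`. The same sentence also joins its two topics with a comma splice (`... to a Samba domain, the other subject is that of ...`); splitting it into two sentences, one per topic, would read more cleanly.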
diff --git a/docs/htmldocs/Samba3-ByExample/DomApps.html b/docs/htmldocs/Samba3-ByExample/DomApps.html
new file mode 100644
index 0000000000..9cc783d649
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/DomApps.html
@@ -0,0 +1,597 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Integrating Additional Services</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="kerberos.html" title="Chapter 11. Active Directory, Kerberos, and Security"><link rel="next" href="HA.html" title="Chapter 13. Performance, Reliability, and Availability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Integrating Additional Services</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="kerberos.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="HA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DomApps"></a>Chapter 12. 
Integrating Additional Services</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="DomApps.html#id377711">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id377734">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id377820">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id377849">Technical Issues</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id377995">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id378010">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id379772">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id379827">Questions and Answers</a></span></dt></dl></div><p>
+ <a class="indexterm" name="id377668"></a>
+ <a class="indexterm" name="id377674"></a>
+ <a class="indexterm" name="id377681"></a>
+ <a class="indexterm" name="id377688"></a>
+ <a class="indexterm" name="id377694"></a>
+ You've come a long way now. You have pretty much mastered Samba-3 for
+ most uses it can be put to. Up until now, you have cast Samba-3 in the leading
+ role, and where authentication was required, you have used one or another of
+ Samba's many authentication backends (from flat text files with smbpasswd
+ to LDAP directory integration with ldapsam). Now you can design a
+ solution for a new Abmas business. This business is running Windows Server
+ 2003 and Active Directory, and these are to stay. It's time to master
+ implementing Samba and Samba-supported services in a domain controlled by
+ the latest Windows authentication technologies. Let's get started this is
+ leading edge.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id377711"></a>Introduction</h2></div></div></div><p>
+ Abmas has continued its miraculous growth; indeed, nothing seems to be able
+ to stop its diversification into multiple (and seemingly unrelated) fields.
+ Its latest acquisition is Abmas Snack Foods, a big player in the snack-food
+ business.
+ </p><p>
+ With this acquisition comes new challenges for you and your team. Abmas Snack
+ Foods is a well-developed business with a huge and heterogeneous network. It
+ already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux.
+ The network is mature and well-established, and there is no question of its chosen
+ user authentication scheme being changed for now. You need to take a wise new
+ approach.
+ </p><p>
+ You have decided to set the ball rolling by introducing Samba-3 into the network
+ gradually, taking over key services and easing the way to a full migration and,
+ therefore, integration into Abmas's existing business later.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id377734"></a>Assignment Tasks</h3></div></div></div><p>
+ <a class="indexterm" name="id377742"></a>
+ <a class="indexterm" name="id377750"></a>
+ You've promised the skeptical Abmas Snack Foods management team
+ that you can show them how Samba can ease itself and other Open Source
+ technologies into their existing infrastructure and deliver sound business
+ advantages. Cost cutting is high on their agenda (a major promise of the
+ acquisition). You have chosen Web proxying and caching as your proving ground.
+ </p><p>
+ <a class="indexterm" name="id377766"></a>
+ <a class="indexterm" name="id377773"></a>
+ Abmas Snack Foods has several thousand users housed at its head office
+ and multiple regional offices, plants, and warehouses. A high proportion of
+ the business's work is done online, so Internet access for most of these
+ users is essential. All Internet access, including for all regional offices,
+ is funneled through the head office and is the job of the (now your) networking
+ team. The bandwidth requirements were horrific (comparable to a small ISP), and
+ the team soon discovered proxying and caching. In fact, they became one of
+ the earliest commercial users of Microsoft ISA.
+ </p><p>
+ <a class="indexterm" name="id377788"></a>
+ <a class="indexterm" name="id377795"></a>
+ <a class="indexterm" name="id377802"></a>
+ The team is not happy with ISA. Because it never lived up to its marketing promises,
+ it underperformed and had reliability problems. You have pounced on the opportunity
+ to show what Open Source can do. The one thing they do like, however, is ISA's
+ integration with Active Directory. They like that their users, once logged on,
+ are automatically authenticated against the proxy. If your alternative to ISA
+ can operate completely seamlessly in their Active Directory domain, it will be
+ approved.
+ </p><p>
+ This is a hands-on exercise. You build software applications so
+ that you obtain the functionality Abmas needs.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id377820"></a>Dissection and Discussion</h2></div></div></div><p>
+ The key requirements in this business example are straightforward. You are not required
+ to do anything new, just to replicate an existing system, not lose any existing features,
+ and improve performance. The key points are:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Internet access for most employees
+ </p></li><li><p>
+ Distributed system to accommodate load and geographical distribution of users
+ </p></li><li><p>
+ Seamless and transparent interoperability with the existing Active Directory domain
+ </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id377849"></a>Technical Issues</h3></div></div></div><p>
+ <a class="indexterm" name="id377857"></a>
+ <a class="indexterm" name="id377864"></a>
+ <a class="indexterm" name="id377871"></a>
+ <a class="indexterm" name="id377878"></a>
+ <a class="indexterm" name="id377884"></a>
+ <a class="indexterm" name="id377891"></a>
+ <a class="indexterm" name="id377898"></a>
+ <a class="indexterm" name="id377905"></a>
+ <a class="indexterm" name="id377912"></a>
+ <a class="indexterm" name="id377918"></a>
+ <a class="indexterm" name="id377925"></a>
+ <a class="indexterm" name="id377932"></a>
+ <a class="indexterm" name="id377941"></a><a class="indexterm" name="id377947"></a>
+ Functionally, the user's Internet Explorer requests a browsing session with the
+ Squid proxy, for which it offers its AD authentication token. Squid hands off
+ the authentication request to the Samba-3 authentication helper application
+ called <code class="literal">ntlm_auth</code>. This helper is a hook into winbind, the
+ Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate
+ against Microsoft Windows domains, including Active Directory domains. As Active
+ Directory authentication is a modified Kerberos authentication, winbind is assisted
+ in this by local Kerberos 5 libraries configured to check passwords with the Active
+ Directory server. Once the token has been checked, a browsing session is established.
+ This process is entirely transparent and seamless to the user.
+ </p><p>
+ Enabling this consists of:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Preparing the necessary environment using preconfigured packages
+ </p></li><li><p>
+ Setting up raw Kerberos authentication against the Active Directory domain
+ </p></li><li><p>
+ Configuring, compiling, and then installing the supporting Samba-3 components
+ </p></li><li><p>
+ Tying it all together
+ </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id377995"></a>Political Issues</h3></div></div></div><p>
+ You are a stranger in a strange land, and all eyes are upon you. Some would even like to see
+ you fail. For you to gain the trust of your newly acquired IT people, it is essential that your
+ solution does everything the old one did, but does it better in every way. Only then
+ will the entrenched positions consider taking up your new way of doing things on a
+ wider scale.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id378010"></a>Implementation</h2></div></div></div><p>
+ <a class="indexterm" name="id378017"></a>
+ First, your system needs to be prepared and in a known good state to proceed. This consists
+ of making sure that everything the system depends on is present and that everything that could
+ interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3
+ packages and updating them if necessary. If conflicting packages of these programs are installed,
+ they must be removed.
+ </p><p>
+ <a class="indexterm" name="id378031"></a>
+ The following packages should be available on your Red Hat Linux system:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id378045"></a>
+ <a class="indexterm" name="id378052"></a>
+ krb5-libs
+ </p></li><li><p>
+ krb5-devel
+ </p></li><li><p>
+ krb5-workstation
+ </p></li><li><p>
+ krb5-server
+ </p></li><li><p>
+ pam_krb5
+ </p></li></ul></div><p>
+ <a class="indexterm" name="id378081"></a>
+ In the case of SUSE Linux, these packages are called:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ heimdal-lib
+ </p></li><li><p>
+ heimdal-devel
+ </p></li><li><p>
+ <a class="indexterm" name="id378105"></a>
+ heimdal
+ </p></li><li><p>
+ pam_krb5
+ </p></li></ul></div><p>
+ If the required packages are not present on your system, you must install
+ them from the vendor's installation media. Follow the administrative guide
+ for your Linux system to ensure that the packages are correctly updated.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id378127"></a>
+ <a class="indexterm" name="id378134"></a>
+ <a class="indexterm" name="id378141"></a>
+ If the requirement is for interoperation with MS Windows Server 2003, it
+ will be necessary to ensure that you are using MIT Kerberos version 1.3.1
+ or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
+ updating.
+ </p><p>
+ <a class="indexterm" name="id378153"></a>
+ <a class="indexterm" name="id378160"></a>
+ Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
+ Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch10-one"></a>Removal of Pre-Existing Conflicting RPMs</h3></div></div></div><p>
+ <a class="indexterm" name="id378180"></a>
+ If Samba and/or Squid RPMs are installed, they should be updated. You can
+ build both from source.
+ </p><p>
+ <a class="indexterm" name="id378191"></a>
+ <a class="indexterm" name="id378198"></a>
+ <a class="indexterm" name="id378204"></a>
+ Locating the packages to be un-installed can be achieved by running:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -qa | grep -i samba
+<code class="prompt">root# </code> rpm -qa | grep -i squid
+</pre><p>
+ The identified packages may be removed using:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -e samba-common
+</pre><p>
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id378243"></a>Kerberos Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id378250"></a>
+ <a class="indexterm" name="id378257"></a>
+ <a class="indexterm" name="id378266"></a>
+ <a class="indexterm" name="id378273"></a>
+ The systems Kerberos installation must be configured to communicate with
+ your primary Active Directory server (ADS KDC).
+ </p><p>
+ Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results,
+ although the current default Red Hat MIT version 1.2.7 gives acceptable results
+ unless you are using Windows 2003 servers.
+ </p><p>
+ <a class="indexterm" name="id378289"></a>
+ <a class="indexterm" name="id378296"></a>
+ <a class="indexterm" name="id378302"></a>
+ <a class="indexterm" name="id378309"></a>
+ <a class="indexterm" name="id378316"></a>
+ <a class="indexterm" name="id378325"></a>
+ <a class="indexterm" name="id378332"></a>
+ Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an <code class="filename">/etc/krb5.conf</code>
+ file in order to work correctly. All ADS domains automatically create SRV records in the
+ DNS zone <code class="constant">Kerberos.REALM.NAME</code> for each KDC in the realm. Since both
+ MIT and Heimdal, KRB5 libraries default to checking for these records, so they
+ automatically find the KDCs. In addition, <code class="filename">krb5.conf</code> allows
+ specifying only a single KDC, even if there is more than one. Using the DNS lookup
+ allows the KRB5 libraries to use whichever KDCs are available.
+ </p><div class="procedure"><a name="id378361"></a><p class="title"><b>Procedure 12.1. Kerberos Configuration Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id378372"></a>
+ If you find the need to manually configure the <code class="filename">krb5.conf</code>, you should edit it
+ to have the contents shown in <a href="DomApps.html#ch10-krb5conf" title="Example 12.1. Kerberos Configuration File: /etc/krb5.conf">???</a>. The final fully qualified path for this file
+ should be <code class="filename">/etc/krb5.conf</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id378405"></a>
+ <a class="indexterm" name="id378412"></a>
+ <a class="indexterm" name="id378419"></a>
+ <a class="indexterm" name="id378426"></a>
+ <a class="indexterm" name="id378432"></a>
+ <a class="indexterm" name="id378439"></a>
+ <a class="indexterm" name="id378446"></a>
+ <a class="indexterm" name="id378452"></a>
+ <a class="indexterm" name="id378459"></a>
+ <a class="indexterm" name="id378468"></a>
+ <a class="indexterm" name="id378475"></a>
+ <a class="indexterm" name="id378482"></a>
+ <a class="indexterm" name="id378488"></a>
+ The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
+ be in UPPERCASE, or you will get an error: &#8220;<span class="quote">Cannot find KDC for requested realm while getting
+ initial credentials</span>&#8221;. Kerberos is picky about time synchronization. The time
+ according to your participating servers must be within 5 minutes or you get an error:
+ &#8220;<span class="quote">kinit(v5): Clock skew too great while getting initial credentials</span>&#8221;.
+ Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is
+ 5 minutes). A better solution is to implement NTP throughout your server network.
+ Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC.
+ Also, the name that this reverse lookup maps to must either be the NetBIOS name of
+ the KDC (i.e., the hostname with no domain attached) or the
+ NetBIOS name followed by the realm. If all else fails, you can add a
+ <code class="filename">/etc/hosts</code> entry mapping the IP address of your KDC to its
+ NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
+ when you try to join the realm.
+ </p></li><li><p>
+ <a class="indexterm" name="id378524"></a>
+ You are now ready to test your installation by issuing the command:
+</p><pre class="screen">
+<code class="prompt">root# </code> kinit [USERNAME@REALM]
+</pre><p>
+ You are asked for your password, which you should enter. The following
+ is a typical console sequence:
+</p><pre class="screen">
+<code class="prompt">root# </code> kinit ADMINISTRATOR@LONDON.ABMAS.BIZ
+Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
+</pre><p>
+ Make sure that your password is accepted by the Active Directory KDC.
+ </p></li></ol></div><div class="example"><a name="ch10-krb5conf"></a><p class="title"><b>Example 12.1. Kerberos Configuration File: <code class="filename">/etc/krb5.conf</code></b></p><div class="example-contents"><pre class="screen">
+[libdefaults]
+ default_realm = LONDON.ABMAS.BIZ
+
+[realms]
+ LONDON.ABMAS.BIZ = {
+ kdc = w2k3s.london.abmas.biz
+ }
+</pre></div></div><br class="example-break"><p><a class="indexterm" name="id378583"></a>
+ The command
+</p><pre class="screen">
+<code class="prompt">root# </code> klist -e
+</pre><p>
+ shows the Kerberos tickets cached by the system.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id378606"></a>Samba Configuration</h4></div></div></div><p>
+ <a class="indexterm" name="id378613"></a>
+ Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it
+ has the necessary components to interface with Active Directory.
+ </p><div class="procedure"><a name="id378623"></a><p class="title"><b>Procedure 12.2. Securing Samba-3 With ADS Support Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id378634"></a>
+ <a class="indexterm" name="id378641"></a>
+ <a class="indexterm" name="id378648"></a>
+ <a class="indexterm" name="id378654"></a>
+ <a class="indexterm" name="id378661"></a>
+ Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
+ <a href="http://ftp.samba.org" target="_top">FTP site.</a> The official Samba Team
+ RPMs for Red Hat Fedora Linux contain the <code class="literal">ntlm_auth</code> tool
+ needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
+ </p><p>
+ <a class="indexterm" name="id378685"></a>
+ <a class="indexterm" name="id378692"></a>
+ The necessary, validated RPM packages for SUSE Linux may be obtained from
+ the <a href="ftp://ftp.sernet.de/pub/samba" target="_top">SerNet</a> FTP site that
+ is located in Germany. All SerNet RPMs are validated, have the necessary
+ <code class="literal">ntlm_auth</code> tool, and are statically linked
+ against suitably patched Heimdal 0.6 libraries.
+ </p></li><li><p>
+ Using your favorite editor, change the <code class="filename">/etc/samba/smb.conf</code>
+ file so it has contents similar to the example shown in <a href="DomApps.html#ch10-smbconf" title="Example 12.2. Samba Configuration File: /etc/samba/smb.conf">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id378739"></a>
+ <a class="indexterm" name="id378746"></a>
+ <a class="indexterm" name="id378753"></a>i
+ <a class="indexterm" name="id378764"></a>
+ <a class="indexterm" name="id378771"></a>
+ Next you need to create a computer account in the Active Directory.
+ This sets up the trust relationship needed for other clients to
+ authenticate to the Samba server with an Active Directory Kerberos ticket.
+ This is done with the &#8220;<span class="quote">net ads join -U [Administrator%Password]</span>&#8221;
+ command, as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads join -U administrator%vulcon
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id378802"></a>
+ <a class="indexterm" name="id378809"></a>
+ <a class="indexterm" name="id378816"></a>
+ <a class="indexterm" name="id378822"></a>
+ <a class="indexterm" name="id378829"></a>
+ Your new Samba binaries must be started in the standard manner as is applicable
+ to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbd -D
+<code class="prompt">root# </code> nmbd -D
+<code class="prompt">root# </code> winbindd -B
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id378868"></a>
+ <a class="indexterm" name="id378875"></a>
+ <a class="indexterm" name="id378884"></a>
+ <a class="indexterm" name="id378891"></a>
+ <a class="indexterm" name="id378898"></a>
+ We now need to test that Samba is communicating with the Active
+ Directory domain; most specifically, we want to see whether winbind
+ is enumerating users and groups. Issue the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> wbinfo -t
+checking the trust secret via RPC calls succeeded
+</pre><p>
+ This tests whether we are authenticating against Active Directory:
+</p><pre class="screen">
+<code class="prompt">root# </code> wbinfo -u
+LONDON+Administrator
+LONDON+Guest
+LONDON+SUPPORT_388945a0
+LONDON+krbtgt
+LONDON+jht
+LONDON+xjht
+</pre><p>
+ This enumerates all the users in your Active Directory tree:
+</p><pre class="screen">
+<code class="prompt">root# </code> wbinfo -g
+LONDON+Domain Computers
+LONDON+Domain Controllers
+LONDON+Schema Admins
+LONDON+Enterprise Admins
+LONDON+Domain Admins
+LONDON+Domain Users
+LONDON+Domain Guests
+LONDON+Group Policy Creator Owners
+LONDON+DnsUpdateProxy
+</pre><p>
+ This enumerates all the groups in your Active Directory tree.
+ </p></li><li><p>
+ <a class="indexterm" name="id378954"></a>
+ <a class="indexterm" name="id378961"></a>
+ Squid uses the <code class="literal">ntlm_auth</code> helper build with Samba-3.
+ You may test <code class="literal">ntlm_auth</code> with the command:
+</p><pre class="screen">
+<code class="prompt">root# </code> /usr/bin/ntlm_auth --username=jht
+password: XXXXXXXX
+</pre><p>
+ You are asked for your password, which you should enter. You are rewarded with:
+</p><pre class="screen">
+<code class="prompt">root# </code> NT_STATUS_OK: Success (0x0)
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id379011"></a>
+ <a class="indexterm" name="id379018"></a>
+ <a class="indexterm" name="id379025"></a>
+ <a class="indexterm" name="id379032"></a>
+ <a class="indexterm" name="id379038"></a>
+ <a class="indexterm" name="id379045"></a>
+ <a class="indexterm" name="id379052"></a>
+ <a class="indexterm" name="id379059"></a>
+ The <code class="literal">ntlm_auth</code> helper, when run from a command line as the user
+ &#8220;<span class="quote">root</span>&#8221;, authenticates against your Active Directory domain (with
+ the aid of winbind). It manages this by reading from the winbind privileged pipe.
+ Squid is running with the permissions of user &#8220;<span class="quote">squid</span>&#8221; and group
+ &#8220;<span class="quote">squid</span>&#8221; and is not able to do this unless we make a vital change.
+ Squid cannot read from the winbind privilege pipe unless you change the
+ permissions of its directory. This is the single biggest cause of failure in the
+ whole process. Remember to issue the following command (for Red Hat Linux):
+</p><pre class="screen">
+<code class="prompt">root# </code> chgrp squid /var/cache/samba/winbindd_privileged
+<code class="prompt">root# </code> chmod 750 /var/cache/samba/winbindd_privileged
+</pre><p>
+ For SUSE Linux 9, execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> chgrp squid /var/lib/samba/winbindd_privileged
+<code class="prompt">root# </code> chmod 750 /var/lib/samba/winbindd_privileged
+</pre><p>
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id379127"></a>NSS Configuration</h4></div></div></div><p>
+ <a class="indexterm" name="id379135"></a>
+ <a class="indexterm" name="id379141"></a>
+ <a class="indexterm" name="id379148"></a>
+ For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
+ </p><p>
+ Edit your <code class="filename">/etc/nsswitch.conf</code> file so it has the parameters shown
+ in <a href="DomApps.html#ch10-etcnsscfg" title="Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf">???</a>.
+ </p><div class="example"><a name="ch10-smbconf"></a><p class="title"><b>Example 12.2. Samba Configuration File: <code class="filename">/etc/samba/smb.conf</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id379204"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id379217"></a><em class="parameter"><code>netbios name = W2K3S</code></em></td></tr><tr><td><a class="indexterm" name="id379230"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id379242"></a><em class="parameter"><code>security = ads</code></em></td></tr><tr><td><a class="indexterm" name="id379255"></a><em class="parameter"><code>encrypt passwords = yes</code></em></td></tr><tr><td><a class="indexterm" name="id379267"></a><em class="parameter"><code>password server = w2k3s.london.abmas.biz</code></em></td></tr><tr><td># separate domain and username with '/', like DOMAIN/username</td></tr><tr><td><a class="indexterm" name="id379284"></a><em class="parameter"><code>winbind separator = /</code></em></td></tr><tr><td># use UIDs from 10000 to 20000 for domain users</td></tr><tr><td><a class="indexterm" name="id379300"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td># use GIDs from 10000 to 20000 for domain groups</td></tr><tr><td><a class="indexterm" name="id379316"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td># allow enumeration of winbind users and groups</td></tr><tr><td><a class="indexterm" name="id379333"></a><em class="parameter"><code>winbind enum users = yes</code></em></td></tr><tr><td><a class="indexterm" name="id379345"></a><em class="parameter"><code>winbind enum groups = yes</code></em></td></tr><tr><td><a class="indexterm" 
name="id379358"></a><em class="parameter"><code>winbind user default domain = yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch10-etcnsscfg"></a><p class="title"><b>Example 12.3. NSS Configuration File Extract File: <code class="filename">/etc/nsswitch.conf</code></b></p><div class="example-contents"><pre class="screen">
+passwd: files winbind
+shadow: files
+group: files winbind
+</pre></div></div><br class="example-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id379397"></a>Squid Configuration</h4></div></div></div><p>
+ <a class="indexterm" name="id379405"></a>
+ <a class="indexterm" name="id379412"></a>
+ Squid must be configured correctly to interact with the Samba-3
+ components that handle Active Directory authentication.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id379425"></a>Configuration</h3></div></div></div></div><div class="procedure"><a name="id379431"></a><p class="title"><b>Procedure 12.3. Squid Configuration Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id379442"></a>
+ <a class="indexterm" name="id379449"></a>
+ <a class="indexterm" name="id379457"></a>
+ If your Linux distribution is SUSE Linux 9, the version of Squid
+ supplied is already enabled to use the winbind helper agent. You
+ can therefore omit the steps that would build the Squid binary
+ programs.
+ </p></li><li><p>
+ <a class="indexterm" name="id379472"></a>
+ <a class="indexterm" name="id379479"></a>
+ <a class="indexterm" name="id379485"></a>
+ <a class="indexterm" name="id379492"></a>
+ <a class="indexterm" name="id379499"></a>
+ Squid, by default, runs as the user <code class="constant">nobody</code>. You need to
+ add a system user <code class="constant">squid</code> and a system group
+ <code class="constant">squid</code> if they are not set up already (if the default
+ Red Hat squid rpms were installed, they will be). Set up a
+ <code class="constant">squid</code> user in <code class="filename">/etc/passwd</code>
+ and a <code class="constant">squid</code> group in <code class="filename">/etc/group</code> if these aren't there already.
+ </p></li><li><p>
+ <a class="indexterm" name="id379544"></a>
+ <a class="indexterm" name="id379551"></a>
+ You now need to change the permissions on Squid's <code class="constant">var</code>
+ directory. Enter the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown -R squid /var/cache/squid
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id379581"></a>
+ <a class="indexterm" name="id379588"></a>
+ Squid must also have control over its logging. Enter the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown -R chown squid:squid /var/log/squid
+<code class="prompt">root# </code> chmod 770 /var/log/squid
+</pre><p>
+ </p></li><li><p>
+ Finally, Squid must be able to write to its disk cache!
+ Enter the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown -R chown squid:squid /var/cache/squid
+<code class="prompt">root# </code> chmod 770 /var/cache/squid
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id379645"></a>
+ The <code class="filename">/etc/squid/squid.conf</code> file must be edited to include the lines from
+ <a href="DomApps.html#etcsquidcfg" title="Example 12.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]">???</a> and <a href="DomApps.html#etcsquid2" title="Example 12.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id379678"></a>
+ You must create Squid's cache directories before it may be run. Enter the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> squid -z
+</pre><p>
+ </p></li><li><p>
+ Finally, start Squid and enjoy transparent Active Directory authentication.
+ Enter the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> squid
+</pre><p>
+ </p></li></ol></div><div class="example"><a name="etcsquidcfg"></a><p class="title"><b>Example 12.4. Squid Configuration File Extract <code class="filename">/etc/squid.conf</code> [ADMINISTRATIVE PARAMETERS Section]</b></p><div class="example-contents"><pre class="screen">
+ cache_effective_user squid
+ cache_effective_group squid
+</pre></div></div><br class="example-break"><div class="example"><a name="etcsquid2"></a><p class="title"><b>Example 12.5. Squid Configuration File extract File: <code class="filename">/etc/squid.conf</code> [AUTHENTICATION PARAMETERS Section]</b></p><div class="example-contents"><pre class="screen">
+ auth_param ntlm program /usr/bin/ntlm_auth \
+ --helper-protocol=squid-2.5-ntlmssp
+ auth_param ntlm children 5
+ auth_param ntlm max_challenge_reuses 0
+ auth_param ntlm max_challenge_lifetime 2 minutes
+ auth_param basic program /usr/bin/ntlm_auth \
+ --helper-protocol=squid-2.5-basic
+ auth_param basic children 5
+ auth_param basic realm Squid proxy-caching web server
+ auth_param basic credentialsttl 2 hours
+ acl AuthorizedUsers proxy_auth REQUIRED
+ http_access allow all AuthorizedUsers
+</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id379772"></a>Key Points Learned</h3></div></div></div><p>
+ <a class="indexterm" name="id379780"></a>
+ <a class="indexterm" name="id379787"></a>
+ <a class="indexterm" name="id379794"></a>
+ <a class="indexterm" name="id379801"></a>
+ <a class="indexterm" name="id379812"></a>
+ Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
+ Windows clients use, even when accessing traditional services such as Web browsers. Depending
+ on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
+ the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over
+ the cookie-based authentication regime used by all competing browsers. It is Samba's implementation
+ of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id379827"></a>Questions and Answers</h2></div></div></div><p>
+ <a class="indexterm" name="id379835"></a>
+ <a class="indexterm" name="id379842"></a>
+ <a class="indexterm" name="id379849"></a>
+ <a class="indexterm" name="id379855"></a>
+ The development of the <code class="literal">ntlm_auth</code> module was first discussed in many Open Source circles
+ in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of
+ <code class="literal">ntlm_auth</code> during one of the late developer meetings that took place. Since that time, the
+ adoption of <code class="literal">ntlm_auth</code> has spread considerably.
+ </p><p>
+ The largest report from a site that uses Squid with <code class="literal">ntlm_auth</code>-based authentication
+ support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000
+ users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
+ wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
+ comments were made with respect to questions regarding the performance of this installation:
+ </p><div class="blockquote"><blockquote class="blockquote"><p>
+ [In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The &#8220;<span class="quote">almost</span>&#8221;
+ part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case
+ scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
+ </p></blockquote></div><p>
+ You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
+ Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
+ out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
+ </p><div class="qandaset"><dl><dt> <a href="DomApps.html#id379921">
+ What does Samba have to do with Web proxy serving?
+ </a></dt><dt> <a href="DomApps.html#id380080">
+ What other services does Samba provide?
+ </a></dt><dt> <a href="DomApps.html#id380216">
+ Does use of Samba (ntlm_auth) improve the performance of Squid?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id379921"></a><a name="id379923"></a></td><td align="left" valign="top"><p>
+ What does Samba have to do with Web proxy serving?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id379934"></a>
+ <a class="indexterm" name="id379941"></a>
+ <a class="indexterm" name="id379948"></a>
+ <a class="indexterm" name="id379957"></a>
+ <a class="indexterm" name="id379964"></a>
+ To provide transparent interoperability between Windows clients and the network services
+ that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit
+ of Open Source software is that it can readily be reused. The current <code class="literal">ntlm_auth</code>
+ module is basically a wrapper around authentication code from the core of the Samba project.
+ </p><p>
+ <a class="indexterm" name="id379983"></a>
+ <a class="indexterm" name="id379990"></a>
+ <a class="indexterm" name="id379999"></a>
+ <a class="indexterm" name="id380008"></a>
+ <a class="indexterm" name="id380017"></a>
+ <a class="indexterm" name="id380024"></a>
+ <a class="indexterm" name="id380030"></a>
+ <a class="indexterm" name="id380037"></a>
+ <a class="indexterm" name="id380044"></a>
+ The <code class="literal">ntlm_auth</code> module supports basic plain-text authentication and NTLMSSP
+ protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
+ the user being interrupted via his or her Windows logon credentials. This facility is available with
+ MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
+ There are a few open source initiatives to provide support for these protocols in the Apache Web server
+ also.
+ </p><p>
+ <a class="indexterm" name="id380068"></a>
+ The short answer is that by adding a wrapper around key authentication components of Samba, other
+ projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id380080"></a><a name="id380082"></a></td><td align="left" valign="top"><p>
+ What other services does Samba provide?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id380094"></a>
+ <a class="indexterm" name="id380100"></a>
+ <a class="indexterm" name="id380107"></a>
+ <a class="indexterm" name="id380114"></a>
+ <a class="indexterm" name="id380121"></a>
+ Samba-3 is a file and print server. The core components that provide this functionality are <code class="literal">smbd</code>,
+ <code class="literal">nmbd</code>, and the identity resolver daemon, <code class="literal">winbindd</code>.
+ </p><p>
+ <a class="indexterm" name="id380150"></a>
+ <a class="indexterm" name="id380157"></a>
+ Samba-3 is an SMB/CIFS client. The core component that provides this is called <code class="literal">smbclient</code>.
+ </p><p>
+ <a class="indexterm" name="id380174"></a>
+ <a class="indexterm" name="id380180"></a>
+ <a class="indexterm" name="id380187"></a>
+ <a class="indexterm" name="id380194"></a>
+ <a class="indexterm" name="id380201"></a>
+ Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities.
+ Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
+ servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
+ as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules
+ to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
+ server products).
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id380216"></a><a name="id380218"></a></td><td align="left" valign="top"><p>
+ Does use of Samba (<code class="literal">ntlm_auth</code>) improve the performance of Squid?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Not really. Samba's <code class="literal">ntlm_auth</code> module handles only authentication. It requires that
+ Squid make an external call to <code class="literal">ntlm_auth</code> and therefore actually incurs a
+ little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
+ Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
+ sufficient memory when using Squid. Just add a little more to accommodate <code class="literal">ntlm_auth</code>.
+ </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="kerberos.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="HA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Active Directory, Kerberos, and Security </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. Performance, Reliability, and Availability</td></tr></table></div></body></html>
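Review bot: the first answer, at "The ntlm_auth module supports basic plain-text authentication and NTLMSSP protocols", names both mechanisms without saying which one a site should prefer; with the basic scheme the browser sends the user's domain password to the proxy in clear text on every authenticated request, so the text should recommend NTLMSSP for Windows clients and present basic authentication as the fallback for clients that cannot do NTLMSSP. In the same paragraph, "This facility is available with MS Windows Explorer" should read "Internet Explorer": the transparent pass-through of the Windows logon credentials is a feature of the browser, which is also why it pairs with the Internet Information Server claim that follows.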
diff --git a/docs/htmldocs/Samba3-ByExample/ExNetworks.html b/docs/htmldocs/Samba3-ByExample/ExNetworks.html
new file mode 100644
index 0000000000..d5d16f95fd
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/ExNetworks.html
@@ -0,0 +1,23 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part I. Example Network Configurations</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="preface.html" title="Preface"><link rel="next" href="simple.html" title="Chapter 1. No-Frills Samba Servers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part I. Example Network Configurations</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="preface.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="simple.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="ExNetworks"></a>Part I. Example Network Configurations</h1></div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id316466"></a>Example Network Configurations</h1></div></div></div><p>
+This section of <span class="emphasis"><em>Samba-3 by Example</em></span> provides example network
+configurations that can be copied, or modified as needed, and deployed as-is.
+The contents have been marginally updated to reflect changes made in Samba=3.0.23.
+</p><p>
+Best use can be made of this book by finding in this section the network design and
+layout that best approximates your estimated needs. It is recommended that you will
+implement the design pattern exactly as it appears, then after the installation has
+been proven to work make any changes or modifications needed at your site.
+</p><p>
+The examples have been tested with Red Hat Fedora Core 2, Novell SUSE Linux Professional
+9.3 and Novell SUSE Linux Enterprise Server (SLES) 9. The principals of implementation
+apply to all Linux and UNIX systems in general, though some system files and tools will
+be different and the location of some Samba file locations will be different since these
+are determined by the person who packages Samba for each platform.
+</p><p>
+If you are deploying Samba is a mission-critical environment, or if you simply want
+to save time and get your Samba network operational with minimal fuss, there is the
+option to purchase commercial, professional, Samba support. Information regarding
+commercial support options may be obtained from the commercial
+<a href="http://www.samba.org/samba/support/" target="_top">support</a> pages from
+the Samba web site.
+</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="simple.html">1. No-Frills Samba Servers</a></span></dt><dd><dl><dt><span class="sect1"><a href="simple.html#id316528">Introduction</a></span></dt><dt><span class="sect1"><a href="simple.html#id316559">Assignment Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="simple.html#id316598">Drafting Office</a></span></dt><dt><span class="sect2"><a href="simple.html#id317306">Charity Administration Office</a></span></dt><dt><span class="sect2"><a href="simple.html#AccountingOffice">Accounting Office</a></span></dt></dl></dd><dt><span class="sect1"><a href="simple.html#id320818">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="small.html">2. Small Office Networking</a></span></dt><dd><dl><dt><span class="sect1"><a href="small.html#id321229">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id321247">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id321293">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id321342">Technical Issues</a></span></dt><dt><span class="sect2"><a href="small.html#id321528">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id321546">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id323199">Validation</a></span></dt><dt><span class="sect2"><a href="small.html#id323822">Notebook Computers: A Special Case</a></span></dt><dt><span class="sect2"><a href="small.html#id323841">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id323907">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="secure.html">3. 
Secure Office Networking</a></span></dt><dd><dl><dt><span class="sect1"><a href="secure.html#id324364">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id324404">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id324626">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id324638">Technical Issues</a></span></dt><dt><span class="sect2"><a href="secure.html#id325007">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id325041">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#ch4bsc">Basic System Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id325866">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4ptrcfg">Printer Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4valid">Validation</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4appscfg">Application Share Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id330151">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id330204">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="Big500users.html">4. 
The 500-User Office</a></span></dt><dd><dl><dt><span class="sect1"><a href="Big500users.html#id330645">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id330675">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id330756">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id330784">Technical Issues</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id330961">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id330980">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#ch5-dnshcp-setup">Installation of DHCP, DNS, and Samba Control Files</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id331694">Server Preparation: All Servers</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id332210">Server-Specific Preparation</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id335273">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id335326">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="happy.html">5. 
Making Happy Users</a></span></dt><dd><dl><dt><span class="sect1"><a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id336196">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id336272">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id336400">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id336802">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id338453">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id338466">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id338636">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id345079">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id345095">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id345184">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id345412">Preparation of 
Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id345510">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id345624">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id346340">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id346624">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id347264">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id347290">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id347320">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id347408">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="2000users.html">6. 
A Distributed 2000-User Network</a></span></dt><dd><dl><dt><span class="sect1"><a href="2000users.html#id347742">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id347767">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id347824">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id348070">Technical Issues</a></span></dt><dt><span class="sect2"><a href="2000users.html#id348898">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id348912">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id352072">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id352211">Questions and Answers</a></span></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="preface.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="simple.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Preface </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 1. No-Frills Samba Servers</td></tr></table></div></body></html>
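Review bot: several wording slips in the part introduction should be fixed in the DocBook source rather than in this generated HTML. "changes made in Samba=3.0.23" should be "Samba-3.0.23"; "The principals of implementation" should be "principles"; "If you are deploying Samba is a mission-critical environment" should be "in a mission-critical environment"; "It is recommended that you will implement" reads better as "It is recommended that you implement"; and "the location of some Samba file locations will be different" repeats itself and can be "the location of some Samba files will be different".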
diff --git a/docs/htmldocs/Samba3-ByExample/HA.html b/docs/htmldocs/Samba3-ByExample/HA.html
new file mode 100644
index 0000000000..3522f72ea4
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/HA.html
@@ -0,0 +1,416 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. Performance, Reliability, and Availability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="DomApps.html" title="Chapter 12. Integrating Additional Services"><link rel="next" href="ch14.html" title="Chapter 14. Samba Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. Performance, Reliability, and Availability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DomApps.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="ch14.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="HA"></a>Chapter 13. 
Performance, Reliability, and Availability</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="HA.html#id380314">Introduction</a></span></dt><dt><span class="sect1"><a href="HA.html#id380391">Dissection and Discussion</a></span></dt><dt><span class="sect1"><a href="HA.html#id380842">Guidelines for Reliable Samba Operation</a></span></dt><dd><dl><dt><span class="sect2"><a href="HA.html#id380866">Name Resolution</a></span></dt><dt><span class="sect2"><a href="HA.html#id381308">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="HA.html#id381603">Use and Location of BDCs</a></span></dt><dt><span class="sect2"><a href="HA.html#id381671">Use One Consistent Version of MS Windows Client</a></span></dt><dt><span class="sect2"><a href="HA.html#id381688">For Scalability, Use SAN-Based Storage on Samba Servers</a></span></dt><dt><span class="sect2"><a href="HA.html#id381733">Distribute Network Load with MSDFS</a></span></dt><dt><span class="sect2"><a href="HA.html#id381784">Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</a></span></dt><dt><span class="sect2"><a href="HA.html#id381824">Hardware Problems</a></span></dt><dt><span class="sect2"><a href="HA.html#id381957">Large Directories</a></span></dt></dl></dd><dt><span class="sect1"><a href="HA.html#id382035">Key Points Learned</a></span></dt></dl></div><p>
+ <a class="indexterm" name="id380277"></a>
+ <a class="indexterm" name="id380283"></a>
+ <a class="indexterm" name="id380290"></a>
+ Well, you have reached one of the last chapters of this book. It is customary to attempt
+ to wrap up the theme and contents of a book in what is generally regarded as the
+ chapter that should draw conclusions. This book is a suspense thriller, and since
+ the plot of the stories told mostly lead you to bigger, better Samba-3 networking
+ solutions, it is perhaps appropriate to close this book with a few pertinent comments
+ regarding some of the things everyone can do to deliver a reliable Samba-3 network.
+ </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
+ In a world so full of noise, how can the sparrow be heard?
+ </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Anonymous</span></td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id380314"></a>Introduction</h2></div></div></div><p>
+ <a class="indexterm" name="id380322"></a>
+ The sparrow is a small bird whose sounds are drowned out by the noise of the busy
+ world it lives in. Likewise, the simple steps that can be taken to improve the
+ reliability and availability of a Samba network are often drowned out by the volume
+ of discussions about grandiose Samba clustering designs. This is not intended to
+ suggest that clustering is not important, because clearly it is. This chapter does not devote
+ itself to discussion of clustering because each clustering methodology uses its own
+ custom tools and methods. Only passing comments are offered concerning these methods.
+ </p><p>
+ <a class="indexterm" name="id380337"></a>
+ <a class="indexterm" name="id380343"></a>
+ <a class="indexterm" name="id380350"></a>
+<a href="http://www.google.com/search?hl=en&amp;lr=&amp;ie=ISO-8859-1&amp;q=samba+cluster&amp;btnG=Google+Search" target="_top">A search</a>
+ for &#8220;<span class="quote">samba cluster</span>&#8221; produced 71,600 hits. And a search for &#8220;<span class="quote">highly available samba</span>&#8221;
+ and &#8220;<span class="quote">highly available windows</span>&#8221; produced an amazing number of references.
+ It is clear from the resources on the Internet that Windows file and print services
+ availability, reliability, and scalability are of vital interest to corporate network users.
+ </p><p>
+ <a class="indexterm" name="id380380"></a>
+ So without further background, you can review a checklist of simple steps that
+ can be taken to ensure acceptable network performance while keeping costs of ownership
+ well under control.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id380391"></a>Dissection and Discussion</h2></div></div></div><p>
+ <a class="indexterm" name="id380399"></a>
+ <a class="indexterm" name="id380406"></a>
+ If it is your purpose to get the best mileage out of your Samba servers, there is one rule that
+ must be obeyed. If you want the best, keep your implementation as simple as possible. You may
+ well be forced to introduce some complexities, but you should do so only as a last resort.
+ </p><p>
+ Simple solutions are likely to be easier to get right than are complex ones. They certainly
+ make life easier for your successor. Simple implementations can be more readily audited than can
+ complex ones.
+ </p><p>
+ <a class="indexterm" name="id380423"></a>
+ <a class="indexterm" name="id380430"></a>
+ Problems reported by users fall into three categories: configurations that do not work, those
+ that have broken behavior, and poor performance. The term <span class="emphasis"><em>broken behavior</em></span>
+ means that the function of a particular Samba component appears to work sometimes, but not at
+ others. The resulting intermittent operation is clearly unacceptable. An example of
+ <span class="emphasis"><em>broken behavior</em></span> known to many Windows networking users occurs when the
+ list of Windows machines in MS Explorer changes, sometimes listing machines that are running
+ and at other times not listing them even though the machines are in use on the network.
+ </p><p>
+ <a class="indexterm" name="id380452"></a>
+ <a class="indexterm" name="id380459"></a>
+ <a class="indexterm" name="id380466"></a>
+ <a class="indexterm" name="id380472"></a>
+ <a class="indexterm" name="id380479"></a>
+ <a class="indexterm" name="id380486"></a>
+ A significant number of reports concern problems with the <code class="literal">smbfs</code> file system
+ driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that
+ <code class="literal">smbfs</code> is part of Samba, simply because Samba includes the front-end tools
+ that are used to manage <code class="literal">smbfs</code>-based file service connections. So, just
+ for the record, the tools <code class="literal">smbmnt</code>, <code class="literal">smbmount</code>,
+ <code class="literal">smbumount</code>, and <code class="literal">smbumnt</code> are front-end
+ facilities to core drivers that are supplied as part of the Linux kernel. These tools share a
+ common infrastructure with some Samba components, but they are not maintained as part of
+ Samba and are really foreign to it.
+ </p><p>
+ <a class="indexterm" name="id380542"></a>
+ The new project, <code class="literal">cifsfs</code>, is destined to replace <code class="literal">smbfs</code>.
+ It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in
+ this project.
+ </p><p>
+ Table 13.1 lists typical causes of:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Not Working (NW)</p></li><li><p>Broken Behavior (BB)</p></li><li><p>Poor Performance (PP)</p></li></ul></div><div class="table"><a name="ProbList"></a><p class="title"><b>Table 13.1. Effect of Common Problems</b></p><div class="table-contents"><table summary="Effect of Common Problems" border="1"><colgroup><col align="left"><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="left"><p>Problem</p></th><th align="center"><p>NW</p></th><th align="center"><p>BB</p></th><th align="center"><p>PP</p></th></tr></thead><tbody><tr><td align="left"><p>File locking</p></td><td align="center"><p>-</p></td><td align="center"><p>X</p></td><td align="center"><p>-</p></td></tr><tr><td align="left"><p>Hardware problems</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td></tr><tr><td align="left"><p>Incorrect authentication</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>-</p></td></tr><tr><td align="left"><p>Incorrect configuration</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td></tr><tr><td align="left"><p>LDAP problems</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>-</p></td></tr><tr><td align="left"><p>Name resolution</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td></tr><tr><td align="left"><p>Printing problems</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td align="center"><p>-</p></td></tr><tr><td align="left"><p>Slow file transfer</p></td><td align="center"><p>-</p></td><td align="center"><p>-</p></td><td align="center"><p>X</p></td></tr><tr><td align="left"><p>Winbind problems</p></td><td align="center"><p>X</p></td><td align="center"><p>X</p></td><td 
align="center"><p>-</p></td></tr></tbody></table></div></div><br class="table-break"><p>
+ <a class="indexterm" name="id380831"></a>
+ It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate
+ problems that affect basic network operation. This book has provided sufficient working examples
+ to help you to avoid all these problems.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id380842"></a>Guidelines for Reliable Samba Operation</h2></div></div></div><p>
+ <a class="indexterm" name="id380850"></a>
+ <a class="indexterm" name="id380856"></a>
+ Your objective is to provide a network that works correctly, can grow at all times, is resilient
+ at times of extreme demand, and can scale to meet future needs. The following subject areas provide
+ pointers that can help you today.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id380866"></a>Name Resolution</h3></div></div></div><p>
+ There are three basic current problem areas: bad hostnames, routed networks, and network collisions.
+ These are covered in the following discussion.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id380877"></a>Bad Hostnames</h4></div></div></div><p>
+ <a class="indexterm" name="id380884"></a>
+ <a class="indexterm" name="id380894"></a>
+ <a class="indexterm" name="id380900"></a>
+ <a class="indexterm" name="id380907"></a>
+ <a class="indexterm" name="id380914"></a>
+ When configured as a DHCP client, a number of Linux distributions set the system hostname
+ to <code class="constant">localhost</code>. If the parameter <em class="parameter"><code>netbios name</code></em> is not
+ specified to something other than <code class="constant">localhost</code>, the Samba server appears
+ in the Windows Explorer as <code class="constant">LOCALHOST</code>. Moreover, the entry in the <code class="filename">/etc/hosts</code>
+ on the Linux server points to IP address <code class="constant">127.0.0.1</code>. This means that
+ when the Windows client obtains the IP address of the Samba server called <code class="constant">LOCALHOST</code>,
+ it obtains the IP address <code class="constant">127.0.0.1</code> and then proceeds to attempt to
+ set up a NetBIOS over TCP/IP connection to it. This cannot work, because that IP address is
+ the local Windows machine itself. Hostnames must be valid for Windows networking to function
+ correctly.
+ </p><p>
+ <a class="indexterm" name="id380963"></a>
+ A few sites have tried to name Windows clients and Samba servers with a name that begins
+ with the digits 1-9. This does not work either because it may result in the client or
+ server attempting to use that name as an IP address.
+ </p><p>
+ <a class="indexterm" name="id380975"></a>
+ <a class="indexterm" name="id380984"></a>
+ A Samba server called <code class="constant">FRED</code> in a NetBIOS domain called <code class="constant">COLLISION</code>
+ in a network environment that is part of the fully-qualified Internet domain namespace known
+ as <code class="constant">parrots.com</code>, results in DNS name lookups for <code class="constant">fred.parrots.com</code>
+ and <code class="constant">collision.parrots.com</code>. It is therefore a mistake to name the domain
+ (workgroup) <code class="constant">collision.parrots.com</code>, since this results in DNS lookup
+ attempts to resolve <code class="constant">fred.parrots.com.parrots.com</code>, which most likely
+ fails given that you probably do not have this in your DNS namespace.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id381024"></a>
+ <a class="indexterm" name="id381033"></a>
+ <a class="indexterm" name="id381040"></a>
+ An Active Directory realm called <code class="constant">collision.parrots.com</code> is perfectly okay,
+ although it too must be capable of being resolved via DNS, something that functions correctly
+ if Windows 200x ADS has been properly installed and configured.
+ </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id381054"></a>Routed Networks</h4></div></div></div><p>
+ <a class="indexterm" name="id381062"></a>
+ <a class="indexterm" name="id381069"></a>
+ <a class="indexterm" name="id381078"></a>
+ NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use
+ of UDP-based broadcast traffic, as you saw during the exercises in <a href="primer.html" title="Chapter 16. Networking Primer">???</a>.
+ </p><p>
+ <a class="indexterm" name="id381096"></a>
+ <a class="indexterm" name="id381103"></a>
+ <a class="indexterm" name="id381110"></a>
+ UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based
+ networking cannot function across routed networks (i.e., multi-subnet networks) unless
+ special provisions are made:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id381125"></a>
+ <a class="indexterm" name="id381132"></a>
+ <a class="indexterm" name="id381139"></a>
+ Either install on every Windows client an LMHOSTS file (located in the directory
+ <code class="filename">C:\windows\system32\drivers\etc</code>). It is also necessary to
+ add to the Samba server <code class="filename">smb.conf</code> file the parameters <em class="parameter"><code>remote announce</code></em>
+ and <em class="parameter"><code>remote browse sync</code></em>. For more information, refer to the online
+ manual page for the <code class="filename">smb.conf</code> file.
+ </p></li><li><p>
+ <a class="indexterm" name="id381182"></a>
+ Or configure Samba as a WINS server, and configure all network clients to use that
+ WINS server in their TCP/IP configuration.
+ </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id381197"></a>
+ <a class="indexterm" name="id381207"></a>
+ The use of DNS is not an acceptable substitute for WINS. DNS does not store specific
+ information regarding NetBIOS networking particulars that get stored in the WINS
+ name resolution database and that Windows clients require and depend on.
+ </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id381218"></a>Network Collisions</h4></div></div></div><p>
+ <a class="indexterm" name="id381225"></a>
+ <a class="indexterm" name="id381234"></a>
+ <a class="indexterm" name="id381244"></a>
+ <a class="indexterm" name="id381250"></a>
+ Excessive network activity causes NetBIOS network timeouts. Timeouts may result in
+ blue screen of death (BSOD) experiences. High collision rates may be caused by excessive
+ UDP broadcast activity, by defective networking hardware, or through excessive network
+ loads (another way of saying that the network is poorly designed).
+ </p><p>
+ The use of WINS is highly recommended to reduce network broadcast traffic, as outlined
+ in <a href="primer.html" title="Chapter 16. Networking Primer">???</a>.
+ </p><p>
+ <a class="indexterm" name="id381276"></a>
+ <a class="indexterm" name="id381282"></a>
+ <a class="indexterm" name="id381289"></a>
+ Under no circumstances should the facility be supported by many routers, known as <code class="constant">NetBIOS
+ forwarding</code>, unless you know exactly what you are doing. Inappropriate use of this
+ facility can result in UDP broadcast storms. In one case in 1999, a university network became
+ unusable due to NetBIOS forwarding being enabled on all routers. The problem was discovered during performance
+ testing of a Samba server. The maximum throughput on a 100-Base-T (100 MB/sec) network was
+ less than 15 KB/sec. After the NetBIOS forwarding was turned off, file transfer performance
+ immediately returned to 11 MB/sec.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381308"></a>Samba Configuration</h3></div></div></div><p>
+ As a general rule, the contents of the <code class="filename">smb.conf</code> file should be kept as simple as possible.
+ No parameter should be specified unless you know it is essential to operation.
+ </p><p>
+ <a class="indexterm" name="id381326"></a>
+ <a class="indexterm" name="id381333"></a>
+ <a class="indexterm" name="id381340"></a>
+ Many UNIX administrators like to fully document the settings in the <code class="filename">smb.conf</code> file. This is a
+ bad idea because it adds content to the file. The <code class="filename">smb.conf</code> file is re-read by every <code class="literal">smbd</code>
+ process every time the file timestamp changes (or, on systems where this does not work, every 20 seconds or so).
+ </p><p>
+ As the size of the <code class="filename">smb.conf</code> file grows, the risk of introducing parsing errors also increases.
+ It is recommended to keep a fully documented <code class="filename">smb.conf</code> file on hand, and then to operate Samba only
+ with an optimized file.
+ </p><p><a class="indexterm" name="id381386"></a>
+ The preferred way to maintain a documented file is to call it something like <code class="filename">smb.conf.master</code>.
+ You can generate the optimized file by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm -s smb.conf.master &gt; smb.conf
+</pre><p>
+ You should carefully observe all warnings issued. It is also a good practice to execute the following
+ command to confirm correct interpretation of the <code class="filename">smb.conf</code> file contents:
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm
+Load smb config files from /etc/samba/smb.conf
+Can't find include file /etc/samba/machine.
+Processing section "[homes]"
+Processing section "[print$]"
+Processing section "[netlogon]"
+Processing section "[Profiles]"
+Processing section "[printers]"
+Processing section "[media]"
+Processing section "[data]"
+Processing section "[cdr]"
+Processing section "[apps]"
+Loaded services file OK.
+'winbind separator = +' might cause problems with group membership.
+Server role: ROLE_DOMAIN_PDC
+Press enter to see a dump of your service definitions
+</pre><p>
+ <a class="indexterm" name="id381437"></a>
+ You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C.
+ The important thing to note is the noted Server role, as well as warning messages. Noted configuration
+ conflicts must be remedied before proceeding. For example, the following error message represents a
+ common fatal problem:
+</p><pre class="screen">
+ERROR: both 'wins support = true' and 'wins server = &lt;server list&gt;'
+cannot be set in the smb.conf file. nmbd will abort with this setting.
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id381458"></a>
+ <a class="indexterm" name="id381465"></a>
+ <a class="indexterm" name="id381472"></a>
+ There are two parameters that can cause severe network performance degradation: <em class="parameter"><code>socket options</code></em>
+ and <em class="parameter"><code>socket address</code></em>. The <em class="parameter"><code>socket options</code></em> parameter was often necessary
+ when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from
+ this parameter being set. Do not use either parameter unless it has been proven necessary to use them.
+ </p><p>
+ <a class="indexterm" name="id381503"></a>
+ <a class="indexterm" name="id381510"></a>
+ <a class="indexterm" name="id381516"></a>
+ <a class="indexterm" name="id381523"></a>
+ Another <code class="filename">smb.conf</code> parameter that may cause severe network performance degradation is the
+ <em class="parameter"><code>strict sync</code></em> parameter. Do not use this at all. There is no good reason
+ to use this with any modern Windows client. The <em class="parameter"><code>strict sync</code></em> is often
+ used with the <em class="parameter"><code>sync always</code></em> parameter. This, too, can severely
+ degrade network performance, so do not set it; if you must, do so with caution.
+ </p><p>
+ <a class="indexterm" name="id381562"></a>
+ <a class="indexterm" name="id381569"></a>
+ <a class="indexterm" name="id381576"></a>
+ <a class="indexterm" name="id381582"></a>
+ Finally, many network administrators deliberately disable opportunistic locking support. While this
+ does not degrade Samba performance, it significantly degrades Windows client performance because
+ this disables local file caching on Windows clients and forces every file read and written to
+ invoke a network read or write call. If for any reason you must disable oplocks (opportunistic locking)
+ support, do so only on the share on which it is required. That way, all other shares can provide
+ oplock support for operations that are tolerant of it. See <a href="appendix.html#ch12dblck" title="Shared Data Integrity">???</a> for more
+ information.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381603"></a>Use and Location of BDCs</h3></div></div></div><p>
+ <a class="indexterm" name="id381611"></a>
+ <a class="indexterm" name="id381617"></a>
+ <a class="indexterm" name="id381624"></a>
+ <a class="indexterm" name="id381631"></a>
+ <a class="indexterm" name="id381638"></a>
+ On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon
+ processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of
+ authentication and logon processing. When a sole BDC on a routed network segment gets heavily
+ loaded, it is possible that network logon requests and authentication requests may be directed
+ to a BDC on a distant network segment. This significantly hinders WAN operations
+ and is undesirable.
+ </p><p>
+ <a class="indexterm" name="id381652"></a>
+ <a class="indexterm" name="id381659"></a>
+ As a general guide, instead of adding domain member servers to a network, you would be better advised
+ to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add
+ domain member servers. This practice ensures that there are always sufficient domain controllers
+ to handle logon requests and authentication traffic.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381671"></a>Use One Consistent Version of MS Windows Client</h3></div></div></div><p>
+ Every network client has its own peculiarities. From a management perspective, it is easier to deal
+ with one version of MS Windows that is maintained to a consistent update level than it is to deal
+ with a mixture of clients.
+ </p><p>
+ On a number of occasions, particular Microsoft service pack updates of a Windows server or client
+ have necessitated special handling from the Samba server end. If you want to remain sane, keep you
+ client workstation configurations consistent.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381688"></a>For Scalability, Use SAN-Based Storage on Samba Servers</h3></div></div></div><p>
+ <a class="indexterm" name="id381696"></a>
+ <a class="indexterm" name="id381703"></a>
+ Many SAN-based storage systems permit more than one server to share a common data store.
+ Use of a shared SAN data store means that you do not need to use time- and resource-hungry data
+ synchronization techniques.
+ </p><p>
+ <a class="indexterm" name="id381715"></a>
+ <a class="indexterm" name="id381722"></a>
+ The use of a collection of relatively low-cost front-end Samba servers that are coupled to
+ a shared backend SAN data store permits load distribution while containing costs below that
+ of installing and managing a complex clustering facility.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381733"></a>Distribute Network Load with MSDFS</h3></div></div></div><p>
+ <a class="indexterm" name="id381741"></a>
+ <a class="indexterm" name="id381748"></a>
+ Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits
+ data to be accessed from a single share and yet to actually be distributed across multiple actual
+ servers. Refer to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 19, for information regarding
+ implementation of an MSDFS installation.
+ </p><p>
+ <a class="indexterm" name="id381764"></a>
+ <a class="indexterm" name="id381773"></a>
+ The combination of multiple backend servers together with a front-end server and use of MSDFS
+ can achieve almost the same as you would obtain with a clustered Samba server.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381784"></a>Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</h3></div></div></div><p>
+ <a class="indexterm" name="id381792"></a>
+ <a class="indexterm" name="id381798"></a>
+ <a class="indexterm" name="id381805"></a>
+ Consider using <code class="literal">rsync</code> to replicate data across the WAN during times
+ of low utilization. Users can then access the replicated data store rather than needing to do so
+ across the WAN. This works best for read-only data, but with careful planning can be
+ implemented so that modified files get replicated back to the point of origin. Be careful with your
+ implementation if you choose to permit modification and return replication of the modified file;
+ otherwise, you may inadvertently overwrite important data.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381824"></a>Hardware Problems</h3></div></div></div><p>
+ <a class="indexterm" name="id381832"></a>
+ <a class="indexterm" name="id381839"></a>
+ <a class="indexterm" name="id381846"></a>
+ <a class="indexterm" name="id381853"></a>
+ <a class="indexterm" name="id381862"></a>
+ <a class="indexterm" name="id381871"></a>
+ Networking hardware prices have fallen sharply over the past 5 years. A surprising number
+ of Samba networking problems over this time have been traced to defective network interface
+ cards (NICs) or defective HUBs, switches, and cables.
+ </p><p>
+ <a class="indexterm" name="id381886"></a>
+ Not surprising is the fact that network administrators do not like to be shown to have made
+ a bad decision. Money saved in buying low-cost hardware may result in high costs incurred
+ in corrective action.
+ </p><p>
+ <a class="indexterm" name="id381897"></a>
+ <a class="indexterm" name="id381904"></a>
+ <a class="indexterm" name="id381911"></a>
+ <a class="indexterm" name="id381918"></a>
+ <a class="indexterm" name="id381925"></a>
+ Defective NICs, HUBs, and switches may appear as intermittent network access problems, intermittent
+ or persistent data corruption, slow network throughput, low performance, or even as BSOD
+ problems with MS Windows clients. In one case, a company updated several workstations with newer, faster
+ Windows client machines that triggered problems during logon as well as data integrity problems on
+ an older PC that was unaffected so long as the new machines were kept shut down.
+ </p><p>
+ Defective hardware problems may take patience and persistence before the real cause can be discovered.
+ </p><p>
+ <a class="indexterm" name="id381943"></a>
+ Networking hardware defects can significantly impact perceived Samba performance, but defective
+ RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server
+ operations. One business came to this realization only after replacing a Samba installation with MS
+ Windows Server 2000 running on the same hardware. The root of the problem completely eluded the network
+ administrator until the entire server was replaced. While you may well think that this would never
+ happen to you, experience shows that given the right (unfortunate) circumstances, this can happen to anyone.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id381957"></a>Large Directories</h3></div></div></div><p>
+ There exist applications that create or manage directories containing many thousands of files. Such
+ applications typically generate many small files (less than 100 KB). At the best of times, under UNIX,
+ listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x,
+ and XP Pro cause network file system directory lookups on a Samba server to be performed for both
+ the case preserving file name as well as for the mangled (8.3) file name. This incurs a huge overhead
+ on the Samba server that may slow down the system dramatically.
+ </p><p>
+ In an extreme case, the performance impact was dramatic. File transfer from the Samba server to a Windows
+ XP Professional workstation over 1 Gigabit Ethernet for 250-500 KB files was measured at approximately
+ 30 MB/sec. But when tranferring a directory containing 120,000 files, all from 50KB to 60KB in size, the
+ transfer rate to the same workstation was measured at approximately 1.5 KB/sec. The net transfer was
+ on the order of a factor of 20-fold slower.
+ </p><p>
+ The symptoms that will be observed on the Samba server when a large directory is accessed will be that
+ aggregate I/O (typically blocks read) will be relatively low, yet the wait I/O times will be incredibly
+ long while at the same time the read queue is large. Close observation will show that the hard drive
+ that the file system is on will be thrashing wildly.
+ </p><p>
+ Samba-3.0.12 and later, includes new code that radically improves Samba perfomance. The secret to this is
+ really in the <a class="indexterm" name="id381988"></a>case sensitive = True line. This tells smbd never to scan
+ for case-insensitive versions of names. So if an application asks for a file called <code class="filename">FOO</code>,
+ and it can not be found by a simple stat call, then smbd will return "file not found" immediately without
+ scanning the containing directory for a version of a different case.
+ </p><p>
+ Canonicalize all the files in the directory to have one case, upper or lower - either will do. Then set up
+ a new custom share for the application as follows:
+ </p><pre class="screen">
+ [bigshare]
+ path = /data/xrayfiles/neurosurgeons/
+ read only = no
+ case sensitive = True
+ default case = upper
+ preserve case = no
+ short preserve case = no
+ </pre><p>
+ </p><p>
+ All files and directories under the <em class="parameter"><code>path</code></em> directory must be in the same case
+ as specified in the <code class="filename">smb.conf</code> stanza. This means that smbd will not be able to find lower case
+ filenames with these settings. Note, this is done on a per-share basis.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id382035"></a>Key Points Learned</h2></div></div></div><p>
+ This chapter has touched in broad sweeps on a number of simple steps that can be taken
+ to ensure that your Samba network is resilient, scalable, and reliable, and that it
+ performs well.
+ </p><p>
+ Always keep in mind that someone is responsible to maintain and manage your design.
+ In the long term, that may not be you. Spare a thought for your successor and give him or
+ her an even break.
+ </p><p>
+ <a class="indexterm" name="id382053"></a>
+ Last, but not least, you should not only keep the network design simple, but also be sure it is
+ well documented. This book may serve as your pattern for documenting every
+ aspect of your design, its implementation, and particularly the objects and assumptions
+ that underlie it.
+ </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DomApps.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ch14.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Integrating Additional Services </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. Samba Support</td></tr></table></div></body></html>
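Review bot: three cross-references in this file are emitted as the literal text "???" (the two links to primer.html in the Routed Networks and Network Collisions paragraphs, and the link to appendix.html#ch12dblck at the end of the Samba Configuration section), so a reader sees "as you saw during the exercises in ???"; the DocBook build did not resolve the xref titles, and the HTML should be regenerated, or the xrefs given explicit link text such as "the Networking Primer" and "Shared Data Integrity", before this ships. Two technical points in the same text: the Network Collisions anecdote describes 100-Base-T as "100 MB/sec", but the 11 MB/sec throughput quoted two sentences later only makes sense for a 100 Mbit/sec link, so the unit should read "100 Mbit/sec"; and the sample testparm output in Samba Configuration includes the warning "Can't find include file /etc/samba/machine." with no comment, immediately after telling the reader to carefully observe all warnings, so a sentence saying whether that warning is expected for the example configuration (or sample output without it) would avoid confusion. Wording and typos worth fixing in the source before the next regeneration: "Under no circumstances should the facility be supported by many routers, known as NetBIOS forwarding" reads as if routers should not support it, where the intent is that the NetBIOS forwarding facility offered by many routers should not be used; "keep you client workstation configurations" (your); "tranferring"; "perfomance".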
diff --git a/docs/htmldocs/Samba3-ByExample/RefSection.html b/docs/htmldocs/Samba3-ByExample/RefSection.html
new file mode 100644
index 0000000000..fbe6a5e7d6
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/RefSection.html
@@ -0,0 +1,17 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part III. Reference Section</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="nw4migration.html" title="Chapter 10. Migrating NetWare Server to Samba-3"><link rel="next" href="kerberos.html" title="Chapter 11. Active Directory, Kerberos, and Security"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part III. Reference Section</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="nw4migration.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="kerberos.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="RefSection"></a>Part III. Reference Section</h1></div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id372526"></a>Reference Section</h1></div></div></div><p>
+This section <span class="emphasis"><em>Samba-3 by Example</em></span> provides important reference material
+that may help you to solve network performance issues, to answer some of the critiques
+published regarding Samba, or just to gain a more broad understanding of how Samba can
+play in a Windows networking world.
+</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="kerberos.html">11. Active Directory, Kerberos, and Security</a></span></dt><dd><dl><dt><span class="sect1"><a href="kerberos.html#id372607">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id373189">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id373203">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id373574">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id375060">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id375395">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id376321">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id377005">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id377127">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="DomApps.html">12. 
Integrating Additional Services</a></span></dt><dd><dl><dt><span class="sect1"><a href="DomApps.html#id377711">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id377734">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id377820">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id377849">Technical Issues</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id377995">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id378010">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id379772">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id379827">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="HA.html">13. Performance, Reliability, and Availability</a></span></dt><dd><dl><dt><span class="sect1"><a href="HA.html#id380314">Introduction</a></span></dt><dt><span class="sect1"><a href="HA.html#id380391">Dissection and Discussion</a></span></dt><dt><span class="sect1"><a href="HA.html#id380842">Guidelines for Reliable Samba Operation</a></span></dt><dd><dl><dt><span class="sect2"><a href="HA.html#id380866">Name Resolution</a></span></dt><dt><span class="sect2"><a href="HA.html#id381308">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="HA.html#id381603">Use and Location of BDCs</a></span></dt><dt><span class="sect2"><a href="HA.html#id381671">Use One Consistent Version of MS Windows Client</a></span></dt><dt><span class="sect2"><a href="HA.html#id381688">For Scalability, Use SAN-Based Storage on Samba Servers</a></span></dt><dt><span class="sect2"><a href="HA.html#id381733">Distribute Network Load with MSDFS</a></span></dt><dt><span class="sect2"><a 
href="HA.html#id381784">Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</a></span></dt><dt><span class="sect2"><a href="HA.html#id381824">Hardware Problems</a></span></dt><dt><span class="sect2"><a href="HA.html#id381957">Large Directories</a></span></dt></dl></dd><dt><span class="sect1"><a href="HA.html#id382035">Key Points Learned</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch14.html">14. Samba Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch14.html#id382184">Free Support</a></span></dt><dt><span class="sect1"><a href="ch14.html#id382382">Commercial Support</a></span></dt></dl></dd><dt><span class="chapter"><a href="appendix.html">15. A Collection of Useful Tidbits</a></span></dt><dd><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383041">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383432">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383730">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id383740">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id383783">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id383865">DNS Root Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id383921">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id384378">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#id385293">IDEALX Management Console</a></span></dt><dt><span class="sect1"><a 
href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id385724">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id385863">Act! Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id385938">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="primer.html">16. Networking Primer</a></span></dt><dd><dl><dt><span class="sect1"><a href="primer.html#id386080">Requirements and Notes</a></span></dt><dt><span class="sect1"><a href="primer.html#id386216">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id386266">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#id386373">Exercises</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id386486">Single-Machine Broadcast Activity</a></span></dt><dt><span class="sect2"><a href="primer.html#secondmachine">Second Machine Startup Broadcast Interaction</a></span></dt><dt><span class="sect2"><a href="primer.html#id387580">Simple Windows Client Connection Characteristics</a></span></dt><dt><span class="sect2"><a href="primer.html#id388041">Windows 200x/XP Client Interaction with Samba-3</a></span></dt><dt><span class="sect2"><a href="primer.html#id388566">Conclusions to Exercises</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01conc">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id388668">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01qa">Questions and Answers</a></span></dt></dl></dd><dt><span class="appendix"><a href="gpl.html">A. 
GNU General Public License</a></span></dt><dd><dl><dt><span class="sect1"><a href="gpl.html#gpl-1">Preamble</a></span></dt><dt><span class="sect1"><a href="gpl.html#gpl-2">TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION</a></span></dt><dd><dl><dt><span class="sect2"><a href="gpl.html#gpl-2-0">Section 0</a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-1">Section 1</a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-2">Section 2</a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-3">Section 3
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-4">Section 4
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-5">Section 5
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-6">Section 6
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-7">Section 7
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-8">Section 8
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-9">Section 9
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-10">Section 10
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-11">NO WARRANTY Section 11
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-12">Section 12
+ </a></span></dt></dl></dd><dt><span class="sect1"><a href="gpl.html#gpl-3">How to Apply These Terms to Your New Programs
+ </a></span></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="nw4migration.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="kerberos.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 10. Migrating NetWare Server to Samba-3 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 11. Active Directory, Kerberos, and Security</td></tr></table></div></body></html>
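Review bot: the part introduction is missing a word, "This section Samba-3 by Example provides" should read "This section of Samba-3 by Example provides", and "a more broad understanding" reads better as "a broader understanding". The table-of-contents anchors for the GPL appendix (Section 3 through Section 12 and "How to Apply These Terms to Your New Programs") carry a trailing newline and indentation inside the link text, which renders as a stray space in every generated TOC; trimming the whitespace in those section titles in the DocBook source fixes all of them at once.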
diff --git a/docs/htmldocs/Samba3-ByExample/appendix.html b/docs/htmldocs/Samba3-ByExample/appendix.html
new file mode 100644
index 0000000000..77e695835c
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/appendix.html
@@ -0,0 +1,1060 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. A Collection of Useful Tidbits</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="ch14.html" title="Chapter 14. Samba Support"><link rel="next" href="primer.html" title="Chapter 16. Networking Primer"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 15. A Collection of Useful Tidbits</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch14.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="primer.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="appendix"></a>Chapter 15. 
A Collection of Useful Tidbits</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383041">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383432">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383730">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id383740">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id383783">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id383865">DNS Root Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id383921">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id384378">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#id385293">IDEALX Management Console</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id385724">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id385863">Act! Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id385938">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></div><p>
+ <a class="indexterm" name="id382496"></a>
+ <a class="indexterm" name="id382502"></a>
+ Information presented here is considered to be either basic or well-known material that is informative
+ yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
+ the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps
+ different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical,
+ as shown in the example given below.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domjoin"></a>Joining a Domain: Windows 200x/XP Professional</h2></div></div></div><p>
+ <a class="indexterm" name="id382529"></a>
+ Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
+ This section steps through the process for making a Windows 200x/XP Professional machine a
+ member of a Domain Security environment. It should be noted that this process is identical
+ when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC.
+ </p><div class="procedure"><a name="id382539"></a><p class="title"><b>Procedure 15.1. Steps to Join a Domain</b></p><ol type="1"><li><p>
+ Click <span class="guimenu">Start</span>.
+ </p></li><li><p>
+ Right-click <span class="guimenu">My Computer</span>, and then select <span class="guimenuitem">Properties</span>.
+ </p></li><li><p>
+ The opening panel is the same one that can be reached by clicking <span class="guimenu">System</span> on the Control Panel.
+ See <a href="appendix.html#swxpp001" title="Figure 15.1. The General Panel.">???</a>.
+ </p><div class="figure"><a name="swxpp001"></a><p class="title"><b>Figure 15.1. The General Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp001.png" alt="The General Panel."></div></div></div><p><br class="figure-break">
+ </p></li><li><p>
+ Click the <span class="guimenu">Computer Name</span> tab.
+ This panel shows the <span class="guimenuitem">Computer Description</span>, the <span class="guimenuitem">Full computer name</span>,
+ and the <span class="guimenuitem">Workgroup</span> or <span class="guimenuitem">Domain name</span>.
+ </p><p>
+ Clicking the <span class="guimenu">Network ID</span> button launches the configuration wizard. Do not use this with
+ Samba-3. If you wish to change the computer name, or join or leave the domain, click the <span class="guimenu">Change</span> button.
+ See <a href="appendix.html#swxpp004" title="Figure 15.2. The Computer Name Panel.">???</a>.
+ </p><div class="figure"><a name="swxpp004"></a><p class="title"><b>Figure 15.2. The Computer Name Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp004.png" alt="The Computer Name Panel."></div></div></div><p><br class="figure-break">
+ </p></li><li><p>
+ Click on <span class="guimenu">Change</span>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP.
+ We join the domain called MIDEARTH. See <a href="appendix.html#swxpp006" title="Figure 15.3. The Computer Name Changes Panel">???</a>.
+ </p><div class="figure"><a name="swxpp006"></a><p class="title"><b>Figure 15.3. The Computer Name Changes Panel</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp006.png" alt="The Computer Name Changes Panel"></div></div></div><p><br class="figure-break">
+ </p></li><li><p>
+ Enter the name <span class="guimenu">MIDEARTH</span> in the field below the Domain radio button.
+ </p><p>
+ This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <a href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">???</a>.
+ </p><div class="figure"><a name="swxpp007"></a><p class="title"><b>Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp007.png" alt="The Computer Name Changes Panel Domain MIDEARTH"></div></div></div><p><br class="figure-break">
+ </p></li><li><p>
+ Now click the <span class="guimenu">OK</span> button. A dialog box should appear to allow you to provide the credentials (username and password)
+ of a domain administrative account that has the rights to add machines to the domain.
+ </p><p>
+ Enter the name &#8220;<span class="quote">root</span>&#8221; and the root password from your Samba-3 server. See <a href="appendix.html#swxpp008" title="Figure 15.5. Computer Name Changes User name and Password Panel">???</a>.
+ </p><div class="figure"><a name="swxpp008"></a><p class="title"><b>Figure 15.5. Computer Name Changes User name and Password Panel</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp008.png" alt="Computer Name Changes User name and Password Panel"></div></div></div><p><br class="figure-break">
+ </p></li><li><p>
+ Click <span class="guimenu">OK</span>.
+ </p><p>
+ The &#8220;<span class="quote">Welcome to the MIDEARTH domain</span>&#8221; dialog box should appear. At this point, the machine must be rebooted.
+ Joining the domain is now complete.
+ </p></li></ol></div><p>
+ <a class="indexterm" name="id382944"></a>
+ <a class="indexterm" name="id382951"></a>
+ The screen capture shown in <a href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">???</a> has a button labeled <span class="guimenu">More...</span>. This button opens a
+ panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
+ of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.
+ </p><p>
+ <a class="indexterm" name="id382974"></a>
+ <a class="indexterm" name="id382981"></a>
+ Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
+ register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
+ to find the services (like which machines are domain controllers or which machines have the Netlogon service running).
+ </p><p>
+ <a class="indexterm" name="id382996"></a>
+ The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
+ this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to
+ a valid IP address.
+ </p><p>
+ The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
+ Where the client is a member of a Samba domain, it is preferable to leave this field blank.
+ </p><p>
+ <a class="indexterm" name="id383016"></a>
+ According to Microsoft documentation, &#8220;<span class="quote">If this computer belongs to a group with <code class="constant">Group Policy</code>
+ enabled on <code class="literal">Primary DNS suffice of this computer</code>, the string specified in the Group Policy is used
+ as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
+ used only if Group Policy is disabled or unspecified.</span>&#8221;
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id383041"></a>Samba System File Location</h2></div></div></div><p><a class="indexterm" name="id383048"></a><a class="indexterm" name="id383056"></a><a class="indexterm" name="id383063"></a>
+ One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team
+ build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is
+ in the <code class="filename">/usr/local/samba</code> directory. This is a perfectly reasonable location, particularly given all the other
+ Open Source software that installs into the <code class="filename">/usr/local</code> subdirectories.
+ </p><p>
+ Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team
+ default.
+ </p><p><a class="indexterm" name="id383094"></a><a class="indexterm" name="id383105"></a><a class="indexterm" name="id383113"></a><a class="indexterm" name="id383124"></a><a class="indexterm" name="id383132"></a><a class="indexterm" name="id383143"></a><a class="indexterm" name="id383150"></a><a class="indexterm" name="id383158"></a><a class="indexterm" name="id383166"></a><a class="indexterm" name="id383174"></a><a class="indexterm" name="id383182"></a><a class="indexterm" name="id383190"></a><a class="indexterm" name="id383198"></a><a class="indexterm" name="id383205"></a><a class="indexterm" name="id383213"></a><a class="indexterm" name="id383221"></a>
+ Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy
+ System (FHS), have elected to locate the configuration files under the <code class="filename">/etc/samba</code> directory, common binary
+ files (those used by users) in the <code class="filename">/usr/bin</code> directory, and the administrative files (daemons) in the
+ <code class="filename">/usr/sbin</code> directory. Support files for the Samba Web Admin Tool (SWAT) are located under the
+ <code class="filename">/usr/share</code> directory, either in <code class="filename">/usr/share/samba/swat</code> or in
+ <code class="filename">/usr/share/swat</code>. There are additional support files for <code class="literal">smbd</code> in the
+ <code class="filename">/usr/lib/samba</code> directory tree. The files located there include the dynamically loadable modules for the
+ passdb backend as well as for the VFS modules.
+ </p><p><a class="indexterm" name="id383285"></a><a class="indexterm" name="id383292"></a><a class="indexterm" name="id383300"></a>
+ Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in
+ the <code class="filename">/var/lib/samba</code> directory. Log files are created in <code class="filename">/var/log/samba.</code>
+ </p><p>
+ When Samba is built and installed using the default Samba Team process, all files are located under the
+ <code class="filename">/usr/local/samba</code> directory tree. This makes it simple to find the files that Samba owns.
+ </p><p><a class="indexterm" name="id383335"></a>
+ One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location
+ of all files called <code class="literal">smbd</code>. Here is an example:
+</p><pre class="screen">
+<code class="prompt">root# </code> find / -name smbd -print
+</pre><p>
+ You can find the location of the configuration files by running:
+</p><pre class="screen">
+<code class="prompt">root# </code> /path-to-binary-file/smbd -b | more
+...
+Paths:
+ SBINDIR: /usr/sbin
+ BINDIR: /usr/bin
+ SWATDIR: /usr/share/samba/swat
+ CONFIGFILE: /etc/samba/smb.conf
+ LOGFILEBASE: /var/log/samba
+ LMHOSTSFILE: /etc/samba/lmhosts
+ LIBDIR: /usr/lib/samba
+ SHLIBEXT: so
+ LOCKDIR: /var/lib/samba
+ PIDDIR: /var/run/samba
+ SMB_PASSWD_FILE: /etc/samba/smbpasswd
+ PRIVATE_DIR: /etc/samba
+...
+</pre><p>
+ If you wish to locate the Samba version, just run:
+</p><pre class="screen">
+<code class="prompt">root# </code> /path-to-binary-file/smbd -V
+Version 3.0.20-SUSE
+</pre><p>
+ </p><p>
+ Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
+ by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by
+ executing:<a class="indexterm" name="id383400"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -qa | grep samba
+samba3-pdb-3.0.20-1
+samba3-vscan-0.3.6-0
+samba3-winbind-3.0.20-1
+samba3-3.0.20-1
+samba3-python-3.0.20-1
+samba3-utils-3.0.20-1
+samba3-doc-3.0.20-1
+samba3-client-3.0.20-1
+samba3-cifsmount-3.0.20-1
+ </pre><p><a class="indexterm" name="id383420"></a>
+ The package names, of course, vary according to how the vendor, or the binary package builder, prepared them.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id383432"></a>Starting Samba</h2></div></div></div><p><a class="indexterm" name="id383439"></a>
+ Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
+ An example of a service is the Apache Web server for which the daemon is called <code class="literal">httpd</code>. In the case of Samba, there
+ are three daemons, two of which are needed as a minimum.
+ </p><p>
+ The Samba server is made up of the following daemons:
+ </p><div class="example"><a name="ch12SL"></a><p class="title"><b>Example 15.1. A Useful Samba Control Script for SUSE Linux</b></p><div class="example-contents"><pre class="screen">
+#!/bin/bash
+#
+# Script to start/stop samba
+# Locate this in /sbin as a file called 'samba'
+
+RCD=/etc/rc.d
+
+if [ z$1 == 'z' ]; then
+ echo $0 - No arguments given; must be start or stop.
+ exit
+fi
+
+if [ $1 == 'start' ]; then
+ ${RCD}/nmb start
+ ${RCD}/smb start
+ ${RCD}/winbind start
+
+fi
+if [ $1 == 'stop' ]; then
+ ${RCD}/smb stop
+ ${RCD}/winbind stop
+ ${RCD}/nmb stop
+fi
+if [ $1 == 'restart' ]; then
+ ${RCD}/smb stop
+ ${RCD}/winbind stop
+ ${RCD}/nmb stop
+ sleep 5
+ ${RCD}/nmb start
+ ${RCD}/smb start
+ ${RCD}/winbind start
+fi
+exit 0
+</pre></div></div><br class="example-break"><div class="variablelist"><dl><dt><span class="term">nmbd</span></dt><dd><p>
+ <a class="indexterm" name="id383493"></a>
+ <a class="indexterm" name="id383500"></a>
+ This daemon handles all name registration and resolution requests. It is the primary vehicle involved
+ in network browsing. It handles all UDP-based protocols. The <code class="literal">nmbd</code> daemon should
+ be the first command started as part of the Samba startup process.
+ </p></dd><dt><span class="term">smbd</span></dt><dd><p>
+ <a class="indexterm" name="id383527"></a>
+ <a class="indexterm" name="id383534"></a>
+ This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
+ manages local authentication. It should be started immediately following the startup of <code class="literal">nmbd</code>.
+ </p></dd><dt><span class="term">winbindd</span></dt><dd><p>
+ <a class="indexterm" name="id383560"></a>
+ <a class="indexterm" name="id383567"></a>
+ This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when
+ Samba has trust relationships with another domain. The <code class="literal">winbindd</code> daemon will check the
+ <code class="filename">smb.conf</code> file for the presence of the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em>
+ parameters. If they are not found, <code class="literal">winbindd</code> bails out and refuses to start.
+ </p></dd></dl></div><p>
+ When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its
+ integration into the platform as a whole. Please refer to your operating system platform administration manuals for
+ specific information pertaining to correct management of Samba startup.
+ </p><div class="example"><a name="ch12RHscript"></a><p class="title"><b>Example 15.2. A Sample Samba Control Script for Red Hat Linux</b></p><div class="example-contents"><pre class="screen">
+#!/bin/sh
+#
+# chkconfig: 345 81 35
+# description: Starts and stops the Samba smbd and nmbd daemons \
+# used to provide SMB network services.
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+# Source networking configuration.
+. /etc/sysconfig/network
+# Check that networking is up.
+[ ${NETWORKING} = "no" ] &amp;&amp; exit 0
+CONFIG=/etc/samba/smb.conf
+# Check that smb.conf exists.
+[ -f $CONFIG ] || exit 0
+
+# See how we were called.
+case "$1" in
+ start)
+ echo -n "Starting SMB services: "
+ daemon smbd -D; daemon nmbd -D; echo;
+ touch /var/lock/subsys/smb
+ ;;
+ stop)
+ echo -n "Shutting down SMB services: "
+ smbdpids=`ps guax | grep smbd | grep -v grep | awk '{print $2}'`
+ for pid in $smbdpids; do
+ kill -TERM $pid
+ done
+ killproc nmbd -TERM; rm -f /var/lock/subsys/smb
+ echo ""
+ ;;
+ status)
+ status smbd; status nmbd;
+ ;;
+ restart)
+ echo -n "Restarting SMB services: "
+ $0 stop; $0 start;
+ echo "done."
+ ;;
+ *)
+ echo "Usage: smb {start|stop|restart|status}"
+ exit 1
+esac
+</pre></div></div><br class="example-break"><p><a class="indexterm" name="id383659"></a>
+ SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently
+ executed from the command line is shown in <a href="appendix.html#ch12SL" title="Example 15.1. A Useful Samba Control Script for SUSE Linux">???</a>. This can be located in the directory
+ <code class="filename">/sbin</code> in a file called <code class="filename">samba</code>. This type of control script should be
+ owned by user root and group root, and set so that only root can execute it.
+ </p><p><a class="indexterm" name="id383691"></a>
+ A sample startup script for a Red Hat Linux system is shown in <a href="appendix.html#ch12RHscript" title="Example 15.2. A Sample Samba Control Script for Red Hat Linux">???</a>.
+ This file could be located in the directory <code class="filename">/etc/rc.d</code> and can be called
+ <code class="filename">samba</code>. A similar startup script is required to control <code class="literal">winbind</code>.
+ If you want to find more information regarding startup scripts please refer to the packaging section of
+ the Samba source code distribution tarball. The packaging files for each platform include a
+ startup control file.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id383730"></a>DNS Configuration Files</h2></div></div></div><p>
+ The following files are common to all DNS server configurations. Rather than repeat them multiple times, they
+ are presented here for general reference.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383740"></a>The Forward Zone File for the Loopback Adaptor</h3></div></div></div><p>
+ The forward zone file for the loopback address never changes. An example file is shown
+ in <a href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">???</a>. All traffic destined for an IP address that is hosted on a
+ physical interface on the machine itself is routed to the loopback adaptor. This is
+ a fundamental design feature of the TCP/IP protocol implementation. The loopback adaptor
+ is called <code class="constant">localhost</code>.
+ </p><div class="example"><a name="loopback"></a><p class="title"><b>Example 15.3. DNS Localhost Forward Zone File: <code class="filename">/var/lib/named/localhost.zone</code></b></p><div class="example-contents"><pre class="screen">
+$TTL 1W
+@ IN SOA @ root (
+ 42 ; serial
+ 2D ; refresh
+ 4H ; retry
+ 6W ; expiry
+ 1W ) ; minimum
+
+ IN NS @
+ IN A 127.0.0.1
+</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383783"></a>The Reverse Zone File for the Loopback Adaptor</h3></div></div></div><p>
+ The reverse zone file for the loopback address as shown in <a href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">???</a>
+ is necessary so that references to the address <code class="constant">127.0.0.1</code> can be
+ resolved to the correct name of the interface.
+ </p><div class="example"><a name="dnsloopy"></a><p class="title"><b>Example 15.4. DNS Localhost Reverse Zone File: <code class="filename">/var/lib/named/127.0.0.zone</code></b></p><div class="example-contents"><pre class="screen">
+$TTL 1W
+@ IN SOA localhost. root.localhost. (
+ 42 ; serial
+ 2D ; refresh
+ 4H ; retry
+ 6W ; expiry
+ 1W ) ; minimum
+
+ IN NS localhost.
+1 IN PTR localhost.
+</pre></div></div><br class="example-break"><div class="example"><a name="roothint"></a><p class="title"><b>Example 15.5. DNS Root Name Server Hint File: <code class="filename">/var/lib/named/root.hint</code></b></p><div class="example-contents"><pre class="screen">
+; This file is made available by InterNIC under anonymous FTP as
+; file /domain/named.root
+; on server FTP.INTERNIC.NET
+; last update: Nov 5, 2002. Related version of root zone: 2002110501
+; formerly NS.INTERNIC.NET
+. 3600000 IN NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+; formerly NS1.ISI.EDU
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
+; formerly C.PSI.NET
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+; formerly TERP.UMD.EDU
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
+; formerly NS.NASA.GOV
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+; formerly NS.ISC.ORG
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+; formerly NS.NIC.DDN.MIL
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+; formerly AOS.ARL.ARMY.MIL
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
+; formerly NIC.NORDU.NET
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+; operated by VeriSign, Inc.
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+; housed in LINX, operated by RIPE NCC
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+; operated by IANA
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
+; housed in Japan, operated by WIDE
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+; End of File
+</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383865"></a>DNS Root Server Hint File</h3></div></div></div><p>
+ The content of the root hints file as shown in <a href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">???</a> changes slowly over time.
+ Periodically this file should be updated from the source shown. Because
+ of its size, this file is located at the end of this chapter.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="altldapcfg"></a>Alternative LDAP Database Initialization</h2></div></div></div><p><a class="indexterm" name="id383894"></a><a class="indexterm" name="id383906"></a>
+ The following procedure may be used as an alternative means of configuring
+ the initial LDAP database. Many administrators prefer to have greater control
+ over how system files get configured.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383921"></a>Initialization of the LDAP Database</h3></div></div></div><p><a class="indexterm" name="id383928"></a><a class="indexterm" name="id383935"></a><a class="indexterm" name="id383947"></a>
+ The first step to get the LDAP server ready for action is to create the LDIF file from
+ which the LDAP database will be preloaded. This is necessary to create the containers
+ into which the user, group, and other accounts are written. It is also necessary to
+ preload the well-known Windows NT Domain Groups, as they must have the correct SID so
+ that they can be recognized as special NT Groups by the MS Windows clients.
+ </p><div class="procedure"><a name="ldapinit"></a><p class="title"><b>Procedure 15.2. LDAP Directory Pre-Load Steps</b></p><ol type="1"><li><p>
+ Create a directory in which to store the files you use to generate
+ the LDAP LDIF file for your system. Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir /etc/openldap/SambaInit
+<code class="prompt">root# </code> chown root:root /etc/openldap/SambaInit
+<code class="prompt">root# </code> chmod 700 /etc/openldap/SambaInit
+</pre><p>
+ </p></li><li><p>
+ Install the files shown in <a href="appendix.html#sbehap-ldapreconfa" title="Example 15.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A">???</a>, <a href="appendix.html#sbehap-ldapreconfb" title="Example 15.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B">???</a>,
+ and <a href="appendix.html#sbehap-ldapreconfc" title="Example 15.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C">???</a> into the directory
+ <code class="filename">/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh.</code> These three files are,
+ respectively, parts A, B, and C of the <code class="filename">SMBLDAP-ldif-preconfig.sh</code> file.
+ </p></li><li><p>
+ Install the files shown in <a href="appendix.html#sbehap-ldifpata" title="Example 15.9. LDIF Pattern File Used to Pre-configure LDAP Part A">???</a> and <a href="appendix.html#sbehap-ldifpatb" title="Example 15.10. LDIF Pattern File Used to Pre-configure LDAP Part B">???</a> into the directory
+ <code class="filename">/etc/openldap/SambaInit/.</code> These two files are
+ parts A and B, respectively, of the <code class="filename">init-ldif.pat</code> file.
+ </p></li><li><p>
+ Change to the <code class="filename">/etc/openldap/SambaInit</code> directory. Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> sh SMBLDAP-ldif-preconfig.sh
+
+How do you wish to refer to your organization?
+Suggestions:
+ Black Tire Company, Inc.
+ Cat With Hat Ltd.
+How would you like your organization name to appear?
+Your organization name is: My Organization
+Enter a new name is this is not what you want, press Enter to Continue.
+Name [My Organization]: Abmas Inc.
+
+Samba Config File Location [/etc/samba/smb.conf]:
+Enter a new full path or press Enter to continue.
+Samba Config File Location [/etc/samba/smb.conf]:
+Domain Name: MEGANET2
+Domain SID: S-1-5-21-3504140859-1010554828-2431957765
+
+The name of your Internet domain is now needed in a special format
+as follows, if your domain name is mydomain.org, what we need is
+the information in the form of:
+ Domain ID: mydomain
+ Top level: org
+If your fully qualified hostname is: snoopy.bazaar.garagesale.net
+where "snoopy" is the name of the machine,
+Then the information needed is:
+ Domain ID: garagesale
+ Top Level: net
+
+Found the following domain name: abmas.biz
+I think the bit we are looking for might be: abmas
+Enter the domain name or press Enter to continue:
+
+The top level organization name I will use is: biz
+Enter the top level org name or press Enter to continue:
+<code class="prompt">root# </code>
+</pre><p>
+ This creates a file called <code class="filename">MEGANET2.ldif</code>.
+ </p></li><li><p>
+ It is now time to preload the LDAP database with the following
+ command:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapadd -v -l MEGANET2.ldif
+added: "dc=abmas,dc=biz" (00000001)
+added: "cn=Manager,dc=abmas,dc=biz" (00000002)
+added: "ou=People,dc=abmas,dc=biz" (00000003)
+added: "ou=Computers,dc=abmas,dc=biz" (00000004)
+added: "ou=Groups,dc=abmas,dc=biz" (00000005)
+added: "ou=Domains,dc=abmas,dc=biz" (00000006)
+added: "sambaDomainName=MEGANET2,ou=Domains,dc=abmas,dc=biz" (00000007)
+added: "cn=domadmins,ou=Groups,dc=abmas,dc=biz" (00000008)
+added: "cn=domguests,ou=Groups,dc=abmas,dc=biz" (00000009)
+added: "cn=domusers,ou=Groups,dc=abmas,dc=biz" (0000000a)
+</pre><p>
+ You should verify that the account information was correctly loaded by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapcat
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: Abmas Inc.
+description: Posix and Samba LDAP Identity Database
+structuralObjectClass: organization
+entryUUID: af552f8e-c4a1-1027-9002-9421e01bf474
+creatorsName: cn=manager,dc=abmas,dc=biz
+modifiersName: cn=manager,dc=abmas,dc=biz
+createTimestamp: 20031217055747Z
+modifyTimestamp: 20031217055747Z
+entryCSN: 2003121705:57:47Z#0x0001#0#0000
+...
+
+dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 513
+cn: domusers
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
+sambaGroupType: 2
+displayName: Domain Users
+description: Domain Users
+structuralObjectClass: posixGroup
+entryUUID: af7e98ba-c4a1-1027-900b-9421e01bf474
+creatorsName: cn=manager,dc=abmas,dc=biz
+modifiersName: cn=manager,dc=abmas,dc=biz
+createTimestamp: 20031217055747Z
+modifyTimestamp: 20031217055747Z
+entryCSN: 2003121705:57:47Z#0x000a#0#0000
+</pre><p>
+ </p></li><li><p>
+ Your LDAP database is ready for testing. You can now start the LDAP server
+ using the system tool for your Linux operating system. For SUSE Linux, you can
+ do this as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap start
+</pre><p>
+ </p></li><li><p>
+ It is now a good idea to validate that the LDAP server is running correctly.
+ Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
+# extended LDIF
+#
+# LDAPv3
+# base &lt;dc=abmas,dc=biz&gt; with scope sub
+# filter: (ObjectClass=*)
+# requesting: ALL
+#
+
+# abmas.biz
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: Abmas Inc.
+description: Posix and Samba LDAP Identity Database
+...
+# domusers, Groups, abmas.biz
+dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 513
+cn: domusers
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
+sambaGroupType: 2
+displayName: Domain Users
+description: Domain Users
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 11
+# numEntries: 10
+</pre><p>
+ Your LDAP server is ready for creation of additional accounts.
+ </p></li></ol></div></div><div class="example"><a name="sbehap-ldapreconfa"></a><p class="title"><b>Example 15.6. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part A</b></p><div class="example-contents"><pre class="screen">
+#!/bin/bash
+#
+# This script prepares the ldif LDAP load file only
+#
+
+# Pattern File Name
+file=init-ldif.pat
+
+# The name of my organization
+ORGNAME="My Organization"
+
+# My Internet domain. ie: if my domain is: buckets.org, INETDOMAIN="buckets"
+INETDOMAIN="my-domain"
+
+# In the above case, md domain is: buckets.org, TLDORG="org"
+TLDORG="org"
+
+# This is the Samba Domain/Workgroup Name
+DOMNAME="MYWORKGROUP"
+
+#
+# Here We Go ...
+#
+
+cat &lt;&lt;EOF
+
+How do you wish to refer to your organization?
+
+Suggestions:
+ Black Tire Company, Inc.
+ Cat With Hat Ltd.
+
+How would you like your organization name to appear?
+
+EOF
+
+echo "Your organization name is: $ORGNAME"
+echo
+echo "Enter a new name or, press Enter to Continue."
+echo
+</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldapreconfb"></a><p class="title"><b>Example 15.7. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part B</b></p><div class="example-contents"><pre class="screen">
+echo -e -n "Name [$ORGNAME]: "
+ read name
+
+if [ ! -z "$name" ]; then
+ ORGNAME=${name}
+fi
+echo
+sed "s/ORGNAME/${ORGNAME}/g" &lt; $file &gt; $file.tmp1
+
+# Try to find smb.conf
+
+if [ -e /usr/local/samba/lib/smb.conf ]; then
+ CONF=/usr/local/samba/lib/smb.conf
+elif [ -e /etc/samba/smb.conf ]; then
+ CONF=/etc/samba/smb.conf
+fi
+
+echo "Samba Config File Location [$CONF]: "
+echo
+echo "Enter a new full path or press Enter to continue."
+echo
+echo -n "Samba Config File Location [$CONF]: "
+ read name
+if [ ! -z "$name" ]; then
+ CONF=$name
+fi
+echo
+
+# Find the name of our Domain/Workgroup
+DOMNAME=`grep -i workgroup ${CONF} | sed "s/ //g" | cut -f2 -d=`
+echo Domain Name: $DOMNAME
+echo
+
+sed "s/DOMNAME/${DOMNAME}/g" &lt; $file.tmp1 &gt; $file.tmp2
+
+DOMSID=`net getlocalsid ${DOMNAME} | cut -f2 -d: | sed "s/ //g"`
+echo Domain SID: $DOMSID
+
+sed "s/DOMSID/${DOMSID}/g" &lt; $file.tmp2 &gt; $file.tmp1
+</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldapreconfc"></a><p class="title"><b>Example 15.8. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part C</b></p><div class="example-contents"><pre class="screen">
+cat &gt;&gt;EOL
+The name of your Internet domain is now needed in a special format
+as follows, if your domain name is mydomain.org, what we need is
+the information in the form of:
+ Domain ID: mydomain
+ Top level: org
+
+If your fully qualified hostname is: snoopy.bazaar.garagesale.net
+where "snoopy" is the name of the machine,
+Then the information needed is:
+ Domain ID: garagesale
+ Top Level: net
+
+EOL
+INETDOMAIN=`hostname -d | cut -f1 -d.`
+echo Found the following domain name: `hostname -d`
+echo "I think the bit we are looking for might be: $INETDOMAIN"
+echo
+echo -n "Enter the domain name or press Enter to continue: "
+ read domnam
+if [ ! -z $domnam ]; then
+ INETDOMAIN=$domnam
+fi
+echo
+sed "s/INETDOMAIN/${INETDOMAIN}/g" &lt; $file.tmp1 &gt; $file.tmp2
+TLDORG=`hostname -d | sed "s/${INETDOMAIN}.//g"`
+echo "The top level organization name I will use is: ${TLDORG}"
+echo
+echo -n "Enter the top level org name or press Enter to continue: "
+ read domnam
+if [ ! -z $domnam ]; then
+ TLDORG=$domnam
+fi
+sed "s/TLDORG/${TLDORG}/g" &lt; $file.tmp2 &gt; $DOMNAME.ldif
+rm $file.tmp*
+exit 0
+</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifpata"></a><p class="title"><b>Example 15.9. LDIF Pattern File Used to Pre-configure LDAP Part A</b></p><div class="example-contents"><pre class="screen">
+dn: dc=INETDOMAIN,dc=TLDORG
+objectClass: dcObject
+objectClass: organization
+dc: INETDOMAIN
+o: ORGNAME
+description: Posix and Samba LDAP Identity Database
+
+dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG
+objectClass: organizationalRole
+cn: Manager
+description: Directory Manager
+
+dn: ou=People,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Computers
+
+dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Groups
+
+dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Idmap
+
+dn: ou=Domains,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Domains
+
+dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG
+objectClass: sambaDomain
+sambaDomainName: DOMNAME
+sambaSID: DOMSID
+sambaAlgorithmicRidBase: 1000
+structuralObjectClass: sambaDomain
+</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifpatb"></a><p class="title"><b>Example 15.10. LDIF Pattern File Used to Pre-configure LDAP Part B</b></p><div class="example-contents"><pre class="screen">
+dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 512
+cn: domadmins
+sambaSID: DOMSID-512
+sambaGroupType: 2
+displayName: Domain Admins
+description: Domain Administrators
+
+dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 514
+cn: domguests
+sambaSID: DOMSID-514
+sambaGroupType: 2
+displayName: Domain Guests
+description: Domain Guests Users
+
+dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 513
+cn: domusers
+sambaSID: DOMSID-513
+sambaGroupType: 2
+displayName: Domain Users
+description: Domain Users
+</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id384378"></a>The LDAP Account Manager</h2></div></div></div><p>
+<a class="indexterm" name="id384386"></a>
+<a class="indexterm" name="id384392"></a>
+<a class="indexterm" name="id384401"></a>
+<a class="indexterm" name="id384408"></a>
+<a class="indexterm" name="id384414"></a>
+<a class="indexterm" name="id384421"></a>
+<a class="indexterm" name="id384428"></a>
+The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
+LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
+server either using unencrypted connections or via SSL/TLS. LAM can be used to manage
+Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines
+(hosts).
+</p><p>
+LAM is available from the <a href="http://sourceforge.net/projects/lam/" target="_top">LAM</a>
+home page and from its mirror sites. LAM has been released under the GNU GPL version 2.
+The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter
+of 2005.
+</p><p>
+<a class="indexterm" name="id384454"></a>
+<a class="indexterm" name="id384461"></a>
+<a class="indexterm" name="id384468"></a>
+Requirements:
+</p><div class="itemizedlist"><ul type="disc"><li><p>A web server that will work with PHP4.</p></li><li><p>PHP4 (available from the <a href="http://www.php.net/" target="_top">PHP</a> home page.)</p></li><li><p>OpenLDAP 2.0 or later.</p></li><li><p>A Web browser that supports CSS.</p></li><li><p>Perl.</p></li><li><p>The gettext package.</p></li><li><p>mcrypt + mhash (optional).</p></li><li><p>It is also a good idea to install SSL support.</p></li></ul></div><p>
+LAM is a useful tool that provides a simple Web-based device that can be used to
+manage the contents of the LDAP directory to:
+<a class="indexterm" name="id384525"></a>
+<a class="indexterm" name="id384532"></a>
+<a class="indexterm" name="id384539"></a>
+</p><div class="itemizedlist"><ul type="disc"><li><p>Display user/group/host and Domain entries.</p></li><li><p>Manage entries (Add/Delete/Edit).</p></li><li><p>Filter and sort entries.</p></li><li><p>Store and use multiple operating profiles.</p></li><li><p>Edit organizational units (OUs).</p></li><li><p>Upload accounts from a file.</p></li><li><p>Is compatible with Samba-2.2.x and Samba-3.</p></li></ul></div><p>
+When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba
+user, group, and windows domain member machine accounts.
+</p><p>
+<a class="indexterm" name="id384590"></a>
+<a class="indexterm" name="id384596"></a>
+<a class="indexterm" name="id384603"></a>
+<a class="indexterm" name="id384610"></a>
+The default password is &#8220;<span class="quote">lam.</span>&#8221; It is highly recommended that you use only
+an SSL connection to your Web server for all remote operations involving LAM. If you
+want secure connections, you must configure your Apache Web server to permit connections
+to LAM using only SSL.
+</p><div class="procedure"><a name="sbehap-laminst"></a><p class="title"><b>Procedure 15.3. Apache Configuration Steps for LAM</b></p><ol type="1"><li><p>
+ Extract the LAM package by untarring it as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> tar xzf ldap-account-manager_0.4.9.tar.gz
+</pre><p>
+ Alternatively, install the LAM DEB for your system using the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> dpkg -i ldap-account-manager_0.4.9.all.deb
+</pre><p>
+ </p></li><li><p>
+ Copy the extracted files to the document root directory of your Web server.
+ For example, on SUSE Linux Enterprise Server 9, copy to the
+ <code class="filename">/srv/www/htdocs</code> directory.
+ </p></li><li><p>
+ <a class="indexterm" name="id384683"></a>
+ Set file permissions using the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown -R wwwrun:www /srv/www/htdocs/lam
+<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/sess
+<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/tmp
+<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/config
+<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/lib/*pl
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id384733"></a>
+ Using your favorite editor create the following <code class="filename">config.cfg</code>
+ LAM configuration file:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /srv/www/htdocs/lam/config
+<code class="prompt">root# </code> cp config.cfg_sample config.cfg
+<code class="prompt">root# </code> vi config.cfg
+</pre><p>
+ <a class="indexterm" name="id384773"></a>
+ <a class="indexterm" name="id384782"></a>
+ An example file is shown in <a href="appendix.html#lamcfg" title="Example 15.11. Example LAM Configuration File config.cfg">???</a>.
+ This is the minimum configuration that must be completed. The LAM profile
+ file can be created using a convenient wizard that is part of the LAM
+ configuration suite.
+ </p></li><li><p>
+ Start your Web server then, using your Web browser, connect to
+ <a href="http://localhost/lam" target="_top">LAM</a> URL. Click on the
+ the <em class="parameter"><code>Configuration Login</code></em> link then click on the
+ Configuration Wizard link to begin creation of the default profile so that
+ LAM can connect to your LDAP server. Alternately, copy the
+ <code class="filename">lam.conf_sample</code> file to a file called
+ <code class="filename">lam.conf</code> then, using your favorite editor,
+ change the settings to match local site needs.
+ </p></li></ol></div><p>
+ <a class="indexterm" name="id384837"></a>
+ An example of a working file is shown here in <a href="appendix.html#lamconf" title="Example 15.12. LAM Profile Control File lam.conf">???</a>.
+ This file has been stripped of comments to keep the size small. The comments
+ and help information provided in the profile file that the wizard creates
+ is very useful and will help many administrators to avoid pitfalls.
+ Your configuration file obviously reflects the configuration options that
+ are preferred at your site.
+ </p><p>
+ <a class="indexterm" name="id384857"></a>
+ It is important that your LDAP server is running at the time that LAM is
+ being configured. This permits you to validate correct operation.
+ An example of the LAM login screen is provided in <a href="appendix.html#lam-login" title="Figure 15.6. The LDAP Account Manager Login Screen">???</a>.
+ </p><div class="figure"><a name="lam-login"></a><p class="title"><b>Figure 15.6. The LDAP Account Manager Login Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-login.png" width="270" alt="The LDAP Account Manager Login Screen"></div></div></div><br class="figure-break"><p>
+ <a class="indexterm" name="id384917"></a>
+ The LAM configuration editor has a number of options that must be managed correctly.
+ An example of use of the LAM configuration editor is shown in <a href="appendix.html#lam-config" title="Figure 15.7. The LDAP Account Manager Configuration Screen">???</a>.
+ It is important that you correctly set the minimum and maximum UID/GID values that are
+ permitted for use at your site. The default values may not be compatible with a need to
+ modify initial default account values for well-known Windows network users and groups.
+ The best work-around is to temporarily set the minimum values to zero (0) to permit
+ the initial settings to be made. Do not forget to reset these to sensible values before
+ using LAM to add additional users and groups.
+ </p><div class="figure"><a name="lam-config"></a><p class="title"><b>Figure 15.7. The LDAP Account Manager Configuration Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-config.png" width="270" alt="The LDAP Account Manager Configuration Screen"></div></div></div><br class="figure-break"><p>
+ <a class="indexterm" name="id384982"></a>
+ LAM has some nice, but unusual features. For example, one unexpected feature in most application
+ screens permits the generation of a PDF file that lists configuration information. This is a well
+ thought out facility. This option has been edited out of the following screen shots to conserve
+ space.
+ </p><p>
+ <a class="indexterm" name="id384994"></a>
+ When you log onto LAM the opening screen drops you right into the user manager as shown in
+ <a href="appendix.html#lam-user" title="Figure 15.8. The LDAP Account Manager User Edit Screen">???</a>. This is a logical action as it permits the most-needed facility
+ to be used immediately. The editing of an existing user, as with the addition of a new user,
+ is easy to follow and very clear in both layout and intent. It is a simple matter to edit
+ generic settings, UNIX specific parameters, and then Samba account requirements. Each step
+ involves clicking a button that intuitively drives you through the process. When you have
+ finished editing simply press the <span class="guimenu">Final</span> button.
+ </p><div class="figure"><a name="lam-user"></a><p class="title"><b>Figure 15.8. The LDAP Account Manager User Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-users.png" width="270" alt="The LDAP Account Manager User Edit Screen"></div></div></div><br class="figure-break"><p>
+ The edit screen for groups is shown in <a href="appendix.html#lam-group" title="Figure 15.9. The LDAP Account Manager Group Edit Screen">???</a>. As with the edit screen
+ for user accounts, group accounts may be rapidly dealt with. <a href="appendix.html#lam-group-mem" title="Figure 15.10. The LDAP Account Manager Group Membership Edit Screen">???</a>
+ shows a sub-screen from the group editor that permits users to be assigned secondary group
+ memberships.
+ </p><div class="figure"><a name="lam-group"></a><p class="title"><b>Figure 15.9. The LDAP Account Manager Group Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-groups.png" width="270" alt="The LDAP Account Manager Group Edit Screen"></div></div></div><br class="figure-break"><div class="figure"><a name="lam-group-mem"></a><p class="title"><b>Figure 15.10. The LDAP Account Manager Group Membership Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-group-members.png" width="270" alt="The LDAP Account Manager Group Membership Edit Screen"></div></div></div><br class="figure-break"><p>
+ <a class="indexterm" name="id385162"></a><a class="indexterm" name="id385168"></a>
+ The final screen presented here is one that you should not normally need to use. Host accounts will
+ be automatically managed using the smbldap-tools scripts. This means that the screen <a href="appendix.html#lam-host" title="Figure 15.11. The LDAP Account Manager Host Edit Screen">???</a>
+ will, in most cases, not be used.
+ </p><div class="figure"><a name="lam-host"></a><p class="title"><b>Figure 15.11. The LDAP Account Manager Host Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-hosts.png" width="270" alt="The LDAP Account Manager Host Edit Screen"></div></div></div><br class="figure-break"><p>
+ One aspect of LAM that may annoy some users is the way it forces certain conventions on
+ the administrator. For example, LAM does not permit the creation of Windows user and group
+ accounts that contain spaces even though the underlying UNIX/Linux
+ operating system may exhibit no problems with them. Given the propensity for using upper-case
+ characters and spaces (particularly in the default Windows account names) this may cause
+ some annoyance. For the rest, LAM is a very useful administrative tool.
+ </p><p>
+ The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features
+ (e.g., logon hours). The new plugin-based architecture also allows management of much more different
+ account types like plain UNIX accounts. The upload can now handle groups and hosts, too. Another
+ important point is the tree view which allows browsing and editing LDAP objects directly.
+ </p><div class="example"><a name="lamcfg"></a><p class="title"><b>Example 15.11. Example LAM Configuration File <code class="filename">config.cfg</code></b></p><div class="example-contents"><pre class="screen">
+# password to add/delete/rename configuration profiles
+password: not24get
+
+# default profile, without ".conf"
+default: lam
+</pre></div></div><br class="example-break"><div class="example"><a name="lamconf"></a><p class="title"><b>Example 15.12. LAM Profile Control File <code class="filename">lam.conf</code></b></p><div class="example-contents"><pre class="screen">
+ServerURL: ldap://massive.abmas.org:389
+Admins: cn=Manager,dc=abmas,dc=biz
+Passwd: not24get
+usersuffix: ou=People,dc=abmas,dc=biz
+groupsuffix: ou=Groups,dc=abmas,dc=biz
+hostsuffix: ou=Computers,dc=abmas,dc=biz
+domainsuffix: ou=Domains,dc=abmas,dc=biz
+MinUID: 0
+MaxUID: 65535
+MinGID: 0
+MaxGID: 65535
+MinMachine: 20000
+MaxMachine: 25000
+userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
+grouplistAttributes: #cn;#gidNumber;#memberUID;#description
+hostlistAttributes: #cn;#description;#uidNumber;#gidNumber
+maxlistentries: 30
+defaultLanguage: en_GB:ISO-8859-1:English (Great Britain)
+scriptPath:
+scriptServer:
+samba3: yes
+cachetimeout: 5
+pwdhash: SSHA
+</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385293"></a>IDEALX Management Console</h2></div></div></div><p>
+ IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive
+ web-based management interface for UNIX and Linux systems.
+ </p><p>
+ The Samba toolset is the first console developped for IMC. It offers a simple and ergonomic
+ interface for managing a Samba domain controler. The goal is to give Linux administrators who
+ need to manage production Samba servers an effective, intuitive and consistent management
+ experience. An IMC screenshot of the user management tool is shown in <a href="appendix.html#imcidealx" title="Figure 15.12. The IMC Samba User Account Screen">???</a>.
+ </p><div class="figure"><a name="imcidealx"></a><p class="title"><b>Figure 15.12. The IMC Samba User Account Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/imc-usermanager2.png" width="216" alt="The IMC Samba User Account Screen"></div></div></div><br class="figure-break"><p>
+ IMC is built on a set of Perl modules. Most modules are standard CPAN modules. Some are bundled with IMC,
+ but will soon to be hosted on the CPAN independently, like Struts4P, a port of Struts to the Perl language.
+ </p><p>
+ For further information regarding IMC refer to the web <a href="http://imc.sourceforge.net/" target="_top">site.</a>
+ Prebuilt RPM packages are also <a href="http://imc.sourceforge.net/download.html" target="_top">available.</a>
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12-SUIDSGID"></a>Effect of Setting File and Directory SUID/SGID Permissions Explained</h2></div></div></div><a class="indexterm" name="id385390"></a><a class="indexterm" name="id385396"></a><p>
+ The setting of the SUID/SGID bits on the file or directory permissions flag has particular
+ consequences. If the file is executable and the SUID bit is set, it executes with the privilege
+ of (with the UID of) the owner of the file. For example, if you are logged onto a system as
+ a normal user (let's say as the user <code class="constant">bobj</code>), and you execute a file that is owned
+ by the user <code class="constant">root</code> (uid = 0), and the file has the SUID bit set, then the file is
+ executed as if you had logged in as the user <code class="constant">root</code> and then executed the file.
+ The SUID bit effectively gives you (as <code class="constant">bobj</code>) administrative privilege for the
+ use of that executable file.
+ </p><p>
+ The setting of the SGID bit does precisely the same as the effect of the SUID bit, except that it
+ applies the privilege to the UNIX group setting. In other words, the file executes with the force
+ of capability of the group.
+ </p><p>
+ When the SUID/SGID permissions are set on a directory, all files that are created within that directory
+ are automatically given the ownership of the SUID user and the SGID group, as per the ownership
+ of the directory in which the file is created. This means that the system level <code class="literal">create()</code>
+ function executes with the SUID user and/or SGID group of the directory in which the file is
+ created.
+ </p><p>
+ If you want to obtain the SUID behavior, simply execute the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod u+s file-or-directory
+</pre><p>
+ To set the SGID properties on a file or a directory, execute this command:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod g+s file-or-directory
+</pre><p>
+ And to set both SUID and SGID properties, execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod ug+s file-or-directory
+</pre><p>
+ </p><p>
+ Let's consider the example of a directory <code class="filename">/data/accounts</code>. The permissions on this
+ directory before setting both SUID and SGID on this directory are:
+</p><pre class="screen">
+<code class="prompt">root# </code> ls -al /data/accounts
+total 1
+drwxr-xr-x 10 root root 232 Dec 18 17:08 .
+drwxr-xr-x 21 root root 600 Dec 17 23:15 ..
+drwxrwxrwx 2 bobj Domain Users 48 Dec 18 17:08 accounts/
+drwx------ 2 root root 48 Jan 26 2002 lost+found
+</pre><p>
+ In this example, if the user <code class="constant">maryv</code> creates a file, it is owned by her.
+ If <code class="constant">maryv</code> has the primary group of <code class="constant">Accounts</code>, the file is
+ owned by the group <code class="constant">Accounts</code>, as shown in this listing:
+</p><pre class="screen">
+<code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt
+drw-rw-r-- 2 maryv Accounts 12346 Dec 18 17:53
+</pre><p>
+ </p><p>
+ Now you set the SUID and SGID and check the result as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod ug+s /data/accounts
+<code class="prompt">root# </code> ls -al /data/accounts
+total 1
+drwxr-xr-x 10 root root 232 Dec 18 17:08 .
+drwxr-xr-x 21 root root 600 Dec 17 23:15 ..
+drwsrwsr-x 2 bobj Domain Users 48 Dec 18 17:08 accounts
+drwx------ 2 root root 48 Jan 26 2002 lost+found
+</pre><p>
+ If <code class="constant">maryv</code> creates a file in this directory after this change has been made, the
+ file is owned by the user <code class="constant">bobj</code>, and the group is set to the group
+ <code class="constant">Domain Users</code>, as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod ug+s /data/accounts
+<code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt
+total 1
+drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
+</pre><p>
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12dblck"></a>Shared Data Integrity</h2></div></div></div><p><a class="indexterm" name="id385602"></a><a class="indexterm" name="id385610"></a>
+ The integrity of shared data is often viewed as a particularly emotional issue, especially where
+ there are concurrent problems with multiuser data access. Contrary to the assertions of some who have
+ experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
+ </p><p>
+ The solution to concurrent multiuser data access problems must consider three separate areas
+ from which the problem may stem:<a class="indexterm" name="id385629"></a><a class="indexterm" name="id385640"></a><a class="indexterm" name="id385652"></a>
+ </p><div class="itemizedlist"><ul type="disc"><li><p>application-level locking controls</p></li><li><p>client-side locking controls</p></li><li><p>server-side locking controls</p></li></ul></div><p><a class="indexterm" name="id385684"></a><a class="indexterm" name="id385691"></a>
+ Many database applications use some form of application-level access control. An example of one
+ well-known application that uses application-level locking is Microsoft Access. Detailed guidance
+ is provided here because this is the most common application for which problems have been reported.
+ </p><p><a class="indexterm" name="id385705"></a><a class="indexterm" name="id385713"></a>
+ Common applications that are affected by client- and server-side locking controls include MS
+ Excel and Act!. Important locking guidance is provided here.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id385724"></a>Microsoft Access</h3></div></div></div><p>
+ The best advice that can be given is to carefully read the Microsoft knowledgebase articles that
+ cover this area. Examples of relevant documents include:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;208778</p></li><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;299373</p></li></ul></div><p><a class="indexterm" name="id385749"></a><a class="indexterm" name="id385760"></a>
+ Make sure that your MS Access database file is configured for multiuser access (not set for
+ exclusive open). Open MS Access on each client workstation, then set the following: <span class="guimenu">(Menu bar) Tools</span>+<span class="guimenu">Options</span>+<span class="guimenu">[tab] General</span>. Set network path to Default database folder: <code class="filename">\\server\share\folder</code>.
+ </p><p>
+ You can configure MS Access file sharing behavior as follows: click <span class="guimenu">[tab] Advanced</span>.
+ Set:<a class="indexterm" name="id385808"></a>
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Default open mode: Shared</p></li><li><p>Default Record Locking: Edited Record</p></li><li><p>Open databases using record_level locking</p></li></ul></div><p><a class="indexterm" name="id385836"></a>
+ You must now commit the changes so that they will take effect. To do so, click
+ <span class="guimenu">Apply</span><span class="guimenu">Ok</span>. At this point, you should exit MS Access, restart
+ it, and then validate that these settings have not changed.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id385863"></a>Act! Database Sharing</h3></div></div></div><p><a class="indexterm" name="id385870"></a><a class="indexterm" name="id385877"></a>
+ Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you
+ must disable opportunistic locking on the server and all workstations. Failure to do so
+ results in data corruption. This information is available from the Act! Web site
+ knowledgebase articles
+ <a href="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925" target="_top">1998223162925</a>
+ as well as from article
+ <a href="http://itdomino.saleslogix.com/act.nsf/docid/200110485036" target="_top">200110485036</a>.
+ </p><p><a class="indexterm" name="id385904"></a><a class="indexterm" name="id385912"></a>
+ These documents clearly state that opportunistic locking must be disabled on both
+ the server (Samba in the case we are interested in here), as well as on every workstation
+ from which the centrally shared Act! database will be accessed. Act! provides
+ a tool called <code class="literal">Act!Diag</code> that may be used to disable all workstation
+ registry settings that may otherwise interfere with the operation of Act!
+ Registered Act! users may download this utility from the Act! Web
+ <a href="http://www.act.com/support/updates/index.cfm" target="_top">site.</a>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id385938"></a>Opportunistic Locking Controls</h3></div></div></div><p><a class="indexterm" name="id385945"></a>
+ Third-party Windows applications may not be compatible with the use of opportunistic file
+ and record locking. For applications that are known not to be compatible,<sup>[<a name="id385956" href="#ftn.id385956">14</a>]</sup> oplock
+ support may need to be disabled both on the Samba server and on the Windows workstations.
+ </p><p><a class="indexterm" name="id385966"></a><a class="indexterm" name="id385973"></a><a class="indexterm" name="id385981"></a>
+ Oplocks enable a Windows client to cache parts of a file that are being
+ edited. Another windows client may then request to open the file with the
+ ability to write to it. The server will then ask the original workstation
+ that had the file open with a write lock to release its lock. Before
+ doing so, that workstation must flush the file from cache memory to the
+ disk or network drive.
+ </p><p><a class="indexterm" name="id385999"></a>
+ Disabling of Oplocks usage may require server and client changes.
+ Oplocks may be disabled by file, by file pattern, on the share, or on the
+ Samba server.
+ </p><p>
+ The following are examples showing how Oplock support may be managed using
+ Samba <code class="filename">smb.conf</code> file settings:
+</p><pre class="screen">
+By file: veto oplock files = myfile.mdb
+
+By Pattern: veto oplock files = /*.mdb/
+
+On the Share: oplocks = No
+ level2 oplocks = No
+
+On the server:
+(in [global]) oplocks = No
+ level2 oplocks = No
+</pre><p>
+ </p><p>
+ The following registry entries on Microsoft Windows XP Professional, 2000 Professional, and Windows NT4
+ workstation clients must be configured as shown here:
+</p><pre class="screen">
+REGEDIT4
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
+ Services\LanmanServer\Parameters]
+ "EnableOplocks"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
+ Services\LanmanWorkstation\Parameters]
+ "UseOpportunisticLocking"=dword:00000000
+</pre><p>
+ </p><p>
+ Comprehensive coverage of file and record-locking controls is provided in TOSHARG2, Chapter 13.
+ The information in that chapter was obtained from a wide variety of sources.
+ </p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch14.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="primer.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 14. Samba Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 16. Networking Primer</td></tr></table></div></body></html>
diff --git a/docs/htmldocs/Samba3-ByExample/ch14.html b/docs/htmldocs/Samba3-ByExample/ch14.html
new file mode 100644
index 0000000000..069d17c793
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/ch14.html
@@ -0,0 +1,106 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. Samba Support</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="HA.html" title="Chapter 13. Performance, Reliability, and Availability"><link rel="next" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. Samba Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="HA.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="appendix.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title"><a name="id382069"></a>Chapter 14. Samba Support</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ch14.html#id382184">Free Support</a></span></dt><dt><span class="sect1"><a href="ch14.html#id382382">Commercial Support</a></span></dt></dl></div><p>
+<a class="indexterm" name="id382078"></a>
+One of the most difficult to answer questions in the information technology industry is, &#8220;<span class="quote">What is
+support?</span>&#8221;. That question irritates some folks, as much as common answers may annoy others.
+</p><p>
+<a class="indexterm" name="id382093"></a>
+The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to
+an Internet service provider who, instead of listening to the problem to find a solution, blandly replies:
+&#8220;<span class="quote">Oh, Linux? We do not support Linux!</span>&#8221;. It has happened to me, and similar situations happen
+through-out the IT industry. Answers like that are designed to inform us that there are some customers
+that a business just does not want to deal with, and well may we feel the anguish of the rejection that
+is dished out.
+</p><p>
+One way to consider support is to view it as consisting of the right answer, in the right place,
+at the right time, no matter the situation. Support is all that it takes to take away pain, disruption,
+inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk.
+</p><p>
+<a class="indexterm" name="id382117"></a>
+<a class="indexterm" name="id382123"></a>
+<a class="indexterm" name="id382130"></a>
+One of the forces that has become a driving force for the adoption of open source software is the fact that
+many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or
+that have been found wanting for other reasons.
+</p><p>
+<a class="indexterm" name="id382143"></a>
+<a class="indexterm" name="id382149"></a>
+In recognition of the need for needs satisfaction as the primary experience an information technology user or
+consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience
+in respect of problem resolution.
+</p><p>
+<a class="indexterm" name="id382162"></a>
+<a class="indexterm" name="id382168"></a>
+<a class="indexterm" name="id382175"></a>
+In the open source software arena there are two support options: free support and paid-for (commercial)
+support.
+</p><div class="sect1" lang="en-US"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id382184"></a>Free Support</h2></div></div></div><p>
+<a class="indexterm" name="id382192"></a>
+<a class="indexterm" name="id382199"></a>
+<a class="indexterm" name="id382206"></a>
+<a class="indexterm" name="id382212"></a>
+<a class="indexterm" name="id382219"></a>
+<a class="indexterm" name="id382226"></a>
+ Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help
+ facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user
+ supported mutual assistance.
+ </p><p>
+<a class="indexterm" name="id382238"></a>
+<a class="indexterm" name="id382245"></a>
+<a class="indexterm" name="id382252"></a>
+<a class="indexterm" name="id382258"></a>
+<a class="indexterm" name="id382265"></a>
+ The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments.
+ Information regarding subscription to the Samba mailing list can be found on the Samba <a href="https://lists.samba.org/mailman/" target="_top">web</a> site. The public mailing list that can be used to obtain
+ free, user contributed, support is called the <code class="literal">samba</code> list. The email address for this list
+ is at <code class="literal">mail:samba@samba.org</code>. Information regarding the Samba IRC channels may be found on
+ the Samba <a href="http://www.samba.org/samba.irc.html" target="_top">IRC</a> web page.
+ </p><p>
+<a class="indexterm" name="id382302"></a>
+<a class="indexterm" name="id382309"></a>
+<a class="indexterm" name="id382316"></a>
+<a class="indexterm" name="id382322"></a>
+ As a general rule, it is considered poor net behavior to contact a Samba Team member directly
+ for free support. Most active members of the Samba Team work exceptionally long hours to assist
+ users who have demonstrated a qualified problem. Some team members may respond to direct email
+ or telephone contact, with requests for assistance, by requesting payment. A few of the Samba
+ Team members actually provide professional paid-for Samba support and it is therefore wise
+ to show appropriate discretion and reservation in all direct contact.
+ </p><p>
+<a class="indexterm" name="id382337"></a>
+<a class="indexterm" name="id382344"></a>
+<a class="indexterm" name="id382351"></a>
+ When you stumble across a Samba bug, often the quickest way to get it resolved is by posting
+ a bug <a href="https://bugzilla.samba.org/" target="_top">report</a>. All such reports are mailed to
+ the responsible code maintainer for action. The better the report, and the more serious it is,
+ the sooner it will be dealt with. On the other hand, if the responsible person can not duplicate
+ the reported bug it is likely to be rejected. It is up to you to provide sufficient information
+ that will permit the problem to be reproduced.
+ </p><p>
+<a class="indexterm" name="id382371"></a>
+ We all recognize that sometimes free support does not provide the answer that is sought within
+ the time-frame required. At other times the problem is elusive and you may lack the experience
+ necessary to isolate the problem and thus to resolve it. This is a situation where is may be
+ prudent to purchase paid-for support.
+ </p></div><div class="sect1" lang="en-US"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id382382"></a>Commercial Support</h2></div></div></div><p>
+ There are six basic support oriented services that are most commonly sought by Samba sites:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Assistance with network design</p></li><li><p>Staff Training</p></li><li><p>Assistance with Samba network deployment and installation</p></li><li><p>Priority telephone or email Samba configuration assistance</p></li><li><p>Trouble-shooting and diagnostic assistance</p></li><li><p>Provision of quality assured ready-to-install Samba binary packages</p></li></ul></div><p>
+<a class="indexterm" name="id382426"></a>
+<a class="indexterm" name="id382433"></a>
+ Information regarding companies that provide professional Samba support can be obtained by performing a Google
+ search, as well as by reference to the Samba <a href="http://www.samba.org/samba/support.html" target="_top">Support</a> web page. Companies who notify the Samba Team
+ that they provide commercial support are given a free listing that is sorted by the country of origin.
+ Multiple listings are permitted, however no guarantee is offered. It is left to you to qualify a support
+ provider and to satisfy yourself that both the company and its staff are able to deliver what is required of
+ them.
+ </p><p>
+<a class="indexterm" name="id382454"></a>
+ The policy within the Samba Team is to treat all commercial support providers equally and to show no
+ preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else.
+ You are encouraged to obtain the services needed from a company in your local area. The open source movement
+ is pro-community; so do what you can to help a local business to prosper.
+ </p><p>
+<a class="indexterm" name="id382467"></a>
+ Open source software support can be found in any quality, at any price and in any place you can
+ to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for
+ suffering in the mistaken belief that Samba is unsupported software it is supported.
+ </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="HA.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="appendix.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. Performance, Reliability, and Availability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. A Collection of Useful Tidbits</td></tr></table></div></body></html>
diff --git a/docs/htmldocs/Samba3-ByExample/go01.html b/docs/htmldocs/Samba3-ByExample/go01.html
new file mode 100644
index 0000000000..9084e99cc6
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/go01.html
@@ -0,0 +1,113 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Glossary</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="gpl.html" title="Appendix A. GNU General Public License"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Glossary</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="gpl.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="glossary"><div class="titlepage"><div><div><h2 class="title"><a name="id389920"></a>Glossary</h2></div></div></div><dl><dt>Access Control List</dt><dd><p>
+ A detailed list of permissions granted to users or groups with respect to file and network
+ resource access.
+ </p></dd><dt>Active Directory Service</dt><dd><p>
+ A service unique to Microsoft Windows 200x servers that provides a centrally managed
+ directory for management of user identities and computer objects, as well as the
+ permissions each user or computer may be granted to access distributed network resources.
+ ADS uses Kerberos-based authentication and LDAP over Kerberos for directory access.
+ </p></dd><dt>Common Internet File System</dt><dd><p>
+ The new name for SMB. Microsoft renamed the SMB protocol to CIFS during
+ the Internet hype in the 1990s. At about the time that the SMB protocol was renamed
+ to CIFS, an additional dialect of the SMB protocol was in development. The need for the
+ deployment of the NetBIOS layer was also removed, thus paving the way for use of the SMB
+ protocol natively over TCP/IP (known as NetBIOS-less SMB or &#8220;<span class="quote">naked</span>&#8221; TCP
+ transport).
+ </p></dd><dt>Common UNIX Printing System</dt><dd><p>
+ A recent implementation of a high-capability printing system for UNIX developed by
+ <a href="http://www.easysw.com/" target="_top">Easy Software Inc.</a>. The design objective
+ of CUPS was to provide a rich print processing system that has built-in intelligence
+ that is capable of correctly rendering (processing) a file that is submitted for
+ printing even if it was formatted for an entirely different printer.
+ </p></dd><dt>Domain Master Browser</dt><dd><p>
+ The Domain Master Browser maintains a list of all the servers that
+ have announced their services within a given workgroup or NT domain.
+ </p></dd><dt>Domain Name Service</dt><dd><p>
+ A protocol by which computer hostnames may be resolved to the matching IP address/es.
+ DNS is implemented by the Berkeley Internet Name Daemon. There exists a recent version
+ of DNS that allows dynamic name registration by network clients or by a DHCP server.
+ This recent protocol is known as dynamic DNS (DDNS).
+ </p></dd><dt>Dynamic Host Configuration Protocol</dt><dd><p>
+ A protocol that was based on the BOOTP protocol that may be used to dynamically assign
+ an IP address, from a reserved pool of addresses, to a network client or device.
+ Additionally, DHCP may assign all network configuration settings and may be used to
+ register a computer name and its address with a dynamic DNS server.
+ </p></dd><dt>Ethereal</dt><dd><p>
+ A network analyzer, also known as a network sniffer or a protocol analyzer. Ethereal is
+ freely available for UNIX/Linux and Microsoft Windows systems from
+ <a href="http://www.ethereal.com" target="_top">the Ethereal Web site</a>.
+ </p></dd><dt>Group IDentifier</dt><dd><p>
+ The UNIX system group identifier; on older systems, a 32-bit unsigned integer, and on
+ newer systems, an unsigned 64-bit integer. The GID is used in UNIX-like operating systems
+ for all group-level access control.
+ </p></dd><dt>Key Distribution Center</dt><dd><p>
+ The Kerberos authentication protocol makes use of security keys (also called a ticket)
+ by which access to network resources is controlled. The issuing of Kerberos tickets
+ is effected by a KDC.
+ </p></dd><dt>Lightweight Directory Access Protocol</dt><dd><p>
+ The Lightweight Directory Access Protocol is a technology that
+ originated from the development of X.500 protocol specifications and
+ implementations. LDAP was designed as a means of rapidly searching
+ through X.500 information. Later LDAP was adapted as an engine that
+ could drive its own directory database. LDAP is not a database per
+ se; rather it is a technology that enables high-volume search and
+ locate activity from clients that wish to obtain simply defined
+ information about a subset of records that are stored in a
+ database. LDAP does not have a particularly efficient mechanism for
+ storing records in the database, and it has no concept of transaction
+ processing nor of mechanisms for preserving data consistency. LDAP is
+ premised around the notion that the search and read activity far
+ outweigh any need to add, delete, or modify records. LDAP does
+ provide a means for replication of the database to keep slave
+ servers up to date with a master. It also has built-in capability to
+ handle external references and deferral.
+ </p></dd><dt>Local Master Browser</dt><dd><p>
+ The Local Master Browser maintains a list of all servers that have announced themselves
+ within a given workgroup or NT domain on a particular broadcast isolated subnet.
+ </p></dd><dt>Media Access Control</dt><dd><p>
+ The hard-coded address of the physical-layer device that is attached to the network.
+ All network interface controllers must have a hard-coded and unique MAC address. The
+ MAC address is 48 bits long.
+ </p></dd><dt>NetBIOS Extended User Interface</dt><dd><p>
+ Very simple network protocol invented by IBM and Microsoft. It is used to do NetBIOS
+ over Ethernet with low overhead. NetBEUI is a non-routable protocol.
+ </p></dd><dt>Network Address Translation</dt><dd><p>
+ Network address translation is a form of IP address masquerading. It ensures that internal
+ private (RFC1918) network addresses from packets inside the network are rewritten so
+ that TCP/IP packets that leave the server over a public connection are seen to come only
+ from the external network address.
+ </p></dd><dt>Network Basic Input/Output System</dt><dd><p>
+ NetBIOS is a simple application programming interface (API) invented in the 1980s
+ that allows programs to send data to certain network names. NetBIOS is always run over
+ another network protocol such as IPX/SPX, TCP/IP, or Logical Link Control (LLC).
+ NetBIOS run over LLC is best known as NetBEUI (the NetBIOS Extended User Interface
+ a complete misnomer!).
+ </p></dd><dt>NetBT</dt><dd><p>
+ Protocol for transporting NetBIOS frames over TCP/IP. Uses ports 137, 138, and 139.
+ NetBT is a fully routable protocol.
+ </p></dd><dt>NT/LanManager Security Support Provider</dt><dd><p>
+ The NTLM Security Support Provider (NTLMSSP) service in Windows NT4/200x/XP is responsible for
+ handling all NTLM authentication requests. It is the front end for protocols such as SPNEGO,
+ Schannel, and other technologies. The generic protocol family supported by NTLMSSP is known as
+ GSSAPI, the Generic Security Service Application Program Interface specified in RFC2078.
+ </p></dd><dt>Server Message Block</dt><dd><p>
+ SMB was the original name of the protocol spoken by Samba. It was invented in the 1980s
+ by IBM and adopted and extended further by Microsoft. Microsoft renamed the protocol to
+ CIFS during the Internet hype in the 1990s.
+ </p></dd><dt>The Simple and Protected GSS-API Negotiation</dt><dd><p>
+ The purpose of SPNEGO is to allow a client and server to negotiate a security mechanism for
+ authentication. The protocol is specified in RFC2478 and uses tokens as built via ASN.1 DER.
+ DER refers to Distinguished Encoding Rules. These are a set of common rules for creating
+ binary encodings in a platform-independent manner. Samba has support for SPNEGO.
+ </p></dd><dt>The Official Samba-3 HOWTO and Reference Guide, Second Edition</dt><dd><p>
+ This book makes repeated reference to &#8220;<span class="quote">The Official Samba-3 HOWTO and Reference Guide, Second
+ Edition</span>&#8221; by John H. Terpstra and Jelmer R. Vernooij. This publication is available from
+ Amazon.com. Publisher: Prentice Hall PTR (August 2005),
+ ISBN: 013122282.
+ </p></dd><dt>User IDentifier</dt><dd><p>
+ The UNIX system user identifier; on older systems, a 32-bit unsigned integer, and on newer systems,
+ an unsigned 64-bit integer. The UID is used in UNIX-like operating systems for all user-level access
+ control.
+ </p></dd><dt>Universal Naming Convention</dt><dd><p>A syntax for specifying the location of network resources (such as file shares).
+ The UNC syntax was developed in the early days of MS DOS 3.x and is used internally by the SMB protocol.
+ </p></dd></dl></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="gpl.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Appendix A. GNU General Public License </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html>
diff --git a/docs/htmldocs/Samba3-ByExample/gpl.html b/docs/htmldocs/Samba3-ByExample/gpl.html
new file mode 100644
index 0000000000..cb395f8976
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/gpl.html
@@ -0,0 +1,294 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Appendix A. GNU General Public License</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="primer.html" title="Chapter 16. Networking Primer"><link rel="next" href="go01.html" title="Glossary"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Appendix A. GNU General Public License</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="primer.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="go01.html">Next</a></td></tr></table><hr></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="gpl"></a>GNU General Public License</h1></div><div><p class="releaseinfo"> Version 2, June 1991</p></div><div><p class="copyright">Copyright © 1989, 1991 Free Software Foundation, Inc.</p></div><div><div class="legalnotice"><a name="gpl-legalnotice"></a><p>
+ </p><div class="address"><p>Free Software Foundation, Inc. <br>
+   <span class="street">51 Franklin Street, Fifth Floor</span>, <br>
+   <span class="city">Boston</span>, <br>
+   <span class="state">MA</span> <br>
+   <span class="postcode">02110-1301</span><br>
+   <span class="country">USA</span><br>
+ </p></div><p>
+ </p><p> Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
+ </p></div></div><div><p class="pubdate">Version 2, June 1991</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="gpl.html#gpl-1">Preamble</a></span></dt><dt><span class="sect1"><a href="gpl.html#gpl-2">TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION</a></span></dt><dd><dl><dt><span class="sect2"><a href="gpl.html#gpl-2-0">Section 0</a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-1">Section 1</a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-2">Section 2</a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-3">Section 3
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-4">Section 4
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-5">Section 5
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-6">Section 6
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-7">Section 7
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-8">Section 8
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-9">Section 9
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-10">Section 10
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-11">NO WARRANTY Section 11
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-12">Section 12
+ </a></span></dt></dl></dd><dt><span class="sect1"><a href="gpl.html#gpl-3">How to Apply These Terms to Your New Programs
+ </a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="gpl-1"></a>Preamble</h2></div></div></div><p> The licenses for most software are designed to take away your
+ freedom to share and change it. By contrast, the GNU General Public License is
+ intended to guarantee your freedom to share and change
+ free software - to make sure the software is free for all its users.
+ This General Public License applies to most of the Free Software
+ Foundation's software and to any other program whose authors commit
+ to using it. (Some other Free Software Foundation software is covered
+ by the GNU Library General Public License instead.) You can apply it
+ to your programs, too.
+ </p><p> When we speak of free software, we are referring to freedom, not price.
+ Our General Public Licenses are designed to make sure that you have the
+ freedom to distribute copies of free software (and charge for this
+ service if you wish), that you receive source code or can get it if you
+ want it, that you can change the software or use pieces of it in new free
+ programs; and that you know you can do these things.
+ </p><p> To protect your rights, we need to make restrictions that forbid anyone
+ to deny you these rights or to ask you to surrender the rights. These
+ restrictions translate to certain responsibilities for you if you distribute
+ copies of the software, or if you modify it.
+ </p><p> For example, if you distribute copies of such a program, whether gratis or
+ for a fee, you must give the recipients all the rights that you have. You
+ must make sure that they, too, receive or can get the source code. And you
+ must show them these terms so they know their rights.
+ </p><p> We protect your rights with two steps:
+ </p><div class="orderedlist"><ol type="1"><li><p> copyright the software, and
+ </p></li><li><p> offer you this license which gives you legal permission to copy,
+ distribute and/or modify the software.
+ </p></li></ol></div><p>
+ </p><p> Also, for each author's protection and ours, we want to make certain that
+ everyone understands that there is no warranty for this free software. If
+ the software is modified by someone else and passed on, we want its
+ recipients to know that what they have is not the original, so that any
+ problems introduced by others will not reflect on the original authors'
+ reputations.
+ </p><p> Finally, any free program is threatened constantly by software patents.
+ We wish to avoid the danger that redistributors of a free program will
+ individually obtain patent licenses, in effect making the program
+ proprietary. To prevent this, we have made it clear that any patent must be
+ licensed for everyone's free use or not licensed at all.
+ </p><p> The precise terms and conditions for copying, distribution and modification
+ follow.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="gpl-2"></a>TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-0"></a>Section 0</h3></div></div></div><p> This License applies to any program or other work which contains a notice
+ placed by the copyright holder saying it may be distributed under the terms
+ of this General Public License. The "Program", below, refers to any such
+ program or work, and a
+ &#8220;<span class="quote">work based on the Program
+ </span>&#8221; means either
+ the Program or any derivative work under copyright law: that is to say, a
+ work containing the Program or a portion of it, either verbatim or with
+ modifications and/or translated into another language. (Hereinafter, translation
+ is included without limitation in the term
+ &#8220;<span class="quote">modification
+ </span>&#8221;.) Each licensee is addressed as &#8220;<span class="quote">you</span>&#8221;.
+ </p><p> Activities other than copying, distribution and modification are not covered by
+ this License; they are outside its scope. The act of running the Program is not
+ restricted, and the output from the Program is covered only if its contents
+ constitute a work based on the Program (independent of having been made by running
+ the Program). Whether that is true depends on what the Program does.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-1"></a>Section 1</h3></div></div></div><p> You may copy and distribute verbatim copies of the Program's source code as you
+ receive it, in any medium, provided that you conspicuously and appropriately
+ publish on each copy an appropriate copyright notice and disclaimer of warranty;
+ keep intact all the notices that refer to this License and to the absence of any
+ warranty; and give any other recipients of the Program a copy of this License
+ along with the Program.
+ </p><p> You may charge a fee for the physical act of transferring a copy, and you may at
+ your option offer warranty protection in exchange for a fee.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-2"></a>Section 2</h3></div></div></div><p> You may modify your copy or copies of the Program or any portion of it, thus
+ forming a work based on the Program, and copy and distribute such modifications
+ or work under the terms of
+ <a href="gpl.html#gpl-2-1" title="Section 1">Section 1
+ </a> above, provided
+ that you also meet all of these conditions:
+ </p><div class="orderedlist"><ol type="1"><li><p> You must cause the modified files to carry prominent notices stating that
+ you changed the files and the date of any change.
+ </p></li><li><p> You must cause any work that you distribute or publish, that in whole or
+ in part contains or is derived from the Program or any part thereof, to be
+ licensed as a whole at no charge to all third parties under the terms of
+ this License.
+ </p></li><li><p> If the modified program normally reads commands interactively when run, you
+ must cause it, when started running for such interactive use in the most
+ ordinary way, to print or display an announcement including an appropriate
+ copyright notice and a notice that there is no warranty (or else, saying
+ that you provide a warranty) and that users may redistribute the program
+ under these conditions, and telling the user how to view a copy of this
+ License.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Exception:
+ </h3><p> If the Program itself is interactive but does not normally print such an
+ announcement, your work based on the Program is not required to print an
+ announcement.)
+ </p></div><p>
+ </p></li></ol></div><p>
+ </p><p> These requirements apply to the modified work as a whole. If identifiable sections
+ of that work are not derived from the Program, and can be reasonably considered
+ independent and separate works in themselves, then this License, and its terms,
+ do not apply to those sections when you distribute them as separate works. But when
+ you distribute the same sections as part of a whole which is a work based on the
+ Program, the distribution of the whole must be on the terms of this License, whose
+ permissions for other licensees extend to the entire whole, and thus to each and
+ every part regardless of who wrote it.
+ </p><p> Thus, it is not the intent of this section to claim rights or contest your rights
+ to work written entirely by you; rather, the intent is to exercise the right to control
+ the distribution of derivative or collective works based on the Program.
+ </p><p> In addition, mere aggregation of another work not based on the Program with the Program
+ (or with a work based on the Program) on a volume of a storage or distribution medium
+ does not bring the other work under the scope of this License.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-3"></a>Section 3
+ </h3></div></div></div><p> You may copy and distribute the Program (or a work based on it, under
+ <a href="gpl.html#gpl-2-2" title="Section 2">Section 2
+ </a> in object code or executable form under the terms of
+ <a href="gpl.html#gpl-2-1" title="Section 1">Sections 1
+ </a> and
+ <a href="gpl.html#gpl-2-2" title="Section 2">2
+ </a> above provided that you also do one of the following:
+ </p><div class="orderedlist"><ol type="1"><li><p> Accompany it with the complete corresponding machine-readable source code, which
+ must be distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+ </p></li><li><p> Accompany it with a written offer, valid for at least three years, to give any
+ third party, for a charge no more than your cost of physically performing source
+ distribution, a complete machine-readable copy of the corresponding source code,
+ to be distributed under the terms of Sections 1 and 2 above on a medium customarily
+ used for software interchange; or,
+ </p></li><li><p> Accompany it with the information you received as to the offer to distribute
+ corresponding source code. (This alternative is allowed only for noncommercial
+ distribution and only if you received the program in object code or executable form
+ with such an offer, in accord with Subsection b above.)
+ </p></li></ol></div><p>
+ </p><p> The source code for a work means the preferred form of the work for making modifications
+ to it. For an executable work, complete source code means all the source code for all modules
+ it contains, plus any associated interface definition files, plus the scripts used to control
+ compilation and installation of the executable. However, as a special exception, the source
+ code distributed need not include anything that is normally distributed (in either source or
+ binary form) with the major components (compiler, kernel, and so on) of the operating system
+ on which the executable runs, unless that component itself accompanies the executable.
+ </p><p> If distribution of executable or object code is made by offering access to copy from a
+ designated place, then offering equivalent access to copy the source code from the same place
+ counts as distribution of the source code, even though third parties are not compelled to
+ copy the source along with the object code.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-4"></a>Section 4
+ </h3></div></div></div><p> You may not copy, modify, sublicense, or distribute the Program except as expressly provided
+ under this License. Any attempt otherwise to copy, modify, sublicense or distribute the
+ Program is void, and will automatically terminate your rights under this License. However,
+ parties who have received copies, or rights, from you under this License will not have their
+ licenses terminated so long as such parties remain in full compliance.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-5"></a>Section 5
+ </h3></div></div></div><p> You are not required to accept this License, since you have not signed it. However, nothing
+ else grants you permission to modify or distribute the Program or its derivative works.
+ These actions are prohibited by law if you do not accept this License. Therefore, by modifying
+ or distributing the Program (or any work based on the Program), you indicate your acceptance
+ of this License to do so, and all its terms and conditions for copying, distributing or
+ modifying the Program or works based on it.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-6"></a>Section 6
+ </h3></div></div></div><p> Each time you redistribute the Program (or any work based on the Program), the recipient
+ automatically receives a license from the original licensor to copy, distribute or modify
+ the Program subject to these terms and conditions. You may not impose any further restrictions
+ on the recipients' exercise of the rights granted herein. You are not responsible for enforcing
+ compliance by third parties to this License.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-7"></a>Section 7
+ </h3></div></div></div><p> If, as a consequence of a court judgment or allegation of patent infringement or for any other
+ reason (not limited to patent issues), conditions are imposed on you (whether by court order,
+ agreement or otherwise) that contradict the conditions of this License, they do not excuse you
+ from the conditions of this License. If you cannot distribute so as to satisfy simultaneously
+ your obligations under this License and any other pertinent obligations, then as a consequence
+ you may not distribute the Program at all. For example, if a patent license would not permit
+ royalty-free redistribution of the Program by all those who receive copies directly or
+ indirectly through you, then the only way you could satisfy both it and this License would be
+ to refrain entirely from distribution of the Program.
+ </p><p> If any portion of this section is held invalid or unenforceable under any particular circumstance,
+ the balance of the section is intended to apply and the section as a whole is intended to apply
+ in other circumstances.
+ </p><p> It is not the purpose of this section to induce you to infringe any patents or other property
+ right claims or to contest validity of any such claims; this section has the sole purpose of
+ protecting the integrity of the free software distribution system, which is implemented by public
+ license practices. Many people have made generous contributions to the wide range of software
+ distributed through that system in reliance on consistent application of that system; it is up
+ to the author/donor to decide if he or she is willing to distribute software through any other
+ system and a licensee cannot impose that choice.
+ </p><p> This section is intended to make thoroughly clear what is believed to be a consequence of the
+ rest of this License.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-8"></a>Section 8
+ </h3></div></div></div><p> If the distribution and/or use of the Program is restricted in certain countries either by patents
+ or by copyrighted interfaces, the original copyright holder who places the Program under this License
+ may add an explicit geographical distribution limitation excluding those countries, so that
+ distribution is permitted only in or among countries not thus excluded. In such case, this License
+ incorporates the limitation as if written in the body of this License.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-9"></a>Section 9
+ </h3></div></div></div><p> The Free Software Foundation may publish revised and/or new versions of the General Public License
+ from time to time. Such new versions will be similar in spirit to the present version, but may differ
+ in detail to address new problems or concerns.
+ </p><p> Each version is given a distinguishing version number. If the Program specifies a version number of
+ this License which applies to it and "any later version", you have the option of following the terms
+ and conditions either of that version or of any later version published by the Free Software
+ Foundation. If the Program does not specify a version number of this License, you may choose any
+ version ever published by the Free Software Foundation.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-10"></a>Section 10
+ </h3></div></div></div><p> If you wish to incorporate parts of the Program into other free programs whose distribution
+ conditions are different, write to the author to ask for permission. For software which is copyrighted
+ by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions
+ for this. Our decision will be guided by the two goals of preserving the free status of all
+ derivatives of our free software and of promoting the sharing and reuse of software generally.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-11"></a>NO WARRANTY Section 11
+ </h3></div></div></div><p> BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT
+ PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+ OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+ PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gpl-2-12"></a>Section 12
+ </h3></div></div></div><p> IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR
+ ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU
+ FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+ USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
+ INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH
+ ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+ DAMAGES.
+ </p><p>END OF TERMS AND CONDITIONS
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="gpl-3"></a>How to Apply These Terms to Your New Programs
+ </h2></div></div></div><p>
+ If you develop a new program, and you want it to be of the greatest
+ possible use to the public, the best way to achieve this is to make it
+ free software which everyone can redistribute and change under these terms.
+ </p><p>
+ To do so, attach the following notices to the program. It is safest
+ to attach them to the start of each source file to most effectively
+ convey the exclusion of warranty; and each file should have at least
+ the "copyright" line and a pointer to where the full notice is found.
+ </p><p>
+ &lt;one line to give the program's name and a brief idea of what it does.&gt;
+ Copyright (C) &lt;year&gt; &lt;name of author&gt;
+ </p><p>
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ </p><p>
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ </p><p>
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ </p><p>
+ Also add information on how to contact you by electronic and paper mail.
+ </p><p>
+ If the program is interactive, make it output a short notice like this
+ when it starts in an interactive mode:
+ </p><p>
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+ </p><p>
+ The hypothetical commands `show w' and `show c' should show the appropriate
+ parts of the General Public License. Of course, the commands you use may
+ be called something other than `show w' and `show c'; they could even be
+ mouse-clicks or menu items--whatever suits your program.
+ </p><p>
+ You should also get your employer (if you work as a programmer) or your
+ school, if any, to sign a "copyright disclaimer" for the program, if
+ necessary. Here is a sample; alter the names:
+ </p><p>
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+ </p><p>
+ &lt;signature of Ty Coon&gt;, 1 April 1989
+ Ty Coon, President of Vice
+ </p><p>
+ This General Public License does not permit incorporating your program into
+ proprietary programs. If your program is a subroutine library, you may
+ consider it more useful to permit linking proprietary applications with the
+ library. If this is what you want to do, use the GNU Lesser General
+ Public License instead of this License.
+ </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="primer.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="go01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 16. Networking Primer </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Glossary</td></tr></table></div></body></html>
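Review bot: the ordered lists in Section 2 and Section 3 of this GPL rendering are emitted as `<ol type="1">`, so the cross-reference in Section 3's third item, "in accord with Subsection b above", refers to a letter the rendered list never shows; either the DocBook source for these lists should number them `type="a"` or the xref text should be changed to match the numbering that is actually displayed. Two smaller text defects in the same hunk: the "Exception:" note in Section 2 closes with a stray `)` after "announcement." that has no opening parenthesis, and the Section 11 heading reads "NO WARRANTY Section 11" while the neighbouring headings put the section number first, so the generated title looks inconsistent.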
diff --git a/docs/htmldocs/Samba3-ByExample/happy.html b/docs/htmldocs/Samba3-ByExample/happy.html
new file mode 100644
index 0000000000..076a17b28f
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/happy.html
@@ -0,0 +1,2878 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Making Happy Users</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="Big500users.html" title="Chapter 4. The 500-User Office"><link rel="next" href="2000users.html" title="Chapter 6. A Distributed 2000-User Network"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Making Happy Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="2000users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="happy"></a>Chapter 5. 
Making Happy Users</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id336196">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id336272">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id336400">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id336802">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id338453">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id338466">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id338636">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id345079">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id345095">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id345184">Configuring Profile Directories</a></span></dt><dt><span 
class="sect2"><a href="happy.html#id345412">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id345510">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id345624">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id346340">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id346624">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id347264">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id347290">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id347320">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id347408">Questions and Answers</a></span></dt></dl></div><p>
+ It is said that &#8220;<span class="quote">a day that is without troubles is not fulfilling. Rather, give
+ me a day of troubles well handled so that I can be content with my achievements.</span>&#8221;
+ </p><p>
+ In the world of computer networks, problems are as varied as the people who create them
+ or experience them. The design of the network implemented in <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>
+ may create problems for some network users. The following lists some of the problems that
+ may occur:
+ </p><a class="indexterm" name="id335700"></a><a class="indexterm" name="id335707"></a><a class="indexterm" name="id335716"></a><a class="indexterm" name="id335722"></a><a class="indexterm" name="id335729"></a><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>
+A significant number of network administrators have responded to the guidance given
+here. It should be noted that there are sites that have a single PDC for many hundreds of
+concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
+are among the factors that determine the maximum number of Windows clients that
+can be served by a single domain controller (PDC or BDC) on a network segment. It is possible
+to operate with only a single PDC over a routed network. What is possible is not necessarily
+<span class="emphasis"><em>best practice</em></span>. When Windows client network logons begin to fail with
+the message that the domain controller cannot be found or that the user account cannot
+be found (when you know it exists), that may be an indication that the domain controller is
+overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows
+clients is conservative and if followed will minimize problems but it is not absolute.
+</p></div><div class="variablelist"><dl><dt><span class="term">Users experiencing difficulty logging onto the network</span></dt><dd><p>
+ <a class="indexterm" name="id335766"></a>
+ <a class="indexterm" name="id335775"></a>
+ When a Windows client logs onto the network, many data packets are exchanged
+ between the client and the server that is providing the network logon services.
+ Each request between the client and the server must complete within a specific
+ time limit. This is one of the primary factors that govern the installation of
+ multiple domain controllers (usually called secondary or backup controllers).
+ As a rough rule, there should be one such backup controller for every
+ 30 to 150 clients. The actual limits are determined by network operational
+ characteristics.
+ </p><p>
+ <a class="indexterm" name="id335790"></a>
+ <a class="indexterm" name="id335797"></a>
+ <a class="indexterm" name="id335803"></a>
+ If the domain controller provides only network logon services
+ and all file and print activity is handled by domain member servers, one domain
+ controller per 150 clients on a single network segment may suffice. In any
+ case, it is highly recommended to have a minimum of one domain controller (PDC or BDC)
+ per network segment. It is better to have at least one BDC on the network
+ segment that has a PDC. If the domain controller is also used as a file and
+ print server, the number of clients it can service reliably is reduced,
+ and generally for low powered hardware should not exceed 30 machines (Windows
+ workstations plus domain member servers) per domain controller. Many sites are
+ able to operate with more clients per domain controller, the number of clients
+ that can be supported is limited by the CPU speed, memory and the workload on
+ the Samba server as well as network bandwidth utilization.
+ </p></dd><dt><span class="term">Slow logons and log-offs</span></dt><dd><p>
+ <a class="indexterm" name="id335837"></a>
+ Slow logons and log-offs may be caused by many factors that include:
+
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id335850"></a>
+ <a class="indexterm" name="id335861"></a>
+ Excessive delays in the resolution of a NetBIOS name to its IP
+ address. This may be observed when an overloaded domain controller
+ is also the WINS server. Another cause may be the failure to use
+ a WINS server (this assumes that there is a single network segment).
+ </p></li><li><p>
+ <a class="indexterm" name="id335877"></a>
+ <a class="indexterm" name="id335884"></a>
+ <a class="indexterm" name="id335890"></a>
+ Network traffic collisions due to overloading of the network
+ segment. One short-term workaround to this may be to replace
+ network HUBs with Ethernet switches.
+ </p></li><li><p>
+ <a class="indexterm" name="id335903"></a>
+ Defective networking hardware. Over the past few years, we have seen
+ on the Samba mailing list a significant increase in the number of
+ problems that were traced to a defective network interface controller,
+ a defective HUB or Ethernet switch, or defective cabling. In most cases,
+ it was the erratic nature of the problem that ultimately pointed to
+ the cause of the problem.
+ </p></li><li><p>
+ <a class="indexterm" name="id335920"></a>
+ <a class="indexterm" name="id335929"></a>
+ Excessively large roaming profiles. This type of problem is typically
+ the result of poor user education as well as poor network management.
+ It can be avoided by users not storing huge quantities of email in
+ MS Outlook PST files as well as by not storing files on the desktop.
+ These are old bad habits that require much discipline and vigilance
+ on the part of network management.
+ </p></li><li><p>
+ <a class="indexterm" name="id335946"></a>
+ You should verify that the Windows XP WebClient service is not running.
+ The use of the WebClient service has been implicated in many Windows
+ networking-related problems.
+ </p></li></ul></div><p>
+ </p></dd><dt><span class="term">Loss of access to network drives and printer resources</span></dt><dd><p>
+ Loss of access to network resources during client operation may be caused by a number
+ of factors, including:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id335976"></a>
+ Network overload (typically indicated by a high network collision rate)
+ </p></li><li><p>
+ Server overload
+ </p></li><li><p>
+ <a class="indexterm" name="id335995"></a>
+ Timeout causing the client to close a connection that is in use but has
+ been latent (no traffic) for some time (5 minutes or more)
+ </p></li><li><p>
+ <a class="indexterm" name="id336009"></a>
+ Defective networking hardware
+ </p></li></ul></div><p>
+ <a class="indexterm" name="id336023"></a>
+ No matter what the cause, a sudden loss of access to network resources can
+ result in BSOD (blue screen of death) situations that necessitate rebooting of the client
+ workstation. In the case of a mild problem, retrying to access the network drive of the printer
+ may restore operations, but in any case this is a serious problem that may lead to the next
+ problem, data corruption.
+ </p></dd><dt><span class="term">Potential data corruption</span></dt><dd><p>
+ <a class="indexterm" name="id336047"></a>
+ Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
+ frustration, and generally precipitates immediate corrective demands. Management response
+ to this type of problem may be rational, as well as highly irrational. There have been
+ cases where management has fired network staff for permitting this situation to occur without
+ immediate correction. There have been situations where perfectly functional hardware was thrown
+ out and replaced, only to find the problem caused by a low-cost network hardware item. There
+ have been cases where server operating systems were replaced, or where Samba was updated,
+ only to later isolate the problem due to defective client software.
+ </p></dd></dl></div><p>
+ In this chapter, you can work through a number of measures that significantly arm you to
+ anticipate and combat network performance issues. You can work through complex and thorny
+ methods to improve the reliability of your network environment, but be warned that all such steps
+ demand the price of complexity.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id336072"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p>
+ <a class="indexterm" name="id336080"></a>
+ Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some
+ constraints that are described in this section.
+ </p><p>
+ <a class="indexterm" name="id336094"></a>
+ <a class="indexterm" name="id336100"></a>
+ <a class="indexterm" name="id336107"></a>
+ <a class="indexterm" name="id336114"></a>
+ The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
+ That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
+ them. A user account and a machine account are indistinguishable from each other, except that
+ the machine account ends in a $ character, as do trust accounts.
+ </p><p>
+ <a class="indexterm" name="id336127"></a>
+ <a class="indexterm" name="id336134"></a>
+ The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID
+ is a design decision that was made a long way back in the history of Samba development. It is
+ unlikely that this decision will be reversed or changed during the remaining life of the
+ Samba-3.x series.
+ </p><p>
+ <a class="indexterm" name="id336146"></a>
+ <a class="indexterm" name="id336153"></a>
+ The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
+ must refer back to the host operating system on which Samba is running. The name service
+ switch (NSS) is the preferred mechanism that shields applications (like Samba) from the
+ need to know everything about every host OS it runs on.
+ </p><p>
+ Samba asks the host OS to provide a UID via the &#8220;<span class="quote">passwd</span>&#8221;, &#8220;<span class="quote">shadow</span>&#8221;
+ and &#8220;<span class="quote">group</span>&#8221; facilities in the NSS control (configuration) file. The best tool
+ for achieving this is left up to the UNIX administrator to determine. It is not imposed by
+ Samba. Samba provides winbindd together with its support libraries as one method. It is
+ possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
+ all account entities can be located in an LDAP directory.
+ </p><p>
+ <a class="indexterm" name="id336184"></a>
+ For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
+ be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
+ is fundamentally an LDAP design question. The information provided on the Samba list and
+ in the documentation is directed at providing working examples only. The design
+ of an LDAP directory is a complex subject that is beyond the scope of this documentation.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id336196"></a>Introduction</h2></div></div></div><p>
+ You just opened an email from Christine that reads:
+ </p><p>
+ Good morning,
+ </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
+ A few months ago we sat down to design the network. We discussed the challenges ahead and we all
+ agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
+ that we would have some time to resolve any issues that might be encountered.
+ </p><p>
+ As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them
+ resigned yesterday afternoon because she was under duress to complete some critical projects. She
+ suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
+ of which was lost. She has a unique requirement that involves storing large files on her desktop.
+ Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it
+ takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
+ network logon traffic passes over the network links between our buildings, logging on may take
+ three or four attempts due to blue screen problems associated with network timeouts.
+ </p><p>
+ A few of us worked to help her out of trouble. We convinced her to stay and promised to fully
+ resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard
+ limits on what our users can do with their desktops. Otherwise, we face staff losses
+ that can surely do harm to our growth as well as to staff morale. I am sure we can better deal
+ with the consequences of what we know we must do than we can with the unrest we have now.
+ </p><p>
+ Stan and I have discussed the current situation. We are resolved to help our users and protect
+ the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
+ regain control of our vital IT operations.
+ </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Christine</span></td></tr></table></div><p>
+ </p><p>
+ <a class="indexterm" name="id336243"></a>
+ <a class="indexterm" name="id336250"></a>
+ Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a
+ single domain controller is a poor design that has obvious operational effects that may
+ frustrate users. Here is your reply:
+ </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
+ Christine, Your diligence and attention to detail are much valued. Stan and I fully support your
+ proposals to resolve the issues. I am confident that your plans fully realized will significantly
+ boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
+ Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
+ for approval; I appreciate the urgency.
+ </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id336272"></a>Assignment Tasks</h3></div></div></div><p>
+ The priority of assigned tasks in this chapter is:
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ <a class="indexterm" name="id336291"></a>
+ <a class="indexterm" name="id336300"></a>
+ <a class="indexterm" name="id336307"></a>
+ <a class="indexterm" name="id336314"></a><a class="indexterm" name="id336319"></a>
+ Implement Backup Domain Controllers (BDCs) in each building. This involves
+ a change from a <span class="emphasis"><em>tdbsam</em></span> backend that was used in the previous
+ chapter to an LDAP-based backend.
+ </p><p>
+ You can implement a single central LDAP server for this purpose.
+ </p></li><li><p>
+ <a class="indexterm" name="id336340"></a>
+ <a class="indexterm" name="id336346"></a>
+ <a class="indexterm" name="id336353"></a>
+ <a class="indexterm" name="id336360"></a>
+ Rectify the problem of excessive logon times. This involves redirection of
+ folders to network shares as well as modification of all user desktops to
+ exclude the redirected folders from being loaded at login time. You can also
+ create a new default profile that can be used for all new users.
+ </p></li></ol></div><p>
+ <a class="indexterm" name="id336376"></a>
+ You configure a new MS Windows XP Professional workstation disk image that you roll out
+ to all desktop users. The instructions you have created are followed on a staging machine
+ from which all changes can be carefully tested before inflicting them on your network users.
+ </p><p>
+ <a class="indexterm" name="id336389"></a>
+ This is the last network example in which specific mention of printing is made. The example
+ again makes use of the CUPS printing system.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id336400"></a>Dissection and Discussion</h2></div></div></div><p>
+ <a class="indexterm" name="id336408"></a>
+ <a class="indexterm" name="id336414"></a>
+ <a class="indexterm" name="id336421"></a>
+ The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
+ For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
+ LDAP servers in current use with Samba-3 include:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id336437"></a>
+ Novell <a href="http://www.novell.com/products/edirectory/" target="_top">eDirectory</a>
+ is being successfully used by some sites. Information on how to use eDirectory can be
+ obtained from the Samba mailing lists or from Novell.
+ </p></li><li><p>
+ <a class="indexterm" name="id336455"></a>
+ IBM <a href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">Tivoli
+ Directory Server</a> can be used to provide the Samba LDAP backend. Example schema
+ files are provided in the Samba source code tarball under the directory
+ <code class="filename">~samba/example/LDAP.</code>
+ </p></li><li><p>
+ <a class="indexterm" name="id336480"></a>
+ Sun <a href="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml" target="_top">ONE Identity
+ Server product suite</a> provides an LDAP server that can be used for Samba.
+ Example schema files are provided in the Samba source code tarball under the directory
+ <code class="filename">~samba/example/LDAP.</code>
+ </p></li></ul></div><p>
+ A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial
+ offerings, it requires that you manually edit the server configuration files and manually
+ initialize the LDAP directory database. OpenLDAP itself has only command-line tools to
+ help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
+ </p><p>
+ <a class="indexterm" name="id336511"></a>
+ For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
+ adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include
+ GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
+ requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
+ </p><p>
+ <a class="indexterm" name="id336525"></a>
+ <a class="indexterm" name="id336532"></a>
+ <a class="indexterm" name="id336539"></a>
+ <a class="indexterm" name="id336548"></a>
+ <a class="indexterm" name="id336557"></a>
+ <a class="indexterm" name="id336564"></a>
+ <a class="indexterm" name="id336573"></a>
+ When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
+ High availability operation may be obtained through directory replication/synchronization and
+ master/slave server configurations. OpenLDAP is a mature platform to host the organizational
+ directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more.
+ The price paid through learning how to design an LDAP directory schema in implementation and configuration
+ of management tools is well rewarded by performance and flexibility and the freedom to manage directory
+ contents with greater ability to back up, restore, and modify the directory than is generally possible
+ with Microsoft Active Directory.
+ </p><p>
+ <a class="indexterm" name="id336592"></a>
+ <a class="indexterm" name="id336601"></a>
+ <a class="indexterm" name="id336608"></a>
+ <a class="indexterm" name="id336615"></a>
+ A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
+ tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured
+ for a specific task orientation. It comes with a set of administrative tools that is entirely customized
+ for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
+ server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
+ who wants to build a custom directory solution. Microsoft provides an application called
+ <a href="http://www.microsoft.com/windowsserver2003/adam/default.mspx" target="_top">
+ MS ADAM</a> that provides more generic LDAP services, yet it does not have the vanilla-like services
+ of OpenLDAP.
+ </p><p>
+ <a class="indexterm" name="id336638"></a>
+ <a class="indexterm" name="id336647"></a>
+ You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
+ if you find the challenge of learning about LDAP directories, schemas, configuration, and management
+ tools and the creation of shell and Perl scripts a bit
+ challenging. OpenLDAP can be easily customized, though it includes
+ many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
+ that is required for use as a passdb backend.
+ </p><p>
+ <a class="indexterm" name="id336661"></a>
+ For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
+ there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
+ The Web-based tools you might like to consider include the
+ <a href="http://lam.sourceforge.net/" target="_top">LDAP Account Manager</a> (LAM) and the Webmin-based
+ <a href="http://www.webmin.com" target="_top">Webmin</a> Idealx
+ <a href="http://webmin.idealx.org/index.en.html" target="_top">CGI tools</a>.
+ </p><p>
+ Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of
+ these, so it may be useful to them:
+ <a href="http://biot.com/gq" target="_top">GQ</a>, a GTK-based LDAP browser;
+ LDAP <a href="http://www.iit.edu/~gawojar/ldap/" target="_top">Browser/Editor</a>
+ <a href="http://www.jxplorer.org/" target="_top">; JXplorer</a> (by Computer Associates);
+ and <a href="http://phpldapadmin.sourceforge.net/" target="_top">phpLDAPadmin</a>.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
+ security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
+ is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
+ LDAP before attempting to deploy it in a business-critical environment.
+ </p></div><p>
+ Information to help you get started with OpenLDAP is available from the
+ <a href="http://www.openldap.org/pub/" target="_top">OpenLDAP web site</a>. Many people have found the book
+ <a href="http://www.oreilly.com/catalog/ldapsa/index.html" target="_top"><span class="emphasis"><em>LDAP System Administration</em></span>,</a>
+ by Jerry Carter quite useful.
+ </p><p>
+ <a class="indexterm" name="id336747"></a>
+ <a class="indexterm" name="id336753"></a>
+ <a class="indexterm" name="id336762"></a>
+ <a class="indexterm" name="id336769"></a>
+ Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
+ main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
+ be loaded over the WAN connection. The addition of BDCs on each network segment significantly
+ improves overall network performance for most users, but it is not enough. You must gain control over
+ user desktops, and this must be done in a way that wins their support and does not cause further loss of
+ staff morale. The following procedures solve this problem.
+ </p><p>
+ <a class="indexterm" name="id336786"></a>
+ There is also an opportunity to implement smart printing features. You add this to the Samba configuration
+ so that future printer changes can be managed without need to change desktop configurations.
+ </p><p>
+ You add the ability to automatically download new printer drivers, even if they are not installed
+ in the default desktop profile. Only one example of printing configuration is given. It is assumed that
+ you can extrapolate the principles and use them to install all printers that may be needed.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id336802"></a>Technical Issues</h3></div></div></div><p>
+ <a class="indexterm" name="id336810"></a>
+ <a class="indexterm" name="id336819"></a>
+ <a class="indexterm" name="id336828"></a>
+ The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
+ server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
+ accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account
+ attributes Samba needs. Samba-3 can use the LDAP backend to store:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Windows Networking User Accounts</p></li><li><p>Windows NT Group Accounts</p></li><li><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p>
+ <a class="indexterm" name="id336864"></a>
+ <a class="indexterm" name="id336871"></a>
+ <a class="indexterm" name="id336878"></a>
+ <a class="indexterm" name="id336885"></a>
+ <a class="indexterm" name="id336891"></a>
+ <a class="indexterm" name="id336898"></a>
+ <a class="indexterm" name="id336907"></a>
+ <a class="indexterm" name="id336914"></a>
+ <a class="indexterm" name="id336920"></a>
+ The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
+ accounts in the LDAP backend. This implies the need to use the
+ <a href="http://www.padl.com/Contents/OpenSourceSoftware.html" target="_top">PADL LDAP tools</a>. The resolution
+ of the UNIX group name to its GID must be enabled from either the <code class="filename">/etc/group</code>
+ or from the LDAP backend. This requires the use of the PADL <code class="filename">nss_ldap</code> tool-set
+ that integrates with the NSS. The same requirements exist for resolution
+ of the UNIX username to the UID. The relationships are demonstrated in <a href="happy.html#sbehap-LDAPdiag" title="Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts">???</a>.
+ </p><div class="figure"><a name="sbehap-LDAPdiag"></a><p class="title"><b>Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UNIX-Samba-and-LDAP.png" width="270" alt="The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts"></div></div></div><br class="figure-break"><p>
+ <a class="indexterm" name="id337000"></a>
+ <a class="indexterm" name="id337007"></a>
+ You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
+ ought to learn how to configure secure communications over LDAP so that site security is not
+ at risk. This is not covered in the following guidance.
+ </p><p>
+ <a class="indexterm" name="id337021"></a>
+ <a class="indexterm" name="id337028"></a>
+ <a class="indexterm" name="id337037"></a>
+ <a class="indexterm" name="id337044"></a>
+ When OpenLDAP has been made operative, you configure the PDC called <code class="constant">MASSIVE</code>.
+ You initialize the Samba <code class="filename">secrets.tdb<sub></sub></code> file. Then you
+ create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.
+ You need to decide how best to create user and group accounts. A few hints are, of course, provided.
+ You can also find on the enclosed CD-ROM, in the <code class="filename">Chap06</code> directory, a few tools
+ that help to manage user and group configuration.
+ </p><p>
+ <a class="indexterm" name="id337074"></a>
+ <a class="indexterm" name="id337081"></a>
+ <a class="indexterm" name="id337088"></a>
+ In order to effect folder redirection and to add robustness to the implementation,
+ create a network default profile. All network users workstations are configured to use
+ the new profile. Roaming profiles will automatically be deleted from the workstation
+ when the user logs off.
+ </p><p>
+ <a class="indexterm" name="id337100"></a>
+ The profile is configured so that users cannot change the appearance
+ of their desktop. This is known as a mandatory profile. You make certain that users
+ are able to use their computers efficiently.
+ </p><p>
+ <a class="indexterm" name="id337112"></a>
+ A network logon script is used to deliver flexible but consistent network drive
+ connections.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-ppc"></a>Addition of Machines to the Domain</h4></div></div></div><p>
+ <a class="indexterm" name="id337132"></a>
+ <a class="indexterm" name="id337138"></a>
+ <a class="indexterm" name="id337143"></a>
+ <a class="indexterm" name="id337148"></a>
+ Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
+ that maps to the UNIX UID=0. The UNIX operating system permits only the <code class="constant">root</code>
+ user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
+ <code class="constant">Privileges</code>, which provides five new privileges that
+ can be assigned to users and/or groups; see Table 5.1.
+ </p><div class="table"><a name="sbehap-privs"></a><p class="title"><b>Table 5.1. Current Privilege Capabilities</b></p><div class="table-contents"><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="left"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="left"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="left"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="left"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr></tbody></table></div></div><br class="table-break"><p>
+ In this network example use is made of one of the supported privileges purely to demonstrate
+ how any user can now be given the ability to add machines to the domain using a normal user account
+ that has been given the appropriate privileges.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id337279"></a>Roaming Profile Background</h4></div></div></div><p>
+ As XP roaming profiles grow, so does the amount of time it takes to log in and out.
+ </p><p>
+ <a class="indexterm" name="id337291"></a>
+ <a class="indexterm" name="id337298"></a>
+ <a class="indexterm" name="id337305"></a>
+ <a class="indexterm" name="id337311"></a>
+ An XP roaming profile consists of the <code class="constant">HKEY_CURRENT_USER</code> hive file
+ <code class="filename">NTUSER.DAT</code> and a number of folders (My Documents, Application Data,
+ Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
+ network with the default configuration of MS Windows NT/200x/XPP, all this data is
+ copied to the local machine under the <code class="filename">C:\Documents and Settings\%USERNAME%</code>
+ directory. While the user is logged in, any changes made to any of these folders or to the
+ <code class="constant">HKEY_CURRENT_USER</code> branch of the registry are made to the local copy
+ of the profile. At logout the profile data is copied back to the server. This behavior
+ can be changed through appropriate registry changes and/or through changes to the default
+ user profile. In the latter case, it updates the registry with the values that are set in the
+ profile <code class="filename">NTUSER.DAT</code>
+ file.
+ </p><p>
+ The first challenge is to reduce the amount of data that must be transferred to and
+ from the profile server as roaming profiles are processed. This includes removing
+ all the shortcuts in the Recent directory, making sure the cache used by the Web browser
+ is not being dumped into the <code class="filename">Application Data</code> folder, removing the
+ Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the
+ user to not place large files on the desktop and to use his or her mapped home directory
+ instead of the <code class="filename">My Documents</code> folder for saving documents.
+ </p><p>
+ <a class="indexterm" name="id337373"></a>
+ Using a folder other than <code class="filename">My Documents</code> is a nuisance for
+ some users, since many applications use it by default.
+ </p><p>
+ <a class="indexterm" name="id337390"></a>
+ <a class="indexterm" name="id337396"></a>
+ <a class="indexterm" name="id337403"></a>
+ The secret to rapid loading of roaming profiles is to prevent unnecessary data from
+ being copied back and forth, without losing any functionality. This is not difficult;
+ it can be done by making changes to the Local Group Policy on each client as well
+ as changing some paths in each user's <code class="filename">NTUSER.DAT</code> hive.
+ </p><p>
+ <a class="indexterm" name="id337422"></a>
+ <a class="indexterm" name="id337429"></a>
+ Every user profile has its own <code class="filename">NTUSER.DAT</code> file. This means
+ you need to edit every user's profile, unless a better method can be
+ followed. Fortunately, with the right preparations, this is not difficult.
+ It is possible to remove the <code class="filename">NTUSER.DAT</code> file from each
+ user's profile. Then just create a Network Default Profile. Of course, it is
+ necessary to copy all files from redirected folders to the network share to which
+ they are redirected.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-locgrppol"></a>The Local Group Policy</h4></div></div></div><p>
+ <a class="indexterm" name="id337464"></a>
+ <a class="indexterm" name="id337471"></a>
+ <a class="indexterm" name="id337478"></a>
+ <a class="indexterm" name="id337484"></a>
+ Without an Active Directory PDC, you cannot take full advantage of Group Policy
+ Objects. However, you can still make changes to the Local Group Policy by using
+ the Group Policy editor (<code class="literal">gpedit.msc</code>).
+ </p><p>
+ The <span class="emphasis"><em>Exclude directories in roaming profile</em></span> settings can
+ be found under
+ <span class="guimenu">User Configuration</span> &#8594; <span class="guimenuitem">Administrative Templates</span> &#8594; <span class="guimenuitem">System</span> &#8594; <span class="guimenuitem">User Profiles</span>.
+ By default this setting contains
+ &#8220;<span class="quote">Local Settings; Temporary Internet Files; History; Temp</span>&#8221;.
+ </p><p>
+ Simply add the folders you do not wish to be copied back and forth to this
+ semicolon-separated list. Note that this change must be made on all clients
+ that are using roaming profiles.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id337546"></a>Profile Changes</h4></div></div></div><p>
+ <a class="indexterm" name="id337554"></a>
+ <a class="indexterm" name="id337561"></a>
+ There are two changes that should be done to each user's profile. Move each of
+ the directories that you have excluded from being copied back and forth out of
+ the usual profile path. Modify each user's <code class="filename">NTUSER.DAT</code> file
+ to point to the new paths that are shared over the network instead of to the default
+ path (<code class="filename">C:\Documents and Settings\%USERNAME%</code>).
+ </p><p>
+ <a class="indexterm" name="id337586"></a>
+ <a class="indexterm" name="id337592"></a>
+ The above modifies existing user profiles. So that newly created profiles have
+ these settings, you need to modify the <code class="filename">NTUSER.DAT</code> in
+ the <code class="filename">C:\Documents and Settings\Default User</code> folder on each
+ client machine, changing the same registry keys. You could do this by copying
+ <code class="filename">NTUSER.DAT</code> to a Linux box and using <code class="literal">regedt32</code>.
+ The basic method is described under <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a>.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id337635"></a>Using a Network Default User Profile</h4></div></div></div><p>
+ <a class="indexterm" name="id337643"></a>
+ <a class="indexterm" name="id337649"></a>
+ If you are using Samba as your PDC, you should create a file share called
+ <code class="constant">NETLOGON</code> and within that create a directory called
+ <code class="filename">Default User</code>, which is a copy of the desired default user
+ configuration (including a copy of <code class="filename">NTUSER.DAT</code>).
+ If this share exists and the <code class="filename">Default User</code> folder exists,
+ the first login from a new account pulls its configuration from it.
+ See also <a href="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html" target="_top">
+ the Real Men Don't Click</a> Web site.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id337689"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p>
+ <a class="indexterm" name="id337697"></a>
+ <a class="indexterm" name="id337706"></a>
+ <a class="indexterm" name="id337713"></a>
+ The subject of printing is quite topical. Printing problems run second place to name
+ resolution issues today. So far in this book, you have experienced only what is generally
+ known as &#8220;<span class="quote">dumb</span>&#8221; printing. Dumb printing is the arrangement by which all drivers
+ are manually installed on each client and the printing subsystems perform no filtering
+ or intelligent processing. Dumb printing is easily understood. It usually works without
+ many problems, but it has its limitations also. Dumb printing is better known as
+ <code class="literal">Raw-Print-Through</code> printing.
+ </p><p>
+ <a class="indexterm" name="id337737"></a>
+ <a class="indexterm" name="id337746"></a>
+ Samba permits the configuration of <code class="literal">smart</code> printing using the Microsoft
+ Windows point-and-click (also called drag-and-drop) printing. What this provides is
+ essentially the ability to print to any printer. If the local client does not yet have a
+ driver installed, the driver is automatically downloaded from the Samba server and
+ installed on the client. Drag-and-drop printing is neat; it means the user never needs
+ to fuss with driver installation, and that is a <span class="trademark">Good Thing,</span>&#8482;
+ isn't it?
+ </p><p>
+ There is a further layer of print job processing that is known as <code class="literal">intelligent</code>
+ printing that automatically senses the file format of data submitted for printing and
+ then invokes a suitable print filter to convert the incoming data stream into a format
+ suited to the printer to which the job is dispatched.
+ </p><p>
+ <a class="indexterm" name="id337786"></a>
+ <a class="indexterm" name="id337793"></a>
+ <a class="indexterm" name="id337800"></a>
+ The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
+ detect the data format and apply a print filter. This means that it is feasible to install
+ on all Windows clients a single printer driver for use with all printers that are routed
+ through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately,
+ <a href="http://www.easysw.com" target="_top">Easy Software Products</a>, the authors of CUPS, have
+ released a PostScript printing driver for Windows. It can be installed into the Samba
+ printing backend so that it automatically downloads to the client when needed.
+ </p><p>
+ This means that so long as there is a CUPS driver for the printer, all printing from Windows
+ software can use PostScript, no matter what the actual printer language for the physical
+ device is. It also means that the administrator can swap out a printer with a totally
+ different type of device without ever needing to change a client workstation driver.
+ </p><p>
+ This book is about Samba-3, so you can confine the printing style to just the smart
+ style of installation. Those interested in further information regarding intelligent
+ printing should review documentation on the Easy Software Products Web site.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbeavoid"></a>Avoiding Failures: Solving Problems Before They Happen</h4></div></div></div><p>
+ It has often been said that there are three types of people in the world: those who
+ have sharp minds and those who forget things. Please do not ask what the third group
+ is like! Well, it seems that many of us have company in the second group. There must
+ be a good explanation why so many network administrators fail to solve apparently
+ simple problems efficiently and effectively.
+ </p><p>
+ Here are some diagnostic guidelines that can be referred to when things go wrong:
+ </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id337852"></a>Preliminary Advice: Dangers Can Be Avoided</h5></div></div></div><p>
+ The best advice regarding how to mend a broken leg is &#8220;<span class="quote">Never break a leg!</span>&#8221;
+ </p><p>
+ <a class="indexterm" name="id337867"></a>
+ Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice
+ regarding the best way to remedy LDAP and Samba problems: &#8220;<span class="quote">Avoid them like the plague!</span>&#8221;
+ </p><p>
+ If you are now asking yourself how problems can be avoided, the best advice is to start
+ out your learning experience with a <span class="emphasis"><em>known-good configuration.</em></span> After
+ you have seen a fully working solution, a good way to learn is to make slow and progressive
+ changes that cause things to break, then observe carefully how and why things ceased to work.
+ </p><p>
+ The examples in this chapter (also in the book as a whole) are known to work. That means
+ that they could serve as the kick-off point for your journey through fields of knowledge.
+ Use this resource carefully; we hope it serves you well.
+ </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ Do not be lulled into thinking that you can easily adopt the examples in this
+ book and adapt them without first working through the examples provided. A little
+ thing overlooked can cause untold pain and may permanently tarnish your experience.
+ </p></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id337902"></a>The Name Service Caching Daemon</h5></div></div></div><p>
+ The name service caching daemon (nscd) is a primary cause of difficulties with name
+ resolution, particularly where <code class="literal">winbind</code> is used. Winbind does its
+ own caching, thus nscd causes double caching which can lead to peculiar problems during
+ debugging. As a rule, it is a good idea to turn off the name service caching daemon.
+ </p><p>
+ Operation of the name service caching daemon is controlled by the
+ <code class="filename">/etc/nscd.conf</code> file. Typical contents of this file are as follows:
+</p><pre class="screen">
+# /etc/nscd.conf
+# An example Name Service Cache config file. This file is needed by nscd.
+# Legal entries are:
+# logfile &lt;file&gt;
+# debug-level &lt;level&gt;
+# threads &lt;threads to use&gt;
+# server-user &lt;user to run server as instead of root&gt;
+# server-user is ignored if nscd is started with -S parameters
+# stat-user &lt;user who is allowed to request statistics&gt;
+# reload-count unlimited|&lt;number&gt;
+#
+# enable-cache &lt;service&gt; &lt;yes|no&gt;
+# positive-time-to-live &lt;service&gt; &lt;time in seconds&gt;
+# negative-time-to-live &lt;service&gt; &lt;time in seconds&gt;
+# suggested-size &lt;service&gt; &lt;prime number&gt;
+# check-files &lt;service&gt; &lt;yes|no&gt;
+# persistent &lt;service&gt; &lt;yes|no&gt;
+# shared &lt;service&gt; &lt;yes|no&gt;
+# Currently supported cache names (services): passwd, group, hosts
+# logfile /var/log/nscd.log
+# threads 6
+# server-user nobody
+# stat-user somebody
+ debug-level 0
+# reload-count 5
+ enable-cache passwd yes
+ positive-time-to-live passwd 600
+ negative-time-to-live passwd 20
+ suggested-size passwd 211
+ check-files passwd yes
+ persistent passwd yes
+ shared passwd yes
+ enable-cache group yes
+ positive-time-to-live group 3600
+ negative-time-to-live group 60
+ suggested-size group 211
+ check-files group yes
+ persistent group yes
+ shared group yes
+# !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to
+# cache hosts will cause your local system to not be able to trust
+# forward/reverse lookup checks. DO NOT USE THIS if your system relies on
+# this sort of security mechanism. Use a caching DNS server instead.
+ enable-cache hosts no
+ positive-time-to-live hosts 3600
+ negative-time-to-live hosts 20
+ suggested-size hosts 211
+ check-files hosts yes
+ persistent hosts yes
+ shared hosts yes
+</pre><p>
+ It is feasible to comment out the <code class="constant">passwd</code> and <code class="constant">group</code>
+ entries so they will not be cached. Alternatively, it is often simpler to just disable the
+ <code class="literal">nscd</code> service by executing (on Novell SUSE Linux):
+</p><pre class="screen">
+<code class="prompt">root# </code> chkconfig nscd off
+<code class="prompt">root# </code> rcnscd off
+</pre><p>
+ </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id338019"></a>Debugging LDAP</h5></div></div></div><p>
+ <a class="indexterm" name="id338027"></a>
+ <a class="indexterm" name="id338034"></a>
+ <a class="indexterm" name="id338041"></a>
+ In the example <code class="filename">/etc/openldap/slapd.conf</code> control file
+ (see <a href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">???</a>) there is an entry for <code class="constant">loglevel 256</code>.
+ To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter
+ and restart <code class="literal">slapd</code>.
+ </p><p>
+ <a class="indexterm" name="id338074"></a>
+ <a class="indexterm" name="id338081"></a>
+ LDAP log information can be directed into a file that is separate from the normal system
+ log files by changing the <code class="filename">/etc/syslog.conf</code> file so it has the following
+ contents:
+</p><pre class="screen">
+# Some foreign boot scripts require local7
+#
+local0,local1.* -/var/log/localmessages
+local2,local3.* -/var/log/localmessages
+local5.* -/var/log/localmessages
+local6,local7.* -/var/log/localmessages
+local4.* -/var/log/ldaplogs
+</pre><p>
+ In this case, all LDAP-related logs will be directed to the file
+ <code class="filename">/var/log/ldaplogs</code>. This makes it easy to track LDAP errors.
+ The snippet provides a simple example of usage that can be modified to suit
+ local site needs. The configuration used later in this chapter reflects such
+ customization with the intent that LDAP log files will be stored at a location
+ that meets local site needs and wishes more fully.
+ </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id338115"></a>Debugging NSS_LDAP</h5></div></div></div><p>
+ The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
+ <code class="filename">/etc/ldap.conf</code> file the following parameters:
+</p><pre class="screen">
+debug 256
+logdir /data/logs
+</pre><p>
+ Create the log directory as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir /data/logs
+</pre><p>
+ </p><p>
+ The diagnostic process should follow these steps:
+ </p><div class="procedure"><a name="id338155"></a><p class="title"><b>Procedure 5.1. NSS_LDAP Diagnostic Steps</b></p><ol type="1"><li><p>
+ Verify the <code class="constant">nss_base_passwd, nss_base_shadow, nss_base_group</code> entries
+ in the <code class="filename">/etc/ldap.conf</code> file and compare them closely with the directory
+ tree location that was chosen when the directory was first created.
+ </p><p>
+ One way this can be done is by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapcat | grep Group | grep dn
+dn: ou=Groups,dc=abmas,dc=biz
+dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
+dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
+dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
+dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz
+dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
+dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
+dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz
+</pre><p>
+ The first line is the DIT entry point for the container for POSIX groups. The correct entry
+ for the <code class="filename">/etc/ldap.conf</code> for the <code class="constant">nss_base_group</code>
+ parameter therefore is the distinguished name (dn) as applied here:
+</p><pre class="screen">
+nss_base_group ou=Groups,dc=abmas,dc=biz?one
+</pre><p>
+ The same process may be followed to determine the appropriate dn for user accounts.
+ If the container for computer accounts is not the same as that for users (see the <code class="filename">smb.conf</code>
+ file entry for <code class="constant">ldap machine suffix</code>), it may be necessary to set the
+ following DIT dn in the <code class="filename">/etc/ldap.conf</code> file:
+</p><pre class="screen">
+nss_base_passwd dc=abmas,dc=biz?sub
+</pre><p>
+ This instructs LDAP to search for machine as well as user entries from the top of the DIT
+ down. This is inefficient, but at least should work. Note: It is possible to specify multiple
+ <code class="constant">nss_base_passwd</code> entries in the <code class="filename">/etc/ldap.conf</code> file; they
+ will be evaluated sequentially. Let us consider an example of use where the following DIT
+ has been implemented:
+ </p><p>
+ </p><div class="itemizedlist"><ul type="disc"><li><p>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</p></li><li><p>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</p></li><li><p>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</p></li></ul></div><p>
+ </p><p>
+ The appropriate multiple entry for the <code class="constant">nss_base_passwd</code> directive
+ in the <code class="filename">/etc/ldap.conf</code> file may be:
+</p><pre class="screen">
+nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
+nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
+</pre><p>
+ </p></li><li><p>
+ Perform lookups such as:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent passwd
+</pre><p>
+ Each such lookup will create an entry in the <code class="filename">/data/log</code> directory
+ for each such process executed. The contents of each file created in this directory
+ may provide a hint as to the cause of the a problem that is under investigation.
+ </p></li><li><p>
+ For additional diagnostic information, check the contents of the <code class="filename">/var/log/messages</code>
+ to see what error messages are being generated as a result of the LDAP lookups. Here is an example of
+ a successful lookup:
+</p><pre class="screen">
+slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539
+(IP=0.0.0.0:389)
+slapd[12164]: conn=0 op=0 BIND dn="" method=128
+slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=
+slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0
+filter="(objectClass=*)"
+slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0
+nentries=1 text=
+slapd[12164]: conn=0 op=2 UNBIND
+slapd[12164]: conn=0 fd=10 closed
+slapd[12164]: conn=1 fd=10 ACCEPT from
+IP=127.0.0.1:33540 (IP=0.0.0.0:389)
+slapd[12164]: conn=1 op=0 BIND
+dn="cn=Manager,dc=abmas,dc=biz" method=128
+slapd[12164]: conn=1 op=0 BIND
+dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0
+slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=
+slapd[12164]: conn=1 op=1 SRCH
+base="ou=People,dc=abmas,dc=biz" scope=1 deref=0
+filter="(objectClass=posixAccount)"
+slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword
+uidNumber gidNumber cn
+homeDirectory loginShell gecos description objectClass
+slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0
+nentries=2 text=
+slapd[12164]: conn=1 fd=10 closed
+
+</pre><p>
+ </p></li><li><p>
+ Check that the bindpw entry in the <code class="filename">/etc/ldap.conf</code> or in the
+ <code class="filename">/etc/ldap.secrets</code> file is correct, as specified in the
+ <code class="filename">/etc/openldap/slapd.conf</code> file.
+ </p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id338374"></a>Debugging Samba</h5></div></div></div><p>
+ The following parameters in the <code class="filename">smb.conf</code> file can be useful in tracking down Samba-related problems:
+</p><pre class="screen">
+[global]
+ ...
+ log level = 5
+ log file = /var/log/samba/%m.log
+ max log size = 0
+ ...
+</pre><p>
+ This will result in the creation of a separate log file for every client from which connections
+ are made. The log file will be quite verbose and will grow continually. Do not forget to
+ change these lines to the following when debugging has been completed:
+</p><pre class="screen">
+[global]
+ ...
+ log level = 1
+ log file = /var/log/samba/%m.log
+ max log size = 50
+ ...
+</pre><p>
+ </p><p>
+ The log file can be analyzed by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /var/log/samba
+<code class="prompt">root# </code> grep -v "^\[200" machine_name.log
+</pre><p>
+ </p><p>
+ Search for hints of what may have failed by looking for the words <span class="emphasis"><em>fail</em></span>
+ and <span class="emphasis"><em>error</em></span>.
+ </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id338438"></a>Debugging on the Windows Client</h5></div></div></div><p>
+ MS Windows 2000 Professional and Windows XP Professional clients can be configured
+ to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
+ the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
+ version of MS Windows.
+ </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338453"></a>Political Issues</h3></div></div></div><p>
+ MS Windows network users are generally very sensitive to limits that may be imposed when
+ confronted with locked-down workstation configurations. The challenge you face must
+ be promoted as a choice between reliable, fast network operation and a constant flux
+ of problems that result in user irritation.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338466"></a>Installation Checklist</h3></div></div></div><p>
+ You are starting a complex project. Even though you went through the installation of a complex
+ network in <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>, this network is a bigger challenge because of the
+ large number of complex applications that must be configured before the first few steps
+ can be validated. Take stock of what you are about to undertake, prepare yourself, and
+ frequently review the steps ahead while making at least a mental note of what has already
+ been completed. The following task list may help you to keep track of the task items
+ that are covered:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>OpenLDAP server</p></li><li><p>PAM and NSS client tools</p></li><li><p>Samba-3 PDC</p></li><li><p>Idealx smbldap scripts</p></li><li><p>LDAP initialization</p></li><li><p>Create user and group accounts</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profile directories</p></li><li><p>Logon scripts</p></li><li><p>Configuration of user rights and privileges</p></li></ol></div></li><li><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>PAM and NSS client tools</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profiles directories</p></li></ol></div></li><li><p>Windows XP Client Configuration</p><div class="orderedlist"><ol type="1"><li><p>Default profile folder redirection</p></li><li><p>MS Outlook PST file relocation</p></li><li><p>Delete roaming profile on logout</p></li><li><p>Upload printer drivers to Samba servers</p></li><li><p>Install software</p></li><li><p>Creation of roll-out images</p></li></ol></div></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id338636"></a>Samba Server Implementation</h2></div></div></div><p>
+ <a class="indexterm" name="id338644"></a>
+ <a class="indexterm" name="id338651"></a>
+ The network design shown in <a href="happy.html#chap6net" title="Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend">???</a> is not comprehensive. It is assumed
+ that you will install additional file servers and possibly additional BDCs.
+ </p><div class="figure"><a name="chap6net"></a><p class="title"><b>Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap6-net.png" width="270" alt="Network Topology 500 User Network Using ldapsam passdb backend"></div></div></div><br class="figure-break"><p>
+ <a class="indexterm" name="id338711"></a>
+ <a class="indexterm" name="id338718"></a>
+ All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE
+ Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
+ adjust the locations for your particular Linux system distribution/implementation.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools
+scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball,
+please verify that the versions you are about to use are matching. The smbldap-tools package
+uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are
+issued for POSIX accounts. The LDAP rdn under which this information is stored are called
+<code class="constant">uidNumber</code> and <code class="constant">gidNumber</code> respectively. These may be
+located in any convenient part of the directory information tree (DIT). In the examples that
+follow they have been located under <code class="constant">dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</code>.
+They could just as well be located under the rdn <code class="constant">cn=NextFreeUnixId</code>.
+</p></div><p>
+ The steps in the process involve changes from the network configuration shown in
+ <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>. Before implementing the following steps, you must
+ have completed the network implementation shown in that chapter. If you are starting
+ with newly installed Linux servers, you must complete the steps shown in
+ <a href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">???</a> before commencing at <a href="happy.html#ldapsetup" title="OpenLDAP Server Configuration">???</a>.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id338788"></a>
+ <a class="indexterm" name="id338794"></a>
+ <a class="indexterm" name="id338801"></a>
+ Confirm that the packages shown in <a href="happy.html#oldapreq" title="Table 5.2. Required OpenLDAP Linux Packages">???</a> are installed on your system.
+ </p><div class="table"><a name="oldapreq"></a><p class="title"><b>Table 5.2. Required OpenLDAP Linux Packages</b></p><div class="table-contents"><table summary="Required OpenLDAP Linux Packages" border="1"><colgroup><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">SUSE Linux 8.x</th><th align="center">SUSE Linux 9.x</th><th align="center">Red Hat Linux</th></tr></thead><tbody><tr><td align="left">nss_ldap</td><td align="left">nss_ldap</td><td align="left">nss_ldap</td></tr><tr><td align="left">pam_ldap</td><td align="left">pam_ldap</td><td align="left">pam_ldap</td></tr><tr><td align="left">openldap2</td><td align="left">openldap2</td><td align="left">openldap</td></tr><tr><td align="left">openldap2-client</td><td align="left">openldap2-client</td><td align="left"> </td></tr></tbody></table></div></div><br class="table-break"><p>
+ Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method
+ for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
+ follow these guidelines, the resulting system should work fine.
+ </p><div class="procedure"><a name="id338930"></a><p class="title"><b>Procedure 5.2. OpenLDAP Server Configuration Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id338942"></a>
+ Install the file shown in <a href="happy.html#sbehap-slapdconf" title="Example 5.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A">???</a> in the directory
+ <code class="filename">/etc/openldap</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id338968"></a>
+ <a class="indexterm" name="id338975"></a>
+ <a class="indexterm" name="id338982"></a>
+ Remove all files from the directory <code class="filename">/data/ldap</code>, making certain that
+ the directory exists with permissions:
+</p><pre class="screen">
+<code class="prompt">root# </code> ls -al /data | grep ldap
+drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
+</pre><p>
+ This may require you to add a user and a group account for LDAP if they do not exist.
+ </p></li><li><p>
+ <a class="indexterm" name="id339015"></a>
+ Install the file shown in <a href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">???</a> in the directory
+ <code class="filename">/data/ldap</code>. In the event that this file is added after <code class="constant">ldap</code>
+ has been started, it is possible to cause the new settings to take effect by shutting down
+ the <code class="constant">LDAP</code> server, executing the <code class="literal">db_recover</code> command inside the
+ <code class="filename">/data/ldap</code> directory, and then restarting the <code class="constant">LDAP</code> server.
+ </p></li><li><p>
+ <a class="indexterm" name="id339064"></a>
+ Performance logging can be enabled and should preferably be sent to a file on
+ a file system that is large enough to handle significantly sized logs. To enable
+ the logging at a verbose level to permit detailed analysis, uncomment the entry in
+ the <code class="filename">/etc/openldap/slapd.conf</code> shown as &#8220;<span class="quote">loglevel 256</span>&#8221;.
+ </p><p>
+ Edit the <code class="filename">/etc/syslog.conf</code> file to add the following at the end
+ of the file:
+</p><pre class="screen">
+local4.* -/data/ldap/log/openldap.log
+</pre><p>
+ Note: The path <code class="filename">/data/ldap/log</code> should be set at a location
+ that is convenient and that can store a large volume of data.
+ </p></li></ol></div><div class="example"><a name="sbehap-dbconf"></a><p class="title"><b>Example 5.1. LDAP DB_CONFIG File</b></p><div class="example-contents"><pre class="screen">
+set_cachesize 0 150000000 1
+set_lg_regionmax 262144
+set_lg_bsize 2097152
+#set_lg_dir /var/log/bdb
+set_flags DB_LOG_AUTOREMOVE
+</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf"></a><p class="title"><b>Example 5.2. LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen">
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba3.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+access to dn.base=""
+ by self write
+ by * auth
+
+access to attr=userPassword
+ by self write
+ by * auth
+
+access to attr=shadowLastChange
+ by self write
+ by * read
+
+access to *
+ by * read
+ by anonymous auth
+
+#loglevel 256
+
+schemacheck on
+idletimeout 30
+backend bdb
+database bdb
+checkpoint 1024 5
+cachesize 10000
+
+suffix "dc=abmas,dc=biz"
+rootdn "cn=Manager,dc=abmas,dc=biz"
+
+# rootpw = not24get
+rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
+
+directory /data/ldap
+</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf2"></a><p class="title"><b>Example 5.3. LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part B</b></p><div class="example-contents"><pre class="screen">
+# Indices to maintain
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id339203"></a>
+ <a class="indexterm" name="id339209"></a>
+ <a class="indexterm" name="id339216"></a>
+ The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and
+ groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure
+ the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
+ </p><p>
+ <a class="indexterm" name="id339228"></a>
+ <a class="indexterm" name="id339237"></a>
+ Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
+ that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
+ correct configuration of PAM. The <code class="literal">pam_ldap</code> open source package provides the
+ PAM modules that most people would use. On SUSE Linux systems, the <code class="literal">pam_unix2.so</code>
+ module also has the ability to redirect authentication requests through LDAP.
+ </p><p>
+ <a class="indexterm" name="id339262"></a>
+ <a class="indexterm" name="id339269"></a>
+ <a class="indexterm" name="id339276"></a>
+ <a class="indexterm" name="id339283"></a>
+ You have chosen to configure these services by directly editing the system files, but of course, you
+ know that this configuration can be done using system tools provided by the Linux system vendor.
+ SUSE Linux has a facility in YaST (the system admin tool) through <span class="guimenu">yast</span> &#8594; <span class="guimenuitem">system</span> &#8594; <span class="guimenuitem">ldap-client</span> that permits
+ configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <code class="literal">authconfig</code>
+ tool for this.
+ </p><div class="procedure"><a name="id339319"></a><p class="title"><b>Procedure 5.3. PAM and NSS Client Configuration Steps</b></p><div class="example"><a name="sbehap-nss01"></a><p class="title"><b>Example 5.4. Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">
+host 127.0.0.1
+
+base dc=abmas,dc=biz
+
+binddn cn=Manager,dc=abmas,dc=biz
+bindpw not24get
+
+timelimit 50
+bind_timelimit 50
+bind_policy hard
+
+idle_timelimit 3600
+
+pam_password exop
+
+nss_base_passwd ou=People,dc=abmas,dc=biz?one
+nss_base_shadow ou=People,dc=abmas,dc=biz?one
+nss_base_group ou=Groups,dc=abmas,dc=biz?one
+
+ssl off
+</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-nss02"></a><p class="title"><b>Example 5.5. Configuration File for NSS LDAP Clients Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">
+host 172.16.0.1
+
+base dc=abmas,dc=biz
+
+binddn cn=Manager,dc=abmas,dc=biz
+bindpw not24get
+
+timelimit 50
+bind_timelimit 50
+bind_policy hard
+
+idle_timelimit 3600
+
+pam_password exop
+
+nss_base_passwd ou=People,dc=abmas,dc=biz?one
+nss_base_shadow ou=People,dc=abmas,dc=biz?one
+nss_base_group ou=Groups,dc=abmas,dc=biz?one
+
+ssl off
+</pre></div></div><br class="example-break"><ol type="1"><li><p>
+ <a class="indexterm" name="id339330"></a>
+ <a class="indexterm" name="id339337"></a>
+ <a class="indexterm" name="id339344"></a>
+ Execute the following command to find where the <code class="filename">nss_ldap</code> module
+ expects to find its control file:
+</p><pre class="screen">
+<code class="prompt">root# </code> strings /lib/libnss_ldap.so.2 | grep conf
+</pre><p>
+ The preferred and usual location is <code class="filename">/etc/ldap.conf</code>.
+ </p></li><li><p>
+ On the server <code class="constant">MASSIVE</code>, install the file shown in
+ <a href="happy.html#sbehap-nss01" title="Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf">???</a> into the path that was obtained from the step above.
+ On the servers called <code class="constant">BLDG1</code> and <code class="constant">BLDG2</code>, install the file shown in
+ <a href="happy.html#sbehap-nss02" title="Example 5.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf">???</a> into the path that was obtained from the step above.
+ </p></li><li><p>
+ <a class="indexterm" name="id339466"></a>
+ Edit the NSS control file (<code class="filename">/etc/nsswitch.conf</code>) so that the lines that
+ control user and group resolution will obtain information from the normal system files as
+ well as from <code class="literal">ldap</code>:
+</p><pre class="screen">
+passwd: files ldap
+shadow: files ldap
+group: files ldap
+hosts: files dns wins
+</pre><p>
+ Later, when the LDAP database has been initialized and user and group accounts have been
+ added, you can validate resolution of the LDAP resolver process. The inclusion of
+ WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be
+ resolved to their IP addresses, whether or not they are DHCP clients.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ Some Linux systems (Novell SUSE Linux in particular) add entries to the <code class="filename">nsswitch.conf</code>
+ file that may cause operational problems with the configuration methods adopted in this book. It is
+ advisable to comment out the entries <code class="constant">passwd_compat</code> and <code class="constant">group_compat</code>
+ where they are found in this file.
+ </p></div><p>
+ Even at the risk of overstating the issue, incorrect and inappropriate configuration of the
+ <code class="filename">nsswitch.conf</code> file is a significant cause of operational problems with LDAP.
+ </p></li><li><p>
+ <a class="indexterm" name="id339532"></a>
+ For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
+ files in the <code class="filename">/etc/pam.d</code> directory: <code class="literal">login</code>, <code class="literal">password</code>,
+ <code class="literal">samba</code>, <code class="literal">sshd</code>. In each file, locate every entry that has the
+ <code class="literal">pam_unix2.so</code> entry and add to the line the entry <code class="literal">use_ldap</code> as shown
+ for the <code class="literal">login</code> module in this example:
+</p><pre class="screen">
+#%PAM-1.0
+auth requisite pam_unix2.so nullok use_ldap #set_secrpc
+auth required pam_securetty.so
+auth required pam_nologin.so
+#auth required pam_homecheck.so
+auth required pam_env.so
+auth required pam_mail.so
+account required pam_unix2.so use_ldap
+password required pam_pwcheck.s nullok
+password required pam_unix2.so nullok use_first_pass \
+ use_authtok use_ldap
+session required pam_unix2.so none use_ldap # debug or trace
+session required pam_limits.so
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id339609"></a>
+ On other Linux systems that do not have an LDAP-enabled <code class="literal">pam_unix2.so</code> module,
+ you must edit these files by adding the <code class="literal">pam_ldap.so</code> modules as shown here:
+</p><pre class="screen">
+#%PAM-1.0
+auth required pam_securetty.so
+auth required pam_nologin.so
+auth sufficient pam_ldap.so
+auth required pam_unix2.so nullok try_first_pass #set_secrpc
+account sufficient pam_ldap.so
+account required pam_unix2.so
+password required pam_pwcheck.so nullok
+password required pam_ldap.so use_first_pass use_authtok
+password required pam_unix2.so nullok use_first_pass use_authtok
+session required pam_unix2.so none # debug or trace
+session required pam_limits.so
+session required pam_env.so
+session optional pam_mail.so
+</pre><p>
+ This example does have the LDAP-enabled <code class="literal">pam_unix2.so</code>, but simply
+ demonstrates the use of the <code class="literal">pam_ldap.so</code> module. You can use either
+ implementation, but if the <code class="literal">pam_unix2.so</code> on your system supports
+ LDAP, you probably want to use it rather than add an additional module.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id339674"></a>
+ Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server
+ before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the
+ choice to either build your own or obtain the packages from a dependable source.
+ Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for
+ Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that
+ is included with this book.
+ </p><div class="procedure"><a name="id339685"></a><p class="title"><b>Procedure 5.4. Configuration of PDC Called <code class="constant">MASSIVE</code></b></p><ol type="1"><li><p>
+ Install the files in <a href="happy.html#sbehap-massive-smbconfa" title="Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A">???</a>,
+ <a href="happy.html#sbehap-massive-smbconfb" title="Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B">???</a>, <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>,
+ and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a> into the <code class="filename">/etc/samba/</code>
+ directory. The three files should be added together to form the <code class="filename">smb.conf</code>
+ master file. It is a good practice to call this file something like
+ <code class="filename">smb.conf.master</code> and then to perform all file edits
+ on the master file. The operational <code class="filename">smb.conf</code> is then generated as shown in
+ the next step.
+ </p></li><li><p>
+ <a class="indexterm" name="id339758"></a>
+ Create and verify the contents of the <code class="filename">smb.conf</code> file that is generated by:
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm -s smb.conf.master &gt; smb.conf
+</pre><p>
+ Immediately follow this with the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm
+</pre><p>
+ The output that is created should be free from errors, as shown here:
+
+</p><pre class="screen">
+Load smb config files from /etc/samba/smb.conf
+Processing section "[accounts]"
+Processing section "[service]"
+Processing section "[pidata]"
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[apps]"
+Processing section "[netlogon]"
+Processing section "[profiles]"
+Processing section "[profdata]"
+Processing section "[print$]"
+Loaded services file OK.
+Server role: ROLE_DOMAIN_PDC
+Press enter to see a dump of your service definitions
+</pre><p>
+ </p></li><li><p>
+ Delete all runtime files from prior Samba operation by executing (for SUSE
+ Linux):
+</p><pre class="screen">
+<code class="prompt">root# </code> rm /etc/samba/*tdb
+<code class="prompt">root# </code> rm /var/lib/samba/*tdb
+<code class="prompt">root# </code> rm /var/lib/samba/*dat
+<code class="prompt">root# </code> rm /var/log/samba/*
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id339849"></a>
+ <a class="indexterm" name="id339856"></a>
+ Samba-3 communicates with the LDAP server. The password that it uses to
+ authenticate to the LDAP server must be stored in the <code class="filename">secrets.tdb</code>
+ file. Execute the following to create the new <code class="filename">secrets.tdb</code> files
+ and store the password for the LDAP Manager:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -w not24get
+</pre><p>
+ The expected output from this command is:
+</p><pre class="screen">
+Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id339901"></a>
+ <a class="indexterm" name="id339908"></a>
+ Samba-3 generates a Windows Security Identifier (SID) only when <code class="literal">smbd</code>
+ has been started. For this reason, you start Samba. After a few seconds delay,
+ execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient -L localhost -U%
+<code class="prompt">root# </code> net getlocalsid
+</pre><p>
+ A report such as the following means that the domain SID has not yet
+ been written to the <code class="filename">secrets.tdb</code> or to the LDAP backend:
+</p><pre class="screen">
+[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
+ failed to bind to server ldap://massive.abmas.biz
+with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server
+ (unknown)
+[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
+ smbldap_search_suffix: Problem during the LDAP search:
+ (unknown) (Timed out)
+</pre><p>
+ The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server
+ is not running, this operation will fail by way of a timeout, as shown previously. This is
+ normal output; do not worry about this error message. When the domain has been created and
+ written to the <code class="filename">secrets.tdb</code> file, the output should look like this:
+</p><pre class="screen">
+SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
+</pre><p>
+ If, after a short delay (a few seconds), the domain SID has still not been written to
+ the <code class="filename">secrets.tdb</code> file, it is necessary to investigate what
+ may be misconfigured. In this case, carefully check the <code class="filename">smb.conf</code> file for typographical
+ errors (the most common problem). The use of the <code class="literal">testparm</code> is highly
+ recommended to validate the contents of this file.
+ </p></li><li><p>
+ When a positive domain SID has been reported, stop Samba.
+ </p></li><li><p>
+ <a class="indexterm" name="id340007"></a>
+ <a class="indexterm" name="id340014"></a>
+ <a class="indexterm" name="id340020"></a>
+ <a class="indexterm" name="id340027"></a>
+ Configure the NFS server for your Linux system. So you can complete the steps that
+ follow, enter into the <code class="filename">/etc/exports</code> the following entry:
+</p><pre class="screen">
+/home *(rw,root_squash,sync)
+</pre><p>
+ This permits the user home directories to be used on the BDC servers for testing
+ purposes. You, of course, decide what is the best way for your site to distribute
+ data drives, and you create suitable backup and restore procedures for Abmas
+ I'd strongly recommend that for normal operation the BDC is completely independent
+ of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite
+ closely. If you do use NFS, do not forget to start the NFS server as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcnfsserver start
+</pre><p>
+ </p></li></ol></div><p>
+ Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
+ configuration of the LDAP server.
+ </p><div class="example"><a name="sbehap-massive-smbconfa"></a><p class="title"><b>Example 5.6. LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id340105"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id340117"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id340130"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id340142"></a><em class="parameter"><code>interfaces = eth1, lo</code></em></td></tr><tr><td><a class="indexterm" name="id340155"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340168"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id340180"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340193"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id340206"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id340218"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id340231"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id340243"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id340256"></a><em class="parameter"><code>smb ports = 
139</code></em></td></tr><tr><td><a class="indexterm" name="id340268"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id340281"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340294"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id340306"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id340319"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id340332"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id340345"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id340358"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id340371"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id340384"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id340397"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id340410"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-massive-smbconfb"></a><p class="title"><b>Example 5.7. 
LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id340447"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id340460"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id340472"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id340485"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340498"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340510"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340523"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id340535"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id340548"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id340561"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id340573"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id340586"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id340599"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id340612"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" 
name="id340624"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id340637"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340649"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id340662"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeidealx"></a>Install and Configure Idealx smbldap-tools Scripts</h3></div></div></div><p>
+ <a class="indexterm" name="id340688"></a>
+ The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
+ on the LDAP server. You have chosen the Idealx scripts because they are the best-known
+ LDAP configuration scripts. The use of these scripts will help avoid the necessity
+ to create custom scripts. It is easy to download them from the Idealx
+ <a href="http://samba.idealx.org/index.en.html" target="_top">Web site</a>. The tarball may
+ be directly <a href="http://samba.idealx.org/dist/smbldap-tools-0.9.1.tgz" target="_top">downloaded</a>
+ from this site also. Alternatively, you may obtain the
+ <a href="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm" target="_top">smbldap-tools-0.9.1-1.src.rpm</a>
+ file that may be used to build an installable RPM package for your Linux system.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must
+change the path to them in your <code class="filename">smb.conf</code> file on the PDC (<code class="constant">MASSIVE</code>).
+</p></div><p>
+ The smbldap-tools are located in <code class="filename">/opt/IDEALX/sbin</code>.
+ The scripts are not needed on BDC machines because all LDAP updates are handled by
+ the PDC alone.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id340746"></a>Installation of smbldap-tools from the Tarball</h4></div></div></div><p>
+ To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:
+ </p><div class="procedure"><a name="idealxscript"></a><p class="title"><b>Procedure 5.5. Unpacking and Installation Steps for the <code class="constant">smbldap-tools</code> Tarball</b></p><ol type="1"><li><p>
+ Create the <code class="filename">/opt/IDEALX/sbin</code> directory, and set its permissions
+ and ownership as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /opt/IDEALX/sbin
+<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin
+<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin
+<code class="prompt">root# </code> mkdir -p /etc/smbldap-tools
+<code class="prompt">root# </code> chown root:root /etc/smbldap-tools
+<code class="prompt">root# </code> chmod 755 /etc/smbldap-tools
+</pre><p>
+ </p></li><li><p>
+ If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
+ Change into either the directory extracted from the tarball or the smbldap-tools
+ directory in your <code class="filename">/usr/share/doc/packages</code> directory tree.
+ </p></li><li><p>
+ Copy all the <code class="filename">smbldap-*</code> and the <code class="filename">configure.pl</code> files into the
+ <code class="filename">/opt/IDEALX/sbin</code> directory, as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd smbldap-tools-0.9.1/
+<code class="prompt">root# </code> cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/
+<code class="prompt">root# </code> cp smbldap*conf /etc/smbldap-tools/
+<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/smbldap-*
+<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/configure.pl
+<code class="prompt">root# </code> chmod 640 /etc/smbldap-tools/smbldap.conf
+<code class="prompt">root# </code> chmod 600 /etc/smbldap-tools/smbldap_bind.conf
+</pre><p>
+ </p></li><li><p>
+ The smbldap-tools scripts master control file must now be configured.
+ Change to the <code class="filename">/opt/IDEALX/sbin</code> directory, then edit the
+ <code class="filename">smbldap_tools.pm</code> to affect the changes
+ shown here:
+</p><pre class="screen">
+...
+# ugly funcs using global variables and spawning openldap clients
+
+my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
+my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
+...
+</pre><p>
+ </p></li><li><p>
+ To complete the configuration of the smbldap-tools, set the permissions and ownership
+ by executing the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin/*
+<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin/smbldap-*
+<code class="prompt">root# </code> chmod 640 /opt/IDEALX/sbin/smb*pm
+</pre><p>
+ The smbldap-tools scripts are now ready for the configuration step outlined in
+ <a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">???</a>.
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id340981"></a>Installing smbldap-tools from the RPM Package</h4></div></div></div><p>
+ In the event that you have elected to use the RPM package provided by Idealx, download the
+ source RPM <code class="filename">smbldap-tools-0.9.1-1.src.rpm</code>, then follow this procedure:
+ </p><div class="procedure"><a name="id340998"></a><p class="title"><b>Procedure 5.6. Installation Steps for <code class="constant">smbldap-tools</code> RPM's</b></p><ol type="1"><li><p>
+ Install the source RPM that has been downloaded as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -i smbldap-tools-0.9.1-1.src.rpm
+</pre><p>
+ </p></li><li><p>
+ Change into the directory in which the SPEC files are located. On SUSE Linux:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /usr/src/packages/SPECS
+</pre><p>
+ On Red Hat Linux systems:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /usr/src/redhat/SPECS
+</pre><p>
+ </p></li><li><p>
+ Edit the <code class="filename">smbldap-tools.spec</code> file to change the value of the
+ <code class="constant">_sysconfig</code> macro as shown here:
+</p><pre class="screen">
+%define _prefix /opt/IDEALX
+%define _sysconfdir /etc
+</pre><p>
+ Note: Any suitable directory can be specified.
+ </p></li><li><p>
+ Build the package by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpmbuild -ba -v smbldap-tools.spec
+</pre><p>
+ A build process that has completed without error will place the installable binary
+ files in the directory <code class="filename">../RPMS/noarch</code>.
+ </p></li><li><p>
+ Install the binary package by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm
+</pre><p>
+ </p></li></ol></div><p>
+ The Idealx scripts should now be ready for configuration using the steps outlined in
+ <a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="smbldap-init"></a>Configuration of smbldap-tools</h4></div></div></div><p>
+ Prior to use, the smbldap-tools must be configured to match the settings in the <code class="filename">smb.conf</code> file
+ and to match the settings in the <code class="filename">/etc/openldap/slapd.conf</code> file. The assumption
+ is made that the <code class="filename">smb.conf</code> file has correct contents. The following procedure ensures that
+ this is completed correctly:
+ </p><p>
+ The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included
+ in the <code class="filename">smb.conf</code> file.
+ </p><div class="procedure"><a name="id341180"></a><p class="title"><b>Procedure 5.7. Configuration Steps for <code class="constant">smbldap-tools</code> to Enable Use</b></p><ol type="1"><li><p>
+ Change into the directory that contains the <code class="filename">configure.pl</code> script.
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /opt/IDEALX/sbin
+</pre><p>
+ </p></li><li><p>
+ Execute the <code class="filename">configure.pl</code> script as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> ./configure.pl
+</pre><p>
+ The interactive use of this script for the PDC is demonstrated here:
+</p><pre class="screen">
+<code class="prompt">root# </code> /opt/IDEALX/sbin/configure.pl
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ smbldap-tools script configuration
+ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Before starting, check
+ . if your samba controller is up and running.
+ . if the domain SID is defined (you can get it with the
+ 'net getlocalsid')
+
+ . you can leave the configuration using the Crtl-c key combination
+ . empty value can be set with the "." character
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Looking for configuration files...
+
+Samba Config File Location [/etc/samba/smb.conf] &gt;
+smbldap-tools configuration file Location (global parameters)
+ [/etc/opt/IDEALX/smbldap-tools/smbldap.conf] &gt;
+smbldap Config file Location (bind parameters)
+ [/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] &gt;
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Let's start configuring the smbldap-tools scripts ...
+
+. workgroup name: name of the domain Samba act as a PDC
+ workgroup name [MEGANET2] &gt;
+. netbios name: netbios name of the samba controler
+ netbios name [MASSIVE] &gt;
+. logon drive: local path to which the home directory
+ will be connected (for NT Workstations). Ex: 'H:'
+ logon drive [H:] &gt;
+. logon home: home directory location (for Win95/98 or NT Workstation)
+ (use %U as username) Ex:'\\MASSIVE\%U'
+ logon home (press the "." character if you don't want homeDirectory)
+ [\\MASSIVE\%U] &gt;
+. logon path: directory where roaming profiles are stored.
+ Ex:'\\MASSIVE\profiles\%U'
+ logon path (press the "." character
+ if you don't want roaming profile) [\\%L\profiles\%U] &gt;
+. home directory prefix (use %U as username)
+ [/home/%U] &gt; /data/users/%U
+. default users' homeDirectory mode [700] &gt;
+. default user netlogon script (use %U as username)
+ [scripts\logon.bat] &gt;
+ default password validation time (time in days) [45] &gt; 900
+. ldap suffix [dc=abmas,dc=biz] &gt;
+. ldap group suffix [ou=Groups] &gt;
+. ldap user suffix [ou=People,ou=Users] &gt;
+. ldap machine suffix [ou=Computers,ou=Users] &gt;
+. Idmap suffix [ou=Idmap] &gt;
+. sambaUnixIdPooldn: object where you want to store the next uidNumber
+ and gidNumber available for new users and groups
+ sambaUnixIdPooldn object (relative to ${suffix})
+ [sambaDomainName=MEGANET2] &gt;
+. ldap master server: IP adress or DNS name of the master
+ (writable) ldap server
+ ldap master server [massive.abmas.biz] &gt;
+. ldap master port [389] &gt;
+. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] &gt;
+. ldap master bind password [] &gt;
+. ldap slave server: IP adress or DNS name of the slave ldap server:
+ can also be the master one
+ ldap slave server [massive.abmas.biz] &gt;
+. ldap slave port [389] &gt;
+. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] &gt;
+. ldap slave bind password [] &gt;
+. ldap tls support (1/0) [0] &gt;
+. SID for domain MEGANET2: SID of the domain
+ (can be obtained with 'net getlocalsid MASSIVE')
+ SID for domain MEGANET2
+ [S-1-5-21-3504140859-1010554828-2431957765]] &gt;
+. unix password encryption: encryption used for unix passwords
+ unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] &gt; MD5
+. default user gidNumber [513] &gt;
+. default computer gidNumber [515] &gt;
+. default login shell [/bin/bash] &gt;
+. default skeleton directory [/etc/skel] &gt;
+. default domain name to append to mail adress [] &gt; abmas.biz
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+backup old configuration files:
+ /etc/opt/IDEALX/smbldap-tools/smbldap.conf-&gt;
+ /etc/opt/IDEALX/smbldap-tools/smbldap.conf.old
+ /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf-&gt;
+ /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old
+writing new configuration file:
+ /etc/opt/IDEALX/smbldap-tools/smbldap.conf done.
+ /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done.
+</pre><p>
+ Since a slave LDAP server has not been configured, it is necessary to specify the IP
+ address of the master LDAP server for both the master and the slave configuration
+ prompts.
+ </p></li><li><p>
+ Change to the directory that contains the <code class="filename">smbldap.conf</code> file,
+ then verify its contents.
+ </p></li></ol></div><p>
+ The smbldap-tools are now ready for use.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id341324"></a>LDAP Initialization and Creation of User and Group Accounts</h3></div></div></div><p>
+ The LDAP database must be populated with well-known Windows domain user accounts and domain group
+ accounts before Samba can be used. The following procedures step you through the process.
+ </p><p>
+ At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are
+ mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not
+ hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
+ database. From a UNIX system perspective, the NSS resolver checks system files before
+ referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
+ does not need to ask LDAP.
+ </p><p>
+ Addition of an account to the LDAP backend can be done in two ways:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id341352"></a>
+ <a class="indexterm" name="id341359"></a>
+ <a class="indexterm" name="id341365"></a>
+ <a class="indexterm" name="id341372"></a>
+ <a class="indexterm" name="id341379"></a>
+ <a class="indexterm" name="id341386"></a>
+ If you always have a user account in the <code class="filename">/etc/passwd</code> on every
+ server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in
+ LDAP. In this case, you can add Windows domain user accounts using the
+ <code class="literal">pdbedit</code> utility. Use of this tool from the command line adds the
+ SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
+ </p><p>
+ This is the least desirable method because when LDAP is used as the passwd backend Samba
+ expects the POSIX account to be in LDAP also. It is possible to use the PADL account
+ migration tool to migrate all system accounts from either the <code class="filename">/etc/passwd</code>
+ files, or from NIS, to LDAP.
+ </p></li><li><p>
+ If you decide that it is probably a good idea to add both the PosixAccount attributes
+ as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
+ In the example system you are installing in this exercise, you are making use of the
+ Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,
+ is included on the enclosed CD-ROM under <code class="filename">Chap06/Tools.</code>
+ </p></li></ul></div><p>
+ <a class="indexterm" name="id341437"></a>
+ If you wish to have more control over how the LDAP database is initialized or
+ if you don't want to use the Idealx smbldap-tools, you should refer to
+ <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#altldapcfg" title="Alternative LDAP Database Initialization">???</a>.
+ </p><p>
+ <a class="indexterm" name="id341463"></a>
+ The following steps initialize the LDAP database, and then you can add user and group
+ accounts that Samba can use. You use the <code class="literal">smbldap-populate</code> to
+ seed the LDAP database. You then manually add the accounts shown in <a href="happy.html#sbehap-bigacct" title="Table 5.3. Abmas Network Users and Groups">???</a>.
+ The list of users does not cover all 500 network users; it provides examples only.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id341489"></a>
+ <a class="indexterm" name="id341498"></a>
+ <a class="indexterm" name="id341508"></a>
+ In the following examples, as the LDAP database is initialized, we do create a container
+ for Computer (machine) accounts. In the Samba-3 <code class="filename">smb.conf</code> files, specific use is made
+ of the People container, not the Computers container, for domain member accounts. This is not a
+ mistake; it is a deliberate action that is necessitated by the fact that the resolution of
+ a machine (computer) account to a UID is done via NSS. The only way this can be handled is
+ using the NSS (<code class="filename">/etc/nsswitch.conf</code>) entry for <code class="constant">passwd</code>,
+ which is resolved using the <code class="filename">nss_ldap</code> library. The configuration file for
+ the <code class="filename">nss_ldap</code> library is the file <code class="filename">/etc/ldap.conf</code> that
+ provides only one possible LDAP search command that is specified by the entry called
+ <code class="constant">nss_base_passwd</code>. This means that the search path must take into account
+ the directory structure so that the LDAP search will commence at a level that is above
+ both the Computers container and the Users (or People) container. If this is done, it is
+ necessary to use a search that will descend the directory tree so that the machine account
+ can be found. Alternatively, by placing all machine accounts in the People container, we
+ are able to sidestep this limitation. This is the simpler solution that has been adopted
+ in this chapter.
+ </p></div><div class="table"><a name="sbehap-bigacct"></a><p class="title"><b>Table 5.3. Abmas Network Users and Groups</b></p><div class="table-contents"><table summary="Abmas Network Users and Groups" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">Account Name</th><th align="center">Type</th><th align="center">ID</th><th align="center">Password</th></tr></thead><tbody><tr><td align="left">Robert Jordan</td><td align="left">User</td><td align="left">bobj</td><td align="left">n3v3r2l8</td></tr><tr><td align="left">Stanley Soroka</td><td align="left">User</td><td align="left">stans</td><td align="left">impl13dst4r</td></tr><tr><td align="left">Christine Roberson</td><td align="left">User</td><td align="left">chrisr</td><td align="left">S9n0nw4ll</td></tr><tr><td align="left">Mary Vortexis</td><td align="left">User</td><td align="left">maryv</td><td align="left">kw13t0n3</td></tr><tr><td align="left">Accounts</td><td align="left">Group</td><td align="left">Accounts</td><td align="left"> </td></tr><tr><td align="left">Finances</td><td align="left">Group</td><td align="left">Finances</td><td align="left"> </td></tr><tr><td align="left">Insurance</td><td align="left">Group</td><td align="left">PIOps</td><td align="left"> </td></tr></tbody></table></div></div><br class="table-break"><div class="procedure"><a name="creatacc"></a><p class="title"><b>Procedure 5.8. LDAP Directory Initialization Steps</b></p><ol type="1"><li><p>
+ Start the LDAP server by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap start
+Starting ldap-server done
+</pre><p>
+ </p></li><li><p>
+ Change to the <code class="filename">/opt/IDEALX/sbin</code> directory.
+ </p></li><li><p>
+ Execute the script that will populate the LDAP database as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> ./smbldap-populate -a root -k 0 -m 0
+</pre><p>
+ The expected output from this is:
+</p><pre class="screen">
+Using workgroup name from smb.conf: sambaDomainName=MEGANET2
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+=&gt; Warning: you must update smbldap.conf configuration file to :
+=&gt; sambaUnixIdPooldn parameter must be set
+ to "sambaDomainName=MEGANET2,dc=abmas,dc=biz"
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Using builtin directory structure
+adding new entry: dc=abmas,dc=biz
+adding new entry: ou=People,dc=abmas,dc=biz
+adding new entry: ou=Groups,dc=abmas,dc=biz
+entry ou=People,dc=abmas,dc=biz already exist.
+adding new entry: ou=Idmap,dc=abmas,dc=biz
+adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz
+adding new entry: uid=root,ou=People,dc=abmas,dc=biz
+adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
+adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
+</pre><p>
+ </p></li><li><p>
+ Edit the <code class="filename">/etc/smbldap-tools/smbldap.conf</code> file so that the following
+ information is changed from:
+</p><pre class="screen">
+# Where to store next uidNumber and gidNumber available
+sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+</pre><p>
+ to read, after modification:
+</p><pre class="screen">
+# Where to store next uidNumber and gidNumber available
+#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
+</pre><p>
+ </p></li><li><p>
+ It is necessary to restart the LDAP server as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap restart
+Shutting down ldap-server done
+Starting ldap-server done
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id341886"></a>
+ So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data.
+ There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
+ the simplest is to execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapcat | grep -i idmap
+dn: ou=Idmap,dc=abmas,dc=biz
+ou: idmap
+</pre><p>
+ <a class="indexterm" name="id341906"></a>
+ If the execution of this command does not return IDMAP entries, you need to create an LDIF
+ template file (see <a href="happy.html#sbehap-ldifadd" title="Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">???</a>). You can add the required entries using
+ the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
+ -w not24get &lt; /etc/openldap/idmap.LDIF
+</pre><p>
+ Samba automatically populates this LDAP directory container when it needs to.
+ </p></li><li><p>
+ <a class="indexterm" name="id341942"></a>
+ It looks like all has gone well, as expected. Let's confirm that this is the case
+ by running a few tests. First we check the contents of the database directly
+ by running <code class="literal">slapcat</code> as follows (the output has been cut down):
+</p><pre class="screen">
+<code class="prompt">root# </code> slapcat
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: abmas
+structuralObjectClass: organization
+entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
+creatorsName: cn=Manager,dc=abmas,dc=biz
+createTimestamp: 20031217234200Z
+entryCSN: 2003121723:42:00Z#0x0001#0#0000
+modifiersName: cn=Manager,dc=abmas,dc=biz
+modifyTimestamp: 20031217234200Z
+...
+dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 553
+cn: Domain Computers
+description: Netbios Domain Computers accounts
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
+sambaGroupType: 2
+displayName: Domain Computers
+structuralObjectClass: posixGroup
+entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
+creatorsName: cn=Manager,dc=abmas,dc=biz
+createTimestamp: 20031217234206Z
+entryCSN: 2003121723:42:06Z#0x0002#0#0000
+modifiersName: cn=Manager,dc=abmas,dc=biz
+modifyTimestamp: 20031217234206Z
+</pre><p>
+ This looks good so far.
+ </p></li><li><p>
+ <a class="indexterm" name="id341991"></a>
+ The next step is to prove that the LDAP server is running and responds to a
+ search request. Execute the following as shown (output has been cut to save space):
+</p><pre class="screen">
+<code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
+# extended LDIF
+#
+# LDAPv3
+# base &lt;dc=abmas,dc=biz&gt; with scope sub
+# filter: (ObjectClass=*)
+# requesting: ALL
+#
+
+# abmas.biz
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: abmas
+
+# People, abmas.biz
+dn: ou=People,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: People
+...
+# Domain Computers, Groups, abmas.biz
+dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 553
+cn: Domain Computers
+description: Netbios Domain Computers accounts
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
+sambaGroupType: 2
+displayName: Domain Computers
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 20
+# numEntries: 19
+</pre><p>
+ Good. It is all working just fine.
+ </p></li><li><p>
+ <a class="indexterm" name="id342032"></a>
+ You must now make certain that the NSS resolver can interrogate LDAP also.
+ Execute the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent passwd | grep root
+root:x:998:512:Netbios Domain Administrator:/home:/bin/false
+
+<code class="prompt">root# </code> getent group | grep Domain
+Domain Admins:x:512:root
+Domain Users:x:513:
+Domain Guests:x:514:
+Domain Computers:x:553:
+</pre><p>
+ <a class="indexterm" name="id342058"></a>
+ This demonstrates that the <code class="literal">nss_ldap</code> library is functioning
+ as it should. If these two steps fail to produce this information, refer to
+ <a href="happy.html#sbeavoid" title="Avoiding Failures: Solving Problems Before They Happen">???</a> for diagnostic procedures that can be followed to
+ isolate the cause of the problem. Proceed to the next step only when the previous steps
+ have been successfully completed.
+ </p></li><li><p>
+ <a class="indexterm" name="id342086"></a>
+ <a class="indexterm" name="id342093"></a>
+ <a class="indexterm" name="id342100"></a>
+ Our database is now ready for the addition of network users. For each user for
+ whom an account must be created, execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> ./smbldap-useradd -m -a <code class="constant">username</code>
+<code class="prompt">root# </code> ./smbldap-passwd <code class="constant">username</code>
+Changing password for <code class="constant">username</code>
+New password : XXXXXXXX
+Retype new password : XXXXXXXX
+
+<code class="prompt">root# </code> smbpasswd <code class="constant">username</code>
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+</pre><p>
+ where <code class="constant">username</code> is the login ID for each user.
+ </p></li><li><p>
+ <a class="indexterm" name="id342158"></a>
+ Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the
+ following:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent passwd
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/bin/bash
+...
+root:x:0:512:Netbios Domain Administrator:/home:/bin/false
+nobody:x:999:514:nobody:/dev/null:/bin/false
+bobj:x:1000:513:System User:/home/bobj:/bin/bash
+stans:x:1001:513:System User:/home/stans:/bin/bash
+chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
+maryv:x:1003:513:System User:/home/maryv:/bin/bash
+</pre><p>
+ This demonstrates that user account resolution via LDAP is working.
+ </p></li><li><p>
+ This step will determine whether or not identity resolution is working correctly.
+ Do not procede is this step fails, rather find the cause of the failure. The
+ <code class="literal">id</code> command may be used to validate your configuration so far,
+ as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> id chrisr
+uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
+</pre><p>
+ This confirms that the UNIX (POSIX) user account information can be resolved from LDAP
+ by system tools that make a getentpw() system call.
+ </p></li><li><p>
+ <a class="indexterm" name="id342218"></a>
+ The root account must have UID=0; if not, this means that operations conducted from
+ a Windows client using tools such as the Domain User Manager fails under UNIX because
+ the management of user and group accounts requires that the UID=0. Additionally, it is
+ a good idea to make certain that no matter how root account credentials are resolved,
+ the home directory and shell are valid. You decide to effect this immediately
+ as demonstrated here:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /opt/IDEALX/sbin
+<code class="prompt">root# </code> ./smbldap-usermod -u 0 -d /root -s /bin/bash root
+</pre><p>
+ </p></li><li><p>
+ Verify that the changes just made to the <code class="constant">root</code> account were
+ accepted by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent passwd | grep root
+root:x:0:0:root:/root:/bin/bash
+root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
+</pre><p>
+ This demonstrates that the changes were accepted.
+ </p></li><li><p>
+ Make certain that a home directory has been created for every user by listing the
+ directories in <code class="filename">/home</code> as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> ls -al /home
+drwxr-xr-x 8 root root 176 Dec 17 18:50 ./
+drwxr-xr-x 21 root root 560 Dec 15 22:19 ../
+drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/
+drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/
+drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/
+drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
+</pre><p>
+ This is precisely what we want to see.
+ </p></li><li><p>
+ <a class="indexterm" name="id342306"></a>
+ <a class="indexterm" name="id342312"></a>
+ The final validation step involves making certain that Samba-3 can obtain the user
+ accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
+</p><pre class="screen">
+<code class="prompt">root# </code> pdbedit -Lv chrisr
+Unix username: chrisr
+NT username: chrisr
+Account Flags: [U ]
+User SID: S-1-5-21-3504140859-1010554828-2431957765-3004
+Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513
+Full Name: System User
+Home Directory: \\MASSIVE\homes
+HomeDir Drive: H:
+Logon Script: scripts\login.cmd
+Profile Path: \\MASSIVE\profiles\chrisr
+Domain: MEGANET2
+Account desc: System User
+Workstations:
+Munged dial:
+Logon time: 0
+Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Password last set: Wed, 17 Dec 2003 17:17:40 GMT
+Password can change: Wed, 17 Dec 2003 17:17:40 GMT
+Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+Last bad password : 0
+Bad password count : 0
+Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+</pre><p>
+ This looks good. Of course, you fully expected that it would all work, didn't you?
+ </p></li><li><p>
+ <a class="indexterm" name="id342355"></a>
+ Now you add the group accounts that are used on the Abmas network. Execute
+ the following exactly as shown:
+</p><pre class="screen">
+<code class="prompt">root# </code> ./smbldap-groupadd -a Accounts
+<code class="prompt">root# </code> ./smbldap-groupadd -a Finances
+<code class="prompt">root# </code> ./smbldap-groupadd -a PIOps
+</pre><p>
+ The addition of groups does not involve keyboard interaction, so the lack of console
+ output is of no concern.
+ </p></li><li><p>
+ <a class="indexterm" name="id342394"></a>
+ You really do want to confirm that UNIX group resolution from LDAP is functioning
+ as it should. Let's do this as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent group
+...
+Domain Admins:x:512:root
+Domain Users:x:513:bobj,stans,chrisr,maryv
+Domain Guests:x:514:
+...
+Accounts:x:1000:
+Finances:x:1001:
+PIOps:x:1002:
+</pre><p>
+ The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
+ as our own site-specific group accounts, are correctly listed. This is looking good.
+ </p></li><li><p>
+ <a class="indexterm" name="id342423"></a>
+ The final step we need to validate is that Samba can see all the Windows domain groups
+ and that they are correctly mapped to the respective UNIX group account. To do this,
+ just execute the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> net groupmap list
+Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -&gt; Domain Admins
+Domain Users (S-1-5-21-3504140859-...-2431957765-513) -&gt; Domain Users
+Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -&gt; Domain Guests
+...
+Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -&gt; Accounts
+Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -&gt; Finances
+PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -&gt; PIOps
+</pre><p>
+ This is looking good. Congratulations it works! Note that in the above output
+ the lines were shortened by replacing the middle value (1010554828) of the SID with the
+ ellipsis (...).
+ </p></li><li><p>
+ The server you have so carefully built is now ready for another important step. You
+ start the Samba-3 server and validate its operation. Execute the following to render all
+ the processes needed fully operative so that, on system reboot, they are automatically
+ started:
+</p><pre class="screen">
+<code class="prompt">root# </code> chkconfig named on
+<code class="prompt">root# </code> chkconfig dhcpd on
+<code class="prompt">root# </code> chkconfig ldap on
+<code class="prompt">root# </code> chkconfig nmb on
+<code class="prompt">root# </code> chkconfig smb on
+<code class="prompt">root# </code> chkconfig winbind on
+<code class="prompt">root# </code> rcnmb start
+<code class="prompt">root# </code> rcsmb start
+<code class="prompt">root# </code> rcwinbind start
+</pre><p>
+ </p></li><li><p>
+ The next step might seem a little odd at this point, but take note that you are about to
+ start <code class="literal">winbindd</code>, which must be able to authenticate to the PDC via the
+ localhost interface with the <code class="literal">smbd</code> process. This account can be
+ easily created by joining the PDC to the domain by executing the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join -S MASSIVE -U root%not24get
+</pre><p>
+ Note: Before executing this command on the PDC, both <code class="literal">nmbd</code> and
+ <code class="literal">smbd</code> must be started so that the <code class="literal">net</code> command
+ can communicate with <code class="literal">smbd</code>. The expected output is as follows:
+</p><pre class="screen">
+Joined domain MEGANET2.
+</pre><p>
+ This indicates that the domain security account for the PDC has been correctly created.
+ </p></li><li><p>
+ At this time it is necessary to restart <code class="literal">winbindd</code> so that it can
+ correctly authenticate to the PDC. The following command achieves that:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcwinbind restart
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id342620"></a>
+ You may now check Samba-3 operation as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient -L massive -U%
+
+ Sharename Type Comment
+ --------- ---- -------
+ IPC$ IPC IPC Service (Samba 3.0.20)
+ accounts Disk Accounting Files
+ service Disk Financial Services Files
+ pidata Disk Property Insurance Files
+ apps Disk Application Files
+ netlogon Disk Network Logon Service
+ profiles Disk Profile Share
+ profdata Disk Profile Data Share
+ ADMIN$ IPC IPC Service (Samba 3.0.20)
+
+ Server Comment
+ --------- -------
+ MASSIVE Samba 3.0.20
+
+ Workgroup Master
+ --------- -------
+ MEGANET2 MASSIVE
+</pre><p>
+ This shows that an anonymous connection is working.
+ </p></li><li><p>
+ For your finale, let's try an authenticated connection:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient //massive/bobj -Ubobj%n3v3r2l8
+smb: \&gt; dir
+ . D 0 Wed Dec 17 01:16:19 2003
+ .. D 0 Wed Dec 17 19:04:42 2003
+ bin D 0 Tue Sep 2 04:00:57 2003
+ Documents D 0 Sun Nov 30 07:28:20 2003
+ public_html D 0 Sun Nov 30 07:28:20 2003
+ .urlview H 311 Fri Jul 7 06:55:35 2000
+ .dvipsrc H 208 Fri Nov 17 11:22:02 1995
+
+ 57681 blocks of size 524288. 57128 blocks available
+smb: \&gt; q
+</pre><p>
+ Well done. All is working fine.
+ </p></li></ol></div><p>
+ The server <code class="constant">MASSIVE</code> is now configured, and it is time to move onto the next task.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-ptrcfg"></a>Printer Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id342697"></a>
+ The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
+ taken care of in the <code class="filename">smb.conf</code> file. The only preparation needed for <code class="constant">smart</code>
+ printing to be possible involves creation of the directories in which Samba-3 stores
+ Windows printing driver files.
+ </p><div class="procedure"><a name="id342717"></a><p class="title"><b>Procedure 5.9. Printer Configuration Steps</b></p><ol type="1"><li><p>
+ Configure all network-attached printers to have a fixed IP address.
+ </p></li><li><p>
+ Create an entry in the DNS database on the server <code class="constant">MASSIVE</code>
+ in both the forward lookup database for the zone <code class="constant">abmas.biz.hosts</code>
+ and in the reverse lookup database for the network segment that the printer is to
+ be located in. Example configuration files for similar zones were presented in <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a>,
+ <a href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">???</a> and in <a href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">???</a>.
+ </p></li><li><p>
+ Follow the instructions in the printer manufacturers' manuals to permit printing
+ to port 9100. Use any other port the manufacturer specifies for direct mode,
+ raw printing. This allows the CUPS spooler to print using raw mode protocols.
+ <a class="indexterm" name="id342772"></a>
+ <a class="indexterm" name="id342778"></a>
+ </p></li><li><p>
+ <a class="indexterm" name="id342792"></a>
+ <a class="indexterm" name="id342799"></a>
+ Only on the server to which the printer is attached, configure the CUPS Print
+ Queues as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> lpadmin -p <em class="parameter"><code>printque</code></em>
+ -v socket://<em class="parameter"><code>printer-name</code></em>.abmas.biz:9100 -E
+</pre><p>
+ <a class="indexterm" name="id342832"></a>
+ This step creates the necessary print queue to use no assigned print filter. This
+ is ideal for raw printing, that is, printing without use of filters.
+ The name <em class="parameter"><code>printque</code></em> is the name you have assigned for
+ the particular printer.
+ </p></li><li><p>
+ Print queues may not be enabled at creation. Make certain that the queues
+ you have just created are enabled by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> /usr/bin/enable <em class="parameter"><code>printque</code></em>
+</pre><p>
+ </p></li><li><p>
+ Even though your print queue may be enabled, it is still possible that it
+ may not accept print jobs. A print queue will service incoming printing
+ requests only when configured to do so. Ensure that your print queue is
+ set to accept incoming jobs by executing the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> /usr/bin/accept <em class="parameter"><code>printque</code></em>
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id342906"></a>
+ <a class="indexterm" name="id342913"></a>
+ <a class="indexterm" name="id342920"></a>
+ Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream application/vnd.cups-raw 0 -
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id342946"></a>
+ Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream
+</pre><p>
+ </p></li><li><p>
+ Refer to the CUPS printing manual for instructions regarding how to configure
+ CUPS so that print queues that reside on CUPS servers on remote networks
+ route print jobs to the print server that owns that queue. The default setting
+ on your CUPS server may automatically discover remotely installed printers and
+ may permit this functionality without requiring specific configuration.
+ </p></li><li><p>
+ The following action creates the necessary directory subsystem. Follow these
+ steps to printing heaven:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
+<code class="prompt">root# </code> chown -R root:root /var/lib/samba/drivers
+<code class="prompt">root# </code> chmod -R ug=rwx,o=rx /var/lib/samba/drivers
+</pre><p>
+ </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sbehap-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure"><a name="id343026"></a><p class="title"><b>Procedure 5.10. Configuration of BDC Called: <code class="constant">BLDG1</code></b></p><ol type="1"><li><p>
+ Install the files in <a href="happy.html#sbehap-bldg1-smbconf" title="Example 5.8. LDAP Based smb.conf File, Server: BLDG1">???</a>,
+ <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>, and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a>
+ into the <code class="filename">/etc/samba/</code> directory. The three files
+ should be added together to form the <code class="filename">smb.conf</code> file.
+ </p></li><li><p>
+ Verify the <code class="filename">smb.conf</code> file as in step 2 of <a href="happy.html#sbehap-massive" title="Samba-3 PDC Configuration">???</a>.
+ </p></li><li><p>
+ Carefully follow the steps outlined in <a href="happy.html#sbehap-PAM-NSS" title="PAM and NSS Client Configuration">???</a>, taking
+ particular note to install the correct <code class="filename">ldap.conf</code>.
+ </p></li><li><p>
+ Verify that the NSS resolver is working. You may need to cycle the run level
+ to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
+ commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> init 1
+</pre><p>
+ After the run level has been achieved, you are prompted to provide the
+ <code class="constant">root</code> password. Log on, and then execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> init 5
+</pre><p>
+ When the normal logon prompt appears, log into the system as <code class="constant">root</code>
+ and then execute these commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent passwd
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/bin/bash
+daemon:x:2:2:Daemon:/sbin:/bin/bash
+lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
+mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
+...
+root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
+nobody:x:999:514:nobody:/dev/null:/bin/false
+bobj:x:1000:513:System User:/home/bobj:/bin/bash
+stans:x:1001:513:System User:/home/stans:/bin/bash
+chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
+maryv:x:1003:513:System User:/home/maryv:/bin/bash
+vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
+bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
+</pre><p>
+ This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
+ </p></li><li><p>
+ <a class="indexterm" name="id343172"></a>
+ The next step in the verification process involves testing the operation of UNIX group
+ resolution via the NSS LDAP resolver. Execute these commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent group
+root:x:0:
+bin:x:1:daemon
+daemon:x:2:
+sys:x:3:
+...
+Domain Admins:x:512:root
+Domain Users:x:513:bobj,stans,chrisr,maryv,jht
+Domain Guests:x:514:
+Administrators:x:544:
+Users:x:545:
+Guests:x:546:nobody
+Power Users:x:547:
+Account Operators:x:548:
+Server Operators:x:549:
+Print Operators:x:550:
+Backup Operators:x:551:
+Replicator:x:552:
+Domain Computers:x:553:
+Accounts:x:1000:
+Finances:x:1001:
+PIOps:x:1002:
+</pre><p>
+ This is also the correct and desired output, because it demonstrates that the LDAP client
+ is able to communicate correctly with the LDAP server (<code class="constant">MASSIVE</code>).
+ </p></li><li><p>
+ <a class="indexterm" name="id343207"></a>
+ You must now set the LDAP administrative password into the Samba-3 <code class="filename">secrets.tdb</code>
+ file by executing this command:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -w not24get
+Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
+</pre><p>
+ </p></li><li><p>
+ Now you must obtain the domain SID from the PDC and store it into the
+ <code class="filename">secrets.tdb</code> file also. This step is not necessary with an LDAP
+ passdb backend because Samba-3 obtains the domain SID from the
+ sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
+ add the SID to the <code class="filename">secrets.tdb</code>, and if you wish to do so, this
+ command can achieve that:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc getsid MEGANET2
+Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
+ for Domain MEGANET2 in secrets.tdb
+</pre><p>
+ When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
+ any special action to join it to the domain. However, winbind communicates with the
+ domain controller that is running on the localhost and must be able to authenticate,
+ thus requiring that the BDC should be joined to the domain. The process of joining
+ the domain creates the necessary authentication accounts.
+ </p></li><li><p>
+ To join the Samba BDC to the domain, execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join -U root%not24get
+Joined domain MEGANET2.
+</pre><p>
+ This indicates that the domain security account for the BDC has been correctly created.
+ </p></li><li><p>
+ <a class="indexterm" name="id343296"></a>
+ Verify that user and group account resolution works via Samba-3 tools as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> pdbedit -L
+root:0:root
+nobody:65534:nobody
+bobj:1000:System User
+stans:1001:System User
+chrisr:1002:System User
+maryv:1003:System User
+bldg1$:1006:bldg1$
+
+<code class="prompt">root# </code> net groupmap list
+Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -&gt;
+ Domain Admins
+Domain Users (S-1-5-21-3504140859-...-2431957765-513) -&gt; Domain Users
+Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -&gt;
+ Domain Guests
+Administrators (S-1-5-21-3504140859-...-2431957765-544) -&gt;
+ Administrators
+...
+Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -&gt; Accounts
+Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -&gt; Finances
+PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -&gt; PIOps
+</pre><p>
+ These results show that all things are in order.
+ </p></li><li><p>
+ The server you have so carefully built is now ready for another important step. Now
+ start the Samba-3 server and validate its operation. Execute the following to render all
+ the processes needed fully operative so that, upon system reboot, they are automatically
+ started:
+</p><pre class="screen">
+<code class="prompt">root# </code> chkconfig named on
+<code class="prompt">root# </code> chkconfig dhcpd on
+<code class="prompt">root# </code> chkconfig nmb on
+<code class="prompt">root# </code> chkconfig smb on
+<code class="prompt">root# </code> chkconfig winbind on
+<code class="prompt">root# </code> rcnmb start
+<code class="prompt">root# </code> rcsmb start
+<code class="prompt">root# </code> rcwinbind start
+</pre><p>
+ Samba-3 should now be running and is ready for a quick test. But not quite yet!
+ </p></li><li><p>
+ Your new <code class="constant">BLDG1, BLDG2</code> servers do not have home directories for users.
+ To rectify this using the SUSE yast2 utility or by manually editing the <code class="filename">/etc/fstab</code>
+ file, add a mount entry to mount the <code class="constant">home</code> directory that has been exported
+ from the <code class="constant">MASSIVE</code> server. Mount this resource before proceeding. An alternate
+ approach could be to create local home directories for users who are to use these machines.
+ This is a choice that you, as system administrator, must make. The following entry in the
+ <code class="filename">/etc/fstab</code> file suffices for now:
+</p><pre class="screen">
+massive.abmas.biz:/home /home nfs rw 0 0
+</pre><p>
+ To mount this resource, execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> mount -a
+</pre><p>
+ Verify that the home directory has been mounted as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> df | grep home
+massive:/home 29532988 283388 29249600 1% /home
+</pre><p>
+ </p></li><li><p>
+ Implement a quick check using one of the users that is in the LDAP database. Here you go:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient //bldg1/bobj -Ubobj%n3v3r2l8
+smb: \&gt; dir
+ . D 0 Wed Dec 17 01:16:19 2003
+ .. D 0 Wed Dec 17 19:04:42 2003
+ bin D 0 Tue Sep 2 04:00:57 2003
+ Documents D 0 Sun Nov 30 07:28:20 2003
+ public_html D 0 Sun Nov 30 07:28:20 2003
+ .urlview H 311 Fri Jul 7 06:55:35 2000
+ .dvipsrc H 208 Fri Nov 17 11:22:02 1995
+
+ 57681 blocks of size 524288. 57128 blocks available
+smb: \&gt; q
+</pre><p>
+ </p></li></ol></div><p>
+ Now that the first BDC (<code class="constant">BDLG1</code>) has been configured it is time to build
+ and configure the second BDC server (<code class="constant">BLDG2</code>) as follows:
+ </p><div class="procedure"><a name="sbehap-bldg2"></a><p class="title"><b>Procedure 5.11. Configuration of BDC Called <code class="constant">BLDG2</code></b></p><ol type="1"><li><p>
+ Install the files in <a href="happy.html#sbehap-bldg2-smbconf" title="Example 5.9. LDAP Based smb.conf File, Server: BLDG2">???</a>,
+ <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>, and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a>
+ into the <code class="filename">/etc/samba/</code> directory. The three files
+ should be added together to form the <code class="filename">smb.conf</code> file.
+ </p></li><li><p>
+ Follow carefully the steps shown in <a href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">???</a>, starting at step 2.
+ </p></li></ol></div><div class="example"><a name="sbehap-bldg1-smbconf"></a><p class="title"><b>Example 5.8. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id343601"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id343614"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id343626"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id343639"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id343652"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id343664"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id343677"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id343690"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id343702"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id343715"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id343727"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id343740"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id343752"></a><em class="parameter"><code>printcap name = 
CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id343765"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id343778"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id343790"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id343803"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id343816"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id343828"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id343841"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id343853"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id343866"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id343879"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id343891"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id343904"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id343917"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id343929"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id343942"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id343955"></a><em 
class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id343967"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id343980"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-bldg2-smbconf"></a><p class="title"><b>Example 5.9. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id344026"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id344039"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id344051"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id344064"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id344076"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id344089"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id344102"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id344114"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id344127"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id344139"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" 
name="id344152"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id344164"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id344177"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id344190"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id344202"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id344215"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id344228"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id344240"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id344253"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id344265"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id344278"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id344291"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id344303"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id344316"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id344329"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id344341"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a 
class="indexterm" name="id344354"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id344367"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id344379"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id344392"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id344404"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfa"></a><p class="title"><b>Example 5.10. LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id344450"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id344463"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id344475"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id344497"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id344509"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id344522"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id344543"></a><em class="parameter"><code>comment = 
Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id344556"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id344569"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id344590"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id344603"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id344615"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id344628"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id344649"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id344662"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id344674"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id344687"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id344700"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfb"></a><p class="title"><b>Example 5.11. 
LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id344745"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id344758"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id344770"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id344783"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id344804"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id344817"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id344830"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id344842"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id344864"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id344876"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id344889"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id344901"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" 
name="id344923"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id344935"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id344948"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id344961"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id344982"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id344995"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id345007"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id345020"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id345032"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id345045"></a><em class="parameter"><code>write list = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifadd"></a><p class="title"><b>Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
+dn: ou=Idmap,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: idmap
+structuralObjectClass: organizationalUnit
+</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id345079"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p>
+ My father would say, &#8220;<span class="quote">Dinner is not over until the dishes have been done.</span>&#8221;
+ The makings of a great network environment take a lot of effort and attention to detail.
+ So far, you have completed most of the complex (and to many administrators, the interesting
+ part of server configuration) steps, but remember to tie it all together. Here are
+ a few more steps that must be completed so that your network runs like a well-rehearsed
+ orchestra.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345095"></a>Configuring Directory Share Point Roots</h3></div></div></div><p>
+ In your <code class="filename">smb.conf</code> file, you have specified Windows shares. Each has a <em class="parameter"><code>path</code></em>
+ parameter. Even though it is obvious to all, one of the common Samba networking problems is
+ caused by forgetting to verify that every such share root directory actually exists and that it
+ has the necessary permissions and ownership.
+ </p><p>
+ Here is an example, but remember to create the directory needed for every share:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /data/{accounts,finsvcs,piops}
+<code class="prompt">root# </code> mkdir -p /apps
+<code class="prompt">root# </code> chown -R root:root /data
+<code class="prompt">root# </code> chown -R root:root /apps
+<code class="prompt">root# </code> chown -R bobj:Accounts /data/accounts
+<code class="prompt">root# </code> chown -R bobj:Finances /data/finsvcs
+<code class="prompt">root# </code> chown -R bobj:PIOps /data/piops
+<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data
+<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps
+</pre><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345184"></a>Configuring Profile Directories</h3></div></div></div><p>
+ You made a conscious decision to do everything it would take to improve network client
+ performance. One of your decisions was to implement folder redirection. This means that Windows
+ user desktop profiles are now made up of two components: a dynamically loaded part and a set of file
+ network folders.
+ </p><p>
+ For this arrangement to work, every user needs a directory structure for the network folder
+ portion of his or her profile as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /var/lib/samba/profdata
+<code class="prompt">root# </code> chown root:root /var/lib/samba/profdata
+<code class="prompt">root# </code> chmod 755 /var/lib/samba/profdata
+
+# Per user structure
+<code class="prompt">root# </code> cd /var/lib/samba/profdata
+<code class="prompt">root# </code> mkdir -p <span class="emphasis"><em>username</em></span>
+<code class="prompt">root# </code> for i in InternetFiles Cookies History AppData \
+ LocalSettings MyPictures MyDocuments Recent
+<code class="prompt">root# </code> do
+<code class="prompt">root# </code> mkdir <span class="emphasis"><em>username</em></span>/$i
+<code class="prompt">root# </code> done
+<code class="prompt">root# </code> chown -R <span class="emphasis"><em>username</em></span>:Domain\ Users <span class="emphasis"><em>username</em></span>
+<code class="prompt">root# </code> chmod -R 750 <span class="emphasis"><em>username</em></span>
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id345294"></a>
+ <a class="indexterm" name="id345300"></a>
+ You have three options insofar as the dynamically loaded portion of the roaming profile
+ is concerned:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>You may permit the user to obtain a default profile.</p></li><li><p>You can create a mandatory profile.</p></li><li><p>You can create a group profile (which is almost always a mandatory profile).</p></li></ul></div><p>
+ Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory
+ profile is effected by renaming the <code class="filename">NTUSER.DAT</code> to <code class="filename">NTUSER.MAN</code>,
+ that is, just by changing the filename extension.
+ </p><p>
+ <a class="indexterm" name="id345346"></a>
+ <a class="indexterm" name="id345353"></a>
+ The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend.
+ You can manage this using the Idealx smbldap-tools or using the
+ <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">Windows NT4 Domain User Manager</a>.
+ </p><p>
+ It may not be obvious that you must ensure that the root directory for the user's profile exists
+ and has the needed permissions. Use the following commands to create this directory:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
+<code class="prompt">root# </code> chown <span class="emphasis"><em>username</em></span>:Domain\ Users
+ /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
+<code class="prompt">root# </code> chmod 700 /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
+</pre><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345412"></a>Preparation of Logon Scripts</h3></div></div></div><p>
+ <a class="indexterm" name="id345420"></a>
+ The use of a logon script with Windows XP Professional is an option that every site should consider.
+ Unless you have locked down the desktop so the user cannot change anything, there is risk that
+ a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
+ can help to restore persistent network folder (drive) and printer connections in a predictable
+ manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
+ user attaches to another company's network that forces environment changes that are alien to your
+ network.
+ </p><p>
+ If you decide to use network logon scripts, by reference to the <code class="filename">smb.conf</code> files for the domain
+ controllers, you see that the path to the share point for the <code class="constant">NETLOGON</code>
+ share defined is <code class="filename">/var/lib/samba/netlogon</code>. The path defined for the logon
+ script inside that share is <code class="filename">scripts\logon.bat</code>. This means that as a Windows
+ NT/200x/XP client logs onto the network, it tries to obtain the file <code class="filename">logon.bat</code>
+ from the fully qualified path <code class="filename">/var/lib/samba/netlogon/scripts</code>. This fully
+ qualified path should therefore exist whether you install the <code class="filename">logon.bat</code>.
+ </p><p>
+ You can, of course, create the fully qualified path by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /var/lib/samba/netlogon/scripts
+</pre><p>
+ </p><p>
+ You should research the options for logon script implementation by referring to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 24,
+ Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon
+ facilities in use today is called <a href="http://www.kixtart.org" target="_top">KiXtart</a>.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345510"></a>Assigning User Rights and Privileges</h3></div></div></div><p>
+ The ability to perform tasks such as joining Windows clients to the domain can be assigned to
+ normal user accounts. By default, only the domain administrator account (<code class="constant">root</code> on UNIX
+ systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
+ this privilege in a very limited fashion to particular accounts.
+ </p><p>
+ By default, even Samba-3.0.11 does not grant any rights even to the <code class="constant">Domain Admins</code>
+ group. Here we grant this group all privileges.
+ </p><p>
+ Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
+ are granted rights can be restricted to particular machines. It is left to the network administrator
+ to determine which rights should be provided and to whom.
+ </p><div class="procedure"><a name="id345539"></a><p class="title"><b>Procedure 5.12. Steps for Assignment of User Rights and Privileges</b></p><ol type="1"><li><p>
+ Log onto the PDC as the <code class="constant">root</code> account.
+ </p></li><li><p>
+ Execute the following command to grant the <code class="constant">Domain Admins</code> group all
+ rights and privileges:
+</p><pre class="screen">
+<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \
+ "MEGANET2\Domain Admins" SeMachineAccountPrivilege \
+ SePrintOperatorPrivilege SeAddUsersPrivilege \
+ SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
+Successfully granted rights.
+</pre><p>
+ Repeat this step on each domain controller, in each case substituting the name of the server
+ (e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE.
+ </p></li><li><p>
+ In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
+ to the domain. Execute the following only on the PDC. It is not necessary to do this on
+ BDCs or on DMS machines because machine accounts are only ever added by the PDC:
+</p><pre class="screen">
+<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \
+ "MEGANET2\bobj" SeMachineAccountPrivilege
+Successfully granted rights.
+</pre><p>
+ </p></li><li><p>
+ Verify that privilege assignments have been correctly applied by executing:
+</p><pre class="screen">
+net rpc rights list accounts -Uroot%not24get
+MEGANET2\bobj
+SeMachineAccountPrivilege
+
+S-0-0
+No privileges assigned
+
+BUILTIN\Print Operators
+No privileges assigned
+
+BUILTIN\Account Operators
+No privileges assigned
+
+BUILTIN\Backup Operators
+No privileges assigned
+
+BUILTIN\Server Operators
+No privileges assigned
+
+BUILTIN\Administrators
+No privileges assigned
+
+Everyone
+No privileges assigned
+
+MEGANET2\Domain Admins
+SeMachineAccountPrivilege
+SePrintOperatorPrivilege
+SeAddUsersPrivilege
+SeRemoteShutdownPrivilege
+SeDiskOperatorPrivilege
+</pre><p>
+ </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id345624"></a>Windows Client Configuration</h2></div></div></div><p>
+ <a class="indexterm" name="id345632"></a>
+ In the next few sections, you can configure a new Windows XP Professional disk image on a staging
+ machine. You will configure all software, printer settings, profile and policy handling, and desktop
+ default profile settings on this system. When it is complete, you copy the contents of the
+ <code class="filename">C:\Documents and Settings\Default User</code> directory to a directory with the same
+ name in the <code class="constant">NETLOGON</code> share on the domain controllers.
+ </p><p>
+ Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
+ One knowledge-base article in particular stands out:
+ "<a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475" target="_top">How to Create a
+ Base Profile for All Users."</a>
+
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p>
+ <a class="indexterm" name="id345675"></a>
+ Log onto the Windows XP Professional workstation as the local <code class="constant">Administrator</code>.
+ It is necessary to expose folders that are generally hidden to provide access to the
+ <code class="constant">Default User</code> folder.
+ </p><div class="procedure"><a name="id345692"></a><p class="title"><b>Procedure 5.13. Expose Hidden Folders</b></p><ol type="1"><li><p>
+ Launch the Windows Explorer by clicking
+ <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">My Computer</span> &#8594; <span class="guimenuitem">Tools</span> &#8594; <span class="guimenuitem">Folder Options</span> &#8594; <span class="guimenuitem">View Tab</span>.
+ Select <span class="guilabel">Show hidden files and folders</span>,
+ and click <span class="guibutton">OK</span>. Exit Windows Explorer.
+ </p></li><li><p>
+ <a class="indexterm" name="id345756"></a>
+ Launch the Registry Editor. Click
+ <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Run</span>. Key in <code class="literal">regedt32</code>, and click
+ <span class="guibutton">OK</span>.
+ </p></li></ol></div><p>
+ </p><div class="procedure"><a name="sbehap-rdrfldr"></a><p class="title"><b>Procedure 5.14. Redirect Folders in Default System User Profile</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id345813"></a>
+ <a class="indexterm" name="id345820"></a>
+ Give focus to <code class="constant">HKEY_LOCAL_MACHINE</code> hive entry in the left panel.
+ Click <span class="guimenu">File</span> &#8594; <span class="guimenuitem">Load Hive...</span> &#8594; <span class="guimenuitem">Documents and Settings</span> &#8594; <span class="guimenuitem">Default User</span> &#8594; <span class="guimenuitem">NTUSER</span> &#8594; <span class="guimenuitem">Open</span>. In the dialog box that opens, enter the key name
+ <code class="constant">Default</code> and click <span class="guibutton">OK</span>.
+ </p></li><li><p>
+ Browse inside the newly loaded Default folder to:
+</p><pre class="screen">
+HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
+ CurrentVersion\Explorer\User Shell Folders\
+</pre><p>
+ The right panel reveals the contents as shown in <a href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id345908"></a>
+ <a class="indexterm" name="id345915"></a>
+ You edit hive keys. Acceptable values to replace the
+ <code class="constant">%USERPROFILE%</code> variable includes:
+
+ </p><div class="itemizedlist"><ul type="disc"><li><p>A drive letter such as <code class="constant">U:</code></p></li><li><p>A direct network path such as
+ <code class="constant">\\MASSIVE\profdata</code></p></li><li><p>A network redirection (UNC name) that contains a macro such as </p><p><code class="constant">%LOGONSERVER%\profdata\</code></p></li></ul></div><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id345959"></a>
+ Set the registry keys as shown in <a href="happy.html#proffold" title="Table 5.4. Default Profile Redirections">???</a>. Your implementation makes the assumption
+ that users have statically located machines. Notebook computers (mobile users) need to be
+ accommodated using local profiles. This is not an uncommon assumption.
+ </p></li><li><p>
+ Click back to the root of the loaded hive <code class="constant">Default</code>.
+ Click <span class="guimenu">File</span> &#8594; <span class="guimenuitem">Unload Hive...</span> &#8594; <span class="guimenuitem">Yes</span>.
+ </p></li><li><p>
+ <a class="indexterm" name="id346011"></a>
+ Click <span class="guimenu">File</span> &#8594; <span class="guimenuitem">Exit</span>. This exits the
+ Registry Editor.
+ </p></li><li><p>
+ Now follow the procedure given in <a href="happy.html#sbehap-locgrppol" title="The Local Group Policy">???</a>. Make sure that each folder you
+ have redirected is in the exclusion list.
+ </p></li><li><p>
+ You are now ready to copy<sup>[<a name="id346053" href="#ftn.id346053">11</a>]</sup>
+ the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer,
+ and use it to copy the full contents of the directory <code class="filename">Default User</code> that
+ is in the <code class="filename">C:\Documents and Settings</code> to the root directory of the
+ <code class="constant">NETLOGON</code> share. If the <code class="constant">NETLOGON</code> share has the defined
+ UNIX path of <code class="filename">/var/lib/samba/netlogon</code>, when the copy is complete there must
+ be a directory in there called <code class="filename">Default User</code>.
+ </p></li></ol></div><p>
+ Before punching out new desktop images for the client workstations, it is perhaps a good idea that
+ desktop behavior should be returned to the original Microsoft settings. The following steps achieve
+ that ojective:
+ </p><div class="procedure"><a name="id346112"></a><p class="title"><b>Procedure 5.15. Reset Folder Display to Original Behavior</b></p><ul><li><p>
+ To launch the Windows Explorer, click
+ <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">My Computer</span> &#8594; <span class="guimenuitem">Tools</span> &#8594; <span class="guimenuitem">Folder Options</span> &#8594; <span class="guimenuitem">View Tab</span>.
+ Deselect <span class="guilabel">Show hidden files and folders</span>, and click <span class="guibutton">OK</span>.
+ Exit Windows Explorer.
+ </p></li></ul></div><div class="figure"><a name="XP-screen001"></a><p class="title"><b>Figure 5.3. Windows XP Professional User Shared Folders</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/XP-screen001.png" width="351" alt="Windows XP Professional User Shared Folders"></div></div></div><br class="figure-break"><div class="table"><a name="proffold"></a><p class="title"><b>Table 5.4. Default Profile Redirections</b></p><div class="table-contents"><table summary="Default Profile Redirections" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Registry Key</th><th align="left">Redirected Value</th></tr></thead><tbody><tr><td align="left">Cache</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</td></tr><tr><td align="left">Cookies</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Cookies</td></tr><tr><td align="left">History</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\AppData</td></tr><tr><td align="left">Local Settings</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</td></tr><tr><td align="left">My Pictures</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyPictures</td></tr><tr><td align="left">Personal</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</td></tr><tr><td align="left">Recent</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Recent</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id346340"></a>Configuration of MS Outlook to Relocate PST File</h3></div></div></div><p>
+ <a class="indexterm" name="id346348"></a>
+ <a class="indexterm" name="id346357"></a>
+ Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
+ It is the nature of email storage that this file grows, at times quite rapidly.
+ So that users' email is available to them at every workstation they may log onto,
+ it is common practice in well-controlled sites to redirect the PST folder to the
+ users' home directory. Follow these steps for each user who wishes to do this.
+ </p><p>
+ To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave
+ slightly differently), follow these steps:
+ </p><div class="procedure"><a name="id346375"></a><p class="title"><b>Procedure 5.16. Outlook PST File Relocation</b></p><ol type="1"><li><p>
+ Close Outlook if it is open.
+ </p></li><li><p>
+ From the <span class="guimenu">Control Panel</span>, launch the Mail icon.
+ </p></li><li><p>
+ Click <span class="guimenu">Email Accounts.</span>
+ </p></li><li><p>
+ Make a note of the location of the PST file(s). From this location, move
+ the files to the desired new target location. The most desired new target location
+ may well be the users' home directory.
+ </p></li><li><p>
+ Add a new data file, selecting the PST file in the new desired target location.
+ Give this entry (not the filename) a new name such as &#8220;<span class="quote">Personal Mail Folders.</span>&#8221;
+ </p><p>
+ Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems
+ following these instructions. Feedback from users suggests that where IMAP is used the PST
+ file is used to store rules and filters. When the PST store is relocated it appears to break
+ MS Outlook's Send/Receive button. If anyone has sucessfully relocated PST files where IMAP is
+ used please email <code class="literal">jht@samba.org</code> with useful tips and suggestions so that
+ this warning can be removed or modified.
+ </p></li><li><p>
+ Close the <span class="guimenu">Date Files</span> windows, then click <span class="guimenu">Email Accounts</span>.
+ </p></li><li><p>
+ Select <span class="guimenu">View of Change</span> exiting email accounts, click <span class="guibutton">Next.</span>
+ </p></li><li><p>
+ Change the <span class="guimenu">Mail Delivery Location</span> so as to use the data file in the new
+ target location.
+ </p></li><li><p>
+ Go back to the <span class="guimenu">Data Files</span> window, then delete the old data file entry.
+ </p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id346514"></a>
+ You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise
+ the user may be not be able to retrieve contacts when addressing a new email message.
+ </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id346527"></a>
+ Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook
+ Express storage files can not be redirected to network shares. The options panel will not permit
+ this, but they can be moved to folders outside of the user's profile. They can also be excluded
+ from folder synchronization as part of the roaming profile.
+ </p><p>
+ While it is possible to redirect the data stores for Outlook Express data stores by editing the
+ registry, experience has shown that data corruption and loss of email messages will result.
+ </p><p>
+ <a class="indexterm" name="id346545"></a>
+ <a class="indexterm" name="id346552"></a>
+ In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with
+ roaming profiles this can result in excruciatingly long login and logout behavior will files are
+ synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming
+ profiles are used.
+ </p></div><p>
+ <a class="indexterm" name="id346565"></a>
+ Microsoft does not support storing PST files on network shares, although the practice does appear
+ to be rather popular. Anyone who does relocation the PST file to a network resource should refer
+ the Microsoft <a href="http://support.microsoft.com/kb/297019/" target="_top">reference</a> to better
+ understand the issues.
+ </p><p>
+ <a class="indexterm" name="id346583"></a>
+ Apart from manually moving PST files to a network share, it is possible to set the default PST
+ location for new accounts by following the instructions at the WindowsITPro <a href="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html" target="_top">web</a> site.
+ </p><p>
+ <a class="indexterm" name="id346601"></a>
+ User feedback suggests that disabling of oplocks on PST files will significantly improve
+ network performance by reducing locking overheads. One way this can be done is to add to the
+ <code class="filename">smb.conf</code> file stanza for the share the PST file the following:
+</p><pre class="screen">
+veto oplock files = /*.pdf/*.PST/
+</pre><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id346624"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p>
+ Configure the Windows XP Professional client to auto-delete roaming profiles on logout:
+ </p><p>
+ <a class="indexterm" name="id346636"></a>
+ Click
+ <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Run</span>. In the dialog box, enter <code class="literal">MMC</code> and click <span class="guibutton">OK</span>.
+ </p><p>
+ Follow these steps to set the default behavior of the staging machine so that all roaming
+ profiles are deleted as network users log out of the system. Click
+ <span class="guimenu">File</span> &#8594; <span class="guimenuitem">Add/Remove Snap-in</span> &#8594; <span class="guimenuitem">Add</span> &#8594; <span class="guimenuitem">Group Policy</span> &#8594; <span class="guimenuitem">Add</span> &#8594; <span class="guimenuitem">Finish</span> &#8594; <span class="guimenuitem">Close</span> &#8594; <span class="guimenuitem">OK</span>.
+ </p><p>
+ <a class="indexterm" name="id346729"></a>
+ The Microsoft Management Console now shows the <span class="guimenu">Group Policy</span>
+ utility that enables you to set the policies needed. In the left panel, click
+ <span class="guimenuitem">Local Computer Policy</span> &#8594; <span class="guimenuitem">Administrative Templates</span> &#8594; <span class="guimenuitem">System</span> &#8594; <span class="guimenuitem">User Profiles</span>. In the right panel, set the properties shown here by double-clicking on each
+ item as shown:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p>
+ Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
+ made of this system to deploy the new standard desktop system.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id346795"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p>
+ <a class="indexterm" name="id346803"></a>
+ Users want to be able to use network printers. You have a vested interest in making
+ it easy for them to print. You have chosen to install the printer drivers onto the Samba
+ servers and to enable point-and-click (drag-and-drop) printing. This process results in
+ Samba being able to automatically provide the Windows client with the driver necessary to
+ print to the printer chosen. The following procedure must be followed for every network
+ printer:
+ </p><div class="procedure"><a name="id346817"></a><p class="title"><b>Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers</b></p><ol type="1"><li><p>
+ Join your Windows XP Professional workstation (the staging machine) to the
+ <code class="constant">MEGANET2</code> domain. If you are not sure of the procedure,
+ follow the guidance given in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>.
+ </p></li><li><p>
+ After the machine has rebooted, log onto the workstation as the domain
+ <code class="constant">root</code> (this is the Administrator account for the
+ operating system that is the host platform for this implementation of Samba.
+ </p></li><li><p>
+ Launch MS Windows Explorer. Navigate in the left panel. Click
+ <span class="guimenu">My Network Places</span> &#8594; <span class="guimenuitem">Entire Network</span> &#8594; <span class="guimenuitem">Microsoft Windows Network</span> &#8594; <span class="guimenuitem">Meganet2</span> &#8594; <span class="guimenuitem">Massive</span>. Click on <span class="guimenu">Massive</span>
+ <span class="guimenu">Printers and Faxes</span>.
+ </p></li><li><p>
+ Identify a printer that is shown in the right panel. Let us assume the printer is called
+ <code class="constant">ps01-color</code>. Right-click on the <span class="guimenu">ps01-color</span> icon
+ and select the <span class="guimenu">Properties</span> entry. This opens a dialog box that indicates
+ that &#8220;<span class="quote">The printer driver is not installed on this computer. Some printer properties
+ will not be accessible unless you install the printer driver. Do you want to install the
+ driver now?</span>&#8221; It is important at this point you answer <span class="guimenu">No</span>.
+ </p></li><li><p>
+ The printer properties panel for the <span class="guimenu">ps01-color</span> printer on the server
+ <code class="constant">MASSIVE</code> is displayed. Click the <span class="guimenu">Advanced</span> tab.
+ Note that the box labeled <span class="guimenu">Driver</span> is empty. Click the <span class="guimenu">New Driver</span>
+ button that is next to the <span class="guimenu">Driver</span> box. This launches the &#8220;<span class="quote">Add Printer Wizard</span>&#8221;.
+ </p></li><li><p>
+ <a class="indexterm" name="id346996"></a>
+ <a class="indexterm" name="id347005"></a>
+ The &#8220;<span class="quote">Add Printer Driver Wizard on <code class="constant">MASSIVE</code></span>&#8221; panel
+ is now presented. Click <span class="guimenu">Next</span> to continue. From the left panel, select the
+ printer manufacturer. In your case, you are adding a driver for a printer manufactured by
+ Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click
+ <span class="guimenu">Next</span>, and then <span class="guimenu">Finish</span> to commence driver upload. A
+ progress bar appears and instructs you as each file is being uploaded and that it is being
+ directed at the network server <code class="constant">\\massive\ps01-color</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id347050"></a>
+ <a class="indexterm" name="id347059"></a>
+ <a class="indexterm" name="id347068"></a>
+ <a class="indexterm" name="id347077"></a>
+ <a class="indexterm" name="id347087"></a>
+ <a class="indexterm" name="id347096"></a>
+ The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
+ you are returned to the <span class="guimenu">Advanced</span> tab in the <span class="guimenu">Properties</span> panel.
+ You can set the Location (under the <span class="guimenu">General</span> tab) and Security settings (under
+ the <span class="guimenu">Security</span> tab). Under the <span class="guimenu">Sharing</span> tab it is possible to
+ load additional printer drivers; there is also a check-box in this tab called &#8220;<span class="quote">List in the
+ directory</span>&#8221;. When this box is checked, the printer will be published in Active Directory
+ (Applicable to Active Directory use only.)
+ </p></li><li><p>
+ <a class="indexterm" name="id347146"></a>
+ Click <span class="guimenu">OK</span>. It will take a minute or so to upload the settings to the server.
+ You are now returned to the <span class="guimenu">Printers and Faxes on Massive</span> monitor.
+ Right-click on the printer, click <span class="guimenu">Properties</span> &#8594; <span class="guimenuitem">Device Settings</span>. Now change the settings to suit
+ your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if
+ you need to reverse the changes back to their original settings.
+ </p></li><li><p>
+ This is necessary so that the printer settings are initialized in the Samba printers
+ database. Click <span class="guimenu">Apply</span> to commit your settings. Revert any settings you changed
+ just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
+ click <span class="guimenu">Apply</span> again.
+ </p></li><li><p>
+ <a class="indexterm" name="id347214"></a>
+ Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
+ click the <span class="guimenu">General</span> tab. Now click the <span class="guimenu">Print Test Page</span> button.
+ A test page should print. Verify that it has printed correctly. Then click <span class="guimenu">OK</span>
+ in the panel that is newly presented. Click <span class="guimenu">OK</span> on the <span class="guimenu">ps01-color on
+ massive Properties</span> panel.
+ </p></li><li><p>
+ You must repeat this process for all network printers (i.e., for every printer on each server).
+ When you have finished uploading drivers to all printers, close all applications. The next task
+ is to install software your users require to do their work.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id347264"></a>Software Installation</h3></div></div></div><p>
+ Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
+ a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
+ Notebooks require special handling that is beyond the scope of this chapter.
+ </p><p>
+ For desktop systems, the installation of software onto administratively centralized application servers
+ make a lot of sense. This means that you can manage software maintenance from a central
+ perspective and that only minimal application stubware needs to be installed onto the desktop
+ systems. You should proceed with software installation and default configuration as far as is humanly
+ possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
+ of software operations and configuration.
+ </p><p>
+ When you believe that the overall configuration is complete, be sure to create a shared group profile
+ and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in
+ case a user may have specific needs you had not anticipated.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id347290"></a>Roll-out Image Creation</h3></div></div></div><p>
+ The final steps before preparing the distribution Norton Ghost image file you might follow are:
+ </p><div class="blockquote"><blockquote class="blockquote"><p>
+ Unjoin the domain Each workstation requires a unique name and must be independently
+ joined into domain membership.
+ </p></blockquote></div><div class="blockquote"><blockquote class="blockquote"><p>
+ Defragment the hard disk While not obvious to the uninitiated, defragmentation results
+ in better performance and often significantly reduces the size of the compressed disk image. That
+ also means it will take less time to deploy the image onto 500 workstations.
+ </p></blockquote></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id347320"></a>Key Points Learned</h2></div></div></div><p>
+ This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately
+ avoided any consideration of security. Security does not just happen; you must design it into your total
+ network. Security begins with a systems design and implementation that anticipates hostile behavior from
+ users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
+ they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
+ practices, you must not deploy the design presented in this book in an environment where there is risk
+ of compromise.
+ </p><p>
+ <a class="indexterm" name="id347336"></a>
+ <a class="indexterm" name="id347345"></a>
+ As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be
+ configured to use secure protocols for all communications over the network. Of course, secure networking
+ does not result just from systems design and implementation but involves constant user education
+ training and, above all, disciplined attention to detail and constant searching for signs of unfriendly
+ or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
+ Jerry Carter's book <a href="http://www.booksense.com/product/info.jsp&amp;isbn=1565924916" target="_top">
+ <span class="emphasis"><em>LDAP System Administration</em></span></a> is a good place to start reading about OpenLDAP
+ as well as security considerations.
+ </p><p>
+ The substance of this chapter that has been deserving of particular attention includes:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Implementation of an OpenLDAP-based passwd backend, necessary to support distributed
+ domain control.
+ </p></li><li><p>
+ Implementation of Samba primary and secondary domain controllers with a common LDAP backend
+ for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and
+ pam_ldap tool-sets.
+ </p></li><li><p>
+ Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as
+ to manage Samba Windows user and group accounts.
+ </p></li><li><p>
+ The basics of implementation of Group Policy controls for Windows network clients.
+ </p></li><li><p>
+ Control over roaming profiles, with particular focus on folder redirection to network drives.
+ </p></li><li><p>
+ Use of the CUPS printing system together with Samba-based printer driver auto-download.
+ </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id347408"></a>Questions and Answers</h2></div></div></div><p>
+ Well, here we are at the end of this chapter and we have only ten questions to help you to
+ remember so much. There are bound to be some sticky issues here.
+ </p><div class="qandaset"><dl><dt> <a href="happy.html#id347424">
+ Why did you not cover secure practices? Isn't it rather irresponsible to instruct
+ network administrators to implement insecure solutions?
+ </a></dt><dt> <a href="happy.html#id347458">
+ You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
+ you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
+ to the Linux I might be using?
+ </a></dt><dt> <a href="happy.html#id347502">
+ You did not use SWAT to configure Samba. Is there something wrong with it?
+ </a></dt><dt> <a href="happy.html#id347537">
+ You have exposed a well-used password not24get. Is that
+ not irresponsible?
+ </a></dt><dt> <a href="happy.html#id347559">
+ The Idealx smbldap-tools create many domain group accounts that are not used. Is that
+ a good thing?
+ </a></dt><dt> <a href="happy.html#id347582">
+ Can I use LDAP just for Samba accounts and not for UNIX system accounts?
+ </a></dt><dt> <a href="happy.html#id347602">
+ Why are the Windows domain RID portions not the same as the UNIX UID?
+ </a></dt><dt> <a href="happy.html#id347634">
+ Printer configuration examples all show printing to the HP port 9100. Does this
+ mean that I must have HP printers for these solutions to work?
+ </a></dt><dt> <a href="happy.html#id347659">
+ Is folder redirection dangerous? I've heard that you can lose your data that way.
+ </a></dt><dt> <a href="happy.html#id347681">
+ Is it really necessary to set a local Group Policy to exclude the redirected
+ folders from the roaming profile?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id347424"></a><a name="id347427"></a></td><td align="left" valign="top"><p>
+ Why did you not cover secure practices? Isn't it rather irresponsible to instruct
+ network administrators to implement insecure solutions?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Let's get this right. This is a book about Samba, not about OpenLDAP and secure
+ communication protocols for subjects other than Samba. Earlier on, you note,
+ that the dynamic DNS and DHCP solutions also used no protective secure communications
+ protocols. The reason for this is simple: There are so many ways of implementing
+ secure protocols that this book would have been even larger and more complex.
+ </p><p>
+ The solutions presented here all work (at least they did for me). Network administrators
+ have the interest and the need to be better trained and instructed in secure networking
+ practices and ought to implement safe systems. I made the decision, right or wrong,
+ to keep this material as simple as possible. The intent of this book is to demonstrate
+ a working solution and not to discuss too many peripheral issues.
+ </p><p>
+ This book makes little mention of backup techniques. Does that mean that I am recommending
+ that you should implement a network without provision for data recovery and for disaster
+ management? Back to our focus: The deployment of Samba has been clearly demonstrated.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347458"></a><a name="id347460"></a></td><td align="left" valign="top"><p>
+ You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
+ you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
+ to the Linux I might be using?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
+ for a standard Linux distribution. The differences are marginal. Surely you know
+ your Linux platform, and you do have access to administration manuals for it. This
+ book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
+ the Samba part of the book; all the other bits are peripheral (but important) to
+ creation of a total network solution.
+ </p><p>
+ What I find interesting is the attention reviewers give to Linux installation and to
+ the look and feel of the desktop, but does that make for a great server? In this book,
+ I have paid particular attention to the details of creating a whole solution framework.
+ I have not tightened every nut and bolt, but I have touched on all the issues you
+ need to be familiar with. Over the years many people have approached me wanting to
+ know the details of exactly how to implement a DHCP and dynamic DNS server with Samba
+ and WINS. In this chapter, it is plain to see what needs to be configured to provide
+ transparent interoperability. Likewise for CUPS and Samba interoperation. These are
+ key stumbling areas for many people.
+ </p><p>
+ At every critical junction, I have provided comparative guidance for both SUSE and
+ Red Hat Linux. Both manufacturers have done a great job in furthering the cause
+ of open source software. I favor neither and respect both. I like particular
+ features of both products (companies also). No bias in presentation is intended.
+ Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347502"></a><a name="id347504"></a></td><td align="left" valign="top"><p>
+ You did not use SWAT to configure Samba. Is there something wrong with it?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ That is a good question. As it is, the <code class="filename">smb.conf</code> file configurations are presented
+ in as direct a format as possible. Adding SWAT into the equation would have complicated
+ matters. I sought simplicity of implementation. The fact is that I did use SWAT to
+ create the files in the first place.
+ </p><p>
+ There are people in the Linux and open source community who feel that SWAT is dangerous
+ and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
+ hope to have brought their interests on board. SWAT is well covered is <span class="emphasis"><em>TOSHARG2</em></span>.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347537"></a><a name="id347539"></a></td><td align="left" valign="top"><p>
+ You have exposed a well-used password <span class="emphasis"><em>not24get</em></span>. Is that
+ not irresponsible?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Well, I had to use a password of some sort. At least this one has been consistently
+ used throughout. I guess you can figure out that in a real deployment it would make
+ sense to use a more secure and original password.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347559"></a><a name="id347561"></a></td><td align="left" valign="top"><p>
+ The Idealx smbldap-tools create many domain group accounts that are not used. Is that
+ a good thing?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ I took this up with Idealx and found them most willing to change that in the next version.
+ Let's give Idealx some credit for the contribution they have made. I appreciate their work
+ and, besides, it does no harm to create accounts that are not now used at some time
+ Samba may well use them.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347582"></a><a name="id347584"></a></td><td align="left" valign="top"><p>
+ Can I use LDAP just for Samba accounts and not for UNIX system accounts?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX)
+ group account for every Windows domain group account. But if you put your users into
+ the system password account, how do you plan to keep all domain controller system
+ password files in sync? I think that having everything in LDAP makes a lot of sense
+ for the UNIX administrator who is still learning the craft and is migrating from MS Windows.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347602"></a><a name="id347605"></a></td><td align="left" valign="top"><p>
+ Why are the Windows domain RID portions not the same as the UNIX UID?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
+ This algorithm ought to ensure that there will be no clashes with well-known RIDs.
+ Well-known RIDs have special significance to MS Windows clients. The automatic
+ assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
+ permit you to override that to some extent. See the <code class="filename">smb.conf</code> man page entry
+ for <em class="parameter"><code>algorithmic rid base</code></em>.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347634"></a><a name="id347636"></a></td><td align="left" valign="top"><p>
+ Printer configuration examples all show printing to the HP port 9100. Does this
+ mean that I must have HP printers for these solutions to work?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ No. You can use any type of printer and must use the interfacing protocol supported
+ by the printer. Many networks use LPR/LPD print servers to which are attached
+ PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached
+ inkjet printer. Use the appropriate device URI (Universal Resource Interface)
+ argument to the <code class="constant">lpadmin -v</code> option that is right for your
+ printer.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347659"></a><a name="id347661"></a></td><td align="left" valign="top"><p>
+ Is folder redirection dangerous? I've heard that you can lose your data that way.
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The only loss of data I know of that involved folder redirection was caused by
+ manual misuse of the redirection tool. The administrator redirected a folder to
+ a network drive and said he wanted to migrate (move) the data over. Then he
+ changed his mind, so he moved the folder back to the roaming profile. This time,
+ he declined to move the data because he thought it was still in the local profile
+ folder. That was not the case, so by declining to move the data back, he wiped out
+ the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347681"></a><a name="id347683"></a></td><td align="left" valign="top"><p>
+ Is it really necessary to set a local Group Policy to exclude the redirected
+ folders from the roaming profile?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Yes. If you do not do this, the data will still be copied from the network folder
+ (share) to the local cached copy of the profile.
+ </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id346053" href="#id346053">11</a>] </sup>
+ There is an alternate method by which a default user profile can be added to the
+ <code class="constant">NETLOGON</code> share. This facility in the Windows System tool
+ permits profiles to be exported. The export target may be a particular user or
+ group profile share point or else the <code class="constant">NETLOGON</code> share.
+ In this case, the profile directory must be named <code class="constant">Default User</code>.
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="2000users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. The 500-User Office </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. A Distributed 2000-User Network</td></tr></table></div></body></html>
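Review bot: the printer answer in this hunk expands URI as "Universal Resource Interface", which is wrong; URI is Uniform Resource Identifier, and the argument to lpadmin -v is the CUPS device URI for the printer. Suggest "Use the appropriate device URI (Uniform Resource Identifier) argument to the lpadmin -v option". In the same hunk, the RID answer states the mapping as "RID = UID x 2 + 1000" and then tells the reader that algorithmic rid base overrides it; the two sentences only agree if 1000 is presented as the default of that parameter rather than a fixed constant, so write it as "RID = UID x 2 + algorithmic rid base (default 1000)" and say that the calculation shown is the user-account case.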
diff --git a/docs/htmldocs/Samba3-ByExample/images/AccountingNetwork.png b/docs/htmldocs/Samba3-ByExample/images/AccountingNetwork.png
new file mode 100644
index 0000000000..ddb8fec85e
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/AccountingNetwork.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/Charity-Network.png b/docs/htmldocs/Samba3-ByExample/images/Charity-Network.png
new file mode 100644
index 0000000000..d17464a99d
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/Charity-Network.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/HostAnnouncment.png b/docs/htmldocs/Samba3-ByExample/images/HostAnnouncment.png
new file mode 100644
index 0000000000..56f9fb8576
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/HostAnnouncment.png
Binary files differ
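Review bot: the new image is added as HostAnnouncment.png, which drops the "e" in "Announcement". If this is the name the upstream HTML references, keep it as-is so the <img> links resolve; otherwise rename the file and the references together in this commit rather than carrying the misspelling forward.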
diff --git a/docs/htmldocs/Samba3-ByExample/images/NullConnect.png b/docs/htmldocs/Samba3-ByExample/images/NullConnect.png
new file mode 100644
index 0000000000..5320fc6db1
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/NullConnect.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/UNIX-Samba-and-LDAP.png b/docs/htmldocs/Samba3-ByExample/images/UNIX-Samba-and-LDAP.png
new file mode 100644
index 0000000000..d74aa47bbd
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/UNIX-Samba-and-LDAP.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/UserConnect.png b/docs/htmldocs/Samba3-ByExample/images/UserConnect.png
new file mode 100644
index 0000000000..0b9acce15e
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/UserConnect.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/UserMgrNT4.png b/docs/htmldocs/Samba3-ByExample/images/UserMgrNT4.png
new file mode 100644
index 0000000000..516c75b4b1
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/UserMgrNT4.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture.png b/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture.png
new file mode 100644
index 0000000000..3b6dc3ae56
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture2.png b/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture2.png
new file mode 100644
index 0000000000..b9b82c2287
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/WINREPRESSME-Capture2.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/WindowsXP-NullConnection.png b/docs/htmldocs/Samba3-ByExample/images/WindowsXP-NullConnection.png
new file mode 100644
index 0000000000..76d1ac2c9a
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/WindowsXP-NullConnection.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/WindowsXP-UserConnection.png b/docs/htmldocs/Samba3-ByExample/images/WindowsXP-UserConnection.png
new file mode 100644
index 0000000000..d60fefc659
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/WindowsXP-UserConnection.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/XP-screen001.png b/docs/htmldocs/Samba3-ByExample/images/XP-screen001.png
new file mode 100644
index 0000000000..6f0fe58e78
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/XP-screen001.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/acct2net.png b/docs/htmldocs/Samba3-ByExample/images/acct2net.png
new file mode 100644
index 0000000000..7791092535
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/acct2net.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP-Ok.png b/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP-Ok.png
new file mode 100644
index 0000000000..d6b43bc6fe
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP-Ok.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP.png b/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP.png
new file mode 100644
index 0000000000..951bd5f707
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/ch7-fail-overLDAP.png b/docs/htmldocs/Samba3-ByExample/images/ch7-fail-overLDAP.png
new file mode 100644
index 0000000000..43ba5d9668
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/ch7-fail-overLDAP.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/ch7-singleLDAP.png b/docs/htmldocs/Samba3-ByExample/images/ch7-singleLDAP.png
new file mode 100644
index 0000000000..f14da0135d
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/ch7-singleLDAP.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/ch8-migration.png b/docs/htmldocs/Samba3-ByExample/images/ch8-migration.png
new file mode 100644
index 0000000000..babedea7d4
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/ch8-migration.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/chap4-net.png b/docs/htmldocs/Samba3-ByExample/images/chap4-net.png
new file mode 100644
index 0000000000..5718d4e699
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/chap4-net.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/chap5-net.png b/docs/htmldocs/Samba3-ByExample/images/chap5-net.png
new file mode 100644
index 0000000000..ab19005814
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/chap5-net.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/chap6-net.png b/docs/htmldocs/Samba3-ByExample/images/chap6-net.png
new file mode 100644
index 0000000000..5a553667b2
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/chap6-net.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/chap7-idresol.png b/docs/htmldocs/Samba3-ByExample/images/chap7-idresol.png
new file mode 100644
index 0000000000..711414aa3c
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/chap7-idresol.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/chap7-net-Ar.png b/docs/htmldocs/Samba3-ByExample/images/chap7-net-Ar.png
new file mode 100644
index 0000000000..2f4d80f47b
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/chap7-net-Ar.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/chap7-net2-Br.png b/docs/htmldocs/Samba3-ByExample/images/chap7-net2-Br.png
new file mode 100644
index 0000000000..a75a47dc5d
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/chap7-net2-Br.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/chap9-ADSDC.png b/docs/htmldocs/Samba3-ByExample/images/chap9-ADSDC.png
new file mode 100644
index 0000000000..47d94fff3b
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/chap9-ADSDC.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/chap9-SambaDC.png b/docs/htmldocs/Samba3-ByExample/images/chap9-SambaDC.png
new file mode 100644
index 0000000000..cf528ee957
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/chap9-SambaDC.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/imc-usermanager2.png b/docs/htmldocs/Samba3-ByExample/images/imc-usermanager2.png
new file mode 100644
index 0000000000..3cfcc6a6ec
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/imc-usermanager2.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-config.png b/docs/htmldocs/Samba3-ByExample/images/lam-config.png
new file mode 100644
index 0000000000..15f989bf37
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/lam-config.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-group-members.png b/docs/htmldocs/Samba3-ByExample/images/lam-group-members.png
new file mode 100644
index 0000000000..cab8e42fc7
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/lam-group-members.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-groups.png b/docs/htmldocs/Samba3-ByExample/images/lam-groups.png
new file mode 100644
index 0000000000..da17b19a77
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/lam-groups.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-hosts.png b/docs/htmldocs/Samba3-ByExample/images/lam-hosts.png
new file mode 100644
index 0000000000..27806eb9ab
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/lam-hosts.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-login.png b/docs/htmldocs/Samba3-ByExample/images/lam-login.png
new file mode 100644
index 0000000000..cce500fc43
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/lam-login.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/lam-users.png b/docs/htmldocs/Samba3-ByExample/images/lam-users.png
new file mode 100644
index 0000000000..0ca4b437ec
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/lam-users.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/openmag.png b/docs/htmldocs/Samba3-ByExample/images/openmag.png
new file mode 100644
index 0000000000..52eca30c35
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/openmag.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/wxpp001.png b/docs/htmldocs/Samba3-ByExample/images/wxpp001.png
new file mode 100644
index 0000000000..2e689a17e2
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/wxpp001.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/wxpp004.png b/docs/htmldocs/Samba3-ByExample/images/wxpp004.png
new file mode 100644
index 0000000000..656f67942e
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/wxpp004.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/wxpp006.png b/docs/htmldocs/Samba3-ByExample/images/wxpp006.png
new file mode 100644
index 0000000000..a20b3ed583
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/wxpp006.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/wxpp007.png b/docs/htmldocs/Samba3-ByExample/images/wxpp007.png
new file mode 100644
index 0000000000..cf41352220
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/wxpp007.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/images/wxpp008.png b/docs/htmldocs/Samba3-ByExample/images/wxpp008.png
new file mode 100644
index 0000000000..9958c7c873
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/images/wxpp008.png
Binary files differ
diff --git a/docs/htmldocs/Samba3-ByExample/index.html b/docs/htmldocs/Samba3-ByExample/index.html
new file mode 100644
index 0000000000..a42873f4dd
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/index.html
@@ -0,0 +1,12 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Samba-3 by Example</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="next" href="pr01.html" title="About the Cover Artwork"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Samba-3 by Example</th></tr><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr></table><hr></div><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="S3bE"></a>Samba-3 by Example</h1></div><div><h2 class="subtitle">Practical Exercises in Successful Samba Deployment</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div><div><p class="pubdate">July, 2006</p></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="preface"><a href="pr01.html">About the Cover Artwork</a></span></dt><dt><span class="preface"><a href="pr02.html">Acknowledgments</a></span></dt><dt><span class="preface"><a href="pr03.html">Foreword</a></span></dt><dd><dl><dt><span class="sect1"><a href="pr03.html#id275401">By John M. 
Weathersby, Executive Director, OSSI</a></span></dt></dl></dd><dt><span class="preface"><a href="preface.html">Preface</a></span></dt><dd><dl><dt><span class="sect1"><a href="preface.html#id274305">Why Is This Book Necessary?</a></span></dt><dd><dl><dt><span class="sect2"><a href="preface.html#id274342">Samba 3.0.20 Update Edition</a></span></dt></dl></dd><dt><span class="sect1"><a href="preface.html#id274092">Prerequisites</a></span></dt><dt><span class="sect1"><a href="preface.html#id315668">Approach</a></span></dt><dt><span class="sect1"><a href="preface.html#id315719">Summary of Topics</a></span></dt><dt><span class="sect1"><a href="preface.html#id316343">Conventions Used</a></span></dt></dl></dd><dt><span class="part"><a href="ExNetworks.html">I. Example Network Configurations</a></span></dt><dd><dl><dt><span class="chapter"><a href="simple.html">1. No-Frills Samba Servers</a></span></dt><dd><dl><dt><span class="sect1"><a href="simple.html#id316528">Introduction</a></span></dt><dt><span class="sect1"><a href="simple.html#id316559">Assignment Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="simple.html#id316598">Drafting Office</a></span></dt><dt><span class="sect2"><a href="simple.html#id317306">Charity Administration Office</a></span></dt><dt><span class="sect2"><a href="simple.html#AccountingOffice">Accounting Office</a></span></dt></dl></dd><dt><span class="sect1"><a href="simple.html#id320818">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="small.html">2. 
Small Office Networking</a></span></dt><dd><dl><dt><span class="sect1"><a href="small.html#id321229">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id321247">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id321293">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id321342">Technical Issues</a></span></dt><dt><span class="sect2"><a href="small.html#id321528">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id321546">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id323199">Validation</a></span></dt><dt><span class="sect2"><a href="small.html#id323822">Notebook Computers: A Special Case</a></span></dt><dt><span class="sect2"><a href="small.html#id323841">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id323907">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="secure.html">3. 
Secure Office Networking</a></span></dt><dd><dl><dt><span class="sect1"><a href="secure.html#id324364">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id324404">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id324626">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id324638">Technical Issues</a></span></dt><dt><span class="sect2"><a href="secure.html#id325007">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id325041">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#ch4bsc">Basic System Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id325866">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4ptrcfg">Printer Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4valid">Validation</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4appscfg">Application Share Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id330151">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id330204">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="Big500users.html">4. 
The 500-User Office</a></span></dt><dd><dl><dt><span class="sect1"><a href="Big500users.html#id330645">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id330675">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id330756">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#id330784">Technical Issues</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id330961">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id330980">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="Big500users.html#ch5-dnshcp-setup">Installation of DHCP, DNS, and Samba Control Files</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id331694">Server Preparation: All Servers</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id332210">Server-Specific Preparation</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#ch5wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="Big500users.html#id335273">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="Big500users.html#id335326">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="happy.html">5. 
Making Happy Users</a></span></dt><dd><dl><dt><span class="sect1"><a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id336196">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id336272">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id336400">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id336802">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id338453">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id338466">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id338636">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id345079">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id345095">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id345184">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id345412">Preparation of 
Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id345510">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id345624">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id346340">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id346624">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id347264">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id347290">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id347320">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id347408">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="2000users.html">6. 
A Distributed 2000-User Network</a></span></dt><dd><dl><dt><span class="sect1"><a href="2000users.html#id347742">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id347767">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id347824">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id348070">Technical Issues</a></span></dt><dt><span class="sect2"><a href="2000users.html#id348898">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id348912">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id352072">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id352211">Questions and Answers</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="DMSMig.html">II. Domain Members, Updating Samba and Migration</a></span></dt><dd><dl><dt><span class="chapter"><a href="unixclients.html">7. 
Adding Domain Member Servers and Clients</a></span></dt><dd><dl><dt><span class="sect1"><a href="unixclients.html#id352990">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id353039">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id353067">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id353091">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id353679">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id353760">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id359708">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id360196">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id360240">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="upgrades.html">8. 
Updating Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="upgrades.html#id361313">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id361397">Cautions and Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id362605">Upgrading from Samba 1.x and 2.x to Samba-3</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id363269">Samba-2.x with LDAP Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id363384">Updating a Samba-3 Installation</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id363478">Samba-3 to Samba-3 Updates on the Same Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id363662">Migrating Samba-3 to a New Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id364040">Migration of Samba Accounts to Active Directory</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="ntmigration.html">9. 
Migrating NT4 Domain to Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="ntmigration.html#id364185">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id364261">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id364312">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id364468">Technical Issues</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id364771">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id364791">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id367204">NT4 Migration Using tdbsam Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id367537">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id367572">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="nw4migration.html">10. Migrating NetWare Server to Samba-3</a></span></dt><dd><dl><dt><span class="sect1"><a href="nw4migration.html#id368455">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id368561">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id368660">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id368732">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id368903">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id368911">NetWare Migration Using LDAP Backend</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="RefSection.html">III. 
Reference Section</a></span></dt><dd><dl><dt><span class="chapter"><a href="kerberos.html">11. Active Directory, Kerberos, and Security</a></span></dt><dd><dl><dt><span class="sect1"><a href="kerberos.html#id372607">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id373189">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id373203">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id373574">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id375060">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id375395">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id376321">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id377005">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id377127">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="DomApps.html">12. 
Integrating Additional Services</a></span></dt><dd><dl><dt><span class="sect1"><a href="DomApps.html#id377711">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id377734">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id377820">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id377849">Technical Issues</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id377995">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id378010">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id379772">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id379827">Questions and Answers</a></span></dt></dl></dd><dt><span class="chapter"><a href="HA.html">13. Performance, Reliability, and Availability</a></span></dt><dd><dl><dt><span class="sect1"><a href="HA.html#id380314">Introduction</a></span></dt><dt><span class="sect1"><a href="HA.html#id380391">Dissection and Discussion</a></span></dt><dt><span class="sect1"><a href="HA.html#id380842">Guidelines for Reliable Samba Operation</a></span></dt><dd><dl><dt><span class="sect2"><a href="HA.html#id380866">Name Resolution</a></span></dt><dt><span class="sect2"><a href="HA.html#id381308">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="HA.html#id381603">Use and Location of BDCs</a></span></dt><dt><span class="sect2"><a href="HA.html#id381671">Use One Consistent Version of MS Windows Client</a></span></dt><dt><span class="sect2"><a href="HA.html#id381688">For Scalability, Use SAN-Based Storage on Samba Servers</a></span></dt><dt><span class="sect2"><a href="HA.html#id381733">Distribute Network Load with MSDFS</a></span></dt><dt><span class="sect2"><a 
href="HA.html#id381784">Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</a></span></dt><dt><span class="sect2"><a href="HA.html#id381824">Hardware Problems</a></span></dt><dt><span class="sect2"><a href="HA.html#id381957">Large Directories</a></span></dt></dl></dd><dt><span class="sect1"><a href="HA.html#id382035">Key Points Learned</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch14.html">14. Samba Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch14.html#id382184">Free Support</a></span></dt><dt><span class="sect1"><a href="ch14.html#id382382">Commercial Support</a></span></dt></dl></dd><dt><span class="chapter"><a href="appendix.html">15. A Collection of Useful Tidbits</a></span></dt><dd><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383041">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383432">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383730">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id383740">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id383783">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id383865">DNS Root Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id383921">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id384378">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#id385293">IDEALX Management Console</a></span></dt><dt><span class="sect1"><a 
href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id385724">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id385863">Act! Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id385938">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="primer.html">16. Networking Primer</a></span></dt><dd><dl><dt><span class="sect1"><a href="primer.html#id386080">Requirements and Notes</a></span></dt><dt><span class="sect1"><a href="primer.html#id386216">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id386266">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#id386373">Exercises</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id386486">Single-Machine Broadcast Activity</a></span></dt><dt><span class="sect2"><a href="primer.html#secondmachine">Second Machine Startup Broadcast Interaction</a></span></dt><dt><span class="sect2"><a href="primer.html#id387580">Simple Windows Client Connection Characteristics</a></span></dt><dt><span class="sect2"><a href="primer.html#id388041">Windows 200x/XP Client Interaction with Samba-3</a></span></dt><dt><span class="sect2"><a href="primer.html#id388566">Conclusions to Exercises</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01conc">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id388668">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01qa">Questions and Answers</a></span></dt></dl></dd><dt><span class="appendix"><a href="gpl.html">A. 
GNU General Public License</a></span></dt><dd><dl><dt><span class="sect1"><a href="gpl.html#gpl-1">Preamble</a></span></dt><dt><span class="sect1"><a href="gpl.html#gpl-2">TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION</a></span></dt><dd><dl><dt><span class="sect2"><a href="gpl.html#gpl-2-0">Section 0</a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-1">Section 1</a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-2">Section 2</a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-3">Section 3
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-4">Section 4
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-5">Section 5
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-6">Section 6
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-7">Section 7
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-8">Section 8
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-9">Section 9
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-10">Section 10
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-11">NO WARRANTY Section 11
+ </a></span></dt><dt><span class="sect2"><a href="gpl.html#gpl-2-12">Section 12
+ </a></span></dt></dl></dd><dt><span class="sect1"><a href="gpl.html#gpl-3">How to Apply These Terms to Your New Programs
+ </a></span></dt></dl></dd></dl></dd><dt><span class="glossary"><a href="go01.html">Glossary</a></span></dt><dt><span class="index"><a href="ix01.html">Index</a></span></dt></dl></div><div class="list-of-figures"><p><b>List of Figures</b></p><dl><dt>1.1. <a href="simple.html#charitynet">Charity Administration Office Network</a></dt><dt>1.2. <a href="simple.html#acctingnet2">Accounting Office Network Topology</a></dt><dt>2.1. <a href="small.html#acct2net">Abmas Accounting 52-User Network Topology</a></dt><dt>3.1. <a href="secure.html#ch04net">Abmas Network Topology 130 Users</a></dt><dt>4.1. <a href="Big500users.html#chap05net">Network Topology 500 User Network Using tdbsam passdb backend.</a></dt><dt>5.1. <a href="happy.html#sbehap-LDAPdiag">The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</a></dt><dt>5.2. <a href="happy.html#chap6net">Network Topology 500 User Network Using ldapsam passdb backend</a></dt><dt>5.3. <a href="happy.html#XP-screen001">Windows XP Professional User Shared Folders</a></dt><dt>6.1. <a href="2000users.html#chap7idres">Samba and Authentication Backend Search Pathways</a></dt><dt>6.2. <a href="2000users.html#ch7singleLDAP">Samba Configuration to Use a Single LDAP Server</a></dt><dt>6.3. <a href="2000users.html#ch7dualLDAP">Samba Configuration to Use a Dual (Fail-over) LDAP Server</a></dt><dt>6.4. <a href="2000users.html#ch7dualadd">Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!</a></dt><dt>6.5. <a href="2000users.html#ch7dualok">Samba Configuration to Use Two LDAP Databases - The result is additive.</a></dt><dt>6.6. <a href="2000users.html#chap7net">Network Topology 2000 User Complex Design A</a></dt><dt>6.7. <a href="2000users.html#chap7net2">Network Topology 2000 User Complex Design B</a></dt><dt>7.1. <a href="unixclients.html#ch09openmag">Open Magazine Samba Survey</a></dt><dt>7.2. <a href="unixclients.html#ch9-sambadc">Samba Domain: Samba Member Server</a></dt><dt>7.3. 
<a href="unixclients.html#ch9-adsdc">Active Directory Domain: Samba Member Server</a></dt><dt>9.1. <a href="ntmigration.html#ch8-migration">Schematic Explaining the <code class="literal">net rpc vampire</code> Process</a></dt><dt>9.2. <a href="ntmigration.html#NT4DUM">View of Accounts in NT4 Domain User Manager</a></dt><dt>15.1. <a href="appendix.html#swxpp001">The General Panel.</a></dt><dt>15.2. <a href="appendix.html#swxpp004">The Computer Name Panel.</a></dt><dt>15.3. <a href="appendix.html#swxpp006">The Computer Name Changes Panel</a></dt><dt>15.4. <a href="appendix.html#swxpp007">The Computer Name Changes Panel Domain MIDEARTH</a></dt><dt>15.5. <a href="appendix.html#swxpp008">Computer Name Changes User name and Password Panel</a></dt><dt>15.6. <a href="appendix.html#lam-login">The LDAP Account Manager Login Screen</a></dt><dt>15.7. <a href="appendix.html#lam-config">The LDAP Account Manager Configuration Screen</a></dt><dt>15.8. <a href="appendix.html#lam-user">The LDAP Account Manager User Edit Screen</a></dt><dt>15.9. <a href="appendix.html#lam-group">The LDAP Account Manager Group Edit Screen</a></dt><dt>15.10. <a href="appendix.html#lam-group-mem">The LDAP Account Manager Group Membership Edit Screen</a></dt><dt>15.11. <a href="appendix.html#lam-host">The LDAP Account Manager Host Edit Screen</a></dt><dt>15.12. <a href="appendix.html#imcidealx">The IMC Samba User Account Screen</a></dt><dt>16.1. <a href="primer.html#pktcap01">Windows Me Broadcasts The First 10 Minutes</a></dt><dt>16.2. <a href="primer.html#pktcap02">Windows Me Later Broadcast Sample</a></dt><dt>16.3. <a href="primer.html#hostannounce">Typical Windows 9x/Me Host Announcement</a></dt><dt>16.4. <a href="primer.html#nullconnect">Typical Windows 9x/Me NULL SessionSetUp AndX Request</a></dt><dt>16.5. <a href="primer.html#userconnect">Typical Windows 9x/Me User SessionSetUp AndX Request</a></dt><dt>16.6. 
<a href="primer.html#XPCap01">Typical Windows XP NULL Session Setup AndX Request</a></dt><dt>16.7. <a href="primer.html#XPCap02">Typical Windows XP User Session Setup AndX Request</a></dt></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>1. <a href="preface.html#pref-new">Samba Changes 3.0.2 to 3.0.20</a></dt><dt>1.1. <a href="simple.html#acctingnet">Accounting Office Network Information</a></dt><dt>3.1. <a href="secure.html#chap4netid">Abmas.US ISP Information</a></dt><dt>3.2. <a href="secure.html#namedrscfiles">DNS (named) Resource Files</a></dt><dt>4.1. <a href="Big500users.html#ch5-filelocations">Domain: <code class="constant">MEGANET</code>, File Locations for Servers</a></dt><dt>5.1. <a href="happy.html#sbehap-privs">Current Privilege Capabilities</a></dt><dt>5.2. <a href="happy.html#oldapreq">Required OpenLDAP Linux Packages</a></dt><dt>5.3. <a href="happy.html#sbehap-bigacct">Abmas Network Users and Groups</a></dt><dt>5.4. <a href="happy.html#proffold">Default Profile Redirections</a></dt><dt>9.1. <a href="ntmigration.html#ch8-vampire">Samba <code class="filename">smb.conf</code> Scripts Essential to Samba Operation</a></dt><dt>13.1. <a href="HA.html#ProbList">Effect of Common Problems</a></dt><dt>16.1. <a href="primer.html#capsstats01">Windows Me Startup Broadcast Capture Statistics</a></dt><dt>16.2. <a href="primer.html#capsstats02">Second Machine (Windows 98) Capture Statistics</a></dt></dl></div><div class="list-of-examples"><p><b>List of Examples</b></p><dl><dt>1.1. <a href="simple.html#draft-smbconf">Drafting Office <code class="filename">smb.conf</code> File</a></dt><dt>1.2. <a href="simple.html#charity-smbconfnew">Charity Administration Office <code class="filename">smb.conf</code> New-style File</a></dt><dt>1.3. <a href="simple.html#charity-smbconf">Charity Administration Office <code class="filename">smb.conf</code> Old-style File</a></dt><dt>1.4. 
<a href="simple.html#MEreg">Windows Me Registry Edit File: Disable Password Caching</a></dt><dt>1.5. <a href="simple.html#acctconf">Accounting Office Network <code class="filename">smb.conf</code> Old Style Configuration File</a></dt><dt>2.1. <a href="small.html#initGrps">Script to Map Windows NT Groups to UNIX Groups</a></dt><dt>2.2. <a href="small.html#dhcp01">Abmas Accounting DHCP Server Configuration File <code class="filename">/etc/dhcpd.conf</code></a></dt><dt>2.3. <a href="small.html#acct2conf">Accounting Office Network <code class="filename">smb.conf</code> File [globals] Section</a></dt><dt>2.4. <a href="small.html#acct3conf">Accounting Office Network <code class="filename">smb.conf</code> File Services and Shares Section</a></dt><dt>3.1. <a href="secure.html#ch4memoryest">Estimation of Memory Requirements</a></dt><dt>3.2. <a href="secure.html#ch4diskest">Estimation of Disk Storage Requirements</a></dt><dt>3.3. <a href="secure.html#ch4natfw">NAT Firewall Configuration Script</a></dt><dt>3.4. <a href="secure.html#promisnet">130 User Network with <span class="emphasis"><em>tdbsam</em></span> [globals] Section</a></dt><dt>3.5. <a href="secure.html#promisnetsvca">130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part A</a></dt><dt>3.6. <a href="secure.html#promisnetsvcb">130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part B</a></dt><dt>3.7. <a href="secure.html#ch4initGrps">Script to Map Windows NT Groups to UNIX Groups</a></dt><dt>3.8. <a href="secure.html#prom-dhcp">DHCP Server Configuration File <code class="filename">/etc/dhcpd.conf</code></a></dt><dt>3.9. <a href="secure.html#ch4namedcfg">DNS Master Configuration File <code class="filename">/etc/named.conf</code> Master Section</a></dt><dt>3.10. <a href="secure.html#ch4namedvarfwd">DNS Master Configuration File <code class="filename">/etc/named.conf</code> Forward Lookup Definition Section</a></dt><dt>3.11. 
<a href="secure.html#ch4namedvarrev">DNS Master Configuration File <code class="filename">/etc/named.conf</code> Reverse Lookup Definition Section</a></dt><dt>3.12. <a href="secure.html#eth1zone">DNS 192.168.1 Reverse Zone File</a></dt><dt>3.13. <a href="secure.html#eth2zone">DNS 192.168.2 Reverse Zone File</a></dt><dt>3.14. <a href="secure.html#abmasbiz">DNS Abmas.biz Forward Zone File</a></dt><dt>3.15. <a href="secure.html#abmasus">DNS Abmas.us Forward Zone File</a></dt><dt>4.1. <a href="Big500users.html#ch5-massivesmb">Server: MASSIVE (PDC), File: <code class="filename">/etc/samba/smb.conf</code></a></dt><dt>4.2. <a href="Big500users.html#ch5-dc-common">Server: MASSIVE (PDC), File: <code class="filename">/etc/samba/dc-common.conf</code></a></dt><dt>4.3. <a href="Big500users.html#ch5-commonsmb">Common Samba Configuration File: <code class="filename">/etc/samba/common.conf</code></a></dt><dt>4.4. <a href="Big500users.html#ch5-bldg1-smb">Server: BLDG1 (Member), File: smb.conf</a></dt><dt>4.5. <a href="Big500users.html#ch5-bldg2-smb">Server: BLDG2 (Member), File: smb.conf</a></dt><dt>4.6. <a href="Big500users.html#ch5-dommem-smb">Common Domain Member Include File: dom-mem.conf</a></dt><dt>4.7. <a href="Big500users.html#massive-dhcp">Server: MASSIVE, File: dhcpd.conf</a></dt><dt>4.8. <a href="Big500users.html#bldg1dhcp">Server: BLDG1, File: dhcpd.conf</a></dt><dt>4.9. <a href="Big500users.html#bldg2dhcp">Server: BLDG2, File: dhcpd.conf</a></dt><dt>4.10. <a href="Big500users.html#massive-nameda">Server: MASSIVE, File: named.conf, Part: A</a></dt><dt>4.11. <a href="Big500users.html#massive-namedb">Server: MASSIVE, File: named.conf, Part: B</a></dt><dt>4.12. <a href="Big500users.html#massive-namedc">Server: MASSIVE, File: named.conf, Part: C</a></dt><dt>4.13. <a href="Big500users.html#abmasbizdns">Forward Zone File: abmas.biz.hosts</a></dt><dt>4.14. <a href="Big500users.html#abmasusdns">Forward Zone File: abmas.biz.hosts</a></dt><dt>4.15. 
<a href="Big500users.html#bldg12nameda">Servers: BLDG1/BLDG2, File: named.conf, Part: A</a></dt><dt>4.16. <a href="Big500users.html#bldg12namedb">Servers: BLDG1/BLDG2, File: named.conf, Part: B</a></dt><dt>4.17. <a href="Big500users.html#ch5-initgrps">Initialize Groups Script, File: /etc/samba/initGrps.sh</a></dt><dt>5.1. <a href="happy.html#sbehap-dbconf">LDAP DB_CONFIG File</a></dt><dt>5.2. <a href="happy.html#sbehap-slapdconf">LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part A</a></dt><dt>5.3. <a href="happy.html#sbehap-slapdconf2">LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part B</a></dt><dt>5.4. <a href="happy.html#sbehap-nss01">Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></a></dt><dt>5.5. <a href="happy.html#sbehap-nss02">Configuration File for NSS LDAP Clients Support <code class="filename">/etc/ldap.conf</code></a></dt><dt>5.6. <a href="happy.html#sbehap-massive-smbconfa">LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part A</a></dt><dt>5.7. <a href="happy.html#sbehap-massive-smbconfb">LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part B</a></dt><dt>5.8. <a href="happy.html#sbehap-bldg1-smbconf">LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</a></dt><dt>5.9. <a href="happy.html#sbehap-bldg2-smbconf">LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</a></dt><dt>5.10. <a href="happy.html#sbehap-shareconfa">LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</a></dt><dt>5.11. <a href="happy.html#sbehap-shareconfb">LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</a></dt><dt>5.12. <a href="happy.html#sbehap-ldifadd">LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</a></dt><dt>6.1. 
<a href="2000users.html#ch7-LDAP-master">LDAP Master Server Configuration File <code class="filename">/etc/openldap/slapd.conf</code></a></dt><dt>6.2. <a href="2000users.html#ch7-LDAP-slave">LDAP Slave Configuration File <code class="filename">/etc/openldap/slapd.conf</code></a></dt><dt>6.3. <a href="2000users.html#ch7-massmbconfA">Primary Domain Controller <code class="filename">smb.conf</code> File Part A</a></dt><dt>6.4. <a href="2000users.html#ch7-massmbconfB">Primary Domain Controller <code class="filename">smb.conf</code> File Part B</a></dt><dt>6.5. <a href="2000users.html#ch7-massmbconfC">Primary Domain Controller <code class="filename">smb.conf</code> File Part C</a></dt><dt>6.6. <a href="2000users.html#ch7-slvsmbocnfA">Backup Domain Controller <code class="filename">smb.conf</code> File Part A</a></dt><dt>6.7. <a href="2000users.html#ch7-slvsmbocnfB">Backup Domain Controller <code class="filename">smb.conf</code> File Part B</a></dt><dt>7.1. <a href="unixclients.html#ch9-sdmsdc">Samba Domain Member in Samba Domain Using LDAP <code class="filename">smb.conf</code> File</a></dt><dt>7.2. <a href="unixclients.html#ch9-ldifadd">LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</a></dt><dt>7.3. <a href="unixclients.html#ch9-sdmlcnf">Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></a></dt><dt>7.4. <a href="unixclients.html#ch9-sdmnss">NSS using LDAP for Identity Resolution File: <code class="filename">/etc/nsswitch.conf</code></a></dt><dt>7.5. <a href="unixclients.html#ch0-NT4DSDM">Samba Domain Member Server Using Winbind <code class="filename">smb.conf</code> File for NT4 Domain</a></dt><dt>7.6. <a href="unixclients.html#ch0-NT4DSCM">Samba Domain Member Server Using Local Accounts <code class="filename">smb.conf</code> File for NT4 Domain</a></dt><dt>7.7. <a href="unixclients.html#ch9-adssdm">Samba Domain Member <code class="filename">smb.conf</code> File for Active Directory Membership</a></dt><dt>7.8. 
<a href="unixclients.html#sbe-idmapridex">Example <code class="filename">smb.conf</code> File Using <code class="constant">idmap_rid</code></a></dt><dt>7.9. <a href="unixclients.html#sbeunxa">Typical ADS Style Domain <code class="filename">smb.conf</code> File</a></dt><dt>7.10. <a href="unixclients.html#sbewinbindex">ADS Membership Using RFC2307bis Identity Resolution <code class="filename">smb.conf</code> File</a></dt><dt>7.11. <a href="unixclients.html#ch9-pamwnbdlogin">SUSE: PAM <code class="filename">login</code> Module Using Winbind</a></dt><dt>7.12. <a href="unixclients.html#ch9-pamwbndxdm">SUSE: PAM <code class="filename">xdm</code> Module Using Winbind</a></dt><dt>7.13. <a href="unixclients.html#ch9-rhsysauth">Red Hat 9: PAM System Authentication File: <code class="filename">/etc/pam.d/system-auth</code> Module Using Winbind</a></dt><dt>9.1. <a href="ntmigration.html#sbent4smb">NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: A</a></dt><dt>9.2. <a href="ntmigration.html#sbent4smb2">NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: B</a></dt><dt>9.3. <a href="ntmigration.html#sbentslapd">NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part A</a></dt><dt>9.4. <a href="ntmigration.html#sbentslapd2">NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part B</a></dt><dt>9.5. <a href="ntmigration.html#sbrntldapconf">NT4 Migration NSS LDAP File: <code class="filename">/etc/ldap.conf</code></a></dt><dt>9.6. <a href="ntmigration.html#sbentnss">NT4 Migration NSS Control File: <code class="filename">/etc/nsswitch.conf</code> (Stage:1)</a></dt><dt>9.7. <a href="ntmigration.html#sbentnss2">NT4 Migration NSS Control File: <code class="filename">/etc/nsswitch.conf</code> (Stage:2)</a></dt><dt>10.1. <a href="nw4migration.html#sbeamg">A Rough Tool to Create an LDIF File from the System Account Files</a></dt><dt>10.2. 
<a href="nw4migration.html#ch8ldap">NSS LDAP Control File /etc/ldap.conf</a></dt><dt>10.3. <a href="nw4migration.html#sbepu2">The PAM Control File <code class="filename">/etc/security/pam_unix2.conf</code></a></dt><dt>10.4. <a href="nw4migration.html#ch8smbconf">Samba Configuration File smb.conf Part A</a></dt><dt>10.5. <a href="nw4migration.html#ch8smbconf2">Samba Configuration File smb.conf Part B</a></dt><dt>10.6. <a href="nw4migration.html#ch8smbconf3">Samba Configuration File smb.conf Part C</a></dt><dt>10.7. <a href="nw4migration.html#ch8smbconf4">Samba Configuration File smb.conf Part D</a></dt><dt>10.8. <a href="nw4migration.html#ch8smbconf5">Samba Configuration File smb.conf Part E</a></dt><dt>10.9. <a href="nw4migration.html#sbersync">Rsync Script</a></dt><dt>10.10. <a href="nw4migration.html#sbexcld">Rsync Files Exclusion List <code class="filename">/root/excludes.txt</code></a></dt><dt>10.11. <a href="nw4migration.html#ch8ideal">Idealx smbldap-tools Control File Part A</a></dt><dt>10.12. <a href="nw4migration.html#ch8ideal2">Idealx smbldap-tools Control File Part B</a></dt><dt>10.13. <a href="nw4migration.html#ch8ideal3">Idealx smbldap-tools Control File Part C</a></dt><dt>10.14. <a href="nw4migration.html#ch8ideal4">Idealx smbldap-tools Control File Part D</a></dt><dt>10.15. <a href="nw4migration.html#ch8kix">Kixtart Control File File: logon.kix</a></dt><dt>10.16. <a href="nw4migration.html#ch8kix2">Kixtart Control File File: main.kix</a></dt><dt>10.17. <a href="nw4migration.html#ch8kix3">Kixtart Control File File: setup.kix, Part A</a></dt><dt>10.18. <a href="nw4migration.html#ch8kix3b">Kixtart Control File File: setup.kix, Part B</a></dt><dt>10.19. <a href="nw4migration.html#ch8kix4">Kixtart Control File File: acct.kix</a></dt><dt>12.1. <a href="DomApps.html#ch10-krb5conf">Kerberos Configuration File: <code class="filename">/etc/krb5.conf</code></a></dt><dt>12.2. 
<a href="DomApps.html#ch10-smbconf">Samba Configuration File: <code class="filename">/etc/samba/smb.conf</code></a></dt><dt>12.3. <a href="DomApps.html#ch10-etcnsscfg">NSS Configuration File Extract File: <code class="filename">/etc/nsswitch.conf</code></a></dt><dt>12.4. <a href="DomApps.html#etcsquidcfg">Squid Configuration File Extract <code class="filename">/etc/squid.conf</code> [ADMINISTRATIVE PARAMETERS Section]</a></dt><dt>12.5. <a href="DomApps.html#etcsquid2">Squid Configuration File extract File: <code class="filename">/etc/squid.conf</code> [AUTHENTICATION PARAMETERS Section]</a></dt><dt>15.1. <a href="appendix.html#ch12SL">A Useful Samba Control Script for SUSE Linux</a></dt><dt>15.2. <a href="appendix.html#ch12RHscript">A Sample Samba Control Script for Red Hat Linux</a></dt><dt>15.3. <a href="appendix.html#loopback">DNS Localhost Forward Zone File: <code class="filename">/var/lib/named/localhost.zone</code></a></dt><dt>15.4. <a href="appendix.html#dnsloopy">DNS Localhost Reverse Zone File: <code class="filename">/var/lib/named/127.0.0.zone</code></a></dt><dt>15.5. <a href="appendix.html#roothint">DNS Root Name Server Hint File: <code class="filename">/var/lib/named/root.hint</code></a></dt><dt>15.6. <a href="appendix.html#sbehap-ldapreconfa">LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part A</a></dt><dt>15.7. <a href="appendix.html#sbehap-ldapreconfb">LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part B</a></dt><dt>15.8. <a href="appendix.html#sbehap-ldapreconfc">LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part C</a></dt><dt>15.9. <a href="appendix.html#sbehap-ldifpata">LDIF Pattern File Used to Pre-configure LDAP Part A</a></dt><dt>15.10. <a href="appendix.html#sbehap-ldifpatb">LDIF Pattern File Used to Pre-configure LDAP Part B</a></dt><dt>15.11. 
<a href="appendix.html#lamcfg">Example LAM Configuration File <code class="filename">config.cfg</code></a></dt><dt>15.12. <a href="appendix.html#lamconf">LAM Profile Control File <code class="filename">lam.conf</code></a></dt></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"> </td><td width="40%" align="right" valign="top"> About the Cover Artwork</td></tr></table></div></body></html>
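Review bot: in the generated List of Examples, the caption for Example 4.14 ("Forward Zone File: abmas.biz.hosts") is identical to Example 4.13 even though its anchor is `abmasusdns`, so the abmas.us zone file example is mislabelled; the title should presumably name the abmas.us zone file, and since this file is DocBook XSL output the fix belongs in the DocBook source caption, not in the generated HTML. The same source captions also produce the doubled word in "LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF" (Examples 5.12 and 7.2) and "Kixtart Control File File: logon.kix" (Examples 10.15 to 10.19), and the GPL appendix entries ("Section 3" through "Section 12" and "How to Apply These Terms to Your New Programs") carry a stray line break inside the anchor text that the other TOC entries do not have; worth cleaning up upstream in one pass rather than editing the regenerated output.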
diff --git a/docs/htmldocs/Samba3-ByExample/ix01.html b/docs/htmldocs/Samba3-ByExample/ix01.html
new file mode 100644
index 0000000000..13f1d61afd
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/ix01.html
@@ -0,0 +1 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Index</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="go01.html" title="Glossary"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Index</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="go01.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="index"><div class="titlepage"><div><div><h2 class="title"><a name="id390342"></a>Index</h2></div></div></div><div class="index"><div class="indexdiv"><h3>Symbols</h3><dl><dt>#delete group script, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>#delete user from group script, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>#delete user script, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>#wins support, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>%LOGONSERVER%, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>%USERNAME%, <a href="happy.html#id337279">Roaming Profile Background</a>, <a href="happy.html#id337546">Profile Changes</a></dt><dt>%USERPROFILE%, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>/data/ldap, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>/etc/cups/mime.convs, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>/etc/cups/mime.types, <a 
href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>/etc/dhcpd.conf, <a href="small.html#id321546">Implementation</a>, <a href="small.html#id323199">Validation</a>, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>/etc/exports, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>/etc/group, <a href="happy.html#id336802">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="upgrades.html#id363672">Replacing a Domain Member Server</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>/etc/hosts, <a href="simple.html#id316708">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="DomApps.html#id378243">Kerberos Configuration</a>, <a href="HA.html#id380877">Bad Hostnames</a></dt><dt>/etc/krb5.conf, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>/etc/ldap.conf, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>/etc/mime.convs, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer 
Configuration</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>/etc/mime.types, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>/etc/named.conf, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></dt><dt>/etc/nsswitch.conf, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a>, <a href="Big500users.html#ch5-domsvrspec">Configuration Specific to Domain Member Servers: BLDG1, BLDG2</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>/etc/openldap/slapd.conf, <a href="happy.html#id338019">Debugging LDAP</a>, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a>, <a href="2000users.html#id348912">Implementation</a></dt><dt>/etc/passwd, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a>, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS 
LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="upgrades.html#id363672">Replacing a Domain Member Server</a>, <a href="ntmigration.html#id364468">Technical Issues</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="nw4migration.html#id368732">Technical Issues</a>, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a>, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a>, <a href="primer.html#id387800">Findings and Comments</a></dt><dt>/etc/rc.d/boot.local, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a></dt><dt>/etc/rc.d/rc.local, <a href="small.html#id321546">Implementation</a></dt><dt>/etc/resolv.conf, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a></dt><dt>/etc/samba, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>/etc/samba/secrets.tdb, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>/etc/samba/smbusers, <a href="Big500users.html#id331694">Server Preparation: All Servers</a></dt><dt>/etc/shadow, <a href="upgrades.html#id363672">Replacing a Domain Member Server</a>, <a href="nw4migration.html#id368732">Technical Issues</a></dt><dt>/etc/squid/squid.conf, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>/etc/syslog.conf, <a href="happy.html#id338019">Debugging LDAP</a></dt><dt>/etc/xinetd.d, <a href="secure.html#procstart">Process Startup Configuration</a>, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></dt><dt>/lib/libnss_ldap.so.2, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client 
Configuration</a></dt><dt>/opt/IDEALX/sbin, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>/proc/sys/net/ipv4/ip_forward, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4bsc">Basic System Configuration</a></dt><dt>/usr/bin, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>/usr/lib/samba, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>/usr/local, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>/usr/local/samba, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>/usr/local/samba/var/locks, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></dt><dt>/usr/sbin, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>/usr/share, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>/usr/share/samba/swat, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>/usr/share/swat, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>/var/cache/samba, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></dt><dt>/var/lib/samba, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>/var/log/ldaplogs, <a href="happy.html#id338019">Debugging LDAP</a></dt><dt>/var/log/samba, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>8-bit, <a href="upgrades.html#id362458">International Language Support</a></dt></dl></div><div class="indexdiv"><h3></h3><dl><dt>, <a href="secure.html#ch4appscfg">Application Share Configuration</a>, <a href="happy.html#sbehap-ppc">Addition of Machines to the Domain</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="upgrades.html#sbeug1">Location of config files</a></dt><dd><dl><dt>Domain account, <a href="kerberos.html#id373574">Technical 
Issues</a></dt><dt>liability, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>logon, <a href="simple.html#id317589">Implementation</a></dt><dt>problem, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>transparent inter-operability, <a href="DomApps.html#id379827">Questions and Answers</a></dt></dl></dd></dl></div><div class="indexdiv"><h3>A</h3><dl><dt>abmas-netfw.sh, <a href="secure.html#ch4bsc">Basic System Configuration</a></dt><dt>abort shutdown script, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="2000users.html#id348912">Implementation</a></dt><dt>accept, <a href="secure.html#ch4ptrcfg">Printer Configuration</a></dt><dt>accepts liability, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>access, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id375528">Checkpoint Controls</a></dt><dt>access control, <a href="kerberos.html#id374766">Kerberos Exposed</a>, <a href="kerberos.html#id376370">Using the MMC Computer Management Interface</a></dt><dt>Access Control Lists (see ACLs)</dt><dt>access control settings, <a href="kerberos.html#id375060">Share Access Controls</a></dt><dt>access controls, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id375395">Share Definition Controls</a></dt><dt>accessible, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt><dt>account, <a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="kerberos.html#id375060">Share Access Controls</a></dt><dd><dl><dt>ADS Domain, <a href="kerberos.html#id373574">Technical Issues</a></dt></dl></dd><dt>account credentials, <a href="primer.html#id387800">Findings and Comments</a></dt><dt>account information, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>account names, <a 
href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>account policies, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>accountable, <a href="kerberos.html#id372607">Introduction</a>, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>accounts</dt><dd><dl><dt>authoritative, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>Domain, <a href="ntmigration.html#id364185">Introduction</a>, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>group, <a href="ntmigration.html#id364185">Introduction</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="kerberos.html#id372607">Introduction</a></dt><dt>machine, <a href="ntmigration.html#id364185">Introduction</a>, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>manage, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>user, <a href="ntmigration.html#id364185">Introduction</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="kerberos.html#id372607">Introduction</a></dt></dl></dd><dt>ACL, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="kerberos.html#id375528">Checkpoint Controls</a></dt><dt>ACLs, <a href="happy.html#id347320">Key Points Learned</a>, <a href="kerberos.html#id375060">Share Access Controls</a>, <a href="kerberos.html#id375395">Share Definition Controls</a></dt><dt>acquisitions, <a href="kerberos.html#id372607">Introduction</a></dt><dt>Act!, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>ACT! database, <a href="appendix.html#id385863">Act! Database Sharing</a></dt><dt>Act!Diag, <a href="appendix.html#id385863">Act! 
Database Sharing</a></dt><dt>Active Directory, <a href="happy.html#id336400">Dissection and Discussion</a>, <a href="happy.html#sbehap-locgrppol">The Local Group Policy</a>, <a href="2000users.html#id347824">Dissection and Discussion</a>, <a href="unixclients.html#id353039">Assignment Tasks</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="kerberos.html#id372607">Introduction</a>, <a href="kerberos.html#id377005">Key Points Learned</a>, <a href="kerberos.html#id377127">Questions and Answers</a>, <a href="DomApps.html">Integrating Additional Services</a>, <a href="DomApps.html#id377734">Assignment Tasks</a>, <a href="DomApps.html#id377849">Technical Issues</a>, <a href="DomApps.html#id378606">Samba Configuration</a>, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt><dd><dl><dt>authentication, <a href="DomApps.html#id379397">Squid Configuration</a></dt><dt>domain, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>join, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>management tools, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>realm, <a href="HA.html#id380877">Bad Hostnames</a></dt><dt>Replacement, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>server, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>Server, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>tree, <a href="DomApps.html#id378606">Samba Configuration</a></dt></dl></dd><dt>active directory, <a href="ntmigration.html#id364468">Technical Issues</a></dt><dt>AD printer publishing, <a href="happy.html#id346795">Uploading Printer Drivers to Samba 
Servers</a></dt><dt>ADAM, <a href="happy.html#id336400">Dissection and Discussion</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a></dt><dt>add group script, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>add machine script, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>Add Printer Wizard</dt><dd><dl><dt>APW, <a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></dt></dl></dd><dt>add user script, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS 
Support</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>add user to group script, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>adduser, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a></dt><dt>adequate precautions, <a href="upgrades.html#id361313">Introduction</a></dt><dt>admin users, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>administrative installation, <a href="secure.html#ch4appscfg">Application Share Configuration</a></dt><dt>administrative rights, <a href="kerberos.html#id375528">Checkpoint 
Controls</a></dt><dt>administrator, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a></dt><dt>ADMT, <a href="upgrades.html#id364040">Migration of Samba Accounts to Active Directory</a></dt><dt>ADS, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="DomApps.html#id378243">Kerberos Configuration</a>, <a href="HA.html#id380877">Bad Hostnames</a></dt><dd><dl><dt>server, <a href="kerberos.html#id373574">Technical Issues</a></dt></dl></dd><dt>ADS Domain, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>affordability, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt><dt>alarm, <a href="kerberos.html#id372607">Introduction</a></dt><dt>algorithm, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>allow trusted domains, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a></dt><dt>alternative, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>analysis, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>anonymous connection, <a href="small.html#id323199">Validation</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>Apache Web server, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>appliance mode, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>application server, <a href="secure.html#id324638">Technical Issues</a>, <a href="secure.html#ch4appscfg">Application Share Configuration</a></dt><dt>application servers, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt><dt>application/octet-stream, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer 
Configuration</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>APW, <a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></dt><dt>arp, <a href="secure.html#ch4valid">Validation</a></dt><dt>assessment, <a href="kerberos.html#id372607">Introduction</a></dt><dt>assistance, <a href="ch14.html#id382184">Free Support</a></dt><dt>assumptions, <a href="HA.html#id382035">Key Points Learned</a></dt><dt>authconfig, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></dt><dt>authenticate, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>authenticated, <a href="DomApps.html#id377734">Assignment Tasks</a></dt><dt>authenticated connection, <a href="small.html#id323199">Validation</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>authentication, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="nw4migration.html#id368660">Dissection and Discussion</a>, <a href="DomApps.html">Integrating Additional Services</a>, <a href="DomApps.html#id377849">Technical Issues</a>, <a href="DomApps.html#id379127">NSS Configuration</a>, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dd><dl><dt>plain-text, <a href="DomApps.html#id379827">Questions and Answers</a></dt></dl></dd><dt>authentication process, <a href="unixclients.html#id353760">Implementation</a></dt><dt>authentication protocols, <a href="DomApps.html#id379772">Key Points Learned</a></dt><dt>authoritative, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>authorized location, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>auto-generated SID, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>automatically allocate, <a 
href="unixclients.html#id353091">Technical Issues</a></dt><dt>availability, <a href="HA.html">Performance, Reliability, and Availability</a></dt></dl></div><div class="indexdiv"><h3>B</h3><dl><dt>backends, <a href="DomApps.html">Integrating Additional Services</a></dt><dt>background communication, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>Backup, <a href="kerberos.html#id372607">Introduction</a></dt><dt>Backup Domain Controller (see BDC)</dt><dt>bandwidth, <a href="DomApps.html#id377734">Assignment Tasks</a></dt><dd><dl><dt>requirements, <a href="2000users.html#id348107">User Needs</a></dt></dl></dd><dt>bandwidth calculations, <a href="secure.html#id324872">Hardware Requirements</a></dt><dt>BDC, <a href="Big500users.html#id330784">Technical Issues</a>, <a href="happy.html">Making Happy Users</a>, <a href="happy.html#id336272">Assignment Tasks</a>, <a href="happy.html#id336400">Dissection and Discussion</a>, <a href="happy.html#id338636">Samba Server Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a>, <a href="2000users.html#id352072">Key Points Learned</a>, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="ntmigration.html#id367204">NT4 Migration Using tdbsam Backend</a>, <a href="HA.html#id381603">Use and Location of BDCs</a></dt><dt>benefit, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>best practices, <a href="kerberos.html#id372607">Introduction</a></dt><dt>bias, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>binary database, <a href="secure.html#id325041">Implementation</a></dt><dt>binary files, <a href="upgrades.html#id363384">Updating a Samba-3 
Installation</a></dt><dt>binary package, <a href="upgrades.html#id363384">Updating a Samba-3 Installation</a></dt><dt>bind interfaces only, <a href="secure.html#id325041">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>broadcast, <a href="HA.html#id381054">Routed Networks</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dd><dl><dt>directed, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt><dt>mailslot, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt></dl></dd><dt>broadcast messages, <a href="secure.html#id325041">Implementation</a></dt><dt>broadcast storms, <a href="HA.html#id381218">Network Collisions</a></dt><dt>broken, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>broken behavior, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dt>browse, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>browse master, <a href="primer.html#id386612">Findings</a></dt><dt>Browse Master, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>browse.dat, <a href="upgrades.html#id363672">Replacing a Domain Member Server</a></dt><dt>browseable, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain 
with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>Browser Election Service, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>browsing, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="DomApps.html#id377849">Technical Issues</a>, <a href="primer.html#id386266">Assignment Tasks</a></dt><dt>budgetted, <a href="kerberos.html#id372607">Introduction</a></dt><dt>bug fixes, <a href="kerberos.html#id372607">Introduction</a></dt><dt>bug report, <a href="ch14.html#id382184">Free Support</a></dt></dl></div><div class="indexdiv"><h3>C</h3><dl><dt>cache, <a href="appendix.html#id385938">Opportunistic Locking Controls</a></dt><dt>cache directories, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>caching, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>case sensitive, <a href="HA.html#id381957">Large Directories</a></dt><dt>case-sensitive, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>centralized storage, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>character set, <a href="upgrades.html#id362458">International Language Support</a></dt><dt>check samba daemons, <a href="small.html#id323199">Validation</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>check-point, <a href="kerberos.html#id375395">Share Definition Controls</a></dt><dt>check-point controls, <a href="kerberos.html#id375528">Checkpoint Controls</a></dt><dt>Checkpoint Controls, <a href="kerberos.html#id375528">Checkpoint Controls</a></dt><dt>chgrp, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>chkconfig, <a href="simple.html#id316708">Implementation</a>, <a href="simple.html#id317589">Implementation</a>, <a 
href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#procstart">Process Startup Configuration</a>, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a>, <a href="2000users.html#id348912">Implementation</a></dt><dt>chmod, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>choice, <a href="kerberos.html#id373203">Dissection and Discussion</a>, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>chown, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>CIFS, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="primer.html#id386612">Findings</a></dt><dt>cifsfs, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dt>clean database, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>clients per DC, <a href="happy.html">Making Happy Users</a></dt><dt>Clock skew, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>cluster, <a href="HA.html#id380314">Introduction</a></dt><dt>clustering, <a href="HA.html#id380314">Introduction</a>, <a href="HA.html#id381688">For Scalability, Use SAN-Based Storage on Samba Servers</a></dt><dt>code maintainer, <a href="ch14.html#id382184">Free Support</a></dt><dt>codepage, <a href="upgrades.html#id362458">International Language Support</a></dt><dt>collision rates, <a href="HA.html#id381218">Network Collisions</a></dt><dt>comment, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a 
href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>commercial, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>commercial software, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>commercial support, <a href="ch14.html">Samba Support</a>, <a href="ch14.html#id382382">Commercial Support</a></dt><dt>Common Internet File System (see CIFS)</dt><dt>comparison</dt><dd><dl><dt>Active Directory &amp; OpenLDAP, <a href="happy.html#id336400">Dissection and Discussion</a></dt></dl></dd><dt>compat, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>compatible, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>compile-time, <a href="upgrades.html#sbeug1">Location of config files</a></dt><dt>complexities, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dt>compromise, <a href="happy.html#id336196">Introduction</a>, <a href="kerberos.html#id372607">Introduction</a>, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>computer account, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>Computer Management, <a href="kerberos.html#id375060">Share Access Controls</a>, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>computer name, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>condemns, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>conferences, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>configuration files, <a 
href="upgrades.html#id361313">Introduction</a></dt><dt>configure.pl, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>connection, <a href="kerberos.html#id375060">Share Access Controls</a></dt><dt>connectivity, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>consequential risk, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>consultant, <a href="simple.html#id316598">Drafting Office</a>, <a href="kerberos.html#id372607">Introduction</a>, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>consumer, <a href="kerberos.html#id373203">Dissection and Discussion</a>, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>consumer expects, <a href="ch14.html">Samba Support</a></dt><dt>contiguous directory, <a href="2000users.html#id348912">Implementation</a></dt><dt>contributions, <a href="upgrades.html">Updating Samba-3</a></dt><dt>control files, <a href="upgrades.html#id363384">Updating a Samba-3 Installation</a></dt><dt>convmv, <a href="upgrades.html#id362458">International Language Support</a></dt><dt>copy, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>corrective action, <a href="HA.html#id381824">Hardware Problems</a></dt><dt>cost, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>cost-benefit, <a href="nw4migration.html#id368561">Assignment Tasks</a></dt><dt>country of origin, <a href="ch14.html#id382382">Commercial Support</a></dt><dt>Courier-IMAP, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>create mask, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>credential, <a href="kerberos.html#id375395">Share Definition Controls</a></dt><dt>credentials, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="kerberos.html#id373574">Technical 
Issues</a></dt><dt>crippled, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt><dt>criticism, <a href="kerberos.html">Active Directory, Kerberos, and Security</a>, <a href="kerberos.html#id372607">Introduction</a></dt><dt>Critics, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>Cryptographic, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>CUPS, <a href="simple.html#id317402">Dissection and Discussion</a>, <a href="small.html#id321342">Technical Issues</a>, <a href="small.html#id321546">Implementation</a>, <a href="small.html#id323841">Key Points Learned</a>, <a href="secure.html#id325041">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a>, <a href="happy.html#id336272">Assignment Tasks</a>, <a href="happy.html#id337689">Installation of Printer Driver Auto-Download</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dd><dl><dt>queue, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt></dl></dd><dt>cups options, <a href="secure.html#id325866">Samba Configuration</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>cupsd, <a href="secure.html#ch4bsc">Basic System Configuration</a></dt><dt>customer expected, <a href="ch14.html">Samba Support</a></dt><dt>customers, <a href="ch14.html">Samba Support</a></dt></dl></div><div class="indexdiv"><h3>D</h3><dl><dt>daemon, <a href="simple.html#validate1">Validation</a>, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="DomApps.html#id377849">Technical Issues</a>, <a href="DomApps.html#id379827">Questions and Answers</a>, <a 
href="appendix.html#id383432">Starting Samba</a></dt><dt>daemon control, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></dt><dt>data</dt><dd><dl><dt>corruption, <a href="happy.html">Making Happy Users</a></dt><dt>integrity, <a href="unixclients.html#id360240">Questions and Answers</a></dt></dl></dd><dt>data corruption, <a href="HA.html#id381824">Hardware Problems</a>, <a href="appendix.html#id385863">Act! Database Sharing</a></dt><dt>data integrity, <a href="HA.html#id381824">Hardware Problems</a>, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>data storage, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>database, <a href="2000users.html#id347824">Dissection and Discussion</a>, <a href="2000users.html#id352211">Questions and Answers</a>, <a href="nw4migration.html#id368660">Dissection and Discussion</a></dt><dt>database applications, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>DB_CONFIG, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>DCE, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>DDNS (see dynamic DNS)</dt><dt>Debian, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>default devmode, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a></dt><dt>default installation, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>default password, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>default profile, <a href="happy.html#id336272">Assignment Tasks</a>, <a href="happy.html#id336802">Technical Issues</a></dt><dt>Default User, <a href="happy.html#id337546">Profile Changes</a>, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>defective</dt><dd><dl><dt>cables, <a href="HA.html#id381824">Hardware Problems</a></dt><dt>HUBs, <a href="HA.html#id381824">Hardware 
Problems</a></dt><dt>switches, <a href="HA.html#id381824">Hardware Problems</a></dt></dl></dd><dt>defects, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>defensible standards, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>defragmentation, <a href="secure.html#ch4wincfg">Windows Client Configuration</a></dt><dt>delete group script, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>delete user from group script, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>delete user script, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a></dt><dt>delimiter, <a href="kerberos.html#id375528">Checkpoint Controls</a></dt><dt>dependability, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>deployment, <a href="ch14.html#id382184">Free Support</a></dt><dt>desired security setting, <a href="kerberos.html#id376809">Setting Posix ACLs in UNIX/Linux</a></dt><dt>development, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>DHCP, <a href="small.html#id321342">Technical Issues</a>, <a href="small.html#id321546">Implementation</a>, <a href="small.html#id323841">Key Points Learned</a>, <a href="secure.html#ch4wincfg">Windows Client Configuration</a>, <a 
href="Big500users.html#ch5wincfg">Windows Client Configuration</a>, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a>, <a href="2000users.html#id352211">Questions and Answers</a></dt><dd><dl><dt>client, <a href="HA.html#id380877">Bad Hostnames</a></dt><dt>relay, <a href="Big500users.html#id330784">Technical Issues</a></dt><dt>Relay Agent, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>request, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>requests, <a href="Big500users.html#id330784">Technical Issues</a></dt><dt>servers, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>traffic, <a href="2000users.html#id352211">Questions and Answers</a></dt></dl></dd><dt>dhcp client validation, <a href="small.html#id323199">Validation</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>DHCP Server, <a href="small.html#id321546">Implementation</a></dt><dt>DHCP server, <a href="secure.html#id324638">Technical Issues</a></dt><dt>diagnostic, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a></dt><dt>diffusion, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>digital rights, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>digital sign'n'seal, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>digits, <a href="HA.html#id380877">Bad Hostnames</a></dt><dt>diligence, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>directory, <a href="2000users.html#id347824">Dissection and Discussion</a>, <a href="unixclients.html#id353679">Political Issues</a>, <a href="upgrades.html#sbeug1">Location of config files</a></dt><dd><dl><dt>Computers container, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>management, <a href="happy.html#id336400">Dissection and Discussion</a></dt><dt>People container, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group 
Accounts</a></dt><dt>replication, <a href="happy.html#id336400">Dissection and Discussion</a></dt><dt>schema, <a href="happy.html#id336400">Dissection and Discussion</a></dt><dt>server, <a href="happy.html#id336802">Technical Issues</a></dt><dt>synchronization, <a href="happy.html#id336400">Dissection and Discussion</a></dt></dl></dd><dt>directory mask, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>directory tree, <a href="kerberos.html#id376809">Setting Posix ACLs in UNIX/Linux</a></dt><dt>disable, <a href="kerberos.html#id372607">Introduction</a></dt><dt>disable spoolss, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>disaster recovery, <a href="kerberos.html#id372607">Introduction</a></dt><dt>disk image, <a href="happy.html#id336272">Assignment Tasks</a></dt><dt>disruptive, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt><dt>distributed, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="HA.html#id381733">Distribute Network Load with MSDFS</a></dt><dt>distributed domain, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>DMB, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>DMS, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id363672">Replacing a Domain Member Server</a></dt><dt>DNS, <a href="small.html#id321342">Technical Issues</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id324638">Technical Issues</a>, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="HA.html#id380877">Bad Hostnames</a>, <a href="HA.html#id381054">Routed Networks</a>, <a href="appendix.html#domjoin">Joining a Domain: Windows 
200x/XP Professional</a></dt><dd><dl><dt>configuration, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>Dynamic, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>dynamic, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt><dt>lookup, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>name lookup, <a href="HA.html#id380877">Bad Hostnames</a></dt><dt>SRV records, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>suffix, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt></dl></dd><dt>DNS server, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></dt><dt>document the settings, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>documentation, <a href="kerberos.html#id373203">Dissection and Discussion</a>, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>documented, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>Domain, <a href="small.html#id321342">Technical Issues</a></dt><dd><dl><dt>groups, <a href="small.html#id321342">Technical Issues</a></dt></dl></dd><dt>domain</dt><dd><dl><dt>Active Directory, <a href="DomApps.html#id377849">Technical Issues</a></dt><dt>controller, <a href="upgrades.html#id363862">Replacing a Domain Controller</a></dt><dt>joining, <a href="appendix.html">A Collection of Useful Tidbits</a></dt><dt>trusted, <a href="unixclients.html#id360240">Questions and Answers</a></dt></dl></dd><dt>Domain accounts, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>Domain Administrator, <a href="kerberos.html#id375060">Share Access Controls</a></dt><dt>Domain Controller, <a href="small.html#id323841">Key Points Learned</a>, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a>, <a 
href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#id353760">Implementation</a>, <a href="HA.html#id381603">Use and Location of BDCs</a></dt><dd><dl><dt>closest, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt></dl></dd><dt>domain controller, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>domain controllers, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>Domain Controllers, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>Domain Groups</dt><dd><dl><dt>well-known, <a href="appendix.html#id383921">Initialization of the LDAP Database</a></dt></dl></dd><dt>Domain join, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>domain logons, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>domain master, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="ntmigration.html#id367204">NT4 Migration Using tdbsam Backend</a></dt><dt>Domain Master Browser (see DMB)</dt><dt>Domain Member, <a href="HA.html#id381603">Use and Location of BDCs</a></dt><dd><dl><dt>authoritative</dt><dd><dl><dt>local accounts, <a href="unixclients.html#id353091">Technical Issues</a></dt></dl></dd><dt>client, <a 
href="unixclients.html#id353760">Implementation</a></dt><dt>desktop, <a href="unixclients.html#id352990">Introduction</a></dt><dt>server, <a href="unixclients.html#id352990">Introduction</a>, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#id353760">Implementation</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>servers, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="kerberos.html#id375528">Checkpoint Controls</a></dt><dt>workstations, <a href="unixclients.html#id353760">Implementation</a></dt></dl></dd><dt>domain member</dt><dd><dl><dt>servers, <a href="unixclients.html#id353091">Technical Issues</a></dt></dl></dd><dt>Domain Member server, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>Domain Member servers, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>domain members, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>domain name space, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>domain replication, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>domain SID, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>Domain SID, <a href="ntmigration.html#id364468">Technical Issues</a>, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>domain tree, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>Domain User Manager, <a href="happy.html#id345184">Configuring Profile Directories</a></dt><dt>Domain users, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>DOS, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>dos2unix, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a></dt><dt>down-grade, <a 
href="upgrades.html#id361313">Introduction</a></dt><dt>drive letters, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>drive mapping, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>dumb printing, <a href="happy.html#id337689">Installation of Printer Driver Auto-Download</a></dt><dt>dump, <a href="ntmigration.html#id364468">Technical Issues</a>, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>duplicate accounts, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></dt><dt>dynamic DNS, <a href="secure.html#id324638">Technical Issues</a></dt></dl></div><div class="indexdiv"><h3>E</h3><dl><dt>e-Directory, <a href="nw4migration.html#id368660">Dissection and Discussion</a></dt><dt>ea support, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>Easy Software Products, <a href="happy.html#id337689">Installation of Printer Driver Auto-Download</a></dt><dt>economically sustainable, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>eDirectory, <a href="happy.html#id336400">Dissection and Discussion</a></dt><dt>education, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>election, <a href="primer.html#id386612">Findings</a></dt><dt>employment, <a href="kerberos.html#id372607">Introduction</a>, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>enable, <a href="secure.html#ch4ptrcfg">Printer Configuration</a></dt><dt>enable privileges, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></dt><dt>encrypt passwords, <a href="DomApps.html#id379127">NSS Configuration</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>encrypted, <a href="primer.html#id387800">Findings and Comments</a></dt><dt>encrypted password, <a href="primer.html#id388041">Windows 200x/XP Client Interaction 
with Samba-3</a></dt><dt>encrypted passwords, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>End User License Agreement (see EULA)</dt><dt>enumerating, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>essential, <a href="kerberos.html#id372607">Introduction</a></dt><dt>Ethereal, <a href="primer.html#id386080">Requirements and Notes</a></dt><dt>ethereal, <a href="primer.html#id386373">Exercises</a></dt><dt>Ethernet switch, <a href="small.html#id321342">Technical Issues</a></dt><dt>ethernet switch, <a href="happy.html">Making Happy Users</a></dt><dt>EULA, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>Everyone, <a href="kerberos.html#id375060">Share Access Controls</a></dt><dt>Excel, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt><dt>exclusive open, <a href="appendix.html#id385724">Microsoft Access</a></dt><dt>experiment, <a href="kerberos.html">Active Directory, Kerberos, and Security</a></dt><dt>export, <a href="ntmigration.html#id364468">Technical Issues</a></dt><dt>extent, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>External Domains, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>extreme demand, <a href="HA.html#id380842">Guidelines for Reliable Samba Operation</a></dt></dl></div><div class="indexdiv"><h3>F</h3><dl><dt>fail, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt><dt>fail-over, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="2000users.html#id348912">Implementation</a></dt><dt>failed, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>failed join, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id358229">IDMAP_RID with 
Winbind</a></dt><dt>failure, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>familiar, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>fatal problem, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>fear, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>fears, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>Fedora, <a href="simple.html#id316598">Drafting Office</a></dt><dt>FHS, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>file and print server, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>file and print service, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>file caching, <a href="HA.html#id381308">Samba Configuration</a>, <a href="appendix.html#id385938">Opportunistic Locking Controls</a></dt><dt>File Hierarchy System (see FHS)</dt><dt>file locations, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>file permissions, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>file server</dt><dd><dl><dt>read-only, <a href="simple.html#id316663">Dissection and Discussion</a></dt></dl></dd><dt>file servers, <a href="happy.html#id338636">Samba Server Implementation</a></dt><dt>file system, <a href="kerberos.html#id373574">Technical Issues</a></dt><dd><dl><dt>access control, <a href="secure.html#id325866">Samba Configuration</a></dt><dt>Ext3, <a href="simple.html#id316708">Implementation</a></dt><dt>permissions, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a></dt></dl></dd><dt>file system security, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>filter, <a href="kerberos.html#id375060">Share Access Controls</a></dt><dt>financial responsibility, <a href="kerberos.html#id372607">Introduction</a></dt><dt>firewall, <a href="secure.html#id324638">Technical Issues</a>, <a href="secure.html#ch4bsc">Basic 
System Configuration</a>, <a href="kerberos.html#id372607">Introduction</a></dt><dt>fix, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>flaws, <a href="kerberos.html#id372607">Introduction</a></dt><dt>flexibility, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>flush</dt><dd><dl><dt>cache memory, <a href="appendix.html#id385938">Opportunistic Locking Controls</a></dt></dl></dd><dt>folder redirection, <a href="happy.html#id336802">Technical Issues</a>, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a>, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>force group, <a href="simple.html#id317589">Implementation</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="kerberos.html#id375808">Override Controls</a>, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>force printername, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>force user, <a href="simple.html#id317402">Dissection and Discussion</a>, <a href="simple.html#id317589">Implementation</a>, <a href="kerberos.html#id375808">Override Controls</a>, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>forced settings, <a href="kerberos.html#id375808">Override Controls</a></dt><dt>foreign, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>foreign SID, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>forwarded, <a href="HA.html#id381054">Routed Networks</a></dt><dt>foundation members, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>Free Standards Group (see FSG)</dt><dt>free support, <a href="ch14.html">Samba Support</a>, <a href="ch14.html#id382184">Free Support</a></dt><dt>front-end, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dd><dl><dt>server, <a href="HA.html#id381733">Distribute 
Network Load with MSDFS</a></dt></dl></dd><dt>frustration, <a href="upgrades.html#id361313">Introduction</a></dt><dt>FSG, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>FTP</dt><dd><dl><dt>proxy, <a href="DomApps.html#id379827">Questions and Answers</a></dt></dl></dd><dt>full control, <a href="kerberos.html#id375060">Share Access Controls</a>, <a href="kerberos.html#id376647">Using MS Windows Explorer (File Manager)</a></dt><dt>fully qualified, <a href="kerberos.html#id375528">Checkpoint Controls</a></dt><dt>functional differences, <a href="upgrades.html#id361397">Cautions and Notes</a></dt></dl></div><div class="indexdiv"><h3>G</h3><dl><dt>generation, <a href="upgrades.html#id361397">Cautions and Notes</a></dt><dt>Gentoo, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>getent, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a></dt><dt>getfacl, <a href="kerberos.html#id376809">Setting Posix ACLs in UNIX/Linux</a></dt><dt>getgrnam, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>getpwnam, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>getpwnam(), <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>GID, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="ntmigration.html#id367572">Questions and 
Answers</a></dt><dt>Goettingen, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>government, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>GPL, <a href="secure.html#id329651">Comments Regarding Software Terms of Use</a></dt><dt>group account, <a href="simple.html#AcctgNet">Implementation</a>, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>group management, <a href="secure.html#id325041">Implementation</a></dt><dt>group mapping, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>group membership, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt><dt>group names, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>group policies, <a href="ntmigration.html#id364185">Introduction</a></dt><dt>Group Policy, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt><dt>Group Policy editor, <a href="happy.html#sbehap-locgrppol">The Local Group Policy</a></dt><dt>Group Policy Objects, <a href="happy.html#sbehap-locgrppol">The Local Group Policy</a></dt><dt>groupadd, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>groupdel, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>groupmem, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>groupmod, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a 
href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>GSS-API, <a href="primer.html#id388041">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>guest account, <a href="primer.html#id387800">Findings and Comments</a>, <a href="primer.html#chap01conc">Dissection and Discussion</a>, <a href="primer.html#id388668">Technical Issues</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>guest ok, <a href="simple.html#id316708">Implementation</a>, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt></dl></div><div class="indexdiv"><h3>H</h3><dl><dt>hackers, <a href="kerberos.html#id372607">Introduction</a></dt><dt>hardware prices, <a href="HA.html#id381824">Hardware Problems</a></dt><dt>hardware problems, <a href="HA.html#id381824">Hardware Problems</a></dt><dt>Heimdal, <a href="DomApps.html#id378010">Implementation</a>, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>Heimdal Kerberos, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="kerberos.html#id374766">Kerberos 
Exposed</a></dt><dt>Heimdal kerberos, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a></dt><dt>help, <a href="ch14.html#id382184">Free Support</a></dt><dt>helper agent, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>hesiod, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>hide files, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>hierarchy of control, <a href="kerberos.html#id375395">Share Definition Controls</a></dt><dt>high availability, <a href="happy.html#id336400">Dissection and Discussion</a></dt><dt>hire, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>HKEY_CURRENT_USER, <a href="happy.html#id337279">Roaming Profile Background</a></dt><dt>HKEY_LOCAL_MACHINE, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>HKEY_LOCAL_USER, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>host announcement, <a href="primer.html#id386266">Assignment Tasks</a>, <a href="primer.html#id387234">Findings</a></dt><dt>hostname, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>hosts, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>hosts allow, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></dt><dt>HUB, <a href="happy.html">Making Happy Users</a></dt><dt>Hybrid, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>hypothetical, <a href="kerberos.html#id372607">Introduction</a></dt></dl></div><div class="indexdiv"><h3>I</h3><dl><dt>Idealx, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a 
href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dd><dl><dt>smbldap-tools, <a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a>, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></dt></dl></dd><dt>identifiers, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>identity, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dd><dl><dt>management, <a href="happy.html#id336802">Technical Issues</a></dt></dl></dd><dt>identity management, <a href="Big500users.html#id330784">Technical Issues</a>, <a href="2000users.html#id347824">Dissection and Discussion</a>, <a href="unixclients.html#id353679">Political Issues</a>, <a href="nw4migration.html#id368660">Dissection and Discussion</a></dt><dt>Identity Management, <a href="happy.html#id336400">Dissection and Discussion</a>, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a>, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>Identity management, <a href="unixclients.html#id359708">UNIX/Linux Client Domain Member</a></dt><dt>Identity resolution, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id359708">UNIX/Linux Client Domain Member</a>, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>Identity resolver, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>IDMAP, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a></dt><dt>idmap backend, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a 
href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>IDMAP backend, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>idmap gid, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="DomApps.html#id379127">NSS Configuration</a></dt><dt>idmap uid, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with 
Samba Domain Member Server</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="DomApps.html#id379127">NSS Configuration</a></dt><dt>idmap_rid, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a></dt><dt>IMAP, <a href="nw4migration.html#id368732">Technical Issues</a></dt><dt>import, <a href="ntmigration.html#id364468">Technical Issues</a></dt><dt>include, <a href="Big500users.html#id330980">Implementation</a></dt><dt>income, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>independent expert, <a href="kerberos.html#id372607">Introduction</a></dt><dt>inetd, <a href="secure.html#procstart">Process Startup Configuration</a></dt><dt>inetOrgPerson, <a href="nw4migration.html#id368732">Technical Issues</a></dt><dt>inheritance, <a href="kerberos.html#id376809">Setting Posix ACLs in UNIX/Linux</a></dt><dt>initGrps.sh, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a></dt><dt>initial credentials, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>inoperative, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt><dt>install, <a href="upgrades.html">Updating Samba-3</a></dt><dt>installation, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>integrate, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>integrity, <a href="kerberos.html#id372607">Introduction</a>, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>inter-domain, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>inter-operability, <a 
href="kerberos.html#id373203">Dissection and Discussion</a>, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id377005">Key Points Learned</a>, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>interactive help, <a href="ch14.html#id382184">Free Support</a></dt><dt>interdomain trusts, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>interfaces, <a href="secure.html#id325041">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>intermittent, <a href="HA.html#id381824">Hardware Problems</a></dt><dt>internationalization, <a href="upgrades.html#id362458">International Language Support</a></dt><dt>Internet Explorer, <a href="DomApps.html#id377849">Technical Issues</a></dt><dt>Internet Information Server, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>interoperability, <a href="happy.html#id336400">Dissection and Discussion</a></dt><dt>IP forwarding, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a></dt><dt>IPC$, <a href="primer.html#id387800">Findings and Comments</a></dt><dt>iptables, <a href="secure.html#id324638">Technical Issues</a></dt><dt>IRC, <a href="ch14.html#id382184">Free Support</a></dt><dt>isolated, <a href="kerberos.html#id372607">Introduction</a></dt><dt>Italian, <a href="DomApps.html#id379827">Questions and Answers</a></dt></dl></div><div class="indexdiv"><h3>J</h3><dl><dt>jobs, <a href="kerberos.html#id372607">Introduction</a></dt><dt>joining a domain, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt></dl></div><div class="indexdiv"><h3>K</h3><dl><dt>KDC, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>Kerberos, <a 
href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="kerberos.html#id372607">Introduction</a>, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id377005">Key Points Learned</a>, <a href="DomApps.html#id377849">Technical Issues</a>, <a href="DomApps.html#id378010">Implementation</a>, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dd><dl><dt>Heimdal, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>interoperability, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>libraries, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>MIT, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>unspecified fields, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt></dl></dd><dt>kerberos, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dd><dl><dt>server, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt></dl></dd><dt>Kerberos ticket, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>kinit, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>Kixtart, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>klist, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>krb5, <a href="DomApps.html#id378010">Implementation</a></dt><dt>krb5.conf, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt></dl></div><div class="indexdiv"><h3>L</h3><dl><dt>LAM, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dd><dl><dt>configuration editor, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>configuration file, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>login screen, <a href="appendix.html#id384378">The LDAP Account 
Manager</a></dt><dt>opening screen, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>profile, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>wizard, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt></dl></dd><dt>large domain, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a></dt><dt>LDAP, <a href="Big500users.html#id330784">Technical Issues</a>, <a href="happy.html#id336272">Assignment Tasks</a>, <a href="happy.html#id336400">Dissection and Discussion</a>, <a href="happy.html#id336802">Technical Issues</a>, <a href="happy.html#id337852">Preliminary Advice: Dangers Can Be Avoided</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="2000users.html#id347742">Introduction</a>, <a href="2000users.html#id347824">Dissection and Discussion</a>, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="2000users.html#id352072">Key Points Learned</a>, <a href="2000users.html#id352211">Questions and Answers</a>, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id364261">Assignment Tasks</a>, <a href="ntmigration.html#id364468">Technical Issues</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="nw4migration.html#id368660">Dissection and Discussion</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="kerberos.html#id373574">Technical Issues</a></dt><dd><dl><dt>backend, <a 
href="2000users.html#id348480">Identity Management Needs</a></dt><dt>database, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="2000users.html#id352211">Questions and Answers</a>, <a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></dt><dt>directory, <a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>fail-over, <a href="2000users.html#id348912">Implementation</a></dt><dt>initial configuration, <a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></dt><dt>master, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>master/slave</dt><dd><dl><dt>background communication, <a href="2000users.html#id352211">Questions and Answers</a></dt></dl></dd><dt>preload, <a href="2000users.html#id348912">Implementation</a></dt><dt>schema, <a href="upgrades.html#id363507">Updating from Samba Versions between 3.0.6 and 3.0.10</a></dt><dt>secure, <a href="happy.html#id336802">Technical Issues</a></dt><dt>server, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>slave, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>updates, <a href="2000users.html#id348480">Identity Management Needs</a></dt></dl></dd><dt>ldap, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>LDAP Account Manager (see LAM)</dt><dt>ldap admin dn, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a 
href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>LDAP backend, <a href="ntmigration.html#id364468">Technical Issues</a></dt><dt>LDAP database, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>ldap group suffix, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>ldap idmap suffix, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>LDAP Interchange Format (see LDIF)</dt><dt>ldap machine suffix, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>ldap passwd sync, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>LDAP server, <a 
href="2000users.html#id348480">Identity Management Needs</a></dt><dt>ldap ssl, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>ldap suffix, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>ldap timeout, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>ldap user suffix, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>LDAP-transfer-LDIF.txt, <a href="2000users.html#id348912">Implementation</a></dt><dt>ldap.conf, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>ldapadd, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>ldapsam, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="2000users.html#id347824">Dissection and Discussion</a>, <a 
href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="upgrades.html#id363507">Updating from Samba Versions between 3.0.6 and 3.0.10</a>, <a href="ntmigration.html#id364261">Assignment Tasks</a>, <a href="DomApps.html">Integrating Additional Services</a></dt><dt>ldapsam backend, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>ldapsearch, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>LDIF, <a href="happy.html#id336802">Technical Issues</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="nw4migration.html#id368732">Technical Issues</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="appendix.html#id383921">Initialization of the LDAP Database</a></dt><dt>leadership, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>Lightweight Directory Access Protocol (see LDAP)</dt><dt>limit, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>Linux desktop, <a href="unixclients.html#id352990">Introduction</a></dt><dt>Linux Standards Base (see LSB)</dt><dt>LMB, <a href="primer.html#id386612">Findings</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>LMHOSTS, <a href="HA.html#id381054">Routed Networks</a></dt><dt>load distribution, <a href="HA.html#id381688">For Scalability, Use SAN-Based Storage on Samba Servers</a></dt><dt>local accounts, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>Local Group Policy, <a href="happy.html#id337279">Roaming Profile Background</a></dt><dt>Local Master Announcement, <a href="primer.html#id387234">Findings</a></dt><dt>Local Master Browser (see LMB)</dt><dt>localhost, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="HA.html#id380877">Bad 
Hostnames</a></dt><dt>lock directory, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></dt><dt>locking, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dd><dl><dt>Application level, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>Client side, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>Server side, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt></dl></dd><dt>log file, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>log level, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, 
<a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>logging, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>login, <a href="secure.html#id324638">Technical Issues</a></dt><dt>loglevel, <a href="happy.html#id338019">Debugging LDAP</a></dt><dt>logon credentials, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>logon drive, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>logon home, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>logon hours, <a href="ntmigration.html#id364468">Technical Issues</a>, <a href="kerberos.html#id377005">Key Points Learned</a></dt><dt>logon machines, <a href="ntmigration.html#id364468">Technical Issues</a></dt><dt>logon path, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325041">Implementation</a>, <a 
href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>logon process, <a href="unixclients.html#id353760">Implementation</a></dt><dt>logon script, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325041">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#id336802">Technical Issues</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="happy.html#id345412">Preparation of Logon Scripts</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="ntmigration.html#id364468">Technical Issues</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>logon server, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt><dt>logon services, <a href="secure.html#id325041">Implementation</a></dt><dt>logon time, <a href="happy.html#id336272">Assignment Tasks</a></dt><dt>logon traffic, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt><dt>logon.kix, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>loopback, <a href="simple.html#validate1">Validation</a></dt><dt>low performance, <a href="HA.html#id381824">Hardware Problems</a></dt><dt>lower-case, <a href="ntmigration.html#id364791">Implementation</a></dt><dt>lpadmin, <a 
href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>LSB, <a href="appendix.html#id383041">Samba System File Location</a></dt></dl></div><div class="indexdiv"><h3>M</h3><dl><dt>machine, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>machine account, <a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a></dt><dt>machine accounts, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>machine secret password, <a href="Big500users.html#id330784">Technical Issues</a></dt><dt>MACHINE.SID, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>mailing list, <a href="ch14.html#id382184">Free Support</a></dt><dt>mailing lists, <a href="ch14.html#id382184">Free Support</a></dt><dt>managed, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>management, <a href="unixclients.html#id353679">Political Issues</a>, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dd><dl><dt>group, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>User, <a href="kerberos.html#id373574">Technical Issues</a></dt></dl></dd><dt>mandatory profile, <a href="happy.html#id336802">Technical Issues</a>, <a href="happy.html#id345184">Configuring Profile Directories</a></dt><dt>Mandrake, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>map acl inherit, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>map to guest, <a href="simple.html#id317589">Implementation</a></dt><dt>mapped drives, <a 
href="unixclients.html#id360240">Questions and Answers</a></dt><dt>mapping, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dd><dl><dt>consistent, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt></dl></dd><dt>Mars_NWE, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>master, <a href="2000users.html#id347824">Dissection and Discussion</a></dt><dt>material, <a href="appendix.html">A Collection of Useful Tidbits</a></dt><dt>max log size, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>memberUID, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>memory requirements, <a href="secure.html#id324872">Hardware Requirements</a></dt><dt>merge, <a href="ntmigration.html#id364468">Technical Issues</a>, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>merged, <a href="ntmigration.html#id364468">Technical Issues</a></dt><dt>meta-directory, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>meta-service, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>Microsoft Access, <a href="appendix.html#ch12dblck">Shared 
Data Integrity</a></dt><dt>Microsoft Excel, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt><dt>Microsoft ISA, <a href="DomApps.html#id377734">Assignment Tasks</a></dt><dt>Microsoft Management Console (see MMC)</dt><dt>Microsoft Office, <a href="secure.html#ch4appscfg">Application Share Configuration</a>, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt><dt>Microsoft Outlook</dt><dd><dl><dt>PST files, <a href="2000users.html#id352211">Questions and Answers</a></dt></dl></dd><dt>migrate, <a href="upgrades.html">Updating Samba-3</a>, <a href="ntmigration.html#id364468">Technical Issues</a></dt><dt>migration, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="happy.html#id336272">Assignment Tasks</a>, <a href="ntmigration.html#id364185">Introduction</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dd><dl><dt>objectives, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt></dl></dd><dt>Migration speed, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>mime type, <a href="simple.html#id317589">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>mime types, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>missing RPC's, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>MIT, <a href="DomApps.html#id378010">Implementation</a>, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>MIT Kerberos, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>MIT kerberos, <a 
href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a></dt><dt>MIT KRB5, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>mixed mode, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>mixed-mode, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>MMC, <a href="happy.html#id346624">Configure Delete Cached Profiles on Logout</a>, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>mobile computing, <a href="small.html#id321293">Dissection and Discussion</a></dt><dt>mobility, <a href="2000users.html#id348070">Technical Issues</a></dt><dt>modularization, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>modules, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>MS Access</dt><dd><dl><dt>validate, <a href="appendix.html#id385724">Microsoft Access</a></dt></dl></dd><dt>MS Outlook, <a href="happy.html#id346340">Configuration of MS Outlook to Relocate PST File</a></dt><dd><dl><dt>PST, <a href="happy.html#id346340">Configuration of MS Outlook to Relocate PST File</a></dt><dt>PST file, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>MS Windows Server 2003, <a href="DomApps.html#id378010">Implementation</a></dt><dt>MS Word, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt><dt>MSDFS, <a href="HA.html#id381733">Distribute Network Load with MSDFS</a></dt><dt>multi-subnet, <a href="HA.html#id381054">Routed Networks</a></dt><dt>multi-user</dt><dd><dl><dt>access, <a href="appendix.html#id385724">Microsoft Access</a></dt><dt>data access, <a href="appendix.html#ch12dblck">Shared Data Integrity</a></dt></dl></dd><dt>multiple directories, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>multiple domain controllers, <a href="happy.html">Making Happy Users</a></dt><dt>multiple group mappings, <a 
href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>mutual assistance, <a href="ch14.html#id382184">Free Support</a></dt><dt>My Documents, <a href="happy.html#id337279">Roaming Profile Background</a></dt><dt>My Network Places, <a href="simple.html#id317589">Implementation</a></dt><dt>mysqlsam, <a href="2000users.html#id348912">Implementation</a></dt></dl></div><div class="indexdiv"><h3>N</h3><dl><dt>name resolution, <a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="primer.html#id386266">Assignment Tasks</a></dt><dd><dl><dt>Defective, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt></dl></dd><dt>name resolve order, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325041">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dt>name service switch, <a href="small.html#id321546">Implementation</a> (see NSS)</dt><dt>named, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="Big500users.html#id331694">Server Preparation: All 
Servers</a></dt><dt>NAT, <a href="secure.html#id324638">Technical Issues</a></dt><dt>native, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>net</dt><dd><dl><dt>ads</dt><dd><dl><dt>info, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>join, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>status, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt></dl></dd><dt>getlocalsid, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>group, <a href="ntmigration.html#id367204">NT4 Migration Using tdbsam Backend</a></dt><dt>groupmap</dt><dd><dl><dt>add, <a href="secure.html#id325866">Samba Configuration</a></dt><dt>list, <a href="secure.html#id325866">Samba Configuration</a>, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>modify, <a href="secure.html#id325866">Samba Configuration</a></dt></dl></dd><dt>rpc</dt><dd><dl><dt>info, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>join, <a href="Big500users.html#ch5-domsvrspec">Configuration Specific to Domain Member Servers: BLDG1, BLDG2</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="ntmigration.html#id367204">NT4 Migration Using tdbsam 
Backend</a></dt><dt>vampire, <a href="upgrades.html">Updating Samba-3</a>, <a href="ntmigration.html#id367204">NT4 Migration Using tdbsam Backend</a></dt></dl></dd><dt>setlocalsid, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt></dl></dd><dt>NetBIOS, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="HA.html#id380877">Bad Hostnames</a>, <a href="HA.html#id381054">Routed Networks</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dd><dl><dt>name cache, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>name resolution</dt><dd><dl><dt>delays, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>Node Type, <a href="primer.html#chap01qa">Questions and Answers</a></dt></dl></dd><dt>netbios</dt><dd><dl><dt>machine name, <a href="upgrades.html#id362157">Change of hostname</a></dt></dl></dd><dt>netbios forwarding, <a href="HA.html#id381218">Network Collisions</a></dt><dt>netbios name, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id362157">Change of hostname</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a 
href="DomApps.html#id379127">NSS Configuration</a>, <a href="HA.html#id380877">Bad Hostnames</a></dt><dt>NetBIOS name, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dd><dl><dt>aliases, <a href="2000users.html#id348480">Identity Management Needs</a></dt></dl></dd><dt>NETLOGON, <a href="happy.html#id337635">Using a Network Default User Profile</a>, <a href="happy.html#id345624">Windows Client Configuration</a></dt><dt>netlogon, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>Netlogon, <a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></dt><dt>netmask, <a href="simple.html#id316708">Implementation</a></dt><dt>Netware, <a href="small.html">Small Office Networking</a></dt><dt>NetWare, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>network</dt><dd><dl><dt>administrators, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>analyzer, <a href="primer.html#id386266">Assignment Tasks</a></dt><dt>bandwidth, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>broadcast, <a href="primer.html#id386216">Introduction</a></dt><dt>captures, <a href="primer.html#id386080">Requirements and Notes</a></dt><dt>collisions, <a href="HA.html#id381218">Network Collisions</a></dt><dt>load, <a href="HA.html#id381218">Network Collisions</a></dt><dt>logon, <a href="happy.html">Making Happy Users</a></dt><dt>logon scripts, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt><dt>management, <a href="kerberos.html#id372607">Introduction</a></dt><dt>multi-segment, <a href="happy.html#id336196">Introduction</a></dt><dt>overload, <a href="happy.html">Making Happy Users</a></dt><dt>performance, <a href="HA.html#id381308">Samba 
Configuration</a></dt><dt>routed, <a href="2000users.html#id347824">Dissection and Discussion</a></dt><dt>secure, <a href="kerberos.html#id372607">Introduction</a></dt><dt>segment, <a href="happy.html#id336400">Dissection and Discussion</a></dt><dt>services, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>sniffer, <a href="primer.html#id386080">Requirements and Notes</a></dt><dt>timeout, <a href="happy.html">Making Happy Users</a></dt><dt>timeouts, <a href="HA.html#id381218">Network Collisions</a></dt><dt>trace, <a href="primer.html#id386266">Assignment Tasks</a></dt><dt>traffic</dt><dd><dl><dt>observation, <a href="kerberos.html#id373574">Technical Issues</a></dt></dl></dd><dt>wide-area, <a href="happy.html#id336400">Dissection and Discussion</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></dt></dl></dd><dt>Network Address Translation (see NAT)</dt><dt>network administrators, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>network attached storage (see NAS)</dt><dt>network bandwidth</dt><dd><dl><dt>utilization, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>Network Default Profile, <a href="happy.html#id337279">Roaming Profile Background</a></dt><dt>network hardware</dt><dd><dl><dt>defective, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>network hygiene, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dt>network Identities, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>network load factors, <a href="Big500users.html#id330756">Dissection and Discussion</a></dt><dt>Network Neighborhood, <a href="simple.html#validate1">Validation</a>, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>network segment, <a href="HA.html#id381603">Use and Location of BDCs</a></dt><dt>network segments, <a href="secure.html#id324872">Hardware Requirements</a></dt><dt>network share, <a 
href="happy.html#id336272">Assignment Tasks</a></dt><dt>networking</dt><dd><dl><dt>client, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt></dl></dd><dt>networking hardware</dt><dd><dl><dt>defective, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>networking protocols, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>next generation, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>NextFreeUnixId, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>NFS server, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>NICs, <a href="HA.html#id381824">Hardware Problems</a></dt><dt>NIS, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="2000users.html#id352211">Questions and Answers</a>, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#id353679">Political Issues</a>, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>nis, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>NIS schema, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>NIS server, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>NIS+, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>nisplus, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>NLM, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>nmap, <a href="secure.html#ch4valid">Validation</a></dt><dt>nmbd, <a href="small.html#id323199">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="upgrades.html#id363672">Replacing a Domain Member Server</a>, <a 
href="DomApps.html#id378606">Samba Configuration</a>, <a href="appendix.html#id383432">Starting Samba</a></dt><dt>nobody, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a>, <a href="primer.html#id387800">Findings and Comments</a></dt><dt>Novell, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a>, <a href="nw4migration.html#id368455">Introduction</a></dt><dt>Novell SUSE SLES 9, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>NSS, <a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="happy.html#id336802">Technical Issues</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id359708">UNIX/Linux Client Domain Member</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="DomApps.html#id379127">NSS Configuration</a> (see name service switch)</dt><dt>nss_ldap, <a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="happy.html#id336802">Technical Issues</a>, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema 
Extension</a>, <a href="upgrades.html#id363672">Replacing a Domain Member Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>nt acl support, <a href="simple.html#id317402">Dissection and Discussion</a>, <a href="simple.html#id317589">Implementation</a></dt><dt>NT4 registry, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt><dt>NTLM, <a href="DomApps.html#id377849">Technical Issues</a></dt><dt>NTLM authentication daemon, <a href="DomApps.html#id377849">Technical Issues</a></dt><dt>NTLMSSP, <a href="DomApps.html#id379772">Key Points Learned</a>, <a href="DomApps.html#id379827">Questions and Answers</a>, <a href="primer.html#id388041">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>NTLMSSP_AUTH, <a href="primer.html#id388041">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>ntlm_auth, <a href="DomApps.html#id378606">Samba Configuration</a>, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>NTP, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>NTUSER.DAT, <a href="happy.html#id337279">Roaming Profile Background</a>, <a href="happy.html#id337546">Profile Changes</a>, <a href="happy.html#id337635">Using a Network Default User Profile</a>, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>NULL connection, <a href="simple.html#validate1">Validation</a></dt><dt>NULL session, <a href="primer.html#id387800">Findings and Comments</a></dt><dt>NULL-Session, <a href="primer.html#id388539">Discussion</a></dt></dl></div><div class="indexdiv"><h3>O</h3><dl><dt>objectClass, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>off-site storage, <a href="kerberos.html#id372607">Introduction</a></dt><dt>Open Magazine, <a href="unixclients.html">Adding Domain Member Servers and Clients</a></dt><dt>Open Source, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>OpenLDAP, <a href="happy.html#id336400">Dissection 
and Discussion</a>, <a href="2000users.html#id347824">Dissection and Discussion</a>, <a href="2000users.html#id352211">Questions and Answers</a>, <a href="unixclients.html#id353679">Political Issues</a>, <a href="nw4migration.html#id368732">Technical Issues</a>, <a href="kerberos.html#id372607">Introduction</a>, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id377005">Key Points Learned</a>, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>openldap, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>OpenOffice, <a href="secure.html#ch4appscfg">Application Share Configuration</a></dt><dt>operating profiles, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>oplock break, <a href="kerberos.html#id375808">Override Controls</a></dt><dt>oplocks, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>Oplocks</dt><dd><dl><dt>disabled, <a href="appendix.html#id385938">Opportunistic Locking Controls</a></dt></dl></dd><dt>opportunistic</dt><dd><dl><dt>locking, <a href="kerberos.html#id375808">Override Controls</a></dt></dl></dd><dt>opportunistic locking, <a href="secure.html#id325041">Implementation</a>, <a href="HA.html#id381308">Samba Configuration</a>, <a href="appendix.html#id385863">Act! 
Database Sharing</a></dt><dt>optimized, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>organizational units, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>os level, <a href="2000users.html#id348912">Implementation</a></dt><dt>OS/2, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>Outlook</dt><dd><dl><dt>PST, <a href="happy.html#id346340">Configuration of MS Outlook to Relocate PST File</a></dt></dl></dd><dt>Outlook Address Book, <a href="happy.html#id346340">Configuration of MS Outlook to Relocate PST File</a></dt><dt>Outlook Express, <a href="secure.html#id325007">Political Issues</a>, <a href="happy.html#id346340">Configuration of MS Outlook to Relocate PST File</a></dt><dt>over-ride, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>over-ride controls, <a href="kerberos.html#id375808">Override Controls</a></dt><dt>over-rule, <a href="kerberos.html#id375060">Share Access Controls</a>, <a href="kerberos.html#id376647">Using MS Windows Explorer (File Manager)</a></dt><dt>overheads, <a href="kerberos.html#id375808">Override Controls</a></dt><dt>ownership, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt></dl></div><div class="indexdiv"><h3>P</h3><dl><dt>package, <a href="simple.html#id316708">Implementation</a></dt><dt>package names, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>packages, <a href="upgrades.html#id363384">Updating a Samba-3 Installation</a></dt><dt>PADL, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a></dt><dt>PADL LDAP tools, <a href="happy.html#id336802">Technical Issues</a></dt><dt>PADL Software, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>paid-for support, <a href="ch14.html">Samba Support</a></dt><dt>PAM, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client 
Configuration</a>, <a href="unixclients.html#id359708">UNIX/Linux Client Domain Member</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>pam password change, <a href="secure.html#id325866">Samba Configuration</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>pam_ldap, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>pam_ldap.so, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></dt><dt>pam_unix2.so, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></dt><dd><dl><dt>use_ldap, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></dt></dl></dd><dt>parameters, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>passdb backend, <a href="secure.html#id325041">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html">The 500-User Office</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#id336400">Dissection and Discussion</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id347824">Dissection and Discussion</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="upgrades.html">Updating Samba-3</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="upgrades.html#id363507">Updating from Samba Versions between 3.0.6 and 3.0.10</a>, <a href="ntmigration.html#id364261">Assignment Tasks</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="nw4migration.html#id368982">LDAP 
Server Configuration</a></dt><dt>passdb.tdb, <a href="ntmigration.html#id364468">Technical Issues</a></dt><dt>passwd, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a></dt><dt>passwd chat, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a></dt><dt>passwd program, <a href="secure.html#id325866">Samba Configuration</a></dt><dt>password</dt><dd><dl><dt>backend, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a></dt></dl></dd><dt>password caching, <a href="simple.html#id317589">Implementation</a></dt><dt>password change, <a href="kerberos.html#id377005">Key Points Learned</a></dt><dt>password length, <a href="primer.html#id387580">Simple Windows Client Connection Characteristics</a>, <a href="primer.html#id388041">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>password server, <a href="DomApps.html#id379127">NSS Configuration</a></dt><dt>path, <a href="simple.html#id316708">Implementation</a>, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member 
Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>payroll, <a href="nw4migration.html#id368455">Introduction</a></dt><dt>pdbedit, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="ntmigration.html#id367204">NT4 Migration Using tdbsam Backend</a>, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>PDC, <a href="Big500users.html#id330675">Assignment Tasks</a>, <a href="Big500users.html#id330784">Technical Issues</a>, <a href="happy.html">Making Happy Users</a>, <a href="happy.html#id336802">Technical Issues</a>, <a href="happy.html#sbehap-locgrppol">The Local Group Policy</a>, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a>, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id364791">Implementation</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="ntmigration.html#id367204">NT4 Migration Using tdbsam Backend</a>, <a href="HA.html#id381603">Use and Location of BDCs</a></dt><dt>PDC/BDC ratio, <a href="happy.html">Making Happy Users</a></dt><dt>PDF, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>performance, <a href="happy.html#id336400">Dissection and Discussion</a>, <a href="kerberos.html#id377127">Questions and Answers</a>, <a href="HA.html">Performance, Reliability, and Availability</a>, <a href="HA.html#id380314">Introduction</a>, <a href="HA.html#id381218">Network Collisions</a></dt><dt>performance degradation, <a href="kerberos.html#id375808">Override Controls</a>, <a 
href="HA.html#id381308">Samba Configuration</a></dt><dt>Perl, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>permission, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt><dt>permissions, <a href="simple.html#id317589">Implementation</a>, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id375060">Share Access Controls</a>, <a href="kerberos.html#id375528">Checkpoint Controls</a>, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a>, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dd><dl><dt>excessive, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>group, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt><dt>user, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt></dl></dd><dt>Permissions, <a href="kerberos.html#id376370">Using the MMC Computer Management Interface</a></dt><dt>permits, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>permitted group, <a href="kerberos.html#id376370">Using the MMC Computer Management Interface</a></dt><dt>PHP, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>PHP4, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>pile-driver, <a href="kerberos.html#id375395">Share Definition Controls</a></dt><dt>ping, <a href="secure.html#ch4valid">Validation</a></dt><dt>pitfalls, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>plain-text, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>Pluggable Authentication Modules (see PAM)</dt><dt>policy, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="kerberos.html#id372607">Introduction</a></dt><dt>poor performance, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dt>POP3, <a 
href="nw4migration.html#id368732">Technical Issues</a></dt><dt>Posix, <a href="simple.html#id317402">Dissection and Discussion</a>, <a href="happy.html#id336802">Technical Issues</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="ntmigration.html#id364791">Implementation</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>POSIX, <a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>Posix accounts, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>Posix ACLs, <a href="kerberos.html#id376321">Managing Windows 200x ACLs</a></dt><dt>PosixAccount, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>posixAccount, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>Postfix, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>Postscript, <a href="happy.html#id337689">Installation of Printer Driver Auto-Download</a></dt><dt>powers, <a href="kerberos.html#id375395">Share Definition Controls</a></dt><dt>practices, <a href="kerberos.html#id372607">Introduction</a></dt><dt>precaution, <a href="upgrades.html#id361313">Introduction</a></dt><dt>preferred master, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>presence and leadership, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>price paid, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>primary group, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server 
Using NSS LDAP</a>, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt><dt>principals, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>print filter, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>print queue, <a href="simple.html#id317306">Charity Administration Office</a>, <a href="simple.html#id317402">Dissection and Discussion</a></dt><dt>print spooler, <a href="simple.html#id317306">Charity Administration Office</a></dt><dt>Print Test Page, <a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></dt><dt>printable, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>printcap name, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325041">Implementation</a>, <a 
href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>printer admin, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>printer validation, <a href="small.html#id323199">Validation</a>, <a href="secure.html#ch4valid">Validation</a></dt><dt>printers</dt><dd><dl><dt>Advanced, <a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></dt><dt>Default Settings, <a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></dt><dt>General, <a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></dt><dt>Properties, <a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></dt><dt>Security, <a 
href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></dt><dt>Sharing, <a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></dt></dl></dd><dt>printing, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325041">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dd><dl><dt>drag-and-drop, <a href="happy.html#id337689">Installation of Printer Driver Auto-Download</a>, <a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></dt><dt>dumb, <a href="happy.html#id337689">Installation of Printer Driver Auto-Download</a></dt><dt>point-n-click, <a href="happy.html#id337689">Installation of Printer Driver Auto-Download</a></dt><dt>raw, <a href="simple.html#id317402">Dissection and Discussion</a></dt></dl></dd><dt>privacy, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>Privilege Attribute Certificates (see PAC)</dt><dt>privilege controls, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt><dt>privileged pipe, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>privileges, <a href="2000users.html#id348480">Identity Management Needs</a>, <a 
href="upgrades.html#id363581">Updating from Samba Versions after 3.0.6 to a Current Release</a>, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id375395">Share Definition Controls</a></dt><dt>problem report, <a href="ch14.html#id382184">Free Support</a></dt><dt>problem resolution, <a href="ch14.html">Samba Support</a></dt><dt>product defects, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>professional support, <a href="ch14.html#id382184">Free Support</a></dt><dt>profile</dt><dd><dl><dt>default, <a href="happy.html#id336272">Assignment Tasks</a></dt><dt>mandatory, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt><dt>roaming, <a href="happy.html">Making Happy Users</a></dt></dl></dd><dt>profile acls, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>profile path, <a href="ntmigration.html#id364468">Technical Issues</a></dt><dt>profile share, <a href="secure.html#id325041">Implementation</a></dt><dt>profiles, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>profiles share, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt><dt>programmer, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>project, <a href="ch14.html#id382184">Free Support</a></dt><dt>project maintainers, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>Properties, <a href="kerberos.html#id376370">Using the MMC Computer Management Interface</a></dt><dt>proprietary, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>protected, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>protection, <a 
href="kerberos.html#id373574">Technical Issues</a></dt><dt>protocol</dt><dd><dl><dt>negotiation, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt></dl></dd><dt>protocol analysis, <a href="primer.html#id386080">Requirements and Notes</a></dt><dt>protocols, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>provided services, <a href="ch14.html">Samba Support</a></dt><dt>proxy, <a href="DomApps.html#id377734">Assignment Tasks</a>, <a href="DomApps.html#id377849">Technical Issues</a></dt><dt>PST file, <a href="happy.html#id346340">Configuration of MS Outlook to Relocate PST File</a></dt><dt>public specifications, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>purchase support, <a href="ch14.html#id382184">Free Support</a></dt></dl></div><div class="indexdiv"><h3>Q</h3><dl><dt>Qbasic, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>qualified problem, <a href="ch14.html#id382184">Free Support</a></dt></dl></div><div class="indexdiv"><h3>R</h3><dl><dt>RAID, <a href="secure.html#id324872">Hardware Requirements</a></dt><dt>RAID controllers, <a href="HA.html#id381824">Hardware Problems</a></dt><dt>Raw Print Through, <a href="happy.html#id337689">Installation of Printer Driver Auto-Download</a></dt><dt>raw printing, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4ptrcfg">Printer Configuration</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a>, <a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></dt><dt>Rbase, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>rcldap, <a href="2000users.html#id348912">Implementation</a></dt><dt>read only, <a href="simple.html#id316708">Implementation</a>, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a 
href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>realm, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="DomApps.html#id378243">Kerberos Configuration</a>, <a href="DomApps.html#id379127">NSS Configuration</a></dt><dt>recognize, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>record locking, <a href="appendix.html#id385724">Microsoft Access</a></dt><dt>recursively, <a href="kerberos.html#id376809">Setting Posix ACLs in UNIX/Linux</a></dt><dt>Red Hat, <a href="simple.html#id316598">Drafting Office</a>, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>Red Hat Fedora Linux, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>Red Hat Linux, <a href="simple.html#id317402">Dissection and Discussion</a>, <a href="simple.html#AccountingOffice">Accounting Office</a>, <a href="happy.html#id338636">Samba Server Implementation</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a 
href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="DomApps.html#id378010">Implementation</a>, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>redirected folders, <a href="happy.html#id337279">Roaming Profile Background</a>, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt><dt>refereed standards, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>regedit, <a href="simple.html#id317589">Implementation</a></dt><dt>regedt32, <a href="happy.html#id337546">Profile Changes</a>, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>registry, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dd><dl><dt>keys</dt><dd><dl><dt>SAM, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt><dt>SECURITY, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt></dl></dd></dl></dd><dt>registry change, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>Registry Editor, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>registry hacks, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>registry keys, <a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></dt><dt>reimburse, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>rejected, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="kerberos.html#id375060">Share Access Controls</a></dt><dt>rejoin, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>reliability, <a href="HA.html">Performance, Reliability, and Availability</a></dt><dt>remote announce, <a href="HA.html#id381054">Routed Networks</a></dt><dt>remote browse sync, <a href="HA.html#id381054">Routed 
Networks</a></dt><dt>remote procedure call (see RPC)</dt><dt>replicate, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="HA.html#id381784">Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</a></dt><dt>replicated, <a href="2000users.html#id347824">Dissection and Discussion</a></dt><dt>requesting payment, <a href="ch14.html#id382184">Free Support</a></dt><dt>resilient, <a href="HA.html#id380842">Guidelines for Reliable Samba Operation</a></dt><dt>resolution, <a href="upgrades.html#id363672">Replacing a Domain Member Server</a></dt><dt>resolve, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="HA.html#id380877">Bad Hostnames</a></dt><dt>response, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a></dt><dt>responsibility, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>responsible, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>restrict anonymous, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>restricted export, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>Restrictive security, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>reverse DNS, <a href="DomApps.html#id378243">Kerberos Configuration</a></dt><dt>rfc2307bis, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>RID, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>risk, <a href="secure.html#id324638">Technical Issues</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="kerberos.html#id372607">Introduction</a></dt><dt>road-map, <a href="kerberos.html#id373574">Technical Issues</a></dt><dd><dl><dt>published, <a href="kerberos.html#id373574">Technical 
Issues</a></dt></dl></dd><dt>roaming profile, <a href="happy.html#id336802">Technical Issues</a>, <a href="happy.html#id337279">Roaming Profile Background</a>, <a href="happy.html#id345184">Configuring Profile Directories</a>, <a href="2000users.html#id348107">User Needs</a>, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>roaming profiles, <a href="secure.html#id324638">Technical Issues</a>, <a href="secure.html#id325041">Implementation</a>, <a href="happy.html#id337279">Roaming Profile Background</a></dt><dt>routed network, <a href="HA.html#id381603">Use and Location of BDCs</a></dt><dt>router, <a href="small.html#id321546">Implementation</a></dt><dt>routers, <a href="2000users.html#id352211">Questions and Answers</a>, <a href="HA.html#id381054">Routed Networks</a></dt><dt>RPC, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>rpc, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>rpcclient, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>RPM, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="nw4migration.html#id368660">Dissection and Discussion</a></dt><dd><dl><dt>install, <a href="simple.html#id316708">Implementation</a></dt></dl></dd><dt>rpm, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a>, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>RPMs, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>rpms, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>rsync, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="HA.html#id381784">Replicate 
Data to Conserve Peak-Demand Wide-Area Bandwidth</a></dt><dt>rsyncd.conf, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>run-time control files, <a href="appendix.html#id383041">Samba System File Location</a></dt></dl></div><div class="indexdiv"><h3>S</h3><dl><dt>safe-guards, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>SAM, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt><dt>samba, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dd><dl><dt>starting samba, <a href="simple.html#id316708">Implementation</a></dt></dl></dd><dt>Samba, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>Samba accounts, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>samba cluster, <a href="HA.html#id380314">Introduction</a></dt><dt>samba control script, <a href="appendix.html#id383432">Starting Samba</a></dt><dt>Samba Domain, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>Samba Domain server, <a href="kerberos.html#id376370">Using the MMC Computer Management Interface</a></dt><dt>Samba RPM Packages, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></dt><dt>Samba Tea, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>sambaDomainName, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>sambaGroupMapping, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>SambaSAMAccount, <a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a></dt><dt>SambaSamAccount, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>sambaSamAccount, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>SambaXP conference, <a href="DomApps.html#id379827">Questions and 
Answers</a></dt><dt>SAN, <a href="HA.html#id381688">For Scalability, Use SAN-Based Storage on Samba Servers</a></dt><dt>SAS, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>scalability, <a href="HA.html#id380314">Introduction</a></dt><dt>scalable, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>schannel, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id377005">Key Points Learned</a>, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>schema, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="upgrades.html#id363269">Samba-2.x with LDAP Support</a>, <a href="upgrades.html#id363507">Updating from Samba Versions between 3.0.6 and 3.0.10</a></dt><dt>scripts, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>secondary group, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></dt><dt>secret, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>secrets.tdb, <a href="happy.html#id336802">Technical Issues</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#sbeug1">Location of config files</a></dt><dt>secure, <a href="kerberos.html#id372607">Introduction</a></dt><dt>secure account password, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>secure connections, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>secure networking, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>secure networking protocols, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>security, <a href="simple.html#id316708">Implementation</a>, <a href="simple.html#id317589">Implementation</a>, <a href="happy.html#id336802">Technical 
Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="kerberos.html#id372607">Introduction</a>, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a>, <a href="kerberos.html#id377127">Questions and Answers</a>, <a href="DomApps.html#id379127">NSS Configuration</a></dt><dd><dl><dt>identifier, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>share mode, <a href="simple.html#id317402">Dissection and Discussion</a></dt><dt>user mode, <a href="simple.html#id319572">Dissection and Discussion</a></dt></dl></dd><dt>Security, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id376370">Using the MMC Computer Management Interface</a></dt><dt>Security Account Manager (see SAM)</dt><dt>security controls, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>security descriptors, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt><dt>security fixes, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>security updates, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>SerNet, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain 
Member Server</a>, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>server</dt><dd><dl><dt>domain member, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>stand-alone, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt></dl></dd><dt>server string, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>service, <a href="2000users.html#id348912">Implementation</a></dt><dd><dl><dt>smb</dt><dd><dl><dt>start, <a href="Big500users.html#ch5-domsvrspec">Configuration Specific to Domain Member Servers: BLDG1, BLDG2</a></dt></dl></dd></dl></dd><dt>Service Packs, <a href="secure.html#ch4appscfg">Application Share Configuration</a></dt><dt>services, <a href="DomApps.html#id379772">Key Points Learned</a></dt><dt>services provided, <a href="ch14.html">Samba Support</a></dt><dt>session setup, <a href="primer.html#id387580">Simple Windows Client Connection Characteristics</a>, <a href="primer.html#id388041">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>Session Setup, <a href="primer.html#id387580">Simple Windows Client Connection Characteristics</a></dt><dt>SessionSetUpAndX, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>set primary group script, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>setfacl, <a 
href="kerberos.html#id376809">Setting Posix ACLs in UNIX/Linux</a></dt><dt>severely degrade, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>SFU, <a href="unixclients.html#id359663">IDMAP, Active Directory, and MS Services for UNIX 3.5</a></dt><dt>SGID, <a href="simple.html#id317402">Dissection and Discussion</a>, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a>, <a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></dt><dt>shadow-utils, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>Share Access Controls, <a href="kerberos.html#id375060">Share Access Controls</a></dt><dt>share ACLs, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>share definition, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>Share Definition</dt><dd><dl><dt>Controls, <a href="kerberos.html#id375395">Share Definition Controls</a></dt></dl></dd><dt>share definition controls, <a href="kerberos.html#id375395">Share Definition Controls</a>, <a href="kerberos.html#id375528">Checkpoint Controls</a>, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a>, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>share level access controls, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>share level ACL, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>Share Permissions, <a href="kerberos.html#id375060">Share Access Controls</a></dt><dt>shared resource, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id376809">Setting Posix ACLs in UNIX/Linux</a></dt><dt>shares, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>show add printer wizard, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, 
<a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>shutdown script, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="2000users.html#id348912">Implementation</a></dt><dt>SID, <a href="secure.html#ch4wincfg">Windows Client Configuration</a>, <a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id362215">Change of Workgroup (Domain) Name</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="appendix.html#id383921">Initialization of the LDAP Database</a></dt><dt>side effects, <a href="kerberos.html#id376321">Managing Windows 200x ACLs</a></dt><dt>Sign'n'seal, <a href="kerberos.html#id377005">Key Points Learned</a>, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>silent return, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>simple, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dt>Single Sign-On (see SSO)</dt><dt>slapcat, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>slapd, <a href="happy.html#id338019">Debugging LDAP</a></dt><dt>slapd.conf, <a href="ntmigration.html#id364916">NT4 Migration Using 
LDAP Backend</a></dt><dt>slave, <a href="2000users.html#id347824">Dissection and Discussion</a></dt><dt>slow logon, <a href="happy.html">Making Happy Users</a></dt><dt>slow network, <a href="HA.html#id381824">Hardware Problems</a></dt><dt>slurpd, <a href="2000users.html#id348912">Implementation</a>, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>smart printing, <a href="happy.html#id336400">Dissection and Discussion</a></dt><dt>SMB, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>SMB passwords, <a href="2000users.html#id348912">Implementation</a></dt><dt>smb ports, <a href="secure.html#id325866">Samba Configuration</a>, <a href="secure.html#id330204">Questions and Answers</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>SMB/CIFS, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>smbclient, <a href="simple.html#validate1">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>smbd, <a href="simple.html#validate1">Validation</a>, <a href="simple.html#id317589">Implementation</a>, <a href="small.html#id323199">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a 
href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#sbeug1">Location of config files</a>, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="upgrades.html#id363672">Replacing a Domain Member Server</a>, <a href="DomApps.html#id378606">Samba Configuration</a>, <a href="DomApps.html#id379827">Questions and Answers</a>, <a href="appendix.html#id383432">Starting Samba</a></dt><dd><dl><dt>location of files, <a href="appendix.html#id383041">Samba System File Location</a></dt></dl></dd><dt>smbfs, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dt>smbldap-groupadd, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>smbldap-groupmod, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>smbldap-passwd, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>smbldap-populate, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></dt><dt>smbldap-tools, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>smbldap-tools updating, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>smbldap-useradd, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="2000users.html#id348912">Implementation</a></dt><dt>smbldap-usermod, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="nw4migration.html#id368982">LDAP Server 
Configuration</a></dt><dt>smbmnt, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dt>smbmount, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dt>smbpasswd, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321342">Technical Issues</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id324638">Technical Issues</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id347824">Dissection and Discussion</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="upgrades.html">Updating Samba-3</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id364468">Technical Issues</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="DomApps.html">Integrating Additional Services</a></dt><dt>smbumnt, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dt>smbumount, <a href="HA.html#id380391">Dissection and Discussion</a></dt><dt>SMTP, <a href="nw4migration.html#id368732">Technical Issues</a></dt><dt>snap-shot, <a href="ntmigration.html#id364312">Dissection and Discussion</a></dt><dt>socket address, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>socket options, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>software, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>solve, <a href="kerberos.html#id373203">Dissection and 
Discussion</a></dt><dt>source code, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>SPNEGO, <a href="primer.html#id388041">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>SQL, <a href="2000users.html#id347824">Dissection and Discussion</a>, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>Squid, <a href="DomApps.html#id378010">Implementation</a>, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a>, <a href="DomApps.html#id378606">Samba Configuration</a>, <a href="DomApps.html#id379397">Squid Configuration</a></dt><dt>squid, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a>, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>Squid proxy, <a href="DomApps.html#id377849">Technical Issues</a></dt><dt>SRVTOOLS.EXE, <a href="secure.html#id325041">Implementation</a>, <a href="happy.html#id345184">Configuring Profile Directories</a>, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>SSL, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>stand-alone server, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>starting CUPS, <a href="simple.html#id317589">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#procstart">Process Startup Configuration</a>, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></dt><dt>starting dhcpd, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#procstart">Process Startup Configuration</a>, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></dt><dt>starting samba, <a href="simple.html#id316708">Implementation</a>, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#procstart">Process 
Startup Configuration</a>, <a href="Big500users.html#ch5-procstart">Process Startup Configuration</a></dt><dd><dl><dt>nmbd, <a href="appendix.html#id383432">Starting Samba</a></dt><dt>smbd, <a href="appendix.html#id383432">Starting Samba</a></dt><dt>winbindd, <a href="appendix.html#id383432">Starting Samba</a></dt></dl></dd><dt>startingCUPS, <a href="simple.html#AcctgNet">Implementation</a></dt><dt>startup script, <a href="appendix.html#id383432">Starting Samba</a></dt><dt>sticky bit, <a href="small.html#id321546">Implementation</a></dt><dt>storage capacity, <a href="secure.html#id324872">Hardware Requirements</a></dt><dt>strategic, <a href="ntmigration.html#id364468">Technical Issues</a></dt><dt>strategy, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>straw-man, <a href="kerberos.html">Active Directory, Kerberos, and Security</a></dt><dt>strict sync, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>stripped, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></dt><dt>strong cryptography, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>subscription, <a href="ch14.html#id382184">Free Support</a></dt><dt>SUID, <a href="simple.html#id317402">Dissection and Discussion</a>, <a href="kerberos.html#id377127">Questions and Answers</a>, <a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></dt><dt>Sun ONE Identity Server, <a href="happy.html#id336400">Dissection and Discussion</a></dt><dt>super daemon, <a href="secure.html#procstart">Process Startup Configuration</a></dt><dt>support, <a href="kerberos.html#id373203">Dissection and Discussion</a>, <a href="ch14.html">Samba Support</a></dt><dt>survey, <a href="unixclients.html">Adding Domain Member Servers and Clients</a></dt><dt>SUSE, <a href="nw4migration.html">Migrating NetWare Server to Samba-3</a></dt><dt>SUSE Enterprise Linux Server, <a href="simple.html#id317306">Charity Administration 
Office</a>, <a href="secure.html#ch4bsc">Basic System Configuration</a>, <a href="DomApps.html#id378010">Implementation</a></dt><dt>SUSE Linux, <a href="simple.html#id317402">Dissection and Discussion</a>, <a href="happy.html#id338636">Samba Server Implementation</a>, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="DomApps.html#id378010">Implementation</a>, <a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></dt><dt>SWAT, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>sync always, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>synchronization, <a href="DomApps.html#id378243">Kerberos Configuration</a>, <a href="HA.html#id381688">For Scalability, Use SAN-Based Storage on Samba Servers</a></dt><dt>synchronize, <a href="2000users.html#id348107">User Needs</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>synchronized, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>syslog, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain 
Member Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>system level logins, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>system security, <a href="kerberos.html#id373574">Technical Issues</a></dt></dl></div><div class="indexdiv"><h3>T</h3><dl><dt>tattooing, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>TCP/IP, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>tdbdump, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>tdbsam, <a href="secure.html#id324638">Technical Issues</a>, <a href="secure.html#id325041">Implementation</a>, <a href="Big500users.html">The 500-User Office</a>, <a href="happy.html#id336272">Assignment Tasks</a>, <a href="2000users.html#id347824">Dissection and Discussion</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="upgrades.html#id363507">Updating from Samba Versions between 3.0.6 and 3.0.10</a>, <a href="ntmigration.html#id364468">Technical Issues</a>, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>template primary group, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>template shell, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active 
Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>testparm, <a href="small.html#id323199">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="HA.html#id381308">Samba Configuration</a></dt><dt>ticket, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>time server, <a href="secure.html#id325041">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>Tivoli Directory Server, <a href="happy.html#id336400">Dissection and Discussion</a></dt><dt>TLS, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>token, <a href="DomApps.html#id377849">Technical Issues</a></dt><dt>tool, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>TOSHARG2, <a href="simple.html#id317589">Implementation</a></dt><dt>track record, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>traffic collisions, <a href="happy.html">Making Happy Users</a></dt><dt>transaction processing, <a href="2000users.html#id347824">Dissection and Discussion</a></dt><dt>transactional, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>transfer, <a href="ntmigration.html#id367572">Questions 
and Answers</a></dt><dt>translate, <a href="kerberos.html#id376321">Managing Windows 200x ACLs</a></dt><dt>traverse, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></dt><dt>tree, <a href="nw4migration.html#id368660">Dissection and Discussion</a></dt><dt>Tree Connect, <a href="primer.html#id387580">Simple Windows Client Connection Characteristics</a></dt><dt>trust account, <a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a></dt><dt>trusted computing, <a href="kerberos.html#id372607">Introduction</a></dt><dt>Trusted Domains, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>trusted domains, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>trusted third-party, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>trusting, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>turn-around time, <a href="kerberos.html#id373574">Technical Issues</a></dt></dl></div><div class="indexdiv"><h3>U</h3><dl><dt>UDP</dt><dd><dl><dt>broadcast, <a href="HA.html#id381054">Routed Networks</a></dt></dl></dd><dt>UID, <a href="simple.html#id317402">Dissection and Discussion</a>, <a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a>, <a href="happy.html#id336802">Technical Issues</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>un-join, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>unauthorized activities, <a href="kerberos.html#id374766">Kerberos Exposed</a></dt><dt>UNC name, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>unencrypted, <a href="appendix.html#id384378">The LDAP Account Manager</a></dt><dt>Unicast, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a></dt><dt>unicode, <a 
href="upgrades.html#id362458">International Language Support</a></dt><dt>Universal Naming Convention (see UNC name)</dt><dt>UNIX, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dd><dl><dt>groups, <a href="small.html#id321342">Technical Issues</a>, <a href="small.html#id321546">Implementation</a></dt></dl></dd><dt>UNIX accounts, <a href="happy.html#id336802">Technical Issues</a></dt><dt>unix charset, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></dt><dt>unix password sync, <a href="secure.html#id325866">Samba Configuration</a></dt><dt>UNIX/Linux server, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>unix2dos, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a></dt><dt>unknown, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>unsupported software, <a href="ch14.html#id382382">Commercial Support</a></dt><dt>update, <a href="upgrades.html#id361313">Introduction</a>, <a href="upgrades.html#id361397">Cautions and Notes</a></dt><dt>updates, <a href="kerberos.html#id372607">Introduction</a>, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>updating smbldap-tools, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>upgrade, <a href="upgrades.html#id361313">Introduction</a>, <a href="upgrades.html#id361397">Cautions and Notes</a>, <a 
href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>uppercase, <a href="ntmigration.html#id364791">Implementation</a></dt><dt>use client driver, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>user</dt><dd><dl><dt>management, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a></dt></dl></dd><dt>user account, <a href="happy.html">Making Happy Users</a>, <a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></dt><dt>User and Group Controls, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>user credentials, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="unixclients.html#id359708">UNIX/Linux Client Domain Member</a></dt><dt>user errors, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>user groups, <a href="ch14.html#id382184">Free Support</a></dt><dt>user identities, <a href="unixclients.html#id353760">Implementation</a></dt><dt>user logins, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>user management, <a href="secure.html#id325041">Implementation</a></dt><dt>User Manager, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>User Mode, <a href="secure.html#id325041">Implementation</a>, <a href="primer.html#id387580">Simple Windows Client Connection Characteristics</a>, <a href="primer.html#id388041">Windows 200x/XP Client Interaction with Samba-3</a></dt><dt>useradd, <a href="simple.html#id317589">Implementation</a>, <a 
href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id332221">Configuration for Server: MASSIVE</a>, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>userdel, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a></dt><dt>usermod, <a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>username, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>username map, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id331694">Server Preparation: All Servers</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>UTF-8, <a href="upgrades.html#id362458">International Language Support</a></dt><dt>utilities, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>utmp, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="2000users.html#id348912">Implementation</a></dt></dl></div><div 
class="indexdiv"><h3>V</h3><dl><dt>valid users, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="kerberos.html#id375528">Checkpoint Controls</a>, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>validate, <a href="ntmigration.html#id367572">Questions and Answers</a>, <a href="kerberos.html#id375528">Checkpoint Controls</a></dt><dt>validated, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="kerberos.html#id372607">Introduction</a></dt><dt>validation, <a href="simple.html#validate1">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>vampire, <a href="ntmigration.html#id367572">Questions and Answers</a></dt><dt>vendor, <a href="kerberos.html#id373203">Dissection and Discussion</a></dt><dt>vendors, <a href="upgrades.html#id363384">Updating a Samba-3 Installation</a></dt><dt>veto files, <a href="secure.html#id325866">Samba Configuration</a>, <a 
href="Big500users.html#id330980">Implementation</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>veto oplock files, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a></dt><dt>VFS modules, <a href="appendix.html#id383041">Samba System File Location</a></dt><dt>virus, <a href="secure.html#id325041">Implementation</a></dt><dt>VPN, <a href="2000users.html#id347767">Assignment Tasks</a></dt><dt>vulnerabilities, <a href="kerberos.html#id372607">Introduction</a></dt></dl></div><div class="indexdiv"><h3>W</h3><dl><dt>wbinfo, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="DomApps.html#id378606">Samba Configuration</a></dt><dt>weakness, <a href="kerberos.html#id373574">Technical Issues</a></dt><dt>web</dt><dd><dl><dt>caching, <a href="DomApps.html#id377734">Assignment Tasks</a></dt><dt>proxying, <a href="DomApps.html#id377734">Assignment Tasks</a></dt></dl></dd><dt>Web</dt><dd><dl><dt>proxy, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dd><dl><dt>access, <a href="DomApps.html#id379772">Key Points Learned</a></dt></dl></dd></dl></dd><dt>Web browsers, <a href="DomApps.html#id379772">Key Points Learned</a></dt><dt>WebClient, <a href="happy.html">Making Happy Users</a></dt><dt>WHATSNEW.txt, <a href="upgrades.html#id363269">Samba-2.x with LDAP Support</a></dt><dt>white-pages, <a href="nw4migration.html#id368732">Technical Issues</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>wide-area, <a href="2000users.html#id348107">User Needs</a>, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="2000users.html#id352072">Key Points Learned</a>, <a 
href="2000users.html#id352211">Questions and Answers</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></dt><dt>wide-area network, <a href="HA.html#id381603">Use and Location of BDCs</a>, <a href="HA.html#id381784">Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</a></dt><dt>winbind, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#id353067">Dissection and Discussion</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="kerberos.html#id372607">Introduction</a>, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="DomApps.html#id377849">Technical Issues</a>, <a href="DomApps.html#id378606">Samba Configuration</a>, <a href="DomApps.html#id379127">NSS Configuration</a></dt><dt>Winbind, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="kerberos.html#id373574">Technical Issues</a>, <a href="kerberos.html#id377005">Key Points Learned</a></dt><dt>winbind enum groups, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="DomApps.html#id379127">NSS Configuration</a></dt><dt>winbind enum users, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="DomApps.html#id379127">NSS Configuration</a></dt><dt>winbind nested groups, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>winbind separator, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="DomApps.html#id379127">NSS Configuration</a></dt><dt>winbind trusted 
domains only, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>winbind use default domain, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="kerberos.html#id375528">Checkpoint Controls</a></dt><dt>winbind user default domain, <a href="DomApps.html#id379127">NSS Configuration</a></dt><dt>winbindd, <a href="small.html#id323199">Validation</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="Big500users.html#id330784">Technical Issues</a>, <a href="unixclients.html#id353091">Technical Issues</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#id360240">Questions and Answers</a>, <a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a>, <a href="upgrades.html#id363581">Updating from Samba Versions after 3.0.6 to a Current Release</a>, <a href="upgrades.html#id363672">Replacing a Domain Member Server</a>, <a href="DomApps.html#id378606">Samba Configuration</a>, <a href="DomApps.html#id379827">Questions and Answers</a>, <a href="appendix.html#id383432">Starting Samba</a></dt><dt>winbindd_cache.tdb, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>winbindd_idmap.tdb, <a href="unixclients.html#id353091">Technical Issues</a></dt><dt>Windows, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dd><dl><dt>client, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a></dt><dt>NT, <a href="upgrades.html#id361487">Security Identifiers 
(SIDs)</a></dt></dl></dd><dt>Windows 2000 ACLs, <a href="kerberos.html#id376321">Managing Windows 200x ACLs</a></dt><dt>Windows 2003 Serve, <a href="kerberos.html#id372607">Introduction</a></dt><dt>Windows 200x ACLs, <a href="kerberos.html#id377127">Questions and Answers</a></dt><dt>Windows accounts, <a href="happy.html#id336802">Technical Issues</a></dt><dt>Windows ACLs, <a href="kerberos.html#id376809">Setting Posix ACLs in UNIX/Linux</a></dt><dt>Windows Address Book, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>Windows ADS Domain, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></dt><dt>Windows clients, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>Windows Explorer, <a href="simple.html#validate1">Validation</a></dt><dt>Windows explorer, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>Windows security identifier (see SID)</dt><dt>Windows Servers, <a href="kerberos.html#id372607">Introduction</a></dt><dt>Windows Services for UNIX (see SUS)</dt><dt>Windows XP, <a href="small.html#id321247">Assignment Tasks</a></dt><dt>WINS, <a href="simple.html#id317589">Implementation</a>, <a href="small.html#id321342">Technical Issues</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#ch4wincfg">Windows Client Configuration</a>, <a href="Big500users.html#id330784">Technical Issues</a>, <a href="Big500users.html#ch5wincfg">Windows Client Configuration</a>, <a href="2000users.html#id348183">The Nature of Windows Networking Protocols</a>, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="2000users.html#id352211">Questions and Answers</a>, <a href="primer.html#chap01qa">Questions and Answers</a></dt><dd><dl><dt>lookup, <a href="unixclients.html#id360240">Questions and Answers</a></dt><dt>name resolution, <a href="HA.html#id381054">Routed Networks</a></dt><dt>server, <a href="happy.html">Making Happy 
Users</a>, <a href="HA.html#id381054">Routed Networks</a></dt></dl></dd><dt>WINS server, <a href="Big500users.html">The 500-User Office</a>, <a href="2000users.html#id352211">Questions and Answers</a></dt><dt>wins server, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></dt><dt>WINS serving, <a href="secure.html#id325041">Implementation</a></dt><dt>wins support, <a href="simple.html#id317589">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325041">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="secure.html#ch4valid">Validation</a>, <a href="Big500users.html#id330980">Implementation</a>, <a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>wins.dat, <a href="2000users.html#id348480">Identity Management Needs</a>, <a href="upgrades.html#id363672">Replacing a Domain Member Server</a></dt><dt>Word, <a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></dt><dt>workgroup, <a href="simple.html#id316708">Implementation</a>, <a href="simple.html#id317589">Implementation</a>, <a href="simple.html#AcctgNet">Implementation</a>, <a href="small.html#id321546">Implementation</a>, <a href="secure.html#id325866">Samba Configuration</a>, <a href="Big500users.html#id330980">Implementation</a>, <a 
href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a>, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a href="unixclients.html#id358229">IDMAP_RID with Winbind</a>, <a href="unixclients.html#id358814">IDMAP Storage in LDAP using Winbind</a>, <a href="unixclients.html#id359380">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a href="upgrades.html#id361487">Security Identifiers (SIDs)</a>, <a href="upgrades.html#id362215">Change of Workgroup (Domain) Name</a>, <a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a>, <a href="nw4migration.html#id368982">LDAP Server Configuration</a>, <a href="DomApps.html#id379127">NSS Configuration</a></dt><dt>Workgroup Announcement, <a href="primer.html#id387234">Findings</a></dt><dt>workstation, <a href="unixclients.html#id353760">Implementation</a></dt><dt>wrapper, <a href="DomApps.html#id379827">Questions and Answers</a></dt><dt>write list, <a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a>, <a href="2000users.html#id348912">Implementation</a>, <a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a>, <a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a>, <a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a>, <a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a>, <a 
href="nw4migration.html#id368982">LDAP Server Configuration</a></dt><dt>write lock, <a href="appendix.html#id385938">Opportunistic Locking Controls</a></dt></dl></div><div class="indexdiv"><h3>X</h3><dl><dt>xinetd, <a href="secure.html#procstart">Process Startup Configuration</a></dt><dt>XML, <a href="2000users.html#id347824">Dissection and Discussion</a></dt><dt>xmlsam, <a href="2000users.html#id348912">Implementation</a></dt></dl></div><div class="indexdiv"><h3>Y</h3><dl><dt>YaST, <a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></dt><dt>Yellow Pages, <a href="2000users.html#id348480">Identity Management Needs</a></dt><dt>yellow pages (see NIS)</dt></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="go01.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Glossary </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html>
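Review bot: two index entries in this hunk carry typos that will mislead readers looking up Samba parameters and should be corrected in the DocBook indexterm source rather than in this generated HTML. The entry `winbind user default domain` (pointing at the DomApps.html "NSS Configuration" section) sits right next to the correctly spelled `winbind use default domain`, which is the actual smb.conf parameter, so the two entries should be merged under the correct name; and `Windows 2003 Serve` is missing its trailing `r`.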
diff --git a/docs/htmldocs/Samba3-ByExample/kerberos.html b/docs/htmldocs/Samba3-ByExample/kerberos.html
new file mode 100644
index 0000000000..f5085f4a98
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/kerberos.html
@@ -0,0 +1,826 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Active Directory, Kerberos, and Security</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="RefSection.html" title="Part III. Reference Section"><link rel="next" href="DomApps.html" title="Chapter 12. Integrating Additional Services"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Active Directory, Kerberos, and Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="kerberos"></a>Chapter 11. 
Active Directory, Kerberos, and Security</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="kerberos.html#id372607">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id373189">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id373203">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id373574">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id375060">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id375395">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id375952">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id376321">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id377005">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id377127">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id372556"></a>
+ By this point in the book, you have been exposed to many Samba-3 features and capabilities.
+ More importantly, if you have implemented the examples given, you are well on your way to becoming
+ a Samba-3 networking guru who knows a lot about Microsoft Windows. If you have taken the time to
+ practice, you likely have thought of improvements and scenarios with which you can experiment. You
+ are rather well plugged in to the many flexible ways Samba can be used.
+ </p><p><a class="indexterm" name="id372570"></a>
+ This is a book about Samba-3. Understandably, its intent is to present it in a positive light.
+ The casual observer might conclude that this book is one-eyed about Samba. It is what
+ would you expect? This chapter exposes some criticisms that have been raised concerning
+ the use of Samba. For each criticism, there are good answers and appropriate solutions.
+ </p><p>
+ Some criticism always comes from deep inside ranks that one would expect to be supportive of a particular
+ decision. Criticism can be expected from the outside. Let's see how the interesting dynamic of
+ criticism develops with respect to Abmas.
+ </p><p><a class="indexterm" name="id372594"></a>
+ This chapter provides a shameless self-promotion of Samba-3. The objections raised were not pulled
+ out of thin air. They were drawn from comments made by Samba users and from criticism during
+ discussions with Windows network administrators. The tone of the objections reflects as closely
+ as possible that of the original. The case presented is a straw-man example that is designed to
+ permit each objection to be answered as it might occur in real life.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id372607"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id372613"></a><a class="indexterm" name="id372621"></a><a class="indexterm" name="id372629"></a><a class="indexterm" name="id372637"></a><a class="indexterm" name="id372645"></a>
+ Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took
+ note of the spectacular projection of Abmas onto the global business stage. Abmas is building an
+ interesting portfolio of companies that includes accounting services, financial advice, investment
+ portfolio management, property insurance, risk assessment, and the recent addition of a a video rental
+ business. The pieces do not always appear to fit together, but Mr. Meany is certainly executing an
+ interesting business growth and development plan. Abmas Video Rentals was recently acquired.
+ During the time that the acquisition was closing, the Video Rentals business upgraded its Windows
+ NT4-based network to Windows 2003 Server and Active Directory.
+ </p><p><a class="indexterm" name="id372662"></a>
+ You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory.
+ The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform.
+ Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to
+ operate with a solution that is viewed by Christine and her group as &#8220;<span class="quote">an island of broken
+ technologies.</span>&#8221; This comment was made by one of Christine's staff as they were installing a new
+ Samba-3 server at the new business.
+ </p><p><a class="indexterm" name="id372681"></a><a class="indexterm" name="id372689"></a>
+ Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer
+ should make such a comment. He felt that he had to prepare in case he might be criticized for his
+ decision to use Active Directory. He decided he would defend his decision by hiring the services
+ of an outside security systems consultant to report<sup>[<a name="id372701" href="#ftn.id372701">12</a>]</sup> on his unit's operations
+ and to investigate the role of Samba at his site. Here are key extracts from this hypothetical
+ report:
+ </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id372710"></a><a class="indexterm" name="id372718"></a><a class="indexterm" name="id372726"></a><a class="indexterm" name="id372733"></a>
+ ... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site,
+ has been examined. We find no evidence to support a notion that vulnerabilities exist at your site.
+ ... we took additional steps to validate the integrity of the installation and operation of Active
+ Directory and are pleased that your staff are following sound practices.
+ </p><p>
+ ...
+ </p><p><a class="indexterm" name="id372751"></a><a class="indexterm" name="id372763"></a><a class="indexterm" name="id372774"></a><a class="indexterm" name="id372782"></a><a class="indexterm" name="id372790"></a><a class="indexterm" name="id372798"></a>
+ User and group accounts, and respective privileges, have been well thought out. File system shares are
+ appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and
+ effective off-site storage practices are considered to exceed industry norms.
+ </p><p><a class="indexterm" name="id372811"></a><a class="indexterm" name="id372819"></a><a class="indexterm" name="id372827"></a>
+ Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain
+ a secure network.
+ </p><p><a class="indexterm" name="id372843"></a><a class="indexterm" name="id372850"></a><a class="indexterm" name="id372858"></a><a class="indexterm" name="id372866"></a>
+ The recently installed Linux file and application server uses a tool called <code class="literal">winbind</code>
+ that is indiscriminate about security. All user accounts in Active Directory can be used to access data
+ stored on the Linux system. We are alarmed that secure information is accessible to staff who should
+ not even be aware that it exists. We share the concerns of your network management staff who have gone
+ to great lengths to set fine-grained controls that limit information access to those who need access.
+ It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work.
+ </p><p><a class="indexterm" name="id372892"></a><a class="indexterm" name="id372900"></a><a class="indexterm" name="id372908"></a>
+ Graham Judd [head of network administration] has locked down the security of all systems and is following
+ the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network
+ is isolated from the outside world, the [product name removed] firewall is under current contract
+ maintenance support from [the manufacturer]. ... our attempts to penetrate security of your systems
+ failed to find problems common to Windows networking sites. We commend your staff on their attention to
+ detail and for following Microsoft recommended best practices.
+ </p><p>
+ ...
+ </p><p><a class="indexterm" name="id372927"></a><a class="indexterm" name="id372935"></a><a class="indexterm" name="id372943"></a><a class="indexterm" name="id372951"></a>
+ Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of
+ all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft
+ ... what worries us regarding Samba is the need to disable essential Windows security features such as
+ secure channel support, digital sign'n'seal on all communication traffic, and running Active Directory in
+ mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that
+ Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that
+ with trusted computing initiatives that the Samba developers do not participate in.
+ </p><p><a class="indexterm" name="id372968"></a><a class="indexterm" name="id372976"></a><a class="indexterm" name="id372984"></a><a class="indexterm" name="id372992"></a><a class="indexterm" name="id373000"></a><a class="indexterm" name="id373007"></a><a class="indexterm" name="id373015"></a>
+ One wonders about the integrity of an open source program that is developed by a team of hackers
+ who cannot be held accountable for the flaws in their code. The sheer number of updates and bug
+ fixes they have released should ring alarm bells in any business.
+ </p><p><a class="indexterm" name="id373029"></a><a class="indexterm" name="id373037"></a><a class="indexterm" name="id373044"></a>
+ Another factor that should be considered is that buying Microsoft products and services helps to
+ provide employment in the IT industry. Samba and Open Source software place those jobs at risk.
+ </p></blockquote></div><p><a class="indexterm" name="id373057"></a><a class="indexterm" name="id373065"></a>
+ This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple
+ discussion, but it gets further out of hand. When you return to your office, you find the following
+ email in your in-box:
+ </p><p>
+ Good afternoon,
+ </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
+ I apologize for the leak of internal discussions to the new business. It reflects poorly on our
+ professionalism and has put you in an unpleasant position. I regret the incident.
+ </p><p>
+ I also wish to advise that two of the recent recruits want to implement Kerberos authentication
+ across all systems. I concur with the desire to improve security. One of the new guys who is championing
+ the move to Kerberos was responsible for the comment that caused the embarrassment.
+ </p><p><a class="indexterm" name="id373096"></a><a class="indexterm" name="id373104"></a><a class="indexterm" name="id373111"></a><a class="indexterm" name="id373119"></a>
+ I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP,
+ plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect
+ to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent,
+ I would like to hire the services of a well-known Samba consultant to set the record straight.
+ </p><p><a class="indexterm" name="id373134"></a><a class="indexterm" name="id373142"></a><a class="indexterm" name="id373150"></a><a class="indexterm" name="id373158"></a><a class="indexterm" name="id373166"></a><a class="indexterm" name="id373173"></a>
+ I intend to use this report to answer the criticism raised and would like to establish a policy that we
+ will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered
+ out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain
+ responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce
+ use of any centrally proposed standards, but make all noncompliance the financial responsibility of the
+ out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone.
+ </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Stan</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id373189"></a>Assignment Tasks</h3></div></div></div><p>
+ You agreed with Stan's recommendations and hired a consultant to help defuse the powder
+ keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able
+ to support his or her claims, keep emotions to the side, and answer technically.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id373203"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id373209"></a><a class="indexterm" name="id373217"></a><a class="indexterm" name="id373225"></a><a class="indexterm" name="id373233"></a><a class="indexterm" name="id373241"></a><a class="indexterm" name="id373249"></a><a class="indexterm" name="id373257"></a>
+ Samba-3 is a tool. No one is pounding your door to make you use Samba. That is a choice that you are free to
+ make or reject. It is likely that your decision to use Samba can greatly benefit your company.
+ The Samba Team obviously believes that the Samba software is a worthy choice.
+ If you hire a consultant to assist with the installation and/or deployment of Samba, or if you hire
+ someone to help manage your Samba installation, you can create income and employment. Alternately,
+ money saved by not spending in the IT area can be spent elsewhere in the business. All money saved
+ or spent creates employment.
+ </p><p><a class="indexterm" name="id373273"></a><a class="indexterm" name="id373281"></a><a class="indexterm" name="id373289"></a><a class="indexterm" name="id373297"></a><a class="indexterm" name="id373305"></a>
+ In the long term, the use of Samba must be economically sustainable. In some situations, Samba is adopted
+ purely to provide file and print service interoperability on platforms that otherwise cannot provide
+ access to data and to printers for Microsoft Windows clients. Samba is used by some businesses to
+ effect a reduction in the cost of providing IT services. Obviously, it is also used by some as an
+ alternative to the use of a Microsoft file and print serving platforms with no consideration of costs.
+ </p><p><a class="indexterm" name="id373320"></a><a class="indexterm" name="id373328"></a><a class="indexterm" name="id373336"></a><a class="indexterm" name="id373343"></a>
+ It would be foolish to adopt a technology that might put any data or users at risk. Security affects
+ everyone. The Samba-Team is fully cognizant of the responsibility they have to their users.
+ The Samba documentation clearly reveals that full responsibility is accepted to fix anything
+ that is broken.
+ </p><p><a class="indexterm" name="id373357"></a><a class="indexterm" name="id373365"></a><a class="indexterm" name="id373373"></a><a class="indexterm" name="id373381"></a><a class="indexterm" name="id373392"></a><a class="indexterm" name="id373400"></a><a class="indexterm" name="id373408"></a><a class="indexterm" name="id373416"></a><a class="indexterm" name="id373424"></a><a class="indexterm" name="id373432"></a><a class="indexterm" name="id373439"></a>
+ There is a mistaken perception in the IT industry that commercial software providers are fully
+ accountable for the defects in products. Open Source software comes with no warranty, so it is
+ often assumed that its use confers a higher degree of risk. Everyone should read commercial software
+ End User License Agreements (EULAs). You should determine what real warranty is offered and the
+ extent of liability that is accepted. Doing so soon dispels the popular notion that
+ commercial software vendors are willingly accountable for product defects. In many cases, the
+ commercial vendor accepts liability only to reimburse the price paid for the software.
+ </p><p><a class="indexterm" name="id373462"></a><a class="indexterm" name="id373470"></a><a class="indexterm" name="id373477"></a><a class="indexterm" name="id373485"></a><a class="indexterm" name="id373493"></a><a class="indexterm" name="id373501"></a>
+ The real issues that a consumer (like you) needs answered are What is the way of escape from technical
+ problems, and how long will it take? The average problem turnaround time in the Open Source community is
+ approximately 48 hours. What does the EULA offer? What is the track record in the commercial software
+ industry? What happens when your commercial vendor decides to cease providing support?
+ </p><p><a class="indexterm" name="id373516"></a><a class="indexterm" name="id373523"></a><a class="indexterm" name="id373531"></a><a class="indexterm" name="id373539"></a><a class="indexterm" name="id373547"></a><a class="indexterm" name="id373555"></a><a class="indexterm" name="id373562"></a>
+ Open Source software at least puts you in possession of the source code. This means that when
+ all else fails, you can hire a programmer to solve the problem.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id373574"></a>Technical Issues</h3></div></div></div><p>
+ Each issue is now discussed and, where appropriate, example implementation steps are
+ provided.
+ </p><div class="variablelist"><dl><dt><span class="term">Winbind and Security</span></dt><dd><p><a class="indexterm" name="id373594"></a><a class="indexterm" name="id373601"></a><a class="indexterm" name="id373609"></a><a class="indexterm" name="id373621"></a><a class="indexterm" name="id373628"></a><a class="indexterm" name="id373636"></a><a class="indexterm" name="id373644"></a><a class="indexterm" name="id373652"></a><a class="indexterm" name="id373660"></a><a class="indexterm" name="id373668"></a>
+ Windows network administrators may be dismayed to find that <code class="literal">winbind</code>
+ exposes all domain users so that they may use their domain account credentials to
+ log on to a UNIX/Linux system. The fact that all users in the domain can see the
+ UNIX/Linux server in their Network Neighborhood and can browse the shares on the
+ server seems to excite them further.
+ </p><p><a class="indexterm" name="id373688"></a><a class="indexterm" name="id373696"></a><a class="indexterm" name="id373704"></a><a class="indexterm" name="id373712"></a>
+ <code class="literal">winbind</code> provides for the UNIX/Linux domain member server or
+ client, the same as one would obtain by adding a Microsoft Windows server or
+ client to the domain. The real objection is the fact that Samba is not MS Windows
+ and therefore requires handling a little differently from the familiar Windows systems.
+ One must recognize fear of the unknown.
+ </p><p><a class="indexterm" name="id373734"></a><a class="indexterm" name="id373742"></a><a class="indexterm" name="id373750"></a><a class="indexterm" name="id373758"></a><a class="indexterm" name="id373766"></a><a class="indexterm" name="id373777"></a>
+ Windows network administrators need to recognize that <code class="literal">winbind</code> does
+ not, and cannot, override account controls set using the Active Directory management
+ tools. The control is the same. Have no fear.
+ </p><p><a class="indexterm" name="id373796"></a><a class="indexterm" name="id373804"></a><a class="indexterm" name="id373815"></a><a class="indexterm" name="id373823"></a><a class="indexterm" name="id373831"></a><a class="indexterm" name="id373839"></a><a class="indexterm" name="id373847"></a><a class="indexterm" name="id373855"></a><a class="indexterm" name="id373862"></a><a class="indexterm" name="id373870"></a>
+ Where Samba and the ADS domain account information obtained through the use of
+ <code class="literal">winbind</code> permits access, by browsing or by the drive mapping to
+ a share, to data that should be better protected. This can only happen when security
+ controls have not been properly implemented. Samba permits access controls to be set
+ on:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Shares themselves (i.e., the logical share itself)</p></li><li><p>The share definition in <code class="filename">smb.conf</code></p></li><li><p>The shared directories and files using UNIX permissions</p></li><li><p>Using Windows 2000 ACLs if the file system is POSIX enabled</p></li></ul></div><p>
+ Examples of each are given in <a href="kerberos.html#ch10expl" title="Implementation">???</a>.
+ </p></dd><dt><span class="term">User and Group Controls</span></dt><dd><p><a class="indexterm" name="id373940"></a><a class="indexterm" name="id373947"></a><a class="indexterm" name="id373959"></a><a class="indexterm" name="id373970"></a><a class="indexterm" name="id373978"></a><a class="indexterm" name="id373986"></a><a class="indexterm" name="id373993"></a><a class="indexterm" name="id374001"></a><a class="indexterm" name="id374009"></a>
+ User and group management facilities as known in the Windows ADS environment may be
+ used to provide equivalent access control constraints or to provide equivalent
+ permissions and privileges on Samba servers. Samba offers greater flexibility in the
+ use of user and group controls because it has additional layers of control compared to
+ Windows 200x/XP. For example, access controls on a Samba server may be set within
+ the share definition in a manner for which Windows has no equivalent.
+ </p><p><a class="indexterm" name="id374029"></a><a class="indexterm" name="id374037"></a><a class="indexterm" name="id374045"></a><a class="indexterm" name="id374053"></a><a class="indexterm" name="id374064"></a><a class="indexterm" name="id374072"></a><a class="indexterm" name="id374080"></a>
+ In any serious analysis of system security, it is important to examine the safeguards
+ that remain when all other protective measures fail. An administrator may inadvertently
+ set excessive permissions on the file system of a shared resource, or he may set excessive
+ privileges on the share itself. If that were to happen in a Windows 2003 Server environment,
+ the data would indeed be laid bare to abuse. Yet, within a Samba share definition, it is
+ possible to guard against that by enforcing controls on the share definition itself. You
+ see a practical example of this a little later in this chapter.
+ </p><p><a class="indexterm" name="id374096"></a><a class="indexterm" name="id374104"></a>
+ The report that is critical of Samba really ought to have exercised greater due
+ diligence: the real weakness is on the side of a Microsoft Windows environment.
+ </p></dd><dt><span class="term">Security Overall</span></dt><dd><p><a class="indexterm" name="id374124"></a>
+ Samba is designed in such a manner that weaknesses inherent in the design of
+ Microsoft Windows networking ought not to expose the underlying UNIX/Linux file
+ system in any way. All software has potential defects, and Samba is no exception.
+ What matters more is how defects that are discovered get dealt with.
+ </p><p><a class="indexterm" name="id374138"></a><a class="indexterm" name="id374146"></a><a class="indexterm" name="id374154"></a><a class="indexterm" name="id374162"></a>
+ The Samba Team totally agrees with the necessity to observe and fully implement
+ every security facility to provide a level of protection and security that is necessary
+ and that the end user (or network administrator) needs. Never would the Samba Team
+ recommend a compromise to system security, nor would deliberate defoliation of
+ security be publicly condoned; yet this is the practice by many Windows network
+ administrators just to make happy users who have no notion of consequential risk.
+ </p><p><a class="indexterm" name="id374178"></a><a class="indexterm" name="id374186"></a><a class="indexterm" name="id374193"></a><a class="indexterm" name="id374201"></a><a class="indexterm" name="id374209"></a><a class="indexterm" name="id374217"></a><a class="indexterm" name="id374225"></a>
+ The report condemns Samba for releasing updates and security fixes, yet Microsoft
+ online updates need to be applied almost weekly. The answer to the criticism
+ lies in the fact that Samba development is continuing, documentation is improving,
+ user needs are being increasingly met or exceeded, and security updates are issued
+ with a short turnaround time.
+ </p><p><a class="indexterm" name="id374239"></a><a class="indexterm" name="id374247"></a><a class="indexterm" name="id374255"></a><a class="indexterm" name="id374263"></a><a class="indexterm" name="id374271"></a>
+ The release of Samba-4 is expected around late 2004 to early 2005 and involves a near
+ complete rewrite to permit extensive modularization and to prepare Samba for new
+ functionality planned for addition during the next-generation series. The Samba Team
+ is responsible and can be depended upon; the history to date suggests a high
+ degree of dependability and on charter development consistent with published
+ roadmap projections.
+ </p><p><a class="indexterm" name="id374289"></a><a class="indexterm" name="id374297"></a><a class="indexterm" name="id374309"></a><a class="indexterm" name="id374320"></a><a class="indexterm" name="id374328"></a><a class="indexterm" name="id374336"></a><a class="indexterm" name="id374343"></a>
+ Not well published is the fact that Microsoft was a foundation member of
+ the Common Internet File System (CIFS) initiative, together with the participation
+ of the network attached storage (NAS) industry. Unfortunately, for the past few years,
+ Microsoft has been absent from active involvement at CIFS conferences and has
+ not exercised the leadership expected of a major force in the networking technology
+ space. The Samba Team has maintained consistent presence and leadership at all
+ CIFS conferences and at the interoperability laboratories run concurrently with
+ them.
+ </p></dd><dt><span class="term">Cryptographic Controls (schannel, sign'n'seal)</span></dt><dd><p><a class="indexterm" name="id374368"></a><a class="indexterm" name="id374376"></a><a class="indexterm" name="id374383"></a>
+ The report correctly mentions that Samba did not support the most recent
+ <code class="constant">schannel</code> and <code class="constant">digital sign'n'seal</code> features
+ of Microsoft Windows NT/200x/XPPro products. This is one of the key features
+ of the Samba-3 release. Market research reports take so long to generate that they are
+ seldom a reflection of current practice, and in many respects reports are like a
+ pathology report they reflect accurately (at best) status at a snapshot in time.
+ Meanwhile, the world moves on.
+ </p><p><a class="indexterm" name="id374409"></a><a class="indexterm" name="id374416"></a><a class="indexterm" name="id374424"></a><a class="indexterm" name="id374432"></a><a class="indexterm" name="id374440"></a><a class="indexterm" name="id374455"></a><a class="indexterm" name="id374463"></a>
+ It should be pointed out that had clear public specifications for the protocols
+ been published, it would have been much easier to implement these features and would have
+ taken less time to do. The sole mechanism used to find an algorithm that is compatible
+ with the methods used by Microsoft has been based on observation of network traffic
+ and trial-and-error implementation of potential techniques. The real value of public
+ and defensible standards is obvious to all and would have enabled more secure networking
+ for everyone.
+ </p><p><a class="indexterm" name="id374478"></a><a class="indexterm" name="id374486"></a>
+ Critics of Samba often ignore fundamental problems that may plague (or may have plagued)
+ the users of Microsoft's products also. Those who are first to criticize Samba
+ for not rushing into release of <code class="constant">digital sign'n'seal</code> support
+ often dismiss the problems that Microsoft has
+ <a href="http://support.microsoft.com/default.aspx?kbid=321733" target="_top">acknowledged</a>
+ and for which a fix was provided. In fact,
+ <a href="http://www.tangent-systems.com/support/delayedwrite.html" target="_top">Tangent Systems</a>
+ have documented a significant problem with delays writes that can be connected with the
+ implementation of sign'n'seal. They provide a work-around that is not trivial for many
+ Windows networking sites. From notes such as this it is clear that there are benefits
+ from not rushing new technology out of the door too soon.
+ </p><p><a class="indexterm" name="id374519"></a><a class="indexterm" name="id374527"></a><a class="indexterm" name="id374535"></a><a class="indexterm" name="id374543"></a><a class="indexterm" name="id374551"></a><a class="indexterm" name="id374558"></a><a class="indexterm" name="id374566"></a><a class="indexterm" name="id374574"></a><a class="indexterm" name="id374582"></a>
+ One final comment is warranted. If companies want more secure networking protocols,
+ the most effective method by which this can be achieved is by users seeking
+ and working together to help define open and publicly refereed standards. The
+ development of closed source, proprietary methods that are developed in a
+ clandestine framework of secrecy, under claims of digital rights protection, does
+ not favor the diffusion of safe networking protocols and certainly does not
+ help the consumer to make a better choice.
+ </p></dd><dt><span class="term">Active Directory Replacement with Kerberos, LDAP, and Samba</span></dt><dd><p>
+ </p><div class="literallayout"><p>    </p></div><p>
+ The Microsoft networking protocols extensively make use of remote procedure call (RPC)
+ technology. Active Directory is not a simple mixture of LDAP and Kerberos together
+ with file and print services, but rather is a complex, intertwined implementation
+ of them that uses RPCs that are not supported by any of these component technologies
+ and yet by which they are made to interoperate in ways that the components do not
+ support.
+ </p><p><a class="indexterm" name="id374664"></a><a class="indexterm" name="id374675"></a><a class="indexterm" name="id374683"></a><a class="indexterm" name="id374691"></a><a class="indexterm" name="id374699"></a>
+ In order to make the popular request for Samba to be an Active Directory Server a
+ reality, it is necessary to add to OpenLDAP, Kerberos, as well as Samba, RPC calls
+ that are not presently supported. The Samba Team has not been able to gain critical
+ overall support for all project maintainers to work together on the complex
+ challenge of developing and integrating the necessary technologies. Therefore, if
+ the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality
+ into the Samba project, this dream request cannot become a reality.
+ </p><p><a class="indexterm" name="id374715"></a><a class="indexterm" name="id374723"></a><a class="indexterm" name="id374731"></a><a class="indexterm" name="id374742"></a><a class="indexterm" name="id374750"></a>
+ At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the
+ Samba development roadmap. If it is not on the published roadmap, it cannot be delivered
+ anytime soon. Ergo, ADS server support is not a current goal for Samba development.
+ The Samba Team is most committed to permitting Samba to be a full ADS domain member
+ that is increasingly capable of being managed using Microsoft Windows MMC tools.
+ </p></dd></dl></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id374766"></a>Kerberos Exposed</h4></div></div></div><p><a class="indexterm" name="id374772"></a><a class="indexterm" name="id374780"></a><a class="indexterm" name="id374788"></a>
+ Kerberos is a network authentication protocol that provides secure authentication for
+ client-server applications by using secret-key cryptography. Firewalls are an insufficient
+ barrier mechanism in today's networking world; at best they only restrict incoming network
+ traffic but cannot prevent network traffic that comes from authorized locations from
+ performing unauthorized activities.
+ </p><p><a class="indexterm" name="id374802"></a><a class="indexterm" name="id374810"></a><a class="indexterm" name="id374818"></a>
+ Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses
+ strong cryptography so that a client can prove its identity to a server (and vice versa) across an
+ insecure network connection. After a client and server has used Kerberos to prove their identity,
+ they can also encrypt all of their communications to assure privacy and data integrity as they go
+ about their business.
+ </p><p><a class="indexterm" name="id374833"></a><a class="indexterm" name="id374841"></a><a class="indexterm" name="id374849"></a><a class="indexterm" name="id374857"></a><a class="indexterm" name="id374868"></a>
+ Kerberos is a trusted third-party service. That means that there is a third party (the kerberos
+ server) that is trusted by all the entities on the network (users and services, usually called
+ principals). All principals share a secret password (or key) with the kerberos server and this
+ enables principals to verify that the messages from the kerberos server are authentic. Therefore,
+ trusting the kerberos server, users and services can authenticate each other.
+ </p><p>
+ <a class="indexterm" name="id374884"></a>
+ <a class="indexterm" name="id374891"></a>
+ <a class="indexterm" name="id374898"></a>
+ Kerberos was, until recently, a technology that was restricted from being exported from the United States.
+ For many years that hindered global adoption of more secure networking technologies both within the United States
+ and abroad. A free and unencumbered implementation of MIT Kerberos has been produced in Europe
+ and is available from the <a href="http://www.pdc.kth.se/heimdal/" target="_top">Royal Institute</a> of
+ Technology (KTH), Sweden. It is known as the Heimdal Kerberos project. In recent times the U.S. government
+ has removed sanctions affecting the global distribution of MIT Kerberos. It is likely that there will be a
+ significant surge forward in the development of Kerberos-enabled applications and in the general deployment
+ and use of Kerberos across the spectrum of the information technology industry.
+ </p><p>
+ <a class="indexterm" name="id374920"></a>
+ A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation
+ of it. For example, a 2002
+ <a href="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument" target="_top">IDG</a>
+ report<sup>[<a name="id374937" href="#ftn.id374937">13</a>]</sup> by
+ states:
+ </p><div class="blockquote"><blockquote class="blockquote"><p>
+ A Microsoft Corp. executive testified at the software giant's remedy hearing that the company goes to
+ great lengths to disclose interfaces and protocols that allow third-party software products to interact
+ with Windows. But a lawyer with the states suing Microsoft pointed out that when it comes to the company's
+ use of the Kerberos authentication specification, not everyone agrees.
+ </p><p>
+ <a class="indexterm" name="id374958"></a>
+ Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared
+ before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version
+ 5 specification that Windows clients use for proprietary purposes and still achieve interoperability with
+ the Microsoft OS. Microsoft takes advantage of unspecified fields in the Kerberos specification for storing
+ Windows-specific authorization data, Short wrote. The designers of Kerberos left these fields undefined so
+ that software developers could add their own authorization information, he said.
+ </p></blockquote></div><p>
+ <a class="indexterm" name="id374976"></a>
+ <a class="indexterm" name="id374983"></a>
+ It so happens that Microsoft Windows clients depend on and expect the contents of the <span class="emphasis"><em>unspecified
+ fields</em></span> in the Kerberos 5 communications data stream for their Windows interoperability,
+ particularly when Samba is expected to emulate a Windows Server 200x domain controller. But the interoperability
+ issue goes far deeper than this. In the domain control protocols that are used by MS Windows XP Professional,
+ there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment
+ (DCE) RPCs that themselves are an integral part of the SMB/CIFS protocols as used by
+ Microsoft.
+ </p><p>
+ Microsoft makes the following comment in a reference in a
+ <a href="http://www.microsoft.com/technet/itsolutions/interop/mgmt/kerberos.asp" target="_top">
+ technet</a> article:
+ </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id375016"></a><a class="indexterm" name="id375028"></a>
+ The DCE Security Services are also layered on the Kerberos protocol. DCE authentication services use RPC
+ representation of Kerberos protocol messages. In addition, DCE uses the authorization data field in Kerberos
+ tickets to convey Privilege Attribute Certificates (PACs) that define user identity and group membership.
+ The DCE PAC is used in a similar manner as Windows NT Security IDs for user authorization and access control.
+ Windows NT services will not be able to translate DCE PACs into Windows NT user and group identifiers. This
+ is not an issue with Kerberos interoperability, but rather an issue of interoperability between DCE and
+ Windows NT access control information.
+ </p></blockquote></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch10expl"></a>Implementation</h2></div></div></div><p>
+ The following procedures outline the implementation of the security measures discussed so far.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id375060"></a>Share Access Controls</h3></div></div></div><p><a class="indexterm" name="id375067"></a><a class="indexterm" name="id375075"></a><a class="indexterm" name="id375082"></a>
+ Access control entries placed on the share itself act as a filter at the time a when CIFS/SMB client (such as
+ Windows XP Pro) attempts to make a connection to the Samba server.
+ </p><div class="procedure"><a name="id375094"></a><p class="title"><b>Procedure 11.1. Create/Edit/Delete Share ACLs</b></p><ol type="1"><li><p><a class="indexterm" name="id375104"></a><a class="indexterm" name="id375112"></a>
+ From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator
+ account (on Samba domains, this is usually the account called <code class="constant">root</code>).
+ </p></li><li><p>
+ Click
+ <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Settings</span> &#8594; <span class="guimenuitem">Control Panel</span> &#8594; <span class="guimenuitem">Administrative Tools</span> &#8594; <span class="guimenuitem">Computer Management</span>.
+ </p></li><li><p>
+ In the left panel,
+ <span class="guimenu">[Right mouse menu item] Computer Management (Local)</span> &#8594; <span class="guimenuitem">Connect to another computer ...</span> &#8594; <span class="guimenuitem">Browse...</span> &#8594; <span class="guimenuitem">Advanced</span> &#8594; <span class="guimenuitem">Find Now</span>. In the lower panel, click on the name of the server you wish to
+ administer. Click <span class="guimenu">OK</span> &#8594; <span class="guimenuitem">OK</span> &#8594; <span class="guimenuitem">OK</span>.<a class="indexterm" name="id375232"></a>
+ In the left panel, the entry <span class="guimenu">Computer Management (Local)</span> should now reflect
+ the change made. For example, if the server you are administering is called <code class="constant">FRODO</code>,
+ the Computer Management entry should now say <span class="guimenu">Computer Management (FRODO)</span>.
+ </p></li><li><p>
+ In the left panel, click <span class="guimenu">Computer Management (FRODO)</span> &#8594; <span class="guimenuitem">[+] Shared Folders</span> &#8594; <span class="guimenuitem">Shares</span>.
+ </p></li><li><p><a class="indexterm" name="id375293"></a><a class="indexterm" name="id375301"></a>
+ In the right panel, double-click on the share on which you wish to set/edit ACLs. This
+ will bring up the Properties panel. Click the <span class="guimenu">Share Permissions</span> tab.
+ </p></li><li><p><a class="indexterm" name="id375323"></a><a class="indexterm" name="id375331"></a><a class="indexterm" name="id375339"></a><a class="indexterm" name="id375347"></a><a class="indexterm" name="id375354"></a><a class="indexterm" name="id375362"></a>
+ You may now edit/add/remove access control settings. Be very careful. Many problems have been
+ created by people who decided that everyone should be rejected but one particular group should
+ have full control. This is a catch-22 situation because members of that particular group also
+ belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions
+ set for the permitted group.
+ </p></li><li><p>
+ When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
+ buttons.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id375395"></a>Share Definition Controls</h3></div></div></div><p><a class="indexterm" name="id375401"></a><a class="indexterm" name="id375413"></a><a class="indexterm" name="id375421"></a><a class="indexterm" name="id375428"></a><a class="indexterm" name="id375436"></a><a class="indexterm" name="id375444"></a>
+ Share-definition-based access controls can be used like a checkpoint or like a pile-driver. Just as a
+ checkpoint can be used to require someone who wants to get through to meet certain requirements, so
+ it is possible to require the user (or group the user belongs to) to meet specified credential-related
+ objectives. It can be likened to a pile-driver by overriding default controls in that having met the
+ credential-related objectives, the user can be granted powers and privileges that would not normally be
+ available under default settings.
+ </p><p><a class="indexterm" name="id375460"></a><a class="indexterm" name="id375468"></a><a class="indexterm" name="id375476"></a><a class="indexterm" name="id375484"></a>
+ It must be emphasized that the controls discussed here can act as a filter or give rights of passage
+ that act as a superstructure over normal directory and file access controls. However, share-level
+ ACLs act at a higher level than do share definition controls because the user must filter through the
+ share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented
+ by Samba and Windows networking consists of:
+ </p><div class="orderedlist"><ol type="1"><li><p>Share-level ACLs</p></li><li><p>Share-definition controls</p></li><li><p>Directory and file permissions</p></li><li><p>Directory and file POSIX ACLs</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id375528"></a>Checkpoint Controls</h4></div></div></div><p><a class="indexterm" name="id375535"></a>
+ Consider the following extract from a <code class="filename">smb.conf</code> file defining the share called <code class="constant">Apps</code>:
+</p><pre class="screen">
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ valid users = @Employees
+</pre><p>
+ This definition permits only those who are members of the group called <code class="constant">Employees</code> to
+ access the share.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id375568"></a><a class="indexterm" name="id375579"></a><a class="indexterm" name="id375587"></a><a class="indexterm" name="id375595"></a><a class="indexterm" name="id375603"></a>
+ On domain member servers and clients, even when the <em class="parameter"><code>winbind use default domain</code></em> has
+ been specified, the use of domain accounts in security controls requires fully qualified domain specification,
+ for example, <a class="indexterm" name="id375620"></a>valid users = @"MEGANET\Northern Engineers".
+ Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a
+ delimiter.
+ </p></div><p><a class="indexterm" name="id375630"></a><a class="indexterm" name="id375638"></a><a class="indexterm" name="id375646"></a>
+ If there is an ACL on the share itself to permit read/write access for all <code class="constant">Employees</code>
+ as well as read/write for the group <code class="constant">Doctors</code>, both groups are permitted through
+ to the share. However, at the moment an attempt is made to set up a connection to the share, a member of
+ the group <code class="constant">Doctors</code>, who is not also a member of the group <code class="constant">Employees</code>,
+ would immediately fail to validate.
+ </p><p><a class="indexterm" name="id375674"></a>
+ Consider another example. In this case, you want to permit all members of the group <code class="constant">Employees</code>
+ except the user <code class="constant">patrickj</code> to access the <code class="constant">Apps</code> share. This can be
+ easily achieved by setting a share-level ACL permitting only <code class="constant">Employees</code> to access the share,
+ and then in the share definition controls excluding just <code class="constant">patrickj</code>. Here is how that might
+ be done:
+</p><pre class="screen">
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ invalid users = patrickj
+</pre><p>
+ <a class="indexterm" name="id375711"></a>
+ Let us assume that you want to permit the user <code class="constant">gbshaw</code> to manage any file in the
+ UNIX/Linux file system directory <code class="filename">/data/apps</code>, but you do not want to grant any write
+ permissions beyond that directory tree. Here is one way this can be done:
+</p><pre class="screen">
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ invalid users = patrickj
+ admin users = gbshaw
+</pre><p>
+ <a class="indexterm" name="id375738"></a>
+ Now we have a set of controls that permits only <code class="constant">Employees</code> who are also members of
+ the group <code class="constant">Doctors</code>, excluding the user <code class="constant">patrickj</code>, to have
+ read-only privilege, but the user <code class="constant">gbshaw</code> is granted administrative rights.
+ The administrative rights conferred upon the user <code class="constant">gbshaw</code> permit operation as
+ if that user has logged in as the user <code class="constant">root</code> on the UNIX/Linux system and thus,
+ for access to the directory tree that has been shared (exported), permit the user to override controls
+ that apply to all other users on that resource.
+ </p><p>
+ There are additional checkpoint controls that may be used. For example, if for the same share we now
+ want to provide the user <code class="constant">peters</code> with the ability to write to one directory to
+ which he has write privilege in the UNIX file system, you can specifically permit that with the
+ following settings:
+</p><pre class="screen">
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ invalid users = patrickj
+ admin users = gbshaw
+ write list = peters
+</pre><p>
+ <a class="indexterm" name="id375789"></a>
+ This is a particularly complex example at this point, but it begins to demonstrate the possibilities.
+ You should refer to the online manual page for the <code class="filename">smb.conf</code> file for more information regarding
+ the checkpoint controls that Samba implements.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id375808"></a>Override Controls</h4></div></div></div><p><a class="indexterm" name="id375815"></a>
+ Override controls implemented by Samba permit actions like the adoption of a different identity
+ during file system operations, the forced overwriting of normal file and directory permissions,
+ and so on. You should refer to the online manual page for the <code class="filename">smb.conf</code> file for more information regarding
+ the override controls that Samba implements.
+ </p><p>
+ In the following example, you want to create a Windows networking share that any user can access.
+ However, you want all read and write operations to be performed as if the user <code class="constant">billc</code>
+ and member of the group <code class="constant">Mentors</code> read/write the files. Here is one way this
+ can be done:
+</p><pre class="screen">
+[someshare]
+ comment = Some Files Everyone May Overwrite
+ path = /data/somestuff
+ read only = No
+ force user = billc
+ force group = Mentors
+</pre><p>
+ <a class="indexterm" name="id375852"></a><a class="indexterm" name="id375860"></a>
+ That is all there is to it. Well, it is almost that simple. The downside of this method is that
+ users are logged onto the Windows client as themselves, and then immediately before accessing the
+ file, Samba makes system calls to change the effective user and group to the forced settings
+ specified, completes the file transaction, and then reverts to the actually logged-on identity.
+ This imposes significant overhead on Samba. The alternative way to effectively achieve the same result
+ (but with lower system CPU overheads) is described next.
+ </p><p><a class="indexterm" name="id375876"></a><a class="indexterm" name="id375884"></a><a class="indexterm" name="id375892"></a><a class="indexterm" name="id375903"></a><a class="indexterm" name="id375911"></a>
+ The use of the <em class="parameter"><code>force user</code></em> or the <em class="parameter"><code>force group</code></em> may
+ also have a severe impact on system (particularly on Windows client) performance. If opportunistic
+ locking is enabled on the share (the default), it causes an <code class="constant">oplock break</code> to be
+ sent to the client even if the client has not opened the file. On networks that have high traffic
+ density, or on links that are routed to a remote network segment, <code class="constant">oplock breaks</code>
+ can be lost. This results in possible retransmission of the request, or the client may time-out while
+ waiting for the file system transaction (read or write) to complete. The result can be a profound
+ apparent performance degradation as the client continually attempts to reconnect to overcome the
+ effect of the lost <code class="constant">oplock break</code>, or time-out.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id375952"></a>Share Point Directory and File Permissions</h3></div></div></div><p><a class="indexterm" name="id375958"></a><a class="indexterm" name="id375966"></a><a class="indexterm" name="id375974"></a><a class="indexterm" name="id375982"></a>
+ Samba has been designed and implemented so that it respects as far as is feasible the security and
+ user privilege controls that are built into the UNIX/Linux operating system. Samba does nothing
+ with respect to file system access that violates file system permission settings, unless it is
+ explicitly instructed to do otherwise through share definition controls. Given that Samba obeys
+ UNIX file system controls, this chapter does not document simple information that can be obtained
+ from a basic UNIX training guide. Instead, one common example of a typical problem is used
+ to demonstrate the most effective solution referred to in the immediately preceding paragraph.
+ </p><p><a class="indexterm" name="id375999"></a><a class="indexterm" name="id376007"></a><a class="indexterm" name="id376015"></a>
+ One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of
+ Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence:
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ A user opens a Work document from a network drive. The file was owned by user <code class="constant">janetp</code>
+ and [users], and was set read/write-enabled for everyone.
+ </p></li><li><p>
+ File changes and edits are made.
+ </p></li><li><p>
+ The file is saved, and MS Word is closed.
+ </p></li><li><p>
+ The file is now owned by the user <code class="constant">billc</code> and group <code class="constant">doctors</code>,
+ and is set read/write by <code class="constant">billc</code>, read-only by <code class="constant">doctors</code>, and
+ no access by everyone.
+ </p></li><li><p>
+ The original owner cannot now access her own file and is &#8220;<span class="quote">justifiably</span>&#8221; upset.
+ </p></li></ol></div><p>
+ There have been many postings over the years that report the same basic problem. Frequently Samba users
+ want to know when this &#8220;<span class="quote">bug</span>&#8221; will be fixed. The fact is, this is not a bug in Samba at all.
+ Here is the real sequence of what happens in this case.
+ </p><p><a class="indexterm" name="id376099"></a><a class="indexterm" name="id376107"></a><a class="indexterm" name="id376115"></a>
+ When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned
+ by the user who creates the file (<code class="constant">billc</code>) and has the permissions that follow
+ that user's default settings within the operating system (UNIX/Linux). When MS Word has finished writing
+ the file to disk, it then renames the new (temporary) file to the name of the old one. MS Word does not
+ change the ownership or permissions to what they were on the original file. The file is thus a totally
+ new file, and the old one has been deleted in the process.
+ </p><p>
+ Samba received a request to create a new file, and then to rename the file to a new name. The old file that
+ has the same name is now automatically deleted. Samba has no way of knowing that the new file should
+ perhaps have the same ownership and permissions as the old file. To Samba, these are entirely independent
+ operations.
+ </p><p>
+ The question is, &#8220;<span class="quote">How can we solve the problem?</span>&#8221;
+ </p><p>
+ The solution is simple. Use UNIX file system permissions and controls to your advantage. Follow these
+ simple steps to create a share in which all files will consistently be owned by the same user and the
+ same group:
+ </p><div class="procedure"><a name="id376152"></a><p class="title"><b>Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership</b></p><ol type="1"><li><p>
+ Change your share definition so that it matches this pattern:
+</p><pre class="screen">
+[finance]
+ path = /usr/data/finance
+ browseable = Yes
+ read only = No
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id376176"></a><a class="indexterm" name="id376187"></a>
+ Set consistent user and group permissions recursively down the directory tree as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown -R janetp.users /usr/data/finance
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id376218"></a>
+ Set the files and directory permissions to be read/write for owner and group, and not accessible
+ to others (everyone), using the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod ug+rwx,o-rwx /usr/data/finance
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id376245"></a>
+ Set the SGID (supergroup) bit on all directories from the top down. This means all files
+ can be created with the permissions of the group set on the directory. It means all users
+ who are members of the group <code class="constant">finance</code> can read and write all files in
+ the directory. The directory is not readable or writable by anyone who is not in the
+ <code class="constant">finance</code> group. Simply follow this example:
+</p><pre class="screen">
+<code class="prompt">root# </code> find /usr/data/finance -type d -exec chmod ug+s {}\;
+</pre><p>
+
+ </p></li><li><p><a class="indexterm" name="id376282"></a><a class="indexterm" name="id376290"></a><a class="indexterm" name="id376298"></a>
+ Make sure all users that must have read/write access to the directory have
+ <code class="constant">finance</code> group membership as their primary group,
+ for example, the group they belong to in <code class="filename">/etc/passwd</code>.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id376321"></a>Managing Windows 200x ACLs</h3></div></div></div><p><a class="indexterm" name="id376328"></a><a class="indexterm" name="id376335"></a><a class="indexterm" name="id376343"></a><a class="indexterm" name="id376351"></a>
+ Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because
+ there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means
+ that some transactions are not possible from MS Windows clients. One of these is to reset the ownership
+ of directories and files. If you want to reset ownership, this must be done from a UNIX/Linux login.
+ </p><p>
+ There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation,
+ either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id376370"></a>Using the MMC Computer Management Interface</h4></div></div></div><div class="procedure"><ol type="1"><li><p>
+ From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator
+ account (on Samba domains, this is usually the account called <code class="constant">root</code>).
+ </p></li><li><p>
+ Click
+ <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Settings</span> &#8594; <span class="guimenuitem">Control Panel</span> &#8594; <span class="guimenuitem">Administrative Tools</span> &#8594; <span class="guimenuitem">Computer Management</span>.
+ </p></li><li><p>
+ In the left panel,
+ <span class="guimenu">[Right mouse menu item] Computer Management (Local)</span> &#8594; <span class="guimenuitem">Connect to another computer ...</span> &#8594; <span class="guimenuitem">Browse...</span> &#8594; <span class="guimenuitem">Advanced</span> &#8594; <span class="guimenuitem">Find Now</span>. In the lower panel, click on the name of the server you wish to
+ administer. Click <span class="guimenu">OK</span> &#8594; <span class="guimenuitem">OK</span> &#8594; <span class="guimenuitem">OK</span>.
+ In the left panel, the entry <span class="guimenu">Computer Management (Local)</span> should now reflect
+ the change made. For example, if the server you are administering is called <code class="constant">FRODO</code>,
+ the Computer Management entry should now say: <span class="guimenu">Computer Management (FRODO)</span>.
+ </p></li><li><p>
+ In the left panel, click <span class="guimenu">Computer Management (FRODO)</span> &#8594; <span class="guimenuitem">[+] Shared Folders</span> &#8594; <span class="guimenuitem">Shares</span>.
+ </p></li><li><p><a class="indexterm" name="id376547"></a><a class="indexterm" name="id376555"></a><a class="indexterm" name="id376562"></a><a class="indexterm" name="id376570"></a>
+ In the right panel, double-click on the share on which you wish to set/edit ACLs. This
+ brings up the Properties panel. Click the <span class="guimenu">Security</span> tab. It is best
+ to edit ACLs using the <code class="constant">Advanced</code> editing features. Click the
+ <span class="guimenu">Advanced</span> button. This opens a panel that has four tabs. Only the
+ functionality under the <code class="constant">Permissions</code> tab can be utilized with respect
+ to a Samba domain server.
+ </p></li><li><p><a class="indexterm" name="id376607"></a><a class="indexterm" name="id376615"></a>
+ You may now edit/add/remove access control settings. Be very careful. Many problems have been
+ created by people who decided that everyone should be rejected but one particular group should
+ have full control. This is a catch-22 situation because members of that particular group also
+ belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions
+ set for the permitted group.
+ </p></li><li><p>
+ When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
+ buttons until the last panel closes.
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id376647"></a>Using MS Windows Explorer (File Manager)</h4></div></div></div><p>
+ The following alternative method may be used from a Windows workstation. In this example we work
+ with a domain called <code class="constant">MEGANET</code>, a server called <code class="constant">MASSIVE</code>, and a
+ share called <code class="constant">Apps</code>. The underlying UNIX/Linux share point for this share is
+ <code class="filename">/data/apps</code>.
+ </p><div class="procedure"><ol type="1"><li><p>
+ Click <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">[right-click] My Computer</span> &#8594; <span class="guimenuitem">Explore</span> &#8594; <span class="guimenuitem">[left panel] [+] My Network Places</span> &#8594; <span class="guimenuitem">[+] Entire Network</span> &#8594; <span class="guimenuitem">[+] Microsoft Windows Network</span> &#8594; <span class="guimenuitem">[+] Meganet</span> &#8594; <span class="guimenuitem">[+] Massive</span> &#8594; <span class="guimenuitem">[right-click] Apps</span> &#8594; <span class="guimenuitem">Properties</span> &#8594; <span class="guimenuitem">Security</span> &#8594; <span class="guimenuitem">Advanced</span>. This opens a panel that has four tabs. Only the functionality under the
+ <code class="constant">Permissions</code> tab can be utilized for a Samba domain server.
+ </p></li><li><p><a class="indexterm" name="id376768"></a><a class="indexterm" name="id376775"></a>
+ You may now edit/add/remove access control settings. Be very careful. Many problems have been
+ created by people who decided that everyone should be rejected but one particular group should
+ have full control. This is a catch-22 situation because members of that particular group also
+ belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions
+ set for the permitted group.
+ </p></li><li><p>
+ When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
+ buttons until the last panel closes.
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id376809"></a>Setting Posix ACLs in UNIX/Linux</h4></div></div></div><p><a class="indexterm" name="id376816"></a><a class="indexterm" name="id376824"></a>
+ Yet another alternative method for setting desired security settings on the shared resource files and
+ directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line
+ tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9
+ Linux system:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Log into the Linux system as the user <code class="constant">root</code>.
+ </p></li><li><p>
+ Change directory to the location of the exported (shared) Windows file share (Apps), which is in
+ the directory <code class="filename">/data</code>. Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /data
+</pre><p>
+ Retrieve the existing POSIX ACLs entry by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> getfacl apps
+# file: apps
+# owner: root
+# group: root
+user::rwx
+group::rwx
+other::r-x
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id376892"></a>
+ You want to add permission for <code class="constant">AppsMgrs</code> to enable them to
+ manage the applications (apps) share. It is important to set the ACL recursively
+ so that the AppsMgrs have this capability throughout the directory tree that is
+ being shared. This is done using the <code class="constant">-R</code> option as shown.
+ Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> setfacl -m -R group:AppsMgrs:rwx /data/apps
+</pre><p>
+ Because setting an ACL does not provide a response, you immediately validate the command executed
+ as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> getfacl /data/apps
+# file: apps
+# owner: root
+# group: root
+user::rwx
+group::rwx
+group:AppsMgrs:rwx
+mask::rwx
+other::r-x
+</pre><p>
+ This confirms that the change of POSIX ACL permissions has been effective.
+ </p></li><li><p><a class="indexterm" name="id376942"></a><a class="indexterm" name="id376950"></a><a class="indexterm" name="id376958"></a><a class="indexterm" name="id376965"></a><a class="indexterm" name="id376973"></a>
+ It is highly recommended that you read the online manual page for the <code class="literal">setfacl</code>
+ and <code class="literal">getfacl</code> commands. This provides information regarding how to set/read the default
+ ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
+ of setting <code class="constant">inheritance</code> properties.
+ </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id377005"></a>Key Points Learned</h3></div></div></div><p>
+ The mish-mash of issues were thrown together into one chapter because it seemed like a good idea.
+ Looking back, this chapter could be broken into two, but it's too late now. It has been done.
+ The highlights covered are as follows:
+ </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id377020"></a><a class="indexterm" name="id377028"></a><a class="indexterm" name="id377036"></a><a class="indexterm" name="id377043"></a>
+ Winbind honors and does not override account controls set in Active Directory.
+ This means that password change, logon hours, and so on, are (or soon will be) enforced
+ by Samba winbind. At this time, an out-of-hours login is denied and password
+ change is enforced. At this time, if logon hours expire, the user is not forcibly
+ logged off. That may be implemented at some later date.
+ </p></li><li><p><a class="indexterm" name="id377059"></a><a class="indexterm" name="id377067"></a>
+ Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential
+ problems acknowledged by Microsoft as having been fixed but reported by some as still
+ possibly an open issue.
+ </p></li><li><p><a class="indexterm" name="id377081"></a><a class="indexterm" name="id377089"></a><a class="indexterm" name="id377097"></a><a class="indexterm" name="id377104"></a>
+ The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft
+ Active Directory. The possibility to do this is not planned in the current Samba-3
+ roadmap. Samba-3 does aim to provide further improvements in interoperability so that
+ UNIX/Linux systems may be fully integrated into Active Directory domains.
+ </p></li><li><p>
+ This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of
+ the four key methodologies was reviewed with specific reference to example deployment
+ techniques.
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id377127"></a>Questions and Answers</h2></div></div></div><p>
+ </p><div class="qandaset"><dl><dt> <a href="kerberos.html#id377142">
+ Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2?
+ </a></dt><dt> <a href="kerberos.html#id377210">
+ Does Samba-3 support Active Directory?
+ </a></dt><dt> <a href="kerberos.html#id377238">
+ When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
+ necessary with Samba-2?
+ </a></dt><dt> <a href="kerberos.html#id377273">
+ Is it safe to set share-level access controls in Samba?
+ </a></dt><dt> <a href="kerberos.html#id377300">
+ Is it mandatory to set share ACLs to get a secure Samba-3 server?
+ </a></dt><dt> <a href="kerberos.html#id377372">
+ The valid users did not work on the [homes].
+ Has this functionality been restored yet?
+ </a></dt><dt> <a href="kerberos.html#id377431">
+ Is the bias against use of the force user and force group
+ really warranted?
+ </a></dt><dt> <a href="kerberos.html#id377492">
+ The example given for file and directory access control forces all files to be owned by one
+ particular user. I do not like that. Is there any way I can see who created the file?
+ </a></dt><dt> <a href="kerberos.html#id377536">
+ In the book, &#8220;The Official Samba-3 HOWTO and Reference Guide&#8221;, you recommended use
+ of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why
+ have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
+ </a></dt><dt> <a href="kerberos.html#id377596">
+ I tried to set valid users = @Engineers, but it does not work. My Samba
+ server is an Active Directory domain member server. Has this been fixed now?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id377142"></a><a name="id377144"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377147"></a><a class="indexterm" name="id377155"></a>
+ Does Samba-3 require the <code class="constant">Sign'n'seal</code> registry hacks needed by Samba-2?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377174"></a><a class="indexterm" name="id377182"></a><a class="indexterm" name="id377190"></a>
+ No. Samba-3 fully supports <code class="constant">Sign'n'seal</code> as well as <code class="constant">schannel</code>
+ operation. The registry change should not be applied when Samba-3 is used as a domain controller.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377210"></a><a name="id377212"></a></td><td align="left" valign="top"><p>
+ Does Samba-3 support Active Directory?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377222"></a>
+ Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not
+ provide Active Directory services. It cannot be used to replace a Microsoft Active Directory
+ server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit,
+ and it can function as an Active Directory domain member server.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377238"></a><a name="id377240"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377243"></a>
+ When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
+ necessary with Samba-2?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377259"></a>
+ No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x
+ Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation,
+ because Samba-3 can join a native Windows 2003 Server ADS domain.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377273"></a><a name="id377275"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377278"></a>
+ Is it safe to set share-level access controls in Samba?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Yes. Share-level access controls have been supported since early versions of Samba-2. This is
+ very mature technology. Not enough sites make use of this powerful capability, neither on
+ Windows server or with Samba servers.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377300"></a><a name="id377302"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377305"></a>
+ Is it mandatory to set share ACLs to get a secure Samba-3 server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377320"></a><a class="indexterm" name="id377328"></a><a class="indexterm" name="id377336"></a><a class="indexterm" name="id377344"></a><a class="indexterm" name="id377352"></a>
+ No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides
+ means of securing shares through share definition controls in the <code class="filename">smb.conf</code> file. The additional
+ support for share-level ACLs is like frosting on the cake. It adds to security but is not essential
+ to it.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377372"></a><a name="id377374"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377378"></a>
+ The <em class="parameter"><code>valid users</code></em> did not work on the <em class="parameter"><code>[homes]</code></em>.
+ Has this functionality been restored yet?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377404"></a>
+ Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard
+ on the <em class="parameter"><code>[homes]</code></em> meta-service. The correct way to specify this is:
+ <a class="indexterm" name="id377421"></a>valid users = %S.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377431"></a><a name="id377433"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377436"></a><a class="indexterm" name="id377444"></a><a class="indexterm" name="id377452"></a>
+ Is the bias against use of the <em class="parameter"><code>force user</code></em> and <em class="parameter"><code>force group</code></em>
+ really warranted?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377479"></a>
+ There is no bias. There is a determination to recommend the right tool for the task at hand.
+ After all, it is better than putting users through performance problems, isn't it?
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377492"></a><a name="id377494"></a></td><td align="left" valign="top"><p>
+ The example given for file and directory access control forces all files to be owned by one
+ particular user. I do not like that. Is there any way I can see who created the file?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377506"></a>
+ Sure. You do not have to set the SUID bit on the directory. Simply execute the following command
+ to permit file ownership to be retained by the user who created it:
+</p><pre class="screen">
+<code class="prompt">root# </code> find /usr/data/finance -type d -exec chmod g+s {}\;
+</pre><p>
+ Note that this required no more than removing the <code class="constant">u</code> argument so that the
+ SUID bit is not set for the owner.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377536"></a><a name="id377538"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377541"></a>
+ In the book, &#8220;<span class="quote">The Official Samba-3 HOWTO and Reference Guide</span>&#8221;, you recommended use
+ of the Windows NT4 Server Manager (part of the <code class="filename">SRVTOOLS.EXE</code>) utility. Why
+ have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377567"></a><a class="indexterm" name="id377575"></a>
+ Either tool can be used with equal effect. There is no benefit of one over the other, except that
+ the MMC utility is present on all Windows 200x/XP systems and does not require additional software
+ to be downloaded and installed. Note that if you want to manage user and group accounts in your
+ Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which
+ is provided as part of the <code class="filename">SRVTOOLS.EXE</code> utility.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377596"></a><a name="id377599"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377602"></a><a class="indexterm" name="id377610"></a><a class="indexterm" name="id377618"></a>
+ I tried to set <em class="parameter"><code>valid users = @Engineers</code></em>, but it does not work. My Samba
+ server is an Active Directory domain member server. Has this been fixed now?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The use of this parameter has always required the full specification of the domain account, for
+ example, <em class="parameter"><code>valid users = @"MEGANET2\Domain Admins"</code></em>.
+ </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div><div class="footnote"><a href="http://199.105.191.226/Man/2699/020430msdoj/" target="_top"><sup>[<a name="ftn.id374937" href="#id374937">13</a>] </sup>ITWorld.com</a></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Reference Section </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. Integrating Additional Services</td></tr></table></div></body></html>
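Review bot: the `find` command in the answer about retaining file ownership is not valid as written: `find /usr/data/finance -type d -exec chmod g+s {}\;` passes `{}\;` as a single argument, so `find` fails with "missing argument to -exec" instead of setting the bit; it needs a space before the terminator, i.e. `-exec chmod g+s {} \;`. The surrounding wording is also inconsistent with the command: `g+s` sets the SGID bit on the directories (group inheritance), while the answer twice says "SUID bit"; only the explanation that the `u` was dropped from `ug+s` makes sense, so "SGID" should be used where the resulting bit is described. Minor: the footnote citing ITWorld.com links to a bare IP address (http://199.105.191.226/...) rather than a hostname, which is likely to rot; a canonical URL would be preferable.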
diff --git a/docs/htmldocs/Samba3-ByExample/ntmigration.html b/docs/htmldocs/Samba3-ByExample/ntmigration.html
new file mode 100644
index 0000000000..93b4e16bb3
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/ntmigration.html
@@ -0,0 +1,1128 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. Migrating NT4 Domain to Samba-3</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="upgrades.html" title="Chapter 8. Updating Samba-3"><link rel="next" href="nw4migration.html" title="Chapter 10. Migrating NetWare Server to Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. Migrating NT4 Domain to Samba-3</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrades.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="nw4migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ntmigration"></a>Chapter 9. 
Migrating NT4 Domain to Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ntmigration.html#id364185">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id364261">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id364312">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id364468">Technical Issues</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id364771">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id364791">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id364916">NT4 Migration Using LDAP Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id367204">NT4 Migration Using tdbsam Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id367537">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id367572">Questions and Answers</a></span></dt></dl></div><p>
+ Ever since Microsoft announced that it was discontinuing support for Windows
+ NT4, Samba users started to ask for detailed instructions on how to migrate
+ from NT4 to Samba-3. This chapter provides background information that should
+ meet these needs.
+ </p><p>
+ One wonders how many NT4 systems will be left in service by the time you read this
+ book though.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id364185"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id364192"></a>
+ Network administrators who want to migrate off a Windows NT4 environment know
+ one thing with certainty. They feel that NT4 has been abandoned, and they want
+ to update. The desire to get off NT4 and to not adopt Windows 200x and Active
+ Directory is driven by a mixture of concerns over complexity, cost, fear of
+ failure, and much more.
+ </p><p>
+ <a class="indexterm" name="id364207"></a>
+ <a class="indexterm" name="id364213"></a>
+ <a class="indexterm" name="id364223"></a>
+ <a class="indexterm" name="id364232"></a>
+ The migration from NT4 to Samba-3 can involve a number of factors, including
+ migration of data to another server, migration of network environment controls
+ such as group policies, and migration of the users, groups, and machine
+ accounts.
+ </p><p>
+ <a class="indexterm" name="id364246"></a>
+ It should be pointed out now that it is possible to migrate some systems from
+ a Windows NT4 domain environment to a Samba-3 domain environment. This is certainly
+ not possible in every case. It is possible to just migrate the domain accounts
+ to Samba-3 and then to switch machines, but as a hands-off transition, this is more
+ the exception than the rule. Most systems require some tweaking after
+ migration before an environment that is acceptable for immediate use
+ is obtained.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id364261"></a>Assignment Tasks</h3></div></div></div><p>
+ <a class="indexterm" name="id364268"></a>
+ <a class="indexterm" name="id364275"></a>
+ <a class="indexterm" name="id364282"></a>
+ You are about to migrate an MS Windows NT4 domain accounts database to
+ a Samba-3 server. The Samba-3 server is using a
+ <em class="parameter"><code>passdb backend</code></em> based on LDAP. The
+ <code class="constant">ldapsam</code> is ideal because an LDAP backend can be distributed
+ for use with BDCs generally essential for larger networks.
+ </p><p>
+ Your objective is to document the process of migrating user and group accounts
+ from several NT4 domains into a single Samba-3 LDAP backend database.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id364312"></a>Dissection and Discussion</h2></div></div></div><p>
+ <a class="indexterm" name="id364319"></a>
+ <a class="indexterm" name="id364326"></a>
+ <a class="indexterm" name="id364333"></a>
+ <a class="indexterm" name="id364344"></a>
+ <a class="indexterm" name="id364356"></a>
+ <a class="indexterm" name="id364362"></a>
+ The migration process takes a snapshot of information that is stored in the
+ Windows NT4 registry-based accounts database. That information resides in
+ the Security Account Manager (SAM) portion of the NT4 registry under keys called
+ <code class="constant">SAM</code> and <code class="constant">SECURITY</code>.
+ </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ <a class="indexterm" name="id364384"></a>
+ <a class="indexterm" name="id364391"></a>
+ The Windows NT4 registry keys called <code class="constant">SAM</code> and <code class="constant">SECURITY</code>
+ are protected so that you cannot view the contents. If you change the security setting
+ to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not
+ do this unless you are willing to render your domain controller inoperative.
+ </p></div><p>
+ <a class="indexterm" name="id364413"></a>
+ <a class="indexterm" name="id364422"></a>
+ Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are.
+ While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server,
+ that may not be a good idea from an administration perspective. Since the process involves going
+ through a certain amount of disruptive activity anyhow, why not take this opportunity to
+ review the structure of the network, how Windows clients are controlled and how they
+ interact with the network environment.
+ </p><p>
+ <a class="indexterm" name="id364437"></a>
+ <a class="indexterm" name="id364446"></a>
+ <a class="indexterm" name="id364453"></a>
+ MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed
+ have done little to keep the NT4 server environment up to date with more recent Windows releases,
+ particularly Windows XP Professional. The migration provides opportunity to revise and update
+ roaming profile deployment as well as folder redirection. Given that you must port the
+ greater network configuration of this from the old NT4 server to the new Samba-3 server.
+ Do not forget to validate the security descriptors in the profiles share as well as network logon
+ scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this
+ as a good time to update desktop systems also. In all, the extra effort should constitute no
+ real disruption to users, but rather, with due diligence and care, should make their network experience
+ a much happier one.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id364468"></a>Technical Issues</h3></div></div></div><p>
+ <a class="indexterm" name="id364476"></a>
+ <a class="indexterm" name="id364483"></a>
+ Migration of an NT4 domain user and group database to Samba-3 involves a certain strategic
+ element. Many sites have asked for instructions regarding merging of multiple NT4
+ domains into one Samba-3 LDAP database. It seems that this is viewed as a significant
+ added value compared with the alternative of migration to Windows Server 200x and Active
+ Directory. The diagram in <a href="ntmigration.html#ch8-migration" title="Figure 9.1. Schematic Explaining the net rpc vampire Process">???</a> illustrates the effect of migration
+ from a Windows NT4 domain to a Samba domain.
+ </p><div class="figure"><a name="ch8-migration"></a><p class="title"><b>Figure 9.1. Schematic Explaining the <code class="literal">net rpc vampire</code> Process</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch8-migration.png" width="297" alt="Schematic Explaining the net rpc vampire Process"></div></div></div><br class="figure-break"><p>
+ <a class="indexterm" name="id364550"></a>
+ <a class="indexterm" name="id364557"></a>
+ If you want to merge multiple NT4 domain account databases into one Samba domain,
+ you must now dump the contents of the first migration and edit it as appropriate. Now clean
+ out (remove) the tdbsam backend file (<code class="filename">passdb.tdb</code>) or the LDAP database
+ files. You must start each migration with a new database into which you merge your NT4
+ domains.
+ </p><p><a class="indexterm" name="id364575"></a>
+ At this point, you are ready to perform the second migration, following the same steps as
+ for the first. In other words, dump the database, edit it, and then you may merge the
+ dump for the first and second migrations.
+ </p><p><a class="indexterm" name="id364588"></a><a class="indexterm" name="id364596"></a><a class="indexterm" name="id364604"></a>
+ You must be careful. If you choose to migrate to an LDAP backend, your dump file
+ now contains the full account information, including the domain SID. The domain SID for each
+ of the two NT4 domains will be different. You must choose one and change the domain
+ portion of the account SIDs so that all are the same.
+ </p><p>
+ <a class="indexterm" name="id364618"></a>
+ <a class="indexterm" name="id364625"></a>
+ <a class="indexterm" name="id364632"></a>
+ <a class="indexterm" name="id364639"></a>
+ <a class="indexterm" name="id364646"></a>
+ <a class="indexterm" name="id364652"></a>
+ <a class="indexterm" name="id364659"></a>
+ <a class="indexterm" name="id364666"></a>
+ <a class="indexterm" name="id364673"></a>
+ <a class="indexterm" name="id364680"></a>
+ <a class="indexterm" name="id364686"></a>
+ <a class="indexterm" name="id364693"></a>
+ If you choose to use a tdbsam (<code class="filename">passdb.tdb</code>) backend file, your best choice
+ is to use <code class="literal">pdbedit</code> to export the contents of the tdbsam file into an
+ smbpasswd data file. This automatically strips out all domain-specific information,
+ such as logon hours, logon machines, logon script, profile path, as well as the domain SID.
+ The resulting file can be easily merged with other migration attempts (each of which must start
+ with a clean file). It should also be noted that all users who end up in the merged smbpasswd
+ file must have an account in <code class="filename">/etc/passwd</code>. The resulting smbpasswd file
+ may be exported or imported into either a tdbsam (<code class="filename">passdb.tdb</code>) or
+ an LDAP backend.
+ </p><div class="figure"><a name="NT4DUM"></a><p class="title"><b>Figure 9.2. View of Accounts in NT4 Domain User Manager</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UserMgrNT4.png" width="270" alt="View of Accounts in NT4 Domain User Manager"></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id364771"></a>Political Issues</h3></div></div></div><p>
+ The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba-3
+ domain may be seen by those who had power over them as a loss of prestige or a loss of
+ power. The imposition of a single domain may even be seen as a threat. So in migrating and
+ merging account databases, be consciously aware of the political fall-out in which you
+ may find yourself entangled when key staff feel a loss of prestige.
+ </p><p>
+ The best advice that can be given to those who set out to merge NT4 domains into a single
+ Samba-3 domain is to promote (sell) the action as one that reduces costs and delivers
+ greater network interoperability and manageability.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id364791"></a>Implementation</h2></div></div></div><p>
+ From feedback on the Samba mailing lists, it seems that most Windows NT4 migrations
+ to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX
+ server. If you contemplate doing this, please note that the steps that follow in this
+ chapter assume familiarity with the information that has been previously covered in this
+ book. You are particularly encouraged to be familiar with <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a>,
+ <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a> and <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>.
+ </p><p>
+ We present here the steps and example output for two NT4 to Samba-3 domain migrations. The
+ first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the
+ scripts you specify in the <code class="filename">smb.conf</code> file for the <em class="parameter"><code>add user script</code></em>
+ collection of parameters are used to effect the addition of accounts into the passdb backend.
+ </p><p>
+ Before proceeding to NT4 migration using either a tdbsam or ldapsam, it is most strongly recommended to
+ review <a href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">???</a> for DNS and DHCP configuration. The importance of correctly
+ functioning name resolution must be recognized. This applies equally for both hostname and NetBIOS names
+ (machine names, computer names, domain names, workgroup names ALL names!).
+ </p><p>
+ The migration process involves the following steps:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Prepare the target Samba-3 server. This involves configuring Samba-3 for
+ migration to either a tdbsam or an ldapsam backend.
+ </p></li><li><p>
+ <a class="indexterm" name="id364867"></a>
+ <a class="indexterm" name="id364874"></a>
+ <a class="indexterm" name="id364880"></a>
+ Clean up the source NT4 PDC. Delete all accounts that need not be migrated.
+ Delete all files that should not be migrated. Where possible, change NT group
+ names so there are no spaces or uppercase characters. This is important if
+ the target UNIX host insists on POSIX-compliant all lowercase user and group
+ names.
+ </p></li><li><p>
+ Step through the migration process.
+ </p></li><li><p><a class="indexterm" name="id364898"></a>
+ Remove the NT4 PDC from the network.
+ </p></li><li><p>
+ Upgrade the Samba-3 server from a BDC to a PDC, and validate all account
+ information.
+ </p></li></ul></div><p>
+ It may help to use the above outline as a pre-migration checklist.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id364916"></a>NT4 Migration Using LDAP Backend</h3></div></div></div><p>
+ In this example, the migration is of an NT4 PDC to a Samba-3 PDC with an LDAP backend. The accounts about
+ to be migrated are shown in <a href="ntmigration.html#NT4DUM" title="Figure 9.2. View of Accounts in NT4 Domain User Manager">???</a>. In this example use is made of the
+ smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend.
+ Four scripts are essential to the migration process. Other scripts will be required
+ for daily management, but these are not critical to migration. The critical scripts are dependant
+ on which passdb backend is being used. Refer to <a href="ntmigration.html#ch8-vampire" title="Table 9.1. Samba smb.conf Scripts Essential to Samba Operation">???</a> to see which scripts
+ must be provided so that the migration process can complete.
+ </p><p>
+ Verify that you have correctly specified in the <code class="filename">smb.conf</code> file the scripts and arguments
+ that should be passed to them before attempting to perform the account migration. Note also
+ that the deletion scripts must be commented out during migration. These should be uncommented
+ following successful migration of the NT4 Domain accounts.
+ </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ Under absolutely no circumstances should the Samba daemons be started until instructed to do so.
+ Delete the <code class="filename">/etc/samba/secrets.tdb</code> file and all Samba control tdb files
+ before commencing the following configuration steps.
+ </p></div><div class="table"><a name="ch8-vampire"></a><p class="title"><b>Table 9.1. Samba <code class="filename">smb.conf</code> Scripts Essential to Samba Operation</b></p><div class="table-contents"><table summary="Samba smb.conf Scripts Essential to Samba Operation" border="1"><colgroup><col align="left"><col align="center"><col align="center"></colgroup><thead><tr><th align="left">Entity</th><th align="center">ldapsam Script</th><th align="center">tdbsam Script</th></tr></thead><tbody><tr><td align="left">Add User Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr><tr><td align="left">Delete User Accounts</td><td align="center">smbldap-userdel</td><td align="center">userdel</td></tr><tr><td align="left">Add Group Accounts</td><td align="center">smbldap-groupadd</td><td align="center">groupadd</td></tr><tr><td align="left">Delete Group Accounts</td><td align="center">smbldap-groupdel</td><td align="center">groupdel</td></tr><tr><td align="left">Add User to Group</td><td align="center">smbldap-groupmod</td><td align="center">usermod (See Note)</td></tr><tr><td align="left">Add Machine Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr></tbody></table></div></div><br class="table-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id365106"></a>
+ <a class="indexterm" name="id365113"></a>
+ <a class="indexterm" name="id365120"></a>
+ The UNIX/Linux <code class="literal">usermod</code> utility does not permit simple user addition to (or deletion
+ of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this
+ capability, you must create your own tool to do this. Alternately, you can search the Web
+ to locate a utility called <code class="literal">groupmem</code> (by George Kraft) that provides this functionality.
+ The <code class="literal">groupmem</code> utility was contributed to the shadow package but has not surfaced
+ in the formal commands provided by Linux distributions (March 2004).
+ </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id365153"></a>
+ The <code class="literal">tdbdump</code> utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your
+ Linux distribution, you will need to build this yourself or else forgo its use.
+ </p></div><p>
+ <a class="indexterm" name="id365171"></a>
+ Before starting the migration, all dead accounts were removed from the NT4 domain using the User Manager for Domains.
+ </p><div class="procedure"><a name="id365180"></a><p class="title"><b>Procedure 9.1. User Migration Steps</b></p><div class="example"><a name="sbent4smb"></a><p class="title"><b>Example 9.1. NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id365238"></a><em class="parameter"><code>workgroup = DAMNATION</code></em></td></tr><tr><td><a class="indexterm" name="id365250"></a><em class="parameter"><code>netbios name = MERLIN</code></em></td></tr><tr><td><a class="indexterm" name="id365263"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id365276"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id365288"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id365301"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id365313"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id365326"></a><em class="parameter"><code>smb ports = 139 445</code></em></td></tr><tr><td><a class="indexterm" name="id365338"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id365351"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id365364"></a><em class="parameter"><code>#delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id365377"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd 
'%g'</code></em></td></tr><tr><td><a class="indexterm" name="id365390"></a><em class="parameter"><code>#delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id365403"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/ smbldap-groupmod -m '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id365416"></a><em class="parameter"><code>#delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id365429"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id365442"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id365455"></a><em class="parameter"><code>logon script = scripts\logon.cmd</code></em></td></tr><tr><td><a class="indexterm" name="id365468"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id365481"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id365493"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id365506"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id365518"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id365531"></a><em class="parameter"><code>#wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id365543"></a><em class="parameter"><code>wins server = 192.168.123.124</code></em></td></tr><tr><td><a class="indexterm" name="id365556"></a><em class="parameter"><code>ldap admin dn = 
cn=Manager,dc=terpstra-world,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id365569"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id365581"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id365594"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id365607"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id365619"></a><em class="parameter"><code>ldap suffix = dc=terpstra-world,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id365632"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id365644"></a><em class="parameter"><code>ldap timeout = 20</code></em></td></tr><tr><td><a class="indexterm" name="id365657"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id365670"></a><em class="parameter"><code>idmap backend = ldap:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id365682"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id365695"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id365707"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id365720"></a><em class="parameter"><code>ea support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id365733"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbent4smb2"></a><p class="title"><b>Example 9.2. 
NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id365778"></a><em class="parameter"><code>comment = Application Data</code></em></td></tr><tr><td><a class="indexterm" name="id365791"></a><em class="parameter"><code>path = /data/home/apps</code></em></td></tr><tr><td><a class="indexterm" name="id365803"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id365825"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id365838"></a><em class="parameter"><code>path = /home/users/%U/Documents</code></em></td></tr><tr><td><a class="indexterm" name="id365850"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id365863"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id365875"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id365897"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id365909"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id365922"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id365934"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id365947"></a><em class="parameter"><code>use client driver = No</code></em></td></tr><tr><td><a 
class="indexterm" name="id365960"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id365981"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id365994"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id366006"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id366019"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id366040"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id366053"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id366066"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id366078"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id366100"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id366112"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id366125"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id366137"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id366159"></a><em class="parameter"><code>comment = Printer 
Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id366172"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbentslapd"></a><p class="title"><b>Example 9.3. NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen">
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba3.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+access to dn.base=""
+ by self write
+ by * auth
+
+access to attr=userPassword
+ by self write
+ by * auth
+
+access to attr=shadowLastChange
+ by self write
+ by * read
+
+access to *
+ by * read
+ by anonymous auth
+</pre></div></div><br class="example-break"><div class="example"><a name="sbentslapd2"></a><p class="title"><b>Example 9.4. NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part B</b></p><div class="example-contents"><pre class="screen">
+#loglevel 256
+
+#schemacheck on
+idletimeout 30
+#backend bdb
+database bdb
+checkpoint 1024 5
+cachesize 10000
+
+suffix "dc=terpstra-world,dc=org"
+rootdn "cn=Manager,dc=terpstra-world,dc=org"
+
+# rootpw = not24get
+rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
+
+directory /var/lib/ldap
+
+# Indices to maintain
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</pre></div></div><br class="example-break"><div class="example"><a name="sbrntldapconf"></a><p class="title"><b>Example 9.5. NT4 Migration NSS LDAP File: <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">
+host 127.0.0.1
+
+base dc=terpstra-world,dc=org
+
+ldap_version 3
+
+binddn cn=Manager,dc=terpstra-world,dc=org
+bindpw not24get
+
+pam_password exop
+
+nss_base_passwd ou=People,dc=terpstra-world,dc=org?one
+nss_base_shadow ou=People,dc=terpstra-world,dc=org?one
+nss_base_group ou=Groups,dc=terpstra-world,dc=org?one
+
+ssl off
+</pre></div></div><br class="example-break"><div class="example"><a name="sbentnss"></a><p class="title"><b>Example 9.6. NT4 Migration NSS Control File: <code class="filename">/etc/nsswitch.conf</code> (Stage:1)</b></p><div class="example-contents"><pre class="screen">
+passwd: files #ldap
+shadow: files #ldap
+group: files #ldap
+
+hosts: files dns wins
+networks: files dns
+
+services: files
+protocols: files
+rpc: files
+ethers: files
+netmasks: files
+netgroup: files
+publickey: files
+
+bootparams: files
+automount: files nis
+aliases: files
+#passwd_compat: ldap #Not needed.
+#group_compat: ldap #Not needed.
+</pre></div></div><br class="example-break"><div class="example"><a name="sbentnss2"></a><p class="title"><b>Example 9.7. NT4 Migration NSS Control File: <code class="filename">/etc/nsswitch.conf</code> (Stage:2)</b></p><div class="example-contents"><pre class="screen">
+passwd: files ldap
+shadow: files ldap
+group: files ldap
+
+hosts: files dns wins
+networks: files dns
+
+services: files
+protocols: files
+rpc: files
+ethers: files
+netmasks: files
+netgroup: files
+publickey: files
+
+bootparams: files
+automount: files nis
+aliases: files
+#passwd_compat: ldap #Not needed.
+#group_compat: ldap #Not needed.
+</pre></div></div><br class="example-break"><ol type="1"><li><p>
+ Configure the Samba <code class="filename">smb.conf</code> file to create a BDC. An example configuration is
+ given in <a href="ntmigration.html#sbent4smb" title="Example 9.1. NT4 Migration Samba-3 Server smb.conf Part: A">???</a>.
+ The delete scripts are commented out so that during the process of migration
+ no account information can be deleted.
+ </p></li><li><p>
+ <a class="indexterm" name="id366191"></a>
+ Configure OpenLDAP in preparation for the migration. An example
+ <code class="filename">sladp.conf</code> file is shown in <a href="ntmigration.html#sbentslapd" title="Example 9.3. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A">???</a>.
+ The <code class="constant">rootpw</code> value is an encrypted password string that can
+ be obtained by executing the <code class="literal">slappasswd</code> command.
+ </p></li><li><p>
+ <a class="indexterm" name="id366289"></a>
+ <a class="indexterm" name="id366296"></a>
+ Install the PADL <code class="literal">nss_ldap</code> tool set, then configure the <code class="filename">/etc/ldap.conf</code>
+ as shown in <a href="ntmigration.html#sbrntldapconf" title="Example 9.5. NT4 Migration NSS LDAP File: /etc/ldap.conf">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id366352"></a>
+ Edit the <code class="filename">/etc/nsswitch.conf</code> file so it has the entries shown
+ in <a href="ntmigration.html#sbentnss" title="Example 9.6. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:1)">???</a>. Note that the LDAP entries have been commented out.
+ This is deliberate. If these entries are active (not commented out), and the
+ <code class="filename">/etc/ldap.conf</code> file has been configured, when the LDAP server
+ is started, the process of starting the LDAP server will cause LDAP lookups. This
+ causes the LDAP server <code class="literal">slapd</code> to hang because it finds port 389
+ open and therefore cannot gain exclusive control of it. By commenting these entries
+ out, it is possible to avoid this gridlock situation and thus the overall
+ installation and configuration will progress more smoothly.
+ </p></li><li><p>
+ Validate the the target NT4 PDC name is being correctly resolved to its IP address by
+ executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> ping transgression
+PING transgression.terpstra-world.org (192.168.1.5) 56(84) bytes of data.
+64 bytes from (192.168.1.5): icmp_seq=1 ttl=128 time=0.159 ms
+64 bytes from (192.168.1.5): icmp_seq=2 ttl=128 time=0.192 ms
+64 bytes from (192.168.1.5): icmp_seq=3 ttl=128 time=0.141 ms
+
+--- transgression.terpstra-world.org ping statistics ---
+3 packets transmitted, 3 received, 0% packet loss, time 2000ms
+rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms
+</pre><p>
+ Do not proceed to the next step if this step fails. It is imperative that the name of the PDC
+ can be resolved to its IP address. If this is broken, fix it.
+ </p></li><li><p>
+ Pull the domain SID from the NT4 domain that is being migrated as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc getsid -S TRANGRESSION -U Administrator%not24get
+Storing SID S-1-5-21-1385457007-882775198-1210191635 \
+ for Domain DAMNATION in secrets.tdb
+</pre><p>
+ </p><p>
+ Another way to obtain the domain SID from the target NT4 domain that is being
+ migrated to Samba-3 is by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc info -S TRANSGRESSION
+</pre><p>
+ If this method is used, do not forget to store the SID obtained into the
+ <code class="filename">secrets.tdb</code> file. This can be done by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> net setlocalsid S-1-5-21-1385457007-882775198-1210191635
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id366500"></a>
+ <a class="indexterm" name="id366506"></a>
+ <a class="indexterm" name="id366513"></a>
+ <a class="indexterm" name="id366520"></a>
+ Install the Idealx <code class="literal">smbldap-tools</code> software package, following
+ the instructions given in <a href="happy.html#sbeidealx" title="Install and Configure Idealx smbldap-tools Scripts">???</a>. The resulting perl scripts
+ should be located in the <code class="filename">/opt/IDEALX/sbin</code> directory.
+ Change into that location, or wherever the scripts have been installed. Execute the
+ <code class="filename">configure.pl</code> script to configure the Idealx package for use.
+ Note: Use the domain SID obtained from the step above. The following is
+ an example configuration session:
+</p><pre class="screen">
+<code class="prompt">root# </code> ./configure.pl
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ smbldap-tools script configuration
+ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Before starting, check
+ . if your samba controller is up and running.
+ . if the domain SID is defined
+ (you can get it with the 'net getlocalsid')
+
+ . you can leave the configuration using the Crtl-c key combination
+ . empty value can be set with the "." character
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Looking for configuration files...
+
+Samba Config File Location [/etc/samba/smb.conf] &gt;
+smbldap Config file Location (global parameters)
+ [/etc/smbldap-tools/smbldap.conf] &gt;
+smbldap Config file Location (bind parameters)
+ [/etc/smbldap-tools/smbldap_bind.conf] &gt;
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Let's start configuring the smbldap-tools scripts ...
+
+. workgroup name: name of the domain Samba act as a PDC
+ workgroup name [DAMNATION] &gt;
+. netbios name: netbios name of the samba controller
+ netbios name [MERLIN] &gt;
+. logon drive: local path to which the home directory
+ will be connected (for NT Workstations). Ex: 'H:'
+ logon drive [X:] &gt; H:
+. logon home: home directory location (for Win95/98 or NT Workstation)
+ (use %U as username) Ex:'\\MERLIN\home\%U'
+ logon home (leave blank if you don't want homeDirectory)
+ [\\MERLIN\home\%U] &gt; \\%L\%U
+. logon path: directory where roaming profiles are stored.
+ Ex:'\\MERLIN\profiles\%U'
+ logon path (leave blank if you don't want roaming profile)
+ [\\MERLIN\profiles\%U] &gt; \\%L\profiles\%U
+. home directory prefix (use %U as username) [/home/%U] &gt;
+ /home/users/%U
+. default user netlogon script (use %U as username)
+ [%U.cmd] &gt; scripts\logon.cmd
+ default password validation time (time in days) [45] &gt; 180
+. ldap suffix [dc=terpstra-world,dc=org] &gt;
+. ldap group suffix [ou=Groups] &gt;
+. ldap user suffix [ou=People] &gt;
+. ldap machine suffix [ou=People] &gt;
+. Idmap suffix [ou=Idmap] &gt;
+. sambaUnixIdPooldn: object where you want to store the next uidNumber
+ and gidNumber available for new users and groups
+ sambaUnixIdPooldn object (relative to ${suffix})
+ [sambaDomainName=DAMNATION] &gt;
+. ldap master server:
+ IP address or DNS name of the master (writable) ldap server
+ ldap master server [] &gt; 127.0.0.1
+. ldap master port [389] &gt;
+. ldap master bind dn [cn=Manager,dc=terpstra-world,dc=org] &gt;
+. ldap master bind password [] &gt;
+. ldap slave server: IP address or DNS name of the slave ldap server:
+ can also be the master one
+ ldap slave server [] &gt; 127.0.0.1
+. ldap slave port [389] &gt;
+. ldap slave bind dn [cn=Manager,dc=terpstra-world,dc=org] &gt;
+. ldap slave bind password [] &gt;
+. ldap tls support (1/0) [0] &gt;
+. SID for domain DAMNATION: SID of the domain
+ (can be obtained with 'net getlocalsid MERLIN')
+ SID for domain DAMNATION []
+ &gt; S-1-5-21-1385457007-882775198-1210191635
+. unix password encryption: encryption used for unix passwords
+unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] &gt; MD5
+. default user gidNumber [513] &gt;
+. default computer gidNumber [515] &gt;
+. default login shell [/bin/bash] &gt;
+. default domain name to append to mail address [] &gt;
+ terpstra-world.org
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+backup old configuration files:
+ /etc/smbldap-tools/smbldap.conf-&gt;
+ /etc/smbldap-tools/smbldap.conf.old
+ /etc/smbldap-tools/smbldap_bind.conf-&gt;
+ /etc/smbldap-tools/smbldap_bind.conf.old
+writing new configuration file:
+ /etc/smbldap-tools/smbldap.conf done.
+ /etc/smbldap-tools/smbldap_bind.conf done.
+</pre><p>
+ <a class="indexterm" name="id366615"></a>
+ <a class="indexterm" name="id366622"></a>
+ <a class="indexterm" name="id366629"></a>
+ <a class="indexterm" name="id366636"></a>
+ Note that the NT4 domain SID that was previously obtained was entered above. Also,
+ the sambaUnixIdPooldn object was specified as sambaDomainName=DAMNATION. This is
+ the location into which the Idealx smbldap-tools store the next available UID/GID
+ information. It is also where Samba stores domain specific information such as the
+ next RID, the SID, and so on. In older version of the smbldap-tools this information
+ was stored in the sambaUnixIdPooldn DIT location cn=NextFreeUnixId. Where smbldap-tools
+ are being upgraded to version 0.9.1 it is appropriate to update this to the new location
+ only if the directory information is also relocated.
+ </p></li><li><p>
+ Start the LDAP server using the system interface script. On Novell SLES9
+ this is done as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap start
+</pre><p>
+ </p></li><li><p>
+ Edit the <code class="filename">/etc/nsswitch.conf</code> file so it has the entries shown in
+ <a href="ntmigration.html#sbentnss2" title="Example 9.7. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:2)">???</a>. Note that the LDAP entries have now been uncommented.
+ </p></li><li><p>
+ The LDAP management password must be installed into the <code class="filename">secrets.tdb</code>
+ file as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -w not24get
+Setting stored password for
+ "cn=Manager,dc=terpstra-world,dc=org" in secrets.tdb
+</pre><p>
+ </p></li><li><p>
+ Populate the LDAP directory as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> /opt/IDEALX/sbin/smbldap-populate -a root -k 0 -m 0
+Using workgroup name from sambaUnixIdPooldn (smbldap.conf):
+ sambaDomainName=DAMNATION
+Using builtin directory structure
+adding new entry: dc=terpstra-world,dc=org
+adding new entry: ou=People,dc=terpstra-world,dc=org
+adding new entry: ou=Groups,dc=terpstra-world,dc=org
+entry ou=People,dc=terpstra-world,dc=org already exist.
+adding new entry: ou=Idmap,dc=terpstra-world,dc=org
+adding new entry: sambaDomainName=DAMNATION,dc=terpstra-world,dc=org
+adding new entry: uid=root,ou=People,dc=terpstra-world,dc=org
+adding new entry: uid=nobody,ou=People,dc=terpstra-world,dc=org
+adding new entry: cn=Domain Admins,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Domain Users,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Domain Guests,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Domain Computers,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Administrators,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Print Operators,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Backup Operators,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Replicators,ou=Groups,dc=terpstra-world,dc=org
+</pre><p>
+ The script tries to add the ou=People container twice, hence the error message.
+ This is expected behavior.
+ </p></li><li><p>
+ <a class="indexterm" name="id366775"></a>
+ Restart the LDAP server following initialization of the LDAP directory. Execute the
+ system control script provided on your system. The following steps can be used on
+ Novell SUSE SLES 9:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap restart
+<code class="prompt">root# </code> chkconfig ldap on
+</pre><p>
+ </p></li><li><p>
+ Verify that the new user accounts that have been added to the LDAP directory can be
+ resolved as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent passwd
+...
+nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
+man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
+news:x:9:13:News system:/etc/news:/bin/bash
+uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
++::0:0:::
+root:x:0:0:Netbios Domain Administrator:/home/users/root:/bin/false
+nobody:x:999:514:nobody:/dev/null:/bin/false
+</pre><p>
+ Now repeat this for the group accounts as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent group
+...
+nobody:x:65533:
+nogroup:x:65534:nobody
+users:x:100:
++::0:
+Domain Admins:x:512:root
+Domain Users:x:513:
+Domain Guests:x:514:
+Domain Computers:x:515:
+Administrators:x:544:
+Print Operators:x:550:
+Backup Operators:x:551:
+Replicators:x:552:
+</pre><p>
+ In both cases the LDAP accounts follow the &#8220;<span class="quote">+::0:</span>&#8221; entry.
+ </p></li><li><p>
+ Now it is time to join the Samba BDC to the target NT4 domain that is being
+ migrated to Samba-3 by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join -S TRANSGRESSION -U Administrator%not24get
+merlin:/opt/IDEALX/sbin # net rpc join -S TRANSGRESSION \
+ -U Administrator%not24get
+Joined domain DAMNATION.
+</pre><p>
+ </p></li><li><p>
+ Set the new domain administrator (root) password for both UNIX and Windows as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> /opt/IDEALX/sbin/smbldap-passwd root
+Changing password for root
+New password : ********
+Retype new password : ********
+</pre><p>
+ Note: During account migration, the Windows Administrator account will not be migrated
+ to the Samba server.
+ </p></li><li><p>
+ Now validate that these accounts can be resolved using Samba's tools as
+ shown here for user accounts:
+</p><pre class="screen">
+<code class="prompt">root# </code> pdbedit -Lw
+root:0:84B0D8E14D158FF8417EAF50CFAC29C3:
+ AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U ]:LCT-425F6467:
+nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
+ NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000:
+</pre><p>
+ Now complete the following step to validate that group account mappings have
+ been correctly set:
+</p><pre class="screen">
+<code class="prompt">root# </code> net groupmap list
+Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512)
+ -&gt; Domain Admins
+Domain Users (S-1-5-21-1385457007-882775198-1210191635-513)
+ -&gt; Domain Users
+Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514)
+ -&gt; Domain Guests
+Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515)
+ -&gt; Domain Computers
+Administrators (S-1-5-32-544) -&gt; Administrators
+Print Operators (S-1-5-32-550) -&gt; Print Operators
+Backup Operators (S-1-5-32-551) -&gt; Backup Operators
+Replicators (S-1-5-32-552) -&gt; Replicators
+</pre><p>
+ These are the expected results for a correctly configured system.
+ </p></li><li><p>
+ Commence migration as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc vampire -S TRANSGRESSION \
+ -U Administrator%not24get &gt; /tmp/vampire.log 2&gt;1
+</pre><p>
+ Check the vampire log to confirm that only expected errors have been
+ reported. See <a href="ntmigration.html#sbevam1" title="Migration Log Validation">???</a>.
+ </p></li><li><p>
+ The migration of user accounts can be quickly validated as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> pdbedit -Lw
+root:0:84B0D8E14D158FF8417EAF50CFAC29C3:...
+nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:...
+Administrator:0:84B0D8E14D158FF8417EAF50CFAC29C3:...
+Guest:1:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:...
+TRANSGRESSION$:2:CC044B748CEE294CE76B6B0D1B86C1A8:...
+IUSR_TRANSGRESSION:3:64046AC81B056C375F9537FC409085F8:...
+MIDEARTH$:4:E93186E5819706D2AAD3B435B51404EE:...
+atrickhoffer:5:DC08CFE0C12B2867352502E32A407F23:...
+barryf:6:B829BCDE01FF24376E45D5F10408CFBD:...
+fsellerby:7:6A97CBEBE8F9826B417EAF50CFAC29C3:...
+gdaison:8:48F6A8C8A900024351DA8C2061C5F1D3:...
+hrambotham:9:7330D9EA0964465EAAD3B435B51404EE:...
+jrhapsody:10:ACBA7D207E2BA35D9BD41A26B01626BD:...
+maryk:11:293B5A4CA41F6CA1A7D80430B8342B73:...
+jacko:12:8E8982D86BD037C364BBD09A598E07AD:...
+bridge:13:0D2CA7D2BE67FE2193BE3A377C968336:...
+sharpec:14:8841A75CAC19D2855D8B73B1F4D430F8:...
+jimbo:15:6E8BDC904FD9EC5C17306D272A9441BB:...
+dhenwick:16:D1694A03C33584BDAAD3B435B51404EE:...
+dork:17:69E2D19E69A593D5AAD3B435B51404EE:...
+blue:18:E355EBF9559979FEAAD3B435B51404EE:...
+billw:19:EE35C3481CF7F7DB484448BC86A641A5:...
+rfreshmill:20:7EC033B58661B60CAAD3B435B51404EE:...
+MAGGOT$:21:A3B9334765AD30F7AAD3B435B51404EE:...
+TRENTWARE$:22:1D92C8DD5E7F0DDF93BE3A377C968336:...
+MORTON$:23:89342E69DCA9D3F8AAD3B435B51404EE:...
+NARM$:24:2B93E2D1D25448BDAAD3B435B51404EE:...
+LAPDOG$:25:14AA535885120943AAD3B435B51404EE:...
+SCAVENGER$:26:B6288EB6D147B56F8963805A19B0ED49:...
+merlin$:27:820C50523F368C54AB9D85AE603AD09D:...
+</pre><p>
+ </p></li><li><p>
+ The mapping of UNIX and Windows groups can be validated as show here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net groupmap list
+Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512)
+ -&gt; Domain Admins
+Domain Users (S-1-5-21-1385457007-882775198-1210191635-513)
+ -&gt; Domain Users
+Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514)
+ -&gt; Domain Guests
+Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515)
+ -&gt; Domain Computers
+Administrators (S-1-5-32-544) -&gt; Administrators
+Print Operators (S-1-5-32-550) -&gt; Print Operators
+Backup Operators (S-1-5-32-551) -&gt; Backup Operators
+Replicator (S-1-5-32-552) -&gt; Replicators
+Engineers (S-1-5-21-1385457007-882775198-1210191635-1020) -&gt; Engineers
+Marketoids (S-1-5-21-1385457007-882775198-1210191635-1022) -&gt; Marketoids
+Gnomes (S-1-5-21-1385457007-882775198-1210191635-1023) -&gt; Gnomes
+Catalyst (S-1-5-21-1385457007-882775198-1210191635-1024) -&gt; Catalyst
+Recieving (S-1-5-21-1385457007-882775198-1210191635-1025) -&gt; Recieving
+Rubberboot (S-1-5-21-1385457007-882775198-1210191635-1026) -&gt; Rubberboot
+Sales (S-1-5-21-1385457007-882775198-1210191635-1027) -&gt; Sales
+Accounting (S-1-5-21-1385457007-882775198-1210191635-1028) -&gt; Accounting
+Shipping (S-1-5-21-1385457007-882775198-1210191635-1029) -&gt; Shipping
+Account Operators (S-1-5-32-548) -&gt; Account Operators
+Guests (S-1-5-32-546) -&gt; Guests
+Server Operators (S-1-5-32-549) -&gt; Server Operators
+Users (S-1-5-32-545) -&gt; Users
+</pre><p>
+ It is of vital importance that the domain SID portions of all group
+ accounts are identical.
+ </p></li><li><p>
+ The final responsibility in the migration process is to create identical
+ shares and printing resources on the new Samba-3 server, copy all data
+ across, set up privileges, and set share and file/directory access controls.
+ </p></li><li><p>
+ <a class="indexterm" name="id367029"></a>
+ <a class="indexterm" name="id367036"></a>
+ Edit the <code class="filename">smb.conf</code> file to reset the parameter
+ <a class="indexterm" name="id367049"></a>domain master = Yes so that
+ the Samba server functions as a PDC for the purpose of migration.
+ Also, uncomment the deletion scripts so they will now be fully functional,
+ enable the <em class="parameter"><code>wins support = yes</code></em> parameter and
+ comment out the <em class="parameter"><code>wins server</code></em>. Validate the configuration
+ with the <code class="literal">testparm</code> utility as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm
+Load smb config files from /etc/samba/smb.conf
+Processing section "[apps]"
+Processing section "[media]"
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[netlogon]"
+Processing section "[profiles]"
+Processing section "[profdata]"
+Processing section "[print$]"
+Loaded services file OK.
+Server role: ROLE_DOMAIN_PDC
+Press enter to see a dump of your service definitions
+</pre><p>
+ </p></li><li><p>
+ Now shut down the old NT4 PDC. Only when the old NT4 PDC and all
+ NT4 BDCs have been shut down can the Samba-3 PDC be started.
+ </p></li><li><p>
+ All workstations should function as they did with the old NT4 PDC. All
+ interdomain trust accounts should remain in place and fully functional.
+ All machine accounts and user logon accounts should also function correctly.
+ </p></li><li><p>
+ The configuration of Samba-3 BDC servers can be accomplished now or at any
+ convenient time in the future. Please refer to the carefully detailed process
+ for doing so is outlined in <a href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">???</a>.
+ </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbevam1"></a>Migration Log Validation</h4></div></div></div><p>
+ The following <code class="filename">vampire.log</code> file is typical of a valid migration.
+</p><pre class="screen">
+adding user Administrator to group Domain Admins
+adding user atrickhoffer to group Engineers
+adding user dhenwick to group Engineers
+adding user dork to group Engineers
+adding user rfreshmill to group Marketoids
+adding user jacko to group Gnomes
+adding user jimbo to group Gnomes
+adding user maryk to group Gnomes
+adding user gdaison to group Gnomes
+adding user dhenwick to group Catalyst
+adding user jacko to group Catalyst
+adding user jacko to group Recieving
+adding user blue to group Recieving
+adding user hrambotham to group Rubberboot
+adding user billw to group Sales
+adding user bridge to group Sales
+adding user jrhapsody to group Sales
+adding user maryk to group Sales
+adding user rfreshmill to group Sales
+adding user fsellerby to group Sales
+adding user sharpec to group Sales
+adding user jimbo to group Accounting
+adding user gdaison to group Accounting
+adding user jacko to group Shipping
+adding user blue to group Shipping
+Fetching DOMAIN database
+Creating unix group: 'Engineers'
+Creating unix group: 'Marketoids'
+Creating unix group: 'Gnomes'
+Creating unix group: 'Catalyst'
+Creating unix group: 'Recieving'
+Creating unix group: 'Rubberboot'
+Creating unix group: 'Sales'
+Creating unix group: 'Accounting'
+Creating unix group: 'Shipping'
+Creating account: Administrator
+Creating account: Guest
+Creating account: TRANSGRESSION$
+Creating account: IUSR_TRANSGRESSION
+Creating account: MIDEARTH$
+Creating account: atrickhoffer
+Creating account: barryf
+Creating account: fsellerby
+Creating account: gdaison
+Creating account: hrambotham
+Creating account: jrhapsody
+Creating account: maryk
+Creating account: jacko
+Creating account: bridge
+Creating account: sharpec
+Creating account: jimbo
+Creating account: dhenwick
+Creating account: dork
+Creating account: blue
+Creating account: billw
+Creating account: rfreshmill
+Creating account: MAGGOT$
+Creating account: TRENTWARE$
+Creating account: MORTON$
+Creating account: NARM$
+Creating account: LAPDOG$
+Creating account: SCAVENGER$
+Creating account: merlin$
+Group members of Domain Admins: Administrator,
+Group members of Domain Users: Administrator(primary),
+TRANSGRESSION$(primary),IUSR_TRANSGRESSION(primary),
+MIDEARTH$(primary),atrickhoffer(primary),barryf(primary),
+fsellerby(primary),gdaison(primary),hrambotham(primary),
+jrhapsody(primary),maryk(primary),jacko(primary),bridge(primary),
+sharpec(primary),jimbo(primary),dhenwick(primary),dork(primary),
+blue(primary),billw(primary),rfreshmill(primary),MAGGOT$(primary),
+TRENTWARE$(primary),MORTON$(primary),NARM$(primary),
+LAPDOG$(primary),SCAVENGER$(primary),merlin$(primary),
+Group members of Domain Guests: Guest(primary),
+Group members of Engineers: atrickhoffer,dhenwick,dork,
+Group members of Marketoids: rfreshmill,
+Group members of Gnomes: jacko,jimbo,maryk,gdaison,
+Group members of Catalyst: dhenwick,jacko,
+Group members of Recieving: jacko,blue,
+Group members of Rubberboot: hrambotham,
+Group members of Sales: billw,bridge,jrhapsody,maryk,
+rfreshmill,fsellerby,sharpec,
+Group members of Accounting: jimbo,gdaison,
+Group members of Shipping: jacko,blue,
+Fetching BUILTIN database
+skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain)
+Creating unix group: 'Account Operators'
+Creating unix group: 'Guests'
+Creating unix group: 'Server Operators'
+Creating unix group: 'Users'
+</pre><p>
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id367204"></a>NT4 Migration Using tdbsam Backend</h3></div></div></div><p>
+ In this example, we change the domain name of the NT4 server from
+ <code class="constant">DRUGPREP</code> to <code class="constant">MEGANET</code> prior to the use
+ of the vampire (migration) tool. This migration process makes use of Linux system tools
+ (like <code class="literal">useradd</code>) to add the accounts that are migrated into the
+ UNIX/Linux <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code>
+ databases. These entries must therefore be present, and correct options specified,
+ in your <code class="filename">smb.conf</code> file, or else the migration does not work as it should.
+ </p><div class="procedure"><a name="id367248"></a><p class="title"><b>Procedure 9.2. Migration Steps Using tdbsam</b></p><ol type="1"><li><p>
+ Prepare a Samba-3 server precisely per the instructions shown in <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>.
+ Set the workgroup name to <code class="constant">MEGANET</code>.
+ </p></li><li><p><a class="indexterm" name="id367275"></a><a class="indexterm" name="id367282"></a>
+ Edit the <code class="filename">smb.conf</code> file to temporarily change the parameter
+ <a class="indexterm" name="id367298"></a>domain master = No so
+ the Samba server functions as a BDC for the purpose of migration.
+ </p></li><li><p>
+ Start Samba as you have done previously.
+ </p></li><li><p><a class="indexterm" name="id367318"></a>
+ Join the NT4 Domain as a BDC, as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get
+Joined domain MEGANET.
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id367351"></a>
+ You may vampire the accounts from the NT4 PDC by executing the command, as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc vampire -S oldnt4pdc -U Administrator%not24get
+Fetching DOMAIN database
+SAM_DELTA_DOMAIN_INFO not handled
+Creating unix group: 'Domain Admins'
+Creating unix group: 'Domain Users'
+Creating unix group: 'Domain Guests'
+Creating unix group: 'Engineers'
+Creating unix group: 'Marketoids'
+Creating unix group: 'Account Operators'
+Creating unix group: 'Administrators'
+Creating unix group: 'Backup Operators'
+Creating unix group: 'Guests'
+Creating unix group: 'Print Operators'
+Creating unix group: 'Replicator'
+Creating unix group: 'Server Operators'
+Creating unix group: 'Users'
+Creating account: Administrator
+Creating account: Guest
+Creating account: oldnt4pdc$
+Creating account: jacko
+Creating account: maryk
+Creating account: bridge
+Creating account: sharpec
+Creating account: jimbo
+Creating account: dhenwick
+Creating account: dork
+Creating account: blue
+Creating account: billw
+Creating account: massive$
+Group members of Engineers: Administrator,
+ sharpec(primary),bridge,billw(primary),dhenwick
+Group members of Marketoids: Administrator,jacko(primary),
+ maryk(primary),jimbo,blue(primary),dork(primary)
+Creating unix group: 'Gnomes'
+Fetching BUILTIN database
+SAM_DELTA_DOMAIN_INFO not handled
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id367395"></a>
+ At this point, we can validate our migration. Let's look at the accounts
+ in the form in which they are seen in a smbpasswd file. This achieves that:
+</p><pre class="screen">
+<code class="prompt">root# </code> pdbedit -Lw
+Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3:
+ AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[UX ]:LCT-3DF7AA9F:
+jimbo:512:6E9A2A51F64A1BD5C187B8085FE1D9DF:
+ CDF7E305E639966E489A0CEFB95EE5E0:[UX ]:LCT-3E9362BC:
+sharpec:511:E4301A7CD8FDD1EC6BBF9BC19CDF8151:
+ 7000255938831D5B948C95C1931534C5:[UX ]:LCT-3E8B42C4:
+dhenwick:513:DCD8886141E3F892AAD3B435B51404EE:
+ 2DB36465949CB938DD98C312EFDC2639:[UX ]:LCT-3E939F41:
+bridge:510:3FE6873A43101B46417EAF50CFAC29C3:
+ 891741F481AF111B4CAA09A94016BD01:[UX ]:LCT-3E8B4291:
+blue:515:256D41D2559BB3D2AAD3B435B51404EE:
+ 9CCADDA4F7D281DD0FAD321478C6F971:[UX ]:LCT-3E939FDC:
+diamond$:517:6C8E7B64EDCDBC4218B6345447A4454B:
+ 3323AC63C666CFAACB60C13F65D54E9A:[S ]:LCT-00000000:
+oldnt4pdc$:507:3E39430CDCABB5B09ED320D0448AE568:
+ 95DBAF885854A919C7C7E671060478B9:[S ]:LCT-3DF7AA9F:
+Guest:506:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DUX ]:LCT-3E93A008:
+billw:516:85380CA7C21B6EBE168C8150662AF11B:
+ 5D7478508293709937E55FB5FBA14C17:[UX ]:LCT-3FED7CA1:
+dork:514:78C70DDEC35A35B5AAD3B435B51404EE:
+ 0AD886E015AC595EC0AF40E6C9689E1A:[UX ]:LCT-3E939F9A:
+jacko:508:BC472F3BF9A0A5F63832C92FC614B7D1:
+ 0C6822AAF85E86600A40DC73E40D06D5:[UX ]:LCT-3E8B4242:
+maryk:509:3636AB7E12EBE79AB79AE2610DD89D4C:
+ CF271B744F7A55AFDA277FF88D80C527:[UX ]:LCT-3E8B4270:
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id367434"></a>
+ An expanded view of a user account entry shows more of what was
+ obtained from the NT4 PDC:
+</p><pre class="screen">
+sleeth:~ # pdbedit -Lv maryk
+Unix username: maryk
+NT username: maryk
+Account Flags: [UX ]
+User SID: S-1-5-21-1988699175-926296742-1295600288-1003
+Primary Group SID: S-1-5-21-1988699175-926296742-1295600288-1007
+Full Name: Mary Kathleen
+Home Directory: \\diamond\maryk
+HomeDir Drive: X:
+Logon Script: scripts\logon.bat
+Profile Path: \\diamond\profiles\maryk
+Domain: MEGANET
+Account desc: Peace Maker
+Workstations:
+Munged dial:
+Logon time: 0
+Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Password last set: Wed, 02 Apr 2003 13:05:04 GMT
+Password can change: 0
+Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id367468"></a>
+ The following command lists the long names of the groups that have been
+ imported (vampired) from the NT4 PDC:
+</p><pre class="screen">
+<code class="prompt">root# </code> net group -l -Uroot%not24get -Smassive
+
+Group name Comment
+-----------------------------
+Engineers Snake Oil Engineers
+Marketoids Untrustworthy Hype Vendors
+Gnomes Plain Vanilla Garden Gnomes
+Replicator Supports file replication in a domain
+Guests Users granted guest access to the computer/domain
+Administrators Members can fully administer the computer/domain
+Users Ordinary users
+</pre><p>
+ Everything looks well and in order.
+ </p></li><li><p><a class="indexterm" name="id367503"></a><a class="indexterm" name="id367511"></a>
+ Edit the <code class="filename">smb.conf</code> file to reset the parameter
+ <a class="indexterm" name="id367526"></a>domain master = Yes so
+ the Samba server functions as a PDC for the purpose of migration.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id367537"></a>Key Points Learned</h3></div></div></div><p>
+ Migration of an NT4 PDC database to a Samba-3 PDC is possible.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ An LDAP backend is a suitable vehicle for NT4 migrations.
+ </p></li><li><p>
+ A tdbsam backend can be used to perform a migration.
+ </p></li><li><p>
+ Multiple NT4 domains can be merged into a single Samba-3
+ domain.
+ </p></li><li><p>
+ The net Samba-3 domain most likely requires some
+ administration and updating before going live.
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id367572"></a>Questions and Answers</h2></div></div></div><p>
+ </p><div class="qandaset"><dl><dt> <a href="ntmigration.html#id367587">
+ Why must I start each migration with a clean database?
+ </a></dt><dt> <a href="ntmigration.html#id367623">
+ Is it possible to set my domain SID to anything I like?
+ </a></dt><dt> <a href="ntmigration.html#id367680">
+ When using a tdbsam passdb backend, why must I have all domain user and group accounts
+ in /etc/passwd and /etc/group?
+ </a></dt><dt> <a href="ntmigration.html#id367846">
+ Why did you validate connectivity before attempting migration?
+ </a></dt><dt> <a href="ntmigration.html#id367889">
+ How would you merge 10 tdbsam-based domains into an LDAP database?
+ </a></dt><dt> <a href="ntmigration.html#id368004">
+ I want to change my domain name after I migrate all accounts from an NT4 domain to a
+ Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?
+ </a></dt><dt> <a href="ntmigration.html#id368075">
+ After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?
+ </a></dt><dt> <a href="ntmigration.html#id368134">
+ How can I reset group membership after loading the account information into the LDAP database?
+ </a></dt><dt> <a href="ntmigration.html#id368166">
+ What are the limits or constraints that apply to group names?
+ </a></dt><dt> <a href="ntmigration.html#id368262">
+ My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3
+ LDAP backend system using the vampire process?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id367587"></a><a name="id367589"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id367593"></a>
+ Why must I start each migration with a clean database?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id367608"></a>
+ This is a recommendation that permits the data from each NT4 domain to
+ be kept separate until you are ready to merge them. Also, if you do not start with a clean database,
+ you may find errors due to users or groups from multiple domains having the
+ same name but different SIDs. It is better to permit each migration to complete
+ without undue errors and then to handle the merging of vampired data under
+ proper supervision.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id367623"></a><a name="id367626"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id367629"></a>
+ Is it possible to set my domain SID to anything I like?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id367644"></a><a class="indexterm" name="id367652"></a><a class="indexterm" name="id367659"></a>
+ Yes, so long as the SID you create has the same structure as an autogenerated SID.
+ The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where
+ the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why
+ would you really want to create your own SID? I cannot think of a good reason.
+ You may want to set the SID to one that is already in use somewhere on your network,
+ but that is a little different from straight out creating your own domain SID.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id367680"></a><a name="id367682"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id367685"></a><a class="indexterm" name="id367693"></a><a class="indexterm" name="id367701"></a><a class="indexterm" name="id367709"></a><a class="indexterm" name="id367717"></a><a class="indexterm" name="id367728"></a><a class="indexterm" name="id367739"></a>
+ When using a tdbsam passdb backend, why must I have all domain user and group accounts
+ in <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code>?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id367770"></a><a class="indexterm" name="id367778"></a><a class="indexterm" name="id367785"></a><a class="indexterm" name="id367793"></a><a class="indexterm" name="id367801"></a><a class="indexterm" name="id367809"></a>
+ Samba-3 must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba
+ does not fabricate the UNIX IDs from thin air, but rather requires them to be located
+ in a suitable place.
+ </p><p>
+ When migrating a <code class="filename">smbpasswd</code> file to an LDAP backend, the
+ UID of each account is taken together with the account information in the
+ <code class="filename">/etc/passwd</code>, and both sets of data are used to create the account
+ entry in the LDAP database.
+ </p><p>
+ If you elect to create the POSIX account also, the entire UNIX account is copied to the
+ LDAP backend. The same occurs with NT groups and UNIX groups. At the conclusion of
+ migration to the LDAP database, the accounts may be removed from the UNIX database files.
+ In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in
+ LDAP, require UIDs/GIDs.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id367846"></a><a name="id367848"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id367852"></a><a class="indexterm" name="id367859"></a><a class="indexterm" name="id367867"></a>
+ Why did you validate connectivity before attempting migration?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Access validation before attempting to migrate NT4 domain accounts helps to pinpoint
+ potential problems that may otherwise affect or impede account migration. I am always
+ mindful of the 4 P's of migration: Planning Prevents Poor Performance.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id367889"></a><a name="id367891"></a></td><td align="left" valign="top"><p>
+ How would you merge 10 tdbsam-based domains into an LDAP database?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id367901"></a><a class="indexterm" name="id367909"></a><a class="indexterm" name="id367917"></a><a class="indexterm" name="id367925"></a><a class="indexterm" name="id367933"></a><a class="indexterm" name="id367940"></a><a class="indexterm" name="id367948"></a><a class="indexterm" name="id367956"></a><a class="indexterm" name="id367964"></a><a class="indexterm" name="id367972"></a><a class="indexterm" name="id367979"></a>
+ If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of
+ accounts that have the same UNIX identifier (UID/GID). This means that you almost
+ certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd
+ file format and then manually edit all records to ensure that each has a unique UID. Each
+ file can then be imported a number of ways. You can use the <code class="literal">pdbedit</code> tool
+ to affect a transfer from the smbpasswd file to LDAP, or you can migrate them en masse to
+ tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that
+ you have migrated before handing over access to a user. After all, too many users with a bad
+ migration experience may threaten your career.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368004"></a><a name="id368006"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id368009"></a><a class="indexterm" name="id368017"></a>
+ I want to change my domain name after I migrate all accounts from an NT4 domain to a
+ Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368036"></a><a class="indexterm" name="id368044"></a><a class="indexterm" name="id368052"></a><a class="indexterm" name="id368060"></a>
+ I would recommend not to migrate the machine account. The machine accounts should still work, but there are registry entries
+ on each Windows NT4 and upward client that have a tattoo of the old domain name. If you
+ unjoin the domain and then rejoin the newly renamed Samba-3 domain, you can be certain to avoid
+ this tattooing effect.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368075"></a><a name="id368077"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id368080"></a>
+ After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368096"></a><a class="indexterm" name="id368104"></a>
+ Samba-3 currently does not implement multiple group membership internally. If you use the Windows
+ NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group
+ membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend,
+ then multiple group membership is handled through the UNIX groups file. When you dump the user
+ accounts, no group account information is provided. When you edit (change) UIDs and GIDs in each
+ file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <code class="filename">/etc/passwd</code>
+ and <code class="filename">/etc/group</code> information also. That is where the multiple group information
+ is most closely at your fingertips.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368134"></a><a name="id368136"></a></td><td align="left" valign="top"><p>
+ How can I reset group membership after loading the account information into the LDAP database?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368146"></a>
+ You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The
+ installation file is called <code class="filename">SRVTOOLS.EXE</code>.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368166"></a><a name="id368168"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id368171"></a>
+ What are the limits or constraints that apply to group names?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368186"></a><a class="indexterm" name="id368194"></a><a class="indexterm" name="id368202"></a><a class="indexterm" name="id368209"></a><a class="indexterm" name="id368217"></a><a class="indexterm" name="id368225"></a>
+ A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group
+ name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows
+ groups can contain upper- and lowercase characters, as well as spaces.
+ Many UNIX system do not permit the use of uppercase characters, and some do not permit the
+ space character either. A number of systems (i.e., Linux) work fine with both uppercase
+ and space characters in group names, but the shadow-utils package that provides the group
+ control functions (<code class="literal">groupadd</code>, <code class="literal">groupmod</code>, <code class="literal">groupdel</code>, and so on) do not permit them.
+ Also, a number of UNIX systems management tools enforce their own particular interpretation
+ of the POSIX standards and likewise do not permit uppercase or space characters in group
+ or user account names. You have to experiment with your system to find what its
+ peculiarities are.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368262"></a><a name="id368264"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id368267"></a>
+ My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3
+ LDAP backend system using the vampire process?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ UNIX UIDs and GIDs on most UNIX systems use an unsigned short or an unsigned integer. Recent Linux
+ kernels support at least a much larger number. On systems that have a 16-bit constraint on UID/GIDs,
+ you would not be able to migrate 323,000 accounts because this number cannot fit into a 16-bit unsigned
+ integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts.
+ Please check this carefully before you attempt to effect a migration using the vampire process.
+ </p><p><a class="indexterm" name="id368291"></a>
+ Migration speed depends much on the processor speed, the network speed, disk I/O capability, and
+ LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory that was mirroring LDAP
+ to a second identical system over 1 Gb Ethernet, I was able to migrate around 180 user accounts
+ per minute. Migration would obviously go much faster if LDAP mirroring were turned off during the migration.
+ </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrades.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="nw4migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Updating Samba-3 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 10. Migrating NetWare Server to Samba-3</td></tr></table></div></body></html>
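Review bot: the validation step that begins "At this point, we can validate our migration" prints `pdbedit -Lw` output that carries the LM and NT password hashes of every migrated account (the two 32-hex-digit columns after the UID, e.g. `Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3:`); since the step only needs to confirm that the accounts arrived, the text should use the hash-free listing (`pdbedit -L`, or the `-Lv` form already used for maryk) or state plainly that `-w` emits smbpasswd format and that the output has to be protected like the passdb itself. In the same procedure, `net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get` and `net rpc vampire -S oldnt4pdc -U Administrator%not24get` put the Administrator password on the command line, where it is visible in the process list and shell history; the text should mention that `-U Administrator` without the `%password` part makes `net` prompt for it. Several cross-references in this hunk render as `???` (`<a href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">???</a>` in the BDC step and `<a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>` in the tdbsam procedure), so the generated HTML has lost the referenced section titles and the xref generation should be fixed before shipping. Minor text errors in the same region: "Please refer to the carefully detailed process for doing so is outlined in" should drop "Please refer to", "The net Samba-3 domain" under Key Points should read "new", and "Many UNIX system do not permit" should read "systems".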
diff --git a/docs/htmldocs/Samba3-ByExample/nw4migration.html b/docs/htmldocs/Samba3-ByExample/nw4migration.html
new file mode 100644
index 0000000000..99bef571ec
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/nw4migration.html
@@ -0,0 +1,1249 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Migrating NetWare Server to Samba-3</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="ntmigration.html" title="Chapter 9. Migrating NT4 Domain to Samba-3"><link rel="next" href="RefSection.html" title="Part III. Reference Section"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Migrating NetWare Server to Samba-3</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ntmigration.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="RefSection.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="nw4migration"></a>Chapter 10. 
Migrating NetWare Server to Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="nw4migration.html#id368455">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id368561">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id368660">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id368732">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id368903">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id368911">NetWare Migration Using LDAP Backend</a></span></dt></dl></dd></dl></div><p>
+ <a class="indexterm" name="id368324"></a>
+ <a class="indexterm" name="id368330"></a>
+ Novell is a company any seasoned IT manager has to admire. It has become increasingly
+ Linux-friendly and is emerging out of a deep regression that almost saw the company
+ disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the
+ platform of choice to which many older NetWare servers are being migrated.
+ It will be interesting to see what becomes of NetWare over time.
+ Meanwhile, there can be no denying that Novell is a Linux company.
+ </p><p>
+ <a class="indexterm" name="id368348"></a>
+ <a class="indexterm" name="id368355"></a>
+ <a class="indexterm" name="id368362"></a>
+ <a class="indexterm" name="id368369"></a>
+ Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian,
+ Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with
+ the knowledge that file locations may vary a little; even so, the information
+ in this chapter should provide something of value.
+ </p><p>
+ <a class="indexterm" name="id368382"></a>
+ Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many
+ years who surfaced on the Samba mailing list with a barrage of questions and who
+ regularly helps other administrators to solve thorny Samba migration questions.
+ </p><p>
+ <a class="indexterm" name="id368394"></a>
+ <a class="indexterm" name="id368401"></a>
+ <a class="indexterm" name="id368407"></a>
+ <a class="indexterm" name="id368414"></a>
+ One wonders how many NetWare servers remain in active service. Many are being migrated
+ to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are
+ ideal target platforms to which a NetWare server may be migrated. The migration method
+ of choice is much dependent on the tools that the administrator finds most natural to use.
+ The old-hand NetWare guru will likely want to use tools like the NetWare NLM for
+ <code class="literal">rsync</code> to migrate files from the NetWare server to the Samba server.
+ The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare
+ Emulator) open source package. The MS Windows network administrator will likely make use of the
+ NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice,
+ migration will be filled with joyous and challenging moments though probably not
+ concurrently.
+ </p><p>
+ The priority that Misty faced was one of migration of the data files off the NetWare 4.11
+ server and onto a Samba-based Windows file and print server. This chapter does not pretend
+ to document all the different methods that could be used to migrate user and group accounts
+ off a NetWare server. Its focus is on migration of data files.
+ </p><p>
+ This chapter tells its own story, so ride along. Maybe the information presented here
+ will help to smooth over a similar migration challenge in your favorite networking environment.
+ </p><p>
+ File paths have been modified to permit use of RPM packages provided by Novell. In the
+ original documentation contributed by Misty, the Courier-IMAP package had been built
+ directly from the original source tarball.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id368455"></a>Introduction</h2></div></div></div><p>
+ <a class="indexterm" name="id368462"></a>
+ Misty Stanley-Jones was recruited by Abmas to administer a network that had
+ not received much attention for some years and was much in need of a makeover.
+ As a brand-new sysadmin to this company, she inherited a very old Novell file server
+ and came with a determination to change things for the better.
+ </p><p>
+ A site survey turned up the following details for the old NetWare server:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>200 MHz MMX processor</p></td></tr><tr><td><p>512K RAM</p></td></tr><tr><td><p>24 GB disk space in RAID1</p></td></tr><tr><td><p>Novell 4.11 patched to service pack 7</p></td></tr><tr><td><p>60+ users</p></td></tr><tr><td><p>7 network-attached printers</p></td></tr></table><p>
+ The company had outgrown this server several years before and was dealing with
+ severe growing pains. Some of the problems experienced were:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Very slow performance</p></li><li><p>Available storage hovering around the 5% range</p><div class="itemizedlist"><ul type="circle"><li><p>Extremely slow print spooling.</p></li><li><p>
+ Users storing information on their local hard
+ drives, causing backup integrity problems
+ </p></li></ul></div></li></ul></div><p>
+ <a class="indexterm" name="id368550"></a>
+ At one point disk space had filled up to 100 percent, causing the payroll database
+ to become corrupt. This caused the accounting department to be down for over
+ a week and necessitated deployment of another file server. The replacement
+ server was created with very poor security and design considerations from
+ a discarded desktop PC.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id368561"></a>Assignment Tasks</h3></div></div></div><p>
+ Misty has provided this summary of her migration experience in the hope
+ that it will help someone to avoid the challenges she faced. Perhaps her
+ configuration files and background will accelerate your learning as you
+ grapple with a similar migration challenge. Let there be no confusion,
+ the information presented in this chapter is provided to demonstrate
+ how Misty dealt with a particular NetWare migration requirement, and
+ it provides an overall approach to the implementation of a Samba-3
+ environment that is significantly divergent from that presented in
+ <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>.
+ </p><p>
+ The complete removal of all site-specific information in order to produce
+ a generic migration solution would rob this chapter of its character.
+ It should be recognized, therefore, that the examples given require
+ significant adaptation to suit local needs and thus
+ there are some gaps in the example files. That is not Misty's fault;it
+ is the result of treatment given to her files in an attempt to make
+ the overall information more useful to you.
+ </p><p>
+ <a class="indexterm" name="id368590"></a>
+ After management reviewed a cost-benefit report as well as an estimated
+ time-to-completion, approval was given proceed with the solution proposed.
+ The server was built from purchased components. The total project cost
+ was $3,000. A brief description of the configuration follows:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td>
+ <p>3.0 GHz P4 Processor</p>
+ </td></tr><tr><td>
+ <p>1 GB RAM</p>
+ </td></tr><tr><td>
+ <p>120 GB SATA operating system drive</p>
+ </td></tr><tr><td>
+ <p>4 x 80 GB SATA data drives (RAID5 240 GB capacity)</p>
+ </td></tr><tr><td>
+ <p>2 x 80 GB SATA removable drives for online backup</p>
+ </td></tr><tr><td>
+ <p>A DLT drive for asynchronous offline backup</p>
+ </td></tr><tr><td>
+ <p>SUSE Linux Professional 9.1</p>
+ </td></tr></table><p>
+ The new system has operated for 6 months without problems. Over the past months
+ much attention has been focused on cleaning up desktops and user profiles.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id368660"></a>Dissection and Discussion</h2></div></div></div><p>
+ <a class="indexterm" name="id368668"></a>
+ <a class="indexterm" name="id368675"></a>
+ <a class="indexterm" name="id368682"></a>
+ <a class="indexterm" name="id368688"></a>
+ A decision to use LDAP was made even though I knew nothing about LDAP except that
+ I had been reading the book &#8220;<span class="quote">LDAP System Administration,</span>&#8221; by Gerald Carter.
+ LDAP seemed to provide some of the functionality of Novell's e-Directory Services
+ and would provide centralized authentication and identity management.
+ </p><p>
+ <a class="indexterm" name="id368705"></a>
+ <a class="indexterm" name="id368711"></a>
+ <a class="indexterm" name="id368718"></a>
+ Building the LDAP database took a while and a lot of trial and error. Following
+ the guidance I obtained from &#8220;<span class="quote">LDAP System
+ Administration,</span>&#8221; I installed OpenLDAP (from RPM; later I compiled
+ a more current version from source) and built my initial LDAP tree.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id368732"></a>Technical Issues</h3></div></div></div><p>
+ <a class="indexterm" name="id368739"></a>
+ <a class="indexterm" name="id368746"></a>
+ <a class="indexterm" name="id368753"></a>
+ <a class="indexterm" name="id368760"></a>
+ <a class="indexterm" name="id368767"></a>
+ <a class="indexterm" name="id368773"></a>
+ <a class="indexterm" name="id368780"></a>
+ <a class="indexterm" name="id368787"></a>
+ <a class="indexterm" name="id368794"></a>
+ The first challenge was to create a company white pages, followed by manually
+ entering everything from the printed company directory. This used only the inetOrgPerson
+ object class from the OpenLDAP schemas. The next step was to write a shell script that
+ would look at the <code class="filename">/etc/passwd</code> and <code class="filename">/etc/shadow</code>
+ files on our mail server and create an LDIF file from which the information could be
+ imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
+ and SMTP.
+ </p><p>
+ Because a decision was made to use Courier-IMAP the schema &#8220;<span class="quote">authldap.schema</span>&#8221;
+ from the Courier-IMAP source, tarball is necessary to resolve Courier-specific LDAP directory
+ needs. Where the Courier-IMAP file provided by SUSE is used, this file is named
+ <code class="filename">courier.schema</code>.
+ </p><p>
+ Looking back, it would have been much easier to populate the LDAP directory using a convenient
+ tool such as <code class="literal">phpLDAPAdmin</code> from the outset. An excessive amount of time was
+ spent trying to generate LDIF files that could be parsed using the <code class="literal">ldapmodify</code>
+ so that necessary changes could be written to the directory. This was a learning experience!
+ </p><p>
+ An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to
+ make them work. Instead, even though it is most inelegant, I wrote a simple script that did
+ what I needed. It is enclosed as a simple example to demonstrate that you do not need to be
+ a guru to make light of otherwise painful repetition. This file is listed in <a href="nw4migration.html#sbeamg" title="Example 10.1. A Rough Tool to Create an LDIF File from the System Account Files">???</a>.
+ </p><div class="example"><a name="sbeamg"></a><p class="title"><b>Example 10.1. A Rough Tool to Create an LDIF File from the System Account Files</b></p><div class="example-contents"><pre class="screen">
+#!/bin/bash
+
+cat /etc/passwd | while read l; do
+ uid=`echo $l | cut -d : -f 1`
+ uidNumber=`echo $l | cut -d : -f 3`
+ gidNumber=`echo $1 | cut -d : -f 4`
+ gecos=`echo $l | cut -d : -f 5`
+ homeDirectory=`echo $l | cut -d : -f 6`
+ loginShell=`echo $l | cut -d : -f 6`
+ userPassword=`cat /etc/shadow | grep $uid | cut -d : -f 2`
+
+ echo "dn: cn=$gecos,ou=people,dc=mycompany,dc=com"
+ echo "objectClass: account"
+ echo "objectClass: posixAccount"
+ echo "cn: $gecos"
+ echo "uid: $uid"
+ echo "uidNumber: $uidNumber"
+ echo "gidNumber: $gidNumber"
+ echo "homeDirectory: $homeDirectory"
+ echo "loginShell: $loginShell"
+ echo "userPassword: $userPassword"
+done
+</pre></div></div><br class="example-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+
+ The PADL MigrationTools are recommended for migration of the UNIX account information into
+ the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups,
+ aliases, hosts, netgroups, networks, protocols, PRCs, and services from the existing ASCII text
+ files (or from a name service such as NIS). This too set can be obtained from the <a href="http://www.padl.com" target="_top">PADL Web site</a>.
+ </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id368903"></a>Implementation</h2></div></div></div><p>
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id368911"></a>NetWare Migration Using LDAP Backend</h3></div></div></div><p>
+ The following software must be installed on the SUSE Linux Enterprise Server to perform
+ this migration:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>courier-imap</p></td></tr><tr><td><p>courier-imap-ldap</p></td></tr><tr><td><p>nss_ldap</p></td></tr><tr><td><p>openldap2-client</p></td></tr><tr><td><p>openldap2-devel (only for Samba compilation)</p></td></tr><tr><td><p>openldap2</p></td></tr><tr><td><p>pam_ldap</p></td></tr><tr><td><p>samba-3.0.20 or later</p></td></tr><tr><td><p>samba-client-3.0.20 or later</p></td></tr><tr><td><p>samba-winbind-3.0.20 or later</p></td></tr><tr><td><p>smbldap-tools Version 0.9.1</p></td></tr></table><p>
+ Each software application must be carefully configured in preparation for migration.
+ The configuration files used at Abmas are provided as a guide and should be modified
+ to meet needs at your site.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id368982"></a>LDAP Server Configuration</h4></div></div></div><p>
+ The <code class="filename">/etc/openldap/slapd.conf</code> file Misty used is shown here:
+</p><pre class="programlisting">
+#/etc/openldap/slapd.conf
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba3.schema
+include /etc/openldap/schema/dhcp.schema
+include /etc/openldap/schema/misc.schema
+include /etc/openldap/schema/idpool.schema
+include /etc/openldap/schema/eduperson.schema
+include /etc/openldap/schema/commURI.schema
+include /etc/openldap/schema/local.schema
+include /etc/openldap/schema/courier.schema
+
+pidfile /var/run/slapd/run/slapd.pid
+argsfile /var/run/slapd/run/slapd.args
+
+replogfile /data/ldap/log/slapd.replog
+
+# Load dynamic backend modules:
+modulepath /usr/lib/openldap/modules
+
+#######################################################################
+# Logging parameters
+#######################################################################
+loglevel 256
+
+#######################################################################
+# SASL and TLS options
+#######################################################################
+sasl-host ldap.corp.abmas.org
+sasl-realm DIGEST-MD5
+sasl-secprops none
+TLSCipherSuite HIGH:MEDIUM:+SSLV2
+TLSCertificateFile /etc/ssl/certs/private/abmas-cert.pem
+TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem
+password-hash {SSHA}
+defaultsearchbase "dc=abmas,dc=biz"
+
+#######################################################################
+# bdb database definitions
+#######################################################################
+database bdb
+suffix "dc=abmas,dc=biz"
+rootdn "cn=manager,dc=abmas,dc=biz"
+rootpw {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5
+directory /data/ldap
+mode 0600
+# The following is for BDB to make it flush its data to disk every
+# 500 seconds or 5kb of data
+checkpoint 500 5
+
+## For running slapindex
+#readonly on
+
+## Indexes for often-requested attributes
+index objectClass eq
+index cn eq,sub
+index sn eq,sub
+index uid eq,sub
+index uidNumber eq
+index gidNumber eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+cachesize 2000
+
+replica host=baa.corp.abmas.org:389
+ suffix="dc=abmas,dc=biz"
+ binddn="cn=replica,dc=abmas,dc=biz"
+ credentials=verysecret
+ bindmethod=simple
+ tls=yes
+replica host=ns.abmas.org:389
+ suffix="dc=abmas,dc=biz"
+ binddn="cn=replica,dc=abmas,dc=biz"
+ credentials=verysecret
+ bindmethod=simple
+ tls=yes
+
+#######################################################################
+# ACL section
+#######################################################################
+## MOST RESTRICTIVE RULES MUST GO FIRST!
+# Admins get access to everything. This way I do not have to rename.
+access to *
+ by group/groupOfUniqueNames/uniqueMember="cn=LDAP
+Administrators,ou=groups,dc=abmas,dc=biz" write
+ by * break
+
+## Users can change their own passwords.
+access to
+attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,
+sambaPwdMustChange,sambaPwdCanChange
+ by self write
+ by * auth
+
+## Home contact info restricted to the logged-in user and the HR dept
+access to attrs=hometelephoneNumber,homePostalAddress,
+mobileTelephoneNumber,pagerTelephoneNumber
+ by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
+ou=groups,dc=abmas,dc=biz"
+write
+ by self write
+ by * none
+
+## Everyone can read email aliases
+access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz"
+ by * read
+
+## Only admins can manage email aliases
+## If someone is the role occupant of an alias they can change it -- this
+## is accomplished by the "organizationalRole" objectclass and is
+## pretty cool -- like a groupOfUniqueNames but for individual
+## users.
+access to dn.children="ou=Email Aliases,dc=abmas,dc=biz"
+ by dnattr=roleOccupant write
+ by * read
+
+## Admins and HR can add and delete users
+access to dn.sub="ou=people,dc=abmas,dc=biz"
+ by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
+ou=groups,dc=abmas,dc=biz"
+write
+ by * read
+
+## Admins and HR can add and delete bizputers
+access to dn.sub="ou=bizputers,dc=abmas,dc=biz"
+ by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
+ou=groups,dc=abmas,dc=biz"
+write
+ by * read
+
+## Admins and HR can add and delete groups
+access to dn.sub="ou=groups,dc=abmas,dc=biz"
+ by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
+ou=groups,dc=abmas,dc=biz"
+write
+ by * read
+
+## This is used to quickly deactivate any LDAP object only
+## Admins have access.
+access to dn.sub="ou=inactive,dc=abmas,dc=biz"
+ by * none
+
+## This is for programs like Windows Address Book that can
+## detect the default search base.
+access to attrs=namingcontexts,supportedControl
+ by anonymous =cs
+ by * read
+
+## Default to read-only access
+access to *
+ by dn.base="cn=replica,ou=people,dc=abmas,dc=biz" write
+ by * read
+</pre><p>
+</p><p>
+ <a class="indexterm" name="id369093"></a>
+ The <code class="filename">/etc/ldap.conf</code> file used is listed in <a href="nw4migration.html#ch8ldap" title="Example 10.2. NSS LDAP Control File /etc/ldap.conf">???</a>.
+ </p><div class="example"><a name="ch8ldap"></a><p class="title"><b>Example 10.2. NSS LDAP Control File /etc/ldap.conf</b></p><div class="example-contents"><pre class="screen">
+# /etc/ldap.conf
+# This file is present on every *NIX client that authenticates to LDAP.
+# For me, most of the defaults are fine. There is an amazing amount of
+# customization that can be done see the man page for info.
+
+# Your LDAP server. Must be resolvable without using LDAP. The following
+# is for the LDAP server all others use the FQDN of the server
+URI ldap://127.0.0.1
+
+# The distinguished name of the search base.
+base ou=corp,dc=abmas,dc=biz
+
+# The LDAP version to use (defaults to 3 if supported by client library)
+ldap_version 3
+
+# The distinguished name to bind to the server with if the effective
+# user ID is root. Password is stored in /etc/ldap.secret (mode 600)
+rootbinddn cn=Manager,dc=abmas,dc=biz
+
+# Filter to AND with uid=%s
+pam_filter objectclass=posixAccount
+
+# The user ID attribute (defaults to uid)
+pam_login_attribute uid
+
+# Group member attribute
+pam_member_attribute memberUID
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+pam_password exop
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+ssl start_tls
+
+tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem
+...
+</pre></div></div><br class="example-break"><p>
+ The NSS control file <code class="filename">/etc/nsswitch.conf</code> has the following contents:
+</p><pre class="screen">
+# /etc/nsswitch.conf
+# This file controls the resolve order for system databases.
+
+# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
+passwd: compat ldap
+group: compat ldap
+# The above are all that I store in LDAP at this point. There are
+# possibilities to store hosts, services, ethers, and lots of other things.
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id369173"></a>
+ <a class="indexterm" name="id369179"></a>
+ In my setup, users authenticate via PAM and NSS using LDAP-based accounts.
+ The configuration file that controls the behavior of the PAM <code class="literal">pam_unix2</code>
+ module is shown in <a href="nw4migration.html#sbepu2" title="Example 10.3. The PAM Control File /etc/security/pam_unix2.conf">???</a> file.
+ This works out of the box with the configuration files in this chapter. It
+ enables you to have no local accounts for users (it is highly advisable
+ to have a local account for the root user). Traps for the unwary include the following:
+ </p><div class="example"><a name="sbepu2"></a><p class="title"><b>Example 10.3. The PAM Control File <code class="filename">/etc/security/pam_unix2.conf</code></b></p><div class="example-contents"><pre class="screen">
+# pam_unix2 config file
+#
+# This file contains options for the pam_unix2.so module.
+# It contains a list of options for every type of management group,
+# which will be used for authentication, account management and
+# password management. Not all options will be used from all types of
+# management groups.
+#
+# At first, pam_unix2 will read this file and then uses the local
+# options. Not all options can be set her global.
+#
+# Allowed options are:
+#
+# debug (account, auth, password, session)
+# nullok (auth)
+# md5 (password / overwrites /etc/default/passwd)
+# bigcrypt (password / overwrites /etc/default/passwd)
+# blowfish (password / overwrites /etc/default/passwd)
+# crypt_rounds=XX
+# none (session)
+# trace (session)
+# call_modules=x,y,z (account, auth, password)
+#
+# Example:
+# auth: nullok
+# account:
+# password: nullok blowfish crypt_rounds=8
+# session: none
+#
+auth: use_ldap
+account: use_ldap
+password: use_ldap
+session: none
+</pre></div></div><br class="example-break"><a class="indexterm" name="id369231"></a><a class="indexterm" name="id369238"></a><a class="indexterm" name="id369245"></a><div class="itemizedlist"><ul type="disc"><li><p>
+ If your LDAP database goes down, nobody can authenticate except for root.
+ </p></li><li><p>
+ If failover is configured incorrectly, weird behavior can occur. For example,
+ DNS can fail to resolve.
+ </p></li></ul></div><p>
+ I do have two LDAP slave servers configured. That subject is beyond the scope
+ of this document, and steps for implementing it are well documented.
+ </p><p>
+ The following services authenticate using LDAP:
+ </p><a class="indexterm" name="id369278"></a><a class="indexterm" name="id369284"></a><a class="indexterm" name="id369291"></a><table class="simplelist" border="0" summary="Simple list"><tr><td><p>UNIX login/ssh</p></td></tr><tr><td><p>Postfix (SMTP)</p></td></tr><tr><td><p>Courier-IMAP/IMAPS/POP3/POP3S</p></td></tr></table><p>
+ <a class="indexterm" name="id369319"></a>
+ <a class="indexterm" name="id369326"></a>
+ Companywide white pages can be searched using an LDAP client
+ such as the one in the Windows Address Book.
+ </p><p>
+ <a class="indexterm" name="id369337"></a>
+ <a class="indexterm" name="id369344"></a>
+ Having gained a solid understanding of LDAP and a relatively workable LDAP tree
+ thus far, it was time to configure Samba. I compiled the latest stable Samba and
+ also installed the latest <code class="literal">smbldap-tools</code> from
+ <a href="http://idealx.com" target="_top">Idealx</a>.
+ </p><p>
+ The Samba <code class="filename">smb.conf</code> file was configured as shown in <a href="nw4migration.html#ch8smbconf" title="Example 10.4. Samba Configuration File smb.conf Part A">???</a>.
+ </p><div class="example"><a name="ch8smbconf"></a><p class="title"><b>Example 10.4. Samba Configuration File smb.conf Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id369411"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id369423"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id369436"></a><em class="parameter"><code>server string = Corp File Server</code></em></td></tr><tr><td><a class="indexterm" name="id369448"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id369461"></a><em class="parameter"><code>pam password change = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id369474"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id369486"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id369499"></a><em class="parameter"><code>log file = /data/samba/log/%m.log</code></em></td></tr><tr><td><a class="indexterm" name="id369512"></a><em class="parameter"><code>name resolve order = wins host bcast</code></em></td></tr><tr><td><a class="indexterm" name="id369524"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id369537"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id369549"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id369562"></a><em class="parameter"><code>cups options = Raw</code></em></td></tr><tr><td><a class="indexterm" 
name="id369575"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id369588"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id369600"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id369614"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id369627"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id369640"></a><em class="parameter"><code>add machine script = /usr/local/sbin/smbldap-useradd -w "%m"</code></em></td></tr><tr><td><a class="indexterm" name="id369653"></a><em class="parameter"><code>logon script = logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id369666"></a><em class="parameter"><code>logon path = \\%L\profiles\%U\%a</code></em></td></tr><tr><td><a class="indexterm" name="id369678"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id369691"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id369703"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id369716"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id369728"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id369741"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" 
name="id369754"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id369767"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id369779"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id369792"></a><em class="parameter"><code>ldap suffix = ou=MEGANET2,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id369805"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id369817"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id369830"></a><em class="parameter"><code>admin users = root, "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id369842"></a><em class="parameter"><code>printer admin = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id369855"></a><em class="parameter"><code>force printername = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf2"></a><p class="title"><b>Example 10.5. 
Samba Configuration File smb.conf Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id369895"></a><em class="parameter"><code>comment = Network logon service</code></em></td></tr><tr><td><a class="indexterm" name="id369908"></a><em class="parameter"><code>path = /data/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id369920"></a><em class="parameter"><code>write list = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id369933"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id369954"></a><em class="parameter"><code>comment = Roaming Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id369967"></a><em class="parameter"><code>path = /data/samba/profiles/</code></em></td></tr><tr><td><a class="indexterm" name="id369980"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id369992"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id370005"></a><em class="parameter"><code>veto files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id370018"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id370039"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id370052"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id370064"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" 
name="id370077"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id370089"></a><em class="parameter"><code>veto files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id370102"></a><em class="parameter"><code>hide files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id370115"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[software]</code></em></td></tr><tr><td><a class="indexterm" name="id370136"></a><em class="parameter"><code>comment = Software for %a computers</code></em></td></tr><tr><td><a class="indexterm" name="id370149"></a><em class="parameter"><code>path = /data/samba/shares/software/%a</code></em></td></tr><tr><td><a class="indexterm" name="id370161"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id370183"></a><em class="parameter"><code>comment = Public Files</code></em></td></tr><tr><td><a class="indexterm" name="id370195"></a><em class="parameter"><code>path = /data/samba/shares/public</code></em></td></tr><tr><td><a class="indexterm" name="id370208"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id370221"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[PDF]</code></em></td></tr><tr><td><a class="indexterm" name="id370242"></a><em class="parameter"><code>comment = Location of documents printed to PDFCreator printer</code></em></td></tr><tr><td><a class="indexterm" name="id370255"></a><em class="parameter"><code>path = /data/samba/shares/pdf</code></em></td></tr><tr><td><a class="indexterm" name="id370268"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br 
class="example-break"><div class="example"><a name="ch8smbconf3"></a><p class="title"><b>Example 10.6. Samba Configuration File smb.conf Part C</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[EVERYTHING]</code></em></td></tr><tr><td><a class="indexterm" name="id370308"></a><em class="parameter"><code>comment = All shares</code></em></td></tr><tr><td><a class="indexterm" name="id370320"></a><em class="parameter"><code>path = /data/samba</code></em></td></tr><tr><td><a class="indexterm" name="id370333"></a><em class="parameter"><code>valid users = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id370345"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[CDROM]</code></em></td></tr><tr><td><a class="indexterm" name="id370367"></a><em class="parameter"><code>comment = CD-ROM on MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id370379"></a><em class="parameter"><code>path = /mnt</code></em></td></tr><tr><td><a class="indexterm" name="id370392"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id370413"></a><em class="parameter"><code>comment = Printer Drivers Share</code></em></td></tr><tr><td><a class="indexterm" name="id370426"></a><em class="parameter"><code>path = /data/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id370439"></a><em class="parameter"><code>write list = root</code></em></td></tr><tr><td><a class="indexterm" name="id370451"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id370473"></a><em class="parameter"><code>comment = All 
Printers</code></em></td></tr><tr><td><a class="indexterm" name="id370485"></a><em class="parameter"><code>path = /data/samba/spool</code></em></td></tr><tr><td><a class="indexterm" name="id370498"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id370510"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id370523"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[acct_hp8500]</code></em></td></tr><tr><td><a class="indexterm" name="id370544"></a><em class="parameter"><code>comment = "Accounting Color Laser Printer"</code></em></td></tr><tr><td><a class="indexterm" name="id370557"></a><em class="parameter"><code>path = /data/samba/spool/private</code></em></td></tr><tr><td><a class="indexterm" name="id370570"></a><em class="parameter"><code>valid users = @acct, @acct_admin, @hr, "@Domain Admins",@Receptionist, dwayne, terri, danae, jerry</code></em></td></tr><tr><td><a class="indexterm" name="id370583"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id370596"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id370608"></a><em class="parameter"><code>copy = printers</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[plotter]</code></em></td></tr><tr><td><a class="indexterm" name="id370630"></a><em class="parameter"><code>comment = Engineering Plotter</code></em></td></tr><tr><td><a class="indexterm" name="id370642"></a><em class="parameter"><code>path = /data/samba/spool</code></em></td></tr><tr><td><a class="indexterm" name="id370655"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id370668"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" 
name="id370680"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id370693"></a><em class="parameter"><code>copy = printers</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf4"></a><p class="title"><b>Example 10.7. Samba Configuration File smb.conf Part D</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[APPS]</code></em></td></tr><tr><td><a class="indexterm" name="id370732"></a><em class="parameter"><code>path = /data/samba/shares/Apps</code></em></td></tr><tr><td><a class="indexterm" name="id370745"></a><em class="parameter"><code>force group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id370758"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ACCT]</code></em></td></tr><tr><td><a class="indexterm" name="id370779"></a><em class="parameter"><code>path = /data/samba/shares/Accounting</code></em></td></tr><tr><td><a class="indexterm" name="id370792"></a><em class="parameter"><code>valid users = @acct, "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id370805"></a><em class="parameter"><code>force group = acct</code></em></td></tr><tr><td><a class="indexterm" name="id370817"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id370830"></a><em class="parameter"><code>create mask = 0660</code></em></td></tr><tr><td><a class="indexterm" name="id370842"></a><em class="parameter"><code>directory mask = 0770</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ACCT_ADMIN]</code></em></td></tr><tr><td><a class="indexterm" name="id370864"></a><em class="parameter"><code>path = /data/samba/shares/Acct_Admin</code></em></td></tr><tr><td><a class="indexterm" 
name="id370876"></a><em class="parameter"><code>valid users = @â€acct_adminâ€</code></em></td></tr><tr><td><a class="indexterm" name="id370889"></a><em class="parameter"><code>force group = acct_admin</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[HR_PR]</code></em></td></tr><tr><td><a class="indexterm" name="id370911"></a><em class="parameter"><code>path = /data/samba/shares/HR_PR</code></em></td></tr><tr><td><a class="indexterm" name="id370924"></a><em class="parameter"><code>valid users = @hr, @acct_admin</code></em></td></tr><tr><td><a class="indexterm" name="id370936"></a><em class="parameter"><code>force group = hr</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ENGR]</code></em></td></tr><tr><td><a class="indexterm" name="id370958"></a><em class="parameter"><code>path = /data/samba/shares/Engr</code></em></td></tr><tr><td><a class="indexterm" name="id370970"></a><em class="parameter"><code>valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</code></em></td></tr><tr><td><a class="indexterm" name="id370983"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id370996"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id371008"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[DATA]</code></em></td></tr><tr><td><a class="indexterm" name="id371030"></a><em class="parameter"><code>path = /data/samba/shares/DATA</code></em></td></tr><tr><td><a class="indexterm" name="id371043"></a><em class="parameter"><code>valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</code></em></td></tr><tr><td><a class="indexterm" name="id371056"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id371068"></a><em class="parameter"><code>read only = 
No</code></em></td></tr><tr><td><a class="indexterm" name="id371081"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id371093"></a><em class="parameter"><code>copy = engr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf5"></a><p class="title"><b>Example 10.8. Samba Configuration File smb.conf Part E</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[X]</code></em></td></tr><tr><td><a class="indexterm" name="id371133"></a><em class="parameter"><code>path = /data/samba/shares/X</code></em></td></tr><tr><td><a class="indexterm" name="id371145"></a><em class="parameter"><code>valid users = @engr, @acct</code></em></td></tr><tr><td><a class="indexterm" name="id371158"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id371171"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id371183"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id371196"></a><em class="parameter"><code>copy = engr</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[NETWORK]</code></em></td></tr><tr><td><a class="indexterm" name="id371217"></a><em class="parameter"><code>path = /data/samba/shares/network</code></em></td></tr><tr><td><a class="indexterm" name="id371230"></a><em class="parameter"><code>valid users = "@Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id371242"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id371255"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id371268"></a><em class="parameter"><code>guest ok = 
Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[UTILS]</code></em></td></tr><tr><td><a class="indexterm" name="id371289"></a><em class="parameter"><code>path = /data/samba/shares/Utils</code></em></td></tr><tr><td><a class="indexterm" name="id371302"></a><em class="parameter"><code>write list = "@Domain Admins"</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[SYS]</code></em></td></tr><tr><td><a class="indexterm" name="id371323"></a><em class="parameter"><code>path = /data/samba/shares/SYS</code></em></td></tr><tr><td><a class="indexterm" name="id371336"></a><em class="parameter"><code>valid users = chad</code></em></td></tr><tr><td><a class="indexterm" name="id371348"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id371361"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><p>
+ <a class="indexterm" name="id371377"></a>
+ <a class="indexterm" name="id371384"></a>
+ <a class="indexterm" name="id371390"></a>
+ Most of these shares are only used by one company group, but they are required
+ because of some ancient Qbasic and Rbase applications were that written expecting
+ their own drive letters.
+ </p><p>
+ <a class="indexterm" name="id371402"></a>
+ <a class="indexterm" name="id371409"></a>
+ <a class="indexterm" name="id371416"></a>
+ Note: During the process of building the new server, I kept data files
+ up to date with the Novell server via use of <code class="literal">rsync</code>.
+ On a separate system (my workstation in fact), which could be rebooted
+ whenever necessary, I set up a mount point to the Novell server via
+ <code class="literal">ncpmount</code>. I then created a
+ <code class="filename">rsyncd.conf</code> to share that mount point out to my
+ new server, and synchronized once an hour. The script I used to synchronize
+ is shown in <a href="nw4migration.html#sbersync" title="Example 10.9. Rsync Script">???</a>. The files exclusion list I used
+ is shown in <a href="nw4migration.html#sbexcld" title="Example 10.10. Rsync Files Exclusion List /root/excludes.txt">???</a>. The reason I had to have the
+ <code class="literal">rsync</code> daemon running on a system that could be
+ rebooted frequently is because <code class="constant">ncpfs</code>
+ (part of the MARS NetWare Emulation package) has a nasty habit of creating stale
+ mount points that cannot be recovered without a reboot. The reason for hourly
+ synchronization is because some part of the chain was very slow and
+ performance-heavy (whether <code class="literal">rsync</code> itself, the network,
+ or the Novell server, I am not sure, but it was probably the Novell server).
+ </p><div class="example"><a name="sbersync"></a><p class="title"><b>Example 10.9. Rsync Script</b></p><div class="example-contents"><pre class="screen">
+#!/bin/bash
+# Part 1 - rsync the Novell directories to the new server
+echo "#############################################"
+echo "New sync operation starting at `date`"
+if ! pgrep -fl '^rsync\&gt; ; then
+ echo "Good, no rsync is running!"
+ echo "Synchronizing oink to BHPRO"
+ rsync -av --exclude-from=/root/excludes.txt
+baa.corp:/BHPRO/SYS1/ /data/samba/shares/SYS1
+ retval=$?
+ [ ${retval} = 0 ] &amp;&amp; echo "Sync operation completed at `date`"
+ echo "Fixing permissions"
+ # I had a whole lot more permission-fixing stuff here. It got
+ # pared down as groups got moved over. The problem
+ # was that the way I was mounting the directory, everything
+ # was owned by the Novell administrator which translated to
+ # Root. This is also why I could only do one-way sync because
+ # I could not fix the ACLs on the Novell side.
+ find /data/samba/shares/Engr/ -perm +770 -exec chmod 770 {} \;
+ find /data/samba/shares/Engr/ ! -group engr -exec chgrp engr {} \;
+else
+ # This rsync took ages and ages -- I had it set to run every hour but
+ # I needed a way to prevent it running into itself.
+ echo "Oh no, rsync is already running!"
+echo "#############################################"
+fi
+</pre></div></div><br class="example-break"><div class="example"><a name="sbexcld"></a><p class="title"><b>Example 10.10. Rsync Files Exclusion List <code class="filename">/root/excludes.txt</code></b></p><div class="example-contents"><pre class="screen">
+/Acct/
+/Apps/
+/DATA/
+/Engr/*.pc3
+/Engr/plotter
+/Engr/APPOLO/
+/Engr/LIBRARY/
+/Home/Accounting/
+/Home/Angie/
+/Home/AngieY/
+/Home/Brandon/
+/Home/Carl/
+</pre></div></div><br class="example-break"><p>
+ After Samba was configured, I initialized the LDAP database. The first
+ thing I had to do was store the LDAP password in the Samba configuration by
+ issuing the command (as root):
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -w verysecret
+</pre><p>
+ where &#8220;<span class="quote">verysecret</span>&#8221; is replaced by the LDAP bind password.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The Idealx smbldap-tools package can be configured using a script called
+<code class="literal">configure.pl</code> that is provided as part of the tool. See <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>
+for an example of its use. Many administrators, like Misty, choose to do this manually
+so as to maintain greater awareness of how the tool-chain works and possibly to avoid
+undesirable actions from occurring unnoticed.
+</p></div><p>
+ Now Samba was ready for use and it was time to configure the smbldap-tools. There are two
+ relevant files, which are usually put into the directory
+ <code class="filename">/etc/smbldap-tools</code>. The main file,
+ <code class="filename">smbldap.conf</code> is shown in <a href="nw4migration.html#ch8ideal" title="Example 10.11. Idealx smbldap-tools Control File Part A">???</a>.
+ </p><div class="example"><a name="ch8ideal"></a><p class="title"><b>Example 10.11. Idealx smbldap-tools Control File Part A</b></p><div class="example-contents"><pre class="screen">
+#########
+#
+# located in /etc/smbldap-tools/smbldap.conf
+#
+######################################################################
+#
+# General Configuration
+#
+######################################################################
+
+# Put your own SID
+# to obtain this number do: net getlocalsid
+SID="S-1-5-21-725326080-1709766072-2910717368"
+
+######################################################################
+#
+# LDAP Configuration
+#
+######################################################################
+
+# Notes: to use to dual ldap servers backend for Samba, you must patch
+# Samba with the dual-head patch from IDEALX. If not using this patch
+# just use the same server for slaveLDAP and masterLDAP.
+# Those two servers declarations can also be used when you have
+# . one master LDAP server where all writing operations must be done
+# . one slave LDAP server where all reading operations must be done
+# (typically a replication directory)
+
+# Ex: slaveLDAP=127.0.0.1
+slaveLDAP="127.0.0.1"
+slavePort="389"
+
+# Master LDAP : needed for write operations
+# Ex: masterLDAP=127.0.0.1
+masterLDAP="127.0.0.1"
+masterPort="389"
+
+# Use TLS for LDAP
+# If set to 1, this option will use start_tls for connection
+# (you should also used the port 389)
+ldapTLS="0"
+
+# How to verify the server's certificate (none, optional or require)
+# see "man Net::LDAP" in start_tls section for more details
+verify=""
+</pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal2"></a><p class="title"><b>Example 10.12. Idealx smbldap-tools Control File Part B</b></p><div class="example-contents"><pre class="screen">
+# CA certificate
+# see "man Net::LDAP" in start_tls section for more details
+cafile=""
+ certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientcert=""
+
+# key certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientkey=""
+
+# LDAP Suffix
+# Ex: suffix=dc=IDEALX,dc=ORG
+suffix="ou=MEGANET2,dc=abmas,dc=biz"
+
+# Where are stored Users
+# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
+usersdn="ou=People,${suffix}"
+
+# Where are stored Computers
+# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
+computersdn="ou=People,${suffix}"
+
+# Where are stored Groups
+# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
+groupsdn="ou=Groups,${suffix}"
+
+# Where are stored Idmap entries
+# (used if samba is a domain member server)
+# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
+idmapdn="ou=Idmap,${suffix}"
+
+# Where to store next uidNumber and gidNumber available
+sambaUnixIdPooldn="sambaDomainName=MEGANET2,${suffix}"
+
+# Default scope Used
+scope="sub"
+</pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal3"></a><p class="title"><b>Example 10.13. Idealx smbldap-tools Control File Part C</b></p><div class="example-contents"><pre class="screen">
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
+hash_encrypt="MD5"
+
+# if hash_encrypt is set to CRYPT, you may set a salt format.
+# default is "%s", but many systems will generate MD5 hashed
+# passwords if you use "$1$%.8s". This parameter is optional!
+crypt_salt_format="%s"
+
+######################################################################
+#
+# Unix Accounts Configuration
+#
+######################################################################
+
+# Login defs
+# Default Login Shell
+# Ex: userLoginShell="/bin/bash"
+userLoginShell="/bin/false"
+
+# Home directory
+# Ex: userHome="/home/%U"
+userHome="/home/%U"
+
+# Gecos
+userGecos="Samba User"
+
+# Default User (POSIX and Samba) GID
+defaultUserGid="513"
+
+# Default Computer (Samba) GID
+defaultComputerGid="515"
+
+# Skel dir
+skeletonDir="/etc/skel"
+
+# Default password validation time (time in days) Comment the next
+# line if you don't want password to be enable for
+# defaultMaxPasswordAge days (be careful to the sambaPwdMustChange
+# attribute's value)
+defaultMaxPasswordAge="45"
+</pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal4"></a><p class="title"><b>Example 10.14. Idealx smbldap-tools Control File Part D</b></p><div class="example-contents"><pre class="screen">
+######################################################################
+#
+# SAMBA Configuration
+#
+######################################################################
+
+# The UNC path to home drives location (%U username substitution)
+# Ex: \\My-PDC-netbios-name\homes\%U
+# Just set it to a null string if you want to use the smb.conf
+# 'logon home' directive and/or disable roaming profiles
+userSmbHome=""
+
+# The UNC path to profiles locations (%U username substitution)
+# Ex: \\My-PDC-netbios-name\profiles\%U
+# Just set it to a null string if you want to use the smb.conf
+# 'logon path' directive and/or disable roaming profiles
+userProfile=""
+
+# The default Home Drive Letter mapping
+# (will be automatically mapped at logon time if home directory exist)
+# Ex: H: for H:
+userHomeDrive=""
+
+# The default user netlogon script name (%U username substitution)
+# if not used, will be automatically username.cmd
+# make sure script file is edited under DOS
+# Ex: %U.cmd
+# userScript="startup.cmd" # make sure script file is edited under DOS
+userScript=""
+
+# Domain appended to the users "mail"-attribute
+# when smbldap-useradd -M is used
+mailDomain="abmas.org"
+
+######################################################################
+#
+# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
+#
+######################################################################
+# Allows not to use smbpasswd
+# (if with_smbpasswd == 0 in smbldap_conf.pm) but
+# prefer Crypt::SmbHash library
+with_smbpasswd="0"
+smbpasswd="/usr/bin/smbpasswd"
+</pre></div></div><br class="example-break"><p>
+ <a class="indexterm" name="id371746"></a>
+ Note: I chose not to take advantage of the TLS capability of this.
+ Eventually I may go back and tweak it. Also, I chose not to take advantage
+ of the master/slave configuration as I heard horror stories that it was
+ unstable. My slave servers are replicas only.
+ </p><p>
+ The <code class="filename">/etc/smbldap-tools/smbldap_bind.conf</code> file is shown here:
+</p><pre class="screen">
+# smbldap_bind.conf
+#
+# This file simply tells smbldap-tools how to bind to your LDAP server.
+# It has to be a DN with full write access to the Samba portion of
+# the database.
+
+############################
+# Credential Configuration #
+############################
+# Notes: you can specify two different configurations if you use a
+# master ldap for writing access and a slave ldap server for reading access
+# By default, we will use the same DN (so it will work for standard Samba
+# release)
+slaveDN="cn=Manager,dc=abmas,dc=biz"
+slavePw="verysecret"
+masterDN="cn=Manager,dc=abmas,dc=biz"
+masterPw="verysecret"
+</pre><p>
+ </p><p>
+ The next step was to run the <code class="literal">smbldap-populate</code> command, which populates
+ the LDAP tree with the appropriate default users, groups, and UID and GID pools.
+ It creates a user called Administrator with UID=0 and GID=0 matching the
+ Domain Admins group. This is fine because you can still log on as root to a Windows system,
+ but it will break cached credentials if you need to log on as the administrator
+ to a system that is not on the network.
+ </p><p>
+ After the LDAP database has been preloaded, it is prudent to validate that the
+ information needed is in the LDAP directory. This can be done done by restarting
+ the LDAP server, then performing an LDAP search by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> ldapsearch -W -x -b "dc=abmas,dc=biz"\
+ -D "cn=Manager,dc=abmas,dc=biz" \
+ "(Objectclass=*)"
+Enter LDAP Password:
+# extended LDIF
+#
+# LDAPv3
+# base &lt;dc=abmas,dc=biz&gt; with scope sub
+# filter: (ObjectClass=*)
+# requesting: ALL
+#
+
+# abmas.biz
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+o: abmas
+dc: abmas
+
+# People, abmas.biz
+dn: ou=People,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: People
+
+# Groups, abmas.biz
+dn: ou=Groups,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: Groups
+
+# Idmap, abmas.biz
+dn: ou=Idmap,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: Idmap
+...
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id371820"></a>
+ <a class="indexterm" name="id371827"></a>
+ <a class="indexterm" name="id371834"></a>
+ <a class="indexterm" name="id371841"></a>
+ <a class="indexterm" name="id371847"></a>
+ With the LDAP directory now initialized, it was time to create the Windows and POSIX
+ (UNIX) group accounts as well as the mappings from Windows groups to UNIX groups.
+ The easiest way to do this was to use <code class="literal">smbldap-groupadd</code> command.
+ It creates the group with the posixGroup and sambaGroupMapping attributes, a
+ unique GID, and an automatically determined RID. I learned the hard way not to
+ try to do this by hand.
+ </p><p>
+ <a class="indexterm" name="id371866"></a>
+ <a class="indexterm" name="id371873"></a>
+ <a class="indexterm" name="id371880"></a>
+ After I had my group mappings in place, I added users to the groups (the users
+ don't really have to exist yet). I used the <code class="literal">smbldap-groupmod</code>
+ command to accomplish this. It can also be done manually by adding memberUID
+ attributes to the group entries in LDAP.
+ </p><p>
+ <a class="indexterm" name="id371898"></a>
+ <a class="indexterm" name="id371905"></a>
+ <a class="indexterm" name="id371912"></a>
+ The most monumental task of all was adding the sambaSamAccount information to each
+ already existent posixAccount entry. I did it one at a time as I moved people onto
+ the new server, by issuing the command:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbldap-usermod -a -P username
+</pre><p>
+ <a class="indexterm" name="id371932"></a>
+ <a class="indexterm" name="id371939"></a>
+ <a class="indexterm" name="id371946"></a>
+ I completed that step for every user after asking the person what his or her current
+ NetWare password was. The wiser way to have done it would probably have been to dump the
+ entire database to an LDIF file. This can be done by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapcat &gt; somefile.ldif
+</pre><p>
+ <a class="indexterm" name="id371967"></a>
+ <a class="indexterm" name="id371973"></a>
+ Then update the LDIF file created by using a Perl script to parse and add the
+ appropriate attributes and objectClasses to each entry, followed by re-importing
+ the entire database into the LDAP directory.
+ </p><p>
+ Rebuilding of the LDAP directory can be done as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap stop
+<code class="prompt">root# </code> cd /data/ldap
+<code class="prompt">root# </code> rm *bdb _* log*
+<code class="prompt">root# </code> su - ldap -c "slapadd -l somefile.ldif"
+<code class="prompt">root# </code> rcldap start
+</pre><p>
+ This can be done at any time and for any reason, with no harm to the database.
+ </p><p>
+ I first added a test user, of course. The LDIF for this test user looks like
+ this, to give you an idea:
+</p><pre class="screen">
+# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
+dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
+cn: Test User
+gecos: Test User
+gidNumber: 513
+givenName: Test
+homeDirectory: /home/test.user
+homePhone: 555
+l: Somewhere
+l: ST
+mail: test.user
+o: Corp
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: sambaSamAccount
+postalCode: 12345
+sn: User
+street: 10 Some St.
+uid: test.user
+uidNumber: 1074
+sambaLogonTime: 0
+sambaLogoffTime: 2147483647
+sambaKickoffTime: 2147483647
+sambaPwdCanChange: 0
+displayName: Samba User
+sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148
+sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE
+sambaAcctFlags: [U]
+sambaNTPassword: D062088E99C95E37D7702287BB35E770
+sambaPwdLastSet: 1102537694
+sambaPwdMustChange: 1106425694
+userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8
+loginShell: /bin/false
+</pre><p>
+ </p><p>
+ Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain.
+ It worked, and the machine's account entry under ou=Computers looks like this:
+</p><pre class="screen">
+dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: sambaSamAccount
+cn: w2kengrspare$
+sn: w2kengrspare$
+uid: w2kengrspare$
+uidNumber: 1104
+gidNumber: 515
+homeDirectory: /dev/null
+loginShell: /bin/false
+description: Computer
+gecos: Computer
+sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208
+sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031
+displayName: W2KENGRSPARE$
+sambaPwdCanChange: 1103149236
+sambaPwdMustChange: 2147483647
+sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834
+sambaPwdLastSet: 1103149236
+sambaAcctFlags: [W ]
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id372066"></a>
+ So now I could log on with a test user from the machine w2kengrspare. It was all well and
+ good, but that user was in no groups yet and so had pretty boring access. I fixed that
+ by writing the login script! To write the login script, I used
+ <a href="http://www.kixtart.org" target="_top">Kixtart</a> because it will work
+ with every architecture of Windows, has an active and helpful user base, and was both
+ easier to learn and more powerful than the standard netlogon scripts I have seen.
+ I also did not have to do a logon script per user or per group.
+ </p><p>
+ <a class="indexterm" name="id372086"></a>
+ I downloaded Kixtart and put the following files in my netlogon share:
+</p><pre class="screen">
+KIX32.EXE
+KX32.dll
+KX95.dll &lt;-- Not needed unless you are running Win9x clients.
+kx16.dll &lt;-- Probably not needed unless you are running DOS clients.
+kxrpc.exe &lt;-- Probably useless as it has to run on the server and can
+ only be run on NT. It's for Windows 95 to become group-aware.
+ We can get around the need.
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id372109"></a>
+ I then wrote the <code class="filename">logon.kix</code> file that is shown in
+ <a href="nw4migration.html#ch8kix" title="Example 10.15. Kixtart Control File File: logon.kix">???</a>. I chose to keep it all in one file, but it
+ can be split up and linked via include directives.
+ </p><div class="example"><a name="ch8kix"></a><p class="title"><b>Example 10.15. Kixtart Control File File: logon.kix</b></p><div class="example-contents"><pre class="screen">
+; This script just calls the other scripts.
+
+; First we want to get things done for everyone.
+
+; Second, we do first-time login stuff.
+
+; Third, we go through the group-oriented scripts one at a time.
+
+
+; We want to check for group membership here to avoid the overhead of running
+; scripts which don't apply.
+call "\\massive\netlogon\scripts\main.kix"
+call "\\massive\netlogon\scripts\setup.kix"
+IF INGROUP("MEGANET2\ACCT")
+ call "scripts\acct.kix"
+ENDIF
+IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST")
+call "\\massive\netlogon\scripts\engr.kix"
+ENDIF
+IF INGROUP("MEGANET2\FURN")
+ call "\\massive\netlogon\scripts\furn.kix"
+ENDIF
+IF INGROUP("MEGANET2\TRUSS")
+ call "\\massive\netlogon\scripts\truss.kix"
+ENDIF
+</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix2"></a><p class="title"><b>Example 10.16. Kixtart Control File File: main.kix</b></p><div class="example-contents"><pre class="screen">
+break on
+
+; Choose whether to hide the login window or not
+IF INGROUP("MEGANET2\Domain Admins")
+ USE Z: \\massive\everything
+ SETCONSOLE("show")
+ELSE
+ ; Nobody cares about seeing the login script except admins
+ SETCONSOLE("hide")
+ENDIF
+
+; Delete all previously connected shares
+USE * /delete
+
+SETTITLE("Logging on @USERID to @LDOMAIN at @TIME")
+
+; Set the time on the workstation
+$Timeserver = "\\massive"
+Settime $TimeServer
+
+; Map the home directory
+USE H: @HOMESHR ; connect to user's home share
+IF @ERROR = 0
+
+ H:
+ CD @HOMEDIR ; change directory to user's home directory
+ENDIF
+
+; Everyone gets the N drive
+USE N: \\massive\network
+</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix3"></a><p class="title"><b>Example 10.17. Kixtart Control File File: setup.kix, Part A</b></p><div class="example-contents"><pre class="screen">
+; My setup.kix is where all of the redirection stuff happens. Note that with
+; the use of registry keys, this only happens the first time they log in ,or if
+; I delete the pertinent registry keys which triggers it to happen again:
+
+; Check to see if we have written the abmas sub-key before
+$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas")
+IF NOT $RETURNCODE = 0
+; Add key for abmas-specific things on the first login
+ ADDKEY("HKEY_CURRENT_USER\abmas")
+ ; The following key gets deleted at the end of the first login
+ ADDKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
+ENDIF
+
+; People with laptops need My Documents to be in their profile. People with
+; desktops can have My Documents redirected to their home directory to avoid
+; long delays with logging out and out-of-sync files.
+
+; Check to see if this is the first login -- doesn't make sense to do this
+; at the very first login
+
+$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
+IF NOT $RETURNCODE = 0
+
+; We don't want to do this stuff for people with laptops or people in the FURN
+; group. (They store their profiles in a different server)
+
+ IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN")
+ $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\abmas\profile_copied")
+
+; A crude way to tell what OS our profile is for and copy the "My Documents"
+; to the redirected folder on the server. It works because the profiles
+; are stored as \\server\profiles\user\architecture
+ IF NOT $RETURNCODE = 0
+ IF EXIST("\\massive\profiles\@userID\WinXP")
+ copy "\\massive\profiles\@userID\WinXP\My Documents\*"
+"\\massive\@userID\"
+ ENDIF
+ IF EXIST("\\massive\profiles\@userID\Win2K")
+ copy "\\massive\profiles\@userID\Win2K\My Documents\*"
+"\\massive\@userID\"
+ ENDIF
+ IF EXIST("\\massive\profiles\@userID\WinNT")
+ copy "\\massive\profiles\@userID\WinNT\My Documents\*"
+"\\massive\@userID\"
+ ENDIF
+</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix3b"></a><p class="title"><b>Example 10.18. Kixtart Control File File: setup.kix, Part B</b></p><div class="example-contents"><pre class="screen">
+; Now we will write the registry values to redirect the locations of "My
+Documents"
+; and other folders.
+ ADDKEY("HKEY_CURRENT_USER\abmas\profile_copied")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User
+Shell Folders", "Personal","\\massive\@userID","REG_SZ")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User
+Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ")
+ IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP
+Professional"
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User
+Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User
+Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User
+Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ")
+ ENDIF
+ ENDIF
+ ENDIF
+
+; Now we will delete the FIRST_LOGIN sub-key that we made before.
+; Note - to run this script again you will want to delete the HKCU\abmas
+; sub-key, log out, and log back in.
+$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
+IF $RETURNVALUE = 0
+ DELKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
+ENDIF
+</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix4"></a><p class="title"><b>Example 10.19. Kixtart Control File File: acct.kix</b></p><div class="example-contents"><pre class="screen">
+; And here is one group-oriented script to show what can be
+; done that way: acct.kix:
+
+IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR")
+ USE I: \\MEGANET2\HR_PR
+ENDIF
+
+; Set up printer
+$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500")
+IF NOT $RETURNVALUE = 0
+ ADDPRINTERCONNECTION("\\massive\acct_hp8500")
+ SETDEFAULTPRINTER("\\massive\acct_hp8500")
+ENDIF
+; Set up drive mappings
+ USE M: \\massive\ACCT
+ IF INGROUP("MEGANET2\ABRA")
+ USE T: \\trussrv\abra
+ ENDIF
+</pre></div></div><br class="example-break"><p>
+ As you can see in the script, I redirected the My Documents to the user's home
+ share if he or she were not in the Laptop group. I also added printers on a
+ group-by-group basis, and if applicable I set the group printer. For this to
+ be effective, the print drivers must be installed on the Samba server in the
+ <code class="filename">[print$]</code> share. Ample documentation exists about how to
+ do that, so it is not covered here.
+ </p><p>
+ I call this script via the logon.bat script in the [netlogon] directory:
+</p><pre class="screen">
+\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f
+</pre><p>
+ I only had to fully qualify the paths for Windows 9x, as Windows NT and
+ greater automatically add [NETLOGON] to the path.
+ </p><p>
+ Also of note for Win9x is that the drive mappings and printer setup will not
+ work because they rely on RPC. You merely have to put the appropriate settings
+ into the <code class="filename">c:\autoexec.bat</code> file or map the drives manually.
+ One option is to check the OS as part of the Kixtart script, and if it
+ is Win9x and is the first login, copy a premade
+ <code class="filename">autoexec.bat</code> to the <code class="filename">C:</code> drive. I
+ have only three such machines, and one is going away in the very near future,
+ so it was easier to do it by hand.
+ </p><p>
+ <a class="indexterm" name="id372323"></a>
+ At this point I was able to add the users. This is the part that really falls
+ into upgrade. I moved the users over one group at a time, starting with the
+ people who used the least amount of resources on the network. With each group
+ that I moved, I first logged on as a standard user in that group and took
+ careful note of the environment, mainly the printers he or she used, the PATH,
+ and what network resources he or she had access to (most importantly, which ones
+ the user actually needed access to).
+ </p><p>
+ I then added the user's SambaSamAccount information as mentioned earlier,
+ and join the computer to the domain. The very first thing I had to do was to
+ copy the user's profile to the new server. This was very important, and I really
+ struggled with the most effective way to do it. Here is the method that worked
+ for every one of my users on Windows NT, 2000, and XP:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Log in as the user on the domain. This creates the local copy
+ of the user's profile and copies it to the server as he or she logs out.
+ </p></li><li><p>
+ Reboot the computer and log in as the local machine administrator.
+ </p></li><li><p>
+ Right-click My Computer, click Properties, and navigate to the
+ user profiles tab (varies per version of Windows).
+ </p></li><li><p>
+ Select the user's local profile <code class="constant">(COMPUTERNAME\username)</code>,
+ and click the <code class="literal">Copy To</code> button.
+ </p></li><li><p>
+ In the next dialog, copy it directly to the profiles share on the
+ Samba server (in my case \\PDCname\profiles\user\&lt;architecture&gt;.
+ You will have had to make a connection to the share as that
+ user (e.g., Windows Explorer type \\PDCname\profiles\username).
+ </p></li><li><p>
+ When the copy is complete (it can take a while) log out, and log back in
+ as the user. All of his or her settings and all contents of My Documents,
+ Favorites, and the registry should have been copied successfully.
+ </p></li><li><p>
+ If it doesn't look right (the dead giveaway is the desktop background),
+ shut down the computer without logging out (power cycle) and try logging
+ in as the user again. If it still doesn't work, repeat the steps above.
+ I only had to ever repeat it once.
+ </p></li></ol></div><p>
+ Words to the Wise:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ If the user was anything other than a standard user on his or her system
+ before, you will save yourself some headaches by giving him or her identical
+ permissions (on the local machine) as his or her domain account <span class="emphasis"><em>before</em></span>
+ copying the profile over. Do this through the User Administrator
+ in the Control Panel, after joining the computer to the domain and
+ before logging on as that user for the first time. Otherwise the user will
+ have trouble with permissions on his or her registry keys.
+ </p></li><li><p>
+ If any application was installed for the user only, rather than for
+ the entire system, it will probably not work without being reinstalled.
+ </p></li></ul></div><p>
+ After all these steps are accomplished, only cleanup details are left. Make sure user's
+ shortcuts and Network Places point to the appropriate place on the new server, check
+ the important applications to be sure they work as expected and troubleshoot any problems
+ that might arise, and check to be sure the user's printers are present and working. By the
+ way, if there are any network printers installed as system printers (the Novell way),
+ you will need to log in as a local administrator and delete them.
+ </p><p>
+ For my non-laptop systems, I would then log in and out a couple times as the user
+ to be sure that his or her registry settings were modified, and then I was finished.
+ </p><p>
+ Some compatibility issues that cropped up included the following:
+ </p><p>
+ Blackberry client: It did not like having its registry settings moved around
+ and so had to be reinstalled. Also, it needed write permissions to a portion of
+ the hard drive, and I had to give it those manually on the one system where
+ this was an issue.
+ </p><p>
+ CAMedia: Digital camera software for Canon cameras caused all kinds of trouble
+ with the registry. I had to use the Run as service to open the registry of
+ the local user while logged in as the domain user, and give the domain user
+ the appropriate permissions to some registry keys, then export that portion
+ of the registry to a file. Then, as the domain user, I had to import that file
+ into the registry.
+ </p><p>
+ Crystal Reports version 7: More registry problems that were solved by recopying
+ the user's profile.
+ </p><p>
+ Printing from legacy applications: I found out that Novell sends its jobs to
+ the printer in a raw format. CUPS sends them in PostScript by default. I had
+ to make a second printer definition for one printer and tell CUPS specifically
+ to send raw data to the printer, then assign this printer to the LPT port with
+ Kixtart's version of the net use command.
+ </p><p>
+ These were all eventually solved by elbow grease, queries to the Samba mailing
+ list and others, and diligence. The complete migration took about 5 weeks.
+ My userbase is relatively small but includes multiple versions of Windows,
+ multiple Linux member servers, a mechanized saw, a pen plotter, and legacy
+ applications written in Qbasic and R:Base, just to name a few. I actually
+ ended up making some of these applications work better (or work again, as
+ some of them had stopped functioning on the old server) because as part of
+ the process I had to find out how things were supposed to work.
+ </p><p>
+ The one thing I have not been able to get working is a very old database that
+ we had around for reference purposes; it uses Novell's Btrieve engine.
+ </p><p>
+ As the resources compare, I went from 95 percent disk usage to just around 10 percent.
+ I went from a very high load on the server to an average load of between one
+ and two runnable processes on the server. I have improved the security and
+ robustness of the system. I have also implemented
+ <a href="http://www.clamav.net" target="_top">ClamAV</a> antivirus software,
+ which scans the entire Samba server for viruses every 2 hours and
+ quarantines them. I have found it much less problematic than our ancient
+ version of Norton Antivirus Corporate Edition, and much more up-to-date.
+ </p><p>
+ In short, my users are much happier now that the new server is running, and that
+ is what is important to me.
+ </p></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ntmigration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="RefSection.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 9. Migrating NT4 Domain to Samba-3 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Reference Section</td></tr></table></div></body></html>
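Review bot: step 5 of the profile-copy procedure never closes its parenthesis ("copy it directly to the profiles share on the Samba server (in my case \\PDCname\profiles\user\&lt;architecture&gt;."), and the paragraph introducing that procedure mixes tenses ("I then added the user's SambaSamAccount information as mentioned earlier, and join the computer to the domain"); suggest closing the parenthesis after `&lt;architecture&gt;` and changing "join" to "joined". Two smaller consistency points in the same hunk: the netlogon share is written both as `[netlogon]` ("via the logon.bat script in the [netlogon] directory") and as `[NETLOGON]` ("automatically add [NETLOGON] to the path"), so pick one spelling, and "the Run as service" in the CAMedia paragraph should read "the Run As service" to match the Windows feature name.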
diff --git a/docs/htmldocs/Samba3-ByExample/pr01.html b/docs/htmldocs/Samba3-ByExample/pr01.html
new file mode 100644
index 0000000000..8041cfdd95
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/pr01.html
@@ -0,0 +1,31 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>About the Cover Artwork</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="index.html" title="Samba-3 by Example"><link rel="next" href="pr02.html" title="Acknowledgments"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">About the Cover Artwork</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr02.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en-US"><div class="titlepage"><div><div><h2 class="title"><a name="id275208"></a>About the Cover Artwork</h2></div></div></div><p>
+ The cover artwork of this book continues the freedom theme of the first
+ edition of &#8220;<span class="quote">Samba-3 by Example</span>&#8221;. The history of civilization
+ demonstrates the fragile nature of freedom. It can be lost in a moment,
+ and once lost, the cost of recovering liberty can be incredible. The last
+ edition cover featured Alfred the Great who liberated England from the
+ constant assault of Vikings and Norsemen. Events in England that
+ finally liberated the common people came about in small steps, but
+ the result should not be under-estimated. Today, as always, freedom and
+ liberty are seldom appreciated until they are lost. If we can not quantify
+ what is the value of freedom, we shall be little motivated to protect it.
+ </p><p>
+ <span class="emphasis"><em>Samba-3 by Example Cover Artwork:</em></span> The British houses
+ of parliament are a symbol of the Westminster system of government. This form
+ of government permits the people to govern themselves at the lowest level, yet
+ it provides for courts of appeal that are designed to protect freedom and to
+ hold back all forces of tyranny. The clock is a pertinent symbol of the
+ importance of time and place.
+ </p><p>
+ The information technology industry is being challenged by the imposition of
+ new laws, hostile litigation, and the imposition of significant constraint
+ of practice that threatens to remove the freedom to develop and deploy open
+ source software solutions. Samba is a software solution that epitomizes freedom
+ of choice in network interoperability for Microsoft Windows clients.
+ </p><p>
+ I hope you will take the time needed to deploy it well, and that you may realize
+ the greatest benefits that may be obtained. You are free to use it in ways never
+ considered, but in doing so there may be some obstacles. Every obstacle that is
+ overcome adds to the freedom you can enjoy. Use Samba well, and it will serve
+ you well.
+ </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr02.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Samba-3 by Example </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Acknowledgments</td></tr></table></div></body></html>
diff --git a/docs/htmldocs/Samba3-ByExample/pr02.html b/docs/htmldocs/Samba3-ByExample/pr02.html
new file mode 100644
index 0000000000..e2a43e492f
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/pr02.html
@@ -0,0 +1,35 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Acknowledgments</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="pr01.html" title="About the Cover Artwork"><link rel="next" href="pr03.html" title="Foreword"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Acknowledgments</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr03.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en-US"><div class="titlepage"><div><div><h2 class="title"><a name="id274575"></a>Acknowledgments</h2></div></div></div><p>
+ <span class="emphasis"><em>Samba-3 by Example</em></span> would not have been written except
+ as a result of feedback provided by reviewers and readers of the book <span class="emphasis"><em>The
+ Official Samba-3 HOWTO and Reference Guide.</em></span> This second edition
+ was made possible by generous feedback from Samba users. I hope this book
+ more than answers the challenge and needs of many more networks that are
+ languishing for a better networking solution.
+ </p><p>
+ I am deeply indebted to a large group of diligent people. Space prevents
+ me from listing all of them, but a few stand out as worthy of mention.
+ Jelmer Vernooij made the notable contribution of building the XML production
+ environment and thereby made possible the typesetting of this book.
+ </p><p>
+ Samba would not have come into existence if Andrew Tridgell had not taken
+ the first steps. He continues to lead the project. Under the shadow of his
+ mantle are some great folks who never give up and are always ready to help.
+ Thank you to: Jeremy Allison, Jerry Carter, Andrew Bartlett, Jelmer Vernooij,
+ Alexander Bokovoy, Volker Lendecke, and other team members who answered my
+ continuous stream of questions all of which resulted in improved content
+ in this book.
+ </p><p>
+ My heartfelt thanks go out also to a small set of reviewers (alphabetically
+ listed) who gave substantial feedback and significant suggestions for improvement:
+ Tony Earnshaw, William Enestvedt, Eric Hines, Roland Gruber, Gavin Henry,
+ Steven Henry, Luke Howard, Tarjei Huse, Jon Johnston, Alan Munter, Mike MacIsaac,
+ Scott Mann, Ed Riddle, Geoff Scott, Santos Soler, Misty Stanley-Jones, Mark Taylor,
+ and Jérôme Tournier.
+ </p><p>
+ My appreciation is extended to a team of more than 30 additional reviewers who
+ helped me to find my way around dark corners.
+ </p><p>
+ Particular mention is due to Lyndell, Amos, and Melissa who gave me the
+ latitude necessary to spend nearly an entire year writing Samba documentation,
+ and then gave more so this second edition could be created.
+ </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr03.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">About the Cover Artwork </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Foreword</td></tr></table></div></body></html>
diff --git a/docs/htmldocs/Samba3-ByExample/pr03.html b/docs/htmldocs/Samba3-ByExample/pr03.html
new file mode 100644
index 0000000000..83daba8e13
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/pr03.html
@@ -0,0 +1,55 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Foreword</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="pr02.html" title="Acknowledgments"><link rel="next" href="preface.html" title="Preface"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Foreword</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr02.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="preface.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en-US"><div class="titlepage"><div><div><h2 class="title"><a name="id275394"></a>Foreword</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="pr03.html#id275401">By John M. Weathersby, Executive Director, OSSI</a></span></dt></dl></div><div class="sect1" lang="en-US"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id275401"></a>By John M. Weathersby, Executive Director, OSSI</h2></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
+The Open Source Software Institute (OSSI) is comprised of representatives from a broad spectrum of business and
+non-business organizations that share a common interest in the promotion of development and implementation
+of open source software solutions globally, and in particular within the United States of America.
+</p><p>
+The OSSI has global affiliations with like-minded organizations. Our affiliate in the United Kingdom is the
+Open Source Consortium (OSC). Both the OSSI and the OSC share a common objective to expand the use of open source
+software in federal, state, and municipal government agencies; and in academic institutions. We represent
+businesses that provide professional support services that answer the needs of our target organizational
+information technology consumers in an effective and cost-efficient manner.
+</p><p>
+Open source software has matured greatly over the past five years with the result that an increasing number of
+people who hold key decisionmaking positions want to know how the business model works. They
+want to understand how problems get resolved, how questions get answered, and how the development model
+is sustained. Information and communications technology directors in defense organizations, and in other
+government agencies that deal with sensitive information, want to become familiar with development road-maps
+and, in particular, seek to evaluate the track record of the mainstream open source project teams.
+</p><p>
+Wherever the OSSI gains entrance to new opportunities we find that Microsoft Windows technologies are the
+benchmark against which open source software solutions are measured. Two open source software projects
+are key to our ability to present a structured and convincing proposition that there are alternatives
+to the incumbent proprietary means of meeting information technology needs. They are the Apache Web Server
+and Samba.
+</p><p>
+Just as the Apache Web Server is the standard in web serving technology, Samba is the definitive standard
+for providing interoperability with UNIX systems and other non-Microsoft operating system platforms. Both
+open source applications have a truly remarkable track record that extends for more than a decade. Both have
+demonstrated the unique capacity to innovate and maintain a level of development that has not only kept
+pace with demands, but, in many areas, each project has also proven to be an industry leader.
+</p><p>
+One of the areas in which the Samba project has demonstrated key leadership is in documentation. The OSSI
+was delighted when we saw the Samba Team, and John H. Terpstra in particular, release two amazingly
+well-written books to help Samba software users deploy, maintain, and troubleshoot Windows networking
+installations. We were concerned that, given the large volume of documentation, the challenge to maintain
+it and keep it current might prove difficult.
+</p><p>
+This second edition of the book, <span class="emphasis"><em>Samba-3 by Example</em></span>, barely one year following the release
+of the first edition, has removed all concerns and is proof that open source solutions are a compelling choice.
+The first edition was released shortly following the release of Samba version 3.0 itself, and has become
+the authoritative instrument for training and for guiding deployment.
+</p><p>
+I am personally aware of how much effort has gone into this second edition. John Terpstra has worked with
+government bodies and with large organizations that have deployed Samba-3 since it was released. He also
+worked to ensure that this book gained community following. He asked those who have worked at the coalface
+of large and small organizations alike, to contribute their experiences. He has captured that in this book
+and has succeeded yet again. His recipe is persistence, intuition, and a high level of respect for the people
+who use Samba.
+</p><p>
+This book is the first source you should turn to before you deploy Samba and as you are mastering its
+deployment. I am proud and excited to be associated in a small way with such a useful tool. This book has
+reached maturity that is demonstrated by reiteration that every step in deployment must be validated.
+This book makes it easy to succeed, and difficult to fail, to gain a stable network environment.
+</p><p>
+I recommend this book for use by all IT managers and network administrators.
+</p></blockquote></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr02.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="preface.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Acknowledgments </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Preface</td></tr></table></div></body></html>
diff --git a/docs/htmldocs/Samba3-ByExample/preface.html b/docs/htmldocs/Samba3-ByExample/preface.html
new file mode 100644
index 0000000000..1fee0be58d
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/preface.html
@@ -0,0 +1,386 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Preface</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="pr03.html" title="Foreword"><link rel="next" href="ExNetworks.html" title="Part I. Example Network Configurations"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Preface</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr03.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ExNetworks.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="preface"></a>Preface</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="preface.html#id274305">Why Is This Book Necessary?</a></span></dt><dd><dl><dt><span class="sect2"><a href="preface.html#id274342">Samba 3.0.20 Update Edition</a></span></dt></dl></dd><dt><span class="sect1"><a href="preface.html#id274092">Prerequisites</a></span></dt><dt><span class="sect1"><a href="preface.html#id315668">Approach</a></span></dt><dt><span class="sect1"><a href="preface.html#id315719">Summary of Topics</a></span></dt><dt><span class="sect1"><a href="preface.html#id316343">Conventions Used</a></span></dt></dl></div><p>
+ Network administrators live busy lives. We face distractions and pressures
+ that drive us to seek proven, working case scenarios that can be easily
+ implemented. Often this approach lands us in trouble. There is a
+ saying that, geometrically speaking, the shortest distance between two
+ points is a straight line, but practically we find that the quickest
+ route to a stable network solution is the long way around.
+ </p><p>
+ This book is your means to the straight path. It provides step-by-step,
+ proven, working examples of Samba deployments. If you want to deploy
+ Samba-3 with the least effort, or if you want to become an expert at deploying
+ Samba-3 without having to search through lots of documentation, this
+ book is the ticket to your destination.
+ </p><p>
+ Samba is software that can be run on a platform other than Microsoft Windows,
+ for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems.
+ Samba uses the TCP/IP protocol that is installed on the host server. When
+ correctly configured, it allows that host to interact with a Microsoft Windows
+ client or server as if it is a Windows file and print server. This book
+ will help you to implement Windows-compatible file and print services.
+ </p><p>
+ The examples presented in this book are typical of various businesses and
+ reflect the problems and challenges they face. Care has been taken to preserve
+ attitudes, perceptions, practices, and demands from real network case studies.
+ The maximum benefit may be obtained from this book by working carefully through
+ each exercise. You may be in a hurry to satisfy a specific need, so feel
+ free to locate the example that most closely matches your need, copy it, and
+ innovate as much as you like. Above all, enjoy the process of learning the
+ secrets of MS Windows networking that is truly liberated by Samba.
+ </p><p>
+ The focus of attention in this book is Samba-3. Specific notes are made in
+ respect of how Samba may be made secure. This book does not attempt to provide
+ detailed information regarding secure operation and configuration of peripheral
+ services and applications such as OpenLDAP, DNS and DHCP, the need for which
+ can be met from other resources that are dedicated to the subject.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id274305"></a>Why Is This Book Necessary?</h2></div></div></div><p>
+ This book is the result of observations and feedback. The feedback from
+ the Samba-HOWTO-Collection has been positive and complimentary. There
+ have been requests for far more worked examples, a
+ &#8220;<span class="quote">Samba Cookbook,</span>&#8221; and for training materials to
+ help kick-start the process of mastering Samba.
+ </p><p>
+ The Samba mailing lists users have asked for sample configuration files
+ that work. It is natural to question one's own ability to correctly
+ configure a complex tool such as Samba until a minimum necessary
+ knowledge level has been attained.
+ </p><p>
+ The Samba-HOWTO-Collection as does <span class="emphasis"><em>The Official Samba-3 HOWTO and
+ Reference Guide</em></span> documents Samba features and functionality in
+ a topical context. This book takes a completely different approach. It
+ walks through Samba network configurations that are working within particular
+ environmental contexts, providing documented step-by-step implementations.
+ All example case configuration files, scripts, and other tools are provided
+ on the CD-ROM. This book is descriptive, provides detailed diagrams, and
+ makes deployment of Samba-3 a breeze.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id274342"></a>Samba 3.0.20 Update Edition</h3></div></div></div><p>
+ The Samba 3.0.x series has been remarkably popular. At the time this book first
+ went to print samba-3.0.2 was being released. There have been significant modifications
+ and enhancements between samba-3.0.2 and samba-3.0.14 (the current release) that
+ necessitate this documentation update. This update has the specific intent to
+ refocus this book so that its guidance can be followed for samba-3.0.20
+ and beyond. Further changes are expected as Samba-3 matures further and will
+ be reflected in future updates.
+ </p><p>
+ The changes shown in <a href="preface.html#pref-new" title="Table 1. Samba Changes 3.0.2 to 3.0.20">???</a> are incorporated in this update.
+ </p><div class="table"><a name="pref-new"></a><p class="title"><b>Table 1. Samba Changes 3.0.2 to 3.0.20</b></p><div class="table-contents"><table summary="Samba Changes 3.0.2 to 3.0.20" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">
+ <p>
+ New Feature
+ </p>
+ </th><th align="left">
+ <p>
+ Description
+ </p>
+ </th></tr></thead><tbody><tr><td align="left">
+ <p>
+ Winbind Case Handling
+ </p>
+ </td><td align="justify">
+ <p>
+ User and group names returned by <code class="literal">winbindd</code> are now converted to lower case
+ for better consistency. Samba implementations that depend on the case of information returned
+ by winbind (such as %u and %U) must now convert the dependency to expecting lower case values.
+ This affects mail spool files, home directories, valid user lines in the <code class="filename">smb.conf</code> file, etc.
+ </p>
+ </td></tr><tr><td align="left">
+ <p>
+ Schema Changes
+ </p>
+ </td><td align="justify">
+ <p>
+ Addition of code to handle password aging, password uniqueness controls, bad
+ password instances at logon time, have made necessary extensions to the SambaSAM
+ schema. This change affects all sites that use LDAP and means that the directory
+ schema must be updated.
+ </p>
+ </td></tr><tr><td align="left">
+ <p>
+ Username Map Handling
+ </p>
+ </td><td align="justify">
+ <p>
+ Samba-3.0.8 redefined the behavior: Local authentication results in a username map file
+ lookup before authenticating the connection. All authentication via an external domain
+ controller will result in the use of the fully qualified name (i.e.: DOMAIN\username)
+ after the user has been successfully authenticated.
+ </p>
+ </td></tr><tr><td align="left">
+ <p>
+ UNIX Extension Handling
+ </p>
+ </td><td align="justify">
+ <p>
+ Symbolically linked files and directories on the UNIX host to absolute paths will
+ now be followed. This can be turned off using &#8220;<span class="quote">wide links = No</span>&#8221; in
+ the share stanza in the <code class="filename">smb.conf</code> file. Turning off &#8220;<span class="quote">wide links</span>&#8221;
+ support will degrade server performance because each path must be checked.
+ </p>
+ </td></tr><tr><td align="left">
+ <p>
+ Privileges Support
+ </p>
+ </td><td align="justify">
+ <p>
+ Versions of Samba prior to samba-3.0.11 required the use of the UNIX <code class="constant">root</code>
+ account from network Windows clients. The new &#8220;<span class="quote">enable privileges = Yes</span>&#8221; capability
+ means that functions such as adding machines to the domain, managing printers, etc. can now
+ be delegated to normal user accounts or to groups of users.
+ </p>
+ </td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id274092"></a>Prerequisites</h2></div></div></div><p>
+ This book is not a tutorial on UNIX or Linux administration. UNIX and Linux
+ training is best obtained from books dedicated to the subject. This book
+ assumes that you have at least the basic skill necessary to use these operating
+ systems, and that you can use a basic system editor to edit and configure files.
+ It has been written with the assumption that you have experience with Samba,
+ have read <span class="emphasis"><em>The Official Samba-3 HOWTO and Reference Guide</em></span> and
+ the Samba-HOWTO-Collection, or that you have familiarity with Microsoft Windows.
+ </p><p>
+ If you do not have this experience, you can follow the examples in this book but may
+ find yourself at times intimidated by assumptions made. In this situation, you
+ may need to refer to administrative guides or manuals for your operating system
+ platform to find what is the best method to achieve what the text of this book describes.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id315668"></a>Approach</h2></div></div></div><p>
+ The first chapter deals with some rather thorny network analysis issues. Do not be
+ put off by this. The information you glean, even without a detailed understanding
+ of network protocol analysis, can help you understand how Windows networking functions.
+ </p><p>
+ Each following chapter of this book opens with the description of a networking solution
+ sought by a hypothetical site. Bob Jordan is a hypothetical decision maker
+ for an imaginary company, <code class="constant">Abmas Biz NL</code>. We will use the
+ non-existent domain name <code class="constant">abmas.biz</code>. All <span class="emphasis"><em>facts</em></span>
+ presented regarding this company are fictitious and have been drawn from a variety of real
+ business scenarios over many years. Not one of these reveal the identify of the
+ real-world company from which the scenario originated.
+ </p><p>
+ In any case, Mr. Jordan likes to give all his staff nasty little assignments.
+ Stanley Saroka is one of his proteges; Christine Roberson is the network administrator
+ Bob trusts. Jordan is inclined to treat other departments well because they finance
+ Abmas IT operations.
+ </p><p>
+ Each chapter presents a summary of the network solution we have chosen to
+ demonstrate together with a rationale to help you to understand the
+ thought process that drove that solution. The chapter then documents in precise
+ detail all configuration files and steps that must be taken to implement the
+ example solution. Anyone wishing to gain serious value from this book will
+ do well to take note of the implications of points made, so watch out for the
+ <span class="emphasis"><em>this means that</em></span> notations.
+ </p><p>
+ Each chapter has a set of questions and answers to help you to
+ to understand and digest key attributes of the solutions presented.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id315719"></a>Summary of Topics</h2></div></div></div><p>
+ The contents of this second edition of <span class="emphasis"><em>Samba-3 by Example</em></span>
+ have been rearranged based on feedback from purchasers of the first edition.
+ </p><p>
+ Clearly the first edition contained most of what was needed and that was missing
+ from other books that cover this difficult subject. The new arrangement adds
+ additional material to meet consumer requests and includes changes that originated
+ as suggestions for improvement.
+ </p><p>
+ Chapter 1 now dives directly into the heart of the implementation of Windows
+ file and print server networks that use Samba at the heart.
+ </p><div class="variablelist"><dl><dt><span class="term">Chapter 1 No Frills Samba Servers.</span></dt><dd><p>
+ Here you design a solution for three different business scenarios, each for a
+ company called Abmas. There are two simple networking problems and one slightly
+ more complex networking challenge. In the first two cases, Abmas has a small
+ simple office, and they want to replace a Windows 9x peer-to-peer network. The
+ third example business uses Windows 2000 Professional. This must be simple,
+ so let's see how far we can get. If successful, Abmas grows quickly and
+ soon needs to replace all servers and workstations.
+ </p><p><span class="emphasis"><em>TechInfo</em></span> This chapter demands:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Case 1: The simplest <code class="filename">smb.conf</code> file that may
+ reasonably be used. Works with Samba-2.x also. This
+ configuration uses Share Mode security. Encrypted
+ passwords are not used, so there is no
+ <code class="filename">smbpasswd</code> file.
+ </p></li><li><p>Case 2: Another simple <code class="filename">smb.conf</code> file that adds
+ WINS support and printing support. This case deals with
+ a special requirement that demonstrates how to deal with
+ purpose-built software that has a particular requirement
+ for certain share names and printing demands. This
+ configuration uses Share Mode security and also works with
+ Samba-2.x. Encrypted passwords are not used, so there is no
+ <code class="filename">smbpasswd</code> file.
+ </p></li><li><p>Case 3: This <code class="filename">smb.conf</code> configuration uses User Mode
+ security. The file share configuration demonstrates
+ the ability to provide master access to an administrator
+ while restricting all staff to their own work areas.
+ Encrypted passwords are used, so there is an implicit
+ <code class="filename">smbpasswd</code> file.
+ </p></li></ul></div><p>
+ </p></dd><dt><span class="term">Chapter 2 Small Office Networking.</span></dt><dd><p>
+ Abmas is a successful company now. They have 50 network users
+ and want a little more varoom from the network. This is a typical
+ small office and they want better systems to help them to grow. This is
+ your chance to really give advanced users a bit more functionality and usefulness.
+ </p><p><span class="emphasis"><em>TechInfo</em></span> This <code class="filename">smb.conf</code> file
+ makes use of encrypted passwords, so there is an <code class="filename">smbpasswd</code>
+ file. It also demonstrates use of the <em class="parameter"><code>valid users</code></em> and
+ <em class="parameter"><code>valid groups</code></em> to restrict share access. The Windows
+ clients access the server as Domain members. Mobile users log onto
+ the Domain while in the office, but use a local machine account while on the
+ road. The result is an environment that answers mobile computing user needs.
+ </p></dd><dt><span class="term">Chapter 3 Secure Office Networking.</span></dt><dd><p>
+ Abmas is growing rapidly now. Money is a little tight, but with 130
+ network users, security has become a concern. They have many new machines
+ to install and the old equipment will be retired. This time they want the
+ new network to scale and grow for at least two years. Start with a sufficient
+ system and allow room for growth. You are now implementing an Internet
+ connection and have a few reservations about user expectations.
+ </p><p><span class="emphasis"><em>TechInfo</em></span> This <code class="filename">smb.conf</code> file
+ makes use of encrypted passwords, and you can use a <code class="filename">tdbsam</code>
+ password backend. Domain logons are introduced. Applications are served from the central
+ server. Roaming profiles are mandated. Access to the server is tightened up
+ so that only domain members can access server resources. Mobile computing
+ needs still are catered to.
+ </p></dd><dt><span class="term">Chapter 4 The 500 User Office.</span></dt><dd><p>
+ The two-year projections were met. Congratulations, you are a star.
+ Now Abmas needs to replace the network. Into the existing user base, they
+ need to merge a 280-user company they just acquired. It is time to build a serious
+ network. There are now three buildings on one campus and your assignment is
+ to keep everyone working while a new network is rolled out. Oh, isn't it nice
+ to roll out brand new clients and servers! Money is no longer tight, you get
+ to buy and install what you ask for. You will install routers and a firewall.
+ This is exciting!
+ </p><p><span class="emphasis"><em>TechInfo</em></span> This <code class="filename">smb.conf</code> file
+ makes use of encrypted passwords, and a <code class="filename">tdbsam</code>
+ password backend is used. You are not ready to launch into LDAP yet, so you
+ accept the limitation of having one central Domain Controller with a Domain
+ Member server in two buildings on your campus. A number of clever techniques
+ are used to demonstrate some of the smart options built into Samba.
+ </p></dd><dt><span class="term">Chapter 5 Making Happy Users.</span></dt><dd><p>
+ Congratulations again. Abmas is happy with your services and you have been given another raise.
+ Your users are becoming much more capable and are complaining about little
+ things that need to be fixed. Are you up to the task? Mary says it takes her 20 minutes
+ to log onto the network and it is killing her productivity. Email is a bit <span class="emphasis"><em>
+ unreliable</em></span> have you been sleeping on the job? We do not discuss the
+ technology of email but when the use of mail clients breaks because of networking
+ problems, you had better get on top of it. It's time for a change.
+ </p><p><span class="emphasis"><em>TechInfo</em></span> This <code class="filename">smb.conf</code> file
+ makes use of encrypted passwords; a distributed <code class="filename">ldapsam</code>
+ password backend is used. Roaming profiles are enabled. Desktop profile controls
+ are introduced. Check out the techniques that can improve the user experience
+ of network performance. As a special bonus, this chapter documents how to configure
+ smart downloading of printer drivers for drag-and-drop printing support. And, yes,
+ the secret of configuring CUPS is clearly documented. Go for it; this one will
+ tease you, too.
+ </p></dd><dt><span class="term">Chapter 6 A Distributed 2000 User Network.</span></dt><dd><p>
+ Only eight months have passed, and Abmas has acquired another company. You now need to expand
+ the network further. You have to deal with a network that spans several countries.
+ There are three new networks in addition to the original three buildings at the head-office
+ campus. The head office is in New York and you have branch offices in Washington, Los Angeles, and
+ London. Your desktop standard is Windows XP Professional. In many ways, everything has changed
+ and yet it must remain the same. Your team is primed for another roll-out. You know there are
+ further challenges ahead.
+ </p><p><span class="emphasis"><em>TechInfo</em></span> Slave LDAP servers are introduced. Samba is
+ configured to use multiple LDAP backends. This is a brief chapter; it assumes that the
+ technology has been mastered and gets right down to concepts and how to deploy them.
+ </p></dd><dt><span class="term">Chapter 7 Adding UNIX/Linux Servers and Clients.</span></dt><dd><p>
+ Well done, Bob, your team has achieved much. Now help Abmas integrate the entire network.
+ You want central control and central support and you need to cut costs. How can you reduce administrative
+ overheads and yet get better control of the network?
+ </p><p>
+ This chapter has been contributed by Mark Taylor <code class="email">&lt;<a href="mailto:mark.taylor@siriusit.co.uk">mark.taylor@siriusit.co.uk</a>&gt;</code>
+ and is based on a live site. For further information regarding this example case,
+ please contact Mark directly.
+ </p><p><span class="emphasis"><em>TechInfo</em></span> It is time to consider how to add Samba servers
+ and UNIX and Linux network clients. Users who convert to Linux want to be able to log on
+ using Windows network accounts. You explore nss_ldap, pam_ldap, winbind, and a few neat
+ techniques for taking control. Are you ready for this?
+ </p></dd><dt><span class="term">Chapter 8 Updating Samba-3.</span></dt><dd><p>
+ This chapter is the result of repeated requests for better documentation of the steps
+ that must be followed when updating or upgrading a Samba server. It attempts to cover
+ the entire subject in broad-brush but at the same time provides detailed background
+ information that is not covered elsewhere in the Samba documentation.
+ </p><p><span class="emphasis"><em>TechInfo</em></span> Samba stores a lot of essential network
+ information in a large and growing collection of files. This chapter documents the
+ essentials of where those files may be located and how to find them. It also provides
+ an insight into inter-related matters that affect a Samba installation.
+ </p></dd><dt><span class="term">Chapter 9 Migrating NT4 Domain to Samba-3.</span></dt><dd><p>
+ Another six months have passed. Abmas has acquired yet another company. You will find a
+ way to migrate all users off the old network onto the existing network without loss
+ of passwords and will effect the change-over during one weekend. May the force (and caffeine) be with
+ you, may you keep your back to the wind and may the sun shine on your face.
+ </p><p><span class="emphasis"><em>TechInfo</em></span> This chapter demonstrates the use of
+ the <code class="literal">net rpc migrate</code> facility using an LDAP ldapsam backend, and also
+ using a tdbsam passdb backend. Both are much-asked-for examples of NT4 Domain migration.
+ </p></dd><dt><span class="term">Chapter 10 Migrating NetWare 4.11 Server to Samba.</span></dt><dd><p>
+ Misty Stanley-Jones has contributed information that summarizes her experience at migration
+ from a NetWare server to Samba-3.
+ </p><p><span class="emphasis"><em>TechInfo</em></span> The documentation provided demonstrates
+ how one site migrated from NetWare to Samba. Some alternatives tools are mentioned. These
+ could be used to provide another pathway to a successful migration.
+ </p></dd><dt><span class="term">Chapter 11 Active Directory, Kerberos and Security.</span></dt><dd><p>
+ Abmas has acquired another company that has just migrated to running Windows Server 2003 and
+ Active Directory. One of your staff makes offhand comments that land you in hot water.
+ A network security auditor is hired by the head of the new business and files a damning
+ report, and you must address the <span class="emphasis"><em>defects</em></span> reported. You have hired new
+ network engineers who want to replace Microsoft Active Directory with a pure Kerberos
+ solution. How will you handle this?
+ </p><p><span class="emphasis"><em>TechInfo</em></span> This chapter is your answer. Learn about
+ share access controls, proper use of UNIX/Linux file system access controls, and Windows
+ 200x Access Control Lists. Follow these steps to beat the critics.
+ </p></dd><dt><span class="term">Chapter 12 Integrating Additional Services.</span></dt><dd><p>
+ The battle is almost over, Samba-3 has won the day. Your team are delighted and now you
+ find yourself at yet another cross-roads. Abmas have acquired a snack food business, you
+ made promises you must keep. IT costs must be reduced, you have new resistance, but you
+ will win again. This time you choose to install the Squid proxy server to validate the
+ fact that Samba is far more than just a file and print server. SPNEGO authentication
+ support means that your Microsoft Windows clients gain transparent proxy access.
+ </p><p><span class="emphasis"><em>TechInfo</em></span> Samba provides the <code class="literal">ntlm_auth</code>
+ module that makes it possible for MS Windows Internet Explorer to connect via the Squid Web
+ and FTP proxy server. You will configure Samba-3 as well as Squid to deliver authenticated
+ access control using the Active Directory Domain user security credentials.
+ </p></dd><dt><span class="term">Chapter 13 Performance, Reliability and Availability.</span></dt><dd><p>
+ Bob, are you sure the new Samba server is up to the load? Your network is serving many
+ users who risk becoming unproductive. What can you do to keep ahead of demand? Can you
+ keep the cost under control also? What can go wrong?
+ </p><p><span class="emphasis"><em>TechInfo</em></span> Hot tips that put chili into your
+ network. Avoid name resolution problems, identify potential causes of network collisions,
+ avoid Samba configuration options that will weigh the server down. MS distributed file
+ services to make your network fly and much more. This chapter contains a good deal of
+ &#8220;<span class="quote">Did I tell you about this...?</span>&#8221; type of hints to help keep your name on the top
+ performers list.
+ </p></dd><dt><span class="term">Chapter 14 Samba Support.</span></dt><dd><p>
+ This chapter has been added specifically to help those who are seeking professional
+ paid support for Samba. The critics of Open Source Software often assert that
+ there is no support for free software. Some critics argue that free software
+ undermines the service that proprietary commercial software vendors depend on.
+ This chapter explains what are the support options for Samba and the fact that
+ a growing number of businesses make money by providing commercial paid-for
+ Samba support.
+ </p></dd><dt><span class="term">Chapter 15 A Collection of Useful Tid-bits.</span></dt><dd><p>
+ Sometimes it seems that there is not a good place for certain odds and ends that
+ impact Samba deployment. Some readers would argue that everyone can be expected
+ to know this information, or at least be able to find it easily. So to avoid
+ offending a reader's sensitivities, the tid-bits have been placed in this chapter.
+ Do check out the contents, you may find something of value among the loose ends.
+ </p></dd><dt><span class="term">Chapter 16 Windows Networking Primer.</span></dt><dd><p>
+ Here we cover practical exercises to help us to understand how MS Windows
+ network protocols function. A network protocol analyzer helps you to
+ appreciate the fact that Windows networking is highly dependent on broadcast
+ messaging. Additionally, you can look into network packets that a Windows
+ client sends to a network server to set up a network connection. On completion,
+ you should have a basic understanding of how network browsing functions and
+ have seen some of the information a Windows client sends to
+ a file and print server to create a connection over which file and print
+ operations may take place.
+ </p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id316343"></a>Conventions Used</h2></div></div></div><p>
+ The following notation conventions are used throughout this book:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ TOSHARG2 is used as an abbreviation for the book, &#8220;<span class="quote">The Official Samba-3
+ HOWTO and Reference Guide, Second Edition</span>&#8221; Editors: John H. Terpstra and Jelmer R. Vernooij,
+ Publisher: Prentice Hall, ISBN: 0131882228.
+ </p></li><li><p>
+ S3bE2 is used as an abbreviation for the book, &#8220;<span class="quote">Samba-3 by Example, Second Edition</span>&#8221;
+ Editors: John H. Terpstra, Publisher: Prentice Hall, ISBN: 013188221X.
+ </p></li><li><p>
+ Directories and filenames appear in mono-font. For example,
+ <code class="filename">/etc/pam.conf</code>.
+ </p></li><li><p>
+ Executable names are bolded. For example, <code class="literal">smbd</code>.
+ </p></li><li><p>
+ Menu items and buttons appear in bold. For example, click <span class="guibutton">Next</span>.
+ </p></li><li><p>
+ Selecting a menu item is indicated as:
+ <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Control Panel</span> &#8594; <span class="guimenuitem">Administrative Tools</span> &#8594; <span class="guimenuitem">Active Directory Users and Computers</span>
+ </p></li></ul></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr03.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ExNetworks.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Foreword </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part I. Example Network Configurations</td></tr></table></div></body></html>
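Review bot: The "UNIX Extension Handling" row (the paragraph beginning "Symbolically linked files and directories on the UNIX host to absolute paths will now be followed") states only the performance cost of "wide links = No" and leaves out the reason an administrator would set it: when absolute symlinks are followed, a client with access to a share can reach files outside that share's path through a symlink inside it, so the slower setting is the safer one for any share where users can write. Suggest adding a sentence to that effect so the trade-off is stated as security versus performance, not performance alone. Two wording defects in the same hunk: "Not one of these reveal the identify of the real-world company" should read "None of these reveals the identity of the real-world company", and "to help you to / to understand and digest" duplicates "to". Also "Editors: John H. Terpstra" in the S3bE2 convention item names a single editor.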
diff --git a/docs/htmldocs/Samba3-ByExample/primer.html b/docs/htmldocs/Samba3-ByExample/primer.html
new file mode 100644
index 0000000000..50481ef7ff
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/primer.html
@@ -0,0 +1,546 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Networking Primer</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits"><link rel="next" href="gpl.html" title="Appendix A. GNU General Public License"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Networking Primer</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="appendix.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="gpl.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="primer"></a>Chapter 16. 
Networking Primer</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="primer.html#id386080">Requirements and Notes</a></span></dt><dt><span class="sect1"><a href="primer.html#id386216">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id386266">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#id386373">Exercises</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id386486">Single-Machine Broadcast Activity</a></span></dt><dt><span class="sect2"><a href="primer.html#secondmachine">Second Machine Startup Broadcast Interaction</a></span></dt><dt><span class="sect2"><a href="primer.html#id387580">Simple Windows Client Connection Characteristics</a></span></dt><dt><span class="sect2"><a href="primer.html#id388041">Windows 200x/XP Client Interaction with Samba-3</a></span></dt><dt><span class="sect2"><a href="primer.html#id388566">Conclusions to Exercises</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01conc">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id388668">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01qa">Questions and Answers</a></span></dt></dl></div><p>
+ You are about to use the equivalent of a microscope to look at the information
+ that runs through the veins of a Windows network. We do more to observe the information than
+ to interrogate it. When you are done with this primer, you should have a good understanding
+ of the types of information that flow over the network. Do not worry, this is not
+ a biology lesson. We won't lose you in unnecessary detail. Think to yourself, &#8220;<span class="quote">This
+ is easy,</span>&#8221; then tackle each exercise without fear.
+ </p><p>
+ Samba can be configured with a minimum of complexity. Simplicity should be mastered
+ before you get too deeply into complexities. Let's get moving: we have work to do.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386080"></a>Requirements and Notes</h2></div></div></div><p>
+ Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations
+ as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet
+ card connected using a hub. Also required is one additional server (either Windows
+ NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network
+ sniffer and analysis application (ethereal is a good choice). All work should be undertaken
+ on a quiet network where there is no other traffic. It is best to use a dedicated hub
+ with only the machines under test connected at the time of the exercises.
+ </p><p><a class="indexterm" name="id386095"></a>
+ Ethereal has become the network protocol analyzer of choice for many network administrators.
+ You may find more information regarding this tool from the
+ <a href="http://www.ethereal.com" target="_top">Ethereal</a> Web site. Ethereal installation
+ files for Windows may be obtained from the Ethereal Web site. Ethereal is provided with
+ SUSE and Red Hat Linux distributions, as well as with many other Linux distributions. It may
+ not be installed on your system by default. If it is not installed, you may also need
+ to install the <code class="literal">libpcap </code> software before you can install or use Ethereal.
+ Please refer to the instructions for your operating system or to the Ethereal Web site
+ for information regarding the installation and operation of Ethereal.
+ </p><p>
+ To obtain <code class="literal">ethereal</code> for your system, please visit the Ethereal
+ <a href="http://www.ethereal.com/download.html#binaries" target="_top">download site</a>.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ The successful completion of this chapter requires that you capture network traffic
+ using <code class="literal">Ethereal</code>. It is recommended that you use a hub, not an
+ Ethernet switch. It is necessary for the device used to act as a repeater, not as a
+ filter. Ethernet switches may filter out traffic that is not directed at the machine
+ that is used to monitor traffic; this would not allow you to complete the projects.
+ </p></div><p>
+ <a class="indexterm" name="id386154"></a>
+ Do not worry too much if you do not have access to all this equipment; network captures
+ from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive directly
+ into the analytical part of the exercises if you so desire.
+ </p><p><a class="indexterm" name="id386168"></a><a class="indexterm" name="id386179"></a>
+ Please do not be alarmed at the use of a high-powered analysis tool (Ethereal) in this
+ primer. We expose you only to a minimum of detail necessary to complete
+ the exercises. If you choose to use any other network sniffer and protocol
+ analysis tool, be advised that it may not allow you to examine the contents of
+ recently added security protocols used by Windows 200x/XP.
+ </p><p>
+ You could just skim through the exercises and try to absorb the key points made.
+ The exercises provide all the information necessary to convince the die-hard network
+ engineer. You possibly do not require so much convincing and may just want to move on,
+ in which case you should at least read <a href="primer.html#chap01conc" title="Dissection and Discussion">???</a>.
+ </p><p>
+ <a href="primer.html#chap01qa" title="Questions and Answers">???</a> also provides useful information
+ that may help you to avoid significantly time-consuming networking problems.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386216"></a>Introduction</h2></div></div></div><p>
+ The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows
+ network computing. If you want a solid technical grounding, do not gloss over these exercises.
+ The points covered are recurrent issues on the Samba mailing lists.
+ </p><p><a class="indexterm" name="id386228"></a>
+ You can see from these exercises that Windows networking involves quite a lot of network
+ broadcast traffic. You can look into the contents of some packets, but only to see
+ some particular information that the Windows client sends to a server in the course of
+ establishing a network connection.
+ </p><p>
+ To many people, browsing is everything that happens when one uses Microsoft Internet Explorer.
+ It is only when you start looking at network traffic and noting the protocols
+ and types of information that are used that you can begin to appreciate the complexities of
+ Windows networking and, more importantly, what needs to be configured so that it can work.
+ Detailed information regarding browsing is provided in the recommended
+ preparatory reading.
+ </p><p>
+ Recommended preparatory reading: <span class="emphasis"><em>The Official Samba-3 HOWTO and Reference Guide, Second
+ Edition</em></span> (TOSHARG2) Chapter 9, &#8220;<span class="quote">Network Browsing,</span>&#8221; and Chapter 3,
+ &#8220;<span class="quote">Server Types and Security Modes.</span>&#8221;
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id386266"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id386273"></a>
+ You are about to witness how Microsoft Windows computer networking functions. The
+ exercises step through identification of how a client machine establishes a
+ connection to a remote Windows server. You observe how Windows machines find
+ each other (i.e., how browsing works) and how the two key types of user identification
+ (share mode security and user mode security) are affected.
+ </p><p><a class="indexterm" name="id386287"></a>
+ The networking protocols used by MS Windows networking when working with Samba
+ use TCP/IP as the transport protocol. The protocols that are specific to Windows
+ networking are encapsulated in TCP/IP. The network analyzer we use (Ethereal)
+ is able to show you the contents of the TCP/IP packets (or messages).
+ </p><div class="procedure"><a name="chap01tasks"></a><p class="title"><b>Procedure 16.1. Diagnostic Tasks</b></p><ol type="1"><li><p><a class="indexterm" name="id386318"></a><a class="indexterm" name="id386329"></a><a class="indexterm" name="id386337"></a>
+ Examine network traces to witness SMB broadcasts, host announcements,
+ and name resolution processes.
+ </p></li><li><p>
+ Examine network traces to witness how share mode security functions.
+ </p></li><li><p>
+ Examine network traces to witness the use of user mode security.
+ </p></li><li><p>
+ Review traces of network logons for a Windows 9x/Me client as well as
+ a domain logon for a Windows XP Professional client.
+ </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386373"></a>Exercises</h2></div></div></div><p>
+ <a class="indexterm" name="id386381"></a>
+ You are embarking on a course of discovery. The first part of the exercise requires
+ two MS Windows 9x/Me systems. We called one machine <code class="constant">WINEPRESSME</code> and the
+ other <code class="constant">MILGATE98</code>. Each needs an IP address; we used <code class="literal">10.1.1.10</code>
+ and <code class="literal">10.1.1.11</code>. The test machines need to be networked via a <span class="emphasis"><em>hub</em></span>. A UNIX/Linux
+ machine is required to run <code class="literal">Ethereal</code> to enable the network activity to be captured.
+ It is important that the machine from which network activity is captured must not interfere with
+ the operation of the Windows workstations. It is helpful for this machine to be passive (does not
+ send broadcast information) to the network.
+ </p><p>
+ For these exercises, our test environment consisted of a SUSE 9.2 Professional Linux Workstation running
+ VMWare 4.5. The following VMWare images were prepared:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Windows 98 name: MILGATE98</p></li><li><p>Windows Me name: WINEPRESSME</p></li><li><p>Windows XP Professional name: LightrayXP</p></li><li><p>Samba-3.0.20 running on a SUSE Enterprise Linux 9</p></li></ul></div><p>
+ Choose a workgroup name (MIDEARTH) for each exercise.
+ </p><p>
+ <a class="indexterm" name="id386463"></a>
+ The network captures provided on the CD-ROM included with this book were captured using <code class="constant">Ethereal</code>
+ version <code class="literal">0.10.6</code>. A later version suffices without problems, but an earlier version may not
+ expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all
+ packets has also been included. This makes it possible for you to do all the studying you like without the need to
+ perform the time-consuming equipment configuration and test work. This is a good time to point out that the value
+ that can be derived from this book really does warrant your taking sufficient time to practice each exercise with
+ care and attention to detail.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id386486"></a>Single-Machine Broadcast Activity</h3></div></div></div><p>
+ In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes.
+ </p><div class="procedure"><a name="id386496"></a><p class="title"><b>Procedure 16.2. Monitoring Windows 9x Steps</b></p><ol type="1"><li><p>
+ Start the machine from which network activity will be monitored (using <code class="literal">ethereal</code>).
+ Launch <code class="literal">ethereal</code>, click
+ <span class="guimenu">Capture</span> &#8594; <span class="guimenuitem">Start</span>.
+ </p><p>
+ Click the following:
+ </p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p>
+ Click <span class="guibutton">OK</span>.
+ </p></li><li><p>
+ Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring,
+ do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
+ </p></li><li><p>
+ At the conclusion of 30 minutes, stop the capture. Save the capture to a file so you can go back to it later.
+ Leave this machine running in preparation for the task in <a href="primer.html#secondmachine" title="Second Machine Startup Broadcast Interaction">???</a>.
+ </p></li><li><p>
+ Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol
+ was used. Identify the timing between messages of identical types.
+ </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id386612"></a>Findings</h4></div></div></div><p>
+ The summary of the first 10 minutes of the packet capture should look like <a href="primer.html#pktcap01" title="Figure 16.1. Windows Me Broadcasts The First 10 Minutes">???</a>.
+ A screenshot of a later stage of the same capture is shown in <a href="primer.html#pktcap02" title="Figure 16.2. Windows Me Later Broadcast Sample">???</a>.
+ </p><div class="figure"><a name="pktcap01"></a><p class="title"><b>Figure 16.1. Windows Me Broadcasts The First 10 Minutes</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WINREPRESSME-Capture.png" width="216" alt="Windows Me Broadcasts The First 10 Minutes"></div></div></div><br class="figure-break"><div class="figure"><a name="pktcap02"></a><p class="title"><b>Figure 16.2. Windows Me Later Broadcast Sample</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WINREPRESSME-Capture2.png" width="226.8" alt="Windows Me Later Broadcast Sample"></div></div></div><br class="figure-break"><p><a class="indexterm" name="id386725"></a><a class="indexterm" name="id386736"></a>
+ Broadcast messages observed are shown in <a href="primer.html#capsstats01" title="Table 16.1. Windows Me Startup Broadcast Capture Statistics">???</a>.
+ Actual observations vary a little, but not by much.
+ Early in the startup process, the Windows Me machine broadcasts its name for two reasons:
+ first to ensure that its name would not result in a name clash, and second to establish its
+ presence with the Local Master Browser (LMB).
+ </p><div class="table"><a name="capsstats01"></a><p class="title"><b>Table 16.1. Windows Me Startup Broadcast Capture Statistics</b></p><div class="table-contents"><table summary="Windows Me Startup Broadcast Capture Statistics" border="1"><colgroup><col align="left"><col align="center"><col align="center"><col align="left"></colgroup><thead><tr><th align="left">Message</th><th align="center">Type</th><th align="center">Num</th><th align="left">Notes</th></tr></thead><tbody><tr><td align="left">WINEPRESSME&lt;00&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">WINEPRESSME&lt;03&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">WINEPRESSME&lt;20&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH&lt;00&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH&lt;1d&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH&lt;1e&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH&lt;1b&gt;</td><td align="center">Qry</td><td align="center">84</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">__MSBROWSE__</td><td align="center">Reg</td><td align="center">8</td><td align="left">Registered after winning election to Browse Master</td></tr><tr><td align="left">JHT&lt;03&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 x 2. 
This is the name of the user that logged onto Windows</td></tr><tr><td align="left">Host Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">2</td><td align="left">Observed at 10 sec</td></tr><tr><td align="left">Domain/Workgroup Announcement MIDEARTH</td><td align="center">Ann</td><td align="center">18</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">Local Master Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">18</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">Get Backup List Request</td><td align="center">Qry</td><td align="center">12</td><td align="left">6 x 2 early in startup, 0.5 sec apart</td></tr><tr><td align="left">Browser Election Request</td><td align="center">Ann</td><td align="center">10</td><td align="left">5 x 2 early in startup</td></tr><tr><td align="left">Request Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">4</td><td align="left">Early in startup</td></tr></tbody></table></div></div><br class="table-break"><p><a class="indexterm" name="id387071"></a><a class="indexterm" name="id387079"></a>
+ From the packet trace, it should be noted that no messages were propagated over TCP/IP;
+ all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle
+ of various announcements, re-election of a browse master, and name queries. These create
+ the symphony of announcements by which network browsing is made possible.
+ </p><p><a class="indexterm" name="id387093"></a>
+ For detailed information regarding the precise behavior of the CIFS/SMB protocols,
+ refer to the book &#8220;<span class="quote">Implementing CIFS: The Common Internet File System,</span>&#8221;
+ by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X).
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="secondmachine"></a>Second Machine Startup Broadcast Interaction</h3></div></div></div><p>
+ At this time, the machine you used to capture the single-system startup trace should still be running.
+ The objective of this task is to identify the interaction of two machines in respect to broadcast activity.
+ </p><div class="procedure"><a name="id387125"></a><p class="title"><b>Procedure 16.3. Monitoring of Second Machine Activity</b></p><ol type="1"><li><p>
+ On the machine from which network activity will be monitored (using <code class="literal">ethereal</code>),
+ launch <code class="literal">ethereal</code> and click
+ <span class="guimenu">Capture</span> &#8594; <span class="guimenuitem">Start</span>.
+ </p><p>
+ Click:
+ </p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p>
+ Click <span class="guibutton">OK</span>.
+ </p></li><li><p>
+ Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press
+ any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
+ </p></li><li><p>
+ At the conclusion of the capture time, stop the capture. Be sure to save the captured data so you
+ can examine the network data capture again at a later date should that be necessary.
+ </p></li><li><p>
+ Analyze the capture trace, taking note of the transport protocols used, the types of messages observed,
+ and what interaction took place between the two machines. Leave both machines running for the next task.
+ </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id387234"></a>Findings</h4></div></div></div><p>
+ <a href="primer.html#capsstats02" title="Table 16.2. Second Machine (Windows 98) Capture Statistics">???</a> summarizes capture statistics observed. As in the previous case,
+ all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second
+ Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash
+ (i.e., the name is already registered by another machine) on the network segment. Those wishing
+ to explore the inner details of the precise mechanism of how this functions should refer to
+ &#8220;<span class="quote">Implementing CIFS: The Common Internet File System.</span>&#8221;
+ </p><div class="table"><a name="capsstats02"></a><p class="title"><b>Table 16.2. Second Machine (Windows 98) Capture Statistics</b></p><div class="table-contents"><table summary="Second Machine (Windows 98) Capture Statistics" border="1"><colgroup><col align="left"><col align="center"><col align="center"><col align="left"></colgroup><thead><tr><th align="left">Message</th><th align="center">Type</th><th align="center">Num</th><th align="left">Notes</th></tr></thead><tbody><tr><td align="left">MILGATE98&lt;00&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">MILGATE98&lt;03&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">MILGATE98&lt;20&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH&lt;00&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH&lt;1d&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH&lt;1e&gt;</td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH&lt;1b&gt;</td><td align="center">Qry</td><td align="center">18</td><td align="left">900 sec apart at stable operation</td></tr><tr><td align="left">JHT&lt;03&gt;</td><td align="center">Reg</td><td align="center">2</td><td align="left">This is the name of the user that logged onto Windows</td></tr><tr><td align="left">Host Announcement MILGATE98</td><td align="center">Ann</td><td align="center">14</td><td align="left">Every 120 sec</td></tr><tr><td align="left">Domain/Workgroup Announcement MIDEARTH</td><td align="center">Ann</td><td align="center">6</td><td align="left">900 sec 
apart at stable operation</td></tr><tr><td align="left">Local Master Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">6</td><td align="left">Insufficient detail to determine frequency</td></tr></tbody></table></div></div><br class="table-break"><p>
+ <a class="indexterm" name="id387506"></a>
+ <a class="indexterm" name="id387513"></a>
+ <a class="indexterm" name="id387520"></a>
+ Observation of the contents of Host Announcements, Domain/Workgroup Announcements,
+ and Local Master Announcements is instructive. These messages convey a significant
+ level of detail regarding the nature of each machine that is on the network. An example
+ dissection of a Host Announcement is given in <a href="primer.html#hostannounce" title="Figure 16.3. Typical Windows 9x/Me Host Announcement">???</a>.
+ </p><div class="figure"><a name="hostannounce"></a><p class="title"><b>Figure 16.3. Typical Windows 9x/Me Host Announcement</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/HostAnnouncment.png" width="221.4" alt="Typical Windows 9x/Me Host Announcement"></div></div></div><br class="figure-break"></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id387580"></a>Simple Windows Client Connection Characteristics</h3></div></div></div><p>
+ The purpose of this exercise is to discover how Microsoft Windows clients create (establish)
+ connections with remote servers. The methodology involves analysis of a key aspect of how
+ Windows clients access remote servers: the session setup protocol.
+ </p><div class="procedure"><a name="id387592"></a><p class="title"><b>Procedure 16.4. Client Connection Exploration Steps</b></p><ol type="1"><li><p>
+ Configure a Windows 9x/Me machine (MILGATE98) with a share called <code class="constant">Stuff</code>.
+ Create a <em class="parameter"><code>Full Access</code></em> control password on this share.
+ </p></li><li><p>
+ Configure another Windows 9x/Me machine (WINEPRESSME) as a client. Make sure that it exports
+ no shared resources.
+ </p></li><li><p>
+ Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both
+ machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding.
+ </p></li><li><p>
+ Start ethereal (or the network sniffer of your choice).
+ </p></li><li><p>
+ From the WINEPRESSME machine, right-click <span class="guimenu">Network Neighborhood</span>, select
+ <span class="guimenuitem">Explore</span>, select
+ <span class="guimenuitem">My Network Places</span> &#8594; <span class="guimenuitem">Entire Network</span> &#8594; <span class="guimenuitem">MIDEARTH</span> &#8594; <span class="guimenuitem">MILGATE98</span> &#8594; <span class="guimenuitem">Stuff</span>.
+ Enter the password you set for the <code class="constant">Full Control</code> mode for the
+ <code class="constant">Stuff</code> share.
+ </p></li><li><p>
+ When the share called <code class="constant">Stuff</code> is being displayed, stop the capture.
+ Save the captured data in case it is needed for later analysis.
+ </p></li><li><p>
+ <a class="indexterm" name="id387716"></a>
+ From the top of the packets captured, scan down to locate the first packet that has
+ interpreted as <code class="constant">Session Setup AndX, User: anonymous; Tree Connect AndX,
+ Path: \\MILGATE98\IPC$</code>.
+ </p></li><li><p><a class="indexterm" name="id387733"></a><a class="indexterm" name="id387741"></a>
+ In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request,
+ and Tree Connect AndX Request</code>. Examine both operations. Identify the name of
+ the user Account and what password was used. The Account name should be empty.
+ This is a <code class="constant">NULL</code> session setup packet.
+ </p></li><li><p>
+ Return to the packet capture sequence. There will be a number of packets that have been
+ decoded of the type <code class="constant">Session Setup AndX</code>. Locate the last such packet
+ that was targeted at the <code class="constant">\\MILGATE98\IPC$</code> service.
+ </p></li><li><p>
+ <a class="indexterm" name="id387782"></a>
+ <a class="indexterm" name="id387788"></a>
+ Dissect this packet as per the previous one. This packet should have a password length
+ of 24 (characters) and should have a password field, the contents of which is a
+ long hexadecimal number. Observe the name in the Account field. This is a User Mode
+ session setup packet.
+ </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id387800"></a>Findings and Comments</h4></div></div></div><p>
+ <a class="indexterm" name="id387808"></a>
+ The <code class="constant">IPC$</code> share serves a vital purpose<sup>[<a name="id387819" href="#ftn.id387819">15</a>]</sup>
+ in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of
+ resources that are available on the server. The server responds with the shares and print queues that
+ are available. In most but not all cases, the connection is made with a <code class="constant">NULL</code>
+ username and a <code class="constant">NULL</code> password.
+ </p><p>
+ <a class="indexterm" name="id387836"></a>
+ The two packets examined are material evidence of how Windows clients may
+ interoperate with Samba. Samba requires every connection setup to be authenticated using
+ valid UNIX account credentials (UID/GID). This means that even a <code class="constant">NULL</code>
+ session setup can be established only by automatically mapping it to a valid UNIX
+ account.
+ </p><p>
+ <a class="indexterm" name="id387853"></a><a class="indexterm" name="id387859"></a>
+ <a class="indexterm" name="id387868"></a>
+ Samba has a special name for the <code class="constant">NULL</code>, or empty, user account:
+ it calls it the <a class="indexterm" name="id387879"></a>guest account. The
+ default value of this parameter is <code class="constant">nobody</code>; however, this can be
+ changed to map the function of the guest account to any other UNIX identity. Some
+ UNIX administrators prefer to map this account to the system default anonymous
+ FTP account. A sample NULL Session Setup AndX packet dissection is shown in
+ <a href="primer.html#nullconnect" title="Figure 16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request">???</a>.
+ </p><div class="figure"><a name="nullconnect"></a><p class="title"><b>Figure 16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/NullConnect.png" width="221.4" alt="Typical Windows 9x/Me NULL SessionSetUp AndX Request"></div></div></div><br class="figure-break"><p>
+ <a class="indexterm" name="id387943"></a>
+ <a class="indexterm" name="id387950"></a>
+ <a class="indexterm" name="id387956"></a>
+ When a UNIX/Linux system does not have a <code class="constant">nobody</code> user account
+ (<code class="filename">/etc/passwd</code>), the operation of the <code class="constant">NULL</code>
+ account cannot validate and thus connections that utilize the guest account
+ fail. This breaks all ability to browse the Samba server and is a common
+ problem reported on the Samba mailing list. A sample User Mode session setup AndX
+ is shown in <a href="primer.html#userconnect" title="Figure 16.5. Typical Windows 9x/Me User SessionSetUp AndX Request">???</a>.
+ </p><div class="figure"><a name="userconnect"></a><p class="title"><b>Figure 16.5. Typical Windows 9x/Me User SessionSetUp AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UserConnect.png" width="221.4" alt="Typical Windows 9x/Me User SessionSetUp AndX Request"></div></div></div><br class="figure-break"><p>
+ <a class="indexterm" name="id388029"></a>
+ The User Mode connection packet contains the account name and the domain name.
+ The password is provided in Microsoft encrypted form, and its length is shown
+ as 24 characters. This is the length of Microsoft encrypted passwords.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id388041"></a>Windows 200x/XP Client Interaction with Samba-3</h3></div></div></div><p>
+ By now you may be asking, &#8220;<span class="quote">Why did you choose to work with Windows 9x/Me?</span>&#8221;
+ </p><p>
+ First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise
+ on the Windows networking protocols, but rather to provide prescriptive guidance for deployment of Samba.
+ Second, by starting out with the simple protocol, it can be demonstrated that the more complex case mostly
+ follows the same principles.
+ </p><p>
+ The following exercise demonstrates the case that even MS Windows XP Professional with up-to-date service
+ updates also uses the <code class="constant">NULL</code> account, as well as user accounts. Simply follow the procedure
+ to complete this exercise.
+ </p><p>
+ To complete this exercise, you need a Windows XP Professional client that has been configured as
+ a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain.
+ Here we do not provide details for how to configure this, as full coverage is provided earlier in this book.
+ </p><div class="procedure"><a name="id388076"></a><p class="title"><b>Procedure 16.5. Steps to Explore Windows XP Pro Connection Set-up</b></p><ol type="1"><li><p>
+ Start your domain controller. Also, start the ethereal monitoring machine, launch ethereal,
+ and then wait for the next step to complete.
+ </p></li><li><p>
+ Start the Windows XP Client and wait 5 minutes before proceeding.
+ </p></li><li><p>
+ On the machine from which network activity will be monitored (using <code class="literal">ethereal</code>),
+ launch <code class="literal">ethereal</code> and click
+ <span class="guimenu">Capture</span> &#8594; <span class="guimenuitem">Start</span>.
+ </p><p>
+ Click:
+ </p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p>
+ Click <span class="guibutton">OK</span>.
+ </p></li><li><p>
+ On the Windows XP Professional client, press <span class="guimenu">Ctrl-Alt-Delete</span> to bring
+ up the domain logon screen. Log in using valid credentials for a domain user account.
+ </p></li><li><p>
+ Now proceed to connect to the domain controller as follows:
+ <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">(right-click) My Network Places</span> &#8594; <span class="guimenuitem">Explore</span> &#8594; <span class="guimenuitem">{Left Panel} [+] Entire Network</span> &#8594; <span class="guimenuitem">{Left Panel} [+] Microsoft Windows Network</span> &#8594; <span class="guimenuitem">{Left Panel} [+] Midearth</span> &#8594; <span class="guimenuitem">{Left Panel} [+] Frodo</span> &#8594; <span class="guimenuitem">{Left Panel} [+] data</span>. Close the explorer window.
+ </p><p>
+ In this step, our domain name is <code class="constant">Midearth</code>, the domain controller is called
+ <code class="constant">Frodo</code>, and we have connected to a share called <code class="constant">data</code>.
+ </p></li><li><p>
+ Stop the capture on the <code class="literal">ethereal</code> monitoring machine. Be sure to save the captured data
+ to a file so that you can refer to it again later.
+ </p></li><li><p>
+ If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises
+ in this chapter.
+ </p></li><li><p>
+ <a class="indexterm" name="id388290"></a>
+ <a class="indexterm" name="id388296"></a>
+ From the top of the packets captured, scan down to locate the first packet that has
+ interpreted as <code class="constant">Session Setup AndX Request, NTLMSSP_AUTH</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id388315"></a>
+ <a class="indexterm" name="id388322"></a>
+ <a class="indexterm" name="id388328"></a>
+ In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request</code>.
+ Expand the packet decode information, beginning at the <code class="constant">Security Blob:</code>
+ entry. Expand the <code class="constant">GSS-API -&gt; SPNEGO -&gt; netTokenTarg -&gt; responseToken -&gt; NTLMSSP</code>
+ keys. This should reveal that this is a <code class="constant">NULL</code> session setup packet.
+ The <code class="constant">User name: NULL</code> so indicates. An example decode is shown in
+ <a href="primer.html#XPCap01" title="Figure 16.6. Typical Windows XP NULL Session Setup AndX Request">???</a>.
+ </p></li><li><p>
+ Return to the packet capture sequence. There will be a number of packets that have been
+ decoded of the type <code class="constant">Session Setup AndX Request</code>. Click the last such packet that
+ has been decoded as <code class="constant">Session Setup AndX Request, NTLMSSP_AUTH</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id388386"></a>
+ In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request</code>.
+ Expand the packet decode information, beginning at the <code class="constant">Security Blob:</code>
+ entry. Expand the <code class="constant">GSS-API -&gt; SPNEGO -&gt; netTokenTarg -&gt; responseToken -&gt; NTLMSSP</code>
+ keys. This should reveal that this is a <code class="constant">User Mode</code> session setup packet.
+ The <code class="constant">User name: jht</code> so indicates. An example decode is shown in
+ <a href="primer.html#XPCap02" title="Figure 16.7. Typical Windows XP User Session Setup AndX Request">???</a>. In this case the user name was <code class="constant">jht</code>. This packet
+ decode includes the <code class="constant">Lan Manager Response:</code> and the <code class="constant">NTLM Response:</code>.
+ The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan
+ password and then the NT (case-preserving) password hash.
+ </p></li><li><p>
+ <a class="indexterm" name="id388440"></a>
+ <a class="indexterm" name="id388447"></a>
+ The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode
+ session setup packet.
+ </p></li></ol></div><div class="figure"><a name="XPCap01"></a><p class="title"><b>Figure 16.6. Typical Windows XP NULL Session Setup AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WindowsXP-NullConnection.png" width="270" alt="Typical Windows XP NULL Session Setup AndX Request"></div></div></div><br class="figure-break"><div class="figure"><a name="XPCap02"></a><p class="title"><b>Figure 16.7. Typical Windows XP User Session Setup AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WindowsXP-UserConnection.png" width="270" alt="Typical Windows XP User Session Setup AndX Request"></div></div></div><br class="figure-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id388539"></a>Discussion</h4></div></div></div><p><a class="indexterm" name="id388546"></a>
+ This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled
+ in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles
+ remain the same. Thus it is demonstrated that MS Windows XP Professional clients still use a
+ <code class="constant">NULL-Session</code> connection to query and locate resources on an advanced network
+ technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated
+ connection must be made before resources can be used.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id388566"></a>Conclusions to Exercises</h3></div></div></div><p>
+ In summary, the following points have been established in this chapter:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services.
+ </p></li><li><p>
+ Network browsing protocols query information stored on browse masters that manage
+ information provided by NetBIOS Name Registrations and by way of ongoing host
+ announcements and workgroup announcements.
+ </p></li><li><p>
+ All Samba servers must be configured with a mechanism for mapping the <code class="constant">NULL-Session</code>
+ to a valid but nonprivileged UNIX system account.
+ </p></li><li><p>
+ The use of Microsoft encrypted passwords is built right into the fabric of Windows
+ networking operations. Such passwords cannot be provided from the UNIX <code class="filename">/etc/passwd</code>
+ database and thus must be stored elsewhere on the UNIX system in a manner that Samba can
+ use. Samba-2.x permitted such encrypted passwords to be stored in the <code class="constant">smbpasswd</code>
+ file or in an LDAP database. Samba-3 permits use of multiple <em class="parameter"><code>passdb backend</code></em>
+ databases in concurrent deployment. Refer to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 10, &#8220;<span class="quote">Account Information Databases.</span>&#8221;
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="chap01conc"></a>Dissection and Discussion</h2></div></div></div><p>
+ <a class="indexterm" name="id388644"></a>
+ The exercises demonstrate the use of the <code class="constant">guest</code> account, the way that
+ MS Windows clients and servers resolve computer names to a TCP/IP address, and how connections
+ between a client and a server are established.
+ </p><p>
+ Those wishing background information regarding NetBIOS name types should refer to
+ the Microsoft knowledgebase article
+ <a href="http://support.microsoft.com/support/kb/articles/Q102/78/8.asp" target="_top">Q102878.</a>
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id388668"></a>Technical Issues</h3></div></div></div><p>
+ <a class="indexterm" name="id388676"></a>
+ Network browsing involves SMB broadcast announcements, SMB enumeration requests,
+ connections to the <code class="constant">IPC$</code> share, share enumerations, and SMB connection
+ setup processes. The use of anonymous connections to a Samba server involve the use of
+ the <em class="parameter"><code>guest account</code></em> that must map to a valid UNIX UID.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="chap01qa"></a>Questions and Answers</h2></div></div></div><p>
+ The questions and answers given in this section are designed to highlight important aspects of Microsoft
+ Windows networking.
+ </p><div class="qandaset"><dl><dt> <a href="primer.html#id388717">
+ What is the significance of the MIDEARTH&lt;1b&gt; type query?
+ </a></dt><dt> <a href="primer.html#id388760">
+ What is the significance of the MIDEARTH&lt;1d&gt; type name registration?
+ </a></dt><dt> <a href="primer.html#id388826">
+ What is the role and significance of the &lt;01&gt;&lt;02&gt;__MSBROWSE__&lt;02&gt;&lt;01&gt;
+ name registration?
+ </a></dt><dt> <a href="primer.html#id388854">
+ What is the significance of the MIDEARTH&lt;1e&gt; type name registration?
+ </a></dt><dt> <a href="primer.html#id388881">
+
+ What is the significance of the guest account in smb.conf?
+ </a></dt><dt> <a href="primer.html#id388948">
+ Is it possible to reduce network broadcast activity with Samba-3?
+ </a></dt><dt> <a href="primer.html#id389046">
+ Can I just use plain-text passwords with Samba?
+ </a></dt><dt> <a href="primer.html#id389122">
+ What parameter in the smb.conf file is used to enable the use of encrypted passwords?
+ </a></dt><dt> <a href="primer.html#id389161">
+ Is it necessary to specify encrypt passwords = Yes
+ when Samba-3 is configured as a domain member?
+ </a></dt><dt> <a href="primer.html#id389185">
+ Is it necessary to specify a guest account when Samba-3 is configured
+ as a domain member server?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id388717"></a><a name="id388720"></a></td><td align="left" valign="top"><p>
+ What is the significance of the MIDEARTH&lt;1b&gt; type query?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id388731"></a>
+ <a class="indexterm" name="id388740"></a>
+ This is a broadcast announcement by which the Windows machine is attempting to
+ locate a Domain Master Browser (DMB) in the event that it might exist on the network.
+ Refer to <span class="emphasis"><em>TOSHARG2,</em></span> Chapter 9, Section 9.7, &#8220;<span class="quote">Technical Overview of Browsing,</span>&#8221;
+ for details regarding the function of the DMB and its role in network browsing.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id388760"></a><a name="id388762"></a></td><td align="left" valign="top"><p>
+ What is the significance of the MIDEARTH&lt;1d&gt; type name registration?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id388773"></a>
+ <a class="indexterm" name="id388782"></a>
+ This name registration records the machine IP addresses of the LMBs.
+ Network clients can query this name type to obtain a list of browser servers from the
+ master browser.
+ </p><p>
+ The LMB is responsible for monitoring all host announcements on the local network and for
+ collating the information contained within them. Using this information, it can provide answers to other Windows
+ network clients that request information such as:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ The list of machines known to the LMB (i.e., the browse list)
+ </p></li><li><p>
+ The IP addresses of all domain controllers known for the domain
+ </p></li><li><p>
+ The IP addresses of LMBs
+ </p></li><li><p>
+ The IP address of the DMB (if one exists)
+ </p></li><li><p>
+ The IP address of the LMB on the local segment
+ </p></li></ul></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id388826"></a><a name="id388829"></a></td><td align="left" valign="top"><p>
+ What is the role and significance of the &lt;01&gt;&lt;02&gt;__MSBROWSE__&lt;02&gt;&lt;01&gt;
+ name registration?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id388842"></a>
+ This name is registered by the browse master to broadcast and receive domain announcements.
+ Its scope is limited to the local network segment, or subnet. By querying this name type,
+ master browsers on networks that have multiple domains can find the names of master browsers
+ for each domain.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id388854"></a><a name="id388856"></a></td><td align="left" valign="top"><p>
+ What is the significance of the MIDEARTH&lt;1e&gt; type name registration?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id388868"></a>
+ This name is registered by all browse masters in a domain or workgroup. The registration
+ name type is known as the Browser Election Service. Master browsers register themselves
+ with this name type so that DMBs can locate them to perform cross-subnet
+ browse list updates. This name type is also used to initiate elections for Master Browsers.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id388881"></a><a name="id388883"></a></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id388888"></a>
+ What is the significance of the <em class="parameter"><code>guest account</code></em> in smb.conf?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ This parameter specifies the default UNIX account to which MS Windows networking
+ NULL session connections are mapped. The default name for the UNIX account used for
+ this mapping is called <code class="constant">nobody</code>. If the UNIX/Linux system that
+ is hosting Samba does not have a <code class="constant">nobody</code> account and an alternate
+ mapping has not been specified, network browsing will not work at all.
+ </p><p>
+ It should be noted that the <em class="parameter"><code>guest account</code></em> is essential to
+ Samba operation. Either the operating system must have an account called <code class="constant">nobody</code>
+ or there must be an entry in the <code class="filename">smb.conf</code> file with a valid UNIX account, such as
+ <a class="indexterm" name="id388938"></a>guest account = ftp.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id388948"></a><a name="id388950"></a></td><td align="left" valign="top"><p>
+ Is it possible to reduce network broadcast activity with Samba-3?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id388962"></a>
+ <a class="indexterm" name="id388968"></a>
+ Yes, there are two ways to do this. The first involves use of WINS (See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9,
+ Section 9.5, &#8220;<span class="quote">WINS The Windows Inter-networking Name Server</span>&#8221;); the
+ alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires
+ a correctly configured DNS server (see <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9, Section 9.3, &#8220;<span class="quote">Discussion</span>&#8221;).
+ </p><p>
+ <a class="indexterm" name="id388998"></a>
+ <a class="indexterm" name="id389005"></a>
+ <a class="indexterm" name="id389014"></a>
+ The use of WINS reduces network broadcast traffic. The reduction is greatest when all network
+ clients are configured to operate in <em class="parameter"><code>Hybrid Mode</code></em>. This can be effected through
+ use of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is
+ beneficial to configure Samba to use <a class="indexterm" name="id389030"></a>name resolve order = wins host cast.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ Use of SMB without NetBIOS is possible only on Windows 200x/XP Professional clients and servers, as
+ well as with Samba-3.
+ </p></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id389046"></a><a name="id389048"></a></td><td align="left" valign="top"><p>
+ Can I just use plain-text passwords with Samba?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Yes, you can configure Samba to use plain-text passwords, though this does create a few problems.
+ </p><p>
+ First, the use of <code class="filename">/etc/passwd</code>-based plain-text passwords requires that registry
+ modifications be made on all MS Windows client machines to enable plain-text passwords support. This
+ significantly diminishes the security of MS Windows client operation. Many network administrators
+ are bitterly opposed to doing this.
+ </p><p>
+ Second, Microsoft has not maintained plain-text password support since the default setting was made
+ disabling this. When network connections are dropped by the client, it is not possible to re-establish
+ the connection automatically. Users need to log off and then log on again. Plain-text password support
+ may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing
+ environment.
+ </p><p>
+ Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling.
+ Just create user accounts by running <code class="literal">smbpasswd -a 'username'</code>
+ </p><p>
+ It is not possible to add a user to the <em class="parameter"><code>passdb backend</code></em> database unless there is
+ a UNIX system account for that user. On systems that run <code class="literal">winbindd</code> to access the Samba
+ PDC/BDC to provide Windows user and group accounts, the <em class="parameter"><code>idmap uid, idmap gid</code></em> ranges
+ set in the <code class="filename">smb.conf</code> file provide the local UID/GIDs needed for local identity management purposes.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id389122"></a><a name="id389124"></a></td><td align="left" valign="top"><p>
+ What parameter in the <code class="filename">smb.conf</code> file is used to enable the use of encrypted passwords?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The parameter in the <code class="filename">smb.conf</code> file that controls this behavior is known as <em class="parameter"><code>encrypt
+ passwords</code></em>. The default setting for this in Samba-3 is <code class="constant">Yes (Enabled)</code>.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id389161"></a><a name="id389163"></a></td><td align="left" valign="top"><p>
+ Is it necessary to specify <a class="indexterm" name="id389168"></a>encrypt passwords = Yes
+ when Samba-3 is configured as a domain member?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ No. This is the default behavior.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id389185"></a><a name="id389188"></a></td><td align="left" valign="top"><p>
+ Is it necessary to specify a <em class="parameter"><code>guest account</code></em> when Samba-3 is configured
+ as a domain member server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Yes. This is a local function on the server. The default setting is to use the UNIX account
+ <code class="constant">nobody</code>. If this account does not exist on the UNIX server, then it is
+ necessary to provide a <a class="indexterm" name="id389210"></a>guest account = an_account,
+ where <code class="constant">an_account</code> is a valid local UNIX user account.
+ </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id387819" href="#id387819">15</a>] </sup>TOSHARG2, Sect 4.5.1</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="appendix.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="gpl.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. A Collection of Useful Tidbits </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Appendix A. GNU General Public License</td></tr></table></div></body></html>
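Review bot: The two guest-account answers in this hunk (the paragraph ending `guest account = ftp` and the final answer `guest account = an_account, where an_account is a valid local UNIX user account`) describe the account only as "valid"; since the same hunk states this is the UNIX account to which NULL-session (anonymous) connections are mapped, the text should say it must be an unprivileged account that owns no data and has no login shell, and `ftp` is a poor illustration because it reuses a service account that exists for another daemon. Suggest keeping `nobody` as the worked example and adding one sentence on why a dedicated, unprivileged account matters. Minor style point in the plain-text password answer: the sentence `Just create user accounts by running smbpasswd -a 'username'` has no terminating period, and the literal single quotes around `username` will be copied verbatim by readers; `smbpasswd -a username` (with `username` marked as a placeholder) reads cleaner.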
diff --git a/docs/htmldocs/Samba3-ByExample/samba.css b/docs/htmldocs/Samba3-ByExample/samba.css
new file mode 100644
index 0000000000..3d926e8e74
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/samba.css
@@ -0,0 +1,80 @@
+BODY {
+ font-family: helvetica, arial, lucida sans, sans-serif;
+ background-color: white;
+}
+
+H1, H2, H3 {
+ color: blue;
+ font-size: 120%;
+ padding: 2px;
+ margin-top: 0px;
+}
+
+H1 {
+ background-color: #EEEEFF;
+ color: blue;
+}
+
+H2 {
+ background-color: #DDDDFF;
+ color: blue;
+}
+
+H3 {
+ background-color: #CCCCFF;
+ color: blue;
+}
+
+H4 {
+ color: blue;
+}
+
+TR.qandadiv TD {
+ padding-top: 1em;
+}
+
+DIV.navhead {
+ font-size: 80%;
+}
+
+A:link {
+ color: #36F;
+}
+
+A:visited {
+ color: #96C;
+}
+
+A:active {
+ color: #F63;
+}
+
+TR.question {
+ color: #33C;
+ font-weight: bold;
+}
+
+TR.question TD {
+ padding-top: 1em;
+}
+
+DIV.variablelist {
+ padding-left: 2em;
+ color: #33C;
+}
+
+P {
+ color: black;
+}
+
+DIV.note, DIV.warning, DIV.caution, DIV.tip, DIV.important {
+ border: dashed 1px;
+ background-color: #EEEEFF;
+ width: 40em;
+}
+
+PRE.programlisting, PRE.screen {
+ border: #630 1px dashed;
+ color: #630;
+}
+
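Review bot: The per-level rules `H1 { ... color: blue; }`, `H2 { ... color: blue; }` and `H3 { ... color: blue; }` each repeat the `color: blue;` declaration already set by the combined `H1, H2, H3` rule at the top of the file; dropping the three duplicates leaves only the background colours, which are the actual per-level difference. Two smaller points: the combined rule's `font-size: 120%` makes all three heading levels render at the same size, so only the background shade distinguishes them, and the file ends with an empty `+` line that should be removed.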
diff --git a/docs/htmldocs/Samba3-ByExample/secure.html b/docs/htmldocs/Samba3-ByExample/secure.html
new file mode 100644
index 0000000000..2d4efce40d
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/secure.html
@@ -0,0 +1,1859 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Secure Office Networking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="small.html" title="Chapter 2. Small Office Networking"><link rel="next" href="Big500users.html" title="Chapter 4. The 500-User Office"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Secure Office Networking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="small.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="Big500users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="secure"></a>Chapter 3. 
Secure Office Networking</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="secure.html#id324364">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id324404">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id324626">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id324638">Technical Issues</a></span></dt><dt><span class="sect2"><a href="secure.html#id325007">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id325041">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#ch4bsc">Basic System Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id325866">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4ptrcfg">Printer Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4valid">Validation</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4appscfg">Application Share Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id330151">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id330204">Questions and Answers</a></span></dt></dl></div><p>
+ Congratulations, your Samba networking skills are developing nicely. You started out
+ with three simple networks in <a href="simple.html" title="Chapter 1. No-Frills Samba Servers">???</a>, and then in <a href="small.html" title="Chapter 2. Small Office Networking">???</a>
+ you designed and built a network that provides a high degree of flexibility, integrity,
+ and dependability. It was enough for the basic needs each was designed to fulfill. In
+ this chapter you address a more complex set of needs. The solution you explore
+ introduces you to basic features that are specific to Samba-3.
+ </p><p>
+ You should note that a working and secure solution could be implemented using Samba-2.2.x.
+ In the exercises presented here, you are gradually using more Samba-3-specific features,
+ so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given.
+ To avoid confusion, this book is all about Samba-3. Let's get the exercises in this
+ chapter underway.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id324364"></a>Introduction</h2></div></div></div><p>
+ You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work
+ well done. It is one year since the last network upgrade. You have been quite busy.
+ Two months ago Mr. Meany gave approval to hire Christine Roberson, who has taken over
+ general network management. Soon she will provide primary user support. You have
+ demonstrated that you can delegate responsibility and can plan and execute according
+ to that plan. Above all, you have shown Mr. Meany that you are a responsible person.
+ Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never
+ expected: You are going to take charge of business operations. Mr. Meany
+ is retiring and has entrusted the business to your capable hands.
+ </p><p>
+ Mr. Meany may be retiring from this company, but not from work. He is taking the
+ opportunity to develop Abmas Accounting into a larger and more substantial company.
+ He says that it took him many years to learn that there is no future in just running
+ a business. He now realizes there is great personal satisfaction in the creation of
+ career opportunities for people in the local community. He wants to do more for others,
+ as he is doing for you. Today he spent a lot of time talking about his grand plan
+ for growth, which you will deal with in the chapters ahead.
+ </p><p>
+ Over the past year, the growth projections were exceeded. The network has grown to
+ meet the needs of 130 users. Along with growth, the demand for improved services
+ and better functionality has also developed. You are about to make an interim
+ improvement and then hand over all Help desk and network maintenance to Christine.
+ Christine has professional certifications in Microsoft Windows as well as in Linux;
+ she is a hard worker and quite likable. Christine does not want to manage the department
+ (although she manages well). She gains job satisfaction when left to sort things out.
+ Occasionally she wants to work with you on a challenging problem. When you told her
+ about your move, she almost resigned, although she was reassured that a new manager would
+ be hired to run Information Technology, and she would be responsible only for operations.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id324404"></a>Assignment Tasks</h3></div></div></div><p>
+ You promised the staff Internet services including Web browsing, electronic mail, virus
+ protection, and a company Web site. Christine is eager to help turn the vision into
+ reality. Let's see how close you can get to the promises made.
+ </p><p>
+ The network you are about to deliver will service 130 users today. Within a year,
+ Abmas will aquire another company. Mr. Meany claims that within 2 years there will be
+ well over 500 users on the network. You have bought into the big picture, so prepare
+ for growth. You have purchased a new server and will implement a new network infrastructure.
+ </p><p>
+ You have decided to not recycle old network components. The only items that will be
+ carried forward are notebook computers. You offered staff new notebooks, but not
+ one person wanted the disruption for what was perceived as a marginal update.
+ You decided to give everyone, even the notebook user, a new desktop computer.
+ </p><p>
+ You procured a DSL Internet connection that provides 1.5 Mb/sec (bidirectional)
+ and a 10 Mb/sec ethernet port. You registered the domain
+ <code class="constant">abmas.us</code>, and the Internet Service Provider (ISP) is supplying
+ secondary DNS. Information furnished by your ISP is shown in <a href="secure.html#chap4netid" title="Table 3.1. Abmas.US ISP Information">???</a>.
+ </p><p>
+ It is of paramount priority that under no circumstances will Samba offer
+ service access from an Internet connection. You are paying an ISP to
+ give, as part of its value-added services, full firewall protection for your
+ connection to the outside world. The only services allowed in from
+ the Internet side are the following destination ports: <code class="constant">http/https (ports
+ 80 and 443), email (port 25), DNS (port 53)</code>. All Internet traffic
+ will be allowed out after network address translation (NAT). No internal IP addresses
+ are permitted through the NAT filter because complete privacy of internal network
+ operations must be assured.
+ </p><div class="table"><a name="chap4netid"></a><p class="title"><b>Table 3.1. Abmas.US ISP Information</b></p><div class="table-contents"><table summary="Abmas.US ISP Information" border="1"><colgroup><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Parameter</th><th align="center">Value</th></tr></thead><tbody><tr><td align="left">Server IP Address</td><td align="center">123.45.67.66</td></tr><tr><td align="left">DSL Device IP Address</td><td align="center">123.45.67.65</td></tr><tr><td align="left">Network Address</td><td align="center">123.45.67.64/30</td></tr><tr><td align="left">Gateway Address</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Primary DNS Server</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Secondary DNS Server</td><td align="center">123.45.54.32</td></tr><tr><td align="left">Forwarding DNS Server</td><td align="center">123.45.12.23</td></tr></tbody></table></div></div><br class="table-break"><div class="figure"><a name="ch04net"></a><p class="title"><b>Figure 3.1. Abmas Network Topology 130 Users</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap4-net.png" width="351" alt="Abmas Network Topology 130 Users"></div></div></div><br class="figure-break"><p>
+ Christine recommended that desktop systems should be installed from a single cloned
+ master system that has a minimum of locally installed software and loads all software
+ off a central application server. The benefit of having the central application server
+ is that it allows single-point maintenance of all business applications, a more
+ efficient way to manage software. She further recommended installation of antivirus
+ software on workstations as well as on the Samba server. Christine knows the dangers
+ of potential virus infection and insists on a comprehensive approach to detective
+ as well as corrective action to protect network operations.
+ </p><p>
+ A significant concern is the problem of managing company growth. Recently, a number
+ of users had to share a PC while waiting for new machines to arrive. This presented
+ some problems with desktop computers and software installation into the new users'
+ desktop profiles.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id324626"></a>Dissection and Discussion</h2></div></div></div><p>
+ Many of the conclusions you draw here are obvious. Some requirements are not very clear
+ or may simply be your means of drawing the most out of Samba-3. Much can be done more simply
+ than you will demonstrate here, but keep in mind that the network must scale to at least 500
+ users. This means that some functionality will be overdesigned for the current 130-user
+ environment.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id324638"></a>Technical Issues</h3></div></div></div><p>
+ In this exercise we use a 24-bit subnet mask for the two local networks. This,
+ of course, limits our network to a maximum of 253 usable IP addresses. The network
+ address range chosen is one assigned by RFC1918 for private networks.
+ When the number of users on the network begins to approach the limit of usable
+ addresses, it is a good idea to switch to a network address specified in RFC1918
+ in the 172.16.0.0/16 range. This is done in subsequent chapters.
+ </p><p>
+ <a class="indexterm" name="id324653"></a>
+ <a class="indexterm" name="id324660"></a>
+ The high growth rates projected are a good reason to use the <code class="constant">tdbsam</code>
+ passdb backend. The use of <code class="constant">smbpasswd</code> for the backend may result in
+ performance problems. The <code class="constant">tdbsam</code> passdb backend offers features that
+ are not available with the older, flat ASCII-based <code class="constant">smbpasswd</code> database.
+ </p><p>
+ <a class="indexterm" name="id324687"></a>
+ The proposed network design uses a single server to act as an Internet services host for
+ electronic mail, Web serving, remote administrative access via SSH,
+ Samba-based file and print services. This design is often chosen by sites that feel
+ they cannot afford or justify the cost or overhead of having separate servers. It must
+ be realized that if security of this type of server should ever be violated (compromised),
+ the whole network and all data is at risk. Many sites continue to choose this type
+ of solution; therefore, this chapter provides detailed coverage of key implementation
+ aspects.
+ </p><p>
+ Samba will be configured to specifically not operate on the Ethernet interface that is
+ directly connected to the Internet.
+ </p><p>
+ <a class="indexterm" name="id324707"></a>
+ <a class="indexterm" name="id324714"></a>
+ <a class="indexterm" name="id324720"></a>
+ <a class="indexterm" name="id324729"></a>
+ You know that your ISP is providing full firewall services, but you cannot rely on that.
+ Always assume that human error will occur, so be prepared by using Linux firewall facilities
+ based on <code class="literal">iptables</code> to effect NAT. Block all
+ incoming traffic except to permitted well-known ports. You must also allow incoming packets
+ to establish outgoing connections. You will permit all internal outgoing requests.
+ </p><p>
+ The configuration of Web serving, Web proxy services, electronic mail, and the details of
+ generic antivirus handling are beyond the scope of this book and therefore are not
+ covered except insofar as this affects Samba-3.
+ </p><p>
+ <a class="indexterm" name="id324754"></a>
+ Notebook computers are configured to use a network login when in the office and a
+ local account to log in while away from the office. Users store all work done in
+ transit (away from the office) by using a local share for work files. Standard procedures
+ dictate that on completion of the work that necessitates mobile file access, all
+ work files are moved back to secure storage on the office server. Staff is instructed
+ to not carry on any company notebook computer any files that are not absolutely required.
+ This is a preventative measure to protect client information as well as private business
+ records.
+ </p><p>
+ <a class="indexterm" name="id324769"></a>
+ All applications are served from the central server from a share called <code class="constant">apps</code>.
+ Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network
+ (or administrative) installation. Accounting and financial management software can also
+ be run only from the central application server. Notebook users are provided with
+ locally installed applications on a need-to-have basis only.
+ </p><p>
+ <a class="indexterm" name="id324786"></a>
+ The introduction of roaming profiles support means that users can move between
+ desktop computer systems without constraint while retaining full access to their data.
+ The desktop travels with them as they move.
+ </p><p>
+ <a class="indexterm" name="id324798"></a>
+ The DNS server implementation must now address both internal and external
+ needs. You forward DNS lookups to your ISP-provided server as well as the
+ <code class="constant">abmas.us</code> external secondary DNS server.
+ </p><p>
+ <a class="indexterm" name="id324813"></a>
+ <a class="indexterm" name="id324820"></a>
+ <a class="indexterm" name="id324829"></a>
+ Compared with the DHCP server configuration in <a href="small.html" title="Chapter 2. Small Office Networking">???</a>, <a href="small.html#dhcp01" title="Example 2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf">???</a>, the
+ configuration used in this example has to deal with the presence of an Internet connection.
+ The scope set for it ensures that no DHCP services will be offered on the external
+ connection. All printers are configured as DHCP clients so that the DHCP server assigns
+ the printer a fixed IP address by way of the Ethernet interface (MAC) address. One additional
+ feature of this DHCP server configuration file is the inclusion of parameters to allow dynamic
+ DNS (DDNS) operation.
+ </p><p>
+ This is the first implementation that depends on a correctly functioning DNS server.
+ Comprehensive steps are included to provide for a fully functioning DNS server that also
+ is enabled for DDNS operation. This means that DHCP clients can be autoregistered
+ with the DNS server.
+ </p><p>
+ You are taking the opportunity to manually set the netbios name of the Samba server to
+ a name other than what will be automatically resolved. You are doing this to ensure that
+ the machine has the same NetBIOS name on both network segments.
+ </p><p>
+ As in the previous network configuration, printing in this network configuration uses
+ direct raw printing (i.e., no smart printing and no print driver autodownload to Windows
+ clients). Printer drivers are installed on the Windows client manually. This is not
+ a problem because Christine is to install and configure one single workstation and
+ then clone that configuration, using Norton Ghost, to all workstations. Each machine is
+ identical, so this should pose no problem.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324872"></a>Hardware Requirements</h4></div></div></div><p>
+ <a class="indexterm" name="id324879"></a>
+ This server runs a considerable number of services. From similarly configured Linux
+ installations, the approximate calculated memory requirements are as shown in
+ <a href="secure.html#ch4memoryest" title="Example 3.1. Estimation of Memory Requirements">???</a>.
+
+</p><div class="example"><a name="ch4memoryest"></a><p class="title"><b>Example 3.1. Estimation of Memory Requirements</b></p><div class="example-contents"><pre class="screen">
+Application Memory per User 130 Users 500 Users
+ Name (MBytes) Total MBytes Total MBytes
+----------- --------------- ------------ ------------
+DHCP 2.5 3 3
+DNS 16.0 16 16
+Samba (nmbd) 16.0 16 16
+Samba (winbind) 16.0 16 16
+Samba (smbd) 4.0 520 2000
+Apache 10.0 (20 User) 200 200
+CUPS 3.5 16 32
+Basic OS 256.0 256 256
+ -------------- --------------
+ Total: 1043 MBytes 2539 MBytes
+ -------------- --------------
+</pre></div></div><p><br class="example-break">
+ You should add a safety margin of at least 50% to these estimates. The minimum
+ system memory recommended for initial startup 1 GB, but to permit the system
+ to scale to 500 users, it makes sense to provision the machine with 4 GB memory.
+ An initial configuration with only 1 GB memory would lead to early performance complaints
+ as the system load builds up. Given the low cost of memory, it does not make sense to
+ compromise in this area.
+ </p><p>
+ <a class="indexterm" name="id324923"></a>
+ Aggregate input/output loads should be considered for sizing network configuration as
+ well as disk subsystems. For network bandwidth calculations, one would typically use an
+ estimate of 0.1 MB/sec per user. This suggests that 100-Base-T (approx. 10 MB/sec)
+ would deliver below acceptable capacity for the initial user load. It is therefore a good
+ idea to begin with 1 Gb Ethernet cards for the two internal networks, each attached
+ to a 1 Gb Ethernet switch that provides connectivity to an expandable array of 100-Base-T
+ switched ports.
+ </p><p>
+ <a class="indexterm" name="id324942"></a>
+ <a class="indexterm" name="id324949"></a>
+ Considering the choice of 1 Gb Ethernet interfaces for the two local network segments,
+ the aggregate network I/O capacity will be 2100 Mb/sec (about 230 MB/sec), an I/O
+ demand that would require a fast disk storage I/O capability. Peak disk throughput is
+ limited by the disk subsystem chosen. It is desirable to provide the maximum
+ I/O bandwidth affordable. If a low-cost solution must be chosen,
+ 3Ware IDE RAID Controllers are a good choice. These controllers can be fitted into a
+ 64-bit, 66 MHz PCI-X slot. They appear to the operating system as a high-speed SCSI
+ controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MB/sec).
+ Alternative SCSI-based hardware RAID controllers should also be considered. Alternately,
+ it makes sense to purchase well-known, branded hardware that has appropriate performance
+ specifications. As a minimum, one should attempt to provide a disk subsystem that can
+ deliver I/O rates of at least 100 MB/sec.
+ </p><p>
+ Disk storage requirements may be calculated as shown in <a href="secure.html#ch4diskest" title="Example 3.2. Estimation of Disk Storage Requirements">???</a>.
+
+</p><div class="example"><a name="ch4diskest"></a><p class="title"><b>Example 3.2. Estimation of Disk Storage Requirements</b></p><div class="example-contents"><pre class="screen">
+Corporate Data: 100 MBytes/user per year
+Email Storage: 500 MBytes/user per year
+Applications: 5000 MBytes
+Safety Buffer: At least 50%
+
+Given 500 Users and 2 years:
+-----------------------------
+ Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes
+ Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes
+ Applications: 5000 MBytes = 5 GBytes
+ ----------------------------
+ Total: 605 GBytes
+ Add 50% buffer 303 GBytes
+ Recommended Storage: 908 GBytes
+</pre></div></div><p><br class="example-break">
+ <a class="indexterm" name="id324995"></a>
+ The preferred storage capacity should be approximately 1 Terabyte. Use of RAID level 5
+ with two hot spare drives would require an 8-drive by 200 GB capacity per drive array.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id325007"></a>Political Issues</h3></div></div></div><p>
+ Your industry is coming under increasing accountability pressures. Increased paranoia
+ is necessary so you can demonstrate that you have acted with due diligence. You must
+ not trust your Internet connection.
+ </p><p>
+ Apart from permitting more efficient management of business applications through use of
+ an application server, your primary reason for the decision to implement this is that it
+ gives you greater control over software licensing.
+ </p><p>
+ <a class="indexterm" name="id325025"></a>
+ You are well aware that the current configuration results in some performance issues
+ as the size of the desktop profile grows. Given that users use Microsoft Outlook
+ Express, you know that the storage implications of the <code class="constant">.PST</code> file
+ is something that needs to be addressed later.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id325041"></a>Implementation</h2></div></div></div><p>
+ <a href="secure.html#ch04net" title="Figure 3.1. Abmas Network Topology 130 Users">???</a> demonstrates the overall design of the network that you will implement.
+ </p><p>
+ The information presented here assumes that you are already familiar with many basic steps.
+ As this stands, the details provided already extend well beyond just the necessities of
+ Samba configuration. This decision is deliberate to ensure that key determinants
+ of a successful installation are not overlooked. This is the last case that documents
+ the finite minutiae of DHCP and DNS server configuration. Beyond the information provided
+ here, there are many other good reference books on these subjects.
+ </p><p>
+ The <code class="filename">smb.conf</code> file has the following noteworthy features:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ The NetBIOS name of the Samba server is set to <code class="constant">DIAMOND</code>.
+ </p></li><li><p>
+ The Domain name is set to <code class="constant">PROMISES</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id325100"></a>
+ <a class="indexterm" name="id325107"></a>
+ <a class="indexterm" name="id325114"></a>
+ Ethernet interface <code class="constant">eth0</code> is attached to the Internet connection
+ and is externally exposed. This interface is explicitly not available for Samba to use.
+ Samba listens on this interface for broadcast messages but does not broadcast any
+ information on <code class="constant">eth0</code>, nor does it accept any connections from it.
+ This is achieved by way of the <em class="parameter"><code>interfaces</code></em> parameter and the
+ <em class="parameter"><code>bind interfaces only</code></em> entry.
+ </p></li><li><p>
+ <a class="indexterm" name="id325147"></a>
+ <a class="indexterm" name="id325154"></a>
+ <a class="indexterm" name="id325161"></a>
+ The <em class="parameter"><code>passdb backend</code></em> parameter specifies the creation and use
+ of the <code class="constant">tdbsam</code> password backend. This is a binary database that
+ has excellent scalability for a large number of user account entries.
+ </p></li><li><p>
+ <a class="indexterm" name="id325183"></a>
+ <a class="indexterm" name="id325190"></a>
+ <a class="indexterm" name="id325196"></a>
+ WINS serving is enabled by the <a class="indexterm" name="id325204"></a>wins support = Yes,
+ and name resolution is set to use it by means of the
+ <a class="indexterm" name="id325211"></a>name resolve order = wins bcast hosts entry.
+ </p></li><li><p>
+ <a class="indexterm" name="id325223"></a>
+ The Samba server is configured for use by Windows clients as a time server.
+ </p></li><li><p>
+ <a class="indexterm" name="id325235"></a>
+ <a class="indexterm" name="id325242"></a>
+ <a class="indexterm" name="id325248"></a>
+ Samba is configured to directly interface with CUPS via the direct internal interface
+ that is provided by CUPS libraries. This is achieved with the
+ <a class="indexterm" name="id325257"></a>printing = CUPS as well as the
+ <a class="indexterm" name="id325264"></a>printcap name = CUPS entries.
+ </p></li><li><p>
+ <a class="indexterm" name="id325275"></a>
+ <a class="indexterm" name="id325282"></a>
+ <a class="indexterm" name="id325289"></a>
+ External interface scripts are provided to enable Samba to interface smoothly to
+ essential operating system functions for user and group management. This is important
+ to enable workstations to join the Domain and is also important so that you can use
+ the Windows NT4 Domain User Manager as well as the Domain Server Manager. These tools
+ are provided as part of the <code class="filename">SRVTOOLS.EXE</code> toolkit that can be
+ downloaded from the Microsoft FTP
+ <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">site</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id325316"></a>
+ The <code class="filename">smb.conf</code> file specifies that the Samba server will operate in (default) <em class="parameter"><code>
+ security = user</code></em> mode<sup>[<a name="id325335" href="#ftn.id325335">5</a>]</sup>
+ (User Mode).
+ </p></li><li><p>
+ <a class="indexterm" name="id325353"></a>
+ <a class="indexterm" name="id325360"></a>
+ Domain logon services as well as a Domain logon script are specified. The logon script
+ will be used to add robustness to the overall network configuration.
+ </p></li><li><p>
+ <a class="indexterm" name="id325372"></a>
+ <a class="indexterm" name="id325379"></a>
+ <a class="indexterm" name="id325386"></a>
+ Roaming profiles are enabled through the specification of the parameter,
+ <a class="indexterm" name="id325393"></a>logon path = \\%L\profiles\%U. The value of this parameter translates the
+ <code class="constant">%L</code> to the name by which the Samba server is called by the client (for this
+ configuration, it translates to the name <code class="constant">DIAMOND</code>), and the <code class="constant">%U</code>
+ will translate to the name of the user within the context of the connection made to the profile share.
+ It is the administrator's responsibility to ensure there is a directory in the root of the
+ profile share for each user. This directory must be owned by the user also. An exception to this
+ requirement is when a profile is created for group use.
+ </p></li><li><p>
+ <a class="indexterm" name="id325420"></a>
+ <a class="indexterm" name="id325426"></a>
+ Precautionary veto is effected for particular Windows file names that have been targeted by
+ virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking
+ controls. This should help to prevent lock contention-related file access problems.
+ </p></li><li><p>
+ Every user has a private home directory on the UNIX/Linux host. This is mapped to
+ a network drive that is the same for all users.
+ </p></li></ul></div><p>
+ The configuration of the server is the most complex so far. The following steps are used:
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ Basic System Configuration
+ </p></li><li><p>
+ Samba Configuration
+ </p></li><li><p>
+ DHCP and DNS Server Configuration
+ </p></li><li><p>
+ Printer Configuration
+ </p></li><li><p>
+ Process Start-up Configuration
+ </p></li><li><p>
+ Validation
+ </p></li><li><p>
+ Application Share Configuration
+ </p></li><li><p>
+ Windows Client Configuration
+ </p></li></ol></div><p>
+ The following sections cover each step in logical and defined detail.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4bsc"></a>Basic System Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id325511"></a>
+ The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been
+ freshly installed. It prepares basic files so that the system is ready for comprehensive
+ operation in line with the network diagram shown in <a href="secure.html#ch04net" title="Figure 3.1. Abmas Network Topology 130 Users">???</a>.
+ </p><div class="procedure"><a name="id325526"></a><p class="title"><b>Procedure 3.1. Server Configuration Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id325537"></a>
+ Using the UNIX/Linux system tools, name the server <code class="constant">server.abmas.us</code>.
+ Verify that your hostname is correctly set by running:
+</p><pre class="screen">
+<code class="prompt">root# </code> uname -n
+server
+</pre><p>
+ An alternate method to verify the hostname is:
+</p><pre class="screen">
+<code class="prompt">root# </code> hostname -f
+server.abmas.us
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id325579"></a>
+ <a class="indexterm" name="id325586"></a>
+ Edit your <code class="filename">/etc/hosts</code> file to include the primary names and addresses
+ of all network interfaces that are on the host server. This is necessary so that during
+ startup the system can resolve all its own names to the IP address prior to
+ startup of the DNS server. An example of entries that should be in the
+ <code class="filename">/etc/hosts</code> file is:
+</p><pre class="screen">
+127.0.0.1 localhost
+192.168.1.1 sleeth1.abmas.biz sleeth1 diamond
+192.168.2.1 sleeth2.abmas.biz sleeth2
+123.45.67.66 server.abmas.us server
+</pre><p>
+ You should check the startup order of your system. If the CUPS print server is started before
+ the DNS server (<code class="literal">named</code>), you should also include an entry for the printers
+ in the <code class="filename">/etc/hosts</code> file, as follows:
+</p><pre class="screen">
+192.168.1.20 qmsa.abmas.biz qmsa
+192.168.1.30 hplj6a.abmas.biz hplj6a
+192.168.2.20 qmsf.abmas.biz qmsf
+192.168.2.30 hplj6f.abmas.biz hplj6f
+</pre><p>
+ <a class="indexterm" name="id325634"></a>
+ <a class="indexterm" name="id325641"></a>
+ <a class="indexterm" name="id325648"></a>
+ The printer entries are not necessary if <code class="literal">named</code> is started prior to
+ startup of <code class="literal">cupsd</code>, the CUPS daemon.
+ </p></li><li><p>
+ <a class="indexterm" name="id325674"></a>
+ <a class="indexterm" name="id325681"></a>
+ <a class="indexterm" name="id325687"></a>
+ The host server is acting as a router between the two internal network segments as well
+ as for all Internet access. This necessitates that IP forwarding be enabled. This can be
+ achieved by adding to the <code class="filename">/etc/rc.d/boot.local</code> an entry as follows:
+</p><pre class="screen">
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward
+</pre><p>
+ To ensure that your kernel is capable of IP forwarding during configuration, you may
+ wish to execute that command manually also. This setting permits the Linux system to
+ act as a router.<sup>[<a name="id325710" href="#ftn.id325710">6</a>]</sup>
+ </p></li><li><p>
+ <a class="indexterm" name="id325722"></a>
+ <a class="indexterm" name="id325729"></a>
+ Installation of a basic firewall and NAT facility is necessary.
+ The following script can be installed in the <code class="filename">/usr/local/sbin</code>
+ directory. It is executed from the <code class="filename">/etc/rc.d/boot.local</code> startup
+ script. In your case, this script is called <code class="filename">abmas-netfw.sh</code>. The
+ script contents are shown in <a href="secure.html#ch4natfw" title="Example 3.3. NAT Firewall Configuration Script">???</a>.
+
+</p><div class="example"><a name="ch4natfw"></a><p class="title"><b>Example 3.3. NAT Firewall Configuration Script</b></p><div class="example-contents"><pre class="screen">
+#!/bin/sh
+echo -e "\n\nLoading NAT firewall.\n"
+IPTABLES=/usr/sbin/iptables
+EXTIF="eth0"
+INTIFA="eth1"
+INTIFB="eth2"
+
+/sbin/depmod -a
+/sbin/modprobe ip_tables
+/sbin/modprobe ip_conntrack
+/sbin/modprobe ip_conntrack_ftp
+/sbin/modprobe iptable_nat
+/sbin/modprobe ip_nat_ftp
+$IPTABLES -P INPUT DROP
+$IPTABLES -F INPUT
+$IPTABLES -P OUTPUT ACCEPT
+$IPTABLES -F OUTPUT
+$IPTABLES -P FORWARD DROP
+$IPTABLES -F FORWARD
+
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A INPUT -i $INTIFA -j ACCEPT
+$IPTABLES -A INPUT -i $INTIFB -j ACCEPT
+$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS
+for i in 22 25 53 80 443
+do
+ $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT
+done
+# Allow DNS(udp)
+$IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT
+echo "Allow all connections OUT and only existing and specified ones IN"
+$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state \
+ --state ESTABLISHED,RELATED -j ACCEPT
+$IPTABLES -A FORWARD -i $EXTIF -o $INTIFB -m state \
+ --state ESTABLISHED,RELATED -j ACCEPT
+$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT
+$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT
+$IPTABLES -A FORWARD -j LOG
+echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
+$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
+echo "1" &gt; /proc/sys/net/ipv4/ip_forward
+echo -e "\nNAT firewall done.\n"
+</pre></div></div><p><br class="example-break">
+ </p></li><li><p>
+ Execute the following to make the script executable:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod 755 /usr/local/sbin/abmas-natfw.sh
+</pre><p>
+ You must now edit <code class="filename">/etc/rc.d/boot.local</code> to add an entry
+ that runs your <code class="literal">abmas-natfw.sh</code> script. The following
+ entry works for you:
+</p><pre class="screen">
+#! /bin/sh
+#
+# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany.
+# All rights reserved.
+#
+# Author: Werner Fink, 1996
+# Burchard Steinbild, 1996
+#
+# /etc/init.d/boot.local
+#
+# script with local commands to be executed from init on system startup
+#
+# Here you should add things that should happen directly after booting
+# before we're going to the first run level.
+#
+/usr/local/sbin/abmas-natfw.sh
+</pre><p>
+ </p></li></ol></div><p>
+ <a class="indexterm" name="id325846"></a>
+ The server is now ready for Samba configuration. During the validation step, you remove
+ the entry for the Samba server <code class="constant">diamond</code> from the <code class="filename">/etc/hosts</code>
+ file. This is done after you are satisfied that DNS-based name resolution is functioning correctly.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id325866"></a>Samba Configuration</h3></div></div></div><p>
+ When you have completed this section, the Samba server is ready for testing and validation;
+ however, testing and validation have to wait until DHCP, DNS, and printing (CUPS) services have
+ been configured.
+ </p><div class="procedure"><a name="id325877"></a><p class="title"><b>Procedure 3.2. Samba Configuration Steps</b></p><ol type="1"><li><p>
+ Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary
+ RPM file is called <code class="filename">samba-3.0.20-1.i386.rpm</code>, one way to install this
+ file is as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -Uvh samba-3.0.20-1.i386.rpm
+</pre><p>
+ This operation must be performed while logged in as the <code class="literal">root</code> user.
+ Successful operation is clearly indicated. If this installation should fail for any reason,
+ refer to the operating system manufacturer's documentation for guidance.
+ </p></li><li><p>
+ Install the <code class="filename">smb.conf</code> file shown in <a href="secure.html#promisnet" title="Example 3.4. 130 User Network with tdbsam [globals] Section">???</a>, <a href="secure.html#promisnetsvca" title="Example 3.5. 130 User Network with tdbsam Services Section Part A">???</a>,
+ and <a href="secure.html#promisnetsvcb" title="Example 3.6. 130 User Network with tdbsam Services Section Part B">???</a>. Concatenate (join) all three files to make a single <code class="filename">smb.conf</code>
+ file. The final, fully qualified path for this file should be <code class="filename">/etc/samba/smb.conf</code>.
+
+</p><div class="example"><a name="promisnet"></a><p class="title"><b>Example 3.4. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> [globals] Section</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id325993"></a><em class="parameter"><code>workgroup = PROMISES</code></em></td></tr><tr><td><a class="indexterm" name="id326005"></a><em class="parameter"><code>netbios name = DIAMOND</code></em></td></tr><tr><td><a class="indexterm" name="id326018"></a><em class="parameter"><code>interfaces = eth1, eth2, lo</code></em></td></tr><tr><td><a class="indexterm" name="id326030"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326043"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id326056"></a><em class="parameter"><code>pam password change = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326068"></a><em class="parameter"><code>passwd program = /usr/bin/passwd %u</code></em></td></tr><tr><td><a class="indexterm" name="id326081"></a><em class="parameter"><code>passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*</code></em></td></tr><tr><td><a class="indexterm" name="id326094"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id326107"></a><em class="parameter"><code>unix password sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326119"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id326132"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id326144"></a><em class="parameter"><code>log file 
= /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id326157"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id326170"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id326182"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id326195"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326207"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id326220"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id326232"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id326245"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id326258"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id326271"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id326284"></a><em class="parameter"><code>add user to group script = /usr/sbin/usermod -G '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id326297"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id326310"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id326322"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" 
name="id326335"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id326348"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id326361"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id326373"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id326386"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326398"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326411"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326423"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326436"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326448"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id326461"></a><em class="parameter"><code>cups options = Raw</code></em></td></tr><tr><td><a class="indexterm" name="id326473"></a><em class="parameter"><code>veto files = /*.eml/*.nws/*.{*}/</code></em></td></tr><tr><td><a class="indexterm" name="id326486"></a><em class="parameter"><code>veto oplock files = /*.doc/*.xls/*.mdb/</code></em></td></tr></table></div></div><p><br class="example-break">
+
+</p><div class="example"><a name="promisnetsvca"></a><p class="title"><b>Example 3.5. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id326530"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id326542"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id326555"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id326567"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id326589"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id326602"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id326614"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326627"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326639"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326652"></a><em class="parameter"><code>default devmode = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326664"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id326686"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" 
name="id326698"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id326711"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326724"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id326745"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id326758"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id326770"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id326783"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id326804"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id326817"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id326829"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><p><br class="example-break">
+
+</p><div class="example"><a name="promisnetsvcb"></a><p class="title"><b>Example 3.6. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id326872"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id326885"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id326898"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id326919"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id326932"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id326944"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id326966"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id326978"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id326991"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id327003"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr></table></div></div><p><br class="example-break">
+ </p></li><li><p>
+ <a class="indexterm" name="id327024"></a><a class="indexterm" name="id327029"></a>
+ Add the <code class="constant">root</code> user to the password backend as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -a root
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+<code class="prompt">root# </code>
+</pre><p>
+ The <code class="constant">root</code> account is the UNIX equivalent of the Windows Domain Administrator.
+ This account is essential in the regular maintenance of your Samba server. It must never be
+ deleted. If for any reason the account is deleted, you may not be able to recreate this account
+ without considerable trouble.
+ </p></li><li><p>
+ <a class="indexterm" name="id327073"></a>
+ Create the username map file to permit the <code class="constant">root</code> account to be called
+ <code class="constant">Administrator</code> from the Windows network environment. To do this, create
+ the file <code class="filename">/etc/samba/smbusers</code> with the following contents:
+</p><pre class="screen">
+####
+# User mapping file
+####
+# File Format
+# -----------
+# Unix_ID = Windows_ID
+#
+# Examples:
+# root = Administrator
+# janes = "Jane Smith"
+# jimbo = Jim Bones
+#
+# Note: If the name contains a space it must be double quoted.
+# In the example above the name 'jimbo' will be mapped to Windows
+# user names 'Jim' and 'Bones' because the space was not quoted.
+#######################################################################
+root = Administrator
+####
+# End of File
+####
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id327111"></a>
+ <a class="indexterm" name="id327118"></a>
+ <a class="indexterm" name="id327129"></a>
+ <a class="indexterm" name="id327140"></a>
+ Create and map Windows Domain Groups to UNIX groups. A sample script is provided in <a href="small.html" title="Chapter 2. Small Office Networking">???</a>,
+ <a href="small.html#initGrps" title="Example 2.1. Script to Map Windows NT Groups to UNIX Groups">???</a>. Create a file containing this script. We called ours
+ <code class="filename">/etc/samba/initGrps.sh</code>. Set this file so it can be executed,
+ and then execute the script. Sample output should be as follows:
+
+</p><div class="example"><a name="ch4initGrps"></a><p class="title"><b>Example 3.7. Script to Map Windows NT Groups to UNIX Groups</b></p><div class="example-contents"><a class="indexterm" name="id327181"></a><pre class="screen">
+#!/bin/bash
+#
+# initGrps.sh
+#
+
+# Create UNIX groups
+groupadd acctsdep
+groupadd finsrvcs
+
+# Map Windows Domain Groups to UNIX groups
+net groupmap add ntgroup="Domain Admins" unixgroup=root type=d
+net groupmap add ntgroup="Domain Users" unixgroup=users type=d
+net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d
+
+# Add Functional Domain Groups
+net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
+net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
+net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
+
+# Map Windows NT machine local groups to local UNIX groups
+# Mapping of local groups is not necessary and not functional
+# for this installation.
+</pre></div></div><p><br class="example-break">
+
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod 755 initGrps.sh
+<code class="prompt">root# </code> /etc/samba # ./initGrps.sh
+Updated mapping entry for Domain Admins
+Updated mapping entry for Domain Users
+Updated mapping entry for Domain Guests
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Accounts Dept to the mapping db
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Domain Guests to the mapping db
+
+<code class="prompt">root# </code> /etc/samba # net groupmap list | sort
+Account Operators (S-1-5-32-548) -&gt; -1
+Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -&gt; acctsdep
+Administrators (S-1-5-32-544) -&gt; -1
+Backup Operators (S-1-5-32-551) -&gt; -1
+Domain Admins (S-1-5-21-179504-2437109-488451-512) -&gt; root
+Domain Guests (S-1-5-21-179504-2437109-488451-514) -&gt; nobody
+Domain Users (S-1-5-21-179504-2437109-488451-513) -&gt; users
+Financial Services (S-1-5-21-179504-2437109-488451-2005) -&gt; finsrvcs
+Guests (S-1-5-32-546) -&gt; -1
+Power Users (S-1-5-32-547) -&gt; -1
+Print Operators (S-1-5-32-550) -&gt; -1
+Replicators (S-1-5-32-552) -&gt; -1
+System Operators (S-1-5-32-549) -&gt; -1
+Users (S-1-5-32-545) -&gt; -1
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id327240"></a>
+ <a class="indexterm" name="id327247"></a>
+ <a class="indexterm" name="id327254"></a>
+ <a class="indexterm" name="id327260"></a>
+ <a class="indexterm" name="id327267"></a>
+ <a class="indexterm" name="id327274"></a>
+ <a class="indexterm" name="id327283"></a>
+ There is one preparatory step without which you will not have a working Samba
+ network environment. You must add an account for each network user.
+ For each user who needs to be given a Windows Domain account, make an entry in the
+ <code class="filename">/etc/passwd</code> file as well as in the Samba password backend.
+ Use the system tool of your choice to create the UNIX system account, and use the Samba
+ <code class="literal">smbpasswd</code> to create a Domain user account.
+ There are a number of tools for user management under UNIX, such as
+ <code class="literal">useradd</code>, and <code class="literal">adduser</code>, as well as a plethora of custom
+ tools. You also want to create a home directory for each user.
+ You can do this by executing the following steps for each user:
+</p><pre class="screen">
+<code class="prompt">root# </code> useradd -m <em class="parameter"><code>username</code></em>
+<code class="prompt">root# </code> passwd <em class="parameter"><code>username</code></em>
+Changing password for <em class="parameter"><code>username</code></em>.
+New password: XXXXXXXX
+Re-enter new password: XXXXXXXX
+Password changed
+<code class="prompt">root# </code> smbpasswd -a <em class="parameter"><code>username</code></em>
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+Added user <em class="parameter"><code>username</code></em>.
+</pre><p>
+ You do of course use a valid user login ID in place of <em class="parameter"><code>username</code></em>.
+ </p></li><li><p>
+ <a class="indexterm" name="id327390"></a>
+ <a class="indexterm" name="id327399"></a>
+ <a class="indexterm" name="id327408"></a>
+ Using the preferred tool for your UNIX system, add each user to the UNIX groups created
+ previously as necessary. File system access control will be based on UNIX group membership.
+ </p></li><li><p>
+ Create the directory mount point for the disk subsystem that can be mounted to provide
+ data storage for company files. In this case the mount point is indicated in the <code class="filename">smb.conf</code>
+ file is <code class="filename">/data</code>. Format the file system as required, and mount the formatted
+ file system partition using appropriate system tools.
+ </p></li><li><p>
+ <a class="indexterm" name="id327445"></a>
+ Create the top-level file storage directories for data and applications as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /data/{accounts,finsrvcs}
+<code class="prompt">root# </code> mkdir -p /apps
+<code class="prompt">root# </code> chown -R root:root /data
+<code class="prompt">root# </code> chown -R root:root /apps
+<code class="prompt">root# </code> chown -R bjordan:acctsdep /data/accounts
+<code class="prompt">root# </code> chown -R bjordan:finsrvcs /data/finsrvcs
+<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data
+<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps
+</pre><p>
+ Each department is responsible for creating its own directory structure within the departmental
+ share. The directory root of the <code class="literal">accounts</code> share is <code class="filename">/data/accounts</code>.
+ The directory root of the <code class="literal">finsvcs</code> share is <code class="filename">/data/finsvcs</code>.
+ The <code class="filename">/apps</code> directory is the root of the <code class="constant">apps</code> share
+ that provides the application server infrastructure.
+ </p></li><li><p>
+ The <code class="filename">smb.conf</code> file specifies an infrastructure to support roaming profiles and network
+ logon services. You can now create the file system infrastructure to provide the
+ locations on disk that these services require. Adequate planning is essential,
+ since desktop profiles can grow to be quite large. For planning purposes, a minimum of
+ 200 MB of storage should be allowed per user for profile storage. The following
+ commands create the directory infrastructure needed:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /var/spool/samba
+<code class="prompt">root# </code> mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
+<code class="prompt">root# </code> chown -R root:root /var/spool/samba
+<code class="prompt">root# </code> chown -R root:root /var/lib/samba
+<code class="prompt">root# </code> chmod a+rwxt /var/spool/samba
+<code class="prompt">root# </code> chmod 2775 /var/lib/samba/profiles
+<code class="prompt">root# </code> chgrp users /var/lib/samba/profiles
+</pre><p>
+ For each user account that is created on the system, the following commands should be
+ executed:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir /var/lib/samba/profiles/'username'
+<code class="prompt">root# </code> chown 'username':users /var/lib/samba/profiles/'username'
+<code class="prompt">root# </code> chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id327647"></a>
+ <a class="indexterm" name="id327653"></a>
+ <a class="indexterm" name="id327660"></a>
+ Create a logon script. It is important that each line is correctly terminated with
+ a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
+ works if the right tools (<code class="constant">unix2dos</code> and <code class="constant">dos2unix</code>) are installed.
+ First, create a file called <code class="filename">/var/lib/samba/netlogon/scripts/logon.bat.unix</code>
+ with the following contents:
+</p><pre class="screen">
+net time \\diamond /set /yes
+net use h: /home
+net use p: \\diamond\apps
+</pre><p>
+ Convert the UNIX file to a DOS file using the <code class="literal">unix2dos</code> as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> unix2dos &lt; /var/lib/samba/netlogon/scripts/logon.bat.unix \
+ &gt; /var/lib/samba/netlogon/scripts/logon.bat
+</pre><p>
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4dhcpdns"></a>Configuration of DHCP and DNS Servers</h3></div></div></div><p>
+ DHCP services are a basic component of the entire network client installation. DNS operation is
+ foundational to Internet access as well as to trouble-free operation of local networking. When
+ you have completed this section, the server should be ready for solid duty operation.
+ </p><div class="procedure"><a name="id327727"></a><p class="title"><b>Procedure 3.3. DHCP and DNS Server Configuration Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id327738"></a>
+ Create a file called <code class="filename">/etc/dhcpd.conf</code> with the contents as
+ shown in <a href="secure.html#prom-dhcp" title="Example 3.8. DHCP Server Configuration File /etc/dhcpd.conf">???</a>.
+
+</p><div class="example"><a name="prom-dhcp"></a><p class="title"><b>Example 3.8. DHCP Server Configuration File <code class="filename">/etc/dhcpd.conf</code></b></p><div class="example-contents"><pre class="screen">
+# Abmas Accounting Inc.
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+option ntp-servers 192.168.1.1;
+option domain-name "abmas.biz";
+option domain-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-node-type 8; ### Node type = Hybrid ###
+ddns-updates on; ### Dynamic DNS enabled ###
+ddns-update-style interim;
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.1.128 192.168.1.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.1.1;
+ allow unknown-clients;
+ host qmsa {
+ hardware ethernet 08:00:46:7a:35:e4;
+ fixed-address 192.168.1.20;
+ }
+ host hplj6a {
+ hardware ethernet 00:03:47:cb:81:e0;
+ fixed-address 192.168.1.30;
+ }
+ }
+subnet 192.168.2.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.2.128 192.168.2.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.2.1;
+ allow unknown-clients;
+ host qmsf {
+ hardware ethernet 01:04:31:db:e1:c0;
+ fixed-address 192.168.1.20;
+ }
+ host hplj6f {
+ hardware ethernet 00:03:47:cf:83:e2;
+ fixed-address 192.168.2.30;
+ }
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+subnet 123.45.67.64 netmask 255.255.255.252 {
+ }
+</pre></div></div><p><br class="example-break">
+ </p></li><li><p>
+ <a class="indexterm" name="id327812"></a>
+ Create a file called <code class="filename">/etc/named.conf</code> that has the combined contents
+ of the <a href="secure.html#ch4namedcfg" title="Example 3.9. DNS Master Configuration File /etc/named.conf Master Section">???</a>, <a href="secure.html#ch4namedvarfwd" title="Example 3.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section">???</a>, and
+ <a href="secure.html#ch4namedvarrev" title="Example 3.11. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section">???</a> files that are concatenated (merged) in this
+ specific order.
+ </p></li><li><p>
+ Create the files shown in their respective directories as shown in <a href="secure.html#namedrscfiles" title="Table 3.2. DNS (named) Resource Files">DNS
+ (named) Resource Files</a>.
+
+ </p><div class="table"><a name="namedrscfiles"></a><p class="title"><b>Table 3.2. DNS (named) Resource Files</b></p><div class="table-contents"><table summary="DNS (named) Resource Files" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Reference</th><th align="left">File Location</th></tr></thead><tbody><tr><td align="left"><a href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">???</a></td><td align="left">/var/lib/named/localhost.zone</td></tr><tr><td align="left"><a href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">???</a></td><td align="left">/var/lib/named/127.0.0.zone</td></tr><tr><td align="left"><a href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">???</a></td><td align="left">/var/lib/named/root.hint</td></tr><tr><td align="left"><a href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">???</a></td><td align="left">/var/lib/named/master/abmas.biz.hosts</td></tr><tr><td align="left"><a href="secure.html#abmasus" title="Example 3.15. DNS Abmas.us Forward Zone File">???</a></td><td align="left">/var/lib/named/abmas.us.hosts</td></tr><tr><td align="left"><a href="secure.html#eth1zone" title="Example 3.12. DNS 192.168.1 Reverse Zone File">???</a></td><td align="left">/var/lib/named/192.168.1.0.rev</td></tr><tr><td align="left"><a href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">???</a></td><td align="left">/var/lib/named/192.168.2.0.rev</td></tr></tbody></table></div></div><p><br class="table-break">
+
+</p><div class="example"><a name="ch4namedcfg"></a><p class="title"><b>Example 3.9. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Master Section</b></p><div class="example-contents"><a class="indexterm" name="id328017"></a><pre class="screen">
+###
+# Abmas Biz DNS Control File
+###
+# Date: November 15, 2003
+###
+options {
+ directory "/var/lib/named";
+ forwarders {
+ 123.45.12.23;
+ };
+ forward first;
+ listen-on {
+ mynet;
+ };
+ auth-nxdomain yes;
+ multiple-cnames yes;
+ notify no;
+};
+
+zone "." in {
+ type hint;
+ file "root.hint";
+};
+
+zone "localhost" in {
+ type master;
+ file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" in {
+ type master;
+ file "127.0.0.zone";
+};
+
+acl mynet {
+ 192.168.1.0/24;
+ 192.168.2.0/24;
+ 127.0.0.1;
+};
+
+acl seconddns {
+ 123.45.54.32;
+};
+
+</pre></div></div><p><br class="example-break">
+
+</p><div class="example"><a name="ch4namedvarfwd"></a><p class="title"><b>Example 3.10. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Forward Lookup Definition Section</b></p><div class="example-contents"><pre class="screen">
+zone "abmas.biz" {
+ type master;
+ file "/var/lib/named/master/abmas.biz.hosts";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "abmas.us" {
+ type master;
+ file "/var/lib/named/master/abmas.us.hosts";
+ allow-query {
+ any;
+ };
+ allow-transfer {
+ seconddns;
+ };
+};
+</pre></div></div><p><br class="example-break">
+
+</p><div class="example"><a name="ch4namedvarrev"></a><p class="title"><b>Example 3.11. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Reverse Lookup Definition Section</b></p><div class="example-contents"><pre class="screen">
+zone "1.168.192.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/192.168.1.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "2.168.192.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/192.168.2.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+</pre></div></div><p><br class="example-break">
+
+</p><div class="example"><a name="eth1zone"></a><p class="title"><b>Example 3.12. DNS 192.168.1 Reverse Zone File</b></p><div class="example-contents"><pre class="screen">
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+1.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
+ 2003021825 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS sleeth1.abmas.biz.
+$ORIGIN 1.168.192.in-addr.arpa.
+1 PTR sleeth1.abmas.biz.
+20 PTR qmsa.abmas.biz.
+30 PTR hplj6a.abmas.biz.
+</pre></div></div><p><br class="example-break">
+
+</p><div class="example"><a name="eth2zone"></a><p class="title"><b>Example 3.13. DNS 192.168.2 Reverse Zone File</b></p><div class="example-contents"><pre class="screen">
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+2.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
+ 2003021825 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS sleeth2.abmas.biz.
+$ORIGIN 2.168.192.in-addr.arpa.
+1 PTR sleeth2.abmas.biz.
+20 PTR qmsf.abmas.biz.
+30 PTR hplj6f.abmas.biz.
+</pre></div></div><p><br class="example-break">
+
+</p><div class="example"><a name="abmasbiz"></a><p class="title"><b>Example 3.14. DNS Abmas.biz Forward Zone File</b></p><div class="example-contents"><pre class="screen">
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.biz IN SOA sleeth1.abmas.biz. root.abmas.biz. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS dns.abmas.biz.
+ MX 10 mail.abmas.biz.
+$ORIGIN abmas.biz.
+sleeth1 A 192.168.1.1
+sleeth2 A 192.168.2.1
+qmsa A 192.168.1.20
+hplj6a A 192.168.1.30
+qmsf A 192.168.2.20
+hplj6f A 192.168.2.30
+dns CNAME sleeth1
+diamond CNAME sleeth1
+mail CNAME sleeth1
+</pre></div></div><p><br class="example-break">
+
+</p><div class="example"><a name="abmasus"></a><p class="title"><b>Example 3.15. DNS Abmas.us Forward Zone File</b></p><div class="example-contents"><pre class="screen">
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.us IN SOA server.abmas.us. root.abmas.us. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS dns.abmas.us.
+ NS dns2.abmas.us.
+ MX 10 mail.abmas.us.
+$ORIGIN abmas.us.
+server A 123.45.67.66
+dns2 A 123.45.54.32
+gw A 123.45.67.65
+www CNAME server
+mail CNAME server
+dns CNAME server
+</pre></div></div><p><br class="example-break">
+
+ </p></li><li><p>
+ <a class="indexterm" name="id328181"></a><a class="indexterm" name="id328187"></a>
+ All DNS name resolution should be handled locally. To ensure that the server is configured
+ correctly to handle this, edit <code class="filename">/etc/resolv.conf</code> to have the following
+ content:
+</p><pre class="screen">
+search abmas.us abmas.biz
+nameserver 127.0.0.1
+nameserver 123.45.54.23
+</pre><p>
+ <a class="indexterm" name="id328209"></a>
+ This instructs the name resolver function (when configured correctly) to ask the DNS server
+ that is running locally to resolve names to addresses. In the event that the local name server
+ is not available, ask the name server provided by the ISP. The latter, of course, does not resolve
+ purely local names to IP addresses.
+ </p></li><li><p>
+ <a class="indexterm" name="id328228"></a>
+ The final step is to edit the <code class="filename">/etc/nsswitch.conf</code> file.
+ This file controls the operation of the various resolver libraries that are part of the Linux
+ Glibc libraries. Edit this file so that it contains the following entries:
+</p><pre class="screen">
+hosts: files dns wins
+</pre><p>
+ </p></li></ol></div><p>
+ The basic DHCP and DNS services are now ready for validation testing. Before you can proceed,
+ there are a few more steps along the road. First, configure the print spooling and print
+ processing system. Then you can configure the server so that all services
+ start automatically on reboot. You must also manually start all services prior to validation testing.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4ptrcfg"></a>Printer Configuration</h3></div></div></div><p>
+ Network administrators who are new to CUPS based-printing typically experience some difficulty mastering
+ its powerful features. The steps outlined in this section are designed to navigate around the distractions
+ of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a
+ transparent print queue that performs no filtering, and only minimal handling of each print job that is
+ submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that
+ the correct printer driver must be installed on all clients.
+ </p><div class="procedure"><a name="id328275"></a><p class="title"><b>Procedure 3.4. Printer Configuration Steps</b></p><ol type="1"><li><p>
+ Configure each printer to be a DHCP client, carefully following the manufacturer's guidelines.
+ </p></li><li><p>
+ Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100.
+ Use any other port the manufacturer specifies for direct-mode raw printing, and adjust the
+ port as necessary in the following example commands.
+ This allows the CUPS spooler to print using raw mode protocols.
+ <a class="indexterm" name="id328297"></a>
+ <a class="indexterm" name="id328304"></a>
+ </p></li><li><p>
+ <a class="indexterm" name="id328317"></a><a class="indexterm" name="id328325"></a>
+ Configure the CUPS Print Queues as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E
+<code class="prompt">root# </code> lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E
+<code class="prompt">root# </code> lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E
+<code class="prompt">root# </code> lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E
+</pre><p>
+ <a class="indexterm" name="id328365"></a>
+ This creates the necessary print queues with no assigned print filter.
+ </p></li><li><p><a class="indexterm" name="id328379"></a>
+ Print queues may not be enabled at creation. Use <code class="literal">lpc stat</code> to check
+ the status of the print queues and, if necessary, make certain that the queues you have
+ just created are enabled by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> /usr/bin/enable qmsa
+<code class="prompt">root# </code> /usr/bin/enable hplj6a
+<code class="prompt">root# </code> /usr/bin/enable qmsf
+<code class="prompt">root# </code> /usr/bin/enable hplj6f
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id328431"></a>
+ Even though your print queues may be enabled, it is still possible that they
+ are not accepting print jobs. A print queue services incoming printing
+ requests only when configured to do so. Ensure that your print queues are
+ set to accept incoming jobs by executing the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> /usr/sbin/accept qmsa
+<code class="prompt">root# </code> /usr/sbin/accept hplj6a
+<code class="prompt">root# </code> /usr/sbin/accept qmsf
+<code class="prompt">root# </code> /usr/sbin/accept hplj6f
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id328478"></a>
+ <a class="indexterm" name="id328485"></a>
+ <a class="indexterm" name="id328492"></a>
+ Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream application/vnd.cups-raw 0 -
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id328518"></a>
+ Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream
+</pre><p>
+ </p></li><li><p>
+ Printing drivers are installed on each network client workstation.
+ </p></li></ol></div><p>
+ Note: If the parameter <em class="parameter"><code>cups options = Raw</code></em> is specified in the <code class="filename">smb.conf</code> file,
+ the last two steps can be omitted with CUPS version 1.1.18, or later.
+ </p><p>
+ The UNIX system print queues have been configured and are ready for validation testing.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="procstart"></a>Process Startup Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id328580"></a>
+ There are two essential steps to process startup configuration. First, the process
+ must be configured so that it automatically restarts each time the server
+ is rebooted. This step involves use of the <code class="literal">chkconfig</code> tool that
+ creates the appropriate symbolic links from the master daemon control file that is
+ located in the <code class="filename">/etc/rc.d</code> directory, to the <code class="filename">/etc/rc'x'.d</code>
+ directories. Links are created so that when the system run level is changed, the
+ necessary start or kill script is run.
+ </p><p>
+ <a class="indexterm" name="id328611"></a>
+ <a class="indexterm" name="id328618"></a>
+ <a class="indexterm" name="id328625"></a>
+ <a class="indexterm" name="id328631"></a>
+ <a class="indexterm" name="id328638"></a>
+ In the event that a service is not run as a daemon, but via the internetworking
+ super daemon (<code class="literal">inetd</code> or <code class="literal">xinetd</code>), then the <code class="literal">chkconfig</code>
+ tool makes the necessary entries in the <code class="filename">/etc/xinetd.d</code> directory
+ and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to
+ re-read its control files.
+ </p><p>
+ Last, each service must be started to permit system validation to proceed.
+ </p><div class="procedure"><ol type="1"><li><p>
+ Use the standard system tool to configure each service to restart
+ automatically at every system reboot. For example,
+ <a class="indexterm" name="id328685"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> chkconfig dhpcd on
+<code class="prompt">root# </code> chkconfig named on
+<code class="prompt">root# </code> chkconfig cups on
+<code class="prompt">root# </code> chkconfig smb on
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id328728"></a>
+ <a class="indexterm" name="id328735"></a>
+ <a class="indexterm" name="id328742"></a>
+ Now start each service to permit the system to be validated.
+ Execute each of the following in the sequence shown:
+
+</p><pre class="screen">
+<code class="prompt">root# </code> /etc/rc.d/init.d/dhcpd restart
+<code class="prompt">root# </code> /etc/rc.d/init.d/named restart
+<code class="prompt">root# </code> /etc/rc.d/init.d/cups restart
+<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart
+</pre><p>
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4valid"></a>Validation</h3></div></div></div><p>
+ <a class="indexterm" name="id328794"></a>
+ Complex networking problems are most often caused by simple things that are poorly or incorrectly
+ configured. The validation process adopted here should be followed carefully; it is the result of the
+ experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should
+ refrain from taking shortcuts, from making basic assumptions, and from not exercising due process
+ and diligence in network validation. By thoroughly testing and validating every step in the process
+ of network installation and configuration, you can save yourself from sleepless nights and restless
+ days. A well debugged network is a foundation for happy network users and network administrators.
+ Later in this book you learn how to make users happier. For now, it is enough to learn to
+ validate. Let's get on with it.
+ </p><div class="procedure"><a name="id328809"></a><p class="title"><b>Procedure 3.5. Server Validation Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id328820"></a>
+ One of the most important facets of Samba configuration is to ensure that
+ name resolution functions correctly. You can check name resolution
+ with a few simple tests. The most basic name resolution is provided from the
+ <code class="filename">/etc/hosts</code> file. To test its operation, make a
+ temporary edit to the <code class="filename">/etc/nsswitch.conf</code> file. Using
+ your favorite editor, change the entry for <code class="constant">hosts</code> to read:
+</p><pre class="screen">
+hosts: files
+</pre><p>
+ When you have saved this file, execute the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> ping diamond
+PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms
+
+--- sleeth1.abmas.biz ping statistics ---
+4 packets transmitted, 4 received, 0% packet loss, time 3016ms
+rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms
+</pre><p>
+ This proves that name resolution via the <code class="filename">/etc/hosts</code> file
+ is working.
+ </p></li><li><p>
+ <a class="indexterm" name="id328885"></a>
+ So far, your installation is going particularly well. In this step we validate
+ DNS server and name resolution operation. Using your favorite UNIX system editor,
+ change the <code class="filename">/etc/nsswitch.conf</code> file so that the
+ <code class="constant">hosts</code> entry reads:
+</p><pre class="screen">
+hosts: dns
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id328915"></a>
+ Before you test DNS operation, it is a good idea to verify that the DNS server
+ is running by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> ps ax | grep named
+ 437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log
+ 524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 529 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 2552 pts/2 S 0:00 grep named
+</pre><p>
+ This means that we are ready to check DNS operation. Do so by executing:
+ <a class="indexterm" name="id328939"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> ping diamond
+PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms
+
+--- sleeth1.abmas.biz ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 999ms
+rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms
+</pre><p>
+ You should take a few more steps to validate DNS server operation, as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> host -f diamond.abmas.biz
+sleeth1.abmas.biz has address 192.168.1.1
+</pre><p>
+ <a class="indexterm" name="id328973"></a>
+ You may now remove the entry called <code class="constant">diamond</code> from the
+ <code class="filename">/etc/hosts</code> file. It does not hurt to leave it there,
+ but its removal reduces the number of administrative steps for this name.
+ </p></li><li><p>
+ <a class="indexterm" name="id328998"></a>
+ WINS is a great way to resolve NetBIOS names to their IP address. You can test
+ the operation of WINS by starting <code class="literal">nmbd</code> (manually or by way
+ of the Samba startup method shown in <a href="secure.html#procstart" title="Process Startup Configuration">???</a>). You must edit
+ the <code class="filename">/etc/nsswitch.conf</code> file so that the <code class="constant">hosts</code>
+ entry is as follows:
+</p><pre class="screen">
+hosts: wins
+</pre><p>
+ The next step is to make certain that Samba is running using <code class="literal">ps ax | grep mbd</code>.
+ The <code class="literal">nmbd</code> daemon will provide the WINS name resolution service when the
+ <code class="filename">smb.conf</code> file <em class="parameter"><code></code></em> parameter <a class="indexterm" name="id329058"></a>wins support = Yes has been specified. Having validated that Samba is operational,
+ excute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> ping diamond
+PING diamond (192.168.1.1) 56(84) bytes of data.
+64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms
+64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms
+</pre><p>
+ <a class="indexterm" name="id329078"></a>
+ Now that you can relax with the knowledge that all three major forms of name
+ resolution to IP address resolution are working, edit the <code class="filename">/etc/nsswitch.conf</code>
+ again. This time you add all three forms of name resolution to this file.
+ Your edited entry for <code class="constant">hosts</code> should now look like this:
+</p><pre class="screen">
+hosts: files dns wins
+</pre><p>
+ The system is looking good. Let's move on.
+ </p></li><li><p>
+ It would give you peace of mind to know that the DHCP server is running
+ and available for service. You can validate DHCP services by running:
+
+</p><pre class="screen">
+<code class="prompt">root# </code> ps ax | grep dhcp
+ 2618 ? S 0:00 /usr/sbin/dhcpd ...
+ 8180 pts/2 S 0:00 grep dhcp
+</pre><p>
+ This shows that the server is running. The proof of whether or not it is working
+ comes when you try to add the first DHCP client to the network.
+ </p></li><li><p>
+ <a class="indexterm" name="id329131"></a>
+ This is a good point at which to start validating Samba operation. You are
+ content that name resolution is working for basic TCP/IP needs. Let's move on.
+ If your <code class="filename">smb.conf</code> file has bogus options or parameters, this may cause Samba
+ to refuse to start. The first step should always be to validate the contents
+ of this file by running:
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm -s
+Load smb config files from smb.conf
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[netlogon]"
+Processing section "[profiles]"
+Processing section "[accounts]"
+Processing section "[service]"
+Processing section "[apps]"
+Loaded services file OK.
+# Global parameters
+[global]
+ workgroup = PROMISES
+ netbios name = DIAMOND
+ interfaces = eth1, eth2, lo
+ bind interfaces only = Yes
+ passdb backend = tdbsam
+ pam password change = Yes
+ passwd program = /usr/bin/passwd '%u'
+ passwd chat = *New*Password* %n\n \
+ *Re-enter*new*password* %n\n *Password*changed*
+ username map = /etc/samba/smbusers
+ unix password sync = Yes
+ log level = 1
+ syslog = 0
+ log file = /var/log/samba/%m
+ max log size = 50
+ smb ports = 139
+ name resolve order = wins bcast hosts
+ time server = Yes
+ printcap name = CUPS
+ show add printer wizard = No
+ add user script = /usr/sbin/useradd -m '%u'
+ delete user script = /usr/sbin/userdel -r '%u'
+ add group script = /usr/sbin/groupadd '%g'
+ delete group script = /usr/sbin/groupdel '%g'
+ add user to group script = /usr/sbin/usermod -G '%g' '%u'
+ add machine script = /usr/sbin/useradd \
+ -s /bin/false -d /dev/null '%u'
+ shutdown script = /var/lib/samba/scripts/shutdown.sh
+ abort shutdown script = /sbin/shutdown -c
+ logon script = scripts\logon.bat
+ logon path = \\%L\profiles\%U
+ logon drive = X:
+ logon home = \\%L\%U
+ domain logons = Yes
+ preferred master = Yes
+ wins support = Yes
+ utmp = Yes
+ winbind use default domain = Yes
+ map acl inherit = Yes
+ cups options = Raw
+ veto files = /*.eml/*.nws/*.{*}/
+ veto oplock files = /*.doc/*.xls/*.mdb/
+
+[homes]
+ comment = Home Directories
+ valid users = %S
+ read only = No
+ browseable = No
+...
+### Remainder cut to save space ###
+</pre><p>
+ Clear away all errors before proceeding.
+ </p></li><li><p>
+ <a class="indexterm" name="id329182"></a>
+ <a class="indexterm" name="id329188"></a>
+ <a class="indexterm" name="id329195"></a>
+ <a class="indexterm" name="id329202"></a>
+ Check that the Samba server is running:
+</p><pre class="screen">
+<code class="prompt">root# </code> ps ax | grep mbd
+14244 ? S 0:00 /usr/sbin/nmbd -D
+14245 ? S 0:00 /usr/sbin/nmbd -D
+14290 ? S 0:00 /usr/sbin/smbd -D
+
+$rootprompt; ps ax | grep winbind
+14293 ? S 0:00 /usr/sbin/winbindd -B
+14295 ? S 0:00 /usr/sbin/winbindd -B
+</pre><p>
+ The <code class="literal">winbindd</code> daemon is running in split mode (normal), so there are also
+ two instances<sup>[<a name="id329230" href="#ftn.id329230">7</a>]</sup> of it.
+ </p></li><li><p>
+ <a class="indexterm" name="id329258"></a>
+ <a class="indexterm" name="id329265"></a>
+ Check that an anonymous connection can be made to the Samba server:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient -L localhost -U%
+
+ Sharename Type Comment
+ --------- ---- -------
+ IPC$ IPC IPC Service (Samba 3.0.20)
+ netlogon Disk Network Logon Service
+ profiles Disk Profile Share
+ accounts Disk Accounting Files
+ service Disk Financial Services Files
+ apps Disk Application Files
+ ADMIN$ IPC IPC Service (Samba 3.0.20)
+ hplj6a Printer hplj6a
+ hplj6f Printer hplj6f
+ qmsa Printer qmsa
+ qmsf Printer qmsf
+
+ Server Comment
+ --------- -------
+ DIAMOND Samba 3.0.20
+
+ Workgroup Master
+ --------- -------
+ PROMISES DIAMOND
+</pre><p>
+ This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent
+ of browsing the server from a Windows client to obtain a list of shares on the server.
+ The <code class="constant">-U%</code> argument means to send a <code class="constant">NULL</code> username and
+ a <code class="constant">NULL</code> password.
+ </p></li><li><p>
+ <a class="indexterm" name="id329313"></a>
+ <a class="indexterm" name="id329319"></a>
+ <a class="indexterm" name="id329326"></a>
+ Verify that each printer has the IP address assigned in the DHCP server configuration file.
+ The easiest way to do this is to ping the printer name. Immediately after the ping response
+ has been received, execute <code class="literal">arp -a</code> to find the MAC address of the printer
+ that has responded. Now you can compare the IP address and the MAC address of the printer
+ with the configuration information in the <code class="filename">/etc/dhcpd.conf</code> file. They
+ should, of course, match. For example,
+</p><pre class="screen">
+<code class="prompt">root# </code> ping hplj6
+PING hplj6a (192.168.1.30) 56(84) bytes of data.
+64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms
+
+<code class="prompt">root# </code> arp -a
+hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0
+</pre><p>
+ <a class="indexterm" name="id329367"></a>
+ The MAC address <code class="constant">00:03:47:CB:81:E0</code> matches that specified for the
+ IP address from which the printer has responded and with the entry for it in the
+ <code class="filename">/etc/dhcpd.conf</code> file. Repeat this for each printer configured.
+ </p></li><li><p>
+ <a class="indexterm" name="id329394"></a>
+ Make an authenticated connection to the server using the <code class="literal">smbclient</code> tool:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient //diamond/accounts -U gholmes
+Password: XXXXXXX
+smb: \&gt; dir
+ . D 0 Thu Nov 27 15:07:09 2003
+ .. D 0 Sat Nov 15 17:40:50 2003
+ zakadmin.exe 161424 Thu Nov 27 15:06:52 2003
+ zak.exe 6066384 Thu Nov 27 15:06:52 2003
+ dhcpd.conf 1256 Thu Nov 27 15:06:52 2003
+ smb.conf 2131 Thu Nov 27 15:06:52 2003
+ initGrps.sh A 1089 Thu Nov 27 15:06:52 2003
+ POLICY.EXE 86542 Thu Nov 27 15:06:52 2003
+
+ 55974 blocks of size 65536. 33968 blocks available
+smb: \&gt; q
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id329438"></a>
+ Your new server is connected to an Internet-accessible connection. Before you start
+ your firewall, you should run a port scanner against your system. You should repeat that
+ after the firewall has been started. This helps you understand to what extent the
+ server may be vulnerable to external attack. One way you can do this is by using an
+ external service, such as the <a href="http://www.dslreports.com/scan" target="_top">DSL Reports</a>
+ tools. Alternately, if you can gain root-level access to a remote
+ UNIX/Linux system that has the <code class="literal">nmap</code> tool, you can run the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> nmap -v -sT server.abmas.us
+
+Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
+Host server.abmas.us (123.45.67.66) appears to be up ... good.
+Initiating Connect() Scan against server.abmas.us (123.45.67.66)
+Adding open port 6000/tcp
+Adding open port 873/tcp
+Adding open port 445/tcp
+Adding open port 10000/tcp
+Adding open port 901/tcp
+Adding open port 631/tcp
+Adding open port 25/tcp
+Adding open port 111/tcp
+Adding open port 32770/tcp
+Adding open port 3128/tcp
+Adding open port 53/tcp
+Adding open port 80/tcp
+Adding open port 443/tcp
+Adding open port 139/tcp
+Adding open port 22/tcp
+The Connect() Scan took 0 seconds to scan 1601 ports.
+Interesting ports on server.abmas.us (123.45.67.66):
+(The 1587 ports scanned but not shown below are in state: closed)
+Port State Service
+22/tcp open ssh
+25/tcp open smtp
+53/tcp open domain
+80/tcp open http
+111/tcp open sunrpc
+139/tcp open netbios-ssn
+443/tcp open https
+445/tcp open microsoft-ds
+631/tcp open ipp
+873/tcp open rsync
+901/tcp open samba-swat
+3128/tcp open squid-http
+6000/tcp open X11
+10000/tcp open snet-sensor-mgmt
+32770/tcp open sometimes-rpc3
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
+</pre><p>
+ The above scan was run before the external interface was locked down with the NAT-firewall
+ script you created above. The following results are obtained after the firewall rules
+ have been put into place:
+</p><pre class="screen">
+<code class="prompt">root# </code> nmap -v -sT server.abmas.us
+
+Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
+Host server.abmas.us (123.45.67.66) appears to be up ... good.
+Initiating Connect() Scan against server.abmas.us (123.45.67.66)
+Adding open port 53/tcp
+Adding open port 22/tcp
+The Connect() Scan took 168 seconds to scan 1601 ports.
+Interesting ports on server.abmas.us (123.45.67.66):
+(The 1593 ports scanned but not shown below are in state: filtered)
+Port State Service
+22/tcp open ssh
+25/tcp closed smtp
+53/tcp open domain
+80/tcp closed http
+443/tcp closed https
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
+</pre><p>
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4appscfg"></a>Application Share Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id329522"></a>
+ <a class="indexterm" name="id329529"></a>
+ The use of an application server is a key mechanism by which desktop administration overheads
+ can be reduced. Check the application manual for your software to identify how best to
+ create an administrative installation.
+ </p><p>
+ Some Windows software will only run locally on the desktop computer. Such software
+ is typically not suited for administrative installation. Administratively installed software
+ permits one or more of the following installation choices:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Install software fully onto a workstation, storing data files on the same workstation.
+ </p></li><li><p>
+ Install software fully onto a workstation with central network data file storage.
+ </p></li><li><p>
+ Install software to run off a central application server with data files stored
+ on the local workstation. This is often called a minimum installation, or a
+ network client installation.
+ </p></li><li><p>
+ Install software to run off a central application server with data files stored
+ on a central network share. This type of installation often prevents storage
+ of work files on the local workstation.
+ </p></li></ul></div><p>
+ <a class="indexterm" name="id329572"></a>
+ A common application deployed in this environment is an office suite.
+ Enterprise editions of Microsoft Office XP Professional can be administratively installed
+ by launching the installation from a command shell. The command that achieves this is
+ <code class="literal">setup /a</code>. It results in a set of prompts through which various
+ installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource
+ Kit for more information regarding this mode of installation of MS Office XP Professional.
+ The full administrative installation of MS Office XP Professional requires approximately
+ 650 MB of disk space.
+ </p><p>
+ When the MS Office XP Professional product has been installed to the administrative network
+ share, the product can be installed onto a workstation by executing the normal setup program.
+ The installation process now provides a choice to either perform a minimum installation
+ or a full local installation. A full local installation takes over 100 MB of disk space.
+ A network workstation (minimum) installation requires typically 10 MB to 15 MB of
+ local disk space. In the latter case, when the applications are used, they load over the network.
+ </p><p>
+ <a class="indexterm" name="id329600"></a>
+ <a class="indexterm" name="id329606"></a>
+ Microsoft Office Service Packs can be unpacked to update an administrative share. This makes
+ it possible to update MS Office XP Professional for all users from a single installation
+ of the service pack and generally circumvents the need to run updates on each network
+ Windows client.
+ </p><p>
+ The default location for MS Office XP Professional data files can be set through registry
+ editing or by way of configuration options inside each Office XP Professional application.
+ </p><p>
+ <a class="indexterm" name="id329624"></a>
+ OpenOffice.Org OpenOffice Version 1.1.0 can be installed locally. It can also
+ be installed to run off a network share. The latter is a most desirable solution for office-bound
+ network users and for administrative staff alike. It permits quick and easy updates
+ to be rolled out to all users with a minimum of disruption and with maximum flexibility.
+ </p><p>
+ The process for installation of administrative shared OpenOffice involves download of the
+ distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area.
+ When fully extracted using the unzipping tool of your choosing, change into the Windows
+ installation files directory then execute <code class="literal">setup -net</code>. You are
+ prompted on screen for the target installation location. This is the administrative
+ share point. The full administrative OpenOffice share takes approximately 150 MB of disk
+ space.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id329651"></a>Comments Regarding Software Terms of Use</h4></div></div></div><p>
+ Many single-user products can be installed into an administrative share, but
+ personal versions of products such as Microsoft Office XP Professional do not permit this.
+ Many people do not like terms of use typical with commercial products, so a few comments
+ regarding software licensing seem important.
+ </p><p>
+ Please do not use an administrative installation of proprietary and commercially licensed
+ software products to violate the copyright holders' property. All software is licensed,
+ particularly software that is licensed for use free of charge. All software is the property
+ of the copyright holder unless the author and/or copyright holder has explicitly disavowed
+ ownership and has placed the software into the public domain.
+ </p><p>
+ Software that is under the GNU General Public License, like proprietary software, is
+ licensed in a way that restricts use. For example, if you modify GPL software and then
+ distribute the binary version of your modifications, you must offer to provide the source
+ code as well. This restriction is designed to maintain the momentum
+ of the diffusion of technology and to protect against the withholding of innovations.
+ </p><p>
+ Commercial and proprietary software generally restrict use to those who have paid the
+ license fees and who comply with the licensee's terms of use. Software that is released
+ under the GNU General Public License is restricted to particular terms and conditions
+ also. Whatever the licensing terms may be, if you do not approve of the terms of use,
+ please do not use the software.
+ </p><p>
+ <a class="indexterm" name="id329686"></a>
+ Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided
+ with the source code.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4wincfg"></a>Windows Client Configuration</h3></div></div></div><p>
+ Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs
+ to reinstall many of the notebook computers that will be recycled for use with the new network
+ configuration. The smartest way to handle the challenge of the roll-out program is to build
+ a staged system for each type of target machine, and then use an image replication tool such as Norton
+ Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can
+ be done with notebook computers as long as they are identical or sufficiently similar.
+ </p><div class="procedure"><a name="sbewinclntprep"></a><p class="title"><b>Procedure 3.6. Windows Client Configuration Procedure</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id329729"></a>
+ <a class="indexterm" name="id329736"></a>
+ Install MS Windows XP Professional. During installation, configure the client to use DHCP for
+ TCP/IP protocol configuration. DHCP configures all Windows clients to use the WINS Server
+ address that has been defined for the local subnet.
+ </p></li><li><p>
+ Join the Windows Domain <code class="constant">PROMISES</code>. Use the Domain Administrator
+ username <code class="constant">root</code> and the SMB password you assigned to this account.
+ A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
+ a Windows Domain is given in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>.
+ Reboot the machine as prompted and then log on using the Domain Administrator account
+ (<code class="constant">root</code>).
+ </p></li><li><p>
+ Verify <code class="constant">DIAMOND</code> is visible in <span class="guimenu">My Network Places</span>,
+ that it is possible to connect to it and see the shares <span class="guimenuitem">accounts</span>,
+ <span class="guimenuitem">apps</span>, and <span class="guimenuitem">finsvcs</span>, and that it is
+ possible to open each share to reveal its contents.
+ </p></li><li><p>
+ Create a drive mapping to the <code class="constant">apps</code> share on the server <code class="constant">DIAMOND</code>.
+ </p></li><li><p>
+ Perform an administrative installation of each application to be used. Select the options
+ that you wish to use. Of course, you can choose to run applications over the network, correct?
+ </p></li><li><p>
+ Now install all applications to be installed locally. Typical tools include Adobe Acrobat,
+ NTP-based time synchronization software, drivers for specific local devices such as fingerprint
+ scanners, and the like. Probably the most significant application for local installation
+ is antivirus software.
+ </p></li><li><p>
+ Now install all four printers onto the staging system. The printers you install
+ include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will
+ also configure identical printers that are located in the financial services department.
+ Install printers on each machine following the steps shown in the Windows client printer
+ preparation procedure below.
+ </p></li><li><p>
+ <a class="indexterm" name="id329860"></a>
+ When you are satisfied that the staging systems are complete, use the appropriate procedure to
+ remove the client from the domain. Reboot the system and then log on as the local administrator
+ and clean out all temporary files stored on the system. Before shutting down, use the disk
+ defragmentation tool so that the file system is in optimal condition before replication.
+ </p></li><li><p>
+ Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the
+ machine to a network share on the server.
+ </p></li><li><p>
+ <a class="indexterm" name="id329885"></a>
+ <a class="indexterm" name="id329894"></a>
+ You may now replicate the image to the target machines using the appropriate Norton Ghost
+ procedure. Make sure to use the procedure that ensures each machine has a unique
+ Windows security identifier (SID). When the installation of the disk image has completed, boot the PC.
+ </p></li><li><p>
+ Log on to the machine as the local Administrator (the only option), and join the machine to
+ the Domain, following the procedure set out in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>. The system is now
+ ready for the user to log on, provided you have created a network logon account for that
+ user, of course.
+ </p></li><li><p>
+ Instruct all users to log on to the workstation using their assigned username and password.
+ </p></li></ol></div><div class="procedure"><a name="sbewinclntptrprep"></a><p class="title"><b>Procedure 3.7. Windows Client Printer Preparation Procedure</b></p><ol type="1"><li><p>
+ Click <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Settings</span> &#8594; <span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>.
+ Ensure that <span class="guimenuitem">Local printer</span> is selected.
+ </p></li><li><p>
+ Click <span class="guibutton">Next</span>. In the
+ <span class="guimenuitem">Manufacturer:</span> panel, select <code class="constant">HP</code>.
+ In the <span class="guimenuitem">Printers:</span> panel, select the printer called
+ <code class="constant">HP LaserJet 6</code>. Click <span class="guibutton">Next</span>.
+ </p></li><li><p>
+ In the <span class="guimenuitem">Available ports:</span> panel, select
+ <code class="constant">FILE:</code>. Accept the default printer name by clicking
+ <span class="guibutton">Next</span>. When asked, &#8220;<span class="quote">Would you like to print a
+ test page?,</span>&#8221; click <span class="guimenuitem">No</span>. Click
+ <span class="guibutton">Finish</span>.
+ </p></li><li><p>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <span class="guiicon">HP LaserJet 6</span> &#8594; <span class="guimenuitem">Properties</span> &#8594; <span class="guisubmenu">Details (Tab)</span> &#8594; <span class="guimenuitem">Add Port</span>.
+ </p></li><li><p>
+ In the <span class="guimenuitem">Network</span> panel, enter the name of
+ the print queue on the Samba server as follows: <code class="constant">\\DIAMOND\hplj6a</code>.
+ Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation.
+ </p></li><li><p>
+ Repeat the printer installation steps above for both HP LaserJet 6 printers
+ as well as for both QMS Magicolor laser printers.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id330151"></a>Key Points Learned</h3></div></div></div><p>
+ How do you feel? You have built a capable network, a truly ambitious project.
+ Future network updates can be handled by
+ your staff. You must be a satisfied manager. Let's review the achievements.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ A simple firewall has been configured to protect the server in the event that
+ the ISP firewall service should fail.
+ </p></li><li><p>
+ The Samba configuration uses measures to ensure that only local network users
+ can connect to SMB/CIFS services.
+ </p></li><li><p>
+ Samba uses the new <code class="constant">tdbsam</code> passdb backend facility.
+ Considerable complexity was added to Samba functionality.
+ </p></li><li><p>
+ A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS
+ server.
+ </p></li><li><p>
+ The DNS server was configured to permit DDNS only for local network clients. This
+ server also provides primary DNS services for the company Internet presence.
+ </p></li><li><p>
+ You introduced an application server as well as the concept of cloning a Windows
+ client in order to effect improved standardization of desktops and to reduce
+ the costs of network management.
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330204"></a>Questions and Answers</h2></div></div></div><p>
+ </p><div class="qandaset"><dl><dt>1. <a href="secure.html#id330220">
+ What is the maximum number of account entries that the tdbsam
+ passdb backend can handle?
+ </a></dt><dt>2. <a href="secure.html#id330273">
+ Would Samba operate any better if the OS level is set to a value higher than 35?
+ </a></dt><dt>3. <a href="secure.html#id330292">
+ Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
+ </a></dt><dt>4. <a href="secure.html#id330312">
+ Why has a path been specified in the IPC$ share?
+ </a></dt><dt>5. <a href="secure.html#id330337">
+ Why does the smb.conf file in this exercise include an entry for smb ports?
+ </a></dt><dt>6. <a href="secure.html#id330378">
+ What is the difference between a print queue and a printer?
+ </a></dt><dt>7. <a href="secure.html#id330405">
+ Can all MS Windows application software be installed onto an application server share?
+ </a></dt><dt>8. <a href="secure.html#id330426">
+ Why use dynamic DNS (DDNS)?
+ </a></dt><dt>9. <a href="secure.html#id330444">
+ Why would you use WINS as well as DNS-based name resolution?
+ </a></dt><dt>10. <a href="secure.html#id330514">
+ What are the major benefits of using an application server?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id330220"></a><a name="id330222"></a><b>1.</b></td><td align="left" valign="top"><p>
+ What is the maximum number of account entries that the <em class="parameter"><code>tdbsam</code></em>
+ passdb backend can handle?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The tdb data structure and support system can handle more entries than the number of
+ accounts that are possible on most UNIX systems. A practical limit would come into
+ play long before a performance boundary would be anticipated. That practical limit
+ is controlled by the nature of Windows networking. There are few Windows file and
+ print servers that can handle more than a few hundred concurrent client connections.
+ The key limiting factors that predicate offloading of services to additional servers
+ are memory capacity, the number of CPUs, network bandwidth, and disk I/O limitations.
+ All of these are readily exhausted by just a few hundred concurrent active users.
+ Such bottlenecks can best be removed by segmentation of the network (distributing
+ network load across multiple networks).
+ </p><p>
+ As the network grows, it becomes necessary to provide additional authentication
+ servers (domain controllers). The tdbsam is limited to a single machine and cannot
+ be reliably replicated. This means that practical limits on network design dictate
+ the point at which a distributed passdb backend is required; at this time, there is
+ no real alternative other than ldapsam (LDAP).
+ </p><p>
+ The guideline provided in <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 10, Section 10.1.2,
+ is to limit the number of accounts in the tdbsam backend to 250. This is the point
+ at which most networks tend to want backup domain controllers (BDCs). Samba-3 does
+ not provide a mechanism for replicating tdbsam data so it can be used by a BDC. The
+ limitation of 250 users per tdbsam is predicated only on the need for replication,
+ not on the limits<sup>[<a name="id330264" href="#ftn.id330264">8</a>]</sup> of the tdbsam backend itself.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id330273"></a><a name="id330275"></a><b>2.</b></td><td align="left" valign="top"><p>
+ Would Samba operate any better if the OS level is set to a value higher than 35?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value
+ of 35 already assures Samba of precedence over MS Windows products in browser elections. There is
+ no gain to be had from setting this higher.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id330292"></a><a name="id330294"></a><b>3.</b></td><td align="left" valign="top"><p>
+ Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at
+ a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special
+ Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id330312"></a><a name="id330314"></a><b>4.</b></td><td align="left" valign="top"><p>
+ Why has a path been specified in the <em class="parameter"><code>IPC$</code></em> share?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ This is done so that in the event that a software bug may permit a client connection to the IPC$ share to
+ obtain access to the file system, it does so at a location that presents least risk. Under normal operation
+ this type of paranoid step should not be necessary. The use of this parameter should not be necessary.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id330337"></a><a name="id330339"></a><b>5.</b></td><td align="left" valign="top"><p>
+ Why does the <code class="filename">smb.conf</code> file in this exercise include an entry for <a class="indexterm" name="id330350"></a>smb ports?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port
+ used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS
+ over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By
+ specifying the use of only port 139, the intent is to reduce unsuccessful service connection attempts.
+ The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain
+ member, the default behavior is highly beneficial and should not be changed.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id330378"></a><a name="id330380"></a><b>6.</b></td><td align="left" valign="top"><p>
+ What is the difference between a print queue and a printer?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ A printer is a physical device that is connected either directly to the network or to a computer
+ via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a
+ hard copy printout. Network-attached printers that use TCP/IP-based printing generally accept a
+ single print data stream and block all secondary attempts to dispatch jobs concurrently to the
+ same device. If many clients were to concurrently print directly via TCP/IP to the same printer,
+ it would result in a huge amount of network traffic through continually failing connection attempts.
+ </p><p>
+ A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or
+ print requests. When the data stream has been fully received, the input stream is closed,
+ and the job is then submitted to a sequential print queue where the job is stored until
+ the printer is ready to receive the job.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id330405"></a><a name="id330408"></a><b>7.</b></td><td align="left" valign="top"><p>
+ Can all MS Windows application software be installed onto an application server share?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Much older Windows software is not compatible with installation to and execution from
+ an application server. Enterprise versions of Microsoft Office XP Professional can
+ be installed to an application server. Retail consumer versions of Microsoft Office XP
+ Professional do not permit installation to an application server share and can be installed
+ and used only to/from a local workstation hard disk.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id330426"></a><a name="id330428"></a><b>8.</b></td><td align="left" valign="top"><p>
+ Why use dynamic DNS (DDNS)?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ When DDNS records are updated directly from the DHCP server, it is possible for
+ network clients that are not NetBIOS-enabled, and thus cannot use WINS, to locate
+ Windows clients via DNS.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id330444"></a><a name="id330446"></a><b>9.</b></td><td align="left" valign="top"><p>
+ Why would you use WINS as well as DNS-based name resolution?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is
+ a name like &#8220;<span class="quote">myhost.mydomain.tld</span>&#8221; where <em class="parameter"><code>tld</code></em>
+ means <code class="constant">top-level domain</code>. A FQDN is a longhand but easy-to-remember
+ expression that may be up to 1024 characters in length and that represents an IP address.
+ A NetBIOS name is always 16 characters long. The 16<sup>th</sup> character
+ is a name type indicator. A specific name type is registered<sup>[<a name="id330478" href="#ftn.id330478">9</a>]</sup> for each
+ type of service that is provided by the Windows server or client and that may be registered
+ where a WINS server is in use.
+ </p><p>
+ WINS is a mechanism by which a client may locate the IP Address that corresponds to a
+ NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name
+ that includes a particular registered NetBIOS name type. DNS does not provide a mechanism
+ that permits handling of the NetBIOS name type information.
+ </p><p>
+ DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular
+ hostname or service name that has been registered in the DNS database for a particular domain.
+ A DNS server has limited scope of control and is said to be authoritative for the zone over
+ which it has control.
+ </p><p>
+ Windows 200x Active Directory requires the registration in the DNS zone for the domain it
+ controls of service locator<sup>[<a name="id330504" href="#ftn.id330504">10</a>]</sup> records
+ that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also
+ requires the registration of special records that are called global catalog (GC) entries
+ and site entries by which domain controllers and other essential ADS servers may be located.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id330514"></a><a name="id330516"></a><b>10.</b></td><td align="left" valign="top"><p>
+ What are the major benefits of using an application server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The use of an application server can significantly reduce application update maintenance.
+ By providing a centralized application share, software updates need be applied to only
+ one location for all major applications used. This results in faster update roll-outs and
+ significantly better application usage control.
+ </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id325335" href="#id325335">5</a>] </sup>See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 3.
+ This is necessary so that Samba can act as a Domain Controller (PDC); see
+ <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 4, for additional information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id325710" href="#id325710">6</a>] </sup>You may want to do the echo command last and include
+ "0" in the init scripts, since it opens up your network for a short time.</p></div><div class="footnote"><p><sup>[<a name="ftn.id329230" href="#id329230">7</a>] </sup>For more information regarding winbindd, see <span class="emphasis"><em>TOSHARG2</em></span>,
+ Chapter 23, Section 23.3. The single instance of <code class="literal">smbd</code> is normal. One additional
+ <code class="literal">smbd</code> slave process is spawned for each SMB/CIFS client
+ connection.</p></div><div class="footnote"><p><sup>[<a name="ftn.id330264" href="#id330264">8</a>] </sup>Bench tests have shown that tdbsam is a very
+ effective database technology. There is surprisingly little performance loss even
+ with over 4000 users.</p></div><div class="footnote"><p><sup>[<a name="ftn.id330478" href="#id330478">9</a>] </sup>
+ See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9, for more information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id330504" href="#id330504">10</a>] </sup>See TOSHARG2, Chapter 9, Section 9.3.3.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="small.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Big500users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. Small Office Networking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. The 500-User Office</td></tr></table></div></body></html>
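Review bot: the answer to question 4 (the path on the <code>IPC$</code> share) closes with two sentences that make the same point, "Under normal operation this type of paranoid step should not be necessary. The use of this parameter should not be necessary."; keep one of them, and since the answer is making a least-privilege argument it would help to say what the chosen path is rather than only "a location that presents least risk". The answer to question 5 describes the order in which Windows clients try port 445 and then 139, which is the client side of the connection; as the question is about the <code>smb ports</code> entry in <code>smb.conf</code>, the answer should state explicitly what that parameter changes on the server so the reader can see why restricting it to 139 reduces the failed attempts the text mentions.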
diff --git a/docs/htmldocs/Samba3-ByExample/simple.html b/docs/htmldocs/Samba3-ByExample/simple.html
new file mode 100644
index 0000000000..c58e1ef896
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/simple.html
@@ -0,0 +1,861 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. No-Frills Samba Servers</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="next" href="small.html" title="Chapter 2. Small Office Networking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. No-Frills Samba Servers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ExNetworks.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="small.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="simple"></a>Chapter 1. No-Frills Samba Servers</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="simple.html#id316528">Introduction</a></span></dt><dt><span class="sect1"><a href="simple.html#id316559">Assignment Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="simple.html#id316598">Drafting Office</a></span></dt><dt><span class="sect2"><a href="simple.html#id317306">Charity Administration Office</a></span></dt><dt><span class="sect2"><a href="simple.html#AccountingOffice">Accounting Office</a></span></dt></dl></dd><dt><span class="sect1"><a href="simple.html#id320818">Questions and Answers</a></span></dt></dl></div><p>
+ This is the start of the real journey toward the successful deployment of Samba. For some this chapter
+ is the end of the road because their needs will have been adequately met. For others, this chapter is
+ the beginning of a journey that will take them well past the contents of this book. This book provides
+ example configurations of, for the greater part, complete networking solutions. The intent of this book
+ is to help you to get your Samba installation working with the least amount of pain and aggravation.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id316528"></a>Introduction</h2></div></div></div><p>
+ This chapter lays the groundwork for understanding the basics of Samba operation.
+ Instead of a bland technical discussion, each principle is demonstrated by way of a
+ real-world scenario for which a working solution<sup>[<a name="id316538" href="#ftn.id316538">1</a>]</sup> is fully described.
+ </p><p>
+ The practical exercises take you on a journey through a drafting office, a charity administration
+ office, and an accounting office. You may choose to apply any or all of these exercises to your own environment.
+ </p><p>
+ Every assignment case can be implemented far more creatively, but remember that the solutions you
+ create are designed to demonstrate a particular solution possibility. With experience, you should
+ find much improved solutions compared with those presented here. By the time you complete this book,
+ you should aim to be a Samba expert, so do attempt to find better solutions and try them as you work your
+ way through the examples.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id316559"></a>Assignment Tasks</h2></div></div></div><p>
+ Each case presented highlights different aspects of Windows networking for which a simple
+ Samba-based solution can be provided. Each has subtly different requirements taken from real-world cases.
+ The cases are briefly reviewed to cover important points. Instructions are based
+ on the assumption that the official Samba Team RPM package has been installed.
+ </p><p>
+ This chapter has three assignments built around fictitious companies:
+ </p><p>
+ </p><div class="itemizedlist"><ul type="disc"><li><p>A drafting office</p></li><li><p>A charity administration office</p></li><li><p>An accounting office</p></li></ul></div><p>
+ </p><p>
+ Let's get started.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id316598"></a>Drafting Office</h3></div></div></div><p>
+ Our fictitious company is called <span class="emphasis"><em>Abmas Design, Inc.</em></span> This is a three-person
+ computer-aided design (CAD) business that often has more work than can be handled. The
+ business owner hires contract draftspeople from wherever he can. They bring their own
+ notebook computers into the office. There are four permanent drafting machines. Abmas has a
+ collection of over 10 years of plans that must be available for all draftsmen to reference.
+ Abmas hires the services of an experienced network engineer to update the
+ plans that are stored on a central server one day per month. She knows how to upload
+ plans from each machine. The files available from the server must remain read-only.
+ Anyone should be able to access the plans at any time and without barriers or difficulty.
+ </p><p><a class="indexterm" name="id316618"></a>
+ <a class="indexterm" name="id316625"></a>
+ Mr. Bob Jordan has asked you to install the new server as economically as possible. The central
+ server has a Pentium-IV 1.6GHz CPU, 768MB RAM, a 20GB IDE boot drive, a 160GB IDE second disk
+ to store plans, and a 100-base-T Ethernet card. You have already installed Red Hat Fedora CoreX and
+ have upgraded Samba to version 3.0.20 using the RPM package that is provided from the Samba
+ <a href="http://www.samba.org" target="_top">FTP</a> sites. (Note: Fedora CoreX indicates your favorite
+ version.)
+ </p><p><a class="indexterm" name="id316647"></a>
+ The four permanent drafting machines (Microsoft Windows workstations) have attached printers
+ and plotters that are shared on a peer-to-peer basis by any and all network users. The intent
+ is to continue to share printers in this manner. The three permanent staff work together with
+ all contractors to store all new work on one PC. A daily copy is made of the work storage
+ area to another PC for safekeeping. When the network consultant arrives, the weekly work
+ area is copied to the central server and the files are removed from the main weekly storage
+ machine. The office works best with this arrangement and does not want to change anything.
+ Old habits are too ingrained.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id316663"></a>Dissection and Discussion</h4></div></div></div><p>
+ <a class="indexterm" name="id316671"></a>
+ The requirements for this server installation demand simplicity. An anonymous read-only
+ file server adequately meets all needs. The network consultant determines how
+ to upload all files from the weekly storage area to the server. This installation should
+ focus only on critical aspects of the installation.
+ </p><p>
+ It is not necessary to have specific users on the server. The site has a method for storing
+ all design files (plans). Each plan is stored in a directory that is named YYYYWW,<sup>[<a name="id316688" href="#ftn.id316688">2</a>]</sup> where
+ YYYY is the year, and WW is the week of the year. This arrangement allows work to be stored
+ by week of year to preserve the filing technique the site is familiar with.
+ There is also a customer directory that is alphabetically listed. At the top level are 26
+ directories (A-Z), in each is a second-level of directory for the first plus second letters of the name
+ (A-Z); inside each is a directory by the customers' name. Inside each directory is a symbolic
+ link to each design drawing or plan. This way of storing customer data files permits all
+ plans to be located both by customer name and by the date the work was performed, without
+ demanding the disk space that would be needed if a duplicate file copy were to be stored.
+ The share containing the plans is called <span class="emphasis"><em>Plans</em></span>.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id316708"></a>Implementation</h4></div></div></div><p>
+ It is assumed that the server is fully installed and ready for installation and
+ configuration of Samba 3.0.20 and any support files needed. All TCP/IP addresses
+ have been hard-coded. In our case the IP address of the Samba server is
+ <code class="constant">192.168.1.1</code> and the netmask is <code class="constant">255.255.255.0</code>.
+ The hostname of the server used is <code class="constant">server</code>.
+ </p><div class="procedure"><a name="id316730"></a><p class="title"><b>Procedure 1.1. Samba Server Configuration</b></p><ol type="1"><li><p>
+ Download the Samba-3 RPM packages for Red Hat Fedora Core2 from the Samba
+ <a href="http://www.samba.org" target="_top">FTP servers.</a>
+ </p></li><li><p>
+ <a class="indexterm" name="id316754"></a>
+ <a class="indexterm" name="id316763"></a>
+ Install the RPM package using either the Red Hat Linux preferred GUI
+ tool or the <code class="literal">rpm</code>:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -Uvh samba-3.0.20-1.i386.rpm
+</pre><p>
+ </p></li><li><p>
+ Create a mount point for the file system that will be used to store all data files.
+ You can create a directory called <code class="filename">/plans</code>:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir /plans
+<code class="prompt">root# </code> chmod 755 /plans
+</pre><p>
+ The 755 permissions on this directory (mount point) permit the owner to read, write,
+ and execute, and the group and everyone else to read and execute only.
+ </p><p>
+ <a class="indexterm" name="id316824"></a>
+ Use Red Hat Linux system tools (refer to Red Hat instructions)
+ to format the 160GB hard drive with a suitable file system. An Ext3 file system
+ is suitable. Configure this drive to automatically mount using the <code class="filename">/plans</code>
+ directory as the mount point.
+ </p></li><li><p>
+ Install the <code class="filename">smb.conf</code> file shown in <a href="simple.html#draft-smbconf" title="Example 1.1. Drafting Office smb.conf File">???</a> in the
+ <code class="filename">/etc/samba</code> directory.
+
+</p><div class="example"><a name="draft-smbconf"></a><p class="title"><b>Example 1.1. Drafting Office <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global Parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id316899"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id316911"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[Plans]</code></em></td></tr><tr><td><a class="indexterm" name="id316933"></a><em class="parameter"><code>path = /plans</code></em></td></tr><tr><td><a class="indexterm" name="id316945"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id316958"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><p><br class="example-break">
+ </p></li><li><p>
+ <a class="indexterm" name="id316978"></a>
+ Verify that the <code class="filename">/etc/hosts</code> file contains the following entry:
+</p><pre class="screen">
+192.168.1.1 server
+</pre><p>
+
+ </p></li><li><p>
+ <a class="indexterm" name="id317004"></a>
+ <a class="indexterm" name="id317013"></a>
+ <a class="indexterm" name="id317020"></a>
+ Use the standard system tool to start Samba and to configure it to restart
+ automatically at every system reboot. For example,
+</p><pre class="screen">
+<code class="prompt">root# </code> chkconfig smb on
+<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart
+</pre><p>
+ </p></li></ol></div><div class="procedure"><a name="id317047"></a><p class="title"><b>Procedure 1.2. Windows Client Configuration</b></p><ol type="1"><li><p>
+ Make certain that all clients are set to the same network address range as
+ used for the Samba server. For example, one client might have an IP
+ address 192.168.1.10.
+ </p></li><li><p>
+ <a class="indexterm" name="id317067"></a>
+ Ensure that the netmask used on the Windows clients matches that used
+ for the Samba server. All clients must have the same netmask, such as
+ 255.255.255.0.
+ </p></li><li><p>
+ <a class="indexterm" name="id317082"></a>
+ Set the workgroup name on all clients to <code class="constant">MIDEARTH</code>.
+ </p></li><li><p>
+ Verify on each client that the machine called <code class="constant">SERVER</code>
+ is visible in the <span class="guimenu">Network Neighborhood</span>, that it is
+ possible to connect to it and see the share <span class="guimenuitem">Plans</span>,
+ and that it is possible to open that share to reveal its contents.
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="validate1"></a>Validation</h4></div></div></div><p>
+ <a class="indexterm" name="id317131"></a>
+ The first priority in validating the new Samba configuration should be to check
+ that Samba answers on the loop-back interface. Then it is time to check that Samba
+ answers its own name correctly. Last, check that a client can connect to the Samba
+ server.
+ </p><div class="procedure"><ol type="1"><li><p>
+ <a class="indexterm" name="id317148"></a>
+ <a class="indexterm" name="id317155"></a>
+ <a class="indexterm" name="id317162"></a>
+ To check the ability to access the <code class="literal">smbd</code> daemon
+ services, execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient -L localhost -U%
+ Sharename Type Comment
+ --------- ---- -------
+ Plans Disk
+ IPC$ IPC IPC Service (Samba 3.0.20)
+ ADMIN$ IPC IPC Service (Samba 3.0.20)
+
+ Server Comment
+ --------- -------
+ SERVER Samba 3.0.20
+
+ Workgroup Master
+ --------- --------
+ MIDEARTH SERVER
+</pre><p>
+ <a class="indexterm" name="id317191"></a>
+ <a class="indexterm" name="id317198"></a>
+ This indicates that Samba is able to respond on the loopback interface to
+ a NULL connection. The <em class="parameter"><code>-U%</code></em> means send an empty
+ username and an empty password. This command should be repeated after
+ Samba has been running for 15 minutes.
+ </p></li><li><p>
+ Now verify that Samba correctly handles being passed a username
+ and password, and that it answers its own name. Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient -L server -Uroot%password
+</pre><p>
+ The output should be identical to the previous response. Samba has been
+ configured to ignore all usernames given; instead it uses the
+ <em class="parameter"><code>guest account</code></em> for all connections.
+ </p></li><li><p>
+ <a class="indexterm" name="id317246"></a>
+ <a class="indexterm" name="id317252"></a>
+ From the Windows 9x/Me client, launch Windows Explorer:
+ <span class="guiicon">[Desktop: right-click] Network Neighborhood</span>+<span class="guimenu">Explore</span> &#8594; <span class="guimenuitem">[Left Panel] [+] Entire Network</span> &#8594; <span class="guimenuitem">[Left Panel] [+] Server</span> &#8594; <span class="guimenuitem">[Left Panel] [+] Plans</span>. In the right panel you should see the files and directories
+ (folders) that are in the <span class="guiicon">Plans</span> share.
+ </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id317306"></a>Charity Administration Office</h3></div></div></div><p>
+ The fictitious charity organization is called <span class="emphasis"><em>Abmas Vision NL</em></span>. This office
+ has five networked computers. Staff are all volunteers, staff changes are frequent.
+ Ms. Amy May, the director of operations, wants a no-hassle network. Anyone should be able to
+ use any PC. Only two Windows applications are used: a custom funds tracking and management package
+ that stores all files on the central server and Microsoft Word. The office prepares mail-out
+ letters, invitations, and thank-you notes. All files must be stored in perpetuity.
+ The custom funds tracking and management (FTM) software is configured to use a server named
+ <code class="constant">SERVER</code>, a share named <code class="constant">FTMFILES</code>, and a printer queue
+ named <code class="constant">PRINTQ</code> that uses preprinted stationery, thus demanding a
+ dedicated printer. This printer does not need to be mapped to a local printer on the workstations.
+ </p><p>
+ The FTM software has been in use since the days of Windows 3.11. The software was configured
+ by the vendor who has since gone out of business. The identities of the file
+ server and the printer are hard-coded in a configuration file that was created using a
+ setup tool that the vendor did not provide to Abmas Vision NL or to its predecessors. The
+ company that produced the software is no longer in business. In order to avoid risk of
+ any incompatibilities, the share name and the name of the target print queue must be set
+ precisely as the application expects. In fact, share names and print queue names
+ should be treated as case insensitive (i.e., case does not matter), but Abmas Vision advises
+ that if the share name is not in lowercase, the application claims it cannot find the
+ file share.
+ </p><p>
+ <a class="indexterm" name="id317353"></a>
+ <a class="indexterm" name="id317360"></a>
+ Printer handling in Samba results in a significant level of confusion. Samba presents to the
+ MS Windows client only a print queue. The Samba <code class="literal">smbd</code> process passes a
+ print job sent to it from the Windows client to the native UNIX printing system. The native
+ UNIX printing system (spooler) places the job in a print queue from which it is
+ delivered to the printer. In this book, network diagrams refer to a printer by the name
+ of the print queue that services that printer. It does not matter what the fully qualified
+ name (or the hostname) of a network-attached printer is. The UNIX print spooler is configured
+ to correctly deliver all jobs to the printer.
+ </p><p>
+ This organization has a policy forbidding use of privately owned computers on site as a measure
+ to prevent leakage of confidential information. Only the five PCs owned by Abmas Vision NL are
+ used on this network.
+ </p><p>
+ <a class="indexterm" name="id317386"></a>
+ The central server was donated by a local computer store. It is a dual processor Pentium-III
+ server, has 1GB RAM, a 3-Ware IDE RAID Controller that has four 200GB IDE hard drives, and a
+ 100-base-T network card. The office has 100-base-T permanent network connections that go to
+ a central hub, and all equipment is new. The five network computers all are equipped with Microsoft
+ Windows Me. Funding is limited, so the server has no operating system on it. You have approval
+ to install Samba on Linux, provided it works without problems. There are two HP LaserJet
+ 5 PS printers that are network connected. The second printer is to be used for general
+ office and letter printing. Your recommendation to allow only the Linux server to print directly
+ to the printers was accepted. You have supplied SUSE Enterprise Linux Server 9 and
+ have upgraded Samba to version 3.0.20.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id317402"></a>Dissection and Discussion</h4></div></div></div><p>
+ <a class="indexterm" name="id317410"></a>
+ <a class="indexterm" name="id317416"></a>
+ <a class="indexterm" name="id317423"></a>
+ <a class="indexterm" name="id317430"></a>
+ This installation demands simplicity. Frequent turnover of volunteer staff indicates that
+ a network environment that requires users to logon might be problematic. It is suggested that the
+ best solution for this office would be one where the user can log onto any PC with any username
+ and password. Samba can accommodate an office like this by using the <em class="parameter"><code>force user</code></em>
+ parameter in share and printer definitions. Using the <em class="parameter"><code>force user</code></em>
+ parameter ensures that all files are owned by same user identifier (UID) and thus that there
+ will never be a problem with file access due to file access permissions. Additionally, you elect
+ to use the <em class="parameter"><code>nt acl support = No</code></em> option to ensure that
+ access control lists (Posix type) cannot be written to any file or directory. This prevents
+ an inadvertent ACL from overriding actual file permissions.
+ </p><p>
+ <a class="indexterm" name="id317467"></a>
+ <a class="indexterm" name="id317474"></a>
+ <a class="indexterm" name="id317481"></a>
+ This organization is a prime candidate for Share Mode security. The <em class="parameter"><code>force user</code></em>
+ allows all files to be owned by the same user and group. In addition, it would not hurt to
+ set SUID and set SGID shared directories. This means that all new files that are created, no matter
+ who creates it, are owned by the owner or group of the directory in which they are created.
+ For further information regarding the significance of the SUID/SGID settings, see <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#ch12-SUIDSGID" title="Effect of Setting File and Directory SUID/SGID Permissions Explained">???</a>.
+ </p><p>
+ <a class="indexterm" name="id317515"></a>
+ <a class="indexterm" name="id317522"></a>
+ <a class="indexterm" name="id317531"></a>
+ <a class="indexterm" name="id317538"></a>
+ All client workstations print to a print queue on the server. This ensures that print jobs
+ continue to print in the event that a user shuts down the workstation immediately after
+ sending a job to the printer. Today, both Red Hat Linux and SUSE Linux use CUPS-based printing.
+ Older Linux systems offered a choice between the LPRng printing system or CUPS. It appears, however,
+ that CUPS has become the leading UNIX printing technology.
+ </p><p>
+ <a class="indexterm" name="id317552"></a>
+ The print queues are set up as <code class="constant">Raw</code> devices, which means that CUPS will
+ not do intelligent print processing, and vendor-supplied drivers must be installed locally on the
+ Windows clients.
+ </p><p>
+ The hypothetical software, FTM, is representative of
+ custom-built software that directly uses a NetBIOS interface. Most such software originated in
+ the days of MS/PC DOS. NetBIOS names are uppercase (and functionally are case insensitive),
+ so some old software applications would permit only uppercase names to be entered.
+ Some such applications were later ported to MS Windows but retain the uppercase network
+ resource naming conventions because customers are familiar with that. We made the decision
+ to name shares and print queues for this application in uppercase for the same reason.
+ Nothing would break if we were to use lowercase names, but that decision might create a need
+ to retrain staff something well avoided at this time.
+ </p><p>
+ NetBIOS networking does not print directly to a printer. Instead, all printing is done to a
+ print queue. The print spooling system is responsible for communicating with the physical
+ printer. In this example, therefore, the resource called <code class="constant">PRINTQ</code>
+ really is just a print queue. The name of the print queue is representative of
+ the device to which the print spooler delivers print jobs.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id317589"></a>Implementation</h4></div></div></div><p>
+ It is assumed that the server is fully installed and ready for configuration of
+ Samba 3.0.20 and for necessary support files. All TCP/IP addresses should be hard-coded.
+ In our case, the IP address of the Samba server is 192.168.1.1 and the netmask is
+ 255.255.255.0. The hostname of the server used is <code class="constant">server</code>.
+ The office network is built as shown in <a href="simple.html#charitynet" title="Figure 1.1. Charity Administration Office Network">???</a>.
+ </p><div class="figure"><a name="charitynet"></a><p class="title"><b>Figure 1.1. Charity Administration Office Network</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/Charity-Network.png" width="432" alt="Charity Administration Office Network"></div></div></div><br class="figure-break"><div class="procedure"><a name="id317651"></a><p class="title"><b>Procedure 1.3. Samba Server Configuration</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id317662"></a>
+ Create a group account for office file storage:
+</p><pre class="screen">
+<code class="prompt">root# </code> groupadd office
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id317687"></a>
+ <a class="indexterm" name="id317694"></a>
+ Create a user account for office file storage:
+</p><pre class="screen">
+<code class="prompt">root# </code> useradd -m abmas
+<code class="prompt">root# </code> passwd abmas
+Changing password for abmas.
+New password: XXXXXXXX
+Re-enter new password: XXXXXXXX
+Password changed
+</pre><p>
+ where XXXXXXXX is a secret password.
+ </p></li><li><p>
+ Use the 3-Ware IDE RAID Controller firmware utilities to configure the four 200GB
+ drives as a single RAID level 5 drive, with one drive set aside as the hot spare.
+ (Refer to the 3-Ware RAID Controller Manual for the manufacturer's preferred procedure.)
+ The resulting drive has a capacity of approximately 500GB of usable space.
+ </p></li><li><p>
+ <a class="indexterm" name="id317736"></a>
+ Create a mount point for the file system that can be used to store all data files.
+ Create a directory called <code class="filename">/data</code>:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir /data
+<code class="prompt">root# </code> chmod 755 /data
+</pre><p>
+ The 755 permissions on this directory (mount point) permit the owner to read, write, and execute,
+ and the group and everyone else to read and execute only.
+ </p></li><li><p>
+ Use SUSE Linux system tools (refer to the SUSE Administrators Guide for correct
+ procedures) to format the partition with a suitable file system. The reiserfs file system
+ is suitable. Configure this drive to automount using the <code class="filename">/data</code>
+ directory as the mount point. It must be mounted before proceeding.
+ </p></li><li><p>
+ Under the directory called <code class="filename">/data</code>, create two directories
+ named <code class="filename">ftmfiles</code> and <code class="filename">officefiles</code>, and set
+ ownership and permissions:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /data/{ftmfiles,officefiles/{letters,invitations,misc}}
+<code class="prompt">root# </code> chown -R abmas:office /data
+<code class="prompt">root# </code> chmod -R ug+rwxs,o-w,o+rx /data
+</pre><p>
+ These demonstrate compound operations. The <code class="literal">mkdir</code> command
+ creates in one step these directories:
+</p><pre class="programlisting">
+/data/fmtfiles
+/data/officefiles
+/data/officefiles/letters
+/data/officefiles/invitations
+/data/officefiles/misc
+</pre><p>
+ <a class="indexterm" name="id317847"></a>
+ The <code class="literal">chown</code> operation sets the owner to the user <code class="constant">abmas</code>
+ and the group to <code class="constant">office</code> on all directories just created. It recursively
+ sets the permissions so that the owner and group have SUID/SGID with read, write, and execute
+ permission, and everyone else has read and execute permission. This means that all files and
+ directories are created with the same owner and group as the directory in which they are
+ created. Any new directories created still have the same owner, group, and permissions as the
+ directory they are in. This should eliminate all permissions-based file access problems. For
+ more information on this subject, refer to TOSHARG2<sup>[<a name="id317872" href="#ftn.id317872">3</a>]</sup> or refer
+ to the UNIX man page for the <code class="literal">chmod</code> and the <code class="literal">chown</code> commands.
+ </p></li><li><p>
+ Install the <code class="filename">smb.conf</code> file shown in <a href="simple.html#charity-smbconfnew" title="Example 1.2. Charity Administration Office smb.conf New-style File">???</a> in the
+ <code class="filename">/etc/samba</code> directory. This newer <code class="filename">smb.conf</code> file uses user-mode security
+ and is more suited to the mode of operation of Samba-3 than the older share-mode security
+ configuration that was shown in the first edition of this book.
+ </p><p>
+ Note: If you want to use the older-style configuration that uses share-mode security, you
+ can install the file shown in <a href="simple.html#charity-smbconf" title="Example 1.3. Charity Administration Office smb.conf Old-style File">???</a> in the
+ <code class="filename">/etc/samba</code> directory.
+ </p></li><li><p>
+ <a class="indexterm" name="id317945"></a>
+ We must ensure that the <code class="literal">smbd</code> can resolve the name of the Samba
+ server to its IP address. Verify that the <code class="filename">/etc/hosts</code> file
+ contains the following entry:
+</p><pre class="screen">
+192.168.1.1 server
+</pre><p>
+ </p></li><li><p>
+ Configure the printers with the IP address as shown in <a href="simple.html#charitynet" title="Figure 1.1. Charity Administration Office Network">???</a>.
+ Follow the instructions in the manufacturer's manual to permit printing to port 9100
+ so that the CUPS spooler can print using raw mode protocols.
+ </p></li><li><p>
+ <a class="indexterm" name="id317991"></a>
+ Configure the CUPS Print Queues:
+</p><pre class="screen">
+<code class="prompt">root# </code> lpadmin -p PRINTQ -v socket://192.168.1.20:9100 -E
+<code class="prompt">root# </code> lpadmin -p hplj5 -v socket://192.168.1.30:9100 -E
+</pre><p>
+ This creates the necessary print queues with no assigned print filter.
+ </p></li><li><p>
+ <a class="indexterm" name="id318024"></a>
+ <a class="indexterm" name="id318031"></a>
+ <a class="indexterm" name="id318038"></a>
+ Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream application/vnd.cups-raw 0 -
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id318064"></a>
+ Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id318089"></a>
+ Use the standard system tool to start Samba and CUPS to configure them to restart
+ automatically at every system reboot. For example,
+ </p><p>
+ <a class="indexterm" name="id318100"></a>
+ <a class="indexterm" name="id318107"></a>
+ <a class="indexterm" name="id318114"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> chkconfig smb on
+<code class="prompt">root# </code> chkconfig cups on
+<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart
+<code class="prompt">root# </code> /etc/rc.d/init.d/cups restart
+</pre><p>
+ </p></li></ol></div><div class="example"><a name="charity-smbconfnew"></a><p class="title"><b>Example 1.2. Charity Administration Office <code class="filename">smb.conf</code> New-style File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global Parameters - Newer Configuration</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id318186"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id318198"></a><em class="parameter"><code>printing = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id318211"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id318223"></a><em class="parameter"><code>map to guest = Bad User</code></em></td></tr><tr><td><a class="indexterm" name="id318236"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id318248"></a><em class="parameter"><code>wins support = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[FTMFILES]</code></em></td></tr><tr><td><a class="indexterm" name="id318270"></a><em class="parameter"><code>comment = Funds Tracking &amp; Management Files</code></em></td></tr><tr><td><a class="indexterm" name="id318283"></a><em class="parameter"><code>path = /data/ftmfiles</code></em></td></tr><tr><td><a class="indexterm" name="id318295"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id318308"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id318320"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id318333"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" 
name="id318345"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[office]</code></em></td></tr><tr><td><a class="indexterm" name="id318367"></a><em class="parameter"><code>comment = General Office Files</code></em></td></tr><tr><td><a class="indexterm" name="id318380"></a><em class="parameter"><code>path = /data/officefiles</code></em></td></tr><tr><td><a class="indexterm" name="id318392"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id318405"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id318417"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id318430"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id318442"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id318464"></a><em class="parameter"><code>comment = Print Temporary Spool Configuration</code></em></td></tr><tr><td><a class="indexterm" name="id318477"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id318489"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id318502"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id318514"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id318527"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="charity-smbconf"></a><p class="title"><b>Example 1.3. 
Charity Administration Office <code class="filename">smb.conf</code> Old-style File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global Parameters - Older Style Configuration</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id318573"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id318586"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td><a class="indexterm" name="id318598"></a><em class="parameter"><code>printing = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id318611"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id318623"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id318636"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id318649"></a><em class="parameter"><code>wins support = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[FTMFILES]</code></em></td></tr><tr><td><a class="indexterm" name="id318670"></a><em class="parameter"><code>comment = Funds Tracking &amp; Management Files</code></em></td></tr><tr><td><a class="indexterm" name="id318683"></a><em class="parameter"><code>path = /data/ftmfiles</code></em></td></tr><tr><td><a class="indexterm" name="id318695"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id318708"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id318720"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id318733"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a 
class="indexterm" name="id318746"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[office]</code></em></td></tr><tr><td><a class="indexterm" name="id318767"></a><em class="parameter"><code>comment = General Office Files</code></em></td></tr><tr><td><a class="indexterm" name="id318780"></a><em class="parameter"><code>path = /data/officefiles</code></em></td></tr><tr><td><a class="indexterm" name="id318792"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id318805"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id318817"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id318830"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id318842"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id318864"></a><em class="parameter"><code>comment = Print Temporary Spool Configuration</code></em></td></tr><tr><td><a class="indexterm" name="id318877"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id318889"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id318902"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id318914"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id318927"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="procedure"><a name="id318940"></a><p class="title"><b>Procedure 1.4. 
Windows Client Configuration</b></p><ol type="1"><li><p>
+ Configure clients to the network settings shown in <a href="simple.html#charitynet" title="Figure 1.1. Charity Administration Office Network">???</a>.
+ </p></li><li><p>
+ Ensure that the netmask used on the Windows clients matches that used
+ for the Samba server. All clients must have the same netmask, such as
+ <code class="constant">255.255.255.0</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id318976"></a>
+ On all Windows clients, set the WINS Server address to <code class="constant">192.168.1.1</code>,
+ the IP address of the server.
+ </p></li><li><p>
+ Set the workgroup name on all clients to <code class="constant">MIDEARTH</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id319005"></a>
+ Install the &#8220;<span class="quote">Client for Microsoft Networks.</span>&#8221; Ensure that the only option
+ enabled in its properties is the option &#8220;<span class="quote">Logon and restore network connections.</span>&#8221;
+ </p></li><li><p>
+ Click <span class="guibutton">OK</span> when you are prompted to reboot the system. Reboot the
+ system, then log on using any username and password you choose.
+ </p></li><li><p>
+ <a class="indexterm" name="id319040"></a>
+ Verify on each client that the machine called <code class="constant">SERVER</code>
+ is visible in <span class="guimenu">My Network Places</span>, that it is
+ possible to connect to it and see the share <span class="guimenuitem">office</span>,
+ and that it is possible to open that share to reveal its contents.
+ </p></li><li><p>
+ <a class="indexterm" name="id319071"></a>
+ <a class="indexterm" name="id319077"></a>
+ Disable password caching on all Windows 9x/Me machines using the registry change file
+ shown in <a href="simple.html#MEreg" title="Example 1.4. Windows Me Registry Edit File: Disable Password Caching">???</a>. Be sure to remove all files that have the
+ <code class="filename">PWL</code> extension that are in the <code class="filename">C:\WINDOWS</code>
+ directory.
+</p><div class="example"><a name="MEreg"></a><p class="title"><b>Example 1.4. Windows Me Registry Edit File: Disable Password Caching</b></p><div class="example-contents"><pre class="screen">
+REGEDIT4
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
+ Windows\CurrentVersion\Policies\Network]
+ "DisablePwdCaching"=dword:00000001
+</pre></div></div><p><br class="example-break">
+ The best way to apply this change is to save the patch in a file called
+ <code class="filename">ME-dpwc.reg</code> and then execute:
+</p><pre class="screen">
+C:\WINDOWS: regedit ME-dpwc.reg
+</pre><p>
+ </p></li><li><p>
+ Instruct all users to log onto the workstation using a name and password of their own
+ choosing. The Samba server has been
+ configured to ignore the username and password given.
+ </p></li><li><p>
+ On each Windows Me workstation, configure a network drive mapping to drive <code class="filename">G:</code>
+ that redirects to the uniform naming convention (UNC) resource
+ <code class="filename">\\server\office</code>. Make this a permanent drive connection:
+ </p><div class="procedure"><ol type="1"><li><p>
+ <span class="guimenu">My Network</span> &#8594; <span class="guimenuitem">Map Network Drive...</span>
+ </p></li><li><p>
+ In the box labeled &#8220;<span class="quote">Drive:</span>&#8221;, type G.
+ </p></li><li><p>
+ In the box labeled &#8220;<span class="quote">Path:</span>&#8221;, enter
+ <code class="filename">\\server\officefiles</code>.
+ </p></li><li><p>
+ Click <span class="guimenuitem">Reconnect at logon</span>.
+ Click <span class="guibutton">OK</span>.
+ </p></li></ol></div></li><li><p>
+ On each workstation, install the FTM software following the
+ manufacturer's instructions.
+ </p><div class="procedure"><ol type="1"><li><p>
+ During installation, you are prompted for the name of the Windows 98
+ server. Enter the name <code class="constant">SERVER</code>.
+ </p></li><li><p>
+ You are prompted for the name of the data share.
+ The prompt defaults to <code class="constant">FTMFILES</code>. Press enter to accept the default value.
+ </p></li><li><p>
+ You are now prompted for the print queue name. The default prompt is the name of
+ the server you entered (<code class="constant">SERVER</code> as follows:
+ <code class="constant">\\SERVER\PRINTQ</code>). Simply accept the default and press enter to
+ continue. The software now completes the installation.
+ </p></li></ol></div></li><li><p>
+ Install an office automation software package of the customer's choice. Either Microsoft
+ Office 2003 Standard or OpenOffice 1.1.0 suffices for any functions the office may
+ need to perform. Repeat this on each workstation.
+ </p></li><li><p>
+ Install a printer on each workstation using the following steps:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Click <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Settings</span> &#8594; <span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>.
+ Ensure that <span class="guimenuitem">Local printer</span> is selected.
+ </p></li><li><p>
+ Click <span class="guibutton">Next</span>. In the Manufacturer: panel, select
+ <code class="constant">HP</code>. In the Printers: panel, select the printer called
+ <code class="constant">HP LaserJet 5/5M Postscript</code>. Click <span class="guibutton">Next</span>.
+ </p></li><li><p>
+ In the Available ports: panel, select <code class="constant">FILE:</code>. Accept the
+ default printer name by clicking <span class="guibutton">Next</span>. When asked,
+ &#8220;<span class="quote">Would you like to print a test page?</span>&#8221;, click
+ <span class="guimenuitem">No</span>. Click <span class="guibutton">Finish</span>.
+ </p></li><li><p>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <span class="guiicon">HP LaserJet 5/5M Postscript</span> &#8594; <span class="guimenuitem">Properties</span> &#8594; <span class="guisubmenu">Details (Tab)</span> &#8594; <span class="guimenuitem">Add Port</span>.
+ </p></li><li><p>
+ In the Network panel, enter the name of
+ the print queue on the Samba server as follows: <code class="constant">\\SERVER\hplj5</code>.
+ Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation.
+ </p></li><li><p>
+ It is a good idea to test the functionality of the complete installation before
+ handing the newly configured network over to the Charity Administration Office
+ for production use.
+ </p></li></ol></div></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id319497"></a>Validation</h4></div></div></div><p>
+ Use the same validation process as was followed in <a href="simple.html#validate1" title="Validation">???</a>.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="AccountingOffice"></a>Accounting Office</h3></div></div></div><p>
+ Abmas Accounting is a 40-year-old family-run business. There are nine permanent
+ computer users. The network clients were upgraded two years ago. All computers run Windows 2000
+ Professional. This year the server will be upgraded from an old Windows NT4 server (actually
+ running Windows NT4 Workstation, which worked fine for fewer than 10 users) that has
+ run in workgroup (standalone) mode, to a new Linux server running Samba.
+ </p><p>
+ The office does not want a Domain Server. Mr. Alan Meany wants to keep the Windows 2000 Professional
+ clients running as workgroup machines so that any staff member can take a machine home and keep
+ working. It has worked well so far, and your task is to replace the old server. All users have
+ their own workstation logon (you configured it that way when the machines were installed).
+ Mr. Meany wants the new system to operate the same way as the old Windows NT4 server users
+ cannot access each others' files, but he can access everyone's files. Each person's work files are
+ in a separate share on the server. Users log on to their Windows workstation with their username
+ and enter an assigned password; they do not need to enter a password when accessing their files
+ on the server.
+ </p><p>
+ <a class="indexterm" name="id319546"></a>
+ The new server will run Red Hat Fedora Core2. You should install Samba-3.0.20 and
+ copy all files from the old system to the new one. The existing Windows NT4 server has a parallel
+ port HP LaserJet 4 printer that is shared by all. The printer driver is installed on each
+ workstation. You must not change anything on the workstations. Mr. Meany gave instructions to
+ replace the server, &#8220;<span class="quote">but leave everything else alone to avoid staff unrest.</span>&#8221;
+ </p><p>
+ You have tried to educate Mr. Meany and found that he has no desire to understand networking.
+ He believes that Windows for Workgroups 3.11 was &#8220;<span class="quote">the best server Microsoft ever sold
+ </span>&#8221; and that Windows NT and 2000 are &#8220;<span class="quote">too fang-dangled complex!</span>&#8221;
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id319572"></a>Dissection and Discussion</h4></div></div></div><p>
+ <a class="indexterm" name="id319580"></a>
+ The requirements of this network installation are not unusual. The staff are not interested in the
+ details of networking. Passwords are never changed. In this example solution, we demonstrate the use
+ of User Mode security in a simple context. Directories should be set SGID to ensure that members
+ of a common group can access the contents. Each user has his or her own share to which only they
+ can connect. Mr. Meany's share will be a top-level directory above the share point for each employee.
+ Mr. Meany is a member of the same group as his staff and can access their work files.
+ The well-used HP LaserJet 4 is available as a service called <code class="constant">hplj</code>.
+ </p><p>
+ You have finished configuring the new hardware and have just completed installation of Red Hat
+ Fedora Core2. Roll up your sleeves and let's get to work.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="AcctgNet"></a>Implementation</h4></div></div></div><p>
+ The workstations have fixed IP addresses. The old server runs Windows NT4 Workstation, so it
+ cannot be running as a WINS server. It is best that the new configuration preserves the same
+ configuration. The office does not use Internet access, so security really is not an issue.
+ </p><p>
+ The core information regarding the users, their passwords, the directory share point, and the
+ share name is given in <a href="simple.html#acctingnet" title="Table 1.1. Accounting Office Network Information">???</a>. The overall network topology is shown in
+ <a href="simple.html#acctingnet2" title="Figure 1.2. Accounting Office Network Topology">???</a>. All machines have been configured as indicated prior to the
+ start of Samba configuration. The following prescriptive steps may now commence.
+ </p><div class="figure"><a name="acctingnet2"></a><p class="title"><b>Figure 1.2. Accounting Office Network Topology</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/AccountingNetwork.png" width="459" alt="Accounting Office Network Topology"></div></div></div><br class="figure-break"><div class="table"><a name="acctingnet"></a><p class="title"><b>Table 1.1. Accounting Office Network Information</b></p><div class="table-contents"><table summary="Accounting Office Network Information" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="left">User</th><th align="left">Login-ID</th><th align="left">Password</th><th align="left">Share Name</th><th align="left">Directory</th><th align="left">Wkst</th></tr></thead><tbody><tr><td align="left">Alan Meany</td><td align="left">alan</td><td align="left">alm1961</td><td align="left">alan</td><td align="left">/data</td><td align="left">PC1</td></tr><tr><td align="left">James Meany</td><td align="left">james</td><td align="left">jimm1962</td><td align="left">james</td><td align="left">/data/james</td><td align="left">PC2</td></tr><tr><td align="left">Jeannie Meany</td><td align="left">jeannie</td><td align="left">jema1965</td><td align="left">jeannie</td><td align="left">/data/jeannie</td><td align="left">PC3</td></tr><tr><td align="left">Suzy Millicent</td><td align="left">suzy</td><td align="left">suzy1967</td><td align="left">suzy</td><td align="left">/data/suzy</td><td align="left">PC4</td></tr><tr><td align="left">Ursula Jenning</td><td align="left">ujen</td><td align="left">ujen1974</td><td align="left">ursula</td><td align="left">/data/ursula</td><td align="left">PC5</td></tr><tr><td align="left">Peter Pan</td><td align="left">peter</td><td align="left">pete1984</td><td align="left">peter</td><td align="left">/data/peter</td><td align="left">PC6</td></tr><tr><td align="left">Dale 
Roland</td><td align="left">dale</td><td align="left">dale1986</td><td align="left">dale</td><td align="left">/data/dale</td><td align="left">PC7</td></tr><tr><td align="left">Bertrand E Paoletti</td><td align="left">eric</td><td align="left">eric1993</td><td align="left">eric</td><td align="left">/data/eric</td><td align="left">PC8</td></tr><tr><td align="left">Russell Lewis</td><td align="left">russ</td><td align="left">russ2001</td><td align="left">russell</td><td align="left">/data/russell</td><td align="left">PC9</td></tr></tbody></table></div></div><br class="table-break"><div class="procedure"><a name="id319964"></a><p class="title"><b>Procedure 1.5. Migration from Windows NT4 Workstation System to Samba-3</b></p><ol type="1"><li><p><a class="indexterm" name="id319975"></a>
+ Rename the old server from <code class="constant">CASHPOOL</code> to <code class="constant">STABLE</code>
+ by logging onto the console as the <code class="constant">Administrator</code>. Restart the machine
+ following system prompts.
+ </p></li><li><p>
+ Name the new server <code class="constant">CASHPOOL</code> using the standard configuration method.
+ Restart the machine following system prompts.
+ </p></li><li><p>
+ Install the latest Samba-3 binary Red Hat Linux RPM that is available from the
+ Samba FTP site.
+ </p></li><li><p>
+ <a class="indexterm" name="id320021"></a>
+ <a class="indexterm" name="id320028"></a>
+ Add a group account for the office to use. Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> groupadd accts
+</pre><p>
+ </p></li><li><p>
+ Install the <code class="filename">smb.conf</code> file shown<sup>[<a name="id320060" href="#ftn.id320060">4</a>]</sup>
+ in <a href="simple.html#acctconf" title="Example 1.5. Accounting Office Network smb.conf Old Style Configuration File">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id320096"></a>
+ <a class="indexterm" name="id320103"></a>
+ <a class="indexterm" name="id320110"></a>
+ For each user who uses this system (see <a href="simple.html#acctingnet" title="Table 1.1. Accounting Office Network Information">???</a>),
+ execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> useradd -m -G accts -c "Name of User" "LoginID"
+<code class="prompt">root# </code> passwd "LoginID"
+Changing password for user "LoginID"
+New Password: XXXXXXXXX &lt;-- the password from the table
+Retype new password: XXXXXXXXX
+<code class="prompt">root# </code> smbpasswd -a "LoginID"
+New SMB password: XXXXXXXXX &lt;-- the password from the table
+Retype new SMB password: XXXXXXXXX
+Added user "LoginID"
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id320158"></a>
+ Create the directory structure for the file shares by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /data
+<code class="prompt">root# </code> chown alan /data
+<code class="prompt">root# </code> for i in james suzy ujen peter dale eric jeannie russ
+&gt; do
+&gt; mkdir -p /data/$i
+&gt; chown $i /data/$i
+&gt; done
+<code class="prompt">root# </code> chgrp -R accts /data
+<code class="prompt">root# </code> chmod -R ug+rwxs,o-r+x /data
+</pre><p>
+ The data storage structure is now prepared for use.
+ </p></li><li><p>
+ <a class="indexterm" name="id320209"></a>
+ Configure the CUPS Print Queues:
+</p><pre class="screen">
+<code class="prompt">root# </code> lpadmin -p hplj -v parallel:/dev/lp0 -E
+</pre><p>
+ This creates the necessary print queues with no assigned print filter.
+ </p></li><li><p>
+ <a class="indexterm" name="id320235"></a>
+ <a class="indexterm" name="id320242"></a>
+ Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream application/vnd.cups-raw 0 -
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id320268"></a>
+ <a class="indexterm" name="id320274"></a>
+ Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id320300"></a>
+ Use the standard system tool to start Samba and CUPS to configure them to restart
+ automatically at every system reboot. For example,
+ </p><p>
+ <a class="indexterm" name="id320312"></a>
+ <a class="indexterm" name="id320318"></a>
+ <a class="indexterm" name="id320325"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> chkconfig smb on
+<code class="prompt">root# </code> chkconfig cups on
+<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart
+<code class="prompt">root# </code> /etc/rc.d/init.d/cups restart
+</pre><p>
+ </p></li><li><p>
+ On Alan's workstation, use Windows Explorer to migrate the files from the old server
+ to the new server. The new server should appear in the <span class="guimenu">Network Neighborhood</span>
+ with the name of the old server (<code class="constant">CASHPOOL</code>).
+ </p><div class="procedure"><ol type="1"><li><p>
+ Log on to Alan's workstation as the user <code class="constant">alan</code>.
+ </p></li><li><p>
+ Launch a second instance of Windows Explorer and navigate to the share called
+ <span class="guiicon">files</span> on the server called <span class="guimenu">STABLE</span>.
+ </p></li><li><p>
+ Click in the right panel, and press <span class="guimenu">Ctrl-A</span> to select all files and
+ directories. Press <span class="guimenu">Ctrl-C</span> to instruct Windows that you wish to
+ copy all selected items.
+ </p></li><li><p>
+ Launch the Windows Explorer, and navigate to the share called <span class="guiicon">files</span>
+ on the server called <span class="guimenu">CASHPOOL</span>. Click in the right panel, and then press
+ <span class="guimenu">Ctrl-V</span> to commence the copying process.
+ </p></li></ol></div></li><li><p>
+ Verify that the files are being copied correctly from the Windows NT4 machine to the Samba-3 server.
+ This is best done on the Samba-3 server. Check the contents of the directory tree under
+ <code class="filename">/data</code> by executing the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> ls -aR /data
+</pre><p>
+ Make certain to check the ownership and permissions on all files. If in doubt, execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown alan /data
+<code class="prompt">root# </code> for i in james suzy ujen peter dale eric jeannie russ
+&gt; do
+&gt; chown $i /data/$i
+&gt; done
+<code class="prompt">root# </code> chgrp -R accts /data
+<code class="prompt">root# </code> chmod -R ug+rwxs,o-r+x /data
+</pre><p>
+ </p></li><li><p>
+ The migration of all data should now be complete. It is time to validate the installation.
+ For this, you should make sure all applications, including printing, work before asking the
+ customer to test drive the new network.
+ </p></li></ol></div><div class="example"><a name="acctconf"></a><p class="title"><b>Example 1.5. Accounting Office Network <code class="filename">smb.conf</code> Old Style Configuration File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id320561"></a><em class="parameter"><code>workgroup = BILLMORE</code></em></td></tr><tr><td><a class="indexterm" name="id320574"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id320586"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id320599"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id320611"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[files]</code></em></td></tr><tr><td><a class="indexterm" name="id320633"></a><em class="parameter"><code>comment = Work area files</code></em></td></tr><tr><td><a class="indexterm" name="id320646"></a><em class="parameter"><code>path = /data/%U</code></em></td></tr><tr><td><a class="indexterm" name="id320658"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[master]</code></em></td></tr><tr><td><a class="indexterm" name="id320680"></a><em class="parameter"><code>comment = Master work area files</code></em></td></tr><tr><td><a class="indexterm" name="id320692"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id320705"></a><em class="parameter"><code>valid users = alan</code></em></td></tr><tr><td><a class="indexterm" name="id320717"></a><em class="parameter"><code>read only = 
No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id320739"></a><em class="parameter"><code>comment = Print Temporary Spool Configuration</code></em></td></tr><tr><td><a class="indexterm" name="id320752"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id320764"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id320777"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id320789"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id320802"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id320818"></a>Questions and Answers</h2></div></div></div><p>
+ The following questions and answers draw from the examples in this chapter.
+ Many design decisions are impacted by the configurations chosen. The intent
+ is to expose some of the hidden implications.
+ </p><div class="qandaset"><dl><dt> <a href="simple.html#id320836">
+ What makes an anonymous Samba server more simple than a non-anonymous Samba server?
+ </a></dt><dt> <a href="simple.html#id320859">
+ How is the operation of the parameter force user different from
+ setting the root directory of the share SUID?
+ </a></dt><dt> <a href="simple.html#id320906">
+ When would you both use the per share parameter force user and set
+ the share root directory SUID?
+ </a></dt><dt> <a href="simple.html#id320931">
+ What is better about CUPS printing than LPRng printing?
+ </a></dt><dt> <a href="simple.html#id320964">
+ When should Windows client IP addresses be hard-coded?
+ </a></dt><dt> <a href="simple.html#id320985">
+ Under what circumstances is it best to use a DHCP server?
+ </a></dt><dt> <a href="simple.html#id321016">
+ What is the purpose of setting the parameter guest ok on a share?
+ </a></dt><dt> <a href="simple.html#id321040">
+ When would you set the global parameter disable spoolss?
+ </a></dt><dt> <a href="simple.html#id321120">
+ Why would you disable password caching on Windows 9x/Me clients?
+ </a></dt><dt> <a href="simple.html#id321140">
+ The example of Abmas Accounting uses User Mode security. How does this provide anonymous access?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id320836"></a><a name="id320838"></a></td><td align="left" valign="top"><p>
+ What makes an anonymous Samba server more simple than a non-anonymous Samba server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ In the anonymous server, the only account used is the <code class="constant">guest</code> account.
+ In a non-anonymous configuration, it is necessary to add real user accounts to both the
+ UNIX system and to the Samba configuration. Non-anonymous servers require additional
+ administration.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id320859"></a><a name="id320861"></a></td><td align="left" valign="top"><p>
+ How is the operation of the parameter <em class="parameter"><code>force user</code></em> different from
+ setting the root directory of the share SUID?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The parameter <em class="parameter"><code>force user</code></em> causes all operations on the share to assume the UID
+ of the forced user. The new default GID that applies is the primary GID of the forced user.
+ This gives all users of this resource the actual privilege of the forced user.
+ </p><p>
+ When a directory is set SUID, the operating system forces files that are written within it
+ to be owned by the owner of the directory. While this happens, the user who is using the share
+ has only the level of privilege he or she is assigned within the operating system context.
+ </p><p>
+ The parameter <em class="parameter"><code>force user</code></em> has potential security implications that go
+ beyond the actual share root directory. Be careful and wary of using this parameter.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id320906"></a><a name="id320908"></a></td><td align="left" valign="top"><p>
+ When would you both use the per share parameter <em class="parameter"><code>force user</code></em> and set
+ the share root directory SUID?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ You would use both parameters when it is necessary to guarantee that all share handling operations
+ are conducted as the forced user, while all file and directory creation are done as the SUID
+ directory owner.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id320931"></a><a name="id320933"></a></td><td align="left" valign="top"><p>
+ What is better about CUPS printing than LPRng printing?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ CUPS is a print spooling system that has integrated remote management facilities, provides completely
+ automated print processing/preprocessing, and can be configured to automatically
+ apply print preprocessing filters to ensure that a print job submitted is correctly rendered for the
+ target printer. CUPS includes an image file RIP that supports printing of image files to
+ non-PostScript printers. CUPS has lots of bells and whistles and is more like a supercharged MS Windows
+ NT/200x print monitor and processor. Its complexity can be eliminated or turbocharged to suit
+ any fancy.
+ </p><p>
+ The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print
+ spooler functionality. It provides the same interface and meets RFC1179 requirements. LPRng can be
+ configured to act like CUPS, but it is in principle a replacement for the old Berkeley lpr/lpd
+ spooler. LPRng is generally preferred by those who are familiar with Berkeley lpr/lpd.
+ </p><p>
+ Which spooling system is better is a matter of personal taste. It depends on what you want to do and how you want to
+ do it and manage it. Most modern Linux systems ship with CUPS as the default print management system.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id320964"></a><a name="id320966"></a></td><td align="left" valign="top"><p>
+ When should Windows client IP addresses be hard-coded?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ When there are few MS Windows clients, little client change, no mobile users, and users are not
+ inclined to tamper with network settings, it is a safe and convenient matter to hard-code Windows
+ client TCP/IP settings. Given that it is possible to lock down the Windows desktop and remove
+ user ability to access network configuration controls, fixed configuration eliminates the need
+ for a DHCP server. This reduces maintenance overheads and eliminates a possible point of network
+ failure.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id320985"></a><a name="id320988"></a></td><td align="left" valign="top"><p>
+ Under what circumstances is it best to use a DHCP server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ In network configurations where there are mobile users, or where Windows client PCs move around
+ (particularly between offices or between subnets), it makes complete sense to control all Windows
+ client configurations using a DHCP server. Additionally, when users do tamper with the network
+ settings, DHCP can be used to normalize all client settings.
+ </p><p>
+ One underappreciated benefit of using a DHCP server to assign all network client
+ device TCP/IP settings is that it makes it a pain-free process to change network TCP/IP
+ settings, change network addressing, or enhance the ability of client devices to
+ benefit from new network services.
+ </p><p>
+ Another benefit of modern DHCP servers is their ability to register dynamically
+ assigned IP addresses with the DNS server. The benefits of Dynamic DNS (DDNS) are considerable in
+ a large Windows network environment.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id321016"></a><a name="id321018"></a></td><td align="left" valign="top"><p>
+ What is the purpose of setting the parameter <em class="parameter"><code>guest ok</code></em> on a share?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ If this parameter is set to yes for a service, then no password is required to connect to the service.
+ Privileges are those of the guest account.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id321040"></a><a name="id321042"></a></td><td align="left" valign="top"><p>
+ When would you set the global parameter <em class="parameter"><code>disable spoolss</code></em>?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Setting this parameter to <code class="constant">Yes</code> disables Samba's support for the SPOOLSS set of
+ MS-RPCs and yields behavior identical to Samba 2.0.x. Windows NT/2000 clients can downgrade to
+ using LanMan style printing commands. Windows 9x/Me are unaffected by the parameter. However, this
+ disables the ability to upload printer drivers to a Samba server via the Windows NT/200x Add Printer
+ Wizard or by using the NT printer properties dialog window. It also disables the capability of
+ Windows NT/200x clients to download print drivers from the Samba host on demand. Be extremely careful about
+ setting this parameter.
+ </p><p>
+ The alternate parameter <em class="parameter"><code>use client driver</code></em> applies only to Windows NT/200x clients. It has no
+ effect on Windows 95/98/Me clients. When serving a printer to Windows NT/200x clients without first installing a valid
+ printer driver on the Samba host, the client is required to install a local printer driver. From this point on,
+ the client treats the printer as a local printer and not a network printer connection. This is much the same behavior
+ that occurs when <em class="parameter"><code>disable spoolss = yes</code></em>.
+ </p><p>
+ Under normal circumstances, the NT/200x client attempts to open the network printer using MS-RPC. Because the client
+ considers the printer to be local, it attempts to issue the <em class="parameter"><code>OpenPrinterEx()</code></em> call requesting
+ access rights associated with the logged on user. If the user possesses local administrator rights but not root
+ privilege on the Samba host (often the case), the <em class="parameter"><code>OpenPrinterEx()</code></em> call fails. The result is
+ that the client now displays an &#8220;<span class="quote">Access Denied; Unable to connect</span>&#8221; message in the printer queue window
+ (even though jobs may be printed successfully). This parameter MUST not be enabled on a print share that has a valid
+ print driver installed on the Samba server.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id321120"></a><a name="id321122"></a></td><td align="left" valign="top"><p>
+ Why would you disable password caching on Windows 9x/Me clients?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Windows 9x/Me workstations that are set at default (password caching enabled) store the username and
+ password in files located in the Windows master directory. Such files can be scavenged (read off a client
+ machine) and decrypted, thus revealing the user's access credentials for all systems the user may have accessed.
+ It is most insecure to allow any Windows 9x/Me client to operate with password caching enabled.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id321140"></a><a name="id321142"></a></td><td align="left" valign="top"><p>
+ The example of Abmas Accounting uses User Mode security. How does this provide anonymous access?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The example used does not provide anonymous access. Since the clients are all Windows 2000 Professional,
+ and given that users are logging onto their machines, by default the client attempts to connect to
+ a remote server using currently logged in user credentials. By ensuring that the user's login ID and
+ password are the same as those set on the Samba server, access is transparent and does not require
+ separate user authentication.
+ </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id316538" href="#id316538">1</a>] </sup>The examples given mirror those documented
+ in The Official Samba-3 HOWTO and Reference Guide, Second Edition (TOSHARG2) Chapter 2, Section 2.3.1. You may gain additional
+ insight from the standalone server configurations covered in TOSHARG2, sections 2.3.1.2 through 2.3.1.4.
+ </p></div><div class="footnote"><p><sup>[<a name="ftn.id316688" href="#id316688">2</a>] </sup>
+ This information is given purely as an example of how data may be stored in such a way that it
+ will be easy to locate records at a later date. The example is not meant to imply any instructions
+ that may be construed as essential to the design of the solution; this is something you will almost
+ certainly want to determine for yourself.</p></div><div class="footnote"></div><div class="footnote"><p><sup>[<a name="ftn.id320060" href="#id320060">4</a>] </sup>This example uses the
+ <em class="parameter"><code>smbpasswd</code></em> file in an obtuse way, since the use of
+ the <em class="parameter"><code>passdb backend</code></em> has not been specified in the <code class="filename">smb.conf</code>
+ file. This means that you are depending on correct default behavior.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ExNetworks.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="small.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. Example Network Configurations </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. Small Office Networking</td></tr></table></div></body></html>
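Review bot: the data-area permission step `chmod -R ug+rwxs,o-r+x /data` (also repeated in the verification step) applies the setuid, setgid and execute bits to every regular file under /data and not only to the directories, so every migrated document ends up as a setuid/setgid executable owned by its user; only the directories need the group-inheritance bit, so split the step into `find /data -type d -exec chmod ug+rwxs,o-r+x {} +` and `find /data -type f -exec chmod ug+rw,o-rwx {} +`. The same confusion appears in the Q&A answer that says a SUID directory makes the OS force files written in it to be owned by the directory owner: on Linux the setuid bit on a directory has no effect, and only setgid gives the group-inheritance described, so the answer should be corrected to refer to setgid. Two smaller points in this hunk: the cross-references to Example 1.5 and Table 1.1 render as `???` (unresolved xrefs at build time), and the `[printers]` share combines `guest ok = Yes` with `use client driver = Yes` and `disable spoolss = Yes`, which is fine for a no-frills server but should be stated as allowing anonymous printing by anyone who can reach the host.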
diff --git a/docs/htmldocs/Samba3-ByExample/small.html b/docs/htmldocs/Samba3-ByExample/small.html
new file mode 100644
index 0000000000..eed6092a1c
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/small.html
@@ -0,0 +1,806 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. Small Office Networking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="simple.html" title="Chapter 1. No-Frills Samba Servers"><link rel="next" href="secure.html" title="Chapter 3. Secure Office Networking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. Small Office Networking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="simple.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="secure.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="small"></a>Chapter 2. 
Small Office Networking</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="small.html#id321229">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id321247">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id321293">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id321342">Technical Issues</a></span></dt><dt><span class="sect2"><a href="small.html#id321528">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id321546">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id323199">Validation</a></span></dt><dt><span class="sect2"><a href="small.html#id323822">Notebook Computers: A Special Case</a></span></dt><dt><span class="sect2"><a href="small.html#id323841">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id323907">Questions and Answers</a></span></dt></dl></div><p>
+ <a href="simple.html" title="Chapter 1. No-Frills Samba Servers">???</a> focused on the basics of simple yet effective
+ network solutions. Network administrators who take pride in their work
+ (that's most of us, right?) take care to deliver what our users want,
+ but not too much more. If we make things too complex, we confound our users
+ and increase costs of network ownership. A professional network manager
+ avoids the temptation to put too much pizazz into the way that the network
+ operates. Some creativity is helpful, but keep it under control
+ good advice that the following two scenarios illustrate.
+ </p><p>
+ <a class="indexterm" name="id321194"></a>
+ In one case the network administrator of a mid-sized company spent three
+ months building a new network to replace an old Netware server. What he
+ delivered had all the bells and whistles he could muster. There were a
+ few teething problems during the changeover, nothing serious but a little
+ disruptive all the same. Users were exposed to many changes at once. The
+ network administrator was asked to resign two months after implementing
+ the new system because so many staff complained they had lost time and
+ were not happy with the new network. Everything was automated, and he
+ delivered more features than any advanced user could think of. He was
+ just too smart for his own good.
+ </p><p>
+ In the case of the other company, a new network manager was appointed
+ to oversee the replacement of a LanTastic network with an MS Windows
+ NT 4.0 network. He had the replacement installed and operational within
+ two weeks. Before installation and changeover, he called a meeting to
+ explain to all users what was going to happen, how it would affect them,
+ and that he would be available 24 hours a day to help them transition.
+ One week after conversion, he held another meeting asking for cooperation
+ in the introduction of a few new features that would help to make life
+ easier. Network users were thrilled with the help he provided. The network
+ he implemented was nowhere near as complex as in the first example, had fewer
+ features, and yet he had happy users. Months later he was still adding
+ new innovations. He always asked the users if a
+ particular feature was what they wanted. He asked his boss for a raise
+ and got it. He often told me, &#8220;<span class="quote">Always keep a few new tricks up your
+ sleeves for when you need them.</span>&#8221; Was he smart? You decide. Let's
+ get on with our next exercise.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id321229"></a>Introduction</h2></div></div></div><p>
+ Abmas Accounting has grown. Mr. Meany likes you and says he knew you
+ were the right person for the job. That's why he asked you to install the
+ new server. The past few months have been hard work. You advised Mr. Meany
+ that it is time for a change. Abmas now has 52 users, having acquired an
+ investment consulting business recently. The new users were added to the
+ network without any problems.
+ </p><p>
+ Some of the Windows clients are nearly past their use-by date.
+ You found damaged and unusable software on some of the workstations
+ that came with the acquired business and found some machines
+ in need of both hardware and software maintenance.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id321247"></a>Assignment Tasks</h3></div></div></div><p>
+ <a class="indexterm" name="id321255"></a>
+ Mr. Meany is retiring in 12 months. Before he goes, he wants you to help ensure
+ that the business is running efficiently. Many of the new staff want notebook
+ computers. They visit customer business premises and need to use local network
+ facilities; these users are technically competent. The company uses a
+ business application that requires Windows XP Professional. In short, a complete
+ client upgrade is about to happen. Mr. Meany told you that he is working
+ on another business acquisition and that by the time he retires there will be
+ 80 to 100 users.
+ </p><p>
+ Mr. Meany is not concerned about security. He wants to make it easier for
+ staff to do their work. He has hired you to help him appoint a full-time
+ network manager before he retires. Above all, he says he is investing in
+ the ability to grow. He is determined to live his lifelong dream and
+ hand the business over to a bright and capable executive who can make
+ things happen. This means your network design must cope well with
+ growth.
+ </p><p>
+ In a few months, Abmas will require an Internet connection for email and so
+ that staff can easily obtain software updates. Mr. Meany is warming up to
+ the installation of antivirus software but is not yet ready to approve
+ this expense. He told you to spend the money a virus scanner costs
+ on better quality notebook computers for mobile users.
+ </p><p>
+ One of Mr. Meany's golfing partners convinced him to buy new laser
+ printers, one black only, the other a color laser printer. Staff support
+ the need for a color printer so they can present more attractive proposals
+ and reports.
+ </p><p>
+ Mr. Meany also asked if it would be possible for one of the staff to manage
+ user accounts from the Windows desktop. That person will be responsible for
+ basic operations.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id321293"></a>Dissection and Discussion</h2></div></div></div><p>
+ What are the key requirements in this business example? A quick review indicates
+ a need for
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Scalability, from 52 to over 100 users in 12 months
+ </p></li><li><p>
+ Mobile computing capability
+ <a class="indexterm" name="id321314"></a>
+ </p></li><li><p>
+ Improved reliability and usability
+ </p></li><li><p>
+ Easier administration
+ </p></li></ul></div><p>
+ In this instance the installed Linux system is assumed to be a Red Hat Linux Fedora Core2 server
+ (as in <a href="simple.html#AccountingOffice" title="Accounting Office">???</a>).
+
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id321342"></a>Technical Issues</h3></div></div></div><p>
+ <a class="indexterm" name="id321350"></a>
+ <a class="indexterm" name="id321357"></a>
+ <a class="indexterm" name="id321364"></a>
+ <a class="indexterm" name="id321370"></a>
+ <a class="indexterm" name="id321377"></a>
+ It is time to implement a domain security environment. You will use the <code class="constant">
+ smbpasswd</code> (default) backend. You should implement a DHCP server. There is no need to
+ run DNS at this time, but the system will use WINS. The domain name will be <code class="constant">
+ BILLMORE</code>. This time, the name of the server will be <code class="constant">SLEETH</code>.
+ </p><p>
+ All printers will be configured as DHCP clients. The DHCP server will assign
+ the printer a fixed IP address by way of its Ethernet interface (MAC) address.
+ See <a href="small.html#dhcp01" title="Example 2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf">???</a>.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ The <code class="filename">smb.conf</code> file you are creating in this exercise can be used with equal effectiveness
+ with Samba-2.2.x series releases. This is deliberate so that in the next chapter it is
+ possible to start with the installation that you have created here, migrate it
+ to a Samba-3 configuration, and then secure the system further. Configurations following
+ this one utilize features that may not be supported in Samba-2.2.x releases.
+ However, you should note that the examples in each chapter start with the assumption
+ that a fresh new installation is being effected.
+ </p></div><p>
+ Later on, when the Internet connection is implemented, you will add DNS as well as
+ other enhancements. It is important that you plan accordingly.
+ </p><p>
+ <a class="indexterm" name="id321431"></a>
+ You have split the network into two separate areas. Each has its own Ethernet switch.
+ There are 20 users on the accounting network and 32 users on the financial services
+ network. The server has two network interfaces, one serving each network. The
+ network printers will be located in a central area. You plan to install the new
+ printers and keep the old printer in use also.
+ </p><p>
+ You will provide separate file storage areas for each business entity. The old system
+ will go away, accounting files will be handled under a single directory, and files will
+ be stored under customer name, not under a personal work area. Staff will be made
+ responsible for file location, so the old share point must be maintained.
+ </p><p>
+ Given that DNS will not be used, you will configure WINS name resolution for UNIX
+ hostname name resolution.
+ </p><p>
+ <a class="indexterm" name="id321455"></a>
+ <a class="indexterm" name="id321464"></a>
+ It is necessary to map Windows Domain Groups to UNIX groups. It is
+ advisable to also map Windows Local Groups to UNIX groups. Additionally, the two
+ key staff groups in the firm are accounting staff and financial services staff.
+ For these, it is necessary to create UNIX groups as well as Windows Domain Groups.
+ </p><p>
+ In the sample <code class="filename">smb.conf</code> file, you have configured Samba to call the UNIX
+ <code class="literal">groupadd</code> to add group entries. This utility does not permit
+ the addition of group names that contain uppercase characters or spaces. This
+ is considered a bug. The <code class="literal">groupadd</code> is part of the
+ <code class="literal">shadow-utils</code> open source software package. A later release
+ of this package may have been patched to resolve this bug. If your operating
+ platform has this bug, it means that attempts to add a Windows Domain Group that
+ has either a space or uppercase characters in it will fail. See
+ <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 11, Section 11.3.1, Example 11.1, for
+ more information.
+ </p><p>
+ <a class="indexterm" name="id321515"></a>
+ Vendor-supplied printer drivers will be installed on each client. The CUPS print
+ spooler on the UNIX host will be operated in <code class="constant">raw</code> mode.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id321528"></a>Political Issues</h3></div></div></div><p>
+ Mr. Meany is an old-school manager. He sets the rules and wants to see compliance.
+ He is willing to spend money on things he believes are of value. You need more
+ time to convince him of real priorities.
+ </p><p>
+ Go ahead, buy better notebooks. Wouldn't it be neat if they happened to be
+ supplied with antivirus software? Above all, demonstrate good purchase value and remember
+ to make your users happy.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id321546"></a>Implementation</h2></div></div></div><p>
+ <a class="indexterm" name="id321554"></a>
+ In this example, the assumption is made that this server is being configured from a clean start.
+ The alternate approach could be to demonstrate the migration of the system that is documented
+ in <a href="simple.html#AcctgNet" title="Implementation">???</a> to meet the new requirements. The decision to treat this case, as with
+ future examples, as a new installation is based on the premise that you can determine
+ the migration steps from the information provided in <a href="ntmigration.html" title="Chapter 9. Migrating NT4 Domain to Samba-3">???</a>.
+ Additionally, a fresh installation makes the example easier to follow.
+ </p><p>
+ <a class="indexterm" name="id321581"></a>
+ Each user will be given a home directory on the UNIX system, which will be available as a private
+ share. Two additional shares will be created, one for the accounting department and the other for
+ the financial services department. Network users will be given access to these shares by way
+ of group membership.
+ </p><p>
+ <a class="indexterm" name="id321593"></a>
+ UNIX group membership is the primary mechanism by which Windows Domain users will be granted
+ rights and privileges within the Windows environment.
+ </p><p>
+ <a class="indexterm" name="id321607"></a>
+ The user <code class="literal">alanm</code> will be made the owner of all files. This will be preserved
+ by setting the sticky bit (set UID/GID) on the top-level directories.
+ </p><div class="figure"><a name="acct2net"></a><p class="title"><b>Figure 2.1. Abmas Accounting 52-User Network Topology</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/acct2net.png" alt="Abmas Accounting 52-User Network Topology"></div></div></div><br class="figure-break"><div class="procedure"><a name="id321665"></a><p class="title"><b>Procedure 2.1. Server Installation Steps</b></p><ol type="1"><li><p>
+ Using UNIX/Linux system tools, name the server <code class="constant">sleeth</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id321687"></a>
+ Place an entry for the machine <code class="constant">sleeth</code> in the <code class="filename">/etc/hosts</code>.
+ The printers are network attached, so there should be entries for the
+ network printers also. An example <code class="filename">/etc/hosts</code> file is shown here:
+</p><pre class="screen">
+192.168.1.1 sleeth sleeth1
+192.168.2.1 sleeth2
+192.168.1.10 hplj6
+192.168.1.11 hplj4
+192.168.2.10 qms
+</pre><p>
+ </p></li><li><p>
+ Install the Samba-3 binary RPM from the Samba-Team FTP site.
+ </p></li><li><p>
+ Install the ISC DHCP server using the UNIX/Linux system tools available to you.
+ </p></li><li><p>
+ <a class="indexterm" name="id321738"></a>
+ <a class="indexterm" name="id321745"></a>
+ <a class="indexterm" name="id321752"></a>
+ <a class="indexterm" name="id321759"></a>
+ Because Samba will be operating over two network interfaces and clients on each side
+ may want to be able to reach clients on the other side, it is imperative that IP forwarding
+ is enabled. Use the system tool of your choice to enable IP forwarding. In the
+ absence of such a tool on the Linux system, add to the <code class="filename">/etc/rc.d/rc.local</code>
+ file an entry as follows:
+</p><pre class="screen">
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward
+</pre><p>
+ This causes the Linux kernel to forward IP packets so that it acts as a router.
+ </p></li><li><p>
+ Install the <code class="filename">smb.conf</code> file as shown in <a href="small.html#acct2conf" title="Example 2.3. Accounting Office Network smb.conf File [globals] Section">???</a> and
+ <a href="small.html#acct3conf" title="Example 2.4. Accounting Office Network smb.conf File Services and Shares Section">???</a>. Combine these two examples to form a single
+ <code class="filename">/etc/samba/smb.conf</code> file.
+ </p></li><li><p>
+ <a class="indexterm" name="id321820"></a>
+ Add the user <code class="literal">root</code> to the Samba password backend:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -a root
+New SMB password: XXXXXXX
+Retype new SMB password: XXXXXXX
+<code class="prompt">root# </code>
+</pre><p>
+ <a class="indexterm" name="id321851"></a>
+ This is the Windows Domain Administrator password. Never delete this account from
+ the password backend after Windows Domain Groups have been initialized. If you delete
+ this account, your system is crippled. You cannot restore this account,
+ and your Samba server can no longer be administered.
+ </p></li><li><p>
+ <a class="indexterm" name="id321867"></a>
+ Create the username map file to permit the <code class="constant">root</code> account to be called
+ <code class="constant">Administrator</code> from the Windows network environment. To do this, create
+ the file <code class="filename">/etc/samba/smbusers</code> with the following contents:
+</p><pre class="screen">
+####
+# User mapping file
+####
+# File Format
+# -----------
+# Unix_ID = Windows_ID
+#
+# Examples:
+# root = Administrator
+# janes = "Jane Smith"
+# jimbo = Jim Bones
+#
+# Note: If the name contains a space it must be double quoted.
+# In the example above the name 'jimbo' will be mapped to Windows
+# user names 'Jim' and 'Bones' because the space was not quoted.
+#######################################################################
+root = Administrator
+####
+# End of File
+####
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id321909"></a>
+ Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
+ <a href="small.html#initGrps" title="Example 2.1. Script to Map Windows NT Groups to UNIX Groups">???</a>. Create a file containing this script. We called ours
+ <code class="filename">/etc/samba/initGrps.sh</code>. Set this file so it can be executed,
+ and then execute the script. Sample output should be as follows:
+
+</p><div class="example"><a name="initGrps"></a><p class="title"><b>Example 2.1. Script to Map Windows NT Groups to UNIX Groups</b></p><div class="example-contents"><a class="indexterm" name="id321939"></a><pre class="screen">
+#!/bin/bash
+#
+# initGrps.sh
+#
+
+# Create UNIX groups
+groupadd acctsdep
+groupadd finsrvcs
+
+# Map Windows Domain Groups to UNIX groups
+net groupmap add ntgroup="Domain Admins" unixgroup=root type=d
+net groupmap add ntgroup="Domain Users" unixgroup=users type=d
+net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d
+
+# Add Functional Domain Groups
+net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
+net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
+</pre></div></div><p><br class="example-break">
+
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod 755 initGrps.sh
+<code class="prompt">root# </code> cd /etc/samba
+<code class="prompt">root# </code> ./initGrps.sh
+Updated mapping entry for Domain Admins
+Updated mapping entry for Domain Users
+Updated mapping entry for Domain Guests
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Accounts Dept to the mapping db
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Domain Guests to the mapping db
+
+<code class="prompt">root# </code> cd /etc/samba
+<code class="prompt">root# </code> net groupmap list | sort
+Account Operators (S-1-5-32-548) -&gt; -1
+Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -&gt; acctsdep
+Administrators (S-1-5-32-544) -&gt; -1
+Backup Operators (S-1-5-32-551) -&gt; -1
+Domain Admins (S-1-5-21-194350-25496802-3394589-512) -&gt; root
+Domain Guests (S-1-5-21-194350-25496802-3394589-514) -&gt; nobody
+Domain Users (S-1-5-21-194350-25496802-3394589-513) -&gt; users
+Financial Services (S-1-5-21-194350-25496802-3394589-2005) -&gt; finsrvcs
+Guests (S-1-5-32-546) -&gt; -1
+Power Users (S-1-5-32-547) -&gt; -1
+Print Operators (S-1-5-32-550) -&gt; -1
+Replicators (S-1-5-32-552) -&gt; -1
+System Operators (S-1-5-32-549) -&gt; -1
+Users (S-1-5-32-545) -&gt; -1
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id322008"></a>
+ <a class="indexterm" name="id322015"></a>
+ <a class="indexterm" name="id322024"></a>
+ For each user who needs to be given a Windows Domain account, make an entry in the
+ <code class="filename">/etc/passwd</code> file as well as in the Samba password backend.
+ Use the system tool of your choice to create the UNIX system accounts, and use the Samba
+ <code class="literal">smbpasswd</code> program to create the Domain user accounts.
+ </p><p>
+ <a class="indexterm" name="id322048"></a>
+ <a class="indexterm" name="id322055"></a>
+ <a class="indexterm" name="id322062"></a>
+ There are a number of tools for user management under UNIX, such as
+ <code class="literal">useradd</code> and <code class="literal">adduser</code>, as well as a plethora of custom
+ tools. With the tool of your choice, create a home directory for each user.
+ </p></li><li><p>
+ Using the preferred tool for your UNIX system, add each user to the UNIX groups created
+ previously, as necessary. File system access control will be based on UNIX group membership.
+ </p></li><li><p>
+ Create the directory mount point for the disk subsystem that is mounted to provide
+ data storage for company files. In this case the mount point is indicated in the <code class="filename">smb.conf</code>
+ file is <code class="filename">/data</code>. Format the file system as required, mount the formatted
+ file system partition using <code class="literal">mount</code>,
+ and make the appropriate changes in <code class="filename">/etc/fstab</code>.
+ </p></li><li><p>
+ Create the top-level file storage directories are follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /data/{accounts,finsvcs}
+<code class="prompt">root# </code> chown -R root:root /data
+<code class="prompt">root# </code> chown -R alanm:accounts /data/accounts
+<code class="prompt">root# </code> chown -R alanm:finsvcs /data/finsvcs
+<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /data
+</pre><p>
+ Each department is responsible for creating its own directory structure within its
+ share. The directory root of the <code class="literal">accounts</code> share is <code class="filename">/data/accounts</code>.
+ The directory root of the <code class="literal">finsvcs</code> share is <code class="filename">/data/finsvcs</code>.
+ </p></li><li><p>
+ Configure the printers with the IP addresses as shown in <a href="small.html#acct2net" title="Figure 2.1. Abmas Accounting 52-User Network Topology">???</a>.
+ Follow the instructions in the manufacturers' manuals to permit printing to port 9100.
+ This allows the CUPS spooler to print using raw mode protocols.
+ <a class="indexterm" name="id322209"></a>
+ <a class="indexterm" name="id322216"></a>
+ </p></li><li><p>
+ <a class="indexterm" name="id322229"></a>
+ <a class="indexterm" name="id322238"></a>
+ Configure the CUPS Print Queues as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E
+<code class="prompt">root# </code> lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E
+<code class="prompt">root# </code> lpadmin -p qms -v socket://192.168.2.10:9100 -E
+</pre><p>
+ <a class="indexterm" name="id322270"></a>
+ This creates the necessary print queues with no assigned print filter.
+ </p></li><li><p>
+ <a class="indexterm" name="id322284"></a>
+ <a class="indexterm" name="id322291"></a>
+ <a class="indexterm" name="id322298"></a>
+ Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream application/vnd.cups-raw 0 -
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id322324"></a>
+ Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id322349"></a>
+ Using your favorite system editor, create an <code class="filename">/etc/dhcpd.conf</code> with the
+ contents as shown in <a href="small.html#dhcp01" title="Example 2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf">???</a>.
+</p><div class="example"><a name="dhcp01"></a><p class="title"><b>Example 2.2. Abmas Accounting DHCP Server Configuration File <code class="filename">/etc/dhcpd.conf</code></b></p><div class="example-contents"><a class="indexterm" name="id322384"></a><pre class="screen">
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+
+option ntp-servers 192.168.1.1;
+option domain-name "abmas.biz";
+option domain-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-node-type 8;
+### NOTE ###
+# netbios-node-type=8 means set clients to Hybrid Mode
+# so they will use Unicast communication with the WINS
+# server and thus reduce the level of UDP broadcast
+# traffic by up to 90%.
+############
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.1.128 192.168.1.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.1.1;
+ allow unknown-clients;
+ host hplj4 {
+ hardware ethernet 08:00:46:7a:35:e4;
+ fixed-address 192.168.1.10;
+ }
+ host hplj6 {
+ hardware ethernet 00:03:47:cb:81:e0;
+ fixed-address 192.168.1.11;
+ }
+ }
+subnet 192.168.2.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.2.128 192.168.2.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.2.1;
+ allow unknown-clients;
+ host qms {
+ hardware ethernet 01:04:31:db:e1:c0;
+ fixed-address 192.168.1.10;
+ }
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+</pre></div></div><p><br class="example-break">
+ </p></li><li><p>
+ Use the standard system tool to start Samba and CUPS and configure them to start
+ automatically at every system reboot. For example,
+ </p><p>
+ <a class="indexterm" name="id322419"></a>
+ <a class="indexterm" name="id322426"></a>
+ <a class="indexterm" name="id322432"></a>
+ <a class="indexterm" name="id322439"></a>
+ <a class="indexterm" name="id322446"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> chkconfig dhcp on
+<code class="prompt">root# </code> chkconfig smb on
+<code class="prompt">root# </code> chkconfig cups on
+<code class="prompt">root# </code> /etc/rc.d/init.d/dhcp restart
+<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart
+<code class="prompt">root# </code> /etc/rc.d/init.d/cups restart
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id322501"></a>
+ <a class="indexterm" name="id322508"></a>
+ <a class="indexterm" name="id322517"></a>
+ <a class="indexterm" name="id322523"></a>
+ <a class="indexterm" name="id322530"></a>
+ <a class="indexterm" name="id322537"></a>
+ Configure the name service switch (NSS) to handle WINS-based name resolution.
+ Since this system does not use a DNS server, it is safe to remove this option from
+ the NSS configuration. Edit the <code class="filename">/etc/nsswitch.conf</code> file so that
+ the <code class="constant">hosts:</code> entry looks like this:
+</p><pre class="screen">
+hosts: files wins
+</pre><p>
+ </p></li></ol></div><div class="example"><a name="acct2conf"></a><p class="title"><b>Example 2.3. Accounting Office Network <code class="filename">smb.conf</code> File [globals] Section</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id322599"></a><em class="parameter"><code>workgroup = BILLMORE</code></em></td></tr><tr><td><a class="indexterm" name="id322611"></a><em class="parameter"><code>passwd chat = *New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*</code></em></td></tr><tr><td><a class="indexterm" name="id322624"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id322637"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id322650"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id322662"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id322675"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id322688"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id322700"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id322713"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id322726"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id322739"></a><em class="parameter"><code>add user to group 
script = /usr/sbin/usermod -G '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id322752"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id322765"></a><em class="parameter"><code>logon script = scripts\login.bat</code></em></td></tr><tr><td><a class="indexterm" name="id322778"></a><em class="parameter"><code>logon path = </code></em></td></tr><tr><td><a class="indexterm" name="id322790"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id322803"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id322815"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id322828"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id322840"></a><em class="parameter"><code>printing = CUPS</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="acct3conf"></a><p class="title"><b>Example 2.4. 
Accounting Office Network <code class="filename">smb.conf</code> File Services and Shares Section</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id322886"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id322898"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id322911"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id322924"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id322945"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id322958"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id322970"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id322983"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id322995"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id323008"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id323029"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id323042"></a><em class="parameter"><code>path = /data/%U</code></em></td></tr><tr><td><a class="indexterm" name="id323054"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a 
class="indexterm" name="id323067"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id323088"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id323101"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id323114"></a><em class="parameter"><code>valid users = %G</code></em></td></tr><tr><td><a class="indexterm" name="id323126"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[finsvcs]</code></em></td></tr><tr><td><a class="indexterm" name="id323148"></a><em class="parameter"><code>comment = Financial Service Files</code></em></td></tr><tr><td><a class="indexterm" name="id323160"></a><em class="parameter"><code>path = /data/finsvcs</code></em></td></tr><tr><td><a class="indexterm" name="id323173"></a><em class="parameter"><code>valid users = %G</code></em></td></tr><tr><td><a class="indexterm" name="id323185"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id323199"></a>Validation</h3></div></div></div><p>
+ Does everything function as it ought? That is the key question at this point.
+ Here are some simple steps to validate your Samba server configuration.
+ </p><div class="procedure"><a name="id323209"></a><p class="title"><b>Procedure 2.2. Validation Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id323220"></a>
+ If your <code class="filename">smb.conf</code> file has bogus options or parameters, this may cause Samba
+ to refuse to start. The first step should always be to validate the contents
+ of this file by running:
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm -s
+Load smb config files from smb.conf
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[netlogon]"
+Processing section "[accounts]"
+Processing section "[service]"
+Loaded services file OK.
+# Global parameters
+[global]
+ workgroup = BILLMORE
+ passwd chat = *New*Password* \
+ %n\n *Re-enter*new*password* %n\n *Password*changed*
+ username map = /etc/samba/smbusers
+ syslog = 0
+ name resolve order = wins bcast hosts
+ printcap name = CUPS
+ show add printer wizard = No
+ add user script = /usr/sbin/useradd -m '%u'
+ delete user script = /usr/sbin/userdel -r '%u'
+ add group script = /usr/sbin/groupadd '%g'
+ delete group script = /usr/sbin/groupdel '%g'
+ add user to group script = /usr/sbin/usermod -G '%g' '%u'
+ add machine script = /usr/sbin/useradd
+ -s /bin/false -d /var/lib/nobody '%u'
+ logon script = scripts\logon.bat
+ logon path =
+ logon drive = X:
+ domain logons = Yes
+ preferred master = Yes
+ wins support = Yes
+...
+### Remainder cut to save space ###
+</pre><p>
+ The inclusion of an invalid parameter (say one called dogbert) would generate an
+ error as follows:
+</p><pre class="screen">
+Unknown parameter encountered: "dogbert"
+Ignoring unknown parameter "dogbert"
+</pre><p>
+ Clear away all errors before proceeding, and start or restart samba as necessary.
+ </p></li><li><p>
+ <a class="indexterm" name="id323270"></a>
+ <a class="indexterm" name="id323277"></a>
+ <a class="indexterm" name="id323284"></a>
+ <a class="indexterm" name="id323291"></a>
+ Check that the Samba server is running:
+</p><pre class="screen">
+<code class="prompt">root# </code> ps ax | grep mbd
+14244 ? S 0:00 /usr/sbin/nmbd -D
+14245 ? S 0:00 /usr/sbin/nmbd -D
+14290 ? S 0:00 /usr/sbin/smbd -D
+
+$rootprompt; ps ax | grep winbind
+14293 ? S 0:00 /usr/sbin/winbindd -B
+14295 ? S 0:00 /usr/sbin/winbindd -B
+</pre><p>
+ The <code class="literal">winbindd</code> daemon is running in split mode (normal), so there are also
+ two instances of it. For more information regarding <code class="literal">winbindd</code>, see
+ <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 23, Section 23.3. The single instance of
+ <code class="literal">smbd</code> is normal.
+ </p></li><li><p>
+ <a class="indexterm" name="id323342"></a>
+ Check that an anonymous connection can be made to the Samba server:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient -L localhost -U%
+
+ Sharename Type Comment
+ --------- ---- -------
+ netlogon Disk Network Logon Service
+ accounts Disk Accounting Files
+ finsvcs Disk Financial Service Files
+ IPC$ IPC IPC Service (Samba3)
+ ADMIN$ IPC IPC Service (Samba3)
+ hplj4 Printer Hewlett-Packard LaserJet 4
+ hplj6 Printer Hewlett-Packard LaserJet 6
+ qms Printer QMS Magicolor Laser Printer XXXX
+
+ Server Comment
+ --------- -------
+ SLEETH Samba 3.0.20
+
+ Workgroup Master
+ --------- -------
+ BILLMORE SLEETH
+</pre><p>
+ This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent
+ of browsing the server from a Windows client to obtain a list of shares on the server.
+ The <code class="constant">-U%</code> argument means to send a <code class="constant">NULL</code> username and
+ a <code class="constant">NULL</code> password.
+ </p></li><li><p>
+ <a class="indexterm" name="id323387"></a>
+ <a class="indexterm" name="id323393"></a>
+ <a class="indexterm" name="id323400"></a>
+ Verify that the printers have the IP addresses assigned in the DHCP server configuration file.
+ The easiest way to do this is to ping the printer name. Immediately after the ping response
+ has been received, execute <code class="literal">arp -a</code> to find the MAC address of the printer
+ that has responded. Now you can compare the IP address and the MAC address of the printer
+ with the configuration information in the <code class="filename">/etc/dhcpd.conf</code> file. They
+ should, of course, match. For example,
+</p><pre class="screen">
+<code class="prompt">root# </code> ping hplj4
+PING hplj4 (192.168.1.11) 56(84) bytes of data.
+64 bytes from hplj4 (192.168.1.11): icmp_seq=1 ttl=64 time=0.113 ms
+
+<code class="prompt">root# </code> arp -a
+hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0
+</pre><p>
+ The MAC address <code class="constant">08:00:46:7A:35:E4</code> matches that specified for the
+ IP address from which the printer has responded and the entry for it in the
+ <code class="filename">/etc/dhcpd.conf</code> file.
+ </p></li><li><p>
+ <a class="indexterm" name="id323459"></a>
+ Make an authenticated connection to the server using the <code class="literal">smbclient</code> tool:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient //sleeth/accounts -U alanm
+Password: XXXXXXX
+smb: \&gt; dir
+ . D 0 Sun Nov 9 01:28:34 2003
+ .. D 0 Sat Aug 16 17:24:26 2003
+ .mc DH 0 Sat Nov 8 21:57:38 2003
+ .qt DH 0 Fri Sep 5 00:48:25 2003
+ SMB D 0 Sun Oct 19 23:04:30 2003
+ Documents D 0 Sat Nov 1 00:31:51 2003
+ xpsp1a_en_x86.exe 131170400 Sun Nov 2 01:25:44 2003
+
+ 65387 blocks of size 65536. 28590 blocks available
+smb: \&gt; q
+</pre><p>
+ </p></li></ol></div></div><div class="procedure"><a name="id323498"></a><p class="title"><b>Procedure 2.3. Windows XP Professional Client Configuration</b></p><ol type="1"><li><p>
+ Configure clients to the network settings shown in <a href="small.html#acct2net" title="Figure 2.1. Abmas Accounting 52-User Network Topology">???</a>.
+ All clients use DHCP for TCP/IP protocol stack configuration.
+ <a class="indexterm" name="id323516"></a>
+ <a class="indexterm" name="id323523"></a>
+ DHCP configures all Windows clients to use the WINS Server address <code class="constant">192.168.1.1</code>.
+ </p></li><li><p>
+ Join the Windows Domain called <code class="constant">BILLMORE</code>. Use the Domain Administrator
+ username <code class="constant">root</code> and the SMB password you assigned to this account.
+ A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
+ a Windows Domain is given in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>.
+ Reboot the machine as prompted and then log on using a Domain User account.
+ </p></li><li><p>
+ Verify on each client that the machine called <code class="constant">SLEETH</code>
+ is visible in <span class="guimenu">My Network Places</span>, that it is
+ possible to connect to it and see the shares <span class="guimenuitem">accounts</span>
+ and <span class="guimenuitem">finsvcs</span>,
+ and that it is possible to open that share to reveal its contents.
+ </p></li><li><p>
+ Instruct all users to log onto the workstation using their assigned username and password.
+ </p></li><li><p>
+ Install a printer on each using the following steps:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Click <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Settings</span> &#8594; <span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>.
+ Ensure that <span class="guimenuitem">Local printer</span> is selected.
+ </p></li><li><p>
+ Click <span class="guibutton">Next</span>. In the
+ <span class="guimenuitem">Manufacturer:</span> panel, select <code class="constant">HP</code>.
+ In the <span class="guimenuitem">Printers:</span> panel, select the printer called
+ <code class="constant">HP LaserJet 4</code>. Click <span class="guibutton">Next</span>.
+ </p></li><li><p>
+ In the <span class="guimenuitem">Available ports:</span> panel, select
+ <code class="constant">FILE:</code>. Accept the default printer name by clicking
+ <span class="guibutton">Next</span>. When asked, &#8220;<span class="quote">Would you like to print a
+ test page?</span>&#8221;, click <span class="guimenuitem">No</span>. Click
+ <span class="guibutton">Finish</span>.
+ </p></li><li><p>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <span class="guiicon">HP LaserJet 4</span> &#8594; <span class="guimenuitem">Properties</span> &#8594; <span class="guisubmenu">Details (Tab)</span> &#8594; <span class="guimenuitem">Add Port</span>.
+ </p></li><li><p>
+ In the <span class="guimenuitem">Network</span> panel, enter the name of
+ the print queue on the Samba server as follows: <code class="constant">\\SERVER\hplj4</code>.
+ Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation.
+ </p></li><li><p>
+ Repeat the printer installation steps above for the HP LaserJet 6 printer
+ as well as for the QMS Magicolor XXXX laser printer.
+ </p></li></ol></div></li></ol></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id323822"></a>Notebook Computers: A Special Case</h3></div></div></div><p>
+ As a network administrator, you already know how to create local machine accounts for Windows 200x/XP
+ Professional systems. This is the preferred solution to provide continuity of work for notebook users
+ so that absence from the office network environment does not become a barrier to productivity.
+ </p><p>
+ By creating a local machine account that has the same username and password as you create for that
+ user in the Windows Domain environment, the user can log onto the machine locally and still
+ transparently access network resources as if logged onto the domain itself. There are some trade-offs
+ that mean that as the network is more tightly secured, it becomes necessary to modify Windows client
+ configuration somewhat.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id323841"></a>Key Points Learned</h3></div></div></div><p>
+ In this network design and implementation exercise, you created a Windows NT4-style Domain
+ Controller using Samba-3.0.20. Following these guidelines, you experienced
+ and implemented several important aspects of Windows networking. In the next chapter,
+ you build on the experience. These are the highlights from this chapter:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id323858"></a>
+ You implemented a DHCP server, and Microsoft Windows clients were able to obtain all necessary
+ network configuration settings from this server.
+ </p></li><li><p>
+ <a class="indexterm" name="id323871"></a>
+ You created a Windows Domain Controller. You were able to use the network logon service
+ and successfully joined Windows 200x/XP Professional clients to the Domain.
+ </p></li><li><p>
+ <a class="indexterm" name="id323883"></a>
+ You created raw print queues in the CUPS printing system. You maintained a simple
+ printing system so that all users can share centrally managed printers. You installed
+ native printer drivers on the Windows clients.
+ </p></li><li><p>
+ You experienced the benefits of centrally managed user accounts on the server.
+ </p></li><li><p>
+ You offered Mobile notebook users a solution that allows them to continue to work
+ while away from the office and not connected to the corporate network.
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323907"></a>Questions and Answers</h2></div></div></div><p>
+ Your new Domain Controller is ready to serve you. What does it mean? Here are some questions and answers that
+ may help.
+ </p><div class="qandaset"><dl><dt>1. <a href="small.html#id323919">
+ What is the key benefit of using DHCP to configure Windows client TCP/IP stacks?
+ </a></dt><dt>2. <a href="small.html#id323941">
+ Are there any DHCP server configuration parameters in the /etc/dhcpd.conf
+ that should be noted in particular?
+ </a></dt><dt>3. <a href="small.html#id323968">
+ Is it possible to create a Windows Domain account that is specifically called Administrator?
+ </a></dt><dt>4. <a href="small.html#id324004">
+ Why is it necessary to give the Windows Domain Administrator a UNIX UID of 0?
+ </a></dt><dt>5. <a href="small.html#id324039">
+ One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him
+ root access. How can we do this?
+ </a></dt><dt>6. <a href="small.html#id324077">
+ Why must I map Windows Domain Groups to UNIX groups?
+ </a></dt><dt>7. <a href="small.html#id324114">
+ I deleted my root account and now I cannot add it back! What can I do?
+ </a></dt><dt>8. <a href="small.html#id324184">
+ When I run net groupmap list, it reports a group called Administrators
+ as well as Domain Admins. What is the difference between them?
+ </a></dt><dt>9. <a href="small.html#id324228">
+ What is the effect of changing the name of a Samba server or of changing the Domain name?
+ </a></dt><dt>10. <a href="small.html#id324272">
+ How can I manage user accounts from my Windows XP Professional workstation?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id323919"></a><a name="id323922"></a><b>1.</b></td><td align="left" valign="top"><p>
+ What is the key benefit of using DHCP to configure Windows client TCP/IP stacks?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ First and foremost, portability. It means that notebook users can move between
+ the Abmas office and client offices (so long as they, too, use DHCP) without having to manually
+ reconfigure their machines. It also means that when they work from their home environments
+ either using DHCP assigned addressing or when using dial-up networking, settings such as
+ default routes and DNS server addresses that apply only to the Abmas office environment do
+ not interfere with remote operations. This is an extremely important feature of DHCP.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id323941"></a><a name="id323943"></a><b>2.</b></td><td align="left" valign="top"><p>
+ Are there any DHCP server configuration parameters in the <code class="filename">/etc/dhcpd.conf</code>
+ that should be noted in particular?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Yes. The configuration you created automatically provides each client with the IP address
+ of your WINS server. It also configures the client to preferentially register NetBIOS names
+ with the WINS server, and then instructs the client to first query the WINS server when a
+ NetBIOS machine name needs to be resolved to an IP Address. This configuration
+ results in far lower UDP broadcast traffic than would be the case if WINS was not used.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id323968"></a><a name="id323970"></a><b>3.</b></td><td align="left" valign="top"><p>
+ Is it possible to create a Windows Domain account that is specifically called <code class="constant">Administrator</code>?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ You can surely create a Windows Domain account called <code class="constant">Administrator</code>. It is also
+ possible to map that account so that it has the effective UNIX UID of 0. This way it isn't
+ necessary to use the <em class="parameter"><code>username map</code></em> facility to map this account to the UNIX
+ account called <code class="constant">root</code>.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id324004"></a><a name="id324006"></a><b>4.</b></td><td align="left" valign="top"><p>
+ Why is it necessary to give the Windows Domain <code class="constant">Administrator</code> a UNIX UID of 0?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The Windows Domain <code class="constant">Administrator</code> account is the most privileged account that
+ exists on the Windows platform. This user can change any setting, add, delete, or modify user
+ accounts, and completely reconfigure the system. The equivalent to this account in the UNIX
+ environment is the <code class="constant">root</code> account. If you want to permit the Windows Domain
+ Administrator to manage accounts as well as permissions, privileges, and security
+ settings within the Domain and on the Samba server, equivalent rights must be assigned. This is
+ achieved with the <code class="constant">root</code> UID equal to 0.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id324039"></a><a name="id324042"></a><b>5.</b></td><td align="left" valign="top"><p>
+ One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him
+ <code class="constant">root</code> access. How can we do this?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Users who are members of the <code class="constant">Domain Admins</code> group can add machines to the
+ Domain. This group is mapped to the UNIX group account called <code class="constant">root</code>
+ (or the equivalent <code class="constant">wheel</code> on some UNIX systems) that has a GID of 0.
+ This must be the primary GID of the account of the user who is a member of the Windows <code class="constant">
+ Domain Admins</code> account.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id324077"></a><a name="id324079"></a><b>6.</b></td><td align="left" valign="top"><p>
+ Why must I map Windows Domain Groups to UNIX groups?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account
+ has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are
+ <span class="guimenu">Domain Guests</span>, <span class="guimenu">Domain Users</span>, and <span class="guimenu">Domain Admins</span>.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id324114"></a><a name="id324116"></a><b>7.</b></td><td align="left" valign="top"><p>
+ I deleted my <code class="constant">root</code> account and now I cannot add it back! What can I do?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ This is a nasty problem. Fortunately, there is a solution.
+ </p><div class="procedure"><ol type="1"><li><p>
+ Back up your existing configuration files in case you need to restore them.
+ </p></li><li><p>
+ Rename the <code class="filename">group_mapping.tdb</code> file.
+ </p></li><li><p>
+ Use the <code class="literal">smbpasswd</code> to add the root account.
+ </p></li><li><p>
+ Restore the <code class="filename">group_mapping.tdb</code> file.
+ </p></li></ol></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id324184"></a><a name="id324186"></a><b>8.</b></td><td align="left" valign="top"><p>
+ When I run <code class="literal">net groupmap list</code>, it reports a group called <span class="guimenu">Administrators</span>
+ as well as <span class="guimenu">Domain Admins</span>. What is the difference between them?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ The group called <span class="guimenu">Administrators</span> is representative of the same account that would be
+ present as the Local Group account on a Domain Member server or workstation. Samba uses only Domain
+ Groups at this time. A Workstation or Server Local Group has no meaning in a Samba context. This
+ may change at some later date. These accounts are provided only so that security objects are correctly shown.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id324228"></a><a name="id324230"></a><b>9.</b></td><td align="left" valign="top"><p>
+ What is the effect of changing the name of a Samba server or of changing the Domain name?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ If you elect to change the name of the Samba server, on restarting <code class="literal">smbd</code>,
+ Windows security identifiers are changed. In the case of a standalone server or a Domain Member server,
+ the machine SID is changed. This may break Domain membership. In the case of a change of the Domain name
+ (Workgroup name), the Domain SID is changed. This affects all Domain memberships.
+ </p><p>
+ If it becomes necessary to change either the server name or the Domain name, be sure to back up the respective
+ SID before the change is made. You can back up the SID using the <code class="literal">net getlocalsid</code> (Samba-3)
+ or the <code class="literal">smbpasswd</code> (Samba-2.2.x). To change the SID, you use the same tool. Be sure
+ to check the man page for this command for detailed instructions regarding the steps involved.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id324272"></a><a name="id324274"></a><b>10.</b></td><td align="left" valign="top"><p>
+ How can I manage user accounts from my Windows XP Professional workstation?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Samba-3 implements a Windows NT4-style security domain architecture. This type of Domain cannot
+ be managed using tools present on a Windows XP Professional installation. You may download from the
+ Microsoft Web site the SRVTOOLS.EXE package. Extract it into the directory from which you wish to use
+ it. This package extracts the tools: <code class="literal">User Manager for Domains</code>, <code class="literal">Server Manager</code>, and <code class="literal">Event
+ Viewer</code>. You may use the <span class="guimenu">User Manager for Domains</span> to manage your Samba-3
+ Domain user and group accounts. Of course, you do need to be logged on as the <code class="constant">Administrator</code>
+ for the Samba-3 Domain. It may help to log on as the <code class="constant">root</code> account.
+ </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="simple.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="secure.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. No-Frills Samba Servers </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 3. Secure Office Networking</td></tr></table></div></body></html>
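Review bot: the answer to question 9 in this hunk tells the reader to back up the SID with `net getlocalsid` and then says `To change the SID, you use the same tool.`, but `net getlocalsid` only prints the SID; the command that sets it is `net setlocalsid`, so that sentence should name `net setlocalsid` explicitly (and the reader should be told to verify the restored value with `net getlocalsid` afterwards). Also in this hunk, the cross-reference text was never resolved and renders as `???`, for example `<a href="small.html#acct2net" title="Figure 2.1. Abmas Accounting 52-User Network Topology">???</a>` and the two `appendix.html` links in the domain-join step; these look like a DocBook build with broken xref/olink resolution rather than an authoring error, so the HTML should be regenerated instead of patched by hand.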
diff --git a/docs/htmldocs/Samba3-ByExample/unixclients.html b/docs/htmldocs/Samba3-ByExample/unixclients.html
new file mode 100644
index 0000000000..5685ca6d34
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/unixclients.html
@@ -0,0 +1,1790 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Adding Domain Member Servers and Clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="next" href="upgrades.html" title="Chapter 8. Updating Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Adding Domain Member Servers and Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="upgrades.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unixclients"></a>Chapter 7. 
Adding Domain Member Servers and Clients</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unixclients.html#id352990">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id353039">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id353067">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id353091">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id353679">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id353760">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id359708">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id360196">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id360240">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id352902"></a><a class="indexterm" name="id352910"></a>
+ The most frequently discussed Samba subjects over the past 2 years have focused around domain control and printing.
+ It is well known that Samba is a file and print server. A recent survey conducted by <span class="emphasis"><em>Open Magazine</em></span> found
+ that of all respondents, 97 percent use Samba for file and print services, and 68 percent use Samba for Domain Control. See the
+ <a href="http://www.open-mag.com/cgi-bin/opencgi/surveys/survey.cgi?survey_name=samba" target="_top">Open-Mag</a>
+ Web site for current information. The survey results as found on January 14, 2004, are shown in
+ <a href="unixclients.html#ch09openmag" title="Figure 7.1. Open Magazine Samba Survey">???</a>.
+ </p><div class="figure"><a name="ch09openmag"></a><p class="title"><b>Figure 7.1. Open Magazine Samba Survey</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/openmag.png" width="324" alt="Open Magazine Samba Survey"></div></div></div><br class="figure-break"><p>
+ While domain control is an exciting subject, basic file and print sharing remains the staple bread-and-butter
+ function that Samba provides. Yet this book may give the appearance of having focused too much on more
+ exciting aspects of Samba deployment. This chapter directs your attention to provide important information on
+ the addition of Samba servers into your present Windows network whatever the controlling technology
+ may be. So let's get back to our good friends at Abmas.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id352990"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id352997"></a><a class="indexterm" name="id353005"></a>
+ Looking back over the achievements of the past year or two, daily events at Abmas are rather straightforward
+ with not too many distractions or problems. Your team is doing well, but a number of employees
+ are asking for Linux desktop systems. Your network has grown and demands additional domain member servers. Let's
+ get on with this; Christine and Stan are ready to go.
+ </p><p><a class="indexterm" name="id353023"></a>
+ Stan is firmly in control of the department of the future, while Christine is enjoying a stable and
+ predictable network environment. It is time to add more servers and to add Linux desktops. It is
+ time to meet the demands of future growth and endure trial by fire.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id353039"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id353045"></a>
+ You must now add UNIX/Linux domain member servers to your network. You have a friend who has a Windows 2003
+ Active Directory domain network who wants to add a Samba/Linux server and has asked Christine to help him
+ out. Your real objective is to help Christine to see more of the way the Microsoft world lives and use
+ her help to get validation that Samba really does live up to expectations.
+ </p><p>
+ Over the past 6 months, you have hired several new staff who want Linux on their desktops. You must integrate
+ these systems to make sure that Abmas is not building islands of technology. You ask Christine to
+ do likewise at Swodniw Biz NL (your friend's company) to help them to evaluate a Linux desktop. You want to make
+ the right decision, don't you?
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id353067"></a>Dissection and Discussion</h2></div></div></div><p>
+ <a class="indexterm" name="id353075"></a>
+ Recent Samba mailing-list activity is witness to how many sites are using winbind. Some have no trouble
+ at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning
+ an inability to achieve identical user and group IDs between Windows and UNIX environments.
+ </p><p>
+ You provide step-by-step implementations of the various tools that can be used for identity
+ resolution. You also provide working examples of solutions for integrated authentication for
+ both UNIX/Linux and Windows environments.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id353091"></a>Technical Issues</h3></div></div></div><p>
+ One of the great challenges we face when people ask us, &#8220;<span class="quote">What is the best way to solve
+ this problem?</span>&#8221; is to get beyond the facts so we not only can clearly comprehend
+ the immediate technical problem, but also can understand how needs may change.
+ </p><p>
+ <a class="indexterm" name="id353108"></a>
+ There are a few facts we should note when dealing with the question of how best to
+ integrate UNIX/Linux clients and servers into a Windows networking environment:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id353122"></a>
+ <a class="indexterm" name="id353129"></a>
+ <a class="indexterm" name="id353136"></a>
+ <a class="indexterm" name="id353145"></a>
+ <a class="indexterm" name="id353152"></a>
+ A domain controller (PDC or BDC) is always authoritative for all accounts in its domain.
+ This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs
+ to the same values that the PDC resolved them to.
+ </p></li><li><p>
+ <a class="indexterm" name="id353165"></a>
+ <a class="indexterm" name="id353172"></a>
+ <a class="indexterm" name="id353183"></a>
+ <a class="indexterm" name="id353190"></a>
+ A domain member can be authoritative for local accounts, but is never authoritative for
+ domain accounts. If a user is accessing a domain member server and that user's account
+ is not known locally, the domain member server must resolve the identity of that user
+ from the domain in which that user's account resides. It must then map that ID to a
+ UID/GID pair that it can use locally. This is handled by <code class="literal">winbindd</code>.
+ </p></li><li><p>
+ Samba, when running on a domain member server, can resolve user identities from a
+ number of sources:
+ </p><div class="itemizedlist"><ul type="circle"><li><p>
+ <a class="indexterm" name="id353218"></a>
+ <a class="indexterm" name="id353225"></a>
+ <a class="indexterm" name="id353232"></a>
+ <a class="indexterm" name="id353238"></a>
+ <a class="indexterm" name="id353245"></a>
+ By executing a system <code class="literal">getpwnam()</code> or <code class="literal">getgrnam()</code> call.
+ On systems that support it, this utilizes the name service switch (NSS) facility to
+ resolve names according to the configuration of the <code class="filename">/etc/nsswitch.conf</code>
+ file. NSS can be configured to use LDAP, winbind, NIS, or local files.
+ </p></li><li><p>
+ <a class="indexterm" name="id353276"></a>
+ <a class="indexterm" name="id353283"></a>
+ <a class="indexterm" name="id353290"></a>
+ Performing, via NSS, a direct LDAP search (where an LDAP passdb backend has been configured).
+ This requires the use of the PADL nss_ldap tool (or equivalent).
+ </p></li><li><p>
+ <a class="indexterm" name="id353302"></a>
+ <a class="indexterm" name="id353309"></a>
+ <a class="indexterm" name="id353316"></a>
+ <a class="indexterm" name="id353322"></a>
+ Directly by querying <code class="literal">winbindd</code>. The <code class="literal">winbindd</code>
+ contacts a domain controller to attempt to resolve the identity of the user or group. It
+ receives the Windows networking security identifier (SID) for that appropriate
+ account and then allocates a local UID or GID from the range of available IDs and
+ creates an entry in its <code class="filename">winbindd_idmap.tdb</code> and
+ <code class="filename">winbindd_cache.tdb</code> files.
+ </p><p>
+ <a class="indexterm" name="id353359"></a>
+ <a class="indexterm" name="id353366"></a>
+ If the parameter <a class="indexterm" name="id353373"></a>idmap backend = ldap:ldap://myserver.domain
+ was specified and the LDAP server has been configured with a container in which it may
+ store the IDMAP entries, all domain members may share a common mapping.
+ </p></li></ul></div><p>
+ Irrespective of how <code class="filename">smb.conf</code> is configured, winbind creates and caches a local copy of
+ the ID mapping database. It uses the <code class="filename">winbindd_idmap.tdb</code> and
+ <code class="filename">winbindd_cache.tdb</code> files to do this.
+ </p><p>
+ Which of the resolver methods is chosen is determined by the way that Samba is configured
+ in the <code class="filename">smb.conf</code> file. Some of the configuration options are rather less than obvious to the
+ casual user.
+ </p></li><li><p>
+ <a class="indexterm" name="id353420"></a>
+ <a class="indexterm" name="id353427"></a>
+ <a class="indexterm" name="id353436"></a>
+ If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable
+ of being resolved using) the NSS facility, it is possible to use the
+ <a class="indexterm" name="id353445"></a>winbind trusted domains only = Yes
+ in the <code class="filename">smb.conf</code> file. This parameter specifically applies to domain controllers,
+ and to domain member servers.
+ </p></li></ul></div><p>
+ <a class="indexterm" name="id353463"></a>
+ <a class="indexterm" name="id353470"></a>
+ <a class="indexterm" name="id353477"></a>
+ For many administrators, it should be plain that the use of an LDAP-based repository for all network
+ accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and
+ controllable facility. You eventually appreciate the decision to use LDAP.
+ </p><p>
+ <a class="indexterm" name="id353489"></a>
+ <a class="indexterm" name="id353496"></a>
+ <a class="indexterm" name="id353503"></a>
+ If your network account information resides in an LDAP repository, you should use it ahead of any
+ alternative method. This means that if it is humanly possible to use the <code class="literal">nss_ldap</code>
+ tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides
+ a more readily controllable method for asserting the exact same user and group identifiers
+ throughout the network.
+ </p><p>
+ <a class="indexterm" name="id353522"></a>
+ <a class="indexterm" name="id353531"></a>
+ <a class="indexterm" name="id353538"></a>
+ <a class="indexterm" name="id353545"></a>
+ <a class="indexterm" name="id353552"></a>
+ <a class="indexterm" name="id353559"></a>
+ In the situation where UNIX accounts are held on the domain member server itself, the only effective
+ way to use them involves the <code class="filename">smb.conf</code> entry
+ <a class="indexterm" name="id353573"></a>winbind trusted domains only = Yes. This forces
+ Samba (<code class="literal">smbd</code>) to perform a <code class="literal">getpwnam()</code> system call that can
+ then be controlled via <code class="filename">/etc/nsswitch.conf</code> file settings. The use of this parameter
+ disables the use of Samba with trusted domains (i.e., external domains).
+ </p><p>
+ <a class="indexterm" name="id353602"></a>
+ <a class="indexterm" name="id353609"></a>
+ <a class="indexterm" name="id353618"></a>
+ <a class="indexterm" name="id353625"></a>
+ Winbind can be used to create an appliance mode domain member server. In this capacity, <code class="literal">winbindd</code>
+ is configured to automatically allocate UIDs/GIDs from numeric ranges set in the <code class="filename">smb.conf</code> file. The allocation
+ is made for all accounts that connect to that domain member server, whether within its own domain or from
+ trusted domains. If not stored in an LDAP backend, each domain member maintains its own unique mapping database.
+ This means that it is almost certain that a given user who accesses two domain member servers does not have the
+ same UID/GID on both servers however, this is transparent to the Windows network user. This data
+ is stored in the <code class="filename">winbindd_idmap.tdb</code> and <code class="filename">winbindd_cache.tdb</code> files.
+ </p><p>
+ <a class="indexterm" name="id353667"></a>
+ The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs
+ mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member
+ servers so configured. This solves one of the major headaches for network administrators who need to copy
+ files between or across network file servers.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id353679"></a>Political Issues</h3></div></div></div><p>
+ <a class="indexterm" name="id353687"></a>
+ <a class="indexterm" name="id353694"></a>
+ <a class="indexterm" name="id353700"></a>
+ <a class="indexterm" name="id353709"></a>
+ One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in
+ particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP
+ is different and requires a new approach to the need for a better identity management solution. The more
+ you work with LDAP, the more its power and flexibility emerges from its dark, cavernous chasm.
+ </p><p>
+ LDAP is a most suitable solution for heterogenous environments. If you need crypto, add Kerberos.
+ The reason these are preferable is because they are heterogenous. Windows solutions of this sort are <span class="emphasis"><em>not</em></span>
+ heterogenous by design. This is fundamental it isn't religious or political. This also doesn't say that
+ you can't use Windows Active Directory in a heterogenous environment it can be done, it just requires
+ commercial integration products. But it's not what Active Directory was designed for.
+ </p><p>
+ <a class="indexterm" name="id353740"></a>
+ <a class="indexterm" name="id353746"></a>
+ A number of long-term UNIX devotees have recently commented in various communications that the Samba Team
+ is the first application group to almost force network administrators to use LDAP. It should be pointed
+ out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has
+ finally emerged as the preferred identity management backend for Samba. We recommend LDAP for your total
+ organizational directory needs.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id353760"></a>Implementation</h2></div></div></div><p>
+ <a class="indexterm" name="id353767"></a>
+ <a class="indexterm" name="id353776"></a>
+ <a class="indexterm" name="id353786"></a>
+ The domain member server and the domain member client are at the center of focus in this chapter.
+ Configuration of Samba-3 domain controller is covered in earlier chapters, so if your
+ interest is in domain controller configuration, you will not find that here. You will find good
+ oil that helps you to add domain member servers and clients.
+ </p><p>
+ <a class="indexterm" name="id353799"></a>
+ In practice, domain member servers and domain member workstations are very different entities, but in
+ terms of technology they share similar core infrastructure. A technologist would argue that servers
+ and workstations are identical. Many users would argue otherwise, given that in a well-disciplined
+ environment a workstation (client) is a device from which a user creates documents and files that
+ are located on servers. A workstation is frequently viewed as a disposable (easy to replace) item,
+ but a server is viewed as a core component of the business.
+ </p><p>
+ <a class="indexterm" name="id353816"></a>
+ We can look at this another way. If a workstation breaks down, one user is affected, but if a
+ server breaks down, hundreds of users may not be able to work. The services that a workstation
+ must provide are document- and file-production oriented; a server provides information storage
+ and is distribution oriented.
+ </p><p>
+ <a class="indexterm" name="id353829"></a>
+ <a class="indexterm" name="id353836"></a>
+ <a class="indexterm" name="id353842"></a>
+ <span class="emphasis"><em>Why is this important?</em></span> For starters, we must identify what
+ components of the operating system and its environment must be configured. Also, it is necessary
+ to recognize where the interdependencies between the various services to be used are.
+ In particular, it is important to understand the operation of each critical part of the
+ authentication process, the logon process, and how user identities get resolved and applied
+ within the operating system and applications (like Samba) that depend on this and may
+ actually contribute to it.
+ </p><p>
+ So, in this chapter we demonstrate how to implement the technology. It is done within a context of
+ what type of service need must be fulfilled.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sdcsdmldap"></a>Samba Domain with Samba Domain Member Server Using NSS LDAP</h3></div></div></div><p>
+ <a class="indexterm" name="id353877"></a>
+ <a class="indexterm" name="id353884"></a>
+ <a class="indexterm" name="id353890"></a>
+ <a class="indexterm" name="id353897"></a>
+ <a class="indexterm" name="id353906"></a>
+ <a class="indexterm" name="id353913"></a>
+ In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using
+ an LDAP ldapsam backend. We are adding to the LDAP backend database (directory)
+ containers for use by the IDMAP facility. This makes it possible to have globally consistent
+ mapping of SIDs to and from UIDs and GIDs. This means that it is necessary to run
+ <code class="literal">winbindd</code> as part of your configuration. The primary purpose of running
+ <code class="literal">winbindd</code> (within this operational context) is to permit mapping of foreign
+ SIDs (those not originating from the the local Samba server). Foreign SIDs can come from any
+ domain member client or server, or from Windows clients that do not belong to a domain. Another
+ way to explain the necessity to run <code class="literal">winbindd</code> is that Samba can locally
+ resolve only accounts that belong to the security context of its own machine SID. Winbind
+ handles all non-local SIDs and maps them to a local UID/GID value. The UID and GID are allocated
+ from the parameter values set in the <code class="filename">smb.conf</code> file for the <em class="parameter"><code>idmap uid</code></em> and
+ <em class="parameter"><code>idmap gid</code></em> ranges. Where LDAP is used, the mappings can be stored in LDAP
+ so that all domain member servers can use a consistent mapping.
+ </p><p>
+ <a class="indexterm" name="id353968"></a>
+ <a class="indexterm" name="id353975"></a>
+ <a class="indexterm" name="id353982"></a>
+ If your installation is accessed only from clients that are members of your own domain, and all
+ user accounts are present in a local passdb backend then it is not necessary to run
+ <code class="literal">winbindd</code>. The local passdb backend can be in smbpasswd, tdbsam, or in ldapsam.
+ </p><p>
+ It is possible to use a local passdb backend with any convenient means of resolving the POSIX
+ user and group account information. The POSIX information is usually obtained using the
+ <code class="literal">getpwnam()</code> system call. On NSS-enabled systems, the actual POSIX account
+ source can be provided from
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id354014"></a>
+ <a class="indexterm" name="id354021"></a>
+ Accounts in <code class="filename">/etc/passwd</code> or in <code class="filename">/etc/group</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id354044"></a>
+ <a class="indexterm" name="id354051"></a>
+ <a class="indexterm" name="id354058"></a>
+ <a class="indexterm" name="id354065"></a>
+ <a class="indexterm" name="id354071"></a>
+ <a class="indexterm" name="id354078"></a>
+ <a class="indexterm" name="id354085"></a>
+ <a class="indexterm" name="id354092"></a>
+ <a class="indexterm" name="id354099"></a>
+ Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs
+ via multiple methods. The methods typically include <code class="literal">files</code>,
+ <code class="literal">compat</code>, <code class="literal">db</code>, <code class="literal">ldap</code>,
+ <code class="literal">nis</code>, <code class="literal">nisplus</code>, <code class="literal">hesiod.</code> When
+ correctly installed, Samba adds to this list the <code class="literal">winbindd</code> facility.
+ The ldap facility is frequently the nss_ldap tool provided by PADL Software.
+ </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ To advoid confusion the use of the term <code class="literal">local passdb backend</code> means that
+ the user account backend is not shared by any other Samba server instead, it is
+ used only locally on the Samba domain member server under discussion.
+ </p></div><p>
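Review bot: Several wording slips in the prose of this region should be fixed before the file is published: "those not originating from the the local Samba server" has a doubled "the"; "To advoid confusion" should read "To avoid confusion", and the same Note sentence needs a break before "instead" ("...by any other Samba server; instead, it is used only locally..."); in the Winbind paragraph "same UID/GID on both servers however, this is transparent" needs a semicolon before "however"; and in the Political Issues section "This is fundamental it isn't religious or political" and "heterogenous environment it can be done" each run two sentences together (also "heterogenous" should be "heterogeneous" throughout).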
+ <a class="indexterm" name="id354173"></a>
+ The diagram in <a href="unixclients.html#ch9-sambadc" title="Figure 7.2. Samba Domain: Samba Member Server">???</a> demonstrates the relationship of Samba and system
+ components that are involved in the identity resolution process where Samba is used as a domain
+ member server within a Samba domain control network.
+ </p><div class="figure"><a name="ch9-sambadc"></a><p class="title"><b>Figure 7.2. Samba Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-SambaDC.png" width="324" alt="Samba Domain: Samba Member Server"></div></div></div><br class="figure-break"><p>
+ <a class="indexterm" name="id354233"></a>
+ <a class="indexterm" name="id354239"></a>
+ In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam
+ to obtain authentication and user identity information. The IDMAP information is stored in the LDAP
+ backend so that it can be shared by all domain member servers so that every user will have a
+ consistent UID and GID across all of them. The IDMAP facility will be used for all foreign
+ (i.e., not having the same SID as the domain it is a member of) domains. The configuration of
+ NSS will ensure that all UNIX processes will obtain a consistent UID/GID.
+ </p><p>
+ The instructions given here apply to the Samba environment shown in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a> and <a href="2000users.html" title="Chapter 6. A Distributed 2000-User Network">???</a>.
+ If the network does not have an LDAP slave server (i.e., <a href="happy.html" title="Chapter 5. Making Happy Users">???</a> configuration),
+ change the target LDAP server from <code class="constant">lapdc</code> to <code class="constant">massive.</code>
+ </p><div class="procedure"><a name="id354281"></a><p class="title"><b>Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution</b></p><ol type="1"><li><p>
+ Create the <code class="filename">smb.conf</code> file as shown in <a href="unixclients.html#ch9-sdmsdc" title="Example 7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File">???</a>. Locate
+ this file in the directory <code class="filename">/etc/samba</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id354318"></a>
+ Configure the file that will be used by <code class="constant">nss_ldap</code> to
+ locate and communicate with the LDAP server. This file is called <code class="filename">ldap.conf</code>.
+ If your implementation of <code class="constant">nss_ldap</code> is consistent with
+ the defaults suggested by PADL (the authors), it will be located in the
+ <code class="filename">/etc</code> directory. On some systems, the default location is
+ the <code class="filename">/etc/openldap</code> directory, however this file is intended
+ for use by the OpenLDAP utilities and should not really be used by the nss_ldap
+ utility since its content and structure serves the specific purpose of enabling
+ the resolution of user and group IDs via NSS.
+ </p><p>
+ Change the parameters inside the file that is located on your OS so it matches
+ <a href="unixclients.html#ch9-sdmlcnf" title="Example 7.3. Configuration File for NSS LDAP Support /etc/ldap.conf">???</a>. To find the correct location of this file, you
+ can obtain this from the library that will be used by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> strings /lib/libnss_ldap* | grep ldap.conf
+/etc/ldap.conf
+</pre><p>
+ </p></li><li><p>
+ Configure the NSS control file so it matches the one shown in
+ <a href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id354398"></a>
+ <a class="indexterm" name="id354405"></a>
+ Before proceeding to configure Samba, validate the operation of the NSS identity
+ resolution via LDAP by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent passwd
+...
+root:x:0:512:Netbios Domain Administrator:/root:/bin/false
+nobody:x:999:514:nobody:/dev/null:/bin/false
+bobj:x:1000:513:Robert Jordan:/home/bobj:/bin/bash
+stans:x:1001:513:Stanley Soroka:/home/stans:/bin/bash
+chrisr:x:1002:513:Christine Roberson:/home/chrisr:/bin/bash
+maryv:x:1003:513:Mary Vortexis:/home/maryv:/bin/bash
+jht:x:1004:513:John H Terpstra:/home/jht:/bin/bash
+bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
+temptation$:x:1009:553:temptation$:/dev/null:/bin/false
+vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
+fran$:x:1008:553:fran$:/dev/null:/bin/false
+josephj:x:1007:513:Joseph James:/home/josephj:/bin/bash
+</pre><p>
+ You should notice the location of the users' home directories. First, make certain that
+ the home directories exist on the domain member server; otherwise, the home directory
+ share is not available. The home directories could be mounted off a domain controller
+ using NFS or by any other suitable means. Second, the absence of the domain name in the
+ home directory path is indicative that identity resolution is not being done via winbind.
+</p><pre class="screen">
+<code class="prompt">root# </code> getent group
+...
+Domain Admins:x:512:root,jht
+Domain Users:x:513:bobj,stans,chrisr,maryv,jht,josephj
+Domain Guests:x:514:
+Accounts:x:1000:
+Finances:x:1001:
+PIOps:x:1002:
+sammy:x:4321:
+</pre><p>
+ <a class="indexterm" name="id354446"></a>
+ <a class="indexterm" name="id354453"></a>
+ <a class="indexterm" name="id354460"></a>
+ This shows that all is working as it should be. Notice that in the LDAP database
+ the users' primary and secondary group memberships are identical. It is not
+ necessary to add secondary group memberships (in the group database) if the
+ user is already a member via primary group membership in the password database.
+ When using winbind, it is in fact undesirable to do this because it results in
+ doubling up of group memberships and may cause problems with winbind under certain
+ conditions. It is intended that these limitations with winbind will be resolved soon
+ after Samba-3.0.20 has been released.
+ </p></li><li><p>
+ <a class="indexterm" name="id354479"></a>
+ The LDAP directory must have a container object for IDMAP data. There are several ways you can
+ check that your LDAP database is able to receive IDMAP information. One of the simplest is to
+ execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapcat | grep -i idmap
+dn: ou=Idmap,dc=abmas,dc=biz
+ou: idmap
+</pre><p>
+ <a class="indexterm" name="id354499"></a>
+ If the execution of this command does not return IDMAP entries, you need to create an LDIF
+ template file (see <a href="unixclients.html#ch9-ldifadd" title="Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">???</a>). You can add the required entries using
+ the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
+ -w not24get &lt; /etc/openldap/idmap.LDIF
+</pre><p>
+ </p></li><li><p>
+ Samba automatically populates the LDAP directory container when it needs to. To permit Samba
+ write access to the LDAP directory it is necessary to set the LDAP administrative password
+ in the <code class="filename">secrets.tdb</code> file as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -w not24get
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id354558"></a>
+ <a class="indexterm" name="id354570"></a>
+ The system is ready to join the domain. Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join -U root%not24get
+Joined domain MEGANET2.
+</pre><p>
+ This indicates that the domain join succeeded.
+ </p><p>
+ Failure to join the domain could be caused by any number of variables. The most common
+ causes of failure to join are:
+ </p><p>
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Broken resolution of NetBIOS names to the respective IP address.</p></li><li><p>Incorrect username and password credentials.</p></li><li><p>The NT4 <em class="parameter"><code>restrict anonymous</code></em> is set to exclude anonymous
+ connections.</p></li></ul></div><p>
+ </p><p>
+ The connection setup can be diagnosed by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join -S 'pdc-name' -U administrator%password -d 5
+</pre><p>
+ <a class="indexterm" name="id354636"></a>
+ <a class="indexterm" name="id354643"></a>
+ <a class="indexterm" name="id354650"></a>
+ <a class="indexterm" name="id354657"></a>
+ Note: Use "root" for UNIX/Linux and Samba, use "Administrator" for Windows NT4/200X. If the cause of
+ the failure appears to be related to a rejected or failed NT_SESSION_SETUP* or an error message that
+ says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the
+ <code class="constant">restrict anonymous</code> setting. Set this to the value 0 so that an anonymous connection
+ can be sustained, then try again.
+ </p><p>
+ It is possible (perhaps even recommended) to use the following to validate the ability to connect
+ to an NT4 PDC/BDC:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc info -S 'pdc-name' -U Administrator%not24get
+Domain Name: MEGANET2
+Domain SID: S-1-5-21-422319763-4138913805-7168186429
+Sequence number: 1519909596
+Num users: 7003
+Num domain groups: 821
+Num local groups: 8
+
+<code class="prompt">root# </code> net rpc testjoin -S 'pdc-name' -U Administrator%not24get
+Join to 'MEGANET2' is OK
+</pre><p>
+ If for any reason the following response is obtained to the last command above,it is time to
+ call in the Networking Super-Snooper task force (i.e., start debugging):
+</p><pre class="screen">
+NT_STATUS_ACCESS_DENIED
+Join to 'MEGANET2' failed.
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id354709"></a>
+ Just joining the domain is not quite enough; you must now provide a privileged set
+ of credentials through which <code class="literal">winbindd</code> can interact with the
+ domain servers. Execute the following to implant the necessary credentials:
+</p><pre class="screen">
+<code class="prompt">root# </code> wbinfo --set-auth-user=Administrator%not24get
+</pre><p>
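Review bot: Every privileged command in Procedure 7.1 carries the password on its command line (`smbpasswd -w not24get`, `net rpc join -U root%not24get`, `wbinfo --set-auth-user=Administrator%not24get`, and the `-U Administrator%not24get` forms under `net rpc info` and `net rpc testjoin`), which leaves it in the shell history and visible to any local user in the process list while the command runs; the text should point out that `net` and `wbinfo` prompt for the password when only the user name is given, and that the history entry should be removed where a literal password cannot be avoided, as with `smbpasswd -w`. The same string `not24get` is also used here as the LDAP `cn=Manager` password, the domain Administrator password and the `root` password; a sentence saying this reuse is a convenience of the worked example and not a practice to copy would help. The troubleshooting advice to set the NT4 `restrict anonymous` value to 0 should add that the previous value is to be restored once the join has succeeded, because the lower value re-enables the anonymous enumeration that the setting exists to block. Minor: "above,it" in the sentence before the NT_STATUS_ACCESS_DENIED listing is missing a space.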
+ The configuration is now ready to obtain the Samba domain user and group information.
+ </p></li><li><p>
+ You may now start Samba in the usual manner, and your Samba domain member server
+ is ready for use. Just add shares as required.
+ </p></li></ol></div><div class="example"><a name="ch9-sdmsdc"></a><p class="title"><b>Example 7.1. Samba Domain Member in Samba Domain Using LDAP <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id354782"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id354794"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id354807"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id354819"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id354832"></a><em class="parameter"><code>log level = 10</code></em></td></tr><tr><td><a class="indexterm" name="id354844"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id354857"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id354870"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id354882"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id354895"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id354907"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id354920"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id354933"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a 
class="indexterm" name="id354945"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id354958"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id354971"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id354983"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id354996"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id355009"></a><em class="parameter"><code>idmap backend = ldap:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id355022"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id355034"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id355047"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id355059"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id355072"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id355093"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id355106"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id355119"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id355131"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em 
class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id355153"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id355165"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id355178"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id355190"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id355203"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id355224"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id355237"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id355250"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id355262"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch9-ldifadd"></a><p class="title"><b>Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
+dn: ou=Idmap,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: idmap
+structuralObjectClass: organizationalUnit
+</pre></div></div><br class="example-break"><div class="example"><a name="ch9-sdmlcnf"></a><p class="title"><b>Example 7.3. Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">
+URI ldap://massive.abmas.biz ldap://massive.abmas.biz:636
+host 192.168.2.1
+base dc=abmas,dc=biz
+binddn cn=Manager,dc=abmas,dc=biz
+bindpw not24get
+
+pam_password exop
+
+nss_base_passwd ou=People,dc=abmas,dc=biz?one
+nss_base_shadow ou=People,dc=abmas,dc=biz?one
+nss_base_group ou=Groups,dc=abmas,dc=biz?one
+ssl no
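Review bot: The NSS client configuration in Example 7.3 binds as the directory administrator (`binddn cn=Manager,dc=abmas,dc=biz` with `bindpw not24get`) although NSS lookups only need read access; because nss_ldap reads `/etc/ldap.conf` from every process that resolves a name, the file has to be world-readable, so this hands the rootdn password to every local user and process on the member server. Suggest a dedicated read-only bind identity (or an anonymous bind where the directory ACLs permit it) and, if a privileged bind is needed for shadow lookups, nss_ldap's `rootbinddn` mechanism with the password kept in the root-only `/etc/ldap.secret`; write access for Samba itself is already supplied separately through `smbpasswd -w` in Procedure 7.1. The `URI` line is also inconsistent: `ldap://massive.abmas.biz:636` names the LDAPS port under the plain `ldap://` scheme while `ssl no` is set, so either that entry should become `ldaps://massive.abmas.biz` with `ssl on`, or the `:636` entry should be dropped; as written the Manager password and all lookups cross the network in clear. Two points on Example 7.1 above: `log level = 10` is full debug verbosity and, with `log file = /var/log/samba/%m` and `max log size = 50`, will write detailed per-session data for every client and rotate constantly; Example 7.5 uses `log level = 1`, which should be used here too with a remark that 10 is for troubleshooting only. And `idmap backend = ldap:ldap://lapdc.abmas.biz` together with `ldap admin dn = cn=Manager,dc=abmas,dc=biz` sends the administrator credentials to the IDMAP server over plain LDAP, so the example should state how that link is protected (Samba's `ldap ssl` parameter, or a trusted network segment).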
+</pre></div></div><br class="example-break"><div class="example"><a name="ch9-sdmnss"></a><p class="title"><b>Example 7.4. NSS using LDAP for Identity Resolution File: <code class="filename">/etc/nsswitch.conf</code></b></p><div class="example-contents"><pre class="screen">
+passwd: files ldap
+shadow: files ldap
+group: files ldap
+
+hosts: files dns wins
+networks: files dns
+
+services: files
+protocols: files
+rpc: files
+ethers: files
+netmasks: files
+netgroup: files
+publickey: files
+
+bootparams: files
+automount: files
+aliases: files
+</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="wdcsdm"></a>NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</h3></div></div></div><p>
+ You need to use this method for creating a Samba domain member server if any of the following conditions
+ prevail:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ LDAP support (client) is not installed on the system.
+ </p></li><li><p>
+ There are mitigating circumstances forcing a decision not to use LDAP.
+ </p></li><li><p>
+ The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain.
+ </p></li></ul></div><p>
+ <a class="indexterm" name="id355383"></a>
+ <a class="indexterm" name="id355390"></a>
+ <a class="indexterm" name="id355396"></a>
+ Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain.
+ Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style
+ domain and/or does not use LDAP.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id355410"></a>
+ If you use <code class="literal">winbind</code> for identity resolution, make sure that there are no
+ duplicate accounts.
+ </p><p>
+ <a class="indexterm" name="id355426"></a>
+ For example, do not have more than one account that has UID=0 in the password database. If there
+ is an account called <code class="constant">root</code> in the <code class="filename">/etc/passwd</code> database,
+ it is okay to have an account called <code class="constant">root</code> in the LDAP ldapsam or in the
+ tdbsam. But if there are two accounts in the passdb backend that have the same UID, winbind will
+ break. This means that the <code class="constant">Administrator</code> account must be called
+ <code class="constant">root</code>.
+ </p><p>
+ <a class="indexterm" name="id355460"></a>
+ <a class="indexterm" name="id355467"></a>
+ <a class="indexterm" name="id355474"></a>
+ Winbind will break if there is an account in <code class="filename">/etc/passwd</code> that has
+ the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only.
+ </p></div><p>
+ <a class="indexterm" name="id355491"></a>
+ <a class="indexterm" name="id355498"></a>
+ <a class="indexterm" name="id355504"></a>
+ <a class="indexterm" name="id355511"></a>
+ <a class="indexterm" name="id355520"></a>
+ The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials.
+ The winbind information is locally cached in the <code class="filename">winbindd_cache.tdb winbindd_idmap.tdb</code>
+ files. This provides considerable performance benefits compared with the LDAP solution, particularly
+ where the LDAP lookups must traverse WAN links. You may examine the contents of these
+ files using the tool <code class="literal">tdbdump</code>, though you may have to build this from the Samba
+ source code if it has not been supplied as part of a binary package distribution that you may be using.
+ </p><div class="procedure"><a name="id355545"></a><p class="title"><b>Procedure 7.2. Configuration of Winbind-Based Identity Resolution</b></p><ol type="1"><li><p>
+ Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents
+ shown in <a href="unixclients.html#ch0-NT4DSDM" title="Example 7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id355576"></a>
+ Edit the <code class="filename">/etc/nsswitch.conf</code> so it has the entries shown in
+ <a href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id355601"></a>
+ The system is ready to join the domain. Execute the following:
+</p><pre class="screen">
+net rpc join -U root%not2g4et
+Joined domain MEGANET2.
+</pre><p>
+ This indicates that the domain join succeed.
+
+ </p></li><li><p>
+ <a class="indexterm" name="id355626"></a>
+ <a class="indexterm" name="id355633"></a>
+ Validate operation of <code class="literal">winbind</code> using the <code class="literal">wbinfo</code>
+ tool as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> wbinfo -u
+MEGANET2+root
+MEGANET2+nobody
+MEGANET2+jht
+MEGANET2+maryv
+MEGANET2+billr
+MEGANET2+jelliott
+MEGANET2+dbrady
+MEGANET2+joeg
+MEGANET2+balap
+</pre><p>
+ This shows that domain users have been listed correctly.
+</p><pre class="screen">
+<code class="prompt">root# </code> wbinfo -g
+MEGANET2+Domain Admins
+MEGANET2+Domain Users
+MEGANET2+Domain Guests
+MEGANET2+Accounts
+MEGANET2+Finances
+MEGANET2+PIOps
+</pre><p>
+ This shows that domain groups have been correctly obtained also.
+ </p></li><li><p>
+ <a class="indexterm" name="id355685"></a>
+ <a class="indexterm" name="id355691"></a>
+ <a class="indexterm" name="id355698"></a>
+ The next step verifies that NSS is able to obtain this information
+ correctly from <code class="literal">winbind</code> also.
+</p><pre class="screen">
+<code class="prompt">root# </code> getent passwd
+...
+MEGANET2+root:x:10000:10001:NetBIOS Domain Admin:
+ /home/MEGANET2/root:/bin/bash
+MEGANET2+nobody:x:10001:10001:nobody:
+ /home/MEGANET2/nobody:/bin/bash
+MEGANET2+jht:x:10002:10001:John H Terpstra:
+ /home/MEGANET2/jht:/bin/bash
+MEGANET2+maryv:x:10003:10001:Mary Vortexis:
+ /home/MEGANET2/maryv:/bin/bash
+MEGANET2+billr:x:10004:10001:William Randalph:
+ /home/MEGANET2/billr:/bin/bash
+MEGANET2+jelliott:x:10005:10001:John G Elliott:
+ /home/MEGANET2/jelliott:/bin/bash
+MEGANET2+dbrady:x:10006:10001:Darren Brady:
+ /home/MEGANET2/dbrady:/bin/bash
+MEGANET2+joeg:x:10007:10001:Joe Green:
+ /home/MEGANET2/joeg:/bin/bash
+MEGANET2+balap:x:10008:10001:Bala Pillay:
+ /home/MEGANET2/balap:/bin/bash
+</pre><p>
+ The user account information has been correctly obtained. This information has
+ been merged with the winbind template information configured in the <code class="filename">smb.conf</code> file.
+</p><pre class="screen">
+<code class="prompt">root# </code># getent group
+...
+MEGANET2+Domain Admins:x:10000:MEGANET2+root,MEGANET2+jht
+MEGANET2+Domain Users:x:10001:MEGANET2+jht,MEGANET2+maryv,\
+ MEGANET2+billr,MEGANET2+jelliott,MEGANET2+dbrady,\
+ MEGANET2+joeg,MEGANET2+balap
+MEGANET2+Domain Guests:x:10002:MEGANET2+nobody
+MEGANET2+Accounts:x:10003:
+MEGANET2+Finances:x:10004:
+MEGANET2+PIOps:x:10005:
+</pre><p>
+ </p></li><li><p>
+ The Samba member server of a Windows NT4 domain is ready for use.
+ </p></li></ol></div><div class="example"><a name="ch0-NT4DSDM"></a><p class="title"><b>Example 7.5. Samba Domain Member Server Using Winbind <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id355794"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id355807"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id355819"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id355832"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id355844"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id355857"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id355870"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id355882"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id355895"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id355907"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id355920"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id355932"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id355945"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a 
class="indexterm" name="id355958"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id355970"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id355983"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id355996"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id356008"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id356021"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id356033"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id356055"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id356068"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id356080"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id356093"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id356114"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id356127"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id356139"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id356152"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a 
class="indexterm" name="id356164"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id356186"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id356198"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id356211"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id356224"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="dcwonss"></a>NT4/Samba Domain with Samba Domain Member Server without NSS Support</h3></div></div></div><p>
+ No matter how many UNIX/Linux administrators there may be who believe that a UNIX operating
+ system that does not have NSS and PAM support to be outdated, the fact is there
+ are still many such systems in use today. Samba can be used without NSS support, but this
+ does limit it to the use of local user and group accounts only.
+ </p><p>
+ The following steps may be followed to implement Samba with support for local accounts.
+ In this configuration Samba is made a domain member server. All incoming connections
+ to the Samba server will cause the look-up of the incoming username. If the account
+ is found, it is used. If the account is not found, one will be automatically created
+ on the local machine so that it can then be used for all access controls.
+ </p><div class="procedure"><a name="id356261"></a><p class="title"><b>Procedure 7.3. Configuration Using Local Accounts Only</b></p><ol type="1"><li><p>
+ Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents
+ shown in <a href="unixclients.html#ch0-NT4DSCM" title="Example 7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain">???</a>.
+ </p></li><li><p><a class="indexterm" name="id356292"></a>
+ The system is ready to join the domain. Execute the following:
+</p><pre class="screen">
+net rpc join -U root%not24get
+Joined domain MEGANET2.
+</pre><p>
+ This indicates that the domain join succeed.
+ </p></li><li><p>
+ Be sure to run all three Samba daemons: <code class="literal">smbd</code>, <code class="literal">nmbd</code>, <code class="literal">winbindd</code>.
+ </p></li><li><p>
+ The Samba member server of a Windows NT4 domain is ready for use.
+ </p></li></ol></div><div class="example"><a name="ch0-NT4DSCM"></a><p class="title"><b>Example 7.6. Samba Domain Member Server Using Local Accounts <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id356377"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id356390"></a><em class="parameter"><code>workgroup = MEGANET3</code></em></td></tr><tr><td><a class="indexterm" name="id356402"></a><em class="parameter"><code>netbios name = BSDBOX</code></em></td></tr><tr><td><a class="indexterm" name="id356415"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id356428"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id356440"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id356453"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id356465"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id356478"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -M '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id356491"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id356504"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id356516"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id356529"></a><em 
class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id356541"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id356554"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id356567"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id356579"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id356592"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id356605"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id356626"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id356639"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id356651"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id356664"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id356685"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id356698"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id356710"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id356723"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id356736"></a><em 
class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id356757"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id356770"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id356782"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id356795"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="adssdm"></a>Active Directory Domain with Samba Domain Member Server</h3></div></div></div><p>
+ <a class="indexterm" name="id356821"></a>
+ <a class="indexterm" name="id356830"></a>
+ <a class="indexterm" name="id356837"></a>
+ One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory
+ domain using Kerberos protocols. This makes it possible to operate an entire Windows network
+ without the need to run NetBIOS over TCP/IP and permits more secure networking in general. An
+ exhaustively complete discussion of the protocols is not possible in this book; perhaps a
+ later book may explore the intricacies of the NetBIOS-less operation that Samba-3 can participate
+ in. For now, we simply focus on how a Samba-3 server can be made a domain member server.
+ </p><p>
+ <a class="indexterm" name="id356854"></a>
+ <a class="indexterm" name="id356861"></a>
+ <a class="indexterm" name="id356868"></a>
+ <a class="indexterm" name="id356874"></a>
+ The diagram in <a href="unixclients.html#ch9-adsdc" title="Figure 7.3. Active Directory Domain: Samba Member Server">???</a> demonstrates how Samba-3 interfaces with
+ Microsoft Active Directory components. It should be noted that if Microsoft Windows Services
+ for UNIX (SFU) has been installed and correctly configured, it is possible to use client LDAP
+ for identity resolution just as can be done with Samba-3 when using an LDAP passdb backend.
+ The UNIX tool that you need for this, as in the case of LDAP on UNIX/Linux, is the PADL
+ Software nss_ldap tool-set. Compared with use of winbind and Kerberos, the use of
+ LDAP-based identity resolution is a little less secure. In view of the fact that this solution
+ requires additional software to be installed on the Windows 200x ADS domain controllers,
+ and that means more management overhead, it is likely that most Samba-3 ADS client sites
+ may elect to use winbind.
+ </p><p>
+ Do not attempt to use this procedure if you are not 100 percent certain that the build of Samba-3
+ you are using has been compiled and linked with all the tools necessary for this to work.
+ Given the importance of this step, you must first validate that the Samba-3 message block
+ daemon (<code class="literal">smbd</code>) has the necessary features.
+ </p><p>
+ The hypothetical domain you are using in this example assumes that the Abmas London office
+ decided to take its own lead (some would say this is a typical behavior in a global
+ corporate world; besides, a little divergence and conflict makes for an interesting life).
+ The Windows Server 2003 ADS domain is called <code class="constant">london.abmas.biz</code> and the
+ name of the server is <code class="constant">W2K3S</code>. In ADS realm terms, the domain controller
+ is known as <code class="constant">w2k3s.london.abmas.biz</code>. In NetBIOS nomenclature, the
+ domain name is <code class="constant">LONDON</code> and the server name is <code class="constant">W2K3S</code>.
+ </p><div class="figure"><a name="ch9-adsdc"></a><p class="title"><b>Figure 7.3. Active Directory Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-ADSDC.png" width="324" alt="Active Directory Domain: Samba Member Server"></div></div></div><br class="figure-break"><div class="procedure"><a name="id356974"></a><p class="title"><b>Procedure 7.4. Joining a Samba Server as an ADS Domain Member</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id356985"></a>
+ Before you try to use Samba-3, you want to know for certain that your executables have
+ support for Kerberos and for LDAP. Execute the following to identify whether or
+ not this build is perhaps suitable for use:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /usr/sbin
+<code class="prompt">root# </code> smbd -b | grep KRB
+ HAVE_KRB5_H
+ HAVE_ADDR_TYPE_IN_KRB5_ADDRESS
+ HAVE_KRB5
+ HAVE_KRB5_AUTH_CON_SETKEY
+ HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES
+ HAVE_KRB5_GET_PW_SALT
+ HAVE_KRB5_KEYBLOCK_KEYVALUE
+ HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
+ HAVE_KRB5_MK_REQ_EXTENDED
+ HAVE_KRB5_PRINCIPAL_GET_COMP_STRING
+ HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES
+ HAVE_KRB5_STRING_TO_KEY
+ HAVE_KRB5_STRING_TO_KEY_SALT
+ HAVE_LIBKRB5
+</pre><p>
+ This output was obtained on a SUSE Linux system and shows the output for
+ Samba that has been compiled and linked with the Heimdal Kerberos libraries.
+ The following is a typical output that will be found on a Red Hat Linux system that
+ has been linked with the MIT Kerberos libraries:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /usr/sbin
+<code class="prompt">root# </code> smbd -b | grep KRB
+ HAVE_KRB5_H
+ HAVE_ADDRTYPE_IN_KRB5_ADDRESS
+ HAVE_KRB5
+ HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
+ HAVE_KRB5_ENCRYPT_DATA
+ HAVE_KRB5_FREE_DATA_CONTENTS
+ HAVE_KRB5_FREE_KTYPES
+ HAVE_KRB5_GET_PERMITTED_ENCTYPES
+ HAVE_KRB5_KEYTAB_ENTRY_KEY
+ HAVE_KRB5_LOCATE_KDC
+ HAVE_KRB5_MK_REQ_EXTENDED
+ HAVE_KRB5_PRINCIPAL2SALT
+ HAVE_KRB5_PRINC_COMPONENT
+ HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
+ HAVE_KRB5_SET_REAL_TIME
+ HAVE_KRB5_STRING_TO_KEY
+ HAVE_KRB5_TKT_ENC_PART2
+ HAVE_KRB5_USE_ENCTYPE
+ HAVE_LIBGSSAPI_KRB5
+ HAVE_LIBKRB5
+</pre><p>
+ You can validate that Samba has been compiled and linked with LDAP support
+ by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbd -b | grep LDAP
+massive:/usr/sbin # smbd -b | grep LDAP
+ HAVE_LDAP_H
+ HAVE_LDAP
+ HAVE_LDAP_DOMAIN2HOSTLIST
+ HAVE_LDAP_INIT
+ HAVE_LDAP_INITIALIZE
+ HAVE_LDAP_SET_REBIND_PROC
+ HAVE_LIBLDAP
+ LDAP_SET_REBIND_PROC_ARGS
+</pre><p>
+ This does look promising; <code class="literal">smbd</code> has been built with Kerberos and LDAP
+ support. You are relieved to know that it is safe to progress.
+ </p></li><li><p>
+ <a class="indexterm" name="id357067"></a>
+ <a class="indexterm" name="id357076"></a>
+ <a class="indexterm" name="id357083"></a>
+ <a class="indexterm" name="id357090"></a>
+ <a class="indexterm" name="id357099"></a>
+ <a class="indexterm" name="id357108"></a>
+ <a class="indexterm" name="id357115"></a>
+ <a class="indexterm" name="id357122"></a>
+ <a class="indexterm" name="id357129"></a>
+ The next step is to identify which version of the Kerberos libraries have been used.
+ In order to permit Samba-3 to interoperate with Windows 2003 Active Directory, it is
+ essential that it has been linked with either MIT Kerberos version 1.3.1 or later,
+ or that it has been linked with Heimdal Kerberos 0.6 plus specific patches. You may
+ identify what version of the MIT Kerberos libraries are installed on your system by
+ executing (on Red Hat Linux):
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -q krb5
+</pre><p>
+ Or on SUSE Linux, execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -q heimdal
+</pre><p>
+ Please note that the RPMs provided by the Samba-Team are known to be working and have
+ been validated. Red Hat Linux RPMs may be obtained from the Samba FTP sites. SUSE
+ Linux RPMs may be obtained from <a href="ftp://ftp.sernet.de" target="_top">Sernet</a> in
+ Germany.
+ </p><p>
+ From this point on, you are certain that the Samba-3 build you are using has the
+ necessary capabilities. You can now configure Samba-3 and the NSS.
+ </p></li><li><p>
+ Using you favorite editor, configure the <code class="filename">smb.conf</code> file that is located in the
+ <code class="filename">/etc/samba</code> directory so that it has the contents shown
+ in <a href="unixclients.html#ch9-adssdm" title="Example 7.7. Samba Domain Member smb.conf File for Active Directory Membership">???</a>.
+ </p></li><li><p>
+ Edit or create the NSS control file so it has the contents shown in <a href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id357221"></a>
+ Delete the file <code class="filename">/etc/samba/secrets.tdb</code> if it exists. Of course, you
+ do keep a backup, don't you?
+ </p></li><li><p>
+ Delete the tdb files that cache Samba information. You keep a backup of the old
+ files, of course. You also remove all files to ensure that nothing can pollute your
+ nice, new configuration. Execute the following (example is for SUSE Linux):
+</p><pre class="screen">
+<code class="prompt">root# </code> rm /var/lib/samba/*tdb
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id357261"></a>
+ Validate your <code class="filename">smb.conf</code> file using <code class="literal">testparm</code> (as you have
+ done previously). Correct all errors reported before proceeding. The command you
+ execute is:
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm -s | less
+</pre><p>
+ Now that you are satisfied that your Samba server is ready to join the Windows
+ ADS domain, let's move on.
+ </p></li><li><p>
+ <a class="indexterm" name="id357300"></a>
+ <a class="indexterm" name="id357311"></a>
+ This is a good time to double-check everything and then execute the following
+ command when everything you have done has checked out okay:
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads join -UAdministrator%not24get
+Using short domain name -- LONDON
+Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ'
+</pre><p>
+ You have successfully made your Samba-3 server a member of the ADS domain
+ using Kerberos protocols.
+ </p><p>
+ <a class="indexterm" name="id357336"></a>
+ <a class="indexterm" name="id357342"></a>
+ In the event that you receive no output messages, a silent return means that the
+ domain join failed. You should use <code class="literal">ethereal</code> to identify what
+ may be failing. Common causes of a failed join include:
+
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id357362"></a>
+ Defective or misconfigured DNS name resolution.
+ </p></li><li><p>
+ <a class="indexterm" name="id357376"></a>
+ Restrictive security settings on the Windows 200x ADS domain controller
+ preventing needed communications protocols. You can check this by searching
+ the Windows Server 200x Event Viewer.
+ </p></li><li><p>
+ Incorrectly configured <code class="filename">smb.conf</code> file settings.
+ </p></li><li><p>
+ Lack of support of necessary Kerberos protocols because the version of MIT
+ Kerberos (or Heimdal) in use is not up to date enough to support the necessary
+ functionality.
+ </p></li></ul></div><p>
+
+ <a class="indexterm" name="id357404"></a>
+ <a class="indexterm" name="id357415"></a>
+ <a class="indexterm" name="id357421"></a>
+ In any case, never execute the <code class="literal">net rpc join</code> command in an attempt
+ to join the Samba server to the domain, unless you wish not to use the Kerberos
+ security protocols. Use of the older RPC-based domain join facility requires that
+ Windows Server 200x ADS has been configured appropriately for mixed mode operation.
+ </p></li><li><p>
+ <a class="indexterm" name="id357443"></a>
+ <a class="indexterm" name="id357450"></a>
+ If the <code class="literal">tdbdump</code> is installed on your system (not essential),
+ you can look inside the <code class="filename">/etc/samba/secrets.tdb</code> file. If
+ you wish to do this, execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> tdbdump secrets.tdb
+{
+key = "SECRETS/SID/LONDON"
+data = "\01\04\00\00\00\00\00\05\15\00\00\00\EBw\86\F1\ED\BD\
+ F6{\5C6\E5W\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\
+ 00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\
+ 00\00\00\00\00\00\00\00"
+}
+{
+key = "SECRETS/MACHINE_PASSWORD/LONDON"
+data = "le3Q5FPnN5.ueC\00"
+}
+{
+key = "SECRETS/MACHINE_SEC_CHANNEL_TYPE/LONDON"
+data = "\02\00\00\00"
+}
+{
+key = "SECRETS/MACHINE_LAST_CHANGE_TIME/LONDON"
+data = "E\89\F6?"
+}
+</pre><p>
+ This is given to demonstrate to the skeptics that this process truly does work.
+ </p></li><li><p>
+ It is now time to start Samba in the usual way (as has been done many time before
+ in this book).
+ </p></li><li><p>
+ <a class="indexterm" name="id357500"></a>
+ This is a good time to verify that everything is working. First, check that
+ winbind is able to obtain the list of users and groups from the ADS domain controller.
+ Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> wbinfo -u
+LONDON+Administrator
+LONDON+Guest
+LONDON+SUPPORT_388945a0
+LONDON+krbtgt
+LONDON+jht
+</pre><p>
+ Good, the list of users was obtained. Now do likewise for group accounts:
+</p><pre class="screen">
+<code class="prompt">root# </code> wbinfo -g
+LONDON+Domain Computers
+LONDON+Domain Controllers
+LONDON+Schema Admins
+LONDON+Enterprise Admins
+LONDON+Domain Admins
+LONDON+Domain Users
+LONDON+Domain Guests
+LONDON+Group Policy Creator Owners
+LONDON+DnsUpdateProxy
+</pre><p>
+ Excellent. That worked also, as expected.
+ </p></li><li><p><a class="indexterm" name="id357541"></a>
+ Now repeat this via NSS to validate that full identity resolution is
+ functional as required. Execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent passwd
+...
+LONDON+Administrator:x:10000:10000:Administrator:
+ /home/LONDON/administrator:/bin/bash
+LONDON+Guest:x:10001:10001:Guest:
+ /home/LONDON/guest:/bin/bash
+LONDON+SUPPORT_388945a0:x:10002:10000:SUPPORT_388945a0:
+ /home/LONDON/support_388945a0:/bin/bash
+LONDON+krbtgt:x:10003:10000:krbtgt:
+ /home/LONDON/krbtgt:/bin/bash
+LONDON+jht:x:10004:10000:John H. Terpstra:
+ /home/LONDON/jht:/bin/bash
+</pre><p>
+ Okay, ADS user accounts are being resolved. Now you try group resolution:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent group
+...
+LONDON+Domain Computers:x:10002:
+LONDON+Domain Controllers:x:10003:
+LONDON+Schema Admins:x:10004:LONDON+Administrator
+LONDON+Enterprise Admins:x:10005:LONDON+Administrator
+LONDON+Domain Admins:x:10006:LONDON+jht,LONDON+Administrator
+LONDON+Domain Users:x:10000:
+LONDON+Domain Guests:x:10001:
+LONDON+Group Policy Creator Owners:x:10007:LONDON+Administrator
+LONDON+DnsUpdateProxy:x:10008:
+</pre><p>
+ This is very pleasing. Everything works as expected.
+ </p></li><li><p>
+ <a class="indexterm" name="id357589"></a>
+ <a class="indexterm" name="id357600"></a>
+ <a class="indexterm" name="id357609"></a>
+ You may now perform final verification that communications between Samba-3 winbind and
+ the Active Directory server is using Kerberos protocols. Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads info
+LDAP server: 192.168.2.123
+LDAP server name: w2k3s
+Realm: LONDON.ABMAS.BIZ
+Bind Path: dc=LONDON,dc=ABMAS,dc=BIZ
+LDAP port: 389
+Server time: Sat, 03 Jan 2004 02:44:44 GMT
+KDC server: 192.168.2.123
+Server time offset: 2
+</pre><p>
+ It should be noted that Kerberos protocols are time-clock critical. You should
+ keep all server time clocks synchronized using the network time protocol (NTP).
+ In any case, the output we obtained confirms that all systems are operational.
+ </p></li><li><p>
+ <a class="indexterm" name="id357639"></a>
+ There is one more action you elect to take, just because you are paranoid and disbelieving,
+ so you execute the following command:
+</p><pre class="programlisting">
+<code class="prompt">root# </code> net ads status -UAdministrator%not24get
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+objectClass: computer
+cn: fran
+distinguishedName: CN=fran,CN=Computers,DC=london,DC=abmas,DC=biz
+instanceType: 4
+whenCreated: 20040103092006.0Z
+whenChanged: 20040103092006.0Z
+uSNCreated: 28713
+uSNChanged: 28717
+name: fran
+objectGUID: 58f89519-c467-49b9-acb0-f099d73696e
+userAccountControl: 69632
+badPwdCount: 0
+codePage: 0
+countryCode: 0
+badPasswordTime: 0
+lastLogoff: 0
+lastLogon: 127175965783327936
+localPolicyFlags: 0
+pwdLastSet: 127175952062598496
+primaryGroupID: 515
+objectSid: S-1-5-21-4052121579-2079768045-1474639452-1109
+accountExpires: 9223372036854775807
+logonCount: 13
+sAMAccountName: fran$
+sAMAccountType: 805306369
+operatingSystem: Samba
+operatingSystemVersion: 3.0.20-SUSE
+dNSHostName: fran
+userPrincipalName: HOST/fran@LONDON.ABMAS.BIZ
+servicePrincipalName: CIFS/fran.london.abmas.biz
+servicePrincipalName: CIFS/fran
+servicePrincipalName: HOST/fran.london.abmas.biz
+servicePrincipalName: HOST/fran
+objectCategory: CN=Computer,CN=Schema,CN=Configuration,
+ DC=london,DC=abmas,DC=biz
+isCriticalSystemObject: FALSE
+-------------- Security Descriptor (revision: 1, type: 0x8c14)
+owner SID: S-1-5-21-4052121579-2079768045-1474639452-512
+group SID: S-1-5-21-4052121579-2079768045-1474639452-513
+------- (system) ACL (revision: 4, size: 120, number of ACEs: 2)
+------- ACE (type: 0x07, flags: 0x5a, size: 0x38,
+ mask: 0x20, object flags: 0x3)
+access SID: S-1-1-0
+access type: AUDIT OBJECT
+Permissions:
+ [Write All Properties]
+------- ACE (type: 0x07, flags: 0x5a, size: 0x38,
+ mask: 0x20, object flags: 0x3)
+access SID: S-1-1-0
+access type: AUDIT OBJECT
+Permissions:
+ [Write All Properties]
+------- (user) ACL (revision: 4, size: 1944, number of ACEs: 40)
+------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
+access SID: S-1-5-21-4052121579-2079768045-1474639452-512
+access type: ALLOWED
+Permissions: [Full Control]
+------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
+access SID: S-1-5-32-548
+...
+------- ACE (type: 0x05, flags: 0x12, size: 0x38,
+ mask: 0x10, object flags: 0x3)
+access SID: S-1-5-9
+access type: ALLOWED OBJECT
+Permissions:
+ [Read All Properties]
+-------------- End Of Security Descriptor
+</pre><p>
+ And now you have conclusive proof that your Samba-3 ADS domain member server
+ called <code class="constant">FRAN</code> is able to communicate fully with the ADS
+ domain controllers.
+ </p></li></ol></div><p>
+ Your Samba-3 ADS domain member server is ready for use. During training sessions,
+ you may be asked what is inside the <code class="filename">winbindd_cache.tdb and winbindd_idmap.tdb</code>
+ files. Since curiosity just took hold of you, execute the following:
+</p><pre class="programlisting">
+<code class="prompt">root# </code> tdbdump /var/lib/samba/winbindd_idmap.tdb
+{
+key = "S-1-5-21-4052121579-2079768045-1474639452-501\00"
+data = "UID 10001\00"
+}
+{
+key = "UID 10005\00"
+data = "S-1-5-21-4052121579-2079768045-1474639452-1111\00"
+}
+{
+key = "GID 10004\00"
+data = "S-1-5-21-4052121579-2079768045-1474639452-518\00"
+}
+{
+key = "S-1-5-21-4052121579-2079768045-1474639452-502\00"
+data = "UID 10003\00"
+}
+...
+
+<code class="prompt">root# </code> tdbdump /var/lib/samba/winbindd_cache.tdb
+{
+key = "UL/LONDON"
+data = "\00\00\00\00bp\00\00\06\00\00\00\0DAdministrator\0D
+ Administrator-S-1-5-21-4052121579-2079768045-1474639452-500-
+ S-1-5-21-4052121579-2079768045-1474639452-513\05Guest\05
+ Guest-S-1-5-21-4052121579-2079768045-1474639452-501-
+ S-1-5-21-4052121579-2079768045-1474639452-514\10
+ SUPPORT_388945a0\10SUPPORT_388945a0.
+ S-1-5-21-4052121579-2079768045-1474639452-1001-
+ S-1-5-21-4052121579-2079768045-1474639452-513\06krbtgt\06
+ krbtgt-S-1-5-21-4052121579-2079768045-1474639452-502-
+ S-1-5-21-4052121579-2079768045-1474639452-513\03jht\10
+ John H. Terpstra.S-1-5-21-4052121579-2079768045-1474639452-1110-
+ S-1-5-21-4052121579-2079768045-1474639452-513"
+}
+{
+key = "GM/S-1-5-21-4052121579-2079768045-1474639452-512"
+data = "\00\00\00\00bp\00\00\02\00\00\00.
+ S-1-5-21-4052121579-2079768045-1474639452-1110\03
+ jht\01\00\00\00-S-1-5-21-4052121579-2079768045-1474639452-500\0D
+ Administrator\01\00\00\00"
+}
+{
+key = "SN/S-1-5-21-4052121579-2079768045-1474639452-513"
+data = "\00\00\00\00xp\00\00\02\00\00\00\0CDomain Users"
+}
+{
+key = "GM/S-1-5-21-4052121579-2079768045-1474639452-518"
+data = "\00\00\00\00bp\00\00\01\00\00\00-
+ S-1-5-21-4052121579-2079768045-1474639452-500\0D
+ Administrator\01\00\00\00"
+}
+{
+key = "SEQNUM/LONDON\00"
+data = "xp\00\00C\92\F6?"
+}
+{
+key = "U/S-1-5-21-4052121579-2079768045-1474639452-1110"
+data = "\00\00\00\00xp\00\00\03jht\10John H. Terpstra.
+ S-1-5-21-4052121579-2079768045-1474639452-1110-
+ S-1-5-21-4052121579-2079768045-1474639452-513"
+}
+{
+key = "NS/S-1-5-21-4052121579-2079768045-1474639452-502"
+data = "\00\00\00\00bp\00\00-
+ S-1-5-21-4052121579-2079768045-1474639452-502"
+}
+{
+key = "SN/S-1-5-21-4052121579-2079768045-1474639452-1001"
+data = "\00\00\00\00bp\00\00\01\00\00\00\10SUPPORT_388945a0"
+}
+{
+key = "SN/S-1-5-21-4052121579-2079768045-1474639452-500"
+data = "\00\00\00\00bp\00\00\01\00\00\00\0DAdministrator"
+}
+{
+key = "U/S-1-5-21-4052121579-2079768045-1474639452-502"
+data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt-
+ S-1-5-21-4052121579-2079768045-1474639452-502-
+ S-1-5-21-4052121579-2079768045-1474639452-513"
+}
+....
+</pre><p>
+ Now all is revealed. Your curiosity, as well as that of your team, has been put at ease.
+ May this server serve well all who happen upon it.
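Review bot: the winbindd_idmap.tdb dump at the top of this region shows the reason the later sections move to idmap_rid or an LDAP idmap backend, but the text never draws the connection: UIDs are handed out in the order SIDs are first looked up (RID 501 got UID 10001, RID 502 got UID 10003, RID 1111 got UID 10005), so the same domain SID lands on a different UID on every member server and the mapping exists only in this host's tdb file. A sentence saying that winbindd_idmap.tdb must be preserved with the system (a lost or rebuilt file reallocates UIDs and leaves existing file ownership pointing at the wrong accounts) would make the following sections easier to motivate. Style: `<code class="filename">winbindd_cache.tdb and winbindd_idmap.tdb</code>` wraps two file names and the word "and" in a single filename element; split it into two.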
+ </p><div class="example"><a name="ch9-adssdm"></a><p class="title"><b>Example 7.7. Samba Domain Member <code class="filename">smb.conf</code> File for Active Directory Membership</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id357811"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id357824"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id357836"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id357849"></a><em class="parameter"><code>server string = Samba 3.0.20</code></em></td></tr><tr><td><a class="indexterm" name="id357862"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id357874"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id357887"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id357899"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id357912"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id357925"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id357937"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id357950"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id357962"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" 
name="id357975"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id357987"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id358000"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id358013"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id358025"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id358047"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id358059"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id358072"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id358084"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id358106"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id358118"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id358131"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id358144"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id358156"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id358178"></a><em class="parameter"><code>comment = Printer 
Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id358190"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id358203"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id358216"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id358229"></a>IDMAP_RID with Winbind</h4></div></div></div><p>
+ <a class="indexterm" name="id358237"></a>
+ <a class="indexterm" name="id358244"></a>
+ <a class="indexterm" name="id358250"></a>
+ <a class="indexterm" name="id358257"></a>
+ The <code class="literal">idmap_rid</code> facility is a new tool that, unlike native winbind, creates a
+ predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method
+ of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data
+ in a central place. The downside is that it can be used only within a single ADS domain and
+ is not compatible with trusted domain implementations.
+ </p><p>
+ <a class="indexterm" name="id358276"></a>
+ <a class="indexterm" name="id358283"></a>
+ <a class="indexterm" name="id358290"></a>
+ <a class="indexterm" name="id358297"></a>
+ This alternate method of SID to UID/GID mapping can be achieved with the idmap_rid
+ plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the
+ RID to a base value specified. This utility requires that the parameter
+ &#8220;<span class="quote">allow trusted domains = No</span>&#8221; must be specified, as it is not compatible
+ with multiple domain environments. The <em class="parameter"><code>idmap uid</code></em> and
+ <em class="parameter"><code>idmap gid</code></em> ranges must be specified.
+ </p><p>
+ <a class="indexterm" name="id358326"></a>
+ <a class="indexterm" name="id358333"></a>
+ The idmap_rid facility can be used both for NT4/Samba-style domains as well as with Active Directory.
+ To use this with an NT4 domain, the <em class="parameter"><code>realm</code></em> is not used. Additionally the
+ method used to join the domain uses the <code class="constant">net rpc join</code> process.
+ </p><p>
+ An example <code class="filename">smb.conf</code> file for an ADS domain environment is shown in <a href="unixclients.html#sbe-idmapridex" title="Example 7.8. Example smb.conf File Using idmap_rid">???</a>.
+ </p><div class="example"><a name="sbe-idmapridex"></a><p class="title"><b>Example 7.8. Example <code class="filename">smb.conf</code> File Using <code class="constant">idmap_rid</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id358404"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id358417"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id358429"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id358442"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id358455"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id358467"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id358480"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id358493"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id358505"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id358518"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id358531"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id358543"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id358556"></a><em class="parameter"><code>winbind enum groups = 
No</code></em></td></tr><tr><td><a class="indexterm" name="id358569"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id358581"></a><em class="parameter"><code>printer admin = "KPAK\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
+ <a class="indexterm" name="id358597"></a>
+ <a class="indexterm" name="id358604"></a>
+ <a class="indexterm" name="id358611"></a>
+ <a class="indexterm" name="id358618"></a>
+ In a large domain with many users, it is imperative to disable enumeration of users and groups.
+ For example, at a site that has 22,000 users in Active Directory the winbind-based user and
+ group resolution is unavailable for nearly 12 minutes following first start-up of
+ <code class="literal">winbind</code>. Disabling of such enumeration results in instantaneous response.
+ The disabling of user and group enumeration means that it will not be possible to list users
+ or groups using the <code class="literal">getent passwd</code> and <code class="literal">getent group</code>
+ commands. It will be possible to perform the lookup for individual users, as shown in the procedure
+ below.
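Review bot: the idmap_rid range in Example 7.8 (`idmap backend = idmap_rid:KPAK=500-100000000` with `idmap uid = 500-100000000`) starts at 500, so it overlaps the ID space of local accounts: with that base the domain Administrator (RID 500) becomes UID 1000 and Domain Users (RID 513) becomes GID 1013, which is exactly what the `getent passwd administrator` output in the procedure below prints, and 1000 is the UID many distributions give the first locally created user. The kernel sees only the number, so a local user created with UID 1000 and the domain Administrator would be the same principal for file permissions, and with `passwd: files winbind` a lookup of UID 1000 would show the local name. Suggest starting the range well above local accounts, as Examples 7.9 and 7.10 do with `150000-550000`, and stating in the text that the low end of the range must not collide with local IDs. Two smaller points in this region: the reference to Example 7.8 renders as `???`, so the xref label was not resolved when the HTML was built (the same happens for every xref on this page), and `allow trusted domains = No` is set in typographic quotes rather than the `<em class="parameter">` markup used for `idmap uid` in the same sentence.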
+ </p><p>
+ <a class="indexterm" name="id358651"></a>
+ <a class="indexterm" name="id358657"></a>
+ The use of this tool requires configuration of NSS as per the native use of winbind. Edit the
+ <code class="filename">/etc/nsswitch.conf</code> so it has the following parameters:
+</p><pre class="screen">
+...
+passwd: files winbind
+shadow: files winbind
+group: files winbind
+...
+hosts: files wins
+...
+</pre><p>
+ </p><p>
+ The following procedure can be used to utilize the idmap_rid facility:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Create or install and <code class="filename">smb.conf</code> file with the above configuration.
+ </p></li><li><p>
+ Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
+ </p></li><li><p>
+ Execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads join -UAdministrator%password
+Using short domain name -- KPAK
+Joined 'BIGJOE' to realm 'CORP.KPAK.COM'
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id358732"></a>
+ An invalid or failed join can be detected by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads testjoin
+BIGJOE$@'s password:
+[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
+ ads_connect: No results returned
+Join to domain is not valid
+</pre><p>
+ The specific error message may differ from the above because it depends on the type of failure that
+ may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the above test,
+ and then examine the log files produced to identify the nature of the failure.
+ </p></li><li><p>
+ Start the <code class="literal">nmbd</code>, <code class="literal">winbind,</code> and <code class="literal">smbd</code> daemons in the order shown.
+ </p></li><li><p>
+ Validate the operation of this configuration by executing:
+ <a class="indexterm" name="id358794"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> getent passwd administrator
+administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
+</pre><p>
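Review bot: step 3 of the idmap_rid procedure passes the domain administrator password on the command line (`net ads join -UAdministrator%password`), where it is visible to every local user in `ps` output and is written to the root shell history; suggest `net ads join -UAdministrator` and letting `net` prompt, or at least a sentence saying the `%password` form should not be used on shared systems. The validation output in step 5 does not match the example it validates: the home directory `/home/BE/administrator` belongs to a domain called BE, while Example 7.8 joins KPAK, so with the default `template homedir` it should read `/home/KPAK/administrator`. Step 4 names the daemon `winbind`; the binary is `winbindd`.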
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id358814"></a>IDMAP Storage in LDAP using Winbind</h4></div></div></div><p>
+ <a class="indexterm" name="id358822"></a>
+ <a class="indexterm" name="id358829"></a>
+ The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains as well as
+ with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards-compliant
+ LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using
+ the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, and so on.
+ </p><p>
+ The example in <a href="unixclients.html#sbeunxa" title="Example 7.9. Typical ADS Style Domain smb.conf File">???</a> is for an ADS-style domain.
+ </p><div class="example"><a name="sbeunxa"></a><p class="title"><b>Example 7.9. Typical ADS Style Domain <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id358883"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id358896"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id358908"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id358921"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id358934"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id358946"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id358959"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id358972"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id358984"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id358997"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id359010"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id359022"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id359035"></a><em class="parameter"><code>template shell = 
/bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id359048"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
+ <a class="indexterm" name="id359064"></a>
+ In the case of an NT4 or Samba-3-style domain the <em class="parameter"><code>realm</code></em> is not used, and the
+ command used to join the domain is <code class="literal">net rpc join</code>. The above example also demonstrates
+ advanced error reporting techniques that are documented in the chapter called "Reporting Bugs" in
+ &#8220;<span class="quote">The Official Samba-3 HOWTO and Reference Guide, Second Edition</span>&#8221; (TOSHARG2).
+ </p><p>
+ <a class="indexterm" name="id359092"></a>
+ <a class="indexterm" name="id359099"></a>
+ <a class="indexterm" name="id359106"></a>
+ Where MIT kerberos is installed (version 1.3.4 or later), edit the <code class="filename">/etc/krb5.conf</code>
+ file so it has the following contents:
+</p><pre class="screen">
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = SNOWSHOW.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = true
+
+[appdefaults]
+ pam = {
+ debug = false
+ ticket_lifetime = 36000
+ renew_lifetime = 36000
+ forwardable = true
+ krb4_convert = false
+ }
+</pre><p>
+ </p><p>
+ Where Heimdal kerberos is installed, edit the <code class="filename">/etc/krb5.conf</code>
+ file so it is either empty (i.e., no contents) or it has the following contents:
+</p><pre class="screen">
+[libdefaults]
+ default_realm = SNOWSHOW.COM
+ clockskew = 300
+
+[realms]
+ SNOWSHOW.COM = {
+ kdc = ADSDC.SHOWSHOW.COM
+ }
+
+[domain_realm]
+ .snowshow.com = SNOWSHOW.COM
+</pre><p>
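Review bot: the Heimdal `krb5.conf` sample has `kdc = ADSDC.SHOWSHOW.COM` inside the `SNOWSHOW.COM` realm block; SHOWSHOW is a typo for SNOWSHOW, and as written the KDC address will not resolve unless DNS happens to carry that name. Since the note that follows says an empty file is enough with Heimdal, an explicit `[realms]` entry only adds value if its hostname is right; correct it to `ADSDC.SNOWSHOW.COM`.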
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ Samba cannot use the Heimdal libraries if there is no <code class="filename">/etc/krb5.conf</code> file.
+ So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no
+ need to specify any settings because Samba, using the Heimdal libraries, can figure this out automatically.
+ </p></div><p>
+ Edit the NSS control file <code class="filename">/etc/nsswitch.conf</code> so it has the following entries:
+</p><pre class="screen">
+...
+passwd: files ldap
+shadow: files ldap
+group: files ldap
+...
+hosts: files wins
+...
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id359178"></a>
+ <a class="indexterm" name="id359185"></a>
+ You will need the <a href="http://www.padl.com" target="_top">PADL</a> <code class="literal">nss_ldap</code>
+ tool set for this solution. Configure the <code class="filename">/etc/ldap.conf</code> file so it has
+ the information needed. The following is an example of a working file:
+</p><pre class="screen">
+host 192.168.2.1
+base dc=snowshow,dc=com
+binddn cn=Manager,dc=snowshow,dc=com
+bindpw not24get
+
+pam_password exop
+
+nss_base_passwd ou=People,dc=snowshow,dc=com?one
+nss_base_shadow ou=People,dc=snowshow,dc=com?one
+nss_base_group ou=Groups,dc=snowshow,dc=com?one
+ssl no
+</pre><p>
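Review bot: the `/etc/ldap.conf` sample binds nss_ldap as the directory manager (`binddn cn=Manager,dc=snowshow,dc=com` with `bindpw not24get`) over a cleartext connection (`ssl no`). nss_ldap reads this file from every process that performs a name lookup, so the file has to be world-readable, which hands the rootdn password to every local user, and each lookup then sends that password unencrypted to 192.168.2.1. Suggest a read-only proxy DN (or an anonymous bind, since the People and Groups subtrees shown carry no secrets), keeping any privileged credential in root-only `/etc/ldap.secret` via `rootbinddn`, and `ssl start_tls`. The same rootdn is used as `ldap admin dn` in Example 7.9; Samba only needs write access to `ou=Idmap`, so a DN limited to that subtree would do, and `smbpasswd -w` at least keeps that secret in the root-only `secrets.tdb`.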
+ </p><p>
+ The following procedure may be followed to affect a working configuration:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Configure the <code class="filename">smb.conf</code> file as shown above.
+ </p></li><li><p>
+ Create the <code class="filename">/etc/krb5.conf</code> file following the indications above.
+ </p></li><li><p>
+ Configure the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
+ </p></li><li><p>
+ Download, build, and install the PADL nss_ldap tool set. Configure the
+ <code class="filename">/etc/ldap.conf</code> file as shown above.
+ </p></li><li><p>
+ Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP
+ as shown in the following LDIF file:
+</p><pre class="screen">
+dn: dc=snowshow,dc=com
+objectClass: dcObject
+objectClass: organization
+dc: snowshow
+o: The Greatest Snow Show in Singapore.
+description: Posix and Samba LDAP Identity Database
+
+dn: cn=Manager,dc=snowshow,dc=com
+objectClass: organizationalRole
+cn: Manager
+description: Directory Manager
+
+dn: ou=Idmap,dc=snowshow,dc=com
+objectClass: organizationalUnit
+ou: idmap
+</pre><p>
+ </p></li><li><p>
+ Execute the command to join the Samba domain member server to the ADS domain as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads testjoin
+Using short domain name -- SNOWSHOW
+Joined 'GOODELF' to realm 'SNOWSHOW.COM'
+</pre><p>
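Review bot: step 6 says it joins the server to the ADS domain but runs `net ads testjoin`, which only verifies an existing join and never creates the machine account; the output shown (`Joined 'GOODELF' to realm 'SNOWSHOW.COM'`) is what `net ads join -UAdministrator` prints, so that is the command the step should show. Minor: "to affect a working configuration" in the lead-in to this procedure should be "to effect".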
+ </p></li><li><p>
+ Store the LDAP server access password in the Samba <code class="filename">secrets.tdb</code> file as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -w not24get
+</pre><p>
+ </p></li><li><p>
+ Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
+ </p></li></ol></div><p>
+ <a class="indexterm" name="id359368"></a>
+ Follow the diagnostic procedures shown earlier in this chapter to identify success or failure of the join.
+ In many cases a failure is indicated by a silent return to the command prompt with no indication of the
+ reason for failure.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id359380"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h4></div></div></div><p>
+ <a class="indexterm" name="id359388"></a>
+ <a class="indexterm" name="id359395"></a>
+ The use of this method is messy. The information provided in this section is for guidance only
+ and is very definitely not complete. This method does work; it is used in a number of large sites
+ and has an acceptable level of performance.
+ </p><p>
+ An example <code class="filename">smb.conf</code> file is shown in <a href="unixclients.html#sbewinbindex" title="Example 7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File">???</a>.
+ </p><div class="example"><a name="sbewinbindex"></a><p class="title"><b>Example 7.10. ADS Membership Using RFC2307bis Identity Resolution <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id359454"></a><em class="parameter"><code>workgroup = BUBBAH</code></em></td></tr><tr><td><a class="indexterm" name="id359466"></a><em class="parameter"><code>netbios name = MADMAX</code></em></td></tr><tr><td><a class="indexterm" name="id359479"></a><em class="parameter"><code>realm = BUBBAH.COM</code></em></td></tr><tr><td><a class="indexterm" name="id359491"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id359504"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id359516"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id359529"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id359542"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id359554"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id359567"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id359580"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
+ <a class="indexterm" name="id359596"></a>
+ The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
+ to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the
+ following:
+</p><pre class="screen">
+./configure --enable-rfc2307bis --enable-schema-mapping
+make install
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id359614"></a>
+ The following <code class="filename">/etc/nsswitch.conf</code> file contents are required:
+</p><pre class="screen">
+...
+passwd: files ldap
+shadow: files ldap
+group: files ldap
+...
+hosts: files wins
+...
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id359637"></a>
+ <a class="indexterm" name="id359644"></a>
+ The <code class="filename">/etc/ldap.conf</code> file must be configured also. Refer to the PADL documentation
+ and source code for nss_ldap instructions.
+ </p><p>
+ The next step involves preparation on the ADS schema. This is briefly discussed in the remaining
+ part of this chapter.
+ </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id359663"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h5></div></div></div><p>
+ <a class="indexterm" name="id359671"></a>
+ The Microsoft Windows Service for UNIX version 3.5 is available for free
+ <a href="http://www.microsoft.com/windows/sfu/" target="_top">download</a>
+ from the Microsoft Web site. You will need to download this tool and install it following
+ Microsoft instructions.
+ </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id359688"></a>IDMAP, Active Directory, and AD4UNIX</h5></div></div></div><p>
+ Instructions for obtaining and installing the AD4UNIX tool set can be found from the
+ <a href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top">
+ Geekcomix</a> Web site.
+ </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id359708"></a>UNIX/Linux Client Domain Member</h3></div></div></div><p><a class="indexterm" name="id359715"></a>
+ So far this chapter has been mainly concerned with the provision of file and print
+ services for domain member servers. However, an increasing number of UNIX/Linux
+ workstations are being installed that do not act as file or print servers to anyone
+ other than a single desktop user. The key demand for desktop systems is to be able
+ to log onto any UNIX/Linux or Windows desktop using the same network user credentials.
+ </p><p><a class="indexterm" name="id359730"></a>
+ The ability to use a common set of user credential across a variety of network systems
+ is generally regarded as a single sign-on (SSO) solution. SSO systems are sold by a
+ large number of vendors and include a range of technologies such as:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Proxy sign-on
+ </p></li><li><p>
+ Federated directory provisioning
+ </p></li><li><p>
+ Metadirectory server solutions
+ </p></li><li><p>
+ Replacement authentication systems
+ </p></li></ul></div><p><a class="indexterm" name="id359768"></a>
+ There are really four solutions that provide integrated authentication and
+ user identity management facilities:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Samba winbind (free). Samba-3.0.20 introduced a complete replacement for Winbind that now
+ provides a greater level of scalability in large ADS environments.
+ </p></li><li><p>
+ <a href="http://www.padl.com" target="_top">PADL</a> PAM and LDAP tools (free).
+ </p></li><li><p>
+ <a href="http://www.vintela.com" target="_top">Vintela</a> Authentication Services (commercial).
+ </p></li><li><p>
+ <a href="http://www.centrify.com" target="_top">Centrify</a> DirectControl (commercial).
+ Centrify's commercial product allows UNIX and Linux systems to use Active Directory
+ security, directory and policy services. Enhancements include a centralized ID mapping that
+ allows Samba, DirectControl and Active Directory to seamlessly work together.
+ </p></li></ul></div><p>
+ The following guidelines are pertinent to the deployment of winbind-based authentication
+ and identity resolution with the express purpose of allowing users to log on to UNIX/Linux desktops
+ using Windows network domain user credentials (username and password).
+ </p><p>
+ You should note that it is possible to use LDAP-based PAM and NSS tools to permit distributed
+ systems logons (SSO), providing user and group accounts are stored in an LDAP directory. This
+ provides logon services for UNIX/Linux users, while Windows users obtain their sign-on
+ support via Samba-3.
+ </p><p>
+ <a class="indexterm" name="id359836"></a>
+ On the other hand, if the authentication and identity resolution backend must be provided by
+ a Windows NT4-style domain or from an Active Directory Domain that does not have the Microsoft
+ Windows Services for UNIX installed, winbind is your best friend. Specific guidance for these
+ situations now follows.
+ </p><p>
+ <a class="indexterm" name="id359851"></a>
+ <a class="indexterm" name="id359857"></a>
+ <a class="indexterm" name="id359864"></a>
+ To permit users to log on to a Linux system using Windows network credentials, you need to
+ configure identity resolution (NSS) and PAM. This means that the basic steps include those
+ outlined above with the addition of PAM configuration. Given that most workstations (desktop/client)
+ usually do not need to provide file and print services to a group of users, the configuration
+ of shares and printers is generally less important. Often this allows the share specifications
+ to be entirely removed from the <code class="filename">smb.conf</code> file. That is obviously an administrator decision.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id359882"></a>NT4 Domain Member</h4></div></div></div><p>
+ The following steps provide a Linux system that users can log onto using
+ Windows NT4 (or Samba-3) domain network credentials:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Follow the steps outlined in <a href="unixclients.html#wdcsdm" title="NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind">???</a> and ensure that
+ all validation tests function as shown.
+ </p></li><li><p>
+ Identify what services users must log on to. On Red Hat Linux, if it is
+ intended that the user shall be given access to all services, it may be
+ most expeditious to simply configure the file
+ <code class="filename">/etc/pam.d/system-auth</code>.
+ </p></li><li><p>
+ Carefully make a backup copy of all PAM configuration files before you
+ begin making changes. If you break the PAM configuration, please note
+ that you may need to use an emergency boot process to recover your Linux
+ system. It is possible to break the ability to log into the system if
+ PAM files are incorrectly configured. The entire directory
+ <code class="filename">/etc/pam.d</code> should be backed up to a safe location.
+ </p></li><li><p>
+ If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code>
+ so it matches <a href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">???</a>.
+ </p></li><li><p>
+ To provide the ability to log onto the graphical desktop interface, you must edit
+ the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the
+ <code class="filename">/etc/pam.d</code> directory.
+ </p></li><li><p>
+ Edit only one file at a time. Carefully validate its operation before attempting
+ to reboot the machine.
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id359994"></a>ADS Domain Member</h4></div></div></div><p>
+ This procedure should be followed to permit a Linux network client (workstation/desktop)
+ to permit users to log on using Microsoft Active Directory-based user credentials.
+ </p><div class="procedure"><ol type="1"><li><p>
+ Follow the steps outlined in <a href="unixclients.html#adssdm" title="Active Directory Domain with Samba Domain Member Server">???</a> and ensure that
+ all validation tests function as shown.
+ </p></li><li><p>
+ Identify what services users must log on to. On Red Hat Linux, if it is
+ intended that the user shall be given access to all services, it may be
+ most expeditious to simply configure the file
+ <code class="filename">/etc/pam.d/system-auth</code> as shown in <a href="unixclients.html#ch9-rhsysauth" title="Example 7.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind">???</a>.
+ </p></li><li><p>
+ Carefully make a backup copy of all PAM configuration files before you
+ begin making changes. If you break the PAM configuration, please note
+ that you may need to use an emergency boot process to recover your Linux
+ system. It is possible to break the ability to log into the system if
+ PAM files are incorrectly configured. The entire directory
+ <code class="filename">/etc/pam.d</code> should be backed up to a safe location.
+ </p></li><li><p>
+ If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code>
+ so it matches <a href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">???</a>.
+ </p></li><li><p>
+ To provide the ability to log onto the graphical desktop interface, you must edit
+ the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the
+ <code class="filename">/etc/pam.d</code> directory.
+ </p></li><li><p>
+ Edit only one file at a time. Carefully validate its operation before attempting
+ to reboot the machine.
+ </p></li></ol></div></div><div class="example"><a name="ch9-pamwnbdlogin"></a><p class="title"><b>Example 7.11. SUSE: PAM <code class="filename">login</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen">
+# /etc/pam.d/login
+
+#%PAM-1.0
+auth sufficient pam_unix2.so nullok
+auth sufficient pam_winbind.so use_first_pass use_authtok
+auth required pam_securetty.so
+auth required pam_nologin.so
+auth required pam_env.so
+auth required pam_mail.so
+account sufficient pam_unix2.so
+account sufficient pam_winbind.so user_first_pass use_authtok
+password required pam_pwcheck.so nullok
+password sufficient pam_unix2.so nullok use_first_pass use_authtok
+password sufficient pam_winbind.so use_first_pass use_authtok
+session sufficient pam_unix2.so none
+session sufficient pam_winbind.so use_first_pass use_authtok
+session required pam_limits.so
+</pre></div></div><br class="example-break"><div class="example"><a name="ch9-pamwbndxdm"></a><p class="title"><b>Example 7.12. SUSE: PAM <code class="filename">xdm</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen">
+# /etc/pam.d/gdm (/etc/pam.d/xdm)
+
+#%PAM-1.0
+auth sufficient pam_unix2.so nullok
+auth sufficient pam_winbind.so use_first_pass use_authtok
+account sufficient pam_unix2.so
+account sufficient pam_winbind.so use_first_pass use_authtok
+password sufficient pam_unix2.so
+password sufficient pam_winbind.so use_first_pass use_authtok
+session sufficient pam_unix2.so
+session sufficient pam_winbind.so use_first_pass use_authtok
+session required pam_dev perm.so
+session required pam_resmgr.so
+</pre></div></div><br class="example-break"><div class="example"><a name="ch9-rhsysauth"></a><p class="title"><b>Example 7.13. Red Hat 9: PAM System Authentication File: <code class="filename">/etc/pam.d/system-auth</code> Module Using Winbind</b></p><div class="example-contents"><pre class="screen">
+#%PAM-1.0
+auth required /lib/security/$ISA/pam_env.so
+auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
+auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
+auth required /lib/security/$ISA/pam_deny.so
+
+account required /lib/security/$ISA/pam_unix.so
+account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
+
+password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
+# Note: The above line is complete. There is nothing following the '='
+password sufficient /lib/security/$ISA/pam_unix.so \
+ nullok use_authtok md5 shadow
+password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
+password required /lib/security/$ISA/pam_deny.so
+
+session required /lib/security/$ISA/pam_limits.so
+session sufficient /lib/security/$ISA/pam_unix.so
+session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
+</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id360196"></a>Key Points Learned</h3></div></div></div><p>
+ The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you
+ learned how to integrate such servers so that the UID/GID mappings they use can be consistent
+ across all domain member servers. You also discovered how to implement the ability to use Samba
+ or Windows domain account credentials to log on to a UNIX/Linux client.
+ </p><p>
+ The following are key points made in this chapter:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Domain controllers are always authoritative for the domain.
+ </p></li><li><p>
+ Domain members may have local accounts and must be able to resolve the identity of
+ domain user accounts. Domain user account identity must map to a local UID/GID. That
+ local UID/GID can be stored in LDAP. This way, it is possible to share the IDMAP data
+ across all domain member machines.
+ </p></li><li><p>
+ Resolution of user and group identities on domain member machines may be implemented
+ using direct LDAP services or using winbind.
+ </p></li><li><p>
+ On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for identity management
+ and PAM is responsible for authentication of logon credentials (username and password).
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id360240"></a>Questions and Answers</h2></div></div></div><p>
+ The following questions were obtained from the mailing list and also from private discussions
+ with Windows network administrators.
+ </p><div class="qandaset"><dl><dt> <a href="unixclients.html#id360257">
+ We use NIS for all UNIX accounts. Why do we need winbind?
+ </a></dt><dt> <a href="unixclients.html#id360364">
+ Our IT management people do not like LDAP but are looking at Microsoft Active Directory.
+ Which is better?
+ </a></dt><dt> <a href="unixclients.html#id360438">
+ We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible
+ to use NIS in place of LDAP?
+ </a></dt><dt> <a href="unixclients.html#id360545">
+ Are you suggesting that users should not log on to a domain member server? If so, why?
+ </a></dt><dt> <a href="unixclients.html#id360654">
+ We want to ensure that only users from our own domain plus from trusted domains can use our
+ Samba servers. In the smb.conf file on all servers, we have enabled the winbind
+ trusted domains only parameter. We now find that users from trusted domains
+ cannot access our servers, and users from Windows clients that are not domain members
+ can also access our servers. Is this a Samba bug?
+ </a></dt><dt> <a href="unixclients.html#id360818">
+ What are the benefits of using LDAP for my domain member servers?
+ </a></dt><dt> <a href="unixclients.html#id360993">
+ Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into
+ my DNS configuration?
+ </a></dt><dt> <a href="unixclients.html#id361141">
+ Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we
+ use Samba-3 with that configuration?
+ </a></dt><dt> <a href="unixclients.html#id361158">
+ When I tried to execute net ads join, I got no output. It did not work, so
+ I think that it failed. I then executed net rpc join and that worked fine.
+ That is okay, isn't it?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id360257"></a><a name="id360259"></a></td><td align="left" valign="top"><p>
+ We use NIS for all UNIX accounts. Why do we need winbind?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id360270"></a>
+ <a class="indexterm" name="id360277"></a>
+ <a class="indexterm" name="id360284"></a>
+ <a class="indexterm" name="id360290"></a>
+ <a class="indexterm" name="id360297"></a>
+ <a class="indexterm" name="id360304"></a>
+ You can use NIS for your UNIX accounts. NIS does not store the Windows encrypted
+ passwords that need to be stored in one of the acceptable passdb backends.
+ Your choice of backend is limited to <em class="parameter"><code>smbpasswd</code></em> or
+ <em class="parameter"><code>tdbsam</code></em>. Winbind is needed to handle the resolution of
+ SIDs from trusted domains to local UID/GID values.
+ </p><p>
+ <a class="indexterm" name="id360328"></a>
+ <a class="indexterm" name="id360335"></a>
+ On a domain member server, you effectively map Windows domain users to local users
+ that are in your NIS database by specifying the <em class="parameter"><code>winbind trusted domains
+ only</code></em>. This causes user and group account lookups to be routed via
+ the <code class="literal">getpwnam()</code> family of systems calls. On an NIS-enabled client,
+ this pushes the resolution of users and groups out through NIS.
+ </p><p>
+ As a general rule, it is always a good idea to run winbind on all Samba servers.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360364"></a><a name="id360366"></a></td><td align="left" valign="top"><p>
+ Our IT management people do not like LDAP but are looking at Microsoft Active Directory.
+ Which is better?<a class="indexterm" name="id360372"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id360386"></a><a class="indexterm" name="id360397"></a><a class="indexterm" name="id360405"></a>
+ Microsoft Active Directory is an LDAP server that is intricately tied to a Kerberos
+ infrastructure. Most IT managers who object to LDAP do so because
+ an LDAP server is most often supplied as a raw tool that needs to be configured and
+ for which the administrator must create the schema, create the administration tools, and
+ devise the backup and recovery facilities in a site-dependent manner. LDAP servers
+ in general are seen as a high-energy, high-risk facility.
+ </p><p><a class="indexterm" name="id360420"></a>
+ Microsoft Active Directory by comparison is easy to install and configure and
+ is supplied with all tools necessary to implement and manage the directory. For sites
+ that lack a lot of technical competence, Active Directory is a good choice. For sites
+ that have the technical competence to handle Active Directory well, LDAP is a good
+ alternative. The real issue is, What type of solution does
+ the site want? If management wants a choice to use an alternative, they may want to
+ consider the options. On the other hand, if management just wants a solution that works,
+ Microsoft Active Directory is a good solution.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360438"></a><a name="id360440"></a></td><td align="left" valign="top"><p>
+ We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible
+ to use NIS in place of LDAP?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id360451"></a><a class="indexterm" name="id360458"></a><a class="indexterm" name="id360466"></a><a class="indexterm" name="id360474"></a><a class="indexterm" name="id360482"></a><a class="indexterm" name="id360490"></a><a class="indexterm" name="id360497"></a>
+ Yes, it is possible to use NIS in place of LDAP, but there may be problems with keeping
+ the Windows (SMB) encrypted passwords database correctly synchronized across the entire
+ network. Workstations (Windows client machines) periodically change their domain
+ membership secure account password. How can you keep changes that are on remote BDCs
+ synchronized on the PDC?
+ </p><p><a class="indexterm" name="id360515"></a><a class="indexterm" name="id360523"></a><a class="indexterm" name="id360530"></a>
+ LDAP is a more elegant solution because it permits centralized storage and management
+ of all network identities (user, group, and machine accounts) together with all information
+ Samba needs to provide to network clients and their users.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360545"></a><a name="id360547"></a></td><td align="left" valign="top"><p>
+ Are you suggesting that users should not log on to a domain member server? If so, why?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id360557"></a><a class="indexterm" name="id360565"></a><a class="indexterm" name="id360577"></a>
+ Many UNIX administrators mock the model that the personal computer industry has adopted
+ as normative since the early days of Novell NetWare. The old
+ perception of the necessity to keep users off file and print servers was a result of
+ fears concerning the security and integrity of data. It was a simple and generally
+ effective measure to keep users away from servers, except through mapped drives.
+ </p><p><a class="indexterm" name="id360591"></a><a class="indexterm" name="id360599"></a><a class="indexterm" name="id360607"></a><a class="indexterm" name="id360615"></a><a class="indexterm" name="id360623"></a>
+ UNIX administrators are fully correct in asserting that UNIX servers and workstations
+ are identical in terms of the software that is installed. They correctly assert that
+ in a well-secured environment it is safe to store files on a system that has hundreds
+ of users. But all network administrators must factor into the decision to allow or
+ reject general user logins to a UNIX system that is principally a file and print
+ server the risk to operations through simple user errors.
+ Only then can one begin to appraise the best strategy and adopt a site-specific
+ policy that best protects the needs of users and of the organization alike.
+ </p><p><a class="indexterm" name="id360639"></a>
+ From experience, it is my recommendation to keep general system-level logins to a
+ practical minimum and to eliminate them if possible. This should not be taken as a
+ hard rule, though. The better question is, what works best for the site?
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360654"></a><a name="id360656"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id360659"></a><a class="indexterm" name="id360667"></a><a class="indexterm" name="id360678"></a><a class="indexterm" name="id360686"></a>
+ We want to ensure that only users from our own domain plus from trusted domains can use our
+ Samba servers. In the <code class="filename">smb.conf</code> file on all servers, we have enabled the <em class="parameter"><code>winbind
+ trusted domains only</code></em> parameter. We now find that users from trusted domains
+ cannot access our servers, and users from Windows clients that are not domain members
+ can also access our servers. Is this a Samba bug?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id360715"></a><a class="indexterm" name="id360723"></a><a class="indexterm" name="id360731"></a><a class="indexterm" name="id360739"></a><a class="indexterm" name="id360747"></a><a class="indexterm" name="id360754"></a>
+ The manual page for this <em class="parameter"><code>winbind trusted domains only</code></em> parameter says,
+ &#8220;<span class="quote">This parameter is designed to allow Samba servers that are members of a Samba-controlled
+ domain to use UNIX accounts distributed vi NIS, rsync, or LDAP as the UIDs for winbindd users
+ in the hosts primary domain. Therefore, the user <code class="constant">SAMBA\user1</code> would be
+ mapped to the account <code class="constant">user1</code> in <code class="filename">/etc/passwd</code> instead
+ of allocating a new UID for him or her.</span>&#8221; This clearly suggests that you are trying
+ to use this parameter inappropriately.
+ </p><p><a class="indexterm" name="id360792"></a>
+ A far better solution is to use the <em class="parameter"><code>valid users</code></em> by specifying
+ precisely the domain users and groups that should be permitted access to the shares. You could,
+ for example, set the following parameters:
+</p><pre class="screen">
+[demoshare]
+ path = /export/demodata
+ valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"
+</pre><p>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360818"></a><a name="id360820"></a></td><td align="left" valign="top"><p>
+ What are the benefits of using LDAP for my domain member servers?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id360831"></a><a class="indexterm" name="id360838"></a><a class="indexterm" name="id360846"></a><a class="indexterm" name="id360854"></a><a class="indexterm" name="id360862"></a><a class="indexterm" name="id360869"></a><a class="indexterm" name="id360877"></a><a class="indexterm" name="id360885"></a><a class="indexterm" name="id360893"></a>
+ The key benefit of using LDAP is that the UID of all users and the GID of all groups
+ are globally consistent on domain controllers as well as on domain member servers.
+ This means that it is possible to copy/replicate files across servers without
+ loss of identity.
+ </p><p><a class="indexterm" name="id360906"></a><a class="indexterm" name="id360914"></a><a class="indexterm" name="id360922"></a><a class="indexterm" name="id360930"></a><a class="indexterm" name="id360938"></a><a class="indexterm" name="id360946"></a><a class="indexterm" name="id360957"></a><a class="indexterm" name="id360965"></a>
+ When use is made of account identity resolution via winbind, even when an IDMAP backend
+ is stored in LDAP, the UID/GID on domain member servers is consistent, but differs
+ from the ID that the user/group has on domain controllers. The winbind allocated UID/GID
+ that is stored in LDAP (or locally) will be in the numeric range specified in the <em class="parameter"><code>
+ idmap uid/gid</code></em> in the <code class="filename">smb.conf</code> file. On domain controllers, the UID/GID is
+ that of the POSIX value assigned in the LDAP directory as part of the POSIX account information.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id360993"></a><a name="id360995"></a></td><td align="left" valign="top"><p>
+ Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into
+ my DNS configuration?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id361006"></a><a class="indexterm" name="id361017"></a><a class="indexterm" name="id361028"></a><a class="indexterm" name="id361036"></a><a class="indexterm" name="id361044"></a><a class="indexterm" name="id361052"></a><a class="indexterm" name="id361059"></a>
+ Samba depends on correctly functioning resolution of hostnames to their IP address. Samba
+ makes no direct DNS lookup calls, but rather redirects all name-to-address calls via the
+ <code class="literal">getXXXbyXXX()</code> function calls. The configuration of the <code class="constant">hosts</code>
+ entry in the NSS <code class="filename">/etc/nsswitch.conf</code> file determines how the underlying
+ resolution process is implemented. If the <code class="constant">hosts</code> entry in your NSS
+ control file says:
+</p><pre class="screen">
+hosts: files dns wins
+</pre><p>
+ this means that a hostname lookup first tries the <code class="filename">/etc/hosts</code>.
+ If this fails to resolve, it attempts a DNS lookup, and if that fails, it tries a
+ WINS lookup.
+ </p><p><a class="indexterm" name="id361109"></a><a class="indexterm" name="id361117"></a><a class="indexterm" name="id361125"></a>
+ The addition of the WINS-based name lookup makes sense only if NetBIOS over TCP/IP has
+ been enabled on all Windows clients. Where NetBIOS over TCP/IP has been disabled, DNS
+ is the preferred name resolution technology. This usually makes most sense when Samba
+ is a client of an Active Directory domain, where NetBIOS use has been disabled. In this
+ case, the Windows 200x autoregisters all locator records it needs with its own DNS
+ server or servers.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id361141"></a><a name="id361143"></a></td><td align="left" valign="top"><p>
+ Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we
+ use Samba-3 with that configuration?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+ Yes.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id361158"></a><a name="id361161"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id361164"></a><a class="indexterm" name="id361178"></a>
+ When I tried to execute net ads join, I got no output. It did not work, so
+ I think that it failed. I then executed net rpc join and that worked fine.
+ That is okay, isn't it?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id361200"></a><a class="indexterm" name="id361208"></a>
+ No. This is not okay. It means that your Samba-3 client has joined the ADS domain as
+ a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication.
+ </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="upgrades.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part II. Domain Members, Updating Samba and Migration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 8. Updating Samba-3</td></tr></table></div></body></html>
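Review bot: Example 7.11 (`/etc/pam.d/login`) places `auth sufficient pam_unix2.so nullok` and `auth sufficient pam_winbind.so use_first_pass use_authtok` ahead of `auth required pam_securetty.so` and `auth required pam_nologin.so`; a `sufficient` module that succeeds (with no earlier `required` failure) returns success for the whole auth stack immediately, so for any user whose password is accepted the securetty and nologin checks never run: root can log in from a tty not listed in `/etc/securetty`, and `/etc/nologin` is ignored. Move the two `required` lines above the `sufficient` ones, or make them `requisite` at the top of the stack. Two further defects in the same examples will break logins rather than weaken them: Example 7.12 has `session required pam_dev perm.so`, a stray space in `pam_devperm.so`, which PAM cannot load and which, being `required`, fails every gdm/xdm session; and the account line of Example 7.11 reads `user_first_pass` where `use_first_pass` is meant. The `???` link text pointing at `ch9-pamwnbdlogin`, `ch9-rhsysauth` and `adssdm` shows the DocBook xrefs did not resolve when this HTML was generated (the `title` attributes still carry the intended example titles), so the build should be rerun with xref resolution fixed. Finally, the quoted manual text in the trusted-domains answer reads "distributed vi NIS" for "via NIS".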
diff --git a/docs/htmldocs/Samba3-ByExample/upgrades.html b/docs/htmldocs/Samba3-ByExample/upgrades.html
new file mode 100644
index 0000000000..d5bd3b036b
--- /dev/null
+++ b/docs/htmldocs/Samba3-ByExample/upgrades.html
@@ -0,0 +1,947 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. Updating Samba-3</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="unixclients.html" title="Chapter 7. Adding Domain Member Servers and Clients"><link rel="next" href="ntmigration.html" title="Chapter 9. Migrating NT4 Domain to Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. Updating Samba-3</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unixclients.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="ntmigration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrades"></a>Chapter 8. 
Updating Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="upgrades.html#id361313">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id361397">Cautions and Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id362605">Upgrading from Samba 1.x and 2.x to Samba-3</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#sbeug2">Samba 1.9.x and 2.x Versions Without LDAP</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id362947">Applicable to All Samba 2.x to Samba-3 Upgrades</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id363269">Samba-2.x with LDAP Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrades.html#id363384">Updating a Samba-3 Installation</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrades.html#id363478">Samba-3 to Samba-3 Updates on the Same Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id363662">Migrating Samba-3 to a New Server</a></span></dt><dt><span class="sect2"><a href="upgrades.html#id364040">Migration of Samba Accounts to Active Directory</a></span></dt></dl></dd></dl></div><p>
+<a class="indexterm" name="id361239"></a>
+<a class="indexterm" name="id361246"></a>
+It was a little difficult to select an appropriate title for this chapter.
+From email messages on the Samba mailing lists it is clear that many people
+consider the updating and upgrading of Samba to be a migration matter. Others
+talk about migrating Samba servers when in fact the issue at hand is one of
+installing a new Samba server to replace an older existing Samba server.
+</p><p>
+<a class="indexterm" name="id361259"></a>
+<a class="indexterm" name="id361266"></a>
+There has also been much talk about migration of Samba-3 from an smbpasswd
+passdb backend to the use of the tdbsam or ldapsam facilities that are new
+to Samba-3.
+</p><p>
+Clearly, there is not a great deal of clarity in the terminology that various
+people apply to these modes by which Samba servers are updated. This is further
+highlighted by an email posting that included the following neat remark:
+</p><div class="blockquote"><blockquote class="blockquote"><p>
+<a class="indexterm" name="id361284"></a>
+I like the &#8220;<span class="quote">net rpc vampire</span>&#8221; on NT4, but that to my surprise does
+not seem to work against a Samba PDC and, if addressed in the Samba to Samba
+context in either book, I could not find it.
+</p></blockquote></div><p>
+<a class="indexterm" name="id361303"></a>
+So in response to the significant request for these situations to be better
+documented, this chapter has now been added. User contributions and documentation
+of real-world experiences are a most welcome addition to this chapter.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id361313"></a>Introduction</h2></div></div></div><p>
+<a class="indexterm" name="id361321"></a>
+<a class="indexterm" name="id361328"></a>
+<a class="indexterm" name="id361335"></a>
+A Windows network administrator explained in an email what changes he was
+planning to make and followed with the question: &#8220;<span class="quote">Anyone done this
+before?</span>&#8221; Many of us have upgraded and updated Samba without incident.
+Others have experienced much pain and user frustration. So it is to be hoped
+that the notes in this chapter will make a positive difference by assuring
+that someone will be saved a lot of discomfort.
+</p><p>
+Before anyone commences an upgrade or an update of Samba, the one cardinal
+rule that must be observed is: Backup all Samba configuration files in
+case it is necessary to revert to the old version. Even if you do not like
+this precautionary step, users will punish an administrator who
+fails to take adequate steps to avoid situations that may inflict lost
+productivity on them.
+</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+<a class="indexterm" name="id361359"></a>
+<a class="indexterm" name="id361366"></a>
+Samba makes it possible to upgrade and update configuration files, but it
+is not possible to downgrade the configuration files. Please ensure that
+all configuration and control files are backed up to permit a down-grade
+in the rare event that this may be necessary.
+</p></div><p>
+<a class="indexterm" name="id361378"></a>
+<a class="indexterm" name="id361385"></a>
+It is prudent also to backup all data files on the server before attempting
+to perform a major upgrade. Many administrators have experienced the consequences
+of failure to take adequate precautions. So what is adequate? That is simple!
+If data is lost during an upgrade or update and it can not be restored,
+the precautions taken were inadequate. If a backup was not needed, but was available,
+caution was on the side of the victor.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id361397"></a>Cautions and Notes</h3></div></div></div><p>
+ Someone once said, &#8220;<span class="quote">It is good to be sorry, but better never to need to be!</span>&#8221;
+ These are wise words of advice to those contemplating a Samba upgrade or update.
+ </p><p>
+ <a class="indexterm" name="id361413"></a>
+ <a class="indexterm" name="id361419"></a>
+ <a class="indexterm" name="id361426"></a>
+ This is as good a time as any to define the terms <code class="constant">upgrade</code> and
+ <code class="constant">update</code>. The term <code class="constant">upgrade</code> refers to
+ the installation of a version of Samba that is a whole generation or more ahead of
+ that which is installed. Generations are indicated by the first digit of the version
+ number. So far Samba has been released in generations 1.x, 2.x, 3.x, and currently 4.0
+ is in development.
+ </p><p>
+ <a class="indexterm" name="id361450"></a>
+ The term <code class="constant">update</code> refers to a minor version number installation
+ in place of one of the same generation. For example, updating from Samba 3.0.10 to 3.0.14
+ is an update. The move from Samba 2.0.7 to 3.0.14 is an upgrade.
+ </p><p>
+ <a class="indexterm" name="id361466"></a>
+ While the use of these terms is an exercise in semantics, what needs to be realized
+ is that there are major functional differences between a Samba 2.x release and a Samba
+ 3.0.x release. Such differences may require a significantly different approach to
+ solving the same networking challenge and generally require careful review of the
+ latest documentation to identify precisely how the new installation may need to be
+ modified to preserve prior functionality.
+ </p><p>
+ There is an old axiom that says, &#8220;<span class="quote">The greater the volume of the documentation,
+ the greater the risk that noone will read it, but where there is no documentation,
+ noone can read it!</span>&#8221; While true, some documentation is an evil necessity.
+ It is hoped that this update to the documentation will avoid both extremes.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id361487"></a>Security Identifiers (SIDs)</h4></div></div></div><p>
+ <a class="indexterm" name="id361495"></a>
+ <a class="indexterm" name="id361504"></a>
+ <a class="indexterm" name="id361511"></a>
+ <a class="indexterm" name="id361517"></a>
+ <a class="indexterm" name="id361524"></a>
+ <a class="indexterm" name="id361533"></a>
+ Before the days of Windows NT and OS/2, every Windows and DOS networking client
+ that used the SMB protocols was an entirely autonomous entity. There was no concept
+ of a security identifier for a machine or a user outside of the username, the
+ machine name, and the workgroup name. In actual fact, these were not security identifiers
+ in the same context as the way that the SID is used since the development of
+ Windows NT 3.10.
+ </p><p>
+ <a class="indexterm" name="id361549"></a>
+ <a class="indexterm" name="id361556"></a>
+ <a class="indexterm" name="id361562"></a>
+ <a class="indexterm" name="id361569"></a>
+ <a class="indexterm" name="id361576"></a>
+ <a class="indexterm" name="id361582"></a>
+ Versions of Samba prior to 1.9 did not make use of a SID. Instead they make exclusive use
+ of the username that is embedded in the SessionSetUpAndX component of the connection
+ setup process between a Windows client and an SMB/CIFS server.
+ </p><p>
+ <a class="indexterm" name="id361597"></a>
+ <a class="indexterm" name="id361604"></a>
+ <a class="indexterm" name="id361610"></a>
+ Around November 1997 support was added to Samba-1.9 to handle the Windows security
+ RPC-based protocols that implemented support for Samba to store a machine SID. This
+ information was stored in a file called <code class="filename">MACHINE.SID.</code>
+ </p><p>
+ <a class="indexterm" name="id361628"></a>
+ <a class="indexterm" name="id361635"></a>
+ <a class="indexterm" name="id361641"></a>
+ Within the lifetime of the early Samba 2.x series, the machine SID information was
+ relocated into a tdb file called <code class="filename">secrets.tdb</code>, which is where
+ it is still located in Samba 3.0.x along with other information that pertains to the
+ local machine and its role within a domain security context.
+ </p><p>
+ <a class="indexterm" name="id361660"></a>
+ <a class="indexterm" name="id361669"></a>
+ <a class="indexterm" name="id361678"></a>
+ <a class="indexterm" name="id361684"></a>
+ There are two types of SID, those pertaining to the machine itself and the domain to
+ which it may belong, and those pertaining to users and groups within the security
+ context of the local machine, in the case of standalone servers (SAS) and domain member
+ servers (DMS).
+ </p><p>
+ <a class="indexterm" name="id361697"></a>
+ <a class="indexterm" name="id361704"></a>
+ <a class="indexterm" name="id361710"></a>
+ <a class="indexterm" name="id361717"></a>
+ <a class="indexterm" name="id361724"></a>
+ <a class="indexterm" name="id361731"></a>
+ When the Samba <code class="literal">smbd</code> daemon is first started, if the <code class="filename">secrets.tdb</code>
+ file does not exist, it is created at the first client connection attempt. If this file does
+ exist, <code class="literal">smbd</code> checks that there is a machine SID (if it is a domain controller,
+ it searches for the domain SID). If <code class="literal">smbd</code> does not find one for the current
+ name of the machine or for the current name of the workgroup, a new SID will be generated and
+ then written to the <code class="filename">secrets.tdb</code> file. The SID is generated in a nondeterminative
+ manner. This means that each time it is generated for a particular combination of machine name
+ (hostname) and domain name (workgroup), it will be different.
+ </p><p>
+ <a class="indexterm" name="id361775"></a>
+ The SID is the key used by MS Windows networking for all networking operations. This means
+ that when the machine or domain SID changes, all security-encoded objects such as profiles
+ and ACLs may become unusable.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ It is of paramount importance that the machine and domain SID be backed up so that in
+ the event of a change of hostname (machine name) or domain name (workgroup) the SID can
+ be restored to its previous value.
+ </p></div><p>
+ <a class="indexterm" name="id361793"></a>
+ <a class="indexterm" name="id361800"></a>
+ <a class="indexterm" name="id361806"></a>
+ <a class="indexterm" name="id361813"></a>
+ <a class="indexterm" name="id361820"></a>
+ <a class="indexterm" name="id361826"></a>
+ <a class="indexterm" name="id361833"></a>
+ <a class="indexterm" name="id361840"></a>
+ <a class="indexterm" name="id361847"></a>
+ <a class="indexterm" name="id361853"></a>
+ In Samba-3 on a domain controller (PDC or BDC), the domain name controls the domain
+ SID. On all prior versions the hostname (computer name, or NetBIOS name) controlled
+ the SID. On a standalone server the hostname still controls the SID.
+ </p><p>
+ <a class="indexterm" name="id361865"></a>
+ <a class="indexterm" name="id361874"></a>
+ The local machine SID can be backed up using this procedure (Samba-3):
+</p><pre class="screen">
+<code class="prompt">root# </code> net getlocalsid &gt; /etc/samba/my-local-SID
+</pre><p>
+ The contents of the file <code class="filename">/etc/samba/my-local-SID</code> will be:
+</p><pre class="screen">
+SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429
+</pre><p>
+ This SID can be restored by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> net setlocalsid S-1-5-21-726309263-4128913605-1168186429
+</pre><p>
+ </p><p>
+ Samba 1.9.x stored the machine SID in the the file <code class="filename">/etc/MACHINE.SID</code>
+ from which it could be recovered and stored into the <code class="filename">secrets.tdb</code> file
+ using the procedure shown above.
+ </p><p>
+ Where the <code class="filename">secrets.tdb</code> file exists and a version of Samba 2.x or later
+ has been used, there is no specific need to go through this update process. Samba-3 has the
+ ability to read the older tdb file and to perform an in-situ update to the latest tdb format.
+ This is not a reversible process it is a one-way upgrade.
+ </p><p>
+ <a class="indexterm" name="id361956"></a>
+ In the course of the Samba 2.0.x series the <code class="literal">smbpasswd</code> was modified to
+ permit the domain SID to be captured to the <code class="filename">secrets.tdb</code> file by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -S PDC -Uadministrator%password
+</pre><p>
+ </p><p>
+ The release of the Samba 2.2.x series permitted the SID to be obtained by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -S PDC -Uadministrator%password
+</pre><p>
+ from which the SID could be copied to a file and then written to the Samba-2.2.x
+ <code class="filename">secrets.tdb</code> file by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -W S-1-5-21-726309263-4128913605-1168186429
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id362024"></a>
+ <a class="indexterm" name="id362031"></a>
+ Domain security information, which includes the domain SID, can be obtained from Samba-2.2.x
+ systems by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpcclient hostname lsaquery -Uroot%password
+</pre><p>
+ This can also be done with Samba-3 by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc info -Uroot%password
+Domain Name: MIDEARTH
+Domain SID: S-1-5-21-726309263-4128913605-1168186429
+Sequence number: 1113415916
+Num users: 4237
+Num domain groups: 86
+Num local groups: 0
+</pre><p>
+ It is a very good practice to store this SID information in a safely kept file, just in
+ case it is ever needed at a later date.
+ </p><p>
+ <a class="indexterm" name="id362073"></a>
+ <a class="indexterm" name="id362079"></a>
+ <a class="indexterm" name="id362086"></a>
+ Take note that the domain SID is used extensively in Samba. Where LDAP is used for the
+ <em class="parameter"><code>passdb backend</code></em>, all user, group, and trust accounts are encoded
+ with the domain SID. This means that if the domain SID changes for any reason, the entire
+ Samba environment can become broken and require extensive corrective action if the
+ original SID cannot be restored. Fortunately, it can be recovered from a dump of the
+ LDAP database. A dump of the LDAP directory database can be obtained by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapcat -v -l filename.ldif
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id362118"></a>
+ <a class="indexterm" name="id362124"></a>
+ <a class="indexterm" name="id362131"></a>
+ When the domain SID has changed, roaming profiles cease to be functional. The recovery
+ of roaming profiles necessitates resetting of the domain portion of the user SID
+ that owns the profile. This is encoded in the <code class="filename">NTUser.DAT</code> and can be
+ updated using the Samba <code class="literal">profiles</code> utility. Please be aware that not all
+ Linux distributions of the Samba RPMs include this essential utility. Please do not
+ complain to the Samba Team if this utility is missing; that issue that must be
+ addressed to the creator of the RPM package. The Samba Team do their best to make
+ available all the tools needed to manage a Samba-based Windows networking environment.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id362157"></a>Change of hostname</h4></div></div></div><p>
+ <a class="indexterm" name="id362165"></a>
+ <a class="indexterm" name="id362174"></a>
+ Samba uses two methods by which the primary NetBIOS machine name (also known as a computer
+ name or the hostname) may be determined: If the <code class="filename">smb.conf</code> file contains a
+ <em class="parameter"><code>netbios name</code></em> entry, its value will be used directly. In the absence
+ of such an entry, the UNIX system hostname will be used.
+ </p><p>
+ Many sites have become victims of lost Samba functionality because the UNIX system
+ hostname was changed for one reason or another. Such a change will cause a new machine
+ SID to be generated. If this happens on a domain controller, it will also change the
+ domain SID. These SIDs can be updated (restored) using the procedure outlined previously.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ Do NOT change the hostname or the <em class="parameter"><code>netbios name</code></em>. If this
+ is changed, be sure to reset the machine SID to the original setting. Otherwise
+ there may be serious interoperability and/or operational problems.
+ </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id362215"></a>Change of Workgroup (Domain) Name</h4></div></div></div><p>
+ <a class="indexterm" name="id362223"></a>
+ The domain name of a Samba server is identical to the workgroup name and is
+ set in the <code class="filename">smb.conf</code> file using the <em class="parameter"><code>workgroup</code></em> parameter.
+ This has been consistent throughout the history of Samba and across all versions.
+ </p><p>
+ <a class="indexterm" name="id362246"></a>
+ Be aware that when the workgroup name is changed, a new SID will be generated.
+ The old domain SID can be reset using the procedure outlined earlier in this chapter.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbeug1"></a>Location of config files</h4></div></div></div><p>
+ The Samba-Team has maintained a constant default location for all Samba control files
+ throughout the life of the project. People who have produced binary packages of Samba
+ have varied the location of the Samba control files. This has led to some confusion
+ for network administrators.
+ </p><p>
+ <a class="indexterm" name="id362274"></a>
+ The Samba 1.9.x <code class="filename">smb.conf</code> file may be found either in the <code class="filename">/etc</code>
+ directory or in <code class="filename">/usr/local/samba/lib</code>.
+ </p><p>
+ During the life of the Samba 2.x release, the <code class="filename">smb.conf</code> file was relocated
+ on Linux systems to the <code class="filename">/etc/samba</code> directory where it
+ remains located also for Samba 3.0.x installations.
+ </p><p>
+ <a class="indexterm" name="id362318"></a>
+ Samba 2.x introduced the <code class="filename">secrets.tdb</code> file that is also stored in the
+ <code class="filename">/etc/samba</code> directory, or in the <code class="filename">/usr/local/samba/lib</code>
+ directory subsystem.
+ </p><p>
+ <a class="indexterm" name="id362347"></a>
+ The location at which <code class="literal">smbd</code> expects to find all configuration and control
+ files is determined at the time of compilation of Samba. For versions of Samba prior to
+ 3.0, one way to find the expected location of these files is to execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> strings /usr/sbin/smbd | grep conf
+<code class="prompt">root# </code> strings /usr/sbin/smbd | grep secret
+<code class="prompt">root# </code> strings /usr/sbin/smbd | grep smbpasswd
+</pre><p>
+ Note: The <code class="literal">smbd</code> executable may be located in the path
+ <code class="filename">/usr/local/samba/sbin</code>.
+ </p><p>
+ <a class="indexterm" name="id362401"></a>
+ Samba-3 provides a neat new way to track the location of all control files as well as to
+ find the compile-time options used as the Samba package was built. Here is how the dark
+ secrets of the internals of the location of control files within Samba executables can
+ be uncovered:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbd -b | less
+Build environment:
+ Built by: root@frodo
+ Built on: Mon Apr 11 20:23:27 MDT 2005
+ Built using: gcc
+ Build host: Linux frodo 2.6...
+ SRCDIR: /usr/src/packages/BUILD/samba-3.0.20/source
+ BUILDDIR: /usr/src/packages/BUILD/samba-3.0.20/source
+
+Paths:
+ SBINDIR: /usr/sbin
+ BINDIR: /usr/bin
+ SWATDIR: /usr/share/samba/swat
+ CONFIGFILE: /etc/samba/smb.conf
+ LOGFILEBASE: /var/log/samba
+ LMHOSTSFILE: /etc/samba/lmhosts
+ LIBDIR: /usr/lib/samba
+ SHLIBEXT: so
+ LOCKDIR: /var/lib/samba
+ PIDDIR: /var/run/samba
+ SMB_PASSWD_FILE: /etc/samba/smbpasswd
+ PRIVATE_DIR: /etc/samba
+ ...
+</pre><p>
+ </p><p>
+ <a class="indexterm" name="id362430"></a>
+ It is important that both the <code class="filename">smb.conf</code> file and the <code class="filename">secrets.tdb</code>
+ be backed up before attempting any upgrade. The <code class="filename">secrets.tdb</code> file
+ is version-encoded, and therefore a newer version may not work with an older version
+ of Samba. A backup means that it is always possible to revert a failed or problematic
+ upgrade.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id362458"></a>International Language Support</h4></div></div></div><p>
+ <a class="indexterm" name="id362466"></a>
+ <a class="indexterm" name="id362473"></a>
+ <a class="indexterm" name="id362480"></a>
+ <a class="indexterm" name="id362486"></a>
+ Samba-2.x had no support for Unicode; instead, all national language character-set support in file names
+ was done using particular locale codepage mapping techniques. Samba-3 supports Unicode in file names, thus
+ providing true internationalization support.
+ </p><p>
+ <a class="indexterm" name="id362499"></a>
+ Non-English users whose national language character set has special characters and who upgrade naively will
+ find that many files that have the special characters in the file name will see them garbled and jumbled up.
+ This typically happens with umlauts and accents because these characters were particular to the codepage
+ that was in use with Samba-2.x using an 8-bit encoding scheme.
+ </p><p>
+ <a class="indexterm" name="id362512"></a>
+ Files that are created with Samba-3 will use UTF-8 encoding. Should the file system ever end up with a
+ mix of codepage (unix charset)-encoded file names and UTF-8-encoded file names, the mess will take some
+ effort to set straight.
+ </p><p>
+ <a class="indexterm" name="id362524"></a>
+ A very helpful tool is available from Bjorn Jacke's <a href="http://j3e.de/linux/convmv/" target="_top">convmv</a>
+ work. Convmv is a tool that can be used to convert file and directory names from one encoding method to
+ another. The most common use for this tool is to convert locale-encoded files to UTF-8 Unicode encoding.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id362542"></a>Updates and Changes in Idealx smbldap-tools</h4></div></div></div><p>
+ The smbldap-tools have been maturing rapidly over the past year. With maturation comes change.
+ The location of the <code class="filename">smbldap.conf</code> and the <code class="filename">smbldap_bind.conf</code>
+ configuration files have been moved from the directory <code class="filename">/etc/smbldap-tools</code> to
+ the new location of <code class="filename">/etc/opt/IDEALX/smblda-tools</code> directory.
+ </p><p>
+ The smbldap-tools maintains an entry in the LDAP directory in which it stores the next
+ values that should be used for UID and GID allocation for POSIX accounts that are created
+ using this tool. The DIT location of these values has changed recently. The original
+ <code class="constant">sambaUnixIdPooldn object</code> entity was stored in a directory entry (DIT object)
+ called <code class="constant">NextFreeUnixId</code>, this has been changed to the DIT object
+ <code class="constant">sambaDomainName</code>. Anyone who updates from an older version to the
+ current release should note that the information stored under <code class="constant">NextFreeUnixId</code>
+ must now be relocated to the DIT object <code class="constant">sambaDomainName</code>.
+ </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id362605"></a>Upgrading from Samba 1.x and 2.x to Samba-3</h2></div></div></div><p>
+Sites that are being upgraded from Samba-2 (or earlier versions) to Samba-3
+may experience little difficulty or may require a lot of effort, depending
+on the complexity of the configuration. Samba-1.9.x upgrades to Samba-3 will
+generally be simple and straightforward, although no upgrade should be
+attempted without proper planning and preparation.
+</p><p>
+There are two basic modes of use of Samba versions prior to Samba-3. The first
+does not use LDAP, the other does. Samba-1.9.x did not provide LDAP support.
+Samba-2.x could be compiled with LDAP support.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeug2"></a>Samba 1.9.x and 2.x Versions Without LDAP</h3></div></div></div><p>
+ Where it is necessary to upgrade an old Samba installation to Samba-3,
+ the following procedure can be followed:
+ </p><div class="procedure"><a name="id362636"></a><p class="title"><b>Procedure 8.1. Upgrading from a Pre-Samba-3 Version</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id362647"></a>
+ <a class="indexterm" name="id362654"></a>
+ <a class="indexterm" name="id362661"></a>
+ Stop Samba. This can be done using the appropriate system tool
+ that is particular for each operating system or by executing the
+ <code class="literal">kill</code> command on <code class="literal">smbd</code>,
+ <code class="literal">nmbd</code>, and <code class="literal">winbindd</code>.
+ </p></li><li><p>
+ Find the location of the Samba <code class="filename">smb.conf</code> file and back it up to a
+ safe location.
+ </p></li><li><p>
+ Find the location of the <code class="filename">smbpasswd</code> file and
+ back it up to a safe location.
+ </p></li><li><p>
+ Find the location of the <code class="filename">secrets.tdb</code> file and
+ back it up to a safe location.
+ </p></li><li><p>
+ <a class="indexterm" name="id362739"></a>
+ <a class="indexterm" name="id362746"></a>
+ <a class="indexterm" name="id362753"></a>
+ <a class="indexterm" name="id362760"></a>
+ Find the location of the lock directory. This is the directory
+ in which Samba stores all its tdb control files. The default
+ location used by the Samba Team is in
+ <code class="filename">/usr/local/samba/var/locks</code> directory,
+ but on Linux systems the old location was under the
+ <code class="filename">/var/cache/samba</code> directory. However, the
+ Linux Standards Base specified location is now under the
+ <code class="filename">/var/lib/samba</code> directory. Copy all the
+ tdb files to a safe location.
+ </p></li><li><p>
+ <a class="indexterm" name="id362794"></a>
+ It is now safe to upgrade the Samba installation. On Linux systems
+ it is not necessary to remove the Samba RPMs because a simple
+ upgrade installation will automatically remove the old files.
+ </p><p>
+ On systems that do not support a reliable package management system
+ it is advisable either to delete the Samba old installation or to
+ move it out of the way by renaming the directories that contain the
+ Samba binary files.
+ </p></li><li><p>
+ When the Samba upgrade has been installed, the first step that should
+ be completed is to identify the new target locations for the control
+ files. Follow the steps shown in <a href="upgrades.html#sbeug1" title="Location of config files">???</a> to locate
+ the correct directories to which each control file must be moved.
+ </p></li><li><p>
+ Do not change the hostname.
+ </p></li><li><p>
+ Do not change the workgroup name.
+ </p></li><li><p>
+ <a class="indexterm" name="id362843"></a>
+ Execute the <code class="literal">testparm</code> to validate the <code class="filename">smb.conf</code> file.
+ This process will flag any parameters that are no longer supported.
+ It will also flag configuration settings that may be in conflict.
+ </p><p>
+ One solution that may be used to clean up and to update the <code class="filename">smb.conf</code>
+ file involves renaming it to <code class="filename">smb.conf.master</code> and
+ then executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /etc/samba
+<code class="prompt">root# </code> testparm -s smb.conf.master &gt; smb.conf
+</pre><p>
+ <a class="indexterm" name="id362897"></a>
+ The resulting <code class="filename">smb.conf</code> file will be stripped of all comments
+ and of all nonconforming configuration settings.
+ </p></li><li><p>
+ <a class="indexterm" name="id362917"></a>
+ It is now safe to start Samba using the appropriate system tool.
+ Alternately, it is possible to just execute <code class="literal">nmbd</code>,
+ <code class="literal">smbd</code>, and <code class="literal">winbindd</code> for the command
+ line while logged in as the root user.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id362947"></a>Applicable to All Samba 2.x to Samba-3 Upgrades</h3></div></div></div><p>
+ <a class="indexterm" name="id362955"></a>
+ <a class="indexterm" name="id362961"></a>
+ <a class="indexterm" name="id362968"></a>
+ Samba 2.x servers that were running as a domain controller (PDC)
+ require changes to the configuration of the scripting interface
+ tools that Samba uses to perform OS updates for
+ users, groups, and trust accounts (machines and interdomain).
+ </p><p>
+ <a class="indexterm" name="id362980"></a>
+ The following parameters are new to Samba-3 and should be correctly configured.
+ Please refer to <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a> through <a href="2000users.html" title="Chapter 6. A Distributed 2000-User Network">???</a>
+ in this book for examples of use of the new parameters shown here:
+ <a class="indexterm" name="id363000"></a>
+ <a class="indexterm" name="id363006"></a>
+ <a class="indexterm" name="id363013"></a>
+ <a class="indexterm" name="id363020"></a>
+ <a class="indexterm" name="id363027"></a>
+ <a class="indexterm" name="id363034"></a>
+ <a class="indexterm" name="id363041"></a>
+ </p><p>
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>add group script</p></td></tr><tr><td><p>add machine script</p></td></tr><tr><td><p>add user to group script</p></td></tr><tr><td><p>delete group script</p></td></tr><tr><td><p>delete user from group script</p></td></tr><tr><td><p>passdb backend</p></td></tr><tr><td><p>set primary group script</p></td></tr></table><p>
+ </p><p>
+ <a class="indexterm" name="id363092"></a>
+ <a class="indexterm" name="id363098"></a>
+ The <em class="parameter"><code>add machine script</code></em> functionality was previously
+ handled by the <em class="parameter"><code>add user script</code></em>, which in Samba-3 is
+ used exclusively to add user accounts.
+ </p><p>
+ <a class="indexterm" name="id363121"></a>
+ <a class="indexterm" name="id363128"></a>
+ <a class="indexterm" name="id363135"></a>
+ <a class="indexterm" name="id363142"></a>
+ <a class="indexterm" name="id363148"></a>
+ <a class="indexterm" name="id363155"></a>
+ <a class="indexterm" name="id363162"></a>
+ <a class="indexterm" name="id363169"></a>
+ <a class="indexterm" name="id363176"></a>
+ Where the <em class="parameter"><code>passdb backend</code></em> used is either <code class="constant">smbpasswd</code>
+ (the default) or the new <code class="constant">tdbsam</code>, the system interface scripts
+ are typically used. These involve use of OS tools such as <code class="literal">useradd</code>,
+ <code class="literal">usermod</code>, <code class="literal">userdel</code>, <code class="literal">groupadd</code>,
+ <code class="literal">groupmod</code>, <code class="literal">groupdel</code>, and so on.
+ </p><p>
+ <a class="indexterm" name="id363235"></a>
+ <a class="indexterm" name="id363242"></a>
+ <a class="indexterm" name="id363248"></a>
+ Where the <em class="parameter"><code>passdb backend</code></em> makes use of an LDAP directory,
+ it is necessary either to use the <code class="constant">smbldap-tools</code> provided
+ by Idealx or to use an alternate toolset provided by a third
+ party or else home-crafted to manage the LDAP directory accounts.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id363269"></a>Samba-2.x with LDAP Support</h3></div></div></div><p>
+ Samba version 2.x could be compiled for use either with or without LDAP.
+ The LDAP control settings in the <code class="filename">smb.conf</code> file in this old version are
+ completely different (and less complete) than they are with Samba-3. This
+ means that after migrating the control files, it is necessary to reconfigure
+ the LDAP settings entirely.
+ </p><p>
+ Follow the procedure outlined in <a href="upgrades.html#sbeug2" title="Samba 1.9.x and 2.x Versions Without LDAP">???</a> to affect a migration
+ of all files to the correct locations.
+ </p><p>
+ <a class="indexterm" name="id363299"></a>
+ <a class="indexterm" name="id363306"></a>
+ The Samba SAM schema required for Samba-3 is significantly different from that
+ used with Samba 2.x. This means that the LDAP directory must be updated
+ using the procedure outlined in the Samba WHATSNEW.txt file that accompanies
+ all releases of Samba-3. This information is repeated here directly from this
+ file:
+</p><pre class="screen">
+This is an extract from the Samba-3.0.x WHATSNEW.txt file:
+==========================================================
+Changes in Behavior
+-------------------
+
+The following issues are known changes in behavior between Samba 2.2 and
+Samba 3.0 that may affect certain installations of Samba.
+
+ 1) When operating as a member of a Windows domain, Samba 2.2 would
+ map any users authenticated by the remote DC to the 'guest account'
+ if a uid could not be obtained via the getpwnam() call. Samba 3.0
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the 2.2 behavior.
+
+ 2) When adding machines to a Samba 2.2 controlled domain, the
+ 'add user script' was used to create the UNIX identity of the
+ machine trust account. Samba 3.0 introduces a new 'add machine
+ script' that must be specified for this purpose. Samba 3.0 will
+ not fall back to using the 'add user script' in the absence of
+ an 'add machine script'
+
+######################################################################
+Passdb Backends and Authentication
+##################################
+
+There have been a few new changes that Samba administrators should be
+aware of when moving to Samba 3.0.
+
+ 1) encrypted passwords have been enabled by default in order to
+ inter-operate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a samba account
+ must be created for each user, or (b) 'encrypt passwords = no'
+ must be explicitly defined in smb.conf.
+
+ 2) Inclusion of new 'security = ads' option for integration
+ with an Active Directory domain using the native Windows
+ Kerberos 5 and LDAP protocols.
+
+ MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption
+ type which is necessary for servers on which the
+ administrator password has not been changed, or kerberos-enabled
+ SMB connections to servers that require Kerberos SMB signing.
+ Besides this one difference, either MIT or Heimdal Kerberos
+ distributions are usable by Samba 3.0.
+
+
+Samba 3.0 also includes the possibility of setting up chains
+of authentication methods (auth methods) and account storage
+backends (passdb backend). Please refer to the smb.conf(5)
+man page for details. While both parameters assume sane default
+values, it is likely that you will need to understand what the
+values actually mean in order to ensure Samba operates correctly.
+
+The recommended passdb backends at this time are
+
+ * smbpasswd - 2.2 compatible flat file format
+ * tdbsam - attribute rich database intended as an smbpasswd
+ replacement for stand alone servers
+ * ldapsam - attribute rich account storage and retrieval
+ backend utilizing an LDAP directory.
+ * ldapsam_compat - a 2.2 backward compatible LDAP account
+ backend
+
+Certain functions of the smbpasswd(8) tool have been split between the
+new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8)
+utility. See the respective man pages for details.
+
+######################################################################
+LDAP
+####
+
+This section outlines the new features affecting Samba / LDAP
+integration.
+
+New Schema
+----------
+
+A new object class (sambaSamAccount) has been introduced to replace
+the old sambaAccount. This change aids us in the renaming of
+attributes to prevent clashes with attributes from other vendors.
+There is a conversion script (examples/LDAP/convertSambaAccount) to
+modify and LDIF file to the new schema.
+
+Example:
+
+ $ ldapsearch .... -b "ou=people,dc=..." &gt; sambaAcct.ldif
+ $ convertSambaAccount --sid=&lt;Domain SID&gt; \
+ --input=sambaAcct.ldif --output=sambaSamAcct.ldif \
+ --changetype=[modify|add]
+
+The &lt;DOM SID&gt; can be obtained by running 'net getlocalsid
+&lt;DOMAINNAME&gt;' on the Samba PDC as root. The changetype determines
+the format of the generated LDIF output--either create new entries
+or modify existing entries.
+
+The old sambaAccount schema may still be used by specifying the
+"ldapsam_compat" passdb backend. However, the sambaAccount and
+associated attributes have been moved to the historical section of
+the schema file and must be uncommented before use if needed.
+The 2.2 object class declaration for a sambaAccount has not changed
+in the 3.0 samba.schema file.
+
+Other new object classes and their uses include:
+
+ * sambaDomain - domain information used to allocate rids
+ for users and groups as necessary. The attributes are added
+ in 'ldap suffix' directory entry automatically if
+ an idmap uid/gid range has been set and the 'ldapsam'
+ passdb backend has been selected.
+
+ * sambaGroupMapping - an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the 'ldap
+ group suffix' and managed by the 'net groupmap' command.
+
+ * sambaUnixIdPool - created in the 'ldap idmap suffix' entry
+ automatically and contains the next available 'idmap uid' and
+ 'idmap gid'
+
+ * sambaIdmapEntry - object storing a mapping between a
+ SID and a UNIX uid/gid. These objects are created by the
+ idmap_ldap module as needed.
+
+ * sambaSidEntry - object representing a SID alone, as a Structural
+ class on which to build the sambaIdmapEntry.
+
+
+New Suffix for Searching
+------------------------
+
+The following new smb.conf parameters have been added to aid in directing
+certain LDAP queries when 'passdb backend = ldapsam://...' has been
+specified.
+
+ * ldap suffix - used to search for user and computer accounts
+ * ldap user suffix - used to store user accounts
+ * ldap machine suffix - used to store machine trust accounts
+ * ldap group suffix - location of posixGroup/sambaGroupMapping entries
+ * ldap idmap suffix - location of sambaIdmapEntry objects
+
+If an 'ldap suffix' is defined, it will be appended to all of the
+remaining sub-suffix parameters. In this case, the order of the suffix
+listings in smb.conf is important. Always place the 'ldap suffix' first
+in the list.
+
+Due to a limitation in Samba's smb.conf parsing, you should not surround
+the DN's with quotation marks.
+</pre><p>
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id363384"></a>Updating a Samba-3 Installation</h2></div></div></div><p>
+The key concern in this section is to deal with the changes that have been
+affected in Samba-3 between the Samba-3.0.0 release and the current update.
+Network administrators have expressed concerns over the steps that should be
+taken to update Samba-3 versions.
+</p><p>
+<a class="indexterm" name="id363397"></a>
+The information in <a href="upgrades.html#sbeug1" title="Location of config files">???</a> would not be necessary if every
+person who has ever produced Samba executable (binary) files could agree on
+the preferred location of the <code class="filename">smb.conf</code> file and other Samba control files.
+Clearly, such agreement is further away than a pipedream.
+</p><p>
+<a class="indexterm" name="id363420"></a>
+Vendors and packagers who produce Samba binary installable packages do not,
+as a rule, use the default paths used by the Samba-Team for the location of
+the binary files, the <code class="filename">smb.conf</code> file, and the Samba control files (tdb's
+as well as files such as <code class="filename">secrets.tdb</code>). This means that
+the network or UNIX administrator who sets out to build the Samba executable
+files from the Samba tarball must take particular care. Failure to take care
+will result in both the original vendor's version of Samba remaining installed
+and the new version being installed in the default location used
+by the Samba-Team. This can lead to confusion and to much lost time as the
+uninformed administrator deals with apparent failure of the update to take
+effect.
+</p><p>
+<a class="indexterm" name="id363448"></a>
+The best advice for those lacking in code compilation experience is to use
+only vendor (or Samba-Team) provided binary packages. The Samba packages
+that are provided by the Samba-Team are generally built to use file paths
+that are compatible with the original OS vendor's practices.
+</p><p>
+<a class="indexterm" name="id363461"></a>
+<a class="indexterm" name="id363468"></a>
+If you are not sure whether a binary package complies with the OS
+vendor's practices, it is better to ask the package maintainer via
+email than to waste much time dealing with the nuances.
+Alternately, just diagnose the paths specified by the binary files following
+the procedure outlined above.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id363478"></a>Samba-3 to Samba-3 Updates on the Same Server</h3></div></div></div><p>
+ The guidance in this section deals with updates to an existing
+ Samba-3 server installation.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id363488"></a>Updating from Samba Versions Earlier than 3.0.5</h4></div></div></div><p>
+ With the provision that the binary Samba-3 package has been built
+ with the same path and feature settings as the existing Samba-3
+ package that is being updated, an update of Samba-3 versions 3.0.0
+ through 3.0.4 can be updated to 3.0.5 without loss of functionality
+ and without need to change either the <code class="filename">smb.conf</code> file or, where
+ used, the LDAP schema.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id363507"></a>Updating from Samba Versions between 3.0.6 and 3.0.10</h4></div></div></div><p>
+ <a class="indexterm" name="id363515"></a>
+ <a class="indexterm" name="id363522"></a>
+ When updating versions of Samba-3 prior to 3.0.6 to 3.0.6 through 3.0.10,
+ it is necessary only to update the LDAP schema (where LDAP is used).
+ Always use the LDAP schema file that is shipped with the latest Samba-3
+ update.
+ </p><p>
+ <a class="indexterm" name="id363536"></a>
+ <a class="indexterm" name="id363543"></a>
+ <a class="indexterm" name="id363550"></a>
+ Samba-3.0.6 introduced the ability to remember the last <span class="emphasis"><em>n</em></span> number
+ of passwords a user has used. This information will work only with
+ the <code class="constant">tdbsam</code> and <code class="constant">ldapsam</code>
+ <em class="parameter"><code>passdb backend</code></em> facilities.
+ </p><p>
+ After updating the LDAP schema, do not forget to re-index the LDAP database.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id363581"></a>Updating from Samba Versions after 3.0.6 to a Current Release</h4></div></div></div><p>
+ <a class="indexterm" name="id363589"></a>
+ Samba-3.0.8 introduced changes in how the <em class="parameter"><code>username map</code></em>
+ behaves. It also included a change in behavior of <code class="literal">winbindd</code>.
+ Please refer to the man page for <code class="filename">smb.conf</code> before implementing any update
+ from versions prior to 3.0.8 to a current version.
+ </p><p>
+ <a class="indexterm" name="id363618"></a>
+ In Samba-3.0.11 a new privileges interface was implemented. Please
+ refer to <a href="happy.html#sbehap-ppc" title="Addition of Machines to the Domain">???</a> for information regarding this new
+ feature. It is not necessary to implement the privileges interface, but it
+ is one that has been requested for several years and thus may be of interest
+ at your site.
+ </p><p>
+ In Samba-3.0.11 there were some functional changes to the <em class="parameter"><code>ldap user
+ suffix</code></em> and to the <em class="parameter"><code>ldap machine suffix</code></em> behaviors.
+ The following information has been extracted from the WHATSNEW.txt file from this
+ release:
+</p><pre class="screen">
+============
+LDAP Changes
+============
+
+If "ldap user suffix" or "ldap machine suffix" are defined in
+smb.conf, all user-accounts must reside below the user suffix,
+and all machine and inter-domain trust-accounts must be located
+below the machine suffix. Previous Samba releases would fall
+back to searching the 'ldap suffix' in some cases.
+</pre><p>
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id363662"></a>Migrating Samba-3 to a New Server</h3></div></div></div><p>
+ The two most likely candidates for replacement of a server are
+ domain member servers and domain controllers. Each needs to be
+ handled slightly differently.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id363672"></a>Replacing a Domain Member Server</h4></div></div></div><p>
+ <a class="indexterm" name="id363680"></a>
+ Replacement of a domain member server should be done
+ using the same procedure as outlined in <a href="unixclients.html" title="Chapter 7. Adding Domain Member Servers and Clients">???</a>.
+ </p><p>
+ Usually the new server will be introduced with a temporary name. After
+ the old server data has been migrated to the new server, it is customary
+ that the new server be renamed to that of the old server. This will
+ change its SID and will necessitate rejoining to the domain.
+ </p><p>
+ <a class="indexterm" name="id363703"></a>
+ <a class="indexterm" name="id363709"></a>
+ <a class="indexterm" name="id363716"></a>
+ <a class="indexterm" name="id363723"></a>
+ <a class="indexterm" name="id363730"></a>
+ <a class="indexterm" name="id363736"></a>
+ Following a change of hostname (NetBIOS name) it is a good idea on all servers
+ to shut down the Samba <code class="literal">smbd</code>, <code class="literal">nmbd</code>, and
+ <code class="literal">winbindd</code> services, delete the <code class="filename">wins.dat</code>
+ and <code class="filename">browse.dat</code> files, then restart Samba. This will ensure
+ that the old name and IP address information is no longer able to interfere with
+ name to IP address resolution. If this is not done, there can be temporary name
+ resolution problems. These problems usually clear within 45 minutes of a name
+ change, but can persist for a longer period of time.
+ </p><p>
+ <a class="indexterm" name="id363780"></a>
+ <a class="indexterm" name="id363786"></a>
+ <a class="indexterm" name="id363793"></a>
+ <a class="indexterm" name="id363800"></a>
+ If the old domain member server had local accounts, it is necessary to create
+ on the new domain member server the same accounts with the same UID and GID
+ for each account. Where the <em class="parameter"><code>passdb backend</code></em> database
+ is stored in the <code class="constant">smbpasswd</code> or in the
+ <code class="constant">tdbsam</code> format, the user and group account information
+ for UNIX accounts that match the Samba accounts will reside in the system
+ <code class="filename">/etc/passwd</code>, <code class="filename">/etc/shadow</code>, and
+ <code class="filename">/etc/group</code> files. In this case, be sure to copy these
+ account entries to the new target server.
+ </p><p>
+ <a class="indexterm" name="id363845"></a>
+ Where the user accounts for both UNIX and Samba are stored in LDAP, the new
+ target server must be configured to use the <code class="literal">nss_ldap</code> tool set.
+ This will automatically ensure that the appropriate user entities are
+ available on the new server.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id363862"></a>Replacing a Domain Controller</h4></div></div></div><p>
+ <a class="indexterm" name="id363870"></a>
+ In the past, people who replaced a Windows NT4 domain controller typically
+ installed a new server, created printers and file shares on it, then migrate across
+ all data that was destined to reside on it. The same can of course be done with
+ Samba.
+ </p><p>
+ From recent mailing list postings it would seem that some administrators
+ have the intent to just replace the old Samba server with a new one with
+ the same name as the old one. In this case, simply follow the same process
+ as for upgrading a Samba 2.x system and do the following:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Where UNIX (POSIX) user and group accounts are stored in the system
+ <code class="filename">/etc/passwd</code>, <code class="filename">/etc/shadow</code>, and
+ <code class="filename">/etc/group</code> files, be sure to add the same accounts
+ with identical UID and GID values for each user.
+ </p><p>
+ Where LDAP is used, if the new system is intended to be the LDAP server,
+ migrate it across by configuring the LDAP server
+ (<code class="filename">/etc/openldap/slapd.conf</code>). The directory can
+ be populated either initially by setting this LDAP server up as a slave or
+ by dumping the data from the old LDAP server using the <code class="literal">slapcat</code>
+ command and then reloading the same data into the new LDAP server using the
+ <code class="literal">slapadd</code> command. Do not forget to install and configure
+ the <code class="literal">nss_ldap</code> tool and the <code class="filename">/etc/nsswitch.conf</code>
+ (as shown in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>).
+ </p></li><li><p>
+ Copy the <code class="filename">smb.conf</code> file from the old server to the new server into the correct
+ location as indicated previously in this chapter.
+ </p></li><li><p>
+ Copy the <code class="filename">secrets.tdb</code> file, the <code class="filename">smbpasswd</code>
+ file (if it is used), the <code class="filename">/etc/samba/passdb.tdb</code> file (only
+ used by the <code class="constant">tdbsam</code> backend), and all the tdb control files
+ from the old system to the correct location on the new system.
+ </p></li><li><p>
+ Before starting the Samba daemons, verify that the hostname of the new server
+ is identical to that of the old one. Note: The IP address can be different
+ from that of the old server.
+ </p></li><li><p>
+ Copy all files from the old server to the new server, taking precaution to
+ preserve all file ownership and permissions as well as any POSIX ACLs that
+ may have been created on the old server.
+ </p></li></ul></div><p>
+ When replacing a Samba domain controller (PDC or BDC) that uses LDAP, the new server
+ need simply be configured to use the LDAP directory, and for the rest it should just
+ work. The domain SID is obtained from the LDAP directory as part of the first connect
+ to the LDAP directory server.
+ </p><p>
+ All Samba servers, other than one that uses LDAP, depend on the tdb files, and
+ particularly on the <code class="filename">secrets.tdb</code> file. So long as the tdb files are
+ all in place, the <code class="filename">smb.conf</code> file is preserved, and either the hostname is identical
+ or the <em class="parameter"><code>netbios name</code></em> is set to the original server name, Samba
+ should correctly pick up the original SID and preserve all other settings. It is
+ sound advice to validate this before turning the system over to users.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id364040"></a>Migration of Samba Accounts to Active Directory</h3></div></div></div><p>
+ Yes, it works. The Windows ADMT tool can be used to migrate Samba accounts
+ to MS Active Directory. There are a few pitfalls to be aware of:
+ </p><div class="procedure"><a name="id364050"></a><p class="title"><b>Procedure 8.2. Migration to Active Directory</b></p><ol type="1"><li><p>
+ Administrator password must be THE SAME on the Samba server,
+ the 2003 ADS, and the local Administrator account on the workstations.
+ Perhaps this goes without saying, but there needs to be an account
+ called <code class="constant">Administrator</code> in your Samba domain, with
+ full administrative (root) rights to that domain.
+ </p></li><li><p>
+ In the Advanced/DNS section of the TCP/IP settings on your Windows
+ workstations, make sure the <em class="parameter"><code>DNS suffix for this
+ connection</code></em> field is blank.
+ </p></li><li><p>
+ Because you are migrating from Samba, user passwords cannot be
+ migrated. You'll have to reset everyone's passwords. (If you were
+ migrating from NT4 to ADS, you could migrate passwords as well.)
+ </p><p>
+ To date this has not been attempted with roaming profile support;
+ it has been documented as working with local profiles.
+ </p></li><li><p>
+ Disable the Windows Firewall on all workstations. Otherwise,
+ workstations won't be migrated to the new domain.
+ </p></li><li><p>
+ <a class="indexterm" name="id364108"></a>
+ When migrating machines, always test first (using ADMT's test mode)
+ and satisfy all errors before committing the migration. Note that the
+ test will always fail, because the machine will not have been actually
+ migrated. You'll need to interpret the errors to know whether the
+ failure was due to a problem or simply to the fact that it was just
+ a test.
+ </p></li></ol></div><p>
+ <a class="indexterm" name="id364122"></a>
+ There are some significant benefits of using the ADMT, besides just
+ migrating user accounts. ADMT can be found on the Windows 2003 CD.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ You can migrate workstations remotely. You can specify that SIDs
+ be simply added instead of replaced, giving you the option of joining a
+ workstation back to the old domain if something goes awry. The
+ workstations will be joined to the new domain.
+ </p></li><li><p>
+ Not only are user accounts migrated from the old domain to the new
+ domain, but ACLs on the workstations are migrated as well. Like SIDs,
+ ACLs can be added instead of replaced.
+ </p></li><li><p>
+ Locally stored user profiles on workstations are migrated as well,
+ presenting almost no disruption to the user. Saved passwords will be
+ lost, just as when you administratively reset the password in Windows ADS.
+ </p></li><li><p>
+ The ADMT lets you test all operations before actually performing the
+ migration. Accounts and workstations can be migrated individually or in
+ batches. User accounts can be safely migrated all at once (since no
+ changes are made on the original domain). It is recommended to migrate only one
+ or two workstations as a test before committing them all.
+ </p></li></ul></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unixclients.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ntmigration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. Adding Domain Member Servers and Clients </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 9. Migrating NT4 Domain to Samba-3</td></tr></table></div></body></html>
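Review bot: Procedure 8.2 (Migration to Active Directory) instructs that the Administrator password "must be THE SAME on the Samba server, the 2003 ADS, and the local Administrator account on the workstations" and that readers should "Disable the Windows Firewall on all workstations", but it never states that these are temporary, migration-time conditions; please add a final step that re-enables the firewall and rotates the shared Administrator password once ADMT has completed, otherwise the text leaves a domain-wide shared administrative credential and unfiltered workstations in place after the migration. Separately, several cross-references in this file rendered as the literal link text "???" (for example `<a href="upgrades.html#sbeug1" title="Location of config files">???</a>`, `<a href="happy.html#sbehap-ppc" title="Addition of Machines to the Domain">???</a>` and `<a href="unixclients.html" title="Chapter 7. Adding Domain Member Servers and Clients">???</a>`), which indicates the DocBook xref targets did not resolve when this HTML was generated; the documentation should be rebuilt or the link text corrected before shipping. Minor: in the New Schema excerpt, "modify and LDIF file to the new schema" should read "modify an LDIF file", and the example invokes `convertSambaAccount --sid=<Domain SID>` while the following paragraph refers to the same value as `<DOM SID>`; the two placeholders should match.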