Diffstat (limited to 'docs/htmldocs/Samba3-ByExample/2000users.html')
-rw-r--r-- | docs/htmldocs/Samba3-ByExample/2000users.html | 1000 |
1 files changed, 1000 insertions, 0 deletions
diff --git a/docs/htmldocs/Samba3-ByExample/2000users.html b/docs/htmldocs/Samba3-ByExample/2000users.html new file mode 100644 index 0000000000..5ba3718066 --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/2000users.html 
@@ -0,0 +1,1000 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. A Distributed 2000-User Network</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="happy.html" title="Chapter 5. Making Happy Users"><link rel="next" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. A Distributed 2000-User Network</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="2000users"></a>Chapter 6. 
A Distributed 2000-User Network</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="2000users.html#id2583740">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id2583770">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id2583839">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id2584112">Technical Issues</a></span></dt><dt><span class="sect2"><a href="2000users.html#id2585057">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id2585074">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id2588234">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id2588381">Questions and Answers</a></span></dt></dl></div><p> +There is something indeed mystical about things that are +big. Large networks exhibit a certain magnetism and exude a sense of +importance that obscures reality. You and I know that it is no more +difficult to secure a large network than it is a small one. We all +know that over and above a particular number of network clients, the +rules no longer change; the only real dynamic is the size of the domain +(much like a kingdom) over which the network ruler (oops, administrator) +has control. The real dynamic then transforms from the technical to the +political. Then again, that point is often reached well before the +kingdom (or queendom) grows large. +</p><p> +If you have systematically worked your way to this chapter, hopefully you +have found some gems and techniques that are applicable in your +world. The network designs you have worked with in this book have their +strong points as well as weak ones. That is to be expected given that +they are based on real business environments, the specifics of which are +molded to serve the purposes of this book. 
+</p><p> +This chapter is intent on wrapping up issues that are central to +implementation and design of progressively larger networks. Are you ready +for this chapter? Good, it is time to move on. +</p><p> +In previous chapters, you made the assumption that your network +administration staff need detailed instruction right down to the +nuts and bolts of implementing the solution. That is still the case, +but they have graduated now. You decide to document only those issues, +methods, and techniques that are new or complex. Routine tasks such as +implementing a DNS or a DHCP server are under control. Even the basics of +Samba are largely under control. So in this section you focus on the +specifics of implementing LDAP changes, Samba changes, and approach and +design of the solution and its deployment. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2583740"></a>Introduction</h2></div></div></div><p> +Abmas is a miracle company. Most businesses would have collapsed under +the weight of rapid expansion that this company has experienced. Samba +is flexible, so there is no need to reinstall the whole operating +system just because you need to implement a new network design. In fact, +you can keep an old server running right up to the moment of cutover +and then do a near-live conversion. There is no need to reinstall a +Samba server just to change the way your network should function. +</p><p> +<a class="indexterm" name="id2583759"></a> +Network growth is common to all organizations. In this exercise, +your preoccupation is with the mechanics of implementing Samba and +LDAP so that network users on each network segment can work +without impediment. 
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583770"></a>Assignment Tasks</h3></div></div></div><p> + Starting with the configuration files for the server called + <code class="constant">MASSIVE</code> in <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a>, you now deal with the + issues that are particular to large distributed networks. Your task + is simple identify the challenges, consider the + alternatives, and then design and implement a solution. + </p><p> + <a class="indexterm" name="id2583798"></a> + Remember, you have users based in London (UK), Los Angeles, + Washington. DC, and, three buildings in New York. A significant portion + of your workforce have notebook computers and roam all over the + world. Some dial into the office, others use VPN connections over the + Internet, and others just move between buildings.i + </p><p> + What do you say to an employee who normally uses a desktop + system but must spend six weeks on the road with a notebook computer? + She is concerned about email access and how to keep coworkers current + with changing documents. + </p><p> + To top it all off, you have one network support person and one + help desk person based in London, a single person dedicated to all + network operations in Los Angeles, five staff for user administration + and help desk in New York, plus one <span class="emphasis"><em>floater</em></span> for + Washington. + </p><p> + You have outsourced all desktop deployment and management to + DirectPointe. Your concern is server maintenance and third-level + support. Build a plan and show what must be done. 
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2583839"></a>Dissection and Discussion</h2></div></div></div><p> +<a class="indexterm" name="id2583847"></a> +<a class="indexterm" name="id2583854"></a> +In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a>, you implemented an LDAP server that provided the +<em class="parameter"><code>passdb backend</code></em> for the Samba servers. You +explored ways to accelerate Windows desktop profile handling and you +took control of network performance. +</p><p> +<a class="indexterm" name="id2583878"></a> +<a class="indexterm" name="id2583885"></a> +<a class="indexterm" name="id2583892"></a> +<a class="indexterm" name="id2583899"></a> +The implementation of an LDAP-based passdb backend (known as +<span class="emphasis"><em>ldapsam</em></span> in Samba parlance), or some form of database +that can be distributed, is essential to permit the deployment of Samba +Primary and Backup Domain Controllers (PDC/BDCs). You see, the problem +is that the <span class="emphasis"><em>tdbsam</em></span>-style passdb backend does not +lend itself to being replicated. The older plain-text-based +<span class="emphasis"><em>smbpasswd</em></span>-style passdb backend can be replicated +using a tool such as <code class="literal">rsync</code>, but +<span class="emphasis"><em>smbpasswd</em></span> suffers the drawback that it does not +support the range of account facilities demanded by modern network +managers. +</p><p> +<a class="indexterm" name="id2583938"></a> +<a class="indexterm" name="id2583945"></a> +The new <span class="emphasis"><em>tdbsam</em></span> facility supports functionality +that is similar to an <span class="emphasis"><em>ldapsam</em></span>, but the lack of +distributed infrastructure sorely limits the scope for its +deployment. 
This raises the following questions: Why can't I just use +an XML-based backend, or for that matter, why not use an SQL-based +backend? Is support for these tools broken? Answers to these +questions require a bit of background.</p><p> +<a class="indexterm" name="id2583969"></a> +<a class="indexterm" name="id2583976"></a> +<a class="indexterm" name="id2583982"></a> +<a class="indexterm" name="id2583990"></a> +<span class="emphasis"><em>What is a directory?</em></span> A directory is a +collection of information regarding objects that can be accessed to +rapidly find information that is relevant in a particular and +consistent manner. A directory differs from a database in that it is +generally more often searched (read) than updated. As a consequence, the +information is organized to facilitate read access rather than to +support transaction processing.</p><p> +<a class="indexterm" name="id2584010"></a> +<a class="indexterm" name="id2584020"></a> +<a class="indexterm" name="id2584026"></a> +<a class="indexterm" name="id2584033"></a> +The Lightweight Directory Access Protocol (LDAP) differs +considerably from a traditional database. It has a simple search +facility that uniquely makes a highly preferred mechanism for managing +user identities. LDAP provides a scalable mechanism for distributing +the data repository and for keeping all copies (slaves) in sync with +the master repository.</p><p> +<a class="indexterm" name="id2584049"></a> +<a class="indexterm" name="id2584056"></a> +<a class="indexterm" name="id2584063"></a> +Samba is a flexible and powerful file and print sharing +technology. It can use many external authentication sources and can be +part of a total authentication and identity management +infrastructure. The two most important external sources for large sites +are Microsoft Active Directory and LDAP. 
Sites that specifically wish to +avoid the proprietary implications of Microsoft Active Directory +naturally gravitate toward OpenLDAP.</p><p> +<a class="indexterm" name="id2584080"></a> +In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a>, you had to deal with a locally routed +network. All deployment concerns focused around making users happy, +and that simply means taking control over all network practices and +usage so that no one user is disadvantaged by any other. The real +lesson is one of understanding that no matter how much network +bandwidth you provide, bandwidth remains a precious resource.</p><p>In this chapter, you must now consider how the overall network must +function. In particular, you must be concerned with users who move +between offices. You must take into account the way users need to +access information globally. And you must make the network robust +enough so that it can sustain partial breakdown without causing loss of +productivity.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2584112"></a>Technical Issues</h3></div></div></div><p> + There are at least three areas that need to be addressed as you + approach the challenge of designing a network solution for the newly + expanded business: + </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2584128"></a> + User needs such as mobility and data access</p></li><li><p>The nature of Windows networking protocols</p></li><li><p>Identity management infrastructure needs</p></li></ul></div><p>Let's look at each in turn.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2584151"></a>User Needs</h4></div></div></div><p> + The new company has three divisions. Staff for each division are spread across + the company. Some staff are office-bound and some are mobile users. Mobile + users travel globally. 
Some spend considerable periods working in other offices. + Everyone wants to be able to work without constraint of productivity. + </p><p> + The challenge is not insignificant. In some parts of the world, even dial-up + connectivity is poor, while in other regions political encumbrances severely + curtail user needs. Parts of the global Internet infrastructure remain shielded + off for reasons outside the scope of this discussion. + </p><p> + <a class="indexterm" name="id2584176"></a> + Decisions must be made regarding where data is to be stored, how it will be + replicated (if at all), and what the network bandwidth implications are. For + example, one decision that can be made is to give each office its own master + file storage area that can be synchronized to a central repository in New + York. This would permit global data to be backed up from a single location. + The synchronization tool could be <code class="literal">rsync,</code> run via a cron + job. Mobile users may use off-line file storage under Windows XP Professional. + This way, they can synchronize all files that have changed since each logon + to the network. + </p><p> + <a class="indexterm" name="id2584203"></a> + <a class="indexterm" name="id2584212"></a> + No matter which way you look at this, the bandwidth requirements + for acceptable performance are substantial even if only 10 percent of + staff are global data users. A company with 3,500 employees, + 280 of whom are mobile users who use a similarly distributed + network, found they needed at least 2 Mb/sec connectivity + between the UK and US offices. Even over 2 Mb/sec bandwidth, this + company abandoned any attempt to run roaming profile usage for + mobile users. At that time, the average roaming profile took 480 + KB, while today the minimum Windows XP Professional roaming + profile involves a transfer of over 750 KB from the profile + server to and from the client. 
+ </p><p> + <a class="indexterm" name="id2584233"></a> + Obviously then, user needs and wide-area practicalities dictate the economic and + technical aspects of your network design as well as for standard operating procedures. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2584245"></a>The Nature of Windows Networking Protocols</h4></div></div></div><p> + <a class="indexterm" name="id2584254"></a> + Network logons that include roaming profile handling requires from 140 KB to 2 MB. + The inclusion of support for a minimal set of common desktop applications can push + the size of a complete profile to over 15 MB. This has substantial implications + for location of user profiles. Additionally, it is a significant factor in + determining the nature and style of mandatory profiles that may be enforced as + part of a total service-level assurance program that might be implemented. + </p><p> + <a class="indexterm" name="id2584274"></a> + <a class="indexterm" name="id2584281"></a> + One way to reduce the network bandwidth impact of user logon + traffic is through folder redirection. In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a>, you + implemented this in the new Windows XP Professional standard + desktop configuration. When desktop folders such as <span class="guimenu">My + Documents</span> are redirected to a network drive, they should + also be excluded from synchronization to and from the server on + logon or logout. Redirected folders are analogous to network drive + connections. + </p><p><a class="indexterm" name="id2584309"></a> + Of course, network applications should only be run off + local application servers. As a general rule, even with 2 Mb/sec + network bandwidth, it would not make sense at all for someone who + is working out of the London office to run applications off a + server that is located in New York. 
+ </p><p> + <a class="indexterm" name="id2584324"></a> + When network bandwidth becomes a precious commodity (that is most + of the time), there is a significant demand to understand network + processes and to mold the limits of acceptability around the + constraints of affordability. + </p><p> + When a Windows NT4/200x/XP Professional client user logs onto + the network, several important things must happen. + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id2584347"></a> + The client obtains an IP address via DHCP. (DHCP is + necessary so that users can roam between offices.) + </p></li><li><p> + <a class="indexterm" name="id2584360"></a> + <a class="indexterm" name="id2584366"></a> + The client must register itself with the WINS and/or DNS server. + </p></li><li><p> + <a class="indexterm" name="id2584379"></a> + The client must locate the closest domain controller. + </p></li><li><p> + The client must log onto a domain controller and obtain as part of + that process the location of the user's profile, load it, connect to + redirected folders, and establish all network drive and printer connections. + </p></li><li><p> + The domain controller must be able to resolve the user's + credentials before the logon process is fully implemented. + </p></li></ul></div><p> + Given that this book is about Samba and that it implements the Windows + NT4-style domain semantics, it makes little sense to compare Samba with + Microsoft Active Directory insofar as the logon protocols and principles + of operation are concerned. The following information pertains exclusively + to the interaction between a Windows XP Professional workstation and a + Samba-3.0.20 server. In the discussion that follows, use is made of DHCP and WINS. + </p><p> + As soon as the Windows workstation starts up, it obtains an + IP address. 
This is immediately followed by registration of its + name both by broadcast and Unicast registration that is directed + at the WINS server. + </p><p> + <a class="indexterm" name="id2584426"></a> + <a class="indexterm" name="id2584432"></a><a class="indexterm" name="id2584442"></a> + Given that the client is already a domain member, it then sends + a directed (Unicast) request to the WINS server seeking the list of + IP addresses for domain controllers (NetBIOS name type 0x1C). The + WINS server replies with the information requested.</p><p> + <a class="indexterm" name="id2584456"></a> + <a class="indexterm" name="id2584465"></a> + <a class="indexterm" name="id2584472"></a> + The client sends two netlogon mailslot broadcast requests + to the local network and to each of the IP addresses returned by + the WINS server. Whichever answers this request first appears to + be the machine that the Windows XP client attempts to use to + process the network logon. The mailslot messages use UDP broadcast + to the local network and UDP Unicast directed at each machine that + was listed in the WINS server response to a request for the list of + domain controllers. + </p><p> + <a class="indexterm" name="id2584498"></a> + <a class="indexterm" name="id2584507"></a> + <a class="indexterm" name="id2584514"></a> + The logon process begins with negotiation of the SMB/CIFS + protocols that are to be used; this is followed by an exchange of + information that ultimately includes the client sending the + credentials with which the user is attempting to logon. The logon + server must now approve the further establishment of the + connection, but that is a good point to halt for now. The priority + here must center around identification of network infrastructure + needs. A secondary fact we need to know is, what happens when + local domain controllers fail or break? 
+ </p><p> + <a class="indexterm" name="id2584534"></a> + <a class="indexterm" name="id2584541"></a> + <a class="indexterm" name="id2584547"></a> + <a class="indexterm" name="id2584554"></a> + Under most circumstances, the nearest domain controller + responds to the netlogon mailslot broadcast. The exception to this + norm occurs when the nearest domain controller is too busy or is out + of service. Herein lies an important fact. This means it is + important that every network segment should have at least two + domain controllers. Since there can be only one PDC, all additional + domain controllers are by definition BDCs. + </p><p> + <a class="indexterm" name="id2584571"></a> + <a class="indexterm" name="id2584578"></a> + The provision of sufficient servers that are BDCs is an + important design factor. The second important design factor + involves how each of the BDCs obtains user authentication + data. That is the subject of the next section, which involves key + decisions regarding Identity Management facilities. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2584592"></a>Identity Management Needs</h4></div></div></div><p> + <a class="indexterm" name="id2584600"></a> + <a class="indexterm" name="id2584607"></a> + <a class="indexterm" name="id2584614"></a> + <a class="indexterm" name="id2584621"></a> + Network managers recognize that in large organizations users + generally need to be given resource access based on needs, while + being excluded from other resources for reasons of privacy. It is + therefore essential that all users identify themselves at the + point of network access. The network logon is the principal means + by which user credentials are validated and filtered and appropriate + rights and privileges are allocated. 
+ </p><p> + <a class="indexterm" name="id2584638"></a> + <a class="indexterm" name="id2584645"></a> + <a class="indexterm" name="id2584652"></a> + Unfortunately, network resources tend to have their own Identity + Management facilities, the quality and manageability of which varies + from quite poor to exceptionally good. Corporations that use a mixture + of systems soon discover that until recently, few systems were + designed to interoperate. For example, UNIX systems each have an + independent user database. Sun Microsystems developed a facility that + was originally called <code class="constant">Yellow Pages</code>, and was renamed + when a telephone company objected to the use of its trademark. + What was once called <code class="constant">Yellow Pages</code> is today known + as <code class="constant">Network Information System</code> (NIS). + </p><p> + <a class="indexterm" name="id2584683"></a> + NIS gained a strong following throughout the UNIX/VMS space in a short + period of time and retained that appeal and use for over a decade. + Security concerns and inherent limitations have caused it to enter its + twilight. NIS did not gain widespread appeal outside of the UNIX world + and was not universally adopted. Sun updated this to a more secure + implementation called NIS+, but even it has fallen victim to changing + demands as the demand for directory services that can be coupled with + other information systems is catching on. + </p><p> + <a class="indexterm" name="id2584702"></a> + <a class="indexterm" name="id2584708"></a> + <a class="indexterm" name="id2584715"></a> + Nevertheless, both NIS and NIS+ continue to hold ground in + business areas where UNIX still has major sway. Examples of + organizations that remain firmly attached to the use of NIS and + NIS+ include large government departments, education institutions, + and large corporations that have a scientific or engineering + focus. 
+ </p><p> + <a class="indexterm" name="id2584731"></a> + <a class="indexterm" name="id2584737"></a> + Today's networking world needs a scalable, distributed Identity + Management infrastructure, commonly called a directory. The most + popular technologies today are Microsoft Active Directory service + and a number of LDAP implementations. + </p><p> + <a class="indexterm" name="id2584752"></a> + The problem of managing multiple directories has become a focal + point over the past decade, creating a large market for + metadirectory products and services that allow organizations that + have multiple directories and multiple management and control + centers to provision information from one directory into + another. The attendant benefit to end users is the promise of + having to remember and deal with fewer login identities and + passwords.</p><p> + <a class="indexterm" name="id2584769"></a> + The challenge of every large network is to find the optimum + balance of internal systems and facilities for Identity + Management resources. How well the solution is chosen and + implemented has potentially significant impact on network bandwidth + and systems response needs.</p><p> + <a class="indexterm" name="id2584786"></a> + <a class="indexterm" name="id2584793"></a> + <a class="indexterm" name="id2584802"></a> + In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a>, you implemented a single LDAP server for the + entire network. This may work for smaller networks, but almost + certainly fails to meet the needs of large and complex networks. 
The + following section documents how you may implement a single + master LDAP server with multiple slave servers.</p><p> + What is the best method for implementing master/slave LDAP + servers within the context of a distributed 2,000-user network is a + question that remains to be answered.</p><p> + <a class="indexterm" name="id2584832"></a> + <a class="indexterm" name="id2584838"></a> + One possibility that has great appeal is to create a single, + large distributed domain. The practical implications of this + design (see <a class="link" href="2000users.html#chap7net" title="Figure 6.6. Network Topology 2000 User Complex Design A">“Network Topology 2000 User Complex Design A”</a>) demands the placement of + sufficient BDCs in each location. Additionally, network + administrators must make sure that profiles are not transferred + over the wide-area links, except as a totally unavoidable + measure. Network design must balance the risk of loss of user + productivity against the cost of network management and + maintenance. + </p><p> + <a class="indexterm" name="id2584863"></a> + The network design in <a class="link" href="2000users.html#chap7net2" title="Figure 6.7. Network Topology 2000 User Complex Design B">“Network Topology 2000 User Complex Design B”</a> takes the approach + that management of networks that are too remote to be managed + effectively from New York ought to be given a certain degree of + autonomy. With this rationale, the Los Angeles and London networks, + though fully integrated with those on the East Coast, each have their + own domain name space and can be independently managed and controlled. + One of the key drawbacks of this design is that it flies in the face of + the ability for network users to roam globally without some compromise + in how they may access global resources. 
+ </p><p> + <a class="indexterm" name="id2584890"></a> + Desk-bound users need not be negatively affected by this design, since + the use of interdomain trusts can be used to satisfy the need for global + data sharing. + </p><p> + <a class="indexterm" name="id2584902"></a> + <a class="indexterm" name="id2584909"></a> + <a class="indexterm" name="id2584918"></a> + When Samba-3 is configured to use an LDAP backend, it stores the domain + account information in a directory entry. This account entry contains the + domain SID. An unintended but exploitable side effect is that this makes it + possible to operate with more than one PDC on a distributed network. + </p><p> + <a class="indexterm" name="id2584933"></a> + <a class="indexterm" name="id2584940"></a> + <a class="indexterm" name="id2584947"></a> + How might this peculiar feature be exploited? The answer is simple. It is + imperative that each network segment have its own WINS server. Major + servers on remote network segments can be given a static WINS entry in + the <code class="filename">wins.dat</code> file on each WINS server. This allows + all essential data to be visible from all locations. Each location would, + however, function as if it is an independent domain, while all sharing the + same domain SID. Since all domain account information can be stored in a + single LDAP backend, users have unfettered ability to roam. + </p><p> + <a class="indexterm" name="id2584972"></a> + <a class="indexterm" name="id2584981"></a> + This concept has not been exhaustively validated, though we can see no reason + why this should not work. The important facets are the following: The name of + the domain must be identical in all locations. Each network segment must have + its own WINS server. The name of the PDC must be the same in all locations; this + necessitates the use of NetBIOS name aliases for each PDC so that they can be + accessed globally using the alias and not the PDC's primary name. 
A single master + LDAP server can be based in New York, with multiple LDAP slave servers located + on every network segment. Finally, the BDCs should each use failover LDAP servers + that are in fact slave LDAP servers on the local segments. + </p><p> + <a class="indexterm" name="id2585003"></a> + <a class="indexterm" name="id2585012"></a> + <a class="indexterm" name="id2585019"></a> + <a class="indexterm" name="id2585028"></a> + With a single master LDAP server, all network updates are effected on a single + server. In the event that this should become excessively fragile or network + bandwidth limiting, one could implement a delegated LDAP domain. This is also + known as a partitioned (or multiple partition) LDAP database and as a distributed + LDAP directory. + </p><p> + As the LDAP directory grows, it becomes increasingly important + that its structure is implemented in a manner that mirrors + organizational needs, so as to limit network update and + referential traffic. It should be noted that all directory + administrators must of necessity follow the same standard + procedures for managing the directory, because retroactive correction of + inconsistent directory information can be exceedingly difficult. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2585057"></a>Political Issues</h3></div></div></div><p> + As organizations grow, the number of points of control increases + also. In a large distributed organization, it is important that the + Identity Management system be capable of being updated from + many locations, and it is equally important that changes made should + become usable in a reasonable period, typically + minutes rather than days (the old limitation of highly manual + systems). 
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2585074"></a>Implementation</h2></div></div></div><p> + <a class="indexterm" name="id2585082"></a> + <a class="indexterm" name="id2585089"></a> + <a class="indexterm" name="id2585096"></a> + <a class="indexterm" name="id2585102"></a> + Samba-3 has the ability to use multiple password (authentication and + identity resolution) backends. The diagram in <a class="link" href="2000users.html#chap7idres" title="Figure 6.1. Samba and Authentication Backend Search Pathways">“Samba and Authentication Backend Search Pathways”</a> + demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system + password database. The diagram only documents the mechanisms for + authentication and identity resolution (obtaining a UNIX UID/GID) + using the specific systems shown. + </p><div class="figure"><a name="chap7idres"></a><p class="title"><b>Figure 6.1. Samba and Authentication Backend Search Pathways</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-idresol.png" width="297" alt="Samba and Authentication Backend Search Pathways"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id2585167"></a> + <a class="indexterm" name="id2585174"></a> + <a class="indexterm" name="id2585181"></a> + <a class="indexterm" name="id2585188"></a> + <a class="indexterm" name="id2585194"></a> + <a class="indexterm" name="id2585201"></a> + <a class="indexterm" name="id2585208"></a> + Samba is capable of using the <code class="constant">smbpasswd</code>, + <code class="constant">tdbsam</code>, <code class="constant">xmlsam</code>, + and <code class="constant">mysqlsam</code> authentication databases. The SMB + passwords can, of course, also be stored in an LDAP ldapsam + backend. LDAP is the preferred passdb backend for distributed network + operations. 
+ </p><p> + <a class="indexterm" name="id2585236"></a> + Additionally, it is possible to use multiple passdb backends + concurrently as well as have multiple LDAP backends. As a result, you + can specify a failover LDAP backend. The syntax for specifying a + single LDAP backend in <code class="filename">smb.conf</code> is: +</p><pre class="screen"> +... +passdb backend = ldapsam:ldap://master.abmas.biz +... +</pre><p> + This configuration tells Samba to use a single LDAP server, as shown in <a class="link" href="2000users.html#ch7singleLDAP" title="Figure 6.2. Samba Configuration to Use a Single LDAP Server">“Samba Configuration to Use a Single LDAP Server”</a>. + </p><div class="figure"><a name="ch7singleLDAP"></a><p class="title"><b>Figure 6.2. Samba Configuration to Use a Single LDAP Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-singleLDAP.png" width="351" alt="Samba Configuration to Use a Single LDAP Server"></div></div></div><p><br class="figure-break"> + <a class="indexterm" name="id2585309"></a> + <a class="indexterm" name="id2585318"></a> + The addition of a failover LDAP server can simply be done by adding a + second entry for the failover server to the single <em class="parameter"><code>ldapsam</code></em> + entry, as shown here (note the particular use of the double quotes): +</p><pre class="screen"> +... +passdb backend = ldapsam:"ldap://master.abmas.biz \ + ldap://slave.abmas.biz" +... +</pre><p> + This configuration tells Samba to use a master LDAP server, with failover to a slave server if necessary, + as shown in <a class="link" href="2000users.html#ch7dualLDAP" title="Figure 6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server">“Samba Configuration to Use a Dual (Fail-over) LDAP Server”</a>. + </p><div class="figure"><a name="ch7dualLDAP"></a><p class="title"><b>Figure 6.3. 
Samba Configuration to Use a Dual (Fail-over) LDAP Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-fail-overLDAP.png" width="351" alt="Samba Configuration to Use a Dual (Fail-over) LDAP Server"></div></div></div><p><br class="figure-break"> + </p><p> + Some folks have tried to implement this without the use of double quotes. This is the type of entry they + created: +</p><pre class="screen"> +... +passdb backend = ldapsam:ldap://master.abmas.biz \ + ldapsam:ldap://slave.abmas.biz +... +</pre><p> + <a class="indexterm" name="id2585405"></a> + The effect of this style of entry is that Samba lists the users + that are in both LDAP databases. If both contain the same information, + it results in each record being shown twice. This is, of course, not the + solution desired for a failover implementation. The net effect of this + configuration is shown in <a class="link" href="2000users.html#ch7dualadd" title="Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!">“Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!”</a> + </p><div class="figure"><a name="ch7dualadd"></a><p class="title"><b>Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP.png" width="297" alt="Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!"></div></div></div><br class="figure-break"><p> + If, however, each LDAP database contains unique information, this may + well be an advantageous way to effectively integrate multiple LDAP databases + into one seemingly contiguous directory. Only the first database will be updated. + An example of this configuration is shown in <a class="link" href="2000users.html#ch7dualok" title="Figure 6.5. 
Samba Configuration to Use Two LDAP Databases - The result is additive.">“Samba Configuration to Use Two LDAP Databases - The result is additive.”</a>. + </p><div class="figure"><a name="ch7dualok"></a><p class="title"><b>Figure 6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP-Ok.png" width="297" alt="Samba Configuration to Use Two LDAP Databases - The result is additive."></div></div></div><br class="figure-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + When the use of ldapsam is specified twice, as shown here, it is imperative + that the two LDAP directories must be disjoint. If the entries are for a + master LDAP server as well as its own slave server, updates to the LDAP + database may end up being lost or corrupted. You may safely use multiple + LDAP backends only if both are entirely separate from each other. + </p></div><p> + It is assumed that the network you are working with follows in a + pattern similar to what was covered in <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a>. The following steps + permit the operation of a master/slave OpenLDAP arrangement. + </p><div class="procedure"><a name="id2585547"></a><p class="title"><b>Procedure 6.1. Implementation Steps for an LDAP Slave Server</b></p><ol type="1"><li><p> + <a class="indexterm" name="id2585559"></a> + <a class="indexterm" name="id2585566"></a> + Log onto the master LDAP server as <code class="constant">root</code>. + You are about to change the configuration of the LDAP server, so it + makes sense to temporarily halt it. 
Stop OpenLDAP from running on + SUSE Linux by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap stop +</pre><p> + On Red Hat Linux, you can do this by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> service ldap stop +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id2585611"></a> + Edit the <code class="filename">/etc/openldap/slapd.conf</code> file so it + matches the content of <a class="link" href="2000users.html#ch7-LDAP-master" title="Example 6.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf">“LDAP Master Server Configuration File /etc/openldap/slapd.conf”</a>. + </p></li><li><p> + Create a file called <code class="filename">admin-accts.ldif</code> with the following contents: +</p><pre class="screen"> +dn: cn=updateuser,dc=abmas,dc=biz +objectClass: person +cn: updateuser +sn: updateuser +userPassword: not24get + +dn: cn=sambaadmin,dc=abmas,dc=biz +objectClass: person +cn: sambaadmin +sn: sambaadmin +userPassword: buttercup +</pre><p> + </p></li><li><p> + Add an account called “<span class="quote">updateuser</span>” to the master LDAP server as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> slapadd -v -l admin-accts.ldif +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id2585684"></a> + <a class="indexterm" name="id2585691"></a> + Change directory to a suitable place to dump the contents of the + LDAP server. The dump file (and LDIF file) is used to preload + the slave LDAP server database. You can dump the database by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat -v -l LDAP-transfer-LDIF.txt +</pre><p> + Each record is written to the file. + </p></li><li><p> + <a class="indexterm" name="id2585723"></a> + Copy the file <code class="filename">LDAP-transfer-LDIF.txt</code> to the intended + slave LDAP server. A good location could be in the directory + <code class="filename">/etc/openldap/preload</code>. 
+ </p></li><li><p> + Log onto the slave LDAP server as <code class="constant">root</code>. You can + now configure this server so the <code class="filename">/etc/openldap/slapd.conf</code> + file matches the content of <a class="link" href="2000users.html#ch7-LDAP-slave" title="Example 6.2. LDAP Slave Configuration File /etc/openldap/slapd.conf">“LDAP Slave Configuration File /etc/openldap/slapd.conf”</a>. + </p></li><li><p> + Change directory to the location in which you stored the + <code class="filename">LDAP-transfer-LDIF.txt</code> file (<code class="filename">/etc/openldap/preload</code>). + While in this directory, execute: +</p><pre class="screen"> +<code class="prompt">root# </code> slapadd -v -l LDAP-transfer-LDIF.txt +</pre><p> + If all goes well, the following output confirms that the data is being loaded + as intended: +</p><pre class="screen"> +added: "dc=abmas,dc=biz" (00000001) +added: "cn=sambaadmin,dc=abmas,dc=biz" (00000002) +added: "cn=updateuser,dc=abmas,dc=biz" (00000003) +added: "ou=People,dc=abmas,dc=biz" (00000004) +added: "ou=Groups,dc=abmas,dc=biz" (00000005) +added: "ou=Computers,dc=abmas,dc=biz" (00000006) +added: "uid=Administrator,ou=People,dc=abmas,dc=biz" (00000007) +added: "uid=nobody,ou=People,dc=abmas,dc=biz" (00000008) +added: "cn=Domain Admins,ou=Groups,dc=abmas,dc=biz" (00000009) +added: "cn=Domain Users,ou=Groups,dc=abmas,dc=biz" (0000000a) +added: "cn=Domain Guests,ou=Groups,dc=abmas,dc=biz" (0000000b) +added: "uid=bobj,ou=People,dc=abmas,dc=biz" (0000000c) +added: "sambaDomainName=MEGANET2,dc=abmas,dc=biz" (0000000d) +added: "uid=stans,ou=People,dc=abmas,dc=biz" (0000000e) +added: "uid=chrisr,ou=People,dc=abmas,dc=biz" (0000000f) +added: "uid=maryv,ou=People,dc=abmas,dc=biz" (00000010) +added: "cn=Accounts,ou=Groups,dc=abmas,dc=biz" (00000011) +added: "cn=Finances,ou=Groups,dc=abmas,dc=biz" (00000012) +added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013) +</pre><p> + </p></li><li><p> + Now start the LDAP server and set it 
to run automatically on system reboot by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap start +<code class="prompt">root# </code> chkconfig ldap on +</pre><p> + On Red Hat Linux, execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> service ldap start +<code class="prompt">root# </code> chkconfig ldap on +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id2585896"></a> + <a class="indexterm" name="id2585903"></a> + <a class="indexterm" name="id2585910"></a> + Go back to the master LDAP server. Execute the following to start LDAP as well + as <code class="literal">slurpd</code>, the synchronization daemon, as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap start +<code class="prompt">root# </code> chkconfig ldap on +<code class="prompt">root# </code> rcslurpd start +<code class="prompt">root# </code> chkconfig slurpd on +</pre><p> + <a class="indexterm" name="id2585955"></a> + On Red Hat Linux, check the equivalent command to start <code class="literal">slurpd</code>. + </p></li><li><p> + <a class="indexterm" name="id2585976"></a> + On the master LDAP server you may now add an account to validate that replication + is working. Assuming the configuration shown in <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a>, execute: +</p><pre class="screen"> +<code class="prompt">root# </code> /var/lib/samba/sbin/smbldap-useradd -a fruitloop +</pre><p> + </p></li><li><p> + On the slave LDAP server, change to the directory <code class="filename">/var/lib/ldap</code>. + There should now be a file called <code class="filename">replogfile</code>. 
If replication worked + as expected, the content of this file should be: +</p><pre class="screen"> +time: 1072486403 +dn: uid=fruitloop,ou=People,dc=abmas,dc=biz +changetype: modify +replace: sambaProfilePath +sambaProfilePath: \\MASSIVE\profiles\fruitloop +- +replace: sambaHomePath +sambaHomePath: \\MASSIVE\homes +- +replace: entryCSN +entryCSN: 2003122700:43:38Z#0x0005#0#0000 +- +replace: modifiersName +modifiersName: cn=Manager,dc=abmas,dc=biz +- +replace: modifyTimestamp +modifyTimestamp: 20031227004338Z +- +</pre><p> + </p></li><li><p> + Given that this first slave LDAP server is now working correctly, you may now + implement additional slave LDAP servers as required. + </p></li><li><p> + On each machine (PDC and BDCs) after the respective <code class="filename">smb.conf</code> files have been created as shown in + <a class="link" href="2000users.html#ch7-massmbconfA" title="Example 6.3. Primary Domain Controller smb.conf File Part A">Primary Domain Controller <code class="filename">smb.conf</code> File Part A + B + C</a> and + on BDCs the <a class="link" href="2000users.html#ch7-slvsmbocnfA" title="Example 6.6. Backup Domain Controller smb.conf File Part A">Backup Domain Controller <code class="filename">smb.conf</code> File Part A + + B + C</a> execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w buttercup +</pre><p> + This will install in the <code class="filename">secrets.tdb</code> file the password that Samba will need to + manage (write to) the LDAP Master server to perform account updates. + </p></li></ol></div><div class="example"><a name="ch7-LDAP-master"></a><p class="title"><b>Example 6.1. 
LDAP Master Server Configuration File <code class="filename">/etc/openldap/slapd.conf</code></b></p><div class="example-contents"><pre class="screen"> +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba.schema + +pidfile /var/run/slapd/slapd.pid +argsfile /var/run/slapd/slapd.args + +database bdb +suffix "dc=abmas,dc=biz" +rootdn "cn=Manager,dc=abmas,dc=biz" + +# rootpw = not24get +rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV + +replica host=lapdc.abmas.biz:389 + suffix="dc=abmas,dc=biz" + binddn="cn=updateuser,dc=abmas,dc=biz" + bindmethod=simple credentials=not24get + +access to attrs=sambaLMPassword,sambaNTPassword + by dn="cn=sambaadmin,dc=abmas,dc=biz" write + by * none + +replogfile /var/lib/ldap/replogfile + +directory /var/lib/ldap + +# Indices to maintain +index objectClass eq +index cn pres,sub,eq +index sn pres,sub,eq +index uid pres,sub,eq +index displayName pres,sub,eq +index uidNumber eq +index gidNumber eq +index memberUID eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +</pre></div></div><br class="example-break"><div class="example"><a name="ch7-LDAP-slave"></a><p class="title"><b>Example 6.2. 
LDAP Slave Configuration File <code class="filename">/etc/openldap/slapd.conf</code></b></p><div class="example-contents"><pre class="screen"> +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba.schema + +pidfile /var/run/slapd/slapd.pid +argsfile /var/run/slapd/slapd.args + +database bdb +suffix "dc=abmas,dc=biz" +rootdn "cn=Manager,dc=abmas,dc=biz" + +# rootpw = not24get +rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV + +access to * + by dn=cn=updateuser,dc=abmas,dc=biz write + by * read + +updatedn cn=updateuser,dc=abmas,dc=biz +updateref ldap://massive.abmas.biz + +directory /var/lib/ldap + +# Indices to maintain +index objectClass eq +index cn pres,sub,eq +index sn pres,sub,eq +index uid pres,sub,eq +index displayName pres,sub,eq +index uidNumber eq +index gidNumber eq +index memberUID eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +</pre></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfA"></a><p class="title"><b>Example 6.3. 
Primary Domain Controller <code class="filename">smb.conf</code> File Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2586239"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2586251"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2586263"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586275"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2586287"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2586299"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2586310"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2586322"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2586334"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2586346"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2586358"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586369"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2586381"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586394"></a><em 
class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586406"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2586418"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2586431"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586444"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586457"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586470"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586482"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id2586495"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id2586507"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2586519"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2586531"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2586542"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586554"></a><em class="parameter"><code>domain master = 
Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586566"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586578"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586589"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2586601"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2586613"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2586625"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2586637"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586650"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586662"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2586674"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2586685"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2586697"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfB"></a><p class="title"><b>Example 6.4. 
Primary Domain Controller <code class="filename">smb.conf</code> File Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[IPC$]</code></em></td></tr><tr><td><a class="indexterm" name="id2586743"></a><em class="parameter"><code>path = /tmp</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2586763"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586775"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2586787"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2586807"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586819"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2586831"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2586851"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586863"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2586875"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2586895"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2586907"></a><em 
class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2586918"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586930"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2586951"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2586962"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2586974"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586986"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586997"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfC"></a><p class="title"><b>Example 6.5. 
Primary Domain Controller <code class="filename">smb.conf</code> File Part C</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2587043"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2587055"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2587066"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id2587078"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2587098"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2587110"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2587122"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2587134"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2587146"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2587166"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2587178"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2587190"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2587201"></a><em class="parameter"><code>profile acls = 
Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2587222"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2587234"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2587246"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2587257"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2587278"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2587290"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2587302"></a><em class="parameter"><code>write list = root</code></em></td></tr><tr><td><a class="indexterm" name="id2587313"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-slvsmbocnfA"></a><p class="title"><b>Example 6.6. 
Backup Domain Controller <code class="filename">smb.conf</code> File Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># # Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2587363"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2587374"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2587386"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id2587398"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2587410"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2587422"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2587434"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2587445"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2587457"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2587469"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2587480"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2587492"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2587504"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2587516"></a><em class="parameter"><code>logon script = 
scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2587528"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2587540"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2587552"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2587564"></a><em class="parameter"><code>os level = 63</code></em></td></tr><tr><td><a class="indexterm" name="id2587575"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2587587"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2587599"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2587610"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2587622"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2587634"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2587646"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2587658"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2587671"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2587682"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2587694"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2587706"></a><em 
class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2587718"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2587738"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2587750"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2587762"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2587782"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2587794"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2587806"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-slvsmbocnfB"></a><p class="title"><b>Example 6.7. 
Backup Domain Controller <code class="filename">smb.conf</code> File Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2587852"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2587864"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2587875"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2587895"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2587907"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2587919"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2587930"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2587951"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2587963"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2587974"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2587986"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2587998"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2588018"></a><em 
class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2588030"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2588041"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id2588053"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2588074"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2588086"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2588097"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2588109"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2588130"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2588141"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2588153"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2588165"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2588185"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2588197"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2588209"></a><em class="parameter"><code>read only = 
No</code></em></td></tr><tr><td><a class="indexterm" name="id2588221"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2588234"></a>Key Points Learned</h3></div></div></div><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id2588245"></a><a class="indexterm" name="id2588250"></a> + Where Samba-3 is used as a domain controller, the use of LDAP is an + essential component to permit the use of BDCs. + </p></li><li><p> + <a class="indexterm" name="id2588263"></a> + Replication of the LDAP master server to create a network of BDCs + is an important mechanism for limiting WAN traffic. + </p></li><li><p> + Network administration presents many complex challenges, most of which + can be satisfied by good design but that also require sound communication + and unification of management practices. This can be highly challenging in + a large, globally distributed network. + </p></li><li><p> + Roaming profiles must be contained to the local network segment. Any + departure from this may clog wide-area arteries and slow legitimate network + traffic to a crawl. + </p></li></ul></div></div><div class="figure"><a name="chap7net"></a><p class="title"><b>Figure 6.6. Network Topology 2000 User Complex Design A</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-net-Ar.png" width="432" alt="Network Topology 2000 User Complex Design A"></div></div></div><br class="figure-break"><div class="figure"><a name="chap7net2"></a><p class="title"><b>Figure 6.7. 
Network Topology 2000 User Complex Design B</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-net2-Br.png" width="432" alt="Network Topology 2000 User Complex Design B"></div></div></div><br class="figure-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2588381"></a>Questions and Answers</h2></div></div></div><p> + There is much rumor and misinformation regarding the use of MS Windows networking protocols. + These questions are just a few of those frequently asked. + </p><div class="qandaset"><dl><dt> <a href="2000users.html#id2588399"> + + + Is it true that DHCP uses lots of WAN bandwidth? + </a></dt><dt> <a href="2000users.html#id2588534"> + + + How much background communication takes place between a master LDAP server and its slave LDAP servers? + </a></dt><dt> <a href="2000users.html#id2588595"> + LDAP has a database. Is LDAP not just a fancy database front end? + </a></dt><dt> <a href="2000users.html#id2588659"> + + Can Active Directory obtain account information from an OpenLDAP server? + </a></dt><dt> <a href="2000users.html#id2588694"> + What are the parts of a roaming profile? How large is each part? + </a></dt><dt> <a href="2000users.html#id2588842"> + Can the My Documents folder be stored on a network drive? + </a></dt><dt> <a href="2000users.html#id2588890"> + + + + How much WAN bandwidth does WINS consume? + </a></dt><dt> <a href="2000users.html#id2588975"> + How many BDCs should I have? What is the right number of Windows clients per server? + </a></dt><dt> <a href="2000users.html#id2589011"> + + I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to + run an NIS server? + </a></dt><dt> <a href="2000users.html#id2589044"> + Can I use NIS in place of LDAP? 
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2588399"></a><a name="id2588401"></a></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2588406"></a> + <a class="indexterm" name="id2588412"></a> + Is it true that DHCP uses lots of WAN bandwidth? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2588429"></a> + <a class="indexterm" name="id2588438"></a> + <a class="indexterm" name="id2588445"></a> + It is a smart practice to localize DHCP servers on each network segment. As a + rule, there should be two DHCP servers per network segment. This means that if + one server fails, there is always another to service user needs. DHCP requests use + only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network + routers. This makes it possible to run fewer DHCP servers. + </p><p> + <a class="indexterm" name="id2588464"></a> + <a class="indexterm" name="id2588473"></a> + A DHCP network address request and confirmation usually results in about six UDP packets. + The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP + clients and that uses a 24-hour IP address lease. This means that all clients renew + their IP address lease every 24 hours. If we assume an average packet length equal to the + maximum (just to be on the safe side), and we have a 128 Kb/sec wide-area connection, + how significant would the DHCP traffic be if all of it were to use DHCP Relay? + </p><p> + I must stress that this is a bad design, but here is the calculation: +</p><pre class="screen"> +Daily Network Capacity: 128,000 (Kbits/s) / 8 (bits/byte) + x 3600 (sec/hr) x 24 (hrs/day)= 2288 Mbytes/day. + +DHCP traffic: 300 (clients) x 6 (packets) + x 512 (bytes/packet) = 0.9 Mbytes/day. 
+</pre><p> + From this can be seen that the traffic impact would be minimal. + </p><p> + <a class="indexterm" name="id2588511"></a> + <a class="indexterm" name="id2588520"></a> + Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link, + the impact of the update is no more than the DHCP IP address renewal traffic and thus + still insignificant for most practical purposes. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588534"></a><a name="id2588536"></a></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2588540"></a> + <a class="indexterm" name="id2588547"></a> + How much background communication takes place between a master LDAP server and its slave LDAP servers? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2588568"></a> + The process that controls the replication of data from the master LDAP server to the slave LDAP + servers is called <code class="literal">slurpd</code>. The <code class="literal">slurpd</code> remains nascent (quiet) + until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete) + two user accounts requires less than 10KB traffic. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588595"></a><a name="id2588597"></a></td><td align="left" valign="top"><p> + LDAP has a database. Is LDAP not just a fancy database front end? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2588609"></a> + <a class="indexterm" name="id2588616"></a> + <a class="indexterm" name="id2588625"></a> + <a class="indexterm" name="id2588631"></a> + LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific + data storage system. 
This type of database is indexed so that records can be rapidly located, but the + database is not generic and can be used only in particular pre-programmed ways. General external + applications do not gain access to the data. This type of database is used also by SQL servers. Both + an SQL server and an LDAP server provide ways to access the data. An SQL server has a transactional + orientation and typically allows external programs to perform ad hoc queries, even across data tables. + An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific + simple queries. The term <code class="constant">database</code> is heavily overloaded and thus much misunderstood. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588659"></a><a name="id2588661"></a></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2588665"></a> + Can Active Directory obtain account information from an OpenLDAP server? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2588680"></a> + No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP + database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface + to OpenLDAP using standard LDAP queries and updates. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588694"></a><a name="id2588696"></a></td><td align="left" valign="top"><p> + What are the parts of a roaming profile? How large is each part? 
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2588707"></a> + A roaming profile consists of + </p><div class="itemizedlist"><ul type="disc"><li><p> + Desktop folders such as <code class="constant">Desktop</code>, <code class="constant">My Documents</code>, + <code class="constant">My Pictures</code>, <code class="constant">My Music</code>, <code class="constant">Internet Files</code>, + <code class="constant">Cookies</code>, <code class="constant">Application Data</code>, + <code class="constant">Local Settings,</code> and more. See <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a>, <a class="link" href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">“Windows XP Professional User Shared Folders”</a>. + </p><p> + <a class="indexterm" name="id2588768"></a> + Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all + such folders can be redirected to network drive resources. See <a class="link" href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">“Configuration of Default Profile with Folder Redirection”</a> + for more information regarding folder redirection. + </p></li><li><p> + A static or rewritable portion that is typically only a few files (2-5 KB of information). + </p></li><li><p> + <a class="indexterm" name="id2588795"></a> + <a class="indexterm" name="id2588801"></a> + The registry load file that modifies the <code class="constant">HKEY_LOCAL_USER</code> hive. This is + the <code class="filename">NTUSER.DAT</code> file. It can be from 0.4 to 1.5 MB. + </p></li></ul></div><p> + <a class="indexterm" name="id2588824"></a> + Microsoft Outlook PST files may be stored in the <code class="constant">Local Settings\Application Data</code> + folder. It can be up to 2 GB in size per PST file. 
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588842"></a><a name="id2588845"></a></td><td align="left" valign="top"><p> + Can the <code class="constant">My Documents</code> folder be stored on a network drive? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2588860"></a> + <a class="indexterm" name="id2588867"></a> + Yes. More correctly, such folders can be redirected to network shares. No specific network drive + connection is required. Registry settings permit this to be redirected directly to a UNC (Universal + Naming Convention) resource, though it is possible to specify a network drive letter instead of a + UNC name. See <a class="link" href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">“Configuration of Default Profile with Folder Redirection”</a>. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588890"></a><a name="id2588893"></a></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2588897"></a> + <a class="indexterm" name="id2588904"></a> + <a class="indexterm" name="id2588913"></a> + How much WAN bandwidth does WINS consume? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2588927"></a> + <a class="indexterm" name="id2588936"></a> + <a class="indexterm" name="id2588943"></a> + MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache. + This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS + server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day, + was less than 30 KB/sec. Analysis of network traffic over a 6-week period showed that the total + of all background traffic consumed about 11 percent of available bandwidth over 64 Kb/sec links. 
+ Background traffic consisted of domain replication, WINS queries, DNS lookups, and authentication + traffic. Each of 11 branch offices had a 64 Kb/sec wide-area link, with a 1.5 Mb/sec main connection + that aggregated the branch office connections plus an Internet connection. + </p><p> + In conclusion, the total load afforded through WINS traffic is again marginal to total operational + usage as it should be. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588975"></a><a name="id2588977"></a></td><td align="left" valign="top"><p> + How many BDCs should I have? What is the right number of Windows clients per server? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + It is recommended to have at least one BDC per network segment, including the segment served + by the PDC. Actual requirements vary depending on the working load on each of the BDCs and the + load demand pattern of client usage. I have seen sites that function without problem with 200 + clients served by one BDC, and yet other sites that had one BDC per 20 clients. In one particular + company, there was a drafting office that had 30 CAD/CAM operators served by one server, a print + server; and an application server. While all three were BDCs, typically only the print server would + service network logon requests after the first 10 users had started to use the network. This was + a reflection of the service load placed on both the application server and the data server. + </p><p> + As unsatisfactory as the answer might sound, it all depends on network and server load + characteristics. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589011"></a><a name="id2589013"></a></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2589017"></a><a class="indexterm" name="id2589023"></a> + I've heard that you can store NIS accounts in LDAP. 
Is LDAP not just a smarter way to + run an NIS server? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The correct answer to both questions is yes. But do understand that an LDAP server has + a configurable schema that can store far more information for many more purposes than + just NIS. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589044"></a><a name="id2589047"></a></td><td align="left" valign="top"><p> + Can I use NIS in place of LDAP? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + <a class="indexterm" name="id2589058"></a> + <a class="indexterm" name="id2589065"></a> + No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal + with the types of data necessary for interoperability with Microsoft Windows networking. The use + of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also + a Samba-specific schema extension. + </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Making Happy Users </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Domain Members, Updating Samba and Migration</td></tr></table></div></body></html> |
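Review bot: In the roaming-profile answer (the question at id2588694), `HKEY_LOCAL_USER` is not a Windows registry hive; the hive that `NTUSER.DAT` is loaded into is `HKEY_CURRENT_USER`, so that constant should be corrected. The DHCP bandwidth example in the first answer has a unit and arithmetic inconsistency too: the capacity line reads `128,000 (Kbits/s)` although the link was introduced as 128 Kb/sec, and 128,000 bits/s divided by 8 bits/byte and multiplied by 86,400 sec/day gives roughly 1,382 Mbytes/day rather than the 2288 Mbytes/day shown (the 0.9 Mbytes/day DHCP figure and the conclusion are unaffected, but the numbers should agree). On the smb.conf side, the BDC reaches the directory through `idmap backend = ldap://massive.abmas.biz` and binds as `ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz`, yet no `ldap ssl` parameter appears among the `ldap *` lines in this part of the file; a sentence stating whether that bind and the LDAP traffic between sites are expected to be protected would help readers who copy this example across a WAN. Finally, `[netlogon]` and `[printers]` both set `guest ok = Yes`; spelling out that the netlogon share is meant to stay read-only (it relies on the default here) would make the intended exposure explicit.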