Diffstat (limited to 'docs/htmldocs/Samba3-ByExample/appendix.html')
-rw-r--r-- | docs/htmldocs/Samba3-ByExample/appendix.html | 1065 |
1 files changed, 0 insertions, 1065 deletions
diff --git a/docs/htmldocs/Samba3-ByExample/appendix.html b/docs/htmldocs/Samba3-ByExample/appendix.html deleted file mode 100644 index 88e5fc2e48..0000000000 --- a/docs/htmldocs/Samba3-ByExample/appendix.html +++ /dev/null 
@@ -1,1065 +0,0 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. A Collection of Useful Tidbits</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="ch14.html" title="Chapter 14. Samba Support"><link rel="next" href="primer.html" title="Chapter 16. Networking Primer"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 15. A Collection of Useful Tidbits</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch14.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="primer.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 15. A Collection of Useful Tidbits"><div class="titlepage"><div><div><h2 class="title"><a name="appendix"></a>Chapter 15. 
A Collection of Useful Tidbits</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id387559">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id387952">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id388254">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id388264">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id388308">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id388408">DNS Root Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id388463">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id388919">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#id389839">IDEALX Management Console</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id390270">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id390409">Act! 
Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id390484">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></div><p> - <a class="indexterm" name="id387011"></a> - <a class="indexterm" name="id387018"></a> - Information presented here is considered to be either basic or well-known material that is informative - yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that - the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps - different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical, - as shown in the example given below. - </p><div class="sect1" title="Joining a Domain: Windows 200x/XP Professional"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domjoin"></a>Joining a Domain: Windows 200x/XP Professional</h2></div></div></div><p> - <a class="indexterm" name="id387044"></a> - Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security. - This section steps through the process for making a Windows 200x/XP Professional machine a - member of a Domain Security environment. It should be noted that this process is identical - when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC. - </p><div class="procedure" title="Procedure 15.1. Steps to Join a Domain"><a name="id387055"></a><p class="title"><b>Procedure 15.1. Steps to Join a Domain</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Click <span class="guimenu">Start</span>. - </p></li><li class="step" title="Step 2"><p> - Right-click <span class="guimenu">My Computer</span>, and then select <span class="guimenuitem">Properties</span>. - </p></li><li class="step" title="Step 3"><p> - The opening panel is the same one that can be reached by clicking <span class="guimenu">System</span> on the Control Panel. 
- See <a class="link" href="appendix.html#swxpp001" title="Figure 15.1. The General Panel.">“The General Panel.”</a>. - </p><div class="figure"><a name="swxpp001"></a><p class="title"><b>Figure 15.1. The General Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp001.png" alt="The General Panel."></div></div></div><p><br class="figure-break"> - </p></li><li class="step" title="Step 4"><p> - Click the <span class="guimenu">Computer Name</span> tab. - This panel shows the <span class="guimenuitem">Computer Description</span>, the <span class="guimenuitem">Full computer name</span>, - and the <span class="guimenuitem">Workgroup</span> or <span class="guimenuitem">Domain name</span>. - </p><p> - Clicking the <span class="guimenu">Network ID</span> button launches the configuration wizard. Do not use this with - Samba-3. If you wish to change the computer name, or join or leave the domain, click the <span class="guimenu">Change</span> button. - See <a class="link" href="appendix.html#swxpp004" title="Figure 15.2. The Computer Name Panel.">“The Computer Name Panel.”</a>. - </p><div class="figure"><a name="swxpp004"></a><p class="title"><b>Figure 15.2. The Computer Name Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp004.png" alt="The Computer Name Panel."></div></div></div><p><br class="figure-break"> - </p></li><li class="step" title="Step 5"><p> - Click on <span class="guimenu">Change</span>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP. - We join the domain called MIDEARTH. See <a class="link" href="appendix.html#swxpp006" title="Figure 15.3. The Computer Name Changes Panel">“The Computer Name Changes Panel”</a>. - </p><div class="figure"><a name="swxpp006"></a><p class="title"><b>Figure 15.3. 
The Computer Name Changes Panel</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp006.png" alt="The Computer Name Changes Panel"></div></div></div><p><br class="figure-break"> - </p></li><li class="step" title="Step 6"><p> - Enter the name <span class="guimenu">MIDEARTH</span> in the field below the Domain radio button. - </p><p> - This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <a class="link" href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">“The Computer Name Changes Panel Domain MIDEARTH”</a>. - </p><div class="figure"><a name="swxpp007"></a><p class="title"><b>Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp007.png" alt="The Computer Name Changes Panel Domain MIDEARTH"></div></div></div><p><br class="figure-break"> - </p></li><li class="step" title="Step 7"><p> - Now click the <span class="guimenu">OK</span> button. A dialog box should appear to allow you to provide the credentials (username and password) - of a domain administrative account that has the rights to add machines to the domain. - </p><p> - Enter the name <span class="quote">“<span class="quote">root</span>”</span> and the root password from your Samba-3 server. See <a class="link" href="appendix.html#swxpp008" title="Figure 15.5. Computer Name Changes User name and Password Panel">“Computer Name Changes User name and Password Panel”</a>. - </p><div class="figure"><a name="swxpp008"></a><p class="title"><b>Figure 15.5. Computer Name Changes User name and Password Panel</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp008.png" alt="Computer Name Changes User name and Password Panel"></div></div></div><p><br class="figure-break"> - </p></li><li class="step" title="Step 8"><p> - Click <span class="guimenu">OK</span>. 
- </p><p> - The <span class="quote">“<span class="quote">Welcome to the MIDEARTH domain</span>”</span> dialog box should appear. At this point, the machine must be rebooted. - Joining the domain is now complete. - </p></li></ol></div><p> - <a class="indexterm" name="id387460"></a> - <a class="indexterm" name="id387466"></a> - The screen capture shown in <a class="link" href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">“The Computer Name Changes Panel Domain MIDEARTH”</a> has a button labeled <span class="guimenu">More...</span>. This button opens a - panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members - of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace. - </p><p> - <a class="indexterm" name="id387490"></a> - <a class="indexterm" name="id387497"></a> - Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers - register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server - to find the services (like which machines are domain controllers or which machines have the Netlogon service running). - </p><p> - <a class="indexterm" name="id387512"></a> - The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix, - this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to - a valid IP address. - </p><p> - The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain. - Where the client is a member of a Samba domain, it is preferable to leave this field blank. 
- </p><p> - <a class="indexterm" name="id387534"></a> - According to Microsoft documentation, <span class="quote">“<span class="quote">If this computer belongs to a group with <code class="constant">Group Policy</code> - enabled on <code class="literal">Primary DNS suffice of this computer</code>, the string specified in the Group Policy is used - as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is - used only if Group Policy is disabled or unspecified.</span>”</span> - </p></div><div class="sect1" title="Samba System File Location"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387559"></a>Samba System File Location</h2></div></div></div><p><a class="indexterm" name="id387566"></a><a class="indexterm" name="id387574"></a><a class="indexterm" name="id387581"></a> - One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team - build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is - in the <code class="filename">/usr/local/samba</code> directory. This is a perfectly reasonable location, particularly given all the other - Open Source software that installs into the <code class="filename">/usr/local</code> subdirectories. - </p><p> - Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team - default. 
- </p><p><a class="indexterm" name="id387612"></a><a class="indexterm" name="id387624"></a><a class="indexterm" name="id387631"></a><a class="indexterm" name="id387643"></a><a class="indexterm" name="id387650"></a><a class="indexterm" name="id387662"></a><a class="indexterm" name="id387670"></a><a class="indexterm" name="id387677"></a><a class="indexterm" name="id387685"></a><a class="indexterm" name="id387693"></a><a class="indexterm" name="id387701"></a><a class="indexterm" name="id387709"></a><a class="indexterm" name="id387717"></a><a class="indexterm" name="id387725"></a><a class="indexterm" name="id387732"></a><a class="indexterm" name="id387740"></a> - Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy - System (FHS), have elected to locate the configuration files under the <code class="filename">/etc/samba</code> directory, common binary - files (those used by users) in the <code class="filename">/usr/bin</code> directory, and the administrative files (daemons) in the - <code class="filename">/usr/sbin</code> directory. Support files for the Samba Web Admin Tool (SWAT) are located under the - <code class="filename">/usr/share</code> directory, either in <code class="filename">/usr/share/samba/swat</code> or in - <code class="filename">/usr/share/swat</code>. There are additional support files for <code class="literal">smbd</code> in the - <code class="filename">/usr/lib/samba</code> directory tree. The files located there include the dynamically loadable modules for the - passdb backend as well as for the VFS modules. - </p><p><a class="indexterm" name="id387804"></a><a class="indexterm" name="id387812"></a><a class="indexterm" name="id387820"></a> - Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in - the <code class="filename">/var/lib/samba</code> directory. 
Log files are created in <code class="filename">/var/log/samba.</code> - </p><p> - When Samba is built and installed using the default Samba Team process, all files are located under the - <code class="filename">/usr/local/samba</code> directory tree. This makes it simple to find the files that Samba owns. - </p><p><a class="indexterm" name="id387854"></a> - One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location - of all files called <code class="literal">smbd</code>. Here is an example: -</p><pre class="screen"> -<code class="prompt">root# </code> find / -name smbd -print -</pre><p> - You can find the location of the configuration files by running: -</p><pre class="screen"> -<code class="prompt">root# </code> /path-to-binary-file/smbd -b | more -... -Paths: - SBINDIR: /usr/sbin - BINDIR: /usr/bin - SWATDIR: /usr/share/samba/swat - CONFIGFILE: /etc/samba/smb.conf - LOGFILEBASE: /var/log/samba - LMHOSTSFILE: /etc/samba/lmhosts - LIBDIR: /usr/lib/samba - SHLIBEXT: so - LOCKDIR: /var/lib/samba - PIDDIR: /var/run/samba - SMB_PASSWD_FILE: /etc/samba/smbpasswd - PRIVATE_DIR: /etc/samba -... -</pre><p> - If you wish to locate the Samba version, just run: -</p><pre class="screen"> -<code class="prompt">root# </code> /path-to-binary-file/smbd -V -Version 3.0.20-SUSE -</pre><p> - </p><p> - Many people have been caught by installation of Samba using the default Samba Team process when it was already installed - by the platform vendor's method. 
If your platform uses RPM format packages, you can check to see if Samba is installed by - executing:<a class="indexterm" name="id387919"></a> -</p><pre class="screen"> -<code class="prompt">root# </code> rpm -qa | grep samba -samba3-pdb-3.0.20-1 -samba3-vscan-0.3.6-0 -samba3-winbind-3.0.20-1 -samba3-3.0.20-1 -samba3-python-3.0.20-1 -samba3-utils-3.0.20-1 -samba3-doc-3.0.20-1 -samba3-client-3.0.20-1 -samba3-cifsmount-3.0.20-1 - </pre><p><a class="indexterm" name="id387940"></a> - The package names, of course, vary according to how the vendor, or the binary package builder, prepared them. - </p></div><div class="sect1" title="Starting Samba"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387952"></a>Starting Samba</h2></div></div></div><p><a class="indexterm" name="id387958"></a> - Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. - An example of a service is the Apache Web server for which the daemon is called <code class="literal">httpd</code>. In the case of Samba, there - are three daemons, two of which are needed as a minimum. - </p><p> - The Samba server is made up of the following daemons: - </p><div class="example"><a name="ch12SL"></a><p class="title"><b>Example 15.1. A Useful Samba Control Script for SUSE Linux</b></p><div class="example-contents"><pre class="screen"> -#!/bin/bash -# -# Script to start/stop samba -# Locate this in /sbin as a file called 'samba' - -RCD=/etc/rc.d - -if [ z$1 == 'z' ]; then - echo $0 - No arguments given; must be start or stop. 
- exit -fi - -if [ $1 == 'start' ]; then - ${RCD}/nmb start - ${RCD}/smb start - ${RCD}/winbind start - -fi -if [ $1 == 'stop' ]; then - ${RCD}/smb stop - ${RCD}/winbind stop - ${RCD}/nmb stop -fi -if [ $1 == 'restart' ]; then - ${RCD}/smb stop - ${RCD}/winbind stop - ${RCD}/nmb stop - sleep 5 - ${RCD}/nmb start - ${RCD}/smb start - ${RCD}/winbind start -fi -exit 0 -</pre></div></div><br class="example-break"><div class="variablelist"><dl><dt><span class="term">nmbd</span></dt><dd><p> - <a class="indexterm" name="id388017"></a> - <a class="indexterm" name="id388024"></a> - This daemon handles all name registration and resolution requests. It is the primary vehicle involved - in network browsing. It handles all UDP-based protocols. The <code class="literal">nmbd</code> daemon should - be the first command started as part of the Samba startup process. - </p></dd><dt><span class="term">smbd</span></dt><dd><p> - <a class="indexterm" name="id388051"></a> - <a class="indexterm" name="id388058"></a> - This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also - manages local authentication. It should be started immediately following the startup of <code class="literal">nmbd</code>. - </p></dd><dt><span class="term">winbindd</span></dt><dd><p> - <a class="indexterm" name="id388085"></a> - <a class="indexterm" name="id388092"></a> - This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when - Samba has trust relationships with another domain. The <code class="literal">winbindd</code> daemon will check the - <code class="filename">smb.conf</code> file for the presence of the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em> - parameters. If they are not found, <code class="literal">winbindd</code> bails out and refuses to start. 
- </p></dd></dl></div><p> - When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its - integration into the platform as a whole. Please refer to your operating system platform administration manuals for - specific information pertaining to correct management of Samba startup. - </p><div class="example"><a name="ch12RHscript"></a><p class="title"><b>Example 15.2. A Sample Samba Control Script for Red Hat Linux</b></p><div class="example-contents"><pre class="screen"> -#!/bin/sh -# -# chkconfig: 345 81 35 -# description: Starts and stops the Samba smbd and nmbd daemons \ -# used to provide SMB network services. - -# Source function library. -. /etc/rc.d/init.d/functions -# Source networking configuration. -. /etc/sysconfig/network -# Check that networking is up. -[ ${NETWORKING} = "no" ] && exit 0 -CONFIG=/etc/samba/smb.conf -# Check that smb.conf exists. -[ -f $CONFIG ] || exit 0 - -# See how we were called. -case "$1" in - start) - echo -n "Starting SMB services: " - daemon smbd -D; daemon nmbd -D; echo; - touch /var/lock/subsys/smb - ;; - stop) - echo -n "Shutting down SMB services: " - smbdpids=`ps guax | grep smbd | grep -v grep | awk '{print $2}'` - for pid in $smbdpids; do - kill -TERM $pid - done - killproc nmbd -TERM; rm -f /var/lock/subsys/smb - echo "" - ;; - status) - status smbd; status nmbd; - ;; - restart) - echo -n "Restarting SMB services: " - $0 stop; $0 start; - echo "done." - ;; - *) - echo "Usage: smb {start|stop|restart|status}" - exit 1 -esac -</pre></div></div><br class="example-break"><p><a class="indexterm" name="id388184"></a> - SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently - executed from the command line is shown in <a class="link" href="appendix.html#ch12SL" title="Example 15.1. A Useful Samba Control Script for SUSE Linux">“A Useful Samba Control Script for SUSE Linux”</a>. 
This can be located in the directory - <code class="filename">/sbin</code> in a file called <code class="filename">samba</code>. This type of control script should be - owned by user root and group root, and set so that only root can execute it. - </p><p><a class="indexterm" name="id388216"></a> - A sample startup script for a Red Hat Linux system is shown in <a class="link" href="appendix.html#ch12RHscript" title="Example 15.2. A Sample Samba Control Script for Red Hat Linux">“A Sample Samba Control Script for Red Hat Linux”</a>. - This file could be located in the directory <code class="filename">/etc/rc.d</code> and can be called - <code class="filename">samba</code>. A similar startup script is required to control <code class="literal">winbind</code>. - If you want to find more information regarding startup scripts please refer to the packaging section of - the Samba source code distribution tarball. The packaging files for each platform include a - startup control file. - </p></div><div class="sect1" title="DNS Configuration Files"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388254"></a>DNS Configuration Files</h2></div></div></div><p> - The following files are common to all DNS server configurations. Rather than repeat them multiple times, they - are presented here for general reference. - </p><div class="sect2" title="The Forward Zone File for the Loopback Adaptor"><div class="titlepage"><div><div><h3 class="title"><a name="id388264"></a>The Forward Zone File for the Loopback Adaptor</h3></div></div></div><p> - The forward zone file for the loopback address never changes. An example file is shown - in <a class="link" href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">“DNS Localhost Forward Zone File: /var/lib/named/localhost.zone”</a>. 
All traffic destined for an IP address that is hosted on a - physical interface on the machine itself is routed to the loopback adaptor. This is - a fundamental design feature of the TCP/IP protocol implementation. The loopback adaptor - is called <code class="constant">localhost</code>. - </p><div class="example"><a name="loopback"></a><p class="title"><b>Example 15.3. DNS Localhost Forward Zone File: <code class="filename">/var/lib/named/localhost.zone</code></b></p><div class="example-contents"><pre class="screen"> -$TTL 1W -@ IN SOA @ root ( - 42 ; serial - 2D ; refresh - 4H ; retry - 6W ; expiry - 1W ) ; minimum - - IN NS @ - IN A 127.0.0.1 -</pre></div></div><br class="example-break"></div><div class="sect2" title="The Reverse Zone File for the Loopback Adaptor"><div class="titlepage"><div><div><h3 class="title"><a name="id388308"></a>The Reverse Zone File for the Loopback Adaptor</h3></div></div></div><p> - The reverse zone file for the loopback address as shown in <a class="link" href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">“DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone”</a> - is necessary so that references to the address <code class="constant">127.0.0.1</code> can be - resolved to the correct name of the interface. - </p><div class="example"><a name="dnsloopy"></a><p class="title"><b>Example 15.4. DNS Localhost Reverse Zone File: <code class="filename">/var/lib/named/127.0.0.zone</code></b></p><div class="example-contents"><pre class="screen"> -$TTL 1W -@ IN SOA localhost. root.localhost. ( - 42 ; serial - 2D ; refresh - 4H ; retry - 6W ; expiry - 1W ) ; minimum - - IN NS localhost. -1 IN PTR localhost. -</pre></div></div><br class="example-break"><div class="example"><a name="roothint"></a><p class="title"><b>Example 15.5. 
DNS Root Name Server Hint File: <code class="filename">/var/lib/named/root.hint</code></b></p><div class="example-contents"><pre class="screen"> -; This file is made available by InterNIC under anonymous FTP as -; file /domain/named.root -; on server FTP.INTERNIC.NET -; last update: Nov 5, 2002. Related version of root zone: 2002110501 -; formerly NS.INTERNIC.NET -. 3600000 IN NS A.ROOT-SERVERS.NET. -A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 -; formerly NS1.ISI.EDU -. 3600000 NS B.ROOT-SERVERS.NET. -B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107 -; formerly C.PSI.NET -. 3600000 NS C.ROOT-SERVERS.NET. -C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 -; formerly TERP.UMD.EDU -. 3600000 NS D.ROOT-SERVERS.NET. -D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90 -; formerly NS.NASA.GOV -. 3600000 NS E.ROOT-SERVERS.NET. -E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 -; formerly NS.ISC.ORG -. 3600000 NS F.ROOT-SERVERS.NET. -F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 -; formerly NS.NIC.DDN.MIL -. 3600000 NS G.ROOT-SERVERS.NET. -G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 -; formerly AOS.ARL.ARMY.MIL -. 3600000 NS H.ROOT-SERVERS.NET. -H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53 -; formerly NIC.NORDU.NET -. 3600000 NS I.ROOT-SERVERS.NET. -I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 -; operated by VeriSign, Inc. -. 3600000 NS J.ROOT-SERVERS.NET. -J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 -; housed in LINX, operated by RIPE NCC -. 3600000 NS K.ROOT-SERVERS.NET. -K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 -; operated by IANA -. 3600000 NS L.ROOT-SERVERS.NET. -L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12 -; housed in Japan, operated by WIDE -. 3600000 NS M.ROOT-SERVERS.NET. -M.ROOT-SERVERS.NET. 
3600000 A 202.12.27.33 -; End of File -</pre></div></div><br class="example-break"></div><div class="sect2" title="DNS Root Server Hint File"><div class="titlepage"><div><div><h3 class="title"><a name="id388408"></a>DNS Root Server Hint File</h3></div></div></div><p> - The content of the root hints file as shown in <a class="link" href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">“DNS Root Name Server Hint File: /var/lib/named/root.hint”</a> changes slowly over time. - Periodically this file should be updated from the source shown. Because - of its size, this file is located at the end of this chapter. - </p></div></div><div class="sect1" title="Alternative LDAP Database Initialization"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="altldapcfg"></a>Alternative LDAP Database Initialization</h2></div></div></div><p><a class="indexterm" name="id388437"></a><a class="indexterm" name="id388448"></a> - The following procedure may be used as an alternative means of configuring - the initial LDAP database. Many administrators prefer to have greater control - over how system files get configured. - </p><div class="sect2" title="Initialization of the LDAP Database"><div class="titlepage"><div><div><h3 class="title"><a name="id388463"></a>Initialization of the LDAP Database</h3></div></div></div><p><a class="indexterm" name="id388470"></a><a class="indexterm" name="id388478"></a><a class="indexterm" name="id388489"></a> - The first step to get the LDAP server ready for action is to create the LDIF file from - which the LDAP database will be preloaded. This is necessary to create the containers - into which the user, group, and other accounts are written. It is also necessary to - preload the well-known Windows NT Domain Groups, as they must have the correct SID so - that they can be recognized as special NT Groups by the MS Windows clients. 
- </p><div class="procedure" title="Procedure 15.2. LDAP Directory Pre-Load Steps"><a name="ldapinit"></a><p class="title"><b>Procedure 15.2. LDAP Directory Pre-Load Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Create a directory in which to store the files you use to generate - the LDAP LDIF file for your system. Execute the following: -</p><pre class="screen"> -<code class="prompt">root# </code> mkdir /etc/openldap/SambaInit -<code class="prompt">root# </code> chown root:root /etc/openldap/SambaInit -<code class="prompt">root# </code> chmod 700 /etc/openldap/SambaInit -</pre><p> - </p></li><li class="step" title="Step 2"><p> - Install the files shown in <a class="link" href="appendix.html#sbehap-ldapreconfa" title="Example 15.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A">“LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A”</a>, <a class="link" href="appendix.html#sbehap-ldapreconfb" title="Example 15.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B">“LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B”</a>, - and <a class="link" href="appendix.html#sbehap-ldapreconfc" title="Example 15.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C">“LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C”</a> into the directory - <code class="filename">/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh.</code> These three files are, - respectively, parts A, B, and C of the <code class="filename">SMBLDAP-ldif-preconfig.sh</code> file. - </p></li><li class="step" title="Step 3"><p> - Install the files shown in <a class="link" href="appendix.html#sbehap-ldifpata" title="Example 15.9. LDIF Pattern File Used to Pre-configure LDAP Part A">“LDIF Pattern File Used to Pre-configure LDAP Part A”</a> and <a class="link" href="appendix.html#sbehap-ldifpatb" title="Example 15.10. 
LDIF Pattern File Used to Pre-configure LDAP Part B">“LDIF Pattern File Used to Pre-configure LDAP Part B”</a> into the directory - <code class="filename">/etc/openldap/SambaInit/.</code> These two files are - parts A and B, respectively, of the <code class="filename">init-ldif.pat</code> file. - </p></li><li class="step" title="Step 4"><p> - Change to the <code class="filename">/etc/openldap/SambaInit</code> directory. Execute the following: -</p><pre class="screen"> -<code class="prompt">root# </code> sh SMBLDAP-ldif-preconfig.sh - -How do you wish to refer to your organization? -Suggestions: - Black Tire Company, Inc. - Cat With Hat Ltd. -How would you like your organization name to appear? -Your organization name is: My Organization -Enter a new name is this is not what you want, press Enter to Continue. -Name [My Organization]: Abmas Inc. - -Samba Config File Location [/etc/samba/smb.conf]: -Enter a new full path or press Enter to continue. -Samba Config File Location [/etc/samba/smb.conf]: -Domain Name: MEGANET2 -Domain SID: S-1-5-21-3504140859-1010554828-2431957765 - -The name of your Internet domain is now needed in a special format -as follows, if your domain name is mydomain.org, what we need is -the information in the form of: - Domain ID: mydomain - Top level: org -If your fully qualified hostname is: snoopy.bazaar.garagesale.net -where "snoopy" is the name of the machine, -Then the information needed is: - Domain ID: garagesale - Top Level: net - -Found the following domain name: abmas.biz -I think the bit we are looking for might be: abmas -Enter the domain name or press Enter to continue: - -The top level organization name I will use is: biz -Enter the top level org name or press Enter to continue: -<code class="prompt">root# </code> -</pre><p> - This creates a file called <code class="filename">MEGANET2.ldif</code>. 
- </p></li><li class="step" title="Step 5"><p> - It is now time to preload the LDAP database with the following - command: -</p><pre class="screen"> -<code class="prompt">root# </code> slapadd -v -l MEGANET2.ldif -added: "dc=abmas,dc=biz" (00000001) -added: "cn=Manager,dc=abmas,dc=biz" (00000002) -added: "ou=People,dc=abmas,dc=biz" (00000003) -added: "ou=Computers,dc=abmas,dc=biz" (00000004) -added: "ou=Groups,dc=abmas,dc=biz" (00000005) -added: "ou=Domains,dc=abmas,dc=biz" (00000006) -added: "sambaDomainName=MEGANET2,ou=Domains,dc=abmas,dc=biz" (00000007) -added: "cn=domadmins,ou=Groups,dc=abmas,dc=biz" (00000008) -added: "cn=domguests,ou=Groups,dc=abmas,dc=biz" (00000009) -added: "cn=domusers,ou=Groups,dc=abmas,dc=biz" (0000000a) -</pre><p> - You should verify that the account information was correctly loaded by executing: -</p><pre class="screen"> -<code class="prompt">root# </code> slapcat -dn: dc=abmas,dc=biz -objectClass: dcObject -objectClass: organization -dc: abmas -o: Abmas Inc. -description: Posix and Samba LDAP Identity Database -structuralObjectClass: organization -entryUUID: af552f8e-c4a1-1027-9002-9421e01bf474 -creatorsName: cn=manager,dc=abmas,dc=biz -modifiersName: cn=manager,dc=abmas,dc=biz -createTimestamp: 20031217055747Z -modifyTimestamp: 20031217055747Z -entryCSN: 2003121705:57:47Z#0x0001#0#0000 -... - -dn: cn=domusers,ou=Groups,dc=abmas,dc=biz -objectClass: posixGroup -objectClass: sambaGroupMapping -gidNumber: 513 -cn: domusers -sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513 -sambaGroupType: 2 -displayName: Domain Users -description: Domain Users -structuralObjectClass: posixGroup -entryUUID: af7e98ba-c4a1-1027-900b-9421e01bf474 -creatorsName: cn=manager,dc=abmas,dc=biz -modifiersName: cn=manager,dc=abmas,dc=biz -createTimestamp: 20031217055747Z -modifyTimestamp: 20031217055747Z -entryCSN: 2003121705:57:47Z#0x000a#0#0000 -</pre><p> - </p></li><li class="step" title="Step 6"><p> - Your LDAP database is ready for testing. 
You can now start the LDAP server - using the system tool for your Linux operating system. For SUSE Linux, you can - do this as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> rcldap start -</pre><p> - </p></li><li class="step" title="Step 7"><p> - It is now a good idea to validate that the LDAP server is running correctly. - Execute the following: -</p><pre class="screen"> -<code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)" -# extended LDIF -# -# LDAPv3 -# base <dc=abmas,dc=biz> with scope sub -# filter: (ObjectClass=*) -# requesting: ALL -# - -# abmas.biz -dn: dc=abmas,dc=biz -objectClass: dcObject -objectClass: organization -dc: abmas -o: Abmas Inc. -description: Posix and Samba LDAP Identity Database -... -# domusers, Groups, abmas.biz -dn: cn=domusers,ou=Groups,dc=abmas,dc=biz -objectClass: posixGroup -objectClass: sambaGroupMapping -gidNumber: 513 -cn: domusers -sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513 -sambaGroupType: 2 -displayName: Domain Users -description: Domain Users - -# search result -search: 2 -result: 0 Success - -# numResponses: 11 -# numEntries: 10 -</pre><p> - Your LDAP server is ready for creation of additional accounts. - </p></li></ol></div></div><div class="example"><a name="sbehap-ldapreconfa"></a><p class="title"><b>Example 15.6. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part A</b></p><div class="example-contents"><pre class="screen"> -#!/bin/bash -# -# This script prepares the ldif LDAP load file only -# - -# Pattern File Name -file=init-ldif.pat - -# The name of my organization -ORGNAME="My Organization" - -# My Internet domain. ie: if my domain is: buckets.org, INETDOMAIN="buckets" -INETDOMAIN="my-domain" - -# In the above case, md domain is: buckets.org, TLDORG="org" -TLDORG="org" - -# This is the Samba Domain/Workgroup Name -DOMNAME="MYWORKGROUP" - -# -# Here We Go ... 
-# - -cat <<EOF - -How do you wish to refer to your organization? - -Suggestions: - Black Tire Company, Inc. - Cat With Hat Ltd. - -How would you like your organization name to appear? - -EOF - -echo "Your organization name is: $ORGNAME" -echo -echo "Enter a new name or, press Enter to Continue." -echo -</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldapreconfb"></a><p class="title"><b>Example 15.7. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part B</b></p><div class="example-contents"><pre class="screen"> -echo -e -n "Name [$ORGNAME]: " - read name - -if [ ! -z "$name" ]; then - ORGNAME=${name} -fi -echo -sed "s/ORGNAME/${ORGNAME}/g" < $file > $file.tmp1 - -# Try to find smb.conf - -if [ -e /usr/local/samba/lib/smb.conf ]; then - CONF=/usr/local/samba/lib/smb.conf -elif [ -e /etc/samba/smb.conf ]; then - CONF=/etc/samba/smb.conf -fi - -echo "Samba Config File Location [$CONF]: " -echo -echo "Enter a new full path or press Enter to continue." -echo -echo -n "Samba Config File Location [$CONF]: " - read name -if [ ! -z "$name" ]; then - CONF=$name -fi -echo - -# Find the name of our Domain/Workgroup -DOMNAME=`grep -i workgroup ${CONF} | sed "s/ //g" | cut -f2 -d=` -echo Domain Name: $DOMNAME -echo - -sed "s/DOMNAME/${DOMNAME}/g" < $file.tmp1 > $file.tmp2 - -DOMSID=`net getlocalsid ${DOMNAME} | cut -f2 -d: | sed "s/ //g"` -echo Domain SID: $DOMSID - -sed "s/DOMSID/${DOMSID}/g" < $file.tmp2 > $file.tmp1 -</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldapreconfc"></a><p class="title"><b>Example 15.8. 
LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part C</b></p><div class="example-contents"><pre class="screen"> -cat <<EOL -The name of your Internet domain is now needed in a special format -as follows, if your domain name is mydomain.org, what we need is -the information in the form of: - Domain ID: mydomain - Top level: org - -If your fully qualified hostname is: snoopy.bazaar.garagesale.net -where "snoopy" is the name of the machine, -Then the information needed is: - Domain ID: garagesale - Top Level: net - -EOL -INETDOMAIN=`hostname -d | cut -f1 -d.` -echo Found the following domain name: `hostname -d` -echo "I think the bit we are looking for might be: $INETDOMAIN" -echo -echo -n "Enter the domain name or press Enter to continue: " - read domnam -if [ ! -z $domnam ]; then - INETDOMAIN=$domnam -fi -echo -sed "s/INETDOMAIN/${INETDOMAIN}/g" < $file.tmp1 > $file.tmp2 -TLDORG=`hostname -d | sed "s/${INETDOMAIN}.//g"` -echo "The top level organization name I will use is: ${TLDORG}" -echo -echo -n "Enter the top level org name or press Enter to continue: " - read domnam -if [ ! -z $domnam ]; then - TLDORG=$domnam -fi -sed "s/TLDORG/${TLDORG}/g" < $file.tmp2 > $DOMNAME.ldif -rm $file.tmp* -exit 0 -</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifpata"></a><p class="title"><b>Example 15.9. 
LDIF Pattern File Used to Pre-configure LDAP Part A</b></p><div class="example-contents"><pre class="screen"> -dn: dc=INETDOMAIN,dc=TLDORG -objectClass: dcObject -objectClass: organization -dc: INETDOMAIN -o: ORGNAME -description: Posix and Samba LDAP Identity Database - -dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG -objectClass: organizationalRole -cn: Manager -description: Directory Manager - -dn: ou=People,dc=INETDOMAIN,dc=TLDORG -objectClass: top -objectClass: organizationalUnit -ou: People - -dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG -objectClass: top -objectClass: organizationalUnit -ou: Computers - -dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG -objectClass: top -objectClass: organizationalUnit -ou: Groups - -dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG -objectClass: top -objectClass: organizationalUnit -ou: Idmap - -dn: ou=Domains,dc=INETDOMAIN,dc=TLDORG -objectClass: top -objectClass: organizationalUnit -ou: Domains - -dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG -objectClass: sambaDomain -sambaDomainName: DOMNAME -sambaSID: DOMSID -sambaAlgorithmicRidBase: 1000 -structuralObjectClass: sambaDomain -</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifpatb"></a><p class="title"><b>Example 15.10. 
LDIF Pattern File Used to Pre-configure LDAP Part B</b></p><div class="example-contents"><pre class="screen"> -dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG -objectClass: posixGroup -objectClass: sambaGroupMapping -gidNumber: 512 -cn: domadmins -sambaSID: DOMSID-512 -sambaGroupType: 2 -displayName: Domain Admins -description: Domain Administrators - -dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG -objectClass: posixGroup -objectClass: sambaGroupMapping -gidNumber: 514 -cn: domguests -sambaSID: DOMSID-514 -sambaGroupType: 2 -displayName: Domain Guests -description: Domain Guests Users - -dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG -objectClass: posixGroup -objectClass: sambaGroupMapping -gidNumber: 513 -cn: domusers -sambaSID: DOMSID-513 -sambaGroupType: 2 -displayName: Domain Users -description: Domain Users -</pre></div></div><br class="example-break"></div><div class="sect1" title="The LDAP Account Manager"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388919"></a>The LDAP Account Manager</h2></div></div></div><p> -<a class="indexterm" name="id388927"></a> -<a class="indexterm" name="id388934"></a> -<a class="indexterm" name="id388943"></a> -<a class="indexterm" name="id388949"></a> -<a class="indexterm" name="id388956"></a> -<a class="indexterm" name="id388963"></a> -<a class="indexterm" name="id388970"></a> -The LDAP Account Manager (LAM) is an application suite that has been written in PHP. -LAM can be used with any Web server that has PHP4 support. It connects to the LDAP -server either using unencrypted connections or via SSL/TLS. LAM can be used to manage -Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines -(hosts). -</p><p> -LAM is available from the <a class="ulink" href="http://sourceforge.net/projects/lam/" target="_top">LAM</a> -home page and from its mirror sites. LAM has been released under the GNU GPL version 2. -The current version of LAM is 0.4.9. 
Release of version 0.5 is expected in the third quarter -of 2005. -</p><p> -<a class="indexterm" name="id388996"></a> -<a class="indexterm" name="id389003"></a> -<a class="indexterm" name="id389010"></a> -Requirements: -</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A web server that will work with PHP4.</p></li><li class="listitem"><p>PHP4 (available from the <a class="ulink" href="http://www.php.net/" target="_top">PHP</a> home page.)</p></li><li class="listitem"><p>OpenLDAP 2.0 or later.</p></li><li class="listitem"><p>A Web browser that supports CSS.</p></li><li class="listitem"><p>Perl.</p></li><li class="listitem"><p>The gettext package.</p></li><li class="listitem"><p>mcrypt + mhash (optional).</p></li><li class="listitem"><p>It is also a good idea to install SSL support.</p></li></ul></div><p> -LAM is a useful tool that provides a simple Web-based device that can be used to -manage the contents of the LDAP directory to: -<a class="indexterm" name="id389067"></a> -<a class="indexterm" name="id389074"></a> -<a class="indexterm" name="id389081"></a> -</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Display user/group/host and Domain entries.</p></li><li class="listitem"><p>Manage entries (Add/Delete/Edit).</p></li><li class="listitem"><p>Filter and sort entries.</p></li><li class="listitem"><p>Store and use multiple operating profiles.</p></li><li class="listitem"><p>Edit organizational units (OUs).</p></li><li class="listitem"><p>Upload accounts from a file.</p></li><li class="listitem"><p>Is compatible with Samba-2.2.x and Samba-3.</p></li></ul></div><p> -When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba -user, group, and windows domain member machine accounts. 
-</p><p> -<a class="indexterm" name="id389132"></a> -<a class="indexterm" name="id389139"></a> -<a class="indexterm" name="id389145"></a> -<a class="indexterm" name="id389152"></a> -The default password is <span class="quote">“<span class="quote">lam.</span>”</span> It is highly recommended that you use only -an SSL connection to your Web server for all remote operations involving LAM. If you -want secure connections, you must configure your Apache Web server to permit connections -to LAM using only SSL. -</p><div class="procedure" title="Procedure 15.3. Apache Configuration Steps for LAM"><a name="sbehap-laminst"></a><p class="title"><b>Procedure 15.3. Apache Configuration Steps for LAM</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Extract the LAM package by untarring it as shown here: -</p><pre class="screen"> -<code class="prompt">root# </code> tar xzf ldap-account-manager_0.4.9.tar.gz -</pre><p> - Alternatively, install the LAM DEB for your system using the following command: -</p><pre class="screen"> -<code class="prompt">root# </code> dpkg -i ldap-account-manager_0.4.9.all.deb -</pre><p> - </p></li><li class="step" title="Step 2"><p> - Copy the extracted files to the document root directory of your Web server. - For example, on SUSE Linux Enterprise Server 9, copy to the - <code class="filename">/srv/www/htdocs</code> directory. 
- </p></li><li class="step" title="Step 3"><p> - <a class="indexterm" name="id389226"></a> - Set file permissions using the following commands: -</p><pre class="screen"> -<code class="prompt">root# </code> chown -R wwwrun:www /srv/www/htdocs/lam -<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/sess -<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/tmp -<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/config -<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/lib/*pl -</pre><p> - </p></li><li class="step" title="Step 4"><p> - <a class="indexterm" name="id389276"></a> - Using your favorite editor create the following <code class="filename">config.cfg</code> - LAM configuration file: -</p><pre class="screen"> -<code class="prompt">root# </code> cd /srv/www/htdocs/lam/config -<code class="prompt">root# </code> cp config.cfg_sample config.cfg -<code class="prompt">root# </code> vi config.cfg -</pre><p> - <a class="indexterm" name="id389315"></a> - <a class="indexterm" name="id389324"></a> - An example file is shown in <a class="link" href="appendix.html#lamcfg" title="Example 15.11. Example LAM Configuration File config.cfg">“Example LAM Configuration File config.cfg”</a>. - This is the minimum configuration that must be completed. The LAM profile - file can be created using a convenient wizard that is part of the LAM - configuration suite. - </p></li><li class="step" title="Step 5"><p> - Start your Web server then, using your Web browser, connect to - <a class="ulink" href="http://localhost/lam" target="_top">LAM</a> URL. Click on the - the <em class="parameter"><code>Configuration Login</code></em> link then click on the - Configuration Wizard link to begin creation of the default profile so that - LAM can connect to your LDAP server. 
Alternately, copy the - <code class="filename">lam.conf_sample</code> file to a file called - <code class="filename">lam.conf</code> then, using your favorite editor, - change the settings to match local site needs. - </p></li></ol></div><p> - <a class="indexterm" name="id389379"></a> - An example of a working file is shown here in <a class="link" href="appendix.html#lamconf" title="Example 15.12. LAM Profile Control File lam.conf">“LAM Profile Control File lam.conf”</a>. - This file has been stripped of comments to keep the size small. The comments - and help information provided in the profile file that the wizard creates - is very useful and will help many administrators to avoid pitfalls. - Your configuration file obviously reflects the configuration options that - are preferred at your site. - </p><p> - <a class="indexterm" name="id389399"></a> - It is important that your LDAP server is running at the time that LAM is - being configured. This permits you to validate correct operation. - An example of the LAM login screen is provided in <a class="link" href="appendix.html#lam-login" title="Figure 15.6. The LDAP Account Manager Login Screen">“The LDAP Account Manager Login Screen”</a>. - </p><div class="figure"><a name="lam-login"></a><p class="title"><b>Figure 15.6. The LDAP Account Manager Login Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-login.png" width="270" alt="The LDAP Account Manager Login Screen"></div></div></div><br class="figure-break"><p> - <a class="indexterm" name="id389458"></a> - The LAM configuration editor has a number of options that must be managed correctly. - An example of use of the LAM configuration editor is shown in <a class="link" href="appendix.html#lam-config" title="Figure 15.7. The LDAP Account Manager Configuration Screen">“The LDAP Account Manager Configuration Screen”</a>. 
- It is important that you correctly set the minimum and maximum UID/GID values that are - permitted for use at your site. The default values may not be compatible with a need to - modify initial default account values for well-known Windows network users and groups. - The best work-around is to temporarily set the minimum values to zero (0) to permit - the initial settings to be made. Do not forget to reset these to sensible values before - using LAM to add additional users and groups. - </p><div class="figure"><a name="lam-config"></a><p class="title"><b>Figure 15.7. The LDAP Account Manager Configuration Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-config.png" width="270" alt="The LDAP Account Manager Configuration Screen"></div></div></div><br class="figure-break"><p> - <a class="indexterm" name="id389523"></a> - LAM has some nice, but unusual features. For example, one unexpected feature in most application - screens permits the generation of a PDF file that lists configuration information. This is a well - thought out facility. This option has been edited out of the following screen shots to conserve - space. - </p><p> - <a class="indexterm" name="id389536"></a> - When you log onto LAM the opening screen drops you right into the user manager as shown in - <a class="link" href="appendix.html#lam-user" title="Figure 15.8. The LDAP Account Manager User Edit Screen">“The LDAP Account Manager User Edit Screen”</a>. This is a logical action as it permits the most-needed facility - to be used immediately. The editing of an existing user, as with the addition of a new user, - is easy to follow and very clear in both layout and intent. It is a simple matter to edit - generic settings, UNIX specific parameters, and then Samba account requirements. Each step - involves clicking a button that intuitively drives you through the process. When you have - finished editing simply press the <span class="guimenu">Final</span> button. 
- </p><div class="figure"><a name="lam-user"></a><p class="title"><b>Figure 15.8. The LDAP Account Manager User Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-users.png" width="270" alt="The LDAP Account Manager User Edit Screen"></div></div></div><br class="figure-break"><p> - The edit screen for groups is shown in <a class="link" href="appendix.html#lam-group" title="Figure 15.9. The LDAP Account Manager Group Edit Screen">“The LDAP Account Manager Group Edit Screen”</a>. As with the edit screen - for user accounts, group accounts may be rapidly dealt with. <a class="link" href="appendix.html#lam-group-mem" title="Figure 15.10. The LDAP Account Manager Group Membership Edit Screen">“The LDAP Account Manager Group Membership Edit Screen”</a> - shows a sub-screen from the group editor that permits users to be assigned secondary group - memberships. - </p><div class="figure"><a name="lam-group"></a><p class="title"><b>Figure 15.9. The LDAP Account Manager Group Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-groups.png" width="270" alt="The LDAP Account Manager Group Edit Screen"></div></div></div><br class="figure-break"><div class="figure"><a name="lam-group-mem"></a><p class="title"><b>Figure 15.10. The LDAP Account Manager Group Membership Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-group-members.png" width="270" alt="The LDAP Account Manager Group Membership Edit Screen"></div></div></div><br class="figure-break"><p> - <a class="indexterm" name="id389704"></a><a class="indexterm" name="id389710"></a> - The final screen presented here is one that you should not normally need to use. Host accounts will - be automatically managed using the smbldap-tools scripts. This means that the screen <a class="link" href="appendix.html#lam-host" title="Figure 15.11. 
The LDAP Account Manager Host Edit Screen">“The LDAP Account Manager Host Edit Screen”</a> - will, in most cases, not be used. - </p><div class="figure"><a name="lam-host"></a><p class="title"><b>Figure 15.11. The LDAP Account Manager Host Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-hosts.png" width="270" alt="The LDAP Account Manager Host Edit Screen"></div></div></div><br class="figure-break"><p> - One aspect of LAM that may annoy some users is the way it forces certain conventions on - the administrator. For example, LAM does not permit the creation of Windows user and group - accounts that contain spaces even though the underlying UNIX/Linux - operating system may exhibit no problems with them. Given the propensity for using upper-case - characters and spaces (particularly in the default Windows account names) this may cause - some annoyance. For the rest, LAM is a very useful administrative tool. - </p><p> - The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features - (e.g., logon hours). The new plugin-based architecture also allows management of much more different - account types like plain UNIX accounts. The upload can now handle groups and hosts, too. Another - important point is the tree view which allows browsing and editing LDAP objects directly. - </p><div class="example"><a name="lamcfg"></a><p class="title"><b>Example 15.11. Example LAM Configuration File <code class="filename">config.cfg</code></b></p><div class="example-contents"><pre class="screen"> -# password to add/delete/rename configuration profiles -password: not24get - -# default profile, without ".conf" -default: lam -</pre></div></div><br class="example-break"><div class="example"><a name="lamconf"></a><p class="title"><b>Example 15.12. 
LAM Profile Control File <code class="filename">lam.conf</code></b></p><div class="example-contents"><pre class="screen"> -ServerURL: ldap://massive.abmas.org:389 -Admins: cn=Manager,dc=abmas,dc=biz -Passwd: not24get -usersuffix: ou=People,dc=abmas,dc=biz -groupsuffix: ou=Groups,dc=abmas,dc=biz -hostsuffix: ou=Computers,dc=abmas,dc=biz -domainsuffix: ou=Domains,dc=abmas,dc=biz -MinUID: 0 -MaxUID: 65535 -MinGID: 0 -MaxGID: 65535 -MinMachine: 20000 -MaxMachine: 25000 -userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber -grouplistAttributes: #cn;#gidNumber;#memberUID;#description -hostlistAttributes: #cn;#description;#uidNumber;#gidNumber -maxlistentries: 30 -defaultLanguage: en_GB:ISO-8859-1:English (Great Britain) -scriptPath: -scriptServer: -samba3: yes -cachetimeout: 5 -pwdhash: SSHA -</pre></div></div><br class="example-break"></div><div class="sect1" title="IDEALX Management Console"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id389839"></a>IDEALX Management Console</h2></div></div></div><p> - IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive - web-based management interface for UNIX and Linux systems. - </p><p> - The Samba toolset is the first console developped for IMC. It offers a simple and ergonomic - interface for managing a Samba domain controler. The goal is to give Linux administrators who - need to manage production Samba servers an effective, intuitive and consistent management - experience. An IMC screenshot of the user management tool is shown in <a class="link" href="appendix.html#imcidealx" title="Figure 15.12. The IMC Samba User Account Screen">“The IMC Samba User Account Screen”</a>. - </p><div class="figure"><a name="imcidealx"></a><p class="title"><b>Figure 15.12. 
The IMC Samba User Account Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/imc-usermanager2.png" width="216" alt="The IMC Samba User Account Screen"></div></div></div><br class="figure-break"><p> - IMC is built on a set of Perl modules. Most modules are standard CPAN modules. Some are bundled with IMC, - but will soon to be hosted on the CPAN independently, like Struts4P, a port of Struts to the Perl language. - </p><p> - For further information regarding IMC refer to the web <a class="ulink" href="http://imc.sourceforge.net/" target="_top">site.</a> - Prebuilt RPM packages are also <a class="ulink" href="http://imc.sourceforge.net/download.html" target="_top">available.</a> - </p></div><div class="sect1" title="Effect of Setting File and Directory SUID/SGID Permissions Explained"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12-SUIDSGID"></a>Effect of Setting File and Directory SUID/SGID Permissions Explained</h2></div></div></div><a class="indexterm" name="id389935"></a><a class="indexterm" name="id389942"></a><p> - The setting of the SUID/SGID bits on the file or directory permissions flag has particular - consequences. If the file is executable and the SUID bit is set, it executes with the privilege - of (with the UID of) the owner of the file. For example, if you are logged onto a system as - a normal user (let's say as the user <code class="constant">bobj</code>), and you execute a file that is owned - by the user <code class="constant">root</code> (uid = 0), and the file has the SUID bit set, then the file is - executed as if you had logged in as the user <code class="constant">root</code> and then executed the file. - The SUID bit effectively gives you (as <code class="constant">bobj</code>) administrative privilege for the - use of that executable file. 
- </p><p> - The setting of the SGID bit does precisely the same as the effect of the SUID bit, except that it - applies the privilege to the UNIX group setting. In other words, the file executes with the force - of capability of the group. - </p><p> - When the SUID/SGID permissions are set on a directory, all files that are created within that directory - are automatically given the ownership of the SUID user and the SGID group, as per the ownership - of the directory in which the file is created. This means that the system level <code class="literal">create()</code> - function executes with the SUID user and/or SGID group of the directory in which the file is - created. - </p><p> - If you want to obtain the SUID behavior, simply execute the following command: -</p><pre class="screen"> -<code class="prompt">root# </code> chmod u+s file-or-directory -</pre><p> - To set the SGID properties on a file or a directory, execute this command: -</p><pre class="screen"> -<code class="prompt">root# </code> chmod g+s file-or-directory -</pre><p> - And to set both SUID and SGID properties, execute the following: -</p><pre class="screen"> -<code class="prompt">root# </code> chmod ug+s file-or-directory -</pre><p> - </p><p> - Let's consider the example of a directory <code class="filename">/data/accounts</code>. The permissions on this - directory before setting both SUID and SGID on this directory are: -</p><pre class="screen"> -<code class="prompt">root# </code> ls -al /data/accounts -total 1 -drwxr-xr-x 10 root root 232 Dec 18 17:08 . -drwxr-xr-x 21 root root 600 Dec 17 23:15 .. -drwxrwxrwx 2 bobj Domain Users 48 Dec 18 17:08 accounts/ -drwx------ 2 root root 48 Jan 26 2002 lost+found -</pre><p> - In this example, if the user <code class="constant">maryv</code> creates a file, it is owned by her. 
- If <code class="constant">maryv</code> has the primary group of <code class="constant">Accounts</code>, the file is - owned by the group <code class="constant">Accounts</code>, as shown in this listing: -</p><pre class="screen"> -<code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt -drw-rw-r-- 2 maryv Accounts 12346 Dec 18 17:53 -</pre><p> - </p><p> - Now you set the SUID and SGID and check the result as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> chmod ug+s /data/accounts -<code class="prompt">root# </code> ls -al /data/accounts -total 1 -drwxr-xr-x 10 root root 232 Dec 18 17:08 . -drwxr-xr-x 21 root root 600 Dec 17 23:15 .. -drwsrwsr-x 2 bobj Domain Users 48 Dec 18 17:08 accounts -drwx------ 2 root root 48 Jan 26 2002 lost+found -</pre><p> - If <code class="constant">maryv</code> creates a file in this directory after this change has been made, the - file is owned by the user <code class="constant">bobj</code>, and the group is set to the group - <code class="constant">Domain Users</code>, as shown here: -</p><pre class="screen"> -<code class="prompt">root# </code> chmod ug+s /data/accounts -<code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt -total 1 -drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt -</pre><p> - </p></div><div class="sect1" title="Shared Data Integrity"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12dblck"></a>Shared Data Integrity</h2></div></div></div><p><a class="indexterm" name="id390147"></a><a class="indexterm" name="id390155"></a> - The integrity of shared data is often viewed as a particularly emotional issue, especially where - there are concurrent problems with multiuser data access. Contrary to the assertions of some who have - experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter. 
- </p><p> - The solution to concurrent multiuser data access problems must consider three separate areas - from which the problem may stem:<a class="indexterm" name="id390175"></a><a class="indexterm" name="id390186"></a><a class="indexterm" name="id390197"></a> - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>application-level locking controls</p></li><li class="listitem"><p>client-side locking controls</p></li><li class="listitem"><p>server-side locking controls</p></li></ul></div><p><a class="indexterm" name="id390229"></a><a class="indexterm" name="id390237"></a> - Many database applications use some form of application-level access control. An example of one - well-known application that uses application-level locking is Microsoft Access. Detailed guidance - is provided here because this is the most common application for which problems have been reported. - </p><p><a class="indexterm" name="id390251"></a><a class="indexterm" name="id390259"></a> - Common applications that are affected by client- and server-side locking controls include MS - Excel and Act!. Important locking guidance is provided here. - </p><div class="sect2" title="Microsoft Access"><div class="titlepage"><div><div><h3 class="title"><a name="id390270"></a>Microsoft Access</h3></div></div></div><p> - The best advice that can be given is to carefully read the Microsoft knowledgebase articles that - cover this area. Examples of relevant documents include: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;208778</p></li><li class="listitem"><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;299373</p></li></ul></div><p><a class="indexterm" name="id390294"></a><a class="indexterm" name="id390306"></a> - Make sure that your MS Access database file is configured for multiuser access (not set for - exclusive open). 
Open MS Access on each client workstation, then set the following: <span class="guimenu">(Menu bar) Tools</span>+<span class="guimenu">Options</span>+<span class="guimenu">[tab] General</span>. Set network path to Default database folder: <code class="filename">\\server\share\folder</code>. - </p><p> - You can configure MS Access file sharing behavior as follows: click <span class="guimenu">[tab] Advanced</span>. - Set:<a class="indexterm" name="id390353"></a> - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Default open mode: Shared</p></li><li class="listitem"><p>Default Record Locking: Edited Record</p></li><li class="listitem"><p>Open databases using record_level locking</p></li></ul></div><p><a class="indexterm" name="id390382"></a> - You must now commit the changes so that they will take effect. To do so, click - <span class="guimenu">Apply</span><span class="guimenu">Ok</span>. At this point, you should exit MS Access, restart - it, and then validate that these settings have not changed. - </p></div><div class="sect2" title="Act! Database Sharing"><div class="titlepage"><div><div><h3 class="title"><a name="id390409"></a>Act! Database Sharing</h3></div></div></div><p><a class="indexterm" name="id390415"></a><a class="indexterm" name="id390423"></a> - Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you - must disable opportunistic locking on the server and all workstations. Failure to do so - results in data corruption. This information is available from the Act! Web site - knowledgebase articles - <a class="ulink" href="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925" target="_top">1998223162925</a> - as well as from article - <a class="ulink" href="http://itdomino.saleslogix.com/act.nsf/docid/200110485036" target="_top">200110485036</a>. 
- </p><p><a class="indexterm" name="id390449"></a><a class="indexterm" name="id390457"></a> - These documents clearly state that opportunistic locking must be disabled on both - the server (Samba in the case we are interested in here), as well as on every workstation - from which the centrally shared Act! database will be accessed. Act! provides - a tool called <code class="literal">Act!Diag</code> that may be used to disable all workstation - registry settings that may otherwise interfere with the operation of Act! - Registered Act! users may download this utility from the Act! Web - <a class="ulink" href="http://www.act.com/support/updates/index.cfm" target="_top">site.</a> - </p></div><div class="sect2" title="Opportunistic Locking Controls"><div class="titlepage"><div><div><h3 class="title"><a name="id390484"></a>Opportunistic Locking Controls</h3></div></div></div><p><a class="indexterm" name="id390491"></a> - Third-party Windows applications may not be compatible with the use of opportunistic file - and record locking. For applications that are known not to be compatible,<sup>[<a name="id390501" href="#ftn.id390501" class="footnote">14</a>]</sup> oplock - support may need to be disabled both on the Samba server and on the Windows workstations. - </p><p><a class="indexterm" name="id390512"></a><a class="indexterm" name="id390520"></a><a class="indexterm" name="id390528"></a> - Oplocks enable a Windows client to cache parts of a file that are being - edited. Another windows client may then request to open the file with the - ability to write to it. The server will then ask the original workstation - that had the file open with a write lock to release its lock. Before - doing so, that workstation must flush the file from cache memory to the - disk or network drive. - </p><p><a class="indexterm" name="id390546"></a> - Disabling of Oplocks usage may require server and client changes. 
- Oplocks may be disabled by file, by file pattern, on the share, or on the - Samba server. - </p><p> - The following are examples showing how Oplock support may be managed using - Samba <code class="filename">smb.conf</code> file settings: -</p><pre class="screen"> -By file: veto oplock files = myfile.mdb - -By Pattern: veto oplock files = /*.mdb/ - -On the Share: oplocks = No - level2 oplocks = No - -On the server: -(in [global]) oplocks = No - level2 oplocks = No -</pre><p> - </p><p> - The following registry entries on Microsoft Windows XP Professional, 2000 Professional, and Windows NT4 - workstation clients must be configured as shown here: -</p><pre class="screen"> -REGEDIT4 - -[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ - Services\LanmanServer\Parameters] - "EnableOplocks"=dword:00000000 - -[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ - Services\LanmanWorkstation\Parameters] - "UseOpportunisticLocking"=dword:00000000 -</pre><p> - </p><p> - Comprehensive coverage of file and record-locking controls is provided in TOSHARG2, Chapter 13. - The information in that chapter was obtained from a wide variety of sources. - </p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id390501" href="#id390501" class="para">14</a>] </sup>Refer to - the application manufacturer's installation guidelines and knowledge base for specific - information regarding compatibility. 
It is often safe to assume that if the software - manufacturer does not specifically mention incompatibilities with opportunistic file - and record locking, or with Windows client file caching, the application is probably - compatible with Windows (as well as Samba) default settings.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch14.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="primer.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 14. Samba Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 16. Networking Primer</td></tr></table></div></body></html> |
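Review bot: the rendered chapter is removed here without any visible update to the pages that link into it; the navheader/navfooter in the deleted file point at ch14.html (prev), primer.html (next), RefSection.html (up) and index.html (home), and the chapter TOC exposes anchors such as #domjoin, #altldapcfg, #ch12-SUIDSGID and #ch12dblck, so those siblings and the book index will carry dangling links to appendix.html unless they are regenerated or pruned in the same change. If docs/htmldocs is now produced from the DocBook source at build time instead of being committed, state that in the commit message so a reviewer can confirm the source still exists; otherwise this deletes the only copy of the oplock guidance (`veto oplock files`, `oplocks = No` / `level2 oplocks = No`, and the `EnableOplocks` / `UseOpportunisticLocking` registry entries). Worth fixing at the source before any regeneration: the SUID/SGID walk-through repeats `chmod ug+s /data/accounts` before the second `ls`, shows a regular file with a directory mode bit (`drw-rw-r-- 2 bobj Domain Users 12346 ... maryvfile.txt`), and credits the change of owner to bobj to the SUID bit, whereas Linux ignores SUID on directories and only the SGID bit causes new files to inherit the directory's group; the owner remains the creating user.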