diff options
Diffstat (limited to 'docs/htmldocs/Samba3-ByExample/appendix.html')
| -rw-r--r-- | docs/htmldocs/Samba3-ByExample/appendix.html | 1060 |
1 files changed, 1060 insertions, 0 deletions
diff --git a/docs/htmldocs/Samba3-ByExample/appendix.html b/docs/htmldocs/Samba3-ByExample/appendix.html new file mode 100644 index 0000000000..77e695835c --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/appendix.html @@ -0,0 +1,1060 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. A Collection of Useful Tidbits</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="ch14.html" title="Chapter 14. Samba Support"><link rel="next" href="primer.html" title="Chapter 16. Networking Primer"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 15. A Collection of Useful Tidbits</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch14.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="primer.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="appendix"></a>Chapter 15. A Collection of Useful Tidbits</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383041">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383432">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id383730">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id383740">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id383783">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id383865">DNS Root Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id383921">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id384378">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#id385293">IDEALX Management Console</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id385724">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id385863">Act! Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id385938">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></div><p> + <a class="indexterm" name="id382496"></a> + <a class="indexterm" name="id382502"></a> + Information presented here is considered to be either basic or well-known material that is informative + yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that + the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps + different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical, + as shown in the example given below. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domjoin"></a>Joining a Domain: Windows 200x/XP Professional</h2></div></div></div><p> + <a class="indexterm" name="id382529"></a> + Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security. + This section steps through the process for making a Windows 200x/XP Professional machine a + member of a Domain Security environment. It should be noted that this process is identical + when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC. + </p><div class="procedure"><a name="id382539"></a><p class="title"><b>Procedure 15.1. Steps to Join a Domain</b></p><ol type="1"><li><p> + Click <span class="guimenu">Start</span>. + </p></li><li><p> + Right-click <span class="guimenu">My Computer</span>, and then select <span class="guimenuitem">Properties</span>. + </p></li><li><p> + The opening panel is the same one that can be reached by clicking <span class="guimenu">System</span> on the Control Panel. + See <a href="appendix.html#swxpp001" title="Figure 15.1. The General Panel.">???</a>. + </p><div class="figure"><a name="swxpp001"></a><p class="title"><b>Figure 15.1. The General Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp001.png" alt="The General Panel."></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Click the <span class="guimenu">Computer Name</span> tab. + This panel shows the <span class="guimenuitem">Computer Description</span>, the <span class="guimenuitem">Full computer name</span>, + and the <span class="guimenuitem">Workgroup</span> or <span class="guimenuitem">Domain name</span>. + </p><p> + Clicking the <span class="guimenu">Network ID</span> button launches the configuration wizard. Do not use this with + Samba-3. If you wish to change the computer name, or join or leave the domain, click the <span class="guimenu">Change</span> button. + See <a href="appendix.html#swxpp004" title="Figure 15.2. The Computer Name Panel.">???</a>. + </p><div class="figure"><a name="swxpp004"></a><p class="title"><b>Figure 15.2. The Computer Name Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp004.png" alt="The Computer Name Panel."></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Click on <span class="guimenu">Change</span>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP. + We join the domain called MIDEARTH. See <a href="appendix.html#swxpp006" title="Figure 15.3. The Computer Name Changes Panel">???</a>. + </p><div class="figure"><a name="swxpp006"></a><p class="title"><b>Figure 15.3. The Computer Name Changes Panel</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp006.png" alt="The Computer Name Changes Panel"></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Enter the name <span class="guimenu">MIDEARTH</span> in the field below the Domain radio button. + </p><p> + This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <a href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">???</a>. + </p><div class="figure"><a name="swxpp007"></a><p class="title"><b>Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp007.png" alt="The Computer Name Changes Panel Domain MIDEARTH"></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Now click the <span class="guimenu">OK</span> button. A dialog box should appear to allow you to provide the credentials (username and password) + of a domain administrative account that has the rights to add machines to the domain. + </p><p> + Enter the name “<span class="quote">root</span>” and the root password from your Samba-3 server. See <a href="appendix.html#swxpp008" title="Figure 15.5. Computer Name Changes User name and Password Panel">???</a>. + </p><div class="figure"><a name="swxpp008"></a><p class="title"><b>Figure 15.5. Computer Name Changes User name and Password Panel</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp008.png" alt="Computer Name Changes User name and Password Panel"></div></div></div><p><br class="figure-break"> + </p></li><li><p> + Click <span class="guimenu">OK</span>. + </p><p> + The “<span class="quote">Welcome to the MIDEARTH domain</span>” dialog box should appear. At this point, the machine must be rebooted. + Joining the domain is now complete. + </p></li></ol></div><p> + <a class="indexterm" name="id382944"></a> + <a class="indexterm" name="id382951"></a> + The screen capture shown in <a href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">???</a> has a button labeled <span class="guimenu">More...</span>. This button opens a + panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members + of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace. + </p><p> + <a class="indexterm" name="id382974"></a> + <a class="indexterm" name="id382981"></a> + Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers + register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server + to find the services (like which machines are domain controllers or which machines have the Netlogon service running). + </p><p> + <a class="indexterm" name="id382996"></a> + The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix, + this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to + a valid IP address. + </p><p> + The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain. + Where the client is a member of a Samba domain, it is preferable to leave this field blank. + </p><p> + <a class="indexterm" name="id383016"></a> + According to Microsoft documentation, “<span class="quote">If this computer belongs to a group with <code class="constant">Group Policy</code> + enabled on <code class="literal">Primary DNS suffice of this computer</code>, the string specified in the Group Policy is used + as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is + used only if Group Policy is disabled or unspecified.</span>” + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id383041"></a>Samba System File Location</h2></div></div></div><p><a class="indexterm" name="id383048"></a><a class="indexterm" name="id383056"></a><a class="indexterm" name="id383063"></a> + One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team + build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is + in the <code class="filename">/usr/local/samba</code> directory. This is a perfectly reasonable location, particularly given all the other + Open Source software that installs into the <code class="filename">/usr/local</code> subdirectories. + </p><p> + Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team + default. + </p><p><a class="indexterm" name="id383094"></a><a class="indexterm" name="id383105"></a><a class="indexterm" name="id383113"></a><a class="indexterm" name="id383124"></a><a class="indexterm" name="id383132"></a><a class="indexterm" name="id383143"></a><a class="indexterm" name="id383150"></a><a class="indexterm" name="id383158"></a><a class="indexterm" name="id383166"></a><a class="indexterm" name="id383174"></a><a class="indexterm" name="id383182"></a><a class="indexterm" name="id383190"></a><a class="indexterm" name="id383198"></a><a class="indexterm" name="id383205"></a><a class="indexterm" name="id383213"></a><a class="indexterm" name="id383221"></a> + Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy + System (FHS), have elected to locate the configuration files under the <code class="filename">/etc/samba</code> directory, common binary + files (those used by users) in the <code class="filename">/usr/bin</code> directory, and the administrative files (daemons) in the + <code class="filename">/usr/sbin</code> directory. Support files for the Samba Web Admin Tool (SWAT) are located under the + <code class="filename">/usr/share</code> directory, either in <code class="filename">/usr/share/samba/swat</code> or in + <code class="filename">/usr/share/swat</code>. There are additional support files for <code class="literal">smbd</code> in the + <code class="filename">/usr/lib/samba</code> directory tree. The files located there include the dynamically loadable modules for the + passdb backend as well as for the VFS modules. + </p><p><a class="indexterm" name="id383285"></a><a class="indexterm" name="id383292"></a><a class="indexterm" name="id383300"></a> + Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in + the <code class="filename">/var/lib/samba</code> directory. Log files are created in <code class="filename">/var/log/samba.</code> + </p><p> + When Samba is built and installed using the default Samba Team process, all files are located under the + <code class="filename">/usr/local/samba</code> directory tree. This makes it simple to find the files that Samba owns. + </p><p><a class="indexterm" name="id383335"></a> + One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location + of all files called <code class="literal">smbd</code>. Here is an example: +</p><pre class="screen"> +<code class="prompt">root# </code> find / -name smbd -print +</pre><p> + You can find the location of the configuration files by running: +</p><pre class="screen"> +<code class="prompt">root# </code> /path-to-binary-file/smbd -b | more +... +Paths: + SBINDIR: /usr/sbin + BINDIR: /usr/bin + SWATDIR: /usr/share/samba/swat + CONFIGFILE: /etc/samba/smb.conf + LOGFILEBASE: /var/log/samba + LMHOSTSFILE: /etc/samba/lmhosts + LIBDIR: /usr/lib/samba + SHLIBEXT: so + LOCKDIR: /var/lib/samba + PIDDIR: /var/run/samba + SMB_PASSWD_FILE: /etc/samba/smbpasswd + PRIVATE_DIR: /etc/samba +... +</pre><p> + If you wish to locate the Samba version, just run: +</p><pre class="screen"> +<code class="prompt">root# </code> /path-to-binary-file/smbd -V +Version 3.0.20-SUSE +</pre><p> + </p><p> + Many people have been caught by installation of Samba using the default Samba Team process when it was already installed + by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by + executing:<a class="indexterm" name="id383400"></a> +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -qa | grep samba +samba3-pdb-3.0.20-1 +samba3-vscan-0.3.6-0 +samba3-winbind-3.0.20-1 +samba3-3.0.20-1 +samba3-python-3.0.20-1 +samba3-utils-3.0.20-1 +samba3-doc-3.0.20-1 +samba3-client-3.0.20-1 +samba3-cifsmount-3.0.20-1 + </pre><p><a class="indexterm" name="id383420"></a> + The package names, of course, vary according to how the vendor, or the binary package builder, prepared them. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id383432"></a>Starting Samba</h2></div></div></div><p><a class="indexterm" name="id383439"></a> + Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. + An example of a service is the Apache Web server for which the daemon is called <code class="literal">httpd</code>. In the case of Samba, there + are three daemons, two of which are needed as a minimum. + </p><p> + The Samba server is made up of the following daemons: + </p><div class="example"><a name="ch12SL"></a><p class="title"><b>Example 15.1. A Useful Samba Control Script for SUSE Linux</b></p><div class="example-contents"><pre class="screen"> +#!/bin/bash +# +# Script to start/stop samba +# Locate this in /sbin as a file called 'samba' + +RCD=/etc/rc.d + +if [ z$1 == 'z' ]; then + echo $0 - No arguments given; must be start or stop. + exit +fi + +if [ $1 == 'start' ]; then + ${RCD}/nmb start + ${RCD}/smb start + ${RCD}/winbind start + +fi +if [ $1 == 'stop' ]; then + ${RCD}/smb stop + ${RCD}/winbind stop + ${RCD}/nmb stop +fi +if [ $1 == 'restart' ]; then + ${RCD}/smb stop + ${RCD}/winbind stop + ${RCD}/nmb stop + sleep 5 + ${RCD}/nmb start + ${RCD}/smb start + ${RCD}/winbind start +fi +exit 0 +</pre></div></div><br class="example-break"><div class="variablelist"><dl><dt><span class="term">nmbd</span></dt><dd><p> + <a class="indexterm" name="id383493"></a> + <a class="indexterm" name="id383500"></a> + This daemon handles all name registration and resolution requests. It is the primary vehicle involved + in network browsing. It handles all UDP-based protocols. The <code class="literal">nmbd</code> daemon should + be the first command started as part of the Samba startup process. + </p></dd><dt><span class="term">smbd</span></dt><dd><p> + <a class="indexterm" name="id383527"></a> + <a class="indexterm" name="id383534"></a> + This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also + manages local authentication. It should be started immediately following the startup of <code class="literal">nmbd</code>. + </p></dd><dt><span class="term">winbindd</span></dt><dd><p> + <a class="indexterm" name="id383560"></a> + <a class="indexterm" name="id383567"></a> + This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when + Samba has trust relationships with another domain. The <code class="literal">winbindd</code> daemon will check the + <code class="filename">smb.conf</code> file for the presence of the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em> + parameters. If they are not found, <code class="literal">winbindd</code> bails out and refuses to start. + </p></dd></dl></div><p> + When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its + integration into the platform as a whole. Please refer to your operating system platform administration manuals for + specific information pertaining to correct management of Samba startup. + </p><div class="example"><a name="ch12RHscript"></a><p class="title"><b>Example 15.2. A Sample Samba Control Script for Red Hat Linux</b></p><div class="example-contents"><pre class="screen"> +#!/bin/sh +# +# chkconfig: 345 81 35 +# description: Starts and stops the Samba smbd and nmbd daemons \ +# used to provide SMB network services. + +# Source function library. +. /etc/rc.d/init.d/functions +# Source networking configuration. +. /etc/sysconfig/network +# Check that networking is up. +[ ${NETWORKING} = "no" ] && exit 0 +CONFIG=/etc/samba/smb.conf +# Check that smb.conf exists. +[ -f $CONFIG ] || exit 0 + +# See how we were called. +case "$1" in + start) + echo -n "Starting SMB services: " + daemon smbd -D; daemon nmbd -D; echo; + touch /var/lock/subsys/smb + ;; + stop) + echo -n "Shutting down SMB services: " + smbdpids=`ps guax | grep smbd | grep -v grep | awk '{print $2}'` + for pid in $smbdpids; do + kill -TERM $pid + done + killproc nmbd -TERM; rm -f /var/lock/subsys/smb + echo "" + ;; + status) + status smbd; status nmbd; + ;; + restart) + echo -n "Restarting SMB services: " + $0 stop; $0 start; + echo "done." + ;; + *) + echo "Usage: smb {start|stop|restart|status}" + exit 1 +esac +</pre></div></div><br class="example-break"><p><a class="indexterm" name="id383659"></a> + SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently + executed from the command line is shown in <a href="appendix.html#ch12SL" title="Example 15.1. A Useful Samba Control Script for SUSE Linux">???</a>. This can be located in the directory + <code class="filename">/sbin</code> in a file called <code class="filename">samba</code>. This type of control script should be + owned by user root and group root, and set so that only root can execute it. + </p><p><a class="indexterm" name="id383691"></a> + A sample startup script for a Red Hat Linux system is shown in <a href="appendix.html#ch12RHscript" title="Example 15.2. A Sample Samba Control Script for Red Hat Linux">???</a>. + This file could be located in the directory <code class="filename">/etc/rc.d</code> and can be called + <code class="filename">samba</code>. A similar startup script is required to control <code class="literal">winbind</code>. + If you want to find more information regarding startup scripts please refer to the packaging section of + the Samba source code distribution tarball. The packaging files for each platform include a + startup control file. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id383730"></a>DNS Configuration Files</h2></div></div></div><p> + The following files are common to all DNS server configurations. Rather than repeat them multiple times, they + are presented here for general reference. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383740"></a>The Forward Zone File for the Loopback Adaptor</h3></div></div></div><p> + The forward zone file for the loopback address never changes. An example file is shown + in <a href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">???</a>. All traffic destined for an IP address that is hosted on a + physical interface on the machine itself is routed to the loopback adaptor. This is + a fundamental design feature of the TCP/IP protocol implementation. The loopback adaptor + is called <code class="constant">localhost</code>. + </p><div class="example"><a name="loopback"></a><p class="title"><b>Example 15.3. DNS Localhost Forward Zone File: <code class="filename">/var/lib/named/localhost.zone</code></b></p><div class="example-contents"><pre class="screen"> +$TTL 1W +@ IN SOA @ root ( + 42 ; serial + 2D ; refresh + 4H ; retry + 6W ; expiry + 1W ) ; minimum + + IN NS @ + IN A 127.0.0.1 +</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383783"></a>The Reverse Zone File for the Loopback Adaptor</h3></div></div></div><p> + The reverse zone file for the loopback address as shown in <a href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">???</a> + is necessary so that references to the address <code class="constant">127.0.0.1</code> can be + resolved to the correct name of the interface. + </p><div class="example"><a name="dnsloopy"></a><p class="title"><b>Example 15.4. DNS Localhost Reverse Zone File: <code class="filename">/var/lib/named/127.0.0.zone</code></b></p><div class="example-contents"><pre class="screen"> +$TTL 1W +@ IN SOA localhost. root.localhost. ( + 42 ; serial + 2D ; refresh + 4H ; retry + 6W ; expiry + 1W ) ; minimum + + IN NS localhost. +1 IN PTR localhost. +</pre></div></div><br class="example-break"><div class="example"><a name="roothint"></a><p class="title"><b>Example 15.5. DNS Root Name Server Hint File: <code class="filename">/var/lib/named/root.hint</code></b></p><div class="example-contents"><pre class="screen"> +; This file is made available by InterNIC under anonymous FTP as +; file /domain/named.root +; on server FTP.INTERNIC.NET +; last update: Nov 5, 2002. Related version of root zone: 2002110501 +; formerly NS.INTERNIC.NET +. 3600000 IN NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +; formerly NS1.ISI.EDU +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107 +; formerly C.PSI.NET +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +; formerly TERP.UMD.EDU +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90 +; formerly NS.NASA.GOV +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +; formerly NS.ISC.ORG +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +; formerly NS.NIC.DDN.MIL +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +; formerly AOS.ARL.ARMY.MIL +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53 +; formerly NIC.NORDU.NET +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +; operated by VeriSign, Inc. +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 +; housed in LINX, operated by RIPE NCC +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +; operated by IANA +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12 +; housed in Japan, operated by WIDE +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +; End of File +</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383865"></a>DNS Root Server Hint File</h3></div></div></div><p> + The content of the root hints file as shown in <a href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">???</a> changes slowly over time. + Periodically this file should be updated from the source shown. Because + of its size, this file is located at the end of this chapter. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="altldapcfg"></a>Alternative LDAP Database Initialization</h2></div></div></div><p><a class="indexterm" name="id383894"></a><a class="indexterm" name="id383906"></a> + The following procedure may be used as an alternative means of configuring + the initial LDAP database. Many administrators prefer to have greater control + over how system files get configured. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id383921"></a>Initialization of the LDAP Database</h3></div></div></div><p><a class="indexterm" name="id383928"></a><a class="indexterm" name="id383935"></a><a class="indexterm" name="id383947"></a> + The first step to get the LDAP server ready for action is to create the LDIF file from + which the LDAP database will be preloaded. This is necessary to create the containers + into which the user, group, and other accounts are written. It is also necessary to + preload the well-known Windows NT Domain Groups, as they must have the correct SID so + that they can be recognized as special NT Groups by the MS Windows clients. + </p><div class="procedure"><a name="ldapinit"></a><p class="title"><b>Procedure 15.2. LDAP Directory Pre-Load Steps</b></p><ol type="1"><li><p> + Create a directory in which to store the files you use to generate + the LDAP LDIF file for your system. Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir /etc/openldap/SambaInit +<code class="prompt">root# </code> chown root:root /etc/openldap/SambaInit +<code class="prompt">root# </code> chmod 700 /etc/openldap/SambaInit +</pre><p> + </p></li><li><p> + Install the files shown in <a href="appendix.html#sbehap-ldapreconfa" title="Example 15.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A">???</a>, <a href="appendix.html#sbehap-ldapreconfb" title="Example 15.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B">???</a>, + and <a href="appendix.html#sbehap-ldapreconfc" title="Example 15.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C">???</a> into the directory + <code class="filename">/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh.</code> These three files are, + respectively, parts A, B, and C of the <code class="filename">SMBLDAP-ldif-preconfig.sh</code> file. + </p></li><li><p> + Install the files shown in <a href="appendix.html#sbehap-ldifpata" title="Example 15.9. LDIF Pattern File Used to Pre-configure LDAP Part A">???</a> and <a href="appendix.html#sbehap-ldifpatb" title="Example 15.10. LDIF Pattern File Used to Pre-configure LDAP Part B">???</a> into the directory + <code class="filename">/etc/openldap/SambaInit/.</code> These two files are + parts A and B, respectively, of the <code class="filename">init-ldif.pat</code> file. + </p></li><li><p> + Change to the <code class="filename">/etc/openldap/SambaInit</code> directory. Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> sh SMBLDAP-ldif-preconfig.sh + +How do you wish to refer to your organization? +Suggestions: + Black Tire Company, Inc. + Cat With Hat Ltd. +How would you like your organization name to appear? +Your organization name is: My Organization +Enter a new name is this is not what you want, press Enter to Continue. +Name [My Organization]: Abmas Inc. + +Samba Config File Location [/etc/samba/smb.conf]: +Enter a new full path or press Enter to continue. +Samba Config File Location [/etc/samba/smb.conf]: +Domain Name: MEGANET2 +Domain SID: S-1-5-21-3504140859-1010554828-2431957765 + +The name of your Internet domain is now needed in a special format +as follows, if your domain name is mydomain.org, what we need is +the information in the form of: + Domain ID: mydomain + Top level: org +If your fully qualified hostname is: snoopy.bazaar.garagesale.net +where "snoopy" is the name of the machine, +Then the information needed is: + Domain ID: garagesale + Top Level: net + +Found the following domain name: abmas.biz +I think the bit we are looking for might be: abmas +Enter the domain name or press Enter to continue: + +The top level organization name I will use is: biz +Enter the top level org name or press Enter to continue: +<code class="prompt">root# </code> +</pre><p> + This creates a file called <code class="filename">MEGANET2.ldif</code>. + </p></li><li><p> + It is now time to preload the LDAP database with the following + command: +</p><pre class="screen"> +<code class="prompt">root# </code> slapadd -v -l MEGANET2.ldif +added: "dc=abmas,dc=biz" (00000001) +added: "cn=Manager,dc=abmas,dc=biz" (00000002) +added: "ou=People,dc=abmas,dc=biz" (00000003) +added: "ou=Computers,dc=abmas,dc=biz" (00000004) +added: "ou=Groups,dc=abmas,dc=biz" (00000005) +added: "ou=Domains,dc=abmas,dc=biz" (00000006) +added: "sambaDomainName=MEGANET2,ou=Domains,dc=abmas,dc=biz" (00000007) +added: "cn=domadmins,ou=Groups,dc=abmas,dc=biz" (00000008) +added: "cn=domguests,ou=Groups,dc=abmas,dc=biz" (00000009) +added: "cn=domusers,ou=Groups,dc=abmas,dc=biz" (0000000a) +</pre><p> + You should verify that the account information was correctly loaded by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +dc: abmas +o: Abmas Inc. +description: Posix and Samba LDAP Identity Database +structuralObjectClass: organization +entryUUID: af552f8e-c4a1-1027-9002-9421e01bf474 +creatorsName: cn=manager,dc=abmas,dc=biz +modifiersName: cn=manager,dc=abmas,dc=biz +createTimestamp: 20031217055747Z +modifyTimestamp: 20031217055747Z +entryCSN: 2003121705:57:47Z#0x0001#0#0000 +... + +dn: cn=domusers,ou=Groups,dc=abmas,dc=biz +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 513 +cn: domusers +sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513 +sambaGroupType: 2 +displayName: Domain Users +description: Domain Users +structuralObjectClass: posixGroup +entryUUID: af7e98ba-c4a1-1027-900b-9421e01bf474 +creatorsName: cn=manager,dc=abmas,dc=biz +modifiersName: cn=manager,dc=abmas,dc=biz +createTimestamp: 20031217055747Z +modifyTimestamp: 20031217055747Z +entryCSN: 2003121705:57:47Z#0x000a#0#0000 +</pre><p> + </p></li><li><p> + Your LDAP database is ready for testing. You can now start the LDAP server + using the system tool for your Linux operating system. For SUSE Linux, you can + do this as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap start +</pre><p> + </p></li><li><p> + It is now a good idea to validate that the LDAP server is running correctly. + Execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)" +# extended LDIF +# +# LDAPv3 +# base <dc=abmas,dc=biz> with scope sub +# filter: (ObjectClass=*) +# requesting: ALL +# + +# abmas.biz +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +dc: abmas +o: Abmas Inc. +description: Posix and Samba LDAP Identity Database +... +# domusers, Groups, abmas.biz +dn: cn=domusers,ou=Groups,dc=abmas,dc=biz +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 513 +cn: domusers +sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513 +sambaGroupType: 2 +displayName: Domain Users +description: Domain Users + +# search result +search: 2 +result: 0 Success + +# numResponses: 11 +# numEntries: 10 +</pre><p> + Your LDAP server is ready for creation of additional accounts. + </p></li></ol></div></div><div class="example"><a name="sbehap-ldapreconfa"></a><p class="title"><b>Example 15.6. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part A</b></p><div class="example-contents"><pre class="screen"> +#!/bin/bash +# +# This script prepares the ldif LDAP load file only +# + +# Pattern File Name +file=init-ldif.pat + +# The name of my organization +ORGNAME="My Organization" + +# My Internet domain. ie: if my domain is: buckets.org, INETDOMAIN="buckets" +INETDOMAIN="my-domain" + +# In the above case, md domain is: buckets.org, TLDORG="org" +TLDORG="org" + +# This is the Samba Domain/Workgroup Name +DOMNAME="MYWORKGROUP" + +# +# Here We Go ... +# + +cat <<EOF + +How do you wish to refer to your organization? + +Suggestions: + Black Tire Company, Inc. + Cat With Hat Ltd. + +How would you like your organization name to appear? + +EOF + +echo "Your organization name is: $ORGNAME" +echo +echo "Enter a new name or, press Enter to Continue." +echo +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldapreconfb"></a><p class="title"><b>Example 15.7. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part B</b></p><div class="example-contents"><pre class="screen"> +echo -e -n "Name [$ORGNAME]: " + read name + +if [ ! -z "$name" ]; then + ORGNAME=${name} +fi +echo +sed "s/ORGNAME/${ORGNAME}/g" < $file > $file.tmp1 + +# Try to find smb.conf + +if [ -e /usr/local/samba/lib/smb.conf ]; then + CONF=/usr/local/samba/lib/smb.conf +elif [ -e /etc/samba/smb.conf ]; then + CONF=/etc/samba/smb.conf +fi + +echo "Samba Config File Location [$CONF]: " +echo +echo "Enter a new full path or press Enter to continue." +echo +echo -n "Samba Config File Location [$CONF]: " + read name +if [ ! -z "$name" ]; then + CONF=$name +fi +echo + +# Find the name of our Domain/Workgroup +DOMNAME=`grep -i workgroup ${CONF} | sed "s/ //g" | cut -f2 -d=` +echo Domain Name: $DOMNAME +echo + +sed "s/DOMNAME/${DOMNAME}/g" < $file.tmp1 > $file.tmp2 + +DOMSID=`net getlocalsid ${DOMNAME} | cut -f2 -d: | sed "s/ //g"` +echo Domain SID: $DOMSID + +sed "s/DOMSID/${DOMSID}/g" < $file.tmp2 > $file.tmp1 +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldapreconfc"></a><p class="title"><b>Example 15.8. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part C</b></p><div class="example-contents"><pre class="screen"> +cat >>EOL +The name of your Internet domain is now needed in a special format +as follows, if your domain name is mydomain.org, what we need is +the information in the form of: + Domain ID: mydomain + Top level: org + +If your fully qualified hostname is: snoopy.bazaar.garagesale.net +where "snoopy" is the name of the machine, +Then the information needed is: + Domain ID: garagesale + Top Level: net + +EOL +INETDOMAIN=`hostname -d | cut -f1 -d.` +echo Found the following domain name: `hostname -d` +echo "I think the bit we are looking for might be: $INETDOMAIN" +echo +echo -n "Enter the domain name or press Enter to continue: " + read domnam +if [ ! -z $domnam ]; then + INETDOMAIN=$domnam +fi +echo +sed "s/INETDOMAIN/${INETDOMAIN}/g" < $file.tmp1 > $file.tmp2 +TLDORG=`hostname -d | sed "s/${INETDOMAIN}.//g"` +echo "The top level organization name I will use is: ${TLDORG}" +echo +echo -n "Enter the top level org name or press Enter to continue: " + read domnam +if [ ! -z $domnam ]; then + TLDORG=$domnam +fi +sed "s/TLDORG/${TLDORG}/g" < $file.tmp2 > $DOMNAME.ldif +rm $file.tmp* +exit 0 +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifpata"></a><p class="title"><b>Example 15.9. LDIF Pattern File Used to Pre-configure LDAP Part A</b></p><div class="example-contents"><pre class="screen"> +dn: dc=INETDOMAIN,dc=TLDORG +objectClass: dcObject +objectClass: organization +dc: INETDOMAIN +o: ORGNAME +description: Posix and Samba LDAP Identity Database + +dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG +objectClass: organizationalRole +cn: Manager +description: Directory Manager + +dn: ou=People,dc=INETDOMAIN,dc=TLDORG +objectClass: top +objectClass: organizationalUnit +ou: People + +dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG +objectClass: top +objectClass: organizationalUnit +ou: Computers + +dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG +objectClass: top +objectClass: organizationalUnit +ou: Groups + +dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG +objectClass: top +objectClass: organizationalUnit +ou: Idmap + +dn: ou=Domains,dc=INETDOMAIN,dc=TLDORG +objectClass: top +objectClass: organizationalUnit +ou: Domains + +dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG +objectClass: sambaDomain +sambaDomainName: DOMNAME +sambaSID: DOMSID +sambaAlgorithmicRidBase: 1000 +structuralObjectClass: sambaDomain +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifpatb"></a><p class="title"><b>Example 15.10. LDIF Pattern File Used to Pre-configure LDAP Part B</b></p><div class="example-contents"><pre class="screen"> +dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 512 +cn: domadmins +sambaSID: DOMSID-512 +sambaGroupType: 2 +displayName: Domain Admins +description: Domain Administrators + +dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 514 +cn: domguests +sambaSID: DOMSID-514 +sambaGroupType: 2 +displayName: Domain Guests +description: Domain Guests Users + +dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 513 +cn: domusers +sambaSID: DOMSID-513 +sambaGroupType: 2 +displayName: Domain Users +description: Domain Users +</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id384378"></a>The LDAP Account Manager</h2></div></div></div><p> +<a class="indexterm" name="id384386"></a> +<a class="indexterm" name="id384392"></a> +<a class="indexterm" name="id384401"></a> +<a class="indexterm" name="id384408"></a> +<a class="indexterm" name="id384414"></a> +<a class="indexterm" name="id384421"></a> +<a class="indexterm" name="id384428"></a> +The LDAP Account Manager (LAM) is an application suite that has been written in PHP. +LAM can be used with any Web server that has PHP4 support. It connects to the LDAP +server either using unencrypted connections or via SSL/TLS. LAM can be used to manage +Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines +(hosts). +</p><p> +LAM is available from the <a href="http://sourceforge.net/projects/lam/" target="_top">LAM</a> +home page and from its mirror sites. LAM has been released under the GNU GPL version 2. +The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter +of 2005. +</p><p> +<a class="indexterm" name="id384454"></a> +<a class="indexterm" name="id384461"></a> +<a class="indexterm" name="id384468"></a> +Requirements: +</p><div class="itemizedlist"><ul type="disc"><li><p>A web server that will work with PHP4.</p></li><li><p>PHP4 (available from the <a href="http://www.php.net/" target="_top">PHP</a> home page.)</p></li><li><p>OpenLDAP 2.0 or later.</p></li><li><p>A Web browser that supports CSS.</p></li><li><p>Perl.</p></li><li><p>The gettext package.</p></li><li><p>mcrypt + mhash (optional).</p></li><li><p>It is also a good idea to install SSL support.</p></li></ul></div><p> +LAM is a useful tool that provides a simple Web-based device that can be used to +manage the contents of the LDAP directory to: +<a class="indexterm" name="id384525"></a> +<a class="indexterm" name="id384532"></a> +<a class="indexterm" name="id384539"></a> +</p><div class="itemizedlist"><ul type="disc"><li><p>Display user/group/host and Domain entries.</p></li><li><p>Manage entries (Add/Delete/Edit).</p></li><li><p>Filter and sort entries.</p></li><li><p>Store and use multiple operating profiles.</p></li><li><p>Edit organizational units (OUs).</p></li><li><p>Upload accounts from a file.</p></li><li><p>Is compatible with Samba-2.2.x and Samba-3.</p></li></ul></div><p> +When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba +user, group, and windows domain member machine accounts. +</p><p> +<a class="indexterm" name="id384590"></a> +<a class="indexterm" name="id384596"></a> +<a class="indexterm" name="id384603"></a> +<a class="indexterm" name="id384610"></a> +The default password is “<span class="quote">lam.</span>” It is highly recommended that you use only +an SSL connection to your Web server for all remote operations involving LAM. If you +want secure connections, you must configure your Apache Web server to permit connections +to LAM using only SSL. +</p><div class="procedure"><a name="sbehap-laminst"></a><p class="title"><b>Procedure 15.3. Apache Configuration Steps for LAM</b></p><ol type="1"><li><p> + Extract the LAM package by untarring it as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> tar xzf ldap-account-manager_0.4.9.tar.gz +</pre><p> + Alternatively, install the LAM DEB for your system using the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> dpkg -i ldap-account-manager_0.4.9.all.deb +</pre><p> + </p></li><li><p> + Copy the extracted files to the document root directory of your Web server. + For example, on SUSE Linux Enterprise Server 9, copy to the + <code class="filename">/srv/www/htdocs</code> directory. + </p></li><li><p> + <a class="indexterm" name="id384683"></a> + Set file permissions using the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> chown -R wwwrun:www /srv/www/htdocs/lam +<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/sess +<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/tmp +<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/config +<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/lib/*pl +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id384733"></a> + Using your favorite editor create the following <code class="filename">config.cfg</code> + LAM configuration file: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /srv/www/htdocs/lam/config +<code class="prompt">root# </code> cp config.cfg_sample config.cfg +<code class="prompt">root# </code> vi config.cfg +</pre><p> + <a class="indexterm" name="id384773"></a> + <a class="indexterm" name="id384782"></a> + An example file is shown in <a href="appendix.html#lamcfg" title="Example 15.11. Example LAM Configuration File config.cfg">???</a>. + This is the minimum configuration that must be completed. The LAM profile + file can be created using a convenient wizard that is part of the LAM + configuration suite. + </p></li><li><p> + Start your Web server then, using your Web browser, connect to + <a href="http://localhost/lam" target="_top">LAM</a> URL. Click on the + the <em class="parameter"><code>Configuration Login</code></em> link then click on the + Configuration Wizard link to begin creation of the default profile so that + LAM can connect to your LDAP server. Alternately, copy the + <code class="filename">lam.conf_sample</code> file to a file called + <code class="filename">lam.conf</code> then, using your favorite editor, + change the settings to match local site needs. + </p></li></ol></div><p> + <a class="indexterm" name="id384837"></a> + An example of a working file is shown here in <a href="appendix.html#lamconf" title="Example 15.12. LAM Profile Control File lam.conf">???</a>. + This file has been stripped of comments to keep the size small. The comments + and help information provided in the profile file that the wizard creates + is very useful and will help many administrators to avoid pitfalls. + Your configuration file obviously reflects the configuration options that + are preferred at your site. + </p><p> + <a class="indexterm" name="id384857"></a> + It is important that your LDAP server is running at the time that LAM is + being configured. This permits you to validate correct operation. + An example of the LAM login screen is provided in <a href="appendix.html#lam-login" title="Figure 15.6. The LDAP Account Manager Login Screen">???</a>. + </p><div class="figure"><a name="lam-login"></a><p class="title"><b>Figure 15.6. The LDAP Account Manager Login Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-login.png" width="270" alt="The LDAP Account Manager Login Screen"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id384917"></a> + The LAM configuration editor has a number of options that must be managed correctly. + An example of use of the LAM configuration editor is shown in <a href="appendix.html#lam-config" title="Figure 15.7. The LDAP Account Manager Configuration Screen">???</a>. + It is important that you correctly set the minimum and maximum UID/GID values that are + permitted for use at your site. The default values may not be compatible with a need to + modify initial default account values for well-known Windows network users and groups. + The best work-around is to temporarily set the minimum values to zero (0) to permit + the initial settings to be made. Do not forget to reset these to sensible values before + using LAM to add additional users and groups. + </p><div class="figure"><a name="lam-config"></a><p class="title"><b>Figure 15.7. The LDAP Account Manager Configuration Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-config.png" width="270" alt="The LDAP Account Manager Configuration Screen"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id384982"></a> + LAM has some nice, but unusual features. For example, one unexpected feature in most application + screens permits the generation of a PDF file that lists configuration information. This is a well + thought out facility. This option has been edited out of the following screen shots to conserve + space. + </p><p> + <a class="indexterm" name="id384994"></a> + When you log onto LAM the opening screen drops you right into the user manager as shown in + <a href="appendix.html#lam-user" title="Figure 15.8. The LDAP Account Manager User Edit Screen">???</a>. This is a logical action as it permits the most-needed facility + to be used immediately. The editing of an existing user, as with the addition of a new user, + is easy to follow and very clear in both layout and intent. It is a simple matter to edit + generic settings, UNIX specific parameters, and then Samba account requirements. Each step + involves clicking a button that intuitively drives you through the process. When you have + finished editing simply press the <span class="guimenu">Final</span> button. + </p><div class="figure"><a name="lam-user"></a><p class="title"><b>Figure 15.8. The LDAP Account Manager User Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-users.png" width="270" alt="The LDAP Account Manager User Edit Screen"></div></div></div><br class="figure-break"><p> + The edit screen for groups is shown in <a href="appendix.html#lam-group" title="Figure 15.9. The LDAP Account Manager Group Edit Screen">???</a>. As with the edit screen + for user accounts, group accounts may be rapidly dealt with. <a href="appendix.html#lam-group-mem" title="Figure 15.10. The LDAP Account Manager Group Membership Edit Screen">???</a> + shows a sub-screen from the group editor that permits users to be assigned secondary group + memberships. + </p><div class="figure"><a name="lam-group"></a><p class="title"><b>Figure 15.9. The LDAP Account Manager Group Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-groups.png" width="270" alt="The LDAP Account Manager Group Edit Screen"></div></div></div><br class="figure-break"><div class="figure"><a name="lam-group-mem"></a><p class="title"><b>Figure 15.10. The LDAP Account Manager Group Membership Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-group-members.png" width="270" alt="The LDAP Account Manager Group Membership Edit Screen"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id385162"></a><a class="indexterm" name="id385168"></a> + The final screen presented here is one that you should not normally need to use. Host accounts will + be automatically managed using the smbldap-tools scripts. This means that the screen <a href="appendix.html#lam-host" title="Figure 15.11. The LDAP Account Manager Host Edit Screen">???</a> + will, in most cases, not be used. + </p><div class="figure"><a name="lam-host"></a><p class="title"><b>Figure 15.11. The LDAP Account Manager Host Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-hosts.png" width="270" alt="The LDAP Account Manager Host Edit Screen"></div></div></div><br class="figure-break"><p> + One aspect of LAM that may annoy some users is the way it forces certain conventions on + the administrator. For example, LAM does not permit the creation of Windows user and group + accounts that contain spaces even though the underlying UNIX/Linux + operating system may exhibit no problems with them. Given the propensity for using upper-case + characters and spaces (particularly in the default Windows account names) this may cause + some annoyance. For the rest, LAM is a very useful administrative tool. + </p><p> + The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features + (e.g., logon hours). The new plugin-based architecture also allows management of much more different + account types like plain UNIX accounts. The upload can now handle groups and hosts, too. Another + important point is the tree view which allows browsing and editing LDAP objects directly. + </p><div class="example"><a name="lamcfg"></a><p class="title"><b>Example 15.11. Example LAM Configuration File <code class="filename">config.cfg</code></b></p><div class="example-contents"><pre class="screen"> +# password to add/delete/rename configuration profiles +password: not24get + +# default profile, without ".conf" +default: lam +</pre></div></div><br class="example-break"><div class="example"><a name="lamconf"></a><p class="title"><b>Example 15.12. LAM Profile Control File <code class="filename">lam.conf</code></b></p><div class="example-contents"><pre class="screen"> +ServerURL: ldap://massive.abmas.org:389 +Admins: cn=Manager,dc=abmas,dc=biz +Passwd: not24get +usersuffix: ou=People,dc=abmas,dc=biz +groupsuffix: ou=Groups,dc=abmas,dc=biz +hostsuffix: ou=Computers,dc=abmas,dc=biz +domainsuffix: ou=Domains,dc=abmas,dc=biz +MinUID: 0 +MaxUID: 65535 +MinGID: 0 +MaxGID: 65535 +MinMachine: 20000 +MaxMachine: 25000 +userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber +grouplistAttributes: #cn;#gidNumber;#memberUID;#description +hostlistAttributes: #cn;#description;#uidNumber;#gidNumber +maxlistentries: 30 +defaultLanguage: en_GB:ISO-8859-1:English (Great Britain) +scriptPath: +scriptServer: +samba3: yes +cachetimeout: 5 +pwdhash: SSHA +</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385293"></a>IDEALX Management Console</h2></div></div></div><p> + IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive + web-based management interface for UNIX and Linux systems. + </p><p> + The Samba toolset is the first console developped for IMC. It offers a simple and ergonomic + interface for managing a Samba domain controler. The goal is to give Linux administrators who + need to manage production Samba servers an effective, intuitive and consistent management + experience. An IMC screenshot of the user management tool is shown in <a href="appendix.html#imcidealx" title="Figure 15.12. The IMC Samba User Account Screen">???</a>. + </p><div class="figure"><a name="imcidealx"></a><p class="title"><b>Figure 15.12. The IMC Samba User Account Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/imc-usermanager2.png" width="216" alt="The IMC Samba User Account Screen"></div></div></div><br class="figure-break"><p> + IMC is built on a set of Perl modules. Most modules are standard CPAN modules. Some are bundled with IMC, + but will soon to be hosted on the CPAN independently, like Struts4P, a port of Struts to the Perl language. + </p><p> + For further information regarding IMC refer to the web <a href="http://imc.sourceforge.net/" target="_top">site.</a> + Prebuilt RPM packages are also <a href="http://imc.sourceforge.net/download.html" target="_top">available.</a> + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12-SUIDSGID"></a>Effect of Setting File and Directory SUID/SGID Permissions Explained</h2></div></div></div><a class="indexterm" name="id385390"></a><a class="indexterm" name="id385396"></a><p> + The setting of the SUID/SGID bits on the file or directory permissions flag has particular + consequences. If the file is executable and the SUID bit is set, it executes with the privilege + of (with the UID of) the owner of the file. For example, if you are logged onto a system as + a normal user (let's say as the user <code class="constant">bobj</code>), and you execute a file that is owned + by the user <code class="constant">root</code> (uid = 0), and the file has the SUID bit set, then the file is + executed as if you had logged in as the user <code class="constant">root</code> and then executed the file. + The SUID bit effectively gives you (as <code class="constant">bobj</code>) administrative privilege for the + use of that executable file. + </p><p> + The setting of the SGID bit does precisely the same as the effect of the SUID bit, except that it + applies the privilege to the UNIX group setting. In other words, the file executes with the force + of capability of the group. + </p><p> + When the SUID/SGID permissions are set on a directory, all files that are created within that directory + are automatically given the ownership of the SUID user and the SGID group, as per the ownership + of the directory in which the file is created. This means that the system level <code class="literal">create()</code> + function executes with the SUID user and/or SGID group of the directory in which the file is + created. + </p><p> + If you want to obtain the SUID behavior, simply execute the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod u+s file-or-directory +</pre><p> + To set the SGID properties on a file or a directory, execute this command: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod g+s file-or-directory +</pre><p> + And to set both SUID and SGID properties, execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod ug+s file-or-directory +</pre><p> + </p><p> + Let's consider the example of a directory <code class="filename">/data/accounts</code>. The permissions on this + directory before setting both SUID and SGID on this directory are: +</p><pre class="screen"> +<code class="prompt">root# </code> ls -al /data/accounts +total 1 +drwxr-xr-x 10 root root 232 Dec 18 17:08 . +drwxr-xr-x 21 root root 600 Dec 17 23:15 .. +drwxrwxrwx 2 bobj Domain Users 48 Dec 18 17:08 accounts/ +drwx------ 2 root root 48 Jan 26 2002 lost+found +</pre><p> + In this example, if the user <code class="constant">maryv</code> creates a file, it is owned by her. + If <code class="constant">maryv</code> has the primary group of <code class="constant">Accounts</code>, the file is + owned by the group <code class="constant">Accounts</code>, as shown in this listing: +</p><pre class="screen"> +<code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt +drw-rw-r-- 2 maryv Accounts 12346 Dec 18 17:53 +</pre><p> + </p><p> + Now you set the SUID and SGID and check the result as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod ug+s /data/accounts +<code class="prompt">root# </code> ls -al /data/accounts +total 1 +drwxr-xr-x 10 root root 232 Dec 18 17:08 . +drwxr-xr-x 21 root root 600 Dec 17 23:15 .. +drwsrwsr-x 2 bobj Domain Users 48 Dec 18 17:08 accounts +drwx------ 2 root root 48 Jan 26 2002 lost+found +</pre><p> + If <code class="constant">maryv</code> creates a file in this directory after this change has been made, the + file is owned by the user <code class="constant">bobj</code>, and the group is set to the group + <code class="constant">Domain Users</code>, as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> chmod ug+s /data/accounts +<code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt +total 1 +drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt +</pre><p> + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12dblck"></a>Shared Data Integrity</h2></div></div></div><p><a class="indexterm" name="id385602"></a><a class="indexterm" name="id385610"></a> + The integrity of shared data is often viewed as a particularly emotional issue, especially where + there are concurrent problems with multiuser data access. Contrary to the assertions of some who have + experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter. + </p><p> + The solution to concurrent multiuser data access problems must consider three separate areas + from which the problem may stem:<a class="indexterm" name="id385629"></a><a class="indexterm" name="id385640"></a><a class="indexterm" name="id385652"></a> + </p><div class="itemizedlist"><ul type="disc"><li><p>application-level locking controls</p></li><li><p>client-side locking controls</p></li><li><p>server-side locking controls</p></li></ul></div><p><a class="indexterm" name="id385684"></a><a class="indexterm" name="id385691"></a> + Many database applications use some form of application-level access control. An example of one + well-known application that uses application-level locking is Microsoft Access. Detailed guidance + is provided here because this is the most common application for which problems have been reported. + </p><p><a class="indexterm" name="id385705"></a><a class="indexterm" name="id385713"></a> + Common applications that are affected by client- and server-side locking controls include MS + Excel and Act!. Important locking guidance is provided here. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id385724"></a>Microsoft Access</h3></div></div></div><p> + The best advice that can be given is to carefully read the Microsoft knowledgebase articles that + cover this area. Examples of relevant documents include: + </p><div class="itemizedlist"><ul type="disc"><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;208778</p></li><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;299373</p></li></ul></div><p><a class="indexterm" name="id385749"></a><a class="indexterm" name="id385760"></a> + Make sure that your MS Access database file is configured for multiuser access (not set for + exclusive open). Open MS Access on each client workstation, then set the following: <span class="guimenu">(Menu bar) Tools</span>+<span class="guimenu">Options</span>+<span class="guimenu">[tab] General</span>. Set network path to Default database folder: <code class="filename">\\server\share\folder</code>. + </p><p> + You can configure MS Access file sharing behavior as follows: click <span class="guimenu">[tab] Advanced</span>. + Set:<a class="indexterm" name="id385808"></a> + </p><div class="itemizedlist"><ul type="disc"><li><p>Default open mode: Shared</p></li><li><p>Default Record Locking: Edited Record</p></li><li><p>Open databases using record_level locking</p></li></ul></div><p><a class="indexterm" name="id385836"></a> + You must now commit the changes so that they will take effect. To do so, click + <span class="guimenu">Apply</span><span class="guimenu">Ok</span>. At this point, you should exit MS Access, restart + it, and then validate that these settings have not changed. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id385863"></a>Act! Database Sharing</h3></div></div></div><p><a class="indexterm" name="id385870"></a><a class="indexterm" name="id385877"></a> + Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you + must disable opportunistic locking on the server and all workstations. Failure to do so + results in data corruption. This information is available from the Act! Web site + knowledgebase articles + <a href="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925" target="_top">1998223162925</a> + as well as from article + <a href="http://itdomino.saleslogix.com/act.nsf/docid/200110485036" target="_top">200110485036</a>. + </p><p><a class="indexterm" name="id385904"></a><a class="indexterm" name="id385912"></a> + These documents clearly state that opportunistic locking must be disabled on both + the server (Samba in the case we are interested in here), as well as on every workstation + from which the centrally shared Act! database will be accessed. Act! provides + a tool called <code class="literal">Act!Diag</code> that may be used to disable all workstation + registry settings that may otherwise interfere with the operation of Act! + Registered Act! users may download this utility from the Act! Web + <a href="http://www.act.com/support/updates/index.cfm" target="_top">site.</a> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id385938"></a>Opportunistic Locking Controls</h3></div></div></div><p><a class="indexterm" name="id385945"></a> + Third-party Windows applications may not be compatible with the use of opportunistic file + and record locking. For applications that are known not to be compatible,<sup>[<a name="id385956" href="#ftn.id385956">14</a>]</sup> oplock + support may need to be disabled both on the Samba server and on the Windows workstations. + </p><p><a class="indexterm" name="id385966"></a><a class="indexterm" name="id385973"></a><a class="indexterm" name="id385981"></a> + Oplocks enable a Windows client to cache parts of a file that are being + edited. Another windows client may then request to open the file with the + ability to write to it. The server will then ask the original workstation + that had the file open with a write lock to release its lock. Before + doing so, that workstation must flush the file from cache memory to the + disk or network drive. + </p><p><a class="indexterm" name="id385999"></a> + Disabling of Oplocks usage may require server and client changes. + Oplocks may be disabled by file, by file pattern, on the share, or on the + Samba server. + </p><p> + The following are examples showing how Oplock support may be managed using + Samba <code class="filename">smb.conf</code> file settings: +</p><pre class="screen"> +By file: veto oplock files = myfile.mdb + +By Pattern: veto oplock files = /*.mdb/ + +On the Share: oplocks = No + level2 oplocks = No + +On the server: +(in [global]) oplocks = No + level2 oplocks = No +</pre><p> + </p><p> + The following registry entries on Microsoft Windows XP Professional, 2000 Professional, and Windows NT4 + workstation clients must be configured as shown here: +</p><pre class="screen"> +REGEDIT4 + +[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ + Services\LanmanServer\Parameters] + "EnableOplocks"=dword:00000000 + +[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ + Services\LanmanWorkstation\Parameters] + "UseOpportunisticLocking"=dword:00000000 +</pre><p> + </p><p> + Comprehensive coverage of file and record-locking controls is provided in TOSHARG2, Chapter 13. + The information in that chapter was obtained from a wide variety of sources. + </p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch14.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="primer.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 14. Samba Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 16. Networking Primer</td></tr></table></div></body></html> |