Diffstat (limited to 'docs/htmldocs/Samba3-ByExample/happy.html')
| -rw-r--r-- | docs/htmldocs/Samba3-ByExample/happy.html | 2878 |
1 files changed, 0 insertions, 2878 deletions
diff --git a/docs/htmldocs/Samba3-ByExample/happy.html b/docs/htmldocs/Samba3-ByExample/happy.html deleted file mode 100644 index 24c7b0118e..0000000000 --- a/docs/htmldocs/Samba3-ByExample/happy.html +++ /dev/null 
@@ -1,2878 +0,0 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Making Happy Users</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="Big500users.html" title="Chapter 4. The 500-User Office"><link rel="next" href="net2000users.html" title="Chapter 6. A Distributed 2000-User Network"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Making Happy Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="net2000users.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 5. Making Happy Users"><div class="titlepage"><div><div><h2 class="title"><a name="happy"></a>Chapter 5. 
Making Happy Users</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="happy.html#id341339">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id341463">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id341540">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id341668">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id342070">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id343725">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id343737">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id343908">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id346546">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id350178">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id350194">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id350283">Configuring Profile Directories</a></span></dt><dt><span 
class="sect2"><a href="happy.html#id350512">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id350609">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id350723">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id351441">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id351724">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id351896">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id352365">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id352391">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id352420">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id352508">Questions and Answers</a></span></dt></dl></div><p> - It is said that <span class="quote">“<span class="quote">a day that is without troubles is not fulfilling. Rather, give - me a day of troubles well handled so that I can be content with my achievements.</span>”</span> - </p><p> - In the world of computer networks, problems are as varied as the people who create them - or experience them. The design of the network implemented in <a class="link" href="Big500users.html" title="Chapter 4. The 500-User Office">“The 500-User Office”</a> - may create problems for some network users. 
The following lists some of the problems that - may occur: - </p><a class="indexterm" name="id340972"></a><a class="indexterm" name="id340978"></a><a class="indexterm" name="id340987"></a><a class="indexterm" name="id340994"></a><a class="indexterm" name="id341000"></a><div class="caution" title="Caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p> -A significant number of network administrators have responded to the guidance given -here. It should be noted that there are sites that have a single PDC for many hundreds of -concurrent network clients. Network bandwidth, network bandwidth utilization, and server load -are among the factors that determine the maximum number of Windows clients that -can be served by a single domain controller (PDC or BDC) on a network segment. It is possible -to operate with only a single PDC over a routed network. What is possible is not necessarily -<span class="emphasis"><em>best practice</em></span>. When Windows client network logons begin to fail with -the message that the domain controller cannot be found or that the user account cannot -be found (when you know it exists), that may be an indication that the domain controller is -overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows -clients is conservative and if followed will minimize problems but it is not absolute. -</p></div><div class="variablelist"><dl><dt><span class="term">Users experiencing difficulty logging onto the network</span></dt><dd><p> - <a class="indexterm" name="id341038"></a> - <a class="indexterm" name="id341046"></a> - When a Windows client logs onto the network, many data packets are exchanged - between the client and the server that is providing the network logon services. - Each request between the client and the server must complete within a specific - time limit. 
This is one of the primary factors that govern the installation of - multiple domain controllers (usually called secondary or backup controllers). - As a rough rule, there should be one such backup controller for every - 30 to 150 clients. The actual limits are determined by network operational - characteristics. - </p><p> - <a class="indexterm" name="id341061"></a> - <a class="indexterm" name="id341068"></a> - <a class="indexterm" name="id341074"></a> - If the domain controller provides only network logon services - and all file and print activity is handled by domain member servers, one domain - controller per 150 clients on a single network segment may suffice. In any - case, it is highly recommended to have a minimum of one domain controller (PDC or BDC) - per network segment. It is better to have at least one BDC on the network - segment that has a PDC. If the domain controller is also used as a file and - print server, the number of clients it can service reliably is reduced, - and generally for low powered hardware should not exceed 30 machines (Windows - workstations plus domain member servers) per domain controller. Many sites are - able to operate with more clients per domain controller, the number of clients - that can be supported is limited by the CPU speed, memory and the workload on - the Samba server as well as network bandwidth utilization. - </p></dd><dt><span class="term">Slow logons and log-offs</span></dt><dd><p> - <a class="indexterm" name="id341100"></a> - Slow logons and log-offs may be caused by many factors that include: - - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> - <a class="indexterm" name="id341113"></a> - <a class="indexterm" name="id341125"></a> - Excessive delays in the resolution of a NetBIOS name to its IP - address. This may be observed when an overloaded domain controller - is also the WINS server. 
Another cause may be the failure to use - a WINS server (this assumes that there is a single network segment). - </p></li><li class="listitem"><p> - <a class="indexterm" name="id341141"></a> - <a class="indexterm" name="id341147"></a> - <a class="indexterm" name="id341154"></a> - Network traffic collisions due to overloading of the network - segment. One short-term workaround to this may be to replace - network HUBs with Ethernet switches. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id341167"></a> - Defective networking hardware. Over the past few years, we have seen - on the Samba mailing list a significant increase in the number of - problems that were traced to a defective network interface controller, - a defective HUB or Ethernet switch, or defective cabling. In most cases, - it was the erratic nature of the problem that ultimately pointed to - the cause of the problem. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id341184"></a> - <a class="indexterm" name="id341193"></a> - Excessively large roaming profiles. This type of problem is typically - the result of poor user education as well as poor network management. - It can be avoided by users not storing huge quantities of email in - MS Outlook PST files as well as by not storing files on the desktop. - These are old bad habits that require much discipline and vigilance - on the part of network management. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id341210"></a> - You should verify that the Windows XP WebClient service is not running. - The use of the WebClient service has been implicated in many Windows - networking-related problems. 
- </p></li></ul></div><p> - </p></dd><dt><span class="term">Loss of access to network drives and printer resources</span></dt><dd><p> - Loss of access to network resources during client operation may be caused by a number - of factors, including: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> - <a class="indexterm" name="id341240"></a> - Network overload (typically indicated by a high network collision rate) - </p></li><li class="listitem"><p> - Server overload - </p></li><li class="listitem"><p> - <a class="indexterm" name="id341258"></a> - Timeout causing the client to close a connection that is in use but has - been latent (no traffic) for some time (5 minutes or more) - </p></li><li class="listitem"><p> - <a class="indexterm" name="id341273"></a> - Defective networking hardware - </p></li></ul></div><p> - <a class="indexterm" name="id341287"></a> - No matter what the cause, a sudden loss of access to network resources can - result in BSOD (blue screen of death) situations that necessitate rebooting of the client - workstation. In the case of a mild problem, retrying to access the network drive of the printer - may restore operations, but in any case this is a serious problem that may lead to the next - problem, data corruption. - </p></dd><dt><span class="term">Potential data corruption</span></dt><dd><p> - <a class="indexterm" name="id341314"></a> - Data corruption is one of the most serious problems. It leads to uncertainty, anger, and - frustration, and generally precipitates immediate corrective demands. Management response - to this type of problem may be rational, as well as highly irrational. There have been - cases where management has fired network staff for permitting this situation to occur without - immediate correction. There have been situations where perfectly functional hardware was thrown - out and replaced, only to find the problem caused by a low-cost network hardware item. 
There - have been cases where server operating systems were replaced, or where Samba was updated, - only to later isolate the problem due to defective client software. - </p></dd></dl></div><p> - In this chapter, you can work through a number of measures that significantly arm you to - anticipate and combat network performance issues. You can work through complex and thorny - methods to improve the reliability of your network environment, but be warned that all such steps - demand the price of complexity. - </p><div class="sect1" title="Regarding LDAP Directories and Windows Computer Accounts"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id341339"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p> - <a class="indexterm" name="id341347"></a> - Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some - constraints that are described in this section. - </p><p> - <a class="indexterm" name="id341361"></a> - <a class="indexterm" name="id341367"></a> - <a class="indexterm" name="id341374"></a> - <a class="indexterm" name="id341381"></a> - The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba. - That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats - them. A user account and a machine account are indistinguishable from each other, except that - the machine account ends in a $ character, as do trust accounts. - </p><p> - <a class="indexterm" name="id341394"></a> - <a class="indexterm" name="id341401"></a> - The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID - is a design decision that was made a long way back in the history of Samba development. It is - unlikely that this decision will be reversed or changed during the remaining life of the - Samba-3.x series. 
- </p><p> - <a class="indexterm" name="id341414"></a> - <a class="indexterm" name="id341420"></a> - The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that - must refer back to the host operating system on which Samba is running. The name service - switch (NSS) is the preferred mechanism that shields applications (like Samba) from the - need to know everything about every host OS it runs on. - </p><p> - Samba asks the host OS to provide a UID via the <span class="quote">“<span class="quote">passwd</span>”</span>, <span class="quote">“<span class="quote">shadow</span>”</span> - and <span class="quote">“<span class="quote">group</span>”</span> facilities in the NSS control (configuration) file. The best tool - for achieving this is left up to the UNIX administrator to determine. It is not imposed by - Samba. Samba provides winbindd together with its support libraries as one method. It is - possible to do this via LDAP, and for that Samba provides the appropriate hooks so that - all account entities can be located in an LDAP directory. - </p><p> - <a class="indexterm" name="id341451"></a> - For many the weapon of choice is to use the PADL nss_ldap utility. This utility must - be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That - is fundamentally an LDAP design question. The information provided on the Samba list and - in the documentation is directed at providing working examples only. The design - of an LDAP directory is a complex subject that is beyond the scope of this documentation. 
- </p></div><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id341463"></a>Introduction</h2></div></div></div><p> - You just opened an email from Christine that reads: - </p><p> - Good morning, - </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p> - A few months ago we sat down to design the network. We discussed the challenges ahead and we all - agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated - that we would have some time to resolve any issues that might be encountered. - </p><p> - As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them - resigned yesterday afternoon because she was under duress to complete some critical projects. She - suffered a blue screen of death situation just as she was finishing four hours of intensive work, all - of which was lost. She has a unique requirement that involves storing large files on her desktop. - Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it - takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all - network logon traffic passes over the network links between our buildings, logging on may take - three or four attempts due to blue screen problems associated with network timeouts. - </p><p> - A few of us worked to help her out of trouble. We convinced her to stay and promised to fully - resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard - limits on what our users can do with their desktops. Otherwise, we face staff losses - that can surely do harm to our growth as well as to staff morale. 
I am sure we can better deal - with the consequences of what we know we must do than we can with the unrest we have now. - </p><p> - Stan and I have discussed the current situation. We are resolved to help our users and protect - the well being of Abmas. Please acknowledge this advice with consent to proceed as required to - regain control of our vital IT operations. - </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Christine</span></td></tr></table></div><p> - </p><p> - <a class="indexterm" name="id341510"></a> - <a class="indexterm" name="id341517"></a> - Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a - single domain controller is a poor design that has obvious operational effects that may - frustrate users. Here is your reply: - </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p> - Christine, Your diligence and attention to detail are much valued. Stan and I fully support your - proposals to resolve the issues. I am confident that your plans fully realized will significantly - boost staff morale. Please go ahead with your plans. If you have any problems, please let me know. - Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait - for approval; I appreciate the urgency. 
- </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><div class="sect2" title="Assignment Tasks"><div class="titlepage"><div><div><h3 class="title"><a name="id341540"></a>Assignment Tasks</h3></div></div></div><p> - The priority of assigned tasks in this chapter is: - </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p> - <a class="indexterm" name="id341559"></a> - <a class="indexterm" name="id341568"></a> - <a class="indexterm" name="id341575"></a> - <a class="indexterm" name="id341582"></a><a class="indexterm" name="id341587"></a> - Implement Backup Domain Controllers (BDCs) in each building. This involves - a change from a <span class="emphasis"><em>tdbsam</em></span> backend that was used in the previous - chapter to an LDAP-based backend. - </p><p> - You can implement a single central LDAP server for this purpose. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id341608"></a> - <a class="indexterm" name="id341614"></a> - <a class="indexterm" name="id341621"></a> - <a class="indexterm" name="id341628"></a> - Rectify the problem of excessive logon times. This involves redirection of - folders to network shares as well as modification of all user desktops to - exclude the redirected folders from being loaded at login time. You can also - create a new default profile that can be used for all new users. - </p></li></ol></div><p> - <a class="indexterm" name="id341644"></a> - You configure a new MS Windows XP Professional workstation disk image that you roll out - to all desktop users. The instructions you have created are followed on a staging machine - from which all changes can be carefully tested before inflicting them on your network users. 
- </p><p> - <a class="indexterm" name="id341657"></a> - This is the last network example in which specific mention of printing is made. The example - again makes use of the CUPS printing system. - </p></div></div><div class="sect1" title="Dissection and Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id341668"></a>Dissection and Discussion</h2></div></div></div><p> - <a class="indexterm" name="id341676"></a> - <a class="indexterm" name="id341682"></a> - <a class="indexterm" name="id341689"></a> - The implementation of Samba BDCs necessitates the installation and configuration of LDAP. - For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial - LDAP servers in current use with Samba-3 include: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> - <a class="indexterm" name="id341704"></a> - Novell <a class="ulink" href="http://www.novell.com/products/edirectory/" target="_top">eDirectory</a> - is being successfully used by some sites. Information on how to use eDirectory can be - obtained from the Samba mailing lists or from Novell. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id341723"></a> - IBM <a class="ulink" href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">Tivoli - Directory Server</a> can be used to provide the Samba LDAP backend. Example schema - files are provided in the Samba source code tarball under the directory - <code class="filename">~samba/example/LDAP.</code> - </p></li><li class="listitem"><p> - <a class="indexterm" name="id341748"></a> - Sun <a class="ulink" href="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml" target="_top">ONE Identity - Server product suite</a> provides an LDAP server that can be used for Samba. 
- Example schema files are provided in the Samba source code tarball under the directory - <code class="filename">~samba/example/LDAP.</code> - </p></li></ul></div><p> - A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial - offerings, it requires that you manually edit the server configuration files and manually - initialize the LDAP directory database. OpenLDAP itself has only command-line tools to - help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges. - </p><p> - <a class="indexterm" name="id341780"></a> - For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite - adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include - GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database - requires an understanding of what you are doing, why you are doing it, and the tools that you must use. - </p><p> - <a class="indexterm" name="id341793"></a> - <a class="indexterm" name="id341800"></a> - <a class="indexterm" name="id341807"></a> - <a class="indexterm" name="id341816"></a> - <a class="indexterm" name="id341825"></a> - <a class="indexterm" name="id341832"></a> - <a class="indexterm" name="id341841"></a> - When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. - High availability operation may be obtained through directory replication/synchronization and - master/slave server configurations. OpenLDAP is a mature platform to host the organizational - directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more. 
- The price paid through learning how to design an LDAP directory schema in implementation and configuration - of management tools is well rewarded by performance and flexibility and the freedom to manage directory - contents with greater ability to back up, restore, and modify the directory than is generally possible - with Microsoft Active Directory. - </p><p> - <a class="indexterm" name="id341860"></a> - <a class="indexterm" name="id341869"></a> - <a class="indexterm" name="id341876"></a> - <a class="indexterm" name="id341883"></a> - A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory - tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured - for a specific task orientation. It comes with a set of administrative tools that is entirely customized - for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange - server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator - who wants to build a custom directory solution. Microsoft provides an application called - <a class="ulink" href="http://www.microsoft.com/windowsserver2003/adam/default.mspx" target="_top"> - MS ADAM</a> that provides more generic LDAP services, yet it does not have the vanilla-like services - of OpenLDAP. - </p><p> - <a class="indexterm" name="id341906"></a> - <a class="indexterm" name="id341915"></a> - You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly - if you find the challenge of learning about LDAP directories, schemas, configuration, and management - tools and the creation of shell and Perl scripts a bit - challenging. OpenLDAP can be easily customized, though it includes - many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file - that is required for use as a passdb backend. 
- </p><p> - <a class="indexterm" name="id341929"></a> - For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability, - there are a few nice Web-based tools that may help you to manage your users and groups more effectively. - The Web-based tools you might like to consider include the - <a class="ulink" href="http://lam.sourceforge.net/" target="_top">LDAP Account Manager</a> (LAM) and the Webmin-based - <a class="ulink" href="http://www.webmin.com" target="_top">Webmin</a> Idealx - <a class="ulink" href="http://webmin.idealx.org/index.en.html" target="_top">CGI tools</a>. - </p><p> - Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of - these, so it may be useful to them: - <a class="ulink" href="http://biot.com/gq" target="_top">GQ</a>, a GTK-based LDAP browser; - LDAP <a class="ulink" href="http://www.iit.edu/~gawojar/ldap/" target="_top">Browser/Editor</a> - <a class="ulink" href="http://www.jxplorer.org/" target="_top">; JXplorer</a> (by Computer Associates); - and <a class="ulink" href="http://phpldapadmin.sourceforge.net/" target="_top">phpLDAPadmin</a>. - </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> - The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal - security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided - is considered to consist of the barest essentials only. You are strongly encouraged to learn more about - LDAP before attempting to deploy it in a business-critical environment. - </p></div><p> - Information to help you get started with OpenLDAP is available from the - <a class="ulink" href="http://www.openldap.org/pub/" target="_top">OpenLDAP web site</a>. 
Many people have found the book - <a class="ulink" href="http://www.oreilly.com/catalog/ldapsa/index.html" target="_top"><span class="emphasis"><em>LDAP System Administration</em></span>,</a> - by Jerry Carter quite useful. - </p><p> - <a class="indexterm" name="id342015"></a> - <a class="indexterm" name="id342022"></a> - <a class="indexterm" name="id342031"></a> - <a class="indexterm" name="id342038"></a> - Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the - main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must - be loaded over the WAN connection. The addition of BDCs on each network segment significantly - improves overall network performance for most users, but it is not enough. You must gain control over - user desktops, and this must be done in a way that wins their support and does not cause further loss of - staff morale. The following procedures solve this problem. - </p><p> - <a class="indexterm" name="id342055"></a> - There is also an opportunity to implement smart printing features. You add this to the Samba configuration - so that future printer changes can be managed without need to change desktop configurations. - </p><p> - You add the ability to automatically download new printer drivers, even if they are not installed - in the default desktop profile. Only one example of printing configuration is given. It is assumed that - you can extrapolate the principles and use them to install all printers that may be needed. 
- </p><div class="sect2" title="Technical Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id342070"></a>Technical Issues</h3></div></div></div><p> - <a class="indexterm" name="id342078"></a> - <a class="indexterm" name="id342087"></a> - <a class="indexterm" name="id342097"></a> - The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory - server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system - accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account - attributes Samba needs. Samba-3 can use the LDAP backend to store: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Windows Networking User Accounts</p></li><li class="listitem"><p>Windows NT Group Accounts</p></li><li class="listitem"><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li class="listitem"><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p> - <a class="indexterm" name="id342133"></a> - <a class="indexterm" name="id342140"></a> - <a class="indexterm" name="id342146"></a> - <a class="indexterm" name="id342153"></a> - <a class="indexterm" name="id342160"></a> - <a class="indexterm" name="id342167"></a> - <a class="indexterm" name="id342176"></a> - <a class="indexterm" name="id342182"></a> - <a class="indexterm" name="id342189"></a> - The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking - accounts in the LDAP backend. This implies the need to use the - <a class="ulink" href="http://www.padl.com/Contents/OpenSourceSoftware.html" target="_top">PADL LDAP tools</a>. The resolution - of the UNIX group name to its GID must be enabled from either the <code class="filename">/etc/group</code> - or from the LDAP backend. 
This requires the use of the PADL <code class="filename">nss_ldap</code> tool-set - that integrates with the NSS. The same requirements exist for resolution - of the UNIX username to the UID. The relationships are demonstrated in <a class="link" href="happy.html#sbehap-LDAPdiag" title="Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts">“The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts”</a>. - </p><div class="figure"><a name="sbehap-LDAPdiag"></a><p class="title"><b>Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UNIX-Samba-and-LDAP.png" width="270" alt="The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts"></div></div></div><br class="figure-break"><p> - <a class="indexterm" name="id342269"></a> - <a class="indexterm" name="id342275"></a> - You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really - ought to learn how to configure secure communications over LDAP so that site security is not - at risk. This is not covered in the following guidance. - </p><p> - <a class="indexterm" name="id342290"></a> - <a class="indexterm" name="id342296"></a> - <a class="indexterm" name="id342306"></a> - <a class="indexterm" name="id342312"></a> - When OpenLDAP has been made operative, you configure the PDC called <code class="constant">MASSIVE</code>. - You initialize the Samba <code class="filename">secrets.tdb<sub></sub></code> file. Then you - create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized. - You need to decide how best to create user and group accounts. A few hints are, of course, provided. - You can also find on the enclosed CD-ROM, in the <code class="filename">Chap06</code> directory, a few tools - that help to manage user and group configuration. 
- </p><p> - <a class="indexterm" name="id342343"></a> - <a class="indexterm" name="id342350"></a> - <a class="indexterm" name="id342356"></a> - In order to effect folder redirection and to add robustness to the implementation, - create a network default profile. All network users workstations are configured to use - the new profile. Roaming profiles will automatically be deleted from the workstation - when the user logs off. - </p><p> - <a class="indexterm" name="id342369"></a> - The profile is configured so that users cannot change the appearance - of their desktop. This is known as a mandatory profile. You make certain that users - are able to use their computers efficiently. - </p><p> - <a class="indexterm" name="id342381"></a> - A network logon script is used to deliver flexible but consistent network drive - connections. - </p><div class="sect3" title="Addition of Machines to the Domain"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-ppc"></a>Addition of Machines to the Domain</h4></div></div></div><p> - <a class="indexterm" name="id342401"></a> - <a class="indexterm" name="id342406"></a> - <a class="indexterm" name="id342412"></a> - <a class="indexterm" name="id342417"></a> - Samba versions prior to 3.0.11 necessitated the use of a domain administrator account - that maps to the UNIX UID=0. The UNIX operating system permits only the <code class="constant">root</code> - user to add user and group accounts. Samba 3.0.11 introduced a new facility known as - <code class="constant">Privileges</code>, which provides five new privileges that - can be assigned to users and/or groups; see Table 5.1. - </p><div class="table"><a name="sbehap-privs"></a><p class="title"><b>Table 5.1. 
Current Privilege Capabilities</b></p><div class="table-contents"><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="left"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="left"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="left"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="left"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr></tbody></table></div></div><br class="table-break"><p> - In this network example use is made of one of the supported privileges purely to demonstrate - how any user can now be given the ability to add machines to the domain using a normal user account - that has been given the appropriate privileges. - </p></div><div class="sect3" title="Roaming Profile Background"><div class="titlepage"><div><div><h4 class="title"><a name="id342548"></a>Roaming Profile Background</h4></div></div></div><p> - As XP roaming profiles grow, so does the amount of time it takes to log in and out. - </p><p> - <a class="indexterm" name="id342560"></a> - <a class="indexterm" name="id342566"></a> - <a class="indexterm" name="id342573"></a> - <a class="indexterm" name="id342580"></a> - An XP roaming profile consists of the <code class="constant">HKEY_CURRENT_USER</code> hive file - <code class="filename">NTUSER.DAT</code> and a number of folders (My Documents, Application Data, - Desktop, Start Menu, Templates, NetHood, Favorites, and so on). 
When a user logs onto the - network with the default configuration of MS Windows NT/200x/XPP, all this data is - copied to the local machine under the <code class="filename">C:\Documents and Settings\%USERNAME%</code> - directory. While the user is logged in, any changes made to any of these folders or to the - <code class="constant">HKEY_CURRENT_USER</code> branch of the registry are made to the local copy - of the profile. At logout the profile data is copied back to the server. This behavior - can be changed through appropriate registry changes and/or through changes to the default - user profile. In the latter case, it updates the registry with the values that are set in the - profile <code class="filename">NTUSER.DAT</code> - file. - </p><p> - The first challenge is to reduce the amount of data that must be transferred to and - from the profile server as roaming profiles are processed. This includes removing - all the shortcuts in the Recent directory, making sure the cache used by the Web browser - is not being dumped into the <code class="filename">Application Data</code> folder, removing the - Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the - user to not place large files on the desktop and to use his or her mapped home directory - instead of the <code class="filename">My Documents</code> folder for saving documents. - </p><p> - <a class="indexterm" name="id342644"></a> - Using a folder other than <code class="filename">My Documents</code> is a nuisance for - some users, since many applications use it by default. - </p><p> - <a class="indexterm" name="id342661"></a> - <a class="indexterm" name="id342668"></a> - <a class="indexterm" name="id342675"></a> - The secret to rapid loading of roaming profiles is to prevent unnecessary data from - being copied back and forth, without losing any functionality. 
This is not difficult; - it can be done by making changes to the Local Group Policy on each client as well - as changing some paths in each user's <code class="filename">NTUSER.DAT</code> hive. - </p><p> - <a class="indexterm" name="id342693"></a> - <a class="indexterm" name="id342700"></a> - Every user profile has its own <code class="filename">NTUSER.DAT</code> file. This means - you need to edit every user's profile, unless a better method can be - followed. Fortunately, with the right preparations, this is not difficult. - It is possible to remove the <code class="filename">NTUSER.DAT</code> file from each - user's profile. Then just create a Network Default Profile. Of course, it is - necessary to copy all files from redirected folders to the network share to which - they are redirected. - </p></div><div class="sect3" title="The Local Group Policy"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-locgrppol"></a>The Local Group Policy</h4></div></div></div><p> - <a class="indexterm" name="id342736"></a> - <a class="indexterm" name="id342742"></a> - <a class="indexterm" name="id342749"></a> - <a class="indexterm" name="id342756"></a> - Without an Active Directory PDC, you cannot take full advantage of Group Policy - Objects. However, you can still make changes to the Local Group Policy by using - the Group Policy editor (<code class="literal">gpedit.msc</code>). - </p><p> - The <span class="emphasis"><em>Exclude directories in roaming profile</em></span> settings can - be found under - <span class="guimenu">User Configuration</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>. - By default this setting contains - <span class="quote">“<span class="quote">Local Settings; Temporary Internet Files; History; Temp</span>”</span>. - </p><p> - Simply add the folders you do not wish to be copied back and forth to this - semicolon-separated list. 
Note that this change must be made on all clients - that are using roaming profiles. - </p></div><div class="sect3" title="Profile Changes"><div class="titlepage"><div><div><h4 class="title"><a name="id342818"></a>Profile Changes</h4></div></div></div><p> - <a class="indexterm" name="id342826"></a> - <a class="indexterm" name="id342832"></a> - There are two changes that should be done to each user's profile. Move each of - the directories that you have excluded from being copied back and forth out of - the usual profile path. Modify each user's <code class="filename">NTUSER.DAT</code> file - to point to the new paths that are shared over the network instead of to the default - path (<code class="filename">C:\Documents and Settings\%USERNAME%</code>). - </p><p> - <a class="indexterm" name="id342857"></a> - <a class="indexterm" name="id342864"></a> - The above modifies existing user profiles. So that newly created profiles have - these settings, you need to modify the <code class="filename">NTUSER.DAT</code> in - the <code class="filename">C:\Documents and Settings\Default User</code> folder on each - client machine, changing the same registry keys. You could do this by copying - <code class="filename">NTUSER.DAT</code> to a Linux box and using <code class="literal">regedt32</code>. - The basic method is described under <a class="link" href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">“Configuration of Default Profile with Folder Redirection”</a>. 
- </p></div><div class="sect3" title="Using a Network Default User Profile"><div class="titlepage"><div><div><h4 class="title"><a name="id342906"></a>Using a Network Default User Profile</h4></div></div></div><p> - <a class="indexterm" name="id342914"></a> - <a class="indexterm" name="id342921"></a> - If you are using Samba as your PDC, you should create a file share called - <code class="constant">NETLOGON</code> and within that create a directory called - <code class="filename">Default User</code>, which is a copy of the desired default user - configuration (including a copy of <code class="filename">NTUSER.DAT</code>). - If this share exists and the <code class="filename">Default User</code> folder exists, - the first login from a new account pulls its configuration from it. - See also <a class="ulink" href="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html" target="_top"> - the Real Men Don't Click</a> Web site. - </p></div><div class="sect3" title="Installation of Printer Driver Auto-Download"><div class="titlepage"><div><div><h4 class="title"><a name="id342960"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p> - <a class="indexterm" name="id342968"></a> - <a class="indexterm" name="id342977"></a> - <a class="indexterm" name="id342984"></a> - The subject of printing is quite topical. Printing problems run second place to name - resolution issues today. So far in this book, you have experienced only what is generally - known as <span class="quote">“<span class="quote">dumb</span>”</span> printing. Dumb printing is the arrangement by which all drivers - are manually installed on each client and the printing subsystems perform no filtering - or intelligent processing. Dumb printing is easily understood. It usually works without - many problems, but it has its limitations also. Dumb printing is better known as - <code class="literal">Raw-Print-Through</code> printing. 
- </p><p> - <a class="indexterm" name="id343008"></a> - <a class="indexterm" name="id343017"></a> - Samba permits the configuration of <code class="literal">smart</code> printing using the Microsoft - Windows point-and-click (also called drag-and-drop) printing. What this provides is - essentially the ability to print to any printer. If the local client does not yet have a - driver installed, the driver is automatically downloaded from the Samba server and - installed on the client. Drag-and-drop printing is neat; it means the user never needs - to fuss with driver installation, and that is a <span class="trademark">Good Thing,</span>™ - isn't it? - </p><p> - There is a further layer of print job processing that is known as <code class="literal">intelligent</code> - printing that automatically senses the file format of data submitted for printing and - then invokes a suitable print filter to convert the incoming data stream into a format - suited to the printer to which the job is dispatched. - </p><p> - <a class="indexterm" name="id343057"></a> - <a class="indexterm" name="id343064"></a> - <a class="indexterm" name="id343071"></a> - The CUPS printing subsystem is capable of intelligent printing. It has the capacity to - detect the data format and apply a print filter. This means that it is feasible to install - on all Windows clients a single printer driver for use with all printers that are routed - through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately, - <a class="ulink" href="http://www.easysw.com" target="_top">Easy Software Products</a>, the authors of CUPS, have - released a PostScript printing driver for Windows. It can be installed into the Samba - printing backend so that it automatically downloads to the client when needed. 
- </p><p> - This means that so long as there is a CUPS driver for the printer, all printing from Windows - software can use PostScript, no matter what the actual printer language for the physical - device is. It also means that the administrator can swap out a printer with a totally - different type of device without ever needing to change a client workstation driver. - </p><p> - This book is about Samba-3, so you can confine the printing style to just the smart - style of installation. Those interested in further information regarding intelligent - printing should review documentation on the Easy Software Products Web site. - </p></div><div class="sect3" title="Avoiding Failures: Solving Problems Before They Happen"><div class="titlepage"><div><div><h4 class="title"><a name="sbeavoid"></a>Avoiding Failures: Solving Problems Before They Happen</h4></div></div></div><p> - It has often been said that there are three types of people in the world: those who - have sharp minds and those who forget things. Please do not ask what the third group - is like! Well, it seems that many of us have company in the second group. There must - be a good explanation why so many network administrators fail to solve apparently - simple problems efficiently and effectively. - </p><p> - Here are some diagnostic guidelines that can be referred to when things go wrong: - </p><div class="sect4" title="Preliminary Advice: Dangers Can Be Avoided"><div class="titlepage"><div><div><h5 class="title"><a name="id343123"></a>Preliminary Advice: Dangers Can Be Avoided</h5></div></div></div><p> - The best advice regarding how to mend a broken leg is <span class="quote">“<span class="quote">Never break a leg!</span>”</span> - </p><p> - <a class="indexterm" name="id343138"></a> - Newcomers to Samba and LDAP seem to struggle a great deal at first. 
If you want advice - regarding the best way to remedy LDAP and Samba problems: <span class="quote">“<span class="quote">Avoid them like the plague!</span>”</span> - </p><p> - If you are now asking yourself how problems can be avoided, the best advice is to start - out your learning experience with a <span class="emphasis"><em>known-good configuration.</em></span> After - you have seen a fully working solution, a good way to learn is to make slow and progressive - changes that cause things to break, then observe carefully how and why things ceased to work. - </p><p> - The examples in this chapter (also in the book as a whole) are known to work. That means - that they could serve as the kick-off point for your journey through fields of knowledge. - Use this resource carefully; we hope it serves you well. - </p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> - Do not be lulled into thinking that you can easily adopt the examples in this - book and adapt them without first working through the examples provided. A little - thing overlooked can cause untold pain and may permanently tarnish your experience. - </p></div></div><div class="sect4" title="The Name Service Caching Daemon"><div class="titlepage"><div><div><h5 class="title"><a name="id343173"></a>The Name Service Caching Daemon</h5></div></div></div><p> - The name service caching daemon (nscd) is a primary cause of difficulties with name - resolution, particularly where <code class="literal">winbind</code> is used. Winbind does its - own caching, thus nscd causes double caching which can lead to peculiar problems during - debugging. As a rule, it is a good idea to turn off the name service caching daemon. - </p><p> - Operation of the name service caching daemon is controlled by the - <code class="filename">/etc/nscd.conf</code> file. 
Typical contents of this file are as follows: -</p><pre class="screen"> -# /etc/nscd.conf -# An example Name Service Cache config file. This file is needed by nscd. -# Legal entries are: -# logfile <file> -# debug-level <level> -# threads <threads to use> -# server-user <user to run server as instead of root> -# server-user is ignored if nscd is started with -S parameters -# stat-user <user who is allowed to request statistics> -# reload-count unlimited|<number> -# -# enable-cache <service> <yes|no> -# positive-time-to-live <service> <time in seconds> -# negative-time-to-live <service> <time in seconds> -# suggested-size <service> <prime number> -# check-files <service> <yes|no> -# persistent <service> <yes|no> -# shared <service> <yes|no> -# Currently supported cache names (services): passwd, group, hosts -# logfile /var/log/nscd.log -# threads 6 -# server-user nobody -# stat-user somebody - debug-level 0 -# reload-count 5 - enable-cache passwd yes - positive-time-to-live passwd 600 - negative-time-to-live passwd 20 - suggested-size passwd 211 - check-files passwd yes - persistent passwd yes - shared passwd yes - enable-cache group yes - positive-time-to-live group 3600 - negative-time-to-live group 60 - suggested-size group 211 - check-files group yes - persistent group yes - shared group yes -# !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to -# cache hosts will cause your local system to not be able to trust -# forward/reverse lookup checks. DO NOT USE THIS if your system relies on -# this sort of security mechanism. Use a caching DNS server instead. - enable-cache hosts no - positive-time-to-live hosts 3600 - negative-time-to-live hosts 20 - suggested-size hosts 211 - check-files hosts yes - persistent hosts yes - shared hosts yes -</pre><p> - It is feasible to comment out the <code class="constant">passwd</code> and <code class="constant">group</code> - entries so they will not be cached. 
Alternatively, it is often simpler to just disable the - <code class="literal">nscd</code> service by executing (on Novell SUSE Linux): -</p><pre class="screen"> -<code class="prompt">root# </code> chkconfig nscd off -<code class="prompt">root# </code> rcnscd off -</pre><p> - </p></div><div class="sect4" title="Debugging LDAP"><div class="titlepage"><div><div><h5 class="title"><a name="id343291"></a>Debugging LDAP</h5></div></div></div><p> - <a class="indexterm" name="id343298"></a> - <a class="indexterm" name="id343305"></a> - <a class="indexterm" name="id343312"></a> - In the example <code class="filename">/etc/openldap/slapd.conf</code> control file - (see <a class="link" href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">“LDAP DB_CONFIG File”</a>) there is an entry for <code class="constant">loglevel 256</code>. - To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter - and restart <code class="literal">slapd</code>. - </p><p> - <a class="indexterm" name="id343346"></a> - <a class="indexterm" name="id343352"></a> - LDAP log information can be directed into a file that is separate from the normal system - log files by changing the <code class="filename">/etc/syslog.conf</code> file so it has the following - contents: -</p><pre class="screen"> -# Some foreign boot scripts require local7 -# -local0,local1.* -/var/log/localmessages -local2,local3.* -/var/log/localmessages -local5.* -/var/log/localmessages -local6,local7.* -/var/log/localmessages -local4.* -/var/log/ldaplogs -</pre><p> - In this case, all LDAP-related logs will be directed to the file - <code class="filename">/var/log/ldaplogs</code>. This makes it easy to track LDAP errors. - The snippet provides a simple example of usage that can be modified to suit - local site needs. 
The configuration used later in this chapter reflects such - customization with the intent that LDAP log files will be stored at a location - that meets local site needs and wishes more fully. - </p></div><div class="sect4" title="Debugging NSS_LDAP"><div class="titlepage"><div><div><h5 class="title"><a name="id343386"></a>Debugging NSS_LDAP</h5></div></div></div><p> - The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the - <code class="filename">/etc/ldap.conf</code> file the following parameters: -</p><pre class="screen"> -debug 256 -logdir /data/logs -</pre><p> - Create the log directory as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> mkdir /data/logs -</pre><p> - </p><p> - The diagnostic process should follow these steps: - </p><div class="procedure" title="Procedure 5.1. NSS_LDAP Diagnostic Steps"><a name="id343427"></a><p class="title"><b>Procedure 5.1. NSS_LDAP Diagnostic Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Verify the <code class="constant">nss_base_passwd, nss_base_shadow, nss_base_group</code> entries - in the <code class="filename">/etc/ldap.conf</code> file and compare them closely with the directory - tree location that was chosen when the directory was first created. - </p><p> - One way this can be done is by executing: -</p><pre class="screen"> -<code class="prompt">root# </code> slapcat | grep Group | grep dn -dn: ou=Groups,dc=abmas,dc=biz -dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz -dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz -dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz -dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz -dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz -dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz -dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz -dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz -</pre><p> - The first line is the DIT entry point for the container for POSIX groups. 
The correct entry - for the <code class="filename">/etc/ldap.conf</code> for the <code class="constant">nss_base_group</code> - parameter therefore is the distinguished name (dn) as applied here: -</p><pre class="screen"> -nss_base_group ou=Groups,dc=abmas,dc=biz?one -</pre><p> - The same process may be followed to determine the appropriate dn for user accounts. - If the container for computer accounts is not the same as that for users (see the <code class="filename">smb.conf</code> - file entry for <code class="constant">ldap machine suffix</code>), it may be necessary to set the - following DIT dn in the <code class="filename">/etc/ldap.conf</code> file: -</p><pre class="screen"> -nss_base_passwd dc=abmas,dc=biz?sub -</pre><p> - This instructs LDAP to search for machine as well as user entries from the top of the DIT - down. This is inefficient, but at least should work. Note: It is possible to specify multiple - <code class="constant">nss_base_passwd</code> entries in the <code class="filename">/etc/ldap.conf</code> file; they - will be evaluated sequentially. 
Let us consider an example of use where the following DIT - has been implemented: - </p><p> - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</p></li><li class="listitem"><p>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</p></li><li class="listitem"><p>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</p></li></ul></div><p> - </p><p> - The appropriate multiple entry for the <code class="constant">nss_base_passwd</code> directive - in the <code class="filename">/etc/ldap.conf</code> file may be: -</p><pre class="screen"> -nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one -nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one -</pre><p> - </p></li><li class="step" title="Step 2"><p> - Perform lookups such as: -</p><pre class="screen"> -<code class="prompt">root# </code> getent passwd -</pre><p> - Each such lookup will create an entry in the <code class="filename">/data/log</code> directory - for each such process executed. The contents of each file created in this directory - may provide a hint as to the cause of the a problem that is under investigation. - </p></li><li class="step" title="Step 3"><p> - For additional diagnostic information, check the contents of the <code class="filename">/var/log/messages</code> - to see what error messages are being generated as a result of the LDAP lookups. 
Here is an example of - a successful lookup: -</p><pre class="screen"> -slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539 -(IP=0.0.0.0:389) -slapd[12164]: conn=0 op=0 BIND dn="" method=128 -slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text= -slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0 -filter="(objectClass=*)" -slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0 -nentries=1 text= -slapd[12164]: conn=0 op=2 UNBIND -slapd[12164]: conn=0 fd=10 closed -slapd[12164]: conn=1 fd=10 ACCEPT from -IP=127.0.0.1:33540 (IP=0.0.0.0:389) -slapd[12164]: conn=1 op=0 BIND -dn="cn=Manager,dc=abmas,dc=biz" method=128 -slapd[12164]: conn=1 op=0 BIND -dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0 -slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text= -slapd[12164]: conn=1 op=1 SRCH -base="ou=People,dc=abmas,dc=biz" scope=1 deref=0 -filter="(objectClass=posixAccount)" -slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword -uidNumber gidNumber cn -homeDirectory loginShell gecos description objectClass -slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0 -nentries=2 text= -slapd[12164]: conn=1 fd=10 closed - -</pre><p> - </p></li><li class="step" title="Step 4"><p> - Check that the bindpw entry in the <code class="filename">/etc/ldap.conf</code> or in the - <code class="filename">/etc/ldap.secrets</code> file is correct, as specified in the - <code class="filename">/etc/openldap/slapd.conf</code> file. - </p></li></ol></div></div><div class="sect4" title="Debugging Samba"><div class="titlepage"><div><div><h5 class="title"><a name="id343646"></a>Debugging Samba</h5></div></div></div><p> - The following parameters in the <code class="filename">smb.conf</code> file can be useful in tracking down Samba-related problems: -</p><pre class="screen"> -[global] - ... - log level = 5 - log file = /var/log/samba/%m.log - max log size = 0 - ... -</pre><p> - This will result in the creation of a separate log file for every client from which connections - are made. 
The log file will be quite verbose and will grow continually. Do not forget to - change these lines to the following when debugging has been completed: -</p><pre class="screen"> -[global] - ... - log level = 1 - log file = /var/log/samba/%m.log - max log size = 50 - ... -</pre><p> - </p><p> - The log file can be analyzed by executing: -</p><pre class="screen"> -<code class="prompt">root# </code> cd /var/log/samba -<code class="prompt">root# </code> grep -v "^\[200" machine_name.log -</pre><p> - </p><p> - Search for hints of what may have failed by looking for the words <span class="emphasis"><em>fail</em></span> - and <span class="emphasis"><em>error</em></span>. - </p></div><div class="sect4" title="Debugging on the Windows Client"><div class="titlepage"><div><div><h5 class="title"><a name="id343710"></a>Debugging on the Windows Client</h5></div></div></div><p> - MS Windows 2000 Professional and Windows XP Professional clients can be configured - to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search - the Microsoft knowledge base for detailed instructions. The techniques vary a little with each - version of MS Windows. - </p></div></div></div><div class="sect2" title="Political Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id343725"></a>Political Issues</h3></div></div></div><p> - MS Windows network users are generally very sensitive to limits that may be imposed when - confronted with locked-down workstation configurations. The challenge you face must - be promoted as a choice between reliable, fast network operation and a constant flux - of problems that result in user irritation. - </p></div><div class="sect2" title="Installation Checklist"><div class="titlepage"><div><div><h3 class="title"><a name="id343737"></a>Installation Checklist</h3></div></div></div><p> - You are starting a complex project. 
Even though you went through the installation of a complex - network in <a class="link" href="Big500users.html" title="Chapter 4. The 500-User Office">“The 500-User Office”</a>, this network is a bigger challenge because of the - large number of complex applications that must be configured before the first few steps - can be validated. Take stock of what you are about to undertake, prepare yourself, and - frequently review the steps ahead while making at least a mental note of what has already - been completed. The following task list may help you to keep track of the task items - that are covered: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>DHCP and DNS servers</p></li><li class="listitem"><p>OpenLDAP server</p></li><li class="listitem"><p>PAM and NSS client tools</p></li><li class="listitem"><p>Samba-3 PDC</p></li><li class="listitem"><p>Idealx smbldap scripts</p></li><li class="listitem"><p>LDAP initialization</p></li><li class="listitem"><p>Create user and group accounts</p></li><li class="listitem"><p>Printers</p></li><li class="listitem"><p>Share point directory roots</p></li><li class="listitem"><p>Profile directories</p></li><li class="listitem"><p>Logon scripts</p></li><li class="listitem"><p>Configuration of user rights and privileges</p></li></ol></div></li><li class="listitem"><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>DHCP and DNS servers</p></li><li class="listitem"><p>PAM and NSS client tools</p></li><li class="listitem"><p>Printers</p></li><li class="listitem"><p>Share point directory roots</p></li><li class="listitem"><p>Profiles directories</p></li></ol></div></li><li class="listitem"><p>Windows XP Client Configuration</p><div class="orderedlist"><ol class="orderedlist" type="1"><li 
class="listitem"><p>Default profile folder redirection</p></li><li class="listitem"><p>MS Outlook PST file relocation</p></li><li class="listitem"><p>Delete roaming profile on logout</p></li><li class="listitem"><p>Upload printer drivers to Samba servers</p></li><li class="listitem"><p>Install software</p></li><li class="listitem"><p>Creation of roll-out images</p></li></ol></div></li></ul></div></div></div><div class="sect1" title="Samba Server Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id343908"></a>Samba Server Implementation</h2></div></div></div><p> - <a class="indexterm" name="id343916"></a> - <a class="indexterm" name="id343923"></a> - The network design shown in <a class="link" href="happy.html#chap6net" title="Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend">“Network Topology 500 User Network Using ldapsam passdb backend”</a> is not comprehensive. It is assumed - that you will install additional file servers and possibly additional BDCs. - </p><div class="figure"><a name="chap6net"></a><p class="title"><b>Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap6-net.png" width="270" alt="Network Topology 500 User Network Using ldapsam passdb backend"></div></div></div><br class="figure-break"><p> - <a class="indexterm" name="id343983"></a> - <a class="indexterm" name="id343990"></a> - All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE - Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to - adjust the locations for your particular Linux system distribution/implementation. 
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> -The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools -scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball, -please verify that the versions you are about to use are matching. The smbldap-tools package -uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are -issued for POSIX accounts. The LDAP rdn under which this information is stored are called -<code class="constant">uidNumber</code> and <code class="constant">gidNumber</code> respectively. These may be -located in any convenient part of the directory information tree (DIT). In the examples that -follow they have been located under <code class="constant">dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</code>. -They could just as well be located under the rdn <code class="constant">cn=NextFreeUnixId</code>. -</p></div><p> - The steps in the process involve changes from the network configuration shown in - <a class="link" href="Big500users.html" title="Chapter 4. The 500-User Office">“The 500-User Office”</a>. Before implementing the following steps, you must - have completed the network implementation shown in that chapter. If you are starting - with newly installed Linux servers, you must complete the steps shown in - <a class="link" href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">“Installation of DHCP, DNS, and Samba Control Files”</a> before commencing at <a class="link" href="happy.html#ldapsetup" title="OpenLDAP Server Configuration">“OpenLDAP Server Configuration”</a>. 
- </p><div class="sect2" title="OpenLDAP Server Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p> - <a class="indexterm" name="id344059"></a> - <a class="indexterm" name="id344066"></a> - <a class="indexterm" name="id344073"></a> - Confirm that the packages shown in <a class="link" href="happy.html#oldapreq" title="Table 5.2. Required OpenLDAP Linux Packages">“Required OpenLDAP Linux Packages”</a> are installed on your system. - </p><div class="table"><a name="oldapreq"></a><p class="title"><b>Table 5.2. Required OpenLDAP Linux Packages</b></p><div class="table-contents"><table summary="Required OpenLDAP Linux Packages" border="1"><colgroup><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">SUSE Linux 8.x</th><th align="center">SUSE Linux 9.x</th><th align="center">Red Hat Linux</th></tr></thead><tbody><tr><td align="left">nss_ldap</td><td align="left">nss_ldap</td><td align="left">nss_ldap</td></tr><tr><td align="left">pam_ldap</td><td align="left">pam_ldap</td><td align="left">pam_ldap</td></tr><tr><td align="left">openldap2</td><td align="left">openldap2</td><td align="left">openldap</td></tr><tr><td align="left">openldap2-client</td><td align="left">openldap2-client</td><td align="left"> </td></tr></tbody></table></div></div><br class="table-break"><p> - Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method - for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you - follow these guidelines, the resulting system should work fine. - </p><div class="procedure" title="Procedure 5.2. OpenLDAP Server Configuration Steps"><a name="id344202"></a><p class="title"><b>Procedure 5.2. 
OpenLDAP Server Configuration Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - <a class="indexterm" name="id344213"></a> - Install the file shown in <a class="link" href="happy.html#sbehap-slapdconf" title="Example 5.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A">“LDAP Master Configuration File /etc/openldap/slapd.conf Part A”</a> in the directory - <code class="filename">/etc/openldap</code>. - </p></li><li class="step" title="Step 2"><p> - <a class="indexterm" name="id344240"></a> - <a class="indexterm" name="id344247"></a> - <a class="indexterm" name="id344253"></a> - Remove all files from the directory <code class="filename">/data/ldap</code>, making certain that - the directory exists with permissions: -</p><pre class="screen"> -<code class="prompt">root# </code> ls -al /data | grep ldap -drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap -</pre><p> - This may require you to add a user and a group account for LDAP if they do not exist. - </p></li><li class="step" title="Step 3"><p> - <a class="indexterm" name="id344286"></a> - Install the file shown in <a class="link" href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">“LDAP DB_CONFIG File”</a> in the directory - <code class="filename">/data/ldap</code>. In the event that this file is added after <code class="constant">ldap</code> - has been started, it is possible to cause the new settings to take effect by shutting down - the <code class="constant">LDAP</code> server, executing the <code class="literal">db_recover</code> command inside the - <code class="filename">/data/ldap</code> directory, and then restarting the <code class="constant">LDAP</code> server. - </p></li><li class="step" title="Step 4"><p> - <a class="indexterm" name="id344336"></a> - Performance logging can be enabled and should preferably be sent to a file on - a file system that is large enough to handle significantly sized logs. 
To enable - the logging at a verbose level to permit detailed analysis, uncomment the entry in - the <code class="filename">/etc/openldap/slapd.conf</code> shown as <span class="quote">“<span class="quote">loglevel 256</span>”</span>. - </p><p> - Edit the <code class="filename">/etc/syslog.conf</code> file to add the following at the end - of the file: -</p><pre class="screen"> -local4.* -/data/ldap/log/openldap.log -</pre><p> - Note: The path <code class="filename">/data/ldap/log</code> should be set at a location - that is convenient and that can store a large volume of data. - </p></li></ol></div><div class="example"><a name="sbehap-dbconf"></a><p class="title"><b>Example 5.1. LDAP DB_CONFIG File</b></p><div class="example-contents"><pre class="screen"> -set_cachesize 0 150000000 1 -set_lg_regionmax 262144 -set_lg_bsize 2097152 -#set_lg_dir /var/log/bdb -set_flags DB_LOG_AUTOREMOVE -</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf"></a><p class="title"><b>Example 5.2. 
LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen"> -include /etc/openldap/schema/core.schema -include /etc/openldap/schema/cosine.schema -include /etc/openldap/schema/inetorgperson.schema -include /etc/openldap/schema/nis.schema -include /etc/openldap/schema/samba3.schema - -pidfile /var/run/slapd/slapd.pid -argsfile /var/run/slapd/slapd.args - -access to dn.base="" - by self write - by * auth - -access to attr=userPassword - by self write - by * auth - -access to attr=shadowLastChange - by self write - by * read - -access to * - by * read - by anonymous auth - -#loglevel 256 - -schemacheck on -idletimeout 30 -backend bdb -database bdb -checkpoint 1024 5 -cachesize 10000 - -suffix "dc=abmas,dc=biz" -rootdn "cn=Manager,dc=abmas,dc=biz" - -# rootpw = not24get -rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV - -directory /data/ldap -</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf2"></a><p class="title"><b>Example 5.3. 
LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part B</b></p><div class="example-contents"><pre class="screen"> -# Indices to maintain -index objectClass eq -index cn pres,sub,eq -index sn pres,sub,eq -index uid pres,sub,eq -index displayName pres,sub,eq -index uidNumber eq -index gidNumber eq -index memberUID eq -index sambaSID eq -index sambaPrimaryGroupSID eq -index sambaDomainName eq -index default sub -</pre></div></div><br class="example-break"></div><div class="sect2" title="PAM and NSS Client Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p> - <a class="indexterm" name="id344468"></a> - <a class="indexterm" name="id344474"></a> - <a class="indexterm" name="id344481"></a> - The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and - groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure - the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication. - </p><p> - <a class="indexterm" name="id344493"></a> - <a class="indexterm" name="id344502"></a> - Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely - that you may want to use them for UNIX system (Linux) local machine logons. This necessitates - correct configuration of PAM. The <code class="literal">pam_ldap</code> open source package provides the - PAM modules that most people would use. On SUSE Linux systems, the <code class="literal">pam_unix2.so</code> - module also has the ability to redirect authentication requests through LDAP. 
- </p><p> - <a class="indexterm" name="id344527"></a> - <a class="indexterm" name="id344534"></a> - <a class="indexterm" name="id344541"></a> - <a class="indexterm" name="id344548"></a> - You have chosen to configure these services by directly editing the system files, but of course, you - know that this configuration can be done using system tools provided by the Linux system vendor. - SUSE Linux has a facility in YaST (the system admin tool) through <span class="guimenu">yast</span> → <span class="guimenuitem">system</span> → <span class="guimenuitem">ldap-client</span> that permits - configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <code class="literal">authconfig</code> - tool for this. - </p><div class="procedure" title="Procedure 5.3. PAM and NSS Client Configuration Steps"><a name="id344584"></a><p class="title"><b>Procedure 5.3. PAM and NSS Client Configuration Steps</b></p><div class="example"><a name="sbehap-nss01"></a><p class="title"><b>Example 5.4. Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen"> -host 127.0.0.1 - -base dc=abmas,dc=biz - -binddn cn=Manager,dc=abmas,dc=biz -bindpw not24get - -timelimit 50 -bind_timelimit 50 -bind_policy hard - -idle_timelimit 3600 - -pam_password exop - -nss_base_passwd ou=People,dc=abmas,dc=biz?one -nss_base_shadow ou=People,dc=abmas,dc=biz?one -nss_base_group ou=Groups,dc=abmas,dc=biz?one - -ssl off -</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-nss02"></a><p class="title"><b>Example 5.5. 
Configuration File for NSS LDAP Clients Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen"> -host 172.16.0.1 - -base dc=abmas,dc=biz - -binddn cn=Manager,dc=abmas,dc=biz -bindpw not24get - -timelimit 50 -bind_timelimit 50 -bind_policy hard - -idle_timelimit 3600 - -pam_password exop - -nss_base_passwd ou=People,dc=abmas,dc=biz?one -nss_base_shadow ou=People,dc=abmas,dc=biz?one -nss_base_group ou=Groups,dc=abmas,dc=biz?one - -ssl off -</pre></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - <a class="indexterm" name="id344595"></a> - <a class="indexterm" name="id344602"></a> - <a class="indexterm" name="id344609"></a> - Execute the following command to find where the <code class="filename">nss_ldap</code> module - expects to find its control file: -</p><pre class="screen"> -<code class="prompt">root# </code> strings /lib/libnss_ldap.so.2 | grep conf -</pre><p> - The preferred and usual location is <code class="filename">/etc/ldap.conf</code>. - </p></li><li class="step" title="Step 2"><p> - On the server <code class="constant">MASSIVE</code>, install the file shown in - <a class="link" href="happy.html#sbehap-nss01" title="Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf">“Configuration File for NSS LDAP Support /etc/ldap.conf”</a> into the path that was obtained from the step above. - On the servers called <code class="constant">BLDG1</code> and <code class="constant">BLDG2</code>, install the file shown in - <a class="link" href="happy.html#sbehap-nss02" title="Example 5.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf">“Configuration File for NSS LDAP Clients Support /etc/ldap.conf”</a> into the path that was obtained from the step above. 
- </p></li><li class="step" title="Step 3"><p> - <a class="indexterm" name="id344734"></a> - Edit the NSS control file (<code class="filename">/etc/nsswitch.conf</code>) so that the lines that - control user and group resolution will obtain information from the normal system files as - well as from <code class="literal">ldap</code>: -</p><pre class="screen"> -passwd: files ldap -shadow: files ldap -group: files ldap -hosts: files dns wins -</pre><p> - Later, when the LDAP database has been initialized and user and group accounts have been - added, you can validate resolution of the LDAP resolver process. The inclusion of - WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be - resolved to their IP addresses, whether or not they are DHCP clients. - </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> - Some Linux systems (Novell SUSE Linux in particular) add entries to the <code class="filename">nsswitch.conf</code> - file that may cause operational problems with the configuration methods adopted in this book. It is - advisable to comment out the entries <code class="constant">passwd_compat</code> and <code class="constant">group_compat</code> - where they are found in this file. - </p></div><p> - Even at the risk of overstating the issue, incorrect and inappropriate configuration of the - <code class="filename">nsswitch.conf</code> file is a significant cause of operational problems with LDAP. - </p></li><li class="step" title="Step 4"><p> - <a class="indexterm" name="id344800"></a> - For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following - files in the <code class="filename">/etc/pam.d</code> directory: <code class="literal">login</code>, <code class="literal">password</code>, - <code class="literal">samba</code>, <code class="literal">sshd</code>. 
In each file, locate every entry that has the - <code class="literal">pam_unix2.so</code> entry and add to the line the entry <code class="literal">use_ldap</code> as shown - for the <code class="literal">login</code> module in this example: -</p><pre class="screen"> -#%PAM-1.0 -auth requisite pam_unix2.so nullok use_ldap #set_secrpc -auth required pam_securetty.so -auth required pam_nologin.so -#auth required pam_homecheck.so -auth required pam_env.so -auth required pam_mail.so -account required pam_unix2.so use_ldap -password required pam_pwcheck.s nullok -password required pam_unix2.so nullok use_first_pass \ - use_authtok use_ldap -session required pam_unix2.so none use_ldap # debug or trace -session required pam_limits.so -</pre><p> - </p><p> - <a class="indexterm" name="id344872"></a> - On other Linux systems that do not have an LDAP-enabled <code class="literal">pam_unix2.so</code> module, - you must edit these files by adding the <code class="literal">pam_ldap.so</code> modules as shown here: -</p><pre class="screen"> -#%PAM-1.0 -auth required pam_securetty.so -auth required pam_nologin.so -auth sufficient pam_ldap.so -auth required pam_unix2.so nullok try_first_pass #set_secrpc -account sufficient pam_ldap.so -account required pam_unix2.so -password required pam_pwcheck.so nullok -password required pam_ldap.so use_first_pass use_authtok -password required pam_unix2.so nullok use_first_pass use_authtok -session required pam_unix2.so none # debug or trace -session required pam_limits.so -session required pam_env.so -session optional pam_mail.so -</pre><p> - This example does have the LDAP-enabled <code class="literal">pam_unix2.so</code>, but simply - demonstrates the use of the <code class="literal">pam_ldap.so</code> module. You can use either - implementation, but if the <code class="literal">pam_unix2.so</code> on your system supports - LDAP, you probably want to use it rather than add an additional module. 
- </p></li></ol></div></div><div class="sect2" title="Samba-3 PDC Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p> - <a class="indexterm" name="id344942"></a> - Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server - before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the - choice to either build your own or obtain the packages from a dependable source. - Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for - Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that - is included with this book. - </p><div class="procedure" title="Procedure 5.4. Configuration of PDC Called MASSIVE"><a name="id344954"></a><p class="title"><b>Procedure 5.4. Configuration of PDC Called <code class="constant">MASSIVE</code></b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Install the files in <a class="link" href="happy.html#sbehap-massive-smbconfa" title="Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A">“LDAP Based smb.conf File, Server: MASSIVE global Section: Part A”</a>, - <a class="link" href="happy.html#sbehap-massive-smbconfb" title="Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B">“LDAP Based smb.conf File, Server: MASSIVE global Section: Part B”</a>, <a class="link" href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>, - and <a class="link" href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a> into the <code class="filename">/etc/samba/</code> - directory. 
The three files should be added together to form the <code class="filename">smb.conf</code> - master file. It is a good practice to call this file something like - <code class="filename">smb.conf.master</code> and then to perform all file edits - on the master file. The operational <code class="filename">smb.conf</code> is then generated as shown in - the next step. - </p></li><li class="step" title="Step 2"><p> - <a class="indexterm" name="id345025"></a> - Create and verify the contents of the <code class="filename">smb.conf</code> file that is generated by: -</p><pre class="screen"> -<code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf -</pre><p> - Immediately follow this with the following: -</p><pre class="screen"> -<code class="prompt">root# </code> testparm -</pre><p> - The output that is created should be free from errors, as shown here: - -</p><pre class="screen"> -Load smb config files from /etc/samba/smb.conf -Processing section "[accounts]" -Processing section "[service]" -Processing section "[pidata]" -Processing section "[homes]" -Processing section "[printers]" -Processing section "[apps]" -Processing section "[netlogon]" -Processing section "[profiles]" -Processing section "[profdata]" -Processing section "[print$]" -Loaded services file OK. -Server role: ROLE_DOMAIN_PDC -Press enter to see a dump of your service definitions -</pre><p> - </p></li><li class="step" title="Step 3"><p> - Delete all runtime files from prior Samba operation by executing (for SUSE - Linux): -</p><pre class="screen"> -<code class="prompt">root# </code> rm /etc/samba/*tdb -<code class="prompt">root# </code> rm /var/lib/samba/*tdb -<code class="prompt">root# </code> rm /var/lib/samba/*dat -<code class="prompt">root# </code> rm /var/log/samba/* -</pre><p> - </p></li><li class="step" title="Step 4"><p> - <a class="indexterm" name="id345117"></a> - <a class="indexterm" name="id345124"></a> - Samba-3 communicates with the LDAP server. 
The password that it uses to - authenticate to the LDAP server must be stored in the <code class="filename">secrets.tdb</code> - file. Execute the following to create the new <code class="filename">secrets.tdb</code> files - and store the password for the LDAP Manager: -</p><pre class="screen"> -<code class="prompt">root# </code> smbpasswd -w not24get -</pre><p> - The expected output from this command is: -</p><pre class="screen"> -Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb -</pre><p> - </p></li><li class="step" title="Step 5"><p> - <a class="indexterm" name="id345169"></a> - <a class="indexterm" name="id345176"></a> - Samba-3 generates a Windows Security Identifier (SID) only when <code class="literal">smbd</code> - has been started. For this reason, you start Samba. After a few seconds delay, - execute: -</p><pre class="screen"> -<code class="prompt">root# </code> smbclient -L localhost -U% -<code class="prompt">root# </code> net getlocalsid -</pre><p> - A report such as the following means that the domain SID has not yet - been written to the <code class="filename">secrets.tdb</code> or to the LDAP backend: -</p><pre class="screen"> -[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852) - failed to bind to server ldap://massive.abmas.biz -with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server - (unknown) -[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169) - smbldap_search_suffix: Problem during the LDAP search: - (unknown) (Timed out) -</pre><p> - The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server - is not running, this operation will fail by way of a timeout, as shown previously. This is - normal output; do not worry about this error message. 
When the domain has been created and - written to the <code class="filename">secrets.tdb</code> file, the output should look like this: -</p><pre class="screen"> -SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 -</pre><p> - If, after a short delay (a few seconds), the domain SID has still not been written to - the <code class="filename">secrets.tdb</code> file, it is necessary to investigate what - may be misconfigured. In this case, carefully check the <code class="filename">smb.conf</code> file for typographical - errors (the most common problem). The use of the <code class="literal">testparm</code> is highly - recommended to validate the contents of this file. - </p></li><li class="step" title="Step 6"><p> - When a positive domain SID has been reported, stop Samba. - </p></li><li class="step" title="Step 7"><p> - <a class="indexterm" name="id345275"></a> - <a class="indexterm" name="id345281"></a> - <a class="indexterm" name="id345288"></a> - <a class="indexterm" name="id345295"></a> - Configure the NFS server for your Linux system. So you can complete the steps that - follow, enter into the <code class="filename">/etc/exports</code> the following entry: -</p><pre class="screen"> -/home *(rw,root_squash,sync) -</pre><p> - This permits the user home directories to be used on the BDC servers for testing - purposes. You, of course, decide what is the best way for your site to distribute - data drives, and you create suitable backup and restore procedures for Abmas - I'd strongly recommend that for normal operation the BDC is completely independent - of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite - closely. If you do use NFS, do not forget to start the NFS server as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> rcnfsserver start -</pre><p> - </p></li></ol></div><p> - Your Samba-3 PDC is now ready to communicate with the LDAP password backend. 
Let's get on with - configuration of the LDAP server. - </p><div class="example"><a name="sbehap-massive-smbconfa"></a><p class="title"><b>Example 5.6. LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part A</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id345373"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id345384"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id345396"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id345407"></a><em class="parameter"><code>interfaces = eth1, lo</code></em></td></tr><tr><td><a class="indexterm" name="id345418"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id345430"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id345442"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id345453"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id345465"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id345476"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id345488"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id345499"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id345511"></a><em 
class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id345522"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id345534"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id345545"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id345557"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id345568"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id345580"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id345592"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id345604"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id345616"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id345628"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id345640"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id345652"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-massive-smbconfb"></a><p 
class="title"><b>Example 5.7. LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part B</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id345688"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id345700"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id345711"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id345723"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id345734"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id345746"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id345757"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id345769"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id345780"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id345792"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id345804"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id345815"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id345827"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id345839"></a><em class="parameter"><code>idmap uid = 
10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id345850"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id345862"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id345873"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id345884"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" title="Install and Configure Idealx smbldap-tools Scripts"><div class="titlepage"><div><div><h3 class="title"><a name="sbeidealx"></a>Install and Configure Idealx smbldap-tools Scripts</h3></div></div></div><p> - <a class="indexterm" name="id345910"></a> - The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts - on the LDAP server. You have chosen the Idealx scripts because they are the best-known - LDAP configuration scripts. The use of these scripts will help avoid the necessity - to create custom scripts. It is easy to download them from the Idealx - <a class="ulink" href="http://samba.idealx.org/index.en.html" target="_top">Web site</a>. The tarball may - be directly <a class="ulink" href="http://samba.idealx.org/dist/smbldap-tools-0.9.1.tgz" target="_top">downloaded</a> - from this site also. Alternatively, you may obtain the - <a class="ulink" href="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm" target="_top">smbldap-tools-0.9.1-1.src.rpm</a> - file that may be used to build an installable RPM package for your Linux system. 
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> -The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must -change the path to them in your <code class="filename">smb.conf</code> file on the PDC (<code class="constant">MASSIVE</code>). -</p></div><p> - The smbldap-tools are located in <code class="filename">/opt/IDEALX/sbin</code>. - The scripts are not needed on BDC machines because all LDAP updates are handled by - the PDC alone. - </p><div class="sect3" title="Installation of smbldap-tools from the Tarball"><div class="titlepage"><div><div><h4 class="title"><a name="id345968"></a>Installation of smbldap-tools from the Tarball</h4></div></div></div><p> - To perform a manual installation of the smbldap-tools scripts, the following procedure may be used: - </p><div class="procedure" title="Procedure 5.5. Unpacking and Installation Steps for the smbldap-tools Tarball"><a name="idealxscript"></a><p class="title"><b>Procedure 5.5. Unpacking and Installation Steps for the <code class="constant">smbldap-tools</code> Tarball</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Create the <code class="filename">/opt/IDEALX/sbin</code> directory, and set its permissions - and ownership as shown here: -</p><pre class="screen"> -<code class="prompt">root# </code> mkdir -p /opt/IDEALX/sbin -<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin -<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin -<code class="prompt">root# </code> mkdir -p /etc/smbldap-tools -<code class="prompt">root# </code> chown root:root /etc/smbldap-tools -<code class="prompt">root# </code> chmod 755 /etc/smbldap-tools -</pre><p> - </p></li><li class="step" title="Step 2"><p> - If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location. 
- Change into either the directory extracted from the tarball or the smbldap-tools - directory in your <code class="filename">/usr/share/doc/packages</code> directory tree. - </p></li><li class="step" title="Step 3"><p> - Copy all the <code class="filename">smbldap-*</code> and the <code class="filename">configure.pl</code> files into the - <code class="filename">/opt/IDEALX/sbin</code> directory, as shown here: -</p><pre class="screen"> -<code class="prompt">root# </code> cd smbldap-tools-0.9.1/ -<code class="prompt">root# </code> cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/ -<code class="prompt">root# </code> cp smbldap*conf /etc/smbldap-tools/ -<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/smbldap-* -<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/configure.pl -<code class="prompt">root# </code> chmod 640 /etc/smbldap-tools/smbldap.conf -<code class="prompt">root# </code> chmod 600 /etc/smbldap-tools/smbldap_bind.conf -</pre><p> - </p></li><li class="step" title="Step 4"><p> - The smbldap-tools scripts master control file must now be configured. - Change to the <code class="filename">/opt/IDEALX/sbin</code> directory, then edit the - <code class="filename">smbldap_tools.pm</code> to affect the changes - shown here: -</p><pre class="screen"> -... -# ugly funcs using global variables and spawning openldap clients - -my $smbldap_conf="/etc/smbldap-tools/smbldap.conf"; -my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; -... 
-</pre><p> - </p></li><li class="step" title="Step 5"><p> - To complete the configuration of the smbldap-tools, set the permissions and ownership - by executing the following commands: -</p><pre class="screen"> -<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin/* -<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin/smbldap-* -<code class="prompt">root# </code> chmod 640 /opt/IDEALX/sbin/smb*pm -</pre><p> - The smbldap-tools scripts are now ready for the configuration step outlined in - <a class="link" href="happy.html#smbldap-init" title="Configuration of smbldap-tools">“Configuration of smbldap-tools”</a>. - </p></li></ol></div></div><div class="sect3" title="Installing smbldap-tools from the RPM Package"><div class="titlepage"><div><div><h4 class="title"><a name="id346204"></a>Installing smbldap-tools from the RPM Package</h4></div></div></div><p> - In the event that you have elected to use the RPM package provided by Idealx, download the - source RPM <code class="filename">smbldap-tools-0.9.1-1.src.rpm</code>, then follow this procedure: - </p><div class="procedure" title="Procedure 5.6. Installation Steps for smbldap-tools RPM's"><a name="id346220"></a><p class="title"><b>Procedure 5.6. Installation Steps for <code class="constant">smbldap-tools</code> RPM's</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Install the source RPM that has been downloaded as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> rpm -i smbldap-tools-0.9.1-1.src.rpm -</pre><p> - </p></li><li class="step" title="Step 2"><p> - Change into the directory in which the SPEC files are located. 
On SUSE Linux: -</p><pre class="screen"> -<code class="prompt">root# </code> cd /usr/src/packages/SPECS -</pre><p> - On Red Hat Linux systems: -</p><pre class="screen"> -<code class="prompt">root# </code> cd /usr/src/redhat/SPECS -</pre><p> - </p></li><li class="step" title="Step 3"><p> - Edit the <code class="filename">smbldap-tools.spec</code> file to change the value of the - <code class="constant">_sysconfig</code> macro as shown here: -</p><pre class="screen"> -%define _prefix /opt/IDEALX -%define _sysconfdir /etc -</pre><p> - Note: Any suitable directory can be specified. - </p></li><li class="step" title="Step 4"><p> - Build the package by executing: -</p><pre class="screen"> -<code class="prompt">root# </code> rpmbuild -ba -v smbldap-tools.spec -</pre><p> - A build process that has completed without error will place the installable binary - files in the directory <code class="filename">../RPMS/noarch</code>. - </p></li><li class="step" title="Step 5"><p> - Install the binary package by executing: -</p><pre class="screen"> -<code class="prompt">root# </code> rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm -</pre><p> - </p></li></ol></div><p> - The Idealx scripts should now be ready for configuration using the steps outlined in - <a class="link" href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>. - </p></div><div class="sect3" title="Configuration of smbldap-tools"><div class="titlepage"><div><div><h4 class="title"><a name="smbldap-init"></a>Configuration of smbldap-tools</h4></div></div></div><p> - Prior to use, the smbldap-tools must be configured to match the settings in the <code class="filename">smb.conf</code> file - and to match the settings in the <code class="filename">/etc/openldap/slapd.conf</code> file. The assumption - is made that the <code class="filename">smb.conf</code> file has correct contents. 
The following procedure ensures that - this is completed correctly: - </p><p> - The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included - in the <code class="filename">smb.conf</code> file. - </p><div class="procedure" title="Procedure 5.7. Configuration Steps for smbldap-tools to Enable Use"><a name="id346402"></a><p class="title"><b>Procedure 5.7. Configuration Steps for <code class="constant">smbldap-tools</code> to Enable Use</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Change into the directory that contains the <code class="filename">configure.pl</code> script. -</p><pre class="screen"> -<code class="prompt">root# </code> cd /opt/IDEALX/sbin -</pre><p> - </p></li><li class="step" title="Step 2"><p> - Execute the <code class="filename">configure.pl</code> script as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> ./configure.pl -</pre><p> - The interactive use of this script for the PDC is demonstrated here: -</p><pre class="screen"> -<code class="prompt">root# </code> /opt/IDEALX/sbin/configure.pl --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - smbldap-tools script configuration - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -Before starting, check - . if your samba controller is up and running. - . if the domain SID is defined (you can get it with the - 'net getlocalsid') - - . you can leave the configuration using the Crtl-c key combination - . empty value can be set with the "." character --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -Looking for configuration files... 
- -Samba Config File Location [/etc/samba/smb.conf] > -smbldap-tools configuration file Location (global parameters) - [/etc/opt/IDEALX/smbldap-tools/smbldap.conf] > -smbldap Config file Location (bind parameters) - [/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] > --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -Let's start configuring the smbldap-tools scripts ... - -. workgroup name: name of the domain Samba act as a PDC - workgroup name [MEGANET2] > -. netbios name: netbios name of the samba controler - netbios name [MASSIVE] > -. logon drive: local path to which the home directory - will be connected (for NT Workstations). Ex: 'H:' - logon drive [H:] > -. logon home: home directory location (for Win95/98 or NT Workstation) - (use %U as username) Ex:'\\MASSIVE\%U' - logon home (press the "." character if you don't want homeDirectory) - [\\MASSIVE\%U] > -. logon path: directory where roaming profiles are stored. - Ex:'\\MASSIVE\profiles\%U' - logon path (press the "." character - if you don't want roaming profile) [\\%L\profiles\%U] > -. home directory prefix (use %U as username) - [/home/%U] > /data/users/%U -. default users' homeDirectory mode [700] > -. default user netlogon script (use %U as username) - [scripts\logon.bat] > - default password validation time (time in days) [45] > 900 -. ldap suffix [dc=abmas,dc=biz] > -. ldap group suffix [ou=Groups] > -. ldap user suffix [ou=People,ou=Users] > -. ldap machine suffix [ou=Computers,ou=Users] > -. Idmap suffix [ou=Idmap] > -. sambaUnixIdPooldn: object where you want to store the next uidNumber - and gidNumber available for new users and groups - sambaUnixIdPooldn object (relative to ${suffix}) - [sambaDomainName=MEGANET2] > -. ldap master server: IP adress or DNS name of the master - (writable) ldap server - ldap master server [massive.abmas.biz] > -. ldap master port [389] > -. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] > -. ldap master bind password [] > -. 
ldap slave server: IP adress or DNS name of the slave ldap server: - can also be the master one - ldap slave server [massive.abmas.biz] > -. ldap slave port [389] > -. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] > -. ldap slave bind password [] > -. ldap tls support (1/0) [0] > -. SID for domain MEGANET2: SID of the domain - (can be obtained with 'net getlocalsid MASSIVE') - SID for domain MEGANET2 - [S-1-5-21-3504140859-1010554828-2431957765]] > -. unix password encryption: encryption used for unix passwords - unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5 -. default user gidNumber [513] > -. default computer gidNumber [515] > -. default login shell [/bin/bash] > -. default skeleton directory [/etc/skel] > -. default domain name to append to mail adress [] > abmas.biz --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -backup old configuration files: - /etc/opt/IDEALX/smbldap-tools/smbldap.conf-> - /etc/opt/IDEALX/smbldap-tools/smbldap.conf.old - /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf-> - /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old -writing new configuration file: - /etc/opt/IDEALX/smbldap-tools/smbldap.conf done. - /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done. -</pre><p> - Since a slave LDAP server has not been configured, it is necessary to specify the IP - address of the master LDAP server for both the master and the slave configuration - prompts. - </p></li><li class="step" title="Step 3"><p> - Change to the directory that contains the <code class="filename">smbldap.conf</code> file, - then verify its contents. - </p></li></ol></div><p> - The smbldap-tools are now ready for use. 
- </p></div></div><div class="sect2" title="LDAP Initialization and Creation of User and Group Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id346546"></a>LDAP Initialization and Creation of User and Group Accounts</h3></div></div></div><p> - The LDAP database must be populated with well-known Windows domain user accounts and domain group - accounts before Samba can be used. The following procedures step you through the process. - </p><p> - At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are - mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not - hurt to have UNIX user and group accounts in both the system files as well as in the LDAP - database. From a UNIX system perspective, the NSS resolver checks system files before - referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it - does not need to ask LDAP. - </p><p> - Addition of an account to the LDAP backend can be done in two ways: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> - <a class="indexterm" name="id346574"></a> - <a class="indexterm" name="id346580"></a> - <a class="indexterm" name="id346587"></a> - <a class="indexterm" name="id346594"></a> - <a class="indexterm" name="id346601"></a> - <a class="indexterm" name="id346608"></a> - If you always have a user account in the <code class="filename">/etc/passwd</code> on every - server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in - LDAP. In this case, you can add Windows domain user accounts using the - <code class="literal">pdbedit</code> utility. Use of this tool from the command line adds the - SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user. - </p><p> - This is the least desirable method because when LDAP is used as the passwd backend Samba - expects the POSIX account to be in LDAP also. 
It is possible to use the PADL account - migration tool to migrate all system accounts from either the <code class="filename">/etc/passwd</code> - files, or from NIS, to LDAP. - </p></li><li class="listitem"><p> - If you decide that it is probably a good idea to add both the PosixAccount attributes - as well as the SambaSamAccount attributes for each user, then a suitable script is needed. - In the example system you are installing in this exercise, you are making use of the - Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system, - is included on the enclosed CD-ROM under <code class="filename">Chap06/Tools.</code> - </p></li></ul></div><p> - <a class="indexterm" name="id346659"></a> - If you wish to have more control over how the LDAP database is initialized or - if you don't want to use the Idealx smbldap-tools, you should refer to - <a class="link" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#altldapcfg" title="Alternative LDAP Database Initialization">“Alternative LDAP Database Initialization”</a>. - </p><p> - <a class="indexterm" name="id346685"></a> - The following steps initialize the LDAP database, and then you can add user and group - accounts that Samba can use. You use the <code class="literal">smbldap-populate</code> to - seed the LDAP database. You then manually add the accounts shown in <a class="link" href="happy.html#sbehap-bigacct" title="Table 5.3. Abmas Network Users and Groups">“Abmas Network Users and Groups”</a>. - The list of users does not cover all 500 network users; it provides examples only. 
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> - <a class="indexterm" name="id346712"></a> - <a class="indexterm" name="id346720"></a> - <a class="indexterm" name="id346730"></a> - In the following examples, as the LDAP database is initialized, we do create a container - for Computer (machine) accounts. In the Samba-3 <code class="filename">smb.conf</code> files, specific use is made - of the People container, not the Computers container, for domain member accounts. This is not a - mistake; it is a deliberate action that is necessitated by the fact that the resolution of - a machine (computer) account to a UID is done via NSS. The only way this can be handled is - using the NSS (<code class="filename">/etc/nsswitch.conf</code>) entry for <code class="constant">passwd</code>, - which is resolved using the <code class="filename">nss_ldap</code> library. The configuration file for - the <code class="filename">nss_ldap</code> library is the file <code class="filename">/etc/ldap.conf</code> that - provides only one possible LDAP search command that is specified by the entry called - <code class="constant">nss_base_passwd</code>. This means that the search path must take into account - the directory structure so that the LDAP search will commence at a level that is above - both the Computers container and the Users (or People) container. If this is done, it is - necessary to use a search that will descend the directory tree so that the machine account - can be found. Alternatively, by placing all machine accounts in the People container, we - are able to sidestep this limitation. This is the simpler solution that has been adopted - in this chapter. - </p></div><div class="table"><a name="sbehap-bigacct"></a><p class="title"><b>Table 5.3. 
Abmas Network Users and Groups</b></p><div class="table-contents"><table summary="Abmas Network Users and Groups" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">Account Name</th><th align="center">Type</th><th align="center">ID</th><th align="center">Password</th></tr></thead><tbody><tr><td align="left">Robert Jordan</td><td align="left">User</td><td align="left">bobj</td><td align="left">n3v3r2l8</td></tr><tr><td align="left">Stanley Soroka</td><td align="left">User</td><td align="left">stans</td><td align="left">impl13dst4r</td></tr><tr><td align="left">Christine Roberson</td><td align="left">User</td><td align="left">chrisr</td><td align="left">S9n0nw4ll</td></tr><tr><td align="left">Mary Vortexis</td><td align="left">User</td><td align="left">maryv</td><td align="left">kw13t0n3</td></tr><tr><td align="left">Accounts</td><td align="left">Group</td><td align="left">Accounts</td><td align="left"> </td></tr><tr><td align="left">Finances</td><td align="left">Group</td><td align="left">Finances</td><td align="left"> </td></tr><tr><td align="left">Insurance</td><td align="left">Group</td><td align="left">PIOps</td><td align="left"> </td></tr></tbody></table></div></div><br class="table-break"><div class="procedure" title="Procedure 5.8. LDAP Directory Initialization Steps"><a name="creatacc"></a><p class="title"><b>Procedure 5.8. LDAP Directory Initialization Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Start the LDAP server by executing: -</p><pre class="screen"> -<code class="prompt">root# </code> rcldap start -Starting ldap-server done -</pre><p> - </p></li><li class="step" title="Step 2"><p> - Change to the <code class="filename">/opt/IDEALX/sbin</code> directory. 
- </p></li><li class="step" title="Step 3"><p> - Execute the script that will populate the LDAP database as shown here: -</p><pre class="screen"> -<code class="prompt">root# </code> ./smbldap-populate -a root -k 0 -m 0 -</pre><p> - The expected output from this is: -</p><pre class="screen"> -Using workgroup name from smb.conf: sambaDomainName=MEGANET2 --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=> Warning: you must update smbldap.conf configuration file to : -=> sambaUnixIdPooldn parameter must be set - to "sambaDomainName=MEGANET2,dc=abmas,dc=biz" --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -Using builtin directory structure -adding new entry: dc=abmas,dc=biz -adding new entry: ou=People,dc=abmas,dc=biz -adding new entry: ou=Groups,dc=abmas,dc=biz -entry ou=People,dc=abmas,dc=biz already exist. -adding new entry: ou=Idmap,dc=abmas,dc=biz -adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz -adding new entry: uid=root,ou=People,dc=abmas,dc=biz -adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz -adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz -</pre><p> - </p></li><li class="step" title="Step 4"><p> - Edit the <code class="filename">/etc/smbldap-tools/smbldap.conf</code> file so that the following - information is changed from: -</p><pre class="screen"> -# Where to store next uidNumber and gidNumber available -sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" -</pre><p> - to read, after modification: -</p><pre class="screen"> -# Where to store next uidNumber and gidNumber available 
-#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" -sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz" -</pre><p> - </p></li><li class="step" title="Step 5"><p> - It is necessary to restart the LDAP server as shown here: -</p><pre class="screen"> -<code class="prompt">root# </code> rcldap restart -Shutting down ldap-server done -Starting ldap-server done -</pre><p> - </p></li><li class="step" title="Step 6"><p> - <a class="indexterm" name="id347108"></a> - So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data. - There are several ways you can check that your LDAP database is able to receive IDMAP information. One of - the simplest is to execute: -</p><pre class="screen"> -<code class="prompt">root# </code> slapcat | grep -i idmap -dn: ou=Idmap,dc=abmas,dc=biz -ou: idmap -</pre><p> - <a class="indexterm" name="id347129"></a> - If the execution of this command does not return IDMAP entries, you need to create an LDIF - template file (see <a class="link" href="happy.html#sbehap-ldifadd" title="Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">“LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF”</a>). You can add the required entries using - the following command: -</p><pre class="screen"> -<code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \ - -w not24get < /etc/openldap/idmap.LDIF -</pre><p> - Samba automatically populates this LDAP directory container when it needs to. - </p></li><li class="step" title="Step 7"><p> - <a class="indexterm" name="id347164"></a> - It looks like all has gone well, as expected. Let's confirm that this is the case - by running a few tests. 
First we check the contents of the database directly - by running <code class="literal">slapcat</code> as follows (the output has been cut down): -</p><pre class="screen"> -<code class="prompt">root# </code> slapcat -dn: dc=abmas,dc=biz -objectClass: dcObject -objectClass: organization -dc: abmas -o: abmas -structuralObjectClass: organization -entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43 -creatorsName: cn=Manager,dc=abmas,dc=biz -createTimestamp: 20031217234200Z -entryCSN: 2003121723:42:00Z#0x0001#0#0000 -modifiersName: cn=Manager,dc=abmas,dc=biz -modifyTimestamp: 20031217234200Z -... -dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz -objectClass: posixGroup -objectClass: sambaGroupMapping -gidNumber: 553 -cn: Domain Computers -description: Netbios Domain Computers accounts -sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553 -sambaGroupType: 2 -displayName: Domain Computers -structuralObjectClass: posixGroup -entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43 -creatorsName: cn=Manager,dc=abmas,dc=biz -createTimestamp: 20031217234206Z -entryCSN: 2003121723:42:06Z#0x0002#0#0000 -modifiersName: cn=Manager,dc=abmas,dc=biz -modifyTimestamp: 20031217234206Z -</pre><p> - This looks good so far. - </p></li><li class="step" title="Step 8"><p> - <a class="indexterm" name="id347205"></a> - The next step is to prove that the LDAP server is running and responds to a - search request. Execute the following as shown (output has been cut to save space): -</p><pre class="screen"> -<code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)" -# extended LDIF -# -# LDAPv3 -# base <dc=abmas,dc=biz> with scope sub -# filter: (ObjectClass=*) -# requesting: ALL -# - -# abmas.biz -dn: dc=abmas,dc=biz -objectClass: dcObject -objectClass: organization -dc: abmas -o: abmas - -# People, abmas.biz -dn: ou=People,dc=abmas,dc=biz -objectClass: organizationalUnit -ou: People -... 
-# Domain Computers, Groups, abmas.biz -dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz -objectClass: posixGroup -objectClass: sambaGroupMapping -gidNumber: 553 -cn: Domain Computers -description: Netbios Domain Computers accounts -sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553 -sambaGroupType: 2 -displayName: Domain Computers - -# search result -search: 2 -result: 0 Success - -# numResponses: 20 -# numEntries: 19 -</pre><p> - Good. It is all working just fine. - </p></li><li class="step" title="Step 9"><p> - <a class="indexterm" name="id347246"></a> - You must now make certain that the NSS resolver can interrogate LDAP also. - Execute the following commands: -</p><pre class="screen"> -<code class="prompt">root# </code> getent passwd | grep root -root:x:998:512:Netbios Domain Administrator:/home:/bin/false - -<code class="prompt">root# </code> getent group | grep Domain -Domain Admins:x:512:root -Domain Users:x:513: -Domain Guests:x:514: -Domain Computers:x:553: -</pre><p> - <a class="indexterm" name="id347273"></a> - This demonstrates that the <code class="literal">nss_ldap</code> library is functioning - as it should. If these two steps fail to produce this information, refer to - <a class="link" href="happy.html#sbeavoid" title="Avoiding Failures: Solving Problems Before They Happen">“Avoiding Failures: Solving Problems Before They Happen”</a> for diagnostic procedures that can be followed to - isolate the cause of the problem. Proceed to the next step only when the previous steps - have been successfully completed. - </p></li><li class="step" title="Step 10"><p> - <a class="indexterm" name="id347301"></a> - <a class="indexterm" name="id347308"></a> - <a class="indexterm" name="id347314"></a> - Our database is now ready for the addition of network users. 
For each user for - whom an account must be created, execute the following: -</p><pre class="screen"> -<code class="prompt">root# </code> ./smbldap-useradd -m -a <code class="constant">username</code> -<code class="prompt">root# </code> ./smbldap-passwd <code class="constant">username</code> -Changing password for <code class="constant">username</code> -New password : XXXXXXXX -Retype new password : XXXXXXXX - -<code class="prompt">root# </code> smbpasswd <code class="constant">username</code> -New SMB password: XXXXXXXX -Retype new SMB password: XXXXXXXX -</pre><p> - where <code class="constant">username</code> is the login ID for each user. - </p></li><li class="step" title="Step 11"><p> - <a class="indexterm" name="id347372"></a> - Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the - following: -</p><pre class="screen"> -<code class="prompt">root# </code> getent passwd -root:x:0:0:root:/root:/bin/bash -bin:x:1:1:bin:/bin:/bin/bash -... -root:x:0:512:Netbios Domain Administrator:/home:/bin/false -nobody:x:999:514:nobody:/dev/null:/bin/false -bobj:x:1000:513:System User:/home/bobj:/bin/bash -stans:x:1001:513:System User:/home/stans:/bin/bash -chrisr:x:1002:513:System User:/home/chrisr:/bin/bash -maryv:x:1003:513:System User:/home/maryv:/bin/bash -</pre><p> - This demonstrates that user account resolution via LDAP is working. - </p></li><li class="step" title="Step 12"><p> - This step will determine whether or not identity resolution is working correctly. - Do not procede is this step fails, rather find the cause of the failure. The - <code class="literal">id</code> command may be used to validate your configuration so far, - as shown here: -</p><pre class="screen"> -<code class="prompt">root# </code> id chrisr -uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users) -</pre><p> - This confirms that the UNIX (POSIX) user account information can be resolved from LDAP - by system tools that make a getentpw() system call. 
- </p></li><li class="step" title="Step 13"><p> - <a class="indexterm" name="id347429"></a> - The root account must have UID=0; if not, this means that operations conducted from - a Windows client using tools such as the Domain User Manager fails under UNIX because - the management of user and group accounts requires that the UID=0. Additionally, it is - a good idea to make certain that no matter how root account credentials are resolved, - the home directory and shell are valid. You decide to effect this immediately - as demonstrated here: -</p><pre class="screen"> -<code class="prompt">root# </code> cd /opt/IDEALX/sbin -<code class="prompt">root# </code> ./smbldap-usermod -u 0 -d /root -s /bin/bash root -</pre><p> - </p></li><li class="step" title="Step 14"><p> - Verify that the changes just made to the <code class="constant">root</code> account were - accepted by executing: -</p><pre class="screen"> -<code class="prompt">root# </code> getent passwd | grep root -root:x:0:0:root:/root:/bin/bash -root:x:0:512:Netbios Domain Administrator:/root:/bin/bash -</pre><p> - This demonstrates that the changes were accepted. - </p></li><li class="step" title="Step 15"><p> - Make certain that a home directory has been created for every user by listing the - directories in <code class="filename">/home</code> as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> ls -al /home -drwxr-xr-x 8 root root 176 Dec 17 18:50 ./ -drwxr-xr-x 21 root root 560 Dec 15 22:19 ../ -drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/ -drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/ -drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/ -drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/ -</pre><p> - This is precisely what we want to see. 
- </p></li><li class="step" title="Step 16"><p> - <a class="indexterm" name="id347517"></a> - <a class="indexterm" name="id347524"></a> - The final validation step involves making certain that Samba-3 can obtain the user - accounts from the LDAP ldapsam passwd backend. Execute the following command as shown: -</p><pre class="screen"> -<code class="prompt">root# </code> pdbedit -Lv chrisr -Unix username: chrisr -NT username: chrisr -Account Flags: [U ] -User SID: S-1-5-21-3504140859-1010554828-2431957765-3004 -Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513 -Full Name: System User -Home Directory: \\MASSIVE\homes -HomeDir Drive: H: -Logon Script: scripts\login.cmd -Profile Path: \\MASSIVE\profiles\chrisr -Domain: MEGANET2 -Account desc: System User -Workstations: -Munged dial: -Logon time: 0 -Logoff time: Mon, 18 Jan 2038 20:14:07 GMT -Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT -Password last set: Wed, 17 Dec 2003 17:17:40 GMT -Password can change: Wed, 17 Dec 2003 17:17:40 GMT -Password must change: Mon, 18 Jan 2038 20:14:07 GMT -Last bad password : 0 -Bad password count : 0 -Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -</pre><p> - This looks good. Of course, you fully expected that it would all work, didn't you? - </p></li><li class="step" title="Step 17"><p> - <a class="indexterm" name="id347558"></a> - Now you add the group accounts that are used on the Abmas network. Execute - the following exactly as shown: -</p><pre class="screen"> -<code class="prompt">root# </code> ./smbldap-groupadd -a Accounts -<code class="prompt">root# </code> ./smbldap-groupadd -a Finances -<code class="prompt">root# </code> ./smbldap-groupadd -a PIOps -</pre><p> - The addition of groups does not involve keyboard interaction, so the lack of console - output is of no concern. 
- </p></li><li class="step" title="Step 18"><p> - <a class="indexterm" name="id347598"></a> - You really do want to confirm that UNIX group resolution from LDAP is functioning - as it should. Let's do this as shown here: -</p><pre class="screen"> -<code class="prompt">root# </code> getent group -... -Domain Admins:x:512:root -Domain Users:x:513:bobj,stans,chrisr,maryv -Domain Guests:x:514: -... -Accounts:x:1000: -Finances:x:1001: -PIOps:x:1002: -</pre><p> - The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well - as our own site-specific group accounts, are correctly listed. This is looking good. - </p></li><li class="step" title="Step 19"><p> - <a class="indexterm" name="id347627"></a> - The final step we need to validate is that Samba can see all the Windows domain groups - and that they are correctly mapped to the respective UNIX group account. To do this, - just execute the following command: -</p><pre class="screen"> -<code class="prompt">root# </code> net groupmap list -Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins -Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users -Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests -... -Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts -Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances -PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps -</pre><p> - This is looking good. Congratulations it works! Note that in the above output - the lines were shortened by replacing the middle value (1010554828) of the SID with the - ellipsis (...). - </p></li><li class="step" title="Step 20"><p> - The server you have so carefully built is now ready for another important step. You - start the Samba-3 server and validate its operation. 
Execute the following to render all - the processes needed fully operative so that, on system reboot, they are automatically - started: -</p><pre class="screen"> -<code class="prompt">root# </code> chkconfig named on -<code class="prompt">root# </code> chkconfig dhcpd on -<code class="prompt">root# </code> chkconfig ldap on -<code class="prompt">root# </code> chkconfig nmb on -<code class="prompt">root# </code> chkconfig smb on -<code class="prompt">root# </code> chkconfig winbind on -<code class="prompt">root# </code> rcnmb start -<code class="prompt">root# </code> rcsmb start -<code class="prompt">root# </code> rcwinbind start -</pre><p> - </p></li><li class="step" title="Step 21"><p> - The next step might seem a little odd at this point, but take note that you are about to - start <code class="literal">winbindd</code>, which must be able to authenticate to the PDC via the - localhost interface with the <code class="literal">smbd</code> process. This account can be - easily created by joining the PDC to the domain by executing the following command: -</p><pre class="screen"> -<code class="prompt">root# </code> net rpc join -S MASSIVE -U root%not24get -</pre><p> - Note: Before executing this command on the PDC, both <code class="literal">nmbd</code> and - <code class="literal">smbd</code> must be started so that the <code class="literal">net</code> command - can communicate with <code class="literal">smbd</code>. The expected output is as follows: -</p><pre class="screen"> -Joined domain MEGANET2. -</pre><p> - This indicates that the domain security account for the PDC has been correctly created. - </p></li><li class="step" title="Step 22"><p> - At this time it is necessary to restart <code class="literal">winbindd</code> so that it can - correctly authenticate to the PDC. 
The following command achieves that: -</p><pre class="screen"> -<code class="prompt">root# </code> rcwinbind restart -</pre><p> - </p></li><li class="step" title="Step 23"><p> - <a class="indexterm" name="id347824"></a> - You may now check Samba-3 operation as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> smbclient -L massive -U% - - Sharename Type Comment - --------- ---- ------- - IPC$ IPC IPC Service (Samba 3.0.20) - accounts Disk Accounting Files - service Disk Financial Services Files - pidata Disk Property Insurance Files - apps Disk Application Files - netlogon Disk Network Logon Service - profiles Disk Profile Share - profdata Disk Profile Data Share - ADMIN$ IPC IPC Service (Samba 3.0.20) - - Server Comment - --------- ------- - MASSIVE Samba 3.0.20 - - Workgroup Master - --------- ------- - MEGANET2 MASSIVE -</pre><p> - This shows that an anonymous connection is working. - </p></li><li class="step" title="Step 24"><p> - For your finale, let's try an authenticated connection: -</p><pre class="screen"> -<code class="prompt">root# </code> smbclient //massive/bobj -Ubobj%n3v3r2l8 -smb: \> dir - . D 0 Wed Dec 17 01:16:19 2003 - .. D 0 Wed Dec 17 19:04:42 2003 - bin D 0 Tue Sep 2 04:00:57 2003 - Documents D 0 Sun Nov 30 07:28:20 2003 - public_html D 0 Sun Nov 30 07:28:20 2003 - .urlview H 311 Fri Jul 7 06:55:35 2000 - .dvipsrc H 208 Fri Nov 17 11:22:02 1995 - - 57681 blocks of size 524288. 57128 blocks available -smb: \> q -</pre><p> - Well done. All is working fine. - </p></li></ol></div><p> - The server <code class="constant">MASSIVE</code> is now configured, and it is time to move onto the next task. 
- </p></div><div class="sect2" title="Printer Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-ptrcfg"></a>Printer Configuration</h3></div></div></div><p> - <a class="indexterm" name="id347908"></a> - The configuration for Samba-3 to enable CUPS raw-print-through printing has already been - taken care of in the <code class="filename">smb.conf</code> file. The only preparation needed for <code class="constant">smart</code> - printing to be possible involves creation of the directories in which Samba-3 stores - Windows printing driver files. - </p><div class="procedure" title="Procedure 5.9. Printer Configuration Steps"><a name="id347927"></a><p class="title"><b>Procedure 5.9. Printer Configuration Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Configure all network-attached printers to have a fixed IP address. - </p></li><li class="step" title="Step 2"><p> - Create an entry in the DNS database on the server <code class="constant">MASSIVE</code> - in both the forward lookup database for the zone <code class="constant">abmas.biz.hosts</code> - and in the reverse lookup database for the network segment that the printer is to - be located in. Example configuration files for similar zones were presented in <a class="link" href="secure.html" title="Chapter 3. Secure Office Networking">“Secure Office Networking”</a>, - <a class="link" href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">“DNS Abmas.biz Forward Zone File”</a> and in <a class="link" href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">“DNS 192.168.2 Reverse Zone File”</a>. - </p></li><li class="step" title="Step 3"><p> - Follow the instructions in the printer manufacturers' manuals to permit printing - to port 9100. Use any other port the manufacturer specifies for direct mode, - raw printing. This allows the CUPS spooler to print using raw mode protocols. 
- <a class="indexterm" name="id347982"></a> - <a class="indexterm" name="id347989"></a> - </p></li><li class="step" title="Step 4"><p> - <a class="indexterm" name="id348002"></a> - <a class="indexterm" name="id348009"></a> - Only on the server to which the printer is attached, configure the CUPS Print - Queues as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> lpadmin -p <em class="parameter"><code>printque</code></em> - -v socket://<em class="parameter"><code>printer-name</code></em>.abmas.biz:9100 -E -</pre><p> - <a class="indexterm" name="id348043"></a> - This step creates the necessary print queue to use no assigned print filter. This - is ideal for raw printing, that is, printing without use of filters. - The name <em class="parameter"><code>printque</code></em> is the name you have assigned for - the particular printer. - </p></li><li class="step" title="Step 5"><p> - Print queues may not be enabled at creation. Make certain that the queues - you have just created are enabled by executing the following: -</p><pre class="screen"> -<code class="prompt">root# </code> /usr/bin/enable <em class="parameter"><code>printque</code></em> -</pre><p> - </p></li><li class="step" title="Step 6"><p> - Even though your print queue may be enabled, it is still possible that it - may not accept print jobs. A print queue will service incoming printing - requests only when configured to do so. 
Ensure that your print queue is - set to accept incoming jobs by executing the following commands: -</p><pre class="screen"> -<code class="prompt">root# </code> /usr/bin/accept <em class="parameter"><code>printque</code></em> -</pre><p> - </p></li><li class="step" title="Step 7"><p> - <a class="indexterm" name="id348117"></a> - <a class="indexterm" name="id348124"></a> - <a class="indexterm" name="id348130"></a> - Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line: -</p><pre class="screen"> -application/octet-stream application/vnd.cups-raw 0 - -</pre><p> - </p></li><li class="step" title="Step 8"><p> - <a class="indexterm" name="id348157"></a> - Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line: -</p><pre class="screen"> -application/octet-stream -</pre><p> - </p></li><li class="step" title="Step 9"><p> - Refer to the CUPS printing manual for instructions regarding how to configure - CUPS so that print queues that reside on CUPS servers on remote networks - route print jobs to the print server that owns that queue. The default setting - on your CUPS server may automatically discover remotely installed printers and - may permit this functionality without requiring specific configuration. - </p></li><li class="step" title="Step 10"><p> - The following action creates the necessary directory subsystem. 
Follow these - steps to printing heaven: -</p><pre class="screen"> -<code class="prompt">root# </code> mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40} -<code class="prompt">root# </code> chown -R root:root /var/lib/samba/drivers -<code class="prompt">root# </code> chmod -R ug=rwx,o=rx /var/lib/samba/drivers -</pre><p> - </p></li></ol></div></div></div><div class="sect1" title="Samba-3 BDC Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sbehap-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure" title="Procedure 5.10. Configuration of BDC Called: BLDG1"><a name="id348233"></a><p class="title"><b>Procedure 5.10. Configuration of BDC Called: <code class="constant">BLDG1</code></b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Install the files in <a class="link" href="happy.html#sbehap-bldg1-smbconf" title="Example 5.8. LDAP Based smb.conf File, Server: BLDG1">“LDAP Based smb.conf File, Server: BLDG1”</a>, - <a class="link" href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>, and <a class="link" href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a> - into the <code class="filename">/etc/samba/</code> directory. The three files - should be added together to form the <code class="filename">smb.conf</code> file. - </p></li><li class="step" title="Step 2"><p> - Verify the <code class="filename">smb.conf</code> file as in step 2 of <a class="link" href="happy.html#sbehap-massive" title="Samba-3 PDC Configuration">“Samba-3 PDC Configuration”</a>. 
- </p></li><li class="step" title="Step 3"><p> - Carefully follow the steps outlined in <a class="link" href="happy.html#sbehap-PAM-NSS" title="PAM and NSS Client Configuration">“PAM and NSS Client Configuration”</a>, taking - particular note to install the correct <code class="filename">ldap.conf</code>. - </p></li><li class="step" title="Step 4"><p> - Verify that the NSS resolver is working. You may need to cycle the run level - to 1 and back to 5 before the NSS LDAP resolver functions. Follow these - commands: -</p><pre class="screen"> -<code class="prompt">root# </code> init 1 -</pre><p> - After the run level has been achieved, you are prompted to provide the - <code class="constant">root</code> password. Log on, and then execute: -</p><pre class="screen"> -<code class="prompt">root# </code> init 5 -</pre><p> - When the normal logon prompt appears, log into the system as <code class="constant">root</code> - and then execute these commands: -</p><pre class="screen"> -<code class="prompt">root# </code> getent passwd -root:x:0:0:root:/root:/bin/bash -bin:x:1:1:bin:/bin:/bin/bash -daemon:x:2:2:Daemon:/sbin:/bin/bash -lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash -mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false -... -root:x:0:512:Netbios Domain Administrator:/root:/bin/bash -nobody:x:999:514:nobody:/dev/null:/bin/false -bobj:x:1000:513:System User:/home/bobj:/bin/bash -stans:x:1001:513:System User:/home/stans:/bin/bash -chrisr:x:1002:513:System User:/home/chrisr:/bin/bash -maryv:x:1003:513:System User:/home/maryv:/bin/bash -vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false -bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false -</pre><p> - This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem. 
- </p></li><li class="step" title="Step 5"><p> - <a class="indexterm" name="id348380"></a> - The next step in the verification process involves testing the operation of UNIX group - resolution via the NSS LDAP resolver. Execute these commands: -</p><pre class="screen"> -<code class="prompt">root# </code> getent group -root:x:0: -bin:x:1:daemon -daemon:x:2: -sys:x:3: -... -Domain Admins:x:512:root -Domain Users:x:513:bobj,stans,chrisr,maryv,jht -Domain Guests:x:514: -Administrators:x:544: -Users:x:545: -Guests:x:546:nobody -Power Users:x:547: -Account Operators:x:548: -Server Operators:x:549: -Print Operators:x:550: -Backup Operators:x:551: -Replicator:x:552: -Domain Computers:x:553: -Accounts:x:1000: -Finances:x:1001: -PIOps:x:1002: -</pre><p> - This is also the correct and desired output, because it demonstrates that the LDAP client - is able to communicate correctly with the LDAP server (<code class="constant">MASSIVE</code>). - </p></li><li class="step" title="Step 6"><p> - <a class="indexterm" name="id348415"></a> - You must now set the LDAP administrative password into the Samba-3 <code class="filename">secrets.tdb</code> - file by executing this command: -</p><pre class="screen"> -<code class="prompt">root# </code> smbpasswd -w not24get -Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb -</pre><p> - </p></li><li class="step" title="Step 7"><p> - Now you must obtain the domain SID from the PDC and store it into the - <code class="filename">secrets.tdb</code> file also. This step is not necessary with an LDAP - passdb backend because Samba-3 obtains the domain SID from the - sambaDomain object it automatically stores in the LDAP backend. 
It does not hurt to - add the SID to the <code class="filename">secrets.tdb</code>, and if you wish to do so, this - command can achieve that: -</p><pre class="screen"> -<code class="prompt">root# </code> net rpc getsid MEGANET2 -Storing SID S-1-5-21-3504140859-1010554828-2431957765 \ - for Domain MEGANET2 in secrets.tdb -</pre><p> - When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take - any special action to join it to the domain. However, winbind communicates with the - domain controller that is running on the localhost and must be able to authenticate, - thus requiring that the BDC should be joined to the domain. The process of joining - the domain creates the necessary authentication accounts. - </p></li><li class="step" title="Step 8"><p> - To join the Samba BDC to the domain, execute the following: -</p><pre class="screen"> -<code class="prompt">root# </code> net rpc join -U root%not24get -Joined domain MEGANET2. -</pre><p> - This indicates that the domain security account for the BDC has been correctly created. - </p></li><li class="step" title="Step 9"><p> - <a class="indexterm" name="id348504"></a> - Verify that user and group account resolution works via Samba-3 tools as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> pdbedit -L -root:0:root -nobody:65534:nobody -bobj:1000:System User -stans:1001:System User -chrisr:1002:System User -maryv:1003:System User -bldg1$:1006:bldg1$ - -<code class="prompt">root# </code> net groupmap list -Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> - Domain Admins -Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users -Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> - Domain Guests -Administrators (S-1-5-21-3504140859-...-2431957765-544) -> - Administrators -... 
-Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts -Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances -PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps -</pre><p> - These results show that all things are in order. - </p></li><li class="step" title="Step 10"><p> - The server you have so carefully built is now ready for another important step. Now - start the Samba-3 server and validate its operation. Execute the following to render all - the processes needed fully operative so that, upon system reboot, they are automatically - started: -</p><pre class="screen"> -<code class="prompt">root# </code> chkconfig named on -<code class="prompt">root# </code> chkconfig dhcpd on -<code class="prompt">root# </code> chkconfig nmb on -<code class="prompt">root# </code> chkconfig smb on -<code class="prompt">root# </code> chkconfig winbind on -<code class="prompt">root# </code> rcnmb start -<code class="prompt">root# </code> rcsmb start -<code class="prompt">root# </code> rcwinbind start -</pre><p> - Samba-3 should now be running and is ready for a quick test. But not quite yet! - </p></li><li class="step" title="Step 11"><p> - Your new <code class="constant">BLDG1, BLDG2</code> servers do not have home directories for users. - To rectify this using the SUSE yast2 utility or by manually editing the <code class="filename">/etc/fstab</code> - file, add a mount entry to mount the <code class="constant">home</code> directory that has been exported - from the <code class="constant">MASSIVE</code> server. Mount this resource before proceeding. An alternate - approach could be to create local home directories for users who are to use these machines. - This is a choice that you, as system administrator, must make. 
The following entry in the - <code class="filename">/etc/fstab</code> file suffices for now: -</p><pre class="screen"> -massive.abmas.biz:/home /home nfs rw 0 0 -</pre><p> - To mount this resource, execute: -</p><pre class="screen"> -<code class="prompt">root# </code> mount -a -</pre><p> - Verify that the home directory has been mounted as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> df | grep home -massive:/home 29532988 283388 29249600 1% /home -</pre><p> - </p></li><li class="step" title="Step 12"><p> - Implement a quick check using one of the users that is in the LDAP database. Here you go: -</p><pre class="screen"> -<code class="prompt">root# </code> smbclient //bldg1/bobj -Ubobj%n3v3r2l8 -smb: \> dir - . D 0 Wed Dec 17 01:16:19 2003 - .. D 0 Wed Dec 17 19:04:42 2003 - bin D 0 Tue Sep 2 04:00:57 2003 - Documents D 0 Sun Nov 30 07:28:20 2003 - public_html D 0 Sun Nov 30 07:28:20 2003 - .urlview H 311 Fri Jul 7 06:55:35 2000 - .dvipsrc H 208 Fri Nov 17 11:22:02 1995 - - 57681 blocks of size 524288. 57128 blocks available -smb: \> q -</pre><p> - </p></li></ol></div><p> - Now that the first BDC (<code class="constant">BDLG1</code>) has been configured it is time to build - and configure the second BDC server (<code class="constant">BLDG2</code>) as follows: - </p><div class="procedure" title="Procedure 5.11. Configuration of BDC Called BLDG2"><a name="sbehap-bldg2"></a><p class="title"><b>Procedure 5.11. Configuration of BDC Called <code class="constant">BLDG2</code></b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Install the files in <a class="link" href="happy.html#sbehap-bldg2-smbconf" title="Example 5.9. LDAP Based smb.conf File, Server: BLDG2">“LDAP Based smb.conf File, Server: BLDG2”</a>, - <a class="link" href="happy.html#sbehap-shareconfa" title="Example 5.10. 
LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>, and <a class="link" href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a> - into the <code class="filename">/etc/samba/</code> directory. The three files - should be added together to form the <code class="filename">smb.conf</code> file. - </p></li><li class="step" title="Step 2"><p> - Follow carefully the steps shown in <a class="link" href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">“Samba-3 BDC Configuration”</a>, starting at step 2. - </p></li></ol></div><div class="example"><a name="sbehap-bldg1-smbconf"></a><p class="title"><b>Example 5.8. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id348810"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id348821"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id348832"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id348844"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id348856"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id348867"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id348879"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id348890"></a><em 
class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id348902"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id348913"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id348925"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id348936"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id348948"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id348959"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id348971"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id348982"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id348994"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id349006"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id349017"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id349028"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id349040"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id349052"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id349063"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id349075"></a><em class="parameter"><code>ldap group 
suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id349086"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id349098"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id349110"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id349122"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id349133"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id349144"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id349156"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-bldg2-smbconf"></a><p class="title"><b>Example 5.9. 
LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id349201"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id349213"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id349224"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id349236"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id349247"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id349259"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id349270"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id349282"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id349293"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id349305"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id349316"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id349328"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id349339"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id349351"></a><em class="parameter"><code>show add printer wizard = 
No</code></em></td></tr><tr><td><a class="indexterm" name="id349362"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id349374"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id349386"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id349397"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id349409"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id349420"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id349432"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id349443"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id349455"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id349466"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id349478"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id349490"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id349501"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id349513"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id349525"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id349536"></a><em 
class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id349548"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfa"></a><p class="title"><b>Example 5.10. LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id349592"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id349604"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id349615"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id349635"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id349647"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id349658"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id349679"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id349690"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id349702"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id349722"></a><em 
class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id349734"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id349745"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id349757"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id349777"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id349789"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id349800"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id349812"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id349823"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfb"></a><p class="title"><b>Example 5.11. 
LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id349868"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id349879"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id349891"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id349902"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id349922"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id349934"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id349946"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id349957"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id349978"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id349989"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id350001"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id350012"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" 
name="id350032"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id350044"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id350056"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id350067"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id350088"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id350099"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id350111"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id350122"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id350134"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id350145"></a><em class="parameter"><code>write list = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifadd"></a><p class="title"><b>Example 5.12. 
LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen"> -dn: ou=Idmap,dc=abmas,dc=biz -objectClass: organizationalUnit -ou: idmap -structuralObjectClass: organizationalUnit -</pre></div></div><br class="example-break"></div><div class="sect1" title="Miscellaneous Server Preparation Tasks"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id350178"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p> - My father would say, <span class="quote">“<span class="quote">Dinner is not over until the dishes have been done.</span>”</span> - The makings of a great network environment take a lot of effort and attention to detail. - So far, you have completed most of the complex (and to many administrators, the interesting - part of server configuration) steps, but remember to tie it all together. Here are - a few more steps that must be completed so that your network runs like a well-rehearsed - orchestra. - </p><div class="sect2" title="Configuring Directory Share Point Roots"><div class="titlepage"><div><div><h3 class="title"><a name="id350194"></a>Configuring Directory Share Point Roots</h3></div></div></div><p> - In your <code class="filename">smb.conf</code> file, you have specified Windows shares. Each has a <em class="parameter"><code>path</code></em> - parameter. Even though it is obvious to all, one of the common Samba networking problems is - caused by forgetting to verify that every such share root directory actually exists and that it - has the necessary permissions and ownership. 
- </p><p> - Here is an example, but remember to create the directory needed for every share: -</p><pre class="screen"> -<code class="prompt">root# </code> mkdir -p /data/{accounts,finsvcs,piops} -<code class="prompt">root# </code> mkdir -p /apps -<code class="prompt">root# </code> chown -R root:root /data -<code class="prompt">root# </code> chown -R root:root /apps -<code class="prompt">root# </code> chown -R bobj:Accounts /data/accounts -<code class="prompt">root# </code> chown -R bobj:Finances /data/finsvcs -<code class="prompt">root# </code> chown -R bobj:PIOps /data/piops -<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data -<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps -</pre><p> - </p></div><div class="sect2" title="Configuring Profile Directories"><div class="titlepage"><div><div><h3 class="title"><a name="id350283"></a>Configuring Profile Directories</h3></div></div></div><p> - You made a conscious decision to do everything it would take to improve network client - performance. One of your decisions was to implement folder redirection. This means that Windows - user desktop profiles are now made up of two components: a dynamically loaded part and a set of file - network folders. 
- </p><p> - For this arrangement to work, every user needs a directory structure for the network folder - portion of his or her profile as shown here: -</p><pre class="screen"> -<code class="prompt">root# </code> mkdir -p /var/lib/samba/profdata -<code class="prompt">root# </code> chown root:root /var/lib/samba/profdata -<code class="prompt">root# </code> chmod 755 /var/lib/samba/profdata - -# Per user structure -<code class="prompt">root# </code> cd /var/lib/samba/profdata -<code class="prompt">root# </code> mkdir -p <span class="emphasis"><em>username</em></span> -<code class="prompt">root# </code> for i in InternetFiles Cookies History AppData \ - LocalSettings MyPictures MyDocuments Recent -<code class="prompt">root# </code> do -<code class="prompt">root# </code> mkdir <span class="emphasis"><em>username</em></span>/$i -<code class="prompt">root# </code> done -<code class="prompt">root# </code> chown -R <span class="emphasis"><em>username</em></span>:Domain\ Users <span class="emphasis"><em>username</em></span> -<code class="prompt">root# </code> chmod -R 750 <span class="emphasis"><em>username</em></span> -</pre><p> - </p><p> - <a class="indexterm" name="id350393"></a> - <a class="indexterm" name="id350399"></a> - You have three options insofar as the dynamically loaded portion of the roaming profile - is concerned: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>You may permit the user to obtain a default profile.</p></li><li class="listitem"><p>You can create a mandatory profile.</p></li><li class="listitem"><p>You can create a group profile (which is almost always a mandatory profile).</p></li></ul></div><p> - Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory - profile is effected by renaming the <code class="filename">NTUSER.DAT</code> to <code class="filename">NTUSER.MAN</code>, - that is, just by changing the filename extension. 
- </p><p> - <a class="indexterm" name="id350445"></a> - <a class="indexterm" name="id350452"></a> - The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend. - You can manage this using the Idealx smbldap-tools or using the - <a class="ulink" href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">Windows NT4 Domain User Manager</a>. - </p><p> - It may not be obvious that you must ensure that the root directory for the user's profile exists - and has the needed permissions. Use the following commands to create this directory: -</p><pre class="screen"> -<code class="prompt">root# </code> mkdir -p /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> -<code class="prompt">root# </code> chown <span class="emphasis"><em>username</em></span>:Domain\ Users - /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> -<code class="prompt">root# </code> chmod 700 /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> -</pre><p> - </p></div><div class="sect2" title="Preparation of Logon Scripts"><div class="titlepage"><div><div><h3 class="title"><a name="id350512"></a>Preparation of Logon Scripts</h3></div></div></div><p> - <a class="indexterm" name="id350519"></a> - The use of a logon script with Windows XP Professional is an option that every site should consider. - Unless you have locked down the desktop so the user cannot change anything, there is risk that - a vital network drive setting may be broken or that printer connections may be lost. Logon scripts - can help to restore persistent network folder (drive) and printer connections in a predictable - manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook) - user attaches to another company's network that forces environment changes that are alien to your - network. 
- </p><p> - If you decide to use network logon scripts, by reference to the <code class="filename">smb.conf</code> files for the domain - controllers, you see that the path to the share point for the <code class="constant">NETLOGON</code> - share defined is <code class="filename">/var/lib/samba/netlogon</code>. The path defined for the logon - script inside that share is <code class="filename">scripts\logon.bat</code>. This means that as a Windows - NT/200x/XP client logs onto the network, it tries to obtain the file <code class="filename">logon.bat</code> - from the fully qualified path <code class="filename">/var/lib/samba/netlogon/scripts</code>. This fully - qualified path should therefore exist whether you install the <code class="filename">logon.bat</code>. - </p><p> - You can, of course, create the fully qualified path by executing: -</p><pre class="screen"> -<code class="prompt">root# </code> mkdir -p /var/lib/samba/netlogon/scripts -</pre><p> - </p><p> - You should research the options for logon script implementation by referring to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 24, - Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon - facilities in use today is called <a class="ulink" href="http://www.kixtart.org" target="_top">KiXtart</a>. - </p></div><div class="sect2" title="Assigning User Rights and Privileges"><div class="titlepage"><div><div><h3 class="title"><a name="id350609"></a>Assigning User Rights and Privileges</h3></div></div></div><p> - The ability to perform tasks such as joining Windows clients to the domain can be assigned to - normal user accounts. By default, only the domain administrator account (<code class="constant">root</code> on UNIX - systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant - this privilege in a very limited fashion to particular accounts. 
- </p><p> - By default, even Samba-3.0.11 does not grant any rights even to the <code class="constant">Domain Admins</code> - group. Here we grant this group all privileges. - </p><p> - Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who - are granted rights can be restricted to particular machines. It is left to the network administrator - to determine which rights should be provided and to whom. - </p><div class="procedure" title="Procedure 5.12. Steps for Assignment of User Rights and Privileges"><a name="id350638"></a><p class="title"><b>Procedure 5.12. Steps for Assignment of User Rights and Privileges</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Log onto the PDC as the <code class="constant">root</code> account. - </p></li><li class="step" title="Step 2"><p> - Execute the following command to grant the <code class="constant">Domain Admins</code> group all - rights and privileges: -</p><pre class="screen"> -<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \ - "MEGANET2\Domain Admins" SeMachineAccountPrivilege \ - SePrintOperatorPrivilege SeAddUsersPrivilege \ - SeDiskOperatorPrivilege SeRemoteShutdownPrivilege -Successfully granted rights. -</pre><p> - Repeat this step on each domain controller, in each case substituting the name of the server - (e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE. - </p></li><li class="step" title="Step 3"><p> - In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations - to the domain. Execute the following only on the PDC. It is not necessary to do this on - BDCs or on DMS machines because machine accounts are only ever added by the PDC: -</p><pre class="screen"> -<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \ - "MEGANET2\bobj" SeMachineAccountPrivilege -Successfully granted rights. 
-</pre><p> - </p></li><li class="step" title="Step 4"><p> - Verify that privilege assignments have been correctly applied by executing: -</p><pre class="screen"> -net rpc rights list accounts -Uroot%not24get -MEGANET2\bobj -SeMachineAccountPrivilege - -S-0-0 -No privileges assigned - -BUILTIN\Print Operators -No privileges assigned - -BUILTIN\Account Operators -No privileges assigned - -BUILTIN\Backup Operators -No privileges assigned - -BUILTIN\Server Operators -No privileges assigned - -BUILTIN\Administrators -No privileges assigned - -Everyone -No privileges assigned - -MEGANET2\Domain Admins -SeMachineAccountPrivilege -SePrintOperatorPrivilege -SeAddUsersPrivilege -SeRemoteShutdownPrivilege -SeDiskOperatorPrivilege -</pre><p> - </p></li></ol></div></div></div><div class="sect1" title="Windows Client Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id350723"></a>Windows Client Configuration</h2></div></div></div><p> - <a class="indexterm" name="id350731"></a> - In the next few sections, you can configure a new Windows XP Professional disk image on a staging - machine. You will configure all software, printer settings, profile and policy handling, and desktop - default profile settings on this system. When it is complete, you copy the contents of the - <code class="filename">C:\Documents and Settings\Default User</code> directory to a directory with the same - name in the <code class="constant">NETLOGON</code> share on the domain controllers. - </p><p> - Much can be learned from the Microsoft Support site regarding how best to set up shared profiles. 
- One knowledge-base article in particular stands out: - "<a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475" target="_top">How to Create a - Base Profile for All Users."</a> - - </p><div class="sect2" title="Configuration of Default Profile with Folder Redirection"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p> - <a class="indexterm" name="id350774"></a> - Log onto the Windows XP Professional workstation as the local <code class="constant">Administrator</code>. - It is necessary to expose folders that are generally hidden to provide access to the - <code class="constant">Default User</code> folder. - </p><div class="procedure" title="Procedure 5.13. Expose Hidden Folders"><a name="id350791"></a><p class="title"><b>Procedure 5.13. Expose Hidden Folders</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Launch the Windows Explorer by clicking - <span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>. - Select <span class="guilabel">Show hidden files and folders</span>, - and click <span class="guibutton">OK</span>. Exit Windows Explorer. - </p></li><li class="step" title="Step 2"><p> - <a class="indexterm" name="id350856"></a> - Launch the Registry Editor. Click - <span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. Key in <code class="literal">regedt32</code>, and click - <span class="guibutton">OK</span>. - </p></li></ol></div><p> - </p><div class="procedure" title="Procedure 5.14. Redirect Folders in Default System User Profile"><a name="sbehap-rdrfldr"></a><p class="title"><b>Procedure 5.14. 
Redirect Folders in Default System User Profile</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - <a class="indexterm" name="id350912"></a> - <a class="indexterm" name="id350919"></a> - Give focus to <code class="constant">HKEY_LOCAL_MACHINE</code> hive entry in the left panel. - Click <span class="guimenu">File</span> → <span class="guimenuitem">Load Hive...</span> → <span class="guimenuitem">Documents and Settings</span> → <span class="guimenuitem">Default User</span> → <span class="guimenuitem">NTUSER</span> → <span class="guimenuitem">Open</span>. In the dialog box that opens, enter the key name - <code class="constant">Default</code> and click <span class="guibutton">OK</span>. - </p></li><li class="step" title="Step 2"><p> - Browse inside the newly loaded Default folder to: -</p><pre class="screen"> -HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ - CurrentVersion\Explorer\User Shell Folders\ -</pre><p> - The right panel reveals the contents as shown in <a class="link" href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">“Windows XP Professional User Shared Folders”</a>. - </p></li><li class="step" title="Step 3"><p> - <a class="indexterm" name="id351008"></a> - <a class="indexterm" name="id351015"></a> - You edit hive keys. 
Acceptable values to replace the - <code class="constant">%USERPROFILE%</code> variable includes: - - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A drive letter such as <code class="constant">U:</code></p></li><li class="listitem"><p>A direct network path such as - <code class="constant">\\MASSIVE\profdata</code></p></li><li class="listitem"><p>A network redirection (UNC name) that contains a macro such as </p><p><code class="constant">%LOGONSERVER%\profdata\</code></p></li></ul></div><p> - </p></li><li class="step" title="Step 4"><p> - <a class="indexterm" name="id351059"></a> - Set the registry keys as shown in <a class="link" href="happy.html#proffold" title="Table 5.4. Default Profile Redirections">“Default Profile Redirections”</a>. Your implementation makes the assumption - that users have statically located machines. Notebook computers (mobile users) need to be - accommodated using local profiles. This is not an uncommon assumption. - </p></li><li class="step" title="Step 5"><p> - Click back to the root of the loaded hive <code class="constant">Default</code>. - Click <span class="guimenu">File</span> → <span class="guimenuitem">Unload Hive...</span> → <span class="guimenuitem">Yes</span>. - </p></li><li class="step" title="Step 6"><p> - <a class="indexterm" name="id351112"></a> - Click <span class="guimenu">File</span> → <span class="guimenuitem">Exit</span>. This exits the - Registry Editor. - </p></li><li class="step" title="Step 7"><p> - Now follow the procedure given in <a class="link" href="happy.html#sbehap-locgrppol" title="The Local Group Policy">“The Local Group Policy”</a>. Make sure that each folder you - have redirected is in the exclusion list. - </p></li><li class="step" title="Step 8"><p> - You are now ready to copy<sup>[<a name="id351153" href="#ftn.id351153" class="footnote">11</a>]</sup> - the Default User profile to the Samba domain controllers. 
Launch Microsoft Windows Explorer, - and use it to copy the full contents of the directory <code class="filename">Default User</code> that - is in the <code class="filename">C:\Documents and Settings</code> to the root directory of the - <code class="constant">NETLOGON</code> share. If the <code class="constant">NETLOGON</code> share has the defined - UNIX path of <code class="filename">/var/lib/samba/netlogon</code>, when the copy is complete there must - be a directory in there called <code class="filename">Default User</code>. - </p></li></ol></div><p> - Before punching out new desktop images for the client workstations, it is perhaps a good idea that - desktop behavior should be returned to the original Microsoft settings. The following steps achieve - that ojective: - </p><div class="procedure" title="Procedure 5.15. Reset Folder Display to Original Behavior"><a name="id351213"></a><p class="title"><b>Procedure 5.15. Reset Folder Display to Original Behavior</b></p><ul class="procedure"><li class="step" title="Step 1"><p> - To launch the Windows Explorer, click - <span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>. - Deselect <span class="guilabel">Show hidden files and folders</span>, and click <span class="guibutton">OK</span>. - Exit Windows Explorer. - </p></li></ul></div><div class="figure"><a name="XP-screen001"></a><p class="title"><b>Figure 5.3. Windows XP Professional User Shared Folders</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/XP-screen001.png" width="351" alt="Windows XP Professional User Shared Folders"></div></div></div><br class="figure-break"><div class="table"><a name="proffold"></a><p class="title"><b>Table 5.4. 
Default Profile Redirections</b></p><div class="table-contents"><table summary="Default Profile Redirections" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Registry Key</th><th align="left">Redirected Value</th></tr></thead><tbody><tr><td align="left">Cache</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</td></tr><tr><td align="left">Cookies</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Cookies</td></tr><tr><td align="left">History</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\AppData</td></tr><tr><td align="left">Local Settings</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</td></tr><tr><td align="left">My Pictures</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyPictures</td></tr><tr><td align="left">Personal</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</td></tr><tr><td align="left">Recent</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Recent</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" title="Configuration of MS Outlook to Relocate PST File"><div class="titlepage"><div><div><h3 class="title"><a name="id351441"></a>Configuration of MS Outlook to Relocate PST File</h3></div></div></div><p> - <a class="indexterm" name="id351449"></a> - <a class="indexterm" name="id351458"></a> - Microsoft Outlook can store a Personal Storage file, generally known as a PST file. - It is the nature of email storage that this file grows, at times quite rapidly. - So that users' email is available to them at every workstation they may log onto, - it is common practice in well-controlled sites to redirect the PST folder to the - users' home directory. Follow these steps for each user who wishes to do this. 
- </p><p> - To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave - slightly differently), follow these steps: - </p><div class="procedure" title="Procedure 5.16. Outlook PST File Relocation"><a name="id351476"></a><p class="title"><b>Procedure 5.16. Outlook PST File Relocation</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Close Outlook if it is open. - </p></li><li class="step" title="Step 2"><p> - From the <span class="guimenu">Control Panel</span>, launch the Mail icon. - </p></li><li class="step" title="Step 3"><p> - Click <span class="guimenu">Email Accounts.</span> - </p></li><li class="step" title="Step 4"><p> - Make a note of the location of the PST file(s). From this location, move - the files to the desired new target location. The most desired new target location - may well be the users' home directory. - </p></li><li class="step" title="Step 5"><p> - Add a new data file, selecting the PST file in the new desired target location. - Give this entry (not the filename) a new name such as <span class="quote">“<span class="quote">Personal Mail Folders.</span>”</span> - </p><p> - Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems - following these instructions. Feedback from users suggests that where IMAP is used the PST - file is used to store rules and filters. When the PST store is relocated it appears to break - MS Outlook's Send/Receive button. If anyone has successfully relocated PST files where IMAP is - used please email <code class="literal">jht@samba.org</code> with useful tips and suggestions so that - this warning can be removed or modified. - </p></li><li class="step" title="Step 6"><p> - Close the <span class="guimenu">Date Files</span> windows, then click <span class="guimenu">Email Accounts</span>. 
- </p></li><li class="step" title="Step 7"><p> - Select <span class="guimenu">View of Change</span> exiting email accounts, click <span class="guibutton">Next.</span> - </p></li><li class="step" title="Step 8"><p> - Change the <span class="guimenu">Mail Delivery Location</span> so as to use the data file in the new - target location. - </p></li><li class="step" title="Step 9"><p> - Go back to the <span class="guimenu">Data Files</span> window, then delete the old data file entry. - </p></li></ol></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> - <a class="indexterm" name="id351615"></a> - You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise - the user may be not be able to retrieve contacts when addressing a new email message. - </p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> - <a class="indexterm" name="id351628"></a> - Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook - Express storage files can not be redirected to network shares. The options panel will not permit - this, but they can be moved to folders outside of the user's profile. They can also be excluded - from folder synchronization as part of the roaming profile. - </p><p> - While it is possible to redirect the data stores for Outlook Express data stores by editing the - registry, experience has shown that data corruption and loss of email messages will result. - </p><p> - <a class="indexterm" name="id351646"></a> - <a class="indexterm" name="id351653"></a> - In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with - roaming profiles this can result in excruciatingly long login and logout behavior will files are - synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming - profiles are used. 
- </p></div><p> - <a class="indexterm" name="id351665"></a> - Microsoft does not support storing PST files on network shares, although the practice does appear - to be rather popular. Anyone who does relocation the PST file to a network resource should refer - the Microsoft <a class="ulink" href="http://support.microsoft.com/kb/297019/" target="_top">reference</a> to better - understand the issues. - </p><p> - <a class="indexterm" name="id351684"></a> - Apart from manually moving PST files to a network share, it is possible to set the default PST - location for new accounts by following the instructions at the WindowsITPro <a class="ulink" href="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html" target="_top">web</a> site. - </p><p> - <a class="indexterm" name="id351701"></a> - User feedback suggests that disabling of oplocks on PST files will significantly improve - network performance by reducing locking overheads. One way this can be done is to add to the - <code class="filename">smb.conf</code> file stanza for the share the PST file the following: -</p><pre class="screen"> -veto oplock files = /*.pdf/*.PST/ -</pre><p> - </p></div><div class="sect2" title="Configure Delete Cached Profiles on Logout"><div class="titlepage"><div><div><h3 class="title"><a name="id351724"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p> - Configure the Windows XP Professional client to auto-delete roaming profiles on logout: - </p><p> - <a class="indexterm" name="id351736"></a> - Click - <span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. In the dialog box, enter <code class="literal">MMC</code> and click <span class="guibutton">OK</span>. - </p><p> - Follow these steps to set the default behavior of the staging machine so that all roaming - profiles are deleted as network users log out of the system. 
Click - <span class="guimenu">File</span> → <span class="guimenuitem">Add/Remove Snap-in</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Group Policy</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Finish</span> → <span class="guimenuitem">Close</span> → <span class="guimenuitem">OK</span>. - </p><p> - <a class="indexterm" name="id351830"></a> - The Microsoft Management Console now shows the <span class="guimenu">Group Policy</span> - utility that enables you to set the policies needed. In the left panel, click - <span class="guimenuitem">Local Computer Policy</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>. In the right panel, set the properties shown here by double-clicking on each - item as shown: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li class="listitem"><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p> - Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies - made of this system to deploy the new standard desktop system. - </p></div><div class="sect2" title="Uploading Printer Drivers to Samba Servers"><div class="titlepage"><div><div><h3 class="title"><a name="id351896"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p> - <a class="indexterm" name="id351904"></a> - Users want to be able to use network printers. You have a vested interest in making - it easy for them to print. You have chosen to install the printer drivers onto the Samba - servers and to enable point-and-click (drag-and-drop) printing. This process results in - Samba being able to automatically provide the Windows client with the driver necessary to - print to the printer chosen. 
The following procedure must be followed for every network - printer: - </p><div class="procedure" title="Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers"><a name="id351918"></a><p class="title"><b>Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Join your Windows XP Professional workstation (the staging machine) to the - <code class="constant">MEGANET2</code> domain. If you are not sure of the procedure, - follow the guidance given in <a class="link" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">“Joining a Domain: Windows 200x/XP Professional”</a>. - </p></li><li class="step" title="Step 2"><p> - After the machine has rebooted, log onto the workstation as the domain - <code class="constant">root</code> (this is the Administrator account for the - operating system that is the host platform for this implementation of Samba. - </p></li><li class="step" title="Step 3"><p> - Launch MS Windows Explorer. Navigate in the left panel. Click - <span class="guimenu">My Network Places</span> → <span class="guimenuitem">Entire Network</span> → <span class="guimenuitem">Microsoft Windows Network</span> → <span class="guimenuitem">Meganet2</span> → <span class="guimenuitem">Massive</span>. Click on <span class="guimenu">Massive</span> - <span class="guimenu">Printers and Faxes</span>. - </p></li><li class="step" title="Step 4"><p> - Identify a printer that is shown in the right panel. Let us assume the printer is called - <code class="constant">ps01-color</code>. Right-click on the <span class="guimenu">ps01-color</span> icon - and select the <span class="guimenu">Properties</span> entry. 
This opens a dialog box that indicates - that <span class="quote">“<span class="quote">The printer driver is not installed on this computer. Some printer properties - will not be accessible unless you install the printer driver. Do you want to install the - driver now?</span>”</span> It is important at this point you answer <span class="guimenu">No</span>. - </p></li><li class="step" title="Step 5"><p> - The printer properties panel for the <span class="guimenu">ps01-color</span> printer on the server - <code class="constant">MASSIVE</code> is displayed. Click the <span class="guimenu">Advanced</span> tab. - Note that the box labeled <span class="guimenu">Driver</span> is empty. Click the <span class="guimenu">New Driver</span> - button that is next to the <span class="guimenu">Driver</span> box. This launches the <span class="quote">“<span class="quote">Add Printer Wizard</span>”</span>. - </p></li><li class="step" title="Step 6"><p> - <a class="indexterm" name="id352097"></a> - <a class="indexterm" name="id352106"></a> - The <span class="quote">“<span class="quote">Add Printer Driver Wizard on <code class="constant">MASSIVE</code></span>”</span> panel - is now presented. Click <span class="guimenu">Next</span> to continue. From the left panel, select the - printer manufacturer. In your case, you are adding a driver for a printer manufactured by - Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click - <span class="guimenu">Next</span>, and then <span class="guimenu">Finish</span> to commence driver upload. A - progress bar appears and instructs you as each file is being uploaded and that it is being - directed at the network server <code class="constant">\\massive\ps01-color</code>. 
- </p></li><li class="step" title="Step 7"><p> - <a class="indexterm" name="id352150"></a> - <a class="indexterm" name="id352160"></a> - <a class="indexterm" name="id352169"></a> - <a class="indexterm" name="id352178"></a> - <a class="indexterm" name="id352187"></a> - <a class="indexterm" name="id352196"></a> - The driver upload completes in anywhere from a few seconds to a few minutes. When it completes, - you are returned to the <span class="guimenu">Advanced</span> tab in the <span class="guimenu">Properties</span> panel. - You can set the Location (under the <span class="guimenu">General</span> tab) and Security settings (under - the <span class="guimenu">Security</span> tab). Under the <span class="guimenu">Sharing</span> tab it is possible to - load additional printer drivers; there is also a check-box in this tab called <span class="quote">“<span class="quote">List in the - directory</span>”</span>. When this box is checked, the printer will be published in Active Directory - (Applicable to Active Directory use only.) - </p></li><li class="step" title="Step 8"><p> - <a class="indexterm" name="id352247"></a> - Click <span class="guimenu">OK</span>. It will take a minute or so to upload the settings to the server. - You are now returned to the <span class="guimenu">Printers and Faxes on Massive</span> monitor. - Right-click on the printer, click <span class="guimenu">Properties</span> → <span class="guimenuitem">Device Settings</span>. Now change the settings to suit - your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if - you need to reverse the changes back to their original settings. - </p></li><li class="step" title="Step 9"><p> - This is necessary so that the printer settings are initialized in the Samba printers - database. Click <span class="guimenu">Apply</span> to commit your settings. Revert any settings you changed - just to initialize the Samba printers database entry for this printer. 
If you need to revert a setting, - click <span class="guimenu">Apply</span> again. - </p></li><li class="step" title="Step 10"><p> - <a class="indexterm" name="id352314"></a> - Verify that all printer settings are at the desired configuration. When you are satisfied that they are, - click the <span class="guimenu">General</span> tab. Now click the <span class="guimenu">Print Test Page</span> button. - A test page should print. Verify that it has printed correctly. Then click <span class="guimenu">OK</span> - in the panel that is newly presented. Click <span class="guimenu">OK</span> on the <span class="guimenu">ps01-color on - massive Properties</span> panel. - </p></li><li class="step" title="Step 11"><p> - You must repeat this process for all network printers (i.e., for every printer on each server). - When you have finished uploading drivers to all printers, close all applications. The next task - is to install software your users require to do their work. - </p></li></ol></div></div><div class="sect2" title="Software Installation"><div class="titlepage"><div><div><h3 class="title"><a name="id352365"></a>Software Installation</h3></div></div></div><p> - Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is - a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer. - Notebooks require special handling that is beyond the scope of this chapter. - </p><p> - For desktop systems, the installation of software onto administratively centralized application servers - make a lot of sense. This means that you can manage software maintenance from a central - perspective and that only minimal application stubware needs to be installed onto the desktop - systems. You should proceed with software installation and default configuration as far as is humanly - possible and so long as it makes sense to do so. 
Make certain to thoroughly test and validate every aspect - of software operations and configuration. - </p><p> - When you believe that the overall configuration is complete, be sure to create a shared group profile - and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in - case a user may have specific needs you had not anticipated. - </p></div><div class="sect2" title="Roll-out Image Creation"><div class="titlepage"><div><div><h3 class="title"><a name="id352391"></a>Roll-out Image Creation</h3></div></div></div><p> - The final steps before preparing the distribution Norton Ghost image file you might follow are: - </p><div class="blockquote"><blockquote class="blockquote"><p> - Unjoin the domain Each workstation requires a unique name and must be independently - joined into domain membership. - </p></blockquote></div><div class="blockquote"><blockquote class="blockquote"><p> - Defragment the hard disk While not obvious to the uninitiated, defragmentation results - in better performance and often significantly reduces the size of the compressed disk image. That - also means it will take less time to deploy the image onto 500 workstations. - </p></blockquote></div></div></div><div class="sect1" title="Key Points Learned"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id352420"></a>Key Points Learned</h2></div></div></div><p> - This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately - avoided any consideration of security. Security does not just happen; you must design it into your total - network. Security begins with a systems design and implementation that anticipates hostile behavior from - users both inside and outside the organization. Hostile and malicious intruders do not respect barriers; - they accept them as challenges. 
For that reason, if not simply from a desire to establish safe networking - practices, you must not deploy the design presented in this book in an environment where there is risk - of compromise. - </p><p> - <a class="indexterm" name="id352437"></a> - <a class="indexterm" name="id352445"></a> - As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be - configured to use secure protocols for all communications over the network. Of course, secure networking - does not result just from systems design and implementation but involves constant user education - training and, above all, disciplined attention to detail and constant searching for signs of unfriendly - or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources. - Jerry Carter's book <a class="ulink" href="http://www.booksense.com/product/info.jsp&isbn=1565924916" target="_top"> - <span class="emphasis"><em>LDAP System Administration</em></span></a> is a good place to start reading about OpenLDAP - as well as security considerations. - </p><p> - The substance of this chapter that has been deserving of particular attention includes: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> - Implementation of an OpenLDAP-based passwd backend, necessary to support distributed - domain control. - </p></li><li class="listitem"><p> - Implementation of Samba primary and secondary domain controllers with a common LDAP backend - for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and - pam_ldap tool-sets. - </p></li><li class="listitem"><p> - Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as - to manage Samba Windows user and group accounts. - </p></li><li class="listitem"><p> - The basics of implementation of Group Policy controls for Windows network clients. 
- </p></li><li class="listitem"><p> - Control over roaming profiles, with particular focus on folder redirection to network drives. - </p></li><li class="listitem"><p> - Use of the CUPS printing system together with Samba-based printer driver auto-download. - </p></li></ul></div></div><div class="sect1" title="Questions and Answers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id352508"></a>Questions and Answers</h2></div></div></div><p> - Well, here we are at the end of this chapter and we have only ten questions to help you to - remember so much. There are bound to be some sticky issues here. - </p><div class="qandaset" title="Frequently Asked Questions"><a name="id352518"></a><dl><dt> <a href="happy.html#id352525"> - Why did you not cover secure practices? Isn't it rather irresponsible to instruct - network administrators to implement insecure solutions? - </a></dt><dt> <a href="happy.html#id352558"> - You have focused much on SUSE Linux and little on the market leader, Red Hat. Do - you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant - to the Linux I might be using? - </a></dt><dt> <a href="happy.html#id352600"> - You did not use SWAT to configure Samba. Is there something wrong with it? - </a></dt><dt> <a href="happy.html#id352635"> - You have exposed a well-used password not24get. Is that - not irresponsible? - </a></dt><dt> <a href="happy.html#id352657"> - The Idealx smbldap-tools create many domain group accounts that are not used. Is that - a good thing? - </a></dt><dt> <a href="happy.html#id352681"> - Can I use LDAP just for Samba accounts and not for UNIX system accounts? - </a></dt><dt> <a href="happy.html#id352701"> - Why are the Windows domain RID portions not the same as the UNIX UID? - </a></dt><dt> <a href="happy.html#id352732"> - Printer configuration examples all show printing to the HP port 9100. Does this - mean that I must have HP printers for these solutions to work? 
- </a></dt><dt> <a href="happy.html#id352757"> - Is folder redirection dangerous? I've heard that you can lose your data that way. - </a></dt><dt> <a href="happy.html#id352779"> - Is it really necessary to set a local Group Policy to exclude the redirected - folders from the roaming profile? - </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%"><col><tbody><tr class="question"><td align="left" valign="top"><a name="id352525"></a><a name="id352527"></a></td><td align="left" valign="top"><p> - Why did you not cover secure practices? Isn't it rather irresponsible to instruct - network administrators to implement insecure solutions? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - Let's get this right. This is a book about Samba, not about OpenLDAP and secure - communication protocols for subjects other than Samba. Earlier on, you note, - that the dynamic DNS and DHCP solutions also used no protective secure communications - protocols. The reason for this is simple: There are so many ways of implementing - secure protocols that this book would have been even larger and more complex. - </p><p> - The solutions presented here all work (at least they did for me). Network administrators - have the interest and the need to be better trained and instructed in secure networking - practices and ought to implement safe systems. I made the decision, right or wrong, - to keep this material as simple as possible. The intent of this book is to demonstrate - a working solution and not to discuss too many peripheral issues. - </p><p> - This book makes little mention of backup techniques. Does that mean that I am recommending - that you should implement a network without provision for data recovery and for disaster - management? Back to our focus: The deployment of Samba has been clearly demonstrated. 
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352558"></a><a name="id352561"></a></td><td align="left" valign="top"><p> - You have focused much on SUSE Linux and little on the market leader, Red Hat. Do - you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant - to the Linux I might be using? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications - for a standard Linux distribution. The differences are marginal. Surely you know - your Linux platform, and you do have access to administration manuals for it. This - book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on - the Samba part of the book; all the other bits are peripheral (but important) to - creation of a total network solution. - </p><p> - What I find interesting is the attention reviewers give to Linux installation and to - the look and feel of the desktop, but does that make for a great server? In this book, - I have paid particular attention to the details of creating a whole solution framework. - I have not tightened every nut and bolt, but I have touched on all the issues you - need to be familiar with. Over the years many people have approached me wanting to - know the details of exactly how to implement a DHCP and dynamic DNS server with Samba - and WINS. In this chapter, it is plain to see what needs to be configured to provide - transparent interoperability. Likewise for CUPS and Samba interoperation. These are - key stumbling areas for many people. - </p><p> - At every critical junction, I have provided comparative guidance for both SUSE and - Red Hat Linux. Both manufacturers have done a great job in furthering the cause - of open source software. I favor neither and respect both. I like particular - features of both products (companies also). No bias in presentation is intended. 
- Oh, before I forget, I particularly like Debian Linux; that is my favorite playground. - </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352600"></a><a name="id352603"></a></td><td align="left" valign="top"><p> - You did not use SWAT to configure Samba. Is there something wrong with it? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - That is a good question. As it is, the <code class="filename">smb.conf</code> file configurations are presented - in as direct a format as possible. Adding SWAT into the equation would have complicated - matters. I sought simplicity of implementation. The fact is that I did use SWAT to - create the files in the first place. - </p><p> - There are people in the Linux and open source community who feel that SWAT is dangerous - and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I - hope to have brought their interests on board. SWAT is well covered is <span class="emphasis"><em>TOSHARG2</em></span>. - </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352635"></a><a name="id352637"></a></td><td align="left" valign="top"><p> - You have exposed a well-used password <span class="emphasis"><em>not24get</em></span>. Is that - not irresponsible? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - Well, I had to use a password of some sort. At least this one has been consistently - used throughout. I guess you can figure out that in a real deployment it would make - sense to use a more secure and original password. - </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352657"></a><a name="id352660"></a></td><td align="left" valign="top"><p> - The Idealx smbldap-tools create many domain group accounts that are not used. Is that - a good thing? 
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - I took this up with Idealx and found them most willing to change that in the next version. - Let's give Idealx some credit for the contribution they have made. I appreciate their work - and, besides, it does no harm to create accounts that are not now used at some time - Samba may well use them. - </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352681"></a><a name="id352683"></a></td><td align="left" valign="top"><p> - Can I use LDAP just for Samba accounts and not for UNIX system accounts? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX) - group account for every Windows domain group account. But if you put your users into - the system password account, how do you plan to keep all domain controller system - password files in sync? I think that having everything in LDAP makes a lot of sense - for the UNIX administrator who is still learning the craft and is migrating from MS Windows. - </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352701"></a><a name="id352703"></a></td><td align="left" valign="top"><p> - Why are the Windows domain RID portions not the same as the UNIX UID? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs. - This algorithm ought to ensure that there will be no clashes with well-known RIDs. - Well-known RIDs have special significance to MS Windows clients. The automatic - assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does - permit you to override that to some extent. 
See the <code class="filename">smb.conf</code> man page entry - for <em class="parameter"><code>algorithmic rid base</code></em>. - </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352732"></a><a name="id352735"></a></td><td align="left" valign="top"><p> - Printer configuration examples all show printing to the HP port 9100. Does this - mean that I must have HP printers for these solutions to work? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - No. You can use any type of printer and must use the interfacing protocol supported - by the printer. Many networks use LPR/LPD print servers to which are attached - PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached - inkjet printer. Use the appropriate device URI (Universal Resource Interface) - argument to the <code class="constant">lpadmin -v</code> option that is right for your - printer. - </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352757"></a><a name="id352759"></a></td><td align="left" valign="top"><p> - Is folder redirection dangerous? I've heard that you can lose your data that way. - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - The only loss of data I know of that involved folder redirection was caused by - manual misuse of the redirection tool. The administrator redirected a folder to - a network drive and said he wanted to migrate (move) the data over. Then he - changed his mind, so he moved the folder back to the roaming profile. This time, - he declined to move the data because he thought it was still in the local profile - folder. That was not the case, so by declining to move the data back, he wiped out - the data. You cannot hold the tool responsible for that. Caveat emptor still applies. 
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id352779"></a><a name="id352781"></a></td><td align="left" valign="top"><p> - Is it really necessary to set a local Group Policy to exclude the redirected - folders from the roaming profile? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - Yes. If you do not do this, the data will still be copied from the network folder - (share) to the local cached copy of the profile. - </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id351153" href="#id351153" class="para">11</a>] </sup> - There is an alternate method by which a default user profile can be added to the - <code class="constant">NETLOGON</code> share. This facility in the Windows System tool - permits profiles to be exported. The export target may be a particular user or - group profile share point or else the <code class="constant">NETLOGON</code> share. - In this case, the profile directory must be named <code class="constant">Default User</code>. - </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="net2000users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. The 500-User Office </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. A Distributed 2000-User Network</td></tr></table></div></body></html> |
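Review bot: the hunk removes docs/htmldocs/Samba3-ByExample/happy.html outright (2878 deletions, 0 insertions) but nothing in this change touches the pages that link to it, so the chapter navigation is left dangling. The navigation header and footer at the end of the hunk show the page wired into its neighbours as "Prev" (Big500users.html), "Next" (net2000users.html), "Up" (ExNetworks.html) and "Home" (index.html); those sibling pages carry the reciprocal links to happy.html and will now point at a missing file. Either remove the whole generated Samba3-ByExample HTML tree in this commit, or regenerate the neighbouring chapter pages in the same change so their Prev/Next/Up links and the part table of contents no longer reference happy.html. The commit message should also state why the rendered HTML is being dropped from the tree (for example, that these files are build output regenerated from the DocBook sources), since the deletion alone does not make the intent clear.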
