diff options
Diffstat (limited to 'docs/htmldocs/Samba3-ByExample/happy.html')
| -rw-r--r-- | docs/htmldocs/Samba3-ByExample/happy.html | 2878 |
1 files changed, 2878 insertions, 0 deletions
diff --git a/docs/htmldocs/Samba3-ByExample/happy.html b/docs/htmldocs/Samba3-ByExample/happy.html new file mode 100644 index 0000000000..076a17b28f --- /dev/null +++ b/docs/htmldocs/Samba3-ByExample/happy.html @@ -0,0 +1,2878 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Making Happy Users</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="Big500users.html" title="Chapter 4. The 500-User Office"><link rel="next" href="2000users.html" title="Chapter 6. A Distributed 2000-User Network"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Making Happy Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="2000users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="happy"></a>Chapter 5. Making Happy Users</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="happy.html#id336072">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id336196">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id336272">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id336400">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id336802">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id338453">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id338466">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id338636">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id341324">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id345079">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id345095">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id345184">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id345412">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id345510">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id345624">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id346340">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id346624">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id346795">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id347264">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id347290">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id347320">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id347408">Questions and Answers</a></span></dt></dl></div><p> + It is said that “<span class="quote">a day that is without troubles is not fulfilling. Rather, give + me a day of troubles well handled so that I can be content with my achievements.</span>” + </p><p> + In the world of computer networks, problems are as varied as the people who create them + or experience them. The design of the network implemented in <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a> + may create problems for some network users. The following lists some of the problems that + may occur: + </p><a class="indexterm" name="id335700"></a><a class="indexterm" name="id335707"></a><a class="indexterm" name="id335716"></a><a class="indexterm" name="id335722"></a><a class="indexterm" name="id335729"></a><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p> +A significant number of network administrators have responded to the guidance given +here. It should be noted that there are sites that have a single PDC for many hundreds of +concurrent network clients. Network bandwidth, network bandwidth utilization, and server load +are among the factors that determine the maximum number of Windows clients that +can be served by a single domain controller (PDC or BDC) on a network segment. It is possible +to operate with only a single PDC over a routed network. What is possible is not necessarily +<span class="emphasis"><em>best practice</em></span>. When Windows client network logons begin to fail with +the message that the domain controller cannot be found or that the user account cannot +be found (when you know it exists), that may be an indication that the domain controller is +overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows +clients is conservative and if followed will minimize problems but it is not absolute. +</p></div><div class="variablelist"><dl><dt><span class="term">Users experiencing difficulty logging onto the network</span></dt><dd><p> + <a class="indexterm" name="id335766"></a> + <a class="indexterm" name="id335775"></a> + When a Windows client logs onto the network, many data packets are exchanged + between the client and the server that is providing the network logon services. + Each request between the client and the server must complete within a specific + time limit. This is one of the primary factors that govern the installation of + multiple domain controllers (usually called secondary or backup controllers). + As a rough rule, there should be one such backup controller for every + 30 to 150 clients. The actual limits are determined by network operational + characteristics. + </p><p> + <a class="indexterm" name="id335790"></a> + <a class="indexterm" name="id335797"></a> + <a class="indexterm" name="id335803"></a> + If the domain controller provides only network logon services + and all file and print activity is handled by domain member servers, one domain + controller per 150 clients on a single network segment may suffice. In any + case, it is highly recommended to have a minimum of one domain controller (PDC or BDC) + per network segment. It is better to have at least one BDC on the network + segment that has a PDC. If the domain controller is also used as a file and + print server, the number of clients it can service reliably is reduced, + and generally for low powered hardware should not exceed 30 machines (Windows + workstations plus domain member servers) per domain controller. Many sites are + able to operate with more clients per domain controller, the number of clients + that can be supported is limited by the CPU speed, memory and the workload on + the Samba server as well as network bandwidth utilization. + </p></dd><dt><span class="term">Slow logons and log-offs</span></dt><dd><p> + <a class="indexterm" name="id335837"></a> + Slow logons and log-offs may be caused by many factors that include: + + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id335850"></a> + <a class="indexterm" name="id335861"></a> + Excessive delays in the resolution of a NetBIOS name to its IP + address. This may be observed when an overloaded domain controller + is also the WINS server. Another cause may be the failure to use + a WINS server (this assumes that there is a single network segment). + </p></li><li><p> + <a class="indexterm" name="id335877"></a> + <a class="indexterm" name="id335884"></a> + <a class="indexterm" name="id335890"></a> + Network traffic collisions due to overloading of the network + segment. One short-term workaround to this may be to replace + network HUBs with Ethernet switches. + </p></li><li><p> + <a class="indexterm" name="id335903"></a> + Defective networking hardware. Over the past few years, we have seen + on the Samba mailing list a significant increase in the number of + problems that were traced to a defective network interface controller, + a defective HUB or Ethernet switch, or defective cabling. In most cases, + it was the erratic nature of the problem that ultimately pointed to + the cause of the problem. + </p></li><li><p> + <a class="indexterm" name="id335920"></a> + <a class="indexterm" name="id335929"></a> + Excessively large roaming profiles. This type of problem is typically + the result of poor user education as well as poor network management. + It can be avoided by users not storing huge quantities of email in + MS Outlook PST files as well as by not storing files on the desktop. + These are old bad habits that require much discipline and vigilance + on the part of network management. + </p></li><li><p> + <a class="indexterm" name="id335946"></a> + You should verify that the Windows XP WebClient service is not running. + The use of the WebClient service has been implicated in many Windows + networking-related problems. + </p></li></ul></div><p> + </p></dd><dt><span class="term">Loss of access to network drives and printer resources</span></dt><dd><p> + Loss of access to network resources during client operation may be caused by a number + of factors, including: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id335976"></a> + Network overload (typically indicated by a high network collision rate) + </p></li><li><p> + Server overload + </p></li><li><p> + <a class="indexterm" name="id335995"></a> + Timeout causing the client to close a connection that is in use but has + been latent (no traffic) for some time (5 minutes or more) + </p></li><li><p> + <a class="indexterm" name="id336009"></a> + Defective networking hardware + </p></li></ul></div><p> + <a class="indexterm" name="id336023"></a> + No matter what the cause, a sudden loss of access to network resources can + result in BSOD (blue screen of death) situations that necessitate rebooting of the client + workstation. In the case of a mild problem, retrying to access the network drive of the printer + may restore operations, but in any case this is a serious problem that may lead to the next + problem, data corruption. + </p></dd><dt><span class="term">Potential data corruption</span></dt><dd><p> + <a class="indexterm" name="id336047"></a> + Data corruption is one of the most serious problems. It leads to uncertainty, anger, and + frustration, and generally precipitates immediate corrective demands. Management response + to this type of problem may be rational, as well as highly irrational. There have been + cases where management has fired network staff for permitting this situation to occur without + immediate correction. There have been situations where perfectly functional hardware was thrown + out and replaced, only to find the problem caused by a low-cost network hardware item. There + have been cases where server operating systems were replaced, or where Samba was updated, + only to later isolate the problem due to defective client software. + </p></dd></dl></div><p> + In this chapter, you can work through a number of measures that significantly arm you to + anticipate and combat network performance issues. You can work through complex and thorny + methods to improve the reliability of your network environment, but be warned that all such steps + demand the price of complexity. + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id336072"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p> + <a class="indexterm" name="id336080"></a> + Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some + constraints that are described in this section. + </p><p> + <a class="indexterm" name="id336094"></a> + <a class="indexterm" name="id336100"></a> + <a class="indexterm" name="id336107"></a> + <a class="indexterm" name="id336114"></a> + The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba. + That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats + them. A user account and a machine account are indistinguishable from each other, except that + the machine account ends in a $ character, as do trust accounts. + </p><p> + <a class="indexterm" name="id336127"></a> + <a class="indexterm" name="id336134"></a> + The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID + is a design decision that was made a long way back in the history of Samba development. It is + unlikely that this decision will be reversed or changed during the remaining life of the + Samba-3.x series. + </p><p> + <a class="indexterm" name="id336146"></a> + <a class="indexterm" name="id336153"></a> + The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that + must refer back to the host operating system on which Samba is running. The name service + switch (NSS) is the preferred mechanism that shields applications (like Samba) from the + need to know everything about every host OS it runs on. + </p><p> + Samba asks the host OS to provide a UID via the “<span class="quote">passwd</span>”, “<span class="quote">shadow</span>” + and “<span class="quote">group</span>” facilities in the NSS control (configuration) file. The best tool + for achieving this is left up to the UNIX administrator to determine. It is not imposed by + Samba. Samba provides winbindd together with its support libraries as one method. It is + possible to do this via LDAP, and for that Samba provides the appropriate hooks so that + all account entities can be located in an LDAP directory. + </p><p> + <a class="indexterm" name="id336184"></a> + For many the weapon of choice is to use the PADL nss_ldap utility. This utility must + be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That + is fundamentally an LDAP design question. The information provided on the Samba list and + in the documentation is directed at providing working examples only. The design + of an LDAP directory is a complex subject that is beyond the scope of this documentation. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id336196"></a>Introduction</h2></div></div></div><p> + You just opened an email from Christine that reads: + </p><p> + Good morning, + </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p> + A few months ago we sat down to design the network. We discussed the challenges ahead and we all + agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated + that we would have some time to resolve any issues that might be encountered. + </p><p> + As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them + resigned yesterday afternoon because she was under duress to complete some critical projects. She + suffered a blue screen of death situation just as she was finishing four hours of intensive work, all + of which was lost. She has a unique requirement that involves storing large files on her desktop. + Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it + takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all + network logon traffic passes over the network links between our buildings, logging on may take + three or four attempts due to blue screen problems associated with network timeouts. + </p><p> + A few of us worked to help her out of trouble. We convinced her to stay and promised to fully + resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard + limits on what our users can do with their desktops. Otherwise, we face staff losses + that can surely do harm to our growth as well as to staff morale. I am sure we can better deal + with the consequences of what we know we must do than we can with the unrest we have now. + </p><p> + Stan and I have discussed the current situation. We are resolved to help our users and protect + the well being of Abmas. Please acknowledge this advice with consent to proceed as required to + regain control of our vital IT operations. + </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Christine</span></td></tr></table></div><p> + </p><p> + <a class="indexterm" name="id336243"></a> + <a class="indexterm" name="id336250"></a> + Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a + single domain controller is a poor design that has obvious operational effects that may + frustrate users. Here is your reply: + </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p> + Christine, Your diligence and attention to detail are much valued. Stan and I fully support your + proposals to resolve the issues. I am confident that your plans fully realized will significantly + boost staff morale. Please go ahead with your plans. If you have any problems, please let me know. + Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait + for approval; I appreciate the urgency. + </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id336272"></a>Assignment Tasks</h3></div></div></div><p> + The priority of assigned tasks in this chapter is: + </p><div class="orderedlist"><ol type="1"><li><p> + <a class="indexterm" name="id336291"></a> + <a class="indexterm" name="id336300"></a> + <a class="indexterm" name="id336307"></a> + <a class="indexterm" name="id336314"></a><a class="indexterm" name="id336319"></a> + Implement Backup Domain Controllers (BDCs) in each building. This involves + a change from a <span class="emphasis"><em>tdbsam</em></span> backend that was used in the previous + chapter to an LDAP-based backend. + </p><p> + You can implement a single central LDAP server for this purpose. + </p></li><li><p> + <a class="indexterm" name="id336340"></a> + <a class="indexterm" name="id336346"></a> + <a class="indexterm" name="id336353"></a> + <a class="indexterm" name="id336360"></a> + Rectify the problem of excessive logon times. This involves redirection of + folders to network shares as well as modification of all user desktops to + exclude the redirected folders from being loaded at login time. You can also + create a new default profile that can be used for all new users. + </p></li></ol></div><p> + <a class="indexterm" name="id336376"></a> + You configure a new MS Windows XP Professional workstation disk image that you roll out + to all desktop users. The instructions you have created are followed on a staging machine + from which all changes can be carefully tested before inflicting them on your network users. + </p><p> + <a class="indexterm" name="id336389"></a> + This is the last network example in which specific mention of printing is made. The example + again makes use of the CUPS printing system. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id336400"></a>Dissection and Discussion</h2></div></div></div><p> + <a class="indexterm" name="id336408"></a> + <a class="indexterm" name="id336414"></a> + <a class="indexterm" name="id336421"></a> + The implementation of Samba BDCs necessitates the installation and configuration of LDAP. + For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial + LDAP servers in current use with Samba-3 include: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id336437"></a> + Novell <a href="http://www.novell.com/products/edirectory/" target="_top">eDirectory</a> + is being successfully used by some sites. Information on how to use eDirectory can be + obtained from the Samba mailing lists or from Novell. + </p></li><li><p> + <a class="indexterm" name="id336455"></a> + IBM <a href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">Tivoli + Directory Server</a> can be used to provide the Samba LDAP backend. Example schema + files are provided in the Samba source code tarball under the directory + <code class="filename">~samba/example/LDAP.</code> + </p></li><li><p> + <a class="indexterm" name="id336480"></a> + Sun <a href="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml" target="_top">ONE Identity + Server product suite</a> provides an LDAP server that can be used for Samba. + Example schema files are provided in the Samba source code tarball under the directory + <code class="filename">~samba/example/LDAP.</code> + </p></li></ul></div><p> + A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial + offerings, it requires that you manually edit the server configuration files and manually + initialize the LDAP directory database. OpenLDAP itself has only command-line tools to + help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges. + </p><p> + <a class="indexterm" name="id336511"></a> + For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite + adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include + GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database + requires an understanding of what you are doing, why you are doing it, and the tools that you must use. + </p><p> + <a class="indexterm" name="id336525"></a> + <a class="indexterm" name="id336532"></a> + <a class="indexterm" name="id336539"></a> + <a class="indexterm" name="id336548"></a> + <a class="indexterm" name="id336557"></a> + <a class="indexterm" name="id336564"></a> + <a class="indexterm" name="id336573"></a> + When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. + High availability operation may be obtained through directory replication/synchronization and + master/slave server configurations. OpenLDAP is a mature platform to host the organizational + directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more. + The price paid through learning how to design an LDAP directory schema in implementation and configuration + of management tools is well rewarded by performance and flexibility and the freedom to manage directory + contents with greater ability to back up, restore, and modify the directory than is generally possible + with Microsoft Active Directory. + </p><p> + <a class="indexterm" name="id336592"></a> + <a class="indexterm" name="id336601"></a> + <a class="indexterm" name="id336608"></a> + <a class="indexterm" name="id336615"></a> + A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory + tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured + for a specific task orientation. It comes with a set of administrative tools that is entirely customized + for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange + server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator + who wants to build a custom directory solution. Microsoft provides an application called + <a href="http://www.microsoft.com/windowsserver2003/adam/default.mspx" target="_top"> + MS ADAM</a> that provides more generic LDAP services, yet it does not have the vanilla-like services + of OpenLDAP. + </p><p> + <a class="indexterm" name="id336638"></a> + <a class="indexterm" name="id336647"></a> + You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly + if you find the challenge of learning about LDAP directories, schemas, configuration, and management + tools and the creation of shell and Perl scripts a bit + challenging. OpenLDAP can be easily customized, though it includes + many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file + that is required for use as a passdb backend. + </p><p> + <a class="indexterm" name="id336661"></a> + For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability, + there are a few nice Web-based tools that may help you to manage your users and groups more effectively. + The Web-based tools you might like to consider include the + <a href="http://lam.sourceforge.net/" target="_top">LDAP Account Manager</a> (LAM) and the Webmin-based + <a href="http://www.webmin.com" target="_top">Webmin</a> Idealx + <a href="http://webmin.idealx.org/index.en.html" target="_top">CGI tools</a>. + </p><p> + Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of + these, so it may be useful to them: + <a href="http://biot.com/gq" target="_top">GQ</a>, a GTK-based LDAP browser; + LDAP <a href="http://www.iit.edu/~gawojar/ldap/" target="_top">Browser/Editor</a> + <a href="http://www.jxplorer.org/" target="_top">; JXplorer</a> (by Computer Associates); + and <a href="http://phpldapadmin.sourceforge.net/" target="_top">phpLDAPadmin</a>. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal + security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided + is considered to consist of the barest essentials only. You are strongly encouraged to learn more about + LDAP before attempting to deploy it in a business-critical environment. + </p></div><p> + Information to help you get started with OpenLDAP is available from the + <a href="http://www.openldap.org/pub/" target="_top">OpenLDAP web site</a>. Many people have found the book + <a href="http://www.oreilly.com/catalog/ldapsa/index.html" target="_top"><span class="emphasis"><em>LDAP System Administration</em></span>,</a> + by Jerry Carter quite useful. + </p><p> + <a class="indexterm" name="id336747"></a> + <a class="indexterm" name="id336753"></a> + <a class="indexterm" name="id336762"></a> + <a class="indexterm" name="id336769"></a> + Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the + main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must + be loaded over the WAN connection. The addition of BDCs on each network segment significantly + improves overall network performance for most users, but it is not enough. You must gain control over + user desktops, and this must be done in a way that wins their support and does not cause further loss of + staff morale. The following procedures solve this problem. + </p><p> + <a class="indexterm" name="id336786"></a> + There is also an opportunity to implement smart printing features. You add this to the Samba configuration + so that future printer changes can be managed without need to change desktop configurations. + </p><p> + You add the ability to automatically download new printer drivers, even if they are not installed + in the default desktop profile. Only one example of printing configuration is given. It is assumed that + you can extrapolate the principles and use them to install all printers that may be needed. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id336802"></a>Technical Issues</h3></div></div></div><p> + <a class="indexterm" name="id336810"></a> + <a class="indexterm" name="id336819"></a> + <a class="indexterm" name="id336828"></a> + The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory + server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system + accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account + attributes Samba needs. Samba-3 can use the LDAP backend to store: + </p><div class="itemizedlist"><ul type="disc"><li><p>Windows Networking User Accounts</p></li><li><p>Windows NT Group Accounts</p></li><li><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p> + <a class="indexterm" name="id336864"></a> + <a class="indexterm" name="id336871"></a> + <a class="indexterm" name="id336878"></a> + <a class="indexterm" name="id336885"></a> + <a class="indexterm" name="id336891"></a> + <a class="indexterm" name="id336898"></a> + <a class="indexterm" name="id336907"></a> + <a class="indexterm" name="id336914"></a> + <a class="indexterm" name="id336920"></a> + The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking + accounts in the LDAP backend. This implies the need to use the + <a href="http://www.padl.com/Contents/OpenSourceSoftware.html" target="_top">PADL LDAP tools</a>. The resolution + of the UNIX group name to its GID must be enabled from either the <code class="filename">/etc/group</code> + or from the LDAP backend. This requires the use of the PADL <code class="filename">nss_ldap</code> tool-set + that integrates with the NSS. The same requirements exist for resolution + of the UNIX username to the UID. The relationships are demonstrated in <a href="happy.html#sbehap-LDAPdiag" title="Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts">???</a>. + </p><div class="figure"><a name="sbehap-LDAPdiag"></a><p class="title"><b>Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UNIX-Samba-and-LDAP.png" width="270" alt="The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id337000"></a> + <a class="indexterm" name="id337007"></a> + You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really + ought to learn how to configure secure communications over LDAP so that site security is not + at risk. This is not covered in the following guidance. + </p><p> + <a class="indexterm" name="id337021"></a> + <a class="indexterm" name="id337028"></a> + <a class="indexterm" name="id337037"></a> + <a class="indexterm" name="id337044"></a> + When OpenLDAP has been made operative, you configure the PDC called <code class="constant">MASSIVE</code>. + You initialize the Samba <code class="filename">secrets.tdb<sub></sub></code> file. Then you + create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized. + You need to decide how best to create user and group accounts. A few hints are, of course, provided. + You can also find on the enclosed CD-ROM, in the <code class="filename">Chap06</code> directory, a few tools + that help to manage user and group configuration. + </p><p> + <a class="indexterm" name="id337074"></a> + <a class="indexterm" name="id337081"></a> + <a class="indexterm" name="id337088"></a> + In order to effect folder redirection and to add robustness to the implementation, + create a network default profile. All network users workstations are configured to use + the new profile. Roaming profiles will automatically be deleted from the workstation + when the user logs off. + </p><p> + <a class="indexterm" name="id337100"></a> + The profile is configured so that users cannot change the appearance + of their desktop. This is known as a mandatory profile. You make certain that users + are able to use their computers efficiently. + </p><p> + <a class="indexterm" name="id337112"></a> + A network logon script is used to deliver flexible but consistent network drive + connections. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-ppc"></a>Addition of Machines to the Domain</h4></div></div></div><p> + <a class="indexterm" name="id337132"></a> + <a class="indexterm" name="id337138"></a> + <a class="indexterm" name="id337143"></a> + <a class="indexterm" name="id337148"></a> + Samba versions prior to 3.0.11 necessitated the use of a domain administrator account + that maps to the UNIX UID=0. The UNIX operating system permits only the <code class="constant">root</code> + user to add user and group accounts. Samba 3.0.11 introduced a new facility known as + <code class="constant">Privileges</code>, which provides five new privileges that + can be assigned to users and/or groups; see Table 5.1. + </p><div class="table"><a name="sbehap-privs"></a><p class="title"><b>Table 5.1. Current Privilege Capabilities</b></p><div class="table-contents"><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="left"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="left"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="left"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="left"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr></tbody></table></div></div><br class="table-break"><p> + In this network example use is made of one of the supported privileges purely to demonstrate + how any user can now be given the ability to add machines to the domain using a normal user account + that has been given the appropriate privileges. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id337279"></a>Roaming Profile Background</h4></div></div></div><p> + As XP roaming profiles grow, so does the amount of time it takes to log in and out. + </p><p> + <a class="indexterm" name="id337291"></a> + <a class="indexterm" name="id337298"></a> + <a class="indexterm" name="id337305"></a> + <a class="indexterm" name="id337311"></a> + An XP roaming profile consists of the <code class="constant">HKEY_CURRENT_USER</code> hive file + <code class="filename">NTUSER.DAT</code> and a number of folders (My Documents, Application Data, + Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the + network with the default configuration of MS Windows NT/200x/XPP, all this data is + copied to the local machine under the <code class="filename">C:\Documents and Settings\%USERNAME%</code> + directory. While the user is logged in, any changes made to any of these folders or to the + <code class="constant">HKEY_CURRENT_USER</code> branch of the registry are made to the local copy + of the profile. At logout the profile data is copied back to the server. This behavior + can be changed through appropriate registry changes and/or through changes to the default + user profile. In the latter case, it updates the registry with the values that are set in the + profile <code class="filename">NTUSER.DAT</code> + file. + </p><p> + The first challenge is to reduce the amount of data that must be transferred to and + from the profile server as roaming profiles are processed. This includes removing + all the shortcuts in the Recent directory, making sure the cache used by the Web browser + is not being dumped into the <code class="filename">Application Data</code> folder, removing the + Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the + user to not place large files on the desktop and to use his or her mapped home directory + instead of the <code class="filename">My Documents</code> folder for saving documents. + </p><p> + <a class="indexterm" name="id337373"></a> + Using a folder other than <code class="filename">My Documents</code> is a nuisance for + some users, since many applications use it by default. + </p><p> + <a class="indexterm" name="id337390"></a> + <a class="indexterm" name="id337396"></a> + <a class="indexterm" name="id337403"></a> + The secret to rapid loading of roaming profiles is to prevent unnecessary data from + being copied back and forth, without losing any functionality. This is not difficult; + it can be done by making changes to the Local Group Policy on each client as well + as changing some paths in each user's <code class="filename">NTUSER.DAT</code> hive. + </p><p> + <a class="indexterm" name="id337422"></a> + <a class="indexterm" name="id337429"></a> + Every user profile has its own <code class="filename">NTUSER.DAT</code> file. This means + you need to edit every user's profile, unless a better method can be + followed. Fortunately, with the right preparations, this is not difficult. + It is possible to remove the <code class="filename">NTUSER.DAT</code> file from each + user's profile. Then just create a Network Default Profile. Of course, it is + necessary to copy all files from redirected folders to the network share to which + they are redirected. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-locgrppol"></a>The Local Group Policy</h4></div></div></div><p> + <a class="indexterm" name="id337464"></a> + <a class="indexterm" name="id337471"></a> + <a class="indexterm" name="id337478"></a> + <a class="indexterm" name="id337484"></a> + Without an Active Directory PDC, you cannot take full advantage of Group Policy + Objects. However, you can still make changes to the Local Group Policy by using + the Group Policy editor (<code class="literal">gpedit.msc</code>). + </p><p> + The <span class="emphasis"><em>Exclude directories in roaming profile</em></span> settings can + be found under + <span class="guimenu">User Configuration</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>. + By default this setting contains + “<span class="quote">Local Settings; Temporary Internet Files; History; Temp</span>”. + </p><p> + Simply add the folders you do not wish to be copied back and forth to this + semicolon-separated list. Note that this change must be made on all clients + that are using roaming profiles. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id337546"></a>Profile Changes</h4></div></div></div><p> + <a class="indexterm" name="id337554"></a> + <a class="indexterm" name="id337561"></a> + There are two changes that should be done to each user's profile. Move each of + the directories that you have excluded from being copied back and forth out of + the usual profile path. Modify each user's <code class="filename">NTUSER.DAT</code> file + to point to the new paths that are shared over the network instead of to the default + path (<code class="filename">C:\Documents and Settings\%USERNAME%</code>). + </p><p> + <a class="indexterm" name="id337586"></a> + <a class="indexterm" name="id337592"></a> + The above modifies existing user profiles. So that newly created profiles have + these settings, you need to modify the <code class="filename">NTUSER.DAT</code> in + the <code class="filename">C:\Documents and Settings\Default User</code> folder on each + client machine, changing the same registry keys. You could do this by copying + <code class="filename">NTUSER.DAT</code> to a Linux box and using <code class="literal">regedt32</code>. + The basic method is described under <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a>. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id337635"></a>Using a Network Default User Profile</h4></div></div></div><p> + <a class="indexterm" name="id337643"></a> + <a class="indexterm" name="id337649"></a> + If you are using Samba as your PDC, you should create a file share called + <code class="constant">NETLOGON</code> and within that create a directory called + <code class="filename">Default User</code>, which is a copy of the desired default user + configuration (including a copy of <code class="filename">NTUSER.DAT</code>). + If this share exists and the <code class="filename">Default User</code> folder exists, + the first login from a new account pulls its configuration from it. + See also <a href="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html" target="_top"> + the Real Men Don't Click</a> Web site. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id337689"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p> + <a class="indexterm" name="id337697"></a> + <a class="indexterm" name="id337706"></a> + <a class="indexterm" name="id337713"></a> + The subject of printing is quite topical. Printing problems run second place to name + resolution issues today. So far in this book, you have experienced only what is generally + known as “<span class="quote">dumb</span>” printing. Dumb printing is the arrangement by which all drivers + are manually installed on each client and the printing subsystems perform no filtering + or intelligent processing. Dumb printing is easily understood. It usually works without + many problems, but it has its limitations also. Dumb printing is better known as + <code class="literal">Raw-Print-Through</code> printing. + </p><p> + <a class="indexterm" name="id337737"></a> + <a class="indexterm" name="id337746"></a> + Samba permits the configuration of <code class="literal">smart</code> printing using the Microsoft + Windows point-and-click (also called drag-and-drop) printing. What this provides is + essentially the ability to print to any printer. If the local client does not yet have a + driver installed, the driver is automatically downloaded from the Samba server and + installed on the client. Drag-and-drop printing is neat; it means the user never needs + to fuss with driver installation, and that is a <span class="trademark">Good Thing,</span>™ + isn't it? + </p><p> + There is a further layer of print job processing that is known as <code class="literal">intelligent</code> + printing that automatically senses the file format of data submitted for printing and + then invokes a suitable print filter to convert the incoming data stream into a format + suited to the printer to which the job is dispatched. + </p><p> + <a class="indexterm" name="id337786"></a> + <a class="indexterm" name="id337793"></a> + <a class="indexterm" name="id337800"></a> + The CUPS printing subsystem is capable of intelligent printing. It has the capacity to + detect the data format and apply a print filter. This means that it is feasible to install + on all Windows clients a single printer driver for use with all printers that are routed + through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately, + <a href="http://www.easysw.com" target="_top">Easy Software Products</a>, the authors of CUPS, have + released a PostScript printing driver for Windows. It can be installed into the Samba + printing backend so that it automatically downloads to the client when needed. + </p><p> + This means that so long as there is a CUPS driver for the printer, all printing from Windows + software can use PostScript, no matter what the actual printer language for the physical + device is. It also means that the administrator can swap out a printer with a totally + different type of device without ever needing to change a client workstation driver. + </p><p> + This book is about Samba-3, so you can confine the printing style to just the smart + style of installation. Those interested in further information regarding intelligent + printing should review documentation on the Easy Software Products Web site. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbeavoid"></a>Avoiding Failures: Solving Problems Before They Happen</h4></div></div></div><p> + It has often been said that there are three types of people in the world: those who + have sharp minds and those who forget things. Please do not ask what the third group + is like! Well, it seems that many of us have company in the second group. There must + be a good explanation why so many network administrators fail to solve apparently + simple problems efficiently and effectively. + </p><p> + Here are some diagnostic guidelines that can be referred to when things go wrong: + </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id337852"></a>Preliminary Advice: Dangers Can Be Avoided</h5></div></div></div><p> + The best advice regarding how to mend a broken leg is “<span class="quote">Never break a leg!</span>” + </p><p> + <a class="indexterm" name="id337867"></a> + Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice + regarding the best way to remedy LDAP and Samba problems: “<span class="quote">Avoid them like the plague!</span>” + </p><p> + If you are now asking yourself how problems can be avoided, the best advice is to start + out your learning experience with a <span class="emphasis"><em>known-good configuration.</em></span> After + you have seen a fully working solution, a good way to learn is to make slow and progressive + changes that cause things to break, then observe carefully how and why things ceased to work. + </p><p> + The examples in this chapter (also in the book as a whole) are known to work. That means + that they could serve as the kick-off point for your journey through fields of knowledge. + Use this resource carefully; we hope it serves you well. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + Do not be lulled into thinking that you can easily adopt the examples in this + book and adapt them without first working through the examples provided. A little + thing overlooked can cause untold pain and may permanently tarnish your experience. + </p></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id337902"></a>The Name Service Caching Daemon</h5></div></div></div><p> + The name service caching daemon (nscd) is a primary cause of difficulties with name + resolution, particularly where <code class="literal">winbind</code> is used. Winbind does its + own caching, thus nscd causes double caching which can lead to peculiar problems during + debugging. As a rule, it is a good idea to turn off the name service caching daemon. + </p><p> + Operation of the name service caching daemon is controlled by the + <code class="filename">/etc/nscd.conf</code> file. Typical contents of this file are as follows: +</p><pre class="screen"> +# /etc/nscd.conf +# An example Name Service Cache config file. This file is needed by nscd. +# Legal entries are: +# logfile <file> +# debug-level <level> +# threads <threads to use> +# server-user <user to run server as instead of root> +# server-user is ignored if nscd is started with -S parameters +# stat-user <user who is allowed to request statistics> +# reload-count unlimited|<number> +# +# enable-cache <service> <yes|no> +# positive-time-to-live <service> <time in seconds> +# negative-time-to-live <service> <time in seconds> +# suggested-size <service> <prime number> +# check-files <service> <yes|no> +# persistent <service> <yes|no> +# shared <service> <yes|no> +# Currently supported cache names (services): passwd, group, hosts +# logfile /var/log/nscd.log +# threads 6 +# server-user nobody +# stat-user somebody + debug-level 0 +# reload-count 5 + enable-cache passwd yes + positive-time-to-live passwd 600 + negative-time-to-live passwd 20 + suggested-size passwd 211 + check-files passwd yes + persistent passwd yes + shared passwd yes + enable-cache group yes + positive-time-to-live group 3600 + negative-time-to-live group 60 + suggested-size group 211 + check-files group yes + persistent group yes + shared group yes +# !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to +# cache hosts will cause your local system to not be able to trust +# forward/reverse lookup checks. DO NOT USE THIS if your system relies on +# this sort of security mechanism. Use a caching DNS server instead. + enable-cache hosts no + positive-time-to-live hosts 3600 + negative-time-to-live hosts 20 + suggested-size hosts 211 + check-files hosts yes + persistent hosts yes + shared hosts yes +</pre><p> + It is feasible to comment out the <code class="constant">passwd</code> and <code class="constant">group</code> + entries so they will not be cached. Alternatively, it is often simpler to just disable the + <code class="literal">nscd</code> service by executing (on Novell SUSE Linux): +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig nscd off +<code class="prompt">root# </code> rcnscd off +</pre><p> + </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id338019"></a>Debugging LDAP</h5></div></div></div><p> + <a class="indexterm" name="id338027"></a> + <a class="indexterm" name="id338034"></a> + <a class="indexterm" name="id338041"></a> + In the example <code class="filename">/etc/openldap/slapd.conf</code> control file + (see <a href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">???</a>) there is an entry for <code class="constant">loglevel 256</code>. + To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter + and restart <code class="literal">slapd</code>. + </p><p> + <a class="indexterm" name="id338074"></a> + <a class="indexterm" name="id338081"></a> + LDAP log information can be directed into a file that is separate from the normal system + log files by changing the <code class="filename">/etc/syslog.conf</code> file so it has the following + contents: +</p><pre class="screen"> +# Some foreign boot scripts require local7 +# +local0,local1.* -/var/log/localmessages +local2,local3.* -/var/log/localmessages +local5.* -/var/log/localmessages +local6,local7.* -/var/log/localmessages +local4.* -/var/log/ldaplogs +</pre><p> + In this case, all LDAP-related logs will be directed to the file + <code class="filename">/var/log/ldaplogs</code>. This makes it easy to track LDAP errors. + The snippet provides a simple example of usage that can be modified to suit + local site needs. The configuration used later in this chapter reflects such + customization with the intent that LDAP log files will be stored at a location + that meets local site needs and wishes more fully. + </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id338115"></a>Debugging NSS_LDAP</h5></div></div></div><p> + The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the + <code class="filename">/etc/ldap.conf</code> file the following parameters: +</p><pre class="screen"> +debug 256 +logdir /data/logs +</pre><p> + Create the log directory as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir /data/logs +</pre><p> + </p><p> + The diagnostic process should follow these steps: + </p><div class="procedure"><a name="id338155"></a><p class="title"><b>Procedure 5.1. NSS_LDAP Diagnostic Steps</b></p><ol type="1"><li><p> + Verify the <code class="constant">nss_base_passwd, nss_base_shadow, nss_base_group</code> entries + in the <code class="filename">/etc/ldap.conf</code> file and compare them closely with the directory + tree location that was chosen when the directory was first created. + </p><p> + One way this can be done is by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat | grep Group | grep dn +dn: ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz +dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz +dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz +dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz +dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz +</pre><p> + The first line is the DIT entry point for the container for POSIX groups. The correct entry + for the <code class="filename">/etc/ldap.conf</code> for the <code class="constant">nss_base_group</code> + parameter therefore is the distinguished name (dn) as applied here: +</p><pre class="screen"> +nss_base_group ou=Groups,dc=abmas,dc=biz?one +</pre><p> + The same process may be followed to determine the appropriate dn for user accounts. + If the container for computer accounts is not the same as that for users (see the <code class="filename">smb.conf</code> + file entry for <code class="constant">ldap machine suffix</code>), it may be necessary to set the + following DIT dn in the <code class="filename">/etc/ldap.conf</code> file: +</p><pre class="screen"> +nss_base_passwd dc=abmas,dc=biz?sub +</pre><p> + This instructs LDAP to search for machine as well as user entries from the top of the DIT + down. This is inefficient, but at least should work. Note: It is possible to specify multiple + <code class="constant">nss_base_passwd</code> entries in the <code class="filename">/etc/ldap.conf</code> file; they + will be evaluated sequentially. Let us consider an example of use where the following DIT + has been implemented: + </p><p> + </p><div class="itemizedlist"><ul type="disc"><li><p>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</p></li><li><p>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</p></li><li><p>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</p></li></ul></div><p> + </p><p> + The appropriate multiple entry for the <code class="constant">nss_base_passwd</code> directive + in the <code class="filename">/etc/ldap.conf</code> file may be: +</p><pre class="screen"> +nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one +nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one +</pre><p> + </p></li><li><p> + Perform lookups such as: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd +</pre><p> + Each such lookup will create an entry in the <code class="filename">/data/log</code> directory + for each such process executed. The contents of each file created in this directory + may provide a hint as to the cause of the a problem that is under investigation. + </p></li><li><p> + For additional diagnostic information, check the contents of the <code class="filename">/var/log/messages</code> + to see what error messages are being generated as a result of the LDAP lookups. Here is an example of + a successful lookup: +</p><pre class="screen"> +slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539 +(IP=0.0.0.0:389) +slapd[12164]: conn=0 op=0 BIND dn="" method=128 +slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text= +slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0 +filter="(objectClass=*)" +slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0 +nentries=1 text= +slapd[12164]: conn=0 op=2 UNBIND +slapd[12164]: conn=0 fd=10 closed +slapd[12164]: conn=1 fd=10 ACCEPT from +IP=127.0.0.1:33540 (IP=0.0.0.0:389) +slapd[12164]: conn=1 op=0 BIND +dn="cn=Manager,dc=abmas,dc=biz" method=128 +slapd[12164]: conn=1 op=0 BIND +dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0 +slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text= +slapd[12164]: conn=1 op=1 SRCH +base="ou=People,dc=abmas,dc=biz" scope=1 deref=0 +filter="(objectClass=posixAccount)" +slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword +uidNumber gidNumber cn +homeDirectory loginShell gecos description objectClass +slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0 +nentries=2 text= +slapd[12164]: conn=1 fd=10 closed + +</pre><p> + </p></li><li><p> + Check that the bindpw entry in the <code class="filename">/etc/ldap.conf</code> or in the + <code class="filename">/etc/ldap.secrets</code> file is correct, as specified in the + <code class="filename">/etc/openldap/slapd.conf</code> file. + </p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id338374"></a>Debugging Samba</h5></div></div></div><p> + The following parameters in the <code class="filename">smb.conf</code> file can be useful in tracking down Samba-related problems: +</p><pre class="screen"> +[global] + ... + log level = 5 + log file = /var/log/samba/%m.log + max log size = 0 + ... +</pre><p> + This will result in the creation of a separate log file for every client from which connections + are made. The log file will be quite verbose and will grow continually. Do not forget to + change these lines to the following when debugging has been completed: +</p><pre class="screen"> +[global] + ... + log level = 1 + log file = /var/log/samba/%m.log + max log size = 50 + ... +</pre><p> + </p><p> + The log file can be analyzed by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /var/log/samba +<code class="prompt">root# </code> grep -v "^\[200" machine_name.log +</pre><p> + </p><p> + Search for hints of what may have failed by looking for the words <span class="emphasis"><em>fail</em></span> + and <span class="emphasis"><em>error</em></span>. + </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id338438"></a>Debugging on the Windows Client</h5></div></div></div><p> + MS Windows 2000 Professional and Windows XP Professional clients can be configured + to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search + the Microsoft knowledge base for detailed instructions. The techniques vary a little with each + version of MS Windows. + </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338453"></a>Political Issues</h3></div></div></div><p> + MS Windows network users are generally very sensitive to limits that may be imposed when + confronted with locked-down workstation configurations. The challenge you face must + be promoted as a choice between reliable, fast network operation and a constant flux + of problems that result in user irritation. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id338466"></a>Installation Checklist</h3></div></div></div><p> + You are starting a complex project. Even though you went through the installation of a complex + network in <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>, this network is a bigger challenge because of the + large number of complex applications that must be configured before the first few steps + can be validated. Take stock of what you are about to undertake, prepare yourself, and + frequently review the steps ahead while making at least a mental note of what has already + been completed. The following task list may help you to keep track of the task items + that are covered: + </p><div class="itemizedlist"><ul type="disc"><li><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>OpenLDAP server</p></li><li><p>PAM and NSS client tools</p></li><li><p>Samba-3 PDC</p></li><li><p>Idealx smbldap scripts</p></li><li><p>LDAP initialization</p></li><li><p>Create user and group accounts</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profile directories</p></li><li><p>Logon scripts</p></li><li><p>Configuration of user rights and privileges</p></li></ol></div></li><li><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>PAM and NSS client tools</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profiles directories</p></li></ol></div></li><li><p>Windows XP Client Configuration</p><div class="orderedlist"><ol type="1"><li><p>Default profile folder redirection</p></li><li><p>MS Outlook PST file relocation</p></li><li><p>Delete roaming profile on logout</p></li><li><p>Upload printer drivers to Samba servers</p></li><li><p>Install software</p></li><li><p>Creation of roll-out images</p></li></ol></div></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id338636"></a>Samba Server Implementation</h2></div></div></div><p> + <a class="indexterm" name="id338644"></a> + <a class="indexterm" name="id338651"></a> + The network design shown in <a href="happy.html#chap6net" title="Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend">???</a> is not comprehensive. It is assumed + that you will install additional file servers and possibly additional BDCs. + </p><div class="figure"><a name="chap6net"></a><p class="title"><b>Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap6-net.png" width="270" alt="Network Topology 500 User Network Using ldapsam passdb backend"></div></div></div><br class="figure-break"><p> + <a class="indexterm" name="id338711"></a> + <a class="indexterm" name="id338718"></a> + All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE + Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to + adjust the locations for your particular Linux system distribution/implementation. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools +scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball, +please verify that the versions you are about to use are matching. The smbldap-tools package +uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are +issued for POSIX accounts. The LDAP rdn under which this information is stored are called +<code class="constant">uidNumber</code> and <code class="constant">gidNumber</code> respectively. These may be +located in any convenient part of the directory information tree (DIT). In the examples that +follow they have been located under <code class="constant">dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</code>. +They could just as well be located under the rdn <code class="constant">cn=NextFreeUnixId</code>. +</p></div><p> + The steps in the process involve changes from the network configuration shown in + <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>. Before implementing the following steps, you must + have completed the network implementation shown in that chapter. If you are starting + with newly installed Linux servers, you must complete the steps shown in + <a href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">???</a> before commencing at <a href="happy.html#ldapsetup" title="OpenLDAP Server Configuration">???</a>. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p> + <a class="indexterm" name="id338788"></a> + <a class="indexterm" name="id338794"></a> + <a class="indexterm" name="id338801"></a> + Confirm that the packages shown in <a href="happy.html#oldapreq" title="Table 5.2. Required OpenLDAP Linux Packages">???</a> are installed on your system. + </p><div class="table"><a name="oldapreq"></a><p class="title"><b>Table 5.2. Required OpenLDAP Linux Packages</b></p><div class="table-contents"><table summary="Required OpenLDAP Linux Packages" border="1"><colgroup><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">SUSE Linux 8.x</th><th align="center">SUSE Linux 9.x</th><th align="center">Red Hat Linux</th></tr></thead><tbody><tr><td align="left">nss_ldap</td><td align="left">nss_ldap</td><td align="left">nss_ldap</td></tr><tr><td align="left">pam_ldap</td><td align="left">pam_ldap</td><td align="left">pam_ldap</td></tr><tr><td align="left">openldap2</td><td align="left">openldap2</td><td align="left">openldap</td></tr><tr><td align="left">openldap2-client</td><td align="left">openldap2-client</td><td align="left"> </td></tr></tbody></table></div></div><br class="table-break"><p> + Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method + for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you + follow these guidelines, the resulting system should work fine. + </p><div class="procedure"><a name="id338930"></a><p class="title"><b>Procedure 5.2. OpenLDAP Server Configuration Steps</b></p><ol type="1"><li><p> + <a class="indexterm" name="id338942"></a> + Install the file shown in <a href="happy.html#sbehap-slapdconf" title="Example 5.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A">???</a> in the directory + <code class="filename">/etc/openldap</code>. + </p></li><li><p> + <a class="indexterm" name="id338968"></a> + <a class="indexterm" name="id338975"></a> + <a class="indexterm" name="id338982"></a> + Remove all files from the directory <code class="filename">/data/ldap</code>, making certain that + the directory exists with permissions: +</p><pre class="screen"> +<code class="prompt">root# </code> ls -al /data | grep ldap +drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap +</pre><p> + This may require you to add a user and a group account for LDAP if they do not exist. + </p></li><li><p> + <a class="indexterm" name="id339015"></a> + Install the file shown in <a href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">???</a> in the directory + <code class="filename">/data/ldap</code>. In the event that this file is added after <code class="constant">ldap</code> + has been started, it is possible to cause the new settings to take effect by shutting down + the <code class="constant">LDAP</code> server, executing the <code class="literal">db_recover</code> command inside the + <code class="filename">/data/ldap</code> directory, and then restarting the <code class="constant">LDAP</code> server. + </p></li><li><p> + <a class="indexterm" name="id339064"></a> + Performance logging can be enabled and should preferably be sent to a file on + a file system that is large enough to handle significantly sized logs. To enable + the logging at a verbose level to permit detailed analysis, uncomment the entry in + the <code class="filename">/etc/openldap/slapd.conf</code> shown as “<span class="quote">loglevel 256</span>”. + </p><p> + Edit the <code class="filename">/etc/syslog.conf</code> file to add the following at the end + of the file: +</p><pre class="screen"> +local4.* -/data/ldap/log/openldap.log +</pre><p> + Note: The path <code class="filename">/data/ldap/log</code> should be set at a location + that is convenient and that can store a large volume of data. + </p></li></ol></div><div class="example"><a name="sbehap-dbconf"></a><p class="title"><b>Example 5.1. LDAP DB_CONFIG File</b></p><div class="example-contents"><pre class="screen"> +set_cachesize 0 150000000 1 +set_lg_regionmax 262144 +set_lg_bsize 2097152 +#set_lg_dir /var/log/bdb +set_flags DB_LOG_AUTOREMOVE +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf"></a><p class="title"><b>Example 5.2. LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen"> +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba3.schema + +pidfile /var/run/slapd/slapd.pid +argsfile /var/run/slapd/slapd.args + +access to dn.base="" + by self write + by * auth + +access to attr=userPassword + by self write + by * auth + +access to attr=shadowLastChange + by self write + by * read + +access to * + by * read + by anonymous auth + +#loglevel 256 + +schemacheck on +idletimeout 30 +backend bdb +database bdb +checkpoint 1024 5 +cachesize 10000 + +suffix "dc=abmas,dc=biz" +rootdn "cn=Manager,dc=abmas,dc=biz" + +# rootpw = not24get +rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV + +directory /data/ldap +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf2"></a><p class="title"><b>Example 5.3. LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part B</b></p><div class="example-contents"><pre class="screen"> +# Indices to maintain +index objectClass eq +index cn pres,sub,eq +index sn pres,sub,eq +index uid pres,sub,eq +index displayName pres,sub,eq +index uidNumber eq +index gidNumber eq +index memberUID eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p> + <a class="indexterm" name="id339203"></a> + <a class="indexterm" name="id339209"></a> + <a class="indexterm" name="id339216"></a> + The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and + groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure + the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication. + </p><p> + <a class="indexterm" name="id339228"></a> + <a class="indexterm" name="id339237"></a> + Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely + that you may want to use them for UNIX system (Linux) local machine logons. This necessitates + correct configuration of PAM. The <code class="literal">pam_ldap</code> open source package provides the + PAM modules that most people would use. On SUSE Linux systems, the <code class="literal">pam_unix2.so</code> + module also has the ability to redirect authentication requests through LDAP. + </p><p> + <a class="indexterm" name="id339262"></a> + <a class="indexterm" name="id339269"></a> + <a class="indexterm" name="id339276"></a> + <a class="indexterm" name="id339283"></a> + You have chosen to configure these services by directly editing the system files, but of course, you + know that this configuration can be done using system tools provided by the Linux system vendor. + SUSE Linux has a facility in YaST (the system admin tool) through <span class="guimenu">yast</span> → <span class="guimenuitem">system</span> → <span class="guimenuitem">ldap-client</span> that permits + configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <code class="literal">authconfig</code> + tool for this. + </p><div class="procedure"><a name="id339319"></a><p class="title"><b>Procedure 5.3. PAM and NSS Client Configuration Steps</b></p><div class="example"><a name="sbehap-nss01"></a><p class="title"><b>Example 5.4. Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen"> +host 127.0.0.1 + +base dc=abmas,dc=biz + +binddn cn=Manager,dc=abmas,dc=biz +bindpw not24get + +timelimit 50 +bind_timelimit 50 +bind_policy hard + +idle_timelimit 3600 + +pam_password exop + +nss_base_passwd ou=People,dc=abmas,dc=biz?one +nss_base_shadow ou=People,dc=abmas,dc=biz?one +nss_base_group ou=Groups,dc=abmas,dc=biz?one + +ssl off +</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-nss02"></a><p class="title"><b>Example 5.5. Configuration File for NSS LDAP Clients Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen"> +host 172.16.0.1 + +base dc=abmas,dc=biz + +binddn cn=Manager,dc=abmas,dc=biz +bindpw not24get + +timelimit 50 +bind_timelimit 50 +bind_policy hard + +idle_timelimit 3600 + +pam_password exop + +nss_base_passwd ou=People,dc=abmas,dc=biz?one +nss_base_shadow ou=People,dc=abmas,dc=biz?one +nss_base_group ou=Groups,dc=abmas,dc=biz?one + +ssl off +</pre></div></div><br class="example-break"><ol type="1"><li><p> + <a class="indexterm" name="id339330"></a> + <a class="indexterm" name="id339337"></a> + <a class="indexterm" name="id339344"></a> + Execute the following command to find where the <code class="filename">nss_ldap</code> module + expects to find its control file: +</p><pre class="screen"> +<code class="prompt">root# </code> strings /lib/libnss_ldap.so.2 | grep conf +</pre><p> + The preferred and usual location is <code class="filename">/etc/ldap.conf</code>. + </p></li><li><p> + On the server <code class="constant">MASSIVE</code>, install the file shown in + <a href="happy.html#sbehap-nss01" title="Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf">???</a> into the path that was obtained from the step above. + On the servers called <code class="constant">BLDG1</code> and <code class="constant">BLDG2</code>, install the file shown in + <a href="happy.html#sbehap-nss02" title="Example 5.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf">???</a> into the path that was obtained from the step above. + </p></li><li><p> + <a class="indexterm" name="id339466"></a> + Edit the NSS control file (<code class="filename">/etc/nsswitch.conf</code>) so that the lines that + control user and group resolution will obtain information from the normal system files as + well as from <code class="literal">ldap</code>: +</p><pre class="screen"> +passwd: files ldap +shadow: files ldap +group: files ldap +hosts: files dns wins +</pre><p> + Later, when the LDAP database has been initialized and user and group accounts have been + added, you can validate resolution of the LDAP resolver process. The inclusion of + WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be + resolved to their IP addresses, whether or not they are DHCP clients. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Some Linux systems (Novell SUSE Linux in particular) add entries to the <code class="filename">nsswitch.conf</code> + file that may cause operational problems with the configuration methods adopted in this book. It is + advisable to comment out the entries <code class="constant">passwd_compat</code> and <code class="constant">group_compat</code> + where they are found in this file. + </p></div><p> + Even at the risk of overstating the issue, incorrect and inappropriate configuration of the + <code class="filename">nsswitch.conf</code> file is a significant cause of operational problems with LDAP. + </p></li><li><p> + <a class="indexterm" name="id339532"></a> + For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following + files in the <code class="filename">/etc/pam.d</code> directory: <code class="literal">login</code>, <code class="literal">password</code>, + <code class="literal">samba</code>, <code class="literal">sshd</code>. In each file, locate every entry that has the + <code class="literal">pam_unix2.so</code> entry and add to the line the entry <code class="literal">use_ldap</code> as shown + for the <code class="literal">login</code> module in this example: +</p><pre class="screen"> +#%PAM-1.0 +auth requisite pam_unix2.so nullok use_ldap #set_secrpc +auth required pam_securetty.so +auth required pam_nologin.so +#auth required pam_homecheck.so +auth required pam_env.so +auth required pam_mail.so +account required pam_unix2.so use_ldap +password required pam_pwcheck.s nullok +password required pam_unix2.so nullok use_first_pass \ + use_authtok use_ldap +session required pam_unix2.so none use_ldap # debug or trace +session required pam_limits.so +</pre><p> + </p><p> + <a class="indexterm" name="id339609"></a> + On other Linux systems that do not have an LDAP-enabled <code class="literal">pam_unix2.so</code> module, + you must edit these files by adding the <code class="literal">pam_ldap.so</code> modules as shown here: +</p><pre class="screen"> +#%PAM-1.0 +auth required pam_securetty.so +auth required pam_nologin.so +auth sufficient pam_ldap.so +auth required pam_unix2.so nullok try_first_pass #set_secrpc +account sufficient pam_ldap.so +account required pam_unix2.so +password required pam_pwcheck.so nullok +password required pam_ldap.so use_first_pass use_authtok +password required pam_unix2.so nullok use_first_pass use_authtok +session required pam_unix2.so none # debug or trace +session required pam_limits.so +session required pam_env.so +session optional pam_mail.so +</pre><p> + This example does have the LDAP-enabled <code class="literal">pam_unix2.so</code>, but simply + demonstrates the use of the <code class="literal">pam_ldap.so</code> module. You can use either + implementation, but if the <code class="literal">pam_unix2.so</code> on your system supports + LDAP, you probably want to use it rather than add an additional module. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p> + <a class="indexterm" name="id339674"></a> + Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server + before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the + choice to either build your own or obtain the packages from a dependable source. + Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for + Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that + is included with this book. + </p><div class="procedure"><a name="id339685"></a><p class="title"><b>Procedure 5.4. Configuration of PDC Called <code class="constant">MASSIVE</code></b></p><ol type="1"><li><p> + Install the files in <a href="happy.html#sbehap-massive-smbconfa" title="Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A">???</a>, + <a href="happy.html#sbehap-massive-smbconfb" title="Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B">???</a>, <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>, + and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a> into the <code class="filename">/etc/samba/</code> + directory. The three files should be added together to form the <code class="filename">smb.conf</code> + master file. It is a good practice to call this file something like + <code class="filename">smb.conf.master</code> and then to perform all file edits + on the master file. The operational <code class="filename">smb.conf</code> is then generated as shown in + the next step. + </p></li><li><p> + <a class="indexterm" name="id339758"></a> + Create and verify the contents of the <code class="filename">smb.conf</code> file that is generated by: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf +</pre><p> + Immediately follow this with the following: +</p><pre class="screen"> +<code class="prompt">root# </code> testparm +</pre><p> + The output that is created should be free from errors, as shown here: + +</p><pre class="screen"> +Load smb config files from /etc/samba/smb.conf +Processing section "[accounts]" +Processing section "[service]" +Processing section "[pidata]" +Processing section "[homes]" +Processing section "[printers]" +Processing section "[apps]" +Processing section "[netlogon]" +Processing section "[profiles]" +Processing section "[profdata]" +Processing section "[print$]" +Loaded services file OK. +Server role: ROLE_DOMAIN_PDC +Press enter to see a dump of your service definitions +</pre><p> + </p></li><li><p> + Delete all runtime files from prior Samba operation by executing (for SUSE + Linux): +</p><pre class="screen"> +<code class="prompt">root# </code> rm /etc/samba/*tdb +<code class="prompt">root# </code> rm /var/lib/samba/*tdb +<code class="prompt">root# </code> rm /var/lib/samba/*dat +<code class="prompt">root# </code> rm /var/log/samba/* +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id339849"></a> + <a class="indexterm" name="id339856"></a> + Samba-3 communicates with the LDAP server. The password that it uses to + authenticate to the LDAP server must be stored in the <code class="filename">secrets.tdb</code> + file. Execute the following to create the new <code class="filename">secrets.tdb</code> files + and store the password for the LDAP Manager: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w not24get +</pre><p> + The expected output from this command is: +</p><pre class="screen"> +Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id339901"></a> + <a class="indexterm" name="id339908"></a> + Samba-3 generates a Windows Security Identifier (SID) only when <code class="literal">smbd</code> + has been started. For this reason, you start Samba. After a few seconds delay, + execute: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient -L localhost -U% +<code class="prompt">root# </code> net getlocalsid +</pre><p> + A report such as the following means that the domain SID has not yet + been written to the <code class="filename">secrets.tdb</code> or to the LDAP backend: +</p><pre class="screen"> +[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852) + failed to bind to server ldap://massive.abmas.biz +with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server + (unknown) +[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169) + smbldap_search_suffix: Problem during the LDAP search: + (unknown) (Timed out) +</pre><p> + The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server + is not running, this operation will fail by way of a timeout, as shown previously. This is + normal output; do not worry about this error message. When the domain has been created and + written to the <code class="filename">secrets.tdb</code> file, the output should look like this: +</p><pre class="screen"> +SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 +</pre><p> + If, after a short delay (a few seconds), the domain SID has still not been written to + the <code class="filename">secrets.tdb</code> file, it is necessary to investigate what + may be misconfigured. In this case, carefully check the <code class="filename">smb.conf</code> file for typographical + errors (the most common problem). The use of the <code class="literal">testparm</code> is highly + recommended to validate the contents of this file. + </p></li><li><p> + When a positive domain SID has been reported, stop Samba. + </p></li><li><p> + <a class="indexterm" name="id340007"></a> + <a class="indexterm" name="id340014"></a> + <a class="indexterm" name="id340020"></a> + <a class="indexterm" name="id340027"></a> + Configure the NFS server for your Linux system. So you can complete the steps that + follow, enter into the <code class="filename">/etc/exports</code> the following entry: +</p><pre class="screen"> +/home *(rw,root_squash,sync) +</pre><p> + This permits the user home directories to be used on the BDC servers for testing + purposes. You, of course, decide what is the best way for your site to distribute + data drives, and you create suitable backup and restore procedures for Abmas + I'd strongly recommend that for normal operation the BDC is completely independent + of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite + closely. If you do use NFS, do not forget to start the NFS server as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> rcnfsserver start +</pre><p> + </p></li></ol></div><p> + Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with + configuration of the LDAP server. + </p><div class="example"><a name="sbehap-massive-smbconfa"></a><p class="title"><b>Example 5.6. LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id340105"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id340117"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id340130"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id340142"></a><em class="parameter"><code>interfaces = eth1, lo</code></em></td></tr><tr><td><a class="indexterm" name="id340155"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340168"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id340180"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340193"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id340206"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id340218"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id340231"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id340243"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id340256"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id340268"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id340281"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340294"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id340306"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id340319"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id340332"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id340345"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id340358"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id340371"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id340384"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id340397"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id340410"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-massive-smbconfb"></a><p class="title"><b>Example 5.7. LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id340447"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id340460"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id340472"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id340485"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340498"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340510"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340523"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id340535"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id340548"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id340561"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id340573"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id340586"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id340599"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id340612"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id340624"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id340637"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id340649"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id340662"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeidealx"></a>Install and Configure Idealx smbldap-tools Scripts</h3></div></div></div><p> + <a class="indexterm" name="id340688"></a> + The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts + on the LDAP server. You have chosen the Idealx scripts because they are the best-known + LDAP configuration scripts. The use of these scripts will help avoid the necessity + to create custom scripts. It is easy to download them from the Idealx + <a href="http://samba.idealx.org/index.en.html" target="_top">Web site</a>. The tarball may + be directly <a href="http://samba.idealx.org/dist/smbldap-tools-0.9.1.tgz" target="_top">downloaded</a> + from this site also. Alternatively, you may obtain the + <a href="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm" target="_top">smbldap-tools-0.9.1-1.src.rpm</a> + file that may be used to build an installable RPM package for your Linux system. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must +change the path to them in your <code class="filename">smb.conf</code> file on the PDC (<code class="constant">MASSIVE</code>). +</p></div><p> + The smbldap-tools are located in <code class="filename">/opt/IDEALX/sbin</code>. + The scripts are not needed on BDC machines because all LDAP updates are handled by + the PDC alone. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id340746"></a>Installation of smbldap-tools from the Tarball</h4></div></div></div><p> + To perform a manual installation of the smbldap-tools scripts, the following procedure may be used: + </p><div class="procedure"><a name="idealxscript"></a><p class="title"><b>Procedure 5.5. Unpacking and Installation Steps for the <code class="constant">smbldap-tools</code> Tarball</b></p><ol type="1"><li><p> + Create the <code class="filename">/opt/IDEALX/sbin</code> directory, and set its permissions + and ownership as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /opt/IDEALX/sbin +<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin +<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin +<code class="prompt">root# </code> mkdir -p /etc/smbldap-tools +<code class="prompt">root# </code> chown root:root /etc/smbldap-tools +<code class="prompt">root# </code> chmod 755 /etc/smbldap-tools +</pre><p> + </p></li><li><p> + If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location. + Change into either the directory extracted from the tarball or the smbldap-tools + directory in your <code class="filename">/usr/share/doc/packages</code> directory tree. + </p></li><li><p> + Copy all the <code class="filename">smbldap-*</code> and the <code class="filename">configure.pl</code> files into the + <code class="filename">/opt/IDEALX/sbin</code> directory, as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> cd smbldap-tools-0.9.1/ +<code class="prompt">root# </code> cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/ +<code class="prompt">root# </code> cp smbldap*conf /etc/smbldap-tools/ +<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/smbldap-* +<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/configure.pl +<code class="prompt">root# </code> chmod 640 /etc/smbldap-tools/smbldap.conf +<code class="prompt">root# </code> chmod 600 /etc/smbldap-tools/smbldap_bind.conf +</pre><p> + </p></li><li><p> + The smbldap-tools scripts master control file must now be configured. + Change to the <code class="filename">/opt/IDEALX/sbin</code> directory, then edit the + <code class="filename">smbldap_tools.pm</code> to affect the changes + shown here: +</p><pre class="screen"> +... +# ugly funcs using global variables and spawning openldap clients + +my $smbldap_conf="/etc/smbldap-tools/smbldap.conf"; +my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; +... +</pre><p> + </p></li><li><p> + To complete the configuration of the smbldap-tools, set the permissions and ownership + by executing the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin/* +<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin/smbldap-* +<code class="prompt">root# </code> chmod 640 /opt/IDEALX/sbin/smb*pm +</pre><p> + The smbldap-tools scripts are now ready for the configuration step outlined in + <a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">???</a>. + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id340981"></a>Installing smbldap-tools from the RPM Package</h4></div></div></div><p> + In the event that you have elected to use the RPM package provided by Idealx, download the + source RPM <code class="filename">smbldap-tools-0.9.1-1.src.rpm</code>, then follow this procedure: + </p><div class="procedure"><a name="id340998"></a><p class="title"><b>Procedure 5.6. Installation Steps for <code class="constant">smbldap-tools</code> RPM's</b></p><ol type="1"><li><p> + Install the source RPM that has been downloaded as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -i smbldap-tools-0.9.1-1.src.rpm +</pre><p> + </p></li><li><p> + Change into the directory in which the SPEC files are located. On SUSE Linux: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /usr/src/packages/SPECS +</pre><p> + On Red Hat Linux systems: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /usr/src/redhat/SPECS +</pre><p> + </p></li><li><p> + Edit the <code class="filename">smbldap-tools.spec</code> file to change the value of the + <code class="constant">_sysconfig</code> macro as shown here: +</p><pre class="screen"> +%define _prefix /opt/IDEALX +%define _sysconfdir /etc +</pre><p> + Note: Any suitable directory can be specified. + </p></li><li><p> + Build the package by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> rpmbuild -ba -v smbldap-tools.spec +</pre><p> + A build process that has completed without error will place the installable binary + files in the directory <code class="filename">../RPMS/noarch</code>. + </p></li><li><p> + Install the binary package by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm +</pre><p> + </p></li></ol></div><p> + The Idealx scripts should now be ready for configuration using the steps outlined in + <a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>. + </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="smbldap-init"></a>Configuration of smbldap-tools</h4></div></div></div><p> + Prior to use, the smbldap-tools must be configured to match the settings in the <code class="filename">smb.conf</code> file + and to match the settings in the <code class="filename">/etc/openldap/slapd.conf</code> file. The assumption + is made that the <code class="filename">smb.conf</code> file has correct contents. The following procedure ensures that + this is completed correctly: + </p><p> + The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included + in the <code class="filename">smb.conf</code> file. + </p><div class="procedure"><a name="id341180"></a><p class="title"><b>Procedure 5.7. Configuration Steps for <code class="constant">smbldap-tools</code> to Enable Use</b></p><ol type="1"><li><p> + Change into the directory that contains the <code class="filename">configure.pl</code> script. +</p><pre class="screen"> +<code class="prompt">root# </code> cd /opt/IDEALX/sbin +</pre><p> + </p></li><li><p> + Execute the <code class="filename">configure.pl</code> script as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> ./configure.pl +</pre><p> + The interactive use of this script for the PDC is demonstrated here: +</p><pre class="screen"> +<code class="prompt">root# </code> /opt/IDEALX/sbin/configure.pl +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + smbldap-tools script configuration + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Before starting, check + . if your samba controller is up and running. + . if the domain SID is defined (you can get it with the + 'net getlocalsid') + + . you can leave the configuration using the Crtl-c key combination + . empty value can be set with the "." character +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Looking for configuration files... + +Samba Config File Location [/etc/samba/smb.conf] > +smbldap-tools configuration file Location (global parameters) + [/etc/opt/IDEALX/smbldap-tools/smbldap.conf] > +smbldap Config file Location (bind parameters) + [/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] > +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Let's start configuring the smbldap-tools scripts ... + +. workgroup name: name of the domain Samba act as a PDC + workgroup name [MEGANET2] > +. netbios name: netbios name of the samba controler + netbios name [MASSIVE] > +. logon drive: local path to which the home directory + will be connected (for NT Workstations). Ex: 'H:' + logon drive [H:] > +. logon home: home directory location (for Win95/98 or NT Workstation) + (use %U as username) Ex:'\\MASSIVE\%U' + logon home (press the "." character if you don't want homeDirectory) + [\\MASSIVE\%U] > +. logon path: directory where roaming profiles are stored. + Ex:'\\MASSIVE\profiles\%U' + logon path (press the "." character + if you don't want roaming profile) [\\%L\profiles\%U] > +. home directory prefix (use %U as username) + [/home/%U] > /data/users/%U +. default users' homeDirectory mode [700] > +. default user netlogon script (use %U as username) + [scripts\logon.bat] > + default password validation time (time in days) [45] > 900 +. ldap suffix [dc=abmas,dc=biz] > +. ldap group suffix [ou=Groups] > +. ldap user suffix [ou=People,ou=Users] > +. ldap machine suffix [ou=Computers,ou=Users] > +. Idmap suffix [ou=Idmap] > +. sambaUnixIdPooldn: object where you want to store the next uidNumber + and gidNumber available for new users and groups + sambaUnixIdPooldn object (relative to ${suffix}) + [sambaDomainName=MEGANET2] > +. ldap master server: IP adress or DNS name of the master + (writable) ldap server + ldap master server [massive.abmas.biz] > +. ldap master port [389] > +. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] > +. ldap master bind password [] > +. ldap slave server: IP adress or DNS name of the slave ldap server: + can also be the master one + ldap slave server [massive.abmas.biz] > +. ldap slave port [389] > +. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] > +. ldap slave bind password [] > +. ldap tls support (1/0) [0] > +. SID for domain MEGANET2: SID of the domain + (can be obtained with 'net getlocalsid MASSIVE') + SID for domain MEGANET2 + [S-1-5-21-3504140859-1010554828-2431957765]] > +. unix password encryption: encryption used for unix passwords + unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5 +. default user gidNumber [513] > +. default computer gidNumber [515] > +. default login shell [/bin/bash] > +. default skeleton directory [/etc/skel] > +. default domain name to append to mail adress [] > abmas.biz +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +backup old configuration files: + /etc/opt/IDEALX/smbldap-tools/smbldap.conf-> + /etc/opt/IDEALX/smbldap-tools/smbldap.conf.old + /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf-> + /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old +writing new configuration file: + /etc/opt/IDEALX/smbldap-tools/smbldap.conf done. + /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done. +</pre><p> + Since a slave LDAP server has not been configured, it is necessary to specify the IP + address of the master LDAP server for both the master and the slave configuration + prompts. + </p></li><li><p> + Change to the directory that contains the <code class="filename">smbldap.conf</code> file, + then verify its contents. + </p></li></ol></div><p> + The smbldap-tools are now ready for use. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id341324"></a>LDAP Initialization and Creation of User and Group Accounts</h3></div></div></div><p> + The LDAP database must be populated with well-known Windows domain user accounts and domain group + accounts before Samba can be used. The following procedures step you through the process. + </p><p> + At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are + mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not + hurt to have UNIX user and group accounts in both the system files as well as in the LDAP + database. From a UNIX system perspective, the NSS resolver checks system files before + referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it + does not need to ask LDAP. + </p><p> + Addition of an account to the LDAP backend can be done in two ways: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <a class="indexterm" name="id341352"></a> + <a class="indexterm" name="id341359"></a> + <a class="indexterm" name="id341365"></a> + <a class="indexterm" name="id341372"></a> + <a class="indexterm" name="id341379"></a> + <a class="indexterm" name="id341386"></a> + If you always have a user account in the <code class="filename">/etc/passwd</code> on every + server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in + LDAP. In this case, you can add Windows domain user accounts using the + <code class="literal">pdbedit</code> utility. Use of this tool from the command line adds the + SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user. + </p><p> + This is the least desirable method because when LDAP is used as the passwd backend Samba + expects the POSIX account to be in LDAP also. It is possible to use the PADL account + migration tool to migrate all system accounts from either the <code class="filename">/etc/passwd</code> + files, or from NIS, to LDAP. + </p></li><li><p> + If you decide that it is probably a good idea to add both the PosixAccount attributes + as well as the SambaSamAccount attributes for each user, then a suitable script is needed. + In the example system you are installing in this exercise, you are making use of the + Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system, + is included on the enclosed CD-ROM under <code class="filename">Chap06/Tools.</code> + </p></li></ul></div><p> + <a class="indexterm" name="id341437"></a> + If you wish to have more control over how the LDAP database is initialized or + if you don't want to use the Idealx smbldap-tools, you should refer to + <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#altldapcfg" title="Alternative LDAP Database Initialization">???</a>. + </p><p> + <a class="indexterm" name="id341463"></a> + The following steps initialize the LDAP database, and then you can add user and group + accounts that Samba can use. You use the <code class="literal">smbldap-populate</code> to + seed the LDAP database. You then manually add the accounts shown in <a href="happy.html#sbehap-bigacct" title="Table 5.3. Abmas Network Users and Groups">???</a>. + The list of users does not cover all 500 network users; it provides examples only. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id341489"></a> + <a class="indexterm" name="id341498"></a> + <a class="indexterm" name="id341508"></a> + In the following examples, as the LDAP database is initialized, we do create a container + for Computer (machine) accounts. In the Samba-3 <code class="filename">smb.conf</code> files, specific use is made + of the People container, not the Computers container, for domain member accounts. This is not a + mistake; it is a deliberate action that is necessitated by the fact that the resolution of + a machine (computer) account to a UID is done via NSS. The only way this can be handled is + using the NSS (<code class="filename">/etc/nsswitch.conf</code>) entry for <code class="constant">passwd</code>, + which is resolved using the <code class="filename">nss_ldap</code> library. The configuration file for + the <code class="filename">nss_ldap</code> library is the file <code class="filename">/etc/ldap.conf</code> that + provides only one possible LDAP search command that is specified by the entry called + <code class="constant">nss_base_passwd</code>. This means that the search path must take into account + the directory structure so that the LDAP search will commence at a level that is above + both the Computers container and the Users (or People) container. If this is done, it is + necessary to use a search that will descend the directory tree so that the machine account + can be found. Alternatively, by placing all machine accounts in the People container, we + are able to sidestep this limitation. This is the simpler solution that has been adopted + in this chapter. + </p></div><div class="table"><a name="sbehap-bigacct"></a><p class="title"><b>Table 5.3. Abmas Network Users and Groups</b></p><div class="table-contents"><table summary="Abmas Network Users and Groups" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">Account Name</th><th align="center">Type</th><th align="center">ID</th><th align="center">Password</th></tr></thead><tbody><tr><td align="left">Robert Jordan</td><td align="left">User</td><td align="left">bobj</td><td align="left">n3v3r2l8</td></tr><tr><td align="left">Stanley Soroka</td><td align="left">User</td><td align="left">stans</td><td align="left">impl13dst4r</td></tr><tr><td align="left">Christine Roberson</td><td align="left">User</td><td align="left">chrisr</td><td align="left">S9n0nw4ll</td></tr><tr><td align="left">Mary Vortexis</td><td align="left">User</td><td align="left">maryv</td><td align="left">kw13t0n3</td></tr><tr><td align="left">Accounts</td><td align="left">Group</td><td align="left">Accounts</td><td align="left"> </td></tr><tr><td align="left">Finances</td><td align="left">Group</td><td align="left">Finances</td><td align="left"> </td></tr><tr><td align="left">Insurance</td><td align="left">Group</td><td align="left">PIOps</td><td align="left"> </td></tr></tbody></table></div></div><br class="table-break"><div class="procedure"><a name="creatacc"></a><p class="title"><b>Procedure 5.8. LDAP Directory Initialization Steps</b></p><ol type="1"><li><p> + Start the LDAP server by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap start +Starting ldap-server done +</pre><p> + </p></li><li><p> + Change to the <code class="filename">/opt/IDEALX/sbin</code> directory. + </p></li><li><p> + Execute the script that will populate the LDAP database as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> ./smbldap-populate -a root -k 0 -m 0 +</pre><p> + The expected output from this is: +</p><pre class="screen"> +Using workgroup name from smb.conf: sambaDomainName=MEGANET2 +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +=> Warning: you must update smbldap.conf configuration file to : +=> sambaUnixIdPooldn parameter must be set + to "sambaDomainName=MEGANET2,dc=abmas,dc=biz" +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Using builtin directory structure +adding new entry: dc=abmas,dc=biz +adding new entry: ou=People,dc=abmas,dc=biz +adding new entry: ou=Groups,dc=abmas,dc=biz +entry ou=People,dc=abmas,dc=biz already exist. +adding new entry: ou=Idmap,dc=abmas,dc=biz +adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz +adding new entry: uid=root,ou=People,dc=abmas,dc=biz +adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz +adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz +</pre><p> + </p></li><li><p> + Edit the <code class="filename">/etc/smbldap-tools/smbldap.conf</code> file so that the following + information is changed from: +</p><pre class="screen"> +# Where to store next uidNumber and gidNumber available +sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" +</pre><p> + to read, after modification: +</p><pre class="screen"> +# Where to store next uidNumber and gidNumber available +#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" +sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz" +</pre><p> + </p></li><li><p> + It is necessary to restart the LDAP server as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> rcldap restart +Shutting down ldap-server done +Starting ldap-server done +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id341886"></a> + So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data. + There are several ways you can check that your LDAP database is able to receive IDMAP information. One of + the simplest is to execute: +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat | grep -i idmap +dn: ou=Idmap,dc=abmas,dc=biz +ou: idmap +</pre><p> + <a class="indexterm" name="id341906"></a> + If the execution of this command does not return IDMAP entries, you need to create an LDIF + template file (see <a href="happy.html#sbehap-ldifadd" title="Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">???</a>). You can add the required entries using + the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \ + -w not24get < /etc/openldap/idmap.LDIF +</pre><p> + Samba automatically populates this LDAP directory container when it needs to. + </p></li><li><p> + <a class="indexterm" name="id341942"></a> + It looks like all has gone well, as expected. Let's confirm that this is the case + by running a few tests. First we check the contents of the database directly + by running <code class="literal">slapcat</code> as follows (the output has been cut down): +</p><pre class="screen"> +<code class="prompt">root# </code> slapcat +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +dc: abmas +o: abmas +structuralObjectClass: organization +entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43 +creatorsName: cn=Manager,dc=abmas,dc=biz +createTimestamp: 20031217234200Z +entryCSN: 2003121723:42:00Z#0x0001#0#0000 +modifiersName: cn=Manager,dc=abmas,dc=biz +modifyTimestamp: 20031217234200Z +... +dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 553 +cn: Domain Computers +description: Netbios Domain Computers accounts +sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553 +sambaGroupType: 2 +displayName: Domain Computers +structuralObjectClass: posixGroup +entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43 +creatorsName: cn=Manager,dc=abmas,dc=biz +createTimestamp: 20031217234206Z +entryCSN: 2003121723:42:06Z#0x0002#0#0000 +modifiersName: cn=Manager,dc=abmas,dc=biz +modifyTimestamp: 20031217234206Z +</pre><p> + This looks good so far. + </p></li><li><p> + <a class="indexterm" name="id341991"></a> + The next step is to prove that the LDAP server is running and responds to a + search request. Execute the following as shown (output has been cut to save space): +</p><pre class="screen"> +<code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)" +# extended LDIF +# +# LDAPv3 +# base <dc=abmas,dc=biz> with scope sub +# filter: (ObjectClass=*) +# requesting: ALL +# + +# abmas.biz +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +dc: abmas +o: abmas + +# People, abmas.biz +dn: ou=People,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: People +... +# Domain Computers, Groups, abmas.biz +dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz +objectClass: posixGroup +objectClass: sambaGroupMapping +gidNumber: 553 +cn: Domain Computers +description: Netbios Domain Computers accounts +sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553 +sambaGroupType: 2 +displayName: Domain Computers + +# search result +search: 2 +result: 0 Success + +# numResponses: 20 +# numEntries: 19 +</pre><p> + Good. It is all working just fine. + </p></li><li><p> + <a class="indexterm" name="id342032"></a> + You must now make certain that the NSS resolver can interrogate LDAP also. + Execute the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd | grep root +root:x:998:512:Netbios Domain Administrator:/home:/bin/false + +<code class="prompt">root# </code> getent group | grep Domain +Domain Admins:x:512:root +Domain Users:x:513: +Domain Guests:x:514: +Domain Computers:x:553: +</pre><p> + <a class="indexterm" name="id342058"></a> + This demonstrates that the <code class="literal">nss_ldap</code> library is functioning + as it should. If these two steps fail to produce this information, refer to + <a href="happy.html#sbeavoid" title="Avoiding Failures: Solving Problems Before They Happen">???</a> for diagnostic procedures that can be followed to + isolate the cause of the problem. Proceed to the next step only when the previous steps + have been successfully completed. + </p></li><li><p> + <a class="indexterm" name="id342086"></a> + <a class="indexterm" name="id342093"></a> + <a class="indexterm" name="id342100"></a> + Our database is now ready for the addition of network users. For each user for + whom an account must be created, execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> ./smbldap-useradd -m -a <code class="constant">username</code> +<code class="prompt">root# </code> ./smbldap-passwd <code class="constant">username</code> +Changing password for <code class="constant">username</code> +New password : XXXXXXXX +Retype new password : XXXXXXXX + +<code class="prompt">root# </code> smbpasswd <code class="constant">username</code> +New SMB password: XXXXXXXX +Retype new SMB password: XXXXXXXX +</pre><p> + where <code class="constant">username</code> is the login ID for each user. + </p></li><li><p> + <a class="indexterm" name="id342158"></a> + Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the + following: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/bin/bash +... +root:x:0:512:Netbios Domain Administrator:/home:/bin/false +nobody:x:999:514:nobody:/dev/null:/bin/false +bobj:x:1000:513:System User:/home/bobj:/bin/bash +stans:x:1001:513:System User:/home/stans:/bin/bash +chrisr:x:1002:513:System User:/home/chrisr:/bin/bash +maryv:x:1003:513:System User:/home/maryv:/bin/bash +</pre><p> + This demonstrates that user account resolution via LDAP is working. + </p></li><li><p> + This step will determine whether or not identity resolution is working correctly. + Do not procede is this step fails, rather find the cause of the failure. The + <code class="literal">id</code> command may be used to validate your configuration so far, + as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> id chrisr +uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users) +</pre><p> + This confirms that the UNIX (POSIX) user account information can be resolved from LDAP + by system tools that make a getentpw() system call. + </p></li><li><p> + <a class="indexterm" name="id342218"></a> + The root account must have UID=0; if not, this means that operations conducted from + a Windows client using tools such as the Domain User Manager fails under UNIX because + the management of user and group accounts requires that the UID=0. Additionally, it is + a good idea to make certain that no matter how root account credentials are resolved, + the home directory and shell are valid. You decide to effect this immediately + as demonstrated here: +</p><pre class="screen"> +<code class="prompt">root# </code> cd /opt/IDEALX/sbin +<code class="prompt">root# </code> ./smbldap-usermod -u 0 -d /root -s /bin/bash root +</pre><p> + </p></li><li><p> + Verify that the changes just made to the <code class="constant">root</code> account were + accepted by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd | grep root +root:x:0:0:root:/root:/bin/bash +root:x:0:512:Netbios Domain Administrator:/root:/bin/bash +</pre><p> + This demonstrates that the changes were accepted. + </p></li><li><p> + Make certain that a home directory has been created for every user by listing the + directories in <code class="filename">/home</code> as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> ls -al /home +drwxr-xr-x 8 root root 176 Dec 17 18:50 ./ +drwxr-xr-x 21 root root 560 Dec 15 22:19 ../ +drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/ +drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/ +drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/ +drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/ +</pre><p> + This is precisely what we want to see. + </p></li><li><p> + <a class="indexterm" name="id342306"></a> + <a class="indexterm" name="id342312"></a> + The final validation step involves making certain that Samba-3 can obtain the user + accounts from the LDAP ldapsam passwd backend. Execute the following command as shown: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -Lv chrisr +Unix username: chrisr +NT username: chrisr +Account Flags: [U ] +User SID: S-1-5-21-3504140859-1010554828-2431957765-3004 +Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513 +Full Name: System User +Home Directory: \\MASSIVE\homes +HomeDir Drive: H: +Logon Script: scripts\login.cmd +Profile Path: \\MASSIVE\profiles\chrisr +Domain: MEGANET2 +Account desc: System User +Workstations: +Munged dial: +Logon time: 0 +Logoff time: Mon, 18 Jan 2038 20:14:07 GMT +Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT +Password last set: Wed, 17 Dec 2003 17:17:40 GMT +Password can change: Wed, 17 Dec 2003 17:17:40 GMT +Password must change: Mon, 18 Jan 2038 20:14:07 GMT +Last bad password : 0 +Bad password count : 0 +Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +</pre><p> + This looks good. Of course, you fully expected that it would all work, didn't you? + </p></li><li><p> + <a class="indexterm" name="id342355"></a> + Now you add the group accounts that are used on the Abmas network. Execute + the following exactly as shown: +</p><pre class="screen"> +<code class="prompt">root# </code> ./smbldap-groupadd -a Accounts +<code class="prompt">root# </code> ./smbldap-groupadd -a Finances +<code class="prompt">root# </code> ./smbldap-groupadd -a PIOps +</pre><p> + The addition of groups does not involve keyboard interaction, so the lack of console + output is of no concern. + </p></li><li><p> + <a class="indexterm" name="id342394"></a> + You really do want to confirm that UNIX group resolution from LDAP is functioning + as it should. Let's do this as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> getent group +... +Domain Admins:x:512:root +Domain Users:x:513:bobj,stans,chrisr,maryv +Domain Guests:x:514: +... +Accounts:x:1000: +Finances:x:1001: +PIOps:x:1002: +</pre><p> + The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well + as our own site-specific group accounts, are correctly listed. This is looking good. + </p></li><li><p> + <a class="indexterm" name="id342423"></a> + The final step we need to validate is that Samba can see all the Windows domain groups + and that they are correctly mapped to the respective UNIX group account. To do this, + just execute the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> net groupmap list +Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins +Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users +Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests +... +Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts +Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances +PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps +</pre><p> + This is looking good. Congratulations it works! Note that in the above output + the lines were shortened by replacing the middle value (1010554828) of the SID with the + ellipsis (...). + </p></li><li><p> + The server you have so carefully built is now ready for another important step. You + start the Samba-3 server and validate its operation. Execute the following to render all + the processes needed fully operative so that, on system reboot, they are automatically + started: +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig named on +<code class="prompt">root# </code> chkconfig dhcpd on +<code class="prompt">root# </code> chkconfig ldap on +<code class="prompt">root# </code> chkconfig nmb on +<code class="prompt">root# </code> chkconfig smb on +<code class="prompt">root# </code> chkconfig winbind on +<code class="prompt">root# </code> rcnmb start +<code class="prompt">root# </code> rcsmb start +<code class="prompt">root# </code> rcwinbind start +</pre><p> + </p></li><li><p> + The next step might seem a little odd at this point, but take note that you are about to + start <code class="literal">winbindd</code>, which must be able to authenticate to the PDC via the + localhost interface with the <code class="literal">smbd</code> process. This account can be + easily created by joining the PDC to the domain by executing the following command: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join -S MASSIVE -U root%not24get +</pre><p> + Note: Before executing this command on the PDC, both <code class="literal">nmbd</code> and + <code class="literal">smbd</code> must be started so that the <code class="literal">net</code> command + can communicate with <code class="literal">smbd</code>. The expected output is as follows: +</p><pre class="screen"> +Joined domain MEGANET2. +</pre><p> + This indicates that the domain security account for the PDC has been correctly created. + </p></li><li><p> + At this time it is necessary to restart <code class="literal">winbindd</code> so that it can + correctly authenticate to the PDC. The following command achieves that: +</p><pre class="screen"> +<code class="prompt">root# </code> rcwinbind restart +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id342620"></a> + You may now check Samba-3 operation as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient -L massive -U% + + Sharename Type Comment + --------- ---- ------- + IPC$ IPC IPC Service (Samba 3.0.20) + accounts Disk Accounting Files + service Disk Financial Services Files + pidata Disk Property Insurance Files + apps Disk Application Files + netlogon Disk Network Logon Service + profiles Disk Profile Share + profdata Disk Profile Data Share + ADMIN$ IPC IPC Service (Samba 3.0.20) + + Server Comment + --------- ------- + MASSIVE Samba 3.0.20 + + Workgroup Master + --------- ------- + MEGANET2 MASSIVE +</pre><p> + This shows that an anonymous connection is working. + </p></li><li><p> + For your finale, let's try an authenticated connection: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient //massive/bobj -Ubobj%n3v3r2l8 +smb: \> dir + . D 0 Wed Dec 17 01:16:19 2003 + .. D 0 Wed Dec 17 19:04:42 2003 + bin D 0 Tue Sep 2 04:00:57 2003 + Documents D 0 Sun Nov 30 07:28:20 2003 + public_html D 0 Sun Nov 30 07:28:20 2003 + .urlview H 311 Fri Jul 7 06:55:35 2000 + .dvipsrc H 208 Fri Nov 17 11:22:02 1995 + + 57681 blocks of size 524288. 57128 blocks available +smb: \> q +</pre><p> + Well done. All is working fine. + </p></li></ol></div><p> + The server <code class="constant">MASSIVE</code> is now configured, and it is time to move onto the next task. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-ptrcfg"></a>Printer Configuration</h3></div></div></div><p> + <a class="indexterm" name="id342697"></a> + The configuration for Samba-3 to enable CUPS raw-print-through printing has already been + taken care of in the <code class="filename">smb.conf</code> file. The only preparation needed for <code class="constant">smart</code> + printing to be possible involves creation of the directories in which Samba-3 stores + Windows printing driver files. + </p><div class="procedure"><a name="id342717"></a><p class="title"><b>Procedure 5.9. Printer Configuration Steps</b></p><ol type="1"><li><p> + Configure all network-attached printers to have a fixed IP address. + </p></li><li><p> + Create an entry in the DNS database on the server <code class="constant">MASSIVE</code> + in both the forward lookup database for the zone <code class="constant">abmas.biz.hosts</code> + and in the reverse lookup database for the network segment that the printer is to + be located in. Example configuration files for similar zones were presented in <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a>, + <a href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">???</a> and in <a href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">???</a>. + </p></li><li><p> + Follow the instructions in the printer manufacturers' manuals to permit printing + to port 9100. Use any other port the manufacturer specifies for direct mode, + raw printing. This allows the CUPS spooler to print using raw mode protocols. + <a class="indexterm" name="id342772"></a> + <a class="indexterm" name="id342778"></a> + </p></li><li><p> + <a class="indexterm" name="id342792"></a> + <a class="indexterm" name="id342799"></a> + Only on the server to which the printer is attached, configure the CUPS Print + Queues as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> lpadmin -p <em class="parameter"><code>printque</code></em> + -v socket://<em class="parameter"><code>printer-name</code></em>.abmas.biz:9100 -E +</pre><p> + <a class="indexterm" name="id342832"></a> + This step creates the necessary print queue to use no assigned print filter. This + is ideal for raw printing, that is, printing without use of filters. + The name <em class="parameter"><code>printque</code></em> is the name you have assigned for + the particular printer. + </p></li><li><p> + Print queues may not be enabled at creation. Make certain that the queues + you have just created are enabled by executing the following: +</p><pre class="screen"> +<code class="prompt">root# </code> /usr/bin/enable <em class="parameter"><code>printque</code></em> +</pre><p> + </p></li><li><p> + Even though your print queue may be enabled, it is still possible that it + may not accept print jobs. A print queue will service incoming printing + requests only when configured to do so. Ensure that your print queue is + set to accept incoming jobs by executing the following commands: +</p><pre class="screen"> +<code class="prompt">root# </code> /usr/bin/accept <em class="parameter"><code>printque</code></em> +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id342906"></a> + <a class="indexterm" name="id342913"></a> + <a class="indexterm" name="id342920"></a> + Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream application/vnd.cups-raw 0 - +</pre><p> + </p></li><li><p> + <a class="indexterm" name="id342946"></a> + Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line: +</p><pre class="screen"> +application/octet-stream +</pre><p> + </p></li><li><p> + Refer to the CUPS printing manual for instructions regarding how to configure + CUPS so that print queues that reside on CUPS servers on remote networks + route print jobs to the print server that owns that queue. The default setting + on your CUPS server may automatically discover remotely installed printers and + may permit this functionality without requiring specific configuration. + </p></li><li><p> + The following action creates the necessary directory subsystem. Follow these + steps to printing heaven: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40} +<code class="prompt">root# </code> chown -R root:root /var/lib/samba/drivers +<code class="prompt">root# </code> chmod -R ug=rwx,o=rx /var/lib/samba/drivers +</pre><p> + </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sbehap-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure"><a name="id343026"></a><p class="title"><b>Procedure 5.10. Configuration of BDC Called: <code class="constant">BLDG1</code></b></p><ol type="1"><li><p> + Install the files in <a href="happy.html#sbehap-bldg1-smbconf" title="Example 5.8. LDAP Based smb.conf File, Server: BLDG1">???</a>, + <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>, and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a> + into the <code class="filename">/etc/samba/</code> directory. The three files + should be added together to form the <code class="filename">smb.conf</code> file. + </p></li><li><p> + Verify the <code class="filename">smb.conf</code> file as in step 2 of <a href="happy.html#sbehap-massive" title="Samba-3 PDC Configuration">???</a>. + </p></li><li><p> + Carefully follow the steps outlined in <a href="happy.html#sbehap-PAM-NSS" title="PAM and NSS Client Configuration">???</a>, taking + particular note to install the correct <code class="filename">ldap.conf</code>. + </p></li><li><p> + Verify that the NSS resolver is working. You may need to cycle the run level + to 1 and back to 5 before the NSS LDAP resolver functions. Follow these + commands: +</p><pre class="screen"> +<code class="prompt">root# </code> init 1 +</pre><p> + After the run level has been achieved, you are prompted to provide the + <code class="constant">root</code> password. Log on, and then execute: +</p><pre class="screen"> +<code class="prompt">root# </code> init 5 +</pre><p> + When the normal logon prompt appears, log into the system as <code class="constant">root</code> + and then execute these commands: +</p><pre class="screen"> +<code class="prompt">root# </code> getent passwd +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/bin/bash +daemon:x:2:2:Daemon:/sbin:/bin/bash +lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash +mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false +... +root:x:0:512:Netbios Domain Administrator:/root:/bin/bash +nobody:x:999:514:nobody:/dev/null:/bin/false +bobj:x:1000:513:System User:/home/bobj:/bin/bash +stans:x:1001:513:System User:/home/stans:/bin/bash +chrisr:x:1002:513:System User:/home/chrisr:/bin/bash +maryv:x:1003:513:System User:/home/maryv:/bin/bash +vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false +bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false +</pre><p> + This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem. + </p></li><li><p> + <a class="indexterm" name="id343172"></a> + The next step in the verification process involves testing the operation of UNIX group + resolution via the NSS LDAP resolver. Execute these commands: +</p><pre class="screen"> +<code class="prompt">root# </code> getent group +root:x:0: +bin:x:1:daemon +daemon:x:2: +sys:x:3: +... +Domain Admins:x:512:root +Domain Users:x:513:bobj,stans,chrisr,maryv,jht +Domain Guests:x:514: +Administrators:x:544: +Users:x:545: +Guests:x:546:nobody +Power Users:x:547: +Account Operators:x:548: +Server Operators:x:549: +Print Operators:x:550: +Backup Operators:x:551: +Replicator:x:552: +Domain Computers:x:553: +Accounts:x:1000: +Finances:x:1001: +PIOps:x:1002: +</pre><p> + This is also the correct and desired output, because it demonstrates that the LDAP client + is able to communicate correctly with the LDAP server (<code class="constant">MASSIVE</code>). + </p></li><li><p> + <a class="indexterm" name="id343207"></a> + You must now set the LDAP administrative password into the Samba-3 <code class="filename">secrets.tdb</code> + file by executing this command: +</p><pre class="screen"> +<code class="prompt">root# </code> smbpasswd -w not24get +Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb +</pre><p> + </p></li><li><p> + Now you must obtain the domain SID from the PDC and store it into the + <code class="filename">secrets.tdb</code> file also. This step is not necessary with an LDAP + passdb backend because Samba-3 obtains the domain SID from the + sambaDomain object it automatically stores in the LDAP backend. It does not hurt to + add the SID to the <code class="filename">secrets.tdb</code>, and if you wish to do so, this + command can achieve that: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc getsid MEGANET2 +Storing SID S-1-5-21-3504140859-1010554828-2431957765 \ + for Domain MEGANET2 in secrets.tdb +</pre><p> + When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take + any special action to join it to the domain. However, winbind communicates with the + domain controller that is running on the localhost and must be able to authenticate, + thus requiring that the BDC should be joined to the domain. The process of joining + the domain creates the necessary authentication accounts. + </p></li><li><p> + To join the Samba BDC to the domain, execute the following: +</p><pre class="screen"> +<code class="prompt">root# </code> net rpc join -U root%not24get +Joined domain MEGANET2. +</pre><p> + This indicates that the domain security account for the BDC has been correctly created. + </p></li><li><p> + <a class="indexterm" name="id343296"></a> + Verify that user and group account resolution works via Samba-3 tools as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> pdbedit -L +root:0:root +nobody:65534:nobody +bobj:1000:System User +stans:1001:System User +chrisr:1002:System User +maryv:1003:System User +bldg1$:1006:bldg1$ + +<code class="prompt">root# </code> net groupmap list +Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> + Domain Admins +Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users +Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> + Domain Guests +Administrators (S-1-5-21-3504140859-...-2431957765-544) -> + Administrators +... +Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts +Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances +PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps +</pre><p> + These results show that all things are in order. + </p></li><li><p> + The server you have so carefully built is now ready for another important step. Now + start the Samba-3 server and validate its operation. Execute the following to render all + the processes needed fully operative so that, upon system reboot, they are automatically + started: +</p><pre class="screen"> +<code class="prompt">root# </code> chkconfig named on +<code class="prompt">root# </code> chkconfig dhcpd on +<code class="prompt">root# </code> chkconfig nmb on +<code class="prompt">root# </code> chkconfig smb on +<code class="prompt">root# </code> chkconfig winbind on +<code class="prompt">root# </code> rcnmb start +<code class="prompt">root# </code> rcsmb start +<code class="prompt">root# </code> rcwinbind start +</pre><p> + Samba-3 should now be running and is ready for a quick test. But not quite yet! + </p></li><li><p> + Your new <code class="constant">BLDG1, BLDG2</code> servers do not have home directories for users. + To rectify this using the SUSE yast2 utility or by manually editing the <code class="filename">/etc/fstab</code> + file, add a mount entry to mount the <code class="constant">home</code> directory that has been exported + from the <code class="constant">MASSIVE</code> server. Mount this resource before proceeding. An alternate + approach could be to create local home directories for users who are to use these machines. + This is a choice that you, as system administrator, must make. The following entry in the + <code class="filename">/etc/fstab</code> file suffices for now: +</p><pre class="screen"> +massive.abmas.biz:/home /home nfs rw 0 0 +</pre><p> + To mount this resource, execute: +</p><pre class="screen"> +<code class="prompt">root# </code> mount -a +</pre><p> + Verify that the home directory has been mounted as follows: +</p><pre class="screen"> +<code class="prompt">root# </code> df | grep home +massive:/home 29532988 283388 29249600 1% /home +</pre><p> + </p></li><li><p> + Implement a quick check using one of the users that is in the LDAP database. Here you go: +</p><pre class="screen"> +<code class="prompt">root# </code> smbclient //bldg1/bobj -Ubobj%n3v3r2l8 +smb: \> dir + . D 0 Wed Dec 17 01:16:19 2003 + .. D 0 Wed Dec 17 19:04:42 2003 + bin D 0 Tue Sep 2 04:00:57 2003 + Documents D 0 Sun Nov 30 07:28:20 2003 + public_html D 0 Sun Nov 30 07:28:20 2003 + .urlview H 311 Fri Jul 7 06:55:35 2000 + .dvipsrc H 208 Fri Nov 17 11:22:02 1995 + + 57681 blocks of size 524288. 57128 blocks available +smb: \> q +</pre><p> + </p></li></ol></div><p> + Now that the first BDC (<code class="constant">BDLG1</code>) has been configured it is time to build + and configure the second BDC server (<code class="constant">BLDG2</code>) as follows: + </p><div class="procedure"><a name="sbehap-bldg2"></a><p class="title"><b>Procedure 5.11. Configuration of BDC Called <code class="constant">BLDG2</code></b></p><ol type="1"><li><p> + Install the files in <a href="happy.html#sbehap-bldg2-smbconf" title="Example 5.9. LDAP Based smb.conf File, Server: BLDG2">???</a>, + <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>, and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a> + into the <code class="filename">/etc/samba/</code> directory. The three files + should be added together to form the <code class="filename">smb.conf</code> file. + </p></li><li><p> + Follow carefully the steps shown in <a href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">???</a>, starting at step 2. + </p></li></ol></div><div class="example"><a name="sbehap-bldg1-smbconf"></a><p class="title"><b>Example 5.8. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id343601"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id343614"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id343626"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id343639"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id343652"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id343664"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id343677"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id343690"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id343702"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id343715"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id343727"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id343740"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id343752"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id343765"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id343778"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id343790"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id343803"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id343816"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id343828"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id343841"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id343853"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id343866"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id343879"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id343891"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id343904"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id343917"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id343929"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id343942"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id343955"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id343967"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id343980"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-bldg2-smbconf"></a><p class="title"><b>Example 5.9. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id344026"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id344039"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id344051"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id344064"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id344076"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id344089"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id344102"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id344114"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id344127"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id344139"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id344152"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id344164"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id344177"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id344190"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id344202"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id344215"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id344228"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id344240"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id344253"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id344265"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id344278"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id344291"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id344303"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id344316"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id344329"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id344341"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id344354"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id344367"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id344379"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id344392"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id344404"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfa"></a><p class="title"><b>Example 5.10. LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id344450"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id344463"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id344475"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id344497"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id344509"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id344522"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id344543"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id344556"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id344569"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id344590"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id344603"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id344615"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id344628"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id344649"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id344662"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id344674"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id344687"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id344700"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfb"></a><p class="title"><b>Example 5.11. LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id344745"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id344758"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id344770"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id344783"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id344804"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id344817"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id344830"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id344842"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id344864"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id344876"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id344889"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id344901"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id344923"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id344935"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id344948"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id344961"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id344982"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id344995"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id345007"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id345020"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id345032"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id345045"></a><em class="parameter"><code>write list = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifadd"></a><p class="title"><b>Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen"> +dn: ou=Idmap,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: idmap +structuralObjectClass: organizationalUnit +</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id345079"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p> + My father would say, “<span class="quote">Dinner is not over until the dishes have been done.</span>” + The makings of a great network environment take a lot of effort and attention to detail. + So far, you have completed most of the complex (and to many administrators, the interesting + part of server configuration) steps, but remember to tie it all together. Here are + a few more steps that must be completed so that your network runs like a well-rehearsed + orchestra. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345095"></a>Configuring Directory Share Point Roots</h3></div></div></div><p> + In your <code class="filename">smb.conf</code> file, you have specified Windows shares. Each has a <em class="parameter"><code>path</code></em> + parameter. Even though it is obvious to all, one of the common Samba networking problems is + caused by forgetting to verify that every such share root directory actually exists and that it + has the necessary permissions and ownership. + </p><p> + Here is an example, but remember to create the directory needed for every share: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /data/{accounts,finsvcs,piops} +<code class="prompt">root# </code> mkdir -p /apps +<code class="prompt">root# </code> chown -R root:root /data +<code class="prompt">root# </code> chown -R root:root /apps +<code class="prompt">root# </code> chown -R bobj:Accounts /data/accounts +<code class="prompt">root# </code> chown -R bobj:Finances /data/finsvcs +<code class="prompt">root# </code> chown -R bobj:PIOps /data/piops +<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data +<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345184"></a>Configuring Profile Directories</h3></div></div></div><p> + You made a conscious decision to do everything it would take to improve network client + performance. One of your decisions was to implement folder redirection. This means that Windows + user desktop profiles are now made up of two components: a dynamically loaded part and a set of file + network folders. + </p><p> + For this arrangement to work, every user needs a directory structure for the network folder + portion of his or her profile as shown here: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /var/lib/samba/profdata +<code class="prompt">root# </code> chown root:root /var/lib/samba/profdata +<code class="prompt">root# </code> chmod 755 /var/lib/samba/profdata + +# Per user structure +<code class="prompt">root# </code> cd /var/lib/samba/profdata +<code class="prompt">root# </code> mkdir -p <span class="emphasis"><em>username</em></span> +<code class="prompt">root# </code> for i in InternetFiles Cookies History AppData \ + LocalSettings MyPictures MyDocuments Recent +<code class="prompt">root# </code> do +<code class="prompt">root# </code> mkdir <span class="emphasis"><em>username</em></span>/$i +<code class="prompt">root# </code> done +<code class="prompt">root# </code> chown -R <span class="emphasis"><em>username</em></span>:Domain\ Users <span class="emphasis"><em>username</em></span> +<code class="prompt">root# </code> chmod -R 750 <span class="emphasis"><em>username</em></span> +</pre><p> + </p><p> + <a class="indexterm" name="id345294"></a> + <a class="indexterm" name="id345300"></a> + You have three options insofar as the dynamically loaded portion of the roaming profile + is concerned: + </p><div class="itemizedlist"><ul type="disc"><li><p>You may permit the user to obtain a default profile.</p></li><li><p>You can create a mandatory profile.</p></li><li><p>You can create a group profile (which is almost always a mandatory profile).</p></li></ul></div><p> + Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory + profile is effected by renaming the <code class="filename">NTUSER.DAT</code> to <code class="filename">NTUSER.MAN</code>, + that is, just by changing the filename extension. + </p><p> + <a class="indexterm" name="id345346"></a> + <a class="indexterm" name="id345353"></a> + The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend. + You can manage this using the Idealx smbldap-tools or using the + <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">Windows NT4 Domain User Manager</a>. + </p><p> + It may not be obvious that you must ensure that the root directory for the user's profile exists + and has the needed permissions. Use the following commands to create this directory: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> +<code class="prompt">root# </code> chown <span class="emphasis"><em>username</em></span>:Domain\ Users + /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> +<code class="prompt">root# </code> chmod 700 /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345412"></a>Preparation of Logon Scripts</h3></div></div></div><p> + <a class="indexterm" name="id345420"></a> + The use of a logon script with Windows XP Professional is an option that every site should consider. + Unless you have locked down the desktop so the user cannot change anything, there is risk that + a vital network drive setting may be broken or that printer connections may be lost. Logon scripts + can help to restore persistent network folder (drive) and printer connections in a predictable + manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook) + user attaches to another company's network that forces environment changes that are alien to your + network. + </p><p> + If you decide to use network logon scripts, by reference to the <code class="filename">smb.conf</code> files for the domain + controllers, you see that the path to the share point for the <code class="constant">NETLOGON</code> + share defined is <code class="filename">/var/lib/samba/netlogon</code>. The path defined for the logon + script inside that share is <code class="filename">scripts\logon.bat</code>. This means that as a Windows + NT/200x/XP client logs onto the network, it tries to obtain the file <code class="filename">logon.bat</code> + from the fully qualified path <code class="filename">/var/lib/samba/netlogon/scripts</code>. This fully + qualified path should therefore exist whether you install the <code class="filename">logon.bat</code>. + </p><p> + You can, of course, create the fully qualified path by executing: +</p><pre class="screen"> +<code class="prompt">root# </code> mkdir -p /var/lib/samba/netlogon/scripts +</pre><p> + </p><p> + You should research the options for logon script implementation by referring to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 24, + Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon + facilities in use today is called <a href="http://www.kixtart.org" target="_top">KiXtart</a>. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id345510"></a>Assigning User Rights and Privileges</h3></div></div></div><p> + The ability to perform tasks such as joining Windows clients to the domain can be assigned to + normal user accounts. By default, only the domain administrator account (<code class="constant">root</code> on UNIX + systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant + this privilege in a very limited fashion to particular accounts. + </p><p> + By default, even Samba-3.0.11 does not grant any rights even to the <code class="constant">Domain Admins</code> + group. Here we grant this group all privileges. + </p><p> + Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who + are granted rights can be restricted to particular machines. It is left to the network administrator + to determine which rights should be provided and to whom. + </p><div class="procedure"><a name="id345539"></a><p class="title"><b>Procedure 5.12. Steps for Assignment of User Rights and Privileges</b></p><ol type="1"><li><p> + Log onto the PDC as the <code class="constant">root</code> account. + </p></li><li><p> + Execute the following command to grant the <code class="constant">Domain Admins</code> group all + rights and privileges: +</p><pre class="screen"> +<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \ + "MEGANET2\Domain Admins" SeMachineAccountPrivilege \ + SePrintOperatorPrivilege SeAddUsersPrivilege \ + SeDiskOperatorPrivilege SeRemoteShutdownPrivilege +Successfully granted rights. +</pre><p> + Repeat this step on each domain controller, in each case substituting the name of the server + (e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE. + </p></li><li><p> + In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations + to the domain. Execute the following only on the PDC. It is not necessary to do this on + BDCs or on DMS machines because machine accounts are only ever added by the PDC: +</p><pre class="screen"> +<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \ + "MEGANET2\bobj" SeMachineAccountPrivilege +Successfully granted rights. +</pre><p> + </p></li><li><p> + Verify that privilege assignments have been correctly applied by executing: +</p><pre class="screen"> +net rpc rights list accounts -Uroot%not24get +MEGANET2\bobj +SeMachineAccountPrivilege + +S-0-0 +No privileges assigned + +BUILTIN\Print Operators +No privileges assigned + +BUILTIN\Account Operators +No privileges assigned + +BUILTIN\Backup Operators +No privileges assigned + +BUILTIN\Server Operators +No privileges assigned + +BUILTIN\Administrators +No privileges assigned + +Everyone +No privileges assigned + +MEGANET2\Domain Admins +SeMachineAccountPrivilege +SePrintOperatorPrivilege +SeAddUsersPrivilege +SeRemoteShutdownPrivilege +SeDiskOperatorPrivilege +</pre><p> + </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id345624"></a>Windows Client Configuration</h2></div></div></div><p> + <a class="indexterm" name="id345632"></a> + In the next few sections, you can configure a new Windows XP Professional disk image on a staging + machine. You will configure all software, printer settings, profile and policy handling, and desktop + default profile settings on this system. When it is complete, you copy the contents of the + <code class="filename">C:\Documents and Settings\Default User</code> directory to a directory with the same + name in the <code class="constant">NETLOGON</code> share on the domain controllers. + </p><p> + Much can be learned from the Microsoft Support site regarding how best to set up shared profiles. + One knowledge-base article in particular stands out: + "<a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475" target="_top">How to Create a + Base Profile for All Users."</a> + + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p> + <a class="indexterm" name="id345675"></a> + Log onto the Windows XP Professional workstation as the local <code class="constant">Administrator</code>. + It is necessary to expose folders that are generally hidden to provide access to the + <code class="constant">Default User</code> folder. + </p><div class="procedure"><a name="id345692"></a><p class="title"><b>Procedure 5.13. Expose Hidden Folders</b></p><ol type="1"><li><p> + Launch the Windows Explorer by clicking + <span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>. + Select <span class="guilabel">Show hidden files and folders</span>, + and click <span class="guibutton">OK</span>. Exit Windows Explorer. + </p></li><li><p> + <a class="indexterm" name="id345756"></a> + Launch the Registry Editor. Click + <span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. Key in <code class="literal">regedt32</code>, and click + <span class="guibutton">OK</span>. + </p></li></ol></div><p> + </p><div class="procedure"><a name="sbehap-rdrfldr"></a><p class="title"><b>Procedure 5.14. Redirect Folders in Default System User Profile</b></p><ol type="1"><li><p> + <a class="indexterm" name="id345813"></a> + <a class="indexterm" name="id345820"></a> + Give focus to <code class="constant">HKEY_LOCAL_MACHINE</code> hive entry in the left panel. + Click <span class="guimenu">File</span> → <span class="guimenuitem">Load Hive...</span> → <span class="guimenuitem">Documents and Settings</span> → <span class="guimenuitem">Default User</span> → <span class="guimenuitem">NTUSER</span> → <span class="guimenuitem">Open</span>. In the dialog box that opens, enter the key name + <code class="constant">Default</code> and click <span class="guibutton">OK</span>. + </p></li><li><p> + Browse inside the newly loaded Default folder to: +</p><pre class="screen"> +HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ + CurrentVersion\Explorer\User Shell Folders\ +</pre><p> + The right panel reveals the contents as shown in <a href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">???</a>. + </p></li><li><p> + <a class="indexterm" name="id345908"></a> + <a class="indexterm" name="id345915"></a> + You edit hive keys. Acceptable values to replace the + <code class="constant">%USERPROFILE%</code> variable includes: + + </p><div class="itemizedlist"><ul type="disc"><li><p>A drive letter such as <code class="constant">U:</code></p></li><li><p>A direct network path such as + <code class="constant">\\MASSIVE\profdata</code></p></li><li><p>A network redirection (UNC name) that contains a macro such as </p><p><code class="constant">%LOGONSERVER%\profdata\</code></p></li></ul></div><p> + </p></li><li><p> + <a class="indexterm" name="id345959"></a> + Set the registry keys as shown in <a href="happy.html#proffold" title="Table 5.4. Default Profile Redirections">???</a>. Your implementation makes the assumption + that users have statically located machines. Notebook computers (mobile users) need to be + accommodated using local profiles. This is not an uncommon assumption. + </p></li><li><p> + Click back to the root of the loaded hive <code class="constant">Default</code>. + Click <span class="guimenu">File</span> → <span class="guimenuitem">Unload Hive...</span> → <span class="guimenuitem">Yes</span>. + </p></li><li><p> + <a class="indexterm" name="id346011"></a> + Click <span class="guimenu">File</span> → <span class="guimenuitem">Exit</span>. This exits the + Registry Editor. + </p></li><li><p> + Now follow the procedure given in <a href="happy.html#sbehap-locgrppol" title="The Local Group Policy">???</a>. Make sure that each folder you + have redirected is in the exclusion list. + </p></li><li><p> + You are now ready to copy<sup>[<a name="id346053" href="#ftn.id346053">11</a>]</sup> + the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer, + and use it to copy the full contents of the directory <code class="filename">Default User</code> that + is in the <code class="filename">C:\Documents and Settings</code> to the root directory of the + <code class="constant">NETLOGON</code> share. If the <code class="constant">NETLOGON</code> share has the defined + UNIX path of <code class="filename">/var/lib/samba/netlogon</code>, when the copy is complete there must + be a directory in there called <code class="filename">Default User</code>. + </p></li></ol></div><p> + Before punching out new desktop images for the client workstations, it is perhaps a good idea that + desktop behavior should be returned to the original Microsoft settings. The following steps achieve + that ojective: + </p><div class="procedure"><a name="id346112"></a><p class="title"><b>Procedure 5.15. Reset Folder Display to Original Behavior</b></p><ul><li><p> + To launch the Windows Explorer, click + <span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>. + Deselect <span class="guilabel">Show hidden files and folders</span>, and click <span class="guibutton">OK</span>. + Exit Windows Explorer. + </p></li></ul></div><div class="figure"><a name="XP-screen001"></a><p class="title"><b>Figure 5.3. Windows XP Professional User Shared Folders</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/XP-screen001.png" width="351" alt="Windows XP Professional User Shared Folders"></div></div></div><br class="figure-break"><div class="table"><a name="proffold"></a><p class="title"><b>Table 5.4. Default Profile Redirections</b></p><div class="table-contents"><table summary="Default Profile Redirections" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Registry Key</th><th align="left">Redirected Value</th></tr></thead><tbody><tr><td align="left">Cache</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</td></tr><tr><td align="left">Cookies</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Cookies</td></tr><tr><td align="left">History</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\AppData</td></tr><tr><td align="left">Local Settings</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</td></tr><tr><td align="left">My Pictures</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyPictures</td></tr><tr><td align="left">Personal</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</td></tr><tr><td align="left">Recent</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Recent</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id346340"></a>Configuration of MS Outlook to Relocate PST File</h3></div></div></div><p> + <a class="indexterm" name="id346348"></a> + <a class="indexterm" name="id346357"></a> + Microsoft Outlook can store a Personal Storage file, generally known as a PST file. + It is the nature of email storage that this file grows, at times quite rapidly. + So that users' email is available to them at every workstation they may log onto, + it is common practice in well-controlled sites to redirect the PST folder to the + users' home directory. Follow these steps for each user who wishes to do this. + </p><p> + To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave + slightly differently), follow these steps: + </p><div class="procedure"><a name="id346375"></a><p class="title"><b>Procedure 5.16. Outlook PST File Relocation</b></p><ol type="1"><li><p> + Close Outlook if it is open. + </p></li><li><p> + From the <span class="guimenu">Control Panel</span>, launch the Mail icon. + </p></li><li><p> + Click <span class="guimenu">Email Accounts.</span> + </p></li><li><p> + Make a note of the location of the PST file(s). From this location, move + the files to the desired new target location. The most desired new target location + may well be the users' home directory. + </p></li><li><p> + Add a new data file, selecting the PST file in the new desired target location. + Give this entry (not the filename) a new name such as “<span class="quote">Personal Mail Folders.</span>” + </p><p> + Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems + following these instructions. Feedback from users suggests that where IMAP is used the PST + file is used to store rules and filters. When the PST store is relocated it appears to break + MS Outlook's Send/Receive button. If anyone has sucessfully relocated PST files where IMAP is + used please email <code class="literal">jht@samba.org</code> with useful tips and suggestions so that + this warning can be removed or modified. + </p></li><li><p> + Close the <span class="guimenu">Date Files</span> windows, then click <span class="guimenu">Email Accounts</span>. + </p></li><li><p> + Select <span class="guimenu">View of Change</span> exiting email accounts, click <span class="guibutton">Next.</span> + </p></li><li><p> + Change the <span class="guimenu">Mail Delivery Location</span> so as to use the data file in the new + target location. + </p></li><li><p> + Go back to the <span class="guimenu">Data Files</span> window, then delete the old data file entry. + </p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id346514"></a> + You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise + the user may be not be able to retrieve contacts when addressing a new email message. + </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + <a class="indexterm" name="id346527"></a> + Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook + Express storage files can not be redirected to network shares. The options panel will not permit + this, but they can be moved to folders outside of the user's profile. They can also be excluded + from folder synchronization as part of the roaming profile. + </p><p> + While it is possible to redirect the data stores for Outlook Express data stores by editing the + registry, experience has shown that data corruption and loss of email messages will result. + </p><p> + <a class="indexterm" name="id346545"></a> + <a class="indexterm" name="id346552"></a> + In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with + roaming profiles this can result in excruciatingly long login and logout behavior will files are + synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming + profiles are used. + </p></div><p> + <a class="indexterm" name="id346565"></a> + Microsoft does not support storing PST files on network shares, although the practice does appear + to be rather popular. Anyone who does relocation the PST file to a network resource should refer + the Microsoft <a href="http://support.microsoft.com/kb/297019/" target="_top">reference</a> to better + understand the issues. + </p><p> + <a class="indexterm" name="id346583"></a> + Apart from manually moving PST files to a network share, it is possible to set the default PST + location for new accounts by following the instructions at the WindowsITPro <a href="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html" target="_top">web</a> site. + </p><p> + <a class="indexterm" name="id346601"></a> + User feedback suggests that disabling of oplocks on PST files will significantly improve + network performance by reducing locking overheads. One way this can be done is to add to the + <code class="filename">smb.conf</code> file stanza for the share the PST file the following: +</p><pre class="screen"> +veto oplock files = /*.pdf/*.PST/ +</pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id346624"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p> + Configure the Windows XP Professional client to auto-delete roaming profiles on logout: + </p><p> + <a class="indexterm" name="id346636"></a> + Click + <span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. In the dialog box, enter <code class="literal">MMC</code> and click <span class="guibutton">OK</span>. + </p><p> + Follow these steps to set the default behavior of the staging machine so that all roaming + profiles are deleted as network users log out of the system. Click + <span class="guimenu">File</span> → <span class="guimenuitem">Add/Remove Snap-in</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Group Policy</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Finish</span> → <span class="guimenuitem">Close</span> → <span class="guimenuitem">OK</span>. + </p><p> + <a class="indexterm" name="id346729"></a> + The Microsoft Management Console now shows the <span class="guimenu">Group Policy</span> + utility that enables you to set the policies needed. In the left panel, click + <span class="guimenuitem">Local Computer Policy</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>. In the right panel, set the properties shown here by double-clicking on each + item as shown: + </p><div class="itemizedlist"><ul type="disc"><li><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p> + Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies + made of this system to deploy the new standard desktop system. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id346795"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p> + <a class="indexterm" name="id346803"></a> + Users want to be able to use network printers. You have a vested interest in making + it easy for them to print. You have chosen to install the printer drivers onto the Samba + servers and to enable point-and-click (drag-and-drop) printing. This process results in + Samba being able to automatically provide the Windows client with the driver necessary to + print to the printer chosen. The following procedure must be followed for every network + printer: + </p><div class="procedure"><a name="id346817"></a><p class="title"><b>Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers</b></p><ol type="1"><li><p> + Join your Windows XP Professional workstation (the staging machine) to the + <code class="constant">MEGANET2</code> domain. If you are not sure of the procedure, + follow the guidance given in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>. + </p></li><li><p> + After the machine has rebooted, log onto the workstation as the domain + <code class="constant">root</code> (this is the Administrator account for the + operating system that is the host platform for this implementation of Samba. + </p></li><li><p> + Launch MS Windows Explorer. Navigate in the left panel. Click + <span class="guimenu">My Network Places</span> → <span class="guimenuitem">Entire Network</span> → <span class="guimenuitem">Microsoft Windows Network</span> → <span class="guimenuitem">Meganet2</span> → <span class="guimenuitem">Massive</span>. Click on <span class="guimenu">Massive</span> + <span class="guimenu">Printers and Faxes</span>. + </p></li><li><p> + Identify a printer that is shown in the right panel. Let us assume the printer is called + <code class="constant">ps01-color</code>. Right-click on the <span class="guimenu">ps01-color</span> icon + and select the <span class="guimenu">Properties</span> entry. This opens a dialog box that indicates + that “<span class="quote">The printer driver is not installed on this computer. Some printer properties + will not be accessible unless you install the printer driver. Do you want to install the + driver now?</span>” It is important at this point you answer <span class="guimenu">No</span>. + </p></li><li><p> + The printer properties panel for the <span class="guimenu">ps01-color</span> printer on the server + <code class="constant">MASSIVE</code> is displayed. Click the <span class="guimenu">Advanced</span> tab. + Note that the box labeled <span class="guimenu">Driver</span> is empty. Click the <span class="guimenu">New Driver</span> + button that is next to the <span class="guimenu">Driver</span> box. This launches the “<span class="quote">Add Printer Wizard</span>”. + </p></li><li><p> + <a class="indexterm" name="id346996"></a> + <a class="indexterm" name="id347005"></a> + The “<span class="quote">Add Printer Driver Wizard on <code class="constant">MASSIVE</code></span>” panel + is now presented. Click <span class="guimenu">Next</span> to continue. From the left panel, select the + printer manufacturer. In your case, you are adding a driver for a printer manufactured by + Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click + <span class="guimenu">Next</span>, and then <span class="guimenu">Finish</span> to commence driver upload. A + progress bar appears and instructs you as each file is being uploaded and that it is being + directed at the network server <code class="constant">\\massive\ps01-color</code>. + </p></li><li><p> + <a class="indexterm" name="id347050"></a> + <a class="indexterm" name="id347059"></a> + <a class="indexterm" name="id347068"></a> + <a class="indexterm" name="id347077"></a> + <a class="indexterm" name="id347087"></a> + <a class="indexterm" name="id347096"></a> + The driver upload completes in anywhere from a few seconds to a few minutes. When it completes, + you are returned to the <span class="guimenu">Advanced</span> tab in the <span class="guimenu">Properties</span> panel. + You can set the Location (under the <span class="guimenu">General</span> tab) and Security settings (under + the <span class="guimenu">Security</span> tab). Under the <span class="guimenu">Sharing</span> tab it is possible to + load additional printer drivers; there is also a check-box in this tab called “<span class="quote">List in the + directory</span>”. When this box is checked, the printer will be published in Active Directory + (Applicable to Active Directory use only.) + </p></li><li><p> + <a class="indexterm" name="id347146"></a> + Click <span class="guimenu">OK</span>. It will take a minute or so to upload the settings to the server. + You are now returned to the <span class="guimenu">Printers and Faxes on Massive</span> monitor. + Right-click on the printer, click <span class="guimenu">Properties</span> → <span class="guimenuitem">Device Settings</span>. Now change the settings to suit + your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if + you need to reverse the changes back to their original settings. + </p></li><li><p> + This is necessary so that the printer settings are initialized in the Samba printers + database. Click <span class="guimenu">Apply</span> to commit your settings. Revert any settings you changed + just to initialize the Samba printers database entry for this printer. If you need to revert a setting, + click <span class="guimenu">Apply</span> again. + </p></li><li><p> + <a class="indexterm" name="id347214"></a> + Verify that all printer settings are at the desired configuration. When you are satisfied that they are, + click the <span class="guimenu">General</span> tab. Now click the <span class="guimenu">Print Test Page</span> button. + A test page should print. Verify that it has printed correctly. Then click <span class="guimenu">OK</span> + in the panel that is newly presented. Click <span class="guimenu">OK</span> on the <span class="guimenu">ps01-color on + massive Properties</span> panel. + </p></li><li><p> + You must repeat this process for all network printers (i.e., for every printer on each server). + When you have finished uploading drivers to all printers, close all applications. The next task + is to install software your users require to do their work. + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id347264"></a>Software Installation</h3></div></div></div><p> + Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is + a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer. + Notebooks require special handling that is beyond the scope of this chapter. + </p><p> + For desktop systems, the installation of software onto administratively centralized application servers + make a lot of sense. This means that you can manage software maintenance from a central + perspective and that only minimal application stubware needs to be installed onto the desktop + systems. You should proceed with software installation and default configuration as far as is humanly + possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect + of software operations and configuration. + </p><p> + When you believe that the overall configuration is complete, be sure to create a shared group profile + and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in + case a user may have specific needs you had not anticipated. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id347290"></a>Roll-out Image Creation</h3></div></div></div><p> + The final steps before preparing the distribution Norton Ghost image file you might follow are: + </p><div class="blockquote"><blockquote class="blockquote"><p> + Unjoin the domain Each workstation requires a unique name and must be independently + joined into domain membership. + </p></blockquote></div><div class="blockquote"><blockquote class="blockquote"><p> + Defragment the hard disk While not obvious to the uninitiated, defragmentation results + in better performance and often significantly reduces the size of the compressed disk image. That + also means it will take less time to deploy the image onto 500 workstations. + </p></blockquote></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id347320"></a>Key Points Learned</h2></div></div></div><p> + This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately + avoided any consideration of security. Security does not just happen; you must design it into your total + network. Security begins with a systems design and implementation that anticipates hostile behavior from + users both inside and outside the organization. Hostile and malicious intruders do not respect barriers; + they accept them as challenges. For that reason, if not simply from a desire to establish safe networking + practices, you must not deploy the design presented in this book in an environment where there is risk + of compromise. + </p><p> + <a class="indexterm" name="id347336"></a> + <a class="indexterm" name="id347345"></a> + As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be + configured to use secure protocols for all communications over the network. Of course, secure networking + does not result just from systems design and implementation but involves constant user education + training and, above all, disciplined attention to detail and constant searching for signs of unfriendly + or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources. + Jerry Carter's book <a href="http://www.booksense.com/product/info.jsp&isbn=1565924916" target="_top"> + <span class="emphasis"><em>LDAP System Administration</em></span></a> is a good place to start reading about OpenLDAP + as well as security considerations. + </p><p> + The substance of this chapter that has been deserving of particular attention includes: + </p><div class="itemizedlist"><ul type="disc"><li><p> + Implementation of an OpenLDAP-based passwd backend, necessary to support distributed + domain control. + </p></li><li><p> + Implementation of Samba primary and secondary domain controllers with a common LDAP backend + for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and + pam_ldap tool-sets. + </p></li><li><p> + Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as + to manage Samba Windows user and group accounts. + </p></li><li><p> + The basics of implementation of Group Policy controls for Windows network clients. + </p></li><li><p> + Control over roaming profiles, with particular focus on folder redirection to network drives. + </p></li><li><p> + Use of the CUPS printing system together with Samba-based printer driver auto-download. + </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id347408"></a>Questions and Answers</h2></div></div></div><p> + Well, here we are at the end of this chapter and we have only ten questions to help you to + remember so much. There are bound to be some sticky issues here. + </p><div class="qandaset"><dl><dt> <a href="happy.html#id347424"> + Why did you not cover secure practices? Isn't it rather irresponsible to instruct + network administrators to implement insecure solutions? + </a></dt><dt> <a href="happy.html#id347458"> + You have focused much on SUSE Linux and little on the market leader, Red Hat. Do + you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant + to the Linux I might be using? + </a></dt><dt> <a href="happy.html#id347502"> + You did not use SWAT to configure Samba. Is there something wrong with it? + </a></dt><dt> <a href="happy.html#id347537"> + You have exposed a well-used password not24get. Is that + not irresponsible? + </a></dt><dt> <a href="happy.html#id347559"> + The Idealx smbldap-tools create many domain group accounts that are not used. Is that + a good thing? + </a></dt><dt> <a href="happy.html#id347582"> + Can I use LDAP just for Samba accounts and not for UNIX system accounts? + </a></dt><dt> <a href="happy.html#id347602"> + Why are the Windows domain RID portions not the same as the UNIX UID? + </a></dt><dt> <a href="happy.html#id347634"> + Printer configuration examples all show printing to the HP port 9100. Does this + mean that I must have HP printers for these solutions to work? + </a></dt><dt> <a href="happy.html#id347659"> + Is folder redirection dangerous? I've heard that you can lose your data that way. + </a></dt><dt> <a href="happy.html#id347681"> + Is it really necessary to set a local Group Policy to exclude the redirected + folders from the roaming profile? + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id347424"></a><a name="id347427"></a></td><td align="left" valign="top"><p> + Why did you not cover secure practices? Isn't it rather irresponsible to instruct + network administrators to implement insecure solutions? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Let's get this right. This is a book about Samba, not about OpenLDAP and secure + communication protocols for subjects other than Samba. Earlier on, you note, + that the dynamic DNS and DHCP solutions also used no protective secure communications + protocols. The reason for this is simple: There are so many ways of implementing + secure protocols that this book would have been even larger and more complex. + </p><p> + The solutions presented here all work (at least they did for me). Network administrators + have the interest and the need to be better trained and instructed in secure networking + practices and ought to implement safe systems. I made the decision, right or wrong, + to keep this material as simple as possible. The intent of this book is to demonstrate + a working solution and not to discuss too many peripheral issues. + </p><p> + This book makes little mention of backup techniques. Does that mean that I am recommending + that you should implement a network without provision for data recovery and for disaster + management? Back to our focus: The deployment of Samba has been clearly demonstrated. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347458"></a><a name="id347460"></a></td><td align="left" valign="top"><p> + You have focused much on SUSE Linux and little on the market leader, Red Hat. Do + you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant + to the Linux I might be using? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications + for a standard Linux distribution. The differences are marginal. Surely you know + your Linux platform, and you do have access to administration manuals for it. This + book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on + the Samba part of the book; all the other bits are peripheral (but important) to + creation of a total network solution. + </p><p> + What I find interesting is the attention reviewers give to Linux installation and to + the look and feel of the desktop, but does that make for a great server? In this book, + I have paid particular attention to the details of creating a whole solution framework. + I have not tightened every nut and bolt, but I have touched on all the issues you + need to be familiar with. Over the years many people have approached me wanting to + know the details of exactly how to implement a DHCP and dynamic DNS server with Samba + and WINS. In this chapter, it is plain to see what needs to be configured to provide + transparent interoperability. Likewise for CUPS and Samba interoperation. These are + key stumbling areas for many people. + </p><p> + At every critical junction, I have provided comparative guidance for both SUSE and + Red Hat Linux. Both manufacturers have done a great job in furthering the cause + of open source software. I favor neither and respect both. I like particular + features of both products (companies also). No bias in presentation is intended. + Oh, before I forget, I particularly like Debian Linux; that is my favorite playground. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347502"></a><a name="id347504"></a></td><td align="left" valign="top"><p> + You did not use SWAT to configure Samba. Is there something wrong with it? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + That is a good question. As it is, the <code class="filename">smb.conf</code> file configurations are presented + in as direct a format as possible. Adding SWAT into the equation would have complicated + matters. I sought simplicity of implementation. The fact is that I did use SWAT to + create the files in the first place. + </p><p> + There are people in the Linux and open source community who feel that SWAT is dangerous + and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I + hope to have brought their interests on board. SWAT is well covered is <span class="emphasis"><em>TOSHARG2</em></span>. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347537"></a><a name="id347539"></a></td><td align="left" valign="top"><p> + You have exposed a well-used password <span class="emphasis"><em>not24get</em></span>. Is that + not irresponsible? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Well, I had to use a password of some sort. At least this one has been consistently + used throughout. I guess you can figure out that in a real deployment it would make + sense to use a more secure and original password. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347559"></a><a name="id347561"></a></td><td align="left" valign="top"><p> + The Idealx smbldap-tools create many domain group accounts that are not used. Is that + a good thing? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + I took this up with Idealx and found them most willing to change that in the next version. + Let's give Idealx some credit for the contribution they have made. I appreciate their work + and, besides, it does no harm to create accounts that are not now used at some time + Samba may well use them. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347582"></a><a name="id347584"></a></td><td align="left" valign="top"><p> + Can I use LDAP just for Samba accounts and not for UNIX system accounts? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX) + group account for every Windows domain group account. But if you put your users into + the system password account, how do you plan to keep all domain controller system + password files in sync? I think that having everything in LDAP makes a lot of sense + for the UNIX administrator who is still learning the craft and is migrating from MS Windows. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347602"></a><a name="id347605"></a></td><td align="left" valign="top"><p> + Why are the Windows domain RID portions not the same as the UNIX UID? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs. + This algorithm ought to ensure that there will be no clashes with well-known RIDs. + Well-known RIDs have special significance to MS Windows clients. The automatic + assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does + permit you to override that to some extent. See the <code class="filename">smb.conf</code> man page entry + for <em class="parameter"><code>algorithmic rid base</code></em>. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347634"></a><a name="id347636"></a></td><td align="left" valign="top"><p> + Printer configuration examples all show printing to the HP port 9100. Does this + mean that I must have HP printers for these solutions to work? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + No. You can use any type of printer and must use the interfacing protocol supported + by the printer. Many networks use LPR/LPD print servers to which are attached + PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached + inkjet printer. Use the appropriate device URI (Universal Resource Interface) + argument to the <code class="constant">lpadmin -v</code> option that is right for your + printer. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347659"></a><a name="id347661"></a></td><td align="left" valign="top"><p> + Is folder redirection dangerous? I've heard that you can lose your data that way. + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + The only loss of data I know of that involved folder redirection was caused by + manual misuse of the redirection tool. The administrator redirected a folder to + a network drive and said he wanted to migrate (move) the data over. Then he + changed his mind, so he moved the folder back to the roaming profile. This time, + he declined to move the data because he thought it was still in the local profile + folder. That was not the case, so by declining to move the data back, he wiped out + the data. You cannot hold the tool responsible for that. Caveat emptor still applies. + </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id347681"></a><a name="id347683"></a></td><td align="left" valign="top"><p> + Is it really necessary to set a local Group Policy to exclude the redirected + folders from the roaming profile? + </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> + Yes. If you do not do this, the data will still be copied from the network folder + (share) to the local cached copy of the profile. + </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id346053" href="#id346053">11</a>] </sup> + There is an alternate method by which a default user profile can be added to the + <code class="constant">NETLOGON</code> share. This facility in the Windows System tool + permits profiles to be exported. The export target may be a particular user or + group profile share point or else the <code class="constant">NETLOGON</code> share. + In this case, the profile directory must be named <code class="constant">Default User</code>. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="2000users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. The 500-User Office </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. A Distributed 2000-User Network</td></tr></table></div></body></html> |