path: root/docs/htmldocs/Samba3-ByExample/net2000users.html
Diffstat (limited to 'docs/htmldocs/Samba3-ByExample/net2000users.html')
-rw-r--r--docs/htmldocs/Samba3-ByExample/net2000users.html1000
1 files changed, 0 insertions, 1000 deletions
diff --git a/docs/htmldocs/Samba3-ByExample/net2000users.html b/docs/htmldocs/Samba3-ByExample/net2000users.html
deleted file mode 100644
index 8892043f42..0000000000
--- a/docs/htmldocs/Samba3-ByExample/net2000users.html
+++ /dev/null
@@ -1,1000 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. A Distributed 2000-User Network</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="happy.html" title="Chapter 5. Making Happy Users"><link rel="next" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. A Distributed 2000-User Network</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 6. A Distributed 2000-User Network"><div class="titlepage"><div><div><h2 class="title"><a name="net2000users"></a>Chapter 6. 
A Distributed 2000-User Network</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="net2000users.html#id352846">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="net2000users.html#id352871">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="net2000users.html#id352928">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="net2000users.html#id353175">Technical Issues</a></span></dt><dt><span class="sect2"><a href="net2000users.html#id353997">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="net2000users.html#id354011">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="net2000users.html#id357027">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="net2000users.html#id357166">Questions and Answers</a></span></dt></dl></div><p>
-There is something indeed mystical about things that are
-big. Large networks exhibit a certain magnetism and exude a sense of
-importance that obscures reality. You and I know that it is no more
-difficult to secure a large network than it is a small one. We all
-know that over and above a particular number of network clients, the
-rules no longer change; the only real dynamic is the size of the domain
-(much like a kingdom) over which the network ruler (oops, administrator)
-has control. The real dynamic then transforms from the technical to the
-political. Then again, that point is often reached well before the
-kingdom (or queendom) grows large.
-</p><p>
-If you have systematically worked your way to this chapter, hopefully you
-have found some gems and techniques that are applicable in your
-world. The network designs you have worked with in this book have their
-strong points as well as weak ones. That is to be expected given that
-they are based on real business environments, the specifics of which are
-molded to serve the purposes of this book.
-</p><p>
-This chapter is intent on wrapping up issues that are central to
-implementation and design of progressively larger networks. Are you ready
-for this chapter? Good, it is time to move on.
-</p><p>
-In previous chapters, you made the assumption that your network
-administration staff need detailed instruction right down to the
-nuts and bolts of implementing the solution. That is still the case,
-but they have graduated now. You decide to document only those issues,
-methods, and techniques that are new or complex. Routine tasks such as
-implementing a DNS or a DHCP server are under control. Even the basics of
-Samba are largely under control. So in this section you focus on the
-specifics of implementing LDAP changes, Samba changes, and approach and
-design of the solution and its deployment.
-</p><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id352846"></a>Introduction</h2></div></div></div><p>
-Abmas is a miracle company. Most businesses would have collapsed under
-the weight of rapid expansion that this company has experienced. Samba
-is flexible, so there is no need to reinstall the whole operating
-system just because you need to implement a new network design. In fact,
-you can keep an old server running right up to the moment of cutover
-and then do a near-live conversion. There is no need to reinstall a
-Samba server just to change the way your network should function.
-</p><p>
-<a class="indexterm" name="id352861"></a>
-Network growth is common to all organizations. In this exercise,
-your preoccupation is with the mechanics of implementing Samba and
-LDAP so that network users on each network segment can work
-without impediment.
-</p><div class="sect2" title="Assignment Tasks"><div class="titlepage"><div><div><h3 class="title"><a name="id352871"></a>Assignment Tasks</h3></div></div></div><p>
- Starting with the configuration files for the server called
- <code class="constant">MASSIVE</code> in <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, you now deal with the
- issues that are particular to large distributed networks. Your task
- is simple identify the challenges, consider the
- alternatives, and then design and implement a solution.
- </p><p>
- <a class="indexterm" name="id352896"></a>
- Remember, you have users based in London (UK), Los Angeles,
- Washington. DC, and, three buildings in New York. A significant portion
- of your workforce have notebook computers and roam all over the
- world. Some dial into the office, others use VPN connections over the
- Internet, and others just move between buildings.i
- </p><p>
- What do you say to an employee who normally uses a desktop
- system but must spend six weeks on the road with a notebook computer?
- She is concerned about email access and how to keep coworkers current
- with changing documents.
- </p><p>
- To top it all off, you have one network support person and one
- help desk person based in London, a single person dedicated to all
- network operations in Los Angeles, five staff for user administration
- and help desk in New York, plus one <span class="emphasis"><em>floater</em></span> for
- Washington.
- </p><p>
- You have outsourced all desktop deployment and management to
- DirectPointe. Your concern is server maintenance and third-level
- support. Build a plan and show what must be done.
- </p></div></div><div class="sect1" title="Dissection and Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id352928"></a>Dissection and Discussion</h2></div></div></div><p>
-<a class="indexterm" name="id352936"></a>
-<a class="indexterm" name="id352942"></a>
-In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, you implemented an LDAP server that provided the
-<em class="parameter"><code>passdb backend</code></em> for the Samba servers. You
-explored ways to accelerate Windows desktop profile handling and you
-took control of network performance.
-</p><p>
-<a class="indexterm" name="id352966"></a>
-<a class="indexterm" name="id352972"></a>
-<a class="indexterm" name="id352979"></a>
-<a class="indexterm" name="id352986"></a>
-The implementation of an LDAP-based passdb backend (known as
-<span class="emphasis"><em>ldapsam</em></span> in Samba parlance), or some form of database
-that can be distributed, is essential to permit the deployment of Samba
-Primary and Backup Domain Controllers (PDC/BDCs). You see, the problem
-is that the <span class="emphasis"><em>tdbsam</em></span>-style passdb backend does not
-lend itself to being replicated. The older plain-text-based
-<span class="emphasis"><em>smbpasswd</em></span>-style passdb backend can be replicated
-using a tool such as <code class="literal">rsync</code>, but
-<span class="emphasis"><em>smbpasswd</em></span> suffers the drawback that it does not
-support the range of account facilities demanded by modern network
-managers.
-</p><p>
-<a class="indexterm" name="id353021"></a>
-<a class="indexterm" name="id353028"></a>
-The new <span class="emphasis"><em>tdbsam</em></span> facility supports functionality
-that is similar to an <span class="emphasis"><em>ldapsam</em></span>, but the lack of
-distributed infrastructure sorely limits the scope for its
-deployment. This raises the following questions: Why can't I just use
-an XML-based backend, or for that matter, why not use an SQL-based
-backend? Is support for these tools broken? Answers to these
-questions require a bit of background.</p><p>
-<a class="indexterm" name="id353049"></a>
-<a class="indexterm" name="id353055"></a>
-<a class="indexterm" name="id353062"></a>
-<a class="indexterm" name="id353069"></a>
-<span class="emphasis"><em>What is a directory?</em></span> A directory is a
-collection of information regarding objects that can be accessed to
-rapidly find information that is relevant in a particular and
-consistent manner. A directory differs from a database in that it is
-generally more often searched (read) than updated. As a consequence, the
-information is organized to facilitate read access rather than to
-support transaction processing.</p><p>
-<a class="indexterm" name="id353086"></a>
-<a class="indexterm" name="id353095"></a>
-<a class="indexterm" name="id353102"></a>
-<a class="indexterm" name="id353109"></a>
-The Lightweight Directory Access Protocol (LDAP) differs
-considerably from a traditional database. It has a simple search
-facility that uniquely makes a highly preferred mechanism for managing
-user identities. LDAP provides a scalable mechanism for distributing
-the data repository and for keeping all copies (slaves) in sync with
-the master repository.</p><p>
-<a class="indexterm" name="id353122"></a>
-<a class="indexterm" name="id353129"></a>
-<a class="indexterm" name="id353135"></a>
-Samba is a flexible and powerful file and print sharing
-technology. It can use many external authentication sources and can be
-part of a total authentication and identity management
-infrastructure. The two most important external sources for large sites
-are Microsoft Active Directory and LDAP. Sites that specifically wish to
-avoid the proprietary implications of Microsoft Active Directory
-naturally gravitate toward OpenLDAP.</p><p>
-<a class="indexterm" name="id353149"></a>
-In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, you had to deal with a locally routed
-network. All deployment concerns focused around making users happy,
-and that simply means taking control over all network practices and
-usage so that no one user is disadvantaged by any other. The real
-lesson is one of understanding that no matter how much network
-bandwidth you provide, bandwidth remains a precious resource.</p><p>In this chapter, you must now consider how the overall network must
-function. In particular, you must be concerned with users who move
-between offices. You must take into account the way users need to
-access information globally. And you must make the network robust
-enough so that it can sustain partial breakdown without causing loss of
-productivity.</p><div class="sect2" title="Technical Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id353175"></a>Technical Issues</h3></div></div></div><p>
- There are at least three areas that need to be addressed as you
- approach the challenge of designing a network solution for the newly
- expanded business:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><a class="indexterm" name="id353189"></a>
- User needs such as mobility and data access</p></li><li class="listitem"><p>The nature of Windows networking protocols</p></li><li class="listitem"><p>Identity management infrastructure needs</p></li></ul></div><p>Let's look at each in turn.</p><div class="sect3" title="User Needs"><div class="titlepage"><div><div><h4 class="title"><a name="id353212"></a>User Needs</h4></div></div></div><p>
- The new company has three divisions. Staff for each division are spread across
- the company. Some staff are office-bound and some are mobile users. Mobile
- users travel globally. Some spend considerable periods working in other offices.
- Everyone wants to be able to work without constraint of productivity.
- </p><p>
- The challenge is not insignificant. In some parts of the world, even dial-up
- connectivity is poor, while in other regions political encumbrances severely
- curtail user needs. Parts of the global Internet infrastructure remain shielded
- off for reasons outside the scope of this discussion.
- </p><p>
- <a class="indexterm" name="id353231"></a>
- Decisions must be made regarding where data is to be stored, how it will be
- replicated (if at all), and what the network bandwidth implications are. For
- example, one decision that can be made is to give each office its own master
- file storage area that can be synchronized to a central repository in New
- York. This would permit global data to be backed up from a single location.
- The synchronization tool could be <code class="literal">rsync,</code> run via a cron
- job. Mobile users may use off-line file storage under Windows XP Professional.
- This way, they can synchronize all files that have changed since each logon
- to the network.
- </p><p>
- <a class="indexterm" name="id353252"></a>
- <a class="indexterm" name="id353262"></a>
- No matter which way you look at this, the bandwidth requirements
- for acceptable performance are substantial even if only 10 percent of
- staff are global data users. A company with 3,500 employees,
- 280 of whom are mobile users who use a similarly distributed
- network, found they needed at least 2 Mb/sec connectivity
- between the UK and US offices. Even over 2 Mb/sec bandwidth, this
- company abandoned any attempt to run roaming profile usage for
- mobile users. At that time, the average roaming profile took 480
- KB, while today the minimum Windows XP Professional roaming
- profile involves a transfer of over 750 KB from the profile
- server to and from the client.
- </p><p>
- <a class="indexterm" name="id353277"></a>
- Obviously then, user needs and wide-area practicalities dictate the economic and
- technical aspects of your network design as well as for standard operating procedures.
- </p></div><div class="sect3" title="The Nature of Windows Networking Protocols"><div class="titlepage"><div><div><h4 class="title"><a name="id353288"></a>The Nature of Windows Networking Protocols</h4></div></div></div><p>
- <a class="indexterm" name="id353296"></a>
- Network logons that include roaming profile handling requires from 140 KB to 2 MB.
- The inclusion of support for a minimal set of common desktop applications can push
- the size of a complete profile to over 15 MB. This has substantial implications
- for location of user profiles. Additionally, it is a significant factor in
- determining the nature and style of mandatory profiles that may be enforced as
- part of a total service-level assurance program that might be implemented.
- </p><p>
- <a class="indexterm" name="id353312"></a>
- <a class="indexterm" name="id353319"></a>
- One way to reduce the network bandwidth impact of user logon
- traffic is through folder redirection. In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, you
- implemented this in the new Windows XP Professional standard
- desktop configuration. When desktop folders such as <span class="guimenu">My
- Documents</span> are redirected to a network drive, they should
- also be excluded from synchronization to and from the server on
- logon or logout. Redirected folders are analogous to network drive
- connections.
- </p><p><a class="indexterm" name="id353343"></a>
- Of course, network applications should only be run off
- local application servers. As a general rule, even with 2 Mb/sec
- network bandwidth, it would not make sense at all for someone who
- is working out of the London office to run applications off a
- server that is located in New York.
- </p><p>
- <a class="indexterm" name="id353356"></a>
- When network bandwidth becomes a precious commodity (that is most
- of the time), there is a significant demand to understand network
- processes and to mold the limits of acceptability around the
- constraints of affordability.
- </p><p>
- When a Windows NT4/200x/XP Professional client user logs onto
- the network, several important things must happen.
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id353375"></a>
- The client obtains an IP address via DHCP. (DHCP is
- necessary so that users can roam between offices.)
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id353387"></a>
- <a class="indexterm" name="id353394"></a>
- The client must register itself with the WINS and/or DNS server.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id353406"></a>
- The client must locate the closest domain controller.
- </p></li><li class="listitem"><p>
- The client must log onto a domain controller and obtain as part of
- that process the location of the user's profile, load it, connect to
- redirected folders, and establish all network drive and printer connections.
- </p></li><li class="listitem"><p>
- The domain controller must be able to resolve the user's
- credentials before the logon process is fully implemented.
- </p></li></ul></div><p>
- Given that this book is about Samba and that it implements the Windows
- NT4-style domain semantics, it makes little sense to compare Samba with
- Microsoft Active Directory insofar as the logon protocols and principles
- of operation are concerned. The following information pertains exclusively
- to the interaction between a Windows XP Professional workstation and a
- Samba-3.0.20 server. In the discussion that follows, use is made of DHCP and WINS.
- </p><p>
- As soon as the Windows workstation starts up, it obtains an
- IP address. This is immediately followed by registration of its
- name both by broadcast and Unicast registration that is directed
- at the WINS server.
- </p><p>
- <a class="indexterm" name="id353444"></a>
- <a class="indexterm" name="id353450"></a><a class="indexterm" name="id353460"></a>
- Given that the client is already a domain member, it then sends
- a directed (Unicast) request to the WINS server seeking the list of
- IP addresses for domain controllers (NetBIOS name type 0x1C). The
- WINS server replies with the information requested.</p><p>
- <a class="indexterm" name="id353472"></a>
- <a class="indexterm" name="id353481"></a>
- <a class="indexterm" name="id353488"></a>
- The client sends two netlogon mailslot broadcast requests
- to the local network and to each of the IP addresses returned by
- the WINS server. Whichever answers this request first appears to
- be the machine that the Windows XP client attempts to use to
- process the network logon. The mailslot messages use UDP broadcast
- to the local network and UDP Unicast directed at each machine that
- was listed in the WINS server response to a request for the list of
- domain controllers.
- </p><p>
- <a class="indexterm" name="id353502"></a>
- <a class="indexterm" name="id353511"></a>
- <a class="indexterm" name="id353518"></a>
- The logon process begins with negotiation of the SMB/CIFS
- protocols that are to be used; this is followed by an exchange of
- information that ultimately includes the client sending the
- credentials with which the user is attempting to logon. The logon
- server must now approve the further establishment of the
- connection, but that is a good point to halt for now. The priority
- here must center around identification of network infrastructure
- needs. A secondary fact we need to know is, what happens when
- local domain controllers fail or break?
- </p><p>
- <a class="indexterm" name="id353533"></a>
- <a class="indexterm" name="id353540"></a>
- <a class="indexterm" name="id353546"></a>
- <a class="indexterm" name="id353553"></a>
- Under most circumstances, the nearest domain controller
- responds to the netlogon mailslot broadcast. The exception to this
- norm occurs when the nearest domain controller is too busy or is out
- of service. Herein lies an important fact. This means it is
- important that every network segment should have at least two
- domain controllers. Since there can be only one PDC, all additional
- domain controllers are by definition BDCs.
- </p><p>
- <a class="indexterm" name="id353566"></a>
- <a class="indexterm" name="id353573"></a>
- The provision of sufficient servers that are BDCs is an
- important design factor. The second important design factor
- involves how each of the BDCs obtains user authentication
- data. That is the subject of the next section, which involves key
- decisions regarding Identity Management facilities.
- </p></div><div class="sect3" title="Identity Management Needs"><div class="titlepage"><div><div><h4 class="title"><a name="id353585"></a>Identity Management Needs</h4></div></div></div><p>
- <a class="indexterm" name="id353593"></a>
- <a class="indexterm" name="id353600"></a>
- <a class="indexterm" name="id353606"></a>
- <a class="indexterm" name="id353613"></a>
- Network managers recognize that in large organizations users
- generally need to be given resource access based on needs, while
- being excluded from other resources for reasons of privacy. It is
- therefore essential that all users identify themselves at the
- point of network access. The network logon is the principal means
- by which user credentials are validated and filtered and appropriate
- rights and privileges are allocated.
- </p><p>
- <a class="indexterm" name="id353627"></a>
- <a class="indexterm" name="id353634"></a>
- <a class="indexterm" name="id353640"></a>
- Unfortunately, network resources tend to have their own Identity
- Management facilities, the quality and manageability of which varies
- from quite poor to exceptionally good. Corporations that use a mixture
- of systems soon discover that until recently, few systems were
- designed to interoperate. For example, UNIX systems each have an
- independent user database. Sun Microsystems developed a facility that
- was originally called <code class="constant">Yellow Pages</code>, and was renamed
- when a telephone company objected to the use of its trademark.
- What was once called <code class="constant">Yellow Pages</code> is today known
- as <code class="constant">Network Information System</code> (NIS).
- </p><p>
- <a class="indexterm" name="id353666"></a>
- NIS gained a strong following throughout the UNIX/VMS space in a short
- period of time and retained that appeal and use for over a decade.
- Security concerns and inherent limitations have caused it to enter its
- twilight. NIS did not gain widespread appeal outside of the UNIX world
- and was not universally adopted. Sun updated this to a more secure
- implementation called NIS+, but even it has fallen victim to changing
- demands as the demand for directory services that can be coupled with
- other information systems is catching on.
- </p><p>
- <a class="indexterm" name="id353681"></a>
- <a class="indexterm" name="id353687"></a>
- <a class="indexterm" name="id353694"></a>
- Nevertheless, both NIS and NIS+ continue to hold ground in
- business areas where UNIX still has major sway. Examples of
- organizations that remain firmly attached to the use of NIS and
- NIS+ include large government departments, education institutions,
- and large corporations that have a scientific or engineering
- focus.
- </p><p>
- <a class="indexterm" name="id353707"></a>
- <a class="indexterm" name="id353714"></a>
- Today's networking world needs a scalable, distributed Identity
- Management infrastructure, commonly called a directory. The most
- popular technologies today are Microsoft Active Directory service
- and a number of LDAP implementations.
- </p><p>
- <a class="indexterm" name="id353726"></a>
- The problem of managing multiple directories has become a focal
- point over the past decade, creating a large market for
- metadirectory products and services that allow organizations that
- have multiple directories and multiple management and control
- centers to provision information from one directory into
- another. The attendant benefit to end users is the promise of
- having to remember and deal with fewer login identities and
- passwords.</p><p>
- <a class="indexterm" name="id353740"></a>
- The challenge of every large network is to find the optimum
- balance of internal systems and facilities for Identity
- Management resources. How well the solution is chosen and
- implemented has potentially significant impact on network bandwidth
- and systems response needs.</p><p>
- <a class="indexterm" name="id353754"></a>
- <a class="indexterm" name="id353761"></a>
- <a class="indexterm" name="id353770"></a>
- In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, you implemented a single LDAP server for the
- entire network. This may work for smaller networks, but almost
- certainly fails to meet the needs of large and complex networks. The
- following section documents how you may implement a single
- master LDAP server with multiple slave servers.</p><p>
- What is the best method for implementing master/slave LDAP
- servers within the context of a distributed 2,000-user network is a
- question that remains to be answered.</p><p>
- <a class="indexterm" name="id353796"></a>
- <a class="indexterm" name="id353803"></a>
- One possibility that has great appeal is to create a single,
- large distributed domain. The practical implications of this
- design (see <a class="link" href="net2000users.html#chap7net" title="Figure 6.6. Network Topology 2000 User Complex Design A">&#8220;Network Topology 2000 User Complex Design A&#8221;</a>) demands the placement of
- sufficient BDCs in each location. Additionally, network
- administrators must make sure that profiles are not transferred
- over the wide-area links, except as a totally unavoidable
- measure. Network design must balance the risk of loss of user
- productivity against the cost of network management and
- maintenance.
- </p><p>
- <a class="indexterm" name="id353826"></a>
- The network design in <a class="link" href="net2000users.html#chap7net2" title="Figure 6.7. Network Topology 2000 User Complex Design B">&#8220;Network Topology 2000 User Complex Design B&#8221;</a> takes the approach
- that management of networks that are too remote to be managed
- effectively from New York ought to be given a certain degree of
- autonomy. With this rationale, the Los Angeles and London networks,
- though fully integrated with those on the East Coast, each have their
- own domain name space and can be independently managed and controlled.
- One of the key drawbacks of this design is that it flies in the face of
- the ability for network users to roam globally without some compromise
- in how they may access global resources.
- </p><p>
- <a class="indexterm" name="id353848"></a>
- Desk-bound users need not be negatively affected by this design, since
- the use of interdomain trusts can be used to satisfy the need for global
- data sharing.
- </p><p>
- <a class="indexterm" name="id353859"></a>
- <a class="indexterm" name="id353866"></a>
- <a class="indexterm" name="id353875"></a>
- When Samba-3 is configured to use an LDAP backend, it stores the domain
- account information in a directory entry. This account entry contains the
- domain SID. An unintended but exploitable side effect is that this makes it
- possible to operate with more than one PDC on a distributed network.
- </p><p>
- <a class="indexterm" name="id353887"></a>
- <a class="indexterm" name="id353894"></a>
- <a class="indexterm" name="id353901"></a>
- How might this peculiar feature be exploited? The answer is simple. It is
- imperative that each network segment have its own WINS server. Major
- servers on remote network segments can be given a static WINS entry in
- the <code class="filename">wins.dat</code> file on each WINS server. This allows
- all essential data to be visible from all locations. Each location would,
- however, function as if it is an independent domain, while all sharing the
- same domain SID. Since all domain account information can be stored in a
- single LDAP backend, users have unfettered ability to roam.
- </p><p>
- <a class="indexterm" name="id353921"></a>
- <a class="indexterm" name="id353930"></a>
- This concept has not been exhaustively validated, though we can see no reason
- why this should not work. The important facets are the following: The name of
- the domain must be identical in all locations. Each network segment must have
- its own WINS server. The name of the PDC must be the same in all locations; this
- necessitates the use of NetBIOS name aliases for each PDC so that they can be
- accessed globally using the alias and not the PDC's primary name. A single master
- LDAP server can be based in New York, with multiple LDAP slave servers located
- on every network segment. Finally, the BDCs should each use failover LDAP servers
- that are in fact slave LDAP servers on the local segments.
- </p><p>
- <a class="indexterm" name="id353946"></a>
- <a class="indexterm" name="id353956"></a>
- <a class="indexterm" name="id353962"></a>
- <a class="indexterm" name="id353972"></a>
- With a single master LDAP server, all network updates are effected on a single
- server. In the event that this should become excessively fragile or network
- bandwidth limiting, one could implement a delegated LDAP domain. This is also
- known as a partitioned (or multiple partition) LDAP database and as a distributed
- LDAP directory.
- </p><p>
- As the LDAP directory grows, it becomes increasingly important
- that its structure is implemented in a manner that mirrors
- organizational needs, so as to limit network update and
- referential traffic. It should be noted that all directory
- administrators must of necessity follow the same standard
- procedures for managing the directory, because retroactive correction of
- inconsistent directory information can be exceedingly difficult.
- </p></div></div><div class="sect2" title="Political Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id353997"></a>Political Issues</h3></div></div></div><p>
- As organizations grow, the number of points of control increases
- also. In a large distributed organization, it is important that the
- Identity Management system be capable of being updated from
- many locations, and it is equally important that changes made should
- become usable in a reasonable period, typically
- minutes rather than days (the old limitation of highly manual
- systems).
- </p></div></div><div class="sect1" title="Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id354011"></a>Implementation</h2></div></div></div><p>
- <a class="indexterm" name="id354019"></a>
- <a class="indexterm" name="id354026"></a>
- <a class="indexterm" name="id354032"></a>
- <a class="indexterm" name="id354039"></a>
- Samba-3 has the ability to use multiple password (authentication and
- identity resolution) backends. The diagram in <a class="link" href="net2000users.html#chap7idres" title="Figure 6.1. Samba and Authentication Backend Search Pathways">&#8220;Samba and Authentication Backend Search Pathways&#8221;</a>
- demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system
- password database. The diagram only documents the mechanisms for
- authentication and identity resolution (obtaining a UNIX UID/GID)
- using the specific systems shown.
- </p><div class="figure"><a name="chap7idres"></a><p class="title"><b>Figure 6.1. Samba and Authentication Backend Search Pathways</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-idresol.png" width="297" alt="Samba and Authentication Backend Search Pathways"></div></div></div><br class="figure-break"><p>
- <a class="indexterm" name="id354099"></a>
- <a class="indexterm" name="id354106"></a>
- <a class="indexterm" name="id354113"></a>
- <a class="indexterm" name="id354120"></a>
- <a class="indexterm" name="id354126"></a>
- <a class="indexterm" name="id354133"></a>
- <a class="indexterm" name="id354140"></a>
- Samba is capable of using the <code class="constant">smbpasswd</code>,
- <code class="constant">tdbsam</code>, <code class="constant">xmlsam</code>,
- and <code class="constant">mysqlsam</code> authentication databases. The SMB
- passwords can, of course, also be stored in an LDAP ldapsam
- backend. LDAP is the preferred passdb backend for distributed network
- operations.
- </p><p>
- <a class="indexterm" name="id354166"></a>
- Additionally, it is possible to use multiple passdb backends
- concurrently as well as have multiple LDAP backends. As a result, you
- can specify a failover LDAP backend. The syntax for specifying a
- single LDAP backend in <code class="filename">smb.conf</code> is:
-</p><pre class="screen">
-...
-passdb backend = ldapsam:ldap://master.abmas.biz
-...
-</pre><p>
- This configuration tells Samba to use a single LDAP server, as shown in <a class="link" href="net2000users.html#ch7singleLDAP" title="Figure 6.2. Samba Configuration to Use a Single LDAP Server">&#8220;Samba Configuration to Use a Single LDAP Server&#8221;</a>.
- </p><div class="figure"><a name="ch7singleLDAP"></a><p class="title"><b>Figure 6.2. Samba Configuration to Use a Single LDAP Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-singleLDAP.png" width="351" alt="Samba Configuration to Use a Single LDAP Server"></div></div></div><p><br class="figure-break">
- <a class="indexterm" name="id354234"></a>
- <a class="indexterm" name="id354244"></a>
- The addition of a failover LDAP server can simply be done by adding a
- second entry for the failover server to the single <em class="parameter"><code>ldapsam</code></em>
- entry, as shown here (note the particular use of the double quotes):
-</p><pre class="screen">
-...
-passdb backend = ldapsam:"ldap://master.abmas.biz \
- ldap://slave.abmas.biz"
-...
-</pre><p>
- This configuration tells Samba to use a master LDAP server, with failover to a slave server if necessary,
- as shown in <a class="link" href="net2000users.html#ch7dualLDAP" title="Figure 6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server">&#8220;Samba Configuration to Use a Dual (Fail-over) LDAP Server&#8221;</a>.
- </p><div class="figure"><a name="ch7dualLDAP"></a><p class="title"><b>Figure 6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-fail-overLDAP.png" width="351" alt="Samba Configuration to Use a Dual (Fail-over) LDAP Server"></div></div></div><p><br class="figure-break">
- </p><p>
- Some folks have tried to implement this without the use of double quotes. This is the type of entry they
- created:
-</p><pre class="screen">
-...
-passdb backend = ldapsam:ldap://master.abmas.biz \
- ldapsam:ldap://slave.abmas.biz
-...
-</pre><p>
- <a class="indexterm" name="id354323"></a>
- The effect of this style of entry is that Samba lists the users
- that are in both LDAP databases. If both contain the same information,
- it results in each record being shown twice. This is, of course, not the
- solution desired for a failover implementation. The net effect of this
- configuration is shown in <a class="link" href="net2000users.html#ch7dualadd" title="Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!">&#8220;Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!&#8221;</a>
- </p><div class="figure"><a name="ch7dualadd"></a><p class="title"><b>Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP.png" width="297" alt="Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!"></div></div></div><br class="figure-break"><p>
- If, however, each LDAP database contains unique information, this may
- well be an advantageous way to effectively integrate multiple LDAP databases
- into one seemingly contiguous directory. Only the first database will be updated.
- An example of this configuration is shown in <a class="link" href="net2000users.html#ch7dualok" title="Figure 6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.">&#8220;Samba Configuration to Use Two LDAP Databases - The result is additive.&#8221;</a>.
- </p><div class="figure"><a name="ch7dualok"></a><p class="title"><b>Figure 6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP-Ok.png" width="297" alt="Samba Configuration to Use Two LDAP Databases - The result is additive."></div></div></div><br class="figure-break"><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- When the use of ldapsam is specified twice, as shown here, it is imperative
- that the two LDAP directories must be disjoint. If the entries are for a
- master LDAP server as well as its own slave server, updates to the LDAP
- database may end up being lost or corrupted. You may safely use multiple
- LDAP backends only if both are entirely separate from each other.
- </p></div><p>
- It is assumed that the network you are working with follows in a
- pattern similar to what was covered in <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>. The following steps
- permit the operation of a master/slave OpenLDAP arrangement.
- </p><div class="procedure" title="Procedure 6.1. Implementation Steps for an LDAP Slave Server"><a name="id354454"></a><p class="title"><b>Procedure 6.1. Implementation Steps for an LDAP Slave Server</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- <a class="indexterm" name="id354465"></a>
- <a class="indexterm" name="id354472"></a>
- Log onto the master LDAP server as <code class="constant">root</code>.
- You are about to change the configuration of the LDAP server, so it
- makes sense to temporarily halt it. Stop OpenLDAP from running on
- SUSE Linux by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> rcldap stop
-</pre><p>
- On Red Hat Linux, you can do this by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> service ldap stop
-</pre><p>
- </p></li><li class="step" title="Step 2"><p>
- <a class="indexterm" name="id354514"></a>
- Edit the <code class="filename">/etc/openldap/slapd.conf</code> file so it
- matches the content of <a class="link" href="net2000users.html#ch7-LDAP-master" title="Example 6.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf">&#8220;LDAP Master Server Configuration File /etc/openldap/slapd.conf&#8221;</a>.
- </p></li><li class="step" title="Step 3"><p>
- Create a file called <code class="filename">admin-accts.ldif</code> with the following contents:
-</p><pre class="screen">
-dn: cn=updateuser,dc=abmas,dc=biz
-objectClass: person
-cn: updateuser
-sn: updateuser
-userPassword: not24get
-
-dn: cn=sambaadmin,dc=abmas,dc=biz
-objectClass: person
-cn: sambaadmin
-sn: sambaadmin
-userPassword: buttercup
-</pre><p>
- </p></li><li class="step" title="Step 4"><p>
- Add an account called <span class="quote">&#8220;<span class="quote">updateuser</span>&#8221;</span> to the master LDAP server as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> slapadd -v -l admin-accts.ldif
-</pre><p>
- </p></li><li class="step" title="Step 5"><p>
- <a class="indexterm" name="id354583"></a>
- <a class="indexterm" name="id354590"></a>
- Change directory to a suitable place to dump the contents of the
- LDAP server. The dump file (and LDIF file) is used to preload
- the slave LDAP server database. You can dump the database by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> slapcat -v -l LDAP-transfer-LDIF.txt
-</pre><p>
- Each record is written to the file.
- </p></li><li class="step" title="Step 6"><p>
- <a class="indexterm" name="id354620"></a>
- Copy the file <code class="filename">LDAP-transfer-LDIF.txt</code> to the intended
- slave LDAP server. A good location could be in the directory
- <code class="filename">/etc/openldap/preload</code>.
- </p></li><li class="step" title="Step 7"><p>
- Log onto the slave LDAP server as <code class="constant">root</code>. You can
- now configure this server so the <code class="filename">/etc/openldap/slapd.conf</code>
- file matches the content of <a class="link" href="net2000users.html#ch7-LDAP-slave" title="Example 6.2. LDAP Slave Configuration File /etc/openldap/slapd.conf">&#8220;LDAP Slave Configuration File /etc/openldap/slapd.conf&#8221;</a>.
- </p></li><li class="step" title="Step 8"><p>
- Change directory to the location in which you stored the
- <code class="filename">LDAP-transfer-LDIF.txt</code> file (<code class="filename">/etc/openldap/preload</code>).
- While in this directory, execute:
-</p><pre class="screen">
-<code class="prompt">root# </code> slapadd -v -l LDAP-transfer-LDIF.txt
-</pre><p>
- If all goes well, the following output confirms that the data is being loaded
- as intended:
-</p><pre class="screen">
-added: "dc=abmas,dc=biz" (00000001)
-added: "cn=sambaadmin,dc=abmas,dc=biz" (00000002)
-added: "cn=updateuser,dc=abmas,dc=biz" (00000003)
-added: "ou=People,dc=abmas,dc=biz" (00000004)
-added: "ou=Groups,dc=abmas,dc=biz" (00000005)
-added: "ou=Computers,dc=abmas,dc=biz" (00000006)
-added: "uid=Administrator,ou=People,dc=abmas,dc=biz" (00000007)
-added: "uid=nobody,ou=People,dc=abmas,dc=biz" (00000008)
-added: "cn=Domain Admins,ou=Groups,dc=abmas,dc=biz" (00000009)
-added: "cn=Domain Users,ou=Groups,dc=abmas,dc=biz" (0000000a)
-added: "cn=Domain Guests,ou=Groups,dc=abmas,dc=biz" (0000000b)
-added: "uid=bobj,ou=People,dc=abmas,dc=biz" (0000000c)
-added: "sambaDomainName=MEGANET2,dc=abmas,dc=biz" (0000000d)
-added: "uid=stans,ou=People,dc=abmas,dc=biz" (0000000e)
-added: "uid=chrisr,ou=People,dc=abmas,dc=biz" (0000000f)
-added: "uid=maryv,ou=People,dc=abmas,dc=biz" (00000010)
-added: "cn=Accounts,ou=Groups,dc=abmas,dc=biz" (00000011)
-added: "cn=Finances,ou=Groups,dc=abmas,dc=biz" (00000012)
-added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013)
-</pre><p>
- </p></li><li class="step" title="Step 9"><p>
- Now start the LDAP server and set it to run automatically on system reboot by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> rcldap start
-<code class="prompt">root# </code> chkconfig ldap on
-</pre><p>
- On Red Hat Linux, execute the following:
-</p><pre class="screen">
-<code class="prompt">root# </code> service ldap start
-<code class="prompt">root# </code> chkconfig ldap on
-</pre><p>
- </p></li><li class="step" title="Step 10"><p>
- <a class="indexterm" name="id354767"></a>
- <a class="indexterm" name="id354774"></a>
- <a class="indexterm" name="id354781"></a>
- Go back to the master LDAP server. Execute the following to start LDAP as well
- as <code class="literal">slurpd</code>, the synchronization daemon, as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> rcldap start
-<code class="prompt">root# </code> chkconfig ldap on
-<code class="prompt">root# </code> rcslurpd start
-<code class="prompt">root# </code> chkconfig slurpd on
-</pre><p>
- <a class="indexterm" name="id354824"></a>
- On Red Hat Linux, check the equivalent command to start <code class="literal">slurpd</code>.
- </p></li><li class="step" title="Step 11"><p>
- <a class="indexterm" name="id354844"></a>
- On the master LDAP server you may now add an account to validate that replication
- is working. Assuming the configuration shown in <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, execute:
-</p><pre class="screen">
-<code class="prompt">root# </code> /var/lib/samba/sbin/smbldap-useradd -a fruitloop
-</pre><p>
- </p></li><li class="step" title="Step 12"><p>
- On the slave LDAP server, change to the directory <code class="filename">/var/lib/ldap</code>.
- There should now be a file called <code class="filename">replogfile</code>. If replication worked
- as expected, the content of this file should be:
-</p><pre class="screen">
-time: 1072486403
-dn: uid=fruitloop,ou=People,dc=abmas,dc=biz
-changetype: modify
-replace: sambaProfilePath
-sambaProfilePath: \\MASSIVE\profiles\fruitloop
--
-replace: sambaHomePath
-sambaHomePath: \\MASSIVE\homes
--
-replace: entryCSN
-entryCSN: 2003122700:43:38Z#0x0005#0#0000
--
-replace: modifiersName
-modifiersName: cn=Manager,dc=abmas,dc=biz
--
-replace: modifyTimestamp
-modifyTimestamp: 20031227004338Z
--
-</pre><p>
- </p></li><li class="step" title="Step 13"><p>
- Given that this first slave LDAP server is now working correctly, you may now
- implement additional slave LDAP servers as required.
- </p></li><li class="step" title="Step 14"><p>
- On each machine (PDC and BDCs) after the respective <code class="filename">smb.conf</code> files have been created as shown in
- <a class="link" href="net2000users.html#ch7-massmbconfA" title="Example 6.3. Primary Domain Controller smb.conf File Part A">Primary Domain Controller <code class="filename">smb.conf</code> File Part A + B + C</a> and
- on BDCs the <a class="link" href="net2000users.html#ch7-slvsmbocnfA" title="Example 6.6. Backup Domain Controller smb.conf File Part A">Backup Domain Controller <code class="filename">smb.conf</code> File Part A
- + B + C</a> execute the following:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbpasswd -w buttercup
-</pre><p>
- This will install in the <code class="filename">secrets.tdb</code> file the password that Samba will need to
- manage (write to) the LDAP Master server to perform account updates.
- </p></li></ol></div><div class="example"><a name="ch7-LDAP-master"></a><p class="title"><b>Example 6.1. LDAP Master Server Configuration File <code class="filename">/etc/openldap/slapd.conf</code></b></p><div class="example-contents"><pre class="screen">
-include /etc/openldap/schema/core.schema
-include /etc/openldap/schema/cosine.schema
-include /etc/openldap/schema/inetorgperson.schema
-include /etc/openldap/schema/nis.schema
-include /etc/openldap/schema/samba.schema
-
-pidfile /var/run/slapd/slapd.pid
-argsfile /var/run/slapd/slapd.args
-
-database bdb
-suffix "dc=abmas,dc=biz"
-rootdn "cn=Manager,dc=abmas,dc=biz"
-
-# rootpw = not24get
-rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
-
-replica host=lapdc.abmas.biz:389
- suffix="dc=abmas,dc=biz"
- binddn="cn=updateuser,dc=abmas,dc=biz"
- bindmethod=simple credentials=not24get
-
-access to attrs=sambaLMPassword,sambaNTPassword
- by dn="cn=sambaadmin,dc=abmas,dc=biz" write
- by * none
-
-replogfile /var/lib/ldap/replogfile
-
-directory /var/lib/ldap
-
-# Indices to maintain
-index objectClass eq
-index cn pres,sub,eq
-index sn pres,sub,eq
-index uid pres,sub,eq
-index displayName pres,sub,eq
-index uidNumber eq
-index gidNumber eq
-index memberUID eq
-index sambaSID eq
-index sambaPrimaryGroupSID eq
-index sambaDomainName eq
-index default sub
-</pre></div></div><br class="example-break"><div class="example"><a name="ch7-LDAP-slave"></a><p class="title"><b>Example 6.2. LDAP Slave Configuration File <code class="filename">/etc/openldap/slapd.conf</code></b></p><div class="example-contents"><pre class="screen">
-include /etc/openldap/schema/core.schema
-include /etc/openldap/schema/cosine.schema
-include /etc/openldap/schema/inetorgperson.schema
-include /etc/openldap/schema/nis.schema
-include /etc/openldap/schema/samba.schema
-
-pidfile /var/run/slapd/slapd.pid
-argsfile /var/run/slapd/slapd.args
-
-database bdb
-suffix "dc=abmas,dc=biz"
-rootdn "cn=Manager,dc=abmas,dc=biz"
-
-# rootpw = not24get
-rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
-
-access to *
- by dn=cn=updateuser,dc=abmas,dc=biz write
- by * read
-
-updatedn cn=updateuser,dc=abmas,dc=biz
-updateref ldap://massive.abmas.biz
-
-directory /var/lib/ldap
-
-# Indices to maintain
-index objectClass eq
-index cn pres,sub,eq
-index sn pres,sub,eq
-index uid pres,sub,eq
-index displayName pres,sub,eq
-index uidNumber eq
-index gidNumber eq
-index memberUID eq
-index sambaSID eq
-index sambaPrimaryGroupSID eq
-index sambaDomainName eq
-index default sub
-</pre></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfA"></a><p class="title"><b>Example 6.3. Primary Domain Controller <code class="filename">smb.conf</code> File Part A</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id355074"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id355085"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id355097"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id355108"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id355120"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id355131"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id355143"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id355154"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id355166"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id355177"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id355189"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id355200"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id355212"></a><em class="parameter"><code>add user script = 
/opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id355224"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id355236"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id355248"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id355259"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id355272"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id355284"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id355296"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id355308"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id355319"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id355331"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id355343"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id355354"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id355366"></a><em class="parameter"><code>domain logons = 
Yes</code></em></td></tr><tr><td><a class="indexterm" name="id355377"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id355389"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id355400"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id355412"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id355423"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id355435"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id355447"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id355458"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id355470"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id355482"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id355493"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id355505"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id355516"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfB"></a><p class="title"><b>Example 6.4. 
Primary Domain Controller <code class="filename">smb.conf</code> File Part B</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[IPC$]</code></em></td></tr><tr><td><a class="indexterm" name="id355561"></a><em class="parameter"><code>path = /tmp</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id355581"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id355593"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id355604"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id355625"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id355636"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id355648"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id355668"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id355680"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id355691"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id355712"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id355723"></a><em 
class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id355735"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id355746"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id355767"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id355778"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id355790"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id355801"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id355813"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfC"></a><p class="title"><b>Example 6.5. 
Primary Domain Controller <code class="filename">smb.conf</code> File Part C</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id355857"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id355869"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id355880"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id355892"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id355912"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id355924"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id355936"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id355947"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id355959"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id355979"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id355990"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id356002"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id356014"></a><em class="parameter"><code>profile acls = 
Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id356034"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id356046"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id356057"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id356069"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id356089"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id356101"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id356112"></a><em class="parameter"><code>write list = root</code></em></td></tr><tr><td><a class="indexterm" name="id356124"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-slvsmbocnfA"></a><p class="title"><b>Example 6.6. 
Backup Domain Controller <code class="filename">smb.conf</code> File Part A</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># # Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id356172"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id356183"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id356195"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id356206"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id356218"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id356229"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id356241"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id356252"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id356264"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id356275"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id356287"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id356298"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id356310"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id356322"></a><em class="parameter"><code>logon script = 
scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id356333"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id356345"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id356356"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id356368"></a><em class="parameter"><code>os level = 63</code></em></td></tr><tr><td><a class="indexterm" name="id356379"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id356391"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id356402"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id356414"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id356425"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id356437"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id356449"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id356460"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id356472"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id356483"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id356495"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id356507"></a><em class="parameter"><code>idmap gid = 
10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id356518"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id356538"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id356550"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id356562"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id356582"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id356594"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id356605"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-slvsmbocnfB"></a><p class="title"><b>Example 6.7. 
Backup Domain Controller <code class="filename">smb.conf</code> File Part B</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id356650"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id356661"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id356673"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id356693"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id356705"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id356716"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id356728"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id356748"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id356760"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id356771"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id356783"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id356794"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id356815"></a><em 
class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id356826"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id356838"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id356849"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id356870"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id356881"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id356893"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id356904"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id356925"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id356936"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id356948"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id356959"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id356980"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id356991"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id357003"></a><em class="parameter"><code>read only = 
No</code></em></td></tr><tr><td><a class="indexterm" name="id357014"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="sect2" title="Key Points Learned"><div class="titlepage"><div><div><h3 class="title"><a name="id357027"></a>Key Points Learned</h3></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id357038"></a><a class="indexterm" name="id357043"></a>
- Where Samba-3 is used as a domain controller, the use of LDAP is an
- essential component to permit the use of BDCs.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id357055"></a>
- Replication of the LDAP master server to create a network of BDCs
- is an important mechanism for limiting WAN traffic.
- </p></li><li class="listitem"><p>
- Network administration presents many complex challenges, most of which
- can be satisfied by good design but that also require sound communication
- and unification of management practices. This can be highly challenging in
- a large, globally distributed network.
- </p></li><li class="listitem"><p>
- Roaming profiles must be contained to the local network segment. Any
- departure from this may clog wide-area arteries and slow legitimate network
- traffic to a crawl.
- </p></li></ul></div></div><div class="figure"><a name="chap7net"></a><p class="title"><b>Figure 6.6. Network Topology 2000 User Complex Design A</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-net-Ar.png" width="432" alt="Network Topology 2000 User Complex Design A"></div></div></div><br class="figure-break"><div class="figure"><a name="chap7net2"></a><p class="title"><b>Figure 6.7. Network Topology 2000 User Complex Design B</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-net2-Br.png" width="432" alt="Network Topology 2000 User Complex Design B"></div></div></div><br class="figure-break"></div><div class="sect1" title="Questions and Answers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id357166"></a>Questions and Answers</h2></div></div></div><p>
- There is much rumor and misinformation regarding the use of MS Windows networking protocols.
- These questions are just a few of those frequently asked.
- </p><div class="qandaset" title="Frequently Asked Questions"><a name="id357176"></a><dl><dt> <a href="net2000users.html#id357182">
-
-
- Is it true that DHCP uses lots of WAN bandwidth?
- </a></dt><dt> <a href="net2000users.html#id357303">
-
-
- How much background communication takes place between a master LDAP server and its slave LDAP servers?
- </a></dt><dt> <a href="net2000users.html#id357360">
- LDAP has a database. Is LDAP not just a fancy database front end?
- </a></dt><dt> <a href="net2000users.html#id357417">
-
- Can Active Directory obtain account information from an OpenLDAP server?
- </a></dt><dt> <a href="net2000users.html#id357449">
- What are the parts of a roaming profile? How large is each part?
- </a></dt><dt> <a href="net2000users.html#id357590">
- Can the My Documents folder be stored on a network drive?
- </a></dt><dt> <a href="net2000users.html#id357635">
-
-
-
- How much WAN bandwidth does WINS consume?
- </a></dt><dt> <a href="net2000users.html#id357712">
- How many BDCs should I have? What is the right number of Windows clients per server?
- </a></dt><dt> <a href="net2000users.html#id357739">
-
- I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
- run an NIS server?
- </a></dt><dt> <a href="net2000users.html#id357770">
- Can I use NIS in place of LDAP?
- </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%"><col><tbody><tr class="question"><td align="left" valign="top"><a name="id357182"></a><a name="id357185"></a></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357189"></a>
- <a class="indexterm" name="id357196"></a>
- Is it true that DHCP uses lots of WAN bandwidth?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357212"></a>
- <a class="indexterm" name="id357221"></a>
- <a class="indexterm" name="id357228"></a>
- It is a smart practice to localize DHCP servers on each network segment. As a
- rule, there should be two DHCP servers per network segment. This means that if
- one server fails, there is always another to service user needs. DHCP requests use
- only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network
- routers. This makes it possible to run fewer DHCP servers.
- </p><p>
- <a class="indexterm" name="id357244"></a>
- <a class="indexterm" name="id357253"></a>
- A DHCP network address request and confirmation usually results in about six UDP packets.
- The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP
- clients and that uses a 24-hour IP address lease. This means that all clients renew
- their IP address lease every 24 hours. If we assume an average packet length equal to the
- maximum (just to be on the safe side), and we have a 128 Kb/sec wide-area connection,
- how significant would the DHCP traffic be if all of it were to use DHCP Relay?
- </p><p>
- I must stress that this is a bad design, but here is the calculation:
-</p><pre class="screen">
-Daily Network Capacity: 128,000 (Kbits/s) / 8 (bits/byte)
- x 3600 (sec/hr) x 24 (hrs/day)= 2288 Mbytes/day.
-
-DHCP traffic: 300 (clients) x 6 (packets)
- x 512 (bytes/packet) = 0.9 Mbytes/day.
-</pre><p>
- From this can be seen that the traffic impact would be minimal.
- </p><p>
- <a class="indexterm" name="id357282"></a>
- <a class="indexterm" name="id357291"></a>
- Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link,
- the impact of the update is no more than the DHCP IP address renewal traffic and thus
- still insignificant for most practical purposes.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id357303"></a><a name="id357305"></a></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357310"></a>
- <a class="indexterm" name="id357317"></a>
- How much background communication takes place between a master LDAP server and its slave LDAP servers?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357336"></a>
- The process that controls the replication of data from the master LDAP server to the slave LDAP
- servers is called <code class="literal">slurpd</code>. The <code class="literal">slurpd</code> remains nascent (quiet)
- until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete)
- two user accounts requires less than 10KB traffic.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id357360"></a><a name="id357362"></a></td><td align="left" valign="top"><p>
- LDAP has a database. Is LDAP not just a fancy database front end?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357374"></a>
- <a class="indexterm" name="id357381"></a>
- <a class="indexterm" name="id357390"></a>
- <a class="indexterm" name="id357396"></a>
- LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific
- data storage system. This type of database is indexed so that records can be rapidly located, but the
- database is not generic and can be used only in particular pre-programmed ways. General external
- applications do not gain access to the data. This type of database is used also by SQL servers. Both
- an SQL server and an LDAP server provide ways to access the data. An SQL server has a transactional
- orientation and typically allows external programs to perform ad hoc queries, even across data tables.
- An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific
- simple queries. The term <code class="constant">database</code> is heavily overloaded and thus much misunderstood.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id357417"></a><a name="id357419"></a></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357423"></a>
- Can Active Directory obtain account information from an OpenLDAP server?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357437"></a>
- No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP
- database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface
- to OpenLDAP using standard LDAP queries and updates.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id357449"></a><a name="id357452"></a></td><td align="left" valign="top"><p>
- What are the parts of a roaming profile? How large is each part?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id357462"></a>
- A roaming profile consists of
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Desktop folders such as <code class="constant">Desktop</code>, <code class="constant">My Documents</code>,
- <code class="constant">My Pictures</code>, <code class="constant">My Music</code>, <code class="constant">Internet Files</code>,
- <code class="constant">Cookies</code>, <code class="constant">Application Data</code>,
- <code class="constant">Local Settings,</code> and more. See <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, <a class="link" href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">&#8220;Windows XP Professional User Shared Folders&#8221;</a>.
- </p><p>
- <a class="indexterm" name="id357521"></a>
- Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
- such folders can be redirected to network drive resources. See <a class="link" href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">&#8220;Configuration of Default Profile with Folder Redirection&#8221;</a>
- for more information regarding folder redirection.
- </p></li><li class="listitem"><p>
- A static or rewritable portion that is typically only a few files (2-5 KB of information).
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id357545"></a>
- <a class="indexterm" name="id357551"></a>
- The registry load file that modifies the <code class="constant">HKEY_LOCAL_USER</code> hive. This is
- the <code class="filename">NTUSER.DAT</code> file. It can be from 0.4 to 1.5 MB.
- </p></li></ul></div><p>
- <a class="indexterm" name="id357573"></a>
- Microsoft Outlook PST files may be stored in the <code class="constant">Local Settings\Application Data</code>
- folder. It can be up to 2 GB in size per PST file.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id357590"></a><a name="id357592"></a></td><td align="left" valign="top"><p>
- Can the <code class="constant">My Documents</code> folder be stored on a network drive?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357607"></a>
- <a class="indexterm" name="id357614"></a>
- Yes. More correctly, such folders can be redirected to network shares. No specific network drive
- connection is required. Registry settings permit this to be redirected directly to a UNC (Universal
- Naming Convention) resource, though it is possible to specify a network drive letter instead of a
- UNC name. See <a class="link" href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">&#8220;Configuration of Default Profile with Folder Redirection&#8221;</a>.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id357635"></a><a name="id357637"></a></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357641"></a>
- <a class="indexterm" name="id357648"></a>
- <a class="indexterm" name="id357657"></a>
- How much WAN bandwidth does WINS consume?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357671"></a>
- <a class="indexterm" name="id357680"></a>
- <a class="indexterm" name="id357687"></a>
- MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache.
- This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS
- server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day,
- was less than 30 KB/sec. Analysis of network traffic over a 6-week period showed that the total
- of all background traffic consumed about 11 percent of available bandwidth over 64 Kb/sec links.
- Background traffic consisted of domain replication, WINS queries, DNS lookups, and authentication
- traffic. Each of 11 branch offices had a 64 Kb/sec wide-area link, with a 1.5 Mb/sec main connection
- that aggregated the branch office connections plus an Internet connection.
- </p><p>
- In conclusion, the total load afforded through WINS traffic is again marginal to total operational
- usage as it should be.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id357712"></a><a name="id357714"></a></td><td align="left" valign="top"><p>
- How many BDCs should I have? What is the right number of Windows clients per server?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
- It is recommended to have at least one BDC per network segment, including the segment served
- by the PDC. Actual requirements vary depending on the working load on each of the BDCs and the
- load demand pattern of client usage. I have seen sites that function without problem with 200
- clients served by one BDC, and yet other sites that had one BDC per 20 clients. In one particular
- company, there was a drafting office that had 30 CAD/CAM operators served by one server, a print
- server; and an application server. While all three were BDCs, typically only the print server would
- service network logon requests after the first 10 users had started to use the network. This was
- a reflection of the service load placed on both the application server and the data server.
- </p><p>
- As unsatisfactory as the answer might sound, it all depends on network and server load
- characteristics.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id357739"></a><a name="id357741"></a></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357745"></a><a class="indexterm" name="id357751"></a>
- I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
- run an NIS server?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
- The correct answer to both questions is yes. But do understand that an LDAP server has
- a configurable schema that can store far more information for many more purposes than
- just NIS.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id357770"></a><a name="id357772"></a></td><td align="left" valign="top"><p>
- Can I use NIS in place of LDAP?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id357783"></a>
- <a class="indexterm" name="id357790"></a>
- No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal
- with the types of data necessary for interoperability with Microsoft Windows networking. The use
- of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also
- a Samba-specific schema extension.
- </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Making Happy Users </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Domain Members, Updating Samba and Migration</td></tr></table></div></body></html>