Diffstat (limited to 'docs/htmldocs/Samba3-ByExample/secure.html')
-rw-r--r-- | docs/htmldocs/Samba3-ByExample/secure.html | 1859 |
1 files changed, 0 insertions, 1859 deletions
diff --git a/docs/htmldocs/Samba3-ByExample/secure.html b/docs/htmldocs/Samba3-ByExample/secure.html deleted file mode 100644 index 600a6dc1c3..0000000000 --- a/docs/htmldocs/Samba3-ByExample/secure.html +++ /dev/null 
@@ -1,1859 +0,0 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Secure Office Networking</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="small.html" title="Chapter 2. Small Office Networking"><link rel="next" href="Big500users.html" title="Chapter 4. The 500-User Office"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Secure Office Networking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="small.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="Big500users.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 3. Secure Office Networking"><div class="titlepage"><div><div><h2 class="title"><a name="secure"></a>Chapter 3. 
Secure Office Networking</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="secure.html#id330143">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id330177">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id330386">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id330398">Technical Issues</a></span></dt><dt><span class="sect2"><a href="secure.html#id330742">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id330776">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#ch4bsc">Basic System Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id331530">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4ptrcfg">Printer Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4valid">Validation</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4appscfg">Application Share Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id335513">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id335566">Questions and Answers</a></span></dt></dl></div><p> - Congratulations, your Samba networking skills are developing nicely. You started out - with three simple networks in <a class="link" href="simple.html" title="Chapter 1. No-Frills Samba Servers">“No-Frills Samba Servers”</a>, and then in <a class="link" href="small.html" title="Chapter 2. 
Small Office Networking">“Small Office Networking”</a> - you designed and built a network that provides a high degree of flexibility, integrity, - and dependability. It was enough for the basic needs each was designed to fulfill. In - this chapter you address a more complex set of needs. The solution you explore - introduces you to basic features that are specific to Samba-3. - </p><p> - You should note that a working and secure solution could be implemented using Samba-2.2.x. - In the exercises presented here, you are gradually using more Samba-3-specific features, - so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given. - To avoid confusion, this book is all about Samba-3. Let's get the exercises in this - chapter underway. - </p><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330143"></a>Introduction</h2></div></div></div><p> - You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work - well done. It is one year since the last network upgrade. You have been quite busy. - Two months ago Mr. Meany gave approval to hire Christine Roberson, who has taken over - general network management. Soon she will provide primary user support. You have - demonstrated that you can delegate responsibility and can plan and execute according - to that plan. Above all, you have shown Mr. Meany that you are a responsible person. - Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never - expected: You are going to take charge of business operations. Mr. Meany - is retiring and has entrusted the business to your capable hands. - </p><p> - Mr. Meany may be retiring from this company, but not from work. He is taking the - opportunity to develop Abmas Accounting into a larger and more substantial company. - He says that it took him many years to learn that there is no future in just running - a business. 
He now realizes there is great personal satisfaction in the creation of - career opportunities for people in the local community. He wants to do more for others, - as he is doing for you. Today he spent a lot of time talking about his grand plan - for growth, which you will deal with in the chapters ahead. - </p><p> - Over the past year, the growth projections were exceeded. The network has grown to - meet the needs of 130 users. Along with growth, the demand for improved services - and better functionality has also developed. You are about to make an interim - improvement and then hand over all Help desk and network maintenance to Christine. - Christine has professional certifications in Microsoft Windows as well as in Linux; - she is a hard worker and quite likable. Christine does not want to manage the department - (although she manages well). She gains job satisfaction when left to sort things out. - Occasionally she wants to work with you on a challenging problem. When you told her - about your move, she almost resigned, although she was reassured that a new manager would - be hired to run Information Technology, and she would be responsible only for operations. - </p><div class="sect2" title="Assignment Tasks"><div class="titlepage"><div><div><h3 class="title"><a name="id330177"></a>Assignment Tasks</h3></div></div></div><p> - You promised the staff Internet services including Web browsing, electronic mail, virus - protection, and a company Web site. Christine is eager to help turn the vision into - reality. Let's see how close you can get to the promises made. - </p><p> - The network you are about to deliver will service 130 users today. Within a year, - Abmas will aquire another company. Mr. Meany claims that within 2 years there will be - well over 500 users on the network. You have bought into the big picture, so prepare - for growth. You have purchased a new server and will implement a new network infrastructure. 
- </p><p> - You have decided to not recycle old network components. The only items that will be - carried forward are notebook computers. You offered staff new notebooks, but not - one person wanted the disruption for what was perceived as a marginal update. - You decided to give everyone, even the notebook user, a new desktop computer. - </p><p> - You procured a DSL Internet connection that provides 1.5 Mb/sec (bidirectional) - and a 10 Mb/sec ethernet port. You registered the domain - <code class="constant">abmas.us</code>, and the Internet Service Provider (ISP) is supplying - secondary DNS. Information furnished by your ISP is shown in <a class="link" href="secure.html#chap4netid" title="Table 3.1. Abmas.US ISP Information">“Abmas.US ISP Information”</a>. - </p><p> - It is of paramount priority that under no circumstances will Samba offer - service access from an Internet connection. You are paying an ISP to - give, as part of its value-added services, full firewall protection for your - connection to the outside world. The only services allowed in from - the Internet side are the following destination ports: <code class="constant">http/https (ports - 80 and 443), email (port 25), DNS (port 53)</code>. All Internet traffic - will be allowed out after network address translation (NAT). No internal IP addresses - are permitted through the NAT filter because complete privacy of internal network - operations must be assured. - </p><div class="table"><a name="chap4netid"></a><p class="title"><b>Table 3.1. 
Abmas.US ISP Information</b></p><div class="table-contents"><table summary="Abmas.US ISP Information" border="1"><colgroup><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Parameter</th><th align="center">Value</th></tr></thead><tbody><tr><td align="left">Server IP Address</td><td align="center">123.45.67.66</td></tr><tr><td align="left">DSL Device IP Address</td><td align="center">123.45.67.65</td></tr><tr><td align="left">Network Address</td><td align="center">123.45.67.64/30</td></tr><tr><td align="left">Gateway Address</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Primary DNS Server</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Secondary DNS Server</td><td align="center">123.45.54.32</td></tr><tr><td align="left">Forwarding DNS Server</td><td align="center">123.45.12.23</td></tr></tbody></table></div></div><br class="table-break"><div class="figure"><a name="ch04net"></a><p class="title"><b>Figure 3.1. Abmas Network Topology 130 Users</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap4-net.png" width="351" alt="Abmas Network Topology 130 Users"></div></div></div><br class="figure-break"><p> - Christine recommended that desktop systems should be installed from a single cloned - master system that has a minimum of locally installed software and loads all software - off a central application server. The benefit of having the central application server - is that it allows single-point maintenance of all business applications, a more - efficient way to manage software. She further recommended installation of antivirus - software on workstations as well as on the Samba server. Christine knows the dangers - of potential virus infection and insists on a comprehensive approach to detective - as well as corrective action to protect network operations. - </p><p> - A significant concern is the problem of managing company growth. 
Recently, a number - of users had to share a PC while waiting for new machines to arrive. This presented - some problems with desktop computers and software installation into the new users' - desktop profiles. - </p></div></div><div class="sect1" title="Dissection and Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330386"></a>Dissection and Discussion</h2></div></div></div><p> - Many of the conclusions you draw here are obvious. Some requirements are not very clear - or may simply be your means of drawing the most out of Samba-3. Much can be done more simply - than you will demonstrate here, but keep in mind that the network must scale to at least 500 - users. This means that some functionality will be overdesigned for the current 130-user - environment. - </p><div class="sect2" title="Technical Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id330398"></a>Technical Issues</h3></div></div></div><p> - In this exercise we use a 24-bit subnet mask for the two local networks. This, - of course, limits our network to a maximum of 253 usable IP addresses. The network - address range chosen is one assigned by RFC1918 for private networks. - When the number of users on the network begins to approach the limit of usable - addresses, it is a good idea to switch to a network address specified in RFC1918 - in the 172.16.0.0/16 range. This is done in subsequent chapters. - </p><p> - <a class="indexterm" name="id330412"></a> - <a class="indexterm" name="id330419"></a> - The high growth rates projected are a good reason to use the <code class="constant">tdbsam</code> - passdb backend. The use of <code class="constant">smbpasswd</code> for the backend may result in - performance problems. The <code class="constant">tdbsam</code> passdb backend offers features that - are not available with the older, flat ASCII-based <code class="constant">smbpasswd</code> database. 
- </p><p> - <a class="indexterm" name="id330443"></a> - The proposed network design uses a single server to act as an Internet services host for - electronic mail, Web serving, remote administrative access via SSH, - Samba-based file and print services. This design is often chosen by sites that feel - they cannot afford or justify the cost or overhead of having separate servers. It must - be realized that if security of this type of server should ever be violated (compromised), - the whole network and all data is at risk. Many sites continue to choose this type - of solution; therefore, this chapter provides detailed coverage of key implementation - aspects. - </p><p> - Samba will be configured to specifically not operate on the Ethernet interface that is - directly connected to the Internet. - </p><p> - <a class="indexterm" name="id330462"></a> - <a class="indexterm" name="id330469"></a> - <a class="indexterm" name="id330475"></a> - <a class="indexterm" name="id330483"></a> - You know that your ISP is providing full firewall services, but you cannot rely on that. - Always assume that human error will occur, so be prepared by using Linux firewall facilities - based on <code class="literal">iptables</code> to effect NAT. Block all - incoming traffic except to permitted well-known ports. You must also allow incoming packets - to establish outgoing connections. You will permit all internal outgoing requests. - </p><p> - The configuration of Web serving, Web proxy services, electronic mail, and the details of - generic antivirus handling are beyond the scope of this book and therefore are not - covered except insofar as this affects Samba-3. - </p><p> - <a class="indexterm" name="id330507"></a> - Notebook computers are configured to use a network login when in the office and a - local account to log in while away from the office. Users store all work done in - transit (away from the office) by using a local share for work files. 
Standard procedures - dictate that on completion of the work that necessitates mobile file access, all - work files are moved back to secure storage on the office server. Staff is instructed - to not carry on any company notebook computer any files that are not absolutely required. - This is a preventative measure to protect client information as well as private business - records. - </p><p> - <a class="indexterm" name="id330527"></a> - All applications are served from the central server from a share called <code class="constant">apps</code>. - Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network - (or administrative) installation. Accounting and financial management software can also - be run only from the central application server. Notebook users are provided with - locally installed applications on a need-to-have basis only. - </p><p> - <a class="indexterm" name="id330543"></a> - The introduction of roaming profiles support means that users can move between - desktop computer systems without constraint while retaining full access to their data. - The desktop travels with them as they move. - </p><p> - <a class="indexterm" name="id330555"></a> - The DNS server implementation must now address both internal and external - needs. You forward DNS lookups to your ISP-provided server as well as the - <code class="constant">abmas.us</code> external secondary DNS server. - </p><p> - <a class="indexterm" name="id330569"></a> - <a class="indexterm" name="id330575"></a> - <a class="indexterm" name="id330584"></a> - Compared with the DHCP server configuration in <a class="link" href="small.html" title="Chapter 2. Small Office Networking">“Small Office Networking”</a>, <a class="link" href="small.html#dhcp01" title="Example 2.2. 
Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf">“Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf”</a>, the - configuration used in this example has to deal with the presence of an Internet connection. - The scope set for it ensures that no DHCP services will be offered on the external - connection. All printers are configured as DHCP clients so that the DHCP server assigns - the printer a fixed IP address by way of the Ethernet interface (MAC) address. One additional - feature of this DHCP server configuration file is the inclusion of parameters to allow dynamic - DNS (DDNS) operation. - </p><p> - This is the first implementation that depends on a correctly functioning DNS server. - Comprehensive steps are included to provide for a fully functioning DNS server that also - is enabled for DDNS operation. This means that DHCP clients can be autoregistered - with the DNS server. - </p><p> - You are taking the opportunity to manually set the netbios name of the Samba server to - a name other than what will be automatically resolved. You are doing this to ensure that - the machine has the same NetBIOS name on both network segments. - </p><p> - As in the previous network configuration, printing in this network configuration uses - direct raw printing (i.e., no smart printing and no print driver autodownload to Windows - clients). Printer drivers are installed on the Windows client manually. This is not - a problem because Christine is to install and configure one single workstation and - then clone that configuration, using Norton Ghost, to all workstations. Each machine is - identical, so this should pose no problem. - </p><div class="sect3" title="Hardware Requirements"><div class="titlepage"><div><div><h4 class="title"><a name="id330622"></a>Hardware Requirements</h4></div></div></div><p> - <a class="indexterm" name="id330630"></a> - This server runs a considerable number of services. 
From similarly configured Linux - installations, the approximate calculated memory requirements are as shown in - <a class="link" href="secure.html#ch4memoryest" title="Example 3.1. Estimation of Memory Requirements">“Estimation of Memory Requirements”</a>. - -</p><div class="example"><a name="ch4memoryest"></a><p class="title"><b>Example 3.1. Estimation of Memory Requirements</b></p><div class="example-contents"><pre class="screen"> -Application Memory per User 130 Users 500 Users - Name (MBytes) Total MBytes Total MBytes ------------ --------------- ------------ ------------ -DHCP 2.5 3 3 -DNS 16.0 16 16 -Samba (nmbd) 16.0 16 16 -Samba (winbind) 16.0 16 16 -Samba (smbd) 4.0 520 2000 -Apache 10.0 (20 User) 200 200 -CUPS 3.5 16 32 -Basic OS 256.0 256 256 - -------------- -------------- - Total: 1043 MBytes 2539 MBytes - -------------- -------------- -</pre></div></div><p><br class="example-break"> - You should add a safety margin of at least 50% to these estimates. The minimum - system memory recommended for initial startup 1 GB, but to permit the system - to scale to 500 users, it makes sense to provision the machine with 4 GB memory. - An initial configuration with only 1 GB memory would lead to early performance complaints - as the system load builds up. Given the low cost of memory, it does not make sense to - compromise in this area. - </p><p> - <a class="indexterm" name="id330669"></a> - Aggregate input/output loads should be considered for sizing network configuration as - well as disk subsystems. For network bandwidth calculations, one would typically use an - estimate of 0.1 MB/sec per user. This suggests that 100-Base-T (approx. 10 MB/sec) - would deliver below acceptable capacity for the initial user load. It is therefore a good - idea to begin with 1 Gb Ethernet cards for the two internal networks, each attached - to a 1 Gb Ethernet switch that provides connectivity to an expandable array of 100-Base-T - switched ports. 
- </p><p> - <a class="indexterm" name="id330683"></a> - <a class="indexterm" name="id330689"></a> - Considering the choice of 1 Gb Ethernet interfaces for the two local network segments, - the aggregate network I/O capacity will be 2100 Mb/sec (about 230 MB/sec), an I/O - demand that would require a fast disk storage I/O capability. Peak disk throughput is - limited by the disk subsystem chosen. It is desirable to provide the maximum - I/O bandwidth affordable. If a low-cost solution must be chosen, - 3Ware IDE RAID Controllers are a good choice. These controllers can be fitted into a - 64-bit, 66 MHz PCI-X slot. They appear to the operating system as a high-speed SCSI - controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MB/sec). - Alternative SCSI-based hardware RAID controllers should also be considered. Alternately, - it makes sense to purchase well-known, branded hardware that has appropriate performance - specifications. As a minimum, one should attempt to provide a disk subsystem that can - deliver I/O rates of at least 100 MB/sec. - </p><p> - Disk storage requirements may be calculated as shown in <a class="link" href="secure.html#ch4diskest" title="Example 3.2. Estimation of Disk Storage Requirements">“Estimation of Disk Storage Requirements”</a>. - -</p><div class="example"><a name="ch4diskest"></a><p class="title"><b>Example 3.2. 
Estimation of Disk Storage Requirements</b></p><div class="example-contents"><pre class="screen"> -Corporate Data: 100 MBytes/user per year -Email Storage: 500 MBytes/user per year -Applications: 5000 MBytes -Safety Buffer: At least 50% - -Given 500 Users and 2 years: ------------------------------ - Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes - Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes - Applications: 5000 MBytes = 5 GBytes - ---------------------------- - Total: 605 GBytes - Add 50% buffer 303 GBytes - Recommended Storage: 908 GBytes -</pre></div></div><p><br class="example-break"> - <a class="indexterm" name="id330731"></a> - The preferred storage capacity should be approximately 1 Terabyte. Use of RAID level 5 - with two hot spare drives would require an 8-drive by 200 GB capacity per drive array. - </p></div></div><div class="sect2" title="Political Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id330742"></a>Political Issues</h3></div></div></div><p> - Your industry is coming under increasing accountability pressures. Increased paranoia - is necessary so you can demonstrate that you have acted with due diligence. You must - not trust your Internet connection. - </p><p> - Apart from permitting more efficient management of business applications through use of - an application server, your primary reason for the decision to implement this is that it - gives you greater control over software licensing. - </p><p> - <a class="indexterm" name="id330760"></a> - You are well aware that the current configuration results in some performance issues - as the size of the desktop profile grows. Given that users use Microsoft Outlook - Express, you know that the storage implications of the <code class="constant">.PST</code> file - is something that needs to be addressed later. 
- </p></div></div><div class="sect1" title="Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330776"></a>Implementation</h2></div></div></div><p> - <a class="link" href="secure.html#ch04net" title="Figure 3.1. Abmas Network Topology 130 Users">“Abmas Network Topology 130 Users”</a> demonstrates the overall design of the network that you will implement. - </p><p> - The information presented here assumes that you are already familiar with many basic steps. - As this stands, the details provided already extend well beyond just the necessities of - Samba configuration. This decision is deliberate to ensure that key determinants - of a successful installation are not overlooked. This is the last case that documents - the finite minutiae of DHCP and DNS server configuration. Beyond the information provided - here, there are many other good reference books on these subjects. - </p><p> - The <code class="filename">smb.conf</code> file has the following noteworthy features: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> - The NetBIOS name of the Samba server is set to <code class="constant">DIAMOND</code>. - </p></li><li class="listitem"><p> - The Domain name is set to <code class="constant">PROMISES</code>. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id330826"></a> - <a class="indexterm" name="id330832"></a> - <a class="indexterm" name="id330838"></a> - Ethernet interface <code class="constant">eth0</code> is attached to the Internet connection - and is externally exposed. This interface is explicitly not available for Samba to use. - Samba listens on this interface for broadcast messages but does not broadcast any - information on <code class="constant">eth0</code>, nor does it accept any connections from it. 
- This is achieved by way of the <em class="parameter"><code>interfaces</code></em> parameter and the - <em class="parameter"><code>bind interfaces only</code></em> entry. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id330868"></a> - <a class="indexterm" name="id330874"></a> - <a class="indexterm" name="id330881"></a> - The <em class="parameter"><code>passdb backend</code></em> parameter specifies the creation and use - of the <code class="constant">tdbsam</code> password backend. This is a binary database that - has excellent scalability for a large number of user account entries. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id330901"></a> - <a class="indexterm" name="id330907"></a> - <a class="indexterm" name="id330913"></a> - WINS serving is enabled by the <a class="link" href="smb.conf.5.html#WINSSUPPORT" target="_top">wins support = Yes</a>, - and name resolution is set to use it by means of the - <a class="link" href="smb.conf.5.html#NAMERESOLVEORDER" target="_top">name resolve order = wins bcast hosts</a> entry. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id330940"></a> - The Samba server is configured for use by Windows clients as a time server. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id330950"></a> - <a class="indexterm" name="id330957"></a> - <a class="indexterm" name="id330963"></a> - Samba is configured to directly interface with CUPS via the direct internal interface - that is provided by CUPS libraries. This is achieved with the - <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = CUPS</a> as well as the - <a class="link" href="smb.conf.5.html#PRINTCAPNAME" target="_top">printcap name = CUPS</a> entries. 
- </p></li><li class="listitem"><p> - <a class="indexterm" name="id330990"></a> - <a class="indexterm" name="id330996"></a> - <a class="indexterm" name="id331003"></a> - External interface scripts are provided to enable Samba to interface smoothly to - essential operating system functions for user and group management. This is important - to enable workstations to join the Domain and is also important so that you can use - the Windows NT4 Domain User Manager as well as the Domain Server Manager. These tools - are provided as part of the <code class="filename">SRVTOOLS.EXE</code> toolkit that can be - downloaded from the Microsoft FTP - <a class="ulink" href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">site</a>. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id331028"></a> - The <code class="filename">smb.conf</code> file specifies that the Samba server will operate in (default) <em class="parameter"><code> - security = user</code></em> mode<sup>[<a name="id331045" href="#ftn.id331045" class="footnote">5</a>]</sup> - (User Mode). - </p></li><li class="listitem"><p> - <a class="indexterm" name="id331061"></a> - <a class="indexterm" name="id331067"></a> - Domain logon services as well as a Domain logon script are specified. The logon script - will be used to add robustness to the overall network configuration. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id331079"></a> - <a class="indexterm" name="id331085"></a> - <a class="indexterm" name="id331092"></a> - Roaming profiles are enabled through the specification of the parameter, - <a class="link" href="smb.conf.5.html#LOGONPATH" target="_top">logon path = \\%L\profiles\%U</a>. 
The value of this parameter translates the - <code class="constant">%L</code> to the name by which the Samba server is called by the client (for this - configuration, it translates to the name <code class="constant">DIAMOND</code>), and the <code class="constant">%U</code> - will translate to the name of the user within the context of the connection made to the profile share. - It is the administrator's responsibility to ensure there is a directory in the root of the - profile share for each user. This directory must be owned by the user also. An exception to this - requirement is when a profile is created for group use. - </p></li><li class="listitem"><p> - <a class="indexterm" name="id331124"></a> - <a class="indexterm" name="id331130"></a> - Precautionary veto is effected for particular Windows file names that have been targeted by - virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking - controls. This should help to prevent lock contention-related file access problems. - </p></li><li class="listitem"><p> - Every user has a private home directory on the UNIX/Linux host. This is mapped to - a network drive that is the same for all users. - </p></li></ul></div><p> - The configuration of the server is the most complex so far. The following steps are used: - </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p> - Basic System Configuration - </p></li><li class="listitem"><p> - Samba Configuration - </p></li><li class="listitem"><p> - DHCP and DNS Server Configuration - </p></li><li class="listitem"><p> - Printer Configuration - </p></li><li class="listitem"><p> - Process Start-up Configuration - </p></li><li class="listitem"><p> - Validation - </p></li><li class="listitem"><p> - Application Share Configuration - </p></li><li class="listitem"><p> - Windows Client Configuration - </p></li></ol></div><p> - The following sections cover each step in logical and defined detail. 
- </p><div class="sect2" title="Basic System Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="ch4bsc"></a>Basic System Configuration</h3></div></div></div><p> - <a class="indexterm" name="id331207"></a> - The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been - freshly installed. It prepares basic files so that the system is ready for comprehensive - operation in line with the network diagram shown in <a class="link" href="secure.html#ch04net" title="Figure 3.1. Abmas Network Topology 130 Users">“Abmas Network Topology 130 Users”</a>. - </p><div class="procedure" title="Procedure 3.1. Server Configuration Steps"><a name="id331220"></a><p class="title"><b>Procedure 3.1. Server Configuration Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - <a class="indexterm" name="id331231"></a> - Using the UNIX/Linux system tools, name the server <code class="constant">server.abmas.us</code>. - Verify that your hostname is correctly set by running: -</p><pre class="screen"> -<code class="prompt">root# </code> uname -n -server -</pre><p> - An alternate method to verify the hostname is: -</p><pre class="screen"> -<code class="prompt">root# </code> hostname -f -server.abmas.us -</pre><p> - </p></li><li class="step" title="Step 2"><p> - <a class="indexterm" name="id331268"></a> - <a class="indexterm" name="id331274"></a> - Edit your <code class="filename">/etc/hosts</code> file to include the primary names and addresses - of all network interfaces that are on the host server. This is necessary so that during - startup the system can resolve all its own names to the IP address prior to - startup of the DNS server. 
An example of entries that should be in the - <code class="filename">/etc/hosts</code> file is: -</p><pre class="screen"> -127.0.0.1 localhost -192.168.1.1 sleeth1.abmas.biz sleeth1 diamond -192.168.2.1 sleeth2.abmas.biz sleeth2 -123.45.67.66 server.abmas.us server -</pre><p> - You should check the startup order of your system. If the CUPS print server is started before - the DNS server (<code class="literal">named</code>), you should also include an entry for the printers - in the <code class="filename">/etc/hosts</code> file, as follows: -</p><pre class="screen"> -192.168.1.20 qmsa.abmas.biz qmsa -192.168.1.30 hplj6a.abmas.biz hplj6a -192.168.2.20 qmsf.abmas.biz qmsf -192.168.2.30 hplj6f.abmas.biz hplj6f -</pre><p> - <a class="indexterm" name="id331319"></a> - <a class="indexterm" name="id331325"></a> - <a class="indexterm" name="id331332"></a> - The printer entries are not necessary if <code class="literal">named</code> is started prior to - startup of <code class="literal">cupsd</code>, the CUPS daemon. - </p></li><li class="step" title="Step 3"><p> - <a class="indexterm" name="id331354"></a> - <a class="indexterm" name="id331361"></a> - <a class="indexterm" name="id331367"></a> - The host server is acting as a router between the two internal network segments as well - as for all Internet access. This necessitates that IP forwarding be enabled. This can be - achieved by adding to the <code class="filename">/etc/rc.d/boot.local</code> an entry as follows: -</p><pre class="screen"> -echo 1 > /proc/sys/net/ipv4/ip_forward -</pre><p> - To ensure that your kernel is capable of IP forwarding during configuration, you may - wish to execute that command manually also. 
This setting permits the Linux system to - act as a router.<sup>[<a name="id331388" href="#ftn.id331388" class="footnote">6</a>]</sup> - </p></li><li class="step" title="Step 4"><p> - <a class="indexterm" name="id331400"></a> - <a class="indexterm" name="id331406"></a> - Installation of a basic firewall and NAT facility is necessary. - The following script can be installed in the <code class="filename">/usr/local/sbin</code> - directory. It is executed from the <code class="filename">/etc/rc.d/boot.local</code> startup - script. In your case, this script is called <code class="filename">abmas-netfw.sh</code>. The - script contents are shown in <a class="link" href="secure.html#ch4natfw" title="Example 3.3. NAT Firewall Configuration Script">“NAT Firewall Configuration Script”</a>. - -</p><div class="example"><a name="ch4natfw"></a><p class="title"><b>Example 3.3. NAT Firewall Configuration Script</b></p><div class="example-contents"><pre class="screen"> -#!/bin/sh -echo -e "\n\nLoading NAT firewall.\n" -IPTABLES=/usr/sbin/iptables -EXTIF="eth0" -INTIFA="eth1" -INTIFB="eth2" - -/sbin/depmod -a -/sbin/modprobe ip_tables -/sbin/modprobe ip_conntrack -/sbin/modprobe ip_conntrack_ftp -/sbin/modprobe iptable_nat -/sbin/modprobe ip_nat_ftp -$IPTABLES -P INPUT DROP -$IPTABLES -F INPUT -$IPTABLES -P OUTPUT ACCEPT -$IPTABLES -F OUTPUT -$IPTABLES -P FORWARD DROP -$IPTABLES -F FORWARD - -$IPTABLES -A INPUT -i lo -j ACCEPT -$IPTABLES -A INPUT -i $INTIFA -j ACCEPT -$IPTABLES -A INPUT -i $INTIFB -j ACCEPT -$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT -# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS -for i in 22 25 53 80 443 -do - $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT -done -# Allow DNS(udp) -$IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT -echo "Allow all connections OUT and only existing and specified ones IN" -$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state \ - --state ESTABLISHED,RELATED -j ACCEPT 
-$IPTABLES -A FORWARD -i $EXTIF -o $INTIFB -m state \ - --state ESTABLISHED,RELATED -j ACCEPT -$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT -$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT -$IPTABLES -A FORWARD -j LOG -echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" -$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE -echo "1" > /proc/sys/net/ipv4/ip_forward -echo -e "\nNAT firewall done.\n" -</pre></div></div><p><br class="example-break"> - </p></li><li class="step" title="Step 5"><p> - Execute the following to make the script executable: -</p><pre class="screen"> -<code class="prompt">root# </code> chmod 755 /usr/local/sbin/abmas-natfw.sh -</pre><p> - You must now edit <code class="filename">/etc/rc.d/boot.local</code> to add an entry - that runs your <code class="literal">abmas-natfw.sh</code> script. The following - entry works for you: -</p><pre class="screen"> -#! /bin/sh -# -# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany. -# All rights reserved. -# -# Author: Werner Fink, 1996 -# Burchard Steinbild, 1996 -# -# /etc/init.d/boot.local -# -# script with local commands to be executed from init on system startup -# -# Here you should add things that should happen directly after booting -# before we're going to the first run level. -# -/usr/local/sbin/abmas-natfw.sh -</pre><p> - </p></li></ol></div><p> - <a class="indexterm" name="id331512"></a> - The server is now ready for Samba configuration. During the validation step, you remove - the entry for the Samba server <code class="constant">diamond</code> from the <code class="filename">/etc/hosts</code> - file. This is done after you are satisfied that DNS-based name resolution is functioning correctly. 
- </p></div><div class="sect2" title="Samba Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="id331530"></a>Samba Configuration</h3></div></div></div><p> - When you have completed this section, the Samba server is ready for testing and validation; - however, testing and validation have to wait until DHCP, DNS, and printing (CUPS) services have - been configured. - </p><div class="procedure" title="Procedure 3.2. Samba Configuration Steps"><a name="id331541"></a><p class="title"><b>Procedure 3.2. Samba Configuration Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary - RPM file is called <code class="filename">samba-3.0.20-1.i386.rpm</code>, one way to install this - file is as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> rpm -Uvh samba-3.0.20-1.i386.rpm -</pre><p> - This operation must be performed while logged in as the <code class="literal">root</code> user. - Successful operation is clearly indicated. If this installation should fail for any reason, - refer to the operating system manufacturer's documentation for guidance. - </p></li><li class="step" title="Step 2"><p> - Install the <code class="filename">smb.conf</code> file shown in <a class="link" href="secure.html#promisnet" title="Example 3.4. 130 User Network with tdbsam [globals] Section">“130 User Network with tdbsam [globals] Section”</a>, <a class="link" href="secure.html#promisnetsvca" title="Example 3.5. 130 User Network with tdbsam Services Section Part A">“130 User Network with tdbsam Services Section Part A”</a>, - and <a class="link" href="secure.html#promisnetsvcb" title="Example 3.6. 130 User Network with tdbsam Services Section Part B">“130 User Network with tdbsam Services Section Part B”</a>. Concatenate (join) all three files to make a single <code class="filename">smb.conf</code> - file. 
The final, fully qualified path for this file should be <code class="filename">/etc/samba/smb.conf</code>. - -</p><div class="example"><a name="promisnet"></a><p class="title"><b>Example 3.4. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> [globals] Section</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id331640"></a><em class="parameter"><code>workgroup = PROMISES</code></em></td></tr><tr><td><a class="indexterm" name="id331650"></a><em class="parameter"><code>netbios name = DIAMOND</code></em></td></tr><tr><td><a class="indexterm" name="id331661"></a><em class="parameter"><code>interfaces = eth1, eth2, lo</code></em></td></tr><tr><td><a class="indexterm" name="id331671"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331682"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id331692"></a><em class="parameter"><code>pam password change = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331702"></a><em class="parameter"><code>passwd program = /usr/bin/passwd %u</code></em></td></tr><tr><td><a class="indexterm" name="id331713"></a><em class="parameter"><code>passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*</code></em></td></tr><tr><td><a class="indexterm" name="id331724"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id331734"></a><em class="parameter"><code>unix password sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331745"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id331755"></a><em class="parameter"><code>syslog = 
0</code></em></td></tr><tr><td><a class="indexterm" name="id331766"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id331776"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id331786"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id331797"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id331807"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331818"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id331828"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id331838"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id331849"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id331859"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id331870"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id331880"></a><em class="parameter"><code>add user to group script = /usr/sbin/usermod -G '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id331891"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id331902"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id331912"></a><em 
class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id331923"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id331933"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id331944"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id331954"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id331964"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331975"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331985"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id331996"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332006"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332016"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id332027"></a><em class="parameter"><code>cups options = Raw</code></em></td></tr><tr><td><a class="indexterm" name="id332037"></a><em class="parameter"><code>veto files = /*.eml/*.nws/*.{*}/</code></em></td></tr><tr><td><a class="indexterm" name="id332048"></a><em class="parameter"><code>veto oplock files = /*.doc/*.xls/*.mdb/</code></em></td></tr></table></div></div><p><br class="example-break"> - -</p><div class="example"><a name="promisnetsvca"></a><p class="title"><b>Example 3.5. 
130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part A</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id332085"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id332096"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id332106"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id332117"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id332135"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id332146"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id332156"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332167"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332177"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332187"></a><em class="parameter"><code>default devmode = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332198"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id332217"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id332227"></a><em class="parameter"><code>path = 
/var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id332237"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332248"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id332267"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id332277"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id332287"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id332298"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id332317"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id332327"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id332337"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><p><br class="example-break"> - -</p><div class="example"><a name="promisnetsvcb"></a><p class="title"><b>Example 3.6. 
130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part B</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id332375"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id332386"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id332396"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id332415"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id332425"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id332436"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id332454"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id332465"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id332475"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332486"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr></table></div></div><p><br class="example-break"> - </p></li><li class="step" title="Step 3"><p> - <a class="indexterm" name="id332503"></a><a class="indexterm" name="id332508"></a> - Add the <code class="constant">root</code> user to the password backend as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> smbpasswd -a root -New SMB 
password: XXXXXXXX -Retype new SMB password: XXXXXXXX -<code class="prompt">root# </code> -</pre><p> - The <code class="constant">root</code> account is the UNIX equivalent of the Windows Domain Administrator. - This account is essential in the regular maintenance of your Samba server. It must never be - deleted. If for any reason the account is deleted, you may not be able to recreate this account - without considerable trouble. - </p></li><li class="step" title="Step 4"><p> - <a class="indexterm" name="id332548"></a> - Create the username map file to permit the <code class="constant">root</code> account to be called - <code class="constant">Administrator</code> from the Windows network environment. To do this, create - the file <code class="filename">/etc/samba/smbusers</code> with the following contents: -</p><pre class="screen"> -#### -# User mapping file -#### -# File Format -# ----------- -# Unix_ID = Windows_ID -# -# Examples: -# root = Administrator -# janes = "Jane Smith" -# jimbo = Jim Bones -# -# Note: If the name contains a space it must be double quoted. -# In the example above the name 'jimbo' will be mapped to Windows -# user names 'Jim' and 'Bones' because the space was not quoted. -####################################################################### -root = Administrator -#### -# End of File -#### -</pre><p> - </p></li><li class="step" title="Step 5"><p> - <a class="indexterm" name="id332583"></a> - <a class="indexterm" name="id332590"></a> - <a class="indexterm" name="id332600"></a> - <a class="indexterm" name="id332611"></a> - Create and map Windows Domain Groups to UNIX groups. A sample script is provided in <a class="link" href="small.html" title="Chapter 2. Small Office Networking">“Small Office Networking”</a>, - <a class="link" href="small.html#initGrps" title="Example 2.1. Script to Map Windows NT Groups to UNIX Groups">“Script to Map Windows NT Groups to UNIX Groups”</a>. Create a file containing this script. 
We called ours - <code class="filename">/etc/samba/initGrps.sh</code>. Set this file so it can be executed, - and then execute the script. Sample output should be as follows: - -</p><div class="example"><a name="ch4initGrps"></a><p class="title"><b>Example 3.7. Script to Map Windows NT Groups to UNIX Groups</b></p><div class="example-contents"><a class="indexterm" name="id332645"></a><pre class="screen"> -#!/bin/bash -# -# initGrps.sh -# - -# Create UNIX groups -groupadd acctsdep -groupadd finsrvcs - -# Map Windows Domain Groups to UNIX groups -net groupmap add ntgroup="Domain Admins" unixgroup=root type=d -net groupmap add ntgroup="Domain Users" unixgroup=users type=d -net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d - -# Add Functional Domain Groups -net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d -net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d -net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d - -# Map Windows NT machine local groups to local UNIX groups -# Mapping of local groups is not necessary and not functional -# for this installation. 
-</pre></div></div><p><br class="example-break"> - -</p><pre class="screen"> -<code class="prompt">root# </code> chmod 755 initGrps.sh -<code class="prompt">root# </code> /etc/samba # ./initGrps.sh -Updated mapping entry for Domain Admins -Updated mapping entry for Domain Users -Updated mapping entry for Domain Guests -No rid or sid specified, choosing algorithmic mapping -Successfully added group Accounts Dept to the mapping db -No rid or sid specified, choosing algorithmic mapping -Successfully added group Domain Guests to the mapping db - -<code class="prompt">root# </code> /etc/samba # net groupmap list | sort -Account Operators (S-1-5-32-548) -> -1 -Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep -Administrators (S-1-5-32-544) -> -1 -Backup Operators (S-1-5-32-551) -> -1 -Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root -Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody -Domain Users (S-1-5-21-179504-2437109-488451-513) -> users -Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs -Guests (S-1-5-32-546) -> -1 -Power Users (S-1-5-32-547) -> -1 -Print Operators (S-1-5-32-550) -> -1 -Replicators (S-1-5-32-552) -> -1 -System Operators (S-1-5-32-549) -> -1 -Users (S-1-5-32-545) -> -1 -</pre><p> - </p></li><li class="step" title="Step 6"><p> - <a class="indexterm" name="id332701"></a> - <a class="indexterm" name="id332708"></a> - <a class="indexterm" name="id332714"></a> - <a class="indexterm" name="id332720"></a> - <a class="indexterm" name="id332726"></a> - <a class="indexterm" name="id332733"></a> - <a class="indexterm" name="id332741"></a> - There is one preparatory step without which you will not have a working Samba - network environment. You must add an account for each network user. - For each user who needs to be given a Windows Domain account, make an entry in the - <code class="filename">/etc/passwd</code> file as well as in the Samba password backend. 
- Use the system tool of your choice to create the UNIX system account, and use the Samba - <code class="literal">smbpasswd</code> to create a Domain user account. - There are a number of tools for user management under UNIX, such as - <code class="literal">useradd</code>, and <code class="literal">adduser</code>, as well as a plethora of custom - tools. You also want to create a home directory for each user. - You can do this by executing the following steps for each user: -</p><pre class="screen"> -<code class="prompt">root# </code> useradd -m <em class="parameter"><code>username</code></em> -<code class="prompt">root# </code> passwd <em class="parameter"><code>username</code></em> -Changing password for <em class="parameter"><code>username</code></em>. -New password: XXXXXXXX -Re-enter new password: XXXXXXXX -Password changed -<code class="prompt">root# </code> smbpasswd -a <em class="parameter"><code>username</code></em> -New SMB password: XXXXXXXX -Retype new SMB password: XXXXXXXX -Added user <em class="parameter"><code>username</code></em>. -</pre><p> - You do of course use a valid user login ID in place of <em class="parameter"><code>username</code></em>. - </p></li><li class="step" title="Step 7"><p> - <a class="indexterm" name="id332838"></a> - <a class="indexterm" name="id332846"></a> - <a class="indexterm" name="id332854"></a> - Using the preferred tool for your UNIX system, add each user to the UNIX groups created - previously as necessary. File system access control will be based on UNIX group membership. - </p></li><li class="step" title="Step 8"><p> - Create the directory mount point for the disk subsystem that can be mounted to provide - data storage for company files. In this case the mount point is indicated in the <code class="filename">smb.conf</code> - file is <code class="filename">/data</code>. Format the file system as required, and mount the formatted - file system partition using appropriate system tools. 
- </p></li><li class="step" title="Step 9"><p> - <a class="indexterm" name="id332889"></a> - Create the top-level file storage directories for data and applications as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> mkdir -p /data/{accounts,finsrvcs} -<code class="prompt">root# </code> mkdir -p /apps -<code class="prompt">root# </code> chown -R root:root /data -<code class="prompt">root# </code> chown -R root:root /apps -<code class="prompt">root# </code> chown -R bjordan:acctsdep /data/accounts -<code class="prompt">root# </code> chown -R bjordan:finsrvcs /data/finsrvcs -<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data -<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps -</pre><p> - Each department is responsible for creating its own directory structure within the departmental - share. The directory root of the <code class="literal">accounts</code> share is <code class="filename">/data/accounts</code>. - The directory root of the <code class="literal">finsvcs</code> share is <code class="filename">/data/finsvcs</code>. - The <code class="filename">/apps</code> directory is the root of the <code class="constant">apps</code> share - that provides the application server infrastructure. - </p></li><li class="step" title="Step 10"><p> - The <code class="filename">smb.conf</code> file specifies an infrastructure to support roaming profiles and network - logon services. You can now create the file system infrastructure to provide the - locations on disk that these services require. Adequate planning is essential, - since desktop profiles can grow to be quite large. For planning purposes, a minimum of - 200 MB of storage should be allowed per user for profile storage. 
The following - commands create the directory infrastructure needed: -</p><pre class="screen"> -<code class="prompt">root# </code> mkdir -p /var/spool/samba -<code class="prompt">root# </code> mkdir -p /var/lib/samba/{netlogon/scripts,profiles} -<code class="prompt">root# </code> chown -R root:root /var/spool/samba -<code class="prompt">root# </code> chown -R root:root /var/lib/samba -<code class="prompt">root# </code> chmod a+rwxt /var/spool/samba -<code class="prompt">root# </code> chmod 2775 /var/lib/samba/profiles -<code class="prompt">root# </code> chgrp users /var/lib/samba/profiles -</pre><p> - For each user account that is created on the system, the following commands should be - executed: -</p><pre class="screen"> -<code class="prompt">root# </code> mkdir /var/lib/samba/profiles/'username' -<code class="prompt">root# </code> chown 'username':users /var/lib/samba/profiles/'username' -<code class="prompt">root# </code> chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username' -</pre><p> - </p></li><li class="step" title="Step 11"><p> - <a class="indexterm" name="id333063"></a> - <a class="indexterm" name="id333069"></a> - <a class="indexterm" name="id333075"></a> - Create a logon script. It is important that each line is correctly terminated with - a carriage return and line-feed combination (i.e., DOS encoding). The following procedure - works if the right tools (<code class="constant">unix2dos</code> and <code class="constant">dos2unix</code>) are installed. 
- First, create a file called <code class="filename">/var/lib/samba/netlogon/scripts/logon.bat.unix</code> - with the following contents: -</p><pre class="screen"> -net time \\diamond /set /yes -net use h: /home -net use p: \\diamond\apps -</pre><p> - Convert the UNIX file to a DOS file using the <code class="literal">unix2dos</code> as shown here: -</p><pre class="screen"> -<code class="prompt">root# </code> unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix \ - > /var/lib/samba/netlogon/scripts/logon.bat -</pre><p> - </p></li></ol></div></div><div class="sect2" title="Configuration of DHCP and DNS Servers"><div class="titlepage"><div><div><h3 class="title"><a name="ch4dhcpdns"></a>Configuration of DHCP and DNS Servers</h3></div></div></div><p> - DHCP services are a basic component of the entire network client installation. DNS operation is - foundational to Internet access as well as to trouble-free operation of local networking. When - you have completed this section, the server should be ready for solid duty operation. - </p><div class="procedure" title="Procedure 3.3. DHCP and DNS Server Configuration Steps"><a name="id333134"></a><p class="title"><b>Procedure 3.3. DHCP and DNS Server Configuration Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - <a class="indexterm" name="id333145"></a> - Create a file called <code class="filename">/etc/dhcpd.conf</code> with the contents as - shown in <a class="link" href="secure.html#prom-dhcp" title="Example 3.8. DHCP Server Configuration File /etc/dhcpd.conf">“DHCP Server Configuration File /etc/dhcpd.conf”</a>. - -</p><div class="example"><a name="prom-dhcp"></a><p class="title"><b>Example 3.8. DHCP Server Configuration File <code class="filename">/etc/dhcpd.conf</code></b></p><div class="example-contents"><pre class="screen"> -# Abmas Accounting Inc. 
-default-lease-time 86400; -max-lease-time 172800; -default-lease-time 86400; -option ntp-servers 192.168.1.1; -option domain-name "abmas.biz"; -option domain-name-servers 192.168.1.1, 192.168.2.1; -option netbios-name-servers 192.168.1.1, 192.168.2.1; -option netbios-node-type 8; ### Node type = Hybrid ### -ddns-updates on; ### Dynamic DNS enabled ### -ddns-update-style interim; - -subnet 192.168.1.0 netmask 255.255.255.0 { - range dynamic-bootp 192.168.1.128 192.168.1.254; - option subnet-mask 255.255.255.0; - option routers 192.168.1.1; - allow unknown-clients; - host qmsa { - hardware ethernet 08:00:46:7a:35:e4; - fixed-address 192.168.1.20; - } - host hplj6a { - hardware ethernet 00:03:47:cb:81:e0; - fixed-address 192.168.1.30; - } - } -subnet 192.168.2.0 netmask 255.255.255.0 { - range dynamic-bootp 192.168.2.128 192.168.2.254; - option subnet-mask 255.255.255.0; - option routers 192.168.2.1; - allow unknown-clients; - host qmsf { - hardware ethernet 01:04:31:db:e1:c0; - fixed-address 192.168.1.20; - } - host hplj6f { - hardware ethernet 00:03:47:cf:83:e2; - fixed-address 192.168.2.30; - } - } -subnet 127.0.0.0 netmask 255.0.0.0 { - } -subnet 123.45.67.64 netmask 255.255.255.252 { - } -</pre></div></div><p><br class="example-break"> - </p></li><li class="step" title="Step 2"><p> - <a class="indexterm" name="id333199"></a> - Create a file called <code class="filename">/etc/named.conf</code> that has the combined contents - of the <a class="link" href="secure.html#ch4namedcfg" title="Example 3.9. DNS Master Configuration File /etc/named.conf Master Section">“DNS Master Configuration File /etc/named.conf Master Section”</a>, <a class="link" href="secure.html#ch4namedvarfwd" title="Example 3.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section">“DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section”</a>, and - <a class="link" href="secure.html#ch4namedvarrev" title="Example 3.11. 
DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section">“DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section”</a> files that are concatenated (merged) in this - specific order. - </p></li><li class="step" title="Step 3"><p> - Create the files shown in their respective directories as shown in <a class="link" href="secure.html#namedrscfiles" title="Table 3.2. DNS (named) Resource Files">DNS - (named) Resource Files</a>. - - </p><div class="table"><a name="namedrscfiles"></a><p class="title"><b>Table 3.2. DNS (named) Resource Files</b></p><div class="table-contents"><table summary="DNS (named) Resource Files" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Reference</th><th align="left">File Location</th></tr></thead><tbody><tr><td align="left"><a class="link" href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">“DNS Localhost Forward Zone File: /var/lib/named/localhost.zone”</a></td><td align="left">/var/lib/named/localhost.zone</td></tr><tr><td align="left"><a class="link" href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">“DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone”</a></td><td align="left">/var/lib/named/127.0.0.zone</td></tr><tr><td align="left"><a class="link" href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">“DNS Root Name Server Hint File: /var/lib/named/root.hint”</a></td><td align="left">/var/lib/named/root.hint</td></tr><tr><td align="left"><a class="link" href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">“DNS Abmas.biz Forward Zone File”</a></td><td align="left">/var/lib/named/master/abmas.biz.hosts</td></tr><tr><td align="left"><a class="link" href="secure.html#abmasus" title="Example 3.15. 
DNS Abmas.us Forward Zone File">“DNS Abmas.us Forward Zone File”</a></td><td align="left">/var/lib/named/abmas.us.hosts</td></tr><tr><td align="left"><a class="link" href="secure.html#eth1zone" title="Example 3.12. DNS 192.168.1 Reverse Zone File">“DNS 192.168.1 Reverse Zone File”</a></td><td align="left">/var/lib/named/192.168.1.0.rev</td></tr><tr><td align="left"><a class="link" href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">“DNS 192.168.2 Reverse Zone File”</a></td><td align="left">/var/lib/named/192.168.2.0.rev</td></tr></tbody></table></div></div><p><br class="table-break"> - -</p><div class="example"><a name="ch4namedcfg"></a><p class="title"><b>Example 3.9. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Master Section</b></p><div class="example-contents"><a class="indexterm" name="id333369"></a><pre class="screen"> -### -# Abmas Biz DNS Control File -### -# Date: November 15, 2003 -### -options { - directory "/var/lib/named"; - forwarders { - 123.45.12.23; - }; - forward first; - listen-on { - mynet; - }; - auth-nxdomain yes; - multiple-cnames yes; - notify no; -}; - -zone "." in { - type hint; - file "root.hint"; -}; - -zone "localhost" in { - type master; - file "localhost.zone"; -}; - -zone "0.0.127.in-addr.arpa" in { - type master; - file "127.0.0.zone"; -}; - -acl mynet { - 192.168.1.0/24; - 192.168.2.0/24; - 127.0.0.1; -}; - -acl seconddns { - 123.45.54.32; -}; - -</pre></div></div><p><br class="example-break"> - -</p><div class="example"><a name="ch4namedvarfwd"></a><p class="title"><b>Example 3.10. 
DNS Master Configuration File <code class="filename">/etc/named.conf</code> Forward Lookup Definition Section</b></p><div class="example-contents"><pre class="screen"> -zone "abmas.biz" { - type master; - file "/var/lib/named/master/abmas.biz.hosts"; - allow-query { - mynet; - }; - allow-transfer { - mynet; - }; - allow-update { - mynet; - }; -}; - -zone "abmas.us" { - type master; - file "/var/lib/named/master/abmas.us.hosts"; - allow-query { - any; - }; - allow-transfer { - seconddns; - }; -}; -</pre></div></div><p><br class="example-break"> - -</p><div class="example"><a name="ch4namedvarrev"></a><p class="title"><b>Example 3.11. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Reverse Lookup Definition Section</b></p><div class="example-contents"><pre class="screen"> -zone "1.168.192.in-addr.arpa" { - type master; - file "/var/lib/named/master/192.168.1.0.rev"; - allow-query { - mynet; - }; - allow-transfer { - mynet; - }; - allow-update { - mynet; - }; -}; - -zone "2.168.192.in-addr.arpa" { - type master; - file "/var/lib/named/master/192.168.2.0.rev"; - allow-query { - mynet; - }; - allow-transfer { - mynet; - }; - allow-update { - mynet; - }; -}; -</pre></div></div><p><br class="example-break"> - -</p><div class="example"><a name="eth1zone"></a><p class="title"><b>Example 3.12. DNS 192.168.1 Reverse Zone File</b></p><div class="example-contents"><pre class="screen"> -$ORIGIN . -$TTL 38400 ; 10 hours 40 minutes -1.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. ( - 2003021825 ; serial - 10800 ; refresh (3 hours) - 3600 ; retry (1 hour) - 604800 ; expire (1 week) - 38400 ; minimum (10 hours 40 minutes) - ) - NS sleeth1.abmas.biz. -$ORIGIN 1.168.192.in-addr.arpa. -1 PTR sleeth1.abmas.biz. -20 PTR qmsa.abmas.biz. -30 PTR hplj6a.abmas.biz. -</pre></div></div><p><br class="example-break"> - -</p><div class="example"><a name="eth2zone"></a><p class="title"><b>Example 3.13. 
DNS 192.168.2 Reverse Zone File</b></p><div class="example-contents"><pre class="screen"> -$ORIGIN . -$TTL 38400 ; 10 hours 40 minutes -2.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. ( - 2003021825 ; serial - 10800 ; refresh (3 hours) - 3600 ; retry (1 hour) - 604800 ; expire (1 week) - 38400 ; minimum (10 hours 40 minutes) - ) - NS sleeth2.abmas.biz. -$ORIGIN 2.168.192.in-addr.arpa. -1 PTR sleeth2.abmas.biz. -20 PTR qmsf.abmas.biz. -30 PTR hplj6f.abmas.biz. -</pre></div></div><p><br class="example-break"> - -</p><div class="example"><a name="abmasbiz"></a><p class="title"><b>Example 3.14. DNS Abmas.biz Forward Zone File</b></p><div class="example-contents"><pre class="screen"> -$ORIGIN . -$TTL 38400 ; 10 hours 40 minutes -abmas.biz IN SOA sleeth1.abmas.biz. root.abmas.biz. ( - 2003021833 ; serial - 10800 ; refresh (3 hours) - 3600 ; retry (1 hour) - 604800 ; expire (1 week) - 38400 ; minimum (10 hours 40 minutes) - ) - NS dns.abmas.biz. - MX 10 mail.abmas.biz. -$ORIGIN abmas.biz. -sleeth1 A 192.168.1.1 -sleeth2 A 192.168.2.1 -qmsa A 192.168.1.20 -hplj6a A 192.168.1.30 -qmsf A 192.168.2.20 -hplj6f A 192.168.2.30 -dns CNAME sleeth1 -diamond CNAME sleeth1 -mail CNAME sleeth1 -</pre></div></div><p><br class="example-break"> - -</p><div class="example"><a name="abmasus"></a><p class="title"><b>Example 3.15. DNS Abmas.us Forward Zone File</b></p><div class="example-contents"><pre class="screen"> -$ORIGIN . -$TTL 38400 ; 10 hours 40 minutes -abmas.us IN SOA server.abmas.us. root.abmas.us. ( - 2003021833 ; serial - 10800 ; refresh (3 hours) - 3600 ; retry (1 hour) - 604800 ; expire (1 week) - 38400 ; minimum (10 hours 40 minutes) - ) - NS dns.abmas.us. - NS dns2.abmas.us. - MX 10 mail.abmas.us. -$ORIGIN abmas.us. 
-server A 123.45.67.66 -dns2 A 123.45.54.32 -gw A 123.45.67.65 -www CNAME server -mail CNAME server -dns CNAME server -</pre></div></div><p><br class="example-break"> - - </p></li><li class="step" title="Step 4"><p> - <a class="indexterm" name="id333533"></a><a class="indexterm" name="id333539"></a> - All DNS name resolution should be handled locally. To ensure that the server is configured - correctly to handle this, edit <code class="filename">/etc/resolv.conf</code> to have the following - content: -</p><pre class="screen"> -search abmas.us abmas.biz -nameserver 127.0.0.1 -nameserver 123.45.54.23 -</pre><p> - <a class="indexterm" name="id333561"></a> - This instructs the name resolver function (when configured correctly) to ask the DNS server - that is running locally to resolve names to addresses. In the event that the local name server - is not available, ask the name server provided by the ISP. The latter, of course, does not resolve - purely local names to IP addresses. - </p></li><li class="step" title="Step 5"><p> - <a class="indexterm" name="id333580"></a> - The final step is to edit the <code class="filename">/etc/nsswitch.conf</code> file. - This file controls the operation of the various resolver libraries that are part of the Linux - Glibc libraries. Edit this file so that it contains the following entries: -</p><pre class="screen"> -hosts: files dns wins -</pre><p> - </p></li></ol></div><p> - The basic DHCP and DNS services are now ready for validation testing. Before you can proceed, - there are a few more steps along the road. First, configure the print spooling and print - processing system. Then you can configure the server so that all services - start automatically on reboot. You must also manually start all services prior to validation testing. 
- </p></div><div class="sect2" title="Printer Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="ch4ptrcfg"></a>Printer Configuration</h3></div></div></div><p> - Network administrators who are new to CUPS based-printing typically experience some difficulty mastering - its powerful features. The steps outlined in this section are designed to navigate around the distractions - of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a - transparent print queue that performs no filtering, and only minimal handling of each print job that is - submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that - the correct printer driver must be installed on all clients. - </p><div class="procedure" title="Procedure 3.4. Printer Configuration Steps"><a name="id333627"></a><p class="title"><b>Procedure 3.4. Printer Configuration Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Configure each printer to be a DHCP client, carefully following the manufacturer's guidelines. - </p></li><li class="step" title="Step 2"><p> - Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100. - Use any other port the manufacturer specifies for direct-mode raw printing, and adjust the - port as necessary in the following example commands. - This allows the CUPS spooler to print using raw mode protocols. 
- <a class="indexterm" name="id333649"></a> - <a class="indexterm" name="id333656"></a> - </p></li><li class="step" title="Step 3"><p> - <a class="indexterm" name="id333669"></a><a class="indexterm" name="id333677"></a> - Configure the CUPS Print Queues as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E -<code class="prompt">root# </code> lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E -<code class="prompt">root# </code> lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E -<code class="prompt">root# </code> lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E -</pre><p> - <a class="indexterm" name="id333717"></a> - This creates the necessary print queues with no assigned print filter. - </p></li><li class="step" title="Step 4"><p><a class="indexterm" name="id333731"></a> - Print queues may not be enabled at creation. Use <code class="literal">lpc stat</code> to check - the status of the print queues and, if necessary, make certain that the queues you have - just created are enabled by executing the following: -</p><pre class="screen"> -<code class="prompt">root# </code> /usr/bin/enable qmsa -<code class="prompt">root# </code> /usr/bin/enable hplj6a -<code class="prompt">root# </code> /usr/bin/enable qmsf -<code class="prompt">root# </code> /usr/bin/enable hplj6f -</pre><p> - </p></li><li class="step" title="Step 5"><p><a class="indexterm" name="id333783"></a> - Even though your print queues may be enabled, it is still possible that they - are not accepting print jobs. A print queue services incoming printing - requests only when configured to do so. 
Ensure that your print queues are - set to accept incoming jobs by executing the following commands: -</p><pre class="screen"> -<code class="prompt">root# </code> /usr/sbin/accept qmsa -<code class="prompt">root# </code> /usr/sbin/accept hplj6a -<code class="prompt">root# </code> /usr/sbin/accept qmsf -<code class="prompt">root# </code> /usr/sbin/accept hplj6f -</pre><p> - </p></li><li class="step" title="Step 6"><p> - <a class="indexterm" name="id333831"></a> - <a class="indexterm" name="id333838"></a> - <a class="indexterm" name="id333844"></a> - Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line: -</p><pre class="screen"> -application/octet-stream application/vnd.cups-raw 0 - -</pre><p> - </p></li><li class="step" title="Step 7"><p> - <a class="indexterm" name="id333871"></a> - Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line: -</p><pre class="screen"> -application/octet-stream -</pre><p> - </p></li><li class="step" title="Step 8"><p> - Printing drivers are installed on each network client workstation. - </p></li></ol></div><p> - Note: If the parameter <em class="parameter"><code>cups options = Raw</code></em> is specified in the <code class="filename">smb.conf</code> file, - the last two steps can be omitted with CUPS version 1.1.18, or later. - </p><p> - The UNIX system print queues have been configured and are ready for validation testing. - </p></div><div class="sect2" title="Process Startup Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="procstart"></a>Process Startup Configuration</h3></div></div></div><p> - <a class="indexterm" name="id333932"></a> - There are two essential steps to process startup configuration. First, the process - must be configured so that it automatically restarts each time the server - is rebooted. 
This step involves use of the <code class="literal">chkconfig</code> tool that - creates the appropriate symbolic links from the master daemon control file that is - located in the <code class="filename">/etc/rc.d</code> directory, to the <code class="filename">/etc/rc'x'.d</code> - directories. Links are created so that when the system run level is changed, the - necessary start or kill script is run. - </p><p> - <a class="indexterm" name="id333964"></a> - <a class="indexterm" name="id333970"></a> - <a class="indexterm" name="id333977"></a> - <a class="indexterm" name="id333984"></a> - <a class="indexterm" name="id333991"></a> - In the event that a service is not run as a daemon, but via the internetworking - super daemon (<code class="literal">inetd</code> or <code class="literal">xinetd</code>), then the <code class="literal">chkconfig</code> - tool makes the necessary entries in the <code class="filename">/etc/xinetd.d</code> directory - and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to - re-read its control files. - </p><p> - Last, each service must be started to permit system validation to proceed. - </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Use the standard system tool to configure each service to restart - automatically at every system reboot. For example, - <a class="indexterm" name="id334038"></a> -</p><pre class="screen"> -<code class="prompt">root# </code> chkconfig dhpcd on -<code class="prompt">root# </code> chkconfig named on -<code class="prompt">root# </code> chkconfig cups on -<code class="prompt">root# </code> chkconfig smb on -</pre><p> - </p></li><li class="step" title="Step 2"><p> - <a class="indexterm" name="id334080"></a> - <a class="indexterm" name="id334087"></a> - <a class="indexterm" name="id334094"></a> - Now start each service to permit the system to be validated. 
- Execute each of the following in the sequence shown: - -</p><pre class="screen"> -<code class="prompt">root# </code> /etc/rc.d/init.d/dhcpd restart -<code class="prompt">root# </code> /etc/rc.d/init.d/named restart -<code class="prompt">root# </code> /etc/rc.d/init.d/cups restart -<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart -</pre><p> - </p></li></ol></div></div><div class="sect2" title="Validation"><div class="titlepage"><div><div><h3 class="title"><a name="ch4valid"></a>Validation</h3></div></div></div><p> - <a class="indexterm" name="id334146"></a> - Complex networking problems are most often caused by simple things that are poorly or incorrectly - configured. The validation process adopted here should be followed carefully; it is the result of the - experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should - refrain from taking shortcuts, from making basic assumptions, and from not exercising due process - and diligence in network validation. By thoroughly testing and validating every step in the process - of network installation and configuration, you can save yourself from sleepless nights and restless - days. A well debugged network is a foundation for happy network users and network administrators. - Later in this book you learn how to make users happier. For now, it is enough to learn to - validate. Let's get on with it. - </p><div class="procedure" title="Procedure 3.5. Server Validation Steps"><a name="id334161"></a><p class="title"><b>Procedure 3.5. Server Validation Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - <a class="indexterm" name="id334172"></a> - One of the most important facets of Samba configuration is to ensure that - name resolution functions correctly. You can check name resolution - with a few simple tests. The most basic name resolution is provided from the - <code class="filename">/etc/hosts</code> file. 
To test its operation, make a - temporary edit to the <code class="filename">/etc/nsswitch.conf</code> file. Using - your favorite editor, change the entry for <code class="constant">hosts</code> to read: -</p><pre class="screen"> -hosts: files -</pre><p> - When you have saved this file, execute the following command: -</p><pre class="screen"> -<code class="prompt">root# </code> ping diamond -PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data. -64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms -64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms -64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms -64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms - ---- sleeth1.abmas.biz ping statistics --- -4 packets transmitted, 4 received, 0% packet loss, time 3016ms -rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms -</pre><p> - This proves that name resolution via the <code class="filename">/etc/hosts</code> file - is working. - </p></li><li class="step" title="Step 2"><p> - <a class="indexterm" name="id334233"></a> - So far, your installation is going particularly well. In this step we validate - DNS server and name resolution operation. Using your favorite UNIX system editor, - change the <code class="filename">/etc/nsswitch.conf</code> file so that the - <code class="constant">hosts</code> entry reads: -</p><pre class="screen"> -hosts: dns -</pre><p> - </p></li><li class="step" title="Step 3"><p> - <a class="indexterm" name="id334263"></a> - Before you test DNS operation, it is a good idea to verify that the DNS server - is running by executing the following: -</p><pre class="screen"> -<code class="prompt">root# </code> ps ax | grep named - 437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log - 524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named - 525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named - 526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named - 529 ? 
S 0:00 /usr/sbin/named -t /var/lib/named -u named - 540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named - 2552 pts/2 S 0:00 grep named -</pre><p> - This means that we are ready to check DNS operation. Do so by executing: - <a class="indexterm" name="id334287"></a> -</p><pre class="screen"> -<code class="prompt">root# </code> ping diamond -PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data. -64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms -64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms - ---- sleeth1.abmas.biz ping statistics --- -2 packets transmitted, 2 received, 0% packet loss, time 999ms -rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms -</pre><p> - You should take a few more steps to validate DNS server operation, as follows: -</p><pre class="screen"> -<code class="prompt">root# </code> host -f diamond.abmas.biz -sleeth1.abmas.biz has address 192.168.1.1 -</pre><p> - <a class="indexterm" name="id334321"></a> - You may now remove the entry called <code class="constant">diamond</code> from the - <code class="filename">/etc/hosts</code> file. It does not hurt to leave it there, - but its removal reduces the number of administrative steps for this name. - </p></li><li class="step" title="Step 4"><p> - <a class="indexterm" name="id334346"></a> - WINS is a great way to resolve NetBIOS names to their IP address. You can test - the operation of WINS by starting <code class="literal">nmbd</code> (manually or by way - of the Samba startup method shown in <a class="link" href="secure.html#procstart" title="Process Startup Configuration">“Process Startup Configuration”</a>). You must edit - the <code class="filename">/etc/nsswitch.conf</code> file so that the <code class="constant">hosts</code> - entry is as follows: -</p><pre class="screen"> -hosts: wins -</pre><p> - The next step is to make certain that Samba is running using <code class="literal">ps ax | grep mbd</code>. 
- The <code class="literal">nmbd</code> daemon will provide the WINS name resolution service when the - <code class="filename">smb.conf</code> file <em class="parameter"><code>global</code></em> parameter <a class="link" href="smb.conf.5.html#WINSSUPPORT" target="_top">wins support = Yes</a> has been specified. Having validated that Samba is operational, - excute the following: -</p><pre class="screen"> -<code class="prompt">root# </code> ping diamond -PING diamond (192.168.1.1) 56(84) bytes of data. -64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms -64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms -</pre><p> - <a class="indexterm" name="id334432"></a> - Now that you can relax with the knowledge that all three major forms of name - resolution to IP address resolution are working, edit the <code class="filename">/etc/nsswitch.conf</code> - again. This time you add all three forms of name resolution to this file. - Your edited entry for <code class="constant">hosts</code> should now look like this: -</p><pre class="screen"> -hosts: files dns wins -</pre><p> - The system is looking good. Let's move on. - </p></li><li class="step" title="Step 5"><p> - It would give you peace of mind to know that the DHCP server is running - and available for service. You can validate DHCP services by running: - -</p><pre class="screen"> -<code class="prompt">root# </code> ps ax | grep dhcp - 2618 ? S 0:00 /usr/sbin/dhcpd ... - 8180 pts/2 S 0:00 grep dhcp -</pre><p> - This shows that the server is running. The proof of whether or not it is working - comes when you try to add the first DHCP client to the network. - </p></li><li class="step" title="Step 6"><p> - <a class="indexterm" name="id334485"></a> - This is a good point at which to start validating Samba operation. You are - content that name resolution is working for basic TCP/IP needs. Let's move on. 
- If your <code class="filename">smb.conf</code> file has bogus options or parameters, this may cause Samba - to refuse to start. The first step should always be to validate the contents - of this file by running: -</p><pre class="screen"> -<code class="prompt">root# </code> testparm -s -Load smb config files from smb.conf -Processing section "[homes]" -Processing section "[printers]" -Processing section "[netlogon]" -Processing section "[profiles]" -Processing section "[accounts]" -Processing section "[service]" -Processing section "[apps]" -Loaded services file OK. -# Global parameters -[global] - workgroup = PROMISES - netbios name = DIAMOND - interfaces = eth1, eth2, lo - bind interfaces only = Yes - passdb backend = tdbsam - pam password change = Yes - passwd program = /usr/bin/passwd '%u' - passwd chat = *New*Password* %n\n \ - *Re-enter*new*password* %n\n *Password*changed* - username map = /etc/samba/smbusers - unix password sync = Yes - log level = 1 - syslog = 0 - log file = /var/log/samba/%m - max log size = 50 - smb ports = 139 - name resolve order = wins bcast hosts - time server = Yes - printcap name = CUPS - show add printer wizard = No - add user script = /usr/sbin/useradd -m '%u' - delete user script = /usr/sbin/userdel -r '%u' - add group script = /usr/sbin/groupadd '%g' - delete group script = /usr/sbin/groupdel '%g' - add user to group script = /usr/sbin/usermod -G '%g' '%u' - add machine script = /usr/sbin/useradd \ - -s /bin/false -d /dev/null '%u' - shutdown script = /var/lib/samba/scripts/shutdown.sh - abort shutdown script = /sbin/shutdown -c - logon script = scripts\logon.bat - logon path = \\%L\profiles\%U - logon drive = X: - logon home = \\%L\%U - domain logons = Yes - preferred master = Yes - wins support = Yes - utmp = Yes - winbind use default domain = Yes - map acl inherit = Yes - cups options = Raw - veto files = /*.eml/*.nws/*.{*}/ - veto oplock files = /*.doc/*.xls/*.mdb/ - -[homes] - comment = Home Directories - valid users = %S 
- read only = No - browseable = No -... -### Remainder cut to save space ### -</pre><p> - Clear away all errors before proceeding. - </p></li><li class="step" title="Step 7"><p> - <a class="indexterm" name="id334550"></a> - <a class="indexterm" name="id334557"></a> - <a class="indexterm" name="id334564"></a> - <a class="indexterm" name="id334571"></a> - Check that the Samba server is running: -</p><pre class="screen"> -<code class="prompt">root# </code> ps ax | grep mbd -14244 ? S 0:00 /usr/sbin/nmbd -D -14245 ? S 0:00 /usr/sbin/nmbd -D -14290 ? S 0:00 /usr/sbin/smbd -D - -$rootprompt; ps ax | grep winbind -14293 ? S 0:00 /usr/sbin/winbindd -D -14295 ? S 0:00 /usr/sbin/winbindd -D -</pre><p> - The <code class="literal">winbindd</code> daemon is running in split mode (normal), so there are also - two instances<sup>[<a name="id334598" href="#ftn.id334598" class="footnote">7</a>]</sup> of it. - </p></li><li class="step" title="Step 8"><p> - <a class="indexterm" name="id334627"></a> - <a class="indexterm" name="id334634"></a> - Check that an anonymous connection can be made to the Samba server: -</p><pre class="screen"> -<code class="prompt">root# </code> smbclient -L localhost -U% - - Sharename Type Comment - --------- ---- ------- - IPC$ IPC IPC Service (Samba 3.0.20) - netlogon Disk Network Logon Service - profiles Disk Profile Share - accounts Disk Accounting Files - service Disk Financial Services Files - apps Disk Application Files - ADMIN$ IPC IPC Service (Samba 3.0.20) - hplj6a Printer hplj6a - hplj6f Printer hplj6f - qmsa Printer qmsa - qmsf Printer qmsf - - Server Comment - --------- ------- - DIAMOND Samba 3.0.20 - - Workgroup Master - --------- ------- - PROMISES DIAMOND -</pre><p> - This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent - of browsing the server from a Windows client to obtain a list of shares on the server. 
- The <code class="constant">-U%</code> argument means to send a <code class="constant">NULL</code> username and - a <code class="constant">NULL</code> password. - </p></li><li class="step" title="Step 9"><p> - <a class="indexterm" name="id334682"></a> - <a class="indexterm" name="id334688"></a> - <a class="indexterm" name="id334695"></a> - Verify that each printer has the IP address assigned in the DHCP server configuration file. - The easiest way to do this is to ping the printer name. Immediately after the ping response - has been received, execute <code class="literal">arp -a</code> to find the MAC address of the printer - that has responded. Now you can compare the IP address and the MAC address of the printer - with the configuration information in the <code class="filename">/etc/dhcpd.conf</code> file. They - should, of course, match. For example, -</p><pre class="screen"> -<code class="prompt">root# </code> ping hplj6 -PING hplj6a (192.168.1.30) 56(84) bytes of data. -64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms - -<code class="prompt">root# </code> arp -a -hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0 -</pre><p> - <a class="indexterm" name="id334736"></a> - The MAC address <code class="constant">00:03:47:CB:81:E0</code> matches that specified for the - IP address from which the printer has responded and with the entry for it in the - <code class="filename">/etc/dhcpd.conf</code> file. Repeat this for each printer configured. - </p></li><li class="step" title="Step 10"><p> - <a class="indexterm" name="id334763"></a> - Make an authenticated connection to the server using the <code class="literal">smbclient</code> tool: -</p><pre class="screen"> -<code class="prompt">root# </code> smbclient //diamond/accounts -U gholmes -Password: XXXXXXX -smb: \> dir - . D 0 Thu Nov 27 15:07:09 2003 - .. 
D 0 Sat Nov 15 17:40:50 2003 - zakadmin.exe 161424 Thu Nov 27 15:06:52 2003 - zak.exe 6066384 Thu Nov 27 15:06:52 2003 - dhcpd.conf 1256 Thu Nov 27 15:06:52 2003 - smb.conf 2131 Thu Nov 27 15:06:52 2003 - initGrps.sh A 1089 Thu Nov 27 15:06:52 2003 - POLICY.EXE 86542 Thu Nov 27 15:06:52 2003 - - 55974 blocks of size 65536. 33968 blocks available -smb: \> q -</pre><p> - </p></li><li class="step" title="Step 11"><p> - <a class="indexterm" name="id334807"></a> - Your new server is connected to an Internet-accessible connection. Before you start - your firewall, you should run a port scanner against your system. You should repeat that - after the firewall has been started. This helps you understand to what extent the - server may be vulnerable to external attack. One way you can do this is by using an - external service, such as the <a class="ulink" href="http://www.dslreports.com/scan" target="_top">DSL Reports</a> - tools. Alternately, if you can gain root-level access to a remote - UNIX/Linux system that has the <code class="literal">nmap</code> tool, you can run the following: -</p><pre class="screen"> -<code class="prompt">root# </code> nmap -v -sT server.abmas.us - -Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) -Host server.abmas.us (123.45.67.66) appears to be up ... good. -Initiating Connect() Scan against server.abmas.us (123.45.67.66) -Adding open port 6000/tcp -Adding open port 873/tcp -Adding open port 445/tcp -Adding open port 10000/tcp -Adding open port 901/tcp -Adding open port 631/tcp -Adding open port 25/tcp -Adding open port 111/tcp -Adding open port 32770/tcp -Adding open port 3128/tcp -Adding open port 53/tcp -Adding open port 80/tcp -Adding open port 443/tcp -Adding open port 139/tcp -Adding open port 22/tcp -The Connect() Scan took 0 seconds to scan 1601 ports. 
-Interesting ports on server.abmas.us (123.45.67.66): -(The 1587 ports scanned but not shown below are in state: closed) -Port State Service -22/tcp open ssh -25/tcp open smtp -53/tcp open domain -80/tcp open http -111/tcp open sunrpc -139/tcp open netbios-ssn -443/tcp open https -445/tcp open microsoft-ds -631/tcp open ipp -873/tcp open rsync -901/tcp open samba-swat -3128/tcp open squid-http -6000/tcp open X11 -10000/tcp open snet-sensor-mgmt -32770/tcp open sometimes-rpc3 - -Nmap run completed -- 1 IP address (1 host up) scanned in 1 second -</pre><p> - The above scan was run before the external interface was locked down with the NAT-firewall - script you created above. The following results are obtained after the firewall rules - have been put into place: -</p><pre class="screen"> -<code class="prompt">root# </code> nmap -v -sT server.abmas.us - -Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) -Host server.abmas.us (123.45.67.66) appears to be up ... good. -Initiating Connect() Scan against server.abmas.us (123.45.67.66) -Adding open port 53/tcp -Adding open port 22/tcp -The Connect() Scan took 168 seconds to scan 1601 ports. -Interesting ports on server.abmas.us (123.45.67.66): -(The 1593 ports scanned but not shown below are in state: filtered) -Port State Service -22/tcp open ssh -25/tcp closed smtp -53/tcp open domain -80/tcp closed http -443/tcp closed https - -Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds -</pre><p> - </p></li></ol></div></div><div class="sect2" title="Application Share Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="ch4appscfg"></a>Application Share Configuration</h3></div></div></div><p> - <a class="indexterm" name="id334886"></a> - <a class="indexterm" name="id334893"></a> - The use of an application server is a key mechanism by which desktop administration overheads - can be reduced. 
Check the application manual for your software to identify how best to - create an administrative installation. - </p><p> - Some Windows software will only run locally on the desktop computer. Such software - is typically not suited for administrative installation. Administratively installed software - permits one or more of the following installation choices: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> - Install software fully onto a workstation, storing data files on the same workstation. - </p></li><li class="listitem"><p> - Install software fully onto a workstation with central network data file storage. - </p></li><li class="listitem"><p> - Install software to run off a central application server with data files stored - on the local workstation. This is often called a minimum installation, or a - network client installation. - </p></li><li class="listitem"><p> - Install software to run off a central application server with data files stored - on a central network share. This type of installation often prevents storage - of work files on the local workstation. - </p></li></ul></div><p> - <a class="indexterm" name="id334936"></a> - A common application deployed in this environment is an office suite. - Enterprise editions of Microsoft Office XP Professional can be administratively installed - by launching the installation from a command shell. The command that achieves this is - <code class="literal">setup /a</code>. It results in a set of prompts through which various - installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource - Kit for more information regarding this mode of installation of MS Office XP Professional. - The full administrative installation of MS Office XP Professional requires approximately - 650 MB of disk space. 
- </p><p> - When the MS Office XP Professional product has been installed to the administrative network - share, the product can be installed onto a workstation by executing the normal setup program. - The installation process now provides a choice to either perform a minimum installation - or a full local installation. A full local installation takes over 100 MB of disk space. - A network workstation (minimum) installation requires typically 10 MB to 15 MB of - local disk space. In the latter case, when the applications are used, they load over the network. - </p><p> - <a class="indexterm" name="id334963"></a> - <a class="indexterm" name="id334970"></a> - Microsoft Office Service Packs can be unpacked to update an administrative share. This makes - it possible to update MS Office XP Professional for all users from a single installation - of the service pack and generally circumvents the need to run updates on each network - Windows client. - </p><p> - The default location for MS Office XP Professional data files can be set through registry - editing or by way of configuration options inside each Office XP Professional application. - </p><p> - <a class="indexterm" name="id334988"></a> - OpenOffice.Org OpenOffice Version 1.1.0 can be installed locally. It can also - be installed to run off a network share. The latter is a most desirable solution for office-bound - network users and for administrative staff alike. It permits quick and easy updates - to be rolled out to all users with a minimum of disruption and with maximum flexibility. - </p><p> - The process for installation of administrative shared OpenOffice involves download of the - distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area. - When fully extracted using the unzipping tool of your choosing, change into the Windows - installation files directory then execute <code class="literal">setup -net</code>. You are - prompted on screen for the target installation location. 
This is the administrative - share point. The full administrative OpenOffice share takes approximately 150 MB of disk - space. - </p><div class="sect3" title="Comments Regarding Software Terms of Use"><div class="titlepage"><div><div><h4 class="title"><a name="id335012"></a>Comments Regarding Software Terms of Use</h4></div></div></div><p> - Many single-user products can be installed into an administrative share, but - personal versions of products such as Microsoft Office XP Professional do not permit this. - Many people do not like terms of use typical with commercial products, so a few comments - regarding software licensing seem important. - </p><p> - Please do not use an administrative installation of proprietary and commercially licensed - software products to violate the copyright holders' property. All software is licensed, - particularly software that is licensed for use free of charge. All software is the property - of the copyright holder unless the author and/or copyright holder has explicitly disavowed - ownership and has placed the software into the public domain. - </p><p> - Software that is under the GNU General Public License, like proprietary software, is - licensed in a way that restricts use. For example, if you modify GPL software and then - distribute the binary version of your modifications, you must offer to provide the source - code as well. This restriction is designed to maintain the momentum - of the diffusion of technology and to protect against the withholding of innovations. - </p><p> - Commercial and proprietary software generally restrict use to those who have paid the - license fees and who comply with the licensee's terms of use. Software that is released - under the GNU General Public License is restricted to particular terms and conditions - also. Whatever the licensing terms may be, if you do not approve of the terms of use, - please do not use the software. 
- </p><p> - <a class="indexterm" name="id335047"></a> - Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided - with the source code. - </p></div></div><div class="sect2" title="Windows Client Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="ch4wincfg"></a>Windows Client Configuration</h3></div></div></div><p> - Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs - to reinstall many of the notebook computers that will be recycled for use with the new network - configuration. The smartest way to handle the challenge of the roll-out program is to build - a staged system for each type of target machine, and then use an image replication tool such as Norton - Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can - be done with notebook computers as long as they are identical or sufficiently similar. - </p><div class="procedure" title="Procedure 3.6. Windows Client Configuration Procedure"><a name="sbewinclntprep"></a><p class="title"><b>Procedure 3.6. Windows Client Configuration Procedure</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - <a class="indexterm" name="id335091"></a> - <a class="indexterm" name="id335098"></a> - Install MS Windows XP Professional. During installation, configure the client to use DHCP for - TCP/IP protocol configuration. DHCP configures all Windows clients to use the WINS Server - address that has been defined for the local subnet. - </p></li><li class="step" title="Step 2"><p> - Join the Windows Domain <code class="constant">PROMISES</code>. Use the Domain Administrator - username <code class="constant">root</code> and the SMB password you assigned to this account. - A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to - a Windows Domain is given in <a class="link" href="appendix.html" title="Chapter 15. 
A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">“Joining a Domain: Windows 200x/XP Professional”</a>. - Reboot the machine as prompted and then log on using the Domain Administrator account - (<code class="constant">root</code>). - </p></li><li class="step" title="Step 3"><p> - Verify <code class="constant">DIAMOND</code> is visible in <span class="guimenu">My Network Places</span>, - that it is possible to connect to it and see the shares <span class="guimenuitem">accounts</span>, - <span class="guimenuitem">apps</span>, and <span class="guimenuitem">finsvcs</span>, and that it is - possible to open each share to reveal its contents. - </p></li><li class="step" title="Step 4"><p> - Create a drive mapping to the <code class="constant">apps</code> share on the server <code class="constant">DIAMOND</code>. - </p></li><li class="step" title="Step 5"><p> - Perform an administrative installation of each application to be used. Select the options - that you wish to use. Of course, you can choose to run applications over the network, correct? - </p></li><li class="step" title="Step 6"><p> - Now install all applications to be installed locally. Typical tools include Adobe Acrobat, - NTP-based time synchronization software, drivers for specific local devices such as fingerprint - scanners, and the like. Probably the most significant application for local installation - is antivirus software. - </p></li><li class="step" title="Step 7"><p> - Now install all four printers onto the staging system. The printers you install - include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will - also configure identical printers that are located in the financial services department. - Install printers on each machine following the steps shown in the Windows client printer - preparation procedure below. 
- </p></li><li class="step" title="Step 8"><p> - <a class="indexterm" name="id335222"></a> - When you are satisfied that the staging systems are complete, use the appropriate procedure to - remove the client from the domain. Reboot the system and then log on as the local administrator - and clean out all temporary files stored on the system. Before shutting down, use the disk - defragmentation tool so that the file system is in optimal condition before replication. - </p></li><li class="step" title="Step 9"><p> - Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the - machine to a network share on the server. - </p></li><li class="step" title="Step 10"><p> - <a class="indexterm" name="id335246"></a> - <a class="indexterm" name="id335256"></a> - You may now replicate the image to the target machines using the appropriate Norton Ghost - procedure. Make sure to use the procedure that ensures each machine has a unique - Windows security identifier (SID). When the installation of the disk image has completed, boot the PC. - </p></li><li class="step" title="Step 11"><p> - Log on to the machine as the local Administrator (the only option), and join the machine to - the Domain, following the procedure set out in <a class="link" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">“Joining a Domain: Windows 200x/XP Professional”</a>. The system is now - ready for the user to log on, provided you have created a network logon account for that - user, of course. - </p></li><li class="step" title="Step 12"><p> - Instruct all users to log on to the workstation using their assigned username and password. - </p></li></ol></div><div class="procedure" title="Procedure 3.7. Windows Client Printer Preparation Procedure"><a name="sbewinclntptrprep"></a><p class="title"><b>Procedure 3.7. 
Windows Client Printer Preparation Procedure</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> - Click <span class="guimenu">Start</span> → <span class="guimenuitem">Settings</span> → <span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>. - Ensure that <span class="guimenuitem">Local printer</span> is selected. - </p></li><li class="step" title="Step 2"><p> - Click <span class="guibutton">Next</span>. In the - <span class="guimenuitem">Manufacturer:</span> panel, select <code class="constant">HP</code>. - In the <span class="guimenuitem">Printers:</span> panel, select the printer called - <code class="constant">HP LaserJet 6</code>. Click <span class="guibutton">Next</span>. - </p></li><li class="step" title="Step 3"><p> - In the <span class="guimenuitem">Available ports:</span> panel, select - <code class="constant">FILE:</code>. Accept the default printer name by clicking - <span class="guibutton">Next</span>. When asked, <span class="quote">“<span class="quote">Would you like to print a - test page?,</span>”</span> click <span class="guimenuitem">No</span>. Click - <span class="guibutton">Finish</span>. - </p></li><li class="step" title="Step 4"><p> - You may be prompted for the name of a file to print to. If so, close the - dialog panel. Right-click <span class="guiicon">HP LaserJet 6</span> → <span class="guimenuitem">Properties</span> → <span class="guisubmenu">Details (Tab)</span> → <span class="guimenuitem">Add Port</span>. - </p></li><li class="step" title="Step 5"><p> - In the <span class="guimenuitem">Network</span> panel, enter the name of - the print queue on the Samba server as follows: <code class="constant">\\DIAMOND\hplj6a</code>. - Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation. 
- </p></li><li class="step" title="Step 6"><p> - Repeat the printer installation steps above for both HP LaserJet 6 printers - as well as for both QMS Magicolor laser printers. - </p></li></ol></div></div><div class="sect2" title="Key Points Learned"><div class="titlepage"><div><div><h3 class="title"><a name="id335513"></a>Key Points Learned</h3></div></div></div><p> - How do you feel? You have built a capable network, a truly ambitious project. - Future network updates can be handled by - your staff. You must be a satisfied manager. Let's review the achievements. - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> - A simple firewall has been configured to protect the server in the event that - the ISP firewall service should fail. - </p></li><li class="listitem"><p> - The Samba configuration uses measures to ensure that only local network users - can connect to SMB/CIFS services. - </p></li><li class="listitem"><p> - Samba uses the new <code class="constant">tdbsam</code> passdb backend facility. - Considerable complexity was added to Samba functionality. - </p></li><li class="listitem"><p> - A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS - server. - </p></li><li class="listitem"><p> - The DNS server was configured to permit DDNS only for local network clients. This - server also provides primary DNS services for the company Internet presence. - </p></li><li class="listitem"><p> - You introduced an application server as well as the concept of cloning a Windows - client in order to effect improved standardization of desktops and to reduce - the costs of network management. - </p></li></ul></div></div></div><div class="sect1" title="Questions and Answers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id335566"></a>Questions and Answers</h2></div></div></div><p> - </p><div class="qandaset" title="Frequently Asked Questions"><a name="id335576"></a><dl><dt>1. 
<a href="secure.html#id335582"> - What is the maximum number of account entries that the tdbsam - passdb backend can handle? - </a></dt><dt>2. <a href="secure.html#id335635"> - Would Samba operate any better if the OS level is set to a value higher than 35? - </a></dt><dt>3. <a href="secure.html#id335654"> - Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups? - </a></dt><dt>4. <a href="secure.html#id335674"> - Why has a path been specified in the IPC$ share? - </a></dt><dt>5. <a href="secure.html#id335699"> - Why does the smb.conf file in this exercise include an entry for smb ports? - </a></dt><dt>6. <a href="secure.html#id335740"> - What is the difference between a print queue and a printer? - </a></dt><dt>7. <a href="secure.html#id335768"> - Can all MS Windows application software be installed onto an application server share? - </a></dt><dt>8. <a href="secure.html#id335788"> - Why use dynamic DNS (DDNS)? - </a></dt><dt>9. <a href="secure.html#id335807"> - Why would you use WINS as well as DNS-based name resolution? - </a></dt><dt>10. <a href="secure.html#id335876"> - What are the major benefits of using an application server? - </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%"><col><tbody><tr class="question" title="1."><td align="left" valign="top"><a name="id335582"></a><a name="id335584"></a><p><b>1.</b></p></td><td align="left" valign="top"><p> - What is the maximum number of account entries that the <em class="parameter"><code>tdbsam</code></em> - passdb backend can handle? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - The tdb data structure and support system can handle more entries than the number of - accounts that are possible on most UNIX systems. A practical limit would come into - play long before a performance boundary would be anticipated. 
That practical limit - is controlled by the nature of Windows networking. There are few Windows file and - print servers that can handle more than a few hundred concurrent client connections. - The key limiting factors that predicate offloading of services to additional servers - are memory capacity, the number of CPUs, network bandwidth, and disk I/O limitations. - All of these are readily exhausted by just a few hundred concurrent active users. - Such bottlenecks can best be removed by segmentation of the network (distributing - network load across multiple networks). - </p><p> - As the network grows, it becomes necessary to provide additional authentication - servers (domain controllers). The tdbsam is limited to a single machine and cannot - be reliably replicated. This means that practical limits on network design dictate - the point at which a distributed passdb backend is required; at this time, there is - no real alternative other than ldapsam (LDAP). - </p><p> - The guideline provided in <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 10, Section 10.1.2, - is to limit the number of accounts in the tdbsam backend to 250. This is the point - at which most networks tend to want backup domain controllers (BDCs). Samba-3 does - not provide a mechanism for replicating tdbsam data so it can be used by a BDC. The - limitation of 250 users per tdbsam is predicated only on the need for replication, - not on the limits<sup>[<a name="id335626" href="#ftn.id335626" class="footnote">8</a>]</sup> of the tdbsam backend itself. - </p></td></tr><tr class="question" title="2."><td align="left" valign="top"><a name="id335635"></a><a name="id335637"></a><p><b>2.</b></p></td><td align="left" valign="top"><p> - Would Samba operate any better if the OS level is set to a value higher than 35? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - No. MS Windows workstations and servers do not use a value higher than 33. 
Setting this to a value - of 35 already assures Samba of precedence over MS Windows products in browser elections. There is - no gain to be had from setting this higher. - </p></td></tr><tr class="question" title="3."><td align="left" valign="top"><a name="id335654"></a><a name="id335656"></a><p><b>3.</b></p></td><td align="left" valign="top"><p> - Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at - a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special - Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups. - </p></td></tr><tr class="question" title="4."><td align="left" valign="top"><a name="id335674"></a><a name="id335676"></a><p><b>4.</b></p></td><td align="left" valign="top"><p> - Why has a path been specified in the <em class="parameter"><code>IPC$</code></em> share? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - This is done so that in the event that a software bug may permit a client connection to the IPC$ share to - obtain access to the file system, it does so at a location that presents least risk. Under normal operation - this type of paranoid step should not be necessary. The use of this parameter should not be necessary. - </p></td></tr><tr class="question" title="5."><td align="left" valign="top"><a name="id335699"></a><a name="id335701"></a><p><b>5.</b></p></td><td align="left" valign="top"><p> - Why does the <code class="filename">smb.conf</code> file in this exercise include an entry for <a class="link" href="smb.conf.5.html#SMBPORTS" target="_top">smb ports</a>? 
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port - used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS - over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By - specifying the use of only port 139, the intent is to reduce unsuccessful service connection attempts. - The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain - member, the default behavior is highly beneficial and should not be changed. - </p></td></tr><tr class="question" title="6."><td align="left" valign="top"><a name="id335740"></a><a name="id335742"></a><p><b>6.</b></p></td><td align="left" valign="top"><p> - What is the difference between a print queue and a printer? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - A printer is a physical device that is connected either directly to the network or to a computer - via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a - hard copy printout. Network-attached printers that use TCP/IP-based printing generally accept a - single print data stream and block all secondary attempts to dispatch jobs concurrently to the - same device. If many clients were to concurrently print directly via TCP/IP to the same printer, - it would result in a huge amount of network traffic through continually failing connection attempts. - </p><p> - A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or - print requests. 
When the data stream has been fully received, the input stream is closed, - and the job is then submitted to a sequential print queue where the job is stored until - the printer is ready to receive the job. - </p></td></tr><tr class="question" title="7."><td align="left" valign="top"><a name="id335768"></a><a name="id335770"></a><p><b>7.</b></p></td><td align="left" valign="top"><p> - Can all MS Windows application software be installed onto an application server share? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - Much older Windows software is not compatible with installation to and execution from - an application server. Enterprise versions of Microsoft Office XP Professional can - be installed to an application server. Retail consumer versions of Microsoft Office XP - Professional do not permit installation to an application server share and can be installed - and used only to/from a local workstation hard disk. - </p></td></tr><tr class="question" title="8."><td align="left" valign="top"><a name="id335788"></a><a name="id335791"></a><p><b>8.</b></p></td><td align="left" valign="top"><p> - Why use dynamic DNS (DDNS)? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - When DDNS records are updated directly from the DHCP server, it is possible for - network clients that are not NetBIOS-enabled, and thus cannot use WINS, to locate - Windows clients via DNS. - </p></td></tr><tr class="question" title="9."><td align="left" valign="top"><a name="id335807"></a><a name="id335809"></a><p><b>9.</b></p></td><td align="left" valign="top"><p> - Why would you use WINS as well as DNS-based name resolution? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). 
The FQDN is - a name like <span class="quote">“<span class="quote">myhost.mydomain.tld</span>”</span> where <em class="parameter"><code>tld</code></em> - means <code class="constant">top-level domain</code>. A FQDN is a longhand but easy-to-remember - expression that may be up to 1024 characters in length and that represents an IP address. - A NetBIOS name is always 16 characters long. The 16<sup>th</sup> character - is a name type indicator. A specific name type is registered<sup>[<a name="id335840" href="#ftn.id335840" class="footnote">9</a>]</sup> for each - type of service that is provided by the Windows server or client and that may be registered - where a WINS server is in use. - </p><p> - WINS is a mechanism by which a client may locate the IP Address that corresponds to a - NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name - that includes a particular registered NetBIOS name type. DNS does not provide a mechanism - that permits handling of the NetBIOS name type information. - </p><p> - DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular - hostname or service name that has been registered in the DNS database for a particular domain. - A DNS server has limited scope of control and is said to be authoritative for the zone over - which it has control. - </p><p> - Windows 200x Active Directory requires the registration in the DNS zone for the domain it - controls of service locator<sup>[<a name="id335866" href="#ftn.id335866" class="footnote">10</a>]</sup> records - that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also - requires the registration of special records that are called global catalog (GC) entries - and site entries by which domain controllers and other essential ADS servers may be located. 
- </p></td></tr><tr class="question" title="10."><td align="left" valign="top"><a name="id335876"></a><a name="id335879"></a><p><b>10.</b></p></td><td align="left" valign="top"><p> - What are the major benefits of using an application server? - </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> - The use of an application server can significantly reduce application update maintenance. - By providing a centralized application share, software updates need be applied to only - one location for all major applications used. This results in faster update roll-outs and - significantly better application usage control. - </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id331045" href="#id331045" class="para">5</a>] </sup>See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 3. - This is necessary so that Samba can act as a Domain Controller (PDC); see - <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 4, for additional information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id331388" href="#id331388" class="para">6</a>] </sup>You may want to do the echo command last and include - "0" in the init scripts, since it opens up your network for a short time.</p></div><div class="footnote"><p><sup>[<a name="ftn.id334598" href="#id334598" class="para">7</a>] </sup>For more information regarding winbindd, see <span class="emphasis"><em>TOSHARG2</em></span>, - Chapter 23, Section 23.3. The single instance of <code class="literal">smbd</code> is normal. One additional - <code class="literal">smbd</code> slave process is spawned for each SMB/CIFS client - connection.</p></div><div class="footnote"><p><sup>[<a name="ftn.id335626" href="#id335626" class="para">8</a>] </sup>Bench tests have shown that tdbsam is a very - effective database technology. 
There is surprisingly little performance loss even - with over 4000 users.</p></div><div class="footnote"><p><sup>[<a name="ftn.id335840" href="#id335840" class="para">9</a>] </sup> - See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9, for more information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id335866" href="#id335866" class="para">10</a>] </sup>See TOSHARG2, Chapter 9, Section 9.3.3.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="small.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Big500users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. Small Office Networking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. The 500-User Office</td></tr></table></div></body></html> |
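Review bot: no replacement or pointer to the regenerated output is given anywhere in this hunk, yet it removes the whole rendered chapter, including the Step 11 validation guidance (run a port scan before starting the firewall and repeat it afterwards, with the two nmap listings showing the externally reachable services shrink from fifteen open ports, among them samba-swat on 901 and X11 on 6000, to only ssh and domain) and the Q&A entries explaining the IPC$ path and smb ports settings. If docs/htmldocs is being dropped because it is generated from the DocBook source, the commit should say so and confirm that secure.html is still built and published elsewhere; if the chapter is being retired, the Key Points list (local-only SMB/CIFS access, tdbsam backend, DDNS restricted to local clients, the fallback firewall) should be carried into whichever chapter replaces it so the before/after firewall check does not disappear with the file.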