1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
4 <title>Making Happy Users</title>
7 It is said that <quote>a day that is without troubles is not fulfilling. Rather, give
8 me a day of troubles well handled so that I can be content with my achievements.</quote>
12 In the world of computer networks, problems are as varied as the people who create them
13 or experience them. The design of the network implemented in <link linkend="Big500users"/>
14 may create problems for some network users. The following lists some of the problems that
18 <indexterm><primary>PDC</primary></indexterm>
19 <indexterm><primary>network bandwidth</primary><secondary>utilization</secondary></indexterm>
20 <indexterm><primary>BDC</primary></indexterm>
21 <indexterm><primary>user account</primary></indexterm>
22 <indexterm><primary>PDC/BDC ratio</primary></indexterm>
24 A significant number of network administrators have responded to the guidance given
25 here. It should be noted that there are sites that have a single PDC for many hundreds of
26 concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
27 are among the factors that determine the maximum number of Windows clients that
28 can be served by a single domain controller (PDC or BDC) on a network segment. It is possible
29 to operate with only a single PDC over a routed network. What is possible is not necessarily
30 <emphasis>best practice</emphasis>. When Windows client network logons begin to fail with
31 the message that the domain controller cannot be found or that the user account cannot
32 be found (when you know it exists), that may be an indication that the domain controller is
33 overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows
34 clients is conservative and if followed will minimize problems &smbmdash; but it is not absolute.
39 <term>Users experiencing difficulty logging onto the network</term>
41 <indexterm><primary>network</primary><secondary>logon</secondary></indexterm>
42 <indexterm><primary>multiple domain controllers</primary></indexterm>
43 When a Windows client logs onto the network, many data packets are exchanged
44 between the client and the server that is providing the network logon services.
45 Each request between the client and the server must complete within a specific
46 time limit. This is one of the primary factors that govern the installation of
47 multiple domain controllers (usually called secondary or backup controllers).
48 As a rough rule, there should be one such backup controller for every
49 30 to 150 clients. The actual limits are determined by network operational
54 If the domain controller provides only network logon services
55 and all file and print activity is handled by domain member servers, one domain
56 controller per 150 clients on a single network segment may suffice. In any
57 case, it is highly recommended to have a minimum of one domain controller (PDC or BDC)
58 per network segment. It is better to have at least one BDC on the network
59 segment that has a PDC. If the domain controller is also used as a file and
60 print server, the number of clients it can service reliably is reduced,
61 and a common rule is not to exceed 30 machines (Windows workstations plus
62 domain member servers) per domain controller.
67 <term>Slow logons and log-offs</term>
69 <indexterm><primary>slow logon</primary></indexterm>
70 Slow logons and log-offs may be caused by many factors that include:
74 <indexterm><primary>NetBIOS</primary><secondary>name resolution</secondary><tertiary>delays</tertiary></indexterm>
75 <indexterm><primary>WINS</primary><secondary>server</secondary></indexterm>
76 Excessive delays in the resolution of a NetBIOS name to its IP
77 address. This may be observed when an overloaded domain controller
78 is also the WINS server. Another cause may be the failure to use
79 a WINS server (this assumes that there is a single network segment).
83 <indexterm><primary>traffic collisions</primary></indexterm>
84 <indexterm><primary>HUB</primary></indexterm>
85 <indexterm><primary>ethernet switch</primary></indexterm>
86 Network traffic collisions due to overloading of the network
87 segment. One short-term workaround to this may be to replace
88 network HUBs with Ethernet switches.
92 <indexterm><primary>networking hardware</primary><secondary>defective</secondary></indexterm>
93 Defective networking hardware. Over the past few years, we have seen
94 on the Samba mailing list a significant increase in the number of
95 problems that were traced to a defective network interface controller,
96 a defective HUB or Ethernet switch, or defective cabling. In most cases,
97 it was the erratic nature of the problem that ultimately pointed to
98 the cause of the problem.
102 <indexterm><primary>profile</primary><secondary>roaming</secondary></indexterm>
103 <indexterm><primary>MS Outlook</primary><secondary>PST file</secondary></indexterm>
104 Excessively large roaming profiles. This type of problem is typically
105 the result of poor user education as well as poor network management.
106 It can be avoided by users not storing huge quantities of email in
107 MS Outlook PST files as well as by not storing files on the desktop.
108 These are old bad habits that require much discipline and vigilance
109 on the part of network management.
113 <indexterm><primary>WebClient</primary></indexterm>
114 You should verify that the Windows XP WebClient service is not running.
115 The use of the WebClient service has been implicated in many Windows
116 networking-related problems.
123 <term>Loss of access to network drives and printer resources</term>
125 Loss of access to network resources during client operation may be caused by a number
126 of factors, including:
131 <indexterm><primary>network</primary><secondary>overload</secondary></indexterm>
132 Network overload (typically indicated by a high network collision rate)
140 <indexterm><primary>network</primary><secondary>timeout</secondary></indexterm>
141 Timeout causing the client to close a connection that is in use but has
142 been latent (no traffic) for some time (5 minutes or more)
146 <indexterm><primary>network hardware</primary><secondary>defective</secondary></indexterm>
147 Defective networking hardware
152 <indexterm><primary>data</primary><secondary>corruption</secondary></indexterm>
153 No matter what the cause, a sudden loss of access to network resources can
154 result in BSOD (blue screen of death) situations that necessitate rebooting of the client
155 workstation. In the case of a mild problem, retrying to access the network drive of the printer
156 may restore operations, but in any case this is a serious problem that may lead to the next
157 problem, data corruption.
162 <term>Potential data corruption</term>
164 <indexterm><primary>data</primary><secondary>corruption</secondary></indexterm>
165 Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
166 frustration, and generally precipitates immediate corrective demands. Management response
167 to this type of problem may be rational, as well as highly irrational. There have been
168 cases where management has fired network staff for permitting this situation to occur without
169 immediate correction. There have been situations where perfectly functional hardware was thrown
170 out and replaced, only to find the problem caused by a low-cost network hardware item. There
171 have been cases where server operating systems were replaced, or where Samba was updated,
172 only to later isolate the problem due to defective client software.
178 In this chapter, you can work through a number of measures that significantly arm you to
179 anticipate and combat network performance issues. You can work through complex and thorny
180 methods to improve the reliability of your network environment, but be warned that all such steps
181 demand the price of complexity.
185 <title>Regarding LDAP Directories and Windows Computer Accounts</title>
188 <indexterm><primary>LDAP</primary><secondary>directory</secondary></indexterm>
189 Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some
190 constraints that are described in this section.
194 <indexterm><primary>POSIX</primary></indexterm>
195 <indexterm><primary>SambaSAMAccount</primary></indexterm>
196 <indexterm><primary>machine account</primary></indexterm>
197 <indexterm><primary>trust account</primary></indexterm>
198 The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
199 That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
200 them. A user account and a machine account are indistinguishable from each other, except that
201 the machine account ends in a $ character, as do trust accounts.
205 <indexterm><primary>account</primary></indexterm>
206 <indexterm><primary>UID</primary></indexterm>
207 The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID
208 is a design decision that was made a long way back in the history of Samba development. It is
209 unlikely that this decision will be reversed or changed during the remaining life of the
214 <indexterm><primary>SID</primary></indexterm>
215 <indexterm><primary>NSS</primary></indexterm>
216 The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
217 must refer back to the host operating system on which Samba is running. The name service
218 switch (NSS) is the preferred mechanism that shields applications (like Samba) from the
219 need to know everything about every host OS it runs on.
223 Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote>
224 and <quote>group</quote> facilities in the NSS control (configuration) file. The best tool
225 for achieving this is left up to the UNIX administrator to determine. It is not imposed by
226 Samba. Samba provides winbindd together with its support libraries as one method. It is
227 possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
228 all account entities can be located in an LDAP directory.
232 <indexterm><primary>nss_ldap</primary></indexterm>
233 For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
234 be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
235 is fundamentally an LDAP design question. The information provided on the Samba list and
236 in the documentation is directed at providing working examples only. The design
237 of an LDAP directory is a complex subject that is beyond the scope of this documentation.
244 <title>Introduction</title>
247 You just opened an email from Christine that reads:
252 <blockquote><attribution>Christine</attribution><para>
253 A few months ago we sat down to design the network. We discussed the challenges ahead and we all
254 agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
255 that we would have some time to resolve any issues that might be encountered.
259 As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them
260 resigned yesterday afternoon because she was under duress to complete some critical projects. She
261 suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
262 of which was lost. She has a unique requirement that involves storing large files on her desktop.
263 Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it
264 takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
265 network logon traffic passes over the network links between our buildings, logging on may take
266 three or four attempts due to blue screen problems associated with network timeouts.
270 A few of us worked to help her out of trouble. We convinced her to stay and promised to fully
271 resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard
272 limits on what our users can do with their desktops. Otherwise, we face staff losses
273 that can surely do harm to our growth as well as to staff morale. I am sure we can better deal
274 with the consequences of what we know we must do than we can with the unrest we have now.
278 Stan and I have discussed the current situation. We are resolved to help our users and protect
279 the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
280 regain control of our vital IT operations.
285 <indexterm><primary>compromise</primary></indexterm>
286 <indexterm><primary>network</primary><secondary>multi-segment</secondary></indexterm>
287 Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a
288 single domain controller is a poor design that has obvious operational effects that may
289 frustrate users. Here is your reply:
292 <blockquote><attribution>Bob</attribution><para>
293 Christine, Your diligence and attention to detail are much valued. Stan and I fully support your
294 proposals to resolve the issues. I am confident that your plans fully realized will significantly
295 boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
296 Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
297 for approval; I appreciate the urgency.
301 <title>Assignment Tasks</title>
304 The priority of assigned tasks in this chapter is:
309 <indexterm><primary>Backup Domain Controller</primary><see>BDC</see></indexterm>
310 <indexterm><primary>BDC</primary></indexterm>
311 <indexterm><primary>tdbsam</primary></indexterm>
312 <indexterm><primary>LDAP</primary></indexterm><indexterm><primary>migration</primary></indexterm>
313 Implement Backup Domain Controllers (BDCs) in each building. This involves
314 a change from a <emphasis>tdbsam</emphasis> backend that was used in the previous
315 chapter to an LDAP-based backend.
319 You can implement a single central LDAP server for this purpose.
323 <indexterm><primary>logon time</primary></indexterm>
324 <indexterm><primary>network share</primary></indexterm>
325 <indexterm><primary>default profile</primary></indexterm>
326 <indexterm><primary>profile</primary><secondary>default</secondary></indexterm>
327 Rectify the problem of excessive logon times. This involves redirection of
328 folders to network shares as well as modification of all user desktops to
329 exclude the redirected folders from being loaded at login time. You can also
330 create a new default profile that can be used for all new users.
335 <indexterm><primary>disk image</primary></indexterm>
336 You configure a new MS Windows XP Professional workstation disk image that you roll out
337 to all desktop users. The instructions you have created are followed on a staging machine
338 from which all changes can be carefully tested before inflicting them on your network users.
342 <indexterm><primary>CUPS</primary></indexterm>
343 This is the last network example in which specific mention of printing is made. The example
344 again makes use of the CUPS printing system.
352 <title>Dissection and Discussion</title>
355 <indexterm><primary>BDC</primary></indexterm>
356 <indexterm><primary>LDAP</primary></indexterm>
357 <indexterm><primary>OpenLDAP</primary></indexterm>
358 The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
359 For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
360 LDAP servers in current use with Samba-3 include:
365 <indexterm><primary>eDirectory</primary></indexterm>
366 Novell <ulink url="http://www.novell.com/products/edirectory/">eDirectory</ulink>
367 is being successfully used by some sites. Information on how to use eDirectory can be
368 obtained from the Samba mailing lists or from Novell.
372 <indexterm><primary>Tivoli Directory Server</primary></indexterm>
373 IBM <ulink url="http://www-306.ibm.com/software/tivoli/products/directory-server/">Tivoli
374 Directory Server</ulink> can be used to provide the Samba LDAP backend. Example schema
375 files are provided in the Samba source code tarball under the directory
376 <filename>~samba/example/LDAP.</filename>
380 <indexterm><primary>Sun ONE Identity Server</primary></indexterm>
381 Sun <ulink url="http://www.sun.com/software/sunone/identity/index.html">ONE Identity
382 Server product suite</ulink> provides an LDAP server that can be used for Samba.
383 Example schema files are provided in the Samba source code tarball under the directory
384 <filename>~samba/example/LDAP.</filename>
389 A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial
390 offerings, it requires that you manually edit the server configuration files and manually
391 initialize the LDAP directory database. OpenLDAP itself has only command-line tools to
392 help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
396 <indexterm><primary>Active Directory</primary></indexterm>
397 For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
398 adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include
399 GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
400 requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
404 <indexterm><primary>Identity Management</primary></indexterm>
405 <indexterm><primary>high availability</primary></indexterm>
406 <indexterm><primary>directory</primary><secondary>replication</secondary></indexterm>
407 <indexterm><primary>directory</primary><secondary>synchronization</secondary></indexterm>
408 <indexterm><primary>performance</primary></indexterm>
409 <indexterm><primary>directory</primary><secondary>management</secondary></indexterm>
410 <indexterm><primary>directory</primary><secondary>schema</secondary></indexterm>
411 When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
412 High availability operation may be obtained through directory replication/synchronization and
413 master/slave server configurations. OpenLDAP is a mature platform to host the organizational
414 directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more.
415 The price paid through learning how to design an LDAP directory schema in implementation and configuration
416 of management tools is well rewarded by performance and flexibility and the freedom to manage directory
417 contents with greater ability to back up, restore, and modify the directory than is generally possible
418 with Microsoft Active Directory.
422 <indexterm><primary>comparison</primary><secondary>Active Directory & OpenLDAP</secondary></indexterm>
423 <indexterm><primary>ADAM</primary></indexterm>
424 <indexterm><primary>Active Directory</primary></indexterm>
425 <indexterm><primary>OpenLDAP</primary></indexterm>
426 A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
427 tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured
428 for a specific task orientation. It comes with a set of administrative tools that is entirely customized
429 for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
430 server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
431 who wants to build a custom directory solution. Microsoft provides an application called
432 <ulink url="http://www.microsoft.com/windowsserver2003/adam/default.mspx">
433 MS ADAM</ulink> that provides more generic LDAP services, yet it does not have the vanilla-like services
438 <indexterm><primary>directory</primary><secondary>schema</secondary></indexterm>
439 <indexterm><primary>passdb backend</primary></indexterm>
440 You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
441 if you find the challenge of learning about LDAP directories, schemas, configuration, and management
442 tools and the creation of shell and Perl scripts a bit
443 challenging. OpenLDAP can be easily customized, though it includes
444 many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
445 that is required for use as a passdb backend.
449 <indexterm><primary>interoperability</primary></indexterm>
450 For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
451 there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
452 The Web-based tools you might like to consider include the
453 <ulink url="http://lam.sourceforge.net/">LDAP Account Manager</ulink> (LAM) and the Webmin-based
454 <ulink url="http://www.webmin.com">Webmin</ulink> Idealx
455 <ulink url="http://webmin.idealx.org/index.en.html">CGI tools</ulink>.
459 Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of
460 these, so it may be useful to them:
461 <ulink url="http://biot.com/gq">GQ</ulink>, a GTK-based LDAP browser;
462 LDAP <ulink url="http://www.iit.edu/~gawojar/ldap/">Browser/Editor</ulink>
463 <ulink url="http://www.jxplorer.org/">; JXplorer</ulink> (by Computer Associates);
464 and <ulink url="http://phpldapadmin.sourceforge.net/">phpLDAPadmin</ulink>.
468 The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
469 security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
470 is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
471 LDAP before attempting to deploy it in a business-critical environment.
475 Information to help you get started with OpenLDAP is available from the
476 <ulink url="http://www.openldap.org/pub/">OpenLDAP web site</ulink>. Many people have found the book
477 <ulink url="http://www.booksense.com/product/info.jsp?isbn=1565924916"><emphasis>LDAP System Administration</emphasis>,</ulink>
478 by Jerry Carter quite useful.
482 <indexterm><primary>BDC</primary></indexterm>
483 <indexterm><primary>network</primary><secondary>segment</secondary></indexterm>
484 <indexterm><primary>performance</primary></indexterm>
485 <indexterm><primary>network</primary><secondary>wide-area</secondary></indexterm>
486 Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
487 main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
488 be loaded over the WAN connection. The addition of BDCs on each network segment significantly
489 improves overall network performance for most users, but it is not enough. You must gain control over
490 user desktops, and this must be done in a way that wins their support and does not cause further loss of
491 staff morale. The following procedures solve this problem.
495 <indexterm><primary>smart printing</primary></indexterm>
496 There is also an opportunity to implement smart printing features. You add this to the Samba configuration
497 so that future printer changes can be managed without need to change desktop configurations.
501 You add the ability to automatically download new printer drivers, even if they are not installed
502 in the default desktop profile. Only one example of printing configuration is given. It is assumed that
503 you can extrapolate the principles and use them to install all printers that may be needed.
507 <title>Technical Issues</title>
510 <indexterm><primary>identity</primary><secondary>management</secondary></indexterm>
511 <indexterm><primary>directory</primary><secondary>server</secondary></indexterm>
512 <indexterm><primary>Posix</primary></indexterm>
513 The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
514 server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
515 accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account
516 attributes Samba needs. Samba-3 can use the LDAP backend to store:
520 <listitem><para>Windows Networking User Accounts</para></listitem>
521 <listitem><para>Windows NT Group Accounts</para></listitem>
522 <listitem><para>Mapping Information between UNIX Groups and Windows NT Groups</para></listitem>
523 <listitem><para>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</para></listitem>
527 <indexterm><primary>UNIX accounts</primary></indexterm>
528 <indexterm><primary>Windows accounts</primary></indexterm>
529 <indexterm><primary>PADL LDAP tools</primary></indexterm>
530 <indexterm><primary>/etc/group</primary></indexterm>
531 <indexterm><primary>LDAP</primary></indexterm>
532 <indexterm><primary>name service switch</primary><see>NSS</see></indexterm>
533 <indexterm><primary>NSS</primary></indexterm>
534 <indexterm><primary>UID</primary></indexterm>
535 <indexterm><primary>nss_ldap</primary></indexterm>
536 The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
537 accounts in the LDAP backend. This implies the need to use the
538 <ulink url="http://www.padl.com/Contents/OpenSourceSoftware.html">PADL LDAP tools</ulink>. The resolution
539 of the UNIX group name to its GID must be enabled from either the <filename>/etc/group</filename>
540 or from the LDAP backend. This requires the use of the PADL <filename>nss_ldap</filename> tool-set
541 that integrates with the NSS. The same requirements exist for resolution
542 of the UNIX username to the UID. The relationships are demonstrated in <link linkend="sbehap-LDAPdiag"/>.
545 <figure id="sbehap-LDAPdiag">
546 <title>The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</title>
547 <imagefile scale="50">UNIX-Samba-and-LDAP</imagefile>
551 <indexterm><primary>security</primary></indexterm>
552 <indexterm><primary>LDAP</primary><secondary>secure</secondary></indexterm>
553 You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
554 ought to learn how to configure secure communications over LDAP so that site security is not
555 at risk. This is not covered in the following guidance.
559 <indexterm><primary>PDC</primary></indexterm>
560 <indexterm><primary>LDAP Interchange Format</primary><see>LDIF</see></indexterm>
561 <indexterm><primary>LDIF</primary></indexterm>
562 <indexterm><primary>secrets.tdb</primary></indexterm>
563 When OpenLDAP has been made operative, you configure the PDC called <constant>MASSIVE</constant>.
564 You initialize the Samba <filename>secrets.tdb<subscript></subscript></filename> file. Then you
565 create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.
566 You need to decide how best to create user and group accounts. A few hints are, of course, provided.
567 You can also find on the enclosed CD-ROM, in the <filename>Chap06</filename> directory, a few tools
568 that help to manage user and group configuration.
572 <indexterm><primary>folder redirection</primary></indexterm>
573 <indexterm><primary>default profile</primary></indexterm>
574 <indexterm><primary>roaming profile</primary></indexterm>
575 In order to effect folder redirection and to add robustness to the implementation,
576 create a network default profile. All network users workstations are configured to use
577 the new profile. Roaming profiles will automatically be deleted from the workstation
578 when the user logs off.
582 <indexterm><primary>mandatory profile</primary></indexterm>
583 The profile is configured so that users cannot change the appearance
584 of their desktop. This is known as a mandatory profile. You make certain that users
585 are able to use their computers efficiently.
589 <indexterm><primary>logon script</primary></indexterm>
590 A network logon script is used to deliver flexible but consistent network drive
594 <sect3 id="sbehap-ppc">
595 <title>Addition of Machines to the Domain</title>
598 <indexterm><primary></primary></indexterm>
599 <indexterm><primary></primary></indexterm>
600 <indexterm><primary></primary></indexterm>
601 <indexterm><primary></primary></indexterm>
602 Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
603 that maps to the UNIX UID=0. The UNIX operating system permits only the <constant>root</constant>
604 user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
605 <constant>Privileges</constant>, which provides five new privileges that
606 can be assigned to users and/or groups; see Table 5.1.
610 <table id="sbehap-privs">
611 <title>Current Privilege Capabilities</title>
613 <colspec align="left"/>
614 <colspec align="left"/>
617 <entry align="left">Privilege</entry>
618 <entry align="left">Description</entry>
623 <entry><para>SeMachineAccountPrivilege</para></entry>
624 <entry><para>Add machines to domain</para></entry>
627 <entry><para>SePrintOperatorPrivilege</para></entry>
628 <entry><para>Manage printers</para></entry>
631 <entry><para>SeAddUsersPrivilege</para></entry>
632 <entry><para>Add users and groups to the domain</para></entry>
635 <entry><para>SeRemoteShutdownPrivilege</para></entry>
636 <entry><para>Force shutdown from a remote system</para></entry>
639 <entry><para>SeDiskOperatorPrivilege</para></entry>
640 <entry><para>Manage disk share</para></entry>
647 In this network example use is made of one of the supported privileges purely to demonstrate
648 how any user can now be given the ability to add machines to the domain using a normal user account
649 that has been given the appropriate privileges.
655 <title>Roaming Profile Background</title>
658 As XP roaming profiles grow, so does the amount of time it takes to log in and out.
662 <indexterm><primary>roaming profile</primary></indexterm>
663 <indexterm><primary>HKEY_CURRENT_USER</primary></indexterm>
664 <indexterm><primary>NTUSER.DAT</primary></indexterm>
665 <indexterm><primary>%USERNAME%</primary></indexterm>
666 An XP roaming profile consists of the <constant>HKEY_CURRENT_USER</constant> hive file
667 <filename>NTUSER.DAT</filename> and a number of folders (My Documents, Application Data,
668 Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
669 network with the default configuration of MS Windows NT/200x/XPP, all this data is
670 copied to the local machine under the <filename>C:\Documents and Settings\%USERNAME%</filename>
671 directory. While the user is logged in, any changes made to any of these folders or to the
672 <constant>HKEY_CURRENT_USER</constant> branch of the registry are made to the local copy
673 of the profile. At logout the profile data is copied back to the server. This behavior
674 can be changed through appropriate registry changes and/or through changes to the default
675 user profile. In the latter case, it updates the registry with the values that are set in the
676 profile <filename>NTUSER.DAT</filename>
681 The first challenge is to reduce the amount of data that must be transferred to and
682 from the profile server as roaming profiles are processed. This includes removing
683 all the shortcuts in the Recent directory, making sure the cache used by the Web browser
684 is not being dumped into the <filename>Application Data</filename> folder, removing the
685 Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the
686 user to not place large files on the desktop and to use his or her mapped home directory
687 instead of the <filename>My Documents</filename> folder for saving documents.
691 <indexterm><primary>My Documents</primary></indexterm>
692 Using a folder other than <filename>My Documents</filename> is a nuisance for
693 some users, since many applications use it by default.
697 <indexterm><primary>roaming profiles</primary></indexterm>
698 <indexterm><primary>Local Group Policy</primary></indexterm>
699 <indexterm><primary>NTUSER.DAT</primary></indexterm>
700 The secret to rapid loading of roaming profiles is to prevent unnecessary data from
701 being copied back and forth, without losing any functionality. This is not difficult;
702 it can be done by making changes to the Local Group Policy on each client as well
703 as changing some paths in each user's <filename>NTUSER.DAT</filename> hive.
707 <indexterm><primary>Network Default Profile</primary></indexterm>
708 <indexterm><primary>redirected folders</primary></indexterm>
709 Every user profile has its own <filename>NTUSER.DAT</filename> file. This means
710 you need to edit every user's profile, unless a better method can be
711 followed. Fortunately, with the right preparations, this is not difficult.
712 It is possible to remove the <filename>NTUSER.DAT</filename> file from each
713 user's profile. Then just create a Network Default Profile. Of course, it is
714 necessary to copy all files from redirected folders to the network share to which
720 <sect3 id="sbehap-locgrppol">
721 <title>The Local Group Policy</title>
724 <indexterm><primary>Group Policy Objects</primary></indexterm>
725 <indexterm><primary>Active Directory</primary></indexterm>
726 <indexterm><primary>PDC</primary></indexterm>
727 <indexterm><primary>Group Policy editor</primary></indexterm>
728 Without an Active Directory PDC, you cannot take full advantage of Group Policy
729 Objects. However, you can still make changes to the Local Group Policy by using
730 the Group Policy editor (<command>gpedit.msc</command>).
734 The <emphasis>Exclude directories in roaming profile</emphasis> settings can
737 <guimenu>User Configuration</guimenu>
738 <guimenuitem>Administrative Templates</guimenuitem>
739 <guimenuitem>System</guimenuitem>
740 <guimenuitem>User Profiles</guimenuitem>
742 By default this setting contains
743 <quote>Local Settings; Temporary Internet Files; History; Temp</quote>.
747 Simply add the folders you do not wish to be copied back and forth to this
748 semicolon-separated list. Note that this change must be made on all clients
749 that are using roaming profiles.
755 <title>Profile Changes</title>
758 <indexterm><primary>NTUSER.DAT</primary></indexterm>
759 <indexterm><primary>%USERNAME%</primary></indexterm>
760 There are two changes that should be done to each user's profile. Move each of
761 the directories that you have excluded from being copied back and forth out of
762 the usual profile path. Modify each user's <filename>NTUSER.DAT</filename> file
763 to point to the new paths that are shared over the network instead of to the default
764 path (<filename>C:\Documents and Settings\%USERNAME%</filename>).
768 <indexterm><primary>Default User</primary></indexterm>
769 <indexterm><primary>regedt32</primary></indexterm>
770 The above modifies existing user profiles. So that newly created profiles have
771 these settings, you need to modify the <filename>NTUSER.DAT</filename> in
772 the <filename>C:\Documents and Settings\Default User</filename> folder on each
773 client machine, changing the same registry keys. You could do this by copying
774 <filename>NTUSER.DAT</filename> to a Linux box and using <command>regedt32</command>.
775 The basic method is described under <link linkend="redirfold"/>.
781 <title>Using a Network Default User Profile</title>
784 <indexterm><primary>NETLOGON</primary></indexterm>
785 <indexterm><primary>NTUSER.DAT</primary></indexterm>
786 If you are using Samba as your PDC, you should create a file share called
787 <constant>NETLOGON</constant> and within that create a directory called
788 <filename>Default User</filename>, which is a copy of the desired default user
789 configuration (including a copy of <filename>NTUSER.DAT</filename>).
790 If this share exists and the <filename>Default User</filename> folder exists,
791 the first login from a new account pulls its configuration from it.
792 See also <ulink url="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html">
793 the Real Men Don't Click</ulink> Web site.
799 <title>Installation of Printer Driver Auto-Download</title>
802 <indexterm><primary>printing</primary><secondary>dumb</secondary></indexterm>
803 <indexterm><primary>dumb printing</primary></indexterm>
804 <indexterm><primary>Raw Print Through</primary></indexterm>
805 The subject of printing is quite topical. Printing problems run second place to name
806 resolution issues today. So far in this book, you have experienced only what is generally
807 known as <quote>dumb</quote> printing. Dumb printing is the arrangement by which all drivers
808 are manually installed on each client and the printing subsystems perform no filtering
809 or intelligent processing. Dumb printing is easily understood. It usually works without
810 many problems, but it has its limitations also. Dumb printing is better known as
811 <command>Raw-Print-Through</command> printing.
815 <indexterm><primary>printing</primary><secondary>drag-and-drop</secondary></indexterm>
816 <indexterm><primary>printing</primary><secondary>point-n-click</secondary></indexterm>
817 Samba permits the configuration of <command>smart</command> printing using the Microsoft
818 Windows point-and-click (also called drag-and-drop) printing. What this provides is
819 essentially the ability to print to any printer. If the local client does not yet have a
820 driver installed, the driver is automatically downloaded from the Samba server and
821 installed on the client. Drag-and-drop printing is neat; it means the user never needs
822 to fuss with driver installation, and that is a <trademark>Good Thing,</trademark>
827 There is a further layer of print job processing that is known as <command>intelligent</command>
828 printing that automatically senses the file format of data submitted for printing and
829 then invokes a suitable print filter to convert the incoming data stream into a format
830 suited to the printer to which the job is dispatched.
834 <indexterm><primary>CUPS</primary></indexterm>
835 <indexterm><primary>Easy Software Products</primary></indexterm>
836 <indexterm><primary>Postscript</primary></indexterm>
837 The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
838 detect the data format and apply a print filter. This means that it is feasible to install
839 on all Windows clients a single printer driver for use with all printers that are routed
840 through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately,
841 <ulink url="http://www.easysw.com">Easy Software Products</ulink>, the authors of CUPS, have
842 released a PostScript printing driver for Windows. It can be installed into the Samba
843 printing backend so that it automatically downloads to the client when needed.
847 This means that so long as there is a CUPS driver for the printer, all printing from Windows
848 software can use PostScript, no matter what the actual printer language for the physical
849 device is. It also means that the administrator can swap out a printer with a totally
850 different type of device without ever needing to change a client workstation driver.
854 This book is about Samba-3, so you can confine the printing style to just the smart
855 style of installation. Those interested in further information regarding intelligent
856 printing should review documentation on the Easy Software Products Web site.
861 <sect3 id="sbeavoid">
862 <title>Avoiding Failures: Solving Problems Before They Happen</title>
865 It has often been said that there are three types of people in the world: those who
866 have sharp minds and those who forget things. Please do not ask what the third group
867 is like! Well, it seems that many of us have company in the second group. There must
868 be a good explanation why so many network administrators fail to solve apparently
869 simple problems efficiently and effectively.
873 Here are some diagnostic guidelines that can be referred to when things go wrong:
877 <title>Preliminary Advice: Dangers Can Be Avoided</title>
880 The best advice regarding how to mend a broken leg is <quote>Never break a leg!</quote>
884 <indexterm><primary>LDAP</primary></indexterm>
885 Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice
886 regarding the best way to remedy LDAP and Samba problems: <quote>Avoid them like the plague!</quote>
890 If you are now asking yourself how problems can be avoided, the best advice is to start
891 out your learning experience with a <emphasis>known-good configuration.</emphasis> After
892 you have seen a fully working solution, a good way to learn is to make slow and progressive
893 changes that cause things to break, then observe carefully how and why things ceased to work.
897 The examples in this chapter (also in the book as a whole) are known to work. That means
898 that they could serve as the kick-off point for your journey through fields of knowledge.
899 Use this resource carefully; we hope it serves you well.
903 Do not be lulled into thinking that you can easily adopt the examples in this
904 book and adapt them without first working through the examples provided. A little
905 thing overlooked can cause untold pain and may permanently tarnish your experience.
911 <title>The Name Service Caching Daemon</title>
914 The name service caching daemon (nscd) is a primary cause of difficulties with name
915 resolution, particularly where <command>winbind</command> is used. Winbind does its
916 own caching, thus nscd causes double caching which can lead to peculiar problems during
917 debugging. As a rule, it is a good idea to turn off the name service caching daemon.
921 Operation of the name service caching daemon is controlled by the
922 <filename>/etc/nscd.conf</filename> file. Typical contents of this file are as follows:
925 # An example Name Service Cache config file. This file is needed by nscd.
927 # logfile <file>
928 # debug-level <level>
929 # threads <threads to use>
930 # server-user <user to run server as instead of root>
931 # server-user is ignored if nscd is started with -S parameters
932 # stat-user <user who is allowed to request statistics>
933 # reload-count unlimited|<number>
935 # enable-cache <service> <yes|no>
936 # positive-time-to-live <service> <time in seconds>
937 # negative-time-to-live <service> <time in seconds>
938 # suggested-size <service> <prime number>
939 # check-files <service> <yes|no>
940 # persistent <service> <yes|no>
941 # shared <service> <yes|no>
942 # Currently supported cache names (services): passwd, group, hosts
943 # logfile /var/log/nscd.log
949 enable-cache passwd yes
950 positive-time-to-live passwd 600
951 negative-time-to-live passwd 20
952 suggested-size passwd 211
953 check-files passwd yes
954 persistent passwd yes
956 enable-cache group yes
957 positive-time-to-live group 3600
958 negative-time-to-live group 60
959 suggested-size group 211
960 check-files group yes
963 # !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to
964 # cache hosts will cause your local system to not be able to trust
965 # forward/reverse lookup checks. DO NOT USE THIS if your system relies on
966 # this sort of security mechanism. Use a caching DNS server instead.
967 enable-cache hosts no
968 positive-time-to-live hosts 3600
969 negative-time-to-live hosts 20
970 suggested-size hosts 211
971 check-files hosts yes
975 It is feasible to comment out the <constant>passwd</constant> and <constant>group</constant>
976 entries so they will not be cached. Alternatively, it is often simpler to just disable the
977 <command>nscd</command> service by executing (on Novell SUSE Linux):
979 &rootprompt; chkconfig nscd off
980 &rootprompt; rcnscd off
987 <title>Debugging LDAP</title>
990 <indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
991 <indexterm><primary>loglevel</primary></indexterm>
992 <indexterm><primary>slapd</primary></indexterm>
993 In the example <filename>/etc/openldap/slapd.conf</filename> control file
994 (see <link linkend="sbehap-dbconf"/>) there is an entry for <constant>loglevel 256</constant>.
995 To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter
996 and restart <command>slapd</command>.
1000 <indexterm><primary>/etc/syslog.conf</primary></indexterm>
1001 <indexterm><primary>/var/log/ldaplogs</primary></indexterm>
1002 LDAP log information can be directed into a file that is separate from the normal system
1003 log files by changing the <filename>/etc/syslog.conf</filename> file so it has the following
1006 # Some foreign boot scripts require local7
1008 local0,local1.* -/var/log/localmessages
1009 local2,local3.* -/var/log/localmessages
1010 local5.* -/var/log/localmessages
1011 local6,local7.* -/var/log/localmessages
1012 local4.* -/var/log/ldaplogs
1014 In this case, all LDAP-related logs will be directed to the file
1015 <filename>/var/log/ldaplogs</filename>. This makes it easy to track LDAP errors.
1016 The snippet provides a simple example of usage that can be modified to suit
1017 local site needs. The configuration used later in this chapter reflects such
1018 customization with the intent that LDAP log files will be stored at a location
1019 that meets local site needs and wishes more fully.
1025 <title>Debugging NSS_LDAP</title>
1028 The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
1029 <filename>/etc/ldap.conf</filename> file the following parameters:
1034 Create the log directory as follows:
1036 &rootprompt; mkdir /data/logs
1041 The diagnostic process should follow these steps:
1045 <title>NSS_LDAP Diagnostic Steps</title>
1048 Verify the <constant>nss_base_passwd, nss_base_shadow, nss_base_group</constant> entries
1049 in the <filename>/etc/ldap.conf</filename> file and compare them closely with the directory
1050 tree location that was chosen when the directory was first created.
1054 One way this can be done is by executing:
1056 &rootprompt; slapcat | grep Group | grep dn
1057 dn: ou=Groups,dc=abmas,dc=biz
1058 dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
1059 dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
1060 dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
1061 dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
1062 dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz
1063 dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
1064 dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
1065 dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz
1067 The first line is the DIT entry point for the container for POSIX groups. The correct entry
1068 for the <filename>/etc/ldap.conf</filename> for the <constant>nss_base_group</constant>
1069 parameter therefore is the distinguished name (dn) as applied here:
1071 nss_base_group ou=Groups,dc=abmas,dc=biz?one
1073 The same process may be followed to determine the appropriate dn for user accounts.
1074 If the container for computer accounts is not the same as that for users (see the &smb.conf;
1075 file entry for <constant>ldap machine suffix</constant>), it may be necessary to set the
1076 following DIT dn in the <filename>/etc/ldap.conf</filename> file:
1078 nss_base_passwd dc=abmas,dc=biz?sub
1080 This instructs LDAP to search for machine as well as user entries from the top of the DIT
1081 down. This is inefficient, but at least should work. Note: It is possible to specify multiple
1082 <constant>nss_base_passwd</constant> entries in the <filename>/etc/ldap.conf</filename> file; they
1083 will be evaluated sequentially. Let us consider an example of use where the following DIT
1084 has been implemented:
1089 <listitem><para>All user accounts are stored under the DIT: ou=Users,dc=abmas,dc=biz</para></listitem>
1090 <listitem><para>All user login accounts are under the DIT: ou=People,ou-Users,dc=abmas,dc=biz</para></listitem>
1091 <listitem><para>All computer accounts are under the DIT: ou=Computers,ou=Users,dc=abmas,dc=biz</para></listitem>
1096 The appropriate multiple entry for the <constant>nss_base_passwd</constant> directive
1097 in the <filename>/etc/ldap.conf</filename> file may be:
1099 nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
1100 nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
1105 Perform lookups such as:
1107 &rootprompt; getent passwd
1109 Each such lookup will create an entry in the <filename>/data/log</filename> directory
1110 for each such process executed. The contents of each file created in this directory
1111 may provide a hint as to the cause of the a problem that is under investigation.
1115 For additional diagnostic information, check the contents of the <filename>/var/log/messages</filename>
1116 to see what error messages are being generated as a result of the LDAP lookups. Here is an example of
1117 a successful lookup:
1119 slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539
1121 slapd[12164]: conn=0 op=0 BIND dn="" method=128
1122 slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=
1123 slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0
1124 filter="(objectClass=*)"
1125 slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0
1127 slapd[12164]: conn=0 op=2 UNBIND
1128 slapd[12164]: conn=0 fd=10 closed
1129 slapd[12164]: conn=1 fd=10 ACCEPT from
1130 IP=127.0.0.1:33540 (IP=0.0.0.0:389)
1131 slapd[12164]: conn=1 op=0 BIND
1132 dn="cn=Manager,dc=abmas,dc=biz" method=128
1133 slapd[12164]: conn=1 op=0 BIND
1134 dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0
1135 slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=
1136 slapd[12164]: conn=1 op=1 SRCH
1137 base="ou=People,dc=abmas,dc=biz" scope=1 deref=0
1138 filter="(objectClass=posixAccount)"
1139 slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword
1140 uidNumber gidNumber cn
1141 homeDirectory loginShell gecos description objectClass
1142 slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0
1144 slapd[12164]: conn=1 fd=10 closed
1150 Check that the bindpw entry in the <filename>/etc/ldap.conf</filename> or in the
1151 <filename>/etc/ldap.secrets</filename> file is correct, as specified in the
1152 <filename>/etc/openldap/slapd.conf</filename> file.
1160 <title>Debugging Samba</title>
1163 The following parameters in the &smb.conf; file can be useful in tracking down Samba-related problems:
1168 log file = /var/log/samba/%m.log
1172 This will result in the creation of a separate log file for every client from which connections
1173 are made. The log file will be quite verbose and will grow continually. Do not forget to
1174 change these lines to the following when debugging has been completed:
1179 log file = /var/log/samba/%m.log
1186 The log file can be analyzed by executing:
1188 &rootprompt; cd /var/log/samba
1189 &rootprompt; grep -v "^\[200" machine_name.log
1194 Search for hints of what may have failed by looking for the words <emphasis>fail</emphasis>
1195 and <emphasis>error</emphasis>.
1201 <title>Debugging on the Windows Client</title>
1204 MS Windows 2000 Professional and Windows XP Professional clients can be configured
1205 to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
1206 the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
1207 version of MS Windows.
1218 <title>Political Issues</title>
1221 MS Windows network users are generally very sensitive to limits that may be imposed when
1222 confronted with locked-down workstation configurations. The challenge you face must
1223 be promoted as a choice between reliable, fast network operation and a constant flux
1224 of problems that result in user irritation.
1230 <title>Installation Checklist</title>
1233 You are starting a complex project. Even though you went through the installation of a complex
1234 network in <link linkend="Big500users"/>, this network is a bigger challenge because of the
1235 large number of complex applications that must be configured before the first few steps
1236 can be validated. Take stock of what you are about to undertake, prepare yourself, and
1237 frequently review the steps ahead while making at least a mental note of what has already
1238 been completed. The following task list may help you to keep track of the task items
1244 <listitem><para>Samba-3 PDC Server Configuration</para>
1246 <listitem><para>DHCP and DNS servers</para></listitem>
1247 <listitem><para>OpenLDAP server</para></listitem>
1248 <listitem><para>PAM and NSS client tools</para></listitem>
1249 <listitem><para>Samba-3 PDC</para></listitem>
1250 <listitem><para>Idealx smbldap scripts</para></listitem>
1251 <listitem><para>LDAP initialization</para></listitem>
1252 <listitem><para>Create user and group accounts</para></listitem>
1253 <listitem><para>Printers</para></listitem>
1254 <listitem><para>Share point directory roots</para></listitem>
1255 <listitem><para>Profile directories</para></listitem>
1256 <listitem><para>Logon scripts</para></listitem>
1257 <listitem><para>Configuration of user rights and privileges</para></listitem>
1260 <listitem><para>Samba-3 BDC Server Configuration</para>
1262 <listitem><para>DHCP and DNS servers</para></listitem>
1263 <listitem><para>PAM and NSS client tools</para></listitem>
1264 <listitem><para>Printers</para></listitem>
1265 <listitem><para>Share point directory roots</para></listitem>
1266 <listitem><para>Profiles directories</para></listitem>
1269 <listitem><para>Windows XP Client Configuration</para>
1271 <listitem><para>Default profile folder redirection</para></listitem>
1272 <listitem><para>MS Outlook PST file relocation</para></listitem>
1273 <listitem><para>Delete roaming profile on logout</para></listitem>
1274 <listitem><para>Upload printer drivers to Samba servers</para></listitem>
1275 <listitem><para>Install software</para></listitem>
1276 <listitem><para>Creation of roll-out images</para></listitem>
1287 <title>Samba Server Implementation</title>
1290 <indexterm><primary>file servers</primary></indexterm>
1291 <indexterm><primary>BDC</primary></indexterm>
1292 The network design shown in <link linkend="chap6net"/> is not comprehensive. It is assumed
1293 that you will install additional file servers and possibly additional BDCs.
1296 <figure id="chap6net">
1297 <title>Network Topology &smbmdash; 500 User Network Using ldapsam passdb backend</title>
1298 <imagefile scale="50">chap6-net</imagefile>
1302 <indexterm><primary>SUSE Linux</primary></indexterm>
1303 <indexterm><primary>Red Hat Linux</primary></indexterm>
1304 All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE
1305 Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
1306 adjust the locations for your particular Linux system distribution/implementation.
1310 The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools
1311 scripts version 0.9.0. If using a different version of Samba or of the smbldap-tools tarball,
1312 please verify that the versions you are about to use are matching. The smbldap-tools package
1313 uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are
1314 issued for POSIX accounts. The LDAP rdn under which this information is stored are called
1315 <constant>uidNumber</constant> and <constant>gidNumber</constant> respectively. These may be
1316 located in any convenient part of the directory information tree (DIT). In the examples that
1317 follow they have been located under <constant>dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</constant>.
1318 They could just as well be located under the rdn <constant>cn=NextFreeUnixId</constant>.
1322 The steps in the process involve changes from the network configuration shown in
1323 <link linkend="Big500users"/>. Before implementing the following steps, you must
1324 have completed the network implementation shown in that chapter. If you are starting
1325 with newly installed Linux servers, you must complete the steps shown in
1326 <link linkend="ch5-dnshcp-setup"/> before commencing at <link linkend="ldapsetup"/>.
1329 <sect2 id="ldapsetup">
1330 <title>OpenLDAP Server Configuration</title>
1333 <indexterm><primary>nss_ldap</primary></indexterm>
1334 <indexterm><primary>pam_ldap</primary></indexterm>
1335 <indexterm><primary>openldap</primary></indexterm>
1336 Confirm that the packages shown in <link linkend="oldapreq"/> are installed on your system.
1339 <table id="oldapreq">
1340 <title>Required OpenLDAP Linux Packages</title>
1342 <colspec align="left"/>
1343 <colspec align="left"/>
1344 <colspec align="left"/>
1347 <entry align="center">SUSE Linux 8.x</entry>
1348 <entry align="center">SUSE Linux 9.x</entry>
1349 <entry align="center">Red Hat Linux</entry>
1354 <entry>nss_ldap</entry>
1355 <entry>nss_ldap</entry>
1356 <entry>nss_ldap</entry>
1359 <entry>pam_ldap</entry>
1360 <entry>pam_ldap</entry>
1361 <entry>pam_ldap</entry>
1364 <entry>openldap2</entry>
1365 <entry>openldap2</entry>
1366 <entry>openldap</entry>
1369 <entry>openldap2-client</entry>
1370 <entry>openldap2-client</entry>
1378 Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method
1379 for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
1380 follow these guidelines, the resulting system should work fine.
1384 <title>OpenLDAP Server Configuration Steps</title>
1387 <indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
1388 Install the file shown in <link linkend="sbehap-slapdconf"/> in the directory
1389 <filename>/etc/openldap</filename>.
1393 <indexterm><primary>/data/ldap</primary></indexterm>
1394 <indexterm><primary>group account</primary></indexterm>
1395 <indexterm><primary>user account</primary></indexterm>
1396 Remove all files from the directory <filename>/data/ldap</filename>, making certain that
1397 the directory exists with permissions:
1399 &rootprompt; ls -al /data | grep ldap
1400 drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
1402 This may require you to add a user and a group account for LDAP if they do not exist.
1406 <indexterm><primary>DB_CONFIG</primary></indexterm>
1407 Install the file shown in <link linkend="sbehap-dbconf"/> in the directory
1408 <filename>/data/ldap</filename>. In the event that this file is added after <constant>ldap</constant>
1409 has been started, it is possible to cause the new settings to take effect by shutting down
1410 the <constant>LDAP</constant> server, executing the <command>db_recover</command> command inside the
1411 <filename>/data/ldap</filename> directory, and then restarting the <constant>LDAP</constant> server.
1415 <indexterm><primary>syslog</primary></indexterm>
1416 Performance logging can be enabled and should preferably be sent to a file on
1417 a file system that is large enough to handle significantly sized logs. To enable
1418 the logging at a verbose level to permit detailed analysis, uncomment the entry in
1419 the <filename>/etc/openldap/slapd.conf</filename> shown as <quote>loglevel 256</quote>.
1423 Edit the <filename>/etc/syslog.conf</filename> file to add the following at the end
1426 local4.* -/data/ldap/log/openldap.log
1428 Note: The path <filename>/data/ldap/log</filename> should be set at a location
1429 that is convenient and that can store a large volume of data.
1434 <example id="sbehap-dbconf">
1435 <title>LDAP DB_CONFIG File</title>
1437 set_cachesize 0 150000000 1
1438 set_lg_regionmax 262144
1439 set_lg_bsize 2097152
1440 #set_lg_dir /var/log/bdb
1441 set_flags DB_LOG_AUTOREMOVE
1445 <example id="sbehap-slapdconf">
1446 <title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part A</title>
1448 include /etc/openldap/schema/core.schema
1449 include /etc/openldap/schema/cosine.schema
1450 include /etc/openldap/schema/inetorgperson.schema
1451 include /etc/openldap/schema/nis.schema
1452 include /etc/openldap/schema/samba3.schema
1454 pidfile /var/run/slapd/slapd.pid
1455 argsfile /var/run/slapd/slapd.args
1457 access to dn.base=""
1461 access to attr=userPassword
1465 access to attr=shadowLastChange
1482 suffix "dc=abmas,dc=biz"
1483 rootdn "cn=Manager,dc=abmas,dc=biz"
1486 rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
1488 directory /data/ldap
1492 <example id="sbehap-slapdconf2">
1493 <title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part B</title>
1495 # Indices to maintain
1496 index objectClass eq
1497 index cn pres,sub,eq
1498 index sn pres,sub,eq
1499 index uid pres,sub,eq
1500 index displayName pres,sub,eq
1505 index sambaPrimaryGroupSID eq
1506 index sambaDomainName eq
1513 <sect2 id="sbehap-PAM-NSS">
1514 <title>PAM and NSS Client Configuration</title>
1517 <indexterm><primary>LDAP</primary></indexterm>
1518 <indexterm><primary>NSS</primary></indexterm>
1519 <indexterm><primary>PAM</primary></indexterm>
1520 The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and
1521 groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure
1522 the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
1526 <indexterm><primary>Pluggable Authentication Modules</primary><see>PAM</see></indexterm>
1527 <indexterm><primary>pam_unix2.so</primary></indexterm>
1528 Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
1529 that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
1530 correct configuration of PAM. The <command>pam_ldap</command> open source package provides the
1531 PAM modules that most people would use. On SUSE Linux systems, the <command>pam_unix2.so</command>
1532 module also has the ability to redirect authentication requests through LDAP.
1536 <indexterm><primary>YaST</primary></indexterm>
1537 <indexterm><primary>SUSE Linux</primary></indexterm>
1538 <indexterm><primary>Red Hat Linux</primary></indexterm>
1539 <indexterm><primary>authconfig</primary></indexterm>
1540 You have chosen to configure these services by directly editing the system files, but of course, you
1541 know that this configuration can be done using system tools provided by the Linux system vendor.
1542 SUSE Linux has a facility in YaST (the system admin tool) through <menuchoice><guimenu>yast</guimenu>
1543 <guimenuitem>system</guimenuitem><guimenuitem>ldap-client</guimenuitem></menuchoice> that permits
1544 configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <command>authconfig</command>
1549 <title>PAM and NSS Client Configuration Steps</title>
1552 <indexterm><primary>/lib/libnss_ldap.so.2</primary></indexterm>
1553 <indexterm><primary>/etc/ldap.conf</primary></indexterm>
1554 <indexterm><primary>nss_ldap</primary></indexterm>
1555 Execute the following command to find where the <filename>nss_ldap</filename> module
1556 expects to find its control file:
1558 &rootprompt; strings /lib/libnss_ldap.so.2 | grep conf
1560 The preferred and usual location is <filename>/etc/ldap.conf</filename>.
1564 On the server <constant>MASSIVE</constant>, install the file shown in
1565 <link linkend="sbehap-nss01"/> into the path that was obtained from the step above.
1566 On the servers called <constant>BLDG1</constant> and <constant>BLDG2</constant>, install the file shown in
1567 <link linkend="sbehap-nss02"/> into the path that was obtained from the step above.
1570 <example id="sbehap-nss01">
1571 <title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
1575 base dc=abmas,dc=biz
1577 binddn cn=Manager,dc=abmas,dc=biz
1588 nss_base_passwd ou=People,dc=abmas,dc=biz?one
1589 nss_base_shadow ou=People,dc=abmas,dc=biz?one
1590 nss_base_group ou=Groups,dc=abmas,dc=biz?one
1596 <example id="sbehap-nss02">
1597 <title>Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
1601 base dc=abmas,dc=biz
1603 binddn cn=Manager,dc=abmas,dc=biz
1614 nss_base_passwd ou=People,dc=abmas,dc=biz?one
1615 nss_base_shadow ou=People,dc=abmas,dc=biz?one
1616 nss_base_group ou=Groups,dc=abmas,dc=biz?one
1623 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
1624 Edit the NSS control file (<filename>/etc/nsswitch.conf</filename>) so that the lines that
1625 control user and group resolution will obtain information from the normal system files as
1626 well as from <command>ldap</command>:
1631 hosts: files dns wins
1633 Later, when the LDAP database has been initialized and user and group accounts have been
1634 added, you can validate resolution of the LDAP resolver process. The inclusion of
1635 WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be
1636 resolved to their IP addresses, whether or not they are DHCP clients.
1640 Some Linux systems (Novell SUSE Linux in particular) add entries to the <filename>nsswitch.conf</filename>
1641 file that may cause operational problems with the configuration methods adopted in this book. It is
1642 advisable to comment out the entries <constant>passwd_compat</constant> and <constant>group_compat</constant>
1643 where they are found in this file.
1647 Even at the risk of overstating the issue, incorrect and inappropriate configuration of the
1648 <filename>nsswitch.conf</filename> file is a significant cause of operational problems with LDAP.
1652 <indexterm><primary>pam_unix2.so</primary><secondary>use_ldap</secondary></indexterm>
1653 For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
1654 files in the <filename>/etc/pam.d</filename> directory: <command>login</command>, <command>password</command>,
1655 <command>samba</command>, <command>sshd</command>. In each file, locate every entry that has the
1656 <command>pam_unix2.so</command> entry and add to the line the entry <command>use_ldap</command> as shown
1657 for the <command>login</command> module in this example:
1660 auth requisite pam_unix2.so nullok use_ldap #set_secrpc
1661 auth required pam_securetty.so
1662 auth required pam_nologin.so
1663 #auth required pam_homecheck.so
1664 auth required pam_env.so
1665 auth required pam_mail.so
1666 account required pam_unix2.so use_ldap
1667 password required pam_pwcheck.s nullok
1668 password required pam_unix2.so nullok use_first_pass \
1669 use_authtok use_ldap
1670 session required pam_unix2.so none use_ldap # debug or trace
1671 session required pam_limits.so
1676 <indexterm><primary>pam_ldap.so</primary></indexterm>
1677 On other Linux systems that do not have an LDAP-enabled <command>pam_unix2.so</command> module,
1678 you must edit these files by adding the <command>pam_ldap.so</command> modules as shown here:
1681 auth required pam_securetty.so
1682 auth required pam_nologin.so
1683 auth sufficient pam_ldap.so
1684 auth required pam_unix2.so nullok try_first_pass #set_secrpc
1685 account sufficient pam_ldap.so
1686 account required pam_unix2.so
1687 password required pam_pwcheck.so nullok
1688 password required pam_ldap.so use_first_pass use_authtok
1689 password required pam_unix2.so nullok use_first_pass use_authtok
1690 session required pam_unix2.so none # debug or trace
1691 session required pam_limits.so
1692 session required pam_env.so
1693 session optional pam_mail.so
1695 This example does have the LDAP-enabled <command>pam_unix2.so</command>, but simply
1696 demonstrates the use of the <command>pam_ldap.so</command> module. You can use either
1697 implementation, but if the <command>pam_unix2.so</command> on your system supports
1698 LDAP, you probably want to use it rather than add an additional module.
1705 <sect2 id="sbehap-massive">
1706 <title>Samba-3 PDC Configuration</title>
1709 <indexterm><primary>Samba RPM Packages</primary></indexterm>
1710 Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server
1711 before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the
1712 choice to either build your own or obtain the packages from a dependable source.
1713 Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for
1714 Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that
1715 is included with this book.
1719 <title>Configuration of PDC Called <constant>MASSIVE</constant></title>
1722 Install the files in <link linkend="sbehap-massive-smbconfa"/>,
1723 <link linkend="sbehap-massive-smbconfb"/>, <link linkend="sbehap-shareconfa"/>,
1724 and <link linkend="sbehap-shareconfb"/> into the <filename>/etc/samba/</filename>
1725 directory. The three files should be added together to form the &smb.conf;
1726 master file. It is a good practice to call this file something like
1727 <filename>smb.conf.master</filename> and then to perform all file edits
1728 on the master file. The operational &smb.conf; is then generated as shown in
1733 <indexterm><primary>testparm</primary></indexterm>
1734 Create and verify the contents of the &smb.conf; file that is generated by:
1736 &rootprompt; testparm -s smb.conf.master > smb.conf
1738 Immediately follow this with the following:
1740 &rootprompt; testparm
1742 The output that is created should be free from errors, as shown here:
1745 Load smb config files from /etc/samba/smb.conf
1746 Processing section "[accounts]"
1747 Processing section "[service]"
1748 Processing section "[pidata]"
1749 Processing section "[homes]"
1750 Processing section "[printers]"
1751 Processing section "[apps]"
1752 Processing section "[netlogon]"
1753 Processing section "[profiles]"
1754 Processing section "[profdata]"
1755 Processing section "[print$]"
1756 Loaded services file OK.
1757 Server role: ROLE_DOMAIN_PDC
1758 Press enter to see a dump of your service definitions
1763 Delete all runtime files from prior Samba operation by executing (for SUSE
1766 &rootprompt; rm /etc/samba/*tdb
1767 &rootprompt; rm /var/lib/samba/*tdb
1768 &rootprompt; rm /var/lib/samba/*dat
1769 &rootprompt; rm /var/log/samba/*
1774 <indexterm><primary>secrets.tdb</primary></indexterm>
1775 <indexterm><primary>smbpasswd</primary></indexterm>
1776 Samba-3 communicates with the LDAP server. The password that it uses to
1777 authenticate to the LDAP server must be stored in the <filename>secrets.tdb</filename>
1778 file. Execute the following to create the new <filename>secrets.tdb</filename> files
1779 and store the password for the LDAP Manager:
1781 &rootprompt; smbpasswd -w not24get
1783 The expected output from this command is:
1785 Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
1790 <indexterm><primary>smbd</primary></indexterm>
1791 <indexterm><primary>net</primary><secondary>getlocalsid</secondary></indexterm>
1792 Samba-3 generates a Windows Security Identifier (SID) only when <command>smbd</command>
1793 has been started. For this reason, you start Samba. After a few seconds delay,
1796 &rootprompt; smbclient -L localhost -U%
1797 &rootprompt; net getlocalsid
1799 A report such as the following means that the domain SID has not yet
1800 been written to the <filename>secrets.tdb</filename> or to the LDAP backend:
1802 [2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
1803 failed to bind to server ldap://massive.abmas.biz
1804 with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server
1806 [2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
1807 smbldap_search_suffix: Problem during the LDAP search:
1808 (unknown) (Timed out)
1810 The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server
1811 is not running, this operation will fail by way of a timeout, as shown previously. This is
1812 normal output; do not worry about this error message. When the domain has been created and
1813 written to the <filename>secrets.tdb</filename> file, the output should look like this:
1815 SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
1817 If, after a short delay (a few seconds), the domain SID has still not been written to
1818 the <filename>secrets.tdb</filename> file, it is necessary to investigate what
1819 may be misconfigured. In this case, carefully check the &smb.conf; file for typographical
1820 errors (the most common problem). The use of the <command>testparm</command> is highly
1821 recommended to validate the contents of this file.
1825 When a positive domain SID has been reported, stop Samba.
1829 <indexterm><primary>NFS server</primary></indexterm>
1830 <indexterm><primary>/etc/exports</primary></indexterm>
1831 <indexterm><primary>BDC</primary></indexterm>
1832 <indexterm><primary>rsync</primary></indexterm>
1833 Configure the NFS server for your Linux system. So you can complete the steps that
1834 follow, enter into the <filename>/etc/exports</filename> the following entry:
1836 /home *(rw,root_squash,sync)
1838 This permits the user home directories to be used on the BDC servers for testing
1839 purposes. You, of course, decide what is the best way for your site to distribute
1840 data drives, and you create suitable backup and restore procedures for Abmas
1841 I'd strongly recommend that for normal operation the BDC is completely independent
1842 of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite
1843 closely. If you do use NFS, do not forget to start the NFS server as follows:
1845 &rootprompt; rcnfsserver start
1851 Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
1852 configuration of the LDAP server.
1855 <example id="sbehap-massive-smbconfa">
1856 <title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part A</title>
1858 <smbconfcomment>Global parameters</smbconfcomment>
1859 <smbconfsection name="[global]"/>
1860 <smbconfoption name="unix charset">LOCALE</smbconfoption>
1861 <smbconfoption name="workgroup">MEGANET2</smbconfoption>
1862 <smbconfoption name="netbios name">MASSIVE</smbconfoption>
1863 <smbconfoption name="interfaces">eth1, lo</smbconfoption>
1864 <smbconfoption name="bind interfaces only">Yes</smbconfoption>
1865 <smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
1866 <smbconfoption name="enable privileges">Yes</smbconfoption>
1867 <smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
1868 <smbconfoption name="log level">1</smbconfoption>
1869 <smbconfoption name="syslog">0</smbconfoption>
1870 <smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
1871 <smbconfoption name="max log size">50</smbconfoption>
1872 <smbconfoption name="smb ports">139 445</smbconfoption>
1873 <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
1874 <smbconfoption name="time server">Yes</smbconfoption>
1875 <smbconfoption name="printcap name">CUPS</smbconfoption>
1876 <smbconfoption name="show add printer wizard">No</smbconfoption>
1877 <smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption>
1878 <smbconfoption name="delete user script">/opt/IDEALX/sbin/smbldap-userdel "%u"</smbconfoption>
1879 <smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption>
1880 <smbconfoption name="delete group script">/opt/IDEALX/sbin/smbldap-groupdel "%g"</smbconfoption>
1881 <smbconfoption name="add user to group script">/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</smbconfoption>
1882 <smbconfoption name="delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</smbconfoption>
1883 <smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</smbconfoption>
1884 <smbconfoption name="add machine script">/opt/IDEALX/sbin/smbldap-useradd -w "%u"</smbconfoption>
1888 <example id="sbehap-massive-smbconfb">
1889 <title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title>
1891 <smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
1892 <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
1893 <smbconfoption name="logon drive">X:</smbconfoption>
1894 <smbconfoption name="domain logons">Yes</smbconfoption>
1895 <smbconfoption name="preferred master">Yes</smbconfoption>
1896 <smbconfoption name="wins support">Yes</smbconfoption>
1897 <smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
1898 <smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
1899 <smbconfoption name="ldap user suffix">ou=People</smbconfoption>
1900 <smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
1901 <smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
1902 <smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
1903 <smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
1904 <smbconfoption name="idmap uid">10000-20000</smbconfoption>
1905 <smbconfoption name="idmap gid">10000-20000</smbconfoption>
1906 <smbconfoption name="map acl inherit">Yes</smbconfoption>
1907 <smbconfoption name="printing">cups</smbconfoption>
1908 <smbconfoption name="printer admin">root, chrisr</smbconfoption>
1915 <sect2 id="sbeidealx">
1916 <title>Install and Configure Idealx smbldap-tools Scripts</title>
1919 <indexterm><primary>Idealx</primary><secondary>smbldap-tools</secondary></indexterm>
1920 The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
1921 on the LDAP server. You have chosen the Idealx scripts because they are the best-known
1922 LDAP configuration scripts. The use of these scripts will help avoid the necessity
1923 to create custom scripts. It is easy to download them from the Idealx
1924 <ulink url="http://samba.idealx.org/index.en.html">Web site</ulink>. The tarball may
1925 be directly <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.9.0.tgz">downloaded</ulink>
1926 from this site also. Alternatively, you may obtain the
1927 <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.9.0-1.src.rpm">smbldap-tools-0.9.0-1.src.rpm</ulink>
1928 file that may be used to build an installable RPM package for your Linux system.
1932 The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must
1933 change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</constant>).
1937 The smbldap-tools are located in <filename>/opt/IDEALX/sbin</filename>.
1938 The scripts are not needed on BDC machines because all LDAP updates are handled by
1943 <title>Installation of smbldap-tools from the Tarball</title>
1946 To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:
1949 <procedure id="idealxscript">
1950 <title>Unpacking and Installation Steps for the <constant>smbldap-tools</constant> Tarball</title>
1953 Create the <filename>/opt/IDEALX/sbin</filename> directory, and set its permissions
1954 and ownership as shown here:
1956 &rootprompt; mkdir -p /opt/IDEALX/sbin
1957 &rootprompt; chown root:root /opt/IDEALX/sbin
1958 &rootprompt; chmod 755 /opt/IDEALX/sbin
1959 &rootprompt; mkdir -p /etc/smbldap-tools
1960 &rootprompt; chown root:root /etc/smbldap-tools
1961 &rootprompt; chmod 755 /etc/smbldap-tools
1966 If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
1967 Change into either the directory extracted from the tarball or the smbldap-tools
1968 directory in your <filename>/usr/share/doc/packages</filename> directory tree.
1972 Copy all the <filename>smbldap-*</filename> and the <filename>configure.pl</filename> files into the
1973 <filename>/opt/IDEALX/sbin</filename> directory, as shown here:
1975 &rootprompt; cd smbldap-tools-0.9.0/
1976 &rootprompt; cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/
1977 &rootprompt; cp smbldap*conf /etc/smbldap-tools/
1978 &rootprompt; chmod 750 /opt/IDEALX/sbin/smbldap-*
1979 &rootprompt; chmod 750 /opt/IDEALX/sbin/configure.pl
1980 &rootprompt; chmod 640 /etc/smbldap-tools/smbldap.conf
1981 &rootprompt; chmod 600 /etc/smbldap-tools/smbldap_bind.conf
1986 The smbldap-tools scripts master control file must now be configured.
1987 Change to the <filename>/opt/IDEALX/sbin</filename> directory, then edit the
1988 <filename>smbldap_tools.pm</filename> to affect the changes
1992 # ugly funcs using global variables and spawning openldap clients
1994 my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
1995 my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
2001 To complete the configuration of the smbldap-tools, set the permissions and ownership
2002 by executing the following commands:
2004 &rootprompt; chown root:root /opt/IDEALX/sbin/*
2005 &rootprompt; chmod 755 /opt/IDEALX/sbin/smbldap-*
2006 &rootprompt; chmod 640 /opt/IDEALX/sbin/smb*pm
2008 The smbldap-tools scripts are now ready for the configuration step outlined in
2009 <link linkend="smbldap-init"/>.
2017 <title>Installing smbldap-tools from the RPM Package</title>
2020 In the event that you have elected to use the RPM package provided by Idealx, download the
2021 source RPM <filename>smbldap-tools-0.9.0-1.src.rpm</filename>, then follow this procedure:
2025 <title>Installation Steps for <constant>smbldap-tools</constant> RPM's</title>
2028 Install the source RPM that has been downloaded as follows:
2030 &rootprompt; rpm -i smbldap-tools-0.9.0-1.src.rpm
2035 Change into the directory in which the SPEC files are located. On SUSE Linux:
2037 &rootprompt; cd /usr/src/packages/SPECS
2039 On Red Hat Linux systems:
2041 &rootprompt; cd /usr/src/redhat/SPECS
2046 Edit the <filename>smbldap-tools.spec</filename> file to change the value of the
2047 <constant>_sysconfig</constant> macro as shown here:
2049 %define _prefix /opt/IDEALX
2050 %define _sysconfdir /etc
2052 Note: Any suitable directory can be specified.
2056 Build the package by executing:
2058 &rootprompt; rpmbuild -ba -v smbldap-tools.spec
2060 A build process that has completed without error will place the installable binary
2061 files in the directory <filename>../RPMS/noarch</filename>.
2065 Install the binary package by executing:
2067 &rootprompt; rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.0-1.noarch.rpm
2074 The Idealx scripts should now be ready for configuration using the steps outlined in
2075 <link linkend="smbldap-init">Configuration of smbldap-tools</link>.
2080 <sect3 id="smbldap-init">
2081 <title>Configuration of smbldap-tools</title>
2084 Prior to use, the smbldap-tools must be configured to match the settings in the &smb.conf; file
2085 and to match the settings in the <filename>/etc/openldap/slapd.conf</filename> file. The assumption
2086 is made that the &smb.conf; file has correct contents. The following procedure ensures that
2087 this is completed correctly:
2091 The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included
2092 in the &smb.conf; file.
2096 <title>Configuration Steps for <constant>smbldap-tools</constant> to Enable Use</title>
2099 Change into the directory that contains the <filename>configure.pl</filename> script.
2101 &rootprompt; cd /opt/IDEALX/sbin
2106 Execute the <filename>configure.pl</filename> script as follows:
2108 &rootprompt; ./configure.pl
2110 The interactive use of this script for the PDC is demonstrated here:
2112 &rootprompt; /opt/IDEALX/sbin/configure.pl
2113 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
2114 smbldap-tools script configuration
2115 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
2116 Before starting, check
2117 . if your samba controller is up and running.
2118 . if the domain SID is defined (you can get it with the 'net getlocalsid')
2120 . you can leave the configuration using the Crtl-c key combination
2121 . empty value can be set with the "." character
2122 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
2123 Looking for configuration files...
2125 Samba Config File Location [/etc/samba/smb.conf] >
2126 smbldap Config file Location (global parameters)
2127 [/etc/opt/IDEALX/smbldap-tools/smbldap.conf] >
2128 smbldap Config file Location (bind parameters)
2129 [/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] >
2130 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
2131 Let's start configuring the smbldap-tools scripts ...
2133 . workgroup name: name of the domain Samba act as a PDC
2134 workgroup name [MEGANET2] >
2135 . netbios name: netbios name of the samba controler
2136 netbios name [MASSIVE] >
2137 . logon drive: local path to which the home directory will
2138 be connected (for NT Workstations). Ex: 'H:'
2140 . logon home: home directory location (for Win95/98 or NT Workstation).
2141 (use %U as username) Ex:'\\MASSIVE\%U'
2142 logon home (press the "." character if you don't want homeDirectory)
2143 [\\MASSIVE\%U] > \\%L\%U
2144 . logon path: directory where roaming profiles are stored.
2145 Ex:'\\MASSIVE\profiles\%U'
2146 logon path (press the "." character if you don't want roaming profile)
2147 [\\%L\profiles\%U] >
2148 . home directory prefix (use %U as username) [/home/%U] > /data/users/%U
2149 . default users' homeDirectory mode [700] >
2150 . default user netlogon script (use %U as username) [scripts\logon.bat] >
2151 default password validation time (time in days) [45] > 900
2152 . ldap suffix [dc=terpstra-world,dc=org] >
2153 . ldap group suffix [ou=Groups] >
2154 . ldap user suffix [ou=People,ou=Users] >
2155 . ldap machine suffix [ou=Computers,ou=Users] >
2156 . Idmap suffix [ou=Idmap] >
2157 . sambaUnixIdPooldn: object where you want to store the next uidNumber
2158 and gidNumber available for new users and groups
2159 sambaUnixIdPooldn object (relative to ${suffix})
2160 [sambaDomainName=MEGANET2] >
2161 . ldap master server: IP adress or DNS name of the
2162 master (writable) ldap server
2163 ldap master server [merlin.terpstra-world.org] >
2164 . ldap master port [389] >
2165 . ldap master bind dn [cn=Manager,dc=terpstra-world,dc=org] >
2166 . ldap master bind password [] >
2167 . ldap slave server: IP adress or DNS name of the slave ldap server:
2168 can also be the master one
2169 ldap slave server [merlin.terpstra-world.org] >
2170 . ldap slave port [389] >
2171 . ldap slave bind dn [cn=Manager,dc=terpstra-world,dc=org] >
2172 . ldap slave bind password [] >
2173 . ldap tls support (1/0) [0] >
2174 . SID for domain MEGANET2: SID of the domain
2175 (can be obtained with 'net getlocalsid MASSIVE')
2176 SID for domain MEGANET2 [S-1-5-21-3504140859-1010554828-2431957765] >
2177 . unix password encryption: encryption used for unix passwords
2178 unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
2179 . default user gidNumber [513] >
2180 . default computer gidNumber [515] >
2181 . default login shell [/bin/bash] >
2182 . default domain name to append to mail adress [] > terpstra-world.org
2183 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
2184 backup old configuration files:
2185 /etc/opt/IDEALX/smbldap-tools/smbldap.conf->
2186 /etc/opt/IDEALX/smbldap-tools/smbldap.conf.old
2187 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf->
2188 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old
2189 writing new configuration file:
2190 /etc/opt/IDEALX/smbldap-tools/smbldap.conf done.
2191 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done.
2193 Since a slave LDAP server has not been configured, it is necessary to specify the IP
2194 address of the master LDAP server for both the master and the slave configuration
2199 Change to the directory that contains the <filename>smbldap.conf</filename> file,
2200 then verify its contents.
2206 The smbldap-tools are now ready for use.
2214 <title>LDAP Initialization and Creation of User and Group Accounts</title>
2217 The LDAP database must be populated with well-known Windows domain user accounts and domain group
2218 accounts before Samba can be used. The following procedures step you through the process.
2222 At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are
2223 mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not
2224 hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
2225 database. From a UNIX system perspective, the NSS resolver checks system files before
2226 referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
2227 does not need to ask LDAP.
2231 Addition of an account to the LDAP backend can be done in two ways:
2236 <indexterm><primary>NIS</primary></indexterm>
2237 <indexterm><primary>/etc/passwd</primary></indexterm>
2238 <indexterm><primary>Posix accounts</primary></indexterm>
2239 <indexterm><primary>pdbedit</primary></indexterm>
2240 <indexterm><primary>SambaSamAccount</primary></indexterm>
2241 <indexterm><primary>PosixAccount</primary></indexterm>
2242 If you always have a user account in the <filename>/etc/passwd</filename> on every
2243 server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in
2244 LDAP. In this case, you can add Windows domain user accounts using the
2245 <command>pdbedit</command> utility. Use of this tool from the command line adds the
2246 SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
2250 This is the least desirable method because when LDAP is used as the passwd backend Samba
2251 expects the POSIX account to be in LDAP also. It is possible to use the PADL account
2252 migration tool to migrate all system accounts from either the <filename>/etc/passwd</filename>
2253 files, or from NIS, to LDAP.
2257 If you decide that it is probably a good idea to add both the PosixAccount attributes
2258 as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
2259 In the example system you are installing in this exercise, you are making use of the
2260 Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,
2261 is included on the enclosed CD-ROM under <filename>Chap06/Tools.</filename>
2266 <indexterm><primary>Idealx</primary><secondary>smbldap-tools</secondary></indexterm>
2267 If you wish to have more control over how the LDAP database is initialized or
2268 if you don't want to use the Idealx smbldap-tools, you should refer to
2269 <link linkend="appendix"/>, <link linkend="altldapcfg"/>.
2273 <indexterm><primary>smbldap-populate</primary></indexterm>
2274 The following steps initialize the LDAP database, and then you can add user and group
2275 accounts that Samba can use. You use the <command>smbldap-populate</command> to
2276 seed the LDAP database. You then manually add the accounts shown in <link linkend="sbehap-bigacct"/>.
2277 The list of users does not cover all 500 network users; it provides examples only.
2281 <indexterm><primary>LDAP</primary><secondary>database</secondary></indexterm>
2282 <indexterm><primary>directory</primary><secondary>People container</secondary></indexterm>
2283 <indexterm><primary>directory</primary><secondary>Computers container</secondary></indexterm>
2284 In the following examples, as the LDAP database is initialized, we do create a container
2285 for Computer (machine) accounts. In the Samba-3 &smb.conf; files, specific use is made
2286 of the People container, not the Computers container, for domain member accounts. This is not a
2287 mistake; it is a deliberate action that is necessitated by the fact that the resolution of
2288 a machine (computer) account to a UID is done via NSS. The only way this can be handled is
2289 using the NSS (<filename>/etc/nsswitch.conf</filename>) entry for <constant>passwd</constant>,
2290 which is resolved using the <filename>nss_ldap</filename> library. The configuration file for
2291 the <filename>nss_ldap</filename> library is the file <filename>/etc/ldap.conf</filename> that
2292 provides only one possible LDAP search command that is specified by the entry called
2293 <constant>nss_base_passwd</constant>. This means that the search path must take into account
2294 the directory structure so that the LDAP search will commence at a level that is above
2295 both the Computers container and the Users (or People) container. If this is done, it is
2296 necessary to use a search that will descend the directory tree so that the machine account
2297 can be found. Alternatively, by placing all machine accounts in the People container, we
2298 are able to sidestep this limitation. This is the simpler solution that has been adopted
2303 <table id="sbehap-bigacct">
2304 <title>Abmas Network Users and Groups</title>
2306 <colspec align="left"/>
2307 <colspec align="left"/>
2308 <colspec align="left"/>
2309 <colspec align="left"/>
2312 <entry align="center">Account Name</entry>
2313 <entry align="center">Type</entry>
2314 <entry align="center">ID</entry>
2315 <entry align="center">Password</entry>
2320 <entry>Robert Jordan</entry>
2323 <entry>n3v3r2l8</entry>
2326 <entry>Stanley Soroka</entry>
2328 <entry>stans</entry>
2329 <entry>impl13dst4r</entry>
2332 <entry>Christine Roberson</entry>
2334 <entry>chrisr</entry>
2335 <entry>S9n0nw4ll</entry>
2338 <entry>Mary Vortexis</entry>
2340 <entry>maryv</entry>
2341 <entry>kw13t0n3</entry>
2344 <entry>Accounts</entry>
2345 <entry>Group</entry>
2346 <entry>Accounts</entry>
2350 <entry>Finances</entry>
2351 <entry>Group</entry>
2352 <entry>Finances</entry>
2356 <entry>Insurance</entry>
2357 <entry>Group</entry>
2358 <entry>PIOps</entry>
2365 <procedure id="creatacc">
2366 <title>LDAP Directory Initialization Steps</title>
2369 Start the LDAP server by executing:
2371 &rootprompt; rcldap start
2372 Starting ldap-server done
2377 Change to the <filename>/opt/IDEALX/sbin</filename> directory.
2381 Execute the script that will populate the LDAP database as shown here:
2383 &rootprompt; ./smbldap-populate -a root -k 0 -m 0
2385 The expected output from this is:
2387 Using workgroup name from smb.conf: sambaDomainName=MEGANET2
2388 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
2389 => Warning: you must update smbldap.conf configuration file to :
2390 => sambaUnixIdPooldn parameter must be set
2391 to "sambaDomainName=MEGANET2,dc=abmas,dc=biz"
2392 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
2393 Using builtin directory structure
2394 adding new entry: dc=abmas,dc=biz
2395 adding new entry: ou=People,dc=abmas,dc=biz
2396 adding new entry: ou=Groups,dc=abmas,dc=biz
2397 entry ou=People,dc=abmas,dc=biz already exist.
2398 adding new entry: ou=Idmap,dc=abmas,dc=biz
2399 adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz
2400 adding new entry: uid=root,ou=People,dc=abmas,dc=biz
2401 adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
2402 adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
2403 adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
2404 adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
2405 adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
2406 adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
2407 adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
2408 adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
2409 adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
2414 Edit the <filename>/etc/smbldap-tools/smbldap.conf</filename> file so that the following
2415 information is changed from:
2417 # Where to store next uidNumber and gidNumber available
2418 sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
2420 to read, after modification:
2422 # Where to store next uidNumber and gidNumber available
2423 #sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
2424 sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
2429 It is necessary to restart the LDAP server as shown here:
2431 &rootprompt; rcldap restart
2432 Shutting down ldap-server done
2433 Starting ldap-server done
2438 <indexterm><primary>slapcat</primary></indexterm>
2439 So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data.
2440 There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
2441 the simplest is to execute:
2443 &rootprompt; slapcat | grep -i idmap
2444 dn: ou=Idmap,dc=abmas,dc=biz
2447 <indexterm> <primary>ldapadd</primary></indexterm>
2448 If the execution of this command does not return IDMAP entries, you need to create an LDIF
2449 template file (see <link linkend="sbehap-ldifadd"/>). You can add the required entries using
2450 the following command:
2452 &rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
2453 -w not24get < /etc/openldap/idmap.LDIF
2455 Samba automatically populates this LDAP directory container when it needs to.
2459 <indexterm><primary>slapcat</primary></indexterm>
2460 It looks like all has gone well, as expected. Let's confirm that this is the case
2461 by running a few tests. First we check the contents of the database directly
2462 by running <command>slapcat</command> as follows (the output has been cut down):
2464 &rootprompt; slapcat
2466 objectClass: dcObject
2467 objectClass: organization
2470 structuralObjectClass: organization
2471 entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
2472 creatorsName: cn=Manager,dc=abmas,dc=biz
2473 createTimestamp: 20031217234200Z
2474 entryCSN: 2003121723:42:00Z#0x0001#0#0000
2475 modifiersName: cn=Manager,dc=abmas,dc=biz
2476 modifyTimestamp: 20031217234200Z
2478 dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
2479 objectClass: posixGroup
2480 objectClass: sambaGroupMapping
2482 cn: Domain Computers
2483 description: Netbios Domain Computers accounts
2484 sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
2486 displayName: Domain Computers
2487 structuralObjectClass: posixGroup
2488 entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
2489 creatorsName: cn=Manager,dc=abmas,dc=biz
2490 createTimestamp: 20031217234206Z
2491 entryCSN: 2003121723:42:06Z#0x0002#0#0000
2492 modifiersName: cn=Manager,dc=abmas,dc=biz
2493 modifyTimestamp: 20031217234206Z
2495 This looks good so far.
2499 <indexterm><primary>ldapsearch</primary></indexterm>
2500 The next step is to prove that the LDAP server is running and responds to a
2501 search request. Execute the following as shown (output has been cut to save space):
2503 &rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
2507 # base <dc=abmas,dc=biz> with scope sub
2508 # filter: (ObjectClass=*)
2514 objectClass: dcObject
2515 objectClass: organization
2520 dn: ou=People,dc=abmas,dc=biz
2521 objectClass: organizationalUnit
2524 # Domain Computers, Groups, abmas.biz
2525 dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
2526 objectClass: posixGroup
2527 objectClass: sambaGroupMapping
2529 cn: Domain Computers
2530 description: Netbios Domain Computers accounts
2531 sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
2533 displayName: Domain Computers
2542 Good. It is all working just fine.
2546 <indexterm><primary>getent</primary></indexterm>
2547 You must now make certain that the NSS resolver can interrogate LDAP also.
2548 Execute the following commands:
2550 &rootprompt; getent passwd | grep root
2551 root:x:998:512:Netbios Domain Administrator:/home:/bin/false
2553 &rootprompt; getent group | grep Domain
2554 Domain Admins:x:512:root
2556 Domain Guests:x:514:
2557 Domain Computers:x:553:
2559 <indexterm><primary>nss_ldap</primary></indexterm>
2560 This demonstrates that the <command>nss_ldap</command> library is functioning
2561 as it should. If these two steps fail to produce this information, refer to
2562 <link linkend="sbeavoid"/> for diagnostic procedures that can be followed to
2563 isolate the cause of the problem. Proceed to the next step only when the previous steps
2564 have been successfully completed.
2568 <indexterm><primary>smbldap-useradd</primary></indexterm>
2569 <indexterm><primary>smbldap-passwd</primary></indexterm>
2570 <indexterm><primary>smbpasswd</primary></indexterm>
2571 Our database is now ready for the addition of network users. For each user for
2572 whom an account must be created, execute the following:
2574 &rootprompt; ./smbldap-useradd -m -a <constant>username</constant>
2575 &rootprompt; ./smbldap-passwd <constant>username</constant>
2576 Changing password for <constant>username</constant>
2577 New password : XXXXXXXX
2578 Retype new password : XXXXXXXX
2580 &rootprompt; smbpasswd <constant>username</constant>
2581 New SMB password: XXXXXXXX
2582 Retype new SMB password: XXXXXXXX
2584 where <constant>username</constant> is the login ID for each user.
2588 <indexterm><primary>getent</primary></indexterm>
2589 Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the
2592 &rootprompt; getent passwd
2593 root:x:0:0:root:/root:/bin/bash
2594 bin:x:1:1:bin:/bin:/bin/bash
2596 root:x:0:512:Netbios Domain Administrator:/home:/bin/false
2597 nobody:x:999:514:nobody:/dev/null:/bin/false
2598 bobj:x:1000:513:System User:/home/bobj:/bin/bash
2599 stans:x:1001:513:System User:/home/stans:/bin/bash
2600 chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
2601 maryv:x:1003:513:System User:/home/maryv:/bin/bash
2603 This demonstrates that user account resolution via LDAP is working.
2607 This step will determine whether or not identity resolution is working correctly.
2608 Do not procede is this step fails, rather find the cause of the failure. The
2609 <command>id</command> command may be used to validate your configuration so far,
2612 &rootprompt; id chrisr
2613 uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
2615 This confirms that the UNIX (POSIX) user account information can be resolved from LDAP
2616 by system tools that make a getentpw() system call.
2620 <indexterm><primary>smbldap-usermod</primary></indexterm>
2621 The root account must have UID=0; if not, this means that operations conducted from
2622 a Windows client using tools such as the Domain User Manager fails under UNIX because
2623 the management of user and group accounts requires that the UID=0. Additionally, it is
2624 a good idea to make certain that no matter how root account credentials are resolved,
2625 the home directory and shell are valid. You decide to effect this immediately
2626 as demonstrated here:
2628 &rootprompt; cd /opt/IDEALX/sbin
2629 &rootprompt; ./smbldap-usermod -u 0 -d /root -s /bin/bash root
2634 Verify that the changes just made to the <constant>root</constant> account were
2635 accepted by executing:
2637 &rootprompt; getent passwd | grep root
2638 root:x:0:0:root:/root:/bin/bash
2639 root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
2641 This demonstrates that the changes were accepted.
2645 Make certain that a home directory has been created for every user by listing the
2646 directories in <filename>/home</filename> as follows:
2648 &rootprompt; ls -al /home
2649 drwxr-xr-x 8 root root 176 Dec 17 18:50 ./
2650 drwxr-xr-x 21 root root 560 Dec 15 22:19 ../
2651 drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/
2652 drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/
2653 drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/
2654 drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
2656 This is precisely what we want to see.
2660 <indexterm><primary>ldapsam</primary></indexterm>
2661 <indexterm><primary>pdbedit</primary></indexterm>
2662 The final validation step involves making certain that Samba-3 can obtain the user
2663 accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
2665 &rootprompt; pdbedit -Lv chrisr
2666 Unix username: chrisr
2669 User SID: S-1-5-21-3504140859-1010554828-2431957765-3004
2670 Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513
2671 Full Name: System User
2672 Home Directory: \\MASSIVE\homes
2674 Logon Script: scripts\login.cmd
2675 Profile Path: \\MASSIVE\profiles\chrisr
2677 Account desc: System User
2681 Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
2682 Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
2683 Password last set: Wed, 17 Dec 2003 17:17:40 GMT
2684 Password can change: Wed, 17 Dec 2003 17:17:40 GMT
2685 Password must change: Mon, 18 Jan 2038 20:14:07 GMT
2686 Last bad password : 0
2687 Bad password count : 0
2688 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
2690 This looks good. Of course, you fully expected that it would all work, didn't you?
2694 <indexterm><primary>smbldap-groupadd</primary></indexterm>
2695 Now you add the group accounts that are used on the Abmas network. Execute
2696 the following exactly as shown:
2698 &rootprompt; ./smbldap-groupadd -a Accounts
2699 &rootprompt; ./smbldap-groupadd -a Finances
2700 &rootprompt; ./smbldap-groupadd -a PIOps
2702 The addition of groups does not involve keyboard interaction, so the lack of console
2703 output is of no concern.
2707 <indexterm><primary>getent</primary></indexterm>
2708 You really do want to confirm that UNIX group resolution from LDAP is functioning
2709 as it should. Let's do this as shown here:
2711 &rootprompt; getent group
2713 Domain Admins:x:512:root
2714 Domain Users:x:513:bobj,stans,chrisr,maryv
2715 Domain Guests:x:514:
2721 The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
2722 as our own site-specific group accounts, are correctly listed. This is looking good.
2726 <indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>list</tertiary></indexterm>
2727 The final step we need to validate is that Samba can see all the Windows domain groups
2728 and that they are correctly mapped to the respective UNIX group account. To do this,
2729 just execute the following command:
2731 &rootprompt; net groupmap list
2732 Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
2733 Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
2734 Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
2736 Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
2737 Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
2738 PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
2740 This is looking good. Congratulations &smbmdash; it works! Note that in the above output
2741 the lines were shortened by replacing the middle value (1010554828) of the SID with the
2746 The server you have so carefully built is now ready for another important step. You
2747 start the Samba-3 server and validate its operation. Execute the following to render all
2748 the processes needed fully operative so that, on system reboot, they are automatically
2751 &rootprompt; chkconfig named on
2752 &rootprompt; chkconfig dhcpd on
2753 &rootprompt; chkconfig ldap on
2754 &rootprompt; chkconfig nmb on
2755 &rootprompt; chkconfig smb on
2756 &rootprompt; chkconfig winbind on
2757 &rootprompt; rcnmb start
2758 &rootprompt; rcsmb start
2759 &rootprompt; rcwinbind start
2764 The next step might seem a little odd at this point, but take note that you are about to
2765 start <command>winbindd</command>, which must be able to authenticate to the PDC via the
2766 localhost interface with the <command>smbd</command> process. This account can be
2767 easily created by joining the PDC to the domain by executing the following command:
2769 &rootprompt; net rpc join -S MASSIVE -U root%not24get
2771 Note: Before executing this command on the PDC, both <command>nmbd</command> and
2772 <command>smbd</command> must be started so that the <command>net</command> command
2773 can communicate with <command>smbd</command>. The expected output is as follows:
2775 Joined domain MEGANET2.
2777 This indicates that the domain security account for the PDC has been correctly created.
2781 At this time it is necessary to restart <command>winbindd</command> so that it can
2782 correctly authenticate to the PDC. The following command achieves that:
2784 &rootprompt; rcwinbind restart
2789 <indexterm><primary>smbclient</primary></indexterm>
2790 You may now check Samba-3 operation as follows:
2792 &rootprompt; smbclient -L massive -U%
2794 Sharename Type Comment
2795 --------- ---- -------
2796 IPC$ IPC IPC Service (Samba 3.0.20)
2797 accounts Disk Accounting Files
2798 service Disk Financial Services Files
2799 pidata Disk Property Insurance Files
2800 apps Disk Application Files
2801 netlogon Disk Network Logon Service
2802 profiles Disk Profile Share
2803 profdata Disk Profile Data Share
2804 ADMIN$ IPC IPC Service (Samba 3.0.20)
2808 MASSIVE Samba 3.0.20
2814 This shows that an anonymous connection is working.
2818 For your finale, let's try an authenticated connection:
2820 &rootprompt; smbclient //massive/bobj -Ubobj%n3v3r2l8
2822 . D 0 Wed Dec 17 01:16:19 2003
2823 .. D 0 Wed Dec 17 19:04:42 2003
2824 bin D 0 Tue Sep 2 04:00:57 2003
2825 Documents D 0 Sun Nov 30 07:28:20 2003
2826 public_html D 0 Sun Nov 30 07:28:20 2003
2827 .urlview H 311 Fri Jul 7 06:55:35 2000
2828 .dvipsrc H 208 Fri Nov 17 11:22:02 1995
2830 57681 blocks of size 524288. 57128 blocks available
2833 Well done. All is working fine.
2838 The server <constant>MASSIVE</constant> is now configured, and it is time to move onto the next task.
2843 <sect2 id="sbehap-ptrcfg">
2844 <title>Printer Configuration</title>
2847 <indexterm><primary>CUPS</primary></indexterm>
2848 The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
2849 taken care of in the &smb.conf; file. The only preparation needed for <constant>smart</constant>
2850 printing to be possible involves creation of the directories in which Samba-3 stores
2851 Windows printing driver files.
2855 <title>Printer Configuration Steps</title>
2858 Configure all network-attached printers to have a fixed IP address.
2862 Create an entry in the DNS database on the server <constant>MASSIVE</constant>
2863 in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
2864 and in the reverse lookup database for the network segment that the printer is to
2865 be located in. Example configuration files for similar zones were presented in <link linkend="secure"/>,
2866 <link linkend="abmasbiz"/> and in <link linkend="eth2zone"/>.
2870 Follow the instructions in the printer manufacturers' manuals to permit printing
2871 to port 9100. Use any other port the manufacturer specifies for direct mode,
2872 raw printing. This allows the CUPS spooler to print using raw mode protocols.
2873 <indexterm><primary>CUPS</primary></indexterm>
2874 <indexterm><primary>raw printing</primary></indexterm>
2878 <indexterm><primary>lpadmin</primary></indexterm>
2879 <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
2880 Only on the server to which the printer is attached, configure the CUPS Print
2883 &rootprompt; lpadmin -p <parameter>printque</parameter>
2884 -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
2886 <indexterm><primary>print filter</primary></indexterm>
2887 This step creates the necessary print queue to use no assigned print filter. This
2888 is ideal for raw printing, that is, printing without use of filters.
2889 The name <parameter>printque</parameter> is the name you have assigned for
2890 the particular printer.
2894 Print queues may not be enabled at creation. Make certain that the queues
2895 you have just created are enabled by executing the following:
2897 &rootprompt; /usr/bin/enable <parameter>printque</parameter>
2902 Even though your print queue may be enabled, it is still possible that it
2903 may not accept print jobs. A print queue will service incoming printing
2904 requests only when configured to do so. Ensure that your print queue is
2905 set to accept incoming jobs by executing the following commands:
2907 &rootprompt; /usr/bin/accept <parameter>printque</parameter>
2912 <indexterm><primary>mime type</primary></indexterm>
2913 <indexterm><primary>/etc/mime.convs</primary></indexterm>
2914 <indexterm><primary>application/octet-stream</primary></indexterm>
2915 Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
2917 application/octet-stream application/vnd.cups-raw 0 -
2922 <indexterm><primary>/etc/mime.types</primary></indexterm>
2923 Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
2925 application/octet-stream
2930 Refer to the CUPS printing manual for instructions regarding how to configure
2931 CUPS so that print queues that reside on CUPS servers on remote networks
2932 route print jobs to the print server that owns that queue. The default setting
2933 on your CUPS server may automatically discover remotely installed printers and
2934 may permit this functionality without requiring specific configuration.
2938 The following action creates the necessary directory subsystem. Follow these
2939 steps to printing heaven:
2941 &rootprompt; mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
2942 &rootprompt; chown -R root:root /var/lib/samba/drivers
2943 &rootprompt; chmod -R ug=rwx,o=rx /var/lib/samba/drivers
2953 <sect1 id="sbehap-bldg1">
2954 <title>Samba-3 BDC Configuration</title>
2957 <title>Configuration of BDC Called: <constant>BLDG1</constant></title>
2960 Install the files in <link linkend="sbehap-bldg1-smbconf"/>,
2961 <link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
2962 into the <filename>/etc/samba/</filename> directory. The three files
2963 should be added together to form the &smb.conf; file.
2967 Verify the &smb.conf; file as in step 2 of <link
2968 linkend="sbehap-massive"/>.
2972 Carefully follow the steps outlined in <link linkend="sbehap-PAM-NSS"/>, taking
2973 particular note to install the correct <filename>ldap.conf</filename>.
2977 Verify that the NSS resolver is working. You may need to cycle the run level
2978 to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
2983 After the run level has been achieved, you are prompted to provide the
2984 <constant>root</constant> password. Log on, and then execute:
2988 When the normal logon prompt appears, log into the system as <constant>root</constant>
2989 and then execute these commands:
2991 &rootprompt; getent passwd
2992 root:x:0:0:root:/root:/bin/bash
2993 bin:x:1:1:bin:/bin:/bin/bash
2994 daemon:x:2:2:Daemon:/sbin:/bin/bash
2995 lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
2996 mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
2998 root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
2999 nobody:x:999:514:nobody:/dev/null:/bin/false
3000 bobj:x:1000:513:System User:/home/bobj:/bin/bash
3001 stans:x:1001:513:System User:/home/stans:/bin/bash
3002 chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
3003 maryv:x:1003:513:System User:/home/maryv:/bin/bash
3004 vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
3005 bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
3007 This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
3011 <indexterm><primary>getent</primary></indexterm>
3012 The next step in the verification process involves testing the operation of UNIX group
3013 resolution via the NSS LDAP resolver. Execute these commands:
3015 &rootprompt; getent group
3021 Domain Admins:x:512:root
3022 Domain Users:x:513:bobj,stans,chrisr,maryv,jht
3023 Domain Guests:x:514:
3024 Administrators:x:544:
3028 Account Operators:x:548:
3029 Server Operators:x:549:
3030 Print Operators:x:550:
3031 Backup Operators:x:551:
3033 Domain Computers:x:553:
3038 This is also the correct and desired output, because it demonstrates that the LDAP client
3039 is able to communicate correctly with the LDAP server (<constant>MASSIVE</constant>).
3043 <indexterm><primary>smbpasswd</primary></indexterm>
3044 You must now set the LDAP administrative password into the Samba-3 <filename>secrets.tdb</filename>
3045 file by executing this command:
3047 &rootprompt; smbpasswd -w not24get
3048 Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
3053 Now you must obtain the domain SID from the PDC and store it into the
3054 <filename>secrets.tdb</filename> file also. This step is not necessary with an LDAP
3055 passdb backend because Samba-3 obtains the domain SID from the
3056 sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
3057 add the SID to the <filename>secrets.tdb</filename>, and if you wish to do so, this
3058 command can achieve that:
3060 &rootprompt; net rpc getsid MEGANET2
3061 Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
3062 for Domain MEGANET2 in secrets.tdb
3064 When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
3065 any special action to join it to the domain. However, winbind communicates with the
3066 domain controller that is running on the localhost and must be able to authenticate,
3067 thus requiring that the BDC should be joined to the domain. The process of joining
3068 the domain creates the necessary authentication accounts.
3072 To join the Samba BDC to the domain, execute the following:
3074 &rootprompt; net rpc join -U root%not24get
3075 Joined domain MEGANET2.
3077 This indicates that the domain security account for the BDC has been correctly created.
3082 <primary>pdbedit</primary>
3084 Verify that user and group account resolution works via Samba-3 tools as follows:
3086 &rootprompt; pdbedit -L
3089 bobj:1000:System User
3090 stans:1001:System User
3091 chrisr:1002:System User
3092 maryv:1003:System User
3095 &rootprompt; net groupmap list
3096 Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
3097 Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
3098 Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
3099 Administrators (S-1-5-21-3504140859-...-2431957765-544) -> Administrators
3101 Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
3102 Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
3103 PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
3105 These results show that all things are in order.
3109 The server you have so carefully built is now ready for another important step. Now
3110 start the Samba-3 server and validate its operation. Execute the following to render all
3111 the processes needed fully operative so that, upon system reboot, they are automatically
3114 &rootprompt; chkconfig named on
3115 &rootprompt; chkconfig dhcpd on
3116 &rootprompt; chkconfig nmb on
3117 &rootprompt; chkconfig smb on
3118 &rootprompt; chkconfig winbind on
3119 &rootprompt; rcnmb start
3120 &rootprompt; rcsmb start
3121 &rootprompt; rcwinbind start
3123 Samba-3 should now be running and is ready for a quick test. But not quite yet!
3127 Your new <constant>BLDG1, BLDG2</constant> servers do not have home directories for users.
3128 To rectify this using the SUSE yast2 utility or by manually editing the <filename>/etc/fstab</filename>
3129 file, add a mount entry to mount the <constant>home</constant> directory that has been exported
3130 from the <constant>MASSIVE</constant> server. Mount this resource before proceeding. An alternate
3131 approach could be to create local home directories for users who are to use these machines.
3132 This is a choice that you, as system administrator, must make. The following entry in the
3133 <filename>/etc/fstab</filename> file suffices for now:
3135 massive.abmas.biz:/home /home nfs rw 0 0
3137 To mount this resource, execute:
3139 &rootprompt; mount -a
3141 Verify that the home directory has been mounted as follows:
3143 &rootprompt; df | grep home
3144 massive:/home 29532988 283388 29249600 1% /home
3149 Implement a quick check using one of the users that is in the LDAP database. Here you go:
3151 &rootprompt; smbclient //bldg1/bobj -Ubobj%n3v3r2l8
3153 . D 0 Wed Dec 17 01:16:19 2003
3154 .. D 0 Wed Dec 17 19:04:42 2003
3155 bin D 0 Tue Sep 2 04:00:57 2003
3156 Documents D 0 Sun Nov 30 07:28:20 2003
3157 public_html D 0 Sun Nov 30 07:28:20 2003
3158 .urlview H 311 Fri Jul 7 06:55:35 2000
3159 .dvipsrc H 208 Fri Nov 17 11:22:02 1995
3161 57681 blocks of size 524288. 57128 blocks available
3169 Now that the first BDC (<constant>BDLG1</constant>) has been configured it is time to build
3170 and configure the second BDC server (<constant>BLDG2</constant>) as follows:
3173 <procedure id="sbehap-bldg2">
3174 <title>Configuration of BDC Called <constant>BLDG2</constant></title>
3177 Install the files in <link linkend="sbehap-bldg2-smbconf"/>,
3178 <link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
3179 into the <filename>/etc/samba/</filename> directory. The three files
3180 should be added together to form the &smb.conf; file.
3184 Follow carefully the steps shown in <link linkend="sbehap-bldg1"/>, starting at step 2.
3189 <example id="sbehap-bldg1-smbconf">
3190 <title>LDAP Based &smb.conf; File, Server: BLDG1</title>
3192 <smbconfcomment>Global parameters</smbconfcomment>
3193 <smbconfsection name="[global]"/>
3194 <smbconfoption name="unix charset">LOCALE</smbconfoption>
3195 <smbconfoption name="workgroup">MEGANET2</smbconfoption>
3196 <smbconfoption name="netbios name">BLDG1</smbconfoption>
3197 <smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
3198 <smbconfoption name="enable privileges">Yes</smbconfoption>
3199 <smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
3200 <smbconfoption name="log level">1</smbconfoption>
3201 <smbconfoption name="syslog">0</smbconfoption>
3202 <smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
3203 <smbconfoption name="max log size">50</smbconfoption>
3204 <smbconfoption name="smb ports">139 445</smbconfoption>
3205 <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
3206 <smbconfoption name="printcap name">CUPS</smbconfoption>
3207 <smbconfoption name="show add printer wizard">No</smbconfoption>
3208 <smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
3209 <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
3210 <smbconfoption name="logon drive">X:</smbconfoption>
3211 <smbconfoption name="domain logons">Yes</smbconfoption>
3212 <smbconfoption name="domain master">No</smbconfoption>
3213 <smbconfoption name="wins server">172.16.0.1</smbconfoption>
3214 <smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
3215 <smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
3216 <smbconfoption name="ldap user suffix">ou=People</smbconfoption>
3217 <smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
3218 <smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
3219 <smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
3220 <smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
3221 <smbconfoption name="idmap uid">10000-20000</smbconfoption>
3222 <smbconfoption name="idmap gid">10000-20000</smbconfoption>
3223 <smbconfoption name="printing">cups</smbconfoption>
3224 <smbconfoption name="printer admin">root, chrisr</smbconfoption>
3229 <example id="sbehap-bldg2-smbconf">
3230 <title>LDAP Based &smb.conf; File, Server: BLDG2</title>
3232 <smbconfcomment>Global parameters</smbconfcomment>
3233 <smbconfsection name="[global]"/>
3234 <smbconfoption name="unix charset">LOCALE</smbconfoption>
3235 <smbconfoption name="workgroup">MEGANET2</smbconfoption>
3236 <smbconfoption name="netbios name">BLDG2</smbconfoption>
3237 <smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
3238 <smbconfoption name="enable privileges">Yes</smbconfoption>
3239 <smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
3240 <smbconfoption name="log level">1</smbconfoption>
3241 <smbconfoption name="syslog">0</smbconfoption>
3242 <smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
3243 <smbconfoption name="max log size">50</smbconfoption>
3244 <smbconfoption name="smb ports">139 445</smbconfoption>
3245 <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
3246 <smbconfoption name="printcap name">CUPS</smbconfoption>
3247 <smbconfoption name="show add printer wizard">No</smbconfoption>
3248 <smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
3249 <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
3250 <smbconfoption name="logon drive">X:</smbconfoption>
3251 <smbconfoption name="domain logons">Yes</smbconfoption>
3252 <smbconfoption name="domain master">No</smbconfoption>
3253 <smbconfoption name="wins server">172.16.0.1</smbconfoption>
3254 <smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
3255 <smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
3256 <smbconfoption name="ldap user suffix">ou=People</smbconfoption>
3257 <smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
3258 <smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
3259 <smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
3260 <smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
3261 <smbconfoption name="idmap uid">10000-20000</smbconfoption>
3262 <smbconfoption name="idmap gid">10000-20000</smbconfoption>
3263 <smbconfoption name="printing">cups</smbconfoption>
3264 <smbconfoption name="printer admin">root, chrisr</smbconfoption>
3269 <example id="sbehap-shareconfa">
3270 <title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part A</title>
3272 <smbconfsection name="[accounts]"/>
3273 <smbconfoption name="comment">Accounting Files</smbconfoption>
3274 <smbconfoption name="path">/data/accounts</smbconfoption>
3275 <smbconfoption name="read only">No</smbconfoption>
3277 <smbconfsection name="[service]"/>
3278 <smbconfoption name="comment">Financial Services Files</smbconfoption>
3279 <smbconfoption name="path">/data/service</smbconfoption>
3280 <smbconfoption name="read only">No</smbconfoption>
3282 <smbconfsection name="[pidata]"/>
3283 <smbconfoption name="comment">Property Insurance Files</smbconfoption>
3284 <smbconfoption name="path">/data/pidata</smbconfoption>
3285 <smbconfoption name="read only">No</smbconfoption>
3287 <smbconfsection name="[homes]"/>
3288 <smbconfoption name="comment">Home Directories</smbconfoption>
3289 <smbconfoption name="valid users">%S</smbconfoption>
3290 <smbconfoption name="read only">No</smbconfoption>
3291 <smbconfoption name="browseable">No</smbconfoption>
3293 <smbconfsection name="[printers]"/>
3294 <smbconfoption name="comment">SMB Print Spool</smbconfoption>
3295 <smbconfoption name="path">/var/spool/samba</smbconfoption>
3296 <smbconfoption name="guest ok">Yes</smbconfoption>
3297 <smbconfoption name="printable">Yes</smbconfoption>
3298 <smbconfoption name="browseable">No</smbconfoption>
3302 <example id="sbehap-shareconfb">
3303 <title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part B</title>
3305 <smbconfsection name="[apps]"/>
3306 <smbconfoption name="comment">Application Files</smbconfoption>
3307 <smbconfoption name="path">/apps</smbconfoption>
3308 <smbconfoption name="admin users">bjordan</smbconfoption>
3309 <smbconfoption name="read only">No</smbconfoption>
3311 <smbconfsection name="[netlogon]"/>
3312 <smbconfoption name="comment">Network Logon Service</smbconfoption>
3313 <smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
3314 <smbconfoption name="guest ok">Yes</smbconfoption>
3315 <smbconfoption name="locking">No</smbconfoption>
3317 <smbconfsection name="[profiles]"/>
3318 <smbconfoption name="comment">Profile Share</smbconfoption>
3319 <smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
3320 <smbconfoption name="read only">No</smbconfoption>
3321 <smbconfoption name="profile acls">Yes</smbconfoption>
3323 <smbconfsection name="[profdata]"/>
3324 <smbconfoption name="comment">Profile Data Share</smbconfoption>
3325 <smbconfoption name="path">/var/lib/samba/profdata</smbconfoption>
3326 <smbconfoption name="read only">No</smbconfoption>
3327 <smbconfoption name="profile acls">Yes</smbconfoption>
3329 <smbconfsection name="[print$]"/>
3330 <smbconfoption name="comment">Printer Drivers</smbconfoption>
3331 <smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
3332 <smbconfoption name="browseable">yes</smbconfoption>
3333 <smbconfoption name="guest ok">no</smbconfoption>
3334 <smbconfoption name="read only">yes</smbconfoption>
3335 <smbconfoption name="write list">root, chrisr</smbconfoption>
3339 <example id="sbehap-ldifadd">
3340 <title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title>
3342 dn: ou=Idmap,dc=abmas,dc=biz
3343 objectClass: organizationalUnit
3345 structuralObjectClass: organizationalUnit
3352 <title>Miscellaneous Server Preparation Tasks</title>
3355 My father would say, <quote>Dinner is not over until the dishes have been done.</quote>
3356 The makings of a great network environment take a lot of effort and attention to detail.
3357 So far, you have completed most of the complex (and to many administrators, the interesting
3358 part of server configuration) steps, but remember to tie it all together. Here are
3359 a few more steps that must be completed so that your network runs like a well-rehearsed
3364 <title>Configuring Directory Share Point Roots</title>
3367 In your &smb.conf; file, you have specified Windows shares. Each has a <parameter>path</parameter>
3368 parameter. Even though it is obvious to all, one of the common Samba networking problems is
3369 caused by forgetting to verify that every such share root directory actually exists and that it
3370 has the necessary permissions and ownership.
3374 Here is an example, but remember to create the directory needed for every share:
3376 &rootprompt; mkdir -p /data/{accounts,finsvcs,piops}
3377 &rootprompt; mkdir -p /apps
3378 &rootprompt; chown -R root:root /data
3379 &rootprompt; chown -R root:root /apps
3380 &rootprompt; chown -R bobj:Accounts /data/accounts
3381 &rootprompt; chown -R bobj:Finances /data/finsvcs
3382 &rootprompt; chown -R bobj:PIOps /data/pidata
3383 &rootprompt; chmod -R ug+rwxs,o-rwx /data
3384 &rootprompt; chmod -R ug+rwx,o+rx-w /apps
3391 <title>Configuring Profile Directories</title>
3394 You made a conscious decision to do everything it would take to improve network client
3395 performance. One of your decisions was to implement folder redirection. This means that Windows
3396 user desktop profiles are now made up of two components: a dynamically loaded part and a set of file
3401 For this arrangement to work, every user needs a directory structure for the network folder
3402 portion of his or her profile as shown here:
3404 &rootprompt; mkdir -p /var/lib/samba/profdata
3405 &rootprompt; chown root:root /var/lib/samba/profdata
3406 &rootprompt; chmod 755 /var/lib/samba/profdata
3408 # Per user structure
3409 &rootprompt; cd /var/lib/samba/profdata
3410 &rootprompt; mkdir -p <emphasis>username</emphasis>
3411 &rootprompt; for i in InternetFiles Cookies History AppData \
3412 LocalSettings MyPictures MyDocuments Recent
3414 &rootprompt; mkdir <emphasis>username</emphasis>/$i
3416 &rootprompt; chown -R <emphasis>username</emphasis>:Domain\ Users <emphasis>username</emphasis>
3417 &rootprompt; chmod -R 750 <emphasis>username</emphasis>
3422 <indexterm><primary>roaming profile</primary></indexterm>
3423 <indexterm><primary>mandatory profile</primary></indexterm>
3424 You have three options insofar as the dynamically loaded portion of the roaming profile
3429 <listitem><para>You may permit the user to obtain a default profile.</para></listitem>
3430 <listitem><para>You can create a mandatory profile.</para></listitem>
3431 <listitem><para>You can create a group profile (which is almost always a mandatory profile).</para></listitem>
3435 Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory
3436 profile is effected by renaming the <filename>NTUSER.DAT</filename> to <filename>NTUSER.MAN</filename>,
3437 that is, just by changing the filename extension.
3441 <indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
3442 <indexterm><primary>Domain User Manager</primary></indexterm>
3443 The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend.
3444 You can manage this using the Idealx smbldap-tools or using the
3445 <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">Windows NT4 Domain User Manager</ulink>.
3449 It may not be obvious that you must ensure that the root directory for the user's profile exists
3450 and has the needed permissions. Use the following commands to create this directory:
3452 &rootprompt; mkdir -p /var/lib/samba/profiles/<emphasis>username</emphasis>
3453 &rootprompt; chown <emphasis>username</emphasis>:Domain\ Users
3454 /var/lib/samba/profiles/<emphasis>username</emphasis>
3455 &rootprompt; chmod 700 /var/lib/samba/profiles/<emphasis>username</emphasis>
3462 <title>Preparation of Logon Scripts</title>
3465 <indexterm><primary>logon script</primary></indexterm>
3466 The use of a logon script with Windows XP Professional is an option that every site should consider.
3467 Unless you have locked down the desktop so the user cannot change anything, there is risk that
3468 a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
3469 can help to restore persistent network folder (drive) and printer connections in a predictable
3470 manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
3471 user attaches to another company's network that forces environment changes that are alien to your
3476 If you decide to use network logon scripts, by reference to the &smb.conf; files for the domain
3477 controllers, you see that the path to the share point for the <constant>NETLOGON</constant>
3478 share defined is <filename>/var/lib/samba/netlogon</filename>. The path defined for the logon
3479 script inside that share is <filename>scripts\logon.bat</filename>. This means that as a Windows
3480 NT/200x/XP client logs onto the network, it tries to obtain the file <filename>logon.bat</filename>
3481 from the fully qualified path <filename>/var/lib/samba/netlogon/scripts</filename>. This fully
3482 qualified path should therefore exist whether you install the <filename>logon.bat</filename>.
3486 You can, of course, create the fully qualified path by executing:
3488 &rootprompt; mkdir -p /var/lib/samba/netlogon/scripts
3493 You should research the options for logon script implementation by referring to <emphasis>TOSHARG</emphasis>, Chapter 24,
3494 Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon
3495 facilities in use today is called <ulink url="http://www.kixtart.org">KiXtart</ulink>.
3501 <title>Assigning User Rights and Privileges</title>
3504 The ability to perform tasks such as joining Windows clients to the domain can be assigned to
3505 normal user accounts. By default, only the domain administrator account (<constant>root</constant> on UNIX
3506 systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
3507 this privilege in a very limited fashion to particular accounts.
3511 By default, even Samba-3.0.11 does not grant any rights even to the <constant>Domain Admins</constant>
3512 group. Here we grant this group all privileges.
3516 Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
3517 are granted rights can be restricted to particular machines. It is left to the network administrator
3518 to determine which rights should be provided and to whom.
3522 <title>Steps for Assignment of User Rights and Privileges</title>
3525 Log onto the PDC as the <constant>root</constant> account.
3529 Execute the following command to grant the <constant>Domain Admins</constant> group all
3530 rights and privileges:
3532 &rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
3533 "MEGANET2\Domain Admins" SeMachineAccountPrivilege \
3534 SePrintOperatorPrivilege SeAddUsersPrivilege \
3535 SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
3536 Successfully granted rights.
3538 Repeat this step on each domain controller, in each case substituting the name of the server
3539 (e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE.
3543 In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
3544 to the domain. Execute the following only on the PDC. It is not necessary to do this on
3545 BDCs or on DMS machines because machine accounts are only ever added by the PDC:
3547 &rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
3548 "MEGANET2\bobj" SeMachineAccountPrivilege
3549 Successfully granted rights.
3554 Verify that privilege assignments have been correctly applied by executing:
3556 net rpc rights list accounts -Uroot%not24get
3558 SeMachineAccountPrivilege
3561 No privileges assigned
3563 BUILTIN\Print Operators
3564 No privileges assigned
3566 BUILTIN\Account Operators
3567 No privileges assigned
3569 BUILTIN\Backup Operators
3570 No privileges assigned
3572 BUILTIN\Server Operators
3573 No privileges assigned
3575 BUILTIN\Administrators
3576 No privileges assigned
3579 No privileges assigned
3581 MEGANET2\Domain Admins
3582 SeMachineAccountPrivilege
3583 SePrintOperatorPrivilege
3585 SeRemoteShutdownPrivilege
3586 SeDiskOperatorPrivilege
3597 <title>Windows Client Configuration</title>
3600 <indexterm><primary>NETLOGON</primary></indexterm>
3601 In the next few sections, you can configure a new Windows XP Professional disk image on a staging
3602 machine. You will configure all software, printer settings, profile and policy handling, and desktop
3603 default profile settings on this system. When it is complete, you copy the contents of the
3604 <filename>C:\Documents and Settings\Default User</filename> directory to a directory with the same
3605 name in the <constant>NETLOGON</constant> share on the domain controllers.
3609 Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
3610 One knowledge-base article in particular stands out:
3611 "<ulink url="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475">How to Create a
3612 Base Profile for All Users."</ulink>
3616 <sect2 id="redirfold">
3617 <title>Configuration of Default Profile with Folder Redirection</title>
3620 <indexterm><primary>folder redirection</primary></indexterm>
3621 Log onto the Windows XP Professional workstation as the local <constant>Administrator</constant>.
3622 It is necessary to expose folders that are generally hidden to provide access to the
3623 <constant>Default User</constant> folder.
3627 <title>Expose Hidden Folders</title>
3630 Launch the Windows Explorer by clicking
3632 <guimenu>Start</guimenu>
3633 <guimenuitem>My Computer</guimenuitem>
3634 <guimenuitem>Tools</guimenuitem>
3635 <guimenuitem>Folder Options</guimenuitem>
3636 <guimenuitem>View Tab</guimenuitem>
3638 Select <guilabel>Show hidden files and folders</guilabel>,
3639 and click <guibutton>OK</guibutton>. Exit Windows Explorer.
3643 <indexterm><primary>regedt32</primary></indexterm>
3644 Launch the Registry Editor. Click
3646 <guimenu>Start</guimenu>
3647 <guimenuitem>Run</guimenuitem>
3648 </menuchoice>. Key in <command>regedt32</command>, and click
3649 <guibutton>OK</guibutton>.
3657 <procedure id="sbehap-rdrfldr">
3658 <title>Redirect Folders in Default System User Profile</title>
3661 <indexterm><primary>HKEY_LOCAL_MACHINE</primary></indexterm>
3662 <indexterm><primary>Default User</primary></indexterm>
3663 Give focus to <constant>HKEY_LOCAL_MACHINE</constant> hive entry in the left panel.
3665 <guimenu>File</guimenu>
3666 <guimenuitem>Load Hive...</guimenuitem>
3667 <guimenuitem>Documents and Settings</guimenuitem>
3668 <guimenuitem>Default User</guimenuitem>
3669 <guimenuitem>NTUSER</guimenuitem>
3670 <guimenuitem>Open</guimenuitem>
3671 </menuchoice>. In the dialog box that opens, enter the key name
3672 <constant>Default</constant> and click <guibutton>OK</guibutton>.
3676 Browse inside the newly loaded Default folder to:
3678 HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
3679 CurrentVersion\Explorer\User Shell Folders\
3681 The right panel reveals the contents as shown in <link linkend="XP-screen001"/>.
3685 <indexterm><primary>%USERPROFILE%</primary></indexterm>
3686 <indexterm><primary>%LOGONSERVER%</primary></indexterm>
3687 You edit hive keys. Acceptable values to replace the
3688 <constant>%USERPROFILE%</constant> variable includes:
3691 <listitem><para>A drive letter such as <constant>U:</constant></para></listitem>
3692 <listitem><para>A direct network path such as
3693 <constant>\\MASSIVE\profdata</constant></para></listitem>
3694 <listitem><para>A network redirection (UNC name) that contains a macro such as </para>
3695 <para><constant>%LOGONSERVER%\profdata\</constant></para></listitem>
3700 <indexterm><primary>registry keys</primary></indexterm>
3701 Set the registry keys as shown in <link linkend="proffold"/>. Your implementation makes the assumption
3702 that users have statically located machines. Notebook computers (mobile users) need to be
3703 accommodated using local profiles. This is not an uncommon assumption.
3707 Click back to the root of the loaded hive <constant>Default</constant>.
3708 Click <menuchoice><guimenu>File</guimenu><guimenuitem>Unload Hive...</guimenuitem>
3709 <guimenuitem>Yes</guimenuitem></menuchoice>.
3713 <indexterm><primary>Registry Editor</primary></indexterm>
3714 Click <menuchoice><guimenu>File</guimenu><guimenuitem>Exit</guimenuitem></menuchoice>. This exits the
3719 Now follow the procedure given in <link linkend="sbehap-locgrppol"/>. Make sure that each folder you
3720 have redirected is in the exclusion list.
3724 You are now ready to copy<footnote><para>
3725 There is an alternate method by which a default user profile can be added to the
3726 <constant>NETLOGON</constant> share. This facility in the Windows System tool
3727 permits profiles to be exported. The export target may be a particular user or
3728 group profile share point or else the <constant>NETLOGON</constant> share.
3729 In this case, the profile directory must be named <constant>Default User</constant>.
3731 the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer,
3732 and use it to copy the full contents of the directory <filename>Default User</filename> that
3733 is in the <filename>C:\Documents and Settings</filename> to the root directory of the
3734 <constant>NETLOGON</constant> share. If the <constant>NETLOGON</constant> share has the defined
3735 UNIX path of <filename>/var/lib/samba/netlogon</filename>, when the copy is complete there must
3736 be a directory in there called <filename>Default User</filename>.
3742 Before puching out new desktop images for the client workstations, it is perhaps a good idea that
3743 desktop behavior should be returned to the original Microsoft settings. The followin steps achieve
3748 <title>Reset Folder Display to Original Behavior</title>
3751 To launch the Windows Explorer, click
3753 <guimenu>Start</guimenu>
3754 <guimenuitem>My Computer</guimenuitem>
3755 <guimenuitem>Tools</guimenuitem>
3756 <guimenuitem>Folder Options</guimenuitem>
3757 <guimenuitem>View Tab</guimenuitem>
3759 Deselect <guilabel>Show hidden files and folders</guilabel>, and click <guibutton>OK</guibutton>.
3760 Exit Windows Explorer.
3765 <figure id="XP-screen001">
3766 <title>Windows XP Professional &smbmdash; User Shared Folders</title>
3767 <imagefile scale="65">XP-screen001</imagefile>
3770 <table id="proffold">
3771 <title>Default Profile Redirections</title>
3773 <colspec align="left"/>
3774 <colspec align="left"/>
3777 <entry>Registry Key</entry>
3778 <entry>Redirected Value</entry>
3783 <entry>Cache</entry>
3784 <entry>%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</entry>
3787 <entry>Cookies</entry>
3788 <entry>%LOGONSERVER%\profdata\%USERNAME%\Cookies</entry>
3791 <entry>History</entry>
3792 <entry>%LOGONSERVER%\profdata\%USERNAME%\History</entry>
3795 <entry>Local AppData</entry>
3796 <entry>%LOGONSERVER%\profdata\%USERNAME%\AppData</entry>
3799 <entry>Local Settings</entry>
3800 <entry>%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</entry>
3803 <entry>My Pictures</entry>
3804 <entry>%LOGONSERVER%\profdata\%USERNAME%\MyPictures</entry>
3807 <entry>Personal</entry>
3808 <entry>%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</entry>
3811 <entry>Recent</entry>
3812 <entry>%LOGONSERVER%\profdata\%USERNAME%\Recent</entry>
3821 <title>Configuration of MS Outlook to Relocate PST File</title>
3824 <indexterm><primary>Outlook</primary><secondary>PST</secondary></indexterm>
3825 Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
3826 It is the nature of email storage that this file grows, at times quite rapidly.
3827 So that users' email is available to them at every workstation they may log onto,
3828 it is common practice in well-controlled sites to redirect the PST folder to the
3829 users' home directory. Follow these steps for each user who wishes to do this.
3833 It is presumed that Outlook Express has been configured for use.
3837 Launch Outlook Express 6. Click
3839 <guimenu>Tools</guimenu>
3840 <guimenuitem>Options</guimenuitem>
3841 <guimenuitem>Maintenance</guimenuitem>
3842 <guimenuitem>Store Folder</guimenuitem>
3843 <guimenuitem>Change</guimenuitem>
3848 Follow the on-screen prompts to relocate the PST file to the desired location.
3854 <title>Configure Delete Cached Profiles on Logout</title>
3857 Configure the Windows XP Professional client to auto-delete roaming profiles on logout:
3861 <indexterm><primary>MMC</primary></indexterm>
3864 <guimenu>Start</guimenu>
3865 <guimenuitem>Run</guimenuitem>
3866 </menuchoice>. In the dialog box, enter <command>MMC</command> and click <guibutton>OK</guibutton>.
3870 Follow these steps to set the default behavior of the staging machine so that all roaming
3871 profiles are deleted as network users log out of the system. Click
3873 <guimenu>File</guimenu>
3874 <guimenuitem>Add/Remove Snap-in</guimenuitem>
3875 <guimenuitem>Add</guimenuitem>
3876 <guimenuitem>Group Policy</guimenuitem>
3877 <guimenuitem>Add</guimenuitem>
3878 <guimenuitem>Finish</guimenuitem>
3879 <guimenuitem>Close</guimenuitem>
3880 <guimenuitem>OK</guimenuitem>
3885 <indexterm><primary>Microsoft Management Console</primary><see>MMC</see></indexterm>
3886 The Microsoft Management Console now shows the <guimenu>Group Policy</guimenu>
3887 utility that enables you to set the policies needed. In the left panel, click
3889 <guimenuitem>Local Computer Policy</guimenuitem>
3890 <guimenuitem>Administrative Templates</guimenuitem>
3891 <guimenuitem>System</guimenuitem>
3892 <guimenuitem>User Profiles</guimenuitem>
3893 </menuchoice>. In the right panel, set the properties shown here by double-clicking on each
3898 <listitem><para>Do not check for user ownership of Roaming Profile Folders = Enabled</para></listitem>
3899 <listitem><para>Delete cached copies of roaming profiles = Enabled</para></listitem>
3903 Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
3904 made of this system to deploy the new standard desktop system.
3910 <title>Uploading Printer Drivers to Samba Servers</title>
3913 <indexterm><primary>printing</primary><secondary>drag-and-drop</secondary></indexterm>
3914 Users want to be able to use network printers. You have a vested interest in making
3915 it easy for them to print. You have chosen to install the printer drivers onto the Samba
3916 servers and to enable point-and-click (drag-and-drop) printing. This process results in
3917 Samba being able to automatically provide the Windows client with the driver necessary to
3918 print to the printer chosen. The following procedure must be followed for every network
3923 <title>Steps to Install Printer Drivers on the Samba Servers</title>
3926 Join your Windows XP Professional workstation (the staging machine) to the
3927 <constant>MEGANET2</constant> domain. If you are not sure of the procedure,
3928 follow the guidance given in Appendix A, <link linkend="domjoin"/>.
3932 After the machine has rebooted, log onto the workstation as the domain
3933 <constant>root</constant> (this is the Administrator account for the
3934 operating system that is the host platform for this implementation of Samba.
3938 Launch MS Windows Explorer. Navigate in the left panel. Click
3940 <guimenu>My Network Places</guimenu>
3941 <guimenuitem>Entire Network</guimenuitem>
3942 <guimenuitem>Microsoft Windows Network</guimenuitem>
3943 <guimenuitem>Meganet2</guimenuitem>
3944 <guimenuitem>Massive</guimenuitem>
3945 </menuchoice>. Click on <guimenu>Massive</guimenu>
3946 <guimenu>Printers and Faxes</guimenu>.
3950 Identify a printer that is shown in the right panel. Let us assume the printer is called
3951 <constant>ps01-color</constant>. Right-click on the <guimenu>ps01-color</guimenu> icon
3952 and select the <guimenu>Properties</guimenu> entry. This opens a dialog box that indicates
3953 that <quote>The printer driver is not installed on this computer. Some printer properties
3954 will not be accessible unless you install the printer driver. Do you want to install the
3955 driver now?</quote> It is important at this point you answer <guimenu>No</guimenu>.
3959 The printer properties panel for the <guimenu>ps01-color</guimenu> printer on the server
3960 <constant>MASSIVE</constant> is displayed. Click the <guimenu>Advanced</guimenu> tab.
3961 Note that the box labeled <guimenu>Driver</guimenu> is empty. Click the <guimenu>New Driver</guimenu>
3962 button that is next to the <guimenu>Driver</guimenu> box. This launches the <quote>Add Printer Wizard</quote>.
3966 <indexterm><primary>Add Printer Wizard</primary><secondary>APW</secondary></indexterm>
3967 <indexterm><primary>APW</primary></indexterm>
3968 The <quote>Add Printer Driver Wizard on <constant>MASSIVE</constant></quote> panel
3969 is now presented. Click <guimenu>Next</guimenu> to continue. From the left panel, select the
3970 printer manufacturer. In your case, you are adding a driver for a printer manufactured by
3971 Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click
3972 <guimenu>Next</guimenu>, and then <guimenu>Finish</guimenu> to commence driver upload. A
3973 progress bar appears and instructs you as each file is being uploaded and that it is being
3974 directed at the network server <constant>\\massive\ps01-color</constant>.
3978 <indexterm><primary>printers</primary><secondary>Advanced</secondary></indexterm>
3979 <indexterm><primary>printers</primary><secondary>Properties</secondary></indexterm>
3980 <indexterm><primary>printers</primary><secondary>Sharing</secondary></indexterm>
3981 <indexterm><primary>printers</primary><secondary>General</secondary></indexterm>
3982 <indexterm><primary>printers</primary><secondary>Security</secondary></indexterm>
3983 <indexterm><primary>AD printer publishing</primary></indexterm>
3984 The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
3985 you are returned to the <guimenu>Advanced</guimenu> tab in the <guimenu>Properties</guimenu> panel.
3986 You can set the Location (under the <guimenu>General</guimenu> tab) and Security settings (under
3987 the <guimenu>Security</guimenu> tab). Under the <guimenu>Sharing</guimenu> tab it is possible to
3988 load additional printer drivers; there is also a check-box in this tab called <quote>List in the
3989 directory</quote>. When this box is checked, the printer will be published in Active Directory
3990 (Applicable to Active Directory use only.)
3994 <indexterm><primary>printers</primary><secondary>Default Settings</secondary></indexterm>
3995 Click <guimenu>OK</guimenu>. It will take a minute or so to upload the settings to the server.
3996 You are now returned to the <guimenu>Printers and Faxes on Massive</guimenu> monitor.
3997 Right-click on the printer, click <menuchoice><guimenu>Properties</guimenu>
3998 <guimenuitem>Device Settings</guimenuitem> </menuchoice>. Now change the settings to suit
3999 your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if
4000 you need to reverse the changes back to their original settings.
4004 This is necessary so that the printer settings are initialized in the Samba printers
4005 database. Click <guimenu>Apply</guimenu> to commit your settings. Revert any settings you changed
4006 just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
4007 click <guimenu>Apply</guimenu> again.
4011 <indexterm><primary>Print Test Page</primary></indexterm>
4012 Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
4013 click the <guimenu>General</guimenu> tab. Now click the <guimenu>Print Test Page</guimenu> button.
4014 A test page should print. Verify that it has printed correctly. Then click <guimenu>OK</guimenu>
4015 in the panel that is newly presented. Click <guimenu>OK</guimenu> on the <guimenu>ps01-color on
4016 massive Properties</guimenu> panel.
4020 You must repeat this process for all network printers (i.e., for every printer on each server).
4021 When you have finished uploading drivers to all printers, close all applications. The next task
4022 is to install software your users require to do their work.
4030 <title>Software Installation</title>
4033 Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
4034 a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
4035 Notebooks require special handling that is beyond the scope of this chapter.
4039 For desktop systems, the installation of software onto administratively centralized application servers
4040 make a lot of sense. This means that you can manage software maintenance from a central
4041 perspective and that only minimal application stubware needs to be installed onto the desktop
4042 systems. You should proceed with software installation and default configuration as far as is humanly
4043 possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
4044 of software operations and configuration.
4048 When you believe that the overall configuration is complete, be sure to create a shared group profile
4049 and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in
4050 case a user may have specific needs you had not anticipated.
4056 <title>Roll-out Image Creation</title>
4059 The final steps before preparing the distribution Norton Ghost image file you might follow are:
4063 Unjoin the domain &smbmdash; Each workstation requires a unique name and must be independently
4064 joined into domain membership.
4065 </para></blockquote>
4068 Defragment the hard disk &smbmdash; While not obvious to the uninitiated, defragmentation results
4069 in better performance and often significantly reduces the size of the compressed disk image. That
4070 also means it will take less time to deploy the image onto 500 workstations.
4071 </para></blockquote>
4078 <title>Key Points Learned</title>
4081 This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately
4082 avoided any consideration of security. Security does not just happen; you must design it into your total
4083 network. Security begins with a systems design and implementation that anticipates hostile behavior from
4084 users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
4085 they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
4086 practices, you must not deploy the design presented in this book in an environment where there is risk
4091 <indexterm><primary>Access Control Lists</primary><see>ACLs</see></indexterm>
4092 <indexterm><primary>ACLs</primary></indexterm>
4093 As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be
4094 configured to use secure protocols for all communications over the network. Of course, secure networking
4095 does not result just from systems design and implementation but involves constant user education
4096 training and, above all, disciplined attention to detail and constant searching for signs of unfriendly
4097 or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
4098 Jerry Carter's book <ulink url="http://www.booksense.com/product/info.jsp&isbn=1565924916">
4099 <emphasis>LDAP System Administration</emphasis></ulink> is a good place to start reading about OpenLDAP
4100 as well as security considerations.
4104 The substance of this chapter that has been deserving of particular attention includes:
4109 Implementation of an OpenLDAP-based passwd backend, necessary to support distributed
4114 Implementation of Samba primary and secondary domain controllers with a common LDAP backend
4115 for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and
4120 Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as
4121 to manage Samba Windows user and group accounts.
4125 The basics of implementation of Group Policy controls for Windows network clients.
4129 Control over roaming profiles, with particular focus on folder redirection to network drives.
4133 Use of the CUPS printing system together with Samba-based printer driver auto-download.
4141 <title>Questions and Answers</title>
4144 Well, here we are at the end of this chapter and we have only ten questions to help you to
4145 remember so much. There are bound to be some sticky issues here.
4148 <qandaset defaultlabel="chap06qa">
4153 Why did you not cover secure practices? Isn't it rather irresponsible to instruct
4154 network administrators to implement insecure solutions?
4161 Let's get this right. This is a book about Samba, not about OpenLDAP and secure
4162 communication protocols for subjects other than Samba. Earlier on, you note,
4163 that the dynamic DNS and DHCP solutions also used no protective secure communications
4164 protocols. The reason for this is simple: There are so many ways of implementing
4165 secure protocols that this book would have been even larger and more complex.
4169 The solutions presented here all work (at least they did for me). Network administrators
4170 have the interest and the need to be better trained and instructed in secure networking
4171 practices and ought to implement safe systems. I made the decision, right or wrong,
4172 to keep this material as simple as possible. The intent of this book is to demonstrate
4173 a working solution and not to discuss too many peripheral issues.
4177 This book makes little mention of backup techniques. Does that mean that I am recommending
4178 that you should implement a network without provision for data recovery and for disaster
4179 management? Back to our focus: The deployment of Samba has been clearly demonstrated.
4189 You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
4190 you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
4191 to the Linux I might be using?
4198 Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
4199 for a standard Linux distribution. The differences are marginal. Surely you know
4200 your Linux platform, and you do have access to administration manuals for it. This
4201 book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
4202 the Samba part of the book; all the other bits are peripheral (but important) to
4203 creation of a total network solution.
4207 What I find interesting is the attention reviewers give to Linux installation and to
4208 the look and feel of the desktop, but does that make for a great server? In this book,
4209 I have paid particular attention to the details of creating a whole solution framework.
4210 I have not tightened every nut and bolt, but I have touched on all the issues you
4211 need to be familiar with. Over the years many people have approached me wanting to
4212 know the details of exactly how to implement a DHCP and dynamic DNS server with Samba
4213 and WINS. In this chapter, it is plain to see what needs to be configured to provide
4214 transparent interoperability. Likewise for CUPS and Samba interoperation. These are
4215 key stumbling areas for many people.
4219 At every critical junction, I have provided comparative guidance for both SUSE and
4220 Red Hat Linux. Both manufacturers have done a great job in furthering the cause
4221 of open source software. I favor neither and respect both. I like particular
4222 features of both products (companies also). No bias in presentation is intended.
4223 Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
4233 You did not use SWAT to configure Samba. Is there something wrong with it?
4240 That is a good question. As it is, the &smb.conf; file configurations are presented
4241 in as direct a format as possible. Adding SWAT into the equation would have complicated
4242 matters. I sought simplicity of implementation. The fact is that I did use SWAT to
4243 create the files in the first place.
4247 There are people in the Linux and open source community who feel that SWAT is dangerous
4248 and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
4249 hope to have brought their interests on board. SWAT is well covered is <emphasis>TOSHARG</emphasis>.
4259 You have exposed a well-used password <emphasis>not24get</emphasis>. Is that
4267 Well, I had to use a password of some sort. At least this one has been consistently
4268 used throughout. I guess you can figure out that in a real deployment it would make
4269 sense to use a more secure and original password.
4279 The Idealx smbldap-tools create many domain group accounts that are not used. Is that
4287 I took this up with Idealx and found them most willing to change that in the next version.
4288 Let's give Idealx some credit for the contribution they have made. I appreciate their work
4289 and, besides, it does no harm to create accounts that are not now used &smbmdash; at some time
4290 Samba may well use them.
4300 Can I use LDAP just for Samba accounts and not for UNIX system accounts?
4307 Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX)
4308 group account for every Windows domain group account. But if you put your users into
4309 the system password account, how do you plan to keep all domain controller system
4310 password files in sync? I think that having everything in LDAP makes a lot of sense
4311 for the UNIX administrator who is still learning the craft and is migrating from MS Windows.
4321 Why are the Windows domain RID portions not the same as the UNIX UID?
4328 Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
4329 This algorithm ought to ensure that there will be no clashes with well-known RIDs.
4330 Well-known RIDs have special significance to MS Windows clients. The automatic
4331 assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
4332 permit you to override that to some extent. See the &smb.conf; man page entry
4333 for <parameter>algorithmic rid base</parameter>.
4343 Printer configuration examples all show printing to the HP port 9100. Does this
4344 mean that I must have HP printers for these solutions to work?
4351 No. You can use any type of printer and must use the interfacing protocol supported
4352 by the printer. Many networks use LPR/LPD print servers to which are attached
4353 PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached
4354 inkjet printer. Use the appropriate device URI (Universal Resource Interface)
4355 argument to the <constant>lpadmin -v</constant> option that is right for your
4366 Is folder redirection dangerous? I've heard that you can lose your data that way.
4373 The only loss of data I know of that involved folder redirection was caused by
4374 manual misuse of the redirection tool. The administrator redirected a folder to
4375 a network drive and said he wanted to migrate (move) the data over. Then he
4376 changed his mind, so he moved the folder back to the roaming profile. This time,
4377 he declined to move the data because he thought it was still in the local profile
4378 folder. That was not the case, so by declining to move the data back, he wiped out
4379 the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
4389 Is it really necessary to set a local Group Policy to exclude the redirected
4390 folders from the roaming profile?
4397 Yes. If you do not do this, the data will still be copied from the network folder
4398 (share) to the local cached copy of the profile.