| blob | 49b2e5c3775581429e05884b7983c27731d4fbcc |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE preface PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <preface id="preface">
4 <title>Preface</title>
6 <para>
7 Network administrators live busy lives. We face distractions and pressures
8 that drive us to seek proven, working case scenarios that can be easily
9 implemented. Often this approach lands us in trouble. There is a
10 saying that, geometrically speaking, the shortest distance between two
11 points is a straight line, but practically we find that the quickest
12 route to a stable network solution is the long way around.
13 </para>
15 <para>
16 This book is your means to the straight path. It provides step-by-step,
17 proven, working examples of Samba deployments. If you want to deploy
18 Samba-3 with the least effort, or if you want to become an expert at deploying
19 Samba-3 without having to search through lots of documentation, this
20 book is the ticket to your destination.
21 </para>
23 <para>
24 Samba is software that can be run on a platform other than Microsoft Windows,
25 for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems.
26 Samba uses the TCP/IP protocol that is installed on the host server. When
27 correctly configured, it allows that host to interact with a Microsoft Windows
28 client or server as if it is a Windows file and print server. This book
29 will help you to implement Windows-compatible file and print services.
30 </para>
32 <para>
33 The examples presented in this book are typical of various businesses and
34 reflect the problems and challenges they face. Care has been taken to preserve
35 attitudes, perceptions, practices, and demands from real network case studies.
36 The maximum benefit may be obtained from this book by working carefully through
37 each exercise. You may be in a hurry to satisfy a specific need, so feel
38 free to locate the example that most closely matches your need, copy it, and
39 innovate as much as you like. Above all, enjoy the process of learning the
40 secrets of MS Windows networking that is truly liberated by Samba.
41 </para>
43 <para>
44 The focus of attention in this book is Samba-3. Specific notes are made in
45 respect of how Samba may be made secure. This book does not attempt to provide
46 detailed information regarding secure operation and configuration of peripheral
47 services and applications such as OpenLDAP, DNS and DHCP, the need for which
48 can be met from other resources that are dedicated to the subject.
49 </para>
51 <sect1>
52 <title>Why Is This Book Necessary?</title>
54 <para>
55 This book is the result of observations and feedback. The feedback from
56 the Samba-HOWTO-Collection has been positive and complimentary. There
57 have been requests for far more worked examples, a
58 <quote>Samba Cookbook,</quote> and for training materials to
59 help kick-start the process of mastering Samba.
60 </para>
62 <para>
63 The Samba mailing list's users have asked for sample configuration files
64 that work. It is natural to question one's own ability to correctly
65 configure a complex tool such as Samba until a minimum necessary
66 knowledge level has been attained.
67 </para>
69 <para>
70 The Samba-HOWTO-Collection, as do <emphasis>The Official Samba-3 HOWTO and
71 Reference Guide</emphasis>, document Samba features and functionality in
72 a topical context. This book takes a completely different approach. It
73 walks through Samba network configurations that are working within particular
74 environmental contexts, providing documented step-by-step implementations.
75 All example case configuration files, scripts, and other tools are provided
76 on the CD-ROM. This book is descriptive, provides detailed diagrams, and
77 makes deployment of Samba-3 a breeze.
78 </para>
80 <sect2>
81 <title>Samba 3.0.12 Update Edition</title>
83 <para>
84 The Samba 3.0.x series has been remarkably popular. At the time this book first
85 went to print samba-3.0.2 was being released. There have been significant modifications
86 and enhancements between samba-3.0.2 and samba-3.0.11 (the current release) that
87 necessitate this documentation update. This update has the specific intent to
88 refocus this book so that its guidance can be followed for samba-3.0.12
89 and beyond. Further changes are expected as Samba-3 matures further and will
90 be reflected in future updates.
91 </para>
93 <para>
94 The changes shown in <link linkend="pref-new"/> are incorporated in this update:
95 </para>
97 <table id="pref-new">
98 <title>Samba Changes &smbmdash; 3.0.2 to 3.0.12</title>
99 <tgroup cols="2">
100 <colspec align="left"/>
101 <colspec align="justify"/>
102 <thead>
103 <row>
104 <entry align="left">
105 <para>
106 New Feature
107 </para>
108 </entry>
109 <entry align="left">
110 <para>
111 Description
112 </para>
113 </entry>
114 </row>
115 </thead>
116 <tbody>
117 <row>
118 <entry>
119 <para>
120 Winbind Case Handling
121 </para>
122 </entry>
123 <entry>
124 <para>
125 User and group names returned by <command>winbindd</command> are now converted to lower case
126 for better consistency. Samba implementations that depend on the case of information returned
127 by winbind (such as %u and %U) must now convert the dependency to expecting lower case values.
128 This affects mail spool files, home directories, valid user lines in the &smb.conf; file, etc.
129 </para>
130 </entry>
131 </row>
132 <row>
133 <entry>
134 <para>
135 Schema Changes
136 </para>
137 </entry>
138 <entry>
139 <para>
140 Addition of code to handle password aging, password uniqueness controls, bad
141 password instances at logon time, have made necessary extensions to the SambaSAM
142 schema. This change affects all sites that use LDAP and means that the directory
143 schema must be updated.
144 </para>
145 </entry>
146 </row>
147 <row>
148 <entry>
149 <para>
150 Username Map Handling
151 </para>
152 </entry>
153 <entry>
154 <para>
155 Samba-3.0.8 redefined the behavior: Local authentication results in a username map file
156 lookup before authenticating the connection. All authentication via an external domain
157 controller will result in the use of the fully qualified name (i.e.: DOMAIN\username)
158 after the user has been successfully authenticated.
159 </para>
160 </entry>
161 </row>
162 <row>
163 <entry>
164 <para>
165 UNIX extension handling
166 </para>
167 </entry>
168 <entry>
169 <para>
170 Symbolicly linked files and directories on the UNIX host to absolute paths will
171 now be followed. This can be turned off using <quote>wide links = No</quote> in
172 the share stanza in the &smb.conf; file. Turning off <quote>wide links</quote>
173 support will degrade server performance because each path must be checked.
174 </para>
175 </entry>
176 </row>
177 <row>
178 <entry>
179 <para>
180 Privileges Support
181 </para>
182 </entry>
183 <entry>
184 <para>
185 Versions of Samba prior to samba-3.0.11 required the use of the UNIX <constant>root</constant>
186 account from network Windows clients. The new <quote>enable privileges = Yes</quote> capability
187 means that functions such as adding machines to the domain, managing printers, etc. can now
188 be delegated to normal user accounts or to groups of users.
189 </para>
190 </entry>
191 </row>
192 </tbody>
193 </tgroup>
194 </table>
195 </sect2>
197 </sect1>
199 <sect1>
200 <title>Prerequisites</title>
202 <para>
203 This book is not a tutorial on UNIX or Linux administration. UNIX and Linux
204 training is best obtained from books dedicated to the subject. This book
205 assumes that you have at least the basic skill necessary to use these operating
206 systems, and that you can use a basic system editor to edit and configure files.
207 It has been written with the assumption that you have experience with Samba,
208 have read <emphasis>The Official Samba-3 HOWTO and Reference Guide</emphasis> and
209 the Samba-HOWTO-Collection, or that you have familiarity with Microsoft Windows.
210 </para>
212 <para>
213 If you do not have this experience, you can follow the examples in this book but may
214 find yourself at times intimidated by assumptions made. In this situation, you
215 may need to refer to administrative guides or manuals for your operating system
216 platform to find what is the best method to achieve what the text of this book describes.
217 </para>
219 </sect1>
221 <sect1>
222 <title>Approach</title>
224 <para>
225 The first chapter deals with some rather thorny network analysis issues. Do not be
226 put off by this. The information you glean, even without a detailed understanding
227 of network protocol analysis, can help you understand how Windows networking functions.
228 </para>
230 <para>
231 Each following chapter of this book opens with the description of a networking solution
232 sought by a hypothetical site. Bob Jordan is a hypothetical decision maker
233 for an imaginary company, <constant>Abmas Biz NL</constant>. We will use the
234 non-existent domain name <constant>abmas.biz</constant>. All <emphasis>facts</emphasis>
235 presented regarding this company are fictitious and have been drawn from a variety of real
236 business scenarios over many years. Not one of these reveal the identify of the
237 real-world company from which the scenario originated.
238 </para>
240 <para>
241 In any case, Mr. Jordan likes to give all his staff nasty little assignments.
242 Stanley Saroka is one of his proteges; Christine Roberson is the network administrator
243 Bob trusts. Jordan is inclined to treat other departments well because they finance
244 Abmas IT operations.
245 </para>
247 <para>
248 Each chapter presents a summary of the network solution we have chosen to
249 demonstrate together with a rationale to help you to understand the
250 thought process that drove that solution. The chapter then documents in precise
251 detail all configuration files and steps that must be taken to implement the
252 example solution. Anyone wishing to gain serious value from this book will
253 do well to take note of the implications of points made, so watch out for the
254 <emphasis>this means that</emphasis> notations.
255 </para>
257 <para>
258 Each chapter has a set of questions and answers to help you to
259 to understand and digest key attributes of the solutions presented.
260 </para>
262 </sect1>
264 <sect1>
265 <title>Summary of Topics</title>
267 <para>
268 Our first assignment is to understand how Microsoft Windows products
269 function in the network environment. That is where we start. Let's take
270 just a few moments to get a bird's eye view of this book. Remember that
271 this is a book about file and print technology deployment; there are
272 great examples of printing solutions. Here we go.
273 </para>
275 <variablelist>
276 <varlistentry>
277 <term>Chapter 1 &smbmdash; Windows Networking Primer</term><listitem>
278 <para>
279 Here we cover practical exercises to help us to understand how MS Windows
280 network protocols function. A network protocol analyzer helps you to
281 appreciate the fact that Windows networking is highly dependent on broadcast
282 messaging. Additionally, you can look into network packets that a Windows
283 client sends to a network server to set up a network connection. On completion,
284 you should have a basic understanding of how network browsing functions and
285 have seen some of the information a Windows client sends to
286 a file and print server to create a connection over which file and print
287 operations may take place.
288 </para>
289 </listitem>
290 </varlistentry>
292 <varlistentry>
293 <term>Chapter 2 &smbmdash; No Frills Samba Servers</term><listitem>
294 <para>
295 Here you design a solution for three different business scenarios, each for a
296 company called Abmas. There are two simple networking problems and one slightly
297 more complex networking challenge. In the first two cases, Abmas has a small
298 simple office, and they want to replace a Windows 9x peer-to-peer network. The
299 third example business uses Windows 2000 Professional. This must be simple,
300 so let's see how far we can get. If successful, Abmas grows quickly and
301 soon needs to replace all servers and workstations.
302 </para>
304 <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter demands:
305 <itemizedlist>
306 <listitem><para>Case 1: The simplest &smb.conf; file that may
307 reasonably be used. Works with Samba-2.x also. This
308 configuration uses Share Mode security. Encrypted
309 passwords are not used, so there is no
310 <filename>smbpasswd</filename> file.
311 </para></listitem>
313 <listitem><para>Case 2: Another simple &smb.conf; file that adds
314 WINS support and printing support. This case deals with
315 a special requirement that demonstrates how to deal with
316 purpose-built software that has a particular requirement
317 for certain share names and printing demands. This
318 configuration uses Share Mode security and also works with
319 Samba-2.x. Encrypted passwords are not used, so there is no
320 <filename>smbpasswd</filename> file.
321 </para></listitem>
323 <listitem><para>Case 3: This &smb.conf; configuration uses User Mode
324 security. The file share configuration demonstrates
325 the ability to provide master access to an administrator
326 while restricting all staff to their own work areas.
327 Encrypted passwords are used, so there is an implicit
328 <filename>smbpasswd</filename> file.
329 </para></listitem>
330 </itemizedlist>
331 </para>
332 </listitem>
333 </varlistentry>
335 <varlistentry>
336 <term>Chapter 3 &smbmdash; Small Office Networking</term><listitem>
337 <para>
338 Abmas is a successful company now. They have 50 network users
339 and want a little more varoom from the network. This is a typical
340 small office and they want better systems to help them to grow. This is
341 your chance to really give advanced users a bit more functionality and usefulness.
342 </para>
344 <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
345 makes use of encrypted passwords, so there is an <filename>smbpasswd</filename>
346 file. It also demonstrates use of the <parameter>valid users</parameter> and
347 <parameter>valid groups</parameter> to restrict share access. The Windows
348 clients access the server as Domain members. Mobile users log onto
349 the Domain while in the office, but use a local machine account while on the
350 road. The result is an environment that answers mobile computing user needs.
351 </para>
352 </listitem>
353 </varlistentry>
355 <varlistentry>
356 <term>Chapter 4 &smbmdash; Secure Office Networking</term><listitem>
357 <para>
358 Abmas is growing rapidly now. Money is a little tight, but with 130
359 network users, security has become a concern. They have many new machines
360 to install and the old equipment will be retired. This time they want the
361 new network to scale and grow for at least two years. Start with a sufficient
362 system and allow room for growth. You are now implementing an Internet
363 connection and have a few reservations about user expectations.
364 </para>
366 <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
367 makes use of encrypted passwords, and you can use a <filename>tdbsam</filename>
368 password backend. Domain logons are introduced. Applications are served from the central
369 server. Roaming profiles are mandated. Access to the server is tightened up
370 so that only domain members can access server resources. Mobile computing
371 needs still are catered to.
372 </para>
373 </listitem>
374 </varlistentry>
376 <varlistentry>
377 <term>Chapter 5 &smbmdash; The 500 User Office</term><listitem>
378 <para>
379 The two-year projections were met. Congratulations, you are a star.
380 Now Abmas needs to replace the network. Into the existing user base, they
381 need to merge a 280-user company they just acquired. It is time to build a serious
382 network. There are now three buildings on one campus and your assignment is
383 to keep everyone working while a new network is rolled out. Oh, isn't it nice
384 to roll out brand new clients and servers! Money is no longer tight, you get
385 to buy and install what you ask for. You will install routers and a firewall.
386 This is exciting!
387 </para>
389 <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
390 makes use of encrypted passwords, and a <filename>tdbsam</filename>
391 password backend is used. You are not ready to launch into LDAP yet, so you
392 accept the limitation of having one central Domain Controller with a Domain
393 Member server in two buildings on your campus. A number of clever techniques
394 are used to demonstrate some of the smart options built into Samba.
395 </para>
396 </listitem>
397 </varlistentry>
399 <varlistentry>
400 <term>Chapter 6 &smbmdash; Making Users Happy</term><listitem>
401 <para>
402 Congratulations again. Abmas is happy with your services and you have been given another raise.
403 Your users are becoming much more capable and are complaining about little
404 things that need to be fixed. Are you up to the task? Mary says it takes her 20 minutes
405 to log onto the network and it is killing her productivity. Email is a bit <emphasis>
406 unreliable</emphasis> &smbmdash; have you been sleeping on the job? We do not discuss the
407 technology of email but when the use of mail clients breaks because of networking
408 problems, you had better get on top of it. It's time for a change.
409 </para>
411 <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
412 makes use of encrypted passwords; a distributed <filename>ldapsam</filename>
413 password backend is used. Roaming profiles are enabled. Desktop profile controls
414 are introduced. Check out the techniques that can improve the user experience
415 of network performance. As a special bonus, this chapter documents how to configure
416 smart downloading of printer drivers for drag-and-drop printing support. And, yes,
417 the secret of configuring CUPS is clearly documented. Go for it; this one will
418 tease you, too.
419 </para>
420 </listitem>
421 </varlistentry>
423 <varlistentry>
424 <term>Chapter 7 &smbmdash; A Distributed 2000-User Network</term><listitem>
425 <para>
426 Only eight months have passed, and Abmas has acquired another company. You now need to expand
427 the network further. You have to deal with a network that spans several countries.
428 There are three new networks in addition to the original three buildings at the head-office
429 campus. The head office is in New York and you have branch offices in Washington, Los Angeles, and
430 London. Your desktop standard is Windows XP Professional. In many ways, everything has changed
431 and yet it must remain the same. Your team is primed for another roll-out. You know there are
432 further challenges ahead.
433 </para>
435 <para><emphasis>TechInfo</emphasis> &smbmdash; Slave LDAP servers are introduced. Samba is
436 configured to use multiple LDAP backends. This is a brief chapter; it assumes that the
437 technology has been mastered and gets right down to concepts and how to deploy them.
438 </para>
439 </listitem>
440 </varlistentry>
442 <varlistentry>
443 <term>Chapter 8 &smbmdash; Migrating NT4 Domain to Samba-3</term><listitem>
444 <para>
445 Another six months have <?latex \linebreak ?>
446 passed. Abmas has acquired yet another company. You will find a
447 way to migrate all users off the old network onto the existing network without loss
448 of passwords and will effect the change-over during one weekend. May the force (and caffeine) be with
449 you, may you keep your back to the wind and may the sun shine on your face.
450 </para>
452 <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter demonstrates the use of
453 the <command>net rpc migrate</command> facility using an LDAP ldapsam backend, and also
454 using a tdbsam passdb backend. Both are much-asked-for examples of NT4 Domain migration.
455 </para>
456 </listitem>
457 </varlistentry>
459 <varlistentry>
460 <term>Chapter 9 &smbmdash; Migrating NetWare 4.11 Server to Samba</term><listitem>
461 <para>
462 Misty Stanley-Jones has contributed information that summarizes her experience at migration
463 from a NetWare server to Samba-3.
464 </para>
466 <para><emphasis>TechInfo</emphasis> &smbmdash; The documentation provided demonstrates
467 how one site miigrated from NetWare to Samba. Some alternatives tools are mentioned. These
468 could be used to provide another pathway to a successful migration.
469 </para>
470 </listitem>
471 </varlistentry>
473 <varlistentry>
474 <term>Chapter 10 &smbmdash; Adding UNIX/Linux Servers and Clients</term><listitem>
475 <para>
476 Well done, Bob, your team has achieved much. Now help Abmas integrate the entire network.
477 You want central control and central support and you need to cut costs. How can you reduce administrative
478 overheads and yet get better control of the network?
479 </para>
481 <para>
482 This chapter has been contributed by Mark Taylor <email>mark.taylor@siriusit.co.uk</email>
483 and is based on a live site. For further information regarding this example case,
484 please contact Mark directly.
485 </para>
487 <para><emphasis>TechInfo</emphasis> &smbmdash; It is time to consider how to add Samba servers
488 and UNIX and Linux network clients. Users who convert to Linux want to be able to log on
489 using Windows network accounts. You explore nss_ldap, pam_ldap, winbind, and a few neat
490 techniques for taking control. Are you ready for this?
491 </para>
492 </listitem>
493 </varlistentry>
495 <varlistentry>
496 <term>Chapter 11 &smbmdash; Active Directory, Kerberos and Security</term><listitem>
497 <para>
498 Abmas has acquired another company that has just migrated to running Windows Server 2003 and
499 Active Directory. One of your staff makes offhand comments that land you in hot water.
500 A network security auditor is hired by the head of the new business and files a damning
501 report, and you must address the <emphasis>defects</emphasis> reported. You have hired new
502 network engineers who want to replace Microsoft Active Directory with a pure Kerberos
503 solution. How will you handle this?
504 </para>
506 <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter is your answer. Learn about
507 share access controls, proper use of UNIX/Linux file system access controls, and Windows
508 200x Access Control Lists. Follow these steps to beat the critics.
509 </para>
510 </listitem>
511 </varlistentry>
513 <varlistentry>
514 <term>Chapter 12 &smbmdash; Integrating Additional Services</term><listitem>
515 <para>
516 The battle is almost over, Samba-3 has won the day. Your team are delighted and now you
517 find yourself at yet another cross-roads. Abmas have acquired a snack food business, you
518 made promises you must keep. IT costs must be reduced, you have new resistance, but you
519 will win again. This time you choose to install the Squid proxy server to validate the
520 fact that Samba is far more than just a file and print server. SPNEGO authentication
521 support means that your Microsoft Windows clients gain transparent proxy access.
522 </para>
524 <para><emphasis>TechInfo</emphasis> &smbmdash; Samba provides the <command>ntlm_auth</command>
525 module that makes it possible for MS Windows Internet Explorer to connect via the Squid Web
526 and FTP proxy server. You will configure Samba-3 as well as Squid to deliver authenticated
527 access control using the Active Directory Domain user security credentials.
528 </para>
529 </listitem>
530 </varlistentry>
532 <varlistentry>
533 <term>Chapter 13 &smbmdash; Performance, Reliability and Availability</term><listitem>
534 <para>
535 Bob, are you sure the new Samba server is up to the load? Your network is serving many
536 users who risk becoming unproductive. What can you do to keep ahead of demand? Can you
537 keep the cost under control also? What can go wrong?
538 </para>
540 <para><emphasis>TechInfo</emphasis> &smbmdash; Hot tips that put chili into your
541 network. Avoid name resolution problems, identify potential causes of network collisions,
542 avoid Samba configuration options that will weigh the server down. MS distributed file
543 services to make your network fly and much more. This chapter contains a good deal of
544 <quote>Did I tell you about this...?</quote> type of hints to help keep your name on the top
545 performers list.
546 </para>
547 </listitem>
548 </varlistentry>
549 </variablelist>
551 </sect1>
553 <!-- the conventions used in this book -->
554 <xi:include href="conventions.xml" xmlns:xi="http://www.w3.org/2003/XInclude" />
556 </preface>