| blob | 3ddf3305c19509e5002baa1bb1f463e52b92b70b |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <chapter id="happy">
4 <title>Making Happy Users</title>
6 <para>
7 It has been said, <quote>A day that is without troubles is not fulfilling. Rather, give
8 me a day of troubles well handled so that I can be content with my achievements.</quote>
9 </para>
11 <para>
12 In the world of computer networks, problems are as varied as the people who create them
13 or experience them. The design of the network implemented in the last chapter may
14 create problems for some network users. The following lists some of the problems that
15 may occur:
16 </para>
18 <indexterm><primary>PDC</primary></indexterm>
19 <indexterm><primary>network bandwidth</primary><secondary>utilization</secondary></indexterm>
20 <indexterm><primary>BDC</primary></indexterm>
21 <indexterm><primary>user account</primary></indexterm>
22 <indexterm><primary>PDC/BDC ratio</primary></indexterm>
23 <caution><para>
24 Notice: A significant number of network administrators have responded to the guidance given
25 below. It should be noted that there are sites that have a single PDC for many hundreds of
26 concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
27 are among the factors that will determine the maximum number of Windows clients that
28 can be served by a single domain controller (PDC or BDC) on a network segment. It is possible
29 to operate with only a single PDC over a routed network. What is possible is not necessarily
30 <emphasis>best practice</emphasis>. When Windows client network logons begin to fail with
31 the message that the domain controller can not be found, or that the user account can not
32 be found (when you know it exists), that may be an indication that the DC is overloaded or
33 network bandwidth is overloaded. The guidance given in respect of PDC/BDC ratio to Windows
34 clients is conservative and if followed will minimize problems - but it is not absolute.
35 </para></caution>
37 <variablelist>
38 <varlistentry>
39 <term>Users experiencing difficulty logging onto the network</term>
40 <listitem><para>
41 <indexterm>
42 <primary>network</primary>
43 <secondary>logon</secondary>
44 </indexterm>
45 When a Windows client logs onto the network, many data packets are exchanged
46 between the client and the server that is providing the network logon services.
47 Each request between the client and the server must complete within a specific
48 time limit. This is one of the primary factors that govern the installation of
49 <indexterm>
50 <primary>multiple domain controllers</primary>
51 </indexterm>
52 multiple domain controllers (usually called secondary or backup controllers).
53 As a rough rule, there should be one such backup controller for every
54 30 to 150 clients. The actual limits are determined by network operational
55 characteristics.
56 </para>
58 <para>
59 If the domain controller provides only network logon services
60 and all file and print activity is handled by Domain Member servers, one Domain
61 Controller per 150 clients on a single network segment may suffice. In any
62 case, it is highly recommended to have a minimum of one Domain Controller (PDC or BDC)
63 per network segment. It is better to have at least one BDC on the network
64 segment that has a PDC. If the Domain Controller is also used as a file and
65 print server, the number of clients it can service reliably is reduced
66 and a common rule is not to exceed 30 machines (Windows workstations plus
67 Domain Member servers) per Domain Controller.
68 </para></listitem></varlistentry>
70 <varlistentry>
71 <term>Slow logons and log-offs</term>
72 <listitem><para>
73 <indexterm>
74 <primary>slow logon</primary>
75 </indexterm>
76 Slow logons and log-offs may be caused by many factors that include:
78 <itemizedlist>
79 <listitem><para><indexterm>
80 <primary>NetBIOS</primary>
81 <secondary>name resolution</secondary>
82 <tertiary>delays</tertiary>
83 </indexterm><indexterm>
84 <primary>WINS</primary>
85 <secondary>server</secondary>
86 </indexterm>
87 Excessive delays in the resolution of a NetBIOS name to its IP
88 address. This may be observed when an overloaded domain controller
89 is also the WINS server. Another cause may be the failure to use
90 a WINS server (this assumes that there is a single network segment).
91 </para></listitem>
93 <listitem><para><indexterm>
94 <primary>traffic collisions</primary>
95 </indexterm><indexterm>
96 <primary>HUB</primary>
97 </indexterm><indexterm>
98 <primary>Etherswitch</primary>
99 </indexterm>
100 Network traffic collisions due to overloading of the network
101 segment &smbmdash; one short-term workaround to this may be to replace
102 network HUBs with Ether-switches.
103 </para></listitem>
105 <listitem><para><indexterm>
106 <primary>networking hardware</primary>
107 <secondary>defective</secondary>
108 </indexterm>
109 Defective networking hardware. Over the past few years, we have seen
110 on the Samba mailing list a significant increase in the number of
111 problems that were traced to a defective network interface controller,
112 a defective HUB or Etherswitch, or defective cabling. In most cases,
113 it was the erratic nature of the problem that ultimately pointed to
114 the cause of the problem.
115 </para></listitem>
117 <listitem><para><indexterm>
118 <primary>profile</primary>
119 <secondary>roaming</secondary>
120 </indexterm><indexterm>
121 <primary>MS Outlook</primary>
122 <secondary>PST file</secondary>
123 </indexterm>
124 Excessively large roaming profiles. This type of problem is typically
125 the result of poor user eduction, as well as poor network management.
126 It can be avoided by users not storing huge quantities of email in
127 MS Outlook PST files, as well as by not storing files on the desktop.
128 These are old bad habits that require much discipline and vigilance
129 on the part of network management.
130 </para></listitem>
132 <listitem><para><indexterm>
133 <primary>WebClient</primary>
134 </indexterm>
135 You should verify that the Windows XP WebClient service is not running.
136 The use of the WebClient service has been implicated in many Windows
137 networking related problems.
138 </para></listitem>
139 </itemizedlist>
141 </para></listitem></varlistentry>
143 <varlistentry>
144 <term>Loss of access to network drives and printer resources</term>
145 <listitem><para>
146 Loss of access to network resources during client operation may be caused by a number
147 of factors including:
148 </para>
150 <itemizedlist>
151 <listitem><para><indexterm>
152 <primary>network</primary>
153 <secondary>overload</secondary>
154 </indexterm>
155 Network overload (typically indicated by a high network collision rate)
156 </para></listitem>
158 <listitem><para>
159 Server overload
160 </para></listitem>
162 <listitem><para><indexterm>
163 <primary>network</primary>
164 <secondary>timeout</secondary>
165 </indexterm>
166 Timeout causing the client to close a connection that is in use, but has
167 been latent (no traffic) for some time (5 minutes or more)
168 </para></listitem>
170 <listitem><para><indexterm>
171 <primary>network hardware</primary>
172 <secondary>defective</secondary>
173 </indexterm>
174 Defective networking hardware
175 </para></listitem>
176 </itemizedlist>
178 <para><indexterm>
179 <primary>data</primary>
180 <secondary>corruption</secondary>
181 </indexterm>
182 No matter what the cause, a sudden operational loss of access to network resources can
183 result in BSOD (blue screen of death) situations that necessitate rebooting of the client
184 workstation. In the case of a mild problem, retrying to access the network drive of printer
185 may restore operations, but in any case this is a serious problem as it may lead to the next
186 problem, data corruption.
187 </para></listitem></varlistentry>
189 <varlistentry>
190 <term>Potential data corruption</term>
191 <listitem><para><indexterm>
192 <primary>data</primary>
193 <secondary>corruption</secondary>
194 </indexterm>
195 Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
196 frustration, and generally precipitates immediate corrective demands. Management response
197 to this type of problem may be rational, as well as highly irrational. There have been
198 cases where management has fired network staff for permitting this situation to occur without
199 immediate correction. There have been situations where perfectly functional hardware was thrown
200 out and replaced, only to find the problem caused by a low-cost network hardware item. There
201 have been cases where server operating systems were replaced, or where Samba was updated,
202 only to later isolate the problem due to defective client software.
203 </para></listitem></varlistentry>
204 </variablelist>
206 <para>
207 In this chapter, you can work through a number of measures that significantly arm you to
208 anticipate and to combat network performance issues. You can work through complex and thorny
209 methods to improve the reliability of your network environment, but be warned that all such steps
210 demand the price of complexity.
211 </para>
213 <sect1>
214 <title>Regarding LDAP Directories and Windows Computer Accounts</title>
216 <para>
217 <indexterm><primary>LDAP</primary><secondary>directory</secondary></indexterm>
218 Computer (machine) accounts can be placed where ever you like in an LDAP directory subject to some
219 constraints that are described in this section.
220 </para>
222 <para>
223 <indexterm><primary>POSIX</primary></indexterm>
224 <indexterm><primary>SambaSAMAccount</primary></indexterm>
225 <indexterm><primary>machine account</primary></indexterm>
226 <indexterm><primary>trust account</primary></indexterm>
227 The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
228 i.e.: Machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
229 them. A user account and a machine account are indistinquishable from each other, except that
230 the machine account ends in a '$' character, as do trust accounts.
231 </para>
233 <para>
234 <indexterm><primary>account</primary></indexterm>
235 <indexterm><primary>UID</primary></indexterm>
236 The need for Windows user, group, machine, trust, etc. accounts to be tied to a valid UNIX UID
237 is a design decision that was made a long way back in the history of Samba development. It is
238 unlikely that this decision will be reversed of changed during the remaining life of the
239 Samba-3.x series.
240 </para>
242 <para>
243 <indexterm><primary>SID</primary></indexterm>
244 <indexterm><primary>NSS</primary></indexterm>
245 The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
246 must refer back to the host operating system on which Samba is running. The Name Service
247 Switcher (NSS) is the preferred mechanism that shields applications (like Samba) from the
248 need to know everything about every host OS it runs on.
249 </para>
251 <para>
252 Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote>
253 and <quote>group</quote> facilities in the NSS control (configuration) file. The best tool
254 for achieving this is left up to the UNIX administrator to determine. It is not imposed by
255 Samba. Samba provides winbindd together with its support libraries as one method. It is
256 possible to do this via LDAP - and for that Samba provides the appropriate hooks so that
257 all account entities can be located in an LDAP directory.
258 </para>
260 <para>
261 <indexterm><primary>nss_ldap</primary></indexterm>
262 For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
263 be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
264 is fundamentally an LDAP design question. The information provided on the Samba list and
265 in the documentation is directed at providing working examples only. The design
266 of an LDAP directory is a complex subject that is beyond the scope of this documentation.
267 </para>
269 </sect1>
272 <sect1>
273 <title>Introduction</title>
275 <para>
276 Mr. Bob Jordan just opened an email from Christine that reads:
277 </para>
279 <para>
280 Bob,
281 <blockquote><attribution>Christine</attribution><para>
282 A few months ago we sat down to design the network. We discussed the challenges ahead and we all
283 agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
284 that we would have some time to resolve any issues that might be encountered.
285 </para>
287 <para>
288 As you now know we started off on the wrong foot. We have a lot of unhappy users. One of them
289 resigned yesterday afternoon because she was under duress to complete some critical projects. She
290 suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
291 of which was lost. She has a unique requirement that involves storing large files on her desktop.
292 Mary's desktop profile is nearly 1 Gigabyte in size. As a result of her desktop configuration, it
293 takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
294 network logon traffic passes over the network links between our buildings, logging on may take
295 three or four attempts due to blue screen problems associated with network timeouts.
296 </para>
298 <para>
299 A few of us worked to help her out of trouble. We convinced her to stay and promised to fully
300 resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard
301 limits on what our users can do with their desktops. If we do not do this, we face staff losses
302 that can surely do harm to our growth, as well as to staff morale. I am sure we can better deal
303 with the consequences of what we know we must do than we can with the unrest we have now.
304 </para>
306 <para>
307 Stan and I have discussed the current situation. We are resolved to help our users and protect
308 the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
309 regain control of our vital IT operations.
310 </para></blockquote>
311 </para>
313 <para><indexterm>
314 <primary>compromise</primary>
315 </indexterm><indexterm>
316 <primary>network</primary>
317 <secondary>multi-segment</secondary>
318 </indexterm>
319 Every compromise has consequences. Having a large routed (i.e., multi-segment) network with only a
320 single domain controller is a poor design that has obvious operational effects that may
321 frustrate users. Here is Bob's reply:
322 <blockquote><attribution>Bob</attribution><para>
323 Christine, Your diligence and attention to detail are much valued. Stan and I fully support your
324 proposals to resolve the issues. I am confident that your plans fully realized will significantly
325 boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
326 Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
327 for approval; I appreciate the urgency.
328 </para></blockquote>
329 </para>
331 <sect2>
332 <title>Assignment Tasks</title>
334 <para>
335 The priority of assigned tasks in this chapter is:
336 </para>
338 <orderedlist>
339 <listitem><para><indexterm>
340 <primary>Backup Domain Controller</primary>
341 <see>BDC</see>
342 </indexterm><indexterm>
343 <primary>BDC</primary>
344 </indexterm><indexterm>
345 <primary>tdbsam</primary>
346 </indexterm><indexterm>
347 <primary>LDAP</primary>
348 </indexterm><indexterm>
349 <primary>migration</primary>
350 </indexterm>
351 Implement Backup Domain Controllers (BDCs) in each building. This involves
352 a change from use of a <emphasis>tdbsam</emphasis> backend that was used in the previous
353 chapter, to use an LDAP-based backend.
354 </para>
356 <para>
357 You can implement a single central LDAP server for this purpose.
358 </para></listitem>
360 <listitem><para><indexterm>
361 <primary>logon time</primary>
362 </indexterm><indexterm>
363 <primary>network share</primary>
364 </indexterm><indexterm>
365 <primary>default profile</primary>
366 </indexterm><indexterm>
367 <primary>profile</primary>
368 <secondary>default</secondary>
369 </indexterm>
370 Rectify the problem of excessive logon times. This involves redirection of
371 folders to network shares as well as modification of all user desktops to
372 exclude the redirected folders from being loaded at login time. You can also
373 create a new default profile that can be used for all new users.
374 </para></listitem>
376 </orderedlist>
378 <para><indexterm>
379 <primary>disk image</primary>
380 </indexterm>
381 You configure a new MS Windows XP Professional Workstation disk image that you
382 roll out to all desktop users. The instructions you have created are followed on a
383 staging machine from which all changes can be carefully tested before inflicting them on
384 your network users.
385 </para>
387 <para><indexterm>
388 <primary>CUPS</primary>
389 </indexterm>
390 This is the last network example in which specific mention of printing is made. The example
391 again makes use of the CUPS printing system.
392 </para>
394 </sect2>
396 </sect1>
398 <sect1>
399 <title>Dissection and Discussion</title>
401 <para><indexterm>
402 <primary>BDC</primary>
403 </indexterm><indexterm>
404 <primary>LDAP</primary>
405 </indexterm><indexterm>
406 <primary>OpenLDAP</primary>
407 </indexterm>
408 The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
409 For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
410 LDAP servers in current use with Samba-3 include:
411 </para>
413 <itemizedlist><indexterm>
414 <primary>eDirectory</primary>
415 </indexterm>
416 <listitem><para>Novell <ulink
417 url="http://www.novell.com/products/edirectory/">eDirectory.</ulink>
418 eDirectory is being successfully used by some sites. Information on how to use eDirectory can be
419 obtained from the Samba mailing lists or from Novell.</para></listitem>
421 <listitem><para><indexterm>
422 <primary>Tivoli Directory Server</primary>
423 </indexterm>IBM
424 <ulink
425 url="http://www-306.ibm.com/software/tivoli/products/directory-server/">Tivoli Directory Server,</ulink>
426 can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba
427 source code tarball under the directory <filename>~samba/example/LDAP.</filename></para></listitem>
429 <listitem><para><indexterm>
430 <primary>Sun ONE Identity Server</primary>
431 </indexterm>Sun
432 <ulink
433 url="http://www.sun.com/software/sunone/identity/index.html">ONE Identity Server.</ulink>
434 This product suite provides an LDAP server that can be used for Samba. Example schema files are
435 provided in the Samba source code tarball under the directory
436 <filename>~samba/example/LDAP.
437 </filename></para></listitem>
438 </itemizedlist>
440 <para>
441 A word of caution is fully in order. OpenLDAP is purely an LDAP server and unlike commercial
442 offerings, it requires that you manually edit the server configuration files and manually
443 initialize the LDAP directory database. OpenLDAP itself has only command line tools to
444 help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
445 </para>
447 <para><indexterm>
448 <primary>Active Directory</primary>
449 </indexterm>
450 For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
451 adequate. If you are migrating from Microsoft Active Directory, be
452 warned that OpenLDAP does not include
453 GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
454 requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
455 </para>
457 <para><indexterm>
458 <primary>Identity Management</primary>
459 </indexterm><indexterm>
460 <primary>high availability</primary>
461 </indexterm><indexterm>
462 <primary>directory</primary>
463 <secondary>replication</secondary>
464 </indexterm><indexterm>
465 <primary>directory</primary>
466 <secondary>synchronization</secondary>
467 </indexterm><indexterm>
468 <primary>performance</primary>
469 </indexterm><indexterm>
470 <primary>directory</primary>
471 <secondary>management</secondary>
472 </indexterm><indexterm>
473 <primary>directory</primary>
474 <secondary>schema</secondary>
475 </indexterm>
476 When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
477 High availability operation may be obtained through directory replication/synchronization and
478 master/slave server configurations. OpenLDAP is a mature platform to host the organizational
479 directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more.
480 The price paid through learning how to design an LDAP directory schema in implementation and configuration
481 of management tools is well rewarded by performance and flexibility, and the freedom to manage directory
482 contents with greater ability to back up, restore, and modify the directory than is generally possible
483 with Microsoft Active Directory.
484 </para>
486 <para><indexterm>
487 <primary>comparison</primary>
488 <secondary>Active Directory & OpenLDAP</secondary>
489 </indexterm><indexterm>
490 <primary>ADAM</primary>
491 </indexterm><indexterm>
492 <primary>Active Directory</primary>
493 </indexterm><indexterm>
494 <primary>OpenLDAP</primary>
495 </indexterm>
496 A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
497 tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely pre-configured
498 for a specific task orientation. It comes with a set of administrative tools that is entirely customized
499 for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
500 server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
501 who wants to built a custom directory solution. Microsoft Active Directory is a generic LDAP server that has
502 been pre-configured for a specific task. Microsoft provides an application called
503 <ulink url="http://www.microsoft.com/windowsserver2003/adam/default.mspx">
504 MS ADAM</ulink> that provides more-generic LDAP services, yet it does not have the vanilla-like services
505 of OpenLDAP.
506 </para>
508 <para><indexterm>
509 <primary>directory</primary>
510 <secondary>schema</secondary>
511 </indexterm><indexterm>
512 <primary>passdb backend</primary>
513 </indexterm>
514 You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
515 if you find the challenge of learning about LDAP directories, schemas, configuration, and management
516 tools, and the creation of shell and Perl scripts a bit
517 challenging. OpenLDAP can be easily customized, though it includes
518 many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
519 that is required for use as a passdb backend.
520 </para>
522 <para>
523 <indexterm><primary>interoperability</primary></indexterm>
524 For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
525 there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
526 The Web-based tools you might like to consider include: The
527 <ulink url="http://lam.sourceforge.net/">LDAP Account Manager</ulink> (LAM), as well as the
528 <ulink url="http://www.webmin.com">Webmin</ulink>-based Idealx
529 <ulink url="http://webmin.idealx.org/index.en.html">CGI tools.</ulink>
530 </para>
532 <para>
533 Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of
534 these so it may be useful to include passing reference to them.
535 The first is <ulink url="http://biot.com/gq">GQ</ulink>, a GTK-ased LDAP browser;
536 LDAP <ulink url="http://www.iit.edu/~gawojar/ldap/">Browser/Editor,</ulink>
537 <ulink url="http://www.jxplorer.org/">JXplorer</ulink> (by Computer Associates),
538 and the last is called <ulink url="http://phpldapadmin.sourceforge.net/">phpLDAPadmin.</ulink>
539 </para>
541 <note><para>
542 The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
543 security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
544 is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
545 LDAP before attempting to deploy it in a business-critical environment.
546 </para></note>
548 <para>
549 Information to help you get started with OpenLDAP is available from the
550 <ulink url="http://www.openldap.org/pub/">OpenLDAP Web Site.</ulink> Many people have found the book
551 <ulink url="http://www.booksense.com/product/info.jsp?isbn=1565924916">LDAP System Administration,</ulink>
552 written by Jerry Carter, quite useful.
553 </para>
555 <para><indexterm>
556 <primary>BDC</primary>
557 </indexterm><indexterm>
558 <primary>network</primary>
559 <secondary>segment</secondary>
560 </indexterm><indexterm>
561 <primary>performance</primary>
562 </indexterm><indexterm>
563 <primary>network</primary>
564 <secondary>wide-area</secondary>
565 </indexterm>
566 Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
567 main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
568 be loaded over the wide-area network connection. This addition of BDCs on each network segment significantly
569 improves overall network performance for most users, but this is not enough. You must gain control over
570 user desktops, and this must be done in a way that wins their support and does not cause further loss of
571 staff morale. The following procedures solve this problem.
572 </para>
574 <para><indexterm>
575 <primary>smart printing</primary>
576 </indexterm>
577 There is also an opportunity to implement smart printing features. You add this to the Samba configuration
578 so that future printer changes can be managed without need to change desktop configurations.
579 </para>
581 <para>
582 You add the ability to automatically download new printer drivers, even if they are not installed
583 in the default desktop profile. Only one example of printing configuration is given. It is assumed that
584 you can extrapolate the principles and use this to install all printers that may be needed.
585 </para>
587 <sect2>
588 <title>Technical Issues</title>
590 <para><indexterm>
591 <primary>identity</primary>
592 <secondary>management</secondary>
593 </indexterm><indexterm>
594 <primary>directory</primary>
595 <secondary>server</secondary>
596 </indexterm><indexterm>
597 <primary>Posix</primary>
598 </indexterm>
599 The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
600 server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
601 accounts are stored Posix schema extensions. Samba provides its own schema to permit storage of account
602 attributes Samba needs. Samba-3 can use the LDAP backend to store:
603 </para>
605 <itemizedlist>
606 <listitem><para>Windows Networking User Accounts</para></listitem>
607 <listitem><para>Windows NT Group Accounts</para></listitem>
608 <listitem><para>Mapping Information between UNIX Groups and Windows NT Groups</para></listitem>
609 <listitem><para>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</para></listitem>
610 </itemizedlist>
612 <para><indexterm>
613 <primary>UNIX accounts</primary>
614 </indexterm><indexterm>
615 <primary>Windows accounts</primary>
616 </indexterm><indexterm>
617 <primary>PADL LDAP tools</primary>
618 </indexterm><indexterm>
619 <primary>/etc/group</primary>
620 </indexterm><indexterm>
621 <primary>LDAP</primary>
622 </indexterm><indexterm>
623 <primary>name service switch</primary>
624 <see>NSS</see>
625 </indexterm><indexterm>
626 <primary>NSS</primary>
627 </indexterm><indexterm>
628 <primary>UID</primary>
629 </indexterm><indexterm>
630 <primary>nss_ldap</primary>
631 </indexterm>
632 The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
633 accounts in the LDAP backend. This implies the need to use the
634 <ulink url="http://www.padl.com/Contents/OpenSourceSoftware.html">PADL LDAP tools.</ulink> The resolution
635 of the UNIX group name to its GID must be enabled from either the
636 <filename>/etc/group</filename>
637 or from the LDAP backend. This requires the use of the PADL <filename>nss_ldap</filename> toolset
638 that integrates with the name service switcher (NSS). The same requirements exist for resolution
639 of the UNIX username to the UID. The relationships are demonstrated in <link linkend="sbehap-LDAPdiag"/>.
640 </para>
642 <image id="sbehap-LDAPdiag">
643 <imagedescription>The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</imagedescription>
644 <imagefile scale="50">UNIX-Samba-and-LDAP</imagefile>
645 </image>
647 <para><indexterm>
648 <primary>security</primary>
649 </indexterm><indexterm>
650 <primary>LDAP</primary>
651 <secondary>secure</secondary>
652 </indexterm>
653 You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
654 ought to learn how to configure secure communications over LDAP so that sites security is not
655 at risk. This is not covered in the following guidance.
656 </para>
658 <para><indexterm>
659 <primary>PDC</primary>
660 </indexterm><indexterm>
661 <primary>LDAP Interchange Format</primary>
662 <see>LDIF</see>
663 </indexterm><indexterm>
664 <primary>LDIF</primary>
665 </indexterm><indexterm>
666 <primary>secrets.tdb</primary>
667 </indexterm>
668 When OpenLDAP has been made operative, you configure the Primary Domain Controller (PDC)
669 called <constant>MASSIVE</constant>. You initialize the Samba
670 <filename>secrets.tdb<subscript></subscript></filename>
671 file. Then you create the LDAP Interchange Format (LDIF) file from which the LDAP database
672 can be initialized. You need to decide how best to create user and group accounts. A few
673 hints are, of course, provided. You can also find on the enclosed
674 CD-ROM, in the <filename>Chap06</filename>
675 directory, a few tools that help to manage user and group configuration.
676 </para>
678 <para><indexterm>
679 <primary>folder redirection</primary>
680 </indexterm><indexterm>
681 <primary>default profile</primary>
682 </indexterm><indexterm>
683 <primary>roaming profile</primary>
684 </indexterm>
685 In order to effect folder redirection and to add robustness to the implementation,
686 create a network Default Profile. All network users workstations are configured to use
687 the new profile. Roaming profiles will automatically be deleted from the workstation
688 when the user logs off.
689 </para>
691 <para><indexterm>
692 <primary>mandatory profile</primary>
693 </indexterm>
694 The profile is configured so that users cannot change the appearance
695 of their desktop. This is known as a mandatory profile. You make certain that users
696 are able to use their computers efficiently.
697 </para>
699 <para><indexterm>
700 <primary>logon script</primary>
701 </indexterm>
702 A network logon script is used to deliver flexible but consistent network drive
703 connections.
704 </para>
706 <sect3 id="sbehap-ppc">
707 <title>Addition of Machines to the Domain</title>
709 <para>
710 <indexterm><primary></primary></indexterm>
711 <indexterm><primary></primary></indexterm>
712 <indexterm><primary></primary></indexterm>
713 <indexterm><primary></primary></indexterm>
714 Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
715 that maps to the UNIX UID=0. The UNIX operating system permits only the <constant>root</constant>
716 user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
717 <constant>Privilieges</constant>. This new facility introduced four new privileges that
718 can be assigned to users and/or groups:
719 </para>
722 <table id="sbehap-privs">
723 <title>Current Privilege Capabilities</title>
724 <tgroup cols="2">
725 <colspec align="left"/>
726 <colspec align="left"/>
727 <thead>
728 <row>
729 <entry align="left">Privilege</entry>
730 <entry align="left">Description</entry>
731 </row>
732 </thead>
733 <tbody>
734 <row>
735 <entry><para>SeMachineAccountPrivilege</para></entry>
736 <entry><para>Add machines to domain</para></entry>
737 </row>
738 <row>
739 <entry><para>SePrintOperatorPrivilege</para></entry>
740 <entry><para>Manage printers</para></entry>
741 </row>
742 <row>
743 <entry><para>SeAddUsersPrivilege</para></entry>
744 <entry><para>Add users and groups to the domain</para></entry>
745 </row>
746 <row>
747 <entry><para>SeRemoteShutdownPrivilege</para></entry>
748 <entry><para>Force shutdown from a remote system</para></entry>
749 </row>
750 <row>
751 <entry><para>SeDiskOperatorPrivilege</para></entry>
752 <entry><para>Manage disk share</para></entry>
753 </row>
754 </tbody>
755 </tgroup>
756 </table>
758 <para>
759 In this network example use will be made of one of the supported privileges purely to demonstrate
760 how any user can now be given the ability to add machines to the domain using a normal user account
761 that has been given the appropriate privileges.
762 </para>
764 </sect3>
766 <sect3>
767 <title>Roaming Profile Background</title>
769 <para>
770 As XP roaming profiles grow, so does the amount of time it takes to log in and out.
771 </para>
773 <para><indexterm>
774 <primary>roaming profile</primary>
775 </indexterm><indexterm>
776 <primary>HKEY_CURRENT_USER</primary>
777 </indexterm><indexterm>
778 <primary>NTUSER.DAT</primary>
779 </indexterm><indexterm>
780 <primary>%USERNAME%</primary>
781 </indexterm>
782 An XP Roaming Profile consists of the <constant>HKEY_CURRENT_USER</constant> hive file
783 <filename>NTUSER.DAT</filename> and a number of folders (My Documents, Application Data,
784 Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
785 network with the default configuration of MS Windows NT/200x/XPP, all this data is
786 copied to the local machine. By default it is copied to the local machine, under the
787 <filename>C:\Documents and Settings\%USERNAME%</filename> directory. While the user is logged in,
788 any changes made to any of these folders or to the <constant>HKEY_CURRENT_USER</constant>
789 branch of the registry are made to the local copy of the profile. At logout the profile
790 data is copied back to the server. This behavior can be changed through appropriate
791 registry changes and/or through changes to the Default User profile. In the latter case,
792 it updates the registry with the values that are set in the
793 profile <filename>NTUSER.DAT</filename>
794 file.
795 </para>
797 <para>
798 The first challenge is to reduce the amount of data that must be transferred to and
799 from the profile server as roaming profiles are processed. This includes removing
800 all the shortcuts in the Recent directory, making sure the cache used by the web browser
801 is not being dumped into the <filename>Application Data</filename> folder, removing the
802 Java plug-in's cache (the .jpi_cache directory in the profile), as well as training the
803 user to not place large files on the Desktop and to use his mapped home directory for
804 saving documents instead of the <filename>My Documents</filename> folder.
805 </para>
807 <para><indexterm>
808 <primary>My Documents</primary>
809 </indexterm>
810 Using a folder other than <filename>My Documents</filename> is a nuisance for
811 some users since many applications use it by default.
812 </para>
814 <para><indexterm>
815 <primary>roaming profiles</primary>
816 </indexterm><indexterm>
817 <primary>Local Group Policy</primary>
818 </indexterm><indexterm>
819 <primary>NTUSER.DAT</primary>
820 </indexterm>
821 The secret to rapid loading of roaming profiles is to prevent unnecessary data from
822 being copied back and forth, without losing any functionality. This is not difficult;
823 it can be done by making changes to the Local Group Policy on each client as well
824 as changing some paths in each user's <filename>NTUSER.DAT</filename> hive.
825 </para>
827 <para><indexterm>
828 <primary>Network Default Profile</primary>
829 </indexterm><indexterm>
830 <primary>redirected folders</primary>
831 </indexterm>
832 Every user profile has their own <filename>NTUSER.DAT</filename> file. This means
833 you need to edit every user's profile, unless a better method can be
834 followed. Fortunately, with the right preparations, this is not difficult.
835 It is possible to remove the <filename>NTUSER.DAT</filename> file from each
836 user's profile. Then just create a Network Default Profile. Of course, it is
837 necessary to copy all files from redirected folders to the network share to which
838 they are redirected.
839 </para>
841 </sect3>
843 <sect3 id="sbehap-locgrppol">
844 <title>The Local Group Policy</title>
845 <para><indexterm>
846 <primary>Group Policy Objects</primary>
847 </indexterm><indexterm>
848 <primary>Active Directory</primary>
849 </indexterm><indexterm>
850 <primary>PDC</primary>
851 </indexterm><indexterm>
852 <primary>Group Policy editor</primary>
853 </indexterm>
854 Without an Active Directory PDC, you cannot take full advantage of Group Policy
855 Objects. However, you can still make changes to the Local Group Policy by using
856 the Group Policy editor (<command>gpedit.msc</command>).
857 </para>
859 <para>
860 The <emphasis>Exclude directories in roaming profile</emphasis> settings can
861 be found under
862 <menuchoice>
863 <guimenu>User Configuration</guimenu>
864 <guimenuitem>Administrative Templates</guimenuitem>
865 <guimenuitem>System</guimenuitem>
866 <guimenuitem>User Profiles</guimenuitem>
867 </menuchoice>.
868 By default this setting contains:
869 <quote>Local Settings;Temporary Internet Files;History;Temp</quote>.
870 </para>
872 <para>
873 Simply add the folders you do not wish to be copied back and forth to this
874 semi-colon separated list. Note that this change must be made on all clients
875 that are using roaming profiles.
876 </para>
878 </sect3>
880 <sect3>
881 <title>Profile Changes</title>
882 <para><indexterm>
883 <primary>NTUSER.DAT</primary>
884 </indexterm><indexterm>
885 <primary>%USERNAME%</primary>
886 </indexterm>
887 There are two changes that should be done to each user's profile. Move each of
888 the directories that you have excluded from being copied back and forth out of
889 the usual profile path. Modify each user's <filename>NTUSER.DAT</filename> file
890 to point to the new paths that are shared over the network, instead of the default
891 path (<filename>C:\Documents and Settings\%USERNAME%</filename>).
892 </para>
894 <para><indexterm>
895 <primary>Default User</primary>
896 </indexterm><indexterm>
897 <primary>regedt32</primary>
898 </indexterm>
899 The above modifies existing user profiles. So that newly created profiles have
900 these settings, you will need to modify the <filename>NTUSER.DAT</filename> in
901 the <filename>C:\Documents and Settings\Default User</filename> folder on each
902 client machine, changing the same registry keys. You could do this by copying
903 <filename>NTUSER.DAT</filename> to a Linux box and using
904 <command>regedt32</command>.
905 The basic method is described under <link linkend="redirfold"/>.
906 </para>
908 </sect3>
910 <sect3>
911 <title>Using a Network Default User Profile</title>
913 <para><indexterm>
914 <primary>NETLOGON</primary>
915 </indexterm><indexterm>
916 <primary>NTUSER.DAT</primary>
917 </indexterm>
918 If you are using Samba as your PDC, you should create a file-share called
919 <constant>NETLOGON</constant> and within that create a directory called
920 <filename>Default User</filename>, which is a copy of the desired default user
921 configuration (including a copy of <filename>NTUSER.DAT</filename>.
922 If this share exists and the <filename>Default User</filename> folder exists,
923 the first login from a new account pulls its configuration from it.
924 See also: <ulink
925 url="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html">
926 the Real Men Don't Click</ulink> Web site.
927 </para>
929 </sect3>
931 <sect3>
932 <title>Installation of Printer Driver Auto-Download</title>
934 <para><indexterm>
935 <primary>printing</primary>
936 <secondary>dumb</secondary>
937 </indexterm><indexterm>
938 <primary>dumb printing</primary>
939 </indexterm><indexterm>
940 <primary>Raw Print Through</primary>
941 </indexterm>
942 The subject of printing is quite topical. Printing problems run second place to name
943 resolution issues today. So far in this book, you have experienced only what is generally
944 known as <quote>dumb</quote> printing. Dumb printing is the arrangement where all drivers
945 are manually installed on each client and the printing subsystems perform no filtering
946 or intelligent processing. Dumb printing is easily understood. It usually works without
947 many problems, but it has its limitations also. Dumb printing is better known as
948 <command>Raw Print Through</command> printing.
949 </para>
951 <para><indexterm>
952 <primary>printing</primary>
953 <secondary>drag-and-drop</secondary>
954 </indexterm><indexterm>
955 <primary>printing</primary>
956 <secondary>point-n-click</secondary>
957 </indexterm>
958 Samba permits the configuration of <command>Smart</command> printing using the Microsoft
959 Windows point-and-click (also called drag-and-drop) printing. What this provides is
960 essentially the ability to print to any printer. If the local client does not yet have a
961 driver installed, the driver is automatically downloaded from the Samba server and
962 installed on the client. Drag-and-drop printing is neat; it means the user never needs
963 to fuss with driver installation, and that is a <trademark>Good Thing</trademark>,
964 isn't it?
965 </para>
967 <para>
968 There is a further layer of print job processing that is known as <command>Intelligent</command>
969 printing that automatically senses the file format of data submitted for printing and
970 then invokes a suitable print filter to convert the incoming data stream into a format
971 suited to the printer to which the job is dispatched.
972 </para>
974 <para>
975 <indexterm><primary>CUPS</primary></indexterm>
976 <indexterm><primary>Easy Software Products</primary></indexterm>
977 <indexterm><primary>Postscript</primary></indexterm>
978 The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
979 detect the data format and apply a print filter. This means that it is feasible to install
980 on all Windows clients a single printer driver for use with all printers that are routed
981 through CUPS. The most sensible driver to use is one for a Postscript printer. Fortunately,
982 <ulink url="http://www.easysw.com">Easy Software Products,</ulink> the authors of CUPS have
983 released a Postscript printing driver for Windows. It can be installed into the Samba
984 printing backend so that it automatically downloads to the client when needed.
985 </para>
987 <para>
988 This means that so long as there is a CUPS driver for the printer, all printing from Windows
989 software can use Postscript, no matter what the actual printer language for the physical
990 device is. It also means that the administrator can swap out a printer with a totally
991 different type of device without ever needing to change a client workstation driver.
992 </para>
994 <para>
995 This book is about Samba-3, so you can confine the printing style to just the smart
996 style of installation. Those interested in further information regarding intelligent
997 printing should review documentation on the Easy Software Products Web site.
998 </para>
1000 </sect3>
1002 <sect3 id="sbeavoid">
1003 <title>Avoiding Failures &smbmdash; Solving Problems Before the Happen</title>
1005 <para>
1006 It has often been said that there are three types of people in the world: Those who
1007 have sharp minds and those that forget things. Please do not ask what the third group
1008 are like! Well, it seems that many of us have company in the second group. There must
1009 be a good explanation why so many network administrators fail to solve apparently
1010 simple problems efficiently and effectively.
1011 </para>
1013 <para>
1014 Here are some diagnostic guidelines that can be referred to when things go wrong:
1015 </para>
1017 <sect4>
1018 <title>Preliminary Advice &smbmdash; Dangers Can be Avoided</title>
1020 <para>
1021 The best advice regarding how best to mend a broken leg was <quote>never break a leg!</quote>
1022 </para>
1024 <para>
1025 <indexterm><primary>LDAP</primary></indexterm>
1026 New comers to Samba and LDAP seem to struggle a great deal at first. If you want advice
1027 regarding the best way to remedy LDAP and Samba problems: <quote>Avoid them like the plague!</quote>
1028 </para>
1030 <para>
1031 If you are now asking yourself how can problems be avoided? The best advice is to start
1032 out your learning experience with an <emphasis>known-to-work</emphasis> solution. After
1033 you have seen a fully working solution, a good way to learn is to make slow and progressive
1034 changes that cause things to break, then observe carefully how and why things ceased to work.
1035 </para>
1037 <para>
1038 The examples in this chapter (also in the book as a whole) are known to work. That means
1039 that they could serve as the kick-off point for your journey through fields of knowledge.
1040 Use this resource carefully; we hope it serves you well.
1041 </para>
1043 <warning><para>
1044 Do not be lulled into thinking that you can easily adopt the examples in this
1045 book and adapt them without first working through the working examples provided. A little
1046 thing over-looked can cause untold pain and may permanently tarnish your experience.
1047 </para></warning>
1049 </sect4>
1051 <sect4>
1052 <title>Debugging LDAP</title>
1054 <para>
1055 <indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
1056 <indexterm><primary>loglevel</primary></indexterm>
1057 <indexterm><primary>slapd</primary></indexterm>
1058 In the example <filename>/etc/openldap/slapd.conf</filename> control file
1059 (see <link linkend="sbehap-dbconf"/>) there is an entry for <constant>loglevel 256</constant>.
1060 To enable logging via the syslog infrastructure it is necessary to uncomment this parameter
1061 and restart <command>slapd</command>.
1062 </para>
1064 <para>
1065 <indexterm><primary>/etc/syslog.conf</primary></indexterm>
1066 <indexterm><primary>/var/log/ldaplogs</primary></indexterm>
1067 LDAP log information can be directed into a file that is separate from the normal system
1068 log files by changing the <filename>/etc/syslog.conf</filename> file so it has the following
1069 contents:
1070 <screen>
1071 # Some foreign boot scripts require local7
1072 #
1073 local0,local1.* -/var/log/localmessages
1074 local2,local3.* -/var/log/localmessages
1075 local5.* -/var/log/localmessages
1076 local6,local7.* -/var/log/localmessages
1077 local4.* -/var/log/ldaplogs
1078 </screen>
1079 In the above case, all LDAP related logs will be directed to the file
1080 <filename>/var/log/ldaplogs</filename>. This makes it easy to track LDAP errors.
1081 The above provides a simple example of usage that can be modified to suit
1082 local site needs. The configuration used later in this chapter reflects such
1083 customization with the intent that LDAP log files will be stored at a location
1084 that meets local site needs and wishes more fully.
1085 </para>
1087 </sect4>
1089 <sect4>
1090 <title>Debugging NSS_LDAP</title>
1092 <para>
1093 The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
1094 <filename>/etc/ldap.conf</filename> file the following parameters:
1095 <screen>
1096 debug 256
1097 logdir /data/logs
1098 </screen>
1099 Create the log directory as follows:
1100 <screen>
1101 &rootprompt; mkdir /data/logs
1102 </screen>
1103 </para>
1105 <para>
1106 The diagnostic process should follow the following steps:
1107 </para>
1109 <procedure>
1111 <step><para>
1112 Verify the <constant>nss_base_passwd, nss_base_shadow, nss_base_group</constant> entries
1113 in the <filename>/etc/ldap.conf</filename> file and compare them closely with the directory
1114 tree location that was chosen in when the directory was first created.
1115 </para>
1117 <para>
1118 One way this can be done is by executing:
1119 <screen>
1120 &rootprompt; slapcat | grep Group | grep dn
1121 dn: ou=Groups,dc=abmas,dc=biz
1122 dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
1123 dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
1124 dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
1125 dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
1126 dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz
1127 dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
1128 dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
1129 dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz
1130 </screen>
1131 The first line is the DIT entry point for the container for POSIX groups. The correct entry
1132 for the <filename>/etc/ldap.conf</filename> for the <constant>nss_base_group</constant>
1133 parameter therefore is the distinquished name (dn) as applied here:
1134 <screen>
1135 nss_base_group ou=Groups,dc=abmas,dc=biz?one
1136 </screen>
1137 The same process may be followed to determine the appropriate dn for user accounts.
1138 If the container for computer accounts is not the same as that for users (see the &smb.conf;
1139 file entry for <constant>ldap machine suffix</constant>, it may be necessary to set the
1140 following DIT dn in the <filename>/etc/ldap.conf</filename> file:
1141 <screen>
1142 nss_base_passwd dc=abmas,dc=biz?sub
1143 </screen>
1144 This instructs LDAP to search for machine as well as user entries from the top of the DIT
1145 down. This is inefficient, but at least should work. Note: It is possible to specify mulitple
1146 <constant>nss_base_passwd</constant> entries in the <filename>/etc/ldap.conf</filename> file, they
1147 will be evaluated sequentially. Let us consider an example of use where the following DIT
1148 has been implemented:
1149 </para>
1151 <para>
1152 <simplelist>
1153 <member><para>All user accounts are stored under the DIT: ou=Users,dc=abmas,dc=biz</para></member>
1154 <member><para>All user login accounts are under the DIT: ou=People,ou-Users,dc=abmas,dc=biz</para></member>
1155 <member><para>All computer accounts are under the DIT: ou=Computers,ou=Users,dc=abmas,dc=biz</para></member>
1156 </simplelist>
1157 </para>
1159 <para>
1160 The appropriate multiple entry for the <constant>nss_base_passwd</constant> directive
1161 in the <filename>/etc/ldap.conf</filename> file may be:
1162 <screen>
1163 nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
1164 nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
1165 </screen>
1166 </para></step>
1168 <step><para>
1169 Perform lookups such as:
1170 <screen>
1171 &rootprompt; getent passwd
1172 </screen>
1173 Each such lookup will create an entry in the <filename>/data/log</filename> directory
1174 for each such process executed. The contents of that file may provide a hint as to
1175 the cause of the failure that is being investigated.
1176 </para></step>
1178 <step><para>
1179 Check the contents of the <filename>/var/log/messages</filename> to see what error messages are being
1180 generated as a result of the LDAP lookups. Here is an example of a successful lookup:
1181 <screen>
1182 slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539
1183 (IP=0.0.0.0:389)
1184 slapd[12164]: conn=0 op=0 BIND dn="" method=128
1185 slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=
1186 slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0
1187 filter="(objectClass=*)"
1188 slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0
1189 nentries=1 text=
1190 slapd[12164]: conn=0 op=2 UNBIND
1191 slapd[12164]: conn=0 fd=10 closed
1192 slapd[12164]: conn=1 fd=10 ACCEPT from
1193 IP=127.0.0.1:33540 (IP=0.0.0.0:389)
1194 slapd[12164]: conn=1 op=0 BIND
1195 dn="cn=Manager,dc=abmas,dc=biz" method=128
1196 slapd[12164]: conn=1 op=0 BIND
1197 dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0
1198 slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=
1199 slapd[12164]: conn=1 op=1 SRCH
1200 base="ou=People,dc=abmas,dc=biz" scope=1 deref=0
1201 filter="(objectClass=posixAccount)"
1202 slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword
1203 uidNumber gidNumber cn
1204 homeDirectory loginShell gecos description objectClass
1205 slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0
1206 nentries=2 text=
1207 slapd[12164]: conn=1 fd=10 closed
1209 </screen>
1210 </para></step>
1212 <step><para>
1213 Check that the bindpw entry in the <filename>/etc/ldap.conf</filename> or in the
1214 <filename>/etc/ldap.secrets</filename> file is correct. i.e.: As specified in the
1215 <filename>/etc/openldap/slapd.conf</filename> file.
1216 </para></step>
1218 </procedure>
1220 </sect4>
1222 <sect4>
1223 <title>Debugging Samba</title>
1225 <para>
1226 The following parameters in the &smb.conf; file can be useful in tracking down Samba related problems:
1227 <screen>
1228 [global]
1229 ...
1230 log level = 5
1231 log file = /var/log/samba/%m.log
1232 max log size = 0
1233 ...
1234 </screen>
1235 This will result in the creation of a separate log file for every client from which connections
1236 are made. The log file will be quite verbose and will grow continually. Do not forget to
1237 change these lines to the following when debugging has been completed:
1238 <screen>
1239 [global]
1240 ...
1241 log level = 1
1242 log file = /var/log/samba/%m.log
1243 max log size = 50
1244 ...
1245 </screen>
1246 </para>
1248 <para>
1249 The log file can be analyzed by executing:
1250 <screen>
1251 &rootprompt; cd /var/log/samba
1252 &rootprompt; grep -v "^\[200" machine_name.log
1253 </screen>
1254 </para>
1256 <para>
1257 Search for hints of what may have failed by lokking for the words <emphasis>fail</emphasis>
1258 and <emphasis>error</emphasis>.
1259 </para>
1261 </sect4>
1263 <sect4>
1264 <title>Debugging on the Windows Client</title>
1266 <para>
1267 MS Windows 2000 Professional and Windows XP Professional clients are capable of being configured
1268 to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
1269 the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
1270 version of MS Windows.
1271 </para>
1273 </sect4>
1275 </sect3>
1277 </sect2>
1280 <sect2>
1281 <title>Political Issues</title>
1283 <para>
1284 MS Windows network users are generally very sensitive to limits that may be imposed when
1285 confronted with locked-down workstation configurations. The challenge you face must
1286 be promoted as a choice between reliable and fast network operation, and a constant flux
1287 of problems that result in user irritation.
1288 </para>
1290 </sect2>
1292 <sect2>
1293 <title>Installation Check-List</title>
1295 <para>
1296 You are starting a complex project. Even though you have gone through the installation
1297 of a complex network in chapter 5, this network is a bigger challenge because of the
1298 large number of complex applications that must be configured before the first few steps
1299 can be validated. Take stock of what you are about to undertake, prepare yourself, and
1300 frequently review the steps ahead while making at least a mental note of what has already
1301 been completed. The following task list may help you to keep track of the task items
1302 that are covered:
1303 </para>
1306 <itemizedlist>
1307 <listitem><para>Samba-3 PDC Server Configuration</para>
1308 <orderedlist>
1309 <listitem><para>DHCP and DNS Servers</para></listitem>
1310 <listitem><para>OpenLDAP Server</para></listitem>
1311 <listitem><para>PAM and NSS Client Tools</para></listitem>
1312 <listitem><para>Samba-3 PDC</para></listitem>
1313 <listitem><para>Idealx SMB-LDAP Scripts</para></listitem>
1314 <listitem><para>LDAP Initialization</para></listitem>
1315 <listitem><para>Create User and Group Accounts</para></listitem>
1316 <listitem><para>Printers</para></listitem>
1317 <listitem><para>Share Point Directory Roots</para></listitem>
1318 <listitem><para>Profile Directories</para></listitem>
1319 <listitem><para>Logon Scripts</para></listitem>
1320 <listitem><para>Configuration of User Rights and Privileges</para></listitem>
1321 </orderedlist>
1322 </listitem>
1323 <listitem><para>Samba-3 BDC Server Configuration</para>
1324 <orderedlist>
1325 <listitem><para>DHCP and DNS Servers</para></listitem>
1326 <listitem><para>PAM and NSS Client Tools</para></listitem>
1327 <listitem><para>Printers</para></listitem>
1328 <listitem><para>Share Point Directory Roots</para></listitem>
1329 <listitem><para>Profiles Directories</para></listitem>
1330 </orderedlist>
1331 </listitem>
1332 <listitem><para>Windows XP Client Configuration</para>
1333 <orderedlist>
1334 <listitem><para>Default Profile Folder Redirection</para></listitem>
1335 <listitem><para>MS Outlook PST File Relocation</para></listitem>
1336 <listitem><para>Delete Roaming Profile on Logout</para></listitem>
1337 <listitem><para>Upload Printer Drivers to Samba Servers</para></listitem>
1338 <listitem><para>Install Software</para></listitem>
1339 <listitem><para>Creation of Roll-out Images</para></listitem>
1340 </orderedlist>
1341 </listitem>
1342 </itemizedlist>
1345 </sect2>
1347 </sect1>
1349 <sect1>
1350 <title>Samba Server Implementation</title>
1352 <para><indexterm>
1353 <primary>file servers</primary>
1354 </indexterm><indexterm>
1355 <primary>BDC</primary>
1356 </indexterm>
1357 The network design shown in <link linkend="chap6net"/> is not comprehensive. It is assumed
1358 that you will install additional file servers, and possibly additional BDCs.
1359 </para>
1361 <image id="chap6net">
1362 <imagedescription>Network Topology &smbmdash; 500 User Network Using ldapsam passdb backend.</imagedescription>
1363 <imagefile scale="50">chap6-net</imagefile>
1364 </image>
1366 <para><indexterm>
1367 <primary>SUSE Linux</primary>
1368 </indexterm><indexterm>
1369 <primary>Red Hat Linux</primary>
1370 </indexterm>
1371 All configuration files and locations are shown for SUSE Linux 9.2 and are equaly valid for SUSE
1372 Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
1373 adjust the locations for your particular Linux system distribution/implementation.
1374 </para>
1376 <note><para>
1377 The following information applies to Samba-3.0.15 when used with the Idealx smbldap-tools scripts
1378 version 0.8.8. If using a different version of Samba, or of the smbldap-tools tarball, please
1379 verify that the versions you are about to use are matching. The smbldap-tools package uses counter
1380 entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are issued for POSIX
1381 accounts. The LDAP rdn under which this information is stored are called <constant>uidNumber</constant>
1382 and <constant>gidNumber</constant> respectively. These may be located in any convenient part of the
1383 directory information tree (DIT). In the examples that follow they have been located under
1384 <constant>dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</constant>. They could just as well be located under the rdn
1385 <constant>cn=NextFreeUnixId</constant>.
1386 </para></note>
1388 <para>
1389 The steps in the process involve changes from the network configuration
1390 shown in <link linkend="Big500users"/>.
1391 Before implementing the following steps, you must have completed the network implementation shown
1392 in that chapter. If you are starting with newly installed Linux servers, you must complete
1393 the steps shown in <link linkend="ch5-dnshcp-setup"/> before commencing
1394 at <link linkend="ldapsetup"/>:
1395 </para>
1397 <sect2 id="ldapsetup">
1398 <title>OpenLDAP Server Configuration</title>
1400 <para><indexterm>
1401 <primary>nss_ldap</primary>
1402 </indexterm><indexterm>
1403 <primary>pam_ldap</primary>
1404 </indexterm><indexterm>
1405 <primary>openldap</primary>
1406 </indexterm>
1407 Confirm that the packages shown in <link linkend="oldapreq"/> are installed on your system.
1408 </para>
1410 <table id="oldapreq">
1411 <title>Required OpenLDAP Linux Packages</title>
1412 <tgroup cols="3">
1413 <colspec align="left"/>
1414 <colspec align="left"/>
1415 <colspec align="left"/>
1416 <thead>
1417 <row>
1418 <entry align="center">SUSE Linux 8.x</entry>
1419 <entry align="center">SUSE Linux 9.x</entry>
1420 <entry align="center">Red Hat Linux</entry>
1421 </row>
1422 </thead>
1423 <tbody>
1424 <row>
1425 <entry>nss_ldap</entry>
1426 <entry>nss_ldap</entry>
1427 <entry>nss_ldap</entry>
1428 </row>
1429 <row>
1430 <entry>pam_ldap</entry>
1431 <entry>pam_ldap</entry>
1432 <entry>pam_ldap</entry>
1433 </row>
1434 <row>
1435 <entry>openldap2</entry>
1436 <entry>openldap2</entry>
1437 <entry>openldap</entry>
1438 </row>
1439 <row>
1440 <entry>openldap2-client</entry>
1441 <entry>openldap2-client</entry>
1442 <entry></entry>
1443 </row>
1444 </tbody>
1445 </tgroup>
1446 </table>
1448 <para>
1449 Samba-3 and OpenLDAP will have a degree of inter-dependence that is unavoidable. The method
1450 for boot-strapping the LDAP and Samba-3 configuration is relatively straight forward. If you
1451 follow these guidelines, the resulting system should work fine.
1452 </para>
1454 <procedure>
1455 <step><para><indexterm>
1456 <primary>/etc/openldap/slapd.conf</primary>
1457 </indexterm>
1458 Install the file shown in <link linkend="sbehap-slapdconf"/> in the directory
1459 <filename>/etc/openldap</filename>.
1460 </para></step>
1462 <step><para><indexterm>
1463 <primary>/data/ldap</primary>
1464 </indexterm><indexterm>
1465 <primary>group account</primary>
1466 </indexterm><indexterm>
1467 <primary>user account</primary>
1468 </indexterm>
1469 Remove all files from the directory <filename>/data/ldap</filename>, making certain that
1470 the directory exists with permissions:
1471 <screen>
1472 &rootprompt; ls -al /data | grep ldap
1473 drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
1474 </screen>
1475 This may require you to add a user and a group account for LDAP if they do not exist.
1476 </para></step>
1478 <step><para><indexterm><primary>DB_CONFIG</primary></indexterm>
1479 Install the file shown in <link linkend="sbehap-dbconf"/> in the directory
1480 <filename>/data/ldap</filename>. In the event that this file is added after <constant>ldap</constant>
1481 has been started, it is possible to cause the new settings to take effect by shutting down
1482 the <constant>LDAP</constant> server, executing the <command>db_recover</command> command inside the
1483 <filename>/data/ldap</filename> directory, and then restarting the <constant>LDAP</constant> server.
1484 </para></step>
1486 <step><para><indexterm><primary>syslog</primary></indexterm>
1487 Performance logging can be enabled and should preferrably be sent to a file on
1488 a file system that is large enough to handle significantly sized logs. To enable
1489 the logging at a verbose level to permit detailed analysis uncomment the entry in
1490 the <filename>/etc/openldap/slapd.conf</filename> shown as <quote>loglevel 256</quote>.
1491 </para>
1493 <para>
1494 Edit the <filename>/etc/syslog.conf</filename> file to add the following at the end
1495 of the file:
1496 <screen>
1497 local4.* -/data/ldap/log/openldap.log
1498 </screen>
1499 Note: The path <filename>/data/ldap/log</filename> should be set a a location
1500 that is convenient and that can store a large volume of data.
1501 </para></step>
1503 </procedure>
1505 <example id="sbehap-dbconf">
1506 <title>LDAP DB_CONFIG File</title>
1507 <screen>
1508 set_cachesize 0 150000000 1
1509 set_lg_regionmax 262144
1510 set_lg_bsize 2097152
1511 #set_lg_dir /var/log/bdb
1512 set_flags DB_LOG_AUTOREMOVE
1513 </screen>
1514 </example>
1516 <example id="sbehap-slapdconf">
1517 <title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part A</title>
1518 <screen>
1519 include /etc/openldap/schema/core.schema
1520 include /etc/openldap/schema/cosine.schema
1521 include /etc/openldap/schema/inetorgperson.schema
1522 include /etc/openldap/schema/nis.schema
1523 include /etc/openldap/schema/samba3.schema
1525 pidfile /var/run/slapd/slapd.pid
1526 argsfile /var/run/slapd/slapd.args
1528 access to dn.base=""
1529 by self write
1530 by * auth
1532 access to attr=userPassword
1533 by self write
1534 by * auth
1536 access to attr=shadowLastChange
1537 by self write
1538 by * read
1540 access to *
1541 by * read
1542 by anonymous auth
1544 #loglevel 256
1546 schemacheck on
1547 idletimeout 30
1548 backend bdb
1549 database bdb
1550 checkpoint 1024 5
1551 cachesize 10000
1553 suffix "dc=abmas,dc=biz"
1554 rootdn "cn=Manager,dc=abmas,dc=biz"
1556 # rootpw = not24get
1557 rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
1559 directory /data/ldap
1560 </screen>
1561 </example>
1563 <example id="sbehap-slapdconf2">
1564 <title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part B</title>
1565 <screen>
1566 # Indices to maintain
1567 index objectClass eq
1568 index cn pres,sub,eq
1569 index sn pres,sub,eq
1570 index uid pres,sub,eq
1571 index displayName pres,sub,eq
1572 index uidNumber eq
1573 index gidNumber eq
1574 index memberUID eq
1575 index sambaSID eq
1576 index sambaPrimaryGroupSID eq
1577 index sambaDomainName eq
1578 index default sub
1579 </screen>
1580 </example>
1582 </sect2>
1584 <sect2 id="sbehap-PAM-NSS">
1585 <title>PAM and NSS Client Configuration</title>
1587 <para><indexterm>
1588 <primary>LDAP</primary>
1589 </indexterm><indexterm>
1590 <primary>NSS</primary>
1591 </indexterm><indexterm>
1592 <primary>PAM</primary>
1593 </indexterm>
1594 The steps that follow involve configuration of LDAP, Name Service Switch (NSS) LDAP-based resolution
1595 of users and groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead
1596 configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
1597 </para>
1599 <para>
1600 Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
1601 that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
1602 correct configuration of the Pluggable Authentication
1603 Modules<indexterm>
1604 <primary>Pluggable Authentication Modules</primary>
1605 <see>PAM</see>
1606 </indexterm><indexterm>
1607 <primary>pam_unix2.so</primary>
1608 </indexterm>
1609 (PAM). The <command>pam_ldap</command>
1610 open source package provides the PAM modules that most people would use. On SUSE Linux systems,
1611 the <command>pam_unix2.so</command> module also has the ability to redirect authentication requests
1612 through LDAP.
1613 </para>
1615 <para><indexterm>
1616 <primary>YaST</primary>
1617 </indexterm><indexterm>
1618 <primary>SUSE Linux</primary>
1619 </indexterm><indexterm>
1620 <primary>Red Hat Linux</primary>
1621 </indexterm><indexterm>
1622 <primary>authconfig</primary>
1623 </indexterm>
1624 You have chosen to configure these services by directly editing the system files but, of course, you
1625 know that this configuration can be done using system tools provided by the Linux system vendor.
1626 SUSE Linux has a facility in YaST (the system admin tool) through <menuchoice><guimenu>yast</guimenu>
1627 <guimenuitem>system</guimenuitem><guimenuitem>ldap-client</guimenuitem></menuchoice> that permits
1628 configuration of SUSE Linux as an LDAP client. Red Hat Linux provides
1629 the <command>authconfig</command>
1630 tool for this.
1631 </para>
1633 <procedure>
1634 <step><para><indexterm>
1635 <primary>/lib/libnss_ldap.so.2</primary>
1636 </indexterm><indexterm>
1637 <primary>/etc/ldap.conf</primary>
1638 </indexterm><indexterm>
1639 <primary>nss_ldap</primary>
1640 </indexterm>
1641 Execute the following command to find where the <filename>nss_ldap</filename> module
1642 expects to find its control file:
1643 <screen>
1644 &rootprompt; strings /lib/libnss_ldap.so.2 | grep conf
1645 </screen>
1646 The preferred and usual location is <filename>/etc/ldap.conf</filename>.
1647 </para></step>
1649 <step><para>
1650 On the server <constant>MASSIVE</constant>, install the file shown in
1651 <link linkend="sbehap-nss01"/> into the path that was obtained from the step above.
1652 On the servers called <constant>BLDG1</constant> and <constant>BLDG2</constant>, install the file shown in
1653 <link linkend="sbehap-nss02"/> into the path that was obtained from the step above.
1654 </para></step>
1656 <example id="sbehap-nss01">
1657 <title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
1658 <screen>
1659 host 127.0.0.1
1661 base dc=abmas,dc=biz
1663 binddn cn=Manager,dc=abmas,dc=biz
1664 bindpw not24get
1666 timelimit 50
1667 bind_timelimit 50
1668 bind_policy hard
1670 idle_timelimit 3600
1672 pam_password exop
1674 nss_base_passwd ou=People,dc=abmas,dc=biz?one
1675 nss_base_shadow ou=People,dc=abmas,dc=biz?one
1676 nss_base_group ou=Groups,dc=abmas,dc=biz?one
1678 ssl off
1679 </screen>
1680 </example>
1682 <example id="sbehap-nss02">
1683 <title>Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
1684 <screen>
1685 host 172.16.0.1
1687 base dc=abmas,dc=biz
1689 binddn cn=Manager,dc=abmas,dc=biz
1690 bindpw not24get
1692 timelimit 50
1693 bind_timelimit 50
1694 bind_policy hard
1696 idle_timelimit 3600
1698 pam_password exop
1700 nss_base_passwd ou=People,dc=abmas,dc=biz?one
1701 nss_base_shadow ou=People,dc=abmas,dc=biz?one
1702 nss_base_group ou=Groups,dc=abmas,dc=biz?one
1704 ssl off
1705 </screen>
1706 </example>
1708 <step><para><indexterm>
1709 <primary>/etc/nsswitch.conf</primary>
1710 </indexterm>
1711 Edit the NSS control file (<filename>/etc/nsswitch.conf</filename>) so that the lines that
1712 control user and group resolution will obtain information from the normal system files as
1713 well as from <command>ldap</command> as follows:
1714 <screen>
1715 passwd: files ldap
1716 shadow: files ldap
1717 group: files ldap
1718 hosts: files dns wins
1719 </screen>
1720 Later, when the LDAP database has been initialized and user and group accounts have been
1721 added, you can validate resolution of the LDAP resolver process. The inclusion of
1722 WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be
1723 resolved to their IP addresses, whether or not they are DHCP clients.
1724 </para></step>
1726 <step><para><indexterm>
1727 <primary>pam_unix2.so</primary>
1728 <secondary>use_ldap</secondary>
1729 </indexterm>
1730 For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
1731 files in the <filename>/etc/pam.d</filename> directory:
1732 <command>login, password, samba, sshd</command>.
1733 In each file, locate every entry that has the <command>pam_unix2.so</command> entry and add to the
1734 line the entry <command>use_ldap</command> as shown for the
1735 <command>login</command> module in
1736 this example:
1737 <screen>
1738 #%PAM-1.0
1739 auth requisite pam_unix2.so nullok use_ldap #set_secrpc
1740 auth required pam_securetty.so
1741 auth required pam_nologin.so
1742 #auth required pam_homecheck.so
1743 auth required pam_env.so
1744 auth required pam_mail.so
1745 account required pam_unix2.so use_ldap
1746 password required pam_pwcheck.s nullok
1747 password required pam_unix2.so nullok use_first_pass \
1748 use_authtok use_ldap
1749 session required pam_unix2.so none use_ldap # debug or trace
1750 session required pam_limits.so
1751 </screen>
1752 </para>
1754 <para><indexterm>
1755 <primary>pam_ldap.so</primary>
1756 </indexterm>
1757 On other Linux systems that do not have an LDAP-enabled <command>pam_unix2.so</command> module,
1758 you must edit these files by adding the <command>pam_ldap.so</command> modules as shown here:
1759 <screen>
1760 #%PAM-1.0
1761 auth required pam_securetty.so
1762 auth required pam_nologin.so
1763 auth sufficient pam_ldap.so
1764 auth required pam_unix2.so nullok try_first_pass #set_secrpc
1765 account sufficient pam_ldap.so
1766 account required pam_unix2.so
1767 password required pam_pwcheck.so nullok
1768 password required pam_ldap.so use_first_pass use_authtok
1769 password required pam_unix2.so nullok use_first_pass use_authtok
1770 session required pam_unix2.so none # debug or trace
1771 session required pam_limits.so
1772 session required pam_env.so
1773 session optional pam_mail.so
1774 </screen>
1775 This example does have the LDAP-enabled <command>pam_unix2.so</command>, but simply
1776 demonstrates the use of the <command>pam_ldap.so</command> module. You can use either
1777 implementation, but if the <command>pam_unix2.so</command> on your system supports
1778 LDAP, you probably want to use it, rather than add an additional module.
1779 </para></step>
1780 </procedure>
1782 </sect2>
1784 <sect2 id="sbehap-massive">
1785 <title>Samba-3 PDC Configuration</title>
1787 <para><indexterm>
1788 <primary>Samba RPM Packages</primary>
1789 </indexterm>
1790 Verify that the Samba-3.0.15 (or later) packages are installed on each SUSE Linux server
1791 before following the steps below. If Samba-3.0.15 (or later) is not installed, you have the
1792 choice to either build your own or to obtain the packages from a dependable source.
1793 Packages for SUSE Linux 8.x, 9.x and SUSE Linux Enterprise Server 9, as well as for
1794 Red Hat Fedora Core and Red Hat Enteprise Linux Server 3 and 4 are included on the CD-ROM that
1795 is included at the back of this book.
1796 </para>
1798 <procedure>
1799 <title>Configuration of PDC Called: <constant>MASSIVE</constant></title>
1800 <step><para>
1801 Install the files in <link linkend="sbehap-massive-smbconfa"/>,
1802 <link linkend="sbehap-massive-smbconfb"/>, <link linkend="sbehap-shareconfa"/>,
1803 and <link linkend="sbehap-shareconfb"/> into the <filename>/etc/samba/</filename>
1804 directory. The three files should be added together to form the &smb.conf;
1805 master file. It is a good practice to call this file something like
1806 <filename>smb.conf.master</filename>, and then to perform all file edits
1807 on the master file. The operational &smb.conf; is then generated as shown in
1808 the next step.
1809 </para></step>
1811 <step><para><indexterm>
1812 <primary>testparm</primary>
1813 </indexterm>
1814 Create and verify the contents of the &smb.conf; file that is generated by:
1815 <screen>
1816 &rootprompt; testparm -s smb.conf.master > smb.conf
1817 </screen>
1818 Immediately follow this with the following:
1819 <screen>
1820 &rootprompt; testparm
1821 </screen>
1822 The output that is created should be free from errors, as shown here:
1824 <screen>
1825 Load smb config files from /etc/samba/smb.conf
1826 Processing section "[accounts]"
1827 Processing section "[service]"
1828 Processing section "[pidata]"
1829 Processing section "[homes]"
1830 Processing section "[printers]"
1831 Processing section "[apps]"
1832 Processing section "[netlogon]"
1833 Processing section "[profiles]"
1834 Processing section "[profdata]"
1835 Processing section "[print$]"
1836 Loaded services file OK.
1837 Server role: ROLE_DOMAIN_PDC
1838 Press enter to see a dump of your service definitions
1839 </screen>
1840 </para></step>
1842 <step><para>
1843 Delete all run-time files from prior Samba operation by executing (for SUSE
1844 Linux):
1845 <screen>
1846 &rootprompt; rm /etc/samba/*tdb
1847 &rootprompt; rm /var/lib/samba/*tdb
1848 &rootprompt; rm /var/lib/samba/*dat
1849 &rootprompt; rm /var/log/samba/*
1850 </screen>
1851 </para></step>
1853 <step><para><indexterm>
1854 <primary>secrets.tdb</primary>
1855 </indexterm><indexterm>
1856 <primary>smbpasswd</primary>
1857 </indexterm>
1858 Samba-3 communicates with the LDAP server. The password that it uses to
1859 authenticate to the LDAP server must be stored in the <filename>secrets.tdb</filename>
1860 file. Execute the following to create the new <filename>secrets.tdb</filename> files
1861 and store the password for the LDAP Manager:
1862 <screen>
1863 &rootprompt; smbpasswd -w not24get
1864 </screen>
1865 The expected output from this command is:
1866 <screen>
1867 Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
1868 </screen>
1869 </para></step>
1871 <step><para><indexterm>
1872 <primary>smbd</primary>
1873 </indexterm><indexterm>
1874 <primary>net</primary>
1875 <secondary>getlocalsid</secondary>
1876 </indexterm>
1877 Samba-3 generates a Windows Security Identifier only when <command>smbd</command>
1878 has been started. For this reason, you start Samba. After a few seconds delay,
1879 execute:
1880 <screen>
1881 &rootprompt; smbclient -L localhost -U%
1882 &rootprompt; net getlocalsid
1883 </screen>
1884 A report such as the following means that the Domain Security Identifier (SID) has not yet
1885 been written to the <filename>secrets.tdb</filename> or to the LDAP backend:
1886 <screen>
1887 [2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
1888 failed to bind to server ldap://massive.abmas.biz
1889 with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server
1890 (unknown)
1891 [2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
1892 smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)
1893 </screen>
1894 The attempt to read the SID will attempt to bind to the LDAP server. Because the LDAP server
1895 is not running this operation will fail by way of a time out, as shown above. This is
1896 normal output, do not worry about this error message. When the Domain has been created and
1897 written to the <filename>secrets.tdb</filename> file, the output should look like this:
1898 <screen>
1899 SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
1900 </screen>
1901 If, after a short delay (a few seconds), the Domain SID has still not been written to
1902 the <filename>secrets.tdb</filename> file, it is necessary to investigate what
1903 may be mis-configured. In this case, carefully check the &smb.conf; file for typographical
1904 errors (the most common problem). The use of the <command>testparm</command> is highly
1905 recommended to validate the contents of this file.
1906 </para></step>
1908 <step><para>
1909 When a positive Domain SID has been reported, stop Samba.
1910 </para></step>
1912 <step><para>
1913 <indexterm>
1914 <primary>NFS server</primary>
1915 </indexterm>
1916 <indexterm>
1917 <primary>/etc/exports</primary>
1918 </indexterm>
1919 <indexterm>
1920 <primary>BDC</primary>
1921 </indexterm>
1922 <indexterm>
1923 <primary>rsync</primary>
1924 </indexterm>
1925 Configure the NFS server for your Linux system. So you can complete the steps that
1926 follow, enter into the <filename>/etc/exports</filename> the following entry:
1927 <screen>
1928 /home *(rw,root_squash,sync)
1929 </screen>
1930 This permits the user home directories to be used on the BDC servers for testing
1931 purposes. You, of course, decide what is the best way for your site to distribute
1932 data drives, as well as creating suitable backup and restore procedures for Abmas Inc.
1933 I'd strongly recommend that for normal operation the BDC is completely independent
1934 of the PDC. rsync is a useful tool here as it resembles the NT replication service quite
1935 closely. If you do use NFS, do not forget to start the NFS server as follows:
1936 <screen>
1937 &rootprompt; rcnfsserver start
1938 </screen>
1939 </para></step>
1940 </procedure>
1942 <para>
1943 Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
1944 configuration of the LDAP server.
1945 </para>
1947 <smbconfexample id="sbehap-massive-smbconfa">
1948 <title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part A</title>
1949 <smbconfcomment>Global parameters</smbconfcomment>
1950 <smbconfsection name="[global]"/>
1951 <smbconfoption name="unix charset">LOCALE</smbconfoption>
1952 <smbconfoption name="workgroup">MEGANET2</smbconfoption>
1953 <smbconfoption name="netbios name">MASSIVE</smbconfoption>
1954 <smbconfoption name="interfaces">eth1, lo</smbconfoption>
1955 <smbconfoption name="bind interfaces only">Yes</smbconfoption>
1956 <smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
1957 <smbconfoption name="enable privileges">Yes</smbconfoption>
1958 <smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
1959 <smbconfoption name="log level">1</smbconfoption>
1960 <smbconfoption name="syslog">0</smbconfoption>
1961 <smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
1962 <smbconfoption name="max log size">50</smbconfoption>
1963 <smbconfoption name="smb ports">139 445</smbconfoption>
1964 <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
1965 <smbconfoption name="time server">Yes</smbconfoption>
1966 <smbconfoption name="printcap name">CUPS</smbconfoption>
1967 <smbconfoption name="show add printer wizard">No</smbconfoption>
1968 <smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption>
1969 <smbconfoption name="delete user script">/opt/IDEALX/sbin/smbldap-userdel "%u"</smbconfoption>
1970 <smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption>
1971 <smbconfoption name="delete group script">/opt/IDEALX/sbin/smbldap-groupdel "%g"</smbconfoption>
1972 <smbconfoption name="add user to group script">/opt/IDEALX/sbin/</smbconfoption>
1973 <member><parameter>smbldap-groupmod -m "%u" "%g"</parameter></member>
1974 <smbconfoption name="delete user from group script">/opt/IDEALX/sbin/</smbconfoption>
1975 <member><parameter>smbldap-groupmod -x "%u" "%g"</parameter></member>
1976 <smbconfoption name="set primary group script">/opt/IDEALX/sbin/</smbconfoption>
1977 <member><parameter>smbldap-usermod -g "%g" "%u"</parameter></member>
1978 <smbconfoption name="add machine script">/opt/IDEALX/sbin/smbldap-useradd -w "%u"</smbconfoption>
1979 </smbconfexample>
1981 <smbconfexample id="sbehap-massive-smbconfb">
1982 <title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title>
1983 <smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
1984 <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
1985 <smbconfoption name="logon drive">X:</smbconfoption>
1986 <smbconfoption name="domain logons">Yes</smbconfoption>
1987 <smbconfoption name="preferred master">Yes</smbconfoption>
1988 <smbconfoption name="wins support">Yes</smbconfoption>
1989 <smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
1990 <smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
1991 <smbconfoption name="ldap user suffix">ou=People</smbconfoption>
1992 <smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
1993 <smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
1994 <smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
1995 <smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
1996 <smbconfoption name="idmap uid">10000-20000</smbconfoption>
1997 <smbconfoption name="idmap gid">10000-20000</smbconfoption>
1998 <smbconfoption name="map acl inherit">Yes</smbconfoption>
1999 <smbconfoption name="printing">cups</smbconfoption>
2000 <smbconfoption name="printer admin">root, chrisr</smbconfoption>
2001 </smbconfexample>
2003 </sect2>
2006 <sect2 id="sbeidealx">
2007 <title>Install and Configure Idealx smbldap-tools Scripts</title>
2009 <para><indexterm>
2010 <primary>Idealx</primary>
2011 <secondary>smbldap-tools</secondary>
2012 </indexterm>
2013 The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
2014 on the LDAP server. You have chosen the Idealx scripts since they are the best known
2015 LDAP configuration scripts. The use of these scripts will help avoid the necessity
2016 to create custom scripts. It is easy to download them from the Idealx
2017 <ulink url="http://samba.idealx.org/index.en.html">Web Site.</ulink> The tarball may
2018 be directly <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.8.8.tgz">downloaded</ulink>
2019 for this site, also. Alternately, you may obtain the
2020 <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.8.8-3.src.rpm">smbldap-tools-0.8.8-3.src.rpm</ulink>
2021 file that may be used to build an installable RPM package for your Linux system.
2022 </para>
2024 <note><para>
2025 The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must
2026 change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</constant>).
2027 </para></note>
2029 <para>
2030 The smbldap-tools are located in <filename>/opt/IDEALX/sbin</filename>.
2031 The scripts are not needed on BDC machines because all LDAP updates are handled by
2032 the PDC alone.
2033 </para>
2035 <sect3>
2036 <title>Installation of smbldap-tools from the tarball</title>
2038 <para>
2039 To perform a manual installation of the smbldap-tools scripts the following procedure may be used:
2040 </para>
2042 <procedure id="idealxscript">
2043 <step><para>
2044 Create the <filename>/opt/IDEALX/sbin</filename> directory, and set its permissions
2045 and ownership as shown here:
2046 <screen>
2047 &rootprompt; mkdir -p /opt/IDEALX/sbin
2048 &rootprompt; chown root.root /opt/IDEALX/sbin
2049 &rootprompt; chmod 755 /opt/IDEALX/sbin
2050 &rootprompt; mkdir -p /etc/smbldap-tools
2051 &rootprompt; chown root.root /etc/smbldap-tools
2052 &rootprompt; chmod 755 /etc/smbldap-tools
2053 </screen>
2054 </para></step>
2056 <step><para>
2057 If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
2058 Change into either the directory extracted from the tarball, or else into the smbldap-tools
2059 directory in your <filename>/usr/share/doc/packages</filename> directory tree.
2060 </para></step>
2062 <step><para>
2063 Copy all the <filename>smbldap-*</filename> and the <filename>configure.pl</filename> files into the
2064 <filename>/opt/IDEALX/sbin</filename> directory, as shown here:
2065 <screen>
2066 &rootprompt; cd smbldap-tools-0.8.8/
2067 &rootprompt; cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/
2068 &rootprompt; cp smbldap*conf /etc/smbldap-tools/
2069 &rootprompt; chmod 750 /opt/IDEALX/sbin/smbldap-*
2070 &rootprompt; chmod 750 /opt/IDEALX/sbin/configure.pl
2071 &rootprompt; chmod 640 /etc/smbldap-tools/smbldap.conf
2072 &rootprompt; chmod 600 /etc/smbldap-tools/smbldap_bind.conf
2073 </screen>
2074 </para></step>
2076 <step><para>
2077 The smbldap-tools scripts master control file must now be configured.
2078 Change to the <filename>/opt/IDEALX/sbin</filename> directory, then edit the
2079 <filename>smbldap_tools.pm</filename> to affect the changes
2080 shown here:
2081 <screen>
2082 ...
2083 # ugly funcs using global variables and spawning openldap clients
2085 my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
2086 my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
2087 ...
2088 </screen>
2089 </para></step>
2091 <step><para>
2092 To complete the configuration of the smbldap-tools, set the permissions and ownership
2093 by executing the following commands:
2094 <screen>
2095 &rootprompt; chown root.root /opt/IDEALX/sbin/*
2096 &rootprompt; chmod 755 /opt/IDEALX/sbin/smbldap-*
2097 &rootprompt; chmod 640 /opt/IDEALX/sbin/smb*pm
2098 </screen>
2099 The smbldap-tools scripts are now ready for the configuration step outlined in
2100 <link linkend="smbldap-init">Configuration of smbldap-tools</link>.
2101 </para></step>
2102 </procedure>
2104 </sect3>
2106 <sect3>
2107 <title>Installing smbldap-tools from the RPM Package</title>
2109 <para>
2110 In the event that you have elected to use the RPM package provided by Idealx, download the
2111 source RPM <filename>smbldap-tools-0.8.8-3.src.rpm</filename>, then follow the following procedure:
2112 </para>
2114 <procedure>
2116 <step><para>
2117 Install the source RPM that has been downloaded as follows:
2118 <screen>
2119 &rootprompt; rpm -i smbldap-tools-0.8.8-3.src.rpm
2120 </screen>
2121 </para></step>
2123 <step><para>
2124 Change into the directory in which the SPEC files are located. On SUSE Linux:
2125 <screen>
2126 &rootprompt; cd /usr/src/packages/SPECS
2127 </screen>
2128 On Red Hat Linux systems:
2129 <screen>
2130 &rootprompt; cd /usr/src/redhat/SPECS
2131 </screen>
2132 </para></step>
2134 <step><para>
2135 Edit the <filename>smbldap-tools.spec</filename> file to change the value of the
2136 <constant>_sysconfig</constant> macro as shown here:
2137 <screen>
2138 %define _prefix /opt/IDEALX
2139 %define _sysconfdir /etc
2140 </screen>
2141 Note: Any suitable directory can be specified.
2142 </para></step>
2144 <step><para>
2145 Build the package by executing:
2146 <screen>
2147 &rootprompt; rpmbuild -ba -v smbldap-tools.spec
2148 </screen>
2149 A build process that has completed without error will place the installable binary
2150 files in the directory <filename>../RPMS/noarch</filename>.
2151 </para></step>
2153 <step><para>
2154 Install the binary package by executing:
2155 <screen>
2156 &rootprompt; rpm -Uvh ../RPMS/noarch/smbldap-tools-0.8.8-3.noarch.rpm
2157 </screen>
2158 </para></step>
2160 </procedure>
2162 <para>
2163 The Idealx scripts should now be ready for configuration using the steps outlined in
2164 <link linkend="smbldap-init">Configuration of smbldap-tools</link>.
2165 </para>
2167 </sect3>
2169 <sect3 id="smbldap-init">
2170 <title>Configuration of smbldap-tools</title>
2172 <para>
2173 Prior to use the smbldap-tools must be configured to match the settings in the &smb.conf; file
2174 and to match the settings in the <filename>/etc/openldap/slapd.conf</filename> file. The assumption
2175 is made that the &smb.conf; file has correct contents. The following procedure will ensure that
2176 this is completed correctly:
2177 </para>
2179 <para>
2180 The smbldap-tools require that the netbios name (machine name) of the Samba server be included
2181 in the &smb.conf; file.
2182 </para>
2184 <procedure>
2186 <step><para>
2187 Change into the directory that contains the <filename>configure.pl</filename> script.
2188 <screen>
2189 &rootprompt; cd /opt/IDEALX/sbin
2190 </screen>
2191 </para></step>
2193 <step><para>
2194 Execute the <filename>configure.pl</filename> script as follows:
2195 <screen>
2196 &rootprompt; ./configure.pl
2197 </screen>
2198 The interactive use of this script for the PDC is demonstrated here:
2199 <screen>
2200 Unrecognized escape \p passed through at ./configure.pl line 194.
2201 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
2202 smbldap-tools script configuration
2203 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
2204 Before starting, check
2205 . if your samba controller is up and running.
2206 . if the domain SID is defined (you can get it with the 'net getlocalsid')
2208 . you can leave the configuration using the Crtl-c key combination
2209 . empty value can be set with the "." caracter
2210 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
2211 Looking for configuration files...
2213 Samba Config File Location [/etc/samba/smb.conf] >
2214 smbldap Config file Location (global parameters)
2215 [/etc/smbldap-tools/smbldap.conf] >
2216 smbldap Config file Location (bind parameters)
2217 [/etc/smbldap-tools/smbldap_bind.conf] >
2218 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
2219 Let's start configuring the smbldap-tools scripts ...
2221 . workgroup name: name of the domain Samba act as a PDC
2222 workgroup name [MEGANET2] >
2223 . netbios name: netbios name of the samba controler
2224 netbios name [MASSIVE] >
2225 . logon drive: local path to which the home directory
2226 will be connected (for NT Workstations). Ex: 'H:'
2227 logon drive [X:] >
2228 . logon home: home directory location (for Win95/98 or NT Workstation).
2229 (use %U as username) Ex:'\\MASSIVE\home\%U'
2230 logon home (leave blank if you don't want homeDirectory)
2231 [\\MASSIVE\home\%U] > \\MASSIVE\%U
2232 . logon path: directory where roaming profiles are stored.
2233 Ex:'\\MASSIVE\profiles\%U'
2234 logon path (leave blank if you don't want roaming profile)
2235 [\\MASSIVE\profiles\%U] >
2236 . home directory prefix (use %U as username)
2237 [/home/%U] > /home/users/%U
2238 . default user netlogon script (use %U as username)
2239 [%U.cmd] > scripts\login.cmd
2240 default password validation time (time in days) [45] > 0
2241 . ldap suffix [dc=abmas,dc=biz] >
2242 . ldap group suffix [ou=Groups] >
2243 . ldap user suffix [ou=People] >
2244 . ldap machine suffix [ou=People] >
2245 . Idmap suffix [ou=Idmap] >
2246 . sambaUnixIdPooldn: object where you want to store the next uidNumber
2247 and gidNumber available for new users and groups
2248 sambaUnixIdPooldn object (relative to ${suffix})
2249 [cn=NextFreeUnixId] > sambaDomainName=MEGANET2
2250 . ldap master server: IP adress or DNS name
2251 of the master (writable) ldap server
2252 Use of uninitialized value in scalar chomp at ./configure.pl
2253 line 138, <STDIN> line 17.
2254 Use of uninitialized value in hash element at ./configure.pl
2255 line 140, <STDIN> line 17.
2256 Use of uninitialized value in concatenation (.) or string at
2257 ./configure.pl line 144, <STDIN> line 17.
2258 Use of uninitialized value in string at ./configure.pl
2259 line 145, <STDIN> line 17.
2260 ldap master server [] > 127.0.0.1
2261 . ldap master port [389] >
2262 . ldap master bind dn [cn=Manager,dc=abmas,dc=biz] >
2263 . ldap master bind password [] >
2264 . ldap slave server: IP adress or DNS name of the slave
2265 ldap server: can also be the master one
2266 Use of uninitialized value in scalar chomp at ./configure.pl
2267 line 138, <STDIN> line 21.
2268 Use of uninitialized value in hash element at ./configure.pl
2269 line 140, <STDIN> line 21.
2270 Use of uninitialized value in concatenation (.) or string at
2271 ./configure.pl line 144, <STDIN> line 21.
2272 Use of uninitialized value in string at ./configure.pl line 145,
2273 <STDIN> line 21.
2274 ldap slave server [] > 127.0.0.1
2275 . ldap slave port [389] >
2276 . ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] >
2277 . ldap slave bind password [] >
2278 . ldap tls support (1/0) [0] >
2279 . SID for domain MEGANET2: SID of the domain
2280 (can be obtained with 'net getlocalsid MASSIVE')
2281 SID for domain MEGANET2
2282 [S-1-5-21-3504140859-1010554828-2431957765] >
2283 . unix password encryption: encryption used for unix passwords
2284 unix password encryption
2285 (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
2286 . default user gidNumber [513] >
2287 . default computer gidNumber [515] >
2288 . default login shell [/bin/bash] >
2289 . default domain name to append to mail adress [] > abmas.biz
2290 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
2291 backup old configuration files:
2292 /etc/smbldap-tools/smbldap.conf->
2293 etc/smbldap-tools/smbldap.conf.old
2294 /etc/smbldap-tools/smbldap_bind.conf->
2295 etc/smbldap-tools/smbldap_bind.conf.old
2296 writing new configuration file:
2297 /etc/smbldap-tools/smbldap.conf done.
2298 /etc/smbldap-tools/smbldap_bind.conf done.
2299 </screen>
2300 Since a slave LDAP server has not been configured it is necessary to specify the IP
2301 address of the master LDAP server for both the master and the slave configuration
2302 prompts.
2303 </para></step>
2305 <step><para>
2306 Change to the directory that contains the <filename>smbldap.conf</filename> file
2307 then verify its contents.
2308 </para></step>
2310 </procedure>
2312 <para>
2313 The smbldap-tools are now ready for use.
2314 </para>
2316 </sect3>
2318 </sect2>
2320 <sect2>
2321 <title>LDAP Initialization and Creation of User and Group Accounts</title>
2323 <para>
2324 The LDAP database must be populated with well-known Windows Domain user accounts and Domain Group
2325 accounts before Samba can be used. The following procedures step you through the process.
2326 </para>
2328 <para>
2329 At this time, Samba-3 requires that on a PDC all UNIX (Posix) group accounts that are
2330 mapped (linked) to Windows Domain Group accounts must be in the LDAP database. It does not
2331 hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
2332 database. From a UNIX system perspective, the NSS resolver checks system files before
2333 referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
2334 does not need to ask LDAP.
2335 </para>
2337 <para>
2338 Addition of an account to the LDAP backend can be done in a number of ways:
2339 </para>
2341 <blockquote><para><indexterm>
2342 <primary>NIS</primary>
2343 </indexterm><indexterm>
2344 <primary>/etc/passwd</primary>
2345 </indexterm><indexterm>
2346 <primary>Posix accounts</primary>
2347 </indexterm><indexterm>
2348 <primary>pdbedit</primary>
2349 </indexterm><indexterm>
2350 <primary>SambaSamAccount</primary>
2351 </indexterm><indexterm>
2352 <primary>PosixAccount</primary>
2353 </indexterm>
2354 If you always have a user account in the <filename>/etc/passwd</filename> on every
2355 server or in a NIS(+) backend, it is not necessary to add Posix accounts for them in
2356 LDAP. In this case, you can add Windows Domain user accounts using the
2357 <command>pdbedit</command> utility. Use of this tool from the command line adds the
2358 SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
2359 </para>
2361 <para>
2362 If you decide that it is probably a good idea to add both the PosixAccount attributes
2363 as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
2364 In the example system you are installing in this exercise, you are making use of the
2365 Idealx smbldap-tools scripts. A copy of these tools, pre-configured for this system,
2366 is included on the enclosed CD-ROM under <filename>Chap06/Tools.</filename>
2367 </para></blockquote>
2369 <para><indexterm>
2370 <primary>Idealx</primary>
2371 <secondary>smbldap-tools</secondary>
2372 </indexterm>
2373 If you wish to have more control over how the LDAP database is initialized or
2374 want not to use the Idealx smbldap-tools, you should refer to <link
2375 linkend="altldapcfg"/>.
2376 </para>
2378 <para><indexterm>
2379 <primary>smbldap-populate</primary>
2380 </indexterm>
2381 The following steps initialize the LDAP database, and then you can add user and group
2382 accounts that Samba can use. You use the <command>smbldap-populate</command> to
2383 seed the LDAP database. You then manually add the accounts shown in <link linkend="sbehap-bigacct"/>.
2384 The list of users does not cover all 500 network users; it provides examples only.
2385 </para>
2387 <note><para><indexterm>
2388 <primary>LDAP</primary>
2389 <secondary>database</secondary>
2390 </indexterm><indexterm>
2391 <primary>directory</primary>
2392 <secondary>People container</secondary>
2393 </indexterm><indexterm>
2394 <primary>directory</primary>
2395 <secondary>Computers container</secondary>
2396 </indexterm>
2397 In the following examples, as the LDAP database is initialized, we do create a container
2398 for Computer (machine) accounts. In the Samba-3 &smb.conf; files, specific use is made
2399 of the People container, not the Computers container, for domain member accounts. This is not a
2400 mistake; it is a deliberate action that is necessitated by the fact that the resolution of
2401 a machine (computer) account to a UID is done via NSS. The only way this can be handled is
2402 using the NSS (<filename>/etc/nsswitch.conf</filename>) entry for <constant>passwd</constant>
2403 which is resolved using the <filename>nss_ldap</filename> library. The configuration file for
2404 the <filename>nss_ldap</filename> library is the file <filename>/etc/ldap.conf</filename> that
2405 provides only one possible LDAP search command that is specified by the entry called
2406 <constant>nss_base_passwd</constant>. This means that the search path must take into account
2407 the directory structure so that the LDAP search will commence at a level that is above
2408 both the Computers container and the Users (or People) container. If this is done, it is
2409 necessary to use a search that will descend the directory tree so that the machine account
2410 can be found. Alternately, by placing all machine accounts in the People container, we
2411 are able to side-step this limitation. This is the simpler solution that has been adopted
2412 in this chapter.
2413 </para></note>
2416 <table id="sbehap-bigacct">
2417 <title>Abmas Network Users and Groups</title>
2418 <tgroup cols="4">
2419 <colspec align="left"/>
2420 <colspec align="left"/>
2421 <colspec align="left"/>
2422 <colspec align="left"/>
2423 <thead>
2424 <row>
2425 <entry align="center">Account Name</entry>
2426 <entry align="center">Type</entry>
2427 <entry align="center">ID</entry>
2428 <entry align="center">Password</entry>
2429 </row>
2430 </thead>
2431 <tbody>
2432 <row>
2433 <entry>Robert Jordan</entry>
2434 <entry>User</entry>
2435 <entry>bobj</entry>
2436 <entry>n3v3r2l8</entry>
2437 </row>
2438 <row>
2439 <entry>Stanley Soroka</entry>
2440 <entry>User</entry>
2441 <entry>stans</entry>
2442 <entry>impl13dst4r</entry>
2443 </row>
2444 <row>
2445 <entry>Christine Roberson</entry>
2446 <entry>User</entry>
2447 <entry>chrisr</entry>
2448 <entry>S9n0nw4ll</entry>
2449 </row>
2450 <row>
2451 <entry>Mary Vortexis</entry>
2452 <entry>User</entry>
2453 <entry>maryv</entry>
2454 <entry>kw13t0n3</entry>
2455 </row>
2456 <row>
2457 <entry>Accounts</entry>
2458 <entry>Group</entry>
2459 <entry>Accounts</entry>
2460 <entry></entry>
2461 </row>
2462 <row>
2463 <entry>Finances</entry>
2464 <entry>Group</entry>
2465 <entry>Finances</entry>
2466 <entry></entry>
2467 </row>
2468 <row>
2469 <entry>Insurance</entry>
2470 <entry>Group</entry>
2471 <entry>PIOps</entry>
2472 <entry></entry>
2473 </row>
2474 </tbody>
2475 </tgroup>
2476 </table>
2478 <procedure id="creatacc">
2479 <step><para>
2480 Start the LDAP server by executing:
2481 <screen>
2482 &rootprompt; rcldap start
2483 Starting ldap-server done
2484 </screen>
2485 </para></step>
2487 <step><para>
2488 Change to the <filename>/opt/IDEALX/sbin</filename> directory.
2489 </para></step>
2491 <step><para>
2492 Execute the script that will populate the LDAP database as shown here:
2493 <screen>
2494 &rootprompt; ./smbldap-populate -a root -k 0
2495 </screen>
2496 The expected output from this is:
2497 <screen>
2498 Using workgroup name from smb.conf: sambaDomainName=MEGANET2
2499 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
2500 => Warning: you must update smbldap.conf configuration file to :
2501 => sambaUnixIdPooldn parameter must be set
2502 to "sambaDomainName=MEGANET2,dc=abmas,dc=biz"
2503 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
2504 Using builtin directory structure
2505 adding new entry: dc=abmas,dc=biz
2506 adding new entry: ou=People,dc=abmas,dc=biz
2507 adding new entry: ou=Groups,dc=abmas,dc=biz
2508 entry ou=People,dc=abmas,dc=biz already exist.
2509 adding new entry: ou=Idmap,dc=abmas,dc=biz
2510 adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz
2511 adding new entry: uid=root,ou=People,dc=abmas,dc=biz
2512 adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
2513 adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
2514 adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
2515 adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
2516 adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
2517 adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
2518 adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
2519 adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
2520 adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
2521 </screen>
2522 </para></step>
2524 <step><para>
2525 Edit the <filename>/etc/smbldap-tools/smbldap.conf</filename> file so that the following
2526 information is changed from:
2527 <screen>
2528 # Where to store next uidNumber and gidNumber available
2529 sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
2530 </screen>
2531 to read, after modification:
2532 <screen>
2533 # Where to store next uidNumber and gidNumber available
2534 #sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
2535 sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
2536 </screen>
2537 </para></step>
2539 <step><para>
2540 It is necessary to restart the LDAP server as shown here:
2541 <screen>
2542 &rootprompt; rcldap restart
2543 Shutting down ldap-server done
2544 Starting ldap-server done
2545 </screen>
2546 </para></step>
2548 <step><para><indexterm>
2549 <primary>slapcat</primary>
2550 </indexterm>
2551 So that we can use a global IDMAP repository the LDAP directory must have a container object for IDMAP data.
2552 There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
2553 the simplest is to execute:
2554 <screen>
2555 &rootprompt; slapcat | grep -i idmap
2556 dn: ou=Idmap,dc=abmas,dc=biz
2557 ou: idmap
2558 </screen>
2559 <indexterm>
2560 <primary>ldapadd</primary>
2561 </indexterm>
2562 If the execution of this command does not return IDMAP entries, you need to create an LDIF
2563 template file (see <link linkend="sbehap-ldifadd"/>). You can add the required entries using
2564 the following command:
2565 <screen>
2566 &rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
2567 -w not24get < /etc/openldap/idmap.LDIF
2568 </screen>
2569 Samba automatically populates this LDAP directory container when it needs to.
2570 </para></step>
2572 <step><para><indexterm>
2573 <primary>slapcat</primary>
2574 </indexterm>
2575 It looks like all has gone well, as expected. Let's confirm that this is the case
2576 by running a few tests. First we check the contents of the database directly
2577 by running <command>slapcat</command> as follows (the output has been cut down):
2578 <screen>
2579 &rootprompt; slapcat
2580 dn: dc=abmas,dc=biz
2581 objectClass: dcObject
2582 objectClass: organization
2583 dc: abmas
2584 o: abmas
2585 structuralObjectClass: organization
2586 entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
2587 creatorsName: cn=Manager,dc=abmas,dc=biz
2588 createTimestamp: 20031217234200Z
2589 entryCSN: 2003121723:42:00Z#0x0001#0#0000
2590 modifiersName: cn=Manager,dc=abmas,dc=biz
2591 modifyTimestamp: 20031217234200Z
2592 ...
2593 dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
2594 objectClass: posixGroup
2595 objectClass: sambaGroupMapping
2596 gidNumber: 553
2597 cn: Domain Computers
2598 description: Netbios Domain Computers accounts
2599 sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
2600 sambaGroupType: 2
2601 displayName: Domain Computers
2602 structuralObjectClass: posixGroup
2603 entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
2604 creatorsName: cn=Manager,dc=abmas,dc=biz
2605 createTimestamp: 20031217234206Z
2606 entryCSN: 2003121723:42:06Z#0x0002#0#0000
2607 modifiersName: cn=Manager,dc=abmas,dc=biz
2608 modifyTimestamp: 20031217234206Z
2609 </screen>
2610 This looks good so far.
2611 </para></step>
2613 <step><para><indexterm>
2614 <primary>ldapsearch</primary>
2615 </indexterm>
2616 The next step is to prove that the LDAP server is running and responds to a
2617 search request. Execute the following as shown (output has been cut to save space):
2618 <screen>
2619 &rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
2620 # extended LDIF
2621 #
2622 # LDAPv3
2623 # base <dc=abmas,dc=biz> with scope sub
2624 # filter: (ObjectClass=*)
2625 # requesting: ALL
2626 #
2628 # abmas.biz
2629 dn: dc=abmas,dc=biz
2630 objectClass: dcObject
2631 objectClass: organization
2632 dc: abmas
2633 o: abmas
2635 # People, abmas.biz
2636 dn: ou=People,dc=abmas,dc=biz
2637 objectClass: organizationalUnit
2638 ou: People
2639 ...
2640 # Domain Computers, Groups, abmas.biz
2641 dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
2642 objectClass: posixGroup
2643 objectClass: sambaGroupMapping
2644 gidNumber: 553
2645 cn: Domain Computers
2646 description: Netbios Domain Computers accounts
2647 sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
2648 sambaGroupType: 2
2649 displayName: Domain Computers
2651 # search result
2652 search: 2
2653 result: 0 Success
2655 # numResponses: 20
2656 # numEntries: 19
2657 </screen>
2658 Good. It is all working just fine.
2659 </para></step>
2661 <step><para><indexterm>
2662 <primary>getent</primary>
2663 </indexterm>
2664 You must now make certain that the NSS resolver can interrogate LDAP also.
2665 Execute the following commands:
2666 <screen>
2667 &rootprompt; getent passwd | grep root
2668 root:x:998:512:Netbios Domain Administrator:/home:/bin/false
2670 &rootprompt; getent group | grep Domain
2671 Domain Admins:x:512:root
2672 Domain Users:x:513:
2673 Domain Guests:x:514:
2674 Domain Computers:x:553:
2675 </screen><indexterm>
2676 <primary>nss_ldap</primary>
2677 </indexterm>
2678 This demonstrates that the <command>nss_ldap</command> library is functioning
2679 as it should. If these two steps fail to produce this information refer to
2680 <link linkend="sbeavoid"/> for diagnostic procedures that can be followed to
2681 isolate the cause of the problem. Procede to the next step only when the steps
2682 above have been successfully completed.
2683 </para></step>
2685 <step><para><indexterm>
2686 <primary>smbldap-useradd</primary>
2687 </indexterm><indexterm>
2688 <primary>smbldap-passwd</primary>
2689 </indexterm><indexterm>
2690 <primary>smbpasswd</primary>
2691 </indexterm>
2692 Our database is now ready for the addition of network users. For each user for
2693 whom an account must be created, execute the following:
2694 <screen>
2695 &rootprompt; ./smbldap-useradd -m -a <constant>username</constant>
2696 &rootprompt; ./smbldap-passwd <constant>username</constant>
2697 Changing password for <constant>username</constant>
2698 New password : XXXXXXXX
2699 Retype new password : XXXXXXXX
2701 &rootprompt; smbpasswd <constant>username</constant>
2702 New SMB password: XXXXXXXX
2703 Retype new SMB password: XXXXXXXX
2704 </screen>
2705 Where <constant>username</constant> is the login ID for each user.
2706 </para></step>
2708 <step><para><indexterm>
2709 <primary>getent</primary>
2710 </indexterm>
2711 Now verify that the UNIX (Posix) accounts can be resolved via NSS by executing the
2712 following:
2713 <screen>
2714 &rootprompt; getent passwd
2715 root:x:0:0:root:/root:/bin/bash
2716 bin:x:1:1:bin:/bin:/bin/bash
2717 ...
2718 root:x:0:512:Netbios Domain Administrator:/home:/bin/false
2719 nobody:x:999:514:nobody:/dev/null:/bin/false
2720 bobj:x:1000:513:System User:/home/bobj:/bin/bash
2721 stans:x:1001:513:System User:/home/stans:/bin/bash
2722 chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
2723 maryv:x:1003:513:System User:/home/maryv:/bin/bash
2724 </screen>
2725 This demonstates that user account resolution via LDAP is working.
2726 </para></step>
2728 <step><para>
2729 This step will determin
2730 <screen>
2731 &rootprompt; id chrisr
2732 uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
2733 </screen>
2734 This confirms that the UNIX (Posix) user account information can be resolved from LDAP
2735 by system tools that make a getentpw() system call.
2736 </para></step>
2738 <step><para><indexterm>
2739 <primary>smbldap-usermod</primary>
2740 </indexterm>
2741 The 'root' account must have UID=0, if not this means that operations conducted from
2742 a Windows client using tools such as the Domain User Manager fails under UNIX because
2743 the management of user and group accounts requires that the UID=0. Additionally, it is
2744 a good idea to make certain that no matter how 'root' account credentials are resolved
2745 that the home directory and shell are valid. You decide to effect this immediately
2746 as demonstrated here:
2747 <screen>
2748 &rootprompt; cd /opt/IDEALX/sbin
2749 &rootprompt; ./smbldap-usermod -u 0 -d /root -s /bin/bash root
2750 </screen>
2751 </para></step>
2753 <step><para>
2754 Verify that the changes just made to the <constant>root</constant> account were
2755 accepted by executing:
2756 <screen>
2757 &rootprompt; getent passwd | grep root
2758 root:x:0:0:root:/root:/bin/bash
2759 root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
2760 </screen>
2761 This demonstrates that the changes were accepted.
2762 </para></step>
2764 <step><para>
2765 Make certain that a home directory has been created for every user by listing the
2766 directories in <filename>/home</filename> as follows:
2767 <screen>
2768 &rootprompt; ls -al /home
2769 drwxr-xr-x 8 root root 176 Dec 17 18:50 ./
2770 drwxr-xr-x 21 root root 560 Dec 15 22:19 ../
2771 drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/
2772 drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/
2773 drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/
2774 drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
2775 </screen>
2776 This is precisely what we want to see.
2777 </para></step>
2779 <step><para><indexterm>
2780 <primary>ldapsam</primary>
2781 </indexterm><indexterm>
2782 <primary>pdbedit</primary>
2783 </indexterm>
2784 The final validation step involves making certain that Samba-3 can obtain the user
2785 accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
2786 <screen>
2787 &rootprompt; pdbedit -Lv chrisr
2788 Unix username: chrisr
2789 NT username: chrisr
2790 Account Flags: [U ]
2791 User SID: S-1-5-21-3504140859-1010554828-2431957765-3004
2792 Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513
2793 Full Name: System User
2794 Home Directory: \\MASSIVE\homes
2795 HomeDir Drive: H:
2796 Logon Script: scripts\login.cmd
2797 Profile Path: \\MASSIVE\profiles\chrisr
2798 Domain: MEGANET2
2799 Account desc: System User
2800 Workstations:
2801 Munged dial:
2802 Logon time: 0
2803 Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
2804 Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
2805 Password last set: Wed, 17 Dec 2003 17:17:40 GMT
2806 Password can change: Wed, 17 Dec 2003 17:17:40 GMT
2807 Password must change: Mon, 18 Jan 2038 20:14:07 GMT
2808 Last bad password : 0
2809 Bad password count : 0
2810 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
2811 </screen>
2812 This looks good. Of course, you fully expected that it would all work, didn't you?
2813 </para></step>
2815 <step><para><indexterm>
2816 <primary>smbldap-groupadd</primary>
2817 </indexterm>
2818 Now you add the group accounts that are used on the Abmas network. Execute
2819 the following exactly as shown:
2820 <screen>
2821 &rootprompt; ./smbldap-groupadd -a Accounts
2822 &rootprompt; ./smbldap-groupadd -a Finances
2823 &rootprompt; ./smbldap-groupadd -a PIOps
2824 </screen>
2825 The addition of groups does not involve keyboard interaction, so the lack of console
2826 output is of no concern.
2827 </para></step>
2829 <step><para><indexterm>
2830 <primary>getent</primary>
2831 </indexterm>
2832 You really do want to confirm that UNIX group resolution from LDAP is functioning
2833 as it should. Let's do this as shown here:
2834 <screen>
2835 &rootprompt; getent group
2836 ...
2837 Domain Admins:x:512:root
2838 Domain Users:x:513:bobj,stans,chrisr,maryv
2839 Domain Guests:x:514:
2840 ...
2841 Accounts:x:1000:
2842 Finances:x:1001:
2843 PIOps:x:1002:
2844 </screen>
2845 The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
2846 as our own site-specific group accounts, are correctly listed. This is looking good.
2847 </para></step>
2849 <step><para><indexterm>
2850 <primary>net</primary>
2851 <secondary>groupmap</secondary>
2852 <tertiary>list</tertiary>
2853 </indexterm>
2854 The final step we need to validate is that Samba can see all the Windows Domain Groups
2855 and that they are correctly mapped to the respective UNIX group account. To do this,
2856 just execute the following command:
2857 <screen>
2858 &rootprompt; net groupmap list
2859 Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
2860 Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
2861 Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
2862 ...
2863 Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
2864 Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
2865 PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
2866 </screen>
2867 This is looking good. Congratulations &smbmdash; it works! Note that in the above output
2868 the lines where shortened by replacing the middle value (1010554828) of the SID with the
2869 elipsis (...).
2870 </para></step>
2872 <step><para>
2873 The server you have so carefully built is now ready for another important step. You
2874 start the Samba-3 server and validate its operation. Execute the following to render all
2875 the processes needed fully operative so that, on system reboot, they are automatically
2876 started:
2877 <screen>
2878 &rootprompt; chkconfig named on
2879 &rootprompt; chkconfig dhcpd on
2880 &rootprompt; chkconfig ldap on
2881 &rootprompt; chkconfig nmb on
2882 &rootprompt; chkconfig smb on
2883 &rootprompt; chkconfig winbind on
2884 &rootprompt; rcnmb start
2885 &rootprompt; rcsmb start
2886 &rootprompt; rcwinbind start
2887 </screen>
2888 </para></step>
2890 <step><para>
2891 The next step might seem a little odd at this point, but take note that you are about to
2892 start <command>winbindd</command> which must be able to authenticate to the PDC via the
2893 localhost interface with the <command>smbd</command> process. This account can be
2894 easily created by joining the PDC to the Domain by executing the following command:
2895 <screen>
2896 &rootprompt; net rpc join -S MASSIVE -U root%not24get
2897 </screen>
2898 Note: Before executing this command on the PDC both <command>nmbd</command> and
2899 <command>smbd</command> must be started so that the <command>net</command> command
2900 can communicate with <command>smbd</command>. The expected output is:
2901 <screen>
2902 Joined domain MEGANET2.
2903 </screen>
2904 This indicates that the Domain security account for the PDC has been correctly created.
2905 </para></step>
2907 <step><para>
2908 At this time it is necessary to restart <command>winbindd</command> so that it can
2909 correctly authenticate to the PDC. The following command achieves that:
2910 <screen>
2911 &rootprompt; rcwinbind restart
2912 </screen>
2913 </para></step>
2915 <step><para><indexterm>
2916 <primary>smbclient</primary>
2917 </indexterm>
2918 You may now check Samba-3 operation as follows:
2919 <screen>
2920 &rootprompt; smbclient -L massive -U%
2922 Sharename Type Comment
2923 --------- ---- -------
2924 IPC$ IPC IPC Service (Samba 3.0.1)
2925 accounts Disk Accounting Files
2926 service Disk Financial Services Files
2927 pidata Disk Property Insurance Files
2928 apps Disk Application Files
2929 netlogon Disk Network Logon Service
2930 profiles Disk Profile Share
2931 profdata Disk Profile Data Share
2932 ADMIN$ IPC IPC Service (Samba 3.0.1)
2934 Server Comment
2935 --------- -------
2936 MASSIVE Samba 3.0.1
2938 Workgroup Master
2939 --------- -------
2940 MEGANET2 MASSIVE
2941 </screen>
2942 This shows that an anonymous connection is working.
2943 </para></step>
2945 <step><para>
2946 For your finale, let's try an authenticated connection. Follow this as shown:
2947 <screen>
2948 &rootprompt; smbclient //massive/bobj -Ubobj%n3v3r2l8
2949 smb: \> dir
2950 . D 0 Wed Dec 17 01:16:19 2003
2951 .. D 0 Wed Dec 17 19:04:42 2003
2952 bin D 0 Tue Sep 2 04:00:57 2003
2953 Documents D 0 Sun Nov 30 07:28:20 2003
2954 public_html D 0 Sun Nov 30 07:28:20 2003
2955 .urlview H 311 Fri Jul 7 06:55:35 2000
2956 .dvipsrc H 208 Fri Nov 17 11:22:02 1995
2958 57681 blocks of size 524288. 57128 blocks available
2959 smb: \> q
2960 </screen>
2961 Well done. All is working fine.
2962 </para></step>
2963 </procedure>
2965 <para>
2966 The server <constant>MASSIVE</constant> is now configured, and it is time to move onto the next task.
2967 </para>
2969 </sect2>
2971 <sect2 id="sbehap-ptrcfg">
2972 <title>Printer Configuration</title>
2974 <para><indexterm>
2975 <primary>CUPS</primary>
2976 </indexterm>
2977 The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
2978 taken care of in the &smb.conf; file. The only preparation needed for
2979 <constant>smart</constant>
2980 printing to be possible involves creation of the directories in which Samba-3 stores
2981 Windows printing driver files.
2982 </para>
2984 <procedure>
2986 <step><para>
2987 Configure all network attached printers to have a fixed IP address.
2988 </para></step>
2990 <step><para>
2991 Create an entry in the DNS database on the server <constant>MASSIVE</constant>
2992 in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
2993 and in the reverse lookup database for the network segment that the printer is to
2994 be located in. Example configuration files for similar zones were presented in
2995 <link linkend="abmasbiz"/> and in <link linkend="eth2zone"/>.
2996 </para></step>
2998 <step><para>
2999 Follow the instructions in the printer manufacturers' manuals to permit printing
3000 to port 9100. Use any other port the manufacturer specifies for direct mode,
3001 raw printing. This allows the CUPS spooler to print using raw mode protocols.
3002 <indexterm><primary>CUPS</primary></indexterm>
3003 <indexterm><primary>raw printing</primary></indexterm>
3004 </para></step>
3006 <step><para><indexterm>
3007 <primary>lpadmin</primary>
3008 </indexterm>
3009 <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
3010 Only on the server to which the printer is attached, configure the CUPS Print
3011 Queues as follows:
3012 <screen>
3013 &rootprompt; lpadmin -p <parameter>printque</parameter>
3014 -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
3015 </screen>
3016 <indexterm><primary>print filter</primary></indexterm>
3017 This step creates the necessary print queue to use no assigned print filter. This
3018 is ideal for raw printing, i.e., printing without use of filters.
3019 The name <parameter>printque</parameter> is the name you have assigned for
3020 the particular printer.
3021 </para></step>
3023 <step><para>
3024 Print queues may not be enabled at creation. Make certain that the queues
3025 you have just created are enabled by executing the following:
3026 <screen>
3027 &rootprompt; /usr/bin/enable <parameter>printque</parameter>
3028 </screen>
3029 </para></step>
3031 <step><para>
3032 Even though your print queue may be enabled, it is still possible that it
3033 may not accept print jobs. A print queue will service incoming printing
3034 requests only when configured to do so. Ensure that your print queue is
3035 set to accept incoming jobs by executing the following commands:
3036 <screen>
3037 &rootprompt; /usr/bin/accept <parameter>printque</parameter>
3038 </screen>
3039 </para></step>
3041 <step><para>
3042 <indexterm><primary>mime type</primary></indexterm>
3043 <indexterm><primary>/etc/mime.convs</primary></indexterm>
3044 <indexterm><primary>application/octet-stream</primary></indexterm>
3045 Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
3046 <screen>
3047 application/octet-stream application/vnd.cups-raw 0 -
3048 </screen>
3049 </para></step>
3051 <step><para>
3052 <indexterm><primary>/etc/mime.types</primary></indexterm>
3053 Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
3054 <screen>
3055 application/octet-stream
3056 </screen>
3057 </para></step>
3059 <step><para>
3060 Refer to the CUPS printing manual for instructions regarding how to configure
3061 CUPS so that print queues that reside on CUPS servers on remote networks
3062 route print jobs to the print server that owns that queue. The default setting
3063 on your CUPS server may automatically discover remotely installed printers and
3064 may permit this functionality without requiring specific configuration.
3065 </para></step>
3067 <step><para>
3068 The following action creates the necessary directory sub-system. Follow these
3069 steps to printing heaven:
3070 <screen>
3071 &rootprompt; mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
3072 &rootprompt; chown -R root.root /var/lib/samba/drivers
3073 &rootprompt; chmod -R ug=rwx,o=rx /var/lib/samba/drivers
3074 </screen>
3075 </para></step>
3077 </procedure>
3079 </sect2>
3081 </sect1>
3083 <sect1 id="sbehap-bldg1">
3084 <title>Samba-3 BDC Configuration</title>
3086 <procedure>
3087 <title>Configuration of BDC Called: <constant>BLDG1</constant></title>
3088 <step><para>
3089 Install the files in <link linkend="sbehap-bldg1-smbconf"/>,
3090 <link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
3091 into the <filename>/etc/samba/</filename> directory. The three files
3092 should be added together to form the &smb.conf; file.
3093 </para></step>
3095 <step><para>
3096 Verify the &smb.conf; file as in step 2 of <link
3097 linkend="sbehap-massive"/>.
3098 </para></step>
3100 <step><para>
3101 Carefully follow the steps outlined in <link linkend="sbehap-PAM-NSS"/>, taking
3102 particular note to install the correct <filename>ldap.conf</filename>.
3103 </para></step>
3105 <step><para>
3106 Verify that the NSS resolver is working. You may need to cycle the run level
3107 to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
3108 commands:
3109 <screen>
3110 &rootprompt; init 1
3111 </screen>
3112 After the run level has been achieved, you are prompted to provide the
3113 <constant>root</constant> password. Log on, and then execute:
3114 <screen>
3115 &rootprompt; init 5
3116 </screen>
3117 When the normal logon prompt appears, log into the system as
3118 <constant>root</constant>
3119 and then execute these commands:
3120 <screen>
3121 &rootprompt; getent passwd
3122 root:x:0:0:root:/root:/bin/bash
3123 bin:x:1:1:bin:/bin:/bin/bash
3124 daemon:x:2:2:Daemon:/sbin:/bin/bash
3125 lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
3126 mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
3127 ...
3128 root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
3129 nobody:x:999:514:nobody:/dev/null:/bin/false
3130 bobj:x:1000:513:System User:/home/bobj:/bin/bash
3131 stans:x:1001:513:System User:/home/stans:/bin/bash
3132 chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
3133 maryv:x:1003:513:System User:/home/maryv:/bin/bash
3134 vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
3135 bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
3136 </screen>
3137 This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
3138 </para></step>
3140 <step><para><indexterm>
3141 <primary>getent</primary>
3142 </indexterm>
3143 The next step in the verification process involves testing the operation of UNIX group
3144 resolution via the NSS LDAP resolver. Execute these commands:
3145 <screen>
3146 &rootprompt; getent group
3147 root:x:0:
3148 bin:x:1:daemon
3149 daemon:x:2:
3150 sys:x:3:
3151 ...
3152 Domain Admins:x:512:root
3153 Domain Users:x:513:bobj,stans,chrisr,maryv,jht
3154 Domain Guests:x:514:
3155 Administrators:x:544:
3156 Users:x:545:
3157 Guests:x:546:nobody
3158 Power Users:x:547:
3159 Account Operators:x:548:
3160 Server Operators:x:549:
3161 Print Operators:x:550:
3162 Backup Operators:x:551:
3163 Replicator:x:552:
3164 Domain Computers:x:553:
3165 Accounts:x:1000:
3166 Finances:x:1001:
3167 PIOps:x:1002:
3168 </screen>
3169 This is also the correct and desired output, because it demonstrates that the LDAP client
3170 is able to communicate correctly with the LDAP server
3171 (<constant>MASSIVE</constant>).
3172 </para></step>
3174 <step><para><indexterm>
3175 <primary>smbpasswd</primary>
3176 </indexterm>
3177 You must now set the LDAP administrative password into the
3178 Samba-3 <filename>secrets.tdb</filename>
3179 file by executing this command:
3180 <screen>
3181 &rootprompt; smbpasswd -w not24get
3182 Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
3183 </screen>
3184 </para></step>
3186 <step><para>
3187 Now you must obtain the Domain Security Identifier from the PDC and store it into the
3188 <filename>secrets.tdb</filename> file also. This step is not necessary with an LDAP
3189 passdb backend because Samba-3 obtains the Domain SID from the
3190 sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
3191 add the SID to the <filename>secrets.tdb</filename>, and if you wish to do so, this
3192 command can achieve that:
3193 <screen>
3194 &rootprompt; net rpc getsid MEGANET2
3195 Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
3196 for Domain MEGANET2 in secrets.tdb
3197 </screen>
3198 When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
3199 any special action to join it to the Domain. However, winbind communicates with the
3200 Domain Controller that is running on the localhost and must be able to authenticate,
3201 thus requiring that the BDC should be joined to the Domain. The process of joining
3202 the Domain creates the necessary authentication accounts.
3203 </para></step>
3205 <step><para>
3206 To join the Samba BDC to the Domain execute the following:
3207 <screen>
3208 &rootprompt; net rpc join -U root%not24get
3209 Joined domain MEGANET2.
3210 </screen>
3211 This indicates that the Domain security account for the BDC has been correctly created.
3212 </para></step>
3214 <step><para>
3215 <indexterm>
3216 <primary>pdbedit</primary>
3217 </indexterm>
3218 Verify that user and group account resolution works via Samba-3 tools as follows:
3219 <screen>
3220 &rootprompt; pdbedit -L
3221 root:0:root
3222 nobody:65534:nobody
3223 bobj:1000:System User
3224 stans:1001:System User
3225 chrisr:1002:System User
3226 maryv:1003:System User
3227 bldg1$:1006:bldg1$
3229 &rootprompt; net groupmap list
3230 Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
3231 Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
3232 Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
3233 Administrators (S-1-5-21-3504140859-...-2431957765-544) -> Administrators
3234 ...
3235 Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
3236 Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
3237 PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
3238 </screen>
3239 The above results show that all things are in order.
3240 </para></step>
3242 <step><para>
3243 The server you have so carefully built is now ready for another important step. Now
3244 start the Samba-3 server and validate its operation. Execute the following to render all
3245 the processes needed fully operative so that, upon system reboot, they are automatically
3246 started:
3247 <screen>
3248 &rootprompt; chkconfig named on
3249 &rootprompt; chkconfig dhcpd on
3250 &rootprompt; chkconfig nmb on
3251 &rootprompt; chkconfig smb on
3252 &rootprompt; chkconfig winbind on
3253 &rootprompt; rcnmb start
3254 &rootprompt; rcsmb start
3255 &rootprompt; rcwinbind start
3256 </screen>
3257 Samba-3 should now be running and is ready for a quick test. But not quite yet!
3258 </para></step>
3260 <step><para>
3261 Your new <constant>BLDG1, BLDG2</constant> servers do not have home directories for users.
3262 To rectify this using the SUSE yast2 utility or by manually editing the <filename>/etc/fstab</filename>
3263 file, add a mount entry to mount the <constant>home</constant> directory that has been exported
3264 from the <constant>MASSIVE</constant> server. Mount this resource before proceeding. An alternate
3265 approach could be to create local home directories for users who are to use these machines.
3266 This is a choice that you, as system administrator, must make. The following entry in the
3267 <filename>/etc/fstab</filename> file suffices for now:
3268 <screen>
3269 massive.abmas.biz:/home /home nfs rw 0 0
3270 </screen>
3271 To mount this resource, execute:
3272 <screen>
3273 &rootprompt; mount -a
3274 </screen>
3275 Verify that the home directory has been mounted as follows:
3276 <screen>
3277 &rootprompt; df | grep home
3278 massive:/home 29532988 283388 29249600 1% /home
3279 </screen>
3280 </para></step>
3282 <step><para>
3283 Implement a quick check using one of the users that is in the LDAP database. Here you go:
3284 <screen>
3285 &rootprompt; smbclient //bldg1/bobj -Ubobj%n3v3r2l8
3286 smb: \> dir
3287 . D 0 Wed Dec 17 01:16:19 2003
3288 .. D 0 Wed Dec 17 19:04:42 2003
3289 bin D 0 Tue Sep 2 04:00:57 2003
3290 Documents D 0 Sun Nov 30 07:28:20 2003
3291 public_html D 0 Sun Nov 30 07:28:20 2003
3292 .urlview H 311 Fri Jul 7 06:55:35 2000
3293 .dvipsrc H 208 Fri Nov 17 11:22:02 1995
3295 57681 blocks of size 524288. 57128 blocks available
3296 smb: \> q
3297 </screen>
3298 </para></step>
3300 </procedure>
3302 <procedure id="sbehap-bldg2">
3303 <title>Configuration of BDC Called: <constant>BLDG2</constant></title>
3304 <step><para>
3305 Install the files in <link linkend="sbehap-bldg2-smbconf"/>,
3306 <link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
3307 into the <filename>/etc/samba/</filename> directory. The three files
3308 should be added together to form the &smb.conf; file.
3309 </para></step>
3311 <step><para>
3312 Follow carefully the steps shown in <link linkend="sbehap-bldg1"/>, starting at step 2.
3313 </para></step>
3315 </procedure>
3317 <smbconfexample id="sbehap-bldg1-smbconf">
3318 <title>LDAP Based &smb.conf; File, Server: BLDG1</title>
3319 <smbconfcomment>Global parameters</smbconfcomment>
3320 <smbconfsection name="[global]"/>
3321 <smbconfoption name="unix charset">LOCALE</smbconfoption>
3322 <smbconfoption name="workgroup">MEGANET2</smbconfoption>
3323 <smbconfoption name="netbios name">BLDG1</smbconfoption>
3324 <smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
3325 <smbconfoption name="enable privileges">Yes</smbconfoption>
3326 <smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
3327 <smbconfoption name="log level">1</smbconfoption>
3328 <smbconfoption name="syslog">0</smbconfoption>
3329 <smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
3330 <smbconfoption name="max log size">50</smbconfoption>
3331 <smbconfoption name="smb ports">139 445</smbconfoption>
3332 <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
3333 <smbconfoption name="printcap name">CUPS</smbconfoption>
3334 <smbconfoption name="show add printer wizard">No</smbconfoption>
3335 <smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
3336 <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
3337 <smbconfoption name="logon drive">X:</smbconfoption>
3338 <smbconfoption name="domain logons">Yes</smbconfoption>
3339 <smbconfoption name="domain master">No</smbconfoption>
3340 <smbconfoption name="wins server">172.16.0.1</smbconfoption>
3341 <smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
3342 <smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
3343 <smbconfoption name="ldap user suffix">ou=People</smbconfoption>
3344 <smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
3345 <smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
3346 <smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
3347 <smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
3348 <smbconfoption name="idmap uid">10000-20000</smbconfoption>
3349 <smbconfoption name="idmap gid">10000-20000</smbconfoption>
3350 <smbconfoption name="printing">cups</smbconfoption>
3351 <smbconfoption name="printer admin">root, chrisr</smbconfoption>
3352 </smbconfexample>
3355 <smbconfexample id="sbehap-bldg2-smbconf">
3356 <title>LDAP Based &smb.conf; File, Server: BLDG2</title>
3357 <smbconfcomment>Global parameters</smbconfcomment>
3358 <smbconfsection name="[global]"/>
3359 <smbconfoption name="unix charset">LOCALE</smbconfoption>
3360 <smbconfoption name="workgroup">MEGANET2</smbconfoption>
3361 <smbconfoption name="netbios name">BLDG2</smbconfoption>
3362 <smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
3363 <smbconfoption name="enable privileges">Yes</smbconfoption>
3364 <smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
3365 <smbconfoption name="log level">1</smbconfoption>
3366 <smbconfoption name="syslog">0</smbconfoption>
3367 <smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
3368 <smbconfoption name="max log size">50</smbconfoption>
3369 <smbconfoption name="smb ports">139 445</smbconfoption>
3370 <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
3371 <smbconfoption name="printcap name">CUPS</smbconfoption>
3372 <smbconfoption name="show add printer wizard">No</smbconfoption>
3373 <smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
3374 <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
3375 <smbconfoption name="logon drive">X:</smbconfoption>
3376 <smbconfoption name="domain logons">Yes</smbconfoption>
3377 <smbconfoption name="domain master">No</smbconfoption>
3378 <smbconfoption name="wins server">172.16.0.1</smbconfoption>
3379 <smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
3380 <smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
3381 <smbconfoption name="ldap user suffix">ou=People</smbconfoption>
3382 <smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
3383 <smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
3384 <smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
3385 <smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
3386 <smbconfoption name="idmap uid">10000-20000</smbconfoption>
3387 <smbconfoption name="idmap gid">10000-20000</smbconfoption>
3388 <smbconfoption name="printing">cups</smbconfoption>
3389 <smbconfoption name="printer admin">root, chrisr</smbconfoption>
3390 </smbconfexample>
3393 <smbconfexample id="sbehap-shareconfa">
3394 <title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part A</title>
3395 <smbconfsection name="[accounts]"/>
3396 <smbconfoption name="comment">Accounting Files</smbconfoption>
3397 <smbconfoption name="path">/data/accounts</smbconfoption>
3398 <smbconfoption name="read only">No</smbconfoption>
3400 <smbconfsection name="[service]"/>
3401 <smbconfoption name="comment">Financial Services Files</smbconfoption>
3402 <smbconfoption name="path">/data/service</smbconfoption>
3403 <smbconfoption name="read only">No</smbconfoption>
3405 <smbconfsection name="[pidata]"/>
3406 <smbconfoption name="comment">Property Insurance Files</smbconfoption>
3407 <smbconfoption name="path">/data/pidata</smbconfoption>
3408 <smbconfoption name="read only">No</smbconfoption>
3410 <smbconfsection name="[homes]"/>
3411 <smbconfoption name="comment">Home Directories</smbconfoption>
3412 <smbconfoption name="valid users">%S</smbconfoption>
3413 <smbconfoption name="read only">No</smbconfoption>
3414 <smbconfoption name="browseable">No</smbconfoption>
3416 <smbconfsection name="[printers]"/>
3417 <smbconfoption name="comment">SMB Print Spool</smbconfoption>
3418 <smbconfoption name="path">/var/spool/samba</smbconfoption>
3419 <smbconfoption name="guest ok">Yes</smbconfoption>
3420 <smbconfoption name="printable">Yes</smbconfoption>
3421 <smbconfoption name="browseable">No</smbconfoption>
3422 </smbconfexample>
3424 <smbconfexample id="sbehap-shareconfb">
3425 <title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part B</title>
3426 <smbconfsection name="[apps]"/>
3427 <smbconfoption name="comment">Application Files</smbconfoption>
3428 <smbconfoption name="path">/apps</smbconfoption>
3429 <smbconfoption name="admin users">bjordan</smbconfoption>
3430 <smbconfoption name="read only">No</smbconfoption>
3432 <smbconfsection name="[netlogon]"/>
3433 <smbconfoption name="comment">Network Logon Service</smbconfoption>
3434 <smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
3435 <smbconfoption name="guest ok">Yes</smbconfoption>
3436 <smbconfoption name="locking">No</smbconfoption>
3438 <smbconfsection name="[profiles]"/>
3439 <smbconfoption name="comment">Profile Share</smbconfoption>
3440 <smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
3441 <smbconfoption name="read only">No</smbconfoption>
3442 <smbconfoption name="profile acls">Yes</smbconfoption>
3444 <smbconfsection name="[profdata]"/>
3445 <smbconfoption name="comment">Profile Data Share</smbconfoption>
3446 <smbconfoption name="path">/var/lib/samba/profdata</smbconfoption>
3447 <smbconfoption name="read only">No</smbconfoption>
3448 <smbconfoption name="profile acls">Yes</smbconfoption>
3450 <smbconfsection name="[print$]"/>
3451 <smbconfoption name="comment">Printer Drivers</smbconfoption>
3452 <smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
3453 <smbconfoption name="browseable">yes</smbconfoption>
3454 <smbconfoption name="guest ok">no</smbconfoption>
3455 <smbconfoption name="read only">yes</smbconfoption>
3456 <smbconfoption name="write list">root, chrisr</smbconfoption>
3457 </smbconfexample>
3459 <example id="sbehap-ldifadd">
3460 <title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title>
3461 <screen>
3462 dn: ou=Idmap,dc=abmas,dc=biz
3463 objectClass: organizationalUnit
3464 ou: idmap
3465 structuralObjectClass: organizationalUnit
3466 </screen>
3467 </example>
3469 </sect1>
3471 <sect1>
3472 <title>Miscellaneous Server Preparation Tasks</title>
3474 <para>
3475 My father would say, <quote>Dinner is not over until the dishes have been done.</quote>
3476 The makings of a great network environment take a lot of effort and attention to detail.
3477 So far you have completed most of the complex (and to many administrators, the interesting
3478 part of server configuration) steps, but remember to tie it all together. Here are
3479 a few more steps that must be completed so that your network runs like a well-rehearsed
3480 orchestra.
3481 </para>
3483 <sect2>
3484 <title>Configuring Directory Share Point Roots</title>
3486 <para>
3487 In your &smb.conf; file, you have specified Windows shares. Each has a
3488 <parameter>path</parameter>
3489 parameter. Even though it is obvious to all, one of the common Samba networking problems is
3490 caused by forgetting to verify that every such share root directory actually exists and that it
3491 has the necessary permissions and ownership.
3492 </para>
3494 <para>
3495 Here is an example, but remember to create the directory needed for every share:
3496 <screen>
3497 &rootprompt; mkdir -p /data/{accounts,finsvcs,piops}
3498 &rootprompt; mkdir -p /apps
3499 &rootprompt; chown -R root.root /data
3500 &rootprompt; chown -R root.root /apps
3501 &rootprompt; chown -R bobj.Accounts /data/accounts
3502 &rootprompt; chown -R bobj.Finances /data/finsvcs
3503 &rootprompt; chown -R bobj.PIOps /data/pidata
3504 &rootprompt; chmod -R ug+rwxs,o-rwx /data
3505 &rootprompt; chmod -R ug+rwx,o+rx-w /apps
3506 </screen>
3507 </para>
3509 </sect2>
3511 <sect2>
3512 <title>Configuring Profile Directories</title>
3514 <para>
3515 You made a conscious decision to do everything it would take to improve network client
3516 performance. One of your decisions was to implement folder redirection. This means that Windows
3517 user desktop profiles are now made up of two components &smbmdash; a dynamically loaded part and a set of file
3518 network folders.
3519 </para>
3521 <para>
3522 For this arrangement to work, every user needs a directory structure for the network folder
3523 portion of their profile as shown here:
3524 <screen>
3525 &rootprompt; mkdir -p /var/lib/samba/profdata
3526 &rootprompt; chown root.root /var/lib/samba/profdata
3527 &rootprompt; chmod 755 /var/lib/samba/profdata
3529 # Per user structure
3530 &rootprompt; cd /var/lib/samba/profdata
3531 &rootprompt; mkdir -p <emphasis>username</emphasis>
3532 &rootprompt; for i in InternetFiles Cookies History AppData \
3533 LocalSettings MyPictures MyDocuments Recent
3534 &rootprompt; do
3535 &rootprompt; mkdir <emphasis>username</emphasis>/$i
3536 &rootprompt; done
3537 &rootprompt; chown -R <emphasis>username</emphasis>.Domain\ Users <emphasis>username</emphasis>
3538 &rootprompt; chmod -R 750 <emphasis>username</emphasis>
3539 </screen>
3540 </para>
3542 <para><indexterm>
3543 <primary>roaming profile</primary>
3544 </indexterm><indexterm>
3545 <primary>mandatory profile</primary>
3546 </indexterm>
3547 You have three options insofar as the dynamically loaded portion of the roaming profile
3548 is concerned:
3549 </para>
3551 <itemizedlist>
3552 <listitem><para>You may permit the user to obtain a default profile.</para></listitem>
3553 <listitem><para>You can create a mandatory profile.</para></listitem>
3554 <listitem><para>You can create a group profile (which is almost always a mandatory profile).</para></listitem>
3555 </itemizedlist>
3557 <para>
3558 Mandatory profiles cannot be overwritten by a user. The change from
3559 a user profile to a mandatory profile is effected by renaming the
3560 <filename>NTUSER.DAT</filename> to
3561 <filename>NTUSER.MAN</filename>, i.e., just by changing the filename
3562 extension.
3563 </para>
3565 <para><indexterm>
3566 <primary>SRVTOOLS.EXE</primary>
3567 </indexterm><indexterm>
3568 <primary>Domain User Manager</primary>
3569 </indexterm>
3570 The location of the profile that a user can obtain is set in the users' account in the LDAP passdb backend.
3571 You can manage this using the Idealx smbldap-tools or using the
3572 <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">Windows NT4 Domain User Manager.</ulink>
3573 </para>
3575 <para>
3576 It may not be obvious that you must ensure that the root directory for the user's profile exists
3577 and has the needed permissions. Use the following commands to create this directory:
3578 <screen>
3579 &rootprompt; mkdir -p /var/lib/samba/profiles/<emphasis>username</emphasis>
3580 &rootprompt; chown <emphasis>username</emphasis>.Domain\ Users
3581 /var/lib/samba/profiles/<emphasis>username</emphasis>
3582 &rootprompt; chmod 700 /var/lib/samba/profiles/<emphasis>username</emphasis>
3583 </screen>
3584 </para>
3586 </sect2>
3588 <sect2>
3589 <title>Preparation of Logon Scripts</title>
3591 <para><indexterm>
3592 <primary>logon script</primary>
3593 </indexterm>
3594 The use of a logon script with Windows XP Professional is an option that every site should consider.
3595 Unless you have locked down the desktop so the user cannot change anything, there is risk that
3596 a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
3597 can help to restore persistent network folder (drive) and printer connections in a predictable
3598 manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
3599 user attaches to another company's network that forces environment changes that are alien to your
3600 network.
3601 </para>
3603 <para>
3604 If you decide to use network logon scripts, by reference to the &smb.conf; files for the Domain
3605 Controllers, you see that the path to the share point for the
3606 <constant>NETLOGON</constant>
3607 share defined is <filename>/var/lib/samba/netlogon</filename>. The path defined for the logon
3608 script inside that share is <filename>scripts\logon.bat</filename>. This means that as a Windows
3609 NT/200x/XP client logs onto the network, it tries to obtain the file
3610 <filename>logon.bat</filename>
3611 from the fully qualified path <filename>/var/lib/samba/netlogon/scripts</filename>. This fully
3612 qualified path should, therefore, exist whether you install the
3613 <filename>logon.bat</filename>.
3614 </para>
3616 <para>
3617 You can, of course, create the fully qualified path by executing:
3618 <screen>
3619 &rootprompt; mkdir -p /var/lib/samba/netlogon/scripts
3620 </screen>
3621 </para>
3623 <para>
3624 You should research the options for logon script implementation by referring to <emphasis>TOSHARG</emphasis>, Chapter 21,
3625 Section 21.4. A quick Web search will bring up a host of options. One of the most popular logon
3626 facilities in use today is called <ulink url="http://www.kixtart.org">KiXtart.</ulink>
3627 </para>
3629 </sect2>
3631 <sect2>
3632 <title>Assigning User Rights and Privileges</title>
3634 <para>
3635 The ability to perform tasks such as joining Windows clients to the domain can be assigned to
3636 normal user accounts. By default, only the domain administrator account (<constant>root</constant> on UNIX
3637 systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
3638 this privilege in a very limited fashion to particular accounts.
3639 </para>
3641 <para>
3642 By default, even Samba 3.0.11 does not grant any rights even to the <constant>Domain Admins</constant>
3643 group. Here we will grant this group all privileges.
3644 </para>
3646 <para>
3647 Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
3648 are granted rights can be restricted to particular machines. It is left to the network administrator
3649 to determine which rights should be provided and to whom.
3650 </para>
3652 <procedure>
3653 <step><para>
3654 Log onto the primary domain controller (PDC) as the <constant>root</constant> account.
3655 </para></step>
3657 <step><para>
3658 Execute the following command to grant the <constant>Domain Admins</constant> group all
3659 rights and privileges:
3660 <screen>
3661 &rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
3662 "MEGANET2\Domain Admins" SeMachineAccountPrivilege \
3663 SePrintOperatorPrivilege SeAddUsersPrivilege \
3664 SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
3665 Successfully granted rights.
3666 </screen>
3667 Repeat this step on each domain controller in each case substituting the name of the server
3668 (e.g.: BLDG1, BLDG2) in place of the PDC called MASSIVE.
3669 </para></step>
3671 <step><para>
3672 In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
3673 to the domain. Execute the following only on the PDC. It is not necessary to do this on
3674 BDCs or on DMS machines because machine accounts are only ever added by the PDC:
3675 <screen>
3676 &rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
3677 "MEGANET2\bobj" SeMachineAccountPrivilege
3678 Successfully granted rights.
3679 </screen>
3680 </para></step>
3682 <step><para>
3683 Verify that the assignment of privileges have been correctly applied by executing:
3684 <screen>
3685 net rpc rights list accounts -Uroot%not24get
3686 MEGANET2\bobj
3687 SeMachineAccountPrivilege
3689 S-0-0
3690 No privileges assigned
3692 BUILTIN\Print Operators
3693 No privileges assigned
3695 BUILTIN\Account Operators
3696 No privileges assigned
3698 BUILTIN\Backup Operators
3699 No privileges assigned
3701 BUILTIN\Server Operators
3702 No privileges assigned
3704 BUILTIN\Administrators
3705 No privileges assigned
3707 Everyone
3708 No privileges assigned
3710 MEGANET2\Domain Admins
3711 SeMachineAccountPrivilege
3712 SePrintOperatorPrivilege
3713 SeAddUsersPrivilege
3714 SeRemoteShutdownPrivilege
3715 SeDiskOperatorPrivilege
3716 </screen>
3717 </para></step>
3719 </procedure>
3721 </sect2>
3723 </sect1>
3725 <sect1>
3726 <title>Windows Client Configuration</title>
3728 <para><indexterm>
3729 <primary>NETLOGON</primary>
3730 </indexterm>
3731 In the next few sections, you can configure a new Windows XP Professional disk image on a staging
3732 machine. You will configure all software, printer settings, profile and policy handling, and desktop
3733 default profile settings on this system. When it is complete, you copy the contents of the
3734 <filename>C:\Documents and Settings\Default User</filename> directory to a directory with the same
3735 name in the <constant>NETLOGON</constant> share on the Domain Controllers.
3736 </para>
3738 <para>
3739 Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
3740 One knowledge-base article in particular stands out. See:
3741 <ulink
3742 url="http://support.microsoft.com/default.aspx&scid=kb;en-us;168475">How to Create a
3743 Base Profile for All Users.</ulink>
3745 </para>
3747 <sect2 id="redirfold">
3748 <title>Configuration of Default Profile with Folder Redirection</title>
3750 <para><indexterm>
3751 <primary>folder redirection</primary>
3752 </indexterm>
3753 Log onto the Windows XP Professional workstation as the local <constant>Administrator</constant>.
3754 It is necessary to expose folders that are generally hidden to provide
3755 access to the <constant>Default User</constant>
3756 folder.
3757 </para>
3759 <procedure>
3760 <title>Expose Hidden Folders</title>
3762 <step><para>
3763 Launch the Windows Explorer by clicking
3764 <menuchoice>
3765 <guimenu>Start</guimenu>
3766 <guimenuitem>My Computer</guimenuitem>
3767 <guimenuitem>Tools</guimenuitem>
3768 <guimenuitem>Folder Options</guimenuitem>
3769 <guimenuitem>View Tab</guimenuitem>
3770 </menuchoice>.
3771 Select <guilabel>Show hidden files and folders</guilabel>,
3772 and click <guibutton>OK</guibutton>.
3773 Exit Windows Explorer.
3774 </para></step>
3776 <step><para><indexterm>
3777 <primary>regedt32</primary>
3778 </indexterm>
3779 Launch the Registry Editor. Click
3780 <menuchoice>
3781 <guimenu>Start</guimenu>
3782 <guimenuitem>Run</guimenuitem>
3783 </menuchoice>. Key in <command>regedt32</command>, and click
3784 <guibutton>OK</guibutton>.
3785 </para></step>
3786 </procedure>
3788 <para>
3789 </para>
3791 <procedure id="sbehap-rdrfldr">
3792 <title>Redirect Folders in Default System User Profile</title>
3794 <step><para><indexterm>
3795 <primary>HKEY_LOCAL_MACHINE</primary>
3796 </indexterm><indexterm>
3797 <primary>Default User</primary>
3798 </indexterm>
3799 Give focus to <constant>HKEY_LOCAL_MACHINE</constant> hive entry in the left panel.
3800 Click <menuchoice>
3801 <guimenu>File</guimenu>
3802 <guimenuitem>Load Hive...</guimenuitem>
3803 <guimenuitem>[Panel] Documents and Settings</guimenuitem>
3804 <guimenuitem>[Panel] Default User</guimenuitem>
3805 <guimenuitem>NTUSER</guimenuitem>
3806 <guimenuitem>Open</guimenuitem>
3807 </menuchoice>. In the dialog box that opens, enter the
3808 key name <constant>Default</constant>
3809 and click <guibutton>OK</guibutton>.
3810 </para></step>
3812 <step><para>
3813 Browse inside the newly loaded Default folder to:
3814 <screen>
3815 HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
3816 CurrentVersion\Explorer\User Shell Folders\
3817 </screen>
3818 The contents of the right panel reveals the contents as
3819 shown in <link linkend="XP-screen001"/>.
3820 </para></step>
3822 <step><para><indexterm>
3823 <primary>%USERPROFILE%</primary>
3824 </indexterm><indexterm>
3825 <primary>%LOGONSERVER%</primary>
3826 </indexterm>
3827 You edit hive keys. Acceptable values to replace the
3828 <constant>%USERPROFILE%</constant> variable includes:
3830 <itemizedlist>
3831 <listitem><para>A drive letter such as: <constant>U:</constant></para></listitem>
3832 <listitem><para>A direct network path such as:
3833 <constant>\\MASSIVE\profdata</constant></para></listitem>
3834 <listitem><para>A network redirection (UNC name) that contains a macro such as: </para>
3835 <para><constant>%LOGONSERVER%\profdata\</constant></para></listitem>
3836 </itemizedlist>
3837 </para></step>
3839 <step><para><indexterm>
3840 <primary>registry keys</primary>
3841 </indexterm>
3842 Set the registry keys as shown in <link linkend="proffold"/>. Your implementation makes the assumption
3843 that users have statically located machines. Notebook computers (mobile users) need to be
3844 accommodated using local profiles. This is not an uncommon assumption.
3845 </para></step>
3847 <step><para>
3848 Click back to the root of the loaded hive <constant>Default</constant>.
3849 Click <menuchoice><guimenu>File</guimenu><guimenuitem>Unload Hive...</guimenuitem>
3850 <guimenuitem>Yes</guimenuitem></menuchoice>.
3851 </para></step>
3853 <step><para><indexterm>
3854 <primary>Registry Editor</primary>
3855 </indexterm>
3856 Click <menuchoice><guimenu>File</guimenu><guimenuitem>Exit</guimenuitem></menuchoice>. This exits the
3857 Registry Editor.
3858 </para></step>
3860 <step><para>
3861 Now follow the procedure given in <link linkend="sbehap-locgrppol"/>. Make sure that each folder you
3862 have redirected is in the exclusion list.
3863 </para></step>
3865 <step><para>
3866 You are now ready to copy<footnote><para>
3867 There is an alternate method by which a Default User profile can be added to the
3868 <constant>NETLOGON</constant> share. This facility in the Windows System tool
3869 permits profiles to be exported. The export target may be a particular user or
3870 group profile share point, or else into the <constant>NETLOGON</constant> share.
3871 In this case, the profile directory must be named
3872 <constant>Default User</constant>.
3873 </para></footnote>
3874 the Default User profile to the Samba Domain Controllers. Launch Microsoft
3875 Windows Explorer, and use it to copy the full contents of the
3876 directory <filename>Default User</filename>
3877 that is in the <filename>C:\Documents and Settings</filename> to the root directory of the
3878 <constant>NETLOGON</constant> share. If the <constant>NETLOGON</constant> share has the defined
3879 UNIX path of <filename>/var/lib/samba/netlogon</filename>, when the copy is complete there must be
3880 a directory in there called <filename>Default User</filename>.
3881 </para></step>
3883 </procedure>
3885 <procedure>
3886 <title>Reset Folder Display to Original Behavior</title>
3888 <step><para>
3889 To launch the Windows Explorer, click
3890 <menuchoice>
3891 <guimenu>Start</guimenu>
3892 <guimenuitem>My Computer</guimenuitem>
3893 <guimenuitem>Tools</guimenuitem>
3894 <guimenuitem>Folder Options</guimenuitem>
3895 <guimenuitem>View Tab</guimenuitem>
3896 </menuchoice>.
3897 Deselect <guilabel>Show hidden files and folders</guilabel>,
3898 and click <guibutton>OK</guibutton>.
3899 Exit Windows Explorer.
3900 </para></step>
3902 </procedure>
3904 <image id="XP-screen001">
3905 <imagedescription>Windows XP Professional &smbmdash; User Shared Folders</imagedescription>
3906 <imagefile scale="65">XP-screen001</imagefile>
3907 </image>
3909 <table id="proffold">
3910 <title>Default Profile Redirections</title>
3911 <tgroup cols="2">
3912 <colspec align="left"/>
3913 <colspec align="left"/>
3914 <thead>
3915 <row>
3916 <entry>Registry Key</entry>
3917 <entry>Redirected Value</entry>
3918 </row>
3919 </thead>
3920 <tbody>
3921 <row>
3922 <entry>Cache</entry>
3923 <entry>%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</entry>
3924 </row>
3925 <row>
3926 <entry>Cookies</entry>
3927 <entry>%LOGONSERVER%\profdata\%USERNAME%\Cookies</entry>
3928 </row>
3929 <row>
3930 <entry>History</entry>
3931 <entry>%LOGONSERVER%\profdata\%USERNAME%\History</entry>
3932 </row>
3933 <row>
3934 <entry>Local AppData</entry>
3935 <entry>%LOGONSERVER%\profdata\%USERNAME%\AppData</entry>
3936 </row>
3937 <row>
3938 <entry>Local Settings</entry>
3939 <entry>%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</entry>
3940 </row>
3941 <row>
3942 <entry>My Pictures</entry>
3943 <entry>%LOGONSERVER%\profdata\%USERNAME%\MyPictures</entry>
3944 </row>
3945 <row>
3946 <entry>Personal</entry>
3947 <entry>%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</entry>
3948 </row>
3949 <row>
3950 <entry>Recent</entry>
3951 <entry>%LOGONSERVER%\profdata\%USERNAME%\Recent</entry>
3952 </row>
3953 </tbody>
3954 </tgroup>
3955 </table>
3957 </sect2>
3959 <sect2>
3960 <title>Configuration of MS Outlook to Relocate PST File</title>
3962 <para><indexterm>
3963 <primary>Outlook</primary>
3964 <secondary>PST</secondary>
3965 </indexterm>
3966 Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
3967 It is the nature of email storage that this file grows, at times quite rapidly.
3968 So that users' email is available to them at every workstation they may log onto,
3969 it is common practice in well-controlled sites to redirect the PST folder to the
3970 users' home directory. Follow these steps for each user who wishes to do this.
3971 </para>
3973 <note><para>
3974 It is presumed that Outlook Express has been configured for use.
3975 </para></note>
3977 <para>
3978 Launch Outlook Express 6. Click
3979 <menuchoice>
3980 <guimenu>Tools</guimenu>
3981 <guimenuitem>Options</guimenuitem>
3982 <guimenuitem>Maintenance</guimenuitem>
3983 <guimenuitem>Store Folder</guimenuitem>
3984 <guimenuitem>Change</guimenuitem>
3985 </menuchoice>.
3986 </para>
3988 <para>
3989 Follow the on-screen prompts to relocate the PST file to the desired location.
3990 </para>
3992 </sect2>
3994 <sect2>
3995 <title>Configure Delete Cached Profiles on Logout</title>
3997 <para>
3998 To configure the Windows XP Professional client to auto-delete roaming profiles on logout:
3999 </para>
4001 <para><indexterm>
4002 <primary>MMC</primary>
4003 </indexterm>
4004 Click
4005 <menuchoice>
4006 <guimenu>Start</guimenu>
4007 <guimenuitem>Run</guimenuitem>
4008 </menuchoice>. In the dialog box, enter: <command>MMC</command>
4009 and click <guibutton>OK</guibutton>.
4010 </para>
4012 <para>
4013 Follow these steps to set the default behavior of the staging machine so that all roaming
4014 profiles are deleted as network users log out of the system. Click
4015 <menuchoice>
4016 <guimenu>File</guimenu>
4017 <guimenuitem>Add/Remove Snap-in</guimenuitem>
4018 <guimenuitem>Add</guimenuitem>
4019 <guimenuitem>Group Policy</guimenuitem>
4020 <guimenuitem>Add</guimenuitem>
4021 <guimenuitem>Finish</guimenuitem>
4022 <guimenuitem>Close</guimenuitem>
4023 <guimenuitem>OK</guimenuitem>
4024 </menuchoice>.
4025 </para>
4027 <para><indexterm>
4028 <primary>Microsoft Management Console</primary>
4029 <see>MMC</see>
4030 </indexterm>
4031 The Microsoft Management Console now shows the <guimenu>Group Policy</guimenu>
4032 utility that enables you to set the policies needed. In the left panel, click
4033 <menuchoice>
4034 <guimenuitem>Local Computer Policy</guimenuitem>
4035 <guimenuitem>Administrative Templates</guimenuitem>
4036 <guimenuitem>System</guimenuitem>
4037 <guimenuitem>User Profiles</guimenuitem>
4038 </menuchoice>. In the right panel, set the properties shown here by double-clicking on each
4039 item as shown:
4040 </para>
4042 <itemizedlist>
4043 <listitem><para>Do not check for user ownership of Roaming Profile Folders = Enabled</para></listitem>
4044 <listitem><para>Delete cached copies of roaming profiles = Enabled</para></listitem>
4045 </itemizedlist>
4047 <para>
4048 Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
4049 made of this system to deploy the new standard desktop system.
4050 </para>
4052 </sect2>
4054 <sect2>
4055 <title>Uploading Printer Drivers to Samba Servers</title>
4057 <para><indexterm>
4058 <primary>printing</primary>
4059 <secondary>drag-and-drop</secondary>
4060 </indexterm>
4061 Users want to be able to use network printers. You have a vested interest in making
4062 it easy for them to print. You have chosen to install the printer drivers onto the Samba
4063 servers and to enable point-and-click (drag-and-drop) printing. This process results in
4064 Samba being able to automatically provide the Windows client with the driver necessary to
4065 print to the printer chosen. The following procedure must be followed for every network
4066 printer:
4067 </para>
4069 <procedure>
4070 <step><para>
4071 Join your Windows XP Professional workstation (the staging machine) to the
4072 <constant>MEGANET2</constant> Domain. If you are not sure of the procedure,
4073 follow the guidance given in <link linkend="domjoin"/>.
4074 </para></step>
4076 <step><para>
4077 After the machine has re-booted, log onto the workstation as the domain
4078 <constant>root</constant> (this is the Administrator account for the
4079 operating system that is the host platform for this implementation of Samba.
4080 </para></step>
4082 <step><para>
4083 Launch MS Windows Explorer. Navigate in the left panel. Click
4084 <menuchoice>
4085 <guimenu>My Network Places</guimenu>
4086 <guimenuitem>Entire Network</guimenuitem>
4087 <guimenuitem>Microsoft Windows Network</guimenuitem>
4088 <guimenuitem>Meganet2</guimenuitem>
4089 <guimenuitem>Massive</guimenuitem>
4090 </menuchoice>. Click on <guimenu>Massive</guimenu>
4091 <guimenu>Printers and Faxes</guimenu>.
4092 </para></step>
4094 <step><para>
4095 Identify a printer that is shown in the right panel. Let us assume the printer is called
4096 <constant>ps01-color</constant>. Right-click on the <guimenu>ps01-color</guimenu> icon
4097 and select the <guimenu>Properties</guimenu> entry. This opens a dialog box that indicates
4098 that <quote>The printer driver is not installed on this computer. Some printer properties
4099 will not be accessible unless you install the printer driver. Do you want to install the
4100 driver now?</quote> It is important at this point you answer <guimenu>No</guimenu>.
4101 </para></step>
4103 <step><para>
4104 The printer properties panel for the <guimenu>ps01-color</guimenu> printer on the server
4105 <constant>MASSIVE</constant> is displayed. Click the <guimenu>Advanced</guimenu> tab.
4106 Note that the box labelled <guimenu>Driver</guimenu> is empty. Click the <guimenu>New Driver</guimenu>
4107 button that is next to the <guimenu>Driver</guimenu> box. This launches the quote<quote>Add Printer Wizard</quote>.
4108 </para></step>
4110 <step><para><indexterm>
4111 <primary>Add Printer Wizard</primary>
4112 <secondary>APW</secondary>
4113 </indexterm><indexterm>
4114 <primary>APW</primary>
4115 </indexterm>
4116 The <quote>Add Printer Driver Wizard on <constant>MASSIVE</constant></quote> panel
4117 is now presented. Click <guimenu>Next</guimenu> to continue. From the left panel, select the
4118 Printer Manufacturer. In your case, you are adding a driver for a printer manufactured by
4119 Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click
4120 <guimenu>Next</guimenu>, and then <guimenu>Finish</guimenu> to commence driver upload. A
4121 progress bar appears and instructs you as each file is being uploaded and that it is being
4122 directed at the network server <constant>\\massive\ps01-color</constant>.
4123 </para></step>
4125 <step><para>
4126 <indexterm><primary>printers</primary><secondary>Advanced</secondary></indexterm>
4127 <indexterm><primary>printers</primary><secondary>Properties</secondary></indexterm>
4128 <indexterm><primary>printers</primary><secondary>Sharing</secondary></indexterm>
4129 <indexterm><primary>printers</primary><secondary>General</secondary></indexterm>
4130 <indexterm><primary>printers</primary><secondary>Security</secondary></indexterm>
4131 <indexterm><primary>AD printer publishing</primary></indexterm>
4132 The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
4133 you are returned to the <guimenu>Advanced</guimenu> tab in the <guimenu>Properties</guimenu> panel.
4134 You can set the Location (under the <guimenu>General</guimenu> tab), and Security settings (under
4135 the <guimenu>Security</guimenu> tab). Under the <guimenu>Sharing</guimenu> tab it is possible to
4136 load additional printer drivers, there is also a check-box in this tab called <quote>List in the
4137 directory</quote>. When this box is checked the printer will be published in Active Directory
4138 (Applicable to Active Directory use only.)
4139 </para></step>
4141 <step><para>
4142 <indexterm><primary>printers</primary><secondary>Default Settings</secondary></indexterm>
4143 Click <guimenu>OK</guimenu>. It will take a minute or so to upload the settings to the server.
4144 You are now returned to the <guimenu>Printers and Faxes on Massive</guimenu> monitor.
4145 Right-click on the printer, click <menuchoice><guimenu>Properties</guimenu>
4146 <guimenuitem>Device Settings</guimenuitem> </menuchoice>. Now change the settings to suit
4147 your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if
4148 you need to reverse them changes back to their original settings.
4149 </para></step>
4151 <step><para>
4152 This is necessary so that the printer settings are initialized in the Samba printers
4153 database. Click <guimenu>Apply</guimenu> to commit your settings. Revert any settings you changed
4154 just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
4155 Click <guimenu>Apply</guimenu> again.
4156 </para></step>
4158 <step><para>
4159 <indexterm><primary>Print Test Page</primary></indexterm>
4160 Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
4161 click the <guimenu>General</guimenu> tab. Now click the <guimenu>Print Test Page</guimenu> button.
4162 A test page should print. Verify that it has printed correctly. Then click <guimenu>OK</guimenu>
4163 in the panel that is newly presented. Click <guimenu>OK</guimenu> on the <guimenu>ps01-color on
4164 massive Properties</guimenu> panel.
4165 </para></step>
4167 <step><para>
4168 You must repeat this process for all network printers (i.e., for every printer, on each server).
4169 When you have finished uploading drivers to all printers, close all applications. The next task
4170 is to install software your users require to do their work.
4171 </para></step>
4172 </procedure>
4174 </sect2>
4176 <sect2>
4177 <title>Software Installation</title>
4179 <para>
4180 Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
4181 a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
4182 Notebooks require special handling that is beyond the scope of this chapter.
4183 </para>
4185 <para>
4186 For desktop systems, the installation of software onto administratively centralized application servers
4187 make a lot of sense. This means that you can manage software maintenance from a central
4188 perspective and that only minimal application stub-ware needs to be installed onto the desktop
4189 systems. You should proceed with software installation and default configuration as far as is humanly
4190 possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
4191 of software operations and configuration.
4192 </para>
4194 <para>
4195 When you believe that the overall configuration is complete, be sure to create a shared group profile
4196 and migrate that to the Samba server for later re-use when creating custom mandatory profiles, just in
4197 case a user may have specific needs you had not anticipated.
4198 </para>
4200 </sect2>
4202 <sect2>
4203 <title>Roll-out Image Creation</title>
4205 <para>
4206 The final steps before preparing the distribution Norton Ghost image file you might follow are:
4207 </para>
4209 <blockquote><para>
4210 Un-join the domain &smbmdash; Each workstation requires a unique name and must be independently
4211 joined into Domain Membership.
4212 </para></blockquote>
4214 <blockquote><para>
4215 Defragment the hard disk &smbmdash; While not obvious to the uninitiated, defragmentation results
4216 in better performance and often significantly reduces the size of the compressed disk image. That
4217 also means it will take less time to deploy the image onto 500 workstations.
4218 </para></blockquote>
4220 </sect2>
4222 </sect1>
4224 <sect1>
4225 <title>Key Points Learned</title>
4227 <para>
4228 This chapter has introduced many new concepts. Is it a sad fact that the example presented deliberately
4229 avoided any consideration of security. Security does not just happen; you must design it into your total
4230 network. Security begins with a systems design and implementation that anticipates hostile behavior from
4231 users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
4232 they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
4233 practices, you must not deploy the design presented in this book in an environment where there is risk
4234 of compromise.
4235 </para>
4237 <para><indexterm>
4238 <primary>Access Control Lists</primary>
4239 <see>ACLs</see>
4240 </indexterm><indexterm>
4241 <primary>ACLs</primary>
4242 </indexterm>
4243 As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs) and it must be
4244 configured to use secure protocols for all communications over the network. Of course, secure networking
4245 does not result just from systems design and implementation but involves constant user education
4246 training, and above all disciplined attention to detail and constant searching for signs of unfriendly
4247 or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
4248 Jerry Carter's book <ulink
4249 url="http://www.booksense.com/product/info.jsp&isbn=1565924916"><emphasis>LDAP System
4250 Administration</emphasis></ulink> is a good place to start reading about OpenLDAP as well as security considerations.
4251 </para>
4253 <para>
4254 The substance of this chapter that has been deserving of particular attention includes:
4255 </para>
4257 <itemizedlist>
4258 <listitem><para>
4259 Implementation of an OpenLDAP-based passwd backend &smbmdash; necessary to support distributed
4260 Domain Control.
4261 </para></listitem>
4263 <listitem><para>
4264 Implementation of Samba Primary and Secondary Domain Controllers with a common LDAP backend
4265 for user and group accounts that is shared with the UNIX system through the PADL nns_ldap and
4266 pam_ldap toolsets.
4267 </para></listitem>
4269 <listitem><para>
4270 Use of the Idealx smbldap-tools scripts for UNIX (Posix) account management as well as
4271 to manage Samba Windows user and group accounts.
4272 </para></listitem>
4274 <listitem><para>
4275 The basics of implementation of Group Policy controls for Windows network clients.
4276 </para></listitem>
4278 <listitem><para>
4279 Control over roaming profiles, with particular focus on folder redirection to network drives.
4280 </para></listitem>
4282 <listitem><para>
4283 Use of the CUPS printing system together with Samba-based printer driver auto-download.
4284 </para></listitem>
4285 </itemizedlist>
4287 </sect1>
4290 <sect1>
4291 <title>Questions and Answers</title>
4293 <para>
4294 Well, here we are at the end of this chapter and we have only ten questions to help you to
4295 remember so much. There are bound to be some sticky issues here.
4296 </para>
4298 <qandaset defaultlabel="chap06qa">
4299 <qandaentry>
4300 <question>
4302 <para>
4303 Why did you not cover secure practices? Isn't it rather irresponsible to instruct
4304 network administrators to implement insecure solutions?
4305 </para>
4307 </question>
4308 <answer>
4310 <para>
4311 Let's get this right. This is a book about Samba, not about OpenLDAP and secure
4312 communication protocols for subjects other than Samba. Earlier on, you note
4313 that the Dynamic DNS and DHCP solutions also used no protective secure communications
4314 protocols. The reason for this is simple: There are so many ways of implementing
4315 secure protocols that this book would have been even larger and more complex.
4316 </para>
4318 <para>
4319 The solutions presented here all work (at least they did for me). Network administrators
4320 have the interest and the need to be better trained and instructed in secure networking
4321 practices and ought to implement safe systems. I made the decision, right or wrong,
4322 to keep this material as simple as possible. The intent of this book is to demonstrate
4323 a working solution and not to discuss too many peripheral issues.
4324 </para>
4326 <para>
4327 This book makes little mention of backup techniques. Does that mean that I am recommending
4328 that you should implement a network without provision for data recovery and for disaster
4329 management? Back to our focus: The deployment of Samba has been clearly demonstrated.
4330 </para>
4332 </answer>
4333 </qandaentry>
4335 <qandaentry>
4336 <question>
4338 <para>
4339 You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
4340 you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
4341 to the Linux I might be using?
4342 </para>
4344 </question>
4345 <answer>
4347 <para>
4348 Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
4349 for a standard Linux distribution. The differences are marginal. Surely you know
4350 your Linux platform and you do have access to administration manuals for it. This
4351 book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
4352 the Samba part of the book; all the other bits are peripheral (but important) to
4353 creation of a total network solution.
4354 </para>
4356 <para>
4357 What I find interesting is the attention reviewers give to Linux installation and to
4358 the look and feel of the desktop, but does that make for a great server? In this book,
4359 I have paid particular attention to the details of creating a whole solution framework.
4360 I have not tightened every nut and bolt, but I have touched on all the issues you
4361 need to be familiar with. Over the years many people have approached me wanting to
4362 know the details of exactly how to implement a DHCP and Dynamic DNS server with Samba
4363 and WINS. In this chapter, it is plain to see what needs to be configured to provide
4364 transparent interoperability. Likewise for CUPS and Samba interoperation. These are
4365 key stumbling areas for many people.
4366 </para>
4368 <para>
4369 At every critical junction, I have provided comparative guidance for both SUSE and
4370 Red Hat Linux. Both manufacturers have done a great job in furthering the cause
4371 of open source software. I favor neither and respect both. I like particular
4372 features of both products (companies also). No bias in presentation is intended.
4373 Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
4374 </para>
4376 </answer>
4377 </qandaentry>
4379 <qandaentry>
4380 <question>
4382 <para>
4383 You did not use SWAT to configure Samba. Is there something wrong with it?
4384 </para>
4386 </question>
4387 <answer>
4389 <para>
4390 That is a good question. As it is, the &smb.conf; file configurations are presented
4391 in as direct a format as possible. Adding SWAT into the equation would have complicated
4392 matters. I sought simplicity of implementation. The fact is that I did use SWAT to
4393 create the files in the first place.
4394 </para>
4396 <para>
4397 There are people in the Linux and open source community who feel that SWAT is dangerous
4398 and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
4399 hope to have brought their interests on board. SWAT is well covered is <emphasis>TOSHARG</emphasis>.
4400 </para>
4402 </answer>
4403 </qandaentry>
4405 <qandaentry>
4406 <question>
4408 <para>
4409 You have exposed a well-used password <emphasis>not24get</emphasis>. Is that
4410 not irresponsible?
4411 </para>
4413 </question>
4414 <answer>
4416 <para>
4417 Well, I had to use a password of some sort. At least this one has been consistently
4418 used throughout. I guess you can figure out that in a real deployment it would make
4419 sense to use a more secure and original password.
4420 </para>
4422 </answer>
4423 </qandaentry>
4425 <qandaentry>
4426 <question>
4428 <para>
4429 The Idealx smbldap-tools create many domain group accounts that are not used. Is that
4430 a good thing?
4431 </para>
4433 </question>
4434 <answer>
4436 <para>
4437 I took this up with Idealx and found them most willing to change that in the next version.
4438 Let's give Idealx some credit for the contribution they have made. I appreciate their work
4439 and, besides, it does no harm to create accounts that are not now used as at some time
4440 Samba may well use them.
4441 </para>
4443 </answer>
4444 </qandaentry>
4446 <qandaentry>
4447 <question>
4449 <para>
4450 Can I use LDAP just for Samba accounts and not for UNIX system accounts?
4451 </para>
4453 </question>
4454 <answer>
4456 <para>
4457 Yes, you can do that for user accounts only. Samba requires there to be a Posix (UNIX)
4458 group account for every Windows Domain group account. But if you put your users into
4459 the system password account, how do you plan to keep all domain controller system
4460 password files in sync? I think that having everything in LDAP makes a lot of sense
4461 for the UNIX admin who is still learning the craft and is migrating from MS Windows.
4462 </para>
4464 </answer>
4465 </qandaentry>
4467 <qandaentry>
4468 <question>
4470 <para>
4471 Why are the Windows Domain RID portions not the same as the UNIX UID?
4472 </para>
4474 </question>
4475 <answer>
4477 <para>
4478 Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
4479 This algorithm ought to ensure that there will be no clashes with well-known RIDs.
4480 Well-known RIDs have special significance to MS Windows clients. The automatic
4481 assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
4482 permit you to override that to some extent. See the &smb.conf; man page entry
4483 for <parameter>algorithmic rid base</parameter>.
4484 </para>
4486 </answer>
4487 </qandaentry>
4489 <qandaentry>
4490 <question>
4492 <para>
4493 Printer configuration examples all show printing to the HP port 9100. Does this
4494 mean that I must have HP printers for these solutions to work?
4495 </para>
4497 </question>
4498 <answer>
4500 <para>
4501 No. You can use any type of printer and must use the interfacing protocol supported
4502 by the printer. Many networks use LPR/LPD print servers to which are attached
4503 PCL printers, InkJet printers, plotters, and so on. At home I use a USB attached
4504 Inkjet printer. Use the appropriate device URI (Universal Resource Interface)
4505 argument to the <constant>lpadmin -v</constant> option that is right for your
4506 printer.
4507 </para>
4509 </answer>
4510 </qandaentry>
4512 <qandaentry>
4513 <question>
4515 <para>
4516 Is folder redirection dangerous? I've heard that you can lose your data that way.
4517 </para>
4519 </question>
4520 <answer>
4522 <para>
4523 The only loss of data I know of that involved folder redirection was caused by
4524 manual misuse of the redirection tool. The administrator redirected a folder to
4525 a network drive and said he wanted to migrate (move) the data over. Then he
4526 changed his mind, so he moved the folder back to the roaming profile. This time,
4527 he declined to move the data because he thought it was still in the local profile
4528 folder. That was not the case, so by declining to move the data back, he wiped out
4529 the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
4530 </para>
4532 </answer>
4533 </qandaentry>
4535 <qandaentry>
4536 <question>
4538 <para>
4539 Is it really necessary to set a local Group Policy to exclude the redirected
4540 folders from the roaming profile?
4541 </para>
4543 </question>
4544 <answer>
4546 <para>
4547 Yes. If you do not do this, the data will still be copied from the network folder
4548 (share) to the local cached copy of the profile.
4549 </para>
4551 </answer>
4552 </qandaentry>
4554 </qandaset>
4556 </sect1>
4558 </chapter>