| blob | 0940f4da416a76b51c0ec44a55a6933f2249f58f |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE appendix PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
4 <appendix id="appendix">
5 <title>Appendix: A Collection of Useful Tid-bits</title>
7 <para><indexterm>
8 <primary>material</primary>
9 </indexterm><indexterm>
10 <primary>domain</primary>
11 <secondary>joining</secondary>
12 </indexterm>
13 Information presented here is considered to be either basic or well-known material that is informative
14 yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
15 the process for joining a Windows client to a Samba-controlled Windows Domain may somehow involve steps
16 different from doing so with Windows NT4 or a Windows ADS Domain. Be assured that the steps are identical,
17 as shown in the example given below.
18 </para>
20 <sect1 id="domjoin">
21 <title>Joining a Domain: Windows 200x/XP Professional</title>
23 <para><indexterm>
24 <primary>joining a domain</primary>
25 </indexterm>
26 Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
27 This section steps through the process for making a Windows 200x/XP Professional machine a
28 member of a Domain Security environment. It should be noted that this process is identical
29 when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC.
30 </para>
32 <procedure>
33 <title>Steps to Join a Domain</title>
35 <step><para>
36 Click <guimenu>Start</guimenu>.
37 </para></step>
39 <step><para>
40 Right-click <guimenu>My Computer</guimenu>, and then select <guimenuitem>Properties</guimenuitem>.
41 </para></step>
43 <step><para>
44 The opening panel is the same one that can be reached by clicking <guimenu>System</guimenu> on the Control Panel.
45 See <link linkend="swxpp001"></link>.
46 <image id="swxpp001"><imagefile>wxpp001</imagefile><imagedescription>The General Panel.</imagedescription></image>
47 </para></step>
49 <step><para>
50 Click the <guimenu>Computer Name</guimenu> tab.
51 This panel shows the <guimenuitem>Computer Description</guimenuitem>, the <guimenuitem>Full computer name</guimenuitem>,
52 and the <guimenuitem>Workgroup</guimenuitem> or <guimenuitem>Domain name</guimenuitem>.
53 </para>
55 <para>
56 Clicking the <guimenu>Network ID</guimenu> button launches the configuration wizard. Do not use this with
57 Samba-3. If you wish to change the computer name, or join or leave the domain, click the <guimenu>Change</guimenu> button.
58 See <link linkend="swxpp004"></link>.
59 <image id="swxpp004"><imagefile>wxpp004</imagefile><imagedescription>The Computer Name Panel.</imagedescription></image>
60 </para></step>
62 <step><para>
63 Click on <guimenu>Change</guimenu>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP.
64 We join the domain called MIDEARTH. See <link linkend="swxpp006"></link>.
65 <image id="swxpp006"><imagefile>wxpp006</imagefile><imagedescription>The Computer Name Changes Panel</imagedescription></image>
66 </para></step>
68 <step><para>
69 Enter the name <guimenu>MIDEARTH</guimenu> in the field below the Domain radio button.
70 </para>
72 <para>
73 This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <link linkend="swxpp007"></link>.
74 <image id="swxpp007"><imagefile>wxpp007</imagefile><imagedescription>The Computer Name Changes Panel &smbmdash; Domain MIDEARTH</imagedescription></image>
75 </para></step>
77 <step><para>
78 Now click the <guimenu>OK</guimenu> button. A dialog box should appear to allow you to provide the credentials (username and password)
79 of a Domain administrative account that has the rights to add machines to the Domain.
80 </para>
82 <para>
83 Enter the name <quote>root</quote> and the root password from your Samba-3 server. See <link linkend="swxpp008"></link>.
84 <image id="swxpp008"><imagefile>wxpp008</imagefile><imagedescription>Computer Name Changes &smbmdash; User name and Password Panel</imagedescription></image>
85 </para></step>
87 <step><para>
88 Click <guimenu>OK</guimenu>.
89 </para>
91 <para>
92 The <quote>Welcome to the MIDEARTH domain</quote> dialog box should appear. At this point, the machine must be rebooted.
93 Joining the domain is now complete.
94 </para></step>
96 </procedure>
98 <para><indexterm>
99 <primary>Active Directory</primary>
100 </indexterm><indexterm>
101 <primary>DNS</primary>
102 </indexterm>
103 The screen capture shown in <link linkend="swxpp007"/> has a button labeled <guimenu>More...</guimenu>. This button opens a
104 panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
105 of Microsoft Active Directory. Active Directory is heavily oriented around the DNS name space.
106 </para>
108 <para><indexterm>
109 <primary>Netlogon</primary>
110 </indexterm><indexterm>
111 <primary>DNS</primary><secondary>dynamic</secondary>
112 </indexterm>
113 Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
114 register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
115 to find the services (like which machines are Domain Controllers or which machines have the Netlogon service running).
116 </para>
118 <para><indexterm>
119 <primary>DNS</primary>
120 <secondary>suffix</secondary>
121 </indexterm>
122 The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
123 this does not affect Domain Membership, but it can break network browsing and the ability to resolve your computer name to
124 a valid IP address.
125 </para>
127 <para>
128 The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
129 Where the client is a member of a Samba Domain, it is preferable to leave this field blank.
130 </para>
132 <para><indexterm>
133 <primary>Group Policy</primary>
134 </indexterm>
135 According to Microsoft documentation, <quote>If this computer belongs to a group with <constant>Group Policy</constant>
136 enabled on <command>Primary DNS suffice of this computer</command>, the string specified in the Group Policy is used
137 as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
138 used only if Group Policy is disabled or unspecified.</quote>
139 </para>
141 </sect1>
143 <sect1>
144 <title>Samba System File Location</title>
146 <para><indexterm>
147 <primary>default installation</primary>
148 </indexterm><indexterm>
149 <primary>/usr/local/samba</primary>
150 </indexterm><indexterm>
151 <primary>/usr/local</primary>
152 </indexterm>
153 One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team
154 build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is
155 in the <filename>/usr/local/samba</filename> directory. This is a perfectly reasonable location, particularly given all the other
156 Open Source software that installs into the <filename>/usr/local</filename> subdirectories.
157 </para>
159 <para>
160 Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team
161 default.
162 </para>
164 <para><indexterm>
165 <primary>Free Standards Group</primary>
166 <see>FSG</see>
167 </indexterm><indexterm>
168 <primary>FSG</primary>
169 </indexterm><indexterm>
170 <primary>Linux Standards Base</primary>
171 <see>LSB</see>
172 </indexterm><indexterm>
173 <primary>LSB</primary>
174 </indexterm><indexterm>
175 <primary>File Hierarchy System</primary>
176 <see>FHS</see>
177 </indexterm><indexterm>
178 <primary>FHS</primary>
179 </indexterm><indexterm>
180 <primary>file locations</primary>
181 </indexterm><indexterm>
182 <primary>/etc/samba</primary>
183 </indexterm><indexterm>
184 <primary>/usr/sbin</primary>
185 </indexterm><indexterm>
186 <primary>/usr/bin</primary>
187 </indexterm><indexterm>
188 <primary>/usr/share</primary>
189 </indexterm><indexterm>
190 <primary>/usr/share/swat</primary>
191 </indexterm><indexterm>
192 <primary>/usr/lib/samba</primary>
193 </indexterm><indexterm>
194 <primary>/usr/share/samba/swat</primary>
195 </indexterm><indexterm>
196 <primary>SWAT</primary>
197 </indexterm><indexterm>
198 <primary>VFS modules</primary>
199 </indexterm>
200 Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy
201 System (FHS), have elected to locate the configuration files under the <filename>/etc/samba</filename> directory, common binary
202 files (those used by users) in the <filename>/usr/bin</filename> directory, and the administrative files (daemons) in the
203 <filename>/usr/sbin</filename> directory. Support files for the Samba Web Admin Tool (SWAT) are located under the
204 <filename>/usr/share</filename> directory, either in <filename>/usr/share/samba/swat</filename> or in
205 <filename>/usr/share/swat</filename>. There are additional support files for <command>smbd</command> in the
206 <filename>/usr/lib/samba</filename> directory tree. The files located there include the dynamically loadable modules for the
207 passdb backend as well as for the VFS modules.
208 </para>
210 <para><indexterm>
211 <primary>/var/lib/samba</primary>
212 </indexterm><indexterm>
213 <primary>/var/log/samba</primary>
214 </indexterm><indexterm>
215 <primary>run-time control files</primary>
216 </indexterm>
217 Samba creates run-time control files and generates log files. The run-time control files (tdb and dat files) are stored in
218 the <filename>/var/lib/samba</filename> directory. Log files are created in <filename>/var/log/samba.</filename>
219 </para>
221 <para>
222 When Samba is built and installed using the default Samba Team process, all files are located under the
223 <filename>/usr/local/samba</filename> directory tree. This makes it simple to find the files that Samba owns.
224 </para>
226 <para><indexterm>
227 <primary>smbd</primary>
228 <secondary>location of files</secondary>
229 </indexterm>
230 One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location
231 of all files called <command>smbd</command>. Here is an example:
232 <screen>
233 &rootprompt; find / -name smbd -print
234 </screen>
235 You can find the location of the configuration files by running:
236 <screen>
237 &rootprompt; /path-to-binary-file/smbd -b | more
238 ...
239 Paths:
240 SBINDIR: /usr/sbin
241 BINDIR: /usr/bin
242 SWATDIR: /usr/share/samba/swat
243 CONFIGFILE: /etc/samba/smb.conf
244 LOGFILEBASE: /var/log/samba
245 LMHOSTSFILE: /etc/samba/lmhosts
246 LIBDIR: /usr/lib/samba
247 SHLIBEXT: so
248 LOCKDIR: /var/lib/samba
249 PIDDIR: /var/run/samba
250 SMB_PASSWD_FILE: /etc/samba/smbpasswd
251 PRIVATE_DIR: /etc/samba
252 ...
253 </screen>
254 If you wish to locate the Samba version, just run:
255 <screen>
256 &rootprompt; /path-to-binary-file/smbd -V
257 Version 3.0.20-SUSE
258 </screen>
259 </para>
261 <para>
262 Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
263 by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by
264 executing:<indexterm>
265 <primary>rpm</primary>
266 </indexterm>
267 <screen>
268 &rootprompt; rpm -qa | grep samba
269 samba3-pdb-3.0.20-1
270 samba3-vscan-0.3.6-0
271 samba3-winbind-3.0.20-1
272 samba3-3.0.20-1
273 samba3-python-3.0.20-1
274 samba3-utils-3.0.20-1
275 samba3-doc-3.0.20-1
276 samba3-client-3.0.20-1
277 samba3-cifsmount-3.0.20-1
278 </screen><indexterm>
279 <primary>package names</primary>
280 </indexterm>
281 The package names, of course, vary according to how the vendor, or the binary package builder, prepared them.
282 </para>
284 </sect1>
286 <sect1>
287 <title>Starting Samba</title>
289 <para><indexterm>
290 <primary>daemon</primary>
291 </indexterm>
292 Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
293 An example of a service is the Apache Web server for which the daemon is called <command>httpd</command>. In the case of Samba, there
294 are three daemons, two of which are needed as a minimum.
295 </para>
297 <para>
298 The Samba server is made up of the following daemons:
299 </para>
301 <example id="ch12SL">
302 <title>A Useful Samba Control Script for SUSE Linux</title>
303 <screen>
304 #!/bin/bash
305 #
306 # Script to start/stop samba
307 # Locate this in /sbin as a file called 'samba'
309 RCD=/etc/rc.d
311 if [ z$1 == 'z' ]; then
312 echo $0 - No arguments given; must be start or stop.
313 exit
314 fi
316 if [ $1 == 'start' ]; then
317 ${RCD}/nmb start
318 ${RCD}/smb start
319 ${RCD}/winbind start
321 fi
322 if [ $1 == 'stop' ]; then
323 ${RCD}/smb stop
324 ${RCD}/winbind stop
325 ${RCD}/nmb stop
326 fi
327 if [ $1 == 'restart' ]; then
328 ${RCD}/smb stop
329 ${RCD}/winbind stop
330 ${RCD}/nmb stop
331 sleep 5
332 ${RCD}/nmb start
333 ${RCD}/smb start
334 ${RCD}/winbind start
335 fi
336 exit 0
337 </screen>
338 </example>
340 <variablelist>
341 <varlistentry><term>nmbd</term>
342 <listitem><para>
343 <indexterm><primary>smbd</primary></indexterm>
344 <indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm>
345 This daemon handles all name registration and resolution requests. It is the primary vehicle involved
346 in network browsing. It handles all UDP-based protocols. The <command>nmbd</command> daemon should
347 be the first command started as part of the Samba startup process.
348 </para></listitem>
349 </varlistentry>
351 <varlistentry><term>smbd</term>
352 <listitem><para>
353 <indexterm><primary>nmbd</primary></indexterm>
354 <indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm>
355 This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
356 manages local authentication. It should be started immediately following the startup of <command>nmbd</command>.
357 </para></listitem>
358 </varlistentry>
360 <varlistentry><term>winbindd</term>
361 <listitem><para>
362 <indexterm><primary>winbindd</primary></indexterm>
363 <indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
364 This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. IT is also needed when
365 Samba has trust relationships with another Domain. The <command>winbindd</command> daemon will check the
366 &smb.conf; file for the presence of the <parameter>idmap uid</parameter> and <parameter>idmap gid</parameter>
367 parameters. If they are not found, <command>winbindd</command> bails out and refuses to start.
368 </para></listitem>
369 </varlistentry>
370 </variablelist>
372 <para>
373 When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its
374 integration into the platform as a whole. Please refer to your operating system platform administration manuals for
375 specific information pertaining to correct management of Samba startup.
376 </para>
378 <example id="ch12RHscript">
379 <title>A Sample Samba Control Script for Red Hat Linux</title>
380 <screen>
381 #!/bin/sh
382 #
383 # chkconfig: 345 81 35
384 # description: Starts and stops the Samba smbd and nmbd daemons \
385 # used to provide SMB network services.
387 # Source function library.
388 . /etc/rc.d/init.d/functions
389 # Source networking configuration.
390 . /etc/sysconfig/network
391 # Check that networking is up.
392 [ ${NETWORKING} = "no" ] && exit 0
393 CONFIG=/etc/samba/smb.conf
394 # Check that smb.conf exists.
395 [ -f $CONFIG ] || exit 0
397 # See how we were called.
398 case "$1" in
399 start)
400 echo -n "Starting SMB services: "
401 daemon smbd -D; daemon nmbd -D; echo;
402 touch /var/lock/subsys/smb
403 ;;
404 stop)
405 echo -n "Shutting down SMB services: "
406 smbdpids=`ps guax | grep smbd | grep -v grep | awk '{print $2}'`
407 for pid in $smbdpids; do
408 kill -TERM $pid
409 done
410 killproc nmbd -TERM; rm -f /var/lock/subsys/smb
411 echo ""
412 ;;
413 status)
414 status smbd; status nmbd;
415 ;;
416 restart)
417 echo -n "Restarting SMB services: "
418 $0 stop; $0 start;
419 echo "done."
420 ;;
421 *)
422 echo "Usage: smb {start|stop|restart|status}"
423 exit 1
424 esac
425 </screen>
426 </example>
428 <para><indexterm>
429 <primary>samba control script</primary>
430 </indexterm>
431 SUSE Linux implements individual control over each Samba daemon. A samba control script that can be conveniently
432 executed from the command line is shown in <link linkend="ch12SL"/>. This can be located in the directory
433 <filename>/sbin</filename> in a file called <filename>samba</filename>. This type of control script should be
434 owned by user root and group root, and set so that only root can execute it.
435 </para>
437 <para><indexterm>
438 <primary>startup script</primary>
439 </indexterm>
440 A sample startup script for a Red Hat Linux system is shown in <link linkend="ch12RHscript"/>.
441 This file could be located in the directory <filename>/etc/rc.d</filename> and can be called
442 <filename>samba</filename>. A similar startup script is required to control <command>winbind</command>.
443 If you want to find more information regarding startup scripts please refer to the packaging section of
444 the Samba source code distribution tarball. The packaging files for each platform include a
445 startup control file.
446 </para>
448 </sect1>
450 <sect1>
451 <title>DNS Configuration Files</title>
453 <para>
454 The following files are common to all DNS server configurations. Rather than repeat them multiple times, they
455 are presented here for general reference.
456 </para>
458 <sect2>
459 <title>The Forward Zone File for the Loopback Adaptor</title>
461 <para>
462 The forward zone file for the loopback address never changes. An example file is shown
463 in <link linkend="loopback"/>. All traffic destined for an IP address that is hosted on a
464 physical interface on the machine itself is routed to the loopback adaptor. This is
465 a fundamental design feature of the TCP/IP protocol implementation. The loopback adaptor
466 is called <constant>localhost</constant>.
467 </para>
469 <example id="loopback">
470 <title>DNS Localhost Forward Zone File: <filename>/var/lib/named/localhost.zone</filename></title>
471 <screen>
472 $TTL 1W
473 @ IN SOA @ root (
474 42 ; serial
475 2D ; refresh
476 4H ; retry
477 6W ; expiry
478 1W ) ; minimum
480 IN NS @
481 IN A 127.0.0.1
482 </screen>
483 </example>
485 </sect2>
487 <sect2>
488 <title>The Reverse Zone File for the Loopback Adaptor</title>
490 <para>
491 The reverse zone file for the loopback address as shown in <link linkend="dnsloopy"/>
492 is necessary so that references to the address <constant>127.0.0.1</constant> can be
493 resolved to the correct name of the interface.
494 </para>
496 <example id="dnsloopy">
497 <title>DNS Localhost Reverse Zone File: <filename>/var/lib/named/127.0.0.zone</filename></title>
498 <screen>
499 $TTL 1W
500 @ IN SOA localhost. root.localhost. (
501 42 ; serial
502 2D ; refresh
503 4H ; retry
504 6W ; expiry
505 1W ) ; minimum
507 IN NS localhost.
508 1 IN PTR localhost.
509 </screen>
510 </example>
512 <example id="roothint">
513 <title>DNS Root Name Server Hint File: <filename>/var/lib/named/root.hint</filename></title>
514 <screen>
515 ; This file is made available by InterNIC under anonymous FTP as
516 ; file /domain/named.root
517 ; on server FTP.INTERNIC.NET
518 ; last update: Nov 5, 2002. Related version of root zone: 2002110501
519 ; formerly NS.INTERNIC.NET
520 . 3600000 IN NS A.ROOT-SERVERS.NET.
521 A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
522 ; formerly NS1.ISI.EDU
523 . 3600000 NS B.ROOT-SERVERS.NET.
524 B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
525 ; formerly C.PSI.NET
526 . 3600000 NS C.ROOT-SERVERS.NET.
527 C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
528 ; formerly TERP.UMD.EDU
529 . 3600000 NS D.ROOT-SERVERS.NET.
530 D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
531 ; formerly NS.NASA.GOV
532 . 3600000 NS E.ROOT-SERVERS.NET.
533 E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
534 ; formerly NS.ISC.ORG
535 . 3600000 NS F.ROOT-SERVERS.NET.
536 F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
537 ; formerly NS.NIC.DDN.MIL
538 . 3600000 NS G.ROOT-SERVERS.NET.
539 G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
540 ; formerly AOS.ARL.ARMY.MIL
541 . 3600000 NS H.ROOT-SERVERS.NET.
542 H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
543 ; formerly NIC.NORDU.NET
544 . 3600000 NS I.ROOT-SERVERS.NET.
545 I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
546 ; operated by VeriSign, Inc.
547 . 3600000 NS J.ROOT-SERVERS.NET.
548 J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
549 ; housed in LINX, operated by RIPE NCC
550 . 3600000 NS K.ROOT-SERVERS.NET.
551 K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
552 ; operated by IANA
553 . 3600000 NS L.ROOT-SERVERS.NET.
554 L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
555 ; housed in Japan, operated by WIDE
556 . 3600000 NS M.ROOT-SERVERS.NET.
557 M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
558 ; End of File
559 </screen>
560 </example>
561 </sect2>
563 <sect2>
564 <title>DNS Root Server Hint File</title>
566 <para>
567 The content of the root hints file as shown in <link linkend="roothint"/> changes slowly over time.
568 Periodically this file should be updated from the source shown. Because
569 of its size this file is located at the end of this appendix.
570 </para>
572 </sect2>
574 </sect1>
576 <sect1 id="altldapcfg">
577 <title>Alternative LDAP Database Initialization</title>
579 <para><indexterm>
580 <primary>LDAP</primary>
581 <secondary>database</secondary>
582 </indexterm><indexterm>
583 <primary>LDAP</primary>
584 <secondary>initial configuration</secondary>
585 </indexterm>
586 The following procedure may be used as an alternative means of configuring
587 the initial LDAP database. Many administrators prefer to have greater control
588 over how system files get configured.
589 </para>
591 <sect2>
592 <title>Initialization of the LDAP Database</title>
594 <para><indexterm>
595 <primary>LDIF</primary>
596 </indexterm><indexterm>
597 <primary>Domain Groups</primary>
598 <secondary>well-known</secondary>
599 </indexterm><indexterm>
600 <primary>SID</primary>
601 </indexterm>
602 The first step to get the LDAP server ready for action is to create the LDIF file from
603 which the LDAP database will be pre-loaded. This is necessary to create the containers
604 into which the user, group, and so on, accounts is written. It is also necessary to
605 pre-load the well-known Windows NT Domain Groups, as they must have the correct SID so
606 that they can be recognized as special NT Groups by the MS Windows clients.
607 </para>
609 <procedure id="ldapinit">
610 <title>LDAP Directory Pre-Load Steps</title>
612 <step><para>
613 Create a directory in which to store the files you use to generate
614 the LDAP LDIF file for your system. Execute the following:
615 <screen>
616 &rootprompt; mkdir /etc/openldap/SambaInit
617 &rootprompt; chown root.root /etc/openldap/SambaInit
618 &rootprompt; chmod 700 /etc/openldap/SambaInit
619 </screen>
620 </para></step>
622 <step><para>
623 Install the files shown in <link linkend="sbehap-ldapreconfa"/>, <link linkend="sbehap-ldapreconfb"/>,
624 and <link linkend="sbehap-ldapreconfc"/> into the directory
625 <filename>/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh.</filename> These three files are,
626 respectively, Part A, B, and C of the <filename>SMBLDAP-ldif-preconfig.sh</filename> file.
627 </para></step>
629 <step><para>
630 Install the files shown in <link linkend="sbehap-ldifpata"/> and <link linkend="sbehap-ldifpatb"/> into the directory
631 <filename>/etc/openldap/SambaInit/nit-ldif.pat.</filename> These two files are
632 Part A and B, respectively, of the <filename>init-ldif.pat</filename> file.
633 </para></step>
635 <step><para>
636 Change to the <filename>/etc/openldap/SambaInit</filename> directory. Execute the following:
637 <screen>
638 &rootprompt; ./SMBLDAP-ldif-preconfig.sh
640 How do you wish to refer to your organization?
641 Suggestions:
642 Black Tire Company, Inc.
643 Cat With Hat Ltd.
644 How would you like your organization name to appear?
645 Your organization name is: My Organization
646 Enter a new name is this is not what you want, press Enter to Continue.
647 Name [My Organization]: Abmas Inc.
649 Samba Config File Location [/etc/samba/smb.conf]:
650 Enter a new full path or press Enter to continue.
651 Samba Config File Location [/etc/samba/smb.conf]:
652 Domain Name: MEGANET2
653 Domain SID: S-1-5-21-3504140859-1010554828-2431957765
655 The name of your Internet domain is now needed in a special format
656 as follows, if your domain name is mydomain.org, what we need is
657 the information in the form of:
658 Domain ID: mydomain
659 Top level: org
660 If your fully qualified hostname is: snoopy.bazaar.garagesale.net
661 where "snoopy" is the name of the machine,
662 Then the information needed is:
663 Domain ID: garagesale
664 Top Level: net
666 Found the following domain name: abmas.biz
667 I think the bit we are looking for might be: abmas
668 Enter the domain name or press Enter to continue:
670 The top level organization name I will use is: biz
671 Enter the top level org name or press Enter to continue:
672 &rootprompt;
673 </screen>
674 This creates a file called <filename>MEGANET2.ldif</filename>.
675 </para></step>
677 <step><para>
678 It is now time to pre-load the LDAP database with the following
679 command:
680 <screen>
681 &rootprompt; slapadd -v -l MEGANET2.ldif
682 added: "dc=abmas,dc=biz" (00000001)
683 added: "cn=Manager,dc=abmas,dc=biz" (00000002)
684 added: "ou=People,dc=abmas,dc=biz" (00000003)
685 added: "ou=Computers,dc=abmas,dc=biz" (00000004)
686 added: "ou=Groups,dc=abmas,dc=biz" (00000005)
687 added: "ou=Domains,dc=abmas,dc=biz" (00000006)
688 added: "sambaDomainName=MEGANET2,ou=Domains,dc=abmas,dc=biz" (00000007)
689 added: "cn=domadmins,ou=Groups,dc=abmas,dc=biz" (00000008)
690 added: "cn=domguests,ou=Groups,dc=abmas,dc=biz" (00000009)
691 added: "cn=domusers,ou=Groups,dc=abmas,dc=biz" (0000000a)
692 </screen>
693 You should verify that the account information was correctly loaded by executing:
694 <screen>
695 &rootprompt; slapcat
696 dn: dc=abmas,dc=biz
697 objectClass: dcObject
698 objectClass: organization
699 dc: abmas
700 o: Abmas Inc.
701 description: Posix and Samba LDAP Identity Database
702 structuralObjectClass: organization
703 entryUUID: af552f8e-c4a1-1027-9002-9421e01bf474
704 creatorsName: cn=manager,dc=abmas,dc=biz
705 modifiersName: cn=manager,dc=abmas,dc=biz
706 createTimestamp: 20031217055747Z
707 modifyTimestamp: 20031217055747Z
708 entryCSN: 2003121705:57:47Z#0x0001#0#0000
709 ...
711 dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
712 objectClass: posixGroup
713 objectClass: sambaGroupMapping
714 gidNumber: 513
715 cn: domusers
716 sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
717 sambaGroupType: 2
718 displayName: Domain Users
719 description: Domain Users
720 structuralObjectClass: posixGroup
721 entryUUID: af7e98ba-c4a1-1027-900b-9421e01bf474
722 creatorsName: cn=manager,dc=abmas,dc=biz
723 modifiersName: cn=manager,dc=abmas,dc=biz
724 createTimestamp: 20031217055747Z
725 modifyTimestamp: 20031217055747Z
726 entryCSN: 2003121705:57:47Z#0x000a#0#0000
727 </screen>
728 </para></step>
730 <step><para>
731 Your LDAP database is ready for testing. You can now start the LDAP server
732 using the system tool for your Linux operating system. For SUSE Linux, you can
733 do this as follows:
734 <screen>
735 &rootprompt; rcldap start
736 </screen>
737 </para></step>
739 <step><para>
740 It is now a good idea to validate that the LDAP server is running correctly.
741 Execute the following:
742 <screen>
743 &rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
744 # extended LDIF
745 #
746 # LDAPv3
747 # base <dc=abmas,dc=biz> with scope sub
748 # filter: (ObjectClass=*)
749 # requesting: ALL
750 #
752 # abmas.biz
753 dn: dc=abmas,dc=biz
754 objectClass: dcObject
755 objectClass: organization
756 dc: abmas
757 o: Abmas Inc.
758 description: Posix and Samba LDAP Identity Database
759 ...
760 # domusers, Groups, abmas.biz
761 dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
762 objectClass: posixGroup
763 objectClass: sambaGroupMapping
764 gidNumber: 513
765 cn: domusers
766 sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
767 sambaGroupType: 2
768 displayName: Domain Users
769 description: Domain Users
771 # search result
772 search: 2
773 result: 0 Success
775 # numResponses: 11
776 # numEntries: 10
777 </screen>
778 Your LDAP server is ready for creation of additional accounts.
779 </para></step>
780 </procedure>
782 </sect2>
784 <example id="sbehap-ldapreconfa">
785 <title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part A</title>
786 <screen>
787 #!/bin/bash
788 #
789 # This script prepares the ldif LDAP load file only
790 #
792 # Pattern File Name
793 file=init-ldif.pat
795 # The name of my organization
796 ORGNAME="My Organization"
798 # My Internet domain. ie: if my domain is: buckets.org, INETDOMAIN="buckets"
799 INETDOMAIN="my-domain"
801 # In the above case, md domain is: buckets.org, TLDORG="org"
802 TLDORG="org"
804 # This is the Samba Domain/Workgroup Name
805 DOMNAME="MYWORKGROUP"
807 #
808 # Here We Go ...
809 #
811 cat <<EOF
813 How do you wish to refer to your organization?
815 Suggestions:
816 Black Tire Company, Inc.
817 Cat With Hat Ltd.
819 How would you like your organization name to appear?
821 EOF
823 echo "Your organization name is: $ORGNAME"
824 echo
825 echo "Enter a new name or, press Enter to Continue."
826 echo
827 </screen>
828 </example>
830 <example id="sbehap-ldapreconfb">
831 <title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part B</title>
832 <screen>
833 echo -e -n "Name [$ORGNAME]: "
834 read name
836 if [ ! -z "$name" ]; then
837 ORGNAME=${name}
838 fi
839 echo
840 sed "s/ORGNAME/${ORGNAME}/g" < $file > $file.tmp1
842 # Try to find smb.conf
844 if [ -e /usr/local/samba/lib/smb.conf ]; then
845 CONF=/usr/local/samba/lib/smb.conf
846 elif [ -e /etc/samba/smb.conf ]; then
847 CONF=/etc/samba/smb.conf
848 fi
850 echo "Samba Config File Location [$CONF]: "
851 echo
852 echo "Enter a new full path or press Enter to continue."
853 echo
854 echo -n "Samba Config File Location [$CONF]: "
855 read name
856 if [ ! -z "$name" ]; then
857 CONF=$name
858 fi
859 echo
861 # Find the name of our Domain/Workgroup
862 DOMNAME=`grep -i workgroup ${CONF} | sed "s/ //g" | cut -f2 -d=`
863 echo Domain Name: $DOMNAME
864 echo
866 sed "s/DOMNAME/${DOMNAME}/g" < $file.tmp1 > $file.tmp2
868 DOMSID=`net getlocalsid ${DOMNAME} | cut -f2 -d: | sed "s/ //g"`
869 echo Domain SID: $DOMSID
871 sed "s/DOMSID/${DOMSID}/g" < $file.tmp2 > $file.tmp1
872 </screen>
873 </example>
875 <example id="sbehap-ldapreconfc">
876 <title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part C</title>
877 <screen>
878 cat >>EOL
879 The name of your Internet domain is now needed in a special format
880 as follows, if your domain name is mydomain.org, what we need is
881 the information in the form of:
882 Domain ID: mydomain
883 Top level: org
885 If your fully qualified hostname is: snoopy.bazaar.garagesale.net
886 where "snoopy" is the name of the machine,
887 Then the information needed is:
888 Domain ID: garagesale
889 Top Level: net
891 EOL
892 INETDOMAIN=`hostname -d | cut -f1 -d.`
893 echo Found the following domain name: `hostname -d`
894 echo "I think the bit we are looking for might be: $INETDOMAIN"
895 echo
896 echo -n "Enter the domain name or press Enter to continue: "
897 read domnam
898 if [ ! -z $domnam ]; then
899 INETDOMAIN=$domnam
900 fi
901 echo
902 sed "s/INETDOMAIN/${INETDOMAIN}/g" < $file.tmp1 > $file.tmp2
903 TLDORG=`hostname -d | sed "s/${INETDOMAIN}.//g"`
904 echo "The top level organization name I will use is: ${TLDORG}"
905 echo
906 echo -n "Enter the top level org name or press Enter to continue: "
907 read domnam
908 if [ ! -z $domnam ]; then
909 TLDORG=$domnam
910 fi
911 sed "s/TLDORG/${TLDORG}/g" < $file.tmp2 > $DOMNAME.ldif
912 rm $file.tmp*
913 exit 0
914 </screen>
915 </example>
917 <example id="sbehap-ldifpata">
918 <title>LDIF Pattern File Used to Pre-configure LDAP &smbmdash; Part A</title>
919 <screen>
920 dn: dc=INETDOMAIN,dc=TLDORG
921 objectClass: dcObject
922 objectClass: organization
923 dc: INETDOMAIN
924 o: ORGNAME
925 description: Posix and Samba LDAP Identity Database
927 dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG
928 objectClass: organizationalRole
929 cn: Manager
930 description: Directory Manager
932 dn: ou=People,dc=INETDOMAIN,dc=TLDORG
933 objectClass: top
934 objectClass: organizationalUnit
935 ou: People
937 dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG
938 objectClass: top
939 objectClass: organizationalUnit
940 ou: Computers
942 dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG
943 objectClass: top
944 objectClass: organizationalUnit
945 ou: Groups
947 dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG
948 objectClass: top
949 objectClass: organizationalUnit
950 ou: Idmap
952 dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG
953 objectClass: sambaDomain
954 sambaDomainName: DOMNAME
955 sambaSID: DOMSID
956 sambaAlgorithmicRidBase: 1000
957 structuralObjectClass: sambaDomain
958 </screen>
959 </example>
961 <example id="sbehap-ldifpatb">
962 <title>LDIF Pattern File Used to Pre-configure LDAP &smbmdash; Part B</title>
963 <screen>
964 dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG
965 objectClass: posixGroup
966 objectClass: sambaGroupMapping
967 gidNumber: 512
968 cn: domadmins
969 sambaSID: DOMSID-512
970 sambaGroupType: 2
971 displayName: Domain Admins
972 description: Domain Administrators
974 dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG
975 objectClass: posixGroup
976 objectClass: sambaGroupMapping
977 gidNumber: 514
978 cn: domguests
979 sambaSID: DOMSID-514
980 sambaGroupType: 2
981 displayName: Domain Guests
982 description: Domain Guests Users
984 dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG
985 objectClass: posixGroup
986 objectClass: sambaGroupMapping
987 gidNumber: 513
988 cn: domusers
989 sambaSID: DOMSID-513
990 sambaGroupType: 2
991 displayName: Domain Users
992 description: Domain Users
993 </screen>
994 </example>
996 </sect1>
998 <sect1>
999 <title>The LDAP Account Manager</title>
1001 <para><indexterm>
1002 <primary>LAM</primary>
1003 </indexterm><indexterm>
1004 <primary>LDAP Account Manager</primary>
1005 <see>LAM</see>
1006 </indexterm><indexterm>
1007 <primary>PHP</primary>
1008 </indexterm><indexterm>
1009 <primary>unencrypted</primary>
1010 </indexterm><indexterm>
1011 <primary>SSL</primary>
1012 </indexterm><indexterm>
1013 <primary>Posix</primary>
1014 </indexterm><indexterm>
1015 <primary>accounts</primary><secondary>manage</secondary>
1016 </indexterm>
1017 The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
1018 LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
1019 server either using unencrypted connections or via SSL. LAM can be used to manage
1020 Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines
1021 (hosts).
1022 </para>
1024 <para>
1025 LAM is available from the <ulink url="http://sourceforge.net/projects/lam/">LAM</ulink>
1026 home page and from its mirror sites. LAM has been released under the GNU GPL version 2.
1027 The current version of LAM is 0.4.3. Release of version 0.5 is expected some time early
1028 in 2004.
1029 </para>
1031 <para><indexterm>
1032 <primary>PHP4</primary>
1033 </indexterm><indexterm>
1034 <primary>OpenLDAP</primary>
1035 </indexterm><indexterm>
1036 <primary>Perl</primary>
1037 </indexterm>
1038 Requirements:
1039 </para>
1041 <itemizedlist>
1042 <listitem><para>A web server that will work with PHP4.</para></listitem>
1043 <listitem><para>PHP4 (available from the <ulink url="http://www.php.net/">
1044 PHP</ulink> home page.)</para></listitem>
1045 <listitem><para>OpenLDAP 2.0 or later.</para></listitem>
1046 <listitem><para>A Web browser that supports CSS.</para></listitem>
1047 <listitem><para>Perl.</para></listitem>
1048 <listitem><para>The gettext package.</para></listitem>
1049 <listitem><para>mcrypt + mhash (optional since version 0.4.3).</para></listitem>
1050 <listitem><para>It is also a good idea to install SSL support.</para></listitem>
1051 </itemizedlist>
1053 <para>
1054 LAM is a useful tool that provides a simple Web-based device that can be used to
1055 manage the contents of the LDAP directory to:<indexterm>
1056 <primary>organizational units</primary>
1057 </indexterm><indexterm>
1058 <primary>operating profiles</primary>
1059 </indexterm><indexterm>
1060 <primary>account policies</primary>
1061 </indexterm>
1062 </para>
1064 <itemizedlist>
1065 <listitem><para>Display user/group/host and Domain entries.</para></listitem>
1066 <listitem><para>Manages entries (Add/Delete/Edit).</para></listitem>
1067 <listitem><para>Filter and sort entries.</para></listitem>
1068 <listitem><para>Set LAM administrator accounts.</para></listitem>
1069 <listitem><para>Store and use multiple operating profiles.</para></listitem>
1070 <listitem><para>Edit organizational units (OUs).</para></listitem>
1071 <listitem><para>Upload accounts from a file.</para></listitem>
1072 <listitem><para></para>Is compatible with Samba-2.2.x and Samba-3.</listitem>
1073 </itemizedlist>
1075 <para>
1076 When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba
1077 user, group, and windows domain member machine accounts.
1078 </para>
1080 <para><indexterm>
1081 <primary>default password</primary>
1082 </indexterm><indexterm>
1083 <primary>secure connections</primary>
1084 </indexterm><indexterm>
1085 <primary>LAM</primary>
1086 </indexterm><indexterm>
1087 <primary>SSL</primary>
1088 </indexterm>
1089 The default password is <quote>lam.</quote> It is highly recommended that you use only
1090 an SSL connection to your Web server for all remote operations involving LAM. If you
1091 want secure connections, you must configure your Apache Web server to permit connections
1092 to LAM using only SSL.
1093 </para>
1095 <procedure id="sbehap-laminst">
1096 <title>Apache Condiguration Steps for LAM</title>
1098 <step><para>
1099 Extract the LAM package with:
1100 <screen>
1101 &rootprompt; tar xzf ldap-account-manager_0.4.3.tar.gz
1102 </screen>
1103 Alternately, install the LAM RPM for your system using the following example for
1104 example:
1105 <screen>
1106 &rootprompt; rpm -Uvh ldap-account-manager-0.4.3-1.noarch.rpm
1107 </screen>
1108 </para></step>
1110 <step><para>
1111 Copy the extracted files to the document root directory of your Web server.
1112 For example, on SUSE Linux Enterprise Server 8, copy to the
1113 <filename>/srv/web/htdocs</filename> directory.
1114 </para></step>
1116 <step><para><indexterm>
1117 <primary>file permissions</primary>
1118 </indexterm>
1119 Set file permissions using the following commands:
1120 <screen>
1121 &rootprompt; chown -R wwwrun.www /srv/www/htdocs/lam
1122 &rootprompt; chmod 755 /srv/www/htdocs/lam/sess
1123 &rootprompt; chmod 755 /srv/www/htdocs/lam/tmp
1124 &rootprompt; chmod 755 /srv/www/htdocs/lam/config
1125 &rootprompt; chmod 755 /srv/www/htdocs/lam/lib/*pl
1126 </screen>
1127 </para></step>
1129 <step><para><indexterm>
1130 <primary>LAM</primary>
1131 <secondary>configuration file</secondary>
1132 </indexterm>
1133 Using your favorite editor create the following <filename>config.cfg</filename>
1134 LAM configuration file:
1135 <screen>
1136 &rootprompt; cd /srv/www/htdocs/lam/config
1137 &rootprompt; cp config.cfg_sample config.cfg
1138 &rootprompt; vi config.cfg
1139 </screen><indexterm>
1140 <primary>LAM</primary>
1141 <secondary>profile</secondary>
1142 </indexterm><indexterm>
1143 <primary>LAM</primary>
1144 <secondary>wizard</secondary>
1145 </indexterm>
1146 An example file is shown in <link linkend="lamcfg"/>.
1147 This is the minimum configuration that must be completed. The LAM profile
1148 file can be created using a convenient wizard that is part of the LAM
1149 configuration suite.
1150 </para></step>
1152 <step><para>
1153 Start your Web server then, using your Web browser, connect to
1154 <ulink url="http://localhost/lam">LAM</ulink> URL. Click on the
1155 the <parameter>Configuration Login</parameter> link then click on the
1156 Configuration Wizard link to begin creation of the default profile so that
1157 LAM can connect to your LDAP server. Alternately, copy the
1158 <filename>lam.conf_sample</filename> file to a file called
1159 <filename>lam.conf</filename> then, using your favorite editor,
1160 change the settings to match local site needs.
1161 </para></step>
1162 </procedure>
1164 <para><indexterm>
1165 <primary>pitfalls</primary>
1166 </indexterm>
1167 An example of a working file is shown here in <link linkend="lamconf"/>.
1168 This file has been stripped of comments to keep the size small. The comments
1169 and help information provided in the profile file that the wizard creates
1170 is very useful and will help many administrators to avoid pitfalls.
1171 Your configuration file obviously reflects the configuration options that
1172 are preferred at your site.
1173 </para>
1175 <para><indexterm>
1176 <primary>LAM</primary>
1177 <secondary>login screen</secondary>
1178 </indexterm>
1179 It is important that your LDAP server is running at the time that LAM is
1180 being configured. This permits you to validate correct operation.
1181 An example of the LAM login screen is provided in <link linkend="lam-login"/>.
1182 </para>
1184 <image id="lam-login">
1185 <imagedescription>The LDAP Account Manager Login Screen</imagedescription>
1186 <imagefile scale="50">lam-login</imagefile>
1187 </image>
1189 <para><indexterm>
1190 <primary>LAM</primary>
1191 <secondary>configuration editor</secondary>
1192 </indexterm>
1193 The LAM configuration editor has a number of options that must be managed correctly.
1194 An example of use of the LAM configuration editor is shown in <link linkend="lam-config"/>.
1195 It is important that you correctly set the minimum and maximum UID/GID values that are
1196 permitted for use at your site. The default values may not be compatible with a need to
1197 modify initial default account values for well-known Windows network users and groups.
1198 The best work-around is to temporarily set the minimum values to zero (0) to permit
1199 the initial settings to be made. Do not forget to reset these to sensible values before
1200 using LAM to add additional users and groups.
1201 </para>
1203 <image id="lam-config">
1204 <imagedescription>The LDAP Account Manager Configuration Screen</imagedescription>
1205 <imagefile scale="50">lam-config</imagefile>
1206 </image>
1208 <para><indexterm>
1209 <primary>PDF</primary>
1210 </indexterm>
1211 LAM has some nice, but unusual features. For example, one unexpected feature in most application
1212 screens permits the generation of a PDF file that lists configuration information. This is a well
1213 thought out facility. This option has been edited out of the following screen shots to conserve
1214 space.
1215 </para>
1217 <para><indexterm>
1218 <primary>LAM</primary>
1219 <secondary>opening screen</secondary>
1220 </indexterm>
1221 When you log onto LAM the opening screen drops you right into the user manager as shown in
1222 <link linkend="lam-user"/>. This is a logical action as it permits the most-needed facility
1223 to be used immediately. The editing of an existing user, as with the addition of a new user,
1224 is easy to follow and very clear in both layout and intent. It is a simple matter to edit
1225 generic settings, UNIX specific parameters, and then Samba account requirements. Each step
1226 involves clicking a button that intuitively drives you through the process. When you have
1227 finished editing simply press the <guimenu>Final</guimenu> button.
1228 </para>
1230 <image id="lam-user">
1231 <imagedescription>The LDAP Account Manager User Edit Screen</imagedescription>
1232 <imagefile scale="50">lam-users</imagefile>
1233 </image>
1235 <para>
1236 The edit screen for groups is shown in <link linkend="lam-group"/>. As with the edit screen
1237 for user accounts, group accounts may be rapidly dealt with. <link linkend="lam-group-mem"/>
1238 shown a sub-screen from the group editor that permits users to be assigned secondary group
1239 memberships.
1240 </para>
1242 <image id="lam-group">
1243 <imagedescription>The LDAP Account Manager Group Edit Screen</imagedescription>
1244 <imagefile scale="50">lam-groups</imagefile>
1245 </image>
1247 <image id="lam-group-mem">
1248 <imagedescription>The LDAP Account Manager Group Membership Edit Screen</imagedescription>
1249 <imagefile scale="50">lam-group-members</imagefile>
1250 </image>
1252 <para><indexterm>
1253 <primary>smbldap-tools</primary>
1254 </indexterm><indexterm>
1255 <primary>scripts</primary>
1256 </indexterm>
1257 The final screen presented here is one that you should not normally need to use. Host accounts will
1258 be automatically managed using the smbldap-tools scripts. This means that the screen <link linkend="lam-host"/>
1259 will, in most cases, not be used.
1260 </para>
1262 <image id="lam-host">
1263 <imagedescription>The LDAP Account Manager Host Edit Screen</imagedescription>
1264 <imagefile scale="50">lam-hosts</imagefile>
1265 </image>
1267 <para>
1268 One aspect of LAM that may annoy some users is the way it forces certain conventions on
1269 the administrator. For example, LAM does not permit the creation of Windows user and group
1270 accounts that contain upper-case characters or spaces even though the underlying UNIX/Linux
1271 operating system may exhibit no problems with them. Given the propensity for using upper-case
1272 characters and spaces (particularly in the default Windows account names) this may cause
1273 some annoyance. For the rest, LAM is a very useful administrative tool.
1274 </para>
1276 <example id="lamcfg">
1277 <title>Example LAM Configuration File &smbmdash; <filename>config.cfg</filename></title>
1278 <screen>
1279 # password to add/delete/rename configuration profiles
1280 password: not24get
1282 # default profile, without ".conf"
1283 default: lam
1284 </screen>
1285 </example>
1287 <example id="lamconf">
1288 <title>LAM Profile Control File &smbmdash; <filename>lam.conf</filename></title>
1289 <screen>
1290 ServerURL: ldap://massive.abmas.org:389
1291 Admins: cn=Manager,dc=abmas,dc=biz
1292 Passwd: not24get
1293 usersuffix: ou=People,dc=abmas,dc=biz
1294 groupsuffix: ou=Groups,dc=abmas,dc=biz
1295 hostsuffix: ou=Computers,dc=abmas,dc=biz
1296 domainsuffix: ou=Domains,dc=abmas,dc=biz
1297 MinUID: 0
1298 MaxUID: 65535
1299 MinGID: 0
1300 MaxGID: 65535
1301 MinMachine: 20000
1302 MaxMachine: 25000
1303 userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
1304 grouplistAttributes: #cn;#gidNumber;#memberUID;#description
1305 hostlistAttributes: #cn;#description;#uidNumber;#gidNumber
1306 maxlistentries: 30
1307 defaultLanguage: en_GB:ISO-8859-1:English (Britain)
1308 scriptPath:
1309 scriptServer:
1310 samba3: yes
1311 cachetimeout: 5
1312 pwdhash: SSHA
1313 </screen>
1314 </example>
1316 </sect1>
1318 <sect1 id="ch12-SUIDSGID">
1319 <title>Effect of Setting File and Directory SUID/SGID Permissions Explained</title>
1321 <indexterm><primary>SUID</primary></indexterm>
1322 <indexterm><primary>SGID</primary></indexterm>
1323 <para>
1324 The setting of the SUID/SGID bits on the file or directory permissions flag has particular
1325 consequences. If the file is executable and the SUID bit is set, it executes with the privilege
1326 of (with the UID of) the owner of the file. For example, if you are logged onto a system as
1327 a normal user (let's say as the user <constant>bobj</constant>), and you execute a file that is owned
1328 by the user <constant>root</constant> (uid = 0), and the file has the SUID bit set, then the file is
1329 executed as if you had logged in as the user <constant>root</constant> and then executed the file.
1330 The SUID bit effectively gives you (as <constant>bobj</constant>) administrative privilege for the
1331 use of that executable file.
1332 </para>
1334 <para>
1335 The setting of the SGID bit does precisely the same as the effect of the SUID bit, except that it
1336 applies the privilege to the UNIX group setting. In other words, the file executes with the force
1337 of capability of the group.
1338 </para>
1340 <para>
1341 When the SUID/SGID permissions are set on a directory, all files that are created within that directory
1342 is automatically given the ownership of the SUID user and the SGID group, as per the ownership
1343 of the directory in which the file is created. This means that the system level <command>create()</command>
1344 function executes with the SUID user and/or SGID group of the directory in which the file is
1345 created.
1346 </para>
1348 <para>
1349 If you want to obtain the SUID behavior, simply execute the following command:
1350 <screen>
1351 &rootprompt; chmod u+s file-or-directory
1352 </screen>
1353 To set the SGID properties on a file or a directory, execute this command:
1354 <screen>
1355 &rootprompt; chmod g+s file-or-directory
1356 </screen>
1357 And to set both SUID and SGID properties, execute the following:
1358 <screen>
1359 &rootprompt; chmod ug+s file-or-directory
1360 </screen>
1361 </para>
1363 <para>
1364 Let's consider the example of a directory <filename>/data/accounts</filename>. The permissions on this
1365 directory before setting both SUID and SGID on this directory are:
1366 <screen>
1367 &rootprompt; ls -al /data/accounts
1368 total 1
1369 drwxr-xr-x 10 root root 232 Dec 18 17:08 .
1370 drwxr-xr-x 21 root root 600 Dec 17 23:15 ..
1371 drwxrwxrwx 2 bobj Domain Users 48 Dec 18 17:08 accounts/
1372 drwx------ 2 root root 48 Jan 26 2002 lost+found
1373 </screen>
1374 In this example, if the user <constant>maryv</constant> creates a file, it would be owned by her.
1375 If <constant>maryv</constant> has the primary group of <constant>Accounts</constant>, the file is
1376 owned by the group <constant>Accounts</constant> as shown in this listing:
1377 <screen>
1378 &rootprompt; ls -al /data/accounts/maryvfile.txt
1379 drw-rw-r-- 2 maryv Accounts 12346 Dec 18 17:53
1380 </screen>
1381 </para>
1383 <para>
1384 Now you set the SUID and SGID and check the result as follows:
1385 <screen>
1386 &rootprompt; chmod ug+s /data/accounts
1387 &rootprompt; ls -al /data/accounts
1388 total 1
1389 drwxr-xr-x 10 root root 232 Dec 18 17:08 .
1390 drwxr-xr-x 21 root root 600 Dec 17 23:15 ..
1391 drwsrwsr-x 2 bobj Domain Users 48 Dec 18 17:08 accounts
1392 drwx------ 2 root root 48 Jan 26 2002 lost+found
1393 </screen>
1394 If <constant>maryv</constant> creates a file in this directory after this change has been made, the
1395 file is owned by the user <constant>bobj</constant>, and the group is set to the group
1396 <constant>Domain Users</constant> as shown here:
1397 <screen>
1398 &rootprompt; chmod ug+s /data/accounts
1399 &rootprompt; ls -al /data/accounts/maryvfile.txt
1400 total 1
1401 drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
1402 </screen>
1403 </para>
1405 </sect1>
1407 <sect1 id="ch12dblck">
1408 <title>Shared Data Integrity</title>
1410 <para><indexterm>
1411 <primary>data integrity</primary>
1412 </indexterm><indexterm>
1413 <primary>multi-user</primary>
1414 <secondary>data access</secondary>
1415 </indexterm>
1416 The integrity of shared data is often viewed as a particularly emotional issue, especially where
1417 there are concurrent problems with multi-user data access. Contrary to the assertions of some who have
1418 experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
1419 </para>
1421 <para>
1422 The solution to concurrent multi-user data access problems must consider three separate areas
1423 from which the problem may stem:<indexterm>
1424 <primary>locking</primary>
1425 <secondary>Application level</secondary>
1426 </indexterm><indexterm>
1427 <primary>locking</primary>
1428 <secondary>Client side</secondary>
1429 </indexterm><indexterm>
1430 <primary>locking</primary>
1431 <secondary>Server side</secondary>
1432 </indexterm>
1433 </para>
1435 <itemizedlist>
1436 <listitem><para>application level locking controls.</para></listitem>
1437 <listitem><para>client side locking controls.</para></listitem>
1438 <listitem><para>server side locking controls.</para></listitem>
1439 </itemizedlist>
1441 <para><indexterm>
1442 <primary>database applications</primary>
1443 </indexterm><indexterm>
1444 <primary>Microsoft Access</primary>
1445 </indexterm>
1446 Many database applications use some form of application-level access control. An example of one
1447 well-known application that uses application-level locking is Microsoft Access. Detailed guidance
1448 is provided given that this is the most common application for which problems have been reported.
1449 </para>
1451 <para><indexterm>
1452 <primary>Microsoft Excel</primary>
1453 </indexterm><indexterm>
1454 <primary>Act!</primary>
1455 </indexterm>
1456 Common applications that are affected by client- and server-side locking controls include MS
1457 Excel and Act!. Important locking guidance is provided here.
1458 </para>
1461 <sect2>
1462 <title>Microsoft Access</title>
1464 <para>
1465 The best advice that can be given is to carefully read the Microsoft knowledge base articles that
1466 cover this area. Examples of relevant documents includes:
1467 </para>
1469 <itemizedlist>
1470 <listitem><para>http://support.microsoft.com/default.aspx?scid=kb;en-us;208778</para></listitem>
1471 <listitem><para>http://support.microsoft.com/default.aspx?scid=kb;en-us;299373</para></listitem>
1472 </itemizedlist>
1475 <para><indexterm>
1476 <primary>multi-user</primary>
1477 <secondary>access</secondary>
1478 </indexterm><indexterm>
1479 <primary>exclusive open</primary>
1480 </indexterm>
1481 Make sure that your MS Access database file is configured for multi-user access (not set for
1482 exclusive open). Open MS Access on each client workstation then set the following: <menuchoice>
1483 <guimenu>(Menu bar) Tools</guimenu><guimenu>Options</guimenu><guimenu>[tab] General</guimenu>
1484 </menuchoice>. Set network path to Default database folder: <filename>\\server\share\folder</filename>.
1485 </para>
1487 <para>
1488 You can configure MS Access file sharing behavior as follows: click <guimenu>[tab] Advanced</guimenu>.
1489 Set:<indexterm>
1490 <primary>record locking</primary>
1491 </indexterm>
1492 </para>
1494 <itemizedlist>
1495 <listitem><para>Default open mode: Shared</para></listitem>
1496 <listitem><para>Default Record Locking: Edited Record</para></listitem>
1497 <listitem><para>Open databases using record_level locking</para></listitem>
1498 </itemizedlist>
1500 <para><indexterm>
1501 <primary>MS Access</primary>
1502 <secondary>validate</secondary>
1503 </indexterm>
1504 You must now commit the changes so that they will take effect. To do so, click
1505 <guimenu>Apply</guimenu><guimenu>Ok</guimenu>. At this point, you should exit MS Access, restart
1506 it and then validate that these settings have not changed.
1507 </para>
1509 </sect2>
1511 <sect2>
1512 <title>Act! Database Sharing</title>
1514 <para><indexterm>
1515 <primary>ACT! database</primary>
1516 </indexterm><indexterm>
1517 <primary>data corruption</primary>
1518 </indexterm>
1519 Where the server sharing the ACT! database(s) is running Samba, Windows NT, 200x or XP, you
1520 must disable opportunistic locking on the server and all workstations. Failure to do so
1521 results in data corruption. This information is available from the Act! Web site
1522 knowledge-base articles
1523 <ulink url="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925">1998223162925</ulink>
1524 as well as from article
1525 <ulink url="http://itdomino.saleslogix.com/act.nsf/docid/200110485036">200110485036</ulink>.
1526 </para>
1528 <para><indexterm>
1529 <primary>opportunistic locking</primary>
1530 </indexterm><indexterm>
1531 <primary>Act!Diag</primary>
1532 </indexterm>
1533 These documents clearly state that opportunistic locking must be disabled on both
1534 the server (Samba in the case we are interested in here), as well as on every workstation
1535 from which the centrally shared Act! database will be accessed. Act! provides
1536 a tool called <command>Act!Diag</command> that may be used to disable all workstation
1537 registry settings that may otherwise interfere with the operation of Act!
1538 Registered Act! users may download this utility from the Act! Web
1539 <ulink url="http://www.act.com/support/updates/index.cfm">site.</ulink>
1540 </para>
1542 </sect2>
1544 <sect2>
1545 <title>Opportunistic Locking Controls</title>
1547 <para><indexterm>
1548 <primary>file caching</primary>
1549 </indexterm>
1550 Third-party Windows applications may not be compatible with the use of opportunistic file
1551 and record locking. For applications that are known not to be compatible,<footnote>Refer to
1552 the application manufacturers' installation guidelines and knowledge base for specific
1553 information regarding compatibility. It is often safe to assume that if the software
1554 manufacturer does not specifically mention incompatibilities with opportunistic file
1555 and record locking, or with Windows client file caching, the application is probably
1556 compatible with Windows (as well as Samba) default settings.</footnote> oplock
1557 support may need to be disabled both on the Samba server and on the Windows workstations.
1558 </para>
1560 <para><indexterm>
1561 <primary>cache</primary>
1562 </indexterm><indexterm>
1563 <primary>write lock</primary>
1564 </indexterm><indexterm>
1565 <primary>flush</primary>
1566 <secondary>cache memory</secondary>
1567 </indexterm>
1568 Oplocks enable a Windows client to cache parts of a file that are being
1569 edited. Another windows client may then request to open the file with the
1570 ability to write to it. The server will then ask the original workstation
1571 that had the file open with a write lock to release it's lock. Before
1572 doing so, that workstation must flush the file from cache memory to the
1573 disk or network drive.
1574 </para>
1576 <para><indexterm>
1577 <primary>Oplocks</primary>
1578 <secondary>disabled</secondary>
1579 </indexterm>
1580 Disabling of Oplocks usage may require server and client changes.
1581 Oplocks may be disabled by file, by file pattern, on the share, or on the
1582 samba server.
1583 </para>
1585 <para>
1586 The following are examples showing how Oplock support may be managed using
1587 Samba &smb.conf; file settings:
1588 <screen>
1589 By file: veto oplock files = myfile.mdb
1591 By Pattern: veto oplock files = /*.mdb/
1593 On the Share: oplocks = No
1594 level2 oplocks = No
1596 On the server:
1597 (in [global]) oplocks = No
1598 level2 oplocks = No
1599 </screen>
1600 </para>
1602 <para>
1603 The following registry entries on Microsoft Windows XP Professional, 2000 Professional and Windows NT4
1604 workstation clients must be configured as shown here:
1605 <screen>
1606 REGEDIT4
1608 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
1609 Services\LanmanServer\Parameters]
1610 "EnableOplocks"=dword:00000000
1612 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
1613 Services\LanmanWorkstation\Parameters]
1614 "UseOpportunisticLocking"=dword:00000000
1615 </screen>
1616 </para>
1618 <para>
1619 Comprehensive coverage of file and record locking controls is provided in TOSHARG Chapter 13.
1620 The information provided in that chapter was obtained from a wide variety of sources.
1621 </para>
1623 </sect2>
1625 </sect1>
1627 </appendix>