Add description (to make build system happy)
[Samba.git] / docs / Samba-Guide / Chap06-MakingHappyUsers.xml
blob 1b075e73f7813fd24c8f5ee9800ec95fa53c01d2
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [

  <!-- entities files to use -->
  <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
  %global_entities;

]>

<chapter id="happy">
  <title>Making Users Happy</title>

        <para>
        It has been said, <quote>A day that is without troubles is not fulfilling. Rather, give
        me a day of troubles well handled so that I can be content with my achievements.</quote>
        </para>

        <para>
        In the world of computer networks, problems are as varied as the people who create them
        or experience them. The design of the network implemented in the last chapter may
        create problems for some network users. The following lists some of the problems that
        may occur:
        </para>

        <variablelist>
                <varlistentry>
                <term>Users experiencing difficulty logging onto the network</term>
                <listitem><para>
            <indexterm>
              <primary>network</primary>
              <secondary>logon</secondary>
            </indexterm>
                When a Windows client logs onto the network, many data packets are exchanged
                between the client and the server that is providing the network logon services.
                Each request between the client and the server must complete within a specific
                time limit. This is one of the primary factors that govern the installation of
            <indexterm>
              <primary>multiple domain controllers</primary>
            </indexterm>
                multiple domain controllers (usually called secondary or backup controllers).
                As a rough rule, there should be one such backup controller for every
                30 to 150 clients. The actual limits are determined by network operational
                characteristics.
                </para>

                <para>
                If the domain controller provides only network logon services
                and all file and print activity is handled by Domain Member servers, one Domain
                Controller per 150 clients on a single network segment may suffice. In any
                case, it is highly recommended to have a minimum of one Domain Controller (PDC or BDC)
                per network segment. It is better to have at least one BDC on the network
                segment that has a PDC. If the Domain Controller is also used as a file and
                print server, the number of clients it can service reliably is reduced,
                and a common rule is not to exceed 30 machines (Windows workstations plus
                Domain Member servers) per Domain Controller.
                </para></listitem></varlistentry>

                <varlistentry>
                <term>Slow logons and log-offs</term>
                <listitem><para>
            <indexterm>
              <primary>slow logon</primary>
            </indexterm>
                Slow logons and log-offs may be caused by many factors, including:

                        <itemizedlist>
              <listitem><para><indexterm>
                    <primary>NetBIOS</primary>
                    <secondary>name resolution</secondary>
                    <tertiary>delays</tertiary>
                  </indexterm><indexterm>
                    <primary>WINS</primary>
                    <secondary>server</secondary>
                  </indexterm>
                                Excessive delays in the resolution of a NetBIOS name to its IP
                                address. This may be observed when an overloaded domain controller
                                is also the WINS server. Another cause may be the failure to use
                                a WINS server (this assumes that there is a single network segment).
                                </para></listitem>

              <listitem><para><indexterm>
                    <primary>traffic collisions</primary>
                  </indexterm><indexterm>
                    <primary>HUB</primary>
                  </indexterm><indexterm>
                    <primary>Etherswitch</primary>
                  </indexterm>
                                Network traffic collisions due to overloading of the network
                                segment &smbmdash; one short-term workaround may be to replace
                                network hubs with Ethernet switches.
                                </para></listitem>

              <listitem><para><indexterm>
                    <primary>networking hardware</primary>
                    <secondary>defective</secondary>
                  </indexterm>
                                Defective networking hardware. Over the past few years, we have seen
                                on the Samba mailing list a significant increase in the number of
                                problems that were traced to a defective network interface controller,
                                a defective hub or Ethernet switch, or defective cabling. In most cases,
                                it was the erratic nature of the problem that ultimately pointed to
                                the cause of the problem.
                                </para></listitem>

              <listitem><para><indexterm>
                    <primary>profile</primary>
                    <secondary>roaming</secondary>
                  </indexterm><indexterm>
                    <primary>MS Outlook</primary>
                    <secondary>PST file</secondary>
                  </indexterm>
                                Excessively large roaming profiles. This type of problem is typically
                                the result of poor user education, as well as poor network management.
                                It can be avoided by users not storing huge quantities of email in
                                MS Outlook PST files, as well as by not storing files on the desktop.
                                These are old bad habits that require much discipline and vigilance
                                on the part of network management.
                                </para></listitem>

              <listitem><para><indexterm>
                        <primary>WebClient</primary>
                        </indexterm>
                                You should verify that the Windows XP WebClient service is not running.
                                The use of the WebClient service has been implicated in many Windows
                                networking-related problems.
                                </para></listitem>
                        </itemizedlist>

                </para></listitem></varlistentry>

                <varlistentry>
                <term>Loss of access to network drives and printer resources</term>
                <listitem><para>
                Loss of access to network resources during client operation may be caused by a number
                of factors, including:
                </para>

                        <itemizedlist>
            <listitem><para><indexterm>
                  <primary>network</primary>
                  <secondary>overload</secondary>
                </indexterm>
                                Network overload (typically indicated by a high network collision rate)
                                </para></listitem>

                                <listitem><para>
                                Server overload
                                </para></listitem>

            <listitem><para><indexterm>
                  <primary>network</primary>
                  <secondary>timeout</secondary>
                </indexterm>
                                Timeout causing the client to close a connection that is in use, but has
                                been latent (no traffic) for some time (5 minutes or more)
                                </para></listitem>

            <listitem><para><indexterm>
                  <primary>network hardware</primary>
                  <secondary>defective</secondary>
                </indexterm>
                                Defective networking hardware
                                </para></listitem>
                        </itemizedlist>

          <para><indexterm>
              <primary>data</primary>
              <secondary>corruption</secondary>
            </indexterm>
                No matter what the cause, a sudden operational loss of access to network resources can
                result in BSOD (blue screen of death) situations that necessitate rebooting of the client
                workstation. In the case of a mild problem, retrying access to the network drive or printer
                may restore operations, but in any case this is a serious problem, as it may lead to the next
                problem: data corruption.
                </para></listitem></varlistentry>

                <varlistentry>
                <term>Potential data corruption</term>
                <listitem><para><indexterm>
              <primary>data</primary>
              <secondary>corruption</secondary>
            </indexterm>
                Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
                frustration, and generally precipitates immediate corrective demands. Management response
                to this type of problem may be rational or highly irrational. There have been
                cases where management has fired network staff for permitting this situation to occur without
                immediate correction. There have been situations where perfectly functional hardware was thrown
                out and replaced, only to find the problem caused by a low-cost network hardware item. There
                have been cases where server operating systems were replaced, or where Samba was updated,
                only for the problem to be later traced to defective client software.
                </para></listitem></varlistentry>
        </variablelist>

        <para>
        In this chapter, you can work through a number of measures that significantly arm you to
        anticipate and to combat network performance issues. You can work through complex and thorny
        methods to improve the reliability of your network environment, but be warned that all such steps
        demand the price of complexity.
        </para>

<sect1>
        <title>Introduction</title>

        <para>
        Mr. Bob Jordan just opened an email from Christine that reads:
        </para>

        <para>
        Bob,
        <blockquote><attribution>Christine</attribution><para>
        A few months ago we sat down to design the network. We discussed the challenges ahead and we all
        agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
        that we would have some time to resolve any issues that might be encountered.
        </para>

        <para>
        As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them
        resigned yesterday afternoon because she was under duress to complete some critical projects. She
        suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
        of which was lost. She has a unique requirement that involves storing large files on her desktop.
        Mary's desktop profile is nearly 1 Gigabyte in size. As a result of her desktop configuration, it
        takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
        network logon traffic passes over the network links between our buildings, logging on may take
        three or four attempts due to blue screen problems associated with network timeouts.
        </para>

        <para>
        A few of us worked to help her out of trouble. We convinced her to stay and promised to fully
        resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard
        limits on what our users can do with their desktops. If we do not do this, we face staff losses
        that can surely do harm to our growth, as well as to staff morale. I am sure we can better deal
        with the consequences of what we know we must do than we can with the unrest we have now.
        </para>

        <para>
        Stan and I have discussed the current situation. We are resolved to help our users and protect
        the well-being of Abmas. Please acknowledge this advice with consent to proceed as required to
        regain control of our vital IT operations.
        </para></blockquote>
        </para>

      <para><indexterm>
          <primary>compromise</primary>
        </indexterm><indexterm>
          <primary>network</primary>
          <secondary>multi-segment</secondary>
        </indexterm>
        Every compromise has consequences. Having a large routed (i.e., multi-segment) network with only a
        single domain controller is a poor design that has obvious operational effects that may
        frustrate users. Here is Bob's reply:
        <blockquote><attribution>Bob</attribution><para>
        Christine, your diligence and attention to detail are much valued. Stan and I fully support your
        proposals to resolve the issues. I am confident that your plans, fully realized, will significantly
        boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
        Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
        for approval; I appreciate the urgency.
        </para></blockquote>
        </para>

        <sect2>
                <title>Assignment Tasks</title>

                <para>
                The priority of assigned tasks in this chapter is:
                </para>

                <orderedlist>
          <listitem><para><indexterm>
                <primary>Backup Domain Controller</primary>
                <see>BDC</see>
              </indexterm><indexterm>
                <primary>BDC</primary>
              </indexterm><indexterm>
                <primary>tdbsam</primary>
              </indexterm><indexterm>
                <primary>LDAP</primary>
              </indexterm><indexterm>
                <primary>migration</primary>
              </indexterm>
              Implement Backup Domain Controllers (BDCs) in each building. This involves
                changing from the <emphasis>tdbsam</emphasis> backend that was used in the previous
                chapter to an LDAP-based backend.
                        </para>

                        <para>
                        You can implement a single central LDAP server for this purpose.
                        </para></listitem>

                        <listitem><para><indexterm>
                <primary>logon time</primary>
              </indexterm><indexterm>
                <primary>network share</primary>
              </indexterm><indexterm>
                <primary>default profile</primary>
              </indexterm><indexterm>
                <primary>profile</primary>
                <secondary>default</secondary>
              </indexterm>
                        Rectify the problem of excessive logon times. This involves redirection of
                        folders to network shares as well as modification of all user desktops to
                        exclude the redirected folders from being loaded at login time. You can also
                        create a new default profile that can be used for all new users.
                        </para></listitem>

                </orderedlist>

        <para><indexterm>
            <primary>disk image</primary>
          </indexterm>
                You configure a new MS Windows XP Professional Workstation disk image that you
                roll out to all desktop users. The instructions you have created are followed on a
                staging machine from which all changes can be carefully tested before inflicting them on
                your network users.
                </para>

        <para><indexterm>
            <primary>CUPS</primary>
          </indexterm>
                This is the last network example in which specific mention of printing is made. The example
                again makes use of the CUPS printing system.
                </para>

        </sect2>

</sect1>

<sect1>
        <title>Dissection and Discussion</title>

      <para><indexterm>
          <primary>BDC</primary>
        </indexterm><indexterm>
          <primary>LDAP</primary>
        </indexterm><indexterm>
          <primary>OpenLDAP</primary>
        </indexterm>
        The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
        For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
        LDAP servers in current use with Samba-3 include:
        </para>

        <itemizedlist><indexterm>
          <primary>eDirectory</primary>
        </indexterm>
                <listitem><para>Novell <ulink
              url="http://www.novell.com/products/edirectory/">eDirectory</ulink>.
                eDirectory is being successfully used by some sites. Information on how to use eDirectory can be
                obtained from the Samba mailing lists or from Novell.</para></listitem>

        <listitem><para><indexterm>
              <primary>Tivoli Directory Server</primary>
            </indexterm>IBM
                <ulink
              url="http://www-306.ibm.com/software/tivoli/products/directory-server/">Tivoli Directory Server</ulink>
                can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba
                source code tarball under the directory <filename>~samba/example/LDAP</filename>.</para></listitem>

        <listitem><para><indexterm>
              <primary>Sun ONE Identity Server</primary>
            </indexterm>Sun
                <ulink
              url="http://www.sun.com/software/sunone/identity/index.html">ONE Identity Server</ulink>.
                This product suite provides an LDAP server that can be used for Samba. Example schema files are
                provided in the Samba source code tarball under the directory
            <filename>~samba/example/LDAP</filename>.</para></listitem>
        </itemizedlist>

        <para>
        A word of caution is fully in order. OpenLDAP is purely an LDAP server and, unlike commercial
        offerings, it requires that you manually edit the server configuration files and manually
        initialize the LDAP directory database. OpenLDAP itself provides only command-line tools; with
        them you can get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
        </para>

      <para><indexterm>
          <primary>Active Directory</primary>
        </indexterm>
        For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
        adequate. If you are migrating from Microsoft Active Directory, be
        warned that OpenLDAP does not include
        GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
        requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
        </para>

      <para><indexterm>
          <primary>Identity Management</primary>
        </indexterm><indexterm>
          <primary>high availability</primary>
        </indexterm><indexterm>
          <primary>directory</primary>
          <secondary>replication</secondary>
        </indexterm><indexterm>
          <primary>directory</primary>
          <secondary>synchronization</secondary>
        </indexterm><indexterm>
          <primary>performance</primary>
        </indexterm><indexterm>
          <primary>directory</primary>
          <secondary>management</secondary>
        </indexterm><indexterm>
          <primary>directory</primary>
          <secondary>schema</secondary>
        </indexterm>
        When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
        High availability operation may be obtained through directory replication/synchronization and
        master/slave server configurations. OpenLDAP is a mature platform to host the organizational
        directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more.
        The price paid in learning how to design an LDAP directory schema and in implementing and configuring
        management tools is well rewarded by performance and flexibility, and by the freedom to manage directory
        contents with greater ability to back up, restore, and modify the directory than is generally possible
        with Microsoft Active Directory.
        </para>

      <para><indexterm>
          <primary>comparison</primary>
          <secondary>Active Directory &amp; OpenLDAP</secondary>
        </indexterm><indexterm>
          <primary>ADAM</primary>
        </indexterm><indexterm>
          <primary>Active Directory</primary>
        </indexterm><indexterm>
          <primary>OpenLDAP</primary>
        </indexterm>
        A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
        tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely pre-configured
        for a specific task orientation. It comes with a set of administrative tools that is entirely customized
        for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
        server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
        who wants to build a custom directory solution. Microsoft Active Directory is a generic LDAP server that has
        been pre-configured for a specific task. Microsoft provides an application called
        <ulink url="http://www.microsoft.com/windowsserver2003/adam/default.mspx">
        MS ADAM</ulink> that provides more generic LDAP services, yet it does not offer the plain, general-purpose
        directory services of OpenLDAP.
        </para>

      <para><indexterm>
          <primary>directory</primary>
          <secondary>schema</secondary>
        </indexterm><indexterm>
          <primary>passdb backend</primary>
        </indexterm>
        You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
        if you find learning about LDAP directories, schemas, configuration, and management
        tools, and the creation of shell and Perl scripts, a bit of a
        challenge. OpenLDAP can be easily customized, and it includes
        many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
        that is required for use as a passdb backend.
        </para>

        <para>
        For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
        there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
        The Web-based tools you might like to consider include the <ulink
          url="http://lam.sourceforge.net/">LDAP
        Account Manager</ulink> (LAM), as well as the <ulink
          url="http://www.webmin.com">Webmin</ulink>-based Idealx
        <ulink url="http://webmin.idealx.org/index.en.html">CGI tools</ulink>.
        </para>

        <para>
        Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of
        these, so it may be useful to include passing reference to them.
        The first is <ulink url="http://biot.com/gq">GQ</ulink>, a GTK-based LDAP browser; others are the
        LDAP <ulink url="http://www.iit.edu/~gawojar/ldap/">Browser/Editor</ulink> and
        <ulink url="http://www.jxplorer.org/">JXplorer</ulink> (by Computer Associates),
        and the last is called <ulink url="http://phpldapadmin.sourceforge.net/">phpLDAPadmin</ulink>.
        </para>

        <note><para>
        The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly lacks
        security. No form of secure LDAP communications is attempted. The LDAP configuration information provided
        is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
        LDAP before attempting to deploy it in a business-critical environment.
        </para></note>

        <para>
        Information to help you get started with OpenLDAP is available from the
        <ulink url="http://www.openldap.org/pub/">
        OpenLDAP Web Site</ulink>. Many people have found the book <ulink
          url="http://www.booksense.com/product/info.jsp?isbn=1565924916">
        LDAP System Administration</ulink>, written by Jerry Carter, quite useful.
        </para>

      <para><indexterm>
          <primary>BDC</primary>
        </indexterm><indexterm>
          <primary>network</primary>
          <secondary>segment</secondary>
        </indexterm><indexterm>
          <primary>performance</primary>
        </indexterm><indexterm>
          <primary>network</primary>
          <secondary>wide-area</secondary>
        </indexterm>
        Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
        main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
        be loaded over the wide-area network connection. The addition of BDCs on each network segment significantly
        improves overall network performance for most users, but this is not enough. You must gain control over
        user desktops, and this must be done in a way that wins their support and does not cause further loss of
        staff morale. The following procedures solve this problem.
        </para>

      <para><indexterm>
          <primary>smart printing</primary>
        </indexterm>
        There is also an opportunity to implement smart printing features. You add this to the Samba configuration
        so that future printer changes can be managed without needing to change desktop configurations.
        </para>

        <para>
        You add the ability to automatically download new printer drivers, even if they are not installed
        in the default desktop profile. Only one example of printing configuration is given. It is assumed that
        you can extrapolate the principles and use this to install all printers that may be needed.
        </para>

        <sect2>
        <title>Technical Issues</title>

        <para><indexterm>
            <primary>identity</primary>
            <secondary>management</secondary>
          </indexterm><indexterm>
            <primary>directory</primary>
            <secondary>server</secondary>
          </indexterm><indexterm>
            <primary>Posix</primary>
          </indexterm>
        The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
        server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
        accounts are stored using the Posix schema extensions. Samba provides its own schema to permit storage of
        the account attributes Samba needs. Samba-3 can use the LDAP backend to store:
        </para>

        <itemizedlist>
                <listitem><para>Windows Networking User Accounts</para></listitem>
                <listitem><para>Windows NT Group Accounts</para></listitem>
                <listitem><para>Mapping Information between UNIX Groups and Windows NT Groups</para></listitem>
                <listitem><para>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</para></listitem>
        </itemizedlist>

        <para><indexterm>
            <primary>UNIX accounts</primary>
          </indexterm><indexterm>
            <primary>Windows accounts</primary>
          </indexterm><indexterm>
            <primary>PADL LDAP tools</primary>
          </indexterm><indexterm>
            <primary>/etc/group</primary>
          </indexterm><indexterm>
            <primary>LDAP</primary>
          </indexterm><indexterm>
            <primary>name service switch</primary>
            <see>NSS</see>
          </indexterm><indexterm>
            <primary>NSS</primary>
          </indexterm><indexterm>
            <primary>UID</primary>
          </indexterm><indexterm>
            <primary>nss_ldap</primary>
          </indexterm>
        The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
        accounts in the LDAP backend. This implies the need to use the
        <ulink url="http://www.padl.com/Contents/OpenSourceSoftware.html">PADL LDAP tools</ulink>. The resolution
        of the UNIX group name to its GID must be enabled either from
          <filename>/etc/group</filename>
        or from the LDAP backend. This requires the use of the PADL <filename>nss_ldap</filename> toolset
        that integrates with the Name Service Switch (NSS). The same requirements exist for resolution
        of the UNIX username to the UID. The relationships are demonstrated in <link linkend="ch6-LDAPdiag"/>.
        </para>

        <image id="ch6-LDAPdiag">
                <imagedescription>The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</imagedescription>
                <imagefile scale="70">UNIX-Samba-and-LDAP</imagefile>
        </image>
578         <para><indexterm>
579             <primary>security</primary>
580           </indexterm><indexterm>
581             <primary>LDAP</primary>
582             <secondary>secure</secondary>
583           </indexterm>
584         You configure OpenLDAP so that it is operational. Before deploying OpenLDAP, you really
585         ought to learn how to configure secure communications over LDAP so that your site's security is not
586         at risk. This is not covered in the following guidance.
587         </para>
589         <para><indexterm>
590             <primary>PDC</primary>
591           </indexterm><indexterm>
592             <primary>LDAP Interchange Format</primary>
593             <see>LDIF</see>
594           </indexterm><indexterm>
595             <primary>LDIF</primary>
596           </indexterm><indexterm>
597             <primary>secrets.tdb</primary>
598           </indexterm>
599         When OpenLDAP has been made operative, you configure the Primary Domain Controller (PDC)
600         called <constant>MASSIVE</constant>. You initialize the Samba
601           <filename>secrets.tdb</filename>
602         file. Then you create the LDAP Interchange Format (LDIF) file from which the LDAP database
603         can be initialized. You need to decide how best to create user and group accounts. A few
604         hints are, of course, provided. You can also find on the enclosed
605           CD-ROM, in the <filename>Chap06</filename>
606         directory, a few tools that help to manage user and group configuration.
607         </para>
609         <para><indexterm>
610             <primary>folder redirection</primary>
611           </indexterm><indexterm>
612             <primary>default profile</primary>
613           </indexterm><indexterm>
614             <primary>roaming profile</primary>
615           </indexterm>
616         In order to effect folder redirection and to add robustness to the implementation,
617         create a network Default Profile. All network users' workstations are configured to use
618         the new profile. Roaming profiles will automatically be deleted from the workstation
619         when the user logs off.
620         </para>
622         <para><indexterm>
623             <primary>mandatory profile</primary>
624           </indexterm>
625         The profile is configured so that users cannot change the appearance
626         of their desktop. This is known as a mandatory profile. You make certain that users
627         are able to use their computers efficiently.
628         </para>
630         <para><indexterm>
631             <primary>logon script</primary>
632           </indexterm>
633         A network logon script is used to deliver flexible but consistent network drive
634         connections.
635         </para>
637                 <sect3>
638                 <title>Roaming Profile Background</title>
640                 <para>
641                 As XP roaming profiles grow, so does the amount of time it takes to log in and out.
642                 </para>
644           <para><indexterm>
645               <primary>roaming profile</primary>
646             </indexterm><indexterm>
647               <primary>HKEY_CURRENT_USER</primary>
648             </indexterm><indexterm>
649               <primary>NTUSER.DAT</primary>
650             </indexterm><indexterm>
651               <primary>%USERNAME%</primary>
652             </indexterm>
653                 An XP roaming profile consists of the <constant>HKEY_CURRENT_USER</constant> hive file
654                 <filename>NTUSER.DAT</filename> and a number of folders (My Documents, Application Data,
655                 Desktop, Start Menu, Templates, NetHood, Favorites, and so on).  When a user logs onto the
656                 network with the default configuration of MS Windows NT/200x/XP, all this data is
657                 copied to the local machine, by default under the
658                 <filename>C:\Documents and Settings\%USERNAME%</filename> directory. While the user is logged in,
659                 any changes made to any of these folders or to the <constant>HKEY_CURRENT_USER</constant>
660                 branch of the registry are made to the local copy of the profile.  At logout the profile
661                 data is copied back to the server. This behavior can be changed through appropriate
662                 registry changes and/or through changes to the Default User profile. In the latter case,
663                 the registry is updated with the values that are set in the Default User profile's
664             <filename>NTUSER.DAT</filename>
665                 file.
666                 </para>
668                 <para>
669                 The first challenge is to reduce the amount of data that must be transferred to and 
670                 from the profile server as roaming profiles are processed.  This includes removing 
671                 all the shortcuts in the Recent directory, making sure the cache used by the web browser 
672                 is not being dumped into the <filename>Application Data</filename> folder, removing the 
673                 Java plug-in's cache (the .jpi_cache directory in the profile), as well as training
674                 users not to place large files on the Desktop and to use their mapped home directory for
675                 saving documents instead of the <filename>My Documents</filename> folder.
676                 </para>
678           <para><indexterm>
679               <primary>My Documents</primary>
680             </indexterm>
681                 Using a folder other than <filename>My Documents</filename> is a nuisance for 
682                 some users since many applications use it by default.
683                 </para>
685                 <para><indexterm>
686               <primary>roaming profiles</primary>
687             </indexterm><indexterm>
688               <primary>Local Group Policy</primary>
689             </indexterm><indexterm>
690               <primary>NTUSER.DAT</primary>
691             </indexterm>
692             The secret to rapid loading of roaming profiles is to prevent unnecessary data from 
693                 being copied back and forth, without losing any functionality. This is not difficult; 
694                 it can be done by making changes to the Local Group Policy on each client as well 
695                 as changing some paths in each user's <filename>NTUSER.DAT</filename> hive.
696                 </para>
698           <para><indexterm>
699               <primary>Network Default Profile</primary>
700             </indexterm><indexterm>
701               <primary>redirected folders</primary>
702             </indexterm>
703                 Every user profile has its own <filename>NTUSER.DAT</filename> file. This means
704                 you need to edit every user's profile, unless a better method can be
705                 followed. Fortunately, with the right preparations, this is not difficult.
706                 It is possible to remove the <filename>NTUSER.DAT</filename> file from each
707                 user's profile. Then just create a Network Default Profile. Of course, it is
708                 necessary to copy all files from redirected folders to the network share to which
709                 they are redirected.
710                 </para>
712                 </sect3>
714                 <sect3 id="ch6-locgrppol">
715                 <title>The Local Group Policy</title>
716           <para><indexterm>
717               <primary>Group Policy Objects</primary>
718             </indexterm><indexterm>
719               <primary>Active Directory</primary>
720             </indexterm><indexterm>
721               <primary>PDC</primary>
722             </indexterm><indexterm>
723               <primary>Group Policy editor</primary>
724             </indexterm>
725                 Without an Active Directory PDC, you cannot take full advantage of Group Policy 
726                 Objects. However, you can still make changes to the Local Group Policy by using 
727                 the Group Policy editor (<command>gpedit.msc</command>).
728                 </para>
730                 <para>
731                 The <emphasis>Exclude directories in roaming profile</emphasis> settings can 
732                 be found under 
733                 <menuchoice>
734                         <guimenu>User Configuration</guimenu>
735                         <guimenuitem>Administrative Templates</guimenuitem>
736                         <guimenuitem>System</guimenuitem>
737                         <guimenuitem>User Profiles</guimenuitem>
738                 </menuchoice>. 
739                 By default this setting contains:
740                 <quote>Local Settings;Temporary Internet Files;History;Temp</quote>.
741                 </para>
743                 <para>
744                 Simply add the folders you do not wish to be copied back and forth to this 
745                 semi-colon separated list. Note that this change must be made on all clients 
746                 that are using roaming profiles.
747                 </para>
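<para>
As an added example (not from the Samba Guide), the following Python helper builds the value for the
<emphasis>Exclude directories in roaming profile</emphasis> setting described above: it starts from the
chapter's default list and appends further folders without introducing duplicates. Windows folder names
are case-insensitive, so the comparison is case-insensitive too. The helper names and the sample input are mine.
</para>

```python
"""Build the semicolon-separated value of the Local Group Policy setting
"Exclude directories in roaming profile".

Added example, not part of the Samba Guide. DEFAULT_EXCLUDES is the default
value the chapter quotes; the folders merged into it below are ones the
chapter names as candidates (Recent, Temp, the Java plug-in cache).
"""

# Default value of the policy as quoted in the chapter.
DEFAULT_EXCLUDES = "Local Settings;Temporary Internet Files;History;Temp"


def parse_exclude_list(value: str) -> list:
    """Split a policy value into folder names, dropping blanks and stray whitespace."""
    return [item.strip() for item in value.split(";") if item.strip()]


def merge_exclude_dirs(current: str, extra: list) -> str:
    """Append folders to an exclusion list without creating duplicates.

    The comparison is case-insensitive because Windows folder names are;
    the original order is preserved so the result is stable across runs.
    """
    merged = []
    seen = set()
    for item in parse_exclude_list(current) + [e.strip() for e in extra]:
        if not item:
            continue
        key = item.casefold()
        if key in seen:
            continue
        seen.add(key)
        merged.append(item)
    return ";".join(merged)


if __name__ == "__main__":
    # Constructed input: folders the chapter suggests keeping out of the profile.
    wanted = ["Recent", "temp", ".jpi_cache"]
    print(merge_exclude_dirs(DEFAULT_EXCLUDES, wanted))
```

<para>
The resulting string is what you enter into the policy editor on each client. Because the merge is
order-preserving and idempotent, running it again with the same folders leaves the value unchanged.
</para>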
749                 </sect3>
751                 <sect3>
752                 <title>Profile Changes</title>
753           <para><indexterm>
754               <primary>NTUSER.DAT</primary>
755             </indexterm><indexterm>
756               <primary>%USERNAME%</primary>
757             </indexterm>
758                 There are two changes that should be done to each user's profile. Move each of 
759                 the directories that you have excluded from being copied back and forth out of 
760                 the usual profile path. Modify each user's <filename>NTUSER.DAT</filename> file 
761                 to point to the new paths that are shared over the network, instead of the default
762                 path (<filename>C:\Documents and Settings\%USERNAME%</filename>).
763                 </para>
765           <para><indexterm>
766               <primary>Default User</primary>
767             </indexterm><indexterm>
768               <primary>regedt32</primary>
769             </indexterm>
770                 The above modifies existing user profiles. So that newly created profiles have 
771                 these settings, you will need to modify the <filename>NTUSER.DAT</filename> in 
772                 the <filename>C:\Documents and Settings\Default User</filename> folder on each 
773                 client machine, changing the same registry keys.  You could do this by copying 
774                 <filename>NTUSER.DAT</filename> to a Linux box and using
775             <command>regedt32</command>.
776                 The basic method is described under <link linkend="redirfold"/>.
777                 </para>
779                 </sect3>
781                 <sect3>
782                 <title>Using a Network Default User Profile</title>
784           <para><indexterm>
785               <primary>NETLOGON</primary>
786             </indexterm><indexterm>
787               <primary>NTUSER.DAT</primary>
788             </indexterm>
789                 If you are using Samba as your PDC, you should create a file-share called 
790                 <constant>NETLOGON</constant> and within that create a directory called 
791                 <filename>Default User</filename>, which is a copy of the desired default user 
792                 configuration (including a copy of <filename>NTUSER.DAT</filename>).
793                 If this share exists and the <filename>Default User</filename> folder exists, 
794                 the first login from a new account pulls its configuration from it.
795                 See also: <ulink
796               url="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html">
797                 the Real Men Don't Click</ulink> Web site.
798                 </para>
800                 </sect3>
802                 <sect3>
803                 <title>Installation of Printer Driver Auto-Download</title>
805           <para><indexterm>
806               <primary>printing</primary>
807               <secondary>dumb</secondary>
808             </indexterm><indexterm>
809               <primary>dumb printing</primary>
810             </indexterm><indexterm>
811               <primary>Raw Print Through</primary>
812             </indexterm>
813                 The subject of printing is quite topical. Printing problems are second only to name
814                 resolution issues today. So far in this book, you have experienced only what is generally
815                 known as <quote>dumb</quote> printing. Dumb printing is the arrangement where all drivers
816                 are manually installed on each client and the printing subsystems perform no filtering
817                 or intelligent processing. Dumb printing is easily understood. It usually works without
818                 many problems, but it has its limitations also. Dumb printing is better known as
819                 <command>Raw Print Through</command> printing.
820                 </para>
822           <para><indexterm>
823               <primary>printing</primary>
824               <secondary>drag-and-drop</secondary>
825             </indexterm><indexterm>
826               <primary>printing</primary>
827               <secondary>point-n-click</secondary>
828             </indexterm>
829                 Samba permits the configuration of <command>Smart</command> printing using the Microsoft
830                 Windows point-and-click (also called drag-and-drop) printing. What this provides is
831                 essentially the ability to print to any printer. If the local client does not yet have a
832                 driver installed, the driver is automatically downloaded from the Samba server and
833                 installed on the client. Drag-and-drop printing is neat; it means the user never needs
834                 to fuss with driver installation, and that is a <trademark>Good Thing</trademark>,
835                 isn't it?
836                 </para>
838                 <para>
839                 There is a further layer of print job processing that is known as <command>Intelligent</command>
840                 printing that automatically senses the file format of data submitted for printing and
841                 then invokes a suitable print filter to convert the incoming data stream into a format
842                 suited to the printer to which the job is dispatched.
843                 </para>
845           <para><indexterm>
846               <primary>CUPS</primary>
847             </indexterm><indexterm>
848               <primary>Postscript</primary>
849             </indexterm>
850                 The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
851                 detect the data format and apply a print filter. This means that it is feasible to install
852                 on all Windows clients a single printer driver for use with all printers that are routed
853                 through CUPS. The most sensible driver to use is one for a Postscript printer. Fortunately,
854                 <ulink url="http://www.easysw.com">Easy Software Products</ulink>, the authors of CUPS, have
855                 released a Postscript printing driver for Windows. It can be installed into the Samba
856                 printing backend so that it automatically downloads to the client when needed. 
857                 </para>
859                 <para>
860                 This means that so long as there is a CUPS driver for the printer, all printing from Windows 
861                 software can use Postscript, no matter what the actual printer language for the physical 
862                 device is. It also means that the administrator can swap out a printer with a totally 
863                 different type of device without ever needing to change a client workstation driver.
864                 </para>
866                 <para>
867                 This book is about Samba-3, so you can confine the printing style to just the smart
868                 style of installation. Those interested in further information regarding intelligent
869                 printing should review documentation on the Easy Software Products Web site.
870                 </para>
872                 </sect3>
874         </sect2>
877         <sect2>
878                 <title>Political Issues</title>
880                 <para>
881                 MS Windows network users are generally very sensitive to limits that may be imposed when 
882                 confronted with locked-down workstation configurations. The challenge you face must 
883                 be promoted as a choice between reliable and fast network operation, and a constant flux        
884                 of problems that result in user irritation.
885                 </para>
887         </sect2>
889         <sect2>
890                 <title>Installation Check-List</title>
892         <para>
893         You are starting a complex project. Even though you have gone through the installation
894         of a complex network in chapter 5, this network is a bigger challenge because of the
895         large number of complex applications that must be configured before the first few steps
896         can be validated. Take stock of what you are about to undertake, prepare yourself, and
897         frequently review the steps ahead while making at least a mental note of what has already
898         been completed. The following task list may help you to keep track of the task items
899         that are covered:
900         </para>
903         <itemizedlist>
904                 <listitem><para>Samba-3 PDC Server Configuration</para>
905                         <orderedlist>
906                                 <listitem><para>DHCP and DNS Servers</para></listitem>
907                                 <listitem><para>OpenLDAP Server</para></listitem>
908                                 <listitem><para>PAM and NSS Client Tools</para></listitem>
909                                 <listitem><para>Samba-3 PDC</para></listitem>
910                                 <listitem><para>Idealx SMB-LDAP Scripts</para></listitem>
911                                 <listitem><para>LDAP Initialization</para></listitem>
912                                 <listitem><para>Create User and Group Accounts</para></listitem>
913                                 <listitem><para>Printers</para></listitem>
914                                 <listitem><para>Share Point Directory Roots</para></listitem>
915                                 <listitem><para>Profile Directories</para></listitem>
916                         </orderedlist>
917                 </listitem>
918                 <listitem><para>Samba-3 BDC Server Configuration</para>
919                         <orderedlist>
920                                 <listitem><para>DHCP and DNS Servers</para></listitem>
921                                 <listitem><para>PAM and NSS Client Tools</para></listitem>
922                                 <listitem><para>Printers</para></listitem>
923                                 <listitem><para>Share Point Directory Roots</para></listitem>
924                                 <listitem><para>Profile Directories</para></listitem>
925                         </orderedlist>
926                 </listitem>
927                 <listitem><para>Samba-3 BDC Server Configuration</para></listitem>
928                 <listitem><para>Windows XP Client Configuration</para>
929                         <orderedlist>
930                                 <listitem><para>Default Profile Folder Redirection</para></listitem>
931                                 <listitem><para>MS Outlook PST File Relocation</para></listitem>
932                                 <listitem><para>Delete Roaming Profile on Logout</para></listitem>
933                                 <listitem><para>Upload Printer Drivers to Samba Servers</para></listitem>
934                                 <listitem><para>Install Software</para></listitem>
935                                 <listitem><para>Creation of Roll-out Images</para></listitem>
936                         </orderedlist>
937                 </listitem>
938         </itemizedlist>
941         </sect2>
943 </sect1>
945 <sect1>
946         <title>Samba Server Implementation</title>
948       <para><indexterm>
949           <primary>file servers</primary>
950         </indexterm><indexterm>
951           <primary>BDC</primary>
952         </indexterm>
953         The network design shown in <link linkend="chap6net"/> is not comprehensive. It is assumed
954         that you will install additional file servers, and possibly additional BDCs.
955         </para>
957         <image id="chap6net">
958                 <imagedescription>Network Topology &smbmdash; 500 User Network Using ldapsam passdb backend.</imagedescription>
959                 <imagefile scale="70">chap6-net</imagefile>
960         </image>
962       <para><indexterm>
963           <primary>SUSE Linux</primary>
964         </indexterm><indexterm>
965           <primary>Red Hat Linux</primary>
966         </indexterm>
967         All configuration files and locations are shown for SUSE Linux 9.0. The file locations for
968         Red Hat Linux are similar. You may need to adjust the locations for your particular
969         Linux system distribution/implementation.
970         </para>
972         <para>
973         The steps in the process involve changes from the network configuration
974         shown in <link linkend="Big500users"/>.
975         Before implementing the following steps, you must have completed the network implementation shown
976         in that chapter. If you are starting with newly installed Linux servers, you must complete
977         the steps shown in <link linkend="ch5-dnshcp-setup"/> before commencing
978         at <link linkend="ldapsetup"/>:
979         </para>
981         <sect2 id="ldapsetup">
982         <title>OpenLDAP Server Configuration</title>
984         <para><indexterm>
985             <primary>nss_ldap</primary>
986           </indexterm><indexterm>
987             <primary>pam_ldap</primary>
988           </indexterm><indexterm>
989             <primary>openldap</primary>
990           </indexterm>
991         Confirm that the packages shown in <link linkend="oldapreq"/> are installed on your system.
992         </para>
994         <table id="oldapreq">
995                 <title>Required OpenLDAP Linux Packages</title>
996                 <tgroup cols="3">
997                         <colspec align="left"/>
998                         <colspec align="left"/>
999                         <colspec align="left"/>
1000                         <thead>
1001                                 <row>
1002                                         <entry align="center">SUSE Linux 8.x</entry>
1003                                         <entry align="center">SUSE Linux 9</entry>
1004                                         <entry align="center">Red Hat Linux 9</entry>
1005                                 </row>
1006                         </thead>
1007                         <tbody>
1008                                 <row>
1009                                         <entry>nss_ldap</entry>
1010                                         <entry>nss_ldap</entry>
1011                                         <entry>nss_ldap</entry>
1012                                 </row>
1013                                 <row>
1014                                         <entry>pam_ldap</entry>
1015                                         <entry>pam_ldap</entry>
1016                                         <entry>pam_ldap</entry>
1017                                 </row>
1018                                 <row>
1019                                         <entry>openldap2</entry>
1020                                         <entry>openldap2</entry>
1021                                         <entry>openldap</entry>
1022                                 </row>
1023                                 <row>
1024                                         <entry>openldap2-client</entry>
1025                                         <entry>openldap2-client</entry>
1026                                         <entry></entry>
1027                                 </row>
1028                                 <row>
1029                                         <entry></entry>
1030                                         <entry>openldap2-back-perl</entry>
1031                                         <entry></entry>
1032                                 </row>
1033                                 <row>
1034                                         <entry></entry>
1035                                         <entry>openldap2-back-monitor</entry>
1036                                         <entry></entry>
1037                                 </row>
1038                                 <row>
1039                                         <entry></entry>
1040                                         <entry>openldap2-back-ldap</entry>
1041                                         <entry></entry>
1042                                 </row>
1043                                 <row>
1044                                         <entry></entry>
1045                                         <entry>openldap2-back-meta</entry>
1046                                         <entry></entry>
1047                                 </row>
1048                         </tbody>
1049                 </tgroup>
1050         </table>
1052         <para>
1053         Samba-3 and OpenLDAP have a degree of interdependence that is unavoidable. The method
1054         for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
1055         follow these guidelines, the resulting system should work fine.
1056         </para>
1058 <?latex \newpage ?>
1060         <procedure>
1061           <step><para><indexterm>
1062                 <primary>/etc/openldap/slapd.conf</primary>
1063               </indexterm>
1064                 Install the file shown in <link linkend="ch6-slapdconf"/> in the directory
1065                 <filename>/etc/openldap</filename>.
1066                 </para></step>
1068           <step><para><indexterm>
1069                 <primary>/var/lib/ldap</primary>
1070               </indexterm><indexterm>
1071                 <primary>group account</primary>
1072               </indexterm><indexterm>
1073                 <primary>user account</primary>
1074               </indexterm>
1075                 Remove all files from the directory <filename>/var/lib/ldap</filename>, making certain that
1076                 the directory exists with permissions:
1077 <screen>
1078 &rootprompt; ls -al /var/lib | grep ldap
1079 drwx------   2 ldap    ldap       48 Dec 15 22:11 ldap
1080 </screen>
1081                 This may require you to add a user and a group account for LDAP if they do not exist.
1082                 </para></step>
1084         </procedure>
1087 <example id="ch6-slapdconf">
1088 <title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename></title>
1089 <screen>
1090 include         /etc/openldap/schema/core.schema
1091 include         /etc/openldap/schema/cosine.schema
1092 include         /etc/openldap/schema/inetorgperson.schema
1093 include         /etc/openldap/schema/nis.schema
1094 include         /etc/openldap/schema/samba.schema
1096 pidfile         /var/run/slapd/slapd.pid
1097 argsfile        /var/run/slapd/slapd.args
1099 database        ldbm
1100 suffix          "dc=abmas,dc=biz"
1101 rootdn          "cn=Manager,dc=abmas,dc=biz"
1103 # rootpw = not24get
1104 rootpw          {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
1106 directory       /var/lib/ldap
1108 # Indices to maintain
1109 index objectClass           eq
1110 index cn                    pres,sub,eq
1111 index sn                    pres,sub,eq
1112 index uid                   pres,sub,eq
1113 index displayName           pres,sub,eq
1114 index uidNumber             eq
1115 index gidNumber             eq
1116 index memberUID             eq
1117 index sambaSID              eq
1118 index sambaPrimaryGroupSID  eq
1119 index sambaDomainName       eq
1120 index default               sub
1121 </screen>
1122 </example>
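<para>
The <constant>rootpw</constant> line in <link linkend="ch6-slapdconf"/> is a <constant>{SSHA}</constant>
hash, normally produced with <command>slappasswd</command>. The following Python code is an added example,
not part of the Samba Guide or of OpenLDAP: it reproduces the scheme (base64 of SHA-1 over the password
plus a 4-byte random salt, followed by the salt), verifies a candidate password against such a hash, and
scans a <filename>slapd.conf</filename> text for <constant>rootpw</constant> values that leak the secret
anyway. The sample configuration excerpt and the helper names are mine. Note that the commented-out
<constant># rootpw = not24get</constant> line in the example above is exactly what the scanner flags:
anyone who can read <filename>slapd.conf</filename> learns the directory manager's password from it,
whatever the hash on the next line achieves.
</para>

```python
"""Generate, verify and lint the {SSHA} rootpw used in /etc/openldap/slapd.conf.

Added example, not part of the Samba Guide (the guide produces the hash with
slappasswd). {SSHA} is base64(sha1(password + salt) + salt); slappasswd uses
a random 4-byte salt. The lint helper and the sample configuration text are
mine.
"""
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20

# Constructed excerpt modelled on the chapter's slapd.conf example.
SAMPLE_SLAPD_CONF = """\
rootdn          "cn=Manager,dc=abmas,dc=biz"
# rootpw = not24get
rootpw          {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
"""


def make_ssha(password: str, salt=None) -> str:
    """Return a {SSHA} string for password, using a fresh 4-byte salt unless one is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value: str) -> tuple:
    """Split a {SSHA} string into (digest, salt); raise ValueError if it is malformed."""
    if not value.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len(SSHA_PREFIX):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} payload too short to hold a digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(value: str, password: str) -> bool:
    """Check password against a {SSHA} value; the digest comparison is constant-time."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def rootpw_findings(slapd_conf: str) -> list:
    """Report rootpw lines that expose the secret despite the {SSHA} hash.

    A cleartext rootpw directive is an obvious problem; a commented-out
    cleartext value is just as bad, because anyone who can read slapd.conf
    learns the directory manager password from it.
    """
    findings = []
    for lineno, line in enumerate(slapd_conf.splitlines(), 1):
        stripped = line.strip()
        commented = stripped.startswith("#")
        body = stripped.lstrip("#").strip() if commented else stripped
        if not body.startswith("rootpw"):
            continue
        value = body[len("rootpw"):].lstrip(" \t=")
        if value and not value.startswith("{"):
            where = "commented-out" if commented else "active"
            findings.append(f"line {lineno}: {where} rootpw holds a cleartext password")
    return findings


if __name__ == "__main__":
    hashed = make_ssha("not24get")
    print(hashed, verify_ssha(hashed, "not24get"))
    for finding in rootpw_findings(SAMPLE_SLAPD_CONF):
        print(finding)
```

<para>
A hash produced by <command>slappasswd -s</command> and one produced by <function>make_ssha</function>
are both valid <constant>{SSHA}</constant> encodings, and <function>verify_ssha</function> accepts either.
Whichever tool generates it, keep <filename>slapd.conf</filename> readable only by the account that runs
<command>slapd</command>, and do not leave the cleartext in a comment beside it.
</para>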
1124         </sect2>
1126         <sect2 id="ch6-PAM-NSS">
1127         <title>PAM and NSS Client Configuration</title>
1129         <para><indexterm>
1130             <primary>LDAP</primary>
1131           </indexterm><indexterm>
1132             <primary>NSS</primary>
1133           </indexterm><indexterm>
1134             <primary>PAM</primary>
1135           </indexterm>
1136         The steps that follow configure LDAP-based resolution of users and groups through the Name Service
1137         Switch (NSS). So that LDAP-based accounts can also log onto the system, the steps ahead
1138         configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
1139         </para>
1141         <para>
1142         Since you have chosen to put UNIX user and group accounts into the LDAP database, you will
1143         probably also want to use them for UNIX system (Linux) local machine logons. This necessitates
1144           correct configuration of the Pluggable Authentication
1145           Modules<indexterm>
1146             <primary>Pluggable Authentication Modules</primary>
1147             <see>PAM</see>
1148           </indexterm><indexterm>
1149             <primary>pam_unix2.so</primary>
1150           </indexterm>
1151           (PAM). The <command>pam_ldap</command>
1152         open source package provides the PAM modules that most people would use. On SUSE Linux systems,
1153         the <command>pam_unix2.so</command> module also has the ability to redirect authentication requests
1154         through LDAP.
1155         </para>
1157         <para><indexterm>
1158             <primary>YaST</primary>
1159           </indexterm><indexterm>
1160             <primary>SUSE Linux</primary>
1161           </indexterm><indexterm>
1162             <primary>Red Hat Linux</primary>
1163           </indexterm><indexterm>
1164             <primary>authconfig</primary>
1165           </indexterm>
1166         You have chosen to configure these services by directly editing the system files, but this
1167         configuration can, of course, also be done with the system tools provided by the Linux vendor.
1168           SUSE Linux has a facility in YaST (the system admin tool) through <menuchoice><guimenu>yast</guimenu>
1169         <guimenuitem>system</guimenuitem><guimenuitem>ldap-client</guimenuitem></menuchoice> that permits
1170         configuration of SUSE Linux as an LDAP client. Red Hat Linux provides
1171           the <command>authconfig</command>
1172         tool for this.
1173         </para>
1175         <procedure>
1176           <step><para><indexterm>
1177                 <primary>/lib/libnss_ldap.so.2</primary>
1178               </indexterm><indexterm>
1179                 <primary>/etc/ldap.conf</primary>
1180               </indexterm><indexterm>
1181                 <primary>nss_ldap</primary>
1182               </indexterm>
1183                 Execute the following command to find where the <filename>nss_ldap</filename> module
1184                 expects to find its control file:
1185 <screen>
1186 &rootprompt; strings /lib/libnss_ldap.so.2 | grep conf
1187 </screen>
1188                 The preferred and usual location is <filename>/etc/ldap.conf</filename>.
1189                 </para></step>
1191                 <step><para>
1192                 On the server <constant>MASSIVE</constant>, install the file shown in 
1193                 <link linkend="ch6-nss01"/> into the path that was obtained from the step above.
1194                 On the servers called <constant>BLDG1</constant> and <constant>BLDG2</constant>, install the file shown in
1195                 <link linkend="ch6-nss02"/> into the path that was obtained from the step above.
1196                 </para></step>
1198 <example id="ch6-nss01">
1199 <title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
1200 <screen>
1201 SIZELIMIT       200
1202 TIMELIMIT       15
1203 DEREF           never
1205 host 127.0.0.1
1206 base dc=abmas,dc=biz
1207 binddn cn=Manager,dc=abmas,dc=biz
1208 bindpw not24get
1210 pam_password exop
1212 nss_base_passwd ou=People,dc=abmas,dc=biz?one
1213 nss_base_shadow ou=People,dc=abmas,dc=biz?one
1214 nss_base_group  ou=Groups,dc=abmas,dc=biz?one
1215 </screen>
1216 </example>
1218 <example id="ch6-nss02">
1219 <title>Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
1220 <screen>
1221 SIZELIMIT       200
1222 TIMELIMIT       15
1223 DEREF           never
1225 host  172.16.0.1
1226 base dc=abmas,dc=biz
1227 binddn cn=Manager,dc=abmas,dc=biz
1228 bindpw not24get
1230 pam_password exop
1232 nss_base_passwd ou=People,dc=abmas,dc=biz?one
1233 nss_base_shadow ou=People,dc=abmas,dc=biz?one
1234 nss_base_group  ou=Groups,dc=abmas,dc=biz?one
1235 </screen>
1236 </example>
1238           <step><para><indexterm>
1239                 <primary>/etc/nsswitch.conf</primary>
1240               </indexterm>
1241                 Edit the NSS control file (<filename>/etc/nsswitch.conf</filename>) so that the lines that
1242                 control user and group resolution will obtain information from the normal system files as
1243                 well as from <command>ldap</command> as follows:
1244 <screen>
1245 passwd: files ldap
1246 shadow: files ldap
1247 group:  files ldap
1248 hosts:  files dns wins
1249 </screen>
1250                 Later, when the LDAP database has been initialized and user and group accounts have been
1251                 added, you can validate resolution of the LDAP resolver process. The inclusion of 
1252                 WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be 
1253                 resolved to their IP addresses, whether or not they are DHCP clients.
1254                 </para></step>
1256           <step><para><indexterm>
1257                 <primary>pam_unix2.so</primary>
1258                 <secondary>use_ldap</secondary>
1259               </indexterm>
1260                 For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
1261                 files in the <filename>/etc/pam.d</filename> directory:
1262               <command>login, password, samba, sshd</command>.
1263                 In each file, locate every entry that has the <command>pam_unix2.so</command> entry and add to the
1264                 line the entry <command>use_ldap</command> as shown for the
1265               <command>login</command> module in
1266                 this example:
1267 <screen>
1268 #%PAM-1.0
1269 auth      requisite  pam_unix2.so   nullok use_ldap #set_secrpc
1270 auth      required   pam_securetty.so
1271 auth      required   pam_nologin.so
1272 #auth     required   pam_homecheck.so
1273 auth      required   pam_env.so
1274 auth      required   pam_mail.so
1275 account   required   pam_unix2.so   use_ldap
1276 password  required   pam_pwcheck.so nullok
1277 password  required   pam_unix2.so   nullok use_first_pass \
1278                                     use_authtok use_ldap
1279 session   required   pam_unix2.so   none use_ldap # debug or trace
1280 session   required   pam_limits.so
1281 </screen>
1282                 </para>
1284             <para><indexterm>
1285                 <primary>pam_ldap.so</primary>
1286               </indexterm>
1287                 On other Linux systems that do not have an LDAP-enabled <command>pam_unix2.so</command> module,
1288                 you must edit these files by adding the <command>pam_ldap.so</command> modules as shown here:
1289 <screen>
1290 #%PAM-1.0
1291 auth     required    pam_securetty.so
1292 auth     required    pam_nologin.so
1293 auth     sufficient  pam_ldap.so
1294 auth     required    pam_unix2.so   nullok try_first_pass #set_secrpc
1295 account  sufficient  pam_ldap.so
1296 account  required    pam_unix2.so
1297 password required    pam_pwcheck.so nullok
1298 password required    pam_ldap.so    use_first_pass use_authtok
1299 password required    pam_unix2.so   nullok use_first_pass use_authtok
1300 session  required    pam_unix2.so   none # debug or trace
1301 session  required    pam_limits.so
1302 session  required    pam_env.so
1303 session  optional    pam_mail.so
1304 </screen>
1305                 This example does have the LDAP-enabled <command>pam_unix2.so</command>, but simply
1306                 demonstrates the use of the <command>pam_ldap.so</command> module. You can use either
1307                 implementation, but if the <command>pam_unix2.so</command> on your system supports
1308                 LDAP, you probably want to use it, rather than add an additional module.
1309                 </para></step>
1310         </procedure>
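<para>
As an added check, not part of the Samba Guide or of any Samba or nss_ldap code, the following POSIX shell
functions verify the client configuration that the steps above produce: that <filename>/etc/nsswitch.conf</filename>
consults both files and ldap for passwd, shadow and group; that <filename>/etc/ldap.conf</filename> carries the keys
nss_ldap needs; and that each PAM service file either adds <command>use_ldap</command> to every
<command>pam_unix2.so</command> line or stacks <command>pam_ldap.so</command> for auth, account and password.
Because nss_ldap reads <filename>/etc/ldap.conf</filename> from every unprivileged process that resolves a user,
a <command>bindpw</command> placed there (the Manager password in the examples above) is readable by all local
users, so the check also reports a bindpw in a world-readable file. The permission check assumes GNU
<command>stat</command>; the function and file names are this example's own.
</para>

```shell
#!/bin/sh
# Added example, not from the Samba Guide: sanity checks for the nss_ldap and PAM
# client configuration installed in the steps above. Each function takes the path
# of the file to inspect, so the checks can be run against live files or copies.

# Verify that passwd, shadow and group in nsswitch.conf consult both the local
# files and ldap. Returns 0 when all three do, 1 otherwise.
check_nsswitch() {
    nss="$1"; rc=0
    for db in passwd shadow group; do
        line=$(grep "^${db}:" "$nss" || true)
        case "$line" in
            *files*ldap*) ;;
            *) echo "nsswitch: ${db} is not 'files ldap' (got: ${line:-(missing)})"; rc=1 ;;
        esac
    done
    return $rc
}

# Verify that ldap.conf carries the keys nss_ldap needs, and flag a bindpw kept in
# a world-readable file: nss_ldap reads this file from unprivileged processes, so
# such a password is not a secret from local users. Uses GNU stat (assumption).
check_ldap_conf() {
    conf="$1"; rc=0
    for key in host base nss_base_passwd nss_base_shadow nss_base_group; do
        grep -q "^${key}[[:space:]]" "$conf" || { echo "ldap.conf: ${key} missing"; rc=1; }
    done
    if grep -q '^bindpw[[:space:]]' "$conf"; then
        mode=$(stat -c '%a' "$conf")     # octal mode such as 644; last digit is "other"
        case "$mode" in
            *[4-7]) echo "ldap.conf: bindpw stored in a world-readable file (mode ${mode})"; rc=1 ;;
        esac
    fi
    return $rc
}

# Verify one /etc/pam.d service file. Backslash-continued lines are joined and
# comment lines dropped, as PAM does when it reads the file; then either every
# pam_unix2.so line must carry use_ldap, or pam_ldap.so must be stacked for the
# auth, account and password types.
check_pam_file() {
    pamf="$1"
    joined=$(awk '/\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); printf "%s", $0; next }
                  { print }' "$pamf" | grep -v '^[[:space:]]*#' || true)
    if printf '%s\n' "$joined" | grep -q 'pam_ldap\.so'; then
        for t in auth account password; do
            printf '%s\n' "$joined" | grep -q "^${t}[[:space:]].*pam_ldap\.so" \
                || { echo "pam: ${t} stack in ${pamf} lacks pam_ldap.so"; return 1; }
        done
        return 0
    fi
    bad=$(printf '%s\n' "$joined" | grep 'pam_unix2\.so' | grep -v 'use_ldap' || true)
    [ -z "$bad" ] || { echo "pam: pam_unix2.so without use_ldap in ${pamf}:"; echo "$bad"; return 1; }
    return 0
}

# Check the four service files named in the step above under a pam.d directory.
check_pam_dir() {
    rc=0
    for svc in login password samba sshd; do
        [ -f "$1/$svc" ] || { echo "pam: $1/$svc not found"; rc=1; continue; }
        check_pam_file "$1/$svc" || rc=1
    done
    return $rc
}
```

<para>
On each of <constant>MASSIVE</constant>, <constant>BLDG1</constant> and <constant>BLDG2</constant> the checks are
run against the live files, for example <command>check_nsswitch /etc/nsswitch.conf</command>,
<command>check_ldap_conf /etc/ldap.conf</command> and <command>check_pam_dir /etc/pam.d</command>; a non-zero
return value and the printed lines say which file needs attention.
</para>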
1312         </sect2>
1314         <sect2 id="ch6-massive">
1315         <title>Samba-3 PDC Configuration</title>
1317         <para><indexterm>
1318             <primary>Samba RPM Packages</primary>
1319           </indexterm>
1320         Verify that the Samba-3.0.2 (or later) packages are installed on each SUSE Linux server 
1321         before following the steps below. If Samba-3.0.2 (or later) is not installed, you have the
1322         choice to either build your own or to obtain the packages from a dependable source.
1323         Packages for SUSE Linux 8.2 and 9.0, and Red Hat 9.0 are included on the CD-ROM that
1324         is included at the back of this book.
1325         </para>
1327         <procedure>
1328         <title>Configuration of PDC Called: <constant>MASSIVE</constant></title>
1329                 <step><para>
1330                 Install the files in <link linkend="ch6-massive-smbconfa"/>, 
1331                 <link linkend="ch6-massive-smbconfb"/>, <link linkend="ch6-shareconfa"/>, 
1332                 and <link linkend="ch6-shareconfb"/> into the <filename>/etc/samba/</filename> 
1333                 directory. The three files should be added together to form the &smb.conf; 
1334                 file.
1335                 </para></step>
1337           <step><para><indexterm>
1338                 <primary>testparm</primary>
1339               </indexterm>
1340                 Verify the contents of the &smb.conf; file that is generated by Samba
1341                 as it collates all the included files. You do this by executing:
1342 <screen>
1343 &rootprompt; testparm -s &gt; test.conf
1344 </screen>
1345                 The output that is created should be free from errors, as shown here:
1347 <screen>
1348 Processing section "[homes]"
1349 Processing section "[printers]"
1350 Processing section "[apps]"
1351 Processing section "[netlogon]"
1352 Processing section "[profiles]"
1353 Processing section "[profdata]"
1354 Processing section "[IPC$]"
1355 Processing section "[accounts]"
1356 Processing section "[service]"
1357 Processing section "[pidata]"
1358 Loaded services file OK.
1359 </screen>
1360                 </para></step>
1361                 
1362                 <step><para>
1363                 Delete all run-time files from prior Samba operation by executing (for SUSE
1364                 Linux):
1365 <screen>
1366 &rootprompt; rm /etc/samba/*tdb
1367 &rootprompt; rm /var/lib/samba/*tdb
1368 &rootprompt; rm /var/lib/samba/*dat
1369 &rootprompt; rm /var/log/samba/*
1370 </screen>
1371                 </para></step>
1373           <step><para><indexterm>
1374                 <primary>secrets.tdb</primary>
1375               </indexterm><indexterm>
1376                 <primary>smbpasswd</primary>
1377               </indexterm>
1378                 Samba-3 communicates with the LDAP server. The password that it uses to
1379                 authenticate to the LDAP server must be stored in the <filename>secrets.tdb</filename>
1380                 file. Execute the following to create the new <filename>secrets.tdb</filename> files
1381                 and store the password for the LDAP Manager:
1382 <screen>
1383 &rootprompt; smbpasswd -w not24get
1384 </screen>
1385                 The expected output from this command is:
1386 <screen>
1387 Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
1388 </screen>
1389                 </para></step>
1391           <step><para><indexterm>
1392                 <primary>smbd</primary>
1393               </indexterm><indexterm>
1394                 <primary>net</primary>
1395                 <secondary>getlocalsid</secondary>
1396               </indexterm>
1397                 Samba-3 generates a Windows Security Identifier only when <command>smbd</command>
1398                 has been started. For this reason, you start Samba. After a delay of a few seconds,
1399                 execute:
1400 <screen>
1401 &rootprompt; smbclient -L localhost -U%
1402 &rootprompt; net getlocalsid
1403 </screen>
1404                 A report such as the following means that the Domain Security Identifier (SID) has not yet
1405                 been written to the <filename>secrets.tdb</filename> or to the LDAP backend:
1406 <screen>
1407 [2003/12/16 22:32:20, 0] utils/net.c:net_getlocalsid(414)
1408   Can't fetch domain SID for name: MASSIVE
1409 </screen>
1410                 When the Domain has been created and written to the <filename>secrets.tdb</filename>
1411                 file, the output should look like this:
1412 <screen>
1413 SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
1414 </screen>
1415                 If, after a short delay (a few seconds), the Domain SID has still not been written to 
1416                 the <filename>secrets.tdb</filename> file, it is necessary to investigate what 
1417                 may be misconfigured. In this case, carefully check the &smb.conf; file for typographical 
1418                 errors (the most common problem). Use of <command>testparm</command> is highly 
1419                 recommended to validate the contents of this file.
1420                 </para></step>
1422                 <step><para>
1423                 When a positive Domain SID has been reported, stop Samba.
1424                 </para></step>
1426                 <step><para>
1427                 <indexterm>
1428                         <primary>NFS server</primary>
1429                 </indexterm>
1430                 <indexterm>
1431                         <primary>/etc/exports</primary>
1432                 </indexterm>
1433                 <indexterm>
1434                         <primary>BDC</primary>
1435                 </indexterm>
1436                 <indexterm>
1437                         <primary>rsync</primary>
1438                 </indexterm>
1439                 Configure the NFS server for your Linux system. So that you can complete the steps that
1440                 follow, add the following entry to <filename>/etc/exports</filename>:
1441 <screen>
1442 /home   *(rw,root_squash,sync)
1443 </screen>
1444                 This permits the user home directories to be used on the BDC servers for testing
1445                 purposes. You, of course, decide what is the best way for your site to distribute
1446                 data drives, as well as creating suitable backup and restore procedures for Abmas Inc.
1447                 I'd strongly recommend that for normal operation the BDC is completely independent 
1448                 of the PDC. rsync is a useful tool here as it resembles the NT replication service quite 
1449                 closely. If you do use NFS, do not forget to start the NFS server as follows:
1450 <screen>
1451 &rootprompt; rcnfs start
1452 </screen>
1453                 </para></step>
1454         </procedure>
1456         <para>
1457         Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
1458         configuration of the LDAP server.
1459         </para>
1461 <smbconfexample id="ch6-massive-smbconfa">
1462 <title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part A</title>
1463 <smbconfcomment>Global parameters</smbconfcomment>
1464 <smbconfsection>[global]</smbconfsection>
1465         <smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
1466         <smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
1467         <smbconfoption><name>netbios name</name><value>MASSIVE</value></smbconfoption>
1468         <smbconfoption><name>interfaces</name><value>eth1, lo</value></smbconfoption>
1469         <smbconfoption><name>bind interfaces only</name><value>Yes</value></smbconfoption>
1470         <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption>
1471         <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
1472         <smbconfoption><name>log level</name><value>1</value></smbconfoption>
1473         <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
1474         <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
1475         <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
1476         <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
1477         <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
1478         <smbconfoption><name>time server</name><value>Yes</value></smbconfoption>
1479         <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
1480         <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
1481         <smbconfoption><name>add user script</name><value>/var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'</value></smbconfoption>
1482         <smbconfoption><name>delete user script</name><value>/var/lib/samba/sbin/smbldap-userdel.pl %u</value></smbconfoption>
1483         <smbconfoption><name>add group script</name><value>/var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'</value></smbconfoption>
1484         <smbconfoption><name>delete group script</name><value>/var/lib/samba/sbin/smbldap-groupdel.pl '%g'</value></smbconfoption>
1485         <smbconfoption><name>add user to group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
1486                 <member><parameter>smbldap-groupmod.pl -m '%u' '%g'</parameter></member>
1487         <smbconfoption><name>delete user from group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
1488                 <member><parameter>smbldap-groupmod.pl -x '%u' '%g'</parameter></member>
1489         <smbconfoption><name>set primary group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
1490                 <member><parameter>smbldap-usermod.pl -g '%g' '%u'</parameter></member>
1491         <smbconfoption><name>add machine script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
1492                 <member><parameter>smbldap-useradd.pl -w '%u'</parameter></member>
1493         <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
1494         <smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
1495         <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
1496         <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
1497         <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
1498         <smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
1499         <smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
1500         <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
1501         <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
1502         <smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
1503 </smbconfexample>
1505 <smbconfexample id="ch6-massive-smbconfb">
1506 <title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title>
1507         <smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
1508         <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
1509         <smbconfoption><name>idmap backend</name><value>ldap:ldap://massive.abmas.biz</value></smbconfoption>
1510         <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
1511         <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
1512         <smbconfoption><name>map acl inherit</name><value>Yes</value></smbconfoption>
1513         <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
1514         <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption>
1515 </smbconfexample>
1517         </sect2>
1520         <sect2>
1521         <title>Install and Configure Idealx SMB-LDAP Scripts</title>
1523         <para><indexterm>
1524             <primary>Idealx</primary>
1525             <secondary>smbldap-tools</secondary>
1526           </indexterm>
1527         The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
1528         on the LDAP server. You have chosen the Idealx scripts since they are part of the
1529         Samba-3 package distribution. On your SUSE Linux system, you find these scripts in the
1530         <filename>/usr/share/doc/packages/samba3/Examples/LDAP/smbldap-tools</filename>
1531         directory. On a Red Hat Linux system, they are in a similar path. If you cannot find
1532         the scripts on your system, it is easy enough to download them from the Idealx
1533         <ulink url="http://samba.idealx.org/index.en.html">Web site</ulink>. The tarball may
1534         also be <ulink
1535             url="http://samba.idealx.org/dist/smbldap-tools-0.8.2.tgz">downloaded</ulink>
1536         directly from this site.
1537         </para>
1539         <para>
1540         In your installation, the smbldap-tools are located in <filename>/var/lib/samba/sbin</filename>.
1541         They can be installed in any convenient directory of your choice, in which case you must
1542         change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</constant>).
1543         </para>
1545         <para>
1546         The scripts are not needed on BDC machines because all LDAP updates are handled by
1547         the PDC alone.
1548         </para>
1550         <procedure id="idealxscript">
1551                 <step><para>
1552                 Create the <filename>/var/lib/samba/sbin</filename> directory, and set its permissions
1553                 and ownership as shown here:
1554 <screen>
1555 &rootprompt; mkdir -p /var/lib/samba/sbin
1556 &rootprompt; chown root.root /var/lib/samba/sbin
1557 &rootprompt; chmod 755 /var/lib/samba/sbin
1558 </screen>
1559                 </para></step>
1561                 <step><para>
1562                 If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
1563                 Change into either the directory extracted from the tarball, or else into the smbldap-tools
1564                 directory in your <filename>/usr/share/doc/packages</filename> directory tree.
1565                 </para></step>
1567                 <step><para>
1568                 Copy all the <filename>.pl</filename> and <filename>.pm</filename> files into the 
1569                 <filename>/var/lib/samba/sbin</filename> directory, as shown here:
1570 <screen>
1571 &rootprompt; cd /usr/share/doc/packages/samba3/Examples/LDAP/smbldap-tools
1572 &rootprompt; cp *.pl *.pm /var/lib/samba/sbin
1573 </screen>
1574                 </para></step>
1576           <step><para><indexterm>
1577                 <primary>mkntpwd</primary>
1578               </indexterm>
1579                 You must compile the <command>mkntpwd</command> tool and then install it into
1580                 the <filename>/var/lib/samba/sbin</filename> directory, as shown here:
1581 <screen>
1582 &rootprompt; cd mkntpwd
1583 &rootprompt; make
1584 gcc  -O2 -DMPU8086  -c -o getopt.o getopt.c
1585 gcc  -O2 -DMPU8086  -c -o md4.o md4.c
1586 gcc  -O2 -DMPU8086  -c -o mkntpwd.o mkntpwd.c
1587 mkntpwd.c: In function `main':
1588 mkntpwd.c:37: warning: return type of `main' is not `int'
1589 gcc  -O2 -DMPU8086  -c -o smbdes.o smbdes.c
1590 gcc  -O2 -DMPU8086  -o mkntpwd getopt.o md4.o mkntpwd.o smbdes.o
1591 &rootprompt; cp mkntpwd /var/lib/samba/sbin
1592 </screen>
1593                 The smbldap-tools scripts must now be configured.
1594                 </para></step>
1596                 <step><para>
1597                 Change to the <filename>/var/lib/samba/sbin</filename> directory, and edit the
1598                 <filename>/var/lib/samba/sbin/smbldap_conf.pm</filename> to effect the changes
1599                 shown here:
1600 <screen>
1601 # Put your own SID
1602 # to obtain this number do: "net getlocalsid"
1603 #$SID='S-1-5-21-1671648649-242858427-2873575837';
1604 $SID='S-1-5-21-3504140859-1010554828-2431957765';
1606 # LDAP Suffix
1607 # Ex: $suffix = "dc=IDEALX,dc=ORG";
1608 $suffix = "dc=abmas,dc=biz";
1610 # Where are stored Users
1611 # Ex: $usersdn = "ou=Users,$suffix"; ...
1612 $usersou = q(People);
1613 $usersdn = "ou=$usersou,$suffix";
1615 # Where are stored Computers
1616 # Ex: $computersdn = "ou=Computers,$suffix"; ...
1617 $computersou = q(People);
1618 $computersdn = "ou=$computersou,$suffix";
1620 # Where are stored Groups
1621 # Ex $groupsdn = "ou=Groups,$suffix"; ...
1622 $groupsou = q(Groups);
1623 $groupsdn = "ou=$groupsou,$suffix";
1625 # Default scope Used
1626 $scope = "sub";
1628 # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
1629 $hash_encrypt="MD5";
1631 ############################
1632 # Credential Configuration #
1633 ############################
1634 # Bind DN used
1635 # Ex: $binddn = "cn=admin,$suffix"; ...
1636 $binddn = "cn=Manager,$suffix";
1638 # Bind DN passwd used
1639 # Ex: $bindpasswd = 'secret'; for 'secret'
1640 $bindpasswd = 'not24get';
1642 # Login defs
1643 # Default Login Shell
1644 # Ex: $_userLoginShell = q(/bin/bash);
1645 #$_userLoginShell = q(_LOGINSHELL_);
1646 $_userLoginShell = q(/bin/bash);
1648 # Home directory prefix (without username)
1649 # Ex: $_userHomePrefix = q(/home/);
1650 #$_userHomePrefix = q(_HOMEPREFIX_);
1651 $_userHomePrefix = q(/home/);
1653 # The UNC path to home drives location without the 
1654 # username last extension (will be dynamically prepended)
1655 # Ex: q(\\\\My-PDC-netbios-name\\homes)
1656 # Just comment this if you want to use the smb.conf 
1657 # 'logon home' directive and/or disabling roaming profiles
1658 #$_userSmbHome = q(\\\\_PDCNAME_\\homes);
1659 $_userSmbHome = q(\\\\MASSIVE\\homes);
1661 # The UNC path to profiles locations without the username 
1662 # last extension (will be dynamically prepended)
1663 # Ex: q(\\\\My-PDC-netbios-name\\profiles\\)
1664 # Just comment this if you want to use the smb.conf 
1665 # 'logon path' directive and/or disabling roaming profiles
1666 $_userProfile = q(\\\\MASSIVE\\profiles\\);
1668 # The default Home Drive Letter mapping
1669 # (automatically mapped at logon time if home directory exists)
1670 # Ex: q(U:) for U:
1671 #$_userHomeDrive = q(_HOMEDRIVE_);
1672 $_userHomeDrive = q(H:);
1674 # Allows not to use smbpasswd 
1675 # (if $with_smbpasswd == 0 in smbldap_conf.pm) but
1676 # prefer mkntpwd... most of the time, it's a wise choice :-)
1677 $with_smbpasswd = 0;
1678 $smbpasswd = "/usr/bin/smbpasswd";
1679 $mk_ntpasswd = "/var/lib/samba/sbin/mkntpwd";
1681 </screen>
1682                 </para></step>
1684                 <step><para>
1685                 To complete the configuration of the smbldap-tools, set the permissions and ownership
1686                 by executing the following commands:
1687 <screen>
1688 &rootprompt; chown root.root /var/lib/samba/sbin/* 
1689 &rootprompt; chmod 755 /var/lib/samba/sbin/smb*pl 
1690 &rootprompt; chmod 640 /var/lib/samba/sbin/smb*pm 
1691 &rootprompt; chmod 555 /var/lib/samba/sbin/mkntpwd
1692 </screen>
1693                 The smbldap-tools scripts are now ready for use.
1694                 </para></step>
1695         </procedure>
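<para>
The PDC steps and the smbldap-tools steps above spread the same values over three files: the LDAP suffix and
admin DN appear in &smb.conf;, in <filename>/etc/ldap.conf</filename> and in
<filename>smbldap_conf.pm</filename>, and the domain SID reported by <command>net getlocalsid</command> must be
copied into <filename>smbldap_conf.pm</filename> by hand. The following POSIX shell functions, an added example
that is not part of the Samba Guide or of the Idealx tools, cross-check those values before Samba is started.
They parse the files only; nothing here talks to LDAP or Samba. The function names are this example's own, and
the <command>net getlocalsid</command> output is passed in as a string so the check can also be run on saved output.
</para>

```shell
#!/bin/sh
# Added example, not from the Samba Guide: cross-check smb.conf, /etc/ldap.conf and
# smbldap_conf.pm against each other and against the SID from `net getlocalsid`.

# Print the value of an smb.conf parameter (first occurrence). The line is split at
# the first '=' so that values such as DNs keep their own '=' characters.
smbconf_get() {
    awk -v key="$2" '
        index($0, "=") > 0 {
            i = index($0, "="); name = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (name == key) { print val; exit }
        }' "$1"
}

# Print the value of a scalar assignment such as  $suffix = "dc=abmas,dc=biz";
# from smbldap_conf.pm, with quotes stripped. Commented-out assignments (#$SID=...)
# are ignored, so the active value is returned.
perlconf_get() {
    awk -v key="$2" '
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            if (substr(line, 1, 1) != "$") next
            i = index(line, "="); if (i == 0) next
            name = substr(line, 2, i - 2); gsub(/[[:space:]]/, "", name)
            if (name != key) next
            val = substr(line, i + 1); sub(/;.*$/, "", val)
            gsub(/[[:space:]"\047]/, "", val); print val; exit
        }' "$1"
}

# Replace the literal token $suffix in a value with the real suffix, as Perl does
# when it interpolates "cn=Manager,$suffix".
expand_suffix() {
    printf '%s\n' "$1" | sed "s/\\\$suffix/$2/g"
}

# Extract the SID from `net getlocalsid` output; prints nothing when the domain SID
# has not been written yet (the "Can't fetch domain SID" report shown above).
sid_from_net_output() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain [^ ]* is: \(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)$/\1/p'
}

# Run the cross-checks. Prints each mismatch; returns the number of problems found.
crosscheck() {
    smbconf="$1"; ldapconf="$2"; perlconf="$3"; netout="$4"; errs=0

    suffix=$(perlconf_get "$perlconf" suffix)
    smb_suffix=$(smbconf_get "$smbconf" "ldap suffix")
    ldap_base=$(awk '$1 == "base" { print $2; exit }' "$ldapconf")
    if [ "$smb_suffix" != "$suffix" ] || [ "$ldap_base" != "$suffix" ]; then
        echo "suffix mismatch: smb.conf='$smb_suffix' ldap.conf='$ldap_base' smbldap_conf.pm='$suffix'"
        errs=$((errs + 1))
    fi

    smb_admin=$(smbconf_get "$smbconf" "ldap admin dn")
    ldap_bind=$(awk '$1 == "binddn" { print $2; exit }' "$ldapconf")
    perl_bind=$(expand_suffix "$(perlconf_get "$perlconf" binddn)" "$suffix")
    if [ "$smb_admin" != "$ldap_bind" ] || [ "$perl_bind" != "$smb_admin" ]; then
        echo "bind DN mismatch: smb.conf='$smb_admin' ldap.conf='$ldap_bind' smbldap_conf.pm='$perl_bind'"
        errs=$((errs + 1))
    fi

    sid=$(sid_from_net_output "$netout")
    perl_sid=$(perlconf_get "$perlconf" SID)
    if [ -z "$sid" ]; then
        echo "domain SID not written yet; check smb.conf with testparm before continuing"
        errs=$((errs + 1))
    elif [ "$sid" != "$perl_sid" ]; then
        echo "SID mismatch: net getlocalsid='$sid' smbldap_conf.pm='$perl_sid'"
        errs=$((errs + 1))
    fi
    return $errs
}
```

<para>
On <constant>MASSIVE</constant> the check is run as
<command>crosscheck /etc/samba/smb.conf /etc/ldap.conf /var/lib/samba/sbin/smbldap_conf.pm "$(net getlocalsid)"</command>;
a non-zero return value names the file whose value disagrees with the others, which is the usual reason the
smbldap-tools later create accounts under the wrong suffix or with the wrong SID.
</para>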
1697         </sect2>
1699         <sect2>
1700         <title>LDAP Initialization and Creation of User and Group Accounts</title>
1702         <para>
1703         The LDAP database must be populated with well-known Windows Domain user accounts and Domain Group 
1704         accounts before Samba can be used. The following procedures step you through the process.
1705         </para>
1707         <para>
1708         At this time, Samba-3 requires that on a PDC all UNIX (Posix) group accounts that are
1709         mapped (linked) to Windows Domain Group accounts must be in the LDAP database. It does not
1710         hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
1711         database. From a UNIX system perspective, the NSS resolver checks system files before
1712         referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
1713         does not need to ask LDAP.
1714         </para>
1716         <para>
1717         Addition of an account to the LDAP backend can be done in a number of ways:
1718         </para>
1720         <blockquote><para><indexterm>
1721               <primary>NIS</primary>
1722             </indexterm><indexterm>
1723               <primary>/etc/passwd</primary>
1724             </indexterm><indexterm>
1725               <primary>Posix accounts</primary>
1726             </indexterm><indexterm>
1727               <primary>pdbedit</primary>
1728             </indexterm><indexterm>
1729               <primary>SambaSamAccount</primary>
1730             </indexterm><indexterm>
1731               <primary>PosixAccount</primary>
1732             </indexterm>
1733         If you always have a user account in the <filename>/etc/passwd</filename> on every 
1734         server or in a NIS(+) backend, it is not necessary to add Posix accounts for them in 
1735         LDAP. In this case, you can add Windows Domain user accounts using the 
1736         <command>pdbedit</command> utility. Use of this tool from the command line adds the 
1737         SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
1738         </para>
1740         <para>
1741         If you decide that it is probably a good idea to add both the PosixAccount attributes
1742         as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
1743         In the example system you are installing in this exercise, you are making use of the
1744         Idealx smbldap-tools scripts. A copy of these tools, pre-configured for this system,
1745         is included on the enclosed CD-ROM under <filename>Chap06/Tools.</filename>
1746         </para></blockquote>
1748         <para><indexterm>
1749             <primary>Idealx</primary>
1750             <secondary>smbldap-tools</secondary>
1751           </indexterm>
1752         If you wish to have more control over how the LDAP database is initialized or 
1753         do not want to use the Idealx smbldap-tools, you should refer to <link
1754             linkend="altldapcfg"/>.
1755         </para>
1757         <para><indexterm>
1758             <primary>smbldap-populate.pl</primary>
1759           </indexterm>
1760         The following steps initialize the LDAP database, after which you can add the user and group
1761         accounts that Samba uses. You use <command>smbldap-populate.pl</command> to
1762         seed the LDAP database. You then manually add the accounts shown in <link linkend="ch6-bigacct"/>. 
1763         The list of users does not cover all 500 network users; it provides examples only.
1764         </para>
1766         <note><para><indexterm>
1767               <primary>LDAP</primary>
1768               <secondary>database</secondary>
1769             </indexterm><indexterm>
1770               <primary>directory</primary>
1771               <secondary>People container</secondary>
1772             </indexterm><indexterm>
1773               <primary>directory</primary>
1774               <secondary>Computers container</secondary>
1775             </indexterm>
1776         In the following examples, as the LDAP database is initialized, we do create a container
1777         for Computer (machine) accounts. In the Samba-3 &smb.conf; files, specific use is made
1778         of the People container, not the Computers container, for domain member accounts. This is not a
1779         mistake; it is a deliberate action that is necessitated by the fact that there is a bug in Samba-3
1780         that prevents it from being able to search the LDAP database for computer accounts if they are
1781         placed in the Computers container. By placing all machine accounts in the People container, we
1782         are able to side-step this bug. It is expected that at some time in the future this problem will
1783         be resolved. At that time, it will be possible to use the Computers container in order to keep
1784         machine accounts separate from user accounts.
1785         </para></note>
1788         <table id="ch6-bigacct">
1789                 <title>Abmas Network Users and Groups</title>
1790                 <tgroup cols="4">
1791                         <colspec align="left"/>
1792                         <colspec align="left"/>
1793                         <colspec align="left"/>
1794                         <colspec align="left"/>
1795                         <thead>
1796                                 <row>
1797                                         <entry align="center">Account Name</entry>
1798                                         <entry align="center">Type</entry>
1799                                         <entry align="center">ID</entry>
1800                                         <entry align="center">Password</entry>
1801                                 </row>
1802                         </thead>
1803                         <tbody>
1804                                 <row>
1805                                         <entry>Robert Jordan</entry>
1806                                         <entry>User</entry>
1807                                         <entry>bobj</entry>
1808                                         <entry>n3v3r2l8</entry>
1809                                 </row>
1810                                 <row>
1811                                         <entry>Stanley Soroka</entry>
1812                                         <entry>User</entry>
1813                                         <entry>stans</entry>
1814                                         <entry>impl13dst4r</entry>
1815                                 </row>
1816                                 <row>
1817                                         <entry>Christine Roberson</entry>
1818                                         <entry>User</entry>
1819                                         <entry>chrisr</entry>
1820                                         <entry>S9n0nw4ll</entry>
1821                                 </row>
1822                                 <row>
1823                                         <entry>Mary Vortexis</entry>
1824                                         <entry>User</entry>
1825                                         <entry>maryv</entry>
1826                                         <entry>kw13t0n3</entry>
1827                                 </row>
1828                                 <row>
1829                                         <entry>Accounts</entry>
1830                                         <entry>Group</entry>
1831                                         <entry>Accounts</entry>
1832                                         <entry></entry>
1833                                 </row>
1834                                 <row>
1835                                         <entry>Finances</entry>
1836                                         <entry>Group</entry>
1837                                         <entry>Finances</entry>
1838                                         <entry></entry>
1839                                 </row>
1840                                 <row>
1841                                         <entry>Insurance</entry>
1842                                         <entry>Group</entry>
1843                                         <entry>PIOps</entry>
1844                                         <entry></entry>
1845                                 </row>
1846                         </tbody>
1847                 </tgroup>
1848         </table>
1850         <procedure id="creatacc">
1851                 <step><para>
1852                 Start the LDAP server by executing:
1853 <screen>
1854 &rootprompt; rcldap start
1855 Starting ldap-server                           done
1856 </screen>
1857                 </para></step>
1859                 <step><para>
1860                 Change to the <filename>/var/lib/samba/sbin</filename> directory.
1861                 </para></step>
1863                 <step><para>
1864                 Execute the script that will populate the LDAP database as shown here:
1865 <screen>
1866 &rootprompt; ./smbldap-populate.pl
1867 Using builtin directory structure
1868 adding new entry: dc=abmas,dc=biz
1869 adding new entry: ou=People,dc=abmas,dc=biz
1870 adding new entry: ou=Groups,dc=abmas,dc=biz
1871 adding new entry: ou=Computers,dc=abmas,dc=biz
1872 adding new entry: uid=Administrator,ou=People,dc=abmas,dc=biz
1873 adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
1874 adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
1875 adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
1876 adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
1877 adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
1878 adding new entry: cn=Users,ou=Groups,dc=abmas,dc=biz
1879 adding new entry: cn=Guests,ou=Groups,dc=abmas,dc=biz
1880 adding new entry: cn=Power Users,ou=Groups,dc=abmas,dc=biz
1881 adding new entry: cn=Account Operators,ou=Groups,dc=abmas,dc=biz
1882 adding new entry: cn=Server Operators,ou=Groups,dc=abmas,dc=biz
1883 adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
1884 adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
1885 adding new entry: cn=Replicator,ou=Groups,dc=abmas,dc=biz
1886 adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
1887 </screen>
1888                 </para></step>
1890                 <step><para>
1891                 It is necessary to restart the LDAP server as shown here:
1892 <screen>
1893 &rootprompt; rcldap restart
1894 Shutting down ldap-server                            done
1895 Starting ldap-server                                 done
1896 </screen>
1897                 </para></step>
1899           <step><para><indexterm>
1900                 <primary>slapcat</primary>
1901               </indexterm>
1902                 So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data. 
1903                 There are several ways to check that your LDAP database is able to receive IDMAP information. One of 
1904                 the simplest is to execute:
1905 <screen>
1906 &rootprompt; slapcat | grep -i idmap
1907 dn: ou=Idmap,dc=abmas,dc=biz
1908 ou: idmap
1909 </screen>
1910               <indexterm>
1911                 <primary>ldapadd</primary>
1912               </indexterm>
1913                 If the execution of this command does not return IDMAP entries, you need to create an LDIF
1914                 template file (see <link linkend="ch6-ldifadd"/>). You can add the required entries using 
1915                 the following command:
1916 <screen>
1917 &rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
1918                 -w not24get &lt; /etc/openldap/idmap.LDIF
1919 </screen>
1920                 Samba automatically populates this LDAP directory container when it needs to.
1921                 </para></step>
1923           <step><para><indexterm>
1924                 <primary>slapcat</primary>
1925               </indexterm>
1926                 It looks like all has gone well, as expected. Let's confirm that this is the case
1927                 by running a few tests. First we check the contents of the database directly
1928                 by running <command>slapcat</command> as follows (the output has been cut down):
1929 <screen>
1930 &rootprompt; slapcat
1931 dn: dc=abmas,dc=biz
1932 objectClass: dcObject
1933 objectClass: organization
1934 dc: abmas
1935 o: abmas
1936 structuralObjectClass: organization
1937 entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
1938 creatorsName: cn=Manager,dc=abmas,dc=biz
1939 createTimestamp: 20031217234200Z
1940 entryCSN: 2003121723:42:00Z#0x0001#0#0000
1941 modifiersName: cn=Manager,dc=abmas,dc=biz
1942 modifyTimestamp: 20031217234200Z
1944 dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
1945 objectClass: posixGroup
1946 objectClass: sambaGroupMapping
1947 gidNumber: 553
1948 cn: Domain Computers
1949 description: Netbios Domain Computers accounts
1950 sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
1951 sambaGroupType: 2
1952 displayName: Domain Computers
1953 structuralObjectClass: posixGroup
1954 entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
1955 creatorsName: cn=Manager,dc=abmas,dc=biz
1956 createTimestamp: 20031217234206Z
1957 entryCSN: 2003121723:42:06Z#0x0002#0#0000
1958 modifiersName: cn=Manager,dc=abmas,dc=biz
1959 modifyTimestamp: 20031217234206Z
1960 </screen>
1961                 This looks good so far.
1962                 </para></step>
1964           <step><para><indexterm>
1965                 <primary>ldapsearch</primary>
1966               </indexterm>
1967                 The next step is to prove that the LDAP server is running and responds to a
1968                 search request. Execute the following as shown (output has been cut to save space):
1969 <screen>
1970 &rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
1971 # extended LDIF
1973 # LDAPv3
1974 # base &lt;dc=abmas,dc=biz&gt; with scope sub
1975 # filter: (ObjectClass=*)
1976 # requesting: ALL
1979 # abmas.biz
1980 dn: dc=abmas,dc=biz
1981 objectClass: dcObject
1982 objectClass: organization
1983 dc: abmas
1984 o: abmas
1986 # People, abmas.biz
1987 dn: ou=People,dc=abmas,dc=biz
1988 objectClass: organizationalUnit
1989 ou: People
1991 # Domain Computers, Groups, abmas.biz
1992 dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
1993 objectClass: posixGroup
1994 objectClass: sambaGroupMapping
1995 gidNumber: 553
1996 cn: Domain Computers
1997 description: Netbios Domain Computers accounts
1998 sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
1999 sambaGroupType: 2
2000 displayName: Domain Computers
2002 # search result
2003 search: 2
2004 result: 0 Success
2006 # numResponses: 20
2007 # numEntries: 19
2008 </screen>
2009                 Good. It is all working just fine.
2010                 </para></step>
2012           <step><para><indexterm>
2013                 <primary>getent</primary>
2014               </indexterm>
2015                 You must now make certain that the NSS resolver can interrogate LDAP also.
2016                 Execute the following commands:
2017 <screen>
2018 &rootprompt; getent passwd | grep Administrator
2019 Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
2021 &rootprompt; getent group | grep Domain
2022 Domain Admins:x:512:Administrator
2023 Domain Users:x:513:
2024 Domain Guests:x:514:
2025 Domain Computers:x:553:
2026 </screen><indexterm>
2027                 <primary>nss_ldap</primary>
2028               </indexterm>
2029                 This demonstrates that the <command>nss_ldap</command> library is functioning
2030                 as it should.
2031                 </para></step>
2033           <step><para><indexterm>
2034                 <primary>smbldap-useradd.pl</primary>
2035               </indexterm><indexterm>
2036                 <primary>smbldap-passwd.pl</primary>
2037               </indexterm><indexterm>
2038                 <primary>smbpasswd</primary>
2039               </indexterm>
2040                 Our database is now ready for the addition of network users. For each user for
2041                 whom an account must be created, execute the following:
2042 <screen>
2043 &rootprompt; ./smbldap-useradd.pl -m -a <constant>username</constant>
2044 &rootprompt; ./smbldap-passwd.pl <constant>username</constant>
2045 Changing password for <constant>username</constant>
2046 New password : XXXXXXXX
2047 Retype new password : XXXXXXXX
2049 &rootprompt; smbpasswd <constant>username</constant>
2050 New SMB password: XXXXXXXX
2051 Retype new SMB password: XXXXXXXX
2052 </screen>
2053                 Where <constant>username</constant> is the login ID for each user.
2054                 </para></step>
2056           <step><para><indexterm>
2057                 <primary>getent</primary>
2058               </indexterm>
2059                 Now verify that the UNIX (Posix) accounts can be resolved via NSS by executing the
2060                 following:
2061 <screen>
2062 &rootprompt; getent passwd
2064 Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
2065 nobody:x:999:514:nobody:/dev/null:/bin/false
2066 bobj:x:1000:513:System User:/home/bobj:/bin/bash
2067 stans:x:1001:513:System User:/home/stans:/bin/bash
2068 chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
2069 maryv:x:1003:513:System User:/home/maryv:/bin/bash
2071 &rootprompt; id chrisr
2072 uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
2073 </screen>
2074                 This confirms that the UNIX (Posix) user accounts can be resolved from LDAP.
2075                 </para></step>
2077           <step><para><indexterm>
2078                 <primary>smbldap-usermod.pl</primary>
2079               </indexterm>
2080                 In the above listing, you can see that the user <constant>Administrator</constant>
2081                 has been given UID=998. This means that operations conducted from a Windows client
2082                 using tools such as the Domain User Manager fail under UNIX, because the
2083                 management of user and group accounts requires that the account has UID=0. You decide to rectify 
2084                 this immediately as demonstrated here:
2085 <screen>
2086 &rootprompt; cd /var/lib/samba/sbin
2087 &rootprompt; ./smbldap-usermod.pl -u 0 Administrator
2088 </screen>
2089                 </para></step>
2091                 <step><para>
2092                 Make certain that a home directory has been created for every user by listing the
2093                 directories in <filename>/home</filename> as follows:
2094 <screen>
2095 &rootprompt; ls -al /home
2096 drwxr-xr-x   8 root   root         176 Dec 17 18:50 ./
2097 drwxr-xr-x  21 root   root         560 Dec 15 22:19 ../
2098 drwx------   7 bobj   Domain Users     568 Dec 17 01:16 bobj/
2099 drwx------   7 chrisr Domain Users     568 Dec 17 01:19 chrisr/
2100 drwx------   7 maryv  Domain Users     568 Dec 17 01:27 maryv/
2101 drwx------   7 stans  Domain Users     568 Dec 17 01:43 stans/
2102 </screen>
2103                 This is precisely what we want to see.
2104                 </para></step>
2106           <step><para><indexterm>
2107                 <primary>ldapsam</primary>
2108               </indexterm><indexterm>
2109                 <primary>pdbedit</primary>
2110               </indexterm>
2111                 The final validation step involves making certain that Samba-3 can obtain the user
2112                 accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
2113 <screen>
2114 &rootprompt; pdbedit -Lv chrisr
2115 Unix username:        chrisr
2116 NT username:          chrisr
2117 Account Flags:        [U          ]
2118 User SID:             S-1-5-21-3504140859-1010554828-2431957765-3004
2119 Primary Group SID:    S-1-5-21-3504140859-1010554828-2431957765-513
2120 Full Name:            System User
2121 Home Directory:       \\MASSIVE\homes
2122 HomeDir Drive:        H:
2123 Logon Script:         chrisr.cmd
2124 Profile Path:         \\MASSIVE\profiles\chrisr
2125 Domain:               MEGANET2
2126 Account desc:         System User
2127 Workstations:
2128 Munged dial:
2129 Logon time:           0
2130 Logoff time:          Mon, 18 Jan 2038 20:14:07 GMT
2131 Kickoff time:         Mon, 18 Jan 2038 20:14:07 GMT
2132 Password last set:    Wed, 17 Dec 2003 17:17:40 GMT
2133 Password can change:  Wed, 17 Dec 2003 17:17:40 GMT
2134 Password must change: Mon, 18 Jan 2038 20:14:07 GMT
2135 </screen>
2136                 This looks good. Of course, you fully expected that it would all work, didn't you?
2137                 </para></step>
2139           <step><para><indexterm>
2140                 <primary>smbldap-groupadd.pl</primary>
2141               </indexterm>
2142                 Now you add the group accounts that are used on the Abmas network. Execute
2143                 the following exactly as shown:
2144 <screen>
2145 &rootprompt; ./smbldap-groupadd.pl -a Accounts
2146 &rootprompt; ./smbldap-groupadd.pl -a Finances
2147 &rootprompt; ./smbldap-groupadd.pl -a PIOps
2148 </screen>
2149                 The addition of groups does not involve keyboard interaction, so the lack of console
2150                 output is of no concern.
2151                 </para></step>
2153           <step><para><indexterm>
2154                 <primary>getent</primary>
2155               </indexterm>
2156                 You really do want to confirm that UNIX group resolution from LDAP is functioning 
2157                 as it should. Let's do this as shown here:
2158 <screen>
2159 &rootprompt; getent group
2161 Domain Admins:x:512:Administrator
2162 Domain Users:x:513:bobj,stans,chrisr,maryv
2163 Domain Guests:x:514:
2165 Accounts:x:1000:
2166 Finances:x:1001:
2167 PIOps:x:1002:
2168 </screen>
2169                 The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
2170                 as our own site-specific group accounts, are correctly listed. This is looking good.
2171                 </para></step>
2173           <step><para><indexterm>
2174                 <primary>net</primary>
2175                 <secondary>groupmap</secondary>
2176                 <tertiary>list</tertiary>
2177               </indexterm>
2178                 The final step we need to validate is that Samba can see all the Windows Domain Groups
2179                 and that they are correctly mapped to the respective UNIX group account. To do this,
2180                 just execute the following command:
2181 <screen>
2182 &rootprompt; net groupmap list
2183 Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
2184 Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
2185 Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
2187 Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
2188 Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
2189 PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
2190 </screen>
2191                 This is looking good. Congratulations &smbmdash; it works! Note that in the above output
2192                 the lines were shortened by replacing the middle value (1010554828) of the SID with an 
2193                 ellipsis (...).
2194                 </para></step>
2196                 <step><para>
2197                 The server you have so carefully built is now ready for another important step. You 
2198                 now start the Samba-3 server and validate its operation. Execute the following so that 
2199                 all the processes needed are fully operative and are started automatically on system 
2200                 reboot:
2201 <screen>
2202 &rootprompt; chkconfig named on
2203 &rootprompt; chkconfig dhcpd on
2204 &rootprompt; chkconfig ldap on
2205 &rootprompt; chkconfig nmb on
2206 &rootprompt; chkconfig smb on
2207 &rootprompt; chkconfig winbind on
2208 &rootprompt; rcnmb start
2209 &rootprompt; rcsmb start
2210 &rootprompt; rcwinbind start
2211 </screen>
2212                 </para></step>
2214                 <step><para>
2215                 The next step might seem a little odd at this point, but take note that you are about to
2216                 start <command>winbindd</command> which must be able to authenticate to the PDC via the
2217                 localhost interface. This requires a Domain account for the PDC. This account can be
2218                 easily created by joining the PDC to the Domain by executing the following command:
2219 <screen>
2220 &rootprompt; net rpc join -U Administrator%not24get
2221 Joined domain MEGANET2.
2222 </screen>
2223                 This indicates that the Domain security account for the PDC has been correctly created.
2224                 </para></step>
2226                 <step><para>
2227                 At this time it is necessary to restart <command>winbindd</command> so that it can
2228                 correctly authenticate to the PDC. The following command achieves that:
2229 <screen>
2230 &rootprompt; rcwinbind restart
2231 </screen>
2232                 </para></step>
2234           <step><para><indexterm>
2235                 <primary>smbclient</primary>
2236               </indexterm>
2237                 You may now check Samba-3 operation as follows:
2238 <screen>
2239 &rootprompt; smbclient -L massive -U%
2241         Sharename      Type      Comment
2242         ---------      ----      -------
2243         IPC$           IPC       IPC Service (Samba 3.0.1)
2244         accounts       Disk      Accounting Files
2245         service        Disk      Financial Services Files
2246         pidata         Disk      Property Insurance Files
2247         apps           Disk      Application Files
2248         netlogon       Disk      Network Logon Service
2249         profiles       Disk      Profile Share
2250         profdata       Disk      Profile Data Share
2251         ADMIN$         IPC       IPC Service (Samba 3.0.1)
2253         Server               Comment
2254         ---------            -------
2255         MASSIVE              Samba 3.0.1
2257         Workgroup            Master
2258         ---------            -------
2259         MEGANET2             MASSIVE
2260 </screen>
2261         This shows that an anonymous connection is working.
2262                 </para></step>
2264                 <step><para>
2265                 For your finale, let's try an authenticated connection. Follow this as shown:
2266 <screen>
2267 &rootprompt; smbclient //massive/bobj -Ubobj%n3v3r2l8
2268 smb: \> dir
2269   .                    D        0  Wed Dec 17 01:16:19 2003
2270   ..                   D        0  Wed Dec 17 19:04:42 2003
2271   bin                  D        0  Tue Sep  2 04:00:57 2003
2272   Documents            D        0  Sun Nov 30 07:28:20 2003
2273   public_html          D        0  Sun Nov 30 07:28:20 2003
2274   .urlview             H      311  Fri Jul  7 06:55:35 2000
2275   .dvipsrc             H      208  Fri Nov 17 11:22:02 1995
2277           57681 blocks of size 524288. 57128 blocks available
2278 smb: \> q
2279 </screen>
2280                 Well done. All is working fine.
2281                 </para></step>
2282         </procedure>
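        <para>
        The validation steps above can be scripted rather than checked by eye. The following is an added
        example, not part of the Samba guide: it applies the same checks (well-known GIDs, Administrator at UID 0,
        every mapped group SID belonging to our own Domain SID) to listings constructed from this chapter's output,
        and the same functions can be reused for the BDC verification later in this chapter.
        </para>

```shell
#!/bin/sh
# Added example (not from the Samba guide): offline checks of the NSS and
# group-mapping output that the validation steps above inspect by eye. The
# sample text is constructed from the listings in this chapter; on a real
# server feed the functions the output of `getent passwd`, `getent group`
# and `net groupmap list` instead.

DOMAIN_SID='S-1-5-21-3504140859-1010554828-2431957765'

# getent passwd as it looks right after smbldap-populate.pl: Administrator
# still has UID 998, which the chapter corrects with smbldap-usermod.pl -u 0.
SAMPLE_PASSWD='Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
bobj:x:1000:513:System User:/home/bobj:/bin/bash
stans:x:1001:513:System User:/home/stans:/bin/bash
chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
maryv:x:1003:513:System User:/home/maryv:/bin/bash'

# The same listing after the UID fix.
FIXED_PASSWD=$(printf '%s\n' "$SAMPLE_PASSWD" | sed 's/^Administrator:x:998:/Administrator:x:0:/')

SAMPLE_GROUP='Domain Admins:x:512:Administrator
Domain Users:x:513:bobj,stans,chrisr,maryv
Domain Guests:x:514:
Domain Computers:x:553:
Accounts:x:1000:
Finances:x:1001:
PIOps:x:1002:'

# net groupmap list with the SIDs written out in full (the chapter shortens
# the middle component with an ellipsis).
SAMPLE_GROUPMAP="Domain Admins ($DOMAIN_SID-512) -> Domain Admins
Domain Users ($DOMAIN_SID-513) -> Domain Users
Domain Guests ($DOMAIN_SID-514) -> Domain Guests
Accounts ($DOMAIN_SID-3001) -> Accounts
Finances ($DOMAIN_SID-3003) -> Finances
PIOps ($DOMAIN_SID-3005) -> PIOps"

# Print the UID of user $2 from passwd text $1; exit 1 if the user is absent.
user_uid() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $3; found = 1 } END { exit !found }'
}

# Windows-side account management (Domain User Manager) only works when the
# Administrator account maps to UID 0.
check_admin_uid0() {
    [ "$(user_uid "$1" Administrator)" = 0 ]
}

# The well-known domain groups must carry the GIDs that smbldap-populate.pl
# assigns; their RIDs (512/513/514/553) are fixed by the Windows domain model.
check_wellknown_gids() {
    for pair in 'Domain Admins:512' 'Domain Users:513' 'Domain Guests:514' 'Domain Computers:553'; do
        printf '%s\n' "$1" | grep -q "^${pair%:*}:x:${pair##*:}:" || return 1
    done
    return 0
}

# Every mapped group SID in groupmap text $1 must belong to our own Domain
# SID $2 (a foreign SID means a stale or mixed-up backend), and the three
# well-known groups must map with their fixed RIDs.
check_groupmap() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        BEGIN { bad = 0; rid["Domain Admins"] = 512; rid["Domain Users"] = 513; rid["Domain Guests"] = 514 }
        / -> / {
            win = $0; sub(/ \(.*$/, "", win)
            sid = $0; sub(/^[^(]*\(/, "", sid); sub(/\).*$/, "", sid)
            if (index(sid, dom "-") != 1) bad = 1
            r = sid; sub(/^.*-/, "", r)
            if ((win in rid) && r != rid[win]) bad = 1
        }
        END { exit bad }'
}
```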
2284         <para>
2285         The server <constant>MASSIVE</constant> is now configured, and it is time to move onto the next task.
2286         </para>
2288         </sect2>
2290         <sect2 id="ch6-ptrcfg">
2291         <title>Printer Configuration</title>
2293         <para><indexterm>
2294             <primary>CUPS</primary>
2295           </indexterm>
2296         The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
2297         taken care of in the &smb.conf; file. The only preparation needed for
2298           <constant>smart</constant>
2299         printing to be possible involves creation of the directories in which Samba-3 stores
2300         Windows printing driver files.
2301         </para>
2303         <procedure>
2305                 <step><para>
2306                 Configure all network attached printers to have a fixed IP address.
2307                 </para></step>
2309                 <step><para>
2310                 Create an entry in the DNS database on the server <constant>MASSIVE</constant>
2311                 in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
2312                 and in the reverse lookup database for the network segment that the printer is to
2313                 be located in. Example configuration files for similar zones were presented in
2314                 <link linkend="abmasbiz"/> and in <link linkend="eth2zone"/>.
2315                 </para></step>
2317                 <step><para>
2318                 Follow the instructions in the printer manufacturers' manuals to permit printing
2319                 to port 9100, or to any other port the manufacturer specifies for direct-mode
2320                 raw printing.  This allows the CUPS spooler to print using raw-mode protocols.
2321                 <indexterm><primary>CUPS</primary></indexterm>
2322                 <indexterm><primary>raw printing</primary></indexterm>
2323                 </para></step>
2325           <step><para><indexterm>
2326                 <primary>lpadmin</primary>
2327               </indexterm>
2328                 <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
2329                 Only on the server to which the printer is attached, configure the CUPS Print
2330                 Queues as follows:
2331 <screen>
2332 &rootprompt; lpadmin -p <parameter>printque</parameter> -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
2333 </screen>
2334                 <indexterm><primary>print filter</primary></indexterm>
2335                 This step creates the necessary print queue with no print filter assigned. This
2336                 is ideal for raw printing, i.e., printing without the use of filters.
2337                 The name <parameter>printque</parameter> is the name you have assigned to
2338                 the particular printer.
2339                 </para></step>
2341                 <step><para>
2342                 Print queues may not be enabled at creation. Make certain that the queues
2343                 you have just created are enabled by executing the following:
2344 <screen>
2345 &rootprompt; /usr/bin/enable <parameter>printque</parameter>
2346 </screen>
2347                 </para></step>
2349                 <step><para>
2350                 Even though your print queue may be enabled, it is still possible that it
2351                 may not accept print jobs. A print queue will service incoming printing
2352                 requests only when configured to do so. Ensure that your print queue is
2353                 set to accept incoming jobs by executing the following commands:
2354 <screen>
2355 &rootprompt; /usr/bin/accept <parameter>printque</parameter>
2356 </screen>
2357                 </para></step>
2359           <step><para>
2360                 <indexterm><primary>mime type</primary></indexterm>
2361                 <indexterm><primary>/etc/mime.convs</primary></indexterm>
2362                 <indexterm><primary>application/octet-stream</primary></indexterm>
2363                 Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
2364 <screen>
2365 application/octet-stream     application/vnd.cups-raw      0     -
2366 </screen>
2367                 </para></step>
2369                  <step><para>
2370                  <indexterm><primary>/etc/mime.types</primary></indexterm>
2371                  Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
2372 <screen>
2373 application/octet-stream
2374 </screen>
2375                 </para></step>
2377                 <step><para>
2378                 Refer to the CUPS printing manual for instructions regarding how to configure
2379                 CUPS so that print queues that reside on CUPS servers on remote networks
2380                 route print jobs to the print server that owns that queue. The default setting
2381                 on your CUPS server may automatically discover remotely installed printers and
2382                 may permit this functionality without requiring specific configuration.
2383                 </para></step>
2385                 <step><para>
2386                 The following action creates the necessary directory sub-system. Follow these 
2387                 steps to printing heaven:
2388 <screen>
2389 &rootprompt; mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
2390 &rootprompt; chown -R root.root /var/lib/samba/drivers
2391 &rootprompt; chmod -R ug=rwx,o=rx /var/lib/samba/drivers
2392 </screen>
2393                 </para></step>
2395         </procedure>
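        <para>
        The CUPS preparation steps above (uncommenting the <constant>application/octet-stream</constant>
        entries and creating the driver directory tree) can also be scripted. The following is an added example,
        not from the Samba guide or from CUPS; the file and directory paths are parameters so it can be tried
        against scratch copies before touching <filename>/etc/cups</filename>.
        </para>

```shell
#!/bin/sh
# Added example (not from the Samba guide or CUPS): scripted form of the
# raw-printing preparation above. On a server the arguments would be
# /etc/cups/mime.convs, /etc/cups/mime.types and /var/lib/samba/drivers.

# Remove a leading comment marker from the application/octet-stream line(s)
# in the CUPS mime file $1. Idempotent: an already active line is left alone.
enable_raw_mime() {
    tmp="$1.tmp.$$"
    sed 's/^#[[:space:]]*\(application\/octet-stream\)/\1/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Return 0 when mime file $1 has an active (uncommented) octet-stream line.
raw_mime_enabled() {
    grep -q '^application/octet-stream' "$1"
}

# Create the driver directories Samba-3 expects under $1 with the permissions
# the chapter sets (ug=rwx,o=rx). The chown to root is left to the caller,
# because it needs root privileges and the rest of this script does not.
make_driver_dirs() {
    for arch in W32ALPHA W32MIPS W32X86 WIN40; do
        mkdir -p "$1/$arch" || return 1
    done
    chmod -R ug=rwx,o=rx "$1"
}

# Return 0 when every architecture directory exists under $1 with mode
# drwxrwxr-x, i.e. group-writable so that driver uploads by print
# administrators succeed but other users can only read.
driver_dirs_ok() {
    for arch in W32ALPHA W32MIPS W32X86 WIN40; do
        [ -d "$1/$arch" ] || return 1
        [ "$(ls -ld "$1/$arch" | cut -c1-10)" = drwxrwxr-x ] || return 1
    done
    return 0
}
```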
2397         </sect2>
2399 </sect1>
2401 <sect1 id="ch6-bldg1">
2402         <title>Samba-3 BDC Configuration</title>
2404         <procedure>
2405         <title>Configuration of BDC Called: <constant>BLDG1</constant></title>
2406                 <step><para>
2407                 Install the files in <link linkend="ch6-bldg1-smbconf"/>,
2408                 <link linkend="ch6-shareconfa"/>, and <link linkend="ch6-shareconfb"/>
2409                 into the <filename>/etc/samba/</filename> directory. The three files
2410                 should be added together to form the &smb.conf; file.
2411                 </para></step>
2413                 <step><para>
2414                 Verify the &smb.conf; file as in step 2 of <link
2415               linkend="ch6-massive"/>.
2416                 </para></step>
2418                 <step><para>
2419                 Carefully follow the steps outlined in <link linkend="ch6-PAM-NSS"/>, taking
2420                 particular note to install the correct <filename>ldap.conf</filename>.
2421                 </para></step>
2423                 <step><para>
2424                 Verify that the NSS resolver is working. You may need to cycle the run level
2425                 to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
2426                 commands:
2427 <screen>
2428 &rootprompt; init 1
2429 </screen>
2430                 After the run level has been achieved, you are prompted to provide the
2431                 <constant>root</constant> password. Log on, and then execute:
2432 <screen>
2433 &rootprompt; init 5
2434 </screen>
2435                 When the normal logon prompt appears, log into the system as
2436             <constant>root</constant>
2437                 and then execute these commands:
2438 <screen>
2439 &rootprompt; getent passwd
2440 root:x:0:0:root:/root:/bin/bash
2441 bin:x:1:1:bin:/bin:/bin/bash
2442 daemon:x:2:2:Daemon:/sbin:/bin/bash
2443 lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
2444 mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
2446 Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false
2447 nobody:x:999:514:nobody:/dev/null:/bin/false
2448 bobj:x:1000:513:System User:/home/bobj:/bin/bash
2449 stans:x:1001:513:System User:/home/stans:/bin/bash
2450 chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
2451 maryv:x:1003:513:System User:/home/maryv:/bin/bash
2452 vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
2453 bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
2454 </screen>
2455                 This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
2456                 </para></step>
2458         <step><para><indexterm>
2459               <primary>getent</primary>
2460             </indexterm>
2461                 The next step in the verification process involves testing the operation of UNIX group
2462                 resolution via the NSS LDAP resolver. Execute these commands:
2463 <screen>
2464 &rootprompt; getent group
2465 root:x:0:
2466 bin:x:1:daemon
2467 daemon:x:2:
2468 sys:x:3:
2470 Domain Admins:x:512:Administrator
2471 Domain Users:x:513:bobj,stans,chrisr,maryv,jht
2472 Domain Guests:x:514:
2473 Administrators:x:544:
2474 Users:x:545:
2475 Guests:x:546:nobody
2476 Power Users:x:547:
2477 Account Operators:x:548:
2478 Server Operators:x:549:
2479 Print Operators:x:550:
2480 Backup Operators:x:551:
2481 Replicator:x:552:
2482 Domain Computers:x:553:
2483 Accounts:x:1000:
2484 Finances:x:1001:
2485 PIOps:x:1002:
2486 </screen>
2487                 This is also the correct and desired output, because it demonstrates that the LDAP client
2488                 is able to communicate correctly with the LDAP server
2489             (<constant>MASSIVE</constant>).
2490                 </para></step>
2492         <step><para><indexterm>
2493               <primary>smbpasswd</primary>
2494             </indexterm>
2495                 You must now set the LDAP administrative password into the
2496             Samba-3 <filename>secrets.tdb</filename>
2497                 file by executing this command:
2498 <screen>
2499 &rootprompt; smbpasswd -w not24get
2500 Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
2501 </screen>
2502                 </para></step>
2504                 <step><para>
2505                 Now you must obtain the Domain Security Identifier from the PDC and store it into the
2506                 <filename>secrets.tdb</filename> file also. This step is not necessary with an LDAP
2507                 passdb backend because Samba-3 obtains the Domain SID from the 
2508                 sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
2509                 add the SID to the <filename>secrets.tdb</filename>, and if you wish to do so, this 
2510                 command can achieve that:
2511 <screen>
2512 &rootprompt; net rpc getsid MEGANET2
2513 Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
2514                            for Domain MEGANET2 in secrets.tdb
2515 </screen>
2516                 When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
2517                 any special action to join it to the Domain. However, winbind communicates with the
2518                 Domain Controller that is running on the localhost and must be able to authenticate,
2519                 thus requiring that the BDC should be joined to the Domain. The process of joining
2520                 the Domain creates the necessary authentication accounts.
2521                 </para></step>
2523                 <step><para>
2524                 To join the Samba BDC to the Domain execute the following:
2525 <screen>
2526 &rootprompt; net rpc join -U Administrator%not24get
2527 Joined domain MEGANET2.
2528 </screen>
2529                 This indicates that the Domain security account for the BDC has been correctly created.
2530                 </para></step>
2532                 <step><para>
2533                 <indexterm>
2534                         <primary>pdbedit</primary>
2535                 </indexterm>
2536                 Verify that user and group account resolution works via Samba-3 tools as follows:
2537 <screen>
2538 &rootprompt; pdbedit -L
2539 Administrator:0:Administrator
2540 nobody:65534:nobody
2541 bobj:1000:System User
2542 stans:1001:System User
2543 chrisr:1002:System User
2544 maryv:1003:System User
2545 bldg1$:1006:bldg1$
2547 &rootprompt; net groupmap list
2548 Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
2549 Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
2550 Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
2551 Administrators (S-1-5-21-3504140859-...-2431957765-544) -> Administrators
2553 Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
2554 Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
2555 PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
2556 </screen>
2557                 The above results show that all things are in order.
2558                 </para></step>
                <step><para>
                The server you have so carefully built is now ready for another important step: starting the
                Samba-3 server and validating its operation. Execute the following so that every required
                service is enabled for automatic start on system reboot, and then start the services now:
2565 <screen>
2566 &rootprompt; chkconfig named on
2567 &rootprompt; chkconfig dhcpd on
2568 &rootprompt; chkconfig nmb on
2569 &rootprompt; chkconfig smb on
2570 &rootprompt; chkconfig winbind on
2571 &rootprompt; rcnmb start
2572 &rootprompt; rcsmb start
2573 &rootprompt; rcwinbind start
2574 </screen>
2575                 Samba-3 should now be running and is ready for a quick test. But not quite yet!
2576                 </para></step>
                <step><para>
                Your new <constant>BLDG1, BLDG2</constant> servers do not have home directories for users.
                To rectify this, use the SUSE yast2 utility or manually edit the
                <filename>/etc/fstab</filename> file to add an entry that mounts the <constant>home</constant>
                directory exported from the <constant>MASSIVE</constant> server. Mount this resource before
                proceeding. An alternative approach is to create local home directories for the users who
                will use these machines. This is a choice that you, as system administrator, must make. The
                following entry in the <filename>/etc/fstab</filename> file suffices for now:
2587 <screen>
2588 massive.abmas.biz:/home  /home  nfs     rw 0 0
2589 </screen>
2590                 To mount this resource, execute:
2591 <screen>
2592 &rootprompt; mount -a
2593 </screen>
2594                 Verify that the home directory has been mounted as follows:
2595 <screen>
2596 &rootprompt; df | grep home
2597 massive:/home         29532988    283388  29249600   1% /home
2598 </screen>
2599                 </para></step>
2601                 <step><para>
2602                 Implement a quick check using one of the users that is in the LDAP database. Here you go:
2603 <screen>
2604 &rootprompt; smbclient //bldg1/bobj -Ubobj%n3v3r2l8
2605 smb: \> dir
2606   .                    D        0  Wed Dec 17 01:16:19 2003
2607   ..                   D        0  Wed Dec 17 19:04:42 2003
2608   bin                  D        0  Tue Sep  2 04:00:57 2003
2609   Documents            D        0  Sun Nov 30 07:28:20 2003
2610   public_html          D        0  Sun Nov 30 07:28:20 2003
2611   .urlview             H      311  Fri Jul  7 06:55:35 2000
2612   .dvipsrc             H      208  Fri Nov 17 11:22:02 1995
2614           57681 blocks of size 524288. 57128 blocks available
2615 smb: \> q
2616 </screen>
2617                 </para></step>
2619         </procedure>
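<para>
As an added example that is not part of this guide, the by-eye comparison of the account listings
in the verification step above can be automated: the UID that NSS (<command>getent passwd</command>)
reports for each account must match the UID recorded in the Samba passdb (<command>pdbedit -L</command>),
otherwise a user resolves to the wrong UNIX identity on this BDC. The script assumes that both command
outputs have been saved to files whose names are passed as its two arguments.
</para>

```shell
#!/bin/sh
# Added example, not part of the Samba Guide: cross-check the account view that
# NSS (nss_ldap, "getent passwd") gives against the Samba passdb ("pdbedit -L").
# On this BDC both are backed by the LDAP server on MASSIVE, so every Samba
# account must resolve via NSS to the same UID that pdbedit reports.
#
# Usage (save both outputs to files first):
#   getent passwd > /tmp/nss.txt; pdbedit -L > /tmp/passdb.txt
#   compare_uids /tmp/nss.txt /tmp/passdb.txt
# Prints one line per inconsistency and nothing when the two views agree.
compare_uids() {
    awk -F: '
        # First file, getent passwd: name:x:uid:gid:gecos:home:shell
        # (the NR == FNR idiom assumes this first file is not empty)
        NR == FNR { nssuid[$1] = $3; next }
        # Second file, pdbedit -L: name:uid:full name
        {
            if (!($1 in nssuid))
                print $1 ": in Samba passdb but not resolvable via NSS"
            else if (nssuid[$1] != $2)
                print $1 ": uid " $2 " in Samba passdb, uid " nssuid[$1] " via NSS"
        }' "$1" "$2"
}

# Exit status 0 when the two views agree, 1 otherwise (for use in scripts).
uids_consistent() {
    [ -z "$(compare_uids "$1" "$2")" ]
}

if [ $# -eq 2 ]; then
    compare_uids "$1" "$2"
fi
```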
2621         <procedure id="ch6-bldg2">
2622         <title>Configuration of BDC Called: <constant>BLDG2</constant></title>
2623                 <step><para>
2624                 Install the files in <link linkend="ch6-bldg2-smbconf"/>,
2625                 <link linkend="ch6-shareconfa"/>, and <link linkend="ch6-shareconfb"/>
2626                 into the <filename>/etc/samba/</filename> directory. The three files
2627                 should be added together to form the &smb.conf; file.
2628                 </para></step>
2630                 <step><para>
2631                 Follow carefully the steps shown in <link linkend="ch6-bldg1"/>, starting at step 2.
2632                 </para></step>
2634         </procedure>
2636 <smbconfexample id="ch6-bldg1-smbconf">
2637 <title>LDAP Based &smb.conf; File, Server: BLDG1</title>
2638 <smbconfcomment>Global parameters</smbconfcomment>
2639 <smbconfsection>[global]</smbconfsection>
2640         <smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
2641         <smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
2642         <smbconfoption><name>netbios name</name><value>BLDG1</value></smbconfoption>
2643         <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption>
2644         <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
2645         <smbconfoption><name>log level</name><value>1</value></smbconfoption>
2646         <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
2647         <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
2648         <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
2649         <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
2650         <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
2651         <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
2652         <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
2653         <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
2654         <smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
2655         <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
2656         <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
2657         <smbconfoption><name>domain master</name><value>No</value></smbconfoption>
2658         <smbconfoption><name>wins server</name><value>172.16.0.1</value></smbconfoption>
2659         <smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
2660         <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
2661         <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
2662         <smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
2663         <smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
2664         <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
2665         <smbconfoption><name>idmap backend</name><value>ldap:ldap://massive.abmas.biz</value></smbconfoption>
2666         <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
2667         <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
2668         <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
2669         <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption>
2670 </smbconfexample>
2673 <smbconfexample id="ch6-bldg2-smbconf">
2674 <title>LDAP Based &smb.conf; File, Server: BLDG2</title>
2675 <smbconfcomment>Global parameters</smbconfcomment>
2676 <smbconfsection>[global]</smbconfsection>
2677         <smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
2678         <smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
2679         <smbconfoption><name>netbios name</name><value>BLDG2</value></smbconfoption>
2680         <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption>
2681         <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
2682         <smbconfoption><name>log level</name><value>1</value></smbconfoption>
2683         <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
2684         <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
2685         <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
2686         <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
2687         <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
2688         <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
2689         <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
2690         <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
2691         <smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
2692         <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
2693         <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
2694         <smbconfoption><name>domain master</name><value>No</value></smbconfoption>
2695         <smbconfoption><name>wins server</name><value>172.16.0.1</value></smbconfoption>
2696         <smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
2697         <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
2698         <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
2699         <smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
2700         <smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
2701         <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
        <smbconfoption><name>idmap backend</name><value>ldap:ldap://massive.abmas.biz</value></smbconfoption>
2703         <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
2704         <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
2705         <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
2706         <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption>
2707 </smbconfexample>
2710 <smbconfexample id="ch6-shareconfa">
2711 <title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part A</title>
2712 <smbconfsection>[accounts]</smbconfsection>
2713         <smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
2714         <smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
2715         <smbconfoption><name>read only</name><value>No</value></smbconfoption>
2717 <smbconfsection>[service]</smbconfsection>
2718         <smbconfoption><name>comment</name><value>Financial Services Files</value></smbconfoption>
2719         <smbconfoption><name>path</name><value>/data/service</value></smbconfoption>
2720         <smbconfoption><name>read only</name><value>No</value></smbconfoption>
2722 <smbconfsection>[pidata]</smbconfsection>
2723         <smbconfoption><name>comment</name><value>Property Insurance Files</value></smbconfoption>
2724         <smbconfoption><name>path</name><value>/data/pidata</value></smbconfoption>
2725         <smbconfoption><name>read only</name><value>No</value></smbconfoption>
2727 <smbconfsection>[homes]</smbconfsection>
2728         <smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
2729         <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
2730         <smbconfoption><name>read only</name><value>No</value></smbconfoption>
2731         <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
2733 <smbconfsection>[printers]</smbconfsection>
2734         <smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
2735         <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
2736         <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
2737         <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
2738         <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
2739 </smbconfexample>
2741 <smbconfexample id="ch6-shareconfb">
2742 <title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part B</title>
2743 <smbconfsection>[apps]</smbconfsection>
2744         <smbconfoption><name>comment</name><value>Application Files</value></smbconfoption>
2745         <smbconfoption><name>path</name><value>/apps</value></smbconfoption>
2746         <smbconfoption><name>admin users</name><value>bjordan</value></smbconfoption>
2747         <smbconfoption><name>read only</name><value>No</value></smbconfoption>
2749 <smbconfsection>[netlogon]</smbconfsection>
2750         <smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
2751         <smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
2752         <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
2753         <smbconfoption><name>locking</name><value>No</value></smbconfoption>
2755 <smbconfsection>[profiles]</smbconfsection>
2756         <smbconfoption><name>comment</name><value>Profile Share</value></smbconfoption>
2757         <smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
2758         <smbconfoption><name>read only</name><value>No</value></smbconfoption>
2759         <smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
2761 <smbconfsection>[profdata]</smbconfsection>
2762         <smbconfoption><name>comment</name><value>Profile Data Share</value></smbconfoption>
2763         <smbconfoption><name>path</name><value>/var/lib/samba/profdata</value></smbconfoption>
2764         <smbconfoption><name>read only</name><value>No</value></smbconfoption>
2765         <smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
2767 <smbconfsection>[print$]</smbconfsection>
2768         <smbconfoption><name>comment</name><value>Printer Drivers</value></smbconfoption>
2769         <smbconfoption><name>path</name><value>/var/lib/samba/drivers</value></smbconfoption>
2770         <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
2771         <smbconfoption><name>guest ok</name><value>no</value></smbconfoption>
2772         <smbconfoption><name>read only</name><value>yes</value></smbconfoption>
2773         <smbconfoption><name>write list</name><value>Administrator, chrisr</value></smbconfoption>
2774 </smbconfexample>
2776 <example id="ch6-ldifadd">
2777 <title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title>
2778 <screen>
2779 dn: ou=Idmap,dc=abmas,dc=biz
2780 objectClass: organizationalUnit
2781 ou: idmap
2782 structuralObjectClass: organizationalUnit
2783 </screen>
2784 </example>
2786 </sect1>
2788 <sect1>
2789         <title>Miscellaneous Server Preparation Tasks</title>
2791         <para>
2792         My father would say, <quote>Dinner is not over until the dishes have been done.</quote>
2793         The makings of a great network environment take a lot of effort and attention to detail.
        So far you have completed most of the complex steps of server configuration (and, to many
        administrators, the interesting part), but remember to tie it all together. Here are
2796         a few more steps that must be completed so that your network runs like a well-rehearsed
2797         orchestra.
2798         </para>
2800         <sect2>
2801         <title>Configuring Directory Share Point Roots</title>
2803         <para>
2804         In your &smb.conf; file, you have specified Windows shares. Each has a
2805           <parameter>path</parameter>
2806         parameter. Even though it is obvious to all, one of the common Samba networking problems is
2807         caused by forgetting to verify that every such share root directory actually exists and that it
2808         has the necessary permissions and ownership.
2809         </para>
2811         <para>
        Here is an example that creates the share roots named in the <parameter>path</parameter>
        parameters of the share sections above, but remember to create the directory needed for every share:
<screen>
&rootprompt; mkdir -p /data/{accounts,service,pidata}
&rootprompt; mkdir -p /apps
&rootprompt; chown -R root.root /data
&rootprompt; chown -R root.root /apps
&rootprompt; chown -R bobj.Accounts /data/accounts
&rootprompt; chown -R bobj.Finances /data/service
&rootprompt; chown -R bobj.PIOps /data/pidata
2821 &rootprompt; chmod -R ug+rwxs,o-rwx /data
2822 &rootprompt; chmod -R ug+rwx,o+rx-w /apps
2823 </screen>
2824         </para>
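<para>
The following added example (not from the Samba Guide) automates the verification just described: it
reads every <parameter>path</parameter> parameter from an &smb.conf;-style file and reports share
roots that are missing or world-writable, skipping printable shares whose spool directory is expected
to be world-writable. It assumes the simple one-parameter-per-line layout used by the files in this chapter.
</para>

```shell
#!/bin/sh
# Added example, not part of the Samba Guide: read every "path" parameter out of
# an smb.conf and report share roots that are missing or world-writable.  The
# parser is deliberately minimal (one "[section]" or "name = value" per line);
# it is enough for the share files given in this chapter.
# Usage: check_share_roots /etc/samba/smb.conf

# Print "share<TAB>path" for every non-printable section that sets a path
# parameter, in the order the sections appear in the file.
list_share_paths() {
    awk '
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            order[++n] = sec
            next
        }
        /^[[:space:]]*path[[:space:]]*=/ {
            p = $0
            sub(/^[[:space:]]*path[[:space:]]*=[[:space:]]*/, "", p)
            sub(/[[:space:]]+$/, "", p)
            path[sec] = p
        }
        # Print spool shares ([printers] here) are expected to be world-writable.
        /^[[:space:]]*printable[[:space:]]*=[[:space:]]*[Yy]/ { spool[sec] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if ((s in path) && !(s in spool)) print s "\t" path[s]
            }
        }' "$1"
}

# Report each share whose root directory does not exist, or exists but grants
# write access to "other" (the chmod commands above deliberately remove it).
check_share_roots() {
    tab=$(printf '\t')
    list_share_paths "$1" | while IFS="$tab" read -r share path; do
        if [ ! -d "$path" ]; then
            echo "$share: missing $path"
        elif [ "$(ls -ld "$path" | cut -c9)" = "w" ]; then
            echo "$share: world-writable $path"
        fi
    done
}

if [ $# -eq 1 ]; then
    check_share_roots "$1"
fi
```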
2826         </sect2>
2828         <sect2>
2829         <title>Configuring Profile Directories</title>
2831         <para>
        You made a conscious decision to do everything it would take to improve network client
        performance. One of your decisions was to implement folder redirection. This means that Windows
        user desktop profiles are now made up of two components &smbmdash; a dynamically loaded part and a set of
        network folders.
2836         </para>
2838         <para>
2839         For this arrangement to work, every user needs a directory structure for the network folder
2840         portion of their profile as shown here:
2841 <screen>
2842 &rootprompt; mkdir -p /var/lib/samba/profdata
2843 &rootprompt; chown root.root /var/lib/samba/profdata
2844 &rootprompt; chmod 755 /var/lib/samba/profdata
2846 # Per user structure
2847 &rootprompt; cd /var/lib/samba/profdata
2848 &rootprompt; mkdir -p <emphasis>username</emphasis>
2849 &rootprompt; for i in InternetFiles Cookies History AppData \
2850                       LocalSettings MyPictures MyDocuments Recent
2851 &rootprompt; do
2852 &rootprompt; mkdir <emphasis>username</emphasis>/$i
2853 &rootprompt; done
2854 &rootprompt; chown -R <emphasis>username</emphasis>.Domain\ Users <emphasis>username</emphasis>
2855 &rootprompt; chmod -R 750 <emphasis>username</emphasis>
2856 </screen>
2857         </para>
2859         <para><indexterm>
2860             <primary>roaming profile</primary>
2861           </indexterm><indexterm>
2862             <primary>mandatory profile</primary>
2863           </indexterm>
2864         You have three options insofar as the dynamically loaded portion of the roaming profile
2865         is concerned: 
2866         </para>
2868         <itemizedlist>
2869                 <listitem><para>You may permit the user to obtain a default profile.</para></listitem>
2870                 <listitem><para>You can create a mandatory profile.</para></listitem>
2871                 <listitem><para>You can create a group profile (which is almost always a mandatory profile).</para></listitem>
2872         </itemizedlist>
2874         <para>
2875           Mandatory profiles cannot be overwritten by a user. The change from
2876           a user profile to a mandatory profile is effected by renaming the
2877           <filename>NTUSER.DAT</filename> to
2878           <filename>NTUSER.MAN</filename>, i.e., just by changing the filename
2879           extension.
2880           </para>
2882         <para><indexterm>
2883             <primary>SRVTOOLS.EXE</primary>
2884           </indexterm><indexterm>
2885             <primary>Domain User Manager</primary>
2886           </indexterm>
        The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend.
        You can manage this using the Idealx smbldap-tools or using the
        <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">Windows NT4 Domain User Manager.</ulink>
2890         </para>
2892         <para>
2893         It may not be obvious that you must ensure that the root directory for the user's profile exists
2894         and has the needed permissions. Use the following commands to create this directory:
2895 <screen>
2896 &rootprompt; mkdir -p /var/lib/samba/profiles/<emphasis>username</emphasis>
&rootprompt; chown <emphasis>username</emphasis>.Domain\ Users \
            /var/lib/samba/profiles/<emphasis>username</emphasis>
2899 &rootprompt; chmod 700  /var/lib/samba/profiles/<emphasis>username</emphasis>
2900 </screen>
2901         </para>
2903         </sect2>
2905         <sect2>
2906         <title>Preparation of Logon Scripts</title>
2908         <para><indexterm>
2909             <primary>logon script</primary>
2910           </indexterm>
2911         The use of a logon script with Windows XP Professional is an option that every site should consider.
2912         Unless you have locked down the desktop so the user cannot change anything, there is risk that
2913         a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
2914         can help to restore persistent network folder (drive) and printer connections in a predictable
2915         manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
2916         user attaches to another company's network that forces environment changes that are alien to your
2917         network.
2918         </para>
        <para>
        If you decide to use network logon scripts, refer to the &smb.conf; files for the Domain
        Controllers: the path to the share point for the
          <constant>NETLOGON</constant>
        share is defined as <filename>/var/lib/samba/netlogon</filename>, and the path defined for the logon
        script inside that share is <filename>scripts\logon.bat</filename>. This means that as a Windows
        NT/200x/XP client logs onto the network, it tries to obtain the file
          <filename>logon.bat</filename>
        from the fully qualified path <filename>/var/lib/samba/netlogon/scripts</filename>. This fully
        qualified path should, therefore, exist whether or not you install a
          <filename>logon.bat</filename>.
        </para>
2933         <para>
2934         You can, of course, create the fully qualified path by executing:
2935 <screen>
2936 &rootprompt; mkdir -p /var/lib/samba/netlogon/scripts
2937 </screen>
2938         </para>
2940         <para>
2941         You should research the options for logon script implementation by referring to <emphasis>TOSHARG</emphasis>, Chapter 21,
2942         Section 21.4. A quick Web search will bring up a host of options. One of the most popular logon
2943         facilities in use today is called <ulink url="http://www.kixtart.org">KiXtart.</ulink>
2944         </para>
2946         </sect2>
2948 </sect1>
2950 <sect1>
2951         <title>Windows Client Configuration</title>
2953       <para><indexterm>
2954           <primary>NETLOGON</primary>
2955         </indexterm>
2956         In the next few sections, you can configure a new Windows XP Professional disk image on a staging
2957         machine. You will configure all software, printer settings, profile and policy handling, and desktop
2958         default profile settings on this system. When it is complete, you copy the contents of the
2959         <filename>C:\Documents and Settings\Default User</filename> directory to a directory with the same
2960         name in the <constant>NETLOGON</constant> share on the Domain Controllers.
2961         </para>
2963         <para>
2964         Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
2965         One knowledge-base article in particular stands out. See:
        <ulink
          url="http://support.microsoft.com/default.aspx?scid=kb;en-us;168475">How to Create a
        Base Profile for All Users.</ulink>
2970         </para>
2972         <sect2 id="redirfold">
2973         <title>Configuration of Default Profile with Folder Redirection</title>
2975         <para><indexterm>
2976             <primary>folder redirection</primary>
2977           </indexterm>
2978         Log onto the Windows XP Professional workstation as the local <constant>Administrator</constant>.
2979         It is necessary to expose folders that are generally hidden to provide
2980           access to the <constant>Default User</constant>
2981         folder.
2982         </para>
2984         <procedure>
2985         <title>Expose Hidden Folders</title>
2987                 <step><para>
2988                 Launch the Windows Explorer by clicking
2989                         <menuchoice>
2990                                 <guimenu>Start</guimenu>
2991                                 <guimenuitem>My Computer</guimenuitem>
2992                                 <guimenuitem>Tools</guimenuitem>
2993                                 <guimenuitem>Folder Options</guimenuitem>
2994                                 <guimenuitem>View Tab</guimenuitem>
2995                         </menuchoice>.
2996                 Select <guilabel>Show hidden files and folders</guilabel>,
2997               and click <guibutton>OK</guibutton>.
2998                 Exit Windows Explorer.
2999                 </para></step>
3001           <step><para><indexterm>
3002                 <primary>regedt32</primary>
3003               </indexterm>
3004                 Launch the Registry Editor. Click 
3005                 <menuchoice>
3006                         <guimenu>Start</guimenu>
3007                         <guimenuitem>Run</guimenuitem>
3008                 </menuchoice>. Key in <command>regedt32</command>, and click
3009               <guibutton>OK</guibutton>.
3010                 </para></step>
3011         </procedure>
3016         <procedure id="ch6-rdrfldr">
3017         <title>Redirect Folders in Default System User Profile</title>
3019           <step><para><indexterm>
3020                 <primary>HKEY_LOCAL_MACHINE</primary>
3021               </indexterm><indexterm>
3022                 <primary>Default User</primary>
3023               </indexterm>
3024                 Give focus to <constant>HKEY_LOCAL_MACHINE</constant> hive entry in the left panel.
3025                 Click <menuchoice>
3026                         <guimenu>File</guimenu>
3027                         <guimenuitem>Load Hive...</guimenuitem>
3028                         <guimenuitem>[Panel] Documents and Settings</guimenuitem>
3029                         <guimenuitem>[Panel] Default User</guimenuitem>
3030                         <guimenuitem>NTUSER</guimenuitem>
3031                         <guimenuitem>Open</guimenuitem>
3032                       </menuchoice>. In the dialog box that opens, enter the
3033               key name <constant>Default</constant>
3034                 and click <guibutton>OK</guibutton>.
3035                 </para></step>
3037                 <step><para>
3038                 Browse inside the newly loaded Default folder to:
3039 <screen>
3040 HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
3041                      CurrentVersion\Explorer\User Shell Folders\
3042 </screen>
                The right panel reveals the contents
              shown in <link linkend="XP-screen001"/>.
3045                 </para></step>
3047           <step><para><indexterm>
3048                 <primary>%USERPROFILE%</primary>
3049               </indexterm><indexterm>
3050                 <primary>%LOGONSERVER%</primary>
3051               </indexterm>
                You now edit hive keys. Acceptable values to replace the
                <constant>%USERPROFILE%</constant> variable include:
3055                 <itemizedlist>
3056                         <listitem><para>A drive letter such as: <constant>U:</constant></para></listitem>
3057                         <listitem><para>A direct network path such as:
3058                     <constant>\\MASSIVE\profdata</constant></para></listitem>
3059                         <listitem><para>A network redirection (UNC name) that contains a macro such as: </para>
3060                                 <para><constant>\\%LOGONSERVER%\profdata\</constant></para></listitem>
3061                 </itemizedlist>
3062                 </para></step>
3064           <step><para><indexterm>
3065                 <primary>registry keys</primary>
3066               </indexterm>
3067                 Set the registry keys as shown in <link linkend="proffold"/>. Your implementation makes the assumption
3068                 that users have statically located machines. Notebook computers (mobile users) need to be
3069                 accommodated using local profiles. This is not an uncommon assumption.
3070                 </para></step>
3072                 <step><para>
3073                 Click back to the root of the loaded hive <constant>Default</constant>.
3074                 Click <menuchoice><guimenu>File</guimenu><guimenuitem>Unload Hive...</guimenuitem>
3075                 <guimenuitem>Yes</guimenuitem></menuchoice>.
3076                 </para></step>
3078           <step><para><indexterm>
3079                 <primary>Registry Editor</primary>
3080               </indexterm>
3081                 Click <menuchoice><guimenu>File</guimenu><guimenuitem>Exit</guimenuitem></menuchoice>. This exits the
3082                 Registry Editor.
3083                 </para></step>
3085                 <step><para>
3086                 Now follow the procedure given in <link linkend="ch6-locgrppol"/>. Make sure that each folder you
3087                 have redirected is in the exclusion list.
3088                 </para></step>
3090                 <step><para>
3091                 You are now ready to copy<footnote><para>
3092                         There is an alternate method by which a Default User profile can be added to the
3093                         <constant>NETLOGON</constant> share. This facility in the Windows System tool 
3094                         permits profiles to be exported. The export target may be a particular user or 
3095                         group profile share point, or else into the <constant>NETLOGON</constant> share. 
3096                         In this case, the profile directory must be named
3097                   <constant>Default User</constant>.
3098                         </para></footnote> 
3099                 the Default User profile to the Samba Domain Controllers. Launch Microsoft
3100                 Windows Explorer, and use it to copy the full contents of the
3101               directory <filename>Default User</filename>
3102                 that is in the <filename>C:\Documents and Settings</filename> to the root directory of the
3103                 <constant>NETLOGON</constant> share. If the <constant>NETLOGON</constant> share has the defined
3104                 UNIX path of <filename>/var/lib/samba/netlogon</filename>, when the copy is complete there must be
3105                 a directory in there called <filename>Default User</filename>.
3106                 </para></step>
3108         </procedure>
3110         <procedure>
3111         <title>Reset Folder Display to Original Behavior</title>
3113                 <step><para>
3114                 To launch the Windows Explorer, click
3115                         <menuchoice>
3116                                 <guimenu>Start</guimenu>
3117                                 <guimenuitem>My Computer</guimenuitem>
3118                                 <guimenuitem>Tools</guimenuitem>
3119                                 <guimenuitem>Folder Options</guimenuitem>
3120                                 <guimenuitem>View Tab</guimenuitem>
3121                         </menuchoice>.
3122                 Deselect <guilabel>Show hidden files and folders</guilabel>,
3123               and click <guibutton>OK</guibutton>.
3124                 Exit Windows Explorer.
3125                 </para></step>
3127         </procedure>
3129         <image id="XP-screen001">
3130                 <imagedescription>Windows XP Professional &smbmdash; User Shared Folders</imagedescription>
3131                 <imagefile scale="65">XP-screen001</imagefile>
3132         </image>
3134 <table id="proffold">
3135         <title>Default Profile Redirections</title>
3136         <tgroup cols="2">
3137                 <colspec align="left"/>
3138                 <colspec align="left"/>
3139                 <thead>
3140                         <row>
3141                                 <entry>Registry Key</entry>
3142                                 <entry>Redirected Value</entry>
3143                         </row>
3144                 </thead>
3145                 <tbody>
3146                         <row>
3147                                 <entry>Cache</entry>
3148                                 <entry>\\%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</entry>
3149                         </row>
3150                         <row>
3151                                 <entry>Cookies</entry>
3152                                 <entry>\\%LOGONSERVER%\profdata\%USERNAME%\Cookies</entry>
3153                         </row>
3154                         <row>
3155                                 <entry>History</entry>
3156                                 <entry>\\%LOGONSERVER%\profdata\%USERNAME%\History</entry>
3157                         </row>
3158                         <row>
3159                                 <entry>Local AppData</entry>
3160                                 <entry>\\%LOGONSERVER%\profdata\%USERNAME%\AppData</entry>
3161                         </row>
3162                         <row>
3163                                 <entry>Local Settings</entry>
3164                                 <entry>\\%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</entry>
3165                         </row>
3166                         <row>
3167                                 <entry>My Pictures</entry>
3168                                 <entry>\\%LOGONSERVER%\profdata\%USERNAME%\MyPictures</entry>
3169                         </row>
3170                         <row>
3171                                 <entry>Personal</entry>
3172                                 <entry>\\%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</entry>
3173                         </row>
3174                         <row>
3175                                 <entry>Recent</entry>
3176                                 <entry>\\%LOGONSERVER%\profdata\%USERNAME%\Recent</entry>
3177                         </row>
3178                 </tbody>
3179         </tgroup>
3180 </table>
3182         </sect2>
3184         <sect2>
3185         <title>Configuration of MS Outlook to Relocate PST File</title>
3187         <para><indexterm>
3188             <primary>Outlook</primary>
3189             <secondary>PST</secondary>
3190           </indexterm>
3191         Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
3192         It is the nature of email storage that this file grows, at times quite rapidly.
3193         So that users' email is available to them at every workstation they may log onto,
3194         it is common practice in well-controlled sites to redirect the PST folder to the
3195         users' home directory. Follow these steps for each user who wishes to do this.
3196         </para>
3198         <note><para>
3199         It is presumed that Outlook Express has been configured for use.
3200         </para></note>
3202         <para>
3203         Launch Outlook Express 6. Click
3204         <menuchoice>
3205                 <guimenu>Tools</guimenu>
3206                 <guimenuitem>Options</guimenuitem>
3207                 <guimenuitem>Maintenance</guimenuitem>
3208                 <guimenuitem>Store Folder</guimenuitem>
3209                 <guimenuitem>Change</guimenuitem>
3210         </menuchoice>.
3211         </para>
3213         <para>
3214         Follow the on-screen prompts to relocate the PST file to the desired location.
3215         </para>
3217         </sect2>
3219         <sect2>
3220         <title>Configure Delete Cached Profiles on Logout</title>
3222         <para>
3223         To configure the Windows XP Professional client to auto-delete roaming profiles on logout:
3224         </para>
3226         <para><indexterm>
3227             <primary>MMC</primary>
3228           </indexterm>
3229           Click 
3230         <menuchoice>
3231                 <guimenu>Start</guimenu>
3232                 <guimenuitem>Run</guimenuitem>
3233         </menuchoice>. In the dialog box, enter: <command>MMC</command>
3234           and click <guibutton>OK</guibutton>.
3235         </para>
3237         <para>
3238         Follow these steps to set the default behavior of the staging machine so that all roaming
3239         profiles are deleted as network users log out of the system. Click
3240         <menuchoice>
3241                 <guimenu>File</guimenu>
3242                 <guimenuitem>Add/Remove Snap-in</guimenuitem>
3243                 <guimenuitem>Add</guimenuitem>
3244                 <guimenuitem>Group Policy</guimenuitem>
3245                 <guimenuitem>Add</guimenuitem>
3246                 <guimenuitem>Finish</guimenuitem>
3247                 <guimenuitem>Close</guimenuitem>
3248                 <guimenuitem>OK</guimenuitem>
3249         </menuchoice>. 
3250         </para>
3252         <para><indexterm>
3253             <primary>Microsoft Management Console</primary>
3254             <see>MMC</see>
3255           </indexterm>
3256         The Microsoft Management Console now shows the <guimenu>Group Policy</guimenu>
3257         utility that enables you to set the policies needed. In the left panel, click
3258         <menuchoice>
3259                 <guimenuitem>Local Computer Policy</guimenuitem>
3260                 <guimenuitem>Administrative Templates</guimenuitem>
3261                 <guimenuitem>System</guimenuitem>
3262                 <guimenuitem>User Profiles</guimenuitem>
3263         </menuchoice>. In the right panel, set the properties listed here by double-clicking on each
3264         item:
3265         </para>
3267         <itemizedlist>
3268                         <listitem><para>Do not check for user ownership of Roaming Profile Folders = Enabled</para></listitem>
3269                         <listitem><para>Delete cached copies of roaming profiles = Enabled</para></listitem>
3270         </itemizedlist>
3272         <para>
3273         Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
3274         made of this system to deploy the new standard desktop system.
3275         </para>
3277         </sect2>
3279         <sect2>
3280         <title>Uploading Printer Drivers to Samba Servers</title>
3282         <para><indexterm>
3283             <primary>printing</primary>
3284             <secondary>drag-and-drop</secondary>
3285           </indexterm>
3286         Users want to be able to use network printers. You have a vested interest in making
3287         it easy for them to print. You have chosen to install the printer drivers onto the Samba
3288         servers and to enable point-and-click (drag-and-drop) printing. This process results in
3289         Samba being able to automatically provide the Windows client with the driver necessary to
3290         print to the printer chosen. The following procedure must be followed for every network
3291         printer:
3292         </para>
3294         <procedure>
3295                 <step><para>
3296                 Join your Windows XP Professional workstation (the staging machine) to the 
3297                 <constant>MEGANET2</constant> Domain. If you are not sure of the procedure, 
3298                 follow the guidance given in <link linkend="domjoin"/>.
3299                 </para></step>
3301                 <step><para>
3302                 After the machine has re-booted, log onto the workstation as the domain
3303                 <constant>Administrator</constant>.
3304                 </para></step>
3306                 <step><para>
3307                 Launch MS Windows Explorer. Navigate in the left panel. Click
3308                 <menuchoice>
3309                         <guimenu>My Network Places</guimenu>
3310                         <guimenuitem>Entire Network</guimenuitem>
3311                         <guimenuitem>Microsoft Windows Network</guimenuitem>
3312                         <guimenuitem>Meganet2</guimenuitem>
3313                         <guimenuitem>Massive</guimenuitem>
3314                 </menuchoice>. Click on <guimenu>Massive</guimenu>
3315                         <guimenu>Printers and Faxes</guimenu>.
3316                 </para></step>
3318                 <step><para>
3319                 Identify a printer that is shown in the right panel. Let us assume the printer is called 
3320                 <constant>ps01-color</constant>. Right-click on the <guimenu>ps01-color</guimenu> icon
3321                 and select the <guimenu>Properties</guimenu> entry. This opens a dialog box that indicates
3322                 that <quote>The printer driver is not installed on this computer. Some printer properties
3323                 will not be accessible unless you install the printer driver. Do you want to install the
3324                 driver now?</quote> It is important at this point you answer <guimenu>No</guimenu>.
3325                 </para></step>
3327                 <step><para>
3328                 The printer properties panel for the <guimenu>ps01-color</guimenu> printer on the server 
3329                 <constant>MASSIVE</constant> is displayed. Click the <guimenu>Advanced</guimenu> tab.
3330                 Note that the box labelled <guimenu>Driver</guimenu> is empty. Click the <guimenu>New Driver</guimenu>
3331                 button that is next to the <guimenu>Driver</guimenu> box. This launches the <quote>Add Printer Wizard</quote>.
3332                 </para></step>
3334           <step><para><indexterm>
3335                 <primary>Add Printer Wizard</primary>
3336                 <secondary>APW</secondary>
3337               </indexterm><indexterm>
3338                 <primary>APW</primary>
3339               </indexterm>
3340                 The <quote>Add Printer Driver Wizard on <constant>MASSIVE</constant></quote> panel 
3341                 is now presented. Click <guimenu>Next</guimenu> to continue. From the left panel, select the 
3342                 Printer Manufacturer. In your case, you are adding a driver for a printer manufactured by 
3343                 Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click 
3344                 <guimenu>Next</guimenu>, and then <guimenu>Finish</guimenu> to commence driver upload. A 
3345                 progress bar appears and instructs you as each file is being uploaded and that it is being 
3346                 directed at the network server <constant>\\massive\ps01-color</constant>.
3347                 </para></step>
3349                 <step><para>
3350                 <indexterm><primary>printers</primary><secondary>Advanced</secondary></indexterm>
3351                 <indexterm><primary>printers</primary><secondary>Properties</secondary></indexterm>
3352                 <indexterm><primary>printers</primary><secondary>Sharing</secondary></indexterm>
3353                 <indexterm><primary>printers</primary><secondary>General</secondary></indexterm>
3354                 <indexterm><primary>printers</primary><secondary>Security</secondary></indexterm>
3355                 <indexterm><primary>AD printer publishing</primary></indexterm>
3356                 The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
3357                 you are returned to the <guimenu>Advanced</guimenu> tab in the <guimenu>Properties</guimenu> panel. 
3358                 You can set the Location (under the <guimenu>General</guimenu> tab), and Security settings (under 
3359                 the <guimenu>Security</guimenu> tab). Under the <guimenu>Sharing</guimenu> tab it is possible to
3360                 load additional printer drivers; there is also a check-box in this tab called <quote>List in the
3361                 directory</quote>. When this box is checked, the printer is published in Active Directory
3362                 (applicable to Active Directory use only).
3363                 </para></step>
3365                 <step><para>
3366                 <indexterm><primary>printers</primary><secondary>Default Settings</secondary></indexterm>
3367                 Click <guimenu>OK</guimenu>. It will take a minute or so to upload the settings to the server. 
3368                 You are now returned to the <guimenu>Printers and Faxes on Massive</guimenu> monitor.
3369                 Right-click on the printer, click <menuchoice><guimenu>Properties</guimenu> 
3370                 <guimenuitem>Device Settings</guimenuitem> </menuchoice>.  Now change the settings to suit 
3371                 your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes, even if 
3372                 you then need to reverse those changes back to their original settings. 
3373                 </para></step>
3375                 <step><para>
3376                 This is necessary so that the printer settings are initialized in the Samba printers
3377                 database. Click <guimenu>Apply</guimenu> to commit your settings. Then revert any settings you changed
3378                 only to initialize the Samba printers database entry for this printer. If you reverted a setting,
3379                 click <guimenu>Apply</guimenu> again.
3380                 </para></step>
3382                 <step><para>
3383                 <indexterm><primary>Print Test Page</primary></indexterm>
3384                 Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
3385                 click the <guimenu>General</guimenu> tab. Now click the <guimenu>Print Test Page</guimenu> button.
3386                 A test page should print. Verify that it has printed correctly. Then click <guimenu>OK</guimenu>
3387                 in the panel that is newly presented. Click <guimenu>OK</guimenu> on the <guimenu>ps01-color on 
3388                 massive Properties</guimenu> panel.
3389                 </para></step>
3391                 <step><para>
3392                 You must repeat this process for all network printers (i.e., for every printer, on each server).
3393                 When you have finished uploading drivers to all printers, close all applications. The next task
3394                 is to install software your users require to do their work.
3395                 </para></step>
3396         </procedure>
3398         </sect2>
3400         <sect2>
3401         <title>Software Installation</title>
3403         <para>
3404         Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
3405         a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
3406         Notebooks require special handling that is beyond the scope of this chapter.
3407         </para>
3409         <para>
3410         For desktop systems, the installation of software onto administratively centralized application servers
3411         makes a lot of sense. This means that you can manage software maintenance from a central
3412         perspective and that only minimal application stub-ware needs to be installed onto the desktop
3413         systems. You should proceed with software installation and default configuration as far as is humanly
3414         possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
3415         of software operations and configuration.
3416         </para>
3418         <para>
3419         When you believe that the overall configuration is complete, be sure to create a shared group profile
3420         and migrate that to the Samba server for later re-use when creating custom mandatory profiles, just in
3421         case a user may have specific needs you had not anticipated.
3422         </para>
3424         </sect2>
3426         <sect2>
3427         <title>Roll-out Image Creation</title>
3429         <para>
3430         The final steps you might follow before preparing the distribution Norton Ghost image file are:
3431         </para>
3433         <blockquote><para>
3434         Un-join the domain &smbmdash; Each workstation requires a unique name and must be independently
3435         joined into Domain Membership.
3436         </para></blockquote>
3438         <blockquote><para>
3439         Defragment the hard disk &smbmdash; While not obvious to the uninitiated, defragmentation results
3440         in better performance and often significantly reduces the size of the compressed disk image. That
3441         also means it will take less time to deploy the image onto 500 workstations.
3442         </para></blockquote>
3444         </sect2>
3446 </sect1>
3448 <sect1>
3449         <title>Key Points Learned</title>
3451         <para>
3452         This chapter has introduced many new concepts. It is a sad fact that the example presented deliberately
3453         avoided any consideration of security. Security does not just happen; you must design it into your total
3454         network. Security begins with a systems design and implementation that anticipates hostile behavior from
3455         users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
3456         they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
3457         practices, you must not deploy the design presented in this book in an environment where there is risk
3458         of compromise.
3459         </para>
3461       <para><indexterm>
3462           <primary>Access Control Lists</primary>
3463           <see>ACLs</see>
3464         </indexterm><indexterm>
3465           <primary>ACLs</primary>
3466         </indexterm>
3467         As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs) and it must be
3468         configured to use secure protocols for all communications over the network. Of course, secure networking
3469         does not result just from systems design and implementation but involves constant user education
3470         and training, and above all disciplined attention to detail and constant searching for signs of unfriendly
3471         or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
3472         Jerry Carter's book <ulink
3473           url="http://www.booksense.com/product/info.jsp&amp;isbn=1565924916"><emphasis>LDAP System 
3474         Administration</emphasis></ulink> is a good place to start reading about OpenLDAP as well as security considerations.
3475         </para>
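The two minimum protections named above, LDAP ACLs and secure transport, look like this in OpenLDAP terms. This fragment is added here as an example and is not from the guide or the Samba project; the suffix <constant>dc=example,dc=com</constant> and the admin DN <constant>cn=Manager,dc=example,dc=com</constant> are placeholders for the site's own values, and the attribute names <constant>sambaLMPassword</constant> and <constant>sambaNTPassword</constant> are the Samba schema attributes that hold the Windows password hashes.

```conf
# Added slapd.conf example (not from the Samba Guide). Placeholders:
# dc=example,dc=com (suffix) and cn=Manager,dc=example,dc=com (admin DN).

# Refuse any bind or operation that is not protected by at least
# 128-bit transport security (TLS/SSL), so credentials never cross the
# wire in clear. Connections over ldapi:// need localSSF raised to match.
security ssf=128

# Windows password hashes: only the DN Samba binds with may read or
# write them; nobody else, including the account owner, sees them.
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=Manager,dc=example,dc=com" write
        by * none

# UNIX password: a user may change their own, anyone may present it to
# authenticate (simple bind), nobody may read it.
access to attrs=userPassword
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# Everything else: the admin DN writes, authenticated users read,
# anonymous clients get nothing.
access to *
        by dn="cn=Manager,dc=example,dc=com" write
        by users read
        by * none
```

Rules are evaluated in order, so the password-attribute rules must stay above the catch-all. The last rule assumes nss_ldap and pam_ldap bind with a DN of their own; if they bind anonymously, account lookups fail until you either give them a bind DN or relax the catch-all to anonymous read.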
3477         <para>
3478         The substance of this chapter that has been deserving of particular attention includes:
3479         </para>
3481         <itemizedlist>
3482                 <listitem><para>
3483                 Implementation of an OpenLDAP-based passwd backend &smbmdash; necessary to support distributed
3484                 Domain Control.
3485                 </para></listitem>
3487                 <listitem><para>
3488                 Implementation of Samba Primary and Secondary Domain Controllers with a common LDAP backend
3489                 for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and
3490                 pam_ldap toolsets.
3491                 </para></listitem>
3493                 <listitem><para>
3494                 Use of the Idealx smbldap-tools scripts for UNIX (Posix) account management as well as
3495                 to manage Samba Windows user and group accounts.
3496                 </para></listitem>
3498                 <listitem><para>
3499                 The basics of implementation of Group Policy controls for Windows network clients.
3500                 </para></listitem>
3502                 <listitem><para>
3503                 Control over roaming profiles, with particular focus on folder redirection to network drives.
3504                 </para></listitem>
3506                 <listitem><para>
3507                 Use of the CUPS printing system together with Samba-based printer driver auto-download.
3508                 </para></listitem>
3509         </itemizedlist>
3511 </sect1>
3514 <sect1>
3515         <title>Questions and Answers</title>
3517         <para>
3518         Well, here we are at the end of this chapter and we have only ten questions to help you to
3519         remember so much. There are bound to be some sticky issues here.
3520         </para>
3522         <qandaset defaultlabel="chap06qa">
3523         <qandaentry>
3524         <question>
3526                 <para>
3527                 Why did you not cover secure practices? Isn't it rather irresponsible to instruct
3528                 network administrators to implement insecure solutions?
3529                 </para>
3531         </question>
3532         <answer>
3534                 <para>
3535                 Let's get this right. This is a book about Samba, not about OpenLDAP and secure
3536                 communication protocols for subjects other than Samba. Earlier on, you will note
3537                 that the Dynamic DNS and DHCP solutions also used no protective secure communications
3538                 protocols. The reason for this is simple: There are so many ways of implementing
3539                 secure protocols that this book would have been even larger and more complex.
3540                 </para>
3542                 <para>
3543                 The solutions presented here all work (at least they did for me). Network administrators
3544                 have the interest and the need to be better trained and instructed in secure networking
3545                 practices and ought to implement safe systems. I made the decision, right or wrong,
3546                 to keep this material as simple as possible. The intent of this book is to demonstrate
3547                 a working solution and not to discuss too many peripheral issues.
3548                 </para>
3550                 <para>
3551                 This book makes little mention of backup techniques. Does that mean that I am recommending
3552                 that you should implement a network without provision for data recovery and for disaster
3553                 management? Back to our focus: The deployment of Samba has been clearly demonstrated.
3554                 </para>
3556         </answer>
3557         </qandaentry>
3559         <qandaentry>
3560         <question>
3562                 <para>
3563                 You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
3564                 you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
3565                 to the Linux I might be using?
3566                 </para>
3568         </question>
3569         <answer>
3571                 <para>
3572                 Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
3573                 for a standard Linux distribution. The differences are marginal. Surely you know
3574                 your Linux platform and you do have access to administration manuals for it. This
3575                 book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
3576                 the Samba part of the book; all the other bits are peripheral (but important) to
3577                 creation of a total network solution. 
3578                 </para>
3580                 <para>
3581                 What I find interesting is the attention reviewers give to Linux installation and to
3582                 the look and feel of the desktop, but does that make for a great server? In this book,
3583                 I have paid particular attention to the details of creating a whole solution framework.
3584                 I have not tightened every nut and bolt, but I have touched on all the issues you
3585                 need to be familiar with. Over the years many people have approached me wanting to
3586                 know the details of exactly how to implement a DHCP and Dynamic DNS server with Samba
3587                 and WINS. In this chapter, it is plain to see what needs to be configured to provide
3588                 transparent interoperability. Likewise for CUPS and Samba interoperation. These are
3589                 key stumbling areas for many people.
3590                 </para>
3592                 <para>
3593                 At every critical junction, I have provided comparative guidance for both SUSE and
3594                 Red Hat Linux. Both manufacturers have done a great job in furthering the cause
3595                 of open source software. I favor neither and respect both. I like particular
3596                 features of both products (companies also). No bias in presentation is intended.
3597                 Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
3598                 </para>
3600         </answer>
3601         </qandaentry>
3603         <qandaentry>
3604         <question>
3606                 <para>
3607                 You did not use SWAT to configure Samba. Is there something wrong with it?
3608                 </para>
3610         </question>
3611         <answer>
3613                 <para>
3614                 That is a good question. As it is, the &smb.conf; file configurations are presented
3615                 in as direct a format as possible. Adding SWAT into the equation would have complicated
3616                 matters. I sought simplicity of implementation. The fact is that I did use SWAT to
3617                 create the files in the first place.
3618                 </para>
3620                 <para>
3621                 There are people in the Linux and open source community who feel that SWAT is dangerous
3622                 and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
3623                 hope to have brought their interests on board. SWAT is well covered in <emphasis>TOSHARG</emphasis>.
3624                 </para>
3626         </answer>
3627         </qandaentry>
3629         <qandaentry>
3630         <question>
3632                 <para>
3633                 You have exposed a well-used password <emphasis>not24get</emphasis>. Is that
3634                 not irresponsible? 
3635                 </para>
3637         </question>
3638         <answer>
3640                 <para>
3641                 Well, I had to use a password of some sort. At least this one has been consistently
3642                 used throughout. I guess you can figure out that in a real deployment it would make 
3643                 sense to use a more secure and original password.
3644                 </para>
3646         </answer>
3647         </qandaentry>
3649         <qandaentry>
3650         <question>
3652                 <para>
3653                 The Idealx smbldap-tools create many domain group accounts that are not used. Is that
3654                 a good thing?
3655                 </para>
3657         </question>
3658         <answer>
3660                 <para>
3661                 I took this up with Idealx and found them most willing to change that in the next version.
3662                 Let's give Idealx some credit for the contribution they have made. I appreciate their work
3663                 and, besides, it does no harm to create accounts that are not used now, as at some time 
3664                 Samba may well use them.
3665                 </para>
3667         </answer>
3668         </qandaentry>
3670         <qandaentry>
3671         <question>
3673                 <para>
3674                 Can I use LDAP just for Samba accounts and not for UNIX system accounts?
3675                 </para>
3677         </question>
3678         <answer>
3680                 <para>
3681                 Yes, you can do that for user accounts only. Samba requires there to be a Posix (UNIX)
3682                 group account for every Windows Domain group account. But if you put your users into
3683                 the system password account, how do you plan to keep all domain controller system
3684                 password files in sync? I think that having everything in LDAP makes a lot of sense
3685                 for the UNIX admin who is still learning the craft and is migrating from MS Windows.
3686                 </para>
3688         </answer>
3689         </qandaentry>
3691         <qandaentry>
3692         <question>
3694                 <para>
3695                 Why are the Windows Domain RID portions not the same as the UNIX UID?
3696                 </para>
3698         </question>
3699         <answer>
3701                 <para>
3702                 Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
3703                 This algorithm ought to ensure that there will be no clashes with well-known RIDs.
3704                 Well-known RIDs have special significance to MS Windows clients. The automatic
3705                 assignment uses the calculation: RID = UID x 2 + 1000. Of course, Samba does
3706                 permit you to override that to some extent. See the &smb.conf; man page entry
3707                 for <parameter>algorithmic rid base</parameter>.
3708                 </para>
3710         </answer>
3711         </qandaentry>
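The formula in the answer above, worked through as an added example that is not code from the Samba project or this guide. It models RID = UID x 2 + 1000 with the base made a parameter (as <parameter>algorithmic rid base</parameter> allows), inverts it, and shows why a base above the well-known RIDs keeps UNIX accounts from ever landing on one. The list of well-known RIDs and the convention that groups take the odd RIDs are assumptions drawn from general Windows and Samba knowledge, not from this chapter.

```python
"""Algorithmic RID mapping, as described in the Q&A answer above.

Added example, not code from the Samba project. Users map to
uid * 2 + base; the odd numbers are assumed to belong to groups
(gid * 2 + base + 1), so the two ranges never collide. The well-known
RID table is an assumption from Windows conventions.
"""

DEFAULT_RID_BASE = 1000      # smb.conf "algorithmic rid base" default
RID_MULTIPLIER = 2

# Relative identifiers that Windows clients treat specially (assumed).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}


def uid_to_rid(uid: int, rid_base: int = DEFAULT_RID_BASE) -> int:
    """User RID: the even offsets from rid_base."""
    if uid < 0:
        raise ValueError("uid must be non-negative")
    return uid * RID_MULTIPLIER + rid_base


def gid_to_rid(gid: int, rid_base: int = DEFAULT_RID_BASE) -> int:
    """Group RID: the odd offsets from rid_base (assumed convention)."""
    if gid < 0:
        raise ValueError("gid must be non-negative")
    return gid * RID_MULTIPLIER + rid_base + 1


def rid_to_uid(rid: int, rid_base: int = DEFAULT_RID_BASE) -> int:
    """Inverse of uid_to_rid; rejects RIDs below the base and group RIDs."""
    if rid < rid_base or (rid - rid_base) % RID_MULTIPLIER != 0:
        raise ValueError(f"RID {rid} is not an algorithmic user RID")
    return (rid - rid_base) // RID_MULTIPLIER


def clashes_with_well_known(rid_base: int) -> list:
    """Well-known RIDs that some UID or GID would map onto for this base.

    Every RID at or above the base is reachable (even offsets by a user,
    odd offsets by a group), so a safe base lies above all of them.
    """
    return sorted(rid for rid in WELL_KNOWN_RIDS if rid >= rid_base)


if __name__ == "__main__":
    for uid in (0, 500, 1000):
        print(f"uid {uid:5d} -> user RID {uid_to_rid(uid)}")
    print("clashes at base 1000:", clashes_with_well_known(1000))
    print("clashes at base 512: ", clashes_with_well_known(512))
```

With the default base, UID 500 becomes RID 2000, well clear of RID 500 (Administrator); lowering the base to 512 would let some UID or GID land on every well-known RID from 512 upwards, which is the clash the answer warns about.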
3713         <qandaentry>
3714         <question>
3716                 <para>
3717                 Printer configuration examples all show printing to the HP port 9100. Does this
3718                 mean that I must have HP printers for these solutions to work?
3719                 </para>
3721         </question>
3722         <answer>
                <para>
                No. You can use any type of printer, but you must use the interfacing protocol that
                the printer supports. Many networks use LPR/LPD print servers to which are attached
                PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached
                inkjet printer. Use the device URI (Uniform Resource Identifier) argument to the
                <constant>lpadmin -v</constant> option that is right for your printer.
                </para>
        </answer>
        </qandaentry>
        <qandaentry>
        <question>
                <para>
                Is folder redirection dangerous? I've heard that you can lose your data that way.
                </para>
        </question>
        <answer>
                <para>
                The only loss of data I know of that involved folder redirection was caused by
                manual misuse of the redirection tool. The administrator redirected a folder to
                a network drive and said he wanted to migrate (move) the data over. Then he
                changed his mind, so he moved the folder back to the roaming profile. This time,
                he declined to move the data because he thought it was still in the local profile
                folder. That was not the case, so by declining to move the data back, he wiped out
                the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
                </para>
        </answer>
        </qandaentry>
        <qandaentry>
        <question>
                <para>
                Is it really necessary to set a local Group Policy to exclude the redirected
                folders from the roaming profile?
                </para>
        </question>
        <answer>
                <para>
                Yes. If you do not do this, the data will still be copied from the network folder
                (share) to the locally cached copy of the profile.
                </para>
        </answer>
        </qandaentry>
        </qandaset>
</sect1>
</chapter>