| blob | 3ba9a2ec6981ac53895a675c715e439c8242ed21 |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
5 <!-- entities files to use -->
6 <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
7 %global_entities;
9 ]>
10 <preface id="preface">
11 <title>Preface</title>
13 <para>
14 Network administrators live busy lives. We face distractions and pressures
15 that drive us to seek proven, working case scenarios that can be easily
16 implemented. Often this approach lands us in trouble. There is a
17 saying that, geometrically speaking, the shortest distance between two
18 points is a straight line, but practically we find that the quickest
19 route to a stable network solution is the long way around.
20 </para>
22 <para>
23 This book is your means to the straight path. It provides step-by-step,
24 proven, working examples of Samba deployments. If you want to deploy
25 Samba-3 with the least effort, or if you want to become an expert at deploying
26 Samba-3 without having to search through lots of documentation, this
27 book is the ticket to your destination.
28 </para>
30 <para>
31 Samba is software that can be run on a platform other than Microsoft Windows,
32 for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems.
33 Samba uses the TCP/IP protocol that is installed on the host server. When
34 correctly configured, it allows that host to interact with a Microsoft Windows
35 client or server as if it is a Windows file and print server. This book
36 will help you to implement Windows-compatible file and print services.
37 </para>
39 <para>
40 The examples presented in this book are typical of various businesses and
41 reflect the problems and challenges they face. Care has been taken to preserve
42 attitudes, perceptions, practices, and demands from real network case studies.
43 The maximum benefit may be obtained from this book by working carefully through
44 each exercise. You may be in a hurry to satisfy a specific need, so feel
45 free to locate the example that most closely matches your need, copy it, and
46 innovate as much as you like. Above all, enjoy the process of learning the
47 secrets of MS Windows networking that is truly liberated by Samba.
48 </para>
50 <para>
51 The focus of attention in this book is Samba-3. Specific notes are made in
52 respect of how Samba may be made secure. This book does not attempt to provide
53 detailed information regarding secure operation and configuration of peripheral
54 services and applications such as OpenLDAP, DNS and DHCP, the need for which
55 can be met from other resources that are dedicated to the subject.
56 </para>
58 <sect1>
59 <title>Why Is This Book Necessary?</title>
61 <para>
62 This book is the result of observations and feedback. The feedback from
63 the Samba-HOWTO-Collection has been positive and complimentary. There
64 have been requests for far more worked examples, a
65 <quote>Samba Cookbook,</quote> and for training materials to
66 help kick-start the process of mastering Samba.
67 </para>
69 <para>
70 The Samba mailing list's users have asked for sample configuration files
71 that work. It is natural to question one's own ability to correctly
72 configure a complex tool such as Samba until a minimum necessary
73 knowledge level has been attained.
74 </para>
76 <para>
77 The Samba-HOWTO-Collection, as do <emphasis>The Official Samba-3 HOWTO and
78 Reference Guide</emphasis>, document Samba features and functionality in
79 a topical context. This book takes a completely different approach. It
80 walks through Samba network configurations that are working within particular
81 environmental contexts, providing documented step-by-step implementations.
82 All example case configuration files, scripts, and other tools are provided
83 on the CD-ROM. This book is descriptive, provides detailed diagrams, and
84 makes deployment of Samba-3 a breeze.
85 </para>
87 </sect1>
89 <sect1>
90 <title>Prerequisites</title>
92 <para>
93 This book is not a tutorial on UNIX or Linux administration. UNIX and Linux
94 training is best obtained from books dedicated to the subject. This book
95 assumes that you have at least the basic skill necessary to use these operating
96 systems, and that you can use a basic system editor to edit and configure files.
97 It has been written with the assumption that you have experience with Samba,
98 have read <emphasis>The Official Samba-3 HOWTO and Reference Guide</emphasis> and
99 the Samba-HOWTO-Collection, or that you have familiarity with Microsoft Windows.
100 </para>
102 <para>
103 If you do not have this experience, you can follow the examples in this book but may
104 find yourself at times intimidated by assumptions made. In this situation, you
105 may need to refer to administrative guides or manuals for your operating system
106 platform to find what is the best method to achieve what the text of this book describes.
107 </para>
109 </sect1>
111 <sect1>
112 <title>Approach</title>
114 <para>
115 The first chapter deals with some rather thorny network analysis issues. Do not be
116 put off by this. The information you glean, even without a detailed understanding
117 of network protocol analysis, can help you understand how Windows networking functions.
118 </para>
120 <para>
121 Each following chapter of this book opens with the description of a networking solution
122 sought by a hypothetical site. Bob Jordan is a hypothetical decision maker
123 for an imaginary company, <constant>Abmas Biz NL</constant>. We will use the
124 non-existent domain name <constant>abmas.biz</constant>. All <emphasis>facts</emphasis>
125 presented regarding this company are fictitious and have been drawn from a variety of real
126 business scenarios over many years. Not one of these reveal the identify of the
127 real-world company from which the scenario originated.
128 </para>
130 <para>
131 In any case, Mr. Jordan likes to give all his staff nasty little assignments.
132 Stanley Saroka is one of his proteges; Christine Roberson is the network administrator
133 Bob trusts. Jordan is inclined to treat other departments well because they finance
134 Abmas IT operations.
135 </para>
137 <para>
138 Each chapter presents a summary of the network solution we have chosen to
139 demonstrate together with a rationale to help you to understand the
140 thought process that drove that solution. The chapter then documents in precise
141 detail all configuration files and steps that must be taken to implement the
142 example solution. Anyone wishing to gain serious value from this book will
143 do well to take note of the implications of points made, so watch out for the
144 <emphasis>this means that</emphasis> notations.
145 </para>
147 <para>
148 Each chapter has a set of questions and answers to help you to
149 to understand and digest key attributes of the solutions presented.
150 </para>
152 </sect1>
154 <sect1>
155 <title>Summary of Topics</title>
157 <para>
158 Our first assignment is to understand how Microsoft Windows products
159 function in the network environment. That is where we start. Let's take
160 just a few moments to get a bird's eye view of this book. Remember that
161 this is a book about file and print technology deployment; there are
162 great examples of printing solutions. Here we go.
163 </para>
165 <variablelist>
166 <varlistentry>
167 <term>Chapter 1 &smbmdash; Windows Networking Primer</term><listitem>
168 <para>
169 Here we cover practical exercises to help us to understand how MS Windows
170 network protocols function. A network protocol analyzer helps you to
171 appreciate the fact that Windows networking is highly dependent on broadcast
172 messaging. Additionally, you can look into network packets that a Windows
173 client sends to a network server to set up a network connection. On completion,
174 you should have a basic understanding of how network browsing functions and
175 have seen some of the information a Windows client sends to
176 a file and print server to create a connection over which file and print
177 operations may take place.
178 </para>
179 </listitem>
180 </varlistentry>
182 <varlistentry>
183 <term>Chapter 2 &smbmdash; No Frills Samba Servers</term><listitem>
184 <para>
185 Here you design a solution for three different business scenarios, each for a
186 company called Abmas. There are two simple networking problems and one slightly
187 more complex networking challenge. In the first two cases, Abmas has a small
188 simple office, and they want to replace a Windows 9x peer-to-peer network. The
189 third example business uses Windows 2000 Professional. This must be simple,
190 so let's see how far we can get. If successful, Abmas grows quickly and
191 soon needs to replace all servers and workstations.
192 </para>
194 <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter demands:
195 <itemizedlist>
196 <listitem><para>Case 1: The simplest &smb.conf; file that may
197 reasonably be used. Works with Samba-2.x also. This
198 configuration uses Share Mode security. Encrypted
199 passwords are not used, so there is no
200 <filename>smbpasswd</filename> file.
201 </para></listitem>
203 <listitem><para>Case 2: Another simple &smb.conf; file that adds
204 WINS support and printing support. This case deals with
205 a special requirement that demonstrates how to deal with
206 purpose-built software that has a particular requirement
207 for certain share names and printing demands. This
208 configuration uses Share Mode security and also works with
209 Samba-2.x. Encrypted passwords are not used, so there is no
210 <filename>smbpasswd</filename> file.
211 </para></listitem>
213 <listitem><para>Case 3: This &smb.conf; configuration uses User Mode
214 security. The file share configuration demonstrates
215 the ability to provide master access to an administrator
216 while restricting all staff to their own work areas.
217 Encrypted passwords are used, so there is an implicit
218 <filename>smbpasswd</filename> file.
219 </para></listitem>
220 </itemizedlist>
221 </para>
222 </listitem>
223 </varlistentry>
225 <varlistentry>
226 <term>Chapter 3 &smbmdash; Small Office Networking</term><listitem>
227 <para>
228 Abmas is a successful company now. They have 50 network users
229 and want a little more varoom from the network. This is a typical
230 small office and they want better systems to help them to grow. This is
231 your chance to really give advanced users a bit more functionality and usefulness.
232 </para>
234 <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
235 makes use of encrypted passwords, so there is an <filename>smbpasswd</filename>
236 file. It also demonstrates use of the <parameter>valid users</parameter> and
237 <parameter>valid groups</parameter> to restrict share access. The Windows
238 clients access the server as Domain members. Mobile users log onto
239 the Domain while in the office, but use a local machine account while on the
240 road. The result is an environment that answers mobile computing user needs.
241 </para>
242 </listitem>
243 </varlistentry>
245 <varlistentry>
246 <term>Chapter 4 &smbmdash; Secure Office Networking</term><listitem>
247 <para>
248 Abmas is growing rapidly now. Money is a little tight, but with 130
249 network users, security has become a concern. They have many new machines
250 to install and the old equipment will be retired. This time they want the
251 new network to scale and grow for at least two years. Start with a sufficient
252 system and allow room for growth. You are now implementing an Internet
253 connection and have a few reservations about user expectations.
254 </para>
256 <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
257 makes use of encrypted passwords, and you can use a <filename>tdbsam</filename>
258 password backend. Domain logons are introduced. Applications are served from the central
259 server. Roaming profiles are mandated. Access to the server is tightened up
260 so that only domain members can access server resources. Mobile computing
261 needs still are catered to.
262 </para>
263 </listitem>
264 </varlistentry>
266 <varlistentry>
267 <term>Chapter 5 &smbmdash; The 500 User Office</term><listitem>
268 <para>
269 The two-year projections were met. Congratulations, you are a star.
270 Now Abmas needs to replace the network. Into the existing user base, they
271 need to merge a 280-user company they just acquired. It is time to build a serious
272 network. There are now three buildings on one campus and your assignment is
273 to keep everyone working while a new network is rolled out. Oh, isn't it nice
274 to roll out brand new clients and servers! Money is no longer tight, you get
275 to buy and install what you ask for. You will install routers and a firewall.
276 This is exciting!
277 </para>
279 <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
280 makes use of encrypted passwords, and a <filename>tdbsam</filename>
281 password backend is used. You are not ready to launch into LDAP yet, so you
282 accept the limitation of having one central Domain Controller with a Domain
283 Member server in two buildings on your campus. A number of clever techniques
284 are used to demonstrate some of the smart options built into Samba.
285 </para>
286 </listitem>
287 </varlistentry>
289 <varlistentry>
290 <term>Chapter 6 &smbmdash; Making Users Happy</term><listitem>
291 <para>
292 Congratulations again. Abmas is happy with your services and you have been given another raise.
293 Your users are becoming much more capable and are complaining about little
294 things that need to be fixed. Are you up to the task? Mary says it takes her 20 minutes
295 to log onto the network and it is killing her productivity. Email is a bit <emphasis>
296 unreliable</emphasis> &smbmdash; have you been sleeping on the job? We do not discuss the
297 technology of email but when the use of mail clients breaks because of networking
298 problems, you had better get on top of it. It's time for a change.
299 </para>
301 <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
302 makes use of encrypted passwords; a distributed <filename>ldapsam</filename>
303 password backend is used. Roaming profiles are enabled. Desktop profile controls
304 are introduced. Check out the techniques that can improve the user experience
305 of network performance. As a special bonus, this chapter documents how to configure
306 smart downloading of printer drivers for drag-and-drop printing support. And, yes,
307 the secret of configuring CUPS is clearly documented. Go for it; this one will
308 tease you, too.
309 </para>
310 </listitem>
311 </varlistentry>
313 <varlistentry>
314 <term>Chapter 7 &smbmdash; A Distributed 2000-User Network</term><listitem>
315 <para>
316 Only eight months have passed, and Abmas has acquired another company. You now need to expand
317 the network further. You have to deal with a network that spans several countries.
318 There are three new networks in addition to the original three buildings at the head-office
319 campus. The head office is in New York and you have branch offices in Washington, Los Angeles, and
320 London. Your desktop standard is Windows XP Professional. In many ways, everything has changed
321 and yet it must remain the same. Your team is primed for another roll-out. You know there are
322 further challenges ahead.
323 </para>
325 <para><emphasis>TechInfo</emphasis> &smbmdash; Slave LDAP servers are introduced. Samba is
326 configured to use multiple LDAP backends. This is a brief chapter; it assumes that the
327 technology has been mastered and gets right down to concepts and how to deploy them.
328 </para>
329 </listitem>
330 </varlistentry>
332 <varlistentry>
333 <term>Chapter 8 &smbmdash; Migrating NT4 Domain to Samba-3</term><listitem>
334 <para>
335 Another six months have <?latex \linebreak ?>
336 passed. Abmas has acquired yet another company. You will find a
337 way to migrate all users off the old network onto the existing network without loss
338 of passwords and will effect the change-over during one weekend. May the force (and caffeine) be with
339 you, may you keep your back to the wind and may the sun shine on your face.
340 </para>
342 <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter demonstrates the use of
343 the <command>net rpc migrate</command> facility using an LDAP ldapsam backend, and also
344 using a tdbsam passdb backend. Both are much-asked-for examples of NT4 Domain migration.
345 </para>
346 </listitem>
347 </varlistentry>
349 <varlistentry>
350 <term>Chapter 9 &smbmdash; Adding UNIX/Linux Servers and Clients</term><listitem>
351 <para>
352 Well done, Bob, your team has achieved much. Now help Abmas integrate the entire network.
353 You want central control and central support and you need to cut costs. How can you reduce administrative
354 overheads and yet get better control of the network?
355 </para>
357 <para>
358 This chapter has been contributed by Mark Taylor <email>mark.taylor@siriusit.co.uk</email>
359 and is based on a live site. For further information regarding this example case,
360 please contact Mark directly.
361 </para>
363 <para><emphasis>TechInfo</emphasis> &smbmdash; It is time to consider how to add Samba servers
364 and UNIX and Linux network clients. Users who convert to Linux want to be able to log on
365 using Windows network accounts. You explore nss_ldap, pam_ldap, winbind, and a few neat
366 techniques for taking control. Are you ready for this?
367 </para>
368 </listitem>
369 </varlistentry>
371 <varlistentry>
372 <term>Chapter 10 &smbmdash; Active Directory, Kerberos and Security</term><listitem>
373 <para>
374 Abmas has acquired another company that has just migrated to running Windows Server 2003 and
375 Active Directory. One of your staff makes offhand comments that land you in hot water.
376 A network security auditor is hired by the head of the new business and files a damning
377 report, and you must address the <emphasis>defects</emphasis> reported. You have hired new
378 network engineers who want to replace Microsoft Active Directory with a pure Kerberos
379 solution. How will you handle this?
380 </para>
382 <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter is your answer. Learn about
383 share access controls, proper use of UNIX/Linux file system access controls, and Windows
384 200x Access Control Lists. Follow these steps to beat the critics.
385 </para>
386 </listitem>
387 </varlistentry>
389 <varlistentry>
390 <term>Chapter 11 &smbmdash; Integrating Additional Services</term><listitem>
391 <para>
392 The battle is almost over, Samba-3 has won the day. Your team are delighted and now you
393 find yourself at yet another cross-roads. Abmas have acquired a snack food business, you
394 made promises you must keep. IT costs must be reduced, you have new resistance, but you
395 will win again. This time you choose to install the Squid proxy server to validate the
396 fact that Samba is far more than just a file and print server. SPNEGO authentication
397 support means that your Microsoft Windows clients gain transparent proxy access.
398 </para>
400 <para><emphasis>TechInfo</emphasis> &smbmdash; Samba provides the <command>ntlm_auth</command>
401 module that makes it possible for MS Windows Internet Explorer to connect via the Squid Web
402 and FTP proxy server. You will configure Samba-3 as well as Squid to deliver authenticated
403 access control based using the Active Directory Domain user security credentials.
404 </para>
405 </listitem>
406 </varlistentry>
408 <varlistentry>
409 <term>Chapter 12 &smbmdash; Performance, Reliability and Availability</term><listitem>
410 <para>
411 Bob, are you sure the new Samba server is up to the load? Your network is serving many
412 users who risk becoming unproductive. What can you do to keep ahead of demand? Can you
413 keep the cost under control also? What can go wrong?
414 </para>
416 <para><emphasis>TechInfo</emphasis> &smbmdash; Hot tips that put chili into your
417 network. Avoid name resolution problems, identify potential causes of network collisions,
418 avoid Samba configuration options that will weigh the server down. MS distributed file
419 services to make your network fly and much more. This chapter contains a good deal of
420 <quote>Did I tell you about this...?</quote> type of hints to help keep your name on the top
421 performers list.
422 </para>
423 </listitem>
424 </varlistentry>
425 </variablelist>
427 </sect1>
429 <!-- the conventions used in this book -->
430 <xi:include href="conventions.xml" xmlns:xi="http://www.w3.org/2003/XInclude" />
432 </preface>