From ea941fd4a4ba4f0a7a45551ab35447d0cc70c293 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 25 May 2005 01:22:42 +0000 Subject: [PATCH] A small copy editor's update. --- docs/Samba-Guide/SBE-2000UserNetwork.xml | 1494 ++++++++++++--------------- docs/Samba-Guide/SBE-500UserNetwork.xml | 276 +++-- docs/Samba-Guide/SBE-Appendix1.xml | 423 +++++--- docs/Samba-Guide/SBE-MakingHappyUsers.xml | 1284 +++++++++++------------ docs/Samba-Guide/SBE-SecureOfficeServer.xml | 707 ++++++------- docs/Samba-Guide/SBE-TheSmallOffice.xml | 301 +++--- docs/Samba-Guide/SBE-preface.xml | 6 +- 7 files changed, 2088 insertions(+), 2403 deletions(-) diff --git a/docs/Samba-Guide/SBE-2000UserNetwork.xml b/docs/Samba-Guide/SBE-2000UserNetwork.xml index f3fc8b08057..6554a9fdc92 100644 --- a/docs/Samba-Guide/SBE-2000UserNetwork.xml +++ b/docs/Samba-Guide/SBE-2000UserNetwork.xml 
@@ -1,68 +1,68 @@ - A Distributed 2000 User Network - - - There is something indeed mystical about things that are - big. Large networks exhibit a certain magnetism and exude a sense of - importance that obscures reality. You and I know that it is no more - difficult to secure a large network than it is a small one. We all - know that over and above a particular number of network clients, the - rules no longer change; the only real dynamic is the size of the domain - (much like a kingdom) over which the network ruler (oops, administrator) - has control. The real dynamic then transforms from the technical to the - political. Then again, that point is often reached well before the - kingdom (or queendom) grows large. - - - - If you have systematically worked your way to this chapter, hopefully you - have found some gems and techniques that are applicable in your - world. The network designs you have worked with in this book with have their - strong points as well as weak ones. That is to be expected given that - they are based on real business environments, excepting that the facts - have been moulded to serve the purposes of this book. - - - - This chapter is intent on wrapping up issues that are central to - implementation and design of progressively larger networks. Are you ready - for this chapter? Good, it is time to move on. - - - - In previous chapters, you made the assumption that your network - administration staff need detailed instruction right down to the - nuts-and-bolts of implementing the solution. That's is still the case, - but they have graduated now. You decide to document only those issues, - methods and techniques that are new or complex. Routine tasks such as - implementing a DNS or a DHCP server are under control. Even the basics of - Samba are largely under control. So in this section you focus on the - specifics of implementing LDAP changes, Samba changes, and approach and - design of the solution and its deployment. 
- + A Distributed 2000-User Network + + +There is something indeed mystical about things that are +big. Large networks exhibit a certain magnetism and exude a sense of +importance that obscures reality. You and I know that it is no more +difficult to secure a large network than it is a small one. We all +know that over and above a particular number of network clients, the +rules no longer change; the only real dynamic is the size of the domain +(much like a kingdom) over which the network ruler (oops, administrator) +has control. The real dynamic then transforms from the technical to the +political. Then again, that point is often reached well before the +kingdom (or queendom) grows large. + + + +If you have systematically worked your way to this chapter, hopefully you +have found some gems and techniques that are applicable in your +world. The network designs you have worked with in this book have their +strong points as well as weak ones. That is to be expected given that +they are based on real business environments, the specifics of which are +molded to serve the purposes of this book. + + + +This chapter is intent on wrapping up issues that are central to +implementation and design of progressively larger networks. Are you ready +for this chapter? Good, it is time to move on. + + + +In previous chapters, you made the assumption that your network +administration staff need detailed instruction right down to the +nuts and bolts of implementing the solution. That is still the case, +but they have graduated now. You decide to document only those issues, +methods, and techniques that are new or complex. Routine tasks such as +implementing a DNS or a DHCP server are under control. Even the basics of +Samba are largely under control. So in this section you focus on the +specifics of implementing LDAP changes, Samba changes, and approach and +design of the solution and its deployment. + - Introduction - - - Abmas is a miracle company. 
Most businesses would have collapsed under - the weight of rapid expansion that this company has experienced. Samba - is flexible, so there is no need to reinstall the whole operating - system just because you need to implement a new network design. In fact, - you can keep an old server running right up to the moment of cut-over - and then do a near-live conversion. There is no need to reinstall a - Samba server just to change the way your network should function. - - - - LDAP - Network growth is common to all organizations. In this exercise, - your preoccupation is with the mechanics of implementing Samba and - LDAP so that network users on each network segment can work - without impediment. - +Introduction + + +Abmas is a miracle company. Most businesses would have collapsed under +the weight of rapid expansion that this company has experienced. Samba +is flexible, so there is no need to reinstall the whole operating +system just because you need to implement a new network design. In fact, +you can keep an old server running right up to the moment of cutover +and then do a near-live conversion. There is no need to reinstall a +Samba server just to change the way your network should function. + + + +LDAP +Network growth is common to all organizations. In this exercise, +your preoccupation is with the mechanics of implementing Samba and +LDAP so that network users on each network segment can work +without impediment. + Assignment Tasks 
@@ -78,30 +78,30 @@ VPN Remember, you have users based in London (UK), Los Angeles, - Washington DC, and three buildings in New York. A significant portion + Washington. DC, and, three buildings in New York. A significant portion of your workforce have notebook computers and roam all over the world. Some dial into the office, others use VPN connections over the - Internet and others just move between buildings. + Internet, and others just move between buildings.i What do you say to an employee who normally uses a desktop system but must spend six weeks on the road with a notebook computer? - She is concerned over email access and how to keep co-workers current + She is concerned about email access and how to keep coworkers current with changing documents. - + To top it all off, you have one network support person and one - Help desk person based in London, a single person dedicated to all + help desk person based in London, a single person dedicated to all network operations in Los Angeles, five staff for user administration - and Help desk in New York, plus one floater for - Washington DC. + and help desk in New York, plus one floater for + Washington. - - You have out-sourced all desktop deployment and management to - DirectPointe,Inc. Your concern is server maintenance and third-level + + You have outsourced all desktop deployment and management to + DirectPointe. Your concern is server maintenance and third-level support. Build a plan and show what must be done. 
@@ -109,446 +109,403 @@ - Dissection and Discussion +Dissection and Discussion + + +passdb backend +LDAP +In , you implemented an LDAP server that provided the +passdb backend for the Samba servers. You +explored ways to accelerate Windows desktop profile handling and you +took control of network performance. + + + +ldapsam +tdbsam +smbpasswd +replicated +The implementation of an LDAP-based passdb backend (known as +ldapsam in Samba parlance), or some form of database +that can be distributed, is essential to permit the deployment of Samba +Primary and Backup Domain Controllers (PDC/BDCs). You see, the problem +is that the tdbsam-style passdb backend does not +lend itself to being replicated. The older plain-text-based +smbpasswd-style passdb backend can be replicated +using a tool such as rsync, but +smbpasswd suffers the drawback that it does not +support the range of account facilities demanded by modern network +managers. + + + +XML +SQL +The new tdbsam facility supports functionality +that is similar to an ldapsam, but the lack of +distributed infrastructure sorely limits the scope for its +deployment. This raises the following questions: Why can't I just use +an XML-based backend, or for that matter, why not use an SQL-based +backend? Is support for these tools broken? Answers to these +questions require a bit of background. + + +directory +database +transaction processing +LDAP +What is a directory? A directory is a +collection of information regarding objects that can be accessed to +rapidly find information that is relevant in a particular and +consistent manner. A directory differs from a database in that it is +generally more often searched (read) than updated. As a consequence, the +information is organized to facilitate read access rather than to +support transaction processing. + + +Lightweight Directory Access ProtocolLDAP +LDAP +master +slave +The Lightweight Directory Access Protocol (LDAP) differs +considerably from a traditional database. 
It has a simple search +facility that uniquely makes a highly preferred mechanism for managing +user identities. LDAP provides a scalable mechanism for distributing +the data repository and for keeping all copies (slaves) in sync with +the master repository. + + +identity management +Active Directory +OpenLDAP +Samba is a flexible and powerful file and print sharing +technology. It can use many external authentication sources and can be +part of a total authentication and identity management +infrastructure. The two most important external sources for large sites +are Microsoft Active Directory and LDAP. Sites that specifically wish to +avoid the proprietary implications of Microsoft Active Directory +naturally gravitate toward OpenLDAP. + + +networkrouted +In , you had to deal with a locally routed +network. All deployment concerns focused around making users happy, +and that simply means taking control over all network practices and +usage so that no one user is disadvantaged by any other. The real +lesson is one of understanding that no matter how much network +bandwidth you provide, bandwidth remains a precious resource. + +In this chapter, you must now consider how the overall network must +function. In particular, you must be concerned with users who move +between offices. You must take into account the way users need to +access information globally. And you must make the network robust +enough so that it can sustain partial breakdown without causing loss of +productivity. + + + Technical Issues - passdb backend - LDAP - In the previous chapter, you implemented an LDAP server that provided the - passdb backend for the Samba servers. You - explored ways to accelerate Windows desktop profile handling and you - took control of network performance. 
+ There are at least three areas that need to be addressed as you + approach the challenge of designing a network solution for the newly + expanded business: + + mobility + User needs such as mobility and data access + + The nature of Windows networking protocols + + Identity management infrastructure needs + + + Let's look at each in turn. + + + User Needs + - ldapsam - tdbsam - smbpasswd - replicated - The implementation of an LDAP-based passdb backend (known as - ldapsam in Samba parlance), or some form of database - that can be distributed, is essential to permit the deployment of Samba - Primary and Backup Domain Controllers (PDC/BDCs). You see, the problem - is that the tdbsam style passdb backend does not - lend itself to being replicated. The older plain-text-based - smbpasswd style passdb backend can be replicated - using a tool such as rsync, but - smbpasswd suffers the drawback that it does not - support the range of account facilities demanded by modern network - managers. - + The new company has three divisions. Staff for each division are spread across + the company. Some staff are office-bound and some are mobile users. Mobile + users travel globally. Some spend considerable periods working in other offices. + Everyone wants to be able to work without constraint of productivity. + - XML - SQL - The new tdbsam facility supports functionality - that is similar to an ldapsam, but the lack of - distributed infrastructure sorely limits the scope for its - deployment. This does raise the following questions: "Why can't I just use - an XML based backend, or for that matter, why not use an SQL based - backend?" "Is support for these tools broken?" No. Answers to these - questions require a bit of background. + The challenge is not insignificant. In some parts of the world, even dial-up + connectivity is poor, while in other regions political encumbrances severely + curtail user needs. 
Parts of the global Internet infrastructure remain shielded + off for reasons outside the scope of this discussion. - directory - database - transaction processing - LDAP - What is a directory? A directory is a - collection of information regarding objects that can be accessed to - rapidly find information that is relevant in a particular and - consistent manner. A directory differs from a database in that it is - generally more often searched (read) than updated. As a consequence, the - information is organized to facilitate read access rather than to - support transaction processing. + synchronize + Decisions must be made regarding where data is to be stored, how it will be + replicated (if at all), and what the network bandwidth implications are. For + example, one decision that can be made is to give each office its own master + file storage area that can be synchronized to a central repository in New + York. This would permit global data to be backed up from a single location. + The synchronization tool could be rsync, run via a cron + job. Mobile users may use off-line file storage under Windows XP Professional. + This way, they can synchronize all files that have changed since each logon + to the network. - Lightweight Directory Access ProtocolLDAP - LDAP - master - slave - The Lightweight Directory Access Protocol (LDAP) differs - considerably from a traditional database. It has a simple search - facility that uniquely makes a highly preferred mechanism for managing - user identities. LDAP provides a scalable mechanism for distributing - the data repository and for keeping all copies (slaves) in sync with - the master repository. + bandwidthrequirements + roaming profile + No matter which way you look at this, the bandwidth requirements + for acceptable performance are substantial even if only 10 percent of + staff are global data users. 
A company with 3,500 employees, + 280 of whom are mobile users who use a similarly distributed + network, found they needed at least 2 Mb/sec connectivity + between the UK and US offices. Even over 2 Mb/sec bandwidth, this + company abandoned any attempt to run roaming profile usage for + mobile users. At that time, the average roaming profile took 480 + KB, while today the minimum Windows XP Professional roaming + profile involves a transfer of over 750 KB from the profile + server to and from the client. - identity management - Active Directory - OpenLDAP - Samba is a flexible and powerful file and print sharing - technology. It can use many external authentication sources and can be - part of a total authentication and identity management - infrastructure. The two most important external sources for large sites - are Microsoft Active Directory and LDAP. Sites that specifically wish to - avoid the proprietary implications of Microsoft Active Directory - naturally gravitate toward OpenLDAP.i + wide-area + Obviously then, user needs and wide-area practicalities dictate the economic and + technical aspects of your network design as well as for standard operating procedures. + + + + The Nature of Windows Networking Protocols + - networkrouted - In , you had to deal with a locally routed - network. All deployment concerns focused around making users happy, - and that simply means taking control over all network practices and - usage so that no one user is disadvantaged by any other. The real - lesson is one of understanding that no matter how much network - bandwidth you provide, bandwidth remains a precious resource. + profilemandatory + Network logons that include roaming profile handling requires from 140 KB to 2 MB. + The inclusion of support for a minimal set of common desktop applications can push + the size of a complete profile to over 15 MB. This has substantial implications + for location of user profiles. 
Additionally, it is a significant factor in + determining the nature and style of mandatory profiles that may be enforced as + part of a total service-level assurance program that might be implemented. - In this chapter, you must now consider how the overall network must - function. In particular, you must be concerned with users who move - between offices. You must take into account the way users need to - access information globally. And you must make the network robust - enough so that it can sustain partial breakdown without causing loss of - productivity. + logon traffic + redirected folders + One way to reduce the network bandwidth impact of user logon + traffic is through folder redirection. In Chapter 5, you + implemented this in the new Windows XP Professional standard + desktop configuration. When desktop folders such as My + Documents are redirected to a network drive, they should + also be excluded from synchronization to and from the server on + logon or logout. Redirected folders are analogous to network drive + connections. - - Technical Issues + application servers + Of course, network applications should only be run off + local application servers. As a general rule, even with 2 Mb/sec + network bandwidth, it would not make sense at all for someone who + is working out of the London office to run applications off a + server that is located in New York. + + + + affordability + When network bandwidth becomes a precious commodity (that is most + of the time), there is a significant demand to understand network + processes and to mold the limits of acceptability around the + constraints of affordability. + - There are at least three areas that need to be addressed as you - approach the challenge of designing a network solution for the newly - expanded business. These are: + + When a Windows NT4/200x/XP Professional client user logs onto + the network, several important things must happen. 
+ - - - mobility - - User needs such as mobility and data access - - - The nature of Windows networking protocols - - - Identity management infrastructure needs - + + DHCP + The client obtains an IP address via DHCP. (DHCP is + necessary so that users can roam between offices.) + + + + WINS + DNS + The client must register itself with the WINS and/or DNS server. + + + + Domain Controllerclosest + The client must locate the closest domain controller. + + + + The client must log onto a domain controller and obtain as part of + that process the location of the user's profile, load it, connect to + redirected folders, and establish all network drive and printer connections. + + + + The domain controller must be able to resolve the user's + credentials before the logon process is fully implemented. + - Let's look at each in turn. + + Given that this book is about Samba and that it implements the Windows + NT4-style domain semantics, it makes little sense to compare Samba with + Microsoft Active Directory insofar as the logon protocols and principles + of operation are concerned. The following information pertains exclusively + to the interaction between a Windows XP Professional workstation and a + Samba-3.0.20 server. In the discussion that follows, use is made of DHCP and WINS. + - - User Needs + + As soon as the Windows workstation starts up, it obtains an + IP address. This is immediately followed by registration of its + name both by broadcast and Unicast registration that is directed + at the WINS server. + - The new company has three divisions. Staff for each division - are spread across the company. Some staff are office-bound and - some are mobile users. Mobile users travel globally. Some spend - considerable periods working in other offices. Everyone wants to be - able to work without constraint of productivity. 
+ + Unicast + broadcastdirected + NetBIOS + Given that the client is already a domain member, it then sends + a directed (Unicast) request to the WINS server seeking the list of + IP addresses for domain controllers (NetBIOS name type 0x1C). The + WINS server replies with the information requested. - The challenge is not insignificant. In some parts of the world, - even dial-up connectivity is poor, while in other regions political - encumbrances severely curtail user needs. Parts of the global - Internet infrastructure remain shielded-off for reasons outside - the scope of this discussion. + + broadcastmailslot + Unicast + WINS + The client sends two netlogon mailslot broadcast requests + to the local network and to each of the IP addresses returned by + the WINS server. Whichever answers this request first appears to + be the machine that the Windows XP client attempts to use to + process the network logon. The mailslot messages use UDP broadcast + to the local network and UDP Unicast directed at each machine that + was listed in the WINS server response to a request for the list of + domain controllers. + - - synchronize - - Decisions must be made regarding where data is to be stored, how - it will be replicated (if at all), and what the network bandwidth - implications are. For example, one decision that can be made is - to give each office its own master file storage area that can be - synchronized to a central repository in New York. This would permit - global data to be backed up from a single location. The - synchronization tool could be rsync, run via a - cron job. Mobile users may use off-line file storage under Windows - XP Professional. This way, they can synchronize all files that have - changed since each logon to the network. 
+ + protocolnegotiation + logon server + fail + The logon process begins with negotiation of the SMB/CIFS + protocols that are to be used; this is followed by an exchange of + information that ultimately includes the client sending the + credentials with which the user is attempting to logon. The logon + server must now approve the further establishment of the + connection, but that is a good point to halt for now. The priority + here must center around identification of network infrastructure + needs. A secondary fact we need to know is, what happens when + local domain controllers fail or break? + - - bandwidth - requirements - - roaming profile - - No matter which way you look at this, the bandwidth requirements - for acceptable performance are substantial even if only 10 percent of - staff are global data users. A company with 3500 employees - and 280 of those were mobile users, and who used a similarly distributed - network, found they needed at least 2 Megabit/sec connectivity - between the UK and US offices. Even over 2 Mb/s bandwidth, this - company abandoned any attempt to run roaming profile usage for - mobile users. At that time, the average roaming profile took 480 - Kbytes, while today the minimum Windows XP Professional roaming - profile involves a transfer of over 750 Kbytes from the profile - server to/from the client. + + Domain Controller + PDC + BDC + netlogon + Under most circumstances, the nearest domain controller + responds to the netlogon mailslot broadcast. The exception to this + norm occurs when the nearest domain controller is too busy or is out + of service. Herein lies an important fact. This means it is + important that every network segment should have at least two + domain controllers. Since there can be only one PDC, all additional + domain controllers are by definition BDCs. 
+ - - wide-area - - Obviously then, user needs and wide-area practicalities - dictate the economic and technical aspects of your network - design as well as for standard operating procedures. + + authentication + Identity Management + The provision of sufficient servers that are BDCs is an + important design factor. The second important design factor + involves how each of the BDCs obtains user authentication + data. That is the subject of the next section, which involves key + decisions regarding Identity Management facilities. + - The Nature of Windows Networking Protocols - - - profile - mandatory - - Network logons that include roaming profile handling requires - from 140 Kbytes to 2 Mbytes. The inclusion of support for a minimal - set of common desktop applications can push the size of a complete - profile to over 15 Mbytes. This has substantial implications so far - as location of user profiles is concerned. Additionally, it is a - significant factor in determining the nature and style of mandatory - profiles that may be enforced as part of a total service level - assurance program that might be implemented. - - - logon traffic - - redirected folders - - One way to reduce the network bandwidth impact of user logon - traffic is through folder redirection. In , you - implemented this in the new Windows XP Professional standard - desktop configuration. When desktop folders such as My - Documents are redirected to a network drive, they should - also be excluded from synchronization to/from the server on - logon/out. Redirected folders are analogous to network drive - connections. - - - application servers - - Of course, network applications should only be run off - local application servers. As a general rule, even with 2 Mbit/sec - network bandwidth, it would not make sense at all for someone who - is working out of the London office to run applications off a - server that is located in New York. 
- - - affordability - - When network bandwidth becomes a precious commodity (that is most - of the time), there is a significant demand to understand network - processes and to mould the limits of acceptability around the - constraints of affordability. - - When a Windows NT4/200x/XP Professional client user logs onto - the network, several important things must happen. - - - - - DHCP - - The client obtains an IP address via DHCP. (DHCP is - necessary so that users can roam between offices.) - - - - WINS - - DNS - - The client must register itself with the WINS and/or DNS - server. - - - - Domain Controller - closest - - The client must locate the closest Domain Controller. - - - The client must log onto a Domain Controller and obtain as - part of that process the location of the user's profile, load - it, connect to redirected folders, and establish all network - drive and printer connections. - - - The Domain Controller must be able to resolve the user's - credentials before the logon process is fully implemented. - - - - Given that this book is about Samba and the fact that it - implements the Windows NT4 style domain semantics, it makes little - sense to compare Samba with Microsoft Active Directory insofar as - the logon protocols and principles of operation are - concerned. The following information pertains exclusively to the - interaction between a Windows XP Professional workstation and a - Samba-3.0.20 server. In the discussion that follows, use is made of - DHCP and WINS. - - As soon as the Windows workstation starts up, it obtains an - IP address. This is immediately followed by registration of its - name both by broadcast and Unicast registration that is directed - at the WINS server. - - - Unicast - - broadcast - directed - - NetBIOS - - Given that the client is already a Domain Member, it then sends - a directed (Unicast) request to the WINS server seeking the list of - IP addresses for domain controllers (NetBIOS name type 0x1C). 
The - WINS server replies with the information requested. - - - broadcast - mailslot - - Unicast - - WINS - - The client sends two netlogon mailslot broadcast requests - to the local network and to each of the IP addresses returned by - the WINS server. Whichever answers this request first appears to - be the machine that the Windows XP client attempts to use to - process the network logon. The mailslot messages use UDP broadcast - to the local network and UDP Unicast directed at each machine that - was listed in the WINS server response to a request for the list of - Domain Controllers. - - - protocol - negotiation - - logon server - - fail - - The logon process begins with negotiation of the SMB/CIFS - protocols that are to be used; this is followed by an exchange of - information that ultimately includes the client sending the - credentials with which the user is attempting to logon. The logon - server must now approve the further establishment of the - connection, but that is a good point to halt for now. The priority - here must center around identification of network infrastructure - needs. A secondary fact we need to know is, what happens when - local Domain Controllers fail or break? - - - Domain Controller - - PDC - - BDC - - netlogon - - Under most circumstances, the nearest Domain Controller - responds to the netlogon mailslot broadcast. The exception to this - norm occurs when the nearest Domain Controller is too busy or is out - of service. Herein lies an important fact. This means it is - important that every network segment should have at least two - Domain Controllers. Since there can be only one Primary Domain - Controller (PDC), all additional Domain Controllers are by definition - Backup Domain Controllers (BDCs). - - - authentication - - Identity Management - - The provision of sufficient servers that are BDCs is an - important design factor. The second important design factor - involves how each of the BDCs obtains user authentication - data. 
That is the subject of the next section as it involves key - decisions regarding Identity Management facilities. - - + Identity Management Needs - - Identity Management Needs + + privacy + user credentials + validated + privileges + Network managers recognize that in large organizations users + generally need to be given resource access based on needs, while + being excluded from other resources for reasons of privacy. It is + therefore essential that all users identify themselves at the + point of network access. The network logon is the principal means + by which user credentials are validated and filtered and appropriate + rights and privileges are allocated. + - - privacy - - user credentials - - validated - - privileges - - Network managers recognize that in large organizations users - generally need to be given resource access based on needs, while - being excluded from other resources for reasons of privacy. It is, - therefore, essential that all users identify themselves at the - point of network access. The network logon is the principal means - by which user credentials are validated and filtered, and appropriate - rights and privileges are allocated. + + Identity Management + Yellow Pages + NIS + Unfortunately, network resources tend to have their own Identity + Management facilities, the quality and manageability of which varies + from quite poor to exceptionally good. Corporations that use a mixture + of systems soon discover that until recently, few systems were + designed to interoperate. For example, UNIX systems each have an + independent user database. Sun Microsystems developed a facility that + was originally called Yellow Pages, and was renamed + when a telephone company objected to the use of its trademark. + What was once called Yellow Pages is today known + as Network Information System (NIS). 
+ - - Identity Management - - Yellow Pages - - NIS - - Unfortunately, network resources tend to have their own Identity - Management facilities, the quality and manageability of which varies - from quite poor to exceptionally good. Corporations that use a mixture - of systems soon discover that until recently, few systems were - designed to interoperate. For example, UNIX systems each have an - independent user database. Sun Microsystems developed a facility that - was originally called Yellow Pages, and was renamed - when a telephone company objected to the use of its trademark. - What was once called Yellow Pages is today known - as Network Information System (NIS). + + NIS+ + NIS gained a strong following throughout the UNIX/VMS space in a short + period of time and retained that appeal and use for over a decade. + Security concerns and inherent limitations have caused it to enter its + twilight. NIS did not gain widespread appeal outside of the UNIX world + and was not universally adopted. Sun updated this to a more secure + implementation called NIS+, but even it has fallen victim to changing + demands as the demand for directory services that can be coupled with + other information systems is catching on. + - - NIS+ - - NIS gained a strong following throughout the UNIX/VMS space in a - short period of time and retained that appeal and use - for over a decade. Security concerns as well as inherent limitations - have caused it to enter its twilight. NIS did not gain widespread - appeal outside of the UNIX world and was not universally - adopted. Sun updated this to a more secure implementation called - NIS+, but even it has fallen victim to changing demands as the - demand for directory services that can be coupled with other - information systems is catching on. - - NIS - - government - - education - - Nevertheless, both NIS and NIS+ continue to hold ground in - business areas where UNIX still has major sway. 
Examples of - organizations that remain firmly attached to the use of NIS and - NIS+ includes large government departments, education institutions, - as well as large corporations that have a scientific or engineering - focus. + + NIS + government + education + Nevertheless, both NIS and NIS+ continue to hold ground in + business areas where UNIX still has major sway. Examples of + organizations that remain firmly attached to the use of NIS and + NIS+ include large government departments, education institutions, + and large corporations that have a scientific or engineering + focus. + - - scalable - - distributed - - Today's networking world needs a scalable, distributed Identity - Management infrastructure, commonly called a directory. The most - popular technologies today are Microsoft Active Directory service - and a number of LDAP implementations. + + scalable + distributed + Today's networking world needs a scalable, distributed Identity + Management infrastructure, commonly called a directory. The most + popular technologies today are Microsoft Active Directory service + and a number of LDAP implementations. + multiple directories The problem of managing multiple directories has become a focal - point over the past decade. This has created a large market for - meta-directory products and services that allow organizations that + point over the past decade, creating a large market for + metadirectory products and services that allow organizations that have multiple directories and multiple management and control centers to provision information from one directory into another. The attendant benefit to end users is the promise of 
@@ -574,128 +531,109 @@ LDAP slave - In , you implemented a single LDAP server for the + In Chapter 5, you implemented a single LDAP server for the entire network. This may work for smaller networks, but almost certainly fails to meet the needs of large and complex networks. The - following section documents how one may implement a single - master LDAP server, with multiple slave servers. + following section documents how you may implement a single + master LDAP server with multiple slave servers. What is the best method for implementing master/slave LDAP - servers within the context of a distributed 2000 user network is a + servers within the context of a distributed 2,000-user network is a question that remains to be answered. - - distributed domain - - wide-area - - One possibility that has great appeal is to create one single - large distributed domain. The practical implications of this - design (see ) demands the placement of - sufficient BDCs in each location. Additionally, network - administrators must make sure that profiles are not transferred - over the wide-area links, except as a totally unavoidable - measure. Network design must balance the risk of loss of user - productivity against the cost of network management and - maintenance. + + distributed domain + wide-area + One possibility that has great appeal is to create a single, + large distributed domain. The practical implications of this + design (see ) demands the placement of + sufficient BDCs in each location. Additionally, network + administrators must make sure that profiles are not transferred + over the wide-area links, except as a totally unavoidable + measure. Network design must balance the risk of loss of user + productivity against the cost of network management and + maintenance. 
+ - - domain name space - - The network design in takes the - approach that management of networks that are too remote to be - capable of being managed effectively from New York ought - to be given a certain degree of autonomy. With this rationale, the - Los Angeles and London networks, though fully integrated with that - on the east coast of the USA, each have their own domain name space - and can be independently managed and controlled. One of the key - drawbacks of this design is that it flies in the face of the - ability for network users to roam globally without some compromise - in how they may access global resources. + + domain name space + The network design in takes the approach + that management of networks that are too remote to be managed + effectively from New York ought to be given a certain degree of + autonomy. With this rationale, the Los Angeles and London networks, + though fully integrated with those on the East Coast, each have their + own domain name space and can be independently managed and controlled. + One of the key drawbacks of this design is that it flies in the face of + the ability for network users to roam globally without some compromise + in how they may access global resources. + - - interdomain trusts - - Desk-bound users need not be negatively affected by this - design, since the use of interdomain trusts can be used to satisfy - the need for global data sharing. + + interdomain trusts + Desk-bound users need not be negatively affected by this design, since + the use of interdomain trusts can be used to satisfy the need for global + data sharing. + - - LDAP - - LDAP - backend - - SID - - When Samba-3 is configured to use an LDAP backend, it stores the domain - account information in a directory entry. This account entry contains - the domain SID. An unintended but exploitable side effect is that - this makes it possible to operate with more than one PDC on a - distributed network. 
+ + LDAP + LDAPbackend + SID + When Samba-3 is configured to use an LDAP backend, it stores the domain + account information in a directory entry. This account entry contains the + domain SID. An unintended but exploitable side effect is that this makes it + possible to operate with more than one PDC on a distributed network. + - - WINS - - wins.dat - - SID - - How might this peculiar feature be exploited? The answer is - simple. It is imperative that each network segment should have its - own WINS server. Major servers on remote network segments can be - given a static WINS entry in the wins.dat file - on each WINS server. This allows all essential data to be - visible from all locations. Each location would, however, function - as if it is an independent domain, while all sharing the same - domain SID. Since all domain account information can be stored in a - single LDAP backend, users have unfettered ability to - roam. + + WINS + wins.dat + SID + How might this peculiar feature be exploited? The answer is simple. It is + imperative that each network segment have its own WINS server. Major + servers on remote network segments can be given a static WINS entry in + the wins.dat file on each WINS server. This allows + all essential data to be visible from all locations. Each location would, + however, function as if it is an independent domain, while all sharing the + same domain SID. Since all domain account information can be stored in a + single LDAP backend, users have unfettered ability to roam. + - - NetBIOS name - aliases - - fail-over - - This concept has not been exhaustively validated, though we can - see no reason why this should not work. The important facets - are: The name of the domain must be identical in all - locations. Each network segment must have its own WINS server. 
The - name of the PDC must be the same in all locations; this - necessitates the use of NetBIOS name aliases for each PDC so that - they can be accessed globally using the alias and not the PDC's - primary name. A single master LDAP server can be based in New York, - with multiple LDAP slave servers located on every network - segment. Finally, the BDCs should each use fail-over LDAP servers - that are in fact slave LDAP servers on the local segments. + + NetBIOS namealiases + fail-over + This concept has not been exhaustively validated, though we can see no reason + why this should not work. The important facets are the following: The name of + the domain must be identical in all locations. Each network segment must have + its own WINS server. The name of the PDC must be the same in all locations; this + necessitates the use of NetBIOS name aliases for each PDC so that they can be + accessed globally using the alias and not the PDC's primary name. A single master + LDAP server can be based in New York, with multiple LDAP slave servers located + on every network segment. Finally, the BDCs should each use failover LDAP servers + that are in fact slave LDAP servers on the local segments. + - - LDAP - updates - - domain tree - - LDAP - database - - LDAP - directory - - With a single master LDAP server, all network updates are - effected on a single server. In the event that this should become - excessively fragile or network bandwidth limiting, one could - implement a delegated LDAP domain. This is also known as a - partitioned (or multiple partition) LDAP database - and as a distributed LDAP directory. - - As the LDAP directory grows, it becomes increasingly important - that its structure is implemented in a manner that mirrors - organizational needs, so as to limit network update and - referential traffic. 
It should be noted that all directory - administrators must of necessity follow the same standard - procedures for managing the directory, as retroactive correction of - inconsistent directory information can be exceedingly difficult. + + LDAPupdates + domain tree + LDAPdatabase + LDAPdirectory + With a single master LDAP server, all network updates are effected on a single + server. In the event that this should become excessively fragile or network + bandwidth limiting, one could implement a delegated LDAP domain. This is also + known as a partitioned (or multiple partition) LDAP database and as a distributed + LDAP directory. + + + + As the LDAP directory grows, it becomes increasingly important + that its structure is implemented in a manner that mirrors + organizational needs, so as to limit network update and + referential traffic. It should be noted that all directory + administrators must of necessity follow the same standard + procedures for managing the directory, because retroactive correction of + inconsistent directory information can be exceedingly difficult. + Network Topology &smbmdash; 2000 User Complex Design A 
@@ -715,13 +653,15 @@ Political Issues - As organizations grow, the number of points of control increase - also. In a large distributed organization, it is important that the - Identity Management system must be capable of being updated from - many locations, and it is equally important that changes made should - become capable of being used in a reasonable period, typically - minutes rather than days (the old limitation of highly manual - systems). + + As organizations grow, the number of points of control increases + also. In a large distributed organization, it is important that the + Identity Management system be capable of being updated from + many locations, and it is equally important that changes made should + become usable in a reasonable period, typically + minutes rather than days (the old limitation of highly manual + systems). + @@ -730,21 +670,17 @@ Implementation - - winbind - - LDAP - - UID - - GID - - Samba-3 has the ability to use multiple password (authentication - and identity resolution) backends. The diagram in demonstrates how Samba uses winbind, LDAP, - and NIS, the traditional system password database. The diagram only - documents the mechanisms for authentication and identity resolution - (obtaining a UNIX UID/GID) using the specific systems shown. + + winbind + LDAP + UID + GID + Samba-3 has the ability to use multiple password (authentication and + identity resolution) backends. The diagram in + demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system + password database. The diagram only documents the mechanisms for + authentication and identity resolution (obtaining a UNIX UID/GID) + using the specific systems shown. 
@@ -752,72 +688,59 @@ chap7-idresol - - smbpasswd - - xmlsam - - SMB passwords - - tdbsam - - mysqlsam - - LDAP - - distributed - + + smbpasswd + xmlsam + SMB passwords + tdbsam + mysqlsam + LDAP + distributed Samba is capable of using the smbpasswd, tdbsam, xmlsam, and mysqlsam authentication databases. The SMB passwords can, of course, also be stored in an LDAP ldapsam backend. LDAP is the preferred passdb backend for distributed network - operations. + operations. + - - passdb backend - + + passdb backend Additionally, it is possible to use multiple passdb backends - concurrently as well as have multiple LDAP backends. As a result, one - can specify a fail-over LDAP backend. The syntax for specifying a + concurrently as well as have multiple LDAP backends. As a result, you + can specify a failover LDAP backend. The syntax for specifying a single LDAP backend in &smb.conf; is: ... passdb backend = ldapsam:ldap://master.abmas.biz ... - This configuration tells Samba to use a single LDAP server as shown in - . + This configuration tells Samba to use a single LDAP server, as shown in . Samba Configuration to Use a Single LDAP Server ch7-singleLDAP - - LDAP - fail-over - - fail-over - - The addition of a fail-over LDAP server can simply be done by adding a - second entry for the fail-over server to the single - ldapsam entry as shown here (note the particular - use of the double quotes): + LDAPfail-over + fail-over + The addition of a failover LDAP server can simply be done by adding a + second entry for the failover server to the single ldapsam + entry, as shown here (note the particular use of the double quotes): ... passdb backend = ldapsam:"ldap://master.abmas.biz \ ldap://slave.abmas.biz" ... - This configuration tells Samba to use a master LDAP server, with fail-over to a slave server if necessary, + This configuration tells Samba to use a master LDAP server, with failover to a slave server if necessary, as shown in . 
Samba Configuration to Use a Dual (Fail-over) LDAP Server ch7-fail-overLDAP - + - Some folks have tried to implement this without the use of - double quotes as shown above. This is the type of entry they had + + Some folks have tried to implement this without the use of double quotes. This is the type of entry they created: ... @@ -825,13 +748,11 @@ passdb backend = ldapsam:ldap://master.abmas.biz \ ldapsam:ldap://slave.abmas.biz ... - - contiguous directory - + contiguous directory The effect of this style of entry is that Samba lists the users that are in both LDAP databases. If both contain the same information, it results in each record being shown twice. This is, of course, not the - solution desired for a fail-over implementation. The net effect of this + solution desired for a failover implementation. The net effect of this configuration is shown in 
@@ -845,30 +766,32 @@ passdb backend = ldapsam:ldap://master.abmas.biz \ well be an advantageous way to effectively integrate multiple LDAP databases into one seemingly contiguous directory. Only the first database will be updated. An example of this configuration is shown in . - + - - Samba Configuration to Use Two LDAP Databases - The result is additive. - ch7-dual-additive-LDAP-Ok - + + Samba Configuration to Use Two LDAP Databases - The result is additive. + ch7-dual-additive-LDAP-Ok + When the use of ldapsam is specified twice, as shown here, it is imperative that the two LDAP directories must be disjoint. If the entries are for a master LDAP server as well as its own slave server, updates to the LDAP database may end up being lost or corrupted. You may safely use multiple - LDAP backends only so long as both are entirely separate from each other. + LDAP backends only if both are entirely separate from each other. - It is assumed that the network you are working with follows in a - pattern similar to what has been covered in . The following steps - permit the operation of a Master/Slave OpenLDAP arrangement. + + It is assumed that the network you are working with follows in a + pattern similar to what was covered in Chapter 5. The following steps + permit the operation of a master/slave OpenLDAP arrangement. + - LDAP Master/Slave Configuration - SUSE LinuxRed Hat Linux + SUSE Linux + Red Hat Linux Log onto the master LDAP server as root. You are about to change the configuration of the LDAP server, so it makes sense to temporarily halt it. Stop OpenLDAP from running on @@ -882,14 +805,13 @@ passdb backend = ldapsam:ldap://master.abmas.biz \ - - /etc/openldap/slapd.conf - + + /etc/openldap/slapd.conf Edit the /etc/openldap/slapd.conf file so it matches the content of . - + Create a file called admin-accts.ldif with the following contents: dn: cn=updateuser,dc=abmas,dc=biz 
@@ -904,34 +826,29 @@ cn: sambaadmin sn: sambaadmin userPassword: buttercup - + - - Add an account called updateuser to the master LDAP server - as shown here: + + Add an account called updateuser to the master LDAP server as shown here: &rootprompt; slapadd -v -l admin-accts.ldif - + - - LDIF - - LDAP - preload - + + LDIF + LDAPpreload Change directory to a suitable place to dump the contents of the LDAP server. The dump file (and LDIF file) is used to preload - the Slave LDAP server database. You can dump the database by executing: + the slave LDAP server database. You can dump the database by executing: &rootprompt; slapcat -v -l LDAP-transfer-LDIF.txt Each record is written to the file. - - LDAP-transfer-LDIF.txt - + + LDAP-transfer-LDIF.txt Copy the file LDAP-transfer-LDIF.txt to the intended slave LDAP server. A good location could be in the directory /etc/openldap/preload. @@ -976,27 +893,22 @@ added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013) - Now start the LDAP server and set it to run automatically on system reboot - by executing: + Now start the LDAP server and set it to run automatically on system reboot by executing: &rootprompt; rcldap start &rootprompt; chkconfig ldap on - On Red Hat Linux, you would execute the following: + On Red Hat Linux, execute the following: &rootprompt; service ldap start &rootprompt; chkconfig ldap on - - chkconfig - - service - - rcldap - + chkconfig + service + rcldap Go back to the master LDAP server. Execute the following to start LDAP as well as slurpd, the synchronization daemon, as shown here: 
@@ -1005,17 +917,14 @@ added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013) &rootprompt; rcslurpd start &rootprompt; chkconfig slurpd on - - slurpd - + slurpd On Red Hat Linux, check the equivalent command to start slurpd. - - smbldap-useradd - - On the master ldap server you may now add an account to validate that replication - is working. Assuming the configuration shown in , execute: + + smbldap-useradd + On the master LDAP server you may now add an account to validate that replication + is working. Assuming the configuration shown in Chapter 5, execute: &rootprompt; /var/lib/samba/sbin/smbldap-useradd -a fruitloop @@ -1157,7 +1066,7 @@ index default sub 1 0 /var/log/samba/%m -50 +0 139 445 wins bcast hosts Yes @@ -1358,29 +1267,22 @@ index default sub Key Points Learned - - - - - LDAP - - BDC - - Where Samba-3 is used as a Domain Controller, the use of LDAP is an - essential component necessary to permit the use of BDCs. + + LDAPBDC + Where Samba-3 is used as a domain controller, the use of LDAP is an + essential component to permit the use of BDCs. - - wide-area - + + wide-area Replication of the LDAP master server to create a network of BDCs - is an important mechanism for limiting wide-area network traffic. + is an important mechanism for limiting WAN traffic. Network administration presents many complex challenges, most of which - can be satisfied by good design, but that also require sound communication + can be satisfied by good design but that also require sound communication and unification of management practices. This can be highly challenging in a large, globally distributed network. 
@@ -1408,27 +1310,19 @@ index default sub - - DHCP - - network - bandwidth - - Is it true that DHCP uses lots of wide-area network bandwidth? + + DHCP + networkbandwidth + Is it true that DHCP uses lots of WAN bandwidth? - - DHCP - Relay Agent - - routers - - DHCP - servers - + + DHCPRelay Agent + routers + DHCPservers It is a smart practice to localize DHCP servers on each network segment. As a rule, there should be two DHCP servers per network segment. This means that if one server fails, there is always another to service user needs. DHCP requests use @@ -1436,18 +1330,14 @@ index default sub routers. This makes it possible to run fewer DHCP servers. - - DHCP - request - - DHCP - traffic - + + DHCPrequest + DHCPtraffic A DHCP network address request and confirmation usually results in about six UDP packets. The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP clients and that uses a 24-hour IP address lease. This means that all clients renew their IP address lease every 24 hours. If we assume an average packet length equal to the - maximum (just to be on the safe side), and we have a 128 Kbit/sec wide-area connection, + maximum (just to be on the safe side), and we have a 128 Kb/sec wide-area connection, how significant would the DHCP traffic be if all of it were to use DHCP Relay? @@ -1463,14 +1353,11 @@ DHCP traffic: 300 (clients) x 6 (packets) From this can be seen that the traffic impact would be minimal. - - DNS - Dynamic - - DHCP - - Even when DHCP is configured to do DNS update (Dynamic DNS) over a wide-area link, - the impact of the update is no more than the DHCP IP address renewal traffic and, thus, + + DNSDynamic + DHCP + Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link, + the impact of the update is no more than the DHCP IP address renewal traffic and thus still insignificant for most practical purposes. 
@@ -1480,27 +1367,21 @@ DHCP traffic: 300 (clients) x 6 (packets) - - background communication - - LDAP - master/slave - background communication - - How much background communication takes place between a Master LDAP - server and its slave LDAP servers? + + background communication + LDAPmaster/slavebackground communication + How much background communication takes place between a master LDAP server and its slave LDAP servers? - - slurpd - - The process that controls the replication of data from the Master LDAP server to the Slave LDAP + + slurpd + The process that controls the replication of data from the master LDAP server to the slave LDAP servers is called slurpd. The slurpd remains nascent (quiet) - until an update must be propagated. The propagation traffic per LDAP salve to update (add/modify/delete) - two user accounts requires less than 10Kbytes traffic. + until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete) + two user accounts requires less than 10KB traffic. 
@@ -1516,24 +1397,19 @@ DHCP traffic: 300 (clients) x 6 (packets) - - database - - LDAP - database - - SQL - - transactional - - LDAP does store its data in a database of sorts. In fact the LDAP backend is an application-specific + + database + LDAPdatabase + SQL + transactional + LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific data storage system. This type of database is indexed so that records can be rapidly located, but the database is not generic and can be used only in particular pre-programmed ways. General external applications do not gain access to the data. This type of database is used also by SQL servers. Both an SQL server and an LDAP server provide ways to access the data. An SQL server has a transactional - orientation and typically allows external programs to perform ad-hoc queries, even across data tables. + orientation and typically allows external programs to perform ad hoc queries, even across data tables. An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific - simple queries. The term database is heavily overloaded and, thus, much misunderstood. + simple queries. The term database is heavily overloaded and thus much misunderstood. @@ -1542,21 +1418,19 @@ DHCP traffic: 300 (clients) x 6 (packets) - - OpenLDAP - + + OpenLDAP Can Active Directory obtain account information from an OpenLDAP server? - - meta-directory - - No, at least not directly. It is possible to provision Active Directory from/to an OpenLDAP - database through use of a meta-directory server. Microsoft MMS (now called MIIS) can interface - to OpenLDAP using standard LDAP queries/updates. + + meta-directory + No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP + database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface + to OpenLDAP using standard LDAP queries and updates. 
@@ -1575,13 +1449,13 @@ DHCP traffic: 300 (clients) x 6 (packets) roaming profile - A roaming profile consists of: + A roaming profile consists of - Desktop folders such as: Desktop, My Documents, My Pictures, My Music, Internet Files, - Cookies, Application Data, Local Settings, and more. See . + Desktop folders such as Desktop, My Documents, My Pictures, My Music, Internet Files, + Cookies, Application Data, Local Settings, and more. See Chapter 5, . @@ -1593,25 +1467,21 @@ DHCP traffic: 300 (clients) x 6 (packets) - A static or re-writable portion that is typically only a few files (2-5 Kbytes of information). + A static or rewritable portion that is typically only a few files (2-5 KB of information). - - NTUSER.DAT - - HKEY_LOCAL_USER - + + NTUSER.DAT + HKEY_LOCAL_USER The registry load file that modifies the HKEY_LOCAL_USER hive. This is - the NTUSER.DAT file. It can be from 0.4-1.5 MBytes. + the NTUSER.DAT file. It can be from 0.4 to 1.5 MB. - - Microsoft Outlook - PST files - + + Microsoft OutlookPST files Microsoft Outlook PST files may be stored in the Local Settings\Application Data - folder. It can be up to 2 Gbytes in size per PST file. + folder. It can be up to 2 GB in size per PST file. @@ -1627,12 +1497,9 @@ DHCP traffic: 300 (clients) x 6 (packets) - - UNC name - - Universal Naming Convention - UNC name - + + UNC name + Universal Naming ConventionUNC name Yes. More correctly, such folders can be redirected to network shares. No specific network drive connection is required. Registry settings permit this to be redirected directly to a UNC (Universal Naming Convention) resource, though it is possible to specify a network drive letter instead of a 
@@ -1645,35 +1512,27 @@ DHCP traffic: 300 (clients) x 6 (packets) - - wide-area - - network - bandwidth - - WINS - - How much wide-area network bandwidth does WINS consume? + + wide-area + networkbandwidth + WINS + How much WAN bandwidth does WINS consume? - - NetBIOS - name cache - - WINS server - - domain replication - + + NetBIOSname cache + WINS server + domain replication MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache. This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS - server, the total bandwidth demand measured at the WINS server, averaged over an eight-hour working day, - was less than 30 Kbytes/sec. Analysis of network traffic over a six-week period showed that the total - of all background traffic consumed about 11 percent of available bandwidth over 64 Kbit/sec links. - Back-ground traffic consisted of domain replication, WINS queries, DNS lookups, authentication - traffic. Each of 11 branch offices had a 64 Kbit/sec wide-area link, with a 1.5 Mbit/sec main connection + server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day, + was less than 30 KB/sec. Analysis of network traffic over a 6-week period showed that the total + of all background traffic consumed about 11 percent of available bandwidth over 64 Kb/sec links. + Background traffic consisted of domain replication, WINS queries, DNS lookups, and authentication + traffic. Each of 11 branch offices had a 64 Kb/sec wide-area link, with a 1.5 Mb/sec main connection that aggregated the branch office connections plus an Internet connection. 
@@ -1700,7 +1559,7 @@ DHCP traffic: 300 (clients) x 6 (packets) by the PDC. Actual requirements vary depending on the working load on each of the BDCs and the load demand pattern of client usage. I have seen sites that function without problem with 200 clients served by one BDC, and yet other sites that had one BDC per 20 clients. In one particular - company, there was a drafting office that has 30 CAD/CAM operators served by one server, a print + company, there was a drafting office that had 30 CAD/CAM operators served by one server, a print server; and an application server. While all three were BDCs, typically only the print server would service network logon requests after the first 10 users had started to use the network. This was a reflection of the service load placed on both the application server and the data server. @@ -1717,11 +1576,8 @@ DHCP traffic: 300 (clients) x 6 (packets) - - NIS server - - LDAP - + + NIS serverLDAP I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to run an NIS server? @@ -1748,11 +1604,9 @@ DHCP traffic: 300 (clients) x 6 (packets) - - NIS - - NIS schema - + + NIS + NIS schema No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal with the types of data necessary for interoperability with Microsoft Windows networking. The use of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also diff --git a/docs/Samba-Guide/SBE-500UserNetwork.xml b/docs/Samba-Guide/SBE-500UserNetwork.xml index cad38cc861c..1e8116c6443 100644 --- a/docs/Samba-Guide/SBE-500UserNetwork.xml +++ b/docs/Samba-Guide/SBE-500UserNetwork.xml 
@@ -1,10 +1,10 @@ - The 500 User Office + The 500-User Office - The Samba-3 networking you explored in the previous chapter covers the finer points of + The Samba-3 networking you explored in covers the finer points of configuration of peripheral services such as DHCP and DNS, and WINS. You experienced implementation of a simple configuration of the services that are important adjuncts to successful deployment of Samba. @@ -12,7 +12,7 @@ An analysis of the history of postings to the Samba mailing list easily demonstrates - that the two most prevalent Samba problem areas are: + that the two most prevalent Samba problem areas are @@ -27,23 +27,20 @@ - The next chapter deals with more complex printing configurations. The exercises + The exercises so far in this book have focused on implementation of the simplest printing processes involving no print job processing intelligence. In this chapter, you maintain - that same approach to printing, but in the following chapter, there is an opportunity + that same approach to printing, but presents an opportunity to make printing more complex for the administrator while making it easier for the user. - - WINS server - - tdbsam - - passdb backend - - The previous chapter demonstrates operation of a DHCP server and a DNS server, + + WINS server + tdbsam + passdb backend + demonstrates operation of a DHCP server and a DNS server as well as a central WINS server. You validated the operation of these services and - saw an effective implementation of a Samba Domain Controller using the + saw an effective implementation of a Samba domain controller using the tdbsam passdb backend. 
@@ -51,14 +48,14 @@ The objective of this chapter is to introduce more complex techniques that can be used to improve manageability of Samba as networking needs grow. In this chapter, you implement a distributed DHCP server environment, a distributed DNS server arrangement, a centralized - WINS server, and a centralized Samba Domain Controller. + WINS server, and a centralized Samba domain controller. A note of caution is important regarding the Samba configuration that is used in this - chapter. The use of a single Domain Controller on a routed, multi-segment network is - a poor design choice that leads to potential network user complaints. As stated - in the paragraph above, the objective in this chapter is to demonstrate some successful + chapter. The use of a single domain controller on a routed, multisegment network is + a poor design choice that leads to potential network user complaints. + This chapter demonstrates some successful techniques in deployment and configuration management. This should be viewed as a foundation chapter for complex Samba deployments. 
@@ -76,25 +73,25 @@ Business continues to go well for Abmas. Mr. Meany is driving your success and the network continues to grow thanks to the hard work Christine has done. You recently - hired Stanley Soroka as Manager of Information Systems. Christine recommended Stan + hired Stanley Soroka as manager of information systems. Christine recommended Stan to the role. She told you Stan is so good at handling Samba that he can make a cast iron rocking horse that is embedded in concrete kick like a horse at a rodeo. You need skills like his. Christine and Stan get along just fine. Let's see what - you can get out of this pair as they plot the next generation networks. + you can get out of this pair as they plot the next-generation networks. Ten months ago Abmas closed an acquisition of a property insurance business. The - founder lost interest in the business and decided to sell it to Mr. Meany. - Because they were former university classmates, the purchase was concluded with mutual assent. The - acquired business is located at the other end of town in much larger facilities. - The old Abmas building has become too small. Located on the same campus as the - newly acquired business are two empty buildings that are ideal to provide - Abmas with opportunity for growth. + founder lost interest in the business and decided to sell it to Mr. Meany. Because + they were former university classmates, the purchase was concluded with mutual assent. + The acquired business is located at the other end of town in much larger facilities. + The old Abmas building has become too small. Located on the same campus as the newly + acquired business are two empty buildings that are ideal to provide Abmas with + opportunity for growth. - Abmas has now completed the purchase of the two empty buildings and you are + Abmas has now completed the purchase of the two empty buildings, and you are to install a new network and relocate staff in nicely furnished new facilities. 
The new network is to be used to fully integrate company operations. You have decided to locate the new network operations control center in the larger building @@ -131,15 +128,15 @@ - The Internet gateway is upgraded to 15 Megabit/sec service. Your ISP + The Internet gateway is upgraded to 15 Mb/sec service. Your ISP provides on your premises a fully managed Cisco PIX firewall. You no longer need to worry about firewall facilities on your network. - Stanley Soroka and Christine have purchased new server hardware. Christine wants to + Stanley and Christine have purchased new server hardware. Christine wants to roll out a network that has whistles and bells. Stan wants to start off with - a simple to manage, not-too-complex network. He is of the opinion that network + a simple to manage, not-too-complex network. He believes that network users need to be gradually introduced to new features and capabilities and not rushed into an environment that may cause disorientation and loss of productivity. @@ -149,8 +146,8 @@ that closely mirrors the successful system you installed in the old Abmas building. The new network infrastructure is owned by Abmas, but all desktop systems are being procured through a new out-source services and leasing company. Under - the terms of a deal with Mr. M. Proper (CEO), DirectPointe Inc., provides - all desktop systems and includes full level-one Help desk support for + the terms of a deal with Mr. M. Proper (CEO), DirectPointe, Inc., provides + all desktop systems and includes full level-one help desk support for a flat per-machine monthly fee. The deal allows you to add workstations on demand. This frees Stan and Christine to deal with deeper issues as they emerge and permits Stan to work on creating new future value-added services. 
@@ -165,14 +162,14 @@ PDC - The new network has a single Samba Domain Controller (PDC) located in the + The new network has a single Samba Primary Domain Controller (PDC) located in the Network Operation Center (NOC). Buildings 1 and 2 each have a local server - for local application servicing. It is a Domain Member. The new system + for local application servicing. It is a domain member. The new system uses the tdbsam passdb backend. - Printing is based on raw pass-through facilities as it has been used so far. + Printing is based on raw pass-through facilities just as it has been used so far. All printer drivers are installed on the desktop and notebook computers. 
@@ -184,16 +181,16 @@ network load factors - The example you are building in this chapter is an example of a network design that works, - but this does not make it a design that is recommended. As a general rule, there should - be at least one Backup Domain Controller per 150 Windows network clients. The principle behind - this recommendation is the fact that correct operation of MS Windows clients requires rapid + The example you are building in this chapter is of a network design that works, but this + does not make it a design that is recommended. As a general rule, there should be at least + one Backup Domain Controller (BDC) per 150 Windows network clients. The principle behind + this recommendation is that correct operation of MS Windows clients requires rapid network response to all SMB/CIFS requests. The same rule says that if there are more than - 50 clients per Domain Controller they are too busy to service requests. Let's put such - rules aside and recognize that network load affects the integrity of Domain Controller - responsiveness. This network will have 500 clients serviced by one central Domain - Controller. This is not a good omen for user satisfaction. You, of course, address this - very soon (see next chapter). + 50 clients per domain controller, they are too busy to service requests. Let's put such + rules aside and recognize that network load affects the integrity of domain controller + responsiveness. This network will have 500 clients serviced by one central domain + controller. This is not a good omen for user satisfaction. You, of course, address this + very soon (see ). @@ -205,7 +202,7 @@ - Design decisions made in this design include: + Design decisions made in this design include the following: 
@@ -213,29 +210,28 @@ PDC LDAP identity management - A single Primary Domain Controller (PDC) is being implemented. This limitation - is based on the choice not to use LDAP. Many network administrators fear using - LDAP based on the perceived complexity of implementation and management of an - LDAP-based backend for all user identity management as well as to store network - access credentials. + A single PDC is being implemented. This limitation is based on the choice not to + use LDAP. Many network administrators fear using LDAP because of the perceived + complexity of implementation and management of an LDAP-based backend for all user + identity management as well as to store network access credentials. BDC machine secret password - Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, - the only choice that makes sense with 500 users is to use the tdbsam passwd backend. - This type of backend is not receptive to replication to Backup Domain Controllers. - If the tdbsam passdb.tdb file is replicated to Backup Domain - Controllers (BDCs) using rsync, there are two potential problems: - 1) Data that is in memory but not yet written to disk will not be replicated, - and 2) Domain Member machines periodically change the secret machine password. When - this happens, there is no mechanism to return the changed password to the PDC. + Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the + only choice that makes sense with 500 users is to use the tdbsam passwd backend. + This type of backend is not receptive to replication to BDCs. If the tdbsam + passdb.tdb file is replicated to BDCs using + rsync, there are two potential problems: (1) data that is in + memory but not yet written to disk will not be replicated, and (2) domain member + machines periodically change the secret machine password. When this happens, there + is no mechanism to return the changed password to the PDC. 
- All Domain user, group, and machine accounts are managed on the PDC. This makes - for a simple mode of operation, but has to be balanced with network performance and + All domain user, group, and machine accounts are managed on the PDC. This makes + for a simple mode of operation but has to be balanced with network performance and integrity of operations considerations. @@ -250,14 +246,14 @@ - At this time the Samba WINS database is not capable of being replicated. That is + At this time the Samba WINS database cannot be replicated. That is why a single WINS server is being implemented. This should work without a problem. winbindd - Backup Domain Controllers make use of winbindd to provide - access to Domain security credentials for file system access and object storage. + BDCs make use of winbindd to provide + access to domain security credentials for file system access and object storage. 
@@ -271,15 +267,15 @@ - All network users are granted the ability to print to any printer that is network - attached. All printers are available from each server. Print jobs that are spooled - to a printer that is not on the local network segment are automatically routed to - the print spooler that is in control of that printer. The specific details of how this - might be done is demonstrated for one example only. + All network users are granted the ability to print to any printer that is + network-attached. All printers are available from each server. Print jobs that + are spooled to a printer that is not on the local network segment are automatically + routed to the print spooler that is in control of that printer. The specific details + of how this might be done are demonstrated for one example only. - The network address and sub-netmask chosen provide 1022 usable IP addresses in + The network address and subnetmask chosen provide 1022 usable IP addresses in each subnet. If in the future more addresses are required, it would make sense to add further subnets rather than change addressing. @@ -294,10 +290,10 @@ This case gets close to the real world. You and I know the right way to implement - Domain Control. Politically, we have to navigate a mine field. In this case, the need is to + domain control. Politically, we have to navigate a minefield. In this case, the need is to get the PDC rolled out in compliance with expectations and also to be ready to save the day by having the real solution ready before it is needed. That real solution is presented in - the next chapter. + Chapter 5. @@ -328,7 +324,7 @@ - The abbreviation shown in this table as {VLN} means + The abbreviation shown in this table as {VLN} refers to the directory location beginning with /var/lib/named. 
@@ -494,15 +490,13 @@ - Server Preparation &smbmdash; All Servers + Server Preparation: All Servers The following steps apply to all servers. Follow each step carefully. - Server Preparation Steps - Using the UNIX/Linux system tools, set the name of the server as shown in the network topology diagram in . For SUSE Linux products, the tool @@ -548,14 +542,14 @@ nameserver 127.0.0.1 administrator smbpasswd - Add the root user to the password backend as follows: + Add the root user to the password backend: &rootprompt; smbpasswd -a root New SMB password: XXXXXXXX Retype new SMB password: XXXXXXXX &rootprompt; - The root account is the UNIX equivalent of the Windows Domain Administrator. + The root account is the UNIX equivalent of the Windows domain administrator. This account is essential in the regular maintenance of your Samba server. It must never be deleted. If for any reason the account is deleted, you may not be able to recreate this account without considerable trouble. @@ -593,14 +587,14 @@ root = Administrator - Configure all network attached printers to have a fixed IP address. + Configure all network-attached printers to have a fixed IP address. Create an entry in the DNS database on the server MASSIVE in both the forward lookup database for the zone abmas.biz.hosts and in the reverse lookup database for the network segment that the printer is - located in. Example configuration files for similar zones were presented in + located in. Example configuration files for similar zones were presented in Chapter 3, and . @@ -621,7 +615,7 @@ root = Administrator print filter This step creates the necessary print queue to use no assigned print filter. This - is ideal for raw printing, i.e., printing without use of filters. + is ideal for raw printing, that is, printing without use of filters. The name printque is the name you have assigned for the particular printer. 
@@ -671,7 +665,7 @@ application/octet-stream - As part of the rollout program, you need to configure the application's + As part of the roll-out program, you need to configure the application's server shares. This can be done once on the central server and may then be replicated using a tool such as rsync. Refer to the man page for rsync for details regarding use. The notes in @@ -682,8 +676,8 @@ application/octet-stream - Logon scripts that are run from a Domain Controller (PDC or BDC) are capable of using semi-intelligent - processes to auto-map Windows client drives to an application server that is nearest to the client. This + Logon scripts that are run from a domain controller (PDC or BDC) are capable of using semi-intelligent + processes to automap Windows client drives to an application server that is nearest to the client. This is considerably more difficult when a single PDC is used on a routed network. It can be done, but not as elegantly as you see in the next chapter. @@ -691,7 +685,7 @@ application/octet-stream - Server Specific Preparation + Server-Specific Preparation There are some steps that apply to particular server functionality only. Each step is critical @@ -702,13 +696,11 @@ application/octet-stream Configuration for Server: <constant>MASSIVE</constant> - Function Specific Configuration Steps - /etc/rc.d/boot.local IP forwarding The host server acts as a router between the two internal network segments as well - as for all Internet access. This necessitates that IP forwarding must be enabled. This can be + as for all Internet access. This necessitates that IP forwarding be enabled. This can be achieved by adding to the /etc/rc.d/boot.local an entry as follows: echo 1 > /proc/sys/net/ipv4/ip_forward 
@@ -718,9 +710,9 @@ echo 1 > /proc/sys/net/ipv4/ip_forward - This server is dual hosted (i.e., has two network interfaces) &smbmdash; one goes to the Internet, + This server is dual hosted (i.e., has two network interfaces) &smbmdash; one goes to the Internet and the other to a local network that has a router that is the gateway to the remote networks. - You must, therefore, configure the server with route table entries so that it can find machines + You must therefore configure the server with route table entries so that it can find machines on the remote networks. You can do this using the appropriate system tools for your Linux server or using static entries that you place in one of the system startup files. It is best to always use the tools that the operating system vendor provided. In the case of SUSE Linux, the 
@@ -749,40 +741,40 @@ hosts: files dns wins initGrps.sh - Create and map Windows Domain Groups to UNIX groups. A sample script is provided in + Create and map Windows domain groups to UNIX groups. A sample script is provided in . Create a file containing this script. You called yours /etc/samba/initGrps.sh. Set this file so it can be executed and then execute the script. An example of the execution of this script as well as its - validation are shown in Chapter 4, Section 4.3.2, Step 5. + validation are shown in Section 4.3.2, Step 5. /etc/passwd passwordbackend smbpasswd - For each user who needs to be given a Windows Domain account, make an entry in the - /etc/passwd file, as well as in the Samba password backend. - Use the system tool of your choice to create the UNIX system account and use the Samba - smbpasswd to create a Domain user account. + For each user who needs to be given a Windows domain account, make an entry in the + /etc/passwd file as well as in the Samba password backend. + Use the system tool of your choice to create the UNIX system account, and use the Samba + smbpasswd to create a domain user account. useradd adduser usermanagement - There are a number of tools for user management under UNIX. Commonly known ones include: - useradd, adduser. In addition to these, there is a plethora of custom + There are a number of tools for user management under UNIX, such as + useradd, adduser, as well as a plethora of custom tools. With the tool of your choice, create a home directory for each user. Using the preferred tool for your UNIX system, add each user to the UNIX groups created - previously as necessary. File system access control based on UNIX group membership. + previously as necessary. File system access control is based on UNIX group membership. - Create the directory mount point for the disk sub-system that is to be mounted to provide - data storage for company files. 
In this case, the mount point indicated in the &smb.conf; + Create the directory mount point for the disk subsystem that is to be mounted to provide + data storage for company files, in this case, the mount point indicated in the &smb.conf; file is /data. Format the file system as required and mount the formatted file system partition using appropriate system tools. @@ -813,8 +805,8 @@ hosts: files dns wins The &smb.conf; file specifies an infrastructure to support roaming profiles and network logon services. You can now create the file system infrastructure to provide the locations on disk that these services require. Adequate planning is essential - since desktop profiles can grow to be quite large. For planning purposes, a minimum of - 200 Megabytes of storage should be allowed per user for profile storage. The following + because desktop profiles can grow to be quite large. For planning purposes, a minimum of + 200 MB of storage should be allowed per user for profile storage. The following commands create the directory infrastructure needed: &rootprompt; mkdir -p /var/spool/samba @@ -842,7 +834,7 @@ hosts: files dns wins net time \\massive /set /yes net use h: /home - Convert the UNIX file to a DOS file as follows: + Convert the UNIX file to a DOS file: &rootprompt; dos2unix < /var/lib/samba/netlogon/scripts/logon.bat.unix \ > /var/lib/samba/netlogon/scripts/logon.bat @@ -875,7 +867,7 @@ Added user username. Your server is ready for validation testing. Do not proceed with the steps in until after the operation of the server has been - validated following the same methods as outlined in . + validated following the same methods as outlined in Chapter 3, . @@ -886,8 +878,6 @@ Added user username. Configuration Specific to Domain Member Servers: <constant>BLDG1, BLDG2</constant> - Domain Member Specific Steps - /etc/nsswitch.conf The final step that must be completed is to edit the /etc/nsswitch.conf file. 
@@ -910,7 +900,7 @@ hosts: files dns wins rpc join - At this time, you must now attempt to join the Domain Member servers to the Domain. The following + You must now attempt to join the domain member servers to the domain. The following instructions should be executed to effect this: &rootprompt; net rpc join @@ -1526,7 +1516,7 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d /etc/xinetd.d - In the event that a service is provided not as a daemon but via the inter-networking + In the event that a service is provided not as a daemon but via the internetworking super daemon (inetd or xinetd), then the chkconfig tool makes the necessary entries in the /etc/xinetd.d directory and sends a hang-up (HUP) signal to the super daemon, thus forcing it to @@ -1538,11 +1528,9 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d - Daemon Start-up Steps - Use the standard system tool to configure each service to restart - automatically at every system reboot. For example: + automatically at every system reboot. For example, chkconfig &rootprompt; chkconfig dhpc on @@ -1581,8 +1569,6 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d - Windows Client Configuration Steps - Install MS Windows XP Professional. During installation, configure the client to use DHCP for TCP/IP protocol configuration. 
@@ -1593,11 +1579,11 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d - Join the Windows Domain MEGANET. Use the Domain Administrator - user name root and the SMB password you assigned to this account. + Join the Windows domain MEGANET. Use the domain administrator + username root and the SMB password you assigned to this account. A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to - a Windows Domain is given in . - Reboot the machine as prompted and then logon using the Domain Administrator account + a Windows domain is given in Appendix A, . + Reboot the machine as prompted and then log on using the domain administrator account (root). @@ -1622,21 +1608,19 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d - Now install all applications to be installed locally. Typical tools includes: Adobe Acrobat, + Now install all applications to be installed locally. Typical tools include Adobe Acrobat, NTP-based time synchronization software, drivers for specific local devices such as fingerprint scanners, and the like. Probably the most significant application to be locally installed - is anti-virus software. + is antivirus software. Now install all four printers onto the staging system. The printers you install - include the Accounting department HP LaserJet 6 and Minolta QMS Magicolor printers, and you + include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers, and you also configure use of the identical printers that are located in the financial services department. Install printers on each machine using the following steps: - Printer Confuiguration Steps - Click Start 
@@ -1649,14 +1633,14 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d - Click Next. In the panel labeled - Manufacturer:, select HP. + Click Next. In the + Manufacturer: panel, select HP. In the Printers: panel, select the printer called HP LaserJet 6. Click Next. - In the panel labeled Available ports:, select + In the Available ports: panel, select FILE:. Accept the default printer name by clicking Next. When asked, Would you like to print a test page?, click No. Click @@ -1674,7 +1658,7 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d - In the panel labeled Network, enter the name of + In the Network panel, enter the name of the print queue on the Samba server as follows: \\BLDG1\hplj6a. Click OK @@ -1685,8 +1669,8 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d Repeat the printer installation steps above for both HP LaserJet 6 printers as well as for both QMS Magicolor laser printers. Remember to install all - printers, but to set the destination port for each to the server on the - local network. For example, a workstation in the Accounting group should + printers but to set the destination port for each to the server on the + local network. For example, a workstation in the accounting group should have all printers directed at the server BLDG1. You may elect to point all desktop workstation configurations at the server called MASSIVE and then in your deployment 
@@ -1701,7 +1685,7 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d When you are satisfied that the staging systems are complete, use the appropriate procedure to remove the client from the domain. Reboot the system, and then log on as the local administrator and clean out all temporary files stored on the system. Before shutting down, use the disk - de-fragmentation tool so that the file system is in an optimal condition before replication. + defragmentation tool so that the file system is in optimal condition before replication. @@ -1712,19 +1696,19 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d You may now replicate the image using the appropriate Norton Ghost procedure to the target machines. Make sure to use the procedure that ensures each machine has a unique - Windows security identifier (SID). When the installation of the disk image has completed, boot the PC. + Windows security identifier (SID). When the installation of the disk image is complete, boot the PC. Log onto the machine as the local Administrator (the only option), and join the machine to - the Domain following the procedure set out in . You must now set the + the domain following the procedure set out in Appendix A, . You must now set the persistent drive mapping to the applications server that the user is to use. The system is now - ready for the user to logon, providing you have created a network logon account for that + ready for the user to log on, provided you have created a network logon account for that user, of course. - Instruct all users to log onto the workstation using their assigned user name and password. + Instruct all users to log onto the workstation using their assigned username and password. 
@@ -1736,8 +1720,8 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d The network you have just deployed has been a valuable exercise in forced constraint. You have deployed a network that works well, although you may soon start to see - performance problems, at which time the modifications demonstrated in the following - chapter bring the network to life. The following key learning points were experienced: + performance problems, at which time the modifications demonstrated in + Chapter 5 bring the network to life. The following key learning points were experienced: @@ -1750,12 +1734,12 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d - Joining a Samba-3 Domain Member server to a Samba-3 Domain + Joining a Samba-3 domain member server to a Samba-3 domain - Configuration of winbind to use Domain Users and Groups for Samba access - to resources on the Domain Member servers + Configuration of winbind to use domain users and groups for Samba access + to resources on the domain member servers @@ -1838,7 +1822,7 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d Replication of the tdbsam database file can result in loss of currency in its contents between the PDC and BDCs. The most notable symptom is that workstations may not be able - to log onto the network following a reboot and may have to re-join the Domain to recover network + to log onto the network following a reboot and may have to rejoin the domain to recover network access capability. 
@@ -1901,7 +1885,7 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d The server called MASSIVE is acting as a router to the Internet. No other server - (BLDG1 or BLDG2) has any need for IP forwarding since they are attached only to their own network. + (BLDG1 or BLDG2) has any need for IP forwarding because they are attached only to their own network. Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network segments to the router that is its gateway to them. @@ -1931,7 +1915,7 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d - On the Domain Member computers, you configured winbind in the /etc/nsswitch.conf file. + On the domain member computers, you configured winbind in the /etc/nsswitch.conf file. You did not configure any PAM settings. Is this an omission? @@ -1940,8 +1924,8 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d PAM is needed only for authentication. When Samba is using Microsoft encrypted passwords, it makes only - marginal use of PAM. PAM configuration handles only authentication. If you want to log onto the Domain - Member servers using Windows networking user names and passwords, it is necessary to configure PAM + marginal use of PAM. PAM configuration handles only authentication. If you want to log onto the domain + member servers using Windows networking usernames and passwords, it is necessary to configure PAM to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name service switch (NSS). 
@@ -1961,10 +1945,10 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed - in TOSHARG, where it has a full chapter dedicated to the subject. While we are on the + in TOSHARG, which has a full chapter dedicated to the subject. While we are on the subject, it should be noted that you should definitely not use SWAT on any system that makes use of &smb.conf; include files because SWAT optimizes them out into an aggregated - file but leaves in place a broken reference to the top layer include file. SWAT was not designed to + file but leaves in place a broken reference to the top-layer include file. SWAT was not designed to handle this functionality gracefully. @@ -1975,7 +1959,7 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d - The Domain Controller has an auto-shutdown script. Isn't that dangerous? + The domain controller has an auto-shutdown script. Isn't that dangerous? diff --git a/docs/Samba-Guide/SBE-Appendix1.xml b/docs/Samba-Guide/SBE-Appendix1.xml index 08b4baf684e..0940f4da416 100644 --- a/docs/Samba-Guide/SBE-Appendix1.xml +++ b/docs/Samba-Guide/SBE-Appendix1.xml @@ -4,9 +4,12 @@ Appendix: A Collection of Useful Tid-bits - - material - domainjoining + + material + + domain + joining + Information presented here is considered to be either basic or well-known material that is informative yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that the process for joining a Windows client to a Samba-controlled Windows Domain may somehow involve steps 
@@ -17,8 +20,9 @@ Joining a Domain: Windows 200x/XP Professional - - joining a domain + + joining a domain + Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security. This section steps through the process for making a Windows 200x/XP Professional machine a member of a Domain Security environment. It should be noted that this process is identical @@ -66,21 +70,18 @@ - This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See - . wxpp007 - The Computer Name Changes Panel &smbmdash; Domain MIDEARTH + This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See . + wxpp007The Computer Name Changes Panel &smbmdash; Domain MIDEARTH - Now click the OK button. A dialog box should appear to allow you to provide the - credentials (username and password) of a Domain administrative account that has the rights to add machines to - the Domain. + Now click the OK button. A dialog box should appear to allow you to provide the credentials (username and password) + of a Domain administrative account that has the rights to add machines to the Domain. Enter the name root and the root password from your Samba-3 server. See . - wxpp008 - Computer Name Changes &smbmdash; User name and Password Panel + wxpp008Computer Name Changes &smbmdash; User name and Password Panel 
@@ -94,24 +95,30 @@ - - Active Directory - DNS + + Active Directory + + DNS + The screen capture shown in has a button labeled More.... This button opens a panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members of Microsoft Active Directory. Active Directory is heavily oriented around the DNS name space. - - Netlogon - DNSdynamic + + Netlogon + + DNSdynamic + Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server to find the services (like which machines are Domain Controllers or which machines have the Netlogon service running). - - DNSsuffix + + DNS + suffix + The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix, this does not affect Domain Membership, but it can break network browsing and the ability to resolve your computer name to a valid IP address. @@ -122,8 +129,9 @@ Where the client is a member of a Samba Domain, it is preferable to leave this field blank. - - Group Policy + + Group Policy + According to Microsoft documentation, If this computer belongs to a group with Group Policy enabled on Primary DNS suffice of this computer, the string specified in the Group Policy is used as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is 
@@ -135,10 +143,13 @@ Samba System File Location - - default installation - /usr/local/samba - /usr/local + + default installation + + /usr/local/samba + + /usr/local + One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is in the /usr/local/samba directory. This is a perfectly reasonable location, particularly given all the other @@ -150,23 +161,42 @@ default. - - Free Standards GroupFSG - FSG - Linux Standards BaseLSB - LSB - File Hierarchy SystemFHS - FHS - file locations - /etc/samba - /usr/sbin - /usr/bin - /usr/share - /usr/share/swat - /usr/lib/samba - /usr/share/samba/swat - SWAT - VFS modules + + Free Standards Group + FSG + + FSG + + Linux Standards Base + LSB + + LSB + + File Hierarchy System + FHS + + FHS + + file locations + + /etc/samba + + /usr/sbin + + /usr/bin + + /usr/share + + /usr/share/swat + + /usr/lib/samba + + /usr/share/samba/swat + + SWAT + + VFS modules + Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy System (FHS), have elected to locate the configuration files under the /etc/samba directory, common binary files (those used by users) in the /usr/bin directory, and the administrative files (daemons) in the @@ -177,10 +207,13 @@ passdb backend as well as for the VFS modules. - - /var/lib/samba - /var/log/samba - run-time control files + + /var/lib/samba + + /var/log/samba + + run-time control files + Samba creates run-time control files and generates log files. The run-time control files (tdb and dat files) are stored in the /var/lib/samba directory. Log files are created in /var/log/samba. 
@@ -190,8 +223,10 @@ /usr/local/samba directory tree. This makes it simple to find the files that Samba owns. - - smbdlocation of files + + smbd + location of files + One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location of all files called smbd. Here is an example: @@ -226,8 +261,9 @@ Version 3.0.20-SUSE Many people have been caught by installation of Samba using the default Samba Team process when it was already installed by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by - executing: - rpm + executing: + rpm + &rootprompt; rpm -qa | grep samba samba3-pdb-3.0.20-1 @@ -239,8 +275,9 @@ samba3-utils-3.0.20-1 samba3-doc-3.0.20-1 samba3-client-3.0.20-1 samba3-cifsmount-3.0.20-1 - - package names + + package names + The package names, of course, vary according to how the vendor, or the binary package builder, prepared them. @@ -249,8 +286,9 @@ samba3-cifsmount-3.0.20-1 Starting Samba - - daemon + + daemon + Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba, there are three daemons, two of which are needed as a minimum. 
@@ -387,16 +425,18 @@ esac - - samba control script + + samba control script + SUSE Linux implements individual control over each Samba daemon. A samba control script that can be conveniently executed from the command line is shown in . This can be located in the directory /sbin in a file called samba. This type of control script should be owned by user root and group root, and set so that only root can execute it. - - startup script + + startup script + A sample startup script for a Red Hat Linux system is shown in . This file could be located in the directory /etc/rc.d and can be called samba. A similar startup script is required to control winbind. @@ -536,9 +576,13 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 Alternative LDAP Database Initialization - - LDAPdatabase - LDAPinitial configuration + + LDAP + database + + LDAP + initial configuration + The following procedure may be used as an alternative means of configuring the initial LDAP database. Many administrators prefer to have greater control over how system files get configured. @@ -547,10 +591,14 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 Initialization of the LDAP Database - - LDIF - Domain Groupswell-known - SID + + LDIF + + Domain Groups + well-known + + SID + The first step to get the LDAP server ready for action is to create the LDIF file from which the LDAP database will be pre-loaded. This is necessary to create the containers into which the user, group, and so on, accounts is written. It is also necessary to 
@@ -950,98 +998,119 @@ description: Domain Users The LDAP Account Manager - - LAM - LDAP Account ManagerLAM - PHP - unencrypted - SSL - Posix - accountsmanage - The LDAP Account Manager (LAM) is an application suite that has been written in PHP. - LAM can be used with any Web server that has PHP4 support. It connects to the LDAP - server either using unencrypted connections or via SSL/TLS. LAM can be used to manage - Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines - (hosts). - - - - LAM is available from the LAM - home page and from its mirror sites. LAM has been released under the GNU GPL version 2. - The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter - of 2005. - - - - PHP4 - OpenLDAP - Perl - Requirements: - - - - A web server that will work with PHP4. - PHP4 (available from the - PHP home page.) - OpenLDAP 2.0 or later. - A Web browser that supports CSS. - Perl. - The gettext package. - mcrypt + mhash (optional). - It is also a good idea to install SSL support. - - - - LAM is a useful tool that provides a simple Web-based device that can be used to - manage the contents of the LDAP directory to: - organizational units - operating profiles - account policies - - - - Display user/group/host and Domain entries. - Manage entries (Add/Delete/Edit). - Filter and sort entries. - Store and use multiple operating profiles. - Edit organizational units (OUs). - Upload accounts from a file. - Is compatible with Samba-2.2.x and Samba-3. - + + LAM + + LDAP Account Manager + LAM + + PHP + + unencrypted + + SSL + + Posix + + accountsmanage + +The LDAP Account Manager (LAM) is an application suite that has been written in PHP. +LAM can be used with any Web server that has PHP4 support. It connects to the LDAP +server either using unencrypted connections or via SSL. LAM can be used to manage +Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines +(hosts). 
+ + + +LAM is available from the LAM +home page and from its mirror sites. LAM has been released under the GNU GPL version 2. +The current version of LAM is 0.4.3. Release of version 0.5 is expected some time early +in 2004. + - - When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba - user, group, and windows domain member machine accounts. - + + PHP4 + + OpenLDAP + + Perl + +Requirements: + + + + A web server that will work with PHP4. + PHP4 (available from the + PHP home page.) + OpenLDAP 2.0 or later. + A Web browser that supports CSS. + Perl. + The gettext package. + mcrypt + mhash (optional since version 0.4.3). + It is also a good idea to install SSL support. + + + +LAM is a useful tool that provides a simple Web-based device that can be used to + manage the contents of the LDAP directory to: + organizational units + + operating profiles + + account policies + + + + + Display user/group/host and Domain entries. + Manages entries (Add/Delete/Edit). + Filter and sort entries. + Set LAM administrator accounts. + Store and use multiple operating profiles. + Edit organizational units (OUs). + Upload accounts from a file. + Is compatible with Samba-2.2.x and Samba-3. + + + +When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba +user, group, and windows domain member machine accounts. + - - default password - secure connections - LAMSSL - The default password is lam. It is highly recommended that you use only - an SSL connection to your Web server for all remote operations involving LAM. If you - want secure connections, you are advised to configure your Apache Web server to permit connections - to LAM using only SSL. - + + default password + + secure connections + + LAM + + SSL + +The default password is lam. It is highly recommended that you use only +an SSL connection to your Web server for all remote operations involving LAM. 
If you +want secure connections, you must configure your Apache Web server to permit connections +to LAM using only SSL. + - - Apache Configuration Steps for LAM + +Apache Condiguration Steps for LAM Extract the LAM package with: -&rootprompt; tar xzf ldap-account-manager_0.4.9.tar.gz +&rootprompt; tar xzf ldap-account-manager_0.4.3.tar.gz - Alternatively, install the LAM DEB for your system using the following command: +Alternately, install the LAM RPM for your system using the following example for +example: -&rootprompt; dpkg -i ldap-account-manager_0.4.9.all.deb +&rootprompt; rpm -Uvh ldap-account-manager-0.4.3-1.noarch.rpm Copy the extracted files to the document root directory of your Web server. - For example, on SUSE Linux Enterprise Server 9, copy to the - /srv/www/htdocs directory. + For example, on SUSE Linux Enterprise Server 8, copy to the + /srv/web/htdocs directory. @@ -1057,17 +1126,23 @@ description: Domain Users - - LAMconfiguration file - Using your favorite editor create the following config.cfg - LAM configuration file: + + LAM + configuration file + + Using your favorite editor create the following config.cfg + LAM configuration file: &rootprompt; cd /srv/www/htdocs/lam/config &rootprompt; cp config.cfg_sample config.cfg &rootprompt; vi config.cfg - - LAMprofile - LAMwizard + + LAM + profile + + LAM + wizard + An example file is shown in . This is the minimum configuration that must be completed. The LAM profile file can be created using a convenient wizard that is part of the LAM @@ -1086,8 +1161,9 @@ description: Domain Users - - pitfalls + + pitfalls + An example of a working file is shown here in . This file has been stripped of comments to keep the size small. The comments and help information provided in the profile file that the wizard creates 
@@ -1096,8 +1172,10 @@ description: Domain Users are preferred at your site. - - LAMlogin screen + + LAM + login screen + It is important that your LDAP server is running at the time that LAM is being configured. This permits you to validate correct operation. An example of the LAM login screen is provided in . @@ -1127,16 +1205,19 @@ description: Domain Users lam-config - - PDF + + PDF + LAM has some nice, but unusual features. For example, one unexpected feature in most application screens permits the generation of a PDF file that lists configuration information. This is a well thought out facility. This option has been edited out of the following screen shots to conserve space. - - LAMopening screen + + LAM + opening screen + When you log onto LAM the opening screen drops you right into the user manager as shown in . This is a logical action as it permits the most-needed facility to be used immediately. The editing of an existing user, as with the addition of a new user, @@ -1154,7 +1235,7 @@ description: Domain Users The edit screen for groups is shown in . As with the edit screen for user accounts, group accounts may be rapidly dealt with. - shows a sub-screen from the group editor that permits users to be assigned secondary group + shown a sub-screen from the group editor that permits users to be assigned secondary group memberships. @@ -1168,8 +1249,11 @@ description: Domain Users lam-group-members - - smbldap-toolsscripts + + smbldap-tools + + scripts + The final screen presented here is one that you should not normally need to use. Host accounts will be automatically managed using the smbldap-tools scripts. This means that the screen will, in most cases, not be used. 
@@ -1183,18 +1267,11 @@ description: Domain Users One aspect of LAM that may annoy some users is the way it forces certain conventions on the administrator. For example, LAM does not permit the creation of Windows user and group - accounts that contain spaces even though the underlying UNIX/Linux + accounts that contain upper-case characters or spaces even though the underlying UNIX/Linux operating system may exhibit no problems with them. Given the propensity for using upper-case characters and spaces (particularly in the default Windows account names) this may cause some annoyance. For the rest, LAM is a very useful administrative tool. - - - The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features - (e.g. logon hours). The new plugin based architecture also allows to manage much more different - account types like plain Unix accounts. The upload can now handle groups and hosts, too. Another - important point is the tree view which allows to browse and edit LDAP objects directly. - Example LAM Configuration File &smbmdash; <filename>config.cfg</filename> @@ -1227,7 +1304,7 @@ userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber grouplistAttributes: #cn;#gidNumber;#memberUID;#description hostlistAttributes: #cn;#description;#uidNumber;#gidNumber maxlistentries: 30 -defaultLanguage: en_GB:ISO-8859-1:English (Great Britain) +defaultLanguage: en_GB:ISO-8859-1:English (Britain) scriptPath: scriptServer: samba3: yes @@ -1241,6 +1318,8 @@ pwdhash: SSHA Effect of Setting File and Directory SUID/SGID Permissions Explained + SUID + SGID The setting of the SUID/SGID bits on the file or directory permissions flag has particular consequences. If the file is executable and the SUID bit is set, it executes with the privilege diff --git a/docs/Samba-Guide/SBE-MakingHappyUsers.xml b/docs/Samba-Guide/SBE-MakingHappyUsers.xml index 5fc3893aa77..47d5dc2bb63 100644 --- a/docs/Samba-Guide/SBE-MakingHappyUsers.xml 
+++ b/docs/Samba-Guide/SBE-MakingHappyUsers.xml @@ -4,14 +4,14 @@ Making Happy Users - It has been said, A day that is without troubles is not fulfilling. Rather, give + It is said that a day that is without troubles is not fulfilling. Rather, give me a day of troubles well handled so that I can be content with my achievements. In the world of computer networks, problems are as varied as the people who create them - or experience them. The design of the network implemented in the last chapter may - create problems for some network users. The following lists some of the problems that + or experience them. The design of the network implemented in + may create problems for some network users. The following lists some of the problems that may occur: 
@@ -21,17 +21,17 @@ user account PDC/BDC ratio -Notice: A significant number of network administrators have responded to the guidance given -below. It should be noted that there are sites that have a single PDC for many hundreds of +A significant number of network administrators have responded to the guidance given +here. It should be noted that there are sites that have a single PDC for many hundreds of concurrent network clients. Network bandwidth, network bandwidth utilization, and server load -are among the factors that will determine the maximum number of Windows clients that +are among the factors that determine the maximum number of Windows clients that can be served by a single domain controller (PDC or BDC) on a network segment. It is possible to operate with only a single PDC over a routed network. What is possible is not necessarily best practice. When Windows client network logons begin to fail with -the message that the domain controller can not be found, or that the user account can not -be found (when you know it exists), that may be an indication that the DC is overloaded or -network bandwidth is overloaded. The guidance given in respect of PDC/BDC ratio to Windows -clients is conservative and if followed will minimize problems - but it is not absolute. +the message that the domain controller cannot be found or that the user account cannot +be found (when you know it exists), that may be an indication that the domain controller is +overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows +clients is conservative and if followed will minimize problems &smbmdash; but it is not absolute. 
@@ -52,14 +52,14 @@ clients is conservative and if followed will minimize problems - but it is not a If the domain controller provides only network logon services - and all file and print activity is handled by Domain Member servers, one Domain - Controller per 150 clients on a single network segment may suffice. In any - case, it is highly recommended to have a minimum of one Domain Controller (PDC or BDC) + and all file and print activity is handled by domain member servers, one domain + controller per 150 clients on a single network segment may suffice. In any + case, it is highly recommended to have a minimum of one domain controller (PDC or BDC) per network segment. It is better to have at least one BDC on the network - segment that has a PDC. If the Domain Controller is also used as a file and - print server, the number of clients it can service reliably is reduced + segment that has a PDC. If the domain controller is also used as a file and + print server, the number of clients it can service reliably is reduced, and a common rule is not to exceed 30 machines (Windows workstations plus - Domain Member servers) per Domain Controller. + domain member servers) per domain controller. @@ -85,8 +85,8 @@ clients is conservative and if followed will minimize problems - but it is not a HUB ethernet switch Network traffic collisions due to overloading of the network - segment &smbmdash; one short-term workaround to this may be to replace - network HUBs with ethernet switches. + segment. One short-term workaround to this may be to replace + network HUBs with Ethernet switches. 
@@ -106,9 +106,9 @@ clients is conservative and if followed will minimize problems - but it is not a MS Outlook PST file Excessively large roaming profiles. This type of problem is typically - the result of poor user eduction, as well as poor network management. + the result of poor user education as well as poor network management. It can be avoided by users not storing huge quantities of email in - MS Outlook PST files, as well as by not storing files on the desktop. + MS Outlook PST files as well as by not storing files on the desktop. These are old bad habits that require much discipline and vigilance on the part of network management. @@ -117,7 +117,7 @@ clients is conservative and if followed will minimize problems - but it is not a WebClient You should verify that the Windows XP WebClient service is not running. The use of the WebClient service has been implicated in many Windows - networking related problems. + networking-related problems. @@ -127,7 +127,7 @@ clients is conservative and if followed will minimize problems - but it is not a Loss of access to network drives and printer resources Loss of access to network resources during client operation may be caused by a number - of factors including: + of factors, including: @@ -142,7 +142,7 @@ clients is conservative and if followed will minimize problems - but it is not a networktimeout - Timeout causing the client to close a connection that is in use, but has + Timeout causing the client to close a connection that is in use but has been latent (no traffic) for some time (5 minutes or more) 
@@ -156,8 +156,8 @@ clients is conservative and if followed will minimize problems - but it is not a datacorruption No matter what the cause, a sudden loss of access to network resources can result in BSOD (blue screen of death) situations that necessitate rebooting of the client - workstation. In the case of a mild problem, retrying to access the network drive of printer - may restore operations, but in any case this is a serious problem as it may lead to the next + workstation. In the case of a mild problem, retrying to access the network drive of the printer + may restore operations, but in any case this is a serious problem that may lead to the next problem, data corruption. @@ -180,7 +180,7 @@ clients is conservative and if followed will minimize problems - but it is not a In this chapter, you can work through a number of measures that significantly arm you to - anticipate and to combat network performance issues. You can work through complex and thorny + anticipate and combat network performance issues. You can work through complex and thorny methods to improve the reliability of your network environment, but be warned that all such steps demand the price of complexity. @@ -190,7 +190,7 @@ clients is conservative and if followed will minimize problems - but it is not a LDAPdirectory - Computer (machine) accounts can be placed where ever you like in an LDAP directory subject to some + Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some constraints that are described in this section. 
@@ -200,17 +200,17 @@ clients is conservative and if followed will minimize problems - but it is not a machine account trust account The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba. - i.e.: Machine accounts are treated inside Samba in the same way that Windows NT4/200X treats + That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats them. A user account and a machine account are indistinguishable from each other, except that - the machine account ends in a '$' character, as do trust accounts. + the machine account ends in a $ character, as do trust accounts. account UID - The need for Windows user, group, machine, trust, etc. accounts to be tied to a valid UNIX UID + The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID is a design decision that was made a long way back in the history of Samba development. It is - unlikely that this decision will be reversed of changed during the remaining life of the + unlikely that this decision will be reversed or changed during the remaining life of the Samba-3.x series. @@ -228,7 +228,7 @@ clients is conservative and if followed will minimize problems - but it is not a and group facilities in the NSS control (configuration) file. The best tool for achieving this is left up to the UNIX administrator to determine. It is not imposed by Samba. Samba provides winbindd together with its support libraries as one method. It is - possible to do this via LDAP - and for that Samba provides the appropriate hooks so that + possible to do this via LDAP, and for that Samba provides the appropriate hooks so that all account entities can be located in an LDAP directory. 
@@ -248,11 +248,11 @@ clients is conservative and if followed will minimize problems - but it is not a Introduction - Mr. Bob Jordan just opened an email from Christine that reads: + You just opened an email from Christine that reads: - Bob, + Good morning,
Christine A few months ago we sat down to design the network. We discussed the challenges ahead and we all agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated @@ -260,11 +260,11 @@ clients is conservative and if followed will minimize problems - but it is not a - As you now know we started off on the wrong foot. We have a lot of unhappy users. One of them + As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them resigned yesterday afternoon because she was under duress to complete some critical projects. She suffered a blue screen of death situation just as she was finishing four hours of intensive work, all of which was lost. She has a unique requirement that involves storing large files on her desktop. - Mary's desktop profile is nearly 1 Gigabyte in size. As a result of her desktop configuration, it + Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all network logon traffic passes over the network links between our buildings, logging on may take three or four attempts due to blue screen problems associated with network timeouts. 
@@ -273,8 +273,8 @@ clients is conservative and if followed will minimize problems - but it is not a A few of us worked to help her out of trouble. We convinced her to stay and promised to fully resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard - limits on what our users can do with their desktops. If we do not do this, we face staff losses - that can surely do harm to our growth, as well as to staff morale. I am sure we can better deal + limits on what our users can do with their desktops. Otherwise, we face staff losses + that can surely do harm to our growth as well as to staff morale. I am sure we can better deal with the consequences of what we know we must do than we can with the unrest we have now. @@ -286,11 +286,13 @@ clients is conservative and if followed will minimize problems - but it is not a - compromise + compromise networkmulti-segment - Every compromise has consequences. Having a large routed (i.e., multi-segment) network with only a + Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a single domain controller is a poor design that has obvious operational effects that may - frustrate users. Here is Bob's reply: + frustrate users. Here is your reply: + +
Bob Christine, Your diligence and attention to detail are much valued. Stan and I fully support your proposals to resolve the issues. I am confident that your plans fully realized will significantly @@ -298,7 +300,6 @@ clients is conservative and if followed will minimize problems - but it is not a Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait for approval; I appreciate the urgency.
- Assignment Tasks @@ -308,15 +309,14 @@ clients is conservative and if followed will minimize problems - but it is not a - Backup Domain ControllerBDC BDC tdbsam LDAPmigration Implement Backup Domain Controllers (BDCs) in each building. This involves - a change from use of a tdbsam backend that was used in the previous - chapter, to use an LDAP-based backend. + a change from a tdbsam backend that was used in the previous + chapter to an LDAP-based backend. @@ -333,15 +333,13 @@ clients is conservative and if followed will minimize problems - but it is not a exclude the redirected folders from being loaded at login time. You can also create a new default profile that can be used for all new users. - disk image - You configure a new MS Windows XP Professional Workstation disk image that you - roll out to all desktop users. The instructions you have created are followed on a - staging machine from which all changes can be carefully tested before inflicting them on - your network users. + You configure a new MS Windows XP Professional workstation disk image that you roll out + to all desktop users. The instructions you have created are followed on a staging machine + from which all changes can be carefully tested before inflicting them on your network users. 
@@ -367,39 +365,41 @@ clients is conservative and if followed will minimize problems - but it is not a - eDirectory - Novell eDirectory. - eDirectory is being successfully used by some sites. Information on how to use eDirectory can be + + eDirectory + Novell eDirectory + is being successfully used by some sites. Information on how to use eDirectory can be obtained from the Samba mailing lists or from Novell. - - - - Tivoli Directory Server - IBM Tivoli Directory Server, - can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba - source code tarball under the directory ~samba/example/LDAP. - - - - Sun ONE Identity Server - Sun ONE Identity Server. - This product suite provides an LDAP server that can be used for Samba. Example schema files are - provided in the Samba source code tarball under the directory ~samba/example/LDAP. - + + + + Tivoli Directory Server + IBM Tivoli + Directory Server can be used to provide the Samba LDAP backend. Example schema + files are provided in the Samba source code tarball under the directory + ~samba/example/LDAP. + + + + Sun ONE Identity Server + Sun ONE Identity + Server product suite provides an LDAP server that can be used for Samba. + Example schema files are provided in the Samba source code tarball under the directory + ~samba/example/LDAP. + - A word of caution is fully in order. OpenLDAP is purely an LDAP server and unlike commercial + A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial offerings, it requires that you manually edit the server configuration files and manually - initialize the LDAP directory database. OpenLDAP itself has only command line tools to + initialize the LDAP directory database. OpenLDAP itself has only command-line tools to help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges. 
Active Directory For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite - adequate. If you are migrating from Microsoft Active Directory, be - warned that OpenLDAP does not include + adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database requires an understanding of what you are doing, why you are doing it, and the tools that you must use. @@ -417,7 +417,7 @@ clients is conservative and if followed will minimize problems - but it is not a master/slave server configurations. OpenLDAP is a mature platform to host the organizational directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more. The price paid through learning how to design an LDAP directory schema in implementation and configuration - of management tools is well rewarded by performance and flexibility, and the freedom to manage directory + of management tools is well rewarded by performance and flexibility and the freedom to manage directory contents with greater ability to back up, restore, and modify the directory than is generally possible with Microsoft Active Directory. 
@@ -428,22 +428,22 @@ clients is conservative and if followed will minimize problems - but it is not a Active Directory OpenLDAP A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory - tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely pre-configured + tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured for a specific task orientation. It comes with a set of administrative tools that is entirely customized for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator - who wants to built a custom directory solution. Microsoft provides an application called + who wants to build a custom directory solution. Microsoft provides an application called - MS ADAM that provides more-generic LDAP services, yet it does not have the vanilla-like services + MS ADAM that provides more generic LDAP services, yet it does not have the vanilla-like services of OpenLDAP. directoryschema passdb backend - You may wish to consider out-sourcing the development of your OpenLDAP directory to an expert, particularly + You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly if you find the challenge of learning about LDAP directories, schemas, configuration, and management - tools, and the creation of shell and Perl scripts a bit + tools and the creation of shell and Perl scripts a bit challenging. OpenLDAP can be easily customized, though it includes many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file that is required for use as a passdb backend. 
@@ -453,19 +453,19 @@ clients is conservative and if followed will minimize problems - but it is not a interoperability For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability, there are a few nice Web-based tools that may help you to manage your users and groups more effectively. - The Web-based tools you might like to consider include: The - LDAP Account Manager (LAM), as well as the - Webmin-based Idealx - CGI tools. + The Web-based tools you might like to consider include the + LDAP Account Manager (LAM) and the Webmin-based + Webmin Idealx + CGI tools. Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of - these so it may be useful to include passing reference to them. - The first is GQ, a GTK-based LDAP browser; - LDAP Browser/Editor, - JXplorer (by Computer Associates), - and the last is called phpLDAPadmin. + these, so it may be useful to them: + GQ, a GTK-based LDAP browser; + LDAP Browser/Editor + ; JXplorer (by Computer Associates); + and phpLDAPadmin. @@ -477,9 +477,9 @@ clients is conservative and if followed will minimize problems - but it is not a Information to help you get started with OpenLDAP is available from the - OpenLDAP Web Site. Many people have found the book - LDAP System Administration, - written by Jerry Carter, quite useful. + OpenLDAP web site. Many people have found the book + LDAP System Administration, + by Jerry Carter quite useful. 
@@ -489,8 +489,8 @@ clients is conservative and if followed will minimize problems - but it is not a networkwide-area Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must - be loaded over the wide-area network connection. This addition of BDCs on each network segment significantly - improves overall network performance for most users, but this is not enough. You must gain control over + be loaded over the WAN connection. The addition of BDCs on each network segment significantly + improves overall network performance for most users, but it is not enough. You must gain control over user desktops, and this must be done in a way that wins their support and does not cause further loss of staff morale. The following procedures solve this problem. @@ -504,7 +504,7 @@ clients is conservative and if followed will minimize problems - but it is not a You add the ability to automatically download new printer drivers, even if they are not installed in the default desktop profile. Only one example of printing configuration is given. It is assumed that - you can extrapolate the principles and use this to install all printers that may be needed. + you can extrapolate the principles and use them to install all printers that may be needed. @@ -516,7 +516,7 @@ clients is conservative and if followed will minimize problems - but it is not a Posix The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system - accounts are stored Posix schema extensions. Samba provides its own schema to permit storage of account + accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account attributes Samba needs. Samba-3 can use the LDAP backend to store: 
@@ -539,10 +539,10 @@ clients is conservative and if followed will minimize problems - but it is not a nss_ldap The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking accounts in the LDAP backend. This implies the need to use the - PADL LDAP tools. The resolution + PADL LDAP tools. The resolution of the UNIX group name to its GID must be enabled from either the /etc/group or from the LDAP backend. This requires the use of the PADL nss_ldap tool-set - that integrates with the name service switch (NSS). The same requirements exist for resolution + that integrates with the NSS. The same requirements exist for resolution of the UNIX username to the UID. The relationships are demonstrated in . @@ -551,12 +551,9 @@ clients is conservative and if followed will minimize problems - but it is not a UNIX-Samba-and-LDAP - - security - - LDAP - secure - + + security + LDAPsecure You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really ought to learn how to configure secure communications over LDAP so that site security is not at risk. This is not covered in the following guidance. 
@@ -565,39 +562,35 @@ clients is conservative and if followed will minimize problems - but it is not a PDC LDAP Interchange FormatLDIF - LDIFsecrets.tdb - When OpenLDAP has been made operative, you configure the Primary Domain Controller (PDC) - called MASSIVE. You initialize the Samba secrets.tdb - file. Then you create the LDAP Interchange Format (LDIF) file from which the LDAP database - can be initialized. You need to decide how best to create user and group accounts. A few - hints are, of course, provided. You can also find on the enclosed CD-ROM, in the Chap06 - directory, a few tools that help to manage user and group configuration. + LDIF + secrets.tdb + When OpenLDAP has been made operative, you configure the PDC called MASSIVE. + You initialize the Samba secrets.tdb file. Then you + create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized. + You need to decide how best to create user and group accounts. A few hints are, of course, provided. + You can also find on the enclosed CD-ROM, in the Chap06 directory, a few tools + that help to manage user and group configuration. - - folder redirection - - default profile - - roaming profile - + + folder redirection + default profile + roaming profile In order to effect folder redirection and to add robustness to the implementation, - create a network Default Profile. All network users workstations are configured to use + create a network default profile. All network users workstations are configured to use the new profile. Roaming profiles will automatically be deleted from the workstation when the user logs off. - - mandatory profile - + + mandatory profile The profile is configured so that users cannot change the appearance of their desktop. This is known as a mandatory profile. You make certain that users are able to use their computers efficiently. 
- - logon script - + + logon script A network logon script is used to deliver flexible but consistent network drive connections. @@ -613,8 +606,8 @@ clients is conservative and if followed will minimize problems - but it is not a Samba versions prior to 3.0.11 necessitated the use of a domain administrator account that maps to the UNIX UID=0. The UNIX operating system permits only the root user to add user and group accounts. Samba 3.0.11 introduced a new facility known as - Privileges. This new facility introduced four new privileges that - can be assigned to users and/or groups: + Privileges, which provides five new privileges that + can be assigned to users and/or groups; see Table 5.1. @@ -655,7 +648,7 @@ clients is conservative and if followed will minimize problems - but it is not a - In this network example use will be made of one of the supported privileges purely to demonstrate + In this network example use is made of one of the supported privileges purely to demonstrate how any user can now be given the ability to add machines to the domain using a normal user account that has been given the appropriate privileges. @@ -674,7 +667,7 @@ clients is conservative and if followed will minimize problems - but it is not a HKEY_CURRENT_USER NTUSER.DAT %USERNAME% - An XP Roaming Profile consists of the HKEY_CURRENT_USER hive file + An XP roaming profile consists of the HKEY_CURRENT_USER hive file NTUSER.DAT and a number of folders (My Documents, Application Data, Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the network with the default configuration of MS Windows NT/200x/XPP, all this data is 
@@ -682,8 +675,8 @@ clients is conservative and if followed will minimize problems - but it is not a directory. While the user is logged in, any changes made to any of these folders or to the HKEY_CURRENT_USER branch of the registry are made to the local copy of the profile. At logout the profile data is copied back to the server. This behavior - can be changed through appropriate registry changes and/or through changes to the Default - User profile. In the latter case, it updates the registry with the values that are set in the + can be changed through appropriate registry changes and/or through changes to the default + user profile. In the latter case, it updates the registry with the values that are set in the profile NTUSER.DAT file. @@ -691,17 +684,17 @@ clients is conservative and if followed will minimize problems - but it is not a The first challenge is to reduce the amount of data that must be transferred to and from the profile server as roaming profiles are processed. This includes removing - all the shortcuts in the Recent directory, making sure the cache used by the web browser + all the shortcuts in the Recent directory, making sure the cache used by the Web browser is not being dumped into the Application Data folder, removing the Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the - user to not place large files on the Desktop and to use his mapped home directory for - saving documents instead of the My Documents folder. + user to not place large files on the desktop and to use his or her mapped home directory + instead of the My Documents folder for saving documents. My Documents Using a folder other than My Documents is a nuisance for - some users since many applications use it by default. + some users, since many applications use it by default. 
@@ -717,7 +710,7 @@ clients is conservative and if followed will minimize problems - but it is not a Network Default Profile redirected folders - Every user profile has their own NTUSER.DAT file. This means + Every user profile has its own NTUSER.DAT file. This means you need to edit every user's profile, unless a better method can be followed. Fortunately, with the right preparations, this is not difficult. It is possible to remove the NTUSER.DAT file from each @@ -750,8 +743,8 @@ clients is conservative and if followed will minimize problems - but it is not a System User Profiles . - By default this setting contains: - Local Settings;Temporary Internet Files;History;Temp. + By default this setting contains + Local Settings; Temporary Internet Files; History; Temp. @@ -771,7 +764,7 @@ clients is conservative and if followed will minimize problems - but it is not a There are two changes that should be done to each user's profile. Move each of the directories that you have excluded from being copied back and forth out of the usual profile path. Modify each user's NTUSER.DAT file - to point to the new paths that are shared over the network, instead of the default + to point to the new paths that are shared over the network instead of to the default path (C:\Documents and Settings\%USERNAME%). @@ -779,7 +772,7 @@ clients is conservative and if followed will minimize problems - but it is not a Default User regedt32 The above modifies existing user profiles. So that newly created profiles have - these settings, you will need to modify the NTUSER.DAT in + these settings, you need to modify the NTUSER.DAT in the C:\Documents and Settings\Default User folder on each client machine, changing the same registry keys. You could do this by copying NTUSER.DAT to a Linux box and using regedt32. 
@@ -794,13 +787,13 @@ clients is conservative and if followed will minimize problems - but it is not a NETLOGON NTUSER.DAT - If you are using Samba as your PDC, you should create a file-share called + If you are using Samba as your PDC, you should create a file share called NETLOGON and within that create a directory called Default User, which is a copy of the desired default user configuration (including a copy of NTUSER.DAT). If this share exists and the Default User folder exists, the first login from a new account pulls its configuration from it. - See also: + See also the Real Men Don't Click Web site. 
@@ -815,27 +808,27 @@ clients is conservative and if followed will minimize problems - but it is not a Raw Print Through The subject of printing is quite topical. Printing problems run second place to name resolution issues today. So far in this book, you have experienced only what is generally - known as dumb printing. Dumb printing is the arrangement where all drivers + known as dumb printing. Dumb printing is the arrangement by which all drivers are manually installed on each client and the printing subsystems perform no filtering or intelligent processing. Dumb printing is easily understood. It usually works without many problems, but it has its limitations also. Dumb printing is better known as - Raw Print Through printing. + Raw-Print-Through printing. printingdrag-and-drop printingpoint-n-click - Samba permits the configuration of Smart printing using the Microsoft + Samba permits the configuration of smart printing using the Microsoft Windows point-and-click (also called drag-and-drop) printing. What this provides is essentially the ability to print to any printer. If the local client does not yet have a driver installed, the driver is automatically downloaded from the Samba server and installed on the client. Drag-and-drop printing is neat; it means the user never needs - to fuss with driver installation, and that is a Good Thing, + to fuss with driver installation, and that is a Good Thing, isn't it? - There is a further layer of print job processing that is known as Intelligent + There is a further layer of print job processing that is known as intelligent printing that automatically senses the file format of data submitted for printing and then invokes a suitable print filter to convert the incoming data stream into a format suited to the printer to which the job is dispatched. 
@@ -848,15 +841,15 @@ clients is conservative and if followed will minimize problems - but it is not a The CUPS printing subsystem is capable of intelligent printing. It has the capacity to detect the data format and apply a print filter. This means that it is feasible to install on all Windows clients a single printer driver for use with all printers that are routed - through CUPS. The most sensible driver to use is one for a Postscript printer. Fortunately, - Easy Software Products, the authors of CUPS have - released a Postscript printing driver for Windows. It can be installed into the Samba + through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately, + Easy Software Products, the authors of CUPS, have + released a PostScript printing driver for Windows. It can be installed into the Samba printing backend so that it automatically downloads to the client when needed. This means that so long as there is a CUPS driver for the printer, all printing from Windows - software can use Postscript, no matter what the actual printer language for the physical + software can use PostScript, no matter what the actual printer language for the physical device is. It also means that the administrator can swap out a printer with a totally different type of device without ever needing to change a client workstation driver. 
@@ -870,12 +863,12 @@ clients is conservative and if followed will minimize problems - but it is not a - Avoiding Failures &smbmdash; Solving Problems Before they Happen + Avoiding Failures: Solving Problems Before They Happen - It has often been said that there are three types of people in the world: Those who - have sharp minds and those that forget things. Please do not ask what the third group - are like! Well, it seems that many of us have company in the second group. There must + It has often been said that there are three types of people in the world: those who + have sharp minds and those who forget things. Please do not ask what the third group + is like! Well, it seems that many of us have company in the second group. There must be a good explanation why so many network administrators fail to solve apparently simple problems efficiently and effectively. @@ -885,20 +878,20 @@ clients is conservative and if followed will minimize problems - but it is not a - Preliminary Advice &smbmdash; Dangers Can be Avoided + Preliminary Advice: Dangers Can Be Avoided - The best advice regarding how best to mend a broken leg was never break a leg! + The best advice regarding how to mend a broken leg is Never break a leg! LDAP - New comers to Samba and LDAP seem to struggle a great deal at first. If you want advice + Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice regarding the best way to remedy LDAP and Samba problems: Avoid them like the plague! - If you are now asking yourself how can problems be avoided? The best advice is to start + If you are now asking yourself how problems can be avoided, the best advice is to start out your learning experience with a known-good configuration. After you have seen a fully working solution, a good way to learn is to make slow and progressive changes that cause things to break, then observe carefully how and why things ceased to work. 
@@ -912,20 +905,20 @@ clients is conservative and if followed will minimize problems - but it is not a Do not be lulled into thinking that you can easily adopt the examples in this - book and adapt them without first working through the working examples provided. A little - thing over-looked can cause untold pain and may permanently tarnish your experience. + book and adapt them without first working through the examples provided. A little + thing overlooked can cause untold pain and may permanently tarnish your experience. - The Name Service Caching Daemon (nscd) + The Name Service Caching Daemon The name service caching daemon (nscd) is a primary cause of difficulties with name resolution, particularly where winbind is used. Winbind does its own caching, thus nscd causes double caching which can lead to peculiar problems during - debugging. As a rule it is a good idea to turn off the name service caching daemon. + debugging. As a rule, it is a good idea to turn off the name service caching daemon. @@ -984,7 +977,7 @@ clients is conservative and if followed will minimize problems - but it is not a shared hosts yes It is feasible to comment out the passwd and group - entries so they will not be cached. Alternately, it is often simpler to just disable the + entries so they will not be cached. Alternatively, it is often simpler to just disable the nscd service by executing (on Novell SUSE Linux): &rootprompt; chkconfig nscd off @@ -1003,7 +996,7 @@ clients is conservative and if followed will minimize problems - but it is not a slapd In the example /etc/openldap/slapd.conf control file (see ) there is an entry for loglevel 256. - To enable logging via the syslog infrastructure it is necessary to uncomment this parameter + To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter and restart slapd. 
@@ -1022,9 +1015,9 @@ local5.* -/var/log/localmessages local6,local7.* -/var/log/localmessages local4.* -/var/log/ldaplogs - In the above case, all LDAP related logs will be directed to the file + In this case, all LDAP-related logs will be directed to the file /var/log/ldaplogs. This makes it easy to track LDAP errors. - The above provides a simple example of usage that can be modified to suit + The snippet provides a simple example of usage that can be modified to suit local site needs. The configuration used later in this chapter reflects such customization with the intent that LDAP log files will be stored at a location that meets local site needs and wishes more fully. @@ -1049,16 +1042,15 @@ logdir /data/logs - The diagnostic process should follow the following steps: + The diagnostic process should follow these steps: - Diagnostic Guidelines Verify the nss_base_passwd, nss_base_shadow, nss_base_group entries in the /etc/ldap.conf file and compare them closely with the directory - tree location that was chosen in when the directory was first created. + tree location that was chosen when the directory was first created. 
@@ -1083,14 +1075,14 @@ nss_base_group ou=Groups,dc=abmas,dc=biz?one The same process may be followed to determine the appropriate dn for user accounts. If the container for computer accounts is not the same as that for users (see the &smb.conf; - file entry for ldap machine suffix, it may be necessary to set the + file entry for ldap machine suffix), it may be necessary to set the following DIT dn in the /etc/ldap.conf file: nss_base_passwd dc=abmas,dc=biz?sub This instructs LDAP to search for machine as well as user entries from the top of the DIT down. This is inefficient, but at least should work. Note: It is possible to specify multiple - nss_base_passwd entries in the /etc/ldap.conf file, they + nss_base_passwd entries in the /etc/ldap.conf file; they will be evaluated sequentially. Let us consider an example of use where the following DIT has been implemented: @@ -1123,7 +1115,7 @@ nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one - For additional diagnostic information check the contents of the /var/log/messages + For additional diagnostic information, check the contents of the /var/log/messages to see what error messages are being generated as a result of the LDAP lookups. Here is an example of a successful lookup: @@ -1159,7 +1151,7 @@ slapd[12164]: conn=1 fd=10 closed Check that the bindpw entry in the /etc/ldap.conf or in the - /etc/ldap.secrets file is correct. i.e.: As specified in the + /etc/ldap.secrets file is correct, as specified in the /etc/openldap/slapd.conf file. @@ -1171,7 +1163,7 @@ slapd[12164]: conn=1 fd=10 closed Debugging Samba - The following parameters in the &smb.conf; file can be useful in tracking down Samba related problems: + The following parameters in the &smb.conf; file can be useful in tracking down Samba-related problems: [global] ... 
@@ -1212,7 +1204,7 @@ slapd[12164]: conn=1 fd=10 closed Debugging on the Windows Client - MS Windows 2000 Professional and Windows XP Professional clients are capable of being configured + MS Windows 2000 Professional and Windows XP Professional clients can be configured to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search the Microsoft knowledge base for detailed instructions. The techniques vary a little with each version of MS Windows. @@ -1231,18 +1223,18 @@ slapd[12164]: conn=1 fd=10 closed MS Windows network users are generally very sensitive to limits that may be imposed when confronted with locked-down workstation configurations. The challenge you face must - be promoted as a choice between reliable and fast network operation, and a constant flux + be promoted as a choice between reliable, fast network operation and a constant flux of problems that result in user irritation. - Installation Check-List + Installation Checklist - You are starting a complex project. Even though you have gone through the installation - of a complex network in chapter 5, this network is a bigger challenge because of the + You are starting a complex project. Even though you went through the installation of a complex + network in , this network is a bigger challenge because of the large number of complex applications that must be configured before the first few steps can be validated. Take stock of what you are about to undertake, prepare yourself, and frequently review the steps ahead while making at least a mental note of what has already 
@@ -1254,37 +1246,37 @@ slapd[12164]: conn=1 fd=10 closed Samba-3 PDC Server Configuration - DHCP and DNS Servers - OpenLDAP Server - PAM and NSS Client Tools + DHCP and DNS servers + OpenLDAP server + PAM and NSS client tools Samba-3 PDC - Idealx SMB-LDAP Scripts - LDAP Initialization - Create User and Group Accounts + Idealx smbldap scripts + LDAP initialization + Create user and group accounts Printers - Share Point Directory Roots - Profile Directories - Logon Scripts - Configuration of User Rights and Privileges + Share point directory roots + Profile directories + Logon scripts + Configuration of user rights and privileges Samba-3 BDC Server Configuration - DHCP and DNS Servers - PAM and NSS Client Tools + DHCP and DNS servers + PAM and NSS client tools Printers - Share Point Directory Roots - Profiles Directories + Share point directory roots + Profiles directories Windows XP Client Configuration - Default Profile Folder Redirection - MS Outlook PST File Relocation - Delete Roaming Profile on Logout - Upload Printer Drivers to Samba Servers - Install Software - Creation of Roll-out Images + Default profile folder redirection + MS Outlook PST file relocation + Delete roaming profile on logout + Upload printer drivers to Samba servers + Install software + Creation of roll-out images 
@@ -1297,61 +1289,53 @@ slapd[12164]: conn=1 fd=10 closed Samba Server Implementation - - file servers - - BDC - + + file servers + BDC The network design shown in is not comprehensive. It is assumed - that you will install additional file servers, and possibly additional BDCs. + that you will install additional file servers and possibly additional BDCs. - Network Topology &smbmdash; 500 User Network Using ldapsam passdb backend. + Network Topology &smbmdash; 500 User Network Using ldapsam passdb backend chap6-net - - SUSE Linux - - Red Hat Linux - + + SUSE Linux + Red Hat Linux All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to adjust the locations for your particular Linux system distribution/implementation. -The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools scripts -version 0.8.8. If using a different version of Samba, or of the smbldap-tools tarball, please -verify that the versions you are about to use are matching. The smbldap-tools package uses counter -entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are issued for POSIX -accounts. The LDAP rdn under which this information is stored are called uidNumber -and gidNumber respectively. These may be located in any convenient part of the -directory information tree (DIT). In the examples that follow they have been located under -dn=sambaDomainName=MEGANET2,dc=abmas,dc=biz. They could just as well be located under the rdn -cn=NextFreeUnixId. +The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools +scripts version 0.8.8. If using a different version of Samba or of the smbldap-tools tarball, +please verify that the versions you are about to use are matching. 
The smbldap-tools package +uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are +issued for POSIX accounts. The LDAP rdn under which this information is stored are called +uidNumber and gidNumber respectively. These may be +located in any convenient part of the directory information tree (DIT). In the examples that +follow they have been located under dn=sambaDomainName=MEGANET2,dc=abmas,dc=org. +They could just as well be located under the rdn cn=NextFreeUnixId. - The steps in the process involve changes from the network configuration - shown in . - Before implementing the following steps, you must have completed the network implementation shown - in that chapter. If you are starting with newly installed Linux servers, you must complete - the steps shown in before commencing - at : + The steps in the process involve changes from the network configuration shown in + . Before implementing the following steps, you must + have completed the network implementation shown in that chapter. If you are starting + with newly installed Linux servers, you must complete the steps shown in + before commencing at . OpenLDAP Server Configuration - - nss_ldap - - pam_ldap - - openldap - + + nss_ldap + pam_ldap + openldap Confirm that the packages shown in are installed on your system. 
@@ -1394,30 +1378,23 @@ directory information tree (DIT). In the examples that follow they have been loc - Samba-3 and OpenLDAP will have a degree of inter-dependence that is unavoidable. The method - for boot-strapping the LDAP and Samba-3 configuration is relatively straight forward. If you + Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method + for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you follow these guidelines, the resulting system should work fine. - Implementing the OpenLDAP Server - - - /etc/openldap/slapd.conf - + + + /etc/openldap/slapd.conf Install the file shown in in the directory /etc/openldap. - The rootpw value is an enrypted password string that can be - generated by executing the slappasswd command. - - /data/ldap - - group account - - user account - + + /data/ldap + group account + user account Remove all files from the directory /data/ldap, making certain that the directory exists with permissions: @@ -1427,7 +1404,8 @@ drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap This may require you to add a user and a group account for LDAP if they do not exist. - DB_CONFIG + + DB_CONFIG Install the file shown in in the directory /data/ldap. In the event that this file is added after ldap has been started, it is possible to cause the new settings to take effect by shutting down @@ -1435,10 +1413,11 @@ drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap /data/ldap directory, and then restarting the LDAP server. - syslog + + syslog Performance logging can be enabled and should preferably be sent to a file on a file system that is large enough to handle significantly sized logs. To enable - the logging at a verbose level to permit detailed analysis uncomment the entry in + the logging at a verbose level to permit detailed analysis, uncomment the entry in the /etc/openldap/slapd.conf shown as loglevel 256. 
@@ -1448,7 +1427,7 @@ drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap local4.* -/data/ldap/log/openldap.log - Note: The path /data/ldap/log should be set a a location + Note: The path /data/ldap/log should be set at a location that is convenient and that can store a large volume of data. @@ -1481,7 +1460,7 @@ access to dn.base="" by self write by * auth -access to attr=userPassword,sambaLMPassword,sambaNTPassword +access to attr=userPassword by self write by * auth @@ -1490,8 +1469,8 @@ access to attr=shadowLastChange by * read access to * - by * read - by anonymous auth + by * read + by anonymous auth #loglevel 256 
@@ -1536,62 +1515,44 @@ index default sub PAM and NSS Client Configuration - - LDAP - - NSS - - PAM - - The steps that follow involve configuration of LDAP, name service switch (NSS) LDAP-based resolution - of users and groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead - configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication. + + LDAP + NSS + PAM + The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and + groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure + the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication. + Pluggable Authentication ModulesPAM + pam_unix2.so Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely that you may want to use them for UNIX system (Linux) local machine logons. This necessitates - correct configuration of the Pluggable Authentication - Modules - Pluggable Authentication Modules - PAM - - pam_unix2.so - - (PAM). The pam_ldap - open source package provides the PAM modules that most people would use. On SUSE Linux systems, - the pam_unix2.so module also has the ability to redirect authentication requests - through LDAP. + correct configuration of PAM. The pam_ldap open source package provides the + PAM modules that most people would use. On SUSE Linux systems, the pam_unix2.so + module also has the ability to redirect authentication requests through LDAP. - - YaST - - SUSE Linux - - Red Hat Linux - - authconfig - - You have chosen to configure these services by directly editing the system files but, of course, you + + YaST + SUSE Linux + Red Hat Linux + authconfig + You have chosen to configure these services by directly editing the system files, but of course, you know that this configuration can be done using system tools provided by the Linux system vendor. 
- SUSE Linux has a facility in YaST (the system admin tool) through yast + SUSE Linux has a facility in YaST (the system admin tool) through yast systemldap-client that permits - configuration of SUSE Linux as an LDAP client. Red Hat Linux provides - the authconfig + configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the authconfig tool for this. - Configuration of NSS and PAM - - - /lib/libnss_ldap.so.2 - - /etc/ldap.conf - - nss_ldap - + + + /lib/libnss_ldap.so.2 + /etc/ldap.conf + nss_ldap Execute the following command to find where the nss_ldap module expects to find its control file: @@ -1659,12 +1620,11 @@ ssl off - - /etc/nsswitch.conf - + + /etc/nsswitch.conf Edit the NSS control file (/etc/nsswitch.conf) so that the lines that control user and group resolution will obtain information from the normal system files as - well as from ldap as follows: + well as from ldap: passwd: files ldap shadow: files ldap @@ -1689,17 +1649,13 @@ hosts: files dns wins nsswitch.conf file is a significant cause of operational problems with LDAP. - - pam_unix2.so - use_ldap - + + pam_unix2.souse_ldap For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following - files in the /etc/pam.d directory: - login, password, samba, sshd. - In each file, locate every entry that has the pam_unix2.so entry and add to the - line the entry use_ldap as shown for the - login module in - this example: + files in the /etc/pam.d directory: login, password, + samba, sshd. In each file, locate every entry that has the + pam_unix2.so entry and add to the line the entry use_ldap as shown + for the login module in this example: #%PAM-1.0 auth requisite pam_unix2.so nullok use_ldap #set_secrpc @@ -1717,9 +1673,8 @@ session required pam_limits.so - - pam_ldap.so - + + pam_ldap.so On other Linux systems that do not have an LDAP-enabled pam_unix2.so module, you must edit these files by adding the pam_ldap.so modules as shown here: 
@@ -1741,8 +1696,9 @@ session optional pam_mail.so This example does have the LDAP-enabled pam_unix2.so, but simply demonstrates the use of the pam_ldap.so module. You can use either implementation, but if the pam_unix2.so on your system supports - LDAP, you probably want to use it, rather than add an additional module. + LDAP, you probably want to use it rather than add an additional module. + @@ -1750,19 +1706,18 @@ session optional pam_mail.so Samba-3 PDC Configuration - - Samba RPM Packages - + + Samba RPM Packages Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the - choice to either build your own or to obtain the packages from a dependable source. - Packages for SUSE Linux 8.x, 9.x and SUSE Linux Enterprise Server 9, as well as for - Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4 are included on the CD-ROM that - is included at the back of this book. + choice to either build your own or obtain the packages from a dependable source. + Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for + Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that + is included with this book. - Configuration of PDC Called: <constant>MASSIVE</constant> + Configuration of PDC Called <constant>MASSIVE</constant> Install the files in , 
@@ -1770,14 +1725,13 @@ session optional pam_mail.so and into the /etc/samba/ directory. The three files should be added together to form the &smb.conf; master file. It is a good practice to call this file something like - smb.conf.master, and then to perform all file edits + smb.conf.master and then to perform all file edits on the master file. The operational &smb.conf; is then generated as shown in the next step. - - testparm - + + testparm Create and verify the contents of the &smb.conf; file that is generated by: &rootprompt; testparm -s smb.conf.master > smb.conf @@ -1807,7 +1761,7 @@ Press enter to see a dump of your service definitions - Delete all run-time files from prior Samba operation by executing (for SUSE + Delete all runtime files from prior Samba operation by executing (for SUSE Linux): &rootprompt; rm /etc/samba/*tdb @@ -1817,11 +1771,9 @@ Press enter to see a dump of your service definitions - - secrets.tdb - - smbpasswd - + + secrets.tdb + smbpasswd Samba-3 communicates with the LDAP server. The password that it uses to authenticate to the LDAP server must be stored in the secrets.tdb file. Execute the following to create the new secrets.tdb files @@ -1835,20 +1787,17 @@ Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb - - smbd - - net - getlocalsid - - Samba-3 generates a Windows Security Identifier only when smbd + + smbd + netgetlocalsid + Samba-3 generates a Windows Security Identifier (SID) only when smbd has been started. For this reason, you start Samba. After a few seconds delay, execute: &rootprompt; smbclient -L localhost -U% &rootprompt; net getlocalsid - A report such as the following means that the Domain Security Identifier (SID) has not yet + A report such as the following means that the domain SID has not yet been written to the secrets.tdb or to the LDAP backend: [2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852) 
@@ -1859,37 +1808,29 @@ with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out) - The attempt to read the SID will attempt to bind to the LDAP server. Because the LDAP server - is not running this operation will fail by way of a time out, as shown above. This is - normal output, do not worry about this error message. When the Domain has been created and + The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server + is not running, this operation will fail by way of a timeout, as shown previously. This is + normal output; do not worry about this error message. When the domain has been created and written to the secrets.tdb file, the output should look like this: SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 - If, after a short delay (a few seconds), the Domain SID has still not been written to + If, after a short delay (a few seconds), the domain SID has still not been written to the secrets.tdb file, it is necessary to investigate what - may be mis-configured. In this case, carefully check the &smb.conf; file for typographical + may be misconfigured. In this case, carefully check the &smb.conf; file for typographical errors (the most common problem). The use of the testparm is highly recommended to validate the contents of this file. - When a positive Domain SID has been reported, stop Samba. + When a positive domain SID has been reported, stop Samba. - - NFS server - - - /etc/exports - - - BDC - - - rsync - + NFS server + /etc/exports + BDC + rsync Configure the NFS server for your Linux system. So you can complete the steps that follow, enter into the /etc/exports the following entry: 
@@ -1897,9 +1838,9 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 This permits the user home directories to be used on the BDC servers for testing purposes. You, of course, decide what is the best way for your site to distribute - data drives, as well as creating suitable backup and restore procedures for Abmas Inc. + data drives, and you create suitable backup and restore procedures for Abmas I'd strongly recommend that for normal operation the BDC is completely independent - of the PDC. rsync is a useful tool here as it resembles the NT replication service quite + of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite closely. If you do use NFS, do not forget to start the NFS server as follows: &rootprompt; rcnfsserver start @@ -1974,19 +1915,17 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 Install and Configure Idealx smbldap-tools Scripts - - Idealx - smbldap-tools - + + Idealxsmbldap-tools The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts - on the LDAP server. You have chosen the Idealx scripts since they are the best known + on the LDAP server. You have chosen the Idealx scripts because they are the best-known LDAP configuration scripts. The use of these scripts will help avoid the necessity to create custom scripts. It is easy to download them from the Idealx - Web Site. The tarball may + Web site. The tarball may be directly downloaded - for this site, also. Alternately, you may obtain the + from this site also. Alternatively, you may obtain the smbldap-tools-0.8.8-3.src.rpm - file that may be used to build an install-able RPM package for your Linux system. + file that may be used to build an installable RPM package for your Linux system. 
@@ -2001,14 +1940,13 @@ change the path to them in your &smb.conf; file on the PDC (MASSIVE - Installation of smbldap-tools from the tarball + Installation of smbldap-tools from the Tarball - To perform a manual installation of the smbldap-tools scripts the following procedure may be used: + To perform a manual installation of the smbldap-tools scripts, the following procedure may be used: - Idealx smbldap-tools Configuration Create the /opt/IDEALX/sbin directory, and set its permissions @@ -2025,7 +1963,7 @@ change the path to them in your &smb.conf; file on the PDC (MASSIVE If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location. - Change into either the directory extracted from the tarball, or else into the smbldap-tools + Change into either the directory extracted from the tarball or the smbldap-tools directory in your /usr/share/doc/packages directory tree. @@ -2036,6 +1974,7 @@ change the path to them in your &smb.conf; file on the PDC (MASSIVE -&rootprompt; chown -R root:root /opt/IDEALX/sbin/* +&rootprompt; chown root.root /opt/IDEALX/sbin/* &rootprompt; chmod 755 /opt/IDEALX/sbin/smbldap-* &rootprompt; chmod 640 /opt/IDEALX/sbin/smb*pm The smbldap-tools scripts are now ready for the configuration step outlined in - Configuration of smbldap-tools. + . + @@ -2077,11 +2017,10 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; In the event that you have elected to use the RPM package provided by Idealx, download the - source RPM smbldap-tools-0.8.8-3.src.rpm, then follow the following procedure: + source RPM smbldap-tools-0.8.8-3.src.rpm, then follow this procedure: - Installation of smbldap-tools from RPM Install the source RPM that has been downloaded as follows: 
@@ -2116,7 +2055,7 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; &rootprompt; rpmbuild -ba -v smbldap-tools.spec - A build process that has completed without error will place the install-able binary + A build process that has completed without error will place the installable binary files in the directory ../RPMS/noarch. @@ -2140,19 +2079,18 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; Configuration of smbldap-tools - Prior to use the smbldap-tools must be configured to match the settings in the &smb.conf; file + Prior to use, the smbldap-tools must be configured to match the settings in the &smb.conf; file and to match the settings in the /etc/openldap/slapd.conf file. The assumption - is made that the &smb.conf; file has correct contents. The following procedure will ensure that + is made that the &smb.conf; file has correct contents. The following procedure ensures that this is completed correctly: - The smbldap-tools require that the netbios name (machine name) of the Samba server be included + The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included in the &smb.conf; file. - Configuration of <filename>smbldap.conf</filename> Change into the directory that contains the configure.pl script. @@ -2268,13 +2206,13 @@ writing new configuration file: /etc/smbldap-tools/smbldap.conf done. /etc/smbldap-tools/smbldap_bind.conf done. - Since a slave LDAP server has not been configured it is necessary to specify the IP + Since a slave LDAP server has not been configured, it is necessary to specify the IP address of the master LDAP server for both the master and the slave configuration prompts. - Change to the directory that contains the smbldap.conf file + Change to the directory that contains the smbldap.conf file, then verify its contents. 
@@ -2292,13 +2230,13 @@ writing new configuration file: LDAP Initialization and Creation of User and Group Accounts - The LDAP database must be populated with well-known Windows Domain user accounts and Domain Group + The LDAP database must be populated with well-known Windows domain user accounts and domain group accounts before Samba can be used. The following procedures step you through the process. - At this time, Samba-3 requires that on a PDC all UNIX (Posix) group accounts that are - mapped (linked) to Windows Domain Group accounts must be in the LDAP database. It does not + At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are + mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not hurt to have UNIX user and group accounts in both the system files as well as in the LDAP database. From a UNIX system perspective, the NSS resolver checks system files before referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it @@ -2306,71 +2244,65 @@ writing new configuration file: - Addition of an account to the LDAP backend can be done in a number of ways: + Addition of an account to the LDAP backend can be done in two ways: -
- NIS - - /etc/passwd - - Posix accounts - - pdbedit - - SambaSamAccount - - PosixAccount - - If you always have a user account in the /etc/passwd on every - server or in a NIS(+) backend, it is not necessary to add Posix accounts for them in - LDAP. In this case, you can add Windows Domain user accounts using the - pdbedit utility. Use of this tool from the command line adds the - SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user. - + + + NIS + /etc/passwd + Posix accounts + pdbedit + SambaSamAccount + PosixAccount + If you always have a user account in the /etc/passwd on every + server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in + LDAP. In this case, you can add Windows domain user accounts using the + pdbedit utility. Use of this tool from the command line adds the + SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user. + - - If you decide that it is probably a good idea to add both the PosixAccount attributes - as well as the SambaSamAccount attributes for each user, then a suitable script is needed. - In the example system you are installing in this exercise, you are making use of the - Idealx smbldap-tools scripts. A copy of these tools, pre-configured for this system, - is included on the enclosed CD-ROM under Chap06/Tools. -
+ + This is the least desirable method because when LDAP is used as the passwd backend Samba + expects the POSIX account to be in LDAP also. It is possible to use the PADL account + migration tool to migrate all system accounts from either the /etc/passwd + files, or from NIS, to LDAP. + - - Idealx - smbldap-tools - + + If you decide that it is probably a good idea to add both the PosixAccount attributes + as well as the SambaSamAccount attributes for each user, then a suitable script is needed. + In the example system you are installing in this exercise, you are making use of the + Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system, + is included on the enclosed CD-ROM under Chap06/Tools. + + + + + Idealxsmbldap-tools If you wish to have more control over how the LDAP database is initialized or - want not to use the Idealx smbldap-tools, you should refer to . + if you don't want to use the Idealx smbldap-tools, you should refer to + , . - - smbldap-populate - + + smbldap-populate The following steps initialize the LDAP database, and then you can add user and group accounts that Samba can use. You use the smbldap-populate to seed the LDAP database. You then manually add the accounts shown in . The list of users does not cover all 500 network users; it provides examples only. - - LDAP - database - - directory - People container - - directory - Computers container - + + LDAPdatabase + directoryPeople container + directoryComputers container In the following examples, as the LDAP database is initialized, we do create a container for Computer (machine) accounts. In the Samba-3 &smb.conf; files, specific use is made of the People container, not the Computers container, for domain member accounts. This is not a mistake; it is a deliberate action that is necessitated by the fact that the resolution of a machine (computer) account to a UID is done via NSS. 
The only way this can be handled is - using the NSS (/etc/nsswitch.conf) entry for passwd + using the NSS (/etc/nsswitch.conf) entry for passwd, which is resolved using the nss_ldap library. The configuration file for the nss_ldap library is the file /etc/ldap.conf that provides only one possible LDAP search command that is specified by the entry called @@ -2378,8 +2310,8 @@ writing new configuration file: the directory structure so that the LDAP search will commence at a level that is above both the Computers container and the Users (or People) container. If this is done, it is necessary to use a search that will descend the directory tree so that the machine account - can be found. Alternately, by placing all machine accounts in the People container, we - are able to side-step this limitation. This is the simpler solution that has been adopted + can be found. Alternatively, by placing all machine accounts in the People container, we + are able to sidestep this limitation. This is the simpler solution that has been adopted in this chapter. @@ -2447,8 +2379,6 @@ writing new configuration file: - Validation of Configuration - Start the LDAP server by executing: @@ -2518,10 +2448,9 @@ Starting ldap-server done - - slapcat - - So that we can use a global IDMAP repository the LDAP directory must have a container object for IDMAP data. + + slapcat + So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data. There are several ways you can check that your LDAP database is able to receive IDMAP information. One of the simplest is to execute: @@ -2529,9 +2458,7 @@ Starting ldap-server done dn: ou=Idmap,dc=abmas,dc=biz ou: idmap - - ldapadd - + ldapadd If the execution of this command does not return IDMAP entries, you need to create an LDIF template file (see ). You can add the required entries using the following command: 
@@ -2542,9 +2469,8 @@ ou: idmap Samba automatically populates this LDAP directory container when it needs to. - - slapcat - + + slapcat It looks like all has gone well, as expected. Let's confirm that this is the case by running a few tests. First we check the contents of the database directly by running slapcat as follows (the output has been cut down): @@ -2583,9 +2509,8 @@ modifyTimestamp: 20031217234206Z This looks good so far. - - ldapsearch - + + ldapsearch The next step is to prove that the LDAP server is running and responds to a search request. Execute the following as shown (output has been cut to save space): @@ -2631,9 +2556,8 @@ result: 0 Success Good. It is all working just fine. - - getent - + + getent You must now make certain that the NSS resolver can interrogate LDAP also. Execute the following commands: @@ -2645,23 +2569,19 @@ Domain Admins:x:512:root Domain Users:x:513: Domain Guests:x:514: Domain Computers:x:553: - - nss_ldap - + + nss_ldap This demonstrates that the nss_ldap library is functioning - as it should. If these two steps fail to produce this information refer to + as it should. If these two steps fail to produce this information, refer to for diagnostic procedures that can be followed to - isolate the cause of the problem. Proceed to the next step only when the steps - above have been successfully completed. + isolate the cause of the problem. Proceed to the next step only when the previous steps + have been successfully completed. - - smbldap-useradd - - smbldap-passwd - - smbpasswd - + + smbldap-useradd + smbldap-passwd + smbpasswd Our database is now ready for the addition of network users. For each user for whom an account must be created, execute the following: 
@@ -2675,13 +2595,12 @@ Retype new password : XXXXXXXX New SMB password: XXXXXXXX Retype new SMB password: XXXXXXXX - Where username is the login ID for each user. + where username is the login ID for each user. - - getent - - Now verify that the UNIX (Posix) accounts can be resolved via NSS by executing the + + getent + Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the following: &rootprompt; getent passwd @@ -2699,23 +2618,25 @@ maryv:x:1003:513:System User:/home/maryv:/bin/bash - This step will determine + This step will determine whether or not identity resolution is working correctly. + Do not procede is this step fails, rather find the cause of the failure. The + id command may be used to validate your configuration so far, + as shown here: &rootprompt; id chrisr uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users) - This confirms that the UNIX (Posix) user account information can be resolved from LDAP + This confirms that the UNIX (POSIX) user account information can be resolved from LDAP by system tools that make a getentpw() system call. - - smbldap-usermod - - The 'root' account must have UID=0, if not this means that operations conducted from + + smbldap-usermod + The root account must have UID=0; if not, this means that operations conducted from a Windows client using tools such as the Domain User Manager fails under UNIX because the management of user and group accounts requires that the UID=0. Additionally, it is - a good idea to make certain that no matter how 'root' account credentials are resolved - that the home directory and shell are valid. You decide to effect this immediately + a good idea to make certain that no matter how root account credentials are resolved, + the home directory and shell are valid. You decide to effect this immediately as demonstrated here: &rootprompt; cd /opt/IDEALX/sbin 
@@ -2749,11 +2670,9 @@ drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/ This is precisely what we want to see. - - ldapsam - - pdbedit - + + ldapsam + pdbedit The final validation step involves making certain that Samba-3 can obtain the user accounts from the LDAP ldapsam passwd backend. Execute the following command as shown: @@ -2785,9 +2704,8 @@ Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF This looks good. Of course, you fully expected that it would all work, didn't you? - - smbldap-groupadd - + + smbldap-groupadd Now you add the group accounts that are used on the Abmas network. Execute the following exactly as shown: @@ -2799,9 +2717,8 @@ Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF output is of no concern. - - getent - + + getent You really do want to confirm that UNIX group resolution from LDAP is functioning as it should. Let's do this as shown here: @@ -2819,12 +2736,9 @@ PIOps:x:1002: as our own site-specific group accounts, are correctly listed. This is looking good. - - net - groupmap - list - - The final step we need to validate is that Samba can see all the Windows Domain Groups + + netgroupmaplist + The final step we need to validate is that Samba can see all the Windows domain groups and that they are correctly mapped to the respective UNIX group account. To do this, just execute the following command: @@ -2838,7 +2752,7 @@ Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps This is looking good. Congratulations &smbmdash; it works! Note that in the above output - the lines where shortened by replacing the middle value (1010554828) of the SID with the + the lines were shortened by replacing the middle value (1010554828) of the SID with the ellipsis (...). 
@@ -2862,19 +2776,19 @@ PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps The next step might seem a little odd at this point, but take note that you are about to - start winbindd which must be able to authenticate to the PDC via the + start winbindd, which must be able to authenticate to the PDC via the localhost interface with the smbd process. This account can be - easily created by joining the PDC to the Domain by executing the following command: + easily created by joining the PDC to the domain by executing the following command: &rootprompt; net rpc join -S MASSIVE -U root%not24get - Note: Before executing this command on the PDC both nmbd and + Note: Before executing this command on the PDC, both nmbd and smbd must be started so that the net command - can communicate with smbd. The expected output is: + can communicate with smbd. The expected output is as follows: Joined domain MEGANET2. - This indicates that the Domain security account for the PDC has been correctly created. + This indicates that the domain security account for the PDC has been correctly created. @@ -2885,16 +2799,15 @@ Joined domain MEGANET2. - - smbclient - + + smbclient You may now check Samba-3 operation as follows: &rootprompt; smbclient -L massive -U% Sharename Type Comment --------- ---- ------- - IPC$ IPC IPC Service (Samba 3.0.20) + IPC$ IPC IPC Service (Samba 3.0.1) accounts Disk Accounting Files service Disk Financial Services Files pidata Disk Property Insurance Files @@ -2902,11 +2815,11 @@ Joined domain MEGANET2. netlogon Disk Network Logon Service profiles Disk Profile Share profdata Disk Profile Data Share - ADMIN$ IPC IPC Service (Samba 3.0.20) + ADMIN$ IPC IPC Service (Samba 3.0.1) Server Comment --------- ------- - MASSIVE Samba 3.0.20 + MASSIVE Samba 3.0.1 Workgroup Master --------- ------- 
@@ -2916,7 +2829,7 @@ Joined domain MEGANET2. - For your finale, let's try an authenticated connection. Follow this as shown: + For your finale, let's try an authenticated connection: &rootprompt; smbclient //massive/bobj -Ubobj%n3v3r2l8 smb: \> dir @@ -2944,28 +2857,25 @@ smb: \> q Printer Configuration - - CUPS - + + CUPS The configuration for Samba-3 to enable CUPS raw-print-through printing has already been - taken care of in the &smb.conf; file. The only preparation needed for - smart + taken care of in the &smb.conf; file. The only preparation needed for smart printing to be possible involves creation of the directories in which Samba-3 stores Windows printing driver files. - Configuration of Raw Printers - Configure all network attached printers to have a fixed IP address. + Configure all network-attached printers to have a fixed IP address. Create an entry in the DNS database on the server MASSIVE in both the forward lookup database for the zone abmas.biz.hosts and in the reverse lookup database for the network segment that the printer is to - be located in. Example configuration files for similar zones were presented in + be located in. Example configuration files for similar zones were presented in Chapter 3, and in . @@ -2977,9 +2887,8 @@ smb: \> q raw printing - - lpadmin - + + lpadmin CUPSqueue Only on the server to which the printer is attached, configure the CUPS Print Queues as follows: @@ -2989,7 +2898,7 @@ smb: \> q print filter This step creates the necessary print queue to use no assigned print filter. This - is ideal for raw printing, i.e., printing without use of filters. + is ideal for raw printing, that is, printing without use of filters. The name printque is the name you have assigned for the particular printer. @@ -3012,7 +2921,7 @@ smb: \> q - + mime type /etc/mime.convs application/octet-stream 
@@ -3039,7 +2948,7 @@ application/octet-stream - The following action creates the necessary directory sub-system. Follow these + The following action creates the necessary directory subsystem. Follow these steps to printing heaven: &rootprompt; mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40} @@ -3059,7 +2968,6 @@ application/octet-stream Configuration of BDC Called: <constant>BLDG1</constant> - Install the files in , , and @@ -3082,15 +2990,14 @@ application/octet-stream to 1 and back to 5 before the NSS LDAP resolver functions. Follow these commands: -&rootprompt; telinit 1 +&rootprompt; init 1 After the run level has been achieved, you are prompted to provide the root password. Log on, and then execute: -&rootprompt; telinit 5 +&rootprompt; init 5 - When the normal logon prompt appears, log into the system as - root + When the normal logon prompt appears, log into the system as root and then execute these commands: &rootprompt; getent passwd @@ -3142,15 +3049,12 @@ Finances:x:1001: PIOps:x:1002: This is also the correct and desired output, because it demonstrates that the LDAP client - is able to communicate correctly with the LDAP server - (MASSIVE). + is able to communicate correctly with the LDAP server (MASSIVE). - - smbpasswd - - You must now set the LDAP administrative password into the - Samba-3 secrets.tdb + + smbpasswd + You must now set the LDAP administrative password into the Samba-3 secrets.tdb file by executing this command: &rootprompt; smbpasswd -w not24get 
@@ -3159,9 +3063,9 @@ Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb - Now you must obtain the Domain Security Identifier from the PDC and store it into the + Now you must obtain the domain SID from the PDC and store it into the secrets.tdb file also. This step is not necessary with an LDAP - passdb backend because Samba-3 obtains the Domain SID from the + passdb backend because Samba-3 obtains the domain SID from the sambaDomain object it automatically stores in the LDAP backend. It does not hurt to add the SID to the secrets.tdb, and if you wish to do so, this command can achieve that: @@ -3171,19 +3075,19 @@ Storing SID S-1-5-21-3504140859-1010554828-2431957765 \ for Domain MEGANET2 in secrets.tdb When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take - any special action to join it to the Domain. However, winbind communicates with the - Domain Controller that is running on the localhost and must be able to authenticate, - thus requiring that the BDC should be joined to the Domain. The process of joining - the Domain creates the necessary authentication accounts. + any special action to join it to the domain. However, winbind communicates with the + domain controller that is running on the localhost and must be able to authenticate, + thus requiring that the BDC should be joined to the domain. The process of joining + the domain creates the necessary authentication accounts. - To join the Samba BDC to the Domain execute the following: + To join the Samba BDC to the domain, execute the following: &rootprompt; net rpc join -U root%not24get Joined domain MEGANET2. - This indicates that the Domain security account for the BDC has been correctly created. + This indicates that the domain security account for the BDC has been correctly created. 
@@ -3211,7 +3115,7 @@ Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps - The above results show that all things are in order. + These results show that all things are in order. @@ -3275,7 +3179,7 @@ smb: \> q - Configuration of BDC Called: <constant>BLDG2</constant> + Configuration of BDC Called <constant>BLDG2</constant> Install the files in , @@ -3450,7 +3354,7 @@ structuralObjectClass: organizationalUnit My father would say, Dinner is not over until the dishes have been done. The makings of a great network environment take a lot of effort and attention to detail. - So far you have completed most of the complex (and to many administrators, the interesting + So far, you have completed most of the complex (and to many administrators, the interesting part of server configuration) steps, but remember to tie it all together. Here are a few more steps that must be completed so that your network runs like a well-rehearsed orchestra. @@ -3460,8 +3364,7 @@ structuralObjectClass: organizationalUnit Configuring Directory Share Point Roots - In your &smb.conf; file, you have specified Windows shares. Each has a - path + In your &smb.conf; file, you have specified Windows shares. Each has a path parameter. Even though it is obvious to all, one of the common Samba networking problems is caused by forgetting to verify that every such share root directory actually exists and that it has the necessary permissions and ownership. 
@@ -3490,13 +3393,13 @@ structuralObjectClass: organizationalUnit You made a conscious decision to do everything it would take to improve network client performance. One of your decisions was to implement folder redirection. This means that Windows - user desktop profiles are now made up of two components &smbmdash; a dynamically loaded part and a set of file + user desktop profiles are now made up of two components: a dynamically loaded part and a set of file network folders. For this arrangement to work, every user needs a directory structure for the network folder - portion of their profile as shown here: + portion of his or her profile as shown here: &rootprompt; mkdir -p /var/lib/samba/profdata &rootprompt; chown root.root /var/lib/samba/profdata @@ -3515,11 +3418,9 @@ structuralObjectClass: organizationalUnit - - roaming profile - - mandatory profile - + + roaming profile + mandatory profile You have three options insofar as the dynamically loaded portion of the roaming profile is concerned: @@ -3531,21 +3432,17 @@ structuralObjectClass: organizationalUnit - Mandatory profiles cannot be overwritten by a user. The change from - a user profile to a mandatory profile is effected by renaming the - NTUSER.DAT to - NTUSER.MAN, i.e., just by changing the filename - extension. - - - - SRVTOOLS.EXE - - Domain User Manager - - The location of the profile that a user can obtain is set in the users' account in the LDAP passdb backend. + Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory + profile is effected by renaming the NTUSER.DAT to NTUSER.MAN, + that is, just by changing the filename extension. + + + + SRVTOOLS.EXE + Domain User Manager + The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend. You can manage this using the Idealx smbldap-tools or using the - Windows NT4 Domain User Manager. + Windows NT4 Domain User Manager. 
@@ -3564,9 +3461,8 @@ structuralObjectClass: organizationalUnit Preparation of Logon Scripts - - logon script - + + logon script The use of a logon script with Windows XP Professional is an option that every site should consider. Unless you have locked down the desktop so the user cannot change anything, there is risk that a vital network drive setting may be broken or that printer connections may be lost. Logon scripts @@ -3577,15 +3473,13 @@ structuralObjectClass: organizationalUnit - If you decide to use network logon scripts, by reference to the &smb.conf; files for the Domain - Controllers, you see that the path to the share point for the - NETLOGON + If you decide to use network logon scripts, by reference to the &smb.conf; files for the domain + controllers, you see that the path to the share point for the NETLOGON share defined is /var/lib/samba/netlogon. The path defined for the logon script inside that share is scripts\logon.bat. This means that as a Windows - NT/200x/XP client logs onto the network, it tries to obtain the file - logon.bat + NT/200x/XP client logs onto the network, it tries to obtain the file logon.bat from the fully qualified path /var/lib/samba/netlogon/scripts. This fully - qualified path should, therefore, exist where you install the logon.bat. + qualified path should therefore exist whether you install the logon.bat. @@ -3598,7 +3492,7 @@ structuralObjectClass: organizationalUnit You should research the options for logon script implementation by referring to TOSHARG, Chapter 21, Section 21.4. A quick Web search will bring up a host of options. One of the most popular logon - facilities in use today is called KiXtart. + facilities in use today is called KiXtart. 
@@ -3614,9 +3508,8 @@ structuralObjectClass: organizationalUnit - By default, even Samba 3.0.11 does not grant any rights even to the Domain Admins - group. Here we will grant this group all privileges. The assignment of user rights and privileges - requires that the parameter enable privileges = Yes must be set in the &smb.conf; file. + By default, even Samba-3.0.11 does not grant any rights even to the Domain Admins + group. Here we grant this group all privileges. @@ -3626,10 +3519,9 @@ structuralObjectClass: organizationalUnit - Setting up User Privileges - Log onto the primary domain controller (PDC) as the root account. + Log onto the PDC as the root account. @@ -3642,8 +3534,8 @@ structuralObjectClass: organizationalUnit SeDiskOperatorPrivilege SeRemoteShutdownPrivilege Successfully granted rights. - Repeat this step on each domain controller in each case substituting the name of the server - (e.g.: BLDG1, BLDG2) in place of the PDC called MASSIVE. + Repeat this step on each domain controller, in each case substituting the name of the server + (e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE. @@ -3658,7 +3550,7 @@ Successfully granted rights. - Verify that the assignment of privileges have been correctly applied by executing: + Verify that privilege assignments have been correctly applied by executing: net rpc rights list accounts -Uroot%not24get MEGANET2\bobj 
@@ -3709,15 +3601,14 @@ SeDiskOperatorPrivilege machine. You will configure all software, printer settings, profile and policy handling, and desktop default profile settings on this system. When it is complete, you copy the contents of the C:\Documents and Settings\Default User directory to a directory with the same - name in the NETLOGON share on the Domain Controllers. + name in the NETLOGON share on the domain controllers. Much can be learned from the Microsoft Support site regarding how best to set up shared profiles. - One knowledge-base article in particular stands out. See: - How to Create a - Base Profile for All Users. + One knowledge-base article in particular stands out: + "How to Create a + Base Profile for All Users." @@ -3727,9 +3618,8 @@ SeDiskOperatorPrivilege folder redirection Log onto the Windows XP Professional workstation as the local Administrator. - It is necessary to expose folders that are generally hidden to provide - access to the Default User - folder. + It is necessary to expose folders that are generally hidden to provide access to the + Default User folder. @@ -3745,19 +3635,19 @@ SeDiskOperatorPrivilege View Tab . Select Show hidden files and folders, - and click OK. Exit Windows Explorer. + and click OK. Exit Windows Explorer. - - regedt32 - + + regedt32 Launch the Registry Editor. Click Start Run . Key in regedt32, and click - OK. + OK. + @@ -3766,21 +3656,19 @@ SeDiskOperatorPrivilege Redirect Folders in Default System User Profile - - HKEY_LOCAL_MACHINE - - Default User - + + HKEY_LOCAL_MACHINE + Default User Give focus to HKEY_LOCAL_MACHINE hive entry in the left panel. Click File Load Hive... - [Panel] Documents and Settings - [Panel] Default User + Documents and Settings + Default User NTUSER Open - . In the dialog box that opens, enter the - key name Default and click OK. + . In the dialog box that opens, enter the key name + Default and click OK. 
@@ -3789,30 +3677,26 @@ SeDiskOperatorPrivilege HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ CurrentVersion\Explorer\User Shell Folders\ - The contents of the right panel reveals the contents as - shown in . + The right panel reveals the contents as shown in . - - %USERPROFILE% - - %LOGONSERVER% - + + %USERPROFILE% + %LOGONSERVER% You edit hive keys. Acceptable values to replace the %USERPROFILE% variable includes: - A drive letter such as: U: - A direct network path such as: - \\MASSIVE\profdata - A network redirection (UNC name) that contains a macro such as: + A drive letter such as U: + A direct network path such as + \\MASSIVE\profdata + A network redirection (UNC name) that contains a macro such as %LOGONSERVER%\profdata\ - - registry keys - + + registry keys Set the registry keys as shown in . Your implementation makes the assumption that users have statically located machines. Notebook computers (mobile users) need to be accommodated using local profiles. This is not an uncommon assumption. @@ -3824,9 +3708,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ Yes. - - Registry Editor - + + Registry Editor Click FileExit. This exits the Registry Editor. 
@@ -3838,20 +3721,18 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ You are now ready to copy - There is an alternate method by which a Default User profile can be added to the + There is an alternate method by which a default user profile can be added to the NETLOGON share. This facility in the Windows System tool permits profiles to be exported. The export target may be a particular user or - group profile share point, or else into the NETLOGON share. - In this case, the profile directory must be named - Default User. + group profile share point or else the NETLOGON share. + In this case, the profile directory must be named Default User. - the Default User profile to the Samba Domain Controllers. Launch Microsoft - Windows Explorer, and use it to copy the full contents of the - directory Default User - that is in the C:\Documents and Settings to the root directory of the + the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer, + and use it to copy the full contents of the directory Default User that + is in the C:\Documents and Settings to the root directory of the NETLOGON share. If the NETLOGON share has the defined - UNIX path of /var/lib/samba/netlogon, when the copy is complete there must be - a directory in there called Default User. + UNIX path of /var/lib/samba/netlogon, when the copy is complete there must + be a directory in there called Default User. @@ -3868,8 +3749,7 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ Folder Options View Tab . - Deselect Show hidden files and folders, - and click OK. + Deselect Show hidden files and folders, and click OK. Exit Windows Explorer.
@@ -3933,10 +3813,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ Configuration of MS Outlook to Relocate PST File - - Outlook - PST - + + OutlookPST Microsoft Outlook can store a Personal Storage file, generally known as a PST file. It is the nature of email storage that this file grows, at times quite rapidly. So that users' email is available to them at every workstation they may log onto, @@ -3969,18 +3847,16 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ Configure Delete Cached Profiles on Logout - To configure the Windows XP Professional client to auto-delete roaming profiles on logout: + Configure the Windows XP Professional client to auto-delete roaming profiles on logout: - - MMC - - Click + + MMC + Click Start Run - . In the dialog box, enter: MMC - and click OK. + . In the dialog box, enter MMC and click OK. @@ -3998,10 +3874,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ . - - Microsoft Management Console - MMC - + + Microsoft Management ConsoleMMC The Microsoft Management Console now shows the Group Policy utility that enables you to set the policies needed. In the left panel, click @@ -4014,8 +3888,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ - Do not check for user ownership of Roaming Profile Folders = Enabled - Delete cached copies of roaming profiles = Enabled + Do not check for user ownership of Roaming Profile Folders = Enabled + Delete cached copies of roaming profiles = Enabled 
@@ -4039,16 +3913,15 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ - Uploading Printer Drivers Join your Windows XP Professional workstation (the staging machine) to the - MEGANET2 Domain. If you are not sure of the procedure, - follow the guidance given in . + MEGANET2 domain. If you are not sure of the procedure, + follow the guidance given in Appendix A, . - After the machine has re-booted, log onto the workstation as the domain + After the machine has rebooted, log onto the workstation as the domain root (this is the Administrator account for the operating system that is the host platform for this implementation of Samba. @@ -4078,18 +3951,15 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ The printer properties panel for the ps01-color printer on the server MASSIVE is displayed. Click the Advanced tab. Note that the box labeled Driver is empty. Click the New Driver - button that is next to the Driver box. This launches the quoteAdd Printer Wizard. + button that is next to the Driver box. This launches the Add Printer Wizard.
- - Add Printer Wizard - APW - - APW - + + Add Printer WizardAPW + APW The Add Printer Driver Wizard on MASSIVE panel is now presented. Click Next to continue. From the left panel, select the - Printer Manufacturer. In your case, you are adding a driver for a printer manufactured by + printer manufacturer. In your case, you are adding a driver for a printer manufactured by Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click Next, and then Finish to commence driver upload. A progress bar appears and instructs you as each file is being uploaded and that it is being @@ -4105,10 +3975,10 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ AD printer publishing The driver upload completes in anywhere from a few seconds to a few minutes. When it completes, you are returned to the Advanced tab in the Properties panel. - You can set the Location (under the General tab), and Security settings (under + You can set the Location (under the General tab) and Security settings (under the Security tab). Under the Sharing tab it is possible to - load additional printer drivers, there is also a check-box in this tab called List in the - directory. When this box is checked the printer will be published in Active Directory + load additional printer drivers; there is also a check-box in this tab called List in the + directory. When this box is checked, the printer will be published in Active Directory (Applicable to Active Directory use only.) 
@@ -4119,14 +3989,14 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ Right-click on the printer, click Properties Device Settings . Now change the settings to suit your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if - you need to reverse them changes back to their original settings. + you need to reverse the changes back to their original settings. This is necessary so that the printer settings are initialized in the Samba printers database. Click Apply to commit your settings. Revert any settings you changed just to initialize the Samba printers database entry for this printer. If you need to revert a setting, - Click Apply again. + click Apply again. @@ -4139,10 +4009,11 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ - You must repeat this process for all network printers (i.e., for every printer, on each server). + You must repeat this process for all network printers (i.e., for every printer on each server). When you have finished uploading drivers to all printers, close all applications. The next task is to install software your users require to do their work. +
@@ -4159,7 +4030,7 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ For desktop systems, the installation of software onto administratively centralized application servers make a lot of sense. This means that you can manage software maintenance from a central - perspective and that only minimal application stub-ware needs to be installed onto the desktop + perspective and that only minimal application stubware needs to be installed onto the desktop systems. You should proceed with software installation and default configuration as far as is humanly possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect of software operations and configuration. @@ -4167,7 +4038,7 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ When you believe that the overall configuration is complete, be sure to create a shared group profile - and migrate that to the Samba server for later re-use when creating custom mandatory profiles, just in + and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in case a user may have specific needs you had not anticipated. @@ -4181,12 +4052,12 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
- Un-join the domain &smbmdash; Each workstation requires a unique name and must be independently - joined into Domain Membership. + Unjoin the domain &smbmdash; Each workstation requires a unique name and must be independently + joined into domain membership.
- De-fragment the hard disk &smbmdash; While not obvious to the uninitiated, de-fragmentation results + Defragment the hard disk &smbmdash; While not obvious to the uninitiated, defragmentation results in better performance and often significantly reduces the size of the compressed disk image. That also means it will take less time to deploy the image onto 500 workstations.
@@ -4199,7 +4070,7 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ Key Points Learned - This chapter has introduced many new concepts. Is it a sad fact that the example presented deliberately + This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately avoided any consideration of security. Security does not just happen; you must design it into your total network. Security begins with a systems design and implementation that anticipates hostile behavior from users both inside and outside the organization. Hostile and malicious intruders do not respect barriers; @@ -4208,20 +4079,17 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ of compromise. - - Access Control Lists - ACLs - - ACLs - - As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs) and it must be + + Access Control ListsACLs + ACLs + As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be configured to use secure protocols for all communications over the network. Of course, secure networking does not result just from systems design and implementation but involves constant user education - training, and above all disciplined attention to detail and constant searching for signs of unfriendly + training and, above all, disciplined attention to detail and constant searching for signs of unfriendly or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources. - Jerry Carter's book LDAP System - Administration is a good place to start reading about OpenLDAP as well as security considerations. + Jerry Carter's book + LDAP System Administration is a good place to start reading about OpenLDAP + as well as security considerations. 
@@ -4230,18 +4098,18 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ - Implementation of an OpenLDAP-based passwd backend &smbmdash; necessary to support distributed - Domain Control. + Implementation of an OpenLDAP-based passwd backend, necessary to support distributed + domain control. - Implementation of Samba Primary and Secondary Domain Controllers with a common LDAP backend + Implementation of Samba primary and secondary domain controllers with a common LDAP backend for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and pam_ldap tool-sets. - Use of the Idealx smbldap-tools scripts for UNIX (Posix) account management as well as + Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as to manage Samba Windows user and group accounts. @@ -4283,8 +4151,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ Let's get this right. This is a book about Samba, not about OpenLDAP and secure - communication protocols for subjects other than Samba. Earlier on, you note - that the Dynamic DNS and DHCP solutions also used no protective secure communications + communication protocols for subjects other than Samba. Earlier on, you note, + that the dynamic DNS and DHCP solutions also used no protective secure communications protocols. The reason for this is simple: There are so many ways of implementing secure protocols that this book would have been even larger and more complex. 
@@ -4321,7 +4189,7 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications for a standard Linux distribution. The differences are marginal. Surely you know - your Linux platform and you do have access to administration manuals for it. This + your Linux platform, and you do have access to administration manuals for it. This book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on the Samba part of the book; all the other bits are peripheral (but important) to creation of a total network solution. @@ -4333,9 +4201,9 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ I have paid particular attention to the details of creating a whole solution framework. I have not tightened every nut and bolt, but I have touched on all the issues you need to be familiar with. Over the years many people have approached me wanting to - know the details of exactly how to implement a DHCP and Dynamic DNS server with Samba + know the details of exactly how to implement a DHCP and dynamic DNS server with Samba and WINS. In this chapter, it is plain to see what needs to be configured to provide - transparent interoperability. Likewise for CUPS and Samba inter-operation. These are + transparent interoperability. Likewise for CUPS and Samba interoperation. These are key stumbling areas for many people. @@ -4410,7 +4278,7 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ I took this up with Idealx and found them most willing to change that in the next version. Let's give Idealx some credit for the contribution they have made. I appreciate their work - and, besides, it does no harm to create accounts that are not now used as at some time + and, besides, it does no harm to create accounts that are not now used &smbmdash; at some time Samba may well use them. 
@@ -4428,11 +4296,11 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ - Yes, you can do that for user accounts only. Samba requires there to be a Posix (UNIX) - group account for every Windows Domain group account. But if you put your users into + Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX) + group account for every Windows domain group account. But if you put your users into the system password account, how do you plan to keep all domain controller system password files in sync? I think that having everything in LDAP makes a lot of sense - for the UNIX admin who is still learning the craft and is migrating from MS Windows. + for the UNIX administrator who is still learning the craft and is migrating from MS Windows. @@ -4442,7 +4310,7 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ - Why are the Windows Domain RID portions not the same as the UNIX UID? + Why are the Windows domain RID portions not the same as the UNIX UID? @@ -4474,8 +4342,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ No. You can use any type of printer and must use the interfacing protocol supported by the printer. Many networks use LPR/LPD print servers to which are attached - PCL printers, InkJet printers, plotters, and so on. At home I use a USB attached - Inkjet printer. Use the appropriate device URI (Universal Resource Interface) + PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached + inkjet printer. Use the appropriate device URI (Universal Resource Interface) argument to the lpadmin -v option that is right for your printer. diff --git a/docs/Samba-Guide/SBE-SecureOfficeServer.xml b/docs/Samba-Guide/SBE-SecureOfficeServer.xml index e21776fbe98..3e7bc344691 100644 --- a/docs/Samba-Guide/SBE-SecureOfficeServer.xml +++ b/docs/Samba-Guide/SBE-SecureOfficeServer.xml 
@@ -5,19 +5,19 @@ Congratulations, your Samba networking skills are developing nicely. You started out - with three simple networks in Chapter 2, and then in Chapter 3 you designed and built a + with three simple networks in Chapter 1, and then in Chapter 2 you designed and built a network that provides a high degree of flexibility, integrity, and dependability. It was enough for the basic needs each was designed to fulfill. In this chapter you - address a more complex set of needs. The solution you explore is designed - to introduce you to basic features that are specific to Samba-3. + address a more complex set of needs. The solution you explore + introduces you to basic features that are specific to Samba-3. You should note that a working and secure solution could be implemented using Samba-2.2.x. - In the exercises presented here, you are gradually using more Samba-3 specific features + In the exercises presented here, you are gradually using more Samba-3-specific features, so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given. To avoid confusion, this book is all about Samba-3. Let's get the exercises in this - chapter under way. + chapter underway. 
@@ -26,23 +26,23 @@ You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work well done. It is one year since the last network upgrade. You have been quite busy. - Two months ago Mr. Meany gave approval to hire Christine Roberson who has taken over - general network management. Soon she will provide primary user support. You have demonstrated - you can delegate responsibility, and plan and execute + Two months ago Mr. Meany gave approval to hire Christine Roberson, who has taken over + general network management. Soon she will provide primary user support. You have + demonstrated that you can delegate responsibility and can plan and execute according to that plan. Above all, you have shown Mr. Meany that you are a responsible person. Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never - expected. You are Mr. Bob Jordan and will take charge of business operations. Mr. Meany + expected: You are going to take charge of business operations. Mr. Meany is retiring and has entrusted the business to your capable hands. - Mr. Meany may be retiring from this company, but not from work. He is taking the opportunity to develop - Abmas Inc. into a larger and more substantial company. He says that it took him many - years to wake up to the fact that there is no future in just running a business. He - now realizes there is great personal reward and satisfaction in creation of career - opportunities for people in the local community. He wants to do more for others as he is - doing for you, Bob Jordan. Today he spent a lot of time talking about the grand plan. - He has plans for growth that you will deal with in the chapters ahead. + Mr. Meany may be retiring from this company, but not from work. He is taking the + opportunity to develop Abmas Accounting into a larger and more substantial company. + He says that it took him many years to learn that there is no future in just running + a business. 
He now realizes there is great personal satisfaction in the creation of + career opportunities for people in the local community. He wants to do more for others, + as he is doing for you. Today he spent a lot of time talking about his grand plan + for growth, which you will deal with in the chapters ahead. 
@@ -55,41 +55,35 @@ (although she manages well). She gains job satisfaction when left to sort things out. Occasionally she wants to work with you on a challenging problem. When you told her about your move, she almost resigned, although she was reassured that a new manager would - be hired to run Information Technology and she would be responsible only for operations. + be hired to run Information Technology, and she would be responsible only for operations. Assignment Tasks - You promised the staff Internet services including web browsing, electronic mail, virus - protection, and a company Web site. Christine is keen to help turn the vision into + You promised the staff Internet services including Web browsing, electronic mail, virus + protection, and a company Web site. Christine is eager to help turn the vision into reality. Let's see how close you can get to the promises made. - The network you are about to deliver will service 130 users today. Within 12 months, - Abmas will aquire another company. Mr. Meany claims that within two years there will be + The network you are about to deliver will service 130 users today. Within a year, + Abmas will aquire another company. Mr. Meany claims that within 2 years there will be well over 500 users on the network. You have bought into the big picture, so prepare - for growth. - - - - You have purchased a new server, will implement a new network infrastructure, and - reward all staff with a new computer. Notebook computers will not be replaced at this time. + for growth. You have purchased a new server and will implement a new network infrastructure. You have decided to not recycle old network components. The only items that will be carried forward are notebook computers. You offered staff new notebooks, but not one person wanted the disruption for what was perceived as a marginal update. - You have made the decision to give everyone a new desktop computer, even to those - who have a notebook computer. 
+ You decided to give everyone, even the notebook user, a new desktop computer. - You have procured a DSL Internet connection that provides 1.5 Megabit/sec (bidirectional) - and a 10 MBit/sec ethernet port. You have registered the domain + You procured a DSL Internet connection that provides 1.5 Mb/sec (bidirectional) + and a 10 Mb/sec ethernet port. You registered the domain abmas.us, and the Internet Service Provider (ISP) is supplying secondary DNS. Information furnished by your ISP is shown in . @@ -97,12 +91,12 @@ It is of paramount priority that under no circumstances will Samba offer service access from an Internet connection. You are paying an ISP to - give, as part of their value-added services, full firewall protection for your + give, as part of its value-added services, full firewall protection for your connection to the outside world. The only services allowed in from the Internet side are the following destination ports: http/https (ports 80 and 443), email (port 25), DNS (port 53). All Internet traffic will be allowed out after network address translation (NAT). No internal IP addresses - are permitted through the NAT filter as complete privacy of internal network + are permitted through the NAT filter because complete privacy of internal network operations must be assured. 
@@ -156,13 +150,13 @@ - Christine has recommended that desktop systems should be installed from a single cloned + Christine recommended that desktop systems should be installed from a single cloned master system that has a minimum of locally installed software and loads all software off a central application server. The benefit of having the central application server - is that it allows single point maintenance of all business applications, something - Christine is keen to pursue. She further recommended installation of anti-virus - software on workstations as well as on the Samba server. Christine is paranoid of - potential virus infection and insists on a comprehensive approach to detective + is that it allows single-point maintenance of all business applications, a more + efficient way to manage software. She further recommended installation of antivirus + software on workstations as well as on the Samba server. Christine knows the dangers + of potential virus infection and insists on a comprehensive approach to detective as well as corrective action to protect network operations. @@ -170,7 +164,7 @@ A significant concern is the problem of managing company growth. Recently, a number of users had to share a PC while waiting for new machines to arrive. This presented some problems with desktop computers and software installation into the new users' - desktop profile. + desktop profiles.
@@ -183,7 +177,7 @@ Many of the conclusions you draw here are obvious. Some requirements are not very clear or may simply be your means of drawing the most out of Samba-3. Much can be done more simply than you will demonstrate here, but keep in mind that the network must scale to at least 500 - users. This means that some functionality will be over-designed for the current 130 user + users. This means that some functionality will be overdesigned for the current 130-user environment. @@ -191,12 +185,12 @@ Technical Issues - In this exercise we are using a 24-bit subnet mask for the two local networks. This, + In this exercise we use a 24-bit subnet mask for the two local networks. This, of course, limits our network to a maximum of 253 usable IP addresses. The network - address range chosen is one of the ranges assigned by RFC1918 for private networks. + address range chosen is one assigned by RFC1918 for private networks. When the number of users on the network begins to approach the limit of usable - addresses, it would be a good idea to switch to a network address specified in RFC1918 - in the 172.16.0.0/16 range. This is done in the following chapters. + addresses, it is a good idea to switch to a network address specified in RFC1918 + in the 172.16.0.0/16 range. This is done in subsequent chapters. 
@@ -205,13 +199,13 @@ The high growth rates projected are a good reason to use the tdbsam passdb backend. The use of smbpasswd for the backend may result in performance problems. The tdbsam passdb backend offers features that - are not available with the older flat ASCII-based smbpasswd database. + are not available with the older, flat ASCII-based smbpasswd database. risk The proposed network design uses a single server to act as an Internet services host for - electronic mail, Web serving, remote administrative access vis SSH, as well as for + electronic mail, Web serving, remote administrative access via SSH, Samba-based file and print services. This design is often chosen by sites that feel they cannot afford or justify the cost or overhead of having separate servers. It must be realized that if security of this type of server should ever be violated (compromised), @@ -221,7 +215,7 @@ - Samba will be configured to specifically not operate on the ethernet interface that is + Samba will be configured to specifically not operate on the Ethernet interface that is directly connected to the Internet. 
@@ -234,27 +228,27 @@ You know that your ISP is providing full firewall services, but you cannot rely on that. Always assume that human error will occur, so be prepared by using Linux firewall facilities - based on iptables to effect Network Address Translation (NAT). Block all + based on iptables to effect NAT. Block all incoming traffic except to permitted well-known ports. You must also allow incoming packets - to established outgoing connections. You will permit all internal outgoing requests. + to establish outgoing connections. You will permit all internal outgoing requests. The configuration of Web serving, Web proxy services, electronic mail, and the details of - generic anti-virus handling are beyond the scope of this book and therefore are not - covered, except insofar as this affects Samba-3. + generic antivirus handling are beyond the scope of this book and therefore are not + covered except insofar as this affects Samba-3. login Notebook computers are configured to use a network login when in the office and a - local account to login while away from the office. Users store all work done in + local account to log in while away from the office. Users store all work done in transit (away from the office) by using a local share for work files. Standard procedures - will dictate that on completion of the work that necessitates mobile file access, all + dictate that on completion of the work that necessitates mobile file access, all work files are moved back to secure storage on the office server. Staff is instructed to not carry on any company notebook computer any files that are not absolutely required. - This is a preventative measure to protect client information as well as business private + This is a preventative measure to protect client information as well as private business records. 
@@ -277,29 +271,28 @@ DNS - The DNS server implementation must now address both internal needs as well as external - needs. You forward DNS lookups to your ISP provided server as well as the + The DNS server implementation must now address both internal and external + needs. You forward DNS lookups to your ISP-provided server as well as the abmas.us external secondary DNS server. dynamic DNS - DDNSdynamic - DNS - DHCP server - - Compared with the DHCP server configuration in , the configuration used - in this example has to deal with the presence of an Internet connection. The scope set for it - ensures that no DHCP services will be offered on the external connection. All printers are - configured as DHCP clients, so that the DHCP server assigns the printer a fixed IP - address by way of the ethernet interface (MAC) address. One additional feature of this DHCP - server configuration file is the inclusion of parameters to allow dynamic DNS (DDNS) operation. + DDNSdynamic DNS + DHCP server + Compared with the DHCP server configuration in Chapter 2, , the + configuration used in this example has to deal with the presence of an Internet connection. + The scope set for it ensures that no DHCP services will be offered on the external + connection. All printers are configured as DHCP clients so that the DHCP server assigns + the printer a fixed IP address by way of the Ethernet interface (MAC) address. One additional + feature of this DHCP server configuration file is the inclusion of parameters to allow dynamic + DNS (DDNS) operation. This is the first implementation that depends on a correctly functioning DNS server. Comprehensive steps are included to provide for a fully functioning DNS server that also - is enabled for dynamic DNS operation. This means that DHCP clients can be auto-registered + is enabled for DDNS operation. This means that DHCP clients can be autoregistered with the DNS server. 
@@ -311,9 +304,9 @@ As in the previous network configuration, printing in this network configuration uses - direct raw printing (i.e., no smart printing and no print driver auto-download to Windows + direct raw printing (i.e., no smart printing and no print driver autodownload to Windows clients). Printer drivers are installed on the Windows client manually. This is not - a problem given that Christine is to install and configure one single workstation and + a problem because Christine is to install and configure one single workstation and then clone that configuration, using Norton Ghost, to all workstations. Each machine is identical, so this should pose no problem. @@ -321,11 +314,10 @@ Hardware Requirements - - memory requirements - + + memory requirements This server runs a considerable number of services. From similarly configured Linux - installations the approximate calculated memory requirements will be as that shown in + installations, the approximate calculated memory requirements are as shown in . 
@@ -347,43 +339,40 @@ Basic OS 256.0 256 256 -------------- -------------- - You would choose to add a safety margin of at least 50% to these estimates. The minimum - system memory recommended for initial startup would be 1 GByte, but to permit the system - to scale to 500 users, it would make sense to provision the machine with 4 GBytes memory. - An initial configuration with only 1 GByte memory would lead to early performance complaints - as the system load builds up. Given the low cost of memory, it would not make sense to + You should add a safety margin of at least 50% to these estimates. The minimum + system memory recommended for initial startup 1 GB, but to permit the system + to scale to 500 users, it makes sense to provision the machine with 4 GB memory. + An initial configuration with only 1 GB memory would lead to early performance complaints + as the system load builds up. Given the low cost of memory, it does not make sense to compromise in this area. - - bandwidth calculations - - Aggregate Input/Output loads should be considered for sizing network configuration as + + bandwidth calculations + Aggregate input/output loads should be considered for sizing network configuration as well as disk subsystems. For network bandwidth calculations, one would typically use an - estimate of 0.1 MBytes/sec per user. This would suggest that 100-Base-T (approx. 10 MBytes/sec) - would deliver below acceptable capacity for the initial user load. It is, therefore, a good - idea to begin with 1 Gigabit ethernet cards for the two internal networks, each attached - to a 1 Gigabit Ethernet switch that provides connectivity to an expandable array of 100-Base-T + estimate of 0.1 MB/sec per user. This suggests that 100-Base-T (approx. 10 MB/sec) + would deliver below acceptable capacity for the initial user load. 
It is therefore a good + idea to begin with 1 Gb Ethernet cards for the two internal networks, each attached + to a 1 Gb Ethernet switch that provides connectivity to an expandable array of 100-Base-T switched ports. - - network segments - - RAID - - Considering the choice of 1 Gigabit ethernet interfaces for the two local network segments, - the aggregate network I/O capacity will be 2100 MBit/sec (about 230 MBytes/sec), an I/O + + network segments + RAID + Considering the choice of 1 Gb Ethernet interfaces for the two local network segments, + the aggregate network I/O capacity will be 2100 Mb/sec (about 230 MB/sec), an I/O demand that would require a fast disk storage I/O capability. Peak disk throughput is - limited by the disk sub-system chosen. It would be desirable to provide the maximum - I/O bandwidth that can be afforded. If a low-cost solution must be chosen, the use of - 3Ware IDE RAID Controllers makes a good choice. These controllers can be fitted into a - 64 bit, 66 MHz PCI-X slot. They appear to the operating system as a high speed SCSI - controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MByte/sec). + limited by the disk subsystem chosen. It is desirable to provide the maximum + I/O bandwidth affordable. If a low-cost solution must be chosen, + 3Ware IDE RAID Controllers are a good choice. These controllers can be fitted into a + 64-bit, 66 MHz PCI-X slot. They appear to the operating system as a high-speed SCSI + controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MB/sec). Alternative SCSI-based hardware RAID controllers should also be considered. Alternately, - it would make sense to purchase well-known branded hardware that has appropriate performance - specifications. As a minimum, one should attempt to provide a disk sub-system that can - deliver I/O rates of at least 100 MBytes/sec. 
+ it makes sense to purchase well-known, branded hardware that has appropriate performance + specifications. As a minimum, one should attempt to provide a disk subsystem that can + deliver I/O rates of at least 100 MB/sec. @@ -408,11 +397,9 @@ Given 500 Users and 2 years: Recommended Storage: 908 GBytes - - storage capacity - + storage capacity The preferred storage capacity should be approximately 1 Terabyte. Use of RAID level 5 - with two hot spare drives would require an 8 drive by 200 GByte capacity per drive array. + with two hot spare drives would require an 8-drive by 200 GB capacity per drive array. @@ -435,13 +422,12 @@ Given 500 Users and 2 years: gives you greater control over software licensing. - - Outlook Express - + + Outlook Express You are well aware that the current configuration results in some performance issues as the size of the desktop profile grows. Given that users use Microsoft Outlook Express, you know that the storage implications of the .PST file - is something that needs to be addressed later on. + is something that needs to be addressed later. 
@@ -477,106 +463,84 @@ Given 500 Users and 2 years: The Domain name is set to PROMISES. - - broadcast messages - - interfaces - - bind interfaces only - + + broadcast messages + interfaces + bind interfaces only Ethernet interface eth0 is attached to the Internet connection and is externally exposed. This interface is explicitly not available for Samba to use. - Samba listens on this interface for broadcast messages, but does not broadcast any + Samba listens on this interface for broadcast messages but does not broadcast any information on eth0, nor does it accept any connections from it. This is achieved by way of the interfaces parameter and the bind interfaces only entry. - - passdb backend - - tdbsam - - binary database - + + passdb backend + tdbsam + binary database The passdb backend parameter specifies the creation and use of the tdbsam password backend. This is a binary database that has excellent scalability for a large number of user account entries. - - WINS serving - - wins support - - name resolve order - + + WINS serving + wins support + name resolve order WINS serving is enabled by the Yes, and name resolution is set to use it by means of the wins bcast hosts entry. - - time server - + + time server The Samba server is configured for use by Windows clients as a time server. - - CUPS - - printing - - printcap name - + + CUPS + printing + printcap name Samba is configured to directly interface with CUPS via the direct internal interface that is provided by CUPS libraries. This is achieved with the CUPS as well as the CUPS entries. - - user management - - group management - - SRVTOOLS.EXE - + + user management + group management + SRVTOOLS.EXE External interface scripts are provided to enable Samba to interface smoothly to essential operating system functions for user and group management. 
This is important - to enable workstations to join the Domain, and is also important so that you can use - the Windows NT4 Domain User Manager, as well as the Domain Server Manager. These tools + to enable workstations to join the Domain and is also important so that you can use + the Windows NT4 Domain User Manager as well as the Domain Server Manager. These tools are provided as part of the SRVTOOLS.EXE toolkit that can be downloaded from the Microsoft FTP - site. + site. - - User Mode - + + User Mode The &smb.conf; file specifies that the Samba server will operate in (default) security = user modeSee TOSHARG, Chapter 3. This is necessary so that Samba can act as a Domain Controller (PDC); see - TOSHARG, Chapter 4 for additional information. + TOSHARG, Chapter 4, for additional information. (User Mode). - - logon services - - logon script - + + logon services + logon script Domain logon services as well as a Domain logon script are specified. The logon script will be used to add robustness to the overall network configuration. - - roaming profiles - - logon path - - profile share - + + roaming profiles + logon path + profile share Roaming profiles are enabled through the specification of the parameter, \\%L\profiles\%U. The value of this parameter translates the %L to the name by which the Samba server is called by the client (for this 
@@ -587,19 +551,16 @@ Given 500 Users and 2 years: requirement is when a profile is created for group use. - - virus - - opportunistic locking - + + virus + opportunistic locking Precautionary veto is effected for particular Windows file names that have been targeted by virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking - controls. This should help to prevent lock contention related file access problems. + controls. This should help to prevent lock contention-related file access problems. - - IPC$ - + + IPC$ Explicit controls are effected to restrict access to the IPC$ share to local networks only. The IPC$ share plays an important role in network browsing and in establishment of network connections. @@ -657,18 +618,16 @@ Given 500 Users and 2 years: Basic System Configuration - - SUSE Enterprise Linux Server - + + SUSE Enterprise Linux Server The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been freshly installed. It prepares basic files so that the system is ready for comprehensive operation in line with the network diagram shown in . - - hostname - + + hostname Using the UNIX/Linux system tools, name the server server.abmas.us. Verify that your hostname is correctly set by running: @@ -683,9 +642,8 @@ server.abmas.us - /etc/hosts - localhost - + /etc/hosts + localhost Edit your /etc/hosts file to include the primary names and addresses of all network interfaces that are on the host server. This is necessary so that during startup the system can resolve all its own names to the IP address prior to 
@@ -706,40 +664,33 @@ server.abmas.us 192.168.2.20 qmsf.abmas.biz qmsf 192.168.2.30 hplj6f.abmas.biz hplj6f - - named - - cupsd - - daemon - + named + cupsd + daemon The printer entries are not necessary if named is started prior to - startup of cupsd, the CUPS daemon. + startup of cupsd, the CUPS daemon. /etc/rc.d/boot.local - IP forwarding - /proc/sys/net/ipv4/ip_forward - + IP forwarding + /proc/sys/net/ipv4/ip_forward The host server is acting as a router between the two internal network segments as well - as for all Internet access. This necessitates that IP forwarding must be enabled. This can be + as for all Internet access. This necessitates that IP forwarding be enabled. This can be achieved by adding to the /etc/rc.d/boot.local an entry as follows: echo 1 > /proc/sys/net/ipv4/ip_forward To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute that command manually also. This setting permits the Linux system to - act as a router.ED NOTE: You may want to do the echo command last and include - "0" in the init scripts since it opens up your network for a short time. + act as a router.You may want to do the echo command last and include + "0" in the init scripts, since it opens up your network for a short time. - - firewall - - abmas-netfw.sh - - Installation of a basic firewall and network address translation facility is necessary. + + firewall + abmas-netfw.sh + Installation of a basic firewall and NAT facility is necessary. The following script can be installed in the /usr/local/sbin directory. It is executed from the /etc/rc.d/boot.local startup script. In your case, this script is called abmas-netfw.sh. The 
@@ -824,9 +775,8 @@ echo -e "\nNAT firewall done.\n" - - /etc/hosts - + + /etc/hosts The server is now ready for Samba configuration. During the validation step, you remove the entry for the Samba server diamond from the /etc/hosts file. This is done after you are satisfied that DNS-based name resolution is functioning correctly. @@ -839,7 +789,7 @@ echo -e "\nNAT firewall done.\n" When you have completed this section, the Samba server is ready for testing and validation; - however, testing and validation have to wait until DHCP, DNS, and Printing (CUPS) services have + however, testing and validation have to wait until DHCP, DNS, and printing (CUPS) services have been configured. @@ -862,7 +812,7 @@ echo -e "\nNAT firewall done.\n" file. The final, fully qualified path for this file should be /etc/samba/smb.conf. -130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; [global] Section +130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; [globals] Section Global parameters PROMISES @@ -1008,20 +958,11 @@ root = Administrator - initGrps.sh - net - groupmap - add - - net - groupmap - modify - - net - groupmap - list - - Create and map Windows Domain Groups to UNIX groups. A sample script is provided in + initGrps.sh + netgroupmapadd + netgroupmapmodify + netgroupmaplist + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in Chapter 2, . Create a file containing this script. We called ours /etc/samba/initGrps.sh. Set this file so it can be executed, and then execute the script. Sample output should be as follows: 
@@ -1083,22 +1024,22 @@ Users (S-1-5-32-545) -> -1 - - useradd - adduser - passwd - smbpasswd - /etc/passwd - passwordbackend - usermanagement + + useradd + adduser + passwd + smbpasswd + /etc/passwd + passwordbackend + usermanagement There is one preparatory step without which you will not have a working Samba network environment. You must add an account for each network user. For each user who needs to be given a Windows Domain account, make an entry in the - /etc/passwd file, as well as in the Samba password backend. + /etc/passwd file as well as in the Samba password backend. Use the system tool of your choice to create the UNIX system account, and use the Samba smbpasswd to create a Domain user account. - There are a number of tools for user management under UNIX. Commonly known ones include: - useradd, adduser. In addition to these, there are a plethora of custom + There are a number of tools for user management under UNIX, such as + useradd, and adduser, as well as a plethora of custom tools. You also want to create a home directory for each user. You can do this by executing the following steps for each user: 
@@ -1116,22 +1057,17 @@ Added user username. You do of course use a valid user login ID in place of username. - - file system - access control - - file system - permissions - - group membership - + + file systemaccess control + file systempermissions + group membership Using the preferred tool for your UNIX system, add each user to the UNIX groups created previously as necessary. File system access control will be based on UNIX group membership. - Create the directory mount point for the disk sub-system that can be mounted to provide - data storage for company files. In this case the mount point indicated in the &smb.conf; + Create the directory mount point for the disk subsystem that can be mounted to provide + data storage for company files. In this case the mount point is indicated in the &smb.conf; file is /data. Format the file system as required, and mount the formatted file system partition using appropriate system tools. @@ -1159,9 +1095,9 @@ Added user username. The &smb.conf; file specifies an infrastructure to support roaming profiles and network logon services. You can now create the file system infrastructure to provide the - locations on disk that these services require. Adequate planning is essential + locations on disk that these services require. Adequate planning is essential, since desktop profiles can grow to be quite large. For planning purposes, a minimum of - 200 Megabytes of storage should be allowed per user for profile storage. The following + 200 MB of storage should be allowed per user for profile storage. The following commands create the directory infrastructure needed: &rootprompt; mkdir -p /var/spool/samba 
@@ -1179,13 +1115,10 @@ Added user username. - - logon scrip - - unix2dos - - dos2unix - + + logon scrip + unix2dos + dos2unix Create a logon script. It is important that each line is correctly terminated with a carriage return and line-feed combination (i.e., DOS encoding). The following procedure works if the right tools (unix2dos and dos2unix) are installed. @@ -1281,7 +1214,7 @@ subnet 123.45.67.64 netmask 255.255.255.252 { - Create the files shown in their directories as follows: + Create the files shown in their directories as follows: (John, on this page, the numbered entry comes after the table it's referencing!!!!!) DNS (named) Resource Files @@ -1584,12 +1517,12 @@ hosts: files dns wins - Configure each printer to be a DHCP client carefully following the manufacturer's guidelines. + Configure each printer to be a DHCP client, carefully following the manufacturer's guidelines. - Follow the instructions in the printer manufacturers' manuals to permit printing to port 9100. - Use any other port the manufacturer specifies for direct mode, raw printing and adjust the + Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100. + Use any other port the manufacturer specifies for direct-mode raw printing, and adjust the port as necessary in the following example commands. This allows the CUPS spooler to print using raw mode protocols. CUPS 
@@ -1608,14 +1541,14 @@ hosts: files dns wins &rootprompt; lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E print filter - This has created the necessary print queues with no assigned print filter. + This creates the necessary print queues with no assigned print filter. enable Print queues may not be enabled at creation. Use lpc stat to check - the status of the print queues and if necessary make certain that the queues you have + the status of the print queues and, if necessary, make certain that the queues you have just created are enabled by executing the following: &rootprompt; /usr/bin/enable qmsa @@ -1679,21 +1612,17 @@ application/octet-stream is rebooted. This step involves use of the chkconfig tool that creates the appropriate symbolic links from the master daemon control file that is located in the /etc/rc.d directory, to the /etc/rc'x'.d - directories. Links are created so that when the system run-level is changed, the + directories. Links are created so that when the system run level is changed, the necessary start or kill script is run. - /etc/xinetd.d - inetd - - xinetd - - chkconfig - - super daemon - - In the event that a service is not run as a daemon, but via the inter-networking + /etc/xinetd.d + inetd + xinetd + chkconfig + super daemon + In the event that a service is not run as a daemon, but via the internetworking super daemon (inetd or xinetd), then the chkconfig tool makes the necessary entries in the /etc/xinetd.d directory and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to @@ -1707,7 +1636,7 @@ application/octet-stream Use the standard system tool to configure each service to restart - automatically at every system reboot. For example: + automatically at every system reboot. For example, chkconfig &rootprompt; chkconfig dhpc on 
@@ -1738,9 +1667,8 @@ application/octet-stream Validation - - validation - + + validation Complex networking problems are most often caused by simple things that are poorly or incorrectly configured. The validation process adopted here should be followed carefully; it is the result of the experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should @@ -1757,7 +1685,7 @@ application/octet-stream /etc/nsswitch.conf One of the most important facets of Samba configuration is to ensure that - name resolution functions correctly. You can test name resolution + name resolution functions correctly. You can check name resolution with a few simple tests. The most basic name resolution is provided from the /etc/hosts file. To test its operation, make a temporary edit to the /etc/nsswitch.conf file. Using @@ -1833,7 +1761,7 @@ sleeth1.abmas.biz has address 192.168.1.1 /etc/nsswitch.conf WINS is a great way to resolve NetBIOS names to their IP address. You can test - the operation of WINS by starting nmbd (manually, or by way + the operation of WINS by starting nmbd (manually or by way of the Samba startup method shown in ). You must edit the /etc/nsswitch.conf file so that the hosts entry is as follows: @@ -1859,7 +1787,7 @@ hosts: files dns wins - It would give peace of mind to know that the DHCP server is running + It would give you peace of mind to know that the DHCP server is running and available for service. You can validate DHCP services by running: @@ -2001,8 +1929,8 @@ $rootprompt; ps ax | grep winbind This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent of browsing the server from a Windows client to obtain a list of shares on the server. - The -U% argument means "send a NULL username and - a NULL password." + The -U% argument means to send a NULL username and + a NULL password. 
@@ -2014,7 +1942,7 @@ $rootprompt; ps ax | grep winbind has been received, execute arp -a to find the MAC address of the printer that has responded. Now you can compare the IP address and the MAC address of the printer with the configuration information in the /etc/dhcpd.conf file. They - should, of course, match. For example: + should, of course, match. For example, &rootprompt; ping hplj6 PING hplj6a (192.168.1.30) 56(84) bytes of data. @@ -2054,13 +1982,13 @@ smb: \> q nmap - Your new server is connected to an Internet accessible connection. Before you start + Your new server is connected to an Internet-accessible connection. Before you start your firewall, you should run a port scanner against your system. You should repeat that - after the firewall has been started. This helps you understand what extent the + after the firewall has been started. This helps you understand to what extent the server may be vulnerable to external attack. One way you can do this is by using an - external service provided such as the DSL Reports + external service, such as the DSL Reports tools. Alternately, if you can gain root-level access to a remote - UNIX/Linux system that has the nmap tool, you can run this as follows: + UNIX/Linux system that has the nmap tool, you can run the following: &rootprompt; nmap -v -sT server.abmas.us @@ -2136,11 +2064,9 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds Application Share Configuration - - application server - - administrative installation - + + application server + administrative installation The use of an application server is a key mechanism by which desktop administration overheads can be reduced. Check the application manual for your software to identify how best to create an administrative installation. 
@@ -2174,12 +2100,11 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds - - - + + A common application deployed in this environment is an office suite. Enterprise editions of Microsoft Office XP Professional can be administratively installed - by launching the installation from a command shell. The command that achieves this is: + by launching the installation from a command shell. The command that achieves this is setup /a. It results in a set of prompts through which various installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource Kit for more information regarding this mode of installation of MS Office XP Professional. @@ -2192,15 +2117,13 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds share, the product can be installed onto a workstation by executing the normal setup program. The installation process now provides a choice to either perform a minimum installation or a full local installation. A full local installation takes over 100 MB of disk space. - A network workstation (minimum) installation requires typically 10-15 MB of - local disk space. In the later case, when the applications are used, they load over the network. + A network workstation (minimum) installation requires typically 10 MB to 15 MB of + local disk space. In the latter case, when the applications are used, they load over the network. - - Service Packs - - Microsoft Office - + + Service Packs + Microsoft Office Microsoft Office Service Packs can be unpacked to update an administrative share. This makes it possible to update MS Office XP Professional for all users from a single installation of the service pack and generally circumvents the need to run updates on each network 
@@ -2212,10 +2135,9 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds editing or by way of configuration options inside each Office XP Professional application. - - OpenOffice - - OpenOffice.Org OpenOffice Version 1.1.0 is capable of being installed locally. It can also + + OpenOffice + OpenOffice.Org OpenOffice Version 1.1.0 can be installed locally. It can also be installed to run off a network share. The latter is a most desirable solution for office-bound network users and for administrative staff alike. It permits quick and easy updates to be rolled out to all users with a minimum of disruption and with maximum flexibility. @@ -2224,7 +2146,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds The process for installation of administrative shared OpenOffice involves download of the distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area. - When fully extracted using the un-zipping tool of your choosing, change into the Windows + When fully extracted using the unzipping tool of your choosing, change into the Windows installation files directory then execute setup -net. You are prompted on screen for the target installation location. This is the administrative share point. The full administrative OpenOffice share takes approximately 150 MB of disk 
@@ -2237,14 +2159,14 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds Many single-user products can be installed into an administrative share, but personal versions of products such as Microsoft Office XP Professional do not permit this. Many people do not like terms of use typical with commercial products, so a few comments - regarding software licensing seem important and thus are included below. + regarding software licensing seem important. Please do not use an administrative installation of proprietary and commercially licensed software products to violate the copyright holders' property. All software is licensed, particularly software that is licensed for use free of charge. All software is the property - of the copyright holder, unless the author and/or copyright holder has explicitly disavowed + of the copyright holder unless the author and/or copyright holder has explicitly disavowed ownership and has placed the software into the public domain. @@ -2252,7 +2174,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds Software that is under the GNU General Public License, like proprietary software, is licensed in a way that restricts use. For example, if you modify GPL software and then distribute the binary version of your modifications, you must offer to provide the source - code as well. This is a form of restriction that is designed to maintain the momentum + code as well. This restriction is designed to maintain the momentum of the diffusion of technology and to protect against the withholding of innovations. @@ -2264,9 +2186,8 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds please do not use the software. - - GPL - + + GPL Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided with the source code. 
@@ -2298,11 +2219,11 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds Join the Windows Domain PROMISES. Use the Domain Administrator - user name root and the SMB password you assigned to this account. + username root and the SMB password you assigned to this account. A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to - a Windows Domain is given in . - Reboot the machine as prompted and then logon using the Domain Administrator account - (root. + a Windows Domain is given in Appendix A, . + Reboot the machine as prompted and then log on using the Domain Administrator account + (root). @@ -2322,20 +2243,20 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds - Now install all applications to be installed locally. Typical tools includes: Adobe Acrobat, - NTP-based time synchronization software, drivers for specific local devices such as finger-print + Now install all applications to be installed locally. Typical tools include Adobe Acrobat, + NTP-based time synchronization software, drivers for specific local devices such as fingerprint scanners, and the like. Probably the most significant application for local installation - is anti-virus software. + is antivirus software. Now install all four printers onto the staging system. The printers you install - include the Accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will + include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will also configure identical printers that are located in the financial services department. Install printers on each machine using the following steps: - + Click Start 
@@ -2348,14 +2269,14 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds - Click Next. In the panel labeled - Manufacturer:, select HP. + Click Next. In the + Manufacturer: panel, select HP. In the Printers: panel, select the printer called HP LaserJet 6. Click Next. - In the panel labeled Available ports:, select + In the Available ports: panel, select FILE:. Accept the default printer name by clicking Next. When asked, Would you like to print a test page?, click No. Click @@ -2373,7 +2294,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds - In the panel labeled Network, enter the name of + In the Network panel, enter the name of the print queue on the Samba server as follows: \\DIAMOND\hplj6a. Click OK 
@@ -2386,44 +2307,40 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds as well as for both QMS Magicolor laser printers. - + - - defragmentation - - When you are satisfied that the staging systems are complete, use the appropriate procedure to - remove the client from the domain. Reboot the system and then log on as the local administrator - and clean out all temporary files stored on the system. Before shutting down, use the disk - defragmentation tool so that the file system is in an optimal condition before replication. - + + defragmentation + When you are satisfied that the staging systems are complete, use the appropriate procedure to + remove the client from the domain. Reboot the system and then log on as the local administrator + and clean out all temporary files stored on the system. Before shutting down, use the disk + defragmentation tool so that the file system is in optimal condition before replication. + - - Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the - machine to a network share on the server. - + + Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the + machine to a network share on the server. + - - Windows security identifier - SID - - SID - - You may now replicate the image to the target machines using the appropriate Norton Ghost - procedure. Make sure to use the procedure that ensures each machine has a unique - Windows security identifier (SID). When the installation of the disk image has completed, boot the PC. - + + Windows security identifierSID + SID + You may now replicate the image to the target machines using the appropriate Norton Ghost + procedure. Make sure to use the procedure that ensures each machine has a unique + Windows security identifier (SID). When the installation of the disk image has completed, boot the PC. 
+ - - Log onto the machine as the local Administrator (the only option), and join the machine to - the Domain following the procedure set out in . The system is now - ready for the user to logon, providing you have created a network logon account for that - user, of course. - + + Log onto the machine as the local Administrator (the only option), and join the machine to + the Domain, following the procedure set out in Appendix A, . The system is now + ready for the user to log on, provided you have created a network logon account for that + user, of course. + - - Instruct all users to log onto the workstation using their assigned user name and password. - - + + Instruct all users to log onto the workstation using their assigned username and password. + + @@ -2431,8 +2348,8 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds Key Points Learned - How do you feel, Bob? You have built a capable network, a truly ambitious project. - Just as well, you have Christine to help you. Future network updates can be handled by + How do you feel? You have built a capable network, a truly ambitious project. + Future network updates can be handled by your staff. You must be a satisfied manager. Let's review the achievements. @@ -2463,7 +2380,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds - You introduced an application server, as well as the concept of cloning a Windows + You introduced an application server as well as the concept of cloning a Windows client in order to effect improved standardization of desktops and to reduce the costs of network management. 
@@ -2484,37 +2401,43 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds - What is the maximum number of account entries that the tdbsam passdb backend can handle? + What is the maximum number of account entries that the tdbsam + passdb backend can handle? - The tdb data structure and support system can handle more entries than the number of accounts - that are possible on most UNIX systems. There is a practical limit that would come into play - long before a performance boundary would be anticipated. That practical limit is controlled - by the nature of Windows networking. There are few Windows file and print servers - that can handle more than a few hundred concurrent client connections. The key limiting factors - that predicate off-loading of services to additional servers are memory capacity, the number - of CPUs, network bandwidth, and disk I/O limitations. All of these are readily exhausted by - just a few hundred concurrent active users. Such bottlenecks can best be removed by segmentation - of the network (distributing network load across multiple networks). + The tdb data structure and support system can handle more entries than the number of + accounts that are possible on most UNIX systems. A practical limit would come into + play long before a performance boundary would be anticipated. That practical limit + is controlled by the nature of Windows networking. There are few Windows file and + print servers that can handle more than a few hundred concurrent client connections. + The key limiting factors that predicate offloading of services to additional servers + are memory capacity, the number of CPUs, network bandwidth, and disk I/O limitations. + All of these are readily exhausted by just a few hundred concurrent active users. + Such bottlenecks can best be removed by segmentation of the network (distributing + network load across multiple networks). 
+ - As the network grows, it becomes necessary to provide additional authentication servers (domain - controllers). The tdbsam is limited to a single machine and cannot be reliably replicated. - This means that practical limits on network design dictate the point at which a distributed - passdb backend is required; at this time, there is no real alternative other than ldapsam (LDAP). + As the network grows, it becomes necessary to provide additional authentication + servers (domain controllers). The tdbsam is limited to a single machine and cannot + be reliably replicated. This means that practical limits on network design dictate + the point at which a distributed passdb backend is required; at this time, there is + no real alternative other than ldapsam (LDAP). - The guideline provided in TOSHARG, Chapter 10, Section 10.1.2, is to limit the number of accounts - in the tdbsam backend to 250. This is the point at which most networks tend to want backup domain - controllers (BDCs). Samba-3 does not provide a mechanism for replicating tdbsam data so it can be used - by a BDC. The limitation of 250 users per tdbsam is predicated only on the need for replication - not on the limitsBench tests have shown that tdbsam is a very effective database technology. - There is surprisingly little performance loss even with over 4000 users. of the tdbsam backend itself. + The guideline provided in TOSHARG, Chapter 10, Section 10.1.2, + is to limit the number of accounts in the tdbsam backend to 250. This is the point + at which most networks tend to want backup domain controllers (BDCs). Samba-3 does + not provide a mechanism for replicating tdbsam data so it can be used by a BDC. The + limitation of 250 users per tdbsam is predicated only on the need for replication, + not on the limitsBench tests have shown that tdbsam is a very + effective database technology. There is surprisingly little performance loss even + with over 4000 users. of the tdbsam backend itself. 
@@ -2524,7 +2447,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds - Would Samba operate any better if the OS Level is set to a value higher than 35? + Would Samba operate any better if the OS level is set to a value higher than 35? @@ -2612,7 +2535,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds A printer is a physical device that is connected either directly to the network or to a computer via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a - hard copy printout. Network attached printers that use TCP/IP-based printing generally accept a + hard copy printout. Network-attached printers that use TCP/IP-based printing generally accept a single print data stream and block all secondary attempts to dispatch jobs concurrently to the same device. If many clients were to concurrently print directly via TCP/IP to the same printer, it would result in a huge amount of network traffic through continually failing connection attempts. @@ -2620,8 +2543,8 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or - print requests. When the data stream has been fully received the input stream is closed, - the job is then submitted to a sequential print queue where the job is stored until + print requests. When the data stream has been fully received, the input stream is closed, + and the job is then submitted to a sequential print queue where the job is stored until the printer is ready to receive the job. 
@@ -2639,7 +2562,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds - Much older Windows software is not compatible with installation to and execution off + Much older Windows software is not compatible with installation to and execution from an application server. Enterprise versions of Microsoft Office XP Professional can be installed to an application server. Retail consumer versions of Microsoft Office XP Professional do not permit installation to an application server share and can be installed @@ -2661,7 +2584,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds When DDNS records are updated directly from the DHCP server, it is possible for - network clients that are not NetBIOS enabled, and thus cannot use WINS, to locate + network clients that are not NetBIOS-enabled, and thus cannot use WINS, to locate Windows clients via DNS. @@ -2680,12 +2603,12 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is - a name like myhost.mydomain.tld, where tld - means top level domain. A FQDN is a long hand but easy to remember + a name like myhost.mydomain.tld where tld + means top-level domain. A FQDN is a longhand but easy-to-remember expression that may be up to 1024 characters in length and that represents an IP address. A NetBIOS name is always 16 characters long. The 16th character is a name type indicator. A specific name type is registered - See TOSHARG, Chapter 9 for more information. for each + See TOSHARG, Chapter 9, for more information. for each type of service that is provided by the Windows server or client and that may be registered where a WINS server is in use. 
@@ -2706,7 +2629,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds Windows 200x Active Directory requires the registration in the DNS zone for the domain it - controls of service locatorSee TOSHARG, Chapter 9, Section 9.3.3 records + controls of service locatorSee TOSHARG, Chapter 9, Section 9.3.3. records that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also requires the registration of special records that are called global catalog (GC) entries and site entries by which domain controllers and other essential ADS servers may be located. diff --git a/docs/Samba-Guide/SBE-TheSmallOffice.xml b/docs/Samba-Guide/SBE-TheSmallOffice.xml index 15e6c2deb7e..6ada0031591 100644 --- a/docs/Samba-Guide/SBE-TheSmallOffice.xml +++ b/docs/Samba-Guide/SBE-TheSmallOffice.xml 
@@ -4,41 +4,41 @@ Small Office Networking - So far, this book has focused on the basics of simple yet effective + Chapter 1 focused on the basics of simple yet effective network solutions. Network administrators who take pride in their work (that's most of us, right?) take care to deliver what our users want, - but not too much more. If we make things too complex, we confound our users and - increase costs of network ownership. A professional network manager + but not too much more. If we make things too complex, we confound our users + and increase costs of network ownership. A professional network manager avoids the temptation to put too much pizazz into the way that the network - operates. Some creativity is helpful, but do keep it under control. + operates. Some creativity is helpful, but keep it under control &smbmdash; + good advice that the following two scenarios illustrate. Netware - Five years ago there were two companies from which a lesson can be learned. - In one case the network administrator spent three months building a new - network to replace an old Netware server. What he delivered had all the - bells and whistles he could muster. There were a few teething problems - during the change-over, nothing serious but a little disruptive all the - same. Users were exposed to many changes at once. The network - administrator was asked to resign two months after implementing the - new system. This was necessary because so many staff had complained - they had lost time and were not happy with the new network. - Everything was automated and he delivered more features than any advanced - user could think of. He was just too smart for his own good. + In one case the network administrator of a mid-sized company spent three + months building a new network to replace an old Netware server. What he + delivered had all the bells and whistles he could muster. 
There were a + few teething problems during the changeover, nothing serious but a little + disruptive all the same. Users were exposed to many changes at once. The + network administrator was asked to resign two months after implementing + the new system because so many staff complained they had lost time and + were not happy with the new network. Everything was automated, and he + delivered more features than any advanced user could think of. He was + just too smart for his own good. In the case of the other company, a new network manager was appointed to oversee the replacement of a LanTastic network with an MS Windows NT 4.0 network. He had the replacement installed and operational within - two weeks. Before installation and change-over, he called a meeting to - explain to all users what was going to happen, how it would affect them + two weeks. Before installation and changeover, he called a meeting to + explain to all users what was going to happen, how it would affect them, and that he would be available 24 hours a day to help them transition. One week after conversion, he held another meeting asking for cooperation in the introduction of a few new features that would help to make life - easier. Network users were thrilled with what he was doing to help - them. The network he implemented was nowhere near as complex as the first example, had fewer + easier. Network users were thrilled with the help he provided. The network + he implemented was nowhere near as complex as in the first example, had fewer features, and yet he had happy users. Months later he was still adding new innovations. He always asked the users if a particular feature was what they wanted. He asked his boss for a raise 
@@ -51,7 +51,7 @@ Introduction - Abmas Accounting Inc. has grown. Mr. Meany likes you and says he knew you + Abmas Accounting has grown. Mr. Meany likes you and says he knew you were the right person for the job. That's why he asked you to install the new server. The past few months have been hard work. You advised Mr. Meany that it is time for a change. Abmas now has 52 users, having acquired an @@ -60,9 +60,9 @@ - Some of the Windows clients are getting to be past their use-by date. - You have found damaged and unusable software on some of the workstations - that came with the acquired business and found some machines that are + Some of the Windows clients are nearly past their use-by date. + You found damaged and unusable software on some of the workstations + that came with the acquired business and found some machines in need of both hardware and software maintenance. @@ -71,12 +71,12 @@ Windows XP - Mr. Meany has decided to retire in 12 months. He wants you to help him - make the business run better. Many of the new staff want notebook computers. - They visit customer business premises with the need to use local network + Mr. Meany is retiring in 12 months. Before he goes, he wants you to help ensure + that the business is running efficiently. Many of the new staff want notebook + computers. They visit customer business premises and need to use local network facilities; these users are technically competent. The company uses a - business application that requires Windows XP Professional. In short, a - complete client upgrade is about to happen. Mr. Meany told you that he is working + business application that requires Windows XP Professional. In short, a complete + client upgrade is about to happen. Mr. Meany told you that he is working on another business acquisition and that by the time he retires there will be 80 to 100 users. 
@@ -92,16 +92,16 @@ - In a few months, Abmas will require an Internet connection for email - and so staff easily obtain software updates. Mr. Meany is warming up to the - installation of anti-virus software, but is not yet ready to approve + In a few months, Abmas will require an Internet connection for email and so + that staff can easily obtain software updates. Mr. Meany is warming up to + the installation of antivirus software but is not yet ready to approve this expense. He told you to spend the money a virus scanner costs on better quality notebook computers for mobile users. - One of Mr. Meany's golfing partners sold him on the idea to buy new laser - printers. One black only, the other a color laser printer. Staff support + One of Mr. Meany's golfing partners convinced him to buy new laser + printers, one black only, the other a color laser printer. Staff support the need for a color printer so they can present more attractive proposals and reports. @@ -120,12 +120,12 @@ What are the key requirements in this business example? A quick review indicates - a need for: + a need for - Scalability &smbmdash; from 52 to over 100 users in 12 months + Scalability, from 52 to over 100 users in 12 months @@ -160,7 +160,7 @@ Domain It is time to implement a domain security environment. You will use the smbpasswd (default) backend. You should implement a DHCP server. There is no need to - run DNS at this time, but the system will use WINS. The Domain name will be + run DNS at this time, but the system will use WINS. The domain name will be BILLMORE. This time, the name of the server will be SLEETH. 
@@ -174,8 +174,8 @@ The &smb.conf; file you are creating in this exercise can be used with equal effectiveness with Samba-2.2.x series releases. This is deliberate so that in the next chapter it is possible to start with the installation that you have created here, migrate it - to a Samba-3 configuration and then secure the system further. Configurations following - this one will utilize features that may not be supported in Samba-2.2.x releases. + to a Samba-3 configuration, and then secure the system further. Configurations following + this one utilize features that may not be supported in Samba-2.2.x releases. However, you should note that the examples in each chapter start with the assumption that a fresh new installation is being effected. @@ -198,7 +198,7 @@ You will provide separate file storage areas for each business entity. The old system will go away, accounting files will be handled under a single directory, and files will be stored under customer name, not under a personal work area. Staff will be made - responsible for file location, so maintain the old share point. + responsible for file location, so the old share point must be maintained. 
@@ -209,27 +209,29 @@ Domaingroups UNIXgroups - It is necessary to map Windows Domain Groups to UNIX groups as a minimum. It is + It is necessary to map Windows Domain Groups to UNIX groups. It is advisable to also map Windows Local Groups to UNIX groups. Additionally, the two - key staff groups in the firm are Accounting Staff and Financial Services Staff. + key staff groups in the firm are accounting staff and financial services staff. For these, it is necessary to create UNIX groups as well as Windows Domain Groups. - In the sample &smb.conf; file, you have configured Samba to call the UNIX groupadd - to add group entries. This utility does not permit the addition of group names that - contain upper-case characters or spaces. This is considered a bug. The groupadd - is part of the shadow-utils Open Source Software package. - A later release of this package may have been patched to resolve this bug. - If your operating platform has this bug, it means that attempts to add a Windows Domain - Group that has either a space or upper-case characters in it will fail. See TOSHARG, Section 11.3.1, - Example 11.1, for more information. + In the sample &smb.conf; file, you have configured Samba to call the UNIX + groupadd to add group entries. This utility does not permit + the addition of group names that contain uppercase characters or spaces. This + is considered a bug. The groupadd is part of the + shadow-utils open source software package. A later release + of this package may have been patched to resolve this bug. If your operating + platform has this bug, it means that attempts to add a Windows Domain Group that + has either a space or uppercase characters in it will fail. See + TOSHARG, Chapter 11, Section 11.3.1, Example 11.1, for + more information. CUPS - Vendor-supplied printer drivers will be installed on each client. The CUPS print spooler - on the UNIX host will be operated in raw mode. + Vendor-supplied printer drivers will be installed on each client. 
The CUPS print + spooler on the UNIX host will be operated in raw mode. @@ -245,7 +247,7 @@ Go ahead, buy better notebooks. Wouldn't it be neat if they happened to be - supplied with anti-virus software? Above all, demonstrate good purchase value and remember + supplied with antivirus software? Above all, demonstrate good purchase value and remember to make your users happy. @@ -256,23 +258,21 @@ Implementation - - migration - + + migration In this example, the assumption is made that this server is being configured from a clean start. The alternate approach could be to demonstrate the migration of the system that is documented in to meet the new requirements. The decision to treat this case, as with future examples, as a new installation is based on the premise that you can determine - the migration steps from the information provided in the separate chapter on this subject. + the migration steps from the information provided in Chapter ?????????. Additionally, a fresh installation makes the example easier to follow. - - group membership - + + group membership Each user will be given a home directory on the UNIX system, which will be available as a private - share. Two additional shares will be created, one for the Accounting Department and the other for - the Financial Services Department. Network users will be given access to these shares by way + share. Two additional shares will be created, one for the accounting department and the other for + the financial services department. Network users will be given access to these shares by way of group membership. @@ -289,13 +289,11 @@ - Abmas Accounting &smbmdash; 52 User Network Topology + Abmas Accounting &smbmdash; 52-User Network Topology acct2net - Implementation Procedure - Using UNIX/Linux system tools, name the server sleeth. 
@@ -303,7 +301,7 @@ /etc/hosts Place an entry for the machine sleeth in the /etc/hosts. - The printers are network attached, so it is desirable that there should be entries for the + The printers are network attached, so there should be entries for the network printers also. An example /etc/hosts file is shown here: 192.168.1.1 sleeth sleeth1 @@ -322,18 +320,14 @@ Install the ISC DHCP server using the UNIX/Linux system tools available to you. - - /etc/rc.d/rc.local - - IP forwarding - - router - - /proc/sys/net/ipv4/ip_forward - - Given that Samba will be operating over two network interfaces and clients on each side + + /etc/rc.d/rc.local + IP forwarding + router + /proc/sys/net/ipv4/ip_forward + Because Samba will be operating over two network interfaces and clients on each side may want to be able to reach clients on the other side, it is imperative that IP forwarding - shall be enabled. Use the system tool of your choice to enable IP forwarding. In the + is enabled. Use the system tool of your choice to enable IP forwarding. In the absence of such a tool on the Linux system, add to the /etc/rc.d/rc.local file an entry as follows: @@ -348,9 +342,8 @@ echo 1 > /proc/sys/net/ipv4/ip_forward /etc/samba/smb.conf file. - - smbpasswd - + + smbpasswd Add the user root to the Samba password backend: &rootprompt; smbpasswd -a root @@ -361,8 +354,8 @@ Retype new SMB password: XXXXXXX administrator This is the Windows Domain Administrator password. Never delete this account from the password backend after Windows Domain Groups have been initialized. If you delete - this account, your system is crippled. You cannot restore this account - and your Samba server is no longer capable of being administered. + this account, your system is crippled. You cannot restore this account, + and your Samba server can no longer be administered. 
@@ -462,7 +455,7 @@ Users (S-1-5-32-545) -> -1 smbpasswd For each user who needs to be given a Windows Domain account, make an entry in the /etc/passwd file as well as in the Samba password backend. - Use the system tool of your choice to create the UNIX system accounts and use the Samba + Use the system tool of your choice to create the UNIX system accounts, and use the Samba smbpasswd program to create the Domain user accounts. @@ -470,19 +463,19 @@ Users (S-1-5-32-545) -> -1 useradd adduser usermanagement - There are a number of tools for user management under UNIX. Commonly known ones include: - useradd, adduser. In addition to these, there are a plethora of custom + There are a number of tools for user management under UNIX, such as + useradd and adduser, as well as a plethora of custom tools. With the tool of your choice, create a home directory for each user. Using the preferred tool for your UNIX system, add each user to the UNIX groups created - previously as necessary. File system access control will be based on UNIX group membership. + previously, as necessary. File system access control will be based on UNIX group membership. - Create the directory mount point for the disk sub-system that is mounted to provide - data storage for company files. In this case the mount point indicated in the &smb.conf; + Create the directory mount point for the disk subsystem that is mounted to provide + data storage for company files. In this case the mount point is indicated in the &smb.conf; file is /data. Format the file system as required, mount the formatted file system partition using mount, and make the appropriate changes in /etc/fstab. @@ -511,9 +504,8 @@ Users (S-1-5-32-545) -> -1 - CUPSqueue - lpadmin - + CUPSqueue + lpadmin Configure the CUPS Print Queues as follows: &rootprompt; lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E 
@@ -542,9 +534,8 @@ application/octet-stream - - DHCP Server - + + DHCP Server Using your favorite system editor, create an /etc/dhcpd.conf with the contents as shown in . @@ -600,16 +591,15 @@ subnet 127.0.0.0 netmask 255.0.0.0 { Use the standard system tool to start Samba and CUPS and configure them to start - automatically at every system reboot. For example: + automatically at every system reboot. For example, chkconfig starting dhcpd starting samba - starting CUPS - chkconfig - + starting CUPS + chkconfig &rootprompt; chkconfig dhcp on &rootprompt; chkconfig smb on @@ -623,12 +613,11 @@ subnet 127.0.0.0 netmask 255.0.0.0 { name service switch NSSsame service switch - DNS - DNS server - + DNS + DNS server WINS /etc/nsswitch.conf - Configure the name service switch (NSS) to handle WINS based name resolution. + Configure the name service switch (NSS) to handle WINS-based name resolution. Since this system does not use a DNS server, it is safe to remove this option from the NSS configuration. Edit the /etc/nsswitch.conf file so that the hosts: entry looks like this: @@ -640,7 +629,7 @@ hosts: files wins -Accounting Office Network &smb.conf; File &smbmdash; [global] Section +Accounting Office Network &smb.conf; File &smbmdash; [globals] Section Global parameters BILLMORE @@ -711,11 +700,9 @@ hosts: files wins - Validation Steps - - testparm - + + testparm If your &smb.conf; file has bogus options or parameters, this may cause Samba to refuse to start. The first step should always be to validate the contents of this file by running: 
@@ -761,18 +748,14 @@ Loaded services file OK. Unknown parameter encountered: "dogbert" Ignoring unknown parameter "dogbert" - Clear away all errors before proceeding and start or restart samba as necessary. + Clear away all errors before proceeding, and start or restart samba as necessary. - check samba - daemons - nmbd - - smbd - - winbindd - + check samba daemons + nmbd + smbd + winbindd Check that the Samba server is running: &rootprompt; ps ax | grep mbd @@ -784,8 +767,8 @@ $rootprompt; ps ax | grep winbind 14293 ? S 0:00 /usr/sbin/winbindd -B 14295 ? S 0:00 /usr/sbin/winbindd -B - The winbindd daemon is running in split mode (normal) so there are also - two instances of it. For more information regarding winbindd, see TOSHARG, + The winbindd daemon is running in split mode (normal), so there are also + two instances of it. For more information regarding winbindd, see TOSHARG, Chapter 22, Section 22.3. The single instance of smbd is normal. 
@@ -816,22 +799,20 @@ $rootprompt; ps ax | grep winbind This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent of browsing the server from a Windows client to obtain a list of shares on the server. - The -U% argument means, send a "NULL username and - a NULL password." + The -U% argument means to send a NULL username and + a NULL password. dhcp client validation - printer - validation - /etc/dhcpd.conf - + printer validation + /etc/dhcpd.conf Verify that the printers have the IP addresses assigned in the DHCP server configuration file. The easiest way to do this is to ping the printer name. Immediately after the ping response has been received, execute arp -a to find the MAC address of the printer that has responded. Now you can compare the IP address and the MAC address of the printer with the configuration information in the /etc/dhcpd.conf file. They - should, of course, match. For example: + should, of course, match. For example, &rootprompt; ping hplj4 PING hplj4 (192.168.1.11) 56(84) bytes of data. @@ -841,7 +822,7 @@ PING hplj4 (192.168.1.11) 56(84) bytes of data. hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0 The MAC address 08:00:46:7A:35:E4 matches that specified for the - IP address from which the printer has responded and with the entry for it in the + IP address from which the printer has responded and the entry for it in the /etc/dhcpd.conf file. @@ -883,10 +864,10 @@ smb: \> q Join the Windows Domain called BILLMORE. Use the Domain Administrator - user name root and the SMB password you assigned to this account. + username root and the SMB password you assigned to this account. A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to - a Windows Domain is given in . - Reboot the machine as prompted and then logon using a Domain User account. + a Windows Domain is given in Appendix A, . + Reboot the machine as prompted and then log on using a Domain User account. 
@@ -898,7 +879,7 @@ smb: \> q - Instruct all users to log onto the workstation using their assigned user name and password. + Instruct all users to log onto the workstation using their assigned username and password. @@ -906,8 +887,6 @@ smb: \> q - Printer Installation - Click Start @@ -920,14 +899,14 @@ smb: \> q - Click Next. In the panel labeled - Manufacturer:, select HP. + Click Next. In the + Manufacturer: panel, select HP. In the Printers: panel, select the printer called HP LaserJet 4. Click Next. - In the panel labeled Available ports:, select + In the Available ports: panel, select FILE:. Accept the default printer name by clicking Next. When asked, Would you like to print a test page?, click No. Click @@ -945,7 +924,7 @@ smb: \> q - In the panel labeled Network, enter the name of + In the Network panel, enter the name of the print queue on the Samba server as follows: \\SERVER\hplj4. Click OK @@ -971,10 +950,10 @@ smb: \> q - By creating a local machine account that has the same user name and password as you create for that + By creating a local machine account that has the same username and password as you create for that user in the Windows Domain environment, the user can log onto the machine locally and still transparently access network resources as if logged onto the domain itself. There are some trade-offs - that mean that as the network is more tightly secured it becomes necessary to modify Windows client + that mean that as the network is more tightly secured, it becomes necessary to modify Windows client configuration somewhat. 
@@ -984,16 +963,16 @@ smb: \> q Key Points Learned - In this network design and implementation exercise, you have created a Windows NT4 style Domain - Controller using Samba-3.0.20. As a result of following these guidelines meant that you experienced - and implemented several important aspects of Windows networking. In the next chapter of this book, - you build on the experience gained. These are the highlights from this chapter: + In this network design and implementation exercise, you created a Windows NT4-style Domain + Controller using Samba-3.0.20. Following these guidelines, you experienced + and implemented several important aspects of Windows networking. In the next chapter, + you build on the experience. These are the highlights from this chapter: DHCP - You implemented a DHCP Server and Microsoft Windows clients were able to obtain all necessary + You implemented a DHCP server, and Microsoft Windows clients were able to obtain all necessary network configuration settings from this server. @@ -1070,7 +1049,7 @@ smb: \> q Yes. The configuration you created automatically provides each client with the IP address of your WINS server. It also configures the client to preferentially register NetBIOS names with the WINS server, and then instructs the client to first query the WINS server when a - NetBIOS machine name needs to be resolved to an IP Address. This means that this configuration + NetBIOS machine name needs to be resolved to an IP Address. This configuration results in far lower UDP broadcast traffic than would be the case if WINS was not used. @@ -1088,7 +1067,7 @@ smb: \> q - You can surely create a Windows Domain Account called Administrator. It is also + You can surely create a Windows Domain account called Administrator. It is also possible to map that account so that it has the effective UNIX UID of 0. This way it isn't necessary to use the username map facility to map this account to the UNIX account called root. 
@@ -1109,10 +1088,10 @@ smb: \> q The Windows Domain Administrator account is the most privileged account that - exists on the Windows platform. This user can change any setting, add/delete or modify user + exists on the Windows platform. This user can change any setting, add, delete, or modify user accounts, and completely reconfigure the system. The equivalent to this account in the UNIX environment is the root account. If you want to permit the Windows Domain - Administrator to manage accounts, as well as permissions, privileges, and security + Administrator to manage accounts as well as permissions, privileges, and security settings within the Domain and on the Samba server, equivalent rights must be assigned. This is achieved with the root UID equal to 0. @@ -1134,7 +1113,7 @@ smb: \> q Users who are members of the Domain Admins group can add machines to the Domain. This group is mapped to the UNIX group account called root - (or equivalent on wheel on some UNIX systems) that has a GID of 0. + (or the equivalent wheel on some UNIX systems) that has a GID of 0. This must be the primary GID of the account of the user who is a member of the Windows Domain Admins account. @@ -1154,8 +1133,8 @@ smb: \> q Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account - has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are: - Domain Guests, Domain Users, Domain Admins. + has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are + Domain Guests, Domain Users, and Domain Admins. @@ -1172,12 +1151,10 @@ smb: \> q - This is a nasty problem. Fortunately, here is a solution. + This is a nasty problem. Fortunately, there is a solution. - Re-creating the Samba <constant>root</constant> Account - Back up your existing configuration files in case you need to restore them. 
@@ -1223,23 +1200,23 @@ smb: \> q - What is the effect of changing the name of a Samba server, or of changing the Domain name? + What is the effect of changing the name of a Samba server or of changing the Domain name? - In the event that you elect to change the name of the Samba server, on restarting smbd, - Windows security identifiers are changed. In the case of a Stand-Alone server or a Domain Member server, - the machine SID is changed. This may break Domain Membership. In the case of a change of the Domain name - (Workgroup name), the Domain SID is changed. This affects all Domain Memberships. + If you elect to change the name of the Samba server, on restarting smbd, + Windows security identifiers are changed. In the case of a standalone server or a Domain Member server, + the machine SID is changed. This may break Domain membership. In the case of a change of the Domain name + (Workgroup name), the Domain SID is changed. This affects all Domain memberships. - If it becomes necessary to change either the Server name or the Domain name, be sure to back up the respective - SID before the change is made. You can back up the SID from use of the net getlocalsid (Samba-3), - or by way of the smbpasswd (Samba-2.2.x). To change the SID, you use the same tool. Be sure + If it becomes necessary to change either the server name or the Domain name, be sure to back up the respective + SID before the change is made. You can back up the SID using the net getlocalsid (Samba-3) + or the smbpasswd (Samba-2.2.x). To change the SID, you use the same tool. Be sure to check the man page for this command for detailed instructions regarding the steps involved. 
@@ -1257,10 +1234,10 @@ smb: \> q - Samba-3 implements a Windows NT4 style security domain architecture. This type of Domain cannot + Samba-3 implements a Windows NT4-style security domain architecture. This type of Domain cannot be managed using tools present on a Windows XP Professional installation. You may download from the Microsoft Web site the SRVTOOLS.EXE package. Extract it into the directory from which you wish to use - it. This package extracts the tools known as: User Manager for Domains, Server Manager, Event + it. This package extracts the tools: User Manager for Domains, Server Manager, and Event Viewer. You may use the User Manager for Domains to manage your Samba-3 Domain user and group accounts. Of course, you do need to be logged on as the Administrator for the Samba-3 Domain. It may help to log on as the root account. diff --git a/docs/Samba-Guide/SBE-preface.xml b/docs/Samba-Guide/SBE-preface.xml index 74f129f6774..8c99546a6c6 100644 --- a/docs/Samba-Guide/SBE-preface.xml +++ b/docs/Samba-Guide/SBE-preface.xml @@ -78,14 +78,14 @@ - Samba 3.0.15 Update Edition + Samba 3.0.20 Update Edition The Samba 3.0.x series has been remarkably popular. At the time this book first went to print samba-3.0.2 was being released. There have been significant modifications and enhancements between samba-3.0.2 and samba-3.0.14 (the current release) that necessitate this documentation update. This update has the specific intent to - refocus this book so that its guidance can be followed for samba-3.0.15 + refocus this book so that its guidance can be followed for samba-3.0.20 and beyond. Further changes are expected as Samba-3 matures further and will be reflected in future updates. @@ -95,7 +95,7 @@
- Samba Changes &smbmdash; 3.0.2 to 3.0.15 + Samba Changes &smbmdash; 3.0.2 to 3.0.20 -- 2.11.4.GIT
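Review bot: the hunk at @@ -256,23 +258,21 @@ (Implementation section) replaces a working cross-reference with placeholder text: `the migration steps from the information provided in Chapter ?????????.` A literal "Chapter ?????????" will be rendered in the published guide; restore the prose reference to the migration chapter (or an xref that resolves to it) before this is merged.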
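Review bot: the IP forwarding paragraph in hunk @@ -322,18 +320,14 @@ still instructs the reader to enable forwarding unconditionally (`echo 1 > /proc/sys/net/ipv4/ip_forward` added to rc.local) without saying what that does to the host. One sentence noting that the Samba server thereby routes every packet between the two subnets, and that any filtering between the segments has to be configured separately, would fit this copy edit and stop readers treating it as a Samba-only setting.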
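Review bot: the mount-point sentence in hunk @@ -470,19 +463,19 @@ now carries two verbs: `In this case the mount point is indicated in the &smb.conf; file is /data.` Either drop the inserted "is" (`In this case the mount point indicated in the &smb.conf; file is /data.`) or rephrase as `In this case the mount point, as indicated in the &smb.conf; file, is /data.`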
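Review bot: the "For example:" to "For example," change in hunk @@ -600,16 +591,15 @@ leaves a comma dangling before a screen block (`&rootprompt; chkconfig dhcp on`). A comma reads as if the sentence continues in prose; a colon is the usual lead-in to a displayed command listing and was correct as it stood.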
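Review bot: the title change in hunk @@ -640,7 +629,7 @@ introduces a wrong section name: `[globals] Section`. The section in smb.conf is `[global]`, exactly as the original title had it, and the example listing that follows still begins with the `[global]` block; a reader searching their configuration for `[globals]` will find nothing. Revert this line.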
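Review bot: hunk @@ -883,10 +864,10 @@ hardcodes the appendix label in front of the cross-reference: `a Windows Domain is given in Appendix A, .` If the element after the comma is an xref that generates its own label, the output will read "Appendix A, Appendix A" and will be wrong the moment the appendix is renumbered; let the xref produce the label and drop the literal text.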
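Review bot: the version bump in hunk @@ -78,14 +78,14 @@ of SBE-preface.xml is incomplete. The title and the closing sentence move from 3.0.15 to 3.0.20, but the unchanged context between them still reads `between samba-3.0.2 and samba-3.0.14 (the current release)`, so the preface now names two different current releases. Update that line to 3.0.20 as well, or remove "(the current release)".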