| blob | 7f8366c08a13356b46f56d804d987d87efd8fd92 |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
5 <!-- Stuff for xincludes -->
6 <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
7 %xinclude;
9 <!-- entities files to use -->
10 <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
11 %global_entities;
13 ]>
15 <chapter id="secure">
16 <title>Secure Office Networking</title>
18 <para>
19 Congratulations, your Samba networking skills are developing nicely. You started out
20 with three simple networks in Chapter 2, and then in Chapter 3 you designed and built a
21 network that provides a high degree of flexibility, integrity, and dependability. It
22 was enough for the basic needs each was designed to fulfill. In this chapter you
23 address a more complex set of needs. The solution you explore is designed
24 to introduce you to basic features that are specific to Samba-3.
25 </para>
27 <para>
28 You should note that a working and secure solution could be implemented using Samba-2.2.x.
29 In the exercises presented here, you are gradually using more Samba-3 specific features
30 so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given.
31 To avoid confusion, this book is all about Samba-3. Let's get the exercises in this
32 chapter under way.
33 </para>
35 <sect1>
36 <title>Introduction</title>
38 <para>
39 You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work
40 well done. It is one year since the last network upgrade. You have been quite busy.
41 Two months ago Mr. Meany gave approval to hire Christine Roberson who has taken over
42 general network management. Soon she will provide primary user support. You have demonstrated
43 you can delegate responsibility, and plan and execute
44 to that plan. Above all, you have shown Mr. Meany that you are a responsible person.
45 Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never
46 expected. You are Mr. Bob Jordan and will take charge of business operations. Mr. Meany
47 is retiring and has entrusted the business to your capable hands.
48 </para>
50 <para>
51 Mr. Meany may be retiring from this company, but not from work. He is taking the opportunity to develop
52 Abmas Inc. into a larger and more substantial company. He says that it took him many
53 years to wake up to the fact that there is no future in just running a business. He
54 now realizes there is great personal reward and satisfaction in creation of career
55 opportunities for people in the local community. He wants to do more for others as he is
56 doing for you, Bob Jordan. Today he spent a lot of time talking about the grand plan.
57 He has plans for growth that you will deal with in the chapters ahead.
58 </para>
60 <para>
61 Over the past year, the growth projections were exceeded. The network has grown to
62 meet the needs of 130 users. Along with growth, the demand for improved services
63 and better functionality has also developed. You are about to make an interim
64 improvement and then hand over all Help desk and network maintenance to Christine.
65 Christine has professional certifications in Microsoft Windows as well as in Linux;
66 she is a hard worker and quite likable. Christine does not want to manage the department
67 (although she manages well). She gains job satisfaction when left to sort things out.
68 Occasionally she wants to work with you on a challenging problem. When you told her
69 about your move, she almost resigned, although she was reassured that a new manager would
70 be hired to run Information Technology and she would be responsible only for operations.
71 </para>
73 <sect2>
74 <title>Assignment Tasks</title>
76 <para>
77 You promised the staff Internet services including web browsing, electronic mail, virus
78 protection, and a company Web site. Christine is keen to help turn the vision into
79 reality. Let's see how close you can get to the promises made.
80 </para>
82 <para>
83 The network you are about to deliver will service 130 users today. Within 12 months,
84 Abmas will aquire another company. Mr. Meany claims that within two years there will be
85 well over 500 users on the network. You have bought into the big picture, so prepare
86 for growth.
87 </para>
89 <para>
90 You have purchased a new server, will implement a new network infrastructure, and
91 reward all staff with a new computer. Notebook computers will not be replaced at this time.
92 </para>
94 <para>
95 You have decided to not recycle old network components. The only items that will be
96 carried forward are notebook computers. You offered staff new notebooks, but not
97 one person wanted the disruption for what was perceived as a marginal update.
98 You have made the decision to give everyone a new desktop computer, even to those
99 who have a notebook computer.
100 </para>
102 <para>
103 You have procured a DSL Internet connection that provides 1.5 Megabit/sec (bidirectional)
104 and a 10 MBit/sec ethernet port. You have registered the domain
105 <constant>abmas.us</constant>, and the Internet Service Provider (ISP) is supplying
106 secondary DNS. Information furnished by your ISP is shown in <link linkend="chap4netid"/>.
107 </para>
109 <para>
110 It is of paramount priority that under no circumstances will Samba offer
111 service access from an Internet connection. You are paying an ISP to
112 give, as part of their value-added services, full firewall protection for your
113 connection to the outside world. The only services allowed in from
114 the Internet side are the following destination ports: <constant>http/https (ports
115 80 and 443), email (port 25), DNS (port 53)</constant>. All Internet traffic
116 will be allowed out after network address translation (NAT). No internal IP addresses
117 are permitted through the NAT filter as complete privacy of internal network
118 operations must be assured.
119 </para>
121 <table id="chap4netid">
122 <title>Abmas.US ISP Information</title>
123 <tgroup cols="2">
124 <colspec align="left"/>
125 <colspec align="center"/>
126 <thead>
127 <row>
128 <entry>Parameter</entry>
129 <entry>Value</entry>
130 </row>
131 </thead>
132 <tbody>
133 <row>
134 <entry>Server IP Address</entry>
135 <entry>123.45.67.66</entry>
136 </row>
137 <row>
138 <entry>DSL Device IP Address</entry>
139 <entry>123.45.67.65</entry>
140 </row>
141 <row>
142 <entry>Network Address</entry>
143 <entry>123.45.67.64/30</entry>
144 </row>
145 <row>
146 <entry>Gateway Address</entry>
147 <entry>123.45.54.65</entry>
148 </row>
149 <row>
150 <entry>Primary DNS Server</entry>
151 <entry>123.45.54.65</entry>
152 </row>
153 <row>
154 <entry>Secondary DNS Server</entry>
155 <entry>123.45.54.32</entry>
156 </row>
157 <row>
158 <entry>Forwarding DNS Server</entry>
159 <entry>123.45.12.23</entry>
160 </row>
161 </tbody>
162 </tgroup>
163 </table>
165 <image id="ch04net">
166 <imagedescription>Abmas Network Topology &smbmdash; 130 Users</imagedescription>
167 <imagefile scale="90">chap4-net</imagefile>
168 </image>
170 <para>
171 Christine has recommended that desktop systems should be installed from a single cloned
172 master system that has a minimum of locally installed software and loads all software
173 off a central application server. The benefit of having the central application server
174 is that it allows single point maintenance of all business applications, something
175 Christine is keen to pursue. She further recommended installation of anti-virus
176 software on workstations as well as on the Samba server. Christine is paranoid of
177 potential virus infection and insists on a comprehensive approach to detective
178 as well as corrective action to protect network operations.
179 </para>
181 <para>
182 A significant concern is the problem of managing company growth. Recently, a number
183 of users had to share a PC while waiting for new machines to arrive. This presented
184 some problems with desktop computers and software installation into the new users'
185 desktop profile.
186 </para>
188 </sect2>
189 </sect1>
191 <sect1>
192 <title>Dissection and Discussion</title>
194 <para>
195 Many of the conclusions you draw here are obvious. Some requirements are not very clear
196 or may simply be your means of drawing the most out of Samba-3. Much can be done more simply
197 than you will demonstrate here, but keep in mind that the network must scale to at least 500
198 users. This means that some functionality will be over-designed for the current 130 user
199 environment.
200 </para>
202 <sect2>
203 <title>Technical Issues</title>
205 <para>
206 In this exercise we are using a 24-bit subnet mask for the two local networks. This,
207 of course, limits our network to a maximum of 253 usable IP addresses. The network
208 address range chosen is one of the ranges assigned by RFC1918 for private networks.
209 When the number of users on the network begins to approach the limit of usable
210 addresses, it would be a good idea to switch to a network address specified in RFC1918
211 in the 172.16.0.0/16 range. This is done in the following chapters.
212 </para>
214 <para>
215 <indexterm><primary>tdbsam</primary></indexterm>
216 <indexterm><primary>smbpasswd</primary></indexterm>
217 The high growth rates projected are a good reason to use the <constant>tdbsam</constant>
218 passdb backend. The use of <constant>smbpasswd</constant> for the backend may result in
219 performance problems. The <constant>tdbsam</constant> passdb backend offers features that
220 are not available with the older flat ASCII-based <constant>smbpasswd</constant> database.
221 </para>
223 <para>
224 <indexterm><primary>risk</primary></indexterm>
225 The proposed network design uses a single server to act as an Internet services host for
226 electronic mail, Web serving, remote administrative access vis SSH, as well as for
227 Samba-based file and print services. This design is often chosen by sites that feel
228 they cannot afford or justify the cost or overhead of having separate servers. It must
229 be realized that if security of this type of server should ever be violated (compromised),
230 the whole network and all data is at risk. Many sites continue to choose this type
231 of solution; therefore, this chapter provides detailed coverage of key implementation
232 aspects.
233 </para>
235 <para>
236 Samba will be configured to specifically not operate on the ethernet interface that is
237 directly connected to the Internet.
238 </para>
240 <para>
241 <indexterm><primary>iptables</primary></indexterm>
242 <indexterm><primary>NAT</primary></indexterm>
243 <indexterm><primary>Network Address Translation</primary><see>NAT</see></indexterm>
244 <indexterm>
245 <primary>firewall</primary>
246 </indexterm>
247 You know that your ISP is providing full firewall services, but you cannot rely on that.
248 Always assume that human error will occur, so be prepared by using Linux firewall facilities
249 based on <command>iptables</command> to effect Network Address Translation (NAT). Block all
250 incoming traffic except to permitted well-known ports. You must also allow incoming packets
251 to established outgoing connections. You will permit all internal outgoing requests.
252 </para>
254 <para>
255 The configuration of Web serving, Web proxy services, electronic mail, and the details of
256 generic anti-virus handling are beyond the scope of this book and therefore are not
257 covered, except insofar as this affects Samba-3.
258 </para>
260 <para><indexterm>
261 <primary>login</primary>
262 </indexterm>
263 Notebook computers are configured to use a network login when in the office and a
264 local account to login while away from the office. Users store all work done in
265 transit (away from the office) by using a local share for work files. Standard procedures
266 will dictate that on completion of the work that necessitates mobile file access, all
267 work files are moved back to secure storage on the office server. Staff is instructed
268 to not carry on any company notebook computer any files that are not absolutely required.
269 This is a preventative measure to protect client information as well as business private
270 records.
271 </para>
273 <para><indexterm>
274 <primary>application server</primary>
275 </indexterm>
276 All applications are served from the central server from a share called <constant>apps</constant>.
277 Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network
278 (or administrative) installation. Accounting and financial management software can also
279 be run only from the central application server. Notebook users are provided with
280 locally installed applications on a need-to-have basis only.
281 </para>
283 <para>
284 <indexterm><primary>roaming profiles</primary></indexterm>
285 The introduction of roaming profiles support means that users can move between
286 desktop computer systems without constraint while retaining full access to their data.
287 The desktop travels with them as they move.
288 </para>
290 <para>
291 <indexterm><primary>DNS</primary></indexterm>
292 The DNS server implementation must now address both internal needs as well as external
293 needs. You forward DNS lookups to your ISP provided server as well as the
294 <constant>abmas.us</constant> external secondary DNS server.
295 </para>
297 <para>
298 <indexterm><primary>dynamic DNS</primary></indexterm>
299 <indexterm><primary>DDNS</primary><see>dynamic
300 DNS</see></indexterm><indexterm>
301 <primary>DHCP server</primary>
302 </indexterm>
303 Compared with the DHCP server configuration in <link linkend="dhcp01"/>, the configuration used
304 in this example has to deal with the presence of an Internet connection. The scope set for it
305 ensures that no DHCP services will be offered on the external connection. All printers are
306 configured as DHCP clients, so that the DHCP server assigns the printer a fixed IP
307 address by way of the ethernet interface (MAC) address. One additional feature of this DHCP
308 server configuration file is the inclusion of parameters to allow dynamic DNS (DDNS) operation.
309 </para>
311 <para>
312 This is the first implementation that depends on a correctly functioning DNS server.
313 Comprehensive steps are included to provide for a fully functioning DNS server that also
314 is enabled for dynamic DNS operation. This means that DHCP clients can be auto-registered
315 with the DNS server.
316 </para>
318 <para>
319 You are taking the opportunity to manually set the netbios name of the Samba server to
320 a name other than what will be automatically resolved. You are doing this to ensure that
321 the machine has the same NetBIOS name on both network segments.
322 </para>
324 <para>
325 As in the previous network configuration, printing in this network configuration uses
326 direct raw printing (i.e., no smart printing and no print driver auto-download to Windows
327 clients). Printer drivers are installed on the Windows client manually. This is not
328 a problem given that Christine is to install and configure one single workstation and
329 then clone that configuration, using Norton Ghost, to all workstations. Each machine is
330 identical, so this should pose no problem.
331 </para>
333 <sect3>
334 <title>Hardware Requirements</title>
336 <para><indexterm>
337 <primary>memory requirements</primary>
338 </indexterm>
339 This server runs a considerable number of services. From similarly configured Linux
340 installations the approximate calculated memory requirements will be as that shown in
341 <link linkend="ch4memoryest"/>.
343 <example id="ch4memoryest">
344 <title>Estimation of Memory Requirements</title>
345 <screen>
346 Application Memory per User 130 Users 500 Users
347 Name (MBytes) Total MBytes Total MBytes
348 ----------- --------------- ------------ ------------
349 DHCP 2.5 3 3
350 DNS 16.0 16 16
351 Samba (nmbd) 16.0 16 16
352 Samba (winbind) 16.0 16 16
353 Samba (smbd) 4.0 520 2000
354 Apache 10.0 (20 User) 200 200
355 CUPS 3.5 16 32
356 Basic OS 256.0 256 256
357 -------------- --------------
358 Total: 1043 MBytes 2539 MBytes
359 -------------- --------------
360 </screen>
361 </example>
362 You would choose to add a safety margin of at least 50% to these estimates. The minimum
363 system memory recommended for initial startup would be 1 GByte, but to permit the system
364 to scale to 500 users, it would make sense to provision the machine with 4 GBytes memory.
365 An initial configuration with only 1 GByte memory would lead to early performance complaints
366 as the system load builds up. Given the low cost of memory, it would not make sense to
367 compromise in this area.
368 </para>
370 <para><indexterm>
371 <primary>bandwidth calculations</primary>
372 </indexterm>
373 Aggregate Input/Output loads should be considered for sizing network configuration as
374 well as disk subsystems. For network bandwidth calculations, one would typically use an
375 estimate of 0.1 MBytes/sec per user. This would suggest that 100-Base-T (approx. 10 MBytes/sec)
376 would deliver below acceptable capacity for the initial user load. It is, therefore, a good
377 idea to begin with 1 Gigabit ethernet cards for the two internal networks, each attached
378 to a 1 Gigabit Etherswitch that provides connectivity to an expandable array of 100-Base-T
379 switched ports.
380 </para>
382 <para><indexterm>
383 <primary>network segments</primary>
384 </indexterm><indexterm>
385 <primary>RAID</primary>
386 </indexterm>
387 Considering the choice of 1 Gigabit ethernet interfaces for the two local network segments,
388 the aggregate network I/O capacity will be 2100 MBit/sec (about 230 MBytes/sec), an I/O
389 demand that would require a fast disk storage I/O capability. Peak disk throughput is
390 limited by the disk sub-system chosen. It would be desirable to provide the maximum
391 I/O bandwidth that can be afforded. If a low-cost solution must be chosen, the use of
392 3Ware IDE RAID Controllers makes a good choice. These controllers can be fitted into a
393 64 bit, 66 MHz PCI-X slot. They appear to the operating system as a high speed SCSI
394 controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MByte/sec).
395 Alternative SCSI-based hardware RAID controllers should also be considered. Alternately,
396 it would make sense to purchase well-known branded hardware that has appropriate performance
397 specifications. As a minimum, one should attempt to provide a disk sub-system that can
398 deliver I/O rates of at least 100 MBytes/sec.
399 </para>
401 <para>
402 Disk storage requirements may be calculated as shown in <link linkend="ch4diskest"/>.
404 <example id="ch4diskest">
405 <title>Estimation of Disk Storage Requirements</title>
406 <screen>
407 Corporate Data: 100 MBytes/user per year
408 Email Storage: 500 MBytes/user per year
409 Applications: 5000 MBytes
410 Safety Buffer: At least 50%
412 Given 500 Users and 2 years:
413 -----------------------------
414 Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes
415 Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes
416 Applications: 5000 MBytes = 5 GBytes
417 ----------------------------
418 Total: 605 GBytes
419 Add 50% buffer 303 GBytes
420 Recommended Storage: 908 GBytes
421 </screen>
422 </example>
423 <indexterm>
424 <primary>storage capacity</primary>
425 </indexterm>
426 The preferred storage capacity should be approximately 1 TeraByte. Use of RAID level 5
427 with two hot spare drives would require an 8 drive by 200 GByte capacity per drive array.
428 </para>
430 </sect3>
432 </sect2>
435 <sect2>
436 <title>Political Issues</title>
438 <para>
439 Your industry is coming under increasing accountability pressures. Increased paranoia
440 is necessary so you can demonstrate that you have acted with due diligence. You must
441 not trust your Internet connection.
442 </para>
444 <para>
445 Apart from permitting more efficient management of business applications through use of
446 an application server, your primary reason for the decision to implement this is that it
447 gives you greater control over software licensing.
448 </para>
450 <para><indexterm>
451 <primary>Outlook Express</primary>
452 </indexterm>
453 You are well aware that the current configuration results in some performance issues
454 as the size of the desktop profile grows. Given that users use Microsoft Outlook
455 Express, you know that the storage implications of the <constant>.PST</constant> file
456 is something that needs to be addressed later on.
457 </para>
459 </sect2>
461 </sect1>
463 <sect1>
464 <title>Implementation</title>
466 <para>
467 <link linkend="ch04net"/> demonstrates the overall design of the network that you will implement.
468 </para>
470 <para>
471 The information presented here assumes that you are already familiar with many basic steps.
472 As this stands, the details provided already extend well beyond just the necessities of
473 Samba configuration. This decision is deliberate to ensure that key determinants
474 of a successful installation are not overlooked. This is the last case that documents
475 the finite minutiae of DHCP and DNS server configuration. Beyond the information provided
476 here, there are many other good reference books on these subjects.
477 </para>
479 <para>
480 The &smb.conf; file has the following noteworthy features:
481 </para>
483 <itemizedlist>
484 <listitem><para>
485 The NetBIOS name of the Samba server is set to <constant>DIAMOND</constant>.
486 </para></listitem>
488 <listitem><para>
489 The Domain name is set to <constant>PROMISES</constant>.
490 </para></listitem>
492 <listitem><para><indexterm>
493 <primary>broadcast messages</primary>
494 </indexterm><indexterm>
495 <primary>interfaces</primary>
496 </indexterm><indexterm>
497 <primary>bind interfaces only</primary>
498 </indexterm>
499 Ethernet interface <constant>eth0</constant> is attached to the Internet connection
500 and is externally exposed. This interface is explicitly not available for Samba to use.
501 Samba listens on this interface for broadcast messages, but does not broadcast any
502 information on <constant>eth0</constant>, nor does it accept any connections from it.
503 This is achieved by way of the <parameter>interfaces</parameter> parameter and the
504 <parameter>bind interfaces only</parameter> entry.
505 </para></listitem>
507 <listitem><para><indexterm>
508 <primary>passdb backend</primary>
509 </indexterm><indexterm>
510 <primary>tdbsam</primary>
511 </indexterm><indexterm>
512 <primary>binary database</primary>
513 </indexterm>
514 The <parameter>passdb backend</parameter> parameter specifies the creation and use
515 of the <constant>tdbsam</constant> password backend. This is a binary database that
516 has excellent scalability for a large number of user account entries.
517 </para></listitem>
519 <listitem><para><indexterm>
520 <primary>WINS serving</primary>
521 </indexterm><indexterm>
522 <primary>wins support</primary>
523 </indexterm><indexterm>
524 <primary>name resolve order</primary>
525 </indexterm>
526 WINS serving is enabled by the <smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>,
527 and name resolution is set to use it by means of the <smbconfoption><name>name resolve order</name>
528 <value>wins bcast hosts</value></smbconfoption> entry.
529 </para></listitem>
531 <listitem><para><indexterm>
532 <primary>time server</primary>
533 </indexterm>
534 The Samba server is configured for use by Windows clients as a time server.
535 </para></listitem>
537 <listitem><para><indexterm>
538 <primary>CUPS</primary>
539 </indexterm><indexterm>
540 <primary>printing</primary>
541 </indexterm><indexterm>
542 <primary>printcap name</primary>
543 </indexterm>
544 Samba is configured to directly interface with CUPS via the direct internal interface
545 that is provided by CUPS libraries. This is achieved with the
546 <smbconfoption><name>printing</name><value>CUPS</value></smbconfoption> as well as the
547 <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption> entries.
548 </para></listitem>
550 <listitem><para><indexterm>
551 <primary>user management</primary>
552 </indexterm><indexterm>
553 <primary>group management</primary>
554 </indexterm><indexterm>
555 <primary>SRVTOOLS.EXE</primary>
556 </indexterm>
557 External interface scripts are provided to enable Samba to interface smoothly to
558 essential operating system functions for user and group management. This is important
559 to enable workstations to join the Domain, and is also important so that you can use
560 the Windows NT4 Domain User Manager, as well as the Domain Server Manager. These tools
561 are provided as part of the <filename>SRVTOOLS.EXE</filename> toolkit that can be
562 downloaded from the Microsoft FTP <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">site.</ulink>
563 </para></listitem>
565 <listitem><para><indexterm>
566 <primary>User Mode</primary>
567 </indexterm>
568 The &smb.conf; file specifies that the Samba server will operate in (default) <parameter>
569 security = user</parameter> mode<footnote>See <emphasis>TOSHARG</emphasis>, Chapter 3. This is necessary
570 so that Samba can act as a Domain Controller (PDC); see <emphasis>TOSHARG</emphasis>, Chapter 4 for
571 additional information.</footnote> (User Mode).
572 </para></listitem>
574 <listitem><para><indexterm>
575 <primary>logon services</primary>
576 </indexterm><indexterm>
577 <primary>logon script</primary>
578 </indexterm>
579 Domain logon services as well as a Domain logon script are specified. The logon script
580 will be used to add robustness to the overall network configuration.
581 </para></listitem>
583 <listitem><para><indexterm>
584 <primary>roaming profiles</primary>
585 </indexterm><indexterm>
586 <primary>logon path</primary>
587 </indexterm><indexterm>
588 <primary>profile share</primary>
589 </indexterm>
590 Roaming profiles are enabled through the specification of the parameter, <smbconfoption><name>logon path</name>
591 <value>\\%L\profiles\%U</value></smbconfoption>. The value of this parameter translates the
592 <constant>%L</constant> to the name by which the Samba server is called by the client (for this
593 configuration, it translates to the name <constant>DIAMOND</constant>), and the <constant>%U</constant>
594 will translate to the name of the user within the context of the connection made to the profile share.
595 It is the administrator's responsibility to ensure there is a directory in the root of the
596 profile share for each user. This directory must be owned by the user also. An exception to this
597 requirement is when a profile is created for group use.
598 </para></listitem>
600 <listitem><para><indexterm>
601 <primary>virus</primary>
602 </indexterm><indexterm>
603 <primary>opportunistic locking</primary>
604 </indexterm>
605 Precautionary veto is effected for particular Windows file names that have been targeted by
606 virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking
607 controls. This should help to prevent lock contention related file access problems.
608 </para></listitem>
610 <listitem><para><indexterm>
611 <primary>IPC$</primary>
612 </indexterm>
613 Explicit controls are effected to restrict access to the <constant>IPC$</constant> share to
614 local networks only. The <constant>IPC$</constant> share plays an important role in network
615 browsing and in establishment of network connections.
616 </para></listitem>
618 <listitem><para>
619 Every user has a private home directory on the UNIX/Linux host. This is mapped to
620 a network drive that is the same for all users.
621 </para></listitem>
623 </itemizedlist>
625 <para>
626 The configuration of the server is the most complex so far. The following steps are used:
627 </para>
629 <orderedlist numeration="arabic">
630 <listitem><para>
631 Basic System Configuration
632 </para></listitem>
634 <listitem><para>
635 Samba Configuration
636 </para></listitem>
638 <listitem><para>
639 DHCP and DNS Server Configuration
640 </para></listitem>
642 <listitem><para>
643 Printer Configuration
644 </para></listitem>
646 <listitem><para>
647 Process Start-up Configuration
648 </para></listitem>
650 <listitem><para>
651 Validation
652 </para></listitem>
654 <listitem><para>
655 Application Share Configuration
656 </para></listitem>
658 <listitem><para>
659 Windows Client Configuration
660 </para></listitem>
661 </orderedlist>
663 <para>
664 The following sections cover each step in logical and defined detail.
665 </para>
667 <sect2 id="ch4bsc">
668 <title>Basic System Configuration</title>
670 <para><indexterm>
671 <primary>SUSE Enterprise Linux Server</primary>
672 </indexterm>
673 The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been
674 freshly installed. It prepares basic files so that the system is ready for comprehensive
675 operation in line with the network diagram shown in <link linkend="ch04net"/>.
676 </para>
678 <procedure>
679 <step><para><indexterm>
680 <primary>hostname</primary>
681 </indexterm>
682 Using the UNIX/Linux system tools, name the server <constant>server.abmas.us</constant>.
683 Verify that your hostname is correctly set by running:
684 <screen>
685 &rootprompt; uname -n
686 server
687 </screen>
688 An alternate method to verify the hostname is:
689 <screen>
690 &rootprompt; hostname -f
691 server.abmas.us
692 </screen>
693 </para></step>
695 <step><para>
696 <indexterm><primary>/etc/hosts</primary></indexterm><indexterm>
697 <primary>localhost</primary>
698 </indexterm>
699 Edit your <filename>/etc/hosts</filename> file to include the primary names and addresses
700 of all network interfaces that are on the host server. This is necessary so that during
701 startup the system can resolve all its own names to the IP address prior to
702 startup of the DNS server. An example of entries that should be in the
703 <filename>/etc/hosts</filename> file is:
704 <screen>
705 127.0.0.1 localhost
706 192.168.1.1 sleeth1.abmas.biz sleeth1 diamond
707 192.168.2.1 sleeth2.abmas.biz sleeth2
708 123.45.67.66 server.abmas.us server
709 </screen>
710 You should check the startup order of your system. If the CUPS print server is started before
711 the DNS server (<command>named</command>), you should also include an entry for the printers
712 in the <filename>/etc/hosts</filename> file, as follows:
713 <screen>
714 192.168.1.20 qmsa.abmas.biz qmsa
715 192.168.1.30 hplj6a.abmas.biz hplj6a
716 192.168.2.20 qmsf.abmas.biz qmsf
717 192.168.2.30 hplj6f.abmas.biz hplj6f
718 </screen>
719 <indexterm>
720 <primary>named</primary>
721 </indexterm><indexterm>
722 <primary>cupsd</primary>
723 </indexterm><indexterm>
724 <primary>daemon</primary>
725 </indexterm>
726 The printer entries are not necessary if <command>named</command> is started prior to
727 startup of <command>cupsd</command>, the CUPS daemon.
728 </para></step>
730 <step><para>
731 <indexterm><primary>/etc/rc.d/boot.local</primary></indexterm>
732 <indexterm><primary>IP forwarding</primary></indexterm><indexterm>
733 <primary>/proc/sys/net/ipv4/ip_forward</primary>
734 </indexterm>
735 The host server is acting as a router between the two internal network segments as well
736 as for all Internet access. This necessitates that IP forwarding must be enabled. This can be
737 achieved by adding to the <filename>/etc/rc.d/boot.local</filename> an entry as follows:
738 <screen>
739 echo 1 > /proc/sys/net/ipv4/ip_forward
740 </screen>
741 To ensure that your kernel is capable of IP forwarding during configuration, you may
742 wish to execute that command manually also. This setting permits the Linux system to
743 act as a router.<footnote>ED NOTE: You may want to do the echo command last and include
744 "0" in the init scripts since it opens up your network for a short time.</footnote>
745 </para></step>
747 <step><para><indexterm>
748 <primary>firewall</primary>
749 </indexterm><indexterm>
750 <primary>abmas-netfw.sh</primary>
751 </indexterm>
752 Installation of a basic firewall and network address translation facility is necessary.
753 The following script can be installed in the <filename>/usr/local/sbin</filename>
754 directory. It is executed from the <filename>/etc/rc.d/boot.local</filename> startup
755 script. In your case, this script is called <filename>abmas-netfw.sh</filename>. The
756 script contents are shown in <link linkend="ch4natfw"/>.
758 <example id="ch4natfw">
759 <title>NAT Firewall Configuration Script</title>
760 <screen>
761 #!/bin/sh
762 echo -e "\n\nLoading NAT firewall.\n"
763 IPTABLES=/usr/sbin/iptables
764 EXTIF="eth0"
765 INTIFA="eth1"
766 INTIFB="eth2"
768 /sbin/depmod -a
769 /sbin/insmod ip_tables
770 /sbin/insmod ip_conntrack
771 /sbin/insmod ip_conntrack_ftp
772 /sbin/insmod iptable_nat
773 /sbin/insmod ip_nat_ftp
774 $IPTABLES -P INPUT DROP
775 $IPTABLES -F INPUT
776 $IPTABLES -P OUTPUT ACCEPT
777 $IPTABLES -F OUTPUT
778 $IPTABLES -P FORWARD DROP
779 $IPTABLES -F FORWARD
780 $IPTABLES -t nat -F
781 $IPTABLES -A INPUT -i lo -j ACCEPT
782 $IPTABLES -A INPUT -i $INTIFA -j ACCEPT
783 $IPTABLES -A INPUT -i $INTIFB -j ACCEPT
784 $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
785 # Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS
786 for i in 22 25 53 80 443
787 do
788 $IPTABLES -A INPUT -i $EXTIF -p tcp -dport $i -j ACCEPT
789 done
790 # Allow DNS(udp)
791 $IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT
792 echo "Allow all connections OUT and only existing and specified ones IN"
793 $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
794 --state ESTABLISHED,RELATED -j ACCEPT
795 $IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT
796 $IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT
797 $IPTABLES -A FORWARD -j LOG
798 echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
799 $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
800 echo "1" > /proc/sys/net/ipv4/ip_forward
801 echo -e "\nNAT firewall done.\n"
802 </screen>
803 </example>
804 </para></step>
806 <step><para>
807 Execute the following to make the script executable:
808 <screen>
809 &rootprompt; chmod 755 /usr/local/sbin/abmas-natfw.sh
810 </screen>
811 You must now edit <filename>/etc/rc.d/boot.local</filename> to add an entry
812 that runs your <command>abmas-natfw.sh</command> script. The following
813 entry works for you:
814 <screen>
815 #! /bin/sh
816 #
817 # Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany.
818 # All rights reserved.
819 #
820 # Author: Werner Fink, 1996
821 # Burchard Steinbild, 1996
822 #
823 # /etc/init.d/boot.local
824 #
825 # script with local commands to be executed from init on system startup
826 #
827 # Here you should add things that should happen directly after booting
828 # before we're going to the first run level.
829 #
830 /usr/local/sbin/abmas-natfw.sh
831 </screen>
832 </para></step>
833 </procedure>
835 <para><indexterm>
836 <primary>/etc/hosts</primary>
837 </indexterm>
838 The server is now ready for Samba configuration. During the validation step, you remove
839 the entry for the Samba server <constant>diamond</constant> from the <filename>/etc/hosts</filename>
840 file. This is done after you are satisfied that DNS-based name resolution is functioning correctly.
841 </para>
843 </sect2>
845 <sect2>
846 <title>Samba Configuration</title>
848 <para>
849 When you have completed this section, the Samba server is ready for testing and validation;
850 however, testing and validation have to wait until DHCP, DNS, and Printing (CUPS) services have
851 been configured.
852 </para>
854 <procedure>
855 <step><para>
856 Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary
857 RPM file is called <filename>samba-3.0.2-1.i386.rpm</filename>, one way to install this
858 file is as follows:
859 <screen>
860 &rootprompt; rpm -Uvh samba-3.0.2-1.i386.rpm
861 </screen>
862 This operation must be performed while logged in as the <command>root</command> user.
863 Successful operation is clearly indicated. If this installation should fail for any reason,
864 refer to the operating system manufacturer's documentation for guidance.
865 </para></step>
867 <step><para>
868 Install the &smb.conf; file shown in <link linkend="promisnet"/>, <link linkend="promisnetsvca"/>,
869 and <link linkend="promisnetsvcb"/>. Concatenate (join) all three files to make a single &smb.conf;
870 file. The final, fully qualified path for this file should be <filename>/etc/samba/smb.conf</filename>.
872 <smbconfexample id="promisnet">
873 <title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; [globals] Section</title>
874 <smbconfcomment>Global parameters</smbconfcomment>
875 <smbconfsection>[global]</smbconfsection>
876 <smbconfoption><name>workgroup</name><value>PROMISES</value></smbconfoption>
877 <smbconfoption><name>netbios name</name><value>DIAMOND</value></smbconfoption>
878 <smbconfoption><name>interfaces</name><value>eth1, eth2, lo</value></smbconfoption>
879 <smbconfoption><name>bind interfaces only</name><value>Yes</value></smbconfoption>
880 <smbconfoption><name>passdb backend</name><value>tdbsam</value></smbconfoption>
881 <smbconfoption><name>pam password change</name><value>Yes</value></smbconfoption>
882 <smbconfoption><name>passwd chat</name><value>*New*Password* %n\n *Re-enter*new*password*</value></smbconfoption>
883 <member><parameter> %n\n *Password*changed*</parameter></member>
884 <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
885 <smbconfoption><name>unix password sync</name><value>Yes</value></smbconfoption>
886 <smbconfoption><name>log level</name><value>1</value></smbconfoption>
887 <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
888 <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
889 <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
890 <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
891 <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
892 <smbconfoption><name>time server</name><value>Yes</value></smbconfoption>
893 <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
894 <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
895 <smbconfoption><name>add user script</name><value>/usr/sbin/useradd -m %u</value></smbconfoption>
896 <smbconfoption><name>delete user script</name><value>/usr/sbin/userdel -r %u</value></smbconfoption>
897 <smbconfoption><name>add group script</name><value>/usr/sbin/groupadd %g</value></smbconfoption>
898 <smbconfoption><name>delete group script</name><value>/usr/sbin/groupdel %g</value></smbconfoption>
899 <smbconfoption><name>add user to group script</name><value>/usr/sbin/usermod -G %g %u</value></smbconfoption>
900 <smbconfoption><name>add machine script</name><value>/usr/sbin/useradd</value></smbconfoption>
901 <member><parameter>-s /bin/false -d /dev/null %u</parameter></member>
902 <smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
903 <smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
904 <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
905 <smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
906 <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
907 <smbconfoption><name>logon home</name><value>\\%L\%U</value></smbconfoption>
908 <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
909 <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
910 <smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
911 <smbconfoption><name>utmp</name><value>Yes</value></smbconfoption>
912 <smbconfoption><name>map acl inherit</name><value>Yes</value></smbconfoption>
913 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
914 <smbconfoption><name>veto files</name><value>/*.eml/*.nws/*.{*}/</value></smbconfoption>
915 <smbconfoption><name>veto oplock files</name><value>/*.doc/*.xls/*.mdb/</value></smbconfoption>
916 </smbconfexample>
918 <smbconfexample id="promisnetsvca">
919 <title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part A</title>
920 <smbconfsection>[IPC$]</smbconfsection>
921 <smbconfoption><name>path</name><value>/tmp</value></smbconfoption>
922 <smbconfoption><name>hosts allow</name><value>192.168.1.0/24, 192.168.2.0/24, 127.0.0.1</value></smbconfoption>
923 <smbconfoption><name>hosts deny</name><value>0.0.0.0/0</value></smbconfoption>
925 <smbconfsection>[homes]</smbconfsection>
926 <smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
927 <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
928 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
929 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
931 <smbconfsection>[printers]</smbconfsection>
932 <smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
933 <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
934 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
935 <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
936 <smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
937 <smbconfoption><name>default devmode</name><value>Yes</value></smbconfoption>
938 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
940 <smbconfsection>[netlogon]</smbconfsection>
941 <smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
942 <smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
943 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
944 <smbconfoption><name>locking</name><value>No</value></smbconfoption>
945 </smbconfexample>
947 <smbconfexample id="promisnetsvcb">
948 <title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part B</title>
949 <smbconfsection>[profiles]</smbconfsection>
950 <smbconfoption><name>comment</name><value>Profile Share</value></smbconfoption>
951 <smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
952 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
953 <smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
955 <smbconfsection>[accounts]</smbconfsection>
956 <smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
957 <smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
958 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
960 <smbconfsection>[service]</smbconfsection>
961 <smbconfoption><name>comment</name><value>Financial Services Files</value></smbconfoption>
962 <smbconfoption><name>path</name><value>/data/service</value></smbconfoption>
963 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
965 <smbconfsection>[apps]</smbconfsection>
966 <smbconfoption><name>comment</name><value>Application Files</value></smbconfoption>
967 <smbconfoption><name>path</name><value>/apps</value></smbconfoption>
968 <smbconfoption><name>read only</name><value>Yes</value></smbconfoption>
969 <smbconfoption><name>admin users</name><value>bjordan</value></smbconfoption>
970 </smbconfexample>
971 </para></step>
973 <step><para>
974 <indexterm><primary>administrator</primary></indexterm><indexterm>
975 <primary>smbpasswd</primary>
976 </indexterm>
977 Add the <constant>root</constant> user to the password backend as follows:
978 <screen>
979 &rootprompt; smbpasswd -a root
980 New SMB password: XXXXXXXX
981 Retype new SMB password: XXXXXXXX
982 &rootprompt;
983 </screen>
984 The <constant>root</constant> account is the UNIX equivalent of the Windows Domain Administrator.
985 This account is essential in the regular maintenance of your Samba server. It must never be
986 deleted. If for any reason the account is deleted, you may not be able to recreate this account
987 without considerable trouble.
988 </para></step>
990 <step><para>
991 <indexterm><primary>username map</primary></indexterm>
992 Create the username map file to permit the <constant>root</constant> account to be called
993 <constant>Administrator</constant> from the Windows network environment. To do this, create
994 the file <filename>/etc/samba/smbusers</filename> with the following contents:
995 <screen>
996 ####
997 # User mapping file
998 ####
999 # File Format
1000 # -----------
1001 # Unix_ID = Windows_ID
1002 #
1003 # Examples:
1004 # root = Administrator
1005 # janes = "Jane Smith"
1006 # jimbo = Jim Bones
1007 #
1008 # Note: If the name contains a space it must be double quoted.
1009 # In the example above the name 'jimbo' will be mapped to Windows
1010 # user names 'Jim' and 'Bones' because the space was not quoted.
1011 #######################################################################
1012 root = Administrator
1013 ####
1014 # End of File
1015 ####
1016 </screen>
1017 </para></step>
1019 <step><para>
1020 <indexterm><primary>initGrps.sh</primary></indexterm><indexterm>
1021 <primary>net</primary>
1022 <secondary>groupmap</secondary>
1023 <tertiary>add</tertiary>
1024 </indexterm><indexterm>
1025 <primary>net</primary>
1026 <secondary>groupmap</secondary>
1027 <tertiary>modify</tertiary>
1028 </indexterm><indexterm>
1029 <primary>net</primary>
1030 <secondary>groupmap</secondary>
1031 <tertiary>list</tertiary>
1032 </indexterm>
1033 Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
1034 <link linkend="initGrps"/>. Create a file containing this script. We called ours
1035 <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed,
1036 and then execute the script. Sample output should be as follows:
1038 <example id="ch4initGrps">
1039 <title>Script to Map Windows NT Groups to UNIX Groups</title>
1040 <indexterm><primary>initGrps.sh</primary></indexterm>
1041 <screen>
1042 #!/bin/bash
1043 #
1044 # initGrps.sh
1045 #
1047 # Create UNIX groups
1048 groupadd acctsdep
1049 groupadd finsrvcs
1051 # Map Windows Domain Groups to UNIX groups
1052 net groupmap modify ntgroup="Domain Admins" unixgroup=root
1053 net groupmap modify ntgroup="Domain Users" unixgroup=users
1054 net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
1056 # Add Functional Domain Groups
1057 net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
1058 net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
1060 # Map Windows NT machine local groups to local UNIX groups
1061 # Mapping of local groups is not necessary and not functional
1062 # for this installation.
1063 </screen>
1064 </example>
1066 <screen>
1067 &rootprompt; chmod 755 initGrps.sh
1068 &rootprompt; /etc/samba # ./initGrps.sh
1069 Updated mapping entry for Domain Admins
1070 Updated mapping entry for Domain Users
1071 Updated mapping entry for Domain Guests
1072 No rid or sid specified, choosing algorithmic mapping
1073 Successfully added group Accounts Dept to the mapping db
1074 No rid or sid specified, choosing algorithmic mapping
1075 Successfully added group Domain Guests to the mapping db
1077 &rootprompt; /etc/samba # net groupmap list | sort
1078 Account Operators (S-1-5-32-548) -> -1
1079 Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep
1080 Administrators (S-1-5-32-544) -> -1
1081 Backup Operators (S-1-5-32-551) -> -1
1082 Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root
1083 Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody
1084 Domain Users (S-1-5-21-179504-2437109-488451-513) -> users
1085 Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs
1086 Guests (S-1-5-32-546) -> -1
1087 Power Users (S-1-5-32-547) -> -1
1088 Print Operators (S-1-5-32-550) -> -1
1089 Replicators (S-1-5-32-552) -> -1
1090 System Operators (S-1-5-32-549) -> -1
1091 Users (S-1-5-32-545) -> -1
1092 </screen>
1093 </para></step>
1095 <step><para>
1096 <indexterm><primary>useradd</primary></indexterm>
1097 <indexterm><primary>adduser</primary></indexterm>
1098 <indexterm><primary>passwd</primary></indexterm>
1099 <indexterm><primary>smbpasswd</primary></indexterm>
1100 <indexterm><primary>/etc/passwd</primary></indexterm>
1101 <indexterm><primary>password</primary><secondary>backend</secondary></indexterm>
1102 <indexterm><primary>user</primary><secondary>management</secondary></indexterm>
1103 There is one preparatory step without which you will not have a working Samba
1104 network environment. You must add an account for each network user.
1105 For each user who needs to be given a Windows Domain account, make an entry in the
1106 <filename>/etc/passwd</filename> file, as well as in the Samba password backend.
1107 Use the system tool of your choice to create the UNIX system account, and use the Samba
1108 <command>smbpasswd</command> to create a Domain user account.
1109 There are a number of tools for user management under UNIX. Commonly known ones include:
1110 <command>useradd, adduser</command>. In addition to these, there are a plethora of custom
1111 tools. You also want to create a home directory for each user.
1112 You can do this by executing the following steps for each user:
1113 <screen>
1114 &rootprompt; useradd -m <parameter>username</parameter>
1115 &rootprompt; passwd <parameter>username</parameter>
1116 Changing password for <parameter>username</parameter>.
1117 New password: XXXXXXXX
1118 Re-enter new password: XXXXXXXX
1119 Password changed
1120 &rootprompt; smbpasswd -a <parameter>username</parameter>
1121 New SMB password: XXXXXXXX
1122 Retype new SMB password: XXXXXXXX
1123 Added user <parameter>username</parameter>.
1124 </screen>
1125 You do of course use a valid user login ID in place of <parameter>username</parameter>.
1126 </para></step>
1128 <step><para><indexterm>
1129 <primary>file system</primary>
1130 <secondary>access control</secondary>
1131 </indexterm><indexterm>
1132 <primary>file system</primary>
1133 <secondary>permissions</secondary>
1134 </indexterm><indexterm>
1135 <primary>group membership</primary>
1136 </indexterm>
1137 Using the preferred tool for your UNIX system, add each user to the UNIX groups created
1138 previously as necessary. File system access control will be based on UNIX group membership.
1139 </para></step>
1141 <step><para>
1142 Create the directory mount point for the disk sub-system that can be mounted to provide
1143 data storage for company files. In this case the mount point indicated in the &smb.conf;
1144 file is <filename>/data</filename>. Format the file system as required, and mount the formatted
1145 file system partition using appropriate system tools.
1146 </para></step>
1148 <step><para>
1149 <indexterm><primary>file system</primary><secondary>permissions</secondary></indexterm>
1150 Create the top-level file storage directories for data and applications as follows:
1151 <screen>
1152 &rootprompt; mkdir -p /data/{accounts,finsvcs}
1153 &rootprompt; mkdir -p /apps
1154 &rootprompt; chown -R root.root /data
1155 &rootprompt; chown -R root.root /apps
1156 &rootprompt; chown -R bjordan.accounts /data/accounts
1157 &rootprompt; chown -R bjordan.finsvcs /data/finsvcs
1158 &rootprompt; chmod -R ug+rwxs,o-rwx /data
1159 &rootprompt; chmod -R ug+rwx,o+rx-w /apps
1160 </screen>
1161 Each department is responsible for creating its own directory structure within the departmental
1162 share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>.
1163 The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>.
1164 The <filename>/apps</filename> directory is the root of the <constant>apps</constant> share
1165 that provides the application server infrastructure.
1166 </para></step>
1168 <step><para>
1169 The &smb.conf; file specifies an infrastructure to support roaming profiles and network
1170 logon services. You can now create the file system infrastructure to provide the
1171 locations on disk that these services require. Adequate planning is essential
1172 since desktop profiles can grow to be quite large. For planning purposes, a minimum of
1173 200 Megabytes of storage should be allowed per user for profile storage. The following
1174 commands create the directory infrastructure needed:
1175 <screen>
1176 &rootprompt; mkdir -p /var/spool/samba
1177 &rootprompt; mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
1178 &rootprompt; chown -R root.root /var/spool/samba
1179 &rootprompt; chown -R root.root /var/lib/samba
1180 &rootprompt; chmod a+rwxt /var/spool/samba
1181 </screen>
1182 For each user account that is created on the system, the following commands should be
1183 executed:
1184 <screen>
1185 &rootprompt; mkdir /var/lib/samba/profiles/'username'
1186 &rootprompt; chown 'username'.users /var/lib/samba/profiles/'username'
1187 &rootprompt; chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
1188 </screen>
1189 </para></step>
1191 <step><para><indexterm>
1192 <primary>logon scrip</primary>
1193 </indexterm><indexterm>
1194 <primary>unix2dos</primary>
1195 </indexterm><indexterm>
1196 <primary>dos2unix</primary>
1197 </indexterm>
1198 Create a logon script. It is important that each line is correctly terminated with
1199 a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
1200 works if the right tools (<constant>unix2dos</constant> and <constant>dos2unix</constant>) are installed.
1201 First, create a file called <filename>/var/lib/samba/netlogon/scripts/logon.bat.unix</filename>
1202 with the following contents:
1203 <screen>
1204 net time \\diamond /set /yes
1205 net use h: /home
1206 net use p: \\diamond\apps
1207 </screen>
1208 Convert the UNIX file to a DOS file using the <command>unix2dos</command> as shown here:
1209 <screen>
1210 &rootprompt; unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix \
1211 > /var/lib/samba/netlogon/scripts/logon.bat
1212 </screen>
1213 </para></step>
1214 </procedure>
1216 </sect2>
1218 <sect2 id="ch4dhcpdns">
1219 <title>Configuration of DHCP and DNS Servers</title>
1221 <para>
1222 DHCP services are a basic component of the entire network client installation. DNS operation is
1223 foundational to Internet access as well as to trouble-free operation of local networking. When
1224 you have completed this section, the server should be ready for solid duty operation.
1225 </para>
1227 <procedure>
1228 <step><para>
1229 <indexterm><primary>/etc/dhcpd.conf</primary></indexterm>
1230 Create a file called <filename>/etc/dhcpd.conf</filename> with the contents as
1231 shown in <link linkend="prom-dhcp"/>.
1233 <example id="prom-dhcp">
1234 <title>DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title>
1235 <screen>
1236 # Abmas Accounting Inc. - Chapter 4
1237 default-lease-time 86400;
1238 max-lease-time 172800;
1239 default-lease-time 86400;
1240 option ntp-servers 192.168.1.1;
1241 option domain-name "abmas.biz";
1242 option domain-name-servers 192.168.1.1, 192.168.2.1;
1243 option netbios-name-servers 192.168.1.1, 192.168.2.1;
1244 option netbios-node-type 8; ### Node type = Hybrid ###
1245 ddns-updates on; ### Dynamic DNS enabled ###
1246 ddns-update-style ad-hoc;
1248 subnet 192.168.1.0 netmask 255.255.255.0 {
1249 range dynamic-bootp 192.168.1.128 192.168.1.254;
1250 option subnet-mask 255.255.255.0;
1251 option routers 192.168.1.1;
1252 allow unknown-clients;
1253 host qmsa {
1254 hardware ethernet 08:00:46:7a:35:e4;
1255 fixed-address 192.168.1.20;
1256 }
1257 host hplj6a {
1258 hardware ethernet 00:03:47:cb:81:e0;
1259 fixed-address 192.168.1.30;
1260 }
1261 }
1262 subnet 192.168.2.0 netmask 255.255.255.0 {
1263 range dynamic-bootp 192.168.2.128 192.168.2.254;
1264 option subnet-mask 255.255.255.0;
1265 option routers 192.168.2.1;
1266 allow unknown-clients;
1267 host qmsf {
1268 hardware ethernet 01:04:31:db:e1:c0;
1269 fixed-address 192.168.1.20;
1270 }
1271 host hplj6f {
1272 hardware ethernet 00:03:47:cf:83:e2;
1273 fixed-address 192.168.2.30;
1274 }
1275 }
1276 subnet 127.0.0.0 netmask 255.0.0.0 {
1277 }
1278 subnet 123.45.67.64 netmask 255.255.255.252 {
1279 }
1280 </screen>
1281 </example>
1282 </para></step>
1284 <step><para>
1285 <indexterm><primary>/etc/named.conf</primary></indexterm>
1286 Create a file called <filename>/etc/named.conf</filename> that has the combined contents
1287 of the <link linkend="ch4namedcfg"/>, <link linkend="ch4namedvarfwd"/>, and
1288 <link linkend="ch4namedvarrev"/> files that are concatenated (merged) in this
1289 specific order.
1290 </para></step>
1292 <step><para>
1293 Create the files shown in their directories as follows:
1295 <table if="namedrscfiles">
1296 <title>DNS (named) Resource Files</title>
1297 <tgroup cols="2">
1298 <colspec align="left"/>
1299 <colspec align="left"/>
1300 <thead>
1301 <row>
1302 <entry>Reference</entry>
1303 <entry>File Location</entry>
1304 </row>
1305 </thead>
1306 <tbody>
1307 <row>
1308 <entry><link linkend="loopback"/></entry>
1309 <entry>/var/lib/named/localhost.zone</entry>
1310 </row>
1311 <row>
1312 <entry><link linkend="dnsloopy"/></entry>
1313 <entry>/var/lib/named/127.0.0.zone</entry>
1314 </row>
1315 <row>
1316 <entry><link linkend="roothint"/></entry>
1317 <entry>/var/lib/named/root.hint</entry>
1318 </row>
1319 <row>
1320 <entry><link linkend="abmasbiz"/></entry>
1321 <entry>/var/lib/named/master/abmas.biz.hosts</entry>
1322 </row>
1323 <row>
1324 <entry><link linkend="abmasus"/></entry>
1325 <entry>/var/lib/named/abmas.us.hosts</entry>
1326 </row>
1327 <row>
1328 <entry><link linkend="eth1zone"/></entry>
1329 <entry>/var/lib/named/192.168.1.0.rev</entry>
1330 </row>
1331 <row>
1332 <entry><link linkend="eth2zone"/></entry>
1333 <entry>/var/lib/named/192.168.2.0.rev</entry>
1334 </row>
1335 </tbody>
1336 </tgroup>
1337 </table>
1339 <example id="ch4namedcfg">
1340 <title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Master Section</title>
1341 <indexterm><primary>/etc/named.conf</primary></indexterm>
1342 <screen>
1343 ###
1344 # Abmas Biz DNS Control File
1345 ###
1346 # Date: November 15, 2003
1347 ###
1348 options {
1349 directory "/var/lib/named";
1350 forwarders {
1351 123.45.12.23;
1352 };
1353 forward first;
1354 listen-on {
1355 mynet;
1356 };
1357 auth-nxdomain yes;
1358 multiple-cnames yes;
1359 notify no;
1360 };
1362 zone "." in {
1363 type hint;
1364 file "root.hint";
1365 };
1367 zone "localhost" in {
1368 type master;
1369 file "localhost.zone";
1370 };
1372 zone "0.0.127.in-addr.arpa" in {
1373 type master;
1374 file "127.0.0.zone";
1375 };
1377 acl mynet {
1378 192.168.1.0/24;
1379 192.168.2.0/24;
1380 127.0.0.1;
1381 };
1383 acl seconddns {
1384 123.45.54.32;
1385 }
1387 </screen>
1388 </example>
1390 <example id="ch4namedvarfwd">
1391 <title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Forward Lookup Definition Section</title>
1392 <screen>
1393 zone "abmas.biz" {
1394 type master;
1395 file "/var/lib/named/master/abmas.biz.hosts";
1396 allow-query {
1397 mynet;
1398 };
1399 allow-transfer {
1400 mynet;
1401 };
1402 allow-update {
1403 mynet;
1404 };
1405 };
1407 zone "abmas.us" {
1408 type master;
1409 file "/var/lib/named/master/abmas.us.hosts";
1410 allow-query {
1411 all;
1412 };
1413 allow-transfer {
1414 seconddns;
1415 };
1416 };
1417 </screen>
1418 </example>
1420 <example id="ch4namedvarrev">
1421 <title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Reverse Lookup Definition Section</title>
1422 <screen>
1423 zone "1.168.192.in-addr.arpa" {
1424 type master;
1425 file "/var/lib/named/master/192.168.1.0.rev";
1426 allow-query {
1427 mynet;
1428 };
1429 allow-transfer {
1430 mynet;
1431 };
1432 allow-update {
1433 mynet;
1434 };
1435 };
1437 zone "2.168.192.in-addr.arpa" {
1438 type master;
1439 file "/var/lib/named/master/192.168.2.0.rev";
1440 allow-query {
1441 mynet;
1442 };
1443 allow-transfer {
1444 mynet;
1445 };
1446 allow-update {
1447 mynet;
1448 };
1449 };
1450 </screen>
1451 </example>
1453 <example id="eth1zone">
1454 <title>DNS 192.168.1 Reverse Zone File</title>
1455 <screen>
1456 $ORIGIN .
1457 $TTL 38400 ; 10 hours 40 minutes
1458 1.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
1459 2003021825 ; serial
1460 10800 ; refresh (3 hours)
1461 3600 ; retry (1 hour)
1462 604800 ; expire (1 week)
1463 38400 ; minimum (10 hours 40 minutes)
1464 )
1465 NS sleeth1.abmas.biz.
1466 $ORIGIN 1.168.192.in-addr.arpa.
1467 1 PTR sleeth1.abmas.biz.
1468 20 PTR qmsa.abmas.biz.
1469 30 PTR hplj6a.abmas.biz.
1470 </screen>
1471 </example>
1473 <example id="eth2zone">
1474 <title>DNS 192.168.2 Reverse Zone File</title>
1475 <screen>
1476 $ORIGIN .
1477 $TTL 38400 ; 10 hours 40 minutes
1478 2.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
1479 2003021825 ; serial
1480 10800 ; refresh (3 hours)
1481 3600 ; retry (1 hour)
1482 604800 ; expire (1 week)
1483 38400 ; minimum (10 hours 40 minutes)
1484 )
1485 NS sleeth2.abmas.biz.
1486 $ORIGIN 2.168.192.in-addr.arpa.
1487 1 PTR sleeth2.abmas.biz.
1488 20 PTR qmsf.abmas.biz.
1489 30 PTR hplj6f.abmas.biz.
1490 </screen>
1491 </example>
1493 <example id="abmasbiz">
1494 <title>DNS Abmas.biz Forward Zone File</title>
1495 <screen>
1496 $ORIGIN .
1497 $TTL 38400 ; 10 hours 40 minutes
1498 abmas.biz IN SOA sleeth1.abmas.biz. root.abmas.biz. (
1499 2003021833 ; serial
1500 10800 ; refresh (3 hours)
1501 3600 ; retry (1 hour)
1502 604800 ; expire (1 week)
1503 38400 ; minimum (10 hours 40 minutes)
1504 )
1505 NS dns.abmas.biz.
1506 MX 10 sleeth1.abmas.biz.
1507 $ORIGIN abmas.biz.
1508 sleeth1 A 192.168.1.1
1509 sleeth2 A 192.168.2.1
1510 qmsa A 192.168.1.20
1511 hplj6a A 192.168.1.30
1512 qmsf A 192.168.2.20
1513 hplj6f A 192.168.2.30
1514 dns CNAME sleeth1
1515 diamond CNAME sleeth1
1516 mail CNAME sleeth1
1517 </screen>
1518 </example>
1520 <example id="abmasus">
1521 <title>DNS Abmas.us Forward Zone File</title>
1522 <screen>
1523 $ORIGIN .
1524 $TTL 38400 ; 10 hours 40 minutes
1525 abmas.us IN SOA server.abmas.us. root.abmas.us. (
1526 2003021833 ; serial
1527 10800 ; refresh (3 hours)
1528 3600 ; retry (1 hour)
1529 604800 ; expire (1 week)
1530 38400 ; minimum (10 hours 40 minutes)
1531 )
1532 NS dns.abmas.us.
1533 NS dns2.abmas.us.
1534 MX 10 server.abmas.us.
1535 $ORIGIN abmas.us.
1536 server A 123.45.67.66
1537 dns2 A 123.45.54.32
1538 gw A 123.45.67.65
1539 www CNAME server
1540 mail CNAME server
1541 dns CNAME server
1542 </screen>
1543 </example>
1545 </para></step>
1547 <step><para>
1548 <indexterm><primary>/etc/resolv.conf</primary></indexterm><indexterm>
1549 <primary>name resolution</primary>
1550 </indexterm>
1551 All DNS name resolution should be handled locally. To ensure that the server is configured
1552 correctly to handle this, edit <filename>/etc/resolv.conf</filename> to have the following
1553 content:
1554 <screen>
1555 search abmas.us abmas.biz
1556 nameserver 127.0.0.1
1557 nameserver 123.45.54.23
1558 </screen>
1559 <indexterm>
1560 <primary>DNS server</primary>
1561 </indexterm>
1562 This instructs the name resolver function (when configured correctly) to ask the DNS server
1563 that is running locally to resolve names to addresses. In the event that the local name server
1564 is not available, ask the name server provided by the ISP. The latter, of course, does not resolve
1565 purely local names to IP addresses.
1566 </para></step>
1568 <step><para>
1569 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
1570 The final step is to edit the <filename>/etc/nsswitch.conf</filename> file.
1571 This file controls the operation of the various resolver libraries that are part of the Linux
1572 Glibc libraries. Edit this file so that it contains the following entries:
1573 <screen>
1574 hosts: files dns wins
1575 </screen>
1576 </para></step>
1577 </procedure>
1579 <para>
1580 The basic DHCP and DNS services are now ready for validation testing. Before you can proceed,
1581 there are a few more steps along the road. First, configure the print spooling and print
1582 processing system. Then you can configure the server so that all services
1583 start automatically on reboot. You must also manually start all services prior to validation testing.
1584 </para>
1586 </sect2>
1588 <sect2 id="ch4ptrcfg">
1589 <title>Printer Configuration</title>
1591 <para>
1592 </para>
1594 <procedure>
1595 <step><para>
1596 Configure each printer to be a DHCP client carefully following the manufacturer's guidelines.
1597 </para></step>
1599 <step><para>
1600 Follow the instructions in the printer manufacturers' manuals to permit printing to port 9100.
1601 Use any other port the manufacturer specifies for direct mode, raw printing and adjust the
1602 port as necessary in the following example commands.
1603 This allows the CUPS spooler to print using raw mode protocols.
1604 <indexterm><primary>CUPS</primary></indexterm>
1605 <indexterm><primary>raw printing</primary></indexterm>
1606 </para></step>
1608 <step><para>
1609 <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm><indexterm>
1610 <primary>lpadmin</primary>
1611 </indexterm>
1612 Configure the CUPS Print Queues as follows:
1613 <screen>
1614 &rootprompt; lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E
1615 &rootprompt; lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E
1616 &rootprompt; lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E
1617 &rootprompt; lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E
1618 </screen>
1619 <indexterm><primary>print filter</primary></indexterm>
1620 This has created the necessary print queues with no assigned print filter.
1621 </para></step>
1623 <step><para><indexterm>
1624 <primary>enable</primary>
1625 </indexterm>
1626 Print queues may not be enabled at creation. Use <command>lpc stat</command> to check
1627 the status of the print queues and if necessary make certain that the queues you have
1628 just created are enabled by executing the following:
1629 <screen>
1630 &rootprompt; /usr/bin/enable qmsa
1631 &rootprompt; /usr/bin/enable hplj6a
1632 &rootprompt; /usr/bin/enable qmsf
1633 &rootprompt; /usr/bin/enable hplj6f
1634 </screen>
1635 </para></step>
1637 <step><para><indexterm>
1638 <primary>accept</primary>
1639 </indexterm>
1640 Even though your print queues may be enabled, it is still possible that they
1641 are not accepting print jobs. A print queue services incoming printing
1642 requests only when configured to do so. Ensure that your print queues are
1643 set to accept incoming jobs by executing the following commands:
1644 <screen>
1645 &rootprompt; /usr/bin/accept qmsa
1646 &rootprompt; /usr/bin/accept hplj6a
1647 &rootprompt; /usr/bin/accept qmsf
1648 &rootprompt; /usr/bin/accept hplj6f
1649 </screen>
1650 </para></step>
1652 <step><para>
1653 <indexterm><primary>mime type</primary></indexterm>
1654 <indexterm><primary>/etc/mime.convs</primary></indexterm>
1655 <indexterm><primary>application/octet-stream</primary></indexterm>
1656 Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
1657 <screen>
1658 application/octet-stream application/vnd.cups-raw 0 -
1659 </screen>
1660 </para></step>
1662 <step><para>
1663 <indexterm><primary>/etc/mime.types</primary></indexterm>
1664 Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
1665 <screen>
1666 application/octet-stream
1667 </screen>
1668 </para></step>
1670 <step><para>
1671 Printing drivers are installed on each network client workstation.
1672 </para></step>
1673 </procedure>
1675 <para>
1676 The UNIX system print queues have been configured and are ready for validation testing.
1677 </para>
1679 </sect2>
1681 <sect2 id="procstart">
1682 <title>Process Startup Configuration</title>
1684 <para>
1685 <indexterm><primary>chkconfig</primary></indexterm>
1686 There are two essential steps to process startup configuration. First, the process
1687 must be configured so that it automatically restarts each time the server
1688 is rebooted. This step involves use of the <command>chkconfig</command> tool that
1689 creates the appropriate symbolic links from the master daemon control file that is
1690 located in the <filename>/etc/rc.d</filename> directory, to the <filename>/etc/rc'x'.d</filename>
1691 directories. Links are created so that when the system run-level is changed, the
1692 necessary start or kill script is run.
1693 </para>
1695 <para>
1696 <indexterm><primary>/etc/xinetd.d</primary></indexterm><indexterm>
1697 <primary>inetd</primary>
1698 </indexterm><indexterm>
1699 <primary>xinetd</primary>
1700 </indexterm><indexterm>
1701 <primary>chkconfig</primary>
1702 </indexterm><indexterm>
1703 <primary>super daemon</primary>
1704 </indexterm>
1705 In the event that a service is not run as a daemon, but via the inter-networking
1706 super daemon (<command>inetd</command> or <command>xinetd</command>), then the <command>chkconfig</command>
1707 tool makes the necessary entries in the <filename>/etc/xinetd.d</filename> directory
1708 and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to
1709 re-read its control files.
1710 </para>
1712 <para>
1713 Last, each service must be started to permit system validation to proceed.
1714 </para>
1716 <procedure>
1717 <step><para>
1718 Use the standard system tool to configure each service to restart
1719 automatically at every system reboot. For example:
1720 <indexterm><primary>chkconfig</primary></indexterm>
1721 <screen>
1722 &rootprompt; chkconfig dhpc on
1723 &rootprompt; chkconfig named on
1724 &rootprompt; chkconfig cups on
1725 &rootprompt; chkconfig smb on
1726 </screen>
1727 </para></step>
1729 <step><para>
1730 <indexterm><primary>starting dhcpd</primary></indexterm>
1731 <indexterm><primary>starting samba</primary></indexterm>
1732 <indexterm><primary>starting CUPS</primary></indexterm>
1733 Now start each service to permit the system to be validated.
1734 Execute each of the following in the sequence shown:
1736 <screen>
1737 &rootprompt; /etc/rc.d/init.d/dhcp restart
1738 &rootprompt; /etc/rc.d/init.d/named restart
1739 &rootprompt; /etc/rc.d/init.d/cups restart
1740 &rootprompt; /etc/rc.d/init.d/smb restart
1741 </screen>
1742 </para></step>
1743 </procedure>
1745 </sect2>
1747 <sect2 id="ch4valid">
1748 <title>Validation</title>
1750 <para><indexterm>
1751 <primary>validation</primary>
1752 </indexterm>
1753 Complex networking problems are most often caused by simple things that are poorly or incorrectly
1754 configured. The validation process adopted here should be followed carefully; it is the result of the
1755 experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should
1756 refrain from taking shortcuts, from making basic assumptions, and from not exercising due process
1757 and diligence in network validation. By thoroughly testing and validating every step in the process
1758 of network installation and configuration, you can save yourself from sleepless nights and restless
1759 days. A well debugged network is a foundation for happy network users and network administrators.
1760 Later in this book you learn how to make users happier. For now, it is enough to learn to
1761 validate. Let's get on with it.
1762 </para>
1764 <procedure>
1766 <step><para>
1767 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
1768 One of the most important facets of Samba configuration is to ensure that
1769 name resolution functions correctly. You can test name resolution
1770 with a few simple tests. The most basic name resolution is provided from the
1771 <filename>/etc/hosts</filename> file. To test its operation, make a
1772 temporary edit to the <filename>/etc/nsswitch.conf</filename> file. Using
1773 your favorite editor, change the entry for <constant>hosts</constant> to read:
1774 <screen>
1775 hosts: files
1776 </screen>
1777 When you have saved this file, execute the following command:
1778 <screen>
1779 &rootprompt; ping diamond
1780 PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
1781 64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms
1782 64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms
1783 64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms
1784 64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms
1786 --- sleeth1.abmas.biz ping statistics ---
1787 4 packets transmitted, 4 received, 0% packet loss, time 3016ms
1788 rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms
1789 </screen>
1790 This proves that name resolution via the <filename>/etc/hosts</filename> file
1791 is working.
1792 </para></step>
1794 <step><para>
1795 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
1796 So far, your installation is going particularly well. In this step we validate
1797 DNS server and name resolution operation. Using your favorite UNIX system editor,
1798 change the <filename>/etc/nsswitch.conf</filename> file so that the
1799 <constant>hosts</constant> entry reads:
1800 <screen>
1801 hosts: dns
1802 </screen>
1803 </para></step>
1805 <step><para>
1806 <indexterm><primary>named</primary></indexterm>
1807 Before you test DNS operation, it is a good idea to verify that the DNS server
1808 is running by executing the following:
1809 <screen>
1810 &rootprompt; ps ax | grep named
1811 437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log
1812 524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
1813 525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
1814 526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
1815 529 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
1816 540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
1817 2552 pts/2 S 0:00 grep named
1818 </screen>
1819 This means that we are ready to check DNS operation. Do so by executing:
1820 <indexterm><primary>ping</primary></indexterm>
1821 <screen>
1822 &rootprompt; ping diamond
1823 PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
1824 64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms
1825 64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms
1827 --- sleeth1.abmas.biz ping statistics ---
1828 2 packets transmitted, 2 received, 0% packet loss, time 999ms
1829 rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms
1830 </screen>
1831 You should take a few more steps to validate DNS server operation, as follows:
1832 <screen>
1833 &rootprompt; host -f diamond.abmas.biz
1834 sleeth1.abmas.biz has address 192.168.1.1
1835 </screen>
1836 <indexterm><primary>/etc/hosts</primary></indexterm>
1837 You may now remove the entry called <constant>diamond</constant> from the
1838 <filename>/etc/hosts</filename> file. It does not hurt to leave it there,
1839 but its removal reduces the number of administrative steps for this name.
1840 </para></step>
1842 <step><para>
1843 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
1844 WINS is a great way to resolve NetBIOS names to their IP address. You can test
1845 the operation of WINS by starting <command>nmbd</command> (manually, or by way
1846 of the Samba startup method shown in <link linkend="procstart"/>). You must edit
1847 the <filename>/etc/nsswitch.conf</filename> file so that the <constant>hosts</constant>
1848 entry is as follows:
1849 <screen>
1850 hosts: wins
1851 </screen>
1852 The next step is to make certain that Samba is running using <command>ps ax|grep mbd</command>, and then execute the following:
1853 <screen>
1854 &rootprompt; ping diamond
1855 PING diamond (192.168.1.1) 56(84) bytes of data.
1856 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms
1857 64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms
1858 </screen>
1859 <indexterm><primary>ping</primary></indexterm>
1860 Now that you can relax with the knowledge that all three major forms of name
1861 resolution to IP address resolution are working, edit the <filename>/etc/nsswitch.conf</filename>
1862 again. This time you add all three forms of name resolution to this file.
1863 Your edited entry for <constant>hosts</constant> should now look like this:
1864 <screen>
1865 hosts: file dns wins
1866 </screen>
1867 The system is looking good. Let's move on.
1868 </para></step>
1870 <step><para>
1871 It would give peace of mind to know that the DHCP server is running
1872 and available for service. You can validate DHCP services by running:
1874 <screen>
1875 &rootprompt; ps ax | grep dhcp
1876 2618 ? S 0:00 /usr/sbin/dhcpd ...
1877 8180 pts/2 S 0:00 grep dhcp
1878 </screen>
1879 This shows that the server is running. The proof of whether or not it is working
1880 comes when you try to add the first DHCP client to the network.
1881 </para></step>
1883 <step><para>
1884 <indexterm><primary>testparm</primary></indexterm>
1885 This is a good point at which to start validating Samba operation. You are
1886 content that name resolution is working for basic TCP/IP needs. Let's move on.
1887 If your &smb.conf; file has bogus options or parameters, this may cause Samba
1888 to refuse to start. The first step should always be to validate the contents
1889 of this file by running:
1890 <screen>
1891 &rootprompt; testparm -s
1892 Load smb config files from /etc/samba/smb.conf
1893 Processing section "[IPC$]"
1894 Processing section "[homes]"
1895 Processing section "[printers]"
1896 Processing section "[netlogon]"
1897 Processing section "[profiles]"
1898 Processing section "[accounts]"
1899 Processing section "[service]"
1900 Processing section "[apps]"
1901 Loaded services file OK.
1902 # Global parameters
1903 [global]
1904 workgroup = PROMISES
1905 netbios name = DIAMOND
1906 interfaces = eth1, eth2, lo
1907 bind interfaces only = Yes
1908 passdb backend = tdbsam
1909 pam password change = Yes
1910 passwd chat = *New*Password* %n\n \
1911 *Re-enter*new*password* %n\n *Password*changed*
1912 username map = /etc/samba/smbusers
1913 unix password sync = Yes
1914 log level = 1
1915 syslog = 0
1916 log file = /var/log/samba/%m
1917 max log size = 50
1918 smb ports = 139 445
1919 name resolve order = wins bcast hosts
1920 time server = Yes
1921 printcap name = CUPS
1922 show add printer wizard = No
1923 add user script = /usr/sbin/useradd -m %u
1924 delete user script = /usr/sbin/userdel -r %u
1925 add group script = /usr/sbin/groupadd %g
1926 delete group script = /usr/sbin/groupdel %g
1927 add user to group script = /usr/sbin/usermod -G %g %u
1928 add machine script = /usr/sbin/useradd \
1929 -s /bin/false -d /dev/null %u
1930 shutdown script = /var/lib/samba/scripts/shutdown.sh
1931 abort shutdown script = /sbin/shutdown -c
1932 logon script = scripts\logon.bat
1933 logon path = \\%L\profiles\%U
1934 logon drive = X:
1935 logon home = \\%L\%U
1936 domain logons = Yes
1937 preferred master = Yes
1938 wins support = Yes
1939 utmp = Yes
1940 winbind use default domain = Yes
1941 map acl inherit = Yes
1942 printing = cups
1943 veto files = /*.eml/*.nws/riched20.dll/*.{*}/
1944 veto oplock files = /*.doc/*.xls/*.mdb/
1946 [IPC$]
1947 path = /tmp
1948 hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1
1949 hosts deny = 0.0.0.0/0
1950 ...
1951 ### Remainder cut to save space ###
1952 </screen>
1953 Clear away all errors before proceeding.
1954 </para></step>
1956 <step><para>
1957 <indexterm><primary>check samba daemons</primary></indexterm>
1958 <indexterm><primary>smbd</primary></indexterm>
1959 <indexterm><primary>nmbd</primary></indexterm>
1960 <indexterm><primary>winbindd</primary></indexterm>
1961 Check that the Samba server is running:
1962 <screen>
1963 &rootprompt; ps ax | grep mbd
1964 14244 ? S 0:00 /usr/sbin/nmbd -D
1965 14245 ? S 0:00 /usr/sbin/nmbd -D
1966 14290 ? S 0:00 /usr/sbin/smbd -D
1968 $rootprompt; ps ax | grep winbind
1969 14293 ? S 0:00 /usr/sbin/winbindd -B
1970 14295 ? S 0:00 /usr/sbin/winbindd -B
1971 </screen>
1972 The <command>winbindd</command> daemon is running in split mode (normal), so there are also
1973 two instances<footnote>For more information regarding winbindd, see <emphasis>TOSHARG</emphasis>,
1974 Chapter 20, Section 20.3. The single instance of <command>smbd</command> is normal. One additional
1975 <command>smbd</command> slave process is spawned for each SMB/CIFS client
1976 connection.</footnote> of it.
1977 </para></step>
1979 <step><para>
1980 <indexterm><primary>anonymous
1981 connection</primary></indexterm>
1982 <indexterm>
1983 <primary>smbclient</primary>
1984 </indexterm>
1985 Check that an anonymous connection can be made to the Samba server:
1986 <screen>
1987 &rootprompt; smbclient -L localhost -U%
1989 Sharename Type Comment
1990 --------- ---- -------
1991 IPC$ IPC IPC Service (Samba 3.0.2)
1992 netlogon Disk Network Logon Service
1993 profiles Disk Profile Share
1994 accounts Disk Accounting Files
1995 service Disk Financial Services Files
1996 apps Disk Application Files
1997 ADMIN$ IPC IPC Service (Samba 3.0.2)
1998 hplj6a Printer hplj6a
1999 hplj6f Printer hplj6f
2000 qmsa Printer qmsa
2001 qmsf Printer qmsf
2003 Server Comment
2004 --------- -------
2005 DIAMOND Samba CVS 3.0.2
2007 Workgroup Master
2008 --------- -------
2009 PROMISES DIAMOND
2010 </screen>
2011 This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent
2012 of browsing the server from a Windows client to obtain a list of shares on the server.
2013 The <constant>-U%</constant> argument means "send a <constant>NULL</constant> username and
2014 a <constant>NULL</constant> password."
2015 </para></step>
2017 <step><para>
2018 <indexterm><primary>dhcp client validation</primary></indexterm>
2019 <indexterm><primary>printer validation</primary></indexterm>
2020 <indexterm><primary>arp</primary></indexterm>
2021 Verify that each printer has the IP address assigned in the DHCP server configuration file.
2022 The easiest way to do this is to ping the printer name. Immediately after the ping response
2023 has been received, execute <command>arp -a</command> to find the MAC address of the printer
2024 that has responded. Now you can compare the IP address and the MAC address of the printer
2025 with the configuration information in the <filename>/etc/dhcpd.conf</filename> file. They
2026 should, of course, match. For example:
2027 <screen>
2028 &rootprompt; ping hplj6
2029 PING hplj6a (192.168.1.30) 56(84) bytes of data.
2030 64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms
2032 &rootprompt; arp -a
2033 hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0
2034 </screen>
2035 <indexterm>
2036 <primary>/etc/dhcpd.conf</primary>
2037 </indexterm>
2038 The MAC address <constant>00:03:47:CB:81:E0</constant> matches that specified for the
2039 IP address from which the printer has responded and with the entry for it in the
2040 <filename>/etc/dhcpd.conf</filename> file. Repeat this for each printer configured.
2041 </para></step>
2043 <step><para>
2044 <indexterm><primary>authenticated connection</primary></indexterm>
2045 Make an authenticated connection to the server using the <command>smbclient</command> tool:
2046 <screen>
2047 &rootprompt; smbclient //diamond/accounts -U gholmes
2048 Password: XXXXXXX
2049 smb: \> dir
2050 . D 0 Thu Nov 27 15:07:09 2003
2051 .. D 0 Sat Nov 15 17:40:50 2003
2052 zakadmin.exe 161424 Thu Nov 27 15:06:52 2003
2053 zak.exe 6066384 Thu Nov 27 15:06:52 2003
2054 dhcpd.conf 1256 Thu Nov 27 15:06:52 2003
2055 smb.conf 2131 Thu Nov 27 15:06:52 2003
2056 initGrps.sh A 1089 Thu Nov 27 15:06:52 2003
2057 POLICY.EXE 86542 Thu Nov 27 15:06:52 2003
2059 55974 blocks of size 65536. 33968 blocks available
2060 smb: \> q
2061 </screen>
2062 </para></step>
2064 <step><para>
2065 <indexterm><primary>nmap</primary></indexterm>
2066 Your new server is connected to an Internet accessible connection. Before you start
2067 your firewall, you should run a port scanner against your system. You should repeat that
2068 after the firewall has been started. This helps you understand what extent the
2069 server may be vulnerable to external attack. One way you can do this is by using an
2070 external service provided such as the <ulink url="http://www.dslreports.com/scan">DSL Reports</ulink>
2071 tools. Alternately, if you can gain root-level access to a remote
2072 UNIX/Linux system that has the <command>nmap</command> tool, you can run this as follows:
2073 <screen>
2074 &rootprompt; nmap -v -sT server.abmas.us
2076 Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
2077 Host server.abmas.us (123.45.67.66) appears to be up ... good.
2078 Initiating Connect() Scan against server.abmas.us (123.45.67.66)
2079 Adding open port 6000/tcp
2080 Adding open port 873/tcp
2081 Adding open port 445/tcp
2082 Adding open port 10000/tcp
2083 Adding open port 901/tcp
2084 Adding open port 631/tcp
2085 Adding open port 25/tcp
2086 Adding open port 111/tcp
2087 Adding open port 32770/tcp
2088 Adding open port 3128/tcp
2089 Adding open port 53/tcp
2090 Adding open port 80/tcp
2091 Adding open port 443/tcp
2092 Adding open port 139/tcp
2093 Adding open port 22/tcp
2094 The Connect() Scan took 0 seconds to scan 1601 ports.
2095 Interesting ports on server.abmas.us (123.45.67.66):
2096 (The 1587 ports scanned but not shown below are in state: closed)
2097 Port State Service
2098 22/tcp open ssh
2099 25/tcp open smtp
2100 53/tcp open domain
2101 80/tcp open http
2102 111/tcp open sunrpc
2103 139/tcp open netbios-ssn
2104 443/tcp open https
2105 445/tcp open microsoft-ds
2106 631/tcp open ipp
2107 873/tcp open rsync
2108 901/tcp open samba-swat
2109 3128/tcp open squid-http
2110 6000/tcp open X11
2111 10000/tcp open snet-sensor-mgmt
2112 32770/tcp open sometimes-rpc3
2114 Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
2115 </screen>
2116 The above scan was run before the external interface was locked down with the NAT-firewall
2117 script you created above. The following results are obtained after the firewall rules
2118 have been put into place:
2119 <screen>
2120 &rootprompt; nmap -v -sT server.abmas.us
2122 Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
2123 Host server.abmas.us (123.45.67.66) appears to be up ... good.
2124 Initiating Connect() Scan against server.abmas.us (123.45.67.66)
2125 Adding open port 53/tcp
2126 Adding open port 22/tcp
2127 The Connect() Scan took 168 seconds to scan 1601 ports.
2128 Interesting ports on server.abmas.us (123.45.67.66):
2129 (The 1593 ports scanned but not shown below are in state: filtered)
2130 Port State Service
2131 22/tcp open ssh
2132 25/tcp closed smtp
2133 53/tcp open domain
2134 80/tcp closed http
2135 443/tcp closed https
2137 Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
2138 </screen>
2139 </para></step>
2141 </procedure>
2143 </sect2>
2145 <sect2 id="ch4appscfg">
2146 <title>Application Share Configuration</title>
2148 <para><indexterm>
2149 <primary>application server</primary>
2150 </indexterm><indexterm>
2151 <primary>administrative installation</primary>
2152 </indexterm>
2153 The use of an application server is a key mechanism by which desktop administration overheads
2154 can be reduced. Check the application manual for your software to identify how best to
2155 create an administrative installation.
2156 </para>
2158 <para>
2159 Some Windows software will only run locally on the desktop computer. Such software
2160 is typically not suited for administrative installation. Administratively installed software
2161 permits one or more of the following installation choices:
2162 </para>
2164 <itemizedlist>
2165 <listitem><para>
2166 Install software fully onto a workstation, storing data files on the same workstation.
2167 </para></listitem>
2169 <listitem><para>
2170 Install software fully onto a workstation with central network data file storage.
2171 </para></listitem>
2173 <listitem><para>
2174 Install software to run off a central application server with data files stored
2175 on the local workstation. This is often called a minimum installation, or a
2176 network client installation.
2177 </para></listitem>
2179 <listitem><para>
2180 Install software to run off a central application server with data files stored
2181 on a central network share. This type of installation often prevents storage
2182 of work files on the local workstation.
2183 </para></listitem>
2184 </itemizedlist>
2186 <para><indexterm>
2187 <primary></primary>
2188 </indexterm>
2189 A common application deployed in this environment is an office suite.
2190 Enterprise editions of Microsoft Office XP Professional can be administratively installed
2191 by launching the installation from a command shell. The command that achieves this is:
2192 <command>setup /a</command>. It results in a set of prompts through which various
2193 installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource
2194 Kit for more information regarding this mode of installation of MS Office XP Professional.
2195 The full administrative installation of MS Office XP Professional requires approximately
2196 650 MB of disk space.
2197 </para>
2199 <para>
2200 When the MS Office XP Professional product has been installed to the administrative network
2201 share, the product can be installed onto a workstation by executing the normal setup program.
2202 The installation process now provides a choice to either perform a minimum installation
2203 or a full local installation. A full local installation takes over 100 MB of disk space.
2204 A network workstation (minimum) installation requires typically 10-15 MB of
2205 local disk space. In the later case, when the applications are used, they load over the network.
2206 </para>
2208 <para><indexterm>
2209 <primary>Service Packs</primary>
2210 </indexterm><indexterm>
2211 <primary>Microsoft Office</primary>
2212 </indexterm>
2213 Microsoft Office Service Packs can be unpacked to update an administrative share. This makes
2214 it possible to update MS Office XP Professional for all users from a single installation
2215 of the service pack and generally circumvents the need to run updates on each network
2216 Windows client.
2217 </para>
2219 <para>
2220 The default location for MS Office XP Professional data files can be set through registry
2221 editing or by way of configuration options inside each Office XP Professional application.
2222 </para>
2224 <para><indexterm>
2225 <primary>OpenOffice</primary>
2226 </indexterm>
2227 OpenOffice.Org OpenOffice Version 1.1.0 is capable of being installed locally. It can also
2228 be installed to run off a network share. The latter is a most desirable solution for office-bound
2229 network users and for administrative staff alike. It permits quick and easy updates
2230 to be rolled out to all users with a minimum of disruption and with maximum flexibility.
2231 </para>
2233 <para>
2234 The process for installation of administrative shared OpenOffice involves download of the
2235 distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area.
2236 When fully extracted using the un-zipping tool of your choosing, change into the Windows
2237 installation files directory then execute <command>setup -net</command>. You are
2238 prompted on screen for the target installation location. This is the administrative
2239 share point. The full administrative OpenOffice share takes approximately 150 MB of disk
2240 space.
2241 </para>
2243 <sect3>
2244 <title>Comments Regarding Software Terms of Use</title>
2245 <para>
2246 Many single-user products can be installed into an administrative share, but
2247 personal versions of products such as Microsoft Office XP Professional do not permit this.
2248 Many people do not like terms of use typical with commercial products, so a few comments
2249 regarding software licensing seem important and thus are included below.
2250 </para>
2252 <para>
2253 Please do not use an administrative installation of proprietary and commercially licensed
2254 software products to violate the copyright holders' property. All software is licensed,
2255 particularly software that is licensed for use free of charge. All software is the property
2256 of the copyright holder, unless the author and/or copyright holder has explicitly disavowed
2257 ownership and has placed the software into the public domain.
2258 </para>
2260 <para>
2261 Software that is under the GNU General Public License, like proprietary software, is
2262 licensed in a way that restricts use. For example, if you modify GPL software and then
2263 distribute the binary version of your modifications, you must offer to provide the source
2264 code as well. This is a form of restriction that is designed to maintain the momentum
2265 of the diffusion of technology and to protect against the withholding of innovations.
2266 </para>
2268 <para>
2269 Commercial and proprietary software generally restrict use to those who have paid the
2270 license fees and who comply with the licensee's terms of use. Software that is released
2271 under the GNU General Public License is restricted to particular terms and conditions
2272 also. Whatever the licensing terms may be, if you do not approve of the terms of use,
2273 please do not use the software.
2274 </para>
2276 <para><indexterm>
2277 <primary>GPL</primary>
2278 </indexterm>
2279 Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided
2280 with the source code.
2281 </para>
2282 </sect3>
2284 </sect2>
2286 <sect2 id="ch4wincfg">
2287 <title>Windows Client Configuration</title>
2289 <para>
2290 Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs
2291 to reinstall many of the notebook computers that will be recycled for use with the new network
2292 configuration. The smartest way to handle the challenge of the roll-out program is to build
2293 a staged system for each type of target machine, and then use an image replication tool such as Norton
2294 Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can
2295 be done with notebook computers as long as they are identical or sufficiently similar.
2296 </para>
2298 <procedure>
2299 <step><para>
2300 Install MS Windows XP Professional. During installation, configure the client to use DHCP for
2301 TCP/IP protocol configuration.
2302 <indexterm><primary>WINS</primary></indexterm>
2303 <indexterm><primary>DHCP</primary></indexterm>
2304 DHCP configures all Windows clients to use the WINS Server address that has been defined
2305 for the local subnet.
2306 </para></step>
2308 <step><para>
2309 Join the Windows Domain <constant>PROMISES</constant>. Use the Domain Administrator
2310 user name <constant>root</constant> and the SMB password you assigned to this account.
2311 A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
2312 a Windows Domain is given in <link linkend="domjoin"/>.
2313 Reboot the machine as prompted and then logon using the Domain Administrator account
2314 (<constant>root</constant>.
2315 </para></step>
2317 <step><para>
2318 Verify <constant>DIAMOND</constant> is visible in <guimenu>My Network Places</guimenu>,
2319 that it is possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>,
2320 <guimenuitem>apps</guimenuitem>, and <guimenuitem>finsvcs</guimenuitem>,
2321 and that it is possible to open each share to reveal its contents.
2322 </para></step>
2324 <step><para>
2325 Create a drive mapping to the <constant>apps</constant> share on the server <constant>DIAMOND</constant>.
2326 </para></step>
2328 <step><para>
2329 Perform an administrative installation of each application to be used. Select the options
2330 that you wish to use. Of course, you can choose to run applications over the network, correct?
2331 </para></step>
2333 <step><para>
2334 Now install all applications to be installed locally. Typical tools includes: Adobe Acrobat,
2335 NTP-based time synchronization software, drivers for specific local devices such as finger-print
2336 scanners, and the like. Probably the most significant application for local installation
2337 is anti-virus software.
2338 </para></step>
2340 <step><para>
2341 Now install all four printers onto the staging system. The printers you install
2342 include the Accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will
2343 also configure identical printers that are located in the financial services department.
2344 Install printers on each machine using the following steps:
2346 <procedure>
2347 <step><para>
2348 Click <menuchoice>
2349 <guimenu>Start</guimenu>
2350 <guimenuitem>Settings</guimenuitem>
2351 <guimenuitem>Printers</guimenuitem>
2352 <guiicon>Add Printer</guiicon>
2353 <guibutton>Next</guibutton>
2354 </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
2355 Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
2356 </para></step>
2358 <step><para>
2359 Click <guibutton>Next</guibutton>. In the panel labeled
2360 <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>.
2361 In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
2362 <constant>HP LaserJet 6</constant>. Click <guibutton>Next</guibutton>.
2363 </para></step>
2365 <step><para>
2366 In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select
2367 <constant>FILE:</constant>. Accept the default printer name by clicking
2368 <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
2369 test page?,</quote> click <guimenuitem>No</guimenuitem>. Click
2370 <guibutton>Finish</guibutton>.
2371 </para></step>
2373 <step><para>
2374 You may be prompted for the name of a file to print to. If so, close the
2375 dialog panel. Right-click <menuchoice>
2376 <guiicon>HP LaserJet 6</guiicon>
2377 <guimenuitem>Properties</guimenuitem>
2378 <guimenusub>Details (Tab)</guimenusub>
2379 <guimenubutton>Add Port</guimenubutton>
2380 </menuchoice>.
2381 </para></step>
2383 <step><para>
2384 In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of
2385 the print queue on the Samba server as follows: <constant>\\DIAMOND\hplj6a</constant>.
2386 Click <menuchoice>
2387 <guibutton>OK</guibutton>
2388 <guibutton>OK</guibutton>
2389 </menuchoice> to complete the installation.
2390 </para></step>
2392 <step><para>
2393 Repeat the printer installation steps above for both HP LaserJet 6 printers
2394 as well as for both QMS Magicolor laser printers.
2395 </para></step>
2396 </procedure>
2397 </para></step>
2399 <step><para><indexterm>
2400 <primary>defragmentation</primary>
2401 </indexterm>
2402 When you are satisfied that the staging systems are complete, use the appropriate procedure to
2403 remove the client from the domain. Reboot the system and then log on as the local administrator
2404 and clean out all temporary files stored on the system. Before shutting down, use the disk
2405 defragmentation tool so that the file system is in an optimal condition before replication.
2406 </para></step>
2408 <step><para>
2409 Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the
2410 machine to a network share on the server.
2411 </para></step>
2413 <step><para><indexterm>
2414 <primary>Windows security identifier</primary>
2415 <see>SID</see>
2416 </indexterm><indexterm>
2417 <primary>SID</primary>
2418 </indexterm>
2419 You may now replicate the image to the target machines using the appropriate Norton Ghost
2420 procedure. Make sure to use the procedure that ensures each machine has a unique
2421 Windows security identifier (SID). When the installation of the disk image has completed, boot the PC.
2422 </para></step>
2424 <step><para>
2425 Log onto the machine as the local Administrator (the only option), and join the machine to
2426 the Domain following the procedure set out in <link linkend="domjoin"/>. The system is now
2427 ready for the user to logon, providing you have created a network logon account for that
2428 user, of course.
2429 </para></step>
2431 <step><para>
2432 Instruct all users to log onto the workstation using their assigned user name and password.
2433 </para></step>
2434 </procedure>
2436 </sect2>
2438 <sect2>
2439 <title>Key Points Learned</title>
2441 <para>
2442 How do you feel, Bob? You have built a capable network, a truly ambitious project.
2443 Just as well, you have Christine to help you. Future network updates can be handled by
2444 your staff. You must be a satisfied manager. Let's review the achievements.
2445 </para>
2447 <itemizedlist>
2448 <listitem><para>
2449 A simple firewall has been configured to protect the server in the event that
2450 the ISP firewall service should fail.
2451 </para></listitem>
2453 <listitem><para>
2454 The Samba configuration uses measures to ensure that only local network users
2455 can connect to SMB/CIFS services.
2456 </para></listitem>
2458 <listitem><para>
2459 Samba uses the new <constant>tdbsam</constant> passdb backend facility.
2460 Considerable complexity was added to Samba functionality.
2461 </para></listitem>
2463 <listitem><para>
2464 A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS
2465 server.
2466 </para></listitem>
2468 <listitem><para>
2469 The DNS server was configured to permit DDNS only for local network clients. This
2470 server also provides primary DNS services for the company Internet presence.
2471 </para></listitem>
2473 <listitem><para>
2474 You introduced an application server, as well as the concept of cloning a Windows
2475 client in order to effect improved standardization of desktops and to reduce
2476 the costs of network management.
2477 </para></listitem>
2478 </itemizedlist>
2480 </sect2>
2482 </sect1>
2484 <sect1>
2485 <title>Questions and Answers</title>
2487 <para>
2488 </para>
2490 <qandaset defaultlabel="chap04qa" type="number">
2491 <qandaentry>
2492 <question>
2494 <para>
2495 What is the maximum number of account entries that the <parameter>tdbsam</parameter> passdb backend can handle?
2496 </para>
2498 </question>
2499 <answer>
2501 <para>
2502 The tdb data structure and support system can handle more entries than the number of accounts
2503 that are possible on most UNIX systems. There is a practical limit that would come into play
2504 long before a performance boundary would be anticipated. That practical limit is controlled
2505 by the nature of Windows networking. There are few Windows file and print servers
2506 that can handle more than a few hundred concurrent client connections. The key limiting factors
2507 that predicate off-loading of services to additional servers are memory capacity, the number
2508 of CPUs, network bandwidth, and disk I/O limitations. All of these are readily exhausted by
2509 just a few hundred concurrent active users. Such bottlenecks can best be removed by segmentation
2510 of the network (distributing network load across multiple networks).
2511 </para>
2512 <para>
2513 As the network grows, it becomes necessary to provide additional authentication servers (domain
2514 controllers). The tdbsam is limited to a single machine and cannot be reliably replicated.
2515 This means that practical limits on network design dictate the point at which a distributed
2516 passdb backend is required; at this time, there is no real alternative other than ldapsam (LDAP).
2517 </para>
2519 <para>
2520 The guideline provided in <emphasis>TOSHARG</emphasis>, Chapter 10, Section 10.1.2, is to limit the number of accounts
2521 in the tdbsam backend to 250. This is the point at which most networks tend to want backup domain
2522 controllers (BDCs). Samba-3 does not provide a mechanism for replicating tdbsam data so it can be used
2523 by a BDC. The limitation of 250 users per tdbsam is predicated only on the need for replication
2524 not on the limits<footnote>Bench tests have shown that tdbsam is a very effective database technology.
2525 There is surprisingly little performance loss even with over 4000 users.</footnote> of the tdbsam backend itself.
2526 </para>
2528 </answer>
2529 </qandaentry>
2531 <qandaentry>
2532 <question>
2534 <para>
2535 Would Samba operate any better if the OS Level is set to a value higher than 35?
2536 </para>
2538 </question>
2539 <answer>
2541 <para>
2542 No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value
2543 of 35 already assures Samba of precedence over MS Windows products in browser elections. There is
2544 no gain to be had from setting this higher.
2545 </para>
2547 </answer>
2548 </qandaentry>
2550 <qandaentry>
2551 <question>
2553 <para>
2554 Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
2555 </para>
2557 </question>
2558 <answer>
2560 <para>
2561 At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at
2562 a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special
2563 Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups.
2564 </para>
2566 </answer>
2567 </qandaentry>
2569 <qandaentry>
2570 <question>
2572 <para>
2573 Why has a path been specified in the <parameter>IPC$</parameter> share?
2574 </para>
2576 </question>
2577 <answer>
2579 <para>
2580 This is done so that in the event that a software bug may permit a client connection to the IPC$ share to
2581 obtain access to the file system, it does so at a location that presents least risk. Under normal operation
2582 this type of paranoid step should not be necessary. The use of this parameter should not be necessary.
2583 </para>
2585 </answer>
2586 </qandaentry>
2588 <qandaentry>
2589 <question>
2591 <para>
2592 Why does the &smb.conf; file in this exercise include an entry for <smbconfoption><name>smb ports</name></smbconfoption>?
2593 </para>
2595 </question>
2596 <answer>
2598 <para>
2599 The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port
2600 used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS
2601 over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By
2602 specifying the use of port 139 before port 445, the intent is to reduce unsuccessful service connection attempts.
2603 The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain
2604 member, the default behavior is highly beneficial and should not be changed.
2605 </para>
2607 </answer>
2608 </qandaentry>
2610 <qandaentry>
2611 <question>
2613 <para>
2614 What is the difference between a print queue and a printer?
2615 </para>
2617 </question>
2618 <answer>
2620 <para>
2621 A printer is a physical device that is connected either directly to the network or to a computer
2622 via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a
2623 hard copy printout. Network attached printers that use TCP/IP-based printing generally accept a
2624 single print data stream and block all secondary attempts to dispatch jobs concurrently to the
2625 same device. If many clients were to concurrently print directly via TCP/IP to the same printer,
2626 it would result in a huge amount of network traffic through continually failing connection attempts.
2627 </para>
2629 <para>
2630 A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or
2631 print requests. When the data stream has been fully received the input stream is closed,
2632 the job is then submitted to a sequential print queue where the job is stored until
2633 the printer is ready to receive the job.
2634 </para>
2636 </answer>
2637 </qandaentry>
2639 <qandaentry>
2640 <question>
2642 <para>
2643 Can all MS Windows application software be installed onto an application server share?
2644 </para>
2646 </question>
2647 <answer>
2649 <para>
2650 Much older Windows software is not compatible with installation to and execution off
2651 an application server. Enterprise versions of Microsoft Office XP Professional can
2652 be installed to an application server. Retail consumer versions of Microsoft Office XP
2653 Professional do not permit installation to an application server share and can be installed
2654 and used only to/from a local workstation hard disk.
2655 </para>
2657 </answer>
2658 </qandaentry>
2660 <qandaentry>
2661 <question>
2663 <para>
2664 Why use dynamic DNS (DDNS)?
2665 </para>
2667 </question>
2668 <answer>
2670 <para>
2671 When DDNS records are updated directly from the DHCP server, it is possible for
2672 network clients that are not NetBIOS enabled, and thus cannot use WINS, to locate
2673 Windows clients via DNS.
2674 </para>
2676 </answer>
2677 </qandaentry>
2679 <qandaentry>
2680 <question>
2682 <para>
2683 Why would you use WINS as well as DNS-based name resolution?
2684 </para>
2686 </question>
2687 <answer>
2689 <para>
2690 WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is
2691 a name like <quote>myhost.mydomain.tld,</quote> where <parameter>tld</parameter>
2692 means <constant>top level domain</constant>. A FQDN is a long hand but easy to remember
2693 expression that may be up to 1024 characters in length and that represents an IP address.
2694 A NetBIOS name is always 16 characters long. The 16<superscript>th</superscript> character
2695 is a name type indicator. A specific name type is registered<footnote>
2696 See <emphasis>TOSHARG</emphasis>, Chapter 9 for more information.</footnote> for each
2697 type of service that is provided by the Windows server or client and that may be registered
2698 where a WINS server is in use.
2699 </para>
2701 <para>
2702 WINS is a mechanism by which a client may locate the IP Address that corresponds to a
2703 NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name
2704 that includes a particular registered NetBIOS name type. DNS does not provide a mechanism
2705 that permits handling of the NetBIOS name type information.
2706 </para>
2708 <para>
2709 DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular
2710 hostname or service name that has been registered in the DNS database for a particular domain.
2711 A DNS server has limited scope of control and is said to be authoritative for the zone over
2712 which it has control.
2713 </para>
2715 <para>
2716 Windows 200x Active Directory requires the registration in the DNS zone for the domain it
2717 controls of service locator<footnote>See TOSHARG, Chapter 9, Section 9.3.3</footnote> records
2718 that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also
2719 requires the registration of special records that are called global catalog (GC) entries
2720 and site entries by which domain controllers and other essential ADS servers may be located.
2721 </para>
2723 </answer>
2724 </qandaentry>
2726 <qandaentry>
2727 <question>
2729 <para>
2730 What are the major benefits of using an application server?
2731 </para>
2733 </question>
2734 <answer>
2736 <para>
2737 The use of an application server can significantly reduce application update maintenance.
2738 By providing a centralized application share, software updates need be applied to only
2739 one location for all major applications used. This results in faster update roll-outs and
2740 significantly better application usage control.
2741 </para>
2743 </answer>
2744 </qandaentry>
2746 </qandaset>
2748 </sect1>
2750 </chapter>