1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
5 <!-- Stuff for xincludes -->
6 <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
9 <!-- entities files to use -->
10 <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
15 <chapter id="Big500users">
16 <title>The 500-User Office</title>
19 The Samba-3 networking you explored in the previous chapter covers the finer points of
20 configuration of peripheral services such as DHCP and DNS, and WINS. You experienced
21 implementation of a simple configuration of the services that are important adjuncts
22 to successful deployment of Samba.
26 An analysis of the history of postings to the Samba mailing list easily demonstrates
27 that the two most prevalent Samba problem areas are:
32 Defective resolution of a NetBIOS name to its IP address
42 The next chapter deals with more complex printing configurations. The exercises
43 so far in this book have focused on implementation of the simplest printing processes
44 involving no print job processing intelligence. In this chapter, you maintain
45 that same approach to printing, but in the following chapter, there is an opportunity
46 to make printing more complex for the administrator while making it easier for the user.
50 <primary>WINS server</primary>
51 </indexterm><indexterm>
52 <primary>tdbsam</primary>
53 </indexterm><indexterm>
54 <primary>passdb backend</primary>
56 The previous chapter demonstrates operation of a DHCP server and a DNS server,
57 as well as a central WINS server. You validated the operation of these services and
58 saw an effective implementation of a Samba Domain Controller using the
59 <parameter>tdbsam</parameter> passdb backend.
63 The objective of this chapter is to introduce more complex techniques that can be used to
64 improve manageability of Samba as networking needs grow. In this chapter, you implement
65 a distributed DHCP server environment, a distributed DNS server arrangement, a centralized
66 WINS server, and a centralized Samba Domain Controller.
70 A note of caution is important regarding the Samba configuration that is used in this
71 chapter. The use of a single Domain Controller on a routed, multi-segment network is
72 a poor design choice that leads to potential network user complaints. As stated
73 in the paragraph above, the objective in this chapter is to demonstrate some successful
74 techniques in deployment and configuration management. This should be viewed as a
75 foundation chapter for complex Samba deployments.
79 As you master the techniques presented here, you may find much better methods to
80 improve network management and control while reducing human resource overheads.
81 You should take the opportunity to innovate and expand on the methods presented
82 here and explore them to the fullest.
86 <title>Introduction</title>
89 Business continues to go well for Abmas. Mr. Meany is driving your success and the
90 network continues to grow thanks to the hard work Christine has done. You recently
91 hired Stanley Soroka as Manager of Information Systems. Christine recommended Stan
92 to the role. She told you Stan is so good at handling Samba that he can make a cast
93 iron rocking horse that is embedded in concrete kick like a horse at a rodeo. You
94 need skills like his. Christine and Stan get along just fine. Let's see what
95 you can get out of this pair as they plot the next generation networks.
99 Ten months ago Abmas closed an acquisition of a property insurance business. The
100 founder lost interest in the business and decided to sell it to Mr. Meany.
101 Because they were former university classmates, the purchase was concluded with mutual assent. The
102 acquired business is located at the other end of town in much larger facilities.
103 The old Abmas building has become too small. Located on the same campus as the
104 newly acquired business are two empty buildings that are ideal to provide
105 Abmas with opportunity for growth.
109 Abmas has now completed the purchase of the two empty buildings and you are
110 to install a new network and relocate staff in nicely furnished new facilities.
111 The new network is to be used to fully integrate company operations. You have
112 decided to locate the new network operations control center in the larger building
113 in which the insurance group is located to take advantage of an ideal floor space
114 and to allow Stan and Christine to fully stage the new network and test it before
115 it is rolled out. Your strategy is to complete the new network so that it
116 is ready for operation when the old office moves into the new premises.
120 <title>Assignment Tasks</title>
123 The acquired business had 280 network users. The old Abmas building housed
124 220 network users in unbelievably cramped conditions. The network that
125 initially served 130 users now handles 220 users quite well.
129 The two businesses will be fully merged to create a single campus company.
130 The Property Insurance Group (PIG) houses 300 employees, the new Accounting
131 Services Group (ASG) will be in a small building (BLDG1) that houses 50
132 employees, and the Financial Services Group (FSG) will be housed in a large
133 building that has capacity for growth (BLDG2). Building 2 houses 150 network
138 You have decided to connect the building using fiber optic links between new
139 routers. As a backup, the buildings are interconnected using line-of-sight
140 high-speed infrared facilities. The infrared connection provides a
141 secondary route to be used during periods of high demand for network
146 The Internet gateway is upgraded to 15 Megabit/sec service. Your ISP
147 provides on your premises a fully managed Cisco PIX firewall. You no longer need
148 to worry about firewall facilities on your network.
152 Stanley Soroka and Christine have purchased new server hardware. Christine wants to
153 roll out a network that has whistles and bells. Stan wants to start off with
154 a simple to manage, not-too-complex network. He is of the opinion that network
155 users need to be gradually introduced to new features and capabilities and not
156 rushed into an environment that may cause disorientation and loss of productivity.
160 Your intrepid network team has decided to implement a network configuration
161 that closely mirrors the successful system you installed in the old Abmas building.
162 The new network infrastructure is owned by Abmas, but all desktop systems
163 are being procured through a new out-source services and leasing company. Under
164 the terms of a deal with Mr. M. Proper (CEO), DirectPointe Inc., provides
165 all desktop systems and includes full level-one Help desk support for
166 a flat per-machine monthly fee. The deal allows you to add workstations on demand.
167 This frees Stan and Christine to deal with deeper issues as they emerge and
168 permits Stan to work on creating new future value-added services.
172 DirectPointe Inc. receives from you a new standard desktop configuration
173 every four months. They automatically roll that out to each desktop system.
174 You must keep DirectPointe informed of all changes.
178 <primary>PDC</primary>
180 The new network has a single Samba Domain Controller (PDC) located in the
181 Network Operation Center (NOC). Buildings 1 and 2 each have a local server
182 for local application servicing. It is a Domain Member. The new system
183 uses the <parameter>tdbsam</parameter> passdb backend.
187 Printing is based on raw pass-through facilities as it has been used so far.
188 All printer drivers are installed on the desktop and notebook computers.
195 <title>Dissection and Discussion</title>
198 <indexterm><primary>network load factors</primary></indexterm>
199 The example you are building in this chapter is an example of a network design that works,
200 but this does not make it a design that is recommended. As a general rule, there should
201 be at least one Backup Domain Controller per 50 Windows network clients. The principle behind
202 this recommendation is the fact that correct operation of MS Windows clients requires rapid
203 network response to all SMB/CIFS requests. The same rule says that if there are more than
204 50 clients per Domain Controller they are too busy to service requests. Let's put such
205 rules aside and recognize that network load affects the integrity of Domain Controller
206 responsiveness. This network will have 500 clients serviced by one central Domain
207 Controller. This is not a good omen for user satisfaction. You, of course, address this
208 very soon (see next chapter).
212 <title>Technical Issues</title>
215 Stan has talked you into a horrible compromise, but it is addressed. Just make
216 certain that the performance of this network is well validated before going live.
220 Design decisions made in this design include:
225 <indexterm><primary>PDC</primary></indexterm>
226 <indexterm><primary>LDAP</primary></indexterm>
227 <indexterm><primary>identity management</primary></indexterm>
228 A single Primary Domain Controller (PDC) is being implemented. This limitation
229 is based on the choice not to use LDAP. Many network administrators fear using
230 LDAP based on the perceived complexity of implementation and management of an
231 LDAP-based backend for all user identity management as well as to store network
236 <indexterm><primary>BDC</primary></indexterm>
237 <indexterm><primary>machine secret password</primary></indexterm>
238 Because of the refusal to use an LDAP (ldapsam) passdb backend at this time,
239 the only choice that makes sense with 500 users is to use the tdbsam passwd backend.
240 This type of backend is not receptive to replication to Backup Domain Controllers.
241 If the tdbsam <filename>passdb.tdb</filename> file is replicated to Backup Domain
242 Controllers (BDCs) using <command>rsync</command>, there are two potential problems:
243 1) Data that is in memory but not yet written to disk will not be replicated,
244 and 2) Domain Member machines periodically change the secret machine password. When
245 this happens, there is no mechanism to return the changed password to the PDC.
249 All Domain user, group, and machine accounts are managed on the PDC. This makes
250 for a simple mode of operation, but has to be balanced with network performance and
251 integrity of operations considerations.
255 <indexterm><primary>WINS</primary></indexterm>
256 A single central WINS server is being used. The PDC is also the WINS server.
257 Any attempt to operate a routed network without a WINS server while using NetBIOS
258 over TCP/IP protocols does not work unless on each client the name resolution
259 entries for the PDC are added to the <filename>LMHOSTS</filename>. This file is
260 normally located on the Windows XP Professional client in the
261 <filename>C:\WINDOWS\SYSTEM32\ETC\DRIVERS</filename> directory.
265 At this time the Samba WINS database is not capable of being replicated. That is
266 why a single WINS server is being implemented. This should work without a problem.
270 <indexterm><primary>winbindd</primary></indexterm>
271 Backup Domain Controllers make use of <command>winbindd</command> to provide
272 access to Domain security credentials for file system access and object storage.
276 <indexterm><primary>DHCP</primary><secondary>relay</secondary></indexterm>
277 <indexterm><primary>DHCP</primary><secondary>requests</secondary></indexterm>
278 Configuration of Windows XP Professional clients is achieved using DHCP. Each
279 subnet has its own DHCP server. Backup DHCP serving is provided by one
280 alternate DHCP server. This necessitates enabling of the DHCP Relay agent on
281 all routers. The DHCP Relay agent must be programmed to pass DHCP Requests from the
282 network directed at the backup DHCP server.
286 All network users are granted the ability to print to any printer that is network
287 attached. All printers are available from each server. Print jobs that are spooled
288 to a printer that is not on the local network segment are automatically routed to
289 the print spooler that is in control of that printer. The specific details of how this
290 might be done is demonstrated for one example only.
294 The network address and sub-netmask chosen provide 1022 usable IP addresses in
295 each subnet. If in the future more addresses are required, it would make sense
296 to add further subnets rather than change addressing.
305 <title>Political Issues</title>
308 This case gets close to the real world. You and I know the right way to implement
309 Domain Control. Politically, we have to navigate a mine field. In this case, the need is to
310 get the PDC rolled out in compliance with expectations and also to be ready to save the day
311 by having the real solution ready before it is needed. That real solution is presented in
320 <title>Implementation</title>
323 The following configuration process begins following installation of Red Hat Linux 9.0 on the
324 three servers shown in the network topology diagram in <link linkend="chap05net"/>. You have
325 selected hardware that is appropriate to the task.
328 <image id="chap05net">
329 <imagedescription>Network Topology &smbmdash; 500 User Network Using tdbsam passdb backend.</imagedescription>
330 <imagefile scale="80">chap5-net</imagefile>
333 <sect2 id="ch5-dnshcp-setup">
334 <title>Installation of DHCP, DNS, and Samba Control Files</title>
337 Carefully install the configuration files into the correct locations as shown in
338 <link linkend="ch5-filelocations"/>. You should validate that the full file path is
343 The abbreviation shown in this table as <constant>{VLN}</constant> means
344 the directory location beginning with <filename>/var/lib/named</filename>.
348 <table id="ch5-filelocations"><title>Domain: <constant>MEGANET</constant>, File Locations for Servers</title>
350 <colspec colname='c1' align="left"/>
351 <colspec colname='c2' align="left"/>
352 <colspec colname='c3' align="center"/>
353 <colspec colname='c4' align="center"/>
354 <colspec colname='c5' align="center"/>
357 <entry align="center" namest='c1' nameend='c2'>File Information</entry>
358 <entry align="center" namest="c3" nameend="c5">Server Name</entry>
361 <entry align="center">Source</entry>
362 <entry align="center">Target Location</entry>
363 <entry align="center">MASSIVE</entry>
364 <entry align="center">BLDG1</entry>
365 <entry align="center">BLDG2</entry>
370 <entry><link linkend="ch5-massivesmb"/></entry>
371 <entry><filename>/etc/samba/smb.conf</filename></entry>
377 <entry><link linkend="ch5-dc-common"/></entry>
378 <entry><filename>/etc/samba/dc-common.conf</filename></entry>
384 <entry><link linkend="ch5-commonsmb"/></entry>
385 <entry><filename>/etc/samba/common.conf</filename></entry>
391 <entry><link linkend="ch5-bldg1-smb"/></entry>
392 <entry><filename>/etc/samba/smb.conf</filename></entry>
398 <entry><link linkend="ch5-bldg2-smb"/></entry>
399 <entry><filename>/etc/samba/smb.conf</filename></entry>
405 <entry><link linkend="ch5-dommem-smb"/></entry>
406 <entry><filename>/etc/samba/dommem.conf</filename></entry>
412 <entry><link linkend="massive-dhcp"/></entry>
413 <entry><filename>/etc/dhcpd.conf</filename></entry>
419 <entry><link linkend="bldg1dhcp"/></entry>
420 <entry><filename>/etc/dhcpd.conf</filename></entry>
426 <entry><link linkend="bldg2dhcp"/></entry>
427 <entry><filename>/etc/dhcpd.conf</filename></entry>
433 <entry><link linkend="massive-nameda"/></entry>
434 <entry><filename>/etc/named.conf (part A)</filename></entry>
440 <entry><link linkend="massive-namedb"/></entry>
441 <entry><filename>/etc/named.conf (part B)</filename></entry>
447 <entry><link linkend="massive-namedc"/></entry>
448 <entry><filename>/etc/named.conf (part C)</filename></entry>
454 <entry><link linkend="abmasbizdns"/></entry>
455 <entry><filename>{VLN}/master/abmas.biz.hosts</filename></entry>
461 <entry><link linkend="abmasusdns"/></entry>
462 <entry><filename>{VLN}/master/abmas.us.hosts</filename></entry>
468 <entry><link linkend="bldg12nameda"/></entry>
469 <entry><filename>/etc/named.conf (part A)</filename></entry>
475 <entry><link linkend="bldg12namedb"/></entry>
476 <entry><filename>/etc/named.conf (part B)</filename></entry>
482 <entry><link linkend="loopback"/></entry>
483 <entry><filename>{VLN}/localhost.zone</filename></entry>
489 <entry><link linkend="dnsloopy"/></entry>
490 <entry><filename>{VLN}/127.0.0.zone</filename></entry>
496 <entry><link linkend="roothint"/></entry>
497 <entry><filename>{VLN}/root.hint</filename></entry>
509 <title>Server Preparation &smbmdash; All Servers</title>
512 The following steps apply to all servers. Follow each step carefully.
517 Using the UNIX/Linux system tools, set the name of the server as shown in the network
518 topology diagram in <link linkend="chap05net"/>. For SUSE Linux products, the tool
519 that permits this is called <command>yast2</command>; for Red Hat Linux products,
520 you can use the <command>netcfg</command> tool.
521 Verify that your hostname is correctly set by running:
523 &rootprompt; uname -n
525 An alternate method to verify the hostname is:
527 &rootprompt; hostname -f
532 <indexterm><primary>/etc/hosts</primary></indexterm><indexterm>
533 <primary>named</primary>
535 Edit your <filename>/etc/hosts</filename> file to include the primary names and addresses
536 of all network interfaces that are on the host server. This is necessary so that during
537 startup the system is able to resolve all its own names to the IP address prior to
538 startup of the DNS server. You should check the startup order of your system. If the
539 CUPS print server is started before the DNS server (<command>named</command>), you
540 should also include an entry for the printers in the <filename>/etc/hosts</filename> file.
544 <indexterm><primary>/etc/resolv.conf</primary></indexterm>
545 All DNS name resolution should be handled locally. To ensure that the server is configured
546 correctly to handle this, edit <filename>/etc/resolv.conf</filename> so it has the following
549 search abmas.us abmas.biz
552 This instructs the name resolver function (when configured correctly) to ask the DNS server
553 that is running locally to resolve names to addresses.
558 <indexterm><primary>administrator</primary></indexterm><indexterm>
559 <primary>smbpasswd</primary>
561 Add the <constant>root</constant> user to the password backend as follows:
563 &rootprompt; smbpasswd -a root
564 New SMB password: XXXXXXXX
565 Retype new SMB password: XXXXXXXX
568 The <constant>root</constant> account is the UNIX equivalent of the Windows Domain Administrator.
569 This account is essential in the regular maintenance of your Samba server. It must never be
570 deleted. If for any reason the account is deleted, you may not be able to recreate this account
571 without considerable trouble.
575 <indexterm><primary>username map</primary></indexterm><indexterm>
576 <primary>/etc/samba/smbusers</primary>
578 Create the username map file to permit the <constant>root</constant> account to be called
579 <constant>Administrator</constant> from the Windows network environment. To do this, create
580 the file <filename>/etc/samba/smbusers</filename> with the following contents:
587 # Unix_ID = Windows_ID
590 # root = Administrator
591 # janes = "Jane Smith"
594 # Note: If the name contains a space it must be double quoted.
595 # In the example above the name 'jimbo' will be mapped to Windows
596 # user names 'Jim' and 'Bones' because the space was not quoted.
597 #######################################################################
606 Configure all network attached printers to have a fixed IP address.
610 Create an entry in the DNS database on the server <constant>MASSIVE</constant>
611 in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
612 and in the reverse lookup database for the network segment that the printer is
613 located in. Example configuration files for similar zones were presented in
614 <link linkend="abmasbiz"/> and <link linkend="eth2zone"/>.
618 Follow the instructions in the printer manufacturer's manuals to permit printing
619 to port 9100. Use any other port the manufacturer specifies for direct mode,
620 raw printing. This allows the CUPS spooler to print using raw mode protocols.
621 <indexterm><primary>CUPS</primary></indexterm>
622 <indexterm><primary>raw printing</primary></indexterm>
626 <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
627 Only on the server to which the printer is attached configure the CUPS Print
630 &rootprompt; lpadmin -p <parameter>printque</parameter> -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
632 <indexterm><primary>print filter</primary></indexterm>
633 This step creates the necessary print queue to use no assigned print filter. This
634 is ideal for raw printing, i.e., printing without use of filters.
635 The name <parameter>printque</parameter> is the name you have assigned for
636 the particular printer.
640 Print queues may not be enabled at creation. Make certain that the queues
641 you have just created are enabled by executing the following:
643 &rootprompt; /usr/bin/enable <parameter>printque</parameter>
648 Even though your print queue may be enabled, it is still possible that it
649 does not accept print jobs. A print queue services incoming printing
650 requests only when configured to do so. Ensure that your print queue is
651 set to accept incoming jobs by executing the following command:
653 &rootprompt; /usr/bin/accept <parameter>printque</parameter>
658 <indexterm><primary>mime type</primary></indexterm>
659 <indexterm><primary>/etc/mime.convs</primary></indexterm>
660 <indexterm><primary>application/octet-stream</primary></indexterm>
661 Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
663 application/octet-stream application/vnd.cups-raw 0 -
668 <indexterm><primary>/etc/mime.types</primary></indexterm>
669 Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
671 application/octet-stream
676 Refer to the CUPS printing manual for instructions regarding how to configure
677 CUPS so that print queues that reside on CUPS servers on remote networks
678 route print jobs to the print server that owns that queue. The default setting
679 on your CUPS server may automatically discover remotely installed printers and
680 may permit this functionality without requiring specific configuration.
684 As part of the rollout program, you need to configure the application's
685 server shares. This can be done once on the central server and may then be
686 replicated using a tool such as <command>rsync</command>. Refer to the man
687 page for <command>rsync</command> for details regarding use. The notes in
688 <link linkend="ch4appscfg"/> may help in your decisions to use an application
695 Logon scripts that are run from a Domain Controller (PDC or BDC) are capable of using semi-intelligent
696 processes to auto-map Windows client drives to an application server that is nearest to the client. This
697 is considerably more difficult when a single PDC is used on a routed network. It can be done, but not
698 as elegantly as you see in the next chapter.
704 <title>Server Specific Preparation</title>
707 There are some steps that apply to particular server functionality only. Each step is critical
708 to correct server operation.
712 <title>Configuration for Server: <constant>MASSIVE</constant></title>
716 <indexterm><primary>/etc/rc.d/boot.local</primary></indexterm>
717 <indexterm><primary>IP forwarding</primary></indexterm>
718 The host server acts as a router between the two internal network segments as well
719 as for all Internet access. This necessitates that IP forwarding must be enabled. This can be
720 achieved by adding to the <filename>/etc/rc.d/boot.local</filename> an entry as follows:
722 echo 1 > /proc/sys/net/ipv4/ip_forward
724 To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute
725 that command manually also. This setting permits the Linux system to act as a router.
729 This server is dual hosted (i.e., has two network interfaces) &smbmdash; one goes to the Internet,
730 and the other to a local network that has a router that is the gateway to the remote networks.
731 You must, therefore, configure the server with route table entries so that it can find machines
732 on the remote networks. You can do this using the appropriate system tools for your Linux
733 server or using static entries that you place in one of the system startup files. It is best
734 to always use the tools that the operating system vendor provided. In the case of SUSE Linux, the
735 best tool to do this is YaST (refer to SUSE Administration Manual); in the case of Red Hat,
736 this is best done using the graphical system configuration tools (see the Red Hat documentation).
737 An example of how this may be done manually is as follows:
739 &rootprompt; route add net 172.16.4.0 netmask 255.255.252.0 gw 172.16.0.128
740 &rootprompt; route add net 172.16.8.0 netmask 255.255.252.0 gw 172.16.0.128
742 If you just execute these commands manually, the route table entries you have created are
743 not persistent across system reboots. You may add these commands directly to the local
744 startup files as follows: (SUSE) <filename>/etc/rc.d/boot.local</filename>, (Red Hat)
745 <filename>/etc/rc.d/init.d/rc.local</filename>.
749 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
750 The final step that must be completed is to edit the <filename>/etc/nsswitch.conf</filename> file.
751 This file controls the operation of the various resolver libraries that are part of the Linux
752 Glibc libraries. Edit this file so that it contains the following entries:
754 hosts: files dns wins
759 <indexterm><primary>initGrps.sh</primary></indexterm>
760 Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
761 <link linkend="ch5-initgrps"/>. Create a file containing this script. You called yours
762 <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed
763 and then execute the script. An example of the execution of this script as well as its
764 validation are shown in Chapter 4, Section 4.3.2, Step 5.
768 <indexterm><primary>/etc/passwd</primary></indexterm>
769 <indexterm><primary>password</primary><secondary>backend</secondary></indexterm>
770 <indexterm><primary>smbpasswd</primary></indexterm>
771 For each user who needs to be given a Windows Domain account, make an entry in the
772 <filename>/etc/passwd</filename> file, as well as in the Samba password backend.
773 Use the system tool of your choice to create the UNIX system account and use the Samba
774 <command>smbpasswd</command> to create a Domain user account.
778 <indexterm><primary>useradd</primary></indexterm>
779 <indexterm><primary>adduser</primary></indexterm>
780 <indexterm><primary>user</primary><secondary>management</secondary></indexterm>
781 There are a number of tools for user management under UNIX. Commonly known ones include:
782 <command>useradd, adduser</command>. In addition to these, there is a plethora of custom
783 tools. With the tool of your choice, create a home directory for each user.
787 Using the preferred tool for your UNIX system, add each user to the UNIX groups created
788 previously as necessary. File system access control based on UNIX group membership.
792 Create the directory mount point for the disk sub-system that is to be mounted to provide
793 data storage for company files. In this case, the mount point indicated in the &smb.conf;
794 file is <filename>/data</filename>. Format the file system as required and mount the formatted
795 file system partition using appropriate system tools.
799 <indexterm><primary>file system</primary>
800 <secondary>permissions</secondary></indexterm>
801 Create the top-level file storage directories for data and applications as follows:
803 &rootprompt; mkdir -p /data/{accounts,finsvcs,pidata}
804 &rootprompt; mkdir -p /apps
805 &rootprompt; chown -R root.root /data
806 &rootprompt; chown -R root.root /apps
807 &rootprompt; chown -R bjordan.accounts /data/accounts
808 &rootprompt; chown -R bjordan.finsvcs /data/finsvcs
809 &rootprompt; chown -R bjordan.finsvcs /data/pidata
810 &rootprompt; chmod -R ug+rwxs,o-rwx /data
811 &rootprompt; chmod -R ug+rwx,o+rx-w /apps
813 Each department is responsible for creating its own directory structure within the departmental
814 share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>.
815 The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>.
816 The <filename>/apps</filename> directory is the root of the <constant>apps</constant> share
817 that provides the application server infrastructure.
821 The &smb.conf; file specifies an infrastructure to support roaming profiles and network
822 logon services. You can now create the file system infrastructure to provide the
823 locations on disk that these services require. Adequate planning is essential
824 since desktop profiles can grow to be quite large. For planning purposes, a minimum of
825 200 Megabytes of storage should be allowed per user for profile storage. The following
826 commands create the directory infrastructure needed:
828 &rootprompt; mkdir -p /var/spool/samba
829 &rootprompt; mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
830 &rootprompt; chown -R root.root /var/spool/samba
831 &rootprompt; chown -R root.root /var/lib/samba
832 &rootprompt; chmod a+rwxt /var/spool/samba
834 For each user account that is created on the system, the following commands should be
837 &rootprompt; mkdir /var/lib/samba/profiles/'username'
838 &rootprompt; chown 'username'.users /var/lib/samba/profiles/'username'
839 &rootprompt; chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
844 Create a logon script. It is important that each line is correctly terminated with
845 a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
846 works if the right tools (<constant>unxi2dos</constant> and <constant>dos2unix</constant>) are installed.
847 First, create a file called <filename>/var/lib/samba/netlogon/scripts/logon.bat.unix</filename>
848 with the following contents:
850 net time \\massive /set /yes
853 Convert the UNIX file to a DOS file as follows:
855 &rootprompt; dos2unix < /var/lib/samba/netlogon/scripts/logon.bat.unix \
856 > /var/lib/samba/netlogon/scripts/logon.bat
861 There is one preparatory step without which you cannot have a working Samba network
862 environment. You must add an account for each network user. You can do this by executing
863 the following steps for each user:
865 &rootprompt; useradd -m <parameter>username</parameter>
866 &rootprompt; passwd <parameter>username</parameter>
867 Changing password for <parameter>username</parameter>.
868 New password: XXXXXXXX
869 Re-enter new password: XXXXXXXX
871 &rootprompt; smbpasswd -a <parameter>username</parameter>
872 New SMB password: XXXXXXXX
873 Retype new SMB password: XXXXXXXX
874 Added user <parameter>username</parameter>.
876 You do, of course, use a valid user login ID in place of <parameter>username</parameter>.
880 Follow the processes shown in <link linkend="ch5-procstart"/> to start all services.
884 Your server is ready for validation testing. Do not proceed with the steps in
885 <link linkend="ch5-domsvrspec"/> until after the operation of the server has been
886 validated following the same methods as outlined in <link linkend="ch4valid"/>.
893 <sect3 id="ch5-domsvrspec">
894 <title>Configuration Specific to Domain Member Servers: <constant>BLDG1, BLDG2</constant></title>
898 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
899 The final step that must be completed is to edit the <filename>/etc/nsswitch.conf</filename> file.
900 This file controls the operation of the various resolver libraries that are part of the Linux
901 Glibc libraries. Edit this file so that it contains the following entries:
903 passwd: files winbind
905 hosts: files dns wins
910 Follow the steps outlined in <link linkend="ch5-procstart"/> to start all services. Do not
911 start Samba at this time. Samba is controlled by the process called <command>smb</command>.
914 <step><para><indexterm>
915 <primary>net</primary>
916 <secondary>rpc</secondary>
917 <tertiary>join</tertiary>
919 At this time, you must now attempt to join the Domain Member servers to the Domain. The following
920 instructions should be executed to effect this:
922 &rootprompt; net rpc join
926 <step><para><indexterm>
927 <primary>service</primary>
928 <secondary>smb</secondary>
929 <tertiary>start</tertiary>
931 You now start the Samba services by executing:
933 &rootprompt; service smb start
938 Your server is ready for validation testing. Do not proceed with the steps in
939 <link linkend="ch5-domsvrspec"/> until after the operation of the server has been
940 validated following the same methods as outlined in <link linkend="ch4valid"/>.
950 <smbconfexample id="ch5-massivesmb">
951 <title>Server: MASSIVE (PDC), File: <filename>/etc/samba/smb.conf</filename></title>
952 <smbconfcomment>Global parameters</smbconfcomment>
953 <smbconfsection>[global]</smbconfsection>
954 <smbconfoption><name>workgroup</name><value>MEGANET</value></smbconfoption>
955 <smbconfoption><name>netbios name</name><value>MASSIVE</value></smbconfoption>
956 <smbconfoption><name>interfaces</name><value>eth1, lo</value></smbconfoption>
957 <smbconfoption><name>bind interfaces only</name><value>Yes</value></smbconfoption>
958 <smbconfoption><name>passdb backend</name><value>tdbsam</value></smbconfoption>
959 <smbconfoption><name>add user script</name><value>/usr/sbin/useradd -m %u</value></smbconfoption>
960 <smbconfoption><name>delete user script</name><value>/usr/sbin/userdel -r %u</value></smbconfoption>
961 <smbconfoption><name>add group script</name><value>/usr/sbin/groupadd %g</value></smbconfoption>
962 <smbconfoption><name>delete group script</name><value>/usr/sbin/groupdel %g</value></smbconfoption>
963 <smbconfoption><name>add user to group script</name><value>/usr/sbin/usermod -G %g %u</value></smbconfoption>
964 <smbconfoption><name>add machine script</name><value>/usr/sbin/useradd -s /bin/false -d /dev/null %u</value></smbconfoption>
965 <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
966 <smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
967 <smbconfoption><name>include</name><value>/etc/samba/dc-common.conf</value></smbconfoption>
969 <smbconfsection>[IPC$]</smbconfsection>
970 <smbconfoption><name>path</name><value>/tmp</value></smbconfoption>
971 <smbconfoption><name>hosts allow</name><value>172.16.0.0/16, 127.0.0.1</value></smbconfoption>
972 <smbconfoption><name>hosts deny</name><value>0.0.0.0/0</value></smbconfoption>
974 <smbconfsection>[accounts]</smbconfsection>
975 <smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
976 <smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
977 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
979 <smbconfsection>[service]</smbconfsection>
980 <smbconfoption><name>comment</name><value>Financial Services Files</value></smbconfoption>
981 <smbconfoption><name>path</name><value>/data/service</value></smbconfoption>
982 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
984 <smbconfsection>[pidata]</smbconfsection>
985 <smbconfoption><name>comment</name><value>Property Insurance Files</value></smbconfoption>
986 <smbconfoption><name>path</name><value>/data/pidata</value></smbconfoption>
987 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
991 <smbconfexample id="ch5-dc-common">
992 <title>Server: MASSIVE (PDC), File: <filename>/etc/samba/dc-common.conf</filename></title>
993 <smbconfcomment>Global parameters</smbconfcomment>
994 <smbconfsection>[global]</smbconfsection>
995 <smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
996 <smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
997 <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
998 <smbconfoption><name>logon path</name><value>\%L\profiles\%U</value></smbconfoption>
999 <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
1000 <smbconfoption><name>logon home</name><value>\%L\%U</value></smbconfoption>
1001 <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
1002 <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
1003 <smbconfoption><name>include</name><value>/etc/samba/common.conf</value></smbconfoption>
1005 <smbconfsection>[homes]</smbconfsection>
1006 <smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
1007 <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
1008 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
1009 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
1011 <smbconfsection>[netlogon]</smbconfsection>
1012 <smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
1013 <smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
1014 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
1015 <smbconfoption><name>locking</name><value>No</value></smbconfoption>
1017 <smbconfsection>[profiles]</smbconfsection>
1018 <smbconfoption><name>comment</name><value>Profile Share</value></smbconfoption>
1019 <smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
1020 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
1021 <smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
1025 <smbconfexample id="ch5-commonsmb">
1026 <title>Common Samba Configuration File: <filename>/etc/samba/common.conf</filename></title>
1027 <smbconfsection>[global]</smbconfsection>
1028 <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
1029 <smbconfoption><name>log level</name><value>1</value></smbconfoption>
1030 <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
1031 <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
1032 <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
1033 <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
1034 <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
1035 <smbconfoption><name>time server</name><value>Yes</value></smbconfoption>
1036 <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
1037 <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
1038 <smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
1039 <smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
1040 <smbconfoption><name>utmp</name><value>Yes</value></smbconfoption>
1041 <smbconfoption><name>map acl inherit</name><value>Yes</value></smbconfoption>
1042 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
1043 <smbconfoption><name>veto files</name><value>/*.eml/*.nws/*.{*}/</value></smbconfoption>
1044 <smbconfoption><name>veto oplock files</name><value>/*.doc/*.xls/*.mdb/</value></smbconfoption>
1045 <smbconfoption><name>include</name><value> </value></smbconfoption>
1047 <smbconfcomment>Share and Service Definitions are common to all servers</smbconfcomment>
1048 <smbconfsection>[printers]</smbconfsection>
1049 <smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
1050 <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
1051 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
1052 <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
1053 <smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
1054 <smbconfoption><name>default devmode</name><value>Yes</value></smbconfoption>
1055 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
1057 <smbconfsection>[apps]</smbconfsection>
1058 <smbconfoption><name>comment</name><value>Application Files</value></smbconfoption>
1059 <smbconfoption><name>path</name><value>/apps</value></smbconfoption>
1060 <smbconfoption><name>admin users</name><value>bjordan</value></smbconfoption>
1061 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
1062 <smbconfoption><name>include</name><value></value></smbconfoption>
1066 <smbconfexample id="ch5-bldg1-smb">
1067 <title>Server: BLDG1 (Member), File: smb.conf</title>
1068 <smbconfcomment>Global parameters</smbconfcomment>
1069 <smbconfsection>[global]</smbconfsection>
1070 <smbconfoption><name>workgroup</name><value>MEGANET</value></smbconfoption>
1071 <smbconfoption><name>netbios name</name><value>BLDG1</value></smbconfoption>
1072 <smbconfoption><name>include</name><value>/etc/samba/dom-mem.conf</value></smbconfoption>
1076 <smbconfexample id="ch5-bldg2-smb">
1077 <title>Server: BLDG2 (Member), File: smb.conf</title>
1078 <smbconfcomment>Global parameters</smbconfcomment>
1079 <smbconfsection>[global]</smbconfsection>
1080 <smbconfoption><name>workgroup</name><value>MEGANET</value></smbconfoption>
1081 <smbconfoption><name>netbios name</name><value>BLDG2</value></smbconfoption>
1082 <smbconfoption><name>include</name><value>/etc/samba/dom-mem.conf</value></smbconfoption>
1086 <smbconfexample id="ch5-dommem-smb">
1087 <title>Common Domain Member Include File: dom-mem.conf</title>
1088 <smbconfcomment>Global parameters</smbconfcomment>
1089 <smbconfsection>[global]</smbconfsection>
1090 <smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
1091 <smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
1092 <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
1093 <smbconfoption><name>wins server</name><value>172.16.0.1</value></smbconfoption>
1094 <smbconfoption><name>idmap uid</name><value>15000-20000</value></smbconfoption>
1095 <smbconfoption><name>idmap gid</name><value>15000-20000</value></smbconfoption>
1096 <smbconfoption><name>include</name><value>/etc/samba/common.conf</value></smbconfoption>
1100 <example id="massive-dhcp">
1101 <title>Server: MASSIVE, File: dhcpd.conf</title>
1103 # Abmas Accounting Inc. - Chapter 5/MASSIVE
1105 default-lease-time 86400;
1106 max-lease-time 172800;
1107 default-lease-time 86400;
1109 ddns-update-style ad-hoc;
1111 option ntp-servers 172.16.0.1;
1112 option domain-name "abmas.biz";
1113 option domain-name-servers 172.16.0.1, 172.16.4.1;
1114 option netbios-name-servers 172.16.0.1;
1115 option netbios-node-type 8;
1117 subnet 172.16.1.0 netmask 255.255.252.0 {
1118 range dynamic-bootp 172.16.1.0 172.16.2.255;
1119 option subnet-mask 255.255.252.0;
1120 option routers 172.16.0.1, 172.16.0.128;
1121 allow unknown-clients;
1123 subnet 172.16.4.0 netmask 255.255.252.0 {
1124 range dynamic-bootp 172.16.7.0 172.16.7.254;
1125 option subnet-mask 255.255.252.0;
1126 option routers 172.16.4.128;
1127 allow unknown-clients;
1129 subnet 172.16.8.0 netmask 255.255.252.0 {
1130 range dynamic-bootp 172.16.11.0 172.16.11.254;
1131 option subnet-mask 255.255.252.0;
1132 option routers 172.16.4.128;
1133 allow unknown-clients;
1135 subnet 127.0.0.0 netmask 255.0.0.0 {
1137 subnet 123.45.67.64 netmask 255.255.255.252 {
1143 <example id="bldg1dhcp">
1144 <title>Server: BLDG1, File: dhcpd.conf</title>
1146 # Abmas Accounting Inc. - Chapter 5/BLDG1
1148 default-lease-time 86400;
1149 max-lease-time 172800;
1150 default-lease-time 86400;
1152 ddns-update-style ad-hoc;
1154 option ntp-servers 172.16.0.1;
1155 option domain-name "abmas.biz";
1156 option domain-name-servers 172.16.0.1, 172.16.4.1;
1157 option netbios-name-servers 172.16.0.1;
1158 option netbios-node-type 8;
1160 subnet 172.16.1.0 netmask 255.255.252.0 {
1161 range dynamic-bootp 172.16.3.0 172.16.2.254;
1162 option subnet-mask 255.255.252.0;
1163 option routers 172.16.0.1, 172.16.0.128;
1164 allow unknown-clients;
1166 subnet 172.16.4.0 netmask 255.255.252.0 {
1167 range dynamic-bootp 172.16.5.0 172.16.6.255;
1168 option subnet-mask 255.255.252.0;
1169 option routers 172.16.4.128;
1170 allow unknown-clients;
1172 subnet 127.0.0.0 netmask 255.0.0.0 {
1178 <example id="bldg2dhcp">
1179 <title>Server: BLDG2, File: dhcpd.conf</title>
1181 # Abmas Accounting Inc. - Chapter 5/BLDG1
1183 default-lease-time 86400;
1184 max-lease-time 172800;
1185 default-lease-time 86400;
1187 ddns-update-style ad-hoc;
1189 option ntp-servers 172.16.0.1;
1190 option domain-name "abmas.biz";
1191 option domain-name-servers 172.16.0.1, 172.16.4.1;
1192 option netbios-name-servers 172.16.0.1;
1193 option netbios-node-type 8;
1195 subnet 172.16.8.0 netmask 255.255.252.0 {
1196 range dynamic-bootp 172.16.9.0 172.16.10.255;
1197 option subnet-mask 255.255.252.0;
1198 option routers 172.16.8.128;
1199 allow unknown-clients;
1201 subnet 127.0.0.0 netmask 255.0.0.0 {
1207 <example id="massive-nameda">
1208 <title>Server: MASSIVE, File: named.conf, Part: A</title>
1211 # Abmas Biz DNS Control File
1213 # Date: November 15, 2003
1216 directory "/var/lib/named";
1226 multiple-cnames yes;
1235 zone "localhost" in {
1237 file "localhost.zone";
1240 zone "0.0.127.in-addr.arpa" in {
1242 file "127.0.0.zone";
1259 <example id="massive-namedb">
1260 <title>Server: MASSIVE, File: named.conf, Part: B</title>
1264 file "/var/lib/named/master/abmas.biz.hosts";
1278 file "/var/lib/named/master/abmas.us.hosts";
1290 <example id="massive-namedc">
1291 <title>Server: MASSIVE, File: named.conf, Part: C</title>
1293 zone "0.16.172.in-addr.arpa" {
1295 file "/var/lib/named/master/172.16.0.0.rev";
1307 zone "4.16.172.in-addr.arpa" {
1309 file "/var/lib/named/master/172.16.4.0.rev";
1321 zone "8.16.172.in-addr.arpa" {
1323 file "/var/lib/named/master/172.16.8.0.rev";
1338 <example id="abmasbizdns">
1339 <title>Forward Zone File: abmas.biz.hosts</title>
1342 $TTL 38400 ; 10 hours 40 minutes
1343 abmas.biz IN SOA massive.abmas.biz. root.abmas.biz. (
1345 10800 ; refresh (3 hours)
1346 3600 ; retry (1 hour)
1347 604800 ; expire (1 week)
1348 38400 ; minimum (10 hours 40 minutes)
1350 NS massive.abmas.biz.
1353 MX 10 massive.abmas.biz.
1355 massive A 172.16.0.1
1356 router0 A 172.16.0.128
1358 router4 A 172.16.4.128
1360 router8 A 172.16.8.128
1365 <example id="abmasusdns">
1366 <title>Forward Zone File: abmas.biz.hosts</title>
1369 $TTL 38400 ; 10 hours 40 minutes
1370 abmas.us IN SOA server.abmas.us. root.abmas.us. (
1372 10800 ; refresh (3 hours)
1373 3600 ; retry (1 hour)
1374 604800 ; expire (1 week)
1375 38400 ; minimum (10 hours 40 minutes)
1379 MX 10 server.abmas.us.
1381 server A 123.45.67.66
1391 <example id="bldg12nameda">
1392 <title>Servers: BLDG1/BLDG2, File: named.conf, Part: A</title>
1395 # Abmas Biz DNS Control File
1397 # Date: November 15, 2003
1400 directory "/var/lib/named";
1409 multiple-cnames yes;
1418 zone "localhost" in {
1420 file "localhost.zone";
1423 zone "0.0.127.in-addr.arpa" in {
1425 file "127.0.0.zone";
1442 <example id="bldg12namedb">
1443 <title>Servers: BLDG1/BLDG2, File: named.conf, Part: B</title>
1447 file "/var/lib/named/slave/abmas.biz.hosts";
1456 zone "0.16.172.in-addr.arpa" {
1458 file "/var/lib/slave/master/172.16.0.0.rev";
1467 zone "4.16.172.in-addr.arpa" {
1469 file "/var/lib/named/slave/172.16.4.0.rev";
1478 zone "8.16.172.in-addr.arpa" {
1480 file "/var/lib/named/slave/172.16.8.0.rev";
1493 <example id="ch5-initgrps">
1494 <title>Initialize Groups Script, File: /etc/samba/initGrps.sh</title>
1498 # Create UNIX groups
1503 # Map Windows Domain Groups to UNIX groups
1504 net groupmap modify ntgroup="Domain Admins" unixgroup=root
1505 net groupmap modify ntgroup="Domain Users" unixgroup=users
1506 net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
1508 # Add Functional Domain Groups
1509 net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
1510 net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
1511 net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
1515 <!-- End of Examples -->
1517 <sect2 id="ch5-procstart">
1518 <title>Process Startup Configuration</title>
1521 <indexterm><primary>chkconfig</primary></indexterm><indexterm>
1522 <primary>daemon control</primary>
1524 There are two essential steps to process startup configuration. A process
1525 must be configured so that it is automatically restarted each time the server
1526 is rebooted. This step involves use of the <command>chkconfig</command> tool that
1527 created appropriate symbolic links from the master daemon control file that is
1528 located in the <filename>/etc/rc.d</filename> directory to the <filename>/etc/rc'x'.d</filename>
1529 directories. Links are created so that when the system run-level is changed, the
1530 necessary start or kill script is run.
1534 <indexterm><primary>/etc/xinetd.d</primary></indexterm>
1535 In the event that a service is provided not as a daemon but via the inter-networking
1536 super daemon (<command>inetd</command> or <command>xinetd</command>), then the <command>chkconfig</command>
1537 tool makes the necessary entries in the <filename>/etc/xinetd.d</filename> directory
1538 and sends a hang-up (HUP) signal to the super daemon, thus forcing it to
1539 re-read its control files.
1543 Last, each service must be started to permit system validation to proceed.
1548 Use the standard system tool to configure each service to restart
1549 automatically at every system reboot. For example:
1550 <indexterm><primary>chkconfig</primary></indexterm>
1552 &rootprompt; chkconfig dhpc on
1553 &rootprompt; chkconfig named on
1554 &rootprompt; chkconfig cups on
1555 &rootprompt; chkconfig smb on
1556 &rootprompt; chkconfig swat on
1561 <indexterm><primary>starting dhcpd</primary></indexterm>
1562 <indexterm><primary>starting samba</primary></indexterm>
1563 <indexterm><primary>starting CUPS</primary></indexterm>
1564 Now start each service to permit the system to be validated.
1565 Execute each of the following in the sequence shown:
1568 &rootprompt; service dhcp restart
1569 &rootprompt; service named restart
1570 &rootprompt; service cups restart
1571 &rootprompt; service smb restart
1572 &rootprompt; service swat restart
1579 <sect2 id="ch5wincfg">
1580 <title>Windows Client Configuration</title>
1583 The procedure for desktop client configuration for the network in this chapter is similar to
1584 that used for the previous one. There are a few subtle changes that should be noted.
1589 Install MS Windows XP Professional. During installation, configure the client to use DHCP for
1590 TCP/IP protocol configuration.
1591 <indexterm><primary>WINS</primary></indexterm>
1592 <indexterm><primary>DHCP</primary></indexterm>
1593 DHCP configures all Windows clients to use the WINS Server address that has been defined
1594 for the local subnet.
1598 Join the Windows Domain <constant>MEGANET</constant>. Use the Domain Administrator
1599 user name <constant>root</constant> and the SMB password you assigned to this account.
1600 A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
1601 a Windows Domain is given in <link linkend="domjoin"/>.
1602 Reboot the machine as prompted and then logon using the Domain Administrator account
1603 (<constant>root</constant>).
1607 Verify that the server called <constant>MEGANET</constant> is visible in <guimenu>My Network Places</guimenu>,
1608 that it is possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>,
1609 <guimenuitem>apps</guimenuitem>, and <guimenuitem>finsvcs</guimenuitem>,
1610 and that it is possible to open each share to reveal its contents.
1614 Create a drive mapping to the <constant>apps</constant> share on a server. At this time, it does
1615 not particularly matter which application server is used. It is necessary to manually
1616 set a persistent drive mapping to the local applications server on each workstation at the time of
1617 installation. This step is avoided by the improvements to the design of the network configuration
1618 in the next chapter.
1622 Perform an administrative installation of each application to be used. Select the options
1623 that you wish to use. Of course, you choose to run applications over the network, correct?
1627 Now install all applications to be installed locally. Typical tools includes: Adobe Acrobat,
1628 NTP-based time synchronization software, drivers for specific local devices such as fingerprint
1629 scanners, and the like. Probably the most significant application to be locally installed
1630 is anti-virus software.
1634 Now install all four printers onto the staging system. The printers you install
1635 include the Accounting department HP LaserJet 6 and Minolta QMS Magicolor printers, and you
1636 also configure use of the identical printers that are located in the financial services department.
1637 Install printers on each machine using the following steps:
1642 <guimenu>Start</guimenu>
1643 <guimenuitem>Settings</guimenuitem>
1644 <guimenuitem>Printers</guimenuitem>
1645 <guiicon>Add Printer</guiicon>
1646 <guibutton>Next</guibutton>
1647 </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
1648 Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
1652 Click <guibutton>Next</guibutton>. In the panel labeled
1653 <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>.
1654 In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
1655 <constant>HP LaserJet 6</constant>. Click <guibutton>Next</guibutton>.
1659 In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select
1660 <constant>FILE:</constant>. Accept the default printer name by clicking
1661 <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
1662 test page?</quote>, click <guimenuitem>No</guimenuitem>. Click
1663 <guibutton>Finish</guibutton>.
1667 You may be prompted for the name of a file to print to. If so, close the
1668 dialog panel. Right-click <menuchoice>
1669 <guiicon>HP LaserJet 6</guiicon>
1670 <guimenuitem>Properties</guimenuitem>
1671 <guimenusub>Details (Tab)</guimenusub>
1672 <guimenubutton>Add Port</guimenubutton>
1677 In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of
1678 the print queue on the Samba server as follows: <constant>\\BLDG1\hplj6a</constant>.
1680 <guibutton>OK</guibutton>
1681 <guibutton>OK</guibutton>
1682 </menuchoice> to complete the installation.
1686 Repeat the printer installation steps above for both HP LaserJet 6 printers
1687 as well as for both QMS Magicolor laser printers. Remember to install all
1688 printers, but to set the destination port for each to the server on the
1689 local network. For example, a workstation in the Accounting group should
1690 have all printers directed at the server <constant>BLDG1</constant>.
1691 You may elect to point all desktop workstation configurations at the
1692 server called <constant>MASSIVE</constant> and then in your deployment
1693 procedures, it would be wise to document the need to redirect the printer
1694 configuration (as well as the applications server drive mapping) to the
1695 server on the network segment on which the workstation is to be located.
1701 When you are satisfied that the staging systems are complete, use the appropriate procedure to
1702 remove the client from the domain. Reboot the system, and then log on as the local administrator
1703 and clean out all temporary files stored on the system. Before shutting down, use the disk
1704 defragmentation tool so that the file system is in an optimal condition before replication.
1708 Boot the workstation using the Norton (Symantec) Ghosting disk (or CD-ROM) and image the
1709 machine to a network share on the server.
1713 You may now replicate the image using the appropriate Norton Ghost procedure to the target
1714 machines. Make sure to use the procedure that ensures each machine has a unique
1715 Windows security identifier (SID). When the installation of the disk image has completed, boot the PC.
1719 Log onto the machine as the local Administrator (the only option), and join the machine to
1720 the Domain following the procedure set out in <link linkend="domjoin"/>. You must now set the
1721 persistent drive mapping to the applications server that the user is to use. The system is now
1722 ready for the user to logon, providing you have created a network logon account for that
1727 Instruct all users to log onto the workstation using their assigned user name and password.
1734 <title>Key Points Learned</title>
1737 The network you have just deployed has been a valuable exercise in forced constraint.
1738 You have deployed a network that works well, although you may soon start to see
1739 performance problems, at which time the modifications demonstrated in the following
1740 chapter bring the network to life. The following key learning points were experienced:
1745 The power of using &smb.conf; include files
1749 Use of a single PDC over a routed network
1753 Joining a Samba-3 Domain Member server to a Samba-3 Domain
1757 Configuration of winbind to use Domain Users and Groups for Samba access
1758 to resources on the Domain Member servers
1762 The introduction of roaming profiles
1772 <title>Questions and Answers</title>
1777 <qandaset defaultlabel="chap01qa" type="number">
1782 The example &smb.conf; files in this chapter make use of the <parameter>include</parameter> facility.
1783 How may I get to see what the actual working &smb.conf; settings are?
1790 You may readily see the net compound effect of the included files by running:
1792 &rootprompt; testparm -s | less
1803 Why does the include file <filename>common.conf</filename> have an empty include statement?
1810 The use of the empty include statement nullifies further includes. For example, let's say you
1811 desire to have just an smb.conf file that is built from the array of include files of which the
1812 master control file is called <filename>master.conf</filename>. The following command
1813 produces a compound &smb.conf; file.
1815 &rootprompt; testparm -s /etc/samba/master.conf > /etc/samba/smb.conf
1817 If the include parameter was not in the common.conf file, the final &smb.conf; file leaves
1818 the include in place, even though the file it points to has already been included. This is a bug
1819 that will be fixed at a future date.
1829 I accept that the simplest configuration necessary to do the job is the best. The use of <parameter>tdbsam</parameter>
1830 passdb backend is much simpler than having to manage an LDAP-based <parameter>ldapsam</parameter> passdb backend.
1831 I tried using <command>rsync</command> to replicate the <filename>passdb.tdb</filename>, and it seems to work fine!
1832 So what is the problem?
1839 Replication of the <parameter>tdbsam</parameter> database file can result in loss of currency in its
1840 contents between the PDC and BDCs. The most notable symptom is that workstations may not be able
1841 to log onto the network following a reboot and may have to re-join the Domain to recover network
1852 You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
1859 No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server
1860 offers an IP address lease, but it is the client that determines which offer is accepted, no matter how many
1861 offers are made. Under normal operation, the client accepts the first offer it receives.
1865 The only exception to this rule is when the client makes a directed request from a specific DHCP server
1866 for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash.
1876 How does the Windows client find the PDC?
1883 The Windows client obtains the WINS server address from the DHCP lease information. It also
1884 obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast)
1885 to register itself with the WINS server and to obtain enumeration of vital network information to
1886 enable it to operate successfully.
1896 Why did you enable IP forwarding (routing) only on the server called <constant>MASSIVE</constant>?
1903 The server called <constant>MASSIVE</constant> is acting as a router to the Internet. No other server
1904 (BLDG1 or BLDG2) has any need for IP forwarding since they are attached only to their own network.
1905 Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network
1906 segments to the router that is its gateway to them.
1916 You did nothing special to implement roaming profiles. Why?
1923 Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional
1924 clients is to use roaming profiles.
1934 On the Domain Member computers, you configured winbind in the <filename>/etc/nsswitch.conf</filename> file.
1935 You did not configure any PAM settings. Is this an omission?
1942 PAM is needed only for authentication. When Samba is using Microsoft encrypted passwords, it makes only
1943 marginal use of PAM. PAM configuration handles only authentication. If you want to log onto the Domain
1944 Member servers using Windows networking user names and passwords, it is necessary to configure PAM
1945 to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name
1946 service switcher (NSS).
1956 You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
1963 Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed
1964 in <emphasis>TOSHARG</emphasis>, where it has a full chapter dedicated to the subject. While we are on the
1965 subject, it should be noted that you should definitely not use SWAT on any system that makes use
1966 of &smb.conf; <parameter>include</parameter> files because SWAT optimizes them out into an aggregated
1967 file but leaves in place a broken reference to the top layer include file. SWAT was not designed to
1968 handle this functionality gracefully.
1978 The Domain Controller has an auto-shutdown script. Isn't that dangerous?
1985 Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though.