1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <chapter id="AdvancedNetworkManagement">
6 <pubdate>June 15 2005</pubdate>
9 <title>Advanced Network Management</title>
12 This section documents peripheral issues that are of great importance to network
13 administrators who want to improve network resource access control, to automate the user
14 environment, and to make their lives a little easier.
18 <title>Features and Benefits</title>
21 Often the difference between a working network environment and a well-appreciated one can
22 best be measured by the <emphasis>little things</emphasis> that make everything work more
23 harmoniously. A key part of every network environment solution is the ability to remotely
24 manage MS Windows workstations, remotely access the Samba server, provide customized
25 logon scripts, as well as other housekeeping activities that help to sustain more reliable
30 This chapter presents information on each of these areas. They are placed here, and not in
31 other chapters, for ease of reference.
37 <title>Remote Server Administration</title>
40 <para><quote>How do I get User Manager and Server Manager?</quote></para>
43 <indexterm><primary>User Manager</primary></indexterm>
44 <indexterm><primary>Server Manager</primary></indexterm>
45 <indexterm><primary>Event Viewer</primary></indexterm>
46 Since I do not need to buy an <application>NT4 server</application>, how do I get the User Manager for Domains
47 and the Server Manager?
51 <indexterm><primary>Nexus.exe</primary></indexterm>
52 Microsoft distributes a version of these tools called <filename>Nexus.exe</filename> for installation
53 on <application>Windows 9x/Me</application> systems. The tools set includes:
57 <listitem><para>Server Manager</para></listitem>
58 <listitem><para>User Manager for Domains</para></listitem>
59 <listitem><para>Event Viewer</para></listitem>
63 Download the archived file at the Microsoft <ulink noescape="1"
64 url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">Nexus</ulink> link.
68 <indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
69 The <application>Windows NT 4.0</application> version of the User Manager for
70 Domains and Server Manager are available from Microsoft
71 <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">via ftp</ulink>.
77 <title>Remote Desktop Management</title>
80 There are a number of possible remote desktop management solutions that range from free
81 through costly. Do not let that put you off. Sometimes the most costly solution is the
82 most cost effective. In any case, you will need to draw your own conclusions as to which
83 is the best tool in your network environment.
87 <title>Remote Management from NoMachine.Com</title>
90 <indexterm><primary>NoMachine.Com</primary></indexterm>
91 The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
92 It is presented in slightly edited form (with author details omitted for privacy reasons).
93 The entire answer is reproduced below with some comments removed.
97 I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote
98 desktop capabilities so users outside could login to the system and get their desktop up from home or
103 Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so
104 it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login
105 even if the computer is in a domain?
109 Answer provided: Check out the new offer of <quote>NX</quote> software from
110 <ulink noescape="1" url="http://www.nomachine.com/">NoMachine</ulink>.
114 It implements an easy-to-use interface to the Remote X protocol as
115 well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
116 performance much better than anything you may have ever seen.
120 Remote X is not new at all, but what they did achieve successfully is
121 a new way of compression and caching technologies that makes the thing
122 fast enough to run even over slow modem/ISDN connections.
126 I test drove their (public) Red Hat machine in Italy, over a loaded
127 Internet connection, with enabled thumbnail previews in KDE konqueror,
128 which popped up immediately on <quote>mouse-over</quote>. From inside that (remote X)
129 session I started a rdesktop session on another, a Windows XP machine.
130 To test the performance, I played Pinball. I am proud to announce
131 that my score was 631,750 points at first try.
135 NX performs better on my local LAN than any of the other <quote>pure</quote>
136 connection methods I use from time to time: TightVNC, rdesktop or
137 Remote X. It is even faster than a direct crosslink connection between
142 I even got sound playing from the Remote X app to my local boxes, and
143 had a working <quote>copy'n'paste</quote> from an NX window (running a KDE session
144 in Italy) to my Mozilla mailing agent. These guys are certainly doing
149 I recommend test driving NX to anybody with a only a passing interest in remote computing
150 the <ulink noescape="1" url="http://www.nomachine.com/testdrive.php">NX</ulink> utility.
154 Just download the free-of-charge client software (available for Red Hat,
155 SuSE, Debian and Windows) and be up and running within 5 minutes (they
156 need to send you your account data, though, because you are assigned
157 a real UNIX account on their testdrive.nomachine.com box).
161 They plan to get to the point were you can have NX application servers
162 running as a cluster of nodes, and users simply start an NX session locally
163 and can select applications to run transparently (apps may even run on
164 another NX node, but pretend to be on the same as used for initial login,
165 because it displays in the same window. You also can run it
166 full-screen, and after a short time you forget that it is a remote session
171 Now the best thing for last: All the core compression and caching
172 technologies are released under the GPL and available as source code
173 to anybody who wants to build on it! These technologies are working,
174 albeit started from the command line only (and very inconvenient to
175 use in order to get a fully running remote X session up and running).
179 To answer your questions:
184 You do not need to install a terminal server; XP has RDP support built in.
188 NX is much cheaper than Citrix &smbmdash; and comparable in performance, probably faster.
192 You do not need to hack XP &smbmdash; it just works.
196 You log into the XP box from remote transparently (and I think there is no
197 need to change anything to get a connection, even if authentication is against a domain).
201 The NX core technologies are all Open Source and released under the GPL &smbmdash;
202 you can now use a (very inconvenient) command line at no cost,
203 but you can buy a comfortable (proprietary) NX GUI front end for money.
207 NoMachine is encouraging and offering help to OSS/Free Software implementations
208 for such a front-end too, even if it means competition to them (they have written
209 to this effect even to the LTSP, KDE, and GNOME developer mailing lists).
218 <title>Network Logon Script Magic</title>
221 There are several opportunities for creating a custom network startup configuration environment.
225 <listitem><para>No Logon Script.</para></listitem>
226 <listitem><para>Simple universal Logon Script that applies to all users.</para></listitem>
227 <listitem><para>Use of a conditional Logon Script that applies per-user or per-group attributes.</para></listitem>
228 <listitem><para>Use of Samba's preexec and postexec functions on access to the NETLOGON share to create
229 a custom logon script and then execute it.</para></listitem>
230 <listitem><para>User of a tool such as KixStart.</para></listitem>
234 The Samba source code tree includes two logon script generation/execution tools.
235 See <filename>examples</filename> directory <filename>genlogon</filename> and
236 <filename>ntlogon</filename> subdirectories.
240 The following listings are from the genlogon directory.
245 <indexterm><primary>genlogon.pl</primary></indexterm>
246 This is the <filename>genlogon.pl</filename> file:
253 # Perl script to generate user logon scripts on the fly, when users
254 # connect from a Windows client. This script should be called from
255 # smb.conf with the %U, %G and %L parameters. I.e:
257 # root preexec = genlogon.pl %U %G %L
259 # The script generated will perform
262 # 1. Log the user connection to /var/log/samba/netlogon.log
263 # 2. Set the PC's time to the Linux server time (which is maintained
264 # daily to the National Institute of Standards Atomic clock on the
266 # 3. Connect the user's home drive to H: (H for Home).
267 # 4. Connect common drives that everyone uses.
268 # 5. Connect group-specific drives for certain user groups.
269 # 6. Connect user-specific drives for certain users.
270 # 7. Connect network printers.
272 # Log client connection
273 #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
274 ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
275 open LOG, ">>/var/log/samba/netlogon.log";
276 print LOG "$mon/$mday/$year $hour:$min:$sec";
277 print LOG " - User $ARGV[0] logged into $ARGV[1]\n";
280 # Start generating logon script
281 open LOGON, ">/shared/netlogon/$ARGV[0].bat";
282 print LOGON "\@ECHO OFF\r\n";
284 # Connect shares just use by Software Development group
285 if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
287 print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
290 # Connect shares just use by Technical Support staff
291 if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
293 print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
296 # Connect shares just used by Administration staff
297 If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
299 print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
300 print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
303 # Now connect Printers. We handle just two or three users a little
304 # differently, because they are the exceptions that have desktop
305 # printers on LPT1: - all other user's go to the LaserJet on the
307 if ($ARGV[0] eq 'jim'
308 || $ARGV[0] eq 'yvonne')
310 print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
311 print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
315 print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
316 print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
319 # All done! Close the output file.
325 Those wishing to use a more elaborate or capable logon processing system should check out these sites:
329 <listitem><para><ulink noescape="1" url="http://www.craigelachie.org/rhacer/ntlogon">http://www.craigelachie.org/rhacer/ntlogon</ulink></para></listitem>
330 <listitem><para><ulink noescape="1" url="http://www.kixtart.org">http://www.kixtart.org</ulink></para></listitem>
334 <title>Adding Printers without User Intervention</title>
338 <indexterm><primary>rundll32</primary></indexterm>
339 Printers may be added automatically during logon script processing through the use of:
342 &dosprompt;<userinput>rundll32 printui.dll,PrintUIEntry /?</userinput>
345 See the documentation in the <ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">Microsoft Knowledge Base article 189105</ulink>.
350 <title>Limiting Logon Connections</title>
353 Sometimes it is necessary to limit the number of concurrent connections to a
354 Samba shared resource. For example, a site may wish to permit only one network
359 The Samba <parameter>preexec script</parameter> parameter can be used to permit only one
360 connection per user. Though this method is not foolproof and may have side effects,
361 the following contributed method may inspire someone to provide a better solution.
365 This is not a perfect solution because Windows clients can drop idle connections
366 with an auto-reconnect capability that could result in the appearance that a share
367 is no longer in use, while actually it is. Even so, it demonstrates the principle
368 of use of the <parameter>preexec script</parameter> parameter.
372 The following share configuration demonstrates use of the script shown in <link linkend="Tpees"/>.
376 preexec script = /sbin/PermitSingleLogon.sh
383 <title>Script to Enforce Single Resource Logon</title>
388 RESULT=$(smbstatus -S -u $1 2> /dev/null | awk 'NF > 6 {print $1}' | sort | uniq -d)
390 if [ "X${RESULT}" == X ]; then