Part II. Domain Members, Updating Samba and Migration

Question

- - +
+ + Is it true that DHCP uses lots of WAN bandwidth?
- - - + + + It is a smart practice to localize DHCP servers on each network segment. As a rule, there should be two DHCP servers per network segment. This means that if one server fails, there is always another to service user needs. DHCP requests use only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network routers. This makes it possible to run fewer DHCP servers.
- - + + A DHCP network address request and confirmation usually results in about six UDP packets. The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP clients and that uses a 24-hour IP address lease. This means that all clients renew @@ -874,28 +874,28 @@
From this can be seen that the traffic impact would be minimal.
- - + + Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link, the impact of the update is no more than the DHCP IP address renewal traffic and thus still insignificant for most practical purposes. -
- - +
+ + How much background communication takes place between a master LDAP server and its slave LDAP servers?
- + The process that controls the replication of data from the master LDAP server to the slave LDAP servers is called slurpd. The slurpd remains nascent (quiet) until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete) two user accounts requires less than 10KB traffic. -
+
LDAP has a database. Is LDAP not just a fancy database front end?
- - - - + + + + LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific data storage system. This type of database is indexed so that records can be rapidly located, but the database is not generic and can be used only in particular pre-programmed ways. General external @@ -904,57 +904,57 @@ orientation and typically allows external programs to perform ad hoc queries, even across data tables. An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific simple queries. The term database is heavily overloaded and thus much misunderstood. -
- +
+ Can Active Directory obtain account information from an OpenLDAP server?
- + No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface to OpenLDAP using standard LDAP queries and updates. -
+
What are the parts of a roaming profile? How large is each part? -
+
A roaming profile consists of -
+
Desktop folders such as Desktop, My Documents, My Pictures, My Music, Internet Files, Cookies, Application Data, Local Settings, and more. See “Making Happy Users”, “Windows XP Professional User Shared Folders”.
- + Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all such folders can be redirected to network drive resources. See “Configuration of Default Profile with Folder Redirection” for more information regarding folder redirection. -
+
A static or rewritable portion that is typically only a few files (2-5 KB of information). -
- - +
+ + The registry load file that modifies the HKEY_LOCAL_USER hive. This is the NTUSER.DAT file. It can be from 0.4 to 1.5 MB.
- + Microsoft Outlook PST files may be stored in the Local Settings\Application Data folder. It can be up to 2 GB in size per PST file. -
+
Can the My Documents folder be stored on a network drive?
- - + + Yes. More correctly, such folders can be redirected to network shares. No specific network drive connection is required. Registry settings permit this to be redirected directly to a UNC (Universal Naming Convention) resource, though it is possible to specify a network drive letter instead of a UNC name. See “Configuration of Default Profile with Folder Redirection”. -
- - - +
+ + + How much WAN bandwidth does WINS consume?
- - - + + + MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache. This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day, @@ -966,7 +966,7 @@
In conclusion, the total load afforded through WINS traffic is again marginal to total operational usage as it should be. -
+
How many BDCs should I have? What is the right number of Windows clients per server?
It is recommended to have at least one BDC per network segment, including the segment served @@ -980,19 +980,19 @@
As unsatisfactory as the answer might sound, it all depends on network and server load characteristics. -
- +
+ I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to run an NIS server?
The correct answer to both questions is yes. But do understand that an LDAP server has a configurable schema that can store far more information for many more purposes than just NIS. -
+
Can I use NIS in place of LDAP?
- - + + No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal with the types of data necessary for interoperability with Microsoft Windows networking. The use of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/apa.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/apa.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/apa.html 2010-01-14 11:24:29.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/apa.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,50 +1,50 @@ -Appendix A. GNU General Public License version 3
Appendix A. +Appendix A. GNU General Public License version 3
Appendix A. + GNU General Public License version 3 +
Prev Part III. Reference Section Next
Appendix A. GNU General Public License version 3 -
Prev Part III. Reference Section Next
Appendix A. - GNU General Public License version 3 -
Table of Contents
A. +
Table of Contents
A. Preamble -
A. +
A. TERMS AND CONDITIONS -
A. +
A. 0. Definitions. -
A. +
A. 1. Source Code. -
A. +
A. 2. Basic Permissions. -
A. +
A. 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. -
A. +
A. 4. Conveying Verbatim Copies. -
A. +
A. 5. Conveying Modified Source Versions. -
A. +
A. 6. Conveying Non-Source Forms. -
A. +
A. 7. Additional Terms. -
A. +
A. 8. Termination. -
A. +
A. 9. Acceptance Not Required for Having Copies. -
A. +
A. 10. Automatic Licensing of Downstream Recipients. -
A. +
A. 11. Patents. -
A. +
A. 12. No Surrender of Others’ Freedom. -
A. +
A. 13. Use with the ???TITLE??? Affero General Public License. -
A. +
A. 14. Revised Versions of this License. -
A. +
A. 15. Disclaimer of Warranty. -
A. +
A. 16. Limitation of Liability. -
A. +
A. 17. Interpretation of Sections 15 and 16. -
A. +
A. END OF TERMS AND CONDITIONS -
A. +
A. How to Apply These Terms to Your New Programs
Version 3, 29 June 2007 @@ -54,7 +54,7 @@
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. -
+
Preamble
The GNU General Public License is a free, copyleft @@ -118,9 +118,9 @@
The precise terms and conditions for copying, distribution and modification follow. -
+
TERMS AND CONDITIONS -
+
0. Definitions.
“This License” refers to version 3 of the GNU @@ -162,7 +162,7 @@ License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. -
+
1. Source Code.
The “source code” for a work means the preferred form of the @@ -202,7 +202,7 @@ automatically from other parts of the Corresponding Source.
The Corresponding Source for a work in source code form is that same work. -
+
2. Basic Permissions.
All rights granted under this License are granted for the term of copyright @@ -227,7 +227,7 @@ Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. -
+
3. Protecting Users’ Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological measure @@ -242,7 +242,7 @@ the work as a means of enforcing, against the work’s users, your or third parties’ legal rights to forbid circumvention of technological measures. -
+
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program’s source code as you @@ -255,21 +255,21 @@
You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. -
+
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: -
+
The work must carry prominent notices stating that you modified it, and giving a relevant date. -
+
The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices”. -
+
You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the @@ -277,7 +277,7 @@ packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. -
+
If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need @@ -291,18 +291,18 @@ or legal rights of the compilation’s users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. -
+
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: -
+
Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. -
+
Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts @@ -313,12 +313,12 @@ price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. -
+
Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. -
+
Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no @@ -331,7 +331,7 @@ Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. -
+
Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under @@ -386,7 +386,7 @@ (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. -
+
7. Additional Terms.
“Additional permissions” are terms that supplement the terms of @@ -408,24 +408,24 @@ Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: -
+
Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or -
+
Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or -
+
Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or -
+
Limiting the use for publicity purposes of names of licensors or authors of the material; or -
+
Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or -
+
Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any @@ -450,7 +450,7 @@ Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. -
+
8. Termination.
You may not propagate or modify a covered work except as expressly provided @@ -476,7 +476,7 @@ License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. -
+
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or run a @@ -487,7 +487,7 @@ These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. -
+
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically receives a @@ -512,7 +512,7 @@ or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. -
+
11. Patents.
A “contributor” is a copyright holder who authorizes use under @@ -579,7 +579,7 @@ Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. -
+
12. No Surrender of Others’ Freedom.
If conditions are imposed on you (whether by court order, agreement or @@ -591,7 +591,7 @@ to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. -
+
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have permission to @@ -602,7 +602,7 @@ requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. -
+
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of the @@ -627,7 +627,7 @@ Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. -
+
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE @@ -638,7 +638,7 @@ THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. -
+
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL @@ -650,7 +650,7 @@ PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. -
+
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided above @@ -659,9 +659,9 @@ waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. -
+
END OF TERMS AND CONDITIONS -
+
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/appendix.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/appendix.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/appendix.html 2010-01-14 11:24:26.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/appendix.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,26 +1,26 @@ -Chapter 15. A Collection of Useful Tidbits
Chapter 15. A Collection of Useful Tidbits
Prev Part III. Reference Section Next
Chapter 15. A Collection of Useful Tidbits
Table of Contents
Joining a Domain: Windows 200x/XP Professional
Samba System File Location
Starting Samba
DNS Configuration Files
The Forward Zone File for the Loopback Adaptor
The Reverse Zone File for the Loopback Adaptor
DNS Root Server Hint File
Alternative LDAP Database Initialization
Initialization of the LDAP Database
The LDAP Account Manager
IDEALX Management Console
Effect of Setting File and Directory SUID/SGID Permissions Explained
Shared Data Integrity
Microsoft Access
Act! Database Sharing
Opportunistic Locking Controls
- - +Chapter 15. A Collection of Useful Tidbits
Chapter 15. A Collection of Useful Tidbits
Prev Part III. Reference Section Next
Chapter 15. A Collection of Useful Tidbits
Table of Contents
Joining a Domain: Windows 200x/XP Professional
Samba System File Location
Starting Samba
DNS Configuration Files
The Forward Zone File for the Loopback Adaptor
The Reverse Zone File for the Loopback Adaptor
DNS Root Server Hint File
Alternative LDAP Database Initialization
Initialization of the LDAP Database
The LDAP Account Manager
IDEALX Management Console
Effect of Setting File and Directory SUID/SGID Permissions Explained
Shared Data Integrity
Microsoft Access
Act! Database Sharing
Opportunistic Locking Controls
+ + Information presented here is considered to be either basic or well-known material that is informative yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical, as shown in the example given below. -
Joining a Domain: Windows 200x/XP Professional
- +
Joining a Domain: Windows 200x/XP Professional
+ Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security. This section steps through the process for making a Windows 200x/XP Professional machine a member of a Domain Security environment. It should be noted that this process is identical when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC. -
Procedure 15.1. Steps to Join a Domain
+
Procedure 15.1. Steps to Join a Domain
Click Start. -
+
Right-click My Computer, and then select Properties. -
+
The opening panel is the same one that can be reached by clicking System on the Control Panel. See “The General Panel.”.
Figure 15.1. The General Panel.

-
+
Click the Computer Name tab. This panel shows the Computer Description, the Full computer name, and the Workgroup or Domain name. @@ -29,40 +29,40 @@ Samba-3. If you wish to change the computer name, or join or leave the domain, click the Change button. See “The Computer Name Panel.”.
Figure 15.2. The Computer Name Panel.

-
+
Click on Change. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP. We join the domain called MIDEARTH. See “The Computer Name Changes Panel”.
Figure 15.3. The Computer Name Changes Panel

-
+
Enter the name MIDEARTH in the field below the Domain radio button.
This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See “The Computer Name Changes Panel Domain MIDEARTH”.
Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH

-
+
Now click the OK button. A dialog box should appear to allow you to provide the credentials (username and password) of a domain administrative account that has the rights to add machines to the domain.
- Enter the name “root” and the root password from your Samba-3 server. See “Computer Name Changes User name and Password Panel”. + Enter the name “root” and the root password from your Samba-3 server. See “Computer Name Changes User name and Password Panel”.
Figure 15.5. Computer Name Changes User name and Password Panel
Computer Name Changes User name and Password Panel

-
+
Click OK.
- The “Welcome to the MIDEARTH domain” dialog box should appear. At this point, the machine must be rebooted. + The “Welcome to the MIDEARTH domain” dialog box should appear. At this point, the machine must be rebooted. Joining the domain is now complete.
- - + + The screen capture shown in “The Computer Name Changes Panel Domain MIDEARTH” has a button labeled More.... This button opens a panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.
- - + + Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server to find the services (like which machines are domain controllers or which machines have the Netlogon service running).
- + The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix, this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to a valid IP address. @@ -70,12 +70,12 @@ The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain. Where the client is a member of a Samba domain, it is preferable to leave this field blank.
- - According to Microsoft documentation, “If this computer belongs to a group with Group Policy + + According to Microsoft documentation, “If this computer belongs to a group with Group Policy enabled on Primary DNS suffice of this computer, the string specified in the Group Policy is used as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is - used only if Group Policy is disabled or unspecified.” -
Samba System File Location
+ used only if Group Policy is disabled or unspecified.” +
Samba System File Location
One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is in the /usr/local/samba directory. This is a perfectly reasonable location, particularly given all the other @@ -83,7 +83,7 @@
Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team default. -
+
Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy System (FHS), have elected to locate the configuration files under the /etc/samba directory, common binary files (those used by users) in the /usr/bin directory, and the administrative files (daemons) in the @@ -92,13 +92,13 @@ /usr/share/swat. There are additional support files for smbd in the /usr/lib/samba directory tree. The files located there include the dynamically loadable modules for the passdb backend as well as for the VFS modules. -
+
Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in the /var/lib/samba directory. Log files are created in /var/log/samba.
When Samba is built and installed using the default Samba Team process, all files are located under the /usr/local/samba directory tree. This makes it simple to find the files that Samba owns. -
+
One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location of all files called smbd. Here is an example:
@@ -131,7 +131,7 @@
Many people have been caught by installation of Samba using the default Samba Team process when it was already installed by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by - executing: + executing:
root# rpm -qa | grep samba samba3-pdb-3.0.20-1 @@ -143,9 +143,9 @@ samba3-doc-3.0.20-1 samba3-client-3.0.20-1 samba3-cifsmount-3.0.20-1 -
+
The package names, of course, vary according to how the vendor, or the binary package builder, prepared them. -
Starting Samba
+
Starting Samba
Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba, there are three daemons, two of which are needed as a minimum. @@ -186,19 +186,19 @@ fi exit 0

nmbd
- - + + This daemon handles all name registration and resolution requests. It is the primary vehicle involved in network browsing. It handles all UDP-based protocols. The nmbd daemon should be the first command started as part of the Samba startup process.
smbd
- - + + This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also manages local authentication. It should be started immediately following the startup of nmbd.
winbindd
- - + + This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when Samba has trust relationships with another domain. The winbindd daemon will check the smb.conf file for the presence of the idmap uid and idmap gid @@ -252,22 +252,22 @@ echo "Usage: smb {start|stop|restart|status}" exit 1 esac -

+

SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently executed from the command line is shown in “A Useful Samba Control Script for SUSE Linux”. This can be located in the directory /sbin in a file called samba. This type of control script should be owned by user root and group root, and set so that only root can execute it. -
+
A sample startup script for a Red Hat Linux system is shown in “A Sample Samba Control Script for Red Hat Linux”. This file could be located in the directory /etc/rc.d and can be called samba. A similar startup script is required to control winbind. If you want to find more information regarding startup scripts please refer to the packaging section of the Samba source code distribution tarball. The packaging files for each platform include a startup control file. -
DNS Configuration Files
+
DNS Configuration Files
The following files are common to all DNS server configurations. Rather than repeat them multiple times, they are presented here for general reference. -
The Forward Zone File for the Loopback Adaptor
+
The Forward Zone File for the Loopback Adaptor
The forward zone file for the loopback address never changes. An example file is shown in “DNS Localhost Forward Zone File: /var/lib/named/localhost.zone”. All traffic destined for an IP address that is hosted on a physical interface on the machine itself is routed to the loopback adaptor. This is @@ -284,7 +284,7 @@ IN NS @ IN A 127.0.0.1 -

The Reverse Zone File for the Loopback Adaptor
+

The Reverse Zone File for the Loopback Adaptor
The reverse zone file for the loopback address as shown in “DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone” is necessary so that references to the address 127.0.0.1 can be resolved to the correct name of the interface. @@ -344,21 +344,21 @@ . 3600000 NS M.ROOT-SERVERS.NET. M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 ; End of File -

DNS Root Server Hint File
+

DNS Root Server Hint File
The content of the root hints file as shown in “DNS Root Name Server Hint File: /var/lib/named/root.hint” changes slowly over time. Periodically this file should be updated from the source shown. Because of its size, this file is located at the end of this chapter. -
Alternative LDAP Database Initialization
+
Alternative LDAP Database Initialization
The following procedure may be used as an alternative means of configuring the initial LDAP database. Many administrators prefer to have greater control over how system files get configured. -
Initialization of the LDAP Database
+
Initialization of the LDAP Database
The first step to get the LDAP server ready for action is to create the LDIF file from which the LDAP database will be preloaded. This is necessary to create the containers into which the user, group, and other accounts are written. It is also necessary to preload the well-known Windows NT Domain Groups, as they must have the correct SID so that they can be recognized as special NT Groups by the MS Windows clients. -
Procedure 15.2. LDAP Directory Pre-Load Steps
+
Procedure 15.2. LDAP Directory Pre-Load Steps
Create a directory in which to store the files you use to generate the LDAP LDIF file for your system. Execute the following:
@@ -366,16 +366,16 @@ root# chown root:root /etc/openldap/SambaInit root# chmod 700 /etc/openldap/SambaInit
-
+
Install the files shown in “LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A”, “LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B”, and “LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C” into the directory /etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh. These three files are, respectively, parts A, B, and C of the SMBLDAP-ldif-preconfig.sh file. -
+
Install the files shown in “LDIF Pattern File Used to Pre-configure LDAP Part A” and “LDIF Pattern File Used to Pre-configure LDAP Part B” into the directory /etc/openldap/SambaInit/. These two files are parts A and B, respectively, of the init-ldif.pat file. -
+
Change to the /etc/openldap/SambaInit directory. Execute the following:
root# sh SMBLDAP-ldif-preconfig.sh @@ -415,7 +415,7 @@ root#
This creates a file called MEGANET2.ldif. -
+
It is now time to preload the LDAP database with the following command:
@@ -466,14 +466,14 @@ modifyTimestamp: 20031217055747Z entryCSN: 2003121705:57:47Z#0x000a#0#0000
-
+
Your LDAP database is ready for testing. You can now start the LDAP server using the system tool for your Linux operating system. For SUSE Linux, you can do this as follows:
root# rcldap start
-
+
It is now a good idea to validate that the LDAP server is running correctly. Execute the following:
@@ -705,14 +705,14 @@ sambaGroupType: 2 displayName: Domain Users description: Domain Users -

The LDAP Account Manager
- - - - - - - +

The LDAP Account Manager
+ + + + + + + The LDAP Account Manager (LAM) is an application suite that has been written in PHP. LAM can be used with any Web server that has PHP4 support. It connects to the LDAP server either using unencrypted connections or via SSL/TLS. LAM can be used to manage @@ -724,29 +724,29 @@ The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter of 2005.
- - - + + + Requirements: -
A web server that will work with PHP4.
PHP4 (available from the PHP home page.)
OpenLDAP 2.0 or later.
A Web browser that supports CSS.
Perl.
The gettext package.
mcrypt + mhash (optional).
It is also a good idea to install SSL support.
+
A web server that will work with PHP4.
PHP4 (available from the PHP home page.)
OpenLDAP 2.0 or later.
A Web browser that supports CSS.
Perl.
The gettext package.
mcrypt + mhash (optional).
It is also a good idea to install SSL support.
LAM is a useful tool that provides a simple Web-based device that can be used to manage the contents of the LDAP directory to: - - - -
Display user/group/host and Domain entries.
Manage entries (Add/Delete/Edit).
Filter and sort entries.
Store and use multiple operating profiles.
Edit organizational units (OUs).
Upload accounts from a file.
Is compatible with Samba-2.2.x and Samba-3.
+ + + +
Display user/group/host and Domain entries.
Manage entries (Add/Delete/Edit).
Filter and sort entries.
Store and use multiple operating profiles.
Edit organizational units (OUs).
Upload accounts from a file.
Is compatible with Samba-2.2.x and Samba-3.
When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba user, group, and windows domain member machine accounts.
- - - - -The default password is “lam.” It is highly recommended that you use only + + + + +The default password is “lam.” It is highly recommended that you use only an SSL connection to your Web server for all remote operations involving LAM. If you want secure connections, you must configure your Apache Web server to permit connections to LAM using only SSL. -
Procedure 15.3. Apache Configuration Steps for LAM
+
Procedure 15.3. Apache Configuration Steps for LAM
Extract the LAM package by untarring it as shown here:
root# tar xzf ldap-account-manager_0.4.9.tar.gz @@ -755,12 +755,12 @@
root# dpkg -i ldap-account-manager_0.4.9.all.deb
-
+
Copy the extracted files to the document root directory of your Web server. For example, on SUSE Linux Enterprise Server 9, copy to the /srv/www/htdocs directory. -
- +
+ Set file permissions using the following commands:
root# chown -R wwwrun:www /srv/www/htdocs/lam @@ -769,8 +769,8 @@ root# chmod 755 /srv/www/htdocs/lam/config root# chmod 755 /srv/www/htdocs/lam/lib/*pl
-
- +
+ Using your favorite editor create the following config.cfg LAM configuration file:
@@ -778,13 +778,13 @@ root# cp config.cfg_sample config.cfg root# vi config.cfg
- - + + An example file is shown in “Example LAM Configuration File config.cfg”. This is the minimum configuration that must be completed. The LAM profile file can be created using a convenient wizard that is part of the LAM configuration suite. -
+
Start your Web server then, using your Web browser, connect to LAM URL. Click on the the Configuration Login link then click on the @@ -794,7 +794,7 @@ lam.conf then, using your favorite editor, change the settings to match local site needs.
- + An example of a working file is shown here in “LAM Profile Control File lam.conf”. This file has been stripped of comments to keep the size small. The comments and help information provided in the profile file that the wizard creates @@ -802,12 +802,12 @@ Your configuration file obviously reflects the configuration options that are preferred at your site.
- + It is important that your LDAP server is running at the time that LAM is being configured. This permits you to validate correct operation. An example of the LAM login screen is provided in “The LDAP Account Manager Login Screen”.
Figure 15.6. The LDAP Account Manager Login Screen

- + The LAM configuration editor has a number of options that must be managed correctly. An example of use of the LAM configuration editor is shown in “The LDAP Account Manager Configuration Screen”. It is important that you correctly set the minimum and maximum UID/GID values that are @@ -817,13 +817,13 @@ the initial settings to be made. Do not forget to reset these to sensible values before using LAM to add additional users and groups.
Figure 15.7. The LDAP Account Manager Configuration Screen

- + LAM has some nice, but unusual features. For example, one unexpected feature in most application screens permits the generation of a PDF file that lists configuration information. This is a well thought out facility. This option has been edited out of the following screen shots to conserve space.
- + When you log onto LAM the opening screen drops you right into the user manager as shown in “The LDAP Account Manager User Edit Screen”. This is a logical action as it permits the most-needed facility to be used immediately. The editing of an existing user, as with the addition of a new user, @@ -837,7 +837,7 @@ shows a sub-screen from the group editor that permits users to be assigned secondary group memberships.
Figure 15.9. The LDAP Account Manager Group Edit Screen

Figure 15.10. The LDAP Account Manager Group Membership Edit Screen

- + The final screen presented here is one that you should not normally need to use. Host accounts will be automatically managed using the smbldap-tools scripts. This means that the screen “The LDAP Account Manager Host Edit Screen” will, in most cases, not be used. @@ -883,7 +883,7 @@ samba3: yes cachetimeout: 5 pwdhash: SSHA -

IDEALX Management Console
+

IDEALX Management Console
IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive web-based management interface for UNIX and Linux systems.
@@ -897,7 +897,7 @@
For further information regarding IMC refer to the web site. Prebuilt RPM packages are also available. -
Effect of Setting File and Directory SUID/SGID Permissions Explained
+
Effect of Setting File and Directory SUID/SGID Permissions Explained
The setting of the SUID/SGID bits on the file or directory permissions flag has particular consequences. If the file is executable and the SUID bit is set, it executes with the privilege of (with the UID of) the owner of the file. For example, if you are logged onto a system as @@ -967,34 +967,34 @@ total 1 drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
-
Shared Data Integrity
+
Shared Data Integrity
The integrity of shared data is often viewed as a particularly emotional issue, especially where there are concurrent problems with multiuser data access. Contrary to the assertions of some who have experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
The solution to concurrent multiuser data access problems must consider three separate areas - from which the problem may stem: -
application-level locking controls
client-side locking controls
server-side locking controls
+ from which the problem may stem: +
application-level locking controls
client-side locking controls
server-side locking controls
Many database applications use some form of application-level access control. An example of one well-known application that uses application-level locking is Microsoft Access. Detailed guidance is provided here because this is the most common application for which problems have been reported. -
+
Common applications that are affected by client- and server-side locking controls include MS Excel and Act!. Important locking guidance is provided here. -
Microsoft Access
+
Microsoft Access
The best advice that can be given is to carefully read the Microsoft knowledgebase articles that cover this area. Examples of relevant documents include: -
http://support.microsoft.com/default.aspx?scid=kb;en-us;208778
http://support.microsoft.com/default.aspx?scid=kb;en-us;299373
+
http://support.microsoft.com/default.aspx?scid=kb;en-us;208778
http://support.microsoft.com/default.aspx?scid=kb;en-us;299373
Make sure that your MS Access database file is configured for multiuser access (not set for exclusive open). Open MS Access on each client workstation, then set the following: (Menu bar) Tools+Options+[tab] General. Set network path to Default database folder: \\server\share\folder.
You can configure MS Access file sharing behavior as follows: click [tab] Advanced. - Set: -
Default open mode: Shared
Default Record Locking: Edited Record
Open databases using record_level locking
+ Set: +
Default open mode: Shared
Default Record Locking: Edited Record
Open databases using record_level locking
You must now commit the changes so that they will take effect. To do so, click ApplyOk. At this point, you should exit MS Access, restart it, and then validate that these settings have not changed. -
Act! Database Sharing
+
Act! Database Sharing
Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you must disable opportunistic locking on the server and all workstations. Failure to do so results in data corruption. This information is available from the Act! Web site @@ -1002,7 +1002,7 @@ 1998223162925 as well as from article 200110485036. -
+
These documents clearly state that opportunistic locking must be disabled on both the server (Samba in the case we are interested in here), as well as on every workstation from which the centrally shared Act! database will be accessed. Act! provides @@ -1010,18 +1010,18 @@ registry settings that may otherwise interfere with the operation of Act! Registered Act! users may download this utility from the Act! Web site. -
Opportunistic Locking Controls
+
Opportunistic Locking Controls
Third-party Windows applications may not be compatible with the use of opportunistic file - and record locking. For applications that are known not to be compatible,^[14] oplock + and record locking. For applications that are known not to be compatible,^[14] oplock support may need to be disabled both on the Samba server and on the Windows workstations. -
+
Oplocks enable a Windows client to cache parts of a file that are being edited. Another windows client may then request to open the file with the ability to write to it. The server will then ask the original workstation that had the file open with a write lock to release its lock. Before doing so, that workstation must flush the file from cache memory to the disk or network drive. -
+
Disabling of Oplocks usage may require server and client changes. Oplocks may be disabled by file, by file pattern, on the share, or on the Samba server. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/Big500users.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/Big500users.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/Big500users.html 2010-01-14 11:24:05.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/Big500users.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,4 +1,4 @@ -Chapter 4. The 500-User Office
Chapter 4. The 500-User Office
Prev Part I. Example Network Configurations Next
Chapter 4. The 500-User Office
Table of Contents
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server-Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
+Chapter 4. The 500-User Office
Chapter 4. The 500-User Office
Prev Part I. Example Network Configurations Next
Chapter 4. The 500-User Office
Table of Contents
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server-Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
The Samba-3 networking you explored in “Secure Office Networking” covers the finer points of configuration of peripheral services such as DHCP and DNS, and WINS. You experienced implementation of a simple configuration of the services that are important adjuncts @@ -6,9 +6,9 @@
An analysis of the history of postings to the Samba mailing list easily demonstrates that the two most prevalent Samba problem areas are -
+
Defective resolution of a NetBIOS name to its IP address -
+
Printing problems
The exercises @@ -17,9 +17,9 @@ that same approach to printing, but “Making Happy Users” presents an opportunity to make printing more complex for the administrator while making it easier for the user.
- - - + + + “Secure Office Networking” demonstrates operation of a DHCP server and a DNS server as well as a central WINS server. You validated the operation of these services and saw an effective implementation of a Samba domain controller using the @@ -41,7 +41,7 @@ improve network management and control while reducing human resource overheads. You should take the opportunity to innovate and expand on the methods presented here and explore them to the fullest. -
Introduction
+
Introduction
Business continues to go well for Abmas. Mr. Meany is driving your success and the network continues to grow thanks to the hard work Christine has done. You recently hired Stanley Soroka as manager of information systems. Christine recommended Stan @@ -66,7 +66,7 @@ and to allow Stan and Christine to fully stage the new network and test it before it is rolled out. Your strategy is to complete the new network so that it is ready for operation when the old office moves into the new premises. -
Assignment Tasks
+
Assignment Tasks
The acquired business had 280 network users. The old Abmas building housed 220 network users in unbelievably cramped conditions. The network that initially served 130 users now handles 220 users quite well. @@ -107,7 +107,7 @@ DirectPointe Inc. receives from you a new standard desktop configuration every four months. They automatically roll that out to each desktop system. You must keep DirectPointe informed of all changes. -
+
The new network has a single Samba Primary Domain Controller (PDC) located in the Network Operation Center (NOC). Buildings 1 and 2 each have a local server for local application servicing. It is a domain member. The new system @@ -115,8 +115,8 @@
Printing is based on raw pass-through facilities just as it has been used so far. All printer drivers are installed on the desktop and notebook computers. -
Dissection and Discussion
- +
Dissection and Discussion
+ The example you are building in this chapter is of a network design that works, but this does not make it a design that is recommended. As a general rule, there should be at least one Backup Domain Controller (BDC) per 150 Windows network clients. The principle behind @@ -127,22 +127,22 @@ responsiveness. This network will have 500 clients serviced by one central domain controller. This is not a good omen for user satisfaction. You, of course, address this very soon (see “Making Happy Users”). -
Technical Issues
+
Technical Issues
Stan has talked you into a horrible compromise, but it is addressed. Just make certain that the performance of this network is well validated before going live.
Design decisions made in this design include the following: -
- - - +
+ + + A single PDC is being implemented. This limitation is based on the choice not to use LDAP. Many network administrators fear using LDAP because of the perceived complexity of implementation and management of an LDAP-based backend for all user identity management as well as to store network access credentials. -
- - +
+ + Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the only choice that makes sense with 500 users is to use the tdbsam passwd backend. This type of backend is not receptive to replication to BDCs. If the tdbsam @@ -151,63 +151,63 @@ memory but not yet written to disk will not be replicated, and (2) domain member machines periodically change the secret machine password. When this happens, there is no mechanism to return the changed password to the PDC. -
+
All domain user, group, and machine accounts are managed on the PDC. This makes for a simple mode of operation but has to be balanced with network performance and integrity of operations considerations. -
- +
+ A single central WINS server is being used. The PDC is also the WINS server. Any attempt to operate a routed network without a WINS server while using NetBIOS over TCP/IP protocols does not work unless on each client the name resolution entries for the PDC are added to the LMHOSTS. This file is normally located on the Windows XP Professional client in the C:\WINDOWS\SYSTEM32\ETC\DRIVERS directory. -
+
At this time the Samba WINS database cannot be replicated. That is why a single WINS server is being implemented. This should work without a problem. -
- +
+ BDCs make use of winbindd to provide access to domain security credentials for file system access and object storage. -
- - +
+ + Configuration of Windows XP Professional clients is achieved using DHCP. Each subnet has its own DHCP server. Backup DHCP serving is provided by one alternate DHCP server. This necessitates enabling of the DHCP Relay agent on all routers. The DHCP Relay agent must be programmed to pass DHCP Requests from the network directed at the backup DHCP server. -
+
All network users are granted the ability to print to any printer that is network-attached. All printers are available from each server. Print jobs that are spooled to a printer that is not on the local network segment are automatically routed to the print spooler that is in control of that printer. The specific details of how this might be done are demonstrated for one example only. -
+
The network address and subnetmask chosen provide 1022 usable IP addresses in each subnet. If in the future more addresses are required, it would make sense to add further subnets rather than change addressing. -
Political Issues
+
Political Issues
This case gets close to the real world. You and I know the right way to implement domain control. Politically, we have to navigate a minefield. In this case, the need is to get the PDC rolled out in compliance with expectations and also to be ready to save the day by having the real solution ready before it is needed. That real solution is presented in “Making Happy Users”. -
Implementation
+
Implementation
The following configuration process begins following installation of Red Hat Fedora Core2 on the three servers shown in the network topology diagram in “Network Topology 500 User Network Using tdbsam passdb backend.”. You have selected hardware that is appropriate to the task. -
Figure 4.1. Network Topology 500 User Network Using tdbsam passdb backend.
Network Topology 500 User Network Using tdbsam passdb backend.

Installation of DHCP, DNS, and Samba Control Files
+
Figure 4.1. Network Topology 500 User Network Using tdbsam passdb backend.

Installation of DHCP, DNS, and Samba Control Files
Carefully install the configuration files into the correct locations as shown in “Domain: MEGANET, File Locations for Servers”. You should validate that the full file path is correct as shown.
The abbreviation shown in this table as {VLN} refers to the directory location beginning with /var/lib/named. -
Table 4.1. Domain: MEGANET, File Locations for Servers
File Information Server Name
Source Target Location MASSIVE BLDG1 BLDG2
“Server: MASSIVE (PDC), File: /etc/samba/smb.conf” /etc/samba/smb.conf Yes No No
“Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf” /etc/samba/dc-common.conf Yes No No
“Common Samba Configuration File: /etc/samba/common.conf” /etc/samba/common.conf Yes Yes Yes
“Server: BLDG1 (Member), File: smb.conf” /etc/samba/smb.conf No Yes No
“Server: BLDG2 (Member), File: smb.conf” /etc/samba/smb.conf No No Yes
“Common Domain Member Include File: dom-mem.conf” /etc/samba/dommem.conf No Yes Yes
“Server: MASSIVE, File: dhcpd.conf” /etc/dhcpd.conf Yes No No
“Server: BLDG1, File: dhcpd.conf” /etc/dhcpd.conf No Yes No
“Server: BLDG2, File: dhcpd.conf” /etc/dhcpd.conf No No Yes
“Server: MASSIVE, File: named.conf, Part: A” /etc/named.conf (part A) Yes No No
“Server: MASSIVE, File: named.conf, Part: B” /etc/named.conf (part B) Yes No No
“Server: MASSIVE, File: named.conf, Part: C” /etc/named.conf (part C) Yes No No
“Forward Zone File: abmas.biz.hosts” {VLN}/master/abmas.biz.hosts Yes No No
“Forward Zone File: abmas.biz.hosts” {VLN}/master/abmas.us.hosts Yes No No
“Servers: BLDG1/BLDG2, File: named.conf, Part: A” /etc/named.conf (part A) No Yes Yes
“Servers: BLDG1/BLDG2, File: named.conf, Part: B” /etc/named.conf (part B) No Yes Yes
“DNS Localhost Forward Zone File: /var/lib/named/localhost.zone” {VLN}/localhost.zone Yes Yes Yes
“DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone” {VLN}/127.0.0.zone Yes Yes Yes
“DNS Root Name Server Hint File: /var/lib/named/root.hint” {VLN}/root.hint Yes Yes Yes

Server Preparation: All Servers
+
Table 4.1. Domain: MEGANET, File Locations for Servers
File Information Server Name
Source Target Location MASSIVE BLDG1 BLDG2
“Server: MASSIVE (PDC), File: /etc/samba/smb.conf” /etc/samba/smb.conf Yes No No
“Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf” /etc/samba/dc-common.conf Yes No No
“Common Samba Configuration File: /etc/samba/common.conf” /etc/samba/common.conf Yes Yes Yes
“Server: BLDG1 (Member), File: smb.conf” /etc/samba/smb.conf No Yes No
“Server: BLDG2 (Member), File: smb.conf” /etc/samba/smb.conf No No Yes
“Common Domain Member Include File: dom-mem.conf” /etc/samba/dommem.conf No Yes Yes
“Server: MASSIVE, File: dhcpd.conf” /etc/dhcpd.conf Yes No No
“Server: BLDG1, File: dhcpd.conf” /etc/dhcpd.conf No Yes No
“Server: BLDG2, File: dhcpd.conf” /etc/dhcpd.conf No No Yes
“Server: MASSIVE, File: named.conf, Part: A” /etc/named.conf (part A) Yes No No
“Server: MASSIVE, File: named.conf, Part: B” /etc/named.conf (part B) Yes No No
“Server: MASSIVE, File: named.conf, Part: C” /etc/named.conf (part C) Yes No No
“Forward Zone File: abmas.biz.hosts” {VLN}/master/abmas.biz.hosts Yes No No
“Forward Zone File: abmas.biz.hosts” {VLN}/master/abmas.us.hosts Yes No No
“Servers: BLDG1/BLDG2, File: named.conf, Part: A” /etc/named.conf (part A) No Yes Yes
“Servers: BLDG1/BLDG2, File: named.conf, Part: B” /etc/named.conf (part B) No Yes Yes
“DNS Localhost Forward Zone File: /var/lib/named/localhost.zone” {VLN}/localhost.zone Yes Yes Yes
“DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone” {VLN}/127.0.0.zone Yes Yes Yes
“DNS Root Name Server Hint File: /var/lib/named/root.hint” {VLN}/root.hint Yes Yes Yes

Server Preparation: All Servers
The following steps apply to all servers. Follow each step carefully. -
Procedure 4.1. Server Preparation Steps
+
Procedure 4.1. Server Preparation Steps
Using the UNIX/Linux system tools, set the name of the server as shown in the network topology diagram in “Network Topology 500 User Network Using tdbsam passdb backend.”. For SUSE Linux products, the tool that permits this is called yast2; for Red Hat Linux products, @@ -220,17 +220,17 @@
root# hostname -f
-
- - +
+ + Edit your /etc/hosts file to include the primary names and addresses of all network interfaces that are on the host server. This is necessary so that during startup the system is able to resolve all its own names to the IP address prior to startup of the DNS server. You should check the startup order of your system. If the CUPS print server is started before the DNS server (named), you should also include an entry for the printers in the /etc/hosts file. -
- +
+ All DNS name resolution should be handled locally. To ensure that the server is configured correctly to handle this, edit /etc/resolv.conf so it has the following content: @@ -240,9 +240,9 @@
This instructs the name resolver function (when configured correctly) to ask the DNS server that is running locally to resolve names to addresses. -
- - +
+ + Add the root user to the password backend:
root# smbpasswd -a root @@ -254,9 +254,9 @@ This account is essential in the regular maintenance of your Samba server. It must never be deleted. If for any reason the account is deleted, you may not be able to recreate this account without considerable trouble. -
- - +
+ + Create the username map file to permit the root account to be called Administrator from the Windows network environment. To do this, create the file /etc/samba/smbusers with the following contents: @@ -282,39 +282,39 @@ # End of File ####
-
+
Configure all network-attached printers to have a fixed IP address. -
+
Create an entry in the DNS database on the server MASSIVE in both the forward lookup database for the zone abmas.biz.hosts and in the reverse lookup database for the network segment that the printer is located in. Example configuration files for similar zones were presented in “Secure Office Networking”, “DNS Abmas.biz Forward Zone File” and “DNS 192.168.2 Reverse Zone File”. -
+
Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100. Use any other port the manufacturer specifies for direct mode, raw printing. This allows the CUPS spooler to print using raw mode protocols. - - -
- + + +
+ Only on the server to which the printer is attached configure the CUPS Print Queues as follows:
root# lpadmin -p printque -v socket://printer-name.abmas.biz:9100 -E
- + This step creates the necessary print queue to use no assigned print filter. This is ideal for raw printing, that is, printing without use of filters. The name printque is the name you have assigned for the particular printer. -
+
Print queues may not be enabled at creation. Make certain that the queues you have just created are enabled by executing the following:
root# /usr/bin/enable printque
-
+
Even though your print queue may be enabled, it is still possible that it does not accept print jobs. A print queue services incoming printing requests only when configured to do so. Ensure that your print queue is @@ -322,10 +322,10 @@
root# /usr/bin/accept printque
-
- - - +
+ + + This step, as well as the next one, may be omitted where CUPS version 1.1.18 or later is in use. Although it does no harm to follow it anyway, and may help to avoid time spent later trying to figure out why print jobs may be @@ -335,41 +335,41 @@
application/octet-stream application/vnd.cups-raw 0 -
-
- +
+ Edit the file /etc/cups/mime.types to uncomment the line:
application/octet-stream
-
+
Refer to the CUPS printing manual for instructions regarding how to configure CUPS so that print queues that reside on CUPS servers on remote networks route print jobs to the print server that owns that queue. The default setting on your CUPS server may automatically discover remotely installed printers and may permit this functionality without requiring specific configuration. -
+
As part of the roll-out program, you need to configure the application's server shares. This can be done once on the central server and may then be replicated using a tool such as rsync. Refer to the man page for rsync for details regarding use. The notes in “Application Share Configuration” may help in your decisions to use an application server facility. -
Note
+
Note
Logon scripts that are run from a domain controller (PDC or BDC) are capable of using semi-intelligent processes to automap Windows client drives to an application server that is nearest to the client. This is considerably more difficult when a single PDC is used on a routed network. It can be done, but not as elegantly as you see in the next chapter. -
Server-Specific Preparation
+
Server-Specific Preparation
There are some steps that apply to particular server functionality only. Each step is critical to correct server operation. The following step-by-step installation guidance will assist you in working through the process of configuring the PDC and then both BDC's. -
Configuration for Server: MASSIVE
+
Configuration for Server: MASSIVE
The steps presented here attempt to implement Samba installation in a generic manner. While some steps are clearly specific to Linux, it should not be too difficult to apply them to your platform of choice. -
Procedure 4.2. Primary Domain Controller Preparation
- - +
Procedure 4.2. Primary Domain Controller Preparation
+ + The host server acts as a router between the two internal network segments as well as for all Internet access. This necessitates that IP forwarding be enabled. This can be achieved by adding to the /etc/rc.d/boot.local an entry as follows: @@ -378,7 +378,7 @@
To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute that command manually also. This setting permits the Linux system to act as a router. -
+
This server is dual hosted (i.e., has two network interfaces) one goes to the Internet and the other to a local network that has a router that is the gateway to the remote networks. You must therefore configure the server with route table entries so that it can find machines @@ -396,46 +396,46 @@ not persistent across system reboots. You may add these commands directly to the local startup files as follows: (SUSE) /etc/rc.d/boot.local, (Red Hat) /etc/rc.d/init.d/rc.local. -
- +
+ The final step that must be completed is to edit the /etc/nsswitch.conf file. This file controls the operation of the various resolver libraries that are part of the Linux Glibc libraries. Edit this file so that it contains the following entries:
hosts: files dns wins
-
- +
+ Create and map Windows domain groups to UNIX groups. A sample script is provided in “Initialize Groups Script, File: /etc/samba/initGrps.sh”. Create a file containing this script. You called yours /etc/samba/initGrps.sh. Set this file so it can be executed and then execute the script. An example of the execution of this script as well as its validation are shown in Section 4.3.2, Step 5. -
- - - +
+ + + For each user who needs to be given a Windows domain account, make an entry in the /etc/passwd file as well as in the Samba password backend. Use the system tool of your choice to create the UNIX system account, and use the Samba smbpasswd to create a domain user account.
- - - + + + There are a number of tools for user management under UNIX, such as useradd, adduser, as well as a plethora of custom tools. With the tool of your choice, create a home directory for each user. -
+
Using the preferred tool for your UNIX system, add each user to the UNIX groups created previously as necessary. File system access control is based on UNIX group membership. -
+
Create the directory mount point for the disk subsystem that is to be mounted to provide data storage for company files, in this case, the mount point indicated in the smb.conf file is /data. Format the file system as required and mount the formatted file system partition using appropriate system tools. -
- +
+ Create the top-level file storage directories for data and applications as follows:
root# mkdir -p /data/{accounts,finsvcs,pidata} @@ -453,7 +453,7 @@ The directory root of the finsvcs share is /data/finsvcs. The /apps directory is the root of the apps share that provides the application server infrastructure. -
+
The smb.conf file specifies an infrastructure to support roaming profiles and network logon services. You can now create the file system infrastructure to provide the locations on disk that these services require. Adequate planning is essential @@ -474,9 +474,9 @@ root# chown 'username':users /var/lib/samba/profiles/'username' root# chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
-
- - +
+ + Create a logon script. It is important that each line is correctly terminated with a carriage return and line-feed combination (i.e., DOS encoding). The following procedure works if the right tools (unxi2dos and dos2unix) are installed. @@ -491,7 +491,7 @@ root# dos2unix < /var/lib/samba/netlogon/scripts/logon.bat.unix \ > /var/lib/samba/netlogon/scripts/logon.bat
-
+
There is one preparatory step without which you cannot have a working Samba network environment. You must add an account for each network user. You can do this by executing the following steps for each user: @@ -508,18 +508,18 @@ Added user username.
You do, of course, use a valid user login ID in place of username. -
+
Follow the processes shown in “Process Startup Configuration” to start all services. -
+
Your server is ready for validation testing. Do not proceed with the steps in “Configuration Specific to Domain Member Servers: BLDG1, BLDG2” until after the operation of the server has been validated following the same methods as outlined in “Secure Office Networking”, “Validation”. -
Configuration Specific to Domain Member Servers: BLDG1, BLDG2
+
Configuration Specific to Domain Member Servers: BLDG1, BLDG2
The following steps will guide you through the nuances of implementing BDCs for the broadcast isolated network segments. Remember that if the target installation platform is not Linux, it may be necessary to adapt some commands to the equivalent on the target platform. -
Procedure 4.3. Backup Domain Controller Configuration Steps
- +
Procedure 4.3. Backup Domain Controller Configuration Steps
+ The final step that must be completed is to edit the /etc/nsswitch.conf file. This file controls the operation of the various resolver libraries that are part of the Linux Glibc libraries. Edit this file so that it contains the following entries: @@ -528,27 +528,27 @@ group: files winbind hosts: files dns wins
-
+
Follow the steps outlined in “Process Startup Configuration” to start all services. Do not start Samba at this time. Samba is controlled by the process called smb. -
- +
+ You must now attempt to join the domain member servers to the domain. The following instructions should be executed to effect this:
root# net rpc join
-
- +
+ You now start the Samba services by executing:
root# service smb start
-
+
Your server is ready for validation testing. Do not proceed with the steps in “Configuration Specific to Domain Member Servers: BLDG1, BLDG2” until after the operation of the server has been validated following the same methods as outlined in “Validation”. -
Example 4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
# Global parameters

[global]
workgroup = MEGANET
netbios name = MASSIVE
interfaces = eth1, lo
bind interfaces only = Yes
passdb backend = tdbsam
smb ports = 139
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
preferred master = Yes
wins support = Yes
include = /etc/samba/dc-common.conf

[accounts]
comment = Accounting Files
path = /data/accounts
read only = No

[service]
comment = Financial Services Files
path = /data/service
read only = No

[pidata]
comment = Property Insurance Files
path = /data/pidata
read only = No

Example 4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf
# Global parameters

[global]
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = scripts\logon.bat
logon path = \%L\profiles\%U
logon drive = X:
logon home = \%L\%U
domain logons = Yes
preferred master = Yes
include = /etc/samba/common.conf

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

Example 4.3. Common Samba Configuration File: /etc/samba/common.conf

[global]
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
utmp = Yes
map acl inherit = Yes
printing = cups
veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/
include =
# Share and Service Definitions are common to all servers

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = Yes
default devmode = Yes
browseable = No

[apps]
comment = Application Files
path = /apps
admin users = bjordan
read only = No

Example 4.4. Server: BLDG1 (Member), File: smb.conf
# Global parameters

[global]
workgroup = MEGANET
netbios name = BLDG1
include = /etc/samba/dom-mem.conf

Example 4.5. Server: BLDG2 (Member), File: smb.conf
# Global parameters

[global]
workgroup = MEGANET
netbios name = BLDG2
include = /etc/samba/dom-mem.conf

Example 4.6. Common Domain Member Include File: dom-mem.conf
# Global parameters

[global]
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
preferred master = Yes
wins server = 172.16.0.1
idmap uid = 15000-20000
idmap gid = 15000-20000
include = /etc/samba/common.conf

Example 4.7. Server: MASSIVE, File: dhcpd.conf
+
Example 4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
# Global parameters

[global]
workgroup = MEGANET
netbios name = MASSIVE
interfaces = eth1, lo
bind interfaces only = Yes
passdb backend = tdbsam
smb ports = 139
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
preferred master = Yes
wins support = Yes
include = /etc/samba/dc-common.conf

[accounts]
comment = Accounting Files
path = /data/accounts
read only = No

[service]
comment = Financial Services Files
path = /data/service
read only = No

[pidata]
comment = Property Insurance Files
path = /data/pidata
read only = No

Example 4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf
# Global parameters

[global]
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = scripts\logon.bat
logon path = \%L\profiles\%U
logon drive = X:
logon home = \%L\%U
domain logons = Yes
preferred master = Yes
include = /etc/samba/common.conf

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

Example 4.3. Common Samba Configuration File: /etc/samba/common.conf

[global]
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
utmp = Yes
map acl inherit = Yes
printing = cups
veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/
include =
# Share and Service Definitions are common to all servers

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = Yes
default devmode = Yes
browseable = No

[apps]
comment = Application Files
path = /apps
admin users = bjordan
read only = No

Example 4.4. Server: BLDG1 (Member), File: smb.conf
# Global parameters

[global]
workgroup = MEGANET
netbios name = BLDG1
include = /etc/samba/dom-mem.conf

Example 4.5. Server: BLDG2 (Member), File: smb.conf
# Global parameters

[global]
workgroup = MEGANET
netbios name = BLDG2
include = /etc/samba/dom-mem.conf

Example 4.6. Common Domain Member Include File: dom-mem.conf
# Global parameters

[global]
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
preferred master = Yes
wins server = 172.16.0.1
idmap uid = 15000-20000
idmap gid = 15000-20000
include = /etc/samba/common.conf

Example 4.7. Server: MASSIVE, File: dhcpd.conf
# Abmas Accounting Inc. default-lease-time 86400; @@ -897,9 +897,9 @@ net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d -

Process Startup Configuration
- - +

Process Startup Configuration
+ + There are two essential steps to process startup configuration. A process must be configured so that it is automatically restarted each time the server is rebooted. This step involves use of the chkconfig tool that @@ -908,7 +908,7 @@ directories. Links are created so that when the system run-level is changed, the necessary start or kill script is run.
- + In the event that a service is provided not as a daemon but via the internetworking super daemon (inetd or xinetd), then the chkconfig tool makes the necessary entries in the /etc/xinetd.d directory @@ -918,10 +918,10 @@ Last, each service must be started to permit system validation to proceed. The following steps are for a Red Hat Linux system, please adapt them to suit the target OS platform on which you are installing Samba. -
Procedure 4.4. Process Startup Configuration Steps
+
Procedure 4.4. Process Startup Configuration Steps
Use the standard system tool to configure each service to restart automatically at every system reboot. For example, - +
root# chkconfig dhpc on root# chkconfig named on @@ -929,10 +929,10 @@ root# chkconfig smb on root# chkconfig swat on
-
- - - +
+ + + Now start each service to permit the system to be validated. Execute each of the following in the sequence shown: @@ -943,70 +943,70 @@ root# service smb restart root# service swat restart
-
Windows Client Configuration
+
Windows Client Configuration
The procedure for desktop client configuration for the network in this chapter is similar to that used for the previous one. There are a few subtle changes that should be noted. -
Procedure 4.5. Windows Client Configuration Steps
+
Procedure 4.5. Windows Client Configuration Steps
Install MS Windows XP Professional. During installation, configure the client to use DHCP for TCP/IP protocol configuration. - - + + DHCP configures all Windows clients to use the WINS Server address that has been defined for the local subnet. -
+
Join the Windows domain MEGANET. Use the domain administrator username root and the SMB password you assigned to this account. A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to a Windows domain is given in “A Collection of Useful Tidbits”, “Joining a Domain: Windows 200x/XP Professional”. Reboot the machine as prompted and then log on using the domain administrator account (root). -
+
Verify that the server called MEGANET is visible in My Network Places, that it is possible to connect to it and see the shares accounts, apps, and finsvcs, and that it is possible to open each share to reveal its contents. -
+
Create a drive mapping to the apps share on a server. At this time, it does not particularly matter which application server is used. It is necessary to manually set a persistent drive mapping to the local applications server on each workstation at the time of installation. This step is avoided by the improvements to the design of the network configuration in the next chapter. -
+
Perform an administrative installation of each application to be used. Select the options that you wish to use. Of course, you choose to run applications over the network, correct? -
+
Now install all applications to be installed locally. Typical tools include Adobe Acrobat, NTP-based time synchronization software, drivers for specific local devices such as fingerprint scanners, and the like. Probably the most significant application to be locally installed is antivirus software. -
+
Now install all four printers onto the staging system. The printers you install include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers, and you also configure use of the identical printers that are located in the financial services department. Install printers on each machine using the following steps: -
Procedure 4.6. Steps to Install Printer Drivers on Windows Clients
+
Procedure 4.6. Steps to Install Printer Drivers on Windows Clients
Click Start → Settings → Printers+Add Printer+Next. Do not click Network printer. Ensure that Local printer is selected. -
+
Click Next. In the Manufacturer: panel, select HP. In the Printers: panel, select the printer called HP LaserJet 6. Click Next. -
+
In the Available ports: panel, select FILE:. Accept the default printer name by clicking - Next. When asked, “Would you like to print a - test page?”, click No. Click + Next. When asked, “Would you like to print a + test page?”, click No. Click Finish. -
+
You may be prompted for the name of a file to print to. If so, close the dialog panel. Right-click HP LaserJet 6 → Properties. -
+
In the Network panel, enter the name of the print queue on the Samba server as follows: \\BLDG1\hplj6a. Click OK+OK to complete the installation. -
+
Repeat the printer installation steps above for both HP LaserJet 6 printers as well as for both QMS Magicolor laser printers. Remember to install all printers but to set the destination port for each to the server on the @@ -1018,69 +1018,69 @@ configuration (as well as the applications server drive mapping) to the server on the network segment on which the workstation is to be located.
-
+
When you are satisfied that the staging systems are complete, use the appropriate procedure to remove the client from the domain. Reboot the system, and then log on as the local administrator and clean out all temporary files stored on the system. Before shutting down, use the disk defragmentation tool so that the file system is in optimal condition before replication. -
+
Boot the workstation using the Norton (Symantec) Ghosting disk (or CD-ROM) and image the machine to a network share on the server. -
+
You may now replicate the image using the appropriate Norton Ghost procedure to the target machines. Make sure to use the procedure that ensures each machine has a unique Windows security identifier (SID). When the installation of the disk image is complete, boot the PC. -
+
Log onto the machine as the local Administrator (the only option), and join the machine to the domain following the procedure set out in “A Collection of Useful Tidbits”, “Joining a Domain: Windows 200x/XP Professional”. You must now set the persistent drive mapping to the applications server that the user is to use. The system is now ready for the user to log on, provided you have created a network logon account for that user, of course. -
+
Instruct all users to log onto the workstation using their assigned username and password. -
Key Points Learned
+
Key Points Learned
The network you have just deployed has been a valuable exercise in forced constraint. You have deployed a network that works well, although you may soon start to see performance problems, at which time the modifications demonstrated in “Making Happy Users” bring the network to life. The following key learning points were experienced: -
+
The power of using smb.conf include files -
+
Use of a single PDC over a routed network -
+
Joining a Samba-3 domain member server to a Samba-3 domain -
+
Configuration of winbind to use domain users and groups for Samba access to resources on the domain member servers -
+
The introduction of roaming profiles -
Questions and Answers
-
+
Questions and Answers
+
The example smb.conf files in this chapter make use of the include facility. How may I get to see what the actual working smb.conf settings are? -
+
Why does the include file common.conf have an empty include statement? -
+
I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend. I tried using rsync to replicate the passdb.tdb, and it seems to work fine! So what is the problem? -
+
You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash? -
+
How does the Windows client find the PDC? -
+
Why did you enable IP forwarding (routing) only on the server called MASSIVE? -
+
You did nothing special to implement roaming profiles. Why? -
+
On the domain member computers, you configured winbind in the /etc/nsswitch.conf file. You did not configure any PAM settings. Is this an omission? -
+
You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this? -
+
The domain controller has an auto-shutdown script. Isn't that dangerous? -
+
The example smb.conf files in this chapter make use of the include facility. How may I get to see what the actual working smb.conf settings are?
@@ -1088,7 +1088,7 @@
root# testparm -s | less
-
+
Why does the include file common.conf have an empty include statement?
The use of the empty include statement nullifies further includes. For example, let's say you @@ -1101,7 +1101,7 @@ If the include parameter was not in the common.conf file, the final smb.conf file leaves the include in place, even though the file it points to has already been included. This is a bug that will be fixed at a future date. -
+
I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend. I tried using rsync to replicate the passdb.tdb, and it seems to work fine! @@ -1111,7 +1111,7 @@ contents between the PDC and BDCs. The most notable symptom is that workstations may not be able to log onto the network following a reboot and may have to rejoin the domain to recover network access capability. -
+
You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server @@ -1120,26 +1120,26 @@
The only exception to this rule is when the client makes a directed request from a specific DHCP server for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash. -
+
How does the Windows client find the PDC?
The Windows client obtains the WINS server address from the DHCP lease information. It also obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast) to register itself with the WINS server and to obtain enumeration of vital network information to enable it to operate successfully. -
+
Why did you enable IP forwarding (routing) only on the server called MASSIVE?
The server called MASSIVE is acting as a router to the Internet. No other server (BLDG1 or BLDG2) has any need for IP forwarding because they are attached only to their own network. Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network segments to the router that is its gateway to them. -
+
You did nothing special to implement roaming profiles. Why?
Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional clients is to use roaming profiles. -
+
On the domain member computers, you configured winbind in the /etc/nsswitch.conf file. You did not configure any PAM settings. Is this an omission?
@@ -1148,7 +1148,7 @@ member servers using Windows networking usernames and passwords, it is necessary to configure PAM to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name service switch (NSS). -
+
You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed @@ -1157,7 +1157,7 @@ of smb.conf include files because SWAT optimizes them out into an aggregated file but leaves in place a broken reference to the top-layer include file. SWAT was not designed to handle this functionality gracefully. -
+
The domain controller has an auto-shutdown script. Isn't that dangerous?
Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/ch14.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/ch14.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/ch14.html 2010-01-14 11:24:24.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/ch14.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,12 +1,12 @@ -Chapter 14. Samba Support
Chapter 14. Samba Support
Prev Part III. Reference Section Next
Chapter 14. Samba Support
Table of Contents
Free Support
Commercial Support
- -One of the most difficult to answer questions in the information technology industry is, “What is -support?”. That question irritates some folks, as much as common answers may annoy others. +Chapter 14. Samba Support
Chapter 14. Samba Support
Prev Part III. Reference Section Next
Chapter 14. Samba Support
Table of Contents
Free Support
Commercial Support
+ +One of the most difficult to answer questions in the information technology industry is, “What is +support?”. That question irritates some folks, as much as common answers may annoy others.
- + The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to an Internet service provider who, instead of listening to the problem to find a solution, blandly replies: -“Oh, Linux? We do not support Linux!”. It has happened to me, and similar situations happen +“Oh, Linux? We do not support Linux!”. It has happened to me, and similar situations happen through-out the IT industry. Answers like that are designed to inform us that there are some customers that a business just does not want to deal with, and well may we feel the anguish of the rejection that is dished out. @@ -15,50 +15,50 @@ at the right time, no matter the situation. Support is all that it takes to take away pain, disruption, inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk.
- - - + + + One of the forces that has become a driving force for the adoption of open source software is the fact that many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or that have been found wanting for other reasons.
- - + + In recognition of the need for needs satisfaction as the primary experience an information technology user or consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience in respect of problem resolution.
- - - + + + In the open source software arena there are two support options: free support and paid-for (commercial) support. -
Free Support
- - - - - - +
Free Support
+ + + + + + Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user supported mutual assistance.
- - - - - + + + + + The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments. Information regarding subscription to the Samba mailing list can be found on the Samba web site. The public mailing list that can be used to obtain free, user contributed, support is called the samba list. The email address for this list is at mail:samba@samba.org. Information regarding the Samba IRC channels may be found on the Samba IRC web page.
- - - - + + + + As a general rule, it is considered poor net behavior to contact a Samba Team member directly for free support. Most active members of the Samba Team work exceptionally long hours to assist users who have demonstrated a qualified problem. Some team members may respond to direct email @@ -66,9 +66,9 @@ Team members actually provide professional paid-for Samba support and it is therefore wise to show appropriate discretion and reservation in all direct contact.
- - - + + + When you stumble across a Samba bug, often the quickest way to get it resolved is by posting a bug report. All such reports are mailed to the responsible code maintainer for action. The better the report, and the more serious it is, @@ -76,16 +76,16 @@ the reported bug it is likely to be rejected. It is up to you to provide sufficient information that will permit the problem to be reproduced.
- + We all recognize that sometimes free support does not provide the answer that is sought within the time-frame required. At other times the problem is elusive and you may lack the experience necessary to isolate the problem and thus to resolve it. This is a situation where is may be prudent to purchase paid-for support. -
Commercial Support
+
Commercial Support
There are six basic support oriented services that are most commonly sought by Samba sites: -
Assistance with network design
Staff Training
Assistance with Samba network deployment and installation
Priority telephone or email Samba configuration assistance
Trouble-shooting and diagnostic assistance
Provision of quality assured ready-to-install Samba binary packages
- - +
Assistance with network design
Staff Training
Assistance with Samba network deployment and installation
Priority telephone or email Samba configuration assistance
Trouble-shooting and diagnostic assistance
Provision of quality assured ready-to-install Samba binary packages
+ + Information regarding companies that provide professional Samba support can be obtained by performing a Google search, as well as by reference to the Samba Support web page. Companies who notify the Samba Team that they provide commercial support are given a free listing that is sorted by the country of origin. @@ -93,13 +93,13 @@ provider and to satisfy yourself that both the company and its staff are able to deliver what is required of them.
- + The policy within the Samba Team is to treat all commercial support providers equally and to show no preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else. You are encouraged to obtain the services needed from a company in your local area. The open source movement is pro-community; so do what you can to help a local business to prosper.
- + Open source software support can be found in any quality, at any price and in any place you can to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for suffering in the mistaken belief that Samba is unsupported software it is supported. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/DMSMig.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/DMSMig.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/DMSMig.html 2010-01-14 11:24:20.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/DMSMig.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,4 +1,4 @@ -Part II. Domain Members, Updating Samba and Migration
Part II. Domain Members, Updating Samba and Migration
Prev Next
Part II. Domain Members, Updating Samba and Migration
Domain Members, Updating Samba and Migration
+Part II. Domain Members, Updating Samba and Migration
Part II. Domain Members, Updating Samba and Migration
Prev Next
Part II. Domain Members, Updating Samba and Migration
Domain Members, Updating Samba and Migration
This section Samba-3 by Example covers two main topics: How to add Samba Domain Member Servers and Samba Domain Member Clients to a Samba domain, the other subject is that of how to migrate from and NT4 Domain, a NetWare server, or from an earlier @@ -7,4 +7,4 @@ Those who are making use of the chapter on Adding UNIX clients and servers running Samba to a Samba or a Windows networking domain may also benefit by referring to the book The Official Samba-3 HOWTO and Reference Guide. -
Table of Contents
7. Adding Domain Member Servers and Clients
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Samba Domain with Samba Domain Member Server Using NSS LDAP
NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
NT4/Samba Domain with Samba Domain Member Server without NSS Support
Active Directory Domain with Samba Domain Member Server
UNIX/Linux Client Domain Member
Key Points Learned
Questions and Answers
8. Updating Samba-3
Introduction
Cautions and Notes
Upgrading from Samba 1.x and 2.x to Samba-3
Samba 1.9.x and 2.x Versions Without LDAP
Applicable to All Samba 2.x to Samba-3 Upgrades
Samba-2.x with LDAP Support
Updating a Samba-3 Installation
Samba-3 to Samba-3 Updates on the Same Server
Migrating Samba-3 to a New Server
Migration of Samba Accounts to Active Directory
9. Migrating NT4 Domain to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
NT4 Migration Using LDAP Backend
NT4 Migration Using tdbsam Backend
Key Points Learned
Questions and Answers
10. Migrating NetWare Server to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
NetWare Migration Using LDAP Backend
Prev Next
Chapter 6. A Distributed 2000-User Network Home Chapter 7. Adding Domain Member Servers and Clients
+
Table of Contents
7. Adding Domain Member Servers and Clients
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Samba Domain with Samba Domain Member Server Using NSS LDAP
NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
NT4/Samba Domain with Samba Domain Member Server without NSS Support
Active Directory Domain with Samba Domain Member Server
UNIX/Linux Client Domain Member
Key Points Learned
Questions and Answers
8. Updating Samba-3
Introduction
Cautions and Notes
Upgrading from Samba 1.x and 2.x to Samba-3
Samba 1.9.x and 2.x Versions Without LDAP
Applicable to All Samba 2.x to Samba-3 Upgrades
Samba-2.x with LDAP Support
Updating a Samba-3 Installation
Samba-3 to Samba-3 Updates on the Same Server
Migrating Samba-3 to a New Server
Migration of Samba Accounts to Active Directory
9. Migrating NT4 Domain to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
NT4 Migration Using LDAP Backend
NT4 Migration Using tdbsam Backend
Key Points Learned
Questions and Answers
10. Migrating NetWare Server to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
NetWare Migration Using LDAP Backend
Prev Next
Chapter 6. A Distributed 2000-User Network Home Chapter 7. Adding Domain Member Servers and Clients
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/DomApps.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/DomApps.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/DomApps.html 2010-01-14 11:24:23.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/DomApps.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,9 +1,9 @@ -Chapter 12. Integrating Additional Services
Chapter 12. Integrating Additional Services
Prev Part III. Reference Section Next
Chapter 12. Integrating Additional Services
Table of Contents
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Removal of Pre-Existing Conflicting RPMs
Key Points Learned
Questions and Answers
- - - - - +Chapter 12. Integrating Additional Services
Chapter 12. Integrating Additional Services
Prev Part III. Reference Section Next
Chapter 12. Integrating Additional Services
Table of Contents
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Removal of Pre-Existing Conflicting RPMs
Key Points Learned
Questions and Answers
+ + + + + You've come a long way now. You have pretty much mastered Samba-3 for most uses it can be put to. Up until now, you have cast Samba-3 in the leading role, and where authentication was required, you have used one or another of @@ -14,7 +14,7 @@ implementing Samba and Samba-supported services in a domain controlled by the latest Windows authentication technologies. Let's get started this is leading edge. -
Introduction
+
Introduction
Abmas has continued its miraculous growth; indeed, nothing seems to be able to stop its diversification into multiple (and seemingly unrelated) fields. Its latest acquisition is Abmas Snack Foods, a big player in the snack-food @@ -30,17 +30,17 @@ You have decided to set the ball rolling by introducing Samba-3 into the network gradually, taking over key services and easing the way to a full migration and, therefore, integration into Abmas's existing business later. -
Assignment Tasks
- - +
Assignment Tasks
+ + You've promised the skeptical Abmas Snack Foods management team that you can show them how Samba can ease itself and other Open Source technologies into their existing infrastructure and deliver sound business advantages. Cost cutting is high on their agenda (a major promise of the acquisition). You have chosen Web proxying and caching as your proving ground.
- - + + Abmas Snack Foods has several thousand users housed at its head office and multiple regional offices, plants, and warehouses. A high proportion of the business's work is done online, so Internet access for most of these @@ -50,9 +50,9 @@ the team soon discovered proxying and caching. In fact, they became one of the earliest commercial users of Microsoft ISA.
- - - + + + The team is not happy with ISA. Because it never lived up to its marketing promises, it underperformed and had reliability problems. You have pounced on the opportunity to show what Open Source can do. The one thing they do like, however, is ISA's @@ -63,30 +63,30 @@
This is a hands-on exercise. You build software applications so that you obtain the functionality Abmas needs. -
Dissection and Discussion
+
Dissection and Discussion
The key requirements in this business example are straightforward. You are not required to do anything new, just to replicate an existing system, not lose any existing features, and improve performance. The key points are: -
+
Internet access for most employees -
+
Distributed system to accommodate load and geographical distribution of users -
+
Seamless and transparent interoperability with the existing Active Directory domain -
Technical Issues
- - - - - - - - - - - - - +
Technical Issues
+ + + + + + + + + + + + + Functionally, the user's Internet Explorer requests a browsing session with the Squid proxy, for which it offers its AD authentication token. Squid hands off the authentication request to the Samba-3 authentication helper application @@ -99,79 +99,79 @@ This process is entirely transparent and seamless to the user.
Enabling this consists of: -
+
Preparing the necessary environment using preconfigured packages -
+
Setting up raw Kerberos authentication against the Active Directory domain -
+
Configuring, compiling, and then installing the supporting Samba-3 components -
+
Tying it all together -
Political Issues
+
Political Issues
You are a stranger in a strange land, and all eyes are upon you. Some would even like to see you fail. For you to gain the trust of your newly acquired IT people, it is essential that your solution does everything the old one did, but does it better in every way. Only then will the entrenched positions consider taking up your new way of doing things on a wider scale. -
Implementation
- +
Implementation
+ First, your system needs to be prepared and in a known good state to proceed. This consists of making sure that everything the system depends on is present and that everything that could interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 packages and updating them if necessary. If conflicting packages of these programs are installed, they must be removed.
- + The following packages should be available on your Red Hat Linux system: -
- - +
+ + krb5-libs -
+
krb5-devel -
+
krb5-workstation -
+
krb5-server -
+
pam_krb5
- + In the case of SUSE Linux, these packages are called: -
+
heimdal-lib -
+
heimdal-devel -
- +
+ heimdal -
+
pam_krb5
If the required packages are not present on your system, you must install them from the vendor's installation media. Follow the administrative guide for your Linux system to ensure that the packages are correctly updated. -
Note
- - - +
Note
+ + + If the requirement is for interoperation with MS Windows Server 2003, it will be necessary to ensure that you are using MIT Kerberos version 1.3.1 or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires updating.
- - + + Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version. -
Removal of Pre-Existing Conflicting RPMs
- +
Removal of Pre-Existing Conflicting RPMs
+ If Samba and/or Squid RPMs are installed, they should be updated. You can build both from source.
- - - + + + Locating the packages to be un-installed can be achieved by running:
root# rpm -qa | grep -i samba @@ -181,11 +181,11 @@
root# rpm -e samba-common
-
Kerberos Configuration
- - - - +
Kerberos Configuration
+ + + + The systems Kerberos installation must be configured to communicate with your primary Active Directory server (ADS KDC).
@@ -193,13 +193,13 @@ although the current default Red Hat MIT version 1.2.7 gives acceptable results unless you are using Windows 2003 servers.
- - - - - - - + + + + + + + Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an /etc/krb5.conf file in order to work correctly. All ADS domains automatically create SRV records in the DNS zone Kerberos.REALM.NAME for each KDC in the realm. Since both @@ -207,30 +207,30 @@ automatically find the KDCs. In addition, krb5.conf allows specifying only a single KDC, even if there is more than one. Using the DNS lookup allows the KRB5 libraries to use whichever KDCs are available. -
Procedure 12.1. Kerberos Configuration Steps
- +
Procedure 12.1. Kerberos Configuration Steps
+ If you find the need to manually configure the krb5.conf, you should edit it to have the contents shown in “Kerberos Configuration File: /etc/krb5.conf”. The final fully qualified path for this file should be /etc/krb5.conf. -
- - - - - - - - - - - - - +
+ + + + + + + + + + + + + The following gotchas often catch people out. Kerberos is case sensitive. Your realm must - be in UPPERCASE, or you will get an error: “Cannot find KDC for requested realm while getting - initial credentials”. Kerberos is picky about time synchronization. The time + be in UPPERCASE, or you will get an error: “Cannot find KDC for requested realm while getting + initial credentials”. Kerberos is picky about time synchronization. The time according to your participating servers must be within 5 minutes or you get an error: - “kinit(v5): Clock skew too great while getting initial credentials”. + “kinit(v5): Clock skew too great while getting initial credentials”. Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is 5 minutes). A better solution is to implement NTP throughout your server network. Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC. @@ -240,8 +240,8 @@ /etc/hosts entry mapping the IP address of your KDC to its NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error when you try to join the realm. -
- +
+ You are now ready to test your installation by issuing the command:
root# kinit [USERNAME@REALM] @@ -261,57 +261,57 @@ LONDON.ABMAS.BIZ = { kdc = w2k3s.london.abmas.biz } -

+

The command
root# klist -e
shows the Kerberos tickets cached by the system. -
Samba Configuration
- +
Samba Configuration
+ Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it has the necessary components to interface with Active Directory. -
Procedure 12.2. Securing Samba-3 With ADS Support Steps
- - - - - +
Procedure 12.2. Securing Samba-3 With ADS Support Steps
+ + + + + Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team FTP site. The official Samba Team RPMs for Red Hat Fedora Linux contain the ntlm_auth tool needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
- - + + The necessary, validated RPM packages for SUSE Linux may be obtained from the SerNet FTP site that is located in Germany. All SerNet RPMs are validated, have the necessary ntlm_auth tool, and are statically linked against suitably patched Heimdal 0.6 libraries. -
+
Using your favorite editor, change the /etc/samba/smb.conf file so it has contents similar to the example shown in “Samba Configuration File: /etc/samba/smb.conf”. -
- - - i - - +
+ + + i + + Next you need to create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. - This is done with the “net ads join -U [Administrator%Password]” + This is done with the “net ads join -U [Administrator%Password]” command, as follows:
root# net ads join -U administrator%vulcon
-
- - - - - +
+ + + + + Your new Samba binaries must be started in the standard manner as is applicable to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
@@ -319,12 +319,12 @@ root# nmbd -D root# winbindd -D
-
- - - - - +
+ + + + + We now need to test that Samba is communicating with the Active Directory domain; most specifically, we want to see whether winbind is enumerating users and groups. Issue the following commands: @@ -356,9 +356,9 @@ LONDON+DnsUpdateProxy
This enumerates all the groups in your Active Directory tree. -
- - +
+ + Squid uses the ntlm_auth helper build with Samba-3. You may test ntlm_auth with the command:
@@ -369,20 +369,20 @@
root# NT_STATUS_OK: Success (0x0)
-
- - - - - - - - +
+ + + + + + + + The ntlm_auth helper, when run from a command line as the user - “root”, authenticates against your Active Directory domain (with + “root”, authenticates against your Active Directory domain (with the aid of winbind). It manages this by reading from the winbind privileged pipe. - Squid is running with the permissions of user “squid” and group - “squid” and is not able to do this unless we make a vital change. + Squid is running with the permissions of user “squid” and group + “squid” and is not able to do this unless we make a vital change. Squid cannot read from the winbind privilege pipe unless you change the permissions of its directory. This is the single biggest cause of failure in the whole process. Remember to issue the following command (for Red Hat Linux): @@ -395,77 +395,77 @@ root# chgrp squid /var/lib/samba/winbindd_privileged root# chmod 750 /var/lib/samba/winbindd_privileged
-
NSS Configuration
- - - +
NSS Configuration
+ + + For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
Edit your /etc/nsswitch.conf file so it has the parameters shown in “NSS Configuration File Extract File: /etc/nsswitch.conf”. -
Example 12.2. Samba Configuration File: /etc/samba/smb.conf

[global]
workgroup = LONDON
netbios name = W2K3S
realm = LONDON.ABMAS.BIZ
security = ads
encrypt passwords = yes
password server = w2k3s.london.abmas.biz
# separate domain and username with '/', like DOMAIN/username
winbind separator = /
# use UIDs from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use GIDs from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind user default domain = yes

Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf
+
Example 12.2. Samba Configuration File: /etc/samba/smb.conf

[global]
workgroup = LONDON
netbios name = W2K3S
realm = LONDON.ABMAS.BIZ
security = ads
encrypt passwords = yes
password server = w2k3s.london.abmas.biz
# separate domain and username with '/', like DOMAIN/username
winbind separator = /
# use UIDs from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use GIDs from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind user default domain = yes

Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf
passwd: files winbind shadow: files group: files winbind -

Squid Configuration
- - +

Squid Configuration
+ + Squid must be configured correctly to interact with the Samba-3 components that handle Active Directory authentication. -
Configuration
Procedure 12.3. Squid Configuration Steps
- - - +
Configuration
Procedure 12.3. Squid Configuration Steps
+ + + If your Linux distribution is SUSE Linux 9, the version of Squid supplied is already enabled to use the winbind helper agent. You can therefore omit the steps that would build the Squid binary programs. -
- - - - - +
+ + + + + Squid, by default, runs as the user nobody. You need to add a system user squid and a system group squid if they are not set up already (if the default Red Hat squid rpms were installed, they will be). Set up a squid user in /etc/passwd and a squid group in /etc/group if these aren't there already. -
- - +
+ + You now need to change the permissions on Squid's var directory. Enter the following command:
root# chown -R squid /var/cache/squid
-
- - +
+ + Squid must also have control over its logging. Enter the following commands:
root# chown -R chown squid:squid /var/log/squid root# chmod 770 /var/log/squid
-
+
Finally, Squid must be able to write to its disk cache! Enter the following commands:
root# chown -R chown squid:squid /var/cache/squid root# chmod 770 /var/cache/squid
-
- +
+ The /etc/squid/squid.conf file must be edited to include the lines from “Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]” and “Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]”. -
- +
+ You must create Squid's cache directories before it may be run. Enter the following command:
root# squid -z
-
+
Finally, start Squid and enjoy transparent Active Directory authentication. Enter the following command:
@@ -487,23 +487,23 @@ auth_param basic credentialsttl 2 hours acl AuthorizedUsers proxy_auth REQUIRED http_access allow all AuthorizedUsers -

Key Points Learned
- - - - - +

Key Points Learned
+ + + + + Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft Windows clients use, even when accessing traditional services such as Web browsers. Depending on whom you discuss this with, this is either good or bad. No matter how you might evaluate this, the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over the cookie-based authentication regime used by all competing browsers. It is Samba's implementation of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter. -
Questions and Answers
- - - - +
Questions and Answers
+ + + + The development of the ntlm_auth module was first discussed in many Open Source circles in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of ntlm_auth during one of the late developer meetings that took place. Since that time, the @@ -515,41 +515,41 @@ wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following comments were made with respect to questions regarding the performance of this installation:
- [In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The “almost” + [In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The “almost” part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory. Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk. -
+
What does Samba have to do with Web proxy serving? -
+
What other services does Samba provide? -
+
Does use of Samba (ntlm_auth) improve the performance of Squid? -
+
What does Samba have to do with Web proxy serving?
- - - - - + + + + + To provide transparent interoperability between Windows clients and the network services that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit of Open Source software is that it can readily be reused. The current ntlm_auth module is basically a wrapper around authentication code from the core of the Samba project.
- - - - - - - - - + + + + + + + + + The ntlm_auth module supports basic plain-text authentication and NTLMSSP protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without the user being interrupted via his or her Windows logon credentials. This facility is available with @@ -557,36 +557,36 @@ There are a few open source initiatives to provide support for these protocols in the Apache Web server also.
- + The short answer is that by adding a wrapper around key authentication components of Samba, other projects (like Squid) can benefit from the labors expended in meeting user interoperability needs. -
+
What other services does Samba provide?
- - - - - + + + + + Samba-3 is a file and print server. The core components that provide this functionality are smbd, nmbd, and the identity resolver daemon, winbindd.
- - + + Samba-3 is an SMB/CIFS client. The core component that provides this is called smbclient.
- - - - - + + + + + Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities. Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial server products). -
+
Does use of Samba (ntlm_auth) improve the performance of Squid?
Not really. Samba's ntlm_auth module handles only authentication. It requires that diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/ExNetworks.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/ExNetworks.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/ExNetworks.html 2010-01-14 11:24:12.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/ExNetworks.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,4 +1,4 @@ -Part I. Example Network Configurations
Part I. Example Network Configurations
Prev Next
Part I. Example Network Configurations
Example Network Configurations
+Part I. Example Network Configurations
Part I. Example Network Configurations
Prev Next
Part I. Example Network Configurations
Example Network Configurations
This section of Samba-3 by Example provides example network configurations that can be copied, or modified as needed, and deployed as-is. The contents have been marginally updated to reflect changes made in Samba=3.0.23. @@ -20,4 +20,4 @@ commercial support options may be obtained from the commercial support pages from the Samba web site. -
Table of Contents
1. No-Frills Samba Servers
Introduction
Assignment Tasks
Drafting Office
Charity Administration Office
Accounting Office
Questions and Answers
2. Small Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Validation
Notebook Computers: A Special Case
Key Points Learned
Questions and Answers
3. Secure Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Basic System Configuration
Samba Configuration
Configuration of DHCP and DNS Servers
Printer Configuration
Process Startup Configuration
Validation
Application Share Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
4. The 500-User Office
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server-Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
5. Making Happy Users
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Checklist
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning User Rights and Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
6. A Distributed 2000-User Network
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Key Points Learned
Questions and Answers
Prev Next
Preface Home Chapter 1. No-Frills Samba Servers
+
Table of Contents
1. No-Frills Samba Servers
Introduction
Assignment Tasks
Drafting Office
Charity Administration Office
Accounting Office
Questions and Answers
2. Small Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Validation
Notebook Computers: A Special Case
Key Points Learned
Questions and Answers
3. Secure Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Basic System Configuration
Samba Configuration
Configuration of DHCP and DNS Servers
Printer Configuration
Process Startup Configuration
Validation
Application Share Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
4. The 500-User Office
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server-Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
5. Making Happy Users
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Checklist
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning User Rights and Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
6. A Distributed 2000-User Network
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Key Points Learned
Questions and Answers
Prev Next
Preface Home Chapter 1. No-Frills Samba Servers
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/go01.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/go01.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/go01.html 2010-01-14 11:24:30.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/go01.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,4 +1,4 @@ -Glossary
Glossary
Prev Next
Glossary
Access Control List
+Glossary
Glossary
Prev Next
Glossary
Access Control List
A detailed list of permissions granted to users or groups with respect to file and network resource access.
Active Directory Service
@@ -11,7 +11,7 @@ the Internet hype in the 1990s. At about the time that the SMB protocol was renamed to CIFS, an additional dialect of the SMB protocol was in development. The need for the deployment of the NetBIOS layer was also removed, thus paving the way for use of the SMB - protocol natively over TCP/IP (known as NetBIOS-less SMB or “naked” TCP + protocol natively over TCP/IP (known as NetBIOS-less SMB or “naked” TCP transport).
Common UNIX Printing System
A recent implementation of a high-capability printing system for UNIX developed by @@ -96,8 +96,8 @@ DER refers to Distinguished Encoding Rules. These are a set of common rules for creating binary encodings in a platform-independent manner. Samba has support for SPNEGO.
The Official Samba-3 HOWTO and Reference Guide, Second Edition
- This book makes repeated reference to “The Official Samba-3 HOWTO and Reference Guide, Second - Edition” by John H. Terpstra and Jelmer R. Vernooij. This publication is available from + This book makes repeated reference to “The Official Samba-3 HOWTO and Reference Guide, Second + Edition” by John H. Terpstra and Jelmer R. Vernooij. This publication is available from Amazon.com. Publisher: Prentice Hall PTR (August 2005), ISBN: 013122282.
User IDentifier
@@ -111,5 +111,5 @@ freely available for UNIX/Linux and Microsoft Windows systems from the Wireshark Web site.
Prev Next
Appendix A. - GNU General Public License version 3 + GNU General Public License version 3 Home Index
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/HA.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/HA.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/HA.html 2010-01-14 11:24:24.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/HA.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,7 +1,7 @@ -Chapter 13. Performance, Reliability, and Availability
Chapter 13. Performance, Reliability, and Availability
Prev Part III. Reference Section Next
Chapter 13. Performance, Reliability, and Availability
Table of Contents
Introduction
Dissection and Discussion
Guidelines for Reliable Samba Operation
Name Resolution
Samba Configuration
Use and Location of BDCs
Use One Consistent Version of MS Windows Client
For Scalability, Use SAN-Based Storage on Samba Servers
Distribute Network Load with MSDFS
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
Hardware Problems
Large Directories
Key Points Learned
- - - +Chapter 13. Performance, Reliability, and Availability
Chapter 13. Performance, Reliability, and Availability
Prev Part III. Reference Section Next
Chapter 13. Performance, Reliability, and Availability
Table of Contents
Introduction
Dissection and Discussion
Guidelines for Reliable Samba Operation
Name Resolution
Samba Configuration
Use and Location of BDCs
Use One Consistent Version of MS Windows Client
For Scalability, Use SAN-Based Storage on Samba Servers
Distribute Network Load with MSDFS
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
Hardware Problems
Large Directories
Key Points Learned
+ + + Well, you have reached one of the last chapters of this book. It is customary to attempt to wrap up the theme and contents of a book in what is generally regarded as the chapter that should draw conclusions. This book is a suspense thriller, and since @@ -10,8 +10,8 @@ regarding some of the things everyone can do to deliver a reliable Samba-3 network.

In a world so full of noise, how can the sparrow be heard? -

--Anonymous
Introduction
- +

--Anonymous
Introduction
+ The sparrow is a small bird whose sounds are drowned out by the noise of the busy world it lives in. Likewise, the simple steps that can be taken to improve the reliability and availability of a Samba network are often drowned out by the volume @@ -20,22 +20,22 @@ itself to discussion of clustering because each clustering methodology uses its own custom tools and methods. Only passing comments are offered concerning these methods.
- - - + + + A search - for “samba cluster” produced 71,600 hits. And a search for “highly available samba” - and “highly available windows” produced an amazing number of references. + for “samba cluster” produced 71,600 hits. And a search for “highly available samba” + and “highly available windows” produced an amazing number of references. It is clear from the resources on the Internet that Windows file and print services availability, reliability, and scalability are of vital interest to corporate network users.
- + So without further background, you can review a checklist of simple steps that can be taken to ensure acceptable network performance while keeping costs of ownership well under control. -
Dissection and Discussion
- - +
Dissection and Discussion
+ + If it is your purpose to get the best mileage out of your Samba servers, there is one rule that must be obeyed. If you want the best, keep your implementation as simple as possible. You may well be forced to introduce some complexities, but you should do so only as a last resort. @@ -44,8 +44,8 @@ make life easier for your successor. Simple implementations can be more readily audited than can complex ones.
- - + + Problems reported by users fall into three categories: configurations that do not work, those that have broken behavior, and poor performance. The term broken behavior means that the function of a particular Samba component appears to work sometimes, but not at @@ -54,12 +54,12 @@ list of Windows machines in MS Explorer changes, sometimes listing machines that are running and at other times not listing them even though the machines are in use on the network.
- - - - - - + + + + + + A significant number of reports concern problems with the smbfs file system driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that smbfs is part of Samba, simply because Samba includes the front-end tools @@ -70,32 +70,32 @@ common infrastructure with some Samba components, but they are not maintained as part of Samba and are really foreign to it.
- + The new project, cifsfs, is destined to replace smbfs. It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in this project.
Table 13.1 lists typical causes of: -
Not Working (NW)
Broken Behavior (BB)
Poor Performance (PP)
Table 13.1. Effect of Common Problems
Problem
NW
BB
PP
File locking
-
X
-
Hardware problems
X
X
X
Incorrect authentication
X
X
-
Incorrect configuration
X
X
X
LDAP problems
X
X
-
Name resolution
X
X
X
Printing problems
X
X
-
Slow file transfer
-
-
X
Winbind problems
X
X
-

- +
Not Working (NW)
Broken Behavior (BB)
Poor Performance (PP)
Table 13.1. Effect of Common Problems
Problem
NW
BB
PP
File locking
-
X
-
Hardware problems
X
X
X
Incorrect authentication
X
X
-
Incorrect configuration
X
X
X
LDAP problems
X
X
-
Name resolution
X
X
X
Printing problems
X
X
-
Slow file transfer
-
-
X
Winbind problems
X
X
-

+ It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate problems that affect basic network operation. This book has provided sufficient working examples to help you to avoid all these problems. -
Guidelines for Reliable Samba Operation
- - +
Guidelines for Reliable Samba Operation
+ + Your objective is to provide a network that works correctly, can grow at all times, is resilient at times of extreme demand, and can scale to meet future needs. The following subject areas provide pointers that can help you today. -
Name Resolution
+
Name Resolution
There are three basic current problem areas: bad hostnames, routed networks, and network collisions. These are covered in the following discussion. -
Bad Hostnames
- - - - - +
Bad Hostnames
+ + + + + When configured as a DHCP client, a number of Linux distributions set the system hostname to localhost. If the parameter netbios name is not specified to something other than localhost, the Samba server appears @@ -107,13 +107,13 @@ the local Windows machine itself. Hostnames must be valid for Windows networking to function correctly.
- + A few sites have tried to name Windows clients and Samba servers with a name that begins with the digits 1-9. This does not work either because it may result in the client or server attempting to use that name as an IP address.
- - + + A Samba server called FRED in a NetBIOS domain called COLLISION in a network environment that is part of the fully-qualified Internet domain namespace known as parrots.com, results in DNS name lookups for fred.parrots.com @@ -121,50 +121,50 @@ (workgroup) collision.parrots.com, since this results in DNS lookup attempts to resolve fred.parrots.com.parrots.com, which most likely fails given that you probably do not have this in your DNS namespace. -
Note
- - - +
Note
+ + + An Active Directory realm called collision.parrots.com is perfectly okay, although it too must be capable of being resolved via DNS, something that functions correctly if Windows 200x ADS has been properly installed and configured. -
Routed Networks
- - - +
Routed Networks
+ + + NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use of UDP-based broadcast traffic, as you saw during the exercises in “Networking Primer”.
- - - + + + UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based networking cannot function across routed networks (i.e., multi-subnet networks) unless special provisions are made: -
- - - +
+ + + Either install on every Windows client an LMHOSTS file (located in the directory C:\windows\system32\drivers\etc). It is also necessary to add to the Samba server smb.conf file the parameters remote announce and remote browse sync. For more information, refer to the online manual page for the smb.conf file. -
- +
+ Or configure Samba as a WINS server, and configure all network clients to use that WINS server in their TCP/IP configuration. -
Note
- - +
Note
+ + The use of DNS is not an acceptable substitute for WINS. DNS does not store specific information regarding NetBIOS networking particulars that get stored in the WINS name resolution database and that Windows clients require and depend on. -
Network Collisions
- - - - +
Network Collisions
+ + + + Excessive network activity causes NetBIOS network timeouts. Timeouts may result in blue screen of death (BSOD) experiences. High collision rates may be caused by excessive UDP broadcast activity, by defective networking hardware, or through excessive network @@ -173,9 +173,9 @@ The use of WINS is highly recommended to reduce network broadcast traffic, as outlined in “Networking Primer”.
- - - + + + Under no circumstances should the facility be supported by many routers, known as NetBIOS forwarding, unless you know exactly what you are doing. Inappropriate use of this facility can result in UDP broadcast storms. In one case in 1999, a university network became @@ -183,13 +183,13 @@ testing of a Samba server. The maximum throughput on a 100-Base-T (100 MB/sec) network was less than 15 KB/sec. After the NetBIOS forwarding was turned off, file transfer performance immediately returned to 11 MB/sec. -
Samba Configuration
+
Samba Configuration
As a general rule, the contents of the smb.conf file should be kept as simple as possible. No parameter should be specified unless you know it is essential to operation.
- - - + + + Many UNIX administrators like to fully document the settings in the smb.conf file. This is a bad idea because it adds content to the file. The smb.conf file is re-read by every smbd process every time the file timestamp changes (or, on systems where this does not work, every 20 seconds or so). @@ -197,7 +197,7 @@ As the size of the smb.conf file grows, the risk of introducing parsing errors also increases. It is recommended to keep a fully documented smb.conf file on hand, and then to operate Samba only with an optimized file. -
+
The preferred way to maintain a documented file is to call it something like smb.conf.master. You can generate the optimized file by executing:
@@ -223,7 +223,7 @@ Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions
- + You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C. The important thing to note is the noted Server role, as well as warning messages. Noted configuration conflicts must be remedied before proceeding. For example, the following error message represents a @@ -233,28 +233,28 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.

- - - + + + There are two parameters that can cause severe network performance degradation: socket options and socket address. The socket options parameter was often necessary when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from this parameter being set. Do not use either parameter unless it has been proven necessary to use them.
- - - - + + + + Another smb.conf parameter that may cause severe network performance degradation is the strict sync parameter. Do not use this at all. There is no good reason to use this with any modern Windows client. The strict sync is often used with the sync always parameter. This, too, can severely degrade network performance, so do not set it; if you must, do so with caution.
- - - - + + + + Finally, many network administrators deliberately disable opportunistic locking support. While this does not degrade Samba performance, it significantly degrades Windows client performance because this disables local file caching on Windows clients and forces every file read and written to @@ -262,12 +262,12 @@ support, do so only on the share on which it is required. That way, all other shares can provide oplock support for operations that are tolerant of it. See “Shared Data Integrity” for more information. -
Use and Location of BDCs
- - - - - +
Use and Location of BDCs
+ + + + + On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of authentication and logon processing. When a sole BDC on a routed network segment gets heavily @@ -275,13 +275,13 @@ to a BDC on a distant network segment. This significantly hinders WAN operations and is undesirable.
- - + + As a general guide, instead of adding domain member servers to a network, you would be better advised to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add domain member servers. This practice ensures that there are always sufficient domain controllers to handle logon requests and authentication traffic. -
Use One Consistent Version of MS Windows Client
+
Use One Consistent Version of MS Windows Client
Every network client has its own peculiarities. From a management perspective, it is easier to deal with one version of MS Windows that is maintained to a consistent update level than it is to deal with a mixture of clients. @@ -289,61 +289,61 @@ On a number of occasions, particular Microsoft service pack updates of a Windows server or client have necessitated special handling from the Samba server end. If you want to remain sane, keep you client workstation configurations consistent. -
For Scalability, Use SAN-Based Storage on Samba Servers
- - +
For Scalability, Use SAN-Based Storage on Samba Servers
+ + Many SAN-based storage systems permit more than one server to share a common data store. Use of a shared SAN data store means that you do not need to use time- and resource-hungry data synchronization techniques.
- - + + The use of a collection of relatively low-cost front-end Samba servers that are coupled to a shared backend SAN data store permits load distribution while containing costs below that of installing and managing a complex clustering facility. -
Distribute Network Load with MSDFS
- - +
Distribute Network Load with MSDFS
+ + Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits data to be accessed from a single share and yet to actually be distributed across multiple actual servers. Refer to TOSHARG2, Chapter 19, for information regarding implementation of an MSDFS installation.
- - + + The combination of multiple backend servers together with a front-end server and use of MSDFS can achieve almost the same as you would obtain with a clustered Samba server. -
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
- - - +
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
+ + + Consider using rsync to replicate data across the WAN during times of low utilization. Users can then access the replicated data store rather than needing to do so across the WAN. This works best for read-only data, but with careful planning can be implemented so that modified files get replicated back to the point of origin. Be careful with your implementation if you choose to permit modification and return replication of the modified file; otherwise, you may inadvertently overwrite important data. -
Hardware Problems
- - - - - - +
Hardware Problems
+ + + + + + Networking hardware prices have fallen sharply over the past 5 years. A surprising number of Samba networking problems over this time have been traced to defective network interface cards (NICs) or defective HUBs, switches, and cables.
- + Not surprising is the fact that network administrators do not like to be shown to have made a bad decision. Money saved in buying low-cost hardware may result in high costs incurred in corrective action.
- - - - - + + + + + Defective NICs, HUBs, and switches may appear as intermittent network access problems, intermittent or persistent data corruption, slow network throughput, low performance, or even as BSOD problems with MS Windows clients. In one case, a company updated several workstations with newer, faster @@ -352,14 +352,14 @@
Defective hardware problems may take patience and persistence before the real cause can be discovered.
- + Networking hardware defects can significantly impact perceived Samba performance, but defective RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server operations. One business came to this realization only after replacing a Samba installation with MS Windows Server 2000 running on the same hardware. The root of the problem completely eluded the network administrator until the entire server was replaced. While you may well think that this would never happen to you, experience shows that given the right (unfortunate) circumstances, this can happen to anyone. -
Large Directories
+
Large Directories
There exist applications that create or manage directories containing many thousands of files. Such applications typically generate many small files (less than 100 KB). At the best of times, under UNIX, listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x, @@ -399,7 +399,7 @@ All files and directories under the path directory must be in the same case as specified in the smb.conf stanza. This means that smbd will not be able to find lower case filenames with these settings. Note, this is done on a per-share basis. -
Key Points Learned
+
Key Points Learned
This chapter has touched in broad sweeps on a number of simple steps that can be taken to ensure that your Samba network is resilient, scalable, and reliable, and that it performs well. @@ -408,7 +408,7 @@ In the long term, that may not be you. Spare a thought for your successor and give him or her an even break.
- + Last, but not least, you should not only keep the network design simple, but also be sure it is well documented. This book may serve as your pattern for documenting every aspect of your design, its implementation, and particularly the objects and assumptions diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/happy.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/happy.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/happy.html 2010-01-14 11:24:10.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/happy.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,12 +1,12 @@ -Chapter 5. Making Happy Users
Chapter 5. Making Happy Users
Prev Part I. Example Network Configurations Next
Chapter 5. Making Happy Users
Table of Contents
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Checklist
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning User Rights and Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
- It is said that “a day that is without troubles is not fulfilling. Rather, give - me a day of troubles well handled so that I can be content with my achievements.” +Chapter 5. Making Happy Users
Chapter 5. Making Happy Users
Prev Part I. Example Network Configurations Next
Chapter 5. Making Happy Users
Table of Contents
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Checklist
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning User Rights and Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
+ It is said that “a day that is without troubles is not fulfilling. Rather, give + me a day of troubles well handled so that I can be content with my achievements.”
In the world of computer networks, problems are as varied as the people who create them or experience them. The design of the network implemented in “The 500-User Office” may create problems for some network users. The following lists some of the problems that may occur: -
Caution
+
Caution
A significant number of network administrators have responded to the guidance given here. It should be noted that there are sites that have a single PDC for many hundreds of concurrent network clients. Network bandwidth, network bandwidth utilization, and server load @@ -19,8 +19,8 @@ overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows clients is conservative and if followed will minimize problems but it is not absolute.
Users experiencing difficulty logging onto the network
- - + + When a Windows client logs onto the network, many data packets are exchanged between the client and the server that is providing the network logon services. Each request between the client and the server must complete within a specific @@ -30,9 +30,9 @@ 30 to 150 clients. The actual limits are determined by network operational characteristics.
- - - + + + If the domain controller provides only network logon services and all file and print activity is handled by domain member servers, one domain controller per 150 clients on a single network segment may suffice. In any @@ -46,42 +46,42 @@ that can be supported is limited by the CPU speed, memory and the workload on the Samba server as well as network bandwidth utilization.
Slow logons and log-offs
- + Slow logons and log-offs may be caused by many factors that include: -
- - +
+ + Excessive delays in the resolution of a NetBIOS name to its IP address. This may be observed when an overloaded domain controller is also the WINS server. Another cause may be the failure to use a WINS server (this assumes that there is a single network segment). -
- - - +
+ + + Network traffic collisions due to overloading of the network segment. One short-term workaround to this may be to replace network HUBs with Ethernet switches. -
- +
+ Defective networking hardware. Over the past few years, we have seen on the Samba mailing list a significant increase in the number of problems that were traced to a defective network interface controller, a defective HUB or Ethernet switch, or defective cabling. In most cases, it was the erratic nature of the problem that ultimately pointed to the cause of the problem. -
- - +
+ + Excessively large roaming profiles. This type of problem is typically the result of poor user education as well as poor network management. It can be avoided by users not storing huge quantities of email in MS Outlook PST files as well as by not storing files on the desktop. These are old bad habits that require much discipline and vigilance on the part of network management. -
- +
+ You should verify that the Windows XP WebClient service is not running. The use of the WebClient service has been implicated in many Windows networking-related problems. @@ -89,27 +89,27 @@
Loss of access to network drives and printer resources
Loss of access to network resources during client operation may be caused by a number of factors, including: -
- +
+ Network overload (typically indicated by a high network collision rate) -
+
Server overload -
- +
+ Timeout causing the client to close a connection that is in use but has been latent (no traffic) for some time (5 minutes or more) -
- +
+ Defective networking hardware
- + No matter what the cause, a sudden loss of access to network resources can result in BSOD (blue screen of death) situations that necessitate rebooting of the client workstation. In the case of a mild problem, retrying to access the network drive of the printer may restore operations, but in any case this is a serious problem that may lead to the next problem, data corruption.
Potential data corruption
- + Data corruption is one of the most serious problems. It leads to uncertainty, anger, and frustration, and generally precipitates immediate corrective demands. Management response to this type of problem may be rational, as well as highly irrational. There have been @@ -123,48 +123,48 @@ anticipate and combat network performance issues. You can work through complex and thorny methods to improve the reliability of your network environment, but be warned that all such steps demand the price of complexity. -
Regarding LDAP Directories and Windows Computer Accounts
- +
Regarding LDAP Directories and Windows Computer Accounts
+ Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some constraints that are described in this section.
- - - - + + + + The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba. That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats them. A user account and a machine account are indistinguishable from each other, except that the machine account ends in a $ character, as do trust accounts.
- - + + The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID is a design decision that was made a long way back in the history of Samba development. It is unlikely that this decision will be reversed or changed during the remaining life of the Samba-3.x series.
- - + + The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that must refer back to the host operating system on which Samba is running. The name service switch (NSS) is the preferred mechanism that shields applications (like Samba) from the need to know everything about every host OS it runs on.
- Samba asks the host OS to provide a UID via the “passwd”, “shadow” - and “group” facilities in the NSS control (configuration) file. The best tool + Samba asks the host OS to provide a UID via the “passwd”, “shadow” + and “group” facilities in the NSS control (configuration) file. The best tool for achieving this is left up to the UNIX administrator to determine. It is not imposed by Samba. Samba provides winbindd together with its support libraries as one method. It is possible to do this via LDAP, and for that Samba provides the appropriate hooks so that all account entities can be located in an LDAP directory.
- + For many the weapon of choice is to use the PADL nss_ldap utility. This utility must be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That is fundamentally an LDAP design question. The information provided on the Samba list and in the documentation is directed at providing working examples only. The design of an LDAP directory is a complex subject that is beyond the scope of this documentation. -
Introduction
+
Introduction
You just opened an email from Christine that reads:
Good morning, @@ -193,8 +193,8 @@ regain control of our vital IT operations.

--Christine

- - + + Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a single domain controller is a poor design that has obvious operational effects that may frustrate users. Here is your reply: @@ -204,56 +204,56 @@ boost staff morale. Please go ahead with your plans. If you have any problems, please let me know. Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait for approval; I appreciate the urgency. -

--Bob
Assignment Tasks
+

--Bob
Assignment Tasks
The priority of assigned tasks in this chapter is: -
- - - - +
+ + + + Implement Backup Domain Controllers (BDCs) in each building. This involves a change from a tdbsam backend that was used in the previous chapter to an LDAP-based backend.
You can implement a single central LDAP server for this purpose. -
- - - - +
+ + + + Rectify the problem of excessive logon times. This involves redirection of folders to network shares as well as modification of all user desktops to exclude the redirected folders from being loaded at login time. You can also create a new default profile that can be used for all new users.
- + You configure a new MS Windows XP Professional workstation disk image that you roll out to all desktop users. The instructions you have created are followed on a staging machine from which all changes can be carefully tested before inflicting them on your network users.
- + This is the last network example in which specific mention of printing is made. The example again makes use of the CUPS printing system. -
Dissection and Discussion
- - - +
Dissection and Discussion
+ + + The implementation of Samba BDCs necessitates the installation and configuration of LDAP. For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial LDAP servers in current use with Samba-3 include: -
- +
+ Novell eDirectory is being successfully used by some sites. Information on how to use eDirectory can be obtained from the Samba mailing lists or from Novell. -
- +
+ IBM Tivoli Directory Server can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba source code tarball under the directory ~samba/example/LDAP. -
- +
+ Sun ONE Identity Server product suite provides an LDAP server that can be used for Samba. Example schema files are provided in the Samba source code tarball under the directory @@ -264,19 +264,19 @@ initialize the LDAP directory database. OpenLDAP itself has only command-line tools to help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
- + For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
- - - - - - - + + + + + + + When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. High availability operation may be obtained through directory replication/synchronization and master/slave server configurations. OpenLDAP is a mature platform to host the organizational @@ -286,10 +286,10 @@ contents with greater ability to back up, restore, and modify the directory than is generally possible with Microsoft Active Directory.
- - - - + + + + A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured for a specific task orientation. It comes with a set of administrative tools that is entirely customized @@ -300,8 +300,8 @@ MS ADAM that provides more generic LDAP services, yet it does not have the vanilla-like services of OpenLDAP.
- - + + You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly if you find the challenge of learning about LDAP directories, schemas, configuration, and management tools and the creation of shell and Perl scripts a bit @@ -309,7 +309,7 @@ many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file that is required for use as a passdb backend.
- + For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability, there are a few nice Web-based tools that may help you to manage your users and groups more effectively. The Web-based tools you might like to consider include the @@ -323,7 +323,7 @@ LDAP Browser/Editor ; JXplorer (by Computer Associates); and phpLDAPadmin. -
Note
+
Note
The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided is considered to consist of the barest essentials only. You are strongly encouraged to learn more about @@ -334,10 +334,10 @@ LDAP System Administration, by Jerry Carter quite useful.
- - - - + + + + Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must be loaded over the WAN connection. The addition of BDCs on each network segment significantly @@ -345,31 +345,31 @@ user desktops, and this must be done in a way that wins their support and does not cause further loss of staff morale. The following procedures solve this problem.
- + There is also an opportunity to implement smart printing features. You add this to the Samba configuration so that future printer changes can be managed without need to change desktop configurations.
You add the ability to automatically download new printer drivers, even if they are not installed in the default desktop profile. Only one example of printing configuration is given. It is assumed that you can extrapolate the principles and use them to install all printers that may be needed. -
Technical Issues
- - - +
Technical Issues
+ + + The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account attributes Samba needs. Samba-3 can use the LDAP backend to store: -
Windows Networking User Accounts
Windows NT Group Accounts
Mapping Information between UNIX Groups and Windows NT Groups
ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)
- - - - - - - - - +
Windows Networking User Accounts
Windows NT Group Accounts
Mapping Information between UNIX Groups and Windows NT Groups
ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)
+ + + + + + + + + The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking accounts in the LDAP backend. This implies the need to use the PADL LDAP tools. The resolution @@ -378,16 +378,16 @@ that integrates with the NSS. The same requirements exist for resolution of the UNIX username to the UID. The relationships are demonstrated in “The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts”.
Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts

- - + + You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really ought to learn how to configure secure communications over LDAP so that site security is not at risk. This is not covered in the following guidance.
- - - - + + + + When OpenLDAP has been made operative, you configure the PDC called MASSIVE. You initialize the Samba secrets.tdb file. Then you create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized. @@ -395,27 +395,27 @@ You can also find on the enclosed CD-ROM, in the Chap06 directory, a few tools that help to manage user and group configuration.
- - - + + + In order to effect folder redirection and to add robustness to the implementation, create a network default profile. All network users workstations are configured to use the new profile. Roaming profiles will automatically be deleted from the workstation when the user logs off.
- + The profile is configured so that users cannot change the appearance of their desktop. This is known as a mandatory profile. You make certain that users are able to use their computers efficiently.
- + A network logon script is used to deliver flexible but consistent network drive connections. -
Addition of Machines to the Domain
- - - - +
Addition of Machines to the Domain
+ + + + Samba versions prior to 3.0.11 necessitated the use of a domain administrator account that maps to the UNIX UID=0. The UNIX operating system permits only the root user to add user and group accounts. Samba 3.0.11 introduced a new facility known as @@ -425,13 +425,13 @@ In this network example use is made of one of the supported privileges purely to demonstrate how any user can now be given the ability to add machines to the domain using a normal user account that has been given the appropriate privileges. -
Roaming Profile Background
+
Roaming Profile Background
As XP roaming profiles grow, so does the amount of time it takes to log in and out.
- - - - + + + + An XP roaming profile consists of the HKEY_CURRENT_USER hive file NTUSER.DAT and a number of folders (My Documents, Application Data, Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the @@ -453,20 +453,20 @@ user to not place large files on the desktop and to use his or her mapped home directory instead of the My Documents folder for saving documents.
- + Using a folder other than My Documents is a nuisance for some users, since many applications use it by default.
- - - + + + The secret to rapid loading of roaming profiles is to prevent unnecessary data from being copied back and forth, without losing any functionality. This is not difficult; it can be done by making changes to the Local Group Policy on each client as well as changing some paths in each user's NTUSER.DAT hive.
- - + + Every user profile has its own NTUSER.DAT file. This means you need to edit every user's profile, unless a better method can be followed. Fortunately, with the right preparations, this is not difficult. @@ -474,11 +474,11 @@ user's profile. Then just create a Network Default Profile. Of course, it is necessary to copy all files from redirected folders to the network share to which they are redirected. -
The Local Group Policy
- - - - +
The Local Group Policy
+ + + + Without an Active Directory PDC, you cannot take full advantage of Group Policy Objects. However, you can still make changes to the Local Group Policy by using the Group Policy editor (gpedit.msc). @@ -487,31 +487,31 @@ be found under User Configuration → Administrative Templates → System → User Profiles. By default this setting contains - “Local Settings; Temporary Internet Files; History; Temp”. + “Local Settings; Temporary Internet Files; History; Temp”.
Simply add the folders you do not wish to be copied back and forth to this semicolon-separated list. Note that this change must be made on all clients that are using roaming profiles. -
Profile Changes
- - +
Profile Changes
+ + There are two changes that should be done to each user's profile. Move each of the directories that you have excluded from being copied back and forth out of the usual profile path. Modify each user's NTUSER.DAT file to point to the new paths that are shared over the network instead of to the default path (C:\Documents and Settings\%USERNAME%).
- - + + The above modifies existing user profiles. So that newly created profiles have these settings, you need to modify the NTUSER.DAT in the C:\Documents and Settings\Default User folder on each client machine, changing the same registry keys. You could do this by copying NTUSER.DAT to a Linux box and using regedt32. The basic method is described under “Configuration of Default Profile with Folder Redirection”. -
Using a Network Default User Profile
- - +
Using a Network Default User Profile
+ + If you are using Samba as your PDC, you should create a file share called NETLOGON and within that create a directory called Default User, which is a copy of the desired default user @@ -520,20 +520,20 @@ the first login from a new account pulls its configuration from it. See also the Real Men Don't Click Web site. -
Installation of Printer Driver Auto-Download
- - - +
Installation of Printer Driver Auto-Download
+ + + The subject of printing is quite topical. Printing problems run second place to name resolution issues today. So far in this book, you have experienced only what is generally - known as “dumb” printing. Dumb printing is the arrangement by which all drivers + known as “dumb” printing. Dumb printing is the arrangement by which all drivers are manually installed on each client and the printing subsystems perform no filtering or intelligent processing. Dumb printing is easily understood. It usually works without many problems, but it has its limitations also. Dumb printing is better known as Raw-Print-Through printing.
- - + + Samba permits the configuration of smart printing using the Microsoft Windows point-and-click (also called drag-and-drop) printing. What this provides is essentially the ability to print to any printer. If the local client does not yet have a @@ -547,9 +547,9 @@ then invokes a suitable print filter to convert the incoming data stream into a format suited to the printer to which the job is dispatched.
- - - + + + The CUPS printing subsystem is capable of intelligent printing. It has the capacity to detect the data format and apply a print filter. This means that it is feasible to install on all Windows clients a single printer driver for use with all printers that are routed @@ -566,7 +566,7 @@ This book is about Samba-3, so you can confine the printing style to just the smart style of installation. Those interested in further information regarding intelligent printing should review documentation on the Easy Software Products Web site. -
Avoiding Failures: Solving Problems Before They Happen
+
Avoiding Failures: Solving Problems Before They Happen
It has often been said that there are three types of people in the world: those who have sharp minds and those who forget things. Please do not ask what the third group is like! Well, it seems that many of us have company in the second group. There must @@ -574,12 +574,12 @@ simple problems efficiently and effectively.
Here are some diagnostic guidelines that can be referred to when things go wrong: -
Preliminary Advice: Dangers Can Be Avoided
- The best advice regarding how to mend a broken leg is “Never break a leg!” +
Preliminary Advice: Dangers Can Be Avoided
+ The best advice regarding how to mend a broken leg is “Never break a leg!”
- + Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice - regarding the best way to remedy LDAP and Samba problems: “Avoid them like the plague!” + regarding the best way to remedy LDAP and Samba problems: “Avoid them like the plague!”
If you are now asking yourself how problems can be avoided, the best advice is to start out your learning experience with a known-good configuration. After @@ -589,11 +589,11 @@ The examples in this chapter (also in the book as a whole) are known to work. That means that they could serve as the kick-off point for your journey through fields of knowledge. Use this resource carefully; we hope it serves you well. -
Warning
+
Warning
Do not be lulled into thinking that you can easily adopt the examples in this book and adapt them without first working through the examples provided. A little thing overlooked can cause untold pain and may permanently tarnish your experience. -
The Name Service Caching Daemon
+
The Name Service Caching Daemon
The name service caching daemon (nscd) is a primary cause of difficulties with name resolution, particularly where winbind is used. Winbind does its own caching, thus nscd causes double caching which can lead to peculiar problems during @@ -660,17 +660,17 @@ root# chkconfig nscd off root# rcnscd off
-
Debugging LDAP
- - - +
Debugging LDAP
+ + + In the example /etc/openldap/slapd.conf control file (see “LDAP DB_CONFIG File”) there is an entry for loglevel 256. To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter and restart slapd.
- - + + LDAP log information can be directed into a file that is separate from the normal system log files by changing the /etc/syslog.conf file so it has the following contents: @@ -689,7 +689,7 @@ local site needs. The configuration used later in this chapter reflects such customization with the intent that LDAP log files will be stored at a location that meets local site needs and wishes more fully. -
Debugging NSS_LDAP
+
Debugging NSS_LDAP
The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the /etc/ldap.conf file the following parameters:
@@ -702,7 +702,7 @@

The diagnostic process should follow these steps: -
Procedure 5.1. NSS_LDAP Diagnostic Steps
+
Procedure 5.1. NSS_LDAP Diagnostic Steps
Verify the nss_base_passwd, nss_base_shadow, nss_base_group entries in the /etc/ldap.conf file and compare them closely with the directory tree location that was chosen when the directory was first created. @@ -739,7 +739,7 @@ will be evaluated sequentially. Let us consider an example of use where the following DIT has been implemented:
-
User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz
User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz
Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz
+
User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz
User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz
Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz

The appropriate multiple entry for the nss_base_passwd directive in the /etc/ldap.conf file may be: @@ -747,7 +747,7 @@ nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
-
+
Perform lookups such as:
root# getent passwd @@ -755,7 +755,7 @@ Each such lookup will create an entry in the /data/log directory for each such process executed. The contents of each file created in this directory may provide a hint as to the cause of the a problem that is under investigation. -
+
For additional diagnostic information, check the contents of the /var/log/messages to see what error messages are being generated as a result of the LDAP lookups. Here is an example of a successful lookup: @@ -788,11 +788,11 @@ slapd[12164]: conn=1 fd=10 closed
-
+
Check that the bindpw entry in the /etc/ldap.conf or in the /etc/ldap.secrets file is correct, as specified in the /etc/openldap/slapd.conf file. -
Debugging Samba
+
Debugging Samba
The following parameters in the smb.conf file can be useful in tracking down Samba-related problems:
[global] @@ -822,17 +822,17 @@
Search for hints of what may have failed by looking for the words fail and error. -
Debugging on the Windows Client
+
Debugging on the Windows Client
MS Windows 2000 Professional and Windows XP Professional clients can be configured to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search the Microsoft knowledge base for detailed instructions. The techniques vary a little with each version of MS Windows. -
Political Issues
+
Political Issues
MS Windows network users are generally very sensitive to limits that may be imposed when confronted with locked-down workstation configurations. The challenge you face must be promoted as a choice between reliable, fast network operation and a constant flux of problems that result in user irritation. -
Installation Checklist
+
Installation Checklist
You are starting a complex project. Even though you went through the installation of a complex network in “The 500-User Office”, this network is a bigger challenge because of the large number of complex applications that must be configured before the first few steps @@ -840,18 +840,18 @@ frequently review the steps ahead while making at least a mental note of what has already been completed. The following task list may help you to keep track of the task items that are covered: -
Samba-3 PDC Server Configuration
DHCP and DNS servers
OpenLDAP server
PAM and NSS client tools
Samba-3 PDC
Idealx smbldap scripts
LDAP initialization
Create user and group accounts
Printers
Share point directory roots
Profile directories
Logon scripts
Configuration of user rights and privileges
Samba-3 BDC Server Configuration
DHCP and DNS servers
PAM and NSS client tools
Printers
Share point directory roots
Profiles directories
Windows XP Client Configuration
Default profile folder redirection
MS Outlook PST file relocation
Delete roaming profile on logout
Upload printer drivers to Samba servers
Install software
Creation of roll-out images
Samba Server Implementation
- - +
Samba-3 PDC Server Configuration
DHCP and DNS servers
OpenLDAP server
PAM and NSS client tools
Samba-3 PDC
Idealx smbldap scripts
LDAP initialization
Create user and group accounts
Printers
Share point directory roots
Profile directories
Logon scripts
Configuration of user rights and privileges
Samba-3 BDC Server Configuration
DHCP and DNS servers
PAM and NSS client tools
Printers
Share point directory roots
Profiles directories
Windows XP Client Configuration
Default profile folder redirection
MS Outlook PST file relocation
Delete roaming profile on logout
Upload printer drivers to Samba servers
Install software
Creation of roll-out images
Samba Server Implementation
+ + The network design shown in “Network Topology 500 User Network Using ldapsam passdb backend” is not comprehensive. It is assumed that you will install additional file servers and possibly additional BDCs.
Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend
Network Topology 500 User Network Using ldapsam passdb backend

- - + + All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to adjust the locations for your particular Linux system distribution/implementation. -
Note
+
Note
The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball, please verify that the versions you are about to use are matching. The smbldap-tools package @@ -867,23 +867,23 @@ have completed the network implementation shown in that chapter. If you are starting with newly installed Linux servers, you must complete the steps shown in “Installation of DHCP, DNS, and Samba Control Files” before commencing at “OpenLDAP Server Configuration”. -
OpenLDAP Server Configuration
- - - +
OpenLDAP Server Configuration
+ + + Confirm that the packages shown in “Required OpenLDAP Linux Packages” are installed on your system.
Table 5.2. Required OpenLDAP Linux Packages
SUSE Linux 8.x SUSE Linux 9.x Red Hat Linux
nss_ldap nss_ldap nss_ldap
pam_ldap pam_ldap pam_ldap
openldap2 openldap2 openldap
openldap2-client openldap2-client

Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you follow these guidelines, the resulting system should work fine. -
Procedure 5.2. OpenLDAP Server Configuration Steps
- +
Procedure 5.2. OpenLDAP Server Configuration Steps
+ Install the file shown in “LDAP Master Configuration File /etc/openldap/slapd.conf Part A” in the directory /etc/openldap. -
- - - +
+ + + Remove all files from the directory /data/ldap, making certain that the directory exists with permissions:
@@ -891,19 +891,19 @@ drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
This may require you to add a user and a group account for LDAP if they do not exist. -
- +
+ Install the file shown in “LDAP DB_CONFIG File” in the directory /data/ldap. In the event that this file is added after ldap has been started, it is possible to cause the new settings to take effect by shutting down the LDAP server, executing the db_recover command inside the /data/ldap directory, and then restarting the LDAP server. -
- +
+ Performance logging can be enabled and should preferably be sent to a file on a file system that is large enough to handle significantly sized logs. To enable the logging at a verbose level to permit detailed analysis, uncomment the entry in - the /etc/openldap/slapd.conf shown as “loglevel 256”. + the /etc/openldap/slapd.conf shown as “loglevel 256”.
Edit the /etc/syslog.conf file to add the following at the end of the file: @@ -974,32 +974,32 @@ index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub -

PAM and NSS Client Configuration
- - - +

PAM and NSS Client Configuration
+ + + The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
- - + + Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely that you may want to use them for UNIX system (Linux) local machine logons. This necessitates correct configuration of PAM. The pam_ldap open source package provides the PAM modules that most people would use. On SUSE Linux systems, the pam_unix2.so module also has the ability to redirect authentication requests through LDAP.
- - - - + + + + You have chosen to configure these services by directly editing the system files, but of course, you know that this configuration can be done using system tools provided by the Linux system vendor. SUSE Linux has a facility in YaST (the system admin tool) through yast → system → ldap-client that permits configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the authconfig tool for this. -
Procedure 5.3. PAM and NSS Client Configuration Steps
Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf
+
Procedure 5.3. PAM and NSS Client Configuration Steps
Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf
host 127.0.0.1 base dc=abmas,dc=biz @@ -1041,23 +1041,23 @@ nss_base_group ou=Groups,dc=abmas,dc=biz?one ssl off -

- - - +

+ + + Execute the following command to find where the nss_ldap module expects to find its control file:
root# strings /lib/libnss_ldap.so.2 | grep conf
The preferred and usual location is /etc/ldap.conf. -
+
On the server MASSIVE, install the file shown in “Configuration File for NSS LDAP Support /etc/ldap.conf” into the path that was obtained from the step above. On the servers called BLDG1 and BLDG2, install the file shown in “Configuration File for NSS LDAP Clients Support /etc/ldap.conf” into the path that was obtained from the step above. -
- +
+ Edit the NSS control file (/etc/nsswitch.conf) so that the lines that control user and group resolution will obtain information from the normal system files as well as from ldap: @@ -1071,7 +1071,7 @@ added, you can validate resolution of the LDAP resolver process. The inclusion of WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be resolved to their IP addresses, whether or not they are DHCP clients. -
Note
+
Note
Some Linux systems (Novell SUSE Linux in particular) add entries to the nsswitch.conf file that may cause operational problems with the configuration methods adopted in this book. It is advisable to comment out the entries passwd_compat and group_compat @@ -1079,8 +1079,8 @@
Even at the risk of overstating the issue, incorrect and inappropriate configuration of the nsswitch.conf file is a significant cause of operational problems with LDAP. -
- +
+ For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following files in the /etc/pam.d directory: login, password, samba, sshd. In each file, locate every entry that has the @@ -1102,7 +1102,7 @@ session required pam_limits.so

- + On other Linux systems that do not have an LDAP-enabled pam_unix2.so module, you must edit these files by adding the pam_ldap.so modules as shown here:
@@ -1125,15 +1125,15 @@ demonstrates the use of the pam_ldap.so module. You can use either implementation, but if the pam_unix2.so on your system supports LDAP, you probably want to use it rather than add an additional module. -
Samba-3 PDC Configuration
- +
Samba-3 PDC Configuration
+ Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the choice to either build your own or obtain the packages from a dependable source. Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that is included with this book. -
Procedure 5.4. Configuration of PDC Called MASSIVE
+
Procedure 5.4. Configuration of PDC Called MASSIVE
Install the files in “LDAP Based smb.conf File, Server: MASSIVE global Section: Part A”, “LDAP Based smb.conf File, Server: MASSIVE global Section: Part B”, “LDAP Based smb.conf File, Shares Section Part A”, and “LDAP Based smb.conf File, Shares Section Part B” into the /etc/samba/ @@ -1142,8 +1142,8 @@ smb.conf.master and then to perform all file edits on the master file. The operational smb.conf is then generated as shown in the next step. -
- +
+ Create and verify the contents of the smb.conf file that is generated by:
root# testparm -s smb.conf.master > smb.conf @@ -1170,7 +1170,7 @@ Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions
-
+
Delete all runtime files from prior Samba operation by executing (for SUSE Linux):
@@ -1179,9 +1179,9 @@ root# rm /var/lib/samba/*dat root# rm /var/log/samba/*
-
- - +
+ + Samba-3 communicates with the LDAP server. The password that it uses to authenticate to the LDAP server must be stored in the secrets.tdb file. Execute the following to create the new secrets.tdb files @@ -1193,9 +1193,9 @@
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
-
- - +
+ + Samba-3 generates a Windows Security Identifier (SID) only when smbd has been started. For this reason, you start Samba. After a few seconds delay, execute: @@ -1226,13 +1226,13 @@ may be misconfigured. In this case, carefully check the smb.conf file for typographical errors (the most common problem). The use of the testparm is highly recommended to validate the contents of this file. -
+
When a positive domain SID has been reported, stop Samba. -
- - - - +
+ + + + Configure the NFS server for your Linux system. So you can complete the steps that follow, enter into the /etc/exports the following entry:
@@ -1250,8 +1250,8 @@
Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with configuration of the LDAP server. -
Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
# Global parameters

[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = MASSIVE
interfaces = eth1, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldap://massive.abmas.biz
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"

Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
preferred master = Yes
wins support = Yes
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = Yes
printing = cups
printer admin = root, chrisr

Install and Configure Idealx smbldap-tools Scripts
- +
Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
# Global parameters

[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = MASSIVE
interfaces = eth1, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldap://massive.abmas.biz
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"

Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
preferred master = Yes
wins support = Yes
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = Yes
printing = cups
printer admin = root, chrisr

Install and Configure Idealx smbldap-tools Scripts
+ The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts on the LDAP server. You have chosen the Idealx scripts because they are the best-known LDAP configuration scripts. The use of these scripts will help avoid the necessity @@ -1261,16 +1261,16 @@ from this site also. Alternatively, you may obtain the smbldap-tools-0.9.1-1.src.rpm file that may be used to build an installable RPM package for your Linux system. -
Note
+
Note
The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must change the path to them in your smb.conf file on the PDC (MASSIVE).
The smbldap-tools are located in /opt/IDEALX/sbin. The scripts are not needed on BDC machines because all LDAP updates are handled by the PDC alone. -
Installation of smbldap-tools from the Tarball
+
Installation of smbldap-tools from the Tarball
To perform a manual installation of the smbldap-tools scripts, the following procedure may be used: -
Procedure 5.5. Unpacking and Installation Steps for the smbldap-tools Tarball
+
Procedure 5.5. Unpacking and Installation Steps for the smbldap-tools Tarball
Create the /opt/IDEALX/sbin directory, and set its permissions and ownership as shown here:
@@ -1281,11 +1281,11 @@ root# chown root:root /etc/smbldap-tools root# chmod 755 /etc/smbldap-tools
-
+
If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location. Change into either the directory extracted from the tarball or the smbldap-tools directory in your /usr/share/doc/packages directory tree. -
+
Copy all the smbldap-* and the configure.pl files into the /opt/IDEALX/sbin directory, as shown here:
@@ -1297,7 +1297,7 @@ root# chmod 640 /etc/smbldap-tools/smbldap.conf root# chmod 600 /etc/smbldap-tools/smbldap_bind.conf
-
+
The smbldap-tools scripts master control file must now be configured. Change to the /opt/IDEALX/sbin directory, then edit the smbldap_tools.pm to affect the changes @@ -1310,7 +1310,7 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; ...
-
+
To complete the configuration of the smbldap-tools, set the permissions and ownership by executing the following commands:
@@ -1320,15 +1320,15 @@
The smbldap-tools scripts are now ready for the configuration step outlined in “Configuration of smbldap-tools”. -
Installing smbldap-tools from the RPM Package
+
Installing smbldap-tools from the RPM Package
In the event that you have elected to use the RPM package provided by Idealx, download the source RPM smbldap-tools-0.9.1-1.src.rpm, then follow this procedure: -
Procedure 5.6. Installation Steps for smbldap-tools RPM's
+
Procedure 5.6. Installation Steps for smbldap-tools RPM's
Install the source RPM that has been downloaded as follows:
root# rpm -i smbldap-tools-0.9.1-1.src.rpm
-
+
Change into the directory in which the SPEC files are located. On SUSE Linux:
root# cd /usr/src/packages/SPECS @@ -1337,7 +1337,7 @@
root# cd /usr/src/redhat/SPECS
-
+
Edit the smbldap-tools.spec file to change the value of the _sysconfig macro as shown here:
@@ -1345,14 +1345,14 @@ %define _sysconfdir /etc
Note: Any suitable directory can be specified. -
+
Build the package by executing:
root# rpmbuild -ba -v smbldap-tools.spec
A build process that has completed without error will place the installable binary files in the directory ../RPMS/noarch. -
+
Install the binary package by executing:
root# rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm @@ -1360,7 +1360,7 @@
The Idealx scripts should now be ready for configuration using the steps outlined in Configuration of smbldap-tools. -
Configuration of smbldap-tools
+
Configuration of smbldap-tools
Prior to use, the smbldap-tools must be configured to match the settings in the smb.conf file and to match the settings in the /etc/openldap/slapd.conf file. The assumption is made that the smb.conf file has correct contents. The following procedure ensures that @@ -1368,12 +1368,12 @@
The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included in the smb.conf file. -
Procedure 5.7. Configuration Steps for smbldap-tools to Enable Use
+
Procedure 5.7. Configuration Steps for smbldap-tools to Enable Use
Change into the directory that contains the configure.pl script.
root# cd /opt/IDEALX/sbin
-
+
Execute the configure.pl script as follows:
root# ./configure.pl @@ -1469,12 +1469,12 @@ Since a slave LDAP server has not been configured, it is necessary to specify the IP address of the master LDAP server for both the master and the slave configuration prompts. -
+
Change to the directory that contains the smbldap.conf file, then verify its contents.
The smbldap-tools are now ready for use. -
LDAP Initialization and Creation of User and Group Accounts
+
LDAP Initialization and Creation of User and Group Accounts
The LDAP database must be populated with well-known Windows domain user accounts and domain group accounts before Samba can be used. The following procedures step you through the process.
@@ -1486,13 +1486,13 @@ does not need to ask LDAP.
Addition of an account to the LDAP backend can be done in two ways: -
- - - - - - +
+ + + + + + If you always have a user account in the /etc/passwd on every server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in LDAP. In this case, you can add Windows domain user accounts using the @@ -1503,27 +1503,27 @@ expects the POSIX account to be in LDAP also. It is possible to use the PADL account migration tool to migrate all system accounts from either the /etc/passwd files, or from NIS, to LDAP. -
+
If you decide that it is probably a good idea to add both the PosixAccount attributes as well as the SambaSamAccount attributes for each user, then a suitable script is needed. In the example system you are installing in this exercise, you are making use of the Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system, is included on the enclosed CD-ROM under Chap06/Tools.
- + If you wish to have more control over how the LDAP database is initialized or if you don't want to use the Idealx smbldap-tools, you should refer to “A Collection of Useful Tidbits”, “Alternative LDAP Database Initialization”.
- + The following steps initialize the LDAP database, and then you can add user and group accounts that Samba can use. You use the smbldap-populate to seed the LDAP database. You then manually add the accounts shown in “Abmas Network Users and Groups”. The list of users does not cover all 500 network users; it provides examples only. -
Note
- - - +
Note
+ + + In the following examples, as the LDAP database is initialized, we do create a container for Computer (machine) accounts. In the Samba-3 smb.conf files, specific use is made of the People container, not the Computers container, for domain member accounts. This is not a @@ -1540,15 +1540,15 @@ can be found. Alternatively, by placing all machine accounts in the People container, we are able to sidestep this limitation. This is the simpler solution that has been adopted in this chapter. -
Table 5.3. Abmas Network Users and Groups
Account Name Type ID Password
Robert Jordan User bobj n3v3r2l8
Stanley Soroka User stans impl13dst4r
Christine Roberson User chrisr S9n0nw4ll
Mary Vortexis User maryv kw13t0n3
Accounts Group Accounts
Finances Group Finances
Insurance Group PIOps

Procedure 5.8. LDAP Directory Initialization Steps
+
Table 5.3. Abmas Network Users and Groups
Account Name Type ID Password
Robert Jordan User bobj n3v3r2l8
Stanley Soroka User stans impl13dst4r
Christine Roberson User chrisr S9n0nw4ll
Mary Vortexis User maryv kw13t0n3
Accounts Group Accounts
Finances Group Finances
Insurance Group PIOps

Procedure 5.8. LDAP Directory Initialization Steps
Start the LDAP server by executing:
root# rcldap start Starting ldap-server done
-
+
Change to the /opt/IDEALX/sbin directory. -
+
Execute the script that will populate the LDAP database as shown here:
root# ./smbldap-populate -a root -k 0 -m 0 @@ -1579,7 +1579,7 @@ adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
-
+
Edit the /etc/smbldap-tools/smbldap.conf file so that the following information is changed from:
@@ -1592,15 +1592,15 @@ #sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
-
+
It is necessary to restart the LDAP server as shown here:
root# rcldap restart Shutting down ldap-server done Starting ldap-server done
-
- +
+ So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data. There are several ways you can check that your LDAP database is able to receive IDMAP information. One of the simplest is to execute: @@ -1609,7 +1609,7 @@ dn: ou=Idmap,dc=abmas,dc=biz ou: idmap
- + If the execution of this command does not return IDMAP entries, you need to create an LDIF template file (see “LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF”). You can add the required entries using the following command: @@ -1618,8 +1618,8 @@ -w not24get < /etc/openldap/idmap.LDIF
Samba automatically populates this LDAP directory container when it needs to. -
- +
+ It looks like all has gone well, as expected. Let's confirm that this is the case by running a few tests. First we check the contents of the database directly by running slapcat as follows (the output has been cut down): @@ -1656,8 +1656,8 @@ modifyTimestamp: 20031217234206Z
This looks good so far. -
- +
+ The next step is to prove that the LDAP server is running and responds to a search request. Execute the following as shown (output has been cut to save space):
@@ -1701,8 +1701,8 @@ # numEntries: 19
Good. It is all working just fine. -
- +
+ You must now make certain that the NSS resolver can interrogate LDAP also. Execute the following commands:
@@ -1715,16 +1715,16 @@ Domain Guests:x:514: Domain Computers:x:553:
- + This demonstrates that the nss_ldap library is functioning as it should. If these two steps fail to produce this information, refer to “Avoiding Failures: Solving Problems Before They Happen” for diagnostic procedures that can be followed to isolate the cause of the problem. Proceed to the next step only when the previous steps have been successfully completed. -
- - - +
+ + + Our database is now ready for the addition of network users. For each user for whom an account must be created, execute the following:
@@ -1739,8 +1739,8 @@ Retype new SMB password: XXXXXXXX
where username is the login ID for each user. -
- +
+ Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the following:
@@ -1756,7 +1756,7 @@ maryv:x:1003:513:System User:/home/maryv:/bin/bash
This demonstrates that user account resolution via LDAP is working. -
+
This step will determine whether or not identity resolution is working correctly. Do not procede is this step fails, rather find the cause of the failure. The id command may be used to validate your configuration so far, @@ -1767,8 +1767,8 @@
This confirms that the UNIX (POSIX) user account information can be resolved from LDAP by system tools that make a getentpw() system call. -
- +
+ The root account must have UID=0; if not, this means that operations conducted from a Windows client using tools such as the Domain User Manager fails under UNIX because the management of user and group accounts requires that the UID=0. Additionally, it is @@ -1779,7 +1779,7 @@ root# cd /opt/IDEALX/sbin root# ./smbldap-usermod -u 0 -d /root -s /bin/bash root
-
+
Verify that the changes just made to the root account were accepted by executing:
@@ -1788,7 +1788,7 @@ root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
This demonstrates that the changes were accepted. -
+
Make certain that a home directory has been created for every user by listing the directories in /home as follows:
@@ -1801,9 +1801,9 @@ drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
This is precisely what we want to see. -
- - +
+ + The final validation step involves making certain that Samba-3 can obtain the user accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
@@ -1833,8 +1833,8 @@ Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
This looks good. Of course, you fully expected that it would all work, didn't you? -
- +
+ Now you add the group accounts that are used on the Abmas network. Execute the following exactly as shown:
@@ -1844,8 +1844,8 @@
The addition of groups does not involve keyboard interaction, so the lack of console output is of no concern. -
- +
+ You really do want to confirm that UNIX group resolution from LDAP is functioning as it should. Let's do this as shown here:
@@ -1861,8 +1861,8 @@
The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well as our own site-specific group accounts, are correctly listed. This is looking good. -
- +
+ The final step we need to validate is that Samba can see all the Windows domain groups and that they are correctly mapped to the respective UNIX group account. To do this, just execute the following command: @@ -1879,7 +1879,7 @@ This is looking good. Congratulations it works! Note that in the above output the lines were shortened by replacing the middle value (1010554828) of the SID with the ellipsis (...). -
+
The server you have so carefully built is now ready for another important step. You start the Samba-3 server and validate its operation. Execute the following to render all the processes needed fully operative so that, on system reboot, they are automatically @@ -1895,7 +1895,7 @@ root# rcsmb start root# rcwinbind start
-
+
The next step might seem a little odd at this point, but take note that you are about to start winbindd, which must be able to authenticate to the PDC via the localhost interface with the smbd process. This account can be @@ -1910,14 +1910,14 @@ Joined domain MEGANET2.
This indicates that the domain security account for the PDC has been correctly created. -
+
At this time it is necessary to restart winbindd so that it can correctly authenticate to the PDC. The following command achieves that:
root# rcwinbind restart
-
- +
+ You may now check Samba-3 operation as follows:
root# smbclient -L massive -U% @@ -1943,7 +1943,7 @@ MEGANET2 MASSIVE
This shows that an anonymous connection is working. -
+
For your finale, let's try an authenticated connection:
root# smbclient //massive/bobj -Ubobj%n3v3r2l8 @@ -1962,47 +1962,47 @@ Well done. All is working fine.
The server MASSIVE is now configured, and it is time to move onto the next task. -
Printer Configuration
- +
Printer Configuration
+ The configuration for Samba-3 to enable CUPS raw-print-through printing has already been taken care of in the smb.conf file. The only preparation needed for smart printing to be possible involves creation of the directories in which Samba-3 stores Windows printing driver files. -
Procedure 5.9. Printer Configuration Steps
+
Procedure 5.9. Printer Configuration Steps
Configure all network-attached printers to have a fixed IP address. -
+
Create an entry in the DNS database on the server MASSIVE in both the forward lookup database for the zone abmas.biz.hosts and in the reverse lookup database for the network segment that the printer is to be located in. Example configuration files for similar zones were presented in “Secure Office Networking”, “DNS Abmas.biz Forward Zone File” and in “DNS 192.168.2 Reverse Zone File”. -
+
Follow the instructions in the printer manufacturers' manuals to permit printing to port 9100. Use any other port the manufacturer specifies for direct mode, raw printing. This allows the CUPS spooler to print using raw mode protocols. - - -
- - + + +
+ + Only on the server to which the printer is attached, configure the CUPS Print Queues as follows:
root# lpadmin -p printque -v socket://printer-name.abmas.biz:9100 -E
- + This step creates the necessary print queue to use no assigned print filter. This is ideal for raw printing, that is, printing without use of filters. The name printque is the name you have assigned for the particular printer. -
+
Print queues may not be enabled at creation. Make certain that the queues you have just created are enabled by executing the following:
root# /usr/bin/enable printque
-
+
Even though your print queue may be enabled, it is still possible that it may not accept print jobs. A print queue will service incoming printing requests only when configured to do so. Ensure that your print queue is @@ -2010,27 +2010,27 @@
root# /usr/bin/accept printque
-
- - - +
+ + + Edit the file /etc/cups/mime.convs to uncomment the line:
application/octet-stream application/vnd.cups-raw 0 -
-
- +
+ Edit the file /etc/cups/mime.types to uncomment the line:
application/octet-stream
-
+
Refer to the CUPS printing manual for instructions regarding how to configure CUPS so that print queues that reside on CUPS servers on remote networks route print jobs to the print server that owns that queue. The default setting on your CUPS server may automatically discover remotely installed printers and may permit this functionality without requiring specific configuration. -
+
The following action creates the necessary directory subsystem. Follow these steps to printing heaven:
@@ -2038,17 +2038,17 @@ root# chown -R root:root /var/lib/samba/drivers root# chmod -R ug=rwx,o=rx /var/lib/samba/drivers
-
Samba-3 BDC Configuration
Procedure 5.10. Configuration of BDC Called: BLDG1
+
Samba-3 BDC Configuration
Procedure 5.10. Configuration of BDC Called: BLDG1
Install the files in “LDAP Based smb.conf File, Server: BLDG1”, “LDAP Based smb.conf File, Shares Section Part A”, and “LDAP Based smb.conf File, Shares Section Part B” into the /etc/samba/ directory. The three files should be added together to form the smb.conf file. -
+
Verify the smb.conf file as in step 2 of “Samba-3 PDC Configuration”. -
+
Carefully follow the steps outlined in “PAM and NSS Client Configuration”, taking particular note to install the correct ldap.conf. -
+
Verify that the NSS resolver is working. You may need to cycle the run level to 1 and back to 5 before the NSS LDAP resolver functions. Follow these commands: @@ -2080,8 +2080,8 @@ bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem. -
- +
+ The next step in the verification process involves testing the operation of UNIX group resolution via the NSS LDAP resolver. Execute these commands:
@@ -2110,15 +2110,15 @@
This is also the correct and desired output, because it demonstrates that the LDAP client is able to communicate correctly with the LDAP server (MASSIVE). -
- +
+ You must now set the LDAP administrative password into the Samba-3 secrets.tdb file by executing this command:
root# smbpasswd -w not24get Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
-
+
Now you must obtain the domain SID from the PDC and store it into the secrets.tdb file also. This step is not necessary with an LDAP passdb backend because Samba-3 obtains the domain SID from the @@ -2135,15 +2135,15 @@ domain controller that is running on the localhost and must be able to authenticate, thus requiring that the BDC should be joined to the domain. The process of joining the domain creates the necessary authentication accounts. -
+
To join the Samba BDC to the domain, execute the following:
root# net rpc join -U root%not24get Joined domain MEGANET2.
This indicates that the domain security account for the BDC has been correctly created. -
- +
+ Verify that user and group account resolution works via Samba-3 tools as follows:
root# pdbedit -L @@ -2169,7 +2169,7 @@ PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
These results show that all things are in order. -
+
The server you have so carefully built is now ready for another important step. Now start the Samba-3 server and validate its operation. Execute the following to render all the processes needed fully operative so that, upon system reboot, they are automatically @@ -2185,7 +2185,7 @@ root# rcwinbind start
Samba-3 should now be running and is ready for a quick test. But not quite yet! -
+
Your new BLDG1, BLDG2 servers do not have home directories for users. To rectify this using the SUSE yast2 utility or by manually editing the /etc/fstab file, add a mount entry to mount the home directory that has been exported @@ -2205,7 +2205,7 @@ root# df | grep home massive:/home 29532988 283388 29249600 1% /home
-
+
Implement a quick check using one of the users that is in the LDAP database. Here you go:
root# smbclient //bldg1/bobj -Ubobj%n3v3r2l8 @@ -2224,26 +2224,26 @@
Now that the first BDC (BDLG1) has been configured it is time to build and configure the second BDC server (BLDG2) as follows: -
Procedure 5.11. Configuration of BDC Called BLDG2
+
Procedure 5.11. Configuration of BDC Called BLDG2
Install the files in “LDAP Based smb.conf File, Server: BLDG2”, “LDAP Based smb.conf File, Shares Section Part A”, and “LDAP Based smb.conf File, Shares Section Part B” into the /etc/samba/ directory. The three files should be added together to form the smb.conf file. -
+
Follow carefully the steps shown in “Samba-3 BDC Configuration”, starting at step 2. -
Example 5.8. LDAP Based smb.conf File, Server: BLDG1
# Global parameters

[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = BLDG1
passdb backend = ldapsam:ldap://massive.abmas.biz
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
domain master = No
wins server = 172.16.0.1
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
printer admin = root, chrisr

Example 5.9. LDAP Based smb.conf File, Server: BLDG2
# Global parameters

[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = BLDG2
passdb backend = ldapsam:ldap://massive.abmas.biz
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
domain master = No
wins server = 172.16.0.1
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
printer admin = root, chrisr

Example 5.10. LDAP Based smb.conf File, Shares Section Part A

[accounts]
comment = Accounting Files
path = /data/accounts
read only = No

[service]
comment = Financial Services Files
path = /data/service
read only = No

[pidata]
comment = Property Insurance Files
path = /data/pidata
read only = No

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No

Example 5.11. LDAP Based smb.conf File, Shares Section Part B

[apps]
comment = Application Files
path = /apps
admin users = bjordan
read only = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
browseable = yes
guest ok = no
read only = yes
write list = root, chrisr

Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
+
Example 5.8. LDAP Based smb.conf File, Server: BLDG1
# Global parameters

[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = BLDG1
passdb backend = ldapsam:ldap://massive.abmas.biz
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
domain master = No
wins server = 172.16.0.1
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
printer admin = root, chrisr

Example 5.9. LDAP Based smb.conf File, Server: BLDG2
# Global parameters

[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = BLDG2
passdb backend = ldapsam:ldap://massive.abmas.biz
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
domain master = No
wins server = 172.16.0.1
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
printer admin = root, chrisr

Example 5.10. LDAP Based smb.conf File, Shares Section Part A

[accounts]
comment = Accounting Files
path = /data/accounts
read only = No

[service]
comment = Financial Services Files
path = /data/service
read only = No

[pidata]
comment = Property Insurance Files
path = /data/pidata
read only = No

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No

Example 5.11. LDAP Based smb.conf File, Shares Section Part B

[apps]
comment = Application Files
path = /apps
admin users = bjordan
read only = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
browseable = yes
guest ok = no
read only = yes
write list = root, chrisr

Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
dn: ou=Idmap,dc=abmas,dc=biz objectClass: organizationalUnit ou: idmap structuralObjectClass: organizationalUnit -

Miscellaneous Server Preparation Tasks
- My father would say, “Dinner is not over until the dishes have been done.” +

Miscellaneous Server Preparation Tasks
+ My father would say, “Dinner is not over until the dishes have been done.” The makings of a great network environment take a lot of effort and attention to detail. So far, you have completed most of the complex (and to many administrators, the interesting part of server configuration) steps, but remember to tie it all together. Here are a few more steps that must be completed so that your network runs like a well-rehearsed orchestra. -
Configuring Directory Share Point Roots
+
Configuring Directory Share Point Roots
In your smb.conf file, you have specified Windows shares. Each has a path parameter. Even though it is obvious to all, one of the common Samba networking problems is caused by forgetting to verify that every such share root directory actually exists and that it @@ -2261,7 +2261,7 @@ root# chmod -R ug+rwxs,o-rwx /data root# chmod -R ug+rwx,o+rx-w /apps
-
Configuring Profile Directories
+
Configuring Profile Directories
You made a conscious decision to do everything it would take to improve network client performance. One of your decisions was to implement folder redirection. This means that Windows user desktop profiles are now made up of two components: a dynamically loaded part and a set of file @@ -2286,17 +2286,17 @@ root# chmod -R 750 username

- - + + You have three options insofar as the dynamically loaded portion of the roaming profile is concerned: -
You may permit the user to obtain a default profile.
You can create a mandatory profile.
You can create a group profile (which is almost always a mandatory profile).
+
You may permit the user to obtain a default profile.
You can create a mandatory profile.
You can create a group profile (which is almost always a mandatory profile).
Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory profile is effected by renaming the NTUSER.DAT to NTUSER.MAN, that is, just by changing the filename extension.
- - + + The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend. You can manage this using the Idealx smbldap-tools or using the Windows NT4 Domain User Manager. @@ -2309,8 +2309,8 @@ /var/lib/samba/profiles/username root# chmod 700 /var/lib/samba/profiles/username
-
Preparation of Logon Scripts
- +
Preparation of Logon Scripts
+ The use of a logon script with Windows XP Professional is an option that every site should consider. Unless you have locked down the desktop so the user cannot change anything, there is risk that a vital network drive setting may be broken or that printer connections may be lost. Logon scripts @@ -2335,7 +2335,7 @@ You should research the options for logon script implementation by referring to TOSHARG2, Chapter 24, Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon facilities in use today is called KiXtart. -
Assigning User Rights and Privileges
+
Assigning User Rights and Privileges
The ability to perform tasks such as joining Windows clients to the domain can be assigned to normal user accounts. By default, only the domain administrator account (root on UNIX systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant @@ -2347,9 +2347,9 @@ Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who are granted rights can be restricted to particular machines. It is left to the network administrator to determine which rights should be provided and to whom. -
Procedure 5.12. Steps for Assignment of User Rights and Privileges
+
Procedure 5.12. Steps for Assignment of User Rights and Privileges
Log onto the PDC as the root account. -
+
Execute the following command to grant the Domain Admins group all rights and privileges:
@@ -2361,7 +2361,7 @@
Repeat this step on each domain controller, in each case substituting the name of the server (e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE. -
+
In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations to the domain. Execute the following only on the PDC. It is not necessary to do this on BDCs or on DMS machines because machine accounts are only ever added by the PDC: @@ -2370,7 +2370,7 @@ "MEGANET2\bobj" SeMachineAccountPrivilege Successfully granted rights.
-
+
Verify that privilege assignments have been correctly applied by executing:
net rpc rights list accounts -Uroot%not24get @@ -2405,8 +2405,8 @@ SeRemoteShutdownPrivilege SeDiskOperatorPrivilege
-
Windows Client Configuration
- +
Windows Client Configuration
+ In the next few sections, you can configure a new Windows XP Professional disk image on a staging machine. You will configure all software, printer settings, profile and policy handling, and desktop default profile settings on this system. When it is complete, you copy the contents of the @@ -2418,60 +2418,60 @@ "How to Create a Base Profile for All Users." -
Configuration of Default Profile with Folder Redirection
- +
Configuration of Default Profile with Folder Redirection
+ Log onto the Windows XP Professional workstation as the local Administrator. It is necessary to expose folders that are generally hidden to provide access to the Default User folder. -
Procedure 5.13. Expose Hidden Folders
+
Procedure 5.13. Expose Hidden Folders
Launch the Windows Explorer by clicking Start → My Computer → Tools → Folder Options → View Tab. Select Show hidden files and folders, and click OK. Exit Windows Explorer. -
- +
+ Launch the Registry Editor. Click Start → Run. Key in regedt32, and click OK.
-
Procedure 5.14. Redirect Folders in Default System User Profile
- - +
Procedure 5.14. Redirect Folders in Default System User Profile
+ + Give focus to HKEY_LOCAL_MACHINE hive entry in the left panel. Click File → Load Hive... → Documents and Settings → Default User → NTUSER → Open. In the dialog box that opens, enter the key name Default and click OK. -
+
Browse inside the newly loaded Default folder to:
HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ CurrentVersion\Explorer\User Shell Folders\
The right panel reveals the contents as shown in “Windows XP Professional User Shared Folders”. -
- - +
+ + You edit hive keys. Acceptable values to replace the %USERPROFILE% variable includes: -
A drive letter such as U:
A direct network path such as - \\MASSIVE\profdata
A network redirection (UNC name) that contains a macro such as
%LOGONSERVER%\profdata\
-
- +
A drive letter such as U:
A direct network path such as + \\MASSIVE\profdata
A network redirection (UNC name) that contains a macro such as
%LOGONSERVER%\profdata\
+
+ Set the registry keys as shown in “Default Profile Redirections”. Your implementation makes the assumption that users have statically located machines. Notebook computers (mobile users) need to be accommodated using local profiles. This is not an uncommon assumption. -
+
Click back to the root of the loaded hive Default. Click File → Unload Hive... → Yes. -
- +
+ Click File → Exit. This exits the Registry Editor. -
+
Now follow the procedure given in “The Local Group Policy”. Make sure that each folder you have redirected is in the exclusion list. -
- You are now ready to copy^[11] +
+ You are now ready to copy^[11] the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer, and use it to copy the full contents of the directory Default User that is in the C:\Documents and Settings to the root directory of the @@ -2482,14 +2482,14 @@ Before punching out new desktop images for the client workstations, it is perhaps a good idea that desktop behavior should be returned to the original Microsoft settings. The following steps achieve that ojective: -
Procedure 5.15. Reset Folder Display to Original Behavior
+
Procedure 5.15. Reset Folder Display to Original Behavior
To launch the Windows Explorer, click Start → My Computer → Tools → Folder Options → View Tab. Deselect Show hidden files and folders, and click OK. Exit Windows Explorer. -
Figure 5.3. Windows XP Professional User Shared Folders
Windows XP Professional User Shared Folders

Table 5.4. Default Profile Redirections
Registry Key Redirected Value
Cache %LOGONSERVER%\profdata\%USERNAME%\InternetFiles
Cookies %LOGONSERVER%\profdata\%USERNAME%\Cookies
History %LOGONSERVER%\profdata\%USERNAME%\History
Local AppData %LOGONSERVER%\profdata\%USERNAME%\AppData
Local Settings %LOGONSERVER%\profdata\%USERNAME%\LocalSettings
My Pictures %LOGONSERVER%\profdata\%USERNAME%\MyPictures
Personal %LOGONSERVER%\profdata\%USERNAME%\MyDocuments
Recent %LOGONSERVER%\profdata\%USERNAME%\Recent

Configuration of MS Outlook to Relocate PST File
- - +
Figure 5.3. Windows XP Professional User Shared Folders
Windows XP Professional User Shared Folders

Table 5.4. Default Profile Redirections
Registry Key Redirected Value
Cache %LOGONSERVER%\profdata\%USERNAME%\InternetFiles
Cookies %LOGONSERVER%\profdata\%USERNAME%\Cookies
History %LOGONSERVER%\profdata\%USERNAME%\History
Local AppData %LOGONSERVER%\profdata\%USERNAME%\AppData
Local Settings %LOGONSERVER%\profdata\%USERNAME%\LocalSettings
My Pictures %LOGONSERVER%\profdata\%USERNAME%\MyPictures
Personal %LOGONSERVER%\profdata\%USERNAME%\MyDocuments
Recent %LOGONSERVER%\profdata\%USERNAME%\Recent

Configuration of MS Outlook to Relocate PST File
+ + Microsoft Outlook can store a Personal Storage file, generally known as a PST file. It is the nature of email storage that this file grows, at times quite rapidly. So that users' email is available to them at every workstation they may log onto, @@ -2498,19 +2498,19 @@
To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave slightly differently), follow these steps: -
Procedure 5.16. Outlook PST File Relocation
+
Procedure 5.16. Outlook PST File Relocation
Close Outlook if it is open. -
+
From the Control Panel, launch the Mail icon. -
+
Click Email Accounts. -
+
Make a note of the location of the PST file(s). From this location, move the files to the desired new target location. The most desired new target location may well be the users' home directory. -
+
Add a new data file, selecting the PST file in the new desired target location. - Give this entry (not the filename) a new name such as “Personal Mail Folders.” + Give this entry (not the filename) a new name such as “Personal Mail Folders.”
Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems following these instructions. Feedback from users suggests that where IMAP is used the PST @@ -2518,21 +2518,21 @@ MS Outlook's Send/Receive button. If anyone has sucessfully relocated PST files where IMAP is used please email jht@samba.org with useful tips and suggestions so that this warning can be removed or modified. -
+
Close the Date Files windows, then click Email Accounts. -
+
Select View of Change exiting email accounts, click Next. -
+
Change the Mail Delivery Location so as to use the data file in the new target location. -
+
Go back to the Data Files window, then delete the old data file entry. -
Note
- +
Note
+ You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise the user may be not be able to retrieve contacts when addressing a new email message. -
Note
- +
Note
+ Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook Express storage files can not be redirected to network shares. The options panel will not permit this, but they can be moved to folders outside of the user's profile. They can also be excluded @@ -2541,34 +2541,34 @@ While it is possible to redirect the data stores for Outlook Express data stores by editing the registry, experience has shown that data corruption and loss of email messages will result.
- - + + In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with roaming profiles this can result in excruciatingly long login and logout behavior will files are synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming profiles are used.
- + Microsoft does not support storing PST files on network shares, although the practice does appear to be rather popular. Anyone who does relocation the PST file to a network resource should refer the Microsoft reference to better understand the issues.
- + Apart from manually moving PST files to a network share, it is possible to set the default PST location for new accounts by following the instructions at the WindowsITPro web site.
- + User feedback suggests that disabling of oplocks on PST files will significantly improve network performance by reducing locking overheads. One way this can be done is to add to the smb.conf file stanza for the share the PST file the following:
veto oplock files = /*.pdf/*.PST/
-
Configure Delete Cached Profiles on Logout
+
Configure Delete Cached Profiles on Logout
Configure the Windows XP Professional client to auto-delete roaming profiles on logout:
- + Click Start → Run. In the dialog box, enter MMC and click OK.
@@ -2576,94 +2576,94 @@ profiles are deleted as network users log out of the system. Click File → Add/Remove Snap-in → Add → Group Policy → Add → Finish → Close → OK.
- + The Microsoft Management Console now shows the Group Policy utility that enables you to set the policies needed. In the left panel, click Local Computer Policy → Administrative Templates → System → User Profiles. In the right panel, set the properties shown here by double-clicking on each item as shown: -
Do not check for user ownership of Roaming Profile Folders = Enabled
Delete cached copies of roaming profiles = Enabled
+
Do not check for user ownership of Roaming Profile Folders = Enabled
Delete cached copies of roaming profiles = Enabled
Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies made of this system to deploy the new standard desktop system. -
Uploading Printer Drivers to Samba Servers
- +
Uploading Printer Drivers to Samba Servers
+ Users want to be able to use network printers. You have a vested interest in making it easy for them to print. You have chosen to install the printer drivers onto the Samba servers and to enable point-and-click (drag-and-drop) printing. This process results in Samba being able to automatically provide the Windows client with the driver necessary to print to the printer chosen. The following procedure must be followed for every network printer: -
Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers
+
Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers
Join your Windows XP Professional workstation (the staging machine) to the MEGANET2 domain. If you are not sure of the procedure, follow the guidance given in “A Collection of Useful Tidbits”, “Joining a Domain: Windows 200x/XP Professional”. -
+
After the machine has rebooted, log onto the workstation as the domain root (this is the Administrator account for the operating system that is the host platform for this implementation of Samba. -
+
Launch MS Windows Explorer. Navigate in the left panel. Click My Network Places → Entire Network → Microsoft Windows Network → Meganet2 → Massive. Click on Massive Printers and Faxes. -
+
Identify a printer that is shown in the right panel. Let us assume the printer is called ps01-color. Right-click on the ps01-color icon and select the Properties entry. This opens a dialog box that indicates - that “The printer driver is not installed on this computer. Some printer properties + that “The printer driver is not installed on this computer. Some printer properties will not be accessible unless you install the printer driver. Do you want to install the - driver now?” It is important at this point you answer No. -
+ driver now?” It is important at this point you answer No. +
The printer properties panel for the ps01-color printer on the server MASSIVE is displayed. Click the Advanced tab. Note that the box labeled Driver is empty. Click the New Driver - button that is next to the Driver box. This launches the “Add Printer Wizard”. -
- - - The “Add Printer Driver Wizard on MASSIVE” panel + button that is next to the Driver box. This launches the “Add Printer Wizard”. +
+ + + The “Add Printer Driver Wizard on MASSIVE” panel is now presented. Click Next to continue. From the left panel, select the printer manufacturer. In your case, you are adding a driver for a printer manufactured by Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click Next, and then Finish to commence driver upload. A progress bar appears and instructs you as each file is being uploaded and that it is being directed at the network server \\massive\ps01-color. -
- - - - - - +
+ + + + + + The driver upload completes in anywhere from a few seconds to a few minutes. When it completes, you are returned to the Advanced tab in the Properties panel. You can set the Location (under the General tab) and Security settings (under the Security tab). Under the Sharing tab it is possible to - load additional printer drivers; there is also a check-box in this tab called “List in the - directory”. When this box is checked, the printer will be published in Active Directory + load additional printer drivers; there is also a check-box in this tab called “List in the + directory”. When this box is checked, the printer will be published in Active Directory (Applicable to Active Directory use only.) -
- +
+ Click OK. It will take a minute or so to upload the settings to the server. You are now returned to the Printers and Faxes on Massive monitor. Right-click on the printer, click Properties → Device Settings. Now change the settings to suit your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if you need to reverse the changes back to their original settings. -
+
This is necessary so that the printer settings are initialized in the Samba printers database. Click Apply to commit your settings. Revert any settings you changed just to initialize the Samba printers database entry for this printer. If you need to revert a setting, click Apply again. -
- +
+ Verify that all printer settings are at the desired configuration. When you are satisfied that they are, click the General tab. Now click the Print Test Page button. A test page should print. Verify that it has printed correctly. Then click OK in the panel that is newly presented. Click OK on the ps01-color on massive Properties panel. -
+
You must repeat this process for all network printers (i.e., for every printer on each server). When you have finished uploading drivers to all printers, close all applications. The next task is to install software your users require to do their work. -
Software Installation
+
Software Installation
Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer. Notebooks require special handling that is beyond the scope of this chapter. @@ -2678,7 +2678,7 @@ When you believe that the overall configuration is complete, be sure to create a shared group profile and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in case a user may have specific needs you had not anticipated. -
Roll-out Image Creation
+
Roll-out Image Creation
The final steps before preparing the distribution Norton Ghost image file you might follow are:
Unjoin the domain Each workstation requires a unique name and must be independently @@ -2687,7 +2687,7 @@ Defragment the hard disk While not obvious to the uninitiated, defragmentation results in better performance and often significantly reduces the size of the compressed disk image. That also means it will take less time to deploy the image onto 500 workstations. -
Key Points Learned
+
Key Points Learned
This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately avoided any consideration of security. Security does not just happen; you must design it into your total network. Security begins with a systems design and implementation that anticipates hostile behavior from @@ -2696,8 +2696,8 @@ practices, you must not deploy the design presented in this book in an environment where there is risk of compromise.
- - + + As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be configured to use secure protocols for all communications over the network. Of course, secure networking does not result just from systems design and implementation but involves constant user education @@ -2708,53 +2708,53 @@ as well as security considerations.
The substance of this chapter that has been deserving of particular attention includes: -
+
Implementation of an OpenLDAP-based passwd backend, necessary to support distributed domain control. -
+
Implementation of Samba primary and secondary domain controllers with a common LDAP backend for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and pam_ldap tool-sets. -
+
Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as to manage Samba Windows user and group accounts. -
+
The basics of implementation of Group Policy controls for Windows network clients. -
+
Control over roaming profiles, with particular focus on folder redirection to network drives. -
+
Use of the CUPS printing system together with Samba-based printer driver auto-download. -
Questions and Answers
+
Questions and Answers
Well, here we are at the end of this chapter and we have only ten questions to help you to remember so much. There are bound to be some sticky issues here. -
+
Why did you not cover secure practices? Isn't it rather irresponsible to instruct network administrators to implement insecure solutions? -
+
You have focused much on SUSE Linux and little on the market leader, Red Hat. Do you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant to the Linux I might be using? -
+
You did not use SWAT to configure Samba. Is there something wrong with it? -
+
You have exposed a well-used password not24get. Is that not irresponsible? -
+
The Idealx smbldap-tools create many domain group accounts that are not used. Is that a good thing? -
+
Can I use LDAP just for Samba accounts and not for UNIX system accounts? -
+
Why are the Windows domain RID portions not the same as the UNIX UID? -
+
Printer configuration examples all show printing to the HP port 9100. Does this mean that I must have HP printers for these solutions to work? -
+
Is folder redirection dangerous? I've heard that you can lose your data that way. -
+
Is it really necessary to set a local Group Policy to exclude the redirected folders from the roaming profile? -
+
Why did you not cover secure practices? Isn't it rather irresponsible to instruct network administrators to implement insecure solutions?
@@ -2773,7 +2773,7 @@ This book makes little mention of backup techniques. Does that mean that I am recommending that you should implement a network without provision for data recovery and for disaster management? Back to our focus: The deployment of Samba has been clearly demonstrated. -
+
You have focused much on SUSE Linux and little on the market leader, Red Hat. Do you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant to the Linux I might be using? @@ -2800,7 +2800,7 @@ of open source software. I favor neither and respect both. I like particular features of both products (companies also). No bias in presentation is intended. Oh, before I forget, I particularly like Debian Linux; that is my favorite playground. -
+
You did not use SWAT to configure Samba. Is there something wrong with it?
That is a good question. As it is, the smb.conf file configurations are presented @@ -2811,14 +2811,14 @@ There are people in the Linux and open source community who feel that SWAT is dangerous and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I hope to have brought their interests on board. SWAT is well covered is TOSHARG2. -
+
You have exposed a well-used password not24get. Is that not irresponsible?
Well, I had to use a password of some sort. At least this one has been consistently used throughout. I guess you can figure out that in a real deployment it would make sense to use a more secure and original password. -
+
The Idealx smbldap-tools create many domain group accounts that are not used. Is that a good thing?
@@ -2826,7 +2826,7 @@ Let's give Idealx some credit for the contribution they have made. I appreciate their work and, besides, it does no harm to create accounts that are not now used at some time Samba may well use them. -
+
Can I use LDAP just for Samba accounts and not for UNIX system accounts?
Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX) @@ -2834,7 +2834,7 @@ the system password account, how do you plan to keep all domain controller system password files in sync? I think that having everything in LDAP makes a lot of sense for the UNIX administrator who is still learning the craft and is migrating from MS Windows. -
+
Why are the Windows domain RID portions not the same as the UNIX UID?
Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs. @@ -2843,7 +2843,7 @@ assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does permit you to override that to some extent. See the smb.conf man page entry for algorithmic rid base. -
+
Printer configuration examples all show printing to the HP port 9100. Does this mean that I must have HP printers for these solutions to work?
@@ -2853,7 +2853,7 @@ inkjet printer. Use the appropriate device URI (Universal Resource Interface) argument to the lpadmin -v option that is right for your printer. -
+
Is folder redirection dangerous? I've heard that you can lose your data that way.
The only loss of data I know of that involved folder redirection was caused by @@ -2863,13 +2863,13 @@ he declined to move the data because he thought it was still in the local profile folder. That was not the case, so by declining to move the data back, he wiped out the data. You cannot hold the tool responsible for that. Caveat emptor still applies. -
+
Is it really necessary to set a local Group Policy to exclude the redirected folders from the roaming profile?
Yes. If you do not do this, the data will still be copied from the network folder (share) to the local cached copy of the profile. -

^[11] +

^[11] There is an alternate method by which a default user profile can be added to the NETLOGON share. This facility in the Windows System tool permits profiles to be exported. The export target may be a particular user or Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/AccountingNetwork.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/AccountingNetwork.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/acct2net.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/acct2net.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP-Ok.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP-Ok.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/ch7-dual-additive-LDAP.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/ch7-fail-overLDAP.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/ch7-fail-overLDAP.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/ch7-singleLDAP.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/ch7-singleLDAP.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/ch8-migration.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/ch8-migration.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/chap4-net.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/chap4-net.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/chap5-net.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/chap5-net.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/chap6-net.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/chap6-net.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/chap7-idresol.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/chap7-idresol.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/chap9-ADSDC.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/chap9-ADSDC.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/chap9-SambaDC.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/chap9-SambaDC.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/Charity-Network.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/Charity-Network.png sind verschieden. Dateien samba-3.3.10//docs/htmldocs/Samba3-ByExample/images/UNIX-Samba-and-LDAP.png und samba-3.3.11//docs/htmldocs/Samba3-ByExample/images/UNIX-Samba-and-LDAP.png sind verschieden. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/index.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/index.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/index.html 2010-01-14 11:24:52.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/index.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,47 +1,47 @@ -Samba-3 by Example
Samba-3 by Example
Next
Samba-3 by Example
Practical Exercises in Successful Samba Deployment
John H. Terpstra
Samba Team
<jht@samba.org>
July, 2006
Table of Contents
About the Cover Artwork
Acknowledgments
Foreword
By John M. Weathersby, Executive Director, OSSI
Preface
Why Is This Book Necessary?
Samba 3.0.20 Update Edition
Prerequisites
Approach
Summary of Topics
Conventions Used
I. Example Network Configurations
1. No-Frills Samba Servers
Introduction
Assignment Tasks
Drafting Office
Charity Administration Office
Accounting Office
Questions and Answers
2. Small Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Validation
Notebook Computers: A Special Case
Key Points Learned
Questions and Answers
3. Secure Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Basic System Configuration
Samba Configuration
Configuration of DHCP and DNS Servers
Printer Configuration
Process Startup Configuration
Validation
Application Share Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
4. The 500-User Office
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server-Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
5. Making Happy Users
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Checklist
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning User Rights and Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
6. A Distributed 2000-User Network
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Key Points Learned
Questions and Answers
II. Domain Members, Updating Samba and Migration
7. Adding Domain Member Servers and Clients
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Samba Domain with Samba Domain Member Server Using NSS LDAP
NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
NT4/Samba Domain with Samba Domain Member Server without NSS Support
Active Directory Domain with Samba Domain Member Server
UNIX/Linux Client Domain Member
Key Points Learned
Questions and Answers
8. Updating Samba-3
Introduction
Cautions and Notes
Upgrading from Samba 1.x and 2.x to Samba-3
Samba 1.9.x and 2.x Versions Without LDAP
Applicable to All Samba 2.x to Samba-3 Upgrades
Samba-2.x with LDAP Support
Updating a Samba-3 Installation
Samba-3 to Samba-3 Updates on the Same Server
Migrating Samba-3 to a New Server
Migration of Samba Accounts to Active Directory
9. Migrating NT4 Domain to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
NT4 Migration Using LDAP Backend
NT4 Migration Using tdbsam Backend
Key Points Learned
Questions and Answers
10. Migrating NetWare Server to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
NetWare Migration Using LDAP Backend
III. Reference Section
11. Active Directory, Kerberos, and Security
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
Share Access Controls
Share Definition Controls
Share Point Directory and File Permissions
Managing Windows 200x ACLs
Key Points Learned
Questions and Answers
12. Integrating Additional Services
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Removal of Pre-Existing Conflicting RPMs
Key Points Learned
Questions and Answers
13. Performance, Reliability, and Availability
Introduction
Dissection and Discussion
Guidelines for Reliable Samba Operation
Name Resolution
Samba Configuration
Use and Location of BDCs
Use One Consistent Version of MS Windows Client
For Scalability, Use SAN-Based Storage on Samba Servers
Distribute Network Load with MSDFS
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
Hardware Problems
Large Directories
Key Points Learned
14. Samba Support
Free Support
Commercial Support
15. A Collection of Useful Tidbits
Joining a Domain: Windows 200x/XP Professional
Samba System File Location
Starting Samba
DNS Configuration Files
The Forward Zone File for the Loopback Adaptor
The Reverse Zone File for the Loopback Adaptor
DNS Root Server Hint File
Alternative LDAP Database Initialization
Initialization of the LDAP Database
The LDAP Account Manager
IDEALX Management Console
Effect of Setting File and Directory SUID/SGID Permissions Explained
Shared Data Integrity
Microsoft Access
Act! Database Sharing
Opportunistic Locking Controls
16. Networking Primer
Requirements and Notes
Introduction
Assignment Tasks
Exercises
Single-Machine Broadcast Activity
Second Machine Startup Broadcast Interaction
Simple Windows Client Connection Characteristics
Windows 200x/XP Client Interaction with Samba-3
Conclusions to Exercises
Dissection and Discussion
Technical Issues
Questions and Answers
A. - GNU General Public License version 3 -
A. +Samba-3 by Example
Samba-3 by Example
Next
Samba-3 by Example
Practical Exercises in Successful Samba Deployment
John H. Samba Team Terpstra
Samba Team
<jht@samba.org>
July, 2006
Table of Contents
About the Cover Artwork
Acknowledgments
Foreword
By John M. Weathersby, Executive Director, OSSI
Preface
Why Is This Book Necessary?
Samba 3.0.20 Update Edition
Prerequisites
Approach
Summary of Topics
Conventions Used
I. Example Network Configurations
1. No-Frills Samba Servers
Introduction
Assignment Tasks
Drafting Office
Charity Administration Office
Accounting Office
Questions and Answers
2. Small Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Validation
Notebook Computers: A Special Case
Key Points Learned
Questions and Answers
3. Secure Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Basic System Configuration
Samba Configuration
Configuration of DHCP and DNS Servers
Printer Configuration
Process Startup Configuration
Validation
Application Share Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
4. The 500-User Office
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server-Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
5. Making Happy Users
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Checklist
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning User Rights and Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
6. A Distributed 2000-User Network
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Key Points Learned
Questions and Answers
II. Domain Members, Updating Samba and Migration
7. Adding Domain Member Servers and Clients
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Samba Domain with Samba Domain Member Server Using NSS LDAP
NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
NT4/Samba Domain with Samba Domain Member Server without NSS Support
Active Directory Domain with Samba Domain Member Server
UNIX/Linux Client Domain Member
Key Points Learned
Questions and Answers
8. Updating Samba-3
Introduction
Cautions and Notes
Upgrading from Samba 1.x and 2.x to Samba-3
Samba 1.9.x and 2.x Versions Without LDAP
Applicable to All Samba 2.x to Samba-3 Upgrades
Samba-2.x with LDAP Support
Updating a Samba-3 Installation
Samba-3 to Samba-3 Updates on the Same Server
Migrating Samba-3 to a New Server
Migration of Samba Accounts to Active Directory
9. Migrating NT4 Domain to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
NT4 Migration Using LDAP Backend
NT4 Migration Using tdbsam Backend
Key Points Learned
Questions and Answers
10. Migrating NetWare Server to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
NetWare Migration Using LDAP Backend
III. Reference Section
11. Active Directory, Kerberos, and Security
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
Share Access Controls
Share Definition Controls
Share Point Directory and File Permissions
Managing Windows 200x ACLs
Key Points Learned
Questions and Answers
12. Integrating Additional Services
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Removal of Pre-Existing Conflicting RPMs
Key Points Learned
Questions and Answers
13. Performance, Reliability, and Availability
Introduction
Dissection and Discussion
Guidelines for Reliable Samba Operation
Name Resolution
Samba Configuration
Use and Location of BDCs
Use One Consistent Version of MS Windows Client
For Scalability, Use SAN-Based Storage on Samba Servers
Distribute Network Load with MSDFS
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
Hardware Problems
Large Directories
Key Points Learned
14. Samba Support
Free Support
Commercial Support
15. A Collection of Useful Tidbits
Joining a Domain: Windows 200x/XP Professional
Samba System File Location
Starting Samba
DNS Configuration Files
The Forward Zone File for the Loopback Adaptor
The Reverse Zone File for the Loopback Adaptor
DNS Root Server Hint File
Alternative LDAP Database Initialization
Initialization of the LDAP Database
The LDAP Account Manager
IDEALX Management Console
Effect of Setting File and Directory SUID/SGID Permissions Explained
Shared Data Integrity
Microsoft Access
Act! Database Sharing
Opportunistic Locking Controls
16. Networking Primer
Requirements and Notes
Introduction
Assignment Tasks
Exercises
Single-Machine Broadcast Activity
Second Machine Startup Broadcast Interaction
Simple Windows Client Connection Characteristics
Windows 200x/XP Client Interaction with Samba-3
Conclusions to Exercises
Dissection and Discussion
Technical Issues
Questions and Answers
A. + GNU General Public License version 3 +
A. Preamble -
A. +
A. TERMS AND CONDITIONS -
A. +
A. 0. Definitions. -
A. +
A. 1. Source Code. -
A. +
A. 2. Basic Permissions. -
A. +
A. 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. -
A. +
A. 4. Conveying Verbatim Copies. -
A. +
A. 5. Conveying Modified Source Versions. -
A. +
A. 6. Conveying Non-Source Forms. -
A. +
A. 7. Additional Terms. -
A. +
A. 8. Termination. -
A. +
A. 9. Acceptance Not Required for Having Copies. -
A. +
A. 10. Automatic Licensing of Downstream Recipients. -
A. +
A. 11. Patents. -
A. +
A. 12. No Surrender of Others’ Freedom. -
A. +
A. 13. Use with the ???TITLE??? Affero General Public License. -
A. +
A. 14. Revised Versions of this License. -
A. +
A. 15. Disclaimer of Warranty. -
A. +
A. 16. Limitation of Liability. -
A. +
A. 17. Interpretation of Sections 15 and 16. -
A. +
A. END OF TERMS AND CONDITIONS -
A. +
A. How to Apply These Terms to Your New Programs -
Glossary
Index
List of Figures
1.1. Charity Administration Office Network
1.2. Accounting Office Network Topology
2.1. Abmas Accounting 52-User Network Topology
3.1. Abmas Network Topology 130 Users
4.1. Network Topology 500 User Network Using tdbsam passdb backend.
5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts
5.2. Network Topology 500 User Network Using ldapsam passdb backend
5.3. Windows XP Professional User Shared Folders
6.1. Samba and Authentication Backend Search Pathways
6.2. Samba Configuration to Use a Single LDAP Server
6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server
6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!
6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.
6.6. Network Topology 2000 User Complex Design A
6.7. Network Topology 2000 User Complex Design B
7.1. Open Magazine Samba Survey
7.2. Samba Domain: Samba Member Server
7.3. Active Directory Domain: Samba Member Server
9.1. Schematic Explaining the net rpc vampire Process
9.2. View of Accounts in NT4 Domain User Manager
15.1. The General Panel.
15.2. The Computer Name Panel.
15.3. The Computer Name Changes Panel
15.4. The Computer Name Changes Panel Domain MIDEARTH
15.5. Computer Name Changes User name and Password Panel
15.6. The LDAP Account Manager Login Screen
15.7. The LDAP Account Manager Configuration Screen
15.8. The LDAP Account Manager User Edit Screen
15.9. The LDAP Account Manager Group Edit Screen
15.10. The LDAP Account Manager Group Membership Edit Screen
15.11. The LDAP Account Manager Host Edit Screen
15.12. The IMC Samba User Account Screen
16.1. Windows Me Broadcasts The First 10 Minutes
16.2. Windows Me Later Broadcast Sample
16.3. Typical Windows 9x/Me Host Announcement
16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request
16.5. Typical Windows 9x/Me User SessionSetUp AndX Request
16.6. Typical Windows XP NULL Session Setup AndX Request
16.7. Typical Windows XP User Session Setup AndX Request
List of Tables
1. Samba Changes 3.0.2 to 3.0.20
1.1. Accounting Office Network Information
3.1. Abmas.US ISP Information
3.2. DNS (named) Resource Files
4.1. Domain: MEGANET, File Locations for Servers
5.1. Current Privilege Capabilities
5.2. Required OpenLDAP Linux Packages
5.3. Abmas Network Users and Groups
5.4. Default Profile Redirections
9.1. Samba smb.conf Scripts Essential to Samba Operation
13.1. Effect of Common Problems
16.1. Windows Me Startup Broadcast Capture Statistics
16.2. Second Machine (Windows 98) Capture Statistics
List of Examples
1.1. Drafting Office smb.conf File
1.2. Charity Administration Office smb.conf New-style File
1.3. Charity Administration Office smb.conf Old-style File
1.4. Windows Me Registry Edit File: Disable Password Caching
1.5. Accounting Office Network smb.conf Old Style Configuration File
2.1. Script to Map Windows NT Groups to UNIX Groups
2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf
2.3. Accounting Office Network smb.conf File [globals] Section
2.4. Accounting Office Network smb.conf File Services and Shares Section
3.1. Estimation of Memory Requirements
3.2. Estimation of Disk Storage Requirements
3.3. NAT Firewall Configuration Script
3.4. 130 User Network with tdbsam [globals] Section
3.5. 130 User Network with tdbsam Services Section Part A
3.6. 130 User Network with tdbsam Services Section Part B
3.7. Script to Map Windows NT Groups to UNIX Groups
3.8. DHCP Server Configuration File /etc/dhcpd.conf
3.9. DNS Master Configuration File /etc/named.conf Master Section
3.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section
3.11. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section
3.12. DNS 192.168.1 Reverse Zone File
3.13. DNS 192.168.2 Reverse Zone File
3.14. DNS Abmas.biz Forward Zone File
3.15. DNS Abmas.us Forward Zone File
4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf
4.3. Common Samba Configuration File: /etc/samba/common.conf
4.4. Server: BLDG1 (Member), File: smb.conf
4.5. Server: BLDG2 (Member), File: smb.conf
4.6. Common Domain Member Include File: dom-mem.conf
4.7. Server: MASSIVE, File: dhcpd.conf
4.8. Server: BLDG1, File: dhcpd.conf
4.9. Server: BLDG2, File: dhcpd.conf
4.10. Server: MASSIVE, File: named.conf, Part: A
4.11. Server: MASSIVE, File: named.conf, Part: B
4.12. Server: MASSIVE, File: named.conf, Part: C
4.13. Forward Zone File: abmas.biz.hosts
4.14. Forward Zone File: abmas.biz.hosts
4.15. Servers: BLDG1/BLDG2, File: named.conf, Part: A
4.16. Servers: BLDG1/BLDG2, File: named.conf, Part: B
4.17. Initialize Groups Script, File: /etc/samba/initGrps.sh
5.1. LDAP DB_CONFIG File
5.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A
5.3. LDAP Master Configuration File /etc/openldap/slapd.conf Part B
5.4. Configuration File for NSS LDAP Support /etc/ldap.conf
5.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf
5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
5.8. LDAP Based smb.conf File, Server: BLDG1
5.9. LDAP Based smb.conf File, Server: BLDG2
5.10. LDAP Based smb.conf File, Shares Section Part A
5.11. LDAP Based smb.conf File, Shares Section Part B
5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
6.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf
6.2. LDAP Slave Configuration File /etc/openldap/slapd.conf
6.3. Primary Domain Controller smb.conf File Part A
6.4. Primary Domain Controller smb.conf File Part B
6.5. Primary Domain Controller smb.conf File Part C
6.6. Backup Domain Controller smb.conf File Part A
6.7. Backup Domain Controller smb.conf File Part B
7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File
7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
7.3. Configuration File for NSS LDAP Support /etc/ldap.conf
7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf
7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain
7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain
7.7. Samba Domain Member smb.conf File for Active Directory Membership
7.8. Example smb.conf File Using idmap_rid
7.9. Typical ADS Style Domain smb.conf File
7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File
7.11. SUSE: PAM login Module Using Winbind
7.12. SUSE: PAM xdm Module Using Winbind
7.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind
9.1. NT4 Migration Samba-3 Server smb.conf Part: A
9.2. NT4 Migration Samba-3 Server smb.conf Part: B
9.3. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A
9.4. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part B
9.5. NT4 Migration NSS LDAP File: /etc/ldap.conf
9.6. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:1)
9.7. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:2)
10.1. A Rough Tool to Create an LDIF File from the System Account Files
10.2. NSS LDAP Control File /etc/ldap.conf
10.3. The PAM Control File /etc/security/pam_unix2.conf
10.4. Samba Configuration File smb.conf Part A
10.5. Samba Configuration File smb.conf Part B
10.6. Samba Configuration File smb.conf Part C
10.7. Samba Configuration File smb.conf Part D
10.8. Samba Configuration File smb.conf Part E
10.9. Rsync Script
10.10. Rsync Files Exclusion List /root/excludes.txt
10.11. Idealx smbldap-tools Control File Part A
10.12. Idealx smbldap-tools Control File Part B
10.13. Idealx smbldap-tools Control File Part C
10.14. Idealx smbldap-tools Control File Part D
10.15. Kixtart Control File File: logon.kix
10.16. Kixtart Control File File: main.kix
10.17. Kixtart Control File File: setup.kix, Part A
10.18. Kixtart Control File File: setup.kix, Part B
10.19. Kixtart Control File File: acct.kix
12.1. Kerberos Configuration File: /etc/krb5.conf
12.2. Samba Configuration File: /etc/samba/smb.conf
12.3. NSS Configuration File Extract File: /etc/nsswitch.conf
12.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]
12.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]
15.1. A Useful Samba Control Script for SUSE Linux
15.2. A Sample Samba Control Script for Red Hat Linux
15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone
15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone
15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint
15.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A
15.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B
15.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C
15.9. LDIF Pattern File Used to Pre-configure LDAP Part A
15.10. LDIF Pattern File Used to Pre-configure LDAP Part B
15.11. Example LAM Configuration File config.cfg
15.12. LAM Profile Control File lam.conf
Next
About the Cover Artwork
+
Glossary
Index
List of Figures
1.1. Charity Administration Office Network
1.2. Accounting Office Network Topology
2.1. Abmas Accounting 52-User Network Topology
3.1. Abmas Network Topology 130 Users
4.1. Network Topology 500 User Network Using tdbsam passdb backend.
5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts
5.2. Network Topology 500 User Network Using ldapsam passdb backend
5.3. Windows XP Professional User Shared Folders
6.1. Samba and Authentication Backend Search Pathways
6.2. Samba Configuration to Use a Single LDAP Server
6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server
6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!
6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.
6.6. Network Topology 2000 User Complex Design A
6.7. Network Topology 2000 User Complex Design B
7.1. Open Magazine Samba Survey
7.2. Samba Domain: Samba Member Server
7.3. Active Directory Domain: Samba Member Server
9.1. Schematic Explaining the net rpc vampire Process
9.2. View of Accounts in NT4 Domain User Manager
15.1. The General Panel.
15.2. The Computer Name Panel.
15.3. The Computer Name Changes Panel
15.4. The Computer Name Changes Panel Domain MIDEARTH
15.5. Computer Name Changes User name and Password Panel
15.6. The LDAP Account Manager Login Screen
15.7. The LDAP Account Manager Configuration Screen
15.8. The LDAP Account Manager User Edit Screen
15.9. The LDAP Account Manager Group Edit Screen
15.10. The LDAP Account Manager Group Membership Edit Screen
15.11. The LDAP Account Manager Host Edit Screen
15.12. The IMC Samba User Account Screen
16.1. Windows Me Broadcasts The First 10 Minutes
16.2. Windows Me Later Broadcast Sample
16.3. Typical Windows 9x/Me Host Announcement
16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request
16.5. Typical Windows 9x/Me User SessionSetUp AndX Request
16.6. Typical Windows XP NULL Session Setup AndX Request
16.7. Typical Windows XP User Session Setup AndX Request
List of Tables
1. Samba Changes 3.0.2 to 3.0.20
1.1. Accounting Office Network Information
3.1. Abmas.US ISP Information
3.2. DNS (named) Resource Files
4.1. Domain: MEGANET, File Locations for Servers
5.1. Current Privilege Capabilities
5.2. Required OpenLDAP Linux Packages
5.3. Abmas Network Users and Groups
5.4. Default Profile Redirections
9.1. Samba smb.conf Scripts Essential to Samba Operation
13.1. Effect of Common Problems
16.1. Windows Me Startup Broadcast Capture Statistics
16.2. Second Machine (Windows 98) Capture Statistics
List of Examples
1.1. Drafting Office smb.conf File
1.2. Charity Administration Office smb.conf New-style File
1.3. Charity Administration Office smb.conf Old-style File
1.4. Windows Me Registry Edit File: Disable Password Caching
1.5. Accounting Office Network smb.conf Old Style Configuration File
2.1. Script to Map Windows NT Groups to UNIX Groups
2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf
2.3. Accounting Office Network smb.conf File [globals] Section
2.4. Accounting Office Network smb.conf File Services and Shares Section
3.1. Estimation of Memory Requirements
3.2. Estimation of Disk Storage Requirements
3.3. NAT Firewall Configuration Script
3.4. 130 User Network with tdbsam [globals] Section
3.5. 130 User Network with tdbsam Services Section Part A
3.6. 130 User Network with tdbsam Services Section Part B
3.7. Script to Map Windows NT Groups to UNIX Groups
3.8. DHCP Server Configuration File /etc/dhcpd.conf
3.9. DNS Master Configuration File /etc/named.conf Master Section
3.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section
3.11. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section
3.12. DNS 192.168.1 Reverse Zone File
3.13. DNS 192.168.2 Reverse Zone File
3.14. DNS Abmas.biz Forward Zone File
3.15. DNS Abmas.us Forward Zone File
4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf
4.3. Common Samba Configuration File: /etc/samba/common.conf
4.4. Server: BLDG1 (Member), File: smb.conf
4.5. Server: BLDG2 (Member), File: smb.conf
4.6. Common Domain Member Include File: dom-mem.conf
4.7. Server: MASSIVE, File: dhcpd.conf
4.8. Server: BLDG1, File: dhcpd.conf
4.9. Server: BLDG2, File: dhcpd.conf
4.10. Server: MASSIVE, File: named.conf, Part: A
4.11. Server: MASSIVE, File: named.conf, Part: B
4.12. Server: MASSIVE, File: named.conf, Part: C
4.13. Forward Zone File: abmas.biz.hosts
4.14. Forward Zone File: abmas.biz.hosts
4.15. Servers: BLDG1/BLDG2, File: named.conf, Part: A
4.16. Servers: BLDG1/BLDG2, File: named.conf, Part: B
4.17. Initialize Groups Script, File: /etc/samba/initGrps.sh
5.1. LDAP DB_CONFIG File
5.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A
5.3. LDAP Master Configuration File /etc/openldap/slapd.conf Part B
5.4. Configuration File for NSS LDAP Support /etc/ldap.conf
5.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf
5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
5.8. LDAP Based smb.conf File, Server: BLDG1
5.9. LDAP Based smb.conf File, Server: BLDG2
5.10. LDAP Based smb.conf File, Shares Section Part A
5.11. LDAP Based smb.conf File, Shares Section Part B
5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
6.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf
6.2. LDAP Slave Configuration File /etc/openldap/slapd.conf
6.3. Primary Domain Controller smb.conf File Part A
6.4. Primary Domain Controller smb.conf File Part B
6.5. Primary Domain Controller smb.conf File Part C
6.6. Backup Domain Controller smb.conf File Part A
6.7. Backup Domain Controller smb.conf File Part B
7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File
7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
7.3. Configuration File for NSS LDAP Support /etc/ldap.conf
7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf
7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain
7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain
7.7. Samba Domain Member smb.conf File for Active Directory Membership
7.8. Example smb.conf File Using idmap_rid
7.9. Typical ADS Style Domain smb.conf File
7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File
7.11. SUSE: PAM login Module Using Winbind
7.12. SUSE: PAM xdm Module Using Winbind
7.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind
9.1. NT4 Migration Samba-3 Server smb.conf Part: A
9.2. NT4 Migration Samba-3 Server smb.conf Part: B
9.3. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A
9.4. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part B
9.5. NT4 Migration NSS LDAP File: /etc/ldap.conf
9.6. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:1)
9.7. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:2)
10.1. A Rough Tool to Create an LDIF File from the System Account Files
10.2. NSS LDAP Control File /etc/ldap.conf
10.3. The PAM Control File /etc/security/pam_unix2.conf
10.4. Samba Configuration File smb.conf Part A
10.5. Samba Configuration File smb.conf Part B
10.6. Samba Configuration File smb.conf Part C
10.7. Samba Configuration File smb.conf Part D
10.8. Samba Configuration File smb.conf Part E
10.9. Rsync Script
10.10. Rsync Files Exclusion List /root/excludes.txt
10.11. Idealx smbldap-tools Control File Part A
10.12. Idealx smbldap-tools Control File Part B
10.13. Idealx smbldap-tools Control File Part C
10.14. Idealx smbldap-tools Control File Part D
10.15. Kixtart Control File File: logon.kix
10.16. Kixtart Control File File: main.kix
10.17. Kixtart Control File File: setup.kix, Part A
10.18. Kixtart Control File File: setup.kix, Part B
10.19. Kixtart Control File File: acct.kix
12.1. Kerberos Configuration File: /etc/krb5.conf
12.2. Samba Configuration File: /etc/samba/smb.conf
12.3. NSS Configuration File Extract File: /etc/nsswitch.conf
12.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]
12.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]
15.1. A Useful Samba Control Script for SUSE Linux
15.2. A Sample Samba Control Script for Red Hat Linux
15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone
15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone
15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint
15.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A
15.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B
15.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C
15.9. LDIF Pattern File Used to Pre-configure LDAP Part A
15.10. LDIF Pattern File Used to Pre-configure LDAP Part B
15.11. Example LAM Configuration File config.cfg
15.12. LAM Profile Control File lam.conf
Next
About the Cover Artwork
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/ix01.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/ix01.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/ix01.html 2010-01-14 11:24:52.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/ix01.html 2010-02-22 16:53:36.000000000 +0100 @@ -1 +1 @@ -Index
Index
Prev
Index
Symbols
%LOGONSERVER%, Configuration of Default Profile with Folder Redirection
%USERNAME%, Roaming Profile Background, Profile Changes
%USERPROFILE%, Configuration of Default Profile with Folder Redirection
/data/ldap, OpenLDAP Server Configuration
/etc/cups/mime.convs, Implementation, Implementation
/etc/cups/mime.types, Implementation, Implementation
/etc/dhcpd.conf, Implementation, Validation, Configuration of DHCP and DNS Servers, Validation
/etc/exports, Samba-3 PDC Configuration
/etc/group, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Replacing a Domain Member Server, Questions and Answers, Removal of Pre-Existing Conflicting RPMs
/etc/hosts, Implementation, Implementation, Basic System Configuration, Validation, Server Preparation: All Servers, Questions and Answers, Kerberos Configuration, Bad Hostnames
/etc/krb5.conf, IDMAP Storage in LDAP using Winbind, Kerberos Configuration
/etc/ldap.conf, PAM and NSS Client Configuration, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend, LDAP Server Configuration
/etc/mime.convs, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
/etc/mime.types, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
/etc/named.conf, Configuration of DHCP and DNS Servers
/etc/nsswitch.conf, Implementation, Configuration of DHCP and DNS Servers, Validation, Configuration for Server: MASSIVE, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, PAM and NSS Client Configuration, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, NT4 Migration Using LDAP Backend
/etc/openldap/slapd.conf, Debugging LDAP, OpenLDAP Server Configuration, Implementation
/etc/passwd, Implementation, Samba Configuration, Configuration for Server: MASSIVE, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Replacing a Domain Member Server, Technical Issues, Questions and Answers, Technical Issues, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
/etc/rc.d/boot.local, Basic System Configuration, Configuration for Server: MASSIVE
/etc/rc.d/rc.local, Implementation
/etc/resolv.conf, Configuration of DHCP and DNS Servers, Server Preparation: All Servers
/etc/samba, Samba System File Location
/etc/samba/secrets.tdb, Active Directory Domain with Samba Domain Member Server
/etc/samba/smbusers, Server Preparation: All Servers
/etc/shadow, Replacing a Domain Member Server, Technical Issues
/etc/squid/squid.conf, Removal of Pre-Existing Conflicting RPMs
/etc/syslog.conf, Debugging LDAP
/etc/xinetd.d, Process Startup Configuration, Process Startup Configuration
/lib/libnss_ldap.so.2, PAM and NSS Client Configuration
/opt/IDEALX/sbin, NT4 Migration Using LDAP Backend
/proc/sys/net/ipv4/ip_forward, Implementation, Basic System Configuration
/usr/bin, Samba System File Location
/usr/lib/samba, Samba System File Location
/usr/local, Samba System File Location
/usr/local/samba, Samba System File Location
/usr/local/samba/var/locks, Samba 1.9.x and 2.x Versions Without LDAP
/usr/sbin, Samba System File Location
/usr/share, Samba System File Location
/usr/share/samba/swat, Samba System File Location
/usr/share/swat, Samba System File Location
/var/cache/samba, Samba 1.9.x and 2.x Versions Without LDAP
/var/lib/samba, Samba 1.9.x and 2.x Versions Without LDAP, Samba System File Location
/var/log/ldaplogs, Debugging LDAP
/var/log/samba, Samba System File Location
8-bit, International Language Support
, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Application Share Configuration, Implementation, Addition of Machines to the Domain, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Location of config files, NT4 Migration Using LDAP Backend, LDAP Server Configuration, NSS Configuration
Domain account, Technical Issues
liability, Dissection and Discussion
logon, Implementation
problem, Dissection and Discussion
transparent inter-operability, Questions and Answers
A
abmas-netfw.sh, Basic System Configuration
accept, Printer Configuration
accepts liability, Dissection and Discussion
access, Technical Issues, Checkpoint Controls
access control, Kerberos Exposed, Using the MMC Computer Management Interface
Access Control Lists (see ACLs)
access control settings, Share Access Controls
access controls, Technical Issues, Share Definition Controls
accessible, Share Point Directory and File Permissions
account, Regarding LDAP Directories and Windows Computer Accounts, Share Access Controls
ADS Domain, Technical Issues
account credentials, Findings and Comments
account information, Questions and Answers
account names, Questions and Answers
account policies, The LDAP Account Manager
accountable, Introduction, Dissection and Discussion
accounts
authoritative, Technical Issues
Domain, Introduction, Questions and Answers
group, Introduction, Questions and Answers, Introduction
machine, Introduction, Questions and Answers
manage, The LDAP Account Manager
user, Introduction, Questions and Answers, Introduction
ACL, Security Identifiers (SIDs), Checkpoint Controls
ACLs, Key Points Learned, Share Access Controls, Share Definition Controls
acquisitions, Introduction
Act!, Shared Data Integrity
ACT! database, Act! Database Sharing
Act!Diag, Act! Database Sharing
Active Directory, Dissection and Discussion, The Local Group Policy, Dissection and Discussion, Assignment Tasks, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, Questions and Answers, Introduction, Key Points Learned, Questions and Answers, Integrating Additional Services, Assignment Tasks, Technical Issues, Samba Configuration, Joining a Domain: Windows 200x/XP Professional
authentication, Squid Configuration
domain, Samba Configuration
join, Active Directory Domain with Samba Domain Member Server
management tools, Technical Issues
realm, Bad Hostnames
Replacement, Technical Issues
server, Active Directory Domain with Samba Domain Member Server, Kerberos Configuration
Server, Technical Issues
tree, Samba Configuration
active directory, Technical Issues
AD printer publishing, Uploading Printer Drivers to Samba Servers
ADAM, Dissection and Discussion, IDMAP Storage in LDAP using Winbind
add group script, Applicable to All Samba 2.x to Samba-3 Upgrades
add machine script, Applicable to All Samba 2.x to Samba-3 Upgrades
Add Printer Wizard
APW, Uploading Printer Drivers to Samba Servers
add user script, Applicable to All Samba 2.x to Samba-3 Upgrades
add user to group script, Applicable to All Samba 2.x to Samba-3 Upgrades
adduser, Implementation, Samba Configuration, Configuration for Server: MASSIVE
adequate precautions, Introduction
administrative installation, Application Share Configuration
administrative rights, Checkpoint Controls
administrator, Implementation, Samba Configuration, Server Preparation: All Servers
ADMT, Migration of Samba Accounts to Active Directory
ADS, IDMAP Storage in LDAP using Winbind, Technical Issues, Kerberos Configuration, Bad Hostnames
server, Technical Issues
ADS Domain, Technical Issues
affordability, The Nature of Windows Networking Protocols
alarm, Introduction
algorithm, Technical Issues
allow trusted domains, IDMAP_RID with Winbind
alternative, Dissection and Discussion
analysis, Technical Issues
anonymous connection, Validation, Validation
Apache Web server, Questions and Answers
appliance mode, Technical Issues
application server, Technical Issues, Application Share Configuration
application servers, The Nature of Windows Networking Protocols
application/octet-stream, Implementation, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
APW, Uploading Printer Drivers to Samba Servers
arp, Validation
assessment, Introduction
assistance, Free Support
assumptions, Key Points Learned
authconfig, PAM and NSS Client Configuration
authenticate, LDAP Server Configuration, Samba Configuration
authenticated, Assignment Tasks
authenticated connection, Validation, Validation
authentication, The Nature of Windows Networking Protocols, Questions and Answers, Dissection and Discussion, Integrating Additional Services, Technical Issues, NSS Configuration, Questions and Answers
plain-text, Questions and Answers
authentication process, Implementation
authentication protocols, Key Points Learned
authoritative, Technical Issues
authorized location, Kerberos Exposed
auto-generated SID, Questions and Answers
automatically allocate, Technical Issues
availability, Performance, Reliability, and Availability
B
backends, Integrating Additional Services
background communication, Questions and Answers
Backup, Introduction
Backup Domain Controller (see BDC)
bandwidth, Assignment Tasks
requirements, User Needs
bandwidth calculations, Hardware Requirements
BDC, Technical Issues, Making Happy Users, Assignment Tasks, Dissection and Discussion, Samba Server Implementation, Samba-3 PDC Configuration, The Nature of Windows Networking Protocols, Key Points Learned, Technical Issues, Questions and Answers, Security Identifiers (SIDs), NT4 Migration Using tdbsam Backend, Use and Location of BDCs
benefit, Questions and Answers, Dissection and Discussion
best practices, Introduction
bias, Questions and Answers
binary database, Implementation
binary files, Updating a Samba-3 Installation
binary package, Updating a Samba-3 Installation
bind interfaces only, Implementation
broadcast, Routed Networks, Questions and Answers
directed, The Nature of Windows Networking Protocols
mailslot, The Nature of Windows Networking Protocols
broadcast messages, Implementation
broadcast storms, Network Collisions
broken, Dissection and Discussion
broken behavior, Dissection and Discussion
browse, Technical Issues
browse master, Findings
Browse Master, Questions and Answers
browse.dat, Replacing a Domain Member Server
Browser Election Service, Questions and Answers
browsing, Technical Issues, Technical Issues, Assignment Tasks
budgetted, Introduction
bug fixes, Introduction
bug report, Free Support
C
cache, Opportunistic Locking Controls
cache directories, Removal of Pre-Existing Conflicting RPMs
caching, Samba Configuration
case-sensitive, Kerberos Configuration
centralized storage, Questions and Answers
character set, International Language Support
check samba daemons, Validation, Validation
check-point, Share Definition Controls
check-point controls, Checkpoint Controls
Checkpoint Controls, Checkpoint Controls
chgrp, Samba Configuration
chkconfig, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration, Implementation
chmod, Samba Configuration
choice, Dissection and Discussion, Technical Issues
chown, Removal of Pre-Existing Conflicting RPMs
CIFS, Security Identifiers (SIDs), Findings
cifsfs, Dissection and Discussion
clean database, Questions and Answers
clients per DC, Making Happy Users
Clock skew, Kerberos Configuration
cluster, Introduction
clustering, Introduction, For Scalability, Use SAN-Based Storage on Samba Servers
code maintainer, Free Support
codepage, International Language Support
collision rates, Network Collisions
commercial, Dissection and Discussion
commercial software, Dissection and Discussion
commercial support, Samba Support, Commercial Support
Common Internet File System (see CIFS)
comparison
Active Directory & OpenLDAP, Dissection and Discussion
compat, Samba Domain with Samba Domain Member Server Using NSS LDAP
compatible, Technical Issues
compile-time, Location of config files
complexities, Dissection and Discussion
compromise, Introduction, Introduction, Technical Issues
computer account, Samba Configuration
Computer Management, Share Access Controls, Questions and Answers
computer name, Security Identifiers (SIDs)
condemns, Technical Issues
conferences, Technical Issues
configuration files, Introduction
configure.pl, NT4 Migration Using LDAP Backend
connection, Share Access Controls
connectivity, Questions and Answers
consequential risk, Technical Issues
consultant, Drafting Office, Introduction, Dissection and Discussion
consumer, Dissection and Discussion, Technical Issues
consumer expects, Samba Support
contiguous directory, Implementation
contributions, Updating Samba-3
control files, Updating a Samba-3 Installation
convmv, International Language Support
copy, Questions and Answers
corrective action, Hardware Problems
cost, Dissection and Discussion
cost-benefit, Assignment Tasks
country of origin, Commercial Support
Courier-IMAP, LDAP Server Configuration
credential, Share Definition Controls
credentials, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Technical Issues
crippled, Dissection and Discussion
criticism, Active Directory, Kerberos, and Security, Introduction
Critics, Technical Issues
Cryptographic, Technical Issues
CUPS, Dissection and Discussion, Technical Issues, Implementation, Key Points Learned, Implementation, Printer Configuration, Server Preparation: All Servers, Assignment Tasks, Installation of Printer Driver Auto-Download, Printer Configuration
queue, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
cupsd, Basic System Configuration
customer expected, Samba Support
customers, Samba Support
D
daemon, Validation, Basic System Configuration, Security Identifiers (SIDs), Technical Issues, Questions and Answers, Starting Samba
daemon control, Process Startup Configuration
data
corruption, Making Happy Users
integrity, Questions and Answers
data corruption, Hardware Problems, Act! Database Sharing
data integrity, Hardware Problems, Shared Data Integrity
data storage, Implementation
database, Dissection and Discussion, Questions and Answers, Dissection and Discussion
database applications, Shared Data Integrity
DB_CONFIG, OpenLDAP Server Configuration
DCE, Kerberos Exposed
DDNS (see dynamic DNS)
Debian, Migrating NetWare Server to Samba-3
default installation, Samba System File Location
default password, The LDAP Account Manager
default profile, Assignment Tasks, Technical Issues
Default User, Profile Changes, Configuration of Default Profile with Folder Redirection
defective
cables, Hardware Problems
HUBs, Hardware Problems
switches, Hardware Problems
defects, Technical Issues
defensible standards, Technical Issues
defragmentation, Windows Client Configuration
delete group script, Applicable to All Samba 2.x to Samba-3 Upgrades
delete user from group script, Applicable to All Samba 2.x to Samba-3 Upgrades
delimiter, Checkpoint Controls
dependability, Technical Issues
deployment, Free Support
desired security setting, Setting Posix ACLs in UNIX/Linux
development, Technical Issues
DHCP, Technical Issues, Implementation, Key Points Learned, Windows Client Configuration, Windows Client Configuration, The Nature of Windows Networking Protocols, Questions and Answers
client, Bad Hostnames
relay, Technical Issues
Relay Agent, Questions and Answers
request, Questions and Answers
requests, Technical Issues
servers, Questions and Answers
traffic, Questions and Answers
dhcp client validation, Validation, Validation
DHCP Server, Implementation
DHCP server, Technical Issues
diagnostic, IDMAP Storage in LDAP using Winbind
diffusion, Technical Issues
digital rights, Technical Issues
digital sign'n'seal, Technical Issues
digits, Bad Hostnames
diligence, Technical Issues
directory, Dissection and Discussion, Political Issues, Location of config files
Computers container, LDAP Initialization and Creation of User and Group Accounts
management, Dissection and Discussion
People container, LDAP Initialization and Creation of User and Group Accounts
replication, Dissection and Discussion
schema, Dissection and Discussion
server, Technical Issues
synchronization, Dissection and Discussion
directory tree, Setting Posix ACLs in UNIX/Linux
disable, Introduction
disaster recovery, Introduction
disk image, Assignment Tasks
disruptive, Dissection and Discussion
distributed, Identity Management Needs, Implementation, Questions and Answers, Distribute Network Load with MSDFS
distributed domain, Identity Management Needs
DMB, Questions and Answers
DMS, Security Identifiers (SIDs), Replacing a Domain Member Server
DNS, Technical Issues, Implementation, Technical Issues, The Nature of Windows Networking Protocols, LDAP Server Configuration, Bad Hostnames, Routed Networks, Joining a Domain: Windows 200x/XP Professional
configuration, Questions and Answers
Dynamic, Questions and Answers
dynamic, Joining a Domain: Windows 200x/XP Professional
lookup, Questions and Answers, Kerberos Configuration
name lookup, Bad Hostnames
SRV records, Kerberos Configuration
suffix, Joining a Domain: Windows 200x/XP Professional
DNS server, Implementation, Configuration of DHCP and DNS Servers
document the settings, Samba Configuration
documentation, Dissection and Discussion, Technical Issues
documented, Samba Configuration
Domain, Technical Issues
groups, Technical Issues
domain
Active Directory, Technical Issues
controller, Replacing a Domain Controller
joining, A Collection of Useful Tidbits
trusted, Questions and Answers
Domain accounts, Technical Issues
Domain Administrator, Share Access Controls
Domain Controller, Key Points Learned, The Nature of Windows Networking Protocols, Technical Issues, Implementation, Use and Location of BDCs
closest, The Nature of Windows Networking Protocols
domain controller, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades
domain controllers, Technical Issues
Domain Controllers, Questions and Answers
Domain Groups
well-known, Initialization of the LDAP Database
Domain join, Samba Domain with Samba Domain Member Server Using NSS LDAP
domain master, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend
Domain Master Browser (see DMB)
Domain Member, Use and Location of BDCs
authoritative
local accounts, Technical Issues
client, Implementation
desktop, Introduction
server, Introduction, Technical Issues, Implementation, Active Directory Domain with Samba Domain Member Server
servers, Questions and Answers, Checkpoint Controls
workstations, Implementation
domain member
servers, Technical Issues
Domain Member server, Technical Issues, Questions and Answers
Domain Member servers, Questions and Answers
domain members, Questions and Answers
domain name space, Identity Management Needs
domain replication, Questions and Answers
domain SID, Security Identifiers (SIDs)
Domain SID, Technical Issues, Questions and Answers
domain tree, Identity Management Needs
Domain User Manager, Configuring Profile Directories
Domain users, Technical Issues
DOS, Security Identifiers (SIDs)
dos2unix, Samba Configuration, Configuration for Server: MASSIVE
down-grade, Introduction
drive letters, LDAP Server Configuration
drive mapping, Technical Issues
dumb printing, Installation of Printer Driver Auto-Download
dump, Technical Issues, Questions and Answers
duplicate accounts, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
dynamic DNS, Technical Issues
E
e-Directory, Dissection and Discussion
Easy Software Products, Installation of Printer Driver Auto-Download
economically sustainable, Dissection and Discussion
eDirectory, Dissection and Discussion
education, Identity Management Needs
election, Findings
employment, Introduction, Dissection and Discussion
enable, Printer Configuration
encrypted, Findings and Comments
encrypted password, Windows 200x/XP Client Interaction with Samba-3
encrypted passwords, Questions and Answers
End User License Agreement (see EULA)
enumerating, Samba Configuration
essential, Introduction
ethereal, Exercises
Ethernet switch, Technical Issues
ethernet switch, Making Happy Users
EULA, Dissection and Discussion
Everyone, Share Access Controls
Excel, Share Point Directory and File Permissions
exclusive open, Microsoft Access
experiment, Active Directory, Kerberos, and Security
export, Technical Issues
extent, Dissection and Discussion
External Domains, Technical Issues
extreme demand, Guidelines for Reliable Samba Operation
F
fail, The Nature of Windows Networking Protocols
fail-over, Identity Management Needs, Implementation
failed, Samba Domain with Samba Domain Member Server Using NSS LDAP
failed join, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
failure, Samba Configuration
familiar, Technical Issues
fatal problem, Samba Configuration
fear, Technical Issues
fears, Technical Issues
Fedora, Drafting Office
FHS, Samba System File Location
file and print server, Questions and Answers
file and print service, Dissection and Discussion
file caching, Samba Configuration, Opportunistic Locking Controls
File Hierarchy System (see FHS)
file locations, Samba System File Location
file permissions, The LDAP Account Manager
file server
read-only, Dissection and Discussion
file servers, Samba Server Implementation
file system, Technical Issues
access control, Samba Configuration
Ext3, Implementation
permissions, Samba Configuration, Configuration for Server: MASSIVE
file system security, Questions and Answers
filter, Share Access Controls
financial responsibility, Introduction
firewall, Technical Issues, Basic System Configuration, Introduction
fix, Dissection and Discussion
flaws, Introduction
flexibility, Technical Issues
flush
cache memory, Opportunistic Locking Controls
folder redirection, Technical Issues, Configuration of Default Profile with Folder Redirection, Questions and Answers
force group, Override Controls, Questions and Answers
force user, Dissection and Discussion, Override Controls, Questions and Answers
forced settings, Override Controls
foreign, Samba Domain with Samba Domain Member Server Using NSS LDAP
foreign SID, Samba Domain with Samba Domain Member Server Using NSS LDAP
forwarded, Routed Networks
foundation members, Technical Issues
Free Standards Group (see FSG)
free support, Samba Support, Free Support
front-end, Dissection and Discussion
server, Distribute Network Load with MSDFS
frustration, Introduction
FSG, Samba System File Location
FTP
proxy, Questions and Answers
full control, Share Access Controls, Using MS Windows Explorer (File Manager)
fully qualified, Checkpoint Controls
functional differences, Cautions and Notes
G
generation, Cautions and Notes
Gentoo, Migrating NetWare Server to Samba-3
getent, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
getfacl, Setting Posix ACLs in UNIX/Linux
getgrnam, Technical Issues
getpwnam, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP
getpwnam(), Questions and Answers
GID, Implementation, Questions and Answers, Questions and Answers
Goettingen, Questions and Answers
government, Identity Management Needs
GPL, Comments Regarding Software Terms of Use
group account, Implementation, OpenLDAP Server Configuration
group management, Implementation
group mapping, LDAP Server Configuration
group membership, Implementation, Samba Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
group names, Questions and Answers
group policies, Introduction
Group Policy, Joining a Domain: Windows 200x/XP Professional
Group Policy editor, The Local Group Policy
Group Policy Objects, The Local Group Policy
groupadd, Implementation, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
groupdel, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
groupmem, NT4 Migration Using LDAP Backend
groupmod, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
GSS-API, Windows 200x/XP Client Interaction with Samba-3
guest account, Findings and Comments, Dissection and Discussion, Technical Issues, Questions and Answers
H
hackers, Introduction
hardware prices, Hardware Problems
hardware problems, Hardware Problems
Heimdal, Implementation, Kerberos Configuration
Heimdal Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
Heimdal kerberos, IDMAP Storage in LDAP using Winbind
help, Free Support
helper agent, Removal of Pre-Existing Conflicting RPMs
hesiod, Samba Domain with Samba Domain Member Server Using NSS LDAP
hierarchy of control, Share Definition Controls
high availability, Dissection and Discussion
hire, Dissection and Discussion
HKEY_CURRENT_USER, Roaming Profile Background
HKEY_LOCAL_MACHINE, Configuration of Default Profile with Folder Redirection
HKEY_LOCAL_USER, Questions and Answers
host announcement, Assignment Tasks, Findings
hostname, Basic System Configuration, Security Identifiers (SIDs)
hosts, Questions and Answers
HUB, Making Happy Users
Hybrid, Questions and Answers
hypothetical, Introduction
I
Idealx, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
smbldap-tools, Install and Configure Idealx smbldap-tools Scripts, LDAP Initialization and Creation of User and Group Accounts
identifiers, Technical Issues
identity, Questions and Answers, Kerberos Exposed
management, Technical Issues
identity management, Technical Issues, Dissection and Discussion, Political Issues, Dissection and Discussion
Identity Management, Dissection and Discussion, The Nature of Windows Networking Protocols, Identity Management Needs
Identity management, UNIX/Linux Client Domain Member
Identity resolution, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, UNIX/Linux Client Domain Member, Questions and Answers
Identity resolver, Questions and Answers
IDMAP, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP_RID with Winbind
idmap backend, Technical Issues
IDMAP backend, Questions and Answers
idmap gid, IDMAP_RID with Winbind
idmap uid, IDMAP_RID with Winbind
idmap_rid, IDMAP_RID with Winbind
IMAP, Technical Issues
import, Technical Issues
income, Dissection and Discussion
independent expert, Introduction
inetd, Process Startup Configuration
inetOrgPerson, Technical Issues
inheritance, Setting Posix ACLs in UNIX/Linux
initGrps.sh, Implementation, Samba Configuration, Configuration for Server: MASSIVE
initial credentials, Kerberos Configuration
inoperative, Dissection and Discussion
install, Updating Samba-3
installation, Dissection and Discussion
integrate, Technical Issues
integrity, Introduction, Kerberos Exposed
inter-domain, Applicable to All Samba 2.x to Samba-3 Upgrades
inter-operability, Dissection and Discussion, Technical Issues, Key Points Learned, Questions and Answers
interactive help, Free Support
interdomain trusts, Identity Management Needs
interfaces, Implementation
intermittent, Hardware Problems
internationalization, International Language Support
Internet Explorer, Technical Issues
Internet Information Server, Questions and Answers
interoperability, Dissection and Discussion
IP forwarding, Implementation, Basic System Configuration, Configuration for Server: MASSIVE
IPC$, Findings and Comments
iptables, Technical Issues
IRC, Free Support
isolated, Introduction
Italian, Questions and Answers
J
jobs, Introduction
joining a domain, Joining a Domain: Windows 200x/XP Professional
K
KDC, Kerberos Configuration
Kerberos, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Introduction, Technical Issues, Key Points Learned, Technical Issues, Implementation, Kerberos Configuration
Heimdal, Active Directory Domain with Samba Domain Member Server
interoperability, Kerberos Exposed
libraries, Active Directory Domain with Samba Domain Member Server
MIT, Active Directory Domain with Samba Domain Member Server
unspecified fields, Kerberos Exposed
kerberos, Kerberos Exposed
server, Kerberos Exposed
Kerberos ticket, Samba Configuration
kinit, Kerberos Configuration
Kixtart, LDAP Server Configuration
klist, Kerberos Configuration
krb5, Implementation
krb5.conf, Kerberos Configuration
L
LAM, The LDAP Account Manager
configuration editor, The LDAP Account Manager
configuration file, The LDAP Account Manager
login screen, The LDAP Account Manager
opening screen, The LDAP Account Manager
profile, The LDAP Account Manager
wizard, The LDAP Account Manager
large domain, IDMAP_RID with Winbind
LDAP, Technical Issues, Assignment Tasks, Dissection and Discussion, Technical Issues, Preliminary Advice: Dangers Can Be Avoided, PAM and NSS Client Configuration, Introduction, Dissection and Discussion, Identity Management Needs, Implementation, Key Points Learned, Questions and Answers, Technical Issues, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Assignment Tasks, Technical Issues, Questions and Answers, Dissection and Discussion, LDAP Server Configuration, Technical Issues
backend, Identity Management Needs
database, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Alternative LDAP Database Initialization
directory, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs
fail-over, Implementation
initial configuration, Alternative LDAP Database Initialization
master, Identity Management Needs
master/slave
background communication, Questions and Answers
preload, Implementation
schema, Updating from Samba Versions between 3.0.6 and 3.0.10
secure, Technical Issues
server, Questions and Answers
slave, Identity Management Needs
updates, Identity Management Needs
ldap, Samba Domain with Samba Domain Member Server Using NSS LDAP
LDAP Account Manager (see LAM)
LDAP backend, Technical Issues
LDAP database, Questions and Answers
LDAP Interchange Format (see LDIF)
LDAP server, Identity Management Needs
LDAP-transfer-LDIF.txt, Implementation
ldap.conf, Samba Domain with Samba Domain Member Server Using NSS LDAP
ldapadd, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP
ldapsam, LDAP Initialization and Creation of User and Group Accounts, Dissection and Discussion, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, Integrating Additional Services
ldapsam backend, Samba Domain with Samba Domain Member Server Using NSS LDAP
ldapsearch, LDAP Initialization and Creation of User and Group Accounts
LDIF, Technical Issues, Implementation, Technical Issues, LDAP Server Configuration, Initialization of the LDAP Database
leadership, Technical Issues
Lightweight Directory Access Protocol (see LDAP)
limit, Questions and Answers
Linux desktop, Introduction
Linux Standards Base (see LSB)
LMB, Findings, Questions and Answers
LMHOSTS, Routed Networks
load distribution, For Scalability, Use SAN-Based Storage on Samba Servers
local accounts, Technical Issues
Local Group Policy, Roaming Profile Background
Local Master Announcement, Findings
Local Master Browser (see LMB)
localhost, Basic System Configuration, Bad Hostnames
lock directory, Samba 1.9.x and 2.x Versions Without LDAP
locking
Application level, Shared Data Integrity
Client side, Shared Data Integrity
Server side, Shared Data Integrity
logging, Removal of Pre-Existing Conflicting RPMs
login, Technical Issues
loglevel, Debugging LDAP
logon credentials, Questions and Answers
logon hours, Technical Issues, Key Points Learned
logon machines, Technical Issues
logon path, Implementation
logon process, Implementation
logon scrip, Samba Configuration
logon script, Implementation, Technical Issues, Preparation of Logon Scripts, Technical Issues
logon server, The Nature of Windows Networking Protocols
logon services, Implementation
logon time, Assignment Tasks
logon traffic, The Nature of Windows Networking Protocols
logon.kix, LDAP Server Configuration
loopback, Validation
low performance, Hardware Problems
lower-case, Implementation
lpadmin, Implementation, Implementation, Implementation, Printer Configuration, Printer Configuration
LSB, Samba System File Location
M
machine, Security Identifiers (SIDs)
machine account, Regarding LDAP Directories and Windows Computer Accounts
machine accounts, Questions and Answers
machine secret password, Technical Issues
MACHINE.SID, Security Identifiers (SIDs)
mailing list, Free Support
mailing lists, Free Support
managed, Technical Issues
management, Political Issues, Questions and Answers
group, Technical Issues
User, Technical Issues
mandatory profile, Technical Issues, Configuring Profile Directories
Mandrake, Migrating NetWare Server to Samba-3
mapped drives, Questions and Answers
mapping, Technical Issues, Kerberos Configuration
consistent, Samba Domain with Samba Domain Member Server Using NSS LDAP
Mars_NWE, Migrating NetWare Server to Samba-3
master, Dissection and Discussion
material, A Collection of Useful Tidbits
memberUID, LDAP Server Configuration
memory requirements, Hardware Requirements
merge, Technical Issues, Questions and Answers
merged, Technical Issues
meta-directory, Questions and Answers
meta-service, Questions and Answers
Microsoft Access, Shared Data Integrity
Microsoft Excel, Shared Data Integrity
Microsoft ISA, Assignment Tasks
Microsoft Management Console (see MMC)
Microsoft Office, Application Share Configuration, Share Point Directory and File Permissions
Microsoft Outlook
PST files, Questions and Answers
migrate, Updating Samba-3, Technical Issues
migration, Implementation, Implementation, Assignment Tasks, Introduction, Questions and Answers, Migrating NetWare Server to Samba-3
objectives, Dissection and Discussion
Migration speed, Questions and Answers
mime type, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
mime types, Implementation
missing RPC's, Technical Issues
MIT, Implementation, Kerberos Configuration
MIT Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
MIT kerberos, IDMAP Storage in LDAP using Winbind
MIT KRB5, Samba Configuration
mixed mode, Active Directory Domain with Samba Domain Member Server
mixed-mode, Questions and Answers
MMC, Configure Delete Cached Profiles on Logout, Technical Issues, Questions and Answers
mobile computing, Dissection and Discussion
mobility, Technical Issues
modularization, Technical Issues
modules, Questions and Answers
MS Access
validate, Microsoft Access
MS Outlook, Configuration of MS Outlook to Relocate PST File
PST, Configuration of MS Outlook to Relocate PST File
PST file, Making Happy Users
MS Windows Server 2003, Implementation
MS Word, Share Point Directory and File Permissions
MSDFS, Distribute Network Load with MSDFS
multi-subnet, Routed Networks
multi-user
access, Microsoft Access
data access, Shared Data Integrity
multiple directories, Identity Management Needs
multiple domain controllers, Making Happy Users
multiple group mappings, Questions and Answers
mutual assistance, Free Support
My Documents, Roaming Profile Background
My Network Places, Implementation
mysqlsam, Implementation
N
name resolution, Configuration of DHCP and DNS Servers, Questions and Answers, Assignment Tasks
Defective, Active Directory Domain with Samba Domain Member Server
name resolve order, Implementation
name service switch, Implementation (see NSS)
named, Basic System Configuration, Validation, Server Preparation: All Servers
NAT, Technical Issues
native, Questions and Answers
net
ads
info, Active Directory Domain with Samba Domain Member Server
join, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Samba Configuration
status, Active Directory Domain with Samba Domain Member Server
getlocalsid, Samba-3 PDC Configuration, Security Identifiers (SIDs)
group, NT4 Migration Using tdbsam Backend
groupmap
add, Samba Configuration
list, Samba Configuration, LDAP Initialization and Creation of User and Group Accounts
modify, Samba Configuration
rpc
info, Security Identifiers (SIDs)
join, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, Questions and Answers, NT4 Migration Using tdbsam Backend
vampire, Updating Samba-3, NT4 Migration Using tdbsam Backend
setlocalsid, Security Identifiers (SIDs)
NetBIOS, The Nature of Windows Networking Protocols, Questions and Answers, Bad Hostnames, Routed Networks, Questions and Answers
name cache, Questions and Answers
name resolution
delays, Making Happy Users
Node Type, Questions and Answers
netbios
machine name, Change of hostname
netbios forwarding, Network Collisions
NetBIOS name, Kerberos Configuration
aliases, Identity Management Needs
netbios name, Security Identifiers (SIDs), Change of hostname, Bad Hostnames
NETLOGON, Using a Network Default User Profile, Windows Client Configuration
netlogon, The Nature of Windows Networking Protocols, LDAP Server Configuration
Netlogon, Joining a Domain: Windows 200x/XP Professional
netmask, Implementation
Netware, Small Office Networking
NetWare, Migrating NetWare Server to Samba-3, LDAP Server Configuration
network
administrators, Technical Issues
analyzer, Assignment Tasks
bandwidth, Identity Management Needs, Questions and Answers
broadcast, Introduction
captures, Requirements and Notes
collisions, Network Collisions
load, Network Collisions
logon, Making Happy Users
logon scripts, Dissection and Discussion
management, Introduction
multi-segment, Introduction
overload, Making Happy Users
performance, Samba Configuration
routed, Dissection and Discussion
secure, Introduction
segment, Dissection and Discussion
services, Questions and Answers
sniffer, Requirements and Notes
timeout, Making Happy Users
timeouts, Network Collisions
trace, Assignment Tasks
traffic
observation, Technical Issues
wide-area, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
Network Address Translation (see NAT)
network administrators, Technical Issues
network attached storage (see NAS)
network bandwidth
utilization, Making Happy Users
Network Default Profile, Roaming Profile Background
network hardware
defective, Making Happy Users
network hygiene, Dissection and Discussion
network Identities, Questions and Answers
network load factors, Dissection and Discussion
Network Neighborhood, Validation, Technical Issues
network segment, Use and Location of BDCs
network segments, Hardware Requirements
network share, Assignment Tasks
networking
client, Security Identifiers (SIDs)
networking hardware
defective, Making Happy Users
networking protocols, Technical Issues
next generation, Technical Issues
NextFreeUnixId, NT4 Migration Using LDAP Backend
NFS server, Samba-3 PDC Configuration
NICs, Hardware Problems
NIS, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Technical Issues, Political Issues, Questions and Answers
nis, Samba Domain with Samba Domain Member Server Using NSS LDAP
NIS schema, Questions and Answers
NIS server, Questions and Answers
NIS+, Identity Management Needs
nisplus, Samba Domain with Samba Domain Member Server Using NSS LDAP
NLM, Migrating NetWare Server to Samba-3
nmap, Validation
nmbd, Validation, Validation, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Starting Samba
nobody, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
Novell, Migrating NetWare Server to Samba-3, Introduction
Novell SUSE SLES 9, NT4 Migration Using LDAP Backend
NSS, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, PAM and NSS Client Configuration, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, UNIX/Linux Client Domain Member, Questions and Answers, LDAP Server Configuration, NSS Configuration (see same service switch)
nss_ldap, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, OpenLDAP Server Configuration, PAM and NSS Client Configuration, LDAP Initialization and Creation of User and Group Accounts, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Replacing a Domain Member Server, NT4 Migration Using LDAP Backend
nt acl support, Dissection and Discussion
NT4 registry, Dissection and Discussion
NTLM, Technical Issues
NTLM authentication daemon, Technical Issues
NTLMSSP, Key Points Learned, Questions and Answers, Windows 200x/XP Client Interaction with Samba-3
NTLMSSP_AUTH, Windows 200x/XP Client Interaction with Samba-3
ntlm_auth, Samba Configuration, Questions and Answers
NTP, Kerberos Configuration
NTUSER.DAT, Roaming Profile Background, Profile Changes, Using a Network Default User Profile, Questions and Answers
NULL connection, Validation
NULL session, Findings and Comments
NULL-Session, Discussion
O
objectClass, LDAP Server Configuration
off-site storage, Introduction
Open Magazine, Adding Domain Member Servers and Clients
Open Source, Dissection and Discussion
OpenLDAP, Dissection and Discussion, Dissection and Discussion, Questions and Answers, Political Issues, Technical Issues, Introduction, Technical Issues, Key Points Learned, The LDAP Account Manager
openldap, OpenLDAP Server Configuration
OpenOffice, Application Share Configuration
operating profiles, The LDAP Account Manager
oplock break, Override Controls
oplocks, Samba Configuration
Oplocks
disabled, Opportunistic Locking Controls
opportunistic
locking, Override Controls
opportunistic locking, Implementation, Samba Configuration, Act! Database Sharing
optimized, Samba Configuration
organizational units, The LDAP Account Manager
OS/2, Security Identifiers (SIDs)
Outlook
PST, Configuration of MS Outlook to Relocate PST File
Outlook Address Book, Configuration of MS Outlook to Relocate PST File
Outlook Express, Political Issues, Configuration of MS Outlook to Relocate PST File
over-ride, Technical Issues
over-ride controls, Override Controls
over-rule, Share Access Controls, Using MS Windows Explorer (File Manager)
overheads, Override Controls
ownership, Share Point Directory and File Permissions
P
package, Implementation
package names, Samba System File Location
packages, Updating a Samba-3 Installation
PADL, Technical Issues, IDMAP Storage in LDAP using Winbind
PADL LDAP tools, Technical Issues
PADL Software, Samba Domain with Samba Domain Member Server Using NSS LDAP
paid-for support, Samba Support
PAM, PAM and NSS Client Configuration, UNIX/Linux Client Domain Member, LDAP Server Configuration
pam_ldap, OpenLDAP Server Configuration
pam_ldap.so, PAM and NSS Client Configuration
pam_unix2.so, PAM and NSS Client Configuration
use_ldap, PAM and NSS Client Configuration
parameters, Applicable to All Samba 2.x to Samba-3 Upgrades
passdb backend, Implementation, The 500-User Office, Dissection and Discussion, Dissection and Discussion, Implementation, Technical Issues, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, Questions and Answers
passdb.tdb, Technical Issues
passwd, Implementation, Implementation, Samba Configuration
password
backend, Implementation, Samba Configuration, Configuration for Server: MASSIVE
password caching, Implementation
password change, Key Points Learned
password length, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
payroll, Introduction
pdbedit, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, NT4 Migration Using tdbsam Backend, Questions and Answers
PDC, Assignment Tasks, Technical Issues, Making Happy Users, Technical Issues, The Local Group Policy, The Nature of Windows Networking Protocols, Technical Issues, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Implementation, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Use and Location of BDCs
PDC/BDC ratio, Making Happy Users
PDF, The LDAP Account Manager
performance, Dissection and Discussion, Questions and Answers, Performance, Reliability, and Availability, Introduction, Network Collisions
performance degradation, Override Controls, Samba Configuration
Perl, LDAP Server Configuration, The LDAP Account Manager
permission, Share Point Directory and File Permissions
permissions, Implementation, Technical Issues, Share Access Controls, Checkpoint Controls, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs
excessive, Technical Issues
group, Share Point Directory and File Permissions
user, Share Point Directory and File Permissions
Permissions, Using the MMC Computer Management Interface
permits, Technical Issues
permitted group, Using the MMC Computer Management Interface
PHP, The LDAP Account Manager
PHP4, The LDAP Account Manager
pile-driver, Share Definition Controls
ping, Validation
pitfalls, The LDAP Account Manager
plain-text, Questions and Answers
Pluggable Authentication Modules (see PAM)
policy, Questions and Answers, Introduction
poor performance, Dissection and Discussion
POP3, Technical Issues
Posix, Dissection and Discussion, Technical Issues, Questions and Answers, Implementation, Questions and Answers, The LDAP Account Manager
POSIX, Regarding LDAP Directories and Windows Computer Accounts, LDAP Server Configuration
Posix accounts, LDAP Initialization and Creation of User and Group Accounts, Technical Issues
Posix ACLs, Managing Windows 200x ACLs
PosixAccount, LDAP Initialization and Creation of User and Group Accounts
posixAccount, LDAP Server Configuration
Postfix, LDAP Server Configuration
Postscript, Installation of Printer Driver Auto-Download
powers, Share Definition Controls
practices, Introduction
precaution, Introduction
presence and leadership, Technical Issues
price paid, Dissection and Discussion
primary group, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
principals, Kerberos Exposed
print filter, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
print queue, Charity Administration Office, Dissection and Discussion
print spooler, Charity Administration Office
Print Test Page, Uploading Printer Drivers to Samba Servers
printcap name, Implementation
printer validation, Validation, Validation
printers
Advanced, Uploading Printer Drivers to Samba Servers
Default Settings, Uploading Printer Drivers to Samba Servers
General, Uploading Printer Drivers to Samba Servers
Properties, Uploading Printer Drivers to Samba Servers
Security, Uploading Printer Drivers to Samba Servers
Sharing, Uploading Printer Drivers to Samba Servers
printing, Implementation
drag-and-drop, Installation of Printer Driver Auto-Download, Uploading Printer Drivers to Samba Servers
dumb, Installation of Printer Driver Auto-Download
point-n-click, Installation of Printer Driver Auto-Download
raw, Dissection and Discussion
privacy, Identity Management Needs
Privilege Attribute Certificates (see PAC)
privilege controls, Share Point Directory and File Permissions
privileged pipe, Samba Configuration
privileges, Identity Management Needs, Updating from Samba Versions after 3.0.6 to a Current Release, Technical Issues, Share Definition Controls
problem report, Free Support
problem resolution, Samba Support
product defects, Dissection and Discussion
professional support, Free Support
profile
default, Assignment Tasks
mandatory, The Nature of Windows Networking Protocols
roaming, Making Happy Users
profile path, Technical Issues
profile share, Implementation
profiles, Security Identifiers (SIDs)
profiles share, Dissection and Discussion
programmer, Dissection and Discussion
project, Free Support
project maintainers, Technical Issues
Properties, Using the MMC Computer Management Interface
proprietary, Technical Issues
protected, Technical Issues
protection, Technical Issues
protocol
negotiation, The Nature of Windows Networking Protocols
protocol analysis, Requirements and Notes
protocols, Technical Issues
provided services, Samba Support
proxy, Assignment Tasks, Technical Issues
PST file, Configuration of MS Outlook to Relocate PST File
public specifications, Technical Issues
purchase support, Free Support
Q
Qbasic, LDAP Server Configuration
qualified problem, Free Support
R
RAID, Hardware Requirements
RAID controllers, Hardware Problems
Raw Print Through, Installation of Printer Driver Auto-Download
raw printing, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
Rbase, LDAP Server Configuration
rcldap, Implementation
realm, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, Kerberos Configuration
recognize, Technical Issues
record locking, Microsoft Access
recursively, Setting Posix ACLs in UNIX/Linux
Red Hat, Drafting Office, Migrating NetWare Server to Samba-3
Red Hat Fedora Linux, Samba Configuration
Red Hat Linux, Dissection and Discussion, Accounting Office, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Samba Configuration
redirected folders, Roaming Profile Background, The Nature of Windows Networking Protocols
refereed standards, Technical Issues
regedit, Implementation
regedt32, Profile Changes, Configuration of Default Profile with Folder Redirection
registry, Questions and Answers
keys
SAM, Dissection and Discussion
SECURITY, Dissection and Discussion
registry change, Questions and Answers
Registry Editor, Configuration of Default Profile with Folder Redirection
registry hacks, Questions and Answers
registry keys, Configuration of Default Profile with Folder Redirection
reimburse, Dissection and Discussion
rejected, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Access Controls
rejoin, Questions and Answers
reliability, Performance, Reliability, and Availability
remote announce, Routed Networks
remote browse sync, Routed Networks
remote procedure call (see RPC)
replicate, Questions and Answers, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
replicated, Dissection and Discussion
requesting payment, Free Support
resilient, Guidelines for Reliable Samba Operation
resolution, Replacing a Domain Member Server
resolve, Technical Issues, Bad Hostnames
response, IDMAP_RID with Winbind
responsibility, Dissection and Discussion
responsible, Technical Issues
restrict anonymous, Samba Domain with Samba Domain Member Server Using NSS LDAP
restricted export, Kerberos Exposed
Restrictive security, Active Directory Domain with Samba Domain Member Server
reverse DNS, Kerberos Configuration
rfc2307bis, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension
RID, IDMAP_RID with Winbind, LDAP Server Configuration
risk, Technical Issues, Questions and Answers, Questions and Answers, Introduction
road-map, Technical Issues
published, Technical Issues
roaming profile, Technical Issues, Roaming Profile Background, Configuring Profile Directories, User Needs, Questions and Answers
roaming profiles, Technical Issues, Implementation, Roaming Profile Background
routed network, Use and Location of BDCs
router, Implementation
routers, Questions and Answers, Routed Networks
RPC, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
rpc, Security Identifiers (SIDs)
rpcclient, Security Identifiers (SIDs)
RPM, Security Identifiers (SIDs), Samba 1.9.x and 2.x Versions Without LDAP, Dissection and Discussion
install, Implementation
rpm, Removal of Pre-Existing Conflicting RPMs, Samba System File Location
RPMs, Samba Configuration
rpms, Removal of Pre-Existing Conflicting RPMs
rsync, Samba-3 PDC Configuration, Questions and Answers, LDAP Server Configuration, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
rsyncd.conf, LDAP Server Configuration
run-time control files, Samba System File Location
S
safe-guards, Technical Issues
SAM, Dissection and Discussion
samba, Removal of Pre-Existing Conflicting RPMs
starting samba, Implementation
Samba, Samba Configuration
Samba accounts, Technical Issues
samba cluster, Introduction
samba control script, Starting Samba
Samba Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers
Samba Domain server, Using the MMC Computer Management Interface
Samba RPM Packages, Samba-3 PDC Configuration
Samba Tea, Samba Configuration
sambaDomainName, NT4 Migration Using LDAP Backend
sambaGroupMapping, LDAP Server Configuration
SambaSAMAccount, Regarding LDAP Directories and Windows Computer Accounts
SambaSamAccount, LDAP Initialization and Creation of User and Group Accounts
sambaSamAccount, LDAP Server Configuration
SambaXP conference, Questions and Answers
SAN, For Scalability, Use SAN-Based Storage on Samba Servers
SAS, Security Identifiers (SIDs)
scalability, Introduction
scalable, Identity Management Needs
schannel, Technical Issues, Key Points Learned, Questions and Answers
schema, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, Samba-2.x with LDAP Support, Updating from Samba Versions between 3.0.6 and 3.0.10
scripts, The LDAP Account Manager
secondary group, Samba Domain with Samba Domain Member Server Using NSS LDAP
secret, Kerberos Exposed
secrets.tdb, Technical Issues, Samba-3 PDC Configuration, Security Identifiers (SIDs), Location of config files
secure, Introduction
secure account password, Questions and Answers
secure connections, The LDAP Account Manager
secure networking, Technical Issues
secure networking protocols, Technical Issues
security, Technical Issues, Questions and Answers, Security Identifiers (SIDs), Introduction, Technical Issues, Share Point Directory and File Permissions, Questions and Answers
identifier, Security Identifiers (SIDs)
share mode, Dissection and Discussion
user mode, Dissection and Discussion
Security, Technical Issues, Using the MMC Computer Management Interface
Security Account Manager (see SAM)
security controls, Technical Issues
security descriptors, Dissection and Discussion
security fixes, Technical Issues
security updates, Technical Issues
SerNet, Active Directory Domain with Samba Domain Member Server, Samba Configuration
server
domain member, Security Identifiers (SIDs)
stand-alone, Security Identifiers (SIDs)
service, Implementation
smb
start, Configuration Specific to Domain Member Servers: BLDG1, BLDG2
Service Packs, Application Share Configuration
services, Key Points Learned
services provided, Samba Support
session setup, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
Session Setup, Simple Windows Client Connection Characteristics
SessionSetUpAndX, Security Identifiers (SIDs)
set primary group script, Applicable to All Samba 2.x to Samba-3 Upgrades
setfacl, Setting Posix ACLs in UNIX/Linux
severely degrade, Samba Configuration
SFU, IDMAP, Active Directory, and MS Services for UNIX 3.5
SGID, Dissection and Discussion, Share Point Directory and File Permissions, Effect of Setting File and Directory SUID/SGID Permissions Explained
shadow-utils, Questions and Answers
Share Access Controls, Share Access Controls
share ACLs, Questions and Answers
share definition, Technical Issues
Share Definition
Controls, Share Definition Controls
share definition controls, Share Definition Controls, Checkpoint Controls, Share Point Directory and File Permissions, Questions and Answers
share level access controls, Questions and Answers
share level ACL, Questions and Answers
Share Permissions, Share Access Controls
shared resource, Technical Issues, Setting Posix ACLs in UNIX/Linux
shares, Technical Issues
SID, Windows Client Configuration, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs, Technical Issues, IDMAP_RID with Winbind, Security Identifiers (SIDs), Change of Workgroup (Domain) Name, Questions and Answers, Initialization of the LDAP Database
side effects, Managing Windows 200x ACLs
Sign'n'seal, Key Points Learned, Questions and Answers
silent return, Active Directory Domain with Samba Domain Member Server
simple, Dissection and Discussion
Single Sign-On (see SSO)
slapcat, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, LDAP Server Configuration
slapd, Debugging LDAP
slapd.conf, NT4 Migration Using LDAP Backend
slave, Dissection and Discussion
slow logon, Making Happy Users
slow network, Hardware Problems
slurpd, Implementation, Questions and Answers
smart printing, Dissection and Discussion
SMB, Security Identifiers (SIDs)
SMB passwords, Implementation
SMB/CIFS, Questions and Answers
smbclient, Validation, Validation, LDAP Initialization and Creation of User and Group Accounts, Questions and Answers
smbd, Validation, Implementation, Validation, Validation, Samba-3 PDC Configuration, Technical Issues, Active Directory Domain with Samba Domain Member Server, Security Identifiers (SIDs), Location of config files, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
location of files, Samba System File Location
smbfs, Dissection and Discussion
smbldap-groupadd, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
smbldap-groupmod, LDAP Server Configuration
smbldap-passwd, LDAP Initialization and Creation of User and Group Accounts
smbldap-populate, LDAP Initialization and Creation of User and Group Accounts
smbldap-tools, NT4 Migration Using LDAP Backend, LDAP Server Configuration, The LDAP Account Manager
smbldap-tools updating, NT4 Migration Using LDAP Backend
smbldap-useradd, LDAP Initialization and Creation of User and Group Accounts, Implementation
smbldap-usermod, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
smbmnt, Dissection and Discussion
smbmount, Dissection and Discussion
smbpasswd, Implementation, Technical Issues, Implementation, Technical Issues, Samba Configuration, Server Preparation: All Servers, Configuration for Server: MASSIVE, Samba-3 PDC Configuration, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Technical Issues, Questions and Answers, Integrating Additional Services
smbumnt, Dissection and Discussion
smbumount, Dissection and Discussion
SMTP, Technical Issues
snap-shot, Dissection and Discussion
socket address, Samba Configuration
socket options, Samba Configuration
software, Dissection and Discussion
solve, Dissection and Discussion
source code, Dissection and Discussion
SPNEGO, Windows 200x/XP Client Interaction with Samba-3
SQL, Dissection and Discussion, Questions and Answers
Squid, Implementation, Removal of Pre-Existing Conflicting RPMs, Samba Configuration, Squid Configuration
squid, Removal of Pre-Existing Conflicting RPMs, Samba Configuration
Squid proxy, Technical Issues
SRVTOOLS.EXE, Implementation, Configuring Profile Directories, Questions and Answers, Questions and Answers
SSL, The LDAP Account Manager
stand-alone server, Security Identifiers (SIDs)
starting CUPS, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
starting dhcpd, Implementation, Process Startup Configuration, Process Startup Configuration
starting samba, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
nmbd, Starting Samba
smbd, Starting Samba
winbindd, Starting Samba
startingCUPS, Implementation
startup script, Starting Samba
sticky bit, Implementation
storage capacity, Hardware Requirements
strategic, Technical Issues
strategy, Questions and Answers
straw-man, Active Directory, Kerberos, and Security
strict sync, Samba Configuration
stripped, Samba 1.9.x and 2.x Versions Without LDAP
strong cryptography, Kerberos Exposed
subscription, Free Support
SUID, Dissection and Discussion, Questions and Answers, Effect of Setting File and Directory SUID/SGID Permissions Explained
Sun ONE Identity Server, Dissection and Discussion
super daemon, Process Startup Configuration
support, Dissection and Discussion, Samba Support
survey, Adding Domain Member Servers and Clients
SUSE, Migrating NetWare Server to Samba-3
SUSE Enterprise Linux Server, Charity Administration Office, Basic System Configuration, Implementation
SUSE Linux, Dissection and Discussion, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Removal of Pre-Existing Conflicting RPMs
SWAT, Samba System File Location
sync always, Samba Configuration
synchronization, Kerberos Configuration, For Scalability, Use SAN-Based Storage on Samba Servers
synchronize, User Needs, LDAP Server Configuration
synchronized, Questions and Answers
syslog, OpenLDAP Server Configuration
system level logins, Questions and Answers
system security, Technical Issues
T
tattooing, Questions and Answers
TCP/IP, Questions and Answers
tdbdump, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend
tdbsam, Technical Issues, Implementation, The 500-User Office, Assignment Tasks, Dissection and Discussion, Implementation, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Technical Issues, Questions and Answers
testparm, Validation, Validation, Samba-3 PDC Configuration, Active Directory Domain with Samba Domain Member Server, Samba 1.9.x and 2.x Versions Without LDAP, Samba Configuration
ticket, Samba Configuration
time server, Implementation
Tivoli Directory Server, Dissection and Discussion
TLS, LDAP Server Configuration
token, Technical Issues
tool, Questions and Answers, Dissection and Discussion
TOSHARG2, Implementation
track record, Dissection and Discussion
traffic collisions, Making Happy Users
transaction processing, Dissection and Discussion
transactional, Questions and Answers
transfer, Questions and Answers
translate, Managing Windows 200x ACLs
traverse, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
tree, Dissection and Discussion
Tree Connect, Simple Windows Client Connection Characteristics
trust account, Regarding LDAP Directories and Windows Computer Accounts
trusted computing, Introduction
Trusted Domains, Technical Issues
trusted domains, Questions and Answers
trusted third-party, Kerberos Exposed
trusting, Kerberos Exposed
turn-around time, Technical Issues
U
UDP
broadcast, Routed Networks
UID, Dissection and Discussion, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, Implementation, Questions and Answers, Questions and Answers
un-join, Questions and Answers
unauthorized activities, Kerberos Exposed
UNC name, Questions and Answers
unencrypted, The LDAP Account Manager
Unicast, The Nature of Windows Networking Protocols
unicode, International Language Support
Universal Naming Convention (see UNC name)
UNIX, LDAP Server Configuration
groups, Technical Issues, Implementation
UNIX accounts, Technical Issues
UNIX/Linux server, Technical Issues
unix2dos, Samba Configuration, Configuration for Server: MASSIVE
unknown, Technical Issues
unsupported software, Commercial Support
update, Introduction, Cautions and Notes
updates, Introduction, Technical Issues
updating smbldap-tools, NT4 Migration Using LDAP Backend
upgrade, Introduction, Cautions and Notes, LDAP Server Configuration
uppercase, Implementation
user
management, Implementation, Samba Configuration, Configuration for Server: MASSIVE
user account, Making Happy Users, OpenLDAP Server Configuration
User and Group Controls, Technical Issues
user credentials, Identity Management Needs, UNIX/Linux Client Domain Member
user errors, Questions and Answers
user groups, Free Support
user identities, Implementation
user logins, Questions and Answers
user management, Implementation
User Manager, NT4 Migration Using LDAP Backend
User Mode, Implementation, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
useradd, Implementation, Implementation, Implementation, Samba Configuration, Configuration for Server: MASSIVE, Applicable to All Samba 2.x to Samba-3 Upgrades
userdel, Applicable to All Samba 2.x to Samba-3 Upgrades
usermod, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
username, Security Identifiers (SIDs)
username map, Implementation, Samba Configuration, Server Preparation: All Servers
UTF-8, International Language Support
utilities, Questions and Answers
V
valid users, Questions and Answers, Checkpoint Controls, Questions and Answers
validate, Questions and Answers, Checkpoint Controls
validated, Identity Management Needs, Active Directory Domain with Samba Domain Member Server, Introduction
validation, Validation, Validation, Questions and Answers
vampire, Questions and Answers
vendor, Dissection and Discussion
vendors, Updating a Samba-3 Installation
VFS modules, Samba System File Location
virus, Implementation
VPN, Assignment Tasks
vulnerabilities, Introduction
W
wbinfo, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Samba Configuration
weakness, Technical Issues
web
caching, Assignment Tasks
proxying, Assignment Tasks
Web
proxy, Questions and Answers
access, Key Points Learned
Web browsers, Key Points Learned
WebClient, Making Happy Users
WHATSNEW.txt, Samba-2.x with LDAP Support
white-pages, Technical Issues, LDAP Server Configuration
wide-area, User Needs, Identity Management Needs, Key Points Learned, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
wide-area network, Use and Location of BDCs, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
winbind, Implementation, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Introduction, Technical Issues, Technical Issues, Samba Configuration, NSS Configuration
Winbind, Questions and Answers, Technical Issues, Key Points Learned
winbind trusted domains only, Technical Issues, Questions and Answers
winbind use default domain, Checkpoint Controls
winbindd, Validation, Validation, Technical Issues, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Questions and Answers, Samba 1.9.x and 2.x Versions Without LDAP, Updating from Samba Versions after 3.0.6 to a Current Release, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
winbindd_cache.tdb, Technical Issues
winbindd_idmap.tdb, Technical Issues
Windows, LDAP Server Configuration
client, Security Identifiers (SIDs)
NT, Security Identifiers (SIDs)
Windows 2000 ACLs, Managing Windows 200x ACLs
Windows 2003 Serve, Introduction
Windows 200x ACLs, Questions and Answers
Windows accounts, Technical Issues
Windows ACLs, Setting Posix ACLs in UNIX/Linux
Windows Address Book, LDAP Server Configuration
Windows ADS Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
Windows clients, Questions and Answers
Windows Explorer, Validation
Windows explorer, Questions and Answers
Windows security identifier (see SID)
Windows Servers, Introduction
Windows Services for UNIX (see SUS)
Windows XP, Assignment Tasks
WINS, Implementation, Technical Issues, Implementation, Windows Client Configuration, Technical Issues, Windows Client Configuration, The Nature of Windows Networking Protocols, Identity Management Needs, Questions and Answers, Questions and Answers
lookup, Questions and Answers
name resolution, Routed Networks
server, Making Happy Users, Routed Networks
WINS server, The 500-User Office, Questions and Answers
WINS serving, Implementation
wins support, Implementation
wins.dat, Identity Management Needs, Replacing a Domain Member Server
Wireshark, Requirements and Notes
wireshark, Exercises
Word, Share Point Directory and File Permissions
workgroup, Implementation, Security Identifiers (SIDs), Change of Workgroup (Domain) Name
Workgroup Announcement, Findings
workstation, Implementation
wrapper, Questions and Answers
write lock, Opportunistic Locking Controls
X
xinetd, Process Startup Configuration
XML, Dissection and Discussion
xmlsam, Implementation
Y
YaST, PAM and NSS Client Configuration
Yellow Pages, Identity Management Needs
yellow pages (see NIS)
Prev
Glossary Home
+Index
Index
Prev
Index
Symbols
%LOGONSERVER%, Configuration of Default Profile with Folder Redirection
%USERNAME%, Roaming Profile Background, Profile Changes
%USERPROFILE%, Configuration of Default Profile with Folder Redirection
/data/ldap, OpenLDAP Server Configuration
/etc/cups/mime.convs, Implementation, Implementation
/etc/cups/mime.types, Implementation, Implementation
/etc/dhcpd.conf, Implementation, Validation, Configuration of DHCP and DNS Servers, Validation
/etc/exports, Samba-3 PDC Configuration
/etc/group, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Replacing a Domain Member Server, Questions and Answers, Removal of Pre-Existing Conflicting RPMs
/etc/hosts, Implementation, Implementation, Basic System Configuration, Validation, Server Preparation: All Servers, Questions and Answers, Kerberos Configuration, Bad Hostnames
/etc/krb5.conf, IDMAP Storage in LDAP using Winbind, Kerberos Configuration
/etc/ldap.conf, PAM and NSS Client Configuration, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend, LDAP Server Configuration
/etc/mime.convs, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
/etc/mime.types, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
/etc/named.conf, Configuration of DHCP and DNS Servers
/etc/nsswitch.conf, Implementation, Configuration of DHCP and DNS Servers, Validation, Configuration for Server: MASSIVE, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, PAM and NSS Client Configuration, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, NT4 Migration Using LDAP Backend
/etc/openldap/slapd.conf, Debugging LDAP, OpenLDAP Server Configuration, Implementation
/etc/passwd, Implementation, Samba Configuration, Configuration for Server: MASSIVE, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Replacing a Domain Member Server, Technical Issues, Questions and Answers, Technical Issues, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
/etc/rc.d/boot.local, Basic System Configuration, Configuration for Server: MASSIVE
/etc/rc.d/rc.local, Implementation
/etc/resolv.conf, Configuration of DHCP and DNS Servers, Server Preparation: All Servers
/etc/samba, Samba System File Location
/etc/samba/secrets.tdb, Active Directory Domain with Samba Domain Member Server
/etc/samba/smbusers, Server Preparation: All Servers
/etc/shadow, Replacing a Domain Member Server, Technical Issues
/etc/squid/squid.conf, Removal of Pre-Existing Conflicting RPMs
/etc/syslog.conf, Debugging LDAP
/etc/xinetd.d, Process Startup Configuration, Process Startup Configuration
/lib/libnss_ldap.so.2, PAM and NSS Client Configuration
/opt/IDEALX/sbin, NT4 Migration Using LDAP Backend
/proc/sys/net/ipv4/ip_forward, Implementation, Basic System Configuration
/usr/bin, Samba System File Location
/usr/lib/samba, Samba System File Location
/usr/local, Samba System File Location
/usr/local/samba, Samba System File Location
/usr/local/samba/var/locks, Samba 1.9.x and 2.x Versions Without LDAP
/usr/sbin, Samba System File Location
/usr/share, Samba System File Location
/usr/share/samba/swat, Samba System File Location
/usr/share/swat, Samba System File Location
/var/cache/samba, Samba 1.9.x and 2.x Versions Without LDAP
/var/lib/samba, Samba 1.9.x and 2.x Versions Without LDAP, Samba System File Location
/var/log/ldaplogs, Debugging LDAP
/var/log/samba, Samba System File Location
8-bit, International Language Support
, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Application Share Configuration, Implementation, Addition of Machines to the Domain, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Location of config files, NT4 Migration Using LDAP Backend, LDAP Server Configuration, NSS Configuration
Domain account, Technical Issues
liability, Dissection and Discussion
logon, Implementation
problem, Dissection and Discussion
transparent inter-operability, Questions and Answers
A
abmas-netfw.sh, Basic System Configuration
accept, Printer Configuration
accepts liability, Dissection and Discussion
access, Technical Issues, Checkpoint Controls
access control, Kerberos Exposed, Using the MMC Computer Management Interface
Access Control Lists (see ACLs)
access control settings, Share Access Controls
access controls, Technical Issues, Share Definition Controls
accessible, Share Point Directory and File Permissions
account, Regarding LDAP Directories and Windows Computer Accounts, Share Access Controls
ADS Domain, Technical Issues
account credentials, Findings and Comments
account information, Questions and Answers
account names, Questions and Answers
account policies, The LDAP Account Manager
accountable, Introduction, Dissection and Discussion
accounts
authoritative, Technical Issues
Domain, Introduction, Questions and Answers
group, Introduction, Questions and Answers, Introduction
machine, Introduction, Questions and Answers
manage, The LDAP Account Manager
user, Introduction, Questions and Answers, Introduction
ACL, Security Identifiers (SIDs), Checkpoint Controls
ACLs, Key Points Learned, Share Access Controls, Share Definition Controls
acquisitions, Introduction
Act!, Shared Data Integrity
ACT! database, Act! Database Sharing
Act!Diag, Act! Database Sharing
Active Directory, Dissection and Discussion, The Local Group Policy, Dissection and Discussion, Assignment Tasks, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, Questions and Answers, Introduction, Key Points Learned, Questions and Answers, Integrating Additional Services, Assignment Tasks, Technical Issues, Samba Configuration, Joining a Domain: Windows 200x/XP Professional
authentication, Squid Configuration
domain, Samba Configuration
join, Active Directory Domain with Samba Domain Member Server
management tools, Technical Issues
realm, Bad Hostnames
Replacement, Technical Issues
server, Active Directory Domain with Samba Domain Member Server, Kerberos Configuration
Server, Technical Issues
tree, Samba Configuration
active directory, Technical Issues
AD printer publishing, Uploading Printer Drivers to Samba Servers
ADAM, Dissection and Discussion, IDMAP Storage in LDAP using Winbind
add group script, Applicable to All Samba 2.x to Samba-3 Upgrades
add machine script, Applicable to All Samba 2.x to Samba-3 Upgrades
Add Printer Wizard
APW, Uploading Printer Drivers to Samba Servers
add user script, Applicable to All Samba 2.x to Samba-3 Upgrades
add user to group script, Applicable to All Samba 2.x to Samba-3 Upgrades
adduser, Implementation, Samba Configuration, Configuration for Server: MASSIVE
adequate precautions, Introduction
administrative installation, Application Share Configuration
administrative rights, Checkpoint Controls
administrator, Implementation, Samba Configuration, Server Preparation: All Servers
ADMT, Migration of Samba Accounts to Active Directory
ADS, IDMAP Storage in LDAP using Winbind, Technical Issues, Kerberos Configuration, Bad Hostnames
server, Technical Issues
ADS Domain, Technical Issues
affordability, The Nature of Windows Networking Protocols
alarm, Introduction
algorithm, Technical Issues
allow trusted domains, IDMAP_RID with Winbind
alternative, Dissection and Discussion
analysis, Technical Issues
anonymous connection, Validation, Validation
Apache Web server, Questions and Answers
appliance mode, Technical Issues
application server, Technical Issues, Application Share Configuration
application servers, The Nature of Windows Networking Protocols
application/octet-stream, Implementation, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
APW, Uploading Printer Drivers to Samba Servers
arp, Validation
assessment, Introduction
assistance, Free Support
assumptions, Key Points Learned
authconfig, PAM and NSS Client Configuration
authenticate, LDAP Server Configuration, Samba Configuration
authenticated, Assignment Tasks
authenticated connection, Validation, Validation
authentication, The Nature of Windows Networking Protocols, Questions and Answers, Dissection and Discussion, Integrating Additional Services, Technical Issues, NSS Configuration, Questions and Answers
plain-text, Questions and Answers
authentication process, Implementation
authentication protocols, Key Points Learned
authoritative, Technical Issues
authorized location, Kerberos Exposed
auto-generated SID, Questions and Answers
automatically allocate, Technical Issues
availability, Performance, Reliability, and Availability
B
backends, Integrating Additional Services
background communication, Questions and Answers
Backup, Introduction
Backup Domain Controller (see BDC)
bandwidth, Assignment Tasks
requirements, User Needs
bandwidth calculations, Hardware Requirements
BDC, Technical Issues, Making Happy Users, Assignment Tasks, Dissection and Discussion, Samba Server Implementation, Samba-3 PDC Configuration, The Nature of Windows Networking Protocols, Key Points Learned, Technical Issues, Questions and Answers, Security Identifiers (SIDs), NT4 Migration Using tdbsam Backend, Use and Location of BDCs
benefit, Questions and Answers, Dissection and Discussion
best practices, Introduction
bias, Questions and Answers
binary database, Implementation
binary files, Updating a Samba-3 Installation
binary package, Updating a Samba-3 Installation
bind interfaces only, Implementation
broadcast, Routed Networks, Questions and Answers
directed, The Nature of Windows Networking Protocols
mailslot, The Nature of Windows Networking Protocols
broadcast messages, Implementation
broadcast storms, Network Collisions
broken, Dissection and Discussion
broken behavior, Dissection and Discussion
browse, Technical Issues
browse master, Findings
Browse Master, Questions and Answers
browse.dat, Replacing a Domain Member Server
Browser Election Service, Questions and Answers
browsing, Technical Issues, Technical Issues, Assignment Tasks
budgetted, Introduction
bug fixes, Introduction
bug report, Free Support
C
cache, Opportunistic Locking Controls
cache directories, Removal of Pre-Existing Conflicting RPMs
caching, Samba Configuration
case-sensitive, Kerberos Configuration
centralized storage, Questions and Answers
character set, International Language Support
check samba daemons, Validation, Validation
check-point, Share Definition Controls
check-point controls, Checkpoint Controls
Checkpoint Controls, Checkpoint Controls
chgrp, Samba Configuration
chkconfig, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration, Implementation
chmod, Samba Configuration
choice, Dissection and Discussion, Technical Issues
chown, Removal of Pre-Existing Conflicting RPMs
CIFS, Security Identifiers (SIDs), Findings
cifsfs, Dissection and Discussion
clean database, Questions and Answers
clients per DC, Making Happy Users
Clock skew, Kerberos Configuration
cluster, Introduction
clustering, Introduction, For Scalability, Use SAN-Based Storage on Samba Servers
code maintainer, Free Support
codepage, International Language Support
collision rates, Network Collisions
commercial, Dissection and Discussion
commercial software, Dissection and Discussion
commercial support, Samba Support, Commercial Support
Common Internet File System (see CIFS)
comparison
Active Directory & OpenLDAP, Dissection and Discussion
compat, Samba Domain with Samba Domain Member Server Using NSS LDAP
compatible, Technical Issues
compile-time, Location of config files
complexities, Dissection and Discussion
compromise, Introduction, Introduction, Technical Issues
computer account, Samba Configuration
Computer Management, Share Access Controls, Questions and Answers
computer name, Security Identifiers (SIDs)
condemns, Technical Issues
conferences, Technical Issues
configuration files, Introduction
configure.pl, NT4 Migration Using LDAP Backend
connection, Share Access Controls
connectivity, Questions and Answers
consequential risk, Technical Issues
consultant, Drafting Office, Introduction, Dissection and Discussion
consumer, Dissection and Discussion, Technical Issues
consumer expects, Samba Support
contiguous directory, Implementation
contributions, Updating Samba-3
control files, Updating a Samba-3 Installation
convmv, International Language Support
copy, Questions and Answers
corrective action, Hardware Problems
cost, Dissection and Discussion
cost-benefit, Assignment Tasks
country of origin, Commercial Support
Courier-IMAP, LDAP Server Configuration
credential, Share Definition Controls
credentials, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Technical Issues
crippled, Dissection and Discussion
criticism, Active Directory, Kerberos, and Security, Introduction
Critics, Technical Issues
Cryptographic, Technical Issues
CUPS, Dissection and Discussion, Technical Issues, Implementation, Key Points Learned, Implementation, Printer Configuration, Server Preparation: All Servers, Assignment Tasks, Installation of Printer Driver Auto-Download, Printer Configuration
queue, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
cupsd, Basic System Configuration
customer expected, Samba Support
customers, Samba Support
D
daemon, Validation, Basic System Configuration, Security Identifiers (SIDs), Technical Issues, Questions and Answers, Starting Samba
daemon control, Process Startup Configuration
data
corruption, Making Happy Users
integrity, Questions and Answers
data corruption, Hardware Problems, Act! Database Sharing
data integrity, Hardware Problems, Shared Data Integrity
data storage, Implementation
database, Dissection and Discussion, Questions and Answers, Dissection and Discussion
database applications, Shared Data Integrity
DB_CONFIG, OpenLDAP Server Configuration
DCE, Kerberos Exposed
DDNS (see dynamic DNS)
Debian, Migrating NetWare Server to Samba-3
default installation, Samba System File Location
default password, The LDAP Account Manager
default profile, Assignment Tasks, Technical Issues
Default User, Profile Changes, Configuration of Default Profile with Folder Redirection
defective
cables, Hardware Problems
HUBs, Hardware Problems
switches, Hardware Problems
defects, Technical Issues
defensible standards, Technical Issues
defragmentation, Windows Client Configuration
delete group script, Applicable to All Samba 2.x to Samba-3 Upgrades
delete user from group script, Applicable to All Samba 2.x to Samba-3 Upgrades
delimiter, Checkpoint Controls
dependability, Technical Issues
deployment, Free Support
desired security setting, Setting Posix ACLs in UNIX/Linux
development, Technical Issues
DHCP, Technical Issues, Implementation, Key Points Learned, Windows Client Configuration, Windows Client Configuration, The Nature of Windows Networking Protocols, Questions and Answers
client, Bad Hostnames
relay, Technical Issues
Relay Agent, Questions and Answers
request, Questions and Answers
requests, Technical Issues
servers, Questions and Answers
traffic, Questions and Answers
dhcp client validation, Validation, Validation
DHCP Server, Implementation
DHCP server, Technical Issues
diagnostic, IDMAP Storage in LDAP using Winbind
diffusion, Technical Issues
digital rights, Technical Issues
digital sign'n'seal, Technical Issues
digits, Bad Hostnames
diligence, Technical Issues
directory, Dissection and Discussion, Political Issues, Location of config files
Computers container, LDAP Initialization and Creation of User and Group Accounts
management, Dissection and Discussion
People container, LDAP Initialization and Creation of User and Group Accounts
replication, Dissection and Discussion
schema, Dissection and Discussion
server, Technical Issues
synchronization, Dissection and Discussion
directory tree, Setting Posix ACLs in UNIX/Linux
disable, Introduction
disaster recovery, Introduction
disk image, Assignment Tasks
disruptive, Dissection and Discussion
distributed, Identity Management Needs, Implementation, Questions and Answers, Distribute Network Load with MSDFS
distributed domain, Identity Management Needs
DMB, Questions and Answers
DMS, Security Identifiers (SIDs), Replacing a Domain Member Server
DNS, Technical Issues, Implementation, Technical Issues, The Nature of Windows Networking Protocols, LDAP Server Configuration, Bad Hostnames, Routed Networks, Joining a Domain: Windows 200x/XP Professional
configuration, Questions and Answers
Dynamic, Questions and Answers
dynamic, Joining a Domain: Windows 200x/XP Professional
lookup, Questions and Answers, Kerberos Configuration
name lookup, Bad Hostnames
SRV records, Kerberos Configuration
suffix, Joining a Domain: Windows 200x/XP Professional
DNS server, Implementation, Configuration of DHCP and DNS Servers
document the settings, Samba Configuration
documentation, Dissection and Discussion, Technical Issues
documented, Samba Configuration
Domain, Technical Issues
groups, Technical Issues
domain
Active Directory, Technical Issues
controller, Replacing a Domain Controller
joining, A Collection of Useful Tidbits
trusted, Questions and Answers
Domain accounts, Technical Issues
Domain Administrator, Share Access Controls
Domain Controller, Key Points Learned, The Nature of Windows Networking Protocols, Technical Issues, Implementation, Use and Location of BDCs
closest, The Nature of Windows Networking Protocols
domain controller, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades
domain controllers, Technical Issues
Domain Controllers, Questions and Answers
Domain Groups
well-known, Initialization of the LDAP Database
Domain join, Samba Domain with Samba Domain Member Server Using NSS LDAP
domain master, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend
Domain Master Browser (see DMB)
Domain Member, Use and Location of BDCs
authoritative
local accounts, Technical Issues
client, Implementation
desktop, Introduction
server, Introduction, Technical Issues, Implementation, Active Directory Domain with Samba Domain Member Server
servers, Questions and Answers, Checkpoint Controls
workstations, Implementation
domain member
servers, Technical Issues
Domain Member server, Technical Issues, Questions and Answers
Domain Member servers, Questions and Answers
domain members, Questions and Answers
domain name space, Identity Management Needs
domain replication, Questions and Answers
domain SID, Security Identifiers (SIDs)
Domain SID, Technical Issues, Questions and Answers
domain tree, Identity Management Needs
Domain User Manager, Configuring Profile Directories
Domain users, Technical Issues
DOS, Security Identifiers (SIDs)
dos2unix, Samba Configuration, Configuration for Server: MASSIVE
down-grade, Introduction
drive letters, LDAP Server Configuration
drive mapping, Technical Issues
dumb printing, Installation of Printer Driver Auto-Download
dump, Technical Issues, Questions and Answers
duplicate accounts, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
dynamic DNS, Technical Issues
E
e-Directory, Dissection and Discussion
Easy Software Products, Installation of Printer Driver Auto-Download
economically sustainable, Dissection and Discussion
eDirectory, Dissection and Discussion
education, Identity Management Needs
election, Findings
employment, Introduction, Dissection and Discussion
enable, Printer Configuration
encrypted, Findings and Comments
encrypted password, Windows 200x/XP Client Interaction with Samba-3
encrypted passwords, Questions and Answers
End User License Agreement (see EULA)
enumerating, Samba Configuration
essential, Introduction
ethereal, Exercises
Ethernet switch, Technical Issues
ethernet switch, Making Happy Users
EULA, Dissection and Discussion
Everyone, Share Access Controls
Excel, Share Point Directory and File Permissions
exclusive open, Microsoft Access
experiment, Active Directory, Kerberos, and Security
export, Technical Issues
extent, Dissection and Discussion
External Domains, Technical Issues
extreme demand, Guidelines for Reliable Samba Operation
F
fail, The Nature of Windows Networking Protocols
fail-over, Identity Management Needs, Implementation
failed, Samba Domain with Samba Domain Member Server Using NSS LDAP
failed join, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
failure, Samba Configuration
familiar, Technical Issues
fatal problem, Samba Configuration
fear, Technical Issues
fears, Technical Issues
Fedora, Drafting Office
FHS, Samba System File Location
file and print server, Questions and Answers
file and print service, Dissection and Discussion
file caching, Samba Configuration, Opportunistic Locking Controls
File Hierarchy System (see FHS)
file locations, Samba System File Location
file permissions, The LDAP Account Manager
file server
read-only, Dissection and Discussion
file servers, Samba Server Implementation
file system, Technical Issues
access control, Samba Configuration
Ext3, Implementation
permissions, Samba Configuration, Configuration for Server: MASSIVE
file system security, Questions and Answers
filter, Share Access Controls
financial responsibility, Introduction
firewall, Technical Issues, Basic System Configuration, Introduction
fix, Dissection and Discussion
flaws, Introduction
flexibility, Technical Issues
flush
cache memory, Opportunistic Locking Controls
folder redirection, Technical Issues, Configuration of Default Profile with Folder Redirection, Questions and Answers
force group, Override Controls, Questions and Answers
force user, Dissection and Discussion, Override Controls, Questions and Answers
forced settings, Override Controls
foreign, Samba Domain with Samba Domain Member Server Using NSS LDAP
foreign SID, Samba Domain with Samba Domain Member Server Using NSS LDAP
forwarded, Routed Networks
foundation members, Technical Issues
Free Standards Group (see FSG)
free support, Samba Support, Free Support
front-end, Dissection and Discussion
server, Distribute Network Load with MSDFS
frustration, Introduction
FSG, Samba System File Location
FTP
proxy, Questions and Answers
full control, Share Access Controls, Using MS Windows Explorer (File Manager)
fully qualified, Checkpoint Controls
functional differences, Cautions and Notes
G
generation, Cautions and Notes
Gentoo, Migrating NetWare Server to Samba-3
getent, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
getfacl, Setting Posix ACLs in UNIX/Linux
getgrnam, Technical Issues
getpwnam, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP
getpwnam(), Questions and Answers
GID, Implementation, Questions and Answers, Questions and Answers
Goettingen, Questions and Answers
government, Identity Management Needs
GPL, Comments Regarding Software Terms of Use
group account, Implementation, OpenLDAP Server Configuration
group management, Implementation
group mapping, LDAP Server Configuration
group membership, Implementation, Samba Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
group names, Questions and Answers
group policies, Introduction
Group Policy, Joining a Domain: Windows 200x/XP Professional
Group Policy editor, The Local Group Policy
Group Policy Objects, The Local Group Policy
groupadd, Implementation, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
groupdel, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
groupmem, NT4 Migration Using LDAP Backend
groupmod, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
GSS-API, Windows 200x/XP Client Interaction with Samba-3
guest account, Findings and Comments, Dissection and Discussion, Technical Issues, Questions and Answers
H
hackers, Introduction
hardware prices, Hardware Problems
hardware problems, Hardware Problems
Heimdal, Implementation, Kerberos Configuration
Heimdal Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
Heimdal kerberos, IDMAP Storage in LDAP using Winbind
help, Free Support
helper agent, Removal of Pre-Existing Conflicting RPMs
hesiod, Samba Domain with Samba Domain Member Server Using NSS LDAP
hierarchy of control, Share Definition Controls
high availability, Dissection and Discussion
hire, Dissection and Discussion
HKEY_CURRENT_USER, Roaming Profile Background
HKEY_LOCAL_MACHINE, Configuration of Default Profile with Folder Redirection
HKEY_LOCAL_USER, Questions and Answers
host announcement, Assignment Tasks, Findings
hostname, Basic System Configuration, Security Identifiers (SIDs)
hosts, Questions and Answers
HUB, Making Happy Users
Hybrid, Questions and Answers
hypothetical, Introduction
I
Idealx, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
smbldap-tools, Install and Configure Idealx smbldap-tools Scripts, LDAP Initialization and Creation of User and Group Accounts
identifiers, Technical Issues
identity, Questions and Answers, Kerberos Exposed
management, Technical Issues
identity management, Technical Issues, Dissection and Discussion, Political Issues, Dissection and Discussion
Identity Management, Dissection and Discussion, The Nature of Windows Networking Protocols, Identity Management Needs
Identity management, UNIX/Linux Client Domain Member
Identity resolution, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, UNIX/Linux Client Domain Member, Questions and Answers
Identity resolver, Questions and Answers
IDMAP, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP_RID with Winbind
idmap backend, Technical Issues
IDMAP backend, Questions and Answers
idmap gid, IDMAP_RID with Winbind
idmap uid, IDMAP_RID with Winbind
idmap_rid, IDMAP_RID with Winbind
IMAP, Technical Issues
import, Technical Issues
income, Dissection and Discussion
independent expert, Introduction
inetd, Process Startup Configuration
inetOrgPerson, Technical Issues
inheritance, Setting Posix ACLs in UNIX/Linux
initGrps.sh, Implementation, Samba Configuration, Configuration for Server: MASSIVE
initial credentials, Kerberos Configuration
inoperative, Dissection and Discussion
install, Updating Samba-3
installation, Dissection and Discussion
integrate, Technical Issues
integrity, Introduction, Kerberos Exposed
inter-domain, Applicable to All Samba 2.x to Samba-3 Upgrades
inter-operability, Dissection and Discussion, Technical Issues, Key Points Learned, Questions and Answers
interactive help, Free Support
interdomain trusts, Identity Management Needs
interfaces, Implementation
intermittent, Hardware Problems
internationalization, International Language Support
Internet Explorer, Technical Issues
Internet Information Server, Questions and Answers
interoperability, Dissection and Discussion
IP forwarding, Implementation, Basic System Configuration, Configuration for Server: MASSIVE
IPC$, Findings and Comments
iptables, Technical Issues
IRC, Free Support
isolated, Introduction
Italian, Questions and Answers
J
jobs, Introduction
joining a domain, Joining a Domain: Windows 200x/XP Professional
K
KDC, Kerberos Configuration
Kerberos, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Introduction, Technical Issues, Key Points Learned, Technical Issues, Implementation, Kerberos Configuration
Heimdal, Active Directory Domain with Samba Domain Member Server
interoperability, Kerberos Exposed
libraries, Active Directory Domain with Samba Domain Member Server
MIT, Active Directory Domain with Samba Domain Member Server
unspecified fields, Kerberos Exposed
kerberos, Kerberos Exposed
server, Kerberos Exposed
Kerberos ticket, Samba Configuration
kinit, Kerberos Configuration
Kixtart, LDAP Server Configuration
klist, Kerberos Configuration
krb5, Implementation
krb5.conf, Kerberos Configuration
L
LAM, The LDAP Account Manager
configuration editor, The LDAP Account Manager
configuration file, The LDAP Account Manager
login screen, The LDAP Account Manager
opening screen, The LDAP Account Manager
profile, The LDAP Account Manager
wizard, The LDAP Account Manager
large domain, IDMAP_RID with Winbind
LDAP, Technical Issues, Assignment Tasks, Dissection and Discussion, Technical Issues, Preliminary Advice: Dangers Can Be Avoided, PAM and NSS Client Configuration, Introduction, Dissection and Discussion, Identity Management Needs, Implementation, Key Points Learned, Questions and Answers, Technical Issues, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Assignment Tasks, Technical Issues, Questions and Answers, Dissection and Discussion, LDAP Server Configuration, Technical Issues
backend, Identity Management Needs
database, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Alternative LDAP Database Initialization
directory, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs
fail-over, Implementation
initial configuration, Alternative LDAP Database Initialization
master, Identity Management Needs
master/slave
background communication, Questions and Answers
preload, Implementation
schema, Updating from Samba Versions between 3.0.6 and 3.0.10
secure, Technical Issues
server, Questions and Answers
slave, Identity Management Needs
updates, Identity Management Needs
ldap, Samba Domain with Samba Domain Member Server Using NSS LDAP
LDAP Account Manager (see LAM)
LDAP backend, Technical Issues
LDAP database, Questions and Answers
LDAP Interchange Format (see LDIF)
LDAP server, Identity Management Needs
LDAP-transfer-LDIF.txt, Implementation
ldap.conf, Samba Domain with Samba Domain Member Server Using NSS LDAP
ldapadd, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP
ldapsam, LDAP Initialization and Creation of User and Group Accounts, Dissection and Discussion, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, Integrating Additional Services
ldapsam backend, Samba Domain with Samba Domain Member Server Using NSS LDAP
ldapsearch, LDAP Initialization and Creation of User and Group Accounts
LDIF, Technical Issues, Implementation, Technical Issues, LDAP Server Configuration, Initialization of the LDAP Database
leadership, Technical Issues
Lightweight Directory Access Protocol (see LDAP)
limit, Questions and Answers
Linux desktop, Introduction
Linux Standards Base (see LSB)
LMB, Findings, Questions and Answers
LMHOSTS, Routed Networks
load distribution, For Scalability, Use SAN-Based Storage on Samba Servers
local accounts, Technical Issues
Local Group Policy, Roaming Profile Background
Local Master Announcement, Findings
Local Master Browser (see LMB)
localhost, Basic System Configuration, Bad Hostnames
lock directory, Samba 1.9.x and 2.x Versions Without LDAP
locking
Application level, Shared Data Integrity
Client side, Shared Data Integrity
Server side, Shared Data Integrity
logging, Removal of Pre-Existing Conflicting RPMs
login, Technical Issues
loglevel, Debugging LDAP
logon credentials, Questions and Answers
logon hours, Technical Issues, Key Points Learned
logon machines, Technical Issues
logon path, Implementation
logon process, Implementation
logon scrip, Samba Configuration
logon script, Implementation, Technical Issues, Preparation of Logon Scripts, Technical Issues
logon server, The Nature of Windows Networking Protocols
logon services, Implementation
logon time, Assignment Tasks
logon traffic, The Nature of Windows Networking Protocols
logon.kix, LDAP Server Configuration
loopback, Validation
low performance, Hardware Problems
lower-case, Implementation
lpadmin, Implementation, Implementation, Implementation, Printer Configuration, Printer Configuration
LSB, Samba System File Location
M
machine, Security Identifiers (SIDs)
machine account, Regarding LDAP Directories and Windows Computer Accounts
machine accounts, Questions and Answers
machine secret password, Technical Issues
MACHINE.SID, Security Identifiers (SIDs)
mailing list, Free Support
mailing lists, Free Support
managed, Technical Issues
management, Political Issues, Questions and Answers
group, Technical Issues
User, Technical Issues
mandatory profile, Technical Issues, Configuring Profile Directories
Mandrake, Migrating NetWare Server to Samba-3
mapped drives, Questions and Answers
mapping, Technical Issues, Kerberos Configuration
consistent, Samba Domain with Samba Domain Member Server Using NSS LDAP
Mars_NWE, Migrating NetWare Server to Samba-3
master, Dissection and Discussion
material, A Collection of Useful Tidbits
memberUID, LDAP Server Configuration
memory requirements, Hardware Requirements
merge, Technical Issues, Questions and Answers
merged, Technical Issues
meta-directory, Questions and Answers
meta-service, Questions and Answers
Microsoft Access, Shared Data Integrity
Microsoft Excel, Shared Data Integrity
Microsoft ISA, Assignment Tasks
Microsoft Management Console (see MMC)
Microsoft Office, Application Share Configuration, Share Point Directory and File Permissions
Microsoft Outlook
PST files, Questions and Answers
migrate, Updating Samba-3, Technical Issues
migration, Implementation, Implementation, Assignment Tasks, Introduction, Questions and Answers, Migrating NetWare Server to Samba-3
objectives, Dissection and Discussion
Migration speed, Questions and Answers
mime type, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
mime types, Implementation
missing RPC's, Technical Issues
MIT, Implementation, Kerberos Configuration
MIT Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
MIT kerberos, IDMAP Storage in LDAP using Winbind
MIT KRB5, Samba Configuration
mixed mode, Active Directory Domain with Samba Domain Member Server
mixed-mode, Questions and Answers
MMC, Configure Delete Cached Profiles on Logout, Technical Issues, Questions and Answers
mobile computing, Dissection and Discussion
mobility, Technical Issues
modularization, Technical Issues
modules, Questions and Answers
MS Access
validate, Microsoft Access
MS Outlook, Configuration of MS Outlook to Relocate PST File
PST, Configuration of MS Outlook to Relocate PST File
PST file, Making Happy Users
MS Windows Server 2003, Implementation
MS Word, Share Point Directory and File Permissions
MSDFS, Distribute Network Load with MSDFS
multi-subnet, Routed Networks
multi-user
access, Microsoft Access
data access, Shared Data Integrity
multiple directories, Identity Management Needs
multiple domain controllers, Making Happy Users
multiple group mappings, Questions and Answers
mutual assistance, Free Support
My Documents, Roaming Profile Background
My Network Places, Implementation
mysqlsam, Implementation
N
name resolution, Configuration of DHCP and DNS Servers, Questions and Answers, Assignment Tasks
Defective, Active Directory Domain with Samba Domain Member Server
name resolve order, Implementation
name service switch, Implementation (see NSS)
named, Basic System Configuration, Validation, Server Preparation: All Servers
NAT, Technical Issues
native, Questions and Answers
net
ads
info, Active Directory Domain with Samba Domain Member Server
join, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Samba Configuration
status, Active Directory Domain with Samba Domain Member Server
getlocalsid, Samba-3 PDC Configuration, Security Identifiers (SIDs)
group, NT4 Migration Using tdbsam Backend
groupmap
add, Samba Configuration
list, Samba Configuration, LDAP Initialization and Creation of User and Group Accounts
modify, Samba Configuration
rpc
info, Security Identifiers (SIDs)
join, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, Questions and Answers, NT4 Migration Using tdbsam Backend
vampire, Updating Samba-3, NT4 Migration Using tdbsam Backend
setlocalsid, Security Identifiers (SIDs)
NetBIOS, The Nature of Windows Networking Protocols, Questions and Answers, Bad Hostnames, Routed Networks, Questions and Answers
name cache, Questions and Answers
name resolution
delays, Making Happy Users
Node Type, Questions and Answers
netbios
machine name, Change of hostname
netbios forwarding, Network Collisions
NetBIOS name, Kerberos Configuration
aliases, Identity Management Needs
netbios name, Security Identifiers (SIDs), Change of hostname, Bad Hostnames
NETLOGON, Using a Network Default User Profile, Windows Client Configuration
netlogon, The Nature of Windows Networking Protocols, LDAP Server Configuration
Netlogon, Joining a Domain: Windows 200x/XP Professional
netmask, Implementation
Netware, Small Office Networking
NetWare, Migrating NetWare Server to Samba-3, LDAP Server Configuration
network
administrators, Technical Issues
analyzer, Assignment Tasks
bandwidth, Identity Management Needs, Questions and Answers
broadcast, Introduction
captures, Requirements and Notes
collisions, Network Collisions
load, Network Collisions
logon, Making Happy Users
logon scripts, Dissection and Discussion
management, Introduction
multi-segment, Introduction
overload, Making Happy Users
performance, Samba Configuration
routed, Dissection and Discussion
secure, Introduction
segment, Dissection and Discussion
services, Questions and Answers
sniffer, Requirements and Notes
timeout, Making Happy Users
timeouts, Network Collisions
trace, Assignment Tasks
traffic
observation, Technical Issues
wide-area, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
Network Address Translation (see NAT)
network administrators, Technical Issues
network attached storage (see NAS)
network bandwidth
utilization, Making Happy Users
Network Default Profile, Roaming Profile Background
network hardware
defective, Making Happy Users
network hygiene, Dissection and Discussion
network Identities, Questions and Answers
network load factors, Dissection and Discussion
Network Neighborhood, Validation, Technical Issues
network segment, Use and Location of BDCs
network segments, Hardware Requirements
network share, Assignment Tasks
networking
client, Security Identifiers (SIDs)
networking hardware
defective, Making Happy Users
networking protocols, Technical Issues
next generation, Technical Issues
NextFreeUnixId, NT4 Migration Using LDAP Backend
NFS server, Samba-3 PDC Configuration
NICs, Hardware Problems
NIS, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Technical Issues, Political Issues, Questions and Answers
nis, Samba Domain with Samba Domain Member Server Using NSS LDAP
NIS schema, Questions and Answers
NIS server, Questions and Answers
NIS+, Identity Management Needs
nisplus, Samba Domain with Samba Domain Member Server Using NSS LDAP
NLM, Migrating NetWare Server to Samba-3
nmap, Validation
nmbd, Validation, Validation, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Starting Samba
nobody, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
Novell, Migrating NetWare Server to Samba-3, Introduction
Novell SUSE SLES 9, NT4 Migration Using LDAP Backend
NSS, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, PAM and NSS Client Configuration, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, UNIX/Linux Client Domain Member, Questions and Answers, LDAP Server Configuration, NSS Configuration (see same service switch)
nss_ldap, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, OpenLDAP Server Configuration, PAM and NSS Client Configuration, LDAP Initialization and Creation of User and Group Accounts, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Replacing a Domain Member Server, NT4 Migration Using LDAP Backend
nt acl support, Dissection and Discussion
NT4 registry, Dissection and Discussion
NTLM, Technical Issues
NTLM authentication daemon, Technical Issues
NTLMSSP, Key Points Learned, Questions and Answers, Windows 200x/XP Client Interaction with Samba-3
NTLMSSP_AUTH, Windows 200x/XP Client Interaction with Samba-3
ntlm_auth, Samba Configuration, Questions and Answers
NTP, Kerberos Configuration
NTUSER.DAT, Roaming Profile Background, Profile Changes, Using a Network Default User Profile, Questions and Answers
NULL connection, Validation
NULL session, Findings and Comments
NULL-Session, Discussion
O
objectClass, LDAP Server Configuration
off-site storage, Introduction
Open Magazine, Adding Domain Member Servers and Clients
Open Source, Dissection and Discussion
OpenLDAP, Dissection and Discussion, Dissection and Discussion, Questions and Answers, Political Issues, Technical Issues, Introduction, Technical Issues, Key Points Learned, The LDAP Account Manager
openldap, OpenLDAP Server Configuration
OpenOffice, Application Share Configuration
operating profiles, The LDAP Account Manager
oplock break, Override Controls
oplocks, Samba Configuration
Oplocks
disabled, Opportunistic Locking Controls
opportunistic
locking, Override Controls
opportunistic locking, Implementation, Samba Configuration, Act! Database Sharing
optimized, Samba Configuration
organizational units, The LDAP Account Manager
OS/2, Security Identifiers (SIDs)
Outlook
PST, Configuration of MS Outlook to Relocate PST File
Outlook Address Book, Configuration of MS Outlook to Relocate PST File
Outlook Express, Political Issues, Configuration of MS Outlook to Relocate PST File
over-ride, Technical Issues
over-ride controls, Override Controls
over-rule, Share Access Controls, Using MS Windows Explorer (File Manager)
overheads, Override Controls
ownership, Share Point Directory and File Permissions
P
package, Implementation
package names, Samba System File Location
packages, Updating a Samba-3 Installation
PADL, Technical Issues, IDMAP Storage in LDAP using Winbind
PADL LDAP tools, Technical Issues
PADL Software, Samba Domain with Samba Domain Member Server Using NSS LDAP
paid-for support, Samba Support
PAM, PAM and NSS Client Configuration, UNIX/Linux Client Domain Member, LDAP Server Configuration
pam_ldap, OpenLDAP Server Configuration
pam_ldap.so, PAM and NSS Client Configuration
pam_unix2.so, PAM and NSS Client Configuration
use_ldap, PAM and NSS Client Configuration
parameters, Applicable to All Samba 2.x to Samba-3 Upgrades
passdb backend, Implementation, The 500-User Office, Dissection and Discussion, Dissection and Discussion, Implementation, Technical Issues, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, Questions and Answers
passdb.tdb, Technical Issues
passwd, Implementation, Implementation, Samba Configuration
password
backend, Implementation, Samba Configuration, Configuration for Server: MASSIVE
password caching, Implementation
password change, Key Points Learned
password length, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
payroll, Introduction
pdbedit, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, NT4 Migration Using tdbsam Backend, Questions and Answers
PDC, Assignment Tasks, Technical Issues, Making Happy Users, Technical Issues, The Local Group Policy, The Nature of Windows Networking Protocols, Technical Issues, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Implementation, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Use and Location of BDCs
PDC/BDC ratio, Making Happy Users
PDF, The LDAP Account Manager
performance, Dissection and Discussion, Questions and Answers, Performance, Reliability, and Availability, Introduction, Network Collisions
performance degradation, Override Controls, Samba Configuration
Perl, LDAP Server Configuration, The LDAP Account Manager
permission, Share Point Directory and File Permissions
permissions, Implementation, Technical Issues, Share Access Controls, Checkpoint Controls, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs
excessive, Technical Issues
group, Share Point Directory and File Permissions
user, Share Point Directory and File Permissions
Permissions, Using the MMC Computer Management Interface
permits, Technical Issues
permitted group, Using the MMC Computer Management Interface
PHP, The LDAP Account Manager
PHP4, The LDAP Account Manager
pile-driver, Share Definition Controls
ping, Validation
pitfalls, The LDAP Account Manager
plain-text, Questions and Answers
Pluggable Authentication Modules (see PAM)
policy, Questions and Answers, Introduction
poor performance, Dissection and Discussion
POP3, Technical Issues
Posix, Dissection and Discussion, Technical Issues, Questions and Answers, Implementation, Questions and Answers, The LDAP Account Manager
POSIX, Regarding LDAP Directories and Windows Computer Accounts, LDAP Server Configuration
Posix accounts, LDAP Initialization and Creation of User and Group Accounts, Technical Issues
Posix ACLs, Managing Windows 200x ACLs
PosixAccount, LDAP Initialization and Creation of User and Group Accounts
posixAccount, LDAP Server Configuration
Postfix, LDAP Server Configuration
Postscript, Installation of Printer Driver Auto-Download
powers, Share Definition Controls
practices, Introduction
precaution, Introduction
presence and leadership, Technical Issues
price paid, Dissection and Discussion
primary group, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
principals, Kerberos Exposed
print filter, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
print queue, Charity Administration Office, Dissection and Discussion
print spooler, Charity Administration Office
Print Test Page, Uploading Printer Drivers to Samba Servers
printcap name, Implementation
printer validation, Validation, Validation
printers
Advanced, Uploading Printer Drivers to Samba Servers
Default Settings, Uploading Printer Drivers to Samba Servers
General, Uploading Printer Drivers to Samba Servers
Properties, Uploading Printer Drivers to Samba Servers
Security, Uploading Printer Drivers to Samba Servers
Sharing, Uploading Printer Drivers to Samba Servers
printing, Implementation
drag-and-drop, Installation of Printer Driver Auto-Download, Uploading Printer Drivers to Samba Servers
dumb, Installation of Printer Driver Auto-Download
point-n-click, Installation of Printer Driver Auto-Download
raw, Dissection and Discussion
privacy, Identity Management Needs
Privilege Attribute Certificates (see PAC)
privilege controls, Share Point Directory and File Permissions
privileged pipe, Samba Configuration
privileges, Identity Management Needs, Updating from Samba Versions after 3.0.6 to a Current Release, Technical Issues, Share Definition Controls
problem report, Free Support
problem resolution, Samba Support
product defects, Dissection and Discussion
professional support, Free Support
profile
default, Assignment Tasks
mandatory, The Nature of Windows Networking Protocols
roaming, Making Happy Users
profile path, Technical Issues
profile share, Implementation
profiles, Security Identifiers (SIDs)
profiles share, Dissection and Discussion
programmer, Dissection and Discussion
project, Free Support
project maintainers, Technical Issues
Properties, Using the MMC Computer Management Interface
proprietary, Technical Issues
protected, Technical Issues
protection, Technical Issues
protocol
negotiation, The Nature of Windows Networking Protocols
protocol analysis, Requirements and Notes
protocols, Technical Issues
provided services, Samba Support
proxy, Assignment Tasks, Technical Issues
PST file, Configuration of MS Outlook to Relocate PST File
public specifications, Technical Issues
purchase support, Free Support
Q
Qbasic, LDAP Server Configuration
qualified problem, Free Support
R
RAID, Hardware Requirements
RAID controllers, Hardware Problems
Raw Print Through, Installation of Printer Driver Auto-Download
raw printing, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
Rbase, LDAP Server Configuration
rcldap, Implementation
realm, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, Kerberos Configuration
recognize, Technical Issues
record locking, Microsoft Access
recursively, Setting Posix ACLs in UNIX/Linux
Red Hat, Drafting Office, Migrating NetWare Server to Samba-3
Red Hat Fedora Linux, Samba Configuration
Red Hat Linux, Dissection and Discussion, Accounting Office, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Samba Configuration
redirected folders, Roaming Profile Background, The Nature of Windows Networking Protocols
refereed standards, Technical Issues
regedit, Implementation
regedt32, Profile Changes, Configuration of Default Profile with Folder Redirection
registry, Questions and Answers
keys
SAM, Dissection and Discussion
SECURITY, Dissection and Discussion
registry change, Questions and Answers
Registry Editor, Configuration of Default Profile with Folder Redirection
registry hacks, Questions and Answers
registry keys, Configuration of Default Profile with Folder Redirection
reimburse, Dissection and Discussion
rejected, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Access Controls
rejoin, Questions and Answers
reliability, Performance, Reliability, and Availability
remote announce, Routed Networks
remote browse sync, Routed Networks
remote procedure call (see RPC)
replicate, Questions and Answers, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
replicated, Dissection and Discussion
requesting payment, Free Support
resilient, Guidelines for Reliable Samba Operation
resolution, Replacing a Domain Member Server
resolve, Technical Issues, Bad Hostnames
response, IDMAP_RID with Winbind
responsibility, Dissection and Discussion
responsible, Technical Issues
restrict anonymous, Samba Domain with Samba Domain Member Server Using NSS LDAP
restricted export, Kerberos Exposed
Restrictive security, Active Directory Domain with Samba Domain Member Server
reverse DNS, Kerberos Configuration
rfc2307bis, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension
RID, IDMAP_RID with Winbind, LDAP Server Configuration
risk, Technical Issues, Questions and Answers, Questions and Answers, Introduction
road-map, Technical Issues
published, Technical Issues
roaming profile, Technical Issues, Roaming Profile Background, Configuring Profile Directories, User Needs, Questions and Answers
roaming profiles, Technical Issues, Implementation, Roaming Profile Background
routed network, Use and Location of BDCs
router, Implementation
routers, Questions and Answers, Routed Networks
RPC, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
rpc, Security Identifiers (SIDs)
rpcclient, Security Identifiers (SIDs)
RPM, Security Identifiers (SIDs), Samba 1.9.x and 2.x Versions Without LDAP, Dissection and Discussion
install, Implementation
rpm, Removal of Pre-Existing Conflicting RPMs, Samba System File Location
RPMs, Samba Configuration
rpms, Removal of Pre-Existing Conflicting RPMs
rsync, Samba-3 PDC Configuration, Questions and Answers, LDAP Server Configuration, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
rsyncd.conf, LDAP Server Configuration
run-time control files, Samba System File Location
S
safe-guards, Technical Issues
SAM, Dissection and Discussion
samba, Removal of Pre-Existing Conflicting RPMs
starting samba, Implementation
Samba, Samba Configuration
Samba accounts, Technical Issues
samba cluster, Introduction
samba control script, Starting Samba
Samba Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers
Samba Domain server, Using the MMC Computer Management Interface
Samba RPM Packages, Samba-3 PDC Configuration
Samba Tea, Samba Configuration
sambaDomainName, NT4 Migration Using LDAP Backend
sambaGroupMapping, LDAP Server Configuration
SambaSAMAccount, Regarding LDAP Directories and Windows Computer Accounts
SambaSamAccount, LDAP Initialization and Creation of User and Group Accounts
sambaSamAccount, LDAP Server Configuration
SambaXP conference, Questions and Answers
SAN, For Scalability, Use SAN-Based Storage on Samba Servers
SAS, Security Identifiers (SIDs)
scalability, Introduction
scalable, Identity Management Needs
schannel, Technical Issues, Key Points Learned, Questions and Answers
schema, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, Samba-2.x with LDAP Support, Updating from Samba Versions between 3.0.6 and 3.0.10
scripts, The LDAP Account Manager
secondary group, Samba Domain with Samba Domain Member Server Using NSS LDAP
secret, Kerberos Exposed
secrets.tdb, Technical Issues, Samba-3 PDC Configuration, Security Identifiers (SIDs), Location of config files
secure, Introduction
secure account password, Questions and Answers
secure connections, The LDAP Account Manager
secure networking, Technical Issues
secure networking protocols, Technical Issues
security, Technical Issues, Questions and Answers, Security Identifiers (SIDs), Introduction, Technical Issues, Share Point Directory and File Permissions, Questions and Answers
identifier, Security Identifiers (SIDs)
share mode, Dissection and Discussion
user mode, Dissection and Discussion
Security, Technical Issues, Using the MMC Computer Management Interface
Security Account Manager (see SAM)
security controls, Technical Issues
security descriptors, Dissection and Discussion
security fixes, Technical Issues
security updates, Technical Issues
SerNet, Active Directory Domain with Samba Domain Member Server, Samba Configuration
server
domain member, Security Identifiers (SIDs)
stand-alone, Security Identifiers (SIDs)
service, Implementation
smb
start, Configuration Specific to Domain Member Servers: BLDG1, BLDG2
Service Packs, Application Share Configuration
services, Key Points Learned
services provided, Samba Support
session setup, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
Session Setup, Simple Windows Client Connection Characteristics
SessionSetUpAndX, Security Identifiers (SIDs)
set primary group script, Applicable to All Samba 2.x to Samba-3 Upgrades
setfacl, Setting Posix ACLs in UNIX/Linux
severely degrade, Samba Configuration
SFU, IDMAP, Active Directory, and MS Services for UNIX 3.5
SGID, Dissection and Discussion, Share Point Directory and File Permissions, Effect of Setting File and Directory SUID/SGID Permissions Explained
shadow-utils, Questions and Answers
Share Access Controls, Share Access Controls
share ACLs, Questions and Answers
share definition, Technical Issues
Share Definition
Controls, Share Definition Controls
share definition controls, Share Definition Controls, Checkpoint Controls, Share Point Directory and File Permissions, Questions and Answers
share level access controls, Questions and Answers
share level ACL, Questions and Answers
Share Permissions, Share Access Controls
shared resource, Technical Issues, Setting Posix ACLs in UNIX/Linux
shares, Technical Issues
SID, Windows Client Configuration, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs, Technical Issues, IDMAP_RID with Winbind, Security Identifiers (SIDs), Change of Workgroup (Domain) Name, Questions and Answers, Initialization of the LDAP Database
side effects, Managing Windows 200x ACLs
Sign'n'seal, Key Points Learned, Questions and Answers
silent return, Active Directory Domain with Samba Domain Member Server
simple, Dissection and Discussion
Single Sign-On (see SSO)
slapcat, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, LDAP Server Configuration
slapd, Debugging LDAP
slapd.conf, NT4 Migration Using LDAP Backend
slave, Dissection and Discussion
slow logon, Making Happy Users
slow network, Hardware Problems
slurpd, Implementation, Questions and Answers
smart printing, Dissection and Discussion
SMB, Security Identifiers (SIDs)
SMB passwords, Implementation
SMB/CIFS, Questions and Answers
smbclient, Validation, Validation, LDAP Initialization and Creation of User and Group Accounts, Questions and Answers
smbd, Validation, Implementation, Validation, Validation, Samba-3 PDC Configuration, Technical Issues, Active Directory Domain with Samba Domain Member Server, Security Identifiers (SIDs), Location of config files, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
location of files, Samba System File Location
smbfs, Dissection and Discussion
smbldap-groupadd, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
smbldap-groupmod, LDAP Server Configuration
smbldap-passwd, LDAP Initialization and Creation of User and Group Accounts
smbldap-populate, LDAP Initialization and Creation of User and Group Accounts
smbldap-tools, NT4 Migration Using LDAP Backend, LDAP Server Configuration, The LDAP Account Manager
smbldap-tools updating, NT4 Migration Using LDAP Backend
smbldap-useradd, LDAP Initialization and Creation of User and Group Accounts, Implementation
smbldap-usermod, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
smbmnt, Dissection and Discussion
smbmount, Dissection and Discussion
smbpasswd, Implementation, Technical Issues, Implementation, Technical Issues, Samba Configuration, Server Preparation: All Servers, Configuration for Server: MASSIVE, Samba-3 PDC Configuration, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Technical Issues, Questions and Answers, Integrating Additional Services
smbumnt, Dissection and Discussion
smbumount, Dissection and Discussion
SMTP, Technical Issues
snap-shot, Dissection and Discussion
socket address, Samba Configuration
socket options, Samba Configuration
software, Dissection and Discussion
solve, Dissection and Discussion
source code, Dissection and Discussion
SPNEGO, Windows 200x/XP Client Interaction with Samba-3
SQL, Dissection and Discussion, Questions and Answers
Squid, Implementation, Removal of Pre-Existing Conflicting RPMs, Samba Configuration, Squid Configuration
squid, Removal of Pre-Existing Conflicting RPMs, Samba Configuration
Squid proxy, Technical Issues
SRVTOOLS.EXE, Implementation, Configuring Profile Directories, Questions and Answers, Questions and Answers
SSL, The LDAP Account Manager
stand-alone server, Security Identifiers (SIDs)
starting CUPS, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
starting dhcpd, Implementation, Process Startup Configuration, Process Startup Configuration
starting samba, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
nmbd, Starting Samba
smbd, Starting Samba
winbindd, Starting Samba
startingCUPS, Implementation
startup script, Starting Samba
sticky bit, Implementation
storage capacity, Hardware Requirements
strategic, Technical Issues
strategy, Questions and Answers
straw-man, Active Directory, Kerberos, and Security
strict sync, Samba Configuration
stripped, Samba 1.9.x and 2.x Versions Without LDAP
strong cryptography, Kerberos Exposed
subscription, Free Support
SUID, Dissection and Discussion, Questions and Answers, Effect of Setting File and Directory SUID/SGID Permissions Explained
Sun ONE Identity Server, Dissection and Discussion
super daemon, Process Startup Configuration
support, Dissection and Discussion, Samba Support
survey, Adding Domain Member Servers and Clients
SUSE, Migrating NetWare Server to Samba-3
SUSE Enterprise Linux Server, Charity Administration Office, Basic System Configuration, Implementation
SUSE Linux, Dissection and Discussion, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Removal of Pre-Existing Conflicting RPMs
SWAT, Samba System File Location
sync always, Samba Configuration
synchronization, Kerberos Configuration, For Scalability, Use SAN-Based Storage on Samba Servers
synchronize, User Needs, LDAP Server Configuration
synchronized, Questions and Answers
syslog, OpenLDAP Server Configuration
system level logins, Questions and Answers
system security, Technical Issues
T
tattooing, Questions and Answers
TCP/IP, Questions and Answers
tdbdump, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend
tdbsam, Technical Issues, Implementation, The 500-User Office, Assignment Tasks, Dissection and Discussion, Implementation, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Technical Issues, Questions and Answers
testparm, Validation, Validation, Samba-3 PDC Configuration, Active Directory Domain with Samba Domain Member Server, Samba 1.9.x and 2.x Versions Without LDAP, Samba Configuration
ticket, Samba Configuration
time server, Implementation
Tivoli Directory Server, Dissection and Discussion
TLS, LDAP Server Configuration
token, Technical Issues
tool, Questions and Answers, Dissection and Discussion
TOSHARG2, Implementation
track record, Dissection and Discussion
traffic collisions, Making Happy Users
transaction processing, Dissection and Discussion
transactional, Questions and Answers
transfer, Questions and Answers
translate, Managing Windows 200x ACLs
traverse, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
tree, Dissection and Discussion
Tree Connect, Simple Windows Client Connection Characteristics
trust account, Regarding LDAP Directories and Windows Computer Accounts
trusted computing, Introduction
Trusted Domains, Technical Issues
trusted domains, Questions and Answers
trusted third-party, Kerberos Exposed
trusting, Kerberos Exposed
turn-around time, Technical Issues
U
UDP
broadcast, Routed Networks
UID, Dissection and Discussion, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, Implementation, Questions and Answers, Questions and Answers
un-join, Questions and Answers
unauthorized activities, Kerberos Exposed
UNC name, Questions and Answers
unencrypted, The LDAP Account Manager
Unicast, The Nature of Windows Networking Protocols
unicode, International Language Support
Universal Naming Convention (see UNC name)
UNIX, LDAP Server Configuration
groups, Technical Issues, Implementation
UNIX accounts, Technical Issues
UNIX/Linux server, Technical Issues
unix2dos, Samba Configuration, Configuration for Server: MASSIVE
unknown, Technical Issues
unsupported software, Commercial Support
update, Introduction, Cautions and Notes
updates, Introduction, Technical Issues
updating smbldap-tools, NT4 Migration Using LDAP Backend
upgrade, Introduction, Cautions and Notes, LDAP Server Configuration
uppercase, Implementation
user
management, Implementation, Samba Configuration, Configuration for Server: MASSIVE
user account, Making Happy Users, OpenLDAP Server Configuration
User and Group Controls, Technical Issues
user credentials, Identity Management Needs, UNIX/Linux Client Domain Member
user errors, Questions and Answers
user groups, Free Support
user identities, Implementation
user logins, Questions and Answers
user management, Implementation
User Manager, NT4 Migration Using LDAP Backend
User Mode, Implementation, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
useradd, Implementation, Implementation, Implementation, Samba Configuration, Configuration for Server: MASSIVE, Applicable to All Samba 2.x to Samba-3 Upgrades
userdel, Applicable to All Samba 2.x to Samba-3 Upgrades
usermod, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
username, Security Identifiers (SIDs)
username map, Implementation, Samba Configuration, Server Preparation: All Servers
UTF-8, International Language Support
utilities, Questions and Answers
V
valid users, Questions and Answers, Checkpoint Controls, Questions and Answers
validate, Questions and Answers, Checkpoint Controls
validated, Identity Management Needs, Active Directory Domain with Samba Domain Member Server, Introduction
validation, Validation, Validation, Questions and Answers
vampire, Questions and Answers
vendor, Dissection and Discussion
vendors, Updating a Samba-3 Installation
VFS modules, Samba System File Location
virus, Implementation
VPN, Assignment Tasks
vulnerabilities, Introduction
W
wbinfo, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Samba Configuration
weakness, Technical Issues
web
caching, Assignment Tasks
proxying, Assignment Tasks
Web
proxy, Questions and Answers
access, Key Points Learned
Web browsers, Key Points Learned
WebClient, Making Happy Users
WHATSNEW.txt, Samba-2.x with LDAP Support
white-pages, Technical Issues, LDAP Server Configuration
wide-area, User Needs, Identity Management Needs, Key Points Learned, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
wide-area network, Use and Location of BDCs, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
winbind, Implementation, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Introduction, Technical Issues, Technical Issues, Samba Configuration, NSS Configuration
Winbind, Questions and Answers, Technical Issues, Key Points Learned
winbind trusted domains only, Technical Issues, Questions and Answers
winbind use default domain, Checkpoint Controls
winbindd, Validation, Validation, Technical Issues, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Questions and Answers, Samba 1.9.x and 2.x Versions Without LDAP, Updating from Samba Versions after 3.0.6 to a Current Release, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
winbindd_cache.tdb, Technical Issues
winbindd_idmap.tdb, Technical Issues
Windows, LDAP Server Configuration
client, Security Identifiers (SIDs)
NT, Security Identifiers (SIDs)
Windows 2000 ACLs, Managing Windows 200x ACLs
Windows 2003 Serve, Introduction
Windows 200x ACLs, Questions and Answers
Windows accounts, Technical Issues
Windows ACLs, Setting Posix ACLs in UNIX/Linux
Windows Address Book, LDAP Server Configuration
Windows ADS Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
Windows clients, Questions and Answers
Windows Explorer, Validation
Windows explorer, Questions and Answers
Windows security identifier (see SID)
Windows Servers, Introduction
Windows Services for UNIX (see SUS)
Windows XP, Assignment Tasks
WINS, Implementation, Technical Issues, Implementation, Windows Client Configuration, Technical Issues, Windows Client Configuration, The Nature of Windows Networking Protocols, Identity Management Needs, Questions and Answers, Questions and Answers
lookup, Questions and Answers
name resolution, Routed Networks
server, Making Happy Users, Routed Networks
WINS server, The 500-User Office, Questions and Answers
WINS serving, Implementation
wins support, Implementation
wins.dat, Identity Management Needs, Replacing a Domain Member Server
Wireshark, Requirements and Notes
wireshark, Exercises
Word, Share Point Directory and File Permissions
workgroup, Implementation, Security Identifiers (SIDs), Change of Workgroup (Domain) Name
Workgroup Announcement, Findings
workstation, Implementation
wrapper, Questions and Answers
write lock, Opportunistic Locking Controls
X
xinetd, Process Startup Configuration
XML, Dissection and Discussion
xmlsam, Implementation
Y
YaST, PAM and NSS Client Configuration
Yellow Pages, Identity Management Needs
yellow pages (see NIS)
Prev
Glossary Home
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/kerberos.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/kerberos.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/kerberos.html 2010-01-14 11:24:22.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/kerberos.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,10 +1,10 @@ -Chapter 11. Active Directory, Kerberos, and Security
Chapter 11. Active Directory, Kerberos, and Security
Prev Part III. Reference Section Next
Chapter 11. Active Directory, Kerberos, and Security
Table of Contents
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
Share Access Controls
Share Definition Controls
Share Point Directory and File Permissions
Managing Windows 200x ACLs
Key Points Learned
Questions and Answers
+Chapter 11. Active Directory, Kerberos, and Security
Chapter 11. Active Directory, Kerberos, and Security
Prev Part III. Reference Section Next
Chapter 11. Active Directory, Kerberos, and Security
Table of Contents
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
Share Access Controls
Share Definition Controls
Share Point Directory and File Permissions
Managing Windows 200x ACLs
Key Points Learned
Questions and Answers
By this point in the book, you have been exposed to many Samba-3 features and capabilities. More importantly, if you have implemented the examples given, you are well on your way to becoming a Samba-3 networking guru who knows a lot about Microsoft Windows. If you have taken the time to practice, you likely have thought of improvements and scenarios with which you can experiment. You are rather well plugged in to the many flexible ways Samba can be used. -
+
This is a book about Samba-3. Understandably, its intent is to present it in a positive light. The casual observer might conclude that this book is one-eyed about Samba. It is what would you expect? This chapter exposes some criticisms that have been raised concerning @@ -13,13 +13,13 @@ Some criticism always comes from deep inside ranks that one would expect to be supportive of a particular decision. Criticism can be expected from the outside. Let's see how the interesting dynamic of criticism develops with respect to Abmas. -
+
This chapter provides a shameless self-promotion of Samba-3. The objections raised were not pulled out of thin air. They were drawn from comments made by Samba users and from criticism during discussions with Windows network administrators. The tone of the objections reflects as closely as possible that of the original. The case presented is a straw-man example that is designed to permit each objection to be answered as it might occur in real life. -
Introduction
+
Introduction
Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took note of the spectacular projection of Abmas onto the global business stage. Abmas is building an interesting portfolio of companies that includes accounting services, financial advice, investment @@ -28,42 +28,42 @@ interesting business growth and development plan. Abmas Video Rentals was recently acquired. During the time that the acquisition was closing, the Video Rentals business upgraded its Windows NT4-based network to Windows 2003 Server and Active Directory. -
+
You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory. The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform. Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to - operate with a solution that is viewed by Christine and her group as “an island of broken - technologies.” This comment was made by one of Christine's staff as they were installing a new + operate with a solution that is viewed by Christine and her group as “an island of broken + technologies.” This comment was made by one of Christine's staff as they were installing a new Samba-3 server at the new business. -
+
Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer should make such a comment. He felt that he had to prepare in case he might be criticized for his decision to use Active Directory. He decided he would defend his decision by hiring the services - of an outside security systems consultant to report^[12] on his unit's operations + of an outside security systems consultant to report^[12] on his unit's operations and to investigate the role of Samba at his site. Here are key extracts from this hypothetical report: -
+
... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site, has been examined. We find no evidence to support a notion that vulnerabilities exist at your site. ... we took additional steps to validate the integrity of the installation and operation of Active Directory and are pleased that your staff are following sound practices.
... -
+
User and group accounts, and respective privileges, have been well thought out. File system shares are appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and effective off-site storage practices are considered to exceed industry norms. -
+
Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain a secure network. -
+
The recently installed Linux file and application server uses a tool called winbind that is indiscriminate about security. All user accounts in Active Directory can be used to access data stored on the Linux system. We are alarmed that secure information is accessible to staff who should not even be aware that it exists. We share the concerns of your network management staff who have gone to great lengths to set fine-grained controls that limit information access to those who need access. It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work. -
+
Graham Judd [head of network administration] has locked down the security of all systems and is following the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network is isolated from the outside world, the [product name removed] firewall is under current contract @@ -72,7 +72,7 @@ detail and for following Microsoft recommended best practices.
... -
+
Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft ... what worries us regarding Samba is the need to disable essential Windows security features such as @@ -80,14 +80,14 @@ mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that with trusted computing initiatives that the Samba developers do not participate in. -
+
One wonders about the integrity of an open source program that is developed by a team of hackers who cannot be held accountable for the flaws in their code. The sheer number of updates and bug fixes they have released should ring alarm bells in any business. -
+
Another factor that should be considered is that buying Microsoft products and services helps to provide employment in the IT industry. Samba and Open Source software place those jobs at risk. -
+
This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple discussion, but it gets further out of hand. When you return to your office, you find the following email in your in-box: @@ -100,23 +100,23 @@ I also wish to advise that two of the recent recruits want to implement Kerberos authentication across all systems. I concur with the desire to improve security. One of the new guys who is championing the move to Kerberos was responsible for the comment that caused the embarrassment. -
+
I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP, plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent, I would like to hire the services of a well-known Samba consultant to set the record straight. -
+
I intend to use this report to answer the criticism raised and would like to establish a policy that we will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce use of any centrally proposed standards, but make all noncompliance the financial responsibility of the out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone. -

--Stan

Assignment Tasks

+

Answer 1

- - - + + + It is a smart practice to localize DHCP servers on each network segment. As a rule, there should be two DHCP servers per network segment. This means that if one server fails, there is always another to service user needs. DHCP requests use only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network routers. This makes it possible to run fewer DHCP servers.

- - + + A DHCP network address request and confirmation usually results in about six UDP packets. The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP clients and that uses a 24-hour IP address lease. This means that all clients renew @@ -874,28 +874,28 @@

From this can be seen that the traffic impact would be minimal.

- - + + Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link, the impact of the update is no more than the DHCP IP address renewal traffic and thus still insignificant for most practical purposes. -

Answer 2

- + The process that controls the replication of data from the master LDAP server to the slave LDAP servers is called slurpd. The slurpd remains nascent (quiet) until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete) two user accounts requires less than 10KB traffic. -

Answer 3

- - - - + + + + LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific data storage system. This type of database is indexed so that records can be rapidly located, but the database is not generic and can be used only in particular pre-programmed ways. General external @@ -904,57 +904,57 @@ orientation and typically allows external programs to perform ad hoc queries, even across data tables. An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific simple queries. The term database is heavily overloaded and thus much misunderstood. -

Answer 4

- + No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface to OpenLDAP using standard LDAP queries and updates. -

Answer 5

A roaming profile consists of -

+
- Desktop folders such as Desktop, My Documents, My Pictures, My Music, Internet Files, Cookies, Application Data, Local Settings, and more. See “Making Happy Users”, “Windows XP Professional User Shared Folders”.
  - + Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all such folders can be redirected to network drive resources. See “Configuration of Default Profile with Folder Redirection” for more information regarding folder redirection. -
- +
- A static or rewritable portion that is typically only a few files (2-5 KB of information). -
- - - +
- + + The registry load file that modifies the HKEY_LOCAL_USER hive. This is the NTUSER.DAT file. It can be from 0.4 to 1.5 MB.
- + Microsoft Outlook PST files may be stored in the Local Settings\Application Data folder. It can be up to 2 GB in size per PST file. -

Answer 6

- - + + Yes. More correctly, such folders can be redirected to network shares. No specific network drive connection is required. Registry settings permit this to be redirected directly to a UNC (Universal Naming Convention) resource, though it is possible to specify a network drive letter instead of a UNC name. See “Configuration of Default Profile with Folder Redirection”. -

Answer 7

- - - + + + MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache. This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day, @@ -966,7 +966,7 @@

In conclusion, the total load afforded through WINS traffic is again marginal to total operational usage as it should be. -

Answer 8

It is recommended to have at least one BDC per network segment, including the segment served @@ -980,19 +980,19 @@

As unsatisfactory as the answer might sound, it all depends on network and server load characteristics. -

Answer 9

The correct answer to both questions is yes. But do understand that an LDAP server has a configurable schema that can store far more information for many more purposes than just NIS. -

Answer 10

- - + + No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal with the types of data necessary for interoperability with Microsoft Windows networking. The use of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/apa.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/apa.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/apa.html 2010-01-14 11:24:29.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/apa.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,50 +1,50 @@ -Appendix A. GNU General Public License version 3

Appendix A. +Appendix A. GNU General Public License version 3

Appendix A. + GNU General Public License version 3 +
Prev	Part III. Reference Section	Next

Appendix A. GNU General Public License version 3 -

Table of Contents

A. +

Table of Contents

A. Preamble -
A. +
A. TERMS AND CONDITIONS -
A. +
A. 0. Definitions. -
A. +
A. 1. Source Code. -
A. +
A. 2. Basic Permissions. -
A. +
A. 3. Protecting Users’ Legal Rights From Anti-Circumvention Law. -
A. +
A. 4. Conveying Verbatim Copies. -
A. +
A. 5. Conveying Modified Source Versions. -
A. +
A. 6. Conveying Non-Source Forms. -
A. +
A. 7. Additional Terms. -
A. +
A. 8. Termination. -
A. +
A. 9. Acceptance Not Required for Having Copies. -
A. +
A. 10. Automatic Licensing of Downstream Recipients. -
A. +
A. 11. Patents. -
A. +
A. 12. No Surrender of Others’ Freedom. -
A. +
A. 13. Use with the ???TITLE??? Affero General Public License. -
A. +
A. 14. Revised Versions of this License. -
A. +
A. 15. Disclaimer of Warranty. -
A. +
A. 16. Limitation of Liability. -
A. +
A. 17. Interpretation of Sections 15 and 16. -
A. +
A. END OF TERMS AND CONDITIONS -
A. +
A. How to Apply These Terms to Your New Programs

Version 3, 29 June 2007 @@ -54,7 +54,7 @@

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. -

+

Preamble

The GNU General Public License is a free, copyleft @@ -118,9 +118,9 @@

The precise terms and conditions for copying, distribution and modification follow. -

+

TERMS AND CONDITIONS -

+

0. Definitions.

“This License” refers to version 3 of the GNU @@ -162,7 +162,7 @@ License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. -

+

1. Source Code.

The “source code” for a work means the preferred form of the @@ -202,7 +202,7 @@ automatically from other parts of the Corresponding Source.

The Corresponding Source for a work in source code form is that same work. -

+

2. Basic Permissions.

All rights granted under this License are granted for the term of copyright @@ -227,7 +227,7 @@ Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. -

+

3. Protecting Users’ Legal Rights From Anti-Circumvention Law.

No covered work shall be deemed part of an effective technological measure @@ -242,7 +242,7 @@ the work as a means of enforcing, against the work’s users, your or third parties’ legal rights to forbid circumvention of technological measures. -

+

4. Conveying Verbatim Copies.

You may convey verbatim copies of the Program’s source code as you @@ -255,21 +255,21 @@

You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. -

+

5. Conveying Modified Source Versions.

You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: -

+
1. The work must carry prominent notices stating that you modified it, and giving a relevant date. -
2. +
3. The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices”. -
4. +
5. You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the @@ -277,7 +277,7 @@ packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. -
6. +
7. If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need @@ -291,18 +291,18 @@ or legal rights of the compilation’s users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. -
  +
  6. Conveying Non-Source Forms.
  You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: -
  1. +
    Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. -
    +
    Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts @@ -313,12 +313,12 @@ price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. -
    +
    Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. -
    +
    Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no @@ -331,7 +331,7 @@ Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. -
    +
    Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under @@ -386,7 +386,7 @@ (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. -
    +
    7. Additional Terms.
    “Additional permissions” are terms that supplement the terms of @@ -408,24 +408,24 @@ Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: -
    +
    Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or -
    +
    Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or -
    +
    Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or -
    +
    Limiting the use for publicity purposes of names of licensors or authors of the material; or -
    +
    Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or -
    +
    Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any @@ -450,7 +450,7 @@ Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. -
    +
    8. Termination.
    You may not propagate or modify a covered work except as expressly provided @@ -476,7 +476,7 @@ License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. -
    +
    9. Acceptance Not Required for Having Copies.
    You are not required to accept this License in order to receive or run a @@ -487,7 +487,7 @@ These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. -
    +
    10. Automatic Licensing of Downstream Recipients.
    Each time you convey a covered work, the recipient automatically receives a @@ -512,7 +512,7 @@ or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. -
    +
    11. Patents.
    A “contributor” is a copyright holder who authorizes use under @@ -579,7 +579,7 @@ Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. -
    +
    12. No Surrender of Others’ Freedom.
    If conditions are imposed on you (whether by court order, agreement or @@ -591,7 +591,7 @@ to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. -
    +
    13. Use with the GNU Affero General Public License.
    Notwithstanding any other provision of this License, you have permission to @@ -602,7 +602,7 @@ requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. -
    +
    14. Revised Versions of this License.
    The Free Software Foundation may publish revised and/or new versions of the @@ -627,7 +627,7 @@ Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. -
    +
    15. Disclaimer of Warranty.
    THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE @@ -638,7 +638,7 @@ THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. -
    +
    16. Limitation of Liability.
    IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL @@ -650,7 +650,7 @@ PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. -
    +
    17. Interpretation of Sections 15 and 16.
    If the disclaimer of warranty and limitation of liability provided above @@ -659,9 +659,9 @@ waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. -
    +
    END OF TERMS AND CONDITIONS -
    +
    How to Apply These Terms to Your New Programs
    If you develop a new program, and you want it to be of the greatest possible diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/appendix.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/appendix.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/appendix.html 2010-01-14 11:24:26.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/appendix.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,26 +1,26 @@ -Chapter 15. A Collection of Useful Tidbits
    Chapter 15. A Collection of Useful Tidbits
    Prev Part III. Reference Section Next
    Chapter 15. A Collection of Useful Tidbits
    Table of Contents
    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls
    - - +Chapter 15. A Collection of Useful Tidbits
    Chapter 15. A Collection of Useful Tidbits
    Prev Part III. Reference Section Next
    Chapter 15. A Collection of Useful Tidbits
    Table of Contents
    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls
    + + Information presented here is considered to be either basic or well-known material that is informative yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical, as shown in the example given below. -
    Joining a Domain: Windows 200x/XP Professional
    - +
    Joining a Domain: Windows 200x/XP Professional
    + Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security. This section steps through the process for making a Windows 200x/XP Professional machine a member of a Domain Security environment. It should be noted that this process is identical when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC. -
    Procedure 15.1. Steps to Join a Domain
    +
    Procedure 15.1. Steps to Join a Domain
    Click Start. -
    +
    Right-click My Computer, and then select Properties. -
    +
    The opening panel is the same one that can be reached by clicking System on the Control Panel. See “The General Panel.”.
    Figure 15.1. The General Panel.
    
    -
    +
    Click the Computer Name tab. This panel shows the Computer Description, the Full computer name, and the Workgroup or Domain name. @@ -29,40 +29,40 @@ Samba-3. If you wish to change the computer name, or join or leave the domain, click the Change button. See “The Computer Name Panel.”.
    Figure 15.2. The Computer Name Panel.
    
    -
    +
    Click on Change. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP. We join the domain called MIDEARTH. See “The Computer Name Changes Panel”.
    Figure 15.3. The Computer Name Changes Panel
    
    -
    +
    Enter the name MIDEARTH in the field below the Domain radio button.
    This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See “The Computer Name Changes Panel Domain MIDEARTH”.
    Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH
    
    -
    +
    Now click the OK button. A dialog box should appear to allow you to provide the credentials (username and password) of a domain administrative account that has the rights to add machines to the domain.
    - Enter the name “root” and the root password from your Samba-3 server. See “Computer Name Changes User name and Password Panel”. + Enter the name “root” and the root password from your Samba-3 server. See “Computer Name Changes User name and Password Panel”.
    Figure 15.5. Computer Name Changes User name and Password Panel
    
    -
    +
    Click OK.
    - The “Welcome to the MIDEARTH domain” dialog box should appear. At this point, the machine must be rebooted. + The “Welcome to the MIDEARTH domain” dialog box should appear. At this point, the machine must be rebooted. Joining the domain is now complete.
    - - + + The screen capture shown in “The Computer Name Changes Panel Domain MIDEARTH” has a button labeled More.... This button opens a panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.
    - - + + Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server to find the services (like which machines are domain controllers or which machines have the Netlogon service running).
    - + The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix, this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to a valid IP address. @@ -70,12 +70,12 @@ The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain. Where the client is a member of a Samba domain, it is preferable to leave this field blank.
    - - According to Microsoft documentation, “If this computer belongs to a group with Group Policy + + According to Microsoft documentation, “If this computer belongs to a group with Group Policy enabled on Primary DNS suffice of this computer, the string specified in the Group Policy is used as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is - used only if Group Policy is disabled or unspecified.” -
    Samba System File Location
    + used only if Group Policy is disabled or unspecified.” +
    Samba System File Location
    One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is in the /usr/local/samba directory. This is a perfectly reasonable location, particularly given all the other @@ -83,7 +83,7 @@
    Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team default. -
    +
    Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy System (FHS), have elected to locate the configuration files under the /etc/samba directory, common binary files (those used by users) in the /usr/bin directory, and the administrative files (daemons) in the @@ -92,13 +92,13 @@ /usr/share/swat. There are additional support files for smbd in the /usr/lib/samba directory tree. The files located there include the dynamically loadable modules for the passdb backend as well as for the VFS modules. -
    +
    Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in the /var/lib/samba directory. Log files are created in /var/log/samba.
    When Samba is built and installed using the default Samba Team process, all files are located under the /usr/local/samba directory tree. This makes it simple to find the files that Samba owns. -
    +
    One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location of all files called smbd. Here is an example:
    @@ -131,7 +131,7 @@
    Many people have been caught by installation of Samba using the default Samba Team process when it was already installed by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by - executing: + executing:
    root# rpm -qa | grep samba samba3-pdb-3.0.20-1 @@ -143,9 +143,9 @@ samba3-doc-3.0.20-1 samba3-client-3.0.20-1 samba3-cifsmount-3.0.20-1 -
    +
    The package names, of course, vary according to how the vendor, or the binary package builder, prepared them. -
    Starting Samba
    +
    Starting Samba
    Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba, there are three daemons, two of which are needed as a minimum. @@ -186,19 +186,19 @@ fi exit 0
    
    nmbd
    - - + + This daemon handles all name registration and resolution requests. It is the primary vehicle involved in network browsing. It handles all UDP-based protocols. The nmbd daemon should be the first command started as part of the Samba startup process.
    smbd
    - - + + This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also manages local authentication. It should be started immediately following the startup of nmbd.
    winbindd
    - - + + This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when Samba has trust relationships with another domain. The winbindd daemon will check the smb.conf file for the presence of the idmap uid and idmap gid @@ -252,22 +252,22 @@ echo "Usage: smb {start|stop|restart|status}" exit 1 esac -
    
    +
    
    SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently executed from the command line is shown in “A Useful Samba Control Script for SUSE Linux”. This can be located in the directory /sbin in a file called samba. This type of control script should be owned by user root and group root, and set so that only root can execute it. -
    +
    A sample startup script for a Red Hat Linux system is shown in “A Sample Samba Control Script for Red Hat Linux”. This file could be located in the directory /etc/rc.d and can be called samba. A similar startup script is required to control winbind. If you want to find more information regarding startup scripts please refer to the packaging section of the Samba source code distribution tarball. The packaging files for each platform include a startup control file. -
    DNS Configuration Files
    +
    DNS Configuration Files
    The following files are common to all DNS server configurations. Rather than repeat them multiple times, they are presented here for general reference. -
    The Forward Zone File for the Loopback Adaptor
    +
    The Forward Zone File for the Loopback Adaptor
    The forward zone file for the loopback address never changes. An example file is shown in “DNS Localhost Forward Zone File: /var/lib/named/localhost.zone”. All traffic destined for an IP address that is hosted on a physical interface on the machine itself is routed to the loopback adaptor. This is @@ -284,7 +284,7 @@ IN NS @ IN A 127.0.0.1 -
    
    The Reverse Zone File for the Loopback Adaptor
    +
    
    The Reverse Zone File for the Loopback Adaptor
    The reverse zone file for the loopback address as shown in “DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone” is necessary so that references to the address 127.0.0.1 can be resolved to the correct name of the interface. @@ -344,21 +344,21 @@ . 3600000 NS M.ROOT-SERVERS.NET. M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 ; End of File -
DNS Root Server Hint File
+

DNS Root Server Hint File

The content of the root hints file as shown in “DNS Root Name Server Hint File: /var/lib/named/root.hint” changes slowly over time. Periodically this file should be updated from the source shown. Because of its size, this file is located at the end of this chapter. -

Alternative LDAP Database Initialization

+

Alternative LDAP Database Initialization

The following procedure may be used as an alternative means of configuring the initial LDAP database. Many administrators prefer to have greater control over how system files get configured. -

Initialization of the LDAP Database

+

Initialization of the LDAP Database

The first step to get the LDAP server ready for action is to create the LDIF file from which the LDAP database will be preloaded. This is necessary to create the containers into which the user, group, and other accounts are written. It is also necessary to preload the well-known Windows NT Domain Groups, as they must have the correct SID so that they can be recognized as special NT Groups by the MS Windows clients. -

Procedure 15.2. LDAP Directory Pre-Load Steps

+
Procedure 15.2. LDAP Directory Pre-Load Steps
1. Create a directory in which to store the files you use to generate the LDAP LDIF file for your system. Execute the following:
```
@@ -366,16 +366,16 @@
 root#  chown root:root /etc/openldap/SambaInit
 root#  chmod 700 /etc/openldap/SambaInit
 
```
  -
2. +
3. Install the files shown in “LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A”, “LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B”, and “LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C” into the directory /etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh. These three files are, respectively, parts A, B, and C of the SMBLDAP-ldif-preconfig.sh file. -
4. +
5. Install the files shown in “LDIF Pattern File Used to Pre-configure LDAP Part A” and “LDIF Pattern File Used to Pre-configure LDAP Part B” into the directory /etc/openldap/SambaInit/. These two files are parts A and B, respectively, of the init-ldif.pat file. -
6. +
7. Change to the /etc/openldap/SambaInit directory. Execute the following:
```
 root#  sh SMBLDAP-ldif-preconfig.sh
@@ -415,7 +415,7 @@
 root# 
 
```
  This creates a file called MEGANET2.ldif. -
8. +
9. It is now time to preload the LDAP database with the following command:
```
@@ -466,14 +466,14 @@
 modifyTimestamp: 20031217055747Z
 entryCSN: 2003121705:57:47Z#0x000a#0#0000
 
```
  -
10. +
11. Your LDAP database is ready for testing. You can now start the LDAP server using the system tool for your Linux operating system. For SUSE Linux, you can do this as follows:
```
 root#  rcldap start
 
```
  -
12. +
13. It is now a good idea to validate that the LDAP server is running correctly. Execute the following:
```
@@ -705,14 +705,14 @@
 sambaGroupType: 2
 displayName: Domain Users
 description: Domain Users
-
```

The LDAP Account Manager

- - - - - - - +

The LDAP Account Manager

+ + + + + + + The LDAP Account Manager (LAM) is an application suite that has been written in PHP. LAM can be used with any Web server that has PHP4 support. It connects to the LDAP server either using unencrypted connections or via SSL/TLS. LAM can be used to manage @@ -724,29 +724,29 @@ The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter of 2005.

- - - + + + Requirements: -

A web server that will work with PHP4.
PHP4 (available from the PHP home page.)
OpenLDAP 2.0 or later.
A Web browser that supports CSS.
Perl.
The gettext package.
mcrypt + mhash (optional).
It is also a good idea to install SSL support.

+

A web server that will work with PHP4.
PHP4 (available from the PHP home page.)
OpenLDAP 2.0 or later.
A Web browser that supports CSS.
Perl.
The gettext package.
mcrypt + mhash (optional).
It is also a good idea to install SSL support.

LAM is a useful tool that provides a simple Web-based device that can be used to manage the contents of the LDAP directory to: - - - -

Display user/group/host and Domain entries.
Manage entries (Add/Delete/Edit).
Filter and sort entries.
Store and use multiple operating profiles.
Edit organizational units (OUs).
Upload accounts from a file.
Is compatible with Samba-2.2.x and Samba-3.

+ + + +

Display user/group/host and Domain entries.
Manage entries (Add/Delete/Edit).
Filter and sort entries.
Store and use multiple operating profiles.
Edit organizational units (OUs).
Upload accounts from a file.
Is compatible with Samba-2.2.x and Samba-3.

When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba user, group, and windows domain member machine accounts.

- - - - -The default password is “lam.” It is highly recommended that you use only + + + + +The default password is “lam.” It is highly recommended that you use only an SSL connection to your Web server for all remote operations involving LAM. If you want secure connections, you must configure your Apache Web server to permit connections to LAM using only SSL. -

Procedure 15.3. Apache Configuration Steps for LAM

+
Procedure 15.3. Apache Configuration Steps for LAM
1. Extract the LAM package by untarring it as shown here:
```
 root#  tar xzf ldap-account-manager_0.4.9.tar.gz
@@ -755,12 +755,12 @@
 
 root#  dpkg -i ldap-account-manager_0.4.9.all.deb
 

-	
```
2. +
3. Copy the extracted files to the document root directory of your Web server. For example, on SUSE Linux Enterprise Server 9, copy to the /srv/www/htdocs directory. -
4. - +
5. + Set file permissions using the following commands:
```
 root#  chown -R wwwrun:www /srv/www/htdocs/lam
@@ -769,8 +769,8 @@
 root#  chmod 755 /srv/www/htdocs/lam/config
 root#  chmod 755 /srv/www/htdocs/lam/lib/*pl
 
```
  -
6. - +
7. + Using your favorite editor create the following config.cfg LAM configuration file:
```
@@ -778,13 +778,13 @@
 root#  cp config.cfg_sample config.cfg
 root#  vi config.cfg
 
```
  - - + + An example file is shown in “Example LAM Configuration File config.cfg”. This is the minimum configuration that must be completed. The LAM profile file can be created using a convenient wizard that is part of the LAM configuration suite. -
8. +
9. Start your Web server then, using your Web browser, connect to LAM URL. Click on the the Configuration Login link then click on the @@ -794,7 +794,7 @@ lam.conf then, using your favorite editor, change the settings to match local site needs.
- + An example of a working file is shown here in “LAM Profile Control File lam.conf”. This file has been stripped of comments to keep the size small. The comments and help information provided in the profile file that the wizard creates @@ -802,12 +802,12 @@ Your configuration file obviously reflects the configuration options that are preferred at your site.
- + It is important that your LDAP server is running at the time that LAM is being configured. This permits you to validate correct operation. An example of the LAM login screen is provided in “The LDAP Account Manager Login Screen”.
Figure 15.6. The LDAP Account Manager Login Screen

- + The LAM configuration editor has a number of options that must be managed correctly. An example of use of the LAM configuration editor is shown in “The LDAP Account Manager Configuration Screen”. It is important that you correctly set the minimum and maximum UID/GID values that are @@ -817,13 +817,13 @@ the initial settings to be made. Do not forget to reset these to sensible values before using LAM to add additional users and groups.
Figure 15.7. The LDAP Account Manager Configuration Screen

- + LAM has some nice, but unusual features. For example, one unexpected feature in most application screens permits the generation of a PDF file that lists configuration information. This is a well thought out facility. This option has been edited out of the following screen shots to conserve space.
- + When you log onto LAM the opening screen drops you right into the user manager as shown in “The LDAP Account Manager User Edit Screen”. This is a logical action as it permits the most-needed facility to be used immediately. The editing of an existing user, as with the addition of a new user, @@ -837,7 +837,7 @@ shows a sub-screen from the group editor that permits users to be assigned secondary group memberships.
Figure 15.9. The LDAP Account Manager Group Edit Screen

Figure 15.10. The LDAP Account Manager Group Membership Edit Screen

- + The final screen presented here is one that you should not normally need to use. Host accounts will be automatically managed using the smbldap-tools scripts. This means that the screen “The LDAP Account Manager Host Edit Screen” will, in most cases, not be used. @@ -883,7 +883,7 @@ samba3: yes cachetimeout: 5 pwdhash: SSHA -

IDEALX Management Console

+

IDEALX Management Console

IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive web-based management interface for UNIX and Linux systems.

@@ -897,7 +897,7 @@

For further information regarding IMC refer to the web site. Prebuilt RPM packages are also available. -

Effect of Setting File and Directory SUID/SGID Permissions Explained

+

Effect of Setting File and Directory SUID/SGID Permissions Explained

The setting of the SUID/SGID bits on the file or directory permissions flag has particular consequences. If the file is executable and the SUID bit is set, it executes with the privilege of (with the UID of) the owner of the file. For example, if you are logged onto a system as @@ -967,34 +967,34 @@ total 1 drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt

-

Shared Data Integrity

+

Shared Data Integrity

The integrity of shared data is often viewed as a particularly emotional issue, especially where there are concurrent problems with multiuser data access. Contrary to the assertions of some who have experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.

The solution to concurrent multiuser data access problems must consider three separate areas - from which the problem may stem: -

application-level locking controls
client-side locking controls
server-side locking controls

+ from which the problem may stem: +

application-level locking controls
client-side locking controls
server-side locking controls

Many database applications use some form of application-level access control. An example of one well-known application that uses application-level locking is Microsoft Access. Detailed guidance is provided here because this is the most common application for which problems have been reported. -

+

Common applications that are affected by client- and server-side locking controls include MS Excel and Act!. Important locking guidance is provided here. -

Microsoft Access

+

Microsoft Access

The best advice that can be given is to carefully read the Microsoft knowledgebase articles that cover this area. Examples of relevant documents include: -

http://support.microsoft.com/default.aspx?scid=kb;en-us;208778
http://support.microsoft.com/default.aspx?scid=kb;en-us;299373

+

http://support.microsoft.com/default.aspx?scid=kb;en-us;208778
http://support.microsoft.com/default.aspx?scid=kb;en-us;299373

Make sure that your MS Access database file is configured for multiuser access (not set for exclusive open). Open MS Access on each client workstation, then set the following: (Menu bar) Tools+Options+[tab] General. Set network path to Default database folder: \\server\share\folder.

You can configure MS Access file sharing behavior as follows: click [tab] Advanced. - Set: -

Default open mode: Shared
Default Record Locking: Edited Record
Open databases using record_level locking

+ Set: +

Default open mode: Shared
Default Record Locking: Edited Record
Open databases using record_level locking

You must now commit the changes so that they will take effect. To do so, click ApplyOk. At this point, you should exit MS Access, restart it, and then validate that these settings have not changed. -

Act! Database Sharing

+

Act! Database Sharing

Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you must disable opportunistic locking on the server and all workstations. Failure to do so results in data corruption. This information is available from the Act! Web site @@ -1002,7 +1002,7 @@ 1998223162925 as well as from article 200110485036. -

+

These documents clearly state that opportunistic locking must be disabled on both the server (Samba in the case we are interested in here), as well as on every workstation from which the centrally shared Act! database will be accessed. Act! provides @@ -1010,18 +1010,18 @@ registry settings that may otherwise interfere with the operation of Act! Registered Act! users may download this utility from the Act! Web site. -

Opportunistic Locking Controls

+

Opportunistic Locking Controls

Third-party Windows applications may not be compatible with the use of opportunistic file - and record locking. For applications that are known not to be compatible,^[14] oplock + and record locking. For applications that are known not to be compatible,^[14] oplock support may need to be disabled both on the Samba server and on the Windows workstations. -

+

Oplocks enable a Windows client to cache parts of a file that are being edited. Another windows client may then request to open the file with the ability to write to it. The server will then ask the original workstation that had the file open with a write lock to release its lock. Before doing so, that workstation must flush the file from cache memory to the disk or network drive. -

+

Disabling of Oplocks usage may require server and client changes. Oplocks may be disabled by file, by file pattern, on the share, or on the Samba server. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/Big500users.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/Big500users.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/Big500users.html 2010-01-14 11:24:05.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/Big500users.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,4 +1,4 @@ -Chapter 4. The 500-User Office

Chapter 4. The 500-User Office
Prev	Part I. Example Network Configurations	Next

Chapter 4. The 500-User Office

Table of Contents

Introduction

Assignment Tasks

Dissection and Discussion

Technical Issues
Political Issues

Implementation

Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server-Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned

Questions and Answers

+Chapter 4. The 500-User Office

Chapter 4. The 500-User Office
Prev	Part I. Example Network Configurations	Next

Chapter 4. The 500-User Office

Table of Contents

Introduction

Assignment Tasks

Dissection and Discussion

Technical Issues
Political Issues

Implementation

Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server-Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned

Questions and Answers

The Samba-3 networking you explored in “Secure Office Networking” covers the finer points of configuration of peripheral services such as DHCP and DNS, and WINS. You experienced implementation of a simple configuration of the services that are important adjuncts @@ -6,9 +6,9 @@

An analysis of the history of postings to the Samba mailing list easily demonstrates that the two most prevalent Samba problem areas are -

+
- Defective resolution of a NetBIOS name to its IP address -
- +
- Printing problems
The exercises @@ -17,9 +17,9 @@ that same approach to printing, but “Making Happy Users” presents an opportunity to make printing more complex for the administrator while making it easier for the user.
- - - + + + “Secure Office Networking” demonstrates operation of a DHCP server and a DNS server as well as a central WINS server. You validated the operation of these services and saw an effective implementation of a Samba domain controller using the @@ -41,7 +41,7 @@ improve network management and control while reducing human resource overheads. You should take the opportunity to innovate and expand on the methods presented here and explore them to the fullest. -
Introduction
+
Introduction
Business continues to go well for Abmas. Mr. Meany is driving your success and the network continues to grow thanks to the hard work Christine has done. You recently hired Stanley Soroka as manager of information systems. Christine recommended Stan @@ -66,7 +66,7 @@ and to allow Stan and Christine to fully stage the new network and test it before it is rolled out. Your strategy is to complete the new network so that it is ready for operation when the old office moves into the new premises. -
Assignment Tasks
+
Assignment Tasks
The acquired business had 280 network users. The old Abmas building housed 220 network users in unbelievably cramped conditions. The network that initially served 130 users now handles 220 users quite well. @@ -107,7 +107,7 @@ DirectPointe Inc. receives from you a new standard desktop configuration every four months. They automatically roll that out to each desktop system. You must keep DirectPointe informed of all changes. -
+
The new network has a single Samba Primary Domain Controller (PDC) located in the Network Operation Center (NOC). Buildings 1 and 2 each have a local server for local application servicing. It is a domain member. The new system @@ -115,8 +115,8 @@
Printing is based on raw pass-through facilities just as it has been used so far. All printer drivers are installed on the desktop and notebook computers. -
Dissection and Discussion
- +
Dissection and Discussion
+ The example you are building in this chapter is of a network design that works, but this does not make it a design that is recommended. As a general rule, there should be at least one Backup Domain Controller (BDC) per 150 Windows network clients. The principle behind @@ -127,22 +127,22 @@ responsiveness. This network will have 500 clients serviced by one central domain controller. This is not a good omen for user satisfaction. You, of course, address this very soon (see “Making Happy Users”). -
Technical Issues
+
Technical Issues
Stan has talked you into a horrible compromise, but it is addressed. Just make certain that the performance of this network is well validated before going live.
Design decisions made in this design include the following: -
- - - +
+ + + A single PDC is being implemented. This limitation is based on the choice not to use LDAP. Many network administrators fear using LDAP because of the perceived complexity of implementation and management of an LDAP-based backend for all user identity management as well as to store network access credentials. -
- - +
+ + Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the only choice that makes sense with 500 users is to use the tdbsam passwd backend. This type of backend is not receptive to replication to BDCs. If the tdbsam @@ -151,63 +151,63 @@ memory but not yet written to disk will not be replicated, and (2) domain member machines periodically change the secret machine password. When this happens, there is no mechanism to return the changed password to the PDC. -
+
All domain user, group, and machine accounts are managed on the PDC. This makes for a simple mode of operation but has to be balanced with network performance and integrity of operations considerations. -
- +
+ A single central WINS server is being used. The PDC is also the WINS server. Any attempt to operate a routed network without a WINS server while using NetBIOS over TCP/IP protocols does not work unless on each client the name resolution entries for the PDC are added to the LMHOSTS. This file is normally located on the Windows XP Professional client in the C:\WINDOWS\SYSTEM32\ETC\DRIVERS directory. -
+
At this time the Samba WINS database cannot be replicated. That is why a single WINS server is being implemented. This should work without a problem. -
- +
+ BDCs make use of winbindd to provide access to domain security credentials for file system access and object storage. -
- - +
+ + Configuration of Windows XP Professional clients is achieved using DHCP. Each subnet has its own DHCP server. Backup DHCP serving is provided by one alternate DHCP server. This necessitates enabling of the DHCP Relay agent on all routers. The DHCP Relay agent must be programmed to pass DHCP Requests from the network directed at the backup DHCP server. -
+
All network users are granted the ability to print to any printer that is network-attached. All printers are available from each server. Print jobs that are spooled to a printer that is not on the local network segment are automatically routed to the print spooler that is in control of that printer. The specific details of how this might be done are demonstrated for one example only. -
+
The network address and subnetmask chosen provide 1022 usable IP addresses in each subnet. If in the future more addresses are required, it would make sense to add further subnets rather than change addressing. -
Political Issues
+

Political Issues

This case gets close to the real world. You and I know the right way to implement domain control. Politically, we have to navigate a minefield. In this case, the need is to get the PDC rolled out in compliance with expectations and also to be ready to save the day by having the real solution ready before it is needed. That real solution is presented in “Making Happy Users”. -

Implementation

+

Implementation

The following configuration process begins following installation of Red Hat Fedora Core2 on the three servers shown in the network topology diagram in “Network Topology 500 User Network Using tdbsam passdb backend.”. You have selected hardware that is appropriate to the task. -

Figure 4.1. Network Topology 500 User Network Using tdbsam passdb backend.

Installation of DHCP, DNS, and Samba Control Files

+

Figure 4.1. Network Topology 500 User Network Using tdbsam passdb backend.

Installation of DHCP, DNS, and Samba Control Files

Carefully install the configuration files into the correct locations as shown in “Domain: MEGANET, File Locations for Servers”. You should validate that the full file path is correct as shown.

The abbreviation shown in this table as {VLN} refers to the directory location beginning with /var/lib/named. -

Table 4.1. Domain: MEGANET, File Locations for Servers

File Information		Server Name
Source	Target Location	MASSIVE	BLDG1	BLDG2
“Server: MASSIVE (PDC), File: /etc/samba/smb.conf”	`/etc/samba/smb.conf`	Yes	No	No
“Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf”	`/etc/samba/dc-common.conf`	Yes	No	No
“Common Samba Configuration File: /etc/samba/common.conf”	`/etc/samba/common.conf`	Yes	Yes	Yes
“Server: BLDG1 (Member), File: smb.conf”	`/etc/samba/smb.conf`	No	Yes	No
“Server: BLDG2 (Member), File: smb.conf”	`/etc/samba/smb.conf`	No	No	Yes
“Common Domain Member Include File: dom-mem.conf”	`/etc/samba/dommem.conf`	No	Yes	Yes
“Server: MASSIVE, File: dhcpd.conf”	`/etc/dhcpd.conf`	Yes	No	No
“Server: BLDG1, File: dhcpd.conf”	`/etc/dhcpd.conf`	No	Yes	No
“Server: BLDG2, File: dhcpd.conf”	`/etc/dhcpd.conf`	No	No	Yes
“Server: MASSIVE, File: named.conf, Part: A”	`/etc/named.conf (part A)`	Yes	No	No
“Server: MASSIVE, File: named.conf, Part: B”	`/etc/named.conf (part B)`	Yes	No	No
“Server: MASSIVE, File: named.conf, Part: C”	`/etc/named.conf (part C)`	Yes	No	No
“Forward Zone File: abmas.biz.hosts”	`{VLN}/master/abmas.biz.hosts`	Yes	No	No
“Forward Zone File: abmas.biz.hosts”	`{VLN}/master/abmas.us.hosts`	Yes	No	No
“Servers: BLDG1/BLDG2, File: named.conf, Part: A”	`/etc/named.conf (part A)`	No	Yes	Yes
“Servers: BLDG1/BLDG2, File: named.conf, Part: B”	`/etc/named.conf (part B)`	No	Yes	Yes
“DNS Localhost Forward Zone File: /var/lib/named/localhost.zone”	`{VLN}/localhost.zone`	Yes	Yes	Yes
“DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone”	`{VLN}/127.0.0.zone`	Yes	Yes	Yes
“DNS Root Name Server Hint File: /var/lib/named/root.hint”	`{VLN}/root.hint`	Yes	Yes	Yes

Server Preparation: All Servers

+

Table 4.1. Domain: MEGANET, File Locations for Servers

File Information		Server Name
Source	Target Location	MASSIVE	BLDG1	BLDG2
“Server: MASSIVE (PDC), File: /etc/samba/smb.conf”	`/etc/samba/smb.conf`	Yes	No	No
“Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf”	`/etc/samba/dc-common.conf`	Yes	No	No
“Common Samba Configuration File: /etc/samba/common.conf”	`/etc/samba/common.conf`	Yes	Yes	Yes
“Server: BLDG1 (Member), File: smb.conf”	`/etc/samba/smb.conf`	No	Yes	No
“Server: BLDG2 (Member), File: smb.conf”	`/etc/samba/smb.conf`	No	No	Yes
“Common Domain Member Include File: dom-mem.conf”	`/etc/samba/dommem.conf`	No	Yes	Yes
“Server: MASSIVE, File: dhcpd.conf”	`/etc/dhcpd.conf`	Yes	No	No
“Server: BLDG1, File: dhcpd.conf”	`/etc/dhcpd.conf`	No	Yes	No
“Server: BLDG2, File: dhcpd.conf”	`/etc/dhcpd.conf`	No	No	Yes
“Server: MASSIVE, File: named.conf, Part: A”	`/etc/named.conf (part A)`	Yes	No	No
“Server: MASSIVE, File: named.conf, Part: B”	`/etc/named.conf (part B)`	Yes	No	No
“Server: MASSIVE, File: named.conf, Part: C”	`/etc/named.conf (part C)`	Yes	No	No
“Forward Zone File: abmas.biz.hosts”	`{VLN}/master/abmas.biz.hosts`	Yes	No	No
“Forward Zone File: abmas.biz.hosts”	`{VLN}/master/abmas.us.hosts`	Yes	No	No
“Servers: BLDG1/BLDG2, File: named.conf, Part: A”	`/etc/named.conf (part A)`	No	Yes	Yes
“Servers: BLDG1/BLDG2, File: named.conf, Part: B”	`/etc/named.conf (part B)`	No	Yes	Yes
“DNS Localhost Forward Zone File: /var/lib/named/localhost.zone”	`{VLN}/localhost.zone`	Yes	Yes	Yes
“DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone”	`{VLN}/127.0.0.zone`	Yes	Yes	Yes
“DNS Root Name Server Hint File: /var/lib/named/root.hint”	`{VLN}/root.hint`	Yes	Yes	Yes

Server Preparation: All Servers

The following steps apply to all servers. Follow each step carefully. -

Procedure 4.1. Server Preparation Steps

+
Procedure 4.1. Server Preparation Steps
1. Using the UNIX/Linux system tools, set the name of the server as shown in the network topology diagram in “Network Topology 500 User Network Using tdbsam passdb backend.”. For SUSE Linux products, the tool that permits this is called yast2; for Red Hat Linux products, @@ -220,17 +220,17 @@
```
 root#  hostname -f
 
```
  -
2. - - +
3. + + Edit your /etc/hosts file to include the primary names and addresses of all network interfaces that are on the host server. This is necessary so that during startup the system is able to resolve all its own names to the IP address prior to startup of the DNS server. You should check the startup order of your system. If the CUPS print server is started before the DNS server (named), you should also include an entry for the printers in the /etc/hosts file. -
4. - +
5. + All DNS name resolution should be handled locally. To ensure that the server is configured correctly to handle this, edit /etc/resolv.conf so it has the following content: @@ -240,9 +240,9 @@
  This instructs the name resolver function (when configured correctly) to ask the DNS server that is running locally to resolve names to addresses. -
6. - - +
7. + + Add the root user to the password backend:
```
 root#  smbpasswd -a root
@@ -254,9 +254,9 @@
 			This account is essential in the regular maintenance of your Samba server. It must never be
 			deleted. If for any reason the account is deleted, you may not be able to recreate this account
 			without considerable trouble.
-			
```
8. - - +
9. + + Create the username map file to permit the root account to be called Administrator from the Windows network environment. To do this, create the file /etc/samba/smbusers with the following contents: @@ -282,39 +282,39 @@ # End of File ####
  -
10. +
11. Configure all network-attached printers to have a fixed IP address. -
12. +
13. Create an entry in the DNS database on the server MASSIVE in both the forward lookup database for the zone abmas.biz.hosts and in the reverse lookup database for the network segment that the printer is located in. Example configuration files for similar zones were presented in “Secure Office Networking”, “DNS Abmas.biz Forward Zone File” and “DNS 192.168.2 Reverse Zone File”. -
14. +
15. Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100. Use any other port the manufacturer specifies for direct mode, raw printing. This allows the CUPS spooler to print using raw mode protocols. - - -
16. - + + +
17. + Only on the server to which the printer is attached configure the CUPS Print Queues as follows:
```
 root#  lpadmin -p printque -v socket://printer-name.abmas.biz:9100 -E
 
```
  - + This step creates the necessary print queue to use no assigned print filter. This is ideal for raw printing, that is, printing without use of filters. The name printque is the name you have assigned for the particular printer. -
18. +
19. Print queues may not be enabled at creation. Make certain that the queues you have just created are enabled by executing the following:
```
 root#  /usr/bin/enable printque
 
```
  -
20. +
21. Even though your print queue may be enabled, it is still possible that it does not accept print jobs. A print queue services incoming printing requests only when configured to do so. Ensure that your print queue is @@ -322,10 +322,10 @@
```
 root#  /usr/bin/accept printque
 
```
  -
22. - - - +
23. + + + This step, as well as the next one, may be omitted where CUPS version 1.1.18 or later is in use. Although it does no harm to follow it anyway, and may help to avoid time spent later trying to figure out why print jobs may be @@ -335,41 +335,41 @@
```
 application/octet-stream     application/vnd.cups-raw      0     -
 
```
  -
24. - +
25. + Edit the file /etc/cups/mime.types to uncomment the line:
```
 application/octet-stream
 
```
  -
26. +
27. Refer to the CUPS printing manual for instructions regarding how to configure CUPS so that print queues that reside on CUPS servers on remote networks route print jobs to the print server that owns that queue. The default setting on your CUPS server may automatically discover remotely installed printers and may permit this functionality without requiring specific configuration. -
28. +
29. As part of the roll-out program, you need to configure the application's server shares. This can be done once on the central server and may then be replicated using a tool such as rsync. Refer to the man page for rsync for details regarding use. The notes in “Application Share Configuration” may help in your decisions to use an application server facility. -
Note
+

Note

Logon scripts that are run from a domain controller (PDC or BDC) are capable of using semi-intelligent processes to automap Windows client drives to an application server that is nearest to the client. This is considerably more difficult when a single PDC is used on a routed network. It can be done, but not as elegantly as you see in the next chapter. -

Server-Specific Preparation

+

Server-Specific Preparation

There are some steps that apply to particular server functionality only. Each step is critical to correct server operation. The following step-by-step installation guidance will assist you in working through the process of configuring the PDC and then both BDC's. -

Configuration for Server: `MASSIVE`

+

Configuration for Server: `MASSIVE`

The steps presented here attempt to implement Samba installation in a generic manner. While some steps are clearly specific to Linux, it should not be too difficult to apply them to your platform of choice. -

Procedure 4.2. Primary Domain Controller Preparation

- - +
Procedure 4.2. Primary Domain Controller Preparation
1. + + The host server acts as a router between the two internal network segments as well as for all Internet access. This necessitates that IP forwarding be enabled. This can be achieved by adding to the /etc/rc.d/boot.local an entry as follows: @@ -378,7 +378,7 @@
  To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute that command manually also. This setting permits the Linux system to act as a router. -
2. +
3. This server is dual hosted (i.e., has two network interfaces) one goes to the Internet and the other to a local network that has a router that is the gateway to the remote networks. You must therefore configure the server with route table entries so that it can find machines @@ -396,46 +396,46 @@ not persistent across system reboots. You may add these commands directly to the local startup files as follows: (SUSE) /etc/rc.d/boot.local, (Red Hat) /etc/rc.d/init.d/rc.local. -
4. - +
5. + The final step that must be completed is to edit the /etc/nsswitch.conf file. This file controls the operation of the various resolver libraries that are part of the Linux Glibc libraries. Edit this file so that it contains the following entries:
```
 hosts:      files dns wins
 
```
  -
6. - +
7. + Create and map Windows domain groups to UNIX groups. A sample script is provided in “Initialize Groups Script, File: /etc/samba/initGrps.sh”. Create a file containing this script. You called yours /etc/samba/initGrps.sh. Set this file so it can be executed and then execute the script. An example of the execution of this script as well as its validation are shown in Section 4.3.2, Step 5. -
8. - - - +
9. + + + For each user who needs to be given a Windows domain account, make an entry in the /etc/passwd file as well as in the Samba password backend. Use the system tool of your choice to create the UNIX system account, and use the Samba smbpasswd to create a domain user account.
  - - - + + + There are a number of tools for user management under UNIX, such as useradd, adduser, as well as a plethora of custom tools. With the tool of your choice, create a home directory for each user. -
10. +
11. Using the preferred tool for your UNIX system, add each user to the UNIX groups created previously as necessary. File system access control is based on UNIX group membership. -
12. +
13. Create the directory mount point for the disk subsystem that is to be mounted to provide data storage for company files, in this case, the mount point indicated in the smb.conf file is /data. Format the file system as required and mount the formatted file system partition using appropriate system tools. -
14. - +
15. + Create the top-level file storage directories for data and applications as follows:
```
 root#  mkdir -p /data/{accounts,finsvcs,pidata}
@@ -453,7 +453,7 @@
 			The directory root of the finsvcs share is /data/finsvcs.
 			The /apps directory is the root of the apps share
 			that provides the application server infrastructure.
-			
```
16. +
17. The smb.conf file specifies an infrastructure to support roaming profiles and network logon services. You can now create the file system infrastructure to provide the locations on disk that these services require. Adequate planning is essential @@ -474,9 +474,9 @@ root# chown 'username':users /var/lib/samba/profiles/'username' root# chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
  -
18. - - +
19. + + Create a logon script. It is important that each line is correctly terminated with a carriage return and line-feed combination (i.e., DOS encoding). The following procedure works if the right tools (unxi2dos and dos2unix) are installed. @@ -491,7 +491,7 @@ root# dos2unix < /var/lib/samba/netlogon/scripts/logon.bat.unix \ > /var/lib/samba/netlogon/scripts/logon.bat
  -
20. +
21. There is one preparatory step without which you cannot have a working Samba network environment. You must add an account for each network user. You can do this by executing the following steps for each user: @@ -508,18 +508,18 @@ Added user username.
  You do, of course, use a valid user login ID in place of username. -
22. +
23. Follow the processes shown in “Process Startup Configuration” to start all services. -
24. +
25. Your server is ready for validation testing. Do not proceed with the steps in “Configuration Specific to Domain Member Servers: BLDG1, BLDG2” until after the operation of the server has been validated following the same methods as outlined in “Secure Office Networking”, “Validation”. -

Configuration Specific to Domain Member Servers: `BLDG1, BLDG2`

+

Configuration Specific to Domain Member Servers: `BLDG1, BLDG2`

The following steps will guide you through the nuances of implementing BDCs for the broadcast isolated network segments. Remember that if the target installation platform is not Linux, it may be necessary to adapt some commands to the equivalent on the target platform. -

Procedure 4.3. Backup Domain Controller Configuration Steps

- +
Procedure 4.3. Backup Domain Controller Configuration Steps
1. + The final step that must be completed is to edit the /etc/nsswitch.conf file. This file controls the operation of the various resolver libraries that are part of the Linux Glibc libraries. Edit this file so that it contains the following entries: @@ -528,27 +528,27 @@ group: files winbind hosts: files dns wins
  -
2. +
3. Follow the steps outlined in “Process Startup Configuration” to start all services. Do not start Samba at this time. Samba is controlled by the process called smb. -
4. - +
5. + You must now attempt to join the domain member servers to the domain. The following instructions should be executed to effect this:
```
 root#  net rpc join 
 
```
  -
6. - +
7. + You now start the Samba services by executing:
```
 root#  service smb start
 
```
  -
8. +
9. Your server is ready for validation testing. Do not proceed with the steps in “Configuration Specific to Domain Member Servers: BLDG1, BLDG2” until after the operation of the server has been validated following the same methods as outlined in “Validation”. -

Example 4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf

# Global parameters

[global]

workgroup = MEGANET

netbios name = MASSIVE

interfaces = eth1, lo

bind interfaces only = Yes

passdb backend = tdbsam

smb ports = 139

add user script = /usr/sbin/useradd -m '%u'

delete user script = /usr/sbin/userdel -r '%u'

add group script = /usr/sbin/groupadd '%g'

delete group script = /usr/sbin/groupdel '%g'

add user to group script = /usr/sbin/usermod -G '%g' '%u'

add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'

preferred master = Yes

wins support = Yes

include = /etc/samba/dc-common.conf

[accounts]

comment = Accounting Files

path = /data/accounts

read only = No

[service]

comment = Financial Services Files

path = /data/service

read only = No

[pidata]

comment = Property Insurance Files

path = /data/pidata

read only = No

Example 4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf

# Global parameters

[global]

shutdown script = /var/lib/samba/scripts/shutdown.sh

abort shutdown script = /sbin/shutdown -c

logon script = scripts\logon.bat

logon path = \%L\profiles\%U

logon drive = X:

logon home = \%L\%U

domain logons = Yes

preferred master = Yes

include = /etc/samba/common.conf

[homes]

comment = Home Directories

valid users = %S

read only = No

browseable = No

[netlogon]

comment = Network Logon Service

path = /var/lib/samba/netlogon

guest ok = Yes

locking = No

[profiles]

comment = Profile Share

path = /var/lib/samba/profiles

read only = No

profile acls = Yes

Example 4.3. Common Samba Configuration File: /etc/samba/common.conf

[global]

username map = /etc/samba/smbusers

log level = 1

syslog = 0

log file = /var/log/samba/%m

max log size = 50

smb ports = 139

name resolve order = wins bcast hosts

time server = Yes

printcap name = CUPS

show add printer wizard = No

shutdown script = /var/lib/samba/scripts/shutdown.sh

abort shutdown script = /sbin/shutdown -c

utmp = Yes

map acl inherit = Yes

printing = cups

veto files = /*.eml/*.nws/*.{*}/

veto oplock files = /*.doc/*.xls/*.mdb/

include =

# Share and Service Definitions are common to all servers

[printers]

comment = SMB Print Spool

path = /var/spool/samba

guest ok = Yes

printable = Yes

use client driver = Yes

default devmode = Yes

browseable = No

[apps]

comment = Application Files

path = /apps

admin users = bjordan

read only = No

Example 4.4. Server: BLDG1 (Member), File: smb.conf

# Global parameters

[global]

workgroup = MEGANET

netbios name = BLDG1

include = /etc/samba/dom-mem.conf

Example 4.5. Server: BLDG2 (Member), File: smb.conf

# Global parameters

[global]

workgroup = MEGANET

netbios name = BLDG2

include = /etc/samba/dom-mem.conf

Example 4.6. Common Domain Member Include File: dom-mem.conf

# Global parameters

[global]

shutdown script = /var/lib/samba/scripts/shutdown.sh

abort shutdown script = /sbin/shutdown -c

preferred master = Yes

wins server = 172.16.0.1

idmap uid = 15000-20000

idmap gid = 15000-20000

include = /etc/samba/common.conf

Example 4.7. Server: MASSIVE, File: dhcpd.conf

+

Example 4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf

# Global parameters

[global]

workgroup = MEGANET

netbios name = MASSIVE

interfaces = eth1, lo

bind interfaces only = Yes

passdb backend = tdbsam

smb ports = 139

add user script = /usr/sbin/useradd -m '%u'

delete user script = /usr/sbin/userdel -r '%u'

add group script = /usr/sbin/groupadd '%g'

delete group script = /usr/sbin/groupdel '%g'

add user to group script = /usr/sbin/usermod -G '%g' '%u'

add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'

preferred master = Yes

wins support = Yes

include = /etc/samba/dc-common.conf

[accounts]

comment = Accounting Files

path = /data/accounts

read only = No

[service]

comment = Financial Services Files

path = /data/service

read only = No

[pidata]

comment = Property Insurance Files

path = /data/pidata

read only = No

Example 4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf

# Global parameters

[global]

shutdown script = /var/lib/samba/scripts/shutdown.sh

abort shutdown script = /sbin/shutdown -c

logon script = scripts\logon.bat

logon path = \%L\profiles\%U

logon drive = X:

logon home = \%L\%U

domain logons = Yes

preferred master = Yes

include = /etc/samba/common.conf

[homes]

comment = Home Directories

valid users = %S

read only = No

browseable = No

[netlogon]

comment = Network Logon Service

path = /var/lib/samba/netlogon

guest ok = Yes

locking = No

[profiles]

comment = Profile Share

path = /var/lib/samba/profiles

read only = No

profile acls = Yes

Example 4.3. Common Samba Configuration File: /etc/samba/common.conf

[global]

username map = /etc/samba/smbusers

log level = 1

syslog = 0

log file = /var/log/samba/%m

max log size = 50

smb ports = 139

name resolve order = wins bcast hosts

time server = Yes

printcap name = CUPS

show add printer wizard = No

shutdown script = /var/lib/samba/scripts/shutdown.sh

abort shutdown script = /sbin/shutdown -c

utmp = Yes

map acl inherit = Yes

printing = cups

veto files = /*.eml/*.nws/*.{*}/

veto oplock files = /*.doc/*.xls/*.mdb/

include =

# Share and Service Definitions are common to all servers

[printers]

comment = SMB Print Spool

path = /var/spool/samba

guest ok = Yes

printable = Yes

use client driver = Yes

default devmode = Yes

browseable = No

[apps]

comment = Application Files

path = /apps

admin users = bjordan

read only = No

Example 4.4. Server: BLDG1 (Member), File: smb.conf

# Global parameters

[global]

workgroup = MEGANET

netbios name = BLDG1

include = /etc/samba/dom-mem.conf

Example 4.5. Server: BLDG2 (Member), File: smb.conf

# Global parameters

[global]

workgroup = MEGANET

netbios name = BLDG2

include = /etc/samba/dom-mem.conf

Example 4.6. Common Domain Member Include File: dom-mem.conf

# Global parameters

[global]

shutdown script = /var/lib/samba/scripts/shutdown.sh

abort shutdown script = /sbin/shutdown -c

preferred master = Yes

wins server = 172.16.0.1

idmap uid = 15000-20000

idmap gid = 15000-20000

include = /etc/samba/common.conf

Example 4.7. Server: MASSIVE, File: dhcpd.conf

 # Abmas Accounting Inc.
 
 default-lease-time 86400;
@@ -897,9 +897,9 @@
 net groupmap add ntgroup="Accounts Dept"       unixgroup=acctsdep type=d
 net groupmap add ntgroup="Financial Services"  unixgroup=finsrvcs type=d
 net groupmap add ntgroup="Insurance Group"     unixgroup=piops type=d
-

Process Startup Configuration

- - +

Process Startup Configuration

+ + There are two essential steps to process startup configuration. A process must be configured so that it is automatically restarted each time the server is rebooted. This step involves use of the chkconfig tool that @@ -908,7 +908,7 @@ directories. Links are created so that when the system run-level is changed, the necessary start or kill script is run.

- + In the event that a service is provided not as a daemon but via the internetworking super daemon (inetd or xinetd), then the chkconfig tool makes the necessary entries in the /etc/xinetd.d directory @@ -918,10 +918,10 @@ Last, each service must be started to permit system validation to proceed. The following steps are for a Red Hat Linux system, please adapt them to suit the target OS platform on which you are installing Samba. -

Procedure 4.4. Process Startup Configuration Steps

+
Procedure 4.4. Process Startup Configuration Steps
1. Use the standard system tool to configure each service to restart automatically at every system reboot. For example, - +
```
 root#  chkconfig dhpc on
 root#  chkconfig named on
@@ -929,10 +929,10 @@
 root#  chkconfig smb on
 root#  chkconfig swat on
 
```
  -
2. - - - +
3. + + + Now start each service to permit the system to be validated. Execute each of the following in the sequence shown: @@ -943,70 +943,70 @@ root# service smb restart root# service swat restart
  -

Windows Client Configuration

+

Windows Client Configuration

The procedure for desktop client configuration for the network in this chapter is similar to that used for the previous one. There are a few subtle changes that should be noted. -

Procedure 4.5. Windows Client Configuration Steps

+
Procedure 4.5. Windows Client Configuration Steps
1. Install MS Windows XP Professional. During installation, configure the client to use DHCP for TCP/IP protocol configuration. - - + + DHCP configures all Windows clients to use the WINS Server address that has been defined for the local subnet. -
2. +
3. Join the Windows domain MEGANET. Use the domain administrator username root and the SMB password you assigned to this account. A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to a Windows domain is given in “A Collection of Useful Tidbits”, “Joining a Domain: Windows 200x/XP Professional”. Reboot the machine as prompted and then log on using the domain administrator account (root). -
4. +
5. Verify that the server called MEGANET is visible in My Network Places, that it is possible to connect to it and see the shares accounts, apps, and finsvcs, and that it is possible to open each share to reveal its contents. -
6. +
7. Create a drive mapping to the apps share on a server. At this time, it does not particularly matter which application server is used. It is necessary to manually set a persistent drive mapping to the local applications server on each workstation at the time of installation. This step is avoided by the improvements to the design of the network configuration in the next chapter. -
8. +
9. Perform an administrative installation of each application to be used. Select the options that you wish to use. Of course, you choose to run applications over the network, correct? -
10. +
11. Now install all applications to be installed locally. Typical tools include Adobe Acrobat, NTP-based time synchronization software, drivers for specific local devices such as fingerprint scanners, and the like. Probably the most significant application to be locally installed is antivirus software. -
12. +
13. Now install all four printers onto the staging system. The printers you install include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers, and you also configure use of the identical printers that are located in the financial services department. Install printers on each machine using the following steps: -
  Procedure 4.6. Steps to Install Printer Drivers on Windows Clients
  1. +
    Procedure 4.6. Steps to Install Printer Drivers on Windows Clients
    Click Start → Settings → Printers+Add Printer+Next. Do not click Network printer. Ensure that Local printer is selected. -
    +
    Click Next. In the Manufacturer: panel, select HP. In the Printers: panel, select the printer called HP LaserJet 6. Click Next. -
    +
    In the Available ports: panel, select FILE:. Accept the default printer name by clicking - Next. When asked, “Would you like to print a - test page?”, click No. Click + Next. When asked, “Would you like to print a + test page?”, click No. Click Finish. -
    +
    You may be prompted for the name of a file to print to. If so, close the dialog panel. Right-click HP LaserJet 6 → Properties. -
    +
    In the Network panel, enter the name of the print queue on the Samba server as follows: \\BLDG1\hplj6a. Click OK+OK to complete the installation. -
    +
    Repeat the printer installation steps above for both HP LaserJet 6 printers as well as for both QMS Magicolor laser printers. Remember to install all printers but to set the destination port for each to the server on the @@ -1018,69 +1018,69 @@ configuration (as well as the applications server drive mapping) to the server on the network segment on which the workstation is to be located.
    -
  2. +
  3. When you are satisfied that the staging systems are complete, use the appropriate procedure to remove the client from the domain. Reboot the system, and then log on as the local administrator and clean out all temporary files stored on the system. Before shutting down, use the disk defragmentation tool so that the file system is in optimal condition before replication. -
  4. +
  5. Boot the workstation using the Norton (Symantec) Ghosting disk (or CD-ROM) and image the machine to a network share on the server. -
  6. +
  7. You may now replicate the image using the appropriate Norton Ghost procedure to the target machines. Make sure to use the procedure that ensures each machine has a unique Windows security identifier (SID). When the installation of the disk image is complete, boot the PC. -
  8. +
  9. Log onto the machine as the local Administrator (the only option), and join the machine to the domain following the procedure set out in “A Collection of Useful Tidbits”, “Joining a Domain: Windows 200x/XP Professional”. You must now set the persistent drive mapping to the applications server that the user is to use. The system is now ready for the user to log on, provided you have created a network logon account for that user, of course. -
  10. +
  11. Instruct all users to log onto the workstation using their assigned username and password. -
Key Points Learned
+

Key Points Learned

The network you have just deployed has been a valuable exercise in forced constraint. You have deployed a network that works well, although you may soon start to see performance problems, at which time the modifications demonstrated in “Making Happy Users” bring the network to life. The following key learning points were experienced: -

+
- The power of using smb.conf include files -
- +
- Use of a single PDC over a routed network -
- +
- Joining a Samba-3 domain member server to a Samba-3 domain -
- +
- Configuration of winbind to use domain users and groups for Samba access to resources on the domain member servers -
- +
- The introduction of roaming profiles -

Questions and Answers

-

+

Questions and Answers

+

The example smb.conf files in this chapter make use of the include facility. How may I get to see what the actual working smb.conf settings are? -
+
Why does the include file common.conf have an empty include statement? -
+
I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend. I tried using rsync to replicate the passdb.tdb, and it seems to work fine! So what is the problem? -
+
You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash? -
+
How does the Windows client find the PDC? -
+
Why did you enable IP forwarding (routing) only on the server called MASSIVE? -
+
You did nothing special to implement roaming profiles. Why? -
+
On the domain member computers, you configured winbind in the /etc/nsswitch.conf file. You did not configure any PAM settings. Is this an omission? -
+
You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this? -
+
The domain controller has an auto-shutdown script. Isn't that dangerous? -

+
The example smb.conf files in this chapter make use of the include facility. How may I get to see what the actual working smb.conf settings are?
@@ -1088,7 +1088,7 @@
root# testparm -s | less
-
+
Why does the include file common.conf have an empty include statement?
The use of the empty include statement nullifies further includes. For example, let's say you @@ -1101,7 +1101,7 @@ If the include parameter was not in the common.conf file, the final smb.conf file leaves the include in place, even though the file it points to has already been included. This is a bug that will be fixed at a future date. -
+
I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend. I tried using rsync to replicate the passdb.tdb, and it seems to work fine! @@ -1111,7 +1111,7 @@ contents between the PDC and BDCs. The most notable symptom is that workstations may not be able to log onto the network following a reboot and may have to rejoin the domain to recover network access capability. -
+
You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server @@ -1120,26 +1120,26 @@
The only exception to this rule is when the client makes a directed request from a specific DHCP server for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash. -
+
How does the Windows client find the PDC?
The Windows client obtains the WINS server address from the DHCP lease information. It also obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast) to register itself with the WINS server and to obtain enumeration of vital network information to enable it to operate successfully. -
+
Why did you enable IP forwarding (routing) only on the server called MASSIVE?
The server called MASSIVE is acting as a router to the Internet. No other server (BLDG1 or BLDG2) has any need for IP forwarding because they are attached only to their own network. Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network segments to the router that is its gateway to them. -
+
You did nothing special to implement roaming profiles. Why?
Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional clients is to use roaming profiles. -
+
On the domain member computers, you configured winbind in the /etc/nsswitch.conf file. You did not configure any PAM settings. Is this an omission?
@@ -1148,7 +1148,7 @@ member servers using Windows networking usernames and passwords, it is necessary to configure PAM to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name service switch (NSS). -
+
You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed @@ -1157,7 +1157,7 @@ of smb.conf include files because SWAT optimizes them out into an aggregated file but leaves in place a broken reference to the top-layer include file. SWAT was not designed to handle this functionality gracefully. -
+
The domain controller has an auto-shutdown script. Isn't that dangerous?
Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/ch14.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/ch14.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/ch14.html 2010-01-14 11:24:24.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/ch14.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,12 +1,12 @@ -Chapter 14. Samba Support
Chapter 14. Samba Support
Prev Part III. Reference Section Next
Chapter 14. Samba Support
Table of Contents
Free Support
Commercial Support
- -One of the most difficult to answer questions in the information technology industry is, “What is -support?”. That question irritates some folks, as much as common answers may annoy others. +Chapter 14. Samba Support
Chapter 14. Samba Support
Prev Part III. Reference Section Next
Chapter 14. Samba Support
Table of Contents
Free Support
Commercial Support
+ +One of the most difficult to answer questions in the information technology industry is, “What is +support?”. That question irritates some folks, as much as common answers may annoy others.
- + The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to an Internet service provider who, instead of listening to the problem to find a solution, blandly replies: -“Oh, Linux? We do not support Linux!”. It has happened to me, and similar situations happen +“Oh, Linux? We do not support Linux!”. It has happened to me, and similar situations happen through-out the IT industry. Answers like that are designed to inform us that there are some customers that a business just does not want to deal with, and well may we feel the anguish of the rejection that is dished out. @@ -15,50 +15,50 @@ at the right time, no matter the situation. Support is all that it takes to take away pain, disruption, inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk.
- - - + + + One of the forces that has become a driving force for the adoption of open source software is the fact that many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or that have been found wanting for other reasons.
- - + + In recognition of the need for needs satisfaction as the primary experience an information technology user or consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience in respect of problem resolution.
- - - + + + In the open source software arena there are two support options: free support and paid-for (commercial) support. -
Free Support
- - - - - - +
Free Support
+ + + + + + Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user supported mutual assistance.
- - - - - + + + + + The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments. Information regarding subscription to the Samba mailing list can be found on the Samba web site. The public mailing list that can be used to obtain free, user contributed, support is called the samba list. The email address for this list is at mail:samba@samba.org. Information regarding the Samba IRC channels may be found on the Samba IRC web page.
- - - - + + + + As a general rule, it is considered poor net behavior to contact a Samba Team member directly for free support. Most active members of the Samba Team work exceptionally long hours to assist users who have demonstrated a qualified problem. Some team members may respond to direct email @@ -66,9 +66,9 @@ Team members actually provide professional paid-for Samba support and it is therefore wise to show appropriate discretion and reservation in all direct contact.
- - - + + + When you stumble across a Samba bug, often the quickest way to get it resolved is by posting a bug report. All such reports are mailed to the responsible code maintainer for action. The better the report, and the more serious it is, @@ -76,16 +76,16 @@ the reported bug it is likely to be rejected. It is up to you to provide sufficient information that will permit the problem to be reproduced.
- + We all recognize that sometimes free support does not provide the answer that is sought within the time-frame required. At other times the problem is elusive and you may lack the experience necessary to isolate the problem and thus to resolve it. This is a situation where is may be prudent to purchase paid-for support. -
Commercial Support
+
Commercial Support
There are six basic support oriented services that are most commonly sought by Samba sites: -
Assistance with network design
Staff Training
Assistance with Samba network deployment and installation
Priority telephone or email Samba configuration assistance
Trouble-shooting and diagnostic assistance
Provision of quality assured ready-to-install Samba binary packages
- - +
Assistance with network design
Staff Training
Assistance with Samba network deployment and installation
Priority telephone or email Samba configuration assistance
Trouble-shooting and diagnostic assistance
Provision of quality assured ready-to-install Samba binary packages
+ + Information regarding companies that provide professional Samba support can be obtained by performing a Google search, as well as by reference to the Samba Support web page. Companies who notify the Samba Team that they provide commercial support are given a free listing that is sorted by the country of origin. @@ -93,13 +93,13 @@ provider and to satisfy yourself that both the company and its staff are able to deliver what is required of them.
- + The policy within the Samba Team is to treat all commercial support providers equally and to show no preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else. You are encouraged to obtain the services needed from a company in your local area. The open source movement is pro-community; so do what you can to help a local business to prosper.
- + Open source software support can be found in any quality, at any price and in any place you can to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for suffering in the mistaken belief that Samba is unsupported software it is supported. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/DMSMig.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/DMSMig.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/DMSMig.html 2010-01-14 11:24:20.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/DMSMig.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,4 +1,4 @@ -Part II. Domain Members, Updating Samba and Migration
Part II. Domain Members, Updating Samba and Migration
Prev Next
Part II. Domain Members, Updating Samba and Migration
Domain Members, Updating Samba and Migration
+Part II. Domain Members, Updating Samba and Migration
Part II. Domain Members, Updating Samba and Migration
Prev Next
Part II. Domain Members, Updating Samba and Migration
Domain Members, Updating Samba and Migration
This section Samba-3 by Example covers two main topics: How to add Samba Domain Member Servers and Samba Domain Member Clients to a Samba domain, the other subject is that of how to migrate from and NT4 Domain, a NetWare server, or from an earlier @@ -7,4 +7,4 @@ Those who are making use of the chapter on Adding UNIX clients and servers running Samba to a Samba or a Windows networking domain may also benefit by referring to the book The Official Samba-3 HOWTO and Reference Guide. -
Table of Contents
7. Adding Domain Member Servers and Clients
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Samba Domain with Samba Domain Member Server Using NSS LDAP
NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
NT4/Samba Domain with Samba Domain Member Server without NSS Support
Active Directory Domain with Samba Domain Member Server
UNIX/Linux Client Domain Member
Key Points Learned
Questions and Answers
8. Updating Samba-3
Introduction
Cautions and Notes
Upgrading from Samba 1.x and 2.x to Samba-3
Samba 1.9.x and 2.x Versions Without LDAP
Applicable to All Samba 2.x to Samba-3 Upgrades
Samba-2.x with LDAP Support
Updating a Samba-3 Installation
Samba-3 to Samba-3 Updates on the Same Server
Migrating Samba-3 to a New Server
Migration of Samba Accounts to Active Directory
9. Migrating NT4 Domain to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
NT4 Migration Using LDAP Backend
NT4 Migration Using tdbsam Backend
Key Points Learned
Questions and Answers
10. Migrating NetWare Server to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
NetWare Migration Using LDAP Backend
Prev Next
Chapter 6. A Distributed 2000-User Network Home Chapter 7. Adding Domain Member Servers and Clients
+
Table of Contents
7. Adding Domain Member Servers and Clients
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Samba Domain with Samba Domain Member Server Using NSS LDAP
NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
NT4/Samba Domain with Samba Domain Member Server without NSS Support
Active Directory Domain with Samba Domain Member Server
UNIX/Linux Client Domain Member
Key Points Learned
Questions and Answers
8. Updating Samba-3
Introduction
Cautions and Notes
Upgrading from Samba 1.x and 2.x to Samba-3
Samba 1.9.x and 2.x Versions Without LDAP
Applicable to All Samba 2.x to Samba-3 Upgrades
Samba-2.x with LDAP Support
Updating a Samba-3 Installation
Samba-3 to Samba-3 Updates on the Same Server
Migrating Samba-3 to a New Server
Migration of Samba Accounts to Active Directory
9. Migrating NT4 Domain to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
NT4 Migration Using LDAP Backend
NT4 Migration Using tdbsam Backend
Key Points Learned
Questions and Answers
10. Migrating NetWare Server to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
NetWare Migration Using LDAP Backend
Prev Next
Chapter 6. A Distributed 2000-User Network Home Chapter 7. Adding Domain Member Servers and Clients
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/DomApps.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/DomApps.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/DomApps.html 2010-01-14 11:24:23.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/DomApps.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,9 +1,9 @@ -Chapter 12. Integrating Additional Services
Chapter 12. Integrating Additional Services
Prev Part III. Reference Section Next
Chapter 12. Integrating Additional Services
Table of Contents
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Removal of Pre-Existing Conflicting RPMs
Key Points Learned
Questions and Answers
- - - - - +Chapter 12. Integrating Additional Services
Chapter 12. Integrating Additional Services
Prev Part III. Reference Section Next
Chapter 12. Integrating Additional Services
Table of Contents
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Removal of Pre-Existing Conflicting RPMs
Key Points Learned
Questions and Answers
+ + + + + You've come a long way now. You have pretty much mastered Samba-3 for most uses it can be put to. Up until now, you have cast Samba-3 in the leading role, and where authentication was required, you have used one or another of @@ -14,7 +14,7 @@ implementing Samba and Samba-supported services in a domain controlled by the latest Windows authentication technologies. Let's get started this is leading edge. -
Introduction
+
Introduction
Abmas has continued its miraculous growth; indeed, nothing seems to be able to stop its diversification into multiple (and seemingly unrelated) fields. Its latest acquisition is Abmas Snack Foods, a big player in the snack-food @@ -30,17 +30,17 @@ You have decided to set the ball rolling by introducing Samba-3 into the network gradually, taking over key services and easing the way to a full migration and, therefore, integration into Abmas's existing business later. -
Assignment Tasks
- - +
Assignment Tasks
+ + You've promised the skeptical Abmas Snack Foods management team that you can show them how Samba can ease itself and other Open Source technologies into their existing infrastructure and deliver sound business advantages. Cost cutting is high on their agenda (a major promise of the acquisition). You have chosen Web proxying and caching as your proving ground.
- - + + Abmas Snack Foods has several thousand users housed at its head office and multiple regional offices, plants, and warehouses. A high proportion of the business's work is done online, so Internet access for most of these @@ -50,9 +50,9 @@ the team soon discovered proxying and caching. In fact, they became one of the earliest commercial users of Microsoft ISA.
- - - + + + The team is not happy with ISA. Because it never lived up to its marketing promises, it underperformed and had reliability problems. You have pounced on the opportunity to show what Open Source can do. The one thing they do like, however, is ISA's @@ -63,30 +63,30 @@
This is a hands-on exercise. You build software applications so that you obtain the functionality Abmas needs. -
Dissection and Discussion
+
Dissection and Discussion
The key requirements in this business example are straightforward. You are not required to do anything new, just to replicate an existing system, not lose any existing features, and improve performance. The key points are: -
+
Internet access for most employees -
+
Distributed system to accommodate load and geographical distribution of users -
+
Seamless and transparent interoperability with the existing Active Directory domain -
Technical Issues
- - - - - - - - - - - - - +
Technical Issues
+ + + + + + + + + + + + + Functionally, the user's Internet Explorer requests a browsing session with the Squid proxy, for which it offers its AD authentication token. Squid hands off the authentication request to the Samba-3 authentication helper application @@ -99,79 +99,79 @@ This process is entirely transparent and seamless to the user.
Enabling this consists of: -
+
Preparing the necessary environment using preconfigured packages -
+
Setting up raw Kerberos authentication against the Active Directory domain -
+
Configuring, compiling, and then installing the supporting Samba-3 components -
+
Tying it all together -
Political Issues
+
Political Issues
You are a stranger in a strange land, and all eyes are upon you. Some would even like to see you fail. For you to gain the trust of your newly acquired IT people, it is essential that your solution does everything the old one did, but does it better in every way. Only then will the entrenched positions consider taking up your new way of doing things on a wider scale. -
Implementation
- +
Implementation
+ First, your system needs to be prepared and in a known good state to proceed. This consists of making sure that everything the system depends on is present and that everything that could interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 packages and updating them if necessary. If conflicting packages of these programs are installed, they must be removed.
- + The following packages should be available on your Red Hat Linux system: -
- - +
+ + krb5-libs -
+
krb5-devel -
+
krb5-workstation -
+
krb5-server -
+
pam_krb5
- + In the case of SUSE Linux, these packages are called: -
+
heimdal-lib -
+
heimdal-devel -
- +
+ heimdal -
+
pam_krb5
If the required packages are not present on your system, you must install them from the vendor's installation media. Follow the administrative guide for your Linux system to ensure that the packages are correctly updated. -
Note
- - - +
Note
+ + + If the requirement is for interoperation with MS Windows Server 2003, it will be necessary to ensure that you are using MIT Kerberos version 1.3.1 or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires updating.
- - + + Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version. -
Removal of Pre-Existing Conflicting RPMs
- +
Removal of Pre-Existing Conflicting RPMs
+ If Samba and/or Squid RPMs are installed, they should be updated. You can build both from source.
- - - + + + Locating the packages to be un-installed can be achieved by running:
root# rpm -qa | grep -i samba @@ -181,11 +181,11 @@
root# rpm -e samba-common
-
Kerberos Configuration
- - - - +
Kerberos Configuration
+ + + + The systems Kerberos installation must be configured to communicate with your primary Active Directory server (ADS KDC).
@@ -193,13 +193,13 @@ although the current default Red Hat MIT version 1.2.7 gives acceptable results unless you are using Windows 2003 servers.
- - - - - - - + + + + + + + Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an /etc/krb5.conf file in order to work correctly. All ADS domains automatically create SRV records in the DNS zone Kerberos.REALM.NAME for each KDC in the realm. Since both @@ -207,30 +207,30 @@ automatically find the KDCs. In addition, krb5.conf allows specifying only a single KDC, even if there is more than one. Using the DNS lookup allows the KRB5 libraries to use whichever KDCs are available. -
Procedure 12.1. Kerberos Configuration Steps
- +
Procedure 12.1. Kerberos Configuration Steps
+ If you find the need to manually configure the krb5.conf, you should edit it to have the contents shown in “Kerberos Configuration File: /etc/krb5.conf”. The final fully qualified path for this file should be /etc/krb5.conf. -
- - - - - - - - - - - - - +
+ + + + + + + + + + + + + The following gotchas often catch people out. Kerberos is case sensitive. Your realm must - be in UPPERCASE, or you will get an error: “Cannot find KDC for requested realm while getting - initial credentials”. Kerberos is picky about time synchronization. The time + be in UPPERCASE, or you will get an error: “Cannot find KDC for requested realm while getting + initial credentials”. Kerberos is picky about time synchronization. The time according to your participating servers must be within 5 minutes or you get an error: - “kinit(v5): Clock skew too great while getting initial credentials”. + “kinit(v5): Clock skew too great while getting initial credentials”. Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is 5 minutes). A better solution is to implement NTP throughout your server network. Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC. @@ -240,8 +240,8 @@ /etc/hosts entry mapping the IP address of your KDC to its NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error when you try to join the realm. -
- +
+ You are now ready to test your installation by issuing the command:
root# kinit [USERNAME@REALM] @@ -261,57 +261,57 @@ LONDON.ABMAS.BIZ = { kdc = w2k3s.london.abmas.biz } -

+

The command
root# klist -e
shows the Kerberos tickets cached by the system. -
Samba Configuration
- +
Samba Configuration
+ Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it has the necessary components to interface with Active Directory. -
Procedure 12.2. Securing Samba-3 With ADS Support Steps
- - - - - +
Procedure 12.2. Securing Samba-3 With ADS Support Steps
+ + + + + Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team FTP site. The official Samba Team RPMs for Red Hat Fedora Linux contain the ntlm_auth tool needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
- - + + The necessary, validated RPM packages for SUSE Linux may be obtained from the SerNet FTP site that is located in Germany. All SerNet RPMs are validated, have the necessary ntlm_auth tool, and are statically linked against suitably patched Heimdal 0.6 libraries. -
+
Using your favorite editor, change the /etc/samba/smb.conf file so it has contents similar to the example shown in “Samba Configuration File: /etc/samba/smb.conf”. -
- - - i - - +
+ + + i + + Next you need to create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. - This is done with the “net ads join -U [Administrator%Password]” + This is done with the “net ads join -U [Administrator%Password]” command, as follows:
root# net ads join -U administrator%vulcon
-
- - - - - +
+ + + + + Your new Samba binaries must be started in the standard manner as is applicable to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
@@ -319,12 +319,12 @@ root# nmbd -D root# winbindd -D
-
- - - - - +
+ + + + + We now need to test that Samba is communicating with the Active Directory domain; most specifically, we want to see whether winbind is enumerating users and groups. Issue the following commands: @@ -356,9 +356,9 @@ LONDON+DnsUpdateProxy
This enumerates all the groups in your Active Directory tree. -
- - +
+ + Squid uses the ntlm_auth helper build with Samba-3. You may test ntlm_auth with the command:
@@ -369,20 +369,20 @@
root# NT_STATUS_OK: Success (0x0)
-
- - - - - - - - +
+ + + + + + + + The ntlm_auth helper, when run from a command line as the user - “root”, authenticates against your Active Directory domain (with + “root”, authenticates against your Active Directory domain (with the aid of winbind). It manages this by reading from the winbind privileged pipe. - Squid is running with the permissions of user “squid” and group - “squid” and is not able to do this unless we make a vital change. + Squid is running with the permissions of user “squid” and group + “squid” and is not able to do this unless we make a vital change. Squid cannot read from the winbind privilege pipe unless you change the permissions of its directory. This is the single biggest cause of failure in the whole process. Remember to issue the following command (for Red Hat Linux): @@ -395,77 +395,77 @@ root# chgrp squid /var/lib/samba/winbindd_privileged root# chmod 750 /var/lib/samba/winbindd_privileged
-
NSS Configuration
- - - +
NSS Configuration
+ + + For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
Edit your /etc/nsswitch.conf file so it has the parameters shown in “NSS Configuration File Extract File: /etc/nsswitch.conf”. -
Example 12.2. Samba Configuration File: /etc/samba/smb.conf

[global]
workgroup = LONDON
netbios name = W2K3S
realm = LONDON.ABMAS.BIZ
security = ads
encrypt passwords = yes
password server = w2k3s.london.abmas.biz
# separate domain and username with '/', like DOMAIN/username
winbind separator = /
# use UIDs from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use GIDs from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind user default domain = yes

Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf
+
Example 12.2. Samba Configuration File: /etc/samba/smb.conf

[global]
workgroup = LONDON
netbios name = W2K3S
realm = LONDON.ABMAS.BIZ
security = ads
encrypt passwords = yes
password server = w2k3s.london.abmas.biz
# separate domain and username with '/', like DOMAIN/username
winbind separator = /
# use UIDs from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use GIDs from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind user default domain = yes

Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf
passwd: files winbind shadow: files group: files winbind -

Squid Configuration
- - +

Squid Configuration
+ + Squid must be configured correctly to interact with the Samba-3 components that handle Active Directory authentication. -
Configuration
Procedure 12.3. Squid Configuration Steps
- - - +
Configuration
Procedure 12.3. Squid Configuration Steps
+ + + If your Linux distribution is SUSE Linux 9, the version of Squid supplied is already enabled to use the winbind helper agent. You can therefore omit the steps that would build the Squid binary programs. -
- - - - - +
+ + + + + Squid, by default, runs as the user nobody. You need to add a system user squid and a system group squid if they are not set up already (if the default Red Hat squid rpms were installed, they will be). Set up a squid user in /etc/passwd and a squid group in /etc/group if these aren't there already. -
- - +
+ + You now need to change the permissions on Squid's var directory. Enter the following command:
root# chown -R squid /var/cache/squid
-
- - +
+ + Squid must also have control over its logging. Enter the following commands:
root# chown -R chown squid:squid /var/log/squid root# chmod 770 /var/log/squid
-
+
Finally, Squid must be able to write to its disk cache! Enter the following commands:
root# chown -R chown squid:squid /var/cache/squid root# chmod 770 /var/cache/squid
-
- +
+ The /etc/squid/squid.conf file must be edited to include the lines from “Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]” and “Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]”. -
- +
+ You must create Squid's cache directories before it may be run. Enter the following command:
root# squid -z
-
+
Finally, start Squid and enjoy transparent Active Directory authentication. Enter the following command:
@@ -487,23 +487,23 @@ auth_param basic credentialsttl 2 hours acl AuthorizedUsers proxy_auth REQUIRED http_access allow all AuthorizedUsers -

Key Points Learned
- - - - - +

Key Points Learned
+ + + + + Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft Windows clients use, even when accessing traditional services such as Web browsers. Depending on whom you discuss this with, this is either good or bad. No matter how you might evaluate this, the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over the cookie-based authentication regime used by all competing browsers. It is Samba's implementation of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter. -
Questions and Answers
- - - - +
Questions and Answers
+ + + + The development of the ntlm_auth module was first discussed in many Open Source circles in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of ntlm_auth during one of the late developer meetings that took place. Since that time, the @@ -515,41 +515,41 @@ wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following comments were made with respect to questions regarding the performance of this installation:
- [In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The “almost” + [In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The “almost” part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory. Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk. -
+
What does Samba have to do with Web proxy serving? -
+
What other services does Samba provide? -
+
Does use of Samba (ntlm_auth) improve the performance of Squid? -
+
What does Samba have to do with Web proxy serving?
- - - - - + + + + + To provide transparent interoperability between Windows clients and the network services that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit of Open Source software is that it can readily be reused. The current ntlm_auth module is basically a wrapper around authentication code from the core of the Samba project.
- - - - - - - - - + + + + + + + + + The ntlm_auth module supports basic plain-text authentication and NTLMSSP protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without the user being interrupted via his or her Windows logon credentials. This facility is available with @@ -557,36 +557,36 @@ There are a few open source initiatives to provide support for these protocols in the Apache Web server also.
- + The short answer is that by adding a wrapper around key authentication components of Samba, other projects (like Squid) can benefit from the labors expended in meeting user interoperability needs. -
+
What other services does Samba provide?
- - - - - + + + + + Samba-3 is a file and print server. The core components that provide this functionality are smbd, nmbd, and the identity resolver daemon, winbindd.
- - + + Samba-3 is an SMB/CIFS client. The core component that provides this is called smbclient.
- - - - - + + + + + Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities. Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial server products). -
+
Does use of Samba (ntlm_auth) improve the performance of Squid?
Not really. Samba's ntlm_auth module handles only authentication. It requires that diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/ExNetworks.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/ExNetworks.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/ExNetworks.html 2010-01-14 11:24:12.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/ExNetworks.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,4 +1,4 @@ -Part I. Example Network Configurations
Part I. Example Network Configurations
Prev Next
Part I. Example Network Configurations
Example Network Configurations
+Part I. Example Network Configurations
Part I. Example Network Configurations
Prev Next
Part I. Example Network Configurations
Example Network Configurations
This section of Samba-3 by Example provides example network configurations that can be copied, or modified as needed, and deployed as-is. The contents have been marginally updated to reflect changes made in Samba=3.0.23. @@ -20,4 +20,4 @@ commercial support options may be obtained from the commercial support pages from the Samba web site. -
Table of Contents
1. No-Frills Samba Servers
Introduction
Assignment Tasks
Drafting Office
Charity Administration Office
Accounting Office
Questions and Answers
2. Small Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Validation
Notebook Computers: A Special Case
Key Points Learned
Questions and Answers
3. Secure Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Basic System Configuration
Samba Configuration
Configuration of DHCP and DNS Servers
Printer Configuration
Process Startup Configuration
Validation
Application Share Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
4. The 500-User Office
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server-Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
5. Making Happy Users
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Checklist
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning User Rights and Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
6. A Distributed 2000-User Network
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Key Points Learned
Questions and Answers
Prev Next
Preface Home Chapter 1. No-Frills Samba Servers
+
Table of Contents
1. No-Frills Samba Servers
Introduction
Assignment Tasks
Drafting Office
Charity Administration Office
Accounting Office
Questions and Answers
2. Small Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Validation
Notebook Computers: A Special Case
Key Points Learned
Questions and Answers
3. Secure Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Basic System Configuration
Samba Configuration
Configuration of DHCP and DNS Servers
Printer Configuration
Process Startup Configuration
Validation
Application Share Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
4. The 500-User Office
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server-Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
5. Making Happy Users
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Checklist
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning User Rights and Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
6. A Distributed 2000-User Network
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Key Points Learned
Questions and Answers
Prev Next
Preface Home Chapter 1. No-Frills Samba Servers
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/go01.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/go01.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/go01.html 2010-01-14 11:24:30.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/go01.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,4 +1,4 @@ -Glossary
Glossary
Prev Next
Glossary
Access Control List
+Glossary
Glossary
Prev Next
Glossary
Access Control List
A detailed list of permissions granted to users or groups with respect to file and network resource access.
Active Directory Service
@@ -11,7 +11,7 @@ the Internet hype in the 1990s. At about the time that the SMB protocol was renamed to CIFS, an additional dialect of the SMB protocol was in development. The need for the deployment of the NetBIOS layer was also removed, thus paving the way for use of the SMB - protocol natively over TCP/IP (known as NetBIOS-less SMB or “naked” TCP + protocol natively over TCP/IP (known as NetBIOS-less SMB or “naked” TCP transport).
Common UNIX Printing System
A recent implementation of a high-capability printing system for UNIX developed by @@ -96,8 +96,8 @@ DER refers to Distinguished Encoding Rules. These are a set of common rules for creating binary encodings in a platform-independent manner. Samba has support for SPNEGO.
The Official Samba-3 HOWTO and Reference Guide, Second Edition
- This book makes repeated reference to “The Official Samba-3 HOWTO and Reference Guide, Second - Edition” by John H. Terpstra and Jelmer R. Vernooij. This publication is available from + This book makes repeated reference to “The Official Samba-3 HOWTO and Reference Guide, Second + Edition” by John H. Terpstra and Jelmer R. Vernooij. This publication is available from Amazon.com. Publisher: Prentice Hall PTR (August 2005), ISBN: 013122282.
User IDentifier
@@ -111,5 +111,5 @@ freely available for UNIX/Linux and Microsoft Windows systems from the Wireshark Web site.
Prev Next
Appendix A. - GNU General Public License version 3 + GNU General Public License version 3 Home Index
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/HA.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/HA.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/HA.html 2010-01-14 11:24:24.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/HA.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,7 +1,7 @@ -Chapter 13. Performance, Reliability, and Availability
Chapter 13. Performance, Reliability, and Availability
Prev Part III. Reference Section Next
Chapter 13. Performance, Reliability, and Availability
Table of Contents
Introduction
Dissection and Discussion
Guidelines for Reliable Samba Operation
Name Resolution
Samba Configuration
Use and Location of BDCs
Use One Consistent Version of MS Windows Client
For Scalability, Use SAN-Based Storage on Samba Servers
Distribute Network Load with MSDFS
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
Hardware Problems
Large Directories
Key Points Learned
- - - +Chapter 13. Performance, Reliability, and Availability
Chapter 13. Performance, Reliability, and Availability
Prev Part III. Reference Section Next
Chapter 13. Performance, Reliability, and Availability
Table of Contents
Introduction
Dissection and Discussion
Guidelines for Reliable Samba Operation
Name Resolution
Samba Configuration
Use and Location of BDCs
Use One Consistent Version of MS Windows Client
For Scalability, Use SAN-Based Storage on Samba Servers
Distribute Network Load with MSDFS
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
Hardware Problems
Large Directories
Key Points Learned
+ + + Well, you have reached one of the last chapters of this book. It is customary to attempt to wrap up the theme and contents of a book in what is generally regarded as the chapter that should draw conclusions. This book is a suspense thriller, and since @@ -10,8 +10,8 @@ regarding some of the things everyone can do to deliver a reliable Samba-3 network.

In a world so full of noise, how can the sparrow be heard? -

--Anonymous
Introduction
- +

--Anonymous
Introduction
+ The sparrow is a small bird whose sounds are drowned out by the noise of the busy world it lives in. Likewise, the simple steps that can be taken to improve the reliability and availability of a Samba network are often drowned out by the volume @@ -20,22 +20,22 @@ itself to discussion of clustering because each clustering methodology uses its own custom tools and methods. Only passing comments are offered concerning these methods.
- - - + + + A search - for “samba cluster” produced 71,600 hits. And a search for “highly available samba” - and “highly available windows” produced an amazing number of references. + for “samba cluster” produced 71,600 hits. And a search for “highly available samba” + and “highly available windows” produced an amazing number of references. It is clear from the resources on the Internet that Windows file and print services availability, reliability, and scalability are of vital interest to corporate network users.
- + So without further background, you can review a checklist of simple steps that can be taken to ensure acceptable network performance while keeping costs of ownership well under control. -
Dissection and Discussion
- - +
Dissection and Discussion
+ + If it is your purpose to get the best mileage out of your Samba servers, there is one rule that must be obeyed. If you want the best, keep your implementation as simple as possible. You may well be forced to introduce some complexities, but you should do so only as a last resort. @@ -44,8 +44,8 @@ make life easier for your successor. Simple implementations can be more readily audited than can complex ones.
- - + + Problems reported by users fall into three categories: configurations that do not work, those that have broken behavior, and poor performance. The term broken behavior means that the function of a particular Samba component appears to work sometimes, but not at @@ -54,12 +54,12 @@ list of Windows machines in MS Explorer changes, sometimes listing machines that are running and at other times not listing them even though the machines are in use on the network.
- - - - - - + + + + + + A significant number of reports concern problems with the smbfs file system driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that smbfs is part of Samba, simply because Samba includes the front-end tools @@ -70,32 +70,32 @@ common infrastructure with some Samba components, but they are not maintained as part of Samba and are really foreign to it.
- + The new project, cifsfs, is destined to replace smbfs. It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in this project.
Table 13.1 lists typical causes of: -
Not Working (NW)
Broken Behavior (BB)
Poor Performance (PP)
Table 13.1. Effect of Common Problems
Problem
NW
BB
PP
File locking
-
X
-
Hardware problems
X
X
X
Incorrect authentication
X
X
-
Incorrect configuration
X
X
X
LDAP problems
X
X
-
Name resolution
X
X
X
Printing problems
X
X
-
Slow file transfer
-
-
X
Winbind problems
X
X
-

- +
Not Working (NW)
Broken Behavior (BB)
Poor Performance (PP)
Table 13.1. Effect of Common Problems
Problem
NW
BB
PP
File locking
-
X
-
Hardware problems
X
X
X
Incorrect authentication
X
X
-
Incorrect configuration
X
X
X
LDAP problems
X
X
-
Name resolution
X
X
X
Printing problems
X
X
-
Slow file transfer
-
-
X
Winbind problems
X
X
-

+ It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate problems that affect basic network operation. This book has provided sufficient working examples to help you to avoid all these problems. -
Guidelines for Reliable Samba Operation
- - +
Guidelines for Reliable Samba Operation
+ + Your objective is to provide a network that works correctly, can grow at all times, is resilient at times of extreme demand, and can scale to meet future needs. The following subject areas provide pointers that can help you today. -
Name Resolution
+
Name Resolution
There are three basic current problem areas: bad hostnames, routed networks, and network collisions. These are covered in the following discussion. -
Bad Hostnames
- - - - - +
Bad Hostnames
+ + + + + When configured as a DHCP client, a number of Linux distributions set the system hostname to localhost. If the parameter netbios name is not specified to something other than localhost, the Samba server appears @@ -107,13 +107,13 @@ the local Windows machine itself. Hostnames must be valid for Windows networking to function correctly.
- + A few sites have tried to name Windows clients and Samba servers with a name that begins with the digits 1-9. This does not work either because it may result in the client or server attempting to use that name as an IP address.
- - + + A Samba server called FRED in a NetBIOS domain called COLLISION in a network environment that is part of the fully-qualified Internet domain namespace known as parrots.com, results in DNS name lookups for fred.parrots.com @@ -121,50 +121,50 @@ (workgroup) collision.parrots.com, since this results in DNS lookup attempts to resolve fred.parrots.com.parrots.com, which most likely fails given that you probably do not have this in your DNS namespace. -
Note
- - - +
Note
+ + + An Active Directory realm called collision.parrots.com is perfectly okay, although it too must be capable of being resolved via DNS, something that functions correctly if Windows 200x ADS has been properly installed and configured. -
Routed Networks
- - - +
Routed Networks
+ + + NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use of UDP-based broadcast traffic, as you saw during the exercises in “Networking Primer”.
- - - + + + UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based networking cannot function across routed networks (i.e., multi-subnet networks) unless special provisions are made: -
- - - +
+ + + Either install on every Windows client an LMHOSTS file (located in the directory C:\windows\system32\drivers\etc). It is also necessary to add to the Samba server smb.conf file the parameters remote announce and remote browse sync. For more information, refer to the online manual page for the smb.conf file. -
- +
+ Or configure Samba as a WINS server, and configure all network clients to use that WINS server in their TCP/IP configuration. -
Note
- - +
Note
+ + The use of DNS is not an acceptable substitute for WINS. DNS does not store specific information regarding NetBIOS networking particulars that get stored in the WINS name resolution database and that Windows clients require and depend on. -
Network Collisions
- - - - +
Network Collisions
+ + + + Excessive network activity causes NetBIOS network timeouts. Timeouts may result in blue screen of death (BSOD) experiences. High collision rates may be caused by excessive UDP broadcast activity, by defective networking hardware, or through excessive network @@ -173,9 +173,9 @@ The use of WINS is highly recommended to reduce network broadcast traffic, as outlined in “Networking Primer”.
- - - + + + Under no circumstances should the facility be supported by many routers, known as NetBIOS forwarding, unless you know exactly what you are doing. Inappropriate use of this facility can result in UDP broadcast storms. In one case in 1999, a university network became @@ -183,13 +183,13 @@ testing of a Samba server. The maximum throughput on a 100-Base-T (100 MB/sec) network was less than 15 KB/sec. After the NetBIOS forwarding was turned off, file transfer performance immediately returned to 11 MB/sec. -
Samba Configuration
+
Samba Configuration
As a general rule, the contents of the smb.conf file should be kept as simple as possible. No parameter should be specified unless you know it is essential to operation.
- - - + + + Many UNIX administrators like to fully document the settings in the smb.conf file. This is a bad idea because it adds content to the file. The smb.conf file is re-read by every smbd process every time the file timestamp changes (or, on systems where this does not work, every 20 seconds or so). @@ -197,7 +197,7 @@ As the size of the smb.conf file grows, the risk of introducing parsing errors also increases. It is recommended to keep a fully documented smb.conf file on hand, and then to operate Samba only with an optimized file. -
+
The preferred way to maintain a documented file is to call it something like smb.conf.master. You can generate the optimized file by executing:
@@ -223,7 +223,7 @@ Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions
- + You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C. The important thing to note is the noted Server role, as well as warning messages. Noted configuration conflicts must be remedied before proceeding. For example, the following error message represents a @@ -233,28 +233,28 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.

- - - + + + There are two parameters that can cause severe network performance degradation: socket options and socket address. The socket options parameter was often necessary when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from this parameter being set. Do not use either parameter unless it has been proven necessary to use them.
- - - - + + + + Another smb.conf parameter that may cause severe network performance degradation is the strict sync parameter. Do not use this at all. There is no good reason to use this with any modern Windows client. The strict sync is often used with the sync always parameter. This, too, can severely degrade network performance, so do not set it; if you must, do so with caution.
- - - - + + + + Finally, many network administrators deliberately disable opportunistic locking support. While this does not degrade Samba performance, it significantly degrades Windows client performance because this disables local file caching on Windows clients and forces every file read and written to @@ -262,12 +262,12 @@ support, do so only on the share on which it is required. That way, all other shares can provide oplock support for operations that are tolerant of it. See “Shared Data Integrity” for more information. -
Use and Location of BDCs
- - - - - +
Use and Location of BDCs
+ + + + + On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of authentication and logon processing. When a sole BDC on a routed network segment gets heavily @@ -275,13 +275,13 @@ to a BDC on a distant network segment. This significantly hinders WAN operations and is undesirable.
- - + + As a general guide, instead of adding domain member servers to a network, you would be better advised to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add domain member servers. This practice ensures that there are always sufficient domain controllers to handle logon requests and authentication traffic. -
Use One Consistent Version of MS Windows Client
+
Use One Consistent Version of MS Windows Client
Every network client has its own peculiarities. From a management perspective, it is easier to deal with one version of MS Windows that is maintained to a consistent update level than it is to deal with a mixture of clients. @@ -289,61 +289,61 @@ On a number of occasions, particular Microsoft service pack updates of a Windows server or client have necessitated special handling from the Samba server end. If you want to remain sane, keep you client workstation configurations consistent. -
For Scalability, Use SAN-Based Storage on Samba Servers
- - +
For Scalability, Use SAN-Based Storage on Samba Servers
+ + Many SAN-based storage systems permit more than one server to share a common data store. Use of a shared SAN data store means that you do not need to use time- and resource-hungry data synchronization techniques.
- - + + The use of a collection of relatively low-cost front-end Samba servers that are coupled to a shared backend SAN data store permits load distribution while containing costs below that of installing and managing a complex clustering facility. -
Distribute Network Load with MSDFS
- - +
Distribute Network Load with MSDFS
+ + Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits data to be accessed from a single share and yet to actually be distributed across multiple actual servers. Refer to TOSHARG2, Chapter 19, for information regarding implementation of an MSDFS installation.
- - + + The combination of multiple backend servers together with a front-end server and use of MSDFS can achieve almost the same as you would obtain with a clustered Samba server. -
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
- - - +
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
+ + + Consider using rsync to replicate data across the WAN during times of low utilization. Users can then access the replicated data store rather than needing to do so across the WAN. This works best for read-only data, but with careful planning can be implemented so that modified files get replicated back to the point of origin. Be careful with your implementation if you choose to permit modification and return replication of the modified file; otherwise, you may inadvertently overwrite important data. -
Hardware Problems
- - - - - - +
Hardware Problems
+ + + + + + Networking hardware prices have fallen sharply over the past 5 years. A surprising number of Samba networking problems over this time have been traced to defective network interface cards (NICs) or defective HUBs, switches, and cables.
- + Not surprising is the fact that network administrators do not like to be shown to have made a bad decision. Money saved in buying low-cost hardware may result in high costs incurred in corrective action.
- - - - - + + + + + Defective NICs, HUBs, and switches may appear as intermittent network access problems, intermittent or persistent data corruption, slow network throughput, low performance, or even as BSOD problems with MS Windows clients. In one case, a company updated several workstations with newer, faster @@ -352,14 +352,14 @@
Defective hardware problems may take patience and persistence before the real cause can be discovered.
- + Networking hardware defects can significantly impact perceived Samba performance, but defective RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server operations. One business came to this realization only after replacing a Samba installation with MS Windows Server 2000 running on the same hardware. The root of the problem completely eluded the network administrator until the entire server was replaced. While you may well think that this would never happen to you, experience shows that given the right (unfortunate) circumstances, this can happen to anyone. -
Large Directories
+
Large Directories
There exist applications that create or manage directories containing many thousands of files. Such applications typically generate many small files (less than 100 KB). At the best of times, under UNIX, listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x, @@ -399,7 +399,7 @@ All files and directories under the path directory must be in the same case as specified in the smb.conf stanza. This means that smbd will not be able to find lower case filenames with these settings. Note, this is done on a per-share basis. -
Key Points Learned
+
Key Points Learned
This chapter has touched in broad sweeps on a number of simple steps that can be taken to ensure that your Samba network is resilient, scalable, and reliable, and that it performs well. @@ -408,7 +408,7 @@ In the long term, that may not be you. Spare a thought for your successor and give him or her an even break.
- + Last, but not least, you should not only keep the network design simple, but also be sure it is well documented. This book may serve as your pattern for documenting every aspect of your design, its implementation, and particularly the objects and assumptions diff -u -r --new-file --exclude .svn --exclude CVS samba-3.3.10//docs/htmldocs/Samba3-ByExample/happy.html samba-3.3.11//docs/htmldocs/Samba3-ByExample/happy.html --- samba-3.3.10//docs/htmldocs/Samba3-ByExample/happy.html 2010-01-14 11:24:10.000000000 +0100 +++ samba-3.3.11//docs/htmldocs/Samba3-ByExample/happy.html 2010-02-22 16:53:36.000000000 +0100 @@ -1,12 +1,12 @@ -Chapter 5. Making Happy Users
Chapter 5. Making Happy Users
Prev Part I. Example Network Configurations Next
Chapter 5. Making Happy Users
Table of Contents
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Checklist
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning User Rights and Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
- It is said that “a day that is without troubles is not fulfilling. Rather, give - me a day of troubles well handled so that I can be content with my achievements.” +Chapter 5. Making Happy Users
Chapter 5. Making Happy Users
Prev Part I. Example Network Configurations Next
Chapter 5. Making Happy Users
Table of Contents
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Checklist
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning User Rights and Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
+ It is said that “a day that is without troubles is not fulfilling. Rather, give + me a day of troubles well handled so that I can be content with my achievements.”
In the world of computer networks, problems are as varied as the people who create them or experience them. The design of the network implemented in “The 500-User Office” may create problems for some network users. The following lists some of the problems that may occur: -
Caution
+
Caution
A significant number of network administrators have responded to the guidance given here. It should be noted that there are sites that have a single PDC for many hundreds of concurrent network clients. Network bandwidth, network bandwidth utilization, and server load @@ -19,8 +19,8 @@ overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows clients is conservative and if followed will minimize problems but it is not absolute.
Users experiencing difficulty logging onto the network
- - + + When a Windows client logs onto the network, many data packets are exchanged between the client and the server that is providing the network logon services. Each request between the client and the server must complete within a specific @@ -30,9 +30,9 @@ 30 to 150 clients. The actual limits are determined by network operational characteristics.
- - - + + + If the domain controller provides only network logon services and all file and print activity is handled by domain member servers, one domain controller per 150 clients on a single network segment may suffice. In any @@ -46,42 +46,42 @@ that can be supported is limited by the CPU speed, memory and the workload on the Samba server as well as network bandwidth utilization.
Slow logons and log-offs
- + Slow logons and log-offs may be caused by many factors that include: -
- - +
+ + Excessive delays in the resolution of a NetBIOS name to its IP address. This may be observed when an overloaded domain controller is also the WINS server. Another cause may be the failure to use a WINS server (this assumes that there is a single network segment). -
- - - +
+ + + Network traffic collisions due to overloading of the network segment. One short-term workaround to this may be to replace network HUBs with Ethernet switches. -
- +
+ Defective networking hardware. Over the past few years, we have seen on the Samba mailing list a significant increase in the number of problems that were traced to a defective network interface controller, a defective HUB or Ethernet switch, or defective cabling. In most cases, it was the erratic nature of the problem that ultimately pointed to the cause of the problem. -
- - +
+ + Excessively large roaming profiles. This type of problem is typically the result of poor user education as well as poor network management. It can be avoided by users not storing huge quantities of email in MS Outlook PST files as well as by not storing files on the desktop. These are old bad habits that require much discipline and vigilance on the part of network management. -
- +
+ You should verify that the Windows XP WebClient service is not running. The use of the WebClient service has been implicated in many Windows networking-related problems. @@ -89,27 +89,27 @@
Loss of access to network drives and printer resources
Loss of access to network resources during client operation may be caused by a number of factors, including: -
- +
+ Network overload (typically indicated by a high network collision rate) -
+
Server overload -
- +
+ Timeout causing the client to close a connection that is in use but has been latent (no traffic) for some time (5 minutes or more) -
- +
+ Defective networking hardware
- + No matter what the cause, a sudden loss of access to network resources can result in BSOD (blue screen of death) situations that necessitate rebooting of the client workstation. In the case of a mild problem, retrying to access the network drive of the printer may restore operations, but in any case this is a serious problem that may lead to the next problem, data corruption.
Potential data corruption
- + Data corruption is one of the most serious problems. It leads to uncertainty, anger, and frustration, and generally precipitates immediate corrective demands. Management response to this type of problem may be rational, as well as highly irrational. There have been @@ -123,48 +123,48 @@ anticipate and combat network performance issues. You can work through complex and thorny methods to improve the reliability of your network environment, but be warned that all such steps demand the price of complexity. -
Regarding LDAP Directories and Windows Computer Accounts
- +
Regarding LDAP Directories and Windows Computer Accounts
+ Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some constraints that are described in this section.
- - - - + + + + The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba. That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats them. A user account and a machine account are indistinguishable from each other, except that the machine account ends in a $ character, as do trust accounts.
- - + + The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID is a design decision that was made a long way back in the history of Samba development. It is unlikely that this decision will be reversed or changed during the remaining life of the Samba-3.x series.
- - + + The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that must refer back to the host operating system on which Samba is running. The name service switch (NSS) is the preferred mechanism that shields applications (like Samba) from the need to know everything about every host OS it runs on.
- Samba asks the host OS to provide a UID via the “passwd”, “shadow” - and “group” facilities in the NSS control (configuration) file. The best tool + Samba asks the host OS to provide a UID via the “passwd”, “shadow” + and “group” facilities in the NSS control (configuration) file. The best tool for achieving this is left up to the UNIX administrator to determine. It is not imposed by Samba. Samba provides winbindd together with its support libraries as one method. It is possible to do this via LDAP, and for that Samba provides the appropriate hooks so that all account entities can be located in an LDAP directory.
- + For many the weapon of choice is to use the PADL nss_ldap utility. This utility must be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That is fundamentally an LDAP design question. The information provided on the Samba list and in the documentation is directed at providing working examples only. The design of an LDAP directory is a complex subject that is beyond the scope of this documentation. -
Introduction
+
Introduction
You just opened an email from Christine that reads:
Good morning, @@ -193,8 +193,8 @@ regain control of our vital IT operations.

--Christine

- - + + Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a single domain controller is a poor design that has obvious operational effects that may frustrate users. Here is your reply: @@ -204,56 +204,56 @@ boost staff morale. Please go ahead with your plans. If you have any problems, please let me know. Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait for approval; I appreciate the urgency. -

--Bob

Assignment Tasks

+

--Bob

Assignment Tasks

The priority of assigned tasks in this chapter is: -

- - - - +
1. + + + + Implement Backup Domain Controllers (BDCs) in each building. This involves a change from a tdbsam backend that was used in the previous chapter to an LDAP-based backend.
  You can implement a single central LDAP server for this purpose. -
2. - - - - +
3. + + + + Rectify the problem of excessive logon times. This involves redirection of folders to network shares as well as modification of all user desktops to exclude the redirected folders from being loaded at login time. You can also create a new default profile that can be used for all new users.
- + You configure a new MS Windows XP Professional workstation disk image that you roll out to all desktop users. The instructions you have created are followed on a staging machine from which all changes can be carefully tested before inflicting them on your network users.
- + This is the last network example in which specific mention of printing is made. The example again makes use of the CUPS printing system. -

Dissection and Discussion

- - - +

Dissection and Discussion

+ + + The implementation of Samba BDCs necessitates the installation and configuration of LDAP. For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial LDAP servers in current use with Samba-3 include: -

- +
- + Novell eDirectory is being successfully used by some sites. Information on how to use eDirectory can be obtained from the Samba mailing lists or from Novell. -
- - +
- + IBM Tivoli Directory Server can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba source code tarball under the directory ~samba/example/LDAP. -
- - +
- + Sun ONE Identity Server product suite provides an LDAP server that can be used for Samba. Example schema files are provided in the Samba source code tarball under the directory @@ -264,19 +264,19 @@ initialize the LDAP directory database. OpenLDAP itself has only command-line tools to help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
  - + For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
  - - - - - - - + + + + + + + When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. High availability operation may be obtained through directory replication/synchronization and master/slave server configurations. OpenLDAP is a mature platform to host the organizational @@ -286,10 +286,10 @@ contents with greater ability to back up, restore, and modify the directory than is generally possible with Microsoft Active Directory.
  - - - - + + + + A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured for a specific task orientation. It comes with a set of administrative tools that is entirely customized @@ -300,8 +300,8 @@ MS ADAM that provides more generic LDAP services, yet it does not have the vanilla-like services of OpenLDAP.
  - - + + You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly if you find the challenge of learning about LDAP directories, schemas, configuration, and management tools and the creation of shell and Perl scripts a bit @@ -309,7 +309,7 @@ many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file that is required for use as a passdb backend.
  - + For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability, there are a few nice Web-based tools that may help you to manage your users and groups more effectively. The Web-based tools you might like to consider include the @@ -323,7 +323,7 @@ LDAP Browser/Editor ; JXplorer (by Computer Associates); and phpLDAPadmin. -
  Note
  +
  Note
  The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided is considered to consist of the barest essentials only. You are strongly encouraged to learn more about @@ -334,10 +334,10 @@ LDAP System Administration, by Jerry Carter quite useful.
  - - - - + + + + Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must be loaded over the WAN connection. The addition of BDCs on each network segment significantly @@ -345,31 +345,31 @@ user desktops, and this must be done in a way that wins their support and does not cause further loss of staff morale. The following procedures solve this problem.
  - + There is also an opportunity to implement smart printing features. You add this to the Samba configuration so that future printer changes can be managed without need to change desktop configurations.
  You add the ability to automatically download new printer drivers, even if they are not installed in the default desktop profile. Only one example of printing configuration is given. It is assumed that you can extrapolate the principles and use them to install all printers that may be needed. -
  Technical Issues
  - - - +
  Technical Issues
  + + + The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account attributes Samba needs. Samba-3 can use the LDAP backend to store: -
  Windows Networking User Accounts
  Windows NT Group Accounts
  Mapping Information between UNIX Groups and Windows NT Groups
  ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)
  - - - - - - - - - +
  Windows Networking User Accounts
  Windows NT Group Accounts
  Mapping Information between UNIX Groups and Windows NT Groups
  ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)
  + + + + + + + + + The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking accounts in the LDAP backend. This implies the need to use the PADL LDAP tools. The resolution @@ -378,16 +378,16 @@ that integrates with the NSS. The same requirements exist for resolution of the UNIX username to the UID. The relationships are demonstrated in “The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts”.
  Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts
  
  - - + + You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really ought to learn how to configure secure communications over LDAP so that site security is not at risk. This is not covered in the following guidance.
  - - - - + + + + When OpenLDAP has been made operative, you configure the PDC called MASSIVE. You initialize the Samba secrets.tdb file. Then you create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized. @@ -395,27 +395,27 @@ You can also find on the enclosed CD-ROM, in the Chap06 directory, a few tools that help to manage user and group configuration.
  - - - + + + In order to effect folder redirection and to add robustness to the implementation, create a network default profile. All network users workstations are configured to use the new profile. Roaming profiles will automatically be deleted from the workstation when the user logs off.
  - + The profile is configured so that users cannot change the appearance of their desktop. This is known as a mandatory profile. You make certain that users are able to use their computers efficiently.
  - + A network logon script is used to deliver flexible but consistent network drive connections. -
  Addition of Machines to the Domain
  - - - - +
  Addition of Machines to the Domain
  + + + + Samba versions prior to 3.0.11 necessitated the use of a domain administrator account that maps to the UNIX UID=0. The UNIX operating system permits only the root user to add user and group accounts. Samba 3.0.11 introduced a new facility known as @@ -425,13 +425,13 @@ In this network example use is made of one of the supported privileges purely to demonstrate how any user can now be given the ability to add machines to the domain using a normal user account that has been given the appropriate privileges. -
  Roaming Profile Background
  +
  Roaming Profile Background
  As XP roaming profiles grow, so does the amount of time it takes to log in and out.
  - - - - + + + + An XP roaming profile consists of the HKEY_CURRENT_USER hive file NTUSER.DAT and a number of folders (My Documents, Application Data, Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the @@ -453,20 +453,20 @@ user to not place large files on the desktop and to use his or her mapped home directory instead of the My Documents folder for saving documents.
  - + Using a folder other than My Documents is a nuisance for some users, since many applications use it by default.
  - - - + + + The secret to rapid loading of roaming profiles is to prevent unnecessary data from being copied back and forth, without losing any functionality. This is not difficult; it can be done by making changes to the Local Group Policy on each client as well as changing some paths in each user's NTUSER.DAT hive.
  - - + + Every user profile has its own NTUSER.DAT file. This means you need to edit every user's profile, unless a better method can be followed. Fortunately, with the right preparations, this is not difficult. @@ -474,11 +474,11 @@ user's profile. Then just create a Network Default Profile. Of course, it is necessary to copy all files from redirected folders to the network share to which they are redirected. -
  The Local Group Policy
  - - - - +
  The Local Group Policy
  + + + + Without an Active Directory PDC, you cannot take full advantage of Group Policy Objects. However, you can still make changes to the Local Group Policy by using the Group Policy editor (gpedit.msc). @@ -487,31 +487,31 @@ be found under User Configuration → Administrative Templates → System → User Profiles. By default this setting contains - “Local Settings; Temporary Internet Files; History; Temp”. + “Local Settings; Temporary Internet Files; History; Temp”.
  Simply add the folders you do not wish to be copied back and forth to this semicolon-separated list. Note that this change must be made on all clients that are using roaming profiles. -
  Profile Changes
  - - +
  Profile Changes
  + + There are two changes that should be done to each user's profile. Move each of the directories that you have excluded from being copied back and forth out of the usual profile path. Modify each user's NTUSER.DAT file to point to the new paths that are shared over the network instead of to the default path (C:\Documents and Settings\%USERNAME%).
  - - + + The above modifies existing user profiles. So that newly created profiles have these settings, you need to modify the NTUSER.DAT in the C:\Documents and Settings\Default User folder on each client machine, changing the same registry keys. You could do this by copying NTUSER.DAT to a Linux box and using regedt32. The basic method is described under “Configuration of Default Profile with Folder Redirection”. -
  Using a Network Default User Profile
  - - +
  Using a Network Default User Profile
  + + If you are using Samba as your PDC, you should create a file share called NETLOGON and within that create a directory called Default User, which is a copy of the desired default user @@ -520,20 +520,20 @@ the first login from a new account pulls its configuration from it. See also the Real Men Don't Click Web site. -
  Installation of Printer Driver Auto-Download
  - - - +
  Installation of Printer Driver Auto-Download
  + + + The subject of printing is quite topical. Printing problems run second place to name resolution issues today. So far in this book, you have experienced only what is generally - known as “dumb” printing. Dumb printing is the arrangement by which all drivers + known as “dumb” printing. Dumb printing is the arrangement by which all drivers are manually installed on each client and the printing subsystems perform no filtering or intelligent processing. Dumb printing is easily understood. It usually works without many problems, but it has its limitations also. Dumb printing is better known as Raw-Print-Through printing.
  - - + + Samba permits the configuration of smart printing using the Microsoft Windows point-and-click (also called drag-and-drop) printing. What this provides is essentially the ability to print to any printer. If the local client does not yet have a @@ -547,9 +547,9 @@ then invokes a suitable print filter to convert the incoming data stream into a format suited to the printer to which the job is dispatched.
  - - - + + + The CUPS printing subsystem is capable of intelligent printing. It has the capacity to detect the data format and apply a print filter. This means that it is feasible to install on all Windows clients a single printer driver for use with all printers that are routed @@ -566,7 +566,7 @@ This book is about Samba-3, so you can confine the printing style to just the smart style of installation. Those interested in further information regarding intelligent printing should review documentation on the Easy Software Products Web site. -
  Avoiding Failures: Solving Problems Before They Happen
  +
  Avoiding Failures: Solving Problems Before They Happen
  It has often been said that there are three types of people in the world: those who have sharp minds and those who forget things. Please do not ask what the third group is like! Well, it seems that many of us have company in the second group. There must @@ -574,12 +574,12 @@ simple problems efficiently and effectively.
  Here are some diagnostic guidelines that can be referred to when things go wrong: -
  Preliminary Advice: Dangers Can Be Avoided
  - The best advice regarding how to mend a broken leg is “Never break a leg!” +
  Preliminary Advice: Dangers Can Be Avoided
  + The best advice regarding how to mend a broken leg is “Never break a leg!”
  - + Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice - regarding the best way to remedy LDAP and Samba problems: “Avoid them like the plague!” + regarding the best way to remedy LDAP and Samba problems: “Avoid them like the plague!”
  If you are now asking yourself how problems can be avoided, the best advice is to start out your learning experience with a known-good configuration. After @@ -589,11 +589,11 @@ The examples in this chapter (also in the book as a whole) are known to work. That means that they could serve as the kick-off point for your journey through fields of knowledge. Use this resource carefully; we hope it serves you well. -
  Warning
  +
  Warning
  Do not be lulled into thinking that you can easily adopt the examples in this book and adapt them without first working through the examples provided. A little thing overlooked can cause untold pain and may permanently tarnish your experience. -
  The Name Service Caching Daemon
  +
  The Name Service Caching Daemon
  The name service caching daemon (nscd) is a primary cause of difficulties with name resolution, particularly where winbind is used. Winbind does its own caching, thus nscd causes double caching which can lead to peculiar problems during @@ -660,17 +660,17 @@ root# chkconfig nscd off root# rcnscd off
  -
  Debugging LDAP
  - - - +
  Debugging LDAP
  + + + In the example /etc/openldap/slapd.conf control file (see “LDAP DB_CONFIG File”) there is an entry for loglevel 256. To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter and restart slapd.
  - - + + LDAP log information can be directed into a file that is separate from the normal system log files by changing the /etc/syslog.conf file so it has the following contents: @@ -689,7 +689,7 @@ local site needs. The configuration used later in this chapter reflects such customization with the intent that LDAP log files will be stored at a location that meets local site needs and wishes more fully. -
  Debugging NSS_LDAP
  +
  Debugging NSS_LDAP
  The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the /etc/ldap.conf file the following parameters:
  @@ -702,7 +702,7 @@
  
  The diagnostic process should follow these steps: -
  Procedure 5.1. NSS_LDAP Diagnostic Steps
  +
  Procedure 5.1. NSS_LDAP Diagnostic Steps
  Verify the nss_base_passwd, nss_base_shadow, nss_base_group entries in the /etc/ldap.conf file and compare them closely with the directory tree location that was chosen when the directory was first created. @@ -739,7 +739,7 @@ will be evaluated sequentially. Let us consider an example of use where the following DIT has been implemented:
  -
  User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz
  User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz
  Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz
  +
  User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz
  User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz
  Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz
  
  The appropriate multiple entry for the nss_base_passwd directive in the /etc/ldap.conf file may be: @@ -747,7 +747,7 @@ nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
  -
  +
  Perform lookups such as:
  root# getent passwd @@ -755,7 +755,7 @@ Each such lookup will create an entry in the /data/log directory for each such process executed. The contents of each file created in this directory may provide a hint as to the cause of the a problem that is under investigation. -
  +
  For additional diagnostic information, check the contents of the /var/log/messages to see what error messages are being generated as a result of the LDAP lookups. Here is an example of a successful lookup: @@ -788,11 +788,11 @@ slapd[12164]: conn=1 fd=10 closed
  -
  +
  Check that the bindpw entry in the /etc/ldap.conf or in the /etc/ldap.secrets file is correct, as specified in the /etc/openldap/slapd.conf file. -
  Debugging Samba
  +

Debugging Samba

The following parameters in the smb.conf file can be useful in tracking down Samba-related problems:

 [global]
@@ -822,17 +822,17 @@
 		

 		Search for hints of what may have failed by looking for the words fail
 		and error.
-

Debugging on the Windows Client

+

Debugging on the Windows Client

MS Windows 2000 Professional and Windows XP Professional clients can be configured to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search the Microsoft knowledge base for detailed instructions. The techniques vary a little with each version of MS Windows. -

Political Issues

+

Political Issues

MS Windows network users are generally very sensitive to limits that may be imposed when confronted with locked-down workstation configurations. The challenge you face must be promoted as a choice between reliable, fast network operation and a constant flux of problems that result in user irritation. -

Installation Checklist

+

Installation Checklist

You are starting a complex project. Even though you went through the installation of a complex network in “The 500-User Office”, this network is a bigger challenge because of the large number of complex applications that must be configured before the first few steps @@ -840,18 +840,18 @@ frequently review the steps ahead while making at least a mental note of what has already been completed. The following task list may help you to keep track of the task items that are covered: -

Samba-3 PDC Server Configuration
1. DHCP and DNS servers
2. OpenLDAP server
3. PAM and NSS client tools
4. Samba-3 PDC
5. Idealx smbldap scripts
6. LDAP initialization
7. Create user and group accounts
8. Printers
9. Share point directory roots
10. Profile directories
11. Logon scripts
12. Configuration of user rights and privileges
Samba-3 BDC Server Configuration
1. DHCP and DNS servers
2. PAM and NSS client tools
3. Printers
4. Share point directory roots
5. Profiles directories
Windows XP Client Configuration
1. Default profile folder redirection
2. MS Outlook PST file relocation
3. Delete roaming profile on logout
4. Upload printer drivers to Samba servers
5. Install software
6. Creation of roll-out images

Samba Server Implementation

- - +

Samba-3 PDC Server Configuration
1. DHCP and DNS servers
2. OpenLDAP server
3. PAM and NSS client tools
4. Samba-3 PDC
5. Idealx smbldap scripts
6. LDAP initialization
7. Create user and group accounts
8. Printers
9. Share point directory roots
10. Profile directories
11. Logon scripts
12. Configuration of user rights and privileges
Samba-3 BDC Server Configuration
1. DHCP and DNS servers
2. PAM and NSS client tools
3. Printers
4. Share point directory roots
5. Profiles directories
Windows XP Client Configuration
1. Default profile folder redirection
2. MS Outlook PST file relocation
3. Delete roaming profile on logout
4. Upload printer drivers to Samba servers
5. Install software
6. Creation of roll-out images

Samba Server Implementation

+ + The network design shown in “Network Topology 500 User Network Using ldapsam passdb backend” is not comprehensive. It is assumed that you will install additional file servers and possibly additional BDCs.

Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend

- - + + All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to adjust the locations for your particular Linux system distribution/implementation. -

Note

+

Note

The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball, please verify that the versions you are about to use are matching. The smbldap-tools package @@ -867,23 +867,23 @@ have completed the network implementation shown in that chapter. If you are starting with newly installed Linux servers, you must complete the steps shown in “Installation of DHCP, DNS, and Samba Control Files” before commencing at “OpenLDAP Server Configuration”. -

OpenLDAP Server Configuration

- - - +

OpenLDAP Server Configuration

+ + + Confirm that the packages shown in “Required OpenLDAP Linux Packages” are installed on your system.

Table 5.2. Required OpenLDAP Linux Packages

SUSE Linux 8.x	SUSE Linux 9.x	Red Hat Linux
nss_ldap	nss_ldap	nss_ldap
pam_ldap	pam_ldap	pam_ldap
openldap2	openldap2	openldap
openldap2-client	openldap2-client

Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you follow these guidelines, the resulting system should work fine. -

Procedure 5.2. OpenLDAP Server Configuration Steps

- +
Procedure 5.2. OpenLDAP Server Configuration Steps
1. + Install the file shown in “LDAP Master Configuration File /etc/openldap/slapd.conf Part A” in the directory /etc/openldap. -
2. - - - +
3. + + + Remove all files from the directory /data/ldap, making certain that the directory exists with permissions:
```
@@ -891,19 +891,19 @@
 drwx------   2 ldap    ldap       48 Dec 15 22:11 ldap
 
```
  This may require you to add a user and a group account for LDAP if they do not exist. -
4. - +
5. + Install the file shown in “LDAP DB_CONFIG File” in the directory /data/ldap. In the event that this file is added after ldap has been started, it is possible to cause the new settings to take effect by shutting down the LDAP server, executing the db_recover command inside the /data/ldap directory, and then restarting the LDAP server. -
6. - +
7. + Performance logging can be enabled and should preferably be sent to a file on a file system that is large enough to handle significantly sized logs. To enable the logging at a verbose level to permit detailed analysis, uncomment the entry in - the /etc/openldap/slapd.conf shown as “loglevel 256”. + the /etc/openldap/slapd.conf shown as “loglevel 256”.
  Edit the /etc/syslog.conf file to add the following at the end of the file: @@ -974,32 +974,32 @@ index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub -

PAM and NSS Client Configuration

- - - +

PAM and NSS Client Configuration

+ + + The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.

- - + + Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely that you may want to use them for UNIX system (Linux) local machine logons. This necessitates correct configuration of PAM. The pam_ldap open source package provides the PAM modules that most people would use. On SUSE Linux systems, the pam_unix2.so module also has the ability to redirect authentication requests through LDAP.

- - - - + + + + You have chosen to configure these services by directly editing the system files, but of course, you know that this configuration can be done using system tools provided by the Linux system vendor. SUSE Linux has a facility in YaST (the system admin tool) through yast → system → ldap-client that permits configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the authconfig tool for this. -

Procedure 5.3. PAM and NSS Client Configuration Steps

Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf

+	
Procedure 5.3. PAM and NSS Client Configuration Steps
Example 5.4. Configuration File for NSS LDAP Support  /etc/ldap.conf
 host 127.0.0.1
 
 base dc=abmas,dc=biz
@@ -1041,23 +1041,23 @@
 nss_base_group  ou=Groups,dc=abmas,dc=biz?one
 
 ssl off
-


-		
-		
-		
+

+ + + Execute the following command to find where the nss_ldap module expects to find its control file:
```
 root#  strings /lib/libnss_ldap.so.2 | grep conf
 
```
The preferred and usual location is /etc/ldap.conf. -
+
On the server MASSIVE, install the file shown in “Configuration File for NSS LDAP Support /etc/ldap.conf” into the path that was obtained from the step above. On the servers called BLDG1 and BLDG2, install the file shown in “Configuration File for NSS LDAP Clients Support /etc/ldap.conf” into the path that was obtained from the step above. -
- +
+ Edit the NSS control file (/etc/nsswitch.conf) so that the lines that control user and group resolution will obtain information from the normal system files as well as from ldap: @@ -1071,7 +1071,7 @@ added, you can validate resolution of the LDAP resolver process. The inclusion of WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be resolved to their IP addresses, whether or not they are DHCP clients. -
Note
+
Note
Some Linux systems (Novell SUSE Linux in particular) add entries to the nsswitch.conf file that may cause operational problems with the configuration methods adopted in this book. It is advisable to comment out the entries passwd_compat and group_compat @@ -1079,8 +1079,8 @@
Even at the risk of overstating the issue, incorrect and inappropriate configuration of the nsswitch.conf file is a significant cause of operational problems with LDAP. -
- +
+ For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following files in the /etc/pam.d directory: login, password, samba, sshd. In each file, locate every entry that has the @@ -1102,7 +1102,7 @@ session required pam_limits.so

- + On other Linux systems that do not have an LDAP-enabled pam_unix2.so module, you must edit these files by adding the pam_ldap.so modules as shown here:
```
@@ -1125,15 +1125,15 @@
 		demonstrates the use of the pam_ldap.so module. You can use either
 		implementation, but if the pam_unix2.so on your system supports
 		LDAP, you probably want to use it rather than add an additional module.
-		
```

Samba-3 PDC Configuration

- +

Samba-3 PDC Configuration

+ Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the choice to either build your own or obtain the packages from a dependable source. Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that is included with this book. -

Procedure 5.4. Configuration of PDC Called MASSIVE

+

Procedure 5.4. Configuration of PDC Called MASSIVE

Install the files in “LDAP Based smb.conf File, Server: MASSIVE global Section: Part A”, “LDAP Based smb.conf File, Server: MASSIVE global Section: Part B”, “LDAP Based smb.conf File, Shares Section Part A”, and “LDAP Based smb.conf File, Shares Section Part B” into the /etc/samba/ @@ -1142,8 +1142,8 @@ smb.conf.master and then to perform all file edits on the master file. The operational smb.conf is then generated as shown in the next step. -
- +

+ Create and verify the contents of the smb.conf file that is generated by:

 root#  testparm -s smb.conf.master > smb.conf
@@ -1170,7 +1170,7 @@
 Server role: ROLE_DOMAIN_PDC
 Press enter to see a dump of your service definitions

-

+

Delete all runtime files from prior Samba operation by executing (for SUSE Linux):

@@ -1179,9 +1179,9 @@
 root#  rm /var/lib/samba/*dat
 root#  rm /var/log/samba/*

-

- - +
+ + Samba-3 communicates with the LDAP server. The password that it uses to authenticate to the LDAP server must be stored in the secrets.tdb file. Execute the following to create the new secrets.tdb files @@ -1193,9 +1193,9 @@
```
 Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
 
```
-
- - +
+ + Samba-3 generates a Windows Security Identifier (SID) only when smbd has been started. For this reason, you start Samba. After a few seconds delay, execute: @@ -1226,13 +1226,13 @@ may be misconfigured. In this case, carefully check the smb.conf file for typographical errors (the most common problem). The use of the testparm is highly recommended to validate the contents of this file. -
+
When a positive domain SID has been reported, stop Samba. -
- - - - +
+ + + + Configure the NFS server for your Linux system. So you can complete the steps that follow, enter into the /etc/exports the following entry:
```
@@ -1250,8 +1250,8 @@
 		
```

Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with configuration of the LDAP server. -

Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A

# Global parameters

[global]

unix charset = LOCALE

workgroup = MEGANET2

netbios name = MASSIVE

interfaces = eth1, lo

bind interfaces only = Yes

passdb backend = ldapsam:ldap://massive.abmas.biz

enable privileges = Yes

username map = /etc/samba/smbusers

log level = 1

syslog = 0

log file = /var/log/samba/%m

max log size = 50

smb ports = 139

name resolve order = wins bcast hosts

time server = Yes

printcap name = CUPS

show add printer wizard = No

add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"

delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"

add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"

delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"

add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"

delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"

set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"

add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"

Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B

logon script = scripts\logon.bat

logon path = \\%L\profiles\%U

logon drive = X:

domain logons = Yes

preferred master = Yes

wins support = Yes

ldap suffix = dc=abmas,dc=biz

ldap machine suffix = ou=People

ldap user suffix = ou=People

ldap group suffix = ou=Groups

ldap idmap suffix = ou=Idmap

ldap admin dn = cn=Manager,dc=abmas,dc=biz

idmap backend = ldap:ldap://massive.abmas.biz

idmap uid = 10000-20000

idmap gid = 10000-20000

map acl inherit = Yes

printing = cups

printer admin = root, chrisr

Install and Configure Idealx smbldap-tools Scripts