author | John Terpstra <jht@samba.org> | 2005-04-13 02:26:17 +0000 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:46:25 -0500 |
commit | 6262d3083458e4fc1dfcff77e616063e4b71e477 (patch) | |
tree | ddfea67e7c0c679d69a0fea331795971cc42e58a /docs/Samba-Guide/SBE-SecureOfficeServer.xml | |
parent | 2b7907805aeb32775f11795b88e01721b115eafe (diff) | |
download | samba-6262d3083458e4fc1dfcff77e616063e4b71e477.tar.gz samba-6262d3083458e4fc1dfcff77e616063e4b71e477.tar.bz2 samba-6262d3083458e4fc1dfcff77e616063e4b71e477.zip |
Beginning of another reorg.
(This used to be commit 131d76df85ab12f5a171120113d4dfa7ad3f2220)
Diffstat (limited to 'docs/Samba-Guide/SBE-SecureOfficeServer.xml')
-rw-r--r-- | docs/Samba-Guide/SBE-SecureOfficeServer.xml | 2737 |
1 files changed, 2737 insertions, 0 deletions
diff --git a/docs/Samba-Guide/SBE-SecureOfficeServer.xml b/docs/Samba-Guide/SBE-SecureOfficeServer.xml new file mode 100644 index 0000000000..4ceb6de671 --- /dev/null +++ b/docs/Samba-Guide/SBE-SecureOfficeServer.xml 
@@ -0,0 +1,2737 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<chapter id="secure"> + <title>Secure Office Networking</title> + + <para> + Congratulations, your Samba networking skills are developing nicely. You started out + with three simple networks in Chapter 2, and then in Chapter 3 you designed and built a + network that provides a high degree of flexibility, integrity, and dependability. It + was enough for the basic needs each was designed to fulfill. In this chapter you + address a more complex set of needs. The solution you explore is designed + to introduce you to basic features that are specific to Samba-3. + </para> + + <para> + You should note that a working and secure solution could be implemented using Samba-2.2.x. + In the exercises presented here, you are gradually using more Samba-3 specific features + so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given. + To avoid confusion, this book is all about Samba-3. Let's get the exercises in this + chapter under way. + </para> + +<sect1> + <title>Introduction</title> + + <para> + You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work + well done. It is one year since the last network upgrade. You have been quite busy. + Two months ago Mr. Meany gave approval to hire Christine Roberson who has taken over + general network management. Soon she will provide primary user support. You have demonstrated + you can delegate responsibility, and plan and execute + to that plan. Above all, you have shown Mr. Meany that you are a responsible person. + Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never + expected. You are Mr. Bob Jordan and will take charge of business operations. Mr. Meany + is retiring and has entrusted the business to your capable hands. + </para> + + <para> + Mr. 
Meany may be retiring from this company, but not from work. He is taking the opportunity to develop + Abmas Inc. into a larger and more substantial company. He says that it took him many + years to wake up to the fact that there is no future in just running a business. He + now realizes there is great personal reward and satisfaction in creation of career + opportunities for people in the local community. He wants to do more for others as he is + doing for you, Bob Jordan. Today he spent a lot of time talking about the grand plan. + He has plans for growth that you will deal with in the chapters ahead. + </para> + + <para> + Over the past year, the growth projections were exceeded. The network has grown to + meet the needs of 130 users. Along with growth, the demand for improved services + and better functionality has also developed. You are about to make an interim + improvement and then hand over all Help desk and network maintenance to Christine. + Christine has professional certifications in Microsoft Windows as well as in Linux; + she is a hard worker and quite likable. Christine does not want to manage the department + (although she manages well). She gains job satisfaction when left to sort things out. + Occasionally she wants to work with you on a challenging problem. When you told her + about your move, she almost resigned, although she was reassured that a new manager would + be hired to run Information Technology and she would be responsible only for operations. + </para> + + <sect2> + <title>Assignment Tasks</title> + + <para> + You promised the staff Internet services including web browsing, electronic mail, virus + protection, and a company Web site. Christine is keen to help turn the vision into + reality. Let's see how close you can get to the promises made. + </para> + + <para> + The network you are about to deliver will service 130 users today. Within 12 months, + Abmas will aquire another company. Mr. 
Meany claims that within two years there will be + well over 500 users on the network. You have bought into the big picture, so prepare + for growth. + </para> + + <para> + You have purchased a new server, will implement a new network infrastructure, and + reward all staff with a new computer. Notebook computers will not be replaced at this time. + </para> + + <para> + You have decided to not recycle old network components. The only items that will be + carried forward are notebook computers. You offered staff new notebooks, but not + one person wanted the disruption for what was perceived as a marginal update. + You have made the decision to give everyone a new desktop computer, even to those + who have a notebook computer. + </para> + + <para> + You have procured a DSL Internet connection that provides 1.5 Megabit/sec (bidirectional) + and a 10 MBit/sec ethernet port. You have registered the domain + <constant>abmas.us</constant>, and the Internet Service Provider (ISP) is supplying + secondary DNS. Information furnished by your ISP is shown in <link linkend="chap4netid"/>. + </para> + + <para> + It is of paramount priority that under no circumstances will Samba offer + service access from an Internet connection. You are paying an ISP to + give, as part of their value-added services, full firewall protection for your + connection to the outside world. The only services allowed in from + the Internet side are the following destination ports: <constant>http/https (ports + 80 and 443), email (port 25), DNS (port 53)</constant>. All Internet traffic + will be allowed out after network address translation (NAT). No internal IP addresses + are permitted through the NAT filter as complete privacy of internal network + operations must be assured. 
+ </para> + + <table id="chap4netid"> + <title>Abmas.US ISP Information</title> + <tgroup cols="2"> + <colspec align="left"/> + <colspec align="center"/> + <thead> + <row> + <entry>Parameter</entry> + <entry>Value</entry> + </row> + </thead> + <tbody> + <row> + <entry>Server IP Address</entry> + <entry>123.45.67.66</entry> + </row> + <row> + <entry>DSL Device IP Address</entry> + <entry>123.45.67.65</entry> + </row> + <row> + <entry>Network Address</entry> + <entry>123.45.67.64/30</entry> + </row> + <row> + <entry>Gateway Address</entry> + <entry>123.45.54.65</entry> + </row> + <row> + <entry>Primary DNS Server</entry> + <entry>123.45.54.65</entry> + </row> + <row> + <entry>Secondary DNS Server</entry> + <entry>123.45.54.32</entry> + </row> + <row> + <entry>Forwarding DNS Server</entry> + <entry>123.45.12.23</entry> + </row> + </tbody> + </tgroup> + </table> + + <image id="ch04net"> + <imagedescription>Abmas Network Topology &smbmdash; 130 Users</imagedescription> + <imagefile scale="60">chap4-net</imagefile> + </image> + + <para> + Christine has recommended that desktop systems should be installed from a single cloned + master system that has a minimum of locally installed software and loads all software + off a central application server. The benefit of having the central application server + is that it allows single point maintenance of all business applications, something + Christine is keen to pursue. She further recommended installation of anti-virus + software on workstations as well as on the Samba server. Christine is paranoid of + potential virus infection and insists on a comprehensive approach to detective + as well as corrective action to protect network operations. + </para> + + <para> + A significant concern is the problem of managing company growth. Recently, a number + of users had to share a PC while waiting for new machines to arrive. 
This presented + some problems with desktop computers and software installation into the new users' + desktop profile. + </para> + + </sect2> +</sect1> + +<sect1> + <title>Dissection and Discussion</title> + + <para> + Many of the conclusions you draw here are obvious. Some requirements are not very clear + or may simply be your means of drawing the most out of Samba-3. Much can be done more simply + than you will demonstrate here, but keep in mind that the network must scale to at least 500 + users. This means that some functionality will be over-designed for the current 130 user + environment. + </para> + + <sect2> + <title>Technical Issues</title> + + <para> + In this exercise we are using a 24-bit subnet mask for the two local networks. This, + of course, limits our network to a maximum of 253 usable IP addresses. The network + address range chosen is one of the ranges assigned by RFC1918 for private networks. + When the number of users on the network begins to approach the limit of usable + addresses, it would be a good idea to switch to a network address specified in RFC1918 + in the 172.16.0.0/16 range. This is done in the following chapters. + </para> + + <para> + <indexterm><primary>tdbsam</primary></indexterm> + <indexterm><primary>smbpasswd</primary></indexterm> + The high growth rates projected are a good reason to use the <constant>tdbsam</constant> + passdb backend. The use of <constant>smbpasswd</constant> for the backend may result in + performance problems. The <constant>tdbsam</constant> passdb backend offers features that + are not available with the older flat ASCII-based <constant>smbpasswd</constant> database. + </para> + + <para> + <indexterm><primary>risk</primary></indexterm> + The proposed network design uses a single server to act as an Internet services host for + electronic mail, Web serving, remote administrative access vis SSH, as well as for + Samba-based file and print services. 
This design is often chosen by sites that feel + they cannot afford or justify the cost or overhead of having separate servers. It must + be realized that if security of this type of server should ever be violated (compromised), + the whole network and all data is at risk. Many sites continue to choose this type + of solution; therefore, this chapter provides detailed coverage of key implementation + aspects. + </para> + + <para> + Samba will be configured to specifically not operate on the ethernet interface that is + directly connected to the Internet. + </para> + + <para> + <indexterm><primary>iptables</primary></indexterm> + <indexterm><primary>NAT</primary></indexterm> + <indexterm><primary>Network Address Translation</primary><see>NAT</see></indexterm> + <indexterm> + <primary>firewall</primary> + </indexterm> + You know that your ISP is providing full firewall services, but you cannot rely on that. + Always assume that human error will occur, so be prepared by using Linux firewall facilities + based on <command>iptables</command> to effect Network Address Translation (NAT). Block all + incoming traffic except to permitted well-known ports. You must also allow incoming packets + to established outgoing connections. You will permit all internal outgoing requests. + </para> + + <para> + The configuration of Web serving, Web proxy services, electronic mail, and the details of + generic anti-virus handling are beyond the scope of this book and therefore are not + covered, except insofar as this affects Samba-3. + </para> + + <para><indexterm> + <primary>login</primary> + </indexterm> + Notebook computers are configured to use a network login when in the office and a + local account to login while away from the office. Users store all work done in + transit (away from the office) by using a local share for work files. 
Standard procedures + will dictate that on completion of the work that necessitates mobile file access, all + work files are moved back to secure storage on the office server. Staff is instructed + to not carry on any company notebook computer any files that are not absolutely required. + This is a preventative measure to protect client information as well as business private + records. + </para> + + <para><indexterm> + <primary>application server</primary> + </indexterm> + All applications are served from the central server from a share called <constant>apps</constant>. + Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network + (or administrative) installation. Accounting and financial management software can also + be run only from the central application server. Notebook users are provided with + locally installed applications on a need-to-have basis only. + </para> + + <para> + <indexterm><primary>roaming profiles</primary></indexterm> + The introduction of roaming profiles support means that users can move between + desktop computer systems without constraint while retaining full access to their data. + The desktop travels with them as they move. + </para> + + <para> + <indexterm><primary>DNS</primary></indexterm> + The DNS server implementation must now address both internal needs as well as external + needs. You forward DNS lookups to your ISP provided server as well as the + <constant>abmas.us</constant> external secondary DNS server. + </para> + + <para> + <indexterm><primary>dynamic DNS</primary></indexterm> + <indexterm><primary>DDNS</primary><see>dynamic + DNS</see></indexterm><indexterm> + <primary>DHCP server</primary> + </indexterm> + Compared with the DHCP server configuration in <link linkend="dhcp01"/>, the configuration used + in this example has to deal with the presence of an Internet connection. The scope set for it + ensures that no DHCP services will be offered on the external connection. 
All printers are + configured as DHCP clients, so that the DHCP server assigns the printer a fixed IP + address by way of the ethernet interface (MAC) address. One additional feature of this DHCP + server configuration file is the inclusion of parameters to allow dynamic DNS (DDNS) operation. + </para> + + <para> + This is the first implementation that depends on a correctly functioning DNS server. + Comprehensive steps are included to provide for a fully functioning DNS server that also + is enabled for dynamic DNS operation. This means that DHCP clients can be auto-registered + with the DNS server. + </para> + + <para> + You are taking the opportunity to manually set the netbios name of the Samba server to + a name other than what will be automatically resolved. You are doing this to ensure that + the machine has the same NetBIOS name on both network segments. + </para> + + <para> + As in the previous network configuration, printing in this network configuration uses + direct raw printing (i.e., no smart printing and no print driver auto-download to Windows + clients). Printer drivers are installed on the Windows client manually. This is not + a problem given that Christine is to install and configure one single workstation and + then clone that configuration, using Norton Ghost, to all workstations. Each machine is + identical, so this should pose no problem. + </para> + + <sect3> + <title>Hardware Requirements</title> + + <para><indexterm> + <primary>memory requirements</primary> + </indexterm> + This server runs a considerable number of services. From similarly configured Linux + installations the approximate calculated memory requirements will be as that shown in + <link linkend="ch4memoryest"/>. 
+ +<example id="ch4memoryest"> +<title>Estimation of Memory Requirements</title> +<screen> +Application Memory per User 130 Users 500 Users + Name (MBytes) Total MBytes Total MBytes +----------- --------------- ------------ ------------ +DHCP 2.5 3 3 +DNS 16.0 16 16 +Samba (nmbd) 16.0 16 16 +Samba (winbind) 16.0 16 16 +Samba (smbd) 4.0 520 2000 +Apache 10.0 (20 User) 200 200 +CUPS 3.5 16 32 +Basic OS 256.0 256 256 + -------------- -------------- + Total: 1043 MBytes 2539 MBytes + -------------- -------------- +</screen> +</example> + You would choose to add a safety margin of at least 50% to these estimates. The minimum + system memory recommended for initial startup would be 1 GByte, but to permit the system + to scale to 500 users, it would make sense to provision the machine with 4 GBytes memory. + An initial configuration with only 1 GByte memory would lead to early performance complaints + as the system load builds up. Given the low cost of memory, it would not make sense to + compromise in this area. + </para> + + <para><indexterm> + <primary>bandwidth calculations</primary> + </indexterm> + Aggregate Input/Output loads should be considered for sizing network configuration as + well as disk subsystems. For network bandwidth calculations, one would typically use an + estimate of 0.1 MBytes/sec per user. This would suggest that 100-Base-T (approx. 10 MBytes/sec) + would deliver below acceptable capacity for the initial user load. It is, therefore, a good + idea to begin with 1 Gigabit ethernet cards for the two internal networks, each attached + to a 1 Gigabit Etherswitch that provides connectivity to an expandable array of 100-Base-T + switched ports. 
+ </para> + + <para><indexterm> + <primary>network segments</primary> + </indexterm><indexterm> + <primary>RAID</primary> + </indexterm> + Considering the choice of 1 Gigabit ethernet interfaces for the two local network segments, + the aggregate network I/O capacity will be 2100 MBit/sec (about 230 MBytes/sec), an I/O + demand that would require a fast disk storage I/O capability. Peak disk throughput is + limited by the disk sub-system chosen. It would be desirable to provide the maximum + I/O bandwidth that can be afforded. If a low-cost solution must be chosen, the use of + 3Ware IDE RAID Controllers makes a good choice. These controllers can be fitted into a + 64 bit, 66 MHz PCI-X slot. They appear to the operating system as a high speed SCSI + controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MByte/sec). + Alternative SCSI-based hardware RAID controllers should also be considered. Alternately, + it would make sense to purchase well-known branded hardware that has appropriate performance + specifications. As a minimum, one should attempt to provide a disk sub-system that can + deliver I/O rates of at least 100 MBytes/sec. + </para> + + <para> + Disk storage requirements may be calculated as shown in <link linkend="ch4diskest"/>. 
+ +<example id="ch4diskest"> +<title>Estimation of Disk Storage Requirements</title> +<screen> +Corporate Data: 100 MBytes/user per year +Email Storage: 500 MBytes/user per year +Applications: 5000 MBytes +Safety Buffer: At least 50% + +Given 500 Users and 2 years: +----------------------------- + Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes + Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes + Applications: 5000 MBytes = 5 GBytes + ---------------------------- + Total: 605 GBytes + Add 50% buffer 303 GBytes + Recommended Storage: 908 GBytes +</screen> +</example> + <indexterm> + <primary>storage capacity</primary> + </indexterm> + The preferred storage capacity should be approximately 1 TeraByte. Use of RAID level 5 + with two hot spare drives would require an 8 drive by 200 GByte capacity per drive array. + </para> + + </sect3> + + </sect2> + + + <sect2> + <title>Political Issues</title> + + <para> + Your industry is coming under increasing accountability pressures. Increased paranoia + is necessary so you can demonstrate that you have acted with due diligence. You must + not trust your Internet connection. + </para> + + <para> + Apart from permitting more efficient management of business applications through use of + an application server, your primary reason for the decision to implement this is that it + gives you greater control over software licensing. + </para> + + <para><indexterm> + <primary>Outlook Express</primary> + </indexterm> + You are well aware that the current configuration results in some performance issues + as the size of the desktop profile grows. Given that users use Microsoft Outlook + Express, you know that the storage implications of the <constant>.PST</constant> file + is something that needs to be addressed later on. + </para> + + </sect2> + +</sect1> + +<sect1> + <title>Implementation</title> + + <para> + <link linkend="ch04net"/> demonstrates the overall design of the network that you will implement. 
+ </para> + + <para> + The information presented here assumes that you are already familiar with many basic steps. + As this stands, the details provided already extend well beyond just the necessities of + Samba configuration. This decision is deliberate to ensure that key determinants + of a successful installation are not overlooked. This is the last case that documents + the finite minutiae of DHCP and DNS server configuration. Beyond the information provided + here, there are many other good reference books on these subjects. + </para> + + <para> + The &smb.conf; file has the following noteworthy features: + </para> + + <itemizedlist> + <listitem><para> + The NetBIOS name of the Samba server is set to <constant>DIAMOND</constant>. + </para></listitem> + + <listitem><para> + The Domain name is set to <constant>PROMISES</constant>. + </para></listitem> + + <listitem><para><indexterm> + <primary>broadcast messages</primary> + </indexterm><indexterm> + <primary>interfaces</primary> + </indexterm><indexterm> + <primary>bind interfaces only</primary> + </indexterm> + Ethernet interface <constant>eth0</constant> is attached to the Internet connection + and is externally exposed. This interface is explicitly not available for Samba to use. + Samba listens on this interface for broadcast messages, but does not broadcast any + information on <constant>eth0</constant>, nor does it accept any connections from it. + This is achieved by way of the <parameter>interfaces</parameter> parameter and the + <parameter>bind interfaces only</parameter> entry. + </para></listitem> + + <listitem><para><indexterm> + <primary>passdb backend</primary> + </indexterm><indexterm> + <primary>tdbsam</primary> + </indexterm><indexterm> + <primary>binary database</primary> + </indexterm> + The <parameter>passdb backend</parameter> parameter specifies the creation and use + of the <constant>tdbsam</constant> password backend. 
This is a binary database that + has excellent scalability for a large number of user account entries. + </para></listitem> + + <listitem><para><indexterm> + <primary>WINS serving</primary> + </indexterm><indexterm> + <primary>wins support</primary> + </indexterm><indexterm> + <primary>name resolve order</primary> + </indexterm> + WINS serving is enabled by the <smbconfoption name="wins support">Yes</smbconfoption>, + and name resolution is set to use it by means of the <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption> entry. + </para></listitem> + + <listitem><para><indexterm> + <primary>time server</primary> + </indexterm> + The Samba server is configured for use by Windows clients as a time server. + </para></listitem> + + <listitem><para><indexterm> + <primary>CUPS</primary> + </indexterm><indexterm> + <primary>printing</primary> + </indexterm><indexterm> + <primary>printcap name</primary> + </indexterm> + Samba is configured to directly interface with CUPS via the direct internal interface + that is provided by CUPS libraries. This is achieved with the + <smbconfoption name="printing">CUPS</smbconfoption> as well as the + <smbconfoption name="printcap name">CUPS</smbconfoption> entries. + </para></listitem> + + <listitem><para><indexterm> + <primary>user management</primary> + </indexterm><indexterm> + <primary>group management</primary> + </indexterm><indexterm> + <primary>SRVTOOLS.EXE</primary> + </indexterm> + External interface scripts are provided to enable Samba to interface smoothly to + essential operating system functions for user and group management. This is important + to enable workstations to join the Domain, and is also important so that you can use + the Windows NT4 Domain User Manager, as well as the Domain Server Manager. 
These tools + are provided as part of the <filename>SRVTOOLS.EXE</filename> toolkit that can be + downloaded from the Microsoft FTP <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">site.</ulink> + </para></listitem> + + <listitem><para><indexterm> + <primary>User Mode</primary> + </indexterm> + The &smb.conf; file specifies that the Samba server will operate in (default) <parameter> + security = user</parameter> mode<footnote><para>See <emphasis>TOSHARG</emphasis>, Chapter 3. This is necessary + so that Samba can act as a Domain Controller (PDC); see <emphasis>TOSHARG</emphasis>, Chapter 4 for + additional information.</para></footnote> (User Mode). + </para></listitem> + + <listitem><para><indexterm> + <primary>logon services</primary> + </indexterm><indexterm> + <primary>logon script</primary> + </indexterm> + Domain logon services as well as a Domain logon script are specified. The logon script + will be used to add robustness to the overall network configuration. + </para></listitem> + + <listitem><para><indexterm> + <primary>roaming profiles</primary> + </indexterm><indexterm> + <primary>logon path</primary> + </indexterm><indexterm> + <primary>profile share</primary> + </indexterm> + Roaming profiles are enabled through the specification of the parameter, <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>. The value of this parameter translates the + <constant>%L</constant> to the name by which the Samba server is called by the client (for this + configuration, it translates to the name <constant>DIAMOND</constant>), and the <constant>%U</constant> + will translate to the name of the user within the context of the connection made to the profile share. + It is the administrator's responsibility to ensure there is a directory in the root of the + profile share for each user. This directory must be owned by the user also. An exception to this + requirement is when a profile is created for group use. 
+ </para></listitem> + + <listitem><para><indexterm> + <primary>virus</primary> + </indexterm><indexterm> + <primary>opportunistic locking</primary> + </indexterm> + Precautionary veto is effected for particular Windows file names that have been targeted by + virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking + controls. This should help to prevent lock contention related file access problems. + </para></listitem> + + <listitem><para><indexterm> + <primary>IPC$</primary> + </indexterm> + Explicit controls are effected to restrict access to the <constant>IPC$</constant> share to + local networks only. The <constant>IPC$</constant> share plays an important role in network + browsing and in establishment of network connections. + </para></listitem> + + <listitem><para> + Every user has a private home directory on the UNIX/Linux host. This is mapped to + a network drive that is the same for all users. + </para></listitem> + + </itemizedlist> + + <para> + The configuration of the server is the most complex so far. The following steps are used: + </para> + + <orderedlist numeration="arabic"> + <listitem><para> + Basic System Configuration + </para></listitem> + + <listitem><para> + Samba Configuration + </para></listitem> + + <listitem><para> + DHCP and DNS Server Configuration + </para></listitem> + + <listitem><para> + Printer Configuration + </para></listitem> + + <listitem><para> + Process Start-up Configuration + </para></listitem> + + <listitem><para> + Validation + </para></listitem> + + <listitem><para> + Application Share Configuration + </para></listitem> + + <listitem><para> + Windows Client Configuration + </para></listitem> + </orderedlist> + + <para> + The following sections cover each step in logical and defined detail. 
+ </para> + + <sect2 id="ch4bsc"> + <title>Basic System Configuration</title> + + <para><indexterm> + <primary>SUSE Enterprise Linux Server</primary> + </indexterm> + The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been + freshly installed. It prepares basic files so that the system is ready for comprehensive + operation in line with the network diagram shown in <link linkend="ch04net"/>. + </para> + + <procedure> + <step><para><indexterm> + <primary>hostname</primary> + </indexterm> + Using the UNIX/Linux system tools, name the server <constant>server.abmas.us</constant>. + Verify that your hostname is correctly set by running: +<screen> +&rootprompt; uname -n +server +</screen> + An alternate method to verify the hostname is: +<screen> +&rootprompt; hostname -f +server.abmas.us +</screen> + </para></step> + + <step><para> + <indexterm><primary>/etc/hosts</primary></indexterm><indexterm> + <primary>localhost</primary> + </indexterm> + Edit your <filename>/etc/hosts</filename> file to include the primary names and addresses + of all network interfaces that are on the host server. This is necessary so that during + startup the system can resolve all its own names to the IP address prior to + startup of the DNS server. An example of entries that should be in the + <filename>/etc/hosts</filename> file is: +<screen> +127.0.0.1 localhost +192.168.1.1 sleeth1.abmas.biz sleeth1 diamond +192.168.2.1 sleeth2.abmas.biz sleeth2 +123.45.67.66 server.abmas.us server +</screen> + You should check the startup order of your system. 
If the CUPS print server is started before + the DNS server (<command>named</command>), you should also include an entry for the printers + in the <filename>/etc/hosts</filename> file, as follows: +<screen> +192.168.1.20 qmsa.abmas.biz qmsa +192.168.1.30 hplj6a.abmas.biz hplj6a +192.168.2.20 qmsf.abmas.biz qmsf +192.168.2.30 hplj6f.abmas.biz hplj6f +</screen> + <indexterm> + <primary>named</primary> + </indexterm><indexterm> + <primary>cupsd</primary> + </indexterm><indexterm> + <primary>daemon</primary> + </indexterm> + The printer entries are not necessary if <command>named</command> is started prior to + startup of <command>cupsd</command>, the CUPS daemon. + </para></step> + + <step><para> + <indexterm><primary>/etc/rc.d/boot.local</primary></indexterm> + <indexterm><primary>IP forwarding</primary></indexterm><indexterm> + <primary>/proc/sys/net/ipv4/ip_forward</primary> + </indexterm> + The host server is acting as a router between the two internal network segments as well + as for all Internet access. This necessitates that IP forwarding must be enabled. This can be + achieved by adding to the <filename>/etc/rc.d/boot.local</filename> an entry as follows: +<screen> +echo 1 > /proc/sys/net/ipv4/ip_forward +</screen> + To ensure that your kernel is capable of IP forwarding during configuration, you may + wish to execute that command manually also. This setting permits the Linux system to + act as a router.<footnote><para>ED NOTE: You may want to do the echo command last and include + "0" in the init scripts since it opens up your network for a short time.</para></footnote> + </para></step> + + <step><para><indexterm> + <primary>firewall</primary> + </indexterm><indexterm> + <primary>abmas-netfw.sh</primary> + </indexterm> + Installation of a basic firewall and network address translation facility is necessary. + The following script can be installed in the <filename>/usr/local/sbin</filename> + directory. 
It is executed from the <filename>/etc/rc.d/boot.local</filename> startup + script. In your case, this script is called <filename>abmas-netfw.sh</filename>. The + script contents are shown in <link linkend="ch4natfw"/>. + +<example id="ch4natfw"> +<title>NAT Firewall Configuration Script</title> +<screen> +#!/bin/sh +echo -e "\n\nLoading NAT firewall.\n" +IPTABLES=/usr/sbin/iptables +EXTIF="eth0" +INTIFA="eth1" +INTIFB="eth2" + +/sbin/depmod -a +/sbin/insmod ip_tables +/sbin/insmod ip_conntrack +/sbin/insmod ip_conntrack_ftp +/sbin/insmod iptable_nat +/sbin/insmod ip_nat_ftp +$IPTABLES -P INPUT DROP +$IPTABLES -F INPUT +$IPTABLES -P OUTPUT ACCEPT +$IPTABLES -F OUTPUT +$IPTABLES -P FORWARD DROP +$IPTABLES -F FORWARD + +$IPTABLES -A INPUT -i lo -j ACCEPT +$IPTABLES -A INPUT -i $INTIFA -j ACCEPT +$IPTABLES -A INPUT -i $INTIFB -j ACCEPT +$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT +# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS +for i in 22 25 53 80 443 +do + $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT +done +# Allow DNS(udp) +$IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT +echo "Allow all connections OUT and only existing and specified ones IN" +$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state \ + --state ESTABLISHED,RELATED -j ACCEPT +$IPTABLES -A FORWARD -i $EXTIF -o $INTIFB -m state \ + --state ESTABLISHED,RELATED -j ACCEPT +$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT +$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT +$IPTABLES -A FORWARD -j LOG +echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" +$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE +echo "1" > /proc/sys/net/ipv4/ip_forward +echo -e "\nNAT firewall done.\n" +</screen> +</example> + </para></step> + + <step><para> + Execute the following to make the script executable: +<screen> +&rootprompt; chmod 755 /usr/local/sbin/abmas-natfw.sh +</screen> + You must now edit <filename>/etc/rc.d/boot.local</filename> to 
add an entry + that runs your <command>abmas-natfw.sh</command> script. The following + entry works for you: +<screen> +#! /bin/sh +# +# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany. +# All rights reserved. +# +# Author: Werner Fink, 1996 +# Burchard Steinbild, 1996 +# +# /etc/init.d/boot.local +# +# script with local commands to be executed from init on system startup +# +# Here you should add things that should happen directly after booting +# before we're going to the first run level. +# +/usr/local/sbin/abmas-natfw.sh +</screen> + </para></step> + </procedure> + + <para><indexterm> + <primary>/etc/hosts</primary> + </indexterm> + The server is now ready for Samba configuration. During the validation step, you remove + the entry for the Samba server <constant>diamond</constant> from the <filename>/etc/hosts</filename> + file. This is done after you are satisfied that DNS-based name resolution is functioning correctly. + </para> + + </sect2> + + <sect2> + <title>Samba Configuration</title> + + <para> + When you have completed this section, the Samba server is ready for testing and validation; + however, testing and validation have to wait until DHCP, DNS, and Printing (CUPS) services have + been configured. + </para> + + <procedure> + <step><para> + Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary + RPM file is called <filename>samba-3.0.12-1.i386.rpm</filename>, one way to install this + file is as follows: +<screen> +&rootprompt; rpm -Uvh samba-3.0.12-1.i386.rpm +</screen> + This operation must be performed while logged in as the <command>root</command> user. + Successful operation is clearly indicated. If this installation should fail for any reason, + refer to the operating system manufacturer's documentation for guidance. + </para></step> + + <step><para> + Install the &smb.conf; file shown in <link linkend="promisnet"/>, <link linkend="promisnetsvca"/>, + and <link linkend="promisnetsvcb"/>. 
Concatenate (join) all three files to make a single &smb.conf; + file. The final, fully qualified path for this file should be <filename>/etc/samba/smb.conf</filename>. + +<smbconfexample id="promisnet"> +<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; [globals] Section</title> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">PROMISES</smbconfoption> +<smbconfoption name="netbios name">DIAMOND</smbconfoption> +<smbconfoption name="interfaces">eth1, eth2, lo</smbconfoption> +<smbconfoption name="bind interfaces only">Yes</smbconfoption> +<smbconfoption name="passdb backend">tdbsam</smbconfoption> +<smbconfoption name="pam password change">Yes</smbconfoption> +<smbconfoption name="passwd chat">*New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*</smbconfoption> +<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> +<smbconfoption name="unix password sync">Yes</smbconfoption> +<smbconfoption name="log level">1</smbconfoption> +<smbconfoption name="syslog">0</smbconfoption> +<smbconfoption name="log file">/var/log/samba/%m</smbconfoption> +<smbconfoption name="max log size">50</smbconfoption> +<smbconfoption name="smb ports">139 445</smbconfoption> +<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption> +<smbconfoption name="time server">Yes</smbconfoption> +<smbconfoption name="printcap name">CUPS</smbconfoption> +<smbconfoption name="show add printer wizard">No</smbconfoption> +<smbconfoption name="add user script">/usr/sbin/useradd -m '%u'</smbconfoption> +<smbconfoption name="delete user script">/usr/sbin/userdel -r '%u'</smbconfoption> +<smbconfoption name="add group script">/usr/sbin/groupadd '%g'</smbconfoption> +<smbconfoption name="delete group script">/usr/sbin/groupdel '%g'</smbconfoption> +<smbconfoption name="add user to group script">/usr/sbin/usermod -G '%g' '%u'</smbconfoption> +<smbconfoption name="add machine 
script">/usr/sbin/useradd -s /bin/false -d /tmp '%u'</smbconfoption> +<smbconfoption name="shutdown script">/var/lib/samba/scripts/shutdown.sh</smbconfoption> +<smbconfoption name="abort shutdown script">/sbin/shutdown -c</smbconfoption> +<smbconfoption name="logon script">scripts\logon.bat</smbconfoption> +<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption> +<smbconfoption name="logon drive">X:</smbconfoption> +<smbconfoption name="logon home">\\%L\%U</smbconfoption> +<smbconfoption name="domain logons">Yes</smbconfoption> +<smbconfoption name="preferred master">Yes</smbconfoption> +<smbconfoption name="wins support">Yes</smbconfoption> +<smbconfoption name="utmp">Yes</smbconfoption> +<smbconfoption name="map acl inherit">Yes</smbconfoption> +<smbconfoption name="printing">cups</smbconfoption> +<smbconfoption name="veto files">/*.eml/*.nws/*.{*}/</smbconfoption> +<smbconfoption name="veto oplock files">/*.doc/*.xls/*.mdb/</smbconfoption> +</smbconfexample> + +<smbconfexample id="promisnetsvca"> +<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part A</title> +<smbconfsection name="[IPC$]"/> +<smbconfoption name="path">/tmp</smbconfoption> +<smbconfoption name="hosts allow">192.168.1.0/24, 192.168.2.0/24, 127.0.0.1</smbconfoption> +<smbconfoption name="hosts deny">0.0.0.0/0</smbconfoption> + +<smbconfsection name="[homes]"/> +<smbconfoption name="comment">Home Directories</smbconfoption> +<smbconfoption name="valid users">%S</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[printers]"/> +<smbconfoption name="comment">SMB Print Spool</smbconfoption> +<smbconfoption name="path">/var/spool/samba</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="use client driver">Yes</smbconfoption> +<smbconfoption name="default 
devmode">Yes</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[netlogon]"/> +<smbconfoption name="comment">Network Logon Service</smbconfoption> +<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +<smbconfoption name="locking">No</smbconfoption> +</smbconfexample> + +<smbconfexample id="promisnetsvcb"> +<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part B</title> +<smbconfsection name="[profiles]"/> +<smbconfoption name="comment">Profile Share</smbconfoption> +<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="profile acls">Yes</smbconfoption> + +<smbconfsection name="[accounts]"/> +<smbconfoption name="comment">Accounting Files</smbconfoption> +<smbconfoption name="path">/data/accounts</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> + +<smbconfsection name="[service]"/> +<smbconfoption name="comment">Financial Services Files</smbconfoption> +<smbconfoption name="path">/data/service</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> + +<smbconfsection name="[apps]"/> +<smbconfoption name="comment">Application Files</smbconfoption> +<smbconfoption name="path">/apps</smbconfoption> +<smbconfoption name="read only">Yes</smbconfoption> +<smbconfoption name="admin users">bjordan</smbconfoption> +</smbconfexample> + </para></step> + + <step><para> + <indexterm><primary>administrator</primary></indexterm><indexterm> + <primary>smbpasswd</primary> + </indexterm> + Add the <constant>root</constant> user to the password backend as follows: +<screen> +&rootprompt; smbpasswd -a root +New SMB password: XXXXXXXX +Retype new SMB password: XXXXXXXX +&rootprompt; +</screen> + The <constant>root</constant> account is the UNIX equivalent of the Windows Domain Administrator. 
+ This account is essential in the regular maintenance of your Samba server. It must never be + deleted. If for any reason the account is deleted, you may not be able to recreate this account + without considerable trouble. + </para></step> + + <step><para> + <indexterm><primary>username map</primary></indexterm> + Create the username map file to permit the <constant>root</constant> account to be called + <constant>Administrator</constant> from the Windows network environment. To do this, create + the file <filename>/etc/samba/smbusers</filename> with the following contents: +<screen> +#### +# User mapping file +#### +# File Format +# ----------- +# Unix_ID = Windows_ID +# +# Examples: +# root = Administrator +# janes = "Jane Smith" +# jimbo = Jim Bones +# +# Note: If the name contains a space it must be double quoted. +# In the example above the name 'jimbo' will be mapped to Windows +# user names 'Jim' and 'Bones' because the space was not quoted. +####################################################################### +root = Administrator +#### +# End of File +#### +</screen> + </para></step> + + <step><para> + <indexterm><primary>initGrps.sh</primary></indexterm><indexterm> + <primary>net</primary> + <secondary>groupmap</secondary> + <tertiary>add</tertiary> + </indexterm><indexterm> + <primary>net</primary> + <secondary>groupmap</secondary> + <tertiary>modify</tertiary> + </indexterm><indexterm> + <primary>net</primary> + <secondary>groupmap</secondary> + <tertiary>list</tertiary> + </indexterm> + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in + <link linkend="initGrps"/>. Create a file containing this script. We called ours + <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed, + and then execute the script. 
Sample output should be as follows: + +<example id="ch4initGrps"> +<title>Script to Map Windows NT Groups to UNIX Groups</title> +<indexterm><primary>initGrps.sh</primary></indexterm> +<screen> +#!/bin/bash +# +# initGrps.sh +# + +# Create UNIX groups +groupadd acctsdep +groupadd finsrvcs + +# Map Windows Domain Groups to UNIX groups +net groupmap modify ntgroup="Domain Admins" unixgroup=root +net groupmap modify ntgroup="Domain Users" unixgroup=users +net groupmap modify ntgroup="Domain Guests" unixgroup=nobody + +# Add Functional Domain Groups +net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d +net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d + +# Map Windows NT machine local groups to local UNIX groups +# Mapping of local groups is not necessary and not functional +# for this installation. +</screen> +</example> + +<screen> +&rootprompt; chmod 755 initGrps.sh +&rootprompt; /etc/samba # ./initGrps.sh +Updated mapping entry for Domain Admins +Updated mapping entry for Domain Users +Updated mapping entry for Domain Guests +No rid or sid specified, choosing algorithmic mapping +Successfully added group Accounts Dept to the mapping db +No rid or sid specified, choosing algorithmic mapping +Successfully added group Domain Guests to the mapping db + +&rootprompt; /etc/samba # net groupmap list | sort +Account Operators (S-1-5-32-548) -> -1 +Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep +Administrators (S-1-5-32-544) -> -1 +Backup Operators (S-1-5-32-551) -> -1 +Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root +Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody +Domain Users (S-1-5-21-179504-2437109-488451-513) -> users +Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs +Guests (S-1-5-32-546) -> -1 +Power Users (S-1-5-32-547) -> -1 +Print Operators (S-1-5-32-550) -> -1 +Replicators (S-1-5-32-552) -> -1 +System Operators (S-1-5-32-549) -> -1 +Users (S-1-5-32-545) -> -1 
+</screen> + </para></step> + + <step><para> + <indexterm><primary>useradd</primary></indexterm> + <indexterm><primary>adduser</primary></indexterm> + <indexterm><primary>passwd</primary></indexterm> + <indexterm><primary>smbpasswd</primary></indexterm> + <indexterm><primary>/etc/passwd</primary></indexterm> + <indexterm><primary>password</primary><secondary>backend</secondary></indexterm> + <indexterm><primary>user</primary><secondary>management</secondary></indexterm> + There is one preparatory step without which you will not have a working Samba + network environment. You must add an account for each network user. + For each user who needs to be given a Windows Domain account, make an entry in the + <filename>/etc/passwd</filename> file, as well as in the Samba password backend. + Use the system tool of your choice to create the UNIX system account, and use the Samba + <command>smbpasswd</command> to create a Domain user account. + There are a number of tools for user management under UNIX. Commonly known ones include: + <command>useradd, adduser</command>. In addition to these, there are a plethora of custom + tools. You also want to create a home directory for each user. + You can do this by executing the following steps for each user: +<screen> +&rootprompt; useradd -m <parameter>username</parameter> +&rootprompt; passwd <parameter>username</parameter> +Changing password for <parameter>username</parameter>. +New password: XXXXXXXX +Re-enter new password: XXXXXXXX +Password changed +&rootprompt; smbpasswd -a <parameter>username</parameter> +New SMB password: XXXXXXXX +Retype new SMB password: XXXXXXXX +Added user <parameter>username</parameter>. +</screen> + You do of course use a valid user login ID in place of <parameter>username</parameter>. 
+ </para></step> + + <step><para><indexterm> + <primary>file system</primary> + <secondary>access control</secondary> + </indexterm><indexterm> + <primary>file system</primary> + <secondary>permissions</secondary> + </indexterm><indexterm> + <primary>group membership</primary> + </indexterm> + Using the preferred tool for your UNIX system, add each user to the UNIX groups created + previously as necessary. File system access control will be based on UNIX group membership. + </para></step> + + <step><para> + Create the directory mount point for the disk sub-system that can be mounted to provide + data storage for company files. In this case the mount point indicated in the &smb.conf; + file is <filename>/data</filename>. Format the file system as required, and mount the formatted + file system partition using appropriate system tools. + </para></step> + + <step><para> + <indexterm><primary>file system</primary><secondary>permissions</secondary></indexterm> + Create the top-level file storage directories for data and applications as follows: +<screen> +&rootprompt; mkdir -p /data/{accounts,finsvcs} +&rootprompt; mkdir -p /apps +&rootprompt; chown -R root.root /data +&rootprompt; chown -R root.root /apps +&rootprompt; chown -R bjordan.accounts /data/accounts +&rootprompt; chown -R bjordan.finsvcs /data/finsvcs +&rootprompt; chmod -R ug+rwxs,o-rwx /data +&rootprompt; chmod -R ug+rwx,o+rx-w /apps +</screen> + Each department is responsible for creating its own directory structure within the departmental + share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>. + The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>. + The <filename>/apps</filename> directory is the root of the <constant>apps</constant> share + that provides the application server infrastructure. 
+ </para></step> + + <step><para> + The &smb.conf; file specifies an infrastructure to support roaming profiles and network + logon services. You can now create the file system infrastructure to provide the + locations on disk that these services require. Adequate planning is essential + since desktop profiles can grow to be quite large. For planning purposes, a minimum of + 200 Megabytes of storage should be allowed per user for profile storage. The following + commands create the directory infrastructure needed: +<screen> +&rootprompt; mkdir -p /var/spool/samba +&rootprompt; mkdir -p /var/lib/samba/{netlogon/scripts,profiles} +&rootprompt; chown -R root.root /var/spool/samba +&rootprompt; chown -R root.root /var/lib/samba +&rootprompt; chmod a+rwxt /var/spool/samba +</screen> + For each user account that is created on the system, the following commands should be + executed: +<screen> +&rootprompt; mkdir /var/lib/samba/profiles/'username' +&rootprompt; chown 'username'.users /var/lib/samba/profiles/'username' +&rootprompt; chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username' +</screen> + </para></step> + + <step><para><indexterm> + <primary>logon scrip</primary> + </indexterm><indexterm> + <primary>unix2dos</primary> + </indexterm><indexterm> + <primary>dos2unix</primary> + </indexterm> + Create a logon script. It is important that each line is correctly terminated with + a carriage return and line-feed combination (i.e., DOS encoding). The following procedure + works if the right tools (<constant>unix2dos</constant> and <constant>dos2unix</constant>) are installed. 
+ First, create a file called <filename>/var/lib/samba/netlogon/scripts/logon.bat.unix</filename> + with the following contents: +<screen> +net time \\diamond /set /yes +net use h: /home +net use p: \\diamond\apps +</screen> + Convert the UNIX file to a DOS file using the <command>unix2dos</command> as shown here: +<screen> +&rootprompt; unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix \ + > /var/lib/samba/netlogon/scripts/logon.bat +</screen> + </para></step> + </procedure> + + </sect2> + + <sect2 id="ch4dhcpdns"> + <title>Configuration of DHCP and DNS Servers</title> + + <para> + DHCP services are a basic component of the entire network client installation. DNS operation is + foundational to Internet access as well as to trouble-free operation of local networking. When + you have completed this section, the server should be ready for solid duty operation. + </para> + + <procedure> + <step><para> + <indexterm><primary>/etc/dhcpd.conf</primary></indexterm> + Create a file called <filename>/etc/dhcpd.conf</filename> with the contents as + shown in <link linkend="prom-dhcp"/>. + +<example id="prom-dhcp"> +<title>DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title> +<screen> +# Abmas Accounting Inc. 
- Chapter 4 +default-lease-time 86400; +max-lease-time 172800; +default-lease-time 86400; +option ntp-servers 192.168.1.1; +option domain-name "abmas.biz"; +option domain-name-servers 192.168.1.1, 192.168.2.1; +option netbios-name-servers 192.168.1.1, 192.168.2.1; +option netbios-node-type 8; ### Node type = Hybrid ### +ddns-updates on; ### Dynamic DNS enabled ### +ddns-update-style ad-hoc; + +subnet 192.168.1.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.1.128 192.168.1.254; + option subnet-mask 255.255.255.0; + option routers 192.168.1.1; + allow unknown-clients; + host qmsa { + hardware ethernet 08:00:46:7a:35:e4; + fixed-address 192.168.1.20; + } + host hplj6a { + hardware ethernet 00:03:47:cb:81:e0; + fixed-address 192.168.1.30; + } + } +subnet 192.168.2.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.2.128 192.168.2.254; + option subnet-mask 255.255.255.0; + option routers 192.168.2.1; + allow unknown-clients; + host qmsf { + hardware ethernet 01:04:31:db:e1:c0; + fixed-address 192.168.1.20; + } + host hplj6f { + hardware ethernet 00:03:47:cf:83:e2; + fixed-address 192.168.2.30; + } + } +subnet 127.0.0.0 netmask 255.0.0.0 { + } +subnet 123.45.67.64 netmask 255.255.255.252 { + } +</screen> +</example> + </para></step> + + <step><para> + <indexterm><primary>/etc/named.conf</primary></indexterm> + Create a file called <filename>/etc/named.conf</filename> that has the combined contents + of the <link linkend="ch4namedcfg"/>, <link linkend="ch4namedvarfwd"/>, and + <link linkend="ch4namedvarrev"/> files that are concatenated (merged) in this + specific order. 
+ </para></step> + + <step><para> + Create the files shown in their directories as follows: + + <table id="namedrscfiles"> + <title>DNS (named) Resource Files</title> + <tgroup cols="2"> + <colspec align="left"/> + <colspec align="left"/> + <thead> + <row> + <entry>Reference</entry> + <entry>File Location</entry> + </row> + </thead> + <tbody> + <row> + <entry><link linkend="loopback"/></entry> + <entry>/var/lib/named/localhost.zone</entry> + </row> + <row> + <entry><link linkend="dnsloopy"/></entry> + <entry>/var/lib/named/127.0.0.zone</entry> + </row> + <row> + <entry><link linkend="roothint"/></entry> + <entry>/var/lib/named/root.hint</entry> + </row> + <row> + <entry><link linkend="abmasbiz"/></entry> + <entry>/var/lib/named/master/abmas.biz.hosts</entry> + </row> + <row> + <entry><link linkend="abmasus"/></entry> + <entry>/var/lib/named/abmas.us.hosts</entry> + </row> + <row> + <entry><link linkend="eth1zone"/></entry> + <entry>/var/lib/named/192.168.1.0.rev</entry> + </row> + <row> + <entry><link linkend="eth2zone"/></entry> + <entry>/var/lib/named/192.168.2.0.rev</entry> + </row> + </tbody> + </tgroup> + </table> + +<example id="ch4namedcfg"> +<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Master Section</title> +<indexterm><primary>/etc/named.conf</primary></indexterm> +<screen> +### +# Abmas Biz DNS Control File +### +# Date: November 15, 2003 +### +options { + directory "/var/lib/named"; + forwarders { + 123.45.12.23; + }; + forward first; + listen-on { + mynet; + }; + auth-nxdomain yes; + multiple-cnames yes; + notify no; +}; + +zone "." 
in { + type hint; + file "root.hint"; +}; + +zone "localhost" in { + type master; + file "localhost.zone"; +}; + +zone "0.0.127.in-addr.arpa" in { + type master; + file "127.0.0.zone"; +}; + +acl mynet { + 192.168.1.0/24; + 192.168.2.0/24; + 127.0.0.1; +}; + +acl seconddns { + 123.45.54.32; +} + +</screen> +</example> + +<example id="ch4namedvarfwd"> +<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Forward Lookup Definition Section</title> +<screen> +zone "abmas.biz" { + type master; + file "/var/lib/named/master/abmas.biz.hosts"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; + +zone "abmas.us" { + type master; + file "/var/lib/named/master/abmas.us.hosts"; + allow-query { + all; + }; + allow-transfer { + seconddns; + }; +}; +</screen> +</example> + +<example id="ch4namedvarrev"> +<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Reverse Lookup Definition Section</title> +<screen> +zone "1.168.192.in-addr.arpa" { + type master; + file "/var/lib/named/master/192.168.1.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; + +zone "2.168.192.in-addr.arpa" { + type master; + file "/var/lib/named/master/192.168.2.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; +</screen> +</example> + +<example id="eth1zone"> +<title>DNS 192.168.1 Reverse Zone File</title> +<screen> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +1.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. ( + 2003021825 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS sleeth1.abmas.biz. +$ORIGIN 1.168.192.in-addr.arpa. +1 PTR sleeth1.abmas.biz. +20 PTR qmsa.abmas.biz. +30 PTR hplj6a.abmas.biz. 
+</screen> +</example> + +<example id="eth2zone"> +<title>DNS 192.168.2 Reverse Zone File</title> +<screen> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +2.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. ( + 2003021825 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS sleeth2.abmas.biz. +$ORIGIN 2.168.192.in-addr.arpa. +1 PTR sleeth2.abmas.biz. +20 PTR qmsf.abmas.biz. +30 PTR hplj6f.abmas.biz. +</screen> +</example> + +<example id="abmasbiz"> +<title>DNS Abmas.biz Forward Zone File</title> +<screen> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +abmas.biz IN SOA sleeth1.abmas.biz. root.abmas.biz. ( + 2003021833 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS dns.abmas.biz. + MX 10 mail.abmas.biz. +$ORIGIN abmas.biz. +sleeth1 A 192.168.1.1 +sleeth2 A 192.168.2.1 +qmsa A 192.168.1.20 +hplj6a A 192.168.1.30 +qmsf A 192.168.2.20 +hplj6f A 192.168.2.30 +dns CNAME sleeth1 +diamond CNAME sleeth1 +mail CNAME sleeth1 +</screen> +</example> + +<example id="abmasus"> +<title>DNS Abmas.us Forward Zone File</title> +<screen> +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +abmas.us IN SOA server.abmas.us. root.abmas.us. ( + 2003021833 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS dns.abmas.us. + NS dns2.abmas.us. + MX 10 mail.abmas.us. +$ORIGIN abmas.us. +server A 123.45.67.66 +dns2 A 123.45.54.32 +gw A 123.45.67.65 +www CNAME server +mail CNAME server +dns CNAME server +</screen> +</example> + + </para></step> + + <step><para> + <indexterm><primary>/etc/resolv.conf</primary></indexterm><indexterm> + <primary>name resolution</primary> + </indexterm> + All DNS name resolution should be handled locally. 
To ensure that the server is configured + correctly to handle this, edit <filename>/etc/resolv.conf</filename> to have the following + content: +<screen> +search abmas.us abmas.biz +nameserver 127.0.0.1 +nameserver 123.45.54.23 +</screen> + <indexterm> + <primary>DNS server</primary> + </indexterm> + This instructs the name resolver function (when configured correctly) to ask the DNS server + that is running locally to resolve names to addresses. In the event that the local name server + is not available, ask the name server provided by the ISP. The latter, of course, does not resolve + purely local names to IP addresses. + </para></step> + + <step><para> + <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> + The final step is to edit the <filename>/etc/nsswitch.conf</filename> file. + This file controls the operation of the various resolver libraries that are part of the Linux + Glibc libraries. Edit this file so that it contains the following entries: +<screen> +hosts: files dns wins +</screen> + </para></step> + </procedure> + + <para> + The basic DHCP and DNS services are now ready for validation testing. Before you can proceed, + there are a few more steps along the road. First, configure the print spooling and print + processing system. Then you can configure the server so that all services + start automatically on reboot. You must also manually start all services prior to validation testing. + </para> + + </sect2> + + <sect2 id="ch4ptrcfg"> + <title>Printer Configuration</title> + + <para> + </para> + + <procedure> + <step><para> + Configure each printer to be a DHCP client carefully following the manufacturer's guidelines. + </para></step> + + <step><para> + Follow the instructions in the printer manufacturers' manuals to permit printing to port 9100. + Use any other port the manufacturer specifies for direct mode, raw printing and adjust the + port as necessary in the following example commands. 
+ This allows the CUPS spooler to print using raw mode protocols. + <indexterm><primary>CUPS</primary></indexterm> + <indexterm><primary>raw printing</primary></indexterm> + </para></step> + + <step><para> + <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm><indexterm> + <primary>lpadmin</primary> + </indexterm> + Configure the CUPS Print Queues as follows: +<screen> +&rootprompt; lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E +&rootprompt; lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E +&rootprompt; lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E +&rootprompt; lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E +</screen> + <indexterm><primary>print filter</primary></indexterm> + This has created the necessary print queues with no assigned print filter. + </para></step> + + <step><para><indexterm> + <primary>enable</primary> + </indexterm> + Print queues may not be enabled at creation. Use <command>lpc stat</command> to check + the status of the print queues and if necessary make certain that the queues you have + just created are enabled by executing the following: +<screen> +&rootprompt; /usr/bin/enable qmsa +&rootprompt; /usr/bin/enable hplj6a +&rootprompt; /usr/bin/enable qmsf +&rootprompt; /usr/bin/enable hplj6f +</screen> + </para></step> + + <step><para><indexterm> + <primary>accept</primary> + </indexterm> + Even though your print queues may be enabled, it is still possible that they + are not accepting print jobs. A print queue services incoming printing + requests only when configured to do so. 
Ensure that your print queues are + set to accept incoming jobs by executing the following commands: +<screen> +&rootprompt; /usr/bin/accept qmsa +&rootprompt; /usr/bin/accept hplj6a +&rootprompt; /usr/bin/accept qmsf +&rootprompt; /usr/bin/accept hplj6f +</screen> + </para></step> + + <step><para> + <indexterm><primary>mime type</primary></indexterm> + <indexterm><primary>/etc/mime.convs</primary></indexterm> + <indexterm><primary>application/octet-stream</primary></indexterm> + Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line: +<screen> +application/octet-stream application/vnd.cups-raw 0 - +</screen> + </para></step> + + <step><para> + <indexterm><primary>/etc/mime.types</primary></indexterm> + Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line: +<screen> +application/octet-stream +</screen> + </para></step> + + <step><para> + Printing drivers are installed on each network client workstation. + </para></step> + </procedure> + + <para> + The UNIX system print queues have been configured and are ready for validation testing. + </para> + + </sect2> + + <sect2 id="procstart"> + <title>Process Startup Configuration</title> + + <para> + <indexterm><primary>chkconfig</primary></indexterm> + There are two essential steps to process startup configuration. First, the process + must be configured so that it automatically restarts each time the server + is rebooted. This step involves use of the <command>chkconfig</command> tool that + creates the appropriate symbolic links from the master daemon control file that is + located in the <filename>/etc/rc.d</filename> directory, to the <filename>/etc/rc'x'.d</filename> + directories. Links are created so that when the system run-level is changed, the + necessary start or kill script is run. 
+ </para> + + <para> + <indexterm><primary>/etc/xinetd.d</primary></indexterm><indexterm> + <primary>inetd</primary> + </indexterm><indexterm> + <primary>xinetd</primary> + </indexterm><indexterm> + <primary>chkconfig</primary> + </indexterm><indexterm> + <primary>super daemon</primary> + </indexterm> + In the event that a service is not run as a daemon, but via the inter-networking + super daemon (<command>inetd</command> or <command>xinetd</command>), then the <command>chkconfig</command> + tool makes the necessary entries in the <filename>/etc/xinetd.d</filename> directory + and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to + re-read its control files. + </para> + + <para> + Last, each service must be started to permit system validation to proceed. + </para> + + <procedure> + <step><para> + Use the standard system tool to configure each service to restart + automatically at every system reboot. For example: + <indexterm><primary>chkconfig</primary></indexterm> +<screen> +&rootprompt; chkconfig dhpc on +&rootprompt; chkconfig named on +&rootprompt; chkconfig cups on +&rootprompt; chkconfig smb on +</screen> + </para></step> + + <step><para> + <indexterm><primary>starting dhcpd</primary></indexterm> + <indexterm><primary>starting samba</primary></indexterm> + <indexterm><primary>starting CUPS</primary></indexterm> + Now start each service to permit the system to be validated. + Execute each of the following in the sequence shown: + +<screen> +&rootprompt; /etc/rc.d/init.d/dhcp restart +&rootprompt; /etc/rc.d/init.d/named restart +&rootprompt; /etc/rc.d/init.d/cups restart +&rootprompt; /etc/rc.d/init.d/smb restart +</screen> + </para></step> + </procedure> + + </sect2> + + <sect2 id="ch4valid"> + <title>Validation</title> + + <para><indexterm> + <primary>validation</primary> + </indexterm> + Complex networking problems are most often caused by simple things that are poorly or incorrectly + configured. 
The validation process adopted here should be followed carefully; it is the result of the + experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should + refrain from taking shortcuts, from making basic assumptions, and from not exercising due process + and diligence in network validation. By thoroughly testing and validating every step in the process + of network installation and configuration, you can save yourself from sleepless nights and restless + days. A well debugged network is a foundation for happy network users and network administrators. + Later in this book you learn how to make users happier. For now, it is enough to learn to + validate. Let's get on with it. + </para> + + <procedure> + + <step><para> + <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> + One of the most important facets of Samba configuration is to ensure that + name resolution functions correctly. You can test name resolution + with a few simple tests. The most basic name resolution is provided from the + <filename>/etc/hosts</filename> file. To test its operation, make a + temporary edit to the <filename>/etc/nsswitch.conf</filename> file. Using + your favorite editor, change the entry for <constant>hosts</constant> to read: +<screen> +hosts: files +</screen> + When you have saved this file, execute the following command: +<screen> +&rootprompt; ping diamond +PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data. 
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms + +--- sleeth1.abmas.biz ping statistics --- +4 packets transmitted, 4 received, 0% packet loss, time 3016ms +rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms +</screen> + This proves that name resolution via the <filename>/etc/hosts</filename> file + is working. + </para></step> + + <step><para> + <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> + So far, your installation is going particularly well. In this step we validate + DNS server and name resolution operation. Using your favorite UNIX system editor, + change the <filename>/etc/nsswitch.conf</filename> file so that the + <constant>hosts</constant> entry reads: +<screen> +hosts: dns +</screen> + </para></step> + + <step><para> + <indexterm><primary>named</primary></indexterm> + Before you test DNS operation, it is a good idea to verify that the DNS server + is running by executing the following: +<screen> +&rootprompt; ps ax | grep named + 437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log + 524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 529 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 2552 pts/2 S 0:00 grep named +</screen> + This means that we are ready to check DNS operation. Do so by executing: + <indexterm><primary>ping</primary></indexterm> +<screen> +&rootprompt; ping diamond +PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data. 
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms + +--- sleeth1.abmas.biz ping statistics --- +2 packets transmitted, 2 received, 0% packet loss, time 999ms +rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms +</screen> + You should take a few more steps to validate DNS server operation, as follows: +<screen> +&rootprompt; host -f diamond.abmas.biz +sleeth1.abmas.biz has address 192.168.1.1 +</screen> + <indexterm><primary>/etc/hosts</primary></indexterm> + You may now remove the entry called <constant>diamond</constant> from the + <filename>/etc/hosts</filename> file. It does not hurt to leave it there, + but its removal reduces the number of administrative steps for this name. + </para></step> + + <step><para> + <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> + WINS is a great way to resolve NetBIOS names to their IP address. You can test + the operation of WINS by starting <command>nmbd</command> (manually, or by way + of the Samba startup method shown in <link linkend="procstart"/>). You must edit + the <filename>/etc/nsswitch.conf</filename> file so that the <constant>hosts</constant> + entry is as follows: +<screen> +hosts: wins +</screen> + The next step is to make certain that Samba is running using <command>ps ax|grep mbd</command>, and then execute the following: +<screen> +&rootprompt; ping diamond +PING diamond (192.168.1.1) 56(84) bytes of data. +64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms +64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms +</screen> + <indexterm><primary>ping</primary></indexterm> + Now that you can relax with the knowledge that all three major forms of name + resolution to IP address resolution are working, edit the <filename>/etc/nsswitch.conf</filename> + again. This time you add all three forms of name resolution to this file. 
+ Your edited entry for <constant>hosts</constant> should now look like this: +<screen> +hosts: files dns wins +</screen> + The system is looking good. Let's move on. + </para></step> + + <step><para> + It would give peace of mind to know that the DHCP server is running + and available for service. You can validate DHCP services by running: + +<screen> +&rootprompt; ps ax | grep dhcp + 2618 ? S 0:00 /usr/sbin/dhcpd ... + 8180 pts/2 S 0:00 grep dhcp +</screen> + This shows that the server is running. The proof of whether or not it is working + comes when you try to add the first DHCP client to the network. + </para></step> + + <step><para> + <indexterm><primary>testparm</primary></indexterm> + This is a good point at which to start validating Samba operation. You are + content that name resolution is working for basic TCP/IP needs. Let's move on. + If your &smb.conf; file has bogus options or parameters, this may cause Samba + to refuse to start. The first step should always be to validate the contents + of this file by running: +<screen> +&rootprompt; testparm -s +Load smb config files from /etc/samba/smb.conf +Processing section "[IPC$]" +Processing section "[homes]" +Processing section "[printers]" +Processing section "[netlogon]" +Processing section "[profiles]" +Processing section "[accounts]" +Processing section "[service]" +Processing section "[apps]" +Loaded services file OK. 
+# Global parameters +[global] + workgroup = PROMISES + netbios name = DIAMOND + interfaces = eth1, eth2, lo + bind interfaces only = Yes + passdb backend = tdbsam + pam password change = Yes + passwd chat = *New*Password* %n\n \ + *Re-enter*new*password* %n\n *Password*changed* + username map = /etc/samba/smbusers + unix password sync = Yes + log level = 1 + syslog = 0 + log file = /var/log/samba/%m + max log size = 50 + smb ports = 139 445 + name resolve order = wins bcast hosts + time server = Yes + printcap name = CUPS + show add printer wizard = No + add user script = /usr/sbin/useradd -m %u + delete user script = /usr/sbin/userdel -r %u + add group script = /usr/sbin/groupadd %g + delete group script = /usr/sbin/groupdel %g + add user to group script = /usr/sbin/usermod -G %g %u + add machine script = /usr/sbin/useradd \ + -s /bin/false -d /var/lib/nobody %u + shutdown script = /var/lib/samba/scripts/shutdown.sh + abort shutdown script = /sbin/shutdown -c + logon script = scripts\logon.bat + logon path = \\%L\profiles\%U + logon drive = X: + logon home = \\%L\%U + domain logons = Yes + preferred master = Yes + wins support = Yes + utmp = Yes + winbind use default domain = Yes + map acl inherit = Yes + printing = cups + veto files = /*.eml/*.nws/riched20.dll/*.{*}/ + veto oplock files = /*.doc/*.xls/*.mdb/ + +[IPC$] + path = /tmp + hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1 + hosts deny = 0.0.0.0/0 +... +### Remainder cut to save space ### +</screen> + Clear away all errors before proceeding. + </para></step> + + <step><para> + <indexterm><primary>check samba daemons</primary></indexterm> + <indexterm><primary>smbd</primary></indexterm> + <indexterm><primary>nmbd</primary></indexterm> + <indexterm><primary>winbindd</primary></indexterm> + Check that the Samba server is running: +<screen> +&rootprompt; ps ax | grep mbd +14244 ? S 0:00 /usr/sbin/nmbd -D +14245 ? S 0:00 /usr/sbin/nmbd -D +14290 ? 
S 0:00 /usr/sbin/smbd -D + +$rootprompt; ps ax | grep winbind +14293 ? S 0:00 /usr/sbin/winbindd -B +14295 ? S 0:00 /usr/sbin/winbindd -B +</screen> + The <command>winbindd</command> daemon is running in split mode (normal), so there are also + two instances<footnote><para>For more information regarding winbindd, see <emphasis>TOSHARG</emphasis>, + Chapter 22, Section 22.3. The single instance of <command>smbd</command> is normal. One additional + <command>smbd</command> slave process is spawned for each SMB/CIFS client + connection.</para></footnote> of it. + </para></step> + + <step><para> + <indexterm><primary>anonymous + connection</primary></indexterm> + <indexterm> + <primary>smbclient</primary> + </indexterm> + Check that an anonymous connection can be made to the Samba server: +<screen> +&rootprompt; smbclient -L localhost -U% + + Sharename Type Comment + --------- ---- ------- + IPC$ IPC IPC Service (Samba 3.0.12) + netlogon Disk Network Logon Service + profiles Disk Profile Share + accounts Disk Accounting Files + service Disk Financial Services Files + apps Disk Application Files + ADMIN$ IPC IPC Service (Samba 3.0.12) + hplj6a Printer hplj6a + hplj6f Printer hplj6f + qmsa Printer qmsa + qmsf Printer qmsf + + Server Comment + --------- ------- + DIAMOND Samba CVS 3.0.12 + + Workgroup Master + --------- ------- + PROMISES DIAMOND +</screen> + This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent + of browsing the server from a Windows client to obtain a list of shares on the server. + The <constant>-U%</constant> argument means "send a <constant>NULL</constant> username and + a <constant>NULL</constant> password." + </para></step> + + <step><para> + <indexterm><primary>dhcp client validation</primary></indexterm> + <indexterm><primary>printer validation</primary></indexterm> + <indexterm><primary>arp</primary></indexterm> + Verify that each printer has the IP address assigned in the DHCP server configuration file. 
+ The easiest way to do this is to ping the printer name. Immediately after the ping response + has been received, execute <command>arp -a</command> to find the MAC address of the printer + that has responded. Now you can compare the IP address and the MAC address of the printer + with the configuration information in the <filename>/etc/dhcpd.conf</filename> file. They + should, of course, match. For example: +<screen> +&rootprompt; ping hplj6 +PING hplj6a (192.168.1.30) 56(84) bytes of data. +64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms + +&rootprompt; arp -a +hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0 +</screen> + <indexterm> + <primary>/etc/dhcpd.conf</primary> + </indexterm> + The MAC address <constant>00:03:47:CB:81:E0</constant> matches that specified for the + IP address from which the printer has responded and with the entry for it in the + <filename>/etc/dhcpd.conf</filename> file. Repeat this for each printer configured. + </para></step> + + <step><para> + <indexterm><primary>authenticated connection</primary></indexterm> + Make an authenticated connection to the server using the <command>smbclient</command> tool: +<screen> +&rootprompt; smbclient //diamond/accounts -U gholmes +Password: XXXXXXX +smb: \> dir + . D 0 Thu Nov 27 15:07:09 2003 + .. D 0 Sat Nov 15 17:40:50 2003 + zakadmin.exe 161424 Thu Nov 27 15:06:52 2003 + zak.exe 6066384 Thu Nov 27 15:06:52 2003 + dhcpd.conf 1256 Thu Nov 27 15:06:52 2003 + smb.conf 2131 Thu Nov 27 15:06:52 2003 + initGrps.sh A 1089 Thu Nov 27 15:06:52 2003 + POLICY.EXE 86542 Thu Nov 27 15:06:52 2003 + + 55974 blocks of size 65536. 33968 blocks available +smb: \> q +</screen> + </para></step> + + <step><para> + <indexterm><primary>nmap</primary></indexterm> + Your new server is connected to an Internet accessible connection. Before you start + your firewall, you should run a port scanner against your system. You should repeat that + after the firewall has been started. 
This helps you understand what extent the + server may be vulnerable to external attack. One way you can do this is by using an + external service provided such as the <ulink url="http://www.dslreports.com/scan">DSL Reports</ulink> + tools. Alternately, if you can gain root-level access to a remote + UNIX/Linux system that has the <command>nmap</command> tool, you can run this as follows: +<screen> +&rootprompt; nmap -v -sT server.abmas.us + +Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) +Host server.abmas.us (123.45.67.66) appears to be up ... good. +Initiating Connect() Scan against server.abmas.us (123.45.67.66) +Adding open port 6000/tcp +Adding open port 873/tcp +Adding open port 445/tcp +Adding open port 10000/tcp +Adding open port 901/tcp +Adding open port 631/tcp +Adding open port 25/tcp +Adding open port 111/tcp +Adding open port 32770/tcp +Adding open port 3128/tcp +Adding open port 53/tcp +Adding open port 80/tcp +Adding open port 443/tcp +Adding open port 139/tcp +Adding open port 22/tcp +The Connect() Scan took 0 seconds to scan 1601 ports. +Interesting ports on server.abmas.us (123.45.67.66): +(The 1587 ports scanned but not shown below are in state: closed) +Port State Service +22/tcp open ssh +25/tcp open smtp +53/tcp open domain +80/tcp open http +111/tcp open sunrpc +139/tcp open netbios-ssn +443/tcp open https +445/tcp open microsoft-ds +631/tcp open ipp +873/tcp open rsync +901/tcp open samba-swat +3128/tcp open squid-http +6000/tcp open X11 +10000/tcp open snet-sensor-mgmt +32770/tcp open sometimes-rpc3 + +Nmap run completed -- 1 IP address (1 host up) scanned in 1 second +</screen> + The above scan was run before the external interface was locked down with the NAT-firewall + script you created above. The following results are obtained after the firewall rules + have been put into place: +<screen> +&rootprompt; nmap -v -sT server.abmas.us + +Starting nmap V. 
3.00 ( www.insecure.org/nmap/ ) +Host server.abmas.us (123.45.67.66) appears to be up ... good. +Initiating Connect() Scan against server.abmas.us (123.45.67.66) +Adding open port 53/tcp +Adding open port 22/tcp +The Connect() Scan took 168 seconds to scan 1601 ports. +Interesting ports on server.abmas.us (123.45.67.66): +(The 1593 ports scanned but not shown below are in state: filtered) +Port State Service +22/tcp open ssh +25/tcp closed smtp +53/tcp open domain +80/tcp closed http +443/tcp closed https + +Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds +</screen> + </para></step> + + </procedure> + + </sect2> + + <sect2 id="ch4appscfg"> + <title>Application Share Configuration</title> + + <para><indexterm> + <primary>application server</primary> + </indexterm><indexterm> + <primary>administrative installation</primary> + </indexterm> + The use of an application server is a key mechanism by which desktop administration overheads + can be reduced. Check the application manual for your software to identify how best to + create an administrative installation. + </para> + + <para> + Some Windows software will only run locally on the desktop computer. Such software + is typically not suited for administrative installation. Administratively installed software + permits one or more of the following installation choices: + </para> + + <itemizedlist> + <listitem><para> + Install software fully onto a workstation, storing data files on the same workstation. + </para></listitem> + + <listitem><para> + Install software fully onto a workstation with central network data file storage. + </para></listitem> + + <listitem><para> + Install software to run off a central application server with data files stored + on the local workstation. This is often called a minimum installation, or a + network client installation. 
+ </para></listitem> + + <listitem><para> + Install software to run off a central application server with data files stored + on a central network share. This type of installation often prevents storage + of work files on the local workstation. + </para></listitem> + </itemizedlist> + + <para><indexterm> + <primary></primary> + </indexterm> + A common application deployed in this environment is an office suite. + Enterprise editions of Microsoft Office XP Professional can be administratively installed + by launching the installation from a command shell. The command that achieves this is: + <command>setup /a</command>. It results in a set of prompts through which various + installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource + Kit for more information regarding this mode of installation of MS Office XP Professional. + The full administrative installation of MS Office XP Professional requires approximately + 650 MB of disk space. + </para> + + <para> + When the MS Office XP Professional product has been installed to the administrative network + share, the product can be installed onto a workstation by executing the normal setup program. + The installation process now provides a choice to either perform a minimum installation + or a full local installation. A full local installation takes over 100 MB of disk space. + A network workstation (minimum) installation requires typically 10-15 MB of + local disk space. In the later case, when the applications are used, they load over the network. + </para> + + <para><indexterm> + <primary>Service Packs</primary> + </indexterm><indexterm> + <primary>Microsoft Office</primary> + </indexterm> + Microsoft Office Service Packs can be unpacked to update an administrative share. This makes + it possible to update MS Office XP Professional for all users from a single installation + of the service pack and generally circumvents the need to run updates on each network + Windows client. 
+ </para> + + <para> + The default location for MS Office XP Professional data files can be set through registry + editing or by way of configuration options inside each Office XP Professional application. + </para> + + <para><indexterm> + <primary>OpenOffice</primary> + </indexterm> + OpenOffice.Org OpenOffice Version 1.1.0 is capable of being installed locally. It can also + be installed to run off a network share. The latter is a most desirable solution for office-bound + network users and for administrative staff alike. It permits quick and easy updates + to be rolled out to all users with a minimum of disruption and with maximum flexibility. + </para> + + <para> + The process for installation of administrative shared OpenOffice involves download of the + distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area. + When fully extracted using the un-zipping tool of your choosing, change into the Windows + installation files directory then execute <command>setup -net</command>. You are + prompted on screen for the target installation location. This is the administrative + share point. The full administrative OpenOffice share takes approximately 150 MB of disk + space. + </para> + + <sect3> + <title>Comments Regarding Software Terms of Use</title> + <para> + Many single-user products can be installed into an administrative share, but + personal versions of products such as Microsoft Office XP Professional do not permit this. + Many people do not like terms of use typical with commercial products, so a few comments + regarding software licensing seem important and thus are included below. + </para> + + <para> + Please do not use an administrative installation of proprietary and commercially licensed + software products to violate the copyright holders' property. All software is licensed, + particularly software that is licensed for use free of charge. 
All software is the property + of the copyright holder, unless the author and/or copyright holder has explicitly disavowed + ownership and has placed the software into the public domain. + </para> + + <para> + Software that is under the GNU General Public License, like proprietary software, is + licensed in a way that restricts use. For example, if you modify GPL software and then + distribute the binary version of your modifications, you must offer to provide the source + code as well. This is a form of restriction that is designed to maintain the momentum + of the diffusion of technology and to protect against the withholding of innovations. + </para> + + <para> + Commercial and proprietary software generally restrict use to those who have paid the + license fees and who comply with the licensee's terms of use. Software that is released + under the GNU General Public License is restricted to particular terms and conditions + also. Whatever the licensing terms may be, if you do not approve of the terms of use, + please do not use the software. + </para> + + <para><indexterm> + <primary>GPL</primary> + </indexterm> + Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided + with the source code. + </para> + </sect3> + + </sect2> + + <sect2 id="ch4wincfg"> + <title>Windows Client Configuration</title> + + <para> + Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs + to reinstall many of the notebook computers that will be recycled for use with the new network + configuration. The smartest way to handle the challenge of the roll-out program is to build + a staged system for each type of target machine, and then use an image replication tool such as Norton + Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can + be done with notebook computers as long as they are identical or sufficiently similar. 
+ </para> + + <procedure> + <step><para> + Install MS Windows XP Professional. During installation, configure the client to use DHCP for + TCP/IP protocol configuration. + <indexterm><primary>WINS</primary></indexterm> + <indexterm><primary>DHCP</primary></indexterm> + DHCP configures all Windows clients to use the WINS Server address that has been defined + for the local subnet. + </para></step> + + <step><para> + Join the Windows Domain <constant>PROMISES</constant>. Use the Domain Administrator + user name <constant>root</constant> and the SMB password you assigned to this account. + A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to + a Windows Domain is given in <link linkend="domjoin"/>. + Reboot the machine as prompted and then logon using the Domain Administrator account + (<constant>root</constant>. + </para></step> + + <step><para> + Verify <constant>DIAMOND</constant> is visible in <guimenu>My Network Places</guimenu>, + that it is possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>, + <guimenuitem>apps</guimenuitem>, and <guimenuitem>finsvcs</guimenuitem>, + and that it is possible to open each share to reveal its contents. + </para></step> + + <step><para> + Create a drive mapping to the <constant>apps</constant> share on the server <constant>DIAMOND</constant>. + </para></step> + + <step><para> + Perform an administrative installation of each application to be used. Select the options + that you wish to use. Of course, you can choose to run applications over the network, correct? + </para></step> + + <step><para> + Now install all applications to be installed locally. Typical tools includes: Adobe Acrobat, + NTP-based time synchronization software, drivers for specific local devices such as finger-print + scanners, and the like. Probably the most significant application for local installation + is anti-virus software. 
+ </para></step> + + <step><para> + Now install all four printers onto the staging system. The printers you install + include the Accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will + also configure identical printers that are located in the financial services department. + Install printers on each machine using the following steps: + </para> + + <procedure> + <step><para> + Click <menuchoice> + <guimenu>Start</guimenu> + <guimenuitem>Settings</guimenuitem> + <guimenuitem>Printers</guimenuitem> + <guiicon>Add Printer</guiicon> + <guibutton>Next</guibutton> + </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>. + Ensure that <guimenuitem>Local printer</guimenuitem> is selected. + </para></step> + + <step><para> + Click <guibutton>Next</guibutton>. In the panel labeled + <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>. + In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called + <constant>HP LaserJet 6</constant>. Click <guibutton>Next</guibutton>. + </para></step> + + <step><para> + In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select + <constant>FILE:</constant>. Accept the default printer name by clicking + <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a + test page?,</quote> click <guimenuitem>No</guimenuitem>. Click + <guibutton>Finish</guibutton>. + </para></step> + + <step><para> + You may be prompted for the name of a file to print to. If so, close the + dialog panel. Right-click <menuchoice> + <guiicon>HP LaserJet 6</guiicon> + <guimenuitem>Properties</guimenuitem> + <guisubmenu>Details (Tab)</guisubmenu> + <guimenuitem>Add Port</guimenuitem> + </menuchoice>. + </para></step> + + <step><para> + In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of + the print queue on the Samba server as follows: <constant>\\DIAMOND\hplj6a</constant>. 
+ Click <menuchoice> + <guibutton>OK</guibutton> + <guibutton>OK</guibutton> + </menuchoice> to complete the installation. + </para></step> + + <step><para> + Repeat the printer installation steps above for both HP LaserJet 6 printers + as well as for both QMS Magicolor laser printers. + </para></step> + </procedure> + </step> + + <step><para><indexterm> + <primary>defragmentation</primary> + </indexterm> + When you are satisfied that the staging systems are complete, use the appropriate procedure to + remove the client from the domain. Reboot the system and then log on as the local administrator + and clean out all temporary files stored on the system. Before shutting down, use the disk + defragmentation tool so that the file system is in an optimal condition before replication. + </para></step> + + <step><para> + Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the + machine to a network share on the server. + </para></step> + + <step><para><indexterm> + <primary>Windows security identifier</primary> + <see>SID</see> + </indexterm><indexterm> + <primary>SID</primary> + </indexterm> + You may now replicate the image to the target machines using the appropriate Norton Ghost + procedure. Make sure to use the procedure that ensures each machine has a unique + Windows security identifier (SID). When the installation of the disk image has completed, boot the PC. + </para></step> + + <step><para> + Log onto the machine as the local Administrator (the only option), and join the machine to + the Domain following the procedure set out in <link linkend="domjoin"/>. The system is now + ready for the user to logon, providing you have created a network logon account for that + user, of course. + </para></step> + + <step><para> + Instruct all users to log onto the workstation using their assigned user name and password. 
+ </para></step> + </procedure> + + </sect2> + + <sect2> + <title>Key Points Learned</title> + + <para> + How do you feel, Bob? You have built a capable network, a truly ambitious project. + Just as well, you have Christine to help you. Future network updates can be handled by + your staff. You must be a satisfied manager. Let's review the achievements. + </para> + + <itemizedlist> + <listitem><para> + A simple firewall has been configured to protect the server in the event that + the ISP firewall service should fail. + </para></listitem> + + <listitem><para> + The Samba configuration uses measures to ensure that only local network users + can connect to SMB/CIFS services. + </para></listitem> + + <listitem><para> + Samba uses the new <constant>tdbsam</constant> passdb backend facility. + Considerable complexity was added to Samba functionality. + </para></listitem> + + <listitem><para> + A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS + server. + </para></listitem> + + <listitem><para> + The DNS server was configured to permit DDNS only for local network clients. This + server also provides primary DNS services for the company Internet presence. + </para></listitem> + + <listitem><para> + You introduced an application server, as well as the concept of cloning a Windows + client in order to effect improved standardization of desktops and to reduce + the costs of network management. + </para></listitem> + </itemizedlist> + + </sect2> + +</sect1> + +<sect1> + <title>Questions and Answers</title> + + <para> + </para> + + <qandaset> + <qandaentry> + <question> + + <para> + What is the maximum number of account entries that the <parameter>tdbsam</parameter> passdb backend can handle? + </para> + + </question> + <answer> + + <para> + The tdb data structure and support system can handle more entries than the number of accounts + that are possible on most UNIX systems. 
There is a practical limit that would come into play + long before a performance boundary would be anticipated. That practical limit is controlled + by the nature of Windows networking. There are few Windows file and print servers + that can handle more than a few hundred concurrent client connections. The key limiting factors + that predicate off-loading of services to additional servers are memory capacity, the number + of CPUs, network bandwidth, and disk I/O limitations. All of these are readily exhausted by + just a few hundred concurrent active users. Such bottlenecks can best be removed by segmentation + of the network (distributing network load across multiple networks). + </para> + <para> + As the network grows, it becomes necessary to provide additional authentication servers (domain + controllers). The tdbsam is limited to a single machine and cannot be reliably replicated. + This means that practical limits on network design dictate the point at which a distributed + passdb backend is required; at this time, there is no real alternative other than ldapsam (LDAP). + </para> + + <para> + The guideline provided in <emphasis>TOSHARG</emphasis>, Chapter 10, Section 10.1.2, is to limit the number of accounts + in the tdbsam backend to 250. This is the point at which most networks tend to want backup domain + controllers (BDCs). Samba-3 does not provide a mechanism for replicating tdbsam data so it can be used + by a BDC. The limitation of 250 users per tdbsam is predicated only on the need for replication + not on the limits<footnote><para>Bench tests have shown that tdbsam is a very effective database technology. + There is surprisingly little performance loss even with over 4000 users.</para></footnote> of the tdbsam backend itself. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Would Samba operate any better if the OS Level is set to a value higher than 35? + </para> + + </question> + <answer> + + <para> + No. 
MS Windows workstations and servers do not use a value higher than 33. Setting this to a value + of 35 already assures Samba of precedence over MS Windows products in browser elections. There is + no gain to be had from setting this higher. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups? + </para> + + </question> + <answer> + + <para> + At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at + a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special + Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Why has a path been specified in the <parameter>IPC$</parameter> share? + </para> + + </question> + <answer> + + <para> + This is done so that in the event that a software bug may permit a client connection to the IPC$ share to + obtain access to the file system, it does so at a location that presents least risk. Under normal operation + this type of paranoid step should not be necessary. The use of this parameter should not be necessary. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Why does the &smb.conf; file in this exercise include an entry for <smbconfoption name="smb ports"/>? + </para> + + </question> + <answer> + + <para> + The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port + used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS + over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By + specifying the use of port 139 before port 445, the intent is to reduce unsuccessful service connection attempts. 
+ The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain + member, the default behavior is highly beneficial and should not be changed. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + What is the difference between a print queue and a printer? + </para> + + </question> + <answer> + + <para> + A printer is a physical device that is connected either directly to the network or to a computer + via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a + hard copy printout. Network attached printers that use TCP/IP-based printing generally accept a + single print data stream and block all secondary attempts to dispatch jobs concurrently to the + same device. If many clients were to concurrently print directly via TCP/IP to the same printer, + it would result in a huge amount of network traffic through continually failing connection attempts. + </para> + + <para> + A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or + print requests. When the data stream has been fully received the input stream is closed, + the job is then submitted to a sequential print queue where the job is stored until + the printer is ready to receive the job. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Can all MS Windows application software be installed onto an application server share? + </para> + + </question> + <answer> + + <para> + Much older Windows software is not compatible with installation to and execution off + an application server. Enterprise versions of Microsoft Office XP Professional can + be installed to an application server. Retail consumer versions of Microsoft Office XP + Professional do not permit installation to an application server share and can be installed + and used only to/from a local workstation hard disk. 
+ </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Why use dynamic DNS (DDNS)? + </para> + + </question> + <answer> + + <para> + When DDNS records are updated directly from the DHCP server, it is possible for + network clients that are not NetBIOS enabled, and thus cannot use WINS, to locate + Windows clients via DNS. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Why would you use WINS as well as DNS-based name resolution? + </para> + + </question> + <answer> + + <para> + WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is + a name like <quote>myhost.mydomain.tld,</quote> where <parameter>tld</parameter> + means <constant>top level domain</constant>. A FQDN is a long hand but easy to remember + expression that may be up to 1024 characters in length and that represents an IP address. + A NetBIOS name is always 16 characters long. The 16<superscript>th</superscript> character + is a name type indicator. A specific name type is registered<footnote><para> + See <emphasis>TOSHARG</emphasis>, Chapter 9 for more information.</para></footnote> for each + type of service that is provided by the Windows server or client and that may be registered + where a WINS server is in use. + </para> + + <para> + WINS is a mechanism by which a client may locate the IP Address that corresponds to a + NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name + that includes a particular registered NetBIOS name type. DNS does not provide a mechanism + that permits handling of the NetBIOS name type information. + </para> + + <para> + DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular + hostname or service name that has been registered in the DNS database for a particular domain. + A DNS server has limited scope of control and is said to be authoritative for the zone over + which it has control. 
+ </para> + + <para> + Windows 200x Active Directory requires the registration in the DNS zone for the domain it + controls of service locator<footnote><para>See TOSHARG, Chapter 9, Section 9.3.3</para></footnote> records + that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also + requires the registration of special records that are called global catalog (GC) entries + and site entries by which domain controllers and other essential ADS servers may be located. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + What are the major benefits of using an application server? + </para> + + </question> + <answer> + + <para> + The use of an application server can significantly reduce application update maintenance. + By providing a centralized application share, software updates need be applied to only + one location for all major applications used. This results in faster update roll-outs and + significantly better application usage control. + </para> + + </answer> + </qandaentry> + + </qandaset> + +</sect1> + +</chapter> |
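Review bot: in the answer to "Why would you use WINS as well as DNS-based name resolution?" the statement that an FQDN "may be up to 1024 characters in length" is wrong; RFC 1035 limits a complete domain name to 255 octets (63 octets per label), so the figure should be corrected before this chapter ships. Two smaller points in the same hunk: the answer about the path in the IPC$ share closes with two near-identical sentences ("this type of paranoid step should not be necessary. The use of this parameter should not be necessary."), one of which should be dropped, and the phrase "a location that presents least risk" would be more useful to an administrator if it said what that means in practice (an empty directory with no write permission); and the "Questions and Answers" sect1 opens with an empty <para></para> that serves no purpose and should be removed. Minor consistency: the footnote "See TOSHARG, Chapter 9, Section 9.3.3" lacks the <emphasis> wrapper that the other two TOSHARG references use.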